package org.apache.ws.security.saml;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.SecretKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.processor.EncryptedKeyProcessor;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.XMLUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.KeyInfoConfirmationDataType;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.CredentialContextSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
import org.xml.sax.SAXException;

/* loaded from: input_file:WEB-INF/lib/wss4j-1.5.11-wso2v20.jar:org/apache/ws/security/saml/SAML2Util.class */
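/**
 * Helpers for processing SAML 2.0 assertions received in WS-Security headers:
 * OpenSAML bootstrapping, extraction of the key material an assertion carries
 * (holder-of-key style KeyInfo), derivation of a Timestamp from the assertion's
 * validity window, listing of claim names, and verification of the assertion
 * signature against the configured trust store.
 *
 * <p>Trust model of {@link #validateSignature(Assertion, Crypto)}: the certificate
 * embedded in the assertion's ds:KeyInfo is used only to locate a certificate in the
 * {@link Crypto} trust store (by SHA-1 thumbprint); the verification key is taken from
 * that trust-store entry, never from the untrusted token itself.
 */
public class SAML2Util {

    /**
     * Set once {@link #doBootstrap()} has initialised OpenSAML. Kept public and
     * non-volatile for backward compatibility; two threads racing on the first
     * call may both invoke the bootstrap, exactly as in the original.
     */
    public static boolean bootstrapped = false;

    /** WS-Security Utility namespace used for the synthesised wsu:Created / wsu:Expires elements. */
    private static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** XML Digital Signature namespace. */
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** JAXP system property temporarily overridden while marshalling KeyInfo. */
    private static final String DBF_PROPERTY = "javax.xml.parsers.DocumentBuilderFactory";

    /** DocumentBuilderFactory implementation forced during KeyInfo marshalling. */
    private static final String XERCES_DBF = "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl";

    /** wst:BinarySecret child of KeyInfo carrying a raw (base64) symmetric key. */
    private static final QName BINARY_SECRET = new QName(WSConstants.WST_NS, "BinarySecret");

    /** ds:X509Data child of KeyInfo carrying a holder-of-key certificate. */
    private static final QName X509_DATA = new QName(DSIG_NS, "X509Data");

    /**
     * Initialises the OpenSAML library once per JVM.
     *
     * @throws WSSecurityException with key {@code errorBootstrapping} if OpenSAML fails to configure itself
     */
    public static void doBootstrap() throws WSSecurityException {
        if (bootstrapped) {
            return;
        }
        try {
            DefaultBootstrap.bootstrap();
            bootstrapped = true;
        } catch (ConfigurationException e) {
            throw new WSSecurityException("errorBootstrapping", (Throwable) e);
        }
    }

    /**
     * Parses a DOM element holding a SAML 2.0 Assertion, unmarshals it with OpenSAML
     * and delegates to {@link #getSAML2KeyInfo(Assertion, Crypto, CallbackHandler)}.
     *
     * <p>The element is re-serialised and parsed again with this library's secured
     * {@code DocumentBuilder} (presumably with external entity resolution disabled —
     * confirm in {@code XMLUtils}) so that OpenSAML never sees a DOM produced by an
     * arbitrary caller-supplied parser. Documents containing a nested
     * {@code saml2:Assertion} below the root element are rejected.
     *
     * @param element the DOM element of the assertion
     * @param crypto key store used to decrypt an embedded EncryptedKey, if any
     * @param callbackHandler optional handler that may supply the key directly
     * @return the key information extracted from the assertion
     * @throws WSSecurityException if parsing or unmarshalling fails, if the document
     *         contains a nested Assertion, or if the root element is not an Assertion
     */
    public static SAML2KeyInfo getSAML2KeyInfo(Element element, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        try {
            doBootstrap();
            // NOTE(review): relies on element.toString() producing the XML serialisation of the
            // element. That is implementation-specific (not guaranteed by the DOM API) — confirm
            // against the DOM implementation in use. UTF-8 is explicit so the bytes do not depend
            // on the platform default charset.
            byte[] xml = element.toString().trim().getBytes("UTF-8");
            Element documentElement = XMLUtils.getSecuredDocumentBuilder().newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml)).getDocumentElement();
            // getElementsByTagNameNS() returns descendants only, so any hit here is an Assertion
            // nested inside the root element; such wrapped assertions are refused.
            NodeList nested = documentElement.getElementsByTagNameNS(WSConstants.SAML2_NS, WSConstants.ASSERTION_LN);
            if (nested != null && nested.getLength() > 0) {
                throw new WSSecurityException("invalidSAMLSecurity");
            }
            org.opensaml.xml.io.Unmarshaller unmarshaller =
                    Configuration.getUnmarshallerFactory().getUnmarshaller(documentElement);
            if (unmarshaller == null) {
                throw new WSSecurityException("invalidSAMLSecurity");
            }
            XMLObject unmarshalled = unmarshaller.unmarshall(documentElement);
            // The root must itself be an Assertion; the original relied on an unchecked cast here.
            if (!(unmarshalled instanceof Assertion)) {
                throw new WSSecurityException("invalidSAMLSecurity");
            }
            return getSAML2KeyInfo((Assertion) unmarshalled, crypto, callbackHandler);
        } catch (IOException e) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", null, e);
        } catch (ParserConfigurationException e2) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", null, e2);
        } catch (UnmarshallingException e3) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", null, e3);
        } catch (SAXException e4) {
            throw new WSSecurityException(0, "Failure in unmarshelling the assertion", null, e4);
        }
    }

    /**
     * Extracts the key material an assertion carries.
     *
     * <p>Resolution order:
     * <ol>
     *   <li>the {@link CallbackHandler}, if any, is asked for a key for the assertion ID
     *       (usage code 7, as in the original) and wins if it supplies one;</li>
     *   <li>otherwise the first KeyInfo of the first SubjectConfirmationData is marshalled
     *       to DOM. If the assertion has an AttributeStatement, its direct children are
     *       scanned for an EncryptedKey (decrypted via {@link EncryptedKeyProcessor}), a
     *       wst:BinarySecret (base64 symmetric key) or a ds:X509Data certificate;</li>
     *   <li>if nothing was found and the assertion has an AuthnStatement, the KeyInfo is
     *       read as ds:KeyInfo and its first X509 certificate is returned.</li>
     * </ol>
     *
     * @param assertion the unmarshalled assertion
     * @param crypto key store used to decrypt an embedded EncryptedKey
     * @param callbackHandler optional handler that may supply the key directly
     * @return the extracted key or certificate wrapped with the assertion
     * @throws WSSecurityException if the assertion lacks the required structure, the
     *         KeyInfo cannot be marshalled, or no key/certificate can be recovered
     */
    public static SAML2KeyInfo getSAML2KeyInfo(Assertion assertion, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        WSPasswordCallback pwCallback = new WSPasswordCallback(assertion.getID(), 7);
        if (callbackHandler != null) {
            try {
                callbackHandler.handle(new Callback[]{pwCallback});
            } catch (Exception e) {
                throw new WSSecurityException(0, "noKey", new Object[]{assertion.getID()}, e);
            }
        }
        byte[] suppliedKey = pwCallback.getKey();
        if (suppliedKey != null) {
            return new SAML2KeyInfo(assertion, suppliedKey);
        }

        XMLObject keyInfoObject = getFirstKeyInfo(assertion);
        Element keyInfoElement;
        try {
            keyInfoElement = marshallWithXerces(keyInfoObject);
        } catch (MarshallingException e) {
            throw new WSSecurityException(0, "Failed marshalling the SAML Assertion", null, e);
        }

        // The original gated the child scan on the presence of an AttributeStatement and the
        // certificate fallback on the presence of an AuthnStatement; that behaviour is kept.
        boolean hasAttributeStatement = assertion.getAttributeStatements().size() != 0;
        boolean hasAuthnStatement = assertion.getAuthnStatements().size() != 0;

        if (hasAttributeStatement) {
            SAML2KeyInfo fromChildren = keyFromKeyInfoChildren(assertion, keyInfoElement, crypto, callbackHandler);
            if (fromChildren != null) {
                return fromChildren;
            }
        }
        if (!hasAuthnStatement) {
            throw new WSSecurityException(0, "invalidSAMLSecurity", new Object[]{"cannot get certificate or key "});
        }
        X509Certificate certificate = extractCertificate(keyInfoElement);
        if (certificate == null) {
            throw new WSSecurityException(0, "invalidSAMLSecurity", new Object[]{"cannot get certificate or key "});
        }
        return new SAML2KeyInfo(assertion, new X509Certificate[]{certificate});
    }

    /**
     * Returns the first KeyInfo of the first SubjectConfirmationData of the assertion.
     * Each missing level maps to its own {@code invalidSAML2Token} detail so the caller's
     * error tells which part of the structure was absent. Empty lists are treated like
     * missing elements (the original indexed them unconditionally).
     */
    private static XMLObject getFirstKeyInfo(Assertion assertion) throws WSSecurityException {
        Subject subject = assertion.getSubject();
        if (subject == null) {
            throw new WSSecurityException(0, "invalidSAML2Token", new Object[]{"for Signature (no Subject)"});
        }
        List confirmations = subject.getSubjectConfirmations();
        SubjectConfirmation confirmation = (confirmations == null || confirmations.isEmpty())
                ? null : (SubjectConfirmation) confirmations.get(0);
        if (confirmation == null) {
            throw new WSSecurityException(0, "invalidSAML2Token", new Object[]{"for Signature (no Subject Confirmation)"});
        }
        SubjectConfirmationData data = confirmation.getSubjectConfirmationData();
        if (data == null) {
            throw new WSSecurityException(0, "invalidSAML2Token", new Object[]{"for Signature (no Subject Confirmation Data)"});
        }
        // Only the KeyInfoConfirmationDataType flavour carries KeyInfo children; a plain
        // SubjectConfirmationData (e.g. a bearer confirmation) has none. The original cast
        // unconditionally and would have failed with a ClassCastException instead.
        List keyInfos = (data instanceof KeyInfoConfirmationDataType)
                ? ((KeyInfoConfirmationDataType) data).getKeyInfos() : null;
        XMLObject keyInfo = (keyInfos == null || keyInfos.isEmpty()) ? null : (XMLObject) keyInfos.get(0);
        if (keyInfo == null) {
            throw new WSSecurityException(0, "invalidSAML2Token", new Object[]{"for Signature (no key info element)"});
        }
        return keyInfo;
    }

    /**
     * Marshals an OpenSAML object to DOM while forcing the Xerces DocumentBuilderFactory,
     * restoring the previous JAXP system property afterwards even when marshalling fails
     * (the original left the override in place on the exception path).
     *
     * <p>NOTE(review): the property swap is JVM-wide and not thread safe; a concurrent
     * parser lookup elsewhere may observe the Xerces override.
     */
    private static Element marshallWithXerces(XMLObject xmlObject) throws MarshallingException {
        String previous = System.getProperty(DBF_PROPERTY);
        System.setProperty(DBF_PROPERTY, XERCES_DBF);
        try {
            return org.opensaml.xml.Configuration.getMarshallerFactory().getMarshaller(xmlObject).marshall(xmlObject);
        } finally {
            if (previous == null) {
                System.getProperties().remove(DBF_PROPERTY);
            } else {
                System.setProperty(DBF_PROPERTY, previous);
            }
        }
    }

    /**
     * Scans the direct element children of the marshalled KeyInfo for key material.
     *
     * @return the key found, or {@code null} if no child yielded one
     * @throws WSSecurityException if decryption of an EncryptedKey, base64 decoding of a
     *         BinarySecret, or reading the X509Data fails
     */
    private static SAML2KeyInfo keyFromKeyInfoChildren(Assertion assertion, Element keyInfoElement,
                                                       Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        NodeList children = keyInfoElement.getChildNodes();
        int count = children.getLength();
        for (int i = 0; i < count; i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            QName name = new QName(child.getNamespaceURI(), child.getLocalName());
            if (WSSecurityEngine.ENCRYPTED_KEY.equals(name)) {
                EncryptedKeyProcessor processor = new EncryptedKeyProcessor();
                processor.handleEncryptedKey((Element) child, callbackHandler, crypto, null);
                return new SAML2KeyInfo(assertion, processor.getDecryptedBytes());
            }
            if (BINARY_SECRET.equals(name)) {
                Node text = child.getFirstChild();
                // A BinarySecret without a text child cannot hold a key; report it rather than NPE.
                if (!(text instanceof Text)) {
                    throw new WSSecurityException(0, "invalidSAMLSecurity", new Object[]{"cannot get certificate or key "});
                }
                return new SAML2KeyInfo(assertion, Base64.decode(((Text) text).getData()));
            }
            if (X509_DATA.equals(name)) {
                X509Certificate certificate = extractCertificate(keyInfoElement);
                if (certificate != null) {
                    return new SAML2KeyInfo(assertion, new X509Certificate[]{certificate});
                }
            }
        }
        return null;
    }

    /**
     * Reads the marshalled KeyInfo as ds:KeyInfo and returns the first certificate of its
     * first X509Data, or {@code null} when there is none. Shared by the child scan and the
     * AuthnStatement fallback, which previously duplicated this logic.
     *
     * @throws WSSecurityException with detail {@code cannot get certificate (key holder)} if
     *         the KeyInfo or certificate cannot be decoded
     */
    private static X509Certificate extractCertificate(Element keyInfoElement) throws WSSecurityException {
        try {
            KeyInfo keyInfo = new KeyInfo(keyInfoElement, null);
            if (!keyInfo.containsX509Data()) {
                return null;
            }
            X509Data x509Data = keyInfo.itemX509Data(0);
            if (x509Data == null || !x509Data.containsCertificate()) {
                return null;
            }
            XMLX509Certificate xmlCertificate = x509Data.itemCertificate(0);
            return xmlCertificate == null ? null : xmlCertificate.getX509Certificate();
        } catch (XMLSecurityException e) {
            throw new WSSecurityException(0, "invalidSAMLSecurity", new Object[]{"cannot get certificate (key holder)"}, e);
        }
    }

    /**
     * Builds a WS-Security {@link Timestamp} from the assertion's validity window.
     *
     * <p>NotBefore/NotOnOrAfter are taken from {@code Conditions} when present; only when
     * there are no Conditions is the first SubjectConfirmationData consulted instead. Both
     * bounds are required.
     *
     * @param assertion the unmarshalled assertion
     * @return a Timestamp whose Created/Expires mirror NotBefore/NotOnOrAfter, or
     *         {@code null} if either bound is absent
     * @throws WSSecurityException with key {@code SAMLTimeStampBuildError} if the DOM or
     *         Timestamp cannot be constructed
     */
    public static Timestamp getTimestampForSAMLAssertion(Assertion assertion) throws WSSecurityException {
        String notBefore = null;
        String notOnOrAfter = null;
        Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            if (conditions.getNotBefore() != null) {
                notBefore = conditions.getNotBefore().toString();
            }
            if (conditions.getNotOnOrAfter() != null) {
                notOnOrAfter = conditions.getNotOnOrAfter().toString();
            }
        } else {
            // Looked up lazily and null-safely; the original dereferenced Subject and indexed
            // the confirmation list unconditionally, even when Conditions were present.
            SubjectConfirmationData data = getFirstSubjectConfirmationData(assertion);
            if (data != null) {
                if (data.getNotBefore() != null) {
                    notBefore = data.getNotBefore().toString();
                }
                if (data.getNotOnOrAfter() != null) {
                    notOnOrAfter = data.getNotOnOrAfter().toString();
                }
            }
        }
        if (notBefore == null || notOnOrAfter == null) {
            return null;
        }
        try {
            Document document = XMLUtils.getSecuredDocumentBuilder().newDocumentBuilder().newDocument();
            Element timestamp = document.createElement("SAMLTimestamp");
            Element created = document.createElementNS(WSU_NS, WSConstants.CREATED_LN);
            created.setTextContent(notBefore);
            timestamp.appendChild(created);
            Element expires = document.createElementNS(WSU_NS, "Expires");
            expires.setTextContent(notOnOrAfter);
            timestamp.appendChild(expires);
            return new Timestamp(timestamp);
        } catch (ParserConfigurationException e) {
            throw new WSSecurityException(0, "SAMLTimeStampBuildError", null, e);
        } catch (WSSecurityException e2) {
            throw new WSSecurityException(0, "SAMLTimeStampBuildError", null, e2);
        }
    }

    /** First SubjectConfirmationData of the assertion, or {@code null} if any level is missing. */
    private static SubjectConfirmationData getFirstSubjectConfirmationData(Assertion assertion) {
        Subject subject = assertion.getSubject();
        if (subject == null) {
            return null;
        }
        List confirmations = subject.getSubjectConfirmations();
        if (confirmations == null || confirmations.isEmpty()) {
            return null;
        }
        return ((SubjectConfirmation) confirmations.get(0)).getSubjectConfirmationData();
    }

    /**
     * Collects the names of all attributes in all AttributeStatements of the assertion.
     *
     * @param assertion the unmarshalled assertion
     * @return the distinct attribute names in natural (sorted) order; empty if there are none
     */
    public static Set<String> getClaims(Assertion assertion) {
        Set<String> names = new TreeSet<String>();
        List statements = assertion.getAttributeStatements();
        for (Object statement : statements) {
            List attributes = ((AttributeStatement) statement).getAttributes();
            for (Object attribute : attributes) {
                names.add(((Attribute) attribute).getName());
            }
        }
        return names;
    }

    /**
     * Verifies the assertion's enveloped signature against the trust store.
     *
     * <p>The certificate carried in the signature's ds:KeyInfo is decoded and its SHA-1
     * thumbprint is used to find an alias in {@code crypto}; the public key of that
     * trust-store certificate (not of the embedded one) is used for verification. An
     * assertion whose certificate is not in the trust store is rejected as untrusted.
     *
     * <p>NOTE(review): this performs the cryptographic signature check only; profile
     * checks (e.g. that the signature's Reference actually covers this assertion) are not
     * done here — confirm they happen in the caller.
     *
     * @param assertion the signed assertion
     * @param crypto the trust store to resolve the signing certificate against
     * @throws WSSecurityException {@code SAMLTokenInvalidX509Data} if the signature carries no
     *         usable X509 data, {@code SAMLTokenErrorGeneratingX509CertInstance} if the embedded
     *         certificate cannot be decoded, {@code SAMLTokenUntrustedSignatureKey} if it is not
     *         in the trust store, {@code SAMLTokenInvalidSignature} if verification fails
     */
    public static void validateSignature(Assertion assertion, Crypto crypto) throws WSSecurityException {
        org.opensaml.xml.signature.Signature signature = assertion.getSignature();
        // An unsigned assertion, or one without KeyInfo, has nothing to verify against.
        if (signature == null || signature.getKeyInfo() == null) {
            throw new WSSecurityException(0, "SAMLTokenInvalidX509Data");
        }
        List x509Datas = signature.getKeyInfo().getX509Datas();
        if (x509Datas == null || x509Datas.isEmpty()) {
            throw new WSSecurityException(0, "SAMLTokenInvalidX509Data");
        }
        List x509Certificates = ((org.opensaml.xml.signature.X509Data) x509Datas.get(0)).getX509Certificates();
        if (x509Certificates == null || x509Certificates.isEmpty()) {
            throw new WSSecurityException(0, "SAMLTokenInvalidX509Data");
        }
        String encodedCertificate = ((org.opensaml.xml.signature.X509Certificate) x509Certificates.get(0)).getValue();
        if (encodedCertificate == null || encodedCertificate.trim().length() == 0) {
            throw new WSSecurityException(0, "SAMLTokenInvalidX509Data");
        }
        try {
            X509Certificate embedded = (X509Certificate) CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID)
                    .generateCertificate(new ByteArrayInputStream(org.opensaml.xml.util.Base64.decode(encodedCertificate)));
            String alias = crypto.getAliasForX509CertThumb(calculateThumbPrint(embedded));
            if (alias == null) {
                throw new WSSecurityException(0, "SAMLTokenUntrustedSignatureKey");
            }
            X509Certificate[] trusted = crypto.getCertificates(alias);
            if (trusted == null || trusted.length == 0 || trusted[0] == null) {
                throw new WSSecurityException(0, "SAMLTokenUntrustedSignatureKey");
            }
            new SignatureValidator(new X509CredentialImpl(trusted[0])).validate(signature);
        } catch (CertificateException e) {
            throw new WSSecurityException("SAMLTokenErrorGeneratingX509CertInstance", e);
        } catch (ValidationException e2) {
            // Error code 10 as in the original; the cause is now preserved for diagnostics.
            throw new WSSecurityException(10, "SAMLTokenInvalidSignature", null, e2);
        }
    }

    /**
     * SHA-1 digest of the DER encoding of a certificate — the thumbprint form the
     * {@link Crypto} alias lookup is keyed on (an identifier, not a security-strength choice).
     *
     * @throws WSSecurityException if the digest is unavailable or the certificate cannot be
     *         encoded; the original swallowed both and returned an empty array
     */
    private static byte[] calculateThumbPrint(X509Certificate certificate) throws WSSecurityException {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-1");
            return digest.digest(certificate.getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new WSSecurityException(0, "Failure computing certificate thumbprint", null, e);
        } catch (CertificateEncodingException e2) {
            throw new WSSecurityException(0, "Failure computing certificate thumbprint", null, e2);
        }
    }

    /**
     * Minimal {@link X509Credential} exposing the public key of a trust-store certificate for
     * {@link SignatureValidator}. Replaces the original local class; attributes the
     * validator does not need (entity id, usage, key names, private/secret key, CRLs,
     * context set) stay unset.
     */
    private static final class X509CredentialImpl implements X509Credential {
        private final X509Certificate certificate;
        private final PublicKey publicKey;

        X509CredentialImpl(X509Certificate certificate) {
            this.certificate = certificate;
            this.publicKey = certificate.getPublicKey();
        }

        public X509Certificate getEntityCertificate() {
            return certificate;
        }

        public Collection<X509Certificate> getEntityCertificateChain() {
            return Collections.singletonList(certificate);
        }

        public Collection<X509CRL> getCRLs() {
            return null;
        }

        public String getEntityId() {
            return null;
        }

        public UsageType getUsageType() {
            return null;
        }

        public Collection<String> getKeyNames() {
            return null;
        }

        public PublicKey getPublicKey() {
            return publicKey;
        }

        public PrivateKey getPrivateKey() {
            return null;
        }

        public SecretKey getSecretKey() {
            return null;
        }

        public CredentialContextSet getCredentalContextSet() {
            return null;
        }

        public Class<? extends Credential> getCredentialType() {
            return X509Credential.class;
        }
    }
}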
