package org.wso2.carbon.hostobjects.sso.internal.util;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.crypto.SecretKey;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xerces.util.SecurityManager;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilder;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.encryption.EncryptedKey;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.w3c.dom.bootstrap.DOMImplementationRegistry;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSSerializer;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.hostobjects.sso.SignatureVerificationException;
import org.wso2.carbon.hostobjects.sso.SignatureVerificationFailure;
import org.wso2.carbon.hostobjects.sso.exception.SSOHostObjectException;
import org.wso2.carbon.hostobjects.sso.internal.SSOConstants;
import org.wso2.carbon.identity.saml.common.util.SAMLInitializer;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/wso2/carbon/hostobjects/sso/internal/util/Util.class */
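/**
 * Static helpers behind the SSO host object: OpenSAML bootstrap, SAML
 * marshalling/unmarshalling, the Base64/DEFLATE encodings used by the SAML
 * bindings, signature validation against a keystore certificate, assertion
 * decryption, and small builders for {@code NameID}/{@code NameIDPolicy}.
 *
 * <p>Everything here is static. {@link #setRealmService(RealmService)} and the
 * one-time bootstrap flag are the only mutable state; {@link #marshall(XMLObject)}
 * additionally writes a JVM-wide system property (see there).
 */
public class Util {
    /** Entity expansion limit handed to the Xerces security manager: 0 forbids entity expansion. */
    private static final int ENTITY_EXPANSION_LIMIT = 0;
    /** Bytes of randomness behind {@link #createID()}; the ID has twice as many characters. */
    private static final int ID_RANDOM_BYTES = 20;
    /** Nibble-to-letter map for {@link #createID()}: index 0..15 maps to 'a'..'p'. */
    private static final char[] charMapping = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p'};
    /**
     * Carbon's super-tenant id. For this tenant the verification certificate is read
     * from the keystore file passed by the caller instead of a tenant keystore.
     */
    private static final int SUPER_TENANT_ID = -1234;
    /** Namespace of SAML 2.0 assertions; used to locate {@code NameID} elements. */
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    /** Exclusive C14N with comments; a Reference transform using it means the assertion was signed with comments kept. */
    private static final String EXC_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";
    /** XPath for the ID attribute of the first {@code Assertion} element in the document. */
    private static final String ASSERTION_ID_XPATH = "//*[local-name()='Assertion']/@ID";
    /**
     * XPath for every assertion Signature Reference that carries a with-comments
     * transform. The Reference URI is deliberately NOT part of the expression: it
     * is compared in Java (see {@link #isSignedWithComments(Document)}).
     */
    private static final String WITH_COMMENTS_REFERENCE_XPATH =
            "//*[local-name()='Assertion']/*[local-name()='Signature']/*[local-name()='SignedInfo']"
            + "/*[local-name()='Reference'][*[local-name()='Transforms']/*[local-name()='Transform']"
            + "[@Algorithm='" + EXC_C14N_WITH_COMMENTS + "']]";
    /** Matches {@code ${name}} placeholders in an ACS URL; group 1 is the property name. Compiled once; Pattern is thread-safe. */
    private static final Pattern ACS_PLACEHOLDER = Pattern.compile("\\$\\{(.*?)\\}");
    private static final Log log = LogFactory.getLog(Util.class);
    private static final SecureRandom random = new SecureRandom();
    // Set once by doBootstrap(); there is no synchronization, so concurrent first callers may each run the bootstrap.
    private static boolean bootStrapped = false;
    private static RealmService realmService = null;

    /**
     * Initialises the OpenSAML3 library once per JVM. After a successful bootstrap
     * further calls return immediately; a failed attempt is logged and retried on
     * the next call.
     */
    public static void doBootstrap() {
        if (bootStrapped) {
            return;
        }
        try {
            SAMLInitializer.doBootstrap();
            bootStrapped = true;
        } catch (InitializationException e) {
            System.err.println("Error in bootstrapping the OpenSAML3 library");
            log.error("Error in bootstrapping the OpenSAML3 library", e);
        }
    }

    /**
     * Builds an empty OpenSAML object for the given element name.
     *
     * @param qName element name (namespace, local part and prefix are all used)
     * @return a new, empty XMLObject for {@code qName}
     * @throws SSOHostObjectException if no builder is registered for {@code qName}
     */
    public static XMLObject buildXMLObject(QName qName) throws SSOHostObjectException {
        XMLObjectBuilder<?> builder = XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName);
        if (builder == null) {
            throw new SSOHostObjectException("Unable to retrieve builder for object QName " + qName);
        }
        return builder.buildObject(qName.getNamespaceURI(), qName.getLocalPart(), qName.getPrefix());
    }

    /**
     * Creates a random identifier suitable for a SAML {@code ID} attribute.
     *
     * @return 40 characters drawn from 'a'..'p', encoding 160 bits from {@link SecureRandom}
     *         (letters only, so the value is always a valid xs:ID / NCName)
     */
    public static String createID() {
        byte[] seed = new byte[ID_RANDOM_BYTES];
        random.nextBytes(seed);
        char[] out = new char[seed.length * 2];
        for (int i = 0; i < seed.length; i++) {
            // high nibble first, then low nibble
            out[2 * i] = charMapping[(seed[i] >> 4) & 0x0F];
            out[2 * i + 1] = charMapping[seed[i] & 0x0F];
        }
        return String.valueOf(out);
    }

    /**
     * Parses a SAML XML string with a hardened parser and unmarshalls it into an OpenSAML object.
     *
     * <p>Comments are stripped on the first parse. If the assertion's signature reference
     * uses exclusive C14N <em>with comments</em>, the document is parsed again with comments
     * kept so that signature validation sees the bytes that were actually signed.
     *
     * @param samlXml the XML text (decoded, not Base64)
     * @return the unmarshalled root object
     * @throws Exception wrapping any parse, configuration or unmarshalling failure
     */
    public static XMLObject unmarshall(String samlXml) throws Exception {
        try {
            doBootstrap();
            DocumentBuilderFactory factory = getSecuredDocumentBuilder();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setNamespaceAware(true);
            factory.setIgnoringComments(true);
            Document document = getDocument(factory, samlXml);
            if (isSignedWithComments(document)) {
                factory.setIgnoringComments(false);
                document = getDocument(factory, samlXml);
            }
            Element root = document.getDocumentElement();
            return XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        } catch (Exception e) {
            throw new Exception("Error in constructing AuthRequest from the encoded String ", e);
        }
    }

    /**
     * Serialises an OpenSAML object to an XML string (UTF-8).
     *
     * <p>Side effect: pins the JAXP {@code DocumentBuilderFactory} system property to the
     * Xerces implementation for the whole JVM, as the original implementation did.
     *
     * @param xmlObject object to serialise
     * @return the XML text
     * @throws Exception wrapping any marshalling or serialisation failure
     */
    public static String marshall(XMLObject xmlObject) throws Exception {
        try {
            doBootstrap();
            System.setProperty("javax.xml.parsers.DocumentBuilderFactory", "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl");
            Element element = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(xmlObject).marshall(xmlObject);
            DOMImplementationLS ls = (DOMImplementationLS) DOMImplementationRegistry.newInstance().getDOMImplementation("LS");
            LSSerializer serializer = ls.createLSSerializer();
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            LSOutput output = ls.createLSOutput();
            // Fix the encoding on both sides so the result does not depend on the platform charset.
            output.setEncoding(StandardCharsets.UTF_8.name());
            output.setByteStream(buffer);
            serializer.write(element, output);
            return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new Exception("Error Serializing the SAML Response", e);
        }
    }

    /**
     * Base64-encodes the UTF-8 bytes of {@code text} without line breaks.
     *
     * @param text text to encode
     * @return unchunked Base64, trimmed
     * @throws Exception never in practice; kept for the existing signature
     */
    public static String encode(String text) throws Exception {
        return Base64Support.encode(text.getBytes(StandardCharsets.UTF_8), false).trim();
    }

    /**
     * DEFLATEs (raw, no zlib header) and Base64-encodes {@code text}, the form used by the
     * SAML HTTP-Redirect binding.
     *
     * @param text text to compress; encoded as UTF-8 (matching {@link #encode(String)})
     * @return unchunked Base64 of the raw DEFLATE stream, trimmed
     * @throws Exception on I/O failure while compressing
     */
    public static String deflateAndEncode(String text) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        // level 8, nowrap=true -> raw DEFLATE (RFC 1951) without zlib framing
        Deflater deflater = new Deflater(8, true);
        try (DeflaterOutputStream out = new DeflaterOutputStream(buffer, deflater)) {
            out.write(text.getBytes(StandardCharsets.UTF_8));
        } finally {
            // DeflaterOutputStream does not end() a caller-supplied Deflater; release its native buffers here.
            deflater.end();
        }
        return Base64Support.encode(buffer.toByteArray(), false).trim();
    }

    /**
     * Base64-decodes {@code base64} and interprets the bytes as UTF-8 (the inverse of {@link #encode(String)}).
     *
     * @param base64 Base64 text
     * @return decoded text
     * @throws Exception never in practice; kept for the existing signature
     */
    public static String decode(String base64) throws Exception {
        return new String(Base64Support.decode(base64), StandardCharsets.UTF_8);
    }

    /**
     * Validates a SAML signature against the certificate of the given tenant.
     *
     * <p>The signature must first pass the SAML signature profile check (which rejects
     * signatures not covering the enclosing element, i.e. wrapping attempts) and then
     * cryptographically verify against the certificate.
     *
     * @param signature       the signature to validate
     * @param keyStorePath    keystore file used for the super tenant
     * @param keyStorePassword password of that keystore file
     * @param alias           certificate alias in that keystore file (super tenant only)
     * @param tenantId        tenant id; {@link #SUPER_TENANT_ID} selects the keystore file path
     * @param tenantDomain    tenant domain; names the tenant keystore and the certificate alias in it
     * @return {@code true} if the signature is valid; {@code false} if the profile check or
     *         the cryptographic check fails (logged)
     * @throws SignatureVerificationFailure   if a signature error escapes the validation step
     * @throws SignatureVerificationException if the certificate cannot be loaded (missing
     *                                        keystore file, bad password, unknown alias, ...)
     */
    public static boolean validateSignature(Signature signature, String keyStorePath, String keyStorePassword, String alias, int tenantId, String tenantDomain) throws SignatureVerificationException, SignatureVerificationFailure {
        try {
            X509Certificate certificate = loadVerificationCertificate(keyStorePath, keyStorePassword, alias, tenantId, tenantDomain);
            if (log.isDebugEnabled()) {
                log.debug("Validating against " + certificate.getSubjectX500Principal().getName());
            }
            try {
                new SAMLSignatureProfileValidator().validate(signature);
                SignatureValidator.validate(signature, new X509CredentialImpl(certificate));
                return true;
            } catch (SignatureException e) {
                if (log.isDebugEnabled()) {
                    log.debug("The signature do not confirm to SAML signature profile. Possible XML Signature Wrapping Attack!", e);
                }
                log.error(e.getMessage(), e);
                return false;
            }
        } catch (SignatureException e) {
            if (log.isDebugEnabled()) {
                log.debug("The signature do not confirm to SAML signature profile. Possible XML Signature Wrapping Attack!", e);
            }
            throw new SignatureVerificationFailure(e);
        } catch (FileNotFoundException e) {
            log.error("Could not find the key store file " + keyStorePath, e);
            throw new SignatureVerificationException(e);
        } catch (IOException e) {
            log.error("Could not load the keystore " + keyStorePath, e);
            throw new SignatureVerificationException(e);
        } catch (KeyStoreException e) {
            log.error("Error when getting certificate of tenant " + tenantDomain, e);
            throw new SignatureVerificationException(e);
        } catch (NoSuchAlgorithmException e) {
            log.error("Could not load the keystore " + keyStorePath, e);
            throw new SignatureVerificationException(e);
        } catch (CertificateException e) {
            log.error("Could not load the keystore " + keyStorePath, e);
            throw new SignatureVerificationException(e);
        } catch (Exception e) {
            log.error("Error when getting key store of tenant " + tenantDomain, e);
            throw new SignatureVerificationException(e.getMessage(), e);
        }
    }

    /**
     * Loads the certificate a signature is verified against.
     *
     * <p>Tenants: the certificate stored under the alias {@code tenantDomain} in the
     * tenant keystore named by {@link #generateKSNameFromDomainName(String)}.
     * Super tenant: the certificate under {@code alias} in the JKS file at
     * {@code keyStorePath}, which is opened and closed here.
     *
     * @throws KeyStoreException if no certificate exists under the resolved alias
     * @throws Exception         whatever keystore loading or the keystore manager throws
     */
    private static X509Certificate loadVerificationCertificate(String keyStorePath, String keyStorePassword, String alias, int tenantId, String tenantDomain) throws Exception {
        X509Certificate certificate;
        String resolvedAlias;
        if (tenantId != SUPER_TENANT_ID) {
            KeyStore tenantKeyStore = KeyStoreManager.getInstance(tenantId).getKeyStore(generateKSNameFromDomainName(tenantDomain));
            resolvedAlias = tenantDomain;
            certificate = (X509Certificate) tenantKeyStore.getCertificate(resolvedAlias);
        } else {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            // try-with-resources: the original left this stream open
            try (FileInputStream in = new FileInputStream(new File(keyStorePath))) {
                keyStore.load(in, keyStorePassword == null ? null : keyStorePassword.toCharArray());
            }
            resolvedAlias = alias;
            certificate = (X509Certificate) keyStore.getCertificate(resolvedAlias);
        }
        if (certificate == null) {
            // Without this the caller would fail later with a bare NullPointerException.
            throw new KeyStoreException("No certificate found under alias '" + resolvedAlias + "'");
        }
        return certificate;
    }

    /**
     * Decrypts an {@code EncryptedAssertion} using the tenant's private key.
     *
     * <p>Two-step decryption: the first {@code EncryptedKey} in the assertion's KeyInfo is
     * unwrapped with the tenant credential, and the resulting content key decrypts the
     * assertion itself.
     *
     * @param encryptedAssertion the encrypted assertion
     * @param keyStorePath     unused here; kept for signature compatibility
     * @param keyStorePassword unused here; kept for signature compatibility
     * @param alias            unused here; kept for signature compatibility
     * @param tenantId         tenant whose credential unwraps the key
     * @param tenantDomain     domain of that tenant
     * @return the decrypted assertion, rooted in a new DOM document
     * @throws Exception wrapping any failure (no EncryptedKey present, key unwrap or decryption error)
     */
    public static Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion, String keyStorePath, String keyStorePassword, String alias, int tenantId, String tenantDomain) throws Exception {
        try {
            StaticKeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(
                    new X509CredentialImpl(new SSOAgentCarbonX509Credential(tenantId, tenantDomain)));
            List<EncryptedKey> encryptedKeys = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys();
            if (encryptedKeys == null || encryptedKeys.isEmpty()) {
                throw new IllegalArgumentException("EncryptedAssertion carries no EncryptedKey");
            }
            String dataAlgorithm = encryptedAssertion.getEncryptedData().getEncryptionMethod().getAlgorithm();
            // Step 1: unwrap the content-encryption key with the tenant's private key.
            SecretKey contentKey = (SecretKey) new Decrypter((KeyInfoCredentialResolver) null, kekResolver, (EncryptedKeyResolver) null)
                    .decryptKey(encryptedKeys.get(0), dataAlgorithm);
            // Step 2: decrypt the assertion with that content key.
            Decrypter decrypter = new Decrypter(
                    new StaticKeyInfoCredentialResolver(CredentialSupport.getSimpleCredential(contentKey)),
                    (KeyInfoCredentialResolver) null, (EncryptedKeyResolver) null);
            decrypter.setRootInNewDocument(true);
            return decrypter.decrypt(encryptedAssertion);
        } catch (Exception e) {
            throw new Exception("Decrypted assertion error", e);
        }
    }

    /**
     * Derives the tenant domain from the first SAML {@code NameID} in the object's DOM.
     *
     * @param xmlObject an unmarshalled object whose DOM is available
     * @return the tenant domain, or {@code null} when there is no NameID
     */
    public static String getDomainName(XMLObject xmlObject) {
        NodeList nameIds = xmlObject.getDOM().getElementsByTagNameNS(SAML2_ASSERTION_NS, "NameID");
        if (nameIds.getLength() == 0) {
            return null;
        }
        return MultitenantUtils.getTenantDomain(nameIds.item(0).getTextContent());
    }

    /**
     * Maps a tenant domain to its keystore file name: dots become dashes, plus ".jks".
     */
    private static String generateKSNameFromDomainName(String tenantDomain) {
        return tenantDomain.trim().replace(".", "-") + ".jks";
    }

    /** Installs the realm service used by this host object. */
    public static void setRealmService(RealmService realmService2) {
        realmService = realmService2;
    }

    /** @return the realm service set via {@link #setRealmService(RealmService)}, or {@code null} */
    public static RealmService getRealmService() {
        return realmService;
    }

    /**
     * Builds a {@code NameIDPolicy} with {@code AllowCreate=true}.
     *
     * @param format NameID format; empty or null selects {@link SSOConstants#NAME_ID_POLICY_DEFAULT}
     */
    public static NameIDPolicy buildNameIDPolicy(String format) {
        NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
        policy.setFormat(nameIdFormatOrDefault(format));
        policy.setAllowCreate(true);
        return policy;
    }

    /**
     * Builds a {@code NameID}.
     *
     * @param format NameID format; empty or null selects {@link SSOConstants#NAME_ID_POLICY_DEFAULT}
     * @param value  the NameID value
     */
    public static NameID buildNameID(String format, String value) {
        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat(nameIdFormatOrDefault(format));
        nameId.setValue(value);
        return nameId;
    }

    /** Shared default-format rule for {@link #buildNameIDPolicy} and {@link #buildNameID}. */
    private static String nameIdFormatOrDefault(String format) {
        return StringUtils.isEmpty(format) ? SSOConstants.NAME_ID_POLICY_DEFAULT : format;
    }

    /**
     * Expands {@code ${name}} placeholders in an ACS URL from system properties.
     * Placeholders whose property is unset are left in place and logged.
     *
     * @param acsUrl URL possibly containing placeholders; {@code null} is returned unchanged
     * @return the URL with every resolvable placeholder replaced
     */
    public static String processAcsUrl(String acsUrl) {
        if (acsUrl == null) {
            return null;
        }
        Matcher matcher = ACS_PLACEHOLDER.matcher(acsUrl);
        String resolved = acsUrl;
        while (matcher.find()) {
            String name = matcher.group(1);
            String value = System.getProperty(name);
            if (value == null) {
                log.warn("System Property " + name + " is not set");
            } else {
                resolved = resolved.replace("${" + name + "}", value);
            }
        }
        return resolved;
    }

    /**
     * Creates a {@code DocumentBuilderFactory} hardened against XXE: no XInclude, no entity
     * reference expansion, no external general/parameter entities, no external DTD loading,
     * secure processing on, and a Xerces security manager with an entity expansion limit of
     * {@link #ENTITY_EXPANSION_LIMIT}.
     *
     * @return a namespace-aware, hardened factory
     */
    public static DocumentBuilderFactory getSecuredDocumentBuilder() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        try {
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (ParserConfigurationException e) {
            // The cause is kept in the log; the security-manager attribute below is still applied.
            log.error("Failed to load XML Processor Feature external-general-entities or external-parameter-entities or nonvalidating/load-external-dtd", e);
        }
        SecurityManager securityManager = new SecurityManager();
        securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
        factory.setAttribute("http://apache.org/xml/properties/security-manager", securityManager);
        return factory;
    }

    /**
     * Extracts the user name from an assertion.
     *
     * <p>With an empty {@code usernameAttribute} the Subject's NameID value is used; otherwise
     * the text of the first value of every Attribute whose {@code Name} equals
     * {@code usernameAttribute} is taken, and if several such attributes exist the last one wins
     * (behaviour kept from the original).
     *
     * @param assertion         the (already validated) assertion
     * @param usernameAttribute SAML attribute name carrying the user name, or empty for NameID
     * @return the user name, or {@code null} if none was found
     */
    public static String getUsernameFromAssertion(Assertion assertion, String usernameAttribute) {
        if (StringUtils.isEmpty(usernameAttribute)) {
            return usernameFromSubject(assertion);
        }
        return usernameFromAttribute(assertion, usernameAttribute);
    }

    /** NameID value of the assertion's Subject, or {@code null} if Subject or NameID is absent. */
    private static String usernameFromSubject(Assertion assertion) {
        Subject subject = assertion.getSubject();
        if (subject == null || subject.getNameID() == null) {
            return null;
        }
        String username = subject.getNameID().getValue();
        if (log.isDebugEnabled()) {
            log.debug("Name of authenticated user from SAML response : " + username);
        }
        return username;
    }

    /** Text of the first value of the last Attribute named {@code attributeName}, or {@code null}. */
    private static String usernameFromAttribute(Assertion assertion, String attributeName) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null) {
            return null;
        }
        String username = null;
        for (AttributeStatement statement : statements) {
            List<Attribute> attributes = statement.getAttributes();
            if (attributes == null) {
                continue;
            }
            for (Attribute attribute : attributes) {
                if (!attributeName.equals(attribute.getDOM().getAttribute(SSOConstants.SAML_NAME_ATTRIBUTE))) {
                    continue;
                }
                List<XMLObject> values = attribute.getAttributeValues();
                if (values == null || values.isEmpty()) {
                    // An attribute with no value would otherwise throw IndexOutOfBoundsException.
                    log.warn("Attribute " + attributeName + " has no value in the SAML assertion");
                    continue;
                }
                username = values.get(0).getDOM().getTextContent();
                if (log.isDebugEnabled()) {
                    log.debug("Name of authenticated user from SAML response : " + username);
                }
            }
        }
        return username;
    }

    /**
     * Reports whether the assertion's signature references the assertion (by its ID) with an
     * exclusive-C14N-with-comments transform, in which case comments must be kept when parsing.
     *
     * <p>The assertion ID is read from the not-yet-verified document, so it is never spliced
     * into an XPath expression; the Reference {@code URI} is compared in Java instead.
     *
     * @return {@code true} if such a Reference exists; {@code false} otherwise or on XPath failure
     */
    private static boolean isSignedWithComments(Document document) {
        XPath xpath = XPathFactory.newInstance().newXPath();
        try {
            String assertionId = (String) xpath.compile(ASSERTION_ID_XPATH).evaluate(document, XPathConstants.STRING);
            if (StringUtils.isBlank(assertionId)) {
                return false;
            }
            NodeList references = (NodeList) xpath.compile(WITH_COMMENTS_REFERENCE_XPATH).evaluate(document, XPathConstants.NODESET);
            if (references == null) {
                return false;
            }
            String expectedUri = "#" + assertionId;
            for (int i = 0; i < references.getLength(); i++) {
                // The expression selects Reference elements only, so the cast is safe.
                Element reference = (Element) references.item(i);
                if (expectedUri.equals(reference.getAttribute("URI"))) {
                    return true;
                }
            }
            return false;
        } catch (XPathExpressionException e) {
            log.warn("Failed to find the canonicalization algorithm of the assertion. Defaulting to: http://www.w3.org/2001/10/xml-exc-c14n#");
            if (log.isDebugEnabled()) {
                log.debug("Failed to find the canonicalization algorithm of the assertion. Defaulting to: http://www.w3.org/2001/10/xml-exc-c14n#", e);
            }
            return false;
        }
    }

    /**
     * Parses {@code xml} (as UTF-8 bytes) with a builder from the given factory.
     *
     * @throws IOException, SAXException, ParserConfigurationException as thrown by JAXP
     */
    private static Document getDocument(DocumentBuilderFactory factory, String xml) throws IOException, SAXException, ParserConfigurationException {
        return factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
}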
