package org.wso2.carbon.webapp.mgt.sso;

import java.security.cert.X509Certificate;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.sso.agent.bean.SSOAgentConfig;
import org.wso2.carbon.identity.sso.agent.exception.SSOAgentException;
import org.wso2.carbon.identity.sso.agent.saml.SAMLSignatureValidator;
import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.carbon.webapp.mgt.DataHolder;

/* loaded from: input_file:org/wso2/carbon/webapp/mgt/sso/SAMLSignatureValidatorImpl.class */
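public class SAMLSignatureValidatorImpl implements SAMLSignatureValidator {
    private static final Log log = LogFactory.getLog(SAMLSignatureValidatorImpl.class);

    /**
     * Carbon's super-tenant id (the literal {@code -1234} the original code compared against).
     * The super tenant uses the primary keystore's default certificate; every other tenant
     * uses a per-tenant keystore named after its domain.
     */
    private static final int SUPER_TENANT_ID = -1234;

    /**
     * Validates the XML signature on the SAML2 Response and/or Assertion, according to what
     * the agent configuration says must be signed.
     *
     * <p>For each element that must be signed: a missing signature element is rejected
     * outright, then a {@link SAMLSignatureProfileValidator} run precedes the cryptographic
     * check so that structurally invalid signatures are rejected before any key is used.
     * The trust anchor for both checks is resolved from the assertion's Subject NameID
     * (see {@link #getSignatureValidator(Assertion)}).
     *
     * @param response        the SAML2 Response whose signature is checked when response signing is enabled
     * @param assertion       the SAML2 Assertion whose signature is checked when assertion signing is enabled,
     *                        and whose Subject NameID selects the tenant certificate in both cases
     * @param sSOAgentConfig  agent configuration; {@code getSAML2().isResponseSigned()} /
     *                        {@code isAssertionSigned()} decide which checks run
     * @throws SSOAgentException if a required signature is absent, fails profile or
     *                           cryptographic validation, or the tenant certificate cannot be resolved
     */
    @Override // org.wso2.carbon.identity.sso.agent.saml.SAMLSignatureValidator
    public void validateSignature(Response response, Assertion assertion, SSOAgentConfig sSOAgentConfig) throws SSOAgentException {
        if (sSOAgentConfig.getSAML2().isResponseSigned().booleanValue()) {
            if (response.getSignature() == null) {
                throw new SSOAgentException("SAML2 Response signing is enabled, but signature element not found in SAML2 Response element");
            }
            try {
                log.info("Invoking SAMLSignatureProfileValidator for Response");
                // Profile check first, then the cryptographic check against the tenant certificate.
                new SAMLSignatureProfileValidator().validate(response.getSignature());
                getSignatureValidator(assertion).validate(response.getSignature());
            } catch (ValidationException e) {
                throw new SSOAgentException("Signature validation failed for SAML2 Response", e);
            }
        }
        if (sSOAgentConfig.getSAML2().isAssertionSigned().booleanValue()) {
            if (assertion.getSignature() == null) {
                throw new SSOAgentException("SAML2 Assertion signing is enabled, but signature element not found in SAML2 Assertion element");
            }
            try {
                log.info("Invoking SAMLSignatureProfileValidator for Assersion");
                new SAMLSignatureProfileValidator().validate(assertion.getSignature());
                getSignatureValidator(assertion).validate(assertion.getSignature());
            } catch (ValidationException e) {
                // Fix: the original dropped the cause here (unlike the Response branch above),
                // which hid why validation failed from the caller's logs.
                throw new SSOAgentException("Signature validation failed for SAML2 Assertion", e);
            }
        }
    }

    /**
     * Builds a {@link SignatureValidator} backed by the certificate of the tenant that the
     * assertion's Subject NameID belongs to.
     *
     * <p>NOTE(review): the tenant domain — and therefore which keystore supplies the trust
     * anchor — is derived from the NameID before any signature has been verified, so that value
     * is still untrusted at this point. Confirm at the call site that this cannot steer
     * validation towards a certificate the deployment does not intend to trust.
     *
     * <p>For non-super tenants the tenant registry is loaded first (best-effort: a
     * {@link RegistryException} is logged and validation continues, as in the original code).
     *
     * @param assertion assertion whose {@code Subject/NameID} value yields the tenant domain
     * @return a validator for the resolved tenant certificate
     * @throws SSOAgentException if the tenant id cannot be looked up or the certificate cannot be obtained
     */
    private SignatureValidator getSignatureValidator(Assertion assertion) throws SSOAgentException {
        String tenantDomain = MultitenantUtils.getTenantDomain(assertion.getSubject().getNameID().getValue());
        int tenantId;
        try {
            tenantId = DataHolder.getRealmService().getTenantManager().getTenantId(tenantDomain);
        } catch (UserStoreException e) {
            throw new SSOAgentException("unable to get tenant ID for domain : " + tenantDomain, e);
        }
        if (tenantId != SUPER_TENANT_ID) {
            loadTenantRegistry(tenantId, tenantDomain);
        }
        return new SignatureValidator(new SSOCarbonX509Credential(getX509CredentialImplForTenant(tenantId, tenantDomain).getEntityCertificate()));
    }

    /**
     * Loads the given tenant's registry inside a tenant flow.
     *
     * <p>The decompiled original duplicated {@code endTenantFlow()} on the success, the
     * {@link RegistryException} and the {@code Throwable} paths; that is a {@code finally}
     * block, written as one here so the thread-local tenant context is always unwound exactly once.
     *
     * @param tenantId     id of the tenant to load
     * @param tenantDomain the tenant's domain, set on the thread-local context for the duration of the load
     */
    private static void loadTenantRegistry(int tenantId, String tenantDomain) {
        try {
            PrivilegedCarbonContext.startTenantFlow();
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
            DataHolder.getTenantRegistryLoader().loadTenantRegistry(tenantId);
        } catch (RegistryException e) {
            // Deliberately best-effort: log and let signature validation proceed, as before.
            log.error("Unable to load tenant registry for tenant :: " + tenantDomain, e);
        } finally {
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * Resolves the X.509 certificate used to verify signatures for a tenant and wraps it as a credential.
     *
     * <p>Super tenant: the keystore manager's default primary certificate. Any other tenant: the
     * certificate stored under the alias {@code tenantDomain} in the keystore named by
     * {@link #generateKSNameFromDomainName(String)}.
     *
     * @param tenantId     tenant id; {@link #SUPER_TENANT_ID} selects the primary certificate
     * @param tenantDomain tenant domain, used as both the keystore name stem and the certificate alias
     * @return credential wrapping the tenant certificate
     * @throws SSOAgentException if the keystore lookup fails, or no certificate exists under the alias
     *                           (previously a missing alias produced a credential around {@code null})
     */
    private SSOCarbonX509Credential getX509CredentialImplForTenant(int tenantId, String tenantDomain) throws SSOAgentException {
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        X509Certificate certificate;
        try {
            if (tenantId == SUPER_TENANT_ID) {
                certificate = keyStoreManager.getDefaultPrimaryCertificate();
            } else {
                certificate = (X509Certificate) keyStoreManager
                        .getKeyStore(generateKSNameFromDomainName(tenantDomain))
                        .getCertificate(tenantDomain);
            }
        } catch (Exception e) {
            throw new SSOAgentException("Error instantiating an X509CredentialImpl object for the public cert.", e);
        }
        if (certificate == null) {
            // Fail here with a clear message instead of letting a null certificate surface as an
            // NPE deep inside the signature validator.
            throw new SSOAgentException("No certificate found for tenant : " + tenantDomain);
        }
        return new SSOCarbonX509Credential(certificate);
    }

    /**
     * Derives the per-tenant keystore file name from a tenant domain: whitespace trimmed,
     * every {@code '.'} replaced by {@code '-'}, with a {@code .jks} suffix
     * (e.g. {@code "example.com"} becomes {@code "example-com.jks"}).
     *
     * @param str tenant domain
     * @return keystore file name
     */
    private static String generateKSNameFromDomainName(String str) {
        return str.trim().replace(".", "-") + ".jks";
    }
}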
