package org.opensaml.xml.encryption;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.Key;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import org.apache.tools.ant.util.XmlConstants;
import org.apache.xml.security.Init;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.XMLRuntimeException;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.opensaml.xml.security.Criteria;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.KeyAlgorithmCriteria;
import org.opensaml.xml.security.criteria.KeyLengthCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCriteria;
import org.opensaml.xml.signature.DigestMethod;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.util.XMLHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.DocumentFragment;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/xmltooling-1.4.4.jar:org/opensaml/xml/encryption/Decrypter.class */
public class Decrypter {
    private KeyInfoCredentialResolver resolver;
    private KeyInfoCredentialResolver kekResolver;
    private EncryptedKeyResolver encKeyResolver;
    private String jcaProviderName;
    private final Logger log = LoggerFactory.getLogger(Decrypter.class);
    private CriteriaSet resolverCriteria = null;
    private CriteriaSet kekResolverCriteria = null;
    private final ParserPool parserPool = buildParserPool();
    private UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    private boolean defaultRootInNewDocument = false;

    public Decrypter(KeyInfoCredentialResolver keyInfoCredentialResolver, KeyInfoCredentialResolver keyInfoCredentialResolver2, EncryptedKeyResolver encryptedKeyResolver) {
        this.resolver = keyInfoCredentialResolver;
        this.kekResolver = keyInfoCredentialResolver2;
        this.encKeyResolver = encryptedKeyResolver;
    }

    public boolean isRootInNewDocument() {
        return this.defaultRootInNewDocument;
    }

    public void setRootInNewDocument(boolean z) {
        this.defaultRootInNewDocument = z;
    }

    public String getJCAProviderName() {
        return this.jcaProviderName;
    }

    public void setJCAProviderName(String str) {
        this.jcaProviderName = str;
    }

    public KeyInfoCredentialResolver getKeyResolver() {
        return this.resolver;
    }

    public void setKeyResolver(KeyInfoCredentialResolver keyInfoCredentialResolver) {
        this.resolver = keyInfoCredentialResolver;
    }

    public KeyInfoCredentialResolver getKEKResolver() {
        return this.kekResolver;
    }

    public void setKEKResolver(KeyInfoCredentialResolver keyInfoCredentialResolver) {
        this.kekResolver = keyInfoCredentialResolver;
    }

    public EncryptedKeyResolver getEncryptedKeyResolver() {
        return this.encKeyResolver;
    }

    public void setEncryptedKeyResolver(EncryptedKeyResolver encryptedKeyResolver) {
        this.encKeyResolver = encryptedKeyResolver;
    }

    public CriteriaSet getKeyResolverCriteria() {
        return this.resolverCriteria;
    }

    public CriteriaSet setKeyResolverCriteria() {
        return getKeyResolverCriteria();
    }

    public void setKeyResolverCriteria(CriteriaSet criteriaSet) {
        this.resolverCriteria = criteriaSet;
    }

    public CriteriaSet getKEKResolverCriteria() {
        return this.kekResolverCriteria;
    }

    public void setKEKResolverCriteria(CriteriaSet criteriaSet) {
        this.kekResolverCriteria = criteriaSet;
    }

    public XMLObject decryptData(EncryptedData encryptedData) throws DecryptionException {
        return decryptData(encryptedData, isRootInNewDocument());
    }

    public XMLObject decryptData(EncryptedData encryptedData, boolean z) throws DecryptionException {
        List<XMLObject> decryptDataToList = decryptDataToList(encryptedData, z);
        if (decryptDataToList.size() == 1) {
            return decryptDataToList.get(0);
        }
        this.log.error("The decrypted data contained more than one top-level XMLObject child");
        throw new DecryptionException("The decrypted data contained more than one XMLObject child");
    }

    public List<XMLObject> decryptDataToList(EncryptedData encryptedData) throws DecryptionException {
        return decryptDataToList(encryptedData, isRootInNewDocument());
    }

    public List<XMLObject> decryptDataToList(EncryptedData encryptedData, boolean z) throws DecryptionException {
        LinkedList linkedList = new LinkedList();
        NodeList childNodes = decryptDataToDOM(encryptedData).getChildNodes();
        for (int i = 0; i < childNodes.getLength(); i++) {
            Node item = childNodes.item(i);
            if (item.getNodeType() != 1) {
                this.log.error("Decryption returned a top-level node that was not of type Element: " + ((int) item.getNodeType()));
                throw new DecryptionException("Top-level node was not of type Element");
            }
            Element element = (Element) item;
            if (z) {
                try {
                    Document newDocument = this.parserPool.newDocument();
                    newDocument.adoptNode(element);
                    newDocument.appendChild(element);
                } catch (XMLParserException e) {
                    this.log.error("There was an error creating a new DOM Document", e);
                    throw new DecryptionException("Error creating new DOM Document", e);
                }
            }
            try {
                Unmarshaller unmarshaller = this.unmarshallerFactory.getUnmarshaller(element);
                if (unmarshaller == null) {
                    unmarshaller = this.unmarshallerFactory.getUnmarshaller(Configuration.getDefaultProviderQName());
                    if (unmarshaller == null) {
                        String str = "Unable to locate unmarshaller for " + XMLHelper.getNodeQName(element);
                        this.log.error(str);
                        throw new DecryptionException(str);
                    }
                }
                linkedList.add(unmarshaller.unmarshall(element));
            } catch (UnmarshallingException e2) {
                this.log.error("There was an error during unmarshalling of the decrypted element", e2);
                throw new DecryptionException("Unmarshalling error during decryption", e2);
            }
        }
        return linkedList;
    }

    public DocumentFragment decryptDataToDOM(EncryptedData encryptedData) throws DecryptionException {
        if (this.resolver == null && this.encKeyResolver == null) {
            this.log.error("Decryption can not be attempted, required resolvers are not available");
            throw new DecryptionException("Unable to decrypt EncryptedData, required resolvers are not available");
        }
        if (this.resolver != null) {
            DocumentFragment decryptUsingResolvedKey = decryptUsingResolvedKey(encryptedData);
            if (decryptUsingResolvedKey != null) {
                return decryptUsingResolvedKey;
            }
            this.log.debug("Failed to decrypt EncryptedData using standard KeyInfo resolver");
        }
        String algorithm = encryptedData.getEncryptionMethod().getAlgorithm();
        if (DatatypeHelper.isEmpty(algorithm)) {
            this.log.error("EncryptedData's EncryptionMethod Algorithm attribute was empty, key decryption could not be attempted");
            throw new DecryptionException("EncryptedData's EncryptionMethod Algorithm attribute was empty, key decryption could not be attempted");
        }
        if (this.encKeyResolver != null) {
            DocumentFragment decryptUsingResolvedEncryptedKey = decryptUsingResolvedEncryptedKey(encryptedData, algorithm);
            if (decryptUsingResolvedEncryptedKey != null) {
                return decryptUsingResolvedEncryptedKey;
            }
            this.log.debug("Failed to decrypt EncryptedData using EncryptedKeyResolver");
        }
        this.log.error("Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver");
        throw new DecryptionException("Failed to decrypt EncryptedData");
    }

    public DocumentFragment decryptDataToDOM(EncryptedData encryptedData, Key key) throws DecryptionException {
        if (!"http://www.w3.org/2001/04/xmlenc#Element".equals(encryptedData.getType())) {
            this.log.error("EncryptedData was of unsupported type '" + encryptedData.getType() + "', could not attempt decryption");
            throw new DecryptionException("EncryptedData of unsupported type was encountered");
        }
        if (key == null) {
            this.log.error("Data decryption key was null");
            throw new IllegalArgumentException("Data decryption key may not be null");
        }
        try {
            checkAndMarshall(encryptedData);
            Element dom = encryptedData.getDOM();
            try {
                XMLCipher providerInstance = getJCAProviderName() != null ? XMLCipher.getProviderInstance(getJCAProviderName()) : XMLCipher.getInstance();
                providerInstance.init(2, key);
                try {
                    byte[] decryptToByteArray = providerInstance.decryptToByteArray(dom);
                    if (decryptToByteArray == null) {
                        throw new DecryptionException("EncryptedData could not be decrypted");
                    }
                    return parseInputStream(new ByteArrayInputStream(decryptToByteArray), encryptedData.getDOM().getOwnerDocument());
                } catch (XMLEncryptionException e) {
                    this.log.error("Error decrypting the encrypted data element", e);
                    throw new DecryptionException("Error decrypting the encrypted data element", e);
                } catch (Exception e2) {
                    throw new DecryptionException("Probable runtime exception on decryption:" + e2.getMessage(), e2);
                }
            } catch (XMLEncryptionException e3) {
                this.log.error("Error initialzing cipher instance on data decryption", e3);
                throw new DecryptionException("Error initialzing cipher instance on data decryption", e3);
            }
        } catch (DecryptionException e4) {
            this.log.error("Error marshalling EncryptedData for decryption", e4);
            throw e4;
        }
    }

    public Key decryptKey(EncryptedKey encryptedKey, String str) throws DecryptionException {
        if (this.kekResolver == null) {
            this.log.warn("No KEK KeyInfo credential resolver is available, can not attempt EncryptedKey decryption");
            throw new DecryptionException("No KEK KeyInfo resolver is available for EncryptedKey decryption");
        }
        if (DatatypeHelper.isEmpty(str)) {
            this.log.error("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
            throw new DecryptionException("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
        }
        try {
            Iterator<Credential> it = this.kekResolver.resolve(buildCredentialCriteria(encryptedKey, this.kekResolverCriteria)).iterator();
            while (it.hasNext()) {
                try {
                    return decryptKey(encryptedKey, str, SecurityHelper.extractDecryptionKey(it.next()));
                } catch (DecryptionException e) {
                    this.log.debug("Attempt to decrypt EncryptedKey using credential from KEK KeyInfo resolver failed: ", e);
                }
            }
        } catch (SecurityException e2) {
            this.log.error("Error resolving credentials from EncryptedKey KeyInfo", e2);
        }
        this.log.error("Failed to decrypt EncryptedKey, valid decryption key could not be resolved");
        throw new DecryptionException("Valid decryption key for EncryptedKey could not be resolved");
    }

    public Key decryptKey(EncryptedKey encryptedKey, String str, Key key) throws DecryptionException {
        if (key == null) {
            this.log.error("Data encryption key was null");
            throw new IllegalArgumentException("Data encryption key may not be null");
        }
        if (DatatypeHelper.isEmpty(str)) {
            this.log.error("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
            throw new DecryptionException("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
        }
        try {
            checkAndMarshall(encryptedKey);
            preProcessEncryptedKey(encryptedKey, str, key);
            Element dom = encryptedKey.getDOM();
            try {
                XMLCipher providerInstance = getJCAProviderName() != null ? XMLCipher.getProviderInstance(getJCAProviderName()) : XMLCipher.getInstance();
                providerInstance.init(4, key);
                try {
                    try {
                        Key decryptKey = providerInstance.decryptKey(providerInstance.loadEncryptedKey(dom.getOwnerDocument(), dom), str);
                        if (decryptKey == null) {
                            throw new DecryptionException("Key could not be decrypted");
                        }
                        return decryptKey;
                    } catch (XMLEncryptionException e) {
                        this.log.error("Error decrypting encrypted key", e);
                        throw new DecryptionException("Error decrypting encrypted key", e);
                    } catch (Exception e2) {
                        throw new DecryptionException("Probable runtime exception on decryption:" + e2.getMessage(), e2);
                    }
                } catch (XMLEncryptionException e3) {
                    this.log.error("Error when loading library native encrypted key representation", e3);
                    throw new DecryptionException("Error when loading library native encrypted key representation", e3);
                }
            } catch (XMLEncryptionException e4) {
                this.log.error("Error initialzing cipher instance on key decryption", e4);
                throw new DecryptionException("Error initialzing cipher instance on key decryption", e4);
            }
        } catch (DecryptionException e5) {
            this.log.error("Error marshalling EncryptedKey for decryption", e5);
            throw e5;
        }
    }

    protected void preProcessEncryptedKey(EncryptedKey encryptedKey, String str, Key key) throws DecryptionException {
        if ("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p".equals(encryptedKey.getEncryptionMethod().getAlgorithm())) {
            List<XMLObject> unknownXMLObjects = encryptedKey.getEncryptionMethod().getUnknownXMLObjects(DigestMethod.DEFAULT_ELEMENT_NAME);
            if (unknownXMLObjects.isEmpty()) {
                return;
            }
            DigestMethod digestMethod = (DigestMethod) unknownXMLObjects.get(0);
            if ("http://www.w3.org/2000/09/xmldsig#sha1".equals(DatatypeHelper.safeTrimOrNullString(digestMethod.getAlgorithm()))) {
                return;
            }
            this.log.error("EncryptedKey/EncryptionMethod/DigestMethod contains unsupported algorithm URI: {}", digestMethod.getAlgorithm());
            throw new DecryptionException("EncryptedKey/EncryptionMethod/DigestMethod contains unsupported algorithm URI");
        }
    }

    private DocumentFragment decryptUsingResolvedKey(EncryptedData encryptedData) {
        if (this.resolver == null) {
            return null;
        }
        try {
            Iterator<Credential> it = this.resolver.resolve(buildCredentialCriteria(encryptedData, this.resolverCriteria)).iterator();
            while (it.hasNext()) {
                try {
                    return decryptDataToDOM(encryptedData, SecurityHelper.extractDecryptionKey(it.next()));
                } catch (DecryptionException e) {
                    this.log.debug("Decryption attempt using credential from standard KeyInfo resolver failed: ", e);
                }
            }
            return null;
        } catch (SecurityException e2) {
            this.log.error("Error resolving credentials from EncryptedData KeyInfo", e2);
            return null;
        }
    }

    private DocumentFragment decryptUsingResolvedEncryptedKey(EncryptedData encryptedData, String str) {
        if (this.encKeyResolver == null) {
            return null;
        }
        Iterator<EncryptedKey> it = this.encKeyResolver.resolve(encryptedData).iterator();
        while (it.hasNext()) {
            try {
                return decryptDataToDOM(encryptedData, decryptKey(it.next(), str));
            } catch (DecryptionException e) {
                this.log.debug("Attempt to decrypt EncryptedData using key extracted from EncryptedKey failed: ", e);
            }
        }
        return null;
    }

    private DocumentFragment parseInputStream(InputStream inputStream, Document document) throws DecryptionException {
        try {
            Element documentElement = this.parserPool.parse(inputStream).getDocumentElement();
            document.adoptNode(documentElement);
            DocumentFragment createDocumentFragment = document.createDocumentFragment();
            createDocumentFragment.appendChild(documentElement);
            return createDocumentFragment;
        } catch (XMLParserException e) {
            this.log.error("Error parsing decrypted input stream", e);
            throw new DecryptionException("Error parsing input stream", e);
        }
    }

    private CriteriaSet buildCredentialCriteria(EncryptedType encryptedType, CriteriaSet criteriaSet) {
        CriteriaSet criteriaSet2 = new CriteriaSet();
        criteriaSet2.add(new KeyInfoCriteria(encryptedType.getKeyInfo()));
        Set<Criteria> buildKeyCriteria = buildKeyCriteria(encryptedType);
        if (buildKeyCriteria != null && !buildKeyCriteria.isEmpty()) {
            criteriaSet2.addAll(buildKeyCriteria);
        }
        if (criteriaSet != null && !criteriaSet.isEmpty()) {
            criteriaSet2.addAll(criteriaSet);
        }
        if (!criteriaSet2.contains(UsageCriteria.class)) {
            criteriaSet2.add(new UsageCriteria(UsageType.ENCRYPTION));
        }
        return criteriaSet2;
    }

    private Set<Criteria> buildKeyCriteria(EncryptedType encryptedType) {
        String safeTrimOrNullString;
        EncryptionMethod encryptionMethod = encryptedType.getEncryptionMethod();
        if (encryptionMethod != null && (safeTrimOrNullString = DatatypeHelper.safeTrimOrNullString(encryptionMethod.getAlgorithm())) != null) {
            HashSet hashSet = new HashSet(2);
            KeyAlgorithmCriteria buildKeyAlgorithmCriteria = buildKeyAlgorithmCriteria(safeTrimOrNullString);
            if (buildKeyAlgorithmCriteria != null) {
                hashSet.add(buildKeyAlgorithmCriteria);
                this.log.debug("Added decryption key algorithm criteria: {}", buildKeyAlgorithmCriteria.getKeyAlgorithm());
            }
            KeyLengthCriteria buildKeyLengthCriteria = buildKeyLengthCriteria(safeTrimOrNullString);
            if (buildKeyLengthCriteria != null) {
                hashSet.add(buildKeyLengthCriteria);
                this.log.debug("Added decryption key length criteria from EncryptionMethod algorithm URI: {}", buildKeyLengthCriteria.getKeyLength());
            } else if (encryptionMethod.getKeySize() != null && encryptionMethod.getKeySize().getValue() != null) {
                KeyLengthCriteria keyLengthCriteria = new KeyLengthCriteria(encryptionMethod.getKeySize().getValue());
                hashSet.add(keyLengthCriteria);
                this.log.debug("Added decryption key length criteria from EncryptionMethod/KeySize: {}", keyLengthCriteria.getKeyLength());
            }
            return hashSet;
        }
        return Collections.emptySet();
    }

    private KeyAlgorithmCriteria buildKeyAlgorithmCriteria(String str) {
        if (DatatypeHelper.isEmpty(str)) {
            return null;
        }
        String keyAlgorithmFromURI = SecurityHelper.getKeyAlgorithmFromURI(str);
        if (DatatypeHelper.isEmpty(keyAlgorithmFromURI)) {
            return null;
        }
        return new KeyAlgorithmCriteria(keyAlgorithmFromURI);
    }

    private KeyLengthCriteria buildKeyLengthCriteria(String str) {
        Integer keyLengthFromURI;
        if (DatatypeHelper.isEmpty(str) && (keyLengthFromURI = SecurityHelper.getKeyLengthFromURI(str)) != null) {
            return new KeyLengthCriteria(keyLengthFromURI);
        }
        return null;
    }

    protected void checkAndMarshall(XMLObject xMLObject) throws DecryptionException {
        if (xMLObject.getDOM() == null) {
            Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(xMLObject);
            if (marshaller == null) {
                marshaller = Configuration.getMarshallerFactory().getMarshaller(Configuration.getDefaultProviderQName());
                if (marshaller == null) {
                    String str = "No marshaller available for " + xMLObject.getElementQName();
                    this.log.error(str);
                    throw new DecryptionException(str);
                }
            }
            try {
                marshaller.marshall(xMLObject);
            } catch (MarshallingException e) {
                this.log.error("Error marshalling target XMLObject", e);
                throw new DecryptionException("Error marshalling target XMLObject", e);
            }
        }
    }

    protected ParserPool buildParserPool() {
        StaticBasicParserPool staticBasicParserPool = new StaticBasicParserPool();
        HashMap hashMap = new HashMap();
        staticBasicParserPool.setNamespaceAware(true);
        hashMap.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
        staticBasicParserPool.setExpandEntityReferences(false);
        hashMap.put("http://javax.xml.XMLConstants/feature/secure-processing", true);
        hashMap.put(XmlConstants.FEATURE_DISALLOW_DTD, true);
        staticBasicParserPool.setBuilderFeatures(hashMap);
        try {
            staticBasicParserPool.initialize();
            return staticBasicParserPool;
        } catch (XMLParserException e) {
            throw new XMLRuntimeException("Problem initializing Decrypter internal ParserPool", e);
        }
    }

    static {
        if (Init.isInitialized()) {
            return;
        }
        Init.init();
    }
}
