package org.keycloak.protocol.saml;

import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.models.ClientModel;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
import org.w3c.dom.Document;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocolUtils.class */
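/**
 * Signature-verification helpers for the SAML protocol: enveloped XML signatures on a parsed
 * {@link Document}, and detached query-string signatures of the HTTP-Redirect binding.
 *
 * <p>Every verification failure surfaces as a {@link VerificationException}; a normal return means
 * the check that was requested passed. Note that {@link #verifyDocumentSignature(ClientModel, Document)}
 * deliberately performs no check at all for clients that do not require signatures.
 */
public class SamlProtocolUtils {

    /** Redirect-binding query parameter carrying the XML-signature algorithm URI. */
    private static final String SIG_ALG_PARAM = "SigAlg";
    /** Redirect-binding query parameter carrying the URL-safe base64 encoded signature. */
    private static final String SIGNATURE_PARAM = "Signature";
    /** Optional relay-state parameter; it is part of the signed data when present. */
    private static final String RELAY_STATE_PARAM = "RelayState";

    /**
     * Verifies the XML signature on {@code document} with the client's configured signing
     * certificate, but only if the client is configured to require client signatures.
     *
     * @param clientModel the SAML client whose settings and signing certificate are consulted
     * @param document    the parsed SAML message to verify
     * @throws VerificationException if the client requires signatures and the document's signature is
     *                               missing/invalid, or if the client has no decodable signing certificate
     */
    public static void verifyDocumentSignature(ClientModel clientModel, Document document) throws VerificationException {
        SamlClient samlClient = new SamlClient(clientModel);
        if (!samlClient.requiresClientSignature()) {
            // Unsigned (or arbitrarily signed) documents are accepted for such clients by configuration;
            // callers must not read a normal return as proof that the document was authenticated.
            return;
        }
        verifyDocumentSignature(document, getSignatureValidationKey(clientModel));
    }

    /**
     * Verifies the XML signature on {@code document} against {@code publicKey}.
     *
     * @param document  the parsed SAML message to verify
     * @param publicKey the key the signature must verify under
     * @throws VerificationException if the signature does not verify, or if signature processing fails
     */
    public static void verifyDocumentSignature(Document document, PublicKey publicKey) throws VerificationException {
        boolean valid;
        try {
            valid = new SAML2Signature().validate(document, publicKey);
        } catch (ProcessingException e) {
            throw new VerificationException("Error validating signature", e);
        }
        if (!valid) {
            throw new VerificationException("Invalid signature on document");
        }
    }

    /**
     * Returns the public key of the client's configured signing certificate.
     *
     * @throws VerificationException if no signing certificate is configured or it cannot be decoded
     */
    public static PublicKey getSignatureValidationKey(ClientModel clientModel) throws VerificationException {
        return getPublicKey(new SamlClient(clientModel).getClientSigningCertificate());
    }

    /**
     * Returns the public key of the client's configured encryption certificate.
     *
     * @throws VerificationException if no encryption certificate is configured or it cannot be decoded
     */
    public static PublicKey getEncryptionValidationKey(ClientModel clientModel) throws VerificationException {
        return getPublicKey(clientModel, SamlConfigAttributes.SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE);
    }

    /**
     * Returns the public key of the PEM certificate stored in the named client attribute.
     *
     * @param clientModel   the client whose attribute holds the certificate
     * @param attributeName the client attribute containing a PEM-encoded certificate
     * @throws VerificationException if the attribute is absent or the certificate cannot be decoded
     */
    public static PublicKey getPublicKey(ClientModel clientModel, String attributeName) throws VerificationException {
        return getPublicKey(clientModel.getAttribute(attributeName));
    }

    /**
     * Decodes a PEM certificate and extracts its public key. Only the key is extracted: nothing here
     * checks the certificate's validity period, revocation status or chain — trust comes solely from the
     * certificate having been configured on the client.
     *
     * @param pemCertificate PEM-encoded certificate, possibly {@code null}
     * @throws VerificationException if {@code pemCertificate} is {@code null} or fails to decode
     */
    private static PublicKey getPublicKey(String pemCertificate) throws VerificationException {
        if (pemCertificate == null) {
            throw new VerificationException("Client does not have a public key.");
        }
        try {
            return PemUtils.decodeCertificate(pemCertificate).getPublicKey();
        } catch (Exception e) {
            throw new VerificationException("Could not decode cert", e);
        }
    }

    /**
     * Verifies the detached signature of a SAML HTTP-Redirect binding request.
     *
     * <p>The signed data is {@code <paramKey>=<msg>[&RelayState=<rs>]&SigAlg=<alg>} built from the
     * still-URL-encoded query values, which is why the raw (undecoded) parameters are read here. The
     * algorithm URI is looked up from its decoded form so it matches the algorithm table.
     *
     * @param publicKey the key the signature must verify under
     * @param uriInfo   the request whose query string carries the message, {@code SigAlg} and {@code Signature}
     * @param paramKey  name of the message parameter ({@code SAMLRequest} or {@code SAMLResponse})
     * @throws VerificationException if any required parameter is missing, the signature cannot be decoded,
     *                               the algorithm/key combination is unusable, or the signature does not verify
     */
    public static void verifyRedirectSignature(PublicKey publicKey, UriInfo uriInfo, String paramKey) throws VerificationException {
        MultivaluedMap<String, String> rawParams = uriInfo.getQueryParameters(false);
        String rawMessage = rawParams.getFirst(paramKey);
        String rawSigAlg = rawParams.getFirst(SIG_ALG_PARAM);
        String rawSignature = rawParams.getFirst(SIGNATURE_PARAM);
        String decodedSigAlg = uriInfo.getQueryParameters(true).getFirst(SIG_ALG_PARAM);

        if (rawMessage == null) {
            throw new VerificationException("SAM was null");
        }
        if (rawSigAlg == null) {
            throw new VerificationException("SigAlg was null");
        }
        if (rawSignature == null) {
            throw new VerificationException("Signature was null");
        }

        String signedData = buildSignedQuery(paramKey, rawMessage, rawSigAlg, rawParams);

        boolean valid;
        try {
            byte[] signatureBytes = RedirectBindingUtil.urlBase64Decode(rawSignature);
            // The algorithm identifier is taken from the request, i.e. it is attacker-controlled. The only
            // guard below is initVerify() rejecting an algorithm whose key type does not match publicKey;
            // no minimum-strength policy is applied to otherwise-supported algorithms — enforce one in the
            // caller if required.
            Signature verifier = SignatureAlgorithm.getFromXmlMethod(decodedSigAlg).createSignature();
            verifier.initVerify(publicKey);
            verifier.update(signedData.getBytes(StandardCharsets.UTF_8));
            valid = verifier.verify(signatureBytes);
        } catch (Exception e) {
            // Decoding, unknown-algorithm (null lookup) and key-mismatch failures all become verification failures.
            throw new VerificationException(e);
        }
        if (!valid) {
            throw new VerificationException("Invalid query param signature");
        }
    }

    /**
     * Rebuilds the query string that the redirect-binding signature covers, in the mandated order:
     * message, optional RelayState, SigAlg.
     *
     * <p>NOTE(review): this relies on the JAX-RS {@link UriBuilder} implementation preserving the
     * already-percent-encoded input rather than re-encoding the {@code %} signs — confirm against the
     * implementation in use.
     */
    private static String buildSignedQuery(String paramKey, String rawMessage, String rawSigAlg,
                                           MultivaluedMap<String, String> rawParams) {
        UriBuilder builder = UriBuilder.fromPath("/").queryParam(paramKey, rawMessage);
        if (rawParams.containsKey(RELAY_STATE_PARAM)) {
            builder.queryParam(RELAY_STATE_PARAM, rawParams.getFirst(RELAY_STATE_PARAM));
        }
        builder.queryParam(SIG_ALG_PARAM, rawSigAlg);
        return builder.build().getRawQuery();
    }
}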
