package org.wso2.carbon.identity.application.authenticator.samlsso.logout.validators;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.net.URISupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.CollectionCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.wso2.carbon.identity.application.authenticator.samlsso.manager.X509CredentialImpl;
import org.wso2.carbon.identity.application.authenticator.samlsso.util.SSOConstants;
import org.wso2.carbon.identity.base.IdentityException;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/samlsso/logout/validators/LogoutReqSignatureValidator.class */
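public class LogoutReqSignatureValidator {
    private static final Log log = LogFactory.getLog(LogoutReqSignatureValidator.class);

    /** Query-string parameter carrying the signature algorithm URI (HTTP-Redirect binding). */
    private static final String SIG_ALG_PARAM = "SigAlg";
    /** Query-string parameter carrying the Base64-encoded signature value (HTTP-Redirect binding). */
    private static final String SIGNATURE_PARAM = "Signature";

    /**
     * Validates the detached signature of a SAML logout request received over the HTTP-Redirect
     * binding, i.e. the {@code Signature}/{@code SigAlg} query parameters computed over the raw
     * {@code SAMLRequest[&RelayState]&SigAlg} portion of the query string.
     * <p>
     * Trust is anchored solely in {@code x509Certificate}: it is the only credential handed to the
     * explicit-key trust engine, so the signature is accepted only if it verifies with that key.
     *
     * @param str             the raw (still URL-encoded) query string of the logout request
     * @param str2            entity ID of the IdP expected to have signed the request; used as the
     *                        credential's entity ID and, when non-blank, as a resolver criterion
     * @param x509Certificate the IdP's signing certificate
     * @return {@code true} if the signature verifies with the given certificate, {@code false} otherwise
     * @throws SecurityException if {@code SAMLRequest}, {@code Signature} or {@code SigAlg} is missing or empty
     * @throws IdentityException if a query parameter cannot be URL-decoded
     */
    public boolean validateSignature(String str, String str2, X509Certificate x509Certificate)
            throws SecurityException, IdentityException {
        byte[] signature = getSignature(str);
        byte[] signedContent = getSignedContent(str);
        String signatureAlgorithm = getSignatureAlgorithm(str);
        CriteriaSet criteriaSet = buildCriteriaSet(str2);

        List<Credential> trustedCredentials = new ArrayList<>();
        trustedCredentials.add(new X509CredentialImpl(x509Certificate, str2));
        ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
                new CollectionCredentialResolver(trustedCredentials),
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());

        // NOTE(review): the algorithm URI comes straight from the attacker-controllable SigAlg
        // parameter and is not checked against an allow-list here. If deployment policy forbids
        // weak algorithms (e.g. SHA-1 based ones), that check must happen before this call.
        return trustEngine.validate(signature, signedContent, signatureAlgorithm, criteriaSet, (Credential) null);
    }

    /**
     * Verifies the enveloped XML signature of {@code signableXMLObject} against {@code x509Credential}.
     *
     * @param signableXMLObject the signed XML object (a logout request for this validator)
     * @param x509Credential    credential holding the IdP's verification key
     * @param str               unused; retained for API compatibility
     * @return {@code true} if the signature verifies; {@code false} if the object carries no signature
     * @throws IdentityException if a signature is present but fails verification
     */
    public boolean validateXMLSignature(SignableXMLObject signableXMLObject, X509Credential x509Credential, String str)
            throws IdentityException {
        if (signableXMLObject.getSignature() == null) {
            // A missing signature is reported as "not valid", not as an error; callers must reject on false.
            return false;
        }
        // NOTE(review): this is the cryptographic check only. It does not apply OpenSAML's SAML
        // signature profile validation (single enveloped reference, no unexpected transforms); if
        // the caller does not run that separately, it should be added before trusting the content.
        try {
            SignatureValidator.validate(signableXMLObject.getSignature(), x509Credential);
            return true;
        } catch (SignatureException e) {
            // Message kept verbatim for compatibility even though the object here is a logout request.
            throw IdentityException.error("Signature Validation Failed for the SAML Assertion", e);
        }
    }

    /**
     * Builds the resolver criteria for the trusted credential: SIGNING usage, plus the IdP entity ID
     * when one was supplied.
     */
    private static CriteriaSet buildCriteriaSet(String idpEntityId) {
        CriteriaSet criteriaSet = new CriteriaSet();
        if (StringUtils.isNotBlank(idpEntityId)) {
            criteriaSet.add(new EntityIdCriterion(idpEntityId));
        }
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        return criteriaSet;
    }

    /**
     * Extracts and URL-decodes the {@code SigAlg} value.
     *
     * @throws SecurityException if the parameter is absent or its value is blank
     * @throws IdentityException if URL-decoding fails
     */
    private static String getSignatureAlgorithm(String queryString) throws SecurityException, IdentityException {
        String rawPair = URISupport.getRawQueryStringParameter(queryString, SIG_ALG_PARAM);
        if (StringUtils.isEmpty(rawPair)) {
            throw new SecurityException("Couldn't extract signature algorithm from query string: " + queryString);
        }
        return decodeParameterValue(rawPair, "signature algorithm");
    }

    /**
     * Extracts, URL-decodes and Base64-decodes the {@code Signature} value.
     *
     * @throws SecurityException if the parameter is absent, blank, or decodes to nothing
     * @throws IdentityException if URL-decoding fails
     */
    private static byte[] getSignature(String queryString) throws SecurityException, IdentityException {
        String rawPair = URISupport.getRawQueryStringParameter(queryString, SIGNATURE_PARAM);
        if (StringUtils.isEmpty(rawPair)) {
            throw new SecurityException("Couldn't extract the Signature from query string: " + queryString);
        }
        byte[] signature = Base64Support.decode(decodeParameterValue(rawPair, "signature"));
        // NOTE(review): some Base64Support versions signal undecodable input with null or an
        // empty array instead of an exception; refuse both rather than pass them to the trust engine.
        if (signature == null || signature.length == 0) {
            throw new SecurityException("Couldn't extract the signature value from the query string parameter: " + rawPair);
        }
        return signature;
    }

    /**
     * Returns the URL-decoded value of one raw {@code name=value} query-string pair.
     * <p>
     * The pair is split at its first '=' so that a value containing a literal '=' (e.g. unencoded
     * Base64 padding) is kept intact, and a bare or empty value ({@code Signature=}) is reported as a
     * SecurityException instead of an ArrayIndexOutOfBoundsException.
     *
     * @param rawPair raw {@code name=value} text as returned by URISupport
     * @param what    human-readable parameter description used in error messages
     */
    private static String decodeParameterValue(String rawPair, String what) throws SecurityException, IdentityException {
        int separator = rawPair.indexOf('=');
        String rawValue = separator < 0 ? "" : rawPair.substring(separator + 1);
        if (StringUtils.isBlank(rawValue)) {
            throw new SecurityException("Couldn't extract the " + what + " value from the query string parameter: " + rawPair);
        }
        try {
            return URLDecoder.decode(rawValue, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new IdentityException("Error occurred while decoding " + what + " query parameter: " + rawPair, e);
        }
    }

    /**
     * Returns the UTF-8 bytes of the content the signature was computed over.
     *
     * @throws SecurityException if the signed-content string is empty or {@code SAMLRequest} is missing
     */
    private static byte[] getSignedContent(String queryString) throws SecurityException {
        String signedContent = buildSignedContentString(queryString);
        if (StringUtils.isEmpty(signedContent)) {
            // Both the log line and the exception carry the whole query string (SAMLRequest, RelayState);
            // make sure this text is not surfaced to the end user.
            String message = "Couldn't extract signed content string from query string: " + queryString;
            if (log.isDebugEnabled()) {
                log.debug(message);
            }
            throw new SecurityException(message);
        }
        return signedContent.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Reassembles the signed portion of the query string: the raw, still URL-encoded
     * {@code SAMLRequest}, {@code RelayState} (if present) and {@code SigAlg} pairs joined by '&',
     * in that order. Raw pairs are used on purpose: the signature covers the encoded form.
     *
     * @throws SecurityException if {@code SAMLRequest} is absent or blank
     */
    private static String buildSignedContentString(String queryString) throws SecurityException {
        if (StringUtils.isBlank(URISupport.getRawQueryStringParameter(queryString, SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ))) {
            throw new SecurityException("Process of extracting SAMLRequest from query string failed: " + queryString);
        }
        StringBuilder signedContent = new StringBuilder();
        appendParameter(signedContent, queryString, SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ);
        appendParameter(signedContent, queryString, SSOConstants.RELAY_STATE);
        appendParameter(signedContent, queryString, SIG_ALG_PARAM);
        return signedContent.toString();
    }

    /**
     * Appends the raw {@code name=value} pair for {@code paramName} to {@code sb}, prefixed with '&'
     * when {@code sb} is non-empty.
     *
     * @return {@code true} if the parameter was present and appended, {@code false} if absent
     */
    private static boolean appendParameter(StringBuilder sb, String queryString, String paramName) {
        String rawPair = URISupport.getRawQueryStringParameter(queryString, paramName);
        if (rawPair == null) {
            return false;
        }
        if (sb.length() > 0) {
            sb.append('&');
        }
        sb.append(rawPair);
        return true;
    }
}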
