package org.wso2.carbon.identity.sso.saml.validators;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.transport.http.HTTPTransportUtils;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.CollectionCredentialResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.builders.X509CredentialImpl;
import org.wso2.carbon.identity.sso.saml.exception.IdentitySAML2SSOException;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/validators/SAML2HTTPRedirectDeflateSignatureValidator.class */
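/**
 * Validates the signature of a SAML 2.0 message received over the HTTP-Redirect binding
 * (DEFLATE encoding).
 *
 * <p>With this binding the signature is not embedded in the XML: it is computed over the raw,
 * still URL-encoded query-string parameters {@code SAMLRequest}/{@code SAMLResponse},
 * {@code RelayState} and {@code SigAlg}, joined with {@code '&'} in exactly that order. This
 * class therefore works on the raw query string throughout and only URL-decodes the
 * {@code Signature} and {@code SigAlg} values themselves.
 *
 * <p>Trust is explicit: only the credential resolved for the given tenant/alias is accepted as
 * a signing key; nothing carried in the message can introduce a key.
 *
 * <p>The class holds no mutable state, so the static helpers may be used concurrently.
 */
public class SAML2HTTPRedirectDeflateSignatureValidator implements SAML2HTTPRedirectSignatureValidator {
    private static final Log log = LogFactory.getLog(SAML2HTTPRedirectDeflateSignatureValidator.class);

    /** Charset name used for URL-decoding of parameter values; mandatory on every JVM. */
    private static final String UTF_8_NAME = StandardCharsets.UTF_8.name();

    /**
     * Builds the criteria used to select the verification credential: the issuer's entity ID
     * (when supplied) plus a SIGNING usage restriction.
     *
     * @param entityId issuer entity ID; may be {@code null} or empty, in which case no
     *                 entity-ID criterion is added
     * @return the criteria set, never {@code null}
     */
    private static CriteriaSet buildCriteriaSet(String entityId) {
        CriteriaSet criteria = new CriteriaSet();
        if (!DatatypeHelper.isEmpty(entityId)) {
            criteria.add(new EntityIDCriteria(entityId));
        }
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return criteria;
    }

    /**
     * Extracts and URL-decodes the value of a single query-string parameter.
     *
     * <p>The value is everything after the first {@code '='} of the raw {@code name=value}
     * pair, so a value that itself contains an unencoded {@code '='} (for example Base64
     * padding) is preserved instead of being truncated by a naive split.
     *
     * @param queryString  raw URL query string
     * @param paramName    name of the parameter to look up
     * @param errorMessage message of the exception thrown when the parameter is unusable
     * @return the decoded value, never {@code null} or empty
     * @throws SecurityPolicyException if the parameter is absent, has no value, or cannot be decoded
     */
    private static String getDecodedParameterValue(String queryString, String paramName, String errorMessage)
            throws SecurityPolicyException {
        String rawParameter = HTTPTransportUtils.getRawQueryStringParameter(queryString, paramName);
        if (DatatypeHelper.isEmpty(rawParameter)) {
            throw new SecurityPolicyException(errorMessage);
        }
        int separator = rawParameter.indexOf('=');
        // A bare "name" or "name=" carries no value: fail closed rather than index past the end.
        if (separator < 0 || separator == rawParameter.length() - 1) {
            throw new SecurityPolicyException(errorMessage);
        }
        try {
            return URLDecoder.decode(rawParameter.substring(separator + 1), UTF_8_NAME);
        } catch (UnsupportedEncodingException e) {
            // Unreachable on a conforming JVM, but a decoding failure must never degrade into a
            // null or empty value that is handed on to the trust engine.
            throw new SecurityPolicyException("Encoding not supported.", e);
        }
    }

    /**
     * Returns the URL-decoded {@code SigAlg} parameter, i.e. the signature algorithm URI
     * the sender claims to have used.
     *
     * @param queryString raw URL query string
     * @return the algorithm URI, never {@code null}
     * @throws SecurityPolicyException if {@code SigAlg} is missing or empty
     */
    private static String getSigAlg(String queryString) throws SecurityPolicyException {
        return getDecodedParameterValue(queryString, SAMLSSOConstants.SIG_ALG,
                "Could not extract Signature Algorithm from query string");
    }

    /**
     * Returns the raw signature bytes: the {@code Signature} parameter URL-decoded and then
     * Base64-decoded.
     *
     * @param queryString raw URL query string
     * @return the signature bytes, never {@code null} or empty
     * @throws SecurityPolicyException if {@code Signature} is missing, empty, or does not
     *                                 decode to any bytes
     */
    protected static byte[] getSignature(String queryString) throws SecurityPolicyException {
        String encodedSignature = getDecodedParameterValue(queryString, SAMLSSOConstants.SIGNATURE,
                "Could not extract the Signature from query string");
        byte[] signature = Base64.decode(encodedSignature);
        // Base64.decode may yield nothing usable for malformed input; an empty signature can
        // never verify, so reject it here with a clear reason.
        if (signature == null || signature.length == 0) {
            throw new SecurityPolicyException("Could not decode the Signature from query string");
        }
        return signature;
    }

    /**
     * Reconstructs the exact byte sequence the sender signed: the raw {@code SAMLRequest} or
     * {@code SAMLResponse} parameter, followed by {@code RelayState} and {@code SigAlg} when
     * present, joined with {@code '&'}.
     *
     * @param queryString raw URL query string
     * @return UTF-8 bytes of the signed content, never empty
     * @throws SecurityPolicyException if neither a request nor a response parameter is present,
     *                                 or the resulting content is empty
     */
    protected static byte[] getSignedContent(String queryString) throws SecurityPolicyException {
        if (log.isDebugEnabled()) {
            log.debug("Constructing signed content string from URL query string " + queryString);
        }
        String signedContent = buildSignedContentString(queryString);
        if (DatatypeHelper.isEmpty(signedContent)) {
            throw new SecurityPolicyException("Could not extract signed content string from query string");
        }
        if (log.isDebugEnabled()) {
            log.debug("Constructed signed content string for HTTP-Redirect DEFLATE " + signedContent);
        }
        // The still-URL-encoded parameter text is what was signed, so it is hashed as-is.
        return signedContent.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Joins the raw {@code name=value} pairs that make up the signed content, in the order the
     * HTTP-Redirect binding prescribes.
     *
     * @param queryString raw URL query string
     * @return the signed content string
     * @throws SecurityPolicyException if neither {@code SAMLRequest} nor {@code SAMLResponse}
     *                                 is present
     */
    private static String buildSignedContentString(String queryString) throws SecurityPolicyException {
        StringBuilder content = new StringBuilder();
        boolean hasMessage = appendParameter(content, queryString, SAMLSSOConstants.AUTH_REQ_SAML_ASSRTN)
                || appendParameter(content, queryString, SAMLSSOConstants.SAML_RESP);
        if (!hasMessage) {
            throw new SecurityPolicyException("Extract of SAMLRequest or SAMLResponse from query string failed");
        }
        // RelayState and SigAlg are optional; they are appended only when present.
        appendParameter(content, queryString, SAMLSSOConstants.RELAY_STATE);
        appendParameter(content, queryString, SAMLSSOConstants.SIG_ALG);
        return content.toString();
    }

    /**
     * Appends the raw {@code name=value} text of one parameter to {@code content}, preceded by
     * {@code '&'} when something has already been appended.
     *
     * @param content     buffer being built
     * @param queryString raw URL query string
     * @param paramName   parameter to append
     * @return {@code true} if the parameter was present and appended, {@code false} otherwise
     */
    private static boolean appendParameter(StringBuilder content, String queryString, String paramName) {
        String rawParameter = HTTPTransportUtils.getRawQueryStringParameter(queryString, paramName);
        if (rawParameter == null) {
            return false;
        }
        if (content.length() > 0) {
            content.append('&');
        }
        content.append(rawParameter);
        return true;
    }

    /** No initialisation is required; this validator keeps no state. */
    @Override // org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectSignatureValidator
    public void init() throws IdentityException {
    }

    /**
     * Verifies the HTTP-Redirect signature carried in {@code queryString} against the
     * credential configured for the given tenant and alias.
     *
     * @param queryString  raw URL query string of the redirect request
     * @param issuer       entity ID used to narrow credential selection; may be empty
     * @param alias        second argument passed to
     *                     {@code SAMLSSOUtil.getX509CredentialImplForTenant} — presumably the
     *                     key alias; confirm against that utility
     * @param tenantDomain first argument passed to
     *                     {@code SAMLSSOUtil.getX509CredentialImplForTenant} — presumably the
     *                     tenant domain; confirm against that utility
     * @return {@code true} if the signature verifies with the trusted credential
     * @throws SecurityException          if the query string lacks a usable signature, signed
     *                                    content or algorithm, or verification itself fails
     * @throws IdentitySAML2SSOException  propagated from credential lookup
     */
    @Override // org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectSignatureValidator
    public boolean validateSignature(String queryString, String issuer, String alias, String tenantDomain)
            throws SecurityException, IdentitySAML2SSOException {
        byte[] signature = getSignature(queryString);
        byte[] signedContent = getSignedContent(queryString);
        String sigAlg = getSigAlg(queryString);
        CriteriaSet criteria = buildCriteriaSet(issuer);
        X509CredentialImpl credential = SAMLSSOUtil.getX509CredentialImplForTenant(tenantDomain, alias);
        // The trust engine may only use this one configured credential; the message carries
        // no KeyInfo for this binding and must not be able to supply its own key.
        List<Credential> trustedCredentials = Collections.<Credential>singletonList(credential);
        ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
                new CollectionCredentialResolver(trustedCredentials),
                SecurityHelper.buildBasicInlineKeyInfoResolver());
        return trustEngine.validate(signature, signedContent, sigAlg, criteria, (Credential) null);
    }
}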
