package org.apache.rahas.impl;

import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.RahasData;
import org.apache.rahas.Token;
import org.apache.rahas.TokenIssuer;
import org.apache.rahas.TrustException;
import org.apache.rahas.TrustUtil;
import org.apache.rahas.impl.util.CommonUtil;
import org.apache.rahas.impl.util.SAML2Utils;
import org.apache.rahas.impl.util.SAMLAttributeCallback;
import org.apache.rahas.impl.util.SAMLCallbackHandler;
import org.apache.rahas.impl.util.SignKeyHolder;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.apache.xml.security.utils.Base64;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.AttributeValue;
import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.KeyInfoConfirmationDataType;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.X509Certificate;
import org.opensaml.xml.signature.X509Data;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/rahas/impl/SAML2TokenIssuer.class */
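/**
 * {@link TokenIssuer} that answers a WS-Trust RequestSecurityToken with a signed
 * SAML 2.0 assertion (bearer or holder-of-key, depending on the requested key type).
 *
 * <p>Configuration is resolved on every {@link #issue(RahasData)} call from whichever of
 * the three {@code setConfiguration*} sources was supplied. Per-request state
 * ({@code tokenIssuerConfiguration}, {@code isSymmetricKeyBasedHoK}, {@code signatureList})
 * lives in instance fields, so one instance must not serve several requests concurrently.
 * NOTE(review): confirm that the STS creates a fresh issuer per request, or guard these fields.
 */
public class SAML2TokenIssuer implements TokenIssuer {
    private String configParamName;
    private OMElement configElement;
    private String configFile;
    /**
     * Signature(s) handed to {@code Signer.signObjects} for the assertion currently being
     * issued. Cleared before each signing so signatures from earlier requests are neither
     * re-signed nor retained.
     */
    protected List<Signature> signatureList = new ArrayList<Signature>();
    // True when createKeyInfo() built a symmetric-key holder-of-key KeyInfo for the current
    // request; it is reset at the start of issue() and read by buildAssertion().
    private boolean isSymmetricKeyBasedHoK = false;
    private SAMLTokenIssuerConfig tokenIssuerConfiguration;
    private static final Log log = LogFactory.getLog(SAML2TokenIssuer.class);

    /**
     * Builds, signs and wraps a SAML 2.0 assertion for the request described by {@code rahasData}.
     *
     * @param rahasData request data, including the inbound {@link MessageContext}; its key size and
     *                  assertion created/expiry dates are updated as a side effect
     * @return the SOAP envelope carrying the RequestSecurityTokenResponse
     * @throws TrustException if no configuration can be resolved, or if building or signing fails
     */
    @Override
    public SOAPEnvelope issue(RahasData rahasData) throws TrustException {
        MessageContext inMsgCtx = rahasData.getInMessageContext();
        // createKeyInfo() only ever sets this flag to true; reset it so a reused instance does not
        // carry a symmetric-key decision over from an earlier request.
        this.isSymmetricKeyBasedHoK = false;
        this.tokenIssuerConfiguration = CommonUtil.getTokenIssuerConfiguration(
                this.configElement, this.configFile, inMsgCtx.getParameter(this.configParamName));
        if (this.tokenIssuerConfiguration == null) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to build token configurations, " + describeConfigSource());
            }
            throw new TrustException("configurationIsNull");
        }
        SOAPEnvelope envelope = TrustUtil.createSOAPEnvelope(
                inMsgCtx.getEnvelope().getNamespace().getNamespaceURI());
        Crypto issuerCrypto = this.tokenIssuerConfiguration.getIssuerCrypto(
                inMsgCtx.getAxisService().getClassLoader());
        Document doc = ((Element) envelope).getOwnerDocument();
        // -1 means the requester did not ask for a particular key size; use the configured default.
        int requestedKeySize = rahasData.getKeySize();
        if (requestedKeySize == -1) {
            rahasData.setKeySize(this.tokenIssuerConfiguration.getKeySize());
        } else {
            rahasData.setKeySize(requestedKeySize);
        }
        Assertion assertion = buildAssertion(doc, issuerCrypto, rahasData);
        Assertion signedAssertion = signAssertion(doc, assertion, issuerCrypto);
        return createRequestSecurityTokenResponse(rahasData, signedAssertion, envelope);
    }

    /** Names the configuration source that was tried; used only in the failure log message. */
    private String describeConfigSource() {
        if (this.configElement != null) {
            return "OMElement - " + this.configElement.toString();
        }
        if (this.configFile != null) {
            return "File - " + this.configFile;
        }
        if (this.configParamName != null) {
            return "With message context parameter name - " + this.configParamName;
        }
        return "No method to build configurations";
    }

    /**
     * Populates the SOAP body with a RequestSecurityTokenResponse carrying {@code assertion},
     * stores the issued token in the token store and, for symmetric-key requests, adds the
     * RequestedProofToken.
     *
     * @param rahasData    request data (version, key type, key size, AppliesTo, lifetime dates)
     * @param assertion    the signed assertion to return
     * @param sOAPEnvelope the response envelope to fill
     * @return {@code sOAPEnvelope}, now containing the RSTR
     * @throws TrustException if any of the WS-Trust elements cannot be created
     */
    protected SOAPEnvelope createRequestSecurityTokenResponse(RahasData rahasData, Assertion assertion,
            SOAPEnvelope sOAPEnvelope) throws TrustException {
        int version = rahasData.getVersion();
        OMElement rstr;
        if (1 == version) {
            // Version 1 (presumably WS-Trust 2005/02 — confirm against RahasConstants) puts a bare
            // RSTR under the Body; later versions wrap it in an RSTR collection.
            rstr = TrustUtil.createRequestSecurityTokenResponseElement(version, sOAPEnvelope.getBody());
        } else {
            OMElement collection = TrustUtil.createRequestSecurityTokenResponseCollectionElement(
                    version, sOAPEnvelope.getBody());
            rstr = TrustUtil.createRequestSecurityTokenResponseElement(version, collection);
        }
        TrustUtil.createTokenTypeElement(version, rstr).setText(RahasConstants.TOK_TYPE_SAML_20);

        boolean symmetricKey = rahasData.getKeyType().endsWith(RahasConstants.KEY_TYPE_SYMM_KEY);
        if (symmetricKey) {
            TrustUtil.createKeySizeElement(version, rstr, rahasData.getKeySize());
        }
        if (this.tokenIssuerConfiguration.isAddRequestedAttachedRef()) {
            TrustUtil.createRequestedAttachedRef(version, rstr, "#" + assertion.getID(),
                    RahasConstants.TOK_TYPE_SAML_20);
        }
        if (this.tokenIssuerConfiguration.isAddRequestedUnattachedRef()) {
            TrustUtil.createRequestedUnattachedRef(version, rstr, assertion.getID(),
                    RahasConstants.TOK_TYPE_SAML_20);
        }
        if (rahasData.getAppliesToAddress() != null) {
            TrustUtil.createAppliesToElement(rstr, rahasData.getAppliesToAddress(), rahasData.getAddressingNs());
        }

        // Lifetime mirrors the assertion's Conditions set in buildAssertion().
        XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();
        TrustUtil.createLifetimeElement(version, rstr,
                dateFormat.format(rahasData.getAssertionCreatedDate()),
                dateFormat.format(rahasData.getAssertionExpiringDate()));

        OMElement requestedToken = TrustUtil.createRequestedSecurityTokenElement(version, rstr);
        OMElement assertionDom = assertion.getDOM();
        requestedToken.addChild((OMNode) assertionDom);

        // Persist the token (with its secret) so later requests can look it up by assertion ID.
        Token token = new Token(assertion.getID(), assertionDom,
                rahasData.getAssertionCreatedDate(), rahasData.getAssertionExpiringDate());
        token.setSecret(rahasData.getEphmeralKey());
        TrustUtil.getTokenStore(rahasData.getInMessageContext()).add(token);

        // Key computation mode 1 presumably means the requester's own entropy is the key, in which
        // case no proof token needs to be returned — confirm against SAMLTokenIssuerConfig.
        if (symmetricKey && this.tokenIssuerConfiguration.getKeyComputation() != 1) {
            TokenIssuerUtil.handleRequestedProofToken(rahasData, version, this.tokenIssuerConfiguration,
                    rstr, token, ((Element) sOAPEnvelope).getOwnerDocument());
        }
        return sOAPEnvelope;
    }

    /**
     * Builds the unsigned assertion: issuer, validity window, subject and statements.
     *
     * <p>Bearer requests get a bearer subject confirmation; anything else gets holder-of-key.
     * A symmetric-key holder-of-key assertion carries only an attribute statement; other
     * assertions carry an authentication statement plus, when claims were requested, an
     * attribute statement.
     *
     * @param document  DOM document the assertion will be marshalled into
     * @param crypto    issuer crypto, used to build the holder-of-key KeyInfo
     * @param rahasData request data; its created/expiring dates are set here
     * @return the unsigned assertion
     * @throws TrustException if the subject or a statement cannot be built
     */
    protected Assertion buildAssertion(Document document, Crypto crypto, RahasData rahasData) throws TrustException {
        Assertion assertion = SAML2Utils.createAssertion();
        assertion.setIssuer(SAML2Utils.createIssuer(this.tokenIssuerConfiguration.getIssuerName()));

        DateTime notBefore = new DateTime();
        DateTime notOnOrAfter = new DateTime(notBefore.getMillis() + this.tokenIssuerConfiguration.getTtl());
        rahasData.setAssertionCreatedDate(notBefore.toDate());
        rahasData.setAssertionExpiringDate(notOnOrAfter.toDate());
        assertion.setIssueInstant(notBefore);
        assertion.setConditions(SAML2Utils.createConditions(notBefore, notOnOrAfter));

        Subject subject;
        if (rahasData.getKeyType().endsWith(RahasConstants.KEY_TYPE_BEARER)) {
            subject = createSubjectWithBearerSubjectConfirmation(rahasData);
        } else {
            // May set isSymmetricKeyBasedHoK via createKeyInfo(); read it only after this call.
            subject = createSubjectWithHolderOfKeySubjectConfirmation(document, crypto, notBefore, notOnOrAfter, rahasData);
        }
        assertion.setSubject(subject);

        if (this.isSymmetricKeyBasedHoK) {
            assertion.getAttributeStatements().add(createAttributeStatement(rahasData));
        } else {
            assertion.getAuthnStatements().add(createAuthenticationStatement(rahasData));
            if (rahasData.getClaimDialect() != null && rahasData.getClaimElem() != null) {
                assertion.getAttributeStatements().add(createAttributeStatement(rahasData));
            }
        }
        return assertion;
    }

    /**
     * Creates a holder-of-key subject whose confirmation data carries the KeyInfo from
     * {@link #createKeyInfo(Document, Crypto, RahasData)} and the assertion validity window.
     *
     * @param document  DOM document used when building the KeyInfo
     * @param crypto    issuer crypto
     * @param dateTime  NotBefore for the confirmation data
     * @param dateTime2 NotOnOrAfter for the confirmation data
     * @param rahasData request data; the principal name, if present, becomes the NameID
     * @return the subject
     * @throws TrustException if the KeyInfo cannot be built
     */
    protected Subject createSubjectWithHolderOfKeySubjectConfirmation(Document document, Crypto crypto,
            DateTime dateTime, DateTime dateTime2, RahasData rahasData) throws TrustException {
        Subject subject = CommonUtil.buildXMLObject(Subject.DEFAULT_ELEMENT_NAME);
        // The principal is optional here (unlike the bearer case); without one the subject has no NameID.
        if (rahasData.getPrincipal() != null) {
            setSubjectNamedIdentifierData(subject, rahasData.getPrincipal().getName(),
                    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
        }
        KeyInfo keyInfo = createKeyInfo(document, crypto, rahasData);

        SubjectConfirmation confirmation = CommonUtil.buildXMLObject(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
        confirmation.setMethod(RahasConstants.SAML20_SUBJECT_CONFIRMATION_HOK);
        KeyInfoConfirmationDataType confirmationData = createKeyInfoConfirmationDataType();
        confirmationData.getKeyInfos().add(keyInfo);
        confirmationData.setNotBefore(dateTime);
        confirmationData.setNotOnOrAfter(dateTime2);
        confirmation.setSubjectConfirmationData(confirmationData);

        subject.getSubjectConfirmations().add(confirmation);
        log.debug("SAML2.0 subject is constructed successfully.");
        return subject;
    }

    /** Builds an empty SubjectConfirmationData element typed as KeyInfoConfirmationDataType. */
    private KeyInfoConfirmationDataType createKeyInfoConfirmationDataType() {
        return Configuration.getBuilderFactory()
                .getBuilder(KeyInfoConfirmationDataType.TYPE_NAME)
                .buildObject(SubjectConfirmationData.DEFAULT_ELEMENT_NAME, KeyInfoConfirmationDataType.TYPE_NAME);
    }

    /**
     * Creates a bearer subject named after the request principal.
     *
     * @param rahasData request data; the principal must be present (it is dereferenced without
     *                  a check, so a principal-less bearer request fails with a runtime exception)
     * @return the subject
     * @throws TrustException if the NameID cannot be created
     */
    protected Subject createSubjectWithBearerSubjectConfirmation(RahasData rahasData) throws TrustException {
        Subject subject = CommonUtil.buildXMLObject(Subject.DEFAULT_ELEMENT_NAME);
        setSubjectNamedIdentifierData(subject, rahasData.getPrincipal().getName(),
                "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
        SubjectConfirmation confirmation = CommonUtil.buildXMLObject(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
        confirmation.setMethod(RahasConstants.SAML20_SUBJECT_CONFIRMATION_BEARER);
        subject.getSubjectConfirmations().add(confirmation);
        return subject;
    }

    /**
     * Attaches an enveloped XML signature (with the issuer certificate in its KeyInfo) to
     * {@code assertion}, marshals the assertion into {@code document} and signs it.
     *
     * @param document  target DOM document for marshalling
     * @param assertion the assertion to sign
     * @param crypto    issuer crypto providing the signing key and certificate
     * @return the same assertion, now marshalled and signed
     * @throws TrustException on signing, certificate-encoding or marshalling failure
     */
    protected Assertion signAssertion(Document document, Assertion assertion, Crypto crypto) throws TrustException {
        SignKeyHolder signingCredential = createSignKeyHolder(crypto);
        Signature signature = CommonUtil.buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCredential);
        signature.setSignatureAlgorithm(signingCredential.getSignatureAlgorithm());
        signature.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
        try {
            // Embed the issuer certificate so relying parties can locate the verification key.
            X509Certificate certElement = CommonUtil.buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
            certElement.setValue(Base64.encode(signingCredential.getEntityCertificate().getEncoded()));
            X509Data x509Data = CommonUtil.buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
            x509Data.getX509Certificates().add(certElement);
            KeyInfo keyInfo = CommonUtil.buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
            keyInfo.getX509Datas().add(x509Data);
            signature.setKeyInfo(keyInfo);
            assertion.setSignature(signature);

            // Sign only the assertion being issued. Appending to the list without clearing it
            // re-signed every assertion this instance had ever issued and grew without bound.
            this.signatureList.clear();
            this.signatureList.add(signature);

            // The assertion has to be marshalled into the document before its signature is computed.
            org.opensaml.xml.Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion, document);
            Signer.signObjects(this.signatureList);
            log.debug("SAML2.0 assertion is marshalled and signed..");
            return assertion;
        } catch (SignatureException e) {
            throw new TrustException("errorSigningAssertion", (Throwable) e);
        } catch (CertificateEncodingException e) {
            throw new TrustException("Error in setting the signature", e);
        } catch (MarshallingException e) {
            throw new TrustException("errorMarshallingAssertion", (Throwable) e);
        }
    }

    /**
     * Loads the issuer certificate chain and private key for the configured alias and picks the
     * signature algorithm from the certificate's key type.
     *
     * <p>NOTE(review): both candidates are SHA-1 signature algorithms, kept for compatibility with
     * existing relying parties; making the algorithm configurable (e.g. rsa-sha256) would be the
     * usual hardening step.
     *
     * @param crypto issuer crypto to load the key material from
     * @return holder with certificates, private key and algorithm URI set
     * @throws TrustException if the alias, chain or key cannot be loaded; the cause is preserved
     */
    private SignKeyHolder createSignKeyHolder(Crypto crypto) throws TrustException {
        SignKeyHolder holder = new SignKeyHolder();
        try {
            String alias = this.tokenIssuerConfiguration.getIssuerKeyAlias();
            java.security.cert.X509Certificate[] issuerCerts = CommonUtil.getCertificatesByAlias(crypto, alias);
            // issuerCerts[0] is the end-entity certificate; an empty chain surfaces as an exception below.
            String algorithm;
            if (issuerCerts[0].getPublicKey().getAlgorithm().equalsIgnoreCase("DSA")) {
                algorithm = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
            } else {
                algorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
            }
            PrivateKey issuerKey = crypto.getPrivateKey(alias, this.tokenIssuerConfiguration.getIssuerKeyPassword());
            holder.setIssuerCerts(issuerCerts);
            holder.setIssuerPK(issuerKey);
            holder.setSignatureAlgorithm(algorithm);
            log.debug("SignKeyHolder object is created with the credentials..");
            return holder;
        } catch (Exception e) {
            // Preserve the cause: a missing alias, wrong key password and an empty chain are
            // otherwise indistinguishable to whoever reads the fault.
            throw new TrustException("Error creating issuer signature", e);
        }
    }

    /**
     * Builds the attribute statement, either from the configured {@link SAMLCallbackHandler} or,
     * when none is registered, with a single default attribute.
     *
     * @param rahasData request data handed to the callback
     * @return the attribute statement
     * @throws TrustException if the callback handler fails
     */
    protected AttributeStatement createAttributeStatement(RahasData rahasData) throws TrustException {
        AttributeStatement statement = CommonUtil.buildXMLObject(AttributeStatement.DEFAULT_ELEMENT_NAME);
        SAMLCallbackHandler callbackHandler = CommonUtil.getSAMLCallbackHandler(this.tokenIssuerConfiguration, rahasData);
        SAMLAttributeCallback callback = new SAMLAttributeCallback(rahasData);

        Attribute[] attributes;
        if (callbackHandler != null) {
            try {
                callbackHandler.handle(callback);
                attributes = callback.getSAML2Attributes();
            } catch (SAMLException e) {
                throw new TrustException("errorCallingSAMLCallback", (Throwable) e);
            }
        } else {
            log.debug("No callback registered to get attributes ... Using default attributes");
            Attribute defaultAttribute = (Attribute) CommonUtil.buildXMLObject(Attribute.DEFAULT_ELEMENT_NAME);
            defaultAttribute.setName("Name");
            defaultAttribute.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
            XSString value = Configuration.getBuilderFactory()
                    .getBuilder(XSString.TYPE_NAME)
                    .buildObject(AttributeValue.DEFAULT_ELEMENT_NAME, XSString.TYPE_NAME);
            value.setValue("Colombo/Rahas");
            defaultAttribute.getAttributeValues().add(value);
            attributes = new Attribute[]{defaultAttribute};
        }
        statement.getAttributes().addAll(Arrays.asList(attributes));
        log.debug("SAML2.0 attribute statement is constructed successfully.");
        return statement;
    }

    /**
     * Builds the authentication statement. The AuthnContextClassRef is Password when the inbound
     * message carried a username, X509 when it carried a certificate, and is left without a
     * value when neither property is present.
     *
     * @param rahasData request data; the inbound message context supplies the properties
     * @return the authentication statement
     * @throws TrustException if an element cannot be built
     */
    protected AuthnStatement createAuthenticationStatement(RahasData rahasData) throws TrustException {
        MessageContext inMsgCtx = rahasData.getInMessageContext();
        AuthnStatement statement = CommonUtil.buildXMLObject(AuthnStatement.DEFAULT_ELEMENT_NAME);
        statement.setAuthnInstant(new DateTime());

        AuthnContext authnContext = CommonUtil.buildXMLObject(AuthnContext.DEFAULT_ELEMENT_NAME);
        AuthnContextClassRef classRef = CommonUtil.buildXMLObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        if (inMsgCtx.getProperty(RahasConstants.USERNAME) != null) {
            classRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:Password");
        } else if (inMsgCtx.getProperty(RahasConstants.X509_CERT) != null) {
            classRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:X509");
        }
        authnContext.setAuthnContextClassRef(classRef);
        statement.setAuthnContext(authnContext);
        log.debug("SAML2.0 authentication statement is constructed successfully.");
        return statement;
    }

    /**
     * Sets the subject's NameID.
     *
     * @param subject subject to update
     * @param str     NameID value
     * @param str2    NameID format URI
     * @throws TrustException if the NameID cannot be created
     */
    protected static void setSubjectNamedIdentifierData(Subject subject, String str, String str2) throws TrustException {
        subject.setNameID(SAML2Utils.createNamedIdentifier(str, str2));
    }

    /**
     * Builds the holder-of-key KeyInfo. For a symmetric key type the proof key is wrapped for the
     * service certificate (and {@code isSymmetricKeyBasedHoK} is set); for a public key type the
     * requester's certificate (from the request, else looked up by principal name) is embedded.
     *
     * @param document  DOM document used for the encrypted-key construction
     * @param crypto    issuer crypto
     * @param rahasData request data (key type, key size, AppliesTo, client certificate, principal)
     * @return the KeyInfo
     * @throws TrustException for an unknown key type or if the KeyInfo cannot be built
     */
    protected KeyInfo createKeyInfo(Document document, Crypto crypto, RahasData rahasData) throws TrustException {
        String keyType = rahasData.getKeyType();
        if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
            this.isSymmetricKeyBasedHoK = true;
            java.security.cert.X509Certificate serviceCert = null;
            try {
                serviceCert = this.tokenIssuerConfiguration.getServiceCert(crypto, rahasData.getAppliesToAddress());
                return CommonUtil.getSymmetricKeyBasedKeyInfo(document, rahasData, serviceCert,
                        rahasData.getKeySize(), crypto, this.tokenIssuerConfiguration.getKeyComputation());
            } catch (Exception e) {
                // Name the service certificate if it was resolved so the operator can tell a
                // lookup failure from an encryption failure.
                String subjectDn = serviceCert != null ? serviceCert.getSubjectDN().getName() : "UnknownSubjectDN";
                throw new TrustException("errorInBuildingTheEncryptedKeyForPrincipal", new String[]{subjectDn}, e);
            }
        }
        if (!keyType.endsWith(RahasConstants.KEY_TYPE_PUBLIC_KEY)) {
            log.error("Unidentified key type " + keyType);
            throw new TrustException("unidentifiedKeyType", new String[]{keyType});
        }
        try {
            java.security.cert.X509Certificate clientCert = rahasData.getClientCert();
            if (clientCert == null) {
                clientCert = CommonUtil.getCertificateByAlias(crypto, rahasData.getPrincipal().getName());
            }
            return CommonUtil.getCertificateBasedKeyInfo(clientCert);
        } catch (Exception e) {
            throw new TrustException("samlAssertionCreationError", e);
        }
    }

    /**
     * Returns {@code null}: this issuer supplies no response action. NOTE(review): presumably the
     * caller falls back to a default action in that case — confirm in the STS message receiver.
     */
    @Override
    public String getResponseAction(RahasData rahasData) throws TrustException {
        return null;
    }

    /** Sets the configuration file path used when no element or parameter name is available. */
    @Override
    public void setConfigurationFile(String str) {
        this.configFile = str;
    }

    /** Sets the configuration element; it takes precedence over the file and parameter name. */
    @Override
    public void setConfigurationElement(OMElement oMElement) {
        this.configElement = oMElement;
    }

    /** Sets the message-context parameter name from which the configuration is read. */
    @Override
    public void setConfigurationParamName(String str) {
        this.configParamName = str;
    }
}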
