package org.apache.cxf.rs.security.saml.sso;

import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import org.apache.cxf.staxutils.W3CDOMStreamWriter;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.security.crypto.JCAConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;

/* loaded from: input_file:BOOT-INF/lib/cxf-rt-rs-security-sso-saml-3.2.4.jar:org/apache/cxf/rs/security/saml/sso/MetadataWriter.class */
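/**
 * Builds the SAML 2.0 service-provider metadata document ({@code md:EntityDescriptor}) and, when a
 * signing key is supplied, wraps it in an enveloped XML Signature.
 *
 * <p>The document always advertises {@code WantAssertionsSigned="true"}, two AssertionConsumerService
 * endpoints on the same location, an optional SingleLogoutService and an optional
 * {@code use="signing"} KeyDescriptor carrying the supplied certificate.
 */
public class MetadataWriter {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) MetadataWriter.class);
    // NOTE(review): the XMLSignatureFactory Javadoc only guarantees thread-safety of its static
    // methods; the JDK DOM provider is stateless in practice. Confirm if one writer is shared across threads.
    private static final XMLSignatureFactory XML_SIGNATURE_FACTORY = XMLSignatureFactory.getInstance("DOM");

    /** SAML 2.0 metadata namespace every {@code md:*} element below is written into. */
    private static final String SAML20MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    /** SAML 2.0 protocol namespace advertised in {@code protocolSupportEnumeration}. */
    private static final String SAML20P_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    /** XML Signature namespace used for the KeyDescriptor's {@code ds:KeyInfo}. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /**
     * Binding URI written on the second AssertionConsumerService entry. Kept byte-identical to the
     * original output; NOTE(review): the spec spells the Redirect binding as {@code HTTP-Redirect},
     * and ACS endpoints normally use POST/Artifact — confirm consumers accept this value.
     */
    private static final String ACS_REDIRECT_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT";
    /**
     * RSA-SHA256 XML Signature algorithm URI (RFC 4051). Spelled out because
     * {@code SignatureMethod.RSA_SHA256} only exists from Java 11 onwards.
     */
    private static final String RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /**
     * Builds the SP metadata document for this service provider.
     *
     * @param entityID                    value of the {@code entityID} attribute
     * @param assertionConsumerServiceURL {@code Location} of both AssertionConsumerService entries
     * @param singleLogoutServiceURL      {@code Location} of the SingleLogoutService; {@code null} omits the element
     * @param signingKey                  private key used to sign the document; {@code null} returns it unsigned
     * @param signingCert                 certificate published in the KeyDescriptor (omitted when {@code null});
     *                                    required whenever {@code signingKey} is non-null, because the signature
     *                                    algorithm is derived from it
     * @param wantRequestsSigned          value written to {@code AuthnRequestsSigned}
     * @return the DOM document, carrying an enveloped {@code ds:Signature} when {@code signingKey} was given
     * @throws IllegalArgumentException if a key is supplied without a certificate, or the certificate's
     *                                  signature algorithm is not supported
     * @throws Exception                on XML streaming, certificate encoding or signing failures
     */
    public Document getMetaData(String entityID, String assertionConsumerServiceURL, String singleLogoutServiceURL,
                                Key signingKey, X509Certificate signingCert, boolean wantRequestsSigned)
        throws Exception {
        if (signingKey != null && signingCert == null) {
            // Fail with a clear message instead of an NPE deep inside signMetaInfo
            throw new IllegalArgumentException("A signing certificate is required when a signing key is supplied");
        }

        W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
        writer.writeStartDocument(StandardCharsets.UTF_8.name(), "1.0");

        // The ID attribute is the target of the enveloped signature's Reference (see signMetaInfo)
        String referenceID = IDGenerator.generateID("_");
        writer.writeStartElement(SAMLConstants.SAML20MD_PREFIX, EntityDescriptor.DEFAULT_ELEMENT_LOCAL_NAME, SAML20MD_NS);
        writer.writeAttribute("ID", referenceID);
        writer.writeAttribute("entityID", entityID);
        writer.writeNamespace(SAMLConstants.SAML20MD_PREFIX, SAML20MD_NS);
        // Declared for compatibility with the original output; nothing below uses these prefixes
        writer.writeNamespace("wsa", "http://www.w3.org/2005/08/addressing");
        writer.writeNamespace("xsi", "http://www.w3.org/2001/XMLSchema-instance");

        writeSAMLMetadata(writer, assertionConsumerServiceURL, singleLogoutServiceURL, signingCert, wantRequestsSigned);

        writer.writeEndElement(); // EntityDescriptor
        writer.writeEndDocument();
        writer.close();

        Document doc = writer.getDocument();
        if (LOG.isDebugEnabled()) {
            LOG.debug("***************** unsigned ****************");
            LOG.debug(DOM2Writer.nodeToString(doc));
            LOG.debug("***************** unsigned ****************");
        }
        return signingKey == null ? doc : signMetaInfo(signingCert, signingKey, doc, referenceID);
    }

    /**
     * Writes the {@code md:SPSSODescriptor}: the optional SingleLogoutService, two AssertionConsumerService
     * entries (index 0 with the POST binding, marked default; index 1 with the redirect URI) and, when a
     * certificate is given, a {@code use="signing"} KeyDescriptor carrying it.
     *
     * @param writer                      stream positioned inside the EntityDescriptor
     * @param assertionConsumerServiceURL endpoint {@code Location} for both AssertionConsumerService entries
     * @param singleLogoutServiceURL      SingleLogoutService {@code Location}; {@code null} omits the element
     * @param signingCert                 certificate to publish; {@code null} omits the KeyDescriptor
     * @param wantRequestsSigned          value of {@code AuthnRequestsSigned}
     * @throws XMLStreamException           on StAX write failures
     * @throws MalformedURLException        declared for compatibility; nothing here throws it
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded
     */
    private void writeSAMLMetadata(XMLStreamWriter writer, String assertionConsumerServiceURL,
                                   String singleLogoutServiceURL, X509Certificate signingCert,
                                   boolean wantRequestsSigned)
        throws XMLStreamException, MalformedURLException, CertificateEncodingException {
        writer.writeStartElement(SAMLConstants.SAML20MD_PREFIX, SPSSODescriptor.DEFAULT_ELEMENT_LOCAL_NAME, SAML20MD_NS);
        writer.writeAttribute(SPSSODescriptor.AUTH_REQUESTS_SIGNED_ATTRIB_NAME, Boolean.toString(wantRequestsSigned));
        // Not configurable through this writer: assertions are always required to be signed
        writer.writeAttribute("WantAssertionsSigned", "true");
        writer.writeAttribute(RoleDescriptor.PROTOCOL_ENUMERATION_ATTRIB_NAME, SAML20P_NS);

        if (singleLogoutServiceURL != null) {
            writer.writeStartElement(SAMLConstants.SAML20MD_PREFIX, SingleLogoutService.DEFAULT_ELEMENT_LOCAL_NAME, SAML20MD_NS);
            writer.writeAttribute("Location", singleLogoutServiceURL);
            writer.writeAttribute("Binding", SAMLConstants.SAML2_POST_BINDING_URI);
            writer.writeEndElement(); // SingleLogoutService
        }

        writeAssertionConsumerService(writer, assertionConsumerServiceURL, "0", true, SAMLConstants.SAML2_POST_BINDING_URI);
        writeAssertionConsumerService(writer, assertionConsumerServiceURL, "1", false, ACS_REDIRECT_BINDING_URI);

        if (signingCert != null) {
            writeSigningKeyDescriptor(writer, signingCert);
        }
        writer.writeEndElement(); // SPSSODescriptor
    }

    /**
     * Writes one {@code md:AssertionConsumerService} element.
     *
     * @param writer    stream positioned inside the SPSSODescriptor
     * @param location  endpoint URL
     * @param index     value of the {@code index} attribute
     * @param isDefault whether to emit {@code isDefault="true"}; the attribute is omitted otherwise
     * @param binding   value of the {@code Binding} attribute
     * @throws XMLStreamException on StAX write failures
     */
    private static void writeAssertionConsumerService(XMLStreamWriter writer, String location, String index,
                                                      boolean isDefault, String binding) throws XMLStreamException {
        writer.writeStartElement(SAMLConstants.SAML20MD_PREFIX, AssertionConsumerService.DEFAULT_ELEMENT_LOCAL_NAME, SAML20MD_NS);
        writer.writeAttribute("Location", location);
        writer.writeAttribute("index", index);
        if (isDefault) {
            writer.writeAttribute("isDefault", "true");
        }
        writer.writeAttribute("Binding", binding);
        writer.writeEndElement(); // AssertionConsumerService
    }

    /**
     * Writes a {@code md:KeyDescriptor use="signing"} holding the certificate as a
     * {@code ds:KeyInfo/ds:X509Data/ds:X509Certificate} (MIME-style Base64 of the DER encoding).
     *
     * @param writer      stream positioned inside the SPSSODescriptor
     * @param signingCert certificate to publish
     * @throws XMLStreamException           on StAX write failures
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded
     */
    private static void writeSigningKeyDescriptor(XMLStreamWriter writer, X509Certificate signingCert)
        throws XMLStreamException, CertificateEncodingException {
        writer.writeStartElement(SAMLConstants.SAML20MD_PREFIX, KeyDescriptor.DEFAULT_ELEMENT_LOCAL_NAME, SAML20MD_NS);
        writer.writeAttribute("use", "signing");
        writer.writeStartElement("ds", "KeyInfo", XMLDSIG_NS);
        writer.writeNamespace("ds", XMLDSIG_NS);
        writer.writeStartElement("ds", "X509Data", XMLDSIG_NS);
        writer.writeStartElement("ds", "X509Certificate", XMLDSIG_NS);
        writer.writeCharacters(Base64.getMimeEncoder().encodeToString(signingCert.getEncoded()));
        writer.writeEndElement(); // X509Certificate
        writer.writeEndElement(); // X509Data
        writer.writeEndElement(); // KeyInfo
        writer.writeEndElement(); // KeyDescriptor
    }

    /**
     * Applies an enveloped XML Signature over the EntityDescriptor.
     *
     * <p>The signature and digest algorithms follow the certificate's own signature algorithm:
     * SHA1withDSA and SHA1withRSA keep the legacy SHA-1 algorithms, while SHA256withRSA now signs
     * with RSA-SHA256 and a SHA-256 reference digest (previously it was silently downgraded to
     * RSA-SHA1 / SHA-1). The {@code ds:Signature} is inserted as the first child of the root element.
     *
     * @param signingCert certificate whose {@code getSigAlgName()} selects the algorithms and which is
     *                    embedded, with its subject DN, in the {@code ds:KeyInfo}
     * @param signingKey  private key used to produce the signature
     * @param doc         document to sign in place
     * @param referenceID value of the root element's {@code ID} attribute the Reference points at
     * @return {@code doc}, now carrying the signature
     * @throws IllegalArgumentException if the certificate's signature algorithm is not supported
     * @throws Exception                on XML Signature API failures
     */
    private static Document signMetaInfo(X509Certificate signingCert, Key signingKey, Document doc, String referenceID)
        throws Exception {
        final String sigAlgName = signingCert.getSigAlgName();
        final String signatureMethod;
        final String digestMethod;
        if (JCAConstants.SIGNATURE_DSA_SHA1.equals(sigAlgName)) {
            signatureMethod = SignatureMethod.DSA_SHA1;
            digestMethod = DigestMethod.SHA1;
        } else if (JCAConstants.SIGNATURE_RSA_SHA1.equals(sigAlgName)) {
            signatureMethod = SignatureMethod.RSA_SHA1;
            digestMethod = DigestMethod.SHA1;
        } else if ("SHA256withRSA".equals(sigAlgName)) {
            signatureMethod = RSA_SHA256_URI;
            digestMethod = DigestMethod.SHA256;
        } else {
            LOG.error("Unsupported signature method: " + sigAlgName);
            throw new IllegalArgumentException("Unsupported signature method: " + sigAlgName);
        }

        // Enveloped transform excludes the Signature element itself from the digest; exclusive C14N
        // keeps the digest stable when the document is re-serialised with different prefixes
        List<Transform> transforms = new ArrayList<>();
        transforms.add(XML_SIGNATURE_FACTORY.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
        transforms.add(XML_SIGNATURE_FACTORY.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                                                                       (C14NMethodParameterSpec) null));
        Reference reference = XML_SIGNATURE_FACTORY.newReference(
            "#" + referenceID,
            XML_SIGNATURE_FACTORY.newDigestMethod(digestMethod, (DigestMethodParameterSpec) null),
            transforms, null, null);
        SignedInfo signedInfo = XML_SIGNATURE_FACTORY.newSignedInfo(
            XML_SIGNATURE_FACTORY.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                                                            (C14NMethodParameterSpec) null),
            XML_SIGNATURE_FACTORY.newSignatureMethod(signatureMethod, (SignatureMethodParameterSpec) null),
            Collections.singletonList(reference));

        KeyInfoFactory keyInfoFactory = XML_SIGNATURE_FACTORY.getKeyInfoFactory();
        List<Object> x509Content = new ArrayList<>();
        x509Content.add(signingCert.getSubjectX500Principal().getName());
        x509Content.add(signingCert);
        KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(x509Content)));

        DOMSignContext signContext = new DOMSignContext(signingKey, doc.getDocumentElement());
        // Register ID as an ID-typed attribute so the "#referenceID" URI resolves during signing
        signContext.setIdAttributeNS(doc.getDocumentElement(), null, "ID");
        // Place the Signature before the existing children, i.e. ahead of the SPSSODescriptor
        signContext.setNextSibling(doc.getDocumentElement().getFirstChild());
        XML_SIGNATURE_FACTORY.newXMLSignature(signedInfo, keyInfo).sign(signContext);
        return doc;
    }
}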
