package org.opensaml.saml.saml2.assertion.impl;

import java.security.KeyException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.collection.LazyList;
import net.shibboleth.utilities.java.support.collection.Pair;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.assertion.AssertionValidationException;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.KeyInfoConfirmationDataType;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
import org.opensaml.xmlsec.signature.DEREncodedKeyValue;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.KeyValue;
import org.opensaml.xmlsec.signature.X509Data;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafe
/* loaded from: input_file:BOOT-INF/lib/opensaml-saml-impl-3.4.0.jar:org/opensaml/saml/saml2/assertion/impl/HolderOfKeySubjectConfirmationValidator.class */
public class HolderOfKeySubjectConfirmationValidator extends AbstractSubjectConfirmationValidator {
    private Logger log = LoggerFactory.getLogger((Class<?>) HolderOfKeySubjectConfirmationValidator.class);

    @Override // org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator
    @Nonnull
    public String getServicedMethod() {
        return "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
    }

    @Override // org.opensaml.saml.saml2.assertion.impl.AbstractSubjectConfirmationValidator
    @Nonnull
    protected ValidationResult doValidate(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        if (!Objects.equals(subjectConfirmation.getMethod(), "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key")) {
            return ValidationResult.INDETERMINATE;
        }
        this.log.debug("Attempting holder-of-key subject confirmation");
        if (!isValidConfirmationDataType(subjectConfirmation)) {
            String format = String.format("Subject confirmation data is not of type '%s'", KeyInfoConfirmationDataType.TYPE_NAME);
            this.log.debug(format);
            validationContext.setValidationFailureMessage(format);
            return ValidationResult.INVALID;
        }
        List<KeyInfo> subjectConfirmationKeyInformation = getSubjectConfirmationKeyInformation(subjectConfirmation, assertion, validationContext);
        if (subjectConfirmationKeyInformation.isEmpty()) {
            String format2 = String.format("No key information for holder of key subject confirmation in assertion '%s'", assertion.getID());
            this.log.debug(format2);
            validationContext.setValidationFailureMessage(format2);
            return ValidationResult.INVALID;
        }
        try {
            Pair<PublicKey, X509Certificate> keyAndCertificate = getKeyAndCertificate(validationContext);
            if (keyAndCertificate.getFirst() == null && keyAndCertificate.getSecond() == null) {
                this.log.debug("Neither the presenter's certificate nor its public key were provided");
                validationContext.setValidationFailureMessage("Neither the presenter's certificate nor its public key were provided");
                return ValidationResult.INDETERMINATE;
            }
            for (KeyInfo keyInfo : subjectConfirmationKeyInformation) {
                if (matchesKeyValue(keyAndCertificate.getFirst(), keyInfo)) {
                    this.log.debug("Successfully matched public key in subject confirmation data to supplied key param");
                    validationContext.getDynamicParameters().put(SAML2AssertionValidationParameters.SC_HOK_CONFIRMED_KEYINFO, keyInfo);
                    return ValidationResult.VALID;
                }
                if (matchesX509Certificate(keyAndCertificate.getSecond(), keyInfo)) {
                    this.log.debug("Successfully matched certificate in subject confirmation data to supplied cert param");
                    validationContext.getDynamicParameters().put(SAML2AssertionValidationParameters.SC_HOK_CONFIRMED_KEYINFO, keyInfo);
                    return ValidationResult.VALID;
                }
            }
            return ValidationResult.INVALID;
        } catch (IllegalArgumentException e) {
            this.log.warn("Problem with the validation context presenter key/cert params: {}", e.getMessage());
            validationContext.setValidationFailureMessage("Unable to obtain presenter key/cert params from validation context");
            return ValidationResult.INDETERMINATE;
        }
    }

    protected boolean isValidConfirmationDataType(@Nonnull SubjectConfirmation subjectConfirmation) throws AssertionValidationException {
        QName schemaType = subjectConfirmation.getSubjectConfirmationData().getSchemaType();
        if (schemaType == null || schemaType.equals(KeyInfoConfirmationDataType.TYPE_NAME)) {
            this.log.debug("SubjectConfirmationData xsi:type was either null or matched {}", KeyInfoConfirmationDataType.TYPE_NAME);
            return true;
        }
        this.log.debug("SubjectConfirmationData xsi:type was non-null and did not match {}", KeyInfoConfirmationDataType.TYPE_NAME);
        return false;
    }

    @Nonnull
    protected Pair<PublicKey, X509Certificate> getKeyAndCertificate(@Nonnull ValidationContext validationContext) throws AssertionValidationException {
        try {
            PublicKey publicKey = (PublicKey) validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY);
            try {
                X509Certificate x509Certificate = (X509Certificate) validationContext.getStaticParameters().get(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT);
                if (x509Certificate != null) {
                    if (publicKey == null) {
                        publicKey = x509Certificate.getPublicKey();
                    } else if (!publicKey.equals(x509Certificate.getPublicKey())) {
                        throw new IllegalArgumentException("Presenter's certificate contains a different public key than the one explicitly given");
                    }
                }
                return new Pair<>(publicKey, x509Certificate);
            } catch (ClassCastException e) {
                throw new IllegalArgumentException(String.format("The value of the static validation parameter '%s' was not of the required type '%s'", SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT, X509Certificate.class.getName()));
            }
        } catch (ClassCastException e2) {
            throw new IllegalArgumentException(String.format("The value of the static validation parameter '%s' was not of the required type '%s'", SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY, PublicKey.class.getName()));
        }
    }

    @Nonnull
    protected List<KeyInfo> getSubjectConfirmationKeyInformation(@Nonnull SubjectConfirmation subjectConfirmation, @Nonnull Assertion assertion, @Nonnull ValidationContext validationContext) throws AssertionValidationException {
        SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
        LazyList lazyList = new LazyList();
        for (XMLObject xMLObject : subjectConfirmationData.getUnknownXMLObjects(KeyInfo.DEFAULT_ELEMENT_NAME)) {
            if (xMLObject != null) {
                lazyList.add((KeyInfo) xMLObject);
            }
        }
        this.log.debug("Found '{}' KeyInfo children of SubjectConfirmationData", Integer.valueOf(lazyList.size()));
        return lazyList;
    }

    protected boolean matchesKeyValue(@Nullable PublicKey publicKey, @Nonnull KeyInfo keyInfo) throws AssertionValidationException {
        if (publicKey == null) {
            this.log.debug("Presenter PublicKey was null, skipping KeyValue match");
            return false;
        }
        if (matchesKeyValue(publicKey, keyInfo.getKeyValues()) || matchesDEREncodedKeyValue(publicKey, keyInfo.getDEREncodedKeyValues())) {
            return true;
        }
        this.log.debug("Failed to match either a KeyInfo KeyValue or DEREncodedKeyValue against supplied PublicKey param");
        return false;
    }

    protected boolean matchesKeyValue(@Nonnull PublicKey publicKey, @Nullable List<KeyValue> list) {
        if (list == null || list.isEmpty()) {
            this.log.debug("KeyInfo contained no KeyValue children");
            return false;
        }
        this.log.debug("Attempting to match KeyInfo KeyValue to supplied PublicKey param of type: {}", publicKey.getAlgorithm());
        Iterator<KeyValue> it = list.iterator();
        while (it.hasNext()) {
            try {
            } catch (KeyException e) {
                this.log.warn("KeyInfo contained KeyValue that can not be parsed", (Throwable) e);
            }
            if (Objects.equals(publicKey, KeyInfoSupport.getKey(it.next()))) {
                this.log.debug("Matched KeyValue PublicKey");
                return true;
            }
            continue;
        }
        this.log.debug("Failed to match any KeyValue");
        return false;
    }

    protected boolean matchesDEREncodedKeyValue(@Nonnull PublicKey publicKey, @Nullable List<DEREncodedKeyValue> list) {
        if (list == null || list.isEmpty()) {
            this.log.debug("KeyInfo contained no DEREncodedKeyValue children");
            return false;
        }
        this.log.debug("Attempting to match KeyInfo DEREncodedKeyValue to supplied PublicKey param of type: {}", publicKey.getAlgorithm());
        Iterator<DEREncodedKeyValue> it = list.iterator();
        while (it.hasNext()) {
            try {
            } catch (KeyException e) {
                this.log.warn("KeyInfo contained DEREncodedKeyValue that can not be parsed", (Throwable) e);
            }
            if (Objects.equals(publicKey, KeyInfoSupport.getKey(it.next()))) {
                this.log.debug("Matched DEREncodedKeyValue PublicKey");
                return true;
            }
            continue;
        }
        this.log.debug("Failed to match any DEREncodedKeyValue");
        return false;
    }

    protected boolean matchesX509Certificate(@Nullable X509Certificate x509Certificate, @Nonnull KeyInfo keyInfo) throws AssertionValidationException {
        if (x509Certificate == null) {
            this.log.debug("Presenter X509Certificate was null, skipping certificate match");
            return false;
        }
        List<X509Data> x509Datas = keyInfo.getX509Datas();
        if (x509Datas == null || x509Datas.isEmpty()) {
            this.log.debug("KeyInfo contained no X509Data children, skipping certificate match");
            return false;
        }
        this.log.debug("Attempting to match KeyInfo X509Data to supplied X509Certificate param");
        Iterator<X509Data> it = x509Datas.iterator();
        while (it.hasNext()) {
            List<org.opensaml.xmlsec.signature.X509Certificate> x509Certificates = it.next().getX509Certificates();
            if (x509Certificates == null || x509Certificates.isEmpty()) {
                this.log.debug("X509Data contained no X509Certificate children, skipping certificate match");
            } else {
                Iterator<org.opensaml.xmlsec.signature.X509Certificate> it2 = x509Certificates.iterator();
                while (it2.hasNext()) {
                    try {
                    } catch (CertificateException e) {
                        this.log.warn("KeyInfo contained Certificate value that can not be parsed", (Throwable) e);
                    }
                    if (Objects.equals(x509Certificate, KeyInfoSupport.getCertificate(it2.next()))) {
                        this.log.debug("Matched X509Certificate");
                        return true;
                    }
                    continue;
                }
            }
        }
        this.log.debug("Failed to match a KeyInfo X509Data against supplied X509Certificate param");
        return false;
    }
}
