package org.apache.ws.security.saml;

import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Vector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.ws.security.message.WSSignEnvelope;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.transforms.TransformationException;
import org.apache.xml.security.transforms.Transforms;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.opensaml.SAMLObject;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.wso2.securevault.definition.CipherInformation;

/* loaded from: input_file:WEB-INF/lib/wss4j-1.5.11.wso2v17.jar:org/apache/ws/security/saml/WSSignSAMLEnvelope.class */
/**
 * Signs a SOAP envelope with a key described by a SAML 1.x assertion, for the
 * two subject-confirmation cases WS-Security's SAML Token Profile 1.0 covers:
 * <ul>
 *   <li><b>sender-vouches</b>: the message is signed with the <em>issuer's</em> key
 *       taken from {@code crypto2} (alias / password passed as {@code str} / {@code str2});
 *       the issuer certificate is placed in a BinarySecurityToken and the assertion
 *       itself is covered by the signature through an STR-Transform reference.</li>
 *   <li><b>holder-of-key</b> (any other confirmation method): the signing certificate is
 *       read from the assertion subject's {@code ds:KeyInfo}; the message is signed with
 *       the private key for {@code this.user} / {@code this.password} from {@code crypto}
 *       and the signature's KeyInfo points at the assertion by id.</li>
 * </ul>
 * Decompiled from wss4j-1.5.11 (see the loader comment above); parameter names are
 * the decompiler's, the Javadoc below gives their role.
 */
public class WSSignSAMLEnvelope extends WSSignEnvelope {
    /** General debug log for this class. */
    private static Log log = LogFactory.getLog(WSSignSAMLEnvelope.class.getName());
    /** Timing log; when debug-enabled, per-phase millisecond timings are emitted at the end of {@link #build}. */
    private static Log tlog = LogFactory.getLog("org.apache.ws.security.TIME");

    public WSSignSAMLEnvelope() {
    }

    /**
     * @param str presumably the actor/role of the wsse:Security header, forwarded to the superclass — confirm
     * @param z presumably the mustUnderstand flag, forwarded to the superclass — confirm
     */
    public WSSignSAMLEnvelope(String str, boolean z) {
        super(str, z);
    }

    /**
     * Builds the wsse:Security header with the assertion and a signature over {@code this.parts}
     * (defaulting to the SOAP Body content) and returns the same, now modified, document.
     *
     * @param document       the SOAP envelope to sign; modified in place
     * @param crypto         holder-of-key: Crypto holding the private key for {@code this.user};
     *                       must be non-null in that mode (unused in sender-vouches)
     * @param sAMLAssertion  the SAML 1.x assertion; must carry a subject statement. In holder-of-key
     *                       mode it must report {@code isSigned()} — note that this method only checks
     *                       that flag, it does not itself validate the assertion's signature
     * @param crypto2        sender-vouches: Crypto holding the issuer's certificate and private key
     * @param str            sender-vouches: issuer key alias in {@code crypto2}
     * @param str2           sender-vouches: password for that issuer key
     * @return {@code document}, with the security header, assertion and signature inserted
     * @throws WSSecurityException when the assertion has no subject, no certificate can be obtained,
     *         the key algorithm is not DSA/RSA, a referenced part is missing, the key identifier type
     *         is anything but direct reference, or signing fails. The integer codes {@code 0} and
     *         {@code 10} are the decompiled WSSecurityException constants (presumably FAILURE and
     *         FAILED_SIGNATURE — confirm against WSSecurityException)
     */
    public Document build(Document document, Crypto crypto, SAMLAssertion sAMLAssertion, Crypto crypto2, String str, String str2) throws WSSecurityException {
        this.doDebug = log.isDebugEnabled();
        // Phase timestamps are only taken when the TIME logger is enabled.
        long currentTimeMillis = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
        if (this.doDebug) {
            log.debug("Beginning ST signing...");
        }
        // Use the first SAMLSubjectStatement in the assertion; any further statements are ignored.
        SAMLSubjectStatement sAMLSubjectStatement = null;
        Iterator statements = sAMLAssertion.getStatements();
        while (true) {
            if (!statements.hasNext()) {
                break;
            }
            SAMLObject sAMLObject = (SAMLObject) statements.next();
            if (sAMLObject instanceof SAMLSubjectStatement) {
                sAMLSubjectStatement = (SAMLSubjectStatement) sAMLObject;
                break;
            }
        }
        SAMLSubject subject = sAMLSubjectStatement != null ? sAMLSubjectStatement.getSubject() : null;
        if (subject == null) {
            throw new WSSecurityException(0, "invalidSAMLToken", new Object[]{"for Signature"});
        }
        // Only the FIRST confirmation method decides the mode: sender-vouches if it matches the
        // SAML 1.0 URN, otherwise the assertion is treated as holder-of-key.
        Iterator confirmationMethods = subject.getConfirmationMethods();
        boolean z = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches".equals(confirmationMethods.hasNext() ? (String) confirmationMethods.next() : null);
        WSDocInfo wSDocInfo = new WSDocInfo(document);
        Element documentElement = document.getDocumentElement();
        SOAPConstants sOAPConstants = WSSecurityUtil.getSOAPConstants(documentElement);
        Element insertSecurityHeader = insertSecurityHeader(document);
        X509Certificate[] x509CertificateArr = null;
        if (z) {
            // Sender-vouches: the signing certificate chain is the issuer's, looked up by alias.
            x509CertificateArr = crypto2.getCertificates(str);
            wSDocInfo.setCrypto(crypto2);
        } else {
            // Holder-of-key: the key comes from the assertion, so a signed assertion and a Crypto
            // to resolve the private key are required. isSigned() is taken at face value here.
            if (crypto == null || !sAMLAssertion.isSigned()) {
                throw new WSSecurityException(0, "invalidSAMLsecurity", new Object[]{"for SAML Signature (Key Holder)"});
            }
            try {
                // Only the first X509Data and its first certificate are considered.
                KeyInfo keyInfo = new KeyInfo(subject.getKeyInfo(), null);
                if (keyInfo.containsX509Data()) {
                    X509Data itemX509Data = keyInfo.itemX509Data(0);
                    XMLX509Certificate xMLX509Certificate = null;
                    if (itemX509Data != null && itemX509Data.containsCertificate()) {
                        xMLX509Certificate = itemX509Data.itemCertificate(0);
                    }
                    if (xMLX509Certificate != null) {
                        x509CertificateArr = new X509Certificate[]{xMLX509Certificate.getX509Certificate()};
                    }
                }
                wSDocInfo.setCrypto(crypto);
            } catch (XMLSecurityException e) {
                throw new WSSecurityException(0, "invalidSAMLsecurity", new Object[]{"cannot get certificate (key holder)"}, e);
            }
        }
        if (x509CertificateArr == null || x509CertificateArr.length <= 0) {
            throw new WSSecurityException(0, "noCertsFound", new Object[]{"SAML signature"});
        }
        // Signature algorithm auto-detection from the certificate's public key when the caller set
        // none. Both choices are the SHA-1 URIs; anything other than DSA or the securevault default
        // algorithm (presumably "RSA" — confirm CipherInformation.DEFAULT_ALGORITHM) is rejected.
        if (this.sigAlgo == null) {
            String algorithm = x509CertificateArr[0].getPublicKey().getAlgorithm();
            log.debug("automatic sig algo detection: " + algorithm);
            if (algorithm.equalsIgnoreCase("DSA")) {
                this.sigAlgo = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
            } else {
                if (!algorithm.equalsIgnoreCase(CipherInformation.DEFAULT_ALGORITHM)) {
                    throw new WSSecurityException(0, "unknownSignatureAlgorithm", new Object[]{algorithm});
                }
                this.sigAlgo = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
            }
        }
        try {
            XMLSignature xMLSignature = new XMLSignature(document, (String) null, this.sigAlgo, this.canonAlgo);
            KeyInfo keyInfo2 = xMLSignature.getKeyInfo();
            // All wsu:Id / Id values come from the configured IdAllocator:
            //   createSecureId  -> ds:KeyInfo Id
            //   createSecureId2 -> wsse:SecurityTokenReference inside the KeyInfo
            //   createSecureId3 -> BinarySecurityToken id (only materialised in sender-vouches mode)
            String createSecureId = this.wssConfig.getIdAllocator().createSecureId("KeyId-", keyInfo2);
            keyInfo2.setId(createSecureId);
            SecurityTokenReference securityTokenReference = new SecurityTokenReference(document);
            String createSecureId2 = this.wssConfig.getIdAllocator().createSecureId("STRId-", securityTokenReference);
            securityTokenReference.setID(createSecureId2);
            String createSecureId3 = this.wssConfig.getIdAllocator().createSecureId("CertId-", x509CertificateArr[0]);
            long currentTimeMillis2 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
            // Default signed part: the SOAP Body, "Content" modifier.
            if (this.parts == null) {
                this.parts = new Vector();
                this.parts.add(new WSEncryptionPart(sOAPConstants.getBodyQName().getLocalPart(), sOAPConstants.getEnvelopeURI(), "Content"));
            }
            // Sender-vouches: bind the assertion to the signature via a second STR that points at the
            // assertion id and is covered through the STR-Dereference transform.
            SecurityTokenReference securityTokenReference2 = null;
            if (z) {
                try {
                    securityTokenReference2 = new SecurityTokenReference(document);
                    String createSecureId4 = this.wssConfig.getIdAllocator().createSecureId("STRSAMLId-", securityTokenReference2);
                    securityTokenReference2.setID(createSecureId4);
                    Reference reference = new Reference(document);
                    reference.setURI("#" + sAMLAssertion.getId());
                    reference.setValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertion-1.1");
                    securityTokenReference2.setReference(reference);
                    Element createSTRParameter = createSTRParameter(document);
                    Transforms transforms = new Transforms(document);
                    transforms.addTransform("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform", createSTRParameter);
                    xMLSignature.addDocument("#" + createSecureId4, transforms);
                } catch (XMLSignatureException e2) {
                    throw new WSSecurityException(10, "noXMLSig", null, e2);
                } catch (TransformationException e3) {
                    throw new WSSecurityException(10, "noXMLSig", null, e3);
                }
            }
            // Add one ds:Reference per requested part. Two pseudo-part names are special:
            //   "Token"        -> the signing token (BST id for direct reference, else the KeyInfo id)
            //   "STRTransform" -> the KeyInfo's STR via the STR-Dereference transform
            // Everything else is located by local name + namespace and given a wsu:Id.
            for (int i = 0; i < this.parts.size(); i++) {
                WSEncryptionPart wSEncryptionPart = (WSEncryptionPart) this.parts.get(i);
                String name = wSEncryptionPart.getName();
                String namespace = wSEncryptionPart.getNamespace();
                if (name.equals("Token")) {
                    Transforms transforms2 = new Transforms(document);
                    transforms2.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");
                    // NOTE(review): keyIdentifierType 1 is presumably BST_DIRECT_REFERENCE. createSecureId3
                    // is only attached to an element in the sender-vouches branch below, so a "Token" part
                    // in holder-of-key mode appears to produce a reference with no target — confirm.
                    if (this.keyIdentifierType == 1) {
                        xMLSignature.addDocument("#" + createSecureId3, transforms2);
                    } else {
                        xMLSignature.addDocument("#" + createSecureId, transforms2);
                    }
                } else if (name.equals("STRTransform")) {
                    Element createSTRParameter2 = createSTRParameter(document);
                    Transforms transforms3 = new Transforms(document);
                    transforms3.addTransform("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform", createSTRParameter2);
                    xMLSignature.addDocument("#" + createSecureId2, transforms3);
                } else {
                    Element element = (Element) WSSecurityUtil.findElement(documentElement, name, namespace);
                    if (element == null) {
                        throw new WSSecurityException(0, "noEncElement", new Object[]{namespace + ", " + name});
                    }
                    Transforms transforms4 = new Transforms(document);
                    transforms4.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");
                    xMLSignature.addDocument("#" + setWsuId(element), transforms4);
                }
            }
            xMLSignature.addResourceResolver(EnvelopeIdResolver.getInstance());
            // Each prependChildElement call below pushes its element to the top of the header, so the
            // final top-to-bottom order is: assertion, [STR to assertion, BST] (sender-vouches), Signature.
            WSSecurityUtil.prependChildElement(insertSecurityHeader, xMLSignature.getElement());
            long currentTimeMillis3 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
            // Only direct-reference key identification is supported for SAML signatures.
            switch (this.keyIdentifierType) {
                case 1:
                    Reference reference2 = new Reference(document);
                    if (z) {
                        // Sender-vouches: KeyInfo -> BST carrying the issuer certificate.
                        reference2.setURI("#" + createSecureId3);
                        X509Security x509Security = new X509Security(document);
                        x509Security.setX509Certificate(x509CertificateArr[0]);
                        x509Security.setID(createSecureId3);
                        WSSecurityUtil.prependChildElement(insertSecurityHeader, x509Security.getElement());
                        wSDocInfo.setBst(x509Security.getElement());
                        reference2.setValueType(x509Security.getValueType());
                    } else {
                        // Holder-of-key: KeyInfo -> the assertion itself; the verifier must resolve the
                        // key from the assertion subject's KeyInfo.
                        reference2.setURI("#" + sAMLAssertion.getId());
                        reference2.setValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertion-1.1");
                    }
                    securityTokenReference.setReference(reference2);
                    long currentTimeMillis4 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
                    keyInfo2.addUnknownElement(securityTokenReference.getElement());
                    keyInfo2.getElement().setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:ds", "http://www.w3.org/2000/09/xmldsig#");
                    try {
                        Element element2 = (Element) sAMLAssertion.toDOM(document);
                        if (z) {
                            WSSecurityUtil.prependChildElement(insertSecurityHeader, securityTokenReference2.getElement());
                        }
                        wSDocInfo.setAssertion(element2);
                        WSSecurityUtil.prependChildElement(insertSecurityHeader, element2);
                        // The WSDocInfo is registered so the STR-Transform / id resolver can find the
                        // assertion and BST while signing; it is removed again on every exit path
                        // (the success path and the Throwable catch together form the decompiled finally).
                        boolean store = WSDocInfoStore.store(wSDocInfo);
                        try {
                            try {
                                if (z) {
                                    // Sender-vouches: sign with the issuer key from crypto2.
                                    xMLSignature.sign(crypto2.getPrivateKey(str, str2));
                                } else {
                                    // Holder-of-key: sign with this.user's key from crypto.
                                    xMLSignature.sign(crypto.getPrivateKey(this.user, this.password));
                                }
                                this.signatureValue = xMLSignature.getSignatureValue();
                                if (store) {
                                    WSDocInfoStore.delete(wSDocInfo);
                                }
                                if (tlog.isDebugEnabled()) {
                                    tlog.debug("SignEnvelope: cre-Sig= " + (currentTimeMillis2 - currentTimeMillis) + " set transform= " + (currentTimeMillis3 - currentTimeMillis2) + " sec-ref= " + (currentTimeMillis4 - currentTimeMillis3) + " signature= " + (System.currentTimeMillis() - currentTimeMillis4));
                                }
                                if (this.doDebug) {
                                    log.debug("Signing complete.");
                                }
                                return document;
                            } catch (XMLSignatureException e4) {
                                throw new WSSecurityException(10, null, null, e4);
                            } catch (Exception e5) {
                                // Both catches wrap identically; the split is a decompiler artifact.
                                throw new WSSecurityException(10, null, null, e5);
                            }
                        } catch (Throwable th) {
                            if (store) {
                                WSDocInfoStore.delete(wSDocInfo);
                            }
                            throw th;
                        }
                    } catch (SAMLException e6) {
                        throw new WSSecurityException(10, "noSAMLdoc", null, e6);
                    }
                default:
                    throw new WSSecurityException(0, "unsupportedKeyId");
            }
        } catch (XMLSecurityException e7) {
            throw new WSSecurityException(10, "noXMLSig", null, e7);
        }
    }
}
