package org.picketlink.identity.federation.web.handlers.saml2;

import java.security.PublicKey;
import java.util.Map;
import javax.ws.rs.HttpMethod;
import org.jboss.security.audit.AuditLevel;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.util.DocumentUtil;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditEvent;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditEventType;
import org.picketlink.identity.federation.core.audit.PicketLinkAuditHelper;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.web.core.HTTPContext;
import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.w3c.dom.Document;

/* loaded from: input_file:WEB-INF/lib/picketlink-federation-2.5.3.SP1.jar:org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureValidationHandler.class */
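/**
 * Handler that verifies the signature of an inbound SAML2 request or status response before
 * later handlers act on it.
 *
 * <p>For the HTTP-POST binding the XML signature on the request document is validated with
 * {@link SAML2Signature}; for any other HTTP method the message is treated as HTTP-Redirect
 * binding and the {@code Signature} parameter of the query string is validated with
 * {@link RedirectBindingSignatureUtil}. The key used is the {@code SENDER_PUBLIC_KEY} request
 * option.
 *
 * <p>Validation is skipped entirely when {@code isSupportsSignature(request)} is false or when the
 * {@code IGNORE_SIGNATURES} option is {@code Boolean.TRUE}. On failure an
 * {@code ERROR_SIG_VALIDATION} audit event is emitted (when an audit helper is configured), the
 * handler response is marked with error code {@value #SIGNATURE_VALIDATION_ERROR_CODE} and a
 * {@link ProcessingException} is thrown.
 */
public class SAML2SignatureValidationHandler extends AbstractSignatureHandler {

    /** Error code set on the handler response when signature validation does not succeed. */
    private static final int SIGNATURE_VALIDATION_ERROR_CODE = 100;

    private final SAML2Signature saml2Signature = new SAML2Signature();

    /**
     * Validates the signature of an inbound request type (e.g. AuthnRequest, LogoutRequest).
     *
     * @throws ProcessingException when the signature is missing, invalid or cannot be checked
     */
    @Override
    public void handleRequestType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        validateSender(sAML2HandlerRequest, sAML2HandlerResponse);
    }

    /**
     * Validates the signature of an inbound status response type (e.g. Response, LogoutResponse).
     *
     * @throws ProcessingException when the signature is missing, invalid or cannot be checked
     */
    @Override
    public void handleStatusResponseType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        validateSender(sAML2HandlerRequest, sAML2HandlerResponse);
    }

    /**
     * Performs the binding-specific signature check and reports a failure exactly once.
     *
     * <p>The previous layout threw the "validation failed" exception from inside the same
     * {@code try} whose {@code catch (ProcessingException)} also audited, so an invalid (as opposed
     * to unverifiable) signature produced two audit events. Failure reporting is now done in one
     * place per outcome.
     *
     * @param request  handler request carrying the document, options and HTTP context
     * @param response handler response that receives the error code on failure
     * @throws ProcessingException when the signature is invalid or could not be verified
     */
    private void validateSender(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException {
        if (!isSupportsSignature(request)) {
            return;
        }

        Map<String, Object> options = request.getOptions();
        PicketLinkAuditHelper auditHelper = (PicketLinkAuditHelper) options.get(GeneralConstants.AUDIT_HELPER);
        String contextPath = (String) options.get(GeneralConstants.CONTEXT_PATH);

        // Explicit opt-out of signature checking. Null-safe equals instead of a reference
        // comparison against Boolean.TRUE, so any true-valued Boolean instance is honoured.
        // NOTE(review): presumably this option is set from server-side configuration, not
        // derived from the inbound message — confirm at the call site.
        Boolean ignoreSignatures = (Boolean) options.get(GeneralConstants.IGNORE_SIGNATURES);
        if (Boolean.TRUE.equals(ignoreSignatures)) {
            return;
        }

        Document requestDocument = request.getRequestDocument();
        if (logger.isTraceEnabled()) {
            logger.trace("Going to validate signature for: " + DocumentUtil.asString(requestDocument));
        }
        // A missing key is not checked here; both verifiers wrap any resulting exception into a
        // ProcessingException, so validation still fails closed.
        PublicKey senderKey = (PublicKey) options.get(GeneralConstants.SENDER_PUBLIC_KEY);

        boolean valid;
        try {
            HTTPContext httpContext = (HTTPContext) request.getContext();
            String method = httpContext.getRequest().getMethod();
            if (logger.isTraceEnabled()) {
                logger.trace("HTTP method for validating response: " + method);
            }
            // POST carries the signed XML in the body; anything else is treated as Redirect
            // binding, where the signature travels in the query string.
            valid = HttpMethod.POST.equalsIgnoreCase(method)
                    ? verifyPostBindingSignature(requestDocument, senderKey)
                    : verifyRedirectBindingSignature(httpContext, senderKey);
        } catch (ProcessingException e) {
            // Signature absent or verification itself failed.
            reportSignatureFailure(auditHelper, contextPath, response);
            throw e;
        }

        if (!valid) {
            // Verification ran to completion but the signature does not match.
            reportSignatureFailure(auditHelper, contextPath, response);
            throw constructSignatureException();
        }
    }

    /**
     * Emits an {@code ERROR_SIG_VALIDATION} audit event (when an audit helper is available) and
     * marks the handler response with the signature-validation error code.
     *
     * @param auditHelper audit helper from the request options, may be {@code null}
     * @param contextPath value recorded as "who is auditing"
     * @param response    handler response to flag
     */
    private void reportSignatureFailure(PicketLinkAuditHelper auditHelper, String contextPath, SAML2HandlerResponse response) {
        if (auditHelper != null) {
            PicketLinkAuditEvent auditEvent = new PicketLinkAuditEvent(AuditLevel.INFO);
            auditEvent.setWhoIsAuditing(contextPath);
            auditEvent.setType(PicketLinkAuditEventType.ERROR_SIG_VALIDATION);
            auditHelper.audit(auditEvent);
        }
        response.setError(SIGNATURE_VALIDATION_ERROR_CODE, "Signature Validation Failed");
    }

    /**
     * Validates the XML signature embedded in the POST-binding document.
     *
     * @return {@code true} when the signature verifies against {@code publicKey}
     * @throws ProcessingException when the signature cannot be verified at all
     */
    private boolean verifyPostBindingSignature(Document document, PublicKey publicKey) throws ProcessingException {
        try {
            return this.saml2Signature.validate(document, publicKey);
        } catch (Exception e) {
            // Any failure during verification is surfaced as an invalid-signature error; the
            // cause is logged rather than propagated to the sender.
            logger.samlHandlerErrorValidatingSignature(e);
            throw logger.samlHandlerInvalidSignatureError();
        }
    }

    /**
     * Validates the {@code Signature} query parameter of a Redirect-binding message.
     *
     * @return {@code true} when the query-string signature verifies against {@code publicKey}
     * @throws ProcessingException when no signature is present or verification fails
     */
    private boolean verifyRedirectBindingSignature(HTTPContext httpContext, PublicKey publicKey) throws ProcessingException {
        try {
            String queryString = httpContext.getRequest().getQueryString();
            byte[] signatureValue = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
            if (signatureValue == null) {
                // An unsigned redirect message is rejected rather than accepted unverified.
                throw logger.samlHandlerSignatureNotPresentError();
            }
            return RedirectBindingSignatureUtil.validateSignature(queryString, publicKey, signatureValue);
        } catch (Exception e) {
            throw logger.samlHandlerSignatureValidationError(e);
        }
    }

    /** Builds the exception thrown when a signature was checked and found not to match. */
    private ProcessingException constructSignatureException() {
        return new ProcessingException(logger.samlHandlerSignatureValidationFailed());
    }
}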
