package org.apache.wss4j.dom.processor;

import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.util.EncryptionUtils;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-dom-2.1.4.jar:org/apache/wss4j/dom/processor/SAMLTokenProcessor.class */
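/**
 * {@link Processor} for a SAML Assertion element found in a WS-Security header.
 *
 * <p>Processing order matters for security and is fixed in {@link #handleToken}:
 * for a signed assertion the enveloped signature is first unmarshalled with the
 * provider's secure-validation flag set, the verification key is resolved from
 * the assertion's own {@code KeyInfo}, the configured SAML {@link AlgorithmSuite}
 * (if any) is enforced and the signature is verified; only then is the subject
 * parsed and the configured {@link Validator} (if any) consulted. Trust in the
 * resolved certificate or key is not decided in this class: the signature
 * verification {@code Crypto} from the {@link RequestData} is handed to
 * {@code SAMLUtil.getCredentialFromKeyInfo} and to
 * {@code SamlAssertionWrapper.verifySignature}, which are expected to apply it
 * (confirm in those classes).
 *
 * <p>Results are recorded in the {@link WSDocInfo}: a second occurrence of the
 * same element yields the stored result, while a different element carrying an
 * already-seen assertion id is rejected as a duplicate.
 */
public class SAMLTokenProcessor implements Processor {
    private static final Logger LOG = LoggerFactory.getLogger(SAMLTokenProcessor.class);

    /**
     * Action code of the engine result for an assertion that carries a signature.
     * Same value as {@code WSConstants.ST_SIGNED}; the decompiler inlined the constant.
     */
    private static final int ACTION_SIGNED_TOKEN = 16;

    /**
     * Action code of the engine result for an unsigned assertion.
     * Same value as {@code WSConstants.ST_UNSIGNED}; the decompiler inlined the constant.
     */
    private static final int ACTION_UNSIGNED_TOKEN = 8;

    /** Message argument shared by every KeyInfo / signature failure raised below. */
    private static final String NO_KEY_MSG = "cannot get certificate or key";

    /** Factory used to unmarshal the assertion's enveloped signature for inspection. */
    private final XMLSignatureFactory signatureFactory;

    /**
     * Creates the processor, preferring the Apache Santuario JSR-105 provider
     * ({@code "ApacheXMLDSig"}) and falling back to whatever provider the JDK
     * offers for the {@code "DOM"} mechanism when Santuario is not registered.
     */
    public SAMLTokenProcessor() {
        XMLSignatureFactory factory;
        try {
            factory = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException e) {
            // Santuario not registered as a security provider: use the default "DOM" provider.
            LOG.debug("ApacheXMLDSig provider not available, falling back to the default DOM provider");
            factory = XMLSignatureFactory.getInstance("DOM");
        }
        this.signatureFactory = factory;
    }

    /**
     * Processes one SAML Assertion element and returns the single engine result for it.
     *
     * <p>Signature key/algorithm checks run before the subject is parsed and before
     * the validator is invoked, so an assertion with a bad signature never reaches
     * either. The token is marked {@code TAG_VALIDATED_TOKEN} only when a
     * {@link Validator} is configured for the element's QName; without one the
     * assertion is still returned but not marked validated.
     *
     * @param element     the {@code Assertion} element
     * @param requestData request configuration (validators, crypto, algorithm suite, callback handler)
     * @param wSDocInfo   per-document state used to detect duplicate tokens and to store results
     * @return a singleton list holding the new result, or the previously stored result
     *         when this exact element has already been processed
     * @throws WSSecurityException if the signature cannot be verified, the algorithm suite
     *         is violated, the validator rejects the token, or a different element already
     *         carries the same assertion id ({@code duplicateError})
     */
    @Override // org.apache.wss4j.dom.processor.Processor
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        LOG.debug("Found SAML Assertion element");
        Validator validator = requestData.getValidator(new QName(element.getNamespaceURI(), element.getLocalName()));
        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(element);

        // Signature first: keys and algorithms are checked before anything else reads the assertion.
        XMLSignature xmlSignature = verifySignatureKeysAndAlgorithms(samlAssertion, requestData, wSDocInfo);
        List<WSDataRef> dataRefs = createDataRefs(element, samlAssertion, xmlSignature);

        Credential credential = handleSAMLToken(samlAssertion, requestData, validator, wSDocInfo);
        // The validator may substitute a (transformed) assertion; work with what it returned.
        SamlAssertionWrapper validatedAssertion = credential.getSamlAssertion();
        if (LOG.isDebugEnabled()) {
            // Guarded: serialising the whole element is expensive.
            LOG.debug("SAML Assertion issuer " + validatedAssertion.getIssuerString());
            LOG.debug(DOM2Writer.nodeToString(element));
        }

        String id = validatedAssertion.getId();
        Element knownElement = wSDocInfo.getTokenElement(id);
        if (element.equals(knownElement)) {
            // Same element seen before (e.g. referenced twice): hand back the stored result.
            return Collections.singletonList(wSDocInfo.getResult(id));
        }
        if (knownElement != null) {
            // A different element already claims this assertion id.
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "duplicateError");
        }
        wSDocInfo.addTokenElement(element);

        WSSecurityEngineResult result;
        if (validatedAssertion.isSigned()) {
            result = new WSSecurityEngineResult(ACTION_SIGNED_TOKEN, validatedAssertion);
            result.put(WSSecurityEngineResult.TAG_DATA_REF_URIS, dataRefs);
        } else {
            result = new WSSecurityEngineResult(ACTION_UNSIGNED_TOKEN, validatedAssertion);
        }
        // An empty id is not recorded; any other value (including null) is stored as-is.
        if (!"".equals(id)) {
            result.put("id", id);
        }
        if (validator != null) {
            result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
            addPrincipalAndSubject(result, credential, validatedAssertion);
        }
        wSDocInfo.addResult(result);
        return Collections.singletonList(result);
    }

    /**
     * Copies the validator's outcome (transformed token, principal, subject) into the result.
     *
     * <p>The principal is taken from the credential when the validator set one; otherwise
     * a {@link SAMLTokenPrincipalImpl} is built from the transformed token if present, else
     * from the validated assertion itself.
     *
     * @param result     the engine result being populated
     * @param credential the credential returned by the validator
     * @param assertion  the assertion the result was created for (fallback principal source)
     */
    private static void addPrincipalAndSubject(WSSecurityEngineResult result, Credential credential, SamlAssertionWrapper assertion) {
        SamlAssertionWrapper transformed = credential.getTransformedToken();
        if (transformed != null) {
            result.put(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, transformed);
        }
        if (credential.getPrincipal() != null) {
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal());
        } else if (transformed != null) {
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipalImpl(transformed));
        } else {
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipalImpl(assertion));
        }
        result.put(WSSecurityEngineResult.TAG_SUBJECT, credential.getSubject());
    }

    /**
     * Parses the assertion's subject and runs the configured validator over it.
     *
     * <p>Subject parsing resolves the subject's {@code KeyInfo} through a
     * {@link WSSSAMLKeyInfoProcessor} using the request's signature-verification
     * {@code Crypto} and callback handler. When {@code validator} is {@code null}
     * the credential is returned without any validation having been performed.
     *
     * @param samlAssertionWrapper the assertion to validate
     * @param requestData          request configuration
     * @param validator            validator for this token type, or {@code null} for none
     * @param wSDocInfo            per-document state
     * @return the validated credential, or the unvalidated one when no validator is set
     * @throws WSSecurityException if subject parsing or validation fails
     */
    public Credential handleSAMLToken(SamlAssertionWrapper samlAssertionWrapper, RequestData requestData, Validator validator, WSDocInfo wSDocInfo) throws WSSecurityException {
        samlAssertionWrapper.parseSubject(new WSSSAMLKeyInfoProcessor(requestData, wSDocInfo), requestData.getSigVerCrypto(), requestData.getCallbackHandler());
        Credential credential = new Credential();
        credential.setSamlAssertion(samlAssertionWrapper);
        if (validator == null) {
            return credential;
        }
        return validator.validate(credential, requestData);
    }

    /**
     * Resolves the signing key from the assertion's {@code KeyInfo}, unmarshals the
     * enveloped signature with secure validation enabled, enforces the SAML algorithm
     * suite (when configured) and verifies the signature.
     *
     * <p>The key is chosen from the resolved {@link SAMLKeyInfo} in this order: the
     * first certificate when a non-empty certificate array with a non-null first entry
     * is present, otherwise the bare public key. Key-length checks use the same choice.
     *
     * @param samlAssertionWrapper the assertion whose signature is checked
     * @param requestData          request configuration (crypto, algorithm suite)
     * @param wSDocInfo            per-document state
     * @return the unmarshalled signature for a signed assertion, or {@code null} when
     *         the assertion carries no signature
     * @throws WSSecurityException if no key can be resolved ({@code FAILURE}), the
     *         signature cannot be unmarshalled ({@code FAILED_CHECK}), an algorithm-suite
     *         check fails, or signature verification fails
     */
    private XMLSignature verifySignatureKeysAndAlgorithms(SamlAssertionWrapper samlAssertionWrapper, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (!samlAssertionWrapper.isSigned()) {
            return null;
        }
        Signature signature = samlAssertionWrapper.getSignature();
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", new Object[]{NO_KEY_MSG});
        }
        SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, wSDocInfo), requestData.getSigVerCrypto());

        // An empty certificate array must not be indexed; fall through to the bare key instead.
        X509Certificate[] certs = samlKeyInfo.getCerts();
        boolean haveCert = certs != null && certs.length > 0 && certs[0] != null;
        PublicKey publicKey;
        if (haveCert) {
            publicKey = certs[0].getPublicKey();
        } else if (samlKeyInfo.getPublicKey() != null) {
            publicKey = samlKeyInfo.getPublicKey();
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", new Object[]{NO_KEY_MSG});
        }

        DOMValidateContext validateContext = new DOMValidateContext(publicKey, signature.getDOM());
        // Both property names are set because either the Santuario provider or the JDK's
        // own "DOM" provider may be in use (see the constructor); each reads its own key.
        validateContext.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        validateContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignature xmlSignature;
        try {
            xmlSignature = this.signatureFactory.unmarshalXMLSignature(validateContext);
        } catch (MarshalException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e, "invalidSAMLsecurity", new Object[]{NO_KEY_MSG});
        }

        AlgorithmSuite samlAlgorithmSuite = requestData.getSamlAlgorithmSuite();
        if (samlAlgorithmSuite != null) {
            AlgorithmSuiteValidator suiteValidator = new AlgorithmSuiteValidator(samlAlgorithmSuite);
            suiteValidator.checkSignatureAlgorithms(xmlSignature);
            if (haveCert) {
                suiteValidator.checkAsymmetricKeyLength(certs);
            } else {
                suiteValidator.checkAsymmetricKeyLength(publicKey);
            }
        }
        samlAssertionWrapper.verifySignature(samlKeyInfo);
        return xmlSignature;
    }

    /**
     * Builds one {@link WSDataRef} per signature reference that covers the assertion.
     *
     * @param element              the assertion element (recorded as the protected element)
     * @param samlAssertionWrapper the assertion, used for its id
     * @param xmlSignature         the unmarshalled signature, or {@code null} for an unsigned assertion
     * @return the data references, empty when there is no signature; the caller only
     *         attaches this list to the result of a signed assertion
     */
    private List<WSDataRef> createDataRefs(Element element, SamlAssertionWrapper samlAssertionWrapper, XMLSignature xmlSignature) {
        if (xmlSignature == null) {
            return Collections.emptyList();
        }
        String assertionId = samlAssertionWrapper.getId();
        String signatureAlgorithm = xmlSignature.getSignedInfo().getSignatureMethod().getAlgorithm();
        @SuppressWarnings("unchecked") // pre-Java-9 JSR-105 declares a raw List here
        List<Reference> references = xmlSignature.getSignedInfo().getReferences();
        List<WSDataRef> dataRefs = new ArrayList<WSDataRef>(references.size());
        for (Reference reference : references) {
            if (!refersToAssertion(reference.getURI(), assertionId)) {
                continue;
            }
            WSDataRef dataRef = new WSDataRef();
            dataRef.setWsuId(reference.getURI());
            dataRef.setProtectedElement(element);
            dataRef.setAlgorithm(signatureAlgorithm);
            dataRef.setDigestAlgorithm(reference.getDigestMethod().getAlgorithm());
            dataRef.setDigestValue(reference.getDigestValue());
            dataRef.setTransformAlgorithms(transformAlgorithms(reference));
            dataRef.setXpath(EncryptionUtils.getXPath(element));
            dataRefs.add(dataRef);
        }
        return dataRefs;
    }

    /**
     * Returns whether a signature reference URI designates the assertion: the empty
     * (whole-document) URI, the bare id, or the id prefixed with {@code '#'}.
     * A missing ({@code null}) URI never matches.
     */
    private static boolean refersToAssertion(String uri, String assertionId) {
        if (uri == null) {
            return false;
        }
        return "".equals(uri) || uri.equals(assertionId) || uri.equals("#" + assertionId);
    }

    /** Collects the algorithm URIs of a reference's transforms, in order. */
    private static List<String> transformAlgorithms(Reference reference) {
        @SuppressWarnings("unchecked") // pre-Java-9 JSR-105 declares a raw List here
        List<Transform> transforms = reference.getTransforms();
        List<String> algorithms = new ArrayList<String>(transforms.size());
        for (Transform transform : transforms) {
            algorithms.add(transform.getAlgorithm());
        }
        return algorithms;
    }
}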
