package org.picketlink.identity.federation.web.handlers.saml2;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.xml.namespace.QName;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.constants.JBossSAMLConstants;
import org.picketlink.common.constants.JBossSAMLURIConstants;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.util.DocumentUtil;
import org.picketlink.common.util.StringUtil;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/picketlink-federation-2.5.3.SP4.jar:org/picketlink/identity/federation/web/handlers/saml2/SAML2SignatureGenerationHandler.class */
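/**
 * Handler that signs the outgoing SAML document produced earlier in the handler chain.
 *
 * <p>For a SAML {@code Response} the handler options {@link #SIGN_ASSERTION_ONLY} and
 * {@link #SIGN_RESPONSE_AND_ASSERTION} control whether the enclosed {@code Assertion}, the
 * {@code Response}, or both receive an XML signature. Any other document is signed as a whole.
 * When the response is not sent over the POST binding, the deflated document is additionally
 * signed for the REDIRECT binding and the resulting query string is stored on the response.
 *
 * <p>The signing key pair and (optional) certificate are read from the handler chain
 * configuration ({@code GeneralConstants.KEYPAIR} / {@code GeneralConstants.X509CERTIFICATE}).
 * A missing key pair is a fatal configuration error: a document is never left unsigned silently.
 */
public class SAML2SignatureGenerationHandler extends AbstractSignatureHandler {
    /** Handler option: when {@code "true"}, only the Assertion inside a Response is signed, not the Response itself. */
    public static final String SIGN_ASSERTION_ONLY = "SIGN_ASSERTION_ONLY";
    /** Handler option: when {@code "true"}, the Assertion is signed and then the enclosing Response as well. */
    public static final String SIGN_RESPONSE_AND_ASSERTION = "SIGN_RESPONSE_AND_ASSERTION";

    /**
     * Signs the request document generated by the preceding handlers, if there is one.
     *
     * @param sAML2HandlerRequest  the handler request (consulted for signature support)
     * @param sAML2HandlerResponse the handler response carrying the document to sign
     * @throws ProcessingException if signing fails or no key pair is configured
     */
    @Override
    public void generateSAMLRequest(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        signResultingDocument(sAML2HandlerRequest, sAML2HandlerResponse, "No document generated in the handler chain. Cannot generate signature");
    }

    /**
     * Signs the response document produced while handling an inbound request type, if there is one.
     *
     * @param sAML2HandlerRequest  the handler request (consulted for signature support)
     * @param sAML2HandlerResponse the handler response carrying the document to sign
     * @throws ProcessingException if signing fails or no key pair is configured
     */
    @Override
    public void handleRequestType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        signResultingDocument(sAML2HandlerRequest, sAML2HandlerResponse, "No response document found");
    }

    /**
     * Signs the response document produced while handling an inbound status response, if there is one.
     *
     * @param sAML2HandlerRequest  the handler request (consulted for signature support)
     * @param sAML2HandlerResponse the handler response carrying the document to sign
     * @throws ProcessingException if signing fails or no key pair is configured
     */
    @Override
    public void handleStatusResponseType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        signResultingDocument(sAML2HandlerRequest, sAML2HandlerResponse, "No response document found");
    }

    /**
     * Common entry point of the three handler callbacks: signs the response's resulting document,
     * or only traces {@code missingDocumentMessage} when there is nothing to sign.
     */
    private void signResultingDocument(SAML2HandlerRequest request, SAML2HandlerResponse response, String missingDocumentMessage) throws ProcessingException {
        Document resultingDocument = response.getResultingDocument();
        if (resultingDocument == null) {
            logger.trace(missingDocumentMessage);
            return;
        }
        sign(resultingDocument, request, response);
    }

    /**
     * Applies the configured signatures to {@code document}.
     *
     * <p>Does nothing when the inherited {@code isSupportsSignature} check (from
     * {@code AbstractSignatureHandler}) rejects the request. Otherwise a key pair is mandatory;
     * the certificate is optional and, when present, is embedded in the signature's KeyInfo.
     *
     * @throws ProcessingException if no key pair is configured, the assertion to sign is missing,
     *                             or the signing itself fails
     */
    private void sign(Document document, SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        if (!isSupportsSignature(sAML2HandlerRequest)) {
            return;
        }
        KeyPair keyPair = (KeyPair) this.handlerChainConfig.getParameter(GeneralConstants.KEYPAIR);
        X509Certificate x509Certificate = (X509Certificate) this.handlerChainConfig.getParameter(GeneralConstants.X509CERTIFICATE);
        if (keyPair == null) {
            // Refuse to continue rather than emit an unsigned document.
            logger.samlHandlerKeyPairNotFound();
            throw logger.samlHandlerKeyPairNotFoundError();
        }
        if (isSAMLResponse(document)) {
            boolean assertionOnly = isSignAssertionOnly();
            if (assertionOnly || isSignResponseAndAssertion()) {
                signEnclosedAssertion(document, keyPair, x509Certificate);
            }
            // The Response itself is signed unless configuration restricts signing to the Assertion.
            if (!assertionOnly) {
                signDocument(document, keyPair, x509Certificate);
            }
        } else {
            signDocument(document, keyPair, x509Certificate);
        }
        if (sAML2HandlerResponse.isPostBindingForResponse()) {
            // POST binding: the XML signature above is all that is needed.
            return;
        }
        // REDIRECT binding: the deflated, URL-encoded document is signed again as a query string.
        logger.trace("Going to sign response document with REDIRECT binding type");
        sAML2HandlerResponse.setDestinationQueryStringWithSignature(signRedirect(document, sAML2HandlerResponse.getRelayState(), keyPair, sAML2HandlerResponse.getSendRequest()));
    }

    /**
     * Signs the {@code Assertion} child of a SAML {@code Response} in place.
     *
     * <p>The assertion is cloned into a scratch document so that {@code SAML2Signature} treats
     * it as the document root (and positions the signature relative to the assertion's own
     * Issuer), then the signed copy is adopted back and swapped in for the original.
     *
     * @throws ProcessingException if the Response carries no {@code Assertion} element, or if
     *                             creating the scratch document or signing fails
     */
    private void signEnclosedAssertion(Document document, KeyPair keyPair, X509Certificate x509Certificate) throws ProcessingException {
        Element assertion = DocumentUtil.getChildElement(document.getDocumentElement(),
                new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
        if (assertion == null) {
            // A Response without a plain Assertion child (e.g. an error Status) cannot satisfy an
            // assertion-signing configuration; fail explicitly instead of NPE-ing or skipping the signature.
            throw new ProcessingException("Cannot sign assertion: no Assertion element found in the SAML Response");
        }
        Node detached = assertion.cloneNode(true);
        try {
            Document scratch = DocumentUtil.createDocument();
            scratch.adoptNode(detached);
            scratch.appendChild(detached);
            signDocument(scratch, keyPair, x509Certificate);
            document.adoptNode(detached);
            assertion.getParentNode().replaceChild(detached, assertion);
        } catch (ConfigurationException e) {
            throw logger.processingError(e);
        }
    }

    /**
     * Produces an enveloped XML signature over {@code document} with {@code keyPair}, placing the
     * {@code Signature} element right after the document's Issuer.
     *
     * @param x509Certificate certificate to include in KeyInfo, or {@code null} to omit it
     * @throws ProcessingException if the signature cannot be created
     */
    private void signDocument(Document document, KeyPair keyPair, X509Certificate x509Certificate) throws ProcessingException {
        SAML2Signature signature = new SAML2Signature();
        signature.setNextSibling(signature.getNextSiblingOfIssuer(document));
        if (x509Certificate != null) {
            signature.setX509Certificate(x509Certificate);
        }
        logger.trace("Going to sign document.");
        signature.signSAMLDocument(document, keyPair);
    }

    /**
     * Builds the signed query string used by the REDIRECT binding.
     *
     * @param document   the SAML document; serialized, deflated and base64/URL-encoded
     * @param relayState optional RelayState, URL-encoded when present
     * @param keyPair    key pair whose private key signs the query string
     * @param isRequest  {@code true} to build a SAMLRequest URL, {@code false} for a SAMLResponse URL
     * @return the destination query string including the signature parameter
     * @throws ProcessingException if serialization, encoding or signing fails; the cause is logged
     *                             and wrapped, never swallowed
     */
    private String signRedirect(Document document, String relayState, KeyPair keyPair, boolean isRequest) throws ProcessingException {
        try {
            String encodedDocument = RedirectBindingUtil.deflateBase64URLEncode(DocumentUtil.getDocumentAsString(document).getBytes("UTF-8"));
            PrivateKey privateKey = keyPair.getPrivate();
            String encodedRelayState = relayState;
            if (StringUtil.isNotNull(relayState)) {
                encodedRelayState = RedirectBindingUtil.urlEncode(relayState);
            }
            if (isRequest) {
                return RedirectBindingSignatureUtil.getSAMLRequestURLWithSignature(encodedDocument, encodedRelayState, privateKey);
            }
            return RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(encodedDocument, encodedRelayState, privateKey);
        } catch (IOException e) {
            logger.samlHandlerErrorSigningRedirectBindingMessage(e);
            throw logger.samlHandlerSigningRedirectBindingMessageError(e);
        } catch (ConfigurationException e) {
            logger.samlHandlerErrorSigningRedirectBindingMessage(e);
            throw logger.samlHandlerSigningRedirectBindingMessageError(e);
        } catch (GeneralSecurityException e) {
            logger.samlHandlerErrorSigningRedirectBindingMessage(e);
            throw logger.samlHandlerSigningRedirectBindingMessageError(e);
        }
    }

    /**
     * Returns {@code true} when the document element is a SAML {@code Response}.
     * Null-safe: a document element without a local name (non-namespace-aware DOM) is not a Response.
     */
    private boolean isSAMLResponse(Document document) {
        return JBossSAMLConstants.RESPONSE.get().equals(document.getDocumentElement().getLocalName());
    }

    /** Whether the {@link #SIGN_ASSERTION_ONLY} handler option is set to {@code "true"}. */
    private boolean isSignAssertionOnly() {
        return isHandlerOptionEnabled(SIGN_ASSERTION_ONLY);
    }

    /** Whether the {@link #SIGN_RESPONSE_AND_ASSERTION} handler option is set to {@code "true"}. */
    private boolean isSignResponseAndAssertion() {
        return isHandlerOptionEnabled(SIGN_RESPONSE_AND_ASSERTION);
    }

    /**
     * Reads a boolean handler option: absent or anything other than {@code "true"}
     * (case-insensitive) means {@code false}. The parameter is read once to avoid a
     * check-then-read race against configuration changes.
     */
    private boolean isHandlerOptionEnabled(String name) {
        Object value = this.handlerConfig.getParameter(name);
        return value != null && Boolean.parseBoolean(value.toString());
    }
}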
