package org.picketlink.identity.federation.bindings.tomcat.sp;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
import org.picketlink.identity.federation.core.config.KeyProviderType;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
import org.picketlink.identity.federation.core.exceptions.ParsingException;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.picketlink.identity.federation.core.interfaces.TrustKeyManager;
import org.picketlink.identity.federation.core.interfaces.TrustKeyProcessingException;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.core.saml.v2.util.SignatureUtil;
import org.picketlink.identity.federation.core.util.CoreConfigUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.web.process.ServiceProviderBaseProcessor;
import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;

/* loaded from: input_file:org/picketlink/identity/federation/bindings/tomcat/sp/SPRedirectSignatureFormAuthenticator.class */
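/**
 * Service-provider form authenticator for the SAML redirect binding that adds
 * signature handling on top of {@link SPRedirectFormAuthenticator}.
 * <p>
 * At start-up it instantiates the {@link TrustKeyManager} named by the SP
 * configuration's key provider. The key manager is then used to:
 * <ul>
 *   <li>verify the signature carried on an incoming redirect query string
 *       ({@link #validate(Request)}),</li>
 *   <li>sign outgoing redirect URLs ({@link #getDestinationQueryString}),</li>
 *   <li>decrypt an encrypted assertion ({@link #decryptAssertion}), and</li>
 *   <li>expose the signing key pair to the handler chain
 *       ({@link #populateChainConfig()}).</li>
 * </ul>
 * Thread-safety: a single instance serves all requests of the context, so the
 * only mutable state after {@link #start()} is what the base class keeps;
 * {@code idpAddress} is no longer written on the request path.
 */
public class SPRedirectSignatureFormAuthenticator extends SPRedirectFormAuthenticator {
    private static final Logger log = Logger.getLogger(SPRedirectSignatureFormAuthenticator.class);

    /** Key manager built in {@link #init()}; null until the authenticator has started. */
    private TrustKeyManager keyManager;

    /** Snapshot of the trace level at construction time, to keep the hot path cheap. */
    private final boolean trace = log.isTraceEnabled();

    /**
     * Optional configured IDP address. When set it is handed to the key manager as the
     * {@code idp.key} option at start-up and used as the validating-key alias in
     * {@link #validate(Request)}. When unset, the alias falls back to the remote address
     * of each request.
     */
    protected String idpAddress = null;

    /**
     * Configures the IDP address used as the validating-key alias.
     *
     * @param str the IDP address; may be null or empty to use the per-request fallback
     */
    public void setIdpAddress(String str) {
        this.idpAddress = str;
    }

    /**
     * Test-lifecycle start: delegates to the base class and then builds the key manager.
     *
     * @throws LifecycleException if the base start fails or the key manager cannot be set up
     */
    @Override
    public void testStart() throws LifecycleException {
        super.testStart();
        init();
    }

    /**
     * Container-lifecycle start: delegates to the base class and then builds the key manager.
     *
     * @throws LifecycleException if the base start fails or the key manager cannot be set up
     */
    @Override
    public void start() throws LifecycleException {
        super.start();
        init();
    }

    /**
     * Instantiates and configures the {@link TrustKeyManager} from the SP configuration's
     * key provider, then populates the chain configuration and initializes the handler chain.
     * <p>
     * Every failure is logged once and surfaced as a {@link LifecycleException} that carries
     * the original exception as its cause, so container logs retain the root stack trace.
     *
     * @throws LifecycleException if no key provider is configured, the key manager class
     *         cannot be loaded or instantiated, or chain initialization fails
     */
    private void init() throws LifecycleException {
        Context container = getContainer();
        KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();
        if (keyProvider == null) {
            throw new LifecycleException("PL00092: Null Value:KeyProvider is null for context=" + container.getName());
        }
        try {
            String className = keyProvider.getClassName();
            if (className == null) {
                throw new RuntimeException("PL00092: Null Value:KeyManager class name");
            }
            Class<?> keyManagerClass = SecurityActions.loadClass(getClass(), className);
            if (keyManagerClass == null) {
                throw new ClassNotFoundException("PL00085: Class Not Loaded:" + className);
            }
            // Explicit no-arg constructor lookup instead of the deprecated Class.newInstance(),
            // which re-throws checked exceptions from the constructor undeclared.
            this.keyManager = (TrustKeyManager) keyManagerClass.getDeclaredConstructor().newInstance();
            this.keyManager.setAuthProperties(CoreConfigUtil.getKeyProviderProperties(keyProvider));
            this.keyManager.setValidatingAlias(keyProvider.getValidatingAlias());
            if (StringUtil.isNotNull(this.idpAddress)) {
                this.keyManager.addAdditionalOption("idp.key", this.idpAddress);
            }
            if (this.trace) {
                log.trace("Key Provider=" + className);
            }
            // Done inside the same try so a chain failure is logged and wrapped exactly once
            // (the previous nested try/catch logged and re-wrapped the same error twice).
            populateChainConfig();
            super.initializeHandlerChain();
        } catch (Exception e) {
            log.error("Exception reading configuration:", e);
            throw new LifecycleException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Validates the incoming request: the base-class checks must pass, the query string must
     * carry a signature, and that signature must verify against the IDP's validating key over
     * the {@code SAMLResponse}, optional {@code RelayState} and {@code SigAlg} parameters.
     * <p>
     * The validating key is looked up by alias: the configured {@link #idpAddress} if set,
     * otherwise the remote address of this request. The fallback is evaluated per request and
     * never stored back into the shared field, which avoids an unsynchronized write from the
     * request path and the first caller's address being latched for all later callers.
     *
     * @param request the current request
     * @return true if the base validation passes and the redirect signature verifies;
     *         false if the base validation fails or no signature is present
     * @throws IOException propagated from the base validation
     * @throws GeneralSecurityException if the key manager cannot provide the validating key;
     *         the key-manager exception is preserved as the cause
     */
    @Override
    public boolean validate(Request request) throws IOException, GeneralSecurityException {
        if (!super.validate(request)) {
            return false;
        }
        String queryString = request.getQueryString();
        byte[] signature = RedirectBindingSignatureUtil.getSignatureValueFromSignedURL(queryString);
        if (signature == null) {
            return false;
        }
        String samlResponse = RedirectBindingSignatureUtil.getTokenValue(queryString, "SAMLResponse");
        String relayState = RedirectBindingSignatureUtil.getTokenValue(queryString, "RelayState");
        String sigAlg = RedirectBindingSignatureUtil.getTokenValue(queryString, "SigAlg");

        // Rebuild the signed input in the order the redirect binding signs it;
        // RelayState is only part of it when present.
        StringBuilder signedInput = new StringBuilder();
        signedInput.append("SAMLResponse=").append(samlResponse);
        if (StringUtil.isNotNull(relayState)) {
            signedInput.append("&RelayState=").append(relayState);
        }
        signedInput.append("&SigAlg=").append(sigAlg);

        // NOTE(review): on a redirect binding the remote address is the user agent's, not the
        // IDP's, so a configured idpAddress is the reliable alias — confirm deployments set it.
        String keyAlias = StringUtil.isNullOrEmpty(this.idpAddress) ? request.getRemoteAddr() : this.idpAddress;
        try {
            return SignatureUtil.validate(signedInput.toString().getBytes(StandardCharsets.UTF_8), signature,
                    this.keyManager.getValidatingKey(keyAlias));
        } catch (TrustKeyConfigurationException e) {
            // Wrap the exception itself (not only its cause, which may be null) so context survives.
            throw new GeneralSecurityException(e);
        } catch (TrustKeyProcessingException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Builds the signed redirect query string for an outgoing SAML message.
     *
     * @param str the encoded SAML message
     * @param str2 the relay state, if any
     * @param z true for a SAML request, false for a SAML response
     * @return the query string including the signature
     * @throws RuntimeException if no signing key is configured ({@code PL00100}) or signing fails
     */
    @Override
    protected String getDestinationQueryString(String str, String str2, boolean z) {
        PrivateKey signingKey;
        try {
            signingKey = this.keyManager.getSigningKey();
            if (signingKey != null) {
                return z
                        ? RedirectBindingSignatureUtil.getSAMLRequestURLWithSignature(str, str2, signingKey)
                        : RedirectBindingSignatureUtil.getSAMLResponseURLWithSignature(str, str2, signingKey);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        // Thrown outside the try so the PL00100 failure is not re-wrapped a second time.
        log.error("Signing key is null. Check your KeyStore configuration.");
        throw new RuntimeException("PL00100: Signing Process Failure:");
    }

    /**
     * Initializes the SAML processor as the base class does and hands it this authenticator's
     * key manager.
     *
     * @param serviceProviderBaseProcessor the processor to configure
     */
    @Override
    public void initializeSAMLProcessor(ServiceProviderBaseProcessor serviceProviderBaseProcessor) {
        super.initializeSAMLProcessor(serviceProviderBaseProcessor);
        serviceProviderBaseProcessor.setTrustKeyManager(this.keyManager);
    }

    /**
     * Decrypts the encrypted assertion found in the first choice element of the response
     * using the key manager's signing (private) key, and re-parses the decrypted document
     * into a {@link ResponseType}.
     *
     * @param responseType the response whose first assertion entry is encrypted
     * @return the response type parsed from the decrypted document
     * @throws GeneralSecurityException wrapping any failure during conversion, decryption or parsing
     */
    @Override
    protected ResponseType decryptAssertion(ResponseType responseType)
            throws IOException, GeneralSecurityException, ConfigurationException, ParsingException {
        try {
            SAML2Response saml2Response = new SAML2Response();
            ResponseType.RTChoiceType firstChoice = (ResponseType.RTChoiceType) responseType.getAssertions().get(0);
            org.w3c.dom.Document encryptedDocument = saml2Response.convert(firstChoice.getEncryptedAssertion());
            // The signing private key doubles as the decryption key here.
            org.w3c.dom.Document decryptedDocument =
                    XMLEncryptionUtil.decryptElementInDocument(encryptedDocument, this.keyManager.getSigningKey());
            return saml2Response.getResponseType(DocumentUtil.getNodeAsStream(decryptedDocument));
        } catch (Exception e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Populates the chain configuration as the base class does and, once the key manager
     * exists, adds its signing key pair under the {@code KEYPAIR} option.
     *
     * @throws ConfigurationException propagated from the base class
     * @throws ProcessingException propagated from the base class
     */
    @Override
    public void populateChainConfig() throws ConfigurationException, ProcessingException {
        super.populateChainConfig();
        if (this.keyManager != null) {
            if (this.trace) {
                log.trace("Adding Keypair to the chain config");
            }
            this.chainConfigOptions.put("KEYPAIR", this.keyManager.getSigningKeyPair());
        }
    }
}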
