package net.shibboleth.idp.profile.spring.relyingparty.metadata.filter.impl;

import java.util.ArrayList;
import java.util.List;
import javax.xml.namespace.QName;
import net.shibboleth.ext.spring.util.SpringSupport;
import net.shibboleth.idp.profile.spring.factory.BasicInlineCredentialFactoryBean;
import net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean;
import net.shibboleth.idp.profile.spring.relyingparty.metadata.AbstractMetadataProviderParser;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.xml.ElementSupport;
import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.support.ManagedList;
import org.springframework.beans.factory.xml.AbstractSingleBeanDefinitionParser;
import org.springframework.beans.factory.xml.ParserContext;
import org.w3c.dom.Element;

/* loaded from: input_file:net/shibboleth/idp/profile/spring/relyingparty/metadata/filter/impl/SignatureValidationParser.class */
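/**
 * Spring bean-definition parser for the {@code SignatureValidation} metadata filter element.
 *
 * <p>Produces a {@link SignatureValidationFilter} bean definition whose constructor argument is the
 * trust engine used to validate metadata signatures. The trust source is taken from one of:
 * the {@code trustEngineRef} attribute, the {@code certificateFile} attribute, an embedded
 * {@code <TrustEngine>} child, or a single {@code <PublicKey>} child. Conflicting combinations are
 * rejected with a {@link BeanCreationException}, and so is a configuration that names no trust
 * source at all, so the filter is never built without a trust anchor.</p>
 */
public class SignatureValidationParser extends AbstractSingleBeanDefinitionParser {
    /** Schema type name of the filter element. */
    public static final QName TYPE_NAME = new QName(AbstractMetadataProviderParser.METADATA_NAMESPACE, "SignatureValidation");

    /** Name of the child element carrying an inline public key. */
    public static final QName PUBLIC_KEY = new QName(AbstractMetadataProviderParser.METADATA_NAMESPACE, "PublicKey");

    private final Logger log = LoggerFactory.getLogger(SignatureValidationParser.class);

    /**
     * Returns the class of the bean this parser defines.
     *
     * @param element the element being parsed (unused)
     * @return {@link SignatureValidationFilter}
     */
    @Override
    protected Class<?> getBeanClass(Element element) {
        return SignatureValidationFilter.class;
    }

    /**
     * Populates the filter's bean definition from the configuration element.
     *
     * @param element the {@code SignatureValidation} element
     * @param parserContext the Spring parser context, used for nested parsing and for naming the
     *        configuration resource in log messages
     * @param beanDefinitionBuilder builder for the filter bean definition
     * @throws BeanCreationException if the trust sources conflict, if none is configured, or if more
     *         than one {@code <TrustEngine>} / {@code <PublicKey>} is given
     */
    @Override
    protected void doParse(Element element, ParserContext parserContext, BeanDefinitionBuilder beanDefinitionBuilder) {
        final boolean hasTrustEngineRef = element.hasAttributeNS(null, "trustEngineRef");
        final boolean hasCertificateFile = element.hasAttributeNS(null, "certificateFile");
        final List<Element> publicKeys = ElementSupport.getChildElements(element, PUBLIC_KEY);
        final List<Element> trustEngines = ElementSupport.getChildElements(element, AbstractMetadataProviderParser.TRUST_ENGINE_ELEMENT_NAME);
        final boolean hasPublicKeys = null != publicKeys && !publicKeys.isEmpty();
        final boolean hasTrustEngines = null != trustEngines && !trustEngines.isEmpty();

        super.doParse(element, parserContext, beanDefinitionBuilder);

        // Trust source selection. An ambiguous configuration is refused rather than resolved by
        // precedence, so an operator cannot end up validating against a different key than intended.
        if (hasTrustEngineRef) {
            if (hasCertificateFile) {
                this.log.error("{}: trustEngineRef and certificateFile are mutually exclusive", resourceDescription(parserContext));
                throw new BeanCreationException("trustEngineRef and certificateFile are mutually exclusive");
            }
            if (hasTrustEngines) {
                this.log.error("{}: trustEngineRef and Embedded <TrustEngine>  are mutually exclusive", resourceDescription(parserContext));
                throw new BeanCreationException("trustEngineRef and Embedded <TrustEngine> are mutually exclusive");
            }
            if (hasPublicKeys) {
                // The log line now names the same conflict as the exception (it previously said certificateFile).
                this.log.error("{}: trustEngineRef and embedded public keys are mutually exclusive", resourceDescription(parserContext));
                throw new BeanCreationException("trustEngineRef and embedded public keys are mutually exclusive");
            }
            beanDefinitionBuilder.addConstructorArgReference(StringSupport.trimOrNull(element.getAttributeNS(null, "trustEngineRef")));
        } else if (hasCertificateFile) {
            if (hasPublicKeys) {
                this.log.error("{}: certificateFile and embedded public keys are mutually exclusive", resourceDescription(parserContext));
                throw new BeanCreationException("certificateFile and embedded public keys are mutually exclusive");
            }
            if (hasTrustEngines) {
                this.log.error("{}: certificateFile and Embedded <TrustEngine>  are mutually exclusive", resourceDescription(parserContext));
                throw new BeanCreationException("Embedded <TrustEngine> and certificateFile are mutually exclusive");
            }
            // NOTE(review): unlike trustEngineRef, the certificateFile value is passed on untrimmed.
            buildTrustEngine(beanDefinitionBuilder, buildCertificateCredential(element.getAttributeNS(null, "certificateFile")));
        } else if (!hasTrustEngines) {
            // Last resort: a <PublicKey> child. buildPublicKeyCredential throws when there is none,
            // which is what makes a filter with no trust source at all a configuration error.
            buildTrustEngine(beanDefinitionBuilder, buildPublicKeyCredential(parserContext, publicKeys));
        } else {
            if (trustEngines.size() > 1) {
                this.log.error("{}: Too many <TrustEngine>s", resourceDescription(parserContext));
                // The exception text no longer carries the logger's "{}" placeholder.
                throw new BeanCreationException("Too many <TrustEngine>s");
            }
            // NOTE(review): <PublicKey> children are not checked on this path; if present next to an
            // embedded <TrustEngine> they are silently ignored rather than rejected.
            beanDefinitionBuilder.addConstructorArgValue(SpringSupport.parseCustomElements(trustEngines, parserContext).get(0));
        }

        // requireSignedRoot is only set when configured; otherwise the filter keeps its own default.
        // The attribute text is handed to Spring as-is. Presumably a false value lets metadata with an
        // unsigned root element through this filter - confirm against SignatureValidationFilter
        // before relaxing it.
        if (element.hasAttributeNS(null, "requireSignedRoot")) {
            beanDefinitionBuilder.addPropertyValue("requireSignedRoot", element.getAttributeNS(null, "requireSignedRoot"));
        } else if (element.hasAttributeNS(null, "requireSignedMetadata")) {
            this.log.warn("{} Use of the attribute 'requireSignedMetadata' is deprecated, use 'requireSignedRoot' instead", resourceDescription(parserContext));
            beanDefinitionBuilder.addPropertyValue("requireSignedRoot", element.getAttributeNS(null, "requireSignedMetadata"));
        }

        // Validation criteria: an explicit bean reference, else the named static-criteria bean.
        if (element.hasAttributeNS(null, "defaultCriteriaRef")) {
            beanDefinitionBuilder.addPropertyReference("defaultCriteria", element.getAttributeNS(null, "defaultCriteriaRef"));
        } else {
            beanDefinitionBuilder.addPropertyReference("defaultCriteria", "shibboleth.MetadataSignatureValidationStaticCriteria");
        }

        if (element.hasAttributeNS(null, "signaturePrevalidatorRef")) {
            beanDefinitionBuilder.addPropertyReference("signaturePrevalidator", element.getAttributeNS(null, "signaturePrevalidatorRef"));
        }
        if (element.hasAttributeNS(null, "dynamicTrustedNamesStrategyRef")) {
            beanDefinitionBuilder.addPropertyReference("dynamicTrustedNamesStrategy", element.getAttributeNS(null, "dynamicTrustedNamesStrategyRef"));
        }
    }

    /**
     * Returns the description of the configuration resource being parsed, for log messages.
     *
     * @param parserContext the Spring parser context
     * @return the resource description
     */
    private static String resourceDescription(ParserContext parserContext) {
        return parserContext.getReaderContext().getResource().getDescription();
    }

    /**
     * Adds an {@link ExplicitKeySignatureTrustEngine} definition, backed by the given credential, as
     * the filter's constructor argument.
     *
     * @param beanDefinitionBuilder builder for the filter bean definition
     * @param beanDefinition definition of the single trusted credential
     */
    private void buildTrustEngine(BeanDefinitionBuilder beanDefinitionBuilder, BeanDefinition beanDefinition) {
        final BeanDefinitionBuilder trustEngine = BeanDefinitionBuilder.genericBeanDefinition(ExplicitKeySignatureTrustEngine.class);

        // First argument: the trusted credentials, a static resolver holding only the configured one.
        final BeanDefinitionBuilder trustedCredentials = BeanDefinitionBuilder.genericBeanDefinition(StaticCredentialResolver.class);
        trustedCredentials.addConstructorArgValue(beanDefinition);
        trustEngine.addConstructorArgValue(trustedCredentials.getBeanDefinition());

        // Second argument: resolver for key material carried in a signature's KeyInfo (DSA and RSA
        // key values, inline X.509 data). The list stays raw because its element type is not
        // imported by this file.
        final ArrayList keyInfoProviders = new ArrayList();
        keyInfoProviders.add(new DSAKeyValueProvider());
        keyInfoProviders.add(new RSAKeyValueProvider());
        keyInfoProviders.add(new InlineX509DataProvider());
        trustEngine.addConstructorArgValue(new BasicProviderKeyInfoCredentialResolver(keyInfoProviders));

        beanDefinitionBuilder.addConstructorArgValue(trustEngine.getBeanDefinition());
    }

    /**
     * Builds a credential definition from exactly one non-empty {@code <PublicKey>} element.
     *
     * @param parserContext the Spring parser context, used to name the resource in log messages
     * @param list the {@code <PublicKey>} children of the filter element; may be null or empty
     * @return definition of a {@link BasicInlineCredentialFactoryBean} holding the key text
     * @throws BeanCreationException if there is no {@code <PublicKey>}, more than one, or its
     *         content is empty
     */
    private BeanDefinition buildPublicKeyCredential(ParserContext parserContext, List<Element> list) {
        if (null == list || list.isEmpty()) {
            this.log.error("{}: SignatureValidation filter must have a 'trustEngineRef' attribute, a 'certificateFile' attribute or <PublicKey> elements", resourceDescription(parserContext));
            throw new BeanCreationException("SignatureValidation filter must have a 'trustEngineRef' attribute, a 'certificateFile' attribute or <PublicKey> elements");
        }
        if (list.size() > 1) {
            this.log.error("{}: Only one <PublicKey> element may be specified", resourceDescription(parserContext));
            throw new BeanCreationException("Only one <PublicKey> element may be specified");
        }
        final String publicKeyText = StringSupport.trimOrNull(list.get(0).getTextContent());
        if (null == publicKeyText) {
            this.log.error("{}: <PublicKey> must contain the public key", resourceDescription(parserContext));
            throw new BeanCreationException("<PublicKey> must contain the public key");
        }
        // The key text is set directly; the throwaway ManagedList the original built here was never used.
        final BeanDefinitionBuilder credential = BeanDefinitionBuilder.genericBeanDefinition(BasicInlineCredentialFactoryBean.class);
        credential.addPropertyValue("publicKeyInfo", publicKeyText);
        return credential.getBeanDefinition();
    }

    /**
     * Builds a credential definition that loads its certificate from the given location.
     *
     * @param str value of the {@code certificateFile} attribute, passed through unchanged
     * @return definition of a {@link BasicX509CredentialFactoryBean} with that single certificate
     */
    private BeanDefinition buildCertificateCredential(String str) {
        final BeanDefinitionBuilder credential = BeanDefinitionBuilder.genericBeanDefinition(BasicX509CredentialFactoryBean.class);
        final ManagedList<String> certificates = new ManagedList<String>(1);
        certificates.add(str);
        credential.addPropertyValue("certificates", certificates);
        return credential.getBeanDefinition();
    }

    /**
     * Tells Spring to generate a bean id for the filter.
     *
     * @return always {@code true}
     */
    @Override
    protected boolean shouldGenerateId() {
        return true;
    }
}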
