package org.opensaml.saml.security.impl;

import com.google.common.base.Strings;
import javax.annotation.Nonnull;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.TransformationException;
import org.apache.xml.security.transforms.Transforms;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.impl.SignatureImpl;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-4.3.1.jar:org/opensaml/saml/security/impl/SAMLSignatureProfileValidator.class */
/**
 * Checks the structure of a SAML {@link Signature} against the profile this validator enforces:
 * the Apache {@code ds:SignedInfo} must carry exactly one {@code ds:Reference}; that Reference's URI,
 * when present, must be a same-document fragment naming the ID of the signature's parent and must
 * resolve (by node identity) to that parent element; at most two transforms are allowed, limited to
 * the enveloped-signature transform plus exclusive C14N with or without comments, and the enveloped
 * transform is mandatory; and the signature may carry no {@code ds:Object} children.
 *
 * <p>Together these pin the signed content to the enclosing SAML object rather than to some other
 * element the document happens to contain. Only {@link SignatureImpl} instances are inspected; any
 * other {@link Signature} implementation is logged at INFO and passed through without checks.</p>
 */
public class SAMLSignatureProfileValidator implements SignaturePrevalidator {

    /** Algorithm URI of the enveloped-signature transform, which every accepted signature must carry. */
    private static final String ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";

    /** Algorithm URI of exclusive canonicalization without comments. */
    private static final String EXC_C14N_TRANSFORM = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** Algorithm URI of exclusive canonicalization with comments. */
    private static final String EXC_C14N_WITH_COMMENTS_TRANSFORM =
            "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";

    /** Upper bound on the number of transforms the single Reference may declare. */
    private static final int MAX_TRANSFORMS = 2;

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(SAMLSignatureProfileValidator.class);

    /**
     * {@inheritDoc}
     *
     * <p>The null check is enforced by {@link Constraint#isNotNull}. Signatures that are not
     * {@link SignatureImpl} instances are not validated; this is logged and the call returns.</p>
     *
     * @throws SignatureException if the signature is a {@link SignatureImpl} that violates the profile
     */
    @Override
    public void validate(@Nonnull final Signature signature) throws SignatureException {
        Constraint.isNotNull(signature, "Signature was null");
        if (!(signature instanceof SignatureImpl)) {
            // No Apache XMLSignature to inspect on other implementations, so nothing here can be checked.
            log.info("Signature was not an instance of SignatureImpl, was {} validation not supported",
                    signature.getClass().getName());
            return;
        }
        validateSignatureImpl((SignatureImpl) signature);
    }

    /**
     * Runs every profile check against a {@link SignatureImpl}.
     *
     * @param sig the signature to check
     * @throws SignatureException if no Apache XMLSignature is attached, the signature's parent is not a
     *         {@link SignableSAMLObject}, or any individual check fails
     */
    protected void validateSignatureImpl(final SignatureImpl sig) throws SignatureException {
        final XMLSignature apacheSig = sig.getXMLSignature();
        if (apacheSig == null) {
            log.error("SignatureImpl did not contain the an Apache XMLSignature child");
            throw new SignatureException("Apache XMLSignature does not exist on SignatureImpl");
        }
        if (!(sig.getParent() instanceof SignableSAMLObject)) {
            log.error("Signature is not an immedidate child of a SignableSAMLObject");
            throw new SignatureException("Signature is not an immediate child of a SignableSAMLObject.");
        }
        final SignableSAMLObject signedParent = (SignableSAMLObject) sig.getParent();

        // The Reference must be established first; its URI and transforms are checked against it.
        final Reference reference = validateReference(apacheSig);
        validateReferenceURI(reference.getURI(), signedParent);
        validateTransforms(reference);
        validateObjectChildren(apacheSig);
    }

    /**
     * Checks that {@code ds:SignedInfo} carries exactly one {@code ds:Reference} and returns it.
     *
     * @param apacheSig the Apache signature whose SignedInfo is inspected
     * @return the single Reference
     * @throws SignatureException if the Reference count is not exactly 1, the Reference is null, or
     *         Apache XML Security fails while retrieving it
     */
    protected Reference validateReference(final XMLSignature apacheSig) throws SignatureException {
        final int referenceCount = apacheSig.getSignedInfo().getLength();
        if (referenceCount != 1) {
            log.error("Signature SignedInfo had invalid number of References: " + referenceCount);
            throw new SignatureException("Signature SignedInfo must have exactly 1 Reference element");
        }

        final Reference reference;
        try {
            reference = apacheSig.getSignedInfo().item(0);
        } catch (final XMLSecurityException e) {
            log.error("Apache XML Security exception obtaining Reference: {}", e.getMessage());
            throw new SignatureException("Could not obtain Reference from Signature/SignedInfo", e);
        }
        if (reference == null) {
            log.error("Signature Reference was null");
            throw new SignatureException("Signature Reference was null");
        }
        return reference;
    }

    /**
     * Checks that the Reference URI, when present, is a fragment reference to the signed parent's ID
     * and that resolving that ID in the parent's DOM Document yields the parent element itself.
     *
     * <p>A null or empty URI is accepted without resolution. Resolution uses
     * {@code Document.getElementById}, so the cached DOM must have its ID attributes registered;
     * an ID that does not resolve fails closed with a {@link SignatureException}.</p>
     *
     * @param uri the Reference URI, may be null or empty
     * @param signedParent the SignableSAMLObject the signature is a child of
     * @throws SignatureException if the URI is not a fragment matching the parent's ID, the parent has
     *         no cached DOM, the ID does not resolve, or it resolves to a different element
     */
    protected void validateReferenceURI(final String uri, final SignableSAMLObject signedParent)
            throws SignatureException {
        validateReferenceURI(uri, signedParent.getSignatureReferenceID());
        if (Strings.isNullOrEmpty(uri)) {
            return;
        }
        // The overload above has already required a leading '#' with at least one character after it.
        final String fragmentId = uri.substring(1);

        final Element parentElement = signedParent.getDOM();
        if (parentElement == null) {
            log.error("SignableSAMLObject does not have a cached DOM Element.");
            throw new SignatureException("SignableSAMLObject does not have a cached DOM Element.");
        }

        final Element resolved = parentElement.getOwnerDocument().getElementById(fragmentId);
        if (resolved == null) {
            log.error("DOM Document getElementById could not resolve the Element for id reference: {}", fragmentId);
            throw new SignatureException(
                    "DOM Document getElementById could not resolve the Element for id reference: " + fragmentId);
        }
        // Node identity, not equality: the ID must select the very element that carries this signature.
        if (!parentElement.isSameNode(resolved)) {
            log.error("Signature Reference URI '{}' did not resolve to the expected parent Element", uri);
            throw new SignatureException("Signature Reference URI did not resolve to the expected parent Element");
        }
    }

    /**
     * Checks that a non-empty Reference URI is a same-document fragment ({@code #} prefix) naming
     * exactly {@code expectedId}. A null or empty URI passes.
     *
     * @param uri the Reference URI, may be null or empty
     * @param expectedId the ID the fragment must equal
     * @throws SignatureException if the URI lacks the {@code #} prefix, {@code expectedId} is null or
     *         empty, or the fragment after {@code #} does not equal {@code expectedId}
     */
    protected void validateReferenceURI(final String uri, final String expectedId) throws SignatureException {
        if (Strings.isNullOrEmpty(uri)) {
            return;
        }
        if (!uri.startsWith("#")) {
            log.error("Signature Reference URI was not a document fragment reference: " + uri);
            throw new SignatureException("Signature Reference URI was not a document fragment reference");
        }
        if (Strings.isNullOrEmpty(expectedId)) {
            log.error("SignableSAMLObject did not contain an ID attribute");
            throw new SignatureException("SignableSAMLObject did not contain an ID attribute");
        }
        // A bare "#" has no fragment and can never match.
        final boolean fragmentMatches = uri.length() >= 2 && expectedId.equals(uri.substring(1));
        if (!fragmentMatches) {
            log.error("Reference URI '{}' did not point to SignableSAMLObject with ID '{}'", uri, expectedId);
            throw new SignatureException("Reference URI did not point to parent ID");
        }
    }

    /**
     * Checks the Reference's transform list: at most {@value #MAX_TRANSFORMS} transforms, each either
     * the enveloped-signature transform or one of the two exclusive-C14N variants, and the enveloped
     * transform must be present.
     *
     * @param reference the Reference whose transforms are inspected
     * @throws SignatureException if the Transforms are null, too many are declared, any transform is
     *         not on the accepted list, the enveloped transform is absent, or Apache XML Security
     *         fails while retrieving a transform
     */
    protected void validateTransforms(final Reference reference) throws SignatureException {
        try {
            final Transforms transforms = reference.getTransforms();
            if (transforms == null) {
                log.error("Error obtaining Transforms instance, null was returned");
                throw new SignatureException("Transforms instance was null");
            }
            final int transformCount = transforms.getLength();
            if (transformCount > MAX_TRANSFORMS) {
                log.error("Invalid number of Transforms was present: " + transformCount);
                throw new SignatureException("Invalid number of transforms");
            }

            boolean sawEnveloped = false;
            for (int idx = 0; idx < transformCount; idx++) {
                final String transformUri;
                try {
                    transformUri = transforms.item(idx).getURI();
                } catch (final TransformationException e) {
                    log.error("Error obtaining transform instance: {}", e.getMessage());
                    throw new SignatureException("Error obtaining transform instance", e);
                }
                if (ENVELOPED_TRANSFORM.equals(transformUri)) {
                    log.debug("Saw Enveloped signature transform");
                    sawEnveloped = true;
                } else if (isExclusiveC14N(transformUri)) {
                    log.debug("Saw Exclusive C14N signature transform");
                } else {
                    log.error("Saw invalid signature transform: " + transformUri);
                    throw new SignatureException("Signature contained an invalid transform");
                }
            }

            if (!sawEnveloped) {
                log.error("Signature was missing the required Enveloped signature transform");
                throw new SignatureException("Transforms did not contain the required enveloped transform");
            }
        } catch (final XMLSecurityException e) {
            log.error("Apache XML Security error obtaining Transforms instance: {}", e.getMessage());
            throw new SignatureException("Apache XML Security error obtaining Transforms instance", e);
        }
    }

    /**
     * Whether a transform algorithm URI is one of the two accepted exclusive-C14N variants.
     *
     * @param transformUri the transform algorithm URI, may be null
     * @return true if the URI is exclusive C14N with or without comments
     */
    private static boolean isExclusiveC14N(final String transformUri) {
        return EXC_C14N_TRANSFORM.equals(transformUri) || EXC_C14N_WITH_COMMENTS_TRANSFORM.equals(transformUri);
    }

    /**
     * Checks that the signature carries no {@code ds:Object} child elements.
     *
     * @param apacheSig the Apache signature inspected
     * @throws SignatureException if one or more {@code ds:Object} children are present
     */
    protected void validateObjectChildren(final XMLSignature apacheSig) throws SignatureException {
        final int objectCount = apacheSig.getObjectLength();
        if (objectCount > 0) {
            log.error("Signature contained {} ds:Object child element(s)", objectCount);
            throw new SignatureException("Signature contained illegal ds:Object children");
        }
    }
}
