package org.picketlink.identity.federation.web.handlers.saml2;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.constants.JBossSAMLConstants;
import org.picketlink.common.constants.JBossSAMLURIConstants;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.config.federation.IDPType;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2Handler;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.SAMLMetadataUtil;
import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
import org.picketlink.identity.federation.saml.v2.metadata.KeyTypes;
import org.picketlink.identity.federation.saml.v2.metadata.SSODescriptorType;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/picketlink-federation-2.7.0.Final.jar:org/picketlink/identity/federation/web/handlers/saml2/SAML2EncryptionHandler.class */
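public class SAML2EncryptionHandler extends SAML2SignatureGenerationHandler {

    /** Key size in bits used when {@code GeneralConstants.SAML_ENC_KEY_SIZE} is not configured. */
    private static final int DEFAULT_KEY_SIZE_BITS = 128;

    /** JCA algorithm name used when {@code GeneralConstants.SAML_ENC_ALGORITHM} is not configured. */
    private static final String DEFAULT_ALGORITHM = "AES";

    /**
     * Encrypts the SAML assertion of the response document before the signature handler runs.
     *
     * <p>Encryption happens only when this handler runs on the IDP side, the incoming object is an
     * {@code AuthnRequestType} and the IDP configuration has encryption enabled; in every case the
     * call is then delegated to {@code super.handleRequestType}, so the signature generated by the
     * parent covers the already-encrypted document.
     *
     * @param sAML2HandlerRequest  the handler request; supplies the sender key and metadata options
     * @param sAML2HandlerResponse the handler response carrying the document to encrypt
     * @throws ProcessingException   if key generation or element encryption fails (the cause is
     *                               preserved through {@code logger.processingError})
     * @throws IllegalStateException if the response document or its assertion element is missing
     */
    @Override
    public void handleRequestType(SAML2HandlerRequest sAML2HandlerRequest, SAML2HandlerResponse sAML2HandlerResponse) throws ProcessingException {
        if (supportsRequest(sAML2HandlerRequest) && isEncryptionEnabled()) {
            Document responseDocument = sAML2HandlerResponse.getResultingDocument();
            if (responseDocument == null) {
                throw responseDocumentOrAssertionNotFound();
            }
            String samlPrefix = getSAMLNSPrefix(responseDocument);
            try {
                int keySizeBits = getKeySize();
                QName assertionQName = new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get(), samlPrefix);
                QName encryptedAssertionQName = new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ENCRYPTED_ASSERTION.get(), samlPrefix);
                // Size the data-encryption key from the configured key size so the key material agrees
                // with the key size handed to encryptElement; previously a fixed 16-byte secret was
                // generated even when a larger key size was configured.
                // NOTE(review): assumes createRandomSecret takes a length in bytes (matches the original
                // 16 bytes for the 128-bit default) and is backed by a cryptographically strong RNG — confirm.
                SecretKeySpec dataEncryptionKey = new SecretKeySpec(WSTrustUtil.createRandomSecret(keySizeBits / 8), getAlgorithm());
                XMLEncryptionUtil.encryptElement(assertionQName, responseDocument, getSenderPublicKey(sAML2HandlerRequest), dataEncryptionKey, keySizeBits, encryptedAssertionQName, true);
            } catch (Exception e) {
                throw logger.processingError(e);
            }
        }
        super.handleRequestType(sAML2HandlerRequest, sAML2HandlerResponse);
    }

    /**
     * Returns the namespace prefix of the first SAML {@code Assertion} element in the document.
     *
     * @throws IllegalStateException if no assertion element is present
     */
    private String getSAMLNSPrefix(Document document) {
        Node assertion = document.getDocumentElement()
                .getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get())
                .item(0);
        if (assertion == null) {
            throw responseDocumentOrAssertionNotFound();
        }
        return assertion.getPrefix();
    }

    /** True when running as an IDP and the IDP configuration asks for assertion encryption. */
    private boolean isEncryptionEnabled() {
        return getType() == SAML2Handler.HANDLER_TYPE.IDP && getConfiguration().isEncrypt();
    }

    /** True when running as an IDP and the SAML object being handled is an {@code AuthnRequestType}. */
    private boolean supportsRequest(SAML2HandlerRequest request) {
        return getType() == SAML2Handler.HANDLER_TYPE.IDP && request.getSAML2Object() instanceof AuthnRequestType;
    }

    /**
     * Reads the IDP configuration from the inherited handler-chain configuration.
     *
     * @throws RuntimeException (via {@code logger.nullArgumentError}) if no configuration is present
     */
    private IDPType getConfiguration() {
        IDPType idpConfiguration = (IDPType) this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION);
        if (idpConfiguration == null) {
            throw logger.nullArgumentError("IDP Configuration");
        }
        return idpConfiguration;
    }

    /**
     * Returns the configured encryption key size in bits, defaulting to 128.
     *
     * @throws NumberFormatException    if the configured value is not an integer
     * @throws IllegalArgumentException if the value is not a positive multiple of 8, which could not
     *                                  be turned into whole-byte key material
     */
    private int getKeySize() {
        String configured = (String) this.handlerConfig.getParameter(GeneralConstants.SAML_ENC_KEY_SIZE);
        int keySizeBits = configured == null ? DEFAULT_KEY_SIZE_BITS : Integer.parseInt(configured);
        if (keySizeBits <= 0 || keySizeBits % 8 != 0) {
            throw new IllegalArgumentException("Invalid SAML encryption key size in bits: " + keySizeBits);
        }
        return keySizeBits;
    }

    /** Returns the configured JCA algorithm name for the data-encryption key, defaulting to {@code AES}. */
    private String getAlgorithm() {
        String configured = (String) this.handlerConfig.getParameter(GeneralConstants.SAML_ENC_ALGORITHM);
        return configured == null ? DEFAULT_ALGORITHM : configured;
    }

    /**
     * Resolves the public key the data-encryption key is wrapped for: the encryption certificate from
     * the SSO metadata descriptor takes precedence, otherwise the {@code SENDER_PUBLIC_KEY} request option.
     *
     * @throws RuntimeException (via {@code logger.nullArgumentError}) if neither source yields a key
     */
    private PublicKey getSenderPublicKey(SAML2HandlerRequest request) {
        PublicKey metadataKey = getPublicKeyFromMetadata(request);
        if (metadataKey != null) {
            return metadataKey;
        }
        PublicKey optionKey = (PublicKey) request.getOptions().get(GeneralConstants.SENDER_PUBLIC_KEY);
        if (optionKey == null) {
            throw logger.nullArgumentError("Sender Public Key");
        }
        return optionKey;
    }

    /**
     * Returns the public key of the encryption certificate found in the SSO metadata descriptor
     * request option, or {@code null} when the descriptor or the certificate is absent.
     */
    private PublicKey getPublicKeyFromMetadata(SAML2HandlerRequest request) {
        SSODescriptorType descriptor = (SSODescriptorType) request.getOptions().get(GeneralConstants.SSO_METADATA_DESCRIPTOR);
        if (descriptor == null) {
            return null;
        }
        X509Certificate encryptionCertificate = SAMLMetadataUtil.getCertificate(KeyTypes.ENCRYPTION, descriptor);
        return encryptionCertificate == null ? null : encryptionCertificate.getPublicKey();
    }

    /**
     * Builds the exception raised when the response document or its assertion is missing; returned
     * rather than thrown so call sites can {@code throw} it and the compiler sees the exit.
     */
    private IllegalStateException responseDocumentOrAssertionNotFound() {
        return new IllegalStateException("No response document/assertions found. Check if this handler is after the SAML2AuthenticationHandler.");
    }
}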
