package org.opensaml.saml.metadata.resolver.filter.impl;

import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.util.Collections;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.xml.XMLParserException;
import org.opensaml.core.testing.XMLObjectBaseTestCase;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.saml.metadata.resolver.filter.FilterException;
import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext;
import org.opensaml.saml.metadata.resolver.filter.data.impl.MetadataSource;
import org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.x509.X509Support;
import org.opensaml.xmlsec.SignatureValidationParameters;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
import org.w3c.dom.Document;

/* loaded from: input_file:org/opensaml/saml/metadata/resolver/filter/impl/SignatureValidationFilterExplicitKeyTest.class */
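/**
 * Tests for {@link SignatureValidationFilter} driven by an {@link ExplicitKeySignatureTrustEngine}.
 *
 * <p>Two fixture sets are exercised: a SWITCH metadata aggregate (a correctly signed copy and a
 * copy whose signature no longer verifies) and a single OpenID {@code EntityDescriptor} (again a
 * valid and an invalid copy). For each set the trust engine is seeded with exactly one
 * certificate, supplied inline as Base64, so a signature is accepted only if it was produced by
 * that key. The tests cover the accept path, the reject path, rejection via an excluded
 * signature algorithm, and the root-signature skip granted to a trusted {@link MetadataSource}.
 */
public class SignatureValidationFilterExplicitKeyTest extends XMLObjectBaseTestCase {

    /** SWITCH aggregate with a verifiable signature; parsed fresh before every test. */
    private Document switchMDDocumentValid;

    /** SWITCH aggregate whose signature must not verify; parsed fresh before every test. */
    private Document switchMDDocumentInvalid;

    /** Trust engine that trusts only the SWITCH signing certificate. */
    private SignatureTrustEngine switchSigTrustEngine;

    /** Resolves credentials carried inline in {@code ds:KeyInfo}; built once per class. */
    private KeyInfoCredentialResolver kiResolver;

    /** Fresh, empty filter context for every test (no {@link MetadataSource} unless a test adds one). */
    private MetadataFilterContext filterContext;

    /** Classpath resource: SWITCH aggregate, valid signature. */
    private final String switchMDFileValid = "/org/opensaml/saml/saml2/metadata/provider/metadata.aaitest_signed.xml";

    /** Classpath resource: SWITCH aggregate, invalid signature. */
    private final String switchMDFileInvalid = "/org/opensaml/saml/saml2/metadata/provider/metadata.aaitest_signed.invalid.xml";

    /** Base64 DER of the certificate the SWITCH fixtures are expected to be signed under. */
    private final String switchMDCertBase64 = "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";

    /** Classpath resource: OpenID EntityDescriptor, valid signature. */
    private final String openIDFileValid = "/org/opensaml/saml/saml2/metadata/provider/openid-metadata.xml";

    /** Classpath resource: OpenID EntityDescriptor, invalid signature. */
    private final String openIDFileInvalid = "/org/opensaml/saml/saml2/metadata/provider/openid-metadata-invalid.xml";

    /** Base64 DER of the certificate the OpenID fixtures are expected to be signed under. */
    private final String openIDCertBase64 = "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";

    /** Builds the shared inline KeyInfo resolver used by every trust engine in this class. */
    @BeforeClass
    public void buildKeyInfoCredentialResolver() {
        this.kiResolver = DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();
    }

    /**
     * Re-parses the SWITCH fixtures and rebuilds the SWITCH trust engine and an empty filter
     * context before each test, so that no test can observe another test's state.
     *
     * @throws Exception on parse or certificate decoding failure
     */
    @BeforeMethod
    protected void setUp() throws Exception {
        this.switchMDDocumentValid = parseResource(switchMDFileValid);
        this.switchMDDocumentInvalid = parseResource(switchMDFileInvalid);
        this.switchSigTrustEngine = buildExplicitKeyTrustEngine(switchMDCertBase64);
        this.filterContext = new MetadataFilterContext();
    }

    /** A correctly signed SWITCH aggregate must pass the filter with the default criteria. */
    @Test
    public void testValidSWITCHStandalone() throws UnmarshallingException {
        final XMLObject metadata = unmarshall(switchMDDocumentValid);
        try {
            new SignatureValidationFilter(switchSigTrustEngine).filter(metadata, filterContext);
        } catch (final FilterException e) {
            Assert.fail("Filter failed validation, should have succeeded: " + e.getMessage());
        }
    }

    /**
     * Excluding {@code rsa-sha1} must turn the otherwise valid SWITCH aggregate into a
     * {@link FilterException}: a signature made with an excluded algorithm is rejected even
     * though the key is trusted and the digest checks out. (The fixture is presumably signed
     * with rsa-sha1 — confirm against the resource if this test ever changes.)
     */
    @Test(expectedExceptions = {FilterException.class})
    public void testSWITCHStandaloneBlacklistedSignatureAlgorithm() throws UnmarshallingException, FilterException {
        final XMLObject metadata = unmarshall(switchMDDocumentValid);
        final SignatureValidationFilter filter = new SignatureValidationFilter(switchSigTrustEngine);
        final SignatureValidationParameters params = new SignatureValidationParameters();
        params.setExcludedAlgorithms(Collections.singleton("http://www.w3.org/2000/09/xmldsig#rsa-sha1"));
        // Default criteria apply when the caller supplies none in the filter context.
        filter.setDefaultCriteria(new CriteriaSet(new Criterion[]{new SignatureValidationParametersCriterion(params)}));
        filter.filter(metadata, filterContext);
    }

    /** A SWITCH aggregate whose signature does not verify must be rejected. */
    @Test
    public void testInvalidSWITCHStandalone() throws UnmarshallingException {
        final XMLObject metadata = unmarshall(switchMDDocumentInvalid);
        try {
            new SignatureValidationFilter(switchSigTrustEngine).filter(metadata, filterContext);
            Assert.fail("Filter passed validation, should have failed");
        } catch (final FilterException expected) {
            // Expected: the signature on the invalid fixture must not verify.
        }
    }

    /**
     * A trusted {@link MetadataSource} in the context suppresses verification of the root
     * signature, so the invalid SWITCH aggregate is accepted. This is the path a deployer hits
     * when metadata arrives over an already-authenticated channel.
     */
    @Test
    public void testInvalidSWITCHStandaloneWithRootSkip() throws UnmarshallingException {
        final XMLObject metadata = unmarshall(switchMDDocumentInvalid);
        addTrustedSource(filterContext);
        try {
            new SignatureValidationFilter(switchSigTrustEngine).filter(metadata, filterContext);
        } catch (final FilterException e) {
            Assert.fail("Filter failed validation, should have passed b/c we implicitly said to skip root signature");
        }
    }

    /** A correctly signed OpenID EntityDescriptor must pass the filter. */
    @Test
    public void testEntityDescriptor() throws UnmarshallingException, CertificateException, XMLParserException {
        final ExplicitKeySignatureTrustEngine trustEngine = buildExplicitKeyTrustEngine(openIDCertBase64);
        final EntityDescriptor entityDescriptor = loadSignedEntityDescriptor(openIDFileValid);
        try {
            new SignatureValidationFilter(trustEngine).filter(entityDescriptor, filterContext);
        } catch (final FilterException e) {
            Assert.fail("Filter failed validation, should have succeeded: " + e.getMessage());
        }
    }

    /** An OpenID EntityDescriptor whose signature does not verify must be rejected. */
    @Test
    public void testEntityDescriptorInvalid() throws UnmarshallingException, CertificateException, XMLParserException {
        final ExplicitKeySignatureTrustEngine trustEngine = buildExplicitKeyTrustEngine(openIDCertBase64);
        final EntityDescriptor entityDescriptor = loadSignedEntityDescriptor(openIDFileInvalid);
        try {
            new SignatureValidationFilter(trustEngine).filter(entityDescriptor, filterContext);
            Assert.fail("Filter passed validation, should have failed");
        } catch (final FilterException expected) {
            // Expected: the signature on the invalid fixture must not verify.
        }
    }

    /** Same as {@link #testEntityDescriptorInvalid()} but with a trusted source, so the root signature is skipped. */
    @Test
    public void testEntityDescriptorInvalidWithRootSkip() throws UnmarshallingException, CertificateException, XMLParserException {
        final ExplicitKeySignatureTrustEngine trustEngine = buildExplicitKeyTrustEngine(openIDCertBase64);
        final EntityDescriptor entityDescriptor = loadSignedEntityDescriptor(openIDFileInvalid);
        addTrustedSource(filterContext);
        try {
            new SignatureValidationFilter(trustEngine).filter(entityDescriptor, filterContext);
        } catch (final FilterException e) {
            Assert.fail("Filter failed validation, should have passed b/c we implicitly said to skip root signature");
        }
    }

    /** The filter wired into a {@link DOMMetadataResolver} must let a validly signed descriptor initialize. */
    @Test
    public void testEntityDescriptorWithProvider() throws CertificateException, XMLParserException, UnmarshallingException {
        final DOMMetadataResolver resolver =
                buildResolver(openIDFileValid, buildExplicitKeyTrustEngine(openIDCertBase64));
        try {
            resolver.initialize();
        } catch (final ComponentInitializationException e) {
            Assert.fail("Failed when initializing metadata provider");
        }
    }

    /** The filter wired into a {@link DOMMetadataResolver} must make initialization fail on a bad signature. */
    @Test
    public void testInvalidEntityDescriptorWithProvider() throws CertificateException, XMLParserException, UnmarshallingException {
        final DOMMetadataResolver resolver =
                buildResolver(openIDFileInvalid, buildExplicitKeyTrustEngine(openIDCertBase64));
        try {
            resolver.initialize();
            Assert.fail("Metadata signature was invalid, provider initialization should have failed");
        } catch (final ComponentInitializationException expected) {
            // Expected: the filter rejects the metadata and the resolver refuses to initialize.
        }
    }

    /**
     * Pins the decision table of {@code isSkipRootSignature}: the root signature is skipped only
     * when the context carries a {@link MetadataSource} marked trusted AND the filter has not
     * been told to always verify trusted sources.
     */
    @Test
    public void testIsSkipRootSignatureEval() {
        final MetadataFilterContext context = new MetadataFilterContext();
        final SignatureValidationFilter filter = new SignatureValidationFilter(switchSigTrustEngine);
        final MetadataSource source = new MetadataSource();

        // No source at all: never skip.
        Assert.assertFalse(filter.isSkipRootSignature(context));
        // Source present but untrusted: still verify.
        context.add(source);
        Assert.assertFalse(filter.isSkipRootSignature(context));
        // Trusted source: skip.
        source.setTrusted(true);
        Assert.assertTrue(filter.isSkipRootSignature(context));
        // Deployer override wins over the trusted flag.
        filter.setAlwaysVerifyTrustedSource(true);
        Assert.assertFalse(filter.isSkipRootSignature(context));
    }

    /**
     * Parses the named classpath resource with the inherited parser pool.
     *
     * @param resource absolute classpath path of the fixture
     * @return the parsed document
     * @throws XMLParserException if the fixture cannot be parsed
     */
    private Document parseResource(final String resource) throws XMLParserException {
        return parserPool.parse(SignatureValidationFilterExplicitKeyTest.class.getResourceAsStream(resource));
    }

    /**
     * Unmarshalls the document element of {@code doc} with the inherited unmarshaller factory.
     *
     * @param doc parsed metadata document
     * @return the unmarshalled root object
     * @throws UnmarshallingException if unmarshalling fails
     */
    private XMLObject unmarshall(final Document doc) throws UnmarshallingException {
        return unmarshallerFactory.getUnmarshaller(doc.getDocumentElement()).unmarshall(doc.getDocumentElement());
    }

    /**
     * Builds a trust engine that trusts exactly one certificate and nothing else.
     *
     * @param certBase64 Base64-encoded DER certificate
     * @return the trust engine, sharing the class-level KeyInfo resolver
     * @throws CertificateException if the certificate cannot be decoded
     */
    private ExplicitKeySignatureTrustEngine buildExplicitKeyTrustEngine(final String certBase64)
            throws CertificateException {
        // Public-key-only credential: the (PrivateKey) cast selects the X.509 overload.
        return new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(
                        CredentialSupport.getSimpleCredential(X509Support.decodeCertificate(certBase64), (PrivateKey) null)),
                kiResolver);
    }

    /**
     * Parses and unmarshalls a fixture and asserts that it is a signed {@link EntityDescriptor}
     * before any filter sees it, so a failing test points at the filter rather than the fixture.
     *
     * @param resource absolute classpath path of the fixture
     * @return the unmarshalled, signed descriptor
     * @throws XMLParserException if the fixture cannot be parsed
     * @throws UnmarshallingException if unmarshalling fails
     */
    private EntityDescriptor loadSignedEntityDescriptor(final String resource)
            throws XMLParserException, UnmarshallingException {
        final XMLObject xmlObject = unmarshall(parseResource(resource));
        Assert.assertTrue(xmlObject instanceof EntityDescriptor);
        final EntityDescriptor entityDescriptor = (EntityDescriptor) xmlObject;
        Assert.assertTrue(entityDescriptor.isSigned());
        Assert.assertNotNull(entityDescriptor.getSignature(), "Signature was null");
        return entityDescriptor;
    }

    /**
     * Adds a {@link MetadataSource} flagged trusted to {@code context}, which is the signal the
     * filter uses to skip root-signature verification.
     *
     * @param context filter context to mark
     */
    private void addTrustedSource(final MetadataFilterContext context) {
        final MetadataSource source = new MetadataSource();
        source.setTrusted(true);
        context.add(source);
    }

    /**
     * Builds an uninitialized {@link DOMMetadataResolver} over a fixture with the signature
     * filter installed, so {@code initialize()} is the point at which validation runs.
     *
     * @param resource absolute classpath path of the fixture
     * @param trustEngine trust engine the installed filter should use
     * @return the configured but not yet initialized resolver
     * @throws XMLParserException if the fixture cannot be parsed
     */
    private DOMMetadataResolver buildResolver(final String resource, final SignatureTrustEngine trustEngine)
            throws XMLParserException {
        final DOMMetadataResolver resolver = new DOMMetadataResolver(parseResource(resource).getDocumentElement());
        resolver.setParserPool(parserPool);
        resolver.setId("test");
        // Presumably so the fixture's validity window cannot make the test time-dependent — confirm.
        resolver.setRequireValidMetadata(false);
        resolver.setMetadataFilter(new SignatureValidationFilter(trustEngine));
        return resolver;
    }
}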
