package org.picketlink.identity.federation.bindings.jboss.auth;

import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.JBossJSSESecurityDomain;
import org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.w3c.dom.Element;

/* loaded from: input_file:org/picketlink/identity/federation/bindings/jboss/auth/SAML2STSLoginModule.class */
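/**
 * JBoss AS7 binding of the SAML2 STS login module.
 *
 * <p>Adds two things on top of {@code SAML2STSCommonLoginModule}: a configurable
 * {@code clockSkew} module option, and a {@link #localValidation(Element)} that checks the
 * assertion's XML signature against the certificate stored under the configured JSSE security
 * domain's server alias, then checks the assertion's validity window.
 *
 * <p>Security note: when the inherited {@code localTestingOnly} option is set, this module
 * accepts ANY assertion without checking its signature or expiry. That option exists for local
 * development only and must never be enabled in a deployed configuration.
 */
public class SAML2STSLoginModule extends SAML2STSCommonLoginModule {
    /** Module option name for the tolerance applied to the assertion's validity window. */
    private static final String CLOCK_SKEW = "clockSkew";

    /**
     * Tolerance handed to {@link AssertionUtil#hasExpired}. Defaults to 0 (no tolerance).
     * NOTE(review): the unit is whatever {@code AssertionUtil.hasExpired} expects — confirm
     * against that method before documenting the option for users.
     */
    protected int clockSkew = 0;

    /**
     * Reads the {@code clockSkew} module option (if present) after the common initialisation.
     *
     * @param subject         JAAS subject being authenticated
     * @param callbackHandler JAAS callback handler
     * @param map             shared state
     * @param map2            module options; {@code clockSkew} is looked up here
     * @throws NumberFormatException if {@code clockSkew} is present but not an integer — a
     *                               misconfigured tolerance fails loudly instead of silently
     *                               falling back to 0
     */
    @Override // org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSCommonLoginModule, org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        super.initialize(subject, callbackHandler, map, map2);
        String skewOption = (String) map2.get(CLOCK_SKEW);
        if (skewOption != null) {
            try {
                this.clockSkew = Integer.parseInt(skewOption);
            } catch (NumberFormatException nfe) {
                // Same exception type as before, but name the offending option so the operator
                // can find it; keep the original as the cause.
                NumberFormatException wrapped = new NumberFormatException(
                        "Module option '" + CLOCK_SKEW + "' must be an integer, got: " + skewOption);
                wrapped.initCause(nfe);
                throw wrapped;
            }
        }
    }

    /**
     * Validates a SAML assertion locally instead of round-tripping to the STS.
     *
     * <p>Performs exactly two checks, in this order:
     * <ol>
     *   <li>the XML signature on {@code element} verifies with the public key of the certificate
     *       stored under the JSSE domain's server alias in its trust store;</li>
     *   <li>the assertion has not expired, allowing {@link #clockSkew} of tolerance.</li>
     * </ol>
     * Nothing else (audience/recipient restrictions, replay, issuer name) is checked here; if the
     * deployment needs those, they must be enforced elsewhere.
     *
     * @param element the assertion's DOM element
     * @return {@code true} if validation passed (or {@code localTestingOnly} is set — see class doc)
     * @throws LoginException if the JSSE security domain cannot be looked up in JNDI
     * @throws Exception      for a missing trust store / alias / certificate, an invalid signature,
     *                        or an expired assertion (error types come from {@code logger})
     */
    @Override // org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSCommonLoginModule
    protected boolean localValidation(Element element) throws Exception {
        // SECURITY: this bypass disables BOTH checks below. Development use only.
        if (this.localTestingOnly) {
            return true;
        }
        try {
            JBossJSSESecurityDomain jsseDomain = (JBossJSSESecurityDomain) new InitialContext()
                    .lookup(this.localValidationSecurityDomain + "/jsse");
            String domainName = jsseDomain.getSecurityDomain();

            KeyStore trustStore = jsseDomain.getTrustStore();
            if (trustStore == null) {
                throw logger.authNullKeyStoreFromSecurityDomainError(domainName);
            }
            String serverAlias = jsseDomain.getServerAlias();
            if (serverAlias == null) {
                throw logger.authNullKeyStoreAliasFromSecurityDomainError(domainName);
            }
            Certificate signingCert = trustStore.getCertificate(serverAlias);
            if (signingCert == null) {
                throw logger.authNoCertificateFoundForAliasError(serverAlias, domainName);
            }

            // Signature first: the element must be authenticated before anything parsed out of it
            // (the validity window) is trusted.
            if (!AssertionUtil.isSignatureValid(element, signingCert.getPublicKey())) {
                throw logger.authSAMLInvalidSignatureError();
            }
            if (AssertionUtil.hasExpired(SAMLUtil.fromElement(element), this.clockSkew)) {
                throw logger.authSAMLAssertionExpiredError();
            }
            return true;
        } catch (NamingException e) {
            // LoginException has no cause-taking constructor; chain the cause explicitly so the
            // JNDI failure is not lost from the stack trace.
            LoginException le = new LoginException(e.toString());
            le.initCause(e);
            throw le;
        }
    }

    /**
     * Delegates cache-expiry handling to the AS7-specific invalidation factory.
     *
     * @return the AS7 time-based cache expiry
     * @throws Exception propagated from the factory
     */
    @Override // org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSCommonLoginModule
    protected JBossAuthCacheInvalidationFactory.TimeCacheExpiry getCacheExpiry() throws Exception {
        return AS7AuthCacheInvalidationFactory.getCacheExpiry();
    }
}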
