package org.apache.wss4j.dom.saml;

import java.security.MessageDigest;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-032.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-dom-2.0.3.jar:org/apache/wss4j/dom/saml/DOMSAMLUtil.class */
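/**
 * Post-processing checks for SAML assertions found in a processed security header.
 *
 * <p>After the security engine has produced its result list, this utility verifies that
 * every SAML assertion's subject confirmation method is actually backed by evidence in
 * the message: a holder-of-key assertion must be matched by a signature or TLS
 * credential that proves possession of the subject key, and a sender-vouches assertion
 * (absent TLS client authentication) must be covered by a signature that also covers the
 * SOAP body.
 *
 * <p>All methods are static and stateless; the class is not instantiable.
 */
public final class DOMSAMLUtil {
    private static final Logger LOG = LoggerFactory.getLogger(DOMSAMLUtil.class);

    // Action codes handed to WSSecurityUtil.fetchAllActionResults. The numeric values are the
    // ones the original code used literally; they correspond to the WSConstants action flags
    // ST_SIGNED (16), ST_UNSIGNED (8), SIGN (2) and UT_SIGN (64).
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_UT_SIGN = 64;

    private DOMSAMLUtil() {
        // utility class
    }

    /**
     * Validates every SAML assertion result against its subject confirmation method.
     *
     * @param list           the full list of security engine results for the message
     * @param certificateArr the TLS client certificate chain, or {@code null} when the
     *                       transport did not authenticate the client
     * @param element        the SOAP body element (used for the sender-vouches check)
     * @throws WSSecurityException with {@code INVALID_SECURITY} when an assertion fails
     *                             its holder-of-key or sender-vouches requirements
     */
    public static void validateSAMLResults(List<WSSecurityEngineResult> list, Certificate[] certificateArr, Element element) throws WSSecurityException {
        List<WSSecurityEngineResult> samlResults =
            WSSecurityUtil.fetchAllActionResults(list, actions(ACTION_ST_SIGNED, ACTION_ST_UNSIGNED));
        if (samlResults.isEmpty()) {
            return;
        }
        // Signature results (message signature or UsernameToken-derived signature) are the
        // evidence a holder-of-key or sender-vouches assertion can be matched against.
        List<WSSecurityEngineResult> signedResults =
            WSSecurityUtil.fetchAllActionResults(list, actions(ACTION_SIGN, ACTION_UT_SIGN));
        for (WSSecurityEngineResult samlResult : samlResults) {
            SamlAssertionWrapper assertion =
                (SamlAssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkHolderOfKey(assertion, signedResults, certificateArr)) {
                LOG.warn("Assertion fails holder-of-key requirements");
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
            }
            if (!checkSenderVouches(assertion, certificateArr, element, signedResults)) {
                LOG.warn("Assertion fails sender-vouches requirements");
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
            }
        }
    }

    /** Builds a fresh, mutable action list for {@code fetchAllActionResults}. */
    private static List<Integer> actions(int first, int second) {
        List<Integer> result = new ArrayList<Integer>(2);
        result.add(first);
        result.add(second);
        return result;
    }

    /**
     * Checks the holder-of-key requirement of an assertion.
     *
     * <p>For each holder-of-key confirmation method the subject key info must be matched by
     * either the TLS client certificate or one of the signature results; an assertion with
     * no holder-of-key confirmation method passes trivially.
     *
     * @param samlAssertionWrapper the assertion under test
     * @param list                 signature results to match the subject key against (may be
     *                             {@code null} or empty)
     * @param certificateArr       TLS client certificates, or {@code null}
     * @return {@code false} if some holder-of-key confirmation method is not backed by a
     *         matching credential, {@code true} otherwise
     */
    public static boolean checkHolderOfKey(SamlAssertionWrapper samlAssertionWrapper, List<WSSecurityEngineResult> list, Certificate[] certificateArr) {
        for (String method : samlAssertionWrapper.getConfirmationMethods()) {
            if (!OpenSAMLUtil.isMethodHolderOfKey(method)) {
                continue;
            }
            boolean noSignedResults = list == null || list.isEmpty();
            // Nothing at all to compare the subject key against: the assertion is unproven.
            if (certificateArr == null && noSignedResults) {
                return false;
            }
            if (!compareCredentials(samlAssertionWrapper.getSubjectKeyInfo(), list, certificateArr)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Compares the subject key info of an assertion against the TLS client certificate and
     * the signature results.
     *
     * <p>A match is any of: the TLS leaf certificate equals the subject certificate; the TLS
     * leaf certificate's public key equals the subject public key; a signature result's leaf
     * certificate equals the subject certificate; a signature result's public key equals the
     * subject public key (or the subject certificate's key when no explicit key is present);
     * or a signature result's secret key equals the subject secret.
     *
     * @param sAMLKeyInfo    the subject key info of the assertion
     * @param list           signature results; {@code null} is treated as empty
     * @param certificateArr TLS client certificates, or {@code null}
     * @return {@code true} when a matching credential was found
     */
    public static boolean compareCredentials(SAMLKeyInfo sAMLKeyInfo, List<WSSecurityEngineResult> list, Certificate[] certificateArr) {
        X509Certificate subjectCert = firstOrNull(sAMLKeyInfo.getCerts());
        PublicKey subjectKey = sAMLKeyInfo.getPublicKey();
        byte[] subjectSecret = sAMLKeyInfo.getSecret();
        Certificate tlsCert = firstOrNull(certificateArr);

        if (tlsCert != null && subjectCert != null && tlsCert.equals(subjectCert)) {
            return true;
        }
        if (tlsCert != null && subjectKey != null && tlsCert.getPublicKey().equals(subjectKey)) {
            return true;
        }
        // Fall back to the certificate's key so signature results carrying only a public
        // key can still be matched.
        if (subjectKey == null && subjectCert != null) {
            subjectKey = subjectCert.getPublicKey();
        }
        if (list == null) {
            return false;
        }
        for (WSSecurityEngineResult result : list) {
            X509Certificate resultCert =
                firstOrNull((X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
            if (resultCert != null && subjectCert != null && resultCert.equals(subjectCert)) {
                return true;
            }
            PublicKey resultKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            if (resultKey != null && resultKey.equals(subjectKey)) {
                return true;
            }
            byte[] resultSecret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
            if (checkSecretKey(resultSecret, subjectSecret, result)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the first element of {@code arr}, or {@code null} when it is null or empty. */
    private static <T> T firstOrNull(T[] arr) {
        return (arr == null || arr.length == 0) ? null : arr[0];
    }

    /**
     * Compares a signature result's secret with the assertion subject secret.
     *
     * <p>If the direct comparison fails, a derived-key principal attached to the result is
     * consulted: its base secret may be the one the assertion refers to. Both comparisons
     * use {@link MessageDigest#isEqual} so their running time does not depend on the first
     * differing byte.
     *
     * @param bArr                   the secret from the signature result (may be {@code null})
     * @param bArr2                  the subject secret from the assertion (may be {@code null})
     * @param wSSecurityEngineResult the signature result, used to look up the principal
     * @return {@code true} when either secret matches
     */
    private static boolean checkSecretKey(byte[] bArr, byte[] bArr2, WSSecurityEngineResult wSSecurityEngineResult) {
        if (bArr == null || bArr2 == null) {
            return false;
        }
        if (MessageDigest.isEqual(bArr, bArr2)) {
            return true;
        }
        Principal principal = (Principal) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        if (!(principal instanceof WSDerivedKeyTokenPrincipal)) {
            return false;
        }
        return MessageDigest.isEqual(((WSDerivedKeyTokenPrincipal) principal).getSecret(), bArr2);
    }

    /**
     * Checks the sender-vouches requirement of an assertion.
     *
     * <p>When the client authenticated over TLS the transport vouches for the sender and the
     * check passes immediately. Otherwise every sender-vouches confirmation method requires
     * a single signature that covers both the assertion and the SOAP body.
     *
     * @param samlAssertionWrapper the assertion under test
     * @param certificateArr       TLS client certificates, or {@code null}
     * @param element              the SOAP body element
     * @param list                 signature results (may be {@code null} or empty)
     * @return {@code false} if a sender-vouches confirmation method is not backed by a
     *         qualifying signature, {@code true} otherwise
     */
    public static boolean checkSenderVouches(SamlAssertionWrapper samlAssertionWrapper, Certificate[] certificateArr, Element element, List<WSSecurityEngineResult> list) {
        if (certificateArr != null && certificateArr.length > 0) {
            return true;
        }
        for (String method : samlAssertionWrapper.getConfirmationMethods()) {
            if (!OpenSAMLUtil.isMethodSenderVouches(method)) {
                continue;
            }
            if (list == null || list.isEmpty()) {
                return false;
            }
            if (!checkAssertionAndBodyAreSigned(samlAssertionWrapper, element, list)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code true} when some single signature result references both the assertion
     * element and the body element among its protected data references.
     *
     * <p>The two flags are reset for every signature result on purpose: the assertion and the
     * body must be covered by the <em>same</em> signature, not by two different ones.
     * Elements are compared by identity, as they are in the original implementation.
     */
    private static boolean checkAssertionAndBodyAreSigned(SamlAssertionWrapper samlAssertionWrapper, Element element, List<WSSecurityEngineResult> list) {
        Element assertionElement = samlAssertionWrapper.getElement();
        for (WSSecurityEngineResult result : list) {
            // TAG_DATA_REF_URIS is populated with WSDataRef instances by the signature processors.
            @SuppressWarnings("unchecked")
            List<WSDataRef> dataRefs = (List<WSDataRef>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (dataRefs == null) {
                continue;
            }
            boolean assertionSigned = false;
            boolean bodySigned = false;
            for (WSDataRef dataRef : dataRefs) {
                Element protectedElement = dataRef.getProtectedElement();
                if (protectedElement == assertionElement) {
                    assertionSigned = true;
                }
                if (protectedElement == element) {
                    bodySigned = true;
                }
                if (assertionSigned && bodySigned) {
                    return true;
                }
            }
        }
        return false;
    }
}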
