package org.opensaml.xmlsec.signature.support.impl;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.xml.AttributeSupport;
import net.shibboleth.utilities.java.support.xml.ElementSupport;
import org.apache.xml.security.utils.Constants;
import org.opensaml.xmlsec.SignatureValidationParameters;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-283-10.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-xmlsec-impl-3.1.1.jar:org/opensaml/xmlsec/signature/support/impl/SignatureAlgorithmValidator.class */
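/**
 * Checks the algorithm URIs declared inside an XML signature against a whitelist and a blacklist.
 *
 * <p>Only two kinds of URI are inspected, both read from the signature's cached DOM:
 * {@code SignedInfo/SignatureMethod/@Algorithm} and every
 * {@code SignedInfo/Reference/DigestMethod/@Algorithm}. Nothing in this class looks at
 * {@code CanonicalizationMethod} or {@code Transform} algorithms, and nothing here verifies the
 * signature value or the reference digests. It is an algorithm policy check only and must be
 * combined with cryptographic validation of the signature.</p>
 *
 * <p>The whitelist and blacklist collections are stored by reference, not copied, so a caller that
 * mutates them after construction changes the policy this validator enforces.</p>
 */
public class SignatureAlgorithmValidator {
    /** XML Signature namespace shared by all element names below. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final QName ELEMENT_NAME_SIGNED_INFO = new QName(XMLDSIG_NS, "SignedInfo");
    private static final QName ELEMENT_NAME_SIGNATURE_METHOD = new QName(XMLDSIG_NS, Constants._TAG_SIGNATUREMETHOD);
    private static final QName ELEMENT_NAME_REFERENCE = new QName(XMLDSIG_NS, "Reference");
    private static final QName ELEMENT_NAME_DIGEST_METHOD = new QName(XMLDSIG_NS, "DigestMethod");
    /** Local name of the (un-namespaced) attribute that carries the algorithm URI. */
    private static final String ATTR_NAME_ALGORITHM = "Algorithm";

    private final Logger log = LoggerFactory.getLogger(SignatureAlgorithmValidator.class);
    private final Collection<String> whitelistedAlgorithmURIs;
    private final Collection<String> blacklistedAlgorithmURIs;

    /**
     * Builds a validator from the whitelist and blacklist carried by the given parameters.
     *
     * @param signatureValidationParameters source of the two algorithm lists; must not be null
     */
    public SignatureAlgorithmValidator(@Nonnull SignatureValidationParameters signatureValidationParameters) {
        Constraint.isNotNull(signatureValidationParameters, "SignatureValidationParameters may not be null");
        this.whitelistedAlgorithmURIs = signatureValidationParameters.getWhitelistedAlgorithms();
        this.blacklistedAlgorithmURIs = signatureValidationParameters.getBlacklistedAlgorithms();
    }

    /**
     * Builds a validator from explicit lists.
     *
     * <p>NOTE(review): either list may be null; how a null list is treated is decided by
     * {@code AlgorithmSupport.validateAlgorithmURI}, which is not visible here. Confirm that a null
     * whitelist together with a null blacklist gives the policy you intend.</p>
     *
     * @param collection whitelisted algorithm URIs, may be null
     * @param collection2 blacklisted algorithm URIs, may be null
     */
    public SignatureAlgorithmValidator(@Nullable Collection<String> collection, @Nullable Collection<String> collection2) {
        this.whitelistedAlgorithmURIs = collection;
        this.blacklistedAlgorithmURIs = collection2;
    }

    /**
     * Validates the signature method and all reference digest methods of a signature.
     *
     * <p>The digest loop runs once per {@code Reference} found; a {@code SignedInfo} with no
     * {@code Reference} children passes that part without any check being made.</p>
     *
     * @param signature the signature to inspect; must not be null and must have a cached DOM
     * @throws SignatureException if the DOM is missing, an algorithm attribute is absent or empty,
     *         or any algorithm URI fails the whitelist/blacklist evaluation
     */
    public void validate(@Nonnull Signature signature) throws SignatureException {
        Constraint.isNotNull(signature, "Signature was null");
        checkDOM(signature);

        String signatureAlgorithm = getSignatureAlgorithm(signature);
        this.log.debug("Validating SignedInfo/SignatureMethod/@Algorithm against whitelist/blacklist: {}", signatureAlgorithm);
        validateAlgorithmURI(signatureAlgorithm);

        for (String digestAlgorithm : getDigestMethods(signature)) {
            this.log.debug("Validating SignedInfo/Reference/DigestMethod/@Algorithm against whitelist/blacklist: {}", digestAlgorithm);
            validateAlgorithmURI(digestAlgorithm);
        }
    }

    /**
     * Ensures the signature carries a cached DOM element, which every later lookup reads from.
     *
     * @param signature the signature to check
     * @throws SignatureException if {@code signature.getDOM()} is null
     */
    protected void checkDOM(@Nonnull Signature signature) throws SignatureException {
        if (signature.getDOM() == null) {
            this.log.warn("Signature does not have a cached DOM Element.");
            throw new SignatureException("Signature does not have a cached DOM Element.");
        }
    }

    /**
     * Reads {@code SignedInfo/SignatureMethod/@Algorithm} from the signature's DOM.
     *
     * @param signature the signature to read from
     * @return the trimmed, non-empty algorithm URI
     * @throws SignatureException if no value could be read
     */
    @Nonnull
    protected String getSignatureAlgorithm(@Nonnull Signature signature) throws SignatureException {
        Element signedInfo = ElementSupport.getFirstChildElement(signature.getDOM(), ELEMENT_NAME_SIGNED_INFO);
        Element signatureMethod = ElementSupport.getFirstChildElement(signedInfo, ELEMENT_NAME_SIGNATURE_METHOD);
        String algorithm = readAlgorithm(signatureMethod);
        if (algorithm == null) {
            throw new SignatureException("SignatureMethod Algorithm was null");
        }
        return algorithm;
    }

    /**
     * Reads {@code DigestMethod/@Algorithm} for every {@code Reference} directly under
     * {@code SignedInfo}, in document order.
     *
     * @param signature the signature to read from
     * @return the trimmed digest algorithm URIs; empty when no {@code Reference} is found
     * @throws SignatureException if any {@code Reference} yields no digest algorithm value
     */
    @Nonnull
    protected List<String> getDigestMethods(@Nonnull Signature signature) throws SignatureException {
        List<String> digestAlgorithms = new ArrayList<>();
        Element signedInfo = ElementSupport.getFirstChildElement(signature.getDOM(), ELEMENT_NAME_SIGNED_INFO);
        for (Element reference : ElementSupport.getChildElements(signedInfo, ELEMENT_NAME_REFERENCE)) {
            String algorithm = readAlgorithm(ElementSupport.getFirstChildElement(reference, ELEMENT_NAME_DIGEST_METHOD));
            if (algorithm == null) {
                throw new SignatureException("Saw null DigestMethod Algorithm");
            }
            digestAlgorithms.add(algorithm);
        }
        return digestAlgorithms;
    }

    /**
     * Evaluates a single algorithm URI against the configured whitelist and blacklist.
     *
     * <p>The URI is taken from the signed document, so the value written to the debug log and to
     * the exception message is document-controlled.</p>
     *
     * @param str the algorithm URI to evaluate
     * @throws SignatureException if {@code AlgorithmSupport.validateAlgorithmURI} rejects the URI
     */
    protected void validateAlgorithmURI(@Nonnull String str) throws SignatureException {
        this.log.debug("Validating algorithm URI against whitelist and blacklist: algorithm: {}, whitelist: {}, blacklist: {}", str, this.whitelistedAlgorithmURIs, this.blacklistedAlgorithmURIs);
        if (!AlgorithmSupport.validateAlgorithmURI(str, this.whitelistedAlgorithmURIs, this.blacklistedAlgorithmURIs)) {
            throw new SignatureException("Algorithm failed whitelist/blacklist validation: " + str);
        }
    }

    /** Returns the trimmed {@code Algorithm} attribute of the element, or null when it has no usable value. */
    @Nullable
    private static String readAlgorithm(@Nullable Element element) {
        // presumably the support helpers tolerate a null element and return null; verify against the library
        return StringSupport.trimOrNull(AttributeSupport.getAttributeValue(element, (String) null, ATTR_NAME_ALGORITHM));
    }
}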
