package org.opensaml.xmlsec.impl;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.Collections2;
import groovy.inspect.Inspector;
import java.security.Key;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.SignatureSigningConfiguration;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.SignatureSigningParametersResolver;
import org.opensaml.xmlsec.algorithm.AlgorithmRegistry;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.criterion.KeyInfoGenerationProfileCriterion;
import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-412.zip:modules/system/layers/fuse/org/opensaml/3.1/opensaml-xmlsec-impl-3.1.1.jar:org/opensaml/xmlsec/impl/BasicSignatureSigningParametersResolver.class */
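/**
 * Resolves a single {@link SignatureSigningParameters} instance from the
 * {@link SignatureSigningConfiguration}s carried by a {@link SignatureSigningConfigurationCriterion}.
 *
 * <p>Configurations are walked in the order the criterion returns them and the first usable value
 * wins, so the ordering of the configuration list is the precedence policy. Signature algorithms and
 * reference digest methods are accepted only if they pass both the runtime-support predicate and the
 * whitelist/blacklist predicate. The canonicalization algorithm and the HMAC output length are taken
 * from the configurations without passing through either predicate.</p>
 */
public class BasicSignatureSigningParametersResolver extends AbstractSecurityParametersResolver<SignatureSigningParameters> implements SignatureSigningParametersResolver {
    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(BasicSignatureSigningParametersResolver.class);

    /** Registry used to look up algorithm descriptors; initialised to the global registry. */
    private AlgorithmRegistry algorithmRegistry = AlgorithmSupport.getGlobalAlgorithmRegistry();

    /**
     * Returns the algorithm registry in use.
     *
     * @return the locally held registry, or the global registry when the local field is null
     */
    public AlgorithmRegistry getAlgorithmRegistry() {
        if (this.algorithmRegistry != null) {
            return this.algorithmRegistry;
        }
        return AlgorithmSupport.getGlobalAlgorithmRegistry();
    }

    /**
     * Replaces the algorithm registry used by this resolver.
     *
     * @param algorithmRegistry the new registry; checked with {@code Constraint.isNotNull}
     */
    public void setAlgorithmRegistry(@Nonnull AlgorithmRegistry algorithmRegistry) {
        this.algorithmRegistry = (AlgorithmRegistry) Constraint.isNotNull(algorithmRegistry, "AlgorithmRegistry was null");
    }

    /**
     * Resolves the signing parameters and wraps the outcome in a list.
     *
     * @param criteriaSet the criteria to resolve against
     * @return a singleton list holding the resolved parameters, or an empty list when
     *         {@link #resolveSingle(CriteriaSet)} returns null
     * @throws ResolverException declared by the resolver contract
     */
    @Nonnull
    public Iterable<SignatureSigningParameters> resolve(@Nonnull CriteriaSet criteriaSet) throws ResolverException {
        SignatureSigningParameters resolved = resolveSingle(criteriaSet);
        if (resolved == null) {
            return Collections.emptyList();
        }
        return Collections.singletonList(resolved);
    }

    /**
     * Builds one {@link SignatureSigningParameters} from the supplied criteria.
     *
     * <p>The criteria set must contain a {@link SignatureSigningConfigurationCriterion}. The
     * KeyInfoGenerator and HMAC output length are resolved only when a signing credential was
     * selected. The result is returned only if {@link #validate(SignatureSigningParameters)}
     * accepts it.</p>
     *
     * @param criteriaSet the criteria to resolve against
     * @return the resolved parameters, or null when validation fails
     * @throws ResolverException declared by the resolver contract
     */
    @Nullable
    public SignatureSigningParameters resolveSingle(@Nonnull CriteriaSet criteriaSet) throws ResolverException {
        Constraint.isNotNull(criteriaSet, "CriteriaSet was null");
        Constraint.isNotNull(criteriaSet.get(SignatureSigningConfigurationCriterion.class), "Resolver requires an instance of SignatureSigningConfigurationCriterion");

        Predicate<String> whitelistBlacklistPredicate = getWhitelistBlacklistPredicate(criteriaSet);
        SignatureSigningParameters params = new SignatureSigningParameters();

        resolveAndPopulateCredentialAndSignatureAlgorithm(params, criteriaSet, whitelistBlacklistPredicate);
        params.setSignatureReferenceDigestMethod(resolveReferenceDigestMethod(criteriaSet, whitelistBlacklistPredicate));
        // NOTE(review): the canonicalization algorithm is resolved without the whitelist/blacklist
        // predicate, unlike the signature algorithm and the reference digest method.
        params.setSignatureCanonicalizationAlgorithm(resolveCanonicalizationAlgorithm(criteriaSet));

        Credential signingCredential = params.getSigningCredential();
        if (signingCredential != null) {
            params.setKeyInfoGenerator(resolveKeyInfoGenerator(criteriaSet, signingCredential));
            params.setSignatureHMACOutputLength(resolveHMACOutputLength(criteriaSet, signingCredential, params.getSignatureAlgorithm()));
        }

        if (!validate(params)) {
            return null;
        }
        logResult(params);
        return params;
    }

    /**
     * Writes the resolved parameters to the debug log.
     *
     * <p>For the credential only the signing key's algorithm name is logged, and for the
     * KeyInfoGenerator only whether one is present.</p>
     *
     * @param signatureSigningParameters the parameters to describe
     */
    protected void logResult(@Nonnull SignatureSigningParameters signatureSigningParameters) {
        if (!this.log.isDebugEnabled()) {
            return;
        }
        this.log.debug("Resolved SignatureSigningParameters:");
        Key signingKey = CredentialSupport.extractSigningKey(signatureSigningParameters.getSigningCredential());
        if (signingKey == null) {
            this.log.debug("\tSigning credential: null");
        } else {
            this.log.debug("\tSigning credential with key algorithm: {}", signingKey.getAlgorithm());
        }
        this.log.debug("\tSignature algorithm URI: {}", signatureSigningParameters.getSignatureAlgorithm());
        this.log.debug("\tSignature KeyInfoGenerator: {}", signatureSigningParameters.getKeyInfoGenerator() != null ? "present" : "null");
        this.log.debug("\tReference digest method algorithm URI: {}", signatureSigningParameters.getSignatureReferenceDigestMethod());
        this.log.debug("\tCanonicalization algorithm URI: {}", signatureSigningParameters.getSignatureCanonicalizationAlgorithm());
        this.log.debug("\tHMAC output length: {}", signatureSigningParameters.getSignatureHMACOutputLength());
    }

    /**
     * Checks that the mandatory parameters were resolved.
     *
     * <p>The mandatory values are the signing credential, the signature algorithm, the
     * canonicalization algorithm and the reference digest method. The KeyInfoGenerator and the HMAC
     * output length are not checked here.</p>
     *
     * @param signatureSigningParameters the candidate parameters
     * @return true when all four mandatory values are non-null; otherwise false, after logging a
     *         warning that names the first missing value
     */
    protected boolean validate(@Nonnull SignatureSigningParameters signatureSigningParameters) {
        if (signatureSigningParameters.getSigningCredential() == null) {
            this.log.warn("Validation failure: Unable to resolve signing credential");
            return false;
        }
        if (signatureSigningParameters.getSignatureAlgorithm() == null) {
            this.log.warn("Validation failure: Unable to resolve signing algorithm URI");
            return false;
        }
        if (signatureSigningParameters.getSignatureCanonicalizationAlgorithm() == null) {
            this.log.warn("Validation failure: Unable to resolve signing canonicalization algorithm URI");
            return false;
        }
        if (signatureSigningParameters.getSignatureReferenceDigestMethod() == null) {
            this.log.warn("Validation failure: Unable to resolve reference digest algorithm URI");
            return false;
        }
        return true;
    }

    /**
     * Builds the whitelist/blacklist predicate from the configurations in the criteria set.
     *
     * @param criteriaSet the criteria holding the signing configurations
     * @return the predicate produced by {@code resolveWhitelistBlacklistPredicate}
     */
    @Nonnull
    protected Predicate<String> getWhitelistBlacklistPredicate(@Nonnull CriteriaSet criteriaSet) {
        return resolveWhitelistBlacklistPredicate(criteriaSet, signingConfigurationCriterion(criteriaSet).getConfigurations());
    }

    /**
     * Selects the first credential/algorithm pair that is compatible and stores both on the
     * supplied parameters. Credentials are the outer loop, so an earlier credential with any
     * acceptable algorithm is preferred over a later credential. Nothing is set when no pair matches.
     *
     * <p>JADX reports that the access modifier of this method was changed from protected.</p>
     *
     * @param signatureSigningParameters the parameters to populate
     * @param criteriaSet the criteria holding the signing configurations
     * @param predicate the whitelist/blacklist predicate applied to candidate algorithm URIs
     */
    public void resolveAndPopulateCredentialAndSignatureAlgorithm(@Nonnull SignatureSigningParameters signatureSigningParameters, @Nonnull CriteriaSet criteriaSet, Predicate<String> predicate) {
        List<Credential> credentials = getEffectiveSigningCredentials(criteriaSet);
        List<String> algorithms = getEffectiveSignatureAlgorithms(criteriaSet, predicate);
        this.log.trace("Resolved effective signature algorithms: {}", algorithms);
        for (Credential credential : credentials) {
            if (this.log.isTraceEnabled()) {
                Key signingKey = CredentialSupport.extractSigningKey(credential);
                // Plain literal rather than groovy.inspect.Inspector.NOT_APPLICABLE (same "n/a" text):
                // the reference to a Groovy class looks like a decompiler constant substitution and
                // is unrelated to signing.
                this.log.trace("Evaluating credential of type: {}", signingKey != null ? signingKey.getAlgorithm() : "n/a");
            }
            for (String algorithmUri : algorithms) {
                this.log.trace("Evaluating credential against algorithm: {}", algorithmUri);
                if (credentialSupportsAlgorithm(credential, algorithmUri)) {
                    this.log.trace("Credential passed eval against algorithm: {}", algorithmUri);
                    signatureSigningParameters.setSigningCredential(credential);
                    signatureSigningParameters.setSignatureAlgorithm(algorithmUri);
                    return;
                }
                this.log.trace("Credential failed eval against algorithm: {}", algorithmUri);
            }
        }
    }

    /**
     * Creates the predicate that tests whether an algorithm URI is supported at runtime.
     *
     * <p>JADX reports that the access modifier of this method was changed from protected.</p>
     *
     * @return a new {@code AlgorithmRuntimeSupportedPredicate} over the current registry
     */
    @Nonnull
    public Predicate<String> getAlgorithmRuntimeSupportedPredicate() {
        return new AlgorithmRuntimeSupportedPredicate(getAlgorithmRegistry());
    }

    /**
     * Tests whether a credential can be used for signing with the given algorithm.
     *
     * <p>JADX reports that the access modifier of this method was changed from protected.</p>
     *
     * @param credential the candidate credential
     * @param str the signature algorithm URI, looked up in the algorithm registry
     * @return the result of {@code AlgorithmSupport.credentialSupportsAlgorithmForSigning}
     */
    public boolean credentialSupportsAlgorithm(@Nonnull Credential credential, @NotEmpty @Nonnull String str) {
        return AlgorithmSupport.credentialSupportsAlgorithmForSigning(credential, getAlgorithmRegistry().get(str));
    }

    /**
     * Collects the signing credentials of every configuration, in configuration order.
     *
     * <p>JADX reports that the access modifier of this method was changed from protected.</p>
     *
     * @param criteriaSet the criteria holding the signing configurations
     * @return a new list with all configured signing credentials
     */
    @Nonnull
    public List<Credential> getEffectiveSigningCredentials(@Nonnull CriteriaSet criteriaSet) {
        List<Credential> credentials = new ArrayList<>();
        for (SignatureSigningConfiguration config : signingConfigurationCriterion(criteriaSet).getConfigurations()) {
            credentials.addAll(config.getSigningCredentials());
        }
        return credentials;
    }

    /**
     * Collects the signature algorithm URIs of every configuration, in configuration order, keeping
     * only those accepted by both the runtime-support predicate and the supplied predicate.
     *
     * @param criteriaSet the criteria holding the signing configurations
     * @param predicate the whitelist/blacklist predicate
     * @return a new list with the accepted algorithm URIs
     */
    @Nonnull
    protected List<String> getEffectiveSignatureAlgorithms(@Nonnull CriteriaSet criteriaSet, @Nonnull Predicate<String> predicate) {
        List<String> algorithms = new ArrayList<>();
        // Built once: the combined filter does not depend on the configuration being visited.
        Predicate<String> accepted = Predicates.and(getAlgorithmRuntimeSupportedPredicate(), predicate);
        for (SignatureSigningConfiguration config : signingConfigurationCriterion(criteriaSet).getConfigurations()) {
            algorithms.addAll(Collections2.filter(config.getSignatureAlgorithms(), accepted));
        }
        return algorithms;
    }

    /**
     * Returns the first configured reference digest method accepted by both the runtime-support
     * predicate and the supplied predicate.
     *
     * <p>JADX reports that the access modifier of this method was changed from protected.</p>
     *
     * @param criteriaSet the criteria holding the signing configurations
     * @param predicate the whitelist/blacklist predicate
     * @return the selected digest method URI, or null when none qualifies
     */
    @Nullable
    public String resolveReferenceDigestMethod(@Nonnull CriteriaSet criteriaSet, @Nonnull Predicate<String> predicate) {
        // Built once instead of once per candidate digest method.
        Predicate<String> runtimeSupported = getAlgorithmRuntimeSupportedPredicate();
        for (SignatureSigningConfiguration config : signingConfigurationCriterion(criteriaSet).getConfigurations()) {
            for (String digestMethod : config.getSignatureReferenceDigestMethods()) {
                if (runtimeSupported.apply(digestMethod) && predicate.apply(digestMethod)) {
                    return digestMethod;
                }
            }
        }
        return null;
    }

    /**
     * Returns the canonicalization algorithm of the first configuration that defines one.
     *
     * <p>No whitelist/blacklist or runtime-support filtering is applied in this method.</p>
     *
     * @param criteriaSet the criteria holding the signing configurations
     * @return the canonicalization algorithm URI, or null when no configuration sets one
     */
    @Nullable
    protected String resolveCanonicalizationAlgorithm(@Nonnull CriteriaSet criteriaSet) {
        for (SignatureSigningConfiguration config : signingConfigurationCriterion(criteriaSet).getConfigurations()) {
            String canonicalization = config.getSignatureCanonicalizationAlgorithm();
            if (canonicalization != null) {
                return canonicalization;
            }
        }
        return null;
    }

    /**
     * Looks up a KeyInfoGenerator for the credential, trying each configuration's generator manager
     * in order and returning the first hit.
     *
     * @param criteriaSet the criteria; an optional {@link KeyInfoGenerationProfileCriterion}
     *        supplies the profile name passed to the lookup (null when absent)
     * @param credential the signing credential the generator is for
     * @return the first generator found, or null when no configuration yields one
     */
    @Nullable
    protected KeyInfoGenerator resolveKeyInfoGenerator(@Nonnull CriteriaSet criteriaSet, @Nonnull Credential credential) {
        KeyInfoGenerationProfileCriterion profileCriterion = (KeyInfoGenerationProfileCriterion) criteriaSet.get(KeyInfoGenerationProfileCriterion.class);
        String profileName = profileCriterion != null ? profileCriterion.getName() : null;
        for (SignatureSigningConfiguration config : signingConfigurationCriterion(criteriaSet).getConfigurations()) {
            KeyInfoGenerator generator = lookupKeyInfoGenerator(credential, config.getKeyInfoGeneratorManager(), profileName);
            if (generator != null) {
                return generator;
            }
        }
        return null;
    }

    /**
     * Returns the HMAC output length of the first configuration that defines one, but only when the
     * signature algorithm is an HMAC algorithm.
     *
     * <p>The configured value is returned as-is; this method applies no lower bound to it.</p>
     *
     * @param criteriaSet the criteria holding the signing configurations
     * @param credential the signing credential (not read by this implementation)
     * @param str the signature algorithm URI
     * @return the configured output length, or null for non-HMAC algorithms or when unset
     */
    @Nullable
    protected Integer resolveHMACOutputLength(@Nonnull CriteriaSet criteriaSet, @Nonnull Credential credential, @NotEmpty @Nonnull String str) {
        if (!AlgorithmSupport.isHMAC(str)) {
            return null;
        }
        for (SignatureSigningConfiguration config : signingConfigurationCriterion(criteriaSet).getConfigurations()) {
            Integer outputLength = config.getSignatureHMACOutputLength();
            if (outputLength != null) {
                return outputLength;
            }
        }
        return null;
    }

    /**
     * Fetches the signing-configuration criterion from the criteria set.
     * Callers dereference the result directly, so the criterion must be present.
     */
    private static SignatureSigningConfigurationCriterion signingConfigurationCriterion(CriteriaSet criteriaSet) {
        return (SignatureSigningConfigurationCriterion) criteriaSet.get(SignatureSigningConfigurationCriterion.class);
    }
}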
