package org.picketlink.identity.seam.federation;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import javax.servlet.http.HttpServletRequest;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.XMLSignatureException;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.ui.util.HTML;
import org.picketlink.identity.federation.core.saml.v2.util.SignatureUtil;
import org.picketlink.identity.federation.core.util.StringUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingSignatureUtil;
import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
import org.picketlink.identity.seam.federation.configuration.SamlIdentityProvider;
import org.w3c.dom.Document;

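@Name("org.picketlink.identity.seam.federation.samlSignatureValidator")
@AutoCreate
/* loaded from: input_file:WEB-INF/lib/picketlink-seam-1.0.3.SP1.jar:org/picketlink/identity/seam/federation/SamlSignatureValidator.class */
public class SamlSignatureValidator {

    /** Query-string parameter that carries the URL/base64 encoded signature in the HTTP-Redirect binding. */
    private static final String QSP_SIGNATURE = "Signature";

    /** Query-string parameter that carries the optional relay state in the HTTP-Redirect binding. */
    private static final String QSP_RELAY_STATE = "RelayState";

    /**
     * Validates the XML signature of a SAML message received over the HTTP-POST binding.
     * <p>
     * The signature is checked against the identity provider's configured public key only;
     * no key material is taken from the message itself.
     * <p>
     * NOTE(review): this method only establishes that <em>some</em> signature in {@code document}
     * verifies under that key. Whether the signed element is the same element the caller goes on to
     * consume (the usual guard against signature wrapping) is not checked here — confirm that
     * {@code XMLSignatureUtil.validate} or the caller enforces it.
     *
     * @param samlIdentityProvider the identity provider whose public key must have produced the signature
     * @param document the parsed SAML message
     * @throws InvalidRequestException if the signature does not verify
     * @throws RuntimeException if the signature cannot be unmarshalled or the validation itself fails
     */
    public void validateSignatureForPostBinding(SamlIdentityProvider samlIdentityProvider, Document document) throws InvalidRequestException {
        boolean valid;
        try {
            valid = XMLSignatureUtil.validate(document, samlIdentityProvider.getPublicKey());
        } catch (MarshalException e) {
            throw new RuntimeException("Unable to unmarshal the XML signature", e);
        } catch (XMLSignatureException e) {
            throw new RuntimeException("Unable to validate the XML signature", e);
        }
        if (!valid) {
            throw new InvalidRequestException("Invalid signature");
        }
    }

    /**
     * Validates the detached signature of a SAML message received over the HTTP-Redirect binding.
     * <p>
     * The signed data is rebuilt from the raw query string (not from decoded request parameters):
     * {@code SAMLRequest|SAMLResponse=...[&RelayState=...]&SigAlg=...}, and then verified with the
     * decoded {@code Signature} value against the identity provider's public key. Any required
     * parameter that is missing is rejected explicitly instead of being folded into the signed string,
     * which would otherwise surface as an opaque signature mismatch.
     * <p>
     * NOTE(review): {@code SigAlg} is included in the signed data but is not handed to
     * {@code SignatureUtil.validate}; presumably the verifier derives the algorithm from the key
     * type — confirm that a {@code SigAlg} value that disagrees with the key is not accepted.
     *
     * @param samlIdentityProvider the identity provider whose public key must have produced the signature
     * @param httpServletRequest the incoming request; only its raw query string is read
     * @param requestOrResponse selects whether {@code SAMLRequest} or {@code SAMLResponse} carries the message
     * @throws InvalidRequestException if the query string, the {@code Signature}, the message or the
     *         {@code SigAlg} parameter is absent, or if the signature does not verify
     * @throws RuntimeException if the signature cannot be decoded or the verification itself fails
     */
    public void validateSignatureForRedirectBinding(SamlIdentityProvider samlIdentityProvider, HttpServletRequest httpServletRequest, RequestOrResponse requestOrResponse) throws InvalidRequestException {
        // getQueryString() is null when the request carries no query at all; treat it as a missing signature.
        String queryString = httpServletRequest.getQueryString();
        if (queryString == null) {
            throw new InvalidRequestException("Signature parameter is not present.");
        }
        String encodedSignature = RedirectBindingSignatureUtil.getTokenValue(queryString, QSP_SIGNATURE);
        if (encodedSignature == null) {
            throw new InvalidRequestException("Signature parameter is not present.");
        }

        String messageParam = requestOrResponse == RequestOrResponse.REQUEST ? "SAMLRequest" : "SAMLResponse";
        String message = requireQueryParameter(queryString, messageParam);
        // RelayState is optional in the binding; it is only signed when present.
        String relayState = RedirectBindingSignatureUtil.getTokenValue(queryString, QSP_RELAY_STATE);
        String sigAlg = requireQueryParameter(queryString, SamlConstants.QSP_SIG_ALG);
        String signedQuery = signedQueryString(messageParam, message, relayState, sigAlg);

        boolean valid;
        try {
            byte[] signature = RedirectBindingUtil.urlBase64Decode(encodedSignature);
            valid = SignatureUtil.validate(signedQuery.getBytes("UTF-8"), signature, samlIdentityProvider.getPublicKey());
        } catch (IOException e) {
            throw new RuntimeException("Unable to decode the redirect binding signature", e);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Unable to validate the redirect binding signature", e);
        }
        if (!valid) {
            throw new InvalidRequestException("Invalid signature.");
        }
    }

    /**
     * Reads a mandatory parameter out of the raw query string.
     *
     * @param queryString the raw query string of the request
     * @param name the parameter name to look up
     * @return the raw parameter value, never {@code null}
     * @throws InvalidRequestException if the parameter is absent
     */
    private static String requireQueryParameter(String queryString, String name) throws InvalidRequestException {
        String value = RedirectBindingSignatureUtil.getTokenValue(queryString, name);
        if (value == null) {
            throw new InvalidRequestException(name + " parameter is not present.");
        }
        return value;
    }

    /**
     * Rebuilds the string the sender signed: the message parameter, the relay state when present,
     * and the signature algorithm, joined with the query-string separators in that order.
     *
     * @param messageParam {@code SAMLRequest} or {@code SAMLResponse}
     * @param message the raw message parameter value
     * @param relayState the raw relay state value, or {@code null}/empty when absent
     * @param sigAlg the raw {@code SigAlg} value
     * @return the signed query string
     */
    private static String signedQueryString(String messageParam, String message, String relayState, String sigAlg) {
        StringBuilder signed = new StringBuilder();
        signed.append(messageParam).append(HTML.HREF_PARAM_NAME_FROM_VALUE_SEPARATOR).append(message);
        if (StringUtil.isNotNull(relayState)) {
            signed.append(HTML.HREF_PARAM_SEPARATOR).append(QSP_RELAY_STATE).append(HTML.HREF_PARAM_NAME_FROM_VALUE_SEPARATOR).append(relayState);
        }
        signed.append(HTML.HREF_PARAM_SEPARATOR).append(SamlConstants.QSP_SIG_ALG).append(HTML.HREF_PARAM_NAME_FROM_VALUE_SEPARATOR).append(sigAlg);
        return signed.toString();
    }
}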
