package org.keycloak.protocol.saml;

import java.security.PublicKey;
import org.keycloak.VerificationException;
import org.keycloak.models.ClientModel;
import org.keycloak.util.PemUtils;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
import org.w3c.dom.Document;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocolUtils.class */
/**
 * Static helpers for checking XML signatures on SAML documents received from a client and for
 * loading the public keys the client has registered.
 *
 * <p>Every key returned here is taken from a certificate stored in the client's own attributes,
 * never from key material carried inside the incoming document.
 */
public class SamlProtocolUtils {

    /**
     * Validates the XML signature on {@code document} when the client is configured to sign.
     *
     * <p>Security note: when the client's {@code SAML_CLIENT_SIGNATURE_ATTRIBUTE} is anything other
     * than {@code ATTRIBUTE_TRUE_VALUE} (including unset) this method returns without inspecting the
     * document. A normal return therefore means "no signature problem was detected for this
     * client's policy", not "the document was signed".
     *
     * <p>NOTE(review): which element(s) {@code SAML2Signature.validate} actually checks is not
     * visible here. Callers should confirm that the element they go on to consume is the one
     * covered by the validated signature.
     *
     * @param clientModel client whose signing policy and registered certificate are used
     * @param document    parsed SAML document to check
     * @throws VerificationException if signing is required and the signature is invalid, the
     *                               validation key cannot be loaded, or validation itself fails
     */
    public static void verifyDocumentSignature(ClientModel clientModel, Document document) throws VerificationException {
        String signingFlag = clientModel.getAttribute(SamlProtocol.SAML_CLIENT_SIGNATURE_ATTRIBUTE);
        if (!SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(signingFlag)) {
            // Client is not configured to sign its documents: nothing is checked.
            return;
        }

        boolean signatureOk;
        try {
            SAML2Signature validator = new SAML2Signature();
            // A key-loading failure surfaces as VerificationException and is not caught below.
            PublicKey trustedKey = getSignatureValidationKey(clientModel);
            signatureOk = validator.validate(document, trustedKey);
        } catch (ProcessingException e) {
            // Fail closed: an error inside the validator is reported as a verification failure.
            throw new VerificationException("Error validating signature", e);
        }

        if (!signatureOk) {
            throw new VerificationException("Invalid signature on document");
        }
    }

    /**
     * Returns the public key from the client's registered signing certificate.
     *
     * @param clientModel client to read {@code SAML_SIGNING_CERTIFICATE_ATTRIBUTE} from
     * @return the certificate's public key
     * @throws VerificationException if the attribute is missing or cannot be decoded
     */
    public static PublicKey getSignatureValidationKey(ClientModel clientModel) throws VerificationException {
        final String signingCertAttribute = SamlProtocol.SAML_SIGNING_CERTIFICATE_ATTRIBUTE;
        return getPublicKey(clientModel, signingCertAttribute);
    }

    /**
     * Returns the public key from the client's registered encryption certificate.
     *
     * @param clientModel client to read {@code SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE} from
     * @return the certificate's public key
     * @throws VerificationException if the attribute is missing or cannot be decoded
     */
    public static PublicKey getEncryptionValidationKey(ClientModel clientModel) throws VerificationException {
        final String encryptionCertAttribute = SamlProtocol.SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE;
        return getPublicKey(clientModel, encryptionCertAttribute);
    }

    /**
     * Decodes the certificate stored under the given client attribute and returns its public key.
     *
     * <p>Only the public key is extracted. No validity-period, chain or revocation check is made in
     * this method; whether {@code PemUtils.decodeCertificate} performs any is not visible here, so
     * an expired certificate left in the client configuration should be assumed to keep working
     * until it is replaced.
     *
     * @param clientModel client holding the certificate attribute
     * @param str         name of the client attribute that contains the encoded certificate
     * @return the public key of the decoded certificate
     * @throws VerificationException if the attribute is absent, or if decoding or key extraction
     *                               raises any exception
     */
    public static PublicKey getPublicKey(ClientModel clientModel, String str) throws VerificationException {
        final String encodedCert = clientModel.getAttribute(str);
        if (encodedCert == null) {
            throw new VerificationException("Client does not have a public key.");
        }

        try {
            return PemUtils.decodeCertificate(encodedCert).getPublicKey();
        } catch (Exception e) {
            // Broad catch is deliberate here: any decoding failure is reported as a verification
            // failure, with the cause preserved, instead of escaping as an unchecked exception.
            throw new VerificationException("Could not decode cert", e);
        }
    }
}
