package org.keycloak.saml.processing.core.util;

import java.io.ByteArrayInputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.stream.StreamResult;
import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
import org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType;
import org.keycloak.saml.common.PicketLinkLogger;
import org.keycloak.saml.common.PicketLinkLoggerFactory;
import org.keycloak.saml.common.constants.JBossSAMLConstants;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.Base64;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.common.util.StringUtil;
import org.keycloak.saml.common.util.SystemPropertiesUtil;
import org.keycloak.saml.common.util.TransformerUtil;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/keycloak/saml/processing/core/util/XMLSignatureUtil.class */
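/**
 * Helpers for producing and checking XML Digital Signatures (XML-DSig) on DOM documents used by
 * the SAML processing pipeline.
 *
 * <p>Signing always produces an enveloped signature (enveloped-signature transform followed by
 * exclusive C14N) over a single reference. Validation is performed against the {@link Key} the
 * caller supplies; any {@code KeyInfo} carried inside the signature is never used to pick the
 * verification key, so it is purely informational for the consumer.
 *
 * <p>Whether a {@code KeyInfo} element is embedded into generated signatures is controlled by
 * {@link #setIncludeKeyInfoInSignature(boolean)} and, at class-initialization time, by the
 * {@code picketlink.xmlsig.includeKeyInfo} system property (default {@code true}).
 */
public class XMLSignatureUtil {
    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

    // SAML 2.0 assertion namespace; used to recognise <saml:Assertion> elements when re-ordering
    // the Signature into schema position.
    private static final String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Assigned in the static initializer; not otherwise read inside this class.
    private static String canonicalizationMethodType;
    // Shared XMLSignatureFactory; looked up once after the security providers are registered.
    private static XMLSignatureFactory fac;
    // Whether generated signatures carry a KeyInfo element (see class Javadoc).
    private static boolean includeKeyInfoInSignature;

    static {
        // Provider registration has to happen before the factory lookup below.
        ProvidersUtil.ensure();
        SystemPropertiesUtil.ensure();
        canonicalizationMethodType = CanonicalizationMethod.EXCLUSIVE;
        fac = getXMLSignatureFactory();
        // Default first, then let the system property override it. (Previously the default was
        // assigned last, which silently discarded the property value.)
        includeKeyInfoInSignature = true;
        String keyInfoProp = SecurityActions.getSystemProperty("picketlink.xmlsig.includeKeyInfo", null);
        if (StringUtil.isNotNull(keyInfoProp)) {
            includeKeyInfoInSignature = Boolean.parseBoolean(keyInfoProp);
        }
    }

    /**
     * Looks up the DOM {@link XMLSignatureFactory}, preferring the Apache Santuario provider and
     * falling back to whatever the JDK offers.
     *
     * @return the factory to use for all signing and validation in this class
     * @throws RuntimeException if no DOM factory can be created at all
     */
    private static XMLSignatureFactory getXMLSignatureFactory() {
        try {
            return XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException notRegistered) {
            try {
                return XMLSignatureFactory.getInstance("DOM");
            } catch (Exception fallbackFailure) {
                throw new RuntimeException((Throwable) logger.couldNotCreateInstance("DOM", fallbackFailure));
            }
        }
    }

    /**
     * Enables or disables embedding a {@code KeyInfo} element in signatures produced by this class.
     *
     * @param include {@code true} to embed the public key / certificate, {@code false} to omit it
     */
    public static void setIncludeKeyInfoInSignature(boolean include) {
        includeKeyInfoInSignature = include;
    }

    /**
     * Signs a single node of {@code doc} and replaces that node in place with its signed copy.
     *
     * <p>The node is copied into a fresh document, signed there (so the enveloped signature covers
     * exactly that subtree), and the signed subtree is imported back over the original node. When
     * the node is a SAML 2.0 {@code Assertion}, the generated {@code Signature} element is moved in
     * front of {@code Subject} to satisfy schema element order.
     *
     * @param doc                   the document containing {@code nodeToBeSigned}
     * @param nodeToBeSigned        the node to sign; must have a parent in {@code doc}
     * @param keyPair               signing key pair; the public half may be embedded in KeyInfo
     * @param digestMethod          digest algorithm URI for the reference
     * @param signatureMethod       signature algorithm URI
     * @param referenceURI          reference URI ({@code ""} for the whole subtree, otherwise an ID ref)
     * @param x509Certificate       optional certificate to embed in KeyInfo, may be {@code null}
     * @param canonicalizationMethod canonicalization algorithm URI for SignedInfo
     * @return {@code doc}, with the signed node substituted
     * @throws IllegalArgumentException (from the logger) when {@code nodeToBeSigned} is null
     */
    public static Document sign(Document doc, Node nodeToBeSigned, KeyPair keyPair, String digestMethod,
            String signatureMethod, String referenceURI, X509Certificate x509Certificate,
            String canonicalizationMethod)
            throws ParserConfigurationException, GeneralSecurityException, MarshalException, XMLSignatureException {
        if (nodeToBeSigned == null) {
            throw logger.nullArgumentError("Node to be signed");
        }
        if (logger.isTraceEnabled()) {
            logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
        }
        Node parentNode = nodeToBeSigned.getParentNode();

        Document detached = DocumentUtil.createDocument();
        detached.appendChild(detached.importNode(nodeToBeSigned, true));
        if (!referenceURI.isEmpty()) {
            // An ID-based reference only resolves if the copy's ID attribute is flagged as an ID.
            propagateIDAttributeSetup(nodeToBeSigned, detached.getDocumentElement());
        }
        Document signedDoc = sign(detached, keyPair, digestMethod, signatureMethod, referenceURI,
                x509Certificate, canonicalizationMethod);

        if (isSaml2Assertion(nodeToBeSigned)) {
            moveSignatureBeforeSubject(signedDoc);
        }

        Node signedNode = doc.importNode(signedDoc.getFirstChild(), true);
        if (!referenceURI.isEmpty()) {
            propagateIDAttributeSetup(signedDoc.getDocumentElement(), (Element) signedNode);
        }
        parentNode.replaceChild(signedNode, nodeToBeSigned);
        return doc;
    }

    /** True when {@code node} is a {@code urn:oasis:names:tc:SAML:2.0:assertion}:{@code Assertion}. */
    private static boolean isSaml2Assertion(Node node) {
        // Null-safe: getLocalName() is null for DOM nodes created without namespace support.
        return "Assertion".equals(node.getLocalName())
                && SAML2_ASSERTION_NS.equals(node.getNamespaceURI());
    }

    /** Re-inserts the {@code ds:Signature} child of the root directly before {@code saml:Subject}, if both exist. */
    private static void moveSignatureBeforeSubject(Document signedDoc) {
        Element signature = DocumentUtil.getElement(signedDoc, new QName(XMLEncryptionUtil.XMLSIG_NS, "Signature"));
        Element subject = DocumentUtil.getElement(signedDoc, new QName(SAML2_ASSERTION_NS, "Subject"));
        if (signature != null && subject != null) {
            Element root = signedDoc.getDocumentElement();
            root.removeChild(signature);
            root.insertBefore(signature, subject);
        }
    }

    /**
     * Signs {@code parent}, inserting the signature before {@code nextSibling}, without a certificate.
     *
     * @see #sign(Element, Node, KeyPair, String, String, String, X509Certificate, String)
     */
    public static void sign(Element parent, Node nextSibling, KeyPair keyPair, String digestMethod,
            String signatureMethod, String referenceURI, String canonicalizationMethod)
            throws GeneralSecurityException, MarshalException, XMLSignatureException {
        sign(parent, nextSibling, keyPair, digestMethod, signatureMethod, referenceURI,
                (X509Certificate) null, canonicalizationMethod);
    }

    /**
     * Signs {@code parent}, placing the generated {@code Signature} element before {@code nextSibling}.
     *
     * @param parent          element that will receive the enveloped signature
     * @param nextSibling     child of {@code parent} before which the signature is inserted
     * @param keyPair         signing key pair
     * @param digestMethod    digest algorithm URI
     * @param signatureMethod signature algorithm URI
     * @param referenceURI    reference URI for the signed content
     * @param x509Certificate optional certificate for KeyInfo, may be {@code null}
     * @param canonicalizationMethod canonicalization algorithm URI
     */
    public static void sign(Element parent, Node nextSibling, KeyPair keyPair, String digestMethod,
            String signatureMethod, String referenceURI, X509Certificate x509Certificate,
            String canonicalizationMethod)
            throws GeneralSecurityException, MarshalException, XMLSignatureException {
        PrivateKey privateKey = keyPair.getPrivate();
        DOMSignContext signContext = new DOMSignContext(privateKey, parent, nextSibling);
        signImpl(signContext, digestMethod, signatureMethod, referenceURI, keyPair.getPublic(),
                x509Certificate, canonicalizationMethod);
    }

    /**
     * Copies the "is an ID" flag of the first ID-typed attribute on {@code sourceNode} onto the
     * attribute of the same name on {@code destElement}, so that ID references ({@code #id}) resolve
     * on a freshly created or imported element.
     *
     * @param sourceNode  node whose attributes are inspected
     * @param destElement element on which the matching attribute is marked as an ID
     */
    public static void propagateIDAttributeSetup(Node sourceNode, Element destElement) {
        NamedNodeMap attributes = sourceNode.getAttributes();
        int count = attributes.getLength();
        for (int i = 0; i < count; i++) {
            Attr attribute = (Attr) attributes.item(i);
            if (attribute.isId()) {
                destElement.setIdAttribute(attribute.getName(), true);
                return;
            }
        }
    }

    /**
     * Signs the root element of {@code doc} without embedding a certificate.
     *
     * @see #sign(Document, KeyPair, String, String, String, X509Certificate, String)
     */
    public static Document sign(Document doc, KeyPair keyPair, String digestMethod, String signatureMethod,
            String referenceURI, String canonicalizationMethod)
            throws GeneralSecurityException, MarshalException, XMLSignatureException {
        return sign(doc, keyPair, digestMethod, signatureMethod, referenceURI, (X509Certificate) null,
                canonicalizationMethod);
    }

    /**
     * Signs the root element of {@code doc}; the signature is appended as its last child.
     *
     * @param doc             document whose root element is signed (modified in place)
     * @param keyPair         signing key pair
     * @param digestMethod    digest algorithm URI
     * @param signatureMethod signature algorithm URI
     * @param referenceURI    reference URI for the signed content
     * @param x509Certificate optional certificate for KeyInfo, may be {@code null}
     * @param canonicalizationMethod canonicalization algorithm URI
     * @return the same {@code doc} instance
     */
    public static Document sign(Document doc, KeyPair keyPair, String digestMethod, String signatureMethod,
            String referenceURI, X509Certificate x509Certificate, String canonicalizationMethod)
            throws GeneralSecurityException, MarshalException, XMLSignatureException {
        if (logger.isTraceEnabled()) {
            // Serialising the whole document is not free; only do it when trace is on.
            logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
        }
        DOMSignContext signContext = new DOMSignContext(keyPair.getPrivate(), doc.getDocumentElement());
        signImpl(signContext, digestMethod, signatureMethod, referenceURI, keyPair.getPublic(),
                x509Certificate, canonicalizationMethod);
        return doc;
    }

    /**
     * Signs the document described by {@code dto}, inserting the signature before the DTO's next
     * sibling.
     *
     * @param dto                    bundle of document, key pair, algorithms, reference URI and next sibling
     * @param canonicalizationMethod canonicalization algorithm URI
     * @return the DTO's document, signed in place
     */
    public static Document sign(SignatureUtilTransferObject dto, String canonicalizationMethod)
            throws GeneralSecurityException, MarshalException, XMLSignatureException {
        Document doc = dto.getDocumentToBeSigned();
        KeyPair keyPair = dto.getKeyPair();
        if (logger.isTraceEnabled()) {
            logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
        }
        DOMSignContext signContext = new DOMSignContext(keyPair.getPrivate(), doc.getDocumentElement(),
                dto.getNextSibling());
        signImpl(signContext, dto.getDigestMethod(), dto.getSignatureMethod(), dto.getReferenceURI(),
                keyPair.getPublic(), dto.getX509Certificate(), canonicalizationMethod);
        return doc;
    }

    /**
     * Validates every {@code ds:Signature} element in {@code signedDocument} against {@code publicKey}.
     *
     * <p>The verification key is always the one passed in; KeyInfo inside the document is ignored.
     * After all signatures verify, the number of {@code Assertion} elements that carry a signature is
     * compared with the total number of {@code Assertion} elements in the document (same namespace).
     * A mismatch means an unsigned assertion sits next to signed ones and the document is rejected.
     *
     * @param signedDocument the document to verify
     * @param publicKey      key used for every signature in the document
     * @return {@code true} only if at least one signature is present, all verify, and no unsigned
     *         assertion accompanies the signed ones
     * @throws IllegalArgumentException (from the logger) when the document is null, or when a
     *         signature is present but {@code publicKey} is null
     */
    public static boolean validate(Document signedDocument, Key publicKey) throws MarshalException, XMLSignatureException {
        if (signedDocument == null) {
            throw logger.nullArgumentError("Signed Document");
        }
        Element root = signedDocument.getDocumentElement();
        propagateIDAttributeSetup(root, root);

        NodeList signatures = signedDocument.getElementsByTagNameNS(XMLEncryptionUtil.XMLSIG_NS, "Signature");
        if (signatures == null || signatures.getLength() == 0) {
            logger.debug("Cannot find Signature element");
            return false;
        }
        if (publicKey == null) {
            throw logger.nullValueError("Public Key");
        }

        int signedAssertionCount = 0;
        String assertionNamespace = null;
        String assertionLocalName = JBossSAMLConstants.ASSERTION.get();
        for (int i = 0; i < signatures.getLength(); i++) {
            Node signatureNode = signatures.item(i);
            Node parent = signatureNode.getParentNode();
            if (parent != null && assertionLocalName.equals(parent.getLocalName())) {
                signedAssertionCount++;
                if (assertionNamespace == null) {
                    assertionNamespace = parent.getNamespaceURI();
                }
            }
            DOMValidateContext validateContext = new DOMValidateContext(publicKey, signatureNode);
            XMLSignature signature = fac.unmarshalXMLSignature(validateContext);
            if (!signature.validate(validateContext)) {
                if (logger.isTraceEnabled()) {
                    traceValidationFailure(signature, validateContext);
                }
                return false;
            }
        }

        NodeList allAssertions = signedDocument.getElementsByTagNameNS(assertionNamespace, assertionLocalName);
        if (signedAssertionCount > 0 && allAssertions != null && allAssertions.getLength() != signedAssertionCount) {
            if (logger.isDebugEnabled()) {
                logger.debug("SAML Response document may contain malicious assertions. Signature validation will fail.");
            }
            return false;
        }
        return true;
    }

    /** Trace-logs which part of a failed signature (value or individual references) did not verify. */
    private static void traceValidationFailure(XMLSignature signature, DOMValidateContext validateContext)
            throws XMLSignatureException {
        logger.trace("Signature validation status: " + signature.getSignatureValue().validate(validateContext));
        for (Object item : signature.getSignedInfo().getReferences()) {
            Reference reference = (Reference) item;
            logger.trace("[Ref id=" + reference.getId() + ":uri=" + reference.getURI()
                    + "]validity status:" + reference.validate(validateContext));
        }
    }

    /**
     * Not implemented.
     *
     * @throws RuntimeException (from the logger) always
     */
    public static void marshall(SignatureType signatureType, OutputStream outputStream) throws JAXBException, SAXException {
        throw logger.notImplementedYet("NYI");
    }

    /**
     * Serialises {@code doc} to {@code outputStream} using an identity transform.
     *
     * @param doc          document to write
     * @param outputStream destination; not closed by this method
     */
    public static void marshall(Document doc, OutputStream outputStream) throws TransformerException {
        TransformerUtil.getTransformerFactory().newTransformer()
                .transform(DocumentUtil.getXMLSource(doc), new StreamResult(outputStream));
    }

    /**
     * Parses the base64 certificate body found in a {@code ds:X509Certificate} element.
     *
     * <p>The text is wrapped in PEM delimiters and handed to the X.509 {@link CertificateFactory}.
     * If the input encodes several certificates, the last one parsed is returned.
     *
     * @param certificateBase64 the base64 body without PEM header/footer
     * @return the parsed certificate, or {@code null} if the stream held no certificate
     * @throws ProcessingException wrapping the {@link CertificateException} on parse failure
     */
    public static X509Certificate getX509CertificateFromKeyInfoString(String certificateBase64) throws ProcessingException {
        String pem = "-----BEGIN CERTIFICATE-----\n" + certificateBase64 + "\n-----END CERTIFICATE-----";
        X509Certificate certificate = null;
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            // PEM is ASCII; pin the charset instead of relying on the platform default.
            ByteArrayInputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8));
            while (in.available() > 0) {
                certificate = (X509Certificate) factory.generateCertificate(in);
            }
            return certificate;
        } catch (CertificateException e) {
            throw logger.processingError(e);
        }
    }

    /**
     * Reads the child elements of a {@code ds:DSAKeyValue} element ({@code P}, {@code Q}, {@code G},
     * {@code Y}, {@code Seed}, {@code PgenCounter}) into a {@link DSAKeyValueType}. Values are stored
     * as the raw text bytes (still base64); unknown children are ignored.
     *
     * @param element the {@code DSAKeyValue} element
     * @return the populated value object
     */
    public static DSAKeyValueType getDSAKeyValue(Element element) throws ParsingException {
        DSAKeyValueType dsaKeyValue = new DSAKeyValueType();
        NodeList children = element.getChildNodes();
        int childCount = children.getLength();
        for (int i = 0; i < childCount; i++) {
            Node child = children.item(i);
            if (!(child instanceof Element)) {
                continue;
            }
            Element childElement = (Element) child;
            String localName = childElement.getLocalName();
            if (localName == null) {
                // switch on a null String would throw; non-namespace-aware nodes are simply skipped.
                continue;
            }
            byte[] text = childElement.getTextContent().getBytes(StandardCharsets.UTF_8);
            switch (localName) {
                case "P":
                    dsaKeyValue.setP(text);
                    break;
                case "Q":
                    dsaKeyValue.setQ(text);
                    break;
                case "G":
                    dsaKeyValue.setG(text);
                    break;
                case "Y":
                    dsaKeyValue.setY(text);
                    break;
                case "Seed":
                    dsaKeyValue.setSeed(text);
                    break;
                case "PgenCounter":
                    dsaKeyValue.setPgenCounter(text);
                    break;
                default:
                    break;
            }
        }
        return dsaKeyValue;
    }

    /**
     * Reads the {@code Modulus} and {@code Exponent} children of a {@code ds:RSAKeyValue} element
     * into an {@link RSAKeyValueType}. Values are stored as the raw text bytes (still base64).
     *
     * @param element the {@code RSAKeyValue} element
     * @return the populated value object
     */
    public static RSAKeyValueType getRSAKeyValue(Element element) throws ParsingException {
        RSAKeyValueType rsaKeyValue = new RSAKeyValueType();
        NodeList children = element.getChildNodes();
        int childCount = children.getLength();
        for (int i = 0; i < childCount; i++) {
            Node child = children.item(i);
            if (!(child instanceof Element)) {
                continue;
            }
            Element childElement = (Element) child;
            String localName = childElement.getLocalName();
            byte[] text = childElement.getTextContent().getBytes(StandardCharsets.UTF_8);
            if ("Modulus".equals(localName)) {
                rsaKeyValue.setModulus(text);
            } else if ("Exponent".equals(localName)) {
                rsaKeyValue.setExponent(text);
            }
        }
        return rsaKeyValue;
    }

    /**
     * Builds a {@link KeyValueType} (RSA or DSA) from a public key, with each big-integer component
     * base64-encoded as the element text.
     *
     * @param publicKey an {@link RSAPublicKey} or {@link DSAPublicKey}
     * @return the matching {@link RSAKeyValueType} or {@link DSAKeyValueType}
     * @throws RuntimeException (from the logger) for any other key type
     */
    public static KeyValueType createKeyValue(PublicKey publicKey) {
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
            RSAKeyValueType rsaKeyValue = new RSAKeyValueType();
            rsaKeyValue.setModulus(base64Bytes(rsaKey.getModulus().toByteArray()));
            rsaKeyValue.setExponent(base64Bytes(rsaKey.getPublicExponent().toByteArray()));
            return rsaKeyValue;
        }
        if (publicKey instanceof DSAPublicKey) {
            DSAPublicKey dsaKey = (DSAPublicKey) publicKey;
            DSAKeyValueType dsaKeyValue = new DSAKeyValueType();
            dsaKeyValue.setP(base64Bytes(dsaKey.getParams().getP().toByteArray()));
            dsaKeyValue.setQ(base64Bytes(dsaKey.getParams().getQ().toByteArray()));
            dsaKeyValue.setG(base64Bytes(dsaKey.getParams().getG().toByteArray()));
            dsaKeyValue.setY(base64Bytes(dsaKey.getY().toByteArray()));
            return dsaKeyValue;
        }
        // String.valueOf avoids a bare NPE when the key itself is null.
        throw logger.unsupportedType(String.valueOf(publicKey));
    }

    /** Base64-encodes {@code raw} and returns the encoded text as UTF-8 bytes. */
    private static byte[] base64Bytes(byte[] raw) {
        return Base64.encodeBytes(raw).getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Builds and applies an enveloped signature in {@code signContext}.
     *
     * <p>The single reference uses two transforms in order: enveloped-signature (so the Signature
     * element is excluded from its own digest) and exclusive C14N.
     *
     * @param signContext     where and with which private key to sign
     * @param digestMethod    digest algorithm URI
     * @param signatureMethod signature algorithm URI
     * @param referenceURI    reference URI for the signed content
     * @param publicKey       public key for KeyInfo, used only if KeyInfo inclusion is enabled
     * @param x509Certificate certificate for KeyInfo, may be {@code null}
     * @param canonicalizationMethod canonicalization algorithm URI for SignedInfo
     */
    private static void signImpl(DOMSignContext signContext, String digestMethod, String signatureMethod,
            String referenceURI, PublicKey publicKey, X509Certificate x509Certificate,
            String canonicalizationMethod)
            throws GeneralSecurityException, MarshalException, XMLSignatureException {
        signContext.setDefaultNamespacePrefix("dsig");

        DigestMethod digest = fac.newDigestMethod(digestMethod, (DigestMethodParameterSpec) null);
        List<Transform> transforms = new ArrayList<Transform>();
        transforms.add(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
        transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        Reference reference = fac.newReference(referenceURI, digest, transforms, (String) null, (String) null);

        SignedInfo signedInfo = fac.newSignedInfo(
                fac.newCanonicalizationMethod(canonicalizationMethod, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(signatureMethod, (SignatureMethodParameterSpec) null),
                Collections.singletonList(reference));

        KeyInfo keyInfo = includeKeyInfoInSignature ? createKeyInfo(publicKey, x509Certificate) : null;
        fac.newXMLSignature(signedInfo, keyInfo).sign(signContext);
    }

    /**
     * Assembles the {@code KeyInfo} to embed: a {@code KeyValue} for the public key and/or an
     * {@code X509Data} for the certificate. When both are given, X509Data is listed first.
     *
     * @param publicKey       public key, may be {@code null}
     * @param x509Certificate certificate, may be {@code null}
     * @return the KeyInfo, or {@code null} when both arguments are {@code null}
     * @throws KeyException if the public key cannot be expressed as a KeyValue
     */
    private static KeyInfo createKeyInfo(PublicKey publicKey, X509Certificate x509Certificate) throws KeyException {
        KeyInfoFactory keyInfoFactory = fac.getKeyInfoFactory();
        KeyInfo keyInfo = null;
        KeyValue keyValue = null;
        if (publicKey != null) {
            keyValue = keyInfoFactory.newKeyValue(publicKey);
            keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyValue));
        }
        if (x509Certificate != null) {
            X509Data x509Data = keyInfoFactory.newX509Data(Collections.singletonList(x509Certificate));
            List<XMLStructure> content = new ArrayList<XMLStructure>();
            content.add(x509Data);
            if (keyValue != null) {
                content.add(keyValue);
            }
            keyInfo = keyInfoFactory.newKeyInfo(content);
        }
        return keyInfo;
    }
}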
