package org.apereo.cas.support.saml.web.idp.profile.builders.enc;

import java.util.ArrayList;
import java.util.List;
import lombok.Generated;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.util.EncodingUtils;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/enc/SamlIdPObjectEncrypter.class */
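/**
 * Encrypts SAML 2 objects (assertions, name identifiers and attributes) for a
 * registered service provider.
 *
 * <p>The recipient's public key is resolved from the SP's metadata (via
 * {@link #getKeyEncryptionCredential}); the resolved key then wraps a freshly
 * generated data-encryption key that encrypts the object itself.
 *
 * <p>Note on configuration: the {@code override*} algorithm lists read from
 * {@link SamlIdPProperties} only narrow the {@link EncryptionConfiguration} that
 * is handed to the metadata credential resolver as a criterion. The algorithms
 * actually applied by the {@link Encrypter} are the fixed values returned by
 * {@link #getDataEncryptionParameters} and {@link #getKeyEncryptionParameters};
 * override those methods in a subclass to change them (for example to a GCM
 * data-encryption algorithm where the SP supports it).
 *
 * <p>This class holds no mutable state beyond the injected properties.
 */
public class SamlIdPObjectEncrypter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPObjectEncrypter.class);

    /** Block cipher applied to the SAML object itself. */
    private static final String DEFAULT_DATA_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";

    /** Key-transport algorithm used to wrap the data-encryption key with the SP's public key. */
    private static final String DEFAULT_KEY_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    private final SamlIdPProperties samlIdPProperties;

    /**
     * Encrypts an assertion for the given service provider.
     *
     * @param assertion                                        the assertion to encrypt
     * @param samlRegisteredService                            the registered service
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @return the encrypted assertion
     */
    public EncryptedAssertion encode(Assertion assertion, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        final Encrypter encrypter = buildEncrypterForSamlObject(assertion, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
        return encrypter.encrypt(assertion);
    }

    /**
     * Encrypts a name identifier for the given service provider.
     *
     * @param nameID                                           the name identifier to encrypt
     * @param samlRegisteredService                            the registered service
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @return the encrypted identifier
     */
    public EncryptedID encode(NameID nameID, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        final Encrypter encrypter = buildEncrypterForSamlObject(nameID, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
        return encrypter.encrypt(nameID);
    }

    /**
     * Encrypts a single attribute for the given service provider.
     *
     * @param attribute                                        the attribute to encrypt
     * @param samlRegisteredService                            the registered service
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @return the encrypted attribute
     */
    public EncryptedAttribute encode(Attribute attribute, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        final Encrypter encrypter = buildEncrypterForSamlObject(attribute, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
        return encrypter.encrypt(attribute);
    }

    /**
     * Builds a fully configured {@link Encrypter} for one SAML object.
     *
     * <p>Resolves the SP's encryption credential, derives key- and data-encryption
     * parameters from it, and assembles the encrypter.
     *
     * @param obj                                              the SAML object about to be encrypted (used for logging and for
     *                                                         per-object parameter hooks)
     * @param samlRegisteredService                            the registered service
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @return the encrypter to use for {@code obj}
     * @throws IllegalArgumentException if no encryption credential can be resolved from the SP's metadata
     */
    protected Encrypter buildEncrypterForSamlObject(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        final String name = obj.getClass().getName();
        final String entityId = samlRegisteredServiceServiceProviderMetadataFacade.getEntityId();
        LOGGER.debug("Attempting to encrypt [{}] for [{}]", name, entityId);

        // NOTE(review): getKeyEncryptionCredential declares "throws Exception" while this method does not;
        // the decompiled source presumably carried Lombok's @SneakyThrows here. Behaviour is kept unchanged.
        final Credential keyEncryptionCredential = getKeyEncryptionCredential(entityId, samlRegisteredServiceServiceProviderMetadataFacade, samlRegisteredService);
        // resolveSingle() returns null when the SP metadata carries no usable encryption key;
        // fail with a clear message instead of an NPE on getPublicKey() below.
        if (keyEncryptionCredential == null) {
            throw new IllegalArgumentException("No encryption credential could be resolved from the metadata of [" + entityId + "]; unable to encrypt [" + name + ']');
        }
        // Public-key material only (never private key bytes); logged so operators can confirm which SP key was picked.
        if (keyEncryptionCredential.getPublicKey() != null) {
            LOGGER.info("Found encryption public key: [{}]", EncodingUtils.encodeBase64(keyEncryptionCredential.getPublicKey().getEncoded()));
        }

        final KeyEncryptionParameters keyEncryptionParameters = getKeyEncryptionParameters(obj, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, keyEncryptionCredential);
        LOGGER.debug("Key encryption algorithm for [{}] is [{}]", keyEncryptionParameters.getRecipient(), keyEncryptionParameters.getAlgorithm());

        final DataEncryptionParameters dataEncryptionParameters = getDataEncryptionParameters(obj, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
        LOGGER.debug("Data encryption algorithm for [{}] is [{}]", entityId, dataEncryptionParameters.getAlgorithm());

        final Encrypter encrypter = getEncrypter(obj, samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, keyEncryptionParameters, dataEncryptionParameters);
        LOGGER.debug("Attempting to encrypt [{}] for [{}] with key placement of [{}]", name, entityId, encrypter.getKeyPlacement());
        return encrypter;
    }

    /**
     * Creates the {@link Encrypter} from the given parameters.
     *
     * <p>Key placement is {@code PEER}, i.e. the {@code EncryptedKey} is emitted
     * alongside the {@code EncryptedData} rather than nested inside its {@code KeyInfo}.
     *
     * @param obj                                              the SAML object to be encrypted (unused here; available to subclasses)
     * @param samlRegisteredService                            the registered service (unused here; available to subclasses)
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade (unused here; available to subclasses)
     * @param keyEncryptionParameters                          key-transport parameters
     * @param dataEncryptionParameters                         data-encryption parameters
     * @return a new encrypter
     */
    protected Encrypter getEncrypter(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, KeyEncryptionParameters keyEncryptionParameters, DataEncryptionParameters dataEncryptionParameters) {
        final Encrypter encrypter = new Encrypter(dataEncryptionParameters, keyEncryptionParameters);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);
        return encrypter;
    }

    /**
     * Builds the data-encryption parameters; the algorithm is fixed to
     * {@value #DEFAULT_DATA_ENCRYPTION_ALGORITHM} regardless of the configured override lists.
     * Override to choose a different algorithm per object or per service.
     *
     * @param obj                                              the SAML object to be encrypted (unused here; available to subclasses)
     * @param samlRegisteredService                            the registered service (unused here; available to subclasses)
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade (unused here; available to subclasses)
     * @return data-encryption parameters
     */
    protected DataEncryptionParameters getDataEncryptionParameters(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        final DataEncryptionParameters dataEncryptionParameters = new DataEncryptionParameters();
        dataEncryptionParameters.setAlgorithm(DEFAULT_DATA_ENCRYPTION_ALGORITHM);
        return dataEncryptionParameters;
    }

    /**
     * Builds the key-transport parameters for the resolved SP credential; the
     * algorithm is fixed to {@value #DEFAULT_KEY_ENCRYPTION_ALGORITHM}.
     *
     * @param obj                                              the SAML object to be encrypted (unused here; available to subclasses)
     * @param samlRegisteredService                            the registered service (unused here; available to subclasses)
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade; its entity id becomes the recipient
     * @param credential                                       the SP's encryption credential
     * @return key-encryption parameters
     */
    protected KeyEncryptionParameters getKeyEncryptionParameters(Object obj, SamlRegisteredService samlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, Credential credential) {
        final KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
        keyEncryptionParameters.setRecipient(samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
        keyEncryptionParameters.setEncryptionCredential(credential);
        keyEncryptionParameters.setAlgorithm(DEFAULT_KEY_ENCRYPTION_ALGORITHM);
        return keyEncryptionParameters;
    }

    /**
     * Resolves the SP's encryption credential from its metadata.
     *
     * <p>The lookup is restricted to the {@code SPSSODescriptor} role of the given
     * entity id, to credentials usable for encryption, and to the algorithm
     * configuration built by {@link #buildEncryptionConfiguration()}.
     *
     * @param str                                              the SP entity id
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata facade
     * @param samlRegisteredService                            the registered service (unused here; available to subclasses)
     * @return the resolved credential, or {@code null} if the metadata yields none
     * @throws Exception if the resolver cannot be initialized or resolution fails
     */
    protected Credential getKeyEncryptionCredential(String str, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, SamlRegisteredService samlRegisteredService) throws Exception {
        final EncryptionConfiguration encryptionConfiguration = buildEncryptionConfiguration();

        final MetadataCredentialResolver metadataCredentialResolver = new MetadataCredentialResolver();
        metadataCredentialResolver.setKeyInfoCredentialResolver(buildKeyInfoCredentialResolver());
        // requireValidMetadata is passed straight through to the role-descriptor resolver.
        metadataCredentialResolver.setRoleDescriptorResolver(SamlIdPUtils.getRoleDescriptorResolver(samlRegisteredServiceServiceProviderMetadataFacade, this.samlIdPProperties.getMetadata().isRequireValidMetadata()));
        metadataCredentialResolver.initialize();

        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EncryptionConfigurationCriterion(encryptionConfiguration));
        criteriaSet.add(new EntityIdCriterion(str));
        criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", str);
        return metadataCredentialResolver.resolveSingle(criteriaSet);
    }

    /**
     * Starts from OpenSAML's default encryption configuration and applies any
     * non-empty override list from {@link SamlIdPProperties}.
     *
     * @return the (possibly narrowed) encryption configuration
     */
    private EncryptionConfiguration buildEncryptionConfiguration() {
        final EncryptionConfiguration config = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();

        final List<String> blacklisted = this.samlIdPProperties.getAlgs().getOverrideBlackListedEncryptionAlgorithms();
        if (isNotEmpty(blacklisted)) {
            config.setBlacklistedAlgorithms(blacklisted);
        }
        final List<String> whitelisted = this.samlIdPProperties.getAlgs().getOverrideWhiteListedAlgorithms();
        if (isNotEmpty(whitelisted)) {
            config.setWhitelistedAlgorithms(whitelisted);
        }
        final List<String> dataAlgorithms = this.samlIdPProperties.getAlgs().getOverrideDataEncryptionAlgorithms();
        if (isNotEmpty(dataAlgorithms)) {
            config.setDataEncryptionAlgorithms(dataAlgorithms);
        }
        final List<String> keyAlgorithms = this.samlIdPProperties.getAlgs().getOverrideKeyEncryptionAlgorithms();
        if (isNotEmpty(keyAlgorithms)) {
            config.setKeyTransportEncryptionAlgorithms(keyAlgorithms);
        }

        LOGGER.debug("Encryption blacklisted algorithms: [{}]", config.getBlacklistedAlgorithms());
        LOGGER.debug("Encryption key algorithms: [{}]", config.getKeyTransportEncryptionAlgorithms());
        LOGGER.debug("Encryption data algorithms: [{}]", config.getDataEncryptionAlgorithms());
        LOGGER.debug("Encryption whitelisted algorithms: [{}]", config.getWhitelistedAlgorithms());
        return config;
    }

    /**
     * Builds the {@code KeyInfo} resolver that understands the key representations
     * accepted from SP metadata: RSA/DSA key values, inline X.509 data,
     * DER-encoded key values and {@code KeyInfoReference}s.
     *
     * @return a provider-based key-info credential resolver
     */
    private static BasicProviderKeyInfoCredentialResolver buildKeyInfoCredentialResolver() {
        final List<KeyInfoProvider> providers = new ArrayList<>();
        providers.add(new RSAKeyValueProvider());
        providers.add(new DSAKeyValueProvider());
        providers.add(new InlineX509DataProvider());
        providers.add(new DEREncodedKeyValueProvider());
        providers.add(new KeyInfoReferenceProvider());
        return new BasicProviderKeyInfoCredentialResolver(providers);
    }

    /**
     * Null-safe emptiness check for the optional override lists.
     *
     * @param values the list, possibly {@code null}
     * @return {@code true} when the list is non-null and has at least one element
     */
    private static boolean isNotEmpty(final List<String> values) {
        return values != null && !values.isEmpty();
    }

    /**
     * Creates the encrypter.
     *
     * @param samlIdPProperties the IdP properties supplying algorithm overrides and metadata settings
     */
    @Generated
    public SamlIdPObjectEncrypter(SamlIdPProperties samlIdPProperties) {
        this.samlIdPProperties = samlIdPProperties;
    }
}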
