package org.apereo.cas.support.saml.web.idp.profile.builders.enc;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.util.crypto.PrivateKeyFactoryBean;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.metadata.resolver.impl.BasicRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.io.FileSystemResource;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/enc/SamlObjectEncrypter.class */
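/**
 * Encrypts SAML 2 assertions for a registered service provider.
 * <p>
 * The key-transport credential is resolved from the SP's metadata: the
 * {@code SPSSODescriptor} role of the requested entity id, restricted to
 * key descriptors whose usage is {@link UsageType#ENCRYPTION}. The data
 * encryption and key-transport algorithms are the constants declared below;
 * subclasses may change them by overriding
 * {@link #getDataEncryptionParameters} / {@link #getKeyEncryptionParameters}.
 * <p>
 * NOTE(review): the {@code override*Algorithms} lists shape the
 * {@link EncryptionConfiguration} handed to the credential resolver and are
 * checked against the algorithm actually chosen here, but they do not
 * themselves select an algorithm. Honouring the SP's advertised
 * {@code EncryptionMethod} would require resolving EncryptionParameters via an
 * OpenSAML parameters resolver; that is not done in this class.
 */
public class SamlObjectEncrypter {
    /**
     * Default content-encryption algorithm for the assertion body.
     * <p>
     * Security caveat: AES-CBC under XML Encryption is exposed to padding-oracle
     * attacks on the decrypting side (Jager &amp; Somorovsky, CCS 2011). Prefer an
     * AES-GCM URI where the SP supports it; CBC is kept as the default only because
     * many SPs still accept nothing else.
     */
    protected static final String DEFAULT_DATA_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";

    /** Default key-transport algorithm (RSA-OAEP with MGF1) used to wrap the data key for the SP. */
    protected static final String DEFAULT_KEY_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    protected transient Logger logger = LoggerFactory.getLogger(getClass());

    /** Optional replacement for the default list of data-encryption algorithm URIs. */
    protected List<String> overrideDataEncryptionAlgorithms;
    /** Optional replacement for the default list of key-transport algorithm URIs. */
    protected List<String> overrideKeyEncryptionAlgorithms;
    /** Optional replacement for the default algorithm blacklist. */
    protected List<String> overrideBlackListedEncryptionAlgorithms;
    /** Optional replacement for the default algorithm whitelist. */
    protected List<String> overrideWhiteListedAlgorithms;

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Encrypts the given assertion for the SP described by the metadata facade.
     *
     * @param assertion                 the assertion to encrypt
     * @param samlRegisteredService     the registered service being served
     * @param samlRegisteredServiceServiceProviderMetadataFacade SP metadata facade; its entity id selects the encryption key
     * @param httpServletResponse       current response (unused here; presumably available for subclass hooks)
     * @param httpServletRequest        current request (unused here; presumably available for subclass hooks)
     * @return the encrypted assertion
     * @throws SamlException wrapping any failure, including an unresolvable SP encryption key
     *                       or an algorithm rejected by the configured black/whitelist
     */
    public EncryptedAssertion encode(final Assertion assertion,
                                     final SamlRegisteredService samlRegisteredService,
                                     final SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade,
                                     final HttpServletResponse httpServletResponse,
                                     final HttpServletRequest httpServletRequest) throws SamlException {
        try {
            final String peerEntityId = samlRegisteredServiceServiceProviderMetadataFacade.getEntityId();
            this.logger.debug("Attempting to encrypt [{}] for [{}]", assertion.getClass().getName(), peerEntityId);

            final Credential peerCredential = getKeyEncryptionCredential(peerEntityId,
                    samlRegisteredServiceServiceProviderMetadataFacade, samlRegisteredService);
            final KeyEncryptionParameters keyEncryptionParameters = getKeyEncryptionParameters(assertion,
                    samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade, peerCredential);
            this.logger.debug("Key encryption algorithm for [{}] is [{}]",
                    keyEncryptionParameters.getRecipient(), keyEncryptionParameters.getAlgorithm());

            final DataEncryptionParameters dataEncryptionParameters = getDataEncryptionParameters(assertion,
                    samlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
            this.logger.debug("Data encryption algorithm for [{}] is [{}]", peerEntityId, dataEncryptionParameters.getAlgorithm());

            final Encrypter encrypter = getEncrypter(assertion, samlRegisteredService,
                    samlRegisteredServiceServiceProviderMetadataFacade, keyEncryptionParameters, dataEncryptionParameters);
            this.logger.debug("Attempting to encrypt [{}] for [{}] with key placement of [{}]",
                    new Object[]{assertion.getClass().getName(), peerEntityId, encrypter.getKeyPlacement()});
            return encrypter.encrypt(assertion);
        } catch (final Exception e) {
            // Preserve the cause so the underlying OpenSAML/resolution error stays diagnosable.
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Builds the OpenSAML encrypter for the given parameters.
     * <p>
     * Key placement {@code PEER} places the {@code EncryptedKey} as a sibling of the
     * {@code EncryptedData} inside the {@code EncryptedAssertion} rather than inline
     * in its {@code KeyInfo}.
     */
    protected Encrypter getEncrypter(final Assertion assertion,
                                     final SamlRegisteredService samlRegisteredService,
                                     final SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade,
                                     final KeyEncryptionParameters keyEncryptionParameters,
                                     final DataEncryptionParameters dataEncryptionParameters) {
        final Encrypter encrypter = new Encrypter(dataEncryptionParameters, keyEncryptionParameters);
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);
        return encrypter;
    }

    /**
     * Data-encryption parameters for the assertion body.
     *
     * @return parameters using {@link #DEFAULT_DATA_ENCRYPTION_ALGORITHM}
     * @throws IllegalStateException if that algorithm is rejected by the configured black/whitelist
     */
    protected DataEncryptionParameters getDataEncryptionParameters(final Assertion assertion,
                                                                   final SamlRegisteredService samlRegisteredService,
                                                                   final SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade) {
        assertAlgorithmPermitted(DEFAULT_DATA_ENCRYPTION_ALGORITHM);
        final DataEncryptionParameters dataEncryptionParameters = new DataEncryptionParameters();
        dataEncryptionParameters.setAlgorithm(DEFAULT_DATA_ENCRYPTION_ALGORITHM);
        return dataEncryptionParameters;
    }

    /**
     * Key-transport parameters wrapping the data key for the SP.
     *
     * @param credential the SP's encryption credential resolved from metadata; must not be null
     * @return parameters addressed to the SP entity id using {@link #DEFAULT_KEY_ENCRYPTION_ALGORITHM}
     * @throws IllegalArgumentException if {@code credential} is null
     * @throws IllegalStateException    if the algorithm is rejected by the configured black/whitelist
     */
    protected KeyEncryptionParameters getKeyEncryptionParameters(final Assertion assertion,
                                                                 final SamlRegisteredService samlRegisteredService,
                                                                 final SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade,
                                                                 final Credential credential) {
        if (credential == null) {
            throw new IllegalArgumentException("Key encryption credential must not be null");
        }
        assertAlgorithmPermitted(DEFAULT_KEY_ENCRYPTION_ALGORITHM);
        final KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
        keyEncryptionParameters.setRecipient(samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
        keyEncryptionParameters.setEncryptionCredential(credential);
        keyEncryptionParameters.setAlgorithm(DEFAULT_KEY_ENCRYPTION_ALGORITHM);
        return keyEncryptionParameters;
    }

    /**
     * Resolves the SP's encryption credential from its metadata.
     * <p>
     * The key is parsed from the {@code KeyInfo} of the SP's encryption
     * {@code KeyDescriptor} (inline X509Data / KeyValue). A static resolver
     * returning this IdP's own credential is deliberately not used here: it would
     * hand back the same fixed credential for every KeyInfo, so the assertion
     * would be encrypted to the IdP's key rather than the SP's.
     *
     * @param str the SP entity id to resolve
     * @return the resolved credential, never null
     * @throws IllegalStateException if no encryption credential is published for the entity id
     * @throws Exception             on resolver initialization or resolution failure
     */
    protected Credential getKeyEncryptionCredential(final String str,
                                                    final SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade,
                                                    final SamlRegisteredService samlRegisteredService) throws Exception {
        final EncryptionConfiguration encryptionConfiguration = buildEncryptionConfiguration();

        final MetadataCredentialResolver metadataCredentialResolver = new MetadataCredentialResolver();
        metadataCredentialResolver.setKeyInfoCredentialResolver(
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        final BasicRoleDescriptorResolver roleDescriptorResolver =
                new BasicRoleDescriptorResolver(samlRegisteredServiceServiceProviderMetadataFacade.getMetadataResolver());
        roleDescriptorResolver.initialize();
        metadataCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
        metadataCredentialResolver.initialize();

        // Only the SP role of this entity, and only keys it marks for encryption.
        final CriteriaSet criteriaSet = new CriteriaSet();
        criteriaSet.add(new EncryptionConfigurationCriterion(encryptionConfiguration));
        criteriaSet.add(new EntityIdCriterion(str));
        criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        this.logger.debug("Attempting to resolve the encryption key for entity id [{}]", str);

        final Credential credential = metadataCredentialResolver.resolveSingle(criteriaSet);
        if (credential == null) {
            // Fail here with a clear message instead of letting the Encrypter choke on a null credential later.
            throw new IllegalStateException("No encryption credential could be resolved from metadata for entity id [" + str + ']');
        }
        return credential;
    }

    /**
     * Builds the OpenSAML default encryption configuration, applying any
     * configured override lists (each list replaces the default wholesale).
     */
    private EncryptionConfiguration buildEncryptionConfiguration() {
        final EncryptionConfiguration configuration = DefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();
        if (isNotEmpty(this.overrideBlackListedEncryptionAlgorithms)) {
            configuration.setBlacklistedAlgorithms(this.overrideBlackListedEncryptionAlgorithms);
        }
        if (isNotEmpty(this.overrideWhiteListedAlgorithms)) {
            configuration.setWhitelistedAlgorithms(this.overrideWhiteListedAlgorithms);
        }
        if (isNotEmpty(this.overrideDataEncryptionAlgorithms)) {
            configuration.setDataEncryptionAlgorithms(this.overrideDataEncryptionAlgorithms);
        }
        if (isNotEmpty(this.overrideKeyEncryptionAlgorithms)) {
            configuration.setKeyTransportEncryptionAlgorithms(this.overrideKeyEncryptionAlgorithms);
        }
        this.logger.debug("Encryption blacklisted algorithms: [{}]", configuration.getBlacklistedAlgorithms());
        this.logger.debug("Encryption key algorithms: [{}]", configuration.getKeyTransportEncryptionAlgorithms());
        this.logger.debug("Encryption data algorithms: [{}]", configuration.getDataEncryptionAlgorithms());
        this.logger.debug("Encryption whitelisted algorithms: {}", configuration.getWhitelistedAlgorithms());
        return configuration;
    }

    /**
     * Rejects an algorithm URI that the configured override lists forbid.
     * <p>
     * Conservative on purpose: a blacklisted algorithm is rejected, and when a
     * whitelist is configured anything outside it is rejected too. Without
     * override lists nothing is rejected, which keeps the previous behaviour.
     *
     * @throws IllegalStateException if the algorithm is not permitted
     */
    private void assertAlgorithmPermitted(final String algorithm) {
        if (isNotEmpty(this.overrideBlackListedEncryptionAlgorithms)
                && this.overrideBlackListedEncryptionAlgorithms.contains(algorithm)) {
            throw new IllegalStateException("Encryption algorithm [" + algorithm + "] is blacklisted by configuration");
        }
        if (isNotEmpty(this.overrideWhiteListedAlgorithms)
                && !this.overrideWhiteListedAlgorithms.contains(algorithm)) {
            throw new IllegalStateException("Encryption algorithm [" + algorithm + "] is not in the configured whitelist");
        }
    }

    /** True when the list is non-null and has at least one entry. */
    private static boolean isNotEmpty(final List<String> list) {
        return list != null && !list.isEmpty();
    }

    /**
     * Reads this IdP's own encryption certificate from the configured file.
     * Not used by the SP credential resolution above; retained for subclasses.
     */
    protected X509Certificate getEncryptionCertificate() {
        final String certFile = this.casProperties.getAuthn().getSamlIdp().getMetadata().getEncryptionCertFile();
        this.logger.debug("Locating encryption certificate file from [{}]", certFile);
        return SamlUtils.readCertificate(new FileSystemResource(certFile));
    }

    /**
     * Reads this IdP's own encryption private key from the configured file.
     * A fresh, non-singleton factory is built per call, so the key is re-read from
     * disk each time. Not used by the SP credential resolution above; retained for
     * subclasses.
     */
    protected PrivateKey getEncryptionPrivateKey() throws Exception {
        final String keyFile = this.casProperties.getAuthn().getSamlIdp().getMetadata().getEncryptionKeyFile();
        final PrivateKeyFactoryBean privateKeyFactoryBean = new PrivateKeyFactoryBean();
        privateKeyFactoryBean.setLocation(new FileSystemResource(keyFile));
        privateKeyFactoryBean.setAlgorithm(this.casProperties.getAuthn().getSamlIdp().getMetadata().getPrivateKeyAlgName());
        privateKeyFactoryBean.setSingleton(false);
        this.logger.debug("Locating encryption key file from [{}]", keyFile);
        return (PrivateKey) privateKeyFactoryBean.getObject();
    }

    public void setOverrideDataEncryptionAlgorithms(final List<String> list) {
        this.overrideDataEncryptionAlgorithms = list;
    }

    public void setOverrideKeyEncryptionAlgorithms(final List<String> list) {
        this.overrideKeyEncryptionAlgorithms = list;
    }

    public void setOverrideBlackListedEncryptionAlgorithms(final List<String> list) {
        this.overrideBlackListedEncryptionAlgorithms = list;
    }

    public void setOverrideWhiteListedAlgorithms(final List<String> list) {
        this.overrideWhiteListedAlgorithms = list;
    }
}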
