package org.apereo.cas.support.wsfederation;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.Security;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.provider.X509CertParser;
import org.bouncycastle.jce.provider.X509CertificateObject;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml.saml1.core.AuthenticationStatement;
import org.opensaml.saml.saml1.core.Conditions;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.soap.wsfed.RequestSecurityTokenResponse;
import org.opensaml.soap.wsfed.RequestedSecurityToken;
import org.opensaml.xmlsec.encryption.EncryptedData;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apereo/cas/support/wsfederation/WsFederationHelper.class */
public class WsFederationHelper {
    // Class-wide SLF4J logger. Several methods in this class log token and assertion
    // content at DEBUG level, so the effective level of this logger decides whether
    // that material reaches the log files.
    private static final Logger LOGGER = LoggerFactory.getLogger(WsFederationHelper.class);
    // OpenSAML configuration holder. It supplies the parser pool and the unmarshaller
    // factory used when parsing tokens, and is passed to SamlUtils.logSamlObject.
    // Assigned through setConfigBean; the methods that read it do not null-check it.
    private OpenSamlConfigBean configBean;

    /**
     * Builds a {@link WsFederationCredential} from the fields of a SAML 1.x assertion.
     *
     * <p>This method only copies data. It performs no signature, issuer, audience or
     * validity-window check, so the returned credential is exactly as trustworthy as the
     * assertion handed in; the signature check in this class is
     * {@link #validateSignature(Pair)}.
     *
     * @param assertion the assertion to read; its issue instant is dereferenced unconditionally
     * @return a credential carrying the id, issuer, timestamps, audience, authentication
     *         method and attributes found on the assertion
     */
    public WsFederationCredential createCredentialFromToken(Assertion assertion) {
        ZonedDateTime retrievedOn = ZonedDateTime.now();
        LOGGER.debug("Retrieved on [{}]", retrievedOn);

        WsFederationCredential credential = new WsFederationCredential();
        credential.setRetrievedOn(retrievedOn);
        credential.setId(assertion.getID());
        credential.setIssuer(assertion.getIssuer());
        credential.setIssuedOn(ZonedDateTime.parse(assertion.getIssueInstant().toDateTimeISO().toString()));

        Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            // NotBefore and NotOnOrAfter are dereferenced without a null check: a Conditions
            // element lacking either one throws NullPointerException here rather than
            // producing a credential without a validity window.
            credential.setNotBefore(ZonedDateTime.parse(conditions.getNotBefore().toDateTimeISO().toString()));
            credential.setNotOnOrAfter(ZonedDateTime.parse(conditions.getNotOnOrAfter().toDateTimeISO().toString()));
            if (!conditions.getAudienceRestrictionConditions().isEmpty()) {
                // Only the first audience of the first restriction condition is recorded;
                // any further audiences or conditions are ignored. A restriction with an
                // empty audience list makes get(0) fail.
                AudienceRestrictionCondition firstRestriction =
                    (AudienceRestrictionCondition) conditions.getAudienceRestrictionConditions().get(0);
                Audience firstAudience = (Audience) firstRestriction.getAudiences().get(0);
                credential.setAudience(firstAudience.getUri());
            }
        }

        if (!assertion.getAuthenticationStatements().isEmpty()) {
            // Only the first authentication statement contributes the authentication method.
            AuthenticationStatement firstStatement =
                (AuthenticationStatement) assertion.getAuthenticationStatements().get(0);
            credential.setAuthenticationMethod(firstStatement.getAuthenticationMethod());
        }

        // Raw types are kept as the decompiler produced them.
        HashMap attributes = new HashMap();
        assertion.getAttributeStatements().stream()
            .flatMap(statement -> statement.getAttributes().stream())
            .forEach(attribute -> {
                LOGGER.debug("Processed attribute: [{}]", attribute.getAttributeName());
                // Every value is cast to XSAny; a value of another type raises ClassCastException.
                List values = attribute.getAttributeValues().stream()
                    .map(value -> ((XSAny) value).getTextContent())
                    .collect(Collectors.toList());
                if (!values.isEmpty()) {
                    // Keyed by attribute name only: a later attribute with the same name
                    // replaces the values stored for an earlier one.
                    attributes.put(attribute.getAttributeName(), values);
                }
            });
        credential.setAttributes(attributes);

        // NOTE(review): what this line writes depends on WsFederationCredential#toString;
        // confirm it does not dump attribute values that should stay out of debug logs.
        LOGGER.debug("Credential: [{}]", credential);
        return credential;
    }

    /* JADX WARN: Failed to calculate best type for var: r7v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.calculateFromBounds(FixTypesVisitor.java:156)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.setBestType(FixTypesVisitor.java:133)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.deduceType(FixTypesVisitor.java:238)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.tryDeduceTypes(FixTypesVisitor.java:221)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Failed to calculate best type for var: r7v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.calculateFromBounds(TypeInferenceVisitor.java:145)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.setBestType(TypeInferenceVisitor.java:123)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.lambda$runTypePropagation$2(TypeInferenceVisitor.java:101)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.runTypePropagation(TypeInferenceVisitor.java:101)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.visit(TypeInferenceVisitor.java:75)
     */
    /* JADX WARN: Failed to calculate best type for var: r8v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.calculateFromBounds(FixTypesVisitor.java:156)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.setBestType(FixTypesVisitor.java:133)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.deduceType(FixTypesVisitor.java:238)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.tryDeduceTypes(FixTypesVisitor.java:221)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Failed to calculate best type for var: r8v0 ??
    java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.InsnArg.getType()" because "changeArg" is null
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.moveListener(TypeUpdate.java:439)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.runListeners(TypeUpdate.java:232)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.requestUpdate(TypeUpdate.java:212)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeForSsaVar(TypeUpdate.java:183)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.updateTypeChecked(TypeUpdate.java:112)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:83)
    	at jadx.core.dex.visitors.typeinference.TypeUpdate.apply(TypeUpdate.java:56)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.calculateFromBounds(TypeInferenceVisitor.java:145)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.setBestType(TypeInferenceVisitor.java:123)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.lambda$runTypePropagation$2(TypeInferenceVisitor.java:101)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.runTypePropagation(TypeInferenceVisitor.java:101)
    	at jadx.core.dex.visitors.typeinference.TypeInferenceVisitor.visit(TypeInferenceVisitor.java:75)
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.RegisterArg.getSVar()" because the return value of "jadx.core.dex.nodes.InsnNode.getResult()" is null
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.collectRelatedVars(AbstractTypeConstraint.java:31)
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.<init>(AbstractTypeConstraint.java:19)
    	at jadx.core.dex.visitors.typeinference.TypeSearch$1.<init>(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeMoveConstraint(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeConstraint(TypeSearch.java:361)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.collectConstraints(TypeSearch.java:341)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.run(TypeSearch.java:60)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.runMultiVariableSearch(FixTypesVisitor.java:116)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Not initialized variable reg: 7, insn: 0x011b: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r7 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:43:0x011b */
    /* JADX WARN: Not initialized variable reg: 8, insn: 0x011f: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r8 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:45:0x011f */
    /* JADX WARN: Type inference failed for: r7v0, types: [java.io.InputStream] */
    /* JADX WARN: Type inference failed for: r8v0, types: [java.lang.Throwable] */
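    /**
     * Parses the WS-Federation result string into a request security token response and
     * returns the first requested security token it carries.
     *
     * <p>The input is the raw token as received and must be treated as untrusted. Nothing
     * here verifies a signature; this method only parses and unmarshals.
     *
     * <p>XML parsing is delegated to the parser pool of the configured
     * {@link OpenSamlConfigBean}. NOTE(review): protection against DTDs and external
     * entities therefore depends on how that parser pool is configured, which is not
     * visible in this class; confirm it is hardened.
     *
     * @param str the raw token response; a {@code null} value ends up in the catch block
     * @return the first requested security token, or {@code null} when the input cannot be
     *         parsed, is not a request security token response, or carries no security
     *         token (the cause is logged at error level); callers must null-check
     */
    public RequestedSecurityToken getRequestSecurityTokenFromResult(String str) {
        // NOTE(review): this writes the complete token to the debug log. Depending on the
        // deployment it contains the assertion and its attributes, so debug logging for
        // this class should stay off wherever log files are widely readable.
        LOGGER.debug("Result token received from ADFS is [{}]", str);
        // try-with-resources replaces the decompiled close logic, which contained an
        // unreachable "0 != 0" branch and did not close the stream on the failure paths.
        try (ByteArrayInputStream tokenStream = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))) {
            LOGGER.debug("Parsing token into a document");
            Element documentElement = this.configBean.getParserPool().parse(tokenStream).getDocumentElement();
            Unmarshaller unmarshaller = this.configBean.getUnmarshallerFactory().getUnmarshaller(documentElement);
            if (unmarshaller == null) {
                throw new IllegalArgumentException("Unmarshaller for the metadata root element cannot be determined");
            }
            LOGGER.debug("Unmarshalling the document into a security token response");
            XMLObject unmarshalled = unmarshaller.unmarshall(documentElement);
            // The root element is chosen by the sender; check its type explicitly instead
            // of relying on a ClassCastException from a blind cast.
            if (!(unmarshalled instanceof RequestSecurityTokenResponse)) {
                throw new IllegalArgumentException("Unmarshalled document is not a request security token response");
            }
            RequestSecurityTokenResponse response = (RequestSecurityTokenResponse) unmarshalled;
            if (response.getRequestedSecurityToken() == null) {
                throw new IllegalArgumentException("Request security token response is null");
            }
            LOGGER.debug("Locating list of requested security tokens");
            List<RequestedSecurityToken> requestedTokens = response.getRequestedSecurityToken();
            if (requestedTokens.isEmpty()) {
                throw new IllegalArgumentException("No requested security token response is provided in the response");
            }
            LOGGER.debug("Locating the first occurrence of a requested security token in the list");
            // Only the first requested token is used; any further ones are ignored.
            RequestedSecurityToken firstToken = requestedTokens.get(0);
            if (firstToken.getSecurityTokens() == null || firstToken.getSecurityTokens().isEmpty()) {
                throw new IllegalArgumentException("Requested security token response is not carrying any security tokens");
            }
            return firstToken;
        } catch (Exception e) {
            // Every failure, including the IllegalArgumentExceptions thrown above, is
            // reported as a null result after being logged.
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }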

    /**
     * Extracts (and, if needed, decrypts) the assertion from the requested security token
     * and pairs it with the configuration whose identity provider identifier equals the
     * assertion's issuer.
     *
     * <p>Despite the name, no signature or validity check happens in this method. The
     * configuration is selected from the issuer value claimed inside the assertion, which
     * is unauthenticated at this point; the pair must still pass
     * {@link #validateSignature(Pair)} before the assertion is trusted.
     *
     * @param requestedSecurityToken the token holding the (possibly encrypted) assertion
     * @param collection the candidate configurations
     * @return the assertion together with the first configuration matching its issuer
     * @throws IllegalArgumentException if no assertion can be extracted or decrypted, or if
     *         no configuration matches the issuer
     */
    public Pair<Assertion, WsFederationConfiguration> buildAndVerifyAssertion(RequestedSecurityToken requestedSecurityToken, Collection<WsFederationConfiguration> collection) {
        XMLObject securityToken = getSecurityTokenFromRequestedToken(requestedSecurityToken, collection);
        if (!(securityToken instanceof Assertion)) {
            throw new IllegalArgumentException("Could not extract or decrypt an assertion based on the security token provided");
        }
        LOGGER.debug("Security token is an assertion.");
        Assertion assertion = (Assertion) securityToken;
        LOGGER.debug("Extracted assertion successfully: [{}]", assertion);

        // Exact, case-sensitive comparison; the first matching configuration wins.
        for (WsFederationConfiguration candidate : collection) {
            if (candidate.getIdentityProviderIdentifier().equals(assertion.getIssuer())) {
                return Pair.of(assertion, candidate);
            }
        }
        throw new IllegalArgumentException("Could not locate wsfed configuration for security token provided");
    }

    /**
     * Returns the first security token of the requested token, decrypting it first when it
     * is an {@link EncryptedData} element.
     *
     * <p>Decryption is attempted with each configuration in iteration order until one
     * succeeds. A failed attempt is logged at debug level only, so a key mismatch stays
     * invisible unless debug logging is enabled; only the final failure raises an exception.
     * Each attempt calls {@code buildAssertionDecrypter}, which loads the encryption
     * credential for that configuration again.
     *
     * @param requestedSecurityToken the token to read
     * @param collection the configurations whose encryption credentials are tried
     * @return the plain or decrypted security token
     * @throws IllegalArgumentException if the token is encrypted and no configuration can
     *         decrypt it
     */
    private XMLObject getSecurityTokenFromRequestedToken(RequestedSecurityToken requestedSecurityToken, Collection<WsFederationConfiguration> collection) {
        LOGGER.debug("Locating the first occurrence of a security token from the requested security token");
        XMLObject securityToken = getAssertionFromSecurityToken(requestedSecurityToken);
        if (!(securityToken instanceof EncryptedData)) {
            // An unencrypted token is returned as found.
            return securityToken;
        }

        LOGGER.debug("Security token is encrypted. Attempting to decrypt to extract the assertion");
        EncryptedData encryptedData = (EncryptedData) securityToken;
        for (WsFederationConfiguration candidate : collection) {
            try {
                Decrypter decrypter = buildAssertionDecrypter(candidate);
                LOGGER.debug("Built an instance of [{}]", decrypter.getClass().getName());
                XMLObject decrypted = decrypter.decryptData(encryptedData);
                LOGGER.debug("Decrypted assertion successfully");
                return decrypted;
            } catch (Exception e) {
                // Deliberate best effort: move on to the next configuration.
                LOGGER.debug(e.getMessage(), e);
            }
        }
        throw new IllegalArgumentException("Could not extract or decrypt an assertion based on the security token provided");
    }

    /**
     * Returns the first security token carried by the requested security token.
     *
     * <p>No emptiness or null check is made here: a token without security tokens makes
     * this call fail. {@link #getRequestSecurityTokenFromResult(String)} rejects such
     * tokens, but this method is public and can be reached without going through it.
     *
     * @param requestedSecurityToken the token to read
     * @return the first contained security token, which may still be encrypted
     */
    public XMLObject getAssertionFromSecurityToken(RequestedSecurityToken requestedSecurityToken) {
        List<?> securityTokens = requestedSecurityToken.getSecurityTokens();
        return (XMLObject) securityTokens.get(0);
    }

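    /**
     * Checks the XML signature of the assertion against the signing credentials of the
     * configuration it is paired with.
     *
     * <p>The result is {@code false} when the pair or either part is {@code null}, when the
     * assertion is unsigned, when SAML signature profile validation fails, or when the
     * trust engine does not accept the signature. Only the signature is checked here;
     * issuer, audience and validity window are outside this method.
     *
     * @param pair the assertion and the configuration selected for it
     * @return {@code true} only if the trust engine validated the signature
     * @throws RuntimeException if the trust engine cannot be built from the configuration
     */
    public boolean validateSignature(Pair<Assertion, WsFederationConfiguration> pair) {
        if (pair == null || pair.getKey() == null || pair.getValue() == null) {
            LOGGER.warn("No assertion or its configuration was provided to validate signatures");
            return false;
        }
        Assertion assertion = pair.getKey();
        WsFederationConfiguration configuration = pair.getValue();
        boolean valid = false;
        Signature signature = assertion.getSignature();
        if (signature == null) {
            // The decompiled code failed closed here without a trace; an unsigned assertion
            // reaching this point is worth a log line for whoever reviews authentication
            // failures.
            LOGGER.warn("Assertion carries no signature; signature validation fails");
        } else {
            try {
                // SAML signature profile validation runs before the cryptographic check; a
                // SignatureException from it is treated as an invalid signature.
                new SAMLSignatureProfileValidator().validate(signature);
                CriteriaSet criteriaSet = new CriteriaSet();
                criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
                criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
                // NOTE(review): the protocol criterion names the SAML 2.0 protocol although
                // the assertion type is SAML 1.x; with resolvers built from a static signing
                // wallet this presumably has no filtering effect — confirm.
                criteriaSet.add(new ProtocolCriterion("urn:oasis:names:tc:SAML:2.0:protocol"));
                criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier()));
                // try/catch/finally restores the structure the decompiler had unrolled into
                // three copies of the same error log.
                try {
                    valid = buildSignatureTrustEngine(configuration).validate(signature, criteriaSet);
                } catch (SecurityException e) {
                    LOGGER.warn(e.getMessage(), e);
                } finally {
                    if (!valid) {
                        LOGGER.error("Signature doesn't match any signing credential.");
                    }
                }
            } catch (SignatureException e) {
                LOGGER.error("Failed to validate assertion signature", e);
            }
        }
        // Runs for valid and invalid assertions alike; what it writes is decided by
        // SamlUtils.logSamlObject.
        SamlUtils.logSamlObject(this.configBean, assertion);
        return valid;
    }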

    /**
     * Creates the trust engine used to validate assertion signatures for one configuration.
     *
     * <p>Both resolvers handed to the engine are built from the configuration's signing
     * wallet, so the set of acceptable signing credentials comes from local configuration.
     * NOTE(review): this presumably means key material embedded in the message is not a
     * trust source — confirm against the OpenSAML version in use.
     *
     * @param wsFederationConfiguration the configuration supplying the signing wallet
     * @return a trust engine bound to the configured signing credentials
     * @throws RuntimeException wrapping any failure while reading the wallet or building
     *         the engine
     */
    private static SignatureTrustEngine buildSignatureTrustEngine(WsFederationConfiguration wsFederationConfiguration) {
        try {
            List<Credential> trustedSigningCredentials = wsFederationConfiguration.getSigningWallet();
            StaticCredentialResolver credentialResolver = new StaticCredentialResolver(trustedSigningCredentials);
            StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(trustedSigningCredentials);
            return new ExplicitKeySignatureTrustEngine(credentialResolver, keyInfoResolver);
        } catch (Exception failure) {
            throw new RuntimeException(failure.getMessage(), failure);
        }
    }

    /**
     * Sets the OpenSAML configuration holder used by this helper.
     *
     * <p>The value is stored as given, without a null check. Token parsing in
     * {@link #getRequestSecurityTokenFromResult(String)} reads the parser pool and the
     * unmarshaller factory from it.
     *
     * @param openSamlConfigBean the configuration holder to use
     */
    public void setConfigBean(OpenSamlConfigBean openSamlConfigBean) {
        this.configBean = openSamlConfigBean;
    }

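    /**
     * Loads the credential used to decrypt assertions: the private key from the configured
     * PEM resource and the configured X.509 certificate.
     *
     * <p>The key resource is read on every call, and the caller invokes this once per
     * decryption attempt. Debug logging names the key and certificate resources and the
     * certificate issuer; key material and the key password are not logged here.
     *
     * <p>NOTE(review): nothing in this method checks that the certificate's public key
     * belongs to the private key, or that the certificate is within its validity period.
     *
     * @param wsFederationConfiguration the configuration naming the key, its optional
     *        password, and the certificate
     * @return a credential holding the certificate and the private key
     * @throws RuntimeException wrapping any I/O, parsing or decryption failure, including a
     *         missing password, an unsupported PEM object or an empty certificate resource
     */
    private static Credential getEncryptionCredential(WsFederationConfiguration wsFederationConfiguration) {
        try {
            LOGGER.debug("Locating encryption credential private key [{}]", wsFederationConfiguration.getEncryptionPrivateKey());
            KeyPair keyPair;
            // The decompiled code never closed the key reader or the PEM parser; both are
            // now released on every path.
            try (BufferedReader keyReader = new BufferedReader(new InputStreamReader(
                     wsFederationConfiguration.getEncryptionPrivateKey().getInputStream(), StandardCharsets.UTF_8));
                 PEMParser pemParser = new PEMParser(keyReader)) {
                // One provider instance serves both the JVM-wide registration and the
                // converter. Security.addProvider changes global state on first use.
                BouncyCastleProvider bouncyCastle = new BouncyCastleProvider();
                Security.addProvider(bouncyCastle);
                LOGGER.debug("Parsing credential private key");
                Object pemObject = pemParser.readObject();
                JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(bouncyCastle);
                if (pemObject instanceof PEMEncryptedKeyPair) {
                    LOGGER.debug("Encryption private key is an encrypted keypair");
                    if (wsFederationConfiguration.getEncryptionPrivateKeyPassword() == null) {
                        // Previously a bare NullPointerException with no message.
                        throw new IllegalArgumentException("Encryption private key is password-protected but no password is configured");
                    }
                    PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair) pemObject;
                    PEMDecryptorProvider decryptor = new JcePEMDecryptorProviderBuilder()
                        .build(wsFederationConfiguration.getEncryptionPrivateKeyPassword().toCharArray());
                    LOGGER.debug("Attempting to decrypt the encrypted keypair based on the provided encryption private key password");
                    keyPair = converter.getKeyPair(encryptedKeyPair.decryptKeyPair(decryptor));
                } else if (pemObject instanceof PEMKeyPair) {
                    LOGGER.debug("Extracting a keypair from the private key");
                    keyPair = converter.getKeyPair((PEMKeyPair) pemObject);
                } else {
                    // An empty resource or any other PEM object type used to fail on a
                    // blind cast; report it without echoing the content.
                    throw new IllegalArgumentException("Encryption private key resource does not contain a PEM key pair");
                }
            }

            X509CertParser certificateParser = new X509CertParser();
            LOGGER.debug("Locating encryption certificate [{}]", wsFederationConfiguration.getEncryptionCertificate());
            X509CertificateObject certificate;
            // Fully qualified because java.io.InputStream is not among the file's imports.
            try (java.io.InputStream certificateStream = wsFederationConfiguration.getEncryptionCertificate().getInputStream()) {
                certificateParser.engineInit(certificateStream);
                LOGGER.debug("Invoking certificate engine to parse the certificate [{}]", wsFederationConfiguration.getEncryptionCertificate());
                certificate = (X509CertificateObject) certificateParser.engineRead();
            }
            if (certificate == null) {
                // Would otherwise surface as a NullPointerException on the next line.
                throw new IllegalArgumentException("Encryption certificate resource does not contain a certificate");
            }
            LOGGER.debug("Creating final credential based on the certificate [{}] and the private key", certificate.getIssuerDN());
            return new BasicX509Credential(certificate, keyPair.getPrivate());
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }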

    /**
     * Creates a decrypter for encrypted assertions using the encryption credential of the
     * given configuration.
     *
     * <p>The decrypter is built without a data-encryption-key resolver (the first
     * constructor argument is {@code null}); the configured credential is supplied as the
     * second argument, and encrypted keys are located through an inline, an
     * encrypted-element-type and a simple retrieval-method resolver, in that order. No
     * algorithm restrictions are set on the decrypter in this method.
     *
     * @param wsFederationConfiguration the configuration supplying the encryption credential
     * @return a decrypter that places decrypted content in a new document
     * @throws RuntimeException if the encryption credential cannot be loaded
     */
    private static Decrypter buildAssertionDecrypter(WsFederationConfiguration wsFederationConfiguration) {
        // Raw type kept as the decompiler produced it.
        ArrayList encryptedKeyResolvers = new ArrayList();
        encryptedKeyResolvers.add(new InlineEncryptedKeyResolver());
        encryptedKeyResolvers.add(new EncryptedElementTypeEncryptedKeyResolver());
        encryptedKeyResolvers.add(new SimpleRetrievalMethodEncryptedKeyResolver());
        LOGGER.debug("Built a list of encrypted key resolvers: [{}]", encryptedKeyResolvers);
        ChainingEncryptedKeyResolver keyResolverChain = new ChainingEncryptedKeyResolver(encryptedKeyResolvers);

        LOGGER.debug("Building credential instance to decrypt data");
        Credential encryptionCredential = getEncryptionCredential(wsFederationConfiguration);
        StaticKeyInfoCredentialResolver keyEncryptionKeyResolver = new StaticKeyInfoCredentialResolver(encryptionCredential);

        Decrypter assertionDecrypter = new Decrypter((KeyInfoCredentialResolver) null, keyEncryptionKeyResolver, keyResolverChain);
        assertionDecrypter.setRootInNewDocument(true);
        return assertionDecrypter;
    }
}
