package com.sun.identity.saml2.meta;

import com.sun.identity.authentication.share.AuthXMLTags;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml.xmlsig.AMSignatureProvider;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml.xmlsig.OfflineResolver;
import com.sun.identity.saml.xmlsig.XMLSignatureException;
import com.sun.identity.saml.xmlsig.XMLSignatureManager;
import com.sun.identity.saml2.jaxb.entityconfig.AttributeType;
import com.sun.identity.saml2.jaxb.entityconfig.BaseConfigType;
import com.sun.identity.saml2.jaxb.entityconfig.EntityConfigElement;
import com.sun.identity.saml2.jaxb.entityconfig.ObjectFactory;
import com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.KeyDescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.KeyDescriptorType;
import com.sun.identity.saml2.jaxb.metadata.RoleDescriptorType;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.locale.Locale;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.shared.xml.XPathAPI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.xml.bind.JAXBException;
import org.assertj.core.util.GroupFormatUtil;
import org.forgerock.openam.sdk.com.fasterxml.jackson.databind.ser.SerializerCache;
import org.forgerock.openam.sdk.org.apache.xml.security.Init;
import org.forgerock.openam.sdk.org.apache.xml.security.keys.KeyInfo;
import org.forgerock.openam.sdk.org.apache.xml.security.keys.storage.StorageResolver;
import org.forgerock.openam.sdk.org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;
import org.forgerock.openam.sdk.org.apache.xml.security.signature.XMLSignature;
import org.forgerock.openam.utils.CollectionUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/saml2/meta/SAML2MetaSecurityUtils.class */
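/**
 * Signing and signature-verification helpers for SAML2 metadata, plus maintenance of the
 * {@code KeyDescriptor} elements and the {@code signingCertAlias} / {@code encryptionCertAlias}
 * extended attributes of hosted entities.
 *
 * <p>The signing key of a realm is read from the system configuration under
 * {@code metadataSigningKey[realm]} (key alias) and {@code metadataSigningKeyPass[realm]} (key
 * password). On verification a certificate is accepted only if the configured {@link KeyProvider}
 * knows an alias for it; that trust check is skipped only when the system property
 * {@code com.sun.identity.saml.checkcert} is not {@code on}, in which case any certificate carried
 * inside the metadata itself satisfies verification.
 *
 * <p>The static key-store state is initialised lazily and without synchronisation, so concurrent
 * first calls may both run the initialisation.
 *
 * <p>NOTE: the decompiled form of this class referenced constants of unrelated libraries
 * (assertj {@code GroupFormatUtil.DEFAULT_START}, Jackson {@code SerializerCache.DEFAULT_MAX_CACHED},
 * {@code AuthXMLTags.X509CERTIFICATE_END}) in place of plain literals; the literals are used here.
 */
public final class SAML2MetaSecurityUtils {
    private static Debug debug = SAML2MetaUtils.debug;
    // Populated by initializeKeyStore(); either may stay null when no key provider is configured.
    private static KeyProvider keyProvider = null;
    private static KeyStore keyStore = null;
    // Whether a verifying certificate must be known to the key provider; defaults to true.
    private static boolean checkCert = true;
    private static boolean keyProviderInitialized = false;
    public static final String NS_META = "urn:oasis:names:tc:SAML:2.0:metadata";
    public static final String NS_XMLSIG = "http://www.w3.org/2000/09/xmldsig#";
    public static final String NS_XMLENC = "http://www.w3.org/2001/04/xmlenc#";
    public static final String NS_MD_QUERY = "urn:oasis:names:tc:SAML:metadata:ext:query";
    public static final String PREFIX_XMLSIG = "ds";
    public static final String PREFIX_XMLENC = "xenc";
    public static final String PREFIX_MD_QUERY = "query";
    public static final String TAG_KEY_INFO = "KeyInfo";
    public static final String TAG_KEY_DESCRIPTOR = "KeyDescriptor";
    public static final String TAG_ENTITY_DESCRIPTOR = "EntityDescriptor";
    public static final String TAG_SP_SSO_DESCRIPTOR = "SPSSODescriptor";
    public static final String TAG_IDP_SSO_DESCRIPTOR = "IDPSSODescriptor";
    public static final String ATTR_USE = "use";
    public static final String ATTR_ID = "ID";
    private static final String METADATA_SIGNING_KEY = "metadataSigningKey";
    private static final String METADATA_SIGNING_KEY_PASS = "metadataSigningKeyPass";
    private static final String CHECK_CERT_PROPERTY = "com.sun.identity.saml.checkcert";
    private static final String TAG_SIGNATURE = "Signature";
    private static final String USE_SIGNING = "signing";
    private static final String USE_ENCRYPTION = "encryption";
    private static final String SIGNING_CERT_ALIAS_ATTR = "signingCertAlias";
    private static final String ENCRYPTION_CERT_ALIAS_ATTR = "encryptionCertAlias";
    // Tags of the base64 certificate element as serialised by the JAXB binding.
    private static final String X509_CERT_OPEN = "<ds:X509Certificate>";
    private static final String X509_CERT_CLOSE = "</ds:X509Certificate>";
    // Line width used when re-wrapping base64 certificate text.
    private static final int BASE64_LINE_WIDTH = 76;
    private static final String ALL_SIGNATURES_XPATH = "//ds:Signature";
    // Passed to signXMLUsingKeyPass as the position hint for the enveloped Signature
    // (presumably "insert before the first child of EntityDescriptor" - confirm against XMLSignatureManager).
    private static final String ENTITY_DESCRIPTOR_FIRST_CHILD_XPATH =
            "//*[local-name()=\"EntityDescriptor\" and namespace-uri()=\"urn:oasis:names:tc:SAML:2.0:metadata\"]/*[1]";
    // Relative to a ds:Signature element: the md:KeyDescriptor siblings that follow it.
    private static final String FOLLOWING_KEY_DESCRIPTOR_XPATH =
            "following-sibling::*[local-name()=\"KeyDescriptor\" and namespace-uri()=\"urn:oasis:names:tc:SAML:2.0:metadata\"]";

    private SAML2MetaSecurityUtils() {
    }

    /**
     * Initialises the XML-security library, the key provider, its key store and the
     * {@code checkcert} flag on first use. Subsequent calls return immediately.
     */
    private static void initializeKeyStore() {
        if (keyProviderInitialized) {
            return;
        }
        Init.init();
        keyProvider = KeyUtil.getKeyProviderInstance();
        if (keyProvider != null) {
            keyStore = keyProvider.getKeyStore();
        }
        try {
            checkCert = SystemPropertiesManager.get(CHECK_CERT_PROPERTY, Debug.STR_ON).trim()
                    .equalsIgnoreCase(Debug.STR_ON);
        } catch (Exception e) {
            // Any failure reading the property leaves the trust check enabled (fail closed).
            checkCert = true;
        }
        keyProviderInitialized = true;
    }

    /**
     * Signs the given entity descriptor with the realm's metadata signing key.
     *
     * <p>If the descriptor already carries a {@code ds:Signature} and the entity is not hosted, the
     * document is returned as-is with that signature. For hosted entities any existing signature is
     * removed and the document is re-signed.
     *
     * @param realm realm whose {@code metadataSigningKey[realm]} settings are used
     * @param descriptor the entity descriptor to sign
     * @return the signed DOM document, or {@code null} when no signing key is configured for the
     *         realm; if signing itself fails the error is logged and the document is returned
     *         <em>unsigned</em>, so callers that require a signature must check for one
     * @throws JAXBException if the descriptor cannot be serialised
     * @throws SAML2MetaException if the descriptor is {@code null} or the entity config cannot be read
     */
    public static Document sign(String realm, EntityDescriptorElement descriptor)
            throws JAXBException, SAML2MetaException {
        if (descriptor == null) {
            throw new SAML2MetaException("Unable to sign null descriptor");
        }
        EntityConfigElement entityConfig = new SAML2MetaManager().getEntityConfig(realm, descriptor.getEntityID());
        boolean hosted = entityConfig != null && entityConfig.isHosted();
        String signingAlias = getRealmSetting(METADATA_SIGNING_KEY, realm);
        if (signingAlias == null) {
            // No signing key configured for this realm: nothing to sign with.
            return null;
        }
        initializeKeyStore();
        Document doc = XMLUtils.toDOMDocument(
                formatBase64BinaryElement(SAML2MetaUtils.convertJAXBToString(descriptor)), debug);
        Element root = doc.getDocumentElement();
        NodeList children = root.getChildNodes();
        for (int i = 0; i < children.getLength(); ) {
            Node child = children.item(i);
            if (isSignatureElement(child)) {
                if (!hosted) {
                    // Remote metadata keeps the signature it came with.
                    return doc;
                }
                // Live NodeList shrinks on removal, so the index is not advanced.
                root.removeChild(child);
            } else {
                i++;
            }
        }
        String id = SAMLUtils.generateID();
        root.setAttribute(ATTR_ID, id);
        try {
            XMLSignatureManager.getInstance().signXMLUsingKeyPass(doc, signingAlias,
                    getRealmSetting(METADATA_SIGNING_KEY_PASS, realm), null, ATTR_ID, id, true,
                    ENTITY_DESCRIPTOR_FIRST_CHILD_XPATH);
        } catch (XMLSignatureException e) {
            // Logged at error level (was debug-only): the document returned below carries no signature.
            debug.error("SAML2MetaSecurityUtils.sign:", e);
        }
        return doc;
    }

    /** True when {@code node} is a {@code ds:Signature} element. */
    private static boolean isSignatureElement(Node node) {
        return TAG_SIGNATURE.equals(node.getLocalName()) && NS_XMLSIG.equals(node.getNamespaceURI());
    }

    /**
     * Verifies every {@code ds:Signature} found in the metadata document.
     *
     * <p>For each signature the certificate is taken from the signature's own {@code KeyInfo}, or,
     * failing that, from the {@code KeyInfo} of a following {@code md:KeyDescriptor} sibling whose
     * {@code use} is absent or {@code signing}. Unless {@code checkcert} is off, the certificate must
     * resolve to an alias in the configured key provider. A document with no signatures passes.
     *
     * @param document parsed metadata document
     * @throws SAML2MetaException with key {@code verify_no_cert}, {@code untrusted_cert} or
     *         {@code verify_fail} when a signature cannot be verified, or when signatures cannot be
     *         located
     */
    public static void verifySignature(Document document) throws SAML2MetaException {
        NodeList signatures;
        try {
            signatures = XPathAPI.selectNodeList(document, ALL_SIGNATURES_XPATH,
                    AMSignatureProvider.createDSctx(document, PREFIX_XMLSIG, NS_XMLSIG));
        } catch (Exception e) {
            if (debug.messageEnabled()) {
                debug.message("SAML2MetaSecurityUtils.verifySignature:", e);
            }
            // Thrown unconditionally; previously only when debug logging was on, which otherwise
            // left the NodeList null.
            throw new SAML2MetaException(e.getMessage());
        }
        int count = signatures.getLength();
        if (debug.messageEnabled()) {
            debug.message("SAML2MetaSecurityUtils.verifySignature: # of signatures = " + count);
        }
        if (count == 0) {
            return;
        }
        // Lets the ID attribute referenced by the signature be resolved as an XML ID.
        document.getDocumentElement().setIdAttribute(ATTR_ID, true);
        initializeKeyStore();
        for (int i = 0; i < count; i++) {
            Element signatureElement = (Element) signatures.item(i);
            String signedElementName = signatureElement.getParentNode().getLocalName();
            Object[] messageArgs = {signedElementName};
            if (debug.messageEnabled()) {
                debug.message("SAML2MetaSecurityUtils.verifySignature: verifying signature under "
                        + signedElementName);
            }
            try {
                XMLSignature signature = new XMLSignature(signatureElement, "");
                signature.addResourceResolver(new OfflineResolver());
                X509Certificate cert = certificateFrom(signature.getKeyInfo());
                if (cert == null) {
                    if (debug.messageEnabled()) {
                        debug.message("SAML2MetaSecurityUtils.verifySignature: try to find cert in KeyDescriptor");
                    }
                    cert = certificateFromFollowingKeyDescriptor(signatureElement);
                }
                if (cert == null) {
                    throw new SAML2MetaException("verify_no_cert", messageArgs);
                }
                if (checkCert && (keyProvider == null || keyProvider.getCertificateAlias(cert) == null)) {
                    throw new SAML2MetaException("untrusted_cert", messageArgs);
                }
                if (!signature.checkSignatureValue(cert.getPublicKey())) {
                    throw new SAML2MetaException("verify_fail", messageArgs);
                }
            } catch (SAML2MetaException e) {
                throw e;
            } catch (Exception e) {
                debug.error("SAML2MetaSecurityUtils.verifySignature: ", e);
                throw new SAML2MetaException(Locale.getString(SAML2MetaUtils.resourceBundle, "verify_fail", messageArgs)
                        + "\n" + e.getMessage());
            }
        }
    }

    /**
     * Resolves the certificate carried by {@code keyInfo}, consulting the configured key store when
     * there is one.
     *
     * @return the certificate, or {@code null} when {@code keyInfo} is {@code null} or has no X509Data
     * @throws Exception whatever the XML-security key resolution throws; the caller maps it to
     *         {@code verify_fail}
     */
    private static X509Certificate certificateFrom(KeyInfo keyInfo) throws Exception {
        if (keyInfo == null || !keyInfo.containsX509Data()) {
            return null;
        }
        if (keyStore != null) {
            keyInfo.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
        }
        return keyInfo.getX509Certificate();
    }

    /**
     * Looks for a certificate in the {@code ds:KeyInfo} child of the {@code md:KeyDescriptor} that
     * follows {@code signatureElement}, provided that descriptor's {@code use} is absent or
     * {@code signing}.
     *
     * <p>The decompiled loop never advanced past an element child, which would spin forever on any
     * KeyDescriptor with an element child; element children are now scanned and the first
     * {@code ds:KeyInfo} wins.
     *
     * @return the certificate, or {@code null} when none is found
     * @throws Exception whatever XPath evaluation or key resolution throws
     */
    private static X509Certificate certificateFromFollowingKeyDescriptor(Element signatureElement) throws Exception {
        Node keyDescriptor = XPathAPI.selectSingleNode(signatureElement, FOLLOWING_KEY_DESCRIPTOR_XPATH);
        if (keyDescriptor == null) {
            return null;
        }
        String use = ((Element) keyDescriptor).getAttributeNS(null, ATTR_USE);
        if (use.length() != 0 && !use.equals(USE_SIGNING)) {
            // An encryption-only key must not be used to verify a signature.
            return null;
        }
        NodeList children = keyDescriptor.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() == Node.ELEMENT_NODE
                    && TAG_KEY_INFO.equals(child.getLocalName())
                    && NS_XMLSIG.equals(child.getNamespaceURI())) {
                return certificateFrom(new KeyInfo((Element) child, ""));
            }
        }
        return null;
    }

    /**
     * Re-wraps the content of every {@code <ds:X509Certificate>} element in {@code xml} onto lines of
     * at most 76 characters, placing the opening tag, each line of base64 and the closing tag on their
     * own lines; the closing tag is prefixed with whatever preceded the opening tag on its line
     * (normally the indentation). Text outside those elements is copied unchanged.
     *
     * @param xml serialised metadata
     * @return the reformatted string; an unterminated {@code <ds:X509Certificate>} leaves the rest of
     *         the input untouched instead of throwing {@code StringIndexOutOfBoundsException}
     */
    public static String formatBase64BinaryElement(String xml) {
        final int length = xml.length();
        StringBuilder out = new StringBuilder(length + 100);
        int copiedUpTo = 0;
        int open = xml.indexOf(X509_CERT_OPEN);
        while (open != -1) {
            int close = xml.indexOf(X509_CERT_CLOSE, open);
            if (close == -1) {
                break;
            }
            out.append(xml, copiedUpTo, open);
            String base64 = xml.substring(open + X509_CERT_OPEN.length(), close);
            // Whatever precedes the opening tag on its line; reused in front of the closing tag.
            String linePrefix = xml.substring(xml.lastIndexOf('\n', open) + 1, open);
            out.append(X509_CERT_OPEN).append('\n');
            int pos = 0;
            while (pos < base64.length() - BASE64_LINE_WIDTH) {
                out.append(base64, pos, pos + BASE64_LINE_WIDTH).append('\n');
                pos += BASE64_LINE_WIDTH;
            }
            out.append(base64, pos, base64.length()).append('\n').append(linePrefix).append(X509_CERT_CLOSE);
            copiedUpTo = close + X509_CERT_CLOSE.length();
            open = xml.indexOf(X509_CERT_OPEN, copiedUpTo);
        }
        out.append(xml, copiedUpTo, length);
        return out.toString();
    }

    /**
     * Returns the base64-encoded DER certificate stored under {@code alias} in the key provider.
     *
     * @param alias key-store alias; {@code null} or blank yields {@code null}
     * @return the base64 certificate, or {@code null} for a blank alias
     * @throws SAML2MetaException with key {@code invalid_cert_alias} when no key provider is
     *         available, the alias is unknown, or the certificate cannot be encoded
     */
    public static String buildX509Certificate(String alias) throws SAML2MetaException {
        if (alias == null || alias.trim().length() == 0) {
            return null;
        }
        KeyProvider provider = KeyUtil.getKeyProviderInstance();
        // Guard matches initializeKeyStore(), which also tolerates a null provider.
        X509Certificate cert = provider == null ? null : provider.getX509Certificate(alias);
        if (cert != null) {
            try {
                return Base64.encode(cert.getEncoded(), true);
            } catch (Exception e) {
                if (debug.messageEnabled()) {
                    debug.message("SAML2MetaSecurityUtils.buildX509Certificate:", e);
                }
            }
        }
        throw new SAML2MetaException("invalid_cert_alias", new Object[]{alias});
    }

    /**
     * Replaces the signing or encryption {@code KeyDescriptor}s of a hosted entity's SP or IDP role
     * with descriptors built from {@code certAliases}, and records the aliases in the role's
     * {@code signingCertAlias} / {@code encryptionCertAlias} extended attribute. An empty alias set
     * removes the descriptors and the attribute.
     *
     * @param realm realm of the entity
     * @param entityId entity ID of the hosted entity
     * @param certAliases key-store aliases of the certificates to publish; may be empty or {@code null}
     * @param isSigning {@code true} for signing keys, {@code false} for encryption keys
     * @param isIDP {@code true} to update the IDP role, {@code false} for the SP role
     * @param encryptionAlgorithm encryption method URI published with encryption keys; ignored for
     *        signing keys or when {@code null}
     * @param keySize key size published with {@code encryptionAlgorithm}
     * @throws SAML2MetaException with key {@code entityNotHosted}, {@code entityNotIDP} or
     *         {@code entityNotSP}, or when a certificate alias is invalid or metadata cannot be saved
     */
    public static void updateProviderKeyInfo(String realm, String entityId, Set<String> certAliases,
            boolean isSigning, boolean isIDP, String encryptionAlgorithm, int keySize) throws SAML2MetaException {
        SAML2MetaManager metaManager = new SAML2MetaManager();
        EntityConfigElement entityConfig = metaManager.getEntityConfig(realm, entityId);
        // An entity without a config is treated as not hosted (sign() makes the same assumption).
        if (entityConfig == null || !entityConfig.isHosted()) {
            throw new SAML2MetaException("entityNotHosted", new String[]{entityId, realm});
        }
        EntityDescriptorElement entityDescriptor = metaManager.getEntityDescriptor(realm, entityId);
        BaseConfigType roleConfig;
        RoleDescriptorType roleDescriptor;
        if (isIDP) {
            roleConfig = SAML2MetaUtils.getIDPSSOConfig(entityConfig);
            roleDescriptor = SAML2MetaUtils.getIDPSSODescriptor(entityDescriptor);
            if (roleConfig == null || roleDescriptor == null) {
                throw new SAML2MetaException("entityNotIDP", new String[]{entityId, realm});
            }
        } else {
            roleConfig = SAML2MetaUtils.getSPSSOConfig(entityConfig);
            roleDescriptor = SAML2MetaUtils.getSPSSODescriptor(entityDescriptor);
            if (roleConfig == null || roleDescriptor == null) {
                throw new SAML2MetaException("entityNotSP", new String[]{entityId, realm});
            }
        }
        String aliasAttribute = isSigning ? SIGNING_CERT_ALIAS_ATTR : ENCRYPTION_CERT_ALIAS_ATTR;
        if (CollectionUtils.isEmpty(certAliases)) {
            removeKeyDescriptor(roleDescriptor, isSigning);
            setExtendedAttributeValue(roleConfig, aliasAttribute, null);
        } else {
            Set<KeyDescriptorType> descriptors = new LinkedHashSet<KeyDescriptorType>(certAliases.size());
            for (String alias : certAliases) {
                descriptors.add(getKeyDescriptor(alias, isSigning, encryptionAlgorithm, keySize));
            }
            updateKeyDescriptor(roleDescriptor, descriptors);
            setExtendedAttributeValue(roleConfig, aliasAttribute, certAliases);
        }
        metaManager.setEntityDescriptor(realm, entityDescriptor);
        metaManager.setEntityConfig(realm, entityConfig);
    }

    /**
     * Removes every existing KeyDescriptor whose {@code use} matches that of the new descriptors,
     * then appends the new ones.
     *
     * @param roleDescriptor role whose KeyDescriptor list is edited in place
     * @param descriptors non-empty set of replacement descriptors sharing one {@code use}
     */
    private static void updateKeyDescriptor(RoleDescriptorType roleDescriptor, Set<KeyDescriptorType> descriptors) {
        String use = descriptors.iterator().next().getUse();
        Iterator it = roleDescriptor.getKeyDescriptor().iterator();
        while (it.hasNext()) {
            String existingUse = ((KeyDescriptorType) it.next()).getUse();
            // Null-safe, consistent with removeKeyDescriptor(); a descriptor without "use" is kept.
            if (existingUse != null && existingUse.equalsIgnoreCase(use)) {
                it.remove();
            }
        }
        roleDescriptor.getKeyDescriptor().addAll(descriptors);
    }

    /**
     * Removes the KeyDescriptors with {@code use="signing"} ({@code isSigning}) or
     * {@code use="encryption"} from the role. Descriptors without a {@code use} are kept.
     */
    private static void removeKeyDescriptor(RoleDescriptorType roleDescriptor, boolean isSigning) {
        String use = isSigning ? USE_SIGNING : USE_ENCRYPTION;
        Iterator it = roleDescriptor.getKeyDescriptor().iterator();
        while (it.hasNext()) {
            String existingUse = ((KeyDescriptorType) it.next()).getUse();
            if (existingUse != null && existingUse.equalsIgnoreCase(use)) {
                it.remove();
            }
        }
    }

    /**
     * Replaces the extended-config attribute {@code name} of {@code config}: any existing attribute
     * with that name (case-insensitive) is dropped and, when {@code values} is not {@code null}, a new
     * attribute holding {@code values} is appended.
     *
     * @throws SAML2MetaException wrapping the {@link JAXBException} from the object factory
     */
    private static void setExtendedAttributeValue(BaseConfigType config, String name, Set values)
            throws SAML2MetaException {
        try {
            Iterator it = config.getAttribute().iterator();
            while (it.hasNext()) {
                String existingName = ((AttributeType) it.next()).getName();
                if (existingName != null && existingName.trim().equalsIgnoreCase(name)) {
                    it.remove();
                }
            }
            if (values != null) {
                AttributeType attribute = new ObjectFactory().createAttributeType();
                attribute.setName(name);
                attribute.getValue().addAll(values);
                config.getAttribute().add(attribute);
            }
        } catch (JAXBException e) {
            throw new SAML2MetaException(e);
        }
    }

    /**
     * Builds an {@code md:KeyDescriptor} for the certificate stored under {@code alias}.
     *
     * <p>{@code encryptionAlgorithm} is written verbatim into an XML attribute; it is expected to be
     * an algorithm URI from administrator configuration, not user input.
     *
     * @param alias key-store alias of the certificate
     * @param isSigning {@code true} for {@code use="signing"}, else {@code use="encryption"}
     * @param encryptionAlgorithm optional EncryptionMethod URI, only emitted for encryption keys
     * @param keySize KeySize emitted together with {@code encryptionAlgorithm}
     * @throws SAML2MetaException when the alias is blank or invalid, or the XML cannot be unmarshalled
     */
    private static KeyDescriptorElement getKeyDescriptor(String alias, boolean isSigning,
            String encryptionAlgorithm, int keySize) throws SAML2MetaException {
        try {
            String certificate = buildX509Certificate(alias);
            if (certificate == null) {
                // A blank alias would otherwise serialise as the literal text "null".
                throw new SAML2MetaException("invalid_cert_alias", new Object[]{alias});
            }
            StringBuilder sb = new StringBuilder(4000);  // initial capacity only
            sb.append("<KeyDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" use=\"");
            sb.append(isSigning ? USE_SIGNING : USE_ENCRYPTION);
            sb.append("\">\n")
                    .append("<KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n")
                    .append("<X509Data>\n")
                    .append("<X509Certificate>\n")
                    .append(certificate)
                    .append("\n")
                    .append("</X509Certificate>")
                    .append("</X509Data>")
                    .append("</KeyInfo>");
            if (!isSigning && encryptionAlgorithm != null) {
                sb.append("<EncryptionMethod Algorithm=\"").append(encryptionAlgorithm).append("\">\n");
                sb.append("<KeySize xmlns=\"http://www.w3.org/2001/04/xmlenc#\">").append(keySize)
                        .append("</KeySize>\n").append("</EncryptionMethod>");
            }
            sb.append("</KeyDescriptor>");
            return (KeyDescriptorElement) SAML2MetaUtils.convertStringToJAXB(sb.toString());
        } catch (JAXBException e) {
            throw new SAML2MetaException(e);
        }
    }

    /**
     * Reads the realm-scoped system setting {@code key[realm]}.
     *
     * @return the configured value, or {@code null} when it is not set
     */
    private static String getRealmSetting(String key, String realm) throws SAML2MetaException {
        return SystemPropertiesManager.get(key + "[" + realm + "]");
    }
}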
