package com.sun.identity.saml2.xmlsig;

import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.xmlsig.AMSignatureProvider;
import com.sun.identity.saml.xmlsig.OfflineResolver;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.common.SAML2SDKUtils;
import com.sun.identity.saml2.common.SAML2Utils;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.shared.xml.XPathAPI;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.xml.xpath.XPathException;
import org.forgerock.openam.sdk.org.apache.xml.security.Init;
import org.forgerock.openam.sdk.org.apache.xml.security.exceptions.XMLSecurityException;
import org.forgerock.openam.sdk.org.apache.xml.security.keys.KeyInfo;
import org.forgerock.openam.sdk.org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.forgerock.openam.sdk.org.apache.xml.security.signature.XMLSignature;
import org.forgerock.openam.sdk.org.apache.xml.security.signature.XMLSignatureException;
import org.forgerock.openam.sdk.org.apache.xml.security.transforms.TransformationException;
import org.forgerock.openam.sdk.org.apache.xml.security.transforms.Transforms;
import org.forgerock.openam.sdk.org.apache.xml.security.utils.ElementProxy;
import org.forgerock.openam.sdk.org.forgerock.http.swagger.SwaggerApiProducer;
import org.forgerock.openam.utils.StringUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.1.jar:com/sun/identity/saml2/xmlsig/FMSigProvider.class */
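/**
 * XML-signature provider for SAML2 documents, built on the Apache XML Security library.
 *
 * <p>{@link #sign} inserts an enveloped {@code ds:Signature} into the document, referencing the
 * document element through its {@code ID} attribute. {@link #verify} locates the first
 * {@code ds:Signature}, checks that its reference points at the {@code ID} of the element that
 * carries the signature, and validates the signature value against a set of certificates.
 *
 * <p>Algorithms and the certificate-trust switch are read once, in the static initialiser, from
 * the {@code com.sun.identity.saml.xmlsig.*} and {@code com.sun.identity.saml.checkcert} system
 * properties. The built-in defaults are SHA-1 based; deployments wanting a stronger digest or
 * signature algorithm must set the corresponding properties.
 */
public final class FMSigProvider implements SigProvider {
    private static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** Canonicalization method ({@code com.sun.identity.saml.xmlsig.c14nMethod}). */
    private static final String c14nMethod;
    /** Transform applied after the enveloped-signature transform ({@code ...xmlsig.transformAlg}). */
    private static final String transformAlg;
    /** Signature algorithm ({@code ...xmlsig.xmlSigAlgorithm}); null/blank means "derive from the key". */
    private static final String sigAlg;
    /** Digest algorithm for the reference ({@code ...xmlsig.digestAlgorithm}). */
    private static final String digestAlg;
    /** Whether a certificate embedded in the document must be in the caller's trusted set. */
    private static final boolean checkCert;

    /**
     * Signs the given XML with an enveloped signature.
     *
     * @param str the XML document to sign; must not be empty
     * @param str2 the value of the document element's {@code ID} attribute, used as the reference URI
     * @param privateKey the signing key; must not be null
     * @param x509Certificate certificate to embed in {@code ds:KeyInfo}; skipped when null
     * @return the generated {@code ds:Signature} element
     * @throws SAML2Exception on empty/null input, unparsable XML, a key algorithm with no configured
     *         signature algorithm, or any XML-security failure (wrapped)
     */
    @Override // com.sun.identity.saml2.xmlsig.SigProvider
    public Element sign(String str, String str2, PrivateKey privateKey, X509Certificate x509Certificate) throws SAML2Exception {
        if (StringUtils.isEmpty(str)) {
            SAML2SDKUtils.debug.error("FMSigProvider.sign: The xml to sign was empty.");
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "emptyInputMessage", new String[]{"xml"});
        }
        if (StringUtils.isEmpty(str2)) {
            SAML2SDKUtils.debug.error("FMSigProvider.sign: The idValue was empty.");
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "emptyInputMessage", new String[]{"idValue"});
        }
        if (privateKey == null) {
            SAML2SDKUtils.debug.error("FMSigProvider.sign: The private key was null.");
            throw new SAML2Exception(SAML2SDKUtils.BUNDLE_NAME, "nullInputMessage", new String[]{"private key"});
        }
        Document doc = XMLUtils.toDOMDocument(str, SAML2SDKUtils.debug);
        if (doc == null) {
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
        }
        Element root = doc.getDocumentElement();
        // Resolved per call: the algorithm derived from one key must not be stored in shared static
        // state, where it would be reused for later keys of a different type.
        String signatureAlgorithm = resolveSignatureAlgorithm(privateKey);
        try {
            ElementProxy.setDefaultPrefix(DS_NS, "ds");
            // Register the root's ID attribute so the "#<id>" reference can be dereferenced.
            root.setIdAttribute("ID", true);
            XMLSignature signature = new XMLSignature(doc, "", signatureAlgorithm, c14nMethod);
            insertSignatureElement(root, signature.getElement());
            signature.getSignedInfo().addResourceResolver(new OfflineResolver());
            Transforms transforms = new Transforms(doc);
            transforms.addTransform(SAMLConstants.TRANSFORM_ENVELOPED_SIGNATURE);
            transforms.addTransform(transformAlg);
            signature.addDocument("#" + str2, transforms, digestAlg);
            if (x509Certificate != null) {
                signature.addKeyInfo(x509Certificate);
            }
            signature.sign(privateKey);
            if (SAML2SDKUtils.debug.messageEnabled()) {
                SAML2SDKUtils.debug.message("FMSigProvider.sign: Signing is successful.");
            }
            return signature.getElement();
        } catch (XMLSecurityException e) {
            // XMLSignatureException and TransformationException are subclasses; all are wrapped alike.
            throw new SAML2Exception((Throwable) e);
        }
    }

    /**
     * Returns the configured signature algorithm, or the key-type default when none is configured.
     *
     * @throws SAML2Exception when nothing is configured and the key is neither DSA nor RSA
     */
    private static String resolveSignatureAlgorithm(PrivateKey privateKey) throws SAML2Exception {
        if (sigAlg != null && !sigAlg.trim().isEmpty()) {
            return sigAlg;
        }
        String keyAlgorithm = privateKey.getAlgorithm();
        if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
            return "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
        }
        if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
            return "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
        }
        SAML2SDKUtils.debug.error("FMSigProvider.sign: No signature algorithm configured for key algorithm " + keyAlgorithm);
        throw new SAML2Exception("FMSigProvider.sign: No signature algorithm for key algorithm " + keyAlgorithm);
    }

    /**
     * Places the signature element directly after the root's {@code Issuer} child, or as the last
     * child when there is no {@code Issuer} (SAML 2.0 orders {@code Signature} after {@code Issuer}).
     */
    private static void insertSignatureElement(Element root, Element signatureElement) {
        Node issuer = root.getFirstChild();
        while (issuer != null && !"Issuer".equals(issuer.getLocalName())) {
            issuer = issuer.getNextSibling();
        }
        Node anchor = (issuer == null) ? null : issuer.getNextSibling();
        if (anchor == null) {
            root.appendChild(signatureElement);
        } else {
            root.insertBefore(signatureElement, anchor);
        }
    }

    /**
     * Verifies the first {@code ds:Signature} in the given XML.
     *
     * <p>{@code str2} (the idValue) is only checked for presence; the reference URI is compared
     * against the {@code ID} of the signature's own parent element. Only the document element's
     * {@code ID} attribute is registered as an XML ID before the reference is resolved.
     *
     * @param str the signed XML; must not be empty
     * @param str2 the expected ID value; must not be empty
     * @param set certificates trusted to have produced the signature; see
     *        {@link #selectVerificationCerts} for how an embedded certificate interacts with it
     * @return true when the signature value validates against one of the selected certificates
     * @throws SAML2Exception on bad input, a missing signature or reference, a reference that does not
     *         point at the signed element, an untrusted embedded certificate, or an XML-security failure
     */
    @Override // com.sun.identity.saml2.xmlsig.SigProvider
    public boolean verify(String str, String str2, Set<X509Certificate> set) throws SAML2Exception {
        if (str == null || str.isEmpty() || str2 == null || str2.isEmpty()) {
            SAML2SDKUtils.debug.error("FMSigProvider.verify: Either input xmlString or idValue is null.");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullInput"));
        }
        Document doc = XMLUtils.toDOMDocument(str, SAML2SDKUtils.debug);
        if (doc == null) {
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("errorObtainingElement"));
        }
        Element nsContext = AMSignatureProvider.createDSctx(doc, "ds", DS_NS);
        Element signatureElement;
        String referenceUri;
        try {
            signatureElement = (Element) XPathAPI.selectSingleNode(doc, "//ds:Signature[1]", nsContext);
            if (signatureElement == null) {
                SAML2SDKUtils.debug.error("FMSigProvider.verify: No ds:Signature element found.");
                throw new SAML2Exception("FMSigProvider.verify: No ds:Signature element found.");
            }
            // Read the Reference from this signature's own SignedInfo, not from the first ds:Reference
            // anywhere in the document, so the ID comparison below is against the reference that is
            // actually verified.
            Element reference = (Element) XPathAPI.selectSingleNode(signatureElement, "ds:SignedInfo/ds:Reference[1]", nsContext);
            if (reference == null) {
                SAML2SDKUtils.debug.error("FMSigProvider.verify: The signature has no ds:Reference.");
                throw new SAML2Exception("FMSigProvider.verify: The signature has no ds:Reference.");
            }
            referenceUri = reference.getAttribute("URI");
        } catch (XPathException e) {
            throw new SAML2Exception(e);
        }
        Node signedNode = signatureElement.getParentNode();
        String signedId = (signedNode instanceof Element) ? ((Element) signedNode).getAttribute("ID") : null;
        // A same-document reference must be exactly "#" + the ID of the element carrying the signature;
        // getAttribute returns "" when absent, which this comparison rejects without a substring call.
        if (signedId == null || signedId.isEmpty() || !referenceUri.equals("#" + signedId)) {
            SAML2SDKUtils.debug.error("FMSigProvider.verify: Signature reference ID does not match with element ID");
            throw new SAML2Exception(SAML2SDKUtils.bundle.getString("uriNoMatchWithId"));
        }
        doc.getDocumentElement().setIdAttribute("ID", true);
        try {
            XMLSignature signature = new XMLSignature(signatureElement, "");
            signature.addResourceResolver(new OfflineResolver());
            Set<X509Certificate> candidates = selectVerificationCerts(signature.getKeyInfo(), set);
            if (!isValidSignature(signature, candidates)) {
                SAML2SDKUtils.debug.error("FMSigProvider.verify: Signature verification failed.");
                return false;
            }
            if (SAML2SDKUtils.debug.messageEnabled()) {
                SAML2SDKUtils.debug.message("FMSigProvider.verify: Signature verification successful.");
            }
            return true;
        } catch (XMLSecurityException e) {
            // XMLSignatureException is a subclass and is wrapped the same way.
            throw new SAML2Exception((Throwable) e);
        }
    }

    /**
     * Chooses the certificates the signature value is checked against.
     *
     * <p>When the document's {@code KeyInfo} carries an X509 certificate, that single certificate is
     * used; with {@code checkCert} on it must first be present in {@code trusted}. With
     * {@code checkCert} off the embedded certificate is used without being matched against
     * {@code trusted}, so the trust decision then rests entirely with the deployment. Without an
     * embedded certificate the caller's set is used (empty when null, which makes verification fail).
     *
     * @throws SAML2Exception when an embedded certificate is required to be trusted but is not
     */
    private static Set<X509Certificate> selectVerificationCerts(KeyInfo keyInfo, Set<X509Certificate> trusted) throws SAML2Exception {
        X509Certificate embedded = null;
        if (keyInfo != null && keyInfo.containsX509Data()) {
            try {
                embedded = keyInfo.getX509Certificate();
            } catch (KeyResolverException e) {
                // Best effort: fall back to the caller's certificates, as before.
                SAML2SDKUtils.debug.error("FMSigProvider.verify: Could not obtain a certificate from inside the document.");
            }
        }
        if (embedded == null) {
            if (trusted == null) {
                SAML2SDKUtils.debug.error("FMSigProvider.verify: No verification certificates available.");
                return Collections.emptySet();
            }
            return trusted;
        }
        if (checkCert) {
            if (trusted == null || !trusted.contains(embedded)) {
                SAML2SDKUtils.debug.error("FMSigProvider.verify: The cert contained in the document is NOT trusted");
                throw new SAML2Exception(SAML2SDKUtils.bundle.getString("invalidCertificate"));
            }
            if (SAML2SDKUtils.debug.messageEnabled()) {
                SAML2SDKUtils.debug.message("FMSigProvider.verify: The cert contained in the document is trusted");
            }
        }
        return Collections.singleton(embedded);
    }

    /**
     * Checks the signature value against each certificate in turn.
     *
     * @return true at the first certificate that passes {@code SAML2Utils.validateCertificate} and
     *         matches the signature value; false when none does
     * @throws SAML2Exception wrapping the first {@code XMLSignatureException} seen, but only when no
     *         certificate validated the signature
     */
    private boolean isValidSignature(XMLSignature xMLSignature, Set<X509Certificate> set) throws SAML2Exception {
        XMLSignatureException firstFailure = null;
        for (X509Certificate candidate : set) {
            if (!SAML2Utils.validateCertificate(candidate)) {
                SAML2SDKUtils.debug.error("FMSigProvider.isValidSignature: Signing Certificate is validated as bad.");
                continue;
            }
            try {
                if (xMLSignature.checkSignatureValue(candidate)) {
                    return true;
                }
            } catch (XMLSignatureException e) {
                SAML2SDKUtils.debug.warning("FMSigProvider.isValidSignature: XML signature validation failed due to " + e);
                if (firstFailure == null) {
                    firstFailure = e;
                }
            }
        }
        if (firstFailure != null) {
            throw new SAML2Exception((Throwable) firstFailure);
        }
        return false;
    }

    static {
        Init.init();
        c14nMethod = SystemPropertiesManager.get("com.sun.identity.saml.xmlsig.c14nMethod", EXC_C14N);
        transformAlg = SystemPropertiesManager.get("com.sun.identity.saml.xmlsig.transformAlg", EXC_C14N);
        sigAlg = SystemPropertiesManager.get("com.sun.identity.saml.xmlsig.xmlSigAlgorithm");
        digestAlg = SystemPropertiesManager.get("com.sun.identity.saml.xmlsig.digestAlgorithm", "http://www.w3.org/2000/09/xmldsig#sha1");
        // The trust check is on unless the property is explicitly (case-insensitively) "off".
        String checkCertSetting = SystemPropertiesManager.get("com.sun.identity.saml.checkcert", Debug.STR_ON);
        checkCert = checkCertSetting == null || !checkCertSetting.trim().equalsIgnoreCase(Debug.STR_OFF);
    }
}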
