package com.sun.identity.wss.security;

import com.sun.identity.saml.xmlsig.XMLSignatureManager;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.assertion.AttributeStatement;
import com.sun.identity.saml2.assertion.AuthnContext;
import com.sun.identity.saml2.assertion.AuthnStatement;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.assertion.SubjectConfirmation;
import com.sun.identity.saml2.assertion.SubjectConfirmationData;
import com.sun.identity.saml2.assertion.impl.AssertionImpl;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.shared.StringUtils;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.wss.sts.config.FAMSTSConfiguration;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.1.jar:com/sun/identity/wss/security/SAML2AssertionValidator.class */
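/**
 * Validates a signed SAML 2.0 assertion received by the STS and exposes the
 * subject name, the attributes and the KeyInfo certificate it carries.
 *
 * <p>Validation order, as implemented in the constructor:
 * <ol>
 *   <li>the assertion must be signed;</li>
 *   <li>the issuer must match one of the configured trusted issuers, whose
 *       entries have the form {@code alias:issuer} (split on the first
 *       {@code ':'}; the issuer part itself may therefore contain colons);</li>
 *   <li>the XML signature must verify against the certificate alias taken
 *       from the matching trusted-issuer entry;</li>
 *   <li>the assertion must be within its validity period;</li>
 *   <li>a Subject with a non-null NameID value must be present.</li>
 * </ol>
 * Only the first AuthnStatement, the first AttributeStatement and the first
 * SubjectConfirmation are inspected.
 *
 * <p>Instances are not thread-safe; the state is written once by the
 * constructor and read through the getters.
 */
public class SAML2AssertionValidator {
    // Attribute name -> "|"-joined escaped values; stays null when the
    // assertion carries no attribute statement with attributes.
    private Map<String, String> attributeMap = null;
    // NameID value of the assertion's Subject.
    private String subjectName;
    // Retained for parity with the original class; not read here.
    private FAMSTSConfiguration stsConfig;
    // Certificate found in the first SubjectConfirmationData's KeyInfo, if any.
    private X509Certificate cert;

    /**
     * Parses and validates the given assertion element.
     *
     * @param element the {@code saml:Assertion} DOM element
     * @param fAMSTSConfiguration STS configuration supplying the trusted issuers
     * @throws SecurityException if the configuration is null, the assertion
     *         is unsigned, the issuer is missing or not trusted, a trusted
     *         issuer entry lacks the {@code alias:issuer} separator, the
     *         signature does not verify, the assertion is outside its validity
     *         window, the subject or its NameID value is missing, or the
     *         assertion cannot be parsed
     */
    public SAML2AssertionValidator(Element element, FAMSTSConfiguration fAMSTSConfiguration) throws SecurityException {
        this.subjectName = null;
        this.stsConfig = fAMSTSConfiguration;
        this.cert = null;
        if (fAMSTSConfiguration == null) {
            throw new SecurityException(WSSUtils.bundle.getString("nullConfig"));
        }
        try {
            AssertionImpl assertion = new AssertionImpl(element);
            if (!assertion.isSigned()) {
                throw new SecurityException(WSSUtils.bundle.getString("assertionNotSigned"));
            }
            // A missing Issuer element is reported the same way as an empty value
            // instead of surfacing as a NullPointerException.
            String issuer = (assertion.getIssuer() == null) ? null : assertion.getIssuer().getValue();
            if (issuer == null) {
                throw new SecurityException(WSSUtils.bundle.getString("nullIssuer"));
            }
            // The alias of the matching entry is the key the signature is checked with,
            // so an assertion can only be accepted under the certificate configured
            // for its own issuer.
            String certAlias = findTrustedIssuerAlias(issuer, fAMSTSConfiguration.getTrustedIssuers());
            try {
                XMLSignatureManager signatureManager = WSSUtils.getXMLSignatureManager();
                Document doc = XMLUtils.newDocument();
                doc.appendChild(doc.importNode(element, true));
                if (WSSUtils.debug.messageEnabled()) {
                    // Logs the complete assertion, including any attribute values it carries.
                    WSSUtils.debug.message("SAML2AssertionValidator: Assertion to be verified" + XMLUtils.print(element));
                }
                if (!signatureManager.verifyXMLSignature(doc, certAlias)) {
                    if (WSSUtils.debug.messageEnabled()) {
                        WSSUtils.debug.message("SAML2AssertionValidator: Signature verification for the assertion failed");
                    }
                    throw new SecurityException(WSSUtils.bundle.getString("assertionSigNotVerified"));
                }
                if (WSSUtils.debug.messageEnabled()) {
                    WSSUtils.debug.message("SAML2AssertionValidator: Signature verification successful for the Assertion");
                }
                if (!assertion.isTimeValid()) {
                    throw new SecurityException(WSSUtils.bundle.getString("assertionTimeNotValid"));
                }
                Subject subject = assertion.getSubject();
                if (subject == null) {
                    throw new SecurityException(WSSUtils.bundle.getString("nullSubject"));
                }
                // A Subject without a NameID is rejected like a NameID without a value.
                this.subjectName = (subject.getNameID() == null) ? null : subject.getNameID().getValue();
                if (this.subjectName == null) {
                    throw new SecurityException(WSSUtils.bundle.getString("nullSubject"));
                }
                Element keyInfo = getKeyInfo(subject);
                if (keyInfo != null) {
                    this.cert = WSSUtils.getCertificate(keyInfo);
                }
                List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
                if (authnStatements != null && !authnStatements.isEmpty()) {
                    validateAuthnStatement(authnStatements.get(0));
                }
                List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
                if (attributeStatements != null && !attributeStatements.isEmpty()) {
                    validateAttributeStatement(attributeStatements.get(0));
                }
            } catch (SecurityException specific) {
                // Keep the precise reason (signature, time window, subject) instead of
                // collapsing every failure into "signatureValidationFailed".
                throw specific;
            } catch (Exception e) {
                WSSUtils.debug.error("SAML2AssertionValidator:Signature validation on Assertion failed", e);
                SecurityException wrapped = new SecurityException(WSSUtils.bundle.getString("signatureValidationFailed"));
                wrapped.initCause(e);
                throw wrapped;
            }
        } catch (SAML2Exception e2) {
            SecurityException wrapped = new SecurityException(e2.getMessage());
            wrapped.initCause(e2);
            throw wrapped;
        }
    }

    /**
     * Looks the issuer up in the configured trusted issuers and returns the
     * certificate alias paired with it.
     *
     * <p>Each entry is {@code alias:issuer}, split on the first {@code ':'}.
     * Empty entries and entries with an empty alias are skipped.
     *
     * @param issuer issuer value from the assertion (non-null)
     * @param trustedIssuers configured entries; may be null or empty
     * @return the alias of the first entry whose issuer part equals {@code issuer}
     * @throws SecurityException if an entry has no {@code ':'} separator, or no
     *         entry matches the issuer
     */
    private static String findTrustedIssuerAlias(String issuer, Set<?> trustedIssuers) throws SecurityException {
        if (trustedIssuers == null || trustedIssuers.isEmpty()) {
            throw new SecurityException(WSSUtils.bundle.getString("issuerNotTrusted"));
        }
        for (Object rawEntry : trustedIssuers) {
            String entry = (String) rawEntry;
            if (entry.length() == 0) {
                continue;
            }
            int separator = entry.indexOf(":");
            if (separator == -1) {
                throw new SecurityException(WSSUtils.bundle.getString("issuerOrAliasNull"));
            }
            String alias = entry.substring(0, separator).trim();
            if (alias.length() == 0) {
                continue;
            }
            String trustedIssuer = entry.substring(separator + 1).trim();
            if (trustedIssuer.length() > 0 && issuer.equals(trustedIssuer)) {
                return alias;
            }
        }
        throw new SecurityException(WSSUtils.bundle.getString("issuerNotTrusted"));
    }

    /**
     * Reads the subject locality and the AuthnContext class reference of the
     * first authentication statement.
     *
     * <p>NOTE(review): the values are read and discarded, so no locality or
     * context-class policy is enforced here; this looks like a decompilation
     * artefact of unused locals — confirm whether a check was intended.
     *
     * @param authnStatement the statement to inspect
     * @throws SecurityException never thrown by the current body
     */
    private void validateAuthnStatement(AuthnStatement authnStatement) throws SecurityException {
        authnStatement.getSubjectLocality();
        AuthnContext authnContext = authnStatement.getAuthnContext();
        if (authnContext != null) {
            authnContext.getAuthnContextClassRef();
        }
    }

    /**
     * Collects the attributes of the statement into {@link #attributeMap}.
     *
     * <p>Each attribute's string values are escaped with
     * {@code StringUtils.getEscapedValue} and joined with {@code "|"};
     * attributes without values are skipped. The map is created only when
     * the statement has at least one attribute, so {@link #getAttributes()}
     * otherwise keeps returning null.
     *
     * @param attributeStatement the statement whose attributes are collected
     * @throws SecurityException never thrown by the current body
     */
    private void validateAttributeStatement(AttributeStatement attributeStatement) throws SecurityException {
        List<Attribute> attributes = attributeStatement.getAttribute();
        if (!attributes.isEmpty()) {
            this.attributeMap = new HashMap<>();
        }
        for (Attribute attribute : attributes) {
            List values = attribute.getAttributeValueString();
            if (values == null || values.isEmpty()) {
                continue;
            }
            StringBuilder joined = new StringBuilder();
            for (int i = 0; i < values.size(); i++) {
                if (i != 0) {
                    joined.append("|");
                }
                joined.append(StringUtils.getEscapedValue((String) values.get(i)));
            }
            this.attributeMap.put(attribute.getName(), joined.toString());
        }
    }

    /**
     * Returns the attributes of the first attribute statement, keyed by
     * attribute name with "|"-joined escaped values.
     *
     * @return the attribute map, or null when the assertion had no attribute
     *         statement with attributes
     */
    public Map<String, String> getAttributes() {
        return this.attributeMap;
    }

    /**
     * Returns the NameID value of the assertion's Subject.
     *
     * @return the subject name; non-null once construction succeeded
     */
    public String getSubjectName() {
        return this.subjectName;
    }

    /**
     * Returns the certificate extracted from the first SubjectConfirmationData's
     * KeyInfo.
     *
     * @return the certificate, or null when no KeyInfo was present
     */
    public X509Certificate getKeyInfoCert() {
        return this.cert;
    }

    /**
     * Returns the first content element of the first SubjectConfirmation's
     * SubjectConfirmationData, which is expected to be a KeyInfo element.
     *
     * <p>NOTE(review): the confirmation Method is not inspected here, so the
     * element is returned for any confirmation method — confirm that callers
     * relying on {@link #getKeyInfoCert()} check the method themselves.
     *
     * @param subject the assertion Subject
     * @return the first content element, or null when there is no
     *         SubjectConfirmation, no SubjectConfirmationData or no content
     */
    private Element getKeyInfo(Subject subject) {
        List confirmations = subject.getSubjectConfirmation();
        if (confirmations == null || confirmations.isEmpty()) {
            return null;
        }
        SubjectConfirmationData confirmationData =
                ((SubjectConfirmation) confirmations.get(0)).getSubjectConfirmationData();
        if (confirmationData == null) {
            return null;
        }
        List content = confirmationData.getContent();
        if (content == null || content.isEmpty()) {
            return null;
        }
        return (Element) content.get(0);
    }
}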
