package com.sun.identity.liberty.ws.security;

import com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
import com.sun.identity.liberty.ws.disco.EncryptedResourceID;
import com.sun.identity.liberty.ws.disco.common.DiscoServiceManager;
import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionManager;
import com.sun.identity.plugin.session.SessionProvider;
import com.sun.identity.saml.assertion.AttributeStatement;
import com.sun.identity.saml.assertion.AudienceRestrictionCondition;
import com.sun.identity.saml.assertion.AuthenticationStatement;
import com.sun.identity.saml.assertion.Conditions;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.assertion.SubjectConfirmation;
import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.common.SAMLServiceManager;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml.xmlsig.XMLSignatureManager;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.locale.Locale;
import com.sun.identity.shared.xml.XMLUtils;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.ResourceBundle;
import org.apache.batik.util.SVGConstants;
import org.forgerock.openam.utils.Time;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.3.jar:com/sun/identity/liberty/ws/security/LibSecurityTokenProvider.class */
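/**
 * Default {@link SecurityTokenProvider} of the Liberty ID-WSF client SDK.
 *
 * <p>Issues X.509 binary security tokens and signed SAML security assertions
 * (authentication, resource-access, session-context and attribute statements) on
 * behalf of the session handed to {@link #initialize(Object, XMLSignatureManager)}.
 * Subjects confirmed by holder-of-key carry a {@code ds:KeyInfo} built from the WSC
 * certificate resolved by {@link #getX509Certificate()}; bearer subjects carry none.
 * Every issued assertion is signed with the trusted-authority alias configured under
 * {@code com.sun.identity.liberty.ws.ta.certalias}.
 *
 * <p>Not thread-safe: the per-instance certificate alias, certificate and session
 * attributes are plain mutable fields, and the shared attribute plugin is loaded
 * without synchronization.
 */
public class LibSecurityTokenProvider implements SecurityTokenProvider {
    /** Session property holding the authentication instant of the caller's session. */
    private static final String AUTH_INSTANT = "authInstant";
    /** System property naming the optional {@link SecurityAttributePlugin} implementation class. */
    private static final String WS_ATTRIBUTE_PLUGIN = "com.sun.identity.liberty.ws.attributeplugin";
    /** System property naming the default WSC certificate alias. */
    private static final String DEFAULT_CERT_ALIAS_KEY = "com.sun.identity.liberty.ws.wsc.certalias";
    private static final String DEFAULT_CERT_ALIAS_VALUE = SystemPropertiesManager.get(DEFAULT_CERT_ALIAS_KEY);
    /** System property naming the trusted-authority alias that signs issued assertions. */
    private static final String DEFAULT_TA_CERT_ALIAS_KEY = "com.sun.identity.liberty.ws.ta.certalias";
    private static final String DEFAULT_TA_CERT_ALIAS_VALUE = SystemPropertiesManager.get(DEFAULT_TA_CERT_ALIAS_KEY);
    /**
     * System property selecting the KeyInfo form: the value {@code certificate}
     * embeds the whole certificate in {@code ds:X509Data}; any other value (or none)
     * emits {@code ds:KeyName} plus a raw {@code ds:KeyValue}.
     */
    private static final String KEYINFO_TYPE = "com.sun.identity.liberty.ws.security.keyinfotype";
    private static final String keyInfoType = SystemPropertiesManager.get(KEYINFO_TYPE);
    private static final Debug debug = Debug.getInstance("libIDWSF");
    private static final ResourceBundle bundle = Locale.getInstallResourceBundle("fmLibertySecurity");

    /** XML Digital Signature namespace used for every KeyInfo element. */
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** SAML 1.0 subject confirmation method URIs. */
    private static final String CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    private static final String CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    private static final String CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";

    /** Lazily loaded attribute plugin shared by all instances; see {@link #getAttributePlugin()}. */
    protected static SecurityAttributePlugin attributePlugin = null;
    /** Signature manager supplied by {@link #initialize(Object, XMLSignatureManager)}. */
    protected XMLSignatureManager sigManager = null;
    /** Key store backing {@link #sigManager}; resolves aliases to certificates. */
    protected KeyProvider keystore = null;
    /** Opaque session object validated during {@link #initialize(Object, XMLSignatureManager)}. */
    private Object ssoToken = null;
    /** Alias of the WSC certificate; null until set explicitly or defaulted from configuration. */
    private String certAlias = null;
    /** WSC certificate; resolved lazily from {@link #certAlias}. */
    private X509Certificate wssCert = null;
    /** Authentication instant of the session, as read from the session provider (string form). */
    protected String authTime = "";
    /** Authentication method of the session, as read from the session provider. */
    protected String authType = "";

    /**
     * Binds this provider to a session and a signature manager.
     *
     * <p>Validates the session through the configured {@link SessionProvider} and
     * caches its authentication method and instant for later authentication
     * statements. {@link #sigManager} is assigned only after the session has been
     * accepted, so a provider whose initialization failed cannot sign anything.
     *
     * @param obj the session object to issue tokens for
     * @param xMLSignatureManager signature manager providing the key store and signing
     * @throws SecurityTokenException if the manager is null or the session is missing,
     *         invalid or cannot be read
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public void initialize(Object obj, XMLSignatureManager xMLSignatureManager) throws SecurityTokenException {
        debug.message("LibSecurityTokenProvider.initialize");
        if (xMLSignatureManager == null) {
            debug.error("AMP: nulll signature manager");
            throw new SecurityTokenException(bundle.getString("nullXMLSigManager"));
        }
        this.keystore = xMLSignatureManager.getKeyProvider();
        try {
            this.ssoToken = obj;
            SessionProvider provider = SessionManager.getProvider();
            if (!provider.isValid(this.ssoToken)) {
                throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
            }
            String[] authMethod = provider.getProperty(this.ssoToken, SessionProvider.AUTH_METHOD);
            if (authMethod != null && authMethod.length != 0) {
                this.authType = authMethod[0];
            }
            String[] authInstant = provider.getProperty(this.ssoToken, AUTH_INSTANT);
            if (authInstant != null && authInstant.length != 0) {
                this.authTime = authInstant[0];
            }
            this.sigManager = xMLSignatureManager;
        } catch (SessionException e) {
            debug.error("AMP: invalid SSO Token", e);
            throw new SecurityTokenException(bundle.getString("invalidSSOToken"));
        }
    }

    /**
     * Selects the WSC certificate by key store alias and resolves it immediately.
     *
     * @param str alias of the certificate in the key store
     * @throws SecurityTokenException if no certificate is stored under the alias
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public void setCertAlias(String str) throws SecurityTokenException {
        if (debug.messageEnabled()) {
            debug.message("AMP : certalias=" + str);
        }
        this.certAlias = str;
        this.wssCert = getX509Certificate();
    }

    /**
     * Selects the WSC certificate directly; the certificate must still be present in
     * the key store, since its alias is looked up there.
     *
     * @param x509Certificate certificate to use for holder-of-key tokens
     * @throws SecurityTokenException if the key store holds no alias for the certificate
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public void setCertificate(X509Certificate x509Certificate) throws SecurityTokenException {
        // Requires initialize() to have run: keystore is null before that.
        this.certAlias = this.keystore.getCertificateAlias(x509Certificate);
        if (debug.messageEnabled()) {
            debug.message("AMP : certalias=" + this.certAlias);
        }
        if (this.certAlias == null) {
            debug.error("AMP: no cert found");
            throw new SecurityTokenException(bundle.getString("noCertAlias"));
        }
        this.wssCert = x509Certificate;
    }

    /**
     * Resolves the WSC certificate for {@link #certAlias}, defaulting the alias from
     * {@code com.sun.identity.liberty.ws.wsc.certalias} when none was set.
     *
     * @return the certificate stored under the effective alias
     * @throws SecurityTokenException if no alias is available or it matches no certificate
     */
    private X509Certificate getX509Certificate() throws SecurityTokenException {
        if (this.certAlias == null) {
            if (DEFAULT_CERT_ALIAS_VALUE == null || DEFAULT_CERT_ALIAS_VALUE.trim().isEmpty()) {
                debug.error("AMP: no cert found");
                throw new SecurityTokenException(bundle.getString("noCertAlias"));
            }
            this.certAlias = DEFAULT_CERT_ALIAS_VALUE;
        }
        X509Certificate cert = this.keystore.getX509Certificate(this.certAlias);
        if (cert == null) {
            debug.error("AMP : no cert found in store");
            throw new SecurityTokenException(bundle.getString("noMatchingCert"));
        }
        return cert;
    }

    /**
     * Builds a WS-Security binary security token carrying the DER-encoded WSC
     * certificate in Base64.
     *
     * @return an X509v3 / base64Binary token
     * @throws SecurityTokenException if the certificate cannot be resolved or encoded
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public BinarySecurityToken getX509CertificateToken() throws SecurityTokenException {
        if (this.wssCert == null) {
            this.wssCert = getX509Certificate();
        }
        try {
            String encoded = Base64.encode(this.wssCert.getEncoded());
            return new BinarySecurityToken(encoded, BinarySecurityToken.X509V3, BinarySecurityToken.BASE64BINARY);
        } catch (Exception e) {
            debug.error("getX509Token", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Issues a holder-of-key assertion containing only an authentication statement.
     *
     * @param nameIdentifier identity of the sender
     * @return the signed assertion
     * @throws SecurityTokenException if the identifier is null or the assertion cannot be built or signed
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public SecurityAssertion getSAMLAuthenticationToken(NameIdentifier nameIdentifier) throws SecurityTokenException {
        return getSAMLToken(nameIdentifier, null, null, true, false, null, false);
    }

    /**
     * Issues a holder-of-key authorization assertion for a plain resource ID.
     *
     * @param nameIdentifier identity of the sender
     * @param sessionContext invocation session context; may be null
     * @param str resource ID the token authorizes access to
     * @param z whether to include an authentication statement
     * @param z2 whether to include a resource-access statement
     * @param str2 recipient provider ID used as audience restriction; may be null
     * @return the signed assertion
     * @throws SecurityTokenException if no statement results or signing fails
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public SecurityAssertion getSAMLAuthorizationToken(NameIdentifier nameIdentifier, SessionContext sessionContext, String str, boolean z, boolean z2, String str2) throws SecurityTokenException {
        return getSAMLToken(nameIdentifier, sessionContext, str, z, z2, str2, false);
    }

    /**
     * Issues a holder-of-key authorization assertion for an encrypted resource ID.
     *
     * @see #getSAMLAuthorizationToken(NameIdentifier, SessionContext, String, boolean, boolean, String)
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public SecurityAssertion getSAMLAuthorizationToken(NameIdentifier nameIdentifier, SessionContext sessionContext, EncryptedResourceID encryptedResourceID, boolean z, boolean z2, String str) throws SecurityTokenException {
        return getSAMLToken(nameIdentifier, sessionContext, encryptedResourceID, z, z2, str, false);
    }

    /**
     * Issues a bearer assertion for a plain resource ID. Bearer subjects carry no
     * KeyInfo, so possession of the token alone proves the claim.
     *
     * @see #getSAMLAuthorizationToken(NameIdentifier, SessionContext, String, boolean, boolean, String)
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public SecurityAssertion getSAMLBearerToken(NameIdentifier nameIdentifier, SessionContext sessionContext, String str, boolean z, boolean z2, String str2) throws SecurityTokenException {
        return getSAMLToken(nameIdentifier, sessionContext, str, z, z2, str2, true);
    }

    /**
     * Issues a bearer assertion for an encrypted resource ID.
     *
     * @see #getSAMLBearerToken(NameIdentifier, SessionContext, String, boolean, boolean, String)
     */
    @Override // com.sun.identity.liberty.ws.security.SecurityTokenProvider
    public SecurityAssertion getSAMLBearerToken(NameIdentifier nameIdentifier, SessionContext sessionContext, EncryptedResourceID encryptedResourceID, boolean z, boolean z2, String str) throws SecurityTokenException {
        return getSAMLToken(nameIdentifier, sessionContext, encryptedResourceID, z, z2, str, true);
    }

    /**
     * Assembles, optionally audience-restricts and signs a security assertion.
     *
     * <p>Statements are added in this order: authentication (if requested), then
     * either a resource-access statement (if requested) or, failing that, a
     * session-context statement when a session context is present, then an attribute
     * statement when the configured attribute plugin returns attributes. An assertion
     * with no authentication, resource-access or session-context statement is
     * rejected; attribute statements alone never satisfy that check.
     *
     * @param senderIdentity identity of the sender; must not be null
     * @param sessionContext invocation session context; may be null
     * @param resourceID a {@link String} or {@link EncryptedResourceID}; may be null
     * @param includeAuthN add an authentication statement
     * @param includeResourceAccess add a resource-access statement
     * @param recipientProviderID audience to restrict the assertion to; may be null
     * @param isBearer use bearer instead of holder-of-key subject confirmation
     * @return the signed assertion
     * @throws SecurityTokenException if the identity is null, no statement results, or
     *         building/signing the assertion fails
     */
    private SecurityAssertion getSAMLToken(NameIdentifier senderIdentity, SessionContext sessionContext, Object resourceID, boolean includeAuthN, boolean includeResourceAccess, String recipientProviderID, boolean isBearer) throws SecurityTokenException {
        if (debug.messageEnabled()) {
            debug.message("getSAMLToken: isBear = " + isBearer);
        }
        if (senderIdentity == null) {
            debug.error("LibSecurityTokenProvider.getSAMLToken:senderIdentity is null");
            throw new SecurityTokenException(bundle.getString("nullSenderIdentity"));
        }
        HashSet statements = new HashSet();
        if (includeAuthN) {
            statements.add(createAuthenticationStatement(senderIdentity, isBearer));
        }
        if (includeResourceAccess) {
            statements.add(createResourceAccessStatement(senderIdentity, sessionContext, resourceID, isBearer));
        } else if (sessionContext != null) {
            statements.add(createSessionContextStatement(senderIdentity, sessionContext, isBearer));
        }
        if (statements.isEmpty()) {
            debug.error("getSAMLAuthorizationToken: SAML statement should not be null.");
            throw new SecurityTokenException(bundle.getString("nullStatement"));
        }
        String discoProviderID = DiscoServiceManager.getDiscoProviderID();
        // The attribute statement is best-effort: a plugin that returns nothing, or a
        // statement that fails to build, leaves the assertion without attributes.
        SecurityAttributePlugin plugin = getAttributePlugin();
        if (plugin != null) {
            List attributes = plugin.getAttributes(senderIdentity, resourceID, discoProviderID);
            if (attributes != null && !attributes.isEmpty()) {
                AttributeStatement attributeStatement = createAttributeStatement(senderIdentity, attributes, isBearer);
                if (attributeStatement != null) {
                    statements.add(attributeStatement);
                }
            }
        }
        Date issueInstant = Time.newDate();
        try {
            SecurityAssertion assertion;
            if (recipientProviderID != null) {
                ArrayList audiences = new ArrayList();
                audiences.add(recipientProviderID);
                Conditions conditions = new Conditions();
                conditions.addAudienceRestrictionCondition(new AudienceRestrictionCondition(audiences));
                assertion = new SecurityAssertion("", discoProviderID, issueInstant, conditions, statements);
            } else {
                assertion = new SecurityAssertion("", discoProviderID, issueInstant, statements);
            }
            // Signing with the TA alias is mandatory; a missing alias surfaces here as
            // a signing failure rather than an unsigned assertion.
            assertion.signXML(DEFAULT_TA_CERT_ALIAS_VALUE);
            return assertion;
        } catch (Exception e) {
            debug.error("getSAMLToken.signXML", e);
            throw new SecurityTokenException(bundle.getString("nullAssertion"));
        }
    }

    /**
     * Builds the subject confirmation used throughout this provider: bearer, or
     * holder-of-key carrying a KeyInfo for the WSC certificate.
     *
     * @param isBearer true for bearer confirmation, false for holder-of-key
     * @return the confirmation element
     * @throws SecurityTokenException if the holder-of-key KeyInfo cannot be built
     * @throws SAMLException if the confirmation cannot be constructed
     */
    private SubjectConfirmation createSubjectConfirmation(boolean isBearer) throws SecurityTokenException, SAMLException {
        if (isBearer) {
            return new SubjectConfirmation(CM_BEARER);
        }
        SubjectConfirmation confirmation = new SubjectConfirmation(CM_HOLDER_OF_KEY);
        confirmation.setKeyInfo(createKeyInfo());
        return confirmation;
    }

    /**
     * Builds an authentication statement from the session's cached authentication
     * method and instant.
     *
     * @param nameIdentifier subject of the statement
     * @param isBearer subject confirmation method to use
     * @return the statement
     * @throws SecurityTokenException if the method URI, instant or KeyInfo cannot be produced
     */
    private AuthenticationStatement createAuthenticationStatement(NameIdentifier nameIdentifier, boolean isBearer) throws SecurityTokenException {
        try {
            String authMethodURI = SAMLServiceManager.getAuthMethodURI(this.authType);
            // authTime is the raw session property; an empty or malformed value fails here.
            Date authInstant = DateUtils.stringToDate(this.authTime);
            Subject subject = new Subject(nameIdentifier, createSubjectConfirmation(isBearer));
            return new AuthenticationStatement(authMethodURI, authInstant, subject);
        } catch (Exception e) {
            debug.error("createAuthenticationStatement: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Builds a resource-access statement for a plain or encrypted resource ID.
     *
     * @param nameIdentifier identity of the sender
     * @param sessionContext invocation session context; may be null
     * @param resourceID a {@link String} or an {@link EncryptedResourceID}
     * @param isBearer subject confirmation method to use
     * @return the statement
     * @throws SecurityTokenException if the subject or statement cannot be built
     */
    private ResourceAccessStatement createResourceAccessStatement(NameIdentifier nameIdentifier, SessionContext sessionContext, Object resourceID, boolean isBearer) throws SecurityTokenException {
        if (debug.messageEnabled()) {
            Object resourceClass = resourceID == null ? null : resourceID.getClass();
            debug.message("LibSecurityTokenProvider.createResourceAccessStatement: resourceID class = " + resourceClass + ", value = " + resourceID);
        }
        try {
            List subjects = createSubjectAndProxySubject(nameIdentifier, sessionContext, isBearer);
            Subject subject = (Subject) subjects.get(0);
            ProxySubject proxySubject = subjects.size() == 2 ? (ProxySubject) subjects.get(1) : null;
            ResourceAccessStatement statement;
            if (resourceID instanceof String) {
                statement = new ResourceAccessStatement((String) resourceID, proxySubject, sessionContext, subject);
            } else {
                // Anything that is not a String is expected to be an EncryptedResourceID;
                // a null or foreign type fails the cast and is reported below.
                statement = new ResourceAccessStatement((EncryptedResourceID) resourceID, proxySubject, sessionContext, subject);
            }
            if (debug.messageEnabled()) {
                debug.message("LibSecurityTokenProvider.createResourceAccessStatement: ras = " + statement);
            }
            return statement;
        } catch (Exception e) {
            debug.error("createResourceAccessStatement: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Derives the statement subject and, when the session belongs to someone other
     * than the sender, a proxy subject.
     *
     * <p>If the session context names a different identity than {@code nameIdentifier},
     * that session identity becomes the subject (confirmed by sender-vouches) and the
     * sender becomes a proxy subject; otherwise the sender is the sole subject.
     *
     * @param nameIdentifier identity of the sender
     * @param sessionContext invocation session context; may be null
     * @param isBearer subject confirmation method for the sender
     * @return a list holding the subject and, optionally, the proxy subject
     * @throws Exception propagated from SAML object construction or KeyInfo creation
     */
    private List createSubjectAndProxySubject(NameIdentifier nameIdentifier, SessionContext sessionContext, boolean isBearer) throws Exception {
        ArrayList subjects = new ArrayList();
        if (sessionContext != null) {
            NameIdentifier sessionIdentity = sessionContext.getSessionSubject().getNameIdentifier();
            if (!sessionIdentity.equals(nameIdentifier)) {
                subjects.add(new Subject(sessionIdentity, new SubjectConfirmation(CM_SENDER_VOUCHES)));
                subjects.add(createProxySubject(nameIdentifier, isBearer));
                return subjects;
            }
        }
        subjects.add(new Subject(nameIdentifier, createSubjectConfirmation(isBearer)));
        return subjects;
    }

    /**
     * Builds a session-context statement for the given session.
     *
     * @param nameIdentifier identity of the sender
     * @param sessionContext invocation session context; must not be null
     * @param isBearer subject confirmation method to use
     * @return the statement
     * @throws SecurityTokenException if the subject or statement cannot be built
     */
    private SessionContextStatement createSessionContextStatement(NameIdentifier nameIdentifier, SessionContext sessionContext, boolean isBearer) throws SecurityTokenException {
        try {
            List subjects = createSubjectAndProxySubject(nameIdentifier, sessionContext, isBearer);
            Subject subject = (Subject) subjects.get(0);
            ProxySubject proxySubject = subjects.size() == 2 ? (ProxySubject) subjects.get(1) : null;
            return new SessionContextStatement(sessionContext, proxySubject, subject);
        } catch (Exception e) {
            debug.error("createSessionContextStatement: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Builds the proxy subject representing the sender when it acts on behalf of a
     * different session identity.
     *
     * @param nameIdentifier identity of the sender
     * @param isBearer subject confirmation method to use
     * @return the proxy subject
     * @throws SecurityTokenException if the holder-of-key KeyInfo cannot be built
     * @throws SAMLException if the SAML objects cannot be constructed
     */
    private ProxySubject createProxySubject(NameIdentifier nameIdentifier, boolean isBearer) throws SecurityTokenException, SAMLException {
        return new ProxySubject(nameIdentifier, createSubjectConfirmation(isBearer));
    }

    /**
     * Builds the {@code ds:KeyInfo} element for holder-of-key confirmation.
     *
     * <p>With {@code keyinfotype=certificate} the element embeds the Base64 DER
     * certificate in {@code ds:X509Data}; otherwise it carries the subject DN as
     * {@code ds:KeyName} and the raw public key as {@code ds:KeyValue}. Only DSA and
     * RSA public keys are supported in the raw form.
     *
     * @return the KeyInfo element, owned by a fresh document
     * @throws SecurityTokenException if the certificate cannot be resolved or the
     *         element cannot be built
     */
    private Element createKeyInfo() throws SecurityTokenException {
        X509Certificate cert = getX509Certificate();
        try {
            Document doc = XMLUtils.newDocument();
            Element keyInfo = doc.createElementNS(DSIG_NS, "KeyInfo");
            keyInfo.setAttribute("xmlns", DSIG_NS);
            if (keyInfoType != null && keyInfoType.equalsIgnoreCase("certificate")) {
                Element x509Data = doc.createElementNS(DSIG_NS, "X509Data");
                Element x509Certificate = doc.createElementNS(DSIG_NS, "X509Certificate");
                x509Certificate.appendChild(doc.createTextNode(Base64.encode(cert.getEncoded())));
                keyInfo.appendChild(x509Data).appendChild(x509Certificate);
            } else {
                // getSubjectDN() is a legacy API; its string form is what relying parties
                // already expect in KeyName, so it is kept rather than switched to
                // getSubjectX500Principal(), whose RFC 2253 output differs.
                Element keyName = doc.createElementNS(DSIG_NS, "KeyName");
                keyName.appendChild(doc.createTextNode(cert.getSubjectDN().getName()));
                Element keyValue = doc.createElementNS(DSIG_NS, "KeyValue");
                keyValue.appendChild(createPublicKeyValue(doc, cert.getPublicKey()));
                keyInfo.appendChild(keyName);
                keyInfo.appendChild(keyValue);
            }
            return keyInfo;
        } catch (Exception e) {
            debug.error("createKeyInfo: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Builds the {@code ds:DSAKeyValue} or {@code ds:RSAKeyValue} child for a public key.
     *
     * @param doc document owning the new elements
     * @param publicKey a DSA or RSA public key
     * @return the key-value element
     * @throws SecurityTokenException if the key is neither DSA nor RSA
     */
    private static Element createPublicKeyValue(Document doc, PublicKey publicKey) throws SecurityTokenException {
        if (publicKey instanceof DSAPublicKey) {
            DSAPublicKey dsaKey = (DSAPublicKey) publicKey;
            DSAParams params = dsaKey.getParams();
            Element dsaKeyValue = doc.createElementNS(DSIG_NS, SAMLConstants.TAG_DSAKEYVALUE);
            appendBase64Child(doc, dsaKeyValue, "P", params.getP());
            appendBase64Child(doc, dsaKeyValue, "Q", params.getQ());
            appendBase64Child(doc, dsaKeyValue, "G", params.getG());
            appendBase64Child(doc, dsaKeyValue, "Y", dsaKey.getY());
            return dsaKeyValue;
        }
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
            Element rsaKeyValue = doc.createElementNS(DSIG_NS, SAMLConstants.TAG_RSAKEYVALUE);
            appendBase64Child(doc, rsaKeyValue, "Modulus", rsaKey.getModulus());
            appendBase64Child(doc, rsaKeyValue, "Exponent", rsaKey.getPublicExponent());
            return rsaKeyValue;
        }
        throw new SecurityTokenException("Unsupported public key algorithm: " + publicKey.getAlgorithm());
    }

    /**
     * Appends {@code <tag>Base64(value)</tag>} to {@code parent}.
     *
     * <p>The bytes are {@link BigInteger#toByteArray()} as-is, which may carry a
     * leading sign octet; this matches what the provider has always emitted.
     *
     * @param doc document owning the new element
     * @param parent element to append to
     * @param tag local name of the new element in the dsig namespace
     * @param value integer to encode
     */
    private static void appendBase64Child(Document doc, Element parent, String tag, BigInteger value) {
        Element child = doc.createElementNS(DSIG_NS, tag);
        child.appendChild(doc.createTextNode(Base64.encode(value.toByteArray())));
        parent.appendChild(child);
    }

    /**
     * Builds an attribute statement for the plugin-supplied attributes.
     *
     * <p>Failures are deliberately non-fatal: the statement is simply omitted from the
     * assertion, and the cause is logged at message level only.
     *
     * @param nameIdentifier subject of the statement
     * @param list attributes returned by the {@link SecurityAttributePlugin}
     * @param isBearer subject confirmation method to use
     * @return the statement, or null if it could not be built
     */
    private AttributeStatement createAttributeStatement(NameIdentifier nameIdentifier, List list, boolean isBearer) {
        try {
            Subject subject = new Subject(nameIdentifier, createSubjectConfirmation(isBearer));
            return new AttributeStatement(subject, list);
        } catch (Exception e) {
            if (debug.messageEnabled()) {
                debug.message("createAttributeStatement: ", e);
            }
            return null;
        }
    }

    /**
     * Loads the attribute plugin named by {@code com.sun.identity.liberty.ws.attributeplugin}
     * on first use and caches it in {@link #attributePlugin}.
     *
     * <p>The class is instantiated reflectively from server configuration, so that
     * property is as sensitive as the code it names: whatever it points to runs with
     * the SDK's privileges and sees every sender identity and resource ID. A load
     * failure is logged at warning level and leaves the plugin unset.
     *
     * @return the plugin, or null if none is configured or it failed to load
     */
    private static SecurityAttributePlugin getAttributePlugin() {
        if (attributePlugin != null) {
            return attributePlugin;
        }
        String className = SystemPropertiesManager.get(WS_ATTRIBUTE_PLUGIN);
        if (className == null || className.isEmpty()) {
            return null;
        }
        try {
            attributePlugin = (SecurityAttributePlugin) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            if (debug.warningEnabled()) {
                debug.warning("LibSecurityTokenProvider.getAttributePlugin: Exception", e);
            }
        }
        return attributePlugin;
    }
}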
