package com.sun.identity.wss.security;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.common.SystemConfigurationUtil;
import com.sun.identity.saml.assertion.Assertion;
import com.sun.identity.saml.assertion.Attribute;
import com.sun.identity.saml.assertion.AttributeStatement;
import com.sun.identity.saml.assertion.AudienceRestrictionCondition;
import com.sun.identity.saml.assertion.AuthenticationStatement;
import com.sun.identity.saml.assertion.Conditions;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.assertion.SubjectConfirmation;
import com.sun.identity.saml.assertion.SubjectStatement;
import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.xml.XMLUtils;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.namespace.QName;
import org.apache.batik.util.SVGConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.3.jar:com/sun/identity/wss/security/AssertionToken.class */
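/**
 * SAML 1.x assertion used as a web-services security token.
 *
 * <p>An instance is produced in one of two ways:
 * <ul>
 *   <li>from an {@link AssertionTokenSpec} plus an {@link SSOToken} — the SSO token is
 *       validated first and a fresh assertion (authentication statement, optional attribute
 *       statement, validity conditions, optional audience restriction) is generated;</li>
 *   <li>from an already-parsed {@code Assertion} DOM element — the element is kept as is and
 *       only re-canonicalised on output.</li>
 * </ul>
 *
 * <p>For the holder-of-key confirmation method the subject is bound to a certificate through a
 * {@code ds:KeyInfo}; sender-vouches and bearer confirmations carry no key material. The shape
 * of the generated {@code ds:KeyInfo} is selected by the system property
 * {@value #KEY_INFO_TYPE}: the value {@code certificate} embeds the full certificate as
 * {@code ds:X509Data}; anything else emits {@code ds:KeyName} (subject DN) plus a
 * {@code ds:KeyValue}.
 *
 * <p>Instances are not thread-safe.
 */
public class AssertionToken implements SecurityToken {

    /** XML Signature namespace of every KeyInfo descendant created by this class. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String DS_PREFIX = "ds";

    /** SAML 1.0 subject confirmation method URIs recognised by this token. */
    private static final String CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    private static final String CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";
    private static final String CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";

    /** System property that selects the KeyInfo layout (see class comment). */
    private static final String KEY_INFO_TYPE = "com.sun.identity.liberty.ws.security.keyinfotype";
    /** Read once at class load; a change of the property requires a restart to take effect. */
    private static String keyInfoType = SystemConfigurationUtil.getProperty(KEY_INFO_TYPE);

    // Retained from the original layout; this class never assigns or reads it.
    private SSOToken ssoToken = null;
    // Authentication type and instant copied from the validated SSO token.
    private String authType = "";
    private String authTime = "";
    // Alias of the subject's certificate used for holder-of-key KeyInfo; may be null.
    private String certAlias = null;
    private Assertion assertion = null;
    // Set only when the token was built from an existing DOM element.
    private Element assertionE = null;
    private AssertionTokenSpec spec = null;

    /**
     * Builds a new assertion from a token specification and a valid SSO token.
     *
     * @param assertionTokenSpec describes issuer, subject, confirmation method, validity
     *        interval, audience and claimed attributes of the assertion to generate
     * @param sSOToken the session whose authentication type and instant are asserted
     * @throws SecurityException if the specification is null, the SSO token does not validate,
     *         or the assertion cannot be constructed
     */
    public AssertionToken(AssertionTokenSpec assertionTokenSpec, SSOToken sSOToken) throws SecurityException {
        if (assertionTokenSpec == null) {
            WSSUtils.debug.error("AssertionToken: constructor: Assertion Token specification is null");
            throw new SecurityException(WSSUtils.bundle.getString("tokenSpecNotSpecified"));
        }
        this.spec = assertionTokenSpec;
        validateSSOToken(sSOToken);
        createAssertion(assertionTokenSpec);
    }

    /**
     * Wraps an existing {@code Assertion} element. No validation beyond SAML parsing is done
     * here; signature and condition checks are the caller's responsibility.
     *
     * @param element the assertion DOM element
     * @throws SAMLException if the element is not a well-formed SAML assertion
     */
    public AssertionToken(Element element) throws SAMLException {
        this.assertionE = element;
        this.assertion = new Assertion(element);
    }

    /**
     * Validates the SSO token and records its authentication type and instant.
     *
     * @throws SecurityException if the token manager rejects the token or a property read fails
     */
    private void validateSSOToken(SSOToken sSOToken) throws SecurityException {
        try {
            SSOTokenManager.getInstance().validateToken(sSOToken);
            this.authType = sSOToken.getAuthType();
            this.authTime = sSOToken.getProperty("authInstant");
        } catch (SSOException e) {
            WSSUtils.debug.error("AssertionToken.validateSSOToken: SSOException", e);
            throw new SecurityException(WSSUtils.bundle.getString("invalidSSOToken"));
        }
    }

    /**
     * Generates the assertion described by {@code tokenSpec} and stores it in
     * {@link #assertion}.
     *
     * <p>Defaults: the confirmation method is derived from the security mechanism when the spec
     * does not name one; the issuer falls back to the {@code com.iplanet.am.server.host}
     * property. Validity runs from now for {@code tokenSpec.getAssertionInterval()}.
     *
     * @throws SecurityException if the sender identity or security mechanism is missing, the
     *         confirmation method cannot be determined, or SAML construction fails
     */
    private void createAssertion(AssertionTokenSpec tokenSpec) throws SecurityException {
        NameIdentifier senderIdentity = tokenSpec.getSenderIdentity();
        this.certAlias = tokenSpec.getSubjectCertAlias();
        if (senderIdentity == null) {
            throw new SecurityException(WSSUtils.bundle.getString("invalidAssertionTokenSpec"));
        }

        String confirmationMethod = tokenSpec.getConfirmationMethod();
        if (confirmationMethod == null) {
            SecurityMechanism mechanism = tokenSpec.getSecurityMechanism();
            // A spec without a mechanism is reported as "nullSecurityMechanism" rather than
            // surfacing as a NullPointerException.
            confirmationMethod = getConfirmationMethod(mechanism == null ? null : mechanism.getURI());
        }

        String issuer = tokenSpec.getIssuer();
        if (issuer == null) {
            issuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
        }

        Date issueInstant = new Date();
        Set<Object> statements = new HashSet<Object>();
        AuthenticationStatement authnStatement = createAuthenticationStatement(senderIdentity, confirmationMethod);
        if (authnStatement != null) {
            statements.add(authnStatement);
        }
        Map<QName, List<String>> claimedAttributes = tokenSpec.getClaimedAttributes();
        if (claimedAttributes != null && !claimedAttributes.isEmpty()) {
            AttributeStatement attributeStatement = createAttributeStatement(tokenSpec);
            if (attributeStatement != null) {
                statements.add(attributeStatement);
            }
        }

        try {
            Conditions conditions = new Conditions(issueInstant,
                    new Date(issueInstant.getTime() + tokenSpec.getAssertionInterval()));
            String appliesTo = tokenSpec.getAppliesTo();
            if (appliesTo != null) {
                // Restrict the audience so the assertion cannot be replayed to another relying party.
                List<String> audiences = new ArrayList<String>();
                audiences.add(appliesTo);
                conditions.addAudienceRestrictionCondition(new AudienceRestrictionCondition(audiences));
            }
            if (WSSUtils.debug.messageEnabled()) {
                WSSUtils.debug.message("AssertionToken.createAssertion: Assertion constructs:\nConfirmation method: " + confirmationMethod + "\nIssuer: " + issuer + "\n");
            }
            this.assertion = new Assertion(tokenSpec.getAssertionID(), issuer, issueInstant, conditions, statements);
        } catch (SAMLException e) {
            WSSUtils.debug.error("AssertionToken.createAssertion: SAMLException in creating the assertion.", e);
            throw new SecurityException(WSSUtils.bundle.getString("unabletoGenerateAssertion"));
        }
    }

    /**
     * Maps a security mechanism URI to the SAML confirmation method it implies.
     *
     * @param mechanismURI one of the {@code SecurityMechanism.WSS_*_SAML_*_URI} constants
     * @return holder-of-key for the HK mechanisms, sender-vouches for the SV mechanisms
     * @throws SecurityException if the URI is null or not a SAML mechanism
     */
    private String getConfirmationMethod(String mechanismURI) throws SecurityException {
        if (mechanismURI == null) {
            throw new SecurityException(WSSUtils.bundle.getString("nullSecurityMechanism"));
        }
        boolean holderOfKey = mechanismURI.equals(SecurityMechanism.WSS_NULL_SAML_HK_URI)
                || mechanismURI.equals(SecurityMechanism.WSS_TLS_SAML_HK_URI)
                || mechanismURI.equals(SecurityMechanism.WSS_CLIENT_TLS_SAML_HK_URI);
        if (holderOfKey) {
            return CM_HOLDER_OF_KEY;
        }
        boolean senderVouches = mechanismURI.equals(SecurityMechanism.WSS_NULL_SAML_SV_URI)
                || mechanismURI.equals(SecurityMechanism.WSS_TLS_SAML_SV_URI)
                || mechanismURI.equals(SecurityMechanism.WSS_CLIENT_TLS_SAML_SV_URI);
        if (senderVouches) {
            return CM_SENDER_VOUCHES;
        }
        throw new SecurityException(WSSUtils.bundle.getString("invalidConfirmationMethod"));
    }

    /**
     * Builds the authentication statement for the subject.
     *
     * <p>Only holder-of-key attaches a {@code ds:KeyInfo} to the subject confirmation;
     * sender-vouches and bearer confirmations carry the method URI alone.
     *
     * @param nameIdentifier the asserted subject
     * @param confirmationMethod SAML 1.0 confirmation method URI
     * @throws SecurityException if the method is null or unsupported, the authentication
     *         instant from the SSO token does not parse, or SAML construction fails
     */
    private AuthenticationStatement createAuthenticationStatement(NameIdentifier nameIdentifier, String confirmationMethod) throws SecurityException {
        if (confirmationMethod == null) {
            throw new SecurityException(WSSUtils.bundle.getString("nullConfirmationMethod"));
        }
        boolean supported = CM_HOLDER_OF_KEY.equals(confirmationMethod)
                || CM_SENDER_VOUCHES.equals(confirmationMethod)
                || CM_BEARER.equals(confirmationMethod);
        if (!supported) {
            throw new SecurityException(WSSUtils.bundle.getString("invalidConfirmationMethod"));
        }
        String authMethodURI = WSSUtils.getAuthMethodURI(this.authType);
        try {
            Date authInstant = DateUtils.stringToDate(this.authTime);
            SubjectConfirmation subjectConfirmation = new SubjectConfirmation(confirmationMethod);
            if (CM_HOLDER_OF_KEY.equals(confirmationMethod)) {
                subjectConfirmation.setKeyInfo(createKeyInfo());
            }
            return new AuthenticationStatement(authMethodURI, authInstant, new Subject(nameIdentifier, subjectConfirmation));
        } catch (SAMLException e) {
            WSSUtils.debug.error("AssertionToken.getAuthenticationStatement:Failed to generate the authentication statement.", e);
            throw new SecurityException(WSSUtils.bundle.getString("unabletoGenerateAssertion"));
        } catch (ParseException e) {
            WSSUtils.debug.error("AssertionToken.getAuthenticationStatement:Failed to generate the authentication statement.", e);
            throw new SecurityException(WSSUtils.bundle.getString("unabletoGenerateAssertion"));
        }
    }

    /** {@inheritDoc} Always {@link SecurityToken#WSS_SAML_TOKEN}. */
    @Override // com.sun.identity.wss.security.SecurityToken
    public String getTokenType() {
        return SecurityToken.WSS_SAML_TOKEN;
    }

    /**
     * Returns the canonicalised assertion element: the wrapped element when the token was
     * created from DOM, otherwise a freshly parsed serialisation of the generated assertion.
     *
     * @throws SecurityException if the generated assertion cannot be parsed back into a document
     */
    @Override // com.sun.identity.wss.security.SecurityToken
    public Element toDocumentElement() throws SecurityException {
        if (this.assertionE != null) {
            return WSSUtils.getCanonicalElement(this.assertionE);
        }
        Document document = XMLUtils.toDOMDocument(this.assertion.toString(true, true), WSSUtils.debug);
        if (document == null) {
            throw new SecurityException(WSSUtils.bundle.getString("cannotConvertToDocument"));
        }
        return WSSUtils.getCanonicalElement(document.getDocumentElement());
    }

    /**
     * Tells whether any subject statement of the assertion is confirmed by sender-vouches.
     *
     * @return true if at least one subject confirmation lists the sender-vouches method
     */
    public boolean isSenderVouches() {
        Set statements = this.assertion.getStatement();
        if (statements == null || statements.isEmpty()) {
            return false;
        }
        for (Object statement : statements) {
            if (!(statement instanceof SubjectStatement)) {
                continue;
            }
            Subject subject = ((SubjectStatement) statement).getSubject();
            if (subject == null) {
                continue;
            }
            SubjectConfirmation confirmation = subject.getSubjectConfirmation();
            if (confirmation == null) {
                continue;
            }
            Set methods = confirmation.getConfirmationMethod();
            if (methods != null && methods.contains(CM_SENDER_VOUCHES)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks up the subject certificate for {@link #certAlias} in the configured key provider.
     *
     * @throws SecurityException if no certificate is found for the alias
     */
    public X509Certificate getX509Certificate() throws SecurityException {
        X509Certificate certificate = AMTokenProvider.getKeyProvider().getX509Certificate(this.certAlias);
        if (certificate == null) {
            WSSUtils.debug.error("AssertionToken.getX509Certificate: Could not get certificate for alias : " + this.certAlias);
            throw new SecurityException(WSSUtils.bundle.getString("noCertificate"));
        }
        return certificate;
    }

    /**
     * Produces the {@code ds:KeyInfo} for a holder-of-key subject confirmation.
     *
     * <p>A KeyInfo supplied by the spec wins. Otherwise the subject certificate is looked up
     * and rendered either as {@code ds:X509Data} (when {@link #keyInfoType} is
     * {@code certificate}) or as {@code ds:KeyName} + {@code ds:KeyValue}. Note that a
     * KeyName/KeyValue form identifies the key only by subject DN and raw public key; the
     * relying party cannot validate a certificate chain from it.
     *
     * @throws SecurityException if the certificate is missing, its key type is neither DSA nor
     *         RSA, or DOM construction fails
     */
    private Element createKeyInfo() throws SecurityException {
        Element suppliedKeyInfo = this.spec.getKeyInfo();
        if (suppliedKeyInfo != null) {
            return suppliedKeyInfo;
        }
        X509Certificate certificate = getX509Certificate();
        try {
            Document doc = XMLUtils.newDocument();
            Element keyInfo = dsElement(doc, "KeyInfo");
            if (keyInfoType != null && keyInfoType.equalsIgnoreCase("certificate")) {
                Element x509Data = dsElement(doc, "X509Data");
                Element x509Certificate = dsElement(doc, "X509Certificate");
                x509Certificate.appendChild(doc.createTextNode(Base64.encode(certificate.getEncoded())));
                x509Data.appendChild(x509Certificate);
                keyInfo.appendChild(x509Data);
            } else {
                // getSubjectDN() is deprecated, but its string form is what relying parties
                // have been matching KeyName against; switching to getSubjectX500Principal()
                // would change the emitted name format.
                Element keyName = dsElement(doc, "KeyName");
                keyName.appendChild(doc.createTextNode(certificate.getSubjectDN().getName()));
                Element keyValue = dsElement(doc, "KeyValue");
                PublicKey publicKey = certificate.getPublicKey();
                if (publicKey instanceof DSAPublicKey) {
                    keyValue.appendChild(dsaKeyValue(doc, (DSAPublicKey) publicKey));
                } else if (publicKey instanceof RSAPublicKey) {
                    keyValue.appendChild(rsaKeyValue(doc, (RSAPublicKey) publicKey));
                } else {
                    // Previously an unsupported key type surfaced as a ClassCastException.
                    throw new SecurityException("AssertionToken.createKeyInfo: unsupported public key algorithm "
                            + publicKey.getAlgorithm());
                }
                keyInfo.appendChild(keyName);
                keyInfo.appendChild(keyValue);
            }
            return keyInfo;
        } catch (SecurityException e) {
            throw e;
        } catch (Exception e) {
            // CertificateEncodingException, DOM exceptions, or a failure in XMLUtils.newDocument().
            WSSUtils.debug.error("AssertionToken.createKeyInfo: ", e);
            throw new SecurityException(e.getMessage());
        }
    }

    /**
     * Renders a {@code ds:DSAKeyValue}. Child names and order (P, Q, G, Y) are those of the
     * XML Signature DSAKeyValue schema.
     */
    private static Element dsaKeyValue(Document doc, DSAPublicKey key) {
        DSAParams params = key.getParams();
        Element dsaKeyValue = dsElement(doc, SAMLConstants.TAG_DSAKEYVALUE);
        dsaKeyValue.appendChild(cryptoBinaryElement(doc, "P", params.getP()));
        dsaKeyValue.appendChild(cryptoBinaryElement(doc, "Q", params.getQ()));
        dsaKeyValue.appendChild(cryptoBinaryElement(doc, "G", params.getG()));
        dsaKeyValue.appendChild(cryptoBinaryElement(doc, "Y", key.getY()));
        return dsaKeyValue;
    }

    /** Renders a {@code ds:RSAKeyValue} with Modulus followed by Exponent. */
    private static Element rsaKeyValue(Document doc, RSAPublicKey key) {
        Element rsaKeyValue = dsElement(doc, SAMLConstants.TAG_RSAKEYVALUE);
        rsaKeyValue.appendChild(cryptoBinaryElement(doc, "Modulus", key.getModulus()));
        rsaKeyValue.appendChild(cryptoBinaryElement(doc, "Exponent", key.getPublicExponent()));
        return rsaKeyValue;
    }

    /**
     * Creates a {@code ds:} element whose text is the base64 of the integer's big-endian bytes.
     *
     * NOTE(review): BigInteger.toByteArray() is two's-complement and may carry a leading 0x00
     * sign octet, which the XML Signature CryptoBinary type says to omit. Kept as the original
     * emitted it; confirm with consumers before stripping.
     */
    private static Element cryptoBinaryElement(Document doc, String localName, BigInteger value) {
        Element element = dsElement(doc, localName);
        element.appendChild(doc.createTextNode(Base64.encode(value.toByteArray())));
        return element;
    }

    /** Creates an element in the XML Signature namespace with the {@code ds} prefix. */
    private static Element dsElement(Document doc, String localName) {
        Element element = doc.createElementNS(XMLDSIG_NS, localName);
        element.setPrefix(DS_PREFIX);
        return element;
    }

    /**
     * Signs the generated assertion with the key identified by {@code certAlias}.
     *
     * @param certAlias key alias in the configured key provider
     * @throws SecurityException if signing fails
     */
    public void sign(String certAlias) throws SecurityException {
        try {
            this.assertion.signXML(certAlias);
        } catch (SAMLException e) {
            WSSUtils.debug.error("AssertionToken.sign: exception", e);
            throw new SecurityException(WSSUtils.bundle.getString("unabletoSign"));
        }
    }

    /** Returns the underlying SAML assertion (generated or parsed). */
    public Assertion getAssertion() {
        return this.assertion;
    }

    /**
     * Builds an attribute statement from the spec's claimed attributes.
     *
     * <p>The {@code NameID} claim is skipped (it is carried by the Subject), as are claims
     * with no values. Each value is parsed into an {@code AttributeValue} element.
     *
     * @return the statement, or null when there are no claimed attributes to assert
     * @throws SecurityException if a value cannot be parsed or SAML construction fails
     */
    private AttributeStatement createAttributeStatement(AssertionTokenSpec tokenSpec) throws SecurityException {
        Map<QName, List<String>> claimedAttributes = tokenSpec.getClaimedAttributes();
        if (claimedAttributes == null) {
            return null;
        }
        try {
            List<Attribute> attributes = new ArrayList<Attribute>();
            for (Map.Entry<QName, List<String>> claim : claimedAttributes.entrySet()) {
                QName name = claim.getKey();
                List<String> values = claim.getValue();
                if ("NameID".equals(name.getLocalPart()) || values == null || values.isEmpty()) {
                    continue;
                }
                List<Element> valueElements = new ArrayList<Element>(values.size());
                for (String value : values) {
                    // SECURITY NOTE: the value is spliced into markup without escaping, so a value
                    // containing '<' or '&' changes the structure of the AttributeValue. Escaping
                    // is not applied here because callers may legitimately pass XML fragments as
                    // values; confirm where claimed attributes originate before relying on this.
                    Document valueDoc = XMLUtils.toDOMDocument("<AttributeValue>" + value + "</AttributeValue>", WSSUtils.debug);
                    if (valueDoc == null) {
                        // toDOMDocument signals a parse failure by returning null; previously this
                        // was a NullPointerException on getDocumentElement(). The value itself is
                        // deliberately not logged.
                        WSSUtils.debug.error("AssertionToken.createAttributeStatement: Unable to parse a value of attribute " + name);
                        throw new SecurityException(WSSUtils.bundle.getString("cannotConvertToDocument"));
                    }
                    valueElements.add(valueDoc.getDocumentElement());
                }
                attributes.add(new Attribute(name.getLocalPart(), name.getNamespaceURI(), valueElements));
            }
            if (attributes.isEmpty()) {
                return null;
            }
            return new AttributeStatement(new Subject(tokenSpec.getSenderIdentity()), attributes);
        } catch (SAMLException e) {
            WSSUtils.debug.error("AssertionToken.createAttributeStatement: Unable to create attribute statement", e);
            throw new SecurityException(e.getMessage());
        }
    }
}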
