package org.opensaml.saml.security.impl;

import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import net.shibboleth.utilities.java.support.logic.ConstraintViolationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBaseTestCase;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.ext.saml2alg.DigestMethod;
import org.opensaml.saml.ext.saml2alg.SigningMethod;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.Extensions;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.SignatureSigningConfiguration;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion;
import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
import org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xmlsec.keyinfo.impl.BasicKeyInfoGeneratorFactory;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:org/opensaml/saml/security/impl/SAMLMetadataSignatureSigningParametersResolverTest.class */
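/**
 * Tests for {@link SAMLMetadataSignatureSigningParametersResolver}.
 *
 * <p>Each test puts signing credentials (and optionally algorithm blacklists/whitelists) on
 * {@code config1}, optionally attaches {@link SigningMethod} / {@link DigestMethod} extensions to
 * the peer's role or entity descriptor, and then checks which credential and algorithms the
 * resolver selects.</p>
 *
 * <p>The SHA-1 based defaults and the 1024-bit RSA/DSA keys are test fixtures for exercising the
 * selection logic; nothing in this class presents them as recommended settings.</p>
 */
public class SAMLMetadataSignatureSigningParametersResolverTest extends XMLObjectBaseTestCase {
    // Algorithm URIs that peer metadata advertises in the tests below.
    private static final String ALGO_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String ALGO_RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
    private static final String ALGO_RSA_MD5 = "http://www.w3.org/2001/04/xmldsig-more#rsa-md5";
    private static final String ALGO_ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
    private static final String DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";
    private static final String DIGEST_MD5 = "http://www.w3.org/2001/04/xmldsig-more#md5";

    private SAMLMetadataSignatureSigningParametersResolver resolver;
    private CriteriaSet criteriaSet;
    private SignatureSigningConfigurationCriterion configCriterion;
    // config1 is the configuration the tests mutate; config2 stays empty; config3 carries the defaults.
    private BasicSignatureSigningConfiguration config1;
    private BasicSignatureSigningConfiguration config2;
    private BasicSignatureSigningConfiguration config3;
    private Credential rsaCred1024;
    private Credential rsaCred2048;
    private Credential rsaCred4096;
    private Credential dsaCred;
    // Stays null when the JCA provider cannot generate EC keys (see buildCredentials()).
    private Credential ecCred;
    private Credential hmacCred;
    private RoleDescriptorCriterion roleDescCriterion;
    private RoleDescriptor roleDesc;
    // Defaults installed on config3 in setUp(); the tests assert against them.
    private final String defaultReferenceDigest = "http://www.w3.org/2000/09/xmldsig#sha1";
    private final String defaultC14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private final String defaultRSAAlgo = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private final String defaultDSAAlgo = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    private final String defaultECAlgo = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1";
    private final String defaultHMACAlgo = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
    private final Integer defaultHMACOutputLength = 128;
    private NamedKeyInfoGeneratorManager defaultKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
    private final String targetEntityID = "urn:test:foo";

    /**
     * Generates the key material shared by all tests, once per class.
     *
     * <p>Three RSA sizes are created so the key-length tests can tell the credentials apart.</p>
     *
     * @throws NoSuchAlgorithmException if a required (non-EC) algorithm is unavailable
     * @throws NoSuchProviderException if the requested provider is unavailable
     */
    @BeforeClass
    public void buildCredentials() throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyPair rsa1024 = KeySupport.generateKeyPair("RSA", 1024, (String) null);
        this.rsaCred1024 = CredentialSupport.getSimpleCredential(rsa1024.getPublic(), rsa1024.getPrivate());
        KeyPair rsa2048 = KeySupport.generateKeyPair("RSA", 2048, (String) null);
        this.rsaCred2048 = CredentialSupport.getSimpleCredential(rsa2048.getPublic(), rsa2048.getPrivate());
        KeyPair rsa4096 = KeySupport.generateKeyPair("RSA", 4096, (String) null);
        this.rsaCred4096 = CredentialSupport.getSimpleCredential(rsa4096.getPublic(), rsa4096.getPrivate());
        KeyPair dsa1024 = KeySupport.generateKeyPair("DSA", 1024, (String) null);
        this.dsaCred = CredentialSupport.getSimpleCredential(dsa1024.getPublic(), dsa1024.getPrivate());
        try {
            KeyPair ec256 = KeySupport.generateKeyPair("EC", 256, (String) null);
            this.ecCred = CredentialSupport.getSimpleCredential(ec256.getPublic(), ec256.getPrivate());
        } catch (NoSuchAlgorithmException ignored) {
            // Deliberately best-effort: EC is optional here. ecCred stays null and the EC test
            // checks for that before running its assertions.
        }
        // A 128-bit symmetric key (generated as "AES") stands in for the HMAC credential.
        this.hmacCred = CredentialSupport.getSimpleCredential(KeySupport.generateKey("AES", 128, (String) null));
    }

    /**
     * Rebuilds the resolver, the three signing configurations and the criteria set before each test
     * so that per-test changes to {@code config1} or the role descriptor do not leak between tests.
     */
    @BeforeMethod
    public void setUp() {
        this.resolver = new SAMLMetadataSignatureSigningParametersResolver();
        this.config1 = new BasicSignatureSigningConfiguration();
        this.config2 = new BasicSignatureSigningConfiguration();
        this.config3 = new BasicSignatureSigningConfiguration();

        // Only config3 is populated: it supplies the default algorithms, digest, C14N and HMAC length.
        this.config3.setSignatureAlgorithms(Arrays.asList(this.defaultRSAAlgo, this.defaultDSAAlgo, this.defaultECAlgo, this.defaultHMACAlgo));
        this.config3.setSignatureReferenceDigestMethods(Collections.singletonList(this.defaultReferenceDigest));
        this.config3.setSignatureCanonicalizationAlgorithm(this.defaultC14N);
        this.config3.setSignatureHMACOutputLength(this.defaultHMACOutputLength);

        BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
        X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
        this.defaultKeyInfoGeneratorManager = new NamedKeyInfoGeneratorManager();
        this.defaultKeyInfoGeneratorManager.registerDefaultFactory(basicFactory);
        this.defaultKeyInfoGeneratorManager.registerDefaultFactory(x509Factory);
        this.config3.setKeyInfoGeneratorManager(this.defaultKeyInfoGeneratorManager);

        this.configCriterion = new SignatureSigningConfigurationCriterion(new SignatureSigningConfiguration[]{this.config1, this.config2, this.config3});
        this.roleDesc = buildRoleDescriptorSkeleton();
        this.roleDescCriterion = new RoleDescriptorCriterion(this.roleDesc);
        this.criteriaSet = new CriteriaSet(new Criterion[]{this.configCriterion, this.roleDescCriterion});
    }

    /** With no metadata extensions, an RSA credential resolves to the configured defaults. */
    @Test
    public void testBasicRSA() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred2048, this.defaultRSAAlgo, this.defaultReferenceDigest);
    }

    /** A SigningMethod on the role descriptor replaces the default signature algorithm. */
    @Test
    public void testRSAWithRoleDescriptorSigningMethod() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_SHA256, null, null));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred2048, ALGO_RSA_SHA256, this.defaultReferenceDigest);
    }

    /** A SigningMethod on the parent entity descriptor is honoured as well. */
    @Test
    public void testRSAWithEntityDescriptorSigningMethod() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        addEntityDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_SHA256, null, null));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred2048, ALGO_RSA_SHA256, this.defaultReferenceDigest);
    }

    /** A DigestMethod on the role descriptor replaces only the reference digest. */
    @Test
    public void testRSAWithRoleDescriptorDigestMethod() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        addRoleDescriptorExtension(this.roleDesc, buildDigestMethod(DIGEST_SHA256));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred2048, this.defaultRSAAlgo, DIGEST_SHA256);
    }

    /** A DigestMethod on the parent entity descriptor replaces only the reference digest. */
    @Test
    public void testRSAWithEntityDescriptorDigestMethod() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        addEntityDescriptorExtension(this.roleDesc, buildDigestMethod(DIGEST_SHA256));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred2048, this.defaultRSAAlgo, DIGEST_SHA256);
    }

    /**
     * A locally blacklisted signature algorithm must not be selected even though the peer lists it
     * first: rsa-md5 is advertised but blacklisted, and the expected result is rsa-sha256.
     */
    @Test
    public void testRSAWithSigningMethodBlacklisted() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        this.config1.setBlacklistedAlgorithms(Collections.singletonList(ALGO_RSA_MD5));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_MD5, null, null));
        // Presumably passed over because only an RSA credential is configured -- confirm against the resolver.
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(this.defaultDSAAlgo, null, null));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_SHA256, null, null));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred2048, ALGO_RSA_SHA256, this.defaultReferenceDigest);
    }

    /**
     * A locally blacklisted digest advertised by the peer (md5) must not be selected; the
     * configured default reference digest is expected instead.
     */
    @Test
    public void testRSAWithDigestMethodBlacklisted() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        this.config1.setBlacklistedAlgorithms(Collections.singletonList(DIGEST_MD5));
        addRoleDescriptorExtension(this.roleDesc, buildDigestMethod(DIGEST_MD5));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred2048, this.defaultRSAAlgo, this.defaultReferenceDigest);
    }

    /**
     * With a whitelist of ecdsa-sha256 plus the default digest, the peer's two RSA methods are
     * expected to be rejected and the EC credential selected.
     */
    @Test
    public void testECWithSigningMethodWhitelisted() throws ResolverException {
        // NOTE(review): when EC key generation was unavailable this test passes without asserting
        // anything; consider reporting it as skipped so the coverage gap is visible.
        if (this.ecCred == null) {
            return;
        }
        this.config1.setSigningCredentials(Arrays.asList(this.rsaCred2048, this.dsaCred, this.ecCred));
        this.config1.setWhitelistedAlgorithms(Arrays.asList(ALGO_ECDSA_SHA256, this.defaultReferenceDigest));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_SHA512, null, null));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_SHA256, null, null));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_ECDSA_SHA256, null, null));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.ecCred, ALGO_ECDSA_SHA256, this.defaultReferenceDigest);
    }

    /** The peer's SigningMethod (dsa-sha1) picks the matching credential out of several. */
    @Test
    public void testMultipleCredsWithSigningMethodSelection() throws ResolverException {
        this.config1.setSigningCredentials(Arrays.asList(this.rsaCred2048, this.hmacCred, this.dsaCred));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(this.defaultDSAAlgo, null, null));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.dsaCred, this.defaultDSAAlgo, this.defaultReferenceDigest);
    }

    /** MinKeySize=4096 on the SigningMethod skips the 1024- and 2048-bit RSA credentials. */
    @Test
    public void testRSAMinKeyLength() throws ResolverException {
        this.config1.setSigningCredentials(Arrays.asList(this.rsaCred1024, this.rsaCred2048, this.rsaCred4096));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_SHA256, 4096, null));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred4096, ALGO_RSA_SHA256, this.defaultReferenceDigest);
    }

    /**
     * MaxKeySize=1024 on the SigningMethod skips the 4096- and 2048-bit RSA credentials.
     *
     * <p>The peer-advertised maximum therefore steers selection to the smallest configured key;
     * only credentials that were configured locally can be chosen.</p>
     */
    @Test
    public void testRSAMaxKeyLength() throws ResolverException {
        this.config1.setSigningCredentials(Arrays.asList(this.rsaCred4096, this.rsaCred2048, this.rsaCred1024));
        addRoleDescriptorExtension(this.roleDesc, buildSigningMethod(ALGO_RSA_SHA256, null, 1024));
        SignatureSigningParameters params = this.resolver.resolveSingle(this.criteriaSet);
        assertResolvedParameters(params, this.rsaCred1024, ALGO_RSA_SHA256, this.defaultReferenceDigest);
    }

    /** Without any signing credential the resolver yields no parameters. */
    @Test
    public void testNoCredentials() throws ResolverException {
        Assert.assertNull(this.resolver.resolveSingle(this.criteriaSet));
    }

    /** An empty signature-algorithm list yields no parameters. */
    @Test
    public void testNoAlgorithms() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        this.config3.setSignatureAlgorithms(new ArrayList<String>());
        Assert.assertNull(this.resolver.resolveSingle(this.criteriaSet));
    }

    /** An empty reference-digest list yields no parameters. */
    @Test
    public void testNoReferenceDigestMethods() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        this.config3.setSignatureReferenceDigestMethods(new ArrayList<String>());
        Assert.assertNull(this.resolver.resolveSingle(this.criteriaSet));
    }

    /** A missing canonicalization algorithm yields no parameters. */
    @Test
    public void testNoC14NAlgorithm() throws ResolverException {
        this.config1.setSigningCredentials(Collections.singletonList(this.rsaCred2048));
        this.config3.setSignatureCanonicalizationAlgorithm((String) null);
        Assert.assertNull(this.resolver.resolveSingle(this.criteriaSet));
    }

    /** A null criteria set is rejected with a constraint violation. */
    @Test(expectedExceptions = {ConstraintViolationException.class})
    public void testNullCriteriaSet() throws ResolverException {
        this.resolver.resolve((CriteriaSet) null);
    }

    /** A criteria set lacking the signing-configuration criterion is rejected. */
    @Test(expectedExceptions = {ConstraintViolationException.class})
    public void testAbsentCriterion() throws ResolverException {
        this.resolver.resolve(new CriteriaSet());
    }

    /**
     * Asserts the fields every successful resolution in this class is expected to share: the
     * given credential, signature algorithm and reference digest, the default C14N algorithm,
     * no HMAC output length, and a non-null KeyInfo generator.
     */
    private void assertResolvedParameters(SignatureSigningParameters params, Credential expectedCredential,
            String expectedSignatureAlgorithm, String expectedReferenceDigest) {
        Assert.assertNotNull(params);
        Assert.assertEquals(params.getSigningCredential(), expectedCredential);
        Assert.assertEquals(params.getSignatureAlgorithm(), expectedSignatureAlgorithm);
        Assert.assertEquals(params.getSignatureReferenceDigestMethod(), expectedReferenceDigest);
        Assert.assertEquals(params.getSignatureCanonicalizationAlgorithm(), this.defaultC14N);
        Assert.assertNull(params.getSignatureHMACOutputLength());
        Assert.assertNotNull(params.getKeyInfoGenerator());
    }

    /** Builds an SPSSODescriptor whose parent is an EntityDescriptor carrying the target entity ID. */
    private RoleDescriptor buildRoleDescriptorSkeleton() {
        EntityDescriptor entityDescriptor = buildXMLObject(EntityDescriptor.DEFAULT_ELEMENT_NAME);
        entityDescriptor.setEntityID(this.targetEntityID);
        SPSSODescriptor spDescriptor = buildXMLObject(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        spDescriptor.setParent(entityDescriptor);
        return spDescriptor;
    }

    /** Builds a SigningMethod extension; either key-size bound may be null to leave it unset. */
    private SigningMethod buildSigningMethod(String str, Integer num, Integer num2) {
        SigningMethod signingMethod = buildXMLObject(SigningMethod.DEFAULT_ELEMENT_NAME);
        signingMethod.setAlgorithm(str);
        signingMethod.setMinKeySize(num);
        signingMethod.setMaxKeySize(num2);
        return signingMethod;
    }

    /** Builds a DigestMethod extension for the given algorithm URI. */
    private DigestMethod buildDigestMethod(String str) {
        DigestMethod digestMethod = buildXMLObject(DigestMethod.DEFAULT_ELEMENT_NAME);
        digestMethod.setAlgorithm(str);
        return digestMethod;
    }

    /** Appends an extension child to the role descriptor, creating Extensions on first use. */
    private void addRoleDescriptorExtension(RoleDescriptor roleDescriptor, XMLObject xMLObject) {
        Extensions extensions = roleDescriptor.getExtensions();
        if (extensions == null) {
            extensions = buildExtensions();
            roleDescriptor.setExtensions(extensions);
        }
        extensions.getUnknownXMLObjects().add(xMLObject);
    }

    /** Appends an extension child to the role descriptor's parent EntityDescriptor. */
    private void addEntityDescriptorExtension(RoleDescriptor roleDescriptor, XMLObject xMLObject) {
        // getParent() is declared to return XMLObject, so the explicit cast is required.
        EntityDescriptor parent = (EntityDescriptor) roleDescriptor.getParent();
        Extensions extensions = parent.getExtensions();
        if (extensions == null) {
            extensions = buildExtensions();
            parent.setExtensions(extensions);
        }
        extensions.getUnknownXMLObjects().add(xMLObject);
    }

    /** Builds an empty metadata Extensions element. */
    private Extensions buildExtensions() {
        return buildXMLObject(Extensions.DEFAULT_ELEMENT_NAME);
    }
}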
