package org.opensaml.saml.metadata.resolver.filter.impl;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.PrivateKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBaseTestCase;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureSupport;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.Signer;
import org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
import org.testng.collections.Lists;
import org.w3c.dom.Element;

/* loaded from: input_file:org/opensaml/saml/metadata/resolver/filter/impl/SignatureValidationFilterPKIXTest.class */
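/**
 * Tests {@link SignatureValidationFilter} backed by a {@link PKIXSignatureTrustEngine}.
 *
 * <p>Each test signs a metadata document from the classpath with an end-entity key whose
 * certificate chains to {@code root.crt}, then runs the signed document through the filter.
 * Trust is anchored at {@code root.crt} only (no CRLs), and trusted names are supplied
 * dynamically by a {@link BasicDynamicTrustedNamesStrategy}, so the filter's outcome depends on
 * both the PKIX path validation and the credential name evaluation.
 */
public class SignatureValidationFilterPKIXTest extends XMLObjectBaseTestCase {

    /** Classpath directory holding the metadata documents, keys and certificates used here. */
    private static final String DATA_PATH = "/org/opensaml/saml/metadata/resolver/filter/impl/";

    /** Signature algorithm URI (RSA with SHA-256) used to sign the test metadata. */
    private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Canonicalization algorithm URI (exclusive C14N) used for the signature. */
    private static final String C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** Reference digest method URI (SHA-256) used for the signature. */
    private static final String DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256";

    /** Maximum certificate path depth handed to the PKIX validation information. */
    private static final int MAX_PATH_DEPTH = 10;

    /** Filter under test; rebuilt before every test method. */
    private SignatureValidationFilter filter;

    /**
     * Builds a fresh filter over a PKIX trust engine anchored at {@code root.crt}.
     *
     * <p>The dynamic trusted-names strategy pairs with the {@code true} flag passed to the
     * PKIX information resolver in {@link #buildTrustEngine()}; without it the name evaluator
     * would have no trusted names to check the signing certificate against.
     */
    @BeforeMethod
    public void setUp() {
        this.filter = new SignatureValidationFilter(buildTrustEngine());
        this.filter.setDynamicTrustedNamesStrategy(new BasicDynamicTrustedNamesStrategy());
    }

    /**
     * A correctly signed EntityDescriptor with a matching entityID passes the filter.
     *
     * @throws Exception on any signing or filtering failure
     */
    @Test
    public void testEntityDescriptor() throws Exception {
        XMLObject result = this.filter.filter(
                generateSignedMetadata(buildSigningCredential("entity.key", "entity.crt", "ca.crt"), "EntityDescriptor.xml"));
        // Guard against the filter silently dropping valid metadata.
        Assert.assertNotNull(result, "Filter rejected validly signed metadata");
    }

    /**
     * An EntityDescriptor signed with a valid chain but carrying an entityID that does not match
     * the certificate's names is rejected, i.e. the filter returns {@code null}.
     *
     * <p>NOTE(review): the rejection presumably comes from the name evaluator comparing the signing
     * certificate against the trusted names derived from the entityID — confirm against
     * {@link BasicDynamicTrustedNamesStrategy} if this test starts failing.
     *
     * @throws Exception on any signing or filtering failure
     */
    @Test
    public void testEntityDescriptorInvalidEntityID() throws Exception {
        Assert.assertNull(this.filter.filter(
                generateSignedMetadata(buildSigningCredential("entity.key", "entity.crt", "ca.crt"), "EntityDescriptor-invalid-entityid.xml")));
    }

    /**
     * Loads a metadata document from the classpath, signs it with the given credential and
     * returns a freshly unmarshalled copy of the signed document.
     *
     * @param credential signing credential; its entity certificate chain is emitted in KeyInfo
     * @param fileName file name relative to {@link #DATA_PATH}
     * @return the signed document, unmarshalled from its own DOM
     * @throws SecurityException if the signature parameters cannot be applied
     * @throws SignatureException if signing fails
     * @throws MarshallingException if the object cannot be marshalled before signing
     * @throws UnmarshallingException if the signed DOM cannot be unmarshalled
     */
    private XMLObject generateSignedMetadata(Credential credential, String fileName)
            throws SecurityException, SignatureException, MarshallingException, UnmarshallingException {
        XMLObject xmlObject = unmarshallElement(DATA_PATH + fileName);
        if (!(xmlObject instanceof SignableSAMLObject)) {
            Assert.fail("Not a signable SAML object");
        }
        SignableSAMLObject signable = (SignableSAMLObject) xmlObject;

        SignatureSigningParameters params = new SignatureSigningParameters();
        params.setSigningCredential(credential);
        params.setSignatureAlgorithm(SIGNATURE_ALGORITHM);
        params.setSignatureCanonicalizationAlgorithm(C14N_ALGORITHM);
        params.setSignatureReferenceDigestMethod(DIGEST_METHOD);

        // Emit the full chain and subject name so the PKIX engine can build a path to root.crt
        // and the name evaluator has something to compare against the trusted names.
        X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
        keyInfoFactory.setEmitEntityCertificate(true);
        keyInfoFactory.setEmitEntityCertificateChain(true);
        keyInfoFactory.setEmitX509SubjectName(true);
        params.setKeyInfoGenerator(keyInfoFactory.newInstance());

        Signature signature = buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
        signable.setSignature(signature);
        SignatureSupport.prepareSignatureParams(signature, params);

        // Signer.signObject() operates on the marshalled DOM, so marshall first.
        Element dom = XMLObjectSupport.marshall(signable);
        Signer.signObject(signature);

        // Round-trip through the unmarshaller so the filter sees the signed document the way a
        // metadata resolver would hand it over, not the in-memory object we just mutated.
        return unmarshallerFactory.getUnmarshaller(dom).unmarshall(dom);
    }

    /**
     * Builds a PKIX signature trust engine anchored solely at {@code root.crt}, with no CRLs,
     * no static trusted names, and dynamic trusted-name support enabled.
     *
     * @return the trust engine used by the filter under test
     */
    private SignatureTrustEngine buildTrustEngine() {
        PKIXValidationInformation pkixInfo =
                getPKIXInfoSet(getCertificates("root.crt"), new HashSet<X509CRL>(), MAX_PATH_DEPTH);
        // Empty static trusted-name set; 'true' lets the filter supply names dynamically (see setUp()).
        StaticPKIXValidationInformationResolver pkixResolver = new StaticPKIXValidationInformationResolver(
                Lists.newArrayList(new PKIXValidationInformation[] {pkixInfo}), new HashSet<String>(), true);
        return new PKIXSignatureTrustEngine(
                pkixResolver,
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver(),
                new CertPathPKIXTrustEvaluator(),
                new BasicX509CredentialNameEvaluator());
    }

    /**
     * Wraps trust anchors, CRLs and a path depth limit into a {@link PKIXValidationInformation}.
     *
     * @param anchors trust anchor certificates
     * @param crls certificate revocation lists (may be empty)
     * @param maxDepth maximum certificate path depth
     * @return the validation information
     */
    private PKIXValidationInformation getPKIXInfoSet(Collection<X509Certificate> anchors, Collection<X509CRL> crls, Integer maxDepth) {
        return new BasicPKIXValidationInformation(anchors, crls, maxDepth);
    }

    /**
     * Builds a signing credential from a private key file and an end-entity certificate, with an
     * entity certificate chain consisting of the end-entity certificate plus any additional
     * certificate files given.
     *
     * @param keyFile private key file name relative to {@link #DATA_PATH}
     * @param certFile end-entity certificate file name relative to {@link #DATA_PATH}
     * @param chainFiles additional chain (intermediate) certificate file names
     * @return the populated credential
     */
    private BasicX509Credential buildSigningCredential(String keyFile, String certFile, String... chainFiles) {
        X509Certificate entityCert = getCertificate(certFile);
        BasicX509Credential credential = new BasicX509Credential(entityCert, getPrivateKey(keyFile));
        Collection<X509Certificate> chain = new HashSet<>();
        chain.add(entityCert);
        for (String chainFile : chainFiles) {
            chain.add(getCertificate(chainFile));
        }
        credential.setEntityCertificateChain(chain);
        return credential;
    }

    /**
     * Decodes an unencrypted private key from a test resource.
     *
     * @param keyFile file name relative to {@link #DATA_PATH}
     * @return the decoded key
     * @throws AssertionError (with the underlying cause attached) if the key cannot be read or decoded
     */
    private PrivateKey getPrivateKey(String keyFile) {
        try {
            // Test keys are stored without a password.
            return KeySupport.decodePrivateKey(readResource(keyFile), (char[]) null);
        } catch (Exception e) {
            throw new AssertionError("Could not create private key from file: " + keyFile + ": " + e.getMessage(), e);
        }
    }

    /**
     * Decodes every named certificate file into a set.
     *
     * @param certFiles file names relative to {@link #DATA_PATH}
     * @return the decoded certificates (empty if no names are given)
     */
    private Collection<X509Certificate> getCertificates(String... certFiles) {
        Collection<X509Certificate> certs = new HashSet<>();
        for (String certFile : certFiles) {
            certs.add(getCertificate(certFile));
        }
        return certs;
    }

    /**
     * Decodes the first certificate found in a test resource.
     *
     * @param certFile file name relative to {@link #DATA_PATH}
     * @return the first decoded certificate
     * @throws AssertionError if the file cannot be read, cannot be decoded, or holds no certificate
     */
    private X509Certificate getCertificate(String certFile) {
        try {
            Collection<X509Certificate> certs = X509Support.decodeCertificates(readResource(certFile));
            if (certs == null || certs.isEmpty()) {
                throw new AssertionError("No certificate found in file: " + certFile);
            }
            return certs.iterator().next();
        } catch (Exception e) {
            throw new AssertionError("Could not create certificate from file: " + certFile + ": " + e.getMessage(), e);
        }
    }

    /**
     * Reads a test resource completely into memory, closing the stream afterwards.
     *
     * <p>Reads until end-of-stream rather than trusting {@code InputStream.available()}, which is
     * only an estimate and may under-report for resources served from a jar.
     *
     * @param fileName file name relative to {@link #DATA_PATH}
     * @return the resource bytes
     * @throws IOException if the resource is missing or cannot be read
     */
    private byte[] readResource(String fileName) throws IOException {
        try (InputStream in = getInputStream(fileName)) {
            if (in == null) {
                throw new IOException("Test resource not found: " + DATA_PATH + fileName);
            }
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int count;
            while ((count = in.read(chunk)) != -1) {
                buffer.write(chunk, 0, count);
            }
            return buffer.toByteArray();
        }
    }

    /**
     * Opens a test resource from the classpath.
     *
     * @param fileName file name relative to {@link #DATA_PATH}
     * @return the stream, or {@code null} if the resource does not exist
     */
    private InputStream getInputStream(String fileName) {
        return getClass().getResourceAsStream(DATA_PATH + fileName);
    }
}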
