package org.apache.wss4j.dom.saml;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.util.Loader;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.common.AbstractSAMLCallbackHandler;
import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
import org.apache.wss4j.dom.common.SAML1CallbackHandler;
import org.apache.wss4j.dom.common.SAML2CallbackHandler;
import org.apache.wss4j.dom.common.SOAPUtil;
import org.apache.wss4j.dom.common.SecurityTestUtil;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSAMLToken;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Test;
import org.opensaml.common.SAMLVersion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/wss4j/dom/saml/SamlNegativeTest.class */
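/**
 * Negative tests for SAML token processing in {@link WSSecurityEngine}.
 *
 * <p>Each test builds a SOAP message carrying a SAML assertion that is defective in exactly one
 * way (tampered after signing, unsigned where a signature is required, missing KeyInfo, or signed
 * by an untrusted issuer) and checks that {@link #verify(Document, Crypto)} rejects it with a
 * {@link WSSecurityException}. Catching only that exception type matters: a negative test that
 * accepted any exception could pass because of an unrelated setup error rather than because the
 * engine actually rejected the token.
 *
 * <p>Subject-confirmation validation is switched off in the constructor so that each test
 * exercises only the single defect it introduces.
 */
public class SamlNegativeTest extends Assert {
    private static final Logger LOG = LoggerFactory.getLogger(SamlNegativeTest.class);

    /** Trust store only ({@code keys/wss40CA.jks}); issuer signatures are validated against it. */
    private final Crypto trustCrypto;
    /** Key store only ({@code keys/wss40_server.jks}); used to sign assertions as the issuer. */
    private final Crypto issuerCrypto;
    private final WSSecurityEngine secEngine = new WSSecurityEngine();
    private final CallbackHandler callbackHandler = new KeystoreCallbackHandler();
    /** The message-level signing/decryption crypto handed to the engine as the "user" crypto. */
    private final Crypto userCrypto = CryptoFactory.getInstance("wss40.properties");

    /**
     * Callback handler that produces a SAML 1.1 holder-of-key assertion whose subject carries no
     * KeyInfo: the {@link SubjectBean} is created from name, qualifier and confirmation method only,
     * and the loaded certificates are never attached to it (presumably the inherited
     * {@code createAndSetStatement} does not add them either; confirm against the parent class).
     */
    private static class SAML1HOKNoKeyInfoCallbackHandler extends AbstractSAMLCallbackHandler {
        public SAML1HOKNoKeyInfoCallbackHandler() throws Exception {
            Crypto crypto = CryptoFactory.getInstance("wss40.properties");
            CryptoType lookup = new CryptoType(CryptoType.TYPE.ALIAS);
            lookup.setAlias("wss40");
            this.certs = crypto.getX509Certificates(lookup);
            this.subjectName = "uid=joe,ou=people,ou=saml-demo,o=example.com";
            this.subjectQualifier = "www.example.com";
            this.confirmationMethod = SAML1Constants.CONF_HOLDER_KEY;
        }

        /**
         * Fills every {@link SAMLCallback} with a statement for the configured subject and pins the
         * version to SAML 1.1.
         *
         * @param callbackArr callbacks to populate; each must be a {@link SAMLCallback}
         * @throws UnsupportedCallbackException if any callback is not a {@link SAMLCallback}
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (!(callback instanceof SAMLCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
                }
                SAMLCallback samlCallback = (SAMLCallback) callback;
                // Deliberately no KeyInfo on the subject: that is the defect this handler exists to produce.
                SubjectBean subject = new SubjectBean(this.subjectName, this.subjectQualifier, this.confirmationMethod);
                createAndSetStatement(subject, samlCallback);
                samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
            }
        }
    }

    @AfterClass
    public static void cleanup() throws Exception {
        SecurityTestUtil.cleanup();
    }

    /**
     * Configures the engine and loads the issuer key store and the CA trust store.
     *
     * @throws Exception if a key store cannot be loaded
     */
    public SamlNegativeTest() throws Exception {
        WSSConfig config = WSSConfig.getNewInstance();
        // Each test introduces exactly one defect; subject-confirmation checks would otherwise
        // reject some of these messages for a different reason than the one under test.
        config.setValidateSamlSubjectConfirmation(false);
        this.secEngine.setWssConfig(config);

        ClassLoader loader = Loader.getClassLoader(SamlNegativeTest.class);

        Merlin issuer = new Merlin();
        KeyStore issuerKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // KeyStore.load does not close the stream it reads from.
        try (InputStream in = Merlin.loadInputStream(loader, "keys/wss40_server.jks")) {
            issuerKeyStore.load(in, "security".toCharArray());
        }
        issuer.setKeyStore(issuerKeyStore);
        this.issuerCrypto = issuer;

        Merlin trust = new Merlin();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Merlin.loadInputStream(loader, "keys/wss40CA.jks")) {
            trustStore.load(in, "security".toCharArray());
        }
        // Trust store only: the engine must be able to validate issuer signatures but has no issuer key.
        trust.setTrustStore(trustStore);
        this.trustCrypto = trust;
    }

    /**
     * A SAML 2 sender-vouches assertion is included in a signed message, then altered
     * ({@code MinorVersion="5"} is added) after the signature was produced; the engine must
     * reject the message.
     */
    @Test
    public void testSAML2AuthnAssertionModified() throws Exception {
        SAML2CallbackHandler handler = new SAML2CallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setConfirmationMethod("urn:oasis:names:tc:SAML:2.0:cm:sender-vouches");
        handler.setIssuer("www.example.com");
        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

        WSSecSignatureSAML signer = new WSSecSignatureSAML();
        signer.setKeyIdentifierType(1); // 1 == WSConstants.BST_DIRECT_REFERENCE
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document signedDoc = signer.build(doc, null, assertion, this.userCrypto, "wss40", "security", secHeader);

        // Tamper with the assertion after signing.
        Element assertionElement = (Element) signedDoc.getDocumentElement()
            .getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion").item(0);
        assertionElement.setAttributeNS(null, "MinorVersion", "5");

        if (LOG.isDebugEnabled()) {
            LOG.debug("SAML 2 Authn Assertion (sender vouches):");
            LOG.debug(XMLUtils.PrettyDocumentToString(signedDoc));
        }
        try {
            verify(signedDoc, this.trustCrypto);
            fail("Failure expected on a modified SAML Assertion");
        } catch (WSSecurityException expected) {
            // Only the engine's own rejection counts; any other exception is a test error and propagates.
            LOG.debug("Rejected as expected: {}", expected.getMessage());
        }
    }

    /**
     * A signed SAML 1.1 holder-of-key assertion has the Transform algorithm inside its own
     * XML Signature swapped after signing; signature verification must fail.
     */
    @Test
    public void testSAML1SignedKeyHolderSigModified() throws Exception {
        SAML1CallbackHandler handler = new SAML1CallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
        handler.setIssuer("www.example.com");
        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        assertion.signAssertion("wss40_server", "security", this.issuerCrypto, false);

        WSSecSAMLToken tokenBuilder = new WSSecSAMLToken();
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document signedDoc = tokenBuilder.build(doc, assertion, secHeader);

        // Tamper with the first Transform of the assertion's enveloped signature.
        Element assertionElement = (Element) signedDoc.getDocumentElement()
            .getElementsByTagNameNS("urn:oasis:names:tc:SAML:1.0:assertion", "Assertion").item(0);
        Element signature = (Element) assertionElement
            .getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature").item(0);
        Element transform = (Element) signature
            .getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Transform").item(0);
        transform.setAttributeNS(null, "Algorithm", "http://www.w3.org/2001/10/xml-exc-c14n#");

        if (LOG.isDebugEnabled()) {
            LOG.debug("Signed (modified) SAML message (key holder):");
            LOG.debug(XMLUtils.PrettyDocumentToString(signedDoc));
        }
        try {
            verify(signedDoc, this.trustCrypto);
            fail("Expected failure on a modified signature");
        } catch (WSSecurityException expected) {
            LOG.debug("Rejected as expected: {}", expected.getMessage());
        }
    }

    /**
     * A signed SAML 2 holder-of-key assertion is altered ({@code MinorVersion="5"} is added)
     * after the issuer signed it; signature verification must fail.
     */
    @Test
    public void testSAML2SignedKeyHolderKeyModified() throws Exception {
        SAML2CallbackHandler handler = new SAML2CallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setConfirmationMethod("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
        handler.setIssuer("www.example.com");
        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        assertion.signAssertion("wss40_server", "security", this.issuerCrypto, false);

        WSSecSAMLToken tokenBuilder = new WSSecSAMLToken();
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document signedDoc = tokenBuilder.build(doc, assertion, secHeader);

        // Tamper with the signed assertion.
        Element assertionElement = (Element) signedDoc.getDocumentElement()
            .getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion").item(0);
        assertionElement.setAttributeNS(null, "MinorVersion", "5");

        if (LOG.isDebugEnabled()) {
            LOG.debug("Signed (modified) SAML message (key holder):");
            LOG.debug(XMLUtils.PrettyDocumentToString(signedDoc));
        }
        try {
            verify(signedDoc, this.trustCrypto);
            fail("Expected failure on a modified signature");
        } catch (WSSecurityException expected) {
            LOG.debug("Rejected as expected: {}", expected.getMessage());
        }
    }

    /**
     * A signed SAML 1.1 holder-of-key assertion whose subject has no KeyInfo must be rejected:
     * without a key there is nothing the holder could prove possession of.
     */
    @Test
    public void testHOKNoKeyInfo() throws Exception {
        SAML1HOKNoKeyInfoCallbackHandler handler = new SAML1HOKNoKeyInfoCallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setIssuer("www.example.com");
        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        assertion.signAssertion("wss40_server", "security", this.issuerCrypto, false);

        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document signedDoc = new WSSecSAMLToken().build(doc, assertion, secHeader);

        if (LOG.isDebugEnabled()) {
            LOG.debug("SAML 1.1 Authn Assertion (key holder):");
            LOG.debug(XMLUtils.PrettyDocumentToString(signedDoc));
        }
        try {
            verify(signedDoc, this.trustCrypto);
            fail("Expected failure on a holder-of-key confirmation method with no KeyInfo");
        } catch (WSSecurityException expected) {
            LOG.debug("Rejected as expected: {}", expected.getMessage());
        }
    }

    /**
     * An unsigned SAML 1.1 holder-of-key assertion must be rejected. The issuer signing details
     * are set on the callback only after the wrapper has already been created, so they are not
     * used to sign the assertion, which therefore goes out without a signature.
     */
    @Test
    public void testHOKNotSigned() throws Exception {
        SAML1CallbackHandler handler = new SAML1CallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

        // Set too late on purpose: the wrapper above was built without them and signAssertion is never called.
        samlCallback.setIssuer("www.example.com");
        samlCallback.setIssuerCrypto(this.issuerCrypto);
        samlCallback.setIssuerKeyName("wss40_server");
        samlCallback.setIssuerKeyPassword("security");

        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document unsignedDoc = new WSSecSAMLToken().build(doc, assertion, secHeader);

        if (LOG.isDebugEnabled()) {
            LOG.debug("SAML 1.1 Authn Assertion (unsigned key holder):");
            LOG.debug(XMLUtils.PrettyDocumentToString(unsignedDoc));
        }
        try {
            verify(unsignedDoc, this.trustCrypto);
            fail("Expected failure on an unsigned assertion with holder-of-key confirmation method");
        } catch (WSSecurityException expected) {
            LOG.debug("Rejected as expected: {}", expected.getMessage());
        }
    }

    /**
     * A SAML 2 holder-of-key assertion signed with a key from {@code crypto.properties} — one the
     * wss40CA trust store is not expected to chain to — is embedded in a correctly signed message.
     * A valid message signature must not rescue an assertion from an untrusted issuer.
     */
    @Test
    public void testSAML2TrustFailure() throws Exception {
        SAML2CallbackHandler handler = new SAML2CallbackHandler();
        handler.setStatement(AbstractSAMLCallbackHandler.Statement.AUTHN);
        handler.setConfirmationMethod("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key");
        handler.setIssuer("www.example.com");
        SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(handler, samlCallback);
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        // Signed by an issuer outside the trust store loaded in the constructor.
        assertion.signAssertion("16c73ab6-b892-458f-abf5-2f875f74882e", "security",
            CryptoFactory.getInstance("crypto.properties"), false);

        WSSecSignatureSAML signer = new WSSecSignatureSAML();
        signer.setUserInfo("wss40", "security");
        signer.setDigestAlgo("http://www.w3.org/2001/04/xmlenc#sha256");
        signer.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        signer.setKeyIdentifierType(1); // 1 == WSConstants.BST_DIRECT_REFERENCE
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        Document signedDoc = signer.build(doc, this.userCrypto, assertion, null, null, null, secHeader);

        if (LOG.isDebugEnabled()) {
            LOG.debug("Untrusted signed SAML 2 Authn Assertion (key holder):");
            LOG.debug(XMLUtils.PrettyDocumentToString(signedDoc));
        }
        try {
            verify(signedDoc, this.trustCrypto);
            fail("Failure expected on an untrusted signed assertion");
        } catch (WSSecurityException expected) {
            LOG.debug("Rejected as expected: {}", expected.getMessage());
        }
    }

    /**
     * Runs the security engine over {@code document} and checks that the sample body element is
     * still present afterwards.
     *
     * @param document the SOAP document to process (processed in place)
     * @param crypto   the crypto used to validate token signatures; tests pass {@link #trustCrypto}
     * @return the engine results, in processing order
     * @throws Exception if the engine rejects the security header (normally a {@link WSSecurityException})
     */
    private List<WSSecurityEngineResult> verify(Document document, Crypto crypto) throws Exception {
        List<WSSecurityEngineResult> results =
            this.secEngine.processSecurityHeader(document, (String) null, this.callbackHandler, crypto, this.userCrypto);
        // Sanity check that processing left the sample body in place.
        assertTrue(XMLUtils.PrettyDocumentToString(document).indexOf("counter_port_type") > 0);
        return results;
    }
}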
