package com.sun.identity.wsfederation.meta;

import com.sun.identity.saml.xmlsig.AMSignatureProvider;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml.xmlsig.OfflineResolver;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.locale.Locale;
import com.sun.identity.shared.xml.XPathAPI;
import com.sun.identity.wsfederation.jaxb.entityconfig.AttributeType;
import com.sun.identity.wsfederation.jaxb.entityconfig.BaseConfigType;
import com.sun.identity.wsfederation.jaxb.entityconfig.FederationConfigElement;
import com.sun.identity.wsfederation.jaxb.entityconfig.IDPSSOConfigElement;
import com.sun.identity.wsfederation.jaxb.entityconfig.ObjectFactory;
import com.sun.identity.wsfederation.jaxb.entityconfig.SPSSOConfigElement;
import com.sun.identity.wsfederation.jaxb.wsfederation.FederationElement;
import com.sun.identity.wsfederation.jaxb.wsfederation.TokenSigningKeyInfoElement;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.xml.bind.JAXBException;
import org.apache.xml.security.Init;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:com/sun/identity/wsfederation/meta/WSFederationMetaSecurityUtils.class */
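/**
 * Signature and key-material helpers for WS-Federation metadata documents.
 *
 * <p>Trust model implemented by {@link #verifySignature(Document)}: the verification
 * certificate is taken from the document itself (the {@code ds:KeyInfo} of the
 * signature, or a sibling {@code KeyDescriptor use="signing"}). It is only accepted
 * if {@code com.sun.identity.saml.checkcert} is on (the default) AND the local
 * {@link KeyProvider} knows an alias for that exact certificate. With checkcert
 * turned off, any certificate embedded in the document is accepted as the
 * verification key, which makes the signature self-attesting; do not disable it
 * for metadata received from remote parties.
 *
 * <p>This class only checks the signature value. It does not verify which element
 * the {@code ds:Reference} covers, and a document carrying no signature at all is
 * accepted without error. Callers that need "the descriptor is signed by a trusted
 * party" must enforce both of those themselves.
 *
 * <p>Static state (key provider, keystore, checkcert flag) is initialised lazily and
 * under the class monitor so concurrent first callers see one consistent set-up.
 */
public final class WSFederationMetaSecurityUtils {
    private static Debug debug = WSFederationMetaUtils.debug;
    private static KeyProvider keyProvider = null;
    private static KeyStore keyStore = null;
    /** Whether the signing certificate must be present in the local keystore. Fail-closed default. */
    private static boolean checkCert = true;
    private static boolean keyProviderInitialized = false;

    public static final String NS_META = "http://schemas.xmlsoap.org/ws/2006/12/federation";
    public static final String NS_XMLSIG = "http://www.w3.org/2000/09/xmldsig#";
    public static final String NS_XMLENC = "http://www.w3.org/2001/04/xmlenc#";
    public static final String PREFIX_XMLSIG = "ds";
    public static final String PREFIX_XMLENC = "xenc";
    public static final String TAG_KEY_INFO = "KeyInfo";
    public static final String TAG_KEY_DESCRIPTOR = "KeyDescriptor";
    public static final String TAG_SP_SSO_DESCRIPTOR = "SPSSODescriptor";
    public static final String TAG_IDP_SSO_DESCRIPTOR = "IDPSSODescriptor";
    public static final String ATTR_USE = "use";
    public static final String ATTR_ID = "ID";

    /** System property controlling whether embedded certificates must map to a keystore alias. */
    private static final String CHECKCERT_PROPERTY = "com.sun.identity.saml.checkcert";
    /** WS-Security SecurityTokenReference namespace used when emitting TokenSigningKeyInfo. */
    private static final String NS_WSSE =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Serialised tag names rewrapped by {@link #formatBase64BinaryElement(String)}. */
    private static final String X509_OPEN_TAG = "<ds:X509Certificate>";
    private static final String X509_CLOSE_TAG = "</ds:X509Certificate>";
    /** Line width used when re-flowing Base64 certificate text. */
    private static final int BASE64_LINE_WIDTH = 76;
    /** Extended-config attribute that records the signing certificate alias. */
    private static final String ATTR_SIGNING_CERT_ALIAS = "signingCertAlias";

    private WSFederationMetaSecurityUtils() {
    }

    /**
     * Lazily initialises the XML-Security library, the key provider / keystore and the
     * checkcert flag. Synchronised so that two threads racing on first use cannot observe
     * {@code keyProviderInitialized == true} with the provider fields still unset.
     * Any failure reading the checkcert property leaves certificate checking ON.
     */
    private static synchronized void initializeKeyStore() {
        if (keyProviderInitialized) {
            return;
        }
        Init.init();
        keyProvider = KeyUtil.getKeyProviderInstance();
        if (keyProvider != null) {
            keyStore = keyProvider.getKeyStore();
        }
        try {
            String value = SystemPropertiesManager.get(CHECKCERT_PROPERTY, "on");
            checkCert = value.trim().equalsIgnoreCase("on");
        } catch (Exception e) {
            // Fail closed: an unreadable property must not silently disable certificate checks.
            checkCert = true;
        }
        keyProviderInitialized = true;
    }

    /**
     * Signing of WS-Federation metadata is not implemented in this build.
     *
     * @return always {@code null}; callers must be prepared for that.
     */
    public static Document sign(FederationElement federationElement, SPSSOConfigElement sPSSOConfigElement,
            IDPSSOConfigElement iDPSSOConfigElement) throws JAXBException, WSFederationMetaException {
        return null;
    }

    /**
     * Verifies every {@code ds:Signature} found anywhere in {@code document}.
     *
     * <p>For each signature the verification certificate is located in the signature's own
     * {@code ds:KeyInfo}, or failing that in the following-sibling {@code KeyDescriptor}
     * with {@code use="signing"}. The certificate is then required (unless checkcert is
     * off) to map to an alias in the configured key provider, and finally the signature
     * value is checked against its public key.
     *
     * <p>A document containing no signature returns normally; only the signature value is
     * verified, not what the signature's Reference covers.
     *
     * @param document parsed metadata document
     * @throws WSFederationMetaException with key {@code verify_no_cert} when no certificate can
     *         be located, {@code untrusted_cert} when the certificate is not in the keystore,
     *         {@code verify_fail} when the cryptographic check fails or the XML-Security
     *         library throws, and a wrapped exception for XPath/context failures.
     */
    public static void verifySignature(Document document) throws WSFederationMetaException {
        try {
            NodeList signatures = XPathAPI.selectNodeList(document, "//ds:Signature",
                    AMSignatureProvider.createDSctx(document, PREFIX_XMLSIG, NS_XMLSIG));
            int count = signatures.getLength();
            if (debug.messageEnabled()) {
                debug.message("WSFederationMetaSecurityUtils.verifySignature: # of signatures = " + count);
            }
            if (count == 0) {
                // Unsigned documents are accepted here; requiring a signature is the caller's policy.
                return;
            }
            initializeKeyStore();
            for (int i = 0; i < count; i++) {
                Element sigElement = (Element) signatures.item(i);
                String parentName = sigElement.getParentNode().getLocalName();
                Object[] msgArgs = {parentName};
                if (debug.messageEnabled()) {
                    debug.message("WSFederationMetaSecurityUtils.verifySignature: verifying signature under "
                            + parentName);
                }
                try {
                    XMLSignature signature = new XMLSignature(sigElement, "");
                    // NOTE(review): OfflineResolver presumably keeps Reference resolution local
                    // instead of fetching remote URIs — confirm against its implementation.
                    signature.addResourceResolver(new OfflineResolver());

                    X509Certificate cert = certificateFromKeyInfo(signature.getKeyInfo());
                    if (cert == null) {
                        if (debug.messageEnabled()) {
                            debug.message(
                                    "WSFederationMetaSecurityUtils.verifySignature: try to find cert in KeyDescriptor");
                        }
                        cert = certificateFromKeyDescriptor(sigElement);
                    }
                    if (cert == null) {
                        throw new WSFederationMetaException("verify_no_cert", msgArgs);
                    }
                    // The certificate came from the (as yet unverified) document; it is trusted only
                    // if the local key provider already holds it under some alias.
                    if (checkCert && (keyProvider == null || keyProvider.getCertificateAlias(cert) == null)) {
                        throw new WSFederationMetaException("untrusted_cert", msgArgs);
                    }
                    if (!signature.checkSignatureValue(cert.getPublicKey())) {
                        throw new WSFederationMetaException("verify_fail", msgArgs);
                    }
                } catch (WSFederationMetaException e) {
                    throw e;
                } catch (Exception e) {
                    debug.error("WSFederationMetaSecurityUtils.verifySignature: ", e);
                    throw new WSFederationMetaException(
                            Locale.getString(WSFederationMetaUtils.bundle, "verify_fail", msgArgs)
                            + "\n" + e.getMessage());
                }
            }
        } catch (WSFederationMetaException e) {
            // Already carries its message key; do not re-wrap it into a generic exception.
            throw e;
        } catch (Exception e) {
            debug.error("WSFederationMetaSecurityUtils.verifySignature: ", e);
            throw new WSFederationMetaException(e);
        }
    }

    /**
     * Extracts the X.509 certificate from a {@code ds:KeyInfo}, resolving against the
     * configured keystore when one is available.
     *
     * @return the certificate, or {@code null} when {@code keyInfo} is null or carries no X509Data
     * @throws Exception the XML-Security library's checked exceptions; folded into
     *         {@code verify_fail} by the caller
     */
    private static X509Certificate certificateFromKeyInfo(KeyInfo keyInfo) throws Exception {
        if (keyInfo == null || !keyInfo.containsX509Data()) {
            return null;
        }
        if (keyStore != null) {
            keyInfo.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
        }
        return keyInfo.getX509Certificate();
    }

    /**
     * Fallback certificate lookup: the first following-sibling {@code KeyDescriptor} of the
     * signature element, provided it is marked {@code use="signing"}, is scanned for a
     * {@code ds:KeyInfo} child.
     *
     * <p>Iterates with a plain bounded loop; the previous implementation never advanced its
     * index on element children and could spin forever on a KeyDescriptor whose first child
     * was an element.
     *
     * @return the certificate, or {@code null} if no suitable KeyDescriptor/KeyInfo exists
     * @throws Exception XPath or XML-Security checked exceptions; folded by the caller
     */
    private static X509Certificate certificateFromKeyDescriptor(Element sigElement) throws Exception {
        String xpath = "following-sibling::*[local-name()=\"" + TAG_KEY_DESCRIPTOR
                + "\" and namespace-uri()=\"" + NS_META + "\"]";
        Node descriptorNode = XPathAPI.selectSingleNode(sigElement, xpath);
        if (descriptorNode == null) {
            return null;
        }
        Element keyDescriptor = (Element) descriptorNode;
        if (!"signing".equals(keyDescriptor.getAttributeNS(null, ATTR_USE))) {
            return null;
        }
        NodeList children = keyDescriptor.getChildNodes();
        for (int j = 0; j < children.getLength(); j++) {
            Node child = children.item(j);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            if (TAG_KEY_INFO.equals(child.getLocalName()) && NS_XMLSIG.equals(child.getNamespaceURI())) {
                return certificateFromKeyInfo(new KeyInfo((Element) child, ""));
            }
        }
        return null;
    }

    /**
     * Re-flows the Base64 text of every serialised {@code <ds:X509Certificate>} element onto
     * 76-column lines, placing the closing tag on its own line with the same indentation as
     * the opening tag. Everything outside those elements is copied through unchanged.
     *
     * <p>An opening tag with no matching closing tag terminates rewrapping and the remainder
     * of the input is appended verbatim (previously this threw
     * {@code StringIndexOutOfBoundsException}).
     *
     * @param str serialised XML text
     * @return the re-flowed text
     */
    public static String formatBase64BinaryElement(String str) {
        int length = str.length();
        StringBuilder out = new StringBuilder(length + 100);
        int copiedUpTo = 0;
        int openAt = str.indexOf(X509_OPEN_TAG);
        while (openAt != -1) {
            int closeAt = str.indexOf(X509_CLOSE_TAG, openAt);
            if (closeAt == -1) {
                // Unterminated element: stop rewrapping rather than index past the end.
                break;
            }
            out.append(str, copiedUpTo, openAt);
            String base64 = str.substring(openAt + X509_OPEN_TAG.length(), closeAt);
            int base64Length = base64.length();
            out.append(X509_OPEN_TAG).append('\n');
            int pos = 0;
            while (pos < base64Length - BASE64_LINE_WIDTH) {
                out.append(base64, pos, pos + BASE64_LINE_WIDTH).append('\n');
                pos += BASE64_LINE_WIDTH;
            }
            // Reuse the leading whitespace of the line holding the opening tag for the closing tag.
            String indent = str.substring(str.lastIndexOf('\n', openAt) + 1, openAt);
            out.append(base64, pos, base64Length).append('\n').append(indent).append(X509_CLOSE_TAG);
            copiedUpTo = closeAt + X509_CLOSE_TAG.length();
            openAt = str.indexOf(X509_OPEN_TAG, copiedUpTo);
        }
        out.append(str, copiedUpTo, length);
        return out.toString();
    }

    /**
     * Looks up the certificate stored under {@code alias} in the key provider and returns
     * its DER encoding as Base64.
     *
     * @param alias keystore alias; blank or null yields {@code null}
     * @return Base64 (with line breaks) of the certificate's encoded form
     * @throws WSFederationMetaException key {@code invalid_cert_alias} when no key provider is
     *         available, the alias is unknown, or the certificate cannot be encoded
     */
    public static String buildX509Certificate(String alias) throws WSFederationMetaException {
        if (alias == null || alias.trim().length() == 0) {
            return null;
        }
        KeyProvider provider = KeyUtil.getKeyProviderInstance();
        X509Certificate cert = (provider == null) ? null : provider.getX509Certificate(alias);
        if (cert != null) {
            try {
                return Base64.encode(cert.getEncoded(), true);
            } catch (Exception e) {
                if (debug.messageEnabled()) {
                    debug.message("WSFederationMetaSecurityUtils.buildX509Certificate: ", e);
                }
            }
        }
        throw new WSFederationMetaException("invalid_cert_alias", new Object[]{alias});
    }

    /**
     * Replaces (or, for a blank alias, removes) the signing certificate of a hosted entity:
     * the {@code TokenSigningKeyInfo} in its federation descriptor and the
     * {@code signingCertAlias} extended attribute in its IDP or SP configuration.
     *
     * @param realm      realm of the entity
     * @param entityId   entity identifier
     * @param certAlias  keystore alias of the new signing certificate; null/empty removes it
     * @param isIDP      {@code true} to update the IDP configuration, {@code false} for the SP
     * @throws WSFederationMetaException {@code entityNotHosted} when the entity is remote,
     *         {@code entityNotIDP}/{@code entityNotSP} when the requested role is absent, or
     *         {@code invalid_cert_alias} when the alias is not in the keystore
     */
    public static void updateProviderKeyInfo(String realm, String entityId, String certAlias, boolean isIDP)
            throws WSFederationMetaException {
        WSFederationMetaManager metaManager = new WSFederationMetaManager();
        FederationConfigElement entityConfig = metaManager.getEntityConfig(realm, entityId);
        // NOTE(review): a missing entity config still surfaces as a NullPointerException here,
        // as in the original; there is no dedicated message key for that case.
        if (!entityConfig.isHosted()) {
            // Only locally hosted entities may have their key material rewritten.
            throw new WSFederationMetaException("entityNotHosted", new String[]{entityId, realm});
        }
        FederationElement descriptor = metaManager.getEntityDescriptor(realm, entityId);
        if (isIDP) {
            IDPSSOConfigElement idpConfig = metaManager.getIDPSSOConfig(realm, entityId);
            if (idpConfig == null || descriptor == null) {
                throw new WSFederationMetaException("entityNotIDP", new String[]{entityId, realm});
            }
            applySigningCertAlias(descriptor, idpConfig, certAlias);
        } else {
            SPSSOConfigElement spConfig = metaManager.getSPSSOConfig(realm, entityId);
            if (spConfig == null || descriptor == null) {
                throw new WSFederationMetaException("entityNotSP", new String[]{entityId, realm});
            }
            applySigningCertAlias(descriptor, spConfig, certAlias);
        }
        metaManager.setFederation(realm, descriptor);
        metaManager.setEntityConfig(realm, entityConfig);
    }

    /**
     * Shared body of the IDP and SP branches of {@link #updateProviderKeyInfo}: sets or clears
     * the descriptor's {@code TokenSigningKeyInfo} and the config's {@code signingCertAlias}.
     */
    private static void applySigningCertAlias(FederationElement descriptor, BaseConfigType config,
            String certAlias) throws WSFederationMetaException {
        if (certAlias == null || certAlias.length() == 0) {
            removeKeyDescriptor(descriptor);
            setExtendedAttributeValue(config, ATTR_SIGNING_CERT_ALIAS, null);
            return;
        }
        updateKeyDescriptor(descriptor, getKeyDescriptor(certAlias));
        Set aliases = new HashSet();
        aliases.add(certAlias);
        setExtendedAttributeValue(config, ATTR_SIGNING_CERT_ALIAS, aliases);
    }

    /**
     * Drops every existing {@code TokenSigningKeyInfo} from the descriptor and inserts the
     * new one at position 0.
     */
    private static void updateKeyDescriptor(FederationElement descriptor, TokenSigningKeyInfoElement keyInfo) {
        removeKeyDescriptor(descriptor);
        descriptor.getAny().add(0, keyInfo);
    }

    /** Removes every {@code TokenSigningKeyInfo} child from the descriptor. */
    private static void removeKeyDescriptor(FederationElement descriptor) {
        Iterator it = descriptor.getAny().iterator();
        while (it.hasNext()) {
            if (it.next() instanceof TokenSigningKeyInfoElement) {
                it.remove();
            }
        }
    }

    /**
     * Replaces the extended attribute named {@code attrName} (compared case-insensitively,
     * ignoring surrounding whitespace) with the given values; a {@code null} set removes it.
     * Attributes without a name are skipped instead of raising a NullPointerException.
     */
    private static void setExtendedAttributeValue(BaseConfigType config, String attrName, Set values)
            throws WSFederationMetaException {
        try {
            Iterator it = config.getAttribute().iterator();
            while (it.hasNext()) {
                String name = ((AttributeType) it.next()).getName();
                if (name != null && name.trim().equalsIgnoreCase(attrName)) {
                    it.remove();
                }
            }
            if (values != null) {
                AttributeType attribute = new ObjectFactory().createAttributeType();
                attribute.setName(attrName);
                attribute.getValue().addAll(values);
                config.getAttribute().add(attribute);
            }
        } catch (JAXBException e) {
            throw new WSFederationMetaException((Throwable) e);
        }
    }

    /**
     * Builds a {@code TokenSigningKeyInfo} element wrapping the certificate stored under
     * {@code alias}. The only dynamic content is the Base64 produced by
     * {@link #buildX509Certificate(String)}, so no XML escaping is needed.
     *
     * @throws WSFederationMetaException when the alias is invalid or the XML cannot be unmarshalled
     */
    private static TokenSigningKeyInfoElement getKeyDescriptor(String alias) throws WSFederationMetaException {
        try {
            String certificate = buildX509Certificate(alias);
            StringBuilder xml = new StringBuilder(4000);
            xml.append("<TokenSigningKeyInfo xmlns=\"").append(NS_META).append("\">\n");
            xml.append("<SecurityTokenReference xmlns=\"").append(NS_WSSE).append("\">\n");
            xml.append("<X509Data xmlns=\"").append(NS_XMLSIG).append("\">\n");
            xml.append("<X509Certificate>\n").append(certificate).append("</X509Certificate>\n");
            xml.append("</X509Data>\n");
            xml.append("</SecurityTokenReference>\n");
            xml.append("</TokenSigningKeyInfo>\n");
            return (TokenSigningKeyInfoElement) WSFederationMetaUtils.convertStringToJAXB(xml.toString());
        } catch (JAXBException e) {
            throw new WSFederationMetaException((Throwable) e);
        }
    }
}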
