package com.sun.identity.saml2.common;

import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.encode.URLEncDec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Set;
import java.util.StringTokenizer;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.JCEMapper;

/* loaded from: input_file:com/sun/identity/saml2/common/QuerySignatureUtil.class */
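/**
 * Signs and verifies SAML 2.0 HTTP-Redirect binding query strings.
 *
 * <p>The signed data is the query string consisting of {@code SAMLRequest} or
 * {@code SAMLResponse}, an optional {@code RelayState}, and {@code SigAlg}, joined
 * by {@code &} in that order. The {@code Signature} parameter carries the
 * URL-encoded, Base64-encoded raw signature over those bytes.
 *
 * <p>This class is stateless; all methods are safe to call from multiple threads.
 */
public class QuerySignatureUtil {
    private static final String SIGNATURE = "Signature";
    private static final String SAML_REQUEST = "SAMLRequest";
    private static final String SAML_RESPONSE = "SAMLResponse";
    private static final String RELAY_STATE = "RelayState";

    // Algorithm URIs used when the corresponding system property is not set.
    private static final String DEFAULT_RSA_SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String DEFAULT_DSA_SIG_ALG = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    private static final String DEFAULT_EC_SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";

    static {
        // Initialises the Santuario algorithm registry that JCEMapper consults.
        Init.init();
    }

    private QuerySignatureUtil() {
    }

    /**
     * Signs a query string with the given private key.
     *
     * <p>The {@code SigAlg} parameter is appended to the input (after a separating
     * {@code &} if the input does not already end with one), the result is signed,
     * and the {@code Signature} parameter is appended last.
     *
     * @param queryString the URL-encoded query string to sign; must be non-empty
     * @param privateKey the signing key; its algorithm (RSA, DSA or EC) selects the
     *     signature algorithm URI via the matching {@link SAML2Constants} system property
     * @return the input query string extended with {@code SigAlg} and {@code Signature}
     * @throws SAML2Exception if an input is null or empty, the key algorithm is not
     *     supported, the JCE rejects the key or algorithm, or an empty signature is produced
     */
    public static String sign(String queryString, PrivateKey privateKey) throws SAML2Exception {
        if (queryString == null || queryString.isEmpty() || privateKey == null) {
            SAML2Utils.debug.error("QuerySignatureUtil.sign: Either input query string or private key is null.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullInput"));
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("QuerySignatureUtil.sign: Input query string:\n" + queryString);
        }
        String sigAlgUri = signatureAlgorithmFor(privateKey);

        // SigAlg must be the last parameter covered by the signature.
        StringBuilder toSign = new StringBuilder(queryString);
        if (queryString.charAt(queryString.length() - 1) != '&') {
            toSign.append('&');
        }
        toSign.append("SigAlg=").append(URLEncDec.encode(sigAlgUri));
        String signedData = toSign.toString();
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("QuerySignatureUtil.sign: Final string to be signed:\n" + signedData);
        }

        try {
            Signature signature = Signature.getInstance(JCEMapper.translateURItoJCEID(sigAlgUri));
            signature.initSign(privateKey);
            // Explicit charset: the signed bytes must not depend on the platform default,
            // and the verifier (possibly another JVM) must derive the same bytes.
            signature.update(signedData.getBytes(StandardCharsets.UTF_8));
            byte[] rawSignature = signature.sign();
            if (rawSignature == null || rawSignature.length == 0) {
                SAML2Utils.debug.error("QuerySignatureUtil.sign: Generated signature is null");
                throw new SAML2Exception(SAML2Utils.bundle.getString("nullSigGenerated"));
            }
            String signedQuery = signedData + "&" + SIGNATURE + "=" + URLEncDec.encode(Base64.encode(rawSignature));
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("QuerySignatureUtil.sign: Signed query string:\n" + signedQuery);
            }
            return signedQuery;
        } catch (GeneralSecurityException e) {
            // Covers NoSuchAlgorithmException from getInstance as well as key/signing failures.
            throw new SAML2Exception(e);
        }
    }

    /**
     * Resolves the signature algorithm URI to use for a private key.
     *
     * @param privateKey the signing key
     * @return the configured (or default) algorithm URI for the key's algorithm
     * @throws SAML2Exception if the key algorithm is not RSA, DSA or EC
     */
    private static String signatureAlgorithmFor(PrivateKey privateKey) throws SAML2Exception {
        // String.valueOf maps a null algorithm name to "null", which falls through to the
        // unsupported branch instead of throwing NullPointerException.
        String keyAlgorithm = String.valueOf(privateKey.getAlgorithm());
        switch (keyAlgorithm) {
            case "RSA":
                return SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_RSA, DEFAULT_RSA_SIG_ALG);
            case "DSA":
                return SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_DSA, DEFAULT_DSA_SIG_ALG);
            case "EC":
                return SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_EC, DEFAULT_EC_SIG_ALG);
            default:
                SAML2Utils.debug.error("QuerySignatureUtil.sign: Private Key algorithm not supported: " + keyAlgorithm);
                throw new SAML2Exception(SAML2Utils.bundle.getString("algorithmNotSupported"));
        }
    }

    /**
     * Verifies the signature of a query string against a set of trusted certificates.
     *
     * <p>The query string is untrusted input. The signed data is rebuilt from the
     * {@code SAMLRequest}/{@code SAMLResponse}, {@code RelayState} and {@code SigAlg}
     * parameters in the order mandated by the HTTP-Redirect binding, so it does not
     * matter in which order they were received. Each of these parameters may appear at
     * most once; a duplicate is rejected because the verified value would otherwise be
     * ambiguous relative to the value the application goes on to consume.
     *
     * <p>The algorithm named by {@code SigAlg} is only restricted to the "Signature"
     * algorithm class known to {@link JCEMapper}; it is not restricted to a configured
     * allow-list here. NOTE(review): callers that need to refuse weak algorithms must
     * check the {@code SigAlg} value themselves — confirm whether that is done upstream.
     *
     * @param queryString the URL-encoded query string received, including
     *     {@code SigAlg} and {@code Signature}
     * @param certificates the trusted certificates; the signature is accepted if any
     *     one of them verifies it
     * @return {@code true} if one of the certificates verifies the signature,
     *     {@code false} if none does
     * @throws SAML2Exception if an input is null or empty, a required parameter is
     *     missing, empty or duplicated, the algorithm is not a supported signature
     *     algorithm, or every verification attempt failed with a JCE error
     */
    public static boolean verify(String queryString, Set<X509Certificate> certificates) throws SAML2Exception {
        if (queryString == null || queryString.isEmpty() || certificates == null || certificates.isEmpty()) {
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Input query string or certificate is null");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullInput"));
        }
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("QuerySignatureUtil.verify: Query string to be verifed:\n" + queryString);
        }

        // Each token is "name=value" as received (still URL-encoded).
        String samlRequest = null;
        String samlResponse = null;
        String relayState = null;
        String sigAlg = null;
        String sigValue = null;
        StringTokenizer tokens = new StringTokenizer(queryString, "&");
        while (tokens.hasMoreTokens()) {
            String param = tokens.nextToken();
            if (isParam(param, SAML_REQUEST)) {
                samlRequest = single(samlRequest, param, SAML_REQUEST);
            } else if (isParam(param, SAML_RESPONSE)) {
                samlResponse = single(samlResponse, param, SAML_RESPONSE);
            } else if (isParam(param, RELAY_STATE)) {
                relayState = single(relayState, param, RELAY_STATE);
            } else if (isParam(param, SAML2Constants.SIG_ALG)) {
                sigAlg = single(sigAlg, param, SAML2Constants.SIG_ALG);
            } else if (isParam(param, SIGNATURE)) {
                sigValue = single(sigValue, param, SIGNATURE);
            }
        }

        if (sigAlg == null) {
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Null SigAlg query parameter.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSigAlg"));
        }
        if (sigValue == null) {
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Null Signature query parameter.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSig"));
        }
        if (samlRequest == null && samlResponse == null) {
            // Without a message parameter there is nothing meaningful for the signature
            // to cover; do not fall through to verifying the literal text "null".
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Neither SAMLRequest nor SAMLResponse query parameter present.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullInput"));
        }

        // Rebuild the signed data in binding order: message, optional RelayState, SigAlg.
        StringBuilder signedData = new StringBuilder(samlRequest != null ? samlRequest : samlResponse);
        if (relayState != null) {
            signedData.append('&').append(relayState);
        }
        signedData.append('&').append(sigAlg);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("QuerySignatureUtil.verify: Query string to be verifed (re-arranged):\n" + signedData);
        }

        String encodedSigAlg = parameterValue(sigAlg);
        if (encodedSigAlg.isEmpty()) {
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Null SigAlg query parameter value.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSigAlg"));
        }
        String sigAlgUri = URLEncDec.decode(encodedSigAlg);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("QuerySignatureUtil.verify: SigAlg query parameter value: " + sigAlgUri);
        }

        String encodedSignature = parameterValue(sigValue);
        if (encodedSignature.isEmpty()) {
            SAML2Utils.debug.message("QuerySignatureUtil.verify: Null Signature query parameter value.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSig"));
        }
        String base64Signature = URLEncDec.decode(encodedSignature);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("QuerySignatureUtil.verify: Signature query parameter value:\n" + base64Signature);
        }
        byte[] rawSignature = Base64.decode(base64Signature);
        if (rawSignature == null || rawSignature.length == 0) {
            // Malformed Base64 must be reported as a missing signature, not reach the JCE as null.
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Signature query parameter value is not valid Base64.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSig"));
        }

        // Only URIs that Santuario classifies as signature algorithms are acceptable;
        // this also rejects unknown URIs, for which the class lookup yields null.
        if (!SIGNATURE.equals(JCEMapper.getAlgorithmClassFromURI(sigAlgUri))) {
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Signature algorithm " + sigAlgUri + " is not supported.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("algNotSupported"));
        }
        try {
            Signature signature = Signature.getInstance(JCEMapper.translateURItoJCEID(sigAlgUri));
            // Same charset as sign(): the verified bytes must not depend on the platform default.
            return isValidSignature(signature, certificates,
                    signedData.toString().getBytes(StandardCharsets.UTF_8), rawSignature);
        } catch (NoSuchAlgorithmException e) {
            throw new SAML2Exception(e);
        }
    }

    /**
     * Tests whether a {@code name=value} token belongs to the named parameter.
     * Matching on {@code name=} rather than on {@code name} alone keeps a parameter
     * whose name merely starts with {@code name} from being mistaken for it.
     */
    private static boolean isParam(String token, String name) {
        return token.startsWith(name + "=");
    }

    /**
     * Returns {@code current} if {@code previous} is null, otherwise rejects the
     * duplicate occurrence of the named parameter.
     *
     * @throws SAML2Exception if the parameter was already seen
     */
    private static String single(String previous, String current, String name) throws SAML2Exception {
        if (previous != null) {
            SAML2Utils.debug.error("QuerySignatureUtil.verify: Duplicate " + name + " query parameter.");
            throw new SAML2Exception("QuerySignatureUtil.verify: duplicate query parameter " + name);
        }
        return current;
    }

    /** Returns the text after the first {@code =} of a {@code name=value} token (empty if none). */
    private static String parameterValue(String token) {
        return token.substring(token.indexOf('=') + 1);
    }

    /**
     * Tries each certificate in turn until one verifies the signature.
     *
     * <p>A JCE failure for one certificate (for example a key that does not match the
     * algorithm) is logged and the remaining certificates are still tried. If no
     * certificate verifies the signature and at least one attempt failed with an
     * exception, the first such exception is reported; otherwise {@code false} is returned.
     *
     * @param signature a {@link Signature} instance for the agreed algorithm; it is
     *     re-initialised for every certificate
     * @param certificates candidate verification certificates
     * @param signedData the bytes the signature is expected to cover
     * @param rawSignature the decoded signature bytes
     * @return {@code true} if any certificate verifies the signature
     * @throws SAML2Exception wrapping the first JCE failure if no certificate verified
     */
    private static boolean isValidSignature(Signature signature, Set<X509Certificate> certificates,
            byte[] signedData, byte[] rawSignature) throws SAML2Exception {
        GeneralSecurityException firstFailure = null;
        for (X509Certificate certificate : certificates) {
            try {
                signature.initVerify(certificate);
                signature.update(signedData);
                // verify() is inside the try: it throws SignatureException, and must not
                // run against an object whose initVerify() just failed.
                if (signature.verify(rawSignature)) {
                    return true;
                }
            } catch (InvalidKeyException | SignatureException e) {
                SAML2Utils.debug.warning("QuerySignatureUtil.isValidSignature: Signature validation failed due to " + e);
                if (firstFailure == null) {
                    firstFailure = e;
                }
            }
        }
        if (firstFailure != null) {
            throw new SAML2Exception(firstFailure);
        }
        return false;
    }
}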
