package org.apache.cxf.rs.security.saml.sso;

import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.rs.security.common.RSSecurityUtils;
import org.apache.cxf.rs.security.xml.EncryptionUtils;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SignatureTrustValidator;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-rs-security-sso-saml-3.4.1.jar:org/apache/cxf/rs/security/saml/sso/SAMLProtocolResponseValidator.class */
public class SAMLProtocolResponseValidator {
    public static final String SAML2_STATUSCODE_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    public static final String SAML1_STATUSCODE_SUCCESS = "Success";
    private static final Logger LOG = LogUtils.getL7dLogger(SAMLProtocolResponseValidator.class);
    private Validator signatureValidator = new SignatureTrustValidator();
    private boolean keyInfoMustBeAvailable = true;
    private int futureTTL = 60;

    public void validateSamlResponse(Response response, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null) {
            LOG.warning("Either the SAML Response Status or StatusCode is null");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (!"urn:oasis:names:tc:SAML:2.0:status:Success".equals(response.getStatus().getStatusCode().getValue())) {
            LOG.warning("SAML Status code of " + response.getStatus().getStatusCode().getValue() + "does not equal urn:oasis:names:tc:SAML:2.0:status:Success");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (response.getIssueInstant() != null) {
            if (response.getIssueInstant().isAfter(new DateTime().plusSeconds(this.futureTTL))) {
                LOG.warning("SAML Response IssueInstant not met");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        }
        if (SAMLVersion.VERSION_20 != response.getVersion()) {
            LOG.warning("SAML Version of " + response.getVersion() + "does not equal " + SAMLVersion.VERSION_20);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        validateResponseSignature(response, crypto, callbackHandler);
        Document ownerDocument = response.getDOM().getOwnerDocument();
        Iterator<EncryptedAssertion> it = response.getEncryptedAssertions().iterator();
        while (it.hasNext()) {
            response.getAssertions().add(new SamlAssertionWrapper(decryptAssertion(it.next(), crypto, callbackHandler)).getSaml2());
        }
        Iterator<Assertion> it2 = response.getAssertions().iterator();
        while (it2.hasNext()) {
            validateAssertion(new SamlAssertionWrapper(it2.next()), crypto, callbackHandler, ownerDocument, response.isSigned());
        }
    }

    public void validateSamlResponse(org.opensaml.saml.saml1.core.Response response, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        if (response.getStatus() == null || response.getStatus().getStatusCode() == null || response.getStatus().getStatusCode().getValue() == null) {
            LOG.warning("Either the SAML Response Status or StatusCode is null");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (!"Success".equals(response.getStatus().getStatusCode().getValue().getLocalPart())) {
            LOG.warning("SAML Status code of " + response.getStatus().getStatusCode().getValue() + "does not equal Success");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (response.getIssueInstant() != null) {
            if (response.getIssueInstant().isAfter(new DateTime().plusSeconds(this.futureTTL))) {
                LOG.warning("SAML Response IssueInstant not met");
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        }
        if (SAMLVersion.VERSION_11 != response.getVersion()) {
            LOG.warning("SAML Version of " + response.getVersion() + "does not equal " + SAMLVersion.VERSION_11);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        validateResponseSignature(response, crypto, callbackHandler);
        Iterator<org.opensaml.saml.saml1.core.Assertion> it = response.getAssertions().iterator();
        while (it.hasNext()) {
            validateAssertion(new SamlAssertionWrapper(it.next()), crypto, callbackHandler, response.getDOM().getOwnerDocument(), response.isSigned());
        }
    }

    private void validateResponseSignature(Response response, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        if (response.isSigned()) {
            Attr attributeNodeNS = response.getDOM().getAttributeNodeNS(null, "ID");
            if (attributeNodeNS != null) {
                response.getDOM().setIdAttributeNode(attributeNodeNS, true);
            }
            validateResponseSignature(response.getSignature(), response.getDOM().getOwnerDocument(), crypto, callbackHandler);
        }
    }

    private void validateResponseSignature(org.opensaml.saml.saml1.core.Response response, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        if (response.isSigned()) {
            Attr attributeNodeNS = response.getDOM().getAttributeNodeNS(null, "ID");
            if (attributeNodeNS != null) {
                response.getDOM().setIdAttributeNode(attributeNodeNS, true);
            }
            validateResponseSignature(response.getSignature(), response.getDOM().getOwnerDocument(), crypto, callbackHandler);
        }
    }

    private void validateResponseSignature(Signature signature, Document document, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(crypto);
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setCallbackHandler(callbackHandler);
        requestData.setWsDocInfo(new WSDocInfo(document));
        SAMLKeyInfo sAMLKeyInfo = null;
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo != null) {
            try {
                sAMLKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData), crypto);
            } catch (WSSecurityException e) {
                LOG.log(Level.FINE, "Error in getting KeyInfo from SAML Response: " + e.getMessage(), (Throwable) e);
                throw e;
            }
        } else if (!this.keyInfoMustBeAvailable) {
            sAMLKeyInfo = createKeyInfoFromDefaultAlias(crypto);
        }
        if (sAMLKeyInfo == null) {
            LOG.warning("No KeyInfo supplied in the SAMLResponse signature");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        validateSignatureAgainstProfiles(signature, sAMLKeyInfo);
        Credential credential = new Credential();
        credential.setPublicKey(sAMLKeyInfo.getPublicKey());
        credential.setCertificates(sAMLKeyInfo.getCerts());
        try {
            this.signatureValidator.validate(credential, requestData);
        } catch (WSSecurityException e2) {
            LOG.log(Level.FINE, "Error in validating signature on SAML Response: " + e2.getMessage(), (Throwable) e2);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    protected SAMLKeyInfo createKeyInfoFromDefaultAlias(Crypto crypto) throws WSSecurityException {
        try {
            X509Certificate[] certificates = RSSecurityUtils.getCertificates(crypto, crypto.getDefaultX509Identifier());
            SAMLKeyInfo sAMLKeyInfo = new SAMLKeyInfo(new X509Certificate[]{certificates[0]});
            sAMLKeyInfo.setPublicKey(certificates[0].getPublicKey());
            return sAMLKeyInfo;
        } catch (Exception e) {
            LOG.log(Level.FINE, "Error in loading the certificates: " + e.getMessage(), (Throwable) e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
        }
    }

    private void validateSignatureAgainstProfiles(Signature signature, SAMLKeyInfo sAMLKeyInfo) throws WSSecurityException {
        BasicCredential basicCredential;
        try {
            new SAMLSignatureProfileValidator().validate(signature);
            if (sAMLKeyInfo.getCerts() != null) {
                basicCredential = new BasicX509Credential(sAMLKeyInfo.getCerts()[0]);
            } else {
                if (sAMLKeyInfo.getPublicKey() == null) {
                    LOG.warning("Can't get X509Certificate or PublicKey to verify signature");
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                }
                basicCredential = new BasicCredential(sAMLKeyInfo.getPublicKey());
            }
            try {
                new ApacheSantuarioSignatureValidationProviderImpl().validate(signature, basicCredential);
            } catch (SignatureException e) {
                LOG.log(Level.FINE, "Error in validating the SAML Signature: " + e.getMessage(), (Throwable) e);
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        } catch (SignatureException e2) {
            LOG.log(Level.FINE, "Error in validating the SAML Signature: " + e2.getMessage(), (Throwable) e2);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    private void validateAssertion(SamlAssertionWrapper samlAssertionWrapper, Crypto crypto, CallbackHandler callbackHandler, Document document, boolean z) throws WSSecurityException {
        Credential credential = new Credential();
        credential.setSamlAssertion(samlAssertionWrapper);
        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(crypto);
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setCallbackHandler(callbackHandler);
        if (samlAssertionWrapper.isSigned()) {
            if (samlAssertionWrapper.getSaml1() != null) {
                samlAssertionWrapper.getSaml1().getDOM().setIdAttributeNS(null, "AssertionID", true);
            } else {
                samlAssertionWrapper.getSaml2().getDOM().setIdAttributeNS(null, "ID", true);
            }
            try {
                Signature signature = samlAssertionWrapper.getSignature();
                requestData.setWsDocInfo(new WSDocInfo(signature.getDOM().getOwnerDocument()));
                SAMLKeyInfo sAMLKeyInfo = null;
                KeyInfo keyInfo = signature.getKeyInfo();
                if (keyInfo != null) {
                    sAMLKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData), crypto);
                } else if (!this.keyInfoMustBeAvailable) {
                    sAMLKeyInfo = createKeyInfoFromDefaultAlias(crypto);
                }
                if (sAMLKeyInfo == null) {
                    LOG.warning("No KeyInfo supplied in the SAMLResponse assertion signature");
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                }
                samlAssertionWrapper.verifySignature(sAMLKeyInfo);
                samlAssertionWrapper.parseSubject(new WSSSAMLKeyInfoProcessor(requestData), requestData.getSigVerCrypto(), requestData.getCallbackHandler());
            } catch (WSSecurityException e) {
                LOG.log(Level.FINE, "Assertion failed signature validation", (Throwable) e);
                throw e;
            }
        }
        try {
            new SamlSSOAssertionValidator(z).validate(credential, requestData);
        } catch (WSSecurityException e2) {
            LOG.log(Level.FINE, "Assertion validation failed: " + e2.getMessage(), (Throwable) e2);
            throw e2;
        }
    }

    private Element decryptAssertion(EncryptedAssertion encryptedAssertion, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        Element dom = encryptedAssertion.getEncryptedData().getDOM();
        Element node = getNode(encryptedAssertion.getDOM(), "http://www.w3.org/2001/04/xmlenc#", "EncryptedKey", 0);
        if (node == null) {
            node = getNode(dom, "http://www.w3.org/2001/04/xmlenc#", "EncryptedKey", 0);
        }
        if (node == null) {
            LOG.log(Level.FINE, "EncryptedKey element is not available");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        X509Certificate loadCertificate = loadCertificate(crypto, node);
        if (loadCertificate == null) {
            LOG.warning("X509Certificate cannot be retrieved from EncryptedKey element");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        String encodingMethodAlgorithm = getEncodingMethodAlgorithm(node);
        String digestMethodAlgorithm = getDigestMethodAlgorithm(node);
        Element node2 = getNode(node, "http://www.w3.org/2001/04/xmlenc#", "CipherValue", 0);
        if (node2 == null) {
            LOG.warning("CipherValue element is not available");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (callbackHandler == null) {
            LOG.warning("A CallbackHandler must be configured to decrypt encrypted Assertions");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        try {
            try {
                byte[] doFinal = EncryptionUtils.initCipherWithKey(encodingMethodAlgorithm, digestMethodAlgorithm, 2, crypto.getPrivateKey(loadCertificate, callbackHandler)).doFinal(Base64Utility.decode(node2.getTextContent().trim()));
                try {
                    byte[] decryptPayload = decryptPayload(dom, doFinal, getEncodingMethodAlgorithm(dom));
                    Arrays.fill(doFinal, (byte) 0);
                    try {
                        return StaxUtils.read(new InputStreamReader(new ByteArrayInputStream(decryptPayload), StandardCharsets.UTF_8)).getDocumentElement();
                    } catch (Exception e) {
                        LOG.log(Level.FINE, "Payload document can not be created", (Throwable) e);
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                    }
                } catch (Exception e2) {
                    LOG.log(Level.FINE, "Payload can not be decrypted", (Throwable) e2);
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                }
            } catch (Base64Exception e3) {
                LOG.log(Level.FINE, "Base64 decoding has failed", (Throwable) e3);
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            } catch (Exception e4) {
                LOG.log(Level.FINE, "Encrypted key can not be decrypted", (Throwable) e4);
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        } catch (Exception e5) {
            LOG.log(Level.FINE, "Encrypted key can not be decrypted", (Throwable) e5);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    private Element getNode(Element element, String str, String str2, int i) {
        NodeList elementsByTagNameNS = element.getElementsByTagNameNS(str, str2);
        if (elementsByTagNameNS == null || elementsByTagNameNS.getLength() < i + 1) {
            return null;
        }
        return (Element) elementsByTagNameNS.item(i);
    }

    private X509Certificate loadCertificate(Crypto crypto, Element element) throws WSSecurityException {
        Element node = getNode(element, "http://www.w3.org/2000/09/xmldsig#", "X509Certificate", 0);
        if (node != null) {
            try {
                return RSSecurityUtils.loadX509Certificate(crypto, node);
            } catch (Exception e) {
                LOG.log(Level.FINE, "X509Certificate can not be created", (Throwable) e);
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        }
        Element node2 = getNode(element, "http://www.w3.org/2000/09/xmldsig#", "X509IssuerSerial", 0);
        if (node2 != null) {
            try {
                return RSSecurityUtils.loadX509IssuerSerial(crypto, node2);
            } catch (Exception e2) {
                LOG.log(Level.FINE, "X509Certificate can not be created", (Throwable) e2);
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
        }
        if (crypto.getDefaultX509Identifier() == null) {
            return null;
        }
        try {
            X509Certificate[] certificates = RSSecurityUtils.getCertificates(crypto, crypto.getDefaultX509Identifier());
            if (certificates.length > 0) {
                return certificates[0];
            }
            return null;
        } catch (Exception e3) {
            LOG.log(Level.FINE, "X509Certificate can not be created", (Throwable) e3);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    private String getEncodingMethodAlgorithm(Element element) throws WSSecurityException {
        Element node = getNode(element, "http://www.w3.org/2001/04/xmlenc#", "EncryptionMethod", 0);
        if (node != null) {
            return node.getAttribute("Algorithm");
        }
        LOG.warning("EncryptionMethod element is not available");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    private String getDigestMethodAlgorithm(Element element) {
        Element node;
        Element node2 = getNode(element, "http://www.w3.org/2001/04/xmlenc#", "EncryptionMethod", 0);
        if (node2 == null || (node = getNode(node2, "http://www.w3.org/2000/09/xmldsig#", "DigestMethod", 0)) == null) {
            return null;
        }
        return node.getAttributeNS(null, "Algorithm");
    }

    private byte[] decryptPayload(Element element, byte[] bArr, String str) throws WSSecurityException {
        try {
            return EncryptionUtils.initXMLCipher(str, 2, KeyUtils.prepareSecretKey(str, bArr)).decryptToByteArray(element);
        } catch (XMLEncryptionException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e);
        }
    }

    public void setKeyInfoMustBeAvailable(boolean z) {
        this.keyInfoMustBeAvailable = z;
    }

    public int getFutureTTL() {
        return this.futureTTL;
    }

    public void setFutureTTL(int i) {
        this.futureTTL = i;
    }
}
