package org.springframework.security.saml2.provider.service.authentication;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.SignatureSigningConfiguration;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion;
import org.opensaml.xmlsec.crypto.XMLSigningUtil;
import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorManager;
import org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.opensaml.xmlsec.signature.support.SignatureSupport;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.util.Assert;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:org/springframework/security/saml2/provider/service/authentication/OpenSamlSigningUtils.class */
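/**
 * OpenSAML-backed helpers for signing SAML 2.0 messages on behalf of a
 * {@link RelyingPartyRegistration}: XML signatures via
 * {@link #sign(SignableXMLObject, RelyingPartyRegistration)} and detached
 * query-string signatures (redirect-style messages) via
 * {@link #sign(RelyingPartyRegistration)}.
 *
 * <p>Signing parameters (credential, signature algorithm, digest method and
 * canonicalization method) are resolved per call from the registration; the
 * candidate signature algorithms are those advertised by the asserting party.
 * The credentials built here carry the registration's private keys, so
 * instances of this class's results must not be logged or exposed.
 */
final class OpenSamlSigningUtils {

    /** Digest method applied to signature references (SHA-256). */
    private static final String SHA256_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256";

    /** Exclusive XML canonicalization (exc-c14n), used for all signatures produced here. */
    private static final String EXCLUSIVE_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /**
     * Builder for a signed set of query parameters: collects parameters, then
     * {@link #parameters()} appends {@code SigAlg} and a detached {@code Signature}.
     *
     * <p>Parameters are signed in insertion order, so callers must add them in the
     * order the binding expects them to appear in the query string. Not thread-safe;
     * intended for single-use, chained invocation.
     */
    static class QueryParametersPartial {

        final RelyingPartyRegistration registration;

        // LinkedHashMap on purpose: insertion order is part of what gets signed.
        final Map<String, String> components = new LinkedHashMap<>();

        QueryParametersPartial(RelyingPartyRegistration relyingPartyRegistration) {
            this.registration = relyingPartyRegistration;
        }

        /**
         * Adds (or replaces) one query parameter with its raw, not yet URL-encoded value.
         * @param name the parameter name
         * @param value the unencoded parameter value
         * @return this partial, for chaining
         */
        QueryParametersPartial param(String name, String value) {
            this.components.put(name, value);
            return this;
        }

        /**
         * Resolves the signing credential and algorithm for the registration, appends
         * {@code SigAlg}, signs the resulting query string and appends the encoded
         * {@code Signature}.
         *
         * <p>The signed input is the query string without its leading {@code ?}, in the
         * map's insertion order, with each value URL-encoded as ISO-8859-1 and the whole
         * string then taken as UTF-8 bytes. Any {@code Signature} left over from an
         * earlier call is discarded first so it is never covered by the new signature.
         * @return the same (mutable) component map, now including {@code SigAlg} and
         * {@code Signature}
         * @throws Saml2Exception if no signing credential can be resolved or signing fails
         */
        Map<String, String> parameters() {
            SignatureSigningParameters parameters = OpenSamlSigningUtils.resolveSigningParameters(this.registration);
            Credential credential = parameters.getSigningCredential();
            String algorithmUri = parameters.getSignatureAlgorithm();
            // A stale Signature from a previous invocation must not become part of the signed data.
            this.components.remove(Saml2ParameterNames.SIGNATURE);
            this.components.put(Saml2ParameterNames.SIG_ALG, algorithmUri);
            UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
            for (Map.Entry<String, String> component : this.components.entrySet()) {
                builder.queryParam(component.getKey(), UriUtils.encode(component.getValue(), StandardCharsets.ISO_8859_1));
            }
            // build(true) treats the components as already encoded; the leading '?' is not
            // part of the signed data. SigAlg is always present, so the string is non-empty.
            String queryString = builder.build(true).toString().substring(1);
            try {
                byte[] rawSignature = XMLSigningUtil.signWithURI(credential, algorithmUri,
                        queryString.getBytes(StandardCharsets.UTF_8));
                this.components.put(Saml2ParameterNames.SIGNATURE, Saml2Utils.samlEncode(rawSignature));
            } catch (SecurityException ex) {
                throw new Saml2Exception(ex);
            }
            return this.components;
        }
    }

    /**
     * Marshals an OpenSAML object and returns its XML string form.
     * @param xmlObject the object to serialize
     * @return the serialized XML
     * @throws Saml2Exception if marshalling fails
     */
    static String serialize(XMLObject xmlObject) {
        try {
            return SerializeSupport.nodeToString(
                    XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(xmlObject).marshall(xmlObject));
        } catch (MarshallingException ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Signs {@code object} in place with the registration's resolved signing parameters.
     * @param <O> the signable type
     * @param object the object to sign; it is modified in place
     * @param relyingPartyRegistration the registration supplying credentials and algorithms
     * @return {@code object}, now signed
     * @throws Saml2Exception if the parameters cannot be resolved or signing fails
     */
    static <O extends SignableXMLObject> O sign(O object, RelyingPartyRegistration relyingPartyRegistration) {
        try {
            SignatureSupport.signObject(object, resolveSigningParameters(relyingPartyRegistration));
            return object;
        } catch (Exception ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Starts a signed query-parameter set for the given registration.
     * @param relyingPartyRegistration the registration whose credentials will sign the parameters
     * @return a new, empty {@link QueryParametersPartial}
     */
    static QueryParametersPartial sign(RelyingPartyRegistration relyingPartyRegistration) {
        return new QueryParametersPartial(relyingPartyRegistration);
    }

    /**
     * Resolves credential, signature algorithm, digest method and canonicalization method
     * for {@code relyingPartyRegistration}.
     *
     * <p>Candidate credentials are the registration's signing X.509 credentials; candidate
     * signature algorithms are those the asserting party advertises. The metadata-aware
     * OpenSAML resolver chooses the final combination, so what the asserting party
     * advertises constrains the algorithm used here. The digest method is fixed to
     * SHA-256 and canonicalization to exclusive C14N.
     * @param relyingPartyRegistration the registration to resolve parameters for
     * @return the resolved parameters, never {@code null}
     * @throws Saml2Exception if resolution fails or yields no parameters (the
     * {@code Assert} failure is wrapped as well)
     */
    private static SignatureSigningParameters resolveSigningParameters(RelyingPartyRegistration relyingPartyRegistration) {
        List<Credential> credentials = resolveSigningCredentials(relyingPartyRegistration);
        List<String> algorithms = relyingPartyRegistration.getAssertingPartyDetails().getSigningAlgorithms();
        List<String> digestMethods = Collections.singletonList(SHA256_DIGEST_METHOD);
        BasicSignatureSigningConfiguration signingConfiguration = new BasicSignatureSigningConfiguration();
        signingConfiguration.setSigningCredentials(credentials);
        signingConfiguration.setSignatureAlgorithms(algorithms);
        signingConfiguration.setSignatureReferenceDigestMethods(digestMethods);
        signingConfiguration.setSignatureCanonicalizationAlgorithm(EXCLUSIVE_C14N);
        signingConfiguration.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new SignatureSigningConfigurationCriterion(signingConfiguration));
        try {
            SignatureSigningParameters parameters =
                    new SAMLMetadataSignatureSigningParametersResolver().resolveSingle(criteria);
            Assert.notNull(parameters, "Failed to resolve any signing credential");
            return parameters;
        } catch (Exception ex) {
            throw new Saml2Exception(ex);
        }
    }

    /**
     * Builds the KeyInfo generator used for produced signatures: the default manager is
     * configured with an X.509 factory that emits the signing entity certificate and
     * its chain, so verifiers receive the certificate inline.
     * @return the configured manager
     */
    private static NamedKeyInfoGeneratorManager buildSignatureKeyInfoGeneratorManager() {
        NamedKeyInfoGeneratorManager manager = new NamedKeyInfoGeneratorManager();
        manager.setUseDefaultManager(true);
        X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
        x509Factory.setEmitEntityCertificate(true);
        x509Factory.setEmitEntityCertificateChain(true);
        KeyInfoGeneratorManager defaultManager = manager.getDefaultManager();
        defaultManager.registerFactory(x509Factory);
        return manager;
    }

    /**
     * Converts the registration's signing X.509 credentials into OpenSAML credentials,
     * each tagged with the registration's entity ID and {@link UsageType#SIGNING}.
     * The resulting credentials hold private keys.
     * @param relyingPartyRegistration the registration to read credentials from
     * @return the credentials in registration order; empty if none are configured
     */
    private static List<Credential> resolveSigningCredentials(RelyingPartyRegistration relyingPartyRegistration) {
        List<Credential> credentials = new ArrayList<>();
        for (Saml2X509Credential x509Credential : relyingPartyRegistration.getSigningX509Credentials()) {
            BasicX509Credential credential = CredentialSupport.getSimpleCredential(
                    x509Credential.getCertificate(), x509Credential.getPrivateKey());
            credential.setEntityId(relyingPartyRegistration.getEntityId());
            credential.setUsageType(UsageType.SIGNING);
            credentials.add(credential);
        }
        return credentials;
    }

    // Static utility holder; never instantiated.
    private OpenSamlSigningUtils() {
    }
}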
