package com.mulesoft.modules.saml.internal.validation.validator;

import com.mulesoft.modules.saml.api.signature.store.TrustStore;
import com.mulesoft.modules.saml.internal.error.SamlError;
import java.io.IOException;
import java.util.Objects;
import java.util.Properties;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLKeyInfoProcessor;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SignatureTrustValidator;
import org.mule.runtime.extension.api.exception.ModuleException;

/* loaded from: input_file:com/mulesoft/modules/saml/internal/validation/validator/SamlSignatureVerificationValidator.class */
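/**
 * Validates the XML signature of a SAML assertion in two steps: integrity
 * (the signature matches the signed content) and trust (the signing key or
 * certificate chain is accepted by the configured {@link TrustStore}).
 *
 * <p>Only assertions that carry a signature are checked; an unsigned assertion
 * passes through this validator unchanged (see {@link #validate}).
 *
 * <p>Instances are immutable once constructed: the only state is the WSS4J
 * {@link Crypto} built from the trust store.
 */
public class SamlSignatureVerificationValidator implements SamlValidator {

    // WSS4J Merlin property keys; the values are read by Merlin when it loads the trust store.
    private static final String TRUSTSTORE_FILE_PROPERTY = "org.apache.wss4j.crypto.merlin.truststore.file";
    private static final String TRUSTSTORE_TYPE_PROPERTY = "org.apache.wss4j.crypto.merlin.truststore.type";
    private static final String TRUSTSTORE_PASSWORD_PROPERTY = "org.apache.wss4j.crypto.merlin.truststore.password";

    /** Merlin crypto backed by the configured trust store; used for both integrity and trust checks. */
    private final Crypto crypto;

    /**
     * Creates a validator whose trust decisions are anchored in {@code trustStore}.
     *
     * @param trustStore location, type and password of the trust store holding the accepted signer certificates
     * @throws NullPointerException if {@code trustStore} is {@code null}
     * @throws ModuleException with {@link SamlError#STORE_ERROR} if the trust store cannot be loaded
     */
    public SamlSignatureVerificationValidator(TrustStore trustStore) {
        this.crypto = createCrypto(Objects.requireNonNull(trustStore, "trustStore"));
    }

    /**
     * Builds a WSS4J {@link Merlin} instance configured from the given trust store.
     *
     * @param trustStore trust store description to hand to Merlin
     * @return a {@link Crypto} that resolves and checks certificates against the trust store
     * @throws ModuleException with {@link SamlError#STORE_ERROR} if Merlin fails to load the store
     */
    private Crypto createCrypto(TrustStore trustStore) {
        Properties merlinConfig = new Properties();
        // Properties.put is used (not setProperty) so that the path value keeps whatever type TrustStore exposes.
        merlinConfig.put(TRUSTSTORE_FILE_PROPERTY, trustStore.getPath());
        merlinConfig.put(TRUSTSTORE_TYPE_PROPERTY, trustStore.getType().getName());
        merlinConfig.put(TRUSTSTORE_PASSWORD_PROPERTY, trustStore.getPassword());
        try {
            // No PasswordEncryptor: the trust store password is passed to Merlin in clear.
            return new Merlin(merlinConfig, getClass().getClassLoader(), (PasswordEncryptor) null);
        } catch (WSSecurityException | IOException e) {
            throw new ModuleException("Failed to load TrustStore.", SamlError.STORE_ERROR, e);
        }
    }

    /**
     * Verifies the assertion's signature, if it has one.
     *
     * <p>Integrity is checked before trust, so a tampered assertion is rejected
     * before any certificate lookup happens. An unsigned assertion is accepted
     * as-is by this validator.
     *
     * @param samlAssertionWrapper the assertion to check
     * @throws ModuleException with {@link SamlError#SIGNATURE_VERIFICATION} if the signature is
     *         invalid or its signer is not trusted
     */
    @Override
    public void validate(SamlAssertionWrapper samlAssertionWrapper) {
        // NOTE(review): unsigned assertions are not rejected here. If a signature is
        // mandatory for this flow, confirm that requirement is enforced elsewhere.
        if (!samlAssertionWrapper.isSigned()) {
            return;
        }
        // Order matters: the trust check reads getSignatureKeyInfo(), which is
        // expected to be populated by the integrity check's verifySignature() call.
        verifySignatureIntegrity(samlAssertionWrapper);
        verifySignatureTrust(samlAssertionWrapper);
    }

    /**
     * Checks that the key/certificates used to sign the assertion are trusted by
     * the configured trust store, via WSS4J's {@link SignatureTrustValidator}.
     *
     * @param samlAssertionWrapper a signed assertion whose signature key info is available
     * @throws ModuleException with {@link SamlError#SIGNATURE_VERIFICATION} if trust cannot be established
     */
    private void verifySignatureTrust(SamlAssertionWrapper samlAssertionWrapper) {
        SAMLKeyInfo signingKeyInfo = samlAssertionWrapper.getSignatureKeyInfo();

        Credential signerCredential = new Credential();
        signerCredential.setPublicKey(signingKeyInfo.getPublicKey());
        signerCredential.setCertificates(signingKeyInfo.getCerts());

        // Only the signature-verification crypto is configured on the request; all
        // other RequestData settings (e.g. revocation checking) keep WSS4J defaults.
        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(this.crypto);

        try {
            new SignatureTrustValidator().validate(signerCredential, requestData);
        } catch (WSSecurityException e) {
            throw new ModuleException("Failed to verify trust on the assertion signature.", SamlError.SIGNATURE_VERIFICATION, e);
        }
    }

    /**
     * Checks that the assertion's signature is cryptographically valid over its content.
     *
     * @param samlAssertionWrapper a signed assertion
     * @throws ModuleException with {@link SamlError#SIGNATURE_VERIFICATION} if the signature does not verify
     */
    private void verifySignatureIntegrity(SamlAssertionWrapper samlAssertionWrapper) {
        try {
            // No custom SAMLKeyInfoProcessor: key resolution is left to WSS4J using the trust-store crypto.
            samlAssertionWrapper.verifySignature((SAMLKeyInfoProcessor) null, this.crypto);
        } catch (WSSecurityException e) {
            throw new ModuleException("Failed to verify signature integrity.", SamlError.SIGNATURE_VERIFICATION, e);
        }
    }
}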
