package org.jboss.seam.security.external.saml;

import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.Security;
import java.util.Collections;
import javax.inject.Inject;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import org.jboss.seam.security.external.InvalidRequestException;
import org.jcp.xml.dsig.internal.dom.XMLDSigRI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/seam-security-external-3.0.0.CR1.jar:org/jboss/seam/security/external/saml/SamlSignatureUtilForPostBinding.class */
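/**
 * Signs SAML protocol documents for the HTTP POST binding with an enveloped XML
 * signature over the document element, and validates such signatures against a
 * caller-supplied key.
 *
 * <p>NOTE(review): the shared {@link XMLSignatureFactory} is used from
 * {@link #sign} and {@link #validateSignature} without synchronization. The JSR 105
 * javadoc only guarantees thread safety for the static methods of the factory, not
 * for instance methods, so this relies on the provider in use being stateless -
 * confirm for the configured provider.
 */
public class SamlSignatureUtilForPostBinding {
    private static final Logger log = LoggerFactory.getLogger(SamlSignatureUtilForPostBinding.class);

    /** Name of the JSR 105 (XML Signature) mechanism this utility works with. */
    private static final String DOM_MECHANISM = "DOM";
    /** Canonicalization applied to SignedInfo before signing: exclusive C14N, comments retained. */
    private static final String C14N_EXCLUSIVE_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";
    // NOTE(review): SHA-1 based digest and signature methods are what this release emits; newer
    // XMLDSig deployments prefer SHA-256 variants. Changing them here changes wire compatibility
    // with peers, so they are kept and only named.
    private static final String SIGNATURE_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String SIGNATURE_DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    private static final String DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
    private static final String TRANSFORM_ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
    /** Attribute of the document element that the signature's Reference points at ("#" + value). */
    private static final String ID_ATTRIBUTE = "ID";
    /** Namespace prefix used for the XMLDSig elements written into the signed document. */
    private static final String DSIG_PREFIX = "dsig";

    /** Created by {@link #init()}; {@code null} until that has run. */
    private XMLSignatureFactory fac;

    /**
     * CDI initializer: configures the XML security implementation and creates the
     * signature factory. Must run before {@link #sign} or {@link #validateSignature}.
     */
    @Inject
    public void init() {
        // Set inside doPrivileged so the call works under a security manager that only
        // grants this library the property permission. The property presumably tells the
        // XML security implementation not to insert line breaks into Base64 output - confirm.
        AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: org.jboss.seam.security.external.saml.SamlSignatureUtilForPostBinding.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");
                return null;
            }
        });
        this.fac = getXMLSignatureFactory();
    }

    /**
     * Returns the DOM signature factory, preferring a provider registered under the
     * "DOM" name and otherwise instantiating the JDK's reference implementation directly.
     */
    private XMLSignatureFactory getXMLSignatureFactory() {
        if (Security.getProvider(DOM_MECHANISM) != null) {
            return XMLSignatureFactory.getInstance(DOM_MECHANISM);
        }
        return XMLSignatureFactory.getInstance(DOM_MECHANISM, new XMLDSigRI());
    }

    /**
     * Returns the initialized factory.
     *
     * @throws IllegalStateException if {@link #init()} has not been called
     */
    private XMLSignatureFactory signatureFactory() {
        if (this.fac == null) {
            throw new IllegalStateException("SamlSignatureUtilForPostBinding.init() has not been called");
        }
        return this.fac;
    }

    /**
     * Chooses the signature method URI for the key: rsa-sha1 for RSA keys, dsa-sha1 otherwise.
     */
    private static String signatureMethodFor(PublicKey publicKey) {
        return "RSA".equalsIgnoreCase(publicKey.getAlgorithm()) ? SIGNATURE_RSA_SHA1 : SIGNATURE_DSA_SHA1;
    }

    /**
     * Adds an enveloped signature over the document element to {@code document}.
     * The single Reference targets "#" + the document element's ID attribute; the
     * public key is embedded as a KeyValue in KeyInfo.
     *
     * @param document the document to sign; it is modified in place
     * @param keyPair  private key used to sign, public key written into KeyInfo
     * @return the same {@code document} instance, now carrying the signature
     * @throws IllegalArgumentException if the document element has no ID attribute, since
     *                                  the Reference could not point at the signed element
     * @throws IllegalStateException    if the signature cannot be built, marshalled or computed
     */
    public Document sign(Document document, KeyPair keyPair) {
        if (log.isTraceEnabled()) {
            // SLF4J substitutes "{}" only; the previous "{0}" placeholder was never filled in.
            log.trace("Document to be signed={}", SamlUtils.getDocumentAsString(document));
        }
        String id = document.getDocumentElement().getAttribute(ID_ATTRIBUTE);
        if (id == null || id.length() == 0) {
            throw new IllegalArgumentException("Document element has no " + ID_ATTRIBUTE
                    + " attribute; the signature Reference cannot be built");
        }
        PrivateKey privateKey = keyPair.getPrivate();
        PublicKey publicKey = keyPair.getPublic();
        XMLSignatureFactory factory = signatureFactory();
        DOMSignContext signContext = new DOMSignContext(privateKey, document.getDocumentElement());
        signContext.setDefaultNamespacePrefix(DSIG_PREFIX);
        try {
            Reference reference = factory.newReference(
                    "#" + id,
                    factory.newDigestMethod(DIGEST_SHA1, (DigestMethodParameterSpec) null),
                    Collections.singletonList(factory.newTransform(TRANSFORM_ENVELOPED, (TransformParameterSpec) null)),
                    (String) null,
                    (String) null);
            SignedInfo signedInfo = factory.newSignedInfo(
                    factory.newCanonicalizationMethod(C14N_EXCLUSIVE_WITH_COMMENTS, (C14NMethodParameterSpec) null),
                    factory.newSignatureMethod(signatureMethodFor(publicKey), (SignatureMethodParameterSpec) null),
                    Collections.singletonList(reference));
            KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();
            KeyInfo keyInfo = keyInfoFactory.newKeyInfo(
                    Collections.singletonList(keyInfoFactory.newKeyValue(publicKey)));
            factory.newXMLSignature(signedInfo, keyInfo).sign(signContext);
            return document;
        } catch (GeneralSecurityException e) {
            // InvalidAlgorithmParameterException, KeyException and NoSuchAlgorithmException:
            // the factory could not build the signature structures for this key/algorithm.
            throw new IllegalStateException("Could not build the XML signature", e);
        } catch (MarshalException e) {
            throw new IllegalStateException("Could not marshal the XML signature", e);
        } catch (XMLSignatureException e) {
            throw new IllegalStateException("Signing the SAML document failed", e);
        }
    }

    /**
     * Validates the first ds:Signature element found in {@code document} with the
     * given key. The key comes from the caller (trusted configuration); KeyInfo
     * embedded in the message is not used to establish trust.
     *
     * <p>NOTE(review): the first ds:Signature in document order is validated wherever
     * it sits in the tree, and a valid signature says nothing about elements outside
     * the signed Reference. Callers must consume only the element(s) this signature
     * covers (XML signature wrapping) - confirm against the callers of this method.
     *
     * @param key      public key (or certificate key) the signature must verify under
     * @param document the received SAML document
     * @throws InvalidRequestException if no signature is present, the signature is
     *                                 malformed, or it does not verify
     */
    public void validateSignature(Key key, Document document) throws InvalidRequestException {
        NodeList signatures = document.getElementsByTagNameNS(SamlConstants.XMLDSIG_NSURI, SamlRedirectMessage.QSP_SIGNATURE);
        if (signatures == null || signatures.getLength() == 0) {
            throw new InvalidRequestException("Signature element is not present or has zero length.");
        }
        DOMValidateContext validateContext = new DOMValidateContext(key, signatures.item(0));
        try {
            XMLSignature signature = signatureFactory().unmarshalXMLSignature(validateContext);
            boolean valid = signature.validate(validateContext);
            if (!valid) {
                if (log.isTraceEnabled()) {
                    logValidationDetails(signature, validateContext);
                }
                throw new InvalidRequestException("Invalid signature.");
            }
        } catch (MarshalException e) {
            // The signature structure comes from the peer; a malformed one is a bad request,
            // not a server fault. The cause is logged because InvalidRequestException is only
            // known here to take a message.
            log.debug("Could not unmarshal the XML signature of the received document", e);
            throw new InvalidRequestException("Signature element could not be parsed.");
        } catch (XMLSignatureException e) {
            log.debug("XML signature validation raised an exception", e);
            throw new InvalidRequestException("Signature could not be validated.");
        }
    }

    /**
     * Trace-logs the per-component validation results of a signature that failed to
     * validate, to help diagnose which reference or the signature value itself failed.
     */
    private static void logValidationDetails(XMLSignature signature, DOMValidateContext validateContext)
            throws XMLSignatureException {
        log.trace("Signature validation status: {}", signature.getSignatureValue().validate(validateContext));
        // getReferences() is a raw List in older JSR 105 versions, so iterate as Object and cast.
        for (Object item : signature.getSignedInfo().getReferences()) {
            Reference reference = (Reference) item;
            log.trace("[Ref id={}:uri={}] validity status:{}",
                    new Object[]{reference.getId(), reference.getURI(), reference.validate(validateContext)});
        }
    }
}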
