package org.apache.ws.security.saml;

import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.keyinfo.X509IssuerSerial;
import javax.xml.namespace.QName;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.AlgorithmSuite;
import org.apache.ws.security.components.crypto.AlgorithmSuiteValidator;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.processor.EncryptedKeyProcessor;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.str.SignatureSTRParser;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.AttributeStatement;
import org.opensaml.saml1.core.AuthenticationStatement;
import org.opensaml.saml1.core.AuthorizationDecisionStatement;
import org.opensaml.saml1.core.Statement;
import org.opensaml.saml1.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.ws.wstrust.BinarySecret;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;

/* loaded from: input_file:lib/wss4j-1.6.18.jar:org/apache/ws/security/saml/SAMLUtil.class */
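/**
 * Static helpers used by the SAML processing code to resolve a SAML assertion
 * referenced through a {@code SecurityTokenReference} and to extract the key
 * material (secret key, public key or certificate chain) advertised in the
 * assertion's subject confirmation {@code KeyInfo}.
 *
 * <p>Everything handled here (the STR, the assertion DOM, the {@code KeyInfo}
 * children) originates from the inbound message and is treated as untrusted:
 * structurally malformed input is reported as a {@link WSSecurityException}
 * rather than escaping as a runtime exception. Nothing in this class checks
 * whether the returned key material is actually trustworthy (assertion
 * signature, holder-of-key confirmation, certificate path); that is expected
 * to happen in the callers.
 */
public final class SAMLUtil {

    /** {@code wst:BinarySecret} in the WS-Trust 2005/02 namespace. */
    private static final QName BINARY_SECRET =
        new QName("http://schemas.xmlsoap.org/ws/2005/02/trust", BinarySecret.ELEMENT_LOCAL_NAME);

    /** {@code wst:BinarySecret} in the WS-Trust 1.3 (2005/12) namespace. */
    private static final QName BINARY_SECRET_05_12 =
        new QName("http://docs.oasis-open.org/ws-sx/ws-trust/200512", BinarySecret.ELEMENT_LOCAL_NAME);

    /** XML Digital Signature namespace; the {@code KeyInfo} element lives here. */
    private static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Local name of the {@code KeyInfo} element looked up under a subject confirmation. */
    private static final String KEY_INFO_LN = "KeyInfo";

    /** Local name shared by SAML 1.1 and SAML 2.0 {@code Assertion} elements. */
    private static final String ASSERTION_LN = "Assertion";

    private SAMLUtil() {
        // utility class, not instantiable
    }

    /**
     * Resolves the SAML assertion that a KeyIdentifier-style
     * {@code SecurityTokenReference} points to.
     *
     * <p>Lookup order: a result already recorded under the key identifier value,
     * then an already-processed token element, then an unprocessed token element
     * which is run through the configured SAML token processor.
     *
     * @param securityTokenReference the STR carrying the KeyIdentifier
     * @param element an element of the document being processed; only its owner
     *        document is used for the token lookup
     * @param requestData per-request configuration (callback handler, WSS config)
     * @param wSDocInfo per-document state holding previously processed tokens
     * @return the referenced assertion; may be {@code null} when a recorded
     *         result under the key identifier value carries no SAML assertion
     * @throws WSSecurityException if the referenced element is not a SAML
     *         {@code Assertion} or the SAML token processor yields no result
     */
    public static AssertionWrapper getAssertionFromKeyIdentifier(
        SecurityTokenReference securityTokenReference,
        Element element,
        RequestData requestData,
        WSDocInfo wSDocInfo
    ) throws WSSecurityException {
        String keyIdentifierValue = securityTokenReference.getKeyIdentifierValue();
        String keyIdentifierValueType = securityTokenReference.getKeyIdentifierValueType();

        // Fast path: a token with this (message-supplied) ID was already processed.
        // NOTE(review): the recorded result is assumed to be a SAML token result; if a
        // different token type was recorded under the same ID this returns null —
        // confirm that callers tolerate a null assertion.
        WSSecurityEngineResult result = wSDocInfo.getResult(keyIdentifierValue);
        if (result != null) {
            return (AssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        }

        CallbackHandler callbackHandler = requestData.getCallbackHandler();
        Element processedToken = securityTokenReference.findProcessedTokenElement(
            element.getOwnerDocument(), wSDocInfo, callbackHandler, keyIdentifierValue, keyIdentifierValueType
        );
        if (processedToken != null) {
            if (!isAssertion(processedToken)) {
                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
            }
            return new AssertionWrapper(processedToken);
        }

        Element unprocessedToken = securityTokenReference.findUnprocessedTokenElement(
            element.getOwnerDocument(), wSDocInfo, callbackHandler, keyIdentifierValue, keyIdentifierValueType
        );
        if (!isAssertion(unprocessedToken)) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }
        List<WSSecurityEngineResult> results =
            requestData.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN)
                .handleToken(unprocessedToken, requestData, wSDocInfo);
        if (results == null || results.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }
        return (AssertionWrapper) results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
    }

    /**
     * True when {@code candidate} is non-null and its local name is {@code Assertion}.
     * Only the local name is compared, so both the SAML 1.1 and the SAML 2.0
     * element qualify.
     */
    private static boolean isAssertion(Element candidate) {
        return candidate != null && ASSERTION_LN.equals(candidate.getLocalName());
    }

    /**
     * Extracts the key material from the subject of either a SAML 1.1 or a
     * SAML 2.0 assertion, whichever the wrapper holds.
     *
     * @param assertionWrapper wrapper around the parsed assertion
     * @param requestData per-request configuration
     * @param wSDocInfo per-document state
     * @param z flag forwarded unchanged to {@link #getCredentialFromKeyInfo}
     * @return the key material, or {@code null} if the subject carries no {@code KeyInfo}
     * @throws WSSecurityException if the assertion has no subject or the
     *         {@code KeyInfo} cannot be resolved
     */
    public static SAMLKeyInfo getCredentialFromSubject(
        AssertionWrapper assertionWrapper, RequestData requestData, WSDocInfo wSDocInfo, boolean z
    ) throws WSSecurityException {
        if (assertionWrapper.getSaml1() != null) {
            return getCredentialFromSubject(assertionWrapper.getSaml1(), requestData, wSDocInfo, z);
        }
        return getCredentialFromSubject(assertionWrapper.getSaml2(), requestData, wSDocInfo, z);
    }

    /**
     * Asks the application's callback handler for a secret key registered under
     * the assertion ID.
     *
     * @param assertionId the assertion's ID attribute, used as the callback identifier
     * @param callbackHandler the handler to consult; may be {@code null}
     * @return the key the handler supplied, {@code null} if there is no handler
     *         or the handler set none
     * @throws WSSecurityException wrapping whatever the handler threw
     */
    private static byte[] getSecretKeyFromCallbackHandler(String assertionId, CallbackHandler callbackHandler)
        throws WSSecurityException {
        if (callbackHandler == null) {
            return null;
        }
        WSPasswordCallback callback = new WSPasswordCallback(assertionId, WSPasswordCallback.SECRET_KEY);
        try {
            callbackHandler.handle(new Callback[]{callback});
        } catch (Exception e) {
            // The handler is application code and may throw anything; surface it as a
            // security failure with the cause attached rather than letting it escape.
            throw new WSSecurityException(WSSecurityException.FAILURE, "noKey", new Object[]{assertionId}, e);
        }
        return callback.getKey();
    }

    /**
     * Returns a {@code SAMLKeyInfo} built from a callback-supplied secret key for
     * this assertion ID, or {@code null} when the callback yields no key.
     */
    private static SAMLKeyInfo getCredentialFromCallback(String assertionId, RequestData requestData)
        throws WSSecurityException {
        byte[] secret = getSecretKeyFromCallbackHandler(assertionId, requestData.getCallbackHandler());
        if (secret != null && secret.length > 0) {
            return new SAMLKeyInfo(secret);
        }
        return null;
    }

    /**
     * Extracts the key material from the subject of a SAML 1.1 assertion.
     *
     * <p>A secret key supplied by the callback handler for the assertion ID takes
     * precedence. Otherwise the statements are scanned in order and the first
     * {@code KeyInfo} found directly under a statement's
     * {@code SubjectConfirmation} is resolved.
     *
     * @param assertion the parsed SAML 1.1 assertion
     * @param requestData per-request configuration
     * @param wSDocInfo per-document state
     * @param z flag forwarded unchanged to {@link #getCredentialFromKeyInfo}
     * @return the key material, or {@code null} if no statement carries a {@code KeyInfo}
     * @throws WSSecurityException if a statement has no subject or the
     *         {@code KeyInfo} cannot be resolved
     */
    public static SAMLKeyInfo getCredentialFromSubject(
        Assertion assertion, RequestData requestData, WSDocInfo wSDocInfo, boolean z
    ) throws WSSecurityException {
        SAMLKeyInfo fromCallback = getCredentialFromCallback(assertion.getID(), requestData);
        if (fromCallback != null) {
            return fromCallback;
        }
        for (Statement statement : assertion.getStatements()) {
            Subject subject = getSaml1Subject(statement);
            if (subject == null) {
                throw new WSSecurityException(
                    WSSecurityException.FAILURE, "invalidSAMLToken", new Object[]{"for Signature (no Subject)"}
                );
            }
            // SubjectConfirmation is optional in SAML 1.1; a subject without one has no key material.
            org.opensaml.saml1.core.SubjectConfirmation confirmation = subject.getSubjectConfirmation();
            if (confirmation == null) {
                continue;
            }
            Element keyInfo = WSSecurityUtil.getDirectChildElement(confirmation.getDOM(), KEY_INFO_LN, SIG_NS);
            if (keyInfo != null) {
                return getCredentialFromKeyInfo(keyInfo, requestData, wSDocInfo, z);
            }
        }
        return null;
    }

    /**
     * Returns the subject of a SAML 1.1 statement, or {@code null} for statement
     * types that carry no subject (any type other than the three core ones).
     */
    private static Subject getSaml1Subject(Statement statement) {
        if (statement instanceof AttributeStatement) {
            return ((AttributeStatement) statement).getSubject();
        }
        if (statement instanceof AuthenticationStatement) {
            return ((AuthenticationStatement) statement).getSubject();
        }
        if (statement instanceof AuthorizationDecisionStatement) {
            return ((AuthorizationDecisionStatement) statement).getSubject();
        }
        return null;
    }

    /**
     * Extracts the key material from the subject of a SAML 2.0 assertion.
     *
     * <p>A secret key supplied by the callback handler for the assertion ID takes
     * precedence. Otherwise the subject confirmations are scanned in order and
     * the first {@code KeyInfo} found directly under a
     * {@code SubjectConfirmationData} is resolved.
     *
     * @param assertion the parsed SAML 2.0 assertion
     * @param requestData per-request configuration
     * @param wSDocInfo per-document state
     * @param z flag forwarded unchanged to {@link #getCredentialFromKeyInfo}
     * @return the key material, or {@code null} if no confirmation carries a {@code KeyInfo}
     * @throws WSSecurityException if the assertion has no subject or the
     *         {@code KeyInfo} cannot be resolved
     */
    public static SAMLKeyInfo getCredentialFromSubject(
        org.opensaml.saml2.core.Assertion assertion, RequestData requestData, WSDocInfo wSDocInfo, boolean z
    ) throws WSSecurityException {
        SAMLKeyInfo fromCallback = getCredentialFromCallback(assertion.getID(), requestData);
        if (fromCallback != null) {
            return fromCallback;
        }
        org.opensaml.saml2.core.Subject subject = assertion.getSubject();
        if (subject == null) {
            throw new WSSecurityException(
                WSSecurityException.FAILURE, "invalidSAMLToken", new Object[]{"for Signature (no Subject)"}
            );
        }
        for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
            // SubjectConfirmationData is optional in SAML 2.0 (e.g. plain bearer confirmation).
            org.opensaml.saml2.core.SubjectConfirmationData data = confirmation.getSubjectConfirmationData();
            if (data == null) {
                continue;
            }
            Element keyInfo = WSSecurityUtil.getDirectChildElement(data.getDOM(), KEY_INFO_LN, SIG_NS);
            if (keyInfo != null) {
                return getCredentialFromKeyInfo(keyInfo, requestData, wSDocInfo, z);
            }
        }
        return null;
    }

    /**
     * Resolves the key material referenced by a {@code ds:KeyInfo} element taken
     * from a SAML subject confirmation.
     *
     * <p>The element children are inspected first for WS-Security specific
     * content — an {@code EncryptedKey}, a WS-Trust {@code BinarySecret} or a
     * {@code SecurityTokenReference} — and the first such child decides the
     * result. Only when none is present is the element unmarshalled as plain
     * XML-DSig {@code KeyInfo} content ({@code KeyValue} / {@code X509Data}).
     * Which path is taken is therefore driven entirely by the assertion content.
     *
     * @param element the {@code ds:KeyInfo} element
     * @param requestData per-request configuration (crypto, algorithm suite)
     * @param wSDocInfo per-document state
     * @param z not read by this method; retained for API compatibility
     * @return the key material, or {@code null} if the {@code KeyInfo} holds
     *         nothing this method understands
     * @throws WSSecurityException if a recognised child is malformed, a referenced
     *         certificate cannot be found, or unmarshalling fails
     */
    public static SAMLKeyInfo getCredentialFromKeyInfo(
        Element element, RequestData requestData, WSDocInfo wSDocInfo, boolean z
    ) throws WSSecurityException {
        for (Node node = element.getFirstChild(); node != null; node = node.getNextSibling()) {
            if (node.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            QName qName = new QName(node.getNamespaceURI(), node.getLocalName());
            if (WSSecurityEngine.ENCRYPTED_KEY.equals(qName)) {
                return getCredentialFromEncryptedKey((Element) node, requestData, wSDocInfo);
            }
            if (BINARY_SECRET.equals(qName) || BINARY_SECRET_05_12.equals(qName)) {
                return getCredentialFromBinarySecret((Element) node);
            }
            if (SecurityTokenReference.STR_QNAME.equals(qName)) {
                return getCredentialFromSTR((Element) node, requestData, wSDocInfo);
            }
        }
        return getCredentialFromDSigKeyInfo(element, requestData);
    }

    /**
     * Decrypts an {@code EncryptedKey} child and returns the recovered secret.
     *
     * @throws WSSecurityException if decryption fails or the processor yields no result
     */
    private static SAMLKeyInfo getCredentialFromEncryptedKey(
        Element encryptedKey, RequestData requestData, WSDocInfo wSDocInfo
    ) throws WSSecurityException {
        List<WSSecurityEngineResult> results = new EncryptedKeyProcessor().handleToken(
            encryptedKey, requestData, wSDocInfo, requestData.getSamlAlgorithmSuite()
        );
        if (results == null || results.isEmpty()) {
            throw noKeyMaterial(null);
        }
        return new SAMLKeyInfo((byte[]) results.get(0).get(WSSecurityEngineResult.TAG_SECRET));
    }

    /**
     * Decodes the Base64 text content of a WS-Trust {@code BinarySecret} child.
     *
     * @throws WSSecurityException if the element has no text content or the
     *         content is not valid Base64
     */
    private static SAMLKeyInfo getCredentialFromBinarySecret(Element binarySecret) throws WSSecurityException {
        Node child = binarySecret.getFirstChild();
        // An empty or non-text BinarySecret is malformed input, not an internal error.
        if (!(child instanceof Text)) {
            throw noKeyMaterial(null);
        }
        return new SAMLKeyInfo(Base64.decode(((Text) child).getData()));
    }

    /**
     * Dereferences a {@code SecurityTokenReference} child with the signature STR
     * parser and collects certificates, public key and secret key from it. When a
     * SAML algorithm suite is configured and the referenced token is a derived key
     * token, its algorithm and key length are validated against the suite.
     *
     * @throws WSSecurityException if the STR cannot be resolved or the derived key
     *         token violates the algorithm suite
     */
    private static SAMLKeyInfo getCredentialFromSTR(
        Element str, RequestData requestData, WSDocInfo wSDocInfo
    ) throws WSSecurityException {
        SignatureSTRParser parser = new SignatureSTRParser();
        parser.parseSecurityTokenReference(str, requestData, wSDocInfo, new HashMap<String, Object>());
        SAMLKeyInfo keyInfo = new SAMLKeyInfo(parser.getCertificates());
        keyInfo.setPublicKey(parser.getPublicKey());
        keyInfo.setSecret(parser.getSecretKey());

        Principal principal = parser.getPrincipal();
        AlgorithmSuite samlAlgorithmSuite = requestData.getSamlAlgorithmSuite();
        if (samlAlgorithmSuite != null && principal instanceof WSDerivedKeyTokenPrincipal) {
            WSDerivedKeyTokenPrincipal derivedKey = (WSDerivedKeyTokenPrincipal) principal;
            AlgorithmSuiteValidator validator = new AlgorithmSuiteValidator(samlAlgorithmSuite);
            validator.checkDerivedKeyAlgorithm(derivedKey.getAlgorithm());
            validator.checkSignatureDerivedKeyLength(derivedKey.getLength());
        }
        return keyInfo;
    }

    /**
     * Unmarshals the element as plain XML-DSig {@code KeyInfo} content and returns
     * the first {@code KeyValue} public key or {@code X509Data} result found.
     *
     * @return the key material, or {@code null} if no usable content is present
     * @throws WSSecurityException if unmarshalling or key extraction fails, or if
     *         a specific failure (e.g. missing signature crypto) occurred
     */
    private static SAMLKeyInfo getCredentialFromDSigKeyInfo(Element keyInfoElement, RequestData requestData)
        throws WSSecurityException {
        KeyInfoFactory keyInfoFactory;
        try {
            // Prefer the Apache Santuario DOM provider when it is registered;
            // otherwise fall back to whichever DOM provider the JDK supplies.
            keyInfoFactory = KeyInfoFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException e) {
            keyInfoFactory = KeyInfoFactory.getInstance("DOM");
        }
        try {
            List<?> content = keyInfoFactory.unmarshalKeyInfo(new DOMStructure(keyInfoElement)).getContent();
            for (Object item : content) {
                if (item instanceof KeyValue) {
                    return new SAMLKeyInfo(((KeyValue) item).getPublicKey());
                }
                if (item instanceof X509Data) {
                    SAMLKeyInfo fromX509Data = getCredentialFromX509Data((X509Data) item, requestData);
                    if (fromX509Data != null) {
                        return fromX509Data;
                    }
                }
            }
            return null;
        } catch (WSSecurityException e) {
            // Keep the specific failure (e.g. noSigCryptoFile) instead of masking it
            // behind the generic "cannot get certificate or key" message below.
            throw e;
        } catch (Exception e) {
            // MarshalException from unmarshalling, KeyException from getPublicKey(), etc.
            throw noKeyMaterial(e);
        }
    }

    /**
     * Returns the first certificate found in an {@code X509Data} entry: an inline
     * {@code X509Certificate} is returned as-is (no trust-store check happens
     * here); an {@code X509IssuerSerial} is resolved through the signature crypto.
     *
     * @return the certificate chain, or {@code null} if the entry holds neither
     * @throws WSSecurityException if no signature crypto is configured or the
     *         issuer/serial pair does not resolve to a certificate
     */
    private static SAMLKeyInfo getCredentialFromX509Data(X509Data x509Data, RequestData requestData)
        throws WSSecurityException {
        for (Object item : x509Data.getContent()) {
            if (item instanceof X509Certificate) {
                return new SAMLKeyInfo(new X509Certificate[]{(X509Certificate) item});
            }
            if (item instanceof X509IssuerSerial) {
                if (requestData.getSigCrypto() == null) {
                    throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
                }
                X509IssuerSerial issuerSerial = (X509IssuerSerial) item;
                CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
                cryptoType.setIssuerSerial(issuerSerial.getIssuerName(), issuerSerial.getSerialNumber());
                X509Certificate[] certificates = requestData.getSigCrypto().getX509Certificates(cryptoType);
                if (certificates == null || certificates.length < 1) {
                    throw noKeyMaterial(null);
                }
                return new SAMLKeyInfo(certificates);
            }
        }
        return null;
    }

    /**
     * Builds the generic "cannot get certificate or key" failure.
     *
     * @param cause the underlying exception, or {@code null} when there is none
     */
    private static WSSecurityException noKeyMaterial(Throwable cause) {
        Object[] args = new Object[]{"cannot get certificate or key"};
        if (cause == null) {
            return new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", args);
        }
        return new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", args, cause);
    }
}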
