package org.apache.ws.security.processor;

import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.SAMLTokenPrincipal;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.AlgorithmSuite;
import org.apache.ws.security.components.crypto.AlgorithmSuiteValidator;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;
import org.mule.metadata.persistence.MetadataTypeConstants;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/wss4j-1.6.18.jar:org/apache/ws/security/processor/SAMLTokenProcessor.class */
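/**
 * Processes a SAML {@code Assertion} element found in a WS-Security header.
 * <p>
 * Processing order is security-relevant and is preserved here: the enveloped
 * XML signature (if any) is unmarshalled with secure validation enabled, checked
 * against the configured SAML algorithm suite and verified against the key
 * resolved from its {@code KeyInfo} <em>before</em> the assertion is handed to
 * the application {@link Validator} and before any result is stored in the
 * {@link WSDocInfo}.
 * <p>
 * This class is stateless apart from the {@link XMLSignatureFactory} created in
 * the constructor; thread-safety therefore follows that of the factory.
 */
public class SAMLTokenProcessor implements Processor {
    private static final Log log = LogFactory.getLog(SAMLTokenProcessor.class);

    /**
     * Prefix of a same-document XML-DSig reference URI ({@code "#" + id}). The
     * decompiled source expressed this literal through an unrelated Mule
     * constant; it is the standard fragment-identifier form.
     */
    private static final String ID_REFERENCE_PREFIX = "#";

    private final XMLSignatureFactory signatureFactory;

    /**
     * Creates a processor backed by the Apache Santuario DOM signature provider
     * ({@code "ApacheXMLDSig"}), falling back to the JDK default DOM provider when
     * Santuario is not registered.
     */
    public SAMLTokenProcessor() {
        XMLSignatureFactory factory;
        try {
            factory = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException e) {
            // Santuario is not registered as a JCA provider: use whichever DOM provider the JDK offers.
            factory = XMLSignatureFactory.getInstance("DOM");
        }
        this.signatureFactory = factory;
    }

    /**
     * Verifies, validates and records a SAML assertion element.
     *
     * @param element     the {@code Assertion} DOM element
     * @param requestData per-request configuration (validators, crypto, algorithm suite)
     * @param wSDocInfo   per-document state; receives the token element and the result
     * @return a singleton list holding the result for this assertion (an already
     *         processed element returns the previously stored result)
     * @throws WSSecurityException if the signature cannot be verified, a different
     *         element with the same id was already processed, or the validator rejects
     *         the assertion
     */
    @Override // org.apache.ws.security.processor.Processor
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Found SAML Assertion element");
        }
        Validator validator = requestData.getValidator(new QName(element.getNamespaceURI(), element.getLocalName()));
        AssertionWrapper assertionWrapper = new AssertionWrapper(element);

        // Verify the enveloped signature (if any) before the token reaches the Validator,
        // so an assertion whose signature does not check out is never validated or stored.
        XMLSignature xmlSignature = verifySignatureKeysAndAlgorithms(assertionWrapper, requestData, wSDocInfo);
        List<WSDataRef> dataRefs = createDataRefs(element, assertionWrapper, xmlSignature);

        Credential credential = handleSAMLToken(assertionWrapper, requestData, validator, wSDocInfo);
        AssertionWrapper assertion = credential.getAssertion();
        if (log.isDebugEnabled()) {
            log.debug("SAML Assertion issuer " + assertion.getIssuerString());
            // NOTE: this writes the complete assertion, including subject/attribute data, to the log.
            log.debug(DOM2Writer.nodeToString(element));
        }

        String id = assertion.getId();
        Element tokenElement = wSDocInfo.getTokenElement(id);
        if (element.equals(tokenElement)) {
            // The very same element was processed already (e.g. referenced twice): reuse its result.
            return Collections.singletonList(wSDocInfo.getResult(id));
        }
        if (tokenElement != null) {
            // A different element carries the same id: reject instead of letting two tokens share it.
            throw new WSSecurityException(4, "duplicateError"); // 4 = WSSecurityException.INVALID_SECURITY_TOKEN
        }
        wSDocInfo.addTokenElement(element);

        WSSecurityEngineResult result = newResult(assertion, dataRefs, id);
        if (validator != null) {
            recordValidation(result, credential, assertion);
        }
        wSDocInfo.addResult(result);
        return Collections.singletonList(result);
    }

    /**
     * Parses the holder-of-key subject of the assertion, wraps it in a
     * {@link Credential} and runs the validator over it when one is configured.
     *
     * @param assertionWrapper the assertion (its signature, if any, is expected to be verified already)
     * @param requestData      per-request configuration
     * @param validator        validator for the assertion, or {@code null} to skip validation
     * @param wSDocInfo        per-document state used to resolve the HOK subject key
     * @return the credential returned by the validator, or the unvalidated credential when
     *         {@code validator} is {@code null}
     * @throws WSSecurityException if the subject cannot be parsed or validation fails
     */
    public Credential handleSAMLToken(AssertionWrapper assertionWrapper, RequestData requestData, Validator validator, WSDocInfo wSDocInfo) throws WSSecurityException {
        assertionWrapper.parseHOKSubject(requestData, wSDocInfo);
        Credential credential = new Credential();
        credential.setAssertion(assertionWrapper);
        if (validator == null) {
            return credential;
        }
        return validator.validate(credential, requestData);
    }

    /**
     * Builds the engine result for the assertion: signed assertions get the
     * {@code ST_SIGNED} action and their data references, unsigned ones
     * {@code ST_UNSIGNED}.
     */
    private static WSSecurityEngineResult newResult(AssertionWrapper assertion, List<WSDataRef> dataRefs, String id) {
        WSSecurityEngineResult result;
        if (assertion.isSigned()) {
            result = new WSSecurityEngineResult(16, assertion); // 16 = WSConstants.ST_SIGNED
            result.put(WSSecurityEngineResult.TAG_DATA_REF_URIS, dataRefs);
        } else {
            result = new WSSecurityEngineResult(8, assertion); // 8 = WSConstants.ST_UNSIGNED
        }
        if (!"".equals(id)) {
            result.put("id", id);
        }
        return result;
    }

    /**
     * Marks the result as validated and attaches the transformed token,
     * principal and subject produced by the validator. When the validator
     * supplied no principal, one is derived from the transformed token if
     * present, otherwise from the assertion itself.
     */
    private static void recordValidation(WSSecurityEngineResult result, Credential credential, AssertionWrapper assertion) {
        result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
        AssertionWrapper transformedToken = credential.getTransformedToken();
        if (transformedToken != null) {
            result.put(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, transformedToken);
        }
        if (credential.getPrincipal() != null) {
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal());
        } else if (transformedToken != null) {
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipal(transformedToken));
        } else {
            result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipal(assertion));
        }
        result.put(WSSecurityEngineResult.TAG_SUBJECT, credential.getSubject());
    }

    /**
     * Verifies the assertion's enveloped signature.
     * <p>
     * Steps: resolve the signing key from the signature's {@code KeyInfo};
     * unmarshal the signature with secure validation switched on; check the
     * signature and digest algorithms plus the asymmetric key length against the
     * SAML {@link AlgorithmSuite} (when configured); finally verify the signature
     * value itself.
     *
     * @return the unmarshalled signature, or {@code null} when the assertion is not signed
     * @throws WSSecurityException if no key can be resolved, the signature cannot be
     *         unmarshalled, an algorithm or key length is not permitted, or verification fails
     */
    private XMLSignature verifySignatureKeysAndAlgorithms(AssertionWrapper assertionWrapper, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (!assertionWrapper.isSigned()) {
            return null;
        }
        Signature signature = assertionWrapper.getSignature();
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            throw new WSSecurityException(0, "invalidSAMLsecurity", new Object[]{"cannot get certificate or key"}); // 0 = WSSecurityException.FAILURE
        }
        SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), requestData, wSDocInfo, requestData.getWssConfig().isWsiBSPCompliant());
        PublicKey publicKey = resolvePublicKey(samlKeyInfo);

        DOMValidateContext validateContext = new DOMValidateContext(publicKey, signature.getDOM());
        // Secure validation (both the Santuario and the JDK property names, depending on the
        // provider in use) rejects known-risky signature constructs during unmarshalling.
        validateContext.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        validateContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignature xmlSignature;
        try {
            xmlSignature = this.signatureFactory.unmarshalXMLSignature(validateContext);
        } catch (MarshalException e) {
            // Message text kept for compatibility although the actual failure is unmarshalling;
            // the cause carries the detail.
            throw new WSSecurityException(6, "invalidSAMLsecurity", new Object[]{"cannot get certificate or key"}, e); // 6 = WSSecurityException.FAILED_CHECK
        }

        AlgorithmSuite algorithmSuite = requestData.getSamlAlgorithmSuite();
        if (algorithmSuite != null) {
            AlgorithmSuiteValidator suiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
            suiteValidator.checkSignatureAlgorithms(xmlSignature);
            suiteValidator.checkAsymmetricKeyLength(publicKey);
        }
        assertionWrapper.verifySignature(samlKeyInfo);
        return xmlSignature;
    }

    /**
     * Picks the verification key: the first certificate's public key when the
     * {@code KeyInfo} resolved to a certificate chain, otherwise the bare public key.
     * An empty certificate array (which the previous code indexed blindly) is
     * treated like an absent one.
     *
     * @throws WSSecurityException if neither a certificate nor a public key is available
     */
    private static PublicKey resolvePublicKey(SAMLKeyInfo samlKeyInfo) throws WSSecurityException {
        X509Certificate[] certs = samlKeyInfo.getCerts();
        if (certs != null && certs.length > 0 && certs[0] != null) {
            return certs[0].getPublicKey();
        }
        PublicKey publicKey = samlKeyInfo.getPublicKey();
        if (publicKey == null) {
            throw new WSSecurityException(0, "invalidSAMLsecurity", new Object[]{"cannot get certificate or key"}); // 0 = WSSecurityException.FAILURE
        }
        return publicKey;
    }

    /**
     * Records which parts of the document the assertion's signature covers.
     * Only references that point at the assertion itself are kept: an empty URI
     * (enveloped signature over the whole document), the bare assertion id, or
     * the {@code #id} fragment form.
     *
     * @return one {@link WSDataRef} per matching reference, or {@code null} when
     *         there is no signature (callers only consult this for signed assertions)
     */
    private static List<WSDataRef> createDataRefs(Element element, AssertionWrapper assertionWrapper, XMLSignature xmlSignature) {
        if (xmlSignature == null) {
            return null;
        }
        String assertionId = assertionWrapper.getId();
        String signatureAlgorithm = xmlSignature.getSignedInfo().getSignatureMethod().getAlgorithm();
        // Raw List on JDK 8 and earlier, List<Reference> on 9+; the assignment is unchecked on the former.
        @SuppressWarnings("unchecked")
        List<Reference> references = xmlSignature.getSignedInfo().getReferences();

        List<WSDataRef> dataRefs = new ArrayList<WSDataRef>();
        for (Reference reference : references) {
            String uri = reference.getURI();
            if (!coversAssertion(uri, assertionId)) {
                continue;
            }
            WSDataRef dataRef = new WSDataRef();
            dataRef.setWsuId(uri);
            dataRef.setProtectedElement(element);
            dataRef.setAlgorithm(signatureAlgorithm);
            dataRef.setDigestAlgorithm(reference.getDigestMethod().getAlgorithm());
            dataRef.setTransformAlgorithms(transformAlgorithms(reference));
            dataRef.setXpath(ReferenceListProcessor.getXPath(element));
            dataRefs.add(dataRef);
        }
        return dataRefs;
    }

    /**
     * Tells whether a signature reference URI designates the assertion with the given id.
     * A missing URI attribute ({@code null}) is not attributed to the assertion; it
     * previously caused a {@link NullPointerException}.
     */
    private static boolean coversAssertion(String referenceUri, String assertionId) {
        if (referenceUri == null) {
            return false;
        }
        return referenceUri.length() == 0
            || referenceUri.equals(assertionId)
            || referenceUri.equals(ID_REFERENCE_PREFIX + assertionId);
    }

    /** Collects the transform algorithm URIs of a reference, in document order. */
    private static List<String> transformAlgorithms(Reference reference) {
        // Raw List on JDK 8 and earlier, List<Transform> on 9+; the assignment is unchecked on the former.
        @SuppressWarnings("unchecked")
        List<Transform> transforms = reference.getTransforms();
        List<String> algorithms = new ArrayList<String>(transforms.size());
        for (Transform transform : transforms) {
            algorithms.add(transform.getAlgorithm());
        }
        return algorithms;
    }
}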
