package org.apache.cxf.ws.security.wss4j;

import java.security.MessageDigest;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Attribute;
import org.opensaml.saml1.core.AttributeStatement;
import org.opensaml.xml.XMLObject;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-2.7.19-MULE-001.jar:org/apache/cxf/ws/security/wss4j/SAMLUtils.class */
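/**
 * Helpers for SAML assertions that WSS4J has already parsed, plus the
 * subject-confirmation checks (holder-of-key and sender-vouches) that CXF
 * applies to every SAML token found in an inbound message.
 *
 * <p>Security notes. All checks fail closed: a holder-of-key assertion is
 * accepted only when the key in its subject matches the TLS client
 * certificate or a key that produced a signature in the message; a
 * sender-vouches assertion is accepted only over two-way TLS or when one
 * signature covers both the assertion and the SOAP body. The TLS peer
 * certificates come from {@link TLSSessionInfo}, so trust in the client
 * certificate itself must be established by the TLS layer (truststore /
 * client-auth configuration) — nothing here re-validates it. Only the leaf
 * certificate ({@code [0]}) is ever compared; chains are not examined.
 *
 * <p>This listing was recovered from a compiled jar; WSS4J action and error
 * codes therefore appear as literals (see the constants below).
 */
public final class SAMLUtils {
    private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class);

    // WSS4J action codes as compiled into this class. They appear to correspond to
    // WSConstants.ST_SIGNED (0x10), ST_UNSIGNED (0x8), SIGN (0x2) and UT_SIGN (0x40)
    // in WSS4J 1.6; kept as literals because WSConstants is not imported by this file.
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_UT_SIGN = 64;

    // Error code thrown when a confirmation check fails; appears to be
    // WSSecurityException.INVALID_SECURITY in WSS4J 1.6 — verify if in doubt.
    private static final int ERROR_INVALID_SECURITY = 3;

    private SAMLUtils() {
    }

    /**
     * Extracts the values of the attribute named {@code roleAttributeName} from an
     * assertion, dispatching on the SAML version of the wrapper.
     *
     * @param assertion         an {@link AssertionWrapper} (typed as Object for callers)
     * @param roleAttributeName the SAML attribute name that carries role values
     * @return the role values; {@code null} when the assertion has no attribute
     *         statements; an empty unmodifiable list when it has statements but
     *         no attribute of that name
     */
    public static List<String> parseRolesInAssertion(Object assertion, String roleAttributeName) {
        AssertionWrapper wrapper = (AssertionWrapper) assertion;
        if (wrapper.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            return parseRolesInAssertion(wrapper.getSaml2(), roleAttributeName);
        }
        return parseRolesInAssertion(wrapper.getSaml1(), roleAttributeName);
    }

    /**
     * @param assertion an {@link AssertionWrapper}
     * @return the assertion's issuer as a string
     */
    public static String getIssuer(Object assertion) {
        return ((AssertionWrapper) assertion).getIssuerString();
    }

    /**
     * @param assertion an {@link AssertionWrapper}
     * @return the DOM element backing the assertion
     */
    public static Element getAssertionElement(Object assertion) {
        return ((AssertionWrapper) assertion).getElement();
    }

    /** SAML 1.x variant of the role extraction; see {@link #parseRolesInAssertion(Object, String)}. */
    private static List<String> parseRolesInAssertion(Assertion assertion, String roleAttributeName) {
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            return null;
        }
        List<String> roles = new ArrayList<String>();
        for (AttributeStatement statement : statements) {
            for (Attribute attribute : statement.getAttributes()) {
                if (!isRoleAttribute(attribute.getAttributeName(), roleAttributeName)) {
                    continue;
                }
                // Historical behaviour kept as-is: after a multi-valued match the
                // remaining attributes of this statement are not scanned.
                if (addAttributeValues(attribute.getAttributeValues(), roles)) {
                    break;
                }
            }
        }
        return Collections.unmodifiableList(roles);
    }

    /** SAML 2.0 variant of the role extraction; see {@link #parseRolesInAssertion(Object, String)}. */
    private static List<String> parseRolesInAssertion(org.opensaml.saml2.core.Assertion assertion, String roleAttributeName) {
        List<org.opensaml.saml2.core.AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements == null || statements.isEmpty()) {
            return null;
        }
        List<String> roles = new ArrayList<String>();
        for (org.opensaml.saml2.core.AttributeStatement statement : statements) {
            for (org.opensaml.saml2.core.Attribute attribute : statement.getAttributes()) {
                if (!isRoleAttribute(attribute.getName(), roleAttributeName)) {
                    continue;
                }
                // Same early-exit as the SAML 1.x path (kept for compatibility).
                if (addAttributeValues(attribute.getAttributeValues(), roles)) {
                    break;
                }
            }
        }
        return Collections.unmodifiableList(roles);
    }

    /**
     * Null-safe name comparison: an attribute without a name (untrusted input)
     * never matches and never causes a NullPointerException.
     */
    private static boolean isRoleAttribute(String attributeName, String roleAttributeName) {
        return roleAttributeName != null && roleAttributeName.equals(attributeName);
    }

    /**
     * Appends the text content of every attribute value to {@code roles}.
     * Values without a backing DOM node are skipped.
     *
     * @return {@code true} when the attribute carried more than one value
     */
    private static boolean addAttributeValues(List<XMLObject> values, List<String> roles) {
        for (XMLObject value : values) {
            Element dom = value.getDOM();
            if (dom != null) {
                roles.add(dom.getTextContent());
            }
        }
        return values.size() > 1;
    }

    /**
     * Enforces holder-of-key and sender-vouches requirements for every SAML token
     * result in {@code results}.
     *
     * @param results all WSS4J engine results for the inbound message
     * @param message the CXF message (used to obtain the TLS peer certificates)
     * @param body    the SOAP body element, which a sender-vouches signature must cover
     * @throws WSSecurityException when any assertion fails its confirmation check
     */
    public static void validateSAMLResults(List<WSSecurityEngineResult> results, Message message, Element body) throws WSSecurityException {
        List<Integer> samlActions = new ArrayList<Integer>(2);
        samlActions.add(ACTION_ST_SIGNED);
        samlActions.add(ACTION_ST_UNSIGNED);
        List<WSSecurityEngineResult> samlResults = WSS4JUtils.fetchAllActionResults(results, samlActions);
        if (samlResults.isEmpty()) {
            return;
        }
        List<Integer> signedActions = new ArrayList<Integer>(2);
        signedActions.add(ACTION_SIGN);
        signedActions.add(ACTION_UT_SIGN);
        List<WSSecurityEngineResult> signedResults = WSS4JUtils.fetchAllActionResults(results, signedActions);

        // The TLS session is the same for every assertion in the message.
        Certificate[] tlsCerts = peerCertificates(message);

        for (WSSecurityEngineResult samlResult : samlResults) {
            AssertionWrapper assertion = (AssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkHolderOfKey(assertion, signedResults, tlsCerts)) {
                LOG.warning("Assertion fails holder-of-key requirements");
                throw new WSSecurityException(ERROR_INVALID_SECURITY);
            }
            if (!checkSenderVouches(assertion, tlsCerts, body, signedResults)) {
                LOG.warning("Assertion fails sender-vouches requirements");
                throw new WSSecurityException(ERROR_INVALID_SECURITY);
            }
        }
    }

    /** @return the TLS peer certificates for the message, or {@code null} when there is no TLS session info. */
    private static Certificate[] peerCertificates(Message message) {
        TLSSessionInfo tlsInfo = (TLSSessionInfo) message.get(TLSSessionInfo.class);
        return tlsInfo == null ? null : tlsInfo.getPeerCertificates();
    }

    /**
     * Checks every holder-of-key confirmation method on the assertion: the
     * subject's key must match the TLS client certificate or one of the
     * signature results. Assertions without a holder-of-key method pass.
     *
     * @param assertionWrapper the assertion under test
     * @param signedResults    signature results of the message (may be null or empty)
     * @param tlsCerts         TLS peer certificates (may be null or empty)
     * @return {@code false} as soon as one holder-of-key method cannot be confirmed
     */
    public static boolean checkHolderOfKey(AssertionWrapper assertionWrapper, List<WSSecurityEngineResult> signedResults, Certificate[] tlsCerts) {
        boolean haveTlsCerts = tlsCerts != null && tlsCerts.length > 0;
        boolean haveSignedResults = signedResults != null && !signedResults.isEmpty();
        for (String method : assertionWrapper.getConfirmationMethods()) {
            if (!OpenSAMLUtil.isMethodHolderOfKey(method)) {
                continue;
            }
            // Nothing to confirm the key against: fail closed.
            if (!haveTlsCerts && !haveSignedResults) {
                return false;
            }
            if (!compareCredentials(assertionWrapper.getSubjectKeyInfo(), signedResults, tlsCerts)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Compares the assertion subject's key material with the TLS client
     * certificate and with each signature result.
     *
     * <p>Match rules, in order: leaf TLS certificate equals the subject's leaf
     * certificate; TLS public key equals the subject public key; a signature's
     * leaf certificate equals the subject's; a signature's public key equals the
     * subject's (or the subject certificate's) public key; a signature's
     * symmetric secret equals the subject secret.
     *
     * @param subjectKeyInfo key material from the assertion subject; {@code null} fails the check
     * @param signedResults  signature results (null is treated as empty)
     * @param tlsCerts       TLS peer certificates (null or empty means no TLS comparison)
     * @return {@code true} when any rule matches
     */
    public static boolean compareCredentials(SAMLKeyInfo subjectKeyInfo, List<WSSecurityEngineResult> signedResults, Certificate[] tlsCerts) {
        if (subjectKeyInfo == null) {
            // A holder-of-key assertion without subject key material cannot be confirmed.
            return false;
        }
        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
        X509Certificate subjectCert = (subjectCerts != null && subjectCerts.length > 0) ? subjectCerts[0] : null;
        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
        byte[] subjectSecret = subjectKeyInfo.getSecret();

        if (tlsCerts != null && tlsCerts.length > 0) {
            Certificate tlsCert = tlsCerts[0];
            if (subjectCert != null && tlsCert.equals(subjectCert)) {
                return true;
            }
            if (subjectPublicKey != null && tlsCert.getPublicKey().equals(subjectPublicKey)) {
                return true;
            }
        }

        // Fall back to the certificate's key so a cert-only subject can still
        // match a signature that only exposes a public key.
        if (subjectPublicKey == null && subjectCert != null) {
            subjectPublicKey = subjectCert.getPublicKey();
        }

        if (signedResults == null) {
            return false;
        }
        for (WSSecurityEngineResult signedResult : signedResults) {
            X509Certificate[] signingCerts = (X509Certificate[]) signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            PublicKey signingKey = (PublicKey) signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            byte[] signingSecret = (byte[]) signedResult.get(WSSecurityEngineResult.TAG_SECRET);

            if (subjectCert != null && signingCerts != null && signingCerts.length > 0 && signingCerts[0].equals(subjectCert)) {
                return true;
            }
            if (signingKey != null && signingKey.equals(subjectPublicKey)) {
                return true;
            }
            if (checkSecretKey(signingSecret, subjectSecret, signedResult)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares a signature's symmetric secret (or, for a derived-key token, the
     * master secret of its principal) with the assertion subject's secret.
     *
     * <p>Uses {@link MessageDigest#isEqual} rather than {@code Arrays.equals} so
     * the comparison does not exit on the first differing byte: the subject
     * secret may be unknown to the sender of the message (e.g. a replayed
     * assertion whose key was encrypted for this service), and a
     * length-dependent early exit would give that sender a timing oracle.
     */
    private static boolean checkSecretKey(byte[] signingSecret, byte[] subjectSecret, WSSecurityEngineResult signedResult) {
        if (signingSecret == null || subjectSecret == null) {
            return false;
        }
        if (MessageDigest.isEqual(signingSecret, subjectSecret)) {
            return true;
        }
        Principal principal = (Principal) signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        if (principal instanceof WSDerivedKeyTokenPrincipal) {
            byte[] masterSecret = ((WSDerivedKeyTokenPrincipal) principal).getSecret();
            // explicit null check: older JDKs' isEqual() does not accept null
            return masterSecret != null && MessageDigest.isEqual(masterSecret, subjectSecret);
        }
        return false;
    }

    /**
     * Checks every sender-vouches confirmation method on the assertion.
     *
     * <p>Two-way TLS short-circuits the check: the TLS layer has already
     * authenticated the peer, which stands in for the signature requirement.
     * Client-certificate trust must therefore be configured on the TLS
     * listener; this method does not inspect the certificate. Without TLS, a
     * single signature must cover both the assertion and the body.
     *
     * @param assertionWrapper the assertion under test
     * @param tlsCerts         TLS peer certificates (null or empty means no TLS)
     * @param body             the SOAP body element
     * @param signedResults    signature results (may be null or empty)
     * @return {@code false} as soon as one sender-vouches method cannot be confirmed
     */
    public static boolean checkSenderVouches(AssertionWrapper assertionWrapper, Certificate[] tlsCerts, Element body, List<WSSecurityEngineResult> signedResults) {
        if (tlsCerts != null && tlsCerts.length > 0) {
            return true;
        }
        boolean haveSignedResults = signedResults != null && !signedResults.isEmpty();
        for (String method : assertionWrapper.getConfirmationMethods()) {
            if (!OpenSAMLUtil.isMethodSenderVouches(method)) {
                continue;
            }
            if (!haveSignedResults) {
                return false;
            }
            if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signedResults)) {
                return false;
            }
        }
        return true;
    }

    /**
     * @return {@code true} when one signature result's data references cover both
     *         the assertion element and the body element. Two separate signatures
     *         (one per element) do not satisfy this check.
     */
    private static boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper, Element body, List<WSSecurityEngineResult> signedResults) {
        Element assertionElement = assertionWrapper.getElement();
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> refs = CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (refs == null) {
                continue;
            }
            boolean assertionSigned = false;
            boolean bodySigned = false;
            for (WSDataRef ref : refs) {
                // Reference identity is intentional: the protected element is
                // presumably the very node of the parsed document, so an equal
                // but distinct copy must not count as "this assertion"/"this body".
                Element protectedElement = ref.getProtectedElement();
                if (protectedElement == assertionElement) {
                    assertionSigned = true;
                }
                if (protectedElement == body) {
                    bodySigned = true;
                }
                if (assertionSigned && bodySigned) {
                    return true;
                }
            }
        }
        return false;
    }
}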
