package org.wso2.solutions.identity.sts;

import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import java.util.UUID;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.OMNode;
import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl;
import org.apache.axiom.om.util.UUIDGenerator;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasData;
import org.apache.rahas.Token;
import org.apache.rahas.TokenIssuer;
import org.apache.rahas.TrustException;
import org.apache.rahas.TrustUtil;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.utils.Base64;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.wso2.solutions.identity.IdentityProviderException;
import org.wso2.solutions.identity.admin.ReportAdmin;
import org.wso2.solutions.identity.persistence.IPPersistenceManager;
import org.wso2.solutions.identity.persistence.dataobject.ActionDO;
import org.wso2.solutions.identity.persistence.dataobject.InfoCardDO;
import org.wso2.solutions.identity.persistence.dataobject.IssuedTokensDO;
import org.wso2.solutions.identity.persistence.dataobject.PPIDValueDO;
import org.wso2.solutions.identity.persistence.dataobject.RelyingPartyDO;
import org.wso2.solutions.identity.sts.IdentityProviderData;
import org.wso2.solutions.identity.util.IdentityUtil;
import org.wso2.utils.ServerConfiguration;

/* loaded from: input_file:org/wso2/solutions/identity/sts/IdentityTokenIssuer.class */
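/**
 * Rahas {@link TokenIssuer} that answers WS-Trust Issue requests for Information Cards.
 * <p>
 * For a valid card the response carries a signed SAML 1.x assertion whose attribute
 * statement holds the requested claims. When the relying party's certificate is known, the
 * assertion is additionally encrypted (AES-256-CBC) under a symmetric key that is wrapped for
 * the relying party in a WS-Security EncryptedKey. A display token is added so the identity
 * selector can show the user which values are being released.
 * <p>
 * Thread-safety: Rahas normally reuses a single issuer instance, so the per-request data is
 * passed between the private helpers explicitly. The package-visible {@link #ipData} field is
 * still assigned for compatibility with any package-level reader, but it is shared between
 * concurrent requests and must not be relied on after {@link #issue} returns.
 */
public class IdentityTokenIssuer implements TokenIssuer {
    private static final Log log = LogFactory.getLog(IdentityTokenIssuer.class);

    private static final String WSS_SAML_NS = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#";
    private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust";
    private static final String WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";

    private static final String RSTR_ISSUE_ACTION = "http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue";
    private static final String HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    private static final String PPID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";
    private static final String SAML_ASSERTION_ID_VALUE_TYPE = WSS_SAML_NS + "SAMLAssertionID";

    private static final String AES256_CBC = XENC_NS + "aes256-cbc";
    private static final String RSA_OAEP_MGF1P = XENC_NS + "rsa-oaep-mgf1p";
    private static final String RSA_SHA1 = DSIG_NS + "rsa-sha1";
    private static final String DSA_SHA1 = DSIG_NS + "dsa-sha1";

    private static final String HOST_NAME_PROPERTY = "HostName";
    private static final String KEY_ALIAS_PROPERTY = "Security.KeyStore.KeyAlias";

    /** Validity window of the issued assertion (5 minutes, the original 300000 ms). */
    private static final long TOKEN_LIFETIME_MILLIS = 5L * 60L * 1000L;
    /** Size in bits of the symmetric key wrapped for the relying party. */
    private static final int ENCRYPTED_KEY_SIZE_BITS = 256;
    /**
     * WSS4J key identifier type for the EncryptedKey's KeyInfo. 8 is WSConstants.THUMBPRINT_IDENTIFIER
     * in WSS4J 1.5 — confirm against the WSS4J version actually bundled.
     */
    private static final int KEY_IDENTIFIER_TYPE = 8;

    String confileFilePath;
    /** Data of the request currently being processed; see the class Javadoc for the sharing caveat. */
    IdentityProviderData ipData;
    public static final String ISSUER_SELF = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self";

    /**
     * Returns the WS-Addressing action of an Issue response.
     *
     * @param rahasData request data (unused; the action is fixed)
     * @return the WS-Trust 2005/02 RSTR/Issue action URI
     */
    public String getResponseAction(RahasData rahasData) throws TrustException {
        return RSTR_ISSUE_ACTION;
    }

    /**
     * Issues a token for the Information Card named in the request.
     * <p>
     * The card must exist and be within its issue/expiry window; otherwise the failure is
     * recorded via {@link ReportAdmin} and a {@code RequestFailed} fault is raised.
     *
     * @param rahasData the parsed RST and its message context
     * @return the SOAP envelope carrying the RSTR
     * @throws TrustException if the card is invalid or the response cannot be built
     */
    public SOAPEnvelope issue(RahasData rahasData) throws TrustException {
        boolean debug = log.isDebugEnabled();
        if (debug) {
            log.debug("issue");
            try {
                log.debug("Request: \n" + rahasData.getRstElement().toString() + "\n\n");
            } catch (Exception e) {
                throw new TrustException("RequestFailed", e);
            }
        }
        IdentityProviderData requestData;
        try {
            requestData = new IdentityProviderData(rahasData);
            // Kept for package-level readers; the helpers below use the local instead.
            this.ipData = requestData;
            if (!isValidCard(requestData.getCardID())) {
                log.error("Invalid information card");
                ReportAdmin.record(requestData.getUserIdentifier(), ActionDO.ACTION_TOKEN_ISSUE_FAILURE,
                        "Invalid information card");
                throw new TrustException("RequestFailed");
            }
        } catch (IdentityProviderException e) {
            // Surface a uniform WS-Trust fault to the requester; details stay in the cause.
            throw new TrustException("RequestFailed", e);
        }
        if (debug) {
            log.debug("Card is validated");
        }
        SOAPEnvelope response = createResponse(rahasData, requestData);
        // Logged on the success path only; the failure paths log and audit themselves.
        log.info("Issued token");
        return response;
    }

    /**
     * Builds the response envelope: signs (and optionally encrypts) the assertion, creates the
     * RSTR and records the issued token.
     *
     * @param rahasData   the request
     * @param requestData card, claims and relying-party data derived from the request
     * @return the response envelope
     * @throws TrustException on any failure; the failure is also recorded via {@link ReportAdmin}
     */
    private SOAPEnvelope createResponse(RahasData rahasData, IdentityProviderData requestData) throws TrustException {
        Date issued = new Date();
        Date expires = new Date(issued.getTime() + TOKEN_LIFETIME_MILLIS);
        // The response is built on a DOOM tree so the DOM-based OpenSAML/WSS4J/xmlsec APIs and
        // Axiom can share the same nodes. The flag appears to be process-wide, hence the finally.
        DocumentBuilderFactoryImpl.setDOOMRequired(true);
        try {
            String soapNamespace = rahasData.getInMessageContext().getEnvelope().getNamespace().getNamespaceURI();
            SOAPEnvelope envelope = TrustUtil.createSOAPEnvelope(soapNamespace);
            Document doc = ((Element) envelope).getOwnerDocument();

            WSSecEncryptedKey encryptedKey = null;
            X509Certificate rpCert = requestData.getRpCert();
            if (rpCert != null) {
                // Wrap a fresh symmetric key for the relying party; the assertion is encrypted
                // under it in encryptSAMLAssertion. Without an RP certificate the assertion is
                // returned signed but in the clear.
                encryptedKey = new WSSecEncryptedKey();
                encryptedKey.setUseThisCert(rpCert);
                encryptedKey.setKeySize(ENCRYPTED_KEY_SIZE_BITS);
                encryptedKey.setKeyEncAlgo(RSA_OAEP_MGF1P);
                encryptedKey.setKeyIdentifierType(KEY_IDENTIFIER_TYPE);
                encryptedKey.prepare(doc, (Crypto) null);
                // Declare the prefixes the serialized EncryptedKey relies on.
                OMElement encryptedKeyElement = (OMElement) encryptedKey.getEncryptedKeyElement();
                encryptedKeyElement.declareNamespace(DSIG_NS, "ds");
                encryptedKeyElement.declareNamespace(XENC_NS, "xenc");
            }

            String issuer = "http://" + ServerConfiguration.getInstance().getFirstProperty(HOST_NAME_PROPERTY);
            SAMLAssertion assertion = new SAMLAssertion(issuer, issued, expires, (Collection) null, (Collection) null,
                    Arrays.asList(createSAMLStatements(requestData, rahasData)));

            String keyAlias = ServerConfiguration.getInstance().getFirstProperty(KEY_ALIAS_PROPERTY);
            X509Certificate[] chain = KeyUtil.getServiceCertificateChain(keyAlias);
            // NOTE(review): both signature algorithms are SHA-1 based. Moving to a SHA-256 variant
            // is advisable, but interoperability with the identity selectors this STS serves
            // should be verified first.
            String signatureAlgorithm = "DSA".equalsIgnoreCase(chain[0].getPublicKey().getAlgorithm())
                    ? DSA_SHA1 : RSA_SHA1;
            assertion.sign(signatureAlgorithm, KeyUtil.getPrivateKey(keyAlias), Arrays.asList(chain));

            OMElement rstr = createRSTR(rahasData, requestData, issued, expires, envelope, doc, assertion, encryptedKey);
            if (log.isDebugEnabled()) {
                log.debug("Response created");
                // Contains the released claims (including the PPID); debug level only.
                log.debug("Response body : \n" + rstr.toString() + "\n\n");
            }

            IPPersistenceManager persistence = IPPersistenceManager.getPersistanceManager();
            IssuedTokensDO issuedToken = new IssuedTokensDO();
            issuedToken.setCard(persistence.getInfoCard(requestData.getCardID()));
            issuedToken.setDateExpires(expires);
            issuedToken.setDateIssued(issued);
            issuedToken.setTokenType(rahasData.getTokenType());
            persistence.create(issuedToken);

            log.info("Response ready for : " + requestData.getCardID());
            return envelope;
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            try {
                ReportAdmin.record(requestData.getUserIdentifier(), ActionDO.ACTION_TOKEN_ISSUE_FAILURE, e.getMessage());
            } catch (IdentityProviderException auditFailure) {
                // Do not let a failed audit write hide the original failure.
                log.error("Could not record token issue failure", auditFailure);
            }
            throw new TrustException("RequestFailed", e);
        } finally {
            DocumentBuilderFactoryImpl.setDOOMRequired(false);
        }
    }

    /**
     * Creates the RequestSecurityTokenResponse under the envelope body: token type, display
     * token, key size and AppliesTo (encrypted case only), lifetime, the assertion itself and the
     * attached/unattached references. The assertion is also placed in the Rahas token store.
     *
     * @param rahasData    the request
     * @param requestData  per-request card and claim data
     * @param issued       assertion NotBefore / token creation time
     * @param expires      assertion NotOnOrAfter / token expiry
     * @param envelope     response envelope to attach the RSTR to
     * @param doc          DOOM document owning the envelope
     * @param assertion    the signed assertion
     * @param encryptedKey key wrapped for the relying party, or {@code null} to leave the assertion unencrypted
     * @return the RSTR element
     */
    private OMElement createRSTR(RahasData rahasData, IdentityProviderData requestData, Date issued, Date expires,
            SOAPEnvelope envelope, Document doc, SAMLAssertion assertion, WSSecEncryptedKey encryptedKey)
            throws TrustException, SAMLException, IdentityProviderException {
        if (log.isDebugEnabled()) {
            log.debug("Begin RSTR Element creation.");
        }
        int version = rahasData.getVersion();
        OMElement rstr = TrustUtil.createRequestSecurityTokenResponseElement(version, envelope.getBody());
        TrustUtil.createTokenTypeElement(version, rstr).setText(rahasData.getTokenType());
        createDisplayToken(rstr, requestData);

        if (encryptedKey != null) {
            int keySize = rahasData.getKeysize();
            if (keySize == -1) {
                // No size requested: report the size of the key that was actually generated.
                keySize = encryptedKey.getEphemeralKey().length * 8;
            }
            TrustUtil.createKeySizeElement(version, rstr, keySize);
            OMElement appliesToEpr = importAppliesToEpr(doc, rahasData);
            OMElement appliesTo = rstr.getOMFactory().createOMElement(new QName(WSP_NS, "AppliesTo", "wsp"), rstr);
            appliesTo.addChild(appliesToEpr);
        }

        XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();
        TrustUtil.createLifetimeElement(version, rstr, dateFormat.format(issued), dateFormat.format(expires));

        OMElement requestedToken = TrustUtil.createRequestedSecurityTokenElement(version, rstr);
        OMNode assertionNode = (OMNode) doc.importNode(assertion.toDOM(), true);
        requestedToken.addChild(assertionNode);
        if (log.isDebugEnabled()) {
            log.debug(assertionNode.toString());
        }
        if (encryptedKey != null) {
            // Encrypt in place: the RequestedSecurityToken then carries xenc:EncryptedData.
            encryptSAMLAssertion(doc, (Element) assertionNode, encryptedKey);
        }

        String assertionId = assertion.getId();
        createAttachedRef(rstr, assertionId);
        createUnattachedRef(rstr, assertionId);

        // A separate, unencrypted copy goes into the Rahas token store together with the
        // ephemeral key.
        Token token = new Token(assertionId, (OMElement) doc.importNode(assertion.toDOM(), true), issued, expires);
        token.setSecret(rahasData.getEphmeralKey());
        MessageContext inMessageContext = rahasData.getInMessageContext();
        TrustUtil.getTokenStore(inMessageContext).add(token);

        if (log.isDebugEnabled()) {
            log.debug("RSTR Elem created.");
        }
        log.info("RSTR ready with token : " + assertionId);
        return rstr;
    }

    /**
     * Re-parses the request's AppliesTo EPR and imports it into {@code doc} so it can be
     * attached to the RSTR as an Axiom node of the response tree.
     *
     * @throws TrustException if the EPR cannot be parsed or imported
     */
    private OMElement importAppliesToEpr(Document doc, RahasData rahasData) throws TrustException {
        try {
            // NOTE(review): this text originates in the client's request. It is Axiom's
            // re-serialization of an already parsed element, so it should not carry a DOCTYPE,
            // but hardening the factory (FEATURE_SECURE_PROCESSING / disallowing DOCTYPE) is
            // still advisable if the DOOM factory selected while DOOM is required supports it.
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // Explicit charset: the serialized XML has no declaration, so the parser assumes UTF-8.
            byte[] eprXml = rahasData.getAppliesToEpr().toString().getBytes("UTF-8");
            Element parsedEpr = factory.newDocumentBuilder().parse(new ByteArrayInputStream(eprXml)).getDocumentElement();
            return (OMElement) doc.importNode(parsedEpr, true);
        } catch (Exception e) {
            // Fail the request rather than attach an empty AppliesTo.
            throw new TrustException("RequestFailed", e);
        }
    }

    /** Adds wst:RequestedAttachedReference pointing at the assertion by its SAML assertion ID. */
    private void createAttachedRef(OMElement rstr, String assertionId) {
        createAssertionIdReference(rstr, "RequestedAttachedReference", assertionId);
    }

    /** Adds wst:RequestedUnattachedReference pointing at the assertion by its SAML assertion ID. */
    private void createUnattachedRef(OMElement rstr, String assertionId) {
        createAssertionIdReference(rstr, "RequestedUnattachedReference", assertionId);
    }

    /**
     * Builds {@code wst:<referenceLocalName>/wsse:SecurityTokenReference/wsse:KeyIdentifier}
     * with the SAML assertion ID value type and the assertion ID as text.
     *
     * @param rstr               parent RSTR element
     * @param referenceLocalName {@code RequestedAttachedReference} or {@code RequestedUnattachedReference}
     * @param assertionId        the assertion's ID
     */
    private void createAssertionIdReference(OMElement rstr, String referenceLocalName, String assertionId) {
        OMFactory factory = rstr.getOMFactory();
        OMElement reference = factory.createOMElement(new QName(WST_NS, referenceLocalName, "wst"), rstr);
        OMElement securityTokenReference = factory.createOMElement(
                new QName(WSSE_NS, "SecurityTokenReference", "wsse"), reference);
        OMElement keyIdentifier = factory.createOMElement(new QName(WSSE_NS, "KeyIdentifier", "wsse"), securityTokenReference);
        keyIdentifier.addAttribute("ValueType", SAML_ASSERTION_ID_VALUE_TYPE, (OMNamespace) null);
        keyIdentifier.setText(assertionId);
    }

    /**
     * Replaces {@code assertionElement} in {@code doc} with an xenc:EncryptedData encrypted
     * under the ephemeral key of {@code encryptedKey}; the EncryptedKey element itself becomes
     * the KeyInfo of the EncryptedData.
     *
     * @throws TrustException if encryption fails
     */
    private void encryptSAMLAssertion(Document doc, Element assertionElement, WSSecEncryptedKey encryptedKey)
            throws TrustException {
        try {
            // NOTE(review): AES-CBC without an integrity mechanism is what XML Encryption 1.0
            // offers; the assertion inside is signed, which is what protects its content.
            XMLCipher cipher = XMLCipher.getInstance(AES256_CBC);
            cipher.init(XMLCipher.ENCRYPT_MODE,
                    WSSecurityUtil.prepareSecretKey(AES256_CBC, encryptedKey.getEphemeralKey()));
            KeyInfo keyInfo = new KeyInfo(doc);
            keyInfo.addUnknownElement(encryptedKey.getEncryptedKeyElement());
            EncryptedData encryptedData = cipher.getEncryptedData();
            // Existing ID scheme; it only has to be unique within this response.
            encryptedData.setId("EncDataId-" + assertionElement.hashCode());
            encryptedData.setKeyInfo(keyInfo);
            // content=false: encrypt the element itself, not just its children.
            cipher.doFinal(doc, assertionElement, false);
        } catch (Exception e) {
            throw new TrustException("RequestFailed", e);
        }
    }

    /**
     * Adds the RequestedDisplayToken listing every requested claim with its display name and
     * value. The PPID is shown in its display form rather than the raw value.
     *
     * @param rstr        parent RSTR element
     * @param requestData source of the requested claims and display names
     * @return the RequestedDisplayToken element, or {@code null} when no claims were requested
     * @throws IdentityProviderException if a display claim cannot be created
     */
    private OMElement createDisplayToken(OMElement rstr, IdentityProviderData requestData) throws IdentityProviderException {
        if (log.isDebugEnabled()) {
            log.debug("Begin Display token creation.");
        }
        Map requestedClaims = requestData.getRequestedClaims();
        if (requestedClaims.isEmpty()) {
            return null;
        }
        OMElement requestedDisplayToken = IdentityProviderUtil.createRequestedDisplayToken(rstr, requestData);
        OMElement displayToken = IdentityProviderUtil.createDisplayToken(requestedDisplayToken, requestData);
        try {
            for (Object entry : requestedClaims.values()) {
                IdentityProviderData.RequestedClaimData claim = (IdentityProviderData.RequestedClaimData) entry;
                String displayName = requestData.getDisplayName(claim.uri);
                String displayValue = PPID_CLAIM.equals(claim.uri)
                        ? IdentityUtil.getPPIDDisplayValue(claim.value)
                        : claim.value;
                IdentityProviderUtil.createDisplayClaim(displayToken, displayName, displayValue, claim.uri);
            }
            if (log.isDebugEnabled()) {
                log.debug("createDisplayToken");
            }
            return requestedDisplayToken;
        } catch (Exception e) {
            throw new IdentityProviderException(e.getMessage(), e);
        }
    }

    /**
     * Turns the requested claims into a single holder-of-key SAML attribute statement. The
     * PPID claim is resolved (or minted) per relying party before the statement is built.
     *
     * @return a one-element array holding the attribute statement
     * @throws IdentityProviderException if a claim has no value, is not known to the provider
     *                                   (and not optional), or its URI cannot be split into
     *                                   namespace and name
     */
    private SAMLStatement[] createSAMLStatements(IdentityProviderData requestData, RahasData rahasData)
            throws SAMLException, IdentityProviderException {
        if (log.isDebugEnabled()) {
            log.debug("Begin SAML statement creation.");
        }
        // Subject confirmation is always holder-of-key; no name identifier is released.
        SAMLSubject subject = new SAMLSubject((SAMLNameIdentifier) null, Arrays.asList(HOLDER_OF_KEY),
                (Element) null, (Object) null);
        Map requestedClaims = requestData.getRequestedClaims();
        List<SAMLAttribute> attributes = new ArrayList<SAMLAttribute>();
        for (Object entry : requestedClaims.values()) {
            IdentityProviderData.RequestedClaimData claim = (IdentityProviderData.RequestedClaimData) entry;
            String claimUri = claim.uri;
            if (PPID_CLAIM.equals(claimUri)) {
                claim.value = getPPID(rahasData, requestData.getUserIdentifier(), rahasData.getAppliesToEpr());
            }
            if (claim.value == null) {
                throw new IdentityProviderException("noValueForRequestedAttribute", new String[]{claimUri});
            }
            if (requestData.getDisplayName(claimUri) == null && !claim.bOptional) {
                throw new IdentityProviderException("unknownClaimUri", new String[]{claimUri});
            }
            // The SAML attribute namespace is the claim URI up to its last '/', the name the rest.
            int lastSlash = claimUri.lastIndexOf('/');
            if (lastSlash < 0) {
                // Would otherwise fail with an index error deep inside substring.
                throw new IdentityProviderException("unknownClaimUri", new String[]{claimUri});
            }
            String attributeName = claimUri.substring(lastSlash + 1);
            String attributeNamespace = claimUri.substring(0, lastSlash);
            attributes.add(new SAMLAttribute(attributeName, attributeNamespace, (QName) null, -1L,
                    Arrays.asList(claim.value)));
        }
        SAMLStatement[] statements = {new SAMLAttributeStatement(subject, attributes)};
        if (log.isDebugEnabled()) {
            log.debug("SAML statements created");
        }
        return statements;
    }

    /**
     * Returns the user's private personal identifier for the relying party named in the
     * request's AppliesTo, creating and persisting one on first use.
     *
     * @param rahasData request (source of the AppliesTo host name)
     * @param userId    the user the PPID belongs to
     * @param appliesTo the AppliesTo EPR (currently unused; the host name is taken via IdentityProviderUtil)
     * @return the existing or newly minted PPID
     * @throws IdentityProviderException if a stored PPID of the user has no relying party at all
     */
    private String getPPID(RahasData rahasData, String userId, OMElement appliesTo) throws IdentityProviderException {
        String rpHostName = IdentityProviderUtil.getAppliesToHostName(rahasData);
        IPPersistenceManager persistence = IPPersistenceManager.getPersistanceManager();
        PPIDValueDO[] storedValues = persistence.getPPIDValuesForUser(userId);
        PPIDValueDO match = null;
        for (PPIDValueDO stored : storedValues) {
            String storedHostName = null;
            if (stored.getRelyingParty() != null) {
                storedHostName = stored.getRelyingParty().getHostName();
            } else if (stored.getPersonalRelyingParty() != null) {
                storedHostName = stored.getPersonalRelyingParty().getIdentifier().getHostName();
            }
            if (storedHostName == null) {
                // Report the host being resolved; the stored record has no host name to report.
                throw new IdentityProviderException("hostNotTrusted", new String[]{rpHostName});
            }
            if (rpHostName.equals(storedHostName)) {
                match = stored;
            }
        }
        if (match != null) {
            return match.getPpid();
        }
        // First use for this relying party: mint an unguessable PPID. java.util.UUID.randomUUID()
        // is SecureRandom-backed; Axiom's UUIDGenerator is not documented as cryptographically strong.
        String ppid = Base64.encode(UUID.randomUUID().toString().getBytes());
        PPIDValueDO created = new PPIDValueDO();
        created.setUserId(userId);
        created.setPpid(ppid);
        RelyingPartyDO relyingParty = persistence.getRelyingParty(rpHostName);
        if (relyingParty != null) {
            created.setRelyingParty(relyingParty);
        } else {
            // Not a registered relying party: bind the PPID to the user's personal RP record.
            created.setPersonalRelyingParty(persistence.getPersonalRelyingParty(userId, rpHostName));
        }
        persistence.create(created);
        return ppid;
    }

    /** No configuration element is used by this issuer. */
    public void setConfigurationElement(OMElement configElement) {
    }

    /**
     * Remembers the configuration file path given by Rahas; it is not read by this class.
     *
     * @param configFilePath path of the issuer configuration file
     */
    public void setConfigurationFile(String configFilePath) {
        this.confileFilePath = configFilePath;
    }

    /** No configuration parameter is used by this issuer. */
    public void setConfigurationParamName(String paramName) {
    }

    /**
     * Checks that the card exists and that now lies strictly between its issue and expiry dates.
     *
     * @param cardId identifier of the Information Card
     * @return {@code true} if the card is known and currently valid
     */
    private boolean isValidCard(String cardId) throws IdentityProviderException {
        if (log.isDebugEnabled()) {
            log.debug("Begin Validating card.");
        }
        InfoCardDO card = IPPersistenceManager.getPersistanceManager().getInfoCard(cardId);
        if (card == null) {
            return false;
        }
        // A Date is an absolute instant, so this equals the UTC-calendar time the original used.
        Date now = new Date();
        // Both bounds are exclusive.
        return now.before(card.getDateExpires()) && now.after(card.getDateIssued());
    }
}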
