package org.wso2.solutions.identity.relyingparty.saml;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.URI;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.crypto.SecretKey;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.processor.EncryptedKeyProcessor;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.Init;
import org.apache.xml.security.encryption.XMLCipher;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.wso2.solutions.identity.i18n.Messages;
import org.wso2.solutions.identity.relyingparty.RelyingPartyException;
import org.wso2.solutions.identity.relyingparty.TokenVerifierConstants;
import org.wso2.solutions.identity.relyingparty.saml.tokens.SAML1TokenHolder;
import org.wso2.solutions.identity.relyingparty.saml.tokens.SAML2TokenHolder;
import org.wso2.solutions.identity.relyingparty.saml.tokens.TokenHolder;
import org.wso2.solutions.identity.relyingparty.servletfilter.RelyingPartyData;

/* loaded from: input_file:org/wso2/solutions/identity/relyingparty/saml/SAMLTokenVerifier.class */
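/**
 * Decrypts an encrypted SAML token with the relying party's private key and then
 * verifies the decrypted assertion: selects a SAML 1.x or SAML 2.0 token holder by
 * namespace, resolves the issuer's signing credential (trust store first, the
 * token's own KeyInfo as fallback), applies the configured validate policy
 * (promiscuous / black list / white list) and finally validates the XML signature.
 *
 * <p>A successful verification leaves the issuer name, the issuer's signing
 * certificate (non-promiscuous policies only), the KeyInfo element (self-issued
 * tokens only) and the assertion's attributes available through the getters.
 * Instances are stateful and not thread-safe; use one per token.
 */
public class SAMLTokenVerifier {
    private static Log log = LogFactory.getLog(SAMLTokenVerifier.class);
    private static Messages messages = Messages.getInstance(TokenVerifierConstants.RESOURCES);

    /** Namespace of a SAML 1.0/1.1 assertion element. */
    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    /** WS-Security SAML token profile 1.1 identifier, treated as a SAML 1.x token. */
    private static final String WSS_SAML11_NS = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    /** Namespace of a SAML 2.0 assertion element. */
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    /** Issuer URI carried by self-issued information cards; their key comes from the token itself. */
    private static final String SELF_ISSUED_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self";
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    /** Algorithm identifier handed to WSS4J when turning the decrypted key bytes into a SecretKey. */
    private static final String AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";

    // Attributes of the verified assertion, filled by the token holder; keys/values
    // are whatever the holder puts there (raw types kept from the original API).
    private Hashtable attributeTable = new Hashtable();
    // Exposed through getCertificates(); nothing in this class adds to it.
    private List certificates = new ArrayList();
    // KeyInfo DOM of the signature, recorded for self-issued tokens only.
    private Element keyInfoElement = null;
    private String issuerName = null;
    private boolean isMultipleValues = false;
    // Issuer certificate, set only when a non-promiscuous validate policy was applied.
    private X509Certificate signingCert = null;

    /**
     * Parses the encrypted token text and decrypts it with the given private key.
     *
     * @param str        the encrypted token as XML text (xenc:EncryptedData with an EncryptedKey in its KeyInfo)
     * @param privateKey the relying party's key that unwraps the session key
     * @return the document element of the decrypted token
     * @throws RelyingPartyException with key "verificationFailure" if the text is missing, cannot be parsed
     *                               securely, or cannot be decrypted
     */
    public Element decryptToken(String str, PrivateKey privateKey) throws RelyingPartyException {
        if (str == null || privateKey == null) {
            throw new RelyingPartyException("verificationFailure");
        }
        try {
            if (log.isDebugEnabled()) {
                log.debug(messages.getMessage("receivedEncryuptedToken", new String[]{str}));
            }
            // Decode with an explicit charset; the platform default is not guaranteed to match
            // the encoding the token was transported in.
            ByteArrayInputStream in = new ByteArrayInputStream(str.getBytes("UTF-8"));
            Document doc = newSecureDocumentBuilder().parse(in);
            return decryptElement(privateKey, doc.getDocumentElement());
        } catch (Exception e) {
            throw new RelyingPartyException("verificationFailure", e);
        }
    }

    /**
     * Builds a namespace-aware parser hardened for attacker-controlled XML: DTDs and
     * external entities are refused so the token cannot be used for XXE or
     * entity-expansion attacks. If the underlying parser does not support one of the
     * features the exception propagates and parsing fails closed.
     *
     * @return a DocumentBuilder that rejects DOCTYPE declarations and external entities
     * @throws ParserConfigurationException if a required feature cannot be set
     */
    private static DocumentBuilder newSecureDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /**
     * Verifies an already decrypted SAML assertion against the relying party's configuration.
     *
     * <p>Resolution of the issuer credential: a self-issued token is verified with the key
     * in its own signature and no trust policy is applied. For any other issuer the
     * credential is looked up in the trust store by the issuer URI's host; if absent it is
     * taken from the token's signature, in which case the system-store check must pass.
     * Unless the policy is promiscuous the issuer certificate must be present, be valid at
     * this time, and satisfy the black-list or white-list check the policy selects.
     * Only a trusted issuer has its signature validated and its attributes collected.
     *
     * @param element          the decrypted assertion element
     * @param relyingPartyData trust store, system store, validate policy and lists
     * @return true if the issuer is trusted and the signature validated; false if a
     *         system-store, black-list or white-list check rejected the issuer
     * @throws RelyingPartyException for an unknown token namespace ("invalidTokenType"), a missing
     *                               issuer ("issuerIsNull"), an unresolvable credential ("credentialIsNull"),
     *                               a missing issuer certificate ("signingCertNull"), and as
     *                               "errorInTokenVerification" for any other failure including an
     *                               expired certificate or an invalid signature
     */
    public boolean verifyDecryptedToken(Element element, RelyingPartyData relyingPartyData) throws RelyingPartyException {
        if (log.isDebugEnabled()) {
            log.debug(messages.getMessage("verifyingDecryptedToken"));
            // Debug output goes to the log only. The previous dump of the decrypted assertion to
            // last_msg.xml in the working directory persisted attribute data in clear text and
            // left the writer open when the write failed.
            log.debug(DOM2Writer.nodeToString(element));
        }
        try {
            TokenHolder tokenHolder = newTokenHolder(element.getNamespaceURI());
            tokenHolder.createToken(element);
            this.issuerName = tokenHolder.getIssuerName();
            if (this.issuerName == null) {
                throw new RelyingPartyException("issuerIsNull");
            }
            Signature samlSignature = tokenHolder.getSAMLSignature();
            if (samlSignature == null) {
                // An unsigned assertion cannot be bound to any issuer; refuse it explicitly
                // instead of failing later with a NullPointerException.
                throw new RelyingPartyException("errorInTokenVerification", new Object[]{"assertion is not signed"});
            }

            boolean trusted = true;
            X509CredentialImpl credential;
            if (SELF_ISSUED_ISSUER.equals(this.issuerName)) {
                credential = (X509CredentialImpl) X509CredentialUtil.loadCredentialFromSignature(samlSignature);
                if (credential == null) {
                    throw new RelyingPartyException("credentialIsNull");
                }
                this.keyInfoElement = samlSignature.getKeyInfo().getDOM();
            } else {
                KeyStore trustStore = relyingPartyData.getTrustStore();
                String host = new URI(this.issuerName).getHost();
                credential = null;
                if (trustStore != null && host != null) {
                    credential = (X509CredentialImpl) X509CredentialUtil.loadCredentialFromTrustStore(host, trustStore);
                }
                // Fall back to the key the token itself presents; such a key is only trusted
                // after the system-store check in applyValidatePolicy.
                boolean credentialFromToken = false;
                if (credential == null) {
                    credential = (X509CredentialImpl) X509CredentialUtil.loadCredentialFromSignature(samlSignature);
                    if (credential == null) {
                        throw new RelyingPartyException("credentialIsNull");
                    }
                    credentialFromToken = true;
                }
                trusted = applyValidatePolicy(credential, credentialFromToken, relyingPartyData);
            }

            if (trusted) {
                // Throws if the signature does not verify against the resolved credential.
                new SignatureValidator(credential).validate(samlSignature);
                tokenHolder.populateAttributeTable(this.attributeTable);
            }
            if (log.isDebugEnabled()) {
                log.debug(messages.getMessage("verifyingDecryptedTokenDone"));
            }
            return trusted;
        } catch (RelyingPartyException e) {
            // Already carries the specific message key; do not hide it behind the generic one.
            log.debug(e.getMessage(), e);
            throw e;
        } catch (Exception e) {
            log.debug(e.getMessage(), e);
            throw new RelyingPartyException("errorInTokenVerification", new Object[]{e.getMessage()});
        }
    }

    /**
     * Chooses the token holder for an assertion by its namespace.
     *
     * @param namespaceURI namespace of the assertion element, may be null
     * @return a SAML 1.x holder for the SAML 1.0 or WSS SAML 1.1 namespace, a SAML 2.0 holder otherwise
     * @throws RelyingPartyException "invalidTokenType" for any other (or missing) namespace
     */
    private static TokenHolder newTokenHolder(String namespaceURI) throws RelyingPartyException {
        if (SAML1_NS.equals(namespaceURI) || WSS_SAML11_NS.equals(namespaceURI)) {
            return new SAML1TokenHolder();
        }
        if (SAML2_NS.equals(namespaceURI)) {
            return new SAML2TokenHolder();
        }
        throw new RelyingPartyException("invalidTokenType", new String[]{String.valueOf(namespaceURI)});
    }

    /**
     * Applies the relying party's validate policy to the issuer credential and records the
     * issuer certificate in {@code signingCert}.
     *
     * @param credential          the resolved issuer credential
     * @param credentialFromToken true if the credential came from the token's own signature rather
     *                            than the trust store, in which case it must pass the system-store check
     * @param relyingPartyData    policy, stores and lists
     * @return true if the issuer passes every check the policy requires; false if the
     *         system-store, black-list or white-list check rejects it
     * @throws Exception if no policy is configured, the certificate is missing ("signingCertNull"),
     *                   or it is not valid at this time (CertificateException from checkValidity)
     */
    private boolean applyValidatePolicy(X509CredentialImpl credential, boolean credentialFromToken,
                                        RelyingPartyData relyingPartyData) throws Exception {
        String validatePolicy = relyingPartyData.getValidatePolicy();
        if (validatePolicy == null) {
            // Fail closed: an unconfigured policy must not silently behave like any particular one.
            throw new RelyingPartyException("errorInTokenVerification", new Object[]{"validate policy is not configured"});
        }
        if (TokenVerifierConstants.PROMISCUOUS.equals(validatePolicy)) {
            // Promiscuous: any issuer whose signature validates is accepted; no certificate checks.
            return true;
        }
        this.signingCert = credential.getSigningCert();
        if (this.signingCert == null) {
            throw new RelyingPartyException("signingCertNull");
        }
        // Throws CertificateExpiredException / CertificateNotYetValidException.
        this.signingCert.checkValidity();

        boolean trusted = true;
        if (credentialFromToken && !IssuerCertificateUtil.checkSystemStoree(this.signingCert,
                relyingPartyData.getTrustStore(), relyingPartyData.getSystemStore())) {
            trusted = false;
        }
        if (TokenVerifierConstants.BLACK_LIST.equals(validatePolicy)
                && !IssuerCertificateUtil.doBlackListCheck(relyingPartyData.getBlackList(), this.signingCert)) {
            trusted = false;
        }
        if (TokenVerifierConstants.WHITE_LIST.equals(validatePolicy)
                && !IssuerCertificateUtil.doWhiteListCheck(relyingPartyData.getWhiteList(), this.signingCert)) {
            trusted = false;
        }
        return trusted;
    }

    /**
     * Decrypts an xenc:EncryptedData element in place: unwraps the session key found in
     * its KeyInfo/EncryptedKey with the private key, then decrypts the element.
     *
     * @param privateKey key that unwraps the EncryptedKey
     * @param element    the EncryptedData element
     * @return the document element of the decrypted content
     * @throws Exception if the KeyInfo or EncryptedKey element is missing ("verificationFailure"),
     *                   or unwrapping / decryption fails
     */
    private Element decryptElement(PrivateKey privateKey, Element element) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug(messages.getMessage("decryptingToken"));
        }
        Element keyInfo = firstDescendant(element, XMLDSIG_NS, "KeyInfo");
        if (keyInfo == null) {
            throw new RelyingPartyException("verificationFailure");
        }
        Element encryptedKey = firstDescendant(keyInfo, XMLENC_NS, "EncryptedKey");
        if (encryptedKey == null) {
            throw new RelyingPartyException("verificationFailure");
        }
        EncryptedKeyProcessor keyProcessor = new EncryptedKeyProcessor();
        keyProcessor.handleEncryptedKey(encryptedKey, privateKey);
        // NOTE(review): the algorithm is fixed to AES-128-CBC when building the SecretKey rather
        // than read from the EncryptedData's EncryptionMethod; XMLCipher with no algorithm takes
        // the actual cipher from the element on decrypt, so this should only name the key
        // type — confirm against the tokens actually received.
        SecretKey sessionKey = WSSecurityUtil.prepareSecretKey(AES128_CBC, keyProcessor.getDecryptedBytes());
        XMLCipher cipher = XMLCipher.getInstance();
        cipher.init(XMLCipher.DECRYPT_MODE, sessionKey);
        Document decrypted = cipher.doFinal(element.getOwnerDocument(), element);
        if (log.isDebugEnabled()) {
            log.debug(messages.getMessage("decryptingTokenDone"));
        }
        return decrypted.getDocumentElement();
    }

    /**
     * Returns the first descendant of {@code parent} with the given namespace and local name,
     * or null if there is none.
     */
    private static Element firstDescendant(Element parent, String namespaceURI, String localName) {
        return (Element) parent.getElementsByTagNameNS(namespaceURI, localName).item(0);
    }

    /** @return the issuer certificate checked by a non-promiscuous policy, or null */
    public X509Certificate getSigningCert() {
        return this.signingCert;
    }

    /** @return the live attribute table of the verified assertion (not a copy) */
    public Hashtable getAttributeTable() {
        return this.attributeTable;
    }

    /** @return the live certificate list; this class never adds to it */
    public List getCertificates() {
        return this.certificates;
    }

    /** @return the signature's KeyInfo element, set for self-issued tokens only */
    public Element getKeyInfoElement() {
        return this.keyInfoElement;
    }

    /** @return the issuer name read from the last verified token */
    public String getIssuerName() {
        return this.issuerName;
    }

    public void setIssuerName(String str) {
        this.issuerName = str;
    }

    public boolean isMultipleValues() {
        return this.isMultipleValues;
    }

    public void setMultipleValues(boolean z) {
        this.isMultipleValues = z;
    }

    static {
        // Initialise Apache XML Security before any XMLCipher use.
        Init.init();
    }
}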
