package com.sun.identity.liberty.ws.security;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.am.util.XMLUtils;
import com.iplanet.services.util.Base64;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.common.DateUtils;
import com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
import com.sun.identity.liberty.ws.disco.EncryptedResourceID;
import com.sun.identity.saml.assertion.AuthenticationStatement;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.assertion.SubjectConfirmation;
import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.common.SAMLServiceManager;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml.xmlsig.XMLSignatureManager;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Text;
import securecomputing.swec.Eassp2Const;

/* loaded from: input_file:119465-02/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/liberty/ws/security/AMSecurityTokenProvider.class */
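/**
 * {@link SecurityTokenProvider} backed by an Access Manager SSO token.
 *
 * <p>The provider is handed an {@link SSOToken} and an {@link XMLSignatureManager} in
 * {@link #initialize}; the token is validated there and its authentication type and
 * instant are remembered for later SAML authentication statements. It can then issue
 * <ul>
 *   <li>a WS-Security {@link BinarySecurityToken} carrying the WSC X.509 certificate, and</li>
 *   <li>SAML 1.x {@link SecurityAssertion}s (authentication, resource-access and
 *       session-context statements) signed with the trusted-authority key whose alias is
 *       configured by {@code com.sun.identity.liberty.ws.ta.certalias}.</li>
 * </ul>
 *
 * <p>Confirmation methods matter for relying parties: authorization tokens bind the subject to
 * the WSC key (holder-of-key, or sender-vouches when a session context is proxied), whereas the
 * bearer variants are confirmed by possession alone and carry no key material.
 *
 * <p>Not thread-safe: certificate alias and certificate are mutable instance state.
 */
public class AMSecurityTokenProvider implements SecurityTokenProvider {

    /** System property naming the default alias of the web-service-client (WSC) certificate. */
    private static final String DEFAULT_CERT_ALIAS_KEY = "com.sun.identity.liberty.ws.wsc.certalias";
    private static final String DEFAULT_CERT_ALIAS_VALUE = SystemProperties.get(DEFAULT_CERT_ALIAS_KEY);
    /** System property naming the trusted-authority (TA) key alias used to sign issued assertions. */
    private static final String DEFAULT_TA_CERT_ALIAS_KEY = "com.sun.identity.liberty.ws.ta.certalias";
    private static final String DEFAULT_TA_CERT_ALIAS_VALUE = SystemProperties.get(DEFAULT_TA_CERT_ALIAS_KEY);
    /** System property selecting the ds:KeyInfo form: full certificate, or key name plus raw key value. */
    private static final String KEYINFO_TYPE = "com.sun.identity.liberty.ws.security.keyinfotype";
    private static final String keyInfoType = SystemProperties.get(KEYINFO_TYPE);
    /** SAML 1.0 bearer confirmation method URI; no SAMLConstants symbol for it is used in this file. */
    private static final String CONFIRMATION_METHOD_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    /** SSO token property that carries the authentication instant. */
    private static final String AUTH_INSTANT_PROPERTY = "authInstant";

    private XMLSignatureManager sigManager = null;
    private KeyProvider keystore = null;
    private SSOToken ssoToken = null;
    // Alias of the WSC certificate; null until set explicitly or resolved from DEFAULT_CERT_ALIAS_VALUE.
    private String certAlias = null;
    // Cached WSC certificate; lazily resolved by getX509CertificateToken().
    private X509Certificate wssCert = null;
    // Authentication instant (string form read from the SSO token) and auth type, used for AuthenticationStatements.
    protected String authTime = "";
    protected String authType = "";

    /**
     * Binds this provider to a validated SSO token and a signature manager.
     *
     * @param obj                  the credential; must be an {@link SSOToken}
     * @param xMLSignatureManager  supplies the {@link KeyProvider} used for every certificate lookup
     * @throws SecurityTokenException if the signature manager is null, the credential is not an
     *                                SSOToken, or the token fails validation
     */
    @Override
    public void initialize(Object obj, XMLSignatureManager xMLSignatureManager) throws SecurityTokenException {
        if (xMLSignatureManager == null) {
            SecurityTokenManager.debug.error("AMP: null signature manager");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("nullXMLSigManager"));
        }
        // An unchecked cast used to let a ClassCastException escape here; reject the wrong type explicitly.
        if (!(obj instanceof SSOToken)) {
            SecurityTokenManager.debug.error("AMP: credential is not an SSOToken");
            throw new SecurityTokenException("AMP: credential is not an SSOToken");
        }
        SSOToken token = (SSOToken) obj;
        try {
            // Validate before recording any state so a failed initialize leaves the provider unusable.
            SSOTokenManager.getInstance().validateToken(token);
            this.ssoToken = token;
            this.authType = token.getAuthType();
            this.authTime = token.getProperty(AUTH_INSTANT_PROPERTY);
            this.sigManager = xMLSignatureManager;
            this.keystore = xMLSignatureManager.getKeyProvider();
        } catch (SSOException e) {
            SecurityTokenManager.debug.error("AMP: invalid SSO Token", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Selects the WSC certificate by keystore alias and resolves it immediately.
     *
     * @param str the alias; {@code null} falls back to the configured default alias
     * @throws SecurityTokenException if no alias is available or no certificate matches it
     */
    @Override
    public void setCertAlias(String str) throws SecurityTokenException {
        if (SecurityTokenManager.debug.messageEnabled()) {
            SecurityTokenManager.debug.message("AMP : certalias=" + str);
        }
        this.certAlias = str;
        this.wssCert = getX509Certificate();
    }

    /**
     * Selects the WSC certificate directly; the certificate must be present in the key provider so
     * that its alias can be used for signing.
     *
     * @param x509Certificate the certificate to use
     * @throws SecurityTokenException if the provider is not initialized, the certificate is null, or
     *                                it has no alias in the key provider
     */
    @Override
    public void setCertificate(X509Certificate x509Certificate) throws SecurityTokenException {
        KeyProvider provider = requireKeystore();
        if (x509Certificate == null) {
            SecurityTokenManager.debug.error("AMP: no cert found");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("noCertAlias"));
        }
        String alias = provider.getCertificateAlias(x509Certificate);
        if (SecurityTokenManager.debug.messageEnabled()) {
            SecurityTokenManager.debug.message("AMP : certalias=" + alias);
        }
        if (alias == null) {
            SecurityTokenManager.debug.error("AMP: no cert found");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("noCertAlias"));
        }
        this.certAlias = alias;
        this.wssCert = x509Certificate;
    }

    /**
     * Returns the key provider, failing fast if {@link #initialize} has not run.
     *
     * @throws SecurityTokenException if no key provider is available
     */
    private KeyProvider requireKeystore() throws SecurityTokenException {
        if (this.keystore == null) {
            SecurityTokenManager.debug.error("AMP: provider not initialized, no key provider");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("nullXMLSigManager"));
        }
        return this.keystore;
    }

    /**
     * Resolves the WSC certificate for the current alias, falling back to the alias configured by
     * {@code com.sun.identity.liberty.ws.wsc.certalias} when none was set.
     *
     * @throws SecurityTokenException if neither an explicit nor a default alias exists, or the
     *                                key provider holds no certificate for the alias
     */
    private X509Certificate getX509Certificate() throws SecurityTokenException {
        KeyProvider provider = requireKeystore();
        if (this.certAlias == null) {
            if (DEFAULT_CERT_ALIAS_VALUE == null || DEFAULT_CERT_ALIAS_VALUE.trim().equals("")) {
                SecurityTokenManager.debug.error("AMP: no cert found");
                throw new SecurityTokenException(SecurityTokenManager.bundle.getString("noCertAlias"));
            }
            this.certAlias = DEFAULT_CERT_ALIAS_VALUE;
        }
        X509Certificate certificate = provider.getX509Certificate(this.certAlias);
        if (certificate == null) {
            SecurityTokenManager.debug.error("AMP : no cert found in store");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("noMatchingCert"));
        }
        return certificate;
    }

    /**
     * Builds a WS-Security binary security token holding the base64 DER encoding of the WSC
     * certificate (value type X509v3, encoding base64Binary).
     *
     * @throws SecurityTokenException if the certificate cannot be resolved or encoded
     */
    @Override
    public BinarySecurityToken getX509CertificateToken() throws SecurityTokenException {
        if (this.wssCert == null) {
            this.wssCert = getX509Certificate();
        }
        try {
            String encodedCert = Base64.encode(this.wssCert.getEncoded());
            return new BinarySecurityToken(encodedCert, BinarySecurityToken.X509V3, BinarySecurityToken.BASE64BINARY);
        } catch (Exception e) {
            // getEncoded() and the token constructor may both fail; callers only see SecurityTokenException.
            SecurityTokenManager.debug.error("getX509Token", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Issues a signed assertion with a single holder-of-key authentication statement for the sender.
     *
     * @param nameIdentifier the sender identity (required)
     * @throws SecurityTokenException if the identity is null or the assertion cannot be built or signed
     */
    @Override
    public SecurityAssertion getSAMLAuthenticationToken(NameIdentifier nameIdentifier) throws SecurityTokenException {
        if (nameIdentifier == null) {
            SecurityTokenManager.debug.error("getSAMLAuthenticationToken: senderIdentity is null");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("nullSenderIdentity"));
        }
        return _getSAMLAuthorizationToken(nameIdentifier, null, (String) null, true, false);
    }

    /**
     * Issues a signed authorization assertion for the sender.
     *
     * @param nameIdentifier  the sender identity (required)
     * @param sessionContext  optional session context; when present and no resource access statement
     *                        is requested, a session-context statement is added instead
     * @param str             resource identifier for the resource access statement
     * @param z               add a holder-of-key authentication statement
     * @param z2              add a resource access statement
     * @throws SecurityTokenException if the identity is null, no statement results, or signing fails
     */
    @Override
    public SecurityAssertion getSAMLAuthorizationToken(NameIdentifier nameIdentifier, SessionContext sessionContext, String str, boolean z, boolean z2) throws SecurityTokenException {
        if (nameIdentifier == null) {
            SecurityTokenManager.debug.error("getSAMLAuthorizationToken: senderIdentity is null");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("nullSenderIdentity"));
        }
        return _getSAMLAuthorizationToken(nameIdentifier, sessionContext, str, z, z2);
    }

    /**
     * Collects the key-bound (holder-of-key / sender-vouches) statements requested by the flags and
     * wraps them in a signed assertion.
     */
    private SecurityAssertion _getSAMLAuthorizationToken(NameIdentifier nameIdentifier, SessionContext sessionContext, String resourceId, boolean includeAuthn, boolean includeResourceAccess) throws SecurityTokenException {
        // Raw Set: the element type accepted by SecurityAssertion's constructor is not visible here.
        Set statements = new HashSet();
        if (includeAuthn) {
            statements.add(createAuthenticationStatement(nameIdentifier, false));
        }
        if (includeResourceAccess) {
            statements.add(createResourceAccessStatement(nameIdentifier, sessionContext, resourceId));
        } else if (sessionContext != null) {
            statements.add(createSessionContextStatement(nameIdentifier, sessionContext));
        }
        return buildSignedAssertion(statements, "getSAMLAuthorizationToken");
    }

    /**
     * Not supported by this provider.
     *
     * @return always {@code null}
     */
    @Override
    public SecurityAssertion getSAMLAuthorizationToken(NameIdentifier nameIdentifier, SessionContext sessionContext, EncryptedResourceID encryptedResourceID, boolean z, boolean z2) throws SecurityTokenException {
        return null;
    }

    /**
     * Issues a signed bearer assertion for the sender. Bearer statements carry no key material:
     * whoever presents the assertion is treated as its subject, so it should only travel over a
     * channel the relying party already trusts.
     *
     * @param nameIdentifier  the sender identity (required)
     * @param sessionContext  optional session context (used for a session-context statement when no
     *                        resource access statement is requested)
     * @param str             resource identifier for the resource access statement
     * @param z               add a bearer authentication statement
     * @param z2              add a bearer resource access statement
     * @throws SecurityTokenException if the identity is null, no statement results, or signing fails
     */
    @Override
    public SecurityAssertion getSAMLBearerToken(NameIdentifier nameIdentifier, SessionContext sessionContext, String str, boolean z, boolean z2) throws SecurityTokenException {
        if (SecurityTokenManager.debug.messageEnabled()) {
            SecurityTokenManager.debug.message("getSAMLBearerToken: ");
        }
        if (nameIdentifier == null) {
            SecurityTokenManager.debug.error("getSAMLBearerToken: senderIdentity is null");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("nullSenderIdentity"));
        }
        Set statements = new HashSet();
        if (z) {
            statements.add(createAuthenticationStatement(nameIdentifier, true));
        }
        if (z2) {
            statements.add(createResourceAccessStatement(nameIdentifier, str));
        } else if (sessionContext != null) {
            statements.add(createSessionContextStatement(nameIdentifier, sessionContext));
        }
        return buildSignedAssertion(statements, "getSAMLBearerToken");
    }

    /**
     * Not supported by this provider.
     *
     * @return always {@code null}
     */
    @Override
    public SecurityAssertion getSAMLBearerToken(NameIdentifier nameIdentifier, SessionContext sessionContext, EncryptedResourceID encryptedResourceID, boolean z, boolean z2) throws SecurityTokenException {
        return null;
    }

    /**
     * Wraps the statements in a {@link SecurityAssertion} issued now by the configured SAML issuer and
     * signs it with the trusted-authority key alias.
     *
     * @param statements the SAML statements; must not be empty
     * @param caller     name of the public method, used as the log prefix
     * @throws SecurityTokenException if there are no statements or building/signing fails
     */
    private SecurityAssertion buildSignedAssertion(Set statements, String caller) throws SecurityTokenException {
        if (statements.isEmpty()) {
            SecurityTokenManager.debug.error(caller + ": SAML statement should not be null.");
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("nullStatement"));
        }
        try {
            String issuer = (String) SAMLServiceManager.getAttribute(SAMLConstants.ISSUER_NAME);
            SecurityAssertion assertion = new SecurityAssertion("", issuer, new Date(), statements);
            // Signing with the TA key is what lets a relying party verify the assertion's origin.
            assertion.signXML(DEFAULT_TA_CERT_ALIAS_VALUE);
            return assertion;
        } catch (Exception e) {
            // Was swallowed silently; log it like the other helpers so signing failures are diagnosable.
            SecurityTokenManager.debug.error(caller + ": failed to build or sign assertion", e);
            throw new SecurityTokenException(SecurityTokenManager.bundle.getString("nullAssertion"));
        }
    }

    /**
     * Creates an authentication statement from the SSO token's auth type and instant.
     *
     * @param nameIdentifier the subject
     * @param bearer         {@code true} for bearer confirmation; otherwise holder-of-key with a
     *                       ds:KeyInfo for the WSC certificate
     * @throws SecurityTokenException if the auth method/instant cannot be resolved or the
     *                                confirmation cannot be built
     */
    private AuthenticationStatement createAuthenticationStatement(NameIdentifier nameIdentifier, boolean bearer) throws SecurityTokenException {
        try {
            String authMethodURI = SAMLServiceManager.getAuthMethodURI(this.authType);
            Date authInstant = DateUtils.stringToDate(this.authTime);
            SubjectConfirmation confirmation;
            if (bearer) {
                confirmation = new SubjectConfirmation(CONFIRMATION_METHOD_BEARER);
            } else {
                confirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
                // The confirmation's own DOM is used as the owner document for the KeyInfo element.
                Document owner = XMLUtils.toDOMDocument(confirmation.toString(true, true), SecurityTokenManager.debug);
                confirmation.setKeyInfo(createKeyInfo(owner, getX509Certificate()));
            }
            return new AuthenticationStatement(authMethodURI, authInstant, new Subject(nameIdentifier, confirmation));
        } catch (Exception e) {
            SecurityTokenManager.debug.error("createAuthenticationStatement: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Creates a key-bound resource access statement. With a session context the statement's subject is
     * the session subject confirmed by sender-vouches and the sender appears as a proxy subject;
     * otherwise the sender itself is the subject under holder-of-key.
     *
     * @throws SecurityTokenException if the certificate or any SAML element cannot be built
     */
    private ResourceAccessStatement createResourceAccessStatement(NameIdentifier nameIdentifier, SessionContext sessionContext, String resourceId) throws SecurityTokenException {
        try {
            Document owner = XMLUtils.toDOMDocument(nameIdentifier.toString(true, true), SecurityTokenManager.debug);
            X509Certificate certificate = getX509Certificate();
            SubjectConfirmation confirmation;
            NameIdentifier subjectId;
            ProxySubject proxySubject = null;
            if (sessionContext != null) {
                confirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_SENDERVOUCHES);
                subjectId = sessionContext.getSessionSubject().getNameIdentifier();
                proxySubject = createProxySubject(nameIdentifier, owner, certificate);
            } else {
                confirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
                subjectId = nameIdentifier;
            }
            confirmation.setKeyInfo(createKeyInfo(owner, certificate));
            return new ResourceAccessStatement(resourceId, proxySubject, sessionContext, new Subject(subjectId, confirmation));
        } catch (Exception e) {
            SecurityTokenManager.debug.error("createResourceAccessStatement: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Creates a bearer resource access statement (no proxy subject, no session context, no key material).
     *
     * @throws SecurityTokenException if the SAML elements cannot be built
     */
    private ResourceAccessStatement createResourceAccessStatement(NameIdentifier nameIdentifier, String resourceId) throws SecurityTokenException {
        try {
            Subject subject = new Subject(nameIdentifier, new SubjectConfirmation(CONFIRMATION_METHOD_BEARER));
            return new ResourceAccessStatement(resourceId, null, null, subject);
        } catch (Exception e) {
            SecurityTokenManager.debug.error("createResourceAccessStatement: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Creates a session context statement whose subject is the session subject and whose proxy
     * subject is the sender, confirmed by sender-vouches with the WSC key.
     *
     * @throws SecurityTokenException if the certificate or any SAML element cannot be built
     */
    private SessionContextStatement createSessionContextStatement(NameIdentifier nameIdentifier, SessionContext sessionContext) throws SecurityTokenException {
        try {
            Document owner = XMLUtils.toDOMDocument(nameIdentifier.toString(true, true), SecurityTokenManager.debug);
            ProxySubject proxySubject = createProxySubject(nameIdentifier, owner, getX509Certificate());
            Subject sessionSubject = new Subject(sessionContext.getSessionSubject().getNameIdentifier());
            return new SessionContextStatement(sessionContext, proxySubject, sessionSubject);
        } catch (Exception e) {
            SecurityTokenManager.debug.error("createSessionContextStatement: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Builds a sender-vouches proxy subject carrying a ds:KeyInfo for the given certificate.
     *
     * @param document        owner document for the KeyInfo element
     * @param x509Certificate certificate described by the KeyInfo
     */
    private ProxySubject createProxySubject(NameIdentifier nameIdentifier, Document document, X509Certificate x509Certificate) throws SecurityTokenException, SAMLException {
        SubjectConfirmation confirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_SENDERVOUCHES);
        confirmation.setKeyInfo(createKeyInfo(document, x509Certificate));
        return new ProxySubject(nameIdentifier, confirmation);
    }

    /**
     * Builds a ds:KeyInfo element for the certificate. When the key-info type property equals the
     * certificate tag the whole DER certificate is emitted under ds:X509Data; otherwise a ds:KeyName
     * (subject DN) and a ds:KeyValue (raw DSA or RSA public key) are emitted.
     *
     * @param document        owner document the element is created in
     * @param x509Certificate certificate whose key is described
     * @throws SecurityTokenException if the certificate cannot be encoded or the key type is unsupported
     */
    private Element createKeyInfo(Document document, X509Certificate x509Certificate) throws SecurityTokenException {
        try {
            Element keyInfo = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, "KeyInfo");
            keyInfo.setAttribute("xmlns", SAMLConstants.XMLSIG_NAMESPACE_URI);
            // Eassp2Const.ATTAG_CERT is a shared string constant; its value is not visible in this file.
            if (keyInfoType != null && keyInfoType.equalsIgnoreCase(Eassp2Const.ATTAG_CERT)) {
                Element x509Data = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, SAMLConstants.TAG_X509DATA);
                Element x509Cert = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, SAMLConstants.TAG_X509CERTIFICATE);
                x509Cert.appendChild(document.createTextNode(Base64.encode(x509Certificate.getEncoded())));
                keyInfo.appendChild(x509Data).appendChild(x509Cert);
            } else {
                // getSubjectDN().getName() is kept for output compatibility; getSubjectX500Principal()
                // would change the DN string format seen by relying parties.
                Element keyName = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, SAMLConstants.TAG_KEYNAME);
                keyName.appendChild(document.createTextNode(x509Certificate.getSubjectDN().getName()));
                Element keyValue = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, SAMLConstants.TAG_KEYVALUE);
                keyValue.appendChild(createKeyValueElement(document, x509Certificate.getPublicKey()));
                keyInfo.appendChild(keyName);
                keyInfo.appendChild(keyValue);
            }
            return keyInfo;
        } catch (Exception e) {
            SecurityTokenManager.debug.error("createKeyInfo: ", e);
            throw new SecurityTokenException(e.getMessage());
        }
    }

    /**
     * Builds the ds:DSAKeyValue or ds:RSAKeyValue child for a public key.
     *
     * @throws SecurityTokenException for any key that is neither DSA nor RSA (the previous code cast
     *                                every non-DSA key to RSA and failed with a ClassCastException)
     */
    private Element createKeyValueElement(Document document, PublicKey publicKey) throws SecurityTokenException {
        if (publicKey instanceof DSAPublicKey) {
            DSAPublicKey dsaKey = (DSAPublicKey) publicKey;
            DSAParams params = dsaKey.getParams();
            Element dsaValue = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, SAMLConstants.TAG_DSAKEYVALUE);
            appendCryptoBinary(document, dsaValue, "P", params.getP());
            appendCryptoBinary(document, dsaValue, "Q", params.getQ());
            appendCryptoBinary(document, dsaValue, "G", params.getG());
            appendCryptoBinary(document, dsaValue, "Y", dsaKey.getY());
            return dsaValue;
        }
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
            Element rsaValue = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, SAMLConstants.TAG_RSAKEYVALUE);
            appendCryptoBinary(document, rsaValue, "Modulus", rsaKey.getModulus());
            appendCryptoBinary(document, rsaValue, "Exponent", rsaKey.getPublicExponent());
            return rsaValue;
        }
        String message = "createKeyInfo: unsupported public key algorithm " + publicKey.getAlgorithm();
        SecurityTokenManager.debug.error(message);
        throw new SecurityTokenException(message);
    }

    /**
     * Appends {@code <localName>} to {@code parent} with the base64 encoding of {@code value}.
     *
     * NOTE(review): BigInteger.toByteArray() is two's-complement and may prepend a 0x00 sign byte,
     * whereas ds:CryptoBinary is unsigned big-endian; kept as the original emitted it — confirm
     * relying parties tolerate the leading zero byte before changing.
     */
    private static void appendCryptoBinary(Document document, Element parent, String localName, BigInteger value) {
        Element child = document.createElementNS(SAMLConstants.XMLSIG_NAMESPACE_URI, localName);
        child.appendChild(document.createTextNode(Base64.encode(value.toByteArray())));
        parent.appendChild(child);
    }
}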
