package com.sun.identity.saml2.meta;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.Locale;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.am.util.XMLUtils;
import com.iplanet.services.util.Base64;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml.xmlsig.JKSKeyProvider;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml.xmlsig.OfflineResolver;
import com.sun.identity.saml.xmlsig.XMLSignatureException;
import com.sun.identity.saml.xmlsig.XMLSignatureManager;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.jaxb.entityconfig.IDPSSOConfigElement;
import com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
import com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
import com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
import com.sun.identity.saml2.key.KeyUtil;
import com.sun.org.apache.xml.security.Init;
import com.sun.org.apache.xml.security.keys.KeyInfo;
import com.sun.org.apache.xml.security.keys.storage.StorageResolver;
import com.sun.org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;
import com.sun.org.apache.xml.security.signature.XMLSignature;
import com.sun.org.apache.xpath.internal.XPathAPI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.bind.JAXBException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:122984-01/SUNWsaml2/reloc/SUNWam/saml2/lib/saml2.jar:com/sun/identity/saml2/meta/SAML2MetaSecurityUtils.class */
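final class SAML2MetaSecurityUtils {
    private static Debug debug = SAML2MetaUtils.debug;
    private static KeyProvider keyProvider = null;
    // Populated only when the key provider is a JKSKeyProvider; used to let
    // KeyInfo resolution look certificates up in the configured keystore.
    private static KeyStore keyStore = null;
    // When true, a signing certificate must map to an alias in the key provider
    // before its public key is trusted (see verifySignature). Controlled by the
    // "com.sun.identity.saml.checkcert" system property; defaults to on.
    private static boolean checkCert = true;
    // Lazy-init flag. initializeKeyStore() is not synchronized; a concurrent
    // first call may run the (idempotent) initialization twice.
    private static boolean keyProviderInitialized = false;
    static final String NS_META = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String NS_XMLSIG = "http://www.w3.org/2000/09/xmldsig#";
    static final String NS_XMLENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String PREFIX_XMLSIG = "ds";
    static final String PREFIX_XMLENC = "xenc";
    static final String TAG_KEY_INFO = "KeyInfo";
    static final String TAG_KEY_DESCRIPTOR = "KeyDescriptor";
    static final String TAG_SP_SSO_DESCRIPTOR = "SPSSODescriptor";
    static final String TAG_IDP_SSO_DESCRIPTOR = "IDPSSODescriptor";
    static final String ATTR_USE = "use";
    static final String ATTR_ID = "ID";

    // Literal tags that formatBase64BinaryElement rewrites. Their lengths replace
    // the bare offsets (20 and 21) the original used to skip past them.
    private static final String X509_CERT_OPEN_TAG = "<ds:X509Certificate>";
    private static final String X509_CERT_CLOSE_TAG = "</ds:X509Certificate>";
    // Line length used when re-wrapping the base64 certificate body.
    private static final int BASE64_LINE_LENGTH = 76;

    /** Utility class; not instantiable. */
    private SAML2MetaSecurityUtils() {
    }

    /**
     * Initializes the XML-security library, the key provider, the optional
     * keystore, and the {@code checkCert} flag. Runs at most once per class
     * lifetime (subsequent calls return immediately).
     */
    private static void initializeKeyStore() {
        if (keyProviderInitialized) {
            return;
        }
        Init.init();
        keyProvider = KeyUtil.getKeyProviderInstance();
        if (keyProvider instanceof JKSKeyProvider) {
            keyStore = keyProvider.getKeyStore();
        }
        try {
            String setting = SystemProperties.get("com.sun.identity.saml.checkcert", "on");
            checkCert = setting.trim().equalsIgnoreCase("on");
        } catch (Exception ignored) {
            // Any failure reading the property falls back to the safe default:
            // certificates must be known to the key provider.
            checkCert = true;
        }
        keyProviderInitialized = true;
    }

    /**
     * Returns the first alias from a signing-cert-alias attribute list, or
     * {@code null} when the list is absent, empty, or holds a blank alias.
     *
     * @param aliases raw attribute value list as returned by
     *        {@code SAML2MetaUtils.getAttributes(...).get(SIGNING_CERT_ALIAS)}
     */
    private static String firstSigningAlias(List aliases) {
        if (aliases == null || aliases.isEmpty()) {
            return null;
        }
        String alias = ((String) aliases.get(0)).trim();
        return alias.length() > 0 ? alias : null;
    }

    /**
     * Builds the XPath that selects the first child of the named metadata
     * descriptor; this is where the enveloped signature is inserted.
     */
    private static String firstChildOfDescriptorXPath(String descriptorTag) {
        return "//*[local-name()=\"" + descriptorTag + "\" and namespace-uri()=\"" + NS_META + "\"]/*[1]";
    }

    /**
     * Signs the SP and/or IDP SSO descriptor of an entity descriptor with the
     * signing certificate alias found in the matching entity config.
     *
     * A descriptor is signed only when its config carries a non-blank
     * {@code SIGNING_CERT_ALIAS} and the descriptor is present; a fresh ID is
     * assigned to the descriptor so the signature's reference can point at it.
     * The document is passed through {@link #formatBase64BinaryElement} before
     * signing, so the line-wrapped certificate form is what gets signed.
     *
     * Declared {@code public} in the decompiled class; the JADX note indicates
     * the original was package-private.
     *
     * @param entityDescriptorElement the metadata to sign (mutated: IDs are set)
     * @param sPSSOConfigElement SP entity config, may be {@code null}
     * @param iDPSSOConfigElement IDP entity config, may be {@code null}
     * @return the signed DOM document, or {@code null} if nothing needed signing
     * @throws JAXBException if the descriptor cannot be serialized
     * @throws SAML2MetaException if signing fails (the XMLSignatureException
     *         message is carried over; the cause itself is only logged)
     */
    public static Document sign(EntityDescriptorElement entityDescriptorElement, SPSSOConfigElement sPSSOConfigElement, IDPSSOConfigElement iDPSSOConfigElement) throws JAXBException, SAML2MetaException {
        String spId = null;
        String idpId = null;
        String spAlias = null;
        String idpAlias = null;

        if (sPSSOConfigElement != null) {
            spAlias = firstSigningAlias((List) SAML2MetaUtils.getAttributes(sPSSOConfigElement).get(SAML2Constants.SIGNING_CERT_ALIAS));
            if (spAlias != null) {
                SPSSODescriptorElement spDescriptor = SAML2MetaUtils.getSPSSODescriptor(entityDescriptorElement);
                if (spDescriptor != null) {
                    spId = SAMLUtils.generateID();
                    spDescriptor.setID(spId);
                }
            }
        }
        if (iDPSSOConfigElement != null) {
            idpAlias = firstSigningAlias((List) SAML2MetaUtils.getAttributes(iDPSSOConfigElement).get(SAML2Constants.SIGNING_CERT_ALIAS));
            if (idpAlias != null) {
                IDPSSODescriptorElement idpDescriptor = SAML2MetaUtils.getIDPSSODescriptor(entityDescriptorElement);
                if (idpDescriptor != null) {
                    idpId = SAMLUtils.generateID();
                    idpDescriptor.setID(idpId);
                }
            }
        }
        if (spId == null && idpId == null) {
            return null;
        }

        initializeKeyStore();
        // Formatting precedes signing: the wrapped certificate text is covered by the signature.
        String formatted = formatBase64BinaryElement(SAML2MetaUtils.convertJAXBToString(entityDescriptorElement));
        Document doc = XMLUtils.toDOMDocument(formatted, debug);
        XMLSignatureManager signatureManager = XMLSignatureManager.getInstance();

        if (spId != null) {
            try {
                signatureManager.signXML(doc, spAlias, (String) null, ATTR_ID, spId, true,
                        firstChildOfDescriptorXPath(TAG_SP_SSO_DESCRIPTOR));
            } catch (XMLSignatureException e) {
                if (debug.messageEnabled()) {
                    debug.message("SAML2MetaSecurityUtils.sign:", e);
                }
                throw new SAML2MetaException(e.getMessage());
            }
        }
        if (idpId != null) {
            try {
                signatureManager.signXML(doc, idpAlias, (String) null, ATTR_ID, idpId, true,
                        firstChildOfDescriptorXPath(TAG_IDP_SSO_DESCRIPTOR));
            } catch (XMLSignatureException e) {
                if (debug.messageEnabled()) {
                    debug.message("SAML2MetaSecurityUtils.sign:", e);
                }
                throw new SAML2MetaException(e.getMessage());
            }
        }
        return doc;
    }

    /**
     * Resolves the X.509 certificate referenced by a {@code ds:KeyInfo},
     * consulting the configured keystore when one is available.
     *
     * @throws Exception propagated from the XML-security key resolution; the
     *         caller maps it to a {@link SAML2MetaException}
     */
    private static X509Certificate resolveX509(KeyInfo keyInfo) throws Exception {
        if (keyStore != null) {
            keyInfo.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
        }
        return keyInfo.getX509Certificate();
    }

    /**
     * Fallback certificate lookup: examines the {@code md:KeyDescriptor} that
     * follows the signature element and, if its {@code use} attribute is
     * {@code "signing"}, reads the first element child as a {@code ds:KeyInfo}.
     *
     * Only the first element child is examined. In the decompiled loop the
     * index was never advanced past an element child (it would spin forever),
     * so stopping after the first element is the reading that terminates.
     *
     * @param sigElement the {@code ds:Signature} element being verified
     * @return the certificate, or {@code null} if none could be found
     * @throws Exception propagated XPath / KeyInfo failures
     */
    private static X509Certificate certFromFollowingKeyDescriptor(Element sigElement) throws Exception {
        String xpath = "following-sibling::*[local-name()=\"" + TAG_KEY_DESCRIPTOR
                + "\" and namespace-uri()=\"" + NS_META + "\"]";
        Node kdNode = XPathAPI.selectSingleNode(sigElement, xpath);
        if (kdNode == null) {
            return null;
        }
        Element keyDescriptor = (Element) kdNode;
        // getAttributeNS returns "" for a missing attribute, so no null check is needed.
        if (!"signing".equals(keyDescriptor.getAttributeNS(null, ATTR_USE))) {
            return null;
        }
        NodeList children = keyDescriptor.getChildNodes();
        for (int j = 0; j < children.getLength(); j++) {
            Node child = children.item(j);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            if (TAG_KEY_INFO.equals(child.getLocalName()) && NS_XMLSIG.equals(child.getNamespaceURI())) {
                KeyInfo keyInfo = new KeyInfo((Element) child, "");
                if (keyInfo.containsX509Data()) {
                    return resolveX509(keyInfo);
                }
            }
            return null;
        }
        return null;
    }

    /**
     * Verifies every {@code ds:Signature} in the document.
     *
     * For each signature the certificate is taken from the signature's own
     * {@code KeyInfo}, or failing that from the following {@code KeyDescriptor}
     * with {@code use="signing"}. When {@code checkCert} is on, the certificate
     * must resolve to an alias in the key provider ("untrusted_cert"
     * otherwise); when it is off, a certificate carried inside the document is
     * accepted as-is, so the check only proves the document is self-consistent,
     * not that it came from a known party. Finally the signature value is
     * checked against the certificate's public key.
     *
     * NOTE(review): nothing here cross-checks that a signature's Reference
     * actually covers its parent descriptor; callers that rely on which element
     * was signed need to confirm that separately.
     *
     * @param document parsed metadata document
     * @throws SAML2MetaException "verify_no_cert", "untrusted_cert" or
     *         "verify_fail" (with the signed element's local name), or when
     *         the signature XPath query itself fails
     */
    public static void verifySignature(Document document) throws SAML2MetaException {
        NodeList signatures;
        try {
            signatures = XPathAPI.selectNodeList(document, "//" + PREFIX_XMLSIG + ":Signature",
                    com.sun.org.apache.xml.security.utils.XMLUtils.createDSctx(document, PREFIX_XMLSIG, NS_XMLSIG));
        } catch (Exception e) {
            // The original only threw when debug was enabled and otherwise fell
            // through to a NullPointerException on the null node list.
            if (debug.messageEnabled()) {
                debug.message("SAML2MetaSecurityUtils.verifySignature:", e);
            }
            throw new SAML2MetaException(e.getMessage());
        }

        int count = signatures.getLength();
        if (debug.messageEnabled()) {
            debug.message("SAML2MetaSecurityUtils.verifySignature: # of signatures = " + count);
        }
        if (count == 0) {
            return;
        }
        initializeKeyStore();

        for (int i = 0; i < count; i++) {
            Element sigElement = (Element) signatures.item(i);
            String signedElementName = sigElement.getParentNode().getLocalName();
            Object[] messageArgs = {signedElementName};
            if (debug.messageEnabled()) {
                debug.message("SAML2MetaSecurityUtils.verifySignature: verifying signature under " + signedElementName);
            }
            try {
                XMLSignature signature = new XMLSignature(sigElement, "");
                // OfflineResolver presumably keeps reference resolution local — confirm.
                signature.addResourceResolver(new OfflineResolver());

                X509Certificate cert = null;
                KeyInfo keyInfo = signature.getKeyInfo();
                if (keyInfo != null && keyInfo.containsX509Data()) {
                    cert = resolveX509(keyInfo);
                }
                if (cert == null) {
                    if (debug.messageEnabled()) {
                        debug.message("SAML2MetaSecurityUtils.verifySignature: try to find cert in KeyDescriptor");
                    }
                    cert = certFromFollowingKeyDescriptor(sigElement);
                }
                if (cert == null) {
                    throw new SAML2MetaException("verify_no_cert", messageArgs);
                }
                // Trust anchor check: the certificate must be one the key provider knows.
                if (checkCert && keyProvider.getCertificateAlias(cert) == null) {
                    throw new SAML2MetaException("untrusted_cert", messageArgs);
                }
                if (!signature.checkSignatureValue(cert.getPublicKey())) {
                    throw new SAML2MetaException("verify_fail", messageArgs);
                }
            } catch (SAML2MetaException e) {
                throw e;
            } catch (Exception e) {
                debug.error("SAML2MetaSecurityUtils.verifySignature: ", e);
                throw new SAML2MetaException(Locale.getString(SAML2MetaUtils.resourceBundle, "verify_fail", messageArgs)
                        + SAML2Constants.NEWLINE + e.getMessage());
            }
        }
    }

    /**
     * Re-wraps the body of every {@code <ds:X509Certificate>} element onto
     * 76-character lines, each terminated by {@code SAML2Constants.NEWLINE},
     * and indents the closing tag like the line the opening tag sits on.
     *
     * Text outside the certificate elements is copied through unchanged. An
     * opening tag without a matching closing tag leaves the rest of the input
     * untouched (the original threw a StringIndexOutOfBoundsException).
     *
     * @param str serialized metadata; the tag literals are matched exactly, so
     *        only the {@code ds} prefix is recognized
     * @return the reformatted string
     */
    public static String formatBase64BinaryElement(String str) {
        int copiedUpTo = 0;
        int openAt = str.indexOf(X509_CERT_OPEN_TAG);
        int length = str.length();
        StringBuilder out = new StringBuilder(length + 100);

        while (openAt != -1) {
            int closeAt = str.indexOf(X509_CERT_CLOSE_TAG, openAt);
            if (closeAt == -1) {
                // Unterminated element: stop rewriting and copy the remainder verbatim.
                break;
            }
            out.append(str, copiedUpTo, openAt);

            String body = str.substring(openAt + X509_CERT_OPEN_TAG.length(), closeAt);
            int bodyLength = body.length();
            out.append(X509_CERT_OPEN_TAG).append('\n');
            int pos = 0;
            while (pos < bodyLength - BASE64_LINE_LENGTH) {
                out.append(body, pos, pos + BASE64_LINE_LENGTH).append(SAML2Constants.NEWLINE);
                pos += BASE64_LINE_LENGTH;
            }
            out.append(body, pos, bodyLength).append(SAML2Constants.NEWLINE);
            // Indent the closing tag with whatever preceded the opening tag on its line.
            int lineStart = str.lastIndexOf('\n', openAt) + 1;
            out.append(str, lineStart, openAt).append(X509_CERT_CLOSE_TAG);

            copiedUpTo = closeAt + X509_CERT_CLOSE_TAG.length();
            openAt = str.indexOf(X509_CERT_OPEN_TAG, copiedUpTo);
        }
        out.append(str, copiedUpTo, length);
        return out.toString();
    }

    /**
     * Returns the base64 (76-column) DER encoding of the certificate stored
     * under the given alias in the key provider.
     *
     * @param str certificate alias; {@code null} yields {@code null}
     * @return the encoded certificate
     * @throws SAML2MetaException "invalid_cert_alias" if the alias is unknown
     *         or the certificate cannot be encoded (the encoding failure is
     *         only logged at debug level)
     */
    public static String buildX509Certificate(String str) throws SAML2MetaException {
        if (str == null) {
            return null;
        }
        X509Certificate cert = KeyUtil.getKeyProviderInstance().getX509Certificate(str);
        if (cert != null) {
            try {
                return Base64.encode(cert.getEncoded(), BASE64_LINE_LENGTH);
            } catch (Exception e) {
                if (debug.messageEnabled()) {
                    debug.message("SAML2MetaSecurityUtils.buildX509Certificate:", e);
                }
            }
        }
        throw new SAML2MetaException("invalid_cert_alias", new Object[]{str});
    }
}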
