package org.apache.wss4j.dom.saml;

import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import org.apache.wss4j.common.SignatureActionToken;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.DOMX509Data;
import org.apache.wss4j.common.token.DOMX509IssuerSerial;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.transform.STRTransform;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.opensaml.security.crypto.JCAConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-dom-2.2.2-SNAPSHOT.jar:org/apache/wss4j/dom/saml/WSSecSignatureSAML.class */
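/**
 * Signs a SOAP message with a SAML assertion as the security token.
 *
 * <p>Two confirmation methods are supported, decided by the first confirmation method of the
 * assertion (see {@link #prepare}):
 * <ul>
 *   <li><b>sender-vouches</b>: the message is signed with the issuer's private key
 *       ({@code issuerCrypto}/{@code issuerKeyName}); a second SecurityTokenReference pointing at
 *       the assertion is built and signed through the STRTransform.</li>
 *   <li><b>holder-of-key</b>: the assertion must itself be signed; the signing key is the user's
 *       private key (or a pre-set {@code secretKey}) and the certificate is taken from the
 *       assertion's subject.</li>
 * </ul>
 *
 * <p>When no signature algorithm is configured, {@link #prepare} auto-detects one from the key
 * type; note that this auto-detection yields the SHA-1 based XMLDSig URIs, so callers that need
 * a SHA-2 signature must call {@code setSignatureAlgorithm(...)} before {@code prepare}/{@code build}.
 */
public class WSSecSignatureSAML extends WSSecSignature {
    private static final Logger LOG = LoggerFactory.getLogger(WSSecSignatureSAML.class);

    /** True once prepare() has found a sender-vouches confirmation method; never reset. */
    private boolean senderVouches;
    /** STR that points at the SAML assertion; only built in the sender-vouches case. */
    private SecurityTokenReference secRefSaml;
    /** wsu:Id of {@link #secRefSaml}; also used as the id of the STRTransform part added by build(). */
    private String secRefID;
    /** DOM form of the assertion, created in prepare() and prepended to the header in prependSAMLElementsToHeader(). */
    private Element samlToken;
    private Crypto userCrypto;
    private Crypto issuerCrypto;
    private String issuerKeyName;
    // NOTE(review): the issuer key password is held as an immutable String for the lifetime of this
    // object (it is needed again in computeSignature()); it cannot be wiped after use.
    private String issuerKeyPW;
    /** If true, the assertion is referenced by a wsse:Reference URI instead of a wsse:KeyIdentifier. */
    private boolean useDirectReferenceToAssertion;

    public WSSecSignatureSAML(WSSecHeader securityHeader) {
        super(securityHeader);
    }

    public WSSecSignatureSAML(Document doc) {
        super(doc);
    }

    /**
     * Builds the signed message in one step: {@link #prepare}, reference collection, token
     * insertion and signature computation.
     *
     * @param uCrypto       the user's Crypto (holder-of-key signing key); may be null in sender-vouches mode
     * @param samlAssertion the assertion to sign with / insert into the header
     * @param iCrypto       the issuer's Crypto (sender-vouches signing key)
     * @param iKeyName      alias of the issuer's key in {@code iCrypto}
     * @param iKeyPW        password of the issuer's key
     * @return the signed document
     * @throws WSSecurityException if preparation or signing fails
     */
    public Document build(Crypto uCrypto, SamlAssertionWrapper samlAssertion, Crypto iCrypto,
                          String iKeyName, String iKeyPW) throws WSSecurityException {
        prepare(uCrypto, samlAssertion, iCrypto, iKeyName, iKeyPW);

        if (getParts().isEmpty()) {
            getParts().add(WSSecurityUtil.getDefaultEncryptionPart(getDocument()));
        } else {
            // A caller-supplied STRTransform part without an id means "the STR built by prepare()".
            for (WSEncryptionPart part : getParts()) {
                if ("STRTransform".equals(part.getName()) && part.getId() == null) {
                    part.setId(this.strUri);
                }
            }
        }
        // Sender-vouches: the STR pointing at the assertion is itself covered by the signature.
        if (this.secRefID != null) {
            WSEncryptionPart strPart = new WSEncryptionPart("STRTransform",
                WSSecurityUtil.getSOAPNamespace(getDocument().getDocumentElement()), "Content");
            strPart.setId(this.secRefID);
            getParts().add(strPart);
        }

        List<Reference> referenceList = addReferencesToSign(getParts());
        prependSAMLElementsToHeader();
        // The ds:Signature element is inserted directly after the token it is associated with.
        Element insertAfter = this.senderVouches ? this.secRefSaml.getElement() : this.samlToken;
        computeSignature(referenceList, insertAfter);
        if (this.bstToken != null) {
            prependBSTElementToHeader();
        }
        return getDocument();
    }

    /**
     * Initialises the signature: converts the assertion to DOM, resolves the signing
     * certificate/key, picks the signature algorithm if none is set, allocates ids and builds the
     * SecurityTokenReference(s) and KeyInfo. Nothing is written to the header yet.
     *
     * @param uCrypto       the user's Crypto (holder-of-key); may be null in sender-vouches mode
     * @param samlAssertion the assertion
     * @param iCrypto       the issuer's Crypto (sender-vouches)
     * @param iKeyName      alias of the issuer's key
     * @param iKeyPW        password of the issuer's key
     * @throws WSSecurityException if no usable certificate/key is found, the key algorithm is
     *         unsupported, or the JSR-105 objects cannot be created
     */
    public void prepare(Crypto uCrypto, SamlAssertionWrapper samlAssertion, Crypto iCrypto,
                        String iKeyName, String iKeyPW) throws WSSecurityException {
        LOG.debug("Beginning ST signing...");
        this.userCrypto = uCrypto;
        this.issuerCrypto = iCrypto;
        this.issuerKeyName = iKeyName;
        this.issuerKeyPW = iKeyPW;
        this.samlToken = samlAssertion.toDOM(getDocument());

        // Only the first confirmation method decides between sender-vouches and holder-of-key.
        String confirmMethod = null;
        List<String> methods = samlAssertion.getConfirmationMethods();
        if (methods != null && !methods.isEmpty()) {
            confirmMethod = methods.get(0);
        }
        if (OpenSAMLUtil.isMethodSenderVouches(confirmMethod)) {
            this.senderVouches = true;
        }
        if (super.getWsDocInfo() == null) {
            super.setWsDocInfo(new WSDocInfo(getDocument()));
        }

        X509Certificate[] certs = null;
        PublicKey publicKey = null;
        if (this.senderVouches) {
            // Sender-vouches: the message is signed by the issuer, so use the issuer's certificate.
            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(this.issuerKeyName);
            certs = this.issuerCrypto.getX509Certificates(cryptoType);
            getWsDocInfo().setCrypto(this.issuerCrypto);
        } else {
            // Holder-of-key: an unsigned assertion proves nothing about the key, so reject it.
            if (this.userCrypto == null || !samlAssertion.isSigned()) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                    "invalidSAMLsecurity", new Object[]{"for SAML Signature (Key Holder)"});
            }
            if (this.secretKey == null) {
                RequestData data = new RequestData();
                data.setWsDocInfo(getWsDocInfo());
                SignatureActionToken actionToken = new SignatureActionToken();
                data.setSignatureToken(actionToken);
                actionToken.setCrypto(this.userCrypto);
                SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromSubject(samlAssertion,
                    new WSSSAMLKeyInfoProcessor(data), this.userCrypto, data.getCallbackHandler());
                if (samlKeyInfo != null) {
                    publicKey = samlKeyInfo.getPublicKey();
                    certs = samlKeyInfo.getCerts();
                    getWsDocInfo().setCrypto(this.userCrypto);
                }
            }
        }

        // A certificate array is only usable when it has a non-null first entry; an empty array
        // must not be indexed.
        boolean haveCert = certs != null && certs.length > 0 && certs[0] != null;
        if (!haveCert && publicKey == null && this.secretKey == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                "noCertsFound", new Object[]{"SAML signature"});
        }

        if (getSignatureAlgorithm() == null) {
            PublicKey algoKey;
            if (haveCert) {
                algoKey = certs[0].getPublicKey();
            } else if (publicKey != null) {
                algoKey = publicKey;
            } else {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "unknownSignatureAlgorithm");
            }
            String keyAlgo = algoKey.getAlgorithm();
            LOG.debug("automatic sig algo detection: {}", keyAlgo);
            // Auto-detection maps the key type to the SHA-1 XMLDSig URIs. Set the algorithm
            // explicitly (setSignatureAlgorithm) before prepare() to get a SHA-2 signature.
            if (keyAlgo.equalsIgnoreCase(JCAConstants.KEY_ALGO_DSA)) {
                setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#dsa-sha1");
            } else if (keyAlgo.equalsIgnoreCase(JCAConstants.KEY_ALGO_RSA)) {
                setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
            } else {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                    "unknownSignatureAlgorithm", new Object[]{keyAlgo});
            }
        }

        this.sig = null;
        try {
            ExcC14NParameterSpec c14nSpec = null;
            if (isAddInclusivePrefixes()
                && getSigCanonicalization().equals("http://www.w3.org/2001/10/xml-exc-c14n#")) {
                c14nSpec = new ExcC14NParameterSpec(
                    getInclusivePrefixes(getSecurityHeader().getSecurityHeaderElement(), false));
            }
            this.c14nMethod = this.signatureFactory.newCanonicalizationMethod(getSigCanonicalization(), c14nSpec);
            this.keyInfoUri = getIdAllocator().createSecureId("KeyId-", this.keyInfo);

            SecurityTokenReference secRef = new SecurityTokenReference(getDocument());
            this.strUri = getIdAllocator().createSecureId("STRId-", secRef);
            secRef.setID(this.strUri);
            setSecurityTokenReference(secRef);
            if (certs != null && certs.length != 0) {
                this.certUri = getIdAllocator().createSecureId("CertId-", certs[0]);
            }

            try {
                if (this.senderVouches) {
                    // Second STR: points at the assertion and is signed via the STRTransform (see build()).
                    this.secRefSaml = new SecurityTokenReference(getDocument());
                    this.secRefID = getIdAllocator().createSecureId("STRSAMLId-", this.secRefSaml);
                    this.secRefSaml.setID(this.secRefID);
                    if (this.useDirectReferenceToAssertion) {
                        addAssertionReference(this.secRefSaml, samlAssertion);
                    } else {
                        addAssertionKeyIdentifier(this.secRefSaml, samlAssertion);
                    }
                    getWsDocInfo().addTokenElement(this.secRefSaml.getElement(), false);
                }
                configureKeyInfo(secRef, haveCert ? certs[0] : null,
                    iCrypto != null ? iCrypto : uCrypto, samlAssertion);
                getWsDocInfo().addTokenElement(this.samlToken, false);
            } catch (Exception ex) {
                // NOTE: this also re-wraps WSSecurityExceptions from configureKeyInfo (e.g. an
                // unsupported key identifier type) under FAILED_SIGNATURE/"noXMLSig".
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex, "noXMLSig");
            }
        } catch (WSSecurityException ex) {
            // Already a WSSecurityException: log and propagate without wrapping it a second time.
            LOG.error(ex.getMessage(), ex);
            throw ex;
        } catch (Exception ex) {
            LOG.error(ex.getMessage(), ex);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex, "noXMLSig");
        }
    }

    /**
     * Fills the KeyInfo's SecurityTokenReference according to the confirmation method and
     * {@code keyIdentifierType}, then marshals the KeyInfo. A custom KeyInfo element, if set,
     * is used unchanged.
     *
     * @param secRef        the STR placed inside ds:KeyInfo
     * @param cert          the signing certificate; required in sender-vouches mode, may be null otherwise
     * @param crypto        Crypto used to resolve the SKI (key identifier type 4)
     * @param samlAssertion the assertion referenced in holder-of-key mode
     * @throws WSSecurityException if the key identifier type is unsupported, the certificate is
     *         missing in sender-vouches mode, or marshalling fails
     */
    private void configureKeyInfo(SecurityTokenReference secRef, X509Certificate cert, Crypto crypto,
                                  SamlAssertionWrapper samlAssertion) throws WSSecurityException {
        if (getCustomKeyInfoElement() == null) {
            if (this.senderVouches) {
                // Every identifier type below dereferences the certificate; fail with the
                // proper error instead of a NullPointerException.
                if (cert == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                        "noCertsFound", new Object[]{"SAML signature"});
                }
                // keyIdentifierType uses the numeric values of the WSConstants identifier constants.
                switch (this.keyIdentifierType) {
                    case 1: { // direct reference to a BinarySecurityToken carrying the cert
                        org.apache.wss4j.common.token.Reference ref =
                            new org.apache.wss4j.common.token.Reference(getDocument());
                        ref.setURI("#" + this.certUri);
                        X509Security bst = new X509Security(getDocument());
                        bst.setX509Certificate(cert);
                        bst.setID(this.certUri);
                        this.bstToken = bst.getElement();
                        getWsDocInfo().addTokenElement(this.bstToken, false);
                        ref.setValueType(bst.getValueType());
                        secRef.setReference(ref);
                        break;
                    }
                    case 2: // issuer name + serial number
                        secRef.setUnknownElement(new DOMX509Data(getDocument(),
                            new DOMX509IssuerSerial(getDocument(), cert.getIssuerDN().getName(),
                                cert.getSerialNumber())).getElement());
                        break;
                    case 3: // X509 key identifier (the whole certificate)
                        secRef.setKeyIdentifier(cert);
                        break;
                    case 4: // subject key identifier
                        secRef.setKeyIdentifierSKI(cert, crypto);
                        break;
                    case 8: // certificate thumbprint
                        secRef.setKeyIdentifierThumb(cert);
                        break;
                    default:
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "unsupportedKeyId");
                }
            } else if (this.useDirectReferenceToAssertion) {
                addAssertionReference(secRef, samlAssertion);
            } else {
                addAssertionKeyIdentifier(secRef, samlAssertion);
            }
        }
        marshalKeyInfo(getWsDocInfo());
    }

    /**
     * Points {@code secRef} at the assertion with a wsse:Reference URI ("#" + assertion id) and
     * sets the SAML 1.1 or 2.0 token type on the STR.
     */
    private void addAssertionReference(SecurityTokenReference secRef, SamlAssertionWrapper samlAssertion) {
        org.apache.wss4j.common.token.Reference ref =
            new org.apache.wss4j.common.token.Reference(getDocument());
        ref.setURI("#" + samlAssertion.getId());
        if (samlAssertion.getSaml1() != null) {
            ref.setValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
            secRef.addTokenType(WSS4JConstants.WSS_SAML_TOKEN_TYPE);
        } else if (samlAssertion.getSaml2() != null) {
            secRef.addTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
        }
        secRef.setReference(ref);
    }

    /**
     * Points {@code secRef} at the assertion with a wsse:KeyIdentifier whose text is the assertion
     * id, and sets the matching ValueType / token type for SAML 1.1 or 2.0. If the wrapper holds
     * neither a SAML 1.1 nor a SAML 2.0 assertion, the ValueType attribute is set to null.
     */
    private void addAssertionKeyIdentifier(SecurityTokenReference secRef, SamlAssertionWrapper samlAssertion) {
        Element keyId = getDocument().createElementNS(
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
            "wsse:KeyIdentifier");
        String valueType = null;
        if (samlAssertion.getSaml1() != null) {
            valueType = WSS4JConstants.WSS_SAML_KI_VALUE_TYPE;
            secRef.addTokenType(WSS4JConstants.WSS_SAML_TOKEN_TYPE);
        } else if (samlAssertion.getSaml2() != null) {
            valueType = WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE;
            secRef.addTokenType(WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
        }
        keyId.setAttributeNS(null, "ValueType", valueType);
        keyId.appendChild(getDocument().createTextNode(samlAssertion.getId()));
        secRef.getElement().appendChild(keyId);
    }

    /**
     * Prepends the assertion (and, in sender-vouches mode, the STR pointing at it) to the
     * wsse:Security header. Must be called after {@link #prepare}.
     */
    public void prependSAMLElementsToHeader() {
        Element securityHeaderElement = getSecurityHeader().getSecurityHeaderElement();
        if (this.senderVouches) {
            WSSecurityUtil.prependChildElement(securityHeaderElement, this.secRefSaml.getElement());
        }
        WSSecurityUtil.prependChildElement(securityHeaderElement, this.samlToken);
    }

    /**
     * Computes the signature over {@code referenceList} and inserts the ds:Signature element into
     * the security header, directly after {@code siblingElement} (or as the last child when
     * {@code siblingElement} is null or has no following sibling).
     *
     * <p>The signing key is, in order of precedence: the issuer's private key (sender-vouches), a
     * pre-set {@code secretKey} prepared for the signature algorithm, or the user's private key.
     *
     * @param referenceList the ds:Reference list built by addReferencesToSign
     * @param siblingElement element after which the signature is inserted; may be null
     * @throws WSSecurityException if the key cannot be loaded or signing fails
     */
    public void computeSignature(List<Reference> referenceList, Element siblingElement) throws WSSecurityException {
        try {
            Key signingKey;
            if (this.senderVouches) {
                signingKey = this.issuerCrypto.getPrivateKey(this.issuerKeyName, this.issuerKeyPW);
            } else if (this.secretKey != null) {
                signingKey = KeyUtils.prepareSecretKey(getSignatureAlgorithm(), this.secretKey);
            } else {
                signingKey = this.userCrypto.getPrivateKey(this.user, this.password);
            }

            this.sig = this.signatureFactory.newXMLSignature(
                this.signatureFactory.newSignedInfo(this.c14nMethod,
                    this.signatureFactory.newSignatureMethod(getSignatureAlgorithm(),
                        (SignatureMethodParameterSpec) null),
                    referenceList),
                this.keyInfo, null, getIdAllocator().createId("SIG-", null), null);

            Element securityHeaderElement = getSecurityHeader().getSecurityHeaderElement();
            DOMSignContext signContext;
            if (siblingElement == null || siblingElement.getNextSibling() == null) {
                signContext = new DOMSignContext(signingKey, securityHeaderElement);
            } else {
                signContext = new DOMSignContext(signingKey, securityHeaderElement, siblingElement.getNextSibling());
            }
            signContext.putNamespacePrefix("http://www.w3.org/2000/09/xmldsig#", "ds");
            if ("http://www.w3.org/2001/10/xml-exc-c14n#".equals(getSigCanonicalization())) {
                signContext.putNamespacePrefix("http://www.w3.org/2001/10/xml-exc-c14n#",
                    WSS4JConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX);
            }
            // The STRTransform needs the WSDocInfo to resolve the referenced tokens while signing.
            signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, getWsDocInfo());
            getWsDocInfo().setCallbackLookup(this.callbackLookup);
            getWsDocInfo().setTokensOnContext(signContext);

            this.sig.sign(signContext);
            this.signatureValue = this.sig.getSignatureValue().getValue();
        } catch (Exception ex) {
            LOG.error(ex.getMessage(), ex);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex);
        }
    }

    /** @return whether the assertion is referenced by URI rather than by wsse:KeyIdentifier. */
    public boolean isUseDirectReferenceToAssertion() {
        return this.useDirectReferenceToAssertion;
    }

    /** @param useDirectReferenceToAssertion true to reference the assertion by URI instead of wsse:KeyIdentifier. */
    public void setUseDirectReferenceToAssertion(boolean useDirectReferenceToAssertion) {
        this.useDirectReferenceToAssertion = useDirectReferenceToAssertion;
    }
}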
