package org.apache.ws.security.saml;

import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.token.DOMX509Data;
import org.apache.ws.security.message.token.DOMX509IssuerSerial;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/wss4j.jar:org/apache/ws/security/saml/WSSecSignatureSAML.class */
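/**
 * Creates a WS-Security signature whose {@code KeyInfo} points at a SAML assertion.
 *
 * <p>Two subject-confirmation profiles are handled, chosen in {@link #prepare} from the
 * assertion's first confirmation method:
 * <ul>
 *   <li><b>sender-vouches</b> – the message is signed with the issuer's private key
 *       ({@code issuerCrypto}/{@code issuerKeyName}); a second {@code SecurityTokenReference}
 *       ({@code secRefSaml}) pointing at the assertion is built and added to the signed parts
 *       (STR-Transform), so the binding between message and assertion is itself covered by
 *       the signature.</li>
 *   <li><b>holder-of-key</b> – the message is signed with the key taken from the assertion's
 *       subject (or with a caller-supplied {@code secretKey}); the assertion must already be
 *       signed, otherwise the subject key is not bound to anything trustworthy.</li>
 * </ul>
 *
 * <p>When no signature algorithm was configured, one is derived from the signing key's
 * algorithm. The derived URIs are the SHA-1 based ones ({@code rsa-sha1}/{@code dsa-sha1});
 * callers wanting a stronger digest must set the algorithm explicitly before calling
 * {@link #build}.
 */
public class WSSecSignatureSAML extends WSSecSignature {
    private static Log log = LogFactory.getLog(WSSecSignatureSAML.class);

    /** Namespace of {@code wsse:KeyIdentifier}. */
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Exclusive C14N URI; only this algorithm gets an InclusiveNamespaces prefix list. */
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    // true once prepare() has seen a sender-vouches confirmation method; never reset.
    private boolean senderVouches = false;
    // STR pointing at the assertion (sender-vouches only); referenced by the STRTransform part.
    private SecurityTokenReference secRefSaml = null;
    // wsu:Id of secRefSaml, used as the Id of the STRTransform signed part.
    private String secRefID = null;
    // DOM form of the assertion, prepended to the security header in build().
    private Element samlToken = null;
    // Crypto holding the subject's key (holder-of-key).
    private Crypto userCrypto = null;
    // Crypto holding the issuer's key (sender-vouches).
    private Crypto issuerCrypto = null;
    private String issuerKeyName = null;
    // NOTE(review): kept as a String, so it cannot be wiped from memory after signing.
    private String issuerKeyPW = null;
    // true: reference the assertion by wsse:Reference URI; false: by wsse:KeyIdentifier.
    private boolean useDirectReferenceToAssertion = false;

    /** Creates a signer with the default {@link WSSConfig}. */
    public WSSecSignatureSAML() {
        super();
        this.doDebug = log.isDebugEnabled();
    }

    /**
     * Creates a signer with an explicit configuration.
     *
     * @param wSSConfig the WSS configuration to use (id allocator, BSP compliance, ...)
     */
    public WSSecSignatureSAML(WSSConfig wSSConfig) {
        super(wSSConfig);
        this.doDebug = log.isDebugEnabled();
    }

    /**
     * Prepares, inserts and computes the SAML-bound signature in one step.
     *
     * <p>If no parts were configured, the SOAP Body content is signed. In sender-vouches mode
     * an additional STRTransform part covering {@code secRefSaml} is always added, so that the
     * reference from the signature to the assertion is protected.
     *
     * @param document         the SOAP envelope to sign
     * @param crypto           crypto for the subject key (holder-of-key); may be {@code null}
     *                         for sender-vouches
     * @param assertionWrapper the SAML assertion to bind the signature to
     * @param crypto2          crypto for the issuer key (sender-vouches)
     * @param str              alias of the issuer key in {@code crypto2}
     * @param str2             password of the issuer key
     * @param wSSecHeader      the security header the signature and tokens go into
     * @return the same {@code document}, now containing the signature
     * @throws WSSecurityException on any failure of {@link #prepare} or of the signing itself
     */
    public Document build(Document document, Crypto crypto, AssertionWrapper assertionWrapper, Crypto crypto2, String str, String str2, WSSecHeader wSSecHeader) throws WSSecurityException {
        prepare(document, crypto, assertionWrapper, crypto2, str, str2, wSSecHeader);
        String soapNamespace = WSSecurityUtil.getSOAPNamespace(document.getDocumentElement());
        if (this.parts == null) {
            this.parts = new ArrayList<WSEncryptionPart>(1);
            this.parts.add(new WSEncryptionPart("Body", soapNamespace, "Content"));
        } else {
            // Caller-supplied STRTransform parts without an Id default to the KeyInfo STR.
            for (WSEncryptionPart part : this.parts) {
                if ("STRTransform".equals(part.getName()) && part.getId() == null) {
                    part.setId(this.strUri);
                }
            }
        }
        if (this.secRefID != null) {
            // Sender-vouches: sign the STR that points at the assertion as well.
            WSEncryptionPart samlStrPart = new WSEncryptionPart("STRTransform", soapNamespace, "Content");
            samlStrPart.setId(this.secRefID);
            this.parts.add(samlStrPart);
        }
        List<Reference> references = addReferencesToSign(this.parts, wSSecHeader);
        prependSAMLElementsToHeader(wSSecHeader);
        // The signature element is placed right after the token it refers to.
        Element insertAfter = this.senderVouches ? this.secRefSaml.getElement() : this.samlToken;
        computeSignature(references, wSSecHeader, insertAfter);
        if (this.bstToken != null) {
            prependBSTElementToHeader(wSSecHeader);
        }
        return document;
    }

    /**
     * Resolves the signing credential, picks the signature algorithm and builds the
     * {@code KeyInfo} (and, for sender-vouches, the STR to the assertion). Nothing is added
     * to the header yet; see {@link #prependSAMLElementsToHeader} and {@link #computeSignature}.
     *
     * @param document         the SOAP envelope
     * @param crypto           crypto for the subject key (holder-of-key)
     * @param assertionWrapper the assertion; its first confirmation method selects the profile
     * @param crypto2          crypto for the issuer key (sender-vouches)
     * @param str              issuer key alias
     * @param str2             issuer key password
     * @param wSSecHeader      the security header (used for the InclusiveNamespaces prefix list)
     * @throws WSSecurityException {@code invalidSAMLsecurity} when holder-of-key is requested
     *         without a subject crypto or with an unsigned assertion; {@code noCertsFound} when
     *         neither a certificate, a public key nor a secret key is available;
     *         {@code unknownSignatureAlgorithm} when no algorithm is configured and none can be
     *         derived; {@code unsupportedKeyId} for a key identifier type this class cannot
     *         emit; {@code noXMLSig} for any other failure while building the XML-DSig objects
     */
    public void prepare(Document document, Crypto crypto, AssertionWrapper assertionWrapper, Crypto crypto2, String str, String str2, WSSecHeader wSSecHeader) throws WSSecurityException {
        if (this.doDebug) {
            log.debug("Beginning ST signing...");
        }
        this.userCrypto = crypto;
        this.issuerCrypto = crypto2;
        this.document = document;
        this.issuerKeyName = str;
        this.issuerKeyPW = str2;
        this.samlToken = assertionWrapper.toDOM(document);

        // Only the first confirmation method is consulted.
        String confirmationMethod = null;
        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
        if (confirmationMethods != null && !confirmationMethods.isEmpty()) {
            confirmationMethod = confirmationMethods.get(0);
        }
        if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
            this.senderVouches = true;
        }
        this.wsDocInfo = new WSDocInfo(document);

        X509Certificate[] certs = null;
        PublicKey subjectPublicKey = null;
        if (this.senderVouches) {
            // Sign with the issuer's key; the message is vouched for by the issuer.
            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(this.issuerKeyName);
            certs = this.issuerCrypto.getX509Certificates(cryptoType);
            this.wsDocInfo.setCrypto(this.issuerCrypto);
        } else {
            // Holder-of-key: the subject key is only trustworthy if the issuer signed the assertion.
            if (this.userCrypto == null || !assertionWrapper.isSigned()) {
                throw new WSSecurityException(0, "invalidSAMLsecurity", new Object[]{"for SAML Signature (Key Holder)"});
            }
            if (this.secretKey == null) {
                RequestData requestData = new RequestData();
                requestData.setSigCrypto(this.userCrypto);
                requestData.setWssConfig(getWsConfig());
                SAMLKeyInfo subjectKeyInfo = SAMLUtil.getCredentialFromSubject(assertionWrapper, requestData, this.wsDocInfo, getWsConfig().isWsiBSPCompliant());
                subjectPublicKey = subjectKeyInfo.getPublicKey();
                certs = subjectKeyInfo.getCerts();
                this.wsDocInfo.setCrypto(this.userCrypto);
            }
        }

        // An empty certificate array is possible here, hence the explicit length check.
        boolean haveCert = certs != null && certs.length > 0 && certs[0] != null;
        if (!haveCert && subjectPublicKey == null && this.secretKey == null) {
            throw new WSSecurityException(0, "noCertsFound", new Object[]{"SAML signature"});
        }
        if (this.sigAlgo == null) {
            PublicKey algorithmKey;
            if (haveCert) {
                algorithmKey = certs[0].getPublicKey();
            } else if (subjectPublicKey != null) {
                algorithmKey = subjectPublicKey;
            } else {
                // Secret-key signing: the caller has to configure the algorithm.
                throw new WSSecurityException(0, "unknownSignatureAlgorithm");
            }
            this.sigAlgo = defaultSignatureAlgorithm(algorithmKey);
        }

        this.sig = null;
        try {
            ExcC14NParameterSpec c14nSpec = null;
            if (getWsConfig().isWsiBSPCompliant() && this.canonAlgo.equals(EXC_C14N)) {
                c14nSpec = new ExcC14NParameterSpec(getInclusivePrefixes(wSSecHeader.getSecurityHeader(), false));
            }
            this.c14nMethod = this.signatureFactory.newCanonicalizationMethod(this.canonAlgo, c14nSpec);
            this.keyInfoUri = getWsConfig().getIdAllocator().createSecureId("KeyId-", this.keyInfo);
            this.secRef = new SecurityTokenReference(document);
            this.strUri = getWsConfig().getIdAllocator().createSecureId("STRId-", this.secRef);
            this.secRef.setID(this.strUri);
            if (certs != null && certs.length != 0) {
                this.certUri = getWsConfig().getIdAllocator().createSecureId("CertId-", certs[0]);
            }
            if (this.senderVouches) {
                // A dedicated STR to the assertion; the KeyInfo STR points at the issuer cert.
                this.secRefSaml = new SecurityTokenReference(document);
                this.secRefID = getWsConfig().getIdAllocator().createSecureId("STRSAMLId-", this.secRefSaml);
                this.secRefSaml.setID(this.secRefID);
                addAssertionReference(this.secRefSaml, assertionWrapper);
                this.wsDocInfo.addTokenElement(this.secRefSaml.getElement(), false);
                addIssuerCertificateReference(certs, crypto2 != null ? crypto2 : crypto);
            } else {
                // Holder-of-key: the KeyInfo STR points straight at the assertion.
                addAssertionReference(this.secRef, assertionWrapper);
            }
            DOMStructure strStructure = new DOMStructure(this.secRef.getElement());
            this.wsDocInfo.addTokenElement(this.secRef.getElement(), false);
            this.keyInfo = this.keyInfoFactory.newKeyInfo(Collections.singletonList(strStructure), this.keyInfoUri);
            this.wsDocInfo.addTokenElement(this.samlToken, false);
        } catch (WSSecurityException ex) {
            // Keep the specific error code (e.g. unsupportedKeyId) instead of masking it as noXMLSig.
            throw ex;
        } catch (Exception ex) {
            log.error("Failed to prepare the SAML signature", ex);
            throw new WSSecurityException(10, "noXMLSig", null, ex);
        }
    }

    /**
     * Derives the signature algorithm URI from the signing key's algorithm.
     *
     * <p>Only the SHA-1 based URIs are produced here; configure {@code sigAlgo} explicitly
     * to sign with a stronger digest.
     *
     * @param key the public half of the signing key
     * @return the XML-DSig algorithm URI for DSA or RSA keys
     * @throws WSSecurityException {@code unknownSignatureAlgorithm} for any other key algorithm
     */
    private static String defaultSignatureAlgorithm(PublicKey key) throws WSSecurityException {
        String keyAlgorithm = key.getAlgorithm();
        log.debug("automatic sig algo detection: " + keyAlgorithm);
        if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
            return "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
        }
        if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
            return "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
        }
        throw new WSSecurityException(0, "unknownSignatureAlgorithm", new Object[]{keyAlgorithm});
    }

    /**
     * Makes {@code str} point at the assertion, either by a {@code wsse:Reference} URI
     * (direct reference) or by a {@code wsse:KeyIdentifier} carrying the assertion id.
     * The TokenType is set according to the SAML version; for a direct SAML 1.1 reference
     * the reference ValueType is set as well (SAML 2.0 direct references carry none).
     *
     * @param str              the STR to fill in
     * @param assertionWrapper the assertion being referenced
     * @throws WSSecurityException if the STR rejects the reference
     */
    private void addAssertionReference(SecurityTokenReference str, AssertionWrapper assertionWrapper) throws WSSecurityException {
        boolean saml1 = assertionWrapper.getSaml1() != null;
        boolean saml2 = assertionWrapper.getSaml2() != null;
        if (this.useDirectReferenceToAssertion) {
            org.apache.ws.security.message.token.Reference ref = new org.apache.ws.security.message.token.Reference(this.document);
            ref.setURI("#" + assertionWrapper.getId());
            if (saml1) {
                ref.setValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
                str.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
            } else if (saml2) {
                str.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
            }
            str.setReference(ref);
        } else {
            Element keyIdentifier = this.document.createElementNS(WSSE_NS, "wsse:KeyIdentifier");
            // Stays null when the wrapper holds neither version; the attribute is then written as-is.
            String valueType = null;
            if (saml1) {
                valueType = WSConstants.WSS_SAML_KI_VALUE_TYPE;
                str.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
            } else if (saml2) {
                valueType = WSConstants.WSS_SAML2_KI_VALUE_TYPE;
                str.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
            }
            keyIdentifier.setAttributeNS(null, "ValueType", valueType);
            keyIdentifier.appendChild(this.document.createTextNode(assertionWrapper.getId()));
            str.getElement().appendChild(keyIdentifier);
        }
    }

    /**
     * Sender-vouches: makes the KeyInfo STR ({@code secRef}) identify the issuer certificate
     * in the way selected by {@code keyIdentifierType}.
     *
     * @param certs     the issuer certificate chain; {@code certs[0]} is referenced
     * @param skiCrypto crypto used to compute the SKI (issuer crypto when present, else user crypto)
     * @throws WSSecurityException {@code unsupportedKeyId} for identifier types 5, 6, 7 or any
     *         value not listed below
     */
    private void addIssuerCertificateReference(X509Certificate[] certs, Crypto skiCrypto) throws WSSecurityException {
        switch (this.keyIdentifierType) {
            case 1: {
                // Direct reference to a BinarySecurityToken that build() prepends to the header.
                org.apache.ws.security.message.token.Reference ref = new org.apache.ws.security.message.token.Reference(this.document);
                ref.setURI("#" + this.certUri);
                this.bstToken = new X509Security(this.document);
                ((X509Security) this.bstToken).setX509Certificate(certs[0]);
                this.bstToken.setID(this.certUri);
                this.wsDocInfo.addTokenElement(this.bstToken.getElement(), false);
                ref.setValueType(this.bstToken.getValueType());
                this.secRef.setReference(ref);
                break;
            }
            case 2:
                // Issuer name + serial number.
                this.secRef.setX509Data(new DOMX509Data(this.document, new DOMX509IssuerSerial(this.document, certs[0].getIssuerDN().getName(), certs[0].getSerialNumber())));
                break;
            case 3:
                // Full certificate as KeyIdentifier.
                this.secRef.setKeyIdentifier(certs[0]);
                break;
            case 4:
                // Subject key identifier.
                this.secRef.setKeyIdentifierSKI(certs[0], skiCrypto);
                break;
            case 8:
                // Certificate thumbprint.
                this.secRef.setKeyIdentifierThumb(certs[0]);
                break;
            default:
                throw new WSSecurityException(0, "unsupportedKeyId", new Object[0]);
        }
    }

    /**
     * Prepends the prepared SAML elements to the security header. The STR to the assertion
     * (sender-vouches only) is prepended first and the assertion after it, so the assertion
     * ends up before the STR that points at it.
     *
     * @param wSSecHeader the security header
     */
    public void prependSAMLElementsToHeader(WSSecHeader wSSecHeader) {
        Element securityHeader = wSSecHeader.getSecurityHeader();
        if (this.senderVouches) {
            WSSecurityUtil.prependChildElement(securityHeader, this.secRefSaml.getElement());
        }
        WSSecurityUtil.prependChildElement(securityHeader, this.samlToken);
    }

    /**
     * Builds the {@code ds:Signature}, signs it and stores the signature value.
     *
     * <p>The signing key is the issuer's private key for sender-vouches, otherwise the
     * configured secret key if set, otherwise the user's private key from {@code userCrypto}.
     * The STRs are registered on the sign context so the STR-Transform can resolve them.
     *
     * @param list        the references to sign
     * @param wSSecHeader the security header the signature is inserted into
     * @param element     the header child after which the signature is placed; when it is
     *                    {@code null} or has no following sibling the signature is appended
     * @throws WSSecurityException (code 10) wrapping any failure of the XML-DSig API
     */
    public void computeSignature(List<Reference> list, WSSecHeader wSSecHeader, Element element) throws WSSecurityException {
        try {
            Key signingKey;
            if (this.senderVouches) {
                signingKey = this.issuerCrypto.getPrivateKey(this.issuerKeyName, this.issuerKeyPW);
            } else if (this.secretKey != null) {
                signingKey = WSSecurityUtil.prepareSecretKey(this.sigAlgo, this.secretKey);
            } else {
                signingKey = this.userCrypto.getPrivateKey(this.user, this.password);
            }
            this.sig = this.signatureFactory.newXMLSignature(
                this.signatureFactory.newSignedInfo(this.c14nMethod, this.signatureFactory.newSignatureMethod(this.sigAlgo, null), list),
                this.keyInfo,
                null,
                getWsConfig().getIdAllocator().createId("SIG-", null),
                null
            );
            Element securityHeader = wSSecHeader.getSecurityHeader();
            DOMSignContext signContext;
            if (element == null || element.getNextSibling() == null) {
                signContext = new DOMSignContext(signingKey, securityHeader);
            } else {
                signContext = new DOMSignContext(signingKey, securityHeader, element.getNextSibling());
            }
            signContext.putNamespacePrefix("http://www.w3.org/2000/09/xmldsig#", WSConstants.SIG_PREFIX);
            if (EXC_C14N.equals(this.canonAlgo)) {
                signContext.putNamespacePrefix(EXC_C14N, WSConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX);
            }
            signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, this.wsDocInfo);
            this.wsDocInfo.setCallbackLookup(this.callbackLookup);
            this.wsDocInfo.setTokensOnContext(signContext);
            if (this.secRefSaml != null && this.secRefSaml.getElement() != null) {
                WSSecurityUtil.storeElementInContext(signContext, this.secRefSaml.getElement());
            }
            if (this.secRef != null && this.secRef.getElement() != null) {
                WSSecurityUtil.storeElementInContext(signContext, this.secRef.getElement());
            }
            this.sig.sign(signContext);
            this.signatureValue = this.sig.getSignatureValue().getValue();
        } catch (Exception e) {
            // Log with the throwable so the stack trace is kept.
            log.error("Failed to compute the SAML signature", e);
            throw new WSSecurityException(10, null, null, e);
        }
    }

    /**
     * @return {@code true} if the assertion is referenced by a {@code wsse:Reference} URI,
     *         {@code false} if by a {@code wsse:KeyIdentifier}
     */
    public boolean isUseDirectReferenceToAssertion() {
        return this.useDirectReferenceToAssertion;
    }

    /**
     * Selects how the STRs point at the assertion; must be called before {@link #prepare}.
     *
     * @param z {@code true} for a direct {@code wsse:Reference}, {@code false} for a KeyIdentifier
     */
    public void setUseDirectReferenceToAssertion(boolean z) {
        this.useDirectReferenceToAssertion = z;
    }
}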
