package org.apache.wss4j.common.saml;

import java.io.IOException;
import java.security.NoSuchProviderException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.keyinfo.X509IssuerSerial;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.XMLUtils;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.AttributeStatement;
import org.opensaml.saml.saml1.core.AuthenticationStatement;
import org.opensaml.saml.saml1.core.AuthorizationDecisionStatement;
import org.opensaml.saml.saml1.core.Statement;
import org.opensaml.saml.saml1.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.w3c.dom.Element;

/* loaded from: input_file:repository/org/apache/wss4j/wss4j-ws-security-common/2.2.0/wss4j-ws-security-common-2.2.0.jar:org/apache/wss4j/common/saml/SAMLUtil.class */
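/**
 * Helpers for pulling key material out of a SAML assertion's subject confirmation.
 *
 * <p>Everything here is <em>extraction only</em>: the returned {@link SAMLKeyInfo} is whatever the
 * assertion's {@code ds:KeyInfo} says it is. No signature verification, certificate chain building,
 * trust validation or subject-confirmation-method check is performed in this class; callers must
 * establish the assertion's authenticity before relying on the returned key or certificate.
 *
 * <p>Stateless and therefore safe to call from multiple threads.
 */
public final class SAMLUtil {
    /** XML Signature namespace; the {@code ds:KeyInfo} looked for under a subject confirmation lives here. */
    private static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** Local name of the KeyInfo element searched for under SubjectConfirmation / SubjectConfirmationData. */
    private static final String KEY_INFO_LN = "KeyInfo";

    private SAMLUtil() {
    }

    /**
     * Extracts the subject confirmation key material from a wrapped SAML 1.1 or SAML 2.0 assertion,
     * dispatching to the version-specific overload.
     *
     * @param samlAssertionWrapper wrapper holding either a SAML 1.1 or a SAML 2.0 assertion
     * @param sAMLKeyInfoProcessor optional hook consulted first for each KeyInfo element; may be null
     * @param crypto               optional key store used to resolve {@code X509IssuerSerial} references; may be null
     * @param callbackHandler      passed through to the overloads (not used by them)
     * @return the extracted key info, or null when no KeyInfo was found
     * @throws WSSecurityException if the wrapper holds neither assertion type, or KeyInfo processing fails
     * @throws NullPointerException if {@code samlAssertionWrapper} is null
     */
    public static SAMLKeyInfo getCredentialFromSubject(SamlAssertionWrapper samlAssertionWrapper, SAMLKeyInfoProcessor sAMLKeyInfoProcessor, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        Objects.requireNonNull(samlAssertionWrapper, "samlAssertionWrapper");
        Assertion saml1 = samlAssertionWrapper.getSaml1();
        if (saml1 != null) {
            return getCredentialFromSubject(saml1, sAMLKeyInfoProcessor, crypto, callbackHandler);
        }
        org.opensaml.saml.saml2.core.Assertion saml2 = samlAssertionWrapper.getSaml2();
        if (saml2 != null) {
            return getCredentialFromSubject(saml2, sAMLKeyInfoProcessor, crypto, callbackHandler);
        }
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{"Cannot get credentials from an unknown SAML Assertion"});
    }

    /**
     * Extracts the key material from the first statement of a SAML 1.1 assertion whose
     * {@code Subject/SubjectConfirmation} carries a direct {@code ds:KeyInfo} child.
     *
     * <p>Statements that do not carry a subject are skipped instead of being cast blindly, so an
     * unexpected statement type no longer surfaces as a {@code ClassCastException}.
     *
     * @param assertion            the SAML 1.1 assertion to inspect
     * @param sAMLKeyInfoProcessor optional hook consulted first for the KeyInfo element; may be null
     * @param crypto               optional key store used to resolve {@code X509IssuerSerial} references; may be null
     * @param callbackHandler      unused; kept for API compatibility
     * @return the extracted key info, or null when no statement carries a KeyInfo
     * @throws WSSecurityException if the KeyInfo cannot be turned into a key or certificate
     * @throws NullPointerException if {@code assertion} is null
     */
    public static SAMLKeyInfo getCredentialFromSubject(Assertion assertion, SAMLKeyInfoProcessor sAMLKeyInfoProcessor, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        Objects.requireNonNull(assertion, "assertion");
        for (Statement statement : assertion.getStatements()) {
            Subject subject;
            if (statement instanceof AttributeStatement) {
                subject = ((AttributeStatement) statement).getSubject();
            } else if (statement instanceof AuthenticationStatement) {
                subject = ((AuthenticationStatement) statement).getSubject();
            } else if (statement instanceof AuthorizationDecisionStatement) {
                subject = ((AuthorizationDecisionStatement) statement).getSubject();
            } else {
                // Not one of the subject-bearing statement types: nothing to confirm a key with.
                continue;
            }
            if (subject == null || subject.getSubjectConfirmation() == null) {
                continue;
            }
            Element keyInfo = XMLUtils.getDirectChildElement(subject.getSubjectConfirmation().getDOM(), KEY_INFO_LN, SIG_NS);
            if (keyInfo != null) {
                return getCredentialFromKeyInfo(keyInfo, sAMLKeyInfoProcessor, crypto);
            }
        }
        return null;
    }

    /**
     * Extracts the key material from the first {@code SubjectConfirmationData} of a SAML 2.0
     * assertion that carries a direct {@code ds:KeyInfo} child.
     *
     * <p>The confirmation {@code Method} is <em>not</em> inspected here; every SubjectConfirmation is
     * considered. Callers that require holder-of-key semantics must check the method themselves.
     *
     * @param assertion            the SAML 2.0 assertion to inspect
     * @param sAMLKeyInfoProcessor optional hook consulted first for the KeyInfo element; may be null
     * @param crypto               optional key store used to resolve {@code X509IssuerSerial} references; may be null
     * @param callbackHandler      unused; kept for API compatibility
     * @return the extracted key info, or null when the assertion has no subject or no KeyInfo
     * @throws WSSecurityException if the KeyInfo cannot be turned into a key or certificate
     * @throws NullPointerException if {@code assertion} is null
     */
    public static SAMLKeyInfo getCredentialFromSubject(org.opensaml.saml.saml2.core.Assertion assertion, SAMLKeyInfoProcessor sAMLKeyInfoProcessor, Crypto crypto, CallbackHandler callbackHandler) throws WSSecurityException {
        Objects.requireNonNull(assertion, "assertion");
        org.opensaml.saml.saml2.core.Subject subject = assertion.getSubject();
        if (subject == null) {
            return null;
        }
        for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
            SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
            if (confirmationData == null) {
                continue;
            }
            Element keyInfo = XMLUtils.getDirectChildElement(confirmationData.getDOM(), KEY_INFO_LN, SIG_NS);
            if (keyInfo != null) {
                return getCredentialFromKeyInfo(keyInfo, sAMLKeyInfoProcessor, crypto);
            }
        }
        return null;
    }

    /**
     * Turns a {@code ds:KeyInfo} element into a {@link SAMLKeyInfo}.
     *
     * <p>Resolution order: the optional {@code SAMLKeyInfoProcessor} first; otherwise the element is
     * unmarshalled with JSR-105 and the first usable entry wins — a {@code KeyValue} yields a bare
     * public key, an embedded {@code X509Certificate} is returned as a one-element chain, and an
     * {@code X509IssuerSerial} is looked up in {@code crypto}. None of these paths validates the
     * resulting key or certificate.
     *
     * @param element              the {@code ds:KeyInfo} element
     * @param sAMLKeyInfoProcessor optional hook that may fully handle the element; may be null
     * @param crypto               key store for {@code X509IssuerSerial} lookups; may be null, in which case such
     *                             a reference is an error
     * @return the extracted key info, or null when the KeyInfo holds nothing usable
     * @throws WSSecurityException {@code noSigCryptoFile} when an issuer/serial reference needs a missing
     *                             {@code crypto}; {@code invalidSAMLsecurity} for a lookup miss or any unmarshal /
     *                             key extraction failure (original exception preserved as cause)
     * @throws NullPointerException if {@code element} is null
     */
    public static SAMLKeyInfo getCredentialFromKeyInfo(Element element, SAMLKeyInfoProcessor sAMLKeyInfoProcessor, Crypto crypto) throws WSSecurityException {
        Objects.requireNonNull(element, "element");
        if (sAMLKeyInfoProcessor != null) {
            SAMLKeyInfo processed = sAMLKeyInfoProcessor.processSAMLKeyInfo(element);
            if (processed != null) {
                return processed;
            }
        }
        KeyInfoFactory keyInfoFactory = newKeyInfoFactory();
        try {
            List<?> content = keyInfoFactory.unmarshalKeyInfo(new DOMStructure(element)).getContent();
            for (Object item : content) {
                if (item instanceof KeyValue) {
                    return new SAMLKeyInfo(((KeyValue) item).getPublicKey());
                }
                if (item instanceof X509Data) {
                    SAMLKeyInfo fromX509Data = credentialFromX509Data((X509Data) item, crypto);
                    if (fromX509Data != null) {
                        return fromX509Data;
                    }
                }
            }
            return null;
        } catch (WSSecurityException e) {
            // Already carries the precise error key (e.g. noSigCryptoFile); do not re-wrap it.
            throw e;
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity", new Object[]{"cannot get certificate or key"});
        }
    }

    /**
     * Returns a DOM {@link KeyInfoFactory}, preferring the "ApacheXMLDSig" provider and falling back
     * to whatever DOM provider the JDK offers when that one is not registered.
     */
    private static KeyInfoFactory newKeyInfoFactory() {
        try {
            return KeyInfoFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException e) {
            return KeyInfoFactory.getInstance("DOM");
        }
    }

    /**
     * Scans one {@code X509Data} for the first usable entry.
     *
     * @param x509Data the X509Data structure to scan
     * @param crypto   key store for {@code X509IssuerSerial} lookups; may be null
     * @return a one-element chain for an embedded certificate, the chain resolved from {@code crypto} for an
     *         issuer/serial reference, or null when the structure holds neither
     * @throws WSSecurityException if an issuer/serial reference is present but {@code crypto} is null or the
     *                             lookup returns nothing
     */
    private static SAMLKeyInfo credentialFromX509Data(X509Data x509Data, Crypto crypto) throws WSSecurityException {
        for (Object entry : x509Data.getContent()) {
            if (entry instanceof X509Certificate) {
                // First embedded certificate wins; it is returned as-is, without chain or trust checks.
                return new SAMLKeyInfo(new X509Certificate[]{(X509Certificate) entry});
            }
            if (entry instanceof X509IssuerSerial) {
                if (crypto == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
                }
                X509IssuerSerial issuerSerial = (X509IssuerSerial) entry;
                CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
                cryptoType.setIssuerSerial(issuerSerial.getIssuerName(), issuerSerial.getSerialNumber());
                X509Certificate[] certificates = crypto.getX509Certificates(cryptoType);
                if (certificates == null || certificates.length < 1) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", new Object[]{"cannot get certificate or key"});
                }
                return new SAMLKeyInfo(certificates);
            }
        }
        return null;
    }

    /**
     * Hands a {@link SAMLCallback} to the given handler so it can populate the assertion parameters.
     *
     * @param callbackHandler the application's handler; must not be null
     * @param sAMLCallback    the callback to populate
     * @throws IllegalStateException wrapping any {@link IOException} or {@link UnsupportedCallbackException}
     *                               raised by the handler
     * @throws NullPointerException  if {@code callbackHandler} is null
     */
    public static void doSAMLCallback(CallbackHandler callbackHandler, SAMLCallback sAMLCallback) {
        Objects.requireNonNull(callbackHandler, "callbackHandler");
        try {
            callbackHandler.handle(new SAMLCallback[]{sAMLCallback});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new IllegalStateException("Error while creating SAML assertion wrapper", e);
        }
    }
}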
