package com.ibm.ws.security.saml.sso20.internal.utils;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.metadata.AcsDOMMetadataProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashSet;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import net.shibboleth.utilities.java.support.xml.XMLParserException;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.PKIXSignatureTrustEngine;
import org.w3c.dom.Document;

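/**
 * Helpers that set up the trust machinery for inbound SAML 2.0 messages on the
 * service-provider side: loading the IdP metadata, building the signature
 * {@link TrustEngine} (explicit-key from metadata, or PKIX from configured
 * anchors), and checking the message {@code Issuer}.
 * <p>
 * All real work is static; the type parameters and the singleton are only kept
 * so existing callers of {@link #getInstance()} keep compiling.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/saml/sso20/internal/utils/MsgCtxUtil.class */
public class MsgCtxUtil<InboundMessageType extends SAMLObject, OutboundMessageType extends SAMLObject, NameIdentifierType extends SAMLObject> {
    private static TraceComponent tc = Tr.register(MsgCtxUtil.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    static MsgCtxUtil<?, ?, ?> instance = new MsgCtxUtil<>();
    static final long serialVersionUID = -4413678121828706961L;

    /** Source id recorded with every FFDC entry written by this class. */
    private static final String FFDC_SOURCE = "com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil";

    /** Maximum certificate-chain depth accepted by the PKIX trust engine. */
    private static final int PKIX_MAX_CHAIN_DEPTH = 20;

    public static MsgCtxUtil<?, ?, ?> getInstance() {
        return instance;
    }

    /**
     * Parses the IdP metadata file named by {@link SsoConfig#getIdpMetadata()}
     * into an initialized {@link AcsDOMMetadataProvider}.
     * <p>
     * The file is opened inside {@code doPrivileged} so that the calling code's
     * protection domain does not need file-read permission; the path itself is
     * server configuration, not request input. The XML is parsed with the
     * OpenSAML registry's {@link ParserPool}; this assumes that pool was
     * configured with DTD / external-entity processing disabled, as OpenSAML's
     * default pool is — NOTE(review): confirm where the pool is created.
     *
     * @param ssoConfig the SP configuration supplying the metadata path and provider id
     * @return the initialized provider, or {@code null} when no metadata file is
     *         configured at all (the caller must then rely on the trust store /
     *         PKIX engine to verify signatures)
     * @throws SamlException {@code SAML20_NO_IDP_METADATA_ERROR} when the file
     *         exists but cannot be opened; {@code SAML20_IDP_METADATA_PARSE_ERROR}
     *         when the file is absent, yields no document, cannot be parsed, or
     *         the provider fails to initialize
     */
    public static AcsDOMMetadataProvider parseIdpMetadataProvider(SsoConfig ssoConfig) throws SamlException {
        String idpMetadata = ssoConfig.getIdpMetadata();
        String providerId = ssoConfig.getProviderId();

        if (idpMetadata == null || idpMetadata.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The idpMetadataFile in " + providerId + " is null. This has to define the trustStore to verify the signature in SAML Response", new Object[0]);
            }
            return null;
        }

        final File file = new File(idpMetadata);
        InputStream inputStream;
        try {
            inputStream = AccessController.doPrivileged(new PrivilegedExceptionAction<InputStream>() {
                @Override
                public InputStream run() throws Exception {
                    return file.exists() ? new FileInputStream(file) : null;
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "108", (Object) null, new Object[]{ssoConfig});
            Exception cause = e.getException();
            if (cause instanceof FileNotFoundException) {
                // exists() was true but the open failed (permissions, directory, race)
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Provider error MetadataFile:" + idpMetadata, new Object[]{cause});
                }
                throw new SamlException("SAML20_NO_IDP_METADATA_ERROR", cause, new Object[]{idpMetadata, providerId, cause.getMessage()});
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "unexpected Provider error MetadataFile:" + idpMetadata, new Object[]{e, cause});
            }
            throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", cause, new Object[]{idpMetadata, providerId, cause.getMessage()});
        }

        // A configured-but-missing file is an error, not "no metadata configured":
        // returning null here would silently drop the IdP signing keys.
        if (inputStream == null) {
            throw noMetadata(idpMetadata, providerId);
        }

        ParserPool parserPool = XMLObjectProviderRegistrySupport.getParserPool();
        Document document = null;
        try {
            if (parserPool != null) {
                document = parserPool.parse(inputStream);
            }
        } catch (XMLParserException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "141", (Object) null, new Object[]{ssoConfig});
            throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", (Exception) e, new Object[]{idpMetadata, providerId, e.getMessage()});
        } finally {
            // Close on every path, including the no-parser-pool case.
            closeMetadataStream(inputStream, idpMetadata, ssoConfig);
        }

        // No parser pool, or the pool produced nothing: fail closed.
        if (document == null) {
            throw noMetadata(idpMetadata, providerId);
        }

        if (tc.isDebugEnabled()) {
            // Dumps the whole metadata document into trace. IdP metadata is
            // normally public, but this is still only wanted at debug level.
            Tr.debug(tc, "document = ", new Object[]{SerializeSupport.nodeToString(document)});
        }

        AcsDOMMetadataProvider provider = new AcsDOMMetadataProvider(document.getDocumentElement(), file);
        try {
            provider.setId(providerId);
            provider.initialize();
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "166", (Object) null, new Object[]{ssoConfig});
            throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", e, new Object[]{idpMetadata, providerId, e.getMessage()});
        }
        return provider;
    }

    /** Builds the "no metadata" parse error raised when the configured file yields no document. */
    private static SamlException noMetadata(String idpMetadata, String providerId) {
        return new SamlException(Tr.formatMessage(tc, "SAML20_IDP_METADATA_PARSE_ERROR", new Object[]{idpMetadata, providerId, "no metadata"}), (Exception) new NullPointerException(), true);
    }

    /**
     * Closes the metadata stream. A close failure is recorded (FFDC probe 150)
     * and traced but not propagated: by the time this runs the content has
     * either been parsed or the parse error is already being thrown.
     */
    private static void closeMetadataStream(InputStream inputStream, String idpMetadata, SsoConfig ssoConfig) {
        try {
            inputStream.close();
        } catch (IOException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "150", (Object) null, new Object[]{ssoConfig});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Can not close InputStream of MetadataFile:" + idpMetadata, new Object[]{e});
            }
        }
    }

    /**
     * Selects the signature trust engine for this message context: the PKIX
     * engine when {@link SsoConfig#isPkixTrustEngineEnabled()} is set, otherwise
     * the explicit-key engine backed by the IdP metadata.
     *
     * @throws SamlException propagated from the PKIX engine construction
     */
    public static TrustEngine<Signature> getTrustedEngine(BasicMessageContext<?, ?> basicMessageContext) throws SamlException {
        SsoConfig ssoConfig = basicMessageContext.getSsoConfig();
        if (ssoConfig.isPkixTrustEngineEnabled()) {
            return getTrustedEngineFromPkix(basicMessageContext);
        }
        return getTrustedEngineFromMetadata(basicMessageContext);
    }

    /**
     * Builds an {@link ExplicitKeySignatureTrustEngine} whose trusted keys are
     * the ones published in the IdP metadata held by the message context.
     * <p>
     * Only inline {@code X509Data} in the metadata's {@code KeyInfo} is resolved
     * (see {@link #getKeyInfoCredResolver()}); signatures must be made with one
     * of those exact keys. Resolver initialization failures are not swallowed:
     * an engine over an uninitialized resolver can never establish trust, so
     * construction fails closed instead of deferring the failure to validation.
     *
     * @throws IllegalStateException if either OpenSAML resolver fails to initialize
     */
    public static TrustEngine<Signature> getTrustedEngineFromMetadata(BasicMessageContext<?, ?> basicMessageContext) {
        PredicateRoleDescriptorResolver roleResolver = new PredicateRoleDescriptorResolver(basicMessageContext.getMetadataProvider());
        try {
            roleResolver.initialize();
        } catch (ComponentInitializationException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "206", (Object) null, new Object[]{basicMessageContext});
            throw new IllegalStateException("Unable to initialize the SAML role descriptor resolver from IdP metadata", e);
        }

        MetadataCredentialResolver credentialResolver = new MetadataCredentialResolver();
        credentialResolver.setRoleDescriptorResolver(roleResolver);
        credentialResolver.setKeyInfoCredentialResolver(getKeyInfoCredResolver());
        try {
            credentialResolver.initialize();
        } catch (ComponentInitializationException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "215", (Object) null, new Object[]{basicMessageContext});
            throw new IllegalStateException("Unable to initialize the SAML metadata credential resolver", e);
        }
        return new ExplicitKeySignatureTrustEngine(credentialResolver, getKeyInfoCredResolver());
    }

    /**
     * Builds a {@link PKIXSignatureTrustEngine} from the configured trust
     * anchors and CRLs ({@link SsoConfig#getPkixTrustAnchors()},
     * {@link SsoConfig#getX509Crls()}), with chains up to
     * {@link #PKIX_MAX_CHAIN_DEPTH} long.
     * <p>
     * Security note: every certificate-name check on the engine's
     * {@link BasicX509CredentialNameEvaluator} is switched off (subjectAltName,
     * subject DN, subject CN), and the trusted-name set handed to the resolver
     * is empty. Any certificate that chains to one of the anchors and passes
     * revocation checking is therefore accepted as a signer; binding the signer
     * to a particular IdP is left to {@link #validateIssuer} and the
     * {@code pkixTrustedIssuers} list. Operators should keep the anchor set
     * narrow (a dedicated issuing CA, not a public root).
     *
     * @throws SamlException kept for compatibility; nothing in this method
     *         currently raises it
     */
    public static TrustEngine<Signature> getTrustedEngineFromPkix(BasicMessageContext<?, ?> basicMessageContext) throws SamlException {
        SsoConfig ssoConfig = basicMessageContext.getSsoConfig();
        BasicPKIXValidationInformation validationInfo = new BasicPKIXValidationInformation(ssoConfig.getPkixTrustAnchors(), ssoConfig.getX509Crls(), PKIX_MAX_CHAIN_DEPTH);

        ArrayList validationInfos = new ArrayList();
        validationInfos.add(validationInfo);
        HashSet trustedNames = new HashSet(); // deliberately empty: name checks are disabled below

        PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine(new StaticPKIXValidationInformationResolver(validationInfos, trustedNames), getKeyInfoCredResolver());
        BasicX509CredentialNameEvaluator nameEvaluator = engine.getX509CredentialNameEvaluator();
        nameEvaluator.setCheckSubjectAltNames(false);
        nameEvaluator.setCheckSubjectDN(false);
        nameEvaluator.setCheckSubjectDNCommonName(false);
        return engine;
    }

    /**
     * Returns a {@link KeyInfoCredentialResolver} that understands only inline
     * {@code ds:X509Data}. {@code KeyValue}, {@code RetrievalMethod} and other
     * KeyInfo forms are not resolved, so a signature carrying only those will
     * not be trusted by either engine.
     */
    static KeyInfoCredentialResolver getKeyInfoCredResolver() {
        ArrayList providers = new ArrayList();
        providers.add(new InlineX509DataProvider());
        return new BasicProviderKeyInfoCredentialResolver(providers);
    }

    /**
     * Checks that the message {@code Issuer} is acceptable.
     * <ol>
     * <li>If a {@code Format} is present it must be
     *     {@link Constants#NAME_ID_FORMAT_ENTITY}.</li>
     * <li>Unless {@code ignorePeerMetadata} is set, the issuer value must equal
     *     the {@code entityID} of the peer metadata on the context.</li>
     * <li>Failing that (or when no peer metadata is available), the issuer must
     *     appear in {@code pkixTrustedIssuers} — see {@link #tryTrustedIssuers}.</li>
     * </ol>
     * A peer descriptor without an {@code entityID} is treated as "no match"
     * rather than as a runtime failure, so the decision still falls through to
     * the trusted-issuer list and otherwise fails closed.
     *
     * @param issuer the Issuer element from the message
     * @param basicMessageContext context carrying the peer metadata and config
     * @param ignorePeerMetadata when {@code true} the peer metadata is not
     *        consulted and only the configured trusted-issuer list decides
     * @return {@code true} when the issuer is accepted
     * @throws SamlException {@code SAML20_NO_ISSUER_ERR} for a wrong Format,
     *         {@code SAML20_INCORRECT_ISSUER_ERR} for an unaccepted value
     */
    public static boolean validateIssuer(Issuer issuer, BasicMessageContext<?, ?> basicMessageContext, boolean ignorePeerMetadata) throws SamlException {
        String format = issuer.getFormat();
        if (format != null && !Constants.NAME_ID_FORMAT_ENTITY.equals(format)) {
            throw new SamlException("SAML20_NO_ISSUER_ERR", (Exception) null, new Object[]{Constants.NAME_ID_FORMAT_ENTITY, format});
        }

        String issuerValue = issuer.getValue();
        EntityDescriptor peer = ignorePeerMetadata ? null : basicMessageContext.getPeerEntityMetadata();
        if (peer != null) {
            String entityId = peer.getEntityID();
            if (entityId != null && entityId.equals(issuerValue)) {
                return true;
            }
        }
        if (tryTrustedIssuers(issuer, basicMessageContext)) {
            return true;
        }
        throw new SamlException("SAML20_INCORRECT_ISSUER_ERR", (Exception) null, new Object[]{issuerValue});
    }

    /**
     * Matches the issuer value against {@link SsoConfig#getPkixTrustedIssuers()}.
     * <p>
     * Security note: the entry {@link Constants#TRUST_ALL_ISSUERS} is a wildcard
     * that accepts every issuer; with the PKIX engine's name checks disabled,
     * that leaves the trust anchors as the only binding between a message and
     * an IdP.
     *
     * @return {@code true} if the list contains the wildcard or the exact value;
     *         {@code false} when the list is null or has no match
     */
    static boolean tryTrustedIssuers(Issuer issuer, BasicMessageContext<?, ?> basicMessageContext) {
        String[] trustedIssuers = basicMessageContext.getSsoConfig().getPkixTrustedIssuers();
        if (trustedIssuers == null) {
            return false;
        }
        String issuerValue = issuer.getValue();
        for (String trusted : trustedIssuers) {
            if (Constants.TRUST_ALL_ISSUERS.equals(trusted) || trusted.equals(issuerValue)) {
                return true;
            }
        }
        return false;
    }
}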
