package com.ibm.ws.security.saml.sso20.acs;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.internal.utils.SignatureMethods;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.security.impl.BaseSAMLXMLSignatureSecurityHandler;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

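/**
 * Checks the XML signature on an inbound SAML 2.0 protocol message or assertion.
 *
 * <p>Every signed object handed to {@link #evaluate} goes through three checks, in this order:
 * <ol>
 *   <li>{@link #evaluateSignatureMethod}: the signature algorithm must not be weaker than the
 *       configured minimum, so a downgraded algorithm is rejected before any signature work;</li>
 *   <li>{@link #performPreValidation}: the signature must pass the structural SAML signature
 *       profile pre-validation;</li>
 *   <li>{@link #doEvaluate}: the signature is verified by the inherited trust engine for the
 *       issuer recorded in the message context, and the peer context is marked authenticated.</li>
 * </ol>
 * Every failure surfaces as a {@link MessageHandlerException}; no check is skipped on error.
 *
 * <p>{@link #doInvoke}, the OpenSAML handler-chain entry point, only logs and performs no
 * validation. The {@code evaluateProfile}/{@code evaluateAssertion}/{@code evaluateProtocol}/
 * {@code evaluateResponse} entry points are presumably called directly by the ACS flow; the
 * callers are not visible in this listing.
 *
 * <p>NOTE(review): {@link #processType} is per-instance mutable state written by every entry
 * point and read by the log and exception text. If one instance were shared by concurrent
 * requests the label could be wrong — confirm the instance lifecycle in the caller.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class SAMLMessageXMLSignatureSecurityPolicyRule extends BaseSAMLXMLSignatureSecurityHandler {
    private static TraceComponent tc = Tr.register(SAMLMessageXMLSignatureSecurityPolicyRule.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");

    /** Class name reported to FFDC; a single constant keeps every probe site identical. */
    private static final String CLASS_NAME = "com.ibm.ws.security.saml.sso20.acs.SAMLMessageXMLSignatureSecurityPolicyRule";

    /** Structural pre-validator; defaults to the SAML signature profile validator and may be replaced via the setter. */
    private SignaturePrevalidator signaturePrevalidator;

    /** "Profile" or "Protocol": names the kind of object being checked in log and error text. */
    String processType = "";

    static final long serialVersionUID = -1096247527616695321L;

    /** Creates a rule whose pre-validator is the standard {@link SAMLSignatureProfileValidator}. */
    public SAMLMessageXMLSignatureSecurityPolicyRule() {
        setSignaturePrevalidator(new SAMLSignatureProfileValidator());
    }

    /**
     * Replaces the structural pre-validator.
     *
     * @param signaturePrevalidator the validator to run before trust validation; {@code null} makes
     *        {@link #performPreValidation} reject every signature
     */
    public void setSignaturePrevalidator(SignaturePrevalidator signaturePrevalidator) {
        this.signaturePrevalidator = signaturePrevalidator;
    }

    /**
     * Handler-chain entry point. Only reports, at debug level, why the message would not be
     * checked here; it performs no signature validation itself.
     *
     * @param messageContext the inbound message context
     * @throws MessageHandlerException declared for the handler contract; not thrown by this body
     */
    @Override
    public void doInvoke(MessageContext messageContext) throws MessageHandlerException {
        Object message = messageContext.getMessage();
        if (!(message instanceof SignableSAMLObject)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "{} Extracted SAML message was not a SignableSAMLObject, cannot process signature", new Object[0]);
            }
            return;
        }
        if (!((SignableSAMLObject) message).isSigned() && tc.isDebugEnabled()) {
            Tr.debug(tc, "{} SAML protocol message was not signed, skipping XML signature processing", new Object[0]);
        }
    }

    /**
     * Checks the signature of every assertion carried in a SAML {@link Response} (the "Profile"
     * path). An assertion without a signature is still passed to {@link #evaluate}, which rejects
     * it: unsigned assertions are not accepted on this path. A message that is not a
     * {@link Response} is left alone.
     *
     * @param basicMessageContext context holding the inbound message and the SSO configuration
     * @throws MessageHandlerException if any assertion is unsigned or its signature fails a check
     */
    public void evaluateProfile(BasicMessageContext<?, ?> basicMessageContext) throws MessageHandlerException {
        this.processType = "Profile";
        SAMLObject message = (SAMLObject) basicMessageContext.getMessageContext().getMessage();
        if (!(message instanceof SignableSAMLObject)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Extracted SAML message was not a SignableSAMLObject, can not process signature", new Object[0]);
            }
            return;
        }
        if (!(message instanceof Response)) {
            return;
        }
        for (Assertion assertion : ((Response) message).getAssertions()) {
            // The instanceof also skips a null list element.
            if (!(assertion instanceof SignableSAMLObject)) {
                continue;
            }
            if (!assertion.isSigned() && tc.isDebugEnabled()) {
                Tr.debug(tc, "A SAML assertion is not signed. We do not allow this kind of situation", new Object[0]);
            }
            evaluate(basicMessageContext, assertion);
        }
    }

    /**
     * Checks the signature of a single assertion, but only when it carries one.
     *
     * <p>NOTE(review): unlike {@link #evaluateProfile}, an unsigned assertion returns normally
     * here. The caller is responsible for requiring a signature elsewhere (for example on the
     * enclosing response) — confirm at the call site.
     *
     * @param basicMessageContext context holding the SSO configuration and issuer
     * @param assertion the assertion to check
     * @throws MessageHandlerException if the assertion is signed and the signature fails a check
     */
    public void evaluateAssertion(BasicMessageContext<?, ?> basicMessageContext, Assertion assertion) throws MessageHandlerException {
        this.processType = "Profile";
        if (assertion.isSigned()) {
            evaluate(basicMessageContext, assertion);
        }
    }

    /**
     * Checks the signature on the top-level protocol message when it is signed.
     *
     * @param basicMessageContext context holding the inbound message and the SSO configuration
     * @throws MessageHandlerException if the message is signed and the signature fails a check
     */
    public void evaluateProtocol(BasicMessageContext<?, ?> basicMessageContext) throws MessageHandlerException {
        this.processType = "Protocol";
        evaluateTopLevelMessage(basicMessageContext);
    }

    /**
     * Checks the signature on the top-level response when it is signed. Same behaviour as
     * {@link #evaluateProtocol}; both names are kept for existing callers.
     *
     * @param basicMessageContext context holding the inbound message and the SSO configuration
     * @throws MessageHandlerException if the message is signed and the signature fails a check
     */
    public void evaluateResponse(BasicMessageContext<?, ?> basicMessageContext) throws MessageHandlerException {
        this.processType = "Protocol";
        evaluateTopLevelMessage(basicMessageContext);
    }

    /**
     * Shared body of {@link #evaluateProtocol} and {@link #evaluateResponse}: validates the
     * top-level message signature if present, and only logs when it is absent.
     */
    private void evaluateTopLevelMessage(BasicMessageContext<?, ?> basicMessageContext) throws MessageHandlerException {
        SAMLObject samlObject = (SAMLObject) basicMessageContext.getMessageContext().getMessage();
        if (!(samlObject instanceof SignableSAMLObject)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Extracted SAML message was not a SignableSAMLObject, can not process signature", new Object[0]);
            }
            return;
        }
        SignableSAMLObject signable = (SignableSAMLObject) samlObject;
        if (signable.isSigned()) {
            evaluate(basicMessageContext, signable);
        } else if (tc.isDebugEnabled()) {
            // An unsigned top-level message is accepted here; assertion signatures are presumably
            // enforced on the Profile path by the caller — confirm.
            Tr.debug(tc, "SAML protocol message was not signed, skipping XML signature processing", new Object[0]);
        }
    }

    /**
     * Runs the full check sequence on one signable object: algorithm strength, structural
     * pre-validation, then trust validation.
     *
     * @param basicMessageContext context holding the SSO configuration and issuer
     * @param signableSAMLObject the signed object
     * @throws MessageHandlerException if the object carries no signature or any check fails
     */
    public void evaluate(BasicMessageContext<?, ?> basicMessageContext, SignableSAMLObject signableSAMLObject) throws MessageHandlerException {
        Signature signature = signableSAMLObject.getSignature();
        if (signature == null) {
            // Without this guard an unsigned object reached evaluateSignatureMethod and failed with a
            // NullPointerException; reject it with the same exception type as every other failed check.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, this.processType + " message carries no XML signature, can not validate signature", new Object[0]);
            }
            throw new MessageHandlerException(this.processType + " message carries no XML signature");
        }
        evaluateSignatureMethod(basicMessageContext, signature);
        performPreValidation(signature);
        doEvaluate(signature, signableSAMLObject, basicMessageContext);
    }

    /**
     * Rejects a signature whose algorithm ranks below the configured minimum.
     * The ranking comes from {@link SignatureMethods#toInteger}; a higher value is presumably
     * stronger (not verifiable from this listing).
     *
     * @param basicMessageContext supplies the configured signature method algorithm
     * @param signature the received signature
     * @throws MessageHandlerException if the received algorithm ranks below the configured one
     */
    protected void evaluateSignatureMethod(BasicMessageContext<?, ?> basicMessageContext, Signature signature) throws MessageHandlerException {
        String signatureMethodAlgorithm = basicMessageContext.getSsoConfig().getSignatureMethodAlgorithm();
        String signatureAlgorithm = signature.getSignatureAlgorithm();
        if (SignatureMethods.toInteger(signatureAlgorithm) < SignatureMethods.toInteger(signatureMethodAlgorithm)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Required signature method from configuration is " + signatureMethodAlgorithm, new Object[0]);
                Tr.debug(tc, "Received signature method is " + signatureAlgorithm, new Object[0]);
            }
            throw new MessageHandlerException("The server is configured with the signature method " + signatureMethodAlgorithm + " but the received SAML assertion is signed with the signature method " + signatureAlgorithm + ", the signature method provided is weaker than the required.");
        }
    }

    /**
     * Exposes the inherited peer entity context.
     *
     * @return the SAML peer entity context resolved by the superclass
     */
    public SAMLPeerEntityContext getPeerContext() {
        return getSAMLPeerEntityContext();
    }

    /**
     * Verifies the signature against the trust engine for the issuer recorded in the context and,
     * on success, marks the peer context authenticated.
     *
     * <p>The thread context class loader is temporarily switched to the one that loaded
     * {@link SignatureValidator} for the duration of the trust validation (presumably so the
     * XML-security providers resolve from the OpenSAML bundle) and always restored afterwards.
     *
     * @param signature the signature to verify
     * @param signableSAMLObject the signed object, used for its element name in diagnostics
     * @param basicMessageContext supplies the inbound issuer and the OpenSAML message context
     * @throws MessageHandlerException if no issuer is available, the trust engine rejects the
     *         signature, or validation throws
     */
    protected void doEvaluate(Signature signature, SignableSAMLObject signableSAMLObject, BasicMessageContext<?, ?> basicMessageContext) throws MessageHandlerException {
        String inboundSamlMessageIssuer = basicMessageContext.getInboundSamlMessageIssuer();
        MessageContext<SAMLObject> messageContext = basicMessageContext.getMessageContext();
        SAMLPeerEntityContext peerEntityContext = getSAMLPeerEntityContext();
        if (inboundSamlMessageIssuer == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Context issuer unavailable, can not attempt SAML " + this.processType + " message signature validation", new Object[0]);
            }
            throw new MessageHandlerException("Context issuer unavailable, can not validate signature");
        }
        String qName = signableSAMLObject.getElementQName().toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Attempting to verify signature on signed SAML " + this.processType + " message using context issuer message type: " + qName, new Object[0]);
        }
        ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
        try {
            Thread.currentThread().setContextClassLoader(SignatureValidator.class.getClassLoader());
            if (!evaluate(signature, inboundSamlMessageIssuer, messageContext)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Validation of " + this.processType + " message signature failed for context issuer '" + inboundSamlMessageIssuer + "', message type: " + qName, new Object[0]);
                }
                throw new MessageHandlerException("Validation of " + this.processType + " message signature failed");
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Validation of " + this.processType + " message signature succeeded, message type: " + qName, new Object[0]);
            }
            if (!peerEntityContext.isAuthenticated()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authentication via " + this.processType + " message signature succeeded for context issuer entity ID " + inboundSamlMessageIssuer, new Object[0]);
                }
                peerEntityContext.setAuthenticated(true);
            }
        } catch (Exception e) {
            // Any failure inside validation is fail-closed: record it and report a generic failure,
            // keeping the original as the cause for diagnostics.
            FFDCFilter.processException(e, CLASS_NAME, "270", this, new Object[]{signature, signableSAMLObject, basicMessageContext});
            throw new MessageHandlerException("Validation of " + this.processType + " message signature failed", e);
        } finally {
            Thread.currentThread().setContextClassLoader(contextClassLoader);
        }
    }

    /**
     * Trust-engine validation that maps every failure to {@code false}.
     *
     * <p>Not referenced from this class; the name looks like a decompiler rename of an overload of
     * the three-argument {@code evaluate} that {@link #doEvaluate} calls and that is defined
     * outside this class. Kept unchanged.
     *
     * @param signature the signature to verify
     * @param str the issuer entity id used to build the criteria set
     * @param messageContext the OpenSAML message context
     * @return {@code true} only if the trust engine accepted the signature
     */
    private boolean mevaluate(Signature signature, String str, MessageContext messageContext) {
        try {
            CriteriaSet buildCriteriaSet = buildCriteriaSet(str, messageContext);
            try {
                return getTrustEngine().validate(signature, buildCriteriaSet);
            } catch (SecurityException e) {
                FFDCFilter.processException(e, CLASS_NAME, "304", this, new Object[]{signature, str, messageContext});
                return false;
            } catch (ResolverException e2) {
                FFDCFilter.processException(e2, CLASS_NAME, "302", this, new Object[]{signature, str, messageContext});
                return false;
            }
        } catch (MessageHandlerException e3) {
            FFDCFilter.processException(e3, CLASS_NAME, "307", this, new Object[]{signature, str, messageContext});
            return false;
        }
    }

    /**
     * Returns the structural pre-validator.
     *
     * @return the current pre-validator, possibly {@code null}
     */
    protected SignaturePrevalidator getSignaturePrevalidator() {
        return this.signaturePrevalidator;
    }

    /**
     * Runs the structural pre-validation. A missing pre-validator is treated as a failure rather
     * than a skip, so the check can never be bypassed by misconfiguration.
     *
     * @param signature the signature to pre-validate
     * @throws MessageHandlerException if no pre-validator is set or the signature fails it
     */
    protected void performPreValidation(Signature signature) throws MessageHandlerException {
        SignaturePrevalidator prevalidator = getSignaturePrevalidator();
        if (prevalidator == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, this.processType + " message signature failed without pre-validation", new Object[0]);
            }
            throw new MessageHandlerException(this.processType + " message signature failed signature pre-validation");
        }
        try {
            prevalidator.validate(signature);
        } catch (SignatureException e) {
            FFDCFilter.processException(e, CLASS_NAME, "333", this, new Object[]{signature});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, this.processType + " message signature failed signature pre-validation", new Object[]{e});
            }
            throw new MessageHandlerException(this.processType + " message signature failed signature pre-validation", e);
        }
    }
}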
