package org.opensaml.xml.security;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.apache.commons.ssl.PKCS8Key;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.credential.BasicCredential;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.util.LazySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:wlp/lib/com.ibm.ws.org.opensaml.xmltooling.1.3.4_1.0.14.jar:org/opensaml/xml/security/SecurityHelper.class */
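/**
 * Static helpers for key handling, credential construction and signature /
 * encryption parameter setup used by the xmltooling security layer.
 *
 * <p>Most methods are thin wrappers over the JCA, Apache XML Security's
 * {@link JCEMapper} and the xmltooling {@link SecurityConfiguration}. Nothing
 * in this class performs trust evaluation or algorithm policy enforcement:
 * keys and certificates decoded here are accepted exactly as supplied, and
 * the URI tables below merely map algorithm URIs to key types (they include
 * legacy algorithms such as rsa-md5 and rsa-sha1). Callers are expected to
 * apply their own trust engine and algorithm whitelist before acting on the
 * results.</p>
 */
public final class SecurityHelper {
    /** XML Signature algorithm URIs whose signing key is an RSA key. */
    private static final Set<String> rsaAlgorithmURIs;
    /** XML Signature algorithm URIs whose signing key is a DSA key. */
    private static final Set<String> dsaAlgorithmURIs;
    /** XML Signature algorithm URIs whose signing key is an EC key. */
    private static final Set<String> ecdsaAlgorithmURIs;

    /** Utility class; not instantiable. */
    private SecurityHelper() {
    }

    /**
     * Translate an XML Security algorithm URI into the JCA algorithm ID
     * registered for it in the Apache XML Security configuration.
     *
     * @param str the algorithm URI
     * @return the trimmed JCA algorithm ID, or null when no mapping exists
     */
    public static String getAlgorithmIDFromURI(String str) {
        return DatatypeHelper.safeTrimOrNullString(JCEMapper.translateURItoJCEID(str));
    }

    /**
     * Report whether an algorithm URI denotes an HMAC (MAC class) algorithm
     * according to the Apache XML Security algorithm registry.
     *
     * @param str the algorithm URI
     * @return true if the URI is registered with the MAC algorithm class
     */
    public static boolean isHMAC(String str) {
        String algorithmClass = DatatypeHelper.safeTrimOrNullString(JCEMapper.getAlgorithmClassFromURI(str));
        return ApacheXMLSecurityConstants.ALGO_CLASS_MAC.equals(algorithmClass);
    }

    /**
     * Determine the JCA key algorithm name that goes with an algorithm URI.
     *
     * <p>The Apache XML Security registry is consulted first; only if it has
     * no key algorithm for the URI do the local RSA/DSA/EC signature URI
     * tables apply. HMAC URIs deliberately map to null, since the secret key
     * algorithm is not implied by the MAC URI.</p>
     *
     * @param str the algorithm URI
     * @return the JCA key algorithm, or null if none can be determined
     */
    public static String getKeyAlgorithmFromURI(String str) {
        String registered = DatatypeHelper.safeTrimOrNullString(JCEMapper.getJCEKeyAlgorithmFromURI(str));
        if (registered != null) {
            return registered;
        }
        if (isHMAC(str)) {
            return null;
        }
        if (rsaAlgorithmURIs.contains(str)) {
            return "RSA";
        }
        if (dsaAlgorithmURIs.contains(str)) {
            return "DSA";
        }
        if (ecdsaAlgorithmURIs.contains(str)) {
            // NOTE(review): the rest of this file builds EC keys with the standard
            // JCA name "EC" (see decodePublicKey / buildJavaECPublicKey); "ECDSA" is
            // only resolvable by providers that register it as an alias. Kept as-is
            // for compatibility with callers that depend on it; verify against the
            // provider in use.
            return "ECDSA";
        }
        return null;
    }

    /**
     * Determine the symmetric key length (in bits) implied by a block
     * encryption or symmetric key wrap algorithm URI.
     *
     * @param str the algorithm URI
     * @return the key length in bits, or null when the URI is not a
     *         block-encryption/key-wrap algorithm or the registry value is
     *         not a valid integer
     */
    public static Integer getKeyLengthFromURI(String str) {
        Logger logger = getLogger();
        String algorithmClass = DatatypeHelper.safeTrimOrNullString(JCEMapper.getAlgorithmClassFromURI(str));
        boolean symmetricClass = ApacheXMLSecurityConstants.ALGO_CLASS_BLOCK_ENCRYPTION.equals(algorithmClass)
                || ApacheXMLSecurityConstants.ALGO_CLASS_SYMMETRIC_KEY_WRAP.equals(algorithmClass);
        if (symmetricClass) {
            try {
                return Integer.valueOf(JCEMapper.getKeyLengthFromURI(str));
            } catch (NumberFormatException e) {
                logger.warn("XML Security config contained invalid key length value for algorithm URI: " + str);
            }
        }
        logger.info("Mapping from algorithm URI {} to key length not available", str);
        return null;
    }

    /**
     * Generate a fresh random symmetric key suitable for the given block
     * encryption / key wrap algorithm URI, using the default JCE provider's
     * {@link KeyGenerator} (and therefore its CSPRNG).
     *
     * @param str the algorithm URI
     * @return the generated key
     * @throws NoSuchAlgorithmException if no key algorithm maps to the URI
     * @throws KeyException if no key length maps to the URI
     */
    public static SecretKey generateSymmetricKey(String str) throws NoSuchAlgorithmException, KeyException {
        Logger logger = getLogger();
        String keyAlgorithm = getKeyAlgorithmFromURI(str);
        if (DatatypeHelper.isEmpty(keyAlgorithm)) {
            logger.error("Mapping from algorithm URI '" + str + "' to key algorithm not available, key generation failed");
            throw new NoSuchAlgorithmException("Algorithm URI'" + str + "' is invalid for key generation");
        }
        Integer keyLength = getKeyLengthFromURI(str);
        if (keyLength == null) {
            logger.error("Key length could not be determined from algorithm URI, can't generate key");
            throw new KeyException("Key length not determinable from algorithm URI, could not generate new key");
        }
        KeyGenerator generator = KeyGenerator.getInstance(keyAlgorithm);
        generator.init(keyLength.intValue());
        return generator.generateKey();
    }

    /**
     * Select the key to encrypt with: the credential's public key, else its
     * secret key.
     *
     * @param credential the credential (may be null)
     * @return the encryption key, or null
     */
    public static Key extractEncryptionKey(Credential credential) {
        if (credential == null) {
            return null;
        }
        PublicKey publicKey = credential.getPublicKey();
        return publicKey != null ? publicKey : credential.getSecretKey();
    }

    /**
     * Select the key to decrypt with: the credential's private key, else its
     * secret key.
     *
     * @param credential the credential (may be null)
     * @return the decryption key, or null
     */
    public static Key extractDecryptionKey(Credential credential) {
        if (credential == null) {
            return null;
        }
        PrivateKey privateKey = credential.getPrivateKey();
        return privateKey != null ? privateKey : credential.getSecretKey();
    }

    /**
     * Select the key to sign with: the credential's private key, else its
     * secret key (HMAC).
     *
     * @param credential the credential (may be null)
     * @return the signing key, or null
     */
    public static Key extractSigningKey(Credential credential) {
        if (credential == null) {
            return null;
        }
        PrivateKey privateKey = credential.getPrivateKey();
        return privateKey != null ? privateKey : credential.getSecretKey();
    }

    /**
     * Select the key to verify with: the credential's public key, else its
     * secret key (HMAC).
     *
     * @param credential the credential (may be null)
     * @return the verification key, or null
     */
    public static Key extractVerificationKey(Credential credential) {
        if (credential == null) {
            return null;
        }
        PublicKey publicKey = credential.getPublicKey();
        return publicKey != null ? publicKey : credential.getSecretKey();
    }

    /**
     * Determine the length in bits of a key. Only raw-format secret keys are
     * supported; for anything else (including keys whose encoding is not
     * exportable) the result is null.
     *
     * @param key the key to measure
     * @return the key length in bits, or null if it cannot be determined
     */
    public static Integer getKeyLength(Key key) {
        Logger logger = getLogger();
        if ((key instanceof SecretKey) && "RAW".equals(key.getFormat())) {
            byte[] encoded = key.getEncoded();
            // getEncoded() is permitted to return null (e.g. non-extractable keys);
            // treat that like any other undeterminable length rather than NPE.
            if (encoded != null) {
                return Integer.valueOf(encoded.length * 8);
            }
        }
        logger.debug("Unable to determine length in bits of specified Key instance");
        return null;
    }

    /**
     * Wrap a secret key in a {@link BasicCredential}.
     *
     * @param secretKey the secret key; required
     * @return the new credential
     * @throws IllegalArgumentException if the key is null
     */
    public static BasicCredential getSimpleCredential(SecretKey secretKey) {
        if (secretKey == null) {
            throw new IllegalArgumentException("A secret key is required");
        }
        BasicCredential credential = new BasicCredential();
        credential.setSecretKey(secretKey);
        return credential;
    }

    /**
     * Wrap a public key (and optional private key) in a {@link BasicCredential}.
     *
     * @param publicKey the public key; required
     * @param privateKey the private key; may be null
     * @return the new credential
     * @throws IllegalArgumentException if the public key is null
     */
    public static BasicCredential getSimpleCredential(PublicKey publicKey, PrivateKey privateKey) {
        if (publicKey == null) {
            throw new IllegalArgumentException("A public key is required");
        }
        BasicCredential credential = new BasicCredential();
        credential.setPublicKey(publicKey);
        credential.setPrivateKey(privateKey);
        return credential;
    }

    /**
     * Wrap an entity certificate (and optional private key) in a
     * {@link BasicX509Credential}. No validation of the certificate is done.
     *
     * @param x509Certificate the entity certificate; required
     * @param privateKey the private key; may be null
     * @return the new credential
     * @throws IllegalArgumentException if the certificate is null
     */
    public static BasicX509Credential getSimpleCredential(X509Certificate x509Certificate, PrivateKey privateKey) {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("A certificate is required");
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(x509Certificate);
        credential.setPrivateKey(privateKey);
        return credential;
    }

    /**
     * Decode a secret key from its encoded form. Not implemented.
     *
     * @param bArr the encoded key
     * @param cArr the password, if any
     * @return never returns normally
     * @throws KeyException declared for API symmetry; never thrown here
     * @throws UnsupportedOperationException always
     */
    public static SecretKey decodeSecretKey(byte[] bArr, char[] cArr) throws KeyException {
        throw new UnsupportedOperationException("This method is not yet supported");
    }

    /**
     * Decode an X.509 (SubjectPublicKeyInfo) encoded public key, trying the
     * RSA, DSA and EC key factories in turn.
     *
     * @param bArr the DER-encoded SubjectPublicKeyInfo
     * @param cArr unused; public keys are never password protected
     * @return the decoded public key
     * @throws KeyException if none of the supported key factories accepts the encoding
     */
    public static PublicKey decodePublicKey(byte[] bArr, char[] cArr) throws KeyException {
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(bArr);
        KeyException lastFailure = null;
        for (String algorithm : new String[] {"RSA", "DSA", "EC"}) {
            try {
                return buildKey(keySpec, algorithm);
            } catch (KeyException e) {
                lastFailure = e;
            }
        }
        // Preserve the last factory's failure as the cause for diagnosability.
        throw new KeyException("Unsupported key type.", lastFailure);
    }

    /**
     * Derive the public key corresponding to a DSA or RSA (CRT) private key.
     *
     * <p>For DSA the public value is {@code y = g^x mod p}; for RSA the public
     * key is simply the modulus and public exponent carried by the CRT key.</p>
     *
     * @param privateKey the private key
     * @return the matching public key
     * @throws KeyException if the key is not a DSA or RSA CRT key, or the JCA
     *         cannot build the public key
     */
    public static PublicKey derivePublicKey(PrivateKey privateKey) throws KeyException {
        if (privateKey instanceof DSAPrivateKey) {
            DSAPrivateKey dsaKey = (DSAPrivateKey) privateKey;
            DSAParams params = dsaKey.getParams();
            try {
                // Bug fix: the public value is g^x mod p. The previous code used the
                // subgroup order q as the base, which yields a key that does not
                // verify signatures made with this private key.
                DSAPublicKeySpec spec = new DSAPublicKeySpec(
                        params.getG().modPow(dsaKey.getX(), params.getP()),
                        params.getP(), params.getQ(), params.getG());
                return KeyFactory.getInstance("DSA").generatePublic(spec);
            } catch (GeneralSecurityException e) {
                throw new KeyException("Unable to derive public key from DSA private key", e);
            }
        }
        if (!(privateKey instanceof RSAPrivateCrtKey)) {
            // Plain RSAPrivateKey carries no public exponent, so only CRT keys work.
            throw new KeyException("Private key was not a DSA or RSA key");
        }
        RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey) privateKey;
        try {
            RSAPublicKeySpec spec = new RSAPublicKeySpec(rsaKey.getModulus(), rsaKey.getPublicExponent());
            return KeyFactory.getInstance("RSA").generatePublic(spec);
        } catch (GeneralSecurityException e) {
            throw new KeyException("Unable to derive public key from RSA private key", e);
        }
    }

    /**
     * Read and decode a private key from a file.
     *
     * @param file the key file
     * @param cArr the password protecting the key, or null if unencrypted
     * @return the decoded private key
     * @throws KeyException if the file is missing/unreadable, cannot be read, or cannot be decoded
     */
    public static PrivateKey decodePrivateKey(File file, char[] cArr) throws KeyException {
        if (!file.exists()) {
            throw new KeyException("Key file " + file.getAbsolutePath() + " does not exist");
        }
        if (!file.canRead()) {
            throw new KeyException("Key file " + file.getAbsolutePath() + " is not readable");
        }
        byte[] contents;
        try {
            contents = DatatypeHelper.fileToByteArray(file);
        } catch (IOException e) {
            throw new KeyException("Error reading Key file " + file.getAbsolutePath(), e);
        }
        return decodePrivateKey(contents, cArr);
    }

    /**
     * Decode a private key via not-yet-commons-ssl's {@link PKCS8Key}, which
     * handles PKCS#8 (encrypted or not) and related encodings.
     *
     * @param bArr the encoded key bytes
     * @param cArr the password, or null if the key is not encrypted
     * @return the decoded private key
     * @throws KeyException wrapping any JCA failure
     */
    public static PrivateKey decodePrivateKey(byte[] bArr, char[] cArr) throws KeyException {
        try {
            return new PKCS8Key(bArr, cArr).getPrivateKey();
        } catch (GeneralSecurityException e) {
            throw new KeyException("Unable to decode private key", e);
        }
    }

    /**
     * Build a certificate from its base64-encoded DER form. No validation is
     * performed on the resulting certificate.
     *
     * @param str base64 DER certificate
     * @return the certificate
     * @throws CertificateException on parse failure
     */
    public static X509Certificate buildJavaX509Cert(String str) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(Base64.decode(str)));
    }

    /**
     * Build a CRL from its base64-encoded DER form. The CRL's signature is not
     * checked here.
     *
     * @param str base64 DER CRL
     * @return the CRL
     * @throws CertificateException if the certificate factory is unavailable
     * @throws CRLException on parse failure
     */
    public static X509CRL buildJavaX509CRL(String str) throws CertificateException, CRLException {
        CertificateFactory factory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
        return (X509CRL) factory.generateCRL(new ByteArrayInputStream(Base64.decode(str)));
    }

    /**
     * Build a DSA public key from a base64 SubjectPublicKeyInfo.
     *
     * @param str base64 encoded key
     * @return the DSA public key
     * @throws KeyException on decode failure
     */
    public static DSAPublicKey buildJavaDSAPublicKey(String str) throws KeyException {
        return (DSAPublicKey) buildKey(new X509EncodedKeySpec(Base64.decode(str)), "DSA");
    }

    /**
     * Build an RSA public key from a base64 SubjectPublicKeyInfo.
     *
     * @param str base64 encoded key
     * @return the RSA public key
     * @throws KeyException on decode failure
     */
    public static RSAPublicKey buildJavaRSAPublicKey(String str) throws KeyException {
        return (RSAPublicKey) buildKey(new X509EncodedKeySpec(Base64.decode(str)), "RSA");
    }

    /**
     * Build an EC public key from a base64 SubjectPublicKeyInfo.
     *
     * @param str base64 encoded key
     * @return the EC public key
     * @throws KeyException on decode failure
     */
    public static ECPublicKey buildJavaECPublicKey(String str) throws KeyException {
        return (ECPublicKey) buildKey(new X509EncodedKeySpec(Base64.decode(str)), "EC");
    }

    /**
     * Build an RSA private key from a base64 encoded (unencrypted) key.
     *
     * @param str base64 encoded key
     * @return the RSA private key
     * @throws KeyException on decode failure or if the key is not RSA
     */
    public static RSAPrivateKey buildJavaRSAPrivateKey(String str) throws KeyException {
        PrivateKey decoded = buildJavaPrivateKey(str);
        if (!(decoded instanceof RSAPrivateKey)) {
            throw new KeyException("Generated key was not an RSAPrivateKey instance");
        }
        return (RSAPrivateKey) decoded;
    }

    /**
     * Build a DSA private key from a base64 encoded (unencrypted) key.
     *
     * @param str base64 encoded key
     * @return the DSA private key
     * @throws KeyException on decode failure or if the key is not DSA
     */
    public static DSAPrivateKey buildJavaDSAPrivateKey(String str) throws KeyException {
        PrivateKey decoded = buildJavaPrivateKey(str);
        if (!(decoded instanceof DSAPrivateKey)) {
            throw new KeyException("Generated key was not a DSAPrivateKey instance");
        }
        return (DSAPrivateKey) decoded;
    }

    /**
     * Build a private key from a base64 encoded, unencrypted key.
     *
     * @param str base64 encoded key
     * @return the private key
     * @throws KeyException on decode failure
     */
    public static PrivateKey buildJavaPrivateKey(String str) throws KeyException {
        return decodePrivateKey(Base64.decode(str), (char[]) null);
    }

    /**
     * Build a public key from a key spec using the named JCA key algorithm.
     *
     * @param keySpec the key spec
     * @param str the JCA key algorithm (e.g. "RSA", "DSA", "EC")
     * @return the public key
     * @throws KeyException if the algorithm is unsupported or the spec is invalid
     */
    public static PublicKey buildKey(KeySpec keySpec, String str) throws KeyException {
        try {
            return KeyFactory.getInstance(str).generatePublic(keySpec);
        } catch (NoSuchAlgorithmException e) {
            // Message fix: the original concatenated without a separator ("RSAalgorithm ...").
            throw new KeyException(str + " algorithm is not supported by the JCE", e);
        } catch (InvalidKeySpecException e) {
            throw new KeyException("Invalid key information", e);
        }
    }

    /**
     * Generate a random symmetric key for an algorithm URI using the key
     * algorithm and length registered for it in Apache XML Security.
     *
     * @param str the algorithm URI
     * @return the generated key
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     * @throws NoSuchProviderException never in practice (no provider is specified)
     */
    public static SecretKey generateKeyFromURI(String str) throws NoSuchAlgorithmException, NoSuchProviderException {
        return generateKey(JCEMapper.getJCEKeyAlgorithmFromURI(str), JCEMapper.getKeyLengthFromURI(str), null);
    }

    /**
     * Generate a random key pair for an algorithm URI.
     *
     * @param str the algorithm URI
     * @param i the key size in bits
     * @return the generated key pair
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     * @throws NoSuchProviderException never in practice (no provider is specified)
     */
    public static KeyPair generateKeyPairFromURI(String str, int i) throws NoSuchAlgorithmException, NoSuchProviderException {
        return generateKeyPair(JCEMapper.getJCEKeyAlgorithmFromURI(str), i, null);
    }

    /**
     * Generate a random symmetric key.
     *
     * @param str the JCA key algorithm
     * @param i the key size in bits
     * @param str2 the JCA provider name, or null for the default provider
     * @return the generated key
     * @throws NoSuchAlgorithmException if the algorithm is unavailable
     * @throws NoSuchProviderException if the named provider is unavailable
     */
    public static SecretKey generateKey(String str, int i, String str2) throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyGenerator generator;
        if (str2 == null) {
            generator = KeyGenerator.getInstance(str);
        } else {
            generator = KeyGenerator.getInstance(str, str2);
        }
        generator.init(i);
        return generator.generateKey();
    }

    /**
     * Generate a random key pair.
     *
     * @param str the JCA key algorithm
     * @param i the key size in bits
     * @param str2 the JCA provider name, or null for the default provider
     * @return the generated key pair
     * @throws NoSuchAlgorithmException if the algorithm is unavailable
     * @throws NoSuchProviderException if the named provider is unavailable
     */
    public static KeyPair generateKeyPair(String str, int i, String str2) throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyPairGenerator generator;
        if (str2 == null) {
            generator = KeyPairGenerator.getInstance(str);
        } else {
            generator = KeyPairGenerator.getInstance(str, str2);
        }
        generator.initialize(i);
        return generator.generateKeyPair();
    }

    /**
     * Generate a random symmetric key for an algorithm URI and wrap it in a
     * credential.
     *
     * @param str the algorithm URI
     * @return a credential holding the new secret key
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     * @throws NoSuchProviderException never in practice
     */
    public static Credential generateKeyAndCredential(String str) throws NoSuchAlgorithmException, NoSuchProviderException {
        BasicCredential credential = new BasicCredential();
        credential.setSecretKey(generateKeyFromURI(str));
        return credential;
    }

    /**
     * Generate a random key pair for an algorithm URI and wrap it in a
     * credential.
     *
     * @param str the algorithm URI
     * @param i the key size in bits
     * @param z whether to include the private key in the credential
     * @return a credential holding the public key (and private key if requested)
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     * @throws NoSuchProviderException never in practice
     */
    public static Credential generateKeyPairAndCredential(String str, int i, boolean z) throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyPair keyPair = generateKeyPairFromURI(str, i);
        BasicCredential credential = new BasicCredential();
        credential.setPublicKey(keyPair.getPublic());
        if (z) {
            credential.setPrivateKey(keyPair.getPrivate());
        }
        return credential;
    }

    /**
     * Build a resolver that extracts credentials from inline KeyInfo content
     * (RSAKeyValue, DSAKeyValue and X509Data).
     *
     * <p>Security note: credentials resolved this way come straight from the
     * message being processed and carry no trust. They must be evaluated by a
     * trust engine before being used to verify anything.</p>
     *
     * @return the resolver
     */
    public static KeyInfoCredentialResolver buildBasicInlineKeyInfoResolver() {
        // Raw list retained: the provider element type is not imported in this file.
        ArrayList providers = new ArrayList();
        providers.add(new RSAKeyValueProvider());
        providers.add(new DSAKeyValueProvider());
        providers.add(new InlineX509DataProvider());
        return new BasicProviderKeyInfoCredentialResolver(providers);
    }

    /**
     * Check whether a public and private key form a pair by signing a fixed
     * test message with the private key and verifying it with the public key,
     * using the signature algorithm the global configuration maps to the
     * private key's algorithm.
     *
     * @param publicKey the public key
     * @param privateKey the private key
     * @return true if the public key verifies a signature made by the private key
     * @throws SecurityException if either key is null or no signature
     *         algorithm can be resolved for the private key
     */
    public static boolean matchKeyPair(PublicKey publicKey, PrivateKey privateKey) throws SecurityException {
        Logger logger = getLogger();
        if (publicKey == null || privateKey == null) {
            throw new SecurityException("Either public or private key was null");
        }
        SecurityConfiguration config = Configuration.getGlobalSecurityConfiguration();
        if (config == null) {
            throw new SecurityException("Global security configuration was null, could not resolve signing algorithm");
        }
        String keyAlgorithm = privateKey.getAlgorithm();
        String signatureAlgorithmURI = config.getSignatureAlgorithmURI(keyAlgorithm);
        if (signatureAlgorithmURI == null) {
            throw new SecurityException("Can't determine algorithm URI from key algorithm: " + keyAlgorithm);
        }
        String jcaAlgorithm = getAlgorithmIDFromURI(signatureAlgorithmURI);
        if (jcaAlgorithm == null) {
            throw new SecurityException("Can't determine JCA algorithm ID from algorithm URI: " + signatureAlgorithmURI);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Attempting to match key pair containing key algorithms public '{}' private '{}', using JCA signature algorithm '{}'", new Object[]{publicKey.getAlgorithm(), keyAlgorithm, jcaAlgorithm});
        }
        // Fixed charset so the probe bytes do not depend on the platform default.
        byte[] probe = "This is the data to sign".getBytes(StandardCharsets.UTF_8);
        byte[] signature = SigningUtil.sign(privateKey, jcaAlgorithm, probe);
        return SigningUtil.verify(publicKey, jcaAlgorithm, signature, probe);
    }

    /**
     * Fill in any unset signature parameters (algorithm, HMAC output length,
     * canonicalization algorithm, KeyInfo) from the credential and the given
     * or global security configuration.
     *
     * @param signature the signature to prepare
     * @param credential the signing credential
     * @param securityConfiguration the configuration to use, or null for the global one
     * @param str the named KeyInfoGenerator manager to use, or null/empty for the default
     * @throws SecurityException if KeyInfo generation fails
     */
    public static void prepareSignatureParams(Signature signature, Credential credential, SecurityConfiguration securityConfiguration, String str) throws SecurityException {
        Logger logger = getLogger();
        SecurityConfiguration config = securityConfiguration != null ? securityConfiguration : Configuration.getGlobalSecurityConfiguration();
        String signatureAlgorithm = signature.getSignatureAlgorithm();
        if (signatureAlgorithm == null) {
            // NOTE(review): if the configuration has no algorithm for this credential
            // type this stays null and the isHMAC() lookup below is fed a null URI.
            signatureAlgorithm = config.getSignatureAlgorithmURI(credential);
            signature.setSignatureAlgorithm(signatureAlgorithm);
        }
        if (isHMAC(signatureAlgorithm) && signature.getHMACOutputLength() == null) {
            signature.setHMACOutputLength(config.getSignatureHMACOutputLength());
        }
        if (signature.getCanonicalizationAlgorithm() == null) {
            signature.setCanonicalizationAlgorithm(config.getSignatureCanonicalizationAlgorithm());
        }
        if (signature.getKeyInfo() != null) {
            return;
        }
        KeyInfoGenerator keyInfoGenerator = getKeyInfoGenerator(credential, config, str);
        if (keyInfoGenerator == null) {
            logger.info("No factory for named KeyInfoGenerator {} was found for credential type {}", str, credential.getCredentialType().getName());
            logger.info("No KeyInfo will be generated for Signature");
            return;
        }
        try {
            signature.setKeyInfo(keyInfoGenerator.generate(credential));
        } catch (SecurityException e) {
            logger.error("Error generating KeyInfo from credential", e);
            throw e;
        }
    }

    /**
     * Build data encryption parameters for a credential. With a null
     * credential the auto-generated data key algorithm is used and no
     * KeyInfo generator is configured.
     *
     * @param credential the data encryption credential, or null to auto-generate a key
     * @param securityConfiguration the configuration to use, or null for the global one
     * @param str the named KeyInfoGenerator manager, or null/empty for the default
     * @return the parameters
     */
    public static EncryptionParameters buildDataEncryptionParams(Credential credential, SecurityConfiguration securityConfiguration, String str) {
        Logger logger = getLogger();
        SecurityConfiguration config = securityConfiguration != null ? securityConfiguration : Configuration.getGlobalSecurityConfiguration();
        EncryptionParameters params = new EncryptionParameters();
        params.setEncryptionCredential(credential);
        if (credential == null) {
            params.setAlgorithm(config.getAutoGeneratedDataEncryptionKeyAlgorithmURI());
            return params;
        }
        params.setAlgorithm(config.getDataEncryptionAlgorithmURI(credential));
        KeyInfoGenerator keyInfoGenerator = getKeyInfoGenerator(credential, config, str);
        if (keyInfoGenerator == null) {
            logger.info("No factory for named KeyInfoGenerator {} was found for credential type{}", str, credential.getCredentialType().getName());
            logger.info("No KeyInfo will be generated for EncryptedData");
        } else {
            params.setKeyInfoGenerator(keyInfoGenerator);
        }
        return params;
    }

    /**
     * Build key encryption (key transport) parameters for a credential.
     *
     * @param credential the key encryption credential; required
     * @param str the JCA algorithm of the key being wrapped, used to pick the transport algorithm
     * @param securityConfiguration the configuration to use, or null for the global one
     * @param str2 the named KeyInfoGenerator manager, or null/empty for the default
     * @param str3 the recipient identifier to record on the EncryptedKey
     * @return the parameters
     * @throws SecurityException if the credential is null
     */
    public static KeyEncryptionParameters buildKeyEncryptionParams(Credential credential, String str, SecurityConfiguration securityConfiguration, String str2, String str3) throws SecurityException {
        Logger logger = getLogger();
        if (credential == null) {
            throw new SecurityException("Key encryption credential may not be null");
        }
        SecurityConfiguration config = securityConfiguration != null ? securityConfiguration : Configuration.getGlobalSecurityConfiguration();
        KeyEncryptionParameters params = new KeyEncryptionParameters();
        params.setEncryptionCredential(credential);
        params.setAlgorithm(config.getKeyTransportEncryptionAlgorithmURI(credential, str));
        KeyInfoGenerator keyInfoGenerator = getKeyInfoGenerator(credential, config, str2);
        if (keyInfoGenerator == null) {
            logger.info("No factory for named KeyInfoGenerator {} was found for credential type {}", str2, credential.getCredentialType().getName());
            logger.info("No KeyInfo will be generated for EncryptedKey");
        } else {
            params.setKeyInfoGenerator(keyInfoGenerator);
        }
        params.setRecipient(str3);
        return params;
    }

    /**
     * Obtain a KeyInfoGenerator for a credential from the named (or default)
     * generator manager of the given or global configuration.
     *
     * @param credential the credential a KeyInfo will be generated for
     * @param securityConfiguration the configuration to use, or null for the global one
     * @param str the manager name, or null/empty for the default manager
     * @return a new generator, or null if no manager or factory applies
     */
    public static KeyInfoGenerator getKeyInfoGenerator(Credential credential, SecurityConfiguration securityConfiguration, String str) {
        SecurityConfiguration config = securityConfiguration != null ? securityConfiguration : Configuration.getGlobalSecurityConfiguration();
        NamedKeyInfoGeneratorManager manager = config.getKeyInfoGeneratorManager();
        if (manager == null) {
            return null;
        }
        KeyInfoGeneratorFactory factory;
        if (DatatypeHelper.isEmpty(str)) {
            factory = manager.getDefaultManager().getFactory(credential);
        } else {
            factory = manager.getFactory(str, credential);
        }
        return factory != null ? factory.newInstance() : null;
    }

    /** @return the logger for this class */
    private static Logger getLogger() {
        return LoggerFactory.getLogger(SecurityHelper.class);
    }

    static {
        // JCEMapper lookups require the Apache XML Security library to be initialized.
        if (!Init.isInitialized()) {
            Init.init();
        }
        Set<String> dsa = new LazySet<String>();
        dsa.add("http://www.w3.org/2000/09/xmldsig#dsa-sha1");
        dsaAlgorithmURIs = dsa;

        Set<String> ecdsa = new LazySet<String>();
        ecdsa.add("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1");
        ecdsaAlgorithmURIs = ecdsa;

        // These tables only map URI -> key type; listing rsa-md5 / *-sha1 here is
        // not an endorsement of those algorithms for new signatures.
        Set<String> rsa = new HashSet<String>(10);
        rsa.add("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
        rsa.add("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        rsa.add("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384");
        rsa.add("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
        rsa.add("http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160");
        rsa.add("http://www.w3.org/2001/04/xmldsig-more#rsa-md5");
        rsaAlgorithmURIs = rsa;
    }
}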
