package com.sun.xml.ws.security.trust.impl;

import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException;
import com.sun.org.apache.xml.internal.security.keys.KeyInfo;
import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
import com.sun.xml.ws.api.security.trust.STSAttributeProvider;
import com.sun.xml.ws.api.security.trust.STSTokenProvider;
import com.sun.xml.ws.api.security.trust.Status;
import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.trust.GenericToken;
import com.sun.xml.ws.security.trust.WSTrustElementFactory;
import com.sun.xml.ws.security.trust.WSTrustVersion;
import com.sun.xml.ws.security.trust.elements.str.SecurityTokenReference;
import com.sun.xml.ws.security.trust.logging.LogDomainConstants;
import com.sun.xml.ws.security.trust.logging.LogStringsMessages;
import com.sun.xml.ws.security.trust.util.WSTrustUtil;
import com.sun.xml.wss.WSITXMLFactory;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.saml.Advice;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.Conditions;
import com.sun.xml.wss.saml.KeyInfoConfirmationData;
import com.sun.xml.wss.saml.NameID;
import com.sun.xml.wss.saml.NameIdentifier;
import com.sun.xml.wss.saml.SAMLAssertionFactory;
import com.sun.xml.wss.saml.SAMLException;
import com.sun.xml.wss.saml.Subject;
import com.sun.xml.wss.saml.SubjectConfirmation;
import com.sun.xml.wss.saml.internal.saml20.jaxb20.SubjectType;
import com.sun.xml.wss.saml.util.SAMLUtil;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:com/sun/xml/ws/security/trust/impl/DefaultSAMLTokenProvider.class */
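/**
 * Default {@link STSTokenProvider} that issues and validates SAML 1.1 and SAML 2.0 assertions.
 *
 * <p>Issued assertions are signed with the STS certificate and private key carried in the
 * {@link IssuedTokenContext} other-properties ({@code STS_CERTIFICATE} / {@code STS_PRIVATE_KEY}).
 * Validation verifies the presented assertion's signature against that same STS certificate and
 * then its time window, so only assertions this STS issued are reported as valid.
 * Renew and cancel are not implemented.
 *
 * <p>The class keeps no instance state.
 */
public class DefaultSAMLTokenProvider implements STSTokenProvider {
    private static final Logger log = Logger.getLogger("com.sun.xml.ws.security.trust", LogDomainConstants.TRUST_IMPL_DOMAIN_BUNDLE);
    protected static final String SAML_HOLDER_OF_KEY_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    protected static final String SAML_HOLDER_OF_KEY_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
    protected static final String SAML_BEARER_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    protected static final String SAML_BEARER_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    protected static final String SAML_SENDER_VOUCHES_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";
    protected static final String SAML_SENDER_VOUCHES_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";

    // Assertion namespaces; also accepted as token-type identifiers in the issue request.
    private static final String SAML11_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String SAML20_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // WSS SAML Token Profile 1.1 token-type identifiers.
    private static final String SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML20_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    // Other-properties key under which a caller may supply a ready-made confirmation KeyInfo.
    private static final String CONFIRMATION_KEY_INFO_PROPERTY = "ConfirmationKeyInfo";
    // Reason strings reported in the WS-Trust Status of a validate response.
    private static final String VALID_REASON = "The Trust service successfully validate the input";
    private static final String INVALID_REASON = "The Trust service did not successfully validate the input";

    /**
     * Issues a signed SAML assertion for the request described by {@code issuedTokenContext} and
     * stores it, with identical attached and unattached security token references, back in the context.
     *
     * <p>Read from the context: issuer, AppliesTo, token type, key type, creation and expiration
     * time, and the other-properties entries {@code CONFIRMATION_METHOD}, {@code CLAIMED_ATTRUBUTES},
     * {@code WS_TRUST_VERSION}, {@code AUTHN_CONTEXT} (SAML 2.0 only), {@code STS_CERTIFICATE} and
     * {@code STS_PRIVATE_KEY}. The claimed-attribute map is modified: the entry used as the subject
     * name is removed from it.
     *
     * @param issuedTokenContext request/response state of the issue operation; updated in place
     * @throws WSTrustException for an unsupported token type, a lifetime that does not fit the int
     *     millisecond argument of the assertion builders, or a failure building or signing the assertion
     */
    @Override
    public void generateToken(IssuedTokenContext issuedTokenContext) throws WSTrustException {
        String issuer = issuedTokenContext.getTokenIssuer();
        String appliesTo = issuedTokenContext.getAppliesTo();
        String tokenType = issuedTokenContext.getTokenType();
        String keyType = issuedTokenContext.getKeyType();

        boolean saml11 = isSaml11TokenType(tokenType);
        boolean saml20 = !saml11 && isSaml20TokenType(tokenType);
        if (!saml11 && !saml20) {
            String message = LogStringsMessages.WST_0031_UNSUPPORTED_TOKEN_TYPE(tokenType, appliesTo);
            log.log(Level.SEVERE, message);
            throw new WSTrustException(message);
        }

        // The assertion builders add the lifetime with Calendar.add(MILLISECOND, int), so a value
        // outside the int range would silently wrap into a wrong validity window; refuse it instead.
        long lifetime = issuedTokenContext.getExpirationTime().getTime() - issuedTokenContext.getCreationTime().getTime();
        if (lifetime > Integer.MAX_VALUE || lifetime < Integer.MIN_VALUE) {
            String message = "Token lifetime of " + lifetime + " ms is outside the supported range";
            log.log(Level.SEVERE, message);
            throw new WSTrustException(message);
        }
        int lifetimeMillis = (int) lifetime;

        String confirmationMethod = (String) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.CONFIRMATION_METHOD);
        // NOTE(review): a missing CLAIMED_ATTRUBUTES entry fails with a NullPointerException inside the
        // assertion builders; the attribute provider is expected to always populate it.
        @SuppressWarnings("unchecked")
        Map<QName, List<String>> claimedAttributes = (Map<QName, List<String>>) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.CLAIMED_ATTRUBUTES);
        WSTrustVersion wstVersion = (WSTrustVersion) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.WS_TRUST_VERSION);
        KeyInfo keyInfo = createKeyInfo(issuedTokenContext);
        String assertionId = "uuid-" + UUID.randomUUID();

        Assertion assertion;
        SecurityTokenReference tokenReference;
        if (saml11) {
            assertion = createSAML11Assertion(wstVersion, lifetimeMillis, confirmationMethod, assertionId, issuer, appliesTo, keyInfo, claimedAttributes, keyType);
            tokenReference = WSTrustUtil.createSecurityTokenReference(assertionId, MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE);
        } else {
            String authnContext = (String) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.AUTHN_CONTEXT);
            assertion = createSAML20Assertion(wstVersion, lifetimeMillis, confirmationMethod, assertionId, issuer, appliesTo, keyInfo, claimedAttributes, keyType, authnContext);
            tokenReference = WSTrustUtil.createSecurityTokenReference(assertionId, MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE);
            tokenReference.setTokenType(SAML20_TOKEN_TYPE);
        }

        X509Certificate stsCertificate = (X509Certificate) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.STS_CERTIFICATE);
        PrivateKey stsPrivateKey = (PrivateKey) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.STS_PRIVATE_KEY);
        try {
            // Sign with the STS key using the algorithms negotiated for this request; the signed
            // form is what the requestor receives.
            issuedTokenContext.setSecurityToken(new GenericToken(assertion.sign(stsCertificate, stsPrivateKey, true,
                    issuedTokenContext.getSignatureAlgorithm(), issuedTokenContext.getCanonicalizationAlgorithm())));
            issuedTokenContext.setAttachedSecurityTokenReference(tokenReference);
            issuedTokenContext.setUnAttachedSecurityTokenReference(tokenReference);
        } catch (SAMLException e) {
            throw assertionCreationFailure(e);
        }
    }

    /**
     * Validates the target token of a WS-Trust validate request and records a {@link Status} under
     * {@code IssuedTokenContext.STATUS}.
     *
     * <p>The token is valid only if it is a SAML 1.1/2.0 assertion whose signature verifies against
     * this STS's own certificate ({@code STS_CERTIFICATE}) and whose Conditions time window holds.
     * A non-assertion yields an invalid status without any signature check.
     *
     * @param issuedTokenContext validate request state; its other-properties receive the status
     * @throws WSTrustException if signature or time-condition checking fails with an error
     */
    @Override
    public void isValideToken(IssuedTokenContext issuedTokenContext) throws WSTrustException {
        WSTrustVersion wstVersion = (WSTrustVersion) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.WS_TRUST_VERSION);
        WSTrustElementFactory elementFactory = WSTrustElementFactory.newInstance(wstVersion);
        Element token = elementFactory.toElement(issuedTokenContext.getTarget().getTokenValue());

        boolean valid = isSAMLAssertion(token);
        try {
            if (valid) {
                // Signature first, and only against our own certificate: an assertion from any
                // other issuer, or an unsigned one, never reaches the time check.
                X509Certificate stsCertificate = (X509Certificate) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.STS_CERTIFICATE);
                SAMLUtil.verifySignature(token, stsCertificate.getPublicKey());
                valid = SAMLUtil.validateTimeInConditionsStatement(token);
            }
            String statusCode = valid ? wstVersion.getValidStatusCodeURI() : wstVersion.getInvalidStatusCodeURI();
            Status status = elementFactory.createStatus(statusCode, valid ? VALID_REASON : INVALID_REASON);
            issuedTokenContext.getOtherProperties().put(IssuedTokenContext.STATUS, status);
        } catch (XWSSecurityException e) {
            // Keep the cause: a failed verification is the event an operator needs to see in full.
            log.log(Level.SEVERE, e.getMessage(), e);
            throw new WSTrustException(e.getMessage(), e);
        }
    }

    /**
     * Not implemented.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void renewToken(IssuedTokenContext issuedTokenContext) throws WSTrustException {
        throw new UnsupportedOperationException("Not supported yet.");
    }

    /**
     * Not implemented.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void invalidateToken(IssuedTokenContext issuedTokenContext) throws WSTrustException {
        throw new UnsupportedOperationException("Not supported yet.");
    }

    /**
     * Builds an unsigned SAML 1.1 assertion.
     *
     * <p>Subject confirmation: a bearer key type forces {@link #SAML_BEARER_1_0} and attaches no
     * key; otherwise the requested method (default {@link #SAML_HOLDER_OF_KEY_1_0}) is used and
     * {@code keyInfo}, when non-null, becomes the confirmation key. The subject name is taken from the
     * {@code ActAs} claim when present, else from the {@code NAME_IDENTIFIER} claim, and that entry is
     * removed from {@code claimedAttributes}; any remaining attributes go into an AttributeStatement,
     * an empty map yields an AuthenticationStatement instead.
     *
     * @param wstVersion WS-Trust version, used for the bearer key-type URI
     * @param lifetimeMillis validity period added to the UTC issue instant
     * @param confirmationMethod requested confirmation method, or {@code null} for holder-of-key
     * @param assertionId assertion identifier
     * @param issuer assertion issuer
     * @param appliesTo audience; {@code null} adds no AudienceRestrictionCondition
     * @param keyInfo confirmation key, ignored for bearer tokens
     * @param claimedAttributes attributes from the attribute provider; modified, must not be null
     * @param keyType requested key type URI
     * @return the assertion, with attributes added when any remained
     * @throws WSTrustException wrapping any factory failure
     */
    protected Assertion createSAML11Assertion(WSTrustVersion wstVersion, int lifetimeMillis, String confirmationMethod, String assertionId, String issuer, String appliesTo, KeyInfo keyInfo, Map<QName, List<String>> claimedAttributes, String keyType) throws WSTrustException {
        try {
            SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML1_1);
            GregorianCalendar notBefore = nowUtc();
            GregorianCalendar notOnOrAfter = plusMillis(notBefore, lifetimeMillis);

            List<Object> audienceConditions = null;
            if (appliesTo != null) {
                audienceConditions = new ArrayList<>();
                audienceConditions.add(factory.createAudienceRestrictionCondition(mutableListOf(appliesTo)));
            }

            boolean bearer = wstVersion.getBearerKeyTypeURI().equals(keyType);
            String method = bearer ? SAML_BEARER_1_0 : (confirmationMethod != null ? confirmationMethod : SAML_HOLDER_OF_KEY_1_0);
            Element confirmationKey = (!bearer && keyInfo != null) ? keyInfo.getElement() : null;
            SubjectConfirmation subjectConfirmation = factory.createSubjectConfirmation(mutableListOf(method), (Element) null, confirmationKey);
            Conditions conditions = factory.createConditions(notBefore, notOnOrAfter, null, audienceConditions, null);
            Advice advice = factory.createAdvice(null, null, null);

            Map.Entry<QName, List<String>> subjectName = subjectNameEntry(claimedAttributes);
            String subjectId = subjectName == null ? null : firstValue(subjectName.getValue());
            NameIdentifier nameIdentifier = null;
            if (subjectId != null) {
                nameIdentifier = factory.createNameIdentifier(subjectId, subjectName.getKey().getNamespaceURI(), null);
                // Consumed as the subject; it must not also be emitted as a plain attribute.
                claimedAttributes.remove(subjectName.getKey());
            }
            Subject subject = factory.createSubject(nameIdentifier, subjectConfirmation);

            List<Object> statements = new ArrayList<>();
            if (claimedAttributes.isEmpty()) {
                statements.add(factory.createAuthenticationStatement(null, notBefore, subject, null, null));
            } else {
                statements.add(factory.createAttributeStatement(subject, null));
            }
            Assertion assertion = factory.createAssertion(assertionId, issuer, notBefore, conditions, advice, statements);
            if (!claimedAttributes.isEmpty()) {
                assertion = WSTrustUtil.addSamlAttributes(assertion, claimedAttributes);
            }
            return assertion;
        } catch (XWSSecurityException e) {
            throw assertionCreationFailure(e);
        } catch (SAMLException e) {
            throw assertionCreationFailure(e);
        }
    }

    /**
     * Builds an unsigned SAML 2.0 assertion.
     *
     * <p>Same confirmation and subject-name rules as {@link #createSAML11Assertion}, with the 2.0
     * method URIs; the confirmation key is carried as KeyInfoConfirmationData. An empty attribute
     * map yields an AuthnStatement with the given authentication context, otherwise an
     * AttributeStatement. The subject is set on the JAXB-backed assertion after the attributes
     * have been added.
     *
     * @param wstVersion WS-Trust version, used for the bearer key-type URI
     * @param lifetimeMillis validity period added to the UTC issue instant
     * @param confirmationMethod requested confirmation method, or {@code null} for holder-of-key
     * @param assertionId assertion identifier
     * @param issuer assertion issuer, emitted as a NameID
     * @param appliesTo audience; {@code null} adds no AudienceRestriction
     * @param keyInfo confirmation key, ignored for bearer tokens
     * @param claimedAttributes attributes from the attribute provider; modified, must not be null
     * @param keyType requested key type URI
     * @param authnContext authentication context class for the AuthnStatement
     * @return the assertion, with attributes added when any remained
     * @throws WSTrustException wrapping any factory failure
     */
    protected Assertion createSAML20Assertion(WSTrustVersion wstVersion, int lifetimeMillis, String confirmationMethod, String assertionId, String issuer, String appliesTo, KeyInfo keyInfo, Map<QName, List<String>> claimedAttributes, String keyType, String authnContext) throws WSTrustException {
        try {
            SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0);
            GregorianCalendar notBefore = nowUtc();
            GregorianCalendar notOnOrAfter = plusMillis(notBefore, lifetimeMillis);

            List<Object> audienceRestrictions = null;
            if (appliesTo != null) {
                audienceRestrictions = new ArrayList<>();
                audienceRestrictions.add(factory.createAudienceRestriction(mutableListOf(appliesTo)));
            }

            boolean bearer = wstVersion.getBearerKeyTypeURI().equals(keyType);
            String method = bearer ? SAML_BEARER_2_0 : (confirmationMethod != null ? confirmationMethod : SAML_HOLDER_OF_KEY_2_0);
            KeyInfoConfirmationData confirmationData = null;
            if (!bearer && keyInfo != null) {
                confirmationData = factory.createKeyInfoConfirmationData(keyInfo.getElement());
            }
            Conditions conditions = factory.createConditions(notBefore, notOnOrAfter, null, audienceRestrictions, null, null);
            SubjectConfirmation subjectConfirmation = factory.createSubjectConfirmation((NameID) null, confirmationData, method);

            Map.Entry<QName, List<String>> subjectName = subjectNameEntry(claimedAttributes);
            String subjectId = subjectName == null ? null : firstValue(subjectName.getValue());
            NameID nameId = null;
            if (subjectId != null) {
                nameId = factory.createNameID(subjectId, subjectName.getKey().getNamespaceURI(), null);
                // Consumed as the subject; it must not also be emitted as a plain attribute.
                claimedAttributes.remove(subjectName.getKey());
            }
            // Typed as Object: the factory's result is cast to the JAXB SubjectType below.
            Object subject = factory.createSubject(nameId, subjectConfirmation);

            List<Object> statements = new ArrayList<>();
            if (claimedAttributes.isEmpty()) {
                statements.add(factory.createAuthnStatement(notBefore, null, factory.createAuthnContext(authnContext, null), null, null));
            } else {
                statements.add(factory.createAttributeStatement(null));
            }
            Assertion assertion = factory.createAssertion(assertionId, factory.createNameID(issuer, null, null), notBefore, conditions, (Advice) null, (Subject) null, statements);
            if (!claimedAttributes.isEmpty()) {
                assertion = WSTrustUtil.addSamlAttributes(assertion, claimedAttributes);
            }
            ((com.sun.xml.wss.saml.assertion.saml20.jaxb20.Assertion) assertion).setSubject((SubjectType) subject);
            return assertion;
        } catch (XWSSecurityException e) {
            throw assertionCreationFailure(e);
        } catch (SAMLException e) {
            throw assertionCreationFailure(e);
        }
    }

    /**
     * Builds the ds:KeyInfo that confirms the subject of an issued assertion.
     *
     * <p>Order of precedence: a caller-supplied {@code ConfirmationKeyInfo} element is wrapped as-is
     * when it is itself a KeyInfo, or embedded as an unknown child otherwise; else, for a symmetric
     * key type the proof key is encrypted for the target service certificate, for a public key type
     * the requestor's certificate is embedded, and any other key type yields an empty KeyInfo.
     *
     * @param issuedTokenContext issue request state
     * @return the KeyInfo, never null
     * @throws WSTrustException if the element cannot be wrapped, the proof key cannot be
     *     encrypted, the requestor certificate cannot be added, or no DOM document can be created
     */
    private KeyInfo createKeyInfo(IssuedTokenContext issuedTokenContext) throws WSTrustException {
        Element suppliedKeyInfo = (Element) issuedTokenContext.getOtherProperties().get(CONFIRMATION_KEY_INFO_PROPERTY);
        if (suppliedKeyInfo != null && "KeyInfo".equals(suppliedKeyInfo.getLocalName())) {
            try {
                return new KeyInfo(suppliedKeyInfo, null);
            } catch (XMLSecurityException e) {
                throw clientCertificateFailure(e);
            }
        }

        Document document;
        try {
            // Only an empty Document is created here; nothing is parsed, so the factory's
            // secure-processing setting does not affect DTD or entity handling on this path.
            document = WSITXMLFactory.createDocumentBuilderFactory(WSITXMLFactory.DISABLE_SECURE_PROCESSING).newDocumentBuilder().newDocument();
        } catch (ParserConfigurationException e) {
            String message = LogStringsMessages.WST_0039_ERROR_CREATING_DOCFACTORY();
            log.log(Level.SEVERE, message, e);
            throw new WSTrustException(message, e);
        }

        KeyInfo keyInfo = new KeyInfo(document);
        if (suppliedKeyInfo != null) {
            keyInfo.addUnknownElement(suppliedKeyInfo);
            return keyInfo;
        }

        String keyType = issuedTokenContext.getKeyType();
        WSTrustVersion wstVersion = (WSTrustVersion) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.WS_TRUST_VERSION);
        if (wstVersion.getSymmetricKeyTypeURI().equals(keyType)) {
            String appliesTo = issuedTokenContext.getAppliesTo();
            X509Certificate serviceCertificate = (X509Certificate) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.TARGET_SERVICE_CERTIFICATE);
            try {
                // The proof key is wrapped for the target service so that only the service can
                // recover it from the issued token.
                keyInfo.add(WSTrustUtil.encryptKey(document, issuedTokenContext.getProofKey(), serviceCertificate, null));
            } catch (Exception e) {
                // encryptKey's declared exceptions are not narrower than Exception from here.
                String message = LogStringsMessages.WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo);
                log.log(Level.SEVERE, message, e);
                throw new WSTrustException(message, e);
            }
        } else if (wstVersion.getPublicKeyTypeURI().equals(keyType)) {
            X509Data x509Data = new X509Data(document);
            try {
                x509Data.addCertificate(issuedTokenContext.getRequestorCertificate());
                keyInfo.add(x509Data);
            } catch (XMLSecurityException e) {
                throw clientCertificateFailure(e);
            }
        }
        return keyInfo;
    }

    /**
     * Tells whether {@code element} is a SAML 1.1 or SAML 2.0 Assertion element.
     *
     * @param element DOM element to inspect; {@code null} or a non-namespaced element is not an assertion
     * @return {@code true} for a {@code saml:Assertion} in either SAML namespace
     */
    private boolean isSAMLAssertion(Element element) {
        if (element == null || !MessageConstants.SAML_ASSERTION_LNAME.equals(element.getLocalName())) {
            return false;
        }
        String namespace = element.getNamespaceURI();
        return SAML11_ASSERTION_NS.equals(namespace) || SAML20_ASSERTION_NS.equals(namespace);
    }

    /** True for the SAML 1.1 assertion namespace or the WSS 1.1 SAMLV1.1 token type. */
    private static boolean isSaml11TokenType(String tokenType) {
        return SAML11_ASSERTION_NS.equals(tokenType) || SAML11_TOKEN_TYPE.equals(tokenType);
    }

    /** True for the SAML 2.0 assertion namespace or the WSS 1.1 SAMLV2.0 token type. */
    private static boolean isSaml20TokenType(String tokenType) {
        return SAML20_ASSERTION_NS.equals(tokenType) || SAML20_TOKEN_TYPE.equals(tokenType);
    }

    /** Current instant in UTC, the issue time of an assertion. */
    private static GregorianCalendar nowUtc() {
        return new GregorianCalendar(TimeZone.getTimeZone("UTC"));
    }

    /** Copy of {@code base} shifted by {@code millis}; derived from the same instant as the issue time. */
    private static GregorianCalendar plusMillis(GregorianCalendar base, int millis) {
        GregorianCalendar shifted = (GregorianCalendar) base.clone();
        shifted.add(Calendar.MILLISECOND, millis);
        return shifted;
    }

    /** Mutable single-element list, as the SAML factories are handed lists they may keep. */
    private static List<String> mutableListOf(String value) {
        List<String> values = new ArrayList<>();
        values.add(value);
        return values;
    }

    /** First element of {@code values}, or {@code null} when the list is empty. */
    private static String firstValue(List<String> values) {
        return values.isEmpty() ? null : values.get(0);
    }

    /**
     * Picks the claimed-attribute entry that names the assertion subject.
     *
     * <p>An {@code ActAs} entry with a non-null value wins regardless of map order (it names the
     * identity the token is issued for); otherwise the {@code NAME_IDENTIFIER} entry is used.
     *
     * @param claimedAttributes attributes from the attribute provider; must not be null
     * @return the chosen entry, or {@code null} when neither claim is present
     */
    private static Map.Entry<QName, List<String>> subjectNameEntry(Map<QName, List<String>> claimedAttributes) {
        Map.Entry<QName, List<String>> nameIdentifierEntry = null;
        for (Map.Entry<QName, List<String>> entry : claimedAttributes.entrySet()) {
            if (entry.getValue() == null) {
                continue;
            }
            String localPart = entry.getKey().getLocalPart();
            if (STSIssuedTokenConfiguration.ACT_AS.equals(localPart)) {
                return entry;
            }
            if (STSAttributeProvider.NAME_IDENTIFIER.equals(localPart)) {
                nameIdentifierEntry = entry;
            }
        }
        return nameIdentifierEntry;
    }

    /** Logs WST_0032 with its cause and returns the exception to throw for it. */
    private static WSTrustException assertionCreationFailure(Exception cause) {
        String message = LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION();
        log.log(Level.SEVERE, message, cause);
        return new WSTrustException(message, cause);
    }

    /** Logs WST_0034 with its cause and returns the exception to throw for it. */
    private static WSTrustException clientCertificateFailure(XMLSecurityException cause) {
        String message = LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT();
        log.log(Level.SEVERE, message, cause);
        return new WSTrustException(message, cause);
    }
}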
