package org.apache.wss4j.common.saml;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.builder.SAML1ComponentBuilder;
import org.apache.wss4j.common.saml.builder.SAML2ComponentBuilder;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.common.util.InetAddressUtils;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.apache.xml.security.utils.XMLUtils;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SAMLObjectContentReference;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.AttributeStatement;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml.saml1.core.AuthenticationStatement;
import org.opensaml.saml.saml1.core.AuthorizationDecisionStatement;
import org.opensaml.saml.saml1.core.Conditions;
import org.opensaml.saml.saml1.core.ConfirmationMethod;
import org.opensaml.saml.saml1.core.Statement;
import org.opensaml.saml.saml1.core.SubjectConfirmation;
import org.opensaml.saml.saml1.core.SubjectStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.crypto.JCAConstants;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.opensaml.xmlsec.signature.support.SignerProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/wss4j/common/saml/SamlAssertionWrapper.class */
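/**
 * Wraps a SAML 1.1 or SAML 2.0 {@code Assertion} built by OpenSAML and exposes the operations
 * WSS4J needs on it: DOM conversion, signing, signature verification, subject / key-info
 * extraction and validation of the time, audience and authentication-statement conditions.
 *
 * <p>Instances are not thread-safe: several methods lazily populate or replace
 * {@code samlObject}, {@code assertionElement}, {@code samlVersion} and the key-info fields.
 *
 * <p>The signing defaults are exclusive C14N with RSA-SHA1 and a SHA-1 digest. They are kept
 * for backward compatibility only; callers that need SHA-2 algorithms must pass them through
 * {@link #signAssertion(String, String, Crypto, boolean, String, String, String)}.
 */
public class SamlAssertionWrapper {
    private static final Logger LOG = LoggerFactory.getLogger(SamlAssertionWrapper.class);

    /** Default canonicalization algorithm: exclusive XML canonicalization. */
    private static final String DEFAULT_C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";
    /** Default signature algorithm for RSA keys (SHA-1 based; kept for compatibility). */
    private static final String DEFAULT_RSA_SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    /** Signature algorithm substituted automatically when the signing key is DSA. */
    private static final String DEFAULT_DSA_SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    /** Signature algorithm substituted automatically when the signing key is EC. */
    private static final String DEFAULT_ECDSA_SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1";
    /** Default digest algorithm for the assertion reference (SHA-1; kept for compatibility). */
    private static final String DEFAULT_DIGEST_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#sha1";

    // A SAML 1.1 or SAML 2.0 Assertion; stays null if parsing met an unexpected element type.
    private SAMLObject samlObject;
    // Version matching samlObject; recomputed lazily by getSamlVersion() when null.
    private SAMLVersion samlVersion;
    // DOM the assertion was parsed from, or the DOM last produced by toDOM().
    private Element assertionElement;
    // Key material extracted from the Subject by parseSubject().
    private SAMLKeyInfo subjectKeyInfo;
    // Key material the signature was last verified against in verifySignature(SAMLKeyInfo).
    private SAMLKeyInfo signatureKeyInfo;
    // True when the wrapper was created from a DOM Element rather than built by OpenSAML.
    private final boolean fromDOM;

    /**
     * Wraps an assertion parsed from an existing DOM element.
     *
     * @param element the {@code saml:Assertion} element
     * @throws WSSecurityException if the element cannot be unmarshalled
     */
    public SamlAssertionWrapper(Element element) throws WSSecurityException {
        OpenSAMLUtil.initSamlEngine();
        parseElement(element);
        this.fromDOM = true;
    }

    /**
     * Wraps an already-built OpenSAML assertion object.
     *
     * @param samlObject a SAML 1.1 or SAML 2.0 {@code Assertion}
     * @throws WSSecurityException if the object is neither kind of assertion (including null)
     */
    public SamlAssertionWrapper(SAMLObject samlObject) throws WSSecurityException {
        OpenSAMLUtil.initSamlEngine();
        this.samlObject = samlObject;
        if (samlObject instanceof Assertion) {
            this.samlVersion = SAMLVersion.VERSION_11;
        } else if (samlObject instanceof org.opensaml.saml.saml2.core.Assertion) {
            this.samlVersion = SAMLVersion.VERSION_20;
        } else {
            LOG.error("SamlAssertionWrapper: found unexpected type "
                + (samlObject != null ? samlObject.getClass().getName() : null));
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty",
                new Object[]{"A SAML 2.0 or 1.1 Assertion can only be used with SamlAssertionWrapper"});
        }
        this.fromDOM = false;
    }

    /**
     * Builds the assertion from a callback: an existing element on the callback is parsed as-is,
     * otherwise a new assertion is assembled from the callback's statement and condition data.
     *
     * @param samlCallback the populated callback
     * @throws WSSecurityException if parsing or building fails
     */
    public SamlAssertionWrapper(SAMLCallback samlCallback) throws WSSecurityException {
        OpenSAMLUtil.initSamlEngine();
        if (samlCallback.getAssertionElement() != null) {
            parseElement(samlCallback.getAssertionElement());
            this.fromDOM = true;
        } else {
            parseCallback(samlCallback);
            this.fromDOM = false;
        }
    }

    /** @return the wrapped SAML 1.1 assertion, or null if this is not a SAML 1.1 assertion */
    public Assertion getSaml1() {
        return this.samlVersion == SAMLVersion.VERSION_11 ? (Assertion) this.samlObject : null;
    }

    /** @return the wrapped SAML 2.0 assertion, or null if this is not a SAML 2.0 assertion */
    public org.opensaml.saml.saml2.core.Assertion getSaml2() {
        return this.samlVersion == SAMLVersion.VERSION_20
            ? (org.opensaml.saml.saml2.core.Assertion) this.samlObject : null;
    }

    /** @return whether an assertion object has been parsed or built */
    public boolean isCreated() {
        return this.samlObject != null;
    }

    /**
     * Returns the assertion as a DOM element.
     *
     * <p>A wrapper created from OpenSAML objects (or one whose cached element was dropped) is
     * marshalled into {@code document}; a wrapper created from DOM is re-parsed from its cached
     * element and a deep copy imported into {@code document} is returned.
     *
     * @param document the target document, or null to return the cached element itself
     * @return the assertion element
     * @throws WSSecurityException on marshalling or parsing failure
     */
    public Element toDOM(Document document) throws WSSecurityException {
        if (!this.fromDOM || this.assertionElement == null) {
            this.assertionElement = OpenSAMLUtil.toDom(this.samlObject, document);
            return this.assertionElement;
        }
        // Re-parse so samlObject reflects the cached DOM before handing a copy to the caller.
        parseElement(this.assertionElement);
        return document != null
            ? (Element) document.importNode(this.assertionElement, true)
            : this.assertionElement;
    }

    /**
     * @return the assertion serialized as an XML string
     * @throws WSSecurityException if the assertion has to be marshalled first and that fails
     */
    public String assertionToString() throws WSSecurityException {
        Element element = this.assertionElement != null ? this.assertionElement : toDOM(null);
        return DOM2Writer.nodeToString(element);
    }

    /**
     * @return the {@code NotBefore} condition, or null if the assertion has no Conditions or
     *         no NotBefore
     * @throws IllegalStateException if the SAML version cannot be determined
     */
    public Instant getNotBefore() {
        DateTime notBefore = null;
        if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            org.opensaml.saml.saml2.core.Conditions conditions = getSaml2().getConditions();
            if (conditions != null) {
                notBefore = conditions.getNotBefore();
            }
        } else {
            Conditions conditions = getSaml1().getConditions();
            if (conditions != null) {
                notBefore = conditions.getNotBefore();
            }
        }
        return toInstant(notBefore);
    }

    /**
     * @return the {@code NotOnOrAfter} condition, or null if the assertion has no Conditions or
     *         no NotOnOrAfter
     * @throws IllegalStateException if the SAML version cannot be determined
     */
    public Instant getNotOnOrAfter() {
        DateTime notOnOrAfter = null;
        if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            org.opensaml.saml.saml2.core.Conditions conditions = getSaml2().getConditions();
            if (conditions != null) {
                notOnOrAfter = conditions.getNotOnOrAfter();
            }
        } else {
            Conditions conditions = getSaml1().getConditions();
            if (conditions != null) {
                notOnOrAfter = conditions.getNotOnOrAfter();
            }
        }
        return toInstant(notOnOrAfter);
    }

    // Joda DateTime -> java.time.Instant, passing null through.
    private static Instant toInstant(DateTime dateTime) {
        return dateTime != null ? dateTime.toDate().toInstant() : null;
    }

    /**
     * Returns the assertion ID, generating and storing a fresh one if the assertion has none.
     *
     * @return the ID, or null if no assertion object is present
     */
    public String getId() {
        String id = null;
        if (this.samlVersion == SAMLVersion.VERSION_20) {
            org.opensaml.saml.saml2.core.Assertion assertion =
                (org.opensaml.saml.saml2.core.Assertion) this.samlObject;
            id = assertion.getID();
            if (id == null || id.isEmpty()) {
                LOG.error("SamlAssertionWrapper: ID was null, setting a new ID value");
                id = IDGenerator.generateID("_");
                assertion.setID(id);
            }
        } else if (this.samlVersion == SAMLVersion.VERSION_11) {
            Assertion assertion = (Assertion) this.samlObject;
            id = assertion.getID();
            if (id == null || id.isEmpty()) {
                LOG.error("SamlAssertionWrapper: ID was null, setting a new ID value");
                id = IDGenerator.generateID("_");
                assertion.setID(id);
            }
        } else {
            LOG.error("SamlAssertionWrapper: unable to return ID - no saml assertion object");
        }
        return id;
    }

    /** @return the issuer name, or null if there is no assertion object or no issuer */
    public String getIssuerString() {
        if (this.samlVersion == SAMLVersion.VERSION_20) {
            Issuer issuer = ((org.opensaml.saml.saml2.core.Assertion) this.samlObject).getIssuer();
            if (issuer != null) {
                return issuer.getValue();
            }
        } else if (this.samlVersion == SAMLVersion.VERSION_11) {
            String issuer = ((Assertion) this.samlObject).getIssuer();
            if (issuer != null) {
                return issuer;
            }
        }
        LOG.error("SamlAssertionWrapper: unable to return Issuer string - no saml assertion object or issuer is null");
        return null;
    }

    /**
     * Returns the subject name: the SAML 2.0 {@code NameID} value, or for SAML 1.1 the
     * {@code NameIdentifier} of the first statement that carries a Subject.
     *
     * @return the subject name, or null if none is present
     */
    public String getSubjectName() {
        if (this.samlVersion == SAMLVersion.VERSION_20) {
            Subject subject = ((org.opensaml.saml.saml2.core.Assertion) this.samlObject).getSubject();
            if (subject != null && subject.getNameID() != null) {
                return subject.getNameID().getValue();
            }
        } else if (this.samlVersion == SAMLVersion.VERSION_11) {
            org.opensaml.saml.saml1.core.Subject subject = null;
            for (Statement statement : ((Assertion) this.samlObject).getStatements()) {
                // Attribute, Authentication and AuthorizationDecision statements are all
                // SubjectStatements; other statement types simply carry no subject.
                if (statement instanceof SubjectStatement) {
                    subject = ((SubjectStatement) statement).getSubject();
                }
                if (subject != null) {
                    break;
                }
            }
            if (subject != null && subject.getNameIdentifier() != null) {
                return subject.getNameIdentifier().getValue();
            }
        }
        LOG.error("SamlAssertionWrapper: unable to return SubjectName - no saml assertion object or subject is null");
        return null;
    }

    /**
     * Collects the subject confirmation method URIs of the assertion.
     *
     * <p>For SAML 2.0 these are the {@code Method} attributes of every SubjectConfirmation;
     * for SAML 1.1 they are the ConfirmationMethod children (and a ConfirmationMethod used as
     * SubjectConfirmationData) of every statement that carries a Subject.
     *
     * @return the method URIs in document order; empty if there are none
     */
    public List<String> getConfirmationMethods() {
        List<String> methods = new ArrayList<>();
        if (this.samlVersion == SAMLVersion.VERSION_20) {
            Subject subject = ((org.opensaml.saml.saml2.core.Assertion) this.samlObject).getSubject();
            if (subject != null) {
                for (org.opensaml.saml.saml2.core.SubjectConfirmation confirmation
                        : subject.getSubjectConfirmations()) {
                    methods.add(confirmation.getMethod());
                }
            }
        } else if (this.samlVersion == SAMLVersion.VERSION_11) {
            Assertion assertion = (Assertion) this.samlObject;
            List<SubjectStatement> statements = new ArrayList<>();
            statements.addAll(assertion.getSubjectStatements());
            statements.addAll(assertion.getAuthenticationStatements());
            statements.addAll(assertion.getAttributeStatements());
            statements.addAll(assertion.getAuthorizationDecisionStatements());
            for (SubjectStatement statement : statements) {
                org.opensaml.saml.saml1.core.Subject subject = statement.getSubject();
                if (subject == null) {
                    continue;
                }
                SubjectConfirmation confirmation = subject.getSubjectConfirmation();
                if (confirmation == null) {
                    continue;
                }
                XMLObject confirmationData = confirmation.getSubjectConfirmationData();
                if (confirmationData instanceof ConfirmationMethod) {
                    methods.add(((ConfirmationMethod) confirmationData).getConfirmationMethod());
                }
                for (ConfirmationMethod method : confirmation.getConfirmationMethods()) {
                    methods.add(method.getConfirmationMethod());
                }
            }
        }
        return methods;
    }

    /**
     * @return whether the assertion carries a Signature element. This says nothing about whether
     *         that signature has been verified; see {@link #verifySignature(SAMLKeyInfo)}.
     */
    public boolean isSigned() {
        if (!(this.samlObject instanceof SignableSAMLObject)) {
            return false;
        }
        SignableSAMLObject signable = (SignableSAMLObject) this.samlObject;
        return signable.isSigned() || signable.getSignature() != null;
    }

    /**
     * Attaches a signature using the default (SHA-1) digest algorithm.
     *
     * @param signature the prepared signature
     */
    public void setSignature(Signature signature) {
        setSignature(signature, DEFAULT_DIGEST_ALGORITHM);
    }

    /**
     * Attaches a signature to the assertion and sets the digest algorithm on its content
     * reference. Any cached DOM is released so the next marshalling includes the signature.
     *
     * @param signature the prepared signature
     * @param signatureDigestAlgorithm digest algorithm URI; null selects the SHA-1 default
     */
    public void setSignature(Signature signature, String signatureDigestAlgorithm) {
        if (!(this.samlObject instanceof SignableSAMLObject)) {
            LOG.error("Attempt to sign an unsignable object "
                + (this.samlObject != null ? this.samlObject.getClass().getName() : null));
            return;
        }
        SignableSAMLObject signable = (SignableSAMLObject) this.samlObject;
        signable.setSignature(signature);
        String digestAlgo = signatureDigestAlgorithm != null ? signatureDigestAlgorithm : DEFAULT_DIGEST_ALGORITHM;
        // The content reference for the assertion itself is expected at index 0 once the
        // signature has been attached to the signable object.
        ((SAMLObjectContentReference) signature.getContentReferences().get(0)).setDigestAlgorithm(digestAlgo);
        signable.releaseDOM();
        signable.releaseChildrenDOM(true);
    }

    /**
     * Signs the assertion with the default algorithms (exclusive C14N, RSA-SHA1, SHA-1 digest).
     *
     * @see #signAssertion(String, String, Crypto, boolean, String, String, String)
     */
    public void signAssertion(String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto,
                              boolean sendKeyValue) throws WSSecurityException {
        signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto, sendKeyValue,
            DEFAULT_C14N_ALGORITHM, DEFAULT_RSA_SIGNATURE_ALGORITHM, DEFAULT_DIGEST_ALGORITHM);
    }

    /**
     * Signs the assertion with the given canonicalization and signature algorithms and the
     * default (SHA-1) digest algorithm.
     *
     * @see #signAssertion(String, String, Crypto, boolean, String, String, String)
     */
    public void signAssertion(String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto,
                              boolean sendKeyValue, String canonicalizationAlgorithm,
                              String signatureAlgorithm) throws WSSecurityException {
        signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto, sendKeyValue,
            canonicalizationAlgorithm, signatureAlgorithm, DEFAULT_DIGEST_ALGORITHM);
    }

    /**
     * Signs the assertion with the issuer's key obtained from {@code issuerCrypto}.
     *
     * <p>The signature algorithm is chosen from the issuer key type: for DSA and EC keys the
     * SHA-1 based DSA / ECDSA URI replaces whatever {@code signatureAlgorithm} the caller
     * supplied, so a requested ECDSA-SHA256 is downgraded to ECDSA-SHA1 here. Only RSA keys use
     * the caller's algorithm unchanged.
     *
     * @param issuerKeyName alias of the issuer key in {@code issuerCrypto}
     * @param issuerKeyPassword password protecting the private key
     * @param issuerCrypto the key store to read certificate and private key from
     * @param sendKeyValue true to emit a KeyValue in the KeyInfo, false to emit the certificate
     * @param canonicalizationAlgorithm C14N algorithm URI; null selects exclusive C14N
     * @param signatureAlgorithm signature algorithm URI; null selects RSA-SHA1
     * @param signatureDigestAlgorithm digest algorithm URI; null selects SHA-1
     * @throws WSSecurityException if no certificate or private key is found for the alias, or
     *         KeyInfo generation / signing fails
     */
    public void signAssertion(String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto,
                              boolean sendKeyValue, String canonicalizationAlgorithm,
                              String signatureAlgorithm, String signatureDigestAlgorithm)
            throws WSSecurityException {
        Signature signature = OpenSAMLUtil.buildSignature();

        String c14nAlgo = canonicalizationAlgorithm != null ? canonicalizationAlgorithm : DEFAULT_C14N_ALGORITHM;
        signature.setCanonicalizationAlgorithm(c14nAlgo);
        LOG.debug("Using Canonicalization algorithm {}", c14nAlgo);

        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(issuerKeyName);
        X509Certificate[] issuerCerts = issuerCrypto != null ? issuerCrypto.getX509Certificates(cryptoType) : null;
        if (issuerCerts == null || issuerCerts.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty",
                new Object[]{"No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName});
        }

        String sigAlgo = signatureAlgorithm != null ? signatureAlgorithm : DEFAULT_RSA_SIGNATURE_ALGORITHM;
        String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
        LOG.debug("automatic sig algo detection: {}", pubKeyAlgo);
        // Key-type detection overrides the caller's choice for DSA/EC (see class Javadoc).
        if (pubKeyAlgo.equalsIgnoreCase(JCAConstants.KEY_ALGO_DSA)) {
            sigAlgo = DEFAULT_DSA_SIGNATURE_ALGORITHM;
        } else if (pubKeyAlgo.equalsIgnoreCase(JCAConstants.KEY_ALGO_EC)) {
            sigAlgo = DEFAULT_ECDSA_SIGNATURE_ALGORITHM;
        }
        LOG.debug("Using Signature algorithm {}", sigAlgo);

        try {
            PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
            if (privateKey == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty",
                    new Object[]{"No private key was found using issuer name: " + issuerKeyName});
            }
            signature.setSignatureAlgorithm(sigAlgo);
            BasicX509Credential signingCredential = new BasicX509Credential(issuerCerts[0], privateKey);
            signature.setSigningCredential(signingCredential);

            X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
            if (sendKeyValue) {
                keyInfoFactory.setEmitPublicKeyValue(true);
            } else {
                keyInfoFactory.setEmitEntityCertificate(true);
            }
            try {
                signature.setKeyInfo(keyInfoFactory.newInstance().generate(signingCredential));
            } catch (SecurityException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty",
                    new Object[]{"Error generating KeyInfo from signing credential"});
            }
            setSignature(signature, signatureDigestAlgorithm);
        } catch (WSSecurityException e) {
            // Already carries its error code and message; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    /**
     * Verifies the assertion signature using the key or certificate found in the signature's own
     * KeyInfo, resolved through {@code keyInfoProcessor} / {@code sigCrypto}.
     *
     * @param keyInfoProcessor resolves the KeyInfo to key material
     * @param sigCrypto key store used during resolution
     * @throws WSSecurityException if the signature has no KeyInfo or verification fails
     */
    public void verifySignature(SAMLKeyInfoProcessor keyInfoProcessor, Crypto sigCrypto)
            throws WSSecurityException {
        Signature signature = getSignature();
        if (signature == null) {
            LOG.debug("SamlAssertionWrapper: no signature to validate");
            return;
        }
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
                new Object[]{"cannot get certificate or key"});
        }
        verifySignature(SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), keyInfoProcessor, sigCrypto));
    }

    /**
     * Verifies the assertion signature against the given key material and, on success, records
     * it as {@link #getSignatureKeyInfo()}.
     *
     * <p>This is a cryptographic check only: whether the key is trusted is decided by whoever
     * produced {@code samlKeyInfo}, and profile conformance of the Signature element is checked
     * separately by {@link #validateSignatureAgainstProfile()}.
     *
     * @param samlKeyInfo the certificate (first entry of {@code getCerts()}) or public key to
     *        verify with
     * @throws WSSecurityException if no usable key is supplied or validation fails
     */
    public void verifySignature(SAMLKeyInfo samlKeyInfo) throws WSSecurityException {
        Signature signature = getSignature();
        if (signature == null) {
            LOG.debug("SamlAssertionWrapper: no signature to validate");
            return;
        }
        if (samlKeyInfo == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
                new Object[]{"cannot get certificate or key"});
        }
        BasicCredential credential;
        X509Certificate[] certs = samlKeyInfo.getCerts();
        if (certs != null && certs.length > 0) {
            credential = new BasicX509Credential(certs[0]);
        } else if (samlKeyInfo.getPublicKey() != null) {
            credential = new BasicCredential(samlKeyInfo.getPublicKey());
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
                new Object[]{"cannot get certificate or key"});
        }

        // The validator loads providers through the context class loader; point it at the one
        // that can see OpenSAML's SignerProvider and restore the caller's loader afterwards.
        ClassLoader callerLoader = Thread.currentThread().getContextClassLoader();
        try {
            Thread.currentThread().setContextClassLoader(SignerProvider.class.getClassLoader());
            SignatureValidator.validate(signature, credential);
        } catch (SignatureException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty",
                new Object[]{"SAML signature validation failed"});
        } finally {
            Thread.currentThread().setContextClassLoader(callerLoader);
        }
        this.signatureKeyInfo = samlKeyInfo;
    }

    /**
     * Checks that the Signature element conforms to the SAML signature profile (e.g. a single
     * reference to the enclosing assertion). Does nothing if the assertion is unsigned.
     *
     * @throws WSSecurityException if the profile validation fails
     */
    public void validateSignatureAgainstProfile() throws WSSecurityException {
        Signature signature = getSignature();
        if (signature == null) {
            return;
        }
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (SignatureException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty",
                new Object[]{"SAML signature validation failed"});
        }
    }

    /**
     * Extracts the key material from the assertion's Subject and stores it as
     * {@link #getSubjectKeyInfo()}.
     *
     * @param keyInfoProcessor resolves KeyInfo elements found in the subject
     * @param sigCrypto key store used during resolution
     * @param callbackHandler supplies passwords where resolution needs them
     * @throws WSSecurityException if resolution fails
     */
    public void parseSubject(SAMLKeyInfoProcessor keyInfoProcessor, Crypto sigCrypto,
                             CallbackHandler callbackHandler) throws WSSecurityException {
        if (this.samlVersion == SAMLVersion.VERSION_11) {
            this.subjectKeyInfo = SAMLUtil.getCredentialFromSubject(
                (Assertion) this.samlObject, keyInfoProcessor, sigCrypto, callbackHandler);
        } else if (this.samlVersion == SAMLVersion.VERSION_20) {
            this.subjectKeyInfo = SAMLUtil.getCredentialFromSubject(
                (org.opensaml.saml.saml2.core.Assertion) this.samlObject, keyInfoProcessor, sigCrypto, callbackHandler);
        }
    }

    /**
     * @return the SAML version of the wrapped assertion, recomputed from the object type if it
     *         has not been set
     * @throws IllegalStateException if the wrapped object is not a SAML 1.1 or 2.0 assertion
     */
    public SAMLVersion getSamlVersion() {
        if (this.samlVersion == null) {
            LOG.debug("The SAML version was null in getSamlVersion(). Recomputing SAML version...");
            if (this.samlObject instanceof Assertion) {
                this.samlVersion = SAMLVersion.VERSION_11;
            } else if (this.samlObject instanceof org.opensaml.saml.saml2.core.Assertion) {
                this.samlVersion = SAMLVersion.VERSION_20;
            } else {
                throw new IllegalStateException(
                    "Could not determine the SAML version number. Check your configuration and try again.");
            }
        }
        return this.samlVersion;
    }

    /** @return the cached assertion element, or null if none has been parsed or produced */
    public Element getElement() {
        return this.assertionElement;
    }

    /** @return the key material the signature was last verified against, or null */
    public SAMLKeyInfo getSignatureKeyInfo() {
        return this.signatureKeyInfo;
    }

    /** @return the key material extracted by {@link #parseSubject}, or null */
    public SAMLKeyInfo getSubjectKeyInfo() {
        return this.subjectKeyInfo;
    }

    /**
     * @return the raw (base64-decoded) SignatureValue bytes, or null if the assertion is
     *         unsigned or the signature has no DOM
     * @throws WSSecurityException if decoding fails
     */
    public byte[] getSignatureValue() throws WSSecurityException {
        Signature signature = null;
        if (this.samlObject instanceof SignableSAMLObject) {
            signature = ((SignableSAMLObject) this.samlObject).getSignature();
        }
        return signature != null ? getSignatureValue(signature) : null;
    }

    // Reads ds:SignatureValue from the signature's DOM. In the XMLDSig schema the first child
    // element of ds:Signature is ds:SignedInfo and the second is ds:SignatureValue.
    private byte[] getSignatureValue(Signature signature) throws WSSecurityException {
        Element signatureDom = signature.getDOM();
        if (signatureDom == null) {
            return null;
        }
        Element signedInfo = XMLUtils.getNextElement(signatureDom.getFirstChild());
        if (signedInfo == null) {
            return null;
        }
        Element signatureValue = XMLUtils.getNextElement(signedInfo.getNextSibling());
        if (signatureValue == null) {
            return null;
        }
        return XMLUtils.decode(XMLUtils.getFullTextChildrenFromElement(signatureValue));
    }

    /**
     * @return the Signature object attached to the assertion, or null if there is none
     * @throws WSSecurityException never thrown here; kept for interface compatibility
     */
    public Signature getSignature() throws WSSecurityException {
        if (this.samlObject instanceof SignableSAMLObject) {
            return ((SignableSAMLObject) this.samlObject).getSignature();
        }
        return null;
    }

    /** @return the wrapped OpenSAML object, or null if none has been parsed or built */
    public SAMLObject getSamlObject() {
        return this.samlObject;
    }

    /**
     * Checks the {@code NotBefore} / {@code NotOnOrAfter} conditions against the current time.
     *
     * <p>{@code futureTTL} is the clock-skew allowance applied to NotBefore only; NotOnOrAfter
     * is compared with no tolerance. Assertions without Conditions pass.
     *
     * @param futureTTL seconds that NotBefore may lie in the future
     * @throws WSSecurityException with {@code invalidSAMLsecurity} if either condition fails
     */
    public void checkConditions(int futureTTL) throws WSSecurityException {
        DateTime notBefore = null;
        DateTime notOnOrAfter = null;
        if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getConditions() != null) {
            notBefore = getSaml2().getConditions().getNotBefore();
            notOnOrAfter = getSaml2().getConditions().getNotOnOrAfter();
        } else if (getSamlVersion().equals(SAMLVersion.VERSION_11) && getSaml1().getConditions() != null) {
            notBefore = getSaml1().getConditions().getNotBefore();
            notOnOrAfter = getSaml1().getConditions().getNotOnOrAfter();
        }
        // One clock reading for both comparisons so they cannot disagree about "now".
        DateTime now = new DateTime();
        if (notBefore != null && notBefore.isAfter(now.plusSeconds(futureTTL))) {
            LOG.debug("SAML Token condition (Not Before) not met");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (notOnOrAfter != null && notOnOrAfter.isBefore(now)) {
            LOG.debug("SAML Token condition (Not On Or After) not met");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    /**
     * Checks the assertion's {@code IssueInstant}: it may not lie more than {@code futureTTL}
     * seconds in the future, and - only when the assertion carries no {@code NotOnOrAfter} of
     * its own - it may not be older than {@code ttl} seconds.
     *
     * @param futureTTL seconds the IssueInstant may lie in the future
     * @param ttl maximum age in seconds, applied when no NotOnOrAfter bounds the lifetime
     * @throws WSSecurityException with {@code invalidSAMLsecurity} if either check fails
     */
    public void checkIssueInstant(int futureTTL, int ttl) throws WSSecurityException {
        DateTime issueInstant = null;
        DateTime notOnOrAfter = null;
        if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            issueInstant = getSaml2().getIssueInstant();
            if (getSaml2().getConditions() != null) {
                notOnOrAfter = getSaml2().getConditions().getNotOnOrAfter();
            }
        } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)) {
            issueInstant = getSaml1().getIssueInstant();
            if (getSaml1().getConditions() != null) {
                notOnOrAfter = getSaml1().getConditions().getNotOnOrAfter();
            }
        }
        if (issueInstant == null) {
            return;
        }
        DateTime now = new DateTime();
        if (issueInstant.isAfter(now.plusSeconds(futureTTL))) {
            LOG.debug("SAML Token IssueInstant not met");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (notOnOrAfter == null && issueInstant.isBefore(now.minusSeconds(ttl))) {
            LOG.debug("SAML Token IssueInstant not met. The assertion was created too long ago.");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    /**
     * Checks the assertion's audience restrictions against the caller's list of acceptable
     * audience URIs.
     *
     * <p>The check passes when no list is given, when the assertion carries no audience
     * restriction, or when any audience of any restriction is in {@code audienceRestrictions}.
     * Note that the SAML 2.0 Core specification treats multiple AudienceRestriction elements
     * independently (all must be satisfied); accepting a match in any one of them is more
     * permissive than that.
     *
     * @param audienceRestrictions audience URIs this recipient accepts; null or empty disables
     *        the check
     * @throws WSSecurityException with {@code invalidSAMLsecurity} if restrictions are present
     *         and none matches
     */
    public void checkAudienceRestrictions(List<String> audienceRestrictions) throws WSSecurityException {
        if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
            return;
        }
        List<String> assertionAudiences = new ArrayList<>();
        if (getSamlVersion().equals(SAMLVersion.VERSION_20)) {
            org.opensaml.saml.saml2.core.Conditions conditions = getSaml2().getConditions();
            if (conditions == null || conditions.getAudienceRestrictions() == null
                || conditions.getAudienceRestrictions().isEmpty()) {
                return;
            }
            for (AudienceRestriction restriction : conditions.getAudienceRestrictions()) {
                if (restriction.getAudiences() != null) {
                    for (Audience audience : restriction.getAudiences()) {
                        assertionAudiences.add(audience.getAudienceURI());
                    }
                }
            }
        } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)) {
            Conditions conditions = getSaml1().getConditions();
            if (conditions == null || conditions.getAudienceRestrictionConditions() == null
                || conditions.getAudienceRestrictionConditions().isEmpty()) {
                return;
            }
            for (AudienceRestrictionCondition restriction : conditions.getAudienceRestrictionConditions()) {
                if (restriction.getAudiences() != null) {
                    for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) {
                        assertionAudiences.add(audience.getUri());
                    }
                }
            }
        } else {
            return;
        }
        requireAudienceMatch(audienceRestrictions, assertionAudiences);
    }

    // Fails unless at least one audience URI found in the assertion is in the accepted list.
    private static void requireAudienceMatch(List<String> accepted, List<String> found) throws WSSecurityException {
        for (String uri : found) {
            if (accepted.contains(uri)) {
                return;
            }
        }
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    /**
     * Validates every authentication statement: its instant may not lie more than
     * {@code futureTTL} seconds in the future, a SAML 2.0 {@code SessionNotOnOrAfter} may not
     * have passed, and a SubjectLocality address, if present, must be an IPv4 or IPv6 literal.
     *
     * @param futureTTL seconds the AuthnInstant may lie in the future
     * @throws WSSecurityException with {@code invalidSAMLsecurity} if any statement fails
     */
    public void checkAuthnStatements(int futureTTL) throws WSSecurityException {
        if (getSamlVersion().equals(SAMLVersion.VERSION_20) && getSaml2().getAuthnStatements() != null) {
            for (AuthnStatement authnStatement : getSaml2().getAuthnStatements()) {
                String address = null;
                if (authnStatement.getSubjectLocality() != null) {
                    address = authnStatement.getSubjectLocality().getAddress();
                }
                validateAuthnStatement(authnStatement.getAuthnInstant(),
                    authnStatement.getSessionNotOnOrAfter(), address, futureTTL);
            }
        } else if (getSamlVersion().equals(SAMLVersion.VERSION_11)
                && getSaml1().getAuthenticationStatements() != null) {
            for (AuthenticationStatement authnStatement : getSaml1().getAuthenticationStatements()) {
                String address = null;
                if (authnStatement.getSubjectLocality() != null) {
                    address = authnStatement.getSubjectLocality().getIPAddress();
                }
                validateAuthnStatement(authnStatement.getAuthenticationInstant(), null, address, futureTTL);
            }
        }
    }

    // Shared checks for one authentication statement of either SAML version.
    private void validateAuthnStatement(DateTime authnInstant, DateTime sessionNotOnOrAfter,
                                        String subjectLocalityAddress, int futureTTL)
            throws WSSecurityException {
        if (authnInstant == null) {
            // The instant is a required attribute in both schemas; fail closed rather than NPE.
            LOG.debug("SAML Token AuthnInstant is missing");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        DateTime now = new DateTime();
        if (authnInstant.isAfter(now.plusSeconds(futureTTL))) {
            LOG.debug("SAML Token AuthnInstant not met");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (sessionNotOnOrAfter != null && sessionNotOnOrAfter.isBefore(now)) {
            LOG.debug("SAML Token SessionNotOnOrAfter not met");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (subjectLocalityAddress != null
            && !InetAddressUtils.isIPv4Address(subjectLocalityAddress)
            && !InetAddressUtils.isIPv6Address(subjectLocalityAddress)) {
            LOG.debug("SAML Token SubjectLocality address is not valid: " + subjectLocalityAddress);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

    // Unmarshals the element and records it; an unexpected element type is logged and leaves
    // samlObject null (so isCreated() reports false) while the element is still cached.
    private void parseElement(Element element) throws WSSecurityException {
        XMLObject xmlObject = OpenSAMLUtil.fromDom(element);
        if (xmlObject instanceof Assertion) {
            this.samlObject = (SAMLObject) xmlObject;
            this.samlVersion = SAMLVersion.VERSION_11;
        } else if (xmlObject instanceof org.opensaml.saml.saml2.core.Assertion) {
            this.samlObject = (SAMLObject) xmlObject;
            this.samlVersion = SAMLVersion.VERSION_20;
        } else {
            LOG.error("SamlAssertionWrapper: found unexpected type "
                + (xmlObject != null ? xmlObject.getClass().getName() : null));
        }
        this.assertionElement = element;
    }

    // Builds a fresh assertion from the callback data; the version defaults to SAML 2.0.
    private void parseCallback(SAMLCallback samlCallback) throws WSSecurityException {
        this.samlVersion = samlCallback.getSamlVersion();
        if (this.samlVersion == null) {
            this.samlVersion = SAMLVersion.VERSION_20;
        }
        String issuer = samlCallback.getIssuer();
        String issuerFormat = samlCallback.getIssuerFormat();
        String issuerQualifier = samlCallback.getIssuerQualifier();

        if (this.samlVersion.equals(SAMLVersion.VERSION_11)) {
            Assertion assertion = SAML1ComponentBuilder.createSamlv1Assertion(issuer);
            try {
                assertion.getAuthenticationStatements().addAll(
                    SAML1ComponentBuilder.createSamlv1AuthenticationStatement(samlCallback.getAuthenticationStatementData()));
                assertion.getAttributeStatements().addAll(
                    SAML1ComponentBuilder.createSamlv1AttributeStatement(samlCallback.getAttributeStatementData()));
                assertion.getAuthorizationDecisionStatements().addAll(
                    SAML1ComponentBuilder.createSamlv1AuthorizationDecisionStatement(samlCallback.getAuthDecisionStatementData()));
                assertion.setConditions(SAML1ComponentBuilder.createSamlv1Conditions(samlCallback.getConditions()));
                if (samlCallback.getAdvice() != null) {
                    assertion.setAdvice(SAML1ComponentBuilder.createAdvice(samlCallback.getAdvice()));
                }
                this.samlObject = assertion;
            } catch (SecurityException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty",
                    new Object[]{"Error generating KeyInfo from signing credential"});
            }
        } else if (this.samlVersion.equals(SAMLVersion.VERSION_20)) {
            org.opensaml.saml.saml2.core.Assertion assertion = SAML2ComponentBuilder.createAssertion();
            Issuer samlIssuer = SAML2ComponentBuilder.createIssuer(issuer, issuerFormat, issuerQualifier);
            assertion.getAuthnStatements().addAll(
                SAML2ComponentBuilder.createAuthnStatement(samlCallback.getAuthenticationStatementData()));
            assertion.getAttributeStatements().addAll(
                SAML2ComponentBuilder.createAttributeStatement(samlCallback.getAttributeStatementData()));
            assertion.getAuthzDecisionStatements().addAll(
                SAML2ComponentBuilder.createAuthorizationDecisionStatement(samlCallback.getAuthDecisionStatementData()));
            assertion.setIssuer(samlIssuer);
            try {
                assertion.setSubject(SAML2ComponentBuilder.createSaml2Subject(samlCallback.getSubject()));
                assertion.setConditions(SAML2ComponentBuilder.createConditions(samlCallback.getConditions()));
                if (samlCallback.getAdvice() != null) {
                    assertion.setAdvice(SAML2ComponentBuilder.createAdvice(samlCallback.getAdvice()));
                }
                this.samlObject = assertion;
            } catch (SecurityException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty",
                    new Object[]{"Error generating KeyInfo from signing credential"});
            }
        }
    }
}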
