package org.apache.wss4j.dom.saml;

import java.security.MessageDigest;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/wss4j-ws-security-dom-2.1.9.jar:org/apache/wss4j/dom/saml/DOMSAMLUtil.class */
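/**
 * Post-processing checks on the SAML assertions found in an already-processed
 * message:
 * <ul>
 *   <li>a Holder-of-Key assertion must be backed by proof of possession of the
 *       subject key (the message signature, or the TLS client certificate, must
 *       use the key named in the assertion's subject confirmation);</li>
 *   <li>a Sender-Vouches assertion must be vouched for by an authenticated
 *       intermediary (a TLS client certificate, or one signature that covers both
 *       the assertion and the SOAP body).</li>
 * </ul>
 *
 * <p>What is deliberately NOT decided here: whether the vouching party - the TLS
 * client certificate or the signing key - is one that is actually trusted to
 * vouch, and (for HoK) what the matching signature covers. Both are left to the
 * TLS layer / signature trust validation that runs before this class. Assertions
 * that use neither confirmation method (e.g. bearer) pass both checks
 * unconditionally, so any requirement on them must be enforced elsewhere.
 *
 * <p>NOTE(review): this listing is decompiled (wss4j-ws-security-dom 2.1.9); the
 * symbolic names of the action codes and result tags were lost. They are
 * re-declared below with their presumed meaning - confirm against
 * {@code WSConstants} / {@code WSSecurityEngineResult}.
 */
public final class DOMSAMLUtil {
    private static final Logger LOG = LoggerFactory.getLogger(DOMSAMLUtil.class);

    // WSHandlerResult action codes. Presumably WSConstants.ST_SIGNED (16) and
    // WSConstants.ST_UNSIGNED (8) for the SAML token results, WSConstants.SIGN (2)
    // and WSConstants.UT_SIGN (64) for the signature results - confirm.
    private static final int ACTION_SAML_SIGNED = 16;
    private static final int ACTION_SAML_UNSIGNED = 8;
    private static final int ACTION_SIGNATURE = 2;
    private static final int ACTION_UT_SIGNATURE = 64;

    // WSSecurityEngineResult map keys (presumably its TAG_* constants - confirm).
    private static final String TAG_SAML_ASSERTION = "saml-assertion";
    private static final String TAG_X509_CERTIFICATES = "x509-certificates";
    private static final String TAG_PUBLIC_KEY = "public-key";
    private static final String TAG_SECRET = "secret";
    private static final String TAG_PRINCIPAL = "principal";
    private static final String TAG_DATA_REF_URIS = "data-ref-uris";

    private DOMSAMLUtil() {
    }

    /**
     * Runs the holder-of-key and sender-vouches checks on every SAML assertion
     * (signed or unsigned) in the handler results.
     *
     * @param handlerResult the results of processing the security header
     * @param tlsCerts      the TLS client certificate chain, or {@code null} when
     *                      there is none (assumption from usage - confirm with caller)
     * @param body          the SOAP body element, used for the sender-vouches
     *                      "assertion and body are signed" test
     * @throws WSSecurityException with {@code INVALID_SECURITY} on the first
     *                             assertion that fails either check
     */
    public static void validateSAMLResults(WSHandlerResult handlerResult, Certificate[] tlsCerts, Element body) throws WSSecurityException {
        List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
        collectResults(handlerResult, ACTION_SAML_SIGNED, samlResults);
        collectResults(handlerResult, ACTION_SAML_UNSIGNED, samlResults);
        if (samlResults.isEmpty()) {
            return;
        }

        List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
        collectResults(handlerResult, ACTION_SIGNATURE, signedResults);
        collectResults(handlerResult, ACTION_UT_SIGNATURE, signedResults);

        for (WSSecurityEngineResult samlResult : samlResults) {
            SamlAssertionWrapper samlAssertion = (SamlAssertionWrapper) samlResult.get(TAG_SAML_ASSERTION);
            if (!checkHolderOfKey(samlAssertion, signedResults, tlsCerts)) {
                LOG.warn("Assertion fails holder-of-key requirements");
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
            }
            if (!checkSenderVouches(samlAssertion, tlsCerts, body, signedResults)) {
                LOG.warn("Assertion fails sender-vouches requirements");
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
            }
        }
    }

    /** Appends the results recorded for {@code action} (if any) to {@code into}. */
    private static void collectResults(WSHandlerResult handlerResult, int action, List<WSSecurityEngineResult> into) {
        List<WSSecurityEngineResult> found = handlerResult.getActionResults().get(action);
        if (found != null) {
            into.addAll(found);
        }
    }

    /**
     * Holder-of-Key check. Returns {@code true} immediately for an assertion that
     * does not use the HoK confirmation method. For a HoK assertion the subject
     * key info must match either the TLS client certificate or one of the
     * signature results (see {@link #compareCredentials}); with neither available
     * there is no proof of possession and the check fails.
     *
     * <p>A HoK assertion whose subject confirmation carries no key info is
     * rejected (it used to surface as a NullPointerException).
     *
     * @param samlAssertion the assertion under test
     * @param signedResults signature results of the message (may be {@code null})
     * @param tlsCerts      TLS client certificate chain (may be {@code null})
     * @return {@code true} if the assertion passes
     */
    public static boolean checkHolderOfKey(SamlAssertionWrapper samlAssertion, List<WSSecurityEngineResult> signedResults, Certificate[] tlsCerts) {
        if (!isHolderOfKey(samlAssertion)) {
            return true;
        }
        boolean haveTlsCerts = tlsCerts != null && tlsCerts.length > 0;
        boolean haveSignatures = signedResults != null && !signedResults.isEmpty();
        if (!haveTlsCerts && !haveSignatures) {
            return false;
        }
        SAMLKeyInfo subjectKeyInfo = samlAssertion.getSubjectKeyInfo();
        if (subjectKeyInfo == null) {
            // HoK without any subject key: nothing could ever prove possession.
            return false;
        }
        return compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
    }

    /**
     * Tests whether the key in the assertion's subject confirmation was used to
     * authenticate the message. A match is any of:
     * <ul>
     *   <li>the TLS leaf certificate equals the subject's leaf certificate, or its
     *       public key equals the subject public key;</li>
     *   <li>a signature result's leaf certificate equals the subject's leaf
     *       certificate;</li>
     *   <li>a signature result's public key equals the subject public key (taken
     *       from the subject certificate when no bare key is present);</li>
     *   <li>a signature result's secret key (or, for a derived-key signature, the
     *       principal's base secret) equals the subject's secret key.</li>
     * </ul>
     * Only the first (leaf) certificate of each chain is compared. Which parts of
     * the message the matching signature covers is not examined here.
     *
     * @param subjectKeyInfo key info from the assertion's subject confirmation
     * @param signedResults  signature results of the message (may be {@code null})
     * @param tlsCerts       TLS client certificate chain (may be {@code null})
     * @return {@code true} on a match
     */
    public static boolean compareCredentials(SAMLKeyInfo subjectKeyInfo, List<WSSecurityEngineResult> signedResults, Certificate[] tlsCerts) {
        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
        PublicKey subjectKey = subjectKeyInfo.getPublicKey();
        byte[] subjectSecret = subjectKeyInfo.getSecret();
        X509Certificate subjectCert = (subjectCerts != null && subjectCerts.length > 0) ? subjectCerts[0] : null;

        if (tlsCerts != null && tlsCerts.length > 0 && tlsCerts[0] != null) {
            Certificate tlsCert = tlsCerts[0];
            if (subjectCert != null && tlsCert.equals(subjectCert)) {
                return true;
            }
            if (subjectKey != null && tlsCert.getPublicKey().equals(subjectKey)) {
                return true;
            }
        }

        // Fall back to the certificate's key so a bare-public-key signature result
        // can still match a certificate-carrying subject confirmation.
        if (subjectKey == null && subjectCert != null) {
            subjectKey = subjectCert.getPublicKey();
        }
        if (signedResults == null) {
            return false;
        }

        for (WSSecurityEngineResult signedResult : signedResults) {
            X509Certificate[] sigCerts = (X509Certificate[]) signedResult.get(TAG_X509_CERTIFICATES);
            PublicKey sigKey = (PublicKey) signedResult.get(TAG_PUBLIC_KEY);
            byte[] sigSecret = (byte[]) signedResult.get(TAG_SECRET);

            if (sigCerts != null && sigCerts.length > 0 && subjectCert != null && sigCerts[0].equals(subjectCert)) {
                return true;
            }
            if (sigKey != null && sigKey.equals(subjectKey)) {
                return true;
            }
            if (checkSecretKey(sigSecret, subjectSecret, signedResult)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares the secret used by a signature with the assertion's subject secret.
     * For a derived-key signature the base secret held by the
     * {@link WSDerivedKeyTokenPrincipal} is compared instead of the derived key.
     *
     * <p>Comparisons are constant-time ({@link MessageDigest#isEqual}): the
     * signature-side secret is chosen by whoever built the message, so an
     * early-exit comparison would leak how many leading bytes of the assertion's
     * secret a guess matched.
     */
    private static boolean checkSecretKey(byte[] sigSecret, byte[] subjectSecret, WSSecurityEngineResult signedResult) {
        if (sigSecret == null || subjectSecret == null) {
            return false;
        }
        if (MessageDigest.isEqual(sigSecret, subjectSecret)) {
            return true;
        }
        Principal principal = (Principal) signedResult.get(TAG_PRINCIPAL);
        if (principal instanceof WSDerivedKeyTokenPrincipal) {
            byte[] baseSecret = ((WSDerivedKeyTokenPrincipal) principal).getSecret();
            return baseSecret != null && MessageDigest.isEqual(baseSecret, subjectSecret);
        }
        return false;
    }

    /**
     * Sender-Vouches check. A TLS client certificate is accepted as the
     * intermediary's proof of authentication and short-circuits everything else
     * (nothing about the assertion is inspected, and whether that certificate is
     * trusted to vouch is decided by the TLS layer, not here). Otherwise an
     * assertion that does not use the SV confirmation method passes, and an SV
     * assertion passes only if a single signature covers both the assertion and
     * the body.
     *
     * @param samlAssertion the assertion under test
     * @param tlsCerts      TLS client certificate chain (may be {@code null})
     * @param body          the SOAP body element
     * @param signedResults signature results of the message (may be {@code null})
     * @return {@code true} if the assertion passes
     */
    public static boolean checkSenderVouches(SamlAssertionWrapper samlAssertion, Certificate[] tlsCerts, Element body, List<WSSecurityEngineResult> signedResults) {
        if (tlsCerts != null && tlsCerts.length > 0) {
            return true;
        }
        if (!isSenderVouches(samlAssertion)) {
            return true;
        }
        if (signedResults == null || signedResults.isEmpty()) {
            return false;
        }
        return checkAssertionAndBodyAreSigned(samlAssertion, body, signedResults);
    }

    /** True if any confirmation method of the assertion is holder-of-key. */
    private static boolean isHolderOfKey(SamlAssertionWrapper samlAssertion) {
        for (String method : samlAssertion.getConfirmationMethods()) {
            if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
                return true;
            }
        }
        return false;
    }

    /** True if any confirmation method of the assertion is sender-vouches. */
    private static boolean isSenderVouches(SamlAssertionWrapper samlAssertion) {
        for (String method : samlAssertion.getConfirmationMethods()) {
            if (OpenSAMLUtil.isMethodSenderVouches(method)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True if ONE signature result protects both the assertion element and the
     * body element. Coverage by two different signatures does not count: the
     * flags are reset for every result, so the same signer must have bound the
     * assertion to the body.
     *
     * <p>Elements are compared by reference ({@code ==}) on purpose: the protected
     * node must be the very DOM node of this assertion / this body, not merely an
     * equal-looking one elsewhere in the document.
     */
    private static boolean checkAssertionAndBodyAreSigned(SamlAssertionWrapper samlAssertion, Element body, List<WSSecurityEngineResult> signedResults) {
        Element assertionElement = samlAssertion.getElement();
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<?> dataRefs = (List<?>) signedResult.get(TAG_DATA_REF_URIS);
            if (dataRefs == null) {
                continue;
            }
            boolean assertionSigned = false;
            boolean bodySigned = false;
            for (Object ref : dataRefs) {
                Element protectedElement = ((WSDataRef) ref).getProtectedElement();
                if (protectedElement == assertionElement) {
                    assertionSigned = true;
                }
                if (protectedElement == body) {
                    bodySigned = true;
                }
                if (assertionSigned && bodySigned) {
                    return true;
                }
            }
        }
        return false;
    }
}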
