package org.springframework.security.saml2.provider.service.authentication;

import jakarta.servlet.http.HttpServletRequest;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.metadata.criteria.role.impl.EvaluableProtocolRoleDescriptorCriterion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.StatusResponseType;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion;
import org.opensaml.security.credential.criteria.impl.EvaluableUsageCredentialCriterion;
import org.opensaml.security.credential.impl.CollectionCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.web.util.UriUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-security-saml2-service-provider-6.3.9.jar:org/springframework/security/saml2/provider/service/authentication/OpenSamlVerificationUtils.class */
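/**
 * Signature verification helpers shared by the OpenSAML-based authentication and logout
 * components (decompiled from spring-security-saml2-service-provider-6.3.9.jar; the
 * access modifiers shown are the decompiler's, originally package-private).
 * <p>
 * Trust is anchored exclusively in the asserting party's verification certificates held by
 * the {@link RelyingPartyRegistration}; nothing carried inside a message (its
 * {@code KeyInfo}, its {@code SigAlg}) can widen that set of trusted keys.
 */
public final class OpenSamlVerificationUtils {

    /** Protocol role the signing credential is matched against. */
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    /**
     * Signature verifier for one SAML 2.0 message — a {@link StatusResponseType} (e.g. a
     * Response or LogoutResponse) or a {@link RequestAbstractType} (e.g. a LogoutRequest) —
     * issued by the asserting party of a {@link RelyingPartyRegistration}.
     * <p>
     * Obtain an instance via {@link OpenSamlVerificationUtils#verifySignature} and then call
     * {@link #post(Signature)} for an XML (enveloped) signature or
     * {@link #redirect(HttpServletRequest, String)} for an HTTP-Redirect (query string)
     * signature. Both return a {@link Saml2ResponseValidatorResult} whose errors all carry
     * {@link Saml2ErrorCodes#INVALID_SIGNATURE}; an empty error list means the signature
     * verified.
     */
    public static class VerifierPartial {

        /** Message id; used only to identify the object in error descriptions. */
        private final String id;

        /** Constraints a candidate signing credential must satisfy, see {@link #verificationCriteria}. */
        private final CriteriaSet criteria;

        /** Explicit-key trust engine over the asserting party's verification certificates. */
        private final SignatureTrustEngine trustEngine;

        /**
         * The HTTP-Redirect binding signature material carried as query parameters:
         * {@code SigAlg}, {@code Signature}, and the signed string, which is rebuilt from the
         * object parameter, the optional {@code RelayState} and {@code SigAlg} — each
         * URL-encoded — in that order.
         */
        private static class RedirectSignature {

            private static final String RELAY_STATE = "RelayState";

            private static final String SIGNATURE = "Signature";

            private final HttpServletRequest request;

            /** Name of the parameter holding the SAML object, e.g. SAMLRequest or SAMLResponse. */
            private final String objectParameterName;

            RedirectSignature(HttpServletRequest request, String objectParameterName) {
                this.request = request;
                this.objectParameterName = objectParameterName;
            }

            /** The {@code SigAlg} query parameter (an algorithm URI), or null when absent. */
            String getAlgorithm() {
                return this.request.getParameter(Saml2ParameterNames.SIG_ALG);
            }

            /**
             * Rebuilds the string the sender signed, as UTF-8 bytes:
             * {@code <object>=...&RelayState=...&SigAlg=...}, the RelayState pair being present
             * only when the request carries that parameter (an empty value still counts as
             * present).
             * <p>
             * NOTE(review): the values are re-encoded with {@link UriUtils#encode} rather than
             * taken verbatim from the raw query string; a sender that percent-encodes
             * differently (or not at all) produces a signed string that will not reproduce here
             * and its signature will be rejected — confirm this is acceptable for the asserting
             * parties in use.
             */
            byte[] getContent() {
                StringBuilder signed = new StringBuilder()
                        .append(this.objectParameterName).append('=')
                        .append(encode(this.request.getParameter(this.objectParameterName)));
                String relayState = this.request.getParameter(RELAY_STATE);
                if (relayState != null) {
                    signed.append('&').append(RELAY_STATE).append('=').append(encode(relayState));
                }
                signed.append('&').append(Saml2ParameterNames.SIG_ALG).append('=')
                        .append(encode(getAlgorithm()));
                return signed.toString().getBytes(StandardCharsets.UTF_8);
            }

            /** Percent-encodes one parameter value the way the signed string expects. */
            private static String encode(String value) {
                return UriUtils.encode(value, StandardCharsets.ISO_8859_1);
            }

            /**
             * The Base64-decoded {@code Signature} query parameter. Callers check
             * {@link #hasSignature()} first; decoding errors surface as exceptions.
             */
            byte[] getSignature() {
                return Saml2Utils.samlDecode(this.request.getParameter(SIGNATURE));
            }

            /** Whether a {@code Signature} parameter is present at all (an empty value counts). */
            boolean hasSignature() {
                return this.request.getParameter(SIGNATURE) != null;
            }
        }

        VerifierPartial(StatusResponseType response, RelyingPartyRegistration registration) {
            this(response.getID(), response.getIssuer(), registration);
        }

        VerifierPartial(RequestAbstractType request, RelyingPartyRegistration registration) {
            this(request.getID(), request.getIssuer(), registration);
        }

        /**
         * @param id the message id, for error descriptions
         * @param issuer the message's Issuer; its value selects which trusted key may verify it
         * @param registration the relying party whose asserting party is the expected signer
         */
        private VerifierPartial(String id, Issuer issuer, RelyingPartyRegistration registration) {
            this.id = id;
            this.criteria = verificationCriteria(issuer);
            this.trustEngine = OpenSamlVerificationUtils.trustEngine(registration);
        }

        /**
         * Verifies an HTTP-Redirect binding signature (SigAlg / Signature query parameters)
         * over the object named by {@code objectParameterName}.
         * @param request the incoming redirect request
         * @param objectParameterName the parameter carrying the SAML object (SAMLRequest or
         * SAMLResponse)
         * @return a result with no errors when the signature is present and verifies under one
         * of the asserting party's signing credentials; otherwise one
         * {@link Saml2ErrorCodes#INVALID_SIGNATURE} error saying why
         */
        Saml2ResponseValidatorResult redirect(HttpServletRequest request, String objectParameterName) {
            RedirectSignature signature = new RedirectSignature(request, objectParameterName);
            if (signature.getAlgorithm() == null) {
                return Saml2ResponseValidatorResult
                        .failure(invalidSignature("Missing signature algorithm for object [" + this.id + "]"));
            }
            if (!signature.hasSignature()) {
                return Saml2ResponseValidatorResult
                        .failure(invalidSignature("Missing signature for object [" + this.id + "]"));
            }
            List<Saml2Error> errors = new ArrayList<>();
            try {
                // NOTE(review): the algorithm URI comes straight from the request and the
                // criteria carry no algorithm include/exclude list, so as far as this class
                // shows nothing here rejects a weak digest/signature algorithm URI; the
                // explicit-key engine still requires a valid signature under a registered
                // certificate. Confirm whether the engine or a caller applies a whitelist.
                boolean trusted = this.trustEngine.validate(signature.getSignature(), signature.getContent(),
                        signature.getAlgorithm(), this.criteria, null);
                if (!trusted) {
                    errors.add(invalidSignature("Invalid signature for object [" + this.id + "]"));
                }
            }
            catch (Exception ex) {
                // Malformed Base64, an unknown algorithm URI, resolver failures, etc. The
                // exception text was previously dropped, leaving a description ending in ": ".
                errors.add(invalidSignature("Invalid signature for object [" + this.id + "]: " + ex.getMessage()));
            }
            return Saml2ResponseValidatorResult.failure(errors);
        }

        /**
         * Verifies an enveloped XML signature. Two independent checks run and their errors are
         * collected together: the SAML signature-profile rules
         * ({@link SAMLSignatureProfileValidator}) and key trust via the explicit-key trust
         * engine. The trust check runs even when the profile check fails.
         * @param signature the {@code ds:Signature} element of the message
         * @return a result with no errors when both checks pass; otherwise one
         * {@link Saml2ErrorCodes#INVALID_SIGNATURE} error per failed check
         */
        public Saml2ResponseValidatorResult post(Signature signature) {
            List<Saml2Error> errors = new ArrayList<>();
            try {
                new SAMLSignatureProfileValidator().validate(signature);
            }
            catch (Exception ex) {
                errors.add(invalidSignature("Invalid signature for object [" + this.id + "]: " + ex.getMessage()));
            }
            try {
                if (!this.trustEngine.validate(signature, this.criteria)) {
                    errors.add(invalidSignature("Invalid signature for object [" + this.id + "]"));
                }
            }
            catch (Exception ex) {
                errors.add(invalidSignature("Invalid signature for object [" + this.id + "]: " + ex.getMessage()));
            }
            return Saml2ResponseValidatorResult.failure(errors);
        }

        /** Builds the single error type this verifier reports. */
        private static Saml2Error invalidSignature(String description) {
            return new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE, description);
        }

        /**
         * Criteria a candidate signing credential must satisfy: its entity id equals the
         * message's Issuer value, it belongs to the SAML 2.0 protocol role, and its usage is
         * SIGNING. Because {@link OpenSamlVerificationUtils#trustEngine} tags every trusted
         * credential with the registered asserting party's entity id, a message is only
         * accepted when its Issuer is that asserting party.
         * <p>
         * NOTE(review): a message with no Issuer element fails here with a runtime exception
         * ({@code issuer} is null) instead of a validation error — presumably callers reject
         * such messages earlier; confirm.
         */
        private static CriteriaSet verificationCriteria(Issuer issuer) {
            CriteriaSet criteria = new CriteriaSet();
            criteria.add(new EvaluableEntityIDCredentialCriterion(new EntityIdCriterion(issuer.getValue())));
            criteria.add(new EvaluableProtocolRoleDescriptorCriterion(new ProtocolCriterion(SAML2_PROTOCOL)));
            criteria.add(new EvaluableUsageCredentialCriterion(new UsageCriterion(UsageType.SIGNING)));
            return criteria;
        }
    }

    /**
     * Starts verification of a response-type message (Response, LogoutResponse, ...).
     * @param response the message whose ID and Issuer drive verification
     * @param registration the relying party whose asserting party must have signed it
     */
    public static VerifierPartial verifySignature(StatusResponseType response,
            RelyingPartyRegistration registration) {
        return new VerifierPartial(response, registration);
    }

    /**
     * Starts verification of a request-type message (LogoutRequest, ...).
     * @param request the message whose ID and Issuer drive verification
     * @param registration the relying party whose asserting party must have signed it
     */
    static VerifierPartial verifySignature(RequestAbstractType request, RelyingPartyRegistration registration) {
        return new VerifierPartial(request, registration);
    }

    /**
     * Builds the trust engine used to verify signatures from the asserting party of
     * {@code registration}: every verification certificate becomes an explicitly trusted
     * {@link BasicX509Credential} tagged {@link UsageType#SIGNING} and bound to the asserting
     * party's entity id, which is what the issuer/usage criteria in {@link VerifierPartial}
     * match against.
     * <p>
     * Under OpenSAML's explicit-key trust model the engine only trusts keys from that
     * collection; the inline {@code KeyInfo} resolver lets a key embedded in a signature be
     * located and compared, but a key that is not in the collection is never trusted.
     * @param registration the relying party whose asserting party's certificates are trusted
     * @return a fresh engine (built on every call; nothing is cached)
     */
    public static SignatureTrustEngine trustEngine(RelyingPartyRegistration registration) {
        String assertingPartyEntityId = registration.getAssertingPartyDetails().getEntityId();
        Set<Credential> trusted = new HashSet<>();
        for (Saml2X509Credential verification : registration.getAssertingPartyDetails()
                .getVerificationX509Credentials()) {
            BasicX509Credential credential = new BasicX509Credential(verification.getCertificate());
            credential.setUsageType(UsageType.SIGNING);
            // Binds the key to the registered asserting party so the entity-id criterion
            // (the message's Issuer) can only select this registration's keys.
            credential.setEntityId(assertingPartyEntityId);
            trusted.add(credential);
        }
        return new ExplicitKeySignatureTrustEngine(new CollectionCredentialResolver(trusted),
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
    }

    private OpenSamlVerificationUtils() {
    }
}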
