package com.ibm.ws.security.saml.sso20.internal.utils;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.binding.BasicMessageContext;
import com.ibm.ws.security.saml.sso20.metadata.AcsDOMMetadataProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashSet;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCredentialResolverFactory;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.security.x509.BasicPKIXValidationInformation;
import org.opensaml.xml.security.x509.StaticPKIXValidationInformationResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine;

/**
 * Static helpers used while processing a SAML 2.0 message context: loading the
 * configured IdP metadata file, building the signature {@link TrustEngine}
 * (metadata-backed or PKIX-backed) and validating the {@code <saml:Issuer>} of
 * an inbound message against metadata and/or the configured trusted issuers.
 * <p>
 * This listing is decompiled output (see the {@code loaded from} marker below),
 * which explains the nested {@code try} blocks, the duplicated close logic and
 * the synthetic names inside the anonymous class.
 * <p>
 * The three type parameters are not referenced by any member of this class.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.saml.sso20_1.0.14.jar:com/ibm/ws/security/saml/sso20/internal/utils/MsgCtxUtil.class */
public class MsgCtxUtil<InboundMessageType extends SAMLObject, OutboundMessageType extends SAMLObject, NameIdentifierType extends SAMLObject> {
    // Trace component bound to the SAML20 message bundle; every debug trace below is guarded by tc.isDebugEnabled().
    private static TraceComponent tc = Tr.register((Class<?>) MsgCtxUtil.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    // Single shared instance returned by getInstance(); all functionality is static, so the instance carries no state.
    static MsgCtxUtil<?, ?, ?> instance = new MsgCtxUtil<>();
    // Present in the decompiled output although this class declares no Serializable interface here.
    static final long serialVersionUID = 8485671836707667367L;

    /**
     * Returns the shared (stateless) instance of this utility.
     *
     * @return the singleton {@link MsgCtxUtil}
     */
    public static MsgCtxUtil<?, ?, ?> getInstance() {
        return instance;
    }

    /**
     * Loads and initializes the IdP metadata file configured for {@code ssoConfig}.
     * <p>
     * Behaviour visible in this method:
     * <ul>
     * <li>If {@link SsoConfig#getIdpMetadata()} is {@code null} or empty, a debug
     * trace is written and {@code null} is returned; no exception is thrown.</li>
     * <li>The file is opened inside {@code AccessController.doPrivileged}. When the
     * file does not exist the privileged action yields {@code null}, and this
     * method then also returns {@code null} without throwing, so callers must be
     * prepared for a null provider even when a path is configured.</li>
     * <li>The document is parsed with the shared OpenSAML parser pool, wrapped in
     * an {@link AcsDOMMetadataProvider} together with the source file, and the
     * provider is initialized before being returned.</li>
     * <li>The input stream is closed on both the normal and the error path; a
     * failure to close is traced and otherwise ignored.</li>
     * </ul>
     *
     * @param ssoConfig SP configuration supplying the metadata path and the provider id used in error messages
     * @return the initialized provider, or {@code null} when no metadata path is
     *         configured or the configured file does not exist
     * @throws SamlException {@code SAML20_NO_IDP_METADATA_ERROR} when opening the
     *         file fails with a {@link FileNotFoundException};
     *         {@code SAML20_IDP_METADATA_PARSE_ERROR} for any other failure of the
     *         privileged action, for an {@link XMLParserException}, a
     *         {@link MetadataProviderException} or a {@link NullPointerException}
     *         raised while parsing or initializing
     */
    @FFDCIgnore({PrivilegedActionException.class, MetadataProviderException.class})
    public static AcsDOMMetadataProvider parseIdpMetadataProvider(SsoConfig ssoConfig) throws SamlException {
        AcsDOMMetadataProvider acsDOMMetadataProvider = null;
        String idpMetadata = ssoConfig.getIdpMetadata();
        if (idpMetadata != null && !idpMetadata.isEmpty()) {
            final File file = new File(idpMetadata);
            InputStream inputStream = null;
            try {
                try {
                    try {
                        try {
                            // NOTE(review): DTD/external-entity handling is whatever the shared parser pool was
                            // configured with elsewhere; confirm that configuration is hardened, since this is
                            // the parse path for an operator-supplied XML file.
                            StaticBasicParserPool staticBasicParserPool = (StaticBasicParserPool) Configuration.getParserPool();
                            // File access runs with the bundle's own privileges; a missing file yields null rather than an exception.
                            inputStream = (InputStream) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil.1
                                static final long serialVersionUID = -7645066519357773928L;
                                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass1.class);

                                @Override // java.security.PrivilegedExceptionAction
                                public Object run() throws Exception {
                                    if (file.exists()) {
                                        return new FileInputStream(file);
                                    }
                                    return null;
                                }
                            });
                            if (inputStream != null) {
                                acsDOMMetadataProvider = new AcsDOMMetadataProvider(staticBasicParserPool.parse(inputStream).getDocumentElement(), file);
                                acsDOMMetadataProvider.initialize();
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "dumpData metadataProvider:" + ((Object) DumpData.dumpMetadata(acsDOMMetadataProvider)), new Object[0]);
                                }
                            }
                            // Normal-path close; the catch (Throwable) below repeats it for the error path
                            // (this looks like a decompiled finally block).
                            if (inputStream != null) {
                                try {
                                    inputStream.close();
                                } catch (IOException e) {
                                    // A close failure is recorded for FFDC and traced, but does not fail the load.
                                    FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil", "183", null, new Object[]{ssoConfig});
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Can not close InputStream of MetadataFile:" + idpMetadata, e);
                                    }
                                }
                            }
                        } catch (Throwable th) {
                            if (inputStream != null) {
                                try {
                                    inputStream.close();
                                } catch (IOException e2) {
                                    FFDCFilter.processException(e2, "com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil", "183", null, new Object[]{ssoConfig});
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Can not close InputStream of MetadataFile:" + idpMetadata, e2);
                                    }
                                }
                            }
                            // Re-throw so the original failure reaches the typed handlers below.
                            throw th;
                        }
                    } catch (PrivilegedActionException e3) {
                        // Only a FileNotFoundException from the privileged open maps to the "no IdP metadata"
                        // message; any other wrapped exception is reported as a parse error.
                        Exception exception = e3.getException();
                        if (exception instanceof FileNotFoundException) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Provider error MetadataFile:" + idpMetadata, exception);
                            }
                            throw new SamlException("SAML20_NO_IDP_METADATA_ERROR", exception, new Object[]{idpMetadata, ssoConfig.getProviderId(), exception.getMessage()});
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "unexpected Provider error MetadataFile:" + idpMetadata, e3, exception);
                        }
                        throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", exception, new Object[]{idpMetadata, ssoConfig.getProviderId(), exception.getMessage()});
                    }
                } catch (XMLParserException e4) {
                    // Malformed metadata XML; the cause is preserved in the SamlException.
                    FFDCFilter.processException(e4, "com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil", "113", null, new Object[]{ssoConfig});
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Can not parse MetadataFile:" + idpMetadata, e4);
                    }
                    throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", e4, new Object[]{idpMetadata, ssoConfig.getProviderId(), e4.getMessage()});
                }
            } catch (NullPointerException e5) {
                // Catching NPE here converts an unexpected null during parse/initialize into a parse error
                // instead of a crash; the exact source of the null is not visible in this listing.
                FFDCFilter.processException(e5, "com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil", "166", null, new Object[]{ssoConfig});
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Provider error MetadataFile:" + idpMetadata, e5);
                }
                throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", e5, new Object[]{idpMetadata, ssoConfig.getProviderId(), e5.getMessage()});
            } catch (MetadataProviderException e6) {
                // Raised by AcsDOMMetadataProvider.initialize(); not sent to FFDC (see @FFDCIgnore above).
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Provider error MetadataFile:" + idpMetadata, e6);
                }
                throw new SamlException("SAML20_IDP_METADATA_PARSE_ERROR", e6, new Object[]{idpMetadata, ssoConfig.getProviderId(), e6.getMessage()});
            }
        } else if (tc.isDebugEnabled()) {
            // No metadata path configured: signature trust then has to come from the configured trust store.
            Tr.debug(tc, "The idpMetadataFile in " + ssoConfig.getProviderId() + " is null. This has to define the trustStore to verify the signature in SAML Response", new Object[0]);
        }
        return acsDOMMetadataProvider;
    }

    /**
     * Selects the signature trust engine for the context: the PKIX engine when
     * {@link SsoConfig#isPkixTrustEngineEnabled()} is {@code true}, otherwise the
     * explicit-key engine backed by the context's metadata provider.
     *
     * @param basicMessageContext the message context whose {@code SsoConfig} decides the engine type
     * @return a {@link TrustEngine} for XML signatures
     * @throws SamlException propagated from {@link #getTrustedEngineFromPkix}
     */
    public static TrustEngine<Signature> getTrustedEngine(BasicMessageContext<?, ?, ?> basicMessageContext) throws SamlException {
        return !basicMessageContext.getSsoConfig().isPkixTrustEngineEnabled() ? getTrustedEngineFromMetadata(basicMessageContext) : getTrustedEngineFromPkix(basicMessageContext);
    }

    /**
     * Builds an {@link ExplicitKeySignatureTrustEngine} whose trusted credentials are
     * resolved from the context's metadata provider, using the KeyInfo resolver from
     * {@link #getKeyInfoCredResolver()} to read keys embedded in the signature.
     *
     * @param basicMessageContext the message context supplying the metadata provider
     * @return the metadata-backed trust engine
     */
    public static TrustEngine<Signature> getTrustedEngineFromMetadata(BasicMessageContext<?, ?, ?> basicMessageContext) {
        return new ExplicitKeySignatureTrustEngine(MetadataCredentialResolverFactory.getFactory().getInstance(basicMessageContext.getMetadataProvider()), getKeyInfoCredResolver());
    }

    /**
     * Builds a {@link PKIXSignatureTrustEngine} from the trust anchors and CRLs
     * configured on the context's {@link SsoConfig}.
     * <p>
     * A single {@link BasicPKIXValidationInformation} is created from
     * {@code getPkixTrustAnchors()} and {@code getX509Crls()}; the literal
     * {@code 20} is the third constructor argument, which in OpenSAML is the
     * verification depth (maximum certification path length) — confirm against
     * the OpenSAML version in use. The empty {@link HashSet} is handed to the
     * resolver as its second argument (trusted names), so no name constraint is
     * applied here.
     *
     * @param basicMessageContext the message context supplying the {@code SsoConfig}
     * @return the PKIX-backed trust engine
     * @throws SamlException declared; no throwing statement is visible in this method body
     */
    public static TrustEngine<Signature> getTrustedEngineFromPkix(BasicMessageContext<?, ?, ?> basicMessageContext) throws SamlException {
        SsoConfig ssoConfig = basicMessageContext.getSsoConfig();
        BasicPKIXValidationInformation basicPKIXValidationInformation = new BasicPKIXValidationInformation(ssoConfig.getPkixTrustAnchors(), ssoConfig.getX509Crls(), 20);
        // Raw collections as emitted by the decompiler; the resolver takes the list of validation info and a name set.
        ArrayList arrayList = new ArrayList();
        HashSet hashSet = new HashSet();
        arrayList.add(basicPKIXValidationInformation);
        return new PKIXSignatureTrustEngine(new StaticPKIXValidationInformationResolver(arrayList, hashSet), getKeyInfoCredResolver());
    }

    /**
     * Creates the KeyInfo credential resolver shared by both trust engines. It is
     * configured with a single {@link InlineX509DataProvider}, i.e. only inline
     * {@code <ds:X509Data>} content of a signature's KeyInfo is resolved.
     *
     * @return a {@link BasicProviderKeyInfoCredentialResolver} with one inline X509 provider
     */
    static KeyInfoCredentialResolver getKeyInfoCredResolver() {
        InlineX509DataProvider inlineX509DataProvider = new InlineX509DataProvider();
        ArrayList arrayList = new ArrayList();
        arrayList.add(inlineX509DataProvider);
        return new BasicProviderKeyInfoCredentialResolver(arrayList);
    }

    /**
     * Validates the {@code <saml:Issuer>} of an inbound message.
     * <p>
     * Rules, in order:
     * <ol>
     * <li>If the issuer carries a {@code Format} and it is not the entity NameID
     * format, {@code SAML20_NO_ISSUER_ERR} is thrown.</li>
     * <li>When {@code z} is {@code true}, the peer entity metadata is not consulted.
     * Otherwise it is taken from the context.</li>
     * <li>Without peer metadata the issuer is accepted only if
     * {@link #tryTrustedIssuers} accepts it.</li>
     * <li>With peer metadata the issuer is accepted if it equals the peer's
     * {@code entityID} or if {@link #tryTrustedIssuers} accepts it.</li>
     * </ol>
     * This method never returns {@code false}: it either returns {@code true} or throws.
     *
     * @param issuer the issuer element of the inbound message
     * @param basicMessageContext the message context supplying peer metadata and {@code SsoConfig}
     * @param z when {@code true}, peer entity metadata is ignored and only the configured
     *          trusted-issuers list can accept the issuer
     * @return {@code true} when the issuer is accepted
     * @throws SamlException {@code SAML20_NO_ISSUER_ERR} for a non-entity issuer format,
     *         {@code SAML20_INCORRECT_ISSUER_ERR} when the issuer value is not accepted
     */
    public static boolean validateIssuer(Issuer issuer, BasicMessageContext<?, ?, ?> basicMessageContext, boolean z) throws SamlException {
        if (issuer.getFormat() != null && !issuer.getFormat().equals("urn:oasis:names:tc:SAML:2.0:nameid-format:entity")) {
            throw new SamlException("SAML20_NO_ISSUER_ERR", (Exception) null, new Object[]{"urn:oasis:names:tc:SAML:2.0:nameid-format:entity", issuer.getFormat()});
        }
        EntityDescriptor peerEntityMetadata = z ? null : basicMessageContext.getPeerEntityMetadata();
        if (peerEntityMetadata == null) {
            if (tryTrustedIssuers(issuer, basicMessageContext)) {
                return true;
            }
            throw new SamlException("SAML20_INCORRECT_ISSUER_ERR", (Exception) null, new Object[]{issuer.getValue()});
        }
        // NOTE(review): assumes the peer EntityDescriptor always carries an entityID; a null entityID
        // would surface as a NullPointerException here rather than a SamlException — confirm upstream.
        if (peerEntityMetadata.getEntityID().equals(issuer.getValue()) || tryTrustedIssuers(issuer, basicMessageContext)) {
            return true;
        }
        throw new SamlException("SAML20_INCORRECT_ISSUER_ERR", (Exception) null, new Object[]{issuer.getValue()});
    }

    /**
     * Checks the issuer value against the configured PKIX trusted issuers.
     * <p>
     * Returns {@code true} if any configured entry equals
     * {@link Constants#TRUST_ALL_ISSUERS} or equals the issuer value exactly.
     * A configuration containing {@code TRUST_ALL_ISSUERS} therefore accepts every
     * issuer value, so issuer matching imposes no restriction in that case.
     *
     * @param issuer the issuer whose value is compared
     * @param basicMessageContext the message context supplying {@code getPkixTrustedIssuers()}
     * @return {@code true} when the issuer is listed or the wildcard is configured;
     *         {@code false} when the list is {@code null} or contains no match
     */
    static boolean tryTrustedIssuers(Issuer issuer, BasicMessageContext<?, ?, ?> basicMessageContext) {
        String value = issuer.getValue();
        String[] pkixTrustedIssuers = basicMessageContext.getSsoConfig().getPkixTrustedIssuers();
        if (pkixTrustedIssuers == null) {
            return false;
        }
        for (String str : pkixTrustedIssuers) {
            // Wildcard entry short-circuits the comparison; otherwise an exact string match is required.
            if (Constants.TRUST_ALL_ISSUERS.equals(str) || str.equals(value)) {
                return true;
            }
        }
        return false;
    }
}
