package org.apache.rahas.impl;

import java.security.Principal;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.RahasData;
import org.apache.rahas.Token;
import org.apache.rahas.TokenIssuer;
import org.apache.rahas.TrustException;
import org.apache.rahas.TrustUtil;
import org.apache.rahas.impl.util.CommonUtil;
import org.apache.rahas.impl.util.SAMLAttributeCallback;
import org.apache.rahas.impl.util.SAMLCallbackHandler;
import org.apache.rahas.impl.util.SAMLNameIdentifierCallback;
import org.apache.rahas.impl.util.SAMLUtils;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.util.Loader;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.jasypt.salt.RandomSaltGenerator;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLException;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.Attribute;
import org.opensaml.saml1.core.AttributeStatement;
import org.opensaml.saml1.core.AuthenticationStatement;
import org.opensaml.saml1.core.NameIdentifier;
import org.opensaml.saml1.core.Subject;
import org.opensaml.xml.signature.KeyInfo;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/open/rampart/rampart-trust-1.6.2.jar:org/apache/rahas/impl/SAMLTokenIssuer.class */
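/**
 * Issues SAML 1.1 assertions in answer to a WS-Trust RequestSecurityToken.
 *
 * <p>Depending on the requested KeyType the assertion is either holder-of-key (symmetric or
 * public key) or bearer. The issued assertion is signed with the issuer key named in the
 * configuration, wrapped in a RequestSecurityTokenResponse and also recorded in the token
 * store of the incoming message context, together with the ephemeral key (if any) as its secret.
 *
 * <p>Configuration is resolved, in order, from the configuration element, the configuration
 * file, or a service parameter; exactly one of the three setters is normally used.
 *
 * <p>Note for reviewers: when {@code getCallbackHandlerName()} is set, that class is loaded
 * reflectively through the service class loader and instantiated with its no-arg constructor.
 * The name comes from deployment configuration, not from the request.
 */
public class SAMLTokenIssuer implements TokenIssuer {
    private String configParamName;
    private OMElement configElement;
    private String configFile;
    // Authentication method asserted in every AuthenticationStatement built here.
    private static final String AUTHENTICATION_METHOD_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password";
    private static final Log log = LogFactory.getLog(SAMLTokenIssuer.class);

    // SAML 1.0 subject confirmation methods.
    private static final String CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    private static final String CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    // NameIdentifier format used for every subject built by this issuer.
    private static final String NAMEID_FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    // TokenType written into the RSTR.
    private static final String TOKEN_TYPE_SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    // Single fixed attribute emitted when no callback handler is configured at all.
    private static final String DEFAULT_ATTR_NAME = "Name";
    private static final String DEFAULT_ATTR_NS = "https://rahas.apache.org/saml/attrns";
    private static final String DEFAULT_ATTR_VALUE = "Colombo/Rahas";
    // Key in trustedServices whose alias is used when no entry matches the AppliesTo address.
    private static final String WILDCARD_SERVICE = "*";

    /**
     * Builds the RSTR envelope containing a freshly issued, signed SAML 1.1 assertion.
     *
     * @param rahasData request data (key type, key size, principal, AppliesTo, claims, ...)
     * @return the SOAP envelope holding the RequestSecurityTokenResponse
     * @throws TrustException if no configuration can be resolved, the KeyType is missing or
     *         unsupported, or the assertion cannot be built or signed
     */
    @Override // org.apache.rahas.TokenIssuer
    public SOAPEnvelope issue(RahasData rahasData) throws TrustException {
        MessageContext inMsgCtx = rahasData.getInMessageContext();
        SAMLTokenIssuerConfig config = loadConfig(inMsgCtx);

        SOAPEnvelope env = TrustUtil.createSOAPEnvelope(inMsgCtx.getEnvelope().getNamespace().getNamespaceURI());
        Crypto crypto = loadCrypto(config, inMsgCtx);

        DateTime creationTime = new DateTime();
        DateTime expirationTime = new DateTime(creationTime.getMillis() + config.ttl);
        Document doc = ((Element) env).getOwnerDocument();

        // -1 means the requestor did not ask for a particular size; fall back to the configured one.
        int requestedKeySize = rahasData.getKeysize();
        int keySize = requestedKeySize == -1 ? config.keySize : requestedKeySize;

        String keyType = rahasData.getKeyType();
        if (keyType == null) {
            throw new TrustException(TrustException.INVALID_REQUEST, new String[]{"Requested KeyType is missing"});
        }
        Assertion assertion;
        if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) || keyType.endsWith(RahasConstants.KEY_TYPE_PUBLIC_KEY)) {
            assertion = createHoKAssertion(config, doc, crypto, creationTime, expirationTime, rahasData);
        } else if (keyType.endsWith(RahasConstants.KEY_TYPE_BEARER)) {
            assertion = createBearerAssertion(config, doc, crypto, creationTime, expirationTime, rahasData);
        } else {
            throw new TrustException("unsupportedKeyType");
        }

        // WS-Trust 1.3 and later wrap the RSTR in an RSTR collection; version 1 does not.
        int version = rahasData.getVersion();
        OMElement rstr;
        if (1 == version) {
            rstr = TrustUtil.createRequestSecurityTokenResponseElement(version, env.getBody());
        } else {
            OMElement rstrc = TrustUtil.createRequestSecurityTokenResponseCollectionElement(version, env.getBody());
            rstr = TrustUtil.createRequestSecurityTokenResponseElement(version, rstrc);
        }
        TrustUtil.createTokenTypeElement(version, rstr).setText(TOKEN_TYPE_SAML11);
        if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
            TrustUtil.createKeySizeElement(version, rstr, keySize);
        }
        if (config.addRequestedAttachedRef) {
            TrustUtil.createRequestedAttachedRef(rstr, assertion.getID(), version);
        }
        if (config.addRequestedUnattachedRef) {
            TrustUtil.createRequestedUnattachedRef(rstr, assertion.getID(), version);
        }
        if (rahasData.getAppliesToAddress() != null) {
            TrustUtil.createAppliesToElement(rstr, rahasData.getAppliesToAddress(), rahasData.getAddressingNs());
        }
        XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();
        TrustUtil.createLifetimeElement(version, rstr, dateFormat.format(creationTime.toDate()), dateFormat.format(expirationTime.toDate()));
        // The assertion DOM belongs to another document; import it into the RSTR's document before attaching.
        TrustUtil.createRequestedSecurityTokenElement(version, rstr).addChild((OMNode) ((Element) rstr).getOwnerDocument().importNode(assertion.getDOM(), true));

        // Record the issued token (and its ephemeral key as the secret) so later requests can refer to it.
        Token token = new Token(assertion.getID(), (OMElement) assertion.getDOM(), creationTime.toDate(), expirationTime.toDate());
        token.setSecret(rahasData.getEphmeralKey());
        TrustUtil.getTokenStore(inMsgCtx).add(token);

        // NOTE(review): keyComputation == 1 appears to be the "use requestor entropy" mode, in which no
        // RequestedProofToken is returned — confirm against SAMLTokenIssuerConfig's constants.
        if (keyType.endsWith(RahasConstants.KEY_TYPE_SYMM_KEY) && config.keyComputation != 1) {
            TokenIssuerUtil.handleRequestedProofToken(rahasData, version, config, rstr, token, doc);
        }
        return env;
    }

    /**
     * Resolves the issuer configuration: configuration element first, then configuration file,
     * then the named service parameter of the incoming message context.
     *
     * @throws TrustException expectedParameterMissing if the named parameter is absent or empty,
     *         configurationIsNull if none of the three sources is set
     */
    private SAMLTokenIssuerConfig loadConfig(MessageContext inMsgCtx) throws TrustException {
        if (this.configElement != null) {
            return new SAMLTokenIssuerConfig(this.configElement.getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
        }
        if (this.configFile != null) {
            return new SAMLTokenIssuerConfig(this.configFile);
        }
        if (this.configParamName != null) {
            Parameter param = inMsgCtx.getParameter(this.configParamName);
            if (param == null || param.getParameterElement() == null) {
                throw new TrustException("expectedParameterMissing", new String[]{this.configParamName});
            }
            return new SAMLTokenIssuerConfig(param.getParameterElement().getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG));
        }
        throw new TrustException("configurationIsNull");
    }

    /**
     * Loads the Crypto instance either from the inline crypto element or from the crypto
     * properties file, using the service's class loader to locate resources.
     */
    private static Crypto loadCrypto(SAMLTokenIssuerConfig config, MessageContext inMsgCtx) throws TrustException {
        ClassLoader serviceLoader = inMsgCtx.getAxisService().getClassLoader();
        if (config.cryptoElement != null) {
            return CommonUtil.getCrypto(TrustUtil.toProperties(config.cryptoElement), serviceLoader);
        }
        return CommonUtil.getCrypto(config.cryptoPropertiesFile, serviceLoader);
    }

    /**
     * Creates a bearer assertion for a subject authenticated by a WS-Security UsernameToken.
     *
     * <p>The NameIdentifier is taken from the configured callback handler when one is present
     * (the handler gets the principal name as user id); otherwise an e-mail format identifier
     * is built from the principal name.
     *
     * @param doc unused; kept so both assertion builders share one signature
     * @throws TrustException samlUnsupportedPrincipal if the principal is missing or not a
     *         UsernameToken principal; unableToRetrieveCallbackHandler if the handler fails
     */
    private Assertion createBearerAssertion(SAMLTokenIssuerConfig config, Document doc, Crypto crypto, DateTime creationTime, DateTime expirationTime, RahasData rahasData) throws TrustException {
        Principal principal = rahasData.getPrincipal();
        if (!(principal instanceof WSUsernameTokenPrincipal)) {
            // A null principal previously raised an NPE here instead of the intended TrustException.
            String principalType = principal == null ? "null" : principal.getClass().getName();
            throw new TrustException("samlUnsupportedPrincipal", new String[]{principalType});
        }
        NameIdentifier nameId;
        SAMLCallbackHandler handler = config.getCallbackHandler();
        if (handler != null) {
            SAMLNameIdentifierCallback nameIdCallback = new SAMLNameIdentifierCallback(rahasData);
            nameIdCallback.setUserId(principal.getName());
            try {
                handler.handle(nameIdCallback);
            } catch (SAMLException e) {
                throw new TrustException("unableToRetrieveCallbackHandler", e);
            }
            nameId = nameIdCallback.getNameId();
        } else {
            nameId = SAMLUtils.createNamedIdentifier(principal.getName(), NAMEID_FORMAT_EMAIL);
        }
        return createAuthAssertion(CM_BEARER, nameId, null, config, crypto, creationTime, expirationTime, rahasData);
    }

    /**
     * Creates a holder-of-key assertion. For a public-key request the proof key is the
     * client's certificate; for a symmetric-key request it is an encrypted key addressed to
     * the relying service's certificate.
     */
    private Assertion createHoKAssertion(SAMLTokenIssuerConfig config, Document doc, Crypto crypto, DateTime creationTime, DateTime expirationTime, RahasData rahasData) throws TrustException {
        if (!rahasData.getKeyType().endsWith(RahasConstants.KEY_TYPE_SYMM_KEY)) {
            return createPublicKeyHoKAssertion(config, crypto, creationTime, expirationTime, rahasData);
        }
        return createSymmetricKeyHoKAssertion(config, doc, crypto, creationTime, expirationTime, rahasData);
    }

    /**
     * Holder-of-key assertion whose KeyInfo carries the client certificate: the one presented in
     * the request, or else the keystore entry whose alias is the principal name.
     *
     * @throws TrustException samlAssertionCreationError wrapping any failure (including a
     *         missing principal)
     */
    private Assertion createPublicKeyHoKAssertion(SAMLTokenIssuerConfig config, Crypto crypto, DateTime creationTime, DateTime expirationTime, RahasData rahasData) throws TrustException {
        try {
            String subjectName = rahasData.getPrincipal().getName();
            NameIdentifier nameId = SAMLUtils.createNamedIdentifier(subjectName, NAMEID_FORMAT_EMAIL);
            X509Certificate clientCert = rahasData.getClientCert();
            if (clientCert == null) {
                clientCert = CommonUtil.getCertificateByAlias(crypto, subjectName);
            }
            KeyInfo keyInfo = SAMLUtils.getCertificateBasedKeyInfo(clientCert);
            return createAuthAssertion(CM_HOLDER_OF_KEY, nameId, keyInfo, config, crypto, creationTime, expirationTime, rahasData);
        } catch (Exception e) {
            throw new TrustException("samlAssertionCreationError", e);
        }
    }

    /**
     * Holder-of-key assertion whose KeyInfo carries a symmetric key encrypted for the service
     * certificate selected by the AppliesTo address. The subject may have no NameIdentifier
     * when the request carried no principal.
     *
     * @throws TrustException trustedCertNotFoundForEPR if no service certificate could be
     *         resolved, errorInBuildingTheEncryptedKeyForPrincipal if encryption failed
     */
    private Assertion createSymmetricKeyHoKAssertion(SAMLTokenIssuerConfig config, Document doc, Crypto crypto, DateTime creationTime, DateTime expirationTime, RahasData rahasData) throws TrustException {
        X509Certificate serviceCert = null;
        try {
            NameIdentifier nameId = null;
            if (rahasData.getPrincipal() != null) {
                nameId = SAMLUtils.createNamedIdentifier(rahasData.getPrincipal().getName(), NAMEID_FORMAT_EMAIL);
            }
            serviceCert = getServiceCert(config, crypto, rahasData.getAppliesToAddress());
            int requestedKeySize = rahasData.getKeysize();
            int keySize = requestedKeySize != -1 ? requestedKeySize : config.keySize;
            KeyInfo keyInfo = SAMLUtils.getSymmetricKeyBasedKeyInfo(doc, rahasData, serviceCert, keySize, crypto, config.keyComputation);
            return createAttributeAssertion(rahasData, keyInfo, nameId, config, crypto, creationTime, expirationTime);
        } catch (WSSecurityException e) {
            // A resolved certificate means the failure happened while building the encrypted key.
            if (serviceCert != null) {
                throw new TrustException("errorInBuildingTheEncryptedKeyForPrincipal", new String[]{serviceCert.getSubjectDN().getName()}, e);
            }
            throw new TrustException("trustedCertNotFoundForEPR", new String[]{rahasData.getAppliesToAddress()}, e);
        }
    }

    /**
     * Looks up the certificate of the relying service: the alias mapped to the AppliesTo
     * address in trustedServices, or the "*" alias when the address is absent or unmapped.
     * If neither alias exists the lookup is made with a null alias, as before.
     */
    private X509Certificate getServiceCert(SAMLTokenIssuerConfig config, Crypto crypto, String appliesTo) throws TrustException {
        String alias = null;
        if (appliesTo != null && !appliesTo.isEmpty()) {
            alias = (String) config.trustedServices.get(appliesTo);
        }
        if (alias == null) {
            alias = (String) config.trustedServices.get(WILDCARD_SERVICE);
        }
        return CommonUtil.getCertificateByAlias(crypto, alias);
    }

    /**
     * Signed holder-of-key assertion carrying a single AttributeStatement (used for
     * symmetric-key requests).
     *
     * @throws TrustException the callback-handler error codes from {@link #resolveAttributes},
     *         or samlAssertionCreationError wrapping any other failure
     */
    private Assertion createAttributeAssertion(RahasData rahasData, KeyInfo keyInfo, NameIdentifier nameId, SAMLTokenIssuerConfig config, Crypto crypto, DateTime creationTime, DateTime expirationTime) throws TrustException {
        // Resolved outside the catch-all below so the specific handler error codes reach the caller
        // instead of being re-wrapped as samlAssertionCreationError.
        Attribute[] attributes = resolveAttributes(rahasData, config);
        try {
            Subject subject = SAMLUtils.createSubject(nameId, CM_HOLDER_OF_KEY, keyInfo);
            AttributeStatement attrStmt = SAMLUtils.createAttributeStatement(subject, Arrays.asList(attributes));
            // Raw list: the element type expected by SAMLUtils.createAssertion is not visible here.
            ArrayList statements = new ArrayList();
            statements.add(attrStmt);
            Assertion assertion = SAMLUtils.createAssertion(config.issuerName, creationTime, expirationTime, statements);
            SAMLUtils.signAssertion(assertion, crypto, config.getIssuerKeyAlias(), config.getIssuerKeyPassword());
            return assertion;
        } catch (Exception e) {
            throw new TrustException("samlAssertionCreationError", e);
        }
    }

    /**
     * Signed assertion with an AuthenticationStatement (password method) and, when the request
     * carries a claim dialect and claim element, an AttributeStatement placed before it.
     *
     * @param confirmationMethod subject confirmation method URI (bearer or holder-of-key)
     * @param keyInfo proof key for holder-of-key, null for bearer
     * @throws TrustException callback-handler error codes unchanged, samlAssertionCreationError
     *         wrapping any other failure
     */
    private Assertion createAuthAssertion(String confirmationMethod, NameIdentifier nameId, KeyInfo keyInfo, SAMLTokenIssuerConfig config, Crypto crypto, DateTime creationTime, DateTime expirationTime, RahasData rahasData) throws TrustException {
        try {
            Subject subject = SAMLUtils.createSubject(nameId, confirmationMethod, keyInfo);
            AuthenticationStatement authStmt = SAMLUtils.createAuthenticationStatement(subject, AUTHENTICATION_METHOD_PASSWORD, creationTime);
            // Raw list: the element type expected by SAMLUtils.createAssertion is not visible here.
            ArrayList statements = new ArrayList();
            if (rahasData.getClaimDialect() != null && rahasData.getClaimElem() != null) {
                // The attribute statement gets its own Subject with the same name id, method and key info.
                Subject attrSubject = SAMLUtils.createSubject(subject.getNameIdentifier(), confirmationMethod, keyInfo);
                statements.add(createSAMLAttributeStatement(attrSubject, rahasData, config));
            }
            statements.add(authStmt);
            Assertion assertion = SAMLUtils.createAssertion(config.issuerName, creationTime, expirationTime, statements);
            SAMLUtils.signAssertion(assertion, crypto, config.getIssuerKeyAlias(), config.getIssuerKeyPassword());
            return assertion;
        } catch (TrustException e) {
            // Keep the specific error code rather than burying it under samlAssertionCreationError.
            throw e;
        } catch (Exception e) {
            throw new TrustException("samlAssertionCreationError", e);
        }
    }

    /**
     * Returns the WS-Trust Issue response action for the request's WS-Trust version.
     */
    @Override // org.apache.rahas.TokenIssuer
    public String getResponseAction(RahasData rahasData) throws TrustException {
        return TrustUtil.getActionValue(rahasData.getVersion(), RahasConstants.RSTR_ACTION_ISSUE);
    }

    /**
     * Generates {@code keySizeBits / 8} random bytes from a SecureRandom instance.
     *
     * <p>The division truncates: a size that is not a multiple of 8 yields fewer bits than
     * requested. Sizes below 8 bits used to produce an empty key and are now rejected, since
     * an empty secret must never be handed out.
     *
     * @param keySizeBits requested key size in bits, at least 8
     * @throws TrustException if the size is too small or no SecureRandom is available
     */
    protected byte[] generateEphemeralKey(int keySizeBits) throws TrustException {
        try {
            if (keySizeBits < 8) {
                throw new IllegalArgumentException("ephemeral key size must be at least 8 bits, got " + keySizeBits);
            }
            byte[] key = new byte[keySizeBits / 8];
            SecureRandom.getInstance(RandomSaltGenerator.DEFAULT_SECURE_RANDOM_ALGORITHM).nextBytes(key);
            return key;
        } catch (Exception e) {
            throw new TrustException("Error in creating the ephemeral key", e);
        }
    }

    /** Sets the path of the issuer configuration file (second source tried by {@link #issue}). */
    @Override // org.apache.rahas.TokenIssuer
    public void setConfigurationFile(String configFile) {
        this.configFile = configFile;
    }

    /** Sets the inline configuration element (first source tried by {@link #issue}). */
    @Override // org.apache.rahas.TokenIssuer
    public void setConfigurationElement(OMElement configElement) {
        this.configElement = configElement;
    }

    /** Sets the service parameter name holding the configuration (last source tried by {@link #issue}). */
    @Override // org.apache.rahas.TokenIssuer
    public void setConfigurationParamName(String configParamName) {
        this.configParamName = configParamName;
    }

    /**
     * Builds the AttributeStatement for the given subject from the attributes resolved through
     * the configured callback handler (or the fixed default attribute).
     */
    private AttributeStatement createSAMLAttributeStatement(Subject subject, RahasData rahasData, SAMLTokenIssuerConfig config) throws TrustException {
        Attribute[] attributes = resolveAttributes(rahasData, config);
        return SAMLUtils.createAttributeStatement(subject, Arrays.asList(attributes));
    }

    /**
     * Collects the attributes to put in an AttributeStatement, trying in order: the configured
     * callback handler instance; a handler class named in the configuration and loaded through
     * the service class loader; finally a single fixed attribute.
     *
     * <p>Shared by both attribute-statement builders; previously the same logic was duplicated
     * and its nested try/catch made the cannotLoadPWCBClass branch unreachable.
     *
     * @throws TrustException unableToRetrieveCallbackHandler if a handler fails,
     *         cannotLoadPWCBClass if the named class is not found,
     *         cannotCreatePWCBInstance if it cannot be instantiated
     */
    private static Attribute[] resolveAttributes(RahasData rahasData, SAMLTokenIssuerConfig config) throws TrustException {
        SAMLCallbackHandler handler = config.getCallbackHandler();
        if (handler != null) {
            return invokeAttributeCallback(handler, rahasData);
        }
        String handlerName = config.getCallbackHandlerName();
        if (handlerName == null || handlerName.trim().isEmpty()) {
            return new Attribute[]{SAMLUtils.createAttribute(DEFAULT_ATTR_NAME, DEFAULT_ATTR_NS, DEFAULT_ATTR_VALUE)};
        }
        SAMLCallbackHandler loadedHandler;
        try {
            ClassLoader serviceLoader = rahasData.getInMessageContext().getAxisService().getClassLoader();
            loadedHandler = (SAMLCallbackHandler) Loader.loadClass(serviceLoader, handlerName).newInstance();
        } catch (ClassNotFoundException e) {
            throw new TrustException("cannotLoadPWCBClass", new String[]{handlerName}, e);
        } catch (Exception e) {
            throw new TrustException("cannotCreatePWCBInstance", new String[]{handlerName}, e);
        }
        return invokeAttributeCallback(loadedHandler, rahasData);
    }

    /**
     * Runs one attribute callback through the given handler and returns the attributes it set.
     *
     * @throws TrustException unableToRetrieveCallbackHandler wrapping the handler's SAMLException
     */
    private static Attribute[] invokeAttributeCallback(SAMLCallbackHandler handler, RahasData rahasData) throws TrustException {
        SAMLAttributeCallback callback = new SAMLAttributeCallback(rahasData);
        try {
            handler.handle(callback);
        } catch (SAMLException e) {
            throw new TrustException("unableToRetrieveCallbackHandler", e);
        }
        return callback.getAttributes();
    }
}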
