package com.sun.identity.liberty.ws.security;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.am.util.XMLUtils;
import com.iplanet.services.util.Base64;
import com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
import com.sun.identity.liberty.ws.soapbinding.Message;
import com.sun.identity.saml.assertion.AuthenticationStatement;
import com.sun.identity.saml.assertion.Statement;
import com.sun.identity.saml.assertion.Subject;
import com.sun.identity.saml.common.SAMLConstants;
import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.saml.common.SAMLUtilsCommon;
import com.sun.identity.saml.xmlsig.AMSignatureProvider;
import com.sun.identity.saml.xmlsig.JKSKeyProvider;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml.xmlsig.XMLSignatureException;
import com.sun.identity.saml.xmlsig.XMLSignatureManager;
import com.sun.org.apache.xml.security.exceptions.XMLSecurityException;
import com.sun.org.apache.xml.security.keys.content.keyvalues.DSAKeyValue;
import com.sun.org.apache.xml.security.keys.content.keyvalues.RSAKeyValue;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:120954-02/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/liberty/ws/security/SecurityUtils.class */
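/**
 * Signing and verification helpers for Liberty ID-WSF SOAP messages and the
 * security assertions they carry.
 *
 * <p>All state is static and initialised once from AMConfig: the trusted CA
 * aliases (property {@code com.sun.identity.liberty.ws.trustedca.certaliases})
 * and the keystore / signature manager used to sign and verify.
 */
public class SecurityUtils {
    /** Logger for this class. */
    private static final Debug debug;
    /** Key provider backing {@link #sm}. */
    private static final JKSKeyProvider keys;
    /** Signature provider backing {@link #sm}. */
    private static final AMSignatureProvider asp;
    /** Signs and verifies XML signatures on SOAP messages. */
    private static final XMLSignatureManager sm;
    /** Keystore view obtained from {@link #sm}; used for alias and certificate lookups. */
    private static final KeyProvider keystore;
    /** Not used by this class; retained so the class layout is unchanged. */
    private static SecurityUtils securityManager = null;
    /**
     * AMConfig property listing trusted CA certificate aliases. Entries are
     * separated by {@code |}; an entry is either a bare alias, or
     * {@code alias:issuer}, which additionally maps an assertion issuer to that alias.
     */
    private static final String PROP_TRUSTED_CA_CERT_ALIASES = "com.sun.identity.liberty.ws.trustedca.certaliases";
    /** Keystore aliases whose certificates are trusted to sign security assertions. */
    private static final Set<String> trustedCACertAliases = new HashSet<String>();
    /** Assertion issuer -> trusted CA alias, used when an assertion signature carries no KeyInfo. */
    private static final Map<String, String> issuerTrustedCACertAliases = new HashMap<String, String>();

    /**
     * Signs a SOAP message according to its security profile type.
     *
     * <p>Profile type {@code 1} is signed with the WS-Security X.509 token profile,
     * type {@code 2} with the WS-Security SAML token profile (the numeric values are
     * those used by the original code; confirm them against {@link Message}). Any
     * other type, including {@code 0}, is left unsigned.
     *
     * @param message the message to sign
     * @return the signed document element, or {@code null} when the profile needs
     *         no signature or signing fails (the failure is logged)
     */
    public static Element signMessage(Message message) {
        try {
            Document document = message.toDocument(true);
            int securityProfileType = message.getSecurityProfileType();
            List signingIds = message.getSigningIds();
            if (debug.messageEnabled()) {
                debug.message("Security Type = " + securityProfileType);
            }
            switch (securityProfileType) {
                case 1:
                    return sm.signWithWSSX509TokenProfile(document, message.getMessageCertificate(), "", signingIds);
                case 2: {
                    SecurityAssertion assertion = message.getAssertion();
                    if (assertion == null) {
                        debug.error("SecurityUtils.signMessage: SAML token profile requested but message has no assertion");
                        return null;
                    }
                    return sm.signWithWSSSAMLTokenProfile(document, message.getMessageCertificate(), assertion.getAssertionID(), "", signingIds);
                }
                default:
                    // Profile 0 (and anything unrecognised): nothing to sign.
                    return null;
            }
        } catch (Exception e) {
            debug.error("Unable to sign Soap message!", e);
            return null;
        }
    }

    /**
     * Verifies the signature(s) on an inbound SOAP message.
     *
     * <p>For profile types {@code 2} and {@code 3} the embedded assertion must be
     * signed by a certificate that is in the keystore under a trusted CA alias, or
     * (when its signature has no usable KeyInfo) by an issuer mapped to a trusted CA
     * alias in AMConfig. Then, if the transport supplied a client certificate, it must
     * equal the certificate inside the message. Finally the message signature is
     * verified against the keystore alias of the message certificate.
     *
     * @param message the message to verify
     * @return {@code true} if every applicable check passes; {@code false} otherwise
     *         (the reason is logged). Note that a message without an X.509 token is
     *         reported as verified without any signature check — the caller is expected
     *         to decide whether that is acceptable for the profile in use.
     */
    public static boolean verifyMessage(Message message) {
        try {
            Document document = message.toDocument(false);
            X509Certificate peerCertificate = message.getPeerCertificate();
            X509Certificate messageCertificate = message.getMessageCertificate();
            int securityProfileType = message.getSecurityProfileType();

            if (securityProfileType == 2 || securityProfileType == 3) {
                // Profiles carrying a SAML assertion: the assertion's own signature must
                // chain to a configured trusted CA before the message signature is checked.
                SecurityAssertion assertion = message.getAssertion();
                if (assertion == null || assertion.getSignature() == null) {
                    debug.error("SecurityUtils.verifyMessage: assertion is missing or is not signed");
                    return false;
                }
                String certificateAlias;
                X509Certificate assertionSigningCert = getAssertionSigningCert(assertion);
                if (assertionSigningCert == null) {
                    // No usable KeyInfo: fall back to the issuer -> alias mapping from AMConfig.
                    certificateAlias = issuerTrustedCACertAliases.get(assertion.getIssuer());
                    if (certificateAlias == null) {
                        debug.error("SecurityUtils.verifyMessage: assertion doesn't have keyInfo and issuer is not in com.sun.identity.liberty.ws.trustedca.certalias in AMConfig");
                        return false;
                    }
                } else {
                    // KeyInfo present: the certificate must be in our keystore AND listed as trusted.
                    certificateAlias = keystore.getCertificateAlias(assertionSigningCert);
                    if (certificateAlias == null) {
                        debug.error("SecurityUtils.verifyMessage: assertion is signed with a certificate that  is not in the keystore");
                        return false;
                    }
                    if (!trustedCACertAliases.contains(certificateAlias)) {
                        debug.error("SecurityUtils.verifyMessage: assertion is signed with a certificate that  is in the keystore but not in com.sun.identity.liberty.ws.trustedca.certalias in AMConfig");
                        return false;
                    }
                }
                assertion.setVerifyingCertAlias(certificateAlias);
                if (!assertion.isSignatureValid()) {
                    debug.error("SecurityUtils.verifyMessage: assertion signature invalid");
                    return false;
                }
                if (debug.messageEnabled()) {
                    debug.message("SecurityUtils.verifyMessage: Assertion  signing cert alias = " + certificateAlias);
                }
            }

            // Bind the transport identity to the message identity when both are present.
            if (peerCertificate != null && !peerCertificate.equals(messageCertificate)) {
                debug.error("Client authentication certificate is not the same as the certificate inside the soap message");
                return false;
            }
            if (messageCertificate == null) {
                // No X.509 token in the message: there is no message signature to check here.
                return true;
            }
            String messageCertAlias = keystore.getCertificateAlias(messageCertificate);
            if (messageCertAlias == null && debug.messageEnabled()) {
                // NOTE(review): the alias is passed through as null; confirm how sm treats
                // a certificate that is not in the keystore before relying on this path.
                debug.message("SecurityUtils.verifyMessage: message certificate is not in the keystore");
            }
            return sm.verifyXMLSignature(document, messageCertAlias);
        } catch (Exception e) {
            debug.error("Unable to verify Soap Message!", e);
            return false;
        }
    }

    /**
     * Extracts the certificate carried by a WS-Security binary security token.
     *
     * @param binarySecurityToken token whose value is a base64 DER certificate, or a
     *        PKCS#7 bundle when its value type is {@link BinarySecurityToken#PKCS7}
     * @return the certificate (for PKCS#7, the last one in the bundle), or
     *         {@code null} if the token cannot be parsed (the failure is logged)
     */
    public static Certificate getCertificate(BinarySecurityToken binarySecurityToken) {
        try {
            Object valueType = binarySecurityToken.getValueType();
            boolean pkcs7 = valueType != null && valueType.equals(BinarySecurityToken.PKCS7);
            return parseCertificate(binarySecurityToken.getTokenValue(), pkcs7);
        } catch (Exception e) {
            debug.error("WSSecurityManager:getX509Certificate", e);
            return null;
        }
    }

    /** Unused stub kept from the original class; always returns {@code null}. */
    private SecurityAssertion getAssertion(Document document) {
        return null;
    }

    /**
     * Returns the certificate identified by the KeyInfo of an assertion's
     * authentication statement subject confirmation.
     *
     * @param securityAssertion the assertion to inspect
     * @return the certificate, or {@code null} if the assertion has no authentication
     *         statement, no subject confirmation KeyInfo, or the KeyInfo cannot be
     *         resolved to a certificate (each case is logged)
     */
    public static Certificate getCertificate(SecurityAssertion securityAssertion) {
        if (securityAssertion == null) {
            debug.error("getCertificate: SecurityAssertion is null");
            return null;
        }
        if (debug.messageEnabled()) {
            debug.message("SecurityAssertion = " + securityAssertion.toString());
        }
        try {
            Set statement = securityAssertion.getStatement();
            if (statement == null || statement.isEmpty()) {
                debug.error("Assertion does not contain any Statement.");
                return null;
            }
            Subject subject = null;
            for (Iterator it = statement.iterator(); it.hasNext(); ) {
                Statement candidate = (Statement) it.next();
                // Statement type 1 is the authentication statement in the original code;
                // confirm against the Statement type constants.
                if (candidate.getStatementType() == 1) {
                    subject = ((AuthenticationStatement) candidate).getSubject();
                    break;
                }
            }
            if (subject == null || subject.getSubjectConfirmation() == null) {
                debug.error("Assertion has no AuthenticationStatement with a SubjectConfirmation.");
                return null;
            }
            Element keyInfo = subject.getSubjectConfirmation().getKeyInfo();
            if (keyInfo == null) {
                debug.error("SubjectConfirmation does not contain a KeyInfo.");
                return null;
            }
            return getCertificate(keyInfo);
        } catch (Exception e) {
            debug.error("getCertificate Exception: ", e);
            return null;
        }
    }

    /**
     * Resolves a ds:KeyInfo element to an X.509 certificate.
     *
     * <p>If the KeyInfo contains a ds:X509Certificate, that certificate is parsed
     * directly. Otherwise the KeyInfo's DSA or RSA key value is decoded and the
     * keystore is searched for a certificate holding that public key.
     *
     * @param keyInfo the ds:KeyInfo element
     * @return the certificate, or {@code null} if none can be determined (logged)
     */
    private static X509Certificate getCertificate(Element keyInfo) {
        if (debug.messageEnabled()) {
            debug.message("KeyInfo = " + XMLUtils.print(keyInfo));
        }
        Element certElement = firstDsigElement(keyInfo, SAMLConstants.TAG_X509CERTIFICATE);
        if (certElement != null) {
            String base64Cert = firstChildText(certElement);
            if (base64Cert == null) {
                debug.error("getCertificate: X509Certificate element is empty");
                return null;
            }
            return getCertificate(base64Cert, null);
        }
        try {
            PublicKey publicKey = getPublicKey(keyInfo);
            if (publicKey == null) {
                debug.error("getCertificate: KeyInfo has neither X509Certificate nor a supported KeyValue");
                return null;
            }
            return (X509Certificate) keystore.getCertificate(publicKey);
        } catch (Exception e) {
            debug.error("getCertificate Exception: ", e);
            return null;
        }
    }

    /**
     * Decodes the DSA or RSA key value found under a ds:KeyInfo element.
     *
     * @param keyInfo the ds:KeyInfo element
     * @return the public key, or {@code null} if the KeyInfo carries neither a
     *         DSAKeyValue nor an RSAKeyValue
     * @throws XMLSignatureException if the key value is malformed (unknown child
     *         element, missing or empty component) or cannot be turned into a key
     */
    private static PublicKey getPublicKey(Element keyInfo) throws XMLSignatureException {
        Document ownerDocument = keyInfo.getOwnerDocument();
        Element dsaKeyValue = firstDsigElement(keyInfo, SAMLConstants.TAG_DSAKEYVALUE);
        if (dsaKeyValue != null) {
            return getDSAPublicKey(ownerDocument, dsaKeyValue);
        }
        Element rsaKeyValue = firstDsigElement(keyInfo, SAMLConstants.TAG_RSAKEYVALUE);
        if (rsaKeyValue != null) {
            return getRSAPublicKey(ownerDocument, rsaKeyValue);
        }
        return null;
    }

    /**
     * Builds a DSA public key from a ds:DSAKeyValue element (children P, Q, G, Y).
     *
     * @throws XMLSignatureException on an unexpected child element, a missing
     *         component, or a key-construction failure
     */
    private static PublicKey getDSAPublicKey(Document ownerDocument, Element dsaKeyValue) throws XMLSignatureException {
        BigInteger p = null;
        BigInteger q = null;
        BigInteger g = null;
        BigInteger y = null;
        NodeList children = dsaKeyValue.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            String localName = child.getLocalName();
            BigInteger value = decodeCryptoBinary(child);
            if ("P".equals(localName)) {
                p = value;
            } else if ("Q".equals(localName)) {
                q = value;
            } else if ("G".equals(localName)) {
                g = value;
            } else if ("Y".equals(localName)) {
                y = value;
            } else {
                throw new XMLSignatureException();
            }
        }
        if (p == null || q == null || g == null || y == null) {
            SAMLUtilsCommon.debug.error("DSAKeyValue is missing one of P, Q, G, Y.");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("errorObtainPK"));
        }
        try {
            return new DSAKeyValue(ownerDocument, p, q, g, y).getPublicKey();
        } catch (XMLSecurityException e) {
            SAMLUtilsCommon.debug.error("Could not get Public Key from DSA key value.");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("errorObtainPK"));
        }
    }

    /**
     * Builds an RSA public key from a ds:RSAKeyValue element (children Modulus, Exponent).
     *
     * @throws XMLSignatureException on an unexpected child element, a missing
     *         component, or a key-construction failure
     */
    private static PublicKey getRSAPublicKey(Document ownerDocument, Element rsaKeyValue) throws XMLSignatureException {
        BigInteger modulus = null;
        BigInteger exponent = null;
        NodeList children = rsaKeyValue.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            String localName = child.getLocalName();
            BigInteger value = decodeCryptoBinary(child);
            if ("Modulus".equals(localName)) {
                modulus = value;
            } else if ("Exponent".equals(localName)) {
                exponent = value;
            } else {
                throw new XMLSignatureException();
            }
        }
        if (modulus == null || exponent == null) {
            SAMLUtilsCommon.debug.error("RSAKeyValue is missing Modulus or Exponent.");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("errorObtainPK"));
        }
        try {
            return new RSAKeyValue(ownerDocument, modulus, exponent).getPublicKey();
        } catch (XMLSecurityException e) {
            SAMLUtilsCommon.debug.error("Could not get Public Key from RSA key value.");
            throw new XMLSignatureException(SAMLUtilsCommon.bundle.getString("errorObtainPK"));
        }
    }

    /**
     * Decodes the text of a ds:CryptoBinary element (base64, possibly line-wrapped)
     * into a non-negative integer.
     *
     * <p>CryptoBinary is an unsigned big-endian octet string, so the bytes are read
     * with an explicit positive signum. Reading them as a signed two's-complement
     * value would turn any component whose top bit is set (e.g. every RSA modulus)
     * into a negative number.
     *
     * @throws XMLSignatureException if the element has no text content
     */
    private static BigInteger decodeCryptoBinary(Node element) throws XMLSignatureException {
        String text = firstChildText(element);
        if (text == null) {
            throw new XMLSignatureException();
        }
        return new BigInteger(1, Base64.decode(SAMLUtils.removeNewLineChars(text)));
    }

    /**
     * Parses a base64 certificate string taken from an assertion.
     *
     * @param base64Cert base64 DER text without PEM markers
     * @param valueType  token value type; {@code "wsse:PKCS7"} selects PKCS#7 parsing,
     *                   anything else (including {@code null}) single-certificate parsing
     * @return the certificate, or {@code null} on any parse failure (logged)
     */
    private static X509Certificate getCertificate(String base64Cert, String valueType) {
        try {
            if (SAMLUtilsCommon.debug.messageEnabled()) {
                SAMLUtilsCommon.debug.message("getCertificate(Assertion) : " + base64Cert);
            }
            boolean pkcs7 = "wsse:PKCS7".equals(valueType);
            return (X509Certificate) parseCertificate(base64Cert, pkcs7);
        } catch (Exception e) {
            SAMLUtilsCommon.debug.error("getCertificate Exception: ", e);
            return null;
        }
    }

    /**
     * Parses a base64 DER certificate (or PKCS#7 bundle) by wrapping it in PEM
     * markers and handing it to the X.509 {@link CertificateFactory}.
     *
     * <p>Both parsing modes return the <em>last</em> certificate produced, as the
     * original implementation did.
     *
     * @param base64Cert base64 text of the certificate, without PEM markers
     * @param pkcs7      whether the value is a PKCS#7 bundle
     * @return the parsed certificate, or {@code null} if {@code base64Cert} is
     *         {@code null} or empty
     * @throws CertificateException if the bytes cannot be parsed as X.509
     */
    private static Certificate parseCertificate(String base64Cert, boolean pkcs7) throws CertificateException {
        if (base64Cert == null || base64Cert.length() == 0) {
            return null;
        }
        String pem = "-----BEGIN CERTIFICATE-----\n" + base64Cert + "\n-----END CERTIFICATE-----";
        // PEM is ASCII text; fix the charset instead of depending on the platform default.
        byte[] bytes = pem.getBytes(Charset.forName("UTF-8"));
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream in = new ByteArrayInputStream(bytes);
        Certificate certificate = null;
        if (pkcs7) {
            for (Certificate parsed : certificateFactory.generateCertificates(in)) {
                certificate = parsed;
            }
        } else {
            while (in.available() > 0) {
                certificate = certificateFactory.generateCertificate(in);
            }
        }
        return certificate;
    }

    /**
     * Returns the certificate identified by the KeyInfo of an assertion's signature.
     *
     * @param securityAssertion a <em>signed</em> assertion ({@code getSignature()} non-null)
     * @return the certificate, or {@code null} if the signature has no KeyInfo or the
     *         KeyInfo cannot be resolved
     */
    private static X509Certificate getAssertionSigningCert(SecurityAssertion securityAssertion) {
        Element keyInfo = (Element) securityAssertion.getSignature().getElementsByTagNameNS(SAMLConstants.XMLSIG_NAMESPACE_URI, "KeyInfo").item(0);
        if (keyInfo == null) {
            return null;
        }
        return getCertificate(keyInfo);
    }

    /** Returns the first descendant of {@code parent} with the given XML-DSig local name, or {@code null}. */
    private static Element firstDsigElement(Element parent, String localName) {
        return (Element) parent.getElementsByTagNameNS(SAMLConstants.XMLSIG_NAMESPACE_URI, localName).item(0);
    }

    /** Returns the node value of {@code node}'s first child, or {@code null} if it has none. */
    private static String firstChildText(Node node) {
        Node first = node.getFirstChild();
        return first == null ? null : first.getNodeValue();
    }

    /**
     * Parses the trusted CA alias configuration into {@link #trustedCACertAliases}
     * and {@link #issuerTrustedCACertAliases}.
     *
     * @param config the raw property value, {@code |}-separated entries of
     *               {@code alias} or {@code alias:issuer}; {@code null} means none
     */
    private static void loadTrustedCACertAliases(String config) {
        if (config == null) {
            return;
        }
        StringTokenizer tokens = new StringTokenizer(config, "|");
        while (tokens.hasMoreTokens()) {
            String entry = tokens.nextToken().trim();
            if (entry.length() == 0) {
                continue;
            }
            int colon = entry.indexOf(':');
            if (colon == -1) {
                addTrustedCACertAlias(entry);
                continue;
            }
            String alias = entry.substring(0, colon).trim();
            if (alias.length() == 0) {
                continue;
            }
            addTrustedCACertAlias(alias);
            String issuer = entry.substring(colon + 1).trim();
            if (issuer.length() > 0) {
                issuerTrustedCACertAliases.put(issuer, alias);
                if (debug.messageEnabled()) {
                    debug.message("SecurityUtils.static: add [" + issuer + ", " + alias + "] to issuerTrustedCACertAliases");
                }
            }
        }
    }

    /** Records {@code alias} as trusted to sign assertions. */
    private static void addTrustedCACertAlias(String alias) {
        trustedCACertAliases.add(alias);
        if (debug.messageEnabled()) {
            debug.message("SecurityUtils.static: add " + alias + " to trustedCACertAliases");
        }
    }

    static {
        // The logger must exist before the alias configuration is parsed, which logs.
        debug = Debug.getInstance("amWSSecurity");
        String config = SystemProperties.get(PROP_TRUSTED_CA_CERT_ALIASES);
        if (debug.messageEnabled()) {
            debug.message("SecurityUtils.static: trusted ca certaliases = " + config);
        }
        loadTrustedCACertAliases(config);
        keys = new JKSKeyProvider();
        asp = new AMSignatureProvider();
        sm = XMLSignatureManager.getInstance(keys, asp);
        keystore = sm.getKeyProvider();
    }
}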
