package at.gv.egovernment.moa.id.config.webgui.validation.utils;

import at.gv.egovernment.moa.id.config.webgui.exception.SignatureValidationException;
import at.gv.egovernment.moa.logging.Logger;
import java.util.Iterator;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataFilter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:at/gv/egovernment/moa/id/config/webgui/validation/utils/MetaDataVerificationFilter.class */
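/**
 * OpenSAML {@link MetadataFilter} that enforces XML-signature verification on
 * loaded SAML2 metadata against a single, pre-configured credential.
 *
 * <p>Contract as implemented here:
 * <ul>
 *   <li>The root element ({@link EntitiesDescriptor} or {@link EntityDescriptor})
 *       must carry a signature, otherwise the metadata is rejected.</li>
 *   <li>Every descriptor that carries a signature is verified against the
 *       configured credential; a nested descriptor without its own signature is
 *       accepted without a separate check.</li>
 *   <li>Objects of any other type pass through the filter untouched.</li>
 * </ul>
 */
public class MetaDataVerificationFilter implements MetadataFilter {
    /** Credential (public key / certificate) every signature is verified against. */
    BasicX509Credential credential;

    /**
     * @param basicX509Credential the trust anchor used for all signature checks
     */
    public MetaDataVerificationFilter(BasicX509Credential basicX509Credential) {
        this.credential = basicX509Credential;
    }

    /**
     * Verifies the signatures of the given metadata object.
     *
     * @param xMLObject the parsed metadata root
     * @throws SignatureValidationException if the root is unsigned or any
     *         signature fails to verify; the underlying failure is kept as cause
     */
    public void doFilter(XMLObject xMLObject) throws SignatureValidationException {
        if (xMLObject instanceof EntitiesDescriptor) {
            EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) xMLObject;
            if (entitiesDescriptor.getSignature() == null) {
                throw new SignatureValidationException("Root element of metadata file has to be signed");
            }
            try {
                processEntitiesDescriptor(entitiesDescriptor);
            } catch (SignatureValidationException e) {
                // Keep the original exception as cause so the real reason
                // (profile violation vs. bad signature value) is not lost.
                throw new SignatureValidationException("Invalid signature element in EntitiesDescriptor", e);
            }
        }
        if (xMLObject instanceof EntityDescriptor) {
            try {
                EntityDescriptor entityDescriptor = (EntityDescriptor) xMLObject;
                if (entityDescriptor.getSignature() == null) {
                    throw new SignatureValidationException("Root element of metadata file has to be signed", null);
                }
                verify(entityDescriptor, this.credential);
            } catch (SignatureValidationException e2) {
                // Same reasoning as above: preserve the cause chain.
                throw new SignatureValidationException("Invalid signature element in EntityDescriptor", e2);
            }
        }
    }

    /**
     * Recursively verifies a (possibly nested) {@link EntitiesDescriptor}.
     *
     * <p>A descriptor is only checked when it carries its own signature; nested
     * descriptors without a signature are walked but not verified themselves.
     *
     * @param entitiesDescriptor the descriptor to walk
     * @throws SignatureValidationException if any present signature fails
     */
    private void processEntitiesDescriptor(EntitiesDescriptor entitiesDescriptor) throws SignatureValidationException {
        if (entitiesDescriptor.getSignature() != null) {
            verify(entitiesDescriptor, this.credential);
        }
        for (EntitiesDescriptor nested : entitiesDescriptor.getEntitiesDescriptors()) {
            processEntitiesDescriptor(nested);
        }
        for (EntityDescriptor entityDescriptor : entitiesDescriptor.getEntityDescriptors()) {
            if (entityDescriptor.getSignature() != null) {
                verify(entityDescriptor, this.credential);
            }
        }
    }

    /**
     * Verifies the signature of a single signed SAML object.
     *
     * <p>Two checks run in order: the SAML signature profile check (structure of
     * the {@code ds:Signature} element) and the cryptographic check against
     * {@code credential}. Both must pass.
     *
     * @param signableSAMLObject the signed object
     * @param credential         the trust anchor to verify against
     * @throws SignatureValidationException if the object is unsigned or either
     *         check fails; the {@link ValidationException} is kept as cause
     */
    private void verify(SignableSAMLObject signableSAMLObject, Credential credential) throws SignatureValidationException {
        if (signableSAMLObject.getSignature() == null) {
            throw new SignatureValidationException("PVP2X Metadata not signed");
        }
        // Profile check first: rejects signature elements that do not follow
        // the SAML signature profile before any key material is touched.
        try {
            new SAMLSignatureProfileValidator().validate(signableSAMLObject.getSignature());
        } catch (ValidationException e2) {
            Logger.error("Failed to validate Signature", e2);
            throw new SignatureValidationException("Failed to validate Signature", e2);
        }
        // Cryptographic verification against the configured credential.
        try {
            new SignatureValidator(credential).validate(signableSAMLObject.getSignature());
        } catch (ValidationException e) {
            Logger.error("Failed to verfiy Signature", e);
            throw new SignatureValidationException("Failed to verfiy Signature", e);
        }
    }
}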
