package at.gv.egovernment.moa.id.auth.modules.eidas.config;

import at.gv.egovernment.moa.id.auth.modules.eidas.Constants;
import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAWhiteListConfigurator;
import at.gv.egovernment.moa.logging.Logger;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.sun.istack.Nullable;
import eu.eidas.auth.commons.EidasErrorKey;
import eu.eidas.auth.engine.configuration.SamlEngineConfigurationException;
import eu.eidas.auth.engine.configuration.dom.ConfigurationAdapter;
import eu.eidas.auth.engine.configuration.dom.ConfigurationEntry;
import eu.eidas.auth.engine.configuration.dom.ConfigurationKey;
import eu.eidas.auth.engine.configuration.dom.InstanceEntry;
import eu.eidas.auth.engine.configuration.dom.KeyStoreSignatureConfigurator;
import eu.eidas.auth.engine.configuration.dom.SignatureConfiguration;
import eu.eidas.auth.engine.core.ProtocolSignerI;
import eu.eidas.auth.engine.core.impl.BouncyCastleBootstrap;
import eu.eidas.auth.engine.core.impl.CertificateValidator;
import eu.eidas.auth.engine.metadata.MetadataSignerI;
import eu.eidas.auth.engine.xml.opensaml.CertificateUtil;
import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
import eu.eidas.samlengineconfig.CertificateConfigurationManager;
import eu.eidas.util.Preconditions;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.opensaml.Configuration;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAExtendedSWSigner.class */
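/**
 * Keystore-backed software signer for the MOA-ID eIDAS module.
 *
 * <p>Signs SAML protocol messages ({@link #sign(SignableXMLObject)}) and SAML
 * metadata ({@link #signMetadata(SignableXMLObject)}) with key material loaded
 * through {@link KeyStoreSignatureConfigurator}, and verifies XML signatures on
 * incoming objects against a list of trusted X.509 credentials.
 *
 * <p>Verification is fail-closed and checks, in this order:
 * <ol>
 *   <li>the signature conforms to the SAML signature profile
 *       ({@link SAMLSignatureProfileValidator}),</li>
 *   <li>the {@code ds:SignatureMethod} algorithm is on the instance whitelist,</li>
 *   <li>every {@code ds:DigestMethod} below the signature is a digest this class
 *       itself produces (SHA-2 family / RIPEMD-160) &mdash; SHA-1 and MD5 reference
 *       digests are rejected even if the signature method itself is acceptable,</li>
 *   <li>the certificate carried in {@code ds:KeyInfo} is trusted, within its
 *       validity period (if enabled) and not self-signed (if disallowed),</li>
 *   <li>the cryptographic signature value verifies under that certificate.</li>
 * </ol>
 *
 * <p>All fields are {@code final}; the instance holds no mutable state of its own.
 */
public class MOAExtendedSWSigner implements ProtocolSignerI, MetadataSignerI {

    /** Signature algorithm used when the configuration names none. */
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";

    /** Reference digest used when {@link #validateDigestAlgorithm(String)} is given a blank algorithm. */
    private static final String DEFAULT_DIGEST_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#sha512";

    /** Signature algorithms this signer is willing to produce (checked at configuration time). */
    private static final ImmutableSet<String> ALLOWED_ALGORITHMS_FOR_SIGNING;

    /**
     * Upper bound on what a deployment may whitelist for verification. Deliberately wider than
     * the signing set: it still contains RSA-PSS with SHA-1/SHA-224 and RSA/RIPEMD-160 for
     * legacy peers, but those only become effective if the deployment whitelists them.
     */
    private static final ImmutableSet<String> ALLOWED_ALGORITHMS_FOR_VERIFYING;

    /** Verification whitelist applied when the deployment configures none: SHA-2 family only. */
    private static final ImmutableSet<String> DEFAULT_ALGORITHM_WHITE_LIST;

    /** Signature algorithm URI -&gt; digest algorithm URI used for the {@code ds:Reference} when signing. */
    private static final ImmutableMap<String, String> SIGNATURE_TO_DIGEST_ALGORITHM_MAP;

    /**
     * Reference digest algorithms accepted on verification. Derived from
     * {@link #SIGNATURE_TO_DIGEST_ALGORITHM_MAP} so the set is exactly the digests this
     * class produces itself; anything weaker (SHA-1, MD5) is refused.
     */
    private static final ImmutableSet<String> ALLOWED_DIGEST_ALGORITHMS_FOR_VERIFYING;

    /** Whether the validity period of signing certificates is enforced (passed to {@link CertificateValidator}). */
    private final boolean checkedValidityPeriod;

    /** Whether self-signed signing certificates are refused (passed to {@link CertificateValidator}). */
    private final boolean disallowedSelfSignedCertificate;

    /** Configuration flag exposed to callers via {@link #isResponseSignAssertions()}; not used by this class itself. */
    private final boolean responseSignAssertions;

    /** Effective signature-algorithm whitelist for verification, see {@link MOAWhiteListConfigurator}. */
    private final ImmutableSet<String> signatureAlgorithmWhiteList;

    /** Private key + certificate used by {@link #sign(SignableXMLObject)}. */
    private final X509Credential privateSigningCredential;

    /** Certificate-only view of {@link #privateSigningCredential}. */
    private final X509Credential publicSigningCredential;

    /** Private key + certificate used by {@link #signMetadata(SignableXMLObject)}; {@code null} if not configured. */
    private final X509Credential privateMetadataSigningCredential;

    /** Certificate-only view of {@link #privateMetadataSigningCredential}; {@code null} if not configured. */
    private final X509Credential publicMetadataSigningCredential;

    /** Trust anchors used when a caller does not supply its own certificates. */
    private final ImmutableList<X509Credential> trustedCredentials;

    /** Signature algorithm URI used when signing. */
    private final String signatureAlgorithm;

    /**
     * Builds a signer from raw signature-configuration properties.
     *
     * @param properties  the {@code SignatureConf} properties (keystore paths, aliases, passwords, ...)
     * @param defaultPath ignored &mdash; the configurator is always invoked with a {@code null} default
     *                    path. NOTE(review): this mirrors the shipped behaviour; confirm that no caller
     *                    relies on the path being used for relative keystore locations.
     * @throws SamlEngineConfigurationException if the properties are incomplete or name disallowed algorithms
     */
    public MOAExtendedSWSigner(Map<String, String> properties, String defaultPath) throws SamlEngineConfigurationException {
        this(new KeyStoreSignatureConfigurator().getSignatureConfiguration(properties, (String) null));
    }

    /**
     * Builds a signer from the SAML engine configuration for the {@link Constants#eIDAS_SAML_ENGINE_NAME}
     * instance, using its {@link ConfigurationKey#SIGNATURE_CONFIGURATION} entry.
     *
     * @param certificateConfigurationManager the engine configuration to adapt
     * @throws SamlEngineConfigurationException if the instance or its signature entry is missing,
     *                                          or the entry is invalid
     */
    public MOAExtendedSWSigner(CertificateConfigurationManager certificateConfigurationManager) throws SamlEngineConfigurationException {
        this(new KeyStoreSignatureConfigurator().getSignatureConfiguration(
                signatureParameters(certificateConfigurationManager), (String) null));
    }

    /**
     * Extracts the signature-configuration parameters of the eIDAS engine instance.
     *
     * @param certificateConfigurationManager the engine configuration to adapt
     * @return the parameter map of the {@code SignatureConf} entry
     * @throws SamlEngineConfigurationException if the instance or the entry cannot be found
     *                                          (the original code failed with a {@code NullPointerException} here)
     */
    private static Map<String, String> signatureParameters(CertificateConfigurationManager certificateConfigurationManager)
            throws SamlEngineConfigurationException {
        InstanceEntry instance = (InstanceEntry) ConfigurationAdapter.adapt(certificateConfigurationManager)
                .getInstances().get(Constants.eIDAS_SAML_ENGINE_NAME);
        if (instance == null) {
            String message = "SAML engine instance \"" + Constants.eIDAS_SAML_ENGINE_NAME + "\" is not configured";
            Logger.error(message);
            throw new SamlEngineConfigurationException(message);
        }
        ConfigurationEntry entry = (ConfigurationEntry) instance.getConfigurationEntries()
                .get(ConfigurationKey.SIGNATURE_CONFIGURATION.getKey());
        if (entry == null) {
            String message = "SAML engine instance \"" + Constants.eIDAS_SAML_ENGINE_NAME
                    + "\" has no \"" + ConfigurationKey.SIGNATURE_CONFIGURATION.getKey() + "\" entry";
            Logger.error(message);
            throw new SamlEngineConfigurationException(message);
        }
        return entry.getParameters();
    }

    /**
     * Builds a signer from an already-parsed {@link SignatureConfiguration}.
     *
     * @param signatureConfiguration the parsed configuration
     * @throws SamlEngineConfigurationException if the configured signing algorithm is not allowed
     */
    protected MOAExtendedSWSigner(SignatureConfiguration signatureConfiguration) throws SamlEngineConfigurationException {
        this(signatureConfiguration.isCheckedValidityPeriod(),
             signatureConfiguration.isDisallowedSelfSignedCertificate(),
             signatureConfiguration.isResponseSignAssertions(),
             signatureConfiguration.getSignatureKeyAndCertificate(),
             signatureConfiguration.getTrustedCertificates(),
             signatureConfiguration.getSignatureAlgorithm(),
             signatureConfiguration.getSignatureAlgorithmWhiteList(),
             signatureConfiguration.getMetadataSigningKeyAndCertificate());
    }

    /**
     * Full constructor.
     *
     * @param checkedValidityPeriod           enforce certificate validity periods
     * @param disallowedSelfSignedCertificate refuse self-signed signing certificates
     * @param responseSignAssertions          whether assertions inside responses are to be signed (exposed only)
     * @param signatureKeyAndCertificate      signing key; must not be {@code null}
     * @param trustedCertificates             trust anchors for verification; must not be {@code null}
     * @param signatureAlgorithmUri           signing algorithm URI, or blank for {@link #DEFAULT_SIGNATURE_ALGORITHM}
     * @param signatureAlgorithmWhiteList     configured verification whitelist, interpreted by
     *                                        {@link MOAWhiteListConfigurator#getAllowedAlgorithms}
     *                                        (semantics of that helper are not visible here; presumably the
     *                                        configured list is bounded by {@link #ALLOWED_ALGORITHMS_FOR_VERIFYING}
     *                                        and falls back to {@link #DEFAULT_ALGORITHM_WHITE_LIST})
     * @param metadataSigningKeyAndCertificate optional metadata signing key; {@code null} disables metadata signing
     * @throws SamlEngineConfigurationException if {@code signatureAlgorithmUri} is not an allowed signing algorithm
     */
    protected MOAExtendedSWSigner(boolean checkedValidityPeriod,
                                  boolean disallowedSelfSignedCertificate,
                                  boolean responseSignAssertions,
                                  KeyStore.PrivateKeyEntry signatureKeyAndCertificate,
                                  ImmutableSet<X509Certificate> trustedCertificates,
                                  String signatureAlgorithmUri,
                                  String signatureAlgorithmWhiteList,
                                  KeyStore.PrivateKeyEntry metadataSigningKeyAndCertificate) throws SamlEngineConfigurationException {
        Preconditions.checkNotNull(signatureKeyAndCertificate, "signatureKeyAndCertificate");
        Preconditions.checkNotNull(trustedCertificates, "trustedCertificates");
        // validateSigningAlgorithm() already maps a blank value to the default.
        this.signatureAlgorithm = validateSigningAlgorithm(signatureAlgorithmUri);
        this.signatureAlgorithmWhiteList = MOAWhiteListConfigurator.getAllowedAlgorithms(
                DEFAULT_ALGORITHM_WHITE_LIST, ALLOWED_ALGORITHMS_FOR_VERIFYING, signatureAlgorithmWhiteList);
        this.checkedValidityPeriod = checkedValidityPeriod;
        this.disallowedSelfSignedCertificate = disallowedSelfSignedCertificate;
        this.responseSignAssertions = responseSignAssertions;
        this.trustedCredentials = CertificateUtil.getListOfCredential(trustedCertificates);
        this.privateSigningCredential = CertificateUtil.createCredential(signatureKeyAndCertificate);
        this.publicSigningCredential = CertificateUtil.toCredential((X509Certificate) signatureKeyAndCertificate.getCertificate());
        if (metadataSigningKeyAndCertificate == null) {
            this.privateMetadataSigningCredential = null;
            this.publicMetadataSigningCredential = null;
        } else {
            this.privateMetadataSigningCredential = CertificateUtil.createCredential(metadataSigningKeyAndCertificate);
            this.publicMetadataSigningCredential = CertificateUtil.toCredential((X509Certificate) metadataSigningKeyAndCertificate.getCertificate());
        }
    }

    /**
     * Extracts the X.509 certificate carried in the signature's {@code ds:KeyInfo}.
     *
     * @param signature the signature to read
     * @return the embedded certificate
     * @throws EIDASSAMLEngineException if no usable certificate is present
     */
    private static X509Certificate getSignatureCertificate(Signature signature) throws EIDASSAMLEngineException {
        return CertificateUtil.toCertificate(signature.getKeyInfo());
    }

    /**
     * Maps a signature algorithm URI to the reference digest algorithm to use with it.
     *
     * @param signingAlgorithmUri signature algorithm URI; blank yields {@link #DEFAULT_DIGEST_ALGORITHM}
     * @return the digest algorithm URI
     * @throws SamlEngineConfigurationException if the signature algorithm has no registered digest
     */
    public static String validateDigestAlgorithm(String signingAlgorithmUri) throws SamlEngineConfigurationException {
        if (StringUtils.isBlank(signingAlgorithmUri)) {
            return DEFAULT_DIGEST_ALGORITHM;
        }
        String digestAlgorithmUri = SIGNATURE_TO_DIGEST_ALGORITHM_MAP.get(signingAlgorithmUri.trim());
        if (digestAlgorithmUri == null) {
            String message = "Signing algorithm \"" + signingAlgorithmUri + "\" does not contain an allowed digest algorithm";
            Logger.error(message);
            throw new SamlEngineConfigurationException(message);
        }
        return digestAlgorithmUri;
    }

    /**
     * Validates a configured signing algorithm against {@link #ALLOWED_ALGORITHMS_FOR_SIGNING}.
     *
     * @param signingAlgorithmUri signature algorithm URI; {@code null} or blank yields {@link #DEFAULT_SIGNATURE_ALGORITHM}
     * @return the trimmed algorithm URI
     * @throws SamlEngineConfigurationException if the algorithm is not allowed for signing
     */
    public static String validateSigningAlgorithm(@Nullable String signingAlgorithmUri) throws SamlEngineConfigurationException {
        if (StringUtils.isBlank(signingAlgorithmUri)) {
            return DEFAULT_SIGNATURE_ALGORITHM;
        }
        String trimmed = signingAlgorithmUri.trim();
        if (!ALLOWED_ALGORITHMS_FOR_SIGNING.contains(trimmed)) {
            String message = "Signing algorithm \"" + signingAlgorithmUri + "\" is not allowed";
            Logger.error(message);
            throw new SamlEngineConfigurationException(message);
        }
        return trimmed;
    }

    /**
     * Applies the self-signed-certificate policy to {@code certificate}.
     *
     * @throws EIDASSAMLEngineException if the certificate is self-signed and that is disallowed
     */
    protected void checkCertificateIssuer(X509Certificate certificate) throws EIDASSAMLEngineException {
        CertificateValidator.checkCertificateIssuer(this.disallowedSelfSignedCertificate, certificate);
    }

    /**
     * Applies the validity-period policy to {@code certificate}.
     *
     * @throws EIDASSAMLEngineException if the check is enabled and the certificate is not currently valid
     */
    protected void checkCertificateValidityPeriod(X509Certificate certificate) throws EIDASSAMLEngineException {
        CertificateValidator.checkCertificateValidityPeriod(this.checkedValidityPeriod, certificate);
    }

    /**
     * Builds an (unsigned) OpenSAML {@link Signature} for {@code credential}: configured signature
     * algorithm, exclusive C14N, and a KeyInfo generated by the global default KeyInfo generator.
     * The signing certificate is subjected to the same validity/issuer policy as peer certificates.
     *
     * @param credential the signing credential
     * @return a signature object ready to be attached to a {@link SignableXMLObject}
     * @throws EIDASSAMLEngineException if the certificate fails policy or KeyInfo generation fails
     */
    protected Signature createSignature(X509Credential credential) throws EIDASSAMLEngineException {
        checkCertificateValidityPeriod(credential.getEntityCertificate());
        checkCertificateIssuer(credential.getEntityCertificate());
        try {
            Logger.trace("Creating an OpenSAML signature object");
            Signature signature = (Signature) Configuration.getBuilderFactory()
                    .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
                    .buildObject(Signature.DEFAULT_ELEMENT_NAME);
            signature.setSigningCredential(credential);
            signature.setSignatureAlgorithm(getSignatureAlgorithm());
            signature.setKeyInfo(Configuration.getGlobalSecurityConfiguration()
                    .getKeyInfoGeneratorManager()
                    .getDefaultManager()
                    .getFactory(credential)
                    .newInstance()
                    .generate(credential));
            signature.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
            return signature;
        } catch (SecurityException e) {
            Logger.error("ERROR : Security exception: " + e, e);
            throw new EIDASSAMLEngineException(e);
        }
    }

    /** @return the metadata signing certificate as a credential, or {@code null} if metadata signing is not configured */
    public X509Credential getPublicMetadataSigningCredential() {
        return this.publicMetadataSigningCredential;
    }

    /** @return the protocol signing certificate as a credential */
    public X509Credential getPublicSigningCredential() {
        return this.publicSigningCredential;
    }

    /** @return the signature algorithm URI used for signing */
    protected String getSignatureAlgorithm() {
        return this.signatureAlgorithm;
    }

    /** @return the effective signature-algorithm whitelist for verification */
    protected ImmutableSet<String> getSignatureAlgorithmWhiteList() {
        return this.signatureAlgorithmWhiteList;
    }

    /**
     * Resolves the verification credential for {@code signature}: the certificate from its KeyInfo,
     * which must be trusted with respect to {@code trustedCredentials} and pass the validity-period and
     * issuer policy. Trust is checked first so that policy errors are only reported for trusted peers.
     *
     * @param signature          the signature whose KeyInfo names the signer
     * @param trustedCredentials trust anchors
     * @return the credential to verify the signature value with
     * @throws EIDASSAMLEngineException if the certificate is missing, untrusted or fails policy
     */
    private X509Credential getTrustedCertificate(Signature signature, List<? extends Credential> trustedCredentials) throws EIDASSAMLEngineException {
        X509Certificate signerCertificate = getSignatureCertificate(signature);
        X509Credential signerCredential = CertificateUtil.toCredential(signerCertificate);
        CertificateUtil.checkTrust(signerCredential, trustedCredentials);
        checkCertificateValidityPeriod(signerCertificate);
        checkCertificateIssuer(signerCertificate);
        return signerCredential;
    }

    /** @return the engine-wide trust anchors */
    protected ImmutableList<X509Credential> getTrustedCredentials() {
        return this.trustedCredentials;
    }

    /**
     * @param algorithmUri signature algorithm URI from an incoming signature
     * @return whether it is on the instance whitelist (blank never is)
     */
    private boolean isAlgorithmAllowedForVerifying(String algorithmUri) {
        if (StringUtils.isBlank(algorithmUri)) {
            return false;
        }
        return getSignatureAlgorithmWhiteList().contains(algorithmUri.trim());
    }

    /**
     * @param digestAlgorithmUri digest algorithm URI from a {@code ds:DigestMethod}
     * @return whether it is one of the digests this class itself produces (blank never is)
     */
    private boolean isDigestAlgorithmAllowedForVerifying(String digestAlgorithmUri) {
        if (StringUtils.isBlank(digestAlgorithmUri)) {
            return false;
        }
        return ALLOWED_DIGEST_ALGORITHMS_FOR_VERIFYING.contains(digestAlgorithmUri.trim());
    }

    /**
     * Signs {@code object} with the protocol signing key.
     *
     * @return the same object, now carrying a signature
     * @throws EIDASSAMLEngineException on marshalling or signing failure
     */
    public <T extends SignableXMLObject> T sign(T object) throws EIDASSAMLEngineException {
        return sign(object, this.privateSigningCredential);
    }

    /**
     * Signs {@code object} with {@code credential}: attaches a fresh {@link Signature}, sets the
     * reference digest derived from the configured signature algorithm, marshals and signs.
     *
     * @param object     the object to sign
     * @param credential the signing credential
     * @return the same object, now carrying a signature
     * @throws EIDASSAMLEngineException on marshalling or signing failure
     */
    protected <T extends SignableXMLObject> T sign(T object, X509Credential credential) throws EIDASSAMLEngineException {
        Logger.trace("Start Sign process.");
        try {
            Signature signature = createSignature(credential);
            object.setSignature(signature);
            String digestAlgorithm = validateDigestAlgorithm(getSignatureAlgorithm());
            // setSignature() registers one content reference for the object itself; only that
            // first reference's digest is configured, as in the upstream eIDAS signer.
            List<?> contentReferences = signature.getContentReferences();
            if (CollectionUtils.isNotEmpty(contentReferences)) {
                ((SAMLObjectContentReference) contentReferences.get(0)).setDigestAlgorithm(digestAlgorithm);
            } else {
                Logger.error("Unable to set DigestMethodAlgorithm - algorithm " + digestAlgorithm + " not set");
            }
            Logger.trace("Marshall samlToken.");
            Configuration.getMarshallerFactory().getMarshaller(object).marshall(object);
            Logger.trace("Sign samlToken.");
            Signer.signObject(signature);
            return object;
        } catch (MarshallingException e) {
            Logger.error("ERROR : MarshallingException: " + e, e);
            throw new EIDASSAMLEngineException(e);
        } catch (SignatureException e) {
            Logger.error("ERROR : Signature exception: " + e, e);
            throw new EIDASSAMLEngineException(e);
        }
    }

    /**
     * Signs {@code object} with the metadata signing key.
     *
     * @return the same object, now carrying a signature
     * @throws SamlEngineConfigurationException if no metadata signing key is configured
     * @throws EIDASSAMLEngineException         on marshalling or signing failure
     */
    public <T extends SignableXMLObject> T signMetadata(T object) throws EIDASSAMLEngineException {
        if (this.privateMetadataSigningCredential == null) {
            throw new SamlEngineConfigurationException("No metadataSigningCredential configured");
        }
        return sign(object, this.privateMetadataSigningCredential);
    }

    /**
     * Verifies a metadata signature against the engine-wide trust anchors.
     *
     * @return {@code object} unchanged
     * @throws EIDASSAMLEngineException if the signature is invalid, untrusted or uses a disallowed algorithm
     */
    public <T extends SignableXMLObject> T validateMetadataSignature(T object) throws EIDASSAMLEngineException {
        return validateSignature(object, null);
    }

    /**
     * Checks that the signature follows the SAML signature profile (single same-document reference,
     * enveloped transform, ...), which is what defends against signature-wrapping attacks.
     *
     * @throws EIDASSAMLEngineException if the profile is violated
     */
    private SAMLSignatureProfileValidator validateSamlSignatureStructure(SignableXMLObject object) throws EIDASSAMLEngineException {
        SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
        try {
            profileValidator.validate(object.getSignature());
        } catch (ValidationException e) {
            Logger.error("ERROR : ValidationException: signature isn't conform to SAML Signature profile: " + e, e);
            throw new EIDASSAMLEngineException(e);
        }
        return profileValidator;
    }

    /**
     * Verifies the signature on {@code object}.
     *
     * <p>NOTE(review): an empty or {@code null} {@code trustedCertificates} does not mean "trust nobody";
     * it falls back to the engine-wide trust anchors. Callers that derive the collection from a peer's
     * metadata must not pass an empty result expecting rejection.
     *
     * @param object              the signed object
     * @param trustedCertificates per-call trust anchors, or {@code null}/empty for the engine-wide ones
     * @return {@code object} unchanged
     * @throws EIDASSAMLEngineException if the signature is invalid, untrusted or uses a disallowed algorithm
     */
    public <T extends SignableXMLObject> T validateSignature(T object, Collection<X509Certificate> trustedCertificates) throws EIDASSAMLEngineException {
        List<? extends Credential> anchors = CollectionUtils.isEmpty(trustedCertificates)
                ? getTrustedCredentials()
                : CertificateUtil.getListOfCredential(trustedCertificates);
        return validateSignatureWithCredentials(object, anchors);
    }

    /**
     * Profile check first, then algorithm/trust/cryptographic verification.
     *
     * @return {@code object} unchanged
     */
    private <T extends SignableXMLObject> T validateSignatureWithCredentials(T object, List<? extends Credential> trustedCredentials) throws EIDASSAMLEngineException {
        Logger.debug("Start signature validation.");
        validateSamlSignatureStructure(object);
        verifyCryptographicSignature(object.getSignature(), trustedCredentials);
        return object;
    }

    /**
     * Rejects the signature unless every {@code ds:DigestMethod} below its DOM element names a
     * whitelisted digest. The signature-method whitelist alone does not constrain the reference
     * digest, so without this a signer could present e.g. RSA-SHA256 over a SHA-1 reference digest.
     * A signature without a cached DOM cannot be verified at all and is refused (fail closed).
     *
     * @param signature an unmarshalled signature
     * @throws EIDASSAMLEngineException if no DOM is present, no DigestMethod is declared, or any
     *                                  DigestMethod algorithm is not allowed
     */
    private void checkDigestAlgorithms(Signature signature) throws EIDASSAMLEngineException {
        Element signatureElement = signature.getDOM();
        if (signatureElement == null) {
            Logger.error("ERROR : signature has no DOM - digest algorithm cannot be verified");
            throw new EIDASSAMLEngineException(EidasErrorKey.INVALID_SIGNATURE_ALGORITHM.errorCode());
        }
        NodeList digestMethods = signatureElement.getElementsByTagNameNS(
                Signature.DEFAULT_ELEMENT_NAME.getNamespaceURI(), "DigestMethod");
        if (digestMethods.getLength() == 0) {
            Logger.error("ERROR : signature declares no DigestMethod");
            throw new EIDASSAMLEngineException(EidasErrorKey.INVALID_SIGNATURE_ALGORITHM.errorCode());
        }
        for (int i = 0; i < digestMethods.getLength(); i++) {
            String digestUri = ((Element) digestMethods.item(i)).getAttribute("Algorithm");
            if (!isDigestAlgorithmAllowedForVerifying(digestUri)) {
                Logger.error("ERROR : the digest algorithm " + digestUri + " used by the signature is not allowed");
                throw new EIDASSAMLEngineException(EidasErrorKey.INVALID_SIGNATURE_ALGORITHM.errorCode());
            }
        }
    }

    /**
     * Algorithm whitelist, digest whitelist, trust resolution, then cryptographic verification of the
     * signature value with the trusted KeyInfo certificate.
     *
     * @throws EIDASSAMLEngineException if any step fails
     */
    private void verifyCryptographicSignature(Signature signature, List<? extends Credential> trustedCredentials) throws EIDASSAMLEngineException {
        String algorithmUri = signature.getSignatureAlgorithm();
        Logger.trace("Key algorithm " + SecurityHelper.getKeyAlgorithmFromURI(algorithmUri));
        if (!isAlgorithmAllowedForVerifying(algorithmUri)) {
            Logger.error("ERROR : the algorithm " + algorithmUri + " used by the signature is not allowed");
            throw new EIDASSAMLEngineException(EidasErrorKey.INVALID_SIGNATURE_ALGORITHM.errorCode());
        }
        checkDigestAlgorithms(signature);
        X509Credential verificationCredential = getTrustedCertificate(signature, trustedCredentials);
        try {
            new SignatureValidator(verificationCredential).validate(signature);
        } catch (ValidationException e) {
            Logger.error("ERROR : Signature Validation Exception: " + e, e);
            throw new EIDASSAMLEngineException(e);
        }
    }

    /** @return the configured "sign assertions inside responses" flag */
    public boolean isResponseSignAssertions() {
        return this.responseSignAssertions;
    }

    static {
        BouncyCastleBootstrap.bootstrap();
        ALLOWED_ALGORITHMS_FOR_SIGNING = ImmutableSet.of(
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
                DEFAULT_SIGNATURE_ALGORITHM,
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
                "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1",
                "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1");
        ALLOWED_ALGORITHMS_FOR_VERIFYING = ImmutableSet.of(
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
                DEFAULT_SIGNATURE_ALGORITHM,
                "http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160",
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
                "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1",
                "http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1",
                "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1",
                "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1",
                "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1");
        DEFAULT_ALGORITHM_WHITE_LIST = ImmutableSet.of(
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
                DEFAULT_SIGNATURE_ALGORITHM,
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
                "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
                "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1");
        SIGNATURE_TO_DIGEST_ALGORITHM_MAP = ImmutableMap.<String, String>builder()
                .put("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")
                .put("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#sha384")
                .put(DEFAULT_SIGNATURE_ALGORITHM, DEFAULT_DIGEST_ALGORITHM)
                .put("http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160", "http://www.w3.org/2001/04/xmlenc#ripemd160")
                .put("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmlenc#sha256")
                .put("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#sha384")
                .put("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", DEFAULT_DIGEST_ALGORITHM)
                .put("http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1", "http://www.w3.org/2001/04/xmlenc#sha256")
                .put("http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1", DEFAULT_DIGEST_ALGORITHM)
                .build();
        // Must be initialised after the map it is derived from.
        ALLOWED_DIGEST_ALGORITHMS_FOR_VERIFYING = ImmutableSet.copyOf(SIGNATURE_TO_DIGEST_ALGORITHM_MAP.values());
    }
}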
