package at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IAuthData;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.core.impl.utils.Random;
import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.SAMLRequestNotSignedException;
import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.PVP2AssertionBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionAttributeExtractorExeption;
import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AssertionValidationExeption;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants;
import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.Pair;
import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferAuthenticationData;
import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferOnlineApplication;
import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.data.MISMandate;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.util.BpkUtil;
import com.google.gson.JsonObject;
import iaik.x509.X509Certificate;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyAgreement;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

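@Service("SSOContainerUtils")
/* loaded from: input_file:at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.class */
/**
 * Builds, encrypts, verifies and re-imports the signed SAML2 {@link Response} that carries an
 * SSO session between MOA-ID instances ("SSO session transfer").
 *
 * <p>Outbound: {@link #generateSignedAndEncryptedSSOContainer} wraps a generic assertion holding
 * {@link #REQUIRED_ATTRIBUTES} into a signed Response, AES-encrypts it and packs it into a JSON
 * object. Inbound: {@link #validateReceivedSSOContainer} parses and signature-checks such a
 * Response, and {@link #parseSSOContainerToMOASessionDataObject} copies its attributes back into
 * an {@link IAuthenticationSession}.
 */
public class SSOContainerUtils {

    /** Recorded as BKU URL on every session restored from a transferred container. */
    private static final String SSO_TRANSFER_BKU_URL = "http://egiz.gv.at/sso_session-transfer_app";

    /** A QAA value without this prefix is expanded with it before it is stored on the session. */
    private static final String STORK_QAA_PREFIX = "http://www.stork.gov.eu/1.0/citizenQAALevel/";

    private static final String PVP_HOLDEROFKEY_NAME = "urn:oid:1.2.40.0.10.2.1.1.261.xx.xx";

    // PVP attribute names read from / written into the transfer assertion. The role of each name
    // is taken from the session setter it feeds in parseSSOContainerToMOASessionDataObject.
    private static final String ATTR_QAA_LEVEL = "urn:oid:1.2.40.0.10.2.1.1.261.94";
    private static final String ATTR_AUTHBLOCK = "urn:oid:1.2.40.0.10.2.1.1.261.62";
    private static final String ATTR_SIGNER_CERTIFICATE = "urn:oid:1.2.40.0.10.2.1.1.261.66";
    private static final String ATTR_IDENTITYLINK = "urn:oid:1.2.40.0.10.2.1.1.261.38";
    private static final String ATTR_MANDATE_REFERENCE = "urn:oid:1.2.40.0.10.2.1.1.261.90";
    private static final String ATTR_MANDATE_FULL = "urn:oid:1.2.40.0.10.2.1.1.261.92";
    private static final String ATTR_MANDATE_PROF_REP = "urn:oid:1.2.40.0.10.2.1.1.261.86";

    private static final String SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    private static final String NAMEID_FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";

    /** Xerces feature that rejects any DOCTYPE and with it external entities and entity expansion. */
    private static final String DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Attribute on a mandate child element that carries the OWbPK. */
    private static final String MANDATE_OWBPK_ATTRIBUTE = "OWbPK";

    /** Attributes that are built into the transfer assertion, in this order. */
    public static final List<String> REQUIRED_ATTRIBUTES = Collections.unmodifiableList(Arrays.asList(
            ATTR_AUTHBLOCK,
            ATTR_IDENTITYLINK,
            "urn:oid:1.2.40.0.10.2.1.1.261.32",
            ATTR_SIGNER_CERTIFICATE,
            "urn:oid:1.2.40.0.10.2.1.1.261.36",
            "urn:oid:1.2.40.0.10.2.1.1.261.104",
            ATTR_MANDATE_REFERENCE,
            ATTR_MANDATE_FULL,
            "urn:oid:1.2.40.0.10.2.1.1.261.68",
            ATTR_MANDATE_PROF_REP,
            "urn:oid:1.2.40.0.10.2.1.1.261.88",
            ATTR_QAA_LEVEL,
            PVP_HOLDEROFKEY_NAME));

    @Autowired(required = true)
    private IPVP2BasicConfiguration pvpConfiguration;

    @Autowired(required = true)
    private PVP2AssertionBuilder assertionBuilder;

    @Autowired
    IDPCredentialProvider credentials;

    @Autowired
    SAMLVerificationEngineSP samlVerificationEngine;

    @Autowired
    AuthConfiguration authConfig;

    /**
     * Copies the attributes of an already validated SSO container into the given session.
     *
     * <p>QAA level, AuthBlock, signer certificate and mandate data are optional and only logged
     * when missing or unparseable; the IdentityLink is mandatory.
     *
     * @param pendingReq the current request (not read by this method)
     * @param session    session that receives the transferred data
     * @param extractor  attribute extractor over the container's assertion
     * @throws AssertionAttributeExtractorExeption if the container carries no IdentityLink or the
     *                                             IdentityLink cannot be parsed
     * @throws ConfigurationException              propagated from the session/config layer
     */
    public void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, IAuthenticationSession session, AssertionAttributeExtractor extractor) throws AssertionAttributeExtractorExeption, ConfigurationException {
        session.setBkuURL(SSO_TRANSFER_BKU_URL);
        applyQaaLevel(session, extractor);
        applyAuthBlock(session, extractor);
        applySignerCertificate(session, extractor);

        String identityLink = extractor.getSingleAttributeValue(ATTR_IDENTITYLINK);
        try {
            if (!MiscUtil.isNotEmpty(identityLink)) {
                Logger.warn("SSO session-container contains NO IdentityLink");
                throw new AssertionAttributeExtractorExeption("SSO session-container contains NO IdentityLink");
            }
            session.setIdentityLink(new IdentityLinkAssertionParser(Base64Utils.decodeToStream(identityLink, false)).parseIdentityLink());
            applyMandate(session, extractor);
        } catch (ParseException e) {
            Logger.error("IdentityLink is not parseable.", e);
            throw new AssertionAttributeExtractorExeption("IdentityLink is not parseable.");
        }
    }

    /** Stores the QAA level, normalised to a full STORK URI; a missing value is only logged. */
    private static void applyQaaLevel(IAuthenticationSession session, AssertionAttributeExtractor extractor) throws AssertionAttributeExtractorExeption, ConfigurationException {
        String qaaLevel = extractor.getSingleAttributeValue(ATTR_QAA_LEVEL);
        if (!MiscUtil.isNotEmpty(qaaLevel)) {
            Logger.warn("SSO session-container contains NO QAA-level");
        } else if (qaaLevel.startsWith(STORK_QAA_PREFIX)) {
            session.setQAALevel(qaaLevel);
        } else {
            session.setQAALevel(STORK_QAA_PREFIX + qaaLevel);
        }
    }

    /** Stores the AuthBlock attribute verbatim; a missing value is only logged. */
    private static void applyAuthBlock(IAuthenticationSession session, AssertionAttributeExtractor extractor) throws AssertionAttributeExtractorExeption, ConfigurationException {
        String authBlock = extractor.getSingleAttributeValue(ATTR_AUTHBLOCK);
        if (MiscUtil.isNotEmpty(authBlock)) {
            session.setAuthBlock(authBlock);
        } else {
            Logger.warn("SSO session-container contains NO AuthBlock");
        }
    }

    /** Decodes the Base64 signer certificate; decoding or certificate errors are logged, not thrown. */
    private static void applySignerCertificate(IAuthenticationSession session, AssertionAttributeExtractor extractor) throws AssertionAttributeExtractorExeption, ConfigurationException {
        try {
            String signerCert = extractor.getSingleAttributeValue(ATTR_SIGNER_CERTIFICATE);
            if (MiscUtil.isNotEmpty(signerCert)) {
                session.setSignerCertificate(new X509Certificate(Base64Utils.decode(signerCert, false)));
            } else {
                Logger.warn("SSO session-container contains NO SignerCertificate");
            }
        } catch (IOException | CertificateException e) {
            Logger.error("SignerCertificate is not parseable.", e);
        }
    }

    /**
     * Restores mandate data when a mandate reference value is present. Decoding errors of the full
     * mandate are logged and leave the session without a MISMandate; {@link ParseException} is
     * declared so that any parse error from the mandate layer is handled by the caller's
     * IdentityLink error path, as in the original flow.
     */
    private static void applyMandate(IAuthenticationSession session, AssertionAttributeExtractor extractor) throws AssertionAttributeExtractorExeption, ConfigurationException, ParseException {
        String mandateReference = extractor.getSingleAttributeValue(ATTR_MANDATE_REFERENCE);
        if (!MiscUtil.isNotEmpty(mandateReference)) {
            return;
        }
        session.setMandateReferenceValue(mandateReference);
        session.setUseMandate("true");
        Logger.info("Found mandate information in SSO session-container.");
        try {
            MISMandate mandate = new MISMandate();
            String fullMandate = extractor.getSingleAttributeValue(ATTR_MANDATE_FULL);
            if (MiscUtil.isNotEmpty(fullMandate)) {
                mandate.setMandate(Base64Utils.decode(fullMandate, false));
            } else {
                // NOTE(review): getMandateDOM() below is still called on a mandate without content;
                // whether MISMandate tolerates that is not visible here — confirm.
                Logger.warn("No Full-Mandate information found in SSO session-container.");
            }
            String profRep = extractor.getSingleAttributeValue(ATTR_MANDATE_PROF_REP);
            if (MiscUtil.isNotEmpty(profRep)) {
                mandate.setProfRep(profRep);
            }
            // Child nodes may be text or comment nodes, so skip everything that is not an element
            // instead of casting blindly.
            NodeList children = mandate.getMandateDOM().getChildNodes();
            for (int i = 0; i < children.getLength(); i++) {
                Node child = children.item(i);
                if (child instanceof Element && ((Element) child).hasAttribute(MANDATE_OWBPK_ATTRIBUTE)) {
                    mandate.setOWbPK(((Element) child).getAttribute(MANDATE_OWBPK_ATTRIBUTE));
                }
            }
            session.setMISMandate(mandate);
        } catch (IOException e) {
            Logger.error("Full-Mandate information is not parseable.", e);
        }
    }

    /**
     * Parses a received SSO container and verifies that it is a SAML2 Response signed with this
     * IDP's assertion-signing credential, has a Success status and a valid assertion.
     *
     * <p>The container is parsed before any signature is checked, so the XML parser is hardened
     * (JAXP secure processing plus DOCTYPE rejection) against entity-based attacks.
     *
     * @param container the decrypted container XML
     * @return the verified Response
     * @throws MOAIDException                if the XML is not a Response or its status is not Success
     * @throws SAMLRequestNotSignedException if the signature profile or the signature is invalid
     * @throws NoCredentialsException        if no IDP signing credential is configured
     */
    public Response validateReceivedSSOContainer(String container) throws IOException, XMLParserException, UnmarshallingException, MOAIDException, SAMLRequestNotSignedException, NoCredentialsException, CredentialsNotAvailableException, AssertionValidationExeption {
        BasicParserPool parserPool = new BasicParserPool();
        Map<String, Boolean> builderFeatures = new HashMap<>();
        builderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
        builderFeatures.put(DISALLOW_DOCTYPE_FEATURE, Boolean.TRUE);
        parserPool.setBuilderFeatures(builderFeatures);
        parserPool.setNamespaceAware(true);

        Element root = parserPool.parse(new ByteArrayInputStream(container.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Object parsed = Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        if (!(parsed instanceof Response)) {
            Logger.warn("SSO Container is not of type SAML2 Response");
            throw new MOAIDException("SSO Container is not of type SAML2 Response", (Object[]) null);
        }
        Response response = (Response) parsed;

        try {
            new SAMLSignatureProfileValidator().validate(response.getSignature());
        } catch (ValidationException e) {
            Logger.error("Failed to validate Signature", e);
            throw new SAMLRequestNotSignedException(e);
        }

        // The container must be signed with our own assertion-signing credential.
        X509Credential signingCredential = this.credentials.getIDPAssertionSigningCredential();
        if (signingCredential == null) {
            throw new NoCredentialsException("moaID IDP");
        }

        try {
            new SignatureValidator(signingCredential).validate(response.getSignature());
            String statusCode = null;
            if (response.getStatus() != null && response.getStatus().getStatusCode() != null) {
                statusCode = response.getStatus().getStatusCode().getValue();
            }
            if (!SAML_STATUS_SUCCESS.equals(statusCode)) {
                Logger.debug("Receive StatusCode " + statusCode + " from interfederated IDP.");
                throw new MOAIDException("SSO Container has a not valid Status Code", (Object[]) null);
            }
            this.samlVerificationEngine.validateAssertion(response, false, this.credentials.getIDPAssertionEncryptionCredential(), response.getIssuer().getValue(), "SSO-Session Transfer module", false);
            return response;
        } catch (ValidationException e) {
            Logger.error("Failed to verfiy Signature", e);
            throw new SAMLRequestNotSignedException(e);
        }
    }

    /**
     * Builds the signed transfer Response for the session, AES-encrypts it with {@code aesKey} and
     * returns the JSON container that holds the ciphertext and its metadata.
     *
     * @param authUrl      authentication URL used to look up the IDP entityID
     * @param session      session to transfer
     * @param issueInstant issue instant of Response and assertion
     * @param aesKey       raw AES key shared with the receiving side
     * @return the JSON container as string, or {@code null} if any step failed (the failure is
     *         logged at warn level)
     */
    public String generateSignedAndEncryptedSSOContainer(String authUrl, IAuthenticationSession session, Date issueInstant, byte[] aesKey) {
        try {
            String idpEntityId = this.pvpConfiguration.getIDPEntityId(authUrl);

            AuthnContextClassRef qaaLevel = (AuthnContextClassRef) SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
            qaaLevel.setAuthnContextClassRef(session.getQAALevel());

            NameID subjectNameId = (NameID) SAML2Utils.createSAMLObject(NameID.class);
            try {
                // Transient NameID: digest of a fresh random value, unrelated to the user.
                byte[] seed = Random.nextLongRandom().getBytes(StandardCharsets.ISO_8859_1);
                subjectNameId.setValue(Base64Utils.encode(MessageDigest.getInstance("SHA-1").digest(seed)));
                subjectNameId.setNameQualifier((String) null);
                subjectNameId.setFormat(NAMEID_FORMAT_TRANSIENT);
            } catch (Exception e) {
                // Best effort as in the original flow: the assertion is still built, with an unset NameID.
                Logger.warn("PVP2 subjectNameID error", e);
            }

            // Container validity ends when the SSO session itself would expire.
            long sessionTimeoutMillis = AuthConfigurationProviderFactory.getInstance().getSSOCreatedTimeOut() * 1000L;
            SubjectConfirmationData confirmationData = (SubjectConfirmationData) SAML2Utils.createSAMLObject(SubjectConfirmationData.class);
            confirmationData.setNotOnOrAfter(new DateTime(session.getSessionCreated().getTime() + sessionTimeoutMillis));

            DateTime issued = new DateTime(issueInstant.getTime());
            String assertionId = SAML2Utils.getSecureIdentifier();
            SSOTransferAuthenticationData authData = new SSOTransferAuthenticationData(this.authConfig, session);
            List<Attribute> attributes = buildSSOAttributeForTransfer(session, authData);
            Assertion assertion = this.assertionBuilder.buildGenericAssertion(idpEntityId, idpEntityId, issued, qaaLevel, attributes, subjectNameId, confirmationData, assertionId, confirmationData.getNotOnOrAfter());

            String containerXml = buildSSOContainerObject(idpEntityId, assertion, issued);
            // NOTE(review): the plaintext container holds IdentityLink, AuthBlock and mandate data;
            // keep this debug output disabled outside development environments.
            Logger.debug("Unencrypted SessionBlob:" + containerXml);

            // UTF-8 explicitly: the serialized XML declares UTF-8, so platform-default encoding
            // would corrupt non-ASCII content on non-UTF-8 hosts.
            String encryptedContainer = Base64Utils.encode(enOrDeCryptCSR(containerXml.getBytes(StandardCharsets.UTF_8), aesKey, Cipher.ENCRYPT_MODE));
            Logger.debug("Encrypted SessionBlob:" + encryptedContainer);

            JsonObject json = new JsonObject();
            json.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, SSOTransferConstants.SSOCONTAINER_VALUE_TYPE_SSO);
            json.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_VALIDTO, confirmationData.getNotOnOrAfter().toString());
            json.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_ENTITYID, idpEntityId);
            json.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_USERID, authData.getGivenName() + " " + authData.getFamilyName());
            json.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_SESSION, encryptedContainer);
            json.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_UNIQUEUSERID, BpkUtil.calcBPK(authData.getIdentificationValue(), "AB"));
            // TODO(review): hard-coded result endpoint; should come from configuration.
            json.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_RESULTENDPOINT, "https://demo.egiz.gv.at");
            return json.toString();
        } catch (EncryptionException | SecurityException | ParserConfigurationException | MarshallingException | SignatureException | IOException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException | TransformerException | TransformerFactoryConfigurationError | EAAFException e) {
            Logger.warn("SSO container generation FAILED.", e);
            return null;
        }
    }

    /**
     * Encrypts or decrypts {@code data} with AES under the raw key {@code key}.
     *
     * <p>NOTE(review): {@code Cipher.getInstance("AES")} selects the provider's default mode and
     * padding, which on the standard JDK providers is AES/ECB/PKCS5Padding: no integrity
     * protection, and equal plaintext blocks produce equal ciphertext blocks. The transformation
     * is part of the format shared with the decrypting side, so it can only be migrated (e.g. to
     * AES/GCM/NoPadding with a per-message IV) together with that counterpart.
     *
     * @param data       plaintext or ciphertext
     * @param key        raw AES key bytes
     * @param cipherMode {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @return the transformed bytes
     */
    public byte[] enOrDeCryptCSR(byte[] data, byte[] key, int cipherMode) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException {
        SecretKeySpec aesKey = new SecretKeySpec(key, "AES");
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(cipherMode, aesKey);
        return cipher.doFinal(data);
    }

    /**
     * Generates a Diffie-Hellman key pair for the group given by prime {@code p} and generator
     * {@code g}, returning the public key as spec together with the private key.
     *
     * <p>NOTE(review): the group parameters are accepted as given. If they originate from the
     * remote peer, the caller has to validate them (prime, adequate size, valid generator)
     * before calling this method; that check is not visible here.
     *
     * @param p DH prime modulus
     * @param g DH base generator
     * @return public key spec and private key
     * @throws Exception kept for compatibility with existing callers; the JCA calls below throw
     *                   {@code NoSuchAlgorithmException}, {@code InvalidAlgorithmParameterException}
     *                   and {@code InvalidKeySpecException}
     */
    public Pair<DHPublicKeySpec, PrivateKey> createSpecificKey(BigInteger p, BigInteger g) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("DiffieHellman");
        generator.initialize(new DHParameterSpec(p, g));
        KeyPair keyPair = generator.generateKeyPair();
        DHPublicKeySpec publicSpec = KeyFactory.getInstance("DiffieHellman").getKeySpec(keyPair.getPublic(), DHPublicKeySpec.class);
        return new Pair<>(publicSpec, keyPair.getPrivate());
    }

    /**
     * Completes the DH key agreement with the peer's public key and returns the raw shared secret.
     *
     * <p>NOTE(review): the value returned is the unprocessed agreement output; it should be run
     * through a KDF before being used as an AES key. Whether callers do so is not visible here.
     *
     * @param peerPublicKey the peer's DH public key spec
     * @param privateKey    our DH private key
     * @return the raw shared secret
     */
    public byte[] getSecret(DHPublicKeySpec peerPublicKey, PrivateKey privateKey) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        KeyAgreement agreement = KeyAgreement.getInstance("DiffieHellman");
        agreement.init(privateKey);
        agreement.doPhase(KeyFactory.getInstance("DiffieHellman").generatePublic(peerPublicKey), true);
        return agreement.generateSecret();
    }

    /**
     * Wraps the assertion into a SAML2 Response issued by {@code issuerEntityId}, signs it with the
     * IDP assertion-signing credential and serializes it to XML.
     *
     * @param issuerEntityId entityID placed into the Response issuer
     * @param assertion      assertion to embed
     * @param issueInstant   issue instant of the Response
     * @return the signed Response as XML string
     */
    private String buildSSOContainerObject(String issuerEntityId, Assertion assertion, DateTime issueInstant) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException {
        Response response = (Response) SAML2Utils.createSAMLObject(Response.class);

        Issuer issuer = (Issuer) SAML2Utils.createSAMLObject(Issuer.class);
        issuer.setValue(issuerEntityId);
        issuer.setFormat(NAMEID_FORMAT_ENTITY);
        response.setIssuer(issuer);
        response.setID(SAML2Utils.getSecureIdentifier());
        response.setIssueInstant(issueInstant);
        response.setStatus(SAML2Utils.getSuccessStatus());
        response.getAssertions().add(assertion);

        X509Credential signingCredential = this.credentials.getIDPAssertionSigningCredential();
        Signature signature = AbstractCredentialProvider.getIDPSignature(signingCredential);
        SecurityHelper.prepareSignatureParams(signature, signingCredential, (SecurityConfiguration) null, (String) null);
        response.setSignature(signature);

        // Marshalling must happen before signing so that the signature covers the DOM.
        Document document = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Configuration.getMarshallerFactory().getMarshaller(response).marshall(response, document);
        Signer.signObject(signature);

        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        try (StringWriter out = new StringWriter()) {
            transformer.transform(new DOMSource(document), new StreamResult(out));
            return out.toString();
        }
    }

    /**
     * Builds one PVP attribute per entry of {@link #REQUIRED_ATTRIBUTES}; attributes that are
     * empty or fail to build are logged and skipped.
     *
     * @param session  the session being transferred (not read by this method)
     * @param authData authentication data the attribute builder reads from
     * @return the attributes that could be built, possibly empty
     */
    private static List<Attribute> buildSSOAttributeForTransfer(IAuthenticationSession session, IAuthData authData) {
        List<Attribute> attributes = new ArrayList<>();
        SSOTransferOnlineApplication transferOa = new SSOTransferOnlineApplication();
        for (String attributeName : REQUIRED_ATTRIBUTES) {
            try {
                Attribute attribute = PVPAttributeBuilder.buildAttribute(attributeName, transferOa, authData);
                if (attribute != null) {
                    attributes.add(attribute);
                } else {
                    Logger.info("SSO-Transfer attribute " + attributeName + " is empty!");
                }
            } catch (Exception e) {
                // Deliberately best effort: a single missing attribute must not abort the transfer.
                Logger.info("Build SSO-Transfer attribute " + attributeName + " FAILED:" + e.getMessage());
            }
        }
        return attributes;
    }
}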
