package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;

import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import java.util.ArrayList;
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.RequestAbstractType;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.class */
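/**
 * Builds the SAML 2.0 {@code Response} an IdP returns for a PVP2 authentication request.
 *
 * <p>The response carries the IdP's {@code Issuer}, an {@code InResponseTo} reference to the
 * incoming request, a freshly generated secure ID, a success status and exactly one assertion.
 * The assertion is either embedded as an {@code EncryptedAssertion} (AES-256-CBC payload, RSA-OAEP
 * key transport to the SP's encryption key from metadata) or, when encryption is disabled or no
 * encryption credential is published for the SP, as a plaintext {@code Assertion}.
 */
public class AuthResponseBuilder {
    private static final Logger log = LoggerFactory.getLogger(AuthResponseBuilder.class);

    /** NameID format of the IdP {@code Issuer} element (SAML 2.0 "entity" format). */
    private static final String ISSUER_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";

    /** SAML 2.0 protocol namespace; selects the SP's {@code SPSSODescriptor} in its metadata. */
    private static final String SAML20_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** XML-Enc block cipher applied to the assertion payload. */
    private static final String DATA_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";

    /** XML-Enc key transport algorithm used to wrap the data key for the SP. */
    private static final String KEY_TRANSPORT_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    /**
     * Builds a successful SAML 2.0 {@code Response} for {@code request} containing {@code assertion}.
     *
     * <p>The SP's encryption credential is always looked up in {@code metadataProvider} (keyed by
     * the request's {@code Issuer}), even when {@code encryptAssertion} is {@code false}; a failing
     * lookup is therefore reported regardless of the flag. If {@code encryptAssertion} is
     * {@code true} but the SP publishes no encryption credential, the assertion is added in
     * plaintext and the downgrade is logged at WARN so it is visible in operations logs.
     *
     * @param metadataProvider metadata of the peer SPs, used to resolve the encryption key
     * @param issuerEntityId entity ID of this IdP, placed into the response {@code Issuer}
     * @param request the SAML request being answered; its ID and {@code Issuer} are read
     *     (a request without an {@code Issuer} element yields a {@code NullPointerException})
     * @param issueInstant value for the response's {@code IssueInstant}
     * @param assertion the assertion to embed, in plaintext or encrypted form
     * @param encryptAssertion whether to encrypt the assertion when an SP encryption key exists
     * @return the populated response
     * @throws InvalidAssertionEncryptionException if the metadata lookup of the encryption key
     *     fails, or if encryption of the assertion fails
     */
    public static Response buildResponse(MetadataProvider metadataProvider, String issuerEntityId,
            RequestAbstractType request, DateTime issueInstant, Assertion assertion,
            boolean encryptAssertion) throws InvalidAssertionEncryptionException {
        Response response = (Response) SAML2Utils.createSAMLObject(Response.class);

        Issuer issuer = (Issuer) SAML2Utils.createSAMLObject(Issuer.class);
        issuer.setValue(issuerEntityId);
        issuer.setFormat(ISSUER_NAMEID_FORMAT);
        response.setIssuer(issuer);

        response.setInResponseTo(request.getID());
        response.setID(SAML2Utils.getSecureIdentifier());
        response.setIssueInstant(issueInstant);
        response.setStatus(SAML2Utils.getSuccessStatus());

        // Resolved unconditionally (as before) so a broken metadata lookup surfaces even when
        // encryption is switched off.
        X509Credential peerCredential =
                resolveEncryptionCredential(metadataProvider, request.getIssuer().getValue());

        if (encryptAssertion && peerCredential != null) {
            response.getEncryptedAssertions().add(encryptForPeer(assertion, peerCredential));
        } else {
            if (encryptAssertion) {
                // Existing fallback: no encryption key in SP metadata -> plaintext assertion.
                // Logged so that an unexpected downgrade can be detected.
                log.warn("No encryption credential found in metadata for SP '{}'; "
                        + "assertion is returned unencrypted", request.getIssuer().getValue());
            }
            response.getAssertions().add(assertion);
        }
        return response;
    }

    /**
     * Looks up the SP's encryption credential from its {@code SPSSODescriptor}.
     *
     * @param metadataProvider metadata source
     * @param spEntityId entity ID of the SP (the request's {@code Issuer})
     * @return the resolved credential, or {@code null} if the SP publishes none
     * @throws InvalidAssertionEncryptionException if the resolver reports a security error
     */
    private static X509Credential resolveEncryptionCredential(MetadataProvider metadataProvider,
            String spEntityId) throws InvalidAssertionEncryptionException {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(spEntityId));
        criteria.add(new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAML20_PROTOCOL_NS));
        criteria.add(new UsageCriteria(UsageType.ENCRYPTION));
        try {
            return new MetadataCredentialResolver(metadataProvider).resolveSingle(criteria);
        } catch (SecurityException e) {
            // The cause is logged here because the thrown exception type carries none.
            log.warn("Can not extract the Assertion Encryption-Key from metadata", e);
            throw new InvalidAssertionEncryptionException();
        }
    }

    /**
     * Encrypts {@code assertion} for the SP owning {@code peerCredential}.
     *
     * <p>The data key is wrapped with the peer's public key and the {@code EncryptedKey} is placed
     * next to the {@code EncryptedData} ({@link Encrypter.KeyPlacement#PEER}).
     *
     * @param assertion assertion to encrypt
     * @param peerCredential SP encryption credential from metadata
     * @return the encrypted assertion
     * @throws InvalidAssertionEncryptionException if OpenSAML fails to encrypt
     */
    private static EncryptedAssertion encryptForPeer(Assertion assertion, X509Credential peerCredential)
            throws InvalidAssertionEncryptionException {
        EncryptionParameters dataParams = new EncryptionParameters();
        dataParams.setAlgorithm(DATA_ENCRYPTION_ALGORITHM);

        KeyEncryptionParameters keyParams = new KeyEncryptionParameters();
        keyParams.setEncryptionCredential(peerCredential);
        keyParams.setAlgorithm(KEY_TRANSPORT_ALGORITHM);
        // KeyInfo for the EncryptedKey is derived from the peer credential via the global
        // OpenSAML security configuration.
        keyParams.setKeyInfoGenerator(Configuration.getGlobalSecurityConfiguration()
                .getKeyInfoGeneratorManager().getDefaultManager().getFactory(peerCredential).newInstance());

        List<KeyEncryptionParameters> keyParamsList = new ArrayList<KeyEncryptionParameters>();
        keyParamsList.add(keyParams);

        try {
            Encrypter encrypter = new Encrypter(dataParams, keyParamsList);
            encrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);
            return encrypter.encrypt(assertion);
        } catch (EncryptionException e) {
            // The cause is logged here because the thrown exception type carries none.
            log.warn("Can not encrypt the PVP2 assertion", e);
            throw new InvalidAssertionEncryptionException();
        }
    }
}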
