package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder;

import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.encryption.Encrypter;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.SecurityConfigurationSupport;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.EncryptionException;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.class */
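/**
 * Builds the SAML 2.0 {@code Response} an IdP returns for a PVP2 request.
 *
 * <p>The assertion is placed into the response either in clear text or as an
 * {@code EncryptedAssertion}. Encryption happens only when it is switched on in the
 * configuration <em>and</em> the requesting SP publishes an encryption credential in its
 * metadata; otherwise the assertion is added unencrypted.</p>
 *
 * <p>Stateless; all methods are static and safe to call concurrently.</p>
 */
public class AuthResponseBuilder {
    private static final Logger log = LoggerFactory.getLogger(AuthResponseBuilder.class);

    /** Config switch: encrypt the assertion when the SP offers an encryption key (default {@code true}). */
    private static final String CONFIG_ENCRYPTION_ACTIVE = "pvp2.assertion.encryption.active";
    /** Config key: key-transport algorithm used for RSA SP keys. */
    private static final String CONFIG_ALG_KEY_RSA = "pvp2.security.alg.enc.key.rsa";
    /** Config key: key-agreement/transport algorithm used for EC SP keys. */
    private static final String CONFIG_ALG_KEY_EC = "pvp2.security.alg.enc.key.ec";
    /** Config key: symmetric algorithm for the assertion content. */
    private static final String CONFIG_ALG_DATA = "pvp2.security.alg.enc.data";

    private static final String DEFAULT_ALG_KEY_RSA = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
    private static final String DEFAULT_ALG_KEY_EC = "http://www.w3.org/2001/04/xmlenc#dh";
    private static final String DEFAULT_ALG_DATA = "http://www.w3.org/2009/xmlenc11#aes128-gcm";

    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    private static final String XS_NS = "http://www.w3.org/2001/XMLSchema";

    /**
     * Builds a successful SAML {@code Response} carrying {@code assertion}.
     *
     * @param iPvp2MetadataProvider metadata provider used to look up the SP's encryption key
     * @param str                   entityID of this IdP, used as the response {@code Issuer}
     * @param requestAbstractType   the SAML request being answered ({@code InResponseTo} and SP lookup)
     * @param instant               value for {@code IssueInstant}
     * @param assertion             the assertion to include, unencrypted or encrypted
     * @param iConfiguration        configuration (encryption switch and algorithm settings)
     * @return the populated response with a {@code Success} status
     * @throws InvalidAssertionEncryptionException if encryption is active and the SP key cannot be
     *         resolved from metadata or the assertion cannot be encrypted
     */
    public static Response buildResponse(IPvp2MetadataProvider iPvp2MetadataProvider, String str,
            RequestAbstractType requestAbstractType, Instant instant, Assertion assertion,
            IConfiguration iConfiguration) throws InvalidAssertionEncryptionException {
        Response response = (Response) Saml2Utils.createSamlObject(Response.class);
        Issuer issuer = (Issuer) Saml2Utils.createSamlObject(Issuer.class);
        issuer.setValue(str);
        issuer.setFormat(NAMEID_FORMAT_ENTITY);
        response.setIssuer(issuer);
        response.setInResponseTo(requestAbstractType.getID());
        response.setID(Saml2Utils.getSecureIdentifier());
        response.setIssueInstant(instant);
        response.setStatus(Saml2Utils.getSuccessStatus());

        // Consult the switch before touching metadata: with encryption disabled the SP key is not
        // needed, so a failed key resolution must not block the response.
        X509Credential encryptionCredential = null;
        if (iConfiguration.getBasicConfigurationBoolean(CONFIG_ENCRYPTION_ACTIVE, true)) {
            encryptionCredential = resolveEncryptionCredential(requestAbstractType, iPvp2MetadataProvider);
        }

        if (encryptionCredential == null) {
            // No usable encryption key (or encryption switched off): the assertion leaves in clear text.
            log.debug("No assertion encryption credential available, adding unencrypted assertion");
            response.getAssertions().add(assertion);
        } else {
            response.getEncryptedAssertions().add(doEncryption(assertion, encryptionCredential, iConfiguration));
        }
        return response;
    }

    /**
     * Encrypts {@code assertion} for the SP credential {@code x509Credential}.
     *
     * <p>The content is encrypted with the configured data algorithm; the content key is wrapped
     * with the key-transport algorithm matching the SP key type (RSA or EC). The
     * {@code EncryptedKey} is placed as a peer of the {@code EncryptedData}.</p>
     *
     * @param assertion      assertion to encrypt
     * @param x509Credential SP encryption credential resolved from metadata
     * @param iConfiguration configuration providing the algorithm URIs
     * @return the encrypted assertion
     * @throws InvalidAssertionEncryptionException if algorithm selection, marshalling or encryption fails
     */
    private static EncryptedAssertion doEncryption(Assertion assertion, X509Credential x509Credential,
            IConfiguration iConfiguration) throws InvalidAssertionEncryptionException {
        try {
            // Key-transport algorithm depends on the key type of the SP certificate (RSA vs. EC).
            String keyTransportAlgorithm = Saml2Utils.getKeyOperationAlgorithmFromCredential(x509Credential,
                    iConfiguration.getBasicConfiguration(CONFIG_ALG_KEY_RSA, DEFAULT_ALG_KEY_RSA),
                    iConfiguration.getBasicConfiguration(CONFIG_ALG_KEY_EC, DEFAULT_ALG_KEY_EC));

            DataEncryptionParameters dataEncParams = new DataEncryptionParameters();
            dataEncParams.setAlgorithm(iConfiguration.getBasicConfiguration(CONFIG_ALG_DATA, DEFAULT_ALG_DATA));

            KeyEncryptionParameters keyEncParams = new KeyEncryptionParameters();
            keyEncParams.setEncryptionCredential(x509Credential);
            keyEncParams.setAlgorithm(keyTransportAlgorithm);
            keyEncParams.setKeyInfoGenerator(SecurityConfigurationSupport.getGlobalEncryptionConfiguration()
                    .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(x509Credential)
                    .newInstance());

            Encrypter encrypter = new Encrypter(dataEncParams, Collections.singletonList(keyEncParams));
            encrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);

            // Marshal the assertion and declare the 'xs' prefix on its root element before encrypting:
            // the encrypted fragment is serialized on its own, so a declaration inherited from the
            // enclosing Response would not be available to the decrypting party.
            Element assertionElement = XMLObjectProviderRegistrySupport.getMarshallerFactory()
                    .getMarshaller(assertion).marshall(assertion);
            assertionElement.setAttributeNS(XMLNS_NS, "xmlns:xs", XS_NS);
            // Re-unmarshalling yields an Assertion whose DOM carries the added declaration.
            return encrypter.encrypt(
                    (Assertion) XMLObjectSupport.getUnmarshaller(assertionElement).unmarshall(assertionElement));
        } catch (EncryptionException | SamlSigningException | MarshallingException | UnmarshallingException e) {
            log.warn("Can not encrypt the PVP2 assertion", e);
            throw new InvalidAssertionEncryptionException();
        }
    }

    /**
     * Resolves the encryption credential of the requesting SP from its metadata.
     *
     * <p>Only role descriptors from metadata that is still valid are considered, and the lookup is
     * restricted to the {@code SPSSODescriptor} of the request's {@code Issuer} with key usage
     * {@code encryption}. Key material is read from {@code KeyInfo} via DSA, RSA and inline X.509
     * providers.</p>
     *
     * @param requestAbstractType the SAML request; its {@code Issuer} identifies the SP
     * @param iPvp2MetadataProvider metadata source for the SP
     * @return the SP's encryption credential, or {@code null} if the SP publishes none
     * @throws InvalidAssertionEncryptionException if the request carries no {@code Issuer} or the
     *         metadata lookup fails
     */
    private static X509Credential resolveEncryptionCredential(RequestAbstractType requestAbstractType,
            IPvp2MetadataProvider iPvp2MetadataProvider) throws InvalidAssertionEncryptionException {
        // Without an Issuer there is no SP to look up; fail explicitly instead of with an NPE below.
        Issuer requestIssuer = requestAbstractType.getIssuer();
        if (requestIssuer == null || requestIssuer.getValue() == null) {
            log.warn("Can not extract the Assertion Encryption-Key from metadata: request has no Issuer");
            throw new InvalidAssertionEncryptionException();
        }

        try {
            BasicProviderKeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(
                    Arrays.asList(new DSAKeyValueProvider(), new RSAKeyValueProvider(), new InlineX509DataProvider()));

            PredicateRoleDescriptorResolver roleResolver = new PredicateRoleDescriptorResolver(iPvp2MetadataProvider);
            roleResolver.setRequireValidMetadata(true);
            roleResolver.initialize();

            MetadataCredentialResolver credentialResolver = new MetadataCredentialResolver();
            credentialResolver.setRoleDescriptorResolver(roleResolver);
            credentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
            credentialResolver.initialize();

            CriteriaSet criteria = new CriteriaSet();
            criteria.add(new EntityIdCriterion(requestIssuer.getValue()));
            criteria.add(new ProtocolCriterion(SAML2_PROTOCOL));
            criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
            criteria.add(new UsageCriterion(UsageType.ENCRYPTION));
            return credentialResolver.resolveSingle(criteria);
        } catch (SecurityException | ComponentInitializationException | ResolverException e) {
            log.warn("Can not extract the Assertion Encryption-Key from metadata", e);
            throw new InvalidAssertionEncryptionException();
        }
    }
}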
