package org.miniorange.saml;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.StringWriter;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.UUID;
import java.util.logging.Logger;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.apache.xml.serialize.LineSeparator;
import org.joda.time.DateTime;
import org.jsoup.Jsoup;
import org.miniorange.saml.MoSAMLException;
import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.impl.AuthnContextClassRefBuilder;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.saml2.core.impl.RequestedAuthnContextBuilder;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignableXMLObject;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/miniorange-saml-sp.jar:org/miniorange/saml/MoSAMLUtils.class */
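/**
 * Static helpers for the SAML 2.0 service-provider side of the plugin: OpenSAML
 * bootstrap, AuthnRequest construction, response decoding, assertion decryption,
 * signature verification/creation and PEM handling of the configured
 * certificate and private key.
 *
 * <p>This listing was recovered from a compiled jar (see the {@code loaded from}
 * comment above the class), so parameter names are reconstructions.
 *
 * <p>Thread-safety: all methods are stateless apart from the {@link #bootstrap}
 * flag, which is not synchronized; two concurrent first calls to
 * {@link #doBootstrap()} may both invoke {@code DefaultBootstrap.bootstrap()}.
 */
public class MoSAMLUtils {
    public static final String SAML_REQUEST_PARAM = "SAMLRequest";
    public static final String RELAY_STATE_PARAM = "RelayState";
    public static final String SIGNATURE_ALGO_PARAM = "SigAlg";
    public static final String SIGNATURE_PARAM = "Signature";
    public static final String SAML_RESPONSE_PARAM = "SAMLResponse";
    private static boolean bootstrap = false;
    private static final Logger LOGGER = Logger.getLogger(MoSAMLUtils.class.getName());

    // PEM armour labels understood by the (de)serialize helpers.
    private static final String CERT_BEGIN = "BEGIN CERTIFICATE";
    private static final String CERT_END = "END CERTIFICATE";
    private static final String KEY_BEGIN = "BEGIN PRIVATE KEY";
    private static final String KEY_END = "END PRIVATE KEY";
    // Line width used by commons-codec when re-wrapping a PEM body.
    private static final int PEM_LINE_LENGTH = 64;
    // JCA names used for the SP key pair and the HTTP-Redirect signature.
    private static final String KEY_ALGORITHM = "RSA";
    private static final String REDIRECT_SIGNATURE_ALGORITHM = "SHA256withRSA";
    // XML-DSig algorithm URIs applied to HTTP-POST signatures.
    private static final String C14N_EXCLUSIVE_URI = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Parser features switched to block DTD/entity based attacks (XXE, billion laughs).
    private static final String FEATURE_DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
    private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
    private static final String FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    // Alphabet of generateRandomAlphaNumericKey: the same [A-Za-z0-9] set that
    // RandomStringUtils.random(n, true, true) produces, drawn from a CSPRNG instead.
    private static final String ALPHANUMERIC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /**
     * Initialises the OpenSAML library once per JVM.
     *
     * <p>The done-flag is only set after a successful bootstrap, so a failed
     * attempt is retried on the next call instead of being silently skipped
     * forever; the failure is logged at WARNING because every later SAML
     * operation depends on it.
     */
    public static void doBootstrap() {
        if (bootstrap) {
            return;
        }
        try {
            DefaultBootstrap.bootstrap();
            bootstrap = true;
        } catch (ConfigurationException e) {
            LOGGER.warning("Failed to bootstrap, error is " + e.getMessage());
        }
    }

    /**
     * Strips HTML markup from a string by parsing it with Jsoup and returning
     * the text content.
     *
     * @param str input, may be null or blank
     * @return the text content, or {@code str} unchanged when it is blank
     */
    public static String sanitizeText(String str) {
        if (StringUtils.isBlank(str)) {
            return str;
        }
        return Jsoup.parse(str).text();
    }

    /**
     * Decodes a Base64 {@code SAMLResponse} parameter into an OpenSAML
     * {@link Response}, parsing the XML with a hardened parser (secure
     * processing, no DTD/external entities, comments dropped, XInclude off).
     *
     * <p>The decoded bytes are handed to the parser directly so the document's
     * own encoding declaration is honoured; presumably {@link #doBootstrap()}
     * must have run first so an unmarshaller is registered for the root element.
     *
     * @param base64Response the raw parameter value
     * @return the unmarshalled response
     * @throws IllegalArgumentException when the value is blank, not Base64, or its
     *     root element is not a {@code samlp:Response}
     * @throws Exception parser or unmarshalling failures
     */
    public static Response decodeResponse(String base64Response) throws Exception {
        LOGGER.fine("Decoding Response..");
        if (StringUtils.isBlank(base64Response)) {
            throw new IllegalArgumentException("SAMLResponse parameter is missing or empty.");
        }
        byte[] xml = Base64.decode(base64Response);
        // NOTE(review): this Base64 implementation appears to return null on malformed input — guard rather than NPE.
        if (xml == null || xml.length == 0) {
            throw new IllegalArgumentException("SAMLResponse parameter is not valid Base64.");
        }
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(true);
        disableExternalEntityParsing(factory);
        Element root = factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml)).getDocumentElement();
        if (Configuration.getUnmarshallerFactory().getUnmarshaller(root) == null) {
            throw new IllegalArgumentException("No SAML unmarshaller is registered for the decoded root element.");
        }
        XMLObject unmarshalled = Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        // An explicit type check replaces a bare cast so an unexpected document fails cleanly.
        if (!(unmarshalled instanceof Response)) {
            throw new IllegalArgumentException("Decoded SAMLResponse root element is not a samlp:Response.");
        }
        return (Response) unmarshalled;
    }

    /**
     * Builds a SAML 2.0 AuthnRequest for the HTTP-POST protocol binding.
     *
     * @param issuer SP entity id placed in {@code saml:Issuer}
     * @param acsUrl assertion consumer service URL
     * @param destination IdP SSO endpoint
     * @param nameIdFormat requested NameID format
     * @param forceAuthn when {@code Boolean.TRUE}, ForceAuthn is set; null counts as false
     * @param authnContextClassRef requested AuthnContext class; blank or {@code "None"} omits it
     * @return the populated request (unsigned)
     */
    public static AuthnRequest buildAuthnRequest(String issuer, String acsUrl, String destination, String nameIdFormat, Boolean forceAuthn, String authnContextClassRef) {
        LOGGER.fine("Building Authentication Request");
        AuthnRequest request = new AuthnRequestBuilder().buildObject(SAMLConstants.SAML20P_NS, AuthnRequest.DEFAULT_ELEMENT_LOCAL_NAME, "samlp");
        request.setID(generateRandomString());
        request.setVersion(SAMLVersion.VERSION_20);
        request.setIssueInstant(new DateTime());
        request.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        request.setIssuer(buildIssuer(issuer));
        request.setAssertionConsumerServiceURL(acsUrl);
        request.setDestination(destination);
        // Null-safe: a missing flag means "do not force re-authentication".
        if (Boolean.TRUE.equals(forceAuthn)) {
            request.setForceAuthn(Boolean.TRUE);
        }
        if (org.apache.commons.lang3.StringUtils.isNotBlank(authnContextClassRef) && !"None".equals(authnContextClassRef)) {
            request.setRequestedAuthnContext(buildRequestedAuthnContext(authnContextClassRef));
        }
        // The decompiled listing shows this builder call as mo904buildObject(); it is the no-arg buildObject().
        NameIDPolicy nameIdPolicy = new NameIDPolicyBuilder().buildObject();
        nameIdPolicy.setFormat(nameIdFormat);
        nameIdPolicy.setAllowCreate(Boolean.TRUE);
        request.setNameIDPolicy(nameIdPolicy);
        return request;
    }

    /**
     * Builds a {@code saml:Issuer} element carrying the given entity id.
     *
     * @param entityId issuer value
     * @return the issuer element
     */
    private static Issuer buildIssuer(String entityId) {
        LOGGER.fine("Building Issuer");
        Issuer issuerElement = new IssuerBuilder().buildObject(SAMLConstants.SAML20_NS, "Issuer", "saml");
        issuerElement.setValue(entityId);
        return issuerElement;
    }

    /**
     * Builds a RequestedAuthnContext with {@code Comparison="exact"} and a
     * single AuthnContextClassRef.
     *
     * @param authnContextClassRef the class reference URI
     * @return the populated element
     */
    public static RequestedAuthnContext buildRequestedAuthnContext(String authnContextClassRef) {
        AuthnContextClassRef classRef = new AuthnContextClassRefBuilder().buildObject(SAMLConstants.SAML20_NS, AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME, "saml");
        classRef.setAuthnContextClassRef(authnContextClassRef);
        // Decompiled listing shows mo904buildObject(); this is the no-arg buildObject().
        RequestedAuthnContext requested = new RequestedAuthnContextBuilder().buildObject();
        requested.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
        requested.getAuthnContextClassRefs().add(classRef);
        return requested;
    }

    /**
     * Decrypts an EncryptedAssertion with the SP key pair.
     *
     * <p>An EncryptedKey found inline in the EncryptedData's KeyInfo is tried
     * first; when none is present the resolver for EncryptedKey elements carried
     * by the enclosing EncryptedAssertion is used instead.
     *
     * @param encryptedAssertion the element to decrypt
     * @param publicCertificate SP certificate (PEM or bare Base64)
     * @param privateKey SP private key (PKCS#8, PEM or bare Base64)
     * @return the decrypted assertion, rooted in a new document
     * @throws DecryptionException when no private key is configured or decryption fails
     */
    public static Assertion decryptAssertion(EncryptedAssertion encryptedAssertion, String publicCertificate, String privateKey) throws CertificateException, InvalidKeySpecException, NoSuchAlgorithmException, DecryptionException {
        LOGGER.fine("Decrypting Assertion.");
        Credential credential = getCredential(publicCertificate, privateKey);
        // Fail early with a clear message instead of a generic failure deep inside the decrypter.
        if (credential.getPrivateKey() == null) {
            throw new DecryptionException("Cannot decrypt assertion: no SP private key is configured.");
        }
        StaticKeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
        Decrypter decrypter = new Decrypter(null, keyResolver, new InlineEncryptedKeyResolver());
        boolean inlineKeyPresent = decrypter.getEncryptedKeyResolver()
                .resolve(encryptedAssertion.getEncryptedData())
                .iterator()
                .hasNext();
        if (!inlineKeyPresent) {
            decrypter = new Decrypter(null, keyResolver, new EncryptedElementTypeEncryptedKeyResolver());
        }
        decrypter.setRootInNewDocument(true);
        return decrypter.decrypt(encryptedAssertion);
    }

    /**
     * Verifies the enveloped signature of a Response or Assertion against the
     * configured IdP certificate. Trust is pinned to that certificate only; key
     * material carried inside the message is never used.
     *
     * <p>The SAML signature profile check runs before the cryptographic check.
     *
     * @param signedObject the signed Response or Assertion
     * @param idpCertificate IdP certificate (PEM or bare Base64)
     * @return {@code Boolean.TRUE} on success (failures throw)
     * @throws MoSAMLException when the object carries no signature at all
     * @throws ValidationException when the profile or signature check fails
     */
    public static Boolean verifyCertificate(SignableXMLObject signedObject, String idpCertificate) throws ValidationException, CertificateException, InvalidKeySpecException, NoSuchAlgorithmException {
        LOGGER.fine("verifying Certificate");
        if (!signedObject.isSigned()) {
            if (signedObject instanceof Response) {
                LOGGER.fine("Response not Signed");
                throw new MoSAMLException(MoSAMLException.SAMLErrorCode.RESPONSE_NOT_SIGNED);
            }
            LOGGER.fine("Assertion not Signed");
            throw new MoSAMLException(MoSAMLException.SAMLErrorCode.ASSERTION_NOT_SIGNED);
        }
        new SAMLSignatureProfileValidator().validate(signedObject.getSignature());
        SignatureValidator validator = new SignatureValidator(getCredential(idpCertificate, ""));
        LOGGER.fine("Validating signature.");
        validator.validate(signedObject.getSignature());
        LOGGER.fine("Signature validated.");
        return Boolean.TRUE;
    }

    /**
     * Generates an XML ID from a random UUID; the leading underscore keeps the
     * value a valid {@code xs:ID} even when the UUID starts with a digit.
     *
     * @return {@code "_"} followed by 32 hex characters
     */
    public static String generateRandomString() {
        String uuid = UUID.randomUUID().toString();
        return "_" + org.apache.commons.lang3.StringUtils.remove(uuid, '-');
    }

    /**
     * Builds an X.509 credential from the configured certificate and, when one
     * is configured, the private key.
     *
     * @param publicCertificate certificate (PEM or bare Base64); must not be blank
     * @param privateKey private key (PKCS#8); blank leaves the credential public-only
     * @return the credential
     * @throws CertificateException when the certificate is missing or unparsable
     */
    private static Credential getCredential(String publicCertificate, String privateKey) throws CertificateException, InvalidKeySpecException, NoSuchAlgorithmException {
        X509Certificate certificate = parseCertificate(serializePublicCertificate(publicCertificate));
        BasicX509Credential credential = new BasicX509Credential();
        credential.setPublicKey(certificate.getPublicKey());
        PrivateKey key = getPrivateKey(privateKey);
        if (key != null) {
            credential.setPrivateKey(key);
        }
        return credential;
    }

    /**
     * Parses a PEM-armoured certificate.
     *
     * @param pem PEM text; null is rejected
     * @return the certificate
     * @throws CertificateException when {@code pem} is null or not a valid certificate
     */
    private static X509Certificate parseCertificate(String pem) throws CertificateException {
        if (pem == null) {
            throw new CertificateException("No certificate configured.");
        }
        CertificateFactory factory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Normalises a certificate given as PEM or bare Base64 into canonical PEM
     * (64-column body, CRLF after the BEGIN line).
     *
     * @param certificate input, may be blank
     * @return PEM text, or {@code certificate} unchanged when it is blank
     */
    public static String serializePublicCertificate(String certificate) {
        LOGGER.fine("Serializing Public Certificate");
        if (org.apache.commons.lang3.StringUtils.isBlank(certificate)) {
            return certificate;
        }
        return toPem(certificate, CERT_BEGIN, CERT_END);
    }

    /**
     * Strips PEM armour, line breaks and spaces from a certificate, leaving the
     * bare Base64 body.
     *
     * @param certificate input, may be blank
     * @return the Base64 body, or {@code certificate} unchanged when it is blank
     */
    public static String deserializePublicCertificate(String certificate) {
        LOGGER.fine("Deserializing Public Certificate");
        if (org.apache.commons.lang3.StringUtils.isBlank(certificate)) {
            return certificate;
        }
        return stripPemArmor(certificate, CERT_BEGIN, CERT_END);
    }

    /**
     * Normalises a PKCS#8 private key given as PEM or bare Base64 into
     * canonical PEM. (Despite the name this handles a private key, not a
     * certificate.)
     *
     * @param privateKey input, may be blank
     * @return PEM text, or {@code privateKey} unchanged when it is blank
     */
    public static String serializePrivateCertificate(String privateKey) {
        LOGGER.fine("Serializing Private Certificate");
        if (org.apache.commons.lang3.StringUtils.isBlank(privateKey)) {
            return privateKey;
        }
        return toPem(privateKey, KEY_BEGIN, KEY_END);
    }

    /**
     * Strips PEM armour, line breaks and spaces from a PKCS#8 private key,
     * leaving the bare Base64 body.
     *
     * @param privateKey input, may be blank
     * @return the Base64 body, or {@code privateKey} unchanged when it is blank
     */
    public static String deserializePrivateCertificate(String privateKey) {
        LOGGER.fine("Deserializing Private Certificate");
        if (org.apache.commons.lang3.StringUtils.isBlank(privateKey)) {
            return privateKey;
        }
        return stripPemArmor(privateKey, KEY_BEGIN, KEY_END);
    }

    /**
     * Removes PEM armour from {@code pem}: CR ({@code LineSeparator.Macintosh}),
     * LF, dashes, the BEGIN/END labels and spaces.
     *
     * @param pem PEM or bare Base64 text (non-null)
     * @param beginLabel e.g. {@code "BEGIN CERTIFICATE"}
     * @param endLabel e.g. {@code "END CERTIFICATE"}
     * @return the Base64 body
     */
    private static String stripPemArmor(String pem, String beginLabel, String endLabel) {
        String body = org.apache.commons.lang3.StringUtils.remove(pem, LineSeparator.Macintosh);
        body = org.apache.commons.lang3.StringUtils.remove(body, "\n");
        body = org.apache.commons.lang3.StringUtils.remove(body, "-");
        body = org.apache.commons.lang3.StringUtils.remove(body, beginLabel);
        body = org.apache.commons.lang3.StringUtils.remove(body, endLabel);
        return org.apache.commons.lang3.StringUtils.remove(body, " ");
    }

    /**
     * Re-armours a PEM or bare Base64 input into canonical PEM: the body is
     * decoded and re-encoded with 64-character lines, then wrapped in
     * {@code -----<label>-----} lines (CRLF after the BEGIN line only).
     *
     * @param rawOrPem PEM or bare Base64 text (non-null)
     * @param beginLabel BEGIN label without dashes
     * @param endLabel END label without dashes
     * @return canonical PEM text
     */
    private static String toPem(String rawOrPem, String beginLabel, String endLabel) {
        byte[] der = org.apache.commons.codec.binary.Base64.decodeBase64(stripPemArmor(rawOrPem, beginLabel, endLabel));
        String wrapped = new org.apache.commons.codec.binary.Base64(PEM_LINE_LENGTH).encodeToString(der);
        return "-----" + beginLabel + "-----\r\n" + wrapped + "-----" + endLabel + "-----";
    }

    /**
     * Marshals a SAML object to XML and Base64-encodes it, optionally
     * DEFLATE-compressing it first (HTTP-Redirect binding).
     *
     * @param xmlObject the object to serialise
     * @param skipCompression when {@code Boolean.TRUE}, the XML is encoded
     *     uncompressed (HTTP-POST); null counts as false
     * @return the Base64 text without line breaks
     * @throws Exception marshalling or I/O failures
     */
    public static String base64EncodeRequest(XMLObject xmlObject, Boolean skipCompression) throws Exception {
        LOGGER.fine("Encoding Sign Request with Base64 encoder.");
        Element element = Configuration.getMarshallerFactory().getMarshaller(xmlObject).marshall(xmlObject);
        StringWriter writer = new StringWriter();
        XMLHelper.writeNode(element, writer);
        byte[] xml = writer.toString().getBytes(StandardCharsets.UTF_8);
        // Option 8 is the no-line-break flag of this Base64 implementation (original value kept) — TODO confirm constant name.
        if (Boolean.TRUE.equals(skipCompression)) {
            return Base64.encodeBytes(xml, 8);
        }
        // Raw DEFLATE (nowrap=true) as required by the HTTP-Redirect binding.
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        try {
            ByteArrayOutputStream compressed = new ByteArrayOutputStream();
            try (DeflaterOutputStream out = new DeflaterOutputStream(compressed, deflater)) {
                out.write(xml);
            }
            return Base64.encodeBytes(compressed.toByteArray(), 8);
        } finally {
            // Release the native zlib state deterministically rather than waiting for GC.
            deflater.end();
        }
    }

    /**
     * Produces the Base64 {@code Signature} value for an HTTP-Redirect request.
     *
     * <p>The signed input is {@code queryString + "&SigAlg=" + urlencode(signatureAlgorithm)};
     * the caller presumably passes the already URL-encoded
     * {@code SAMLRequest=...[&RelayState=...]} part. The JCA algorithm is fixed to
     * SHA256withRSA, so {@code signatureAlgorithm} should be the rsa-sha256 URI for
     * the signature to verify.
     *
     * @param queryString the query string to sign
     * @param signatureAlgorithm the SigAlg URI to append and sign over
     * @param publicCertificate SP certificate
     * @param privateKey SP private key
     * @return the Base64 signature
     * @throws IllegalStateException when no private key is configured
     * @throws Exception other signing failures
     */
    public static String signHttpRedirectRequest(String queryString, String signatureAlgorithm, String publicCertificate, String privateKey) throws Exception {
        LOGGER.fine("Signing Http Redirect Request called ");
        String signedInput = queryString + "&" + SIGNATURE_ALGO_PARAM + "=" + URLEncoder.encode(signatureAlgorithm, "UTF-8");
        PrivateKey signingKey = getCredential(publicCertificate, privateKey).getPrivateKey();
        // initSign(null) would fail with an opaque InvalidKeyException; name the real cause.
        if (signingKey == null) {
            throw new IllegalStateException("Cannot sign HTTP-Redirect request: no SP private key is configured.");
        }
        Signature signer = Signature.getInstance(REDIRECT_SIGNATURE_ALGORITHM);
        signer.initSign(signingKey);
        signer.update(signedInput.getBytes(StandardCharsets.UTF_8));
        return Base64.encodeBytes(signer.sign());
    }

    /**
     * Hardens a {@link DocumentBuilderFactory} against DTD/entity based
     * attacks. Each feature is applied independently so that a parser which
     * lacks one of them still receives the remaining protections; an
     * unsupported feature is logged at WARNING.
     *
     * @param documentBuilderFactory the factory to configure
     */
    private static void disableExternalEntityParsing(DocumentBuilderFactory documentBuilderFactory) {
        LOGGER.info("Disabling External Entity Parsing from DocumentBuilderFactory");
        setFeatureOrWarn(documentBuilderFactory, FEATURE_DISALLOW_DOCTYPE, true);
        setFeatureOrWarn(documentBuilderFactory, FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
        setFeatureOrWarn(documentBuilderFactory, FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        setFeatureOrWarn(documentBuilderFactory, FEATURE_LOAD_EXTERNAL_DTD, false);
        documentBuilderFactory.setXIncludeAware(false);
        documentBuilderFactory.setExpandEntityReferences(false);
    }

    /**
     * Sets one parser feature, logging (with the feature name) when the
     * processor does not support it.
     *
     * @param factory the factory to configure
     * @param feature feature URI
     * @param value desired value
     */
    private static void setFeatureOrWarn(DocumentBuilderFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
        } catch (ParserConfigurationException e) {
            LOGGER.warning("ParserConfigurationException was thrown. The feature '" + feature + "' is probably not supported by your XML processor.");
        }
    }

    /**
     * Decodes the configured PKCS#8 RSA private key.
     *
     * @param privateKey PEM or bare Base64; blank yields null
     * @return the key, or null when none is configured
     * @throws InvalidKeySpecException when the text is not valid Base64/PKCS#8
     */
    private static PrivateKey getPrivateKey(String privateKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
        LOGGER.fine("getPrivateKey called ");
        if (org.apache.commons.lang3.StringUtils.isBlank(privateKey)) {
            return null;
        }
        byte[] pkcs8 = Base64.decode(deserializePrivateCertificate(privateKey));
        // NOTE(review): this Base64 implementation appears to return null on malformed input — guard rather than NPE.
        if (pkcs8 == null || pkcs8.length == 0) {
            throw new InvalidKeySpecException("Configured private key is not valid Base64-encoded PKCS#8 data.");
        }
        return KeyFactory.getInstance(KEY_ALGORITHM).generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }

    /**
     * Checks whether the given text parses as an X.509 certificate.
     *
     * @param publicCertificate PEM or bare Base64; blank or null is invalid
     * @return {@code Boolean.TRUE} when it parses, {@code Boolean.FALSE} otherwise
     */
    public static Boolean isValidPublicCertificate(String publicCertificate) {
        LOGGER.fine("Validating Public Certificate");
        // Blank input previously reached getBytes() on a null/blank string; report it as invalid instead.
        if (org.apache.commons.lang3.StringUtils.isBlank(publicCertificate)) {
            return Boolean.FALSE;
        }
        try {
            parseCertificate(serializePublicCertificate(publicCertificate));
            return Boolean.TRUE;
        } catch (CertificateException e) {
            LOGGER.fine(e.getMessage());
            return Boolean.FALSE;
        }
    }

    /**
     * Adds an enveloped XML signature (exclusive C14N, RSA-SHA256) to a SAML
     * object with the SP key pair. The object is marshalled before signing
     * because the signature is computed over its DOM.
     *
     * @param samlObject the object to sign (modified in place)
     * @param publicCertificate SP certificate
     * @param privateKey SP private key
     * @return the same object, now signed
     * @throws IllegalStateException when no private key is configured
     * @throws Exception marshalling or signing failures
     */
    public static SignableSAMLObject signHttpPostRequest(SignableSAMLObject samlObject, String publicCertificate, String privateKey) throws Exception {
        LOGGER.fine("Signing HTTP Post Request. ");
        Credential credential = getCredential(publicCertificate, privateKey);
        if (credential.getPrivateKey() == null) {
            throw new IllegalStateException("Cannot sign HTTP-POST request: no SP private key is configured.");
        }
        org.opensaml.xml.signature.Signature signature = (org.opensaml.xml.signature.Signature) Configuration.getBuilderFactory()
                .getBuilder(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(credential);
        signature.setCanonicalizationAlgorithm(C14N_EXCLUSIVE_URI);
        signature.setKeyInfo(Configuration.getGlobalSecurityConfiguration()
                .getKeyInfoGeneratorManager()
                .getDefaultManager()
                .getFactory(credential)
                .newInstance()
                .generate(credential));
        signature.setSignatureAlgorithm(RSA_SHA256_URI);
        samlObject.setSignature(signature);
        Configuration.getMarshallerFactory().getMarshaller(samlObject).marshall(samlObject);
        Signer.signObject(signature);
        return samlObject;
    }

    /**
     * Generates a random alphanumeric string of the given length from a
     * {@link SecureRandom}. Replaces {@code RandomStringUtils.random(i, true, true)},
     * which draws from a non-cryptographic PRNG and is unsuitable for anything
     * named "key"; the output alphabet ({@code [A-Za-z0-9]}) is unchanged.
     *
     * @param i the length; 0 yields the empty string
     * @return the random string
     * @throws IllegalArgumentException when {@code i} is negative
     */
    public static String generateRandomAlphaNumericKey(int i) {
        if (i < 0) {
            throw new IllegalArgumentException("Requested random string length " + i + " is less than 0.");
        }
        StringBuilder key = new StringBuilder(i);
        for (int pos = 0; pos < i; pos++) {
            key.append(ALPHANUMERIC.charAt(SECURE_RANDOM.nextInt(ALPHANUMERIC.length())));
        }
        return key.toString();
    }
}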
