package be.ehealth.technicalconnector.service.sts.impl;

import be.ehealth.technicalconnector.config.ConfigFactory;
import be.ehealth.technicalconnector.config.domain.Duration;
import be.ehealth.technicalconnector.exception.InstantiationException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorExceptionValues;
import be.ehealth.technicalconnector.service.sts.domain.SAMLAttribute;
import be.ehealth.technicalconnector.service.sts.domain.SAMLAttributeDesignator;
import be.ehealth.technicalconnector.service.sts.domain.SAMLNameIdentifier;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.ehealth.technicalconnector.service.sts.utils.SAMLConverter;
import be.ehealth.technicalconnector.service.sts.utils.SAMLHelper;
import be.ehealth.technicalconnector.service.ws.ServiceFactory;
import be.ehealth.technicalconnector.utils.ConnectorIOUtils;
import be.ehealth.technicalconnector.utils.ConnectorXmlUtils;
import be.ehealth.technicalconnector.ws.domain.GenericRequest;
import be.ehealth.technicalconnector.ws.feature.SHA1Feature;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.soap.SOAPException;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:be/ehealth/technicalconnector/service/sts/impl/STSServiceImpl.class */
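/**
 * STS client for the SAML v1.1 {@code RequestSecureToken} flow.
 *
 * <p>A request is produced by filling one of the classpath templates under {@code /legacy/},
 * appending attribute designators and attributes as DOM elements, optionally signing the inner
 * request for the holder-of-key confirmation method, sending it through the generic WS sender and
 * extracting the {@code Assertion} from the SAML response.
 *
 * <p>Fixes compared to the decompiled original: a successful response without any assertion is
 * now rejected (the previous {@code >= 0} check on the assertion count could never fail), the
 * {@code NameIdentifier} scan in {@link #renewToken} is bounded by the list it indexes, a missing
 * {@code ConfirmationMethod} is reported as an invalid token rather than a NullPointerException,
 * and the reflective provider lookup catches {@code java.lang.InstantiationException} explicitly
 * (the unqualified name resolves to the connector's own exception type in this file).
 *
 * <p>Not thread-safety-analysed here: the only shared state is the static
 * {@link XMLSignatureFactory}, which is built once in the static initializer.
 */
public class STSServiceImpl extends AbstractSTSService {
    private static final Logger LOG = LoggerFactory.getLogger(STSServiceImpl.class);

    // SAML element / attribute names used when reading and writing the assertion DOM.
    private static final String ATTRIBUTE_NAME = "AttributeName";
    private static final String ATTRIBUTE_QUERY = "AttributeQuery";
    private static final String AUTHENTICATION_STATEMENT = "AuthenticationStatement";
    private static final String AUTHENTICATION_METHOD = "AuthenticationMethod";
    private static final String ATTRIBUTE_STATEMENT = "AttributeStatement";
    private static final String CONFIRMATION_METHOD = "ConfirmationMethod";
    private static final String ATTRIBUTE_VALUE = "AttributeValue";
    private static final String ATTRIBUTE = "Attribute";
    private static final String ATTRIBUTE_NAMESPACE = "AttributeNamespace";
    private static final String NAME_IDENTIFIER = "NameIdentifier";
    private static final String NAME_IDENTIFIER_FORMAT = "Format";
    private static final String NAME_QUALIFIER = "NameQualifier";
    private static final String REQUEST_ID = "RequestID";
    private static final String XMLNS_SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String XMLNS_SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";
    private static final String NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    // Attributes in this namespace are never re-requested as attributes on renewal (only as designators).
    private static final String CERTIFIED_NAMESPACE = "urn:be:fgov:certified-namespace:ehealth";

    // Configuration keys (public: they are part of the connector's configuration contract).
    public static final String HOK_KEYINFO_TYPE = "be.ehealth.technicalconnector.service.sts.keyinfo";
    public static final String ALWAYS_SIGN_INNER_REQUEST = "be.ehealth.technicalconnector.service.sts.always.sign.inner.request";
    private static final String KEYINFO_TYPE_PUBLICKEY = "publickey";
    private static final String KEYINFO_TYPE_DEFAULT = "x509";

    // Request templates on the classpath; which one is used depends on the confirmation method,
    // the configured KeyInfo type and whether an authentication method is supplied.
    private static final String TEMPLATE_HOK_X509 = "/legacy/issue.samlv11.hok.template.xml";
    private static final String TEMPLATE_HOK_PUBLICKEY = "/legacy/issue.samlv11.hok.publickey.template.xml";
    private static final String TEMPLATE_SV = "/legacy/issue.samlv11.sv.template.xml";
    private static final String TEMPLATE_SV_AUTHMETHOD = "/legacy/issue.samlv11.sv.authmethod.template.xml";

    // Placeholders replaced inside the templates.
    private static final String PLACEHOLDER_AUTHENTICATION_METHOD = "${authenticationMethod}";
    private static final String PLACEHOLDER_HOLDER_OF_KEY = "${holder.of.key}";
    private static final String PLACEHOLDER_RSA_MODULUS = "${publickey.rsa.modulus}";
    private static final String PLACEHOLDER_RSA_EXPONENT = "${publickey.rsa.exponent}";
    private static final String PLACEHOLDER_DSA_G = "${publickey.dsa.g}";
    private static final String PLACEHOLDER_DSA_P = "${publickey.dsa.p}";
    private static final String PLACEHOLDER_DSA_Q = "${publickey.dsa.q}";
    // NOTE(review): the first closing tag below reads "<ds:G>" rather than "</ds:G>". The literal is kept
    // byte-for-byte because it has to match the template text exactly; verify against the template, since a
    // mismatch would leave the DSA block (with unreplaced placeholders) inside an RSA request.
    private static final String DSA_KEY_VALUE_BLOCK = "<ds:DSAKeyValue><ds:G>${publickey.dsa.g}<ds:G><ds:P>${publickey.dsa.p}</ds:P><ds:Q>${publickey.dsa.q}</ds:Q></ds:DSAKeyValue>";
    private static final String RSA_KEY_VALUE_BLOCK = "<ds:RSAKeyValue><ds:Modulus>${publickey.rsa.modulus}</ds:Modulus><ds:Exponent>${publickey.rsa.exponent}</ds:Exponent></ds:RSAKeyValue>";

    // XML-DSig algorithm URIs for the inner (holder-of-key) request signature.
    // NOTE(review): rsa-sha1 / sha1 are weak by current standards. They are kept as-is here because the
    // receiving STS has to accept whatever is chosen; changing them is a protocol-level decision, not a
    // local refactoring. The outer SOAP signature (SHA1Feature below) already moves EC to SHA-256.
    private static final String ALGO_ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
    private static final String ALGO_EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String ALGO_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String ALGO_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";

    private static final String SOAP_ACTION_REQUEST_SECURE_TOKEN = "urn:be:fgov:ehealth:sts:protocol:v1:RequestSecureToken";

    private static final String JSR105PROVIDER_CLASSNAME_DEFAULT = "org.jcp.xml.dsig.internal.dom.XMLDSigRI";
    private static final String JSR105PROVIDER_SYSTEM_PROPERTY = "jsr105Provider";
    private static final XMLSignatureFactory xmlSignatureFactory;

    /**
     * Requests a SAML assertion from the STS.
     *
     * @param credential                 credential used to sign the outer SOAP request and, via
     *                                   {@code generateNameIdentifier}, to derive the subject
     * @param hokCredential              holder-of-key credential; its certificate / public key is embedded in
     *                                   the request and signs the inner request (may be {@code null} for
     *                                   sender-vouches)
     * @param attributes                 attributes added to the {@code AttributeStatement} of the request
     * @param designators                attribute designators added to the {@code AttributeQuery}
     * @param authenticationMethod       value for the {@code ${authenticationMethod}} placeholder; when empty the
     *                                   plain sender-vouches template is used
     * @param nameQualifier              passed to {@code generateNameIdentifier} (inherited, not visible here)
     * @param nameValue                  passed to {@code generateNameIdentifier} (inherited, not visible here)
     * @param subjectConfirmationMethod  {@code AbstractSTSService.HOK_METHOD} or {@code AbstractSTSService.SV_METHOD}
     *                                   (compared case-insensitively)
     * @param duration                   requested validity, handed to {@code processDefaultFields}
     * @return the {@code Assertion} element of the STS response
     * @throws TechnicalConnectorException   on transport errors ({@code ERROR_WS}), a non-success SAML status or a
     *                                       success response without an assertion ({@code INVALID_TOKEN}), or
     *                                       crypto / signature failures while building the request
     * @throws UnsupportedOperationException when the confirmation method is neither HOK nor SV (including
     *                                       {@code null})
     */
    @Override // be.ehealth.technicalconnector.service.sts.STSService
    public Element getToken(Credential credential, Credential hokCredential, List<SAMLAttribute> attributes, List<SAMLAttributeDesignator> designators, String authenticationMethod, String nameQualifier, String nameValue, String subjectConfirmationMethod, Duration duration) throws TechnicalConnectorException {
        try {
            SAMLNameIdentifier nameIdentifier = generateNameIdentifier(credential, nameQualifier, nameValue);
            boolean holderOfKey;
            String template;
            if (AbstractSTSService.HOK_METHOD.equalsIgnoreCase(subjectConfirmationMethod)) {
                holderOfKey = true;
                template = loadTemplate(usePublicKeyKeyInfo() ? TEMPLATE_HOK_PUBLICKEY : TEMPLATE_HOK_X509);
            } else if (AbstractSTSService.SV_METHOD.equalsIgnoreCase(subjectConfirmationMethod)) {
                holderOfKey = false;
                template = loadTemplate(StringUtils.isEmpty(authenticationMethod) ? TEMPLATE_SV : TEMPLATE_SV_AUTHMETHOD);
            } else {
                throw new UnsupportedOperationException("SubjectConfirmationMethod [" + subjectConfirmationMethod + "] not supported.");
            }
            Document request = generateToken(template, holderOfKey, credential, hokCredential, nameIdentifier, authenticationMethod, attributes, designators, duration);
            GenericRequest stsRequest = ServiceFactory.getSTSService(credential.getCertificate(), credential.getPrivateKey());
            stsRequest.setSoapAction(SOAP_ACTION_REQUEST_SECURE_TOKEN);
            // The outer SOAP signature keeps SHA1Feature's defaults for RSA but uses SHA-256 variants for EC keys.
            stsRequest.setPayload(request, new SHA1Feature() { // from class: be.ehealth.technicalconnector.service.sts.impl.STSServiceImpl.1
                @Override // be.ehealth.technicalconnector.ws.feature.SHA1Feature, be.ehealth.technicalconnector.ws.feature.AbstractSigningFeature
                protected String getSignatureECMethodAlgorithm() {
                    return "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
                }

                @Override // be.ehealth.technicalconnector.ws.feature.SHA1Feature, be.ehealth.technicalconnector.ws.feature.AbstractSigningFeature
                protected String getDigestECMethodAlgorithm() {
                    return "http://www.w3.org/2001/04/xmlenc#sha256";
                }
            });
            Element response = SAMLConverter.convert(be.ehealth.technicalconnector.ws.ServiceFactory.getGenericWsSender().send(stsRequest).asSource());
            return extractAssertion(response);
        } catch (SOAPException e) {
            // The explicit Throwable cast selects the cause-taking constructor; keep it.
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_WS, (Throwable) e, e.getMessage());
        }
    }

    /**
     * Convenience overload without authentication method and name identifier parts.
     *
     * @param subjectConfirmationMethod HOK or SV confirmation method, see the 9-argument overload
     * @see #getToken(Credential, Credential, List, List, String, String, String, String, Duration)
     */
    @Override // be.ehealth.technicalconnector.service.sts.STSService
    public Element getToken(Credential credential, Credential hokCredential, List<SAMLAttribute> attributes, List<SAMLAttributeDesignator> designators, String subjectConfirmationMethod, Duration duration) throws TechnicalConnectorException {
        return getToken(credential, hokCredential, attributes, designators, (String) null, (String) null, (String) null, subjectConfirmationMethod, duration);
    }

    /**
     * Re-requests a token with the same content as an existing assertion.
     *
     * <p>Attributes are collected from the {@code AuthenticationStatement}s first and then from the
     * {@code AttributeStatement}s (skipping names already seen); attributes in the certified eHealth
     * namespace are not re-requested as attributes but every {@code AttributeStatement} attribute becomes
     * a designator. The confirmation method, the authentication method (last
     * {@code AuthenticationStatement} wins), and the first {@code NameIdentifier} with the
     * {@code unspecified} format are carried over.
     *
     * @param credential    outer signing credential, see {@link #getToken}
     * @param hokCredential holder-of-key credential, see {@link #getToken}
     * @param assertion     the assertion to renew
     * @param duration      requested validity of the new token
     * @return the new {@code Assertion} element
     * @throws TechnicalConnectorException when the assertion has no {@code ConfirmationMethod}
     *                                     ({@code INVALID_TOKEN}), or for any reason {@link #getToken} does
     */
    @Override // be.ehealth.technicalconnector.service.sts.STSService
    public Element renewToken(Credential credential, Credential hokCredential, Element assertion, Duration duration) throws TechnicalConnectorException {
        List<SAMLAttributeDesignator> designators = new ArrayList<SAMLAttributeDesignator>();
        List<SAMLAttribute> attributes = new ArrayList<SAMLAttribute>();
        Set<String> seenNames = new HashSet<String>();

        NodeList authnStatements = assertion.getElementsByTagNameNS(XMLNS_SAML, AUTHENTICATION_STATEMENT);
        for (int i = 0; i < authnStatements.getLength(); i++) {
            NodeList attrs = ((Element) authnStatements.item(i)).getElementsByTagNameNS(XMLNS_SAML, ATTRIBUTE);
            for (int j = 0; j < attrs.getLength(); j++) {
                Element attr = (Element) attrs.item(j);
                String namespace = attr.getAttribute(ATTRIBUTE_NAMESPACE);
                String name = attr.getAttribute(ATTRIBUTE_NAME);
                if (!CERTIFIED_NAMESPACE.equals(namespace)) {
                    attributes.add(new SAMLAttribute(name, namespace, extractTextContent(attr.getElementsByTagNameNS(XMLNS_SAML, ATTRIBUTE_VALUE))));
                    seenNames.add(name);
                }
            }
        }

        NodeList attributeStatements = assertion.getElementsByTagNameNS(XMLNS_SAML, ATTRIBUTE_STATEMENT);
        for (int i = 0; i < attributeStatements.getLength(); i++) {
            NodeList attrs = ((Element) attributeStatements.item(i)).getElementsByTagNameNS(XMLNS_SAML, ATTRIBUTE);
            for (int j = 0; j < attrs.getLength(); j++) {
                Element attr = (Element) attrs.item(j);
                String namespace = attr.getAttribute(ATTRIBUTE_NAMESPACE);
                String name = attr.getAttribute(ATTRIBUTE_NAME);
                designators.add(new SAMLAttributeDesignator(name, namespace));
                if (!seenNames.contains(name) && !CERTIFIED_NAMESPACE.equals(namespace)) {
                    attributes.add(new SAMLAttribute(name, namespace, extractTextContent(attr.getElementsByTagNameNS(XMLNS_SAML, ATTRIBUTE_VALUE))));
                }
            }
        }

        NodeList confirmationMethods = assertion.getElementsByTagNameNS(XMLNS_SAML, CONFIRMATION_METHOD);
        if (confirmationMethods.getLength() == 0) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.INVALID_TOKEN, "Assertion contains no " + CONFIRMATION_METHOD + " element.");
        }
        String subjectConfirmationMethod = confirmationMethods.item(0).getTextContent();

        // Last AuthenticationStatement wins; a missing attribute yields "" (DOM getAttribute), not null.
        String authenticationMethod = null;
        for (int i = 0; i < authnStatements.getLength(); i++) {
            authenticationMethod = ((Element) authnStatements.item(i)).getAttribute(AUTHENTICATION_METHOD);
        }

        String nameQualifier = null;
        String nameValue = null;
        NodeList nameIdentifiers = assertion.getElementsByTagNameNS(XMLNS_SAML, NAME_IDENTIFIER);
        // Bounded by the NameIdentifier list itself (the original looped over the AttributeStatement count).
        for (int i = 0; i < nameIdentifiers.getLength(); i++) {
            Element nameId = (Element) nameIdentifiers.item(i);
            if (NAMEID_FORMAT_UNSPECIFIED.equals(nameId.getAttribute(NAME_IDENTIFIER_FORMAT))) {
                // Escaped because the values end up inside an XML template via string replacement.
                nameQualifier = StringEscapeUtils.escapeXml(nameId.getAttribute(NAME_QUALIFIER));
                nameValue = StringEscapeUtils.escapeXml(nameId.getTextContent());
                break;
            }
        }
        return getToken(credential, hokCredential, attributes, designators, authenticationMethod, nameQualifier, nameValue, subjectConfirmationMethod, duration);
    }

    /**
     * Validates the SAML response and returns its assertion.
     *
     * @param response the converted SAML response element
     * @return the {@code Assertion} element
     * @throws TechnicalConnectorException {@code INVALID_TOKEN} when the status is not a success, or when the
     *                                     status is a success but no assertion element is present
     */
    private static Element extractAssertion(Element response) throws TechnicalConnectorException {
        String statusCode = SAMLHelper.getStatusCode(response);
        if (!statusCode.contains(SAMLHelper.SAML_SUCCESS)) {
            LOG.warn("The status of the SAMLResponse is {} [{}", statusCode, SAMLHelper.getStatusMessage(response));
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.INVALID_TOKEN, "Inbound Security problem: " + SAMLHelper.getStatusMessage(response));
        }
        // Must be "> 0": the original ">= 0" was always true, so an empty success response was never rejected.
        if (response.getElementsByTagName(SAMLHelper.SAML_ASSERTION).getLength() > 0) {
            return SAMLHelper.getAssertion(response);
        }
        LOG.warn("SAMLResponse has a flag succesfull but contains no assertions.");
        LOG.warn("SAMLResponse was: {}", SAMLConverter.toXMLString(response));
        LOG.warn("The status of the SAMLResponse is {} [{}", statusCode, SAMLHelper.getStatusMessage(response));
        throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.INVALID_TOKEN, "SAMLResponse has a flag succesfull but contains no assertions.");
    }

    /**
     * Reads a classpath template into a string.
     *
     * @param path one of the {@code TEMPLATE_*} constants
     * @return the template text
     */
    private static String loadTemplate(String path) throws TechnicalConnectorException {
        return ConnectorIOUtils.convertStreamToString(ConnectorIOUtils.getResourceAsStream(path));
    }

    /**
     * @return {@code true} when the configured {@link #HOK_KEYINFO_TYPE} is {@code publickey}; the default
     *         is {@code x509}
     */
    private static boolean usePublicKeyKeyInfo() throws TechnicalConnectorException {
        return KEYINFO_TYPE_PUBLICKEY.equalsIgnoreCase(ConfigFactory.getConfigValidator().getProperty(HOK_KEYINFO_TYPE, KEYINFO_TYPE_DEFAULT));
    }

    /**
     * Collects the text content of each node of {@code nodes}, in document order.
     *
     * @param nodes element nodes ({@code AttributeValue} elements in this class)
     * @return one string per node; empty array for an empty list
     */
    private static String[] extractTextContent(NodeList nodes) {
        String[] values = new String[nodes.getLength()];
        for (int i = 0; i < values.length; i++) {
            values[i] = ((Element) nodes.item(i)).getTextContent();
        }
        return values;
    }

    /**
     * Builds the request document from a template.
     *
     * <p>The template is flattened, default fields (validity, name identifier) and the holder-of-key material
     * are substituted, the authentication method placeholder is replaced, and designators / attributes are
     * appended as DOM elements. For holder-of-key requests the inner request is signed with the HOK
     * credential when the HOK certificate differs from the outer credential's certificate or when
     * {@link #ALWAYS_SIGN_INNER_REQUEST} is set.
     *
     * @param template             raw template text
     * @param holderOfKey          {@code true} for the HOK confirmation method
     * @param credential           outer credential, only compared against {@code hokCredential}'s certificate
     * @param hokCredential        holder-of-key credential; when {@code null} no key material is substituted
     * @param nameIdentifier       subject name identifier for {@code processDefaultFields}
     * @param authenticationMethod replacement for {@code ${authenticationMethod}}; {@code null} leaves the
     *                             placeholder untouched (StringUtils.replace ignores a null replacement)
     * @param attributes           attributes to append
     * @param designators          designators to append
     * @param duration             requested validity
     * @return the populated (and possibly signed) request document
     * @throws TechnicalConnectorException {@code ERROR_CRYPTO} on certificate encoding problems,
     *                                     {@code ERROR_SIGNATURE} when signing the inner request fails
     */
    private Document generateToken(String template, boolean holderOfKey, Credential credential, Credential hokCredential, SAMLNameIdentifier nameIdentifier, String authenticationMethod, List<SAMLAttribute> attributes, List<SAMLAttributeDesignator> designators, Duration duration) throws TechnicalConnectorException {
        try {
            String filled = processDefaultFields(ConnectorXmlUtils.flatten(template), duration, nameIdentifier);
            filled = processHolderOfKeyCredentials(hokCredential, filled);
            filled = StringUtils.replace(filled, PLACEHOLDER_AUTHENTICATION_METHOD, authenticationMethod);
            Document request = ConnectorXmlUtils.toElement(filled.getBytes(Charsets.UTF_8)).getOwnerDocument();
            addDesignators(designators, request);
            processAttributes(attributes, request);

            boolean alwaysSign = Boolean.parseBoolean(ConfigFactory.getConfigValidator().getProperty(ALWAYS_SIGN_INNER_REQUEST));
            // Evaluation order kept: the certificate comparison runs before the flag is consulted.
            if (holderOfKey && (!credential.getCertificate().equals(hokCredential.getCertificate()) || alwaysSign)) {
                try {
                    if (usePublicKeyKeyInfo()) {
                        signRequest(request.getDocumentElement(), hokCredential.getPrivateKey(), hokCredential.getPublicKey());
                    } else {
                        signRequest(request.getDocumentElement(), hokCredential.getPrivateKey(), hokCredential.getCertificate());
                    }
                } catch (Exception e) {
                    // Deliberately broad: runtime failures from the XML-DSig provider are reported as signature errors too.
                    throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_SIGNATURE, "XML signature error: " + e.getMessage(), e);
                }
            }
            return request;
        } catch (CertificateEncodingException e) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_CRYPTO, e, e.getMessage());
        }
    }

    /**
     * Appends one {@code saml:Attribute} per entry to the first {@code AttributeStatement} of the document.
     *
     * @param attributes attributes to append (name, namespace and values)
     * @param document   request document containing an {@code AttributeStatement}
     */
    private void processAttributes(List<SAMLAttribute> attributes, Document document) {
        Element statement = (Element) document.getElementsByTagNameNS(XMLNS_SAML, ATTRIBUTE_STATEMENT).item(0);
        for (SAMLAttribute attribute : attributes) {
            Element attributeElement = document.createElementNS(XMLNS_SAML, "saml:Attribute");
            attributeElement.setAttribute(ATTRIBUTE_NAME, attribute.getName());
            attributeElement.setAttribute(ATTRIBUTE_NAMESPACE, attribute.getNamespace());
            processAttributeValues(attributeElement, attribute.getValues());
            statement.appendChild(attributeElement);
        }
    }

    /**
     * Appends one {@code saml:AttributeDesignator} per entry to the first {@code AttributeQuery} of the document.
     *
     * @param designators designators to append (name and namespace)
     * @param document    request document containing an {@code AttributeQuery}
     */
    private void addDesignators(List<SAMLAttributeDesignator> designators, Document document) {
        Element query = (Element) document.getElementsByTagNameNS(XMLNS_SAMLP, ATTRIBUTE_QUERY).item(0);
        for (SAMLAttributeDesignator designator : designators) {
            Element designatorElement = document.createElementNS(XMLNS_SAML, "saml:AttributeDesignator");
            designatorElement.setAttribute(ATTRIBUTE_NAME, designator.getName());
            designatorElement.setAttribute(ATTRIBUTE_NAMESPACE, designator.getNamespace());
            query.appendChild(designatorElement);
        }
    }

    /**
     * Substitutes the holder-of-key material into the template text.
     *
     * <p>The certificate is inserted Base64-encoded for {@code ${holder.of.key}}. For an RSA key the modulus
     * and exponent placeholders are filled and the DSA {@code KeyValue} block is removed; for a DSA key the
     * reverse. Other key types are logged and left untouched.
     *
     * @param hokCredential holder-of-key credential; {@code null} or without certificate returns the template unchanged
     * @param template      template text
     * @return the template with the key material substituted
     * @throws CertificateEncodingException when the certificate cannot be DER-encoded
     */
    private String processHolderOfKeyCredentials(Credential hokCredential, String template) throws TechnicalConnectorException, CertificateEncodingException {
        if (hokCredential == null || hokCredential.getCertificate() == null) {
            return template;
        }
        String result = StringUtils.replace(template, PLACEHOLDER_HOLDER_OF_KEY, base64(hokCredential.getCertificate().getEncoded()));
        PublicKey publicKey = hokCredential.getCertificate().getPublicKey();
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
            result = StringUtils.replace(result, PLACEHOLDER_RSA_MODULUS, base64(convertTo(rsaKey.getModulus())));
            result = StringUtils.replace(result, PLACEHOLDER_RSA_EXPONENT, base64(convertTo(rsaKey.getPublicExponent())));
            result = StringUtils.replace(result, DSA_KEY_VALUE_BLOCK, "");
        } else if (publicKey instanceof DSAPublicKey) {
            DSAPublicKey dsaKey = (DSAPublicKey) publicKey;
            result = StringUtils.replace(result, PLACEHOLDER_DSA_G, base64(convertTo(dsaKey.getParams().getG())));
            result = StringUtils.replace(result, PLACEHOLDER_DSA_P, base64(convertTo(dsaKey.getParams().getP())));
            result = StringUtils.replace(result, PLACEHOLDER_DSA_Q, base64(convertTo(dsaKey.getParams().getQ())));
            result = StringUtils.replace(result, RSA_KEY_VALUE_BLOCK, "");
        } else {
            LOG.info("Unsupported public key: [" + publicKey.getClass().getName() + "+]");
        }
        return result;
    }

    /**
     * Base64-encodes {@code data} as a string; the explicit charset avoids the platform default
     * (the output is ASCII either way).
     */
    private static String base64(byte[] data) {
        return new String(Base64.encode(data), Charsets.UTF_8);
    }

    /**
     * Appends one {@code saml:AttributeValue} per value to {@code attributeElement}.
     *
     * @param attributeElement the {@code saml:Attribute} element to extend
     * @param values           text content of the values, in order
     */
    private void processAttributeValues(Element attributeElement, String[] values) {
        Document document = attributeElement.getOwnerDocument();
        for (String value : values) {
            Element valueElement = document.createElementNS(XMLNS_SAML, "saml:AttributeValue");
            valueElement.setTextContent(value);
            attributeElement.appendChild(valueElement);
        }
    }

    /**
     * Signs {@code request} with an enveloped XML-DSig signature inserted as its first child.
     *
     * <p>The reference points at the element's {@code RequestID} (marked as an ID attribute), uses the
     * enveloped-signature and exclusive-C14N transforms, SHA-1 digest and RSA-SHA1 signature. The signature
     * method is fixed to RSA-SHA1, so presumably signing with a non-RSA private key fails at {@code sign()}.
     *
     * @param request       root element to sign; must carry a {@code RequestID} attribute
     * @param privateKey    signing key
     * @param keyInfoSource a {@link PublicKey} (emitted as {@code KeyValue}) or an {@link X509Certificate}
     *                      (emitted as {@code X509Data})
     * @throws IllegalArgumentException for any other {@code keyInfoSource} type
     */
    private void signRequest(Element request, PrivateKey privateKey, Object keyInfoSource) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, MarshalException, XMLSignatureException, KeyException {
        DOMSignContext signContext = new DOMSignContext(privateKey, request, request.getFirstChild());
        String requestId = request.getAttribute(REQUEST_ID);
        // Without this the "#id" reference cannot be resolved by the DOM implementation.
        request.setIdAttribute(REQUEST_ID, true);

        List<Transform> transforms = new ArrayList<Transform>();
        transforms.add(xmlSignatureFactory.newTransform(ALGO_ENVELOPED_SIGNATURE, (TransformParameterSpec) null));
        transforms.add(xmlSignatureFactory.newTransform(ALGO_EXC_C14N, (C14NMethodParameterSpec) null));
        SignedInfo signedInfo = xmlSignatureFactory.newSignedInfo(
                xmlSignatureFactory.newCanonicalizationMethod(ALGO_EXC_C14N, (C14NMethodParameterSpec) null),
                xmlSignatureFactory.newSignatureMethod(ALGO_RSA_SHA1, (SignatureMethodParameterSpec) null),
                Collections.singletonList(xmlSignatureFactory.newReference("#" + requestId, xmlSignatureFactory.newDigestMethod(ALGO_SHA1, (DigestMethodParameterSpec) null), transforms, (String) null, (String) null)));

        KeyInfoFactory keyInfoFactory = xmlSignatureFactory.getKeyInfoFactory();
        KeyInfo keyInfo;
        if (keyInfoSource instanceof PublicKey) {
            keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newKeyValue((PublicKey) keyInfoSource)));
        } else if (keyInfoSource instanceof X509Certificate) {
            keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(Collections.singletonList(keyInfoSource))));
        } else {
            throw new IllegalArgumentException("Unsupported keyinfo type [" + keyInfoSource.getClass() + "]");
        }
        xmlSignatureFactory.newXMLSignature(signedInfo, keyInfo).sign(signContext);
    }

    /**
     * Returns the unsigned big-endian magnitude of {@code value}.
     *
     * <p>{@link BigInteger#toByteArray()} is two's-complement, so a positive value whose top bit is set gets
     * a leading {@code 0x00}; that byte is dropped here. {@code BigInteger.ZERO} yields an empty array.
     *
     * @param value a non-negative integer (key parameters)
     * @return the magnitude bytes without sign byte
     */
    private static byte[] convertTo(BigInteger value) {
        byte[] encoded = value.toByteArray();
        if (encoded[0] == 0) {
            return Arrays.copyOfRange(encoded, 1, encoded.length);
        }
        return encoded;
    }

    static {
        // The provider class comes from a JVM system property (deployment configuration), defaulting to the JDK's own.
        String providerClassName = System.getProperty(JSR105PROVIDER_SYSTEM_PROPERTY, JSR105PROVIDER_CLASSNAME_DEFAULT);
        LOG.info("Instantiating providate with class [{}]", providerClassName);
        try {
            Provider provider = (Provider) Class.forName(providerClassName).newInstance();
            LOG.info("Using the following provider: {} {}", provider, provider.getInfo());
            xmlSignatureFactory = XMLSignatureFactory.getInstance("DOM", provider);
        } catch (ClassNotFoundException e) {
            throw new InstantiationException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
        } catch (IllegalAccessException e) {
            throw new InstantiationException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
        } catch (java.lang.InstantiationException e) {
            // Fully qualified: the unqualified name is the connector's own InstantiationException (imported above).
            throw new InstantiationException(e.getClass().getSimpleName() + ": " + e.getMessage(), e);
        }
    }
}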
