package be.fgov.ehealth.technicalconnector.signature.resolvers;

import be.ehealth.technicalconnector.utils.ConnectorIOUtils;
import be.fgov.ehealth.technicalconnector.signature.impl.DomUtils;
import be.fgov.ehealth.technicalconnector.signature.impl.SignatureUtils;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.keys.keyresolver.KeyResolverSpi;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.utils.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/signature/resolvers/SAMLAssertionKeyResolver.class */
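/**
 * xmlsec {@link KeyResolverSpi} that locates the signing certificate for a signature whose
 * KeyInfo points at a SAML 1.1 assertion through a
 * {@code wsse:SecurityTokenReference/wsse:KeyIdentifier} of ValueType
 * {@code ...#SAMLAssertionID}.
 *
 * <p>Resolution steps (all driven by the DOM of the document being verified):
 * <ol>
 *   <li>{@link #extract(Element)} finds the SecurityTokenReference (the element itself or its
 *       single such child), requires a {@code wsse11:TokenType} of SAML V1.1 and returns the
 *       KeyIdentifier node carrying the assertion ID.</li>
 *   <li>{@link #engineResolveX509Certificate} looks the assertion up by its {@code AssertionID}
 *       attribute in the owner document, requires exactly one {@code saml:AuthenticationStatement}
 *       in it, parses every {@code ds:X509Certificate} found under that statement, and returns the
 *       first certificate of the resulting path.</li>
 * </ol>
 *
 * <p><b>Security caveat (review):</b> this resolver only <em>locates</em> a certificate that the
 * incoming document itself carries. It does not verify the assertion's own signature, it does not
 * check that the assertion was issued by a trusted STS, and {@code CertificateFactory.generateCertPath}
 * merely builds the path — it does not validate it against any trust anchor (there is no
 * {@code CertPathValidator} here). An attacker who can inject an assertion into the document
 * controls the certificate this resolver hands back; the caller must therefore validate the
 * assertion (issuer signature, validity window, audience) and the returned certificate before
 * trusting a signature verified with it. Any parse or structural problem makes the resolver
 * fail closed by returning {@code null} (i.e. "cannot resolve"), never by returning a partial result.
 *
 * <p>Assertion lookup is by {@code AssertionID} over the whole owner document; when several
 * assertions share an ID, the first one in document order wins.
 */
public class SAMLAssertionKeyResolver extends KeyResolverSpi {
    private static final String ATTR_VALUE_SAML_1_1_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String ATTR_VALUE_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    private static final String XMLNS_SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String XMLNS_WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Namespace of the {@code TokenType} attribute on the SecurityTokenReference (WS-Security 1.1). */
    private static final String XMLNS_WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
    private static final Logger LOG = LoggerFactory.getLogger(SAMLAssertionKeyResolver.class);
    /** X.509 factory from the BouncyCastle provider; initialised once in the static block below. */
    private static final CertificateFactory CF;

    /**
     * Returns {@code true} when {@code element} (or its single SecurityTokenReference child)
     * references a SAML 1.1 assertion by ID, i.e. when {@link #extract(Element)} finds something.
     *
     * @param element          KeyInfo child handed over by xmlsec
     * @param str              base URI (unused)
     * @param storageResolver  storage resolver (unused)
     */
    public boolean engineCanResolve(Element element, String str, StorageResolver storageResolver) {
        return extract(element) != null;
    }

    /**
     * Finds the {@code wsse:KeyIdentifier} node that carries the SAML 1.1 assertion ID.
     *
     * @param element either the {@code wsse:SecurityTokenReference} itself or an element with
     *                exactly one such child
     * @return the KeyIdentifier node whose ValueType is the SAML assertion-ID value type, or
     *         {@code null} when no such reference is present; a missing {@code TokenType} or
     *         {@code ValueType} attribute simply yields {@code null} instead of an exception
     */
    public Node extract(Element element) {
        Element tokenReference = locateSecurityTokenReference(element);
        if (tokenReference == null) {
            return null;
        }
        // Only SAML V1.1 tokens are handled by this resolver; anything else is "not ours".
        String tokenType = attributeValueNS(tokenReference, XMLNS_WSSE11, "TokenType");
        if (!ATTR_VALUE_SAML_1_1_PROFILE.equals(tokenType)) {
            return null;
        }
        NodeList keyIdentifiers = DomUtils.getMatchingChilds(tokenReference, XMLNS_WSSE, "KeyIdentifier");
        int count = keyIdentifiers == null ? 0 : keyIdentifiers.getLength();
        for (int i = 0; i < count; i++) {
            Node keyIdentifier = keyIdentifiers.item(i);
            // ValueType is an unqualified attribute on the KeyIdentifier element.
            if (ATTR_VALUE_ASSERTION_ID.equals(attributeValue(keyIdentifier, "ValueType"))) {
                LOG.debug("SAML1.1 assertion detected.");
                return keyIdentifier;
            }
        }
        return null;
    }

    /**
     * Resolves the certificate embedded in the referenced assertion's single AuthenticationStatement.
     *
     * <p>Returns {@code null} (fail closed) when: no SAML assertion reference is present, no
     * assertion with the referenced ID exists in the document, the assertion does not contain
     * exactly one AuthenticationStatement, no certificate is found under it, any certificate
     * fails to parse, or the certificate path cannot be built. The returned certificate is
     * <em>not</em> validated against any trust anchor here (see class comment).
     *
     * @param element          KeyInfo child handed over by xmlsec
     * @param str              base URI (unused)
     * @param storageResolver  storage resolver (unused)
     * @return the first certificate of the path built from the assertion, or {@code null}
     * @throws KeyResolverException declared for xmlsec compatibility; not thrown by this implementation
     */
    public X509Certificate engineResolveX509Certificate(Element element, String str, StorageResolver storageResolver) throws KeyResolverException {
        Node keyIdentifier = extract(element);
        if (keyIdentifier == null) {
            LOG.debug("No SAML1.1 assertion reference found; nothing to resolve.");
            return null;
        }
        String assertionId = keyIdentifier.getTextContent();
        if (assertionId == null) {
            LOG.debug("KeyIdentifier carries no assertion ID; nothing to resolve.");
            return null;
        }
        Element assertion = findAssertionById(element, assertionId);
        if (assertion == null) {
            LOG.debug("No saml:Assertion with AssertionID [{}] found in document.", assertionId);
            return null;
        }
        NodeList statements = DomUtils.getMatchingChilds(assertion, XMLNS_SAML, "AuthenticationStatement");
        int statementCount = statements == null ? 0 : statements.getLength();
        if (statementCount > 1) {
            LOG.debug("Multiple AuthenticationStatements found;");
            return null;
        }
        if (statementCount == 0) {
            // The original code dereferenced item(0) here; an assertion without an
            // AuthenticationStatement carries no key material for us, so give up cleanly.
            LOG.debug("No AuthenticationStatement found in assertion [{}];", assertionId);
            return null;
        }
        List<X509Certificate> certificates = certificatesUnder(statements.item(0));
        if (certificates == null) {
            // At least one ds:X509Certificate did not parse: refuse to resolve rather than build a
            // path from the subset that did (the bad element was already logged by generate()).
            return null;
        }
        LOG.debug("X509Certificate(s) detected in AuthenticationStatement [{}];", certificates.size());
        if (certificates.isEmpty()) {
            return null;
        }
        try {
            // generateCertPath only assembles the path; it performs no trust validation.
            X509Certificate x509Certificate = (X509Certificate) CF.generateCertPath(certificates).getCertificates().get(0);
            LOG.debug("returning  X509Certificate [{}]", x509Certificate.getSubjectX500Principal().getName("RFC1779"));
            return x509Certificate;
        } catch (CertificateException e) {
            LOG.error("Unable to build certificate path from assertion [" + assertionId + "]", e);
            return null;
        }
    }

    /**
     * Returns the {@code wsse:SecurityTokenReference} to inspect: {@code element} itself when it is
     * one, otherwise its single such child; {@code null} when neither applies (including when the
     * element has zero or several such children).
     */
    private static Element locateSecurityTokenReference(Element element) {
        if (element == null) {
            return null;
        }
        if ("SecurityTokenReference".equals(element.getLocalName()) && XMLNS_WSSE.equals(element.getNamespaceURI())) {
            return element;
        }
        NodeList candidates = DomUtils.getMatchingChilds(element, XMLNS_WSSE, "SecurityTokenReference");
        if (candidates != null && candidates.getLength() == 1) {
            return (Element) candidates.item(0);
        }
        return null;
    }

    /**
     * Looks up the first {@code saml:Assertion} in {@code context}'s owner document whose
     * {@code AssertionID} attribute equals {@code assertionId}; {@code null} when there is none.
     */
    private static Element findAssertionById(Element context, String assertionId) {
        NodeList assertions = context.getOwnerDocument().getElementsByTagNameNS(XMLNS_SAML, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            Element assertion = (Element) assertions.item(i);
            if (assertionId.equals(attributeValue(assertion, "AssertionID"))) {
                return assertion;
            }
        }
        return null;
    }

    /**
     * Parses every {@code ds:X509Certificate} that {@link DomUtils#getMatchingChilds} finds under
     * {@code statement}, in document order.
     *
     * @return the parsed certificates (possibly empty), or {@code null} when any of them failed to parse
     */
    private List<X509Certificate> certificatesUnder(Node statement) {
        NodeList certificateNodes = DomUtils.getMatchingChilds(statement, SignatureUtils.XMLNS_DS, "X509Certificate");
        int count = certificateNodes == null ? 0 : certificateNodes.getLength();
        List<X509Certificate> certificates = new ArrayList<X509Certificate>(count);
        for (int i = 0; i < count; i++) {
            X509Certificate certificate = generate(certificateNodes.item(i).getTextContent());
            if (certificate == null) {
                return null;
            }
            certificates.add(certificate);
        }
        return certificates;
    }

    /** Text of the unqualified attribute {@code name} on {@code node}, or {@code null} when absent. */
    private static String attributeValue(Node node, String name) {
        if (node == null || node.getAttributes() == null) {
            return null;
        }
        Node attribute = node.getAttributes().getNamedItem(name);
        return attribute == null ? null : attribute.getTextContent();
    }

    /** Text of the namespaced attribute {@code {ns}name} on {@code node}, or {@code null} when absent. */
    private static String attributeValueNS(Node node, String namespace, String name) {
        if (node == null || node.getAttributes() == null) {
            return null;
        }
        Node attribute = node.getAttributes().getNamedItemNS(namespace, name);
        return attribute == null ? null : attribute.getTextContent();
    }

    /**
     * Decodes one base64 {@code ds:X509Certificate} text into a certificate.
     *
     * @param base64 the element's text content
     * @return the certificate, or {@code null} when decoding or parsing fails (the error is logged)
     */
    private X509Certificate generate(String base64) {
        if (base64 == null) {
            LOG.error("Error while generating certificate: empty X509Certificate element.");
            return null;
        }
        ByteArrayInputStream in = null;
        try {
            // Base64 is pure ASCII, so the charset used here cannot change the decoded bytes for
            // valid input; naming it avoids depending on the platform default.
            in = new ByteArrayInputStream(Base64.decode(base64.getBytes(StandardCharsets.US_ASCII)));
            return (X509Certificate) CF.generateCertificate(in);
        } catch (Exception e) {
            LOG.error("Error while generating certificate.", e);
            return null;
        } finally {
            ConnectorIOUtils.closeQuietly(in);
        }
    }

    static {
        try {
            // The BouncyCastle provider ("BC") must be registered before this class is loaded;
            // a missing provider surfaces as an ExceptionInInitializerError wrapping the cause.
            CF = CertificateFactory.getInstance("X.509", "BC");
        } catch (NoSuchProviderException e) {
            throw new IllegalArgumentException(e);
        } catch (CertificateException e2) {
            throw new IllegalArgumentException(e2);
        }
    }
}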
