package org.springframework.security.saml.websso;

import java.security.cert.CertificateEncodingException;
import java.util.Iterator;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.KeyInfoConfirmationDataType;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.util.Base64;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.1.RELEASE.jar:org/springframework/security/saml/websso/WebSSOProfileConsumerHoKImpl.class */
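public class WebSSOProfileConsumerHoKImpl extends WebSSOProfileConsumerImpl implements WebSSOProfileConsumer {

    /**
     * Identifies this consumer as the SAML 2.0 Holder-of-Key Web Browser SSO profile.
     *
     * @return the HoK WebSSO profile URI constant
     */
    @Override
    public String getProfileIdentifier() {
        return SAMLConstants.SAML2_HOK_WEBSSO_PROFILE_URI;
    }

    /**
     * Confirms the assertion subject with the holder-of-key method.
     *
     * <p>The assertion is accepted only if at least one {@code SubjectConfirmation} uses the
     * holder-of-key method, carries {@code KeyInfoConfirmationDataType} confirmation data, and one
     * of its {@code KeyInfo} elements contains the exact X.509 certificate the user agent presented
     * on the TLS connection (taken from the peer SSL credential in the context). The optional
     * {@code NotBefore}, {@code NotOnOrAfter}, {@code InResponseTo} and {@code Recipient} attributes
     * are each validated only when present; any one of them failing rejects that confirmation.
     * The first confirmation that passes every check wins and its (possibly decrypted) NameID is
     * stored on the context.
     *
     * <p>Security notes:
     * <ul>
     * <li>Only certificates extracted via {@link SAMLUtil#getBase64EncodeCertificates(KeyInfo)} are
     *     compared, so a {@code KeyInfo} carrying only a {@code KeyValue} or a digest never matches.</li>
     * <li>The binding is only as strong as the peer SSL credential: it must be the client certificate
     *     of the mutually authenticated TLS connection that delivered the response, since the TLS
     *     handshake is what proves possession of the private key. How that credential is populated
     *     is outside this class — confirm it against the context population code.</li>
     * <li>NOTE(review): no clock-skew tolerance is applied to NotBefore/NotOnOrAfter here; confirm
     *     whether the base profile's skew setting should be honoured as in the bearer consumer.</li>
     * </ul>
     *
     * @param subject              assertion subject whose confirmations are examined
     * @param authnRequest         the originating request, or {@code null} for unsolicited responses;
     *                             used only to validate {@code InResponseTo} when both are present
     * @param sAMLMessageContext   context supplying the peer SSL credential, local endpoint and decrypter
     * @throws SAMLException       when the peer credential is missing, cannot be encoded, or no
     *                             confirmation can be confirmed by the holder-of-key method
     * @throws DecryptionException when an encrypted NameID cannot be decrypted
     */
    @Override
    protected void verifySubject(Subject subject, AuthnRequest authnRequest, SAMLMessageContext sAMLMessageContext) throws SAMLException, DecryptionException {
        // Fails fast: without the TLS client certificate nothing can be confirmed by HoK.
        String userAgentBase64Certificate = getUserAgentBase64Certificate(sAMLMessageContext);

        for (SubjectConfirmation subjectConfirmation : subject.getSubjectConfirmations()) {
            if (!SubjectConfirmation.METHOD_HOLDER_OF_KEY.equals(subjectConfirmation.getMethod())) {
                continue; // bearer and other methods are not acceptable under this profile
            }
            this.log.debug("Processing Holder-of-Key subject confirmation");
            SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();

            if (subjectConfirmationData == null) {
                this.log.debug("HoK SubjectConfirmation invalidated by missing confirmation data");
                continue;
            }
            if (!(subjectConfirmationData instanceof KeyInfoConfirmationDataType)) {
                this.log.debug("HoK SubjectConfirmation invalidated by confirmation data not being of KeyInformationDataType type");
                continue;
            }
            if (!matchesUserAgentCertificate((KeyInfoConfirmationDataType) subjectConfirmationData, userAgentBase64Certificate)) {
                this.log.debug("HoK SubjectConfirmation invalidated by confirmation keyInfo not corresponding to certificate supplied by user agent");
                continue;
            }
            if (subjectConfirmationData.getNotBefore() != null && subjectConfirmationData.getNotBefore().isAfterNow()) {
                this.log.debug("HoK SubjectConfirmation invalidated by notBefore field");
                continue;
            }
            // FIX: the null guard used to test NotBefore instead of NotOnOrAfter, so an expired
            // NotOnOrAfter was silently ignored whenever NotBefore was absent, and a present NotBefore
            // with an absent NotOnOrAfter threw NullPointerException. NotOnOrAfter stays optional.
            if (subjectConfirmationData.getNotOnOrAfter() != null && subjectConfirmationData.getNotOnOrAfter().isBeforeNow()) {
                this.log.debug("HoK SubjectConfirmation invalidated by expired notOnOrAfter");
                continue;
            }
            // InResponseTo is checked only when both the request and the attribute are available.
            if (authnRequest != null && subjectConfirmationData.getInResponseTo() != null
                    && !subjectConfirmationData.getInResponseTo().equals(authnRequest.getID())) {
                this.log.debug("HoK SubjectConfirmation invalidated by invalid in response to field");
                continue;
            }
            if (subjectConfirmationData.getRecipient() != null) {
                try {
                    verifyEndpoint(sAMLMessageContext.getLocalEntityEndpoint(), subjectConfirmationData.getRecipient());
                } catch (SAMLException e) {
                    this.log.debug("HoK SubjectConfirmation invalidated by recipient assertion consumer URL, found {}", subjectConfirmationData.getRecipient());
                    // FIX: a Recipient mismatch was only logged and the confirmation was still accepted,
                    // allowing an assertion addressed to a different consumer endpoint to be replayed here.
                    continue;
                }
            }

            sAMLMessageContext.setSubjectNameIdentifier(resolveNameID(subject, sAMLMessageContext));
            return;
        }

        throw new SAMLException("Assertion invalidated by subject confirmation - can't be confirmed by holder-of-key method");
    }

    /**
     * Returns {@code true} when any certificate carried in the confirmation's {@code KeyInfo} elements
     * is byte-for-byte (Base64 of DER) identical to the user agent's TLS certificate.
     *
     * @param confirmationData           HoK confirmation data holding zero or more {@code KeyInfo} elements
     * @param userAgentBase64Certificate Base64 DER of the certificate presented by the user agent
     */
    private boolean matchesUserAgentCertificate(KeyInfoConfirmationDataType confirmationData, String userAgentBase64Certificate) {
        for (XMLObject keyInfoObject : confirmationData.getKeyInfos()) {
            for (String candidate : SAMLUtil.getBase64EncodeCertificates((KeyInfo) keyInfoObject)) {
                this.log.debug("Comparing user agent certificate {} with certificate in HoK key info {}", userAgentBase64Certificate, candidate);
                if (userAgentBase64Certificate.equals(candidate)) {
                    this.log.debug("User agent certificate confirmed");
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Resolves the subject's NameID, decrypting an {@code EncryptedID} with the context's local decrypter.
     *
     * @throws IllegalArgumentException when the subject carries an EncryptedID but no decrypter is set
     * @throws DecryptionException      when decryption of the EncryptedID fails
     */
    private NameID resolveNameID(Subject subject, SAMLMessageContext sAMLMessageContext) throws DecryptionException {
        if (subject.getEncryptedID() == null) {
            return subject.getNameID();
        }
        Assert.notNull(sAMLMessageContext.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context");
        return (NameID) sAMLMessageContext.getLocalDecrypter().decrypt(subject.getEncryptedID());
    }

    /**
     * Returns the Base64 (DER) encoding of the certificate in the context's peer SSL credential.
     *
     * @param sAMLMessageContext context expected to carry the TLS client certificate as peer SSL credential
     * @return Base64-encoded DER certificate, in the same form as the values compared against KeyInfo
     * @throws SAMLException when no peer SSL credential is set or the certificate cannot be encoded
     */
    protected String getUserAgentBase64Certificate(SAMLMessageContext sAMLMessageContext) throws SAMLException {
        if (sAMLMessageContext.getPeerSSLCredential() == null) {
            throw new SAMLException("Cannot verify Holder-of-Key Assertion, peer SSL/TLS credential is not set in the context");
        }
        try {
            return Base64.encodeBytes(sAMLMessageContext.getPeerSSLCredential().getEntityCertificate().getEncoded());
        } catch (CertificateEncodingException e) {
            // Preserve the cause so the encoding failure is diagnosable from the stack trace.
            throw new SAMLException("Error base64 encoding peer certificate", e);
        }
    }
}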
