package de.governikus.panstar.sdk.utils.saml;

import de.governikus.panstar.sdk.utils.constant.Common;
import de.governikus.panstar.sdk.utils.exception.SAMLInternalErrorException;
import de.governikus.panstar.sdk.utils.xml.XMLSignatureHandler;
import java.net.MalformedURLException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.net.URLBuilder;
import org.opensaml.security.crypto.JCAConstants;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/panstar/sdk/utils/saml/SAMLUtils.class */
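/**
 * Static helpers for the SAML HTTP-Redirect style query string: DEFLATE + Base64 encoding of the
 * message and creation / verification of the detached query signature.
 *
 * <p>Only RSASSA-PSS and ECDSA with SHA-256, SHA-384 or SHA-512 are accepted, both when signing and
 * when verifying; every other {@code SigAlg} value is rejected.
 */
public final class SAMLUtils {
    private static final Logger LOG = LoggerFactory.getLogger(SAMLUtils.class);
    public static final String PARAM_SAMLREQUEST = "SAMLRequest";
    public static final String PARAM_SIGALG = "SigAlg";
    public static final String PARAM_SIGNATURE = "Signature";
    public static final String PARAM_RELAYSTATE = "RelayState";
    public static final String PARAM_SAMLRESPONSE = "SAMLResponse";

    // XML signature algorithm URIs accepted in the SigAlg parameter for RSASSA-PSS.
    private static final String SIGALG_RSA_PSS_SHA256 = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
    private static final String SIGALG_RSA_PSS_SHA384 = "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1";
    private static final String SIGALG_RSA_PSS_SHA512 = "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1";

    // JCA algorithm names matching the RSASSA-PSS URIs above.
    private static final String JCA_RSA_PSS_SHA256 = "SHA256withRSASSA-PSS";
    private static final String JCA_RSA_PSS_SHA384 = "SHA384withRSASSA-PSS";
    private static final String JCA_RSA_PSS_SHA512 = "SHA512withRSASSA-PSS";

    // Upper bound for inflated output, expressed as a multiple of the compressed size.
    private static final int MAX_INFLATE_RATIO = 10;

    private static final int DEFLATE_LEVEL = 3;

    // Smallest output buffer used by deflate(); keeps very short inputs from being truncated.
    private static final int MIN_DEFLATE_BUFFER = 64;

    /**
     * Base64-decodes the given string and inflates it as a raw DEFLATE stream (no zlib header).
     *
     * <p>The output is limited to {@value #MAX_INFLATE_RATIO} times the size of the compressed input,
     * which bounds the memory an untrusted message can claim. Input that would inflate beyond the
     * limit is rejected instead of being cut off silently.
     *
     * <p>A stream that ends before its final block is not treated as an error: the bytes inflated so
     * far are returned. Callers must not take a successful return as proof of integrity.
     *
     * @param base64Deflated Base64 text of the deflated message
     * @return the inflated bytes
     * @throws DataFormatException if the stream is malformed or exceeds the output limit
     * @throws IllegalArgumentException if the input is not valid Base64
     */
    public static byte[] inflate(String base64Deflated) throws DataFormatException {
        byte[] compressed = Base64.getDecoder().decode(base64Deflated);
        long capacity = (long) MAX_INFLATE_RATIO * compressed.length;
        if (capacity > Integer.MAX_VALUE) {
            throw new DataFormatException("Compressed input is too large to inflate");
        }
        byte[] buffer = new byte[(int) capacity];
        Inflater inflater = new Inflater(true);
        try {
            inflater.setInput(compressed);
            int total = 0;
            while (total < buffer.length && !inflater.finished()) {
                int produced = inflater.inflate(buffer, total, buffer.length - total);
                if (produced == 0) {
                    // The inflater wants more input or a dictionary; nothing further can be decoded.
                    break;
                }
                total += produced;
            }
            // A full buffer with output still pending means the ratio limit was exceeded.
            if (total == buffer.length && !inflater.finished() && inflater.inflate(new byte[1]) > 0) {
                throw new DataFormatException(
                        "Inflated data exceeds " + MAX_INFLATE_RATIO + " times the compressed size");
            }
            byte[] result = new byte[total];
            System.arraycopy(buffer, 0, result, 0, total);
            return result;
        } finally {
            // Releases the native zlib state right away instead of waiting for garbage collection.
            inflater.end();
        }
    }

    /**
     * Compresses the given bytes as a raw DEFLATE stream (level {@value #DEFLATE_LEVEL}, no zlib
     * header) and returns the result Base64-encoded.
     *
     * <p>The output buffer grows as needed, so short or incompressible inputs are emitted completely.
     *
     * @param data bytes to compress
     * @return Base64 text of the deflated bytes
     */
    public static String deflate(byte[] data) {
        Deflater deflater = new Deflater(DEFLATE_LEVEL, true);
        try {
            deflater.setInput(data);
            deflater.finish();
            byte[] buffer = new byte[Math.max(MIN_DEFLATE_BUFFER, 2 * data.length)];
            int total = 0;
            while (!deflater.finished()) {
                if (total == buffer.length) {
                    byte[] larger = new byte[buffer.length * 2];
                    System.arraycopy(buffer, 0, larger, 0, total);
                    buffer = larger;
                }
                total += deflater.deflate(buffer, total, buffer.length - total);
            }
            byte[] result = new byte[total];
            System.arraycopy(buffer, 0, result, 0, total);
            return Base64.getEncoder().encodeToString(result);
        } finally {
            deflater.end();
        }
    }

    /**
     * Verifies the detached signature of a SAML query string.
     *
     * <p>The signed text is rebuilt from the decoded parameter values as
     * {@code SAMLRequest|SAMLResponse=...[&RelayState=...]&SigAlg=...} and checked against the public
     * key of the given certificate. The method fails closed: a missing argument, an unsupported
     * {@code SigAlg}, malformed Base64 or any provider error all yield {@code false}.
     *
     * <p>The certificate itself is not validated here (no chain, validity-period or revocation
     * check). The caller must pass a certificate it already trusts for the sender.
     *
     * <p>NOTE(review): the parameters are re-encoded with {@link URLEncoder} before verification. A
     * peer that percent-encodes differently (for example lower-case hex digits or {@code %20} for a
     * space) signs different bytes, so its signature would be rejected. Verifying over the
     * URL-encoded values exactly as received avoids that; confirm what the callers pass in.
     *
     * @param samlMessage decoded value of the SAMLRequest / SAMLResponse parameter
     * @param relayState decoded RelayState value, or {@code null} if the parameter was absent
     * @param sigAlg decoded value of the SigAlg parameter
     * @param signatureBase64 decoded value of the Signature parameter (Base64 text)
     * @param certificate certificate whose public key must have produced the signature
     * @param isRequest {@code true} for a SAMLRequest, {@code false} for a SAMLResponse
     * @return {@code true} only if the signature verifies
     */
    public static boolean checkQuerySignature(String samlMessage, String relayState, String sigAlg,
            String signatureBase64, X509Certificate certificate, boolean isRequest) {
        if (samlMessage == null || sigAlg == null || signatureBase64 == null || certificate == null) {
            return false;
        }
        try {
            // The algorithm comes from the request, so it is resolved against a fixed allow-list.
            String jcaAlgorithm = jcaNameForSigAlg(sigAlg);
            byte[] signatureBytes = Base64.getDecoder().decode(signatureBase64);
            Signature verifier = Signature.getInstance(jcaAlgorithm, Common.BOUNCY_PROVIDER);
            verifier.initVerify(certificate);
            verifier.update(getSignedURL(samlMessage, relayState, sigAlg, isRequest)
                    .getBytes(StandardCharsets.UTF_8));
            return verifier.verify(signatureBytes);
        } catch (Exception e) {
            // Deliberately broad: whatever goes wrong during verification must read as "not valid".
            LOG.debug("Ex:", e);
            return false;
        }
    }

    /**
     * Builds the signed redirect URL for a SAML message.
     *
     * @param url destination URL the query parameters are appended to
     * @param isRequest {@code true} to send the message as SAMLRequest, {@code false} as SAMLResponse
     * @param samlMessage parameter value of the message (already deflated and Base64-encoded by the
     *        caller, presumably via {@link #deflate(byte[])}; confirm against the callers)
     * @param relayState RelayState value, or {@code null} to omit the parameter
     * @param privateKey RSA or EC key used for signing
     * @param digestAlgorithm digest name selecting the signature algorithm
     * @return the URL including the SigAlg and Signature parameters
     * @throws SAMLInternalErrorException if the URL is malformed, the key or digest is not supported,
     *         or signing fails
     */
    public static String signQueryParameter(String url, boolean isRequest, String samlMessage,
            String relayState, PrivateKey privateKey, String digestAlgorithm) throws SAMLInternalErrorException {
        try {
            URLBuilder builder = new URLBuilder(url);
            appendParam(builder, isRequest ? PARAM_SAMLREQUEST : PARAM_SAMLRESPONSE, samlMessage);
            if (relayState != null) {
                appendParam(builder, PARAM_RELAYSTATE, relayState);
            }
            signQuery(builder, privateKey, digestAlgorithm, samlMessage, relayState, isRequest);
            return builder.buildURL();
        } catch (MalformedURLException e) {
            throw new SAMLInternalErrorException(e);
        }
    }

    /**
     * Chooses the signature algorithm from key type and digest, then appends the SigAlg and
     * Signature parameters to the builder.
     *
     * @throws SAMLInternalErrorException if the key type or digest is not supported or signing fails
     */
    private static void signQuery(URLBuilder builder, PrivateKey privateKey, String digestAlgorithm,
            String samlMessage, String relayState, boolean isRequest) throws SAMLInternalErrorException {
        String sigAlgUri;
        String jcaAlgorithm;
        String keyAlgorithm = privateKey.getAlgorithm();
        if (JCAConstants.KEY_ALGO_RSA.equalsIgnoreCase(keyAlgorithm)) {
            // RSA keys always sign with RSASSA-PSS; PKCS#1 v1.5 is never selected.
            switch (digestBits(digestAlgorithm)) {
                case 256:
                    sigAlgUri = SIGALG_RSA_PSS_SHA256;
                    jcaAlgorithm = JCA_RSA_PSS_SHA256;
                    break;
                case 384:
                    sigAlgUri = SIGALG_RSA_PSS_SHA384;
                    jcaAlgorithm = JCA_RSA_PSS_SHA384;
                    break;
                default:
                    sigAlgUri = SIGALG_RSA_PSS_SHA512;
                    jcaAlgorithm = JCA_RSA_PSS_SHA512;
                    break;
            }
        } else if (JCAConstants.KEY_ALGO_EC.equals(keyAlgorithm)) {
            switch (digestBits(digestAlgorithm)) {
                case 256:
                    sigAlgUri = SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256;
                    jcaAlgorithm = JCAConstants.SIGNATURE_ECDSA_SHA256;
                    break;
                case 384:
                    sigAlgUri = SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384;
                    jcaAlgorithm = JCAConstants.SIGNATURE_ECDSA_SHA384;
                    break;
                default:
                    sigAlgUri = SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512;
                    jcaAlgorithm = JCAConstants.SIGNATURE_ECDSA_SHA512;
                    break;
            }
        } else {
            throw new SAMLInternalErrorException("Unsupported signature algorithm: " + keyAlgorithm);
        }
        appendParam(builder, PARAM_SIGALG, sigAlgUri);
        try {
            // Keys whose class name contains "P11Key" use the default provider lookup rather than
            // BouncyCastle -- presumably because PKCS#11-backed keys must be handled by the provider
            // that owns them; confirm.
            Signature signer = privateKey.getClass().getName().contains("P11Key")
                    ? Signature.getInstance(jcaAlgorithm)
                    : Signature.getInstance(jcaAlgorithm, Common.BOUNCY_PROVIDER);
            signer.initSign(privateKey);
            signer.update(getSignedURL(samlMessage, relayState, sigAlgUri, isRequest)
                    .getBytes(StandardCharsets.UTF_8));
            appendParam(builder, PARAM_SIGNATURE, Base64.getEncoder().encodeToString(signer.sign()));
        } catch (InvalidKeyException e) {
            throw new SAMLInternalErrorException("Cannot initialize signing object: Invalid key", e);
        } catch (NoSuchAlgorithmException e) {
            throw new SAMLInternalErrorException("Cannot get signature instance: No such Algorithm", e);
        } catch (SignatureException e) {
            throw new SAMLInternalErrorException("Cannot sign query", e);
        }
    }

    /**
     * Maps a SigAlg URI to the JCA signature algorithm name.
     *
     * @throws UnsupportedOperationException if the URI is not on the allow-list
     */
    private static String jcaNameForSigAlg(String sigAlg) {
        switch (sigAlg) {
            case SIGALG_RSA_PSS_SHA256:
                return JCA_RSA_PSS_SHA256;
            case SIGALG_RSA_PSS_SHA384:
                return JCA_RSA_PSS_SHA384;
            case SIGALG_RSA_PSS_SHA512:
                return JCA_RSA_PSS_SHA512;
            case SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256:
                return JCAConstants.SIGNATURE_ECDSA_SHA256;
            case SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384:
                return JCAConstants.SIGNATURE_ECDSA_SHA384;
            case SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512:
                return JCAConstants.SIGNATURE_ECDSA_SHA512;
            default:
                throw new UnsupportedOperationException("unsupported signature algorithm " + sigAlg);
        }
    }

    /**
     * Returns the digest size in bits (256, 384 or 512) for a supported digest name.
     *
     * @throws SAMLInternalErrorException if the name is {@code null} or not supported
     */
    private static int digestBits(String digestAlgorithm) throws SAMLInternalErrorException {
        if (digestAlgorithm != null) {
            switch (digestAlgorithm) {
                case XMLSignatureHandler.SHA256_ALT:
                case "SHA-256":
                    return 256;
                case XMLSignatureHandler.SHA384_ALT:
                case "SHA-384":
                    return 384;
                case XMLSignatureHandler.SHA512_ALT:
                case "SHA-512":
                    return 512;
                default:
                    break;
            }
        }
        throw new SAMLInternalErrorException("Given digest algorithm " + digestAlgorithm + " not supported");
    }

    /** Adds one query parameter to the URL under construction. */
    private static void appendParam(URLBuilder builder, String name, String value) {
        builder.getQueryParams().add(new Pair<>(name, value));
    }

    /**
     * Builds the text covered by the signature: the message parameter, the optional RelayState and
     * the SigAlg, each value form-URL-encoded as UTF-8 and joined with {@code &}.
     */
    private static String getSignedURL(String samlMessage, String relayState, String sigAlg, boolean isRequest) {
        StringBuilder signedText = new StringBuilder();
        signedText.append(isRequest ? PARAM_SAMLREQUEST : PARAM_SAMLRESPONSE).append('=').append(urlEncode(samlMessage));
        if (relayState != null) {
            signedText.append('&').append(PARAM_RELAYSTATE).append('=').append(urlEncode(relayState));
        }
        signedText.append('&').append(PARAM_SIGALG).append('=').append(urlEncode(sigAlg));
        return signedText.toString();
    }

    /** Form-URL-encodes a value as UTF-8. */
    private static String urlEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    private SAMLUtils() {
    }
}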
