package de.bos_bremen.gov.autent.common;

import de.bos_bremen.gov.autent.common.exceptions.IllegalParameterException;
import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import javax.xml.bind.DatatypeConverter;
import org.apache.http.HttpHost;
import org.apache.xml.security.signature.XMLSignature;
import org.codehaus.groovy.control.ResolveVisitor;
import org.opensaml.security.crypto.JCAConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;

/* loaded from: input_file:BOOT-INF/lib/autent-common-3.72.5.jar:de/bos_bremen/gov/autent/common/HttpRedirectUtils.class */
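/**
 * Helpers for the SAML 2.0 HTTP-Redirect binding (DEFLATE encoding): compressing and
 * Base64-encoding a message, building the signed query string
 * ({@code SAMLRequest}|{@code SAMLResponse}, {@code RelayState}, {@code SigAlg},
 * {@code Signature}) and verifying such a signature on the receiving side.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The signature covers exactly {@code SAMLRequest=..} (or {@code SAMLResponse=..}),
 *       {@code &RelayState=..} if present, and {@code &SigAlg=..}, in that order, using the
 *       raw (URL-encoded) values as they appear on the wire. Anything else in the query
 *       string (e.g. the {@code notHot} marker) is NOT covered by the signature.</li>
 *   <li>{@link #checkQueryString} only verifies the signature bytes against the given
 *       certificate. Establishing that the certificate is the trusted peer's (chain,
 *       validity, binding to the sender) is the caller's responsibility.</li>
 *   <li>SHA-1 based algorithms are still accepted on verification for interoperability
 *       but are logged at WARN; the signing side should use SHA-256 or stronger.</li>
 *   <li>{@link #inflate} is bounded by {@link #MAX_INFLATED_BYTES} so that a crafted,
 *       highly compressible message cannot exhaust memory.</li>
 * </ul>
 */
public final class HttpRedirectUtils {
    private static final Logger log = LoggerFactory.getLogger(HttpRedirectUtils.class);

    public static final String REQUEST_PARAMNAME = "SAMLRequest";
    public static final String RESPONSE_PARAMNAME = "SAMLResponse";
    public static final String SIGALG_PARAMNAME = "SigAlg";
    public static final String RELAYSTATE_PARAMNAME = "RelayState";
    public static final String SIGVALUE_PARAMNAME = "Signature";

    /**
     * Historic, malformed rsa-sha256 URI ('/' instead of '#' before the fragment). Still
     * accepted by {@link #checkQueryString} for old peers, never emitted when signing.
     */
    @Deprecated
    public static final String SIGALG_RSA_SHA256_OLD_WRONG = "http://www.w3.org/2001/04/xmldsig-more/rsa-sha256";
    public static final String REFERENCE_PARAMNAME = "refID";

    /** Upper bound for the size of an inflated message; {@link #inflate} rejects anything larger. */
    public static final int MAX_INFLATED_BYTES = 1024 * 1024;

    /** Unsigned marker parameter appended when a query string is built with {@code hot == false}. */
    private static final String NOT_HOT_PARAMNAME = "notHot";

    /** Compression level for {@link #deflate}; kept as in the previous implementation. */
    private static final int DEFLATE_LEVEL = 3;
    private static final int IO_CHUNK_SIZE = 4096;

    // Key algorithm names as returned by PrivateKey.getAlgorithm().
    private static final String KEY_ALGO_RSA = "RSA";
    private static final String KEY_ALGO_DSA = "DSA";
    private static final String KEY_ALGO_EC = "EC";
    private static final String KEY_ALGO_ECDSA = "ECDSA";

    // Canonical digest names used internally (hyphen-less, upper case); see normalizeDigest().
    private static final String DIGEST_SHA1 = "SHA1";
    private static final String DIGEST_SHA256 = "SHA256";
    private static final String DIGEST_SHA384 = "SHA384";
    private static final String DIGEST_SHA512 = "SHA512";

    // SigAlg URIs (XML-DSig core, RFC 4051 / RFC 6931 for the xmldsig-more ones).
    private static final String SIGALG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String SIGALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String SIGALG_RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";
    private static final String SIGALG_RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
    private static final String SIGALG_RSA_SHA1_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1";
    private static final String SIGALG_RSA_SHA256_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
    private static final String SIGALG_RSA_SHA384_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1";
    private static final String SIGALG_RSA_SHA512_MGF1 = "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1";
    private static final String SIGALG_DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
    private static final String SIGALG_DSA_SHA256 = "http://www.w3.org/2009/xmldsig11#dsa-sha256";
    private static final String SIGALG_ECDSA_SHA1 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1";
    private static final String SIGALG_ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
    private static final String SIGALG_ECDSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384";
    private static final String SIGALG_ECDSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";

    /**
     * SigAlg URI accepted on verification -> JCA signature algorithm name. This is the single
     * place that decides which algorithms a peer may use; the signing side derives its pair
     * from the same URI constants, so what we emit is always something we can verify.
     */
    private static final Map<String, String> JCA_NAME_BY_SIGALG_URI;

    static {
        Map<String, String> byUri = new HashMap<>();
        byUri.put(SIGALG_RSA_SHA1, "SHA1withRSA");
        byUri.put(SIGALG_RSA_SHA256, "SHA256withRSA");
        byUri.put(SIGALG_RSA_SHA256_OLD_WRONG, "SHA256withRSA");
        byUri.put(SIGALG_RSA_SHA384, "SHA384withRSA");
        byUri.put(SIGALG_RSA_SHA512, "SHA512withRSA");
        byUri.put(SIGALG_RSA_SHA1_MGF1, "SHA1withRSAandMGF1");
        byUri.put(SIGALG_RSA_SHA256_MGF1, "SHA256withRSAandMGF1");
        byUri.put(SIGALG_RSA_SHA384_MGF1, "SHA384withRSAandMGF1");
        byUri.put(SIGALG_RSA_SHA512_MGF1, "SHA512withRSAandMGF1");
        byUri.put(SIGALG_DSA_SHA1, "SHA1withDSA");
        byUri.put(SIGALG_DSA_SHA256, "SHA256withDSA");
        byUri.put(SIGALG_ECDSA_SHA1, "SHA1withECDSA");
        byUri.put(SIGALG_ECDSA_SHA256, "SHA256withECDSA");
        byUri.put(SIGALG_ECDSA_SHA384, "SHA384withECDSA");
        byUri.put(SIGALG_ECDSA_SHA512, "SHA512withECDSA");
        JCA_NAME_BY_SIGALG_URI = Collections.unmodifiableMap(byUri);
    }

    /** Pair of the SigAlg URI placed in the query string and the JCA name used to produce it. */
    private static final class SignatureAlgorithm {
        final String uri;
        final String jcaName;

        SignatureAlgorithm(String uri, String jcaName) {
            this.uri = uri;
            this.jcaName = jcaName;
        }
    }

    private HttpRedirectUtils() {
    }

    /**
     * Compresses {@code data} as a raw DEFLATE stream (no zlib header, level {@value #DEFLATE_LEVEL})
     * and returns it Base64-encoded without line breaks.
     *
     * @param data message bytes to encode; must not be {@code null}
     * @return Base64 text of the raw DEFLATE stream
     */
    public static String deflate(byte[] data) {
        Deflater deflater = new Deflater(DEFLATE_LEVEL, true);
        try {
            deflater.setInput(data);
            deflater.finish();
            ByteArrayOutputStream compressed = new ByteArrayOutputStream();
            byte[] chunk = new byte[IO_CHUNK_SIZE];
            // Drain until finished(): a fixed 2*n buffer is not enough for tiny or incompressible
            // inputs, where DEFLATE output can exceed the input size and would be truncated.
            while (!deflater.finished()) {
                int produced = deflater.deflate(chunk);
                compressed.write(chunk, 0, produced);
            }
            return Base64.getEncoder().encodeToString(compressed.toByteArray());
        } finally {
            // release the native zlib state instead of waiting for finalization
            deflater.end();
        }
    }

    /**
     * Reverses {@link #deflate}: Base64-decodes {@code base64Deflated} and inflates the raw
     * DEFLATE stream.
     *
     * <p>Output is capped at {@link #MAX_INFLATED_BYTES}; exceeding it raises
     * {@link DataFormatException} instead of silently truncating (the previous implementation
     * cut the output at ten times the compressed size without any error). If the input ends
     * before the end-of-stream marker, whatever was inflated so far is returned, as before;
     * a truncated message then fails downstream parsing.
     *
     * @param base64Deflated Base64 text (whitespace and line breaks are ignored)
     * @return the inflated bytes
     * @throws DataFormatException if the data is not a valid DEFLATE stream, needs a preset
     *                             dictionary, or inflates beyond {@link #MAX_INFLATED_BYTES}
     * @throws IllegalArgumentException if the text is not valid Base64
     */
    public static byte[] inflate(String base64Deflated) throws DataFormatException {
        // MIME decoder: lenient about whitespace/line breaks, like the previous decoder was
        byte[] compressed = Base64.getMimeDecoder().decode(base64Deflated);
        Inflater inflater = new Inflater(true);
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream inflated = new ByteArrayOutputStream();
            byte[] chunk = new byte[IO_CHUNK_SIZE];
            while (!inflater.finished()) {
                int produced = inflater.inflate(chunk);
                if (produced == 0) {
                    if (inflater.needsDictionary()) {
                        throw new DataFormatException("deflate stream requires a preset dictionary");
                    }
                    // input exhausted without end-of-stream marker: return what we have
                    break;
                }
                if (inflated.size() + produced > MAX_INFLATED_BYTES) {
                    throw new DataFormatException("inflated message exceeds " + MAX_INFLATED_BYTES + " bytes");
                }
                inflated.write(chunk, 0, produced);
            }
            return inflated.toByteArray();
        } finally {
            inflater.end();
        }
    }

    /**
     * Builds a redirect URL with the default options: no explicit JCA provider, no
     * {@code notHot} marker, PKCS#1 v1.5 (not MGF1/PSS) for RSA keys.
     *
     * @see #createQueryString(String, byte[], boolean, String, PrivateKey, String, String, boolean, boolean)
     */
    public static String createQueryString(String url, byte[] message, boolean isRequest, String relayState, PrivateKey signingKey, String digestAlgorithm) throws UnsupportedEncodingException, GeneralSecurityException, MalformedURLException {
        return createQueryString(url, message, isRequest, relayState, signingKey, digestAlgorithm, null, true, false);
    }

    /**
     * Builds the full redirect URL for a SAML message: {@code url} plus the DEFLATE/Base64/URL
     * encoded message, the optional {@code RelayState}, and - when a key is given - the
     * {@code SigAlg} and {@code Signature} parameters.
     *
     * <p>The signature is computed over the query string exactly as built up to and including
     * {@code SigAlg} (URL-encoded values, in the order request/response, RelayState, SigAlg).
     * The {@code notHot} marker is appended after the signature and is therefore unsigned.
     *
     * @param url             endpoint URL; the query is appended with {@code ?} or {@code &}
     *                        depending on whether {@code url} already has a query
     * @param message         raw message bytes (the XML), compressed and encoded here
     * @param isRequest       {@code true} to send it as {@code SAMLRequest}, else {@code SAMLResponse}
     * @param relayState      optional RelayState (covered by the signature), or {@code null}
     * @param signingKey      private key to sign with, or {@code null} for an unsigned query
     * @param digestAlgorithm digest for the signature: SHA-1, SHA-256, SHA-384 or SHA-512, with
     *                        or without the hyphen, case-insensitive (DSA: SHA-1/SHA-256 only)
     * @param provider        JCA provider name, or {@code null} for the default lookup
     * @param hot             when {@code false}, the unsigned parameter {@code notHot=true} is
     *                        appended; its meaning is defined by the consumer, not here
     * @param useMgf1         for RSA keys, use the RSA-MGF1 (PSS) algorithm URIs and JCA names
     * @return {@code url} with the query string appended
     * @throws UnsupportedEncodingException if {@link Utils#ENCODING} is not available
     * @throws GeneralSecurityException     if the key or digest algorithm is unsupported or signing fails
     * @throws MalformedURLException        if {@code url} is not a valid URL
     */
    public static String createQueryString(String url, byte[] message, boolean isRequest, String relayState, PrivateKey signingKey, String digestAlgorithm, String provider, boolean hot, boolean useMgf1) throws UnsupportedEncodingException, GeneralSecurityException, MalformedURLException {
        StringBuilder query = new StringBuilder();
        appendParam(query, true, isRequest ? REQUEST_PARAMNAME : RESPONSE_PARAMNAME, deflate(message));
        if (relayState != null) {
            appendParam(query, false, RELAYSTATE_PARAMNAME, relayState);
        }
        if (signingKey != null) {
            String keyAlgorithm = signingKey.getAlgorithm();
            log.trace("signature key algorithm: {}", keyAlgorithm);
            SignatureAlgorithm chosen = selectSignatureAlgorithm(keyAlgorithm, digestAlgorithm, useMgf1);
            log.debug("algorithm name on saml request: '{}'", chosen.uri);
            log.debug("signature algorithm for saml request is: {}", chosen.jcaName);
            appendParam(query, false, SIGALG_PARAMNAME, chosen.uri);
            // Everything appended so far (message, RelayState, SigAlg) is what gets signed.
            Signature signature = provider == null ? Signature.getInstance(chosen.jcaName) : Signature.getInstance(chosen.jcaName, provider);
            signature.initSign(signingKey);
            signature.update(query.toString().getBytes(Utils.ENCODING));
            appendParam(query, false, SIGVALUE_PARAMNAME, Base64.getEncoder().encodeToString(signature.sign()));
            if (!hot) {
                // appended after the signature: not covered by it
                appendParam(query, false, NOT_HOT_PARAMNAME, "true");
            }
        }
        URL target = new URL(url);
        String separator = (target.getQuery() == null || target.getQuery().isEmpty()) ? "?" : "&";
        return url + separator + query;
    }

    /** Appends {@code name=value} (value URL-encoded) to {@code query}, preceded by {@code &} unless first. */
    private static void appendParam(StringBuilder query, boolean first, String name, String value) throws UnsupportedEncodingException {
        if (!first) {
            query.append('&');
        }
        query.append(name).append('=').append(URLEncoder.encode(value, Utils.ENCODING));
    }

    /**
     * Picks the SigAlg URI and the matching JCA signature name for a key/digest combination.
     * Both values are derived from the same normalized digest, so the algorithm advertised in
     * {@code SigAlg} always matches the one used to sign (previously, RSA/DSA keys with a
     * SHA-384/SHA-512 digest advertised sha256 while signing with the other digest).
     *
     * @throws GeneralSecurityException for unsupported key or digest algorithms
     */
    private static SignatureAlgorithm selectSignatureAlgorithm(String keyAlgorithm, String digestAlgorithm, boolean useMgf1) throws GeneralSecurityException {
        String digest = normalizeDigest(digestAlgorithm);
        if (KEY_ALGO_RSA.equalsIgnoreCase(keyAlgorithm)) {
            String jcaName = digest + (useMgf1 ? "withRSAandMGF1" : "withRSA");
            return new SignatureAlgorithm(rsaSigAlgUri(digest, useMgf1), jcaName);
        }
        if (KEY_ALGO_DSA.equalsIgnoreCase(keyAlgorithm)) {
            if (DIGEST_SHA1.equals(digest)) {
                return new SignatureAlgorithm(SIGALG_DSA_SHA1, "SHA1withDSA");
            }
            if (DIGEST_SHA256.equals(digest)) {
                return new SignatureAlgorithm(SIGALG_DSA_SHA256, "SHA256withDSA");
            }
            // no standard SigAlg URI exists for DSA with other digests
            throw new GeneralSecurityException("Given digest algorithm " + digestAlgorithm + " not supported");
        }
        if (KEY_ALGO_EC.equalsIgnoreCase(keyAlgorithm) || KEY_ALGO_ECDSA.equalsIgnoreCase(keyAlgorithm)) {
            return new SignatureAlgorithm(ecdsaSigAlgUri(digest), digest + "withECDSA");
        }
        throw new GeneralSecurityException("Unsupported signature algorithm: " + keyAlgorithm);
    }

    /**
     * Maps "SHA-256", "sha256", "SHA256", ... to one of the canonical {@code DIGEST_*} names.
     *
     * @throws GeneralSecurityException if the digest is {@code null} or not one of SHA-1/256/384/512
     */
    private static String normalizeDigest(String digestAlgorithm) throws GeneralSecurityException {
        if (digestAlgorithm != null) {
            String canonical = digestAlgorithm.replace("-", "").toUpperCase(Locale.ROOT);
            switch (canonical) {
                case DIGEST_SHA1:
                case DIGEST_SHA256:
                case DIGEST_SHA384:
                case DIGEST_SHA512:
                    return canonical;
                default:
                    break;
            }
        }
        throw new GeneralSecurityException("Given digest algorithm " + digestAlgorithm + " not supported");
    }

    /** SigAlg URI for an RSA signature with the given canonical digest, PKCS#1 v1.5 or MGF1. */
    private static String rsaSigAlgUri(String digest, boolean useMgf1) {
        switch (digest) {
            case DIGEST_SHA1:
                return useMgf1 ? SIGALG_RSA_SHA1_MGF1 : SIGALG_RSA_SHA1;
            case DIGEST_SHA256:
                return useMgf1 ? SIGALG_RSA_SHA256_MGF1 : SIGALG_RSA_SHA256;
            case DIGEST_SHA384:
                return useMgf1 ? SIGALG_RSA_SHA384_MGF1 : SIGALG_RSA_SHA384;
            case DIGEST_SHA512:
                return useMgf1 ? SIGALG_RSA_SHA512_MGF1 : SIGALG_RSA_SHA512;
            default:
                throw new IllegalStateException("unexpected digest " + digest);
        }
    }

    /** SigAlg URI for an ECDSA signature with the given canonical digest. */
    private static String ecdsaSigAlgUri(String digest) {
        switch (digest) {
            case DIGEST_SHA1:
                return SIGALG_ECDSA_SHA1;
            case DIGEST_SHA256:
                return SIGALG_ECDSA_SHA256;
            case DIGEST_SHA384:
                return SIGALG_ECDSA_SHA384;
            case DIGEST_SHA512:
                return SIGALG_ECDSA_SHA512;
            default:
                throw new IllegalStateException("unexpected digest " + digest);
        }
    }

    /**
     * Verifies the {@code Signature} parameter of a redirect URL or query string against the
     * public key of {@code certificate}.
     *
     * <p>What is checked: the signed data is rebuilt from the raw (still URL-encoded) values of
     * {@code SAMLRequest}/{@code SAMLResponse}, {@code RelayState} and {@code SigAlg}; the
     * algorithm is taken from {@code SigAlg} and must be one of the known URIs; exactly one of
     * {@code SAMLRequest}/{@code SAMLResponse} must be present (with both present, only one of
     * them would be covered by the signature, so the ambiguous query is rejected); duplicate
     * parameter names (compared after URL-decoding) are rejected.
     *
     * <p>What is NOT checked: that {@code certificate} belongs to the expected sender, is
     * valid, or chains to a trusted root - the caller must establish that before calling.
     * Parameters after {@code Signature} are not covered. SHA-1 algorithms are accepted for
     * interoperability and logged at WARN.
     *
     * @param queryOrUrl  full URL (http/https) or just the query string
     * @param certificate certificate whose public key is used for verification
     * @return {@code true} only if the signature is present, uses a known algorithm and
     *         verifies; {@code false} for any malformed input or verification error
     */
    public static boolean checkQueryString(String queryOrUrl, X509Certificate certificate) {
        if (certificate == null || queryOrUrl == null) {
            return false;
        }
        try {
            Map<String, String> rawByName = parseSignedParameters(queryOrUrl);
            String signedData = buildSignedData(rawByName);
            if (signedData == null) {
                return false;
            }
            String sigAlgUri = URLDecoder.decode(rawByName.get(SIGALG_PARAMNAME), Utils.ENCODING);
            String jcaName = JCA_NAME_BY_SIGALG_URI.get(sigAlgUri);
            if (jcaName == null) {
                log.debug("unknown signature algorithm {}", sigAlgUri);
                return false;
            }
            if (jcaName.startsWith(DIGEST_SHA1)) {
                log.warn("SAML redirect signature uses SHA-1 based algorithm {}; the peer should move to SHA-256 or stronger", sigAlgUri);
            }
            String encodedSignature = rawByName.get(SIGVALUE_PARAMNAME);
            if (encodedSignature == null) {
                log.debug("no {} parameter in redirect query", SIGVALUE_PARAMNAME);
                return false;
            }
            byte[] signatureValue = Base64.getMimeDecoder().decode(URLDecoder.decode(encodedSignature, Utils.ENCODING));
            Signature verifier = Signature.getInstance(jcaName);
            verifier.initVerify(certificate);
            verifier.update(signedData.getBytes(Utils.ENCODING));
            return verifier.verify(signatureValue);
        } catch (Exception e) {
            // fail closed on anything unexpected (malformed query, duplicate params, bad Base64, JCA errors)
            log.debug("signature check of redirect query failed: {}", e.getMessage(), e);
            return false;
        }
    }

    /**
     * Rebuilds the signed string from raw parameter values keyed by decoded name, in the
     * binding's order: message, optional RelayState, SigAlg.
     *
     * @return the signed string, or {@code null} if the query is not verifiable (neither or
     *         both message parameters, or no SigAlg)
     */
    private static String buildSignedData(Map<String, String> rawByName) {
        String request = rawByName.get(REQUEST_PARAMNAME);
        String response = rawByName.get(RESPONSE_PARAMNAME);
        if ((request == null) == (response == null)) {
            log.debug("redirect query must carry exactly one of {} and {}", REQUEST_PARAMNAME, RESPONSE_PARAMNAME);
            return null;
        }
        String sigAlg = rawByName.get(SIGALG_PARAMNAME);
        if (sigAlg == null) {
            log.debug("no {} parameter in redirect query", SIGALG_PARAMNAME);
            return null;
        }
        StringBuilder signed = new StringBuilder();
        if (response != null) {
            signed.append(RESPONSE_PARAMNAME).append('=').append(response);
        } else {
            signed.append(REQUEST_PARAMNAME).append('=').append(request);
        }
        String relayState = rawByName.get(RELAYSTATE_PARAMNAME);
        if (relayState != null) {
            signed.append('&').append(RELAYSTATE_PARAMNAME).append('=').append(relayState);
        }
        signed.append('&').append(SIGALG_PARAMNAME).append('=').append(sigAlg);
        return signed.toString();
    }

    /**
     * Parses the query into URL-decoded parameter name -> raw (still encoded) value. Using the
     * decoded name for lookup and the raw value for the signed string keeps the verifier and
     * the consumers of {@link #getParameterList(String, boolean)} looking at the same
     * parameter: a percent-encoded name like {@code Relay%53tate} would otherwise be invisible
     * to the signature check but visible to a decoding reader.
     *
     * @throws IllegalParameterException if a (decoded) name occurs more than once
     */
    private static Map<String, String> parseSignedParameters(String queryOrUrl) throws URISyntaxException, UnsupportedEncodingException {
        String[] pairs = splitQuery(queryOrUrl);
        Map<String, String> rawByName = new HashMap<>();
        for (String pair : pairs) {
            String[] nameAndValue = splitPair(pair);
            String name = URLDecoder.decode(nameAndValue[0], Utils.ENCODING);
            putUnique(rawByName, pairs, name, nameAndValue.length == 2 ? nameAndValue[1] : null);
        }
        return rawByName;
    }

    /**
     * Splits a URL or query string into its parameters.
     *
     * <p>A parameter without {@code =} maps to {@code null}; the value is everything after the
     * first {@code =} (so Base64 padding or other literal {@code =} characters are preserved
     * rather than silently dropped). A URL without a query yields an empty map.
     *
     * @param queryOrUrl full http/https URL or just the query part
     * @param decode     {@code true} to URL-decode names and values, {@code false} for raw text
     * @return mutable map of name to value
     * @throws URISyntaxException           if {@code queryOrUrl} looks like a URL but is not one
     * @throws UnsupportedEncodingException if {@link Utils#ENCODING} is not available
     * @throws IllegalParameterException    if a name occurs more than once
     */
    public static Map<String, String> getParameterList(String queryOrUrl, boolean decode) throws URISyntaxException, UnsupportedEncodingException {
        String[] pairs = splitQuery(queryOrUrl);
        Map<String, String> parameters = new HashMap<>();
        for (String pair : pairs) {
            String[] nameAndValue = splitPair(pair);
            String name = nameAndValue[0];
            String value = nameAndValue.length == 2 ? nameAndValue[1] : null;
            if (decode) {
                name = URLDecoder.decode(name, Utils.ENCODING);
                if (value != null) {
                    value = URLDecoder.decode(value, Utils.ENCODING);
                }
            }
            putUnique(parameters, pairs, name, value);
        }
        return parameters;
    }

    /** Extracts the raw query of an http/https URL (or takes the input as the query) and splits on {@code &}. */
    private static String[] splitQuery(String queryOrUrl) throws URISyntaxException {
        String query = queryOrUrl;
        if (queryOrUrl.startsWith("http://") || queryOrUrl.startsWith("https://")) {
            query = new URI(queryOrUrl).getRawQuery();
        }
        return query == null ? new String[0] : query.split("&");
    }

    /** Splits {@code name=value} at the first {@code =} only; returns one element when there is none. */
    private static String[] splitPair(String pair) {
        return pair.split("=", 2);
    }

    /** Stores the parameter, rejecting a name that is already present. */
    private static void putUnique(Map<String, String> parameters, String[] pairs, String name, String value) {
        if (parameters.containsKey(name)) {
            throwIllegalParameterException(pairs, name);
        }
        parameters.put(name, value);
    }

    private static void throwIllegalParameterException(String[] pairs, String name) {
        String detected = Arrays.stream(pairs).map(pair -> {
            String[] parts = pair.split("=");
            return parts.length == 0 ? null : parts[0];
        }).collect(Collectors.joining(", "));
        throw new IllegalParameterException("found an illegal parameter with name '" + name + "' in the query. If the parameter has a valid name it might be that the parameter was found more than once. The following parameters were detected: " + detected);
    }

    /**
     * Returns the value of parameter {@code name} from a URL or query string, or {@code null}
     * if absent (or present without a value).
     *
     * @see #getParameterList(String, boolean)
     */
    public static String findParameterInUrl(String queryOrUrl, String name, boolean decode) throws UnsupportedEncodingException, URISyntaxException {
        return getParameterList(queryOrUrl, decode).get(name);
    }
}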
