package de.governikus.autent.saml.client.utils;

import de.bos_bremen.gov.autent.common.ErrorCode;
import de.bos_bremen.gov.autent.common.ErrorCodeException;
import de.bos_bremen.gov.autent.common.XMLSignatureHandler;
import java.io.ByteArrayInputStream;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import net.shibboleth.utilities.java.support.xml.XMLParserException;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.Signature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:de/governikus/autent/saml/client/utils/ResponseParser.class */
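/**
 * Parses a raw SAML 2.0 {@code Response}, verifies its XML signature(s) against the configured
 * trust anchors and decrypts any {@code EncryptedAssertion} elements with the configured private keys.
 * <p>
 * Security-relevant defaults and caveats a deployer must be aware of:
 * <ul>
 *   <li>Signature verification is <b>skipped entirely</b> while no trust anchor has been added via
 *       {@link #addTrustedAnchorCert(X509Certificate)} (fail-open, see {@link #checkSignature(Signature)}).
 *       A warning is logged on every such parse.</li>
 *   <li>By default only the {@code Response} envelope signature is checked
 *       ({@code checkResponseSig = true}); signatures on the (decrypted) assertions are <b>not</b>
 *       checked unless {@link #setCheckAssertionSig(boolean)} is enabled. Disabling both leaves the
 *       response unauthenticated.</li>
 *   <li>The XML is parsed with OpenSAML's shared parser pool. Its DTD / external-entity (XXE)
 *       hardening is configured outside this class — confirm the pool configuration in the deployment.</li>
 *   <li>Signature checking is delegated to {@link XMLSignatureHandler#checkSignature}; this class relies on
 *       that handler rejecting a missing ({@code null}) signature when a check is requested — confirm.</li>
 * </ul>
 * Instances are configured via setters and then used for parsing; there is no synchronization, so configure
 * an instance fully before sharing it and do not reconfigure it while {@link #parse(byte[])} may run.
 */
public class ResponseParser {
    private static final Logger log = LoggerFactory.getLogger(ResponseParser.class);

    /** Certificates a response/assertion signature must be verifiable against; empty == checks are skipped. */
    private final List<X509Certificate> trustedAnchorList = new LinkedList<>();
    /** Private-key credentials tried (via inline EncryptedKey) when decrypting EncryptedAssertion elements. */
    private final List<Credential> decryptionCredentialList = new LinkedList<>();
    private boolean checkResponseSig = true;
    private boolean checkAssertionSig = false;
    private boolean doCheckTime = true;
    private boolean ignoreUndecryptable = false;
    /** JCA provider handed to the OpenSAML Decrypter; {@code null} selects the default provider. */
    private String decryptionProviderName;

    /**
     * Adds a certificate that signatures are verified against.
     *
     * @param x509Certificate trust anchor; until at least one is added, signature checks are skipped
     */
    public void addTrustedAnchorCert(X509Certificate x509Certificate) {
        this.trustedAnchorList.add(x509Certificate);
    }

    /** @return whether the {@code Response} envelope signature is verified (default {@code true}) */
    public boolean isCheckResponseSig() {
        return this.checkResponseSig;
    }

    /** @param z {@code false} disables verification of the {@code Response} envelope signature */
    public void setCheckResponseSig(boolean z) {
        this.checkResponseSig = z;
    }

    /** @return whether each (decrypted) assertion's own signature is verified (default {@code false}) */
    public boolean isCheckAssertionSig() {
        return this.checkAssertionSig;
    }

    /** @param z {@code true} additionally verifies the signature of every assertion after decryption */
    public void setCheckAssertionSig(boolean z) {
        this.checkAssertionSig = z;
    }

    /**
     * Registers a key pair for decrypting {@code EncryptedAssertion} elements.
     * A call with a {@code null} key or certificate is silently ignored.
     *
     * @param privateKey      decryption key
     * @param x509Certificate certificate belonging to {@code privateKey}
     */
    public void addDecryptionKey(PrivateKey privateKey, X509Certificate x509Certificate) {
        if (x509Certificate == null || privateKey == null) {
            return;
        }
        this.decryptionCredentialList.add(CredentialSupport.getSimpleCredential(x509Certificate, privateKey));
    }

    /** Disables the time-condition check performed by the returned {@link ParsedResponse}. */
    public void disableTimeConditionCheck() {
        this.doCheckTime = false;
    }

    /**
     * Parses, verifies and decrypts a SAML response.
     * <p>
     * Order of operations: parse XML, unmarshall and check the root is a {@code Response}, verify the
     * envelope signature (if enabled), decrypt encrypted assertions (if keys are configured), verify
     * assertion signatures (if enabled).
     *
     * @param bArr raw XML bytes of the SAML response (untrusted input)
     * @return the parsed response wrapped with the time-check flag
     * @throws XMLParserException     if the bytes are not well-formed XML
     * @throws UnmarshallingException if the document cannot be unmarshalled or its root is not a SAML
     *                                {@code Response}
     * @throws ErrorCodeException     on signature failure or when an encrypted assertion cannot be decrypted
     *                                ({@link ErrorCode#CANNOT_DECRYPT}) and undecryptable assertions are not ignored
     */
    public ParsedResponse parse(byte[] bArr) throws UnmarshallingException, ErrorCodeException, XMLParserException {
        Document document = XMLObjectProviderRegistrySupport.getParserPool().parse(new ByteArrayInputStream(bArr));
        Response response = unmarshallResponse(document);
        // Verify the envelope before touching any encrypted content.
        if (this.checkResponseSig) {
            checkSignature(response.getSignature());
        }
        decryptAssertions(response);
        if (this.checkAssertionSig) {
            for (Assertion assertion : response.getAssertions()) {
                checkSignature(assertion.getSignature());
            }
        }
        return new ParsedResponse(response, this.doCheckTime);
    }

    /**
     * Unmarshalls the document root and checks that it really is a SAML 2.0 {@code Response}.
     * The original implicit cast would have surfaced a foreign root element as a ClassCastException.
     */
    private static Response unmarshallResponse(Document document) throws UnmarshallingException {
        Element root = document.getDocumentElement();
        Unmarshaller unmarshaller = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root);
        if (unmarshaller == null) {
            throw new UnmarshallingException("no unmarshaller registered for root element " + root.getLocalName());
        }
        Object parsed = unmarshaller.unmarshall(root);
        if (!(parsed instanceof Response)) {
            throw new UnmarshallingException("root element is not a SAML 2.0 Response: " + root.getLocalName());
        }
        return (Response) parsed;
    }

    /**
     * Decrypts every {@code EncryptedAssertion} of the response in place: successfully decrypted ones are
     * appended to {@code getAssertions()} and removed from {@code getEncryptedAssertions()}.
     * Without configured keys, the presence of encrypted assertions is an error unless
     * {@link #ignoreUndecryptableAssertions()} was called, in which case they are left untouched.
     */
    private void decryptAssertions(Response response) throws ErrorCodeException {
        List<EncryptedAssertion> encryptedAssertions = response.getEncryptedAssertions();
        if (encryptedAssertions.isEmpty()) {
            return;
        }
        if (this.decryptionCredentialList.isEmpty()) {
            if (this.ignoreUndecryptable) {
                return;
            }
            throw new ErrorCodeException(ErrorCode.CANNOT_DECRYPT, new String[0]);
        }
        // Resolver setup is independent of the individual assertion, so build the Decrypter once.
        Decrypter decrypter = new Decrypter((KeyInfoCredentialResolver) null,
                new StaticKeyInfoCredentialResolver(this.decryptionCredentialList), new InlineEncryptedKeyResolver());
        decrypter.setJCAProviderName(this.decryptionProviderName);
        decrypter.setRootInNewDocument(true);
        List<EncryptedAssertion> decrypted = new ArrayList<>();
        for (EncryptedAssertion encryptedAssertion : encryptedAssertions) {
            try {
                response.getAssertions().add(decrypter.decrypt(encryptedAssertion));
                decrypted.add(encryptedAssertion);
            } catch (DecryptionException e) {
                if (!this.ignoreUndecryptable) {
                    log.error("can not decrypt assertion", e);
                    throw new ErrorCodeException(ErrorCode.CANNOT_DECRYPT, e);
                }
                log.debug("can not decrypt assertion", e);
            }
        }
        // Removed after the loop: the list is live, mutating it during iteration would be unsafe.
        encryptedAssertions.removeAll(decrypted);
    }

    /** Undecryptable (or, without keys, all encrypted) assertions are skipped instead of failing the parse. */
    public void ignoreUndecryptableAssertions() {
        this.ignoreUndecryptable = true;
    }

    /**
     * Verifies {@code signature} against the configured trust anchors.
     * <p>
     * <b>Fail-open:</b> with no trust anchors configured this method returns without verifying anything
     * (kept for API compatibility); a warning is logged so the condition is visible in operations.
     *
     * @param signature signature element of the response or assertion; may be {@code null} when the element
     *                  is unsigned — handling of that case is delegated to {@code XMLSignatureHandler}
     * @throws ErrorCodeException if the handler rejects the signature
     */
    private void checkSignature(Signature signature) throws ErrorCodeException {
        if (this.trustedAnchorList.isEmpty()) {
            log.warn("no trust anchor configured - skipping SAML signature verification");
            return;
        }
        XMLSignatureHandler.checkSignature(signature, this.trustedAnchorList.toArray(new X509Certificate[0]));
    }

    /** @return JCA provider name used for decryption, or {@code null} for the default provider */
    public String getDecryptionProviderName() {
        return this.decryptionProviderName;
    }

    /** @param str JCA provider name used for decryption; {@code null} selects the default provider */
    public void setDecryptionProviderName(String str) {
        this.decryptionProviderName = str;
    }
}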
