package org.globus.gridshib.security.util;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.globus.gridshib.common.mapper.GridShibEntityMapper;
import org.globus.gridshib.security.SAMLSecurityContext;
import org.globus.gridshib.security.x509.SAMLX509Extension;
import org.globus.opensaml11.saml.SAMLException;
import org.globus.opensaml11.saml.SAMLSubjectAssertion;

/* loaded from: input_file:org/globus/gridshib/security/util/SAMLUtil.class */
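/**
 * Helpers for pulling SAML assertions out of the X.509 extensions of a
 * (proxy) certificate chain and feeding the trusted ones into a subject's
 * {@link SAMLSecurityContext}.
 * <p>
 * Two trust paths exist for an embedded assertion (see
 * {@link #consumeSAMLExtension}): a <em>signed</em> assertion must verify
 * against the certificate that {@link GridShibEntityMapper} maps to its
 * issuer, and must then pass {@link #isAssertionValid}; an <em>unsigned</em>
 * assertion is accepted only when its issuer can be identified with the
 * issuer of the carrying certificate (or, for an impersonation proxy, with
 * the subject of the end-entity certificate), i.e. when it is self-issued.
 * Assertions failing either path are logged and skipped; they never reach the
 * security context.
 * <p>
 * This is a reconstruction of decompiled output: the synthetic
 * {@code class$}/{@code $assertionsDisabled} scaffolding has been replaced by
 * the {@code assert} statements and class literal it was compiled from, and
 * {@code StringBuffer} chains by string concatenation. The class targets a
 * pre-generics runtime, so collections stay raw.
 */
public class SAMLUtil {

    /** Class-scoped logger, keyed by the fully qualified class name. */
    private static final Log logger = LogFactory.getLog(SAMLUtil.class.getName());

    /**
     * Extracts every SAML assertion embedded in a certificate chain.
     * <p>
     * The chain is walked from index 0 upward and each certificate carrying a
     * SAML extension contributes one assertion, in chain order. The walk ends
     * with the first certificate that is not an impersonation proxy (that
     * certificate is still examined), so certificates above it are never
     * inspected. This presumes the chain is ordered leaf-first (proxies, then
     * the end-entity certificate) -- TODO confirm against
     * {@code CertUtil.getCertificateChain}.
     * <p>
     * No signature or issuer checks are performed here; callers that use the
     * returned assertions for access decisions must validate them separately
     * (compare {@link #consumeSAMLAssertions(Subject)}, which does).
     *
     * @param certs the certificate chain to inspect
     * @return the assertions found, possibly empty, never {@code null}
     * @throws IllegalArgumentException if {@code certs} is {@code null}
     * @throws IOException if a SAML extension cannot be read
     * @throws SAMLException if an extension does not parse as a SAML assertion
     * @throws CertificateException propagated from certificate inspection
     */
    public static SAMLSubjectAssertion[] getSAMLAssertions(X509Certificate[] certs)
            throws IOException, SAMLException, CertificateException {
        if (certs == null) {
            logger.error("Null cert chain");
            throw new IllegalArgumentException("Null cert chain");
        }
        // Log the chain length; the decompiled code logged the array's
        // identity string, which carries no information.
        logger.debug("certs = " + certs.length + " certificate(s)");
        // Raw ArrayList on purpose: pre-generics target (see class comment).
        ArrayList assertions = new ArrayList();
        for (int i = 0; i < certs.length; i++) {
            logger.debug("Processing certificate " + i + ": " + certs[i]);
            SAMLSubjectAssertion assertion = SAMLX509Extension.getSAMLAssertion(certs[i]);
            if (assertion == null) {
                logger.debug("No SAML extension found in this certificate");
            } else {
                logger.debug("SAML extension found in this certificate");
                assertions.add(assertion);
            }
            // The first non-proxy certificate is the last one inspected.
            if (!CertUtil.isImpersonationProxy(certs[i])) {
                logger.debug("All certificates processed");
                break;
            }
        }
        return (SAMLSubjectAssertion[]) assertions.toArray(new SAMLSubjectAssertion[0]);
    }

    /**
     * Returns the SAML assertion embedded in a single certificate, or
     * {@code null} when the certificate carries no SAML extension.
     * Thin wrapper around {@link SAMLX509Extension#getSAMLAssertion}; it
     * performs no signature or issuer validation.
     *
     * @param cert the certificate to inspect
     * @return the embedded assertion, or {@code null}
     * @throws IOException if the extension cannot be read
     * @throws SAMLException if the extension does not parse as a SAML assertion
     */
    public static SAMLSubjectAssertion getSAMLAssertion(X509Certificate cert)
            throws IOException, SAMLException {
        return SAMLX509Extension.getSAMLAssertion(cert);
    }

    /**
     * Collects the trusted SAML assertions carried by the subject's
     * certificate chain into the subject's {@link SAMLSecurityContext}.
     * <p>
     * When no chain can be obtained from the subject the method logs and
     * returns without touching the security context, so the subject simply
     * ends up with no SAML-derived attributes.
     *
     * @param subject the subject whose chain is inspected and whose security
     *        context receives the accepted assertions
     * @throws IllegalArgumentException if {@code subject} is {@code null}
     * @throws IOException if a SAML extension cannot be read
     * @throws SAMLException if an extension does not parse as a SAML assertion
     * @throws CertificateException propagated from certificate inspection
     */
    public static void consumeSAMLAssertions(Subject subject)
            throws IOException, SAMLException, CertificateException {
        if (subject == null) {
            logger.error("Null subject");
            throw new IllegalArgumentException("Null subject");
        }
        logger.debug("subject = " + subject);
        X509Certificate[] chain = CertUtil.getCertificateChain(subject);
        if (chain == null) {
            logger.warn("Unable to obtain certificate chain");
            logger.info("Attribute collection aborted");
            return;
        }
        logger.debug("Found " + chain.length + " certificates in the chain");
        traverseCertChain(subject, chain);
    }

    /**
     * Walks the chain leaf-first and hands every certificate that carries a
     * SAML extension to {@link #consumeSAMLExtension}. As in
     * {@link #getSAMLAssertions}, the walk ends with the first certificate
     * that is not an impersonation proxy.
     *
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    private static void traverseCertChain(Subject subject, X509Certificate[] chain)
            throws IOException, SAMLException, CertificateException {
        if (subject == null) {
            logger.error("Null subject");
            throw new IllegalArgumentException("Null subject");
        }
        logger.debug("subject = " + subject);
        if (chain == null) {
            logger.error("Null certificate chain");
            throw new IllegalArgumentException("Null certificate chain");
        }
        logger.debug("Found " + chain.length + " certificates in the chain");
        for (int i = 0; i < chain.length; i++) {
            logger.debug("Processing certificate: " + chain[i]);
            if (SAMLX509Extension.hasSAMLExtension(chain[i])) {
                logger.debug("SAML extension found in this certificate");
                consumeSAMLExtension(subject, chain[i]);
            } else {
                logger.debug("No SAML extension found in this certificate");
            }
            if (!CertUtil.isImpersonationProxy(chain[i])) {
                logger.debug("All certificates processed");
                return;
            }
        }
    }

    /**
     * Applies the trust checks to the assertion embedded in one certificate
     * and, if they pass, parses it into the subject's security context.
     * <p>
     * Signed assertions go through {@link #verifySignedAssertion}; unsigned
     * ones through {@link #acceptSelfIssuedAssertion}. Any failure is logged
     * and the extension is skipped; nothing is thrown for a rejected
     * assertion.
     */
    private static void consumeSAMLExtension(Subject subject, X509Certificate cert)
            throws IOException, SAMLException, CertificateException {
        assert subject != null;
        assert cert != null;
        SAMLSubjectAssertion assertion = SAMLX509Extension.getSAMLAssertion(cert);
        if (assertion == null) {
            logger.warn("Unable to obtain SAML assertion");
            logger.info("Skipping this certificate extension");
            return;
        }
        logger.debug("Processing assertion: " + assertion);
        String issuer = assertion.getIssuer();
        boolean trusted;
        if (assertion.isSigned()) {
            trusted = verifySignedAssertion(assertion, issuer);
        } else {
            trusted = acceptSelfIssuedAssertion(subject, cert, issuer);
        }
        if (!trusted) {
            return;
        }
        SAMLSecurityContext context = SAMLSecurityContext.getSAMLSecurityContext(subject);
        assert context != null;
        context.parseSAMLAssertion(assertion);
    }

    /**
     * Checks a signed assertion: the issuer must map to a signing certificate
     * via {@link GridShibEntityMapper}, the signature must verify against it,
     * and {@link #isAssertionValid} must accept the assertion.
     *
     * @return {@code true} if the assertion may be consumed; {@code false}
     *         (after logging) otherwise
     */
    private static boolean verifySignedAssertion(SAMLSubjectAssertion assertion, String issuer)
            throws IOException, SAMLException, CertificateException {
        logger.debug("Processing signed assertion...");
        X509Certificate signingCert = GridShibEntityMapper.getX509Certificate(issuer);
        if (signingCert == null) {
            logger.error("Unable to locate a signing certificate for assertion issuer " + issuer);
            logger.info("Skipping this certificate extension");
            return false;
        }
        logger.debug("Using signing certificate: " + signingCert);
        try {
            assertion.verify(signingCert);
        } catch (SAMLException e) {
            logger.error("Unable to verify assertion signature");
            logger.debug(e);
            logger.info("Skipping this certificate extension");
            return false;
        }
        // isAssertionValid declares no checked exceptions, so it can sit
        // outside the try without changing which failures are caught.
        if (!isAssertionValid(assertion)) {
            logger.error("Signed assertion is not valid");
            logger.info("Skipping this certificate extension");
            return false;
        }
        logger.debug("Signed assertion is valid");
        return true;
    }

    /**
     * Checks an unsigned assertion: it is accepted only if its issuer can be
     * identified with the issuer of the carrying certificate. For an
     * impersonation proxy the relevant issuer is the subject of the subject's
     * end-entity certificate; otherwise it is the certificate's own issuer.
     *
     * @return {@code true} if the assertion may be consumed; {@code false}
     *         (after logging) otherwise
     */
    private static boolean acceptSelfIssuedAssertion(Subject subject, X509Certificate cert,
            String issuer) throws IOException, SAMLException, CertificateException {
        X500Principal certIssuer;
        if (CertUtil.isImpersonationProxy(cert)) {
            X509Certificate eec = CertUtil.getEEC(subject);
            if (eec == null) {
                // Fail closed instead of dereferencing null; whether getEEC
                // can return null is not visible here.
                logger.error("Unable to locate the end-entity certificate for this subject");
                logger.info("Skipping this certificate extension");
                return false;
            }
            certIssuer = eec.getSubjectX500Principal();
        } else {
            certIssuer = cert.getIssuerX500Principal();
        }
        logger.debug("Certificate issuer: " + certIssuer);
        if (!isSelfIssuedAssertion(issuer, certIssuer)) {
            logger.error("Unable to identify assertion issuer " + issuer);
            logger.info("Skipping this certificate extension");
            return false;
        }
        logger.debug("Processing self-issued assertion");
        return true;
    }

    /**
     * Validity check applied to a signed assertion after its signature has
     * been verified.
     * <p>
     * As decompiled, this returns {@code false} unconditionally, so every
     * signed assertion is rejected by {@link #consumeSAMLExtension} and only
     * self-issued (unsigned) assertions ever reach the security context.
     * Whether that is a stub or intended fail-closed behavior cannot be
     * determined from this class -- TODO confirm against the original source
     * before relying on signed assertions being consumed.
     *
     * @param assertion the signed, signature-verified assertion
     * @return always {@code false} in this build
     */
    private static boolean isAssertionValid(SAMLSubjectAssertion assertion) {
        return false;
    }

    /**
     * Decides whether an assertion issuer denotes the given certificate
     * issuer. Three identifications are tried in order, the first match wins:
     * <ol>
     * <li>the issuer maps to a certificate (via {@link GridShibEntityMapper})
     *     whose subject equals {@code certIssuer};</li>
     * <li>the issuer maps to a distinguished name equal to the RFC 2253 form
     *     of {@code certIssuer};</li>
     * <li>the issuer string itself equals that RFC 2253 form.</li>
     * </ol>
     * Comparisons 2 and 3 are plain string comparisons, so they depend on the
     * mapper producing exactly the RFC 2253 rendering used here.
     *
     * @param issuer the assertion's issuer string (non-null)
     * @param certIssuer the certificate issuer to match against (non-null)
     * @return {@code true} if any identification succeeds
     */
    private static boolean isSelfIssuedAssertion(String issuer, X500Principal certIssuer) {
        assert issuer != null && certIssuer != null;
        X509Certificate mappedCert = GridShibEntityMapper.getX509Certificate(issuer);
        if (mappedCert == null) {
            logger.debug("Unable to find a signing certificate for assertion issuer " + issuer);
        } else {
            logger.debug("Found a signing certificate for assertion issuer " + issuer);
            X500Principal mappedSubject = mappedCert.getSubjectX500Principal();
            logger.debug("Mapped certificate subject: " + mappedSubject);
            if (mappedSubject.equals(certIssuer)) {
                logger.debug("Mapped certificate subject equals certificate issuer");
                return true;
            }
            logger.warn("Mapped cert subject does not match certificate issuer " + certIssuer);
        }
        String certIssuerDN = certIssuer.getName("RFC2253");
        String mappedDN = GridShibEntityMapper.getDN(issuer);
        if (mappedDN == null) {
            logger.debug("Unable to find a distinguished name for assertion issuer " + issuer);
        } else {
            logger.debug("Found a distinguished name for assertion issuer " + issuer);
            logger.debug("Mapped distinguished name: " + mappedDN);
            if (mappedDN.equals(certIssuerDN)) {
                logger.debug("Certificate issuer DN matches mapped DN");
                return true;
            }
            logger.warn("Mapped distinguished name does not match certificate issuer DN " + certIssuerDN);
        }
        if (issuer.equals(certIssuerDN)) {
            logger.debug("Certificate issuer DN matches assertion issuer");
            return true;
        }
        logger.warn("Assertion issuer does not match certificate issuer DN: " + certIssuerDN);
        return false;
    }
}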
