package edu.internet2.middleware.shibboleth.common.provider;

import edu.internet2.middleware.shibboleth.common.IdentityProvider;
import edu.internet2.middleware.shibboleth.common.InvalidNameIdentifierException;
import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMapping;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
import edu.internet2.middleware.shibboleth.common.ServiceProvider;
import edu.internet2.middleware.shibboleth.common.ShibResource;
import edu.internet2.middleware.shibboleth.utils.Base32;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.StreamCorruptedException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import org.apache.log4j.Logger;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/common/provider/CryptoShibHandle.class */
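/**
 * Name-identifier mapping that issues and resolves encrypted "Attribute Query Handles".
 *
 * <p>A handle produced by {@link #getName(LocalPrincipal)} is the Base32 encoding of
 * {@code IV || Encrypt(gzip(HMAC || expiration || UTF(principalName)))}: the IV is one cipher
 * block of fresh {@link SecureRandom} output, the encryption uses the configured cipher in the
 * mode named by {@code cipherAlgorithm}, and the HMAC is produced by
 * {@link HMACHandleEntry#getMAC(Mac)} under the configured secret. {@link #getPrincipal(String)}
 * reverses the process and returns a principal only when the recovered HMAC matches and the
 * entry has not expired.
 *
 * <p>The secret is read from a keystore configured through the {@code KeyStorePath},
 * {@code KeyStorePassword}, {@code KeyStoreKeyAlias} and {@code KeyStoreKeyPassword} elements;
 * {@code KeyStoreType}, {@code Cipher} and {@code MAC} are optional overrides of the defaults
 * declared below. One key serves both the cipher and the MAC.
 */
public class CryptoShibHandle extends AQHNameIdentifierMapping implements NameIdentifierMapping {

    private static final Logger log = Logger.getLogger(CryptoShibHandle.class);

    /** Defaults applied when the configuration element omits the corresponding override. */
    private static final String DEFAULT_CIPHER = "DESede/CBC/PKCS5Padding";
    private static final String DEFAULT_MAC = "HmacSHA1";
    private static final String DEFAULT_STORE_TYPE = "JCEKS";

    /** Inputs for the start-up self-test; pure ASCII, so the charset does not affect the result. */
    private static final String ROUND_TRIP_PLAINTEXT = "test";
    private static final String MAC_TEST_INPUT = "foo";

    /**
     * Encoded form of the well-known key shipped with the default configuration. A deployment
     * whose key matches it is warned at start-up: handles are neither confidential nor
     * tamper-evident against anyone holding a published key.
     */
    private static final byte[] DEFAULT_SECRET = {
        -57, 73, Byte.MIN_VALUE, -45, 2, 74, 97, -17, 37, 93, -29, 47, 87, 81, 32, 21,
        -57, 73, Byte.MIN_VALUE, -45, 2, 74, 97, -17
    };

    /** Key used for both the cipher and the MAC; non-null once construction has succeeded. */
    protected SecretKey secret;
    private final SecureRandom random;
    private final String cipherAlgorithm;
    private final String macAlgorithm;
    private final String storeType;

    /**
     * Loads the secret named by {@code element} and verifies that it works for both the cipher
     * and the MAC before the mapping is put into service.
     *
     * @param element the mapping configuration element
     * @throws NameIdentifierMappingException if a required setting is missing, the keystore
     *         cannot be read, the key is absent or unusable, or the self-test fails
     */
    public CryptoShibHandle(Element element) throws NameIdentifierMappingException {
        super(element);
        this.random = new SecureRandom();

        // Required settings are read first so a missing one is reported before anything else.
        String storePath = getElementConfigData(element, "KeyStorePath", true);
        String storePassword = getElementConfigData(element, "KeyStorePassword", true);
        String keyAlias = getElementConfigData(element, "KeyStoreKeyAlias", true);
        String keyPassword = getElementConfigData(element, "KeyStoreKeyPassword", true);

        this.storeType = orDefault(getElementConfigData(element, "KeyStoreType", false), DEFAULT_STORE_TYPE);
        this.cipherAlgorithm = orDefault(getElementConfigData(element, "Cipher", false), DEFAULT_CIPHER);
        this.macAlgorithm = orDefault(getElementConfigData(element, "MAC", false), DEFAULT_MAC);

        try {
            this.secret = loadSecret(storePath, storePassword, keyAlias, keyPassword);
            testEncryption();
            if (usingDefaultSecret()) {
                log.warn("You are running Crypto AQH Name Mapping with the default secret key.  This is UNSAFE!  Please change this configuration and restart the IdP.");
            }
        } catch (StreamCorruptedException e) {
            // StreamCorruptedException is an IOException; it must be caught before the general case.
            String javaVersion = System.getProperty("java.version");
            if (javaVersion != null && javaVersion.startsWith("1.4.2")) {
                log.error("There is a bug in some versions of Java 1.4.2.x that prevent JCEKS keystores from being loaded properly.  You probably need to upgrade or downgrade your JVM in order to make this work.");
            }
            log.error("An error occurred while loading the java keystore.  Unable to initialize Crypto Name Mapping: " + e);
            throw new NameIdentifierMappingException("An error occurred while loading the java keystore.  Unable to initialize Crypto Name Mapping.");
        } catch (IOException e) {
            log.error("An error accessing while loading the java keystore.  Unable to initialize Crypto Name Mapping: " + e);
            throw new NameIdentifierMappingException("An error occurred while accessing the java keystore.  Unable to initialize Crypto Name Mapping.");
        } catch (KeyStoreException e) {
            log.error("An error occurred while loading the java keystore.  Unable to initialize Crypto Name Mapping: " + e);
            throw new NameIdentifierMappingException("An error occurred while loading the java keystore.  Unable to initialize Crypto Name Mapping.");
        } catch (NoSuchAlgorithmException e) {
            log.error("Appropriate JCE provider not found in the java environment. Unable to initialize Crypto Name Mapping: " + e);
            throw new NameIdentifierMappingException("Appropriate JCE provider not found in the java environment. Unable to initialize Crypto Name Mapping.");
        } catch (UnrecoverableKeyException e) {
            log.error("Secret could not be loaded from the java keystore.  Verify that the alias and password are correct: " + e);
            throw new NameIdentifierMappingException("Secret could not be loaded from the java keystore.  Verify that the alias and password are correct. ");
        } catch (CertificateException e) {
            log.error("The java keystore contained corrupted data.  Unable to initialize Crypto Name Mapping: " + e);
            throw new NameIdentifierMappingException("The java keystore contained corrupted data.  Unable to initialize Crypto Name Mapping.");
        }
    }

    /** Returns {@code configured} unless it is null or empty, in which case {@code fallback}. */
    private static String orDefault(String configured, String fallback) {
        if (configured != null && !configured.equals("")) {
            return configured;
        }
        return fallback;
    }

    /**
     * Opens the keystore, reads the key under {@code keyAlias} and checks that it is a
     * {@link SecretKey}. The keystore stream is always closed and the password arrays are
     * cleared once the keystore no longer needs them.
     *
     * @throws NameIdentifierMappingException if no key exists under the alias or the key is not a
     *         symmetric key (for example a private key entry), which the cipher could not use
     */
    private SecretKey loadSecret(String storePath, String storePassword, String keyAlias, String keyPassword)
            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException,
            UnrecoverableKeyException, NameIdentifierMappingException {
        KeyStore keyStore = KeyStore.getInstance(this.storeType);

        char[] storePw = storePassword.toCharArray();
        InputStream storeStream = new ShibResource(storePath, getClass()).getInputStream();
        try {
            keyStore.load(storeStream, storePw);
        } finally {
            storeStream.close();
            Arrays.fill(storePw, '\0');
        }

        char[] keyPw = keyPassword.toCharArray();
        Key key;
        try {
            key = keyStore.getKey(keyAlias, keyPw);
        } finally {
            Arrays.fill(keyPw, '\0');
        }

        // getKey() returns null for an unknown alias; the original cast would have failed later
        // with a far less informative error.
        if (key == null) {
            log.error("No key found in the java keystore under alias " + keyAlias + ".  Unable to initialize Crypto Name Mapping.");
            throw new NameIdentifierMappingException("Secret could not be loaded from the java keystore.  Verify that the alias and password are correct. ");
        }
        if (!(key instanceof SecretKey)) {
            log.error("The keystore entry under alias " + keyAlias + " is not a secret (symmetric) key.  Unable to initialize Crypto Name Mapping.");
            throw new NameIdentifierMappingException("Secret could not be loaded from the java keystore.  Verify that the alias and password are correct. ");
        }
        return (SecretKey) key;
    }

    /**
     * Resolves a SAML name identifier to the principal it was issued for.
     *
     * @throws InvalidNameIdentifierException if the qualifier does not match this IdP or the
     *         handle has expired
     * @throws NameIdentifierMappingException if the handle cannot be decoded or fails its
     *         integrity check
     */
    @Override // edu.internet2.middleware.shibboleth.common.NameIdentifierMapping
    public Principal getPrincipal(SAMLNameIdentifier sAMLNameIdentifier, ServiceProvider serviceProvider, IdentityProvider identityProvider) throws NameIdentifierMappingException, InvalidNameIdentifierException {
        verifyQualifier(sAMLNameIdentifier, identityProvider);
        return getPrincipal(sAMLNameIdentifier.getName());
    }

    /**
     * Decodes, decrypts and authenticates a handle string and returns its principal.
     *
     * <p>The embedded HMAC is compared (in constant time) before the expiration is consulted,
     * so a handle that fails integrity is always rejected with the same exception regardless of
     * the expiration value it carries. Note that the HMAC covers the plaintext entry rather than
     * the ciphertext: a decryption or padding failure therefore surfaces as a different log line
     * from an HMAC failure, although the exception type is the same.
     *
     * @param str the Base32-encoded handle as issued by {@link #getName(LocalPrincipal)}
     * @return the principal the handle was issued for
     * @throws InvalidNameIdentifierException if the handle is authentic but expired
     * @throws NameIdentifierMappingException if the handle is malformed, cannot be decrypted,
     *         or fails the integrity check, or if the configured algorithms are unavailable
     */
    public Principal getPrincipal(String str) throws NameIdentifierMappingException, InvalidNameIdentifierException {
        try {
            byte[] raw = (str == null) ? null : Base32.decode(str);
            Cipher cipher = Cipher.getInstance(this.cipherAlgorithm);
            int blockSize = cipher.getBlockSize();
            Mac mac = Mac.getInstance(this.macAlgorithm);
            mac.init(this.secret);
            int macLength = mac.getMacLength();

            // The handle must at least carry the IV; the decoder's result on garbage is not
            // known here, so null is treated the same as too few bytes.
            if (raw == null || raw.length < blockSize) {
                log.error("Attribute Query Handle is malformed (not enough bytes).");
                throw new NameIdentifierMappingException("Attribute Query Handle is malformed (not enough bytes).");
            }
            byte[] iv = Arrays.copyOfRange(raw, 0, blockSize);
            byte[] ciphertext = Arrays.copyOfRange(raw, blockSize, raw.length);

            cipher.init(Cipher.DECRYPT_MODE, this.secret, new IvParameterSpec(iv));
            byte[] plaintext = cipher.doFinal(ciphertext);

            DataInputStream in = new DataInputStream(new GZIPInputStream(new ByteArrayInputStream(plaintext)));
            try {
                // readFully() guarantees the whole tag was read; a plain read() may stop short.
                byte[] storedMac = new byte[macLength];
                try {
                    in.readFully(storedMac);
                } catch (EOFException e) {
                    log.error("Error parsing handle: Unable to extract HMAC.");
                    throw new NameIdentifierMappingException("Error parsing handle: Unable to extract HMAC.");
                }
                long expiration = in.readLong();
                String principalName = in.readUTF();

                HMACHandleEntry entry = createHMACHandleEntry(new LocalPrincipal(principalName));
                entry.setExpirationTime(expiration);
                byte[] expectedMac = entry.getMAC(mac);

                // Integrity first: nothing derived from an unauthenticated entry is acted on.
                if (!MessageDigest.isEqual(storedMac, expectedMac)) {
                    log.warn("Attribute Query Handle failed integrity check.");
                    throw new NameIdentifierMappingException("Attribute Query Handle failed integrity check.");
                }
                if (entry.isExpired()) {
                    log.debug("Attribute Query Handle is expired.");
                    throw new InvalidNameIdentifierException("Attribute Query Handle is expired.", errorCodes);
                }
                log.debug("Attribute Query Handle recognized.");
                return entry.principal;
            } finally {
                in.close();
            }
        } catch (IOException e) {
            log.warn("IO error while decoding handle.");
            throw new NameIdentifierMappingException("IO error while decoding handle.");
        } catch (InvalidKeyException e) {
            log.error("Could not use the supplied secret key: " + e);
            throw new NameIdentifierMappingException("Could not use the supplied secret key.");
        } catch (NoSuchAlgorithmException e) {
            log.error("Appropriate JCE provider not found in the java environment.  Could not load Algorithm: " + e);
            throw new NameIdentifierMappingException("Appropriate JCE provider not found in the java environment.  Could not load Algorithm.");
        } catch (NoSuchPaddingException e) {
            log.error("Appropriate JCE provider not found in the java environment.  Could not load Padding method: " + e);
            throw new NameIdentifierMappingException("Appropriate JCE provider not found in the java environment.  Could not load Padding method.");
        } catch (GeneralSecurityException e) {
            log.warn("Unable to decrypt the supplied Attribute Query Handle: " + e);
            throw new NameIdentifierMappingException("Unable to decrypt the supplied Attribute Query Handle.");
        }
    }

    /**
     * Issues a new handle for {@code localPrincipal}, qualified by this IdP's provider id.
     *
     * @throws NameIdentifierMappingException if the handle cannot be created or wrapped in a
     *         SAML name identifier
     */
    @Override // edu.internet2.middleware.shibboleth.common.NameIdentifierMapping
    public SAMLNameIdentifier getNameIdentifier(LocalPrincipal localPrincipal, ServiceProvider serviceProvider, IdentityProvider identityProvider) throws NameIdentifierMappingException {
        try {
            SAMLNameIdentifier nameIdentifier = SAMLNameIdentifier.getInstance(getNameIdentifierFormat().toString());
            // The encoder may wrap its output; CR and LF are never part of the Base32 alphabet,
            // so both are dropped rather than only the platform's line separator.
            nameIdentifier.setName(getName(localPrincipal).replaceAll("[\\r\\n]", ""));
            nameIdentifier.setNameQualifier(identityProvider.getProviderId());
            return nameIdentifier;
        } catch (SAMLException e) {
            throw new NameIdentifierMappingException("Unable to generate Attribute Query Handle: " + e);
        }
    }

    /**
     * Builds the encrypted handle for a principal (see the class comment for the layout).
     *
     * @param localPrincipal the principal to issue a handle for; must not be null
     * @return the Base32-encoded handle
     * @throws IllegalArgumentException if {@code localPrincipal} is null
     * @throws NameIdentifierMappingException if the key or algorithms are unusable or the entry
     *         cannot be serialized
     */
    public String getName(LocalPrincipal localPrincipal) throws NameIdentifierMappingException {
        if (localPrincipal == null) {
            log.error("A principal must be supplied for Attribute Query Handle creation.");
            throw new IllegalArgumentException("A principal must be supplied for Attribute Query Handle creation.");
        }
        try {
            Mac mac = Mac.getInstance(this.macAlgorithm);
            mac.init(this.secret);
            HMACHandleEntry entry = createHMACHandleEntry(localPrincipal);

            Cipher cipher = Cipher.getInstance(this.cipherAlgorithm);
            byte[] iv = new byte[cipher.getBlockSize()];
            this.random.nextBytes(iv);
            cipher.init(Cipher.ENCRYPT_MODE, this.secret, new IvParameterSpec(iv));

            byte[] packed = packEntry(entry.getMAC(mac), entry.getExpirationTime(), localPrincipal.getName());
            byte[] ciphertext = cipher.doFinal(packed);

            // Wire format: IV first, ciphertext after it.
            byte[] handle = new byte[iv.length + ciphertext.length];
            System.arraycopy(iv, 0, handle, 0, iv.length);
            System.arraycopy(ciphertext, 0, handle, iv.length, ciphertext.length);
            return Base32.encode(handle);
        } catch (IOException e) {
            log.error("IO error while encoding handle.");
            throw new NameIdentifierMappingException("IO error while encoding handle.");
        } catch (KeyException e) {
            log.error("Could not use the supplied secret key: " + e);
            throw new NameIdentifierMappingException("Could not use the supplied secret key.");
        } catch (GeneralSecurityException e) {
            log.error("Appropriate JCE provider not found in the java environment.  Could not load Cipher: " + e);
            throw new NameIdentifierMappingException("Appropriate JCE provider not found in the java environment.  Could not load Cipher.");
        }
    }

    /**
     * Serializes {@code tag || expiration || UTF(principalName)} and gzips it, returning the
     * compressed bytes that are then encrypted. The streams are closed on every path.
     */
    private static byte[] packEntry(byte[] tag, long expiration, String principalName) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        GZIPOutputStream gzip = new GZIPOutputStream(buffer);
        DataOutputStream out = new DataOutputStream(gzip);
        try {
            out.write(tag);
            out.writeLong(expiration);
            out.writeUTF(principalName);
            out.flush();
            // finish() writes the gzip trailer; close() below would do so too, but being
            // explicit keeps the buffer complete even if close() were to fail.
            gzip.finish();
        } finally {
            out.close();
        }
        return buffer.toByteArray();
    }

    /**
     * Reads the text content of the child element {@code str} of {@code element} in the mapping
     * namespace.
     *
     * @param element the parent configuration element
     * @param str the local name of the child element
     * @param z whether the child is required
     * @return the text content, or null when the element is absent and {@code z} is false
     * @throws NameIdentifierMappingException if the element is required but absent, or present
     *         but empty
     */
    private String getElementConfigData(Element element, String str, boolean z) throws NameIdentifierMappingException {
        NodeList matches = element.getElementsByTagNameNS(NameIdentifierMapping.mappingNamespace, str);
        if (matches.getLength() < 1) {
            if (!z) {
                return null;
            }
            log.error(str + " not specified.");
            throw new NameIdentifierMappingException("Crypto Name Mapping requires a <" + str + "> specification.");
        }
        if (matches.getLength() > 1) {
            log.error("Multiple " + str + " specifications, using first.");
        }
        Node firstChild = matches.item(0).getFirstChild();
        String value = null;
        if (firstChild != null && firstChild.getNodeType() == Node.TEXT_NODE) {
            value = firstChild.getNodeValue();
        }
        if (value != null && !value.equals("")) {
            return value;
        }
        log.error(str + " not specified.");
        throw new NameIdentifierMappingException("Crypto Name Mapping requires a valid <" + str + "> specification.");
    }

    /**
     * Start-up self-test: encrypts and decrypts a fixed string with the configured cipher and
     * key, then computes a MAC with the configured algorithm. Each test reports its own failure
     * instead of the MAC failure being re-reported as a cipher failure.
     *
     * @throws NameIdentifierMappingException if either test fails for any reason
     */
    private void testEncryption() throws NameIdentifierMappingException {
        try {
            Cipher encryptor = Cipher.getInstance(this.cipherAlgorithm);
            byte[] iv = new byte[encryptor.getBlockSize()];
            this.random.nextBytes(iv);
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            encryptor.init(Cipher.ENCRYPT_MODE, this.secret, ivSpec);
            byte[] ciphertext = encryptor.doFinal(ROUND_TRIP_PLAINTEXT.getBytes("UTF-8"));

            Cipher decryptor = Cipher.getInstance(this.cipherAlgorithm);
            decryptor.init(Cipher.DECRYPT_MODE, this.secret, ivSpec);
            String recovered = new String(decryptor.doFinal(ciphertext), "UTF-8");
            if (!ROUND_TRIP_PLAINTEXT.equals(recovered)) {
                log.error("Round trip encryption/decryption test unsuccessful.  Decrypted text did not match.");
                throw new NameIdentifierMappingException("Round trip encryption/decryption test unsuccessful.");
            }
        } catch (NameIdentifierMappingException e) {
            throw e;
        } catch (Exception e) {
            // Deliberately broad: provider-specific runtime failures must fail start-up too.
            log.error("Round trip encryption/decryption test unsuccessful: " + e);
            throw new NameIdentifierMappingException("Round trip encryption/decryption test unsuccessful.");
        }

        try {
            Mac mac = Mac.getInstance(this.macAlgorithm);
            mac.init(this.secret);
            mac.update(MAC_TEST_INPUT.getBytes("UTF-8"));
            byte[] tag = mac.doFinal();
            if (tag == null || tag.length == 0) {
                log.error("Message Authentication test unsuccessful.");
                throw new NameIdentifierMappingException("Message Authentication test unsuccessful.");
            }
        } catch (NameIdentifierMappingException e) {
            throw e;
        } catch (Exception e) {
            log.error("Message Authentication test unsuccessful: " + e);
            throw new NameIdentifierMappingException("Message Authentication test unsuccessful.");
        }
    }

    /**
     * Whether the loaded key is the well-known one from the default configuration. Keys whose
     * encoding is unavailable (null) are never reported as the default.
     */
    private boolean usingDefaultSecret() {
        byte[] encoded = this.secret.getEncoded();
        return encoded != null && Arrays.equals(DEFAULT_SECRET, encoded);
    }

    /** Creates the entry whose MAC and expiration are embedded in a handle, using this mapping's TTL. */
    protected HMACHandleEntry createHMACHandleEntry(LocalPrincipal localPrincipal) {
        return new HMACHandleEntry(localPrincipal, this.handleTTL);
    }
}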
