package com.appiancorp.security.auth.saml;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.log4j.Logger;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.SecurityException;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.KeyAlgorithmCriterion;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

/* loaded from: input_file:com/appiancorp/security/auth/saml/SamlSignatureValidator.class */
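public class SamlSignatureValidator {
    private static final Logger LOG = Logger.getLogger(SamlSignatureValidator.class);

    /**
     * Trust engine used to decide whether the signing key is trusted for the IdP. An explicit-key engine
     * accepts a signature only if the key that produced it is among the credentials the engine resolves
     * for the supplied criteria (no certificate-path building).
     */
    private final ExplicitKeySignatureTrustEngine explicitKeySignatureTrustEngine;

    /**
     * Structural check of the {@code ds:Signature} element against the SAML signature profile, run before any
     * trust evaluation is attempted.
     */
    private final SAMLSignatureProfileValidator samlSignatureProfileValidator;

    /**
     * @param samlSignatureProfileValidator   validator for the SAML XML-signature profile
     * @param explicitKeySignatureTrustEngine trust engine that resolves the IdP's trusted signing credentials
     */
    public SamlSignatureValidator(SAMLSignatureProfileValidator samlSignatureProfileValidator,
            ExplicitKeySignatureTrustEngine explicitKeySignatureTrustEngine) {
        this.samlSignatureProfileValidator = samlSignatureProfileValidator;
        this.explicitKeySignatureTrustEngine = explicitKeySignatureTrustEngine;
    }

    /**
     * Verifies that {@code signableSAMLObject} is signed, that its signature conforms to the SAML signature
     * profile, and that the signature validates under a key trusted for the IdP identified by
     * {@code idpEntityId}.
     *
     * <p>Order matters: the unsigned case is rejected first so that the profile validator is never handed an
     * absent signature ({@code isSigned()} is expected to mirror {@code getSignature() != null}); the previous
     * ordering validated first and only then checked {@code isSigned()}, which would surface an unsigned object
     * as a runtime exception instead of the intended {@link MessageHandlerException}. The profile check then
     * runs before any cryptographic work so that a signature whose reference does not cover the enclosing
     * object is rejected up front.
     *
     * @param idpEntityId        entity ID of the IdP the message claims to come from; the trusted-key lookup is
     *                           scoped to this entity, so callers must derive it from a value that is itself
     *                           bound to the message being verified
     * @param signableSAMLObject the signed SAML object (message or assertion)
     * @throws MessageHandlerException if the object is unsigned, the entity ID is missing, the signature does
     *                                 not conform to the profile, the signature is invalid or its key is not
     *                                 trusted, or evaluation itself fails
     */
    public void verifySignature(String idpEntityId, SignableSAMLObject signableSAMLObject) throws MessageHandlerException {
        LOG.debug("Verifying signed SAML message from IdP: " + idpEntityId);
        if (!signableSAMLObject.isSigned()) {
            throw new MessageHandlerException("SAML Object was not signed");
        }
        try {
            this.samlSignatureProfileValidator.validate(signableSAMLObject.getSignature());
        } catch (SignatureException e) {
            throw new MessageHandlerException("Signature did not conform to SAML Signature profile", e);
        }
        checkSignature(idpEntityId, signableSAMLObject);
    }

    /**
     * Evaluates the signature against the trust engine using criteria that restrict the trusted-credential
     * lookup to the named IdP's signing keys.
     *
     * <p>NOTE(review): no {@code SignatureValidationParametersCriterion} is added to the criteria set, so no
     * signature-algorithm whitelist/blacklist (e.g. rejecting SHA-1 based algorithms) appears to be enforced
     * at this layer — confirm that it is enforced elsewhere in the pipeline, or add one here.
     *
     * @param idpEntityId        entity ID used to scope the trusted-key lookup
     * @param signableSAMLObject the signed object whose signature is evaluated
     * @throws MessageHandlerException if the object is unsigned, the criteria cannot be built, the trust engine
     *                                 fails, or the signature is invalid/untrusted
     */
    private void checkSignature(String idpEntityId, SignableSAMLObject signableSAMLObject) throws MessageHandlerException {
        // Defensive re-check; verifySignature() already rejects unsigned objects, but this keeps the method
        // safe if it is ever called on its own.
        if (!signableSAMLObject.isSigned()) {
            throw new MessageHandlerException("SAML Object was not signed");
        }
        CriteriaSet criteriaSet = buildTrustCriteria(idpEntityId);
        boolean trusted;
        try {
            trusted = this.explicitKeySignatureTrustEngine.validate(signableSAMLObject.getSignature(), criteriaSet);
        } catch (SecurityException e) {
            // org.opensaml.security.SecurityException (imported), not java.lang.SecurityException.
            throw new MessageHandlerException("Error evaluating the signature", e);
        }
        if (!trusted) {
            throw new MessageHandlerException("Signature was either invalid or signing key could not be established as trusted");
        }
    }

    /**
     * Builds the criteria that scope which credentials the trust engine may treat as trusted: only signing
     * keys published for {@code idpEntityId} in its IdP role. The RSA restriction means a non-RSA (e.g. EC)
     * IdP signing key would not be resolved and the signature would be reported as untrusted — presumably
     * intentional; confirm against the supported IdP configurations.
     *
     * @param idpEntityId entity ID of the IdP; must be non-null and non-blank
     * @return the populated criteria set
     * @throws MessageHandlerException if the entity ID is missing or a criterion rejects it
     */
    private static CriteriaSet buildTrustCriteria(String idpEntityId) throws MessageHandlerException {
        // Explicit check so a missing entity ID is reported uniformly, regardless of which runtime exception
        // type the criterion constructors use to reject a null/blank value.
        if (idpEntityId == null || idpEntityId.trim().isEmpty()) {
            throw new MessageHandlerException("Could not retrieve IdP Entity ID");
        }
        CriteriaSet criteriaSet = new CriteriaSet();
        try {
            criteriaSet.add(new EntityIdCriterion(idpEntityId));
            criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
            criteriaSet.add(new KeyAlgorithmCriterion("RSA"));
            criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        } catch (IllegalArgumentException e) {
            throw new MessageHandlerException("Could not retrieve IdP Entity ID", e);
        }
        return criteriaSet;
    }
}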
