package edu.internet2.middleware.shibboleth.idp.profile.saml2;

import edu.internet2.middleware.shibboleth.common.attribute.AttributeRequestException;
import edu.internet2.middleware.shibboleth.common.attribute.provider.SAML2AttributeAuthority;
import edu.internet2.middleware.shibboleth.common.log.AuditLogEntry;
import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.CryptoOperationRequirementLevel;
import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.AbstractSAML2ProfileConfiguration;
import edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler;
import edu.internet2.middleware.shibboleth.idp.session.ServiceInformation;
import edu.internet2.middleware.shibboleth.idp.session.Session;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.ProxyRestriction;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.Statement;
import org.opensaml.saml2.core.Status;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.helpers.MessageFormatter;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.class */
public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHandler {
    /** SAML version produced by every handler in this hierarchy (2.0). */
    public static final SAMLVersion SAML_VERSION = SAMLVersion.VERSION_20;
    /** Class logger. */
    private Logger log = LoggerFactory.getLogger(AbstractSAML2ProfileHandler.class);
    // Element builders are resolved once per handler instance from the inherited builder
    // factory; note that getBuilderFactory() is invoked during field initialization.
    private SAMLObjectBuilder<Response> responseBuilder = getBuilderFactory().getBuilder(Response.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<Status> statusBuilder = getBuilderFactory().getBuilder(Status.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<StatusCode> statusCodeBuilder = getBuilderFactory().getBuilder(StatusCode.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<StatusMessage> statusMessageBuilder = getBuilderFactory().getBuilder(StatusMessage.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<Issuer> issuerBuilder = getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<Assertion> assertionBuilder = getBuilderFactory().getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<Subject> subjectBuilder = getBuilderFactory().getBuilder(Subject.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<SubjectConfirmation> subjectConfirmationBuilder = getBuilderFactory().getBuilder(SubjectConfirmation.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<SubjectConfirmationData> subjectConfirmationDataBuilder = getBuilderFactory().getBuilder(SubjectConfirmationData.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<Conditions> conditionsBuilder = getBuilderFactory().getBuilder(Conditions.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder = getBuilderFactory().getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<ProxyRestriction> proxyRestrictionBuilder = getBuilderFactory().getBuilder(ProxyRestriction.DEFAULT_ELEMENT_NAME);
    private SAMLObjectBuilder<Audience> audienceBuilder = getBuilderFactory().getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    /** Builder for the XML Signature element attached to assertions by signAssertion(). */
    private XMLObjectBuilder<Signature> signatureBuilder = getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME);

    /* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler$SAML2AuditLogEntry.class */
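    /**
     * Audit log entry for SAML 2 profiles. Extends the base entry with the outbound
     * response and a clear-text NameID so the audit line can record the issued
     * assertion IDs and the subject identifier.
     */
    protected class SAML2AuditLogEntry extends AuditLogEntry {
        /** Response sent to the relying party; may be null. */
        private StatusResponseType samlResponse;
        /** Subject NameID in clear text; presumably set by callers before any encryption of the NameID. May be null. */
        private NameID unencryptedNameId;

        protected SAML2AuditLogEntry() {
        }

        /** @return the response sent to the relying party, may be null */
        public StatusResponseType getSAMLResponse() {
            return this.samlResponse;
        }

        /** @param statusResponseType the response sent to the relying party */
        public void setSAMLResponse(StatusResponseType statusResponseType) {
            this.samlResponse = statusResponseType;
        }

        /** @return the clear-text subject NameID, may be null */
        public NameID getUnencryptedNameId() {
            return this.unencryptedNameId;
        }

        /** @param nameID the clear-text subject NameID */
        public void setUnencryptedNameId(NameID nameID) {
            this.unencryptedNameId = nameID;
        }

        /**
         * Renders the entry as {@code <base entry><nameid value>|<assertion id>,...|}.
         * Only assertions carried in clear text (Response.getAssertions()) are listed;
         * encrypted assertions have no readable ID here. Non-Response status messages
         * (e.g. logout responses) contribute no assertion IDs.
         *
         * @return the audit line
         */
        @Override
        public String toString() {
            StringBuilder entry = new StringBuilder(super.toString());
            if (this.unencryptedNameId != null) {
                entry.append(this.unencryptedNameId.getValue());
            }
            entry.append("|");
            // StatusResponseType has no assertions; the cast is required (the decompiled listing dropped it).
            if (this.samlResponse instanceof Response) {
                List<Assertion> assertions = ((Response) this.samlResponse).getAssertions();
                if (assertions != null) {
                    for (Assertion assertion : assertions) {
                        entry.append(assertion.getID());
                        entry.append(",");
                    }
                }
            }
            entry.append("|");
            return entry.toString();
        }
    }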

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Delegates to the base handler and, if that fails, makes sure a SAML 2 failure
     * status is recorded on the context before the exception propagates.
     *
     * @param baseSAMLProfileRequestContext the request context (must be a BaseSAML2ProfileRequestContext)
     * @throws ProfileException rethrown from the base implementation
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void populateRequestContext(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) throws ProfileException {
        BaseSAML2ProfileRequestContext<?, ?, ?> saml2Context = (BaseSAML2ProfileRequestContext<?, ?, ?>) baseSAMLProfileRequestContext;
        try {
            super.populateRequestContext(baseSAMLProfileRequestContext);
        } catch (ProfileException e) {
            // A more specific failure status may already have been set deeper down; only fill in a generic one if not.
            // The exception text becomes the StatusMessage returned to the relying party.
            if (saml2Context.getFailureStatus() == null) {
                Status requesterError = buildStatus("urn:oasis:names:tc:SAML:2.0:status:Requester", null, e.getMessage());
                saml2Context.setFailureStatus(requesterError);
            }
            throw e;
        }
    }

    /**
     * Attaches the user's session (if any) and derived principal information to the context.
     * The session is looked up by inbound transport first; if none is bound there, the value
     * of the inbound subject NameID is used as the session key instead.
     * NOTE(review): the fallback keys the session on a value taken from the inbound message;
     * which callers validate that message before this point is not visible here - confirm.
     *
     * @param baseSAMLProfileRequestContext the current request context
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    protected void populateUserInformation(BaseSAMLProfileRequestContext baseSAMLProfileRequestContext) {
        Session session = getUserSession(baseSAMLProfileRequestContext.getInboundMessageTransport());
        if (session == null) {
            NameID subjectNameId = baseSAMLProfileRequestContext.getSubjectNameIdentifier();
            if (subjectNameId != null && subjectNameId.getValue() != null) {
                session = getUserSession(subjectNameId.getValue());
            }
        }
        if (session == null) {
            return;
        }
        baseSAMLProfileRequestContext.setUserSession(session);
        baseSAMLProfileRequestContext.setPrincipalName(session.getPrincipalName());
        // The authentication method is per service; only set it if this relying party is known to the session.
        ServiceInformation serviceInfo = session.getServicesInformation().get(baseSAMLProfileRequestContext.getInboundMessageIssuer());
        if (serviceInfo != null) {
            baseSAMLProfileRequestContext.setPrincipalAuthenticationMethod(serviceInfo.getAuthenticationMethod().getAuthenticationMethod());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Rejects inbound messages whose SAML version is not exactly 2.0, recording the
     * matching VersionMismatch failure status on the context before throwing.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @throws ProfileException if the inbound message version is below or above 2.0
     */
    public void checkSamlVersion(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext) throws ProfileException {
        SAMLVersion requestVersion = baseSAML2ProfileRequestContext.getInboundSAMLMessage().getVersion();
        int major = requestVersion.getMajorVersion();
        if (major < 2) {
            Status tooLow = buildStatus("urn:oasis:names:tc:SAML:2.0:status:VersionMismatch", "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow", null);
            baseSAML2ProfileRequestContext.setFailureStatus(tooLow);
            throw new ProfileException("SAML request version too low");
        }
        // Anything past 2.0 (2.1, 3.x, ...) is "too high".
        boolean aboveTwoZero = major > 2 || requestVersion.getMinorVersion() > 0;
        if (aboveTwoZero) {
            Status tooHigh = buildStatus("urn:oasis:names:tc:SAML:2.0:status:VersionMismatch", "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh", null);
            baseSAML2ProfileRequestContext.setFailureStatus(tooHigh);
            throw new ProfileException("SAML request version too high");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a Success response. When statements are supplied, a single assertion carrying
     * them (with subject and conditions) is signed first and then either encrypted or
     * added in clear text, depending on isEncryptAssertion().
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param str subject confirmation method passed on to buildSubject()
     * @param list statements to place in the assertion; null or empty yields a response without assertion
     * @return the populated response
     * @throws ProfileException if assertion construction, signing or encryption fails
     */
    public Response buildResponse(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, String str, List<Statement> list) throws ProfileException {
        DateTime issueInstant = new DateTime();
        Response samlResponse = this.responseBuilder.buildObject();
        samlResponse.setIssueInstant(issueInstant);
        populateStatusResponse(baseSAML2ProfileRequestContext, samlResponse);
        boolean hasStatements = list != null && !list.isEmpty();
        if (hasStatements) {
            Assertion assertion = buildAssertion(baseSAML2ProfileRequestContext, issueInstant);
            assertion.getStatements().addAll(list);
            assertion.setSubject(buildSubject(baseSAML2ProfileRequestContext, str, issueInstant));
            postProcessAssertion(baseSAML2ProfileRequestContext, assertion);
            // Sign before encrypt: the signature is inside the encrypted assertion.
            signAssertion(baseSAML2ProfileRequestContext, assertion);
            addAssertionToResponse(baseSAML2ProfileRequestContext, samlResponse, assertion);
        }
        samlResponse.setStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Success", null, null));
        postProcessResponse(baseSAML2ProfileRequestContext, samlResponse);
        return samlResponse;
    }

    /**
     * Places the assertion in the response, encrypting it to the relying party when required.
     *
     * @param ctx the current request context
     * @param samlResponse the response being built
     * @param assertion the (already signed) assertion
     * @throws ProfileException if the encrypter cannot be built or encryption fails
     */
    private void addAssertionToResponse(BaseSAML2ProfileRequestContext<?, ?, ?> ctx, Response samlResponse, Assertion assertion) throws ProfileException {
        if (!isEncryptAssertion(ctx)) {
            samlResponse.getAssertions().add(assertion);
            return;
        }
        String relyingPartyId = ctx.getInboundMessageIssuer();
        this.log.debug("Attempting to encrypt assertion to relying party '{}'", relyingPartyId);
        try {
            samlResponse.getEncryptedAssertions().add(getEncrypter(relyingPartyId).encrypt(assertion));
        } catch (SecurityException e) {
            this.log.error("Unable to construct encrypter", e);
            ctx.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, "Unable to encrypt assertion"));
            throw new ProfileException("Unable to construct encrypter", e);
        } catch (EncryptionException e2) {
            this.log.error("Unable to encrypt assertion", e2);
            ctx.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, "Unable to encrypt assertion"));
            throw new ProfileException("Unable to encrypt assertion", e2);
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:8:0x002d, code lost:
    
        if (r0.providesMessageConfidentiality(r5) == false) goto L9;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
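    /**
     * Decides whether the assertion must be encrypted for this relying party. Reconstructed
     * from the decompiler's bytecode dump (the source-level body failed to decompile) and
     * mirrors isSignAssertion(): encrypt when the profile configuration says {@code always},
     * or says {@code conditional} and the outbound binding provides no message confidentiality.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @return true if the assertion must be encrypted
     * @throws ProfileException if the outbound encoder cannot report whether it provides confidentiality
     */
    protected boolean isEncryptAssertion(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext) throws ProfileException {
        SAMLMessageEncoder outboundMessageEncoder = getOutboundMessageEncoder(baseSAML2ProfileRequestContext);
        try {
            AbstractSAML2ProfileConfiguration profileConfiguration = baseSAML2ProfileRequestContext.getProfileConfiguration();
            CryptoOperationRequirementLevel level = profileConfiguration.getEncryptAssertion();
            return level == CryptoOperationRequirementLevel.always
                    || (level == CryptoOperationRequirementLevel.conditional
                            && !outboundMessageEncoder.providesMessageConfidentiality(baseSAML2ProfileRequestContext));
        } catch (MessageEncodingException e) {
            this.log.error("Unable to determine if outbound encoding '{}' can provide confidentiality", outboundMessageEncoder.getBindingURI());
            // Keep the cause; the bytecode version dropped it.
            throw new ProfileException("Unable to determine if assertions should be encrypted", e);
        }
    }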

    /**
     * Extension hook invoked by buildResponse() after the status is set and just before the
     * response is returned. Does nothing by default.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param response the fully built response
     * @throws ProfileException if a subclass rejects the response
     */
    protected void postProcessResponse(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, Response response) throws ProfileException {
    }

    /**
     * Extension hook invoked by buildResponse() after the assertion's statements, subject and
     * conditions are in place but before it is signed or encrypted. Does nothing by default.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param assertion the assertion about to be signed
     * @throws ProfileException if a subclass rejects the assertion
     */
    protected void postProcessAssertion(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, Assertion assertion) throws ProfileException {
    }

    /**
     * Creates a bare SAML 2.0 assertion with a fresh ID, the given issue instant, this IdP as
     * issuer and the conditions from buildConditions(). Subject and statements are added by the caller.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param dateTime issue instant shared with the enclosing response
     * @return the new assertion
     */
    protected Assertion buildAssertion(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, DateTime dateTime) {
        Assertion assertion = this.assertionBuilder.buildObject();
        assertion.setVersion(SAMLVersion.VERSION_20);
        assertion.setID(getIdGenerator().generateIdentifier());
        assertion.setIssueInstant(dateTime);
        Issuer issuer = buildEntityIssuer(baseSAML2ProfileRequestContext);
        assertion.setIssuer(issuer);
        Conditions conditions = buildConditions(baseSAML2ProfileRequestContext, dateTime);
        assertion.setConditions(conditions);
        return assertion;
    }

    /**
     * Builds an Issuer element naming this IdP's entity ID in the entity name-ID format.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @return the issuer element
     */
    protected Issuer buildEntityIssuer(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext) {
        String localEntityId = baseSAML2ProfileRequestContext.getLocalEntityId();
        Issuer issuer = this.issuerBuilder.buildObject();
        issuer.setValue(localEntityId);
        issuer.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
        return issuer;
    }

    /**
     * Builds the assertion conditions: validity window [dateTime, dateTime + configured
     * lifetime), an audience restriction that always contains the requesting relying party
     * plus any configured extra audiences, and an optional proxy restriction.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param dateTime start of the validity window
     * @return the conditions element
     */
    protected Conditions buildConditions(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, DateTime dateTime) {
        AbstractSAML2ProfileConfiguration config = baseSAML2ProfileRequestContext.getProfileConfiguration();
        Conditions conditions = this.conditionsBuilder.buildObject();
        conditions.setNotBefore(dateTime);
        conditions.setNotOnOrAfter(dateTime.plus(config.getAssertionLifetime()));

        AudienceRestriction restriction = this.audienceRestrictionBuilder.buildObject();
        restriction.getAudiences().add(newAudience(baseSAML2ProfileRequestContext.getInboundMessageIssuer()));
        Collection<String> extraAudiences = config.getAssertionAudiences();
        if (extraAudiences != null) {
            for (String audienceUri : extraAudiences) {
                restriction.getAudiences().add(newAudience(audienceUri));
            }
        }
        conditions.getAudienceRestrictions().add(restriction);

        Collection<String> proxyAudiences = config.getProxyAudiences();
        if (proxyAudiences != null && !proxyAudiences.isEmpty()) {
            ProxyRestriction proxyRestriction = this.proxyRestrictionBuilder.buildObject();
            for (String audienceUri : proxyAudiences) {
                proxyRestriction.getAudiences().add(newAudience(audienceUri));
            }
            proxyRestriction.setProxyCount(Integer.valueOf(config.getProxyCount()));
            conditions.getConditions().add(proxyRestriction);
        }
        return conditions;
    }

    /**
     * Builds one Audience element.
     *
     * @param audienceUri the audience URI
     * @return the audience element
     */
    private Audience newAudience(String audienceUri) {
        Audience audience = this.audienceBuilder.buildObject();
        audience.setAudienceURI(audienceUri);
        return audience;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Fills the fields common to every status response: version 2.0, a fresh ID, this IdP
     * as issuer and InResponseTo bound to the inbound request's message ID.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param statusResponseType the response being populated
     */
    public void populateStatusResponse(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, StatusResponseType statusResponseType) {
        statusResponseType.setVersion(SAMLVersion.VERSION_20);
        statusResponseType.setID(getIdGenerator().generateIdentifier());
        Issuer issuer = buildEntityIssuer(baseSAML2ProfileRequestContext);
        statusResponseType.setIssuer(issuer);
        statusResponseType.setInResponseTo(baseSAML2ProfileRequestContext.getInboundSAMLMessageId());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the principal's attributes through the configured attribute authority and
     * stores them on the context. Resolution failures are deliberately non-fatal: they are
     * logged at WARN and the response is issued without attributes (or NameID).
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @throws ProfileException declared for subclasses; not thrown here
     */
    public void resolveAttributes(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext) throws ProfileException {
        SAML2AttributeAuthority authority = baseSAML2ProfileRequestContext.getProfileConfiguration().getAttributeAuthority();
        this.log.debug("Resolving attributes for principal '{}' for SAML request from relying party '{}'", baseSAML2ProfileRequestContext.getPrincipalName(), baseSAML2ProfileRequestContext.getInboundMessageIssuer());
        try {
            baseSAML2ProfileRequestContext.setAttributes(authority.getAttributes(baseSAML2ProfileRequestContext));
        } catch (AttributeRequestException ignoredAfterWarning) {
            // Best effort by design: continue without attributes rather than failing the whole request.
            this.log.warn("Error resolving attributes for principal '{}'.  No name identifier or attribute statement will be included in response", baseSAML2ProfileRequestContext.getPrincipalName());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Encodes the resolved attributes into an AttributeStatement. For attribute queries the
     * inbound query is handed to the authority so it can honour the requested attributes.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @return the statement, or null when no attributes were resolved
     * @throws ProfileException if encoding fails (a Responder failure status is set first)
     */
    public AttributeStatement buildAttributeStatement(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext) throws ProfileException {
        if (baseSAML2ProfileRequestContext.getAttributes() == null) {
            return null;
        }
        String requestId = baseSAML2ProfileRequestContext.getInboundSAMLMessageId();
        String relyingPartyId = baseSAML2ProfileRequestContext.getInboundMessageIssuer();
        this.log.debug("Creating attribute statement in response to SAML request '{}' from relying party '{}'", requestId, relyingPartyId);
        SAML2AttributeAuthority authority = baseSAML2ProfileRequestContext.getProfileConfiguration().getAttributeAuthority();
        try {
            if (baseSAML2ProfileRequestContext.getInboundSAMLMessage() instanceof AttributeQuery) {
                AttributeQuery query = (AttributeQuery) baseSAML2ProfileRequestContext.getInboundSAMLMessage();
                return authority.buildAttributeStatement(query, baseSAML2ProfileRequestContext.getAttributes().values());
            }
            return authority.buildAttributeStatement((AttributeQuery) null, baseSAML2ProfileRequestContext.getAttributes().values());
        } catch (AttributeRequestException e) {
            Status failure = buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, "Error resolving attributes");
            baseSAML2ProfileRequestContext.setFailureStatus(failure);
            String message = MessageFormatter.format("Error encoding attributes for principal '{}'", baseSAML2ProfileRequestContext.getPrincipalName());
            this.log.error(message, e);
            throw new ProfileException(message, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the principal name for the request's subject via the attribute authority and
     * stores it on the context. A missing SAML 2 profile configuration yields a
     * RequestDenied status; a resolution error yields UnknownPrincipal.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @throws ProfileException if no profile configuration exists or resolution fails
     */
    public void resolvePrincipal(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext) throws ProfileException {
        String relyingPartyId = baseSAML2ProfileRequestContext.getInboundMessageIssuer();
        AbstractSAML2ProfileConfiguration config = baseSAML2ProfileRequestContext.getProfileConfiguration();
        if (config == null) {
            Status denied = buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:RequestDenied", "Error resolving principal");
            baseSAML2ProfileRequestContext.setFailureStatus(denied);
            String message = MessageFormatter.format("Unable to resolve principal, no SAML 2 profile configuration for relying party '{}'", relyingPartyId);
            this.log.warn(message);
            throw new ProfileException(message);
        }
        String requestId = baseSAML2ProfileRequestContext.getInboundSAMLMessageId();
        SAML2AttributeAuthority authority = config.getAttributeAuthority();
        this.log.debug("Resolving principal name for subject of SAML request '{}' from relying party '{}'", requestId, relyingPartyId);
        try {
            baseSAML2ProfileRequestContext.setPrincipalName(authority.getPrincipal(baseSAML2ProfileRequestContext));
        } catch (AttributeRequestException e) {
            Status unknown = buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal", "Error resolving principal");
            baseSAML2ProfileRequestContext.setFailureStatus(unknown);
            String message = MessageFormatter.format("Error resolving principal name for SAML request '{}' from relying party '{}'", requestId, relyingPartyId);
            this.log.error(message, e);
            throw new ProfileException(message, e);
        }
    }

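    /**
     * Signs the assertion when isSignAssertion() says so. The signing credential is the
     * profile-specific one, falling back to the relying-party default; signature algorithm
     * parameters come from the global security configuration (null passed to
     * SecurityHelper). The assertion is marshalled to DOM before signing because the
     * signature is computed over that DOM.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param assertion the assertion to sign (modified in place)
     * @throws ProfileException if no signing credential is configured, or preparing,
     *         marshalling or signing fails
     */
    protected void signAssertion(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, Assertion assertion) throws ProfileException {
        String relyingPartyId = baseSAML2ProfileRequestContext.getInboundMessageIssuer();
        this.log.debug("Determining if SAML assertion to relying party '{}' should be signed", relyingPartyId);
        if (!isSignAssertion(baseSAML2ProfileRequestContext)) {
            return;
        }
        AbstractSAML2ProfileConfiguration profileConfiguration = baseSAML2ProfileRequestContext.getProfileConfiguration();
        this.log.debug("Determining signing credntial for assertion to relying party '{}'", relyingPartyId);
        Credential signingCredential = profileConfiguration.getSigningCredential();
        if (signingCredential == null) {
            signingCredential = baseSAML2ProfileRequestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
        }
        if (signingCredential == null) {
            String message = MessageFormatter.format("No signing credential is specified for relying party configuration '{}'", baseSAML2ProfileRequestContext.getRelyingPartyConfiguration().getProviderId());
            this.log.warn(message);
            throw new ProfileException(message);
        }
        this.log.debug("Signing assertion to relying party {}", relyingPartyId);
        Signature signature = this.signatureBuilder.buildObject(Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(signingCredential);
        try {
            SecurityHelper.prepareSignatureParams(signature, signingCredential, (SecurityConfiguration) null, (String) null);
            assertion.setSignature(signature);
            try {
                Configuration.getMarshallerFactory().getMarshaller(assertion).marshall(assertion);
                Signer.signObject(signature);
            } catch (MarshallingException e) {
                this.log.error("Unable to marshall assertion for signing", e);
                throw new ProfileException("Unable to marshall assertion for signing", e);
            } catch (SignatureException e2) {
                this.log.error("Unable to sign assertion", e2);
                throw new ProfileException("Unable to sign assertion", e2);
            }
        } catch (SecurityException e3) {
            // Log the cause like the sibling catches do; previously only the message was logged.
            this.log.error("Error preparing signature for signing", e3);
            throw new ProfileException("Error preparing signature for signing", e3);
        }
    }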

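    /**
     * Decides whether the assertion must be signed. The IdP configuration decides first:
     * {@code always} signs, {@code conditional} signs only when the outbound binding
     * provides no message integrity. When configuration leaves signing off, the relying
     * party's SP metadata may still turn it on via WantAssertionsSigned; metadata can add
     * signing but never remove what configuration requires.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @return true if the assertion must be signed
     * @throws ProfileException if the outbound encoder cannot report whether it provides integrity
     */
    protected boolean isSignAssertion(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext) throws ProfileException {
        SAMLMessageEncoder outboundMessageEncoder = getOutboundMessageEncoder(baseSAML2ProfileRequestContext);
        AbstractSAML2ProfileConfiguration profileConfiguration = baseSAML2ProfileRequestContext.getProfileConfiguration();
        try {
            CryptoOperationRequirementLevel level = profileConfiguration.getSignAssertions();
            boolean sign = level == CryptoOperationRequirementLevel.always
                    || (level == CryptoOperationRequirementLevel.conditional
                            && !outboundMessageEncoder.providesMessageIntegrity(baseSAML2ProfileRequestContext));
            this.log.debug("IdP relying party configuration '{}' indicates to sign assertions: {}", baseSAML2ProfileRequestContext.getRelyingPartyConfiguration().getRelyingPartyId(), Boolean.valueOf(sign));
            if (!sign && (baseSAML2ProfileRequestContext.getPeerEntityRoleMetadata() instanceof SPSSODescriptor)) {
                SPSSODescriptor spMetadata = (SPSSODescriptor) baseSAML2ProfileRequestContext.getPeerEntityRoleMetadata();
                Boolean wantSigned = spMetadata.getWantAssertionsSigned();
                if (wantSigned != null) {
                    sign = wantSigned.booleanValue();
                    this.log.debug("Entity metadata for relying party '{} 'indicates to sign assertions: {}", baseSAML2ProfileRequestContext.getInboundMessageIssuer(), Boolean.valueOf(sign));
                }
            }
            return sign;
        } catch (MessageEncodingException e) {
            this.log.error("Unable to determine if outbound encoding '{}' provides message integrity protection", outboundMessageEncoder.getBindingURI());
            // Keep the cause; it was previously dropped.
            throw new ProfileException("Unable to determine if outbound assertion should be signed", e);
        }
    }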

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a Status element. Status codes are trimmed (and nulled when blank) via
     * DatatypeHelper; the message is emitted verbatim, so whatever text callers pass
     * (including exception messages, see populateRequestContext) reaches the relying party.
     *
     * @param str top-level status code URI
     * @param str2 nested status code URI, or null for none
     * @param str3 human-readable status message, or null for none
     * @return the status element
     */
    public Status buildStatus(String str, String str2, String str3) {
        StatusCode topLevelCode = this.statusCodeBuilder.buildObject();
        topLevelCode.setValue(DatatypeHelper.safeTrimOrNullString(str));
        if (str2 != null) {
            StatusCode nestedCode = this.statusCodeBuilder.buildObject();
            nestedCode.setValue(DatatypeHelper.safeTrimOrNullString(str2));
            topLevelCode.setStatusCode(nestedCode);
        }
        Status status = this.statusBuilder.buildObject();
        status.setStatusCode(topLevelCode);
        if (str3 != null) {
            StatusMessage message = this.statusMessageBuilder.buildObject();
            message.setMessage(str3);
            status.setStatusMessage(message);
        }
        return status;
    }

    /**
     * Builds the assertion subject: one subject confirmation plus, when a NameID can be
     * produced, the NameID either in clear text or encrypted to the relying party
     * (isEncryptNameID()). The clear-text NameID is also recorded on the context.
     *
     * @param baseSAML2ProfileRequestContext the current request context
     * @param str subject confirmation method passed to buildSubjectConfirmation()
     * @param dateTime issue instant used for the confirmation data
     * @return the subject element
     * @throws ProfileException if the encrypter cannot be built or NameID encryption fails
     */
    protected Subject buildSubject(BaseSAML2ProfileRequestContext<?, ?, ?> baseSAML2ProfileRequestContext, String str, DateTime dateTime) throws ProfileException {
        Subject subject = this.subjectBuilder.buildObject();
        SubjectConfirmation confirmation = buildSubjectConfirmation(baseSAML2ProfileRequestContext, str, dateTime);
        subject.getSubjectConfirmations().add(confirmation);
        NameID nameId = buildNameId(baseSAML2ProfileRequestContext);
        if (nameId != null) {
            baseSAML2ProfileRequestContext.setSubjectNameIdentifier(nameId);
            if (!isEncryptNameID(baseSAML2ProfileRequestContext)) {
                subject.setNameID(nameId);
            } else {
                String relyingPartyId = baseSAML2ProfileRequestContext.getInboundMessageIssuer();
                this.log.debug("Attempting to encrypt NameID to relying party '{}'", relyingPartyId);
                try {
                    subject.setEncryptedID(getEncrypter(relyingPartyId).encrypt(nameId));
                } catch (SecurityException e) {
                    this.log.error("Unable to construct encrypter", e);
                    baseSAML2ProfileRequestContext.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, "Unable to encrypt NameID"));
                    throw new ProfileException("Unable to construct encrypter", e);
                } catch (EncryptionException e2) {
                    this.log.error("Unable to encrypt NameID", e2);
                    baseSAML2ProfileRequestContext.setFailureStatus(buildStatus("urn:oasis:names:tc:SAML:2.0:status:Responder", null, "Unable to encrypt NameID"));
                    throw new ProfileException("Unable to encrypt NameID", e2);
                }
            }
        }
        return subject;
    }

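    /**
     * Decides whether the subject's NameID must be encrypted for this request.
     *
     * <p>Reconstructed from the bytecode dump the decompiler emitted in place of this method.
     * The result is true when either of the following holds:
     * <ul>
     *   <li>the inbound request itself demands an encrypted name identifier
     *       ({@link #isRequestRequiresEncryptNameID}), or</li>
     *   <li>the relying party's profile configuration sets encryptNameID to
     *       {@link CryptoOperationRequirementLevel#always}, or sets it to
     *       {@link CryptoOperationRequirementLevel#conditional} and the outbound encoder
     *       does not itself provide message confidentiality.</li>
     * </ul>
     *
     * @param requestContext current request context
     * @return true if the NameID must be encrypted, false otherwise
     * @throws ProfileException if the outbound encoder cannot report whether it provides
     *             message confidentiality
     */
    protected boolean isEncryptNameID(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext) throws ProfileException {
        boolean requiredByRequest = isRequestRequiresEncryptNameID(requestContext);
        SAMLMessageEncoder encoder = getOutboundMessageEncoder(requestContext);

        boolean requiredByConfig;
        try {
            AbstractSAML2ProfileConfiguration profileConfig =
                    (AbstractSAML2ProfileConfiguration) requestContext.getProfileConfiguration();
            CryptoOperationRequirementLevel level = profileConfig.getEncryptNameID();
            // "conditional" means: encrypt unless the outbound binding already keeps the message confidential.
            requiredByConfig = level == CryptoOperationRequirementLevel.always
                    || (level == CryptoOperationRequirementLevel.conditional
                            && !encoder.providesMessageConfidentiality(requestContext));
        } catch (org.opensaml.ws.message.encoder.MessageEncodingException e) {
            String msg = org.slf4j.helpers.MessageFormatter.format(
                    "Unable to determine if outbound encoding '{}' provides message confidentiality protection",
                    encoder.getBindingURI());
            // Keep the cause attached so the underlying encoder failure is not lost.
            this.log.error(msg, e);
            throw new ProfileException(msg, e);
        }

        return requiredByRequest || requiredByConfig;
    }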

    /**
     * Determines whether the inbound request itself demands an encrypted name identifier.
     * This is the case only for an {@link AuthnRequest} whose NameIDPolicy format is the
     * SAML 2.0 "encrypted" name identifier format URI.
     *
     * @param requestContext current request context
     * @return true if the request's NameIDPolicy asks for the encrypted format; false for any
     *         other message type, a missing NameIDPolicy, or any other format
     */
    protected boolean isRequestRequiresEncryptNameID(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext) {
        Object inboundMessage = requestContext.getInboundSAMLMessage();
        if (!(inboundMessage instanceof AuthnRequest)) {
            return false;
        }
        NameIDPolicy policy = ((AuthnRequest) inboundMessage).getNameIDPolicy();
        return policy != null
                && DatatypeHelper.safeEquals(policy.getFormat(), "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted");
    }

    /**
     * Builds a {@link SubjectConfirmation} with confirmation data bound to this request.
     *
     * <p>The confirmation data carries the inbound transport's peer address, the inbound message
     * ID as InResponseTo, NotOnOrAfter = issueInstant + the configured assertion lifetime, and,
     * when a peer endpoint is known, its response location (or its location as fallback) as
     * Recipient. These are the values a relying party uses to tie the assertion to its own
     * request and endpoint.
     *
     * @param requestContext current request context
     * @param confirmationMethod SAML subject confirmation method URI
     * @param issueInstant instant from which NotOnOrAfter is computed
     * @return the populated subject confirmation
     */
    protected SubjectConfirmation buildSubjectConfirmation(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext, String confirmationMethod, DateTime issueInstant) {
        SubjectConfirmationData confirmationData = this.subjectConfirmationDataBuilder.buildObject();
        confirmationData.setAddress(requestContext.getInboundMessageTransport().getPeerAddress());
        confirmationData.setInResponseTo(requestContext.getInboundSAMLMessageId());
        confirmationData.setNotOnOrAfter(issueInstant.plus(requestContext.getProfileConfiguration().getAssertionLifetime()));

        Endpoint peerEndpoint = requestContext.getPeerEntityEndpoint();
        if (peerEndpoint != null) {
            // Prefer the explicit response location; the endpoint's plain location is the fallback.
            String responseLocation = peerEndpoint.getResponseLocation();
            confirmationData.setRecipient(responseLocation != null ? responseLocation : peerEndpoint.getLocation());
        }

        SubjectConfirmation confirmation = this.subjectConfirmationBuilder.buildObject();
        confirmation.setMethod(confirmationMethod);
        confirmation.setSubjectConfirmationData(confirmationData);
        return confirmation;
    }

    /* JADX WARN: Code restructure failed: missing block: B:47:0x0156, code lost:
    
        r11 = r0;
        r12 = (edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder) r0;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Builds the subject's {@link NameID} for the request.
     *
     * <p>Decompiler stub: the original body (559 instructions) was not recovered, so this
     * method only throws {@link UnsupportedOperationException} and is unusable as-is. The single
     * surviving fragment above casts to a SAML2NameIDEncoder, which suggests the real
     * implementation selects a NameID encoder from attribute encoders — unconfirmed from
     * this listing. The caller ({@link #buildSubject}) tolerates a null return and then
     * omits the NameID, so the recovered implementation presumably returns null when no
     * identifier can be produced.
     *
     * @param r8 current request context
     * @return the NameID, or null when none can be produced (per the caller's null check)
     * @throws ProfileException declared by the original signature
     */
    protected org.opensaml.saml2.core.NameID buildNameId(edu.internet2.middleware.shibboleth.idp.profile.saml2.BaseSAML2ProfileRequestContext<?, ?, ?> r8) throws edu.internet2.middleware.shibboleth.common.profile.ProfileException {
        /*
            Method dump skipped, instructions count: 559
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.buildNameId(edu.internet2.middleware.shibboleth.idp.profile.saml2.BaseSAML2ProfileRequestContext):org.opensaml.saml2.core.NameID");
    }

    /* JADX INFO: the decompiler reports it widened this method's access from protected to public. */
    /**
     * Builds a SAML 2.0 {@link Response} reporting the failure status already recorded on the
     * request context. The issue instant is "now", the common status-response fields are filled
     * in by {@link #populateStatusResponse}, and the status is taken verbatim from the context.
     *
     * @param requestContext current request context, expected to carry a failure status
     * @return the error response
     */
    public Response buildErrorResponse(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext) {
        Response errorResponse = this.responseBuilder.buildObject();
        DateTime now = new DateTime();
        errorResponse.setIssueInstant(now);
        populateStatusResponse(requestContext, errorResponse);
        Status failureStatus = requestContext.getFailureStatus();
        errorResponse.setStatus(failureStatus);
        return errorResponse;
    }

    /**
     * Creates an XML {@link Encrypter} for encrypting data to the given peer entity.
     *
     * <p>Data-encryption parameters are taken from the global security configuration with no
     * credential or algorithm override. The key-encryption credential is resolved from the
     * peer's metadata via {@link #getKeyEncryptionCredential}; the wrapped-key algorithm handed
     * to the key-encryption parameters is derived from the data-encryption algorithm URI. The
     * encrypted key is placed inline.
     *
     * @param peerEntityId entity ID of the relying party the data is encrypted for
     * @return a configured encrypter
     * @throws SecurityException if no key-encryption credential can be resolved for the peer,
     *             or if resolution itself fails
     */
    protected Encrypter getEncrypter(String peerEntityId) throws SecurityException {
        SecurityConfiguration securityConfig = Configuration.getGlobalSecurityConfiguration();
        EncryptionParameters dataEncParams = SecurityHelper.buildDataEncryptionParams((Credential) null, securityConfig, (String) null);

        Credential kekCredential = getKeyEncryptionCredential(peerEntityId);
        if (kekCredential == null) {
            // Without a peer encryption key there is nothing safe to encrypt to: fail rather than skip encryption.
            this.log.error("Could not resolve a key encryption credential for peer entity: {}", peerEntityId);
            throw new SecurityException("Could not resolve key encryption credential");
        }

        Encrypter encrypter = new Encrypter(
                dataEncParams,
                SecurityHelper.buildKeyEncryptionParams(
                        kekCredential,
                        SecurityHelper.getKeyAlgorithmFromURI(dataEncParams.getAlgorithm()),
                        securityConfig,
                        (String) null,
                        (String) null));
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
        return encrypter;
    }

    /**
     * Resolves, from SAML metadata, the credential used to encrypt the data-encryption key for a peer.
     *
     * <p>The lookup is constrained to the peer's entity ID, its SPSSODescriptor role under the
     * SAML 2.0 protocol, and keys with encryption usage. A fresh {@link MetadataCredentialResolver}
     * over {@link #getMetadataProvider()} is created on every call.
     *
     * @param peerEntityId entity ID of the relying party
     * @return the resolved credential, or null if the resolver finds none
     * @throws SecurityException if credential resolution fails
     */
    protected Credential getKeyEncryptionCredential(String peerEntityId) throws SecurityException {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(peerEntityId));
        criteria.add(new MetadataCriteria(SPSSODescriptor.DEFAULT_ELEMENT_NAME, "urn:oasis:names:tc:SAML:2.0:protocol"));
        criteria.add(new UsageCriteria(UsageType.ENCRYPTION));

        MetadataCredentialResolver resolver = new MetadataCredentialResolver(getMetadataProvider());
        return resolver.resolveSingle(criteria);
    }

    /* JADX INFO: the decompiler reports it widened this method's access from protected to public. */
    /**
     * Writes one SAML 2 audit record for the request to the audit log.
     *
     * <p>The record captures the outbound status response, this handler's profile ID, the
     * principal's name and authentication method, asserting and relying party IDs, the request
     * and response bindings and IDs, and — when present — the released attributes.
     *
     * @param requestContext current request context
     */
    @Override // edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler
    public void writeAuditLogEntry(BaseSAMLProfileRequestContext requestContext) {
        SAML2AuditLogEntry entry = new SAML2AuditLogEntry();

        // Message and parties.
        entry.setSAMLResponse((StatusResponseType) requestContext.getOutboundSAMLMessage());
        entry.setMessageProfile(getProfileId());
        entry.setAssertingPartyId(requestContext.getLocalEntityId());
        entry.setRelyingPartyId(requestContext.getInboundMessageIssuer());

        // Principal.
        entry.setPrincipalAuthenticationMethod(requestContext.getPrincipalAuthenticationMethod());
        entry.setPrincipalName(requestContext.getPrincipalName());

        // Request/response correlation.
        entry.setRequestBinding(requestContext.getMessageDecoder().getBindingURI());
        entry.setRequestId(requestContext.getInboundSAMLMessageId());
        entry.setResponseBinding(requestContext.getMessageEncoder().getBindingURI());
        entry.setResponseId(requestContext.getOutboundSAMLMessageId());

        if (requestContext.getReleasedAttributes() != null) {
            entry.getReleasedAttributes().addAll(requestContext.getReleasedAttributes());
        }

        // getAduitLog() is the project's own (misspelled) accessor name.
        getAduitLog().info(entry.toString());
    }
}
