package com.bea.security.saml2.service.sso;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.security.saml2.Saml2Logger;
import com.bea.security.saml2.binding.BindingReceiver;
import com.bea.security.saml2.config.SAML2ConfigSpi;
import com.bea.security.saml2.providers.registry.WebSSOSPPartner;
import com.bea.security.saml2.service.SAML2DetailedException;
import com.bea.security.saml2.util.SAML2Utils;
import java.security.KeyException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.Subject;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:com/bea/security/saml2/service/sso/AuthnRequestValidator.class */
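/**
 * Validates an inbound {@code <samlp:AuthnRequest>} received from a Web SSO SP partner:
 * signature verification (when required or present) plus the structural checks on
 * version, destination, issuer, subject, NameIDPolicy and RequestedAuthnContext.
 *
 * <p>Every rejection is reported as a {@link SAML2DetailedException} carrying an HTTP
 * status and, where the original code set one, a SAML status code for the response.
 * Rejections are raised as requester errors rather than being left to surface as
 * unchecked exceptions from a malformed message.
 */
class AuthnRequestValidator {
    private static final String AUTHN_REQUEST = "<samlp:AuthnRequest>";
    private static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";
    private static final String STATUS_VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch";
    private static final String STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy";
    private static final String NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity";
    private static final String NAMEID_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    /** Local SAML2 configuration; supplies the local-site settings and the logger. */
    private final SAML2ConfigSpi config;
    private final LoggerSpi logger;

    /**
     * Creates a validator bound to the given configuration.
     *
     * @param sAML2ConfigSpi local SAML2 configuration; its logger is used for diagnostics
     */
    public AuthnRequestValidator(SAML2ConfigSpi sAML2ConfigSpi) {
        this.config = sAML2ConfigSpi;
        this.logger = sAML2ConfigSpi.getLogger();
    }

    /**
     * Verifies the signature on the request when the SP partner or the local configuration
     * requires signed requests, or when the message carries an XML signature anyway.
     *
     * <p>The binding-level check ({@link BindingReceiver#verifySignature(PublicKey)}) runs
     * first; only if it does not verify is the embedded {@code <ds:Signature>} checked.
     * A required signature that is present in neither place is rejected here explicitly
     * rather than being handed to the XML verifier as {@code null}.
     *
     * @param webSSOSPPartner the partner whose verification key/certificate is used
     * @param bindingReceiver the binding that delivered the message
     * @param authnRequest the parsed request; must not be {@code null}
     * @throws IllegalArgumentException if {@code authnRequest} is {@code null}
     * @throws SAML2DetailedException (HTTP 403) if no verification key or certificate is
     *     available for the partner, or if the signature is missing or does not verify
     */
    public void verifySignature(WebSSOSPPartner webSSOSPPartner, BindingReceiver bindingReceiver, AuthnRequest authnRequest) throws SAML2DetailedException {
        if (authnRequest == null) {
            throw new IllegalArgumentException("authnReq is null");
        }
        Signature signature = authnRequest.getSignature();
        boolean signatureRequired = webSSOSPPartner.isWantAuthnRequestsSigned()
                || this.config.getLocalConfiguration().isWantAuthnRequestsSigned();
        if (!signatureRequired && signature == null) {
            // Neither required nor present: nothing to verify.
            return;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Verifying the signature of <samlp:AuthnRequest> message.");
        }
        try {
            PublicKey verifyKey = SAML2Utils.getVerifyKey(webSSOSPPartner);
            if (bindingReceiver.verifySignature(verifyKey)) {
                return;
            }
            if (signature == null) {
                // The binding did not verify and there is no XML signature to fall back to:
                // fail closed instead of passing null to the XML verifier.
                throw new SAML2DetailedException(Saml2Logger.getSAML2VerifySignatureFail(), 403)
                        .setStatusCode(STATUS_REQUESTER);
            }
            SAML2Utils.verifySamlObjectSignature(verifyKey, signature);
        } catch (KeyException e) {
            this.logger.error(e.getMessage(), e);
            throw new SAML2DetailedException(Saml2Logger.getSAML2NoVerifyKeyFor(AUTHN_REQUEST), 403);
        } catch (CertificateException e) {
            this.logger.error(e.getMessage(), e);
            throw new SAML2DetailedException(Saml2Logger.getNoVerifyingCert(AUTHN_REQUEST, webSSOSPPartner.getName()), 403);
        } catch (ValidationException e) {
            this.logger.error(e.getMessage(), e);
            throw new SAML2DetailedException(Saml2Logger.getSAML2VerifySignatureFail(), 403)
                    .setStatusCode(STATUS_REQUESTER);
        }
    }

    /**
     * Performs the structural checks on a received request. Checks run in order: SAML
     * version, Destination (only when the recipient check is enabled locally), Issuer,
     * Subject, NameIDPolicy and RequestedAuthnContext; the first failure is reported.
     *
     * @param webSSOSPPartner the SP partner the request came from; not consulted by any
     *     of the checks, kept for the caller-facing signature
     * @param authnRequest the parsed request; must not be {@code null}
     * @param str suffix appended to the local site (derived from the published site URL)
     *     to form the expected Destination; presumably the receiving service URI — confirm
     *     against the caller
     * @throws IllegalArgumentException if {@code authnRequest} is {@code null}
     * @throws SAML2DetailedException (HTTP 404) with SAML status VersionMismatch for a
     *     non-2.0 version, Requester for every other rejection
     */
    public void validate(WebSSOSPPartner webSSOSPPartner, AuthnRequest authnRequest, String str) throws SAML2DetailedException {
        if (authnRequest == null) {
            throw new IllegalArgumentException("authnReq is null");
        }
        checkVersion(authnRequest);
        checkDestination(authnRequest, str);
        checkIssuer(authnRequest.getIssuer());
        checkSubject(authnRequest.getSubject());
        checkNameIdPolicy(authnRequest.getNameIDPolicy());
        if (authnRequest.getRequestedAuthnContext() != null) {
            // NOTE(review): the second-level status reuses InvalidNameIDPolicy, matching the
            // shipped behaviour; the spec defines a NoAuthnContext status that may fit better —
            // left unchanged to avoid altering the response partners observe.
            throw new SAML2DetailedException(Saml2Logger.getRequestedAuthnContextNotSupported(), 404)
                    .setStatusCode(STATUS_REQUESTER, STATUS_INVALID_NAMEID_POLICY);
        }
    }

    /** Rejects any version other than SAML 2.0; a missing version is treated as a mismatch. */
    private static void checkVersion(AuthnRequest authnRequest) throws SAML2DetailedException {
        SAMLVersion version = authnRequest.getVersion();
        String versionText = version == null ? null : version.toString();
        if (!SAMLVersion.VERSION_20.toString().equals(versionText)) {
            throw new SAML2DetailedException(
                    Saml2Logger.getInvalidVersion(AUTHN_REQUEST, versionText == null ? "null" : versionText), 404)
                    .setStatusCode(STATUS_VERSION_MISMATCH);
        }
    }

    /** When the local recipient check is enabled, requires Destination to equal local site + str. */
    private void checkDestination(AuthnRequest authnRequest, String str) throws SAML2DetailedException {
        if (!this.config.getLocalConfiguration().isRecipientCheckEnabled()) {
            return;
        }
        String expected = SAML2Utils.getLocalSiteFromPublishedURL(
                this.config.getLocalConfiguration().getPublishedSiteURL()) + str;
        String actual = authnRequest.getDestination();
        // expected is never null, so a null Destination is also a mismatch.
        if (!expected.equals(actual)) {
            throw new SAML2DetailedException(Saml2Logger.getAuthnRequestDestinationNotMatch(expected, actual), 404)
                    .setStatusCode(STATUS_REQUESTER);
        }
    }

    /** Requires an Issuer in entity format (or unspecified) with no qualifiers or SP-provided ID. */
    private static void checkIssuer(Issuer issuer) throws SAML2DetailedException {
        if (issuer == null) {
            // Reported as a requester error instead of surfacing as a NullPointerException.
            throw new SAML2DetailedException("Missing <saml:Issuer> in <samlp:AuthnRequest>", 404)
                    .setStatusCode(STATUS_REQUESTER);
        }
        String format = issuer.getFormat();
        if (format != null && !format.equals(NAMEID_FORMAT_ENTITY)) {
            throw new SAML2DetailedException(Saml2Logger.getInvalidIssuerFormat(format), 404)
                    .setStatusCode(STATUS_REQUESTER);
        }
        boolean hasQualifier = issuer.getNameQualifier() != null
                || issuer.getSPNameQualifier() != null
                || issuer.getSPProvidedID() != null;
        if (hasQualifier) {
            throw new SAML2DetailedException(Saml2Logger.getInvalidQualifiersInIssuer(), 404)
                    .setStatusCode(STATUS_REQUESTER);
        }
    }

    /** Rejects a Subject that carries SubjectConfirmation elements. */
    private static void checkSubject(Subject subject) throws SAML2DetailedException {
        // NOTE(review): if the list getter returns an empty list rather than null (as
        // OpenSAML child lists typically do), this rejects every <saml:Subject>; confirm
        // that is intended before switching to an isEmpty() check.
        if (subject != null && subject.getSubjectConfirmations() != null) {
            throw new SAML2DetailedException(Saml2Logger.getSubjectConfirmationMustNotExist(), 404)
                    .setStatusCode(STATUS_REQUESTER);
        }
    }

    /** Allows only the unspecified NameID format and no SPNameQualifier in NameIDPolicy. */
    private static void checkNameIdPolicy(NameIDPolicy nameIDPolicy) throws SAML2DetailedException {
        if (nameIDPolicy == null) {
            return;
        }
        String format = nameIDPolicy.getFormat();
        if (format != null && !NAMEID_FORMAT_UNSPECIFIED.equals(format)) {
            throw new SAML2DetailedException(Saml2Logger.getOnlySupportUnspecifiedNamedId(), 404)
                    .setStatusCode(STATUS_REQUESTER, STATUS_INVALID_NAMEID_POLICY);
        }
        if (nameIDPolicy.getSPNameQualifier() != null) {
            throw new SAML2DetailedException(Saml2Logger.getSPNameQualifierNotSupported(), 404)
                    .setStatusCode(STATUS_REQUESTER, STATUS_INVALID_NAMEID_POLICY);
        }
    }
}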
