package pl.edu.icm.unity.saml.metadata.cfg;

import eu.unicore.security.dsig.DSigException;
import eu.unicore.security.dsig.DigSignatureUtil;
import eu.unicore.security.dsig.IdAttribute;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.Objects;
import org.w3c.dom.Document;
import pl.edu.icm.unity.saml.sp.SAMLSPProperties;
import xmlbeans.org.oasis.saml2.metadata.EntitiesDescriptorDocument;
import xmlbeans.org.oasis.saml2.metadata.EntitiesDescriptorType;
import xmlbeans.org.oasis.saml2.metadata.EntityDescriptorDocument;
import xmlbeans.org.oasis.saml2.metadata.EntityDescriptorType;

/* loaded from: input_file:pl/edu/icm/unity/saml/metadata/cfg/MetadataVerificator.class */
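/**
 * Validates downloaded SAML metadata before it is trusted: expiry ({@code validUntil}) of the
 * EntitiesDescriptor tree and, when configured, the enveloped XML signature over it.
 *
 * <p>Two fixes over the previous version:
 * <ul>
 *   <li>The expiry check compared the XMLBeans {@code validUntil} value (a {@link Calendar}, as
 *       XMLBeans maps {@code xs:dateTime}) to a {@link Date} via {@code Calendar.after(Object)},
 *       which returns {@code false} for any non-{@code Calendar} argument — so stale metadata was
 *       never rejected. It now compares instants, and rejects when {@code validUntil} is in the
 *       past (the message says "expired", and that is what was intended).</li>
 *   <li>Once a signature on an EntitiesDescriptor verified, validation used to stop there, so a
 *       nested element's own (narrower) {@code validUntil} was ignored. Descendants are now still
 *       walked for expiry; they are simply no longer required to carry their own signature,
 *       because the verified enveloping signature already covers them.</li>
 * </ul>
 *
 * <p>Security note: signature verification uses only the public key of the supplied certificate.
 * The certificate's own validity period and chain are not examined here.
 */
public class MetadataVerificator {
    /** Attribute used to resolve {@code ds:Reference} URIs ("#id") inside signed metadata. */
    public static final IdAttribute ID_QNAME = new IdAttribute((String) null, "ID");

    /** Raised when metadata (or a part of it) is expired or its signature cannot be verified. */
    public static class MetadataValidationException extends Exception {
        public MetadataValidationException(String str) {
            super(str);
        }

        public MetadataValidationException(String str, Exception exc) {
            super(str, exc);
        }
    }

    /**
     * Validates a whole EntitiesDescriptor tree.
     *
     * <p>Every EntitiesDescriptor and EntityDescriptor in the tree that carries
     * {@code validUntil} must not be expired at {@code date}. When
     * {@code metadataSignatureValidation} is {@code require}, the tree must be covered by an
     * enveloped signature verifiable with {@code x509Certificate}'s public key: either on an
     * enclosing EntitiesDescriptor or, where no enclosing signature exists, on each
     * EntityDescriptor individually.
     *
     * @param entitiesDescriptorDocument the metadata to check
     * @param date the reference instant ("now") for the expiry check; must not be null
     * @param metadataSignatureValidation whether a signature is required
     * @param x509Certificate certificate whose public key verifies the signature; may be null
     *        only when no signature is required
     * @throws MetadataValidationException if any part is expired, a required signature is
     *         missing or invalid, or no certificate is available to verify a required signature
     */
    public void validate(EntitiesDescriptorDocument entitiesDescriptorDocument, Date date,
            SAMLSPProperties.MetadataSignatureValidation metadataSignatureValidation,
            X509Certificate x509Certificate) throws MetadataValidationException {
        validateTree(entitiesDescriptorDocument, date, metadataSignatureValidation, x509Certificate, false);
    }

    /**
     * Recursive worker for {@link #validate}.
     *
     * @param coveredBySignature true when an enclosing EntitiesDescriptor's signature has already
     *        been verified, so elements below need no signature of their own (expiry still applies)
     */
    private void validateTree(EntitiesDescriptorDocument document, Date now,
            SAMLSPProperties.MetadataSignatureValidation mode, X509Certificate certificate,
            boolean coveredBySignature) throws MetadataValidationException {
        EntitiesDescriptorType descriptor = document.getEntitiesDescriptor();
        if (descriptor.isSetValidUntil()) {
            checkNotExpired(descriptor.getValidUntil(), now);
        }
        boolean signatureRequired = mode == SAMLSPProperties.MetadataSignatureValidation.require;
        if (signatureRequired && !coveredBySignature && descriptor.isSetSignature()) {
            validateSignature(certificate, descriptor.getName(), (Document) document.getDomNode());
            // The verified enveloped signature covers every descendant; keep walking them for
            // expiry only, rather than returning here and skipping their validUntil.
            coveredBySignature = true;
        }
        EntitiesDescriptorType[] nested = descriptor.getEntitiesDescriptorArray();
        if (nested != null) {
            for (EntitiesDescriptorType child : nested) {
                EntitiesDescriptorDocument childDocument = EntitiesDescriptorDocument.Factory.newInstance();
                childDocument.setEntitiesDescriptor(child);
                validateTree(childDocument, now, mode, certificate, coveredBySignature);
            }
        }
        EntityDescriptorType[] entities = descriptor.getEntityDescriptorArray();
        if (entities != null) {
            for (EntityDescriptorType entity : entities) {
                if (coveredBySignature) {
                    // Already authenticated by the ancestor's signature; only expiry remains.
                    if (entity.isSetValidUntil()) {
                        checkNotExpired(entity.getValidUntil(), now);
                    }
                } else {
                    validateSingle(entity, now, mode, certificate);
                }
            }
        }
    }

    /**
     * Validates one EntityDescriptor on its own: expiry and, in {@code require} mode, its own
     * enveloped signature (the element is wrapped in a fresh document so the signature's
     * reference resolves against that element as the root).
     *
     * @throws MetadataValidationException if expired, or a required signature is missing/invalid
     */
    protected void validateSingle(EntityDescriptorType entityDescriptorType, Date date,
            SAMLSPProperties.MetadataSignatureValidation metadataSignatureValidation,
            X509Certificate x509Certificate) throws MetadataValidationException {
        if (entityDescriptorType.isSetValidUntil()) {
            checkNotExpired(entityDescriptorType.getValidUntil(), date);
        }
        if (metadataSignatureValidation == SAMLSPProperties.MetadataSignatureValidation.require) {
            EntityDescriptorDocument wrapper = EntityDescriptorDocument.Factory.newInstance();
            wrapper.setEntityDescriptor(entityDescriptorType);
            validateSignature(x509Certificate, entityDescriptorType.getEntityID(), (Document) wrapper.getDomNode());
        }
    }

    /**
     * Rejects metadata whose {@code validUntil} lies before {@code now}.
     *
     * <p>{@code validUntil} is an {@code xs:dateTime}, which XMLBeans exposes as a
     * {@link Calendar}; the instant is compared explicitly because
     * {@code Calendar.after(Date)} silently returns {@code false}.
     *
     * @throws MetadataValidationException if the metadata part has expired
     */
    private static void checkNotExpired(Calendar validUntil, Date now) throws MetadataValidationException {
        Objects.requireNonNull(now, "date");
        if (validUntil.getTime().before(now)) {
            throw new MetadataValidationException("Metadata or its part expired on " + validUntil.getTime());
        }
    }

    /**
     * Verifies the enveloped XML signature whose reference must cover {@code document}'s root
     * element, using {@code x509Certificate}'s public key only.
     *
     * @param x509Certificate certificate supplying the verification key; null is reported as a
     *        validation failure rather than a NullPointerException
     * @param str name used in the error message (entities name or entityID)
     * @param document the signed DOM document
     * @throws MetadataValidationException if the key is unavailable, verification fails, or the
     *         signature cannot be processed
     */
    protected void validateSignature(X509Certificate x509Certificate, String str, Document document)
            throws MetadataValidationException {
        if (x509Certificate == null) {
            throw new MetadataValidationException("Verification of metadata's signature failed for " + str
                    + ": no issuer certificate configured");
        }
        try {
            boolean verified = new DigSignatureUtil().verifyEnvelopedSignature(document,
                    Collections.singletonList(document.getDocumentElement()), ID_QNAME,
                    x509Certificate.getPublicKey());
            if (!verified) {
                throw new MetadataValidationException("Verification of metadata's signature failed for " + str);
            }
        } catch (DSigException e) {
            throw new MetadataValidationException("Verification of metadata's signature failed for " + str, e);
        }
    }
}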
