package xsul.dsig.saml.authorization;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.XMLUtils;
import org.globus.gsi.CertUtil;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.opensaml.XML;
import org.w3c.dom.Element;
import xsul.MLogger;
import xsul.dsig.globus.security.authentication.wssec.WSConstants;

/* loaded from: input_file:xsul/dsig/saml/authorization/CapabilityVerifier.class */
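/**
 * Verifies a {@link Capability}: every SAML assertion it carries must be
 * signed by the configured owner and must lie inside its validity window.
 *
 * <p>Trust model as implemented in this class: the signer's identity is the
 * subject DN of the X.509 certificate embedded in the assertion signature's
 * {@code KeyInfo}, compared against {@code owner} with
 * {@link CapabilityUtil#compareSubjects}. No certificate-chain or trust-anchor
 * validation is performed here, so the check is only as strong as whatever
 * anchors the assertion signature upstream.
 *
 * <p>Every failure is reported as a {@link CapabilityException}; the verifier
 * fails closed on capabilities that carry no assertions, assertions without a
 * signature or signer certificate, and assertions without a validity period.
 */
public class CapabilityVerifier {
    private static final MLogger logger = MLogger.getLogger();

    /** Subject DN (string form) that the signer of every assertion must match. */
    private String owner;

    /** Creates a verifier with an empty owner DN; intended for subclasses. */
    protected CapabilityVerifier() {
        this.owner = "";
    }

    /**
     * Creates a verifier that requires every assertion to be signed by {@code str}.
     *
     * @param str subject DN of the expected signer
     */
    protected CapabilityVerifier(String str) {
        this.owner = str;
    }

    /**
     * Static factory for a verifier bound to the given owner DN.
     *
     * @param str subject DN of the expected signer
     * @return a new verifier
     */
    public static CapabilityVerifier newInstance(String str) {
        return new CapabilityVerifier(str);
    }

    /**
     * Verifies all assertions of {@code capability}.
     *
     * <p>For each assertion: the SAML signature is verified, the signer's
     * certificate subject must match the owner, and the current time must be
     * within [NotBefore, NotOnOrAfter).
     *
     * @param capability the capability to verify
     * @throws CapabilityException if the capability has no assertions, an
     *     assertion fails signature verification, is not signed by the owner,
     *     lacks a signature or signer certificate, or has no validity period
     * @throws CapabilityExpirationException if the current time is outside an
     *     assertion's validity window
     */
    public void verify(Capability capability) throws CapabilityException {
        SAMLAssertion[] assertions = capability.getAllAssertions();
        // Fail closed: a capability with nothing to check must not come back as "verified".
        if (assertions == null || assertions.length == 0) {
            throw new CapabilityException("the capability contains no assertions");
        }
        for (int index = 0; index < assertions.length; index++) {
            verifyAssertion(index, assertions[index]);
        }
    }

    /** Verifies one assertion: SAML signature, signer identity, validity window. */
    private void verifyAssertion(int index, SAMLAssertion assertion) throws CapabilityException {
        logger.finest("assertion: " + index + " " + assertion);
        Element element;
        try {
            assertion.verify();
            element = (Element) assertion.toDOM();
        } catch (SAMLException e) {
            // Message-only wrapping kept: the constructors of CapabilityException are not visible here.
            throw new CapabilityException(e.getMessage());
        }
        if (element == null) {
            throw new CapabilityException("could not find corresponding assertion");
        }
        checkSigner(element);
        checkValidityWindow(assertion);
    }

    /** Requires the certificate in the assertion signature's KeyInfo to name the owner as subject. */
    private void checkSigner(Element element) throws CapabilityException {
        Principal subjectDN;
        try {
            printElement(element);
            subjectDN = getSubjectDN(element);
        } catch (XMLSecurityException e) {
            throw new CapabilityException(e.getMessage());
        } catch (IOException e) {
            throw new CapabilityException(e.getMessage());
        } catch (GeneralSecurityException e) {
            throw new CapabilityException(e.getMessage());
        }
        String subjectName = subjectDN.getName();
        logger.info("subject DN=\n" + subjectName);
        if (!CapabilityUtil.compareSubjects(this.owner, subjectName)) {
            logger.info("owner: " + this.owner);
            throw new CapabilityException("the capability is not signed by the owner");
        }
    }

    /**
     * Requires "now" to lie in [NotBefore, NotOnOrAfter). The upper bound is
     * exclusive, as the SAML attribute name states; an assertion without a
     * validity period is rejected rather than dereferenced.
     */
    private void checkValidityWindow(SAMLAssertion assertion) throws CapabilityException {
        Date now = new Date();
        Date notBefore = assertion.getNotBefore();
        Date notOnOrAfter = assertion.getNotOnOrAfter();
        if (notBefore == null || notOnOrAfter == null) {
            throw new CapabilityException("the capability carries no validity period");
        }
        if (now.before(notBefore)) {
            throw new CapabilityExpirationException("the capability is not effective yet until: " + notBefore);
        }
        if (!now.before(notOnOrAfter)) {
            throw new CapabilityExpirationException("the capability has expired since: " + notOnOrAfter);
        }
    }

    /** Logs the serialized assertion element at the finest level (diagnostics only). */
    private void printElement(Element element) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            XMLUtils.outputDOM(element, out);
            logger.finest("the signatureElemen==\n" + out.toString());
        } finally {
            out.close();
        }
    }

    /**
     * Extracts the subject of the first certificate found in the X509Data of the
     * assertion signature's KeyInfo.
     *
     * <p>NOTE(review): the certificate is taken from the signer-supplied KeyInfo
     * and is not chain-validated here; the returned DN is therefore whatever the
     * signer embedded. Confirm that trust-anchor validation happens elsewhere.
     *
     * @param element the assertion element containing a ds:Signature child
     * @return subject DN of the first embedded certificate
     * @throws CapabilityException if the element has no Signature, the KeyInfo has
     *     no X509Data, more than one X509Data, or no certificate
     * @throws XMLSecurityException if the signature or KeyInfo cannot be parsed
     * @throws IOException if a certificate cannot be read
     * @throws GeneralSecurityException if a certificate cannot be decoded
     */
    private Principal getSubjectDN(Element element) throws CapabilityException, XMLSecurityException, IOException, GeneralSecurityException {
        Element signatureElement = XML.getFirstChildElement(element, WSConstants.SIG_NS, "Signature");
        if (signatureElement == null) {
            throw new CapabilityException("the assertion carries no Signature element");
        }
        KeyInfo keyInfo = new XMLSignature(signatureElement, (String) null).getKeyInfo();
        if (keyInfo == null || !keyInfo.containsX509Data()) {
            // The original fell through to a null dereference here; reject explicitly instead.
            logger.info("try to get x509 data from security token");
            throw new CapabilityException("the signature KeyInfo carries no X509Data; signer unknown");
        }
        logger.info("keyinfo contains x509 data");
        int x509DataCount = keyInfo.lengthX509Data();
        if (x509DataCount != 1) {
            throw new CapabilityException("invalidX509Data: length=" + x509DataCount);
        }
        X509Data x509Data = keyInfo.itemX509Data(0);
        int certificateCount = x509Data.lengthCertificate();
        if (certificateCount <= 0) {
            throw new CapabilityException("invalidCertData: length=" + certificateCount);
        }
        // Every embedded certificate is decoded so a malformed entry is rejected,
        // but only the first one identifies the signer.
        X509Certificate[] certificates = new X509Certificate[certificateCount];
        for (int i = 0; i < certificateCount; i++) {
            byte[] der = x509Data.itemCertificate(i).getCertificateBytes();
            certificates[i] = CertUtil.loadCertificate(new ByteArrayInputStream(der));
        }
        return certificates[0].getSubjectDN();
    }
}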
