package coldfusion.saml.util;

import coldfusion.filter.FusionContext;
import com.onelogin.saml2.http.HttpRequest;
import com.onelogin.saml2.logout.LogoutResponse;
import com.onelogin.saml2.servlet.ServletUtils;
import com.onelogin.saml2.settings.Saml2Settings;
import java.io.StringReader;
import java.security.Key;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/* loaded from: input_file:coldfusion/saml/util/SignatureVerifier.class */
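/**
 * Verifies the enveloped XML signature of a SAML {@code LogoutResponse} taken from the
 * current request, using the Identity Provider certificate configured in
 * {@link Saml2Settings}.
 */
public class SignatureVerifier {
    // Shared factory for parsing the decoded LogoutResponse XML.
    // NOTE(review): how Utils.createDocumentFactory() configures the parser (namespace
    // awareness, DOCTYPE / external-entity handling) is not visible in this file. Confirm it
    // is hardened, because the document parsed below is built from request data.
    private static final DocumentBuilderFactory dbf = Utils.createDocumentFactory();

    /**
     * Key selector that ignores the {@code KeyInfo} carried in the message and always returns
     * the key supplied at construction time, so the message cannot choose its own
     * verification key.
     */
    public class X509KeySelector extends KeySelector {
        Key key;

        /**
         * @param key the public key that signatures are checked against; may be {@code null}
         */
        public X509KeySelector(Key key) {
            this.key = key;
        }

        /**
         * Returns a result wrapping the configured key, or {@code null} when no key was
         * configured. None of the arguments are consulted.
         */
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod algorithmMethod, XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
            if (this.key == null) {
                return null;
            }
            return new KeySelectorResult() {
                @Override
                public Key getKey() {
                    return X509KeySelector.this.key;
                }
            };
        }
    }

    /**
     * Validates the XML signature placed directly under the LogoutResponse element of the
     * {@code SAMLResponse} carried by the current request.
     *
     * @param saml2Settings toolkit settings holding the Identity Provider certificate(s)
     * @return {@code false} when the request has no {@code SAMLResponse} parameter; otherwise
     *         the result of the core signature validation
     * @throws Exception when the document contains no {@code Signature} element, when no
     *         signature is a direct child of the top-level LogoutResponse, or when no Identity
     *         Provider certificate is configured
     * @throws Throwable anything raised by request handling, XML parsing or signature
     *         unmarshalling
     */
    public boolean validateLogoutSignature(Saml2Settings saml2Settings) throws Throwable {
        HttpRequest httpRequest = ServletUtils.makeHttpRequest(FusionContext.getCurrent().getRequest());
        if (httpRequest.getParameter("SAMLResponse") == null) {
            return false;
        }
        String logoutResponseXml = new LogoutResponse(saml2Settings, httpRequest).getLogoutResponseXml();
        NodeList signatureNodes = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(logoutResponseXml)))
                .getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
        if (signatureNodes.getLength() == 0) {
            throw new Exception("Cannot find Signature element");
        }

        // Pick the first Signature that sits directly under the top-level LogoutResponse.
        Node signatureNode = null;
        for (int i = 0; i < signatureNodes.getLength(); i++) {
            Node candidate = signatureNodes.item(i);
            if (isLogoutResponseChildNode(candidate)) {
                signatureNode = candidate;
                break;
            }
        }
        if (signatureNode == null) {
            throw new Exception("LogoutResponse node of the response is not signed.");
        }

        // The certificate that passes the null check must be the one whose key is used.
        // Previously the check could be satisfied by the first entry of the multi-certificate
        // list while the key was always read from getIdpx509cert(), which failed with a
        // NullPointerException when only the list was configured. The single certificate is
        // still preferred, so configurations that worked before verify against the same key.
        X509Certificate idpCertificate = saml2Settings.getIdpx509cert();
        if (idpCertificate == null
                && saml2Settings.getIdpx509certMulti() != null
                && !saml2Settings.getIdpx509certMulti().isEmpty()) {
            idpCertificate = (X509Certificate) saml2Settings.getIdpx509certMulti().get(0);
        }
        if (idpCertificate == null) {
            throw new Exception("Identity Provider sign certificate is not found");
        }

        DOMValidateContext validateContext = new DOMValidateContext(new X509KeySelector(idpCertificate.getPublicKey()), signatureNode);
        // Register only the LogoutResponse element's "ID" attribute as an XML ID so that a
        // same-document reference in the signature can resolve to that element.
        validateContext.setIdAttributeNS((Element) signatureNode.getParentNode(), (String) null, "ID");
        return signatureFactory.unmarshalXMLSignature(validateContext).validate(validateContext);
    }

    /**
     * Tells whether {@code node} is a direct child of the document's top-level LogoutResponse
     * element.
     *
     * <p>The parent must be the document element, not merely an element with the expected
     * name. Otherwise a validly signed LogoutResponse embedded deeper in the document would
     * be accepted while the unsigned top-level element is what a consumer of the message
     * would normally read.
     *
     * <p>NOTE(review): the name comparison uses the prefixed node name
     * ({@code samlp:} / {@code saml2p:}) rather than namespace URI plus local name; confirm
     * this is intended.
     */
    private boolean isLogoutResponseChildNode(Node node) {
        if (node == null) {
            return false;
        }
        Node parent = node.getParentNode();
        if (parent == null) {
            return false;
        }
        if (parent.getOwnerDocument() == null
                || parent != parent.getOwnerDocument().getDocumentElement()) {
            return false;
        }
        String parentName = parent.getNodeName();
        return parentName.equals("samlp:LogoutResponse") || parentName.equals("saml2p:LogoutResponse");
    }
}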
