package io.fusionauth.samlv2.service;

import com.sun.org.apache.xerces.internal.jaxp.datatype.XMLGregorianCalendarImpl;
import io.fusionauth.samlv2.domain.Algorithm;
import io.fusionauth.samlv2.domain.AuthenticationRequest;
import io.fusionauth.samlv2.domain.AuthenticationResponse;
import io.fusionauth.samlv2.domain.Binding;
import io.fusionauth.samlv2.domain.Conditions;
import io.fusionauth.samlv2.domain.ConfirmationMethod;
import io.fusionauth.samlv2.domain.LogoutRequest;
import io.fusionauth.samlv2.domain.LogoutResponse;
import io.fusionauth.samlv2.domain.MetaData;
import io.fusionauth.samlv2.domain.NameIDFormat;
import io.fusionauth.samlv2.domain.ResponseStatus;
import io.fusionauth.samlv2.domain.SAMLException;
import io.fusionauth.samlv2.domain.SAMLRequest;
import io.fusionauth.samlv2.domain.SignatureLocation;
import io.fusionauth.samlv2.domain.SignatureNotFoundException;
import io.fusionauth.samlv2.domain.Subject;
import io.fusionauth.samlv2.domain.SubjectConfirmation;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AssertionType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AttributeStatementType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AttributeType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AudienceRestrictionType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AuthnContextType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.AuthnStatementType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.ConditionAbstractType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.ConditionsType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.EncryptedElementType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.NameIDType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.StatementAbstractType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.SubjectConfirmationDataType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.SubjectConfirmationType;
import io.fusionauth.samlv2.domain.jaxb.oasis.assertion.SubjectType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.EndpointType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.EntityDescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.IDPSSODescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.IndexedEndpointType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.KeyDescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.KeyTypes;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.RoleDescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.SPSSODescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.metadata.SSODescriptorType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.AuthnRequestType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.LogoutRequestType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.NameIDPolicyType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.ObjectFactory;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.ResponseType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.StatusCodeType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.StatusResponseType;
import io.fusionauth.samlv2.domain.jaxb.oasis.protocol.StatusType;
import io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.KeyInfoType;
import io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.X509DataType;
import io.fusionauth.samlv2.service.SAMLv2Service;
import io.fusionauth.samlv2.util.SAMLTools;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.xml.bind.JAXBElement;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.transform.TransformerException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:io/fusionauth/samlv2/service/DefaultSAMLv2Service.class */
public class DefaultSAMLv2Service implements SAMLv2Service {
    static final ObjectFactory PROTOCOL_OBJECT_FACTORY = new ObjectFactory();
    private static final io.fusionauth.samlv2.domain.jaxb.oasis.assertion.ObjectFactory ASSERTION_OBJECT_FACTORY = new io.fusionauth.samlv2.domain.jaxb.oasis.assertion.ObjectFactory();
    private static final io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.ObjectFactory DSIG_OBJECT_FACTORY = new io.fusionauth.samlv2.domain.jaxb.w3c.xmldsig.ObjectFactory();
    private static final io.fusionauth.samlv2.domain.jaxb.oasis.metadata.ObjectFactory METADATA_OBJECT_FACTORY = new io.fusionauth.samlv2.domain.jaxb.oasis.metadata.ObjectFactory();
    private static final Logger logger = LoggerFactory.getLogger(DefaultSAMLv2Service.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/fusionauth/samlv2/service/DefaultSAMLv2Service$AuthnRequestParseResult.class */
    public static class AuthnRequestParseResult {
        public AuthnRequestType authnRequest;
        public Document document;
        public AuthenticationRequest request;

        private AuthnRequestParseResult() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/fusionauth/samlv2/service/DefaultSAMLv2Service$LogoutRequestParseResult.class */
    public static class LogoutRequestParseResult {
        public Document document;
        public LogoutRequestType logoutRequest;
        public LogoutRequest request;

        private LogoutRequestParseResult() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/fusionauth/samlv2/service/DefaultSAMLv2Service$LogoutResponseParseResult.class */
    public static class LogoutResponseParseResult {
        public Document document;
        public StatusResponseType logoutResponse;
        public LogoutResponse response;

        private LogoutResponseParseResult() {
        }
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildAuthnResponse(AuthenticationResponse authenticationResponse, boolean z, PrivateKey privateKey, X509Certificate x509Certificate, Algorithm algorithm, String str, SignatureLocation signatureLocation) throws SAMLException {
        Element documentElement;
        ResponseType responseType = new ResponseType();
        StatusType statusType = new StatusType();
        statusType.setStatusCode(new StatusCodeType());
        statusType.getStatusCode().setValue(authenticationResponse.status.code.toSAMLFormat());
        statusType.setStatusMessage(authenticationResponse.status.message);
        responseType.setStatus(statusType);
        responseType.setID(authenticationResponse.id);
        responseType.setIssuer(new NameIDType());
        responseType.getIssuer().setValue(authenticationResponse.issuer);
        responseType.setVersion(authenticationResponse.version);
        responseType.setInResponseTo(authenticationResponse.inResponseTo);
        responseType.setIssueInstant(SAMLTools.toXMLGregorianCalendar(authenticationResponse.issueInstant));
        responseType.setDestination(authenticationResponse.destination);
        AssertionType assertionType = new AssertionType();
        if (authenticationResponse.assertion != null && authenticationResponse.status.code == ResponseStatus.Success) {
            ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
            assertionType.setID("_" + UUID.randomUUID().toString());
            assertionType.setIssuer(responseType.getIssuer());
            assertionType.setIssueInstant(SAMLTools.toXMLGregorianCalendar(now));
            assertionType.setVersion(authenticationResponse.version);
            if (authenticationResponse.assertion.subject != null) {
                SubjectType subjectType = new SubjectType();
                if (authenticationResponse.assertion.subject.nameID != null) {
                    NameIDType nameIDType = new NameIDType();
                    nameIDType.setValue(authenticationResponse.assertion.subject.nameID.id);
                    nameIDType.setFormat(authenticationResponse.assertion.subject.nameID.format.toSAMLFormat());
                    subjectType.getContent().add(ASSERTION_OBJECT_FACTORY.createNameID(nameIDType));
                }
                if (authenticationResponse.assertion.subject.subjectConfirmation != null) {
                    SubjectConfirmationDataType subjectConfirmationDataType = new SubjectConfirmationDataType();
                    subjectConfirmationDataType.setInResponseTo(authenticationResponse.assertion.subject.subjectConfirmation.inResponseTo);
                    subjectConfirmationDataType.setNotBefore(SAMLTools.toXMLGregorianCalendar(authenticationResponse.assertion.subject.subjectConfirmation.notBefore));
                    subjectConfirmationDataType.setNotOnOrAfter(SAMLTools.toXMLGregorianCalendar(authenticationResponse.assertion.subject.subjectConfirmation.notOnOrAfter));
                    subjectConfirmationDataType.setRecipient(authenticationResponse.assertion.subject.subjectConfirmation.recipient);
                    SubjectConfirmationType subjectConfirmationType = new SubjectConfirmationType();
                    subjectConfirmationType.setSubjectConfirmationData(subjectConfirmationDataType);
                    if (authenticationResponse.assertion.subject.subjectConfirmation.method != null) {
                        subjectConfirmationType.setMethod(authenticationResponse.assertion.subject.subjectConfirmation.method.toSAMLFormat());
                    }
                    subjectType.getContent().add(ASSERTION_OBJECT_FACTORY.createSubjectConfirmation(subjectConfirmationType));
                }
                assertionType.setSubject(subjectType);
            }
            if (authenticationResponse.assertion.conditions != null) {
                ConditionsType conditionsType = new ConditionsType();
                conditionsType.setNotBefore(SAMLTools.toXMLGregorianCalendar(authenticationResponse.assertion.conditions.notBefore));
                conditionsType.setNotOnOrAfter(SAMLTools.toXMLGregorianCalendar(authenticationResponse.assertion.conditions.notOnOrAfter));
                assertionType.setConditions(conditionsType);
                if (authenticationResponse.assertion.conditions.audiences.size() > 0) {
                    AudienceRestrictionType audienceRestrictionType = new AudienceRestrictionType();
                    audienceRestrictionType.getAudience().addAll(authenticationResponse.assertion.conditions.audiences);
                    conditionsType.getConditionOrAudienceRestrictionOrOneTimeUse().add(audienceRestrictionType);
                }
            }
            AttributeStatementType attributeStatementType = new AttributeStatementType();
            authenticationResponse.assertion.attributes.forEach((str2, list) -> {
                AttributeType attributeType = new AttributeType();
                attributeType.setName(str2);
                attributeType.getAttributeValue().addAll(list);
                attributeStatementType.getAttributeOrEncryptedAttribute().add(attributeType);
            });
            assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(attributeStatementType);
            AuthnStatementType authnStatementType = new AuthnStatementType();
            authnStatementType.setAuthnInstant(SAMLTools.toXMLGregorianCalendar(now));
            authnStatementType.setAuthnContext(new AuthnContextType());
            authnStatementType.getAuthnContext().getContent().add(ASSERTION_OBJECT_FACTORY.createAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:Password"));
            authnStatementType.setSessionIndex(authenticationResponse.sessionIndex);
            authnStatementType.setSessionNotOnOrAfter(SAMLTools.toXMLGregorianCalendar(authenticationResponse.sessionExpiry));
            assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(authnStatementType);
            responseType.getAssertionOrEncryptedAssertion().add(assertionType);
        }
        Document marshallToDocument = SAMLTools.marshallToDocument(PROTOCOL_OBJECT_FACTORY.createResponse(responseType), ResponseType.class);
        if (!z) {
            try {
                return new String(Base64.getEncoder().encode(SAMLTools.marshallToString(marshallToDocument).getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
            } catch (TransformerException e) {
                throw new SAMLException("Unable to marshal the SAML response to XML.", e);
            }
        }
        try {
            Node node = null;
            if (authenticationResponse.status.code != ResponseStatus.Success || signatureLocation != SignatureLocation.Assertion) {
                documentElement = marshallToDocument.getDocumentElement();
                NodeList childNodes = documentElement.getChildNodes();
                int i = 0;
                while (true) {
                    if (i >= childNodes.getLength()) {
                        break;
                    }
                    Node item = childNodes.item(i);
                    if (item instanceof Element) {
                        node = item.getLocalName().equals("Issuer") ? item.getNextSibling() : item;
                    } else {
                        i++;
                    }
                }
            } else {
                documentElement = (Element) marshallToDocument.getElementsByTagName("Assertion").item(0);
                node = documentElement.getElementsByTagName("Issuer").item(0).getNextSibling();
            }
            return new String(Base64.getEncoder().encode(signXML(privateKey, x509Certificate, algorithm, str, marshallToDocument, documentElement, node).getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
        } catch (Exception e2) {
            throw new SAMLException("Unable to sign XML SAML response", e2);
        }
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildMetadataResponse(MetaData metaData) throws SAMLException {
        EntityDescriptorType entityDescriptorType = new EntityDescriptorType();
        entityDescriptorType.setID("_" + metaData.id);
        entityDescriptorType.setEntityID(metaData.entityId);
        if (metaData.idp != null) {
            IDPSSODescriptorType iDPSSODescriptorType = new IDPSSODescriptorType();
            iDPSSODescriptorType.getProtocolSupportEnumeration().add("urn:oasis:names:tc:SAML:2.0:protocol");
            iDPSSODescriptorType.setWantAuthnRequestsSigned(Boolean.valueOf(metaData.idp.wantAuthnRequestsSigned));
            metaData.idp.redirectBindingSignInEndpoints.forEach(str -> {
                EndpointType endpointType = new EndpointType();
                endpointType.setBinding(Binding.HTTP_Redirect.toSAMLFormat());
                endpointType.setLocation(str);
                iDPSSODescriptorType.getSingleSignOnService().add(endpointType);
            });
            metaData.idp.postBindingSignInEndpoints.forEach(str2 -> {
                EndpointType endpointType = new EndpointType();
                endpointType.setBinding(Binding.HTTP_POST.toSAMLFormat());
                endpointType.setLocation(str2);
                iDPSSODescriptorType.getSingleSignOnService().add(endpointType);
            });
            metaData.idp.redirectBindingLogoutEndpoints.forEach(str3 -> {
                EndpointType endpointType = new EndpointType();
                endpointType.setBinding(Binding.HTTP_Redirect.toSAMLFormat());
                endpointType.setLocation(str3);
                iDPSSODescriptorType.getSingleLogoutService().add(endpointType);
            });
            metaData.idp.postBindingLogoutEndpoints.forEach(str4 -> {
                EndpointType endpointType = new EndpointType();
                endpointType.setBinding(Binding.HTTP_POST.toSAMLFormat());
                endpointType.setLocation(str4);
                iDPSSODescriptorType.getSingleLogoutService().add(endpointType);
            });
            addKeyDescriptors(iDPSSODescriptorType, metaData.idp.certificates);
            entityDescriptorType.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor().add(iDPSSODescriptorType);
        }
        if (metaData.sp != null) {
            SPSSODescriptorType sPSSODescriptorType = new SPSSODescriptorType();
            sPSSODescriptorType.getProtocolSupportEnumeration().add("urn:oasis:names:tc:SAML:2.0:protocol");
            sPSSODescriptorType.setAuthnRequestsSigned(Boolean.valueOf(metaData.sp.authnRequestsSigned));
            sPSSODescriptorType.setWantAssertionsSigned(Boolean.valueOf(metaData.sp.wantAssertionsSigned));
            if (metaData.sp.acsEndpoint != null) {
                IndexedEndpointType indexedEndpointType = new IndexedEndpointType();
                indexedEndpointType.setBinding(Binding.HTTP_POST.toSAMLFormat());
                indexedEndpointType.setLocation(metaData.sp.acsEndpoint);
                sPSSODescriptorType.getAssertionConsumerService().add(indexedEndpointType);
            }
            if (metaData.sp.nameIDFormat != null) {
                sPSSODescriptorType.getNameIDFormat().add(metaData.sp.nameIDFormat.toSAMLFormat());
            }
            addKeyDescriptors(sPSSODescriptorType, metaData.sp.certificates);
            entityDescriptorType.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor().add(sPSSODescriptorType);
        }
        return new String(SAMLTools.marshallToBytes(METADATA_OBJECT_FACTORY.createEntityDescriptor(entityDescriptorType), EntityDescriptorType.class), StandardCharsets.UTF_8);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildPostAuthnRequest(AuthenticationRequest authenticationRequest, boolean z, PrivateKey privateKey, X509Certificate x509Certificate, Algorithm algorithm, String str) throws SAMLException {
        return buildPostRequest(PROTOCOL_OBJECT_FACTORY.createAuthnRequest(toAuthnRequest(authenticationRequest, "2.0")), AuthnRequestType.class, z, privateKey, x509Certificate, algorithm, str);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildPostLogoutRequest(LogoutRequest logoutRequest, boolean z, PrivateKey privateKey, X509Certificate x509Certificate, Algorithm algorithm, String str) throws SAMLException {
        return buildPostRequest(PROTOCOL_OBJECT_FACTORY.createLogoutRequest(toLogoutRequest(logoutRequest, "2.0")), LogoutRequestType.class, z, privateKey, x509Certificate, algorithm, str);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildPostLogoutResponse(LogoutResponse logoutResponse, boolean z, PrivateKey privateKey, X509Certificate x509Certificate, Algorithm algorithm, String str) throws SAMLException {
        return buildPostRequest(PROTOCOL_OBJECT_FACTORY.createLogoutResponse(toLogoutResponse(logoutResponse, "2.0")), StatusResponseType.class, z, privateKey, x509Certificate, algorithm, str);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildRedirectAuthnRequest(AuthenticationRequest authenticationRequest, String str, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        return buildRedirectRequest(PROTOCOL_OBJECT_FACTORY.createAuthnRequest(toAuthnRequest(authenticationRequest, "2.0")), AuthnRequestType.class, str, z, privateKey, algorithm);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildRedirectLogoutRequest(LogoutRequest logoutRequest, String str, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        return buildRedirectRequest(PROTOCOL_OBJECT_FACTORY.createLogoutRequest(toLogoutRequest(logoutRequest, "2.0")), LogoutRequestType.class, str, z, privateKey, algorithm);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public String buildRedirectLogoutResponse(LogoutResponse logoutResponse, String str, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        return buildRedirectResponse(PROTOCOL_OBJECT_FACTORY.createLogoutResponse(toLogoutResponse(logoutResponse, "2.0")), StatusResponseType.class, str, z, privateKey, algorithm);
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public LogoutRequest parseLogoutRequestPostBinding(String str, Function<LogoutRequest, SAMLv2Service.PostBindingSignatureHelper> function) throws SAMLException {
        LogoutRequestParseResult parseLogoutRequest = parseLogoutRequest(Base64.getMimeDecoder().decode(str));
        SAMLv2Service.PostBindingSignatureHelper apply = function.apply(parseLogoutRequest.request);
        if (apply.verifySignature()) {
            verifyEmbeddedSignature(parseLogoutRequest.document, apply.keySelector(), parseLogoutRequest.request);
        }
        return parseLogoutRequest.request;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public LogoutRequest parseLogoutRequestRedirectBinding(String str, String str2, Function<LogoutRequest, SAMLv2Service.RedirectBindingSignatureHelper> function) throws SAMLException {
        LogoutRequestParseResult parseLogoutRequest = parseLogoutRequest(SAMLTools.decodeAndInflate(str));
        SAMLv2Service.RedirectBindingSignatureHelper apply = function.apply(parseLogoutRequest.request);
        if (apply.verifySignature()) {
            verifyRequestSignature(str, str2, apply, parseLogoutRequest.request);
        }
        return parseLogoutRequest.request;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public LogoutResponse parseLogoutResponsePostBinding(String str, Function<LogoutResponse, SAMLv2Service.PostBindingSignatureHelper> function) throws SAMLException {
        LogoutResponseParseResult parseLogoutResponse = parseLogoutResponse(Base64.getMimeDecoder().decode(str));
        SAMLv2Service.PostBindingSignatureHelper apply = function.apply(parseLogoutResponse.response);
        if (apply.verifySignature()) {
            verifyEmbeddedSignature(parseLogoutResponse.document, apply.keySelector(), parseLogoutResponse.response);
        }
        return parseLogoutResponse.response;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public LogoutResponse parseLogoutResponseRedirectBinding(String str, String str2, Function<LogoutResponse, SAMLv2Service.RedirectBindingSignatureHelper> function) throws SAMLException {
        LogoutResponseParseResult parseLogoutResponse = parseLogoutResponse(SAMLTools.decodeAndInflate(str));
        SAMLv2Service.RedirectBindingSignatureHelper apply = function.apply(parseLogoutResponse.response);
        if (apply.verifySignature()) {
            verifyRequestSignature(str, str2, apply, parseLogoutResponse.response);
        }
        return parseLogoutResponse.response;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public MetaData parseMetaData(String str) throws SAMLException {
        EntityDescriptorType entityDescriptorType = (EntityDescriptorType) SAMLTools.unmarshallFromDocument(SAMLTools.newDocumentFromBytes(str.getBytes(StandardCharsets.UTF_8)), EntityDescriptorType.class);
        MetaData metaData = new MetaData();
        metaData.id = entityDescriptorType.getID();
        metaData.entityId = entityDescriptorType.getEntityID();
        List<RoleDescriptorType> roleDescriptorOrIDPSSODescriptorOrSPSSODescriptor = entityDescriptorType.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor();
        Optional<RoleDescriptorType> findFirst = roleDescriptorOrIDPSSODescriptorOrSPSSODescriptor.stream().filter(roleDescriptorType -> {
            return roleDescriptorType instanceof IDPSSODescriptorType;
        }).findFirst();
        if (findFirst.isPresent()) {
            IDPSSODescriptorType iDPSSODescriptorType = (IDPSSODescriptorType) findFirst.get();
            metaData.idp = new MetaData.IDPMetaData();
            for (EndpointType endpointType : iDPSSODescriptorType.getSingleSignOnService()) {
                if (Binding.HTTP_Redirect.toSAMLFormat().equals(endpointType.getBinding())) {
                    metaData.idp.redirectBindingSignInEndpoints.add(endpointType.getLocation());
                } else if (Binding.HTTP_POST.toSAMLFormat().equals(endpointType.getBinding())) {
                    metaData.idp.postBindingSignInEndpoints.add(endpointType.getLocation());
                }
            }
            for (EndpointType endpointType2 : iDPSSODescriptorType.getSingleLogoutService()) {
                if (Binding.HTTP_Redirect.toSAMLFormat().equals(endpointType2.getBinding())) {
                    metaData.idp.redirectBindingLogoutEndpoints.add(endpointType2.getLocation());
                } else if (Binding.HTTP_POST.toSAMLFormat().equals(endpointType2.getBinding())) {
                    metaData.idp.postBindingLogoutEndpoints.add(endpointType2.getLocation());
                }
            }
            try {
                metaData.idp.certificates = (List) iDPSSODescriptorType.getKeyDescriptor().stream().filter(keyDescriptorType -> {
                    return keyDescriptorType.getUse() == KeyTypes.SIGNING;
                }).map(SAMLTools::toCertificate).filter((v0) -> {
                    return Objects.nonNull(v0);
                }).collect(Collectors.toList());
            } catch (IllegalArgumentException e) {
                throw new SAMLException(e.getCause());
            }
        }
        Optional<RoleDescriptorType> findFirst2 = roleDescriptorOrIDPSSODescriptorOrSPSSODescriptor.stream().filter(roleDescriptorType2 -> {
            return roleDescriptorType2 instanceof SPSSODescriptorType;
        }).findFirst();
        if (findFirst2.isPresent()) {
            SPSSODescriptorType sPSSODescriptorType = (SPSSODescriptorType) findFirst2.get();
            metaData.sp = new MetaData.SPMetaData();
            metaData.sp.acsEndpoint = sPSSODescriptorType.getAssertionConsumerService().size() > 0 ? sPSSODescriptorType.getAssertionConsumerService().get(0).getLocation() : null;
            try {
                metaData.sp.nameIDFormat = sPSSODescriptorType.getNameIDFormat().size() > 0 ? NameIDFormat.fromSAMLFormat(sPSSODescriptorType.getNameIDFormat().get(0)) : null;
            } catch (Exception e2) {
                throw new SAMLException(e2.getCause());
            }
        }
        return metaData;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public AuthenticationRequest parseRequestPostBinding(String str, Function<AuthenticationRequest, SAMLv2Service.PostBindingSignatureHelper> function) throws SAMLException {
        AuthnRequestParseResult parseRequest = parseRequest(Base64.getMimeDecoder().decode(str));
        SAMLv2Service.PostBindingSignatureHelper apply = function.apply(parseRequest.request);
        if (apply.verifySignature()) {
            verifyEmbeddedSignature(parseRequest.document, apply.keySelector(), parseRequest.request);
        }
        return parseRequest.request;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public AuthenticationRequest parseRequestRedirectBinding(String str, String str2, Function<AuthenticationRequest, SAMLv2Service.RedirectBindingSignatureHelper> function) throws SAMLException {
        AuthnRequestParseResult parseRequest = parseRequest(SAMLTools.decodeAndInflate(str));
        SAMLv2Service.RedirectBindingSignatureHelper apply = function.apply(parseRequest.request);
        if (apply.verifySignature()) {
            verifyRequestSignature(str, str2, apply, parseRequest.request);
        }
        return parseRequest.request;
    }

    @Override // io.fusionauth.samlv2.service.SAMLv2Service
    public AuthenticationResponse parseResponse(String str, boolean z, KeySelector keySelector) throws SAMLException {
        AuthenticationResponse authenticationResponse = new AuthenticationResponse();
        byte[] decode = Base64.getMimeDecoder().decode(str);
        authenticationResponse.rawResponse = new String(decode, StandardCharsets.UTF_8);
        Document newDocumentFromBytes = SAMLTools.newDocumentFromBytes(decode);
        if (z) {
            verifyEmbeddedSignature(newDocumentFromBytes, keySelector, null);
        }
        ResponseType responseType = (ResponseType) SAMLTools.unmarshallFromDocument(newDocumentFromBytes, ResponseType.class);
        authenticationResponse.status.code = ResponseStatus.fromSAMLFormat(responseType.getStatus().getStatusCode().getValue());
        authenticationResponse.id = responseType.getID();
        authenticationResponse.inResponseTo = responseType.getInResponseTo();
        authenticationResponse.issuer = responseType.getIssuer() != null ? responseType.getIssuer().getValue() : null;
        authenticationResponse.issueInstant = SAMLTools.toZonedDateTime(responseType.getIssueInstant());
        authenticationResponse.destination = responseType.getDestination();
        authenticationResponse.version = responseType.getVersion();
        for (Object obj : responseType.getAssertionOrEncryptedAssertion()) {
            if (obj instanceof EncryptedElementType) {
                logger.warn("SAML response contained encrypted attribute. It was ignored.");
            } else {
                AssertionType assertionType = (AssertionType) obj;
                SubjectType subject = assertionType.getSubject();
                if (subject != null) {
                    authenticationResponse.assertion.subject = new Subject();
                    for (JAXBElement<?> jAXBElement : subject.getContent()) {
                        Class declaredType = jAXBElement.getDeclaredType();
                        if (declaredType == NameIDType.class) {
                            if (authenticationResponse.assertion.subject.nameID != null) {
                                logger.warn("SAML response contained multiple NameID elements. Only the first one was used.");
                            } else {
                                authenticationResponse.assertion.subject.nameID = SAMLTools.parseNameId((NameIDType) jAXBElement.getValue());
                            }
                        } else if (declaredType == SubjectConfirmationType.class) {
                            authenticationResponse.assertion.subject.subjectConfirmation = parseConfirmation((SubjectConfirmationType) jAXBElement.getValue());
                        } else if (declaredType == EncryptedElementType.class) {
                            throw new SAMLException("This library currently doesn't handle encrypted assertions");
                        }
                    }
                }
                ConditionsType conditions = assertionType.getConditions();
                if (conditions != null) {
                    authenticationResponse.assertion.conditions = new Conditions();
                    authenticationResponse.assertion.conditions.notBefore = SAMLTools.convertToZonedDateTime(conditions.getNotBefore());
                    authenticationResponse.assertion.conditions.notOnOrAfter = SAMLTools.convertToZonedDateTime(conditions.getNotOnOrAfter());
                    for (ConditionAbstractType conditionAbstractType : conditions.getConditionOrAudienceRestrictionOrOneTimeUse()) {
                        if (conditionAbstractType instanceof AudienceRestrictionType) {
                            authenticationResponse.assertion.conditions.audiences.addAll(((AudienceRestrictionType) conditionAbstractType).getAudience());
                        }
                    }
                }
                for (StatementAbstractType statementAbstractType : assertionType.getStatementOrAuthnStatementOrAuthzDecisionStatement()) {
                    if (statementAbstractType instanceof AttributeStatementType) {
                        for (Object obj2 : ((AttributeStatementType) statementAbstractType).getAttributeOrEncryptedAttribute()) {
                            if (!(obj2 instanceof AttributeType)) {
                                throw new SAMLException("This library currently doesn't support encrypted attributes");
                            }
                            AttributeType attributeType = (AttributeType) obj2;
                            authenticationResponse.assertion.attributes.computeIfAbsent(attributeType.getName(), str2 -> {
                                return new ArrayList();
                            }).addAll((List) attributeType.getAttributeValue().stream().map(SAMLTools::attributeToString).collect(Collectors.toList()));
                        }
                    }
                }
            }
        }
        return authenticationResponse;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public <T> String buildPostRequest(JAXBElement<T> jAXBElement, Class<T> cls, boolean z, PrivateKey privateKey, X509Certificate x509Certificate, Algorithm algorithm, String str) throws SAMLException {
        Document marshallToDocument = SAMLTools.marshallToDocument(jAXBElement, cls);
        try {
            return new String(Base64.getEncoder().encode((z ? signXML(privateKey, x509Certificate, algorithm, str, marshallToDocument, marshallToDocument.getDocumentElement(), null) : SAMLTools.marshallToString(marshallToDocument)).getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new SAMLException("Unable to sign XML SAML response", e);
        }
    }

    <T> String buildRedirect(JAXBElement<T> jAXBElement, Class<T> cls, String str, boolean z, PrivateKey privateKey, Algorithm algorithm, String str2) throws SAMLException {
        try {
            String str3 = str2 + "=" + URLEncoder.encode(SAMLTools.deflateAndEncode(SAMLTools.marshallToBytes(jAXBElement, cls)), "UTF-8");
            if (str != null) {
                str3 = str3 + "&RelayState=" + URLEncoder.encode(str, "UTF-8");
            }
            if (z && privateKey != null && algorithm != null) {
                String str4 = str3 + "&SigAlg=" + URLEncoder.encode(algorithm.uri, "UTF-8");
                Signature signature = Signature.getInstance(algorithm.name);
                signature.initSign(privateKey);
                signature.update(str4.getBytes(StandardCharsets.UTF_8));
                str3 = str4 + "&Signature=" + URLEncoder.encode(new String(Base64.getEncoder().encode(signature.sign()), StandardCharsets.UTF_8), "UTF-8");
            }
            return str3;
        } catch (Exception e) {
            throw new SAMLException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public <T> String buildRedirectRequest(JAXBElement<T> jAXBElement, Class<T> cls, String str, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        return buildRedirect(jAXBElement, cls, str, z, privateKey, algorithm, "SAMLRequest");
    }

    <T> String buildRedirectResponse(JAXBElement<T> jAXBElement, Class<T> cls, String str, boolean z, PrivateKey privateKey, Algorithm algorithm) throws SAMLException {
        return buildRedirect(jAXBElement, cls, str, z, privateKey, algorithm, "SAMLResponse");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthnRequestType toAuthnRequest(AuthenticationRequest authenticationRequest, String str) {
        AuthnRequestType authnRequestType = new AuthnRequestType();
        authnRequestType.setAssertionConsumerServiceURL(authenticationRequest.acsURL);
        authnRequestType.setDestination(authenticationRequest.destination);
        authnRequestType.setIssuer(new NameIDType());
        authnRequestType.getIssuer().setValue(authenticationRequest.issuer);
        authnRequestType.setNameIDPolicy(new NameIDPolicyType());
        authnRequestType.getNameIDPolicy().setFormat(NameIDFormat.EmailAddress.toSAMLFormat());
        authnRequestType.getNameIDPolicy().setAllowCreate(false);
        authnRequestType.setID(authenticationRequest.id);
        authnRequestType.setVersion(str);
        authnRequestType.setIssueInstant(new XMLGregorianCalendarImpl(GregorianCalendar.from(ZonedDateTime.now())));
        return authnRequestType;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public LogoutRequestType toLogoutRequest(LogoutRequest logoutRequest, String str) {
        LogoutRequestType logoutRequestType = new LogoutRequestType();
        logoutRequestType.setDestination(logoutRequest.destination);
        logoutRequestType.setIssuer(new NameIDType());
        logoutRequestType.getIssuer().setValue(logoutRequest.issuer);
        logoutRequestType.setNameID(new NameIDType());
        logoutRequestType.getNameID().setFormat(NameIDFormat.EmailAddress.toSAMLFormat());
        logoutRequestType.setID(logoutRequest.id);
        logoutRequestType.getSessionIndex().add(logoutRequest.sessionIndex);
        logoutRequestType.setVersion(str);
        logoutRequestType.setIssueInstant(new XMLGregorianCalendarImpl(GregorianCalendar.from(ZonedDateTime.now())));
        return logoutRequestType;
    }

    StatusResponseType toLogoutResponse(LogoutResponse logoutResponse, String str) {
        StatusResponseType statusResponseType = new StatusResponseType();
        statusResponseType.setDestination(logoutResponse.destination);
        statusResponseType.setIssuer(new NameIDType());
        statusResponseType.getIssuer().setValue(logoutResponse.issuer);
        statusResponseType.setID(logoutResponse.id);
        statusResponseType.setVersion(str);
        statusResponseType.setInResponseTo(logoutResponse.inResponseTo);
        statusResponseType.setIssueInstant(new XMLGregorianCalendarImpl(GregorianCalendar.from(ZonedDateTime.now())));
        StatusType statusType = new StatusType();
        statusType.setStatusCode(new StatusCodeType());
        statusType.getStatusCode().setValue(logoutResponse.status.code.toSAMLFormat());
        statusType.setStatusMessage(logoutResponse.status.message);
        statusResponseType.setStatus(statusType);
        return statusResponseType;
    }

    private void addKeyDescriptors(SSODescriptorType sSODescriptorType, List<Certificate> list) {
        list.forEach(certificate -> {
            KeyDescriptorType keyDescriptorType = new KeyDescriptorType();
            keyDescriptorType.setUse(KeyTypes.SIGNING);
            KeyInfoType keyInfoType = new KeyInfoType();
            keyDescriptorType.setKeyInfo(keyInfoType);
            X509DataType x509DataType = new X509DataType();
            keyInfoType.getContent().add(DSIG_OBJECT_FACTORY.createX509Data(x509DataType));
            try {
                x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(DSIG_OBJECT_FACTORY.createX509DataTypeX509Certificate(certificate.getEncoded()));
                sSODescriptorType.getKeyDescriptor().add(keyDescriptorType);
            } catch (Exception e) {
                throw new IllegalArgumentException(e);
            }
        });
    }

    private void fixIDs(Element element) {
        NamedNodeMap attributes = element.getAttributes();
        for (int i = 0; i < attributes.getLength(); i++) {
            Attr attr = (Attr) attributes.item(i);
            if (attr.getLocalName().equalsIgnoreCase("id")) {
                element.setIdAttributeNode(attr, true);
            }
        }
        NodeList childNodes = element.getChildNodes();
        for (int i2 = 0; i2 < childNodes.getLength(); i2++) {
            Node item = childNodes.item(i2);
            if (item.getNodeType() == 1) {
                fixIDs((Element) item);
            }
        }
    }

    private SubjectConfirmation parseConfirmation(SubjectConfirmationType subjectConfirmationType) {
        SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
        SubjectConfirmationDataType subjectConfirmationData = subjectConfirmationType.getSubjectConfirmationData();
        if (subjectConfirmationData != null) {
            subjectConfirmation.address = subjectConfirmationData.getAddress();
            subjectConfirmation.inResponseTo = subjectConfirmationData.getInResponseTo();
            subjectConfirmation.notBefore = SAMLTools.toZonedDateTime(subjectConfirmationData.getNotBefore());
            subjectConfirmation.notOnOrAfter = SAMLTools.toZonedDateTime(subjectConfirmationData.getNotOnOrAfter());
            subjectConfirmation.recipient = subjectConfirmationData.getRecipient();
        }
        subjectConfirmation.method = ConfirmationMethod.fromSAMLFormat(subjectConfirmationType.getMethod());
        return subjectConfirmation;
    }

    private LogoutRequestParseResult parseLogoutRequest(byte[] bArr) throws SAMLException {
        String str = new String(bArr, StandardCharsets.UTF_8);
        if (logger.isDebugEnabled()) {
            logger.debug("SAMLRequest XML is\n{}", str);
        }
        LogoutRequestParseResult logoutRequestParseResult = new LogoutRequestParseResult();
        logoutRequestParseResult.document = SAMLTools.newDocumentFromBytes(bArr);
        logoutRequestParseResult.logoutRequest = (LogoutRequestType) SAMLTools.unmarshallFromDocument(logoutRequestParseResult.document, LogoutRequestType.class);
        logoutRequestParseResult.request = new LogoutRequest();
        logoutRequestParseResult.request.xml = str;
        logoutRequestParseResult.request.id = logoutRequestParseResult.logoutRequest.getID();
        logoutRequestParseResult.request.issuer = logoutRequestParseResult.logoutRequest.getIssuer().getValue();
        logoutRequestParseResult.request.issueInstant = logoutRequestParseResult.logoutRequest.getIssueInstant().toGregorianCalendar().toZonedDateTime();
        NameIDType nameID = logoutRequestParseResult.logoutRequest.getNameID();
        if (nameID == null) {
            logoutRequestParseResult.request.nameIdFormat = NameIDFormat.EmailAddress;
        } else {
            logoutRequestParseResult.request.nameIdFormat = NameIDFormat.fromSAMLFormat(nameID.getFormat());
        }
        List<String> sessionIndex = logoutRequestParseResult.logoutRequest.getSessionIndex();
        logoutRequestParseResult.request.sessionIndex = sessionIndex.isEmpty() ? null : sessionIndex.get(0);
        logoutRequestParseResult.request.version = logoutRequestParseResult.logoutRequest.getVersion();
        return logoutRequestParseResult;
    }

    private LogoutResponseParseResult parseLogoutResponse(byte[] bArr) throws SAMLException {
        String str = new String(bArr, StandardCharsets.UTF_8);
        if (logger.isDebugEnabled()) {
            logger.debug("SAMLRequest XML is\n{}", str);
        }
        LogoutResponseParseResult logoutResponseParseResult = new LogoutResponseParseResult();
        logoutResponseParseResult.document = SAMLTools.newDocumentFromBytes(bArr);
        logoutResponseParseResult.logoutResponse = (StatusResponseType) SAMLTools.unmarshallFromDocument(logoutResponseParseResult.document, StatusResponseType.class);
        logoutResponseParseResult.response = new LogoutResponse();
        logoutResponseParseResult.response.xml = str;
        logoutResponseParseResult.response.id = logoutResponseParseResult.logoutResponse.getID();
        logoutResponseParseResult.response.issuer = logoutResponseParseResult.logoutResponse.getIssuer().getValue();
        logoutResponseParseResult.response.issueInstant = logoutResponseParseResult.logoutResponse.getIssueInstant().toGregorianCalendar().toZonedDateTime();
        logoutResponseParseResult.response.version = logoutResponseParseResult.logoutResponse.getVersion();
        return logoutResponseParseResult;
    }

    private AuthnRequestParseResult parseRequest(byte[] bArr) throws SAMLException {
        String str = new String(bArr, StandardCharsets.UTF_8);
        if (logger.isDebugEnabled()) {
            logger.debug("SAMLRequest XML is\n{}", str);
        }
        AuthnRequestParseResult authnRequestParseResult = new AuthnRequestParseResult();
        authnRequestParseResult.document = SAMLTools.newDocumentFromBytes(bArr);
        authnRequestParseResult.authnRequest = (AuthnRequestType) SAMLTools.unmarshallFromDocument(authnRequestParseResult.document, AuthnRequestType.class);
        authnRequestParseResult.request = new AuthenticationRequest();
        authnRequestParseResult.request.xml = str;
        authnRequestParseResult.request.id = authnRequestParseResult.authnRequest.getID();
        authnRequestParseResult.request.issuer = authnRequestParseResult.authnRequest.getIssuer().getValue();
        authnRequestParseResult.request.issueInstant = authnRequestParseResult.authnRequest.getIssueInstant().toGregorianCalendar().toZonedDateTime();
        NameIDPolicyType nameIDPolicy = authnRequestParseResult.authnRequest.getNameIDPolicy();
        if (nameIDPolicy == null) {
            authnRequestParseResult.request.nameIdFormat = NameIDFormat.EmailAddress;
        } else {
            authnRequestParseResult.request.nameIdFormat = NameIDFormat.fromSAMLFormat(nameIDPolicy.getFormat());
        }
        authnRequestParseResult.request.version = authnRequestParseResult.authnRequest.getVersion();
        return authnRequestParseResult;
    }

    private String signXML(PrivateKey privateKey, X509Certificate x509Certificate, Algorithm algorithm, String str, Document document, Element element, Node node) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, MarshalException, XMLSignatureException, TransformerException {
        element.setIdAttributeNode(element.getAttributeNode("ID"), true);
        DOMSignContext dOMSignContext = new DOMSignContext(privateKey, element);
        dOMSignContext.setNextSibling(node);
        XMLSignatureFactory xMLSignatureFactory = XMLSignatureFactory.getInstance("DOM");
        Transform newCanonicalizationMethod = xMLSignatureFactory.newCanonicalizationMethod(str, (C14NMethodParameterSpec) null);
        SignedInfo newSignedInfo = xMLSignatureFactory.newSignedInfo(newCanonicalizationMethod, xMLSignatureFactory.newSignatureMethod(algorithm.uri, (SignatureMethodParameterSpec) null), Collections.singletonList(xMLSignatureFactory.newReference("#" + element.getAttribute("ID"), xMLSignatureFactory.newDigestMethod("http://www.w3.org/2001/04/xmlenc#sha256", (DigestMethodParameterSpec) null), Arrays.asList(xMLSignatureFactory.newTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature", (TransformParameterSpec) null), newCanonicalizationMethod), (String) null, (String) null)));
        KeyInfoFactory keyInfoFactory = xMLSignatureFactory.getKeyInfoFactory();
        xMLSignatureFactory.newXMLSignature(newSignedInfo, keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(Collections.singletonList(x509Certificate))))).sign(dOMSignContext);
        return SAMLTools.marshallToString(document);
    }

    private void verifyEmbeddedSignature(Document document, KeySelector keySelector, SAMLRequest sAMLRequest) throws SAMLException {
        fixIDs(document.getDocumentElement());
        NodeList elementsByTagNameNS = document.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        if (elementsByTagNameNS.getLength() == 0) {
            throw new SignatureNotFoundException("Invalid SAML v2.0 operation. The signature is missing from the XML but is required.", sAMLRequest);
        }
        for (int i = 0; i < elementsByTagNameNS.getLength(); i++) {
            DOMValidateContext dOMValidateContext = new DOMValidateContext(keySelector, elementsByTagNameNS.item(i));
            try {
                if (!XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(dOMValidateContext).validate(dOMValidateContext)) {
                    throw new SAMLException("Invalid SAML v2.0 operation. The signature is invalid.", sAMLRequest);
                }
            } catch (MarshalException e) {
                throw new SAMLException("Unable to verify XML signature in the SAML v2.0 XML. We couldn't unmarshall the XML Signature element.", sAMLRequest, e);
            } catch (XMLSignatureException e2) {
                throw new SAMLException("Unable to verify XML signature in the SAML v2.0 XML. The signature was unmarshalled but we couldn't validate it. Possible reasons include a key was not provided that was eligible to verify the signature, or an un-expected exception occurred.", sAMLRequest, e2);
            }
        }
    }

    private void verifyRequestSignature(String str, String str2, SAMLv2Service.RedirectBindingSignatureHelper redirectBindingSignatureHelper, SAMLRequest sAMLRequest) throws SAMLException {
        if (redirectBindingSignatureHelper.signature() == null || redirectBindingSignatureHelper.publicKey() == null || redirectBindingSignatureHelper.algorithm() == null) {
            throw new SignatureNotFoundException("You must specify a signature, key and algorithm if you want to verify the SAML request signature", sAMLRequest);
        }
        try {
            String str3 = "SAMLRequest=" + URLEncoder.encode(str, "UTF-8");
            if (str2 != null) {
                str3 = str3 + "&RelayState=" + URLEncoder.encode(str2, "UTF-8");
            }
            String str4 = str3 + "&SigAlg=" + URLEncoder.encode(redirectBindingSignatureHelper.algorithm().uri, "UTF-8");
            Signature signature = Signature.getInstance(redirectBindingSignatureHelper.algorithm().name);
            signature.initVerify(redirectBindingSignatureHelper.publicKey());
            signature.update(str4.getBytes(StandardCharsets.UTF_8));
            if (signature.verify(Base64.getMimeDecoder().decode(redirectBindingSignatureHelper.signature().getBytes(StandardCharsets.UTF_8)))) {
            } else {
                throw new SAMLException("Invalid SAML v2.0 operation. The signature is invalid.", sAMLRequest);
            }
        } catch (UnsupportedEncodingException | GeneralSecurityException e) {
            throw new SAMLException("Unable to verify signature", sAMLRequest, e);
        }
    }

    static {
        if (!Boolean.parseBoolean(System.getProperty("com.sun.org.apache.xml.internal.security.ignoreLineBreaks"))) {
            throw new IllegalStateException("When the fusionauth-samlv2 jar is included in the classpath, you must set the following system property:\n-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true");
        }
    }
}
