package se.litsec.opensaml.xmlsec;

import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.SSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.EncryptionConfiguration;
import org.opensaml.xmlsec.EncryptionParameters;
import org.opensaml.xmlsec.SecurityConfigurationSupport;
import org.opensaml.xmlsec.algorithm.AlgorithmRegistry;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion;
import org.opensaml.xmlsec.criterion.EncryptionOptionalCriterion;
import org.opensaml.xmlsec.encryption.EncryptedData;
import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
import org.opensaml.xmlsec.encryption.support.Encrypter;
import org.opensaml.xmlsec.encryption.support.EncryptionException;
import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.saml2.metadata.MetadataUtils;
import se.litsec.opensaml.saml2.metadata.provider.MetadataProvider;
import se.swedenconnect.opensaml.xmlsec.ExtendedSAMLMetadataEncryptionParametersResolver;
import se.swedenconnect.opensaml.xmlsec.config.ExtendedDefaultSecurityConfigurationBootstrap;

/* loaded from: input_file:se/litsec/opensaml/xmlsec/SAMLObjectEncrypter.class */
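/**
 * Encrypts an {@link XMLObject} for a SAML peer, picking the key-encryption credential and the
 * algorithms from the peer's SAML metadata combined with a local {@link EncryptionConfiguration}.
 *
 * <p>
 * The peer is identified by a {@link Peer} that either carries the {@link EntityDescriptor} directly or
 * only the entityID, in which case the descriptor is looked up via the configured {@link MetadataProvider}.
 * Only credentials published for {@link UsageType#ENCRYPTION} (or unspecified usage, as resolved by
 * {@link MetadataCredentialResolver}) are considered, and a missing credential is an error rather than a
 * fallback to plaintext ({@code EncryptionOptionalCriterion(false)}).
 * </p>
 *
 * <p>
 * NOTE(review): {@code setMergeMetadataRSAOAEPParametersWithConfig(true)} lets RSA-OAEP parameters
 * published in the peer's metadata be merged with the local configuration. The local
 * {@link EncryptionConfiguration} include/exclude lists are expected to remain the authority on which
 * algorithms are acceptable - confirm against {@link ExtendedSAMLMetadataEncryptionParametersResolver}
 * before relying on metadata from an untrusted federation.
 * </p>
 */
public class SAMLObjectEncrypter {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(SAMLObjectEncrypter.class);

    /** Used to look up peer metadata when a {@link Peer} carries only an entityID. May be {@code null}. */
    private MetadataProvider metadataProvider;

    /** Resolves encryption parameters (credential + algorithms) from peer metadata and configuration. */
    private final ExtendedSAMLMetadataEncryptionParametersResolver encryptionParameterResolver;

    /** Configuration used when the caller does not supply one explicitly. */
    private EncryptionConfiguration defaultEncryptionConfiguration;

    /** Performs the actual XML encryption. */
    private Encrypter encrypter;

    /**
     * Identifies the peer an object is encrypted for: either by entityID (resolved through the
     * {@link MetadataProvider}) or by its {@link EntityDescriptor} directly.
     */
    public static class Peer {

        /** The peer's SAML entityID. */
        private final String entityID;

        /** The peer's metadata, or {@code null} if only the entityID was supplied. */
        private final EntityDescriptor metadata;

        /**
         * Creates a peer identified by entityID only; metadata is resolved later.
         *
         * @param str the entityID (must be non-empty)
         */
        public Peer(String str) {
            Constraint.isNotEmpty(str, "entityID must be set");
            this.entityID = str;
            this.metadata = null;
        }

        /**
         * Creates a peer from its metadata; the entityID is taken from the descriptor.
         *
         * @param entityDescriptor the peer metadata (must be non-null)
         */
        public Peer(EntityDescriptor entityDescriptor) {
            Constraint.isNotNull(entityDescriptor, "metadata must not be null");
            this.metadata = entityDescriptor;
            this.entityID = entityDescriptor.getEntityID();
        }

        /** @return the peer entityID */
        public String getEntityID() {
            return this.entityID;
        }

        /** @return the peer metadata, or {@code null} if the peer was given by entityID only */
        public EntityDescriptor getMetadata() {
            return this.metadata;
        }
    }

    /**
     * Creates an encrypter without a {@link MetadataProvider}; every {@link Peer} passed to
     * {@link #encrypt(XMLObject, Peer)} must then carry its metadata.
     *
     * @throws ComponentInitializationException if the underlying credential resolver fails to initialize
     */
    public SAMLObjectEncrypter() throws ComponentInitializationException {
        this(null);
    }

    /**
     * Creates an encrypter.
     *
     * @param metadataProvider provider used to resolve peer metadata by entityID (may be {@code null})
     * @throws ComponentInitializationException if the underlying credential resolver fails to initialize
     */
    public SAMLObjectEncrypter(MetadataProvider metadataProvider) throws ComponentInitializationException {
        this.encrypter = new Encrypter();
        this.metadataProvider = metadataProvider;

        // Prefer the globally registered configuration; fall back to the extended defaults.
        EncryptionConfiguration globalConfig = SecurityConfigurationSupport.getGlobalEncryptionConfiguration();
        this.defaultEncryptionConfiguration = globalConfig != null
                ? globalConfig
                : ExtendedDefaultSecurityConfigurationBootstrap.buildDefaultEncryptionConfiguration();

        // Credentials are taken from KeyInfo elements inline in the peer's metadata.
        MetadataCredentialResolver credentialResolver = new MetadataCredentialResolver();
        credentialResolver.setKeyInfoCredentialResolver(
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
        credentialResolver.initialize();

        this.encryptionParameterResolver = new ExtendedSAMLMetadataEncryptionParametersResolver(credentialResolver);
        this.encryptionParameterResolver.setMergeMetadataRSAOAEPParametersWithConfig(true);
        this.encryptionParameterResolver.setUseKeyAgreementDefaults(true);
        // A fresh data-encryption (content) key is generated per encrypt call.
        this.encryptionParameterResolver.setAutoGenerateDataEncryptionCredential(true);
    }

    /**
     * Encrypts {@code xMLObject} for {@code peer} using the default encryption configuration.
     *
     * @param xMLObject the object to encrypt
     * @param peer the recipient
     * @return the encrypted element
     * @throws EncryptionException if metadata or credentials cannot be resolved, or encryption fails
     */
    public EncryptedData encrypt(XMLObject xMLObject, Peer peer) throws EncryptionException {
        return encrypt(xMLObject, peer, this.defaultEncryptionConfiguration);
    }

    /**
     * Encrypts {@code xMLObject} for {@code peer}.
     *
     * @param xMLObject the object to encrypt
     * @param peer the recipient
     * @param encryptionConfiguration configuration governing algorithm selection; {@code null} selects the default
     * @return the encrypted element
     * @throws EncryptionException if metadata or credentials cannot be resolved, or encryption fails
     */
    public EncryptedData encrypt(XMLObject xMLObject, Peer peer, EncryptionConfiguration encryptionConfiguration)
            throws EncryptionException {
        Constraint.isNotNull(xMLObject, "xmlObject must not be null");
        Constraint.isNotNull(peer, "peer must not be null");

        EncryptionConfiguration config = encryptionConfiguration != null
                ? encryptionConfiguration
                : this.defaultEncryptionConfiguration;

        EncryptionParameters params = getEncryptionParameters(getPeerMetadata(peer), config);
        if (params == null) {
            throw new EncryptionException(String.format("No encryption credentials found for '%s'", peer.getEntityID()));
        }

        // The peer entityID is recorded as the Recipient of the EncryptedKey.
        DataEncryptionParameters dataParams = new DataEncryptionParameters(params);
        KeyEncryptionParameters keyParams = new KeyEncryptionParameters(params, peer.getEntityID());
        return this.encrypter.encryptElement(xMLObject, dataParams, keyParams);
    }

    /**
     * Returns the peer's metadata, resolving it via the {@link MetadataProvider} when the peer carries only
     * an entityID.
     *
     * @param peer the peer
     * @return the peer's entity descriptor (never {@code null})
     * @throws EncryptionException if no provider is configured or the metadata cannot be found/resolved
     */
    private EntityDescriptor getPeerMetadata(Peer peer) throws EncryptionException {
        EntityDescriptor supplied = peer.getMetadata();
        if (supplied != null) {
            return supplied;
        }
        if (this.metadataProvider == null) {
            throw new EncryptionException("Peer metadata is not available - no metadataProvider has been configured");
        }
        try {
            // Fix: the original formatted peer.getMetadata() here, which is always null on this path;
            // report the entityID that was actually looked up.
            return this.metadataProvider.getEntityDescriptor(peer.getEntityID())
                    .orElseThrow(() -> new EncryptionException(
                            String.format("Metadata for '%s' could not be found", peer.getEntityID())));
        }
        catch (ResolverException e) {
            throw new EncryptionException("Failed to locate peer metadata", e);
        }
    }

    /**
     * Resolves the encryption parameters for the peer's SSO role descriptor under the given configuration.
     *
     * @param entityDescriptor the peer metadata
     * @param encryptionConfiguration the configuration governing algorithm selection
     * @return the resolved parameters, or {@code null} if the resolver produced none
     * @throws EncryptionException if the metadata has no SSO descriptor or resolution fails
     */
    private EncryptionParameters getEncryptionParameters(EntityDescriptor entityDescriptor,
            EncryptionConfiguration encryptionConfiguration) throws EncryptionException {
        SSODescriptor ssoDescriptor = MetadataUtils.getSSODescriptor(entityDescriptor);
        if (ssoDescriptor == null) {
            throw new EncryptionException("Bad peer metadata - no SSO descriptor available");
        }

        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new RoleDescriptorCriterion(ssoDescriptor));
        // Only keys the peer publishes for encryption use are acceptable.
        criteria.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteria.add(new EncryptionConfigurationCriterion(new EncryptionConfiguration[] { encryptionConfiguration }));
        // Encryption is mandatory: the resolver must not silently yield "no encryption".
        criteria.add(new EncryptionOptionalCriterion(false));

        try {
            return this.encryptionParameterResolver.resolveSingle(criteria);
        }
        catch (ResolverException e) {
            log.error("Error during resolve of encryption parameters", e);
            throw new EncryptionException("Error during resolve of encryption parameters", e);
        }
    }

    /**
     * Replaces the {@link Encrypter} used for the actual XML encryption. A {@code null} value is ignored.
     *
     * @param encrypter the encrypter
     */
    public void setEncrypter(Encrypter encrypter) {
        if (encrypter != null) {
            this.encrypter = encrypter;
        }
    }

    /**
     * Replaces the default {@link EncryptionConfiguration}. A {@code null} value is ignored.
     *
     * @param encryptionConfiguration the configuration
     */
    public void setDefaultEncryptionConfiguration(EncryptionConfiguration encryptionConfiguration) {
        if (encryptionConfiguration != null) {
            this.defaultEncryptionConfiguration = encryptionConfiguration;
        }
    }

    /**
     * Replaces the {@link AlgorithmRegistry} the parameter resolver consults. A {@code null} value is ignored.
     *
     * @param algorithmRegistry the registry
     */
    public void setAlgorithmRegistry(AlgorithmRegistry algorithmRegistry) {
        if (algorithmRegistry != null) {
            this.encryptionParameterResolver.setAlgorithmRegistry(algorithmRegistry);
        }
    }
}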
