package se.litsec.swedisheid.opensaml.saml2.signservice;

import java.util.Collection;
import java.util.List;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.DecryptionParameters;
import org.opensaml.xmlsec.encryption.support.Decrypter;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.litsec.opensaml.xmlsec.SAMLObjectDecrypter;
import se.litsec.swedisheid.opensaml.saml2.signservice.dss.Message;
import se.litsec.swedisheid.opensaml.saml2.signservice.dss.SignMessage;
import se.swedenconnect.opensaml.xmlsec.encryption.support.Pkcs11Decrypter;

/* loaded from: input_file:se/litsec/swedisheid/opensaml/saml2/signservice/SignMessageDecrypter.class */
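/**
 * Extracts the {@link Message} carried by a {@link SignMessage}, decrypting it when the
 * SignMessage holds an encrypted message.
 *
 * <p>The underlying {@link Decrypter} is created lazily on the first call that needs it and is
 * then reused. The class contains no synchronization, so configure it fully before sharing an
 * instance between threads.
 */
public class SignMessageDecrypter {
    /** Resolver for the key encryption key(s); stays {@code null} for the SAMLObjectDecrypter constructor. */
    private KeyInfoCredentialResolver keyEncryptionKeyResolver;
    /** Handed unchanged to {@link DecryptionParameters#setBlacklistedAlgorithms}. */
    private Collection<String> blacklistedAlgorithms;
    /** Handed unchanged to {@link DecryptionParameters#setWhitelistedAlgorithms}. */
    private Collection<String> whitelistedAlgorithms;
    /** Lazily built decrypter; reset to {@code null} whenever a setting it was built from changes. */
    private Decrypter decrypter;
    private final Logger logger = LoggerFactory.getLogger(SignMessageDecrypter.class);
    /** Only EncryptedKey elements carried inline with the encrypted data are considered. */
    private final EncryptedKeyResolver encryptedKeyResolver = new InlineEncryptedKeyResolver();
    private boolean pkcs11Workaround = false;

    /**
     * Creates a decrypter that uses a single decryption credential.
     *
     * @param credential the credential holding the key encryption key
     */
    public SignMessageDecrypter(Credential credential) {
        this.keyEncryptionKeyResolver = new StaticKeyInfoCredentialResolver(credential);
    }

    /**
     * Creates a decrypter that may use any of several decryption credentials.
     *
     * @param list the candidate credentials
     */
    public SignMessageDecrypter(List<Credential> list) {
        this.keyEncryptionKeyResolver = new StaticKeyInfoCredentialResolver(list);
    }

    /**
     * Creates a decrypter that resolves its key encryption key through the supplied resolver.
     *
     * @param keyInfoCredentialResolver the resolver to use; a {@code null} value is only detected
     *     when an encrypted message is later passed to {@link #decrypt(SignMessage)}
     */
    public SignMessageDecrypter(KeyInfoCredentialResolver keyInfoCredentialResolver) {
        this.keyEncryptionKeyResolver = keyInfoCredentialResolver;
    }

    /**
     * Accepts a {@link SAMLObjectDecrypter} but does not store or use it.
     *
     * <p>NOTE(review): the body is empty in this listing, so an instance built this way has no key
     * resolver and {@link #decrypt(SignMessage)} rejects every encrypted message. Confirm against
     * the library source whether the argument was meant to be delegated to.
     *
     * @param sAMLObjectDecrypter currently ignored
     */
    public SignMessageDecrypter(SAMLObjectDecrypter sAMLObjectDecrypter) {
    }

    /**
     * Returns the message of a SignMessage, decrypting it if it is encrypted.
     *
     * <p>A SignMessage that carries only a cleartext message is returned as-is, with nothing but
     * an info log entry. The return value does not tell the caller whether the message was
     * encrypted, so a caller whose policy requires encryption must check
     * {@code signMessage.getEncryptedMessage()} itself. When both forms are present the encrypted
     * one is used.
     *
     * @param signMessage the SignMessage to process; must not be {@code null}
     * @return the cleartext or decrypted message
     * @throws DecryptionException if there is no message at all, if no key resolver is configured,
     *     if decryption fails, or if the decrypted object is not a {@link Message}
     */
    public Message decrypt(SignMessage signMessage) throws DecryptionException {
        if (signMessage.getEncryptedMessage() == null) {
            if (signMessage.getMessage() != null) {
                this.logger.info("No decryption required - SignMessage contains cleartext message");
                return signMessage.getMessage();
            }
            this.logger.error("No message available");
            throw new DecryptionException("No message available");
        }
        // getDecrypter() configures no data-key resolver, so without a key encryption key resolver
        // there is no key material at all. Report that as a configuration error here rather than
        // as an opaque failure from inside the decrypter.
        if (this.keyEncryptionKeyResolver == null) {
            this.logger.error("No key encryption key resolver configured");
            throw new DecryptionException("No key encryption key resolver configured");
        }
        Object decrypted = getDecrypter().decryptData(signMessage.getEncryptedMessage().getEncryptedData());
        // The sender chooses the plaintext; check its type instead of trusting it, so unexpected
        // content is reported as a decryption failure and not as a ClassCastException.
        if (!(decrypted instanceof Message)) {
            this.logger.error("Decrypted object is not a Message");
            throw new DecryptionException("Decrypted object is not a Message");
        }
        return (Message) decrypted;
    }

    /**
     * Returns the cached decrypter, building it from the current settings if there is none.
     *
     * @return the decrypter to use
     */
    private Decrypter getDecrypter() {
        if (this.decrypter != null) {
            return this.decrypter;
        }
        DecryptionParameters decryptionParameters = new DecryptionParameters();
        decryptionParameters.setKEKKeyInfoCredentialResolver(this.keyEncryptionKeyResolver);
        decryptionParameters.setEncryptedKeyResolver(this.encryptedKeyResolver);
        decryptionParameters.setBlacklistedAlgorithms(this.blacklistedAlgorithms);
        decryptionParameters.setWhitelistedAlgorithms(this.whitelistedAlgorithms);
        if (this.pkcs11Workaround) {
            this.decrypter = new Pkcs11Decrypter(decryptionParameters);
        } else {
            this.decrypter = new Decrypter(decryptionParameters);
        }
        // Place the decrypted element as the root of a document of its own.
        this.decrypter.setRootInNewDocument(true);
        return this.decrypter;
    }

    /**
     * Sets the algorithms passed to the decrypter as blacklisted.
     *
     * @param collection algorithm URIs, or {@code null}
     */
    public void setBlacklistedAlgorithms(Collection<String> collection) {
        this.blacklistedAlgorithms = collection;
        // Drop the cached decrypter: it was built from the old list and would otherwise keep
        // accepting algorithms the caller has just excluded.
        this.decrypter = null;
    }

    /**
     * Sets the algorithms passed to the decrypter as whitelisted.
     *
     * @param collection algorithm URIs, or {@code null}
     */
    public void setWhitelistedAlgorithms(Collection<String> collection) {
        this.whitelistedAlgorithms = collection;
        // Drop the cached decrypter so the new restriction applies to the next decrypt call.
        this.decrypter = null;
    }

    /**
     * Selects {@link Pkcs11Decrypter} instead of the stock {@link Decrypter}.
     *
     * @param z {@code true} to use {@link Pkcs11Decrypter}
     */
    public void setPkcs11Workaround(boolean z) {
        this.pkcs11Workaround = z;
        // The flag decides which decrypter class is instantiated, so the cached one is stale.
        this.decrypter = null;
    }
}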
