package org.openid4java.consumer;

import com.google.inject.Inject;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Stack;
import javax.crypto.spec.DHParameterSpec;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.eclipse.jetty.util.URIUtil;
import org.openid4java.OpenIDException;
import org.openid4java.association.Association;
import org.openid4java.association.AssociationException;
import org.openid4java.association.AssociationSessionType;
import org.openid4java.association.DiffieHellmanSession;
import org.openid4java.discovery.Discovery;
import org.openid4java.discovery.DiscoveryException;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.discovery.yadis.YadisResolver;
import org.openid4java.message.AssociationError;
import org.openid4java.message.AssociationRequest;
import org.openid4java.message.AssociationResponse;
import org.openid4java.message.AuthFailure;
import org.openid4java.message.AuthImmediateFailure;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.DirectError;
import org.openid4java.message.Message;
import org.openid4java.message.MessageException;
import org.openid4java.message.ParameterList;
import org.openid4java.message.VerifyRequest;
import org.openid4java.message.VerifyResponse;
import org.openid4java.server.IncrementalNonceGenerator;
import org.openid4java.server.NonceGenerator;
import org.openid4java.server.RealmVerifier;
import org.openid4java.server.RealmVerifierFactory;
import org.openid4java.util.HttpFetcher;
import org.openid4java.util.HttpFetcherFactory;
import org.openid4java.util.HttpRequestOptions;
import org.openid4java.util.HttpResponse;

/* loaded from: input_file:org/openid4java/consumer/ConsumerManager.class */
public class ConsumerManager {
    // Shared commons-logging logger for this class.
    private static Log _log = LogFactory.getLog(ConsumerManager.class);
    // Debug flag sampled once when the class is initialised; later log-level changes are not picked up.
    private static final boolean DEBUG = _log.isDebugEnabled();
    // Discovery component used by discover() and by the assertion verification paths.
    private Discovery _discovery;
    // HTTP client used for direct (POST) calls to OP endpoints.
    private HttpFetcher _httpFetcher;
    // Store of associations established with OPs, keyed by OP endpoint URL.
    private ConsumerAssociationStore _associations;
    // Generates the consumer-side nonces that insertConsumerNonce() adds to return_to URLs.
    private NonceGenerator _consumerNonceGenerator;
    // Store of RP-private associations used only to sign and verify consumer nonces.
    private ConsumerAssociationStore _privateAssociations;
    // Replay check for response nonces; verifyNonce() accepts a nonce only when seen() returns 0.
    private NonceVerifier _nonceVerifier;
    // Upper bound on association attempts; 0 disables associations entirely.
    private int _maxAssocAttempts;
    // Whether authentication may proceed without an association (stateless mode).
    private boolean _allowStateless;
    // Weakest association session type this consumer will request (see createAssociationRequest).
    private AssociationSessionType _minAssocSessEnc;
    // Preferred association session type; also selects the MAC type of private associations.
    private AssociationSessionType _prefAssocSessEnc;
    // Diffie-Hellman parameters used when creating DH association sessions.
    private DHParameterSpec _dhParams;
    // Lifetime given to "failed association" markers and to private associations.
    private int _failedAssocExpire;
    // Seconds before expiry during which an existing association is no longer reused as-is.
    private int _preExpiryAssocLockInterval;
    // Whether authentication requests are flagged as immediate (non-interactive).
    private boolean _immediateAuth;
    // Realm verifier handed to AuthRequest.createAuthRequest().
    private RealmVerifier _realmVerifier;

    /**
     * Creates a consumer manager wired with freshly constructed default collaborators:
     * a Yadis-backed realm verifier factory, a default {@link Discovery} and a default
     * {@link HttpFetcherFactory}.
     */
    public ConsumerManager() {
        this(
                new RealmVerifierFactory(new YadisResolver(new HttpFetcherFactory())),
                new Discovery(),
                new HttpFetcherFactory());
    }

    /**
     * Creates a consumer manager with the supplied collaborators and the built-in defaults.
     *
     * <p>Security-relevant defaults set here: in-memory association and nonce stores (not shared
     * between instances), a nonce verifier constructed with a maximum age of 60, up to 4
     * association attempts, stateless mode allowed, a minimum association session type of
     * {@code NO_ENCRYPTION_SHA1MAC}, and RP-ID enforcement switched off on the realm verifier.
     * Deployments that need stricter behaviour should tighten these through the setters.
     *
     * @param realmVerifierFactory source of the consumer-side realm verifier
     * @param discovery discovery component to use
     * @param httpFetcherFactory factory for the HTTP fetcher used for calls to OPs
     */
    @Inject
    public ConsumerManager(RealmVerifierFactory realmVerifierFactory, Discovery discovery, HttpFetcherFactory httpFetcherFactory) {
        // State stores and generators.
        _associations = new InMemoryConsumerAssociationStore();
        _consumerNonceGenerator = new IncrementalNonceGenerator();
        _privateAssociations = new InMemoryConsumerAssociationStore();
        _nonceVerifier = new InMemoryNonceVerifier(60);

        // Protocol policy defaults.
        _maxAssocAttempts = 4;
        _allowStateless = true;
        _minAssocSessEnc = AssociationSessionType.NO_ENCRYPTION_SHA1MAC;
        _dhParams = DiffieHellmanSession.getDefaultParameter();
        _failedAssocExpire = 300;
        _preExpiryAssocLockInterval = 300;
        _immediateAuth = false;

        // Injected collaborators.
        _realmVerifier = realmVerifierFactory.getRealmVerifierForConsumer();
        _realmVerifier.setEnforceRpId(false);
        _discovery = discovery;
        _httpFetcher = httpFetcherFactory.createFetcher(HttpRequestOptions.getDefaultOptionsForOpCalls());

        // Prefer the SHA-256 based DH session when the runtime supports HMAC-SHA256.
        _prefAssocSessEnc = Association.isHmacSha256Supported()
                ? AssociationSessionType.DH_SHA256
                : AssociationSessionType.DH_SHA1;
    }

    /** @return the discovery component currently in use */
    public Discovery getDiscovery() {
        return _discovery;
    }

    /**
     * Replaces the discovery component.
     *
     * @param discovery the discovery component to use from now on
     */
    public void setDiscovery(Discovery discovery) {
        _discovery = discovery;
    }

    /** @return the store holding associations established with OPs */
    public ConsumerAssociationStore getAssociations() {
        return _associations;
    }

    /**
     * Replaces the store used for associations established with OPs.
     *
     * @param consumerAssociationStore the association store to use
     */
    @Inject
    public void setAssociations(ConsumerAssociationStore consumerAssociationStore) {
        _associations = consumerAssociationStore;
    }

    /** @return the verifier used to reject replayed response nonces */
    public NonceVerifier getNonceVerifier() {
        return _nonceVerifier;
    }

    /**
     * Replaces the nonce verifier. The default one is in-memory, so a multi-node deployment
     * needs a verifier whose state is shared between nodes for replay detection to be effective.
     *
     * @param nonceVerifier the nonce verifier to use
     */
    @Inject
    public void setNonceVerifier(NonceVerifier nonceVerifier) {
        _nonceVerifier = nonceVerifier;
    }

    /**
     * Sets the Diffie-Hellman parameters used for new DH association sessions.
     *
     * @param dHParameterSpec the DH parameters to use
     */
    public void setDHParams(DHParameterSpec dHParameterSpec) {
        _dhParams = dHParameterSpec;
    }

    /** @return the Diffie-Hellman parameters used for DH association sessions */
    public DHParameterSpec getDHParams() {
        return _dhParams;
    }

    /**
     * Sets the maximum number of association attempts; a value of zero or less means no
     * association is attempted.
     *
     * @param i the new attempt limit
     * @throws IllegalArgumentException if the value would disable associations while stateless
     *         mode is also disabled
     */
    public void setMaxAssocAttempts(int i) {
        boolean disablesAssociations = i <= 0;
        if (disablesAssociations && !_allowStateless) {
            throw new IllegalArgumentException("Associations and stateless mode cannot be both disabled at the same time.");
        }
        _maxAssocAttempts = i;
        // Only an exact zero is reported as "disabled".
        if (i == 0) {
            _log.info("Associations disabled.");
        }
    }

    /** @return the maximum number of association attempts */
    public int getMaxAssocAttempts() {
        return _maxAssocAttempts;
    }

    /**
     * Alias for {@link #setAllowStateless(boolean)}.
     *
     * @param z {@code true} to allow stateless mode
     */
    public void allowStateless(boolean z) {
        this.setAllowStateless(z);
    }

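    /**
     * Enables or disables stateless mode (authentication without an association).
     *
     * @param z {@code true} to allow stateless mode, {@code false} to require an association
     * @throws IllegalArgumentException if stateless mode is being disabled while associations
     *         are disabled as well ({@code maxAssocAttempts <= 0})
     */
    public void setAllowStateless(boolean z) {
        // Validate the requested value rather than the current one: checking the current field
        // let a caller switch stateless mode off while associations were already disabled,
        // leaving the manager in the very state the exception message says is not permitted.
        if (!z && this._maxAssocAttempts <= 0) {
            throw new IllegalArgumentException("Associations and stateless mode cannot be both disabled at the same time.");
        }
        this._allowStateless = z;
    }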

    /** @return {@code true} if stateless mode is allowed; same value as {@link #isAllowStateless()} */
    public boolean statelessAllowed() {
        return _allowStateless;
    }

    /** @return {@code true} if authentication may proceed without an association */
    public boolean isAllowStateless() {
        return _allowStateless;
    }

    /**
     * Sets the weakest association session type this consumer will request. Session types for
     * which this minimum {@code isBetter} are skipped when association requests are created.
     *
     * @param associationSessionType the minimum acceptable session type
     */
    public void setMinAssocSessEnc(AssociationSessionType associationSessionType) {
        _minAssocSessEnc = associationSessionType;
    }

    /** @return the weakest association session type this consumer will request */
    public AssociationSessionType getMinAssocSessEnc() {
        return _minAssocSessEnc;
    }

    /**
     * Sets the preferred association session type. Its association type is also used when
     * private associations for consumer nonces are generated.
     *
     * @param associationSessionType the preferred session type
     */
    public void setPrefAssocSessEnc(AssociationSessionType associationSessionType) {
        _prefAssocSessEnc = associationSessionType;
    }

    /** @return the preferred association session type */
    public AssociationSessionType getPrefAssocSessEnc() {
        return _prefAssocSessEnc;
    }

    /**
     * Sets the lifetime of the marker stored after a failed association attempt; a value of
     * zero or less means no marker is stored.
     *
     * @param i the lifetime value passed to the failed-association marker
     */
    public void setFailedAssocExpire(int i) {
        _failedAssocExpire = i;
    }

    /** @return the lifetime used for failed-association markers */
    public int getFailedAssocExpire() {
        return _failedAssocExpire;
    }

    /** @return the number of seconds before expiry at which an association stops being reused */
    public int getPreExpiryAssocLockInterval() {
        return _preExpiryAssocLockInterval;
    }

    /**
     * Sets how long before its expiry an existing association stops being reused, so that a
     * new one is negotiated instead.
     *
     * @param i the interval in seconds
     */
    public void setPreExpiryAssocLockInterval(int i) {
        _preExpiryAssocLockInterval = i;
    }

    /**
     * Chooses whether authentication requests are created as immediate requests.
     *
     * @param z {@code true} to request immediate authentication
     */
    public void setImmediateAuth(boolean z) {
        _immediateAuth = z;
    }

    /** @return {@code true} if authentication requests are created as immediate requests */
    public boolean isImmediateAuth() {
        return _immediateAuth;
    }

    /** @return the realm verifier passed to newly created authentication requests */
    public RealmVerifier getRealmVerifier() {
        return _realmVerifier;
    }

    /**
     * Replaces the realm verifier. Unlike the constructor, this setter does not change the
     * verifier's RP-ID enforcement setting; the supplied instance is used as configured.
     *
     * @param realmVerifier the realm verifier to use
     */
    public void setRealmVerifier(RealmVerifier realmVerifier) {
        _realmVerifier = realmVerifier;
    }

    /** @return the maximum nonce age configured on the current nonce verifier */
    public int getMaxNonceAge() {
        return _nonceVerifier.getMaxAge();
    }

    /**
     * Sets the maximum nonce age on the current nonce verifier. The setting lives on the
     * verifier instance, so it is not carried over when the verifier is replaced.
     *
     * @param i the maximum nonce age
     */
    public void setMaxNonceAge(int i) {
        _nonceVerifier.setMaxAge(i);
    }

    /**
     * Runs discovery on an identifier by delegating to the configured {@link Discovery}.
     *
     * @param str the identifier to discover
     * @return the list produced by the discovery component
     * @throws DiscoveryException if discovery fails
     */
    public List discover(String str) throws DiscoveryException {
        return _discovery.discover(str);
    }

    /**
     * Replaces the store of private associations used to sign consumer nonces.
     *
     * @param consumerAssociationStore the store to use; must not be {@code null}
     * @throws ConsumerException if the store is {@code null}
     */
    public void setPrivateAssociationStore(ConsumerAssociationStore consumerAssociationStore) throws ConsumerException {
        if (null == consumerAssociationStore) {
            throw new ConsumerException("Cannot set null private association store, needed for consumer nonces.");
        }
        _privateAssociations = consumerAssociationStore;
    }

    /** @return the store of private associations used for consumer nonces */
    public ConsumerAssociationStore getPrivateAssociationStore() {
        return _privateAssociations;
    }

    /**
     * Sets the connect timeout on the HTTP fetcher's default request options.
     *
     * @param i the connect timeout value
     */
    public void setConnectTimeout(int i) {
        _httpFetcher.getDefaultRequestOptions().setConnTimeout(i);
    }

    /**
     * Sets the socket timeout on the HTTP fetcher's default request options.
     *
     * @param i the socket timeout value
     */
    public void setSocketTimeout(int i) {
        _httpFetcher.getDefaultRequestOptions().setSocketTimeout(i);
    }

    /**
     * Sets the redirect limit on the HTTP fetcher's default request options.
     *
     * @param i the maximum number of redirects
     */
    public void setMaxRedirects(int i) {
        _httpFetcher.getDefaultRequestOptions().setMaxRedirects(i);
    }

    /**
     * POSTs a message to an OP endpoint and parses the key-value response into the supplied
     * parameter list.
     *
     * <p>With debug logging enabled the whole response body is written to the log; for
     * association responses that body may carry key material, so debug logging of this class
     * should stay off in production.
     *
     * @param str the endpoint URL to post to
     * @param message the message whose parameter map is sent
     * @param parameterList receives the parsed response parameters
     * @return the HTTP status code, or -1 if the request failed with an I/O error
     * @throws MessageException if the response body cannot be parsed
     */
    private int call(String str, Message message, ParameterList parameterList) throws MessageException {
        int status = -1;
        try {
            if (DEBUG) {
                _log.debug("Performing HTTP POST on " + str);
            }
            HttpResponse response = _httpFetcher.post(str, message.getParameterMap());
            // Record the status first so the error log below can report it if later steps fail.
            status = response.getStatusCode();
            String payload = response.getBody();
            parameterList.copyOf(ParameterList.createFromKeyValueForm(payload));
            if (DEBUG) {
                _log.debug("Retrived response:\n" + payload);
            }
        } catch (IOException ioe) {
            // I/O failures are logged, not propagated; the caller sees the last known status.
            _log.error("Error talking to " + str + " response code: " + status, ioe);
        }
        return status;
    }

    /**
     * Tries to establish an association with the discovered endpoints, in list order, within
     * the configured attempt budget.
     *
     * <p>If no endpoint yields a usable association the first list entry is returned anyway,
     * so a non-null result does not imply that an association exists.
     *
     * @param list discovered endpoints ({@link DiscoveryInformation} elements)
     * @return the first endpoint with a usable stored association, otherwise the first list
     *         entry, or {@code null} if the list is empty
     */
    public DiscoveryInformation associate(List list) {
        int attemptsLeft = _maxAssocAttempts;
        for (Iterator endpoints = list.iterator(); endpoints.hasNext() && attemptsLeft > 0; ) {
            DiscoveryInformation candidate = (DiscoveryInformation) endpoints.next();
            attemptsLeft -= associate(candidate, attemptsLeft);
            Association stored = _associations.load(candidate.getOPEndpoint().toString());
            // The blank handle " " is the marker this class uses for a failed association.
            boolean usable = stored != null && !" ".equals(stored.getHandle());
            if (usable) {
                return candidate;
            }
        }
        if (list.isEmpty()) {
            _log.error("Association attempt, but no discovey endpoints provided.");
            return null;
        }
        DiscoveryInformation fallback = (DiscoveryInformation) list.get(0);
        _log.warn("Association failed; using first entry: " + fallback.getOPEndpoint());
        return fallback;
    }

    /**
     * Negotiates an association with a single OP endpoint, trying candidate session types
     * until one is accepted or the attempt budget runs out.
     *
     * @param discoveryInformation the endpoint to associate with
     * @param i the number of attempts this call may use
     * @return the number of attempts consumed; 0 when associations are disabled or a stored
     *         entry for the endpoint is reused
     */
    private int associate(DiscoveryInformation discoveryInformation, int i) {
        // Only an exact zero short-circuits here.
        if (this._maxAssocAttempts == 0) {
            return 0;
        }
        URL oPEndpoint = discoveryInformation.getOPEndpoint();
        String url = oPEndpoint.toString();
        _log.info("Trying to associate with " + url + " attempts left: " + i);
        Association load = this._associations.load(url);
        // Reuse the stored entry if it is the failed-association marker (blank handle) or if it
        // is still further from expiry than the pre-expiry lock interval (seconds -> ms).
        if (load != null && (" ".equals(load.getHandle()) || load.getExpiry().getTime() - System.currentTimeMillis() > this._preExpiryAssocLockInterval * 1000)) {
            _log.info("Found an existing association: " + load.getHandle());
            return 0;
        }
        // Stays at the blank marker unless an association response yields a handle.
        String str = " ";
        // Candidate session types in insertion order; the map is used as an ordered set.
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        if (discoveryInformation.isVersion2()) {
            linkedHashMap.put(AssociationSessionType.NO_ENCRYPTION_SHA1MAC, null);
            linkedHashMap.put(AssociationSessionType.NO_ENCRYPTION_SHA256MAC, null);
            linkedHashMap.put(AssociationSessionType.DH_SHA1, null);
            linkedHashMap.put(AssociationSessionType.DH_SHA256, null);
        } else {
            linkedHashMap.put(AssociationSessionType.NO_ENCRYPTION_COMPAT_SHA1MAC, null);
            linkedHashMap.put(AssociationSessionType.DH_COMPAT_SHA1, null);
        }
        // The preferred type is added only when its protocol version matches the endpoint's.
        if (this._prefAssocSessEnc.isVersion2() == discoveryInformation.isVersion2()) {
            linkedHashMap.put(this._prefAssocSessEnc, null);
        }
        // Requests are pushed in map order and popped in reverse, so the entries added last
        // are tried first. Types rejected by createAssociationRequest (null) are skipped.
        Stack stack = new Stack();
        Iterator it = linkedHashMap.keySet().iterator();
        while (it.hasNext()) {
            AssociationRequest createAssociationRequest = createAssociationRequest((AssociationSessionType) it.next(), oPEndpoint);
            if (createAssociationRequest != null) {
                stack.push(createAssociationRequest);
            }
        }
        int i2 = i;
        // Session types already attempted in this call.
        LinkedHashMap linkedHashMap2 = new LinkedHashMap();
        while (i2 > 0 && !stack.empty()) {
            try {
                // The attempt is counted before the type is checked, so an already-tried
                // type still consumes one attempt.
                i2--;
                AssociationRequest associationRequest = (AssociationRequest) stack.pop();
                if (DEBUG) {
                    _log.debug("Trying association type: " + associationRequest.getType());
                }
                if (!linkedHashMap2.keySet().contains(associationRequest.getType())) {
                    linkedHashMap2.put(associationRequest.getType(), null);
                    ParameterList parameterList = new ParameterList();
                    int call = call(url, associationRequest, parameterList);
                    if (call == 200) {
                        AssociationResponse createAssociationResponse = AssociationResponse.createAssociationResponse(parameterList);
                        Association association = createAssociationResponse.getAssociation(associationRequest.getDHSess());
                        // NOTE(review): the handle is recorded before the acceptance check below,
                        // so a discarded response still prevents the failed-association marker
                        // from being stored at the end of this method.
                        str = association.getHandle();
                        AssociationSessionType type = createAssociationResponse.getType();
                        // Accept when the OP answered with the requested type, or when the
                        // endpoint is not version 2, the returned type has no H algorithm and a
                        // request for that type could itself be created under the consumer's
                        // policy (createAssociationRequest returns non-null).
                        if (type.equals(associationRequest.getType()) || !(discoveryInformation.isVersion2() || type.getHAlgorithm() != null || createAssociationRequest(type, oPEndpoint) == null)) {
                            this._associations.save(url, association);
                            _log.info("Associated with " + discoveryInformation.getOPEndpoint() + " handle: " + association.getHandle());
                            break;
                        }
                        _log.info("Discarding association response, not matching consumer criteria");
                    } else if (call == 400) {
                        // The OP rejected the request; if its error names a session type that
                        // has not been tried and is acceptable to this consumer, queue it next.
                        _log.info("Association attempt failed.");
                        AssociationError createAssociationError = AssociationError.createAssociationError(parameterList);
                        AssociationSessionType create = AssociationSessionType.create(createAssociationError.getSessionType(), createAssociationError.getAssocType());
                        if (!linkedHashMap2.keySet().contains(create)) {
                            AssociationRequest createAssociationRequest2 = createAssociationRequest(create, oPEndpoint);
                            if (createAssociationRequest2 != null) {
                                if (DEBUG) {
                                    _log.debug("Retrieved association type from the association error: " + createAssociationRequest2.getType());
                                }
                                stack.push(createAssociationRequest2);
                            }
                        }
                    }
                } else if (DEBUG) {
                    _log.debug("Already tried.");
                }
            } catch (OpenIDException e) {
                // A failure on one candidate is logged and the loop moves on to the next.
                _log.error("Error encountered during association attempt.", e);
            }
        }
        // No handle was obtained: remember the failure so the endpoint is not retried until the
        // marker expires (skipped when the failed-association lifetime is not positive).
        if (" ".equals(str) && this._failedAssocExpire > 0) {
            this._associations.save(url, Association.getFailedAssociation(this._failedAssocExpire));
        }
        return i - i2;
    }

    /**
     * Builds an association request for the given session type if the consumer's policy and
     * the runtime allow it.
     *
     * <p>A session type is refused when the configured minimum {@code isBetter} than it. Types
     * with an H algorithm get a Diffie-Hellman session; types without one are only requested
     * when the endpoint URL uses the HTTPS scheme, so the MAC key is not requested over an
     * unprotected channel.
     *
     * @param associationSessionType the session type to request
     * @param url the OP endpoint the request is meant for
     * @return the request, or {@code null} if the type is not acceptable, not supported, or
     *         creating the request failed
     */
    private AssociationRequest createAssociationRequest(AssociationSessionType associationSessionType, URL url) {
        try {
            // Policy gate: weaker than the configured minimum, so not requested at all.
            if (_minAssocSessEnc.isBetter(associationSessionType)) {
                return null;
            }

            AssociationRequest request = null;
            boolean hasHAlgorithm = associationSessionType.getHAlgorithm() != null;
            if (hasHAlgorithm) {
                DiffieHellmanSession dhSession = DiffieHellmanSession.create(associationSessionType, _dhParams);
                if (DiffieHellmanSession.isDhSupported(associationSessionType)
                        && Association.isHmacSupported(associationSessionType.getAssociationType())) {
                    request = AssociationRequest.createAssociationRequest(associationSessionType, dhSession);
                }
            } else if (url.getProtocol().equals(URIUtil.HTTPS)
                    && Association.isHmacSupported(associationSessionType.getAssociationType())) {
                request = AssociationRequest.createAssociationRequest(associationSessionType);
            }

            if (request == null) {
                _log.warn("Could not create association of type: " + associationSessionType);
            }
            return request;
        } catch (OpenIDException ex) {
            _log.error("Error trying to create association request.", ex);
            return null;
        }
    }

    /**
     * Builds an authentication request for the given discoveries, using the return_to URL as
     * the realm as well.
     *
     * @param list discovered endpoints
     * @param str the return_to URL, also used as the realm
     * @return the authentication request
     * @throws ConsumerException if authentication cannot proceed
     * @throws MessageException if the request cannot be built
     */
    public AuthRequest authenticate(List list, String str) throws ConsumerException, MessageException {
        return this.authenticate(list, str, str);
    }

    /**
     * Associates with one of the discovered endpoints and builds an authentication request
     * for it.
     *
     * @param list discovered endpoints
     * @param str the return_to URL
     * @param str2 the realm
     * @return the authentication request
     * @throws ConsumerException if authentication cannot proceed (for example, an empty list)
     * @throws MessageException if the request cannot be built
     */
    public AuthRequest authenticate(List list, String str, String str2) throws ConsumerException, MessageException {
        DiscoveryInformation chosen = associate(list);
        return authenticate(chosen, str, str2);
    }

    /**
     * Builds an authentication request for one endpoint, using the return_to URL as the realm
     * as well.
     *
     * @param discoveryInformation the endpoint to authenticate against
     * @param str the return_to URL, also used as the realm
     * @return the authentication request
     * @throws MessageException if the request cannot be built
     * @throws ConsumerException if authentication cannot proceed
     */
    public AuthRequest authenticate(DiscoveryInformation discoveryInformation, String str) throws MessageException, ConsumerException {
        return this.authenticate(discoveryInformation, str, str);
    }

    /**
     * Builds an authentication request for one endpoint, associating with it first if no
     * association is stored.
     *
     * <p>For endpoints that are not version 2 a signed consumer nonce is appended to the
     * return_to URL. NOTE(review): {@code insertConsumerNonce} returns {@code null} on failure
     * and that value is passed on unchanged; confirm that {@code createAuthRequest} rejects a
     * null return_to.
     *
     * @param discoveryInformation the endpoint to authenticate against
     * @param str the return_to URL
     * @param str2 the realm
     * @return the authentication request, with the OP endpoint set
     * @throws MessageException if the request cannot be built
     * @throws ConsumerException if no discovery information is given, or no association is
     *         available while stateless mode is disabled
     */
    public AuthRequest authenticate(DiscoveryInformation discoveryInformation, String str, String str2) throws MessageException, ConsumerException {
        if (discoveryInformation == null) {
            throw new ConsumerException("Authentication cannot continue: no discovery information provided.");
        }

        Association assoc = _associations.load(discoveryInformation.getOPEndpoint().toString());
        if (assoc == null) {
            associate(discoveryInformation, _maxAssocAttempts);
            assoc = _associations.load(discoveryInformation.getOPEndpoint().toString());
        }
        // The blank handle stands for "no association": the request is then stateless.
        String handle;
        if (assoc != null) {
            handle = assoc.getHandle();
        } else {
            handle = " ";
        }

        // Without a claimed identifier the OP is asked to select one.
        String claimedId = AuthRequest.SELECT_ID;
        String opLocalId = AuthRequest.SELECT_ID;
        if (discoveryInformation.hasClaimedIdentifier()) {
            claimedId = discoveryInformation.getClaimedIdentifier().getIdentifier();
            opLocalId = discoveryInformation.hasDelegateIdentifier()
                    ? discoveryInformation.getDelegateIdentifier()
                    : claimedId;
        }

        if (!_allowStateless && " ".equals(handle)) {
            throw new ConsumerException("Authentication cannot be performed: no association available and stateless mode is disabled");
        }
        _log.info("Creating authentication request for OP-endpoint: " + discoveryInformation.getOPEndpoint() + " claimedID: " + claimedId + " OP-specific ID: " + opLocalId);

        if (!discoveryInformation.isVersion2()) {
            str = insertConsumerNonce(discoveryInformation.getOPEndpoint().toString(), str);
        }
        AuthRequest request = AuthRequest.createAuthRequest(claimedId, opLocalId, !discoveryInformation.isVersion2(), str, handle, str2, _realmVerifier);
        request.setOPEndpoint(discoveryInformation.getOPEndpoint());
        // The immediate flag is applied only when a concrete identifier is requested.
        if (!AuthRequest.SELECT_ID.equals(claimedId)) {
            request.setImmediate(_immediateAuth);
        }
        return request;
    }

    /**
     * Verifies an authentication response received at the return_to URL.
     *
     * <p>Cancel and immediate-failure responses are returned as such. A positive assertion is
     * validated and then checked in this order: return_to URL, discovered information, nonce,
     * signature. The first failing check ends verification with a status message on the
     * result; signature verification is delegated to {@code verifySignature}, defined outside
     * this view.
     *
     * @param str the URL at which the response was actually received
     * @param parameterList the response parameters
     * @param discoveryInformation the discovery information the request was built from; may
     *        be {@code null}
     * @return the verification result
     * @throws MessageException if the response is malformed
     * @throws DiscoveryException if discovery performed during verification fails
     * @throws AssociationException declared by the signature verification step
     */
    public VerificationResult verify(String str, ParameterList parameterList, DiscoveryInformation discoveryInformation) throws MessageException, DiscoveryException, AssociationException {
        VerificationResult outcome = new VerificationResult();
        _log.info("Verifying authentication response...");

        // Negative assertion: the user cancelled at the OP.
        if (Message.MODE_CANCEL.equals(parameterList.getParameterValue("openid.mode"))) {
            outcome.setAuthResponse(AuthFailure.createAuthFailure(parameterList));
            _log.info("Received auth failure.");
            return outcome;
        }

        // Immediate request that needs user interaction.
        boolean immediateFailure = Message.MODE_SETUP_NEEDED.equals(parameterList.getParameterValue("openid.mode"))
                || (Message.MODE_IDRES.equals(parameterList.getParameterValue("openid.mode"))
                        && parameterList.hasParameter("openid.user_setup_url"));
        if (immediateFailure) {
            AuthImmediateFailure failure = AuthImmediateFailure.createAuthImmediateFailure(parameterList);
            outcome.setAuthResponse(failure);
            outcome.setOPSetupUrl(failure.getUserSetupUrl());
            _log.info("Received auth immediate failure.");
            return outcome;
        }

        AuthSuccess assertion = AuthSuccess.createAuthSuccess(parameterList);
        _log.info("Received positive auth response.");
        assertion.validate();
        outcome.setAuthResponse(assertion);

        if (!verifyReturnTo(str, assertion)) {
            outcome.setStatusMsg("Return_To URL verification failed.");
            _log.error("Return_To URL verification failed.");
            return outcome;
        }

        DiscoveryInformation verified = verifyDiscovered(assertion, discoveryInformation);
        if (verified == null || !verified.hasClaimedIdentifier()) {
            outcome.setStatusMsg("Discovered information verification failed.");
            _log.error("Discovered information verification failed.");
            return outcome;
        }

        if (!verifyNonce(assertion, verified)) {
            outcome.setStatusMsg("Nonce verification failed.");
            _log.error("Nonce verification failed.");
            return outcome;
        }
        return verifySignature(assertion, verified, outcome);
    }

    /**
     * Checks that the URL at which the response was received matches the return_to value
     * carried in the assertion.
     *
     * <p>Scheme and authority must be equal as strings and the paths must be equal up to a
     * trailing slash. Every query parameter of the asserted return_to must be present in the
     * receiving URL with the same number of values; extra parameters on the receiving URL are
     * permitted. With debug logging enabled both URLs are written to the log in full.
     *
     * @param str the URL at which the response was received
     * @param authSuccess the positive assertion
     * @return {@code true} if the receiving URL matches, {@code false} on any mismatch or if
     *         either URL cannot be parsed
     */
    public boolean verifyReturnTo(String str, AuthSuccess authSuccess) {
        if (DEBUG) {
            _log.debug("Verifying return URL; receiving: " + str + "\nmessage: " + authSuccess.getReturnTo());
        }
        try {
            URL received = new URL(str);
            URL asserted = new URL(authSuccess.getReturnTo());

            // Compare paths with a trailing slash added to non-empty ones.
            String receivedPath = received.getPath();
            if (receivedPath.length() > 0 && !receivedPath.endsWith("/")) {
                receivedPath = receivedPath + '/';
            }
            String assertedPath = asserted.getPath();
            if (assertedPath.length() > 0 && !assertedPath.endsWith("/")) {
                assertedPath = assertedPath + '/';
            }

            boolean sameLocation = received.getProtocol().equals(asserted.getProtocol())
                    && received.getAuthority().equals(asserted.getAuthority())
                    && receivedPath.equals(assertedPath);
            if (!sameLocation) {
                if (DEBUG) {
                    _log.debug("Return URL schema, authority or path verification failed.");
                }
                return false;
            }

            Map assertedParams = extractQueryParams(asserted);
            Map receivedParams = extractQueryParams(received);
            if (assertedParams == null) {
                // Nothing asserted in the query, so there is nothing further to match.
                return true;
            }
            if (receivedParams == null) {
                if (DEBUG) {
                    _log.debug("Return URL query parameters verification failed.");
                }
                return false;
            }
            for (Object name : assertedParams.keySet()) {
                List receivedValues = (List) receivedParams.get(name);
                List assertedValues = (List) assertedParams.get(name);
                boolean matches = receivedValues != null
                        && receivedValues.size() == assertedValues.size()
                        && receivedValues.containsAll(assertedValues);
                if (!matches) {
                    if (DEBUG) {
                        _log.debug("Return URL query parameters verification failed.");
                    }
                    return false;
                }
            }
            return true;
        } catch (UnsupportedEncodingException encodingError) {
            _log.error("Error verifying return URL query parameters.", encodingError);
            return false;
        } catch (MalformedURLException urlError) {
            _log.error("Invalid return URL.", urlError);
            return false;
        }
    }

    /**
     * Parses the query string of a URL into a map from decoded parameter name to the list of
     * its decoded values, in order of appearance.
     *
     * <p>A parameter without {@code '='} is stored with a {@code null} value; a parameter with
     * an empty value is stored as the empty string.
     *
     * @param url the URL whose query is parsed
     * @return the parameter map, or {@code null} if the URL has no query
     * @throws UnsupportedEncodingException if UTF-8 decoding is not available
     */
    public Map extractQueryParams(URL url) throws UnsupportedEncodingException {
        String query = url.getQuery();
        if (query == null) {
            return null;
        }
        Map<String, List<String>> params = new HashMap<String, List<String>>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name;
            String value;
            if (eq < 0) {
                // Bare name: no value at all.
                name = URLDecoder.decode(pair, "UTF-8");
                value = null;
            } else {
                name = URLDecoder.decode(pair.substring(0, eq), "UTF-8");
                value = URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            }
            List<String> values = params.get(name);
            if (values == null) {
                values = new ArrayList<String>();
                params.put(name, values);
            }
            values.add(value);
        }
        return params;
    }

    /**
     * Checks the response nonce against the nonce verifier for the OP endpoint.
     *
     * <p>If the assertion carries no nonce of its own, the consumer nonce embedded in the
     * return_to URL is used instead.
     *
     * @param authSuccess the positive assertion
     * @param discoveryInformation the verified discovery information for the assertion
     * @return {@code true} only if a nonce is present and the verifier's {@code seen} call
     *         returns 0 for it
     */
    public boolean verifyNonce(AuthSuccess authSuccess, DiscoveryInformation discoveryInformation) {
        String nonce = authSuccess.getNonce();
        if (nonce == null) {
            nonce = extractConsumerNonce(authSuccess.getReturnTo(), discoveryInformation.getOPEndpoint().toString());
        }
        if (nonce == null) {
            return false;
        }
        return 0 == _nonceVerifier.seen(discoveryInformation.getOPEndpoint().toString(), nonce);
    }

    /**
     * Appends a consumer nonce and its signature to a return_to URL.
     *
     * <p>The nonce is signed with the private association stored for the OP endpoint; one is
     * generated and saved if none exists. The nonce is logged at info level and the complete
     * signed return_to at debug level.
     *
     * @param str the OP endpoint URL, used as the key of the private association
     * @param str2 the return_to URL to extend
     * @return the return_to URL with {@code openid.rpnonce} and {@code openid.rpsig} appended,
     *         or {@code null} if the private association cannot be created or signing fails
     */
    public String insertConsumerNonce(String str, String str2) {
        String nonce = _consumerNonceGenerator.next();
        char separator = str2.indexOf('?') != -1 ? '&' : '?';
        String prefix = str2 + separator;

        Association signer = _privateAssociations.load(str);
        if (signer == null) {
            try {
                if (DEBUG) {
                    _log.debug("Creating private association for opUrl " + str);
                }
                signer = Association.generate(getPrefAssocSessEnc().getAssociationType(), "", _failedAssocExpire);
                _privateAssociations.save(str, signer);
            } catch (AssociationException assocError) {
                _log.error("Cannot initialize private association.", assocError);
                return null;
            }
        }

        try {
            // The signature covers everything up to and including the nonce parameter.
            String signedPart = prefix + "openid.rpnonce=" + URLEncoder.encode(nonce, "UTF-8");
            String result = signedPart + "&openid.rpsig=" + URLEncoder.encode(signer.sign(signedPart), "UTF-8");
            _log.info("Inserted consumer nonce: " + nonce);
            if (DEBUG) {
                _log.debug("return_to:" + result);
            }
            return result;
        } catch (Exception failure) {
            _log.error("Error inserting consumre nonce.", failure);
            return null;
        }
    }

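    /**
     * Extracts the consumer nonce from a return_to URL after verifying the RP signature that
     * {@code insertConsumerNonce} appended to it.
     *
     * <p>The signature covers the URL text up to the first {@code "&openid.rpsig="}. The nonce
     * is read only from that signed prefix, so an {@code openid.rpnonce} parameter placed
     * after the signature is never returned as if it had been verified. A return_to without a
     * query string, or one in which the signature is not preceded by signed text, is rejected
     * with {@code null} instead of failing with a runtime exception.
     *
     * @param str the return_to URL taken from the response
     * @param str2 the OP endpoint URL, used as the key of the private association
     * @return the verified consumer nonce, or {@code null} if it is missing, malformed or its
     *         signature does not verify
     */
    public String extractConsumerNonce(String str, String str2) {
        if (DEBUG) {
            _log.debug("Extracting consumer nonce...");
        }
        try {
            // Locate the signature parameter; a URL without a query simply has none.
            String signature = null;
            String query = new URL(str).getQuery();
            if (query != null) {
                for (String pair : query.split("&")) {
                    String[] kv = pair.split("=", 2);
                    if (kv.length == 2 && "openid.rpsig".equals(kv[0])) {
                        signature = URLDecoder.decode(kv[1], "UTF-8");
                        if (DEBUG) {
                            _log.debug("Extracted consumer nonce signature: " + signature);
                        }
                    }
                }
            }
            if (signature == null) {
                _log.error("Null consumer nonce signature.");
                return null;
            }

            // The signed text is everything before the signature parameter.
            int signatureStart = str.indexOf("&openid.rpsig=");
            if (signatureStart < 0) {
                _log.error("Consumer nonce signature is not preceded by signed text.");
                return null;
            }
            String signedText = str.substring(0, signatureStart);
            if (DEBUG) {
                _log.debug("Consumer signed text:\n" + signedText);
            }

            // Read the nonce from the signed prefix only, so the value returned is the one the
            // signature actually covers.
            String nonce = null;
            String signedQuery = new URL(signedText).getQuery();
            if (signedQuery != null) {
                for (String pair : signedQuery.split("&")) {
                    String[] kv = pair.split("=", 2);
                    if (kv.length == 2 && "openid.rpnonce".equals(kv[0])) {
                        nonce = URLDecoder.decode(kv[1], "UTF-8");
                        if (DEBUG) {
                            _log.debug("Extracted consumer nonce: " + nonce);
                        }
                    }
                }
            }

            if (DEBUG) {
                _log.debug("Loading private association for opUrl " + str2);
            }
            Association privateAssoc = this._privateAssociations.load(str2);
            if (privateAssoc == null) {
                _log.error("Null private association.");
                return null;
            }
            if (privateAssoc.verifySignature(signedText, signature)) {
                _log.info("Consumer nonce signature verified.");
                return nonce;
            }
            _log.error("Consumer nonce signature failed.");
            return null;
        } catch (UnsupportedEncodingException e) {
            _log.error("Error extracting consumer nonce / signarure.", e);
            return null;
        } catch (MalformedURLException e3) {
            _log.error("Invalid return_to: " + str, e3);
            return null;
        } catch (AssociationException e2) {
            _log.error("Error verifying consumer nonce signature.", e2);
            return null;
        }
    }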

    /**
     * Verifies the identifier in the assertion against discovered information, dispatching on
     * the protocol version of the assertion.
     *
     * @param authSuccess the positive assertion
     * @param discoveryInformation previously discovered information; may be {@code null}
     * @return the verified discovery information, or {@code null} if the assertion is not
     *         about an identifier or verification fails
     * @throws DiscoveryException if discovery performed during verification fails
     */
    private DiscoveryInformation verifyDiscovered(AuthSuccess authSuccess, DiscoveryInformation discoveryInformation) throws DiscoveryException {
        if (authSuccess == null || authSuccess.getIdentity() == null) {
            _log.info("Assertion is not about an identifier");
            return null;
        }
        if (authSuccess.isVersion2()) {
            return verifyDiscovered2(authSuccess, discoveryInformation);
        }
        return verifyDiscovered1(authSuccess, discoveryInformation);
    }

    /**
     * Verifies the identifier of a version 1 assertion against discovered information.
     *
     * <p>If the supplied discovery information is for version 1 and its delegate (or claimed)
     * identifier equals the asserted identity, it is returned unchanged. Otherwise discovery
     * is performed again on the asserted identity, and only version 1 entries without a
     * delegate whose claimed identifier equals that identity are accepted; an entry for which
     * an association with the asserted handle is stored is preferred over the first match.
     *
     * @param authSuccess the positive assertion
     * @param discoveryInformation previously discovered information; may be {@code null}
     * @return the matching discovery information, or {@code null} if none matches
     * @throws DiscoveryException if discovery on the asserted identity fails
     */
    private DiscoveryInformation verifyDiscovered1(AuthSuccess authSuccess, DiscoveryInformation discoveryInformation) throws DiscoveryException {
        boolean usableAssertion = authSuccess != null && !authSuccess.isVersion2() && authSuccess.getIdentity() != null;
        if (!usableAssertion) {
            // The message is emitted at error level, but only when debug logging is enabled.
            if (DEBUG) {
                _log.error("Invalid authentication response: cannot verify v1 discovered information");
            }
            return null;
        }

        String assertedId = authSuccess.getIdentity();
        if (discoveryInformation != null && !discoveryInformation.isVersion2() && discoveryInformation.getClaimedIdentifier() != null) {
            if (DEBUG) {
                _log.debug("Verifying discovered information for OpenID1 assertion about ClaimedID: " + discoveryInformation.getClaimedIdentifier().getIdentifier());
            }
            String expectedId;
            if (discoveryInformation.hasDelegateIdentifier()) {
                expectedId = discoveryInformation.getDelegateIdentifier();
            } else {
                expectedId = discoveryInformation.getClaimedIdentifier().getIdentifier();
            }
            if (assertedId.equals(expectedId)) {
                return discoveryInformation;
            }
        }

        // No usable prior discovery: discover the asserted identity afresh.
        _log.info("Proceeding with stateless mode / bare response verification...");
        if (DEBUG) {
            _log.debug("Performing discovery on the ClaimedID in the assertion: " + assertedId);
        }
        DiscoveryInformation firstMatch = null;
        for (Object entry : _discovery.discover(assertedId)) {
            DiscoveryInformation candidate = (DiscoveryInformation) entry;
            boolean matches = !candidate.isVersion2()
                    && candidate.hasClaimedIdentifier()
                    && !candidate.hasDelegateIdentifier()
                    && assertedId.equals(candidate.getClaimedIdentifier().getIdentifier());
            if (!matches) {
                continue;
            }
            if (DEBUG) {
                _log.debug("Found matching service: " + candidate);
            }
            if (firstMatch == null) {
                firstMatch = candidate;
            }
            if (_associations.load(candidate.getOPEndpoint().toString(), authSuccess.getHandle()) != null) {
                if (DEBUG) {
                    _log.debug("Found existing association for  " + candidate + " Not looking for another service endpoint.");
                }
                return candidate;
            }
        }
        if (firstMatch == null) {
            _log.error("No service element found to match the identifier in the assertion.");
        }
        return firstMatch;
    }

    /**
     * Matches an OpenID 2 positive assertion against discovered information.
     *
     * <p>The previously discovered information is accepted only when its claimed identifier equals
     * the one parsed from the assertion, its delegate (or claimed identifier string) equals the
     * asserted identity, it is version 2, and its OP endpoint equals the endpoint named in the
     * assertion. Otherwise discovery is run on the claimed identifier from the assertion and the
     * same identity / version / endpoint comparison is applied to each service whose version is
     * not {@code OPENID2_OP}. A service with a stored association for the assertion's handle is
     * returned immediately; failing that, the first matching service is returned.
     *
     * @param authSuccess the positive assertion to check
     * @param discoveryInformation information discovered earlier, may be {@code null}
     * @return the matching discovery information, or {@code null} when the assertion is unusable
     *         or no service matches; NOTE(review): callers presumably treat {@code null} as a
     *         failed verification, confirm at the call site
     * @throws DiscoveryException declared by this method; presumably raised while parsing the
     *         claimed identifier or during the discovery lookup
     */
    private DiscoveryInformation verifyDiscovered2(AuthSuccess authSuccess, DiscoveryInformation discoveryInformation) throws DiscoveryException {
        boolean usableAssertion = authSuccess != null
                && authSuccess.isVersion2()
                && authSuccess.getIdentity() != null
                && authSuccess.getClaimed() != null;
        if (!usableAssertion) {
            if (DEBUG) {
                _log.debug("Discovered information doesn't match auth response / version");
            }
            return null;
        }
        String assertedIdentity = authSuccess.getIdentity();
        Identifier assertedClaimedId = this._discovery.parseIdentifier(authSuccess.getClaimed(), true);
        String assertedEndpoint = authSuccess.getOpEndpoint();
        if (DEBUG) {
            _log.debug("Verifying discovered information for OpenID2 assertion about ClaimedID: " + assertedClaimedId.getIdentifier());
        }

        boolean sameClaimedId = discoveryInformation != null
                && discoveryInformation.hasClaimedIdentifier()
                && discoveryInformation.getClaimedIdentifier().equals(assertedClaimedId);
        if (sameClaimedId) {
            String localId;
            if (discoveryInformation.hasDelegateIdentifier()) {
                localId = discoveryInformation.getDelegateIdentifier();
            } else {
                localId = discoveryInformation.getClaimedIdentifier().getIdentifier();
            }
            // Identity, protocol version and OP endpoint must all agree with the assertion.
            if (localId.equals(assertedIdentity)
                    && discoveryInformation.isVersion2()
                    && discoveryInformation.getOPEndpoint().toString().equals(assertedEndpoint)) {
                if (DEBUG) {
                    _log.debug("ClaimedID in the assertion was previously discovered: " + assertedClaimedId);
                }
                return discoveryInformation;
            }
        }

        DiscoveryInformation firstMatch = null;
        if (DEBUG) {
            _log.debug("Performing discovery on the ClaimedID in the assertion: " + assertedClaimedId);
        }
        List<DiscoveryInformation> services = this._discovery.discover(assertedClaimedId);
        if (DEBUG) {
            _log.debug("Looking for a service element to match the ClaimedID and OP endpoint in the assertion...");
        }
        for (DiscoveryInformation candidate : services) {
            if (DiscoveryInformation.OPENID2_OP.equals(candidate.getVersion())) {
                continue;
            }
            String localId;
            if (candidate.hasDelegateIdentifier()) {
                localId = candidate.getDelegateIdentifier();
            } else {
                localId = candidate.getClaimedIdentifier().getIdentifier();
            }
            boolean matches = localId.equals(assertedIdentity)
                    && candidate.isVersion2()
                    && candidate.getOPEndpoint().toString().equals(assertedEndpoint);
            if (!matches) {
                continue;
            }
            if (firstMatch == null) {
                if (DEBUG) {
                    _log.debug("Found matching service: " + candidate);
                }
                firstMatch = candidate;
            }
            // A stored association for this endpoint and handle ends the search early.
            String endpoint = candidate.getOPEndpoint().toString();
            if (this._associations.load(endpoint, authSuccess.getHandle()) != null) {
                if (DEBUG) {
                    _log.debug("Found existing association, not looking for another service endpoint.");
                }
                return candidate;
            }
        }
        if (firstMatch == null) {
            _log.error("No service element found to match the ClaimedID / OP-endpoint in the assertion.");
        }
        return firstMatch;
    }

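    /**
     * Verifies the signature on a positive assertion and records the outcome in the result.
     *
     * <p>When an association is stored for the OP endpoint and the assertion's handle, the
     * signature is checked locally against it. Otherwise a verification request is sent to the OP
     * endpoint and the OP's answer decides. The verified identifier is set on the result only
     * after one of these checks succeeds; on every failure path it is left untouched and a status
     * message is recorded, so a caller can tell the two apart via {@code getVerifiedId()}.
     *
     * @param authSuccess the positive assertion whose signature is checked
     * @param discoveryInformation the discovered service the assertion was matched to
     * @param verificationResult the result object to update; returned to the caller
     * @return {@code verificationResult}, updated with the verified identifier or a status message
     * @throws AssociationException declared by this method; presumably raised by the local
     *         signature check
     * @throws MessageException declared by this method; presumably raised when the OP's
     *         verification response is built or validated
     * @throws DiscoveryException declared by this method; presumably raised while parsing the
     *         claimed identifier
     */
    private VerificationResult verifySignature(AuthSuccess authSuccess, DiscoveryInformation discoveryInformation, VerificationResult verificationResult) throws AssociationException, MessageException, DiscoveryException {
        if (discoveryInformation == null || authSuccess == null) {
            _log.error("Can't verify signature: null assertion or discovered information.");
            verificationResult.setStatusMsg("Can't verify signature: null assertion or discovered information.");
            return verificationResult;
        }
        // For version 2 the claimed identifier comes from the assertion, otherwise from discovery.
        Identifier claimedId = discoveryInformation.isVersion2()
                ? this._discovery.parseIdentifier(authSuccess.getClaimed())
                : discoveryInformation.getClaimedIdentifier();
        String handle = authSuccess.getHandle();
        URL opEndpoint = discoveryInformation.getOPEndpoint();
        Association association = this._associations.load(opEndpoint.toString(), handle);
        if (association != null) {
            _log.info("Found association: " + association.getHandle() + " verifying signature locally...");
            if (association.verifySignature(authSuccess.getSignedText(), authSuccess.getSignature())) {
                verificationResult.setVerifiedId(claimedId);
                if (DEBUG) {
                    _log.debug("Local signature verification succeeded.");
                }
            } else {
                if (DEBUG) {
                    _log.debug("Local signature verification failed.");
                }
                // Record the reason regardless of the debug flag: the message used to be set only
                // when DEBUG was on, which left the failure log below reporting "reason: null".
                verificationResult.setStatusMsg("Local signature verification failed");
            }
        } else {
            _log.info("No association found, contacting the OP for direct verification...");
            VerifyRequest verifyRequest = VerifyRequest.createVerifyRequest(authSuccess);
            ParameterList responseParams = new ParameterList();
            if (200 == call(opEndpoint.toString(), verifyRequest, responseParams)) {
                VerifyResponse verifyResponse = VerifyResponse.createVerifyResponse(responseParams);
                verifyResponse.validate();
                if (verifyResponse.isSignatureVerified()) {
                    // Drop the association the OP names in its response before accepting the id.
                    String invalidateHandle = verifyResponse.getInvalidateHandle();
                    if (invalidateHandle != null) {
                        this._associations.remove(opEndpoint.toString(), invalidateHandle);
                    }
                    verificationResult.setVerifiedId(claimedId);
                    if (DEBUG) {
                        _log.debug("Direct signature verification succeeded with OP: " + opEndpoint);
                    }
                } else {
                    if (DEBUG) {
                        _log.debug("Direct signature verification failed with OP: " + opEndpoint);
                    }
                    verificationResult.setStatusMsg("Direct signature verification failed.");
                }
            } else {
                // Any status other than 200 is treated as a direct error from the OP.
                DirectError directError = DirectError.createDirectError(responseParams);
                if (DEBUG) {
                    _log.debug("Error verifying signature with the OP: " + opEndpoint + " error message: " + directError.keyValueFormEncoding());
                }
                verificationResult.setStatusMsg("Error verifying signature with the OP: " + directError.getErrorMsg());
            }
        }
        Identifier verifiedId = verificationResult.getVerifiedId();
        if (verifiedId != null) {
            _log.info("Verification succeeded for: " + verifiedId);
        } else {
            // NOTE(review): getClaimed() is taken from an assertion that just failed verification;
            // if these logs are parsed line by line, consider neutralising line breaks in it.
            _log.error("Verification failed for: " + authSuccess.getClaimed() + " reason: " + verificationResult.getStatusMsg());
        }
        return verificationResult;
    }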

    /**
     * Exposes the HTTP fetcher held by this instance to package-level callers.
     *
     * @return the value of the {@code _httpFetcher} field
     */
    HttpFetcher getHttpFetcher() {
        return _httpFetcher;
    }
}
