package org.elasticsearch.xpack.idp.saml.support;

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import org.elasticsearch.xpack.core.security.support.RestorableContextClassLoader;
import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.Signer;
import org.opensaml.xmlsec.signature.support.SignerProvider;
import org.w3c.dom.Element;

/* loaded from: input_file:org/elasticsearch/xpack/idp/saml/support/SamlObjectSigner.class */
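/**
 * Attaches an XML signature to SAML objects, using the signing credential supplied by a
 * {@link SamlIdentityProvider}.
 *
 * <p>The signature algorithm (RSA with SHA-256) and the canonicalization algorithm (exclusive
 * XML canonicalization) are fixed in {@link #sign(SignableXMLObject)}; they are not read from
 * configuration in this class.
 */
public class SamlObjectSigner {
    private final SamlIdentityProvider idp;
    private final SamlFactory samlFactory;

    /**
     * Creates a signer bound to one identity provider.
     *
     * @param samlFactory factory used to build the {@link Signature} object and to turn the
     *     signed object into a DOM element
     * @param samlIdentityProvider identity provider whose signing credential is used
     */
    public SamlObjectSigner(SamlFactory samlFactory, SamlIdentityProvider samlIdentityProvider) {
        // NOTE(review): presumably bootstraps the OpenSAML library before any object is built;
        // confirm in SamlInit.
        SamlInit.initialize();
        this.idp = samlIdentityProvider;
        this.samlFactory = samlFactory;
    }

    /**
     * Signs the given SAML object and returns its DOM representation.
     *
     * <p>The DOM element is produced by {@code samlFactory.toDomElement} before
     * {@link Signer#signObject(Signature)} runs, and that same element is returned afterwards.
     * NOTE(review): this relies on the signer filling in the signature of the already
     * marshalled DOM; confirm against the OpenSAML version in use.
     *
     * @param signableXMLObject the object to sign; its signature is replaced by the one built here
     * @return the DOM element obtained from {@code samlFactory.toDomElement(signableXMLObject)}
     * @throws SecurityException if signing fails, or if the privileged block fails with a checked
     *     exception (for example while swapping or restoring the context class loader)
     */
    public Element sign(SignableXMLObject signableXMLObject) {
        final Signature signature = this.samlFactory.buildObject(Signature.class, Signature.DEFAULT_ELEMENT_NAME);
        signature.setSigningCredential(this.idp.getSigningCredential());
        // RSA-SHA256 is hard-coded, so the identity provider's signing credential is assumed to
        // hold an RSA key. TODO confirm this is enforced where the credential is loaded.
        signature.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        // Exclusive canonicalization, the variant without comments.
        signature.setCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
        signableXMLObject.setSignature(signature);
        // The signature must be attached before the object is converted to DOM, and the
        // conversion happens before the signing call below.
        final Element domElement = this.samlFactory.toDomElement(signableXMLObject);
        try {
            // The explicit cast selects the PrivilegedExceptionAction overload of doPrivileged,
            // which is the one that reports checked failures as PrivilegedActionException.
            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
                // try-with-resources closes the RestorableContextClassLoader on every path, so
                // the thread's context class loader is also restored when signing throws. The
                // previous form called close() only after a successful signObject().
                try (RestorableContextClassLoader ignored = new RestorableContextClassLoader(SignerProvider.class)) {
                    Signer.signObject(signature);
                    return null;
                } catch (SignatureException e) {
                    // NOTE(review): the message embeds signableXMLObject.toString(); confirm this
                    // does not put assertion contents into logs.
                    throw new SecurityException("failed to sign SAML object " + signableXMLObject, e);
                }
            });
            return domElement;
        } catch (PrivilegedActionException e) {
            throw new SecurityException("failed to sign SAML object " + signableXMLObject, e);
        }
    }
}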
