package org.apache.wss4j.dom.str;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.BinarySecurity;
import org.apache.wss4j.dom.message.token.DerivedKeyToken;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.processor.Processor;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.str.STRParser;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-090.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-dom-2.0.3.jar:org/apache/wss4j/dom/str/SignatureSTRParser.class */
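public class SignatureSTRParser implements STRParser {
    /**
     * Key in the {@code parameters} map under which the caller supplies the signature
     * algorithm URI. It is read only when a referenced DerivedKeyToken carries no
     * explicit key length (see {@link #processPreviousResult}).
     */
    public static final String SIGNATURE_METHOD = "signature_method";

    /*
     * Action codes compared against the "action" entry of a previously processed
     * WSSecurityEngineResult. The decompiler inlined the integer literals; the names
     * are the reviewer's reading of the matching WSConstants values - confirm against
     * the WSConstants class shipped with this wss4j version before relying on them.
     */
    private static final int ACTION_UT = 1;
    private static final int ACTION_ENCR = 4;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_SCT = 1024;
    private static final int ACTION_DKT = 2048;
    private static final int ACTION_BST = 4096;
    private static final int ACTION_UT_NOPASSWORD = 8192;

    // KeyIdentifier ValueType URIs this parser distinguishes (WS-Security 1.1 / SAML token profiles).
    private static final String THUMBPRINT_SHA1 =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";
    private static final String ENCRYPTED_KEY_SHA1 =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1";
    private static final String SAML10_ASSERTION_ID =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    private static final String SAML11_ID =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";

    /**
     * Usage code handed to WSPasswordCallback when asking the CallbackHandler for a
     * secret key. The decompiler inlined the literal; presumably WSPasswordCallback.SECRET_KEY - verify.
     */
    private static final int SECRET_KEY_CALLBACK_USAGE = 9;

    // Results of the most recent parseSecurityTokenReference() call; all start out null/false.
    private X509Certificate[] certs;
    private byte[] secretKey;
    private PublicKey publicKey;
    private Principal principal;
    private boolean trustedCredential;
    private STRParser.REFERENCE_TYPE referenceType;

    /**
     * Resolves a wsse:SecurityTokenReference found in a signature's KeyInfo to the
     * credential it points at, populating the certificate / secret key / public key /
     * principal fields exposed by the getters.
     *
     * Resolution order:
     * <ol>
     *   <li>a token the engine has already processed (looked up by URI or KeyIdentifier
     *       value in {@code wSDocInfo}) is reused via {@link #processPreviousResult};</li>
     *   <li>otherwise a direct Reference is resolved by asking the CallbackHandler for a
     *       secret key, then by processing the referenced element (BinarySecurityToken,
     *       SAML assertion or EncryptedKey);</li>
     *   <li>otherwise X509Data / X509IssuerSerial is resolved through the signature
     *       verification Crypto;</li>
     *   <li>otherwise a KeyIdentifier is handled by value type (EncryptedKeySHA1, SAML id,
     *       or the BST key-identifier path).</li>
     * </ol>
     * Any other STR shape is rejected with INVALID_SECURITY.
     *
     * @param element     the SecurityTokenReference element
     * @param requestData request context (Crypto, CallbackHandler, BSP enforcer, processors)
     * @param wSDocInfo   per-document registry of already processed tokens and results
     * @param map         parser parameters; only {@link #SIGNATURE_METHOD} is read
     * @throws WSSecurityException if the reference is unsupported or a referenced token fails processing
     */
    @Override // org.apache.wss4j.dom.str.STRParser
    public void parseSecurityTokenReference(Element element, RequestData requestData, WSDocInfo wSDocInfo, Map<String, Object> map) throws WSSecurityException {
        Crypto sigVerCrypto = requestData.getSigVerCrypto();
        SecurityTokenReference securityTokenReference = new SecurityTokenReference(element, requestData.getBSPEnforcer());

        // Work out the lookup key for an already-processed token: the Reference URI
        // (fragment prefix removed) or the raw KeyIdentifier value.
        String str = null;
        if (securityTokenReference.containsReference()) {
            str = stripFragmentPrefix(securityTokenReference.getReference().getURI());
            this.referenceType = STRParser.REFERENCE_TYPE.DIRECT_REF;
        } else if (securityTokenReference.containsKeyIdentifier()) {
            str = securityTokenReference.getKeyIdentifierValue();
            if (THUMBPRINT_SHA1.equals(securityTokenReference.getKeyIdentifierValueType())) {
                this.referenceType = STRParser.REFERENCE_TYPE.THUMBPRINT_SHA1;
            } else {
                this.referenceType = STRParser.REFERENCE_TYPE.KEY_IDENTIFIER;
            }
        }

        WSSecurityEngineResult previousResult = wSDocInfo.getResult(str);
        if (previousResult != null) {
            processPreviousResult(previousResult, securityTokenReference, requestData, map);
        } else if (securityTokenReference.containsReference()) {
            parseDirectReference(element, str, securityTokenReference, requestData, wSDocInfo);
        } else if (securityTokenReference.containsX509Data() || securityTokenReference.containsX509IssuerSerial()) {
            // Certificate is looked up in the signature-verification keystore by issuer/serial.
            // trustedCredential is deliberately left false here: trust in this certificate is
            // presumably established by the caller's later trust validation - confirm.
            this.referenceType = STRParser.REFERENCE_TYPE.ISSUER_SERIAL;
            X509Certificate[] issuerSerialCerts = securityTokenReference.getX509IssuerSerial(sigVerCrypto);
            if (issuerSerialCerts != null && issuerSerialCerts.length > 0) {
                this.certs = new X509Certificate[]{issuerSerialCerts[0]};
            }
        } else if (securityTokenReference.containsKeyIdentifier()) {
            String valueType = securityTokenReference.getKeyIdentifierValueType();
            if (ENCRYPTED_KEY_SHA1.equals(valueType)) {
                // The key is identified by a SHA-1 of an EncryptedKey; only the CallbackHandler can supply it.
                STRParserUtil.checkEncryptedKeyBSPCompliance(securityTokenReference, requestData.getBSPEnforcer());
                String keyIdentifierValue = securityTokenReference.getKeyIdentifierValue();
                this.secretKey = getSecretKeyFromToken(keyIdentifierValue, ENCRYPTED_KEY_SHA1, requestData);
                this.principal = new CustomTokenPrincipal(keyIdentifierValue);
            } else if (SAML10_ASSERTION_ID.equals(valueType) || SAML11_ID.equals(valueType)) {
                parseSAMLKeyIdentifier(securityTokenReference, wSDocInfo, requestData);
            } else {
                parseBSTKeyIdentifier(securityTokenReference, sigVerCrypto, wSDocInfo, requestData);
            }
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "unsupportedKeyInfo", element.toString());
        }

        // No token-specific principal: fall back to the subject DN of the resolved certificate.
        if (this.principal == null && this.certs != null && this.certs.length > 0) {
            this.principal = this.certs[0].getSubjectX500Principal();
        }
    }

    /**
     * Handles a direct wsse:Reference whose target the engine has not processed yet.
     * First asks the CallbackHandler for a secret key under the reference URI; only if
     * none is supplied is the referenced element located and processed by token type.
     * Elements that are not a BinarySecurityToken, SAML assertion or EncryptedKey leave
     * only the CustomTokenPrincipal set.
     */
    private void parseDirectReference(Element element, String uri, SecurityTokenReference securityTokenReference,
                                      RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        String valueType = securityTokenReference.getReference().getValueType();
        this.secretKey = getSecretKeyFromToken(uri, valueType, requestData);
        this.principal = new CustomTokenPrincipal(uri);
        if (this.secretKey != null) {
            return;
        }

        Element tokenElement = securityTokenReference.getTokenElement(element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler());
        QName tokenName = new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName());

        if (tokenName.equals(WSSecurityEngine.BINARY_TOKEN)) {
            List<WSSecurityEngineResult> bstResults = requestData.getWssConfig()
                .getProcessor(WSSecurityEngine.BINARY_TOKEN).handleToken(tokenElement, requestData, wSDocInfo);
            WSSecurityEngineResult bstResult = bstResults.get(0);
            STRParserUtil.checkBinarySecurityBSPCompliance(securityTokenReference,
                (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN), requestData.getBSPEnforcer());
            this.certs = (X509Certificate[]) bstResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            this.secretKey = (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
            this.principal = (Principal) bstResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        } else if (tokenName.equals(WSSecurityEngine.SAML_TOKEN) || tokenName.equals(WSSecurityEngine.SAML2_TOKEN)) {
            Processor samlProcessor = requestData.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
            Element processedAssertion = securityTokenReference.findProcessedTokenElement(
                element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler(), uri, valueType);
            SamlAssertionWrapper samlAssertionWrapper;
            if (processedAssertion == null) {
                samlAssertionWrapper = (SamlAssertionWrapper) samlProcessor
                    .handleToken(tokenElement, requestData, wSDocInfo).get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            } else {
                // Already-processed assertion: wrapped directly and only its subject is re-parsed.
                // Its signature is not re-verified on this path; the earlier processing is relied upon - confirm.
                samlAssertionWrapper = new SamlAssertionWrapper(processedAssertion);
                samlAssertionWrapper.parseSubject(new WSSSAMLKeyInfoProcessor(requestData, wSDocInfo),
                    requestData.getSigVerCrypto(), requestData.getCallbackHandler());
            }
            STRParserUtil.checkSamlTokenBSPCompliance(securityTokenReference, samlAssertionWrapper, requestData.getBSPEnforcer());
            SAMLKeyInfo subjectKeyInfo = samlAssertionWrapper.getSubjectKeyInfo();
            // Only the leaf (first) subject certificate is retained.
            X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
            if (subjectCerts != null && subjectCerts.length > 0) {
                this.certs = new X509Certificate[]{subjectCerts[0]};
            }
            this.secretKey = subjectKeyInfo.getSecret();
            this.principal = createPrincipalFromSAML(samlAssertionWrapper);
        } else if (tokenName.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
            STRParserUtil.checkEncryptedKeyBSPCompliance(securityTokenReference, requestData.getBSPEnforcer());
            this.secretKey = (byte[]) requestData.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY)
                .handleToken(tokenElement, requestData, wSDocInfo).get(0).get(WSSecurityEngineResult.TAG_SECRET);
            this.principal = new CustomTokenPrincipal(tokenElement.getAttributeNS(null, "Id"));
        }
    }

    /**
     * Removes a leading '#' from a same-document reference URI. An empty URI (DOM returns ""
     * for a missing attribute) is returned unchanged instead of raising StringIndexOutOfBounds.
     */
    private static String stripFragmentPrefix(String uri) {
        return uri.startsWith("#") ? uri.substring(1) : uri;
    }

    /** @return the resolved certificate chain (usually only the leaf), or null */
    @Override // org.apache.wss4j.dom.str.STRParser
    public X509Certificate[] getCertificates() {
        return this.certs;
    }

    /** @return the principal associated with the referenced token, or null */
    @Override // org.apache.wss4j.dom.str.STRParser
    public Principal getPrincipal() {
        return this.principal;
    }

    /** @return a bare public key (only set from SAML subject key info), or null */
    @Override // org.apache.wss4j.dom.str.STRParser
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /** @return the resolved symmetric key bytes, or null */
    @Override // org.apache.wss4j.dom.str.STRParser
    public byte[] getSecretKey() {
        return this.secretKey;
    }

    /**
     * @return true only when the credential came from a BinarySecurityToken the engine already
     *         validated, or from a signed holder-of-key SAML assertion; false for every other path
     */
    @Override // org.apache.wss4j.dom.str.STRParser
    public boolean isTrustedCredential() {
        return this.trustedCredential;
    }

    /** @return how the certificate was referenced, or null if no reference/KeyIdentifier was present */
    @Override // org.apache.wss4j.dom.str.STRParser
    public STRParser.REFERENCE_TYPE getCertificatesReferenceType() {
        return this.referenceType;
    }

    /**
     * Builds the principal for a SAML assertion and decides whether it counts as trusted.
     * Only the first subject confirmation method is consulted: the credential is marked
     * trusted when that method is holder-of-key and the assertion is signed.
     * NOTE(review): isSigned() is a presence check, not a verification; this relies on
     * the SAML processor having validated the signature beforehand - confirm.
     */
    private Principal createPrincipalFromSAML(SamlAssertionWrapper samlAssertionWrapper) {
        SAMLTokenPrincipalImpl samlPrincipal = new SAMLTokenPrincipalImpl(samlAssertionWrapper);
        List<String> confirmationMethods = samlAssertionWrapper.getConfirmationMethods();
        String firstMethod = (confirmationMethods != null && !confirmationMethods.isEmpty())
            ? confirmationMethods.get(0) : null;
        if (OpenSAMLUtil.isMethodHolderOfKey(firstMethod) && samlAssertionWrapper.isSigned()) {
            this.trustedCredential = true;
        }
        return samlPrincipal;
    }

    /**
     * Asks the configured CallbackHandler for the secret key identified by {@code id}
     * (leading '#' removed) and {@code valueType}.
     *
     * @return the key bytes supplied by the handler (may be null), or null when no handler is configured
     * @throws WSSecurityException FAILURE/"noPassword" wrapping any exception the handler throws
     */
    private byte[] getSecretKeyFromToken(String id, String valueType, RequestData requestData) throws WSSecurityException {
        String tokenId = stripFragmentPrefix(id);
        WSPasswordCallback keyCallback = new WSPasswordCallback(tokenId, null, valueType, SECRET_KEY_CALLBACK_USAGE);
        try {
            if (requestData.getCallbackHandler() == null) {
                return null;
            }
            requestData.getCallbackHandler().handle(new Callback[]{keyCallback});
            return keyCallback.getKey();
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noPassword", e, tokenId);
        }
    }

    /**
     * Resolves a KeyIdentifier of SAML 1.0/1.1 assertion-id type. The CallbackHandler is
     * consulted first; if it yields no key the assertion is located, BSP-checked and its
     * subject credential (leaf cert, secret, public key) extracted.
     */
    private void parseSAMLKeyIdentifier(SecurityTokenReference securityTokenReference, WSDocInfo wSDocInfo, RequestData requestData) throws WSSecurityException {
        this.secretKey = getSecretKeyFromToken(securityTokenReference.getKeyIdentifierValue(),
            securityTokenReference.getKeyIdentifierValueType(), requestData);
        if (this.secretKey != null) {
            return;
        }
        SamlAssertionWrapper assertion = STRParserUtil.getAssertionFromKeyIdentifier(
            securityTokenReference, securityTokenReference.getElement(), requestData, wSDocInfo);
        STRParserUtil.checkSamlTokenBSPCompliance(securityTokenReference, assertion, requestData.getBSPEnforcer());
        SAMLKeyInfo subjectCredential = SAMLUtil.getCredentialFromSubject(assertion,
            new WSSSAMLKeyInfoProcessor(requestData, wSDocInfo), requestData.getSigVerCrypto(), requestData.getCallbackHandler());
        X509Certificate[] subjectCerts = subjectCredential.getCerts();
        if (subjectCerts != null && subjectCerts.length > 0) {
            this.certs = new X509Certificate[]{subjectCerts[0]};
        }
        this.secretKey = subjectCredential.getSecret();
        this.publicKey = subjectCredential.getPublicKey();
        this.principal = createPrincipalFromSAML(assertion);
    }

    /*
     * NOTE(review): the decompiler (JADX) could not reconstruct this method (513 instructions).
     * The only recovered fragment assigns this.principal from a result's TAG_PRINCIPAL entry.
     * The body below is the decompiler's placeholder, NOT the shipped behaviour of the
     * BinarySecurityToken / thumbprint KeyIdentifier path; consult the wss4j 2.0.3 source
     * before drawing any conclusion about how that path resolves and trusts certificates.
     */
    private void parseBSTKeyIdentifier(org.apache.wss4j.dom.message.token.SecurityTokenReference r8, org.apache.wss4j.common.crypto.Crypto r9, org.apache.wss4j.dom.WSDocInfo r10, org.apache.wss4j.dom.handler.RequestData r11) throws org.apache.wss4j.common.ext.WSSecurityException {
        throw new UnsupportedOperationException("Method not decompiled: org.apache.wss4j.dom.str.SignatureSTRParser.parseBSTKeyIdentifier(org.apache.wss4j.dom.message.token.SecurityTokenReference, org.apache.wss4j.common.crypto.Crypto, org.apache.wss4j.dom.WSDocInfo, org.apache.wss4j.dom.handler.RequestData):void");
    }

    /**
     * Reuses the credential of a token the engine already processed, dispatching on the
     * result's "action" code. Unknown action codes leave all fields untouched.
     *
     * @param wSSecurityEngineResult the earlier result looked up by reference URI / KeyIdentifier value
     * @param map                    parser parameters; {@link #SIGNATURE_METHOD} sizes a derived key with no explicit length
     */
    private void processPreviousResult(WSSecurityEngineResult wSSecurityEngineResult, SecurityTokenReference securityTokenReference, RequestData requestData, Map<String, Object> map) throws WSSecurityException {
        int action = ((Integer) wSSecurityEngineResult.get("action")).intValue();
        switch (action) {
            case ACTION_UT_NOPASSWORD:
            case ACTION_UT: {
                STRParserUtil.checkUsernameTokenBSPCompliance(securityTokenReference, requestData.getBSPEnforcer());
                UsernameToken usernameToken = (UsernameToken) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
                usernameToken.setRawPassword(requestData);
                this.secretKey = (byte[]) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECRET);
                this.principal = usernameToken.createPrincipal();
                break;
            }
            case ACTION_BST: {
                STRParserUtil.checkBinarySecurityBSPCompliance(securityTokenReference,
                    (BinarySecurity) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN), requestData.getBSPEnforcer());
                this.certs = (X509Certificate[]) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
                this.secretKey = (byte[]) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECRET);
                // Trust is inherited only if the earlier BST processing actually validated the token.
                if (((Boolean) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN)).booleanValue()) {
                    this.trustedCredential = true;
                }
                break;
            }
            case ACTION_ENCR: {
                STRParserUtil.checkEncryptedKeyBSPCompliance(securityTokenReference, requestData.getBSPEnforcer());
                this.secretKey = (byte[]) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECRET);
                this.principal = new CustomTokenPrincipal((String) wSSecurityEngineResult.get("id"));
                break;
            }
            case ACTION_SCT: {
                this.secretKey = (byte[]) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECRET);
                SecurityContextToken sct = (SecurityContextToken) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
                this.principal = new CustomTokenPrincipal(sct.getIdentifier());
                break;
            }
            case ACTION_DKT: {
                DerivedKeyToken derivedKeyToken = (DerivedKeyToken) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
                int keyLength = derivedKeyToken.getLength();
                if (keyLength <= 0) {
                    // No explicit length on the token: size the derived key from the signature algorithm.
                    keyLength = KeyUtils.getKeyLength((String) map.get(SIGNATURE_METHOD));
                }
                byte[] baseSecret = (byte[]) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECRET);
                this.secretKey = derivedKeyToken.deriveKey(keyLength, baseSecret);
                this.principal = derivedKeyToken.createPrincipal();
                ((WSDerivedKeyTokenPrincipal) this.principal).setSecret(baseSecret);
                break;
            }
            case ACTION_ST_UNSIGNED:
            case ACTION_ST_SIGNED: {
                SamlAssertionWrapper samlAssertionWrapper = (SamlAssertionWrapper) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                STRParserUtil.checkSamlTokenBSPCompliance(securityTokenReference, samlAssertionWrapper, requestData.getBSPEnforcer());
                SAMLKeyInfo subjectKeyInfo = samlAssertionWrapper.getSubjectKeyInfo();
                if (subjectKeyInfo == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", new Object[0]);
                }
                // Guard the length too: an empty certificate array previously raised
                // ArrayIndexOutOfBoundsException here instead of leaving certs unset, unlike the other SAML paths.
                X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
                if (subjectCerts != null && subjectCerts.length > 0) {
                    this.certs = new X509Certificate[]{subjectCerts[0]};
                }
                this.secretKey = subjectKeyInfo.getSecret();
                this.publicKey = subjectKeyInfo.getPublicKey();
                this.principal = createPrincipalFromSAML(samlAssertionWrapper);
                break;
            }
            default:
                break;
        }
    }
}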
