package org.apache.cxf.sts.token.provider;

import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.sts.SignatureProperties;
import org.apache.cxf.sts.request.BinarySecret;
import org.apache.cxf.sts.request.Entropy;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.common.derivedKey.P_SHA1;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.util.WSSecurityUtil;

/* loaded from: input_file:m2repo/org/apache/cxf/services/sts/cxf-services-sts-core/3.2.5-jbossorg-1/cxf-services-sts-core-3.2.5-jbossorg-1.jar:org/apache/cxf/sts/token/provider/SymmetricKeyHandler.class */
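/**
 * Negotiates the symmetric key for a SymmetricKey KeyType request: validates the requested
 * key size and any client-supplied entropy, then either adopts a client-supplied secret,
 * generates fresh STS entropy, or derives a computed key (P_SHA1 over client nonce and STS
 * entropy) so that neither party alone determines the final key.
 *
 * <p>Not thread-safe: one instance per request. The getters return the internal byte arrays
 * without copying, so callers must not modify them.
 */
public class SymmetricKeyHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(SymmetricKeyHandler.class);

    // WS-Trust 1.3 BinarySecret types and ComputedKey algorithm URI, as they appear on the wire.
    private static final String NONCE_TYPE =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce";
    private static final String SYMMETRIC_KEY_TYPE =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    private static final String COMPUTED_KEY_PSHA1 =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1";

    // XML Encryption algorithm URIs whose EncryptWith value implies a minimum key length.
    private static final String AES_128 = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    private static final String AES_128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm";
    private static final String AES_192 = "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
    private static final String AES_192_GCM = "http://www.w3.org/2009/xmlenc11#aes192-gcm";
    private static final String AES_256 = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
    private static final String AES_256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm";
    private static final String TRIPLE_DES = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";

    // Negotiated key length in bits; overwritten from the request in the constructor.
    private int keySize = 256;
    // Client entropy after validation; null means "generate the key on the STS side".
    private Entropy clientEntropy;
    // STS-generated entropy (only set when the STS generated it).
    private byte[] entropyBytes;
    // The final symmetric key material.
    private byte[] secret;
    // True when secret was derived from client nonce + STS entropy via P_SHA1.
    private boolean computedKey;

    /**
     * Validates the key requirements of the request and records the (possibly rejected)
     * client entropy.
     *
     * @param tokenProviderParameters the request parameters; KeyRequirements and the STS
     *        SignatureProperties are read from it
     * @throws STSException with {@code INVALID_REQUEST} when the Entropy element carries
     *         neither a BinarySecret nor a decrypted key, when a SymmetricKey BinarySecret has
     *         no value, when the BinarySecret type is unknown, or when a Nonce is sent with a
     *         ComputedKey algorithm other than P_SHA1
     */
    public SymmetricKeyHandler(TokenProviderParameters tokenProviderParameters) {
        KeyRequirements keyRequirements = tokenProviderParameters.getKeyRequirements();
        SignatureProperties signatureProperties =
            tokenProviderParameters.getStsProperties().getSignatureProperties();

        // Requested size, raised to the minimum the requested EncryptWith algorithm needs.
        keySize = (int) keyRequirements.getKeySize();
        keySize = Math.max(keySize, minimumKeySizeFor(keyRequirements.getEncryptWith()));

        // Clamp to the STS policy by falling back to the configured default size.
        if (keySize < signatureProperties.getMinimumKeySize()
            || keySize > signatureProperties.getMaximumKeySize()) {
            keySize = (int) signatureProperties.getKeySize();
            LOG.log(Level.WARNING, "Received KeySize of " + keyRequirements.getKeySize()
                + " not accepted so defaulting to " + signatureProperties.getKeySize());
        }

        clientEntropy = keyRequirements.getEntropy();
        if (clientEntropy == null) {
            LOG.log(Level.WARNING, "A SymmetricKey KeyType is requested, but no client entropy is provided");
        } else if (clientEntropy.getBinarySecret() != null) {
            validateBinarySecret(clientEntropy.getBinarySecret(), keyRequirements, signatureProperties);
        } else if (clientEntropy.getDecryptedKey() != null) {
            // Key transported encrypted by the client; accept only policy-conformant lengths.
            if (!isAcceptedSecretLength(clientEntropy.getDecryptedKey(), signatureProperties)) {
                clientEntropy = null;
            }
        } else {
            LOG.log(Level.WARNING, "The user supplied Entropy structure is invalid");
            throw new STSException("The user supplied Entropy structure is invalid", STSException.INVALID_REQUEST);
        }
    }

    /**
     * Validates a client BinarySecret. A Nonce that is too short, or a SymmetricKey whose
     * length is outside policy, clears {@code clientEntropy} so the STS generates the key
     * itself; structurally invalid input is rejected with an exception.
     */
    private void validateBinarySecret(BinarySecret binarySecret, KeyRequirements keyRequirements,
                                      SignatureProperties signatureProperties) {
        String type = binarySecret.getBinarySecretType();
        if (NONCE_TYPE.equals(type)) {
            // Computed-key case: the nonce must be at least as long as the key it contributes to.
            byte[] nonce = binarySecret.getBinarySecretValue();
            if (nonce == null || nonce.length < keySize / 8) {
                LOG.log(Level.WARNING, "User Entropy rejected");
                clientEntropy = null;
            }
            String computedKeyAlgorithm = keyRequirements.getComputedKeyAlgorithm();
            if (!COMPUTED_KEY_PSHA1.equals(computedKeyAlgorithm)) {
                LOG.log(Level.WARNING, "The computed key algorithm of " + computedKeyAlgorithm + " is not supported");
                throw new STSException("Computed Key Algorithm not supported", STSException.INVALID_REQUEST);
            }
        } else if (type == null || SYMMETRIC_KEY_TYPE.equals(type)) {
            byte[] secretValue = binarySecret.getBinarySecretValue();
            // A SymmetricKey BinarySecret without a value used to surface as a NullPointerException;
            // treat it as a malformed Entropy structure instead.
            if (secretValue == null) {
                LOG.log(Level.WARNING, "The user supplied Entropy structure is invalid");
                throw new STSException("The user supplied Entropy structure is invalid", STSException.INVALID_REQUEST);
            }
            if (!isAcceptedSecretLength(secretValue, signatureProperties)) {
                clientEntropy = null;
            }
        } else {
            LOG.log(Level.WARNING, "The type " + type + " is not supported");
            throw new STSException("No user supplied entropy for SymmetricKey case", STSException.INVALID_REQUEST);
        }
    }

    /**
     * Returns the minimum key length in bits implied by the EncryptWith algorithm URI,
     * or 0 when the URI is null or not one the handler knows about.
     */
    private static int minimumKeySizeFor(String encryptWith) {
        if (encryptWith == null) {
            return 0;
        }
        switch (encryptWith) {
            case AES_128:
            case AES_128_GCM:
                return 128;
            case AES_192:
            case AES_192_GCM:
            case TRIPLE_DES:
                return 192;
            case AES_256:
            case AES_256_GCM:
                return 256;
            default:
                return 0;
        }
    }

    /**
     * Checks a client-supplied secret against the configured minimum/maximum key size (bits),
     * logging a warning when it is rejected. Length is computed in long arithmetic so the
     * bit count cannot overflow; the logged value is the length in bits.
     */
    private static boolean isAcceptedSecretLength(byte[] secretValue, SignatureProperties signatureProperties) {
        long bits = secretValue.length * 8L;
        if (bits < signatureProperties.getMinimumKeySize() || bits > signatureProperties.getMaximumKeySize()) {
            LOG.log(Level.WARNING, "Received secret of length " + bits + " bits is not accepted");
            LOG.log(Level.WARNING, "User Entropy rejected");
            return false;
        }
        return true;
    }

    /**
     * Establishes the symmetric key. Precedence: an accepted client SymmetricKey BinarySecret,
     * then an accepted client-decrypted key, otherwise STS-generated entropy of
     * {@code keySize / 8} bytes; if the client additionally supplied a (Nonce) BinarySecret
     * the final key is P_SHA1(clientNonce, stsEntropy) and {@link #isComputedKey()} is true.
     *
     * @throws STSException with {@code INVALID_REQUEST} (cause preserved) if entropy
     *         generation or key derivation fails
     */
    public void createSymmetricKey() {
        computedKey = false;

        if (clientEntropy != null) {
            BinarySecret binarySecret = clientEntropy.getBinarySecret();
            if (binarySecret != null
                && (binarySecret.getBinarySecretType() == null
                    || SYMMETRIC_KEY_TYPE.equals(binarySecret.getBinarySecretType()))) {
                secret = binarySecret.getBinarySecretValue();
                return;
            }
            if (clientEntropy.getDecryptedKey() != null) {
                secret = clientEntropy.getDecryptedKey();
                return;
            }
        }

        // No usable client key: the STS contributes its own random entropy.
        try {
            entropyBytes = WSSecurityUtil.generateNonce(keySize / 8);
            secret = entropyBytes;
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
            throw new STSException("Error in creating symmetric key", ex, STSException.INVALID_REQUEST);
        }

        // Remaining BinarySecret here is the client's Nonce (other types were consumed above).
        if (clientEntropy != null && clientEntropy.getBinarySecret() != null) {
            byte[] nonce = clientEntropy.getBinarySecret().getBinarySecretValue();
            try {
                secret = new P_SHA1().createKey(nonce, entropyBytes, 0, keySize / 8);
                computedKey = true;
            } catch (WSSecurityException ex) {
                LOG.log(Level.WARNING, "", ex);
                throw new STSException("Error in creating symmetric key", ex, STSException.INVALID_REQUEST);
            }
        }
    }

    /** @return the negotiated key length in bits */
    public long getKeySize() {
        return keySize;
    }

    /** @return STS-generated entropy, or null if the key came entirely from the client */
    public byte[] getEntropyBytes() {
        return entropyBytes;
    }

    /** @return the symmetric key material (internal array, not a copy); null before {@link #createSymmetricKey()} */
    public byte[] getSecret() {
        return secret;
    }

    /** @return true when the key was derived from client nonce and STS entropy via P_SHA1 */
    public boolean isComputedKey() {
        return computedKey;
    }
}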
