package org.apache.cxf.rs.security.xml;

import java.io.OutputStream;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.StaxOutInterceptor;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.RSSecurityUtils;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.xml.security.Init;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSec;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.SecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;

/* loaded from: input_file:org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.class */
public class XmlSecOutInterceptor extends AbstractPhaseInterceptor<Message> {
    public static final String OUTPUT_STREAM_HOLDER = XmlSecOutInterceptor.class.getName() + ".outputstream";
    private static final Logger LOG = LogUtils.getL7dLogger(XmlSecOutInterceptor.class);
    private XmlSecStaxOutInterceptorInternal ending;
    private EncryptionProperties encryptionProperties;
    private SignatureProperties sigProps;
    private boolean encryptSymmetricKey;
    private SecretKey symmetricKey;
    private boolean signRequest;
    private boolean encryptRequest;
    private List<QName> elementsToSign;
    private List<QName> elementsToEncrypt;
    private boolean keyInfoMustBeAvailable;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/cxf/rs/security/xml/XmlSecOutInterceptor$XmlSecStaxOutInterceptorInternal.class */
    public final class XmlSecStaxOutInterceptorInternal extends AbstractPhaseInterceptor<Message> {
        XmlSecStaxOutInterceptorInternal() {
            super("pre-stream-ending");
        }

        public void handleMessage(Message message) throws Fault {
            try {
                XMLStreamWriter xMLStreamWriter = (XMLStreamWriter) message.getContent(XMLStreamWriter.class);
                if (xMLStreamWriter != null) {
                    xMLStreamWriter.writeEndDocument();
                    xMLStreamWriter.flush();
                    xMLStreamWriter.close();
                }
                OutputStream outputStream = (OutputStream) message.get(XmlSecOutInterceptor.OUTPUT_STREAM_HOLDER);
                if (outputStream != null) {
                    message.setContent(OutputStream.class, outputStream);
                }
                message.removeContent(XMLStreamWriter.class);
            } catch (XMLStreamException e) {
                throw new Fault(e);
            }
        }
    }

    public XmlSecOutInterceptor() {
        super("pre-stream");
        this.encryptionProperties = new EncryptionProperties();
        this.sigProps = new SignatureProperties();
        this.encryptSymmetricKey = true;
        this.elementsToSign = new ArrayList();
        this.elementsToEncrypt = new ArrayList();
        this.keyInfoMustBeAvailable = true;
        getBefore().add(StaxOutInterceptor.class.getName());
        this.ending = createEndingInterceptor();
    }

    public void handleMessage(Message message) throws Fault {
        if (message.getExchange().get(Throwable.class) != null) {
            return;
        }
        OutputStream outputStream = (OutputStream) message.getContent(OutputStream.class);
        String encoding = getEncoding(message);
        if (!this.encryptRequest && !this.signRequest) {
            Exception exc = new Exception("Either encryption and/or signature must be enabled");
            throwFault(exc.getMessage(), exc);
        }
        XMLStreamWriter xMLStreamWriter = null;
        try {
            XMLSecurityProperties xMLSecurityProperties = new XMLSecurityProperties();
            if (this.signRequest) {
                configureSignature(message, xMLSecurityProperties);
            }
            if (this.encryptRequest) {
                configureEncryption(message, xMLSecurityProperties);
            }
            xMLStreamWriter = XMLSec.getOutboundXMLSec(xMLSecurityProperties).processOutMessage(outputStream, encoding);
            message.setContent(XMLStreamWriter.class, xMLStreamWriter);
        } catch (XMLSecurityException e) {
            throwFault(e.getMessage(), e);
        } catch (Exception e2) {
            throwFault(e2.getMessage(), e2);
        }
        message.put("disable.outputstream.optimization", Boolean.TRUE);
        message.put("org.apache.cxf.stax.force-start-document", Boolean.TRUE);
        if (MessageUtils.getContextualBoolean(message, "org.apache.cxf.stax.force-start-document", false)) {
            try {
                xMLStreamWriter.writeStartDocument(encoding, "1.0");
                message.removeContent(OutputStream.class);
                message.put(OUTPUT_STREAM_HOLDER, outputStream);
            } catch (XMLStreamException e3) {
                throw new Fault(e3);
            }
        }
        message.getInterceptorChain().add(this.ending);
    }

    private void configureEncryption(Message message, XMLSecurityProperties xMLSecurityProperties) throws Exception {
        X509Certificate certificateFromCrypto;
        String encryptionSymmetricKeyAlgo = this.encryptionProperties.getEncryptionSymmetricKeyAlgo() == null ? "http://www.w3.org/2001/04/xmlenc#aes256-cbc" : this.encryptionProperties.getEncryptionSymmetricKeyAlgo();
        xMLSecurityProperties.setEncryptionSymAlgorithm(encryptionSymmetricKeyAlgo);
        xMLSecurityProperties.setEncryptionKey(getSymmetricKey(encryptionSymmetricKeyAlgo));
        if (this.encryptSymmetricKey) {
            String str = (String) SecurityUtils.getSecurityPropertyValue("security.encryption.username", message);
            if (!RSSecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(str) || MessageUtils.isRequestor(message)) {
                Crypto crypto = new CryptoLoader().getCrypto(message, "security.encryption.crypto", "security.encryption.properties");
                String userName = RSSecurityUtils.getUserName(crypto, str);
                if (StringUtils.isEmpty(userName)) {
                    throw new Exception("User name is not available");
                }
                certificateFromCrypto = getCertificateFromCrypto(crypto, userName);
            } else {
                certificateFromCrypto = (X509Certificate) message.getExchange().getInMessage().getContent(X509Certificate.class);
                if (certificateFromCrypto == null) {
                    certificateFromCrypto = getUseReqSigCert((List) message.getExchange().get(SecurityEvent.class.getName() + ".in"));
                }
            }
            if (certificateFromCrypto == null) {
                throw new Exception("Sending certificate is not available");
            }
            xMLSecurityProperties.setEncryptionUseThisCertificate(certificateFromCrypto);
            xMLSecurityProperties.setEncryptionKeyIdentifier(convertKeyIdentifier(this.encryptionProperties.getEncryptionKeyIdType()));
            if (this.encryptionProperties.getEncryptionKeyTransportAlgo() != null) {
                xMLSecurityProperties.setEncryptionKeyTransportAlgorithm(this.encryptionProperties.getEncryptionKeyTransportAlgo());
            }
            if (this.encryptionProperties.getEncryptionDigestAlgo() != null) {
                xMLSecurityProperties.setEncryptionKeyTransportDigestAlgorithm(this.encryptionProperties.getEncryptionDigestAlgo());
            }
        }
        xMLSecurityProperties.addAction(XMLSecurityConstants.ENCRYPT);
        if (this.elementsToEncrypt != null && !this.elementsToEncrypt.isEmpty()) {
            Iterator<QName> it = this.elementsToEncrypt.iterator();
            while (it.hasNext()) {
                xMLSecurityProperties.addEncryptionPart(new SecurePart(it.next(), SecurePart.Modifier.Element));
            }
        } else {
            LOG.fine("No Elements to encrypt are specified, so the entire request is encrypt");
            SecurePart securePart = new SecurePart((QName) null, SecurePart.Modifier.Element);
            securePart.setSecureEntireRequest(true);
            xMLSecurityProperties.addEncryptionPart(securePart);
        }
    }

    private X509Certificate getUseReqSigCert(List<SecurityEvent> list) throws XMLSecurityException {
        SecurityToken signatureToken = getSignatureToken(list);
        if (signatureToken == null || signatureToken.getX509Certificates() == null || signatureToken.getX509Certificates().length <= 0) {
            return null;
        }
        return signatureToken.getX509Certificates()[0];
    }

    private SecurityToken getSignatureToken(List<SecurityEvent> list) throws XMLSecurityException {
        if (list == null) {
            return null;
        }
        for (int i = 0; i < list.size(); i++) {
            TokenSecurityEvent tokenSecurityEvent = (SecurityEvent) list.get(i);
            if (tokenSecurityEvent instanceof TokenSecurityEvent) {
                TokenSecurityEvent tokenSecurityEvent2 = tokenSecurityEvent;
                if (tokenSecurityEvent2.getSecurityToken().getTokenUsages().contains(SecurityTokenConstants.TokenUsage_Signature)) {
                    return tokenSecurityEvent2.getSecurityToken();
                }
            }
        }
        return null;
    }

    private X509Certificate getCertificateFromCrypto(Crypto crypto, String str) throws Exception {
        return RSSecurityUtils.getCertificates(crypto, str)[0];
    }

    private SecretKey getSymmetricKey(String str) throws Exception {
        SecretKey secretKey;
        synchronized (this) {
            if (this.symmetricKey == null) {
                this.symmetricKey = KeyUtils.getKeyGenerator(str).generateKey();
            }
            secretKey = this.symmetricKey;
        }
        return secretKey;
    }

    private void configureSignature(Message message, XMLSecurityProperties xMLSecurityProperties) throws Exception {
        Crypto crypto = new CryptoLoader().getCrypto(message, "security.signature.crypto", "security.signature.properties");
        String userName = RSSecurityUtils.getUserName(message, crypto, "security.signature.username");
        if (StringUtils.isEmpty(userName) || RSSecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)) {
            throw new Exception("User name is not available");
        }
        String password = RSSecurityUtils.getPassword(message, userName, 3, getClass());
        X509Certificate[] certificates = RSSecurityUtils.getCertificates(crypto, userName);
        xMLSecurityProperties.setSignatureCerts(certificates);
        String signatureAlgo = this.sigProps.getSignatureAlgo() == null ? "http://www.w3.org/2000/09/xmldsig#rsa-sha1" : this.sigProps.getSignatureAlgo();
        if (certificates[0].getPublicKey().getAlgorithm().equalsIgnoreCase("DSA")) {
            signatureAlgo = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
        }
        xMLSecurityProperties.setSignatureAlgorithm(signatureAlgo);
        try {
            xMLSecurityProperties.setSignatureKey(crypto.getPrivateKey(userName, password));
            String signatureDigestAlgo = this.sigProps.getSignatureDigestAlgo() == null ? "http://www.w3.org/2000/09/xmldsig#sha1" : this.sigProps.getSignatureDigestAlgo();
            xMLSecurityProperties.setSignatureDigestAlgorithm(signatureDigestAlgo);
            if (this.keyInfoMustBeAvailable) {
                xMLSecurityProperties.setSignatureKeyIdentifier(convertKeyIdentifier(this.sigProps.getSignatureKeyIdType()));
            } else {
                xMLSecurityProperties.setSignatureKeyIdentifier(SecurityTokenConstants.KeyIdentifier_NoKeyInfo);
            }
            xMLSecurityProperties.setSignatureCanonicalizationAlgorithm(this.sigProps.getSignatureC14nMethod() != null ? this.sigProps.getSignatureC14nMethod() : "http://www.w3.org/TR/2001/REC-xml-c14n-20010315");
            xMLSecurityProperties.addAction(XMLSecurityConstants.SIGNATURE);
            String signatureC14nTransform = this.sigProps.getSignatureC14nTransform() != null ? this.sigProps.getSignatureC14nTransform() : "http://www.w3.org/2001/10/xml-exc-c14n#";
            if (this.elementsToSign != null && !this.elementsToSign.isEmpty()) {
                Iterator<QName> it = this.elementsToSign.iterator();
                while (it.hasNext()) {
                    xMLSecurityProperties.addSignaturePart(new SecurePart(it.next(), SecurePart.Modifier.Element, new String[]{"http://www.w3.org/2000/09/xmldsig#enveloped-signature", signatureC14nTransform}, signatureDigestAlgo));
                }
            } else {
                LOG.fine("No Elements to sign are specified, so the entire request is signed");
                SecurePart securePart = new SecurePart((QName) null, SecurePart.Modifier.Element, new String[]{"http://www.w3.org/2000/09/xmldsig#enveloped-signature", signatureC14nTransform}, signatureDigestAlgo);
                securePart.setSecureEntireRequest(true);
                xMLSecurityProperties.addSignaturePart(securePart);
            }
        } catch (Exception e) {
            LOG.severe("Private key can not be loaded, user:" + userName);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    protected void throwFault(String str, Exception exc) {
        LOG.warning(str);
        throw ExceptionUtils.toBadRequestException((Throwable) null, JAXRSUtils.toResponseBuilder(400).entity(str).build());
    }

    public void setEncryptionProperties(EncryptionProperties encryptionProperties) {
        this.encryptionProperties = encryptionProperties;
    }

    public void setEncryptionKeyIdentifierType(String str) {
        this.encryptionProperties.setEncryptionKeyIdType(str);
    }

    public void setSymmetricEncAlgorithm(String str) {
        if (!str.startsWith("http://www.w3.org/2001/04/xmlenc#") && !str.startsWith("http://www.w3.org/2009/xmlenc11#")) {
            str = "http://www.w3.org/2001/04/xmlenc#" + str;
        }
        this.encryptionProperties.setEncryptionSymmetricKeyAlgo(str);
    }

    public void setKeyEncAlgorithm(String str) {
        this.encryptionProperties.setEncryptionKeyTransportAlgo(str);
    }

    public void setEncryptionDigestAlgorithm(String str) {
        this.encryptionProperties.setEncryptionDigestAlgo(str);
    }

    public void setKeyInfoMustBeAvailable(boolean z) {
        this.keyInfoMustBeAvailable = z;
    }

    public void setSignatureProperties(SignatureProperties signatureProperties) {
        this.sigProps = signatureProperties;
    }

    public void setSignatureAlgorithm(String str) {
        this.sigProps.setSignatureAlgo(str);
    }

    public void setSignatureDigestAlgorithm(String str) {
        this.sigProps.setSignatureDigestAlgo(str);
    }

    public void setSignatureKeyIdentifierType(String str) {
        this.sigProps.setSignatureKeyIdType(str);
    }

    public final XmlSecStaxOutInterceptorInternal createEndingInterceptor() {
        return new XmlSecStaxOutInterceptorInternal();
    }

    private String getEncoding(Message message) {
        Exchange exchange = message.getExchange();
        String str = (String) message.get(Message.ENCODING);
        if (str == null && exchange.getInMessage() != null) {
            str = (String) exchange.getInMessage().get(Message.ENCODING);
            message.put(Message.ENCODING, str);
        }
        if (str == null) {
            str = "UTF-8";
            message.put(Message.ENCODING, str);
        }
        return str;
    }

    private static SecurityTokenConstants.KeyIdentifier convertKeyIdentifier(String str) {
        return "IssuerSerial".equals(str) ? SecurityTokenConstants.KeyIdentifier_IssuerSerial : "X509KeyIdentifier".equals(str) ? SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier : "SKIKeyIdentifier".equals(str) ? SecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier : "KeyValue".equals(str) ? SecurityTokenConstants.KeyIdentifier_KeyValue : SecurityTokenConstants.KeyIdentifier_X509KeyIdentifier;
    }

    public boolean isSignRequest() {
        return this.signRequest;
    }

    public void setSignRequest(boolean z) {
        this.signRequest = z;
    }

    public boolean isEncryptRequest() {
        return this.encryptRequest;
    }

    public void setEncryptRequest(boolean z) {
        this.encryptRequest = z;
    }

    public void setElementsToEncrypt(List<QName> list) {
        this.elementsToEncrypt = list;
    }

    public void addElementToEncrypt(QName qName) {
        this.elementsToEncrypt.add(qName);
    }

    public void setElementsToSign(List<QName> list) {
        this.elementsToSign = list;
    }

    public void addElementToSign(QName qName) {
        this.elementsToSign.add(qName);
    }

    public boolean isEncryptSymmetricKey() {
        return this.encryptSymmetricKey;
    }

    public void setEncryptSymmetricKey(boolean z) {
        this.encryptSymmetricKey = z;
    }

    public SecretKey getSymmetricKey() {
        return this.symmetricKey;
    }

    public void setSymmetricKey(SecretKey secretKey) {
        this.symmetricKey = secretKey;
    }

    static {
        Init.init();
    }
}
