package org.picketlink.identity.federation.core.wstrust;

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;
import org.picketlink.common.PicketLinkLogger;
import org.picketlink.common.PicketLinkLoggerFactory;
import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.constants.WSTrustConstants;
import org.picketlink.common.exceptions.ParsingException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.exceptions.fed.WSTrustException;
import org.picketlink.common.util.Base64;
import org.picketlink.common.util.DocumentUtil;
import org.picketlink.common.util.SystemPropertiesUtil;
import org.picketlink.identity.federation.core.saml.v1.SAML11Constants;
import org.picketlink.identity.federation.core.saml.v2.util.SignatureUtil;
import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
import org.picketlink.identity.federation.core.wstrust.wrappers.RequestSecurityToken;
import org.picketlink.identity.federation.core.wstrust.wrappers.RequestSecurityTokenResponse;
import org.picketlink.identity.federation.ws.policy.AppliesTo;
import org.picketlink.identity.federation.ws.trust.BinarySecretType;
import org.picketlink.identity.federation.ws.trust.ClaimsType;
import org.picketlink.identity.federation.ws.trust.ComputedKeyType;
import org.picketlink.identity.federation.ws.trust.EntropyType;
import org.picketlink.identity.federation.ws.trust.RequestedProofTokenType;
import org.picketlink.identity.federation.ws.trust.RequestedSecurityTokenType;
import org.picketlink.identity.federation.ws.trust.RequestedTokenCancelledType;
import org.picketlink.identity.federation.ws.trust.StatusType;
import org.picketlink.identity.xmlsec.w3.xmldsig.KeyInfoType;
import org.picketlink.identity.xmlsec.w3.xmldsig.X509DataType;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/picketlink-federation-2.7.0.Final.jar:org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.class */
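/**
 * Default {@link WSTrustRequestHandler}: turns a WS-Trust RequestSecurityToken (RST) into a
 * RequestSecurityTokenResponse (RSTR) for the issue, renew, validate and cancel request types,
 * and in {@link #postProcess} signs and/or encrypts the token carried in the RSTR document.
 *
 * <p>Security-relevant behaviour of this handler, as implemented below:
 * <ul>
 *   <li>The signature on a renew/validate target is verified against the STS key pair only when
 *       the configuration both signs issued tokens and supplies that key pair; otherwise the
 *       target goes to the token provider unverified at this layer and a warning is logged.</li>
 *   <li>The cancel target is never signature-checked here.</li>
 *   <li>In {@link #postProcess} the signature method comes from the request (default RSA-SHA1)
 *       and the digest is fixed to SHA-1; neither is filtered through an allow-list here.</li>
 *   <li>A requester-supplied KeySize is bounded before any secret material is generated so it
 *       cannot be used to force very large allocations.</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler: it contained non-compiling artefacts
 * ({@code ?? x}, {@code != false}, an exit-less {@code while (true)} over the UseKey entries)
 * and two unrelated Keycloak constants that stood in for the literals {@code "false"} and
 * {@code ""}. Those have been restored to plain Java here.
 */
public class StandardRequestHandler implements WSTrustRequestHandler {

    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

    /** Default symmetric key size in bits, applied when the RST carries no KeySize. */
    private static final long KEY_SIZE = 128;

    /**
     * Largest KeySize (bits) accepted from a requester. The value is only ever used to size
     * random secrets and an AES key, so anything above this is a resource-exhaustion attempt
     * rather than a legitimate request.
     */
    private static final long MAX_KEY_SIZE = 8192;

    private static final String SYMMETRIC_KEY_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    private static final String STATUS_TOKEN_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status";
    private static final String SAML11_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String DEFAULT_SIGNATURE_METHOD = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String DIGEST_METHOD = "http://www.w3.org/2000/09/xmldsig#sha1";

    private STSConfiguration configuration;

    /**
     * Whether the combined (P_SHA1) proof key is base64-encoded before it is wrapped into the
     * proof-token KeyInfo. Read once, at construction, from the system property named by
     * {@code GeneralConstants.BASE64_ENCODE_WSTRUST_SECRET_KEY}; defaults to {@code false}.
     */
    private final boolean base64EncodeSecretKey = Boolean.parseBoolean(
            SystemPropertiesUtil.getSystemProperty(GeneralConstants.BASE64_ENCODE_WSTRUST_SECRET_KEY, "false"));

    /**
     * Stores the STS configuration this handler consults for keys, certificates, token types,
     * claims processors and lifetimes.
     *
     * @param sTSConfiguration the active STS configuration
     */
    @Override
    public void initialize(STSConfiguration sTSConfiguration) {
        this.configuration = sTSConfiguration;
    }

    /**
     * Handles an Issue request: resolves the target service (AppliesTo), fills in defaults
     * (token type, lifetime, key type, key size), processes claims and OnBehalfOf, prepares the
     * proof-of-possession key material, asks the core STS for the token and assembles the RSTR.
     *
     * @param requestSecurityToken the parsed RST; several of its fields are defaulted in place
     * @param principal            the authenticated requester
     * @return the RSTR carrying the issued token and, for non-bearer keys, the proof token
     * @throws WSTrustException if the request is malformed, the key material cannot be built
     *                          or the core STS fails to issue a token
     */
    @Override
    public RequestSecurityTokenResponse issue(RequestSecurityToken requestSecurityToken, Principal principal) throws WSTrustException {
        logger.trace("Issuing token for principal " + principal);

        // Resolve the relying party so its configured token type and certificate can be used.
        AppliesTo appliesTo = requestSecurityToken.getAppliesTo();
        String serviceName = appliesTo == null ? null : WSTrustUtil.parseAppliesTo(appliesTo);
        X509Certificate serviceProviderCert = null;
        PublicKey serviceProviderKey = null;
        if (serviceName != null) {
            String configuredTokenType = this.configuration.getTokenTypeForService(serviceName);
            if (requestSecurityToken.getTokenType() == null && configuredTokenType != null) {
                requestSecurityToken.setTokenType(URI.create(configuredTokenType));
            }
            serviceProviderCert = this.configuration.getServiceProviderCertificate(serviceName);
            if (serviceProviderCert != null) {
                serviceProviderKey = serviceProviderCert.getPublicKey();
            }
        }

        WSTrustRequestContext context = new WSTrustRequestContext(requestSecurityToken, principal);
        context.setTokenIssuer(this.configuration.getSTSName());
        applyDefaultLifetime(requestSecurityToken);
        context.setServiceProviderPublicKey(serviceProviderKey);

        ClaimsType claims = requestSecurityToken.getClaims();
        if (claims != null) {
            ClaimsProcessor claimsProcessor = this.configuration.getClaimsProcessor(claims.getDialect());
            if (claimsProcessor != null) {
                context.setClaimedAttributes(claimsProcessor.processClaims(claims, principal));
            } else if (logger.isDebugEnabled()) {
                logger.debug("Claims have been specified in the request but no processor was found for dialect " + claims.getDialect());
            }
        }
        applyOnBehalfOf(context, requestSecurityToken);

        URI keyType = requestSecurityToken.getKeyType();
        if (keyType == null) {
            logger.debug("No key type could be found in the request. Using the default BEARER type.");
            keyType = URI.create(WSTrustConstants.KEY_TYPE_BEARER);
            requestSecurityToken.setKeyType(keyType);
        }
        long keySize = requestSecurityToken.getKeySize();
        if (keySize == 0) {
            logger.debug("No key size could be found in the request. Using the default size. (" + KEY_SIZE + ")");
            keySize = KEY_SIZE;
            requestSecurityToken.setKeySize(keySize);
        }
        URI keyWrapAlgorithm = requestSecurityToken.getKeyWrapAlgorithm();

        RequestedProofTokenType proofToken = null;
        EntropyType responseEntropy = null;
        if (SYMMETRIC_KEY_TYPE.equalsIgnoreCase(keyType.toString())) {
            // Bound the size before generating anything; the requester controls this value.
            int keyBytes = keyBytes(keySize);
            proofToken = new RequestedProofTokenType();
            byte[] stsEntropy = WSTrustUtil.createRandomSecret(keyBytes);
            BinarySecretType stsSecret = new BinarySecretType();
            stsSecret.setType(WSTrustConstants.BS_TYPE_NONCE);
            stsSecret.setValue(Base64.encodeBytes(stsEntropy).getBytes(StandardCharsets.UTF_8));

            // Client entropy, if present, is combined with ours via P_SHA1 (WS-Trust ComputedKey).
            byte[] clientEntropy = null;
            EntropyType requestEntropy = requestSecurityToken.getEntropy();
            if (requestEntropy != null) {
                byte[] encodedClientSecret = WSTrustUtil.getBinarySecret(requestEntropy);
                if (encodedClientSecret != null) {
                    clientEntropy = Base64.decode(new String(encodedClientSecret, StandardCharsets.UTF_8));
                }
                // Our entropy is echoed back so the client can derive the same key.
                responseEntropy = new EntropyType();
                responseEntropy.addAny(stsSecret);
            }

            if (clientEntropy == null || clientEntropy.length == 0) {
                // No usable client entropy: our nonce is the proof key, returned directly in the
                // proof token and wrapped for the service provider in the KeyInfo.
                proofToken.add(stsSecret);
                context.setProofTokenInfo(WSTrustUtil.createKeyInfo(stsEntropy, serviceProviderKey, keyWrapAlgorithm, serviceProviderCert));
            } else {
                proofToken.add(new ComputedKeyType(WSTrustConstants.CK_PSHA1));
                try {
                    byte[] combinedKey = WSTrustUtil.P_SHA1(clientEntropy, stsEntropy, keyBytes);
                    byte[] keyMaterial = this.base64EncodeSecretKey
                            ? Base64.encodeBytes(combinedKey).getBytes(StandardCharsets.UTF_8)
                            : combinedKey;
                    context.setProofTokenInfo(WSTrustUtil.createKeyInfo(keyMaterial, serviceProviderKey, keyWrapAlgorithm, serviceProviderCert));
                } catch (Exception e) {
                    throw logger.wsTrustCombinedSecretKeyError(e);
                }
            }
        } else if (WSTrustConstants.KEY_TYPE_PUBLIC.equalsIgnoreCase(keyType.toString())) {
            // Prefer the certificate the STS already knows for this principal; fall back to the
            // key the requester supplies in UseKey.
            Certificate principalCert = this.configuration.getCertificate(principal.getName());
            if (principalCert != null) {
                context.setProofTokenInfo(WSTrustUtil.createKeyInfo(principalCert));
            } else {
                if (requestSecurityToken.getUseKey() == null) {
                    throw logger.wsTrustClientPublicKeyError();
                }
                // NOTE(review): nothing here checks that the requester actually holds the private
                // half of the UseKey material; that proof, if any, must come from the message
                // security layer in front of this handler. Confirm before relying on it.
                applyUseKey(context, requestSecurityToken);
            }
        }

        try {
            if (requestSecurityToken.getTokenType() != null) {
                context.setTokenType(requestSecurityToken.getTokenType().toString());
            }
            PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
            sts.initialize(this.configuration);
            sts.issueToken(context);

            SecurityToken securityToken = context.getSecurityToken();
            if (securityToken == null) {
                throw new WSTrustException(logger.nullValueError("Token issued by STS"));
            }
            RequestedSecurityTokenType requestedToken = new RequestedSecurityTokenType();
            requestedToken.add(securityToken.getTokenValue());

            RequestSecurityTokenResponse response = newResponse(requestSecurityToken);
            response.setTokenType(requestSecurityToken.getTokenType());
            response.setLifetime(requestSecurityToken.getLifetime());
            response.setAppliesTo(appliesTo);
            response.setKeySize(keySize);
            response.setKeyType(keyType);
            response.setRequestedSecurityToken(requestedToken);
            if (proofToken != null) {
                response.setRequestedProofToken(proofToken);
            }
            if (responseEntropy != null) {
                response.setEntropy(responseEntropy);
            }
            copyReferences(context, response);
            return response;
        } catch (ProcessingException e) {
            throw logger.stsError(e);
        }
    }

    /**
     * Handles a Renew request: checks the STS signature on the renew target (when signing is
     * configured), then delegates the actual renewal to the core STS.
     *
     * <p>Only the signature is checked here; expiry and any other validity conditions are left
     * to the token provider invoked through {@code PicketLinkCoreSTS.renewToken}.
     *
     * @param requestSecurityToken the parsed RST carrying the RenewTarget
     * @param principal            the authenticated requester
     * @return the RSTR carrying the renewed token
     * @throws WSTrustException if the target is missing, its signature does not verify, or the
     *                          core STS fails to renew it
     */
    @Override
    public RequestSecurityTokenResponse renew(RequestSecurityToken requestSecurityToken, Principal principal) throws WSTrustException {
        logger.trace("Validating token for renew request " + requestSecurityToken.getContext());
        if (requestSecurityToken.getRenewTargetElement() == null) {
            throw new WSTrustException(logger.nullValueError("renew target"));
        }
        Node token = requestSecurityToken.getRenewTargetElement().getFirstChild();
        if (token == null) {
            throw new WSTrustException(logger.nullValueError("security token"));
        }
        setupIDAttribute(token);

        if (!this.configuration.signIssuedToken() || this.configuration.getSTSKeyPair() == null) {
            // Signature cannot be verified without the STS key pair; the token provider is
            // then the only line of defence for this renewal.
            logger.stsSecurityTokenSignatureNotVerified();
        } else {
            boolean signatureValid;
            try {
                signatureValid = isSignedByThisSts(token, this.configuration.getSTSKeyPair().getPublic());
            } catch (Exception e) {
                throw new WSTrustException(logger.signatureInvalidError("Validation failure during renewal:", e));
            }
            if (!signatureValid) {
                throw new WSTrustException(logger.signatureInvalidError("Validation failure during renewal", null));
            }
        }

        applyDefaultLifetime(requestSecurityToken);
        WSTrustRequestContext context = new WSTrustRequestContext(requestSecurityToken, principal);
        context.setTokenIssuer(this.configuration.getSTSName());
        applyOnBehalfOf(context, requestSecurityToken);
        setTokenQName(context, token);

        PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
        sts.initialize(this.configuration);
        sts.renewToken(context);

        SecurityToken securityToken = context.getSecurityToken();
        if (securityToken == null) {
            throw new WSTrustException(logger.nullValueError("Security Token from context"));
        }
        RequestedSecurityTokenType requestedToken = new RequestedSecurityTokenType();
        requestedToken.add(securityToken.getTokenValue());

        RequestSecurityTokenResponse response = newResponse(requestSecurityToken);
        response.setTokenType(requestSecurityToken.getTokenType());
        response.setLifetime(requestSecurityToken.getLifetime());
        response.setRequestedSecurityToken(requestedToken);
        copyReferences(context, response);
        return response;
    }

    /**
     * Handles a Validate request: checks the STS signature on the validate target (when signing
     * is configured) and, if that passes or is skipped, asks the token provider for a status.
     *
     * <p>A failed or erroring signature check is reported as an INVALID status in the RSTR, not
     * as an exception. Note that the reason string for an error includes the exception message,
     * so low-level parser/crypto details are returned to the requester.
     *
     * @param requestSecurityToken the parsed RST carrying the ValidateTarget
     * @param principal            the authenticated requester
     * @return the RSTR carrying a {@link StatusType}
     * @throws WSTrustException if the target is missing or the token provider fails
     */
    @Override
    public RequestSecurityTokenResponse validate(RequestSecurityToken requestSecurityToken, Principal principal) throws WSTrustException {
        logger.trace("Started validation for request " + requestSecurityToken.getContext());
        if (requestSecurityToken.getValidateTargetElement() == null) {
            throw new WSTrustException(logger.nullValueError("request does not have a validate target. Unable to validate token"));
        }
        if (requestSecurityToken.getTokenType() == null) {
            requestSecurityToken.setTokenType(URI.create(STATUS_TOKEN_TYPE));
        }
        Node token = requestSecurityToken.getValidateTargetElement().getFirstChild();
        if (token == null) {
            throw new WSTrustException(logger.nullValueError("security token:Unable to validate token"));
        }
        setupIDAttribute(token);

        WSTrustRequestContext context = new WSTrustRequestContext(requestSecurityToken, principal);
        applyOnBehalfOf(context, requestSecurityToken);

        StatusType status = null;
        if (!this.configuration.signIssuedToken() || this.configuration.getSTSKeyPair() == null) {
            logger.stsSecurityTokenSignatureNotVerified();
        } else {
            PublicKey stsPublicKey = this.configuration.getSTSKeyPair().getPublic();
            if (logger.isTraceEnabled()) {
                try {
                    logger.trace("Going to validate signature for: " + DocumentUtil.getNodeAsString(token));
                } catch (Exception ignored) {
                    // diagnostics only; serialisation trouble must not change the outcome
                }
            }
            try {
                if (!isSignedByThisSts(token, stsPublicKey)) {
                    status = invalidStatus("Validation failure: digital signature is invalid");
                }
            } catch (Exception e) {
                status = invalidStatus("Validation failure: unable to verify digital signature: " + e.getMessage());
            }
        }

        if (status == null) {
            logger.trace("Delegating token validation to token provider. Token NS: " + token.getNamespaceURI() + " ::LocalName: " + token.getLocalName());
            setTokenQName(context, token);
            PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
            sts.initialize(this.configuration);
            sts.validateToken(context);
            status = context.getStatus();
        }

        RequestSecurityTokenResponse response = newResponse(requestSecurityToken);
        response.setTokenType(requestSecurityToken.getTokenType());
        response.setStatus(status);
        return response;
    }

    /**
     * Handles a Cancel request by delegating to the core STS.
     *
     * <p>Unlike renew and validate, the cancel target's signature is not checked in this
     * handler; whether the token provider checks it is not visible here.
     *
     * @param requestSecurityToken the parsed RST carrying the CancelTarget
     * @param principal            the authenticated requester
     * @return the RSTR carrying a RequestedTokenCancelled element
     * @throws WSTrustException if the target is missing or the token provider fails
     */
    @Override
    public RequestSecurityTokenResponse cancel(RequestSecurityToken requestSecurityToken, Principal principal) throws WSTrustException {
        if (requestSecurityToken.getCancelTargetElement() == null) {
            throw new WSTrustException(logger.nullValueError("request does not have a cancel target. Unable to cancel token"));
        }
        Node token = requestSecurityToken.getCancelTargetElement().getFirstChild();
        if (token == null) {
            throw new WSTrustException(logger.nullValueError("security token. Unable to cancel token"));
        }

        WSTrustRequestContext context = new WSTrustRequestContext(requestSecurityToken, principal);
        applyOnBehalfOf(context, requestSecurityToken);
        setTokenQName(context, token);

        PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
        sts.initialize(this.configuration);
        sts.cancelToken(context);

        RequestSecurityTokenResponse response = newResponse(requestSecurityToken);
        response.setRequestedTokenCancelled(new RequestedTokenCancelledType());
        return response;
    }

    /**
     * Signs and/or encrypts the issued token inside the serialised RSTR, for Issue and Renew
     * responses only; every other request type is returned untouched.
     *
     * @param document             the serialised RSTR
     * @param requestSecurityToken the request that produced it
     * @return the (possibly replaced) document with the token signed/encrypted as configured
     * @throws WSTrustException if signing or encryption fails
     */
    @Override
    public Document postProcess(Document document, RequestSecurityToken requestSecurityToken) throws WSTrustException {
        URI requestType = requestSecurityToken.getRequestType();
        String type = requestType == null ? null : requestType.toString();
        if (!WSTrustConstants.ISSUE_REQUEST.equals(type) && !WSTrustConstants.RENEW_REQUEST.equals(type)) {
            return document;
        }
        document = DocumentUtil.normalizeNamespaces(document);
        if (this.configuration.signIssuedToken() && this.configuration.getSTSKeyPair() != null) {
            document = signIssuedToken(document, requestSecurityToken);
        }
        if (this.configuration.encryptIssuedToken()) {
            encryptIssuedToken(document, requestSecurityToken);
        }
        return document;
    }

    // ---------------------------------------------------------------------------------------
    // helpers
    // ---------------------------------------------------------------------------------------

    /** Applies the configured default lifetime when the request carries none (and a timeout is set). */
    private void applyDefaultLifetime(RequestSecurityToken request) {
        if (request.getLifetime() == null && this.configuration.getIssuedTokenTimeout() != 0) {
            logger.stsTokenTimeoutNotSpecified();
            request.setLifetime(WSTrustUtil.createDefaultLifetime(this.configuration.getIssuedTokenTimeout()));
        }
    }

    /** Copies the OnBehalfOf principal, if any, from the request into the context. */
    private static void applyOnBehalfOf(WSTrustRequestContext context, RequestSecurityToken request) throws WSTrustException {
        if (request.getOnBehalfOf() != null) {
            context.setOnBehalfOfPrincipal(WSTrustUtil.getOnBehalfOfPrincipal(request.getOnBehalfOf()));
        }
    }

    /** Records the token's qualified name so the core STS can pick the matching token provider. */
    private static void setTokenQName(WSTrustRequestContext context, Node token) throws WSTrustException {
        try {
            context.setQName(new QName(token.getNamespaceURI(), token.getLocalName()));
        } catch (ProcessingException e) {
            throw logger.stsError(e);
        }
    }

    /** Creates an RSTR that echoes the request's Context attribute when present. */
    private static RequestSecurityTokenResponse newResponse(RequestSecurityToken request) {
        RequestSecurityTokenResponse response = new RequestSecurityTokenResponse();
        if (request.getContext() != null) {
            response.setContext(request.getContext());
        }
        return response;
    }

    /** Copies attached/unattached references produced by the token provider into the RSTR. */
    private static void copyReferences(WSTrustRequestContext context, RequestSecurityTokenResponse response) {
        if (context.getAttachedReference() != null) {
            response.setRequestedAttachedReference(context.getAttachedReference());
        }
        if (context.getUnattachedReference() != null) {
            response.setRequestedUnattachedReference(context.getUnattachedReference());
        }
    }

    /** Builds an INVALID status with the given reason. */
    private static StatusType invalidStatus(String reason) {
        StatusType status = new StatusType();
        status.setCode(WSTrustConstants.STATUS_CODE_INVALID);
        status.setReason(reason);
        return status;
    }

    /**
     * Converts a requester-supplied KeySize (bits) to a byte count, rejecting values that are
     * non-positive, not a multiple of 8, or above {@link #MAX_KEY_SIZE}. Without this bound the
     * value is cast to int and used directly as an allocation size.
     */
    private static int keyBytes(long keySizeBits) throws WSTrustException {
        if (keySizeBits <= 0 || keySizeBits % 8 != 0 || keySizeBits > MAX_KEY_SIZE) {
            throw new WSTrustException("Unsupported KeySize " + keySizeBits
                    + ": expected a multiple of 8 between 8 and " + MAX_KEY_SIZE + " bits");
        }
        return (int) (keySizeBits / 8);
    }

    /**
     * Verifies the XML signature on {@code token} against the STS public key. The token is
     * copied into a fresh document first so the signature's Reference resolves inside the token
     * alone rather than in the surrounding request.
     *
     * @throws Exception whatever the DOM/XMLDSig utilities throw; callers decide whether that
     *                   is fatal (renew) or an INVALID status (validate)
     */
    private static boolean isSignedByThisSts(Node token, PublicKey stsPublicKey) throws Exception {
        Document detached = DocumentUtil.createDocument();
        detached.appendChild(detached.importNode(token, true));
        XMLSignatureUtil.propagateIDAttributeSetup(token, detached.getDocumentElement());
        return XMLSignatureUtil.validate(detached, stsPublicKey);
    }

    /**
     * Turns each UseKey entry into proof-token KeyInfo on the context. Entries are processed in
     * order and the last one wins. Accepted entries: a ready {@link KeyInfoType}, an
     * {@code X509Certificate} element, a {@code KeyValue} element, or any other element (which is
     * embedded as-is).
     */
    private static void applyUseKey(WSTrustRequestContext context, RequestSecurityToken request) throws WSTrustException {
        for (Object entry : request.getUseKey().getAny()) {
            if (entry instanceof KeyInfoType) {
                context.setProofTokenInfo((KeyInfoType) entry);
            } else if (entry instanceof Element) {
                Element element = (Element) entry;
                String localName = element.getLocalName();
                Object content = element;
                if ("X509Certificate".equals(localName)) {
                    X509DataType x509Data = new X509DataType();
                    x509Data.add(element);
                    content = x509Data;
                } else if ("KeyValue".equals(localName)) {
                    content = parseKeyValue(element);
                }
                KeyInfoType keyInfo = new KeyInfoType();
                keyInfo.addContent(content);
                context.setProofTokenInfo(keyInfo);
            } else {
                throw new WSTrustException(logger.unsupportedType(String.valueOf(entry)));
            }
        }
    }

    /**
     * Handles a {@code KeyValue} UseKey entry. An RSAKeyValue child is parsed only to reject
     * malformed input and the original {@code KeyValue} element is then embedded unchanged; a
     * DSAKeyValue child is replaced by its parsed form. That asymmetry is inherited from the
     * original handler and kept here because the downstream marshalling of either form is not
     * visible in this file. A KeyValue with neither child is rejected instead of producing a
     * KeyInfo with null content.
     */
    private static Object parseKeyValue(Element keyValue) throws WSTrustException {
        Element rsaKeyValue = DocumentUtil.getChildElement(keyValue, new QName("RSAKeyValue"));
        if (rsaKeyValue != null) {
            try {
                SignatureUtil.getRSAKeyValue(rsaKeyValue);
            } catch (ParsingException e) {
                throw logger.stsError(e);
            }
            return keyValue;
        }
        Element dsaKeyValue = DocumentUtil.getChildElement(keyValue, new QName("DSAKeyValue"));
        if (dsaKeyValue == null) {
            throw new WSTrustException(logger.unsupportedType("KeyValue without RSAKeyValue or DSAKeyValue"));
        }
        try {
            return SignatureUtil.getDSAKeyValue(dsaKeyValue);
        } catch (ParsingException e) {
            throw logger.stsError(e);
        }
    }

    /** Locates the token element inside the first RequestedSecurityToken of the RSTR document. */
    private static Element issuedTokenElement(Document document) throws WSTrustException {
        Node holder = document.getElementsByTagNameNS(WSTrustConstants.BASE_NAMESPACE, WSTrustConstants.REQUESTED_TOKEN).item(0);
        Node token = holder == null ? null : holder.getFirstChild();
        if (!(token instanceof Element)) {
            throw new WSTrustException(logger.nullValueError("RequestedSecurityToken element"));
        }
        return (Element) token;
    }

    /**
     * Signs the issued token with the STS key pair.
     *
     * <p>NOTE(review): the signature method is whatever the requester put in the RST (default
     * RSA-SHA1) and the digest is fixed to SHA-1; nothing here restricts either to a modern
     * algorithm. {@code XMLSignatureUtil.setCanonicalizationMethodType} is a static setting and
     * is re-applied on every call.
     */
    private Document signIssuedToken(Document document, RequestSecurityToken request) throws WSTrustException {
        KeyPair stsKeyPair = this.configuration.getSTSKeyPair();
        URI requestedAlgorithm = request.getSignatureAlgorithm();
        String signatureMethod = requestedAlgorithm != null ? requestedAlgorithm.toString() : DEFAULT_SIGNATURE_METHOD;
        try {
            Element token = issuedTokenElement(document);
            logger.trace("NamespaceURI of element to be signed: " + token.getNamespaceURI());
            X509Certificate signingCert = null;
            String signingAlias = this.configuration.getSigningCertificateAlias();
            if (signingAlias != null) {
                signingCert = (X509Certificate) this.configuration.getCertificate(signingAlias);
            }
            XMLSignatureUtil.setCanonicalizationMethodType(this.configuration.getXMLDSigCanonicalizationMethod());
            Document signed = XMLSignatureUtil.sign(document, token, stsKeyPair, DIGEST_METHOD, signatureMethod, setupIDAttribute(token), signingCert);
            if (logger.isTraceEnabled()) {
                try {
                    logger.trace("valid=" + isSignedByThisSts(token, stsKeyPair.getPublic()));
                } catch (Exception ignored) {
                    // self-check is diagnostic only and must never fail the response
                }
            }
            return signed;
        } catch (Exception e) {
            throw new WSTrustException(logger.signatureError(e));
        }
    }

    /**
     * Encrypts the issued token for the relying party named in AppliesTo. When no public key is
     * configured for that party the token is left in clear and a warning is logged; it is not
     * an error.
     */
    private void encryptIssuedToken(Document document, RequestSecurityToken request) throws WSTrustException {
        PublicKey serviceProviderKey = null;
        if (request.getAppliesTo() != null) {
            String serviceName = WSTrustUtil.parseAppliesTo(request.getAppliesTo());
            logger.trace("Locating public key for " + serviceName);
            if (serviceName != null) {
                serviceProviderKey = this.configuration.getServiceProviderPublicKey(serviceName);
            }
        }
        if (serviceProviderKey == null) {
            logger.stsSecurityTokenShouldBeEncrypted();
            return;
        }
        long keySize = request.getKeySize();
        int keyBytes = keyBytes(keySize);
        Element token = issuedTokenElement(document);
        try {
            XMLEncryptionUtil.encryptElement(document, token, serviceProviderKey,
                    new SecretKeySpec(WSTrustUtil.createRandomSecret(keyBytes), "AES"), (int) keySize);
        } catch (ProcessingException e) {
            throw new WSTrustException(logger.encryptProcessError(e));
        }
    }

    /**
     * Marks the ID attribute of a SAML 2.0 ({@code ID}) or SAML 1.x ({@code AssertionID})
     * Assertion element as a DOM ID so a signature Reference of the form {@code #id} resolves to
     * it, and returns that reference URI. Returns {@code ""} for anything else. Only the element
     * passed in is marked, never its descendants.
     */
    private static String setupIDAttribute(Node node) {
        if (!(node instanceof Element)) {
            return "";
        }
        Element element = (Element) node;
        if (!"Assertion".equals(element.getLocalName())) {
            return "";
        }
        String namespace = element.getNamespaceURI();
        if (WSTrustConstants.SAML2_ASSERTION_NS.equals(namespace) && element.hasAttribute("ID")) {
            element.setIdAttribute("ID", true);
            return "#" + element.getAttribute("ID");
        }
        if (SAML11_ASSERTION_NS.equals(namespace) && element.hasAttribute(SAML11Constants.ASSERTIONID)) {
            element.setIdAttribute(SAML11Constants.ASSERTIONID, true);
            return "#" + element.getAttribute(SAML11Constants.ASSERTIONID);
        }
        return "";
    }
}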
