package org.apache.wss4j.stax.impl.processor.input;

import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import org.apache.wss4j.binding.wss10.SecurityTokenReferenceType;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.ext.Attachment;
import org.apache.wss4j.common.ext.AttachmentRequestCallback;
import org.apache.wss4j.common.ext.AttachmentResultCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.AttachmentUtils;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityEvent.EncryptedPartSecurityEvent;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.binding.xmldsig.KeyInfoType;
import org.apache.xml.security.binding.xmldsig.TransformType;
import org.apache.xml.security.binding.xmldsig.TransformsType;
import org.apache.xml.security.binding.xmlenc.CipherReferenceType;
import org.apache.xml.security.binding.xmlenc.EncryptedDataType;
import org.apache.xml.security.binding.xmlenc.ReferenceList;
import org.apache.xml.security.binding.xmlenc.ReferenceType;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.config.ConfigurationProperties;
import org.apache.xml.security.stax.config.TransformerAlgorithmMapper;
import org.apache.xml.security.stax.ext.DocumentContext;
import org.apache.xml.security.stax.ext.InboundSecurityContext;
import org.apache.xml.security.stax.ext.InputProcessorChain;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.stax.ext.XMLSecurityUtils;
import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
import org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor;
import org.apache.xml.security.stax.impl.util.LimitingInputStream;
import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-177.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-stax-2.0.3.jar:org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.class */
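/**
 * WS-Security flavour of the streaming decrypt processor.
 *
 * <p>On top of the inherited XML decryption it (a) reports Basic Security Profile (BSP) findings
 * to the {@link WSInboundSecurityContext}, (b) registers the security events for decrypted
 * elements, content and SOAP parts, (c) wraps transform output in a {@link LimitingInputStream},
 * and (d) decrypts SOAP-with-Attachments (SwA) parts once the XML stream has been processed.
 *
 * <p>Everything reachable from the {@code EncryptedData} / {@code ReferenceList} structures is
 * taken from the incoming message and must be treated as untrusted input.
 */
public class DecryptInputProcessor extends AbstractDecryptInputProcessor {
    private static final Logger log = LoggerFactory.getLogger(DecryptInputProcessor.class);

    /** EncryptedData {@code Type} value for an attachment whose content only is encrypted. */
    private static final String SWA_CONTENT_ONLY_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Only";

    /** EncryptedData {@code Type} value for an attachment whose headers and content are encrypted. */
    private static final String SWA_COMPLETE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete";

    /** Only Content-ID URIs are accepted as attachment cipher references. */
    private static final String CID_PREFIX = "cid:";

    /**
     * Limit handed to {@link LimitingInputStream} for transform output (presumably a cap on the
     * number of bytes a decompressing transform may produce -- confirm against that class).
     * Read once at class initialisation; a missing or non-numeric property value makes
     * {@code Long.valueOf} throw and therefore class initialisation fail.
     */
    private static final Long maximumAllowedDecompressedBytes = Long.valueOf(ConfigurationProperties.getProperty("MaximumAllowedDecompressedBytes"));

    /** Attachment references collected while streaming; decrypted in {@link #doFinal}. */
    private final List<DeferredAttachment> attachmentReferences;

    /**
     * Event-reader processor that registers WS-Security specific events for decrypted elements.
     */
    class DecryptedEventReaderInputProcessor extends AbstractDecryptInputProcessor.AbstractDecryptedEventReaderInputProcessor {
        /**
         * Forwards every argument unchanged to the superclass constructor.
         *
         * @param superFlag boolean whose meaning is defined by the superclass (not visible here)
         */
        DecryptedEventReaderInputProcessor(XMLSecurityProperties securityProperties, SecurePart.Modifier encryptionModifier, boolean superFlag, XMLSecStartElement startElement, EncryptedDataType encryptedData, DecryptInputProcessor owner, InboundSecurityToken token) {
            super(securityProperties, encryptionModifier, superFlag, startElement, encryptedData, owner, token);
        }

        /**
         * Registers the security event for a decrypted element: an
         * {@link EncryptedPartSecurityEvent} when the element path has three entries and lies in
         * the SOAP header, otherwise an {@link EncryptedElementSecurityEvent}.
         *
         * @throws XMLSecurityException if the security context rejects the event
         */
        @Override // org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor.AbstractDecryptedEventReaderInputProcessor
        protected void handleEncryptedElement(InputProcessorChain inputProcessorChain, XMLSecStartElement startElement, InboundSecurityToken token, EncryptedDataType encryptedData) throws XMLSecurityException {
            List<QName> elementPath = startElement.getElementPath();
            if (elementPath.size() == 3 && WSSUtils.isInSOAPHeader(elementPath)) {
                DecryptInputProcessor.registerEncryptedPartEvent(inputProcessorChain, startElement, token, encryptedData, elementPath);
                return;
            }
            EncryptedElementSecurityEvent elementEvent = new EncryptedElementSecurityEvent(token, true, inputProcessorChain.getDocumentContext().getProtectionOrder());
            elementEvent.setElementPath(elementPath);
            elementEvent.setXmlSecEvent(startElement);
            elementEvent.setCorrelationID(encryptedData.getId());
            inputProcessorChain.getSecurityContext().registerSecurityEvent(elementEvent);
        }
    }

    /**
     * Immutable record of one encrypted attachment whose decryption is postponed to
     * {@link DecryptInputProcessor#doFinal}. Static because it never touches the enclosing
     * processor instance.
     */
    private static final class DeferredAttachment {
        private final EncryptedDataType encryptedDataType;
        private final Cipher cipher;
        private final InboundSecurityToken inboundSecurityToken;

        private DeferredAttachment(EncryptedDataType encryptedDataType, Cipher cipher, InboundSecurityToken inboundSecurityToken) {
            this.encryptedDataType = encryptedDataType;
            this.cipher = cipher;
            this.inboundSecurityToken = inboundSecurityToken;
        }

        private EncryptedDataType getEncryptedDataType() {
            return this.encryptedDataType;
        }

        private Cipher getCipher() {
            return this.cipher;
        }

        private InboundSecurityToken getInboundSecurityToken() {
            return this.inboundSecurityToken;
        }
    }

    /**
     * Creates the processor and immediately runs the BSP checks on the key info and the
     * reference list, reporting non-"#" reference URIs as {@link BSPRule#R3006}.
     *
     * @throws XMLSecurityException if the superclass constructor or a BSP check fails
     */
    public DecryptInputProcessor(KeyInfoType keyInfoType, ReferenceList referenceList, WSSSecurityProperties securityProperties, WSInboundSecurityContext securityContext) throws XMLSecurityException {
        super(keyInfoType, referenceList, securityProperties);
        this.attachmentReferences = new ArrayList<DeferredAttachment>();
        checkBSPCompliance(keyInfoType, referenceList, securityContext, BSPRule.R3006);
    }

    /**
     * Reports BSP findings to the security context. Whether a finding rejects the message is
     * decided by {@code handleBSPRule}, not here.
     *
     * <ul>
     *   <li>R5424 when the key info does not hold exactly one child;</li>
     *   <li>R5426 when the key info holds no {@code wsse:SecurityTokenReference};</li>
     *   <li>{@code referenceRule} for every reference whose URI does not start with "#".</li>
     * </ul>
     *
     * @throws WSSecurityException if the security context raises one for a reported rule
     */
    private void checkBSPCompliance(KeyInfoType keyInfoType, ReferenceList referenceList, WSInboundSecurityContext securityContext, BSPRule referenceRule) throws WSSecurityException {
        if (keyInfoType != null) {
            if (keyInfoType.getContent().size() != 1) {
                securityContext.handleBSPRule(BSPRule.R5424);
            }
            SecurityTokenReferenceType securityTokenReference = (SecurityTokenReferenceType) XMLSecurityUtils.getQNameType(keyInfoType.getContent(), WSSConstants.TAG_wsse_SecurityTokenReference);
            if (securityTokenReference == null) {
                securityContext.handleBSPRule(BSPRule.R5426);
            }
        }
        if (referenceList == null) {
            return;
        }
        for (JAXBElement<ReferenceType> reference : referenceList.getDataReferenceOrKeyReference()) {
            if (!reference.getValue().getURI().startsWith("#")) {
                securityContext.handleBSPRule(referenceRule);
            }
        }
    }

    /**
     * Applies the single transform declared on a reference and bounds its output.
     *
     * <p>The transform algorithm comes from the message. The transformer class is resolved
     * through {@link TransformerAlgorithmMapper} and its output is wrapped in a
     * {@link LimitingInputStream} configured with {@code MaximumAllowedDecompressedBytes}.
     *
     * @param referenceType reference that may carry a {@code dsig:Transforms} child; may be null
     * @param inputStream stream to transform
     * @return the wrapped transformer stream, or {@code inputStream} unchanged when there is no
     *         reference or no {@code Transforms} element
     * @throws XMLSecurityException if more than one transform is declared, if the
     *         {@code Transforms} element is empty, or if the transformer cannot be instantiated
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor
    protected InputStream applyTransforms(ReferenceType referenceType, InputStream inputStream) throws XMLSecurityException {
        if (referenceType == null) {
            return inputStream;
        }
        TransformsType transformsType = (TransformsType) XMLSecurityUtils.getQNameType(referenceType.getAny(), XMLSecurityConstants.TAG_dsig_Transforms);
        if (transformsType == null) {
            return inputStream;
        }
        List<TransformType> transforms = transformsType.getTransform();
        if (transforms.size() > 1) {
            throw new XMLSecurityException("stax.encryption.Transforms.NotYetImplemented");
        }
        if (transforms.isEmpty()) {
            // An empty Transforms element used to surface as an unchecked
            // IndexOutOfBoundsException from get(0); reject it as a failed check instead.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
        }
        try {
            return new LimitingInputStream((InputStream) TransformerAlgorithmMapper.getTransformerClass(transforms.get(0).getAlgorithm(), XMLSecurityConstants.DIRECTION.IN).getConstructor(InputStream.class).newInstance(inputStream), maximumAllowedDecompressedBytes.longValue());
        } catch (IllegalAccessException e) {
            throw new XMLSecurityException(e);
        } catch (InstantiationException e) {
            throw new XMLSecurityException(e);
        } catch (NoSuchMethodException e) {
            throw new XMLSecurityException(e);
        } catch (InvocationTargetException e) {
            throw new XMLSecurityException(e);
        }
    }

    /**
     * Registers the security event for decrypted element content: an
     * {@link EncryptedPartSecurityEvent} when the element path has two entries and lies in the
     * SOAP body, otherwise a {@link ContentEncryptedElementSecurityEvent}.
     *
     * @throws XMLSecurityException if the security context rejects the event
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor
    protected void handleEncryptedContent(InputProcessorChain inputProcessorChain, XMLSecStartElement startElement, InboundSecurityToken token, EncryptedDataType encryptedData) throws XMLSecurityException {
        List<QName> elementPath = startElement.getElementPath();
        if (elementPath.size() == 2 && WSSUtils.isInSOAPBody(elementPath)) {
            registerEncryptedPartEvent(inputProcessorChain, startElement, token, encryptedData, elementPath);
            return;
        }
        ContentEncryptedElementSecurityEvent contentEvent = new ContentEncryptedElementSecurityEvent(token, true, inputProcessorChain.getDocumentContext().getProtectionOrder());
        contentEvent.setElementPath(elementPath);
        contentEvent.setXmlSecEvent(startElement);
        contentEvent.setCorrelationID(encryptedData.getId());
        inputProcessorChain.getSecurityContext().registerSecurityEvent(contentEvent);
    }

    /** Builds and registers the {@link EncryptedPartSecurityEvent} for a decrypted SOAP part. */
    private static void registerEncryptedPartEvent(InputProcessorChain inputProcessorChain, XMLSecStartElement startElement, InboundSecurityToken token, EncryptedDataType encryptedData, List<QName> elementPath) throws XMLSecurityException {
        EncryptedPartSecurityEvent partEvent = new EncryptedPartSecurityEvent(token, true, inputProcessorChain.getDocumentContext().getProtectionOrder());
        partEvent.setElementPath(elementPath);
        partEvent.setXmlSecEvent(startElement);
        partEvent.setCorrelationID(encryptedData.getId());
        inputProcessorChain.getSecurityContext().registerSecurityEvent(partEvent);
    }

    /**
     * Validates a cipher reference that points at a SwA attachment and queues it for
     * decryption in {@link #doFinal}.
     *
     * <p>Only the two SwA {@code Type} values are handled; any other type (or none) is ignored
     * here without error. For SwA types the reference must exist and its URI must be a
     * non-empty {@code cid:} URI, so no other URI form is accepted as an attachment reference.
     *
     * @throws XMLSecurityException with {@code FAILED_CHECK} when the reference is missing or
     *         its URI is not an acceptable {@code cid:} URI
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor
    protected void handleCipherReference(InputProcessorChain inputProcessorChain, EncryptedDataType encryptedDataType, Cipher cipher, InboundSecurityToken inboundSecurityToken) throws XMLSecurityException {
        String type = encryptedDataType.getType();
        if (!SWA_CONTENT_ONLY_TYPE.equals(type) && !SWA_COMPLETE_TYPE.equals(type)) {
            return;
        }
        CipherReferenceType cipherReference = encryptedDataType.getCipherData().getCipherReference();
        if (cipherReference == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
        }
        String uri = cipherReference.getURI();
        // The URI must carry at least one character after the "cid:" prefix.
        if (uri == null || uri.length() <= CID_PREFIX.length()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
        }
        if (!uri.startsWith(CID_PREFIX)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
        }
        this.attachmentReferences.add(new DeferredAttachment(encryptedDataType, cipher, inboundSecurityToken));
    }

    /**
     * Checks the data encryption algorithm named in the message and creates the event reader.
     *
     * <p>Two separate checks run on the message-supplied algorithm URI. When a symmetric
     * algorithm is configured, any other URI is rejected with {@code INVALID_SECURITY}; this is
     * the check that pins the algorithm. The second check only reports BSP rule R5620 for URIs
     * outside the listed set, and that set includes 3DES-CBC and AES-CBC, so deployments that
     * want to restrict the algorithm need the configured value rather than the BSP list.
     *
     * @throws XMLSecurityException if the algorithm does not match the configured one, or if
     *         the security context raises one for R5620
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor
    protected AbstractDecryptInputProcessor.AbstractDecryptedEventReaderInputProcessor newDecryptedEventReaderInputProcessor(boolean superFlag, XMLSecStartElement startElement, EncryptedDataType encryptedDataType, InboundSecurityToken inboundSecurityToken, InboundSecurityContext inboundSecurityContext) throws XMLSecurityException {
        String algorithm = encryptedDataType.getEncryptionMethod().getAlgorithm();
        String requiredAlgorithm = getSecurityProperties().getEncryptionSymAlgorithm();
        if (requiredAlgorithm != null && !requiredAlgorithm.equals(algorithm)) {
            // NOTE(review): the message says "Key encryption" although the value compared is
            // the symmetric algorithm of the EncryptedData element.
            log.debug("The Key encryption method does not match the requirement");
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }
        boolean listedForBsp = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc".equals(algorithm)
                || "http://www.w3.org/2001/04/xmlenc#aes128-cbc".equals(algorithm)
                || "http://www.w3.org/2009/xmlenc11#aes128-gcm".equals(algorithm)
                || "http://www.w3.org/2001/04/xmlenc#aes256-cbc".equals(algorithm)
                || "http://www.w3.org/2009/xmlenc11#aes256-gcm".equals(algorithm);
        if (!listedForBsp) {
            ((WSInboundSecurityContext) inboundSecurityContext).handleBSPRule(BSPRule.R5620);
        }
        return new DecryptedEventReaderInputProcessor(getSecurityProperties(), SecurePart.Modifier.getModifier(encryptedDataType.getType()), superFlag, startElement, encryptedDataType, this, inboundSecurityToken);
    }

    /**
     * Marks the token as used for encryption and registers the matching token security event,
     * correlated with the id of the {@code EncryptedData} element.
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor
    protected void handleSecurityToken(InboundSecurityToken inboundSecurityToken, InboundSecurityContext inboundSecurityContext, EncryptedDataType encryptedDataType) throws XMLSecurityException {
        inboundSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_Encryption);
        inboundSecurityContext.registerSecurityEvent(WSSUtils.createTokenSecurityEvent(inboundSecurityToken, encryptedDataType.getId()));
    }

    /**
     * Finishes processing: reconciles references, delegates to the superclass, then decrypts
     * the queued attachments.
     *
     * <p>References whose URI (without its reference marker) is listed under
     * {@code PROP_ENCRYPTED_DATA_REFS} in the security context are added to the processed
     * references before {@code super.doFinal} runs. Afterwards every queued attachment is
     * requested from the attachment callback handler, wrapped in a decrypting stream, handed
     * back through the handler, and reported as an encrypted-part event.
     *
     * @throws XMLSecurityException with {@code INVALID_SECURITY} when no attachment callback
     *         handler is configured or when any step of attachment handling fails
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor, org.apache.xml.security.stax.ext.AbstractInputProcessor, org.apache.xml.security.stax.ext.InputProcessor
    public void doFinal(InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
        List<String> encryptedDataRefs = inputProcessorChain.getSecurityContext().getAsList(WSSConstants.PROP_ENCRYPTED_DATA_REFS);
        if (encryptedDataRefs != null && !encryptedDataRefs.isEmpty()) {
            Map<String, ReferenceType> references = getReferences();
            List<ReferenceType> processedReferences = getProcessedReferences();
            if (references != null) {
                for (ReferenceType reference : references.values()) {
                    String referenceId = WSSUtils.dropReferenceMarker(reference.getURI());
                    // No early exit: a reference is recorded once per matching entry.
                    for (String encryptedDataRef : encryptedDataRefs) {
                        if (encryptedDataRef.equals(referenceId)) {
                            processedReferences.add(reference);
                        }
                    }
                }
            }
        }
        super.doFinal(inputProcessorChain);
        for (int i = 0; i < this.attachmentReferences.size(); i++) {
            DeferredAttachment deferred = this.attachmentReferences.get(i);
            EncryptedDataType encryptedDataType = deferred.getEncryptedDataType();
            InboundSecurityToken inboundSecurityToken = deferred.getInboundSecurityToken();
            Cipher cipher = deferred.getCipher();
            // The "cid:" prefix was verified in handleCipherReference before queueing.
            String attachmentId = encryptedDataType.getCipherData().getCipherReference().getURI().substring(CID_PREFIX.length());
            CallbackHandler attachmentCallbackHandler = ((WSSSecurityProperties) getSecurityProperties()).getAttachmentCallbackHandler();
            if (attachmentCallbackHandler == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "empty", "no attachment callbackhandler supplied");
            }
            AttachmentRequestCallback requestCallback = new AttachmentRequestCallback();
            requestCallback.setAttachmentId(attachmentId);
            try {
                attachmentCallbackHandler.handle(new Callback[]{requestCallback});
                List<Attachment> attachments = requestCallback.getAttachments();
                // The handler must return the attachment that was asked for, first in the list.
                if (attachments == null || attachments.isEmpty() || !attachmentId.equals(attachments.get(0).getId())) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "empty", "Attachment not found");
                }
                Attachment encryptedAttachment = attachments.get(0);
                String algorithm = encryptedDataType.getEncryptionMethod().getAlgorithm();
                InputStream decryptedStream = AttachmentUtils.setupAttachmentDecryptionStream(algorithm, cipher, inboundSecurityToken.getSecretKey(algorithm, XMLSecurityConstants.Enc, encryptedDataType.getId()), encryptedAttachment.getSourceStream());
                Attachment resultAttachment = new Attachment();
                resultAttachment.setId(encryptedAttachment.getId());
                // The MIME type is taken from the EncryptedData element, not from the attachment.
                resultAttachment.setMimeType(encryptedDataType.getMimeType());
                resultAttachment.setSourceStream(decryptedStream);
                resultAttachment.addHeaders(encryptedAttachment.getHeaders());
                if (SWA_COMPLETE_TYPE.equals(encryptedDataType.getType())) {
                    AttachmentUtils.readAndReplaceEncryptedAttachmentHeaders(resultAttachment.getHeaders(), decryptedStream);
                }
                AttachmentResultCallback resultCallback = new AttachmentResultCallback();
                resultCallback.setAttachment(resultAttachment);
                resultCallback.setAttachmentId(resultAttachment.getId());
                attachmentCallbackHandler.handle(new Callback[]{resultCallback});
                EncryptedPartSecurityEvent partEvent = new EncryptedPartSecurityEvent(inboundSecurityToken, true, inputProcessorChain.getDocumentContext().getProtectionOrder());
                partEvent.setAttachment(true);
                partEvent.setCorrelationID(encryptedDataType.getId());
                inputProcessorChain.getSecurityContext().registerSecurityEvent(partEvent);
            } catch (Exception e) {
                // Every failure above is reported as INVALID_SECURITY with the original
                // exception as its cause. The nested catch blocks that produced the same
                // wrapper a second time were removed, so the cause is wrapped only once.
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
            }
        }
    }
}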
