package org.apache.wss4j.dom.str;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.BinarySecurity;
import org.apache.wss4j.dom.message.token.DerivedKeyToken;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.str.STRParser;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-216.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-dom-2.0.3.jar:org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.class */
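/**
 * STRParser that resolves the <em>secret key</em> a {@code wsse:SecurityTokenReference}
 * points at (EncryptedKey, DerivedKeyToken, SAML assertion, SecurityContextToken,
 * BinarySecurityToken or UsernameToken results, or a key supplied by the CallbackHandler).
 * <p>
 * The resolved key and, for derived keys, the principal are stored in instance fields and
 * read back through the getter methods, so an instance is single-use and not thread-safe.
 * Certificates and public keys are never produced by this parser.
 */
public class SecurityTokenRefSTRParser implements STRParser {
    /** Parameter-map key whose value (a signature algorithm URI) sizes derived keys. */
    public static final String SIGNATURE_METHOD = "signature_method";

    // Action codes found under WSSecurityEngineResult.TAG_ACTION of earlier results. The
    // decompiled source carried them as bare literals; they appear to be the WSConstants
    // action flags (UT, ENCR, ST_UNSIGNED, ST_SIGNED, SCT, DKT, BST, UT_NOPASSWORD) — TODO confirm.
    private static final int ACTION_UT = 1;
    private static final int ACTION_ENCR = 4;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_SCT = 1024;
    private static final int ACTION_DKT = 2048;
    private static final int ACTION_BST = 4096;
    private static final int ACTION_UT_NOPASSWORD = 8192;

    // WSPasswordCallback usage code used when asking the CallbackHandler for a secret key
    // by token identifier (presumably WSPasswordCallback.SECRET_KEY — verify).
    private static final int SECRET_KEY_USAGE = 9;

    // KeyIdentifier ValueType URIs that select a resolution strategy.
    private static final String SAML10_ASSERTION_ID_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    private static final String SAML11_ID_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";
    private static final String KERBEROS_APREQ_SHA1_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1";
    private static final String ENCRYPTED_KEY_SHA1_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1";

    /** Secret key resolved by the last parse; null until a reference has been resolved. */
    private byte[] secretKey;
    /** Principal produced by a DerivedKeyToken reference; null for every other token type. */
    private Principal principal;

    /**
     * Resolves the secret key referenced by the given SecurityTokenReference element.
     * <p>
     * Resolution order: a previously processed result with the same id; otherwise a direct
     * Reference (CallbackHandler first, then a BinarySecurityToken in the document); otherwise a
     * KeyIdentifier, handled according to its ValueType. Every path ends in the same check, so a
     * reference that yields no key is rejected with {@code unsupportedKeyId} rather than leaving
     * {@link #getSecretKey()} null.
     *
     * @param element     the {@code wsse:SecurityTokenReference} element
     * @param requestData request context (BSP enforcer, CallbackHandler, WSSConfig, crypto)
     * @param wSDocInfo   results collected so far for this document
     * @param map         parser parameters; {@link #SIGNATURE_METHOD} sizes derived keys
     * @throws WSSecurityException if the reference is malformed, unsupported, or yields no key
     */
    @Override
    public void parseSecurityTokenReference(Element element, RequestData requestData, WSDocInfo wSDocInfo, Map<String, Object> map) throws WSSecurityException {
        SecurityTokenReference secRef = new SecurityTokenReference(element, requestData.getBSPEnforcer());

        // Identifier of the referenced token: a same-document URI fragment or a KeyIdentifier value.
        // An empty URI attribute must not blow up here (it is attacker-controlled XML), so the
        // '#' is stripped with a length-safe helper instead of charAt(0).
        String uri = null;
        if (secRef.containsReference()) {
            uri = stripFragmentPrefix(secRef.getReference().getURI());
        } else if (secRef.containsKeyIdentifier()) {
            uri = secRef.getKeyIdentifierValue();
        }

        WSSecurityEngineResult previous = wSDocInfo.getResult(uri);
        if (previous != null) {
            // The token was already processed earlier in the header: reuse its result.
            processPreviousResult(previous, secRef, requestData, map, wSDocInfo);
        } else if (secRef.containsReference()) {
            this.secretKey = getSecretKeyFromToken(uri, secRef.getReference().getValueType(), requestData);
            if (this.secretKey == null) {
                // Not known to the CallbackHandler: locate the token in the document and, if it is a
                // BinarySecurityToken, process it now to obtain its secret.
                Element tokenElement = secRef.getTokenElement(element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler());
                QName tokenName = new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName());
                if (tokenName.equals(WSSecurityEngine.BINARY_TOKEN)) {
                    List<WSSecurityEngineResult> bstResults =
                        requestData.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN).handleToken(tokenElement, requestData, wSDocInfo);
                    WSSecurityEngineResult bstResult = bstResults.get(0);
                    BinarySecurity bst = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                    STRParserUtil.checkBinarySecurityBSPCompliance(secRef, bst, requestData.getBSPEnforcer());
                    this.secretKey = (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
                }
            }
        } else if (secRef.containsKeyIdentifier()) {
            String valueType = secRef.getKeyIdentifierValueType();
            String keyIdentifier = secRef.getKeyIdentifierValue();
            if (SAML10_ASSERTION_ID_VALUE_TYPE.equals(valueType) || SAML11_ID_VALUE_TYPE.equals(valueType)) {
                this.secretKey = getSecretKeyFromToken(keyIdentifier, valueType, requestData);
                if (this.secretKey == null) {
                    SamlAssertionWrapper assertion = STRParserUtil.getAssertionFromKeyIdentifier(secRef, element, requestData, wSDocInfo);
                    this.secretKey = getSecretKeyFromAssertion(assertion, secRef, requestData, wSDocInfo);
                }
            } else if (KERBEROS_APREQ_SHA1_VALUE_TYPE.equals(valueType)) {
                this.secretKey = getSecretKeyFromToken(keyIdentifier, valueType, requestData);
                if (this.secretKey == null) {
                    // The KeyIdentifier is a digest of a BST already in the document: find that BST.
                    this.secretKey = findSecretKeyByTokenDigest(secRef.getSKIBytes(), wSDocInfo);
                }
            } else {
                if (ENCRYPTED_KEY_SHA1_VALUE_TYPE.equals(valueType)) {
                    STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, requestData.getBSPEnforcer());
                }
                this.secretKey = getSecretKeyFromToken(keyIdentifier, valueType, requestData);
            }
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "noReference");
        }

        requireSecretKey(uri);
    }

    /** This parser never yields certificates; always {@code null}. */
    @Override
    public X509Certificate[] getCertificates() {
        return null;
    }

    /** @return the principal of a DerivedKeyToken reference, or {@code null} for other token types */
    @Override
    public Principal getPrincipal() {
        return this.principal;
    }

    /** This parser never yields a public key; always {@code null}. */
    @Override
    public PublicKey getPublicKey() {
        return null;
    }

    /** @return the secret key resolved by {@link #parseSecurityTokenReference}, or {@code null} before parsing */
    @Override
    public byte[] getSecretKey() {
        return this.secretKey;
    }

    /** No certificates are produced, so there is no certificate reference type; always {@code null}. */
    @Override
    public STRParser.REFERENCE_TYPE getCertificatesReferenceType() {
        return null;
    }

    /** Secret keys resolved here are never reported as a trusted credential. */
    @Override
    public boolean isTrustedCredential() {
        return false;
    }

    /**
     * Removes a leading '#' (same-document fragment marker) from a token reference.
     * Null and empty input are returned unchanged.
     */
    private static String stripFragmentPrefix(String reference) {
        if (reference != null && reference.startsWith("#")) {
            return reference.substring(1);
        }
        return reference;
    }

    /**
     * Fails the parse when no secret key was resolved.
     *
     * @param uri the token identifier, reported in the error
     * @throws WSSecurityException {@code unsupportedKeyId} if {@link #secretKey} is null
     */
    private void requireSecretKey(String uri) throws WSSecurityException {
        if (this.secretKey == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", uri);
        }
    }

    /**
     * Searches the already processed BinarySecurityTokens for one whose token digest equals
     * the given key identifier bytes.
     *
     * @param digest    expected digest of the BST token bytes (from the KeyIdentifier)
     * @param wSDocInfo results collected so far for this document
     * @return the matching BST result's secret, or {@code null} if no BST matches
     * @throws WSSecurityException if digesting a token fails
     */
    private static byte[] findSecretKeyByTokenDigest(byte[] digest, WSDocInfo wSDocInfo) throws WSSecurityException {
        for (WSSecurityEngineResult bstResult : wSDocInfo.getResultsByTag(ACTION_BST)) {
            BinarySecurity bst = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (Arrays.equals(WSSecurityUtil.generateDigest(bst.getToken()), digest)) {
                return (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
            }
        }
        return null;
    }

    /**
     * Asks the CallbackHandler for the secret key belonging to a token identifier.
     *
     * @param id          token identifier; a leading '#' is stripped
     * @param type        the reference ValueType passed to the callback
     * @param requestData supplies the CallbackHandler
     * @return the key the handler set, or {@code null} if there is no handler or it set none
     * @throws WSSecurityException {@code noPassword} wrapping any failure of the handler
     */
    private byte[] getSecretKeyFromToken(String id, String type, RequestData requestData) throws WSSecurityException {
        String tokenId = stripFragmentPrefix(id);
        if (requestData.getCallbackHandler() == null) {
            return null;
        }
        WSPasswordCallback pwcb = new WSPasswordCallback(tokenId, null, type, SECRET_KEY_USAGE);
        try {
            requestData.getCallbackHandler().handle(new Callback[] {pwcb});
        } catch (Exception e) {
            // Deliberately broad: any handler failure (checked or runtime) surfaces as one
            // security error carrying the original cause.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noPassword", e, tokenId);
        }
        return pwcb.getKey();
    }

    /**
     * Extracts the secret key carried in the subject confirmation of a SAML assertion.
     *
     * @throws WSSecurityException if the STR violates the BSP, or the assertion carries no credential
     */
    private byte[] getSecretKeyFromAssertion(SamlAssertionWrapper samlAssertionWrapper, SecurityTokenReference securityTokenReference, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        STRParserUtil.checkSamlTokenBSPCompliance(securityTokenReference, samlAssertionWrapper, requestData.getBSPEnforcer());
        SAMLKeyInfo subjectCredential = SAMLUtil.getCredentialFromSubject(
            samlAssertionWrapper, new WSSSAMLKeyInfoProcessor(requestData, wSDocInfo), requestData.getSigVerCrypto(), requestData.getCallbackHandler());
        if (subjectCredential == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", "No Secret Key");
        }
        return subjectCredential.getSecret();
    }

    /**
     * Derives the secret key (and, for derived keys, the principal) from a result produced
     * earlier for the referenced token, dispatching on that result's action code.
     * Actions not listed leave {@link #secretKey} untouched; the caller then rejects the reference.
     *
     * @param previous    the earlier WSSecurityEngineResult for the referenced token
     * @param secRef      the reference being resolved, for BSP compliance checks
     * @param requestData request context
     * @param map         parser parameters; {@link #SIGNATURE_METHOD} sizes derived keys
     * @param wSDocInfo   document results, needed to resolve SAML subject credentials
     * @throws WSSecurityException on BSP violations or unusable token content
     */
    private void processPreviousResult(WSSecurityEngineResult previous, SecurityTokenReference secRef, RequestData requestData, Map<String, Object> map, WSDocInfo wSDocInfo) throws WSSecurityException {
        int action = (Integer) previous.get(WSSecurityEngineResult.TAG_ACTION);
        switch (action) {
            case ACTION_ENCR:
                STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, requestData.getBSPEnforcer());
                this.secretKey = (byte[]) previous.get(WSSecurityEngineResult.TAG_SECRET);
                break;
            case ACTION_DKT: {
                DerivedKeyToken dkt = (DerivedKeyToken) previous.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
                // The derived key length follows the signature algorithm the caller passed in.
                int keyLength = KeyUtils.getKeyLength((String) map.get(SIGNATURE_METHOD));
                this.secretKey = dkt.deriveKey(keyLength, (byte[]) previous.get(WSSecurityEngineResult.TAG_SECRET));
                this.principal = dkt.createPrincipal();
                break;
            }
            case ACTION_ST_UNSIGNED:
            case ACTION_ST_SIGNED:
                this.secretKey = getSecretKeyFromAssertion(
                    (SamlAssertionWrapper) previous.get(WSSecurityEngineResult.TAG_SAML_ASSERTION), secRef, requestData, wSDocInfo);
                break;
            case ACTION_SCT:
            case ACTION_BST:
                this.secretKey = (byte[]) previous.get(WSSecurityEngineResult.TAG_SECRET);
                break;
            case ACTION_UT:
            case ACTION_UT_NOPASSWORD: {
                STRParserUtil.checkUsernameTokenBSPCompliance(secRef, requestData.getBSPEnforcer());
                UsernameToken usernameToken = (UsernameToken) previous.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
                usernameToken.setRawPassword(requestData);
                this.secretKey = usernameToken.getDerivedKey(requestData.getBSPEnforcer());
                break;
            }
            default:
                // e.g. a signature or timestamp result: no key can be derived from it.
                break;
        }
    }
}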
