package org.apache.wss4j.dom.processor;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.crypto.SecretKey;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.str.STRParserParameters;
import org.apache.wss4j.dom.str.STRParserResult;
import org.apache.wss4j.dom.str.SecurityTokenRefSTRParser;
import org.apache.wss4j.dom.util.EncryptionUtils;
import org.apache.wss4j.dom.util.SignatureUtils;
import org.apache.wss4j.dom.util.X509Util;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:BOOT-INF/lib/wss4j-ws-security-dom-2.2.2.redhat-00002.jar:org/apache/wss4j/dom/processor/ReferenceListProcessor.class */
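public class ReferenceListProcessor implements Processor {
    private static final Logger LOG = LoggerFactory.getLogger(ReferenceListProcessor.class);

    // Result "action" tags stored in / looked up from WSSecurityEngineResult. They must agree
    // with the values the rest of the DOM engine uses (WSConstants.SIGN / WSConstants.ENCR
    // upstream); they are named here so the literals 2 and 4 carry their meaning at the
    // point of use.
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_ENCR = 4;

    // Namespaces this processor resolves elements in.
    private static final String ENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    private static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Symmetric encryption algorithms accepted by BSP rule R5620. BSP compliance is an
    // interoperability check, not a security policy: the CBC entries carry no integrity
    // protection of their own, so restricting which algorithms a deployment actually accepts
    // is the job of the AlgorithmSuite enforced in validateAlgorithmSuite.
    private static final List<String> BSP_R5620_ALGORITHMS =
        Collections.unmodifiableList(Arrays.asList(
            "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
            "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
            "http://www.w3.org/2009/xmlenc11#aes128-gcm",
            "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
            "http://www.w3.org/2009/xmlenc11#aes256-gcm"));

    /**
     * Processes an {@code xenc:ReferenceList} element: every {@code xenc:DataReference}
     * child is resolved and the {@code EncryptedData} it points at is decrypted.
     *
     * @param element the ReferenceList element
     * @param requestData per-request configuration plus the {@code WSDocInfo} collecting results
     * @return a single-element list holding the encryption result for this ReferenceList
     * @throws WSSecurityException if a reference cannot be processed, a BSP rule is enforced,
     *         the decryption key cannot be obtained, the AlgorithmSuite rejects the key or
     *         algorithm, or decryption itself fails
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData)
        throws WSSecurityException {
        LOG.debug("Found reference list element");
        List<WSDataRef> dataRefs = handleReferenceList(element, requestData);
        WSSecurityEngineResult result = new WSSecurityEngineResult(ACTION_ENCR, dataRefs);

        // getAttributeNS yields "" for an absent attribute; only record a real id
        String id = element.getAttributeNS(null, "Id");
        if (!"".equals(id)) {
            result.put("id", id);
        }

        requestData.getWsDocInfo().addTokenElement(element);
        requestData.getWsDocInfo().addResult(result);
        return Collections.singletonList(result);
    }

    /**
     * Walks the direct children of the ReferenceList and decrypts the target of each
     * {@code xenc:DataReference} that has no encryption result recorded yet.
     *
     * @return the data references decrypted by this call, in document order
     */
    private List<WSDataRef> handleReferenceList(Element element, RequestData requestData)
        throws WSSecurityException {
        List<WSDataRef> dataRefs = new ArrayList<>();
        for (Node child = element.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (!isDataReference(child)) {
                continue;
            }
            String dataRefURI =
                XMLUtils.getIDFromReference(((Element) child).getAttributeNS(null, "URI"));
            // An EncryptedData that already has an encryption result is skipped, so an element
            // reached through more than one reference is decrypted only once.
            if (!requestData.getWsDocInfo().hasResult(ACTION_ENCR, dataRefURI)) {
                dataRefs.add(decryptDataRefEmbedded(element.getOwnerDocument(), dataRefURI, requestData));
            }
        }
        return dataRefs;
    }

    /** True if {@code node} is an {@code xenc:DataReference} element. */
    private static boolean isDataReference(Node node) {
        return Node.ELEMENT_NODE == node.getNodeType()
            && ENC_NS.equals(node.getNamespaceURI())
            && "DataReference".equals(node.getLocalName());
    }

    /**
     * Locates the EncryptedData element referenced by {@code dataRefURI}, resolves its
     * symmetric key from the embedded KeyInfo, applies BSP and AlgorithmSuite checks and
     * decrypts it.
     *
     * @param document the owner document
     * @param dataRefURI the id (without leading '#') of the EncryptedData element
     * @param requestData per-request configuration
     * @return a description of the decrypted element
     * @throws WSSecurityException if KeyInfo is missing, a check fails, or decryption fails
     */
    private WSDataRef decryptDataRefEmbedded(Document document, String dataRefURI, RequestData requestData)
        throws WSSecurityException {
        LOG.debug("Found data reference: {}", dataRefURI);
        Element encryptedDataElement =
            EncryptionUtils.findEncryptedDataElement(document, requestData.getWsDocInfo(), dataRefURI);

        // Optional hardening: refuse to decrypt an EncryptedData element that is not covered
        // by an already verified signature (see RequestData.isRequireSignedEncryptedDataElements).
        if (encryptedDataElement != null && requestData.isRequireSignedEncryptedDataElements()) {
            SignatureUtils.verifySignedElement(
                encryptedDataElement, requestData.getWsDocInfo().getResultsByTag(ACTION_SIGN));
        }
        // NOTE(review): the null check above suggests findEncryptedDataElement can return null,
        // in which case the calls below receive null and the request is at best rejected with
        // the generic "noKeyinfo" error — confirm that method's contract (whether it throws on
        // an unresolvable reference) before relying on this path.

        String encAlgo = X509Util.getEncAlgo(encryptedDataElement);
        Element keyInfoElement = XMLUtils.getDirectChildElement(encryptedDataElement, "KeyInfo", SIG_NS);
        if (keyInfoElement == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noKeyinfo");
        }
        checkBSPCompliance(keyInfoElement, encAlgo, requestData.getBSPEnforcer());

        Element strElement =
            XMLUtils.getDirectChildElement(keyInfoElement, "SecurityTokenReference", WSSE_NS);
        Principal principal = null;
        SecretKey symmetricKey;
        if (strElement == null) {
            // No SecurityTokenReference: obtain the raw key through the callback handler.
            symmetricKey = KeyUtils.prepareSecretKey(encAlgo,
                X509Util.getSecretKey(keyInfoElement, encAlgo, requestData.getCallbackHandler(), null));
        } else {
            STRParserResult strResult = parseSecurityTokenReference(strElement, encAlgo, requestData);
            principal = strResult.getPrincipal();
            symmetricKey = KeyUtils.prepareSecretKey(encAlgo, strResult.getSecretKey());
        }
        validateAlgorithmSuite(requestData.getAlgorithmSuite(), principal, symmetricKey, encAlgo);

        return EncryptionUtils.decryptEncryptedData(
            document, dataRefURI, encryptedDataElement, symmetricKey, encAlgo,
            requestData.getAttachmentCallbackHandler(), requestData.getEncryptionSerializer());
    }

    /**
     * Resolves the key (and principal, if any) referenced by a wsse:SecurityTokenReference.
     *
     * @param strElement the SecurityTokenReference element inside KeyInfo
     * @param encAlgo the encryption algorithm URI, or null if absent
     */
    private static STRParserResult parseSecurityTokenReference(
        Element strElement, String encAlgo, RequestData requestData) throws WSSecurityException {
        STRParserParameters parameters = new STRParserParameters();
        parameters.setData(requestData);
        parameters.setStrElement(strElement);
        // The derivation key length is only known when the algorithm is; leave it unset otherwise.
        if (encAlgo != null) {
            parameters.setDerivationKeyLength(KeyUtils.getKeyLength(encAlgo));
        }
        return new SecurityTokenRefSTRParser().parseSecurityTokenReference(parameters);
    }

    /**
     * Enforces the configured AlgorithmSuite, if one is set, against the resolved key and
     * the encryption algorithm named in the message. This is the policy gate that rejects
     * weak or unexpected algorithms and key lengths regardless of what the message asks for;
     * a null suite skips every check.
     *
     * @param principal the principal returned by the STR parser, or null when no STR was present
     */
    private static void validateAlgorithmSuite(
        AlgorithmSuite algorithmSuite, Principal principal, SecretKey symmetricKey, String encAlgo)
        throws WSSecurityException {
        if (algorithmSuite == null) {
            return;
        }
        AlgorithmSuiteValidator validator = new AlgorithmSuiteValidator(algorithmSuite);
        if (principal instanceof WSDerivedKeyTokenPrincipal) {
            WSDerivedKeyTokenPrincipal derivedKeyPrincipal = (WSDerivedKeyTokenPrincipal) principal;
            validator.checkDerivedKeyAlgorithm(derivedKeyPrincipal.getAlgorithm());
            validator.checkEncryptionDerivedKeyLength(derivedKeyPrincipal.getLength());
        }
        validator.checkSymmetricKeyLength(symmetricKey.getEncoded().length);
        validator.checkSymmetricEncryptionAlgorithm(encAlgo);
    }

    /**
     * Applies the Basic Security Profile rules for the KeyInfo of an EncryptedData element.
     * Each violation is reported to the enforcer, whose {@code handleBSPRule} may throw.
     *
     * @param keyInfoElement the ds:KeyInfo child of the EncryptedData element
     * @param encAlgo the EncryptionMethod algorithm URI, or null if absent
     * @param bspEnforcer receives each rule violation
     */
    private static void checkBSPCompliance(Element keyInfoElement, String encAlgo, BSPEnforcer bspEnforcer)
        throws WSSecurityException {
        int childElementCount = 0;
        Element lastChildElement = null;
        for (Node child = keyInfoElement.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (Node.ELEMENT_NODE == child.getNodeType()) {
                childElementCount++;
                lastChildElement = (Element) child;
            }
        }
        // R5424: KeyInfo must contain exactly one child element
        if (childElementCount != 1) {
            bspEnforcer.handleBSPRule(BSPRule.R5424);
        }
        // R5426: that child element must be a wsse:SecurityTokenReference
        if (lastChildElement == null
            || !WSSE_NS.equals(lastChildElement.getNamespaceURI())
            || !"SecurityTokenReference".equals(lastChildElement.getLocalName())) {
            bspEnforcer.handleBSPRule(BSPRule.R5426);
        }
        // R5601: the encryption algorithm must be specified
        if (encAlgo == null) {
            bspEnforcer.handleBSPRule(BSPRule.R5601);
        }
        // R5620: only the listed symmetric algorithms are permitted (a null algorithm also
        // fails this check, as in the original chain of comparisons)
        if (!BSP_R5620_ALGORITHMS.contains(encAlgo)) {
            bspEnforcer.handleBSPRule(BSPRule.R5620);
        }
    }
}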
