package org.apache.ws.security.processor;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.str.EncryptedKeySTRParser;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.utils.EncryptionConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;

/* loaded from: input_file:jboss-as-7.1.1.Final/modules/org/apache/ws/security/main/wss4j-1.6.5.jar:org/apache/ws/security/processor/EncryptedKeyProcessor.class */
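public class EncryptedKeyProcessor implements Processor {
    private static final Log log = LogFactory.getLog(EncryptedKeyProcessor.class);

    /** XML Encryption namespace (xenc). */
    private static final String ENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    /** XML Signature namespace (ds), used for the KeyInfo child. */
    private static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** WS-Security 1.0 secext namespace (wsse), used for SecurityTokenReference. */
    private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Key transport algorithm URIs accepted under WS-I BSP. */
    private static final String RSA15_URI = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
    private static final String RSA_OAEP_MGF1P_URI = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    /**
     * Processes an {@code xenc:EncryptedKey} element: locates the decryption
     * certificate/private key, unwraps the symmetric key and decrypts every
     * {@code xenc:DataReference} listed in the element's ReferenceList.
     *
     * @param element     the EncryptedKey element
     * @param requestData request configuration; must supply a decryption Crypto
     *                    and a CallbackHandler (used to obtain the private key)
     * @param wSDocInfo   per-document state; the result and token element are
     *                    registered on it
     * @return a singleton list holding the ENCR result
     * @throws WSSecurityException code 0 (FAILURE) when Crypto or callback handler is
     *         missing, 2 (UNSUPPORTED_ALGORITHM) when no algorithm is given,
     *         3 (INVALID_SECURITY) when CipherValue is missing, and 6 (FAILED_CHECK)
     *         for any failure during key unwrapping or data decryption
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Found encrypted key element");
        }
        if (requestData.getDecCrypto() == null) {
            throw new WSSecurityException(0, "noDecCryptoFile");
        }
        if (requestData.getCallbackHandler() == null) {
            throw new WSSecurityException(0, "noCallback");
        }
        String encAlgo = X509Util.getEncAlgo(element);
        if (encAlgo == null) {
            throw new WSSecurityException(2, "noEncAlgo");
        }
        if (requestData.getWssConfig().isWsiBSPCompliant()) {
            checkBSPCompliance(element, encAlgo);
        }
        Cipher cipher = WSSecurityUtil.getCipherInstance(encAlgo);
        Element cipherValue = findCipherValue(element);
        // Certificate resolution happens before the try block so that a
        // missing/unknown certificate keeps its own specific error code.
        X509Certificate[] certs = getCertificatesFromEncryptedKey(element, requestData, requestData.getDecCrypto(), wSDocInfo);
        try {
            PrivateKey privateKey = requestData.getDecCrypto().getPrivateKey(certs[0], requestData.getCallbackHandler());
            if (RSA_OAEP_MGF1P_URI.equals(encAlgo)) {
                // rsa-oaep-mgf1p fixes SHA-1 for both the hash and the MGF1 digest.
                OAEPParameterSpec oaepSpec = new OAEPParameterSpec("SHA-1", "MGF1", new MGF1ParameterSpec("SHA-1"), PSource.PSpecified.DEFAULT);
                cipher.init(Cipher.DECRYPT_MODE, privateKey, oaepSpec);
            } else {
                cipher.init(Cipher.DECRYPT_MODE, privateKey);
            }
            List<String> dataRefURIs = getDataRefURIs(element);
            byte[] wrappedKey = null;
            byte[] symmetricKey;
            try {
                wrappedKey = getDecodedBase64EncodedData(cipherValue);
                symmetricKey = cipher.doFinal(wrappedKey);
            } catch (IllegalStateException e) {
                throw new WSSecurityException(6, null, null, e);
            } catch (Exception e) {
                // Deliberate: a failed unwrap (bad padding, bad Base64, wrong length)
                // is replaced by a random key of the expected algorithm/size rather
                // than reported. Surfacing the distinction between "padding invalid"
                // and "padding valid" here would hand a sender a PKCS#1 v1.5
                // padding oracle; with a random key the subsequent DataReference
                // decryption is expected to fail uniformly instead. Do not log or
                // rethrow this exception.
                symmetricKey = getRandomKey(dataRefURIs, element.getOwnerDocument(), wSDocInfo);
            }
            // Action 4 is WSSecurityEngineResult.ENCR; wrappedKey is null when
            // Base64 decoding failed.
            WSSecurityEngineResult result = new WSSecurityEngineResult(4, symmetricKey, wrappedKey,
                decryptDataRefs(dataRefURIs, element.getOwnerDocument(), wSDocInfo, symmetricKey, requestData), certs);
            result.put(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD, encAlgo);
            result.put("id", element.getAttributeNS(null, "Id"));
            wSDocInfo.addResult(result);
            wSDocInfo.addTokenElement(element);
            return Collections.singletonList(result);
        } catch (Exception e) {
            throw new WSSecurityException(6, null, null, e);
        }
    }

    /**
     * Returns the {@code xenc:CipherData/xenc:CipherValue} child of an EncryptedKey.
     *
     * @throws WSSecurityException code 3 ("noCipher") when either element is absent
     */
    private static Element findCipherValue(Element encryptedKey) throws WSSecurityException {
        Element cipherData = WSSecurityUtil.getDirectChildElement(encryptedKey, "CipherData", ENC_NS);
        Element cipherValue = null;
        if (cipherData != null) {
            cipherValue = WSSecurityUtil.getDirectChildElement(cipherData, EncryptionConstants._TAG_CIPHERVALUE, ENC_NS);
        }
        if (cipherValue == null) {
            throw new WSSecurityException(3, "noCipher");
        }
        return cipherValue;
    }

    /**
     * Generates a random symmetric key matching the algorithm of the first
     * referenced EncryptedData element (AES-128 when there are no references).
     * Used as a stand-in key when unwrapping the real key failed; see
     * {@link #handleToken}.
     *
     * @param list      DataReference URIs (already stripped of a leading '#')
     * @param document  owner document used to resolve the first reference
     * @param wSDocInfo per-document state passed to the reference lookup
     * @return the encoded random key
     * @throws WSSecurityException code 6 wrapping any failure
     */
    private static byte[] getRandomKey(List<String> list, Document document, WSDocInfo wSDocInfo) throws WSSecurityException {
        try {
            String keyAlgorithm = "AES";
            int keyLength = 128;
            if (!list.isEmpty()) {
                Element encryptedData = ReferenceListProcessor.findEncryptedDataElement(document, wSDocInfo, list.get(0));
                String encAlgo = X509Util.getEncAlgo(encryptedData);
                keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(encAlgo);
                keyLength = WSSecurityUtil.getKeyLength(encAlgo);
            }
            KeyGenerator keyGenerator = KeyGenerator.getInstance(keyAlgorithm);
            // getKeyLength appears to report bytes while KeyGenerator.init takes bits
            // (the default of 128 is also multiplied) — TODO confirm against WSSecurityUtil.
            keyGenerator.init(keyLength * 8);
            return keyGenerator.generateKey().getEncoded();
        } catch (Exception e) {
            throw new WSSecurityException(6, null, null, e);
        }
    }

    /**
     * Concatenates the text-node children of {@code element} and Base64-decodes
     * the result. Non-text children (comments, elements) are ignored.
     *
     * @throws WSSecurityException propagated from {@link Base64#decode(String)}
     */
    private static byte[] getDecodedBase64EncodedData(Element element) throws WSSecurityException {
        StringBuilder encoded = new StringBuilder();
        for (Node node = element.getFirstChild(); node != null; node = node.getNextSibling()) {
            if (node.getNodeType() == Node.TEXT_NODE) {
                encoded.append(((Text) node).getData());
            }
        }
        return Base64.decode(encoded.toString());
    }

    /**
     * Resolves the certificate chain identified by the EncryptedKey's
     * {@code ds:KeyInfo}. Without a KeyInfo, the Crypto's default X.509 identifier
     * is used — but only when not in BSP-compliant mode, where KeyInfo is mandatory.
     * In BSP mode KeyInfo must contain exactly one child element; otherwise the
     * {@code wsse:SecurityTokenReference} child is looked up directly.
     *
     * @return a non-empty chain whose first entry is non-null
     * @throws WSSecurityException code 3 for a missing/invalid KeyInfo or STR,
     *         code 0 ("noCertsFound") when no certificate resolves
     */
    private X509Certificate[] getCertificatesFromEncryptedKey(Element element, RequestData requestData, Crypto crypto, WSDocInfo wSDocInfo) throws WSSecurityException {
        Element keyInfo = WSSecurityUtil.getDirectChildElement(element, "KeyInfo", SIG_NS);
        if (keyInfo == null) {
            if (requestData.getWssConfig().isWsiBSPCompliant() || crypto.getDefaultX509Identifier() == null) {
                throw new WSSecurityException(3, "noKeyinfo");
            }
            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(crypto.getDefaultX509Identifier());
            X509Certificate[] defaultCerts = crypto.getX509Certificates(cryptoType);
            if (defaultCerts == null || defaultCerts.length < 1 || defaultCerts[0] == null) {
                throw new WSSecurityException(0, "noCertsFound", new Object[]{"decryption (KeyId)"});
            }
            return defaultCerts;
        }
        Element strElement = null;
        if (requestData.getWssConfig().isWsiBSPCompliant()) {
            // BSP: KeyInfo must have exactly one child element, and that element
            // is taken as the SecurityTokenReference regardless of its name.
            int childElements = 0;
            for (Node node = keyInfo.getFirstChild(); node != null; node = node.getNextSibling()) {
                if (node.getNodeType() == Node.ELEMENT_NODE) {
                    childElements++;
                    strElement = (Element) node;
                }
            }
            if (childElements != 1) {
                throw new WSSecurityException(3, "invalidDataRef");
            }
        } else {
            strElement = WSSecurityUtil.getDirectChildElement(keyInfo, "SecurityTokenReference", WSSE_NS);
        }
        if (strElement == null) {
            throw new WSSecurityException(3, "noSecTokRef");
        }
        EncryptedKeySTRParser strParser = new EncryptedKeySTRParser();
        strParser.parseSecurityTokenReference(strElement, requestData, wSDocInfo, null);
        X509Certificate[] certificates = strParser.getCertificates();
        if (certificates == null || certificates.length < 1 || certificates[0] == null) {
            throw new WSSecurityException(0, "noCertsFound", new Object[]{"decryption (KeyId)"});
        }
        return certificates;
    }

    /**
     * Collects the URI attributes of every {@code xenc:DataReference} under the
     * EncryptedKey's {@code xenc:ReferenceList}, with a leading '#' removed.
     *
     * @return the reference ids in document order; empty when there is no ReferenceList
     * @throws WSSecurityException code 3 ("invalidDataRef") for a DataReference whose
     *         URI is empty (or is just "#"); such a reference can never resolve and
     *         previously surfaced only as a StringIndexOutOfBoundsException
     */
    private List<String> getDataRefURIs(Element element) throws WSSecurityException {
        List<String> uris = new LinkedList<String>();
        Element referenceList = WSSecurityUtil.getDirectChildElement(element, "ReferenceList", ENC_NS);
        if (referenceList == null) {
            return uris;
        }
        for (Node node = referenceList.getFirstChild(); node != null; node = node.getNextSibling()) {
            if (node.getNodeType() != Node.ELEMENT_NODE
                || !ENC_NS.equals(node.getNamespaceURI())
                || !"DataReference".equals(node.getLocalName())) {
                continue;
            }
            String uri = ((Element) node).getAttribute("URI");
            if (uri != null && uri.startsWith("#")) {
                uri = uri.substring(1);
            }
            if (uri == null || uri.isEmpty()) {
                throw new WSSecurityException(3, "invalidDataRef");
            }
            uris.add(uri);
        }
        return uris;
    }

    /**
     * Decrypts each referenced EncryptedData element with the unwrapped key.
     *
     * @return one WSDataRef per reference, or {@code null} when there are no
     *         references (callers store this value as-is in the result)
     */
    private List<WSDataRef> decryptDataRefs(List<String> list, Document document, WSDocInfo wSDocInfo, byte[] bArr, RequestData requestData) throws WSSecurityException {
        if (list == null || list.isEmpty()) {
            return null;
        }
        List<WSDataRef> dataRefs = new ArrayList<WSDataRef>(list.size());
        for (String dataRefURI : list) {
            dataRefs.add(decryptDataRef(document, dataRefURI, wSDocInfo, bArr, requestData));
        }
        return dataRefs;
    }

    /**
     * Decrypts a single EncryptedData element identified by {@code str}.
     * When the request requires it, the element must be covered by a signature
     * in the security header before it is decrypted.
     *
     * @param bArr the symmetric key bytes used to build the secret key
     * @throws WSSecurityException code 2 ("badEncAlgo") when the element's
     *         algorithm cannot be turned into a secret key; signature-coverage
     *         failures propagate from WSSecurityUtil.verifySignedElement
     */
    private WSDataRef decryptDataRef(Document document, String str, WSDocInfo wSDocInfo, byte[] bArr, RequestData requestData) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("found data reference: " + str);
        }
        Element encryptedData = ReferenceListProcessor.findEncryptedDataElement(document, wSDocInfo, str);
        if (encryptedData != null && requestData.isRequireSignedEncryptedDataElements()) {
            WSSecurityUtil.verifySignedElement(encryptedData, document, wSDocInfo.getSecurityHeader());
        }
        // NOTE(review): encryptedData may be null here; presumably getEncAlgo and
        // decryptEncryptedData handle that — confirm against ReferenceListProcessor.
        String encAlgo = X509Util.getEncAlgo(encryptedData);
        try {
            return ReferenceListProcessor.decryptEncryptedData(document, str, encryptedData, WSSecurityUtil.prepareSecretKey(encAlgo, bArr), encAlgo);
        } catch (IllegalArgumentException e) {
            throw new WSSecurityException(2, "badEncAlgo", new Object[]{encAlgo});
        }
    }

    /**
     * Enforces the WS-I Basic Security Profile constraints on an EncryptedKey:
     * none of Type, MimeType, Encoding or Recipient may be present, and the key
     * transport algorithm must be rsa-1_5 or rsa-oaep-mgf1p.
     *
     * @param str the key transport algorithm URI
     * @throws WSSecurityException code 6 ("badAttribute") or code 3 ("badEncAlgo")
     */
    private void checkBSPCompliance(Element element, String str) throws WSSecurityException {
        requireAttributeAbsent(element, "Type");
        requireAttributeAbsent(element, "MimeType");
        requireAttributeAbsent(element, "Encoding");
        requireAttributeAbsent(element, "Recipient");
        if (!RSA15_URI.equals(str) && !RSA_OAEP_MGF1P_URI.equals(str)) {
            throw new WSSecurityException(3, "badEncAlgo", new Object[]{str});
        }
    }

    /**
     * Rejects the element when the named (un-namespaced) attribute carries a
     * non-empty value. DOM returns "" for an absent attribute, so the null
     * check only guards non-conforming implementations.
     */
    private static void requireAttributeAbsent(Element element, String attributeName) throws WSSecurityException {
        String value = element.getAttribute(attributeName);
        if (value != null && !"".equals(value)) {
            throw new WSSecurityException(6, "badAttribute", new Object[]{value});
        }
    }
}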
