package org.apache.ws.security.str;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.xml.namespace.QName;
import org.apache.ws.security.CustomTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DerivedKeyToken;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/ws/security/str/SignatureSTRParser.class */
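/**
 * Resolves the {@code wsse:SecurityTokenReference} found inside a signature's
 * {@code ds:KeyInfo} to the credential that verifies the signature: an X.509
 * certificate, a raw public key or a symmetric secret, plus a {@link Principal}
 * describing the key owner.
 * <p>
 * Three reference shapes are handled:
 * <ul>
 *   <li>a {@code wsse:Reference} to a token that was already processed by the
 *       security engine (looked up in {@link WSDocInfo}) or that still has to be
 *       processed here (BinarySecurityToken, SAML assertion, EncryptedKey, or a
 *       custom token whose key is obtained through the callback handler);</li>
 *   <li>{@code ds:X509Data} / {@code ds:X509IssuerSerial};</li>
 *   <li>a {@code wsse:KeyIdentifier} (EncryptedKey SHA-1, SAML assertion id, or
 *       an X.509 identifier such as a SKI / thumbprint).</li>
 * </ul>
 * Whatever the reference did not yield stays {@code null} in the getters.
 * <p>
 * Trust: {@link #isTrustedCredential()} becomes {@code true} in exactly two
 * situations visible in this class — a previously processed BinarySecurityToken
 * whose result carries {@code TAG_VALIDATED_TOKEN}, or a <em>signed</em>
 * holder-of-key SAML assertion. Nothing here validates an X.509 chain against
 * the signature {@link Crypto}; callers must not treat a non-null certificate
 * as trusted on its own.
 * <p>
 * A parser instance accumulates the results of one parse in its fields and is
 * not safe for concurrent use.
 */
/* loaded from: input_file:org/apache/ws/security/str/SignatureSTRParser.class */
public class SignatureSTRParser implements STRParser {
    /** Parameter key: the signature algorithm URI, used to size a DerivedKeyToken key with no explicit length. */
    public static final String SIGNATURE_METHOD = "signature_method";
    /** Parameter key: an {@link Integer} key length for secrets derived from a UsernameToken. */
    public static final String SECRET_KEY_LENGTH = "secret_key_length";
    private X509Certificate[] certs;
    private byte[] secretKey;
    private PublicKey publicKey;
    private Principal principal;
    private boolean trustedCredential;

    /**
     * Parses the given SecurityTokenReference element and fills in the
     * certificate / public key / secret key / principal fields.
     *
     * @param element     the {@code wsse:SecurityTokenReference} element
     * @param requestData request context; supplies the signature Crypto, the
     *                    WSSConfig (BSP compliance flag, token processors) and
     *                    the callback handler
     * @param wSDocInfo   registry of already processed tokens and results
     * @param map         parser parameters; {@link #SECRET_KEY_LENGTH} (Integer)
     *                    and {@link #SIGNATURE_METHOD} (String) are read from it
     *                    when a UsernameToken or DerivedKeyToken is referenced
     * @throws WSSecurityException if the reference shape is unsupported, a
     *                    referenced token cannot be resolved, or a BSP check fails
     */
    @Override
    public void parseSecurityTokenReference(Element element, RequestData requestData, WSDocInfo wSDocInfo, Map<String, Object> map) throws WSSecurityException {
        boolean bspCompliant = true;
        if (requestData.getWssConfig() != null) {
            bspCompliant = requestData.getWssConfig().isWsiBSPCompliant();
        }
        Crypto sigCrypto = requestData.getSigCrypto();
        SecurityTokenReference str = new SecurityTokenReference(element, bspCompliant);

        if (str.containsReference()) {
            parseReference(str, element, requestData, wSDocInfo, map, sigCrypto, bspCompliant);
        } else if (str.containsX509Data() || str.containsX509IssuerSerial()) {
            keepFirstCertificate(str.getX509IssuerSerial(sigCrypto));
        } else if (str.containsKeyIdentifier()) {
            parseKeyIdentifier(str, element, requestData, wSDocInfo, sigCrypto, bspCompliant);
        } else {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo", new Object[]{element.toString()});
        }

        // No token-specific principal: fall back to the certificate subject.
        if (this.principal == null && this.certs != null && this.certs.length > 0) {
            this.principal = this.certs[0].getSubjectX500Principal();
        }
    }

    /**
     * Handles a {@code wsse:Reference} child: dispatches to the already-processed
     * result when the engine has seen the token, otherwise resolves and processes
     * the referenced token element now.
     */
    private void parseReference(SecurityTokenReference str, Element element, RequestData requestData, WSDocInfo wSDocInfo, Map<String, Object> map, Crypto sigCrypto, boolean bspCompliant) throws WSSecurityException {
        Reference reference = str.getReference();
        String id = stripFragment(reference.getURI());
        WSSecurityEngineResult result = wSDocInfo.getResult(id);
        if (result == null) {
            parseUnprocessedToken(str, element, reference, id, requestData, wSDocInfo, sigCrypto, bspCompliant);
        } else {
            parseProcessedResult(str, result, requestData, map, bspCompliant);
        }
    }

    /**
     * Resolves a referenced token the engine has not processed yet, keyed on the
     * token element's qualified name. Unknown token types are treated as custom
     * tokens whose secret is requested from the callback handler.
     */
    private void parseUnprocessedToken(SecurityTokenReference str, Element element, Reference reference, String id, RequestData requestData, WSDocInfo wSDocInfo, Crypto sigCrypto, boolean bspCompliant) throws WSSecurityException {
        Element tokenElement = str.getTokenElement(element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler());
        QName tokenName = new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName());

        if (WSSecurityEngine.BINARY_TOKEN.equals(tokenName)) {
            this.certs = getCertificatesTokenReference(str, tokenElement, sigCrypto, bspCompliant);
        } else if (WSSecurityEngine.SAML_TOKEN.equals(tokenName) || WSSecurityEngine.SAML2_TOKEN.equals(tokenName)) {
            // The assertion may already have been processed under a different id/value type.
            Element processed = str.findProcessedTokenElement(element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler(), id, reference.getValueType());
            AssertionWrapper assertion;
            if (processed == null) {
                Processor processor = requestData.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
                List<WSSecurityEngineResult> samlResults = processor.handleToken(tokenElement, requestData, wSDocInfo);
                assertion = (AssertionWrapper) samlResults.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            } else {
                assertion = new AssertionWrapper(processed);
                assertion.parseHOKSubject(requestData, wSDocInfo);
            }
            if (bspCompliant) {
                BSPEnforcer.checkSamlTokenBSPCompliance(str, assertion);
            }
            applySamlKeyInfo(assertion.getSubjectKeyInfo());
            this.principal = createPrincipalFromSAML(assertion);
        } else if (WSSecurityEngine.ENCRYPTED_KEY.equals(tokenName)) {
            if (bspCompliant) {
                BSPEnforcer.checkEncryptedKeyBSPCompliance(str);
            }
            Processor processor = requestData.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
            List<WSSecurityEngineResult> encResults = processor.handleToken(tokenElement, requestData, wSDocInfo);
            this.secretKey = (byte[]) encResults.get(0).get(WSSecurityEngineResult.TAG_SECRET);
            this.principal = new CustomTokenPrincipal(tokenElement.getAttribute("Id"));
        } else {
            // Custom token: the application's callback handler supplies the key for this id.
            String tokenUri = reference.getURI();
            this.secretKey = getSecretKeyFromToken(tokenUri, null, requestData);
            this.principal = new CustomTokenPrincipal(tokenUri);
        }
    }

    /**
     * Extracts the credential from a result the security engine already produced
     * for the referenced token, keyed on the result's action code. Actions not
     * listed here yield no credential.
     */
    private void parseProcessedResult(SecurityTokenReference str, WSSecurityEngineResult result, RequestData requestData, Map<String, Object> map, boolean bspCompliant) throws WSSecurityException {
        int action = ((Integer) result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();

        if (action == WSConstants.UT_SIGN || action == WSConstants.UT) {
            if (bspCompliant) {
                BSPEnforcer.checkUsernameTokenBSPCompliance(str);
            }
            UsernameToken usernameToken = (UsernameToken) result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
            usernameToken.setRawPassword(requestData);
            if (usernameToken.isDerivedKey()) {
                this.secretKey = usernameToken.getDerivedKey();
            } else {
                // SECRET_KEY_LENGTH is mandatory for this path; a missing entry fails with NPE.
                int keyLength = ((Integer) map.get(SECRET_KEY_LENGTH)).intValue();
                this.secretKey = usernameToken.getSecretKey(keyLength);
            }
            this.principal = usernameToken.createPrincipal();
        } else if (action == WSConstants.BST) {
            if (bspCompliant) {
                BinarySecurity token = (BinarySecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                BSPEnforcer.checkBinarySecurityBSPCompliance(str, token);
            }
            this.certs = (X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            // Only an explicit TRUE marks the credential trusted; an absent flag stays untrusted.
            if (Boolean.TRUE.equals(result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))) {
                this.trustedCredential = true;
            }
        } else if (action == WSConstants.ENCR) {
            if (bspCompliant) {
                BSPEnforcer.checkEncryptedKeyBSPCompliance(str);
            }
            this.secretKey = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
            this.principal = new CustomTokenPrincipal((String) result.get(WSSecurityEngineResult.TAG_ID));
        } else if (action == WSConstants.SC) {
            this.secretKey = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
            SecurityContextToken sct = (SecurityContextToken) result.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
            this.principal = new CustomTokenPrincipal(sct.getIdentifier());
        } else if (action == WSConstants.DKT) {
            DerivedKeyToken dkt = (DerivedKeyToken) result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
            int length = dkt.getLength();
            if (length <= 0) {
                // No explicit length on the token: derive it from the signature algorithm.
                length = WSSecurityUtil.getKeyLength((String) map.get(SIGNATURE_METHOD));
            }
            this.secretKey = dkt.deriveKey(length, (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET));
            this.principal = dkt.createPrincipal();
        } else if (action == WSConstants.ST_UNSIGNED || action == WSConstants.ST_SIGNED) {
            AssertionWrapper assertion = (AssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (bspCompliant) {
                BSPEnforcer.checkSamlTokenBSPCompliance(str, assertion);
            }
            applySamlKeyInfo(assertion.getSubjectKeyInfo());
            this.principal = createPrincipalFromSAML(assertion);
        }
    }

    /**
     * Handles a {@code wsse:KeyIdentifier} child, keyed on its ValueType:
     * EncryptedKey SHA-1 (secret from the callback handler), a SAML assertion
     * id, or an X.509 identifier resolved through the signature Crypto.
     */
    private void parseKeyIdentifier(SecurityTokenReference str, Element element, RequestData requestData, WSDocInfo wSDocInfo, Crypto sigCrypto, boolean bspCompliant) throws WSSecurityException {
        String valueType = str.getKeyIdentifierValueType();

        if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
            if (bspCompliant) {
                BSPEnforcer.checkEncryptedKeyBSPCompliance(str);
            }
            String keyIdentifierValue = str.getKeyIdentifierValue();
            this.secretKey = getSecretKeyFromToken(keyIdentifierValue, SecurityTokenReference.ENC_KEY_SHA1_URI, requestData);
            this.principal = new CustomTokenPrincipal(keyIdentifierValue);
        } else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType) || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
            AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(str, element, requestData, wSDocInfo);
            if (bspCompliant) {
                BSPEnforcer.checkSamlTokenBSPCompliance(str, assertion);
            }
            applySamlKeyInfo(SAMLUtil.getCredentialFromSubject(assertion, requestData, wSDocInfo, bspCompliant));
            this.principal = createPrincipalFromSAML(assertion);
        } else {
            if (bspCompliant) {
                BSPEnforcer.checkBinarySecurityBSPCompliance(str, null);
            }
            keepFirstCertificate(str.getKeyIdentifier(sigCrypto));
        }
    }

    /**
     * Copies the certificate, secret and public key out of a SAML subject's
     * KeyInfo. All three are set on every SAML path so that a holder-of-key
     * subject carrying a bare public key can still verify the signature.
     */
    private void applySamlKeyInfo(SAMLKeyInfo keyInfo) {
        keepFirstCertificate(keyInfo.getCerts());
        this.secretKey = keyInfo.getSecret();
        this.publicKey = keyInfo.getPublicKey();
    }

    /**
     * Retains only the first certificate of {@code found} as the signing
     * certificate; a null or empty array leaves {@link #certs} unchanged rather
     * than failing on {@code found[0]}.
     */
    private void keepFirstCertificate(X509Certificate[] found) {
        if (found != null && found.length > 0) {
            this.certs = new X509Certificate[]{found[0]};
        }
    }

    /**
     * Turns a same-document reference URI ({@code #id}) into the bare id.
     * Null and empty strings are returned unchanged instead of failing on
     * {@code charAt(0)}.
     */
    private static String stripFragment(String uri) {
        if (uri != null && uri.startsWith("#")) {
            return uri.substring(1);
        }
        return uri;
    }

    /** @return the signing certificate(s), or {@code null} if the reference did not resolve to one */
    @Override
    public X509Certificate[] getCertificates() {
        return this.certs;
    }

    /** @return the principal associated with the credential, or {@code null} */
    @Override
    public Principal getPrincipal() {
        return this.principal;
    }

    /** @return a bare public key from a SAML subject, or {@code null} */
    @Override
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /** @return the symmetric verification key, or {@code null} */
    @Override
    public byte[] getSecretKey() {
        return this.secretKey;
    }

    /** @return whether the credential was already validated (see class Javadoc for the two cases) */
    @Override
    public boolean isTrustedCredential() {
        return this.trustedCredential;
    }

    /**
     * Extracts the certificate(s) from an unprocessed BinarySecurityToken.
     *
     * @throws WSSecurityException if no signature Crypto is configured, the
     *         token ValueType is unsupported, or a BSP check fails
     */
    private static X509Certificate[] getCertificatesTokenReference(SecurityTokenReference str, Element element, Crypto crypto, boolean bspCompliant) throws WSSecurityException {
        if (crypto == null) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
        }
        BinarySecurity token = createSecurityToken(element);
        if (bspCompliant) {
            BSPEnforcer.checkBinarySecurityBSPCompliance(str, token);
        }
        if (token instanceof PKIPathSecurity) {
            return ((PKIPathSecurity) token).getX509Certificates(crypto);
        }
        return new X509Certificate[]{((X509Security) token).getX509Certificate(crypto)};
    }

    /**
     * Wraps a BinarySecurityToken element as an X509v3 or PKIPath token
     * according to its ValueType attribute.
     *
     * @throws WSSecurityException for any other ValueType
     */
    private static BinarySecurity createSecurityToken(Element element) throws WSSecurityException {
        String valueType = element.getAttribute("ValueType");
        if (X509Security.X509_V3_TYPE.equals(valueType)) {
            return new X509Security(element);
        }
        if (PKIPathSecurity.getType().equals(valueType)) {
            return new PKIPathSecurity(element);
        }
        throw new WSSecurityException(WSSecurityException.UNSUPPORTED_SECURITY_TOKEN, "unsupportedBinaryTokenType", new Object[]{valueType});
    }

    /**
     * Builds a principal for a SAML assertion. As a side effect the credential
     * is marked trusted only when the first confirmation method is
     * holder-of-key <em>and</em> the assertion is signed.
     */
    private Principal createPrincipalFromSAML(AssertionWrapper assertion) {
        CustomTokenPrincipal samlPrincipal = new CustomTokenPrincipal(assertion.getId());
        samlPrincipal.setTokenObject(assertion);

        String confirmationMethod = null;
        List<String> methods = assertion.getConfirmationMethods();
        if (methods != null && !methods.isEmpty()) {
            confirmationMethod = methods.get(0);
        }
        if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod) && assertion.isSigned()) {
            this.trustedCredential = true;
        }
        return samlPrincipal;
    }

    /**
     * Asks the application's callback handler for the secret key of a token
     * identified by {@code id} (a leading '#' is dropped) and {@code valueType}.
     *
     * @throws WSSecurityException wrapping any failure of the handler; the
     *         broad catch is deliberate because the handler is application code
     */
    private byte[] getSecretKeyFromToken(String id, String valueType, RequestData requestData) throws WSSecurityException {
        String tokenId = stripFragment(id);
        WSPasswordCallback callback = new WSPasswordCallback(tokenId, null, valueType, WSPasswordCallback.SECRET_KEY, requestData);
        try {
            requestData.getCallbackHandler().handle(new Callback[]{callback});
            return callback.getKey();
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "noPassword", new Object[]{tokenId}, e);
        }
    }
}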
