package org.apache.cxf.ws.security.wss4j.policyhandlers;

import com.ibm.ws.sib.processor.SIMPConstants;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP11Constants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.cxf.ws.security.policy.model.KerberosToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SpnegoContextToken;
import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.TokenWrapper;
import org.apache.cxf.ws.security.policy.model.UsernameToken;
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.WSSecBase;
import org.apache.ws.security.message.WSSecDKEncrypt;
import org.apache.ws.security.message.WSSecDKSign;
import org.apache.ws.security.message.WSSecEncrypt;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:wlp/lib/com.ibm.ws.org.apache.cxf.ws.security.2.6.2_1.0.13.jar:org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.class */
public class SymmetricBindingHandler extends AbstractBindingBuilder {
    // Symmetric binding policy assertion this handler applies; assigned once in the constructor.
    SymmetricBinding sbinding;
    // Store for the SecurityToken objects this handler creates or looks up. Those tokens carry raw
    // key bytes (setSecret), so the store's retention and access rules matter for key hygiene.
    TokenStore tokenStore;

    /**
     * Builds a handler that applies a symmetric binding policy to one outgoing SOAP message.
     *
     * <p>All arguments are forwarded to the parent builder; the binding is additionally kept
     * locally, the token store is resolved through {@code getTokenStore()}, and the binding's
     * protection order is copied into the inherited {@code protectionOrder} field.
     *
     * @param wSSConfig WSS4J configuration passed to every signature/encryption builder
     * @param symmetricBinding the symmetric binding assertion to enforce
     * @param sOAPMessage SAAJ view of the message being secured
     * @param wSSecHeader security header that receives the generated elements
     * @param assertionInfoMap policy assertion bookkeeping for the exchange
     * @param soapMessage CXF message for the current exchange
     */
    public SymmetricBindingHandler(
            WSSConfig wSSConfig,
            SymmetricBinding symmetricBinding,
            SOAPMessage sOAPMessage,
            WSSecHeader wSSecHeader,
            AssertionInfoMap assertionInfoMap,
            SoapMessage soapMessage) {
        super(wSSConfig, symmetricBinding, sOAPMessage, wSSecHeader, assertionInfoMap, soapMessage);
        sbinding = symmetricBinding;
        tokenStore = getTokenStore();
        protectionOrder = symmetricBinding.getProtectionOrder();
    }

    /**
     * Resolves the token wrapper used for signing.
     *
     * @return the binding's protection token when one is configured, otherwise its signature
     *         token; {@code null} when the binding defines neither
     */
    private TokenWrapper getSignatureToken() {
        TokenWrapper protection = this.sbinding.getProtectionToken();
        if (protection != null) {
            // A protection token covers both signing and encryption, so it takes precedence.
            return protection;
        }
        return this.sbinding.getSignatureToken();
    }

    /**
     * Resolves the token wrapper used for encryption.
     *
     * @return the binding's protection token when one is configured, otherwise its encryption
     *         token; {@code null} when the binding defines neither
     */
    private TokenWrapper getEncryptionToken() {
        TokenWrapper protection = this.sbinding.getProtectionToken();
        if (protection != null) {
            // A protection token covers both signing and encryption, so it takes precedence.
            return protection;
        }
        return this.sbinding.getEncryptionToken();
    }

    /**
     * Entry point: lays out the timestamp, then signs and encrypts the message in the order the
     * binding's ProtectionOrder requires, and finally asserts the WS-Trust policy markers.
     *
     * <p>NOTE(review): TRUST_10 and TRUST_13 are asserted unconditionally once the protection step
     * returns. Several paths in doSignBeforeEncrypt() report a failure through policyNotAsserted()
     * and then simply return, so whether an unprotected message can still leave depends on
     * policyNotAsserted() aborting the exchange; verify that in the parent class.
     */
    public void handleBinding() {
        handleLayout(createTimestamp());
        if (isRequestor()) {
            initializeTokens();
        }
        boolean signFirst = this.sbinding.getProtectionOrder() != SPConstants.ProtectionOrder.EncryptBeforeSigning;
        if (signFirst) {
            doSignBeforeEncrypt();
        } else {
            doEncryptBeforeSign();
        }
        policyAsserted(SP11Constants.TRUST_10);
        policyAsserted(SP12Constants.TRUST_13);
    }

    /**
     * Requestor-side hook called from handleBinding() before any protection is applied.
     * It has no body in this build, so no token is set up ahead of signing or encryption.
     */
    private void initializeTokens() {
    }

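    /**
     * Protects the message in EncryptBeforeSigning order: resolve the symmetric key, encrypt the
     * configured parts, sign, and then run a second encryption pass over the signature and
     * signature confirmations (when the binding demands signature protection) and over the
     * encrypted supporting tokens (requestor only).
     *
     * <p>Change from the previous version: the second pass for non-derived keys now encrypts the
     * list built for that pass. It used to be handed {@code encryptedParts} again, so the parts
     * from the first pass were submitted a second time while the signature element collected for
     * signature protection was left in clear text, unlike the derived-key branch.
     *
     * <p>NOTE(review): nothing at all is done, including signing, when the token is null or no
     * parts are selected for encryption. Confirm that a sign-only policy cannot reach this method.
     *
     * @throws RuntimeException rethrown unchanged (this includes NullPointerException from the
     *         unchecked lookups below)
     * @throws Fault wrapping any checked exception
     */
    private void doEncryptBeforeSign() {
        try {
            TokenWrapper encryptionToken = getEncryptionToken();
            // NOTE(review): unlike doSignBeforeEncrypt() there is no null check on the wrapper; a
            // binding without protection/encryption token fails here with a NullPointerException.
            Token token = encryptionToken.getToken();
            List<WSEncryptionPart> encryptedParts = getEncryptedParts();
            List<WSEncryptionPart> signedParts = getSignedParts();
            if (token != null && encryptedParts.size() > 0) {
                String tokenId = null;
                SecurityToken securityToken = null;
                if ((token instanceof IssuedToken) || (token instanceof KerberosToken) || (token instanceof SecureConversationToken) || (token instanceof SecurityContextToken) || (token instanceof SpnegoContextToken)) {
                    // Externally established tokens are taken from the exchange as they are.
                    securityToken = getSecurityToken();
                } else if (token instanceof X509Token) {
                    // Requestor creates a fresh EncryptedKey; responder reuses the one it received.
                    tokenId = isRequestor() ? setupEncryptedKey(encryptionToken, token) : getEncryptedKey();
                } else if (token instanceof UsernameToken) {
                    tokenId = isRequestor() ? setupUTDerivedKey((UsernameToken) token) : getUTDerivedKey();
                }
                if (securityToken == null) {
                    if (tokenId != null && tokenId.startsWith("#")) {
                        tokenId = tokenId.substring(1);
                    }
                    // NOTE(review): tokenId may still be null and the lookup may miss; the
                    // dereferences further down then raise a NullPointerException.
                    securityToken = this.tokenStore.getToken(tokenId);
                }
                // The token element goes into the header when policy asks for inclusion, and
                // always for a requestor-side X509 token (the receiver needs the EncryptedKey).
                boolean tokenIncluded = false;
                if (includeToken(token.getInclusion()) || ((token instanceof X509Token) && isRequestor())) {
                    addEncryptedKeyElement(cloneElement(securityToken.getToken()));
                    tokenIncluded = true;
                }
                WSSecBase encryptor = doEncryption(encryptionToken, securityToken, tokenIncluded, encryptedParts, true);
                handleEncryptedSignedHeaders(encryptedParts, signedParts);
                if (this.timestampEl != null) {
                    signedParts.add(convertToEncryptionPart(this.timestampEl.getElement()));
                }
                if (isRequestor()) {
                    addSupportingTokens(signedParts);
                } else {
                    addSignatureConfirmation(signedParts);
                }
                if (signedParts.size() > 0) {
                    this.signatures.add(doSignature(signedParts, encryptionToken, token, securityToken, tokenIncluded));
                }
                if (isRequestor()) {
                    doEndorse();
                }
                if (this.sbinding.isSignatureProtection() || (this.encryptedTokensList.size() > 0 && isRequestor())) {
                    List<WSEncryptionPart> secondPassParts = new ArrayList<WSEncryptionPart>();
                    if (this.sbinding.isSignatureProtection()) {
                        if (this.mainSigId != null) {
                            WSEncryptionPart signaturePart = new WSEncryptionPart(this.mainSigId, "Element");
                            signaturePart.setElement(this.bottomUpElement);
                            secondPassParts.add(signaturePart);
                        }
                        if (this.sigConfList != null && !this.sigConfList.isEmpty()) {
                            secondPassParts.addAll(this.sigConfList);
                        }
                    }
                    if (isRequestor()) {
                        secondPassParts.addAll(this.encryptedTokensList);
                    }
                    // NOTE(review): doEncryption() returns null after reporting a failure; the
                    // casts below would then end in a NullPointerException.
                    if (token.isDerivedKeys() && !secondPassParts.isEmpty()) {
                        addDerivedKeyElement(((WSSecDKEncrypt) encryptor).encryptForExternalRef(null, secondPassParts));
                    } else if (!secondPassParts.isEmpty()) {
                        // Encrypt the second-pass list here, not encryptedParts, so that the
                        // signature and confirmations are actually protected.
                        addDerivedKeyElement(((WSSecEncrypt) encryptor).encryptForRef(null, secondPassParts));
                    }
                }
            }
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e2) {
            throw new Fault(e2);
        }
    }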

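    /**
     * Protects the message in SignBeforeEncrypting order: resolve the symmetric key, sign the
     * configured parts (plus timestamp and supporting tokens or signature confirmations), then
     * encrypt the configured parts, the signature when signature protection is on, and the
     * requestor's encrypted supporting tokens.
     *
     * <p>Change from the previous version: a binding with neither a protection nor a signature
     * token is now reported against the binding assertion. The old code passed the null token
     * wrapper itself to policyNotAsserted(), so there was no assertion to mark as failed.
     *
     * <p>NOTE(review): every policyNotAsserted() path below returns without protecting the
     * message. Whether the exchange is aborted depends on that helper; verify it in the parent.
     *
     * @throws Fault wrapping any exception raised while signing or encrypting
     */
    private void doSignBeforeEncrypt() {
        TokenWrapper signatureToken = getSignatureToken();
        if (signatureToken == null) {
            // Blame the binding, as the "No signature token" case below does; the wrapper is null.
            policyNotAsserted(this.sbinding, "No signature or protection token");
            return;
        }
        Token token = signatureToken.getToken();
        String str = null;
        SecurityToken securityToken = null;
        try {
            if (token == null) {
                policyNotAsserted(this.sbinding, "No signature token");
                return;
            }
            if ((token instanceof SecureConversationToken) || (token instanceof SecurityContextToken) || (token instanceof IssuedToken) || (token instanceof KerberosToken) || (token instanceof SpnegoContextToken)) {
                // Externally established tokens are taken from the exchange as they are.
                securityToken = getSecurityToken();
            } else if (token instanceof X509Token) {
                // Requestor creates a fresh EncryptedKey; responder reuses the one it received.
                str = isRequestor() ? setupEncryptedKey(signatureToken, token) : getEncryptedKey();
            } else if (token instanceof UsernameToken) {
                str = isRequestor() ? setupUTDerivedKey((UsernameToken) token) : getUTDerivedKey();
            }
            if (securityToken == null && StringUtils.isEmpty(str)) {
                policyNotAsserted(signatureToken, "No signature token id");
                return;
            }
            policyAsserted(signatureToken);
            if (securityToken == null) {
                // NOTE(review): a store miss leaves securityToken null; the dereference below then
                // fails with a NullPointerException that surfaces as a Fault.
                securityToken = this.tokenStore.getToken(str);
            }
            // z records whether the token element was placed in the security header.
            boolean z = true;
            if (includeToken(token.getInclusion())) {
                addEncryptedKeyElement(cloneElement(securityToken.getToken()));
            } else if (isRequestor() && (token instanceof X509Token)) {
                addEncryptedKeyElement(cloneElement(securityToken.getToken()));
            } else {
                z = false;
            }
            List<WSEncryptionPart> signedParts = getSignedParts();
            if (this.timestampEl != null) {
                signedParts.add(convertToEncryptionPart(this.timestampEl.getElement()));
            }
            if (isRequestor()) {
                addSupportingTokens(signedParts);
                if (!signedParts.isEmpty()) {
                    this.signatures.add(doSignature(signedParts, signatureToken, token, securityToken, z));
                }
                doEndorse();
            } else {
                assertSupportingTokens(signedParts);
                addSignatureConfirmation(signedParts);
                if (!signedParts.isEmpty()) {
                    // Responder side: the signature value is not recorded in this.signatures.
                    doSignature(signedParts, signatureToken, token, securityToken, z);
                }
            }
            TokenWrapper encryptionToken = getEncryptionToken();
            // This handler encrypts with the key it signed with, so both tokens must be equal.
            // NOTE(review): on a mismatch the message is already signed but stays unencrypted.
            if (!token.equals(encryptionToken.getToken())) {
                policyNotAsserted(this.sbinding, "Encryption token does not equal signature token");
                return;
            }
            SecurityToken securityToken2 = securityToken;
            List<WSEncryptionPart> encryptedParts = getEncryptedParts();
            if (this.sbinding.isSignatureProtection()) {
                // Signature protection: the signature and confirmations are encrypted as well.
                if (this.mainSigId != null) {
                    WSEncryptionPart wSEncryptionPart = new WSEncryptionPart(this.mainSigId, "Element");
                    wSEncryptionPart.setElement(this.bottomUpElement);
                    encryptedParts.add(wSEncryptionPart);
                }
                if (this.sigConfList != null && !this.sigConfList.isEmpty()) {
                    encryptedParts.addAll(this.sigConfList);
                }
            }
            if (isRequestor()) {
                encryptedParts.addAll(this.encryptedTokensList);
            }
            doEncryption(encryptionToken, securityToken2, z, encryptedParts, false);
        } catch (Exception e) {
            throw new Fault(e);
        }
    }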

    /**
     * Encrypts the given parts with a key derived from the security token's secret and adds the
     * DerivedKeyToken and reference list to the security header.
     *
     * @param tokenWrapper policy wrapper of the encryption token; blamed if anything fails
     * @param securityToken runtime token supplying the secret, ids and references
     * @param token policy token; its type decides the reference/value-type handling
     * @param z whether the caller added the token element to the header (callers pass the flag
     *        they set alongside addEncryptedKeyElement)
     * @param list parts to encrypt
     * @param z2 true inserts the reference list via insertBeforeBottomUp(), false appends it via
     *        addDerivedKeyElement()
     * @return the configured WSSecDKEncrypt, or null after a failure has been reported through
     *         policyNotAsserted(); callers must handle null
     */
    private WSSecBase doEncryptionDerived(TokenWrapper tokenWrapper, SecurityToken securityToken, Token token, boolean z, List<WSEncryptionPart> list, boolean z2) {
        try {
            WSSecDKEncrypt wSSecDKEncrypt = new WSSecDKEncrypt(this.wssConfig);
            if (tokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) {
                // NOTE(review): 2 is an inlined constant, presumably the WS-SecureConversation
                // version used with SecurityPolicy 1.2; confirm against the WSS4J version in use.
                wSSecDKEncrypt.setWscVersion(2);
            }
            // Pick how the derived key points at its base key, in order of preference:
            // attached reference, unattached reference, EncryptedKeySHA1 (responder only),
            // the token's wsu:Id, and finally the raw token id as a direct reference.
            if (z && securityToken.getAttachedReference() != null) {
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), cloneElement(securityToken.getAttachedReference()));
            } else if (securityToken.getUnattachedReference() != null) {
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), cloneElement(securityToken.getUnattachedReference()));
            } else if (!isRequestor() && securityToken.getSHA1() != null) {
                SecurityTokenReference securityTokenReference = new SecurityTokenReference((Document) this.saaj.getSOAPPart());
                securityTokenReference.setKeyIdentifierEncKeySHA1(securityToken.getSHA1());
                String tokenType = securityToken.getTokenType();
                if (tokenType == null) {
                    tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
                }
                securityTokenReference.addTokenType(tokenType);
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), securityTokenReference.getElement());
            } else if (z) {
                String wsuId = securityToken.getWsuId();
                if (wsuId == null && ((token instanceof SecureConversationToken) || (token instanceof SecurityContextToken))) {
                    wSSecDKEncrypt.setTokenIdDirectId(true);
                    wsuId = securityToken.getId();
                } else if (wsuId == null) {
                    wsuId = securityToken.getId();
                }
                // A null id raises a NullPointerException here, which the catch below turns into
                // a policy failure.
                if (wsuId.startsWith("#")) {
                    wsuId = wsuId.substring(1);
                }
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), wsuId);
            } else {
                wSSecDKEncrypt.setTokenIdDirectId(true);
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), securityToken.getId());
            }
            // Value type advertised for the base key.
            if (securityToken.getSHA1() != null) {
                String tokenType2 = securityToken.getTokenType();
                if (tokenType2 == null) {
                    tokenType2 = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
                }
                wSSecDKEncrypt.setCustomValueType(tokenType2);
            } else {
                String tokenType3 = securityToken.getTokenType();
                // NOTE(review): 12 is an inlined key-identifier code, presumably
                // WSConstants.CUSTOM_KEY_IDENTIFIER; confirm against the WSS4J version in use.
                if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType3) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType3)) {
                    wSSecDKEncrypt.setKeyIdentifierType(12);
                    wSSecDKEncrypt.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
                } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType3) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType3)) {
                    wSSecDKEncrypt.setKeyIdentifierType(12);
                    wSSecDKEncrypt.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
                } else if (token instanceof UsernameToken) {
                    wSSecDKEncrypt.setCustomValueType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
                } else {
                    wSSecDKEncrypt.setCustomValueType(tokenType3);
                }
            }
            // Cipher and derived key length come from the binding's algorithm suite.
            wSSecDKEncrypt.setSymmetricEncAlgorithm(this.sbinding.getAlgorithmSuite().getEncryption());
            // NOTE(review): "/ 8" presumably converts a bit length to bytes; confirm the units.
            wSSecDKEncrypt.setDerivedKeyLength(this.sbinding.getAlgorithmSuite().getEncryptionDerivedKeyLength() / 8);
            wSSecDKEncrypt.prepare(this.saaj.getSOAPPart());
            addDerivedKeyElement(wSSecDKEncrypt.getdktElement());
            Element encryptForExternalRef = wSSecDKEncrypt.encryptForExternalRef(null, list);
            if (z2) {
                insertBeforeBottomUp(encryptForExternalRef);
            } else {
                addDerivedKeyElement(encryptForExternalRef);
            }
            return wSSecDKEncrypt;
        } catch (Exception e) {
            // Every failure, unchecked exceptions included, becomes a policy failure plus a null
            // return. Nothing here undoes header elements that were already added.
            policyNotAsserted(tokenWrapper, e);
            return null;
        }
    }

    /**
     * Encrypts the given parts with the security token's secret, delegating to
     * doEncryptionDerived() when the policy token requires derived keys.
     *
     * @param tokenWrapper policy wrapper of the encryption token
     * @param securityToken runtime token supplying the secret, ids and references
     * @param z whether the caller added the token element to the security header
     * @param list parts to encrypt
     * @param z2 true inserts the reference list via insertBeforeBottomUp(), false appends it via
     *        addDerivedKeyElement()
     * @return the encryption builder that was used, or null when there is no token, nothing to
     *         encrypt, or WSS4J reported an error; callers must handle null
     */
    private WSSecBase doEncryption(TokenWrapper tokenWrapper, SecurityToken securityToken, boolean z, List<WSEncryptionPart> list, boolean z2) {
        if (tokenWrapper == null || tokenWrapper.getToken() == null || list.size() <= 0) {
            return null;
        }
        Token token = tokenWrapper.getToken();
        // The assertions are marked satisfied before any encryption has happened; the failure
        // path further down calls policyNotAsserted() on the wrapper only.
        policyAsserted(tokenWrapper);
        policyAsserted(token);
        AlgorithmSuite algorithmSuite = this.sbinding.getAlgorithmSuite();
        if (token.isDerivedKeys()) {
            return doEncryptionDerived(tokenWrapper, securityToken, token, z, list, z2);
        }
        try {
            WSSecEncrypt wSSecEncrypt = new WSSecEncrypt(this.wssConfig);
            // Choose the id the EncryptedData key reference will carry.
            String id = securityToken.getId();
            if (z) {
                id = securityToken.getWsuId();
                if (id == null && ((token instanceof SecureConversationToken) || (token instanceof SecurityContextToken))) {
                    wSSecEncrypt.setEncKeyIdDirectId(true);
                    id = securityToken.getId();
                } else if (id == null) {
                    id = securityToken.getId();
                }
                // NOTE(review): a null id raises a NullPointerException here; only
                // WSSecurityException is caught below, so it propagates to the caller.
                if (id.startsWith("#")) {
                    id = id.substring(1);
                }
            } else {
                wSSecEncrypt.setEncKeyIdDirectId(true);
            }
            if (securityToken.getTokenType() != null) {
                wSSecEncrypt.setCustomReferenceValue(securityToken.getTokenType());
            }
            wSSecEncrypt.setEncKeyId(id);
            // The token's secret is used directly as the data-encryption key.
            wSSecEncrypt.setEphemeralKey(securityToken.getSecret());
            Crypto encryptionCrypto = getEncryptionCrypto(tokenWrapper);
            if (encryptionCrypto != null) {
                this.message.getExchange().put("ws-security.encryption.crypto", encryptionCrypto);
                setEncryptionUser(wSSecEncrypt, tokenWrapper, false, encryptionCrypto);
            }
            wSSecEncrypt.setDocument(this.saaj.getSOAPPart());
            // The symmetric key is referenced, not wrapped again inside this message.
            wSSecEncrypt.setEncryptSymmKey(false);
            wSSecEncrypt.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
            // NOTE(review): 12, 10 and 6 below are inlined key-identifier codes, presumably
            // WSConstants.CUSTOM_KEY_IDENTIFIER, ENCRYPTED_KEY_SHA1_IDENTIFIER and
            // EMBED_SECURITY_TOKEN_REF; confirm against the WSS4J version in use.
            if ((token instanceof IssuedToken) || (token instanceof SpnegoContextToken)) {
                Element attachedReference = z ? securityToken.getAttachedReference() : securityToken.getUnattachedReference();
                String tokenType = securityToken.getTokenType();
                if (attachedReference != null) {
                    wSSecEncrypt.setSecurityTokenReference(new SecurityTokenReference(cloneElement(attachedReference), false));
                } else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType)) {
                    wSSecEncrypt.setCustomReferenceValue(WSConstants.WSS_SAML_KI_VALUE_TYPE);
                    wSSecEncrypt.setKeyIdentifierType(12);
                } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType)) {
                    wSSecEncrypt.setCustomReferenceValue(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
                    wSSecEncrypt.setKeyIdentifierType(12);
                } else {
                    wSSecEncrypt.setCustomReferenceValue(tokenType);
                    wSSecEncrypt.setKeyIdentifierType(12);
                }
            } else if (token instanceof UsernameToken) {
                wSSecEncrypt.setCustomReferenceValue("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
            } else if (!isRequestor()) {
                // Responder: refer to the received EncryptedKey by its SHA-1 when available.
                if (securityToken.getSHA1() != null) {
                    wSSecEncrypt.setCustomReferenceValue(securityToken.getSHA1());
                    wSSecEncrypt.setKeyIdentifierType(10);
                } else {
                    wSSecEncrypt.setKeyIdentifierType(6);
                }
            }
            // encryptionCrypto may be null at this point; it is passed on unchanged.
            wSSecEncrypt.prepare(this.saaj.getSOAPPart(), encryptionCrypto);
            if (wSSecEncrypt.getBSTTokenId() != null) {
                wSSecEncrypt.prependBSTElementToHeader(this.secHeader);
            }
            Element encryptForRef = wSSecEncrypt.encryptForRef(null, list);
            if (z2) {
                insertBeforeBottomUp(encryptForRef);
            } else {
                addDerivedKeyElement(encryptForRef);
            }
            return wSSecEncrypt;
        } catch (WSSecurityException e) {
            // Only the message text is forwarded; the exception and its cause are dropped, unlike
            // doEncryptionDerived(), which passes the exception itself.
            policyNotAsserted(tokenWrapper, e.getMessage());
            return null;
        }
    }

    /**
     * Signs the given parts with a key derived from the security token's secret and records the
     * resulting signature element and id on the handler.
     *
     * @param list parts to sign; when token protection is enabled this list is modified in place
     *        (a part for the token itself is appended)
     * @param tokenWrapper policy wrapper of the signing token
     * @param token policy token; its type decides the reference/value-type handling
     * @param securityToken runtime token supplying the secret, ids and references
     * @param z whether the caller added the token element to the security header; used here only
     *        to pick the id for token protection
     * @return the computed signature value
     * @throws WSSecurityException on WSS4J errors, including a wrapped ConversationException
     */
    private byte[] doSignatureDK(List<WSEncryptionPart> list, TokenWrapper tokenWrapper, Token token, SecurityToken securityToken, boolean z) throws WSSecurityException {
        Document sOAPPart = this.saaj.getSOAPPart();
        WSSecDKSign wSSecDKSign = new WSSecDKSign(this.wssConfig);
        if (tokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) {
            // NOTE(review): 2 is an inlined constant, presumably the WS-SecureConversation
            // version used with SecurityPolicy 1.2; confirm against the WSS4J version in use.
            wSSecDKSign.setWscVersion(2);
        }
        // z2 is recomputed from policy here and is independent of the caller-supplied z.
        boolean z2 = false;
        if (includeToken(token.getInclusion())) {
            z2 = true;
        }
        // Pick how the derived key points at its base key: a stored reference, the token id, or
        // (responder with derived keys and a known SHA-1) an EncryptedKeySHA1 reference.
        Element attachedReference = z2 ? securityToken.getAttachedReference() : securityToken.getUnattachedReference();
        if (attachedReference != null) {
            wSSecDKSign.setExternalKey(securityToken.getSecret(), cloneElement(attachedReference));
        } else if (isRequestor() || !token.isDerivedKeys() || securityToken.getSHA1() == null) {
            if ((!z2 && !isRequestor()) || (token instanceof SecureConversationToken) || (token instanceof SecurityContextToken)) {
                wSSecDKSign.setTokenIdDirectId(true);
            }
            wSSecDKSign.setExternalKey(securityToken.getSecret(), securityToken.getId());
        } else {
            SecurityTokenReference securityTokenReference = new SecurityTokenReference(sOAPPart);
            // getSHA1() was already tested non-null by the branch condition above; this second
            // check repeats it.
            if (securityToken.getSHA1() != null) {
                securityTokenReference.setKeyIdentifierEncKeySHA1(securityToken.getSHA1());
                String tokenType = securityToken.getTokenType();
                if (tokenType == null) {
                    tokenType = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
                }
                securityTokenReference.addTokenType(tokenType);
            }
            wSSecDKSign.setExternalKey(securityToken.getSecret(), securityTokenReference.getElement());
        }
        // Signature algorithm and derived key length come from the binding's algorithm suite.
        wSSecDKSign.setSignatureAlgorithm(this.sbinding.getAlgorithmSuite().getSymmetricSignature());
        // NOTE(review): "/ 8" presumably converts a bit length to bytes; confirm the units.
        wSSecDKSign.setDerivedKeyLength(this.sbinding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
        // Value type advertised for the base key.
        if (securityToken.getSHA1() != null) {
            String tokenType2 = securityToken.getTokenType();
            if (tokenType2 == null) {
                tokenType2 = WSConstants.WSS_ENC_KEY_VALUE_TYPE;
            }
            wSSecDKSign.setCustomValueType(tokenType2);
        } else {
            String tokenType3 = securityToken.getTokenType();
            // NOTE(review): 12 is an inlined key-identifier code, presumably
            // WSConstants.CUSTOM_KEY_IDENTIFIER; confirm against the WSS4J version in use.
            if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType3) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType3)) {
                wSSecDKSign.setKeyIdentifierType(12);
                wSSecDKSign.setCustomValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
            } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType3) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType3)) {
                wSSecDKSign.setKeyIdentifierType(12);
                wSSecDKSign.setCustomValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
            } else if (token instanceof UsernameToken) {
                wSSecDKSign.setCustomValueType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
            } else {
                wSSecDKSign.setCustomValueType(tokenType3);
            }
        }
        try {
            wSSecDKSign.prepare(sOAPPart, this.secHeader);
            if (this.sbinding.isTokenProtection()) {
                // Token protection: the signing token itself is added to the signed parts.
                String id = securityToken.getId();
                if (z) {
                    id = securityToken.getWsuId();
                    if (id == null) {
                        id = securityToken.getId();
                    }
                    if (id.startsWith("#")) {
                        id = id.substring(1);
                    }
                }
                list.add(new WSEncryptionPart(id));
            }
            wSSecDKSign.setParts(list);
            List<Reference> addReferencesToSign = wSSecDKSign.addReferencesToSign(list, this.secHeader);
            addDerivedKeyElement(wSSecDKSign.getdktElement());
            // The first signature is placed without an anchor; later ones are positioned relative
            // to the current bottomUpElement.
            if (this.bottomUpElement == null) {
                wSSecDKSign.computeSignature(addReferencesToSign, false, null);
            } else {
                wSSecDKSign.computeSignature(addReferencesToSign, true, this.bottomUpElement);
            }
            // Remember the signature so that signature protection can encrypt it later.
            this.bottomUpElement = wSSecDKSign.getSignatureElement();
            this.mainSigId = wSSecDKSign.getSignatureId();
            return wSSecDKSign.getSignatureValue();
        } catch (ConversationException e) {
            throw new WSSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Signs the given parts with the security token's secret as a symmetric key, delegating to
     * doSignatureDK() when the policy token requires derived keys, and records the resulting
     * signature element and id on the handler.
     *
     * @param list parts to sign; when the token is included and token protection is enabled this
     *        list is modified in place (a part for the token itself is appended)
     * @param tokenWrapper policy wrapper of the signing token
     * @param token policy token; its type decides the key-identifier handling
     * @param securityToken runtime token supplying the secret, ids and references
     * @param z whether the caller added the token element to the security header
     * @return the computed signature value
     * @throws WSSecurityException on WSS4J errors
     */
    private byte[] doSignature(List<WSEncryptionPart> list, TokenWrapper tokenWrapper, Token token, SecurityToken securityToken, boolean z) throws WSSecurityException {
        String id;
        if (token.isDerivedKeys()) {
            return doSignatureDK(list, tokenWrapper, token, securityToken, z);
        }
        WSSecSignature wSSecSignature = new WSSecSignature(this.wssConfig);
        wSSecSignature.setWsConfig(this.wssConfig);
        // NOTE(review): 9, 10, 11 and 12 in this method are inlined key-identifier codes,
        // presumably WSConstants.CUSTOM_SYMM_SIGNING, ENCRYPTED_KEY_SHA1_IDENTIFIER,
        // CUSTOM_SYMM_SIGNING_DIRECT and CUSTOM_KEY_IDENTIFIER; confirm against the WSS4J
        // version in use.
        int i = z ? 9 : 11;
        if (token instanceof X509Token) {
            if (isRequestor()) {
                wSSecSignature.setCustomTokenValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
                wSSecSignature.setKeyIdentifierType(i);
            } else {
                // Responder: refer to the received EncryptedKey by its SHA-1.
                // NOTE(review): getSHA1() is null when the digest could not be computed.
                wSSecSignature.setEncrKeySha1value(securityToken.getSHA1());
                wSSecSignature.setKeyIdentifierType(10);
            }
        } else if (token instanceof UsernameToken) {
            wSSecSignature.setCustomTokenValueType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
            wSSecSignature.setKeyIdentifierType(i);
        } else {
            Element attachedReference = z ? securityToken.getAttachedReference() : securityToken.getUnattachedReference();
            if (attachedReference != null) {
                wSSecSignature.setSecurityTokenReference(new SecurityTokenReference(cloneElement(attachedReference), false));
                wSSecSignature.setKeyIdentifierType(12);
            } else {
                String tokenType = securityToken.getTokenType();
                if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType)) {
                    wSSecSignature.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
                    wSSecSignature.setKeyIdentifierType(12);
                } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType)) {
                    wSSecSignature.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
                    wSSecSignature.setKeyIdentifierType(12);
                } else {
                    wSSecSignature.setCustomTokenValueType(tokenType);
                    wSSecSignature.setKeyIdentifierType(i);
                }
            }
        }
        // Choose the id the signature's key reference will carry.
        if (z) {
            id = securityToken.getWsuId();
            if (id == null) {
                if ((token instanceof SecureConversationToken) || (token instanceof SecurityContextToken)) {
                    wSSecSignature.setKeyIdentifierType(11);
                }
                id = securityToken.getId();
            }
            // NOTE(review): a null id raises a NullPointerException here.
            if (id.startsWith("#")) {
                id = id.substring(1);
            }
        } else {
            id = securityToken.getId();
        }
        if (z && this.sbinding.isTokenProtection()) {
            // Token protection: the signing token itself is added to the signed parts.
            list.add(new WSEncryptionPart(id));
        }
        wSSecSignature.setCustomTokenId(id);
        wSSecSignature.setSecretKey(securityToken.getSecret());
        wSSecSignature.setSignatureAlgorithm(this.sbinding.getAlgorithmSuite().getSymmetricSignature());
        // With a protection token the encryption crypto is used for signing as well; it is stored
        // on the exchange under the signature-crypto key either way (possibly as null).
        Crypto encryptionCrypto = this.sbinding.getProtectionToken() != null ? getEncryptionCrypto(this.sbinding.getProtectionToken()) : getSignatureCrypto(tokenWrapper);
        this.message.getExchange().put("ws-security.signature.crypto", encryptionCrypto);
        wSSecSignature.prepare(this.saaj.getSOAPPart(), encryptionCrypto, this.secHeader);
        wSSecSignature.setParts(list);
        List<Reference> addReferencesToSign = wSSecSignature.addReferencesToSign(list, this.secHeader);
        // The first signature is placed without an anchor; later ones are positioned relative to
        // the current bottomUpElement.
        if (this.bottomUpElement == null) {
            wSSecSignature.computeSignature(addReferencesToSign, false, null);
        } else {
            wSSecSignature.computeSignature(addReferencesToSign, true, this.bottomUpElement);
        }
        // Remember the signature so that signature protection can encrypt it later.
        this.bottomUpElement = wSSecSignature.getSignatureElement();
        this.mainSigId = wSSecSignature.getId();
        return wSSecSignature.getSignatureValue();
    }

    /**
     * Requestor side: creates an EncryptedKey for the given token, stores the resulting
     * SecurityToken (ephemeral key plus SHA-1 of the encrypted key) in the token store, and adds
     * the builder's BinarySecurityToken to the header when it produced one.
     *
     * <p>NOTE(review): the lifetime added to the creation time is
     * SIMPConstants.ANYCAST_RESPONSE_INTERVAL, a constant from an unrelated messaging package.
     * This looks like a decompiler substitution for a numeric literal; confirm the intended
     * lifetime of the stored key.
     *
     * @param tokenWrapper policy wrapper handed to the EncryptedKey builder
     * @param token policy token handed to the EncryptedKey builder
     * @return id of the EncryptedKey, which is also the key of the stored SecurityToken
     * @throws WSSecurityException if the EncryptedKey cannot be built
     */
    private String setupEncryptedKey(TokenWrapper tokenWrapper, Token token) throws WSSecurityException {
        WSSecEncryptedKey keyBuilder = getEncryptedKeyBuilder(tokenWrapper, token);
        String encKeyId = keyBuilder.getId();
        byte[] secret = keyBuilder.getEphemeralKey();

        Date created = new Date();
        Date expires = new Date(created.getTime() + SIMPConstants.ANYCAST_RESPONSE_INTERVAL);

        SecurityToken stored = new SecurityToken(encKeyId, keyBuilder.getEncryptedKeyElement(), created, expires);
        stored.setSecret(secret);
        // getSHA1() yields null when the digest fails, so the stored token may lack a SHA-1.
        stored.setSHA1(getSHA1(keyBuilder.getEncryptedEphemeralKey()));
        this.tokenStore.add(stored);

        String bstId = keyBuilder.getBSTTokenId();
        boolean hasBst = bstId != null && !bstId.isEmpty();
        if (hasBst) {
            keyBuilder.prependBSTElementToHeader(this.secHeader);
        }
        return encKeyId;
    }

    /**
     * Requestor side: adds a UsernameToken that carries key-derivation data, and stores a
     * SecurityToken holding the derived key in the token store.
     *
     * <p>NOTE(review): the lifetime added to the creation time is
     * SIMPConstants.ANYCAST_RESPONSE_INTERVAL, a constant from an unrelated messaging package.
     * This looks like a decompiler substitution for a numeric literal; confirm the intended
     * lifetime of the stored key.
     *
     * @param usernameToken policy assertion describing the UsernameToken
     * @return id of the UsernameToken, which is also the key of the stored SecurityToken
     * @throws WSSecurityException if the token or its derived key cannot be created
     */
    private String setupUTDerivedKey(UsernameToken usernameToken) throws WSSecurityException {
        WSSecUsernameToken utBuilder = addDKUsernameToken(usernameToken, hasSignedPartsOrElements());
        String utId = utBuilder.getId();
        byte[] secret = utBuilder.getDerivedKey();

        Date created = new Date();
        Date expires = new Date(created.getTime() + SIMPConstants.ANYCAST_RESPONSE_INTERVAL);

        SecurityToken stored = new SecurityToken(utId, utBuilder.getUsernameTokenElement(), created, expires);
        stored.setSecret(secret);
        this.tokenStore.add(stored);
        return utId;
    }

    /**
     * Responder side: finds the first result of the inbound security processing whose action
     * code is 4 and that has a non-empty id, stores a SecurityToken with that result's secret and
     * encrypted-key SHA-1, and returns the id.
     *
     * <p>NOTE(review): 4 is an inlined action code, presumably WSConstants.ENCR; confirm against
     * the WSS4J version in use. A request without RECV_RESULTS, or a result without an "action"
     * entry, ends in a NullPointerException. The token lifetime comes from
     * SIMPConstants.ANYCAST_RESPONSE_INTERVAL, which looks like a decompiler substitution for a
     * numeric literal; confirm the intended value.
     *
     * @return id of the received EncryptedKey, or null when no matching result exists
     */
    private String getEncryptedKey() {
        List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) this.message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
        for (WSHandlerResult handlerResult : handlerResults) {
            for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
                Integer action = (Integer) engineResult.get("action");
                String encKeyId = (String) engineResult.get("id");
                if (action.intValue() != 4 || encKeyId == null || encKeyId.length() == 0) {
                    continue;
                }
                Date created = new Date();
                Date expires = new Date(created.getTime() + SIMPConstants.ANYCAST_RESPONSE_INTERVAL);
                SecurityToken stored = new SecurityToken(encKeyId, created, expires);
                stored.setSecret((byte[]) engineResult.get(WSSecurityEngineResult.TAG_SECRET));
                stored.setSHA1(getSHA1((byte[]) engineResult.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
                this.tokenStore.add(stored);
                return encKeyId;
            }
        }
        return null;
    }

    /**
     * Responder side: finds the first result of the inbound security processing whose action
     * code is 8192, stores a SecurityToken with that result's secret, and returns its id. A fresh
     * "UsernameToken-" id is allocated when the result carries none.
     *
     * <p>NOTE(review): 8192 is an inlined action code, presumably WSConstants.UT_NOPASSWORD;
     * confirm against the WSS4J version in use. A request without RECV_RESULTS, or a result
     * without an "action" entry, ends in a NullPointerException. The token lifetime comes from
     * SIMPConstants.ANYCAST_RESPONSE_INTERVAL, which looks like a decompiler substitution for a
     * numeric literal; confirm the intended value.
     *
     * @return id under which the derived key was stored, or null when no matching result exists
     * @throws WSSecurityException declared by the original signature
     */
    private String getUTDerivedKey() throws WSSecurityException {
        List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) this.message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
        for (WSHandlerResult handlerResult : handlerResults) {
            for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
                Integer action = (Integer) engineResult.get("action");
                String utId = (String) engineResult.get("id");
                if (action.intValue() != 8192) {
                    continue;
                }
                boolean missingId = utId == null || utId.length() == 0;
                if (missingId) {
                    utId = this.wssConfig.getIdAllocator().createId("UsernameToken-", null);
                }
                Date created = new Date();
                Date expires = new Date(created.getTime() + SIMPConstants.ANYCAST_RESPONSE_INTERVAL);
                SecurityToken stored = new SecurityToken(utId, created, expires);
                stored.setSecret((byte[]) engineResult.get(WSSecurityEngineResult.TAG_SECRET));
                this.tokenStore.add(stored);
                return utId;
            }
        }
        return null;
    }

    /**
     * Base64-encodes the digest WSSecurityUtil.generateDigest() computes over the given bytes.
     *
     * <p>NOTE(review): a digest failure is swallowed and reported as null. Callers store that
     * null with setSHA1(), and later code chooses the key-reference style depending on whether
     * getSHA1() is null, so the failure surfaces only indirectly.
     *
     * @param bArr bytes to digest (callers pass the encrypted ephemeral key)
     * @return the Base64 text of the digest, or null when the digest could not be computed
     */
    private String getSHA1(byte[] bArr) {
        String encoded;
        try {
            byte[] digest = WSSecurityUtil.generateDigest(bArr);
            encoded = Base64.encode(digest);
        } catch (WSSecurityException ignored) {
            // Kept as best effort: callers treat a null SHA-1 as "not available".
            encoded = null;
        }
        return encoded;
    }

    /**
     * Tells whether the effective policy contains a SignedParts or SignedElements assertion.
     * Only the SP12Constants names are queried.
     *
     * @return true when either assertion collection exists and is non-empty
     */
    private boolean hasSignedPartsOrElements() {
        Collection<AssertionInfo> signedParts = this.aim.getAssertionInfo(SP12Constants.SIGNED_PARTS);
        if (signedParts != null && !signedParts.isEmpty()) {
            return true;
        }
        Collection<AssertionInfo> signedElements = this.aim.getAssertionInfo(SP12Constants.SIGNED_ELEMENTS);
        if (signedElements == null) {
            return false;
        }
        return !signedElements.isEmpty();
    }
}
