package org.apache.ws.security.str;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.xml.namespace.QName;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DerivedKeyToken;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.str.STRParser;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;

/* loaded from: input_file:wlp/dev/api/third-party/com.ibm.websphere.appserver.thirdparty.wsSecurity_2.0.9.jar:org/apache/ws/security/str/SecurityTokenRefSTRParser.class */
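/**
 * {@link STRParser} that resolves a {@code wsse:SecurityTokenReference} to a symmetric
 * secret key (typically for signature or encryption/derived-key processing).
 *
 * <p>Resolution order, as implemented in {@link #parseSecurityTokenReference}:
 * <ol>
 *   <li>a token already processed in this message ({@link WSDocInfo#getResult}),</li>
 *   <li>a key supplied by the application's {@code CallbackHandler}
 *       ({@link WSPasswordCallback#SECRET_KEY}),</li>
 *   <li>for direct references: an unprocessed {@code BinarySecurityToken} in the document,</li>
 *   <li>for key identifiers: a SAML assertion subject key, or a Kerberos-token SHA-1 match.</li>
 * </ol>
 * If none yields a key, a {@code WSSecurityException} (FAILED_CHECK / "unsupportedKeyId")
 * is thrown, so callers never proceed with a null key.
 *
 * <p>This parser never yields certificates or a public key; those accessors return
 * {@code null}. Basic Security Profile (BSP) checks are applied only when the
 * {@link WSSConfig} (if any) reports {@code isWsiBSPCompliant()}.
 *
 * <p>Not thread-safe: each parse stores its result in instance fields.
 */
public class SecurityTokenRefSTRParser implements STRParser {
    /** Parameter key whose value is the signature method URI used to size a derived key. */
    public static final String SIGNATURE_METHOD = "signature_method";

    /** Secret key resolved by the last parse, or {@code null} if none. */
    private byte[] secretKey;
    /** Principal resolved by the last parse (only set for derived-key tokens). */
    private Principal principal;

    /**
     * Parses the given STR element and stores the resolved secret key (and, for
     * derived-key tokens, the principal) on this instance.
     *
     * @param element     the {@code wsse:SecurityTokenReference} element
     * @param requestData request context (config, callback handler)
     * @param wSDocInfo   results of tokens already processed in this document
     * @param map         extra parameters; may hold {@link #SIGNATURE_METHOD}
     * @throws WSSecurityException if the STR is malformed, contains neither a
     *         Reference nor a KeyIdentifier, fails a BSP check, or no key can be found
     */
    @Override // org.apache.ws.security.str.STRParser
    public void parseSecurityTokenReference(Element element, RequestData requestData, WSDocInfo wSDocInfo, Map<String, Object> map) throws WSSecurityException {
        // BSP compliance defaults to "on" when no config is present.
        boolean bspCompliant = true;
        WSSConfig wssConfig = requestData.getWssConfig();
        if (wssConfig != null) {
            bspCompliant = wssConfig.isWsiBSPCompliant();
        }
        SecurityTokenReference securityTokenReference = new SecurityTokenReference(element, bspCompliant);

        // The lookup id: a local "#id" reference with the '#' stripped, or the KeyIdentifier value.
        String id = null;
        if (securityTokenReference.containsReference()) {
            id = securityTokenReference.getReference().getURI();
            // startsWith() also covers an empty URI, which charAt(0) would not.
            if (id != null && id.startsWith("#")) {
                id = id.substring(1);
            }
        } else if (securityTokenReference.containsKeyIdentifier()) {
            id = securityTokenReference.getKeyIdentifierValue();
        }

        // 1. Token already processed earlier in this message.
        WSSecurityEngineResult result = wSDocInfo.getResult(id);
        if (result != null) {
            processPreviousResult(result, securityTokenReference, requestData, map, wSDocInfo, bspCompliant);
            requireSecretKey(id);
            return;
        }

        // 2. Direct reference: ask the callback handler, then fall back to an unprocessed BST.
        if (securityTokenReference.containsReference()) {
            this.secretKey = getSecretKeyFromToken(id, securityTokenReference.getReference().getValueType(), requestData);
            if (this.secretKey == null) {
                Element tokenElement = securityTokenReference.getTokenElement(element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler());
                // NOTE(review): guarded on null in case getTokenElement reports "not found" by
                // returning null rather than throwing — confirm against SecurityTokenReference.
                if (tokenElement != null
                        && new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName()).equals(WSSecurityEngine.BINARY_TOKEN)) {
                    List<WSSecurityEngineResult> handleToken = requestData.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN).handleToken(tokenElement, requestData, wSDocInfo);
                    // An empty result list leaves secretKey null and is reported as unsupportedKeyId below.
                    if (handleToken != null && !handleToken.isEmpty()) {
                        WSSecurityEngineResult bstResult = handleToken.get(0);
                        BinarySecurity binarySecurity = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                        if (bspCompliant) {
                            BSPEnforcer.checkBinarySecurityBSPCompliance(securityTokenReference, binarySecurity);
                        }
                        this.secretKey = (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
                    }
                }
            }
            requireSecretKey(id);
            return;
        }

        // 3. Neither Reference nor KeyIdentifier: the STR cannot be resolved at all.
        if (!securityTokenReference.containsKeyIdentifier()) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "noReference");
        }

        String keyIdentifierValueType = securityTokenReference.getKeyIdentifierValueType();
        String keyIdentifierValue = securityTokenReference.getKeyIdentifierValue();

        // 4a. SAML key identifier: callback first, then the assertion's subject key.
        if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(keyIdentifierValueType) || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(keyIdentifierValueType)) {
            this.secretKey = getSecretKeyFromToken(keyIdentifierValue, keyIdentifierValueType, requestData);
            if (this.secretKey == null) {
                AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(securityTokenReference, element, requestData, wSDocInfo);
                // getSecretKeyFromAssertion throws rather than returning null, so no null check here.
                this.secretKey = getSecretKeyFromAssertion(assertion, securityTokenReference, requestData, wSDocInfo, bspCompliant);
            }
            return;
        }

        // 4b. Kerberos key identifier: callback first, then match the SKI digest against processed BSTs.
        if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(keyIdentifierValueType)) {
            this.secretKey = getSecretKeyFromToken(keyIdentifierValue, keyIdentifierValueType, requestData);
            if (this.secretKey == null) {
                byte[] skiBytes = securityTokenReference.getSKIBytes();
                for (WSSecurityEngineResult bstResult : wSDocInfo.getResultsByTag(WSConstants.BST)) {
                    BinarySecurity token = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                    if (Arrays.equals(WSSecurityUtil.generateDigest(token.getToken()), skiBytes)) {
                        this.secretKey = (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
                        break;
                    }
                }
            }
            requireSecretKey(id);
            return;
        }

        // 4c. Any other key identifier type (e.g. EncryptedKeySHA1): callback handler only.
        if (bspCompliant && SecurityTokenReference.ENC_KEY_SHA1_URI.equals(keyIdentifierValueType)) {
            BSPEnforcer.checkEncryptedKeyBSPCompliance(securityTokenReference);
        }
        this.secretKey = getSecretKeyFromToken(keyIdentifierValue, keyIdentifierValueType, requestData);
        requireSecretKey(id);
    }

    /**
     * Fails the parse if no secret key was resolved.
     *
     * @param id the reference id or key identifier, reported in the error
     * @throws WSSecurityException FAILED_CHECK / "unsupportedKeyId" when {@code secretKey} is null
     */
    private void requireSecretKey(String id) throws WSSecurityException {
        if (this.secretKey == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]{id});
        }
    }

    /** @return always {@code null}; this parser resolves symmetric keys only */
    @Override // org.apache.ws.security.str.STRParser
    public X509Certificate[] getCertificates() {
        return null;
    }

    /** @return the principal of the last parse, set only for derived-key tokens; else {@code null} */
    @Override // org.apache.ws.security.str.STRParser
    public Principal getPrincipal() {
        return this.principal;
    }

    /** @return always {@code null}; this parser resolves symmetric keys only */
    @Override // org.apache.ws.security.str.STRParser
    public PublicKey getPublicKey() {
        return null;
    }

    /**
     * @return the secret key resolved by the last parse (the internal array, not a copy),
     *         or {@code null} before any successful parse
     */
    @Override // org.apache.ws.security.str.STRParser
    public byte[] getSecretKey() {
        return this.secretKey;
    }

    /** @return always {@code null}; no certificate reference is produced */
    @Override // org.apache.ws.security.str.STRParser
    public STRParser.REFERENCE_TYPE getCertificatesReferenceType() {
        return null;
    }

    /**
     * @return always {@code false}; trust in the key rests with the callback handler or
     *         the processor that produced the earlier result, not with this parser
     */
    @Override // org.apache.ws.security.str.STRParser
    public boolean isTrustedCredential() {
        return false;
    }

    /**
     * Asks the application's callback handler for the secret key of a token.
     *
     * @param id          token id or key identifier; a leading '#' is stripped
     * @param valueType   the reference/key-identifier ValueType, passed through to the callback
     * @param requestData supplies the callback handler
     * @return the key the handler set, or {@code null} if there is no handler, no usable id,
     *         or the handler set none
     * @throws WSSecurityException FAILURE / "noPassword" wrapping any handler failure
     */
    private byte[] getSecretKeyFromToken(String id, String valueType, RequestData requestData) throws WSSecurityException {
        // Nothing to look up: let the caller report unsupportedKeyId instead of failing on charAt(0).
        if (id == null || id.isEmpty()) {
            return null;
        }
        if (id.startsWith("#")) {
            id = id.substring(1);
        }
        if (requestData.getCallbackHandler() == null) {
            return null;
        }
        WSPasswordCallback callback = new WSPasswordCallback(id, null, valueType, WSPasswordCallback.SECRET_KEY, requestData);
        try {
            requestData.getCallbackHandler().handle(new Callback[]{callback});
            return callback.getKey();
        } catch (Exception e) {
            // Handler contracts allow IOException/UnsupportedCallbackException and arbitrary runtime failures.
            throw new WSSecurityException(WSSecurityException.FAILURE, "noPassword", new Object[]{id}, e);
        }
    }

    /**
     * Extracts the secret key carried in a SAML assertion's subject.
     *
     * @param assertionWrapper       the assertion referenced by the STR
     * @param securityTokenReference the STR, for BSP checks
     * @param requestData            request context
     * @param wSDocInfo              processed-token results
     * @param bspCompliant           whether to enforce BSP rules on the SAML reference
     * @return the subject secret; never {@code null}
     * @throws WSSecurityException FAILED_CHECK / "invalidSAMLToken" if the subject carries no key,
     *         or if a BSP check fails
     */
    private byte[] getSecretKeyFromAssertion(AssertionWrapper assertionWrapper, SecurityTokenReference securityTokenReference, RequestData requestData, WSDocInfo wSDocInfo, boolean bspCompliant) throws WSSecurityException {
        if (bspCompliant) {
            BSPEnforcer.checkSamlTokenBSPCompliance(securityTokenReference, assertionWrapper);
        }
        SAMLKeyInfo keyInfo = SAMLUtil.getCredentialFromSubject(assertionWrapper, requestData, wSDocInfo, bspCompliant);
        if (keyInfo == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "invalidSAMLToken", new Object[]{"No Secret Key"});
        }
        return keyInfo.getSecret();
    }

    /**
     * Takes the secret key from a token that was already processed in this message,
     * dispatching on the result's action code. Unknown actions leave {@code secretKey}
     * untouched (null), which the caller turns into "unsupportedKeyId".
     *
     * @param result                 the earlier engine result for the referenced token
     * @param securityTokenReference the STR, for BSP checks
     * @param requestData            request context
     * @param map                    parameters; {@link #SIGNATURE_METHOD} sizes a derived key
     * @param wSDocInfo              processed-token results
     * @param bspCompliant           whether to enforce BSP rules
     * @throws WSSecurityException on BSP violation or SAML/derived-key failures
     */
    private void processPreviousResult(WSSecurityEngineResult result, SecurityTokenReference securityTokenReference, RequestData requestData, Map<String, Object> map, WSDocInfo wSDocInfo, boolean bspCompliant) throws WSSecurityException {
        Integer action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
        if (action == null) {
            return; // no action recorded: nothing to derive a key from
        }
        switch (action) {
            case WSConstants.ENCR:
                if (bspCompliant) {
                    BSPEnforcer.checkEncryptedKeyBSPCompliance(securityTokenReference);
                }
                this.secretKey = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
                break;
            case WSConstants.DKT: {
                DerivedKeyToken derivedKeyToken = (DerivedKeyToken) result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
                // Key length is taken from the signature method the caller supplied.
                int keyLength = WSSecurityUtil.getKeyLength((String) map.get(SIGNATURE_METHOD));
                this.secretKey = derivedKeyToken.deriveKey(keyLength, (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET));
                this.principal = derivedKeyToken.createPrincipal();
                break;
            }
            case WSConstants.ST_UNSIGNED:
            case WSConstants.ST_SIGNED:
                this.secretKey = getSecretKeyFromAssertion((AssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION), securityTokenReference, requestData, wSDocInfo, bspCompliant);
                break;
            case WSConstants.SCT:
            case WSConstants.BST:
                this.secretKey = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
                break;
            case WSConstants.UT_NOPASSWORD:
            case WSConstants.UT: {
                if (bspCompliant) {
                    BSPEnforcer.checkUsernameTokenBSPCompliance(securityTokenReference);
                }
                UsernameToken usernameToken = (UsernameToken) result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
                // The raw password is needed to re-derive the UsernameToken key.
                usernameToken.setRawPassword(requestData);
                this.secretKey = usernameToken.getDerivedKey();
                break;
            }
            default:
                break;
        }
    }
}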
