package com.ibm.ws.wssecurity.saml.security.impl;

import com.ibm.crypto.provider.AESKeySpec;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.saml.config.impl.SamlConfigUtil;
import com.ibm.ws.wssecurity.saml.security.HoKAssertion;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.ws.wssecurity.xml.xss4j.domutil.DOMUtil;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.token.config.RequesterConfiguration;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.Key;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.crypto.SecretKeyFactory;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNode;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/saml/security/impl/HoKAssertionImpl.class */
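public class HoKAssertionImpl implements HoKAssertion {
    private static final String comp = "security.wssecurity";

    /** WS-Trust 1.3 KeyType URIs read from the RSTT KEYTYPE property. */
    private static final String KEYTYPE_SYMMETRIC = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    private static final String KEYTYPE_PUBLIC = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
    private static final String KEYTYPE_BEARER = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
    /** XML Signature namespace used for the generated ds:KeyInfo element. */
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Key material resolved for the requester (issuer side) or recovered from KeyInfo (consumer side).
    private KeyStoreManager.KeyInformation keyInformation;
    private String thumbprint;
    // Raw bytes of the symmetric proof key, when the holder-of-key confirmation is symmetric.
    private byte[] symmetricProofKey;
    // Public (asymmetric) or secret (symmetric) key that the assertion is bound to.
    private Key key;
    // Private key on the asymmetric path is never populated here; on the symmetric path it is the shared key.
    private Key privatekey;
    private SAMLEncryptedKey encryptedKey;
    // Cached ds:KeyInfo element; once set, marshal() and getXML() return it unchanged.
    private OMElement xml;
    private ProviderConfig issueCfg;
    private RequesterConfig requestData;
    private CredentialConfig cred;
    private ConsumerConfig assertionConsumingCfg;
    private static final TraceComponent tc = Tr.register(HoKAssertionImpl.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = HoKAssertionImpl.class.getName();
    private static final OMFactory omFactory = OMAbstractFactory.getOMFactory();

    /** Creates an empty holder-of-key descriptor; all reference fields start out unset (null). */
    public HoKAssertionImpl() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "HoKAssertionImpl()");
        }
    }

    /**
     * Creates a descriptor wrapping an already-built KeyInfo element.
     *
     * @param oMElement the ds:KeyInfo element to return from {@link #getXML()} and {@link #marshal(OMElement)}
     */
    public HoKAssertionImpl(OMElement oMElement) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "HoKAssertionImpl(OMElement)");
        }
        this.xml = oMElement;
    }

    /**
     * Creates a descriptor for the consuming side.
     *
     * @param consumerConfig configuration used by {@link #unMarshal(OMElement)} to recover the proof key
     */
    public HoKAssertionImpl(ConsumerConfig consumerConfig) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "HoKAssertionImpl(ConsumerConfig)");
        }
        this.assertionConsumingCfg = consumerConfig;
    }

    /**
     * Creates a descriptor for the issuing side.
     *
     * @param providerConfig   issuer configuration used to resolve key information
     * @param requesterConfig  request data (key type, key aliases, KeyInfo type)
     * @param credentialConfig credential configuration; stored but not read by this class
     */
    public HoKAssertionImpl(ProviderConfig providerConfig, RequesterConfig requesterConfig, CredentialConfig credentialConfig) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "HoKAssertionImpl(ProviderConfig, RequesterConfig, CredentialConfig)");
        }
        this.issueCfg = providerConfig;
        this.requestData = requesterConfig;
        this.cred = credentialConfig;
    }

    /** Reads the requested WS-Trust KeyType from the request data; {@code requestData} must be set. */
    private String requestedKeyType() {
        return this.requestData.getRSTTProperties().get(RequesterConfiguration.RSTT.KEYTYPE);
    }

    /**
     * Builds the holder-of-key material according to the requested KeyType.
     *
     * @throws SoapSecurityException if no request data is present, if KeyType is Bearer
     *                               (WSSML0000E), or if key resolution fails
     */
    public void createHok() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createHok");
        }
        // marshal() rejects a missing requester configuration explicitly; do the same here rather
        // than failing with a NullPointerException on the property lookup.
        if (this.requestData == null) {
            throw new SoapSecurityException(clsName + ".requestData: " + ((Object) null));
        }
        String keyType = requestedKeyType();
        if (KEYTYPE_SYMMETRIC.equals(keyType)) {
            createSymmetricKeyInfo();
        } else if (KEYTYPE_PUBLIC.equals(keyType)) {
            createAsymmetricKeyInfo();
        } else if (KEYTYPE_BEARER.equals(keyType)) {
            // A bearer assertion carries no proof key, so a holder-of-key request for it is an error.
            throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML0000E"));
        }
        // Any other (or absent) KeyType leaves the key material unset.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createHok");
        }
    }

    /**
     * Resolves the requester's public key from the issuer configuration (asymmetric holder-of-key).
     * Only the public key is kept; {@code privatekey} is cleared.
     *
     * @throws SoapSecurityException wrapping any failure of the key lookup
     */
    public void createAsymmetricKeyInfo() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createAsymmetricKeyInfo");
        }
        try {
            this.keyInformation = SamlConfigUtil.getRequesterKeyInformation(this.issueCfg, this.requestData.getKeyAliasForRequester());
            this.key = this.keyInformation.getPublicOrSecretKey();
            this.privatekey = null;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".createAsymmetricKeyInfo", "171", this);
            // Pass the exception itself as cause so the original stack trace is preserved.
            throw new SoapSecurityException(e.getMessage(), e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createAsymmetricKeyInfo");
        }
    }

    /**
     * Generates a symmetric proof key encrypted for the AppliesTo party (symmetric holder-of-key).
     * The clear key is kept as both {@code key} and {@code privatekey}, and its encoding as the proof key bytes.
     *
     * @throws SoapSecurityException if no AppliesTo key alias is configured or its key information
     *                               cannot be resolved (WSSML0001E)
     */
    public void createSymmetricKeyInfo() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createSymmetricKeyInfo");
        }
        String appliesToAlias = this.requestData.getKeyAliasForAppliesTo();
        if (appliesToAlias == null) {
            throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML0001E"));
        }
        this.keyInformation = SamlConfigUtil.getRequesterKeyInformation(this.issueCfg, appliesToAlias);
        if (this.keyInformation == null) {
            throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML0001E"));
        }
        this.encryptedKey = EncryptedKeyGenerate.generateEncryptedKey(this.requestData, this.keyInformation, false);
        Key clearKey = this.encryptedKey.getClearKey();
        this.symmetricProofKey = clearKey.getEncoded();
        this.key = clearKey;
        this.privatekey = clearKey;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createSymmetricKeyInfo");
        }
    }

    /**
     * Returns the raw symmetric proof key bytes, or null on the asymmetric path.
     * The internal array is returned directly (no copy), as callers have always received it.
     */
    public byte[] getSymmetricProofKey() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getSymmetricProofKey");
        }
        return this.symmetricProofKey;
    }

    /** Returns the shared secret key on the symmetric path; null on the asymmetric path. */
    @Override // com.ibm.ws.wssecurity.saml.security.HoKAssertion
    public Key getPrivateOrSharedKey() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getPrivateOrSharedKey");
        }
        return this.privatekey;
    }

    /** Overrides the private/shared key. */
    public void setPrivateKey(Key key) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setPrivateKey");
        }
        this.privatekey = key;
    }

    /** Returns the key the assertion is bound to (public key or shared secret). */
    @Override // com.ibm.ws.wssecurity.saml.security.HoKAssertion
    public Key getKey() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getKey");
        }
        return this.key;
    }

    /**
     * Returns the cached KeyInfo element, marshalling it with the default factory if not yet built.
     *
     * @throws SoapSecurityException propagated from {@link #marshal(OMElement)}
     */
    @Override // com.ibm.ws.wssecurity.saml.common.SAMLObjectElement
    public OMElement getXML() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getXML()");
        }
        OMElement result;
        if (this.xml == null) {
            result = marshal(null);
        } else {
            result = this.xml;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getXML()");
        }
        return result;
    }

    /** Replaces the cached KeyInfo element. */
    @Override // com.ibm.ws.wssecurity.saml.security.HoKAssertion
    public void setXML(OMElement oMElement) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setXML");
        }
        this.xml = oMElement;
    }

    /**
     * Builds the ds:KeyInfo element for the holder-of-key confirmation and caches it.
     *
     * @param oMElement optional parent whose OMFactory is used; when null the default factory is used
     *                  and the dsig namespace is declared on the new element
     * @return the KeyInfo element (the cached one if already built)
     * @throws SoapSecurityException if request data is missing, the symmetric path has no encrypted
     *                               key, or building the public-key content fails
     */
    @Override // com.ibm.ws.wssecurity.saml.common.SAMLObjectElement
    public OMElement marshal(OMElement oMElement) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "marshal");
        }
        if (this.xml != null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "marshal");
            }
            return this.xml;
        }
        OMElement keyInfo;
        if (oMElement == null) {
            keyInfo = omFactory.createOMElement("KeyInfo", DSIG_NS, "ds");
            keyInfo.declareNamespace(DSIG_NS, "ds");
        } else {
            keyInfo = oMElement.getOMFactory().createOMElement("KeyInfo", DSIG_NS, "ds");
        }
        if (this.requestData == null) {
            throw new SoapSecurityException(clsName + ".requestData: " + ((Object) null));
        }
        String keyType = requestedKeyType();
        if (KEYTYPE_SYMMETRIC.equals(keyType)) {
            if (this.encryptedKey == null) {
                throw new SoapSecurityException(clsName + ".encryptedKey: " + ((Object) null));
            }
            keyInfo.addChild(this.encryptedKey.getEncryptedKeyElement());
        } else if (KEYTYPE_PUBLIC.equals(keyType)) {
            try {
                keyInfo.addChild(KeyInfoUtil.createKeyInfoContent(this.requestData.getHolderOfKeyKeyInfoType(), this.key, this.keyInformation, null));
            } catch (Exception e) {
                Tr.processException(e, clsName + ".marshal", "322", this);
                throw new SoapSecurityException(e.getMessage(), e);
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "no proof key generated for Keyless Assertion.");
        }
        this.xml = keyInfo;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "marshal");
        }
        return keyInfo;
    }

    /**
     * Recovers the proof key from an incoming ds:KeyInfo element on the consuming side.
     * Recognised children are KeyValue, X509Data, EncryptedKey and BinarySecret; any other child is skipped.
     * Does nothing beyond caching the element when no consumer configuration is present.
     *
     * @param oMElement the ds:KeyInfo element
     * @throws SoapSecurityException if a key cannot be built, or an unencrypted key is not allowed
     * @throws RuntimeException      if an EncryptedKey cannot be decrypted or a BinarySecret cannot be decoded
     */
    @Override // com.ibm.ws.wssecurity.saml.common.SAMLObjectElement
    public void unMarshal(OMElement oMElement) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "unMarshal");
        }
        this.xml = oMElement;
        if (this.assertionConsumingCfg == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "unMarshal");
            }
            return;
        }
        // A for-loop guarantees that every child, including an unrecognised one, advances to the
        // next sibling; a `continue` that skips the advance would otherwise loop forever.
        for (OMNode node = DOMUtil.getFirstChild2(oMElement); node != null; node = DOMUtil.getNextSibling2(node)) {
            if (node.getType() != OMNode.ELEMENT_NODE) {
                continue;
            }
            OMElement child = (OMElement) node;
            String localName = child.getLocalName();
            if ("KeyValue".equals(localName)) {
                consumeKeyValue(child);
            } else if ("X509Data".equals(localName)) {
                consumeX509Data(child);
            } else if ("EncryptedKey".equals(localName)) {
                consumeEncryptedKey(child);
            } else if ("BinarySecret".equals(localName)) {
                consumeBinarySecret(child);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "unMarshal");
        }
    }

    /** Builds the public key from a ds:KeyValue child; clears any private key. */
    private void consumeKeyValue(OMElement keyValue) throws SoapSecurityException {
        try {
            this.key = ProcessKey.createKey(keyValue);
            this.privatekey = null;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".unMarshal", "362", this);
            throw new SoapSecurityException(e.getMessage(), e);
        }
    }

    /** Resolves the public key for each ds:X509Certificate under a ds:X509Data child via the key store. */
    private void consumeX509Data(OMElement x509Data) throws SoapSecurityException {
        this.privatekey = null;
        try {
            for (OMNode node = DOMUtil.getFirstChild2(x509Data); node != null; node = DOMUtil.getNextSibling2(node)) {
                if (node.getType() != OMNode.ELEMENT_NODE) {
                    continue;
                }
                OMElement certElement = (OMElement) node;
                if (!KeyInfoUtil.isDsigElement(certElement) || !KeyInfoUtil.isDsigElement(certElement, "X509Certificate")) {
                    continue;
                }
                // NOTE(review): the Base64 text is read from the enclosing X509Data element rather than
                // from this X509Certificate child; kept as-is, but confirm the intended behaviour when
                // X509Data carries more than one child element.
                byte[] der = Base64.decode(DOMUtil.getStringValue(x509Data));
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
                // The key is taken from the key store's information for this certificate, not from the
                // certificate bytes directly.
                this.key = KeyStoreManager.getInstance().getKeyInformation(cert).getPublicOrSecretKey();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Holder-of-key for " + cert.getSubjectDN().getName());
                }
            }
        } catch (Exception e) {
            Tr.processException(e, clsName + ".unMarshal", "392", this);
            throw new SoapSecurityException(e.getMessage(), e);
        }
    }

    /** Decrypts an xenc:EncryptedKey child into the shared secret key. */
    private void consumeEncryptedKey(OMElement encryptedKeyElement) {
        try {
            this.key = EncryptedKeyConsume.decryptEncryptedKey(encryptedKeyElement, this.assertionConsumingCfg);
            this.symmetricProofKey = this.key.getEncoded();
            this.privatekey = this.key;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".unMarshal", "406", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to decrypt EncryptedKey:" + e.getMessage());
            }
            // Deliberately generic, cause-less message: the decryption failure detail stays in the trace only.
            throw new RuntimeException("Fail to decrypt EncryptedKey");
        }
    }

    /**
     * Decodes a wst:BinarySecret child into an AES secret key.
     * Rejected unless the consumer configuration allows an unencrypted holder-of-key key.
     */
    private void consumeBinarySecret(OMElement binarySecret) throws SoapSecurityException {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Process BinarySecret");
        }
        if (!this.assertionConsumingCfg.getAllowUnencKey()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The key is not encrypted, but the current configuration specifies to not allow a Holder of Key token with an unencrypted key.  The token is being rejected.");
            }
            throw new SoapSecurityException("Unencrypted key in Holder of Key is not allowed");
        }
        try {
            String encoded = binarySecret.getText();
            // Trace only the length: the text is the proof key itself and must not be written to the log.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Encoded key length: [" + (encoded == null ? 0 : encoded.length()) + "]");
            }
            this.symmetricProofKey = Base64.decode(encoded);
            this.privatekey = SecretKeyFactory.getInstance("AES", "IBMJCE").generateSecret(new AESKeySpec(this.symmetricProofKey));
            this.key = this.privatekey;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Private key has been obtained from the encoded key.");
            }
        } catch (Exception e) {
            Tr.processException(e, clsName + ".unMarshal", "442", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to decode BinarySecret:" + e.getMessage());
            }
            throw new RuntimeException("Fail to decode BinarySecret");
        }
    }

    /** Entry point of the SAMLObjectElement contract; delegates to {@link #createHok()}. */
    @Override // com.ibm.ws.wssecurity.saml.common.SAMLObjectElement
    public void create() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "create");
        }
        createHok();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "create");
        }
    }

    /** Performs no checks: always reports the element as valid. */
    @Override // com.ibm.ws.wssecurity.saml.common.SAMLObjectElement
    public boolean validate() throws SoapSecurityException {
        return true;
    }

    /**
     * Tests whether {@code cls}, one of its superclasses, or one of its (transitively implemented)
     * interfaces has the fully qualified name {@code str}.
     *
     * @return false for a null class
     */
    private static boolean matchClass(Class cls, String str) {
        if (tc.isEntryEnabled()) {
            // cls.getName(), not cls.getClass().getName(): the latter is always "java.lang.Class".
            Tr.entry(tc, "matchClass (Class [" + (cls == null ? AppConstants.NULL_STRING : cls.getName()) + "], className [" + str + "])");
        }
        boolean matched = false;
        if (cls != null) {
            if (cls.getName().equals(str)) {
                matched = true;
            } else {
                Class superclass = cls.getSuperclass();
                if (superclass != null && matchClass(superclass, str)) {
                    matched = true;
                } else {
                    for (Class<?> iface : cls.getInterfaces()) {
                        if (matchClass(iface, str)) {
                            matched = true;
                            break;
                        }
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "matchClass returns [" + matched + "]");
        }
        return matched;
    }

    /** Name-based instanceof: true if {@code obj}'s class hierarchy contains a type named {@code str}. */
    private static boolean instanceOf(Object obj, String str) {
        return matchClass(obj.getClass(), str);
    }

    /**
     * Base64-encodes the magnitude of a BigInteger without leading sign-padding zero bytes.
     * At least one byte is always kept, so BigInteger.ZERO (encoded as a single 0x00) does not
     * run the scan off the end of the array.
     */
    private static String encodeBigInteger(BigInteger bigInteger) {
        byte[] bytes = bigInteger.toByteArray();
        int offset = 0;
        while (offset < bytes.length - 1 && bytes[offset] == 0) {
            offset++;
        }
        return Base64.encode(bytes, offset, bytes.length - offset);
    }
}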
