package com.ibm.security.krb5.wss.soap;

import com.ibm.crypto.provider.AESKeySpec;
import com.ibm.crypto.provider.RC4KeySpec;
import com.ibm.misc.HexDumpEncoder;
import com.ibm.security.jgss.Debug;
import com.ibm.security.krb5.EncryptedData;
import com.ibm.security.krb5.wss.KerberosTokenConfig;
import com.ibm.security.krb5.wss.KerberosTokenGenerator;
import com.ibm.security.krb5.wss.soap.util.SoapPing;
import com.ibm.security.krb5.wss.util.BinarySecurityToken;
import com.ibm.security.krb5.wss.util.ElementLocalNames;
import com.ibm.security.krb5.wss.util.EncServices;
import com.ibm.security.krb5.wss.util.EncodingTypes;
import com.ibm.security.krb5.wss.util.LocalConstants;
import com.ibm.security.krb5.wss.util.MiscUtils;
import com.ibm.security.krb5.wss.util.Programmable;
import com.ibm.security.krb5.wss.util.RecursiveIDResolver;
import com.ibm.security.krb5.wss.util.Reference;
import com.ibm.security.krb5.wss.util.SecurityTokenReference;
import com.ibm.security.krb5.wss.util.TemplateTool;
import com.ibm.security.krb5.wss.util.TokenTypes;
import com.ibm.security.krb5.wss.util.XMLUtil;
import com.ibm.ws.wssecurity.util.KRBTokenProfileConstants;
import com.ibm.ws.wssecurity.xss4j.dsig.SignatureContext;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/security/krb5/wss/soap/KerberosSoapClient.class */
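/**
 * Client side of a Kerberos-secured SOAP "ping" exchange.
 *
 * <p>A request is built by {@link #buildAPREQDoc()} or {@link #buildGSSDoc()}: a Kerberos token is
 * obtained from {@link KerberosTokenGenerator}, placed in a {@code wsse:BinarySecurityToken}, and the
 * timestamp and body are signed with HMAC-SHA1 keyed by the Kerberos sub-session key. The same
 * sub-session key is kept on the instance and used by {@link #getReply(Document)} to decrypt the
 * response body and verify the response signature.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The client password is read from {@code props} as a {@code String} and handed on in a map;
 *       it therefore stays in memory until garbage-collected.</li>
 *   <li>The sub-session key may be a single-DES, 3DES or RC4-HMAC key. Those Kerberos encryption
 *       types are deprecated (RFC 6649, RFC 8429); which ones are offered is decided outside this
 *       class.</li>
 *   <li>Debug level 5 writes the whole SOAP document, including the Kerberos token, to the debug
 *       channel.</li>
 * </ul>
 *
 * <p>Instances hold per-exchange state ({@code localSubKey}, {@code encType}, {@code rfc}) and use no
 * synchronization.
 */
public class KerberosSoapClient extends Programmable implements LocalConstants {
    public static final int WRAPPED = 1;
    public static final int NOT_WRAPPED = 2;
    public static final int RFC_NEEDED = 1;
    public static final String MESSAGE = "message";
    public static final String CLIENTNAME = "clientname";
    public static final String REALMNAME = "realmname";
    public static final String PASSWORD = "password";
    public static final String SERVICENAME = "servicename";
    public static final String LOGINCONF = "loginConfig";
    public static final String APPEND_RFC = "appendRFC";
    private static final String debugPrefix = "KerberosSoapClient: ";

    private static final String NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    private static final String NS_XMLNS = "http://www.w3.org/2000/xmlns/";
    private static final String NS_WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String NS_WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String KRB5_APREQ_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1";

    // Kerberos sub-session key of the last request built; null until a build method succeeds.
    private byte[] localSubKey;
    // Name of the step in progress; used as the message when a failure carries none.
    private String phaseMessage;
    // Set once APPEND_RFC == RFC_NEEDED has been seen; never cleared afterwards.
    private boolean rfc;
    private Debug debug;
    // No longer used for key dumps (see requestorSideDecryptResponseMessage); kept for compatibility.
    private HexDumpEncoder encoder;
    // Kerberos encryption type number of the sub-session key.
    private int encType;

    /**
     * Holder for the main elements of a generated request.
     *
     * <p>The decompiler widened this class from package-private to public; the constructor and the
     * fields are still package-private.
     */
    public class Response {
        Element rootE;
        Element wsseE;
        Element bodyE;
        Element pingE;

        Response(Element element, Element element2, Element element3, Element element4) {
            this.rootE = element;
            this.wsseE = element2;
            this.bodyE = element3;
            this.pingE = element4;
        }
    }

    /** Creates a client with the default properties of {@link Programmable}. */
    public KerberosSoapClient() {
        super(KerberosSoapClient.class);
        this.localSubKey = null;
        this.phaseMessage = "";
        this.debug = new Debug();
        this.encoder = new HexDumpEncoder();
    }

    /**
     * Creates a client configured from {@code map}.
     *
     * @param map properties passed to {@link Programmable}; the build methods read the keys named by
     *     the {@code String} constants of this class
     */
    public KerberosSoapClient(Map map) {
        super(KerberosSoapClient.class, map);
        this.localSubKey = null;
        this.phaseMessage = "";
        this.debug = new Debug();
        this.encoder = new HexDumpEncoder();
    }

    /**
     * Builds a signed SOAP request that carries a bare Kerberos AP-REQ token.
     *
     * @return the new request document
     * @throws RuntimeException if any step fails; the message is the failing phase when the
     *     underlying exception has none
     */
    public Document buildAPREQDoc() {
        return buildDoc(NOT_WRAPPED, KerberosTokenConfig.CONTEXT_APREQ_TOKEN, false);
    }

    /**
     * Builds a signed SOAP request that carries a GSS-wrapped Kerberos AP-REQ token.
     *
     * @return the new request document
     * @throws RuntimeException if any step fails; the message is the failing phase when the
     *     underlying exception has none
     */
    public Document buildGSSDoc() {
        return buildDoc(WRAPPED, KerberosTokenConfig.CONTEXT_GSS_TOKEN, true);
    }

    /**
     * Decrypts the response body, verifies the response signature and returns the ping text.
     *
     * <p>Decryption runs before signature verification, so {@code EncServices.decryptContent}
     * processes content that has not been authenticated yet.
     *
     * @param document the response received for the last request built by this instance
     * @return the text of the first {@code PingResponse} element
     * @throws Exception if the key cannot be built, decryption fails or the signature is invalid
     */
    public String getReply(Document document) throws Exception {
        if (this.localSubKey == null) {
            // Fail with a clear message instead of passing a null key to the crypto provider.
            throw new RuntimeException("no sub-session key: build a request before reading a reply");
        }
        requestorSideDecryptResponseMessage(document, this.localSubKey);
        Element security = (Element) document.getElementsByTagNameNS(NS_WSSE, "Security").item(0);
        if (security == null) {
            // An unsigned response must be rejected explicitly, not by an incidental NPE.
            throw new RuntimeException("no wsse:Security header in response");
        }
        requestorSideVerifySignatureOnResponseMessage(document, security, this.localSubKey);
        return requestorSideReturnPingResponse(document);
    }

    /**
     * Shared implementation of {@link #buildAPREQDoc()} and {@link #buildGSSDoc()}.
     *
     * @param wrapMode value stored under "wrapped" for the token generator
     * @param tokenKey key under which the generator returns the token bytes
     * @param gssToken true when the token is the GSS-wrapped form
     */
    private Document buildDoc(int wrapMode, Object tokenKey, boolean gssToken) {
        try {
            this.phaseMessage = "getting new Document";
            Document doc = XMLUtil.newDocument();
            this.phaseMessage = "getting LoginContext";
            // Raw maps are kept on purpose: the generator's parameter types are not visible here.
            HashMap config = new HashMap();
            config.put(KerberosTokenConfig.CLIENT_REALM_NAME, (String) this.props.get(REALMNAME));
            config.put("serviceName", (String) this.props.get(SERVICENAME));
            config.put(KerberosTokenConfig.CLIENT_NAME, (String) this.props.get(CLIENTNAME));
            config.put(KerberosTokenConfig.CLIENTPASSWORD, (String) this.props.get(PASSWORD));
            config.put(KerberosTokenConfig.CLIENTLOGINCONF, (String) this.props.get(LOGINCONF));
            config.put("wrapped", Integer.valueOf(wrapMode));
            Integer appendRfc = (Integer) this.props.get(APPEND_RFC);
            if (appendRfc != null && appendRfc.intValue() == RFC_NEEDED) {
                this.rfc = true;
            }
            KerberosTokenGenerator generator = new KerberosTokenGenerator();
            generator.init(config);
            HashMap context = new HashMap();
            generator.invoke(context);
            byte[] subKey = (byte[]) context.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
            Integer subKeyEncType = (Integer) context.get(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC);
            if (subKey == null || subKeyEncType == null) {
                // Without this the failure would surface later as an NPE with no useful message.
                throw new RuntimeException("Kerberos token generator returned no sub-session key");
            }
            this.localSubKey = subKey;
            this.encType = subKeyEncType.intValue();
            genSoapParts(doc, (String) this.props.get(MESSAGE), this.localSubKey, (byte[]) context.get(tokenKey), gssToken);
            return doc;
        } catch (RuntimeException e) {
            if (e.getMessage() != null) {
                throw e;
            }
            throw new RuntimeException(this.phaseMessage, e);
        } catch (Exception e) {
            // The cause is chained, so the stack trace is not printed to stderr here.
            throw new RuntimeException(this.phaseMessage, e);
        }
    }

    /**
     * Turns the Kerberos sub-session key bytes into a JCE key for the current {@code encType}.
     *
     * <p>Encryption type numbers follow the Kerberos registry: 16 is des3-cbc-sha1-kd, 17 and 18 are
     * the AES128/AES256 cts-hmac-sha1-96 types. RC4-HMAC and single DES are recognised through
     * {@link EncryptedData}.
     *
     * @throws RuntimeException if the encryption type is none of the above
     * @throws Exception if the IBMJCE provider rejects the algorithm or the key bytes
     */
    private SecretKey toSecretKey(byte[] keyBytes) throws Exception {
        if (EncryptedData.isRc4HMacEncType(this.encType)) {
            return SecretKeyFactory.getInstance("RC4", "IBMJCE").generateSecret(new RC4KeySpec(keyBytes));
        }
        if (this.encType == 16) {
            return SecretKeyFactory.getInstance("DESede", "IBMJCE").generateSecret(new SecretKeySpec(keyBytes, "DESede"));
        }
        if (this.encType == 17 || this.encType == 18) {
            return SecretKeyFactory.getInstance("AES", "IBMJCE").generateSecret(new AESKeySpec(keyBytes));
        }
        if (!EncryptedData.isDesEncType(this.encType)) {
            throw new RuntimeException("Unsupported Encryption Type for the Subsession Key");
        }
        return SecretKeyFactory.getInstance("DES", "IBMJCE").generateSecret(new SecretKeySpec(keyBytes, "DES"));
    }

    /**
     * Fills {@code document} with the SOAP envelope, security header, token, body and signature.
     *
     * @param document empty document to populate
     * @param message text of the ping request
     * @param subKey Kerberos sub-session key bytes used as the HMAC key
     * @param token Kerberos token bytes to embed, base64-encoded, in the BinarySecurityToken
     * @param gssToken true when {@code token} is the GSS-wrapped form
     * @return the envelope, security header, body and ping elements
     * @throws RuntimeException wrapping any failure while signing
     */
    private Response genSoapParts(Document document, String message, byte[] subKey, byte[] token, boolean gssToken) {
        Element envelope = document.createElementNS(NS_SOAP, "Envelope");
        envelope.setPrefix("soap");
        envelope.setAttributeNS(NS_XMLNS, "xmlns:soap", NS_SOAP);
        envelope.setAttributeNS(NS_XMLNS, "xmlns:xsd", "http://www.w3.org/2001/XMLSchema");
        envelope.setAttributeNS(NS_XMLNS, "xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance");
        envelope.setAttributeNS(NS_XMLNS, "xmlns:wsu", NS_WSU);
        document.appendChild(envelope);

        Element header = document.createElementNS(NS_SOAP, "Header");
        header.setPrefix("soap");
        envelope.appendChild(header);

        Element security = document.createElementNS(NS_WSSE, "Security");
        security.setPrefix("wsse");
        security.setAttributeNS(NS_XMLNS, "xmlns:wsse", NS_WSSE);
        security.setAttributeNS(NS_SOAP, "soap:mustUnderstand", "1");
        header.appendChild(security);

        // NOTE(review): Timestamp and Created carry the "wsu" prefix but are created in the secext
        // namespace, not the utility namespace. Left as found because it affects the signed bytes.
        Element timestamp = document.createElementNS(NS_WSSE, ElementLocalNames.WSU_TIMESTAMP);
        timestamp.setPrefix("wsu");
        timestamp.setAttributeNS(NS_WSU, KRBTokenProfileConstants.STR_WSU_ID, "timestamp");
        Element created = document.createElementNS(NS_WSSE, "Created");
        created.setPrefix("wsu");
        created.appendChild(document.createTextNode(MiscUtils.makeDateTime()));
        timestamp.appendChild(created);
        security.appendChild(timestamp);

        // NOTE(review): the decompiled condition tested encType == 17 twice. The second test was
        // possibly meant to be 18 (AES256); confirm against the original source. Behaviour is kept
        // as decompiled because it selects the ValueType sent on the wire.
        boolean rfc4120 = this.rfc && this.encType == 17;
        BinarySecurityToken bst = new BinarySecurityToken();
        if (gssToken) {
            if (rfc4120) {
                bst.put("ValueType", TokenTypes.KRB5_GSSAPREQ_4120);
            } else if (this.rfc) {
                bst.put("ValueType", TokenTypes.KRB5_GSSAPREQ_1510);
            } else {
                bst.put("ValueType", "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ");
            }
        } else if (rfc4120) {
            bst.put("ValueType", TokenTypes.KRB5_APREQ_4120);
        } else if (this.rfc) {
            bst.put("ValueType", TokenTypes.KRB5_APREQ_1510);
        } else {
            bst.put("ValueType", TokenTypes.KRB5_APREQ);
        }
        bst.put("EncodingType", EncodingTypes.B64BINARY);
        bst.put("id", "token");
        bst.put(BinarySecurityToken.BYTEARRAY, token);
        security.appendChild(bst.toDom(document));

        Element body = document.createElementNS(NS_SOAP, "Body");
        body.setPrefix("soap");
        body.setAttributeNS(NS_WSU, KRBTokenProfileConstants.STR_WSU_ID, "body");
        Element ping = SoapPing.makePingElement(document, message);
        body.appendChild(ping);
        envelope.appendChild(body);

        try {
            // The signature covers the elements with wsu:Id "timestamp" and "body".
            Element signature = TemplateTool.genSignatureElem(document, new String[]{"timestamp", "body"}, "http://www.w3.org/2000/09/xmldsig#hmac-sha1", false);
            security.appendChild(signature);
            Reference tokenRef = new Reference();
            // Both token forms used the same reference ValueType in the decompiled code.
            tokenRef.put("ValueType", KRB5_APREQ_SHA1);
            tokenRef.put("URI", "#token");
            SecurityTokenReference str = new SecurityTokenReference();
            str.put("reference", tokenRef);
            signature.appendChild(TemplateTool.genKeyInfoElem(document, str.toDom(document), false));
            SignatureContext signer = new SignatureContext();
            signer.setIDResolver(new RecursiveIDResolver());
            this.phaseMessage = "sign the doc";
            this.debug.out(5, debugPrefix + XMLUtil.getStringUnchanged(document));
            signer.sign(signature, toSecretKey(subKey));
            return new Response(envelope, security, body, ping);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Decrypts the first element child of the response {@code soap:Body} in place.
     *
     * <p>NOTE(review): the key is always built as an AES key, whatever {@code encType} is, unlike
     * the signing and verification paths. Confirm this is intended for non-AES sub-session keys.
     *
     * @throws RuntimeException if the response has no body or the body has no element child
     * @throws Exception if the key cannot be built or decryption fails
     */
    private void requestorSideDecryptResponseMessage(Document document, byte[] keyBytes) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("AES", "IBMJCE").generateSecret(new AESKeySpec(keyBytes));
        // The key bytes used to be hex-dumped here. Key material must not reach logs, so only the
        // algorithm name is reported.
        this.debug.out(5, "KerberosSoapClient: OutputKey:  <redacted> (" + key.getAlgorithm() + ")");
        this.debug.out(5, "KerberosSoapClient: The XML Soap DOC =\n" + XMLUtil.getStringUnchanged(document));
        Node body = document.getElementsByTagNameNS(NS_SOAP, "Body").item(0);
        if (body == null) {
            throw new RuntimeException("no soap:Body in response");
        }
        for (Node child = body.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child instanceof Element) {
                EncServices.decryptContent(document, key, (Element) child);
                return;
            }
        }
        // The original loop ran off the end of the sibling list and failed with an NPE.
        throw new RuntimeException("soap:Body has no element to decrypt");
    }

    /**
     * Verifies the first {@code ds:Signature} under {@code element} with the sub-session key.
     *
     * <p>NOTE(review): only core validity of that one signature is checked. Nothing here confirms
     * that its references cover the {@code soap:Body} or the {@code PingResponse} element that
     * {@link #requestorSideReturnPingResponse(Document)} reads afterwards. Confirm that the
     * reference and ID checks happen elsewhere, or add them, so a validly signed element cannot be
     * accompanied by unsigned content that is read instead.
     *
     * @param element the {@code wsse:Security} header of the response
     * @throws RuntimeException if there is no signature, the encryption type is unsupported or
     *     validation fails
     * @throws Exception if the key cannot be built or verification cannot run
     */
    private void requestorSideVerifySignatureOnResponseMessage(Document document, Element element, byte[] keyBytes) throws Exception {
        SignatureContext verifier = new SignatureContext();
        verifier.setIDResolver(new RecursiveIDResolver());
        this.phaseMessage = "verify the signature";
        this.debug.out(5, debugPrefix + XMLUtil.getStringUnchanged(document));
        Element signature = (Element) element.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature").item(0);
        if (signature == null) {
            // Fail closed: a response without a signature is never accepted.
            throw new RuntimeException("no ds:Signature in wsse:Security header");
        }
        SecretKey key = toSecretKey(keyBytes);
        if (!verifier.verify(signature, key).getCoreValidity()) {
            throw new RuntimeException("sig validation failed");
        }
    }

    /**
     * Returns the text of the first {@code PingResponse} element found anywhere in the document.
     */
    private String requestorSideReturnPingResponse(Document document) {
        this.phaseMessage = "building echo response";
        Element pingResponse = (Element) document.getElementsByTagNameNS(LocalConstants.PING, "PingResponse").item(0);
        return XMLUtil.getElementText(pingResponse, true);
    }
}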
