package org.apache.ws.security.processor;

import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import java.io.IOException;
import java.security.Key;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.Vector;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.KerberosTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSParameterCallback;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.kerberos.KrbSession;
import org.apache.ws.security.kerberos.KrbSessionCache;
import org.apache.ws.security.kerberos.KrbTicketDecoder;
import org.apache.ws.security.message.CredentialsCallbackHandler;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.ws.security.message.WSSecKerberosToken;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.opensaml.security.crypto.JCAConstants;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/wss4j-1.5.11-wso2v18.jar:org/apache/ws/security/processor/KerberosTokenProcessor.class */
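/**
 * Processes a WS-Security Kerberos binary security token (a GSS-API
 * Kerberos v5 AP-REQ) on the service side.
 *
 * <p>Processing accepts the AP-REQ through the JGSS acceptor under the
 * service's JAAS {@code Subject}, derives the session key, caches it in
 * {@link KrbSessionCache} and attaches it to a {@link KerberosTokenPrincipal}.
 * The same principal can later be used by {@link #verifyXMLSignature} to
 * check a signature that references the token through a
 * {@code SecurityTokenReference}.
 *
 * <p>Error mapping: failures while accepting the context surface as
 * {@link WSSecurityException} with error code 3 and one of the message ids
 * {@code kerberosAcceptCtxFailed} (runtime failure), {@code kerberosLoginFailed}
 * (JAAS login) or {@code kerberosSTCreateFailed} (any other checked failure,
 * GSS-API included). Signature failures surface with error code 6.
 *
 * <p>Not thread-safe: accepting a context writes {@code subject}, {@code key}
 * and {@code gssContext}, so one instance must handle one token at a time.
 *
 * <p>This class was reconstructed from decompiled bytecode; the numeric action
 * and error codes below are kept as the decompiler produced them.
 */
public class KerberosTokenProcessor implements Processor {
    private static final Log log = LogFactory.getLog(KerberosTokenProcessor.class);

    /** Key under which a WSSecurityEngineResult stores its action code. */
    private static final String ACTION_KEY = "action";

    /**
     * Action codes of earlier results whose Kerberos principal this processor
     * reuses instead of accepting the token again. Recovered as literals
     * (5632, 4608, 5120) from the decompiled class; the symbolic WSConstants
     * names were not recoverable.
     */
    private static final int[] REUSABLE_KERBEROS_ACTIONS = {5632, 4608, 5120};

    private static final String WSU_NS =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String WSSE_NS =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Only GSS-wrapped AP-REQ tokens are accepted; other value types are rejected. */
    private static final String GSS_AP_REQ_VALUE_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";

    // wsu:Id of the token element handled by the last handleToken() call
    private String tokenId;
    // service Subject obtained by the JAAS login in authenticate()
    private Subject subject;
    // principal produced by this processor or found in earlier results
    private KerberosTokenPrincipal lastPrincipalFound;
    // session key obtained from the accepted GSS context, when the JDK exposes it
    private SecretKey key;
    GSSContext gssContext = null;

    /**
     * Creates a processor that reuses the Kerberos principal of an earlier
     * result in {@code vector}, if one of the recognised actions is present.
     *
     * @param vector results produced so far for the current message
     */
    public KerberosTokenProcessor(Vector vector) {
        WSSecurityEngineResult earlier = findReusableKerberosResult(vector);
        if (earlier != null) {
            this.lastPrincipalFound =
                    (KerberosTokenPrincipal) earlier.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        }
    }

    /**
     * Handles a Kerberos binary security token element.
     *
     * <p>NOTE(review): when an earlier result already carries a Kerberos
     * principal, this token element is NOT validated; the new result is
     * attributed to that earlier principal. This matches the original
     * behaviour — confirm it can only be reached for the same AP-REQ (e.g. a
     * sign + encrypt pair sharing one token), not for a second, unrelated
     * token in the same header.
     *
     * @param element the wsse:BinarySecurityToken element
     * @param vector results vector; a KERBEROS result is inserted at index 0
     * @throws WSSecurityException if the token cannot be accepted
     */
    @Override
    public void handleToken(Element element, Crypto crypto, Crypto crypto2, CallbackHandler callbackHandler,
            WSDocInfo wSDocInfo, Vector vector, WSSConfig wSSConfig) throws WSSecurityException {
        X509Certificate[] returnCert = new X509Certificate[1];
        Set signedElements = new HashSet();
        Set protectedElements = new TreeSet();
        // decompiler emitted "?? r0 = new byte[1]"; the callee signature fixes the type
        byte[][] signatureValue = new byte[1][];
        this.tokenId = element.getAttributeNS(WSU_NS, "Id");

        WSSecurityEngineResult earlier = findReusableKerberosResult(vector);
        KerberosTokenPrincipal principal =
                earlier == null ? null : (KerberosTokenPrincipal) earlier.getPrincipal();

        // the doc-info store is only cleaned up by us if we were the ones to register it
        boolean stored = WSDocInfoStore.store(wSDocInfo);
        try {
            if (principal == null) {
                principal = validateToken(element, crypto, returnCert, signedElements, protectedElements,
                        signatureValue, callbackHandler);
            }
        } finally {
            if (stored) {
                WSDocInfoStore.delete(wSDocInfo);
            }
        }
        this.lastPrincipalFound = principal;
        vector.add(0, new WSSecurityEngineResult(WSConstants.KERBEROS, principal, (X509Certificate) null,
                signedElements, protectedElements, (byte[]) null));
    }

    /**
     * Accepts the AP-REQ carried by {@code element} and builds the principal.
     * The certificate and element-set parameters are not populated here.
     *
     * @return the authenticated client principal with its session key attached
     * @throws WSSecurityException with code 3 on any accept/login failure, or
     *     {@code nullSecretKey} if no session key could be obtained
     */
    protected KerberosTokenPrincipal validateToken(Element element, Crypto crypto, X509Certificate[] x509CertificateArr,
            Set set, Set set2, byte[][] bArr, CallbackHandler callbackHandler) throws WSSecurityException {
        try {
            return acceptAndBuildPrincipal(element, callbackHandler);
        } catch (WSSecurityException e) {
            // already carries the intended error code/message id; do not re-wrap
            throw e;
        } catch (Exception e) {
            throw wrapFailure(e);
        }
    }

    /**
     * Verifies an XML signature whose KeyInfo references a Kerberos token
     * through a SecurityTokenReference.
     *
     * <p>If this processor has already established a principal, its session
     * key is reused and {@code null} is returned (as in the original code);
     * otherwise the referenced token is accepted first and the new principal
     * is returned.
     *
     * @param element the ds:Signature element
     * @param set receives the signed References (no URI) or the referenced wsu:Ids
     * @param bArr element 0 receives the signature value
     * @return the newly established principal, or {@code null} when an
     *     existing principal's key was reused
     * @throws WSSecurityException code 6 on a failed check, code 3 on a
     *     failure to accept the token, code 4 on an unsupported token type
     */
    public Principal verifyXMLSignature(Element element, Crypto crypto, X509Certificate[] x509CertificateArr,
            Set set, List list, byte[][] bArr, CallbackHandler callbackHandler) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("KerberosTokenProcessor.verifyXMLSignature invoked");
        }
        XMLSignature signature;
        Element tokenElement;
        try {
            signature = new XMLSignature(element, null);
            signature.addResourceResolver(EnvelopeIdResolver.getInstance());
            tokenElement = resolveBinaryToken(signature, element, callbackHandler);
        } catch (XMLSecurityException e) {
            log.error("Fail to build the XMLSignature");
            throw new WSSecurityException(6, "noXMLSig");
        }

        KerberosTokenPrincipal principal = null;
        SecretKey secretKey;
        try {
            if (this.lastPrincipalFound == null) {
                principal = acceptAndBuildPrincipal(tokenElement, callbackHandler);
                secretKey = principal.getSecretKey();
            } else {
                secretKey = this.lastPrincipalFound.getSecretKey();
            }
        } catch (WSSecurityException e) {
            throw e;
        } catch (Exception e) {
            throw wrapFailure(e);
        }
        if (secretKey == null) {
            throw new WSSecurityException(6);
        }
        verifySignature(signature, secretKey, element, set, bArr);
        return principal;
    }

    /**
     * Locates the binary security token referenced from the signature's KeyInfo.
     *
     * @throws WSSecurityException code 3 if the KeyInfo/STR is missing or has no
     *     reference, code 4 if the referenced element is not a BinarySecurityToken
     */
    private static Element resolveBinaryToken(XMLSignature signature, Element signatureElement,
            CallbackHandler callbackHandler) throws WSSecurityException {
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            throw new WSSecurityException(3, "unsupportedKeyInfo");
        }
        Node strNode = WSSecurityUtil.getDirectChild(keyInfo.getElement(), "SecurityTokenReference", WSSE_NS);
        if (strNode == null) {
            throw new WSSecurityException(3, "unsupportedKeyInfo");
        }
        SecurityTokenReference str = new SecurityTokenReference((Element) strNode);
        WSDocInfo docInfo = WSDocInfoStore.lookup(signatureElement.getOwnerDocument());
        if (!str.containsReference()) {
            throw new WSSecurityException(3, "unsupportedKeyInfo", new Object[]{strNode.toString()});
        }
        Element tokenElement = str.getTokenElement(signatureElement.getOwnerDocument(), docInfo, callbackHandler);
        QName tokenName = new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName());
        if (!tokenName.equals(WSSecurityEngine.binaryToken)) {
            throw new WSSecurityException(4, "unsupportedKeyInfo", new Object[]{tokenName.getNamespaceURI()});
        }
        return tokenElement;
    }

    /**
     * Checks the signature value with the Kerberos session key and records
     * what was signed. Every failure maps to error code 6 (FAILED_CHECK).
     */
    private static void verifySignature(XMLSignature signature, SecretKey secretKey, Element element, Set set,
            byte[][] bArr) throws WSSecurityException {
        try {
            if (!signature.checkSignatureValue(secretKey)) {
                throw new WSSecurityException(6);
            }
            bArr[0] = signature.getSignatureValue();
            SignedInfo signedInfo = signature.getSignedInfo();
            int referenceCount = signedInfo.getLength();
            for (int i = 0; i < referenceCount; i++) {
                Reference reference = signedInfo.item(i);
                String uri = reference.getURI();
                if (uri == null || "".equals(uri)) {
                    set.add(reference);
                    continue;
                }
                // a reference that points at nothing in the document is a failed check,
                // not something to ignore
                Element signedElement = WSSecurityUtil.getElementByWsuId(element.getOwnerDocument(), uri);
                if (signedElement == null) {
                    signedElement = WSSecurityUtil.getElementByGenId(element.getOwnerDocument(), uri);
                }
                if (signedElement == null) {
                    throw new WSSecurityException(6);
                }
                set.add(WSSecurityUtil.getIDfromReference(uri));
            }
        } catch (XMLSecurityException e) {
            // covers XMLSignatureException from the value check as well
            throw new WSSecurityException(6);
        }
    }

    /**
     * Logs in, accepts the AP-REQ in {@code tokenElement}, caches the session
     * and returns the principal. Shared by validateToken and verifyXMLSignature.
     *
     * @throws WSSecurityException {@code nullSecretKey} when no session key is available
     * @throws LoginException if the JAAS login fails
     * @throws GSSException if the context cannot be accepted or established
     * @throws Exception from {@link #getSessionKey}
     */
    private KerberosTokenPrincipal acceptAndBuildPrincipal(Element tokenElement, CallbackHandler callbackHandler)
            throws Exception {
        authenticate(callbackHandler);
        KerberosSecurity token = createSecurityToken(tokenElement);
        GSSContext context = acceptSecurityContext(token);
        // prefer the key the JDK handed us; fall back to decoding the ticket ourselves
        SecretKey sessionKey = this.key != null ? this.key : getSessionKey(token.getToken());
        if (log.isDebugEnabled()) {
            log.debug("security context accepted with " + context.getSrcName().toString() + ","
                    + context.getSrcName().getStringNameType());
        }
        KerberosTokenPrincipal principal = new KerberosTokenPrincipal(context.getSrcName().toString());
        principal.setTokenElement(tokenElement);
        // checked before getEncoded(): the decompiled verifyXMLSignature path dereferenced it first
        if (sessionKey == null) {
            log.error("null secret key");
            throw new WSSecurityException(3, "nullSecretKey", new Object[]{"null secret key"});
        }
        principal.setSessionKey(sessionKey.getEncoded());
        principal.setSecretKey(sessionKey);
        KrbSession session = new KrbSession(token.getSHA1(), sessionKey);
        session.setClientPrincipalName(context.getSrcName().toString());
        session.setServerPrincipalName(context.getTargName().toString());
        KrbSessionCache.getInstance().addSession(session);
        principal.setClientPrincipalName(session.getClientPrincipalName());
        principal.setServicePrincipalName(session.getServerPrincipalName());
        return principal;
    }

    /**
     * Maps an accept/login failure to the WSSecurityException the original
     * catch clauses produced: RuntimeException → kerberosAcceptCtxFailed,
     * LoginException → kerberosLoginFailed, anything else (GSSException
     * included) → kerberosSTCreateFailed. The original also listed a
     * GSSException clause after the Exception one, which is unreachable.
     */
    private static WSSecurityException wrapFailure(Exception e) {
        log.error(e.getMessage(), e);
        String messageId;
        if (e instanceof RuntimeException) {
            messageId = "kerberosAcceptCtxFailed";
        } else if (e instanceof LoginException) {
            messageId = "kerberosLoginFailed";
        } else {
            messageId = "kerberosSTCreateFailed";
        }
        return new WSSecurityException(3, messageId, new Object[]{e.getMessage()});
    }

    /**
     * Obtains the service credential through the callback handler and logs in
     * via the JAAS entry named {@code Server}, storing the resulting Subject.
     *
     * <p>The password callback is tried first; if it yields nothing, a
     * parameter callback (type 1) is used instead.
     *
     * @throws LoginException if no credential is available, the callbacks
     *     fail, or the JAAS login fails
     */
    private void authenticate(CallbackHandler callbackHandler) throws LoginException {
        WSPasswordCallback[] passwordCallbacks =
                {new WSPasswordCallback(WSSecKerberosToken.KERBEROS_SERVICE_PRINCIPLE_UNKNOWN, 9)};
        WSParameterCallback[] parameterCallbacks = {new WSParameterCallback(1)};
        String credential;
        try {
            callbackHandler.handle(passwordCallbacks);
            String password = passwordCallbacks[0].getPassword();
            if (password == null || "".equals(password)) {
                callbackHandler.handle(parameterCallbacks);
                credential = parameterCallbacks[0].getStringValue();
            } else {
                credential = password;
            }
        } catch (IOException e) {
            throw loginFailure("errorInGettingPasswordForUser", e);
        } catch (UnsupportedCallbackException e) {
            throw loginFailure("errorInGettingPasswordForUser", e);
        }
        if (credential == null) {
            throw new LoginException("noPasswordForUser");
        }
        LoginContext loginContext = new LoginContext("Server", new CredentialsCallbackHandler(credential));
        loginContext.login();
        this.subject = loginContext.getSubject();
    }

    /** Builds a LoginException with the same message as before but keeping the cause. */
    private static LoginException loginFailure(String message, Exception cause) {
        LoginException failure = new LoginException(message);
        failure.initCause(cause);
        return failure;
    }

    /**
     * Wraps the element as a KerberosSecurity token after checking its ValueType.
     *
     * @throws WSSecurityException code 1 if the ValueType is not GSS_Kerberosv5_AP_REQ
     */
    private KerberosSecurity createSecurityToken(Element element) throws WSSecurityException {
        String valueType = new BinarySecurity(element).getValueType();
        if (GSS_AP_REQ_VALUE_TYPE.equals(valueType)) {
            return new KerberosSecurity(element);
        }
        throw new WSSecurityException(1, "unsupportedBinaryTokenType", new Object[]{valueType});
    }

    /**
     * Accepts the AP-REQ under the service Subject and returns the established
     * context, also storing it in {@code gssContext}. When the JDK exposes an
     * ExtendedGSSContext the session key is captured into {@code key}.
     *
     * <p>NOTE(review): the captured key is always labelled
     * {@code JCAConstants.KEY_ALGO_DES} regardless of the ticket's enctype —
     * looks wrong for non-DES tickets; confirm what consumers of
     * {@code getSecretKey()} expect before relying on the algorithm name.
     *
     * @throws GSSException if acceptance fails or leaves the context
     *     unestablished (the original returned such a context and failed
     *     later with a less specific error)
     */
    private GSSContext acceptSecurityContext(final KerberosSecurity kerberosSecurity) throws GSSException {
        final GSSException[] failure = new GSSException[1];
        Subject.doAs(this.subject, new PrivilegedAction<GSSContext>() {
            @Override
            public GSSContext run() {
                try {
                    GSSManager manager = GSSManager.getInstance();
                    // null credential: acceptor credentials come from the Subject we run under
                    GSSContext context = manager.createContext((GSSCredential) null);
                    KerberosTokenProcessor.this.gssContext = context;
                    byte[] apReq = kerberosSecurity.getToken();
                    context.acceptSecContext(apReq, 0, apReq.length);
                    if (context instanceof ExtendedGSSContext) {
                        Key sessionKey = (Key) ((ExtendedGSSContext) context)
                                .inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
                        KerberosTokenProcessor.this.key =
                                new SecretKeySpec(sessionKey.getEncoded(), JCAConstants.KEY_ALGO_DES);
                    }
                    return context;
                } catch (GSSException e) {
                    KerberosTokenProcessor.log.error("Error occurred while accepting securing context", e);
                    failure[0] = e;
                    return null;
                }
            }
        });
        if (failure[0] != null) {
            throw failure[0];
        }
        GSSContext context = this.gssContext;
        // an unestablished context must not yield a principal or a session key
        if (context == null || !context.isEstablished()) {
            throw new GSSException(GSSException.FAILURE, 0,
                    "security context not established after processing the Kerberos token");
        }
        return context;
    }

    /**
     * Decodes the session key from the raw ticket using the service Subject.
     *
     * @param bArr the GSS AP-REQ token bytes
     * @throws Exception propagated from KrbTicketDecoder
     */
    protected SecretKey getSessionKey(byte[] bArr) throws Exception {
        return new KrbTicketDecoder(bArr, this.subject).getSessionKey();
    }

    /** Returns the wsu:Id of the last token handled, or {@code null} before handleToken(). */
    @Override
    public String getId() {
        return this.tokenId;
    }

    /** Returns the principal established by this processor or reused from earlier results. */
    public KerberosTokenPrincipal getLastPrincipalFound() {
        return this.lastPrincipalFound;
    }

    /**
     * Returns the first result in {@code results} whose action is one of
     * {@link #REUSABLE_KERBEROS_ACTIONS}, or {@code null} if none (or if
     * {@code results} is null).
     */
    private static WSSecurityEngineResult findReusableKerberosResult(Vector results) {
        if (results == null) {
            return null;
        }
        for (int i = 0; i < results.size(); i++) {
            WSSecurityEngineResult result = (WSSecurityEngineResult) results.get(i);
            Integer action = (Integer) result.get(ACTION_KEY);
            if (isReusableKerberosAction(action)) {
                return result;
            }
        }
        return null;
    }

    /** True if {@code action} is one of the Kerberos action codes whose principal is reused. */
    private static boolean isReusableKerberosAction(Integer action) {
        if (action == null) {
            return false;
        }
        int code = action.intValue();
        for (int i = 0; i < REUSABLE_KERBEROS_ACTIONS.length; i++) {
            if (REUSABLE_KERBEROS_ACTIONS[i] == code) {
                return true;
            }
        }
        return false;
    }
}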
