package org.apache.cxf.rs.security.xml;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.crypto.Cipher;
import javax.xml.stream.XMLStreamReader;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.SecurityUtils;
import org.apache.cxf.rs.security.common.TrustValidator;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.staxutils.W3CDOMStreamReader;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.class */
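/**
 * Base in-handler that decrypts an XML-Encryption protected payload.
 * <p>
 * The inbound document is expected to carry an {@code xenc:EncryptedKey} (wrapping the
 * symmetric key for the configured recipient certificate) and an encrypted root element.
 * Algorithm allow-listing is driven by the optional {@link EncryptionProperties}: each
 * configured algorithm (key transport, digest, symmetric) is compared against what the
 * sender used, and a mismatch is reported through {@code throwFault}. All failure paths in
 * this class go through {@code throwFault}, which is inherited and expected not to return.
 */
public abstract class AbstractXmlEncInHandler extends AbstractXmlSecInHandler {

    /** XML Encryption namespace used for EncryptedKey/EncryptionMethod/CipherValue lookups. */
    private static final String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    /** XML Signature namespace used for X509 key identifiers and DigestMethod. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Optional algorithm / key-identifier configuration; null means "no explicit policy".
    private EncryptionProperties encProps;

    /**
     * Decrypts the encrypted document carried by the message and replaces the message
     * content with a StAX reader over the decrypted XML.
     * <p>
     * Steps: recover the symmetric key from the {@code xenc:EncryptedKey} element, check the
     * symmetric algorithm against the configured properties (when present), decrypt the root
     * element and re-parse the plaintext. Any failure is reported via {@code throwFault}.
     *
     * @param message the inbound message whose encrypted content is to be replaced
     */
    public void decryptContent(Message message) {
        Message outMessage = message.getExchange().getOutMessage();
        // NOTE(review): presumably the out-message exists on the client side, where the
        // encrypted document was stored on the exchange's in-message — confirm against callers.
        Message source = outMessage == null ? message : outMessage.getExchange().getInMessage();
        Document encryptedDoc = getDocument(source);
        if (encryptedDoc == null) {
            return;
        }
        Element root = encryptedDoc.getDocumentElement();
        byte[] symmetricKeyBytes = getSymmetricKeyBytes(message, root);
        String symmetricAlgo = getEncodingMethodAlgorithm(root);
        // NOTE(review): the symmetric algorithm is only allow-listed when EncryptionProperties
        // are set and name one; otherwise the sender's choice is accepted as-is.
        if (this.encProps != null
            && this.encProps.getEncryptionSymmetricKeyAlgo() != null
            && !this.encProps.getEncryptionSymmetricKeyAlgo().equals(symmetricAlgo)) {
            throwFault("Encryption Symmetric Key Algorithm is not supported", null);
        }

        byte[] plaintext = null;
        try {
            plaintext = decryptPayload(root, symmetricKeyBytes, symmetricAlgo);
        } catch (Exception e) {
            throwFault("Payload can not be decrypted", e);
        }

        Document decryptedDoc = null;
        try {
            // The decrypted bytes are re-parsed with CXF's StaxUtils; DTD/external-entity
            // handling is whatever that utility configures, not something decided here.
            decryptedDoc = StaxUtils.read(
                new InputStreamReader(new ByteArrayInputStream(plaintext), "UTF-8"));
        } catch (Exception e) {
            throwFault("Payload document can not be created", e);
        }

        // Downstream readers consume the DOM via XMLStreamReader; the raw stream is cleared so
        // nobody re-reads the ciphertext.
        message.setContent(XMLStreamReader.class, new W3CDOMStreamReader(decryptedDoc));
        message.setContent(InputStream.class, null);
    }

    /**
     * Recovers the raw symmetric key bytes from the {@code xenc:EncryptedKey} element under
     * {@code root}.
     * <p>
     * The recipient certificate referenced by the EncryptedKey is loaded from the configured
     * {@link Crypto}, trust-validated, and then used to unwrap the {@code xenc:CipherValue}.
     * Key transport and digest algorithms are checked against the configured
     * {@link EncryptionProperties}; without properties only RSA-OAEP key transport is accepted.
     *
     * @param message the inbound message (used to select crypto configuration and callbacks)
     * @param root    the element under which the EncryptedKey is searched
     * @return the decrypted symmetric key bytes ({@code null} only if {@code throwFault} returns)
     */
    protected byte[] getSymmetricKeyBytes(Message message, Element root) {
        // A two-way signed+encrypted exchange reuses the signature crypto for decryption.
        boolean twoWay = SecurityUtils.isSignedAndEncryptedTwoWay(message);
        String cryptoKey = twoWay
            ? SecurityConstants.SIGNATURE_CRYPTO : SecurityConstants.ENCRYPT_CRYPTO;
        String propsKey = twoWay
            ? SecurityConstants.SIGNATURE_PROPERTIES : SecurityConstants.ENCRYPT_PROPERTIES;

        Crypto crypto = null;
        try {
            crypto = new CryptoLoader().getCrypto(message, cryptoKey, propsKey);
        } catch (Exception e) {
            throwFault("Crypto can not be loaded", e);
        }

        Element encryptedKey = getNode(root, XMLENC_NS, "EncryptedKey", 0);
        if (encryptedKey == null) {
            throwFault("EncryptedKey element is not available", null);
        }

        // The certificate named in the EncryptedKey must chain to a trusted anchor before its
        // private key is used to unwrap anything.
        X509Certificate cert = loadCertificate(crypto, encryptedKey);
        try {
            new TrustValidator().validateTrust(crypto, cert, null);
        } catch (Exception e) {
            throwFault(e.getMessage(), e);
        }

        String keyTransportAlgo = getEncodingMethodAlgorithm(encryptedKey);
        String digestAlgo = getDigestMethodAlgorithm(encryptedKey);
        if (this.encProps != null) {
            // Checks are opt-in per algorithm: a null configured value skips that check.
            // NOTE(review): with encProps set but no key-transport algorithm configured, any
            // key transport algorithm is accepted, whereas the encProps == null branch below
            // insists on RSA-OAEP. Confirm deployments configure it explicitly.
            if (this.encProps.getEncryptionKeyTransportAlgo() != null
                && !this.encProps.getEncryptionKeyTransportAlgo().equals(keyTransportAlgo)) {
                throwFault("Key Transport Algorithm is not supported", null);
            }
            if (this.encProps.getEncryptionDigestAlgo() != null
                && (digestAlgo == null
                    || !this.encProps.getEncryptionDigestAlgo().equals(digestAlgo))) {
                throwFault("Digest Algorithm is not supported", null);
            }
        } else if (!SPConstants.KW_RSA_OAEP.equals(keyTransportAlgo)) {
            throwFault("Key Transport Algorithm is not supported", null);
        }

        Element cipherValue = getNode(encryptedKey, XMLENC_NS, "CipherValue", 0);
        if (cipherValue == null) {
            throwFault("CipherValue element is not available", null);
        }
        try {
            return decryptSymmetricKey(cipherValue.getTextContent().trim(), cert, crypto,
                                       keyTransportAlgo, digestAlgo, message);
        } catch (Exception e) {
            throwFault(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Resolves the recipient certificate referenced inside an EncryptedKey.
     * <p>
     * Honours the configured key identifier type when present; otherwise tries an
     * {@code ds:X509Certificate} first and an {@code ds:X509IssuerSerial} second.
     *
     * @param crypto       crypto provider used to resolve/load the certificate
     * @param encryptedKey the EncryptedKey element carrying the key identifier
     * @return the referenced certificate ({@code null} only if {@code throwFault} returns)
     */
    private X509Certificate loadCertificate(Crypto crypto, Element encryptedKey) {
        String keyIdType = this.encProps != null ? this.encProps.getEncryptionKeyIdType() : null;

        if (keyIdType == null || keyIdType.equals(SecurityUtils.X509_CERT)) {
            Element certNode = getNode(encryptedKey, XMLDSIG_NS, SecurityUtils.X509_CERT, 0);
            if (certNode != null) {
                try {
                    return SecurityUtils.loadX509Certificate(crypto, certNode);
                } catch (Exception e) {
                    throwFault("X509Certificate can not be created", e);
                }
            }
        }
        if (keyIdType == null || keyIdType.equals(SecurityUtils.X509_ISSUER_SERIAL)) {
            Element issuerSerialNode =
                getNode(encryptedKey, XMLDSIG_NS, SecurityUtils.X509_ISSUER_SERIAL, 0);
            if (issuerSerialNode != null) {
                try {
                    return SecurityUtils.loadX509IssuerSerial(crypto, issuerSerialNode);
                } catch (Exception e) {
                    throwFault("X509Certificate can not be created", e);
                }
            }
        }
        throwFault("Certificate is missing", null);
        return null;
    }

    /**
     * Returns the {@code Algorithm} attribute of the first {@code xenc:EncryptionMethod}
     * child of {@code element}; faults when the element is absent.
     *
     * @param element parent to search (EncryptedKey or encrypted root)
     * @return the algorithm URI (empty string if the attribute itself is missing)
     */
    private String getEncodingMethodAlgorithm(Element element) {
        Element encryptionMethod = getNode(element, XMLENC_NS, "EncryptionMethod", 0);
        if (encryptionMethod == null) {
            throwFault("EncryptionMethod element is not available", null);
        }
        return encryptionMethod.getAttribute("Algorithm");
    }

    /**
     * Returns the {@code Algorithm} of the {@code ds:DigestMethod} nested in the
     * {@code xenc:EncryptionMethod} (used by RSA-OAEP), or {@code null} when either is absent.
     *
     * @param element parent to search (normally the EncryptedKey element)
     * @return the digest algorithm URI or {@code null}
     */
    private String getDigestMethodAlgorithm(Element element) {
        Element encryptionMethod = getNode(element, XMLENC_NS, "EncryptionMethod", 0);
        if (encryptionMethod == null) {
            return null;
        }
        Element digestMethod = getNode(encryptionMethod, XMLDSIG_NS, "DigestMethod", 0);
        if (digestMethod == null) {
            return null;
        }
        return digestMethod.getAttributeNS(null, "Algorithm");
    }

    /**
     * Unwraps a base64-encoded symmetric key without an explicit OAEP digest algorithm.
     *
     * @param encodedKey        base64 CipherValue text
     * @param cert              recipient certificate whose private key unwraps the key
     * @param crypto            crypto provider supplying the private key
     * @param keyTransportAlgo  key transport algorithm URI
     * @param message           inbound message (for the password callback handler)
     * @return the raw symmetric key bytes
     * @throws WSSecurityException propagated from the six-argument overload
     */
    protected byte[] decryptSymmetricKey(String encodedKey, X509Certificate cert, Crypto crypto,
                                         String keyTransportAlgo, Message message)
        throws WSSecurityException {
        return decryptSymmetricKey(encodedKey, cert, crypto, keyTransportAlgo, null, message);
    }

    /**
     * Unwraps a base64-encoded symmetric key with the recipient's private key.
     *
     * @param encodedKey        base64 CipherValue text
     * @param cert              recipient certificate whose private key unwraps the key
     * @param crypto            crypto provider supplying the private key
     * @param keyTransportAlgo  key transport algorithm URI
     * @param digestAlgo        OAEP digest algorithm URI, or {@code null}
     * @param message           inbound message (for the password callback handler)
     * @return the raw symmetric key bytes ({@code null} only if {@code throwFault} returns)
     * @throws WSSecurityException declared for subclasses; this implementation reports
     *                             failures via {@code throwFault}
     */
    protected byte[] decryptSymmetricKey(String encodedKey, X509Certificate cert, Crypto crypto,
                                         String keyTransportAlgo, String digestAlgo,
                                         Message message) throws WSSecurityException {
        PrivateKey privateKey = null;
        try {
            privateKey = crypto.getPrivateKey(cert,
                                              SecurityUtils.getCallbackHandler(message, getClass()));
        } catch (Exception e) {
            throwFault("Encrypted key can not be decrypted", e);
        }
        try {
            return EncryptionUtils
                .initCipherWithKey(keyTransportAlgo, digestAlgo, Cipher.DECRYPT_MODE, privateKey)
                .doFinal(Base64Utility.decode(encodedKey));
        } catch (Base64Exception e) {
            throwFault("Base64 decoding has failed", e);
            return null;
        } catch (Exception e) {
            // Deliberately generic: padding/length failures are not distinguished to the caller.
            throwFault("Encrypted key can not be decrypted", e);
            return null;
        }
    }

    /**
     * Decrypts the encrypted root element with the recovered symmetric key.
     *
     * @param root           the encrypted element
     * @param secretKeyBytes raw symmetric key bytes
     * @param symEncAlgo     symmetric encryption algorithm URI
     * @return the decrypted payload bytes
     * @throws WSSecurityException when the XML cipher rejects the element or algorithm
     */
    protected byte[] decryptPayload(Element root, byte[] secretKeyBytes, String symEncAlgo)
        throws WSSecurityException {
        try {
            return EncryptionUtils
                .initXMLCipher(symEncAlgo, XMLCipher.DECRYPT_MODE,
                               WSSecurityUtil.prepareSecretKey(symEncAlgo, secretKeyBytes))
                .decryptToByteArray(root);
        } catch (XMLEncryptionException e) {
            // 2 is the WSS4J fault code this handler has always used here (decompiled constant);
            // NOTE(review): confirm the matching WSSecurityException constant before replacing.
            throw new WSSecurityException(2, (String) null, (Object[]) null, e);
        }
    }

    /**
     * Sets the algorithm / key-identifier policy applied during decryption.
     *
     * @param encryptionProperties the policy, or {@code null} to fall back to the defaults
     *                             (no symmetric-algorithm check, RSA-OAEP key transport only)
     */
    public void setEncryptionProperties(EncryptionProperties encryptionProperties) {
        this.encProps = encryptionProperties;
    }
}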
