package org.apache.ws.security.processor;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import javax.crypto.SecretKey;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.AlgorithmSuite;
import org.apache.ws.security.components.crypto.AlgorithmSuiteValidator;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.CallbackLookup;
import org.apache.ws.security.message.DOMCallbackLookup;
import org.apache.ws.security.str.SecurityTokenRefSTRParser;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/apache/ws/security/processor/ReferenceListProcessor.class */
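/**
 * Processor for a {@code ReferenceList} element: every {@code DataReference} child is
 * resolved to the element it points at, the decryption key is obtained from that element's
 * {@code KeyInfo}, and the data is decrypted in place in the owning document.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The {@code URI} attribute, the algorithm URI and the {@code KeyInfo} content all come
 *       from the incoming message, so each is validated before use and every rejection is
 *       reported as a {@link WSSecurityException} instead of an unchecked runtime exception.</li>
 *   <li>When an {@code EncryptedKey} is present in the security header and
 *       {@code RequestData.isRequireSignedEncryptedDataElements()} is set, the encrypted
 *       element must be covered by a signature before it is decrypted.</li>
 *   <li>If an {@link AlgorithmSuite} is configured, key length and algorithm are checked
 *       against it before any decryption takes place.</li>
 * </ul>
 */
public class ReferenceListProcessor implements Processor {
    private static final Log log = LogFactory.getLog(ReferenceListProcessor.class);

    /**
     * Decrypts everything referenced by the given reference list and records the outcome.
     *
     * @param element the reference list element to process
     * @param requestData per-request configuration (callback handler, algorithm suite, flags)
     * @param wSDocInfo per-document state; the element and the result are registered on it
     * @return a single-element list holding the encryption result
     * @throws WSSecurityException if a reference cannot be resolved, validated or decrypted
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Found reference list element");
        }
        List<WSDataRef> dataRefs = handleReferenceList(element, requestData, wSDocInfo);
        WSSecurityEngineResult result = new WSSecurityEngineResult(WSConstants.ENCR, dataRefs);
        result.put(WSSecurityEngineResult.TAG_ID, element.getAttributeNS(null, "Id"));
        wSDocInfo.addTokenElement(element);
        wSDocInfo.addResult(result);
        return Collections.singletonList(result);
    }

    /**
     * Walks the direct children of the reference list and decrypts each {@code DataReference}
     * that has no encryption result recorded for its id yet.
     *
     * @throws WSSecurityException if a {@code DataReference} carries no usable {@code URI}, or
     *         if resolving or decrypting the referenced data fails
     */
    private List<WSDataRef> handleReferenceList(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        List<WSDataRef> dataRefs = new ArrayList<WSDataRef>();
        // Remembered once per list: whether the security header holds an EncryptedKey child.
        boolean encryptedKeyInHeader =
            WSSecurityUtil.getDirectChildElement(wSDocInfo.getSecurityHeader(), "EncryptedKey", WSConstants.ENC_NS) != null;

        for (Node child = element.getFirstChild(); child != null; child = child.getNextSibling()) {
            boolean isDataReference = Node.ELEMENT_NODE == child.getNodeType()
                && WSConstants.ENC_NS.equals(child.getNamespaceURI())
                && "DataReference".equals(child.getLocalName());
            if (!isDataReference) {
                continue;
            }
            // getAttributeNS yields "" for an absent attribute, so the value must not be
            // indexed blindly: an empty URI is a malformed reference, not a runtime error.
            String dataRefUri = ((Element) child).getAttributeNS(null, "URI");
            String dataRefId = dataRefUri;
            if (dataRefId != null && dataRefId.startsWith("#")) {
                dataRefId = dataRefId.substring(1);
            }
            if (dataRefId == null || dataRefId.length() == 0) {
                throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "dataRef", new Object[]{dataRefUri});
            }
            // Skip ids that already have an encryption result, so nothing is decrypted twice.
            if (wSDocInfo.getResultByTag(WSConstants.ENCR, dataRefId) == null) {
                dataRefs.add(decryptDataRefEmbedded(element.getOwnerDocument(), dataRefId, requestData, wSDocInfo, encryptedKeyInHeader));
            }
        }
        return dataRefs;
    }

    /**
     * Resolves one data reference, derives the symmetric key from its {@code KeyInfo},
     * validates algorithm and key against the configured policy and decrypts the data.
     *
     * @param document the document that owns the reference list
     * @param str id of the referenced element (leading {@code #} already removed)
     * @param z whether the security header contains an {@code EncryptedKey}
     * @throws WSSecurityException on a dangling reference, missing {@code KeyInfo}, policy
     *         violation or decryption failure
     */
    private WSDataRef decryptDataRefEmbedded(Document document, String str, RequestData requestData, WSDocInfo wSDocInfo, boolean z) throws WSSecurityException {
        // The id is taken from the message; it is only written at debug level.
        if (log.isDebugEnabled()) {
            log.debug("Found data reference: " + str);
        }
        Element encryptedData = findEncryptedDataElement(document, wSDocInfo, str);
        if (encryptedData == null) {
            // findEncryptedDataElement returns null for an EncryptedHeader without an element
            // child; fail with a security fault instead of passing null further down.
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "dataRef", new Object[]{str});
        }
        // Signature coverage is enforced before decryption, and only when an EncryptedKey is
        // present and the receiver has asked for signed EncryptedData elements.
        if (z && requestData.isRequireSignedEncryptedDataElements()) {
            WSSecurityUtil.verifySignedElement(encryptedData, document, wSDocInfo.getSecurityHeader());
        }

        String encAlgo = X509Util.getEncAlgo(encryptedData);
        Element keyInfo = WSSecurityUtil.getDirectChildElement(encryptedData, WSConstants.KEYINFO_LN, WSConstants.SIG_NS);
        if (keyInfo == null) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyinfo");
        }
        if (requestData.getWssConfig().isWsiBSPCompliant()) {
            checkBSPCompliance(keyInfo, encAlgo);
        }

        Element tokenReference = WSSecurityUtil.getDirectChildElement(keyInfo, "SecurityTokenReference", WSConstants.WSSE_NS);
        Principal principal = null;
        SecretKey symmetricKey;
        if (tokenReference == null) {
            // No token reference: the key is looked up through the callback handler.
            symmetricKey = X509Util.getSharedKey(keyInfo, encAlgo, requestData.getCallbackHandler());
        } else {
            SecurityTokenRefSTRParser strParser = new SecurityTokenRefSTRParser();
            HashMap<String, Object> parameters = new HashMap<String, Object>();
            parameters.put("signature_method", encAlgo);
            strParser.parseSecurityTokenReference(tokenReference, requestData, wSDocInfo, parameters);
            byte[] rawKey = strParser.getSecretKey();
            principal = strParser.getPrincipal();
            symmetricKey = WSSecurityUtil.prepareSecretKey(encAlgo, rawKey);
        }

        // Policy checks run before the cipher ever sees the data.
        AlgorithmSuite algorithmSuite = requestData.getAlgorithmSuite();
        if (algorithmSuite != null) {
            AlgorithmSuiteValidator validator = new AlgorithmSuiteValidator(algorithmSuite);
            if (principal instanceof WSDerivedKeyTokenPrincipal) {
                WSDerivedKeyTokenPrincipal derivedKeyPrincipal = (WSDerivedKeyTokenPrincipal) principal;
                validator.checkDerivedKeyAlgorithm(derivedKeyPrincipal.getAlgorithm());
                validator.checkEncryptionDerivedKeyLength(derivedKeyPrincipal.getLength());
            }
            validator.checkSymmetricKeyLength(symmetricKey.getEncoded().length);
            validator.checkSymmetricEncryptionAlgorithm(encAlgo);
        }
        return decryptEncryptedData(document, str, encryptedData, symmetricKey, encAlgo);
    }

    /**
     * Enforces the profile checks applied when {@code isWsiBSPCompliant()} is set: the
     * {@code KeyInfo} must contain exactly one element child, that child must be a
     * {@code SecurityTokenReference}, and the algorithm must be one of the accepted URIs.
     *
     * @param element the {@code KeyInfo} element
     * @param str the symmetric encryption algorithm URI, possibly {@code null}
     * @throws WSSecurityException if any of the checks fails
     */
    private static void checkBSPCompliance(Element element, String str) throws WSSecurityException {
        int elementChildren = 0;
        Element lastElementChild = null;
        for (Node child = element.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (Node.ELEMENT_NODE == child.getNodeType()) {
                elementChildren++;
                lastElementChild = (Element) child;
            }
        }
        if (elementChildren != 1) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "invalidDataRef");
        }
        boolean isTokenReference = WSConstants.WSSE_NS.equals(lastElementChild.getNamespaceURI())
            && "SecurityTokenReference".equals(lastElementChild.getLocalName());
        if (!isTokenReference) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noSecTokRef");
        }
        if (str == null) {
            throw new WSSecurityException(WSSecurityException.UNSUPPORTED_ALGORITHM, "noEncAlgo");
        }
        // Allow-list: anything not named here is rejected.
        boolean accepted = WSConstants.TRIPLE_DES.equals(str)
            || WSConstants.AES_128.equals(str)
            || WSConstants.AES_128_GCM.equals(str)
            || WSConstants.AES_256.equals(str)
            || WSConstants.AES_256_GCM.equals(str);
        if (!accepted) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "badEncAlgo", new Object[]{str});
        }
    }

    /**
     * Looks up the element a data reference points at.
     *
     * <p>If the referenced element is an {@code EncryptedHeader} in the WSSE 1.1 namespace,
     * its first element child is returned instead of the header itself.
     *
     * @param document document to search when no callback lookup is registered
     * @param wSDocInfo supplies the callback lookup, if any
     * @param str id of the element to find
     * @return the referenced element, or {@code null} when an {@code EncryptedHeader} has no
     *         element child; callers must handle that case
     * @throws WSSecurityException if no element with the given id exists
     */
    public static Element findEncryptedDataElement(Document document, WSDocInfo wSDocInfo, String str) throws WSSecurityException {
        CallbackLookup callbackLookup = wSDocInfo.getCallbackLookup();
        if (callbackLookup == null) {
            callbackLookup = new DOMCallbackLookup(document);
        }
        Element referenced = callbackLookup.getElement(str, null, true);
        if (referenced == null) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "dataRef", new Object[]{str});
        }
        // Constant-first comparison: local name and namespace may be null on some nodes.
        boolean isEncryptedHeader = WSConstants.ENCRYPTED_HEADER.equals(referenced.getLocalName())
            && WSConstants.WSSE11_NS.equals(referenced.getNamespaceURI());
        if (!isEncryptedHeader) {
            return referenced;
        }
        Node child = referenced.getFirstChild();
        while (child != null && child.getNodeType() != Node.ELEMENT_NODE) {
            child = child.getNextSibling();
        }
        return (Element) child;
    }

    /**
     * Decrypts one encrypted element in place and describes what was recovered.
     *
     * @param document the owning document, modified by the decryption
     * @param str id recorded on the returned reference
     * @param element the encrypted data element
     * @param secretKey the symmetric key to decrypt with
     * @param str2 the encryption algorithm URI
     * @return a reference carrying id, algorithm, content flag, protected element and XPath
     * @throws WSSecurityException with code {@code UNSUPPORTED_ALGORITHM} if the cipher cannot
     *         be created or initialised, or {@code FAILED_CHECK} for any failure afterwards
     */
    public static WSDataRef decryptEncryptedData(Document document, String str, Element element, SecretKey secretKey, String str2) throws WSSecurityException {
        try {
            XMLCipher xMLCipher = XMLCipher.getInstance(str2);
            // Secure validation is switched on explicitly because the input is untrusted.
            xMLCipher.setSecureValidation(true);
            xMLCipher.init(XMLCipher.DECRYPT_MODE, secretKey);

            WSDataRef dataRef = new WSDataRef();
            dataRef.setWsuId(str);
            dataRef.setAlgorithm(str2);
            boolean isContent = X509Util.isContent(element);
            dataRef.setContent(isContent);

            // Positions are captured before decryption replaces the encrypted node.
            Node parentNode = element.getParentNode();
            Node previousSibling = element.getPreviousSibling();
            if (isContent) {
                element = (Element) element.getParentNode();
                parentNode = element.getParentNode();
            }
            try {
                xMLCipher.doFinal(document, element, isContent);
                boolean parentIsEncryptedHeader = WSConstants.ENCRYPTED_HEADER.equals(parentNode.getLocalName())
                    && WSConstants.WSSE11_NS.equals(parentNode.getNamespaceURI());
                if (parentIsEncryptedHeader) {
                    // Unwrap: the decrypted header takes the place of its EncryptedHeader wrapper.
                    Node decryptedHeader = parentNode.getFirstChild();
                    parentNode.getParentNode().replaceChild(decryptedHeader, parentNode);
                    dataRef.setProtectedElement((Element) decryptedHeader);
                    dataRef.setXpath(getXPath(decryptedHeader));
                } else if (isContent) {
                    dataRef.setProtectedElement(element);
                    dataRef.setXpath(getXPath(element));
                } else {
                    // The decrypted node sits where the encrypted one was.
                    Node decryptedNode = previousSibling == null ? parentNode.getFirstChild() : previousSibling.getNextSibling();
                    if (decryptedNode != null && Node.ELEMENT_NODE == decryptedNode.getNodeType()) {
                        dataRef.setProtectedElement((Element) decryptedNode);
                    }
                    dataRef.setXpath(getXPath(decryptedNode));
                }
                return dataRef;
            } catch (Exception e) {
                // Every post-init failure gets the same code and no message text.
                // NOTE(review): the cause is attached; confirm that the fault returned to the
                // sender does not expose it, so decryption failures stay indistinguishable.
                throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
            }
        } catch (XMLEncryptionException e2) {
            throw new WSSecurityException(WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e2);
        }
    }

    /**
     * @return always {@code null}
     */
    public String getId() {
        return null;
    }

    /**
     * Builds a slash-separated path of node names from the document root to the given node.
     *
     * @param node an element or attribute node; may be {@code null}
     * @return the path (attributes are prefixed with {@code @}), or {@code null} if the node
     *         is {@code null}, is neither element nor attribute, or has no document ancestor
     */
    public static String getXPath(Node node) {
        if (node == null) {
            return null;
        }
        switch (node.getNodeType()) {
            case Node.ELEMENT_NODE:
                return prependFullPath(node.getNodeName(), node.getParentNode());
            case Node.ATTRIBUTE_NODE:
                return prependFullPath("@" + node.getNodeName(), ((Attr) node).getOwnerElement());
            default:
                return null;
        }
    }

    /**
     * Prefixes {@code str} with the names of all element ancestors starting at {@code node}.
     * Written as a loop so that the nesting depth of a received document cannot exhaust the
     * call stack.
     *
     * @return the absolute path, or {@code null} if the ancestor chain ends without reaching
     *         a document node
     */
    private static String prependFullPath(String str, Node node) {
        String path = str;
        for (Node current = node; current != null; current = current.getParentNode()) {
            short nodeType = current.getNodeType();
            if (Node.ELEMENT_NODE == nodeType) {
                path = current.getNodeName() + "/" + path;
            } else if (Node.DOCUMENT_NODE == nodeType) {
                return "/" + path;
            }
        }
        return null;
    }
}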
