package org.apache.ws.security.message;

import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import java.security.Key;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import java.util.Vector;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.kerberos.KrbSession;
import org.apache.ws.security.kerberos.KrbSessionCache;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.util.SecurityUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.SignatureAlgorithm;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.params.InclusiveNamespaces;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.opensaml.security.crypto.JCAConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.wso2.carbon.webapp.mgt.WebappsConstants;

/* loaded from: input_file:org/apache/ws/security/message/WSSecKerberosToken.class */
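/**
 * Builds a WS-Security Kerberos token and signs the SOAP message with the Kerberos session key.
 *
 * <p>Two paths exist, selected in {@link #prepare()}:
 * <ul>
 *   <li>No session is cached in {@link KrbSessionCache}: log in through JAAS (entry
 *       {@value #JAAS_LOGIN_ENTRY}), obtain a GSS-API initial context token (the service ticket)
 *       for the configured service principal, cache the resulting {@link KrbSession} and carry
 *       the token in a {@code BinarySecurityToken} referenced directly from the
 *       {@code SecurityTokenReference}.</li>
 *   <li>A session is cached: reuse its session key and reference it by thumbprint.</li>
 * </ul>
 *
 * <p>{@link #build(Document, WSSecHeader)} only inserts the token; the signature itself is
 * produced by {@link #signMessage()}. Instances hold per-message state and are not thread-safe.
 */
public class WSSecKerberosToken extends WSSecSignature {
    private static final Log log = LogFactory.getLog(WSSecKerberosToken.class);
    public static final String KERBEROS_SERVICE_PRINCIPLE_UNKNOWN = "servicePrincipalUnknown";

    /** JAAS login configuration entry used to obtain the ticket-granting ticket. */
    private static final String JAAS_LOGIN_ENTRY = "Client";
    /** Kerberos V5 GSS-API mechanism OID (RFC 1964). */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    /** Kerberos V5 principal name type OID (RFC 1964). */
    private static final String KRB5_PRINCIPAL_NAME_OID = "1.2.840.113554.1.2.2.1";
    /** Key identifier type: direct wsse:Reference to the BinarySecurityToken (WSConstants.BST_DIRECT_REFERENCE). */
    private static final int KEY_ID_BST_DIRECT_REFERENCE = 1;
    /** Key identifier type: reference by thumbprint (WSConstants.THUMBPRINT_IDENTIFIER). */
    private static final int KEY_ID_THUMBPRINT = 8;
    // WSSecurityException error codes as carried by this class. 0 and 5 are FAILURE and
    // FAILED_AUTHENTICATION; 9 is the code used for signature failures here — TODO confirm
    // against the WSSecurityException constants of the WSS4J version in use.
    private static final int WSSEC_FAILURE = 0;
    private static final int WSSEC_FAILED_AUTHENTICATION = 5;
    private static final int WSSEC_FAILED_SIGNATURE = 9;
    /** Signature algorithm used when the caller has not configured one. */
    private static final String DEFAULT_SIG_ALGO = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** wsu:Id of the BinarySecurityToken carrying the service ticket (direct-reference path only). */
    protected String tokenUri;
    /** Subject populated by the JAAS login; holds the TGT and the service ticket. */
    protected Subject subject;
    private CredentialsCallbackHandler credHandler;
    protected WSSecHeader wsSecHeader;
    /** Kerberos session key used as the HMAC key in {@link #computeSignature()}. */
    private SecretKey sessionKey;
    private KrbSession krbSession;
    private String servicePrincipalName = KERBEROS_SERVICE_PRINCIPLE_UNKNOWN;
    // Not consulted by this class; presumably read by callers that process incoming tokens.
    private boolean receiver = false;

    /** @return the session set via {@link #setKrbSession(KrbSession)}, or {@code null} */
    public KrbSession getKrbSession() {
        return this.krbSession;
    }

    public void setKrbSession(KrbSession krbSession) {
        this.krbSession = krbSession;
    }

    /** @return the SecurityTokenReference created by {@link #build(Document, WSSecHeader)}, or {@code null} before it */
    public SecurityTokenReference getSecurityTokenReference() {
        return this.secRef;
    }

    /** @return the Kerberos session key established by {@link #build(Document, WSSecHeader)}, or {@code null} before it */
    public SecretKey getSessionKey() {
        return this.sessionKey;
    }

    public void setBSTToken(BinarySecurity binarySecurity) {
        this.bstToken = binarySecurity;
    }

    /**
     * Sets the service principal a ticket is requested for.
     *
     * @param str Kerberos service principal name passed to {@code GSSManager.createName}
     */
    public void setServicePrincipalName(String str) {
        this.servicePrincipalName = str;
    }

    /**
     * Inserts the Kerberos token into the security header of {@code document}.
     *
     * <p>Does not sign; call {@link #signMessage()} afterwards. The inherited {@code user} and
     * {@code password} are handed to the JAAS login through a {@link CredentialsCallbackHandler}.
     *
     * @param document the SOAP document to modify
     * @param wSSecHeader the security header the token is prepended to
     * @return the same {@code document}
     * @throws WSSecurityException if login or the ticket request fails, or the key identifier type is unsupported
     */
    public Document build(Document document, WSSecHeader wSSecHeader) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Beginning kerberos token processing...");
        }
        this.credHandler = new CredentialsCallbackHandler(this.user, this.password);
        this.document = document;
        this.wsSecHeader = wSSecHeader;
        prepare();
        if (this.bstToken != null) {
            prependBSTElementToHeader(wSSecHeader);
        }
        return this.document;
    }

    /**
     * Logs in through JAAS and returns the ticket-granting ticket from the resulting subject.
     * Side effect: stores the logged-in subject in {@link #subject}.
     *
     * @throws LoginException if the login fails or the subject holds no Kerberos ticket
     */
    private KerberosTicket getTicketGrantingTicket() throws LoginException {
        LoginContext loginContext = new LoginContext(JAAS_LOGIN_ENTRY, this.credHandler);
        loginContext.login();
        this.subject = loginContext.getSubject();
        Set<KerberosTicket> tickets = this.subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            // Previously iterator().next() threw NoSuchElementException here.
            throw new LoginException("JAAS login succeeded but the subject holds no Kerberos ticket");
        }
        return tickets.iterator().next();
    }

    /**
     * Requests the GSS-API initial context token (the service ticket / AP-REQ) for
     * {@code servicePrincipal}, running as {@link #subject} so the Krb5 mechanism can use the TGT.
     *
     * <p>If the JDK hands back an {@link ExtendedGSSContext}, the negotiated session key is read
     * from it into {@link #sessionKey}; otherwise {@link #sessionKey} is left untouched and the
     * caller falls back to {@link #getSessionKey(KerberosTicket)}.
     *
     * @param servicePrincipal the service principal name
     * @return the context token bytes, or {@code null} if the mechanism produced no token
     * @throws GSSException if the Krb5 mechanism cannot initiate the context (e.g. no ticket obtainable)
     */
    private byte[] getServiceTicketData(final String servicePrincipal) throws GSSException {
        try {
            return Subject.doAs(this.subject, new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws GSSException {
                    return initiateContext(servicePrincipal);
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof GSSException) {
                throw (GSSException) cause;
            }
            // run() declares only GSSException, so anything else is a programming error.
            throw new IllegalStateException("Unexpected failure while requesting the service ticket", cause);
        }
    }

    /**
     * Context initiation proper; executed inside {@code Subject.doAs} by {@link #getServiceTicketData(String)}.
     *
     * <p>Mutual authentication and credential delegation are both switched off: the token only
     * authenticates this client to the service, the service is not authenticated back.
     */
    private byte[] initiateContext(String servicePrincipal) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSContext context = manager.createContext(
                manager.createName(servicePrincipal, new Oid(KRB5_PRINCIPAL_NAME_OID)),
                new Oid(KRB5_MECH_OID),
                (GSSCredential) null,
                GSSContext.DEFAULT_LIFETIME);
        context.requestMutualAuth(false);
        context.requestCredDeleg(false);
        byte[] empty = new byte[0];
        byte[] token = context.initSecContext(empty, 0, empty.length);
        if (context instanceof ExtendedGSSContext) {
            Key key = (Key) ((ExtendedGSSContext) context).inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
            if (key != null) {
                // The algorithm name is nominal (the original labelled every key "DES");
                // only the raw bytes matter for the HMAC computed in computeSignature().
                this.sessionKey = new SecretKeySpec(key.getEncoded(), "DES");
            }
        }
        return token;
    }

    /**
     * Fallback session-key lookup: returns the session key of the first ticket in {@link #subject}
     * that is not the TGT. Assumes the subject holds only the TGT and the freshly obtained
     * service ticket — TODO confirm; a subject with several service tickets is not disambiguated.
     *
     * @param ticketGrantingTicket the TGT to skip
     * @throws WSSecurityException if no other ticket is present
     */
    private SecretKey getSessionKey(KerberosTicket ticketGrantingTicket) throws WSSecurityException {
        for (KerberosTicket ticket : this.subject.getPrivateCredentials(KerberosTicket.class)) {
            if (!ticket.equals(ticketGrantingTicket)) {
                return ticket.getSessionKey();
            }
        }
        throw new WSSecurityException("Could not find service ticket with server principal name " + this.servicePrincipalName);
    }

    public boolean isReceiver() {
        return this.receiver;
    }

    public void setReceiver(boolean z) {
        this.receiver = z;
    }

    /**
     * Establishes the session key and builds the SecurityTokenReference (and, on the
     * direct-reference path, the BinarySecurityToken) for the current document.
     *
     * @throws WSSecurityException on login or ticket failure, or for an unsupported key identifier type
     */
    private void prepare() throws WSSecurityException {
        KrbSessionCache cache = KrbSessionCache.getInstance();
        KrbSession session = cache.getCurrentSession();
        boolean needNewTicket = (session == null);

        this.secRef = new SecurityTokenReference(this.document);
        this.strUri = "STRId-" + this.secRef.hashCode();
        this.secRef.setID(this.strUri);

        byte[] ticket = null;
        if (needNewTicket) {
            try {
                KerberosTicket tgt = getTicketGrantingTicket();
                // Drop any key left from a previous build on this instance; it cannot match the new ticket.
                this.sessionKey = null;
                ticket = getServiceTicketData(this.servicePrincipalName);
                // Check before the ticket is hashed; previously this check sat after getSHA1(ticket)
                // and could never be reached on a null ticket.
                if (ticket == null) {
                    throw new WSSecurityException(WSSEC_FAILED_AUTHENTICATION, "kerberosSTReqFailed",
                            new Object[]{this.servicePrincipalName, "Check service principal exists in KDC"});
                }
                if (this.sessionKey == null) {
                    this.sessionKey = getSessionKey(tgt);
                }
                session = new KrbSession(SecurityUtil.getSHA1(ticket), this.sessionKey);
                session.setClientPrincipalName(this.user);
                session.setServerPrincipalName(this.servicePrincipalName);
                cache.addSession(session);
                // Identity hash of the array; only needs to be unique within this document.
                this.tokenUri = "KerbTokenId-" + ticket.hashCode();
            } catch (WSSecurityException e) {
                throw e;
            } catch (LoginException e) {
                throw new WSSecurityException(WSSEC_FAILED_AUTHENTICATION, "kerberosLoginFailed",
                        new Object[]{e.getMessage()}, e);
            } catch (GSSException e) {
                // Must precede catch (Exception): the decompiled order was a compile error.
                throw new WSSecurityException(WSSEC_FAILED_AUTHENTICATION, "kerberosSTReqFailed",
                        new Object[]{this.servicePrincipalName, e.getMessage()}, e);
            } catch (Exception e) {
                throw new WSSecurityException(WSSEC_FAILED_AUTHENTICATION, "kerberosSTReqFailed",
                        new Object[]{this.servicePrincipalName, e.getMessage()}, e);
            }
        } else {
            // A cached session is always referenced by thumbprint, whatever the caller configured.
            this.keyIdentifierType = KEY_ID_THUMBPRINT;
        }

        this.wsDocInfo = new WSDocInfo(this.document);
        switch (this.keyIdentifierType) {
            case KEY_ID_BST_DIRECT_REFERENCE:
                // wsse:Reference URI="#<token id>" pointing at the BST that carries the ticket.
                KerberosSecurity kerberosToken = new KerberosSecurity(this.document);
                kerberosToken.setKerberosToken(ticket);
                kerberosToken.setID(this.tokenUri);
                Reference reference = new Reference(this.document);
                reference.setURI("#" + this.tokenUri);
                reference.setValueType(kerberosToken.getValueType());
                this.secRef.setReference(reference);
                this.bstToken = kerberosToken;
                this.wsDocInfo.setBst(this.bstToken.getElement());
                break;
            case KEY_ID_THUMBPRINT:
                this.secRef.setKerberosIdentifierThumb(session);
                this.sessionKey = session.getSessionKey();
                break;
            default:
                throw new WSSecurityException(WSSEC_FAILURE, "unsupportedKeyId");
        }
    }

    /**
     * Creates the ds:Signature element keyed by the SecurityTokenReference from
     * {@link #build(Document, WSSecHeader)}, adds the references to sign (the SOAP Body content
     * unless {@code parts} was configured) and computes the signature with the session key.
     *
     * @throws WSSecurityException if the XMLSignature cannot be created or signing fails
     */
    public void signMessage() throws WSSecurityException {
        if (this.sigAlgo == null) {
            this.sigAlgo = DEFAULT_SIG_ALGO;
        }
        try {
            if (EXC_C14N.equals(this.canonAlgo)) {
                // Exclusive C14N: build the CanonicalizationMethod element by hand so the
                // InclusiveNamespaces prefix list can be attached when BSP compliance is on.
                Element c14nMethod = XMLUtils.createElementInSignatureSpace(this.document, Constants._TAG_CANONICALIZATIONMETHOD);
                c14nMethod.setAttributeNS(null, "Algorithm", this.canonAlgo);
                if (this.wssConfig.isWsiBSPCompliant()) {
                    c14nMethod.appendChild(new InclusiveNamespaces(this.document,
                            (Set<String>) getInclusivePrefixes(this.wsSecHeader.getSecurityHeader(), false)).getElement());
                }
                this.sig = new XMLSignature(this.document, (String) null,
                        new SignatureAlgorithm(this.document, this.sigAlgo).getElement(), c14nMethod);
            } else {
                this.sig = new XMLSignature(this.document, (String) null, this.sigAlgo, this.canonAlgo);
            }
        } catch (XMLSecurityException e) {
            log.error("Could not create the XMLSignature element", e);
            throw new WSSecurityException(WSSEC_FAILED_SIGNATURE, "noXMLSig", null, e);
        }
        this.sig.addResourceResolver(EnvelopeIdResolver.getInstance());
        this.sig.setId("Signature-" + this.sig.hashCode());
        this.keyInfo = this.sig.getKeyInfo();
        this.keyInfoUri = "KeyId-" + this.keyInfo.hashCode();
        this.keyInfo.setId(this.keyInfoUri);
        this.keyInfo.addUnknownElement(this.secRef.getElement());
        SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants(this.document.getDocumentElement());
        if (this.parts == null) {
            // Default: sign the content of the SOAP Body.
            this.parts = new Vector<WSEncryptionPart>();
            this.parts.add(new WSEncryptionPart(soapConstants.getBodyQName().getLocalPart(),
                    soapConstants.getEnvelopeURI(), "Content"));
        }
        addReferencesToSign(this.parts, this.wsSecHeader);
        computeSignature();
    }

    /**
     * Signs with the Kerberos session key (HMAC) instead of a private key.
     * The WSDocInfo is registered for the duration of the signing and always removed again.
     *
     * @throws WSSecurityException wrapping whatever the signing threw
     */
    @Override
    public void computeSignature() throws WSSecurityException {
        WSDocInfoStore.store(this.wsDocInfo);
        try {
            this.sig.sign(this.sessionKey);
            this.signatureValue = this.sig.getSignatureValue();
        } catch (Exception e) {
            throw new WSSecurityException(WSSEC_FAILED_SIGNATURE, null, null, e);
        } finally {
            WSDocInfoStore.delete(this.wsDocInfo);
        }
    }

    /** Prepends the BinarySecurityToken, if one was built, to the security header. */
    @Override
    public void prependBSTElementToHeader(WSSecHeader wSSecHeader) {
        if (this.bstToken != null) {
            WSSecurityUtil.prependChildElement(this.document, wSSecHeader.getSecurityHeader(), this.bstToken.getElement(), false);
        }
    }
}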
