package org.apache.wss4j.stax.impl.processor.output;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import org.apache.commons.codec.binary.Base64;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
import org.apache.xml.security.stax.ext.OutputProcessorChain;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;

/* loaded from: input_file:org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.class */
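/**
 * Outbound processor that adds an {@code xenc:EncryptedKey} element to the
 * {@code wsse:Security} header.
 * <p>
 * This processor runs once. It resolves the key-wrapping token (the certificate
 * owner, registered in the security context under
 * {@code PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY}) and the symmetric token whose
 * secret key is transported ({@code PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION}),
 * installs a {@link FinalEncryptedKeyOutputProcessor} at the chain position the
 * current action requires, registers the symmetric token under the final
 * processor, then removes itself and forwards the event. The nested processor
 * writes the element when the security header element passes through the chain.
 */
public class EncryptedKeyOutputProcessor extends AbstractOutputProcessor {

    /** Security-context property: id of the token whose certificate wraps the symmetric key. */
    private static final String PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY =
            "PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY";
    /** Security-context property: id of the signature token; may be unset. */
    private static final String PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE =
            "PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE";
    /** Security-context property: id of the symmetric token transported in the EncryptedKey. */
    private static final String PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION =
            "PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION";

    /** XML Encryption 1.1 RSA-OAEP key-transport algorithm URI. */
    private static final String RSA_OAEP_URI = "http://www.w3.org/2009/xmlenc11#rsa-oaep";
    /** XML Encryption 1.0 RSA-OAEP (MGF1 with SHA-1) key-transport algorithm URI. */
    private static final String RSA_OAEP_MGF1P_URI = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";

    /** JCE digest used for the OAEP hash and for MGF1 when the properties configure none. */
    private static final String DEFAULT_OAEP_DIGEST = "SHA-1";

    /** Line length at which the Base64 CipherValue text is folded. */
    private static final int CIPHER_VALUE_LINE_LENGTH = 76;

    /**
     * Emits the {@code xenc:EncryptedKey} element once the security header element is seen.
     * <p>
     * The element carries the key-transport EncryptionMethod (with OAEP children for the
     * RSA-OAEP variants), a KeyInfo/SecurityTokenReference pointing at the wrapping
     * certificate, and the wrapped secret key as CipherValue; optionally a ReferenceList.
     */
    class FinalEncryptedKeyOutputProcessor extends AbstractOutputProcessor {
        /** Symmetric token whose secret key is wrapped; its key-wrapping token supplies the certificate. */
        private final OutboundSecurityToken securityToken;
        /** Whether this processor writes the xenc:ReferenceList itself (only for the ENCRYPT action). */
        private boolean outputReferenceList = true;

        /**
         * @param outboundSecurityToken the symmetric token to transport; must not be null
         * @throws XMLSecurityException propagated from processor setup
         */
        FinalEncryptedKeyOutputProcessor(OutboundSecurityToken outboundSecurityToken) throws XMLSecurityException {
            // Orders this processor after any other processor registered under the same class name;
            // presumably keeps several EncryptedKey processors in insertion order - confirm.
            addAfterProcessor(FinalEncryptedKeyOutputProcessor.class.getName());
            this.securityToken = outboundSecurityToken;
        }

        /**
         * Controls whether this processor emits the ReferenceList inside the EncryptedKey.
         * The enclosing processor disables it when a separate ReferenceListOutputProcessor is installed.
         */
        protected void setOutputReferenceList(boolean outputReferenceList) {
            this.outputReferenceList = outputReferenceList;
        }

        /**
         * Forwards the event and, if it is the security header element for the configured actor,
         * writes the complete EncryptedKey structure into a sub-chain and removes this processor.
         *
         * @throws XMLSecurityException if the key cannot be wrapped or the token reference cannot be built
         */
        @Override
        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
                throws XMLStreamException, XMLSecurityException {
            outputProcessorChain.processEvent(xmlSecEvent);
            WSSSecurityProperties properties = (WSSSecurityProperties) getSecurityProperties();
            if (!WSSUtils.isSecurityHeaderElement(xmlSecEvent, properties.getActor())) {
                return;
            }

            QName encryptedKeyName = WSSConstants.TAG_xenc_EncryptedKey;
            WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, encryptedKeyName, getAction(), false);
            OutputProcessorChain subChain = outputProcessorChain.createSubChain(this);

            // The first certificate of the wrapping token supplies the public key; a token without
            // certificates fails here (array access) before anything is written.
            X509Certificate certificate = securityToken.getKeyWrappingToken().getX509Certificates()[0];
            String keyTransportAlgorithm = properties.getEncryptionKeyTransportAlgorithm();

            List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
            attributes.add(createAttribute(WSSConstants.ATT_NULL_Id, securityToken.getId()));
            createStartElementAndOutputAsEvent(subChain, encryptedKeyName, true, attributes);

            outputEncryptionMethod(subChain, keyTransportAlgorithm);

            createStartElementAndOutputAsEvent(subChain, WSSConstants.TAG_dsig_KeyInfo, true, null);
            createSecurityTokenReferenceStructureForEncryptedKey(subChain, securityToken,
                    properties.getEncryptionKeyIdentifier(), properties.isUseSingleCert());
            createEndElementAndOutputAsEvent(subChain, WSSConstants.TAG_dsig_KeyInfo);

            createStartElementAndOutputAsEvent(subChain, WSSConstants.TAG_xenc_CipherData, false, null);
            createStartElementAndOutputAsEvent(subChain, WSSConstants.TAG_xenc_CipherValue, false, null);
            byte[] wrappedKey = wrapSecretKey(certificate, keyTransportAlgorithm);
            notifyCallbackHandler(wrappedKey);
            // Folded Base64 with a bare LF separator, as expected in the CipherValue text.
            createCharactersAndOutputAsEvent(subChain,
                    new Base64(CIPHER_VALUE_LINE_LENGTH, new byte[]{'\n'}).encodeToString(wrappedKey));
            createEndElementAndOutputAsEvent(subChain, WSSConstants.TAG_xenc_CipherValue);
            createEndElementAndOutputAsEvent(subChain, WSSConstants.TAG_xenc_CipherData);

            if (outputReferenceList && WSSConstants.ENCRYPT.equals(getAction())) {
                WSSUtils.createReferenceListStructureForEncryption(this, subChain);
            }
            createEndElementAndOutputAsEvent(subChain, encryptedKeyName);
            outputProcessorChain.removeProcessor(this);
        }

        /**
         * Writes {@code xenc:EncryptionMethod} with the key-transport algorithm; for the RSA-OAEP
         * variants also the configured OAEPparams, DigestMethod and MGF children (each only when set).
         */
        private void outputEncryptionMethod(OutputProcessorChain subChain, String keyTransportAlgorithm)
                throws XMLStreamException, XMLSecurityException {
            List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
            attributes.add(createAttribute(WSSConstants.ATT_NULL_Algorithm, keyTransportAlgorithm));
            createStartElementAndOutputAsEvent(subChain, WSSConstants.TAG_xenc_EncryptionMethod, false, attributes);
            if (isRsaOaep(keyTransportAlgorithm)) {
                byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
                if (oaepParams != null) {
                    createStartElementAndOutputAsEvent(subChain, XMLSecurityConstants.TAG_xenc_OAEPparams, false, null);
                    createCharactersAndOutputAsEvent(subChain, Base64.encodeBase64String(oaepParams));
                    createEndElementAndOutputAsEvent(subChain, XMLSecurityConstants.TAG_xenc_OAEPparams);
                }
                String digestAlgorithm = getSecurityProperties().getEncryptionKeyTransportDigestAlgorithm();
                if (digestAlgorithm != null) {
                    outputAlgorithmElement(subChain, XMLSecurityConstants.TAG_dsig_DigestMethod, digestAlgorithm);
                }
                String mgfAlgorithm = getSecurityProperties().getEncryptionKeyTransportMGFAlgorithm();
                if (mgfAlgorithm != null) {
                    outputAlgorithmElement(subChain, XMLSecurityConstants.TAG_xenc11_MGF, mgfAlgorithm);
                }
            }
            createEndElementAndOutputAsEvent(subChain, WSSConstants.TAG_xenc_EncryptionMethod);
        }

        /** Writes an empty element whose only attribute is {@code Algorithm} (DigestMethod, MGF). */
        private void outputAlgorithmElement(OutputProcessorChain subChain, QName elementName, String algorithm)
                throws XMLStreamException, XMLSecurityException {
            List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
            attributes.add(createAttribute(XMLSecurityConstants.ATT_NULL_Algorithm, algorithm));
            createStartElementAndOutputAsEvent(subChain, elementName, true, attributes);
            createEndElementAndOutputAsEvent(subChain, elementName);
        }

        /**
         * Builds the OAEP parameters for the RSA-OAEP key-transport variants; returns null for any
         * other algorithm so that {@code Cipher.init} runs without parameters.
         * Digest and MGF1 digest fall back to SHA-1 when not configured; the configured OAEPparams
         * bytes become the PSource label, otherwise the empty default label is used.
         */
        private OAEPParameterSpec buildOaepParameterSpec(String keyTransportAlgorithm) {
            if (!isRsaOaep(keyTransportAlgorithm)) {
                return null;
            }
            String digestAlgorithm = getSecurityProperties().getEncryptionKeyTransportDigestAlgorithm();
            String jceDigest = digestAlgorithm != null
                    ? JCEAlgorithmMapper.translateURItoJCEID(digestAlgorithm)
                    : DEFAULT_OAEP_DIGEST;

            byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
            PSource.PSpecified pSource = oaepParams != null
                    ? new PSource.PSpecified(oaepParams)
                    : PSource.PSpecified.DEFAULT;

            String mgfAlgorithm = getSecurityProperties().getEncryptionKeyTransportMGFAlgorithm();
            MGF1ParameterSpec mgfSpec = mgfAlgorithm != null
                    ? new MGF1ParameterSpec(JCEAlgorithmMapper.translateURItoJCEID(mgfAlgorithm))
                    : new MGF1ParameterSpec(DEFAULT_OAEP_DIGEST);

            return new OAEPParameterSpec(jceDigest, "MGF1", mgfSpec, pSource);
        }

        /**
         * Wraps the token's secret key under the certificate's public key using the configured
         * key-transport algorithm.
         *
         * @return the wrapped key bytes
         * @throws WSSecurityException if the JCE cipher cannot be set up or used, or if the public
         *         key's block size is smaller than the encoded secret key (the key would not fit)
         */
        private byte[] wrapSecretKey(X509Certificate certificate, String keyTransportAlgorithm)
                throws XMLSecurityException {
            try {
                Cipher cipher = Cipher.getInstance(JCEAlgorithmMapper.translateURItoJCEID(keyTransportAlgorithm));
                cipher.init(Cipher.WRAP_MODE, certificate.getPublicKey(), buildOaepParameterSpec(keyTransportAlgorithm));
                Key secretKey = securityToken.getSecretKey("");
                int blockSize = cipher.getBlockSize();
                if (blockSize > 0 && blockSize < secretKey.getEncoded().length) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "unsupportedKeyTransp",
                            new Object[]{"public key algorithm too weak to encrypt symmetric key"});
                }
                return cipher.wrap(secretKey);
            } catch (GeneralSecurityException e) {
                // Covers NoSuchAlgorithm/NoSuchPadding/InvalidKey/InvalidAlgorithmParameter/IllegalBlockSize.
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
            }
        }

        /**
         * Hands the wrapped key bytes to the application's CallbackHandler, when one is configured,
         * as a SECRET_KEY WSPasswordCallback keyed by the token id. The callback is an optional
         * notification hook: a handler that cannot process it is ignored rather than failing the
         * message, which already carries the key in CipherValue.
         */
        private void notifyCallbackHandler(byte[] wrappedKey) {
            CallbackHandler callbackHandler = ((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler();
            if (callbackHandler == null) {
                return;
            }
            WSPasswordCallback callback = new WSPasswordCallback(securityToken.getId(), WSPasswordCallback.SECRET_KEY);
            callback.setKey(wrappedKey);
            try {
                callbackHandler.handle(new Callback[]{callback});
            } catch (IOException | UnsupportedCallbackException ignored) {
                // Best-effort notification only; the handler is optional and may not support this callback.
            }
        }

        /**
         * Writes the KeyInfo content referencing the wrapping certificate. A custom token reference
         * on the token is emitted verbatim; otherwise a wsse:SecurityTokenReference is built in the
         * form selected by {@code keyIdentifier}.
         *
         * @param useSingleCert true to reference a single X.509v3 certificate, false for a PKIPath
         * @throws WSSecurityException if the key identifier type is not supported here
         */
        protected void createSecurityTokenReferenceStructureForEncryptedKey(OutputProcessorChain outputProcessorChain,
                OutboundSecurityToken outboundSecurityToken, SecurityTokenConstants.KeyIdentifier keyIdentifier,
                boolean useSingleCert) throws XMLStreamException, XMLSecurityException {
            if (outboundSecurityToken.getCustomTokenReference() != null) {
                outputDOMElement(outboundSecurityToken.getCustomTokenReference(), outputProcessorChain);
                return;
            }
            boolean directReference = WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier);

            List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(2);
            attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, IDGenerator.generateID((String) null)));
            if (directReference && !useSingleCert) {
                // A direct reference to a certificate chain is typed as PKIPath.
                attributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, WSSConstants.NS_X509PKIPathv1));
            }
            createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, false, attributes);

            X509Certificate[] certificates = outboundSecurityToken.getKeyWrappingToken().getX509Certificates();
            String wrappingTokenId = outboundSecurityToken.getKeyWrappingToken().getId();
            if (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)) {
                WSSUtils.createX509IssuerSerialStructure(this, outputProcessorChain, certificates);
            } else if (WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier.equals(keyIdentifier)) {
                WSSUtils.createX509SubjectKeyIdentifierStructure(this, outputProcessorChain, certificates);
            } else if (WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(keyIdentifier)) {
                WSSUtils.createX509KeyIdentifierStructure(this, outputProcessorChain, certificates);
            } else if (WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier.equals(keyIdentifier)
                    || WSSecurityTokenConstants.KeyIdentifier_EncryptedKeySha1Identifier.equals(keyIdentifier)) {
                // Both identifier types are written as a certificate thumbprint reference here.
                WSSUtils.createThumbprintKeyIdentifierStructure(this, outputProcessorChain, certificates);
            } else if (directReference) {
                String valueType = useSingleCert ? WSSConstants.NS_X509_V3_TYPE : WSSConstants.NS_X509PKIPathv1;
                WSSUtils.createBSTReferenceStructure(this, outputProcessorChain, wrappingTokenId, valueType, true);
            } else {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "unsupportedSecurityToken", new Object[0]);
            }
            createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference);
        }
    }

    /** True for the RSA-OAEP key-transport variants, which take OAEP parameters and children. */
    private static boolean isRsaOaep(String keyTransportAlgorithm) {
        return RSA_OAEP_URI.equals(keyTransportAlgorithm) || RSA_OAEP_MGF1P_URI.equals(keyTransportAlgorithm);
    }

    /**
     * Resolves the tokens, installs the {@link FinalEncryptedKeyOutputProcessor} where the action
     * requires it, then removes this processor and forwards the event. On any failure this
     * processor is removed from the chain before the error propagates.
     *
     * @throws WSSecurityException if a required token id, provider or token is missing from the context
     */
    @Override
    public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
            throws XMLStreamException, XMLSecurityException {
        try {
            // Token whose certificate wraps the symmetric key.
            String wrappingTokenId = requireTokenId(outputProcessorChain, PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY);
            OutboundSecurityToken wrappingToken =
                    requireTokenProvider(outputProcessorChain, wrappingTokenId).getSecurityToken();
            if (wrappingToken == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }

            // Symmetric token whose secret key is transported inside the EncryptedKey.
            String signatureTokenId = (String) outputProcessorChain.getSecurityContext().get(PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
            String encryptionTokenId = requireTokenId(outputProcessorChain, PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
            SecurityTokenProvider<OutboundSecurityToken> encryptionTokenProvider =
                    requireTokenProvider(outputProcessorChain, encryptionTokenId);
            GenericOutboundSecurityToken encryptionToken =
                    (GenericOutboundSecurityToken) encryptionTokenProvider.getSecurityToken();
            if (encryptionToken == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
            // The same token serving signature and encryption changes where the EncryptedKey must sit.
            boolean sharedSignatureToken = encryptionTokenId.equals(signatureTokenId);

            FinalEncryptedKeyOutputProcessor finalProcessor = new FinalEncryptedKeyOutputProcessor(encryptionToken);
            finalProcessor.setXMLSecurityProperties(getSecurityProperties());
            finalProcessor.setAction(getAction());

            XMLSecurityConstants.Action action = getAction();
            if (WSSConstants.ENCRYPT.equals(action)) {
                installForEncrypt(outputProcessorChain, finalProcessor, wrappingToken, sharedSignatureToken);
            } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
                installForSignatureWithDerivedKey(outputProcessorChain, finalProcessor, wrappingToken);
            } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
                installForEncryptWithDerivedKey(outputProcessorChain, finalProcessor, wrappingToken, sharedSignatureToken);
            } else {
                finalProcessor.init(outputProcessorChain);
            }

            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(encryptionToken.getId(), encryptionTokenProvider);
            encryptionToken.setProcessor(finalProcessor);
            outputProcessorChain.removeProcessor(this);
            outputProcessorChain.processEvent(xmlSecEvent);
        } catch (Throwable th) {
            // A failed setup must not leave this one-shot processor in the chain; precise rethrow
            // keeps the method's declared checked exception types.
            outputProcessorChain.removeProcessor(this);
            throw th;
        }
    }

    /** Reads a token id from the security context, failing when the property is unset. */
    private static String requireTokenId(OutputProcessorChain chain, String propertyName) throws WSSecurityException {
        String tokenId = (String) chain.getSecurityContext().get(propertyName);
        if (tokenId == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
        }
        return tokenId;
    }

    /** Looks up the provider registered for a token id, failing when none is registered. */
    private static SecurityTokenProvider<OutboundSecurityToken> requireTokenProvider(OutputProcessorChain chain, String tokenId)
            throws WSSecurityException {
        SecurityTokenProvider<OutboundSecurityToken> provider = chain.getSecurityContext().getSecurityTokenProvider(tokenId);
        if (provider == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
        }
        return provider;
    }

    /** Position of the action in the configured action list ({@code -1} when not configured). */
    private int actionIndex(XMLSecurityConstants.Action action) {
        return getSecurityProperties().getActions().indexOf(action);
    }

    /**
     * Installs the EncryptedKey processor for the ENCRYPT action. With a wrapping-token processor
     * present, the EncryptedKey is ordered before it. Otherwise it is ordered after the encryption
     * ending processor; when the signature uses the same token it additionally moves before the
     * signature processor (taking the SIGNATURE action) if encryption is configured ahead of
     * signing, and the ReferenceList is delegated to a separate processor.
     */
    private void installForEncrypt(OutputProcessorChain chain, FinalEncryptedKeyOutputProcessor finalProcessor,
            OutboundSecurityToken wrappingToken, boolean sharedSignatureToken) throws XMLSecurityException {
        if (wrappingToken.getProcessor() != null) {
            finalProcessor.addBeforeProcessor(wrappingToken.getProcessor());
            finalProcessor.init(chain);
            return;
        }
        finalProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
        if (sharedSignatureToken) {
            if (actionIndex(WSSConstants.ENCRYPT) < actionIndex(WSSConstants.SIGNATURE)) {
                finalProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
                finalProcessor.setAction(WSSConstants.SIGNATURE);
            }
            finalProcessor.setOutputReferenceList(false);
            finalProcessor.init(chain);
            installReferenceListProcessor(chain, finalProcessor);
        } else {
            finalProcessor.init(chain);
        }
    }

    /**
     * Installs the EncryptedKey processor for SIGNATURE_WITH_DERIVED_KEY: before the wrapping
     * token's processor when there is one, else before the signature processor.
     */
    private void installForSignatureWithDerivedKey(OutputProcessorChain chain,
            FinalEncryptedKeyOutputProcessor finalProcessor, OutboundSecurityToken wrappingToken)
            throws XMLSecurityException {
        if (wrappingToken.getProcessor() != null) {
            finalProcessor.addBeforeProcessor(wrappingToken.getProcessor());
        } else {
            finalProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
        }
        finalProcessor.init(chain);
    }

    /**
     * Installs the EncryptedKey processor for ENCRYPT_WITH_DERIVED_KEY. Ordering mirrors
     * {@link #installForEncrypt}, except that the shared-token case is always ordered before the
     * signature processor and the ReferenceList is always emitted by a separate processor.
     */
    private void installForEncryptWithDerivedKey(OutputProcessorChain chain,
            FinalEncryptedKeyOutputProcessor finalProcessor, OutboundSecurityToken wrappingToken,
            boolean sharedSignatureToken) throws XMLSecurityException {
        if (wrappingToken.getProcessor() != null) {
            finalProcessor.addBeforeProcessor(wrappingToken.getProcessor());
        } else if (sharedSignatureToken) {
            finalProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
            finalProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
            if (actionIndex(WSSConstants.ENCRYPT_WITH_DERIVED_KEY) < actionIndex(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
                finalProcessor.setAction(WSSConstants.SIGNATURE_WITH_DERIVED_KEY);
            }
            finalProcessor.setOutputReferenceList(false);
        } else {
            finalProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
        }
        finalProcessor.init(chain);
        installReferenceListProcessor(chain, finalProcessor);
    }

    /** Installs a ReferenceListOutputProcessor ordered before the given EncryptedKey processor. */
    private void installReferenceListProcessor(OutputProcessorChain chain, FinalEncryptedKeyOutputProcessor finalProcessor)
            throws XMLSecurityException {
        ReferenceListOutputProcessor referenceListProcessor = new ReferenceListOutputProcessor();
        referenceListProcessor.addBeforeProcessor(finalProcessor);
        referenceListProcessor.setXMLSecurityProperties(getSecurityProperties());
        referenceListProcessor.setAction(getAction());
        referenceListProcessor.init(chain);
    }
}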
