package org.apache.ws.security.str;

import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.callback.Callback;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.str.STRParser;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;

/* loaded from: input_file:plugins/cxf-bundle-2.6.1.wso2v1.jar:wss4j-1.6.6.jar:org/apache/ws/security/str/DerivedKeyTokenSTRParser.class */
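/**
 * STRParser for the SecurityTokenReference inside a DerivedKeyToken: resolves the
 * secret (the "base" key) that the derived key is computed from.
 *
 * Resolution order, as implemented below:
 * 1. A token already processed earlier in the header (by wsu:Id or KeyIdentifier
 *    value) supplies its recorded secret.
 * 2. A direct Reference is resolved through the CallbackHandler (security context
 *    token usage).
 * 3. A Kerberos KeyIdentifier is resolved through the CallbackHandler, then by
 *    digest-matching an already-processed BinarySecurityToken.
 * 4. Any other KeyIdentifier is resolved to an X509 certificate via the decryption
 *    Crypto (the matching private key's encoding becomes the secret), else through
 *    the CallbackHandler.
 *
 * Every path that yields no secret fails closed with a WSSecurityException; this class
 * never returns a null secret from a successful parse except via the previous-result
 * path (see {@link #processPreviousResult}).
 *
 * This listing is decompiled: the numeric constants below were inlined by the
 * decompiler and are named here according to their WSS4J 1.6 values.
 */
public class DerivedKeyTokenSTRParser implements STRParser {

    /** WSSecurityException error code (WSSecurityException.FAILED_CHECK in WSS4J 1.6). */
    private static final int ERROR_FAILED_CHECK = 6;
    /** WSSecurityException error code (WSSecurityException.FAILURE in WSS4J 1.6). */
    private static final int ERROR_FAILURE = 0;
    /** WSPasswordCallback usage for a security context token (SECURITY_CONTEXT_TOKEN). */
    private static final int USAGE_SECURITY_CONTEXT_TOKEN = 6;
    /** WSPasswordCallback usage for a raw secret key (SECRET_KEY). */
    private static final int USAGE_SECRET_KEY = 9;
    /** Result-tag for BinarySecurityToken results (WSConstants.BST). */
    private static final int ACTION_BST = 4096;
    /** Result action for a SecurityContextToken (WSConstants.SCT). */
    private static final int ACTION_SCT = 1024;
    /** Result action for a UsernameToken (WSConstants.UT). */
    private static final int ACTION_UT = 1;
    /** Result action for a UsernameToken without password (WSConstants.UT_NOPASSWORD). */
    private static final int ACTION_UT_NOPASSWORD = 8192;
    /** Result action for an EncryptedKey (WSConstants.ENCR). */
    private static final int ACTION_ENCR = 4;
    /** Result action for an unsigned SAML assertion (WSConstants.ST_UNSIGNED). */
    private static final int ACTION_ST_UNSIGNED = 8;
    /** Result action for a signed SAML assertion (WSConstants.ST_SIGNED). */
    private static final int ACTION_ST_SIGNED = 16;

    /** The resolved base secret; null until parseSecurityTokenReference has succeeded. */
    private byte[] secretKey;

    /**
     * Resolves the secret referenced by a DerivedKeyToken's SecurityTokenReference.
     *
     * @param element     the wsse:SecurityTokenReference element
     * @param requestData request context (WSSConfig, decryption Crypto, CallbackHandler)
     * @param wSDocInfo   results of tokens already processed in this header
     * @param map         parser parameters (not used by this parser)
     * @throws WSSecurityException if the reference is of an unsupported form or no
     *                             secret can be found for it ("unsupportedKeyId"), or
     *                             the CallbackHandler fails ("noPassword")
     */
    @Override // org.apache.ws.security.str.STRParser
    public void parseSecurityTokenReference(Element element, RequestData requestData, WSDocInfo wSDocInfo, Map<String, Object> map) throws WSSecurityException {
        // BSP compliance defaults to ON when no WSSConfig is present.
        boolean bspCompliant = true;
        WSSConfig wssConfig = requestData.getWssConfig();
        if (wssConfig != null) {
            bspCompliant = wssConfig.isWsiBSPCompliant();
        }
        SecurityTokenReference secRef = new SecurityTokenReference(element, bspCompliant);

        // Identify the referenced token: a fragment URI ("#id") or a KeyIdentifier value.
        String tokenId = null;
        if (secRef.containsReference()) {
            tokenId = stripFragment(secRef.getReference().getURI());
        } else if (secRef.containsKeyIdentifier()) {
            tokenId = secRef.getKeyIdentifierValue();
        }

        // Fast path: the referenced token was already processed earlier in the header.
        WSSecurityEngineResult previous = (tokenId == null) ? null : wSDocInfo.getResult(tokenId);
        if (previous != null) {
            processPreviousResult(previous, secRef, requestData, wSDocInfo, bspCompliant);
            return;
        }

        if (secRef.containsReference()) {
            // Unresolved direct reference: ask the application for the security context key.
            this.secretKey = getSecretKeyFromToken(tokenId, null, USAGE_SECURITY_CONTEXT_TOKEN, requestData);
            if (this.secretKey == null) {
                throw new WSSecurityException(ERROR_FAILED_CHECK, "unsupportedKeyId", new Object[]{tokenId});
            }
            return;
        }
        if (!secRef.containsKeyIdentifier()) {
            throw new WSSecurityException(ERROR_FAILED_CHECK, "unsupportedKeyId");
        }

        String valueType = secRef.getKeyIdentifierValueType();
        if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
            this.secretKey = resolveKerberosSecret(secRef, valueType, requestData, wSDocInfo);
        } else {
            this.secretKey = resolveKeyIdentifierSecret(secRef, valueType, requestData, bspCompliant);
        }
        // Fail closed: a KeyIdentifier that resolves to nothing (including a private key
        // whose encoding is unavailable) must not leave a null secret for the caller.
        if (this.secretKey == null) {
            throw new WSSecurityException(ERROR_FAILED_CHECK, "unsupportedKeyId", new Object[]{tokenId});
        }
    }

    /** This parser never yields certificates. */
    @Override // org.apache.ws.security.str.STRParser
    public X509Certificate[] getCertificates() {
        return null;
    }

    /** This parser never yields a principal. */
    @Override // org.apache.ws.security.str.STRParser
    public Principal getPrincipal() {
        return null;
    }

    /** This parser never yields a public key. */
    @Override // org.apache.ws.security.str.STRParser
    public PublicKey getPublicKey() {
        return null;
    }

    /**
     * Returns the secret resolved by the last parse. The internal array is returned
     * as-is (no defensive copy), so callers must treat it as read-only.
     */
    @Override // org.apache.ws.security.str.STRParser
    public byte[] getSecretKey() {
        return this.secretKey;
    }

    /** A derived-key reference is never a trusted credential on its own. */
    @Override // org.apache.ws.security.str.STRParser
    public boolean isTrustedCredential() {
        return false;
    }

    /** No certificate is resolved, so there is no certificate reference type. */
    @Override // org.apache.ws.security.str.STRParser
    public STRParser.REFERENCE_TYPE getCertificatesReferenceType() {
        return null;
    }

    /**
     * Drops a leading '#' from a reference URI so it can be matched against wsu:Id
     * values. Null and empty strings are returned unchanged (the original charAt(0)
     * threw on an empty URI).
     */
    private static String stripFragment(String uri) {
        if (uri != null && uri.startsWith("#")) {
            return uri.substring(1);
        }
        return uri;
    }

    /**
     * Resolves a Kerberos KeyIdentifier: first via the CallbackHandler, then by
     * digest-matching the KeyIdentifier bytes against every BinarySecurityToken already
     * processed in this header.
     *
     * @return the secret, or null if none was found
     */
    private byte[] resolveKerberosSecret(SecurityTokenReference secRef, String valueType, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        byte[] secret = getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, USAGE_SECRET_KEY, requestData);
        if (secret != null) {
            return secret;
        }
        // Neither side of this comparison is secret (both values come from the message),
        // so a constant-time compare is not required here.
        byte[] identifierBytes = secRef.getSKIBytes();
        for (WSSecurityEngineResult bstResult : wSDocInfo.getResultsByTag(ACTION_BST)) {
            BinarySecurity bst = (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (bst == null) {
                continue;
            }
            if (Arrays.equals(WSSecurityUtil.generateDigest(bst.getToken()), identifierBytes)) {
                // First match wins; its recorded secret may itself be null, which the
                // caller turns into "unsupportedKeyId".
                return (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
            }
        }
        return null;
    }

    /**
     * Resolves a non-Kerberos KeyIdentifier: an X509 certificate looked up through the
     * decryption Crypto supplies its private key's encoding as the secret; otherwise the
     * CallbackHandler is asked for a raw secret key.
     *
     * @return the secret, or null if none was found
     */
    private byte[] resolveKeyIdentifierSecret(SecurityTokenReference secRef, String valueType, RequestData requestData, boolean bspCompliant) throws WSSecurityException {
        // Null-safe: the ValueType attribute may be absent.
        if (bspCompliant && SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
            BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
        }
        Crypto decCrypto = requestData.getDecCrypto();
        // Without a decryption Crypto the certificate path cannot produce a private key,
        // so go straight to the CallbackHandler instead of dereferencing null.
        X509Certificate[] certs = (decCrypto == null) ? null : secRef.getKeyIdentifier(decCrypto);
        if (certs != null && certs.length >= 1 && certs[0] != null) {
            // NOTE(review): the raw encoding of the private key is used directly as the
            // derived-key base secret (original WSS4J behaviour, preserved here). Keys that
            // are not extractable (getEncoded() == null) now fail closed in the caller.
            PrivateKey privateKey = decCrypto.getPrivateKey(certs[0], requestData.getCallbackHandler());
            return (privateKey == null) ? null : privateKey.getEncoded();
        }
        return getSecretKeyFromToken(secRef.getKeyIdentifierValue(), valueType, USAGE_SECRET_KEY, requestData);
    }

    /**
     * Asks the configured CallbackHandler for the key of the given token.
     *
     * @param id          token identifier; a leading '#' is stripped
     * @param valueType   KeyIdentifier ValueType, or null for a plain reference
     * @param usage       WSPasswordCallback usage code
     * @param requestData supplies the CallbackHandler
     * @return the key the handler set, or null if there is no handler, no id, or the
     *         handler set none
     * @throws WSSecurityException ("noPassword") if the handler throws
     */
    private byte[] getSecretKeyFromToken(String id, String valueType, int usage, RequestData requestData) throws WSSecurityException {
        String tokenId = stripFragment(id);
        if (tokenId == null || requestData.getCallbackHandler() == null) {
            return null;
        }
        WSPasswordCallback callback = new WSPasswordCallback(tokenId, null, valueType, usage, requestData);
        try {
            requestData.getCallbackHandler().handle(new Callback[]{callback});
        } catch (Exception e) {
            throw new WSSecurityException(ERROR_FAILURE, "noPassword", new Object[]{tokenId}, e);
        }
        return callback.getKey();
    }

    /**
     * Takes the secret from a token processed earlier in the header, applying the BSP
     * checks appropriate to that token type.
     *
     * The recorded secret is copied as-is; for the UsernameToken, EncryptedKey, SCT and
     * BST cases it may be null if the earlier processor recorded none.
     *
     * @throws WSSecurityException if the earlier result is of a token type that cannot
     *                             act as a derived-key base ("unsupportedKeyId")
     */
    private void processPreviousResult(WSSecurityEngineResult previous, SecurityTokenReference secRef, RequestData requestData, WSDocInfo wSDocInfo, boolean bspCompliant) throws WSSecurityException {
        int action = ((Integer) previous.get("action")).intValue();
        if (ACTION_UT_NOPASSWORD == action || ACTION_UT == action) {
            if (bspCompliant) {
                BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
            }
            this.secretKey = (byte[]) previous.get(WSSecurityEngineResult.TAG_SECRET);
        } else if (ACTION_ENCR == action) {
            if (bspCompliant) {
                BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
            }
            this.secretKey = (byte[]) previous.get(WSSecurityEngineResult.TAG_SECRET);
        } else if (ACTION_SCT == action || ACTION_BST == action) {
            this.secretKey = (byte[]) previous.get(WSSecurityEngineResult.TAG_SECRET);
        } else if (ACTION_ST_UNSIGNED == action || ACTION_ST_SIGNED == action) {
            AssertionWrapper assertion = (AssertionWrapper) previous.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (bspCompliant) {
                BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
            }
            // NOTE(review): getCredentialFromSubject is assumed to return non-null here
            // (as in the original); a null return would surface as an NPE rather than a
            // WSSecurityException — confirm against SAMLUtil's contract.
            this.secretKey = SAMLUtil.getCredentialFromSubject(assertion, requestData, wSDocInfo, bspCompliant).getSecret();
        } else {
            throw new WSSecurityException(ERROR_FAILED_CHECK, "unsupportedKeyId");
        }
    }
}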
