package org.apache.wss4j.dom.action;

import java.util.List;
import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.crypto.dsig.Reference;
import org.apache.wss4j.common.EncryptionActionToken;
import org.apache.wss4j.common.SecurityActionToken;
import org.apache.wss4j.common.SignatureActionToken;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandler;
import org.apache.wss4j.dom.message.WSSecDKSign;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:repository/org/apache/wss4j/wss4j-ws-security-dom/2.4.3/wss4j-ws-security-dom-2.4.3.jar:org/apache/wss4j/dom/action/SignatureDerivedAction.class */
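/**
 * Action that signs the message with a derived key.
 *
 * <p>The derivation secret comes from one of three sources, selected by the signature token's
 * {@code derivedKeyTokenReference}: an {@code EncryptedKey} (reusing the encryption token's key or a
 * freshly generated ephemeral AES-128 key), a {@code SecurityContextToken}, or, for any other value,
 * the callback-supplied key / the token's own key / the user's private key. The resulting
 * {@code DerivedKeyToken} and {@code Signature} are placed in the security header and the signature
 * value is recorded on the {@link RequestData}.
 */
public class SignatureDerivedAction extends AbstractDerivedAction implements Action {

    /** {@code derivedKeyTokenReference} value: derive from an EncryptedKey. */
    private static final String ENCRYPTED_KEY_REFERENCE = "EncryptedKey";

    /** {@code derivedKeyTokenReference} value: derive from a SecurityContextToken. */
    private static final String SCT_REFERENCE = "SecurityContextToken";

    /** Algorithm URI for the ephemeral symmetric key generated when no reusable encryption key exists. */
    private static final String EPHEMERAL_KEY_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";

    /** Usage code handed to the password callback for derived-key signing (presumably WSConstants.DKT_SIGN upstream; confirm). */
    private static final int DKT_SIGN_USAGE = 32768;

    /** Key identifier type applied when the token does not specify one (presumably WSConstants.THUMBPRINT_IDENTIFIER upstream; confirm). */
    private static final int DEFAULT_KEY_IDENTIFIER_TYPE = 8;

    /** WS-SecureConversation version selectors passed to {@code setWscVersion} (presumably the 2005/12 and 2005/02 namespaces; confirm). */
    private static final int WSC_VERSION_05_12 = 2;
    private static final int WSC_VERSION_05_02 = 1;

    /**
     * Executes the derived-key signature action.
     *
     * @param wSHandler the handler supplying the password callback lookup
     * @param securityActionToken the token configured for this action; used when it is a
     *        {@link SignatureActionToken}, otherwise the request's signature token is used
     * @param requestData per-request state: security header, callback handlers, encryption token, signature values
     * @throws WSSecurityException if no signature token is available or if building the signature fails
     */
    @Override // org.apache.wss4j.dom.action.Action
    public void execute(WSHandler wSHandler, SecurityActionToken securityActionToken, RequestData requestData) throws WSSecurityException {
        CallbackHandler callbackHandler = requestData.getCallbackHandler();
        if (callbackHandler == null) {
            callbackHandler = wSHandler.getPasswordCallbackHandler(requestData);
        }
        SignatureActionToken signatureActionToken = resolveSignatureToken(securityActionToken, requestData);
        WSPasswordCallback passwordCB = wSHandler.getPasswordCB(signatureActionToken.getUser(), DKT_SIGN_USAGE, callbackHandler, requestData);
        WSSecDKSign wSSecDKSign = newSigner(requestData, signatureActionToken, passwordCB);

        Document ownerDocument = requestData.getSecHeader().getSecurityHeaderElement().getOwnerDocument();
        String derivedKeyTokenReference = signatureActionToken.getDerivedKeyTokenReference();
        // element: a token element this action creates itself and must prepend to the header (null when an
        // existing token is referenced instead). secretKey: ephemeral key, only for a self-created EncryptedKey.
        Element element = null;
        SecretKey secretKey = null;
        if (ENCRYPTED_KEY_REFERENCE.equals(derivedKeyTokenReference)) {
            if (!hasReusableKey(requestData.getEncryptionToken())) {
                secretKey = KeyUtils.getKeyGenerator(EPHEMERAL_KEY_ALGORITHM).generateKey();
            }
            element = setupEncryptedKeyTokenReference(requestData, signatureActionToken, wSSecDKSign, passwordCB, ownerDocument, secretKey);
        } else if (SCT_REFERENCE.equals(derivedKeyTokenReference)) {
            element = setupSCTTokenReference(requestData, signatureActionToken, wSSecDKSign, passwordCB, ownerDocument);
        } else {
            // Any other reference: the derived key is referenced via the token's own key identifier type.
            if (signatureActionToken.getDerivedKeyIdentifier() != 0) {
                wSSecDKSign.setKeyIdentifierType(signatureActionToken.getDerivedKeyIdentifier());
            } else {
                wSSecDKSign.setKeyIdentifierType(DEFAULT_KEY_IDENTIFIER_TYPE);
            }
            wSSecDKSign.setCrypto(signatureActionToken.getCrypto());
        }
        wSSecDKSign.setAttachmentCallbackHandler(requestData.getAttachmentCallbackHandler());
        wSSecDKSign.setStoreBytesInAttachment(requestData.isStoreBytesInAttachment());

        try {
            List<WSEncryptionPart> parts = signatureActionToken.getParts();
            if (parts == null || parts.isEmpty()) {
                // No parts configured: sign the default part (the Body).
                wSSecDKSign.getParts().add(WSSecurityUtil.getDefaultEncryptionPart(ownerDocument));
            } else {
                wSSecDKSign.getParts().addAll(parts);
            }
            wSSecDKSign.prepare(getKey(signatureActionToken, requestData.getEncryptionToken(), passwordCB, secretKey));
            List<Reference> references = wSSecDKSign.addReferencesToSign(wSSecDKSign.getParts());

            // When an existing EncryptedKey / SCT in the header is referenced (element == null), the signature
            // is placed relative to that sibling so the referenced token precedes its signature.
            Element sibling = null;
            if (element == null && ENCRYPTED_KEY_REFERENCE.equals(derivedKeyTokenReference)) {
                sibling = findEncryptedKeySibling(requestData);
            } else if (element == null && SCT_REFERENCE.equals(derivedKeyTokenReference)) {
                sibling = findSCTSibling(requestData);
            }
            if (sibling == null) {
                wSSecDKSign.computeSignature(references);
                wSSecDKSign.prependDKElementToHeader();
            } else {
                wSSecDKSign.computeSignature(references, true, sibling);
                requestData.getSecHeader().getSecurityHeaderElement().insertBefore(wSSecDKSign.getdktElement(), wSSecDKSign.getSignatureElement());
            }
            if (element != null) {
                WSSecurityUtil.prependChildElement(requestData.getSecHeader().getSecurityHeaderElement(), element);
            }
            requestData.getSignatureValues().add(wSSecDKSign.getSignatureValue());
            wSSecDKSign.clean();
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty", new Object[]{"Error during Signature: "});
        }
    }

    /**
     * Picks the signature token for this action: the action token itself when it is a
     * {@link SignatureActionToken}, otherwise the request's configured signature token.
     *
     * @throws WSSecurityException when neither is available (previously surfaced as a NullPointerException
     *         on the first {@code getUser()} call)
     */
    private static SignatureActionToken resolveSignatureToken(SecurityActionToken securityActionToken, RequestData requestData) throws WSSecurityException {
        SignatureActionToken token = null;
        if (securityActionToken instanceof SignatureActionToken) {
            token = (SignatureActionToken) securityActionToken;
        }
        if (token == null) {
            token = requestData.getSignatureToken();
        }
        if (token == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{"No signature token available for the derived-key signature action"});
        }
        return token;
    }

    /**
     * Creates the derived-key signer and applies the request-level and token-level settings
     * (id allocator, inclusive prefixes, XOP handling, algorithms, user info, WSC version, key length).
     */
    private static WSSecDKSign newSigner(RequestData requestData, SignatureActionToken signatureActionToken, WSPasswordCallback passwordCB) throws WSSecurityException {
        WSSecDKSign signer = new WSSecDKSign(requestData.getSecHeader());
        signer.setIdAllocator(requestData.getWssConfig().getIdAllocator());
        signer.setAddInclusivePrefixes(requestData.isAddInclusivePrefixes());
        signer.setWsDocInfo(requestData.getWsDocInfo());
        signer.setExpandXopInclude(requestData.isExpandXopInclude());
        // Algorithms are only overridden when the token sets them; otherwise the signer's defaults apply.
        if (signatureActionToken.getSignatureAlgorithm() != null) {
            signer.setSignatureAlgorithm(signatureActionToken.getSignatureAlgorithm());
        }
        if (signatureActionToken.getDigestAlgorithm() != null) {
            signer.setDigestAlgorithm(signatureActionToken.getDigestAlgorithm());
        }
        if (signatureActionToken.getC14nAlgorithm() != null) {
            signer.setSigCanonicalization(signatureActionToken.getC14nAlgorithm());
        }
        signer.setUserInfo(signatureActionToken.getUser(), passwordCB.getPassword());
        signer.setWscVersion(requestData.isUse200512Namespace() ? WSC_VERSION_05_12 : WSC_VERSION_05_02);
        if (signatureActionToken.getDerivedKeyLength() > 0) {
            signer.setDerivedKeyLength(signatureActionToken.getDerivedKeyLength());
        }
        return signer;
    }

    /**
     * Returns {@code true} when the encryption token carries both a key and a key identifier, i.e. its key
     * material can be reused as the derivation secret instead of generating or requesting a new one.
     */
    private static boolean hasReusableKey(EncryptionActionToken encryptionActionToken) {
        return encryptionActionToken != null
            && encryptionActionToken.getKey() != null
            && encryptionActionToken.getKeyIdentifier() != null;
    }

    /**
     * Wires the signer to an EncryptedKey.
     *
     * @param secretKey ephemeral key to wrap in a new EncryptedKey, or {@code null} to reference the existing
     *        encryption token's EncryptedKey
     * @return the newly created token element to prepend to the header, or {@code null} when an existing one is referenced
     */
    private Element setupEncryptedKeyTokenReference(RequestData requestData, SignatureActionToken signatureActionToken, WSSecDKSign wSSecDKSign, WSPasswordCallback wSPasswordCallback, Document document, SecretKey secretKey) throws WSSecurityException {
        if (secretKey != null) {
            return setupEKReference(wSSecDKSign, requestData.getSecHeader(), wSPasswordCallback, signatureActionToken, requestData.isUse200512Namespace(), document, null, null, secretKey);
        }
        setupEKReference(wSSecDKSign, requestData.getEncryptionToken());
        return null;
    }

    /**
     * Wires the signer to a SecurityContextToken.
     *
     * @return the newly created token element to prepend to the header, or {@code null} when the encryption
     *         token's existing SCT is referenced
     */
    private Element setupSCTTokenReference(RequestData requestData, SignatureActionToken signatureActionToken, WSSecDKSign wSSecDKSign, WSPasswordCallback wSPasswordCallback, Document document) throws WSSecurityException {
        if (!hasReusableKey(requestData.getEncryptionToken())) {
            return setupSCTReference(wSSecDKSign, wSPasswordCallback, signatureActionToken, requestData.isUse200512Namespace(), document);
        }
        setupSCTReference(wSSecDKSign, requestData.getEncryptionToken(), requestData.isUse200512Namespace());
        return null;
    }

    /**
     * Selects the secret the derived key is computed from.
     *
     * <p>Precedence: the ephemeral key generated by {@link #execute}; for EncryptedKey/SCT references the
     * encryption token's key when it is reusable, else the callback-supplied key; for any other reference
     * the callback-supplied key, then the signature token's key, then the raw encoding of the user's private
     * key obtained through the token's {@code Crypto}.
     *
     * @return the secret bytes, or {@code null} when none of the sources for a custom reference is set
     *         (the caller passes this straight to {@code prepare}; behaviour on {@code null} is the signer's)
     */
    private byte[] getKey(SignatureActionToken signatureActionToken, EncryptionActionToken encryptionActionToken, WSPasswordCallback wSPasswordCallback, SecretKey secretKey) throws WSSecurityException {
        if (secretKey != null) {
            return secretKey.getEncoded();
        }
        String derivedKeyTokenReference = signatureActionToken.getDerivedKeyTokenReference();
        if (ENCRYPTED_KEY_REFERENCE.equals(derivedKeyTokenReference) || SCT_REFERENCE.equals(derivedKeyTokenReference)) {
            return hasReusableKey(encryptionActionToken) ? encryptionActionToken.getKey() : wSPasswordCallback.getKey();
        }
        if (wSPasswordCallback.getKey() != null) {
            return wSPasswordCallback.getKey();
        }
        if (signatureActionToken.getKey() != null) {
            return signatureActionToken.getKey();
        }
        if (signatureActionToken.getCrypto() != null) {
            // Last resort: the private key's encoded form is used directly as the derivation secret.
            return signatureActionToken.getCrypto().getPrivateKey(signatureActionToken.getUser(), wSPasswordCallback.getPassword()).getEncoded();
        }
        return null;
    }
}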
