package org.apache.wss4j.dom.str;

import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.Reference;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.DerivedKeyToken;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.w3c.dom.Element;

/* loaded from: input_file:repository/org/apache/wss4j/wss4j-ws-security-dom/2.4.3/wss4j-ws-security-dom-2.4.3.jar:org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.class */
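/**
 * {@link STRParser} that resolves a {@code wsse:SecurityTokenReference} to a symmetric secret key.
 *
 * <p>Resolution happens in two stages. If the referenced token was already processed earlier in
 * the security header, the cached {@link WSSecurityEngineResult} held by {@link WSDocInfo} is
 * reused ({@code processPreviousResult}); otherwise the referenced token is located and processed
 * now ({@code processSTR}). Every path ends either with a non-null secret key in the returned
 * {@link STRParserResult} or with a {@link WSSecurityException}, so callers never receive a result
 * without a key.
 *
 * <p>The Basic Security Profile (BSP) checks on the STR and on the referenced token are applied
 * before a key is handed back, using the {@code BSPEnforcer} from the {@link RequestData}.
 */
public class SecurityTokenRefSTRParser implements STRParser {

    /** KeyIdentifier ValueType for a SAML 1.1 assertion ID (WSS SAML Token Profile 1.0). */
    private static final String SAML_ASSERTION_ID_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    /** KeyIdentifier ValueType for a SAML 2.0 assertion ID (WSS SAML Token Profile 1.1). */
    private static final String SAML_ID_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";
    /** KeyIdentifier ValueType for a Kerberos AP-REQ SHA-1 thumbprint (WSS Kerberos Token Profile 1.1). */
    private static final String KERBEROS_APREQ_SHA1_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1";
    /** KeyIdentifier ValueType for an EncryptedKey SHA-1 thumbprint (WSS SOAP Message Security 1.1). */
    private static final String ENCRYPTED_KEY_SHA1_VALUE_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1";

    /**
     * Parses the STR supplied in {@code sTRParserParameters} and returns the secret key it refers to.
     *
     * @param sTRParserParameters the STR element plus the {@link RequestData} of the current message;
     *                            its data and {@link WSDocInfo} must be non-null
     * @return a result whose secret key is never {@code null}
     * @throws WSSecurityException with {@code FAILURE} for missing parameters, or {@code FAILED_CHECK}
     *                             when the reference cannot be resolved to a key or fails a BSP check
     */
    @Override // org.apache.wss4j.dom.str.STRParser
    public STRParserResult parseSecurityTokenReference(STRParserParameters sTRParserParameters)
        throws WSSecurityException {
        if (sTRParserParameters == null
            || sTRParserParameters.getData() == null
            || sTRParserParameters.getData().getWsDocInfo() == null
            || sTRParserParameters.getStrElement() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter");
        }
        RequestData data = sTRParserParameters.getData();
        // The BSPEnforcer is handed to the constructor so the STR element itself is profile-checked.
        SecurityTokenReference secRef =
            new SecurityTokenReference(sTRParserParameters.getStrElement(), data.getBSPEnforcer());

        // The id of the referenced token: taken from the Reference URI or from the KeyIdentifier value.
        String uri = null;
        if (secRef.getReference() != null) {
            uri = XMLUtils.getIDFromReference(secRef.getReference().getURI());
        } else if (secRef.containsKeyIdentifier()) {
            uri = secRef.getKeyIdentifierValue();
        }

        // Reuse the result of a token already processed earlier in the header, if there is one.
        WSSecurityEngineResult previousResult = data.getWsDocInfo().getResult(uri);
        if (previousResult != null) {
            return processPreviousResult(previousResult, secRef, uri, sTRParserParameters);
        }
        return processSTR(secRef, uri, sTRParserParameters);
    }

    /**
     * Extracts the secret key carried in the subject of a SAML assertion.
     *
     * @param samlAssertion the assertion the STR points at
     * @param secRef        the STR, for the SAML BSP compliance check
     * @param data          request data supplying the BSPEnforcer, signature crypto and callback handler
     * @return the secret from the subject's key info; may be {@code null} if the key info carries none,
     *         which callers treat as an unresolvable reference
     * @throws WSSecurityException if the assertion is missing, fails the BSP check, or yields no credential
     */
    private byte[] getSecretKeyFromAssertion(SamlAssertionWrapper samlAssertion,
                                             SecurityTokenReference secRef,
                                             RequestData data) throws WSSecurityException {
        if (samlAssertion == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", new Object[]{"No Secret Key"});
        }
        STRParserUtil.checkSamlTokenBSPCompliance(secRef, samlAssertion, data.getBSPEnforcer());
        SAMLKeyInfo subjectKeyInfo = SAMLUtil.getCredentialFromSubject(
            samlAssertion, new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler());
        if (subjectKeyInfo == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILED_CHECK, "invalidSAMLToken", new Object[]{"No Secret Key"});
        }
        return subjectKeyInfo.getSecret();
    }

    /**
     * Builds the result from a token that was already processed earlier in the header.
     *
     * <p>The action recorded in the previous result decides how the key is obtained:
     * EncryptedKey, DerivedKeyToken, SAML assertion, SecurityContextToken/BinarySecurityToken, or
     * UsernameToken. Any other action (for example a plain signature) cannot supply a secret key
     * and is rejected.
     *
     * @param previousResult the cached engine result for the referenced token
     * @param secRef         the STR being resolved
     * @param uri            the referenced token id, used in the error message
     * @param parameters     the parser parameters (request data and requested derivation key length)
     * @return a result with a non-null secret key
     * @throws WSSecurityException {@code unsupportedKeyId} when no key can be obtained, or when a
     *                             BSP compliance check on the referenced token fails
     */
    private STRParserResult processPreviousResult(WSSecurityEngineResult previousResult,
                                                  SecurityTokenReference secRef,
                                                  String uri,
                                                  STRParserParameters parameters) throws WSSecurityException {
        STRParserResult parserResult = new STRParserResult();
        RequestData data = parameters.getData();
        Integer action = (Integer) previousResult.get(WSSecurityEngineResult.TAG_ACTION);
        if (action != null) {
            switch (action.intValue()) {
                case WSConstants.ENCR:
                    // Reference to an EncryptedKey processed earlier: reuse its decrypted key.
                    STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
                    parserResult.setSecretKey((byte[]) previousResult.get(WSSecurityEngineResult.TAG_SECRET));
                    break;
                case WSConstants.DKT:
                    processDerivedKeyResult(previousResult, parameters, parserResult);
                    break;
                case WSConstants.ST_UNSIGNED:
                case WSConstants.ST_SIGNED: {
                    SamlAssertionWrapper samlAssertion =
                        (SamlAssertionWrapper) previousResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                    // A missing assertion leaves the key unset and is rejected below.
                    if (samlAssertion != null) {
                        parserResult.setSecretKey(getSecretKeyFromAssertion(samlAssertion, secRef, data));
                    }
                    break;
                }
                case WSConstants.SCT:
                case WSConstants.BST:
                    parserResult.setSecretKey((byte[]) previousResult.get(WSSecurityEngineResult.TAG_SECRET));
                    break;
                case WSConstants.UT:
                case WSConstants.UT_NOPASSWORD: {
                    STRParserUtil.checkUsernameTokenBSPCompliance(secRef, data.getBSPEnforcer());
                    UsernameToken usernameToken =
                        (UsernameToken) previousResult.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
                    if (usernameToken != null) {
                        parserResult.setSecretKey(deriveUsernameTokenKey(usernameToken, data));
                    }
                    break;
                }
                default:
                    // No key can be obtained from this kind of token; rejected below.
                    break;
            }
        }
        if (parserResult.getSecretKey() == null) {
            throw unsupportedKeyId(uri);
        }
        return parserResult;
    }

    /**
     * Derives the key from a previously processed DerivedKeyToken and records its principal.
     *
     * @param previousResult the cached result holding the DerivedKeyToken and its base secret
     * @param parameters     supplies the fallback derivation key length
     * @param parserResult   receives the derived key and principal; left untouched if the token is absent
     * @throws WSSecurityException if key derivation fails
     */
    private static void processDerivedKeyResult(WSSecurityEngineResult previousResult,
                                                STRParserParameters parameters,
                                                STRParserResult parserResult) throws WSSecurityException {
        DerivedKeyToken derivedKeyToken =
            (DerivedKeyToken) previousResult.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
        if (derivedKeyToken == null) {
            return;
        }
        // Prefer the length carried by the token; fall back to the caller's requested derivation length.
        int keyLength = derivedKeyToken.getLength();
        if (keyLength <= 0 && parameters.getDerivationKeyLength() > 0) {
            keyLength = parameters.getDerivationKeyLength();
        }
        byte[] baseSecret = (byte[]) previousResult.get(WSSecurityEngineResult.TAG_SECRET);
        parserResult.setSecretKey(derivedKeyToken.deriveKey(keyLength, baseSecret));
        parserResult.setPrincipal(derivedKeyToken.createPrincipal());
    }

    /**
     * Derives a symmetric key from a previously processed UsernameToken.
     *
     * @param usernameToken the processed token
     * @param data          supplies the CallbackHandler that provides the raw password and the BSPEnforcer
     * @return the derived key as produced by {@link UsernameToken#getDerivedKey}
     * @throws WSSecurityException if the password cannot be obtained or derivation fails
     */
    private static byte[] deriveUsernameTokenKey(UsernameToken usernameToken, RequestData data)
        throws WSSecurityException {
        // The raw password is obtained from the application's CallbackHandler purely as derivation input.
        String rawPassword = UsernameTokenUtil.getRawPassword(
            data.getCallbackHandler(), usernameToken.getName(), usernameToken.getPassword(),
            usernameToken.getPasswordType());
        return usernameToken.getDerivedKey(data.getBSPEnforcer(), rawPassword);
    }

    /**
     * Builds the result for an STR whose token has not been processed yet.
     *
     * @param secRef     the STR being resolved; must contain either a Reference or a KeyIdentifier
     * @param uri        the referenced token id, used in error messages
     * @param parameters the parser parameters (request data and STR element)
     * @return a result with a non-null secret key
     * @throws WSSecurityException {@code noReference} if the STR has neither a Reference nor a
     *                             KeyIdentifier, {@code unsupportedKeyId} if no key can be resolved
     */
    private STRParserResult processSTR(SecurityTokenReference secRef,
                                       String uri,
                                       STRParserParameters parameters) throws WSSecurityException {
        RequestData data = parameters.getData();
        Element strElement = parameters.getStrElement();
        byte[] secretKey;
        if (secRef.containsReference()) {
            secretKey = resolveKeyFromReference(secRef, uri, strElement, data);
        } else if (secRef.containsKeyIdentifier()) {
            secretKey = resolveKeyFromKeyIdentifier(secRef, uri, strElement, data);
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "noReference");
        }
        STRParserResult parserResult = new STRParserResult();
        parserResult.setSecretKey(secretKey);
        return parserResult;
    }

    /**
     * Resolves a {@code wsse:Reference}: first via the CallbackHandler (SECRET_KEY usage), then by
     * locating the referenced element and, if it is a BinarySecurityToken, processing it now.
     *
     * @return the secret key, never {@code null}
     * @throws WSSecurityException {@code unsupportedKeyId} if neither route yields a key
     */
    private byte[] resolveKeyFromReference(SecurityTokenReference secRef,
                                           String uri,
                                           Element strElement,
                                           RequestData data) throws WSSecurityException {
        Reference reference = secRef.getReference();
        byte[] secretKey =
            STRParserUtil.getSecretKeyFromToken(uri, reference.getValueType(), WSPasswordCallback.SECRET_KEY, data);
        if (secretKey == null) {
            Element tokenElement = STRParserUtil.getTokenElement(
                strElement.getOwnerDocument(), data.getWsDocInfo(), data.getCallbackHandler(),
                uri, reference.getValueType());
            // getTokenElement appears to fail rather than return null — guard anyway so a missing
            // token surfaces as unsupportedKeyId instead of a NullPointerException.
            if (tokenElement != null && isBinarySecurityToken(tokenElement)) {
                secretKey = processBinarySecurityToken(tokenElement, secRef, data);
            }
        }
        if (secretKey == null) {
            throw unsupportedKeyId(uri);
        }
        return secretKey;
    }

    /** Returns whether {@code element} is a {@code wsse:BinarySecurityToken}. */
    private static boolean isBinarySecurityToken(Element element) {
        QName elementName = new QName(element.getNamespaceURI(), element.getLocalName());
        return WSConstants.BINARY_TOKEN.equals(elementName);
    }

    /**
     * Runs the configured BinarySecurityToken processor on {@code tokenElement} and returns the
     * secret it produced, after the BST BSP compliance check.
     *
     * @return the secret from the first processor result, or {@code null} if the processor produced none
     * @throws WSSecurityException if processing or the BSP check fails
     */
    private static byte[] processBinarySecurityToken(Element tokenElement,
                                                     SecurityTokenReference secRef,
                                                     RequestData data) throws WSSecurityException {
        List<WSSecurityEngineResult> results =
            data.getWssConfig().getProcessor(WSConstants.BINARY_TOKEN).handleToken(tokenElement, data);
        if (results == null || results.isEmpty()) {
            return null;
        }
        WSSecurityEngineResult bstResult = results.get(0);
        // BSP check runs before the secret is released to the caller.
        STRParserUtil.checkBinarySecurityBSPCompliance(
            secRef, (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN),
            data.getBSPEnforcer());
        return (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
    }

    /**
     * Resolves a {@code wsse:KeyIdentifier} according to its ValueType: SAML assertion id,
     * Kerberos AP-REQ thumbprint, or any other type (with the EncryptedKeySHA1 BSP check when applicable).
     *
     * @return the secret key, never {@code null}
     * @throws WSSecurityException {@code unsupportedKeyId} if no key can be resolved
     */
    private byte[] resolveKeyFromKeyIdentifier(SecurityTokenReference secRef,
                                               String uri,
                                               Element strElement,
                                               RequestData data) throws WSSecurityException {
        String valueType = secRef.getKeyIdentifierValueType();
        String keyIdentifier = secRef.getKeyIdentifierValue();
        byte[] secretKey =
            STRParserUtil.getSecretKeyFromToken(keyIdentifier, valueType, WSPasswordCallback.SECRET_KEY, data);
        if (secretKey == null) {
            if (SAML_ASSERTION_ID_VALUE_TYPE.equals(valueType) || SAML_ID_VALUE_TYPE.equals(valueType)) {
                SamlAssertionWrapper samlAssertion =
                    STRParserUtil.getAssertionFromKeyIdentifier(secRef, strElement, data);
                secretKey = getSecretKeyFromAssertion(samlAssertion, secRef, data);
            } else if (KERBEROS_APREQ_SHA1_VALUE_TYPE.equals(valueType)) {
                secretKey = findKerberosSecretByThumbprint(secRef, data.getWsDocInfo());
            }
        }
        if (ENCRYPTED_KEY_SHA1_VALUE_TYPE.equals(valueType)) {
            STRParserUtil.checkEncryptedKeyBSPCompliance(secRef, data.getBSPEnforcer());
        }
        if (secretKey == null) {
            throw unsupportedKeyId(uri);
        }
        return secretKey;
    }

    /**
     * Looks up a previously processed BinarySecurityToken whose SHA-1 digest matches the SKI bytes
     * of the STR and returns the secret recorded for it.
     *
     * <p>{@link Arrays#equals} is adequate here: both operands are derived from message content
     * (the STR's SKI bytes and the BST's token bytes), so this is a thumbprint lookup, not a
     * comparison against a secret.
     *
     * @return the matching BST's secret, or {@code null} if no BST matches
     * @throws WSSecurityException if the SKI bytes or the digest cannot be computed
     */
    private static byte[] findKerberosSecretByThumbprint(SecurityTokenReference secRef, WSDocInfo wsDocInfo)
        throws WSSecurityException {
        byte[] skiBytes = secRef.getSKIBytes();
        for (WSSecurityEngineResult bstResult : wsDocInfo.getResultsByTag(WSConstants.BST)) {
            BinarySecurity token =
                (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (token != null && Arrays.equals(KeyUtils.generateDigest(token.getToken()), skiBytes)) {
                return (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
            }
        }
        return null;
    }

    /** Builds the exception raised whenever a reference cannot be resolved to a secret key. */
    private static WSSecurityException unsupportedKeyId(String uri) {
        return new WSSecurityException(
            WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", new Object[]{uri});
    }
}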
