package org.apache.wss4j.dom.str;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.Reference;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.DerivedKeyToken;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.processor.Processor;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
import org.apache.wss4j.dom.str.STRParser;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/wss4j/dom/str/SignatureSTRParser.class */
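/**
 * Resolves a {@code wsse:SecurityTokenReference} (STR) found in a signature's
 * {@code ds:KeyInfo} into the material needed to verify that signature: the
 * certificate(s) or public key, a symmetric secret, the principal behind the
 * token, and the kind of reference that was used.
 *
 * <p>Two paths exist. If the referenced token was already processed by the
 * security engine (looked up in {@link WSDocInfo} by id), the stored
 * {@link WSSecurityEngineResult} is reused without re-processing the token
 * ({@code processPreviousResult}). Otherwise the referenced token is located
 * and processed now ({@code processSTR}).
 *
 * <p>Security notes, all grounded in this listing:
 * <ul>
 *   <li>{@code STRParserResult.setTrustedCredential(true)} is only set for a
 *       previously processed BinarySecurityToken whose engine result recorded
 *       {@code TAG_VALIDATED_TOKEN}, and for a holder-of-key SAML assertion that
 *       carries a signature. Every other credential is left untrusted and must be
 *       validated by the caller (presumably the signature processor against its
 *       Crypto) before it is relied on.</li>
 *   <li>The lookup id is taken verbatim from the message (Reference URI or
 *       KeyIdentifier value). This class does not check that the element it
 *       resolves is the one the signature actually covers.</li>
 * </ul>
 *
 * <p>This is a decompiled listing: {@code parseBSTKeyIdentifier} could not be
 * reconstructed by the decompiler and is a placeholder that throws. Do not
 * reason about that code path from this file.
 */
public class SignatureSTRParser implements STRParser {
    /**
     * Entry point: resolves the STR described by {@code sTRParserParameters}.
     *
     * @param sTRParserParameters must carry the STR element and a
     *                            {@link RequestData} with a {@link WSDocInfo};
     *                            anything missing is rejected up front
     * @return the resolved credential material (see class comment)
     * @throws WSSecurityException with {@code FAILURE}/"invalidSTRParserParameter"
     *         when a required parameter is absent, or whatever the token
     *         processing below raises
     */
    @Override // org.apache.wss4j.dom.str.STRParser
    public STRParserResult parseSecurityTokenReference(STRParserParameters sTRParserParameters) throws WSSecurityException {
        if (sTRParserParameters == null || sTRParserParameters.getData() == null || sTRParserParameters.getData().getWsDocInfo() == null || sTRParserParameters.getStrElement() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter");
        }
        // BSP rules are enforced while the STR element itself is parsed.
        SecurityTokenReference securityTokenReference = new SecurityTokenReference(sTRParserParameters.getStrElement(), sTRParserParameters.getData().getBSPEnforcer());
        // Id used to look for an already-processed token: the Reference URI
        // (normalised by getIDFromReference) or the KeyIdentifier value. Both
        // come straight from the message; null if the STR has neither.
        String str = null;
        if (securityTokenReference.getReference() != null) {
            str = XMLUtils.getIDFromReference(securityTokenReference.getReference().getURI());
        } else if (securityTokenReference.containsKeyIdentifier()) {
            str = securityTokenReference.getKeyIdentifierValue();
        }
        // Reuse the engine's earlier result for this id when there is one,
        // otherwise process the referenced token now.
        WSSecurityEngineResult result = sTRParserParameters.getData().getWsDocInfo().getResult(str);
        return result != null ? processPreviousResult(result, securityTokenReference, sTRParserParameters) : processSTR(securityTokenReference, str, sTRParserParameters);
    }

    /**
     * Wraps the assertion in a {@link SAMLTokenPrincipalImpl} and, as a side
     * effect, marks the result's credential trusted when the assertion's first
     * subject-confirmation method is holder-of-key and the assertion carries a
     * signature.
     *
     * <p>NOTE(review): {@code isSigned()} only reports that a signature is
     * present; nothing here verifies it. The trust flag therefore relies on the
     * assertion having been verified earlier by the SAML token processor. The
     * branch of {@code processSTR} that re-wraps an already-processed element
     * is the case where this assumption matters most — confirm.
     *
     * @param samlAssertionWrapper the assertion the STR resolved to
     * @param sTRParserResult      result whose trusted flag may be set
     * @return the principal for the assertion
     */
    private Principal createPrincipalFromSAML(SamlAssertionWrapper samlAssertionWrapper, STRParserResult sTRParserResult) {
        SAMLTokenPrincipalImpl sAMLTokenPrincipalImpl = new SAMLTokenPrincipalImpl(samlAssertionWrapper);
        // Only the first confirmation method is considered.
        String str = null;
        List<String> confirmationMethods = samlAssertionWrapper.getConfirmationMethods();
        if (confirmationMethods != null && !confirmationMethods.isEmpty()) {
            str = confirmationMethods.get(0);
        }
        if (OpenSAMLUtil.isMethodHolderOfKey(str) && samlAssertionWrapper.isSigned()) {
            sTRParserResult.setTrustedCredential(true);
        }
        return sAMLTokenPrincipalImpl;
    }

    /**
     * Resolves a KeyIdentifier of SAML type (SAML 1.0/1.1 AssertionID or
     * SAML 2.0 ID).
     *
     * <p>A secret keyed by the identifier is first requested from the callback
     * handler (the literal {@code 9} is presumably
     * {@code WSPasswordCallback.SECRET_KEY} — confirm). Only when nothing comes
     * back is the assertion itself located, BSP-checked, and its subject
     * credential (certificates, public key, secret) extracted with the
     * signature-verification Crypto. Only the first certificate is kept.
     *
     * @param securityTokenReference the STR holding the KeyIdentifier
     * @param requestData            request context (callback handler, Crypto, BSP enforcer)
     * @param sTRParserResult        result populated in place
     * @throws WSSecurityException from the secret lookup, the assertion lookup,
     *         the BSP check or the subject parsing
     */
    private void parseSAMLKeyIdentifier(SecurityTokenReference securityTokenReference, RequestData requestData, STRParserResult sTRParserResult) throws WSSecurityException {
        byte[] secretKeyFromToken = STRParserUtil.getSecretKeyFromToken(securityTokenReference.getKeyIdentifierValue(), securityTokenReference.getKeyIdentifierValueType(), 9, requestData);
        if (secretKeyFromToken == null || secretKeyFromToken.length == 0) {
            SamlAssertionWrapper assertionFromKeyIdentifier = STRParserUtil.getAssertionFromKeyIdentifier(securityTokenReference, securityTokenReference.getElement(), requestData);
            STRParserUtil.checkSamlTokenBSPCompliance(securityTokenReference, assertionFromKeyIdentifier, requestData.getBSPEnforcer());
            SAMLKeyInfo credentialFromSubject = SAMLUtil.getCredentialFromSubject(assertionFromKeyIdentifier, new WSSSAMLKeyInfoProcessor(requestData), requestData.getSigVerCrypto());
            X509Certificate[] certs = credentialFromSubject.getCerts();
            if (certs != null && certs.length > 0) {
                sTRParserResult.setCerts(new X509Certificate[]{certs[0]});
            }
            secretKeyFromToken = credentialFromSubject.getSecret();
            sTRParserResult.setPublicKey(credentialFromSubject.getPublicKey());
            sTRParserResult.setPrincipal(createPrincipalFromSAML(assertionFromKeyIdentifier, sTRParserResult));
        }
        sTRParserResult.setSecretKey(secretKeyFromToken);
    }

    /**
     * Resolves a KeyIdentifier that is neither SAML-typed nor EncryptedKeySHA1
     * (the ThumbprintSHA1 value type named in {@code getReferenceType} lands
     * here, among others); dispatched to from {@code processSTR}.
     *
     * <p>DECOMPILER PLACEHOLDER: the tool could not reconstruct this method's
     * body (528 instructions). The only fragment it recovered sets the result's
     * principal from a previous engine result's {@code TAG_PRINCIPAL}. The
     * compiled class does not throw here; refer to the original WSS4J source
     * before drawing any conclusion about how BST key identifiers are validated.
     */
    private void parseBSTKeyIdentifier(org.apache.wss4j.common.token.SecurityTokenReference r8, org.apache.wss4j.common.crypto.Crypto r9, org.apache.wss4j.dom.handler.RequestData r10, org.apache.wss4j.dom.str.STRParserResult r11) throws org.apache.wss4j.common.ext.WSSecurityException {
        throw new UnsupportedOperationException("Method not decompiled: org.apache.wss4j.dom.str.SignatureSTRParser.parseBSTKeyIdentifier(org.apache.wss4j.common.token.SecurityTokenReference, org.apache.wss4j.common.crypto.Crypto, org.apache.wss4j.dom.handler.RequestData, org.apache.wss4j.dom.str.STRParserResult):void");
    }

    /**
     * Builds the result from a token the engine has already processed, keyed on
     * the {@code "action"} code stored in the earlier result. The numeric codes
     * appear to be the WSConstants action flags (1 UT, 8192 UT_NOPASSWORD,
     * 4096 BST, 4 ENCR, 1024 SCT, 2048 DKT, 8 ST_UNSIGNED, 16 ST_SIGNED) —
     * confirm against WSConstants.
     *
     * <p>Only the BST branch (and only when the earlier result recorded
     * {@code TAG_VALIDATED_TOKEN}) and a signed holder-of-key SAML assertion mark
     * the credential trusted. An action code with no matching branch yields a
     * result that carries neither key material nor principal; callers must
     * treat that as a failure, not as "verified".
     *
     * @param wSSecurityEngineResult the engine's earlier result for the referenced id
     * @param securityTokenReference the STR being resolved
     * @param sTRParserParameters    parser parameters (derivation key length, request data)
     * @return the populated result
     * @throws WSSecurityException from BSP checks, or when a SAML assertion has
     *         no subject key info
     */
    private STRParserResult processPreviousResult(WSSecurityEngineResult wSSecurityEngineResult, SecurityTokenReference securityTokenReference, STRParserParameters sTRParserParameters) throws WSSecurityException {
        STRParserResult sTRParserResult = new STRParserResult();
        RequestData data = sTRParserParameters.getData();
        Integer num = (Integer) wSSecurityEngineResult.get("action");
        if (num != null && (8192 == num.intValue() || 1 == num.intValue())) {
            // UsernameToken: secret derived earlier by the engine.
            STRParserUtil.checkUsernameTokenBSPCompliance(securityTokenReference, data.getBSPEnforcer());
            UsernameToken usernameToken = (UsernameToken) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
            sTRParserResult.setSecretKey((byte[]) wSSecurityEngineResult.get("secret"));
            sTRParserResult.setPrincipal(usernameToken.createPrincipal());
        } else if (num != null && 4096 == num.intValue()) {
            // BinarySecurityToken: trusted only if the engine validated it.
            // A missing flag counts as "not validated" rather than throwing on unboxing.
            STRParserUtil.checkBinarySecurityBSPCompliance(securityTokenReference, (BinarySecurity) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN), data.getBSPEnforcer());
            sTRParserResult.setCerts((X509Certificate[]) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
            sTRParserResult.setSecretKey((byte[]) wSSecurityEngineResult.get("secret"));
            if (Boolean.TRUE.equals(wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))) {
                sTRParserResult.setTrustedCredential(true);
            }
        } else if (num != null && 4 == num.intValue()) {
            // EncryptedKey: the decrypted secret, principal named by the key's id.
            STRParserUtil.checkEncryptedKeyBSPCompliance(securityTokenReference, data.getBSPEnforcer());
            sTRParserResult.setSecretKey((byte[]) wSSecurityEngineResult.get("secret"));
            sTRParserResult.setPrincipal(new CustomTokenPrincipal((String) wSSecurityEngineResult.get("id")));
        } else if (num != null && 1024 == num.intValue()) {
            // SecurityContextToken: principal named by the context identifier.
            sTRParserResult.setSecretKey((byte[]) wSSecurityEngineResult.get("secret"));
            sTRParserResult.setPrincipal(new CustomTokenPrincipal(((SecurityContextToken) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN)).getIdentifier()));
        } else if (num != null && 2048 == num.intValue()) {
            // DerivedKeyToken: derive the signing key from the stored base secret.
            // Length comes from the token, else from the parser parameters.
            DerivedKeyToken derivedKeyToken = (DerivedKeyToken) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
            int length = derivedKeyToken.getLength();
            if (length <= 0 && sTRParserParameters.getDerivationKeyLength() > 0) {
                length = sTRParserParameters.getDerivationKeyLength();
            }
            byte[] bArr = (byte[]) wSSecurityEngineResult.get("secret");
            Principal createPrincipal = derivedKeyToken.createPrincipal();
            // The base secret is attached to the principal as well as used for derivation.
            ((WSDerivedKeyTokenPrincipal) createPrincipal).setSecret(bArr);
            sTRParserResult.setPrincipal(createPrincipal);
            sTRParserResult.setSecretKey(derivedKeyToken.deriveKey(length, bArr));
        } else if (num != null && (8 == num.intValue() || 16 == num.intValue())) {
            // SAML assertion: credential comes from the subject; only the first cert is kept.
            SamlAssertionWrapper samlAssertionWrapper = (SamlAssertionWrapper) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            STRParserUtil.checkSamlTokenBSPCompliance(securityTokenReference, samlAssertionWrapper, data.getBSPEnforcer());
            SAMLKeyInfo subjectKeyInfo = samlAssertionWrapper.getSubjectKeyInfo();
            if (subjectKeyInfo == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
            }
            X509Certificate[] certs = subjectKeyInfo.getCerts();
            if (certs != null && certs.length > 0) {
                sTRParserResult.setCerts(new X509Certificate[]{certs[0]});
            }
            sTRParserResult.setSecretKey(subjectKeyInfo.getSecret());
            sTRParserResult.setPublicKey(subjectKeyInfo.getPublicKey());
            sTRParserResult.setPrincipal(createPrincipalFromSAML(samlAssertionWrapper, sTRParserResult));
        }
        STRParser.REFERENCE_TYPE referenceType = getReferenceType(securityTokenReference);
        if (referenceType != null) {
            sTRParserResult.setReferenceType(referenceType);
        }
        return sTRParserResult;
    }

    /**
     * Processes a token the engine has not seen yet. Three STR shapes are handled:
     * <ul>
     *   <li>direct {@code wsse:Reference}: a secret is first requested from the
     *       callback handler ({@code 9} presumably being
     *       {@code WSPasswordCallback.SECRET_KEY}); failing that the referenced
     *       element is located and handed to the matching processor
     *       (BinarySecurityToken, SAML 1.x/2.0 assertion, or EncryptedKey). Any
     *       other element type leaves the secret empty and the principal a
     *       {@link CustomTokenPrincipal} of the id.</li>
     *   <li>{@code ds:X509Data} / issuer-serial: the certificate is looked up in
     *       the signature-verification Crypto; only the first match is kept and
     *       the reference type is forced to {@code ISSUER_SERIAL}.</li>
     *   <li>{@code wsse:KeyIdentifier}: EncryptedKeySHA1 goes to the callback
     *       handler, SAML ids to {@code parseSAMLKeyIdentifier}, everything else
     *       to {@code parseBSTKeyIdentifier}.</li>
     * </ul>
     * Anything else is rejected with {@code INVALID_SECURITY}/"unsupportedKeyInfo".
     *
     * <p>The BST branch does not mark the credential trusted even though the
     * processor may have validated it (contrast the previous-result path), so
     * downstream certificate validation is still required. The processor
     * results are read via {@code get(0)}; an empty result list is not handled
     * here.
     *
     * @param securityTokenReference the STR being resolved
     * @param str                    id or key-identifier value extracted from it (may be null)
     * @param sTRParserParameters    parser parameters
     * @return the populated result
     * @throws WSSecurityException for an unsupported STR shape, a SAML assertion
     *         without subject key info, or from any processor / BSP check
     */
    private STRParserResult processSTR(SecurityTokenReference securityTokenReference, String str, STRParserParameters sTRParserParameters) throws WSSecurityException {
        SamlAssertionWrapper samlAssertionWrapper;
        STRParserResult sTRParserResult = new STRParserResult();
        RequestData data = sTRParserParameters.getData();
        WSDocInfo wsDocInfo = data.getWsDocInfo();
        Element strElement = sTRParserParameters.getStrElement();
        if (securityTokenReference.containsReference()) {
            Reference reference = securityTokenReference.getReference();
            byte[] secretKeyFromToken = STRParserUtil.getSecretKeyFromToken(str, reference.getValueType(), 9, data);
            Principal customTokenPrincipal = new CustomTokenPrincipal(str);
            if (secretKeyFromToken == null || secretKeyFromToken.length == 0) {
                Element tokenElement = STRParserUtil.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler(), str, reference.getValueType());
                QName qName = new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName());
                if (qName.equals(WSConstants.BINARY_TOKEN)) {
                    List<WSSecurityEngineResult> handleToken = data.getWssConfig().getProcessor(WSConstants.BINARY_TOKEN).handleToken(tokenElement, sTRParserParameters.getData());
                    STRParserUtil.checkBinarySecurityBSPCompliance(securityTokenReference, (BinarySecurity) handleToken.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN), data.getBSPEnforcer());
                    sTRParserResult.setCerts((X509Certificate[]) handleToken.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES));
                    secretKeyFromToken = (byte[]) handleToken.get(0).get("secret");
                    customTokenPrincipal = (Principal) handleToken.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
                } else if (qName.equals(WSConstants.SAML_TOKEN) || qName.equals(WSConstants.SAML2_TOKEN)) {
                    Processor processor = data.getWssConfig().getProcessor(WSConstants.SAML_TOKEN);
                    // An assertion already handled elsewhere in the document is
                    // re-wrapped and only its subject is parsed; otherwise the
                    // SAML processor handles (and is assumed to validate) it.
                    Element findProcessedTokenElement = STRParserUtil.findProcessedTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler(), str, securityTokenReference.getReference().getValueType());
                    if (findProcessedTokenElement == null) {
                        samlAssertionWrapper = (SamlAssertionWrapper) processor.handleToken(tokenElement, data).get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                    } else {
                        samlAssertionWrapper = new SamlAssertionWrapper(findProcessedTokenElement);
                        samlAssertionWrapper.parseSubject(new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto());
                    }
                    STRParserUtil.checkSamlTokenBSPCompliance(securityTokenReference, samlAssertionWrapper, data.getBSPEnforcer());
                    SAMLKeyInfo subjectKeyInfo = samlAssertionWrapper.getSubjectKeyInfo();
                    // Same guard as processPreviousResult: an assertion without
                    // subject key info cannot confirm a signature; fail with a
                    // WSSecurityException rather than a NullPointerException.
                    if (subjectKeyInfo == null) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                    }
                    X509Certificate[] certs = subjectKeyInfo.getCerts();
                    if (certs != null && certs.length > 0) {
                        sTRParserResult.setCerts(new X509Certificate[]{certs[0]});
                    }
                    secretKeyFromToken = subjectKeyInfo.getSecret();
                    customTokenPrincipal = createPrincipalFromSAML(samlAssertionWrapper, sTRParserResult);
                } else if (qName.equals(WSConstants.ENCRYPTED_KEY)) {
                    STRParserUtil.checkEncryptedKeyBSPCompliance(securityTokenReference, data.getBSPEnforcer());
                    secretKeyFromToken = (byte[]) data.getWssConfig().getProcessor(WSConstants.ENCRYPTED_KEY).handleToken(tokenElement, data).get(0).get("secret");
                    customTokenPrincipal = new CustomTokenPrincipal(tokenElement.getAttributeNS(null, "Id"));
                }
            }
            sTRParserResult.setSecretKey(secretKeyFromToken);
            sTRParserResult.setPrincipal(customTokenPrincipal);
        } else if (securityTokenReference.containsX509Data() || securityTokenReference.containsX509IssuerSerial()) {
            sTRParserResult.setReferenceType(STRParser.REFERENCE_TYPE.ISSUER_SERIAL);
            X509Certificate[] x509IssuerSerial = securityTokenReference.getX509IssuerSerial(data.getSigVerCrypto());
            if (x509IssuerSerial != null && x509IssuerSerial.length > 0) {
                sTRParserResult.setCerts(new X509Certificate[]{x509IssuerSerial[0]});
            }
        } else {
            if (!securityTokenReference.containsKeyIdentifier()) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "unsupportedKeyInfo", new Object[]{strElement.toString()});
            }
            // Null-safe comparison, consistent with the SAML branch below: a
            // missing ValueType falls through to parseBSTKeyIdentifier instead of NPE.
            if ("http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1".equals(securityTokenReference.getKeyIdentifierValueType())) {
                STRParserUtil.checkEncryptedKeyBSPCompliance(securityTokenReference, data.getBSPEnforcer());
                String keyIdentifierValue = securityTokenReference.getKeyIdentifierValue();
                sTRParserResult.setSecretKey(STRParserUtil.getSecretKeyFromToken(keyIdentifierValue, "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1", 9, data));
                sTRParserResult.setPrincipal(new CustomTokenPrincipal(keyIdentifierValue));
            } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID".equals(securityTokenReference.getKeyIdentifierValueType()) || "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID".equals(securityTokenReference.getKeyIdentifierValueType())) {
                parseSAMLKeyIdentifier(securityTokenReference, data, sTRParserResult);
            } else {
                parseBSTKeyIdentifier(securityTokenReference, data.getSigVerCrypto(), data, sTRParserResult);
            }
        }
        // Overrides ISSUER_SERIAL only when the STR is a Reference or KeyIdentifier.
        STRParser.REFERENCE_TYPE referenceType = getReferenceType(securityTokenReference);
        if (referenceType != null) {
            sTRParserResult.setReferenceType(referenceType);
        }
        return sTRParserResult;
    }

    /**
     * Classifies the STR shape for the result.
     *
     * @return {@code DIRECT_REF} for a {@code wsse:Reference}; for a KeyIdentifier,
     *         {@code THUMBPRINT_SHA1} when its ValueType is the SHA-1 thumbprint
     *         URI and {@code KEY_IDENTIFIER} otherwise; {@code null} for any
     *         other shape (X509Data / issuer-serial is set by the caller)
     */
    private STRParser.REFERENCE_TYPE getReferenceType(SecurityTokenReference securityTokenReference) {
        if (securityTokenReference.containsReference()) {
            return STRParser.REFERENCE_TYPE.DIRECT_REF;
        }
        if (securityTokenReference.containsKeyIdentifier()) {
            return "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1".equals(securityTokenReference.getKeyIdentifierValueType()) ? STRParser.REFERENCE_TYPE.THUMBPRINT_SHA1 : STRParser.REFERENCE_TYPE.KEY_IDENTIFIER;
        }
        return null;
    }
}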
