package org.apache.wss4j.stax.impl.processor.output;

import java.io.UnsupportedEncodingException;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import org.apache.commons.codec.binary.Base64;
import org.apache.wss4j.common.derivedKey.AlgoFactory;
import org.apache.wss4j.common.derivedKey.DerivationAlgorithm;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xalan.templates.Constants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
import org.apache.xml.security.stax.ext.OutputProcessorChain;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;

/* loaded from: input_file:org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.class */
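/**
 * Output processor that derives a key from an already registered outbound token and
 * arranges for the matching {@code DerivedKeyToken} element to be written into the
 * security header.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The derivation algorithm is fixed to the P_SHA1 URI of the 2005/02
 *       WS-SecureConversation namespace, independent of the configured namespace
 *       for the emitted elements.</li>
 *   <li>The derivation seed is the label
 *       {@code "WS-SecureConversationWS-SecureConversation"} followed by a 16-byte nonce
 *       obtained from {@code WSSConstants.generateBytes(16)}. NOTE(review): the quality
 *       of that byte source is not visible here; confirm it is a CSPRNG.</li>
 *   <li>The derived key bytes are captured by the derived token and are not cleared by
 *       this class, so they stay in memory for as long as the token is reachable.</li>
 *   <li>The emitted element carries only a {@code wsu:Id} attribute; the offset is
 *       always written as 0.</li>
 * </ul>
 */
public class DerivedKeyTokenOutputProcessor extends AbstractOutputProcessor {

    /**
     * Writes the {@code DerivedKeyToken} element (token reference, offset, length and
     * nonce) once the security header element passes through the chain, then removes
     * itself from the chain.
     */
    class FinalDerivedKeyTokenOutputProcessor extends AbstractOutputProcessor {
        // Derived token whose id is written as wsu:Id and whose wrapping token is referenced.
        private final OutboundSecurityToken securityToken;
        // Value written into the Offset element.
        private final int offset;
        // Value written into the Length element (derived key length in bytes).
        private final int length;
        // Base64 text written into the Nonce element.
        private final String nonce;
        // Selects the 2005/12 element names instead of the 2005/02 ones.
        private final boolean use200512Namespace;
        // Passed on to the EncryptedKeySHA1 reference structure when that identifier is used.
        private final String sha1Identifier;

        /**
         * @param outboundSecurityToken the derived token to describe
         * @param i offset value to emit
         * @param i2 length value to emit
         * @param str Base64-encoded nonce to emit
         * @param z {@code true} to use the 2005/12 namespace element names
         * @param str2 SHA-1 identifier used for the EncryptedKeySHA1 reference form
         */
        FinalDerivedKeyTokenOutputProcessor(OutboundSecurityToken outboundSecurityToken, int i, int i2, String str, boolean z, String str2) throws XMLSecurityException {
            this.securityToken = outboundSecurityToken;
            this.offset = i;
            this.length = i2;
            this.nonce = str;
            this.use200512Namespace = z;
            this.sha1Identifier = str2;
        }

        /**
         * Forwards the event and, when it is the security header element for the
         * configured actor, emits the complete {@code DerivedKeyToken} element on a
         * sub-chain and removes this processor.
         *
         * @throws XMLStreamException if an output event cannot be written
         * @throws XMLSecurityException if the token reference cannot be built
         */
        @Override // org.apache.xml.security.stax.ext.AbstractOutputProcessor
        public void processEvent(XMLSecEvent xMLSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
            outputProcessorChain.processEvent(xMLSecEvent);
            WSSSecurityProperties wssProperties = (WSSSecurityProperties) getSecurityProperties();
            if (!WSSUtils.isSecurityHeaderElement(xMLSecEvent, wssProperties.getActor())) {
                return;
            }
            QName headerElementName = getHeaderElementName();
            WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
            OutputProcessorChain subChain = outputProcessorChain.createSubChain(this);

            List<XMLSecAttribute> tokenAttributes = new ArrayList<XMLSecAttribute>(1);
            tokenAttributes.add(createAttribute(WSSConstants.ATT_wsu_Id, this.securityToken.getId()));
            createStartElementAndOutputAsEvent(subChain, headerElementName, true, tokenAttributes);

            createSecurityTokenReferenceStructureForDerivedKey(subChain, this.securityToken, wssProperties.getDerivedKeyKeyIdentifier(), wssProperties.getDerivedKeyTokenReference(), wssProperties.isUseSingleCert());

            // The element order below is what gets serialised; keep Offset, Length, Nonce in this sequence.
            createStartElementAndOutputAsEvent(subChain, getOffsetName(), false, (List<XMLSecAttribute>) null);
            createCharactersAndOutputAsEvent(subChain, Integer.toString(this.offset));
            createEndElementAndOutputAsEvent(subChain, getOffsetName());

            createStartElementAndOutputAsEvent(subChain, getLengthName(), false, (List<XMLSecAttribute>) null);
            createCharactersAndOutputAsEvent(subChain, Integer.toString(this.length));
            createEndElementAndOutputAsEvent(subChain, getLengthName());

            createStartElementAndOutputAsEvent(subChain, getNonceName(), false, (List<XMLSecAttribute>) null);
            createCharactersAndOutputAsEvent(subChain, this.nonce);
            createEndElementAndOutputAsEvent(subChain, getNonceName());

            createEndElementAndOutputAsEvent(subChain, headerElementName);
            outputProcessorChain.removeProcessor(this);
        }

        /**
         * Writes the {@code wsse:SecurityTokenReference} that points from the derived
         * key token to the token it was derived from.
         *
         * @param outputProcessorChain chain that receives the generated events
         * @param outboundSecurityToken derived token; its key-wrapping token is the reference target
         * @param keyIdentifier configured reference form
         * @param derivedKeyTokenReference when {@code EncryptedKey}, forces a direct reference to the EncryptedKey
         * @param z the "use single certificate" setting; selects X509v3 instead of X509PKIPathv1
         * @throws XMLStreamException if an output event cannot be written
         * @throws XMLSecurityException if the derived token has no wrapping token or the
         *         key identifier is not one of the supported forms
         */
        protected void createSecurityTokenReferenceStructureForDerivedKey(OutputProcessorChain outputProcessorChain, OutboundSecurityToken outboundSecurityToken, SecurityTokenConstants.KeyIdentifier keyIdentifier, WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference, boolean z) throws XMLStreamException, XMLSecurityException {
            SecurityToken keyWrappingToken = outboundSecurityToken.getKeyWrappingToken();
            if (keyWrappingToken == null) {
                // Fail with a declared security exception before any partial output is written,
                // instead of a NullPointerException after the start element was already emitted.
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }

            List<XMLSecAttribute> referenceAttributes = new ArrayList<XMLSecAttribute>(2);
            referenceAttributes.add(createAttribute(WSSConstants.ATT_wsu_Id, IDGenerator.generateID(null)));
            if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier) && !z) {
                referenceAttributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"));
            } else if (derivedKeyTokenReference == WSSConstants.DerivedKeyTokenReference.EncryptedKey || WSSecurityTokenConstants.KeyIdentifier_EncryptedKeySha1Identifier.equals(keyIdentifier)) {
                referenceAttributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"));
            } else if (WSSecurityTokenConstants.KerberosToken.equals(keyWrappingToken.getTokenType())) {
                referenceAttributes.add(createAttribute(WSSConstants.ATT_wsse11_TokenType, "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"));
            }
            createStartElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, false, referenceAttributes);

            X509Certificate[] x509Certificates = keyWrappingToken.getX509Certificates();
            String wrappingTokenId = keyWrappingToken.getId();
            if (derivedKeyTokenReference == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
                WSSUtils.createBSTReferenceStructure(this, outputProcessorChain, wrappingTokenId, "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey", true);
            } else if (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)) {
                WSSUtils.createX509IssuerSerialStructure(this, outputProcessorChain, x509Certificates);
            } else if (WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier.equals(keyIdentifier)) {
                WSSUtils.createX509SubjectKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
            } else if (WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(keyIdentifier)) {
                WSSUtils.createX509KeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
            } else if (WSSecurityTokenConstants.KeyIdentifier_KerberosSha1Identifier.equals(keyIdentifier)) {
                WSSUtils.createKerberosSha1IdentifierStructure(this, outputProcessorChain, keyWrappingToken.getSha1Identifier());
            } else if (WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier.equals(keyIdentifier)) {
                WSSUtils.createThumbprintKeyIdentifierStructure(this, outputProcessorChain, x509Certificates);
            } else if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(keyIdentifier)) {
                String valueType = directReferenceValueType(keyWrappingToken, z);
                WSSUtils.createBSTReferenceStructure(this, outputProcessorChain, wrappingTokenId, valueType, ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken());
            } else if (WSSecurityTokenConstants.KeyIdentifier_EncryptedKeySha1Identifier.equals(keyIdentifier)) {
                WSSUtils.createEncryptedKeySha1IdentifierStructure(this, outputProcessorChain, this.sha1Identifier);
            } else {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "unsupportedSecurityToken", new Object[0]);
            }
            createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference);
        }

        /** Picks the ValueType URI for a direct reference from the wrapping token's type. */
        private String directReferenceValueType(SecurityToken keyWrappingToken, boolean useSingleCert) throws XMLSecurityException {
            if (WSSecurityTokenConstants.KerberosToken.equals(keyWrappingToken.getTokenType())) {
                return "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
            }
            if (WSSecurityTokenConstants.SpnegoContextToken.equals(keyWrappingToken.getTokenType())
                    || WSSecurityTokenConstants.SecurityContextToken.equals(keyWrappingToken.getTokenType())
                    || WSSecurityTokenConstants.SecureConversationToken.equals(keyWrappingToken.getTokenType())) {
                return ((WSSSecurityProperties) getSecurityProperties()).isUse200512Namespace()
                        ? "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct"
                        : "http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
            }
            return useSingleCert
                    ? "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                    : "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";
        }

        /** Returns the DerivedKeyToken element name for the configured namespace. */
        private QName getHeaderElementName() {
            return this.use200512Namespace ? WSSConstants.TAG_wsc0512_DerivedKeyToken : WSSConstants.TAG_wsc0502_DerivedKeyToken;
        }

        /** Returns the Offset element name for the configured namespace. */
        private QName getOffsetName() {
            return this.use200512Namespace ? WSSConstants.TAG_wsc0512_Offset : WSSConstants.TAG_wsc0502_Offset;
        }

        /** Returns the Length element name for the configured namespace. */
        private QName getLengthName() {
            return this.use200512Namespace ? WSSConstants.TAG_wsc0512_Length : WSSConstants.TAG_wsc0502_Length;
        }

        /** Returns the Nonce element name for the configured namespace. */
        private QName getNonceName() {
            return this.use200512Namespace ? WSSConstants.TAG_wsc0512_Nonce : WSSConstants.TAG_wsc0502_Nonce;
        }
    }

    /**
     * Derives a key from the token named in the security context, registers the derived
     * token under a fresh id, selects it for the pending signature or encryption action,
     * and installs a {@link FinalDerivedKeyTokenOutputProcessor} that will write the
     * {@code DerivedKeyToken} element. This processor removes itself from the chain on
     * both the success and the failure path.
     *
     * @param xMLSecEvent the event that triggered processing; forwarded once setup is done
     * @param outputProcessorChain chain and security context to operate on
     * @throws XMLStreamException if forwarding the event fails
     * @throws XMLSecurityException if the source token, its key material or a usable
     *         derived key length is missing
     */
    @Override // org.apache.xml.security.stax.ext.AbstractOutputProcessor
    public void processEvent(XMLSecEvent xMLSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
        try {
            String wrappingTokenId = (String) outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY);
            if (wrappingTokenId == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
            SecurityTokenProvider<OutboundSecurityToken> wrappingTokenProvider = outputProcessorChain.getSecurityContext().getSecurityTokenProvider(wrappingTokenId);
            if (wrappingTokenProvider == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
            OutboundSecurityToken wrappingToken = wrappingTokenProvider.getSecurityToken();
            if (wrappingToken == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
            final String derivedTokenId = IDGenerator.generateID(null);
            XMLSecurityConstants.Action action = getAction();
            int derivedKeyLength = resolveDerivedKeyLength(action);
            try {
                // Seed = fixed label followed by a fresh 16-byte nonce; the nonce is also
                // sent in the message so the receiver can repeat the derivation.
                byte[] label = "WS-SecureConversationWS-SecureConversation".getBytes("UTF-8");
                byte[] nonceBytes = WSSConstants.generateBytes(16);
                byte[] seed = new byte[label.length + nonceBytes.length];
                System.arraycopy(label, 0, seed, 0, label.length);
                System.arraycopy(nonceBytes, 0, seed, label.length, nonceBytes.length);
                DerivationAlgorithm derivation = AlgoFactory.getInstance("http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1");

                byte[] parentSecret;
                if (WSSecurityTokenConstants.SecurityContextToken.equals(wrappingToken.getTokenType())) {
                    // The callback is keyed by the new derived token id, not the wrapping token id.
                    // NOTE(review): usage code 9 is presumably WSPasswordCallback.SECRET_KEY, inlined
                    // by the decompiler; confirm against the WSPasswordCallback constants.
                    WSPasswordCallback secretCallback = new WSPasswordCallback(derivedTokenId, 9);
                    WSSUtils.doSecretKeyCallback(((WSSSecurityProperties) this.securityProperties).getCallbackHandler(), secretCallback, derivedTokenId);
                    if (secretCallback.getKey() == null) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKey", derivedTokenId);
                    }
                    parentSecret = secretCallback.getKey();
                } else {
                    // A missing or non-extractable key would otherwise surface as a
                    // NullPointerException inside the derivation; reject it explicitly.
                    Key parentKey = wrappingToken.getSecretKey("");
                    parentSecret = parentKey == null ? null : parentKey.getEncoded();
                    if (parentSecret == null) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
                    }
                }

                // Offset is always 0. The resulting bytes are captured by the token below and
                // are not cleared by this class.
                final byte[] derivedKey = derivation.createKey(parentSecret, seed, 0, derivedKeyLength);
                final GenericOutboundSecurityToken derivedToken = new GenericOutboundSecurityToken(derivedTokenId, WSSecurityTokenConstants.DerivedKeyToken) {
                    /**
                     * Returns the cached key for the algorithm URI, or wraps the derived
                     * bytes in a key for the JCE algorithm mapped from that URI and caches it.
                     */
                    @Override // org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken, org.apache.xml.security.stax.securityToken.OutboundSecurityToken
                    public Key getSecretKey(String str2) throws WSSecurityException {
                        try {
                            Key cachedKey = super.getSecretKey(str2);
                            if (cachedKey != null) {
                                return cachedKey;
                            }
                            SecretKeySpec keySpec = new SecretKeySpec(derivedKey, JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(str2));
                            setSecretKey(str2, keySpec);
                            return keySpec;
                        } catch (XMLSecurityException e) {
                            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
                        }
                    }
                };
                derivedToken.setKeyWrappingToken(wrappingToken);
                wrappingToken.addWrappedToken(derivedToken);

                SecurityTokenProvider<OutboundSecurityToken> derivedTokenProvider = new SecurityTokenProvider<OutboundSecurityToken>() {
                    @Override // org.apache.xml.security.stax.securityToken.SecurityTokenProvider
                    public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
                        return derivedToken;
                    }

                    @Override // org.apache.xml.security.stax.securityToken.SecurityTokenProvider
                    public String getId() {
                        return derivedTokenId;
                    }
                };

                // Point the downstream signature or encryption processor at the derived token.
                if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
                    outputProcessorChain.getSecurityContext().put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, derivedTokenId);
                } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
                    outputProcessorChain.getSecurityContext().put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, derivedTokenId);
                }
                outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(derivedTokenId, derivedTokenProvider);

                // Base64 output is ASCII; decode it with an explicit charset so the nonce text
                // does not depend on the platform default encoding.
                String encodedNonce = new String(Base64.encodeBase64(nonceBytes), "UTF-8");
                FinalDerivedKeyTokenOutputProcessor finalProcessor = new FinalDerivedKeyTokenOutputProcessor(derivedToken, 0, derivedKeyLength, encodedNonce, ((WSSSecurityProperties) getSecurityProperties()).isUse200512Namespace(), wrappingToken.getSha1Identifier());
                finalProcessor.setXMLSecurityProperties(getSecurityProperties());
                finalProcessor.setAction(getAction());
                if (wrappingToken.getProcessor() != null) {
                    finalProcessor.addBeforeProcessor(wrappingToken.getProcessor());
                } else {
                    finalProcessor.addAfterProcessor(ReferenceListOutputProcessor.class.getName());
                }
                finalProcessor.init(outputProcessorChain);
                derivedToken.setProcessor(finalProcessor);
                outputProcessorChain.removeProcessor(this);
                outputProcessorChain.processEvent(xMLSecEvent);
            } catch (UnsupportedEncodingException e) {
                // NOTE(review): the Xalan constant used as message id here is most likely a
                // decompiler mis-resolution of a plain string literal; confirm against the
                // original source before relying on the Xalan dependency.
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, Constants.ELEMNAME_EMPTY_STRING, e, "UTF-8 encoding is not supported");
            }
        } catch (Throwable th) {
            // Never leave this processor in the chain after a failure.
            outputProcessorChain.removeProcessor(this);
            throw th;
        }
    }

    /**
     * Returns the derived key length in bytes for the given action: the configured
     * derived key length when it is positive, otherwise the key length of the configured
     * signature or symmetric encryption algorithm divided by 8.
     *
     * @throws XMLSecurityException if no positive length results, for example because the
     *         action is neither signature nor encryption with a derived key; deriving a
     *         zero-length key would only fail later when the key is first used
     */
    private int resolveDerivedKeyLength(XMLSecurityConstants.Action action) throws XMLSecurityException {
        WSSSecurityProperties wssProperties = (WSSSecurityProperties) getSecurityProperties();
        int keyLength = 0;
        if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
            int configured = wssProperties.getDerivedSignatureKeyLength();
            keyLength = configured > 0 ? configured : JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getSignatureAlgorithm()) / 8;
        } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
            int configured = wssProperties.getDerivedEncryptionKeyLength();
            keyLength = configured > 0 ? configured : JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getEncryptionSymAlgorithm()) / 8;
        }
        if (keyLength <= 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
        }
        return keyLength;
    }
}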
