package org.apache.wss4j.dom.str;

import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-dom-2.3.3.jar:org/apache/wss4j/dom/str/DerivedKeyTokenSTRParser.class */
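/**
 * {@link STRParser} that resolves the secret key material a
 * {@code wsse:SecurityTokenReference} points at; by its name it is the parser
 * used for the STR inside a DerivedKeyToken.
 *
 * <p>Resolution has two paths: if the referenced token was already processed
 * earlier in the same security header (looked up by id in {@code WsDocInfo}),
 * the secret recorded in that {@link WSSecurityEngineResult} is reused; otherwise
 * the reference is resolved from scratch via the password callback, a
 * previously processed BinarySecurityToken, or the decryption {@link Crypto}.
 *
 * <p>Every unresolvable reference fails with a {@link WSSecurityException} of
 * code {@code FAILED_CHECK} ("unsupportedKeyId"); the parser never returns a
 * result for a reference it could not resolve. (The previous-result path does
 * not itself check that the stored secret is non-null — see the note there.)
 */
public class DerivedKeyTokenSTRParser implements STRParser {

    // Action codes found under WSSecurityEngineResult.TAG_ACTION. The literal
    // values are those of the decompiled class; they correspond to the
    // WSConstants.* action constants of the wss4j sources, which are kept as
    // literals here rather than adding an import.
    private static final int ACTION_UT = 1;
    private static final int ACTION_ENCR = 4;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_SCT = 1024;
    private static final int ACTION_BST = 4096;
    private static final int ACTION_UT_NOPASSWORD = 8192;

    // Callback identifiers handed to STRParserUtil.getSecretKeyFromToken; the
    // literals correspond to WSPasswordCallback.SECURITY_CONTEXT_TOKEN and
    // WSPasswordCallback.SECRET_KEY.
    private static final int CALLBACK_SECURITY_CONTEXT_TOKEN = 6;
    private static final int CALLBACK_SECRET_KEY = 9;

    /**
     * Resolves the secret key referenced by the STR element in {@code sTRParserParameters}.
     *
     * @param sTRParserParameters the STR element to parse plus the request data; must carry a
     *        non-null {@code RequestData} with a non-null {@code WsDocInfo}
     * @return a result whose secret key is the resolved key bytes
     * @throws WSSecurityException with code {@code FAILURE} ("invalidSTRParserParameter") when
     *         the parameters are incomplete, or {@code FAILED_CHECK} ("unsupportedKeyId") when the
     *         reference cannot be resolved
     */
    @Override // org.apache.wss4j.dom.str.STRParser
    public STRParserResult parseSecurityTokenReference(STRParserParameters sTRParserParameters)
        throws WSSecurityException {
        if (sTRParserParameters == null || sTRParserParameters.getData() == null
            || sTRParserParameters.getData().getWsDocInfo() == null
            || sTRParserParameters.getStrElement() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSTRParserParameter");
        }
        RequestData data = sTRParserParameters.getData();
        SecurityTokenReference strElement =
            new SecurityTokenReference(sTRParserParameters.getStrElement(), data.getBSPEnforcer());

        // The id the STR points at: the fragment of a direct Reference URI, or the raw
        // KeyIdentifier value. Stays null when the STR carries neither.
        String uri = null;
        if (strElement.getReference() != null) {
            uri = XMLUtils.getIDFromReference(strElement.getReference().getURI());
        } else if (strElement.containsKeyIdentifier()) {
            uri = strElement.getKeyIdentifierValue();
        }

        // A token already processed in this header wins over resolving from scratch.
        WSSecurityEngineResult previousResult = data.getWsDocInfo().getResult(uri);
        if (previousResult != null) {
            return processPreviousResult(previousResult, strElement, data);
        }
        return processSTR(strElement, uri, data);
    }

    /**
     * Reuses the secret recorded by an earlier processor for the referenced token.
     *
     * @param previousResult the engine result registered under the referenced id
     * @param strElement     the STR being resolved (used for BSP compliance checks)
     * @param data           the current request data
     * @return a result carrying the secret taken from {@code previousResult}
     * @throws WSSecurityException {@code FAILED_CHECK} ("unsupportedKeyId") when the earlier
     *         result has no action or an action this parser does not accept; BSP checks and
     *         SAML credential extraction may also throw
     */
    private STRParserResult processPreviousResult(WSSecurityEngineResult previousResult,
                                                  SecurityTokenReference strElement,
                                                  RequestData data) throws WSSecurityException {
        STRParserResult parserResult = new STRParserResult();
        Integer action = (Integer) previousResult.get(WSSecurityEngineResult.TAG_ACTION);
        if (action == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId");
        }
        // NOTE(review): for the non-SAML cases the stored TAG_SECRET is copied as-is, so a
        // previous result without a secret yields a result with a null key; whether callers
        // reject that is not visible here — confirm at the call site.
        switch (action.intValue()) {
            case ACTION_UT_NOPASSWORD:
            case ACTION_UT:
                STRParserUtil.checkUsernameTokenBSPCompliance(strElement, data.getBSPEnforcer());
                parserResult.setSecretKey((byte[]) previousResult.get(WSSecurityEngineResult.TAG_SECRET));
                break;
            case ACTION_ENCR:
                STRParserUtil.checkEncryptedKeyBSPCompliance(strElement, data.getBSPEnforcer());
                parserResult.setSecretKey((byte[]) previousResult.get(WSSecurityEngineResult.TAG_SECRET));
                break;
            case ACTION_SCT:
            case ACTION_BST:
                parserResult.setSecretKey((byte[]) previousResult.get(WSSecurityEngineResult.TAG_SECRET));
                break;
            case ACTION_ST_UNSIGNED:
            case ACTION_ST_SIGNED: {
                SamlAssertionWrapper assertion =
                    (SamlAssertionWrapper) previousResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                STRParserUtil.checkSamlTokenBSPCompliance(strElement, assertion, data.getBSPEnforcer());
                // The key comes from the assertion's subject confirmation, not from the result.
                parserResult.setSecretKey(
                    SAMLUtil.getCredentialFromSubject(assertion, new WSSSAMLKeyInfoProcessor(data),
                                                      data.getSigVerCrypto(), data.getCallbackHandler())
                        .getSecret());
                break;
            }
            default:
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId");
        }
        return parserResult;
    }

    /**
     * Resolves an STR whose target was not processed earlier in this header.
     *
     * @param strElement the STR being resolved
     * @param uri        the referenced id (see {@link #parseSecurityTokenReference}); may be null
     * @param data       the current request data
     * @return a result carrying the resolved secret key
     * @throws WSSecurityException {@code FAILED_CHECK} ("unsupportedKeyId") when the STR has
     *         neither a Reference nor a KeyIdentifier, or when no key can be obtained for it
     */
    private STRParserResult processSTR(SecurityTokenReference strElement, String uri, RequestData data)
        throws WSSecurityException {
        STRParserResult parserResult = new STRParserResult();
        if (strElement.containsReference()) {
            // Direct reference: the only source is the password callback, queried with the
            // security-context-token usage.
            byte[] secretKey = STRParserUtil.getSecretKeyFromToken(
                uri, null, CALLBACK_SECURITY_CONTEXT_TOKEN, data);
            parserResult.setSecretKey(requireSecretKey(secretKey, uri));
        } else if (strElement.containsKeyIdentifier()) {
            String valueType = strElement.getKeyIdentifierValueType();
            if (WSS4JConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
                parserResult.setSecretKey(requireSecretKey(resolveKerberosKey(strElement, valueType, data), uri));
            } else {
                parserResult.setSecretKey(resolveX509OrCallbackKey(strElement, valueType, uri, data));
            }
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId");
        }
        return parserResult;
    }

    /**
     * Resolves a Kerberos KeyIdentifier: first via the password callback, then by matching the
     * KeyIdentifier's SKI bytes against the digest of each BinarySecurityToken already processed
     * in this header.
     *
     * @return the secret key, or null when neither source yields one
     */
    private static byte[] resolveKerberosKey(SecurityTokenReference strElement, String valueType,
                                             RequestData data) throws WSSecurityException {
        byte[] secretKey = STRParserUtil.getSecretKeyFromToken(
            strElement.getKeyIdentifierValue(), valueType, CALLBACK_SECRET_KEY, data);
        if (secretKey != null) {
            return secretKey;
        }
        byte[] skiBytes = strElement.getSKIBytes();
        for (WSSecurityEngineResult bstResult : data.getWsDocInfo().getResultsByTag(ACTION_BST)) {
            BinarySecurity bst =
                (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            // Digest comparison identifies the token; the secret itself is whatever the BST
            // processor stored under TAG_SECRET (may be null).
            if (Arrays.equals(KeyUtils.generateDigest(bst.getToken()), skiBytes)) {
                return (byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET);
            }
        }
        return null;
    }

    /**
     * Resolves a non-Kerberos KeyIdentifier: through the decryption {@link Crypto} when it maps the
     * identifier to a certificate, otherwise through the password callback.
     *
     * @return the resolved key bytes; for the certificate path these are the encoded bytes of the
     *         matching private key
     * @throws WSSecurityException {@code FAILED_CHECK} ("unsupportedKeyId") when the callback
     *         fallback yields nothing; BSP checks may also throw
     */
    private static byte[] resolveX509OrCallbackKey(SecurityTokenReference strElement, String valueType,
                                                   String uri, RequestData data) throws WSSecurityException {
        if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
            STRParserUtil.checkEncryptedKeyBSPCompliance(strElement, data.getBSPEnforcer());
        }
        Crypto decCrypto = data.getDecCrypto();
        // NOTE(review): decCrypto may be null; whether getKeyIdentifier(null) returns certs or
        // throws is decided in SecurityTokenReference — if it returned a cert, the getPrivateKey
        // call below would NPE. Confirm against that class.
        X509Certificate[] certs = strElement.getKeyIdentifier(decCrypto);
        if (certs == null || certs.length < 1 || certs[0] == null) {
            byte[] secretKey = STRParserUtil.getSecretKeyFromToken(
                strElement.getKeyIdentifierValue(), valueType, CALLBACK_SECRET_KEY, data);
            return requireSecretKey(secretKey, uri);
        }
        return decCrypto.getPrivateKey(certs[0], data.getCallbackHandler()).getEncoded();
    }

    /**
     * Rejects a null key with the parser's standard failure.
     *
     * @param secretKey the candidate key
     * @param uri       the referenced id, reported in the exception arguments
     * @return {@code secretKey}, never null
     * @throws WSSecurityException {@code FAILED_CHECK} ("unsupportedKeyId") when the key is null
     */
    private static byte[] requireSecretKey(byte[] secretKey, String uri) throws WSSecurityException {
        if (secretKey == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILED_CHECK, "unsupportedKeyId", new Object[]{uri});
        }
        return secretKey;
    }
}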
