package org.apache.ws.security.processor;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.CustomTokenPrincipal;
import org.apache.ws.security.PublicKeyCallback;
import org.apache.ws.security.PublicKeyPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DerivedKeyToken;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.opensaml.SAMLAssertion;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/wss4j-1.5.7.jar:org/apache/ws/security/processor/SignatureProcessor.class */
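/**
 * Processor for a {@code <ds:Signature>} element inside a wsse:Security header.
 * <p>
 * It resolves the signing key from the signature's {@code <ds:KeyInfo>} (a bare
 * KeyValue, or a wsse:SecurityTokenReference pointing at an X.509 token, a
 * UsernameToken, a DerivedKeyToken, a SAML assertion, an EncryptedKey, a custom
 * token, or a KeyIdentifier), checks the signature value with that key and
 * records which elements were covered.
 * <p>
 * Security notes a deployer should be aware of (all visible in this class):
 * <ul>
 * <li>Only the certificate's validity period is checked here
 * ({@link X509Certificate#checkValidity()}). Whether the certificate chains to a
 * trusted anchor is NOT established by this class; presumably the caller
 * (handler) does that — verify in the deployment.</li>
 * <li>A bare {@code <ds:KeyValue>} public key is attacker-supplied; the only thing
 * standing between it and a "valid" signature is the {@link PublicKeyCallback}
 * that the configured {@link CallbackHandler} must answer.</li>
 * <li>Elements recorded as "signed" are looked up by Id separately from what the
 * XML-Security resolver actually digested (see the reference loop); if a document
 * contains duplicate Ids the two may diverge.</li>
 * </ul>
 * The class keeps one piece of state, the Id of the last signature processed.
 */
public class SignatureProcessor implements Processor {
    private static Log log;
    private static Log tlog;
    /** Id attribute of the most recently processed ds:Signature; exposed via getId(). */
    private String signatureId;
    /** Pre-Java-5 class-literal cache (decompiled idiom); see the static initialiser. */
    static Class class$org$apache$ws$security$processor$SignatureProcessor;

    /**
     * Verifies the signature element and prepends a {@link WSSecurityEngineResult}
     * to {@code vector}.
     *
     * @param element          the {@code <ds:Signature>} element
     * @param crypto           signature Crypto used to look up / load certificates (may be null;
     *                         branches that need it fail with "noSigCryptoFile")
     * @param crypto2          decryption Crypto; not used by this processor
     * @param callbackHandler  answers key / password / public-key callbacks
     * @param wSDocInfo        per-document registry of already-processed tokens
     * @param vector           result list; the new result is inserted at index 0
     * @param wSSConfig        engine configuration; not used by this processor
     * @throws WSSecurityException if the key cannot be resolved or the signature does not verify
     */
    @Override // org.apache.ws.security.processor.Processor
    public void handleToken(Element element, Crypto crypto, Crypto crypto2, CallbackHandler callbackHandler, WSDocInfo wSDocInfo, Vector vector, WSSConfig wSSConfig) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Found signature element");
        }
        // store() reports whether WE registered the doc info; only then do we remove it again.
        boolean registered = WSDocInfoStore.store(wSDocInfo);
        X509Certificate[] returnCert = new X509Certificate[1];
        Set returnElements = new HashSet();
        List protectedElements = new ArrayList();
        // one-slot out-parameter for the raw signature value bytes
        byte[][] signatureValue = new byte[1][];
        Principal principal;
        try {
            principal = verifyXMLSignature(element, crypto, returnCert, returnElements, protectedElements, signatureValue, callbackHandler, wSDocInfo);
        } finally {
            // always undo our own registration, whether verification succeeded or threw
            if (registered) {
                WSDocInfoStore.delete(wSDocInfo);
            }
        }
        if (principal instanceof WSUsernameTokenPrincipal) {
            // 64 == WSConstants.UT_SIGN in this version: signature keyed from a UsernameToken, no certificate
            vector.add(0, new WSSecurityEngineResult(64, principal, (X509Certificate) null, returnElements, protectedElements, signatureValue[0]));
        } else {
            // 2 == WSConstants.SIGN in this version; returnCert[0] may be null for non-X.509 keys
            vector.add(0, new WSSecurityEngineResult(2, principal, returnCert[0], returnElements, protectedElements, signatureValue[0]));
        }
        this.signatureId = element.getAttributeNS(null, "Id");
    }

    /**
     * Resolves the verification key from the signature's KeyInfo, checks the signature
     * and collects the signed references.
     *
     * @param element              the {@code <ds:Signature>} element
     * @param crypto               signature Crypto (may be null)
     * @param x509CertificateArr   out: slot 0 receives the signing certificate when one was used
     * @param set                  out: for each signed reference, the referenced Id (or the
     *                             {@link Reference} itself for a whole-document reference)
     * @param list                 out: one {@link WSDataRef} per Id-based reference
     * @param bArr                 out: slot 0 receives the raw signature value
     * @param callbackHandler      answers key / password / public-key callbacks
     * @param wSDocInfo            per-document registry of already-processed tokens
     * @return the principal the signing key is attributed to
     * @throws WSSecurityException on unsupported KeyInfo, missing key, invalid certificate
     *         dates, rejected public key, or failed signature check
     */
    protected Principal verifyXMLSignature(Element element, Crypto crypto, X509Certificate[] x509CertificateArr, Set set, List list, byte[][] bArr, CallbackHandler callbackHandler, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (log.isDebugEnabled()) {
            log.debug("Verify XML Signature");
        }
        long t0 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
        try {
            XMLSignature sig = new XMLSignature(element, (String) null);
            // resolves same-document "#id" references against the SOAP envelope
            sig.addResourceResolver(EnvelopeIdResolver.getInstance());

            // Exactly which of these gets populated depends on the KeyInfo shape below.
            X509Certificate[] certs = null;
            byte[] secretKey = null;
            PublicKey publicKey = null;
            UsernameToken ut = null;
            DerivedKeyToken dkt = null;
            SAMLKeyInfo samlKi = null;
            String customTokenId = null;

            KeyInfo info = sig.getKeyInfo();
            if (info != null && info.containsKeyValue()) {
                // Raw public key carried in the message itself; trusted only if the
                // PublicKeyCallback below says so.
                try {
                    publicKey = info.getPublicKey();
                } catch (Exception e) {
                    throw new WSSecurityException(e.getMessage(), e);
                }
            } else if (info != null) {
                Node node = WSSecurityUtil.getDirectChild(info.getElement(), "SecurityTokenReference", WSConstants.WSSE_NS);
                if (node == null) {
                    // 3 == INVALID_SECURITY in this version
                    throw new WSSecurityException(3, "unsupportedKeyInfo");
                }
                SecurityTokenReference secRef = new SecurityTokenReference((Element) node);
                if (secRef.containsReference()) {
                    Element token = secRef.getTokenElement(element.getOwnerDocument(), wSDocInfo, callbackHandler);
                    QName el = new QName(token.getNamespaceURI(), token.getLocalName());
                    if (el.equals(WSSecurityEngine.usernameToken)) {
                        // UsernameToken must already have been processed; its processor holds the key material
                        String id = token.getAttributeNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Id");
                        ut = ((UsernameTokenProcessor) wSDocInfo.getProcessor(id)).getUt();
                        secretKey = ut.isDerivedKey() ? ut.getDerivedKey() : ut.getSecretKey();
                    } else if (el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02) || el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_12)) {
                        dkt = new DerivedKeyToken(token);
                        // key length: explicit wsc:Length if present, else implied by the SignatureMethod
                        int keyLength = dkt.getLength() > 0
                                ? dkt.getLength()
                                : WSSecurityUtil.getKeyLength(sig.getSignedInfo().getSignatureMethodURI());
                        secretKey = ((DerivedKeyTokenProcessor) wSDocInfo.getProcessor(dkt.getID())).getKeyBytes(keyLength);
                    } else if (el.equals(WSSecurityEngine.binaryToken)) {
                        certs = getCertificatesTokenReference(token, crypto);
                    } else if (el.equals(WSSecurityEngine.SAML_TOKEN)) {
                        if (crypto == null) {
                            throw new WSSecurityException(0, "noSigCryptoFile");
                        }
                        samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, callbackHandler);
                        certs = samlKi.getCerts();
                        secretKey = samlKi.getSecret();
                    } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
                        // reuse the EncryptedKey result if it was processed earlier, else decrypt it now
                        EncryptedKeyProcessor ekp = (EncryptedKeyProcessor) wSDocInfo.getProcessor(token.getAttributeNS(null, "Id"));
                        if (ekp == null) {
                            if (crypto == null) {
                                throw new WSSecurityException(0, "noSigCryptoFile");
                            }
                            ekp = new EncryptedKeyProcessor();
                            ekp.handleEncryptedKey(token, callbackHandler, crypto);
                        }
                        secretKey = ekp.getDecryptedBytes();
                    } else {
                        // Unknown token type: ask the application for the key by token id.
                        String id = stripFragment(secRef.getReference().getURI());
                        // 7 == WSPasswordCallback.CUSTOM_TOKEN in this version — confirm against WSPasswordCallback
                        WSPasswordCallback pwcb = new WSPasswordCallback(id, 7);
                        try {
                            callbackHandler.handle(new Callback[]{pwcb});
                            secretKey = pwcb.getKey();
                            customTokenId = id;
                            if (secretKey == null) {
                                // note: caught by the catch below and re-reported as "noPassword"
                                throw new WSSecurityException(3, "unsupportedKeyInfo", new Object[]{el.toString()});
                            }
                        } catch (Exception e2) {
                            throw new WSSecurityException(0, "noPassword", new Object[]{id}, e2);
                        }
                    }
                } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
                    certs = secRef.getX509IssuerSerial(crypto);
                } else if (secRef.containsKeyIdentifier()) {
                    String valueType = secRef.getKeyIdentifierValueType();
                    if (valueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
                        // key referenced by SHA-1 of an earlier EncryptedKey; the application must supply it
                        String encKeySha1 = secRef.getKeyIdentifierValue();
                        // 8 == WSPasswordCallback.ENCRYPTED_KEY_TOKEN in this version — confirm against WSPasswordCallback
                        WSPasswordCallback pwcb = new WSPasswordCallback(encKeySha1, null, SecurityTokenReference.ENC_KEY_SHA1_URI, 8);
                        try {
                            callbackHandler.handle(new Callback[]{pwcb});
                            secretKey = pwcb.getKey();
                        } catch (Exception e3) {
                            throw new WSSecurityException(0, "noPassword", new Object[]{encKeySha1}, e3);
                        }
                    } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID".equals(valueType)) {
                        // token element is resolved before the crypto check, as in the original flow
                        Element token = secRef.getKeyIdentifierTokenElement(element.getOwnerDocument(), wSDocInfo, callbackHandler);
                        if (crypto == null) {
                            throw new WSSecurityException(0, "noSigCryptoFile");
                        }
                        samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, callbackHandler);
                        certs = samlKi.getCerts();
                        secretKey = samlKi.getSecret();
                    } else {
                        certs = secRef.getKeyIdentifier(crypto);
                    }
                } else {
                    throw new WSSecurityException(3, "unsupportedKeyInfo", new Object[]{node.toString()});
                }
            } else {
                // No KeyInfo at all: fall back to the Crypto's configured default certificate.
                if (crypto == null) {
                    throw new WSSecurityException(0, "noSigCryptoFile");
                }
                if (crypto.getDefaultX509Alias() == null) {
                    throw new WSSecurityException(3, "unsupportedKeyInfo");
                }
                certs = crypto.getCertificates(crypto.getDefaultX509Alias());
            }
            long t1 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;

            // An empty array or a null first entry carries no certificate. Normalise it to null
            // so the dereferences of certs[0] below cannot blow up with an
            // ArrayIndexOutOfBounds/NullPointerException when a secret key or public key is
            // also present (previously only the all-null case was guarded).
            if (certs != null && (certs.length == 0 || certs[0] == null)) {
                certs = null;
            }
            if (certs == null && secretKey == null && publicKey == null) {
                // 6 == FAILED_CHECK in this version
                throw new WSSecurityException(6);
            }
            if (certs != null) {
                // Date validity only. Chain building / trust in the certificate is NOT done here.
                try {
                    certs[0].checkValidity();
                } catch (CertificateExpiredException e4) {
                    throw new WSSecurityException(6, "invalidCert", null, e4);
                } catch (CertificateNotYetValidException e5) {
                    throw new WSSecurityException(6, "invalidCert", null, e5);
                }
            }
            if (publicKey != null) {
                // The application decides whether this in-message public key is acceptable;
                // a handler that does not support the callback ends up here as a failure too.
                PublicKeyCallback pkCallback = new PublicKeyCallback(publicKey);
                try {
                    callbackHandler.handle(new Callback[]{pkCallback});
                    if (!pkCallback.isVerified()) {
                        // 5 == FAILED_AUTHENTICATION in this version
                        throw new WSSecurityException(5, null, null, null);
                    }
                } catch (Exception e6) {
                    throw new WSSecurityException(5, null, null, e6);
                }
            }

            try {
                boolean valid;
                if (certs != null) {
                    valid = sig.checkSignatureValue(certs[0]);
                } else if (publicKey != null) {
                    valid = sig.checkSignatureValue(publicKey);
                } else {
                    valid = sig.checkSignatureValue(sig.createSecretKey(secretKey));
                }
                if (!valid) {
                    throw new WSSecurityException(6);
                }
                bArr[0] = sig.getSignatureValue();
            } catch (XMLSignatureException e8) {
                throw new WSSecurityException(6, null, null, e8);
            }
            if (tlog.isDebugEnabled()) {
                long t2 = System.currentTimeMillis();
                tlog.debug(new StringBuffer().append("Verify: total= ").append(t2 - t0)
                        .append(", prepare-cert= ").append(t1 - t0)
                        .append(", verify= ").append(t2 - t1).toString());
            }

            // Record what the signature covered. NOTE(review): the element found here by Id is
            // looked up independently of what the resolver digested during verification; with
            // duplicate Ids in the document the two could name different elements.
            SignedInfo si = sig.getSignedInfo();
            int numReferences = si.getLength();
            for (int i = 0; i < numReferences; i++) {
                try {
                    Reference siRef = si.item(i);
                    String uri = siRef.getURI();
                    if (uri == null || "".equals(uri)) {
                        // whole-document reference: record the Reference object itself
                        set.add(siRef);
                    } else {
                        Element se = WSSecurityUtil.getElementByWsuId(element.getOwnerDocument(), uri);
                        if (se == null) {
                            se = WSSecurityUtil.getElementByGenId(element.getOwnerDocument(), uri);
                        }
                        if (se == null) {
                            throw new WSSecurityException(6);
                        }
                        WSDataRef dataRef = new WSDataRef(uri);
                        dataRef.setWsuId(uri);
                        dataRef.setName(new QName(se.getNamespaceURI(), se.getLocalName()));
                        list.add(dataRef);
                        set.add(WSSecurityUtil.getIDFromReference(uri));
                    }
                } catch (XMLSecurityException e7) {
                    throw new WSSecurityException(6, null, null, e7);
                }
            }

            // Attribute the signature to a principal, in the same precedence as before:
            // certificate, public key, UsernameToken, DerivedKeyToken, SAML, custom token.
            if (certs != null) {
                x509CertificateArr[0] = certs[0];
                return certs[0].getSubjectDN();
            }
            if (publicKey != null) {
                return new PublicKeyPrincipal(publicKey);
            }
            if (ut != null) {
                WSUsernameTokenPrincipal utPrincipal = new WSUsernameTokenPrincipal(ut.getName(), ut.isHashed());
                utPrincipal.setNonce(ut.getNonce());
                utPrincipal.setPassword(ut.getPassword());
                utPrincipal.setCreatedTime(ut.getCreated());
                return utPrincipal;
            }
            if (dkt != null) {
                WSDerivedKeyTokenPrincipal dktPrincipal = new WSDerivedKeyTokenPrincipal(dkt.getID());
                dktPrincipal.setNonce(dkt.getNonce());
                dktPrincipal.setLabel(dkt.getLabel());
                dktPrincipal.setLength(dkt.getLength());
                dktPrincipal.setOffset(dkt.getOffset());
                // base token: either a direct "#id" reference or a KeyIdentifier value
                SecurityTokenReference baseRef = dkt.getSecurityTokenReference();
                String baseTokenId;
                if (baseRef.containsReference()) {
                    baseTokenId = stripFragment(baseRef.getReference().getURI());
                } else {
                    baseTokenId = baseRef.getKeyIdentifierValue();
                }
                dktPrincipal.setBasetokenId(baseTokenId);
                return dktPrincipal;
            }
            if (samlKi != null) {
                SAMLAssertion assertion = samlKi.getAssertion();
                CustomTokenPrincipal samlPrincipal = new CustomTokenPrincipal(assertion.getId());
                samlPrincipal.setTokenObject(assertion);
                return samlPrincipal;
            }
            if (secretKey != null) {
                return new CustomTokenPrincipal(customTokenId);
            }
            throw new WSSecurityException("Cannot determine principal");
        } catch (XMLSecurityException e9) {
            throw new WSSecurityException(6, "noXMLSig", null, e9);
        }
    }

    /**
     * Drops a leading '#' from a same-document reference URI. Null and empty input are
     * returned unchanged (the previous code threw on an empty string).
     */
    private static String stripFragment(String uri) {
        if (uri != null && uri.length() > 0 && uri.charAt(0) == '#') {
            return uri.substring(1);
        }
        return uri;
    }

    /**
     * Extracts the certificate(s) carried by a wsse:BinarySecurityToken.
     *
     * @param element the BinarySecurityToken element
     * @param crypto  Crypto used to parse the certificate bytes
     * @return the certificate chain for a PKIPath token, a one-element array for an X509v3
     *         token, or null for any other BinarySecurity subtype
     * @throws WSSecurityException if crypto is null or the ValueType is unsupported
     */
    public X509Certificate[] getCertificatesTokenReference(Element element, Crypto crypto) throws WSSecurityException {
        if (crypto == null) {
            throw new WSSecurityException(0, "noSigCryptoFile");
        }
        BinarySecurity token = createSecurityToken(element);
        if (token instanceof PKIPathSecurity) {
            return ((PKIPathSecurity) token).getX509Certificates(false, crypto);
        }
        if (token instanceof X509Security) {
            return new X509Certificate[]{((X509Security) token).getX509Certificate(crypto)};
        }
        return null;
    }

    /**
     * Wraps a BinarySecurityToken element in the concrete token class matching its ValueType.
     *
     * @throws WSSecurityException (code 1, "unsupportedBinaryTokenType") for any ValueType
     *         other than X509v3 or PKIPath
     */
    private BinarySecurity createSecurityToken(Element element) throws WSSecurityException {
        String valueType = new BinarySecurity(element).getValueType();
        if (X509Security.X509_V3_TYPE.equals(valueType)) {
            return new X509Security(element);
        }
        if (PKIPathSecurity.getType().equals(valueType)) {
            return new PKIPathSecurity(element);
        }
        throw new WSSecurityException(1, "unsupportedBinaryTokenType", new Object[]{valueType});
    }

    /** @return the Id of the last signature handled by this instance, or null if none yet. */
    @Override // org.apache.ws.security.processor.Processor
    public String getId() {
        return this.signatureId;
    }

    /** Pre-Java-5 replacement for a class literal; kept as emitted by the original build. */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }

    static {
        Class cls;
        if (class$org$apache$ws$security$processor$SignatureProcessor == null) {
            cls = class$("org.apache.ws.security.processor.SignatureProcessor");
            class$org$apache$ws$security$processor$SignatureProcessor = cls;
        } else {
            cls = class$org$apache$ws$security$processor$SignatureProcessor;
        }
        log = LogFactory.getLog(cls.getName());
        // separate logger for the verification timing line
        tlog = LogFactory.getLog("org.apache.ws.security.TIME");
    }
}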
