package org.apache.wss4j.stax.impl.processor.output;

import java.security.Key;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamException;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SAMLUtil;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.KeyInfoBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.stax.ext.WSSConfigurationException;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurePart;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.utils.WSSUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
import org.apache.xml.security.stax.ext.OutputProcessorChain;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
import org.opensaml.saml.common.SAMLVersion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.class */
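/**
 * Output processor that obtains a SAML assertion from the configured SAML callback handler,
 * signs it when the callback asks for that, works out how the assertion is bound to the
 * message signature (sender-vouches, holder-of-key, or a configured signature part) and
 * hands the actual serialisation into the {@code wsse:Security} header to a
 * {@link FinalSAMLTokenOutputProcessor}.
 *
 * <p>The processor removes itself from the chain after the first event it sees, so all of
 * this happens once per message.
 */
public class SAMLTokenOutputProcessor extends AbstractOutputProcessor {
    private static final Logger LOG = LoggerFactory.getLogger(SAMLTokenOutputProcessor.class);

    /** Security-context property naming the token id the signature processor must sign with. */
    private static final String CTX_USE_THIS_TOKEN_ID_FOR_SIGNATURE = "PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE";
    /** Security-context map collecting the parts the signature processor must cover. */
    private static final String CTX_SIGNATURE_PARTS = "signatureParts";
    /** Local name of the SAML {@code Assertion} element (same for SAML 1.1 and 2.0). */
    private static final String ASSERTION_LOCAL_NAME = "Assertion";

    /**
     * Chain element that writes the assertion — preceded, when needed, by a
     * {@code wsse:BinarySecurityToken} with the signing certificate and followed by a
     * {@code wsse:SecurityTokenReference} — as soon as the {@code wsse:Security} start
     * element has been emitted.
     *
     * <p>Deliberately a non-static inner class: it calls back into the enclosing processor
     * to write the SecurityTokenReference.
     */
    public class FinalSAMLTokenOutputProcessor extends AbstractOutputProcessor {
        /** Token whose certificate chain backs the signature; only set for sender-vouches signing. */
        private final OutboundSecurityToken securityToken;
        private final SamlAssertionWrapper samlAssertionWrapper;
        /** wsu:Id assigned to the SecurityTokenReference written after the assertion. */
        private final String securityTokenReferenceId;
        /** Whether the assertion's first confirmation method is sender-vouches. */
        private final boolean senderVouches;
        /** Whether a SecurityTokenReference pointing at the assertion is written at all. */
        private final boolean includeSTR;

        /**
         * @param outboundSecurityToken   signing token for sender-vouches, otherwise {@code null}
         * @param samlAssertionWrapper    assertion to serialise
         * @param securityTokenReferenceId wsu:Id of the STR emitted when {@code includeSTR} is set
         * @param senderVouches           whether the assertion uses the sender-vouches confirmation method
         * @param includeSTR              whether to emit a wsse:SecurityTokenReference after the assertion
         * @throws XMLSecurityException   propagated from the processor-ordering calls
         */
        FinalSAMLTokenOutputProcessor(OutboundSecurityToken outboundSecurityToken,
                                      SamlAssertionWrapper samlAssertionWrapper,
                                      String securityTokenReferenceId,
                                      boolean senderVouches,
                                      boolean includeSTR) throws XMLSecurityException {
            // Run after the token processors that create this one, but before the signature
            // processor, so the assertion exists by the time the signature references it.
            addAfterProcessor(UsernameTokenOutputProcessor.class);
            addAfterProcessor(SAMLTokenOutputProcessor.class);
            addBeforeProcessor(WSSSignatureOutputProcessor.class);
            this.securityToken = outboundSecurityToken;
            this.samlAssertionWrapper = samlAssertionWrapper;
            this.securityTokenReferenceId = securityTokenReferenceId;
            this.senderVouches = senderVouches;
            this.includeSTR = includeSTR;
        }

        /**
         * Forwards the event and, once the {@code wsse:Security} start element for the configured
         * actor has gone out, writes the (optional) BinarySecurityToken, the assertion and the
         * (optional) SecurityTokenReference, then removes itself from the chain.
         *
         * @throws XMLSecurityException if no DOM document can be created for the assertion,
         *         or propagated from the chain
         */
        @Override
        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
                throws XMLStreamException, XMLSecurityException {
            // Forward first: the security header start element must precede the token.
            outputProcessorChain.processEvent(xmlSecEvent);
            WSSSecurityProperties wssProperties = (WSSSecurityProperties) getSecurityProperties();
            if (!WSSUtils.isSecurityHeaderElement(xmlSecEvent, wssProperties.getActor())) {
                return;
            }
            OutputProcessorChain subChain = outputProcessorChain.createSubChain(this);
            if (includeBST()) {
                OutputProcessorUtils.updateSecurityHeaderOrder(
                        outputProcessorChain, WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN, getAction(), false);
                WSSUtils.createBinarySecurityTokenStructure(this, outputProcessorChain, securityToken.getId(),
                        securityToken.getX509Certificates(), getSecurityProperties().isUseSingleCert());
            }
            QName assertionTag = samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11
                    ? WSSConstants.TAG_SAML_ASSERTION : WSSConstants.TAG_SAML2_ASSERTION;
            OutputProcessorUtils.updateSecurityHeaderOrder(outputProcessorChain, assertionTag, getAction(), false);
            try {
                outputDOMElement(
                        samlAssertionWrapper.toDOM(wssProperties.getDocumentCreator().newDocument()), subChain);
                if (includeSTR) {
                    OutputProcessorUtils.updateSecurityHeaderOrder(
                            outputProcessorChain, WSSConstants.TAG_WSSE_SECURITY_TOKEN_REFERENCE, getAction(), false);
                    SAMLTokenOutputProcessor.this.outputSecurityTokenReference(
                            subChain, samlAssertionWrapper, securityTokenReferenceId, samlAssertionWrapper.getId());
                }
            } catch (ParserConfigurationException e) {
                LOG.debug("Error writing out SAML Assertion", e);
                throw new XMLSecurityException(e);
            }
            // Done for this message; a failure above leaves the processor in place, as before.
            outputProcessorChain.removeProcessor(this);
        }

        /**
         * A BinarySecurityToken is only written for sender-vouches when the signature uses a
         * direct reference to the signing certificate and the signature processor will not
         * already emit that token itself.
         */
        private boolean includeBST() {
            if (!senderVouches || securityToken == null) {
                return false;
            }
            boolean directReference = getSecurityProperties().getSignatureKeyIdentifiers()
                    .contains(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
            if (!directReference) {
                return false;
            }
            boolean signatureProcessorEmitsToken = WSSConstants.SAML_TOKEN_SIGNED.equals(this.action)
                    && ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
            return !signatureProcessorEmitsToken;
        }
    }

    /**
     * Lazily builds the outbound security token for a holder-of-key assertion. The key
     * material comes from the subject's KeyInfo: an X.509 certificate (private key looked up
     * through the signature crypto and a password callback), a bare public key (the issuer's
     * private key) or an ephemeral symmetric key.
     *
     * <p>Not thread-safe: the token is cached in a plain field on first use.
     */
    public static class SAMLSecurityTokenProvider implements SecurityTokenProvider<OutboundSecurityToken> {
        private final SAMLCallback samlCallback;
        private final WSSSecurityProperties securityProperties;
        private final String tokenId;
        /** Custom SecurityTokenReference to attach to the token; may be {@code null}. */
        private final Element customTokenReference;
        private final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor;
        /** Created on the first {@link #getSecurityToken()} call, then reused. */
        private GenericOutboundSecurityToken samlSecurityToken;

        SAMLSecurityTokenProvider(SAMLCallback samlCallback,
                                  WSSSecurityProperties securityProperties,
                                  String tokenId,
                                  Element customTokenReference,
                                  FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor) {
            this.samlCallback = samlCallback;
            this.securityProperties = securityProperties;
            this.tokenId = tokenId;
            this.customTokenReference = customTokenReference;
            this.finalSAMLTokenOutputProcessor = finalSAMLTokenOutputProcessor;
        }

        /**
         * Returns the cached token, creating it on first call. An asymmetric token is built when a
         * private key can be resolved from the subject KeyInfo; otherwise a token whose secret key
         * is derived on demand from the KeyInfo's ephemeral key.
         *
         * @throws XMLSecurityException if the signature crypto or password callback fails
         */
        @Override
        public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
            if (samlSecurityToken != null) {
                return samlSecurityToken;
            }
            SecurityTokenConstants.TokenType tokenType = tokenTypeFor(samlCallback.getSamlVersion());
            PrivateKey privateKey = getPrivateKeyUsingCallback();
            if (privateKey != null) {
                samlSecurityToken = new GenericOutboundSecurityToken(
                        tokenId, tokenType, privateKey, getCertificatesUsingCallback());
            } else {
                // Symmetric holder-of-key: the secret key is only materialised when asked for.
                samlSecurityToken = new GenericOutboundSecurityToken(tokenId, tokenType) {
                    @Override
                    public Key getSecretKey(String algorithmURI) throws WSSecurityException {
                        try {
                            Key secretKey = super.getSecretKey(algorithmURI);
                            if (secretKey != null) {
                                return secretKey;
                            }
                            byte[] ephemeralKey = SAMLSecurityTokenProvider.this.getSecretKeyUsingCallback();
                            if (ephemeralKey != null && ephemeralKey.length > 0) {
                                secretKey = new SecretKeySpec(
                                        ephemeralKey, JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI));
                                setSecretKey(algorithmURI, secretKey);
                            }
                            return secretKey;
                        } catch (XMLSecurityException e) {
                            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
                        }
                    }
                };
            }
            samlSecurityToken.setProcessor(finalSAMLTokenOutputProcessor);
            samlSecurityToken.setCustomTokenReference(customTokenReference);
            return samlSecurityToken;
        }

        /** Maps the callback's SAML version to the token type; anything but 1.0/1.1 is treated as 2.0. */
        private static SecurityTokenConstants.TokenType tokenTypeFor(SAMLVersion samlVersion) {
            if (samlVersion == SAMLVersion.VERSION_10) {
                return WSSecurityTokenConstants.SAML_10_TOKEN;
            }
            if (samlVersion == SAMLVersion.VERSION_11) {
                return WSSecurityTokenConstants.SAML_11_TOKEN;
            }
            return WSSecurityTokenConstants.SAML_20_TOKEN;
        }

        /** @return the subject's KeyInfo, or {@code null} when the callback has no subject or no KeyInfo */
        private KeyInfoBean subjectKeyInfo() {
            SubjectBean subject = samlCallback.getSubject();
            return subject == null ? null : subject.getKeyInfo();
        }

        /**
         * Resolves the keystore alias of {@code certificate} through the signature crypto.
         *
         * @throws WSSecurityException ({@code aliasIsNull}) when the certificate is not in the keystore
         */
        private String aliasFor(X509Certificate certificate) throws WSSConfigurationException, WSSecurityException {
            String alias = securityProperties.getSignatureCrypto().getX509Identifier(certificate);
            if (alias == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "aliasIsNull");
            }
            return alias;
        }

        /**
         * Private key for the subject: looked up by certificate alias (password obtained via a
         * SIGNATURE password callback), or the issuer's key when the KeyInfo only carries a public
         * key. {@code null} when the KeyInfo holds neither.
         */
        private PrivateKey getPrivateKeyUsingCallback() throws WSSConfigurationException, WSSecurityException {
            KeyInfoBean keyInfo = subjectKeyInfo();
            if (keyInfo == null) {
                return null;
            }
            X509Certificate certificate = keyInfo.getCertificate();
            if (certificate == null) {
                if (keyInfo.getPublicKey() != null) {
                    return securityProperties.getSignatureCrypto().getPrivateKey(
                            samlCallback.getIssuerKeyName(), samlCallback.getIssuerKeyPassword());
                }
                return null;
            }
            String alias = aliasFor(certificate);
            WSPasswordCallback passwordCallback = new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE);
            WSSUtils.doPasswordCallback(securityProperties.getCallbackHandler(), passwordCallback);
            return securityProperties.getSignatureCrypto().getPrivateKey(alias, passwordCallback.getPassword());
        }

        /**
         * Certificate chain for the subject's certificate, or an empty array when the KeyInfo
         * carries no certificate.
         */
        private X509Certificate[] getCertificatesUsingCallback() throws WSSConfigurationException, WSSecurityException {
            KeyInfoBean keyInfo = subjectKeyInfo();
            X509Certificate certificate = keyInfo == null ? null : keyInfo.getCertificate();
            if (certificate == null) {
                return new X509Certificate[0];
            }
            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(aliasFor(certificate));
            return securityProperties.getSignatureCrypto().getX509Certificates(cryptoType);
        }

        /**
         * Ephemeral key bytes from the KeyInfo, or an empty array when the KeyInfo is absent or
         * carries asymmetric material instead. May return {@code null} if the bean holds none.
         */
        private byte[] getSecretKeyUsingCallback() throws WSSConfigurationException, WSSecurityException {
            KeyInfoBean keyInfo = subjectKeyInfo();
            if (keyInfo == null || keyInfo.getCertificate() != null || keyInfo.getPublicKey() != null) {
                return new byte[0];
            }
            return keyInfo.getEphemeralKey();
        }

        @Override
        public String getId() {
            return tokenId;
        }
    }

    public SAMLTokenOutputProcessor() throws XMLSecurityException {
        // The assertion must be decided on before BSTs and the signature are produced.
        addBeforeProcessor(BinarySecurityTokenOutputProcessor.class);
        addBeforeProcessor(WSSSignatureOutputProcessor.class);
    }

    /**
     * Builds the assertion, chooses the binding to the message signature and installs a
     * {@link FinalSAMLTokenOutputProcessor} that writes it. When the assertion is covered by the
     * signature, a signature part using the STR-Transform is registered so the signature
     * references the assertion through its SecurityTokenReference. The processor always removes
     * itself afterwards, even on failure.
     *
     * @throws XMLSecurityException from the SAML callback, assertion signing or token resolution
     */
    @Override
    public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
            throws XMLStreamException, XMLSecurityException {
        try {
            SAMLCallback samlCallback = new SAMLCallback();
            SAMLUtil.doSAMLCallback(
                    ((WSSSecurityProperties) getSecurityProperties()).getSamlCallbackHandler(), samlCallback);
            SamlAssertionWrapper samlAssertionWrapper = new SamlAssertionWrapper(samlCallback);
            if (samlCallback.isSignAssertion()) {
                samlAssertionWrapper.signAssertion(
                        samlCallback.getIssuerKeyName(), samlCallback.getIssuerKeyPassword(),
                        samlCallback.getIssuerCrypto(), samlCallback.isSendKeyValue(),
                        samlCallback.getCanonicalizationAlgorithm(), samlCallback.getSignatureAlgorithm(),
                        samlCallback.getSignatureDigestAlgorithm());
            }

            // Only the first confirmation method decides how the assertion is bound to the message.
            String confirmationMethod = firstConfirmationMethod(samlAssertionWrapper);
            boolean senderVouches = confirmationMethod != null
                    && OpenSAMLUtil.isMethodSenderVouches(confirmationMethod);
            boolean holderOfKey = !senderVouches && confirmationMethod != null
                    && OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod);

            String securityTokenReferenceId = IDGenerator.generateID((String) null);
            String assertionId = samlAssertionWrapper.getId();
            XMLSecurityConstants.Action action = getAction();
            GenericOutboundSecurityToken signatureToken = lookupSignatureToken(outputProcessorChain);

            FinalSAMLTokenOutputProcessor finalProcessor;
            boolean includedInSignature = false;
            if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && senderVouches) {
                // Sender-vouches: the issuer signs the message, so make sure a token for its key exists.
                includedInSignature = true;
                if (signatureToken == null) {
                    signatureToken = getSecurityToken(samlCallback, outputProcessorChain);
                }
                finalProcessor = new FinalSAMLTokenOutputProcessor(
                        signatureToken, samlAssertionWrapper, securityTokenReferenceId, senderVouches, true);
                finalProcessor.setAction(getAction(), getActionOrder());
                signatureToken.setProcessor(finalProcessor);
            } else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && holderOfKey) {
                // Holder-of-key: the subject's key signs the message; expose it via a lazy provider.
                Element customTokenReference =
                        signatureToken != null ? signatureToken.getCustomTokenReference() : null;
                finalProcessor = new FinalSAMLTokenOutputProcessor(
                        null, samlAssertionWrapper, securityTokenReferenceId, senderVouches, false);
                SAMLSecurityTokenProvider tokenProvider = new SAMLSecurityTokenProvider(
                        samlCallback, (WSSSecurityProperties) getSecurityProperties(),
                        assertionId, customTokenReference, finalProcessor);
                registerHolderOfKeyToken(outputProcessorChain, assertionId, tokenProvider);
            } else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(action)) {
                // Unsigned action: the assertion is still signed if a configured signature part targets it.
                includedInSignature = removeAssertionSignaturePart(samlAssertionWrapper);
                finalProcessor = new FinalSAMLTokenOutputProcessor(
                        null, samlAssertionWrapper, securityTokenReferenceId, senderVouches, includedInSignature);
                if (includedInSignature) {
                    finalProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class);
                }
            } else {
                finalProcessor = new FinalSAMLTokenOutputProcessor(
                        null, samlAssertionWrapper, securityTokenReferenceId, senderVouches, false);
            }
            finalProcessor.setXMLSecurityProperties(getSecurityProperties());
            finalProcessor.setAction(action, getActionOrder());
            finalProcessor.init(outputProcessorChain);

            if (includedInSignature) {
                // The signature covers the assertion through the STR-Transform over the STR
                // (wsu:Id = securityTokenReferenceId) rather than over the assertion element itself.
                WSSSecurePart securePart = new WSSSecurePart(
                        new QName(WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM), SecurePart.Modifier.Element);
                securePart.setIdToSecure(assertionId);
                securePart.setIdToReference(securityTokenReferenceId);
                outputProcessorChain.getSecurityContext().putAsMap(CTX_SIGNATURE_PARTS, assertionId, securePart);
            }
            outputProcessorChain.processEvent(xmlSecEvent);
        } finally {
            // Runs once per message; drop the processor even if token creation failed.
            outputProcessorChain.removeProcessor(this);
        }
    }

    /** @return the assertion's first subject-confirmation method, or {@code null} if it has none */
    private static String firstConfirmationMethod(SamlAssertionWrapper samlAssertionWrapper) {
        List<String> confirmationMethods = samlAssertionWrapper.getConfirmationMethods();
        if (confirmationMethods == null || confirmationMethods.isEmpty()) {
            return null;
        }
        return confirmationMethods.get(0);
    }

    /**
     * Returns the token the signature processor has already been told to sign with, or
     * {@code null} when the security context names none.
     *
     * @throws XMLSecurityException if the registered provider cannot produce its token
     */
    private static GenericOutboundSecurityToken lookupSignatureToken(OutputProcessorChain outputProcessorChain)
            throws XMLSecurityException {
        String tokenId = (String) outputProcessorChain.getSecurityContext().get(CTX_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
        if (tokenId == null) {
            return null;
        }
        SecurityTokenProvider<OutboundSecurityToken> provider =
                outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
        if (provider == null) {
            return null;
        }
        // Tokens registered under this property are GenericOutboundSecurityTokens (see
        // getSecurityToken below); any other implementation is a configuration error and the
        // cast fails loudly, as it did before.
        return (GenericOutboundSecurityToken) provider.getSecurityToken();
    }

    /**
     * Publishes a holder-of-key token: a SAML token security event, the token provider under the
     * assertion id, and the context property telling the signature processor to use that token.
     *
     * @throws XMLSecurityException propagated from registering the security event
     */
    private static void registerHolderOfKeyToken(OutputProcessorChain outputProcessorChain,
                                                 String assertionId,
                                                 final SAMLSecurityTokenProvider tokenProvider)
            throws XMLSecurityException {
        outputProcessorChain.getSecurityContext().registerSecurityEvent(
                new TokenSecurityEvent<OutboundSecurityToken>(WSSecurityEventConstants.SAML_TOKEN) {
                    @Override
                    public OutboundSecurityToken getSecurityToken() {
                        try {
                            return tokenProvider.getSecurityToken();
                        } catch (XMLSecurityException e) {
                            // Event consumers cannot take a checked exception; report "no token" and
                            // let the signature processor surface the real failure when it asks again.
                            LOG.debug(e.getMessage(), e);
                            return null;
                        }
                    }
                });
        outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(assertionId, tokenProvider);
        outputProcessorChain.getSecurityContext().put(CTX_USE_THIS_TOKEN_ID_FOR_SIGNATURE, assertionId);
    }

    /**
     * Removes the configured signature part that targets the assertion (by its ID or by the
     * Assertion element name) and reports whether one was found; the assertion is then signed
     * through the STR-Transform part registered by {@link #processEvent} instead.
     */
    private boolean removeAssertionSignaturePart(SamlAssertionWrapper samlAssertionWrapper) {
        QName assertionName = samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11
                ? new QName(WSSConstants.NS_SAML, ASSERTION_LOCAL_NAME)
                : new QName(WSSConstants.NS_SAML2, ASSERTION_LOCAL_NAME);
        Iterator<SecurePart> parts = securityProperties.getSignatureSecureParts().iterator();
        while (parts.hasNext()) {
            SecurePart securePart = parts.next();
            if (samlAssertionWrapper.getId().equals(securePart.getIdToSecure())
                    || assertionName.equals(securePart.getName())) {
                parts.remove();
                return true;
            }
        }
        return false;
    }

    /**
     * Builds an X.509 token for the assertion issuer and registers it in the security context as
     * the token to sign with, so that a sender-vouches assertion is backed by the issuer's signature.
     *
     * @throws WSSecurityException when no issuer certificate chain is available or the private key
     *         cannot be loaded
     */
    private GenericOutboundSecurityToken getSecurityToken(SAMLCallback samlCallback,
                                                          OutputProcessorChain outputProcessorChain)
            throws WSSecurityException {
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(samlCallback.getIssuerKeyName());
        X509Certificate[] issuerCerts = null;
        if (samlCallback.getIssuerCrypto() != null) {
            issuerCerts = samlCallback.getIssuerCrypto().getX509Certificates(cryptoType);
        }
        // An empty chain is as unusable as a missing one: the BST and signature would have no certificate.
        if (issuerCerts == null || issuerCerts.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty",
                    new Object[]{"No issuer certs were found to sign the SAML Assertion using issuer name: "
                            + samlCallback.getIssuerKeyName()});
        }
        try {
            PrivateKey privateKey = samlCallback.getIssuerCrypto().getPrivateKey(
                    samlCallback.getIssuerKeyName(), samlCallback.getIssuerKeyPassword());
            final String issuerTokenId = IDGenerator.generateID((String) null);
            final GenericOutboundSecurityToken issuerToken = new GenericOutboundSecurityToken(
                    issuerTokenId, WSSecurityTokenConstants.X509V3Token, privateKey, issuerCerts);
            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(
                    issuerTokenId, new SecurityTokenProvider<OutboundSecurityToken>() {
                        @Override
                        public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
                            return issuerToken;
                        }

                        @Override
                        public String getId() {
                            return issuerTokenId;
                        }
                    });
            outputProcessorChain.getSecurityContext().put(CTX_USE_THIS_TOKEN_ID_FOR_SIGNATURE, issuerTokenId);
            return issuerToken;
        } catch (Exception e) {
            // Crypto providers throw a mix of checked and unchecked types; surface them uniformly.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    /**
     * Writes a {@code wsse:SecurityTokenReference} that points at the assertion through a SAML key
     * identifier, typed for SAML 1.1 or 2.0 according to the assertion version.
     *
     * @param strId       wsu:Id of the STR element (the STR-Transform signature part references it)
     * @param assertionId ID of the assertion the key identifier refers to
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // the attribute list's element type is not imported here
    private void outputSecurityTokenReference(OutputProcessorChain outputProcessorChain,
                                              SamlAssertionWrapper samlAssertionWrapper,
                                              String strId,
                                              String assertionId) throws XMLStreamException, XMLSecurityException {
        boolean saml11 = samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11;
        SecurityTokenConstants.TokenType tokenType =
                saml11 ? WSSecurityTokenConstants.SAML_11_TOKEN : WSSecurityTokenConstants.SAML_20_TOKEN;
        String tokenTypeUri =
                saml11 ? WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE : WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE;
        List attributes = new ArrayList(2);
        attributes.add(createAttribute(WSSConstants.ATT_WSSE11_TOKEN_TYPE, tokenTypeUri));
        attributes.add(createAttribute(WSSConstants.ATT_WSU_ID, strId));
        createStartElementAndOutputAsEvent(
                outputProcessorChain, WSSConstants.TAG_WSSE_SECURITY_TOKEN_REFERENCE, false, attributes);
        WSSUtils.createSAMLKeyIdentifierStructure(this, outputProcessorChain, tokenType, assertionId);
        createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_WSSE_SECURITY_TOKEN_REFERENCE);
    }
}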
