package com.sun.xml.ws.security.trust.impl;

import com.sun.xml.security.core.dsig.ObjectFactory;
import com.sun.xml.security.core.xenc.CipherDataType;
import com.sun.xml.security.core.xenc.EncryptedDataType;
import com.sun.xml.security.core.xenc.EncryptionMethodType;
import com.sun.xml.ws.api.SOAPVersion;
import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.config.TrustSPMetadata;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.Token;
import com.sun.xml.ws.security.opt.api.EncryptedKey;
import com.sun.xml.ws.security.opt.api.SecurityHeaderElement;
import com.sun.xml.ws.security.opt.crypto.dsig.Signature;
import com.sun.xml.ws.security.opt.crypto.dsig.keyinfo.KeyInfo;
import com.sun.xml.ws.security.opt.crypto.dsig.keyinfo.KeyValue;
import com.sun.xml.ws.security.opt.crypto.dsig.keyinfo.X509Data;
import com.sun.xml.ws.security.opt.crypto.jaxb.JAXBSignContext;
import com.sun.xml.ws.security.opt.crypto.jaxb.JAXBSignatureFactory;
import com.sun.xml.ws.security.opt.impl.crypto.SSEData;
import com.sun.xml.ws.security.opt.impl.dsig.EnvelopedSignedMessageHeader;
import com.sun.xml.ws.security.opt.impl.dsig.JAXBSignatureHeaderElement;
import com.sun.xml.ws.security.opt.impl.enc.JAXBEncryptedData;
import com.sun.xml.ws.security.opt.impl.keyinfo.SAMLToken;
import com.sun.xml.ws.security.opt.impl.reference.KeyIdentifier;
import com.sun.xml.ws.security.opt.impl.util.NamespaceContextEx;
import com.sun.xml.ws.security.opt.impl.util.WSSElementFactory;
import com.sun.xml.ws.security.trust.GenericToken;
import com.sun.xml.ws.security.trust.WSTrustConstants;
import com.sun.xml.ws.security.trust.logging.LogDomainConstants;
import com.sun.xml.ws.security.trust.logging.LogStringsMessages;
import com.sun.xml.ws.security.trust.util.WSTrustUtil;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.impl.callback.EncryptionKeyCallback;
import com.sun.xml.wss.impl.callback.SignatureKeyCallback;
import com.sun.xml.wss.saml.Advice;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.AttributeStatement;
import com.sun.xml.wss.saml.Conditions;
import com.sun.xml.wss.saml.NameID;
import com.sun.xml.wss.saml.SAMLAssertionFactory;
import com.sun.xml.wss.saml.SAMLException;
import com.sun.xml.wss.saml.Subject;
import com.sun.xml.wss.saml.SubjectConfirmation;
import com.sun.xml.wss.saml.SubjectConfirmationData;
import com.sun.xml.wss.saml.util.SAMLJAXBUtil;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.crypto.Data;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.URIReference;
import javax.xml.crypto.URIReferenceException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.namespace.QName;
import org.opensaml.security.crypto.JCAConstants;

/* loaded from: input_file:BOOT-INF/lib/webservices-rt-2.4.4.jar:com/sun/xml/ws/security/trust/impl/SBIssuedSamlTokenContractImpl.class */
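/**
 * Issues SAML 1.1 / SAML 2.0 holder-of-key assertions for a WS-Trust STS
 * (Metro's streaming "SB" token contract).
 *
 * <p>The assertion is assembled from the claims map handed in by the caller,
 * signed with the STS signing key obtained through the configured
 * {@link CallbackHandler}, and - when {@code stsConfig.getEncryptIssuedToken()}
 * is set - wrapped in an {@code xenc:EncryptedData} whose content key is
 * transported under the relying party's certificate.
 *
 * <p>Security-relevant behaviour a deployer should be aware of (all of it is
 * visible in this class):
 * <ul>
 *   <li>the assertion signature uses SHA-1 digests and RSA-SHA1
 *       (see {@link #createSignature});</li>
 *   <li>for {@code KeyType=SymmetricKey} the proof key is written into the
 *       assertion in the clear as a {@code BinarySecret} unless
 *       {@code encryptIssuedKey} is on and {@code encryptIssuedToken} is off
 *       (see {@link #createKeyInfo}); in that case confidentiality of the proof
 *       key rests entirely on transport protection of the RSTR;</li>
 *   <li>token encryption is AES-256-CBC with no authentication tag; the
 *       enveloped signature inside the ciphertext is the only integrity
 *       protection.</li>
 * </ul>
 */
public class SBIssuedSamlTokenContractImpl extends IssueSamlTokenContract {
    /**
     * Subject-confirmation method written into every issued assertion.
     * NOTE(review): the SAML 1.0 URN is also used for SAML 2.0 assertions
     * (see createSAML20Assertion); the SAML 2.0 profiles define
     * "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key" for that case. Left
     * unchanged because relying parties built against this STS may match on
     * the current value - confirm before switching.
     */
    private static final String SAML_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    protected static final String PRINCIPAL = "principal";

    // Token-type URIs accepted by createSAMLAssertion.
    private static final String SAML11_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String WSS_SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML20_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // WS-Trust 1.2 KeyType for a symmetric proof key.
    private static final String WST_SYMMETRIC_KEY = "http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey";

    // XML Signature / XML Encryption / WSS algorithm and type URIs.
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
    private static final String DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
    private static final String SIG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String ENC_AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
    private static final String KEYTRANSPORT_RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
    private static final String XMLENC_TYPE_CONTENT = "http://www.w3.org/2001/04/xmlenc#Content";
    private static final String XMLENC_TYPE_ELEMENT = "http://www.w3.org/2001/04/xmlenc#Element";
    private static final String X509_SKI_VALUE_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier";
    private static final String BASE64_ENCODING_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    /** Size of the AES-256 content-encryption key generated when the token is encrypted. */
    private static final int TOKEN_ENCRYPTION_KEY_BYTES = 32;

    private SOAPVersion soapVersion = SOAPVersion.SOAP_11;
    /**
     * NOTE(review): always built for SOAP 1.1, even when the SOAPVersion
     * constructor is given SOAP 1.2. It is only used to build the
     * EncryptedKey/KeyIdentifier elements; whether those are SOAP-version
     * sensitive is not visible here - confirm against WSSElementFactory.
     */
    WSSElementFactory wef = new WSSElementFactory(SOAPVersion.SOAP_11);
    private static final Logger log = Logger.getLogger("com.sun.xml.ws.security.trust", LogDomainConstants.TRUST_IMPL_DOMAIN_BUNDLE);

    /**
     * URIDereferencer that ignores the requested URI and always hands back the
     * Data it was constructed with. Installed on the sign context with
     * {@code null}, so it never dereferences anything itself; presumably
     * EnvelopedSignedMessageHeader supplies the signed content directly -
     * confirm before relying on this in another context.
     */
    public static class DSigResolver implements URIDereferencer {
        public Data data;

        DSigResolver(Data data) {
            this.data = data;
        }

        @Override
        public Data dereference(URIReference uRIReference, XMLCryptoContext xMLCryptoContext) throws URIReferenceException {
            return this.data;
        }
    }

    /**
     * @param sOAPVersion SOAP version the issued token elements are built for
     *                    (the element factory {@link #wef} stays SOAP 1.1, see note above)
     */
    public SBIssuedSamlTokenContractImpl(SOAPVersion sOAPVersion) {
        this.soapVersion = sOAPVersion;
    }

    /** Defaults to SOAP 1.1. */
    public SBIssuedSamlTokenContractImpl() {
    }

    /**
     * Builds, signs and (optionally) encrypts a SAML holder-of-key assertion.
     *
     * <p>Parameter names are inherited from the decompiled signature; their
     * roles, as used below, are:
     * <ul>
     *   <li>{@code str}  - AppliesTo / relying-party identifier; selects the
     *       TrustSPMetadata (and so the encryption certificate) and is written
     *       as the SAML 2.0 SubjectConfirmationData recipient;</li>
     *   <li>{@code str2} - requested token type URI (SAML 1.1 or SAML 2.0);</li>
     *   <li>{@code str3} - WS-Trust KeyType URI (SymmetricKey / PublicKey / other);</li>
     *   <li>{@code str4} - assertion ID;</li>
     *   <li>{@code str5} - issuer name;</li>
     *   <li>{@code map}  - claims: a "NameID" entry becomes the Subject, every
     *       other entry an Attribute;</li>
     *   <li>{@code issuedTokenContext} - supplies the proof key / requestor
     *       credentials.</li>
     * </ul>
     *
     * @return a GenericToken wrapping either the signed assertion header or the
     *         EncryptedData that envelopes it
     * @throws WSTrustException on an unsupported token type, a missing signing
     *         key, or any failure while building, signing or encrypting
     */
    @Override // com.sun.xml.ws.security.trust.impl.IssueSamlTokenContract, com.sun.xml.ws.api.security.trust.IssueSamlTokenContract
    public Token createSAMLAssertion(String str, String str2, String str3, String str4, String str5, Map<QName, List<String>> map, IssuedTokenContext issuedTokenContext) throws WSTrustException {
        CallbackHandler callbackHandler = this.stsConfig.getCallbackHandler();
        try {
            NamespaceContextEx nsContext = newNamespaceContext();
            // May be null when the relying party has no certificate configured;
            // it is only needed once something has to be encrypted.
            X509Certificate serviceCertificate = getServiceCertificate(callbackHandler, this.stsConfig.getTrustSPMetadata(str), str);
            KeyInfo proofKeyInfo = createKeyInfo(str3, serviceCertificate, issuedTokenContext);

            Assertion assertion;
            if (SAML11_ASSERTION_NS.equals(str2) || WSS_SAML11_TOKEN_TYPE.equals(str2)) {
                assertion = createSAML11Assertion(str4, str5, str, proofKeyInfo, map);
            } else if (SAML20_ASSERTION_NS.equals(str2)) {
                assertion = createSAML20Assertion(str4, str5, str, proofKeyInfo, map);
            } else {
                log.log(Level.SEVERE, LogStringsMessages.WST_0031_UNSUPPORTED_TOKEN_TYPE(str2, str));
                throw new WSTrustException(LogStringsMessages.WST_0031_UNSUPPORTED_TOKEN_TYPE(str2, str));
            }
            SAMLToken samlToken = new SAMLToken(assertion, SAMLJAXBUtil.getJAXBContext(), this.soapVersion);

            // Obtain the STS signing key pair from the deployment's callback handler.
            SignatureKeyCallback.DefaultPrivKeyCertRequest signingKeyRequest = new SignatureKeyCallback.DefaultPrivKeyCertRequest();
            callbackHandler.handle(new Callback[]{new SignatureKeyCallback(signingKeyRequest)});
            X509Certificate signingCertificate = signingKeyRequest.getX509Certificate();
            if (signingCertificate == null || signingKeyRequest.getPrivateKey() == null) {
                // Fail here with a clear message instead of an NPE deep inside the signer.
                log.log(Level.SEVERE, LogStringsMessages.WST_0035_UNABLE_CREATE_SIGN_SAML_ASSERTION());
                throw new WSTrustException(LogStringsMessages.WST_0035_UNABLE_CREATE_SIGN_SAML_ASSERTION());
            }
            SecurityHeaderElement signedAssertion = createSignature(signingCertificate.getPublicKey(), signingKeyRequest.getPrivateKey(), samlToken, nsContext);

            if (!this.stsConfig.getEncryptIssuedToken()) {
                return new GenericToken(signedAssertion);
            }

            // Encrypt the signed assertion for the relying party: fresh random
            // AES-256 content key, transported under the service certificate.
            String encryptedDataId = "uuid-" + UUID.randomUUID().toString();
            SecretKeySpec contentKey = new SecretKeySpec(WSTrustUtil.generateRandomSecret(TOKEN_ENCRYPTION_KEY_BYTES), JCAConstants.KEY_ALGO_AES);
            KeyInfo encryptedKeyInfo = new KeyInfo();
            encryptedKeyInfo.getContent().add(encryptKey(contentKey, serviceCertificate));
            EncryptedDataType encryptedData = createEncryptedData(encryptedDataId, ENC_AES256_CBC, encryptedKeyInfo, false);
            return new GenericToken(new JAXBEncryptedData(encryptedData, new SSEData(signedAssertion, false, nsContext), this.soapVersion));
        } catch (WSTrustException e) {
            // Already logged where it was raised; do not wrap it in a second
            // WST_0032 and log it twice.
            throw e;
        } catch (XWSSecurityException e) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), (Throwable) e);
            throw new WSTrustException(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        } catch (Exception e2) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), (Throwable) e2);
            throw new WSTrustException(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e2);
        }
    }

    /** Namespace context with the xenc, exc-c14n, SAML, ds and wsse prefixes registered. */
    private NamespaceContextEx newNamespaceContext() {
        NamespaceContextEx nsContext = this.soapVersion == SOAPVersion.SOAP_11 ? new NamespaceContextEx() : new NamespaceContextEx(true);
        nsContext.addEncryptionNS();
        nsContext.addExc14NS();
        nsContext.addSAMLNS();
        nsContext.addSignatureNS();
        nsContext.addWSSNS();
        return nsContext;
    }

    /**
     * NotOnOrAfter = issueInstant + configured issued-token timeout (ms).
     * Computed in long arithmetic so a timeout above Integer.MAX_VALUE ms is
     * not silently truncated the way a {@code Calendar.add((int) timeout)}
     * would be.
     */
    private GregorianCalendar expiryAfter(GregorianCalendar issueInstant) {
        GregorianCalendar notOnOrAfter = new GregorianCalendar();
        notOnOrAfter.setTimeInMillis(issueInstant.getTimeInMillis() + this.stsConfig.getIssuedTokenTimeout());
        return notOnOrAfter;
    }

    /**
     * Builds an unsigned SAML 1.1 assertion with one AttributeStatement.
     *
     * @param assertionId value of the AssertionID attribute
     * @param issuer      Issuer attribute
     * @param appliesTo   relying party; unused for SAML 1.1
     * @param keyInfo     holder-of-key KeyInfo placed in the SubjectConfirmation
     * @param claims      "NameID" entry -> Subject (first occurrence wins), others -> Attributes;
     *                    entries with a null/empty value list are skipped; null map = no claims
     * @throws WSTrustException wrapping any factory failure
     */
    private Assertion createSAML11Assertion(String assertionId, String issuer, String appliesTo, KeyInfo keyInfo, Map<QName, List<String>> claims) throws WSTrustException {
        try {
            SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML1_1);
            GregorianCalendar issueInstant = new GregorianCalendar();
            GregorianCalendar notOnOrAfter = expiryAfter(issueInstant);
            Conditions conditions = factory.createConditions(issueInstant, notOnOrAfter, null, null, null);
            Advice advice = factory.createAdvice(null, null, null);

            // Raw lists: the SAML factory API predates generics.
            ArrayList confirmationMethods = new ArrayList();
            confirmationMethods.add(SAML_HOLDER_OF_KEY);
            SubjectConfirmation subjectConfirmation = factory.createSubjectConfirmation(confirmationMethods, (SubjectConfirmationData) null, keyInfo);

            Subject subject = null;
            ArrayList attributes = new ArrayList();
            if (claims != null) {
                for (Map.Entry<QName, List<String>> claim : claims.entrySet()) {
                    QName name = claim.getKey();
                    List<String> values = claim.getValue();
                    if (values == null || values.isEmpty()) {
                        continue;
                    }
                    if (subject == null && "NameID".equals(name.getLocalPart())) {
                        subject = factory.createSubject(factory.createNameIdentifier(values.get(0), name.getNamespaceURI(), null), subjectConfirmation);
                    } else {
                        attributes.add(factory.createAttribute(name.getLocalPart(), name.getNamespaceURI(), values));
                    }
                }
            }
            // NOTE(review): without a "NameID" claim the subject stays null, so the
            // holder-of-key KeyInfo is never attached; whether the factory rejects
            // a null subject is not visible here.
            AttributeStatement attributeStatement = factory.createAttributeStatement(subject, attributes);
            ArrayList statements = new ArrayList();
            statements.add(attributeStatement);
            return factory.createAssertion(assertionId, issuer, issueInstant, conditions, advice, statements);
        } catch (XWSSecurityException e) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), (Throwable) e);
            throw new WSTrustException(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        } catch (SAMLException e2) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), (Throwable) e2);
            throw new WSTrustException(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e2);
        }
    }

    /**
     * Builds an unsigned SAML 2.0 assertion with one AttributeStatement.
     *
     * @param assertionId value of the ID attribute
     * @param issuer      Issuer NameID
     * @param appliesTo   written as SubjectConfirmationData/@Recipient
     * @param keyInfo     holder-of-key KeyInfo placed in the SubjectConfirmationData
     * @param claims      "NameID" entry -> Subject (first occurrence wins), others -> Attributes;
     *                    entries with a null/empty value list are skipped; null map = no claims
     * @throws WSTrustException wrapping any factory failure
     */
    private Assertion createSAML20Assertion(String assertionId, String issuer, String appliesTo, KeyInfo keyInfo, Map<QName, List<String>> claims) throws WSTrustException {
        try {
            SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0);
            GregorianCalendar issueInstant = new GregorianCalendar();
            GregorianCalendar notOnOrAfter = expiryAfter(issueInstant);
            Conditions conditions = factory.createConditions(issueInstant, notOnOrAfter, null, null, null, null);
            // The confirmation data carries the same validity window as the
            // Conditions plus the relying party as Recipient. See the note on
            // SAML_HOLDER_OF_KEY about the 1.0 URN being used here.
            SubjectConfirmation subjectConfirmation = factory.createSubjectConfirmation((NameID) null,
                    factory.createSubjectConfirmationData((String) null, (String) null, issueInstant, notOnOrAfter, appliesTo, keyInfo),
                    SAML_HOLDER_OF_KEY);

            Subject subject = null;
            ArrayList attributes = new ArrayList();
            if (claims != null) {
                for (Map.Entry<QName, List<String>> claim : claims.entrySet()) {
                    QName name = claim.getKey();
                    List<String> values = claim.getValue();
                    if (values == null || values.isEmpty()) {
                        continue;
                    }
                    if (subject == null && "NameID".equals(name.getLocalPart())) {
                        subject = factory.createSubject(factory.createNameIdentifier(values.get(0), name.getNamespaceURI(), null), subjectConfirmation);
                    } else {
                        // Unlike the 1.1 path the attribute namespace is not carried over.
                        attributes.add(factory.createAttribute(name.getLocalPart(), values));
                    }
                }
            }
            // NOTE(review): without a "NameID" claim the subject (and with it the
            // holder-of-key confirmation) is null; see createSAML11Assertion.
            AttributeStatement attributeStatement = factory.createAttributeStatement(attributes);
            ArrayList statements = new ArrayList();
            statements.add(attributeStatement);
            return factory.createAssertion(assertionId, factory.createNameID(issuer, null, null), issueInstant, conditions, (Advice) null, subject, statements);
        } catch (XWSSecurityException e) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), (Throwable) e);
            throw new WSTrustException(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        } catch (SAMLException e2) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), (Throwable) e2);
            throw new WSTrustException(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e2);
        }
    }

    /**
     * Builds the holder-of-key KeyInfo for the requested KeyType.
     *
     * <ul>
     *   <li>SymmetricKey: the proof key from the context, either as a plaintext
     *       BinarySecret (when the whole token will be encrypted, or when
     *       encryptIssuedKey is off) or as an EncryptedKey under the service
     *       certificate. With encryptIssuedToken=false and encryptIssuedKey=false
     *       the proof key leaves the STS in the clear inside the assertion.</li>
     *   <li>PublicKey: X509Data holding every X509Certificate among the
     *       requestor's public credentials.</li>
     *   <li>any other KeyType (e.g. Bearer): an empty KeyInfo.</li>
     * </ul>
     *
     * @param keyType            WS-Trust KeyType URI
     * @param serviceCertificate relying-party certificate; required only on the
     *                           EncryptedKey path
     * @param context            source of the proof key / requestor subject
     * @throws WSTrustException when the required key material is missing or
     *                          the proof key cannot be encrypted
     */
    private KeyInfo createKeyInfo(String keyType, X509Certificate serviceCertificate, IssuedTokenContext context) throws WSTrustException {
        KeyInfo keyInfo = new KeyInfo();
        if (WST_SYMMETRIC_KEY.equals(keyType)) {
            byte[] proofKey = context.getProofKey();
            if (proofKey == null) {
                throw new WSTrustException("No proof key in the issued-token context for KeyType " + keyType);
            }
            if (this.stsConfig.getEncryptIssuedToken() || !this.stsConfig.getEncryptIssuedKey()) {
                keyInfo.getContent().add(this.eleFac.createBinarySecret(proofKey, this.wstVer.getSymmetricKeyTypeURI()));
            } else {
                try {
                    keyInfo.getContent().add(encryptKey(new SecretKeySpec(proofKey, JCAConstants.KEY_ALGO_AES), serviceCertificate));
                } catch (Exception e) {
                    throw new WSTrustException(e.getMessage(), e);
                }
            }
        } else if (WSTrustConstants.PUBLIC_KEY.equals(keyType)) {
            if (context.getRequestorSubject() == null) {
                log.log(Level.SEVERE, LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
                throw new WSTrustException(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
            }
            Set<Object> publicCredentials = context.getRequestorSubject().getPublicCredentials();
            if (publicCredentials == null) {
                log.log(Level.SEVERE, LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
                throw new WSTrustException(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
            }
            X509Data x509Data = new X509Data();
            ObjectFactory objectFactory = new ObjectFactory();
            boolean foundCertificate = false;
            for (Object credential : publicCredentials) {
                if (!(credential instanceof X509Certificate)) {
                    continue;
                }
                try {
                    x509Data.getContent().add(objectFactory.createX509DataTypeX509Certificate(((X509Certificate) credential).getEncoded()));
                    foundCertificate = true;
                } catch (CertificateEncodingException e2) {
                    throw new WSTrustException("Unable to create KeyInfo", e2);
                }
            }
            if (!foundCertificate) {
                log.log(Level.SEVERE, LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
                throw new WSTrustException(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
            }
            keyInfo.getContent().add(x509Data);
        }
        return keyInfo;
    }

    /**
     * Wraps {@code key} in an xenc:EncryptedKey (RSA-OAEP-MGF1P) under the
     * certificate's public key, referenced by its X.509 SubjectKeyIdentifier.
     *
     * @throws XWSSecurityException when no certificate is available or the
     *                              element factory fails
     */
    private EncryptedKey encryptKey(Key key, X509Certificate x509Certificate) throws XWSSecurityException {
        if (x509Certificate == null) {
            throw new XWSSecurityException("No service certificate available to encrypt the key");
        }
        KeyIdentifier keyIdentifier = this.wef.createKeyIdentifier();
        keyIdentifier.setValueType(X509_SKI_VALUE_TYPE);
        keyIdentifier.updateReferenceValue(x509Certificate);
        keyIdentifier.setEncodingType(BASE64_ENCODING_TYPE);
        return this.wef.createEncryptedKey(null, KEYTRANSPORT_RSA_OAEP_MGF1P,
                this.wef.createKeyInfo(this.wef.createSecurityTokenReference(keyIdentifier)),
                x509Certificate.getPublicKey(), key);
    }

    /**
     * Looks up the relying party's encryption certificate by the alias in its
     * TrustSPMetadata, through the EncryptionKeyCallback.
     *
     * @return the certificate, or {@code null} when the callback handler did
     *         not resolve the alias - the caller only needs it when encrypting
     * @throws WSTrustException when no metadata exists for {@code appliesTo}
     *                          or the callback itself fails
     */
    private X509Certificate getServiceCertificate(CallbackHandler callbackHandler, TrustSPMetadata trustSPMetadata, String appliesTo) throws WSTrustException {
        if (trustSPMetadata == null) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo));
            throw new WSTrustException(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo));
        }
        EncryptionKeyCallback.AliasX509CertificateRequest certRequest = new EncryptionKeyCallback.AliasX509CertificateRequest(trustSPMetadata.getCertAlias());
        try {
            callbackHandler.handle(new Callback[]{new EncryptionKeyCallback(certRequest)});
        } catch (IOException e) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo), (Throwable) e);
            throw new WSTrustException(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo), e);
        } catch (UnsupportedCallbackException e2) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo), (Throwable) e2);
            throw new WSTrustException(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo), e2);
        }
        return certRequest.getX509Certificate();
    }

    /**
     * Builds the xenc:EncryptedData skeleton for the encrypted token.
     *
     * @param str     Id attribute of the EncryptedData
     * @param str2    block-cipher algorithm URI written into EncryptionMethod
     * @param keyInfo KeyInfo (normally holding the EncryptedKey); omitted when null
     * @param z       true for Type=...#Content, false for Type=...#Element
     * @return the element with a placeholder CipherValue; presumably
     *         JAXBEncryptedData replaces it with real ciphertext when the
     *         token is written - confirm, this class never encrypts bytes itself
     */
    public EncryptedDataType createEncryptedData(String str, String str2, KeyInfo keyInfo, boolean z) {
        EncryptedDataType encryptedData = new EncryptedDataType();
        encryptedData.setType(z ? XMLENC_TYPE_CONTENT : XMLENC_TYPE_ELEMENT);

        EncryptionMethodType encryptionMethod = new EncryptionMethodType();
        encryptionMethod.setAlgorithm(str2);
        encryptedData.setEncryptionMethod(encryptionMethod);

        // Placeholder value; it is not the ciphertext.
        CipherDataType cipherData = new CipherDataType();
        cipherData.setCipherValue("ed".getBytes());
        encryptedData.setCipherData(cipherData);

        encryptedData.setId(str);
        if (keyInfo != null) {
            encryptedData.setKeyInfo(keyInfo);
        }
        return encryptedData;
    }

    /**
     * Wraps the assertion in an enveloped XML Signature (exc-c14n, enveloped
     * + exc-c14n transforms) signed with {@code key}; the KeyInfo carries the
     * raw KeyValue of {@code publicKey}.
     *
     * <p>NOTE(review): the digest is SHA-1 and the signature method is
     * RSA-SHA1, both deprecated for new signatures (XMLDSig 1.1 / RFC 6931
     * define ...#sha256 and ...-more#rsa-sha256). They are left unchanged here
     * because changing them affects every relying party and this class has no
     * configuration hook for it; making the algorithms configurable from the
     * STS configuration is the recommended fix.
     *
     * <p>NOTE(review): a DSA key gets a DSAKeyValue but the SignatureMethod is
     * still RSA-SHA1, so signing with a DSA key presumably fails at sign time.
     *
     * @throws WSTrustException for an unsupported key type or a JSR-105 setup failure
     */
    private SecurityHeaderElement createSignature(PublicKey publicKey, Key key, SAMLToken sAMLToken, NamespaceContextEx namespaceContextEx) throws WSTrustException {
        try {
            JAXBSignatureFactory factory = JAXBSignatureFactory.newInstance();
            CanonicalizationMethod c14n = factory.newCanonicalizationMethod(EXC_C14N, (C14NMethodParameterSpec) null);
            DigestMethod digestMethod = factory.newDigestMethod(DIGEST_SHA1, null);
            SignatureMethod signatureMethod = factory.newSignatureMethod(SIG_RSA_SHA1, null);

            List<Transform> transforms = new ArrayList<Transform>();
            transforms.add(factory.newTransform(ENVELOPED_SIGNATURE, (TransformParameterSpec) null));
            transforms.add(factory.newTransform(EXC_C14N, (TransformParameterSpec) null));
            // The URI is a fresh random id that matches nothing in this class;
            // presumably EnvelopedSignedMessageHeader rebinds the Reference to
            // the assertion's own ID when the header is written - confirm.
            Reference reference = factory.newReference("#uuid-" + UUID.randomUUID().toString(), digestMethod, transforms, null, null);
            SignedInfo signedInfo = factory.newSignedInfo(c14n, signatureMethod, Collections.singletonList(reference));

            KeyValue keyValue;
            if (publicKey instanceof DSAPublicKey) {
                DSAPublicKey dsaKey = (DSAPublicKey) publicKey;
                keyValue = factory.newKeyValue(Collections.singletonList(factory.newDSAKeyValue(
                        dsaKey.getParams().getP().toByteArray(),
                        dsaKey.getParams().getQ().toByteArray(),
                        dsaKey.getParams().getG().toByteArray(),
                        dsaKey.getY().toByteArray(), null, null, null)));
            } else if (publicKey instanceof RSAPublicKey) {
                RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
                keyValue = factory.newKeyValue(Collections.singletonList(factory.newRSAKeyValue(
                        rsaKey.getModulus().toByteArray(), rsaKey.getPublicExponent().toByteArray())));
            } else {
                throw new WSTrustException("Unsupported PublicKey");
            }
            javax.xml.crypto.dsig.keyinfo.KeyInfo signatureKeyInfo = factory.newKeyInfo(Collections.singletonList(keyValue));

            JAXBSignContext signContext = new JAXBSignContext(key);
            signContext.setURIDereferencer(new DSigResolver(null));
            return new EnvelopedSignedMessageHeader(sAMLToken, (com.sun.xml.ws.security.opt.crypto.dsig.Reference) reference,
                    new JAXBSignatureHeaderElement((Signature) factory.newXMLSignature(signedInfo, signatureKeyInfo), this.soapVersion, signContext),
                    namespaceContextEx);
        } catch (InvalidAlgorithmParameterException e) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0035_UNABLE_CREATE_SIGN_SAML_ASSERTION(), (Throwable) e);
            throw new WSTrustException(LogStringsMessages.WST_0035_UNABLE_CREATE_SIGN_SAML_ASSERTION(), e);
        } catch (NoSuchAlgorithmException e2) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0035_UNABLE_CREATE_SIGN_SAML_ASSERTION(), (Throwable) e2);
            throw new WSTrustException(LogStringsMessages.WST_0035_UNABLE_CREATE_SIGN_SAML_ASSERTION(), e2);
        }
    }
}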
