package com.sun.xml.ws.security.trust.impl;

import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.config.STSConfiguration;
import com.sun.xml.ws.api.security.trust.config.TrustSPMetadata;
import com.sun.xml.ws.policy.impl.bindings.AppliesTo;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.Token;
import com.sun.xml.ws.security.trust.WSTrustConstants;
import com.sun.xml.ws.security.trust.WSTrustElementFactory;
import com.sun.xml.ws.security.trust.WSTrustFactory;
import com.sun.xml.ws.security.trust.WSTrustVersion;
import com.sun.xml.ws.security.trust.elements.BaseSTSRequest;
import com.sun.xml.ws.security.trust.elements.BaseSTSResponse;
import com.sun.xml.ws.security.trust.elements.BinarySecret;
import com.sun.xml.ws.security.trust.elements.Entropy;
import com.sun.xml.ws.security.trust.elements.OnBehalfOf;
import com.sun.xml.ws.security.trust.elements.RequestSecurityToken;
import com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse;
import com.sun.xml.ws.security.trust.elements.RequestedAttachedReference;
import com.sun.xml.ws.security.trust.elements.RequestedProofToken;
import com.sun.xml.ws.security.trust.elements.RequestedSecurityToken;
import com.sun.xml.ws.security.trust.elements.RequestedUnattachedReference;
import com.sun.xml.ws.security.trust.elements.SecondaryParameters;
import com.sun.xml.ws.security.trust.elements.UseKey;
import com.sun.xml.ws.security.trust.elements.str.SecurityTokenReference;
import com.sun.xml.ws.security.trust.logging.LogDomainConstants;
import com.sun.xml.ws.security.trust.logging.LogStringsMessages;
import com.sun.xml.ws.security.trust.util.WSTrustUtil;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.impl.misc.SecurityUtil;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessController;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;

/* loaded from: input_file:BOOT-INF/lib/webservices-rt-2.4.4.jar:com/sun/xml/ws/security/trust/impl/IssueSamlTokenContract.class */
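/**
 * Base implementation of the WS-Trust "Issue" contract for SAML tokens.
 *
 * <p>{@link #issue} resolves the request parameters (token type, key type, algorithms,
 * claims, key size) from the {@link RequestSecurityToken}, falling back to the WS-Trust 1.3
 * {@link SecondaryParameters} and then to the {@link TrustSPMetadata} of the AppliesTo
 * target, checks the requestor with the configured authorization provider, establishes the
 * proof key for the requested key type and finally delegates assertion creation to the
 * abstract {@link #createSAMLAssertion}. Renew, cancel, validate and unsolicited responses
 * are not supported by this class.
 *
 * <p>Only {@link #init} writes the protected fields; {@link #issue} reads them and also
 * stores per-request values into {@code stsConfig.getOtherOptions()} (see the notes in the
 * method body).
 */
public abstract class IssueSamlTokenContract implements com.sun.xml.ws.api.security.trust.IssueSamlTokenContract<BaseSTSRequest, BaseSTSResponse> {
    private static final Logger log = Logger.getLogger("com.sun.xml.ws.security.trust", LogDomainConstants.TRUST_IMPL_DOMAIN_BUNDLE);

    // SAML subject-confirmation method URIs for the 1.0 and 2.0 profiles.
    protected static final String SAML_HOLDER_OF_KEY_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    protected static final String SAML_HOLDER_OF_KEY_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
    protected static final String SAML_BEARER_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    protected static final String SAML_BEARER_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    // Earlier builds carried this value with a doubled colon ("cm::sender-vouches"), which is
    // not the SAML 1.0 sender-vouches URI; it was written into OnBehalfOf issuances via
    // SAML_CONFIRMATION_METHOD below. The value now matches its 2.0 sibling's form.
    protected static final String SAML_SENDER_VOUCHES_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";
    protected static final String SAML_SENDER_VOUCHES_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";

    /** STS configuration supplied via {@link #init}. */
    protected STSConfiguration stsConfig;
    /** WS-Trust version taken from the configuration's other options under {@code WST_VERSION}. */
    protected WSTrustVersion wstVer;
    /** Authentication context class from the configuration's other options; may be {@code null}. */
    protected String authnCtxClass;
    /** Element factory for the active WS-Trust version; replaced in {@link #init}. */
    protected WSTrustElementFactory eleFac = WSTrustElementFactory.newInstance(WSTrustVersion.WS_TRUST_10);
    /** Key size in bits used when neither the request nor its secondary parameters give one. */
    private static final int DEFAULT_KEY_SIZE = 256;

    /**
     * Binds this contract to an STS configuration and selects the WS-Trust version and
     * element factory from it.
     *
     * @param sTSConfiguration the STS configuration; its other options are read for
     *        {@code WST_VERSION} and {@code AUTHN_CONTEXT_CLASS}
     */
    @Override // com.sun.xml.ws.api.security.trust.WSTrustContract
    public void init(STSConfiguration sTSConfiguration) {
        this.stsConfig = sTSConfiguration;
        this.wstVer = (WSTrustVersion) sTSConfiguration.getOtherOptions().get(WSTrustConstants.WST_VERSION);
        this.authnCtxClass = (String) sTSConfiguration.getOtherOptions().get(WSTrustConstants.AUTHN_CONTEXT_CLASS);
        this.eleFac = WSTrustElementFactory.newInstance(this.wstVer);
    }

    /**
     * Issues a SAML token for the given request.
     *
     * <p>Each request parameter is resolved from the RST first, then (WS-Trust 1.3 only) from
     * its SecondaryParameters, then from the TrustSPMetadata of the AppliesTo target, which
     * itself falls back to the {@code "default"} metadata entry.
     *
     * @param baseSTSRequest the request; must be a {@link RequestSecurityToken}
     * @param issuedTokenContext per-request context that receives the algorithms, the proof
     *        key, the requestor certificate, the issued token and its references, and the
     *        creation/expiration times
     * @return the RSTR, or for WS-Trust 1.3 an RSTR collection wrapping it
     * @throws WSTrustException if no service-provider metadata is found, no requestor
     *         Subject is available, the requestor is not authorized, the key type is none of
     *         symmetric/public/bearer, a public-key request carries neither a client
     *         certificate nor a UseKey, computed-key derivation fails, or the request
     *         context is not a valid URI
     * @throws ClassCastException if {@code baseSTSRequest} is not a {@link RequestSecurityToken}
     */
    @Override // com.sun.xml.ws.api.security.trust.WSTrustContract
    public BaseSTSResponse issue(BaseSTSRequest baseSTSRequest, IssuedTokenContext issuedTokenContext) throws WSTrustException {
        RequestSecurityToken rst = (RequestSecurityToken) baseSTSRequest;
        // SecondaryParameters exist only in WS-Trust 1.3; for other versions there is no fallback.
        SecondaryParameters secParas = WSTrustVersion.WS_TRUST_13.getNamespaceURI().equals(this.wstVer.getNamespaceURI()) ? rst.getSecondaryParameters() : null;

        // AppliesTo may carry the target service URI and/or its certificate; the last of
        // each kind encountered wins.
        AppliesTo appliesTo = rst.getAppliesTo();
        String appliesToUri = null;
        X509Certificate serviceCert = null;
        if (appliesTo != null) {
            for (Object entry : WSTrustUtil.parseAppliesTo(appliesTo)) {
                if (entry instanceof String) {
                    appliesToUri = (String) entry;
                } else if (entry instanceof X509Certificate) {
                    serviceCert = (X509Certificate) entry;
                }
            }
        }
        if (serviceCert != null) {
            issuedTokenContext.getOtherProperties().put(IssuedTokenContext.TARGET_SERVICE_CERTIFICATE, serviceCert);
        }

        TrustSPMetadata spMetadata = this.stsConfig.getTrustSPMetadata(appliesToUri);
        if (spMetadata == null) {
            spMetadata = this.stsConfig.getTrustSPMetadata("default");
        }
        if (spMetadata == null) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0004_UNKNOWN_SERVICEPROVIDER(appliesToUri));
            throw new WSTrustException(LogStringsMessages.WST_0004_UNKNOWN_SERVICEPROVIDER(appliesToUri));
        }

        // Token type: RST -> SecondaryParameters -> SP metadata -> SAML 1.1 token profile.
        URI tokenType = rst.getTokenType();
        if (tokenType == null && secParas != null) {
            tokenType = secParas.getTokenType();
        }
        String tokenTypeUri = tokenType != null ? tokenType.toString() : spMetadata.getTokenType();
        if (tokenTypeUri == null) {
            tokenTypeUri = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
        }

        // Key type: RST -> SecondaryParameters -> SP metadata -> symmetric key.
        URI keyType = rst.getKeyType();
        if (keyType == null && secParas != null) {
            keyType = secParas.getKeyType();
        }
        String keyTypeUri = keyType != null ? keyType.toString() : spMetadata.getKeyType();
        if (keyTypeUri == null) {
            keyTypeUri = this.wstVer.getSymmetricKeyTypeURI();
        }

        // Algorithms are passed through to the context as strings (null when unspecified).
        URI encryptionAlgorithm = rst.getEncryptionAlgorithm();
        if (encryptionAlgorithm == null && secParas != null) {
            encryptionAlgorithm = secParas.getEncryptionAlgorithm();
        }
        issuedTokenContext.setEncryptionAlgorithm(encryptionAlgorithm != null ? encryptionAlgorithm.toString() : null);

        URI signatureAlgorithm = rst.getSignatureAlgorithm();
        if (signatureAlgorithm == null && secParas != null) {
            signatureAlgorithm = secParas.getSignatureAlgorithm();
        }
        issuedTokenContext.setSignatureAlgorithm(signatureAlgorithm != null ? signatureAlgorithm.toString() : null);

        URI canonicalizationAlgorithm = rst.getCanonicalizationAlgorithm();
        if (canonicalizationAlgorithm == null && secParas != null) {
            canonicalizationAlgorithm = secParas.getCanonicalizationAlgorithm();
        }
        issuedTokenContext.setCanonicalizationAlgorithm(canonicalizationAlgorithm != null ? canonicalizationAlgorithm.toString() : null);

        // Key wrap algorithm is only read from SecondaryParameters (WS-Trust 1.3).
        URI keyWrapAlgorithm = secParas != null ? secParas.getKeyWrapAlgorithm() : null;
        if (keyWrapAlgorithm != null) {
            issuedTokenContext.getOtherProperties().put(IssuedTokenContext.KEY_WRAP_ALGORITHM, keyWrapAlgorithm.toString());
        }

        // The requestor identity: from the context, else from the current access control
        // context. NOTE(review): Subject.getSubject(AccessControlContext) is deprecated on
        // recent JDKs together with the SecurityManager; confirm the supported JDK range.
        Subject requestorSubject = issuedTokenContext.getRequestorSubject();
        if (requestorSubject == null) {
            requestorSubject = Subject.getSubject(AccessController.getContext());
        }
        if (requestorSubject == null) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0030_REQUESTOR_NULL());
            throw new WSTrustException(LogStringsMessages.WST_0030_REQUESTOR_NULL());
        }

        // OnBehalfOf: the delegated token becomes a public credential of the requestor and
        // the confirmation method switches to sender-vouches for the matching SAML version.
        OnBehalfOf onBehalfOf = rst.getOnBehalfOf();
        if (onBehalfOf != null) {
            Object oboToken = onBehalfOf.getAny();
            if (oboToken != null) {
                requestorSubject.getPublicCredentials().add(this.eleFac.toElement(oboToken));
                String confirmationMethod = null;
                if (tokenTypeUri.equals("urn:oasis:names:tc:SAML:1.0:assertion") || tokenTypeUri.equals("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1")) {
                    confirmationMethod = SAML_SENDER_VOUCHES_1_0;
                } else if (tokenTypeUri.equals("urn:oasis:names:tc:SAML:2.0:assertion") || tokenTypeUri.equals("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0")) {
                    confirmationMethod = SAML_SENDER_VOUCHES_2_0;
                }
                if (confirmationMethod != null) {
                    // NOTE(review): this writes per-request state into the shared STS
                    // configuration rather than into issuedTokenContext; a later request
                    // without OnBehalfOf may still observe it. Confirm with the subclass
                    // that consumes SAML_CONFIRMATION_METHOD.
                    this.stsConfig.getOtherOptions().put(WSTrustConstants.SAML_CONFIRMATION_METHOD, confirmationMethod);
                }
            }
        }

        if (!WSTrustFactory.getSTSAuthorizationProvider().isAuthorized(requestorSubject, appliesToUri, tokenTypeUri, keyTypeUri)) {
            // A Subject with no principals must still surface the authorization failure as
            // a WSTrustException rather than a NoSuchElementException from the iterator.
            String principalName = requestorSubject.getPrincipals().isEmpty()
                    ? null
                    : requestorSubject.getPrincipals().iterator().next().getName();
            log.log(Level.SEVERE, LogStringsMessages.WST_0015_CLIENT_NOT_AUTHORIZED(principalName, tokenTypeUri, appliesToUri));
            throw new WSTrustException(LogStringsMessages.WST_0015_CLIENT_NOT_AUTHORIZED(principalName, tokenTypeUri, appliesToUri));
        }

        // Claims: RST -> SecondaryParameters -> empty Claims element.
        Claims claims = rst.getClaims();
        if (claims == null && secParas != null) {
            claims = secParas.getClaims();
        }
        if (claims == null) {
            claims = this.eleFac.createClaims();
        }
        Map<QName, List<String>> claimedAttributes = WSTrustFactory.getSTSAttributeProvider().getClaimedAttributes(requestorSubject, appliesToUri, tokenTypeUri, claims);

        RequestedProofToken proofToken = null;
        Entropy serverEntropy = null;
        int keySize = 0;
        if (this.wstVer.getSymmetricKeyTypeURI().equals(keyTypeUri)) {
            proofToken = this.eleFac.createRequestedProofToken();

            // Optional client entropy from the RST's BinarySecret.
            byte[] clientEntropy = null;
            Entropy requestEntropy = rst.getEntropy();
            if (requestEntropy != null) {
                BinarySecret clientSecret = requestEntropy.getBinarySecret();
                if (clientSecret != null) {
                    clientEntropy = clientSecret.getRawValue();
                } else if (log.isLoggable(Level.FINE)) {
                    log.log(Level.FINE, LogStringsMessages.WST_1009_NULL_BINARY_SECRET());
                }
            }

            // Key size in bits: RST -> SecondaryParameters -> DEFAULT_KEY_SIZE. The value is
            // client-supplied; the long-to-int cast truncates and only values < 1 are
            // rejected. NOTE(review): there is no upper bound here, so a very large size
            // drives generateRandomSecret/P_SHA1 below; sizes that are not a multiple of 8
            // are silently rounded down by the "/ 8". Consider a configured maximum.
            keySize = (int) rst.getKeySize();
            if (keySize < 1 && secParas != null) {
                keySize = (int) secParas.getKeySize();
            }
            if (keySize < 1) {
                keySize = DEFAULT_KEY_SIZE;
            }
            if (log.isLoggable(Level.FINE)) {
                log.log(Level.FINE, LogStringsMessages.WST_1010_KEY_SIZE(Integer.valueOf(keySize), DEFAULT_KEY_SIZE));
            }

            // Server entropy is always generated and returned in the RSTR.
            byte[] key = WSTrustUtil.generateRandomSecret(keySize / 8);
            BinarySecret serverSecret = this.eleFac.createBinarySecret(key, this.wstVer.getNonceBinarySecretTypeURI());
            serverEntropy = this.eleFac.createEntropy(serverSecret);

            // With non-empty client entropy the proof key is P_SHA1(client, server).
            if (clientEntropy != null) {
                try {
                    if (clientEntropy.length > 0) {
                        proofToken.setComputedKey(URI.create(this.wstVer.getCKPSHA1algorithmURI()));
                        proofToken.setProofTokenType("ComputedKey");
                        key = SecurityUtil.P_SHA1(clientEntropy, key, keySize / 8);
                        issuedTokenContext.setProofKey(key);
                    }
                } catch (Exception e) {
                    log.log(Level.SEVERE, LogStringsMessages.WST_0013_ERROR_SECRET_KEY(this.wstVer.getCKPSHA1algorithmURI(), Integer.valueOf(keySize), appliesToUri), (Throwable) e);
                    throw new WSTrustException(LogStringsMessages.WST_0013_ERROR_SECRET_KEY(this.wstVer.getCKPSHA1algorithmURI(), Integer.valueOf(keySize), appliesToUri), e);
                }
            }
            // NOTE(review): these three lines run unconditionally and so overwrite the
            // "ComputedKey" proof-token type set above when client entropy was present,
            // while the context keeps the derived key. Confirm this matches the intended
            // WS-Trust computed-key exchange before relying on it.
            proofToken.setProofTokenType("BinarySecret");
            proofToken.setBinarySecret(serverSecret);
            issuedTokenContext.setProofKey(key);
        } else if (this.wstVer.getPublicKeyTypeURI().equals(keyTypeUri)) {
            // Holder-of-key with the client's public key: either an explicit UseKey or an
            // X509Certificate among the requestor's public credentials is required.
            UseKey useKey = rst.getUseKey();
            if (useKey != null) {
                // NOTE(review): shared-configuration write, same concern as SAML_CONFIRMATION_METHOD.
                this.stsConfig.getOtherOptions().put("ConfirmationKeyInfo", this.eleFac.toElement(useKey.getToken().getTokenValue()));
            }
            boolean foundClientCert = false;
            for (Object credential : requestorSubject.getPublicCredentials()) {
                if (credential instanceof X509Certificate) {
                    issuedTokenContext.setRequestorCertificate((X509Certificate) credential);
                    foundClientCert = true;
                }
            }
            if (!foundClientCert && useKey == null) {
                log.log(Level.SEVERE, LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
                throw new WSTrustException(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
            }
        } else if (!this.wstVer.getBearerKeyTypeURI().equals(keyTypeUri)) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0025_INVALID_KEY_TYPE(keyTypeUri, appliesToUri));
            throw new WSTrustException(LogStringsMessages.WST_0025_INVALID_KEY_TYPE(keyTypeUri, appliesToUri));
        }

        // Build the assertion and the attached/unattached references to it.
        String assertionId = "uuid-" + UUID.randomUUID().toString();
        RequestedSecurityToken requestedToken = this.eleFac.createRequestedSecurityToken();
        Token samlAssertion = createSAMLAssertion(appliesToUri, tokenTypeUri, keyTypeUri, assertionId, this.stsConfig.getIssuer(), claimedAttributes, issuedTokenContext);
        requestedToken.setToken(samlAssertion);

        // NOTE(review): unlike the OnBehalfOf mapping above, the SAML 2.0 token-profile URI
        // ("...#SAMLV2.0") is not mapped here and yields a null key-identifier value type;
        // confirm whether that is intended.
        String keyIdValueType = null;
        if ("urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenTypeUri) || "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".equals(tokenTypeUri)) {
            keyIdValueType = MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE;
        } else if ("urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenTypeUri)) {
            keyIdValueType = MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE;
        }
        SecurityTokenReference str = WSTrustUtil.createSecurityTokenReference(assertionId, keyIdValueType);
        RequestedAttachedReference attachedRef = this.eleFac.createRequestedAttachedReference(str);
        RequestedUnattachedReference unattachedRef = this.eleFac.createRequestedUnattachedReference(str);

        try {
            // The RST context is client-supplied; an invalid URI is reported as WST_0014.
            URI rstContext = rst.getContext() != null ? new URI(rst.getContext()) : null;
            long created = WSTrustUtil.getCurrentTimeWithOffset();
            // The RSTR echoes the token type as requested (possibly null), not the resolved one.
            RequestSecurityTokenResponse rstr = this.eleFac.createRSTRForIssue(rst.getTokenType(), rstContext, requestedToken, appliesTo, attachedRef, unattachedRef, proofToken, serverEntropy, WSTrustUtil.createLifetime(created, this.stsConfig.getIssuedTokenTimeout(), this.wstVer));
            if (keySize > 0) {
                rstr.setKeySize(keySize);
            }
            issuedTokenContext.setSecurityToken(samlAssertion);
            issuedTokenContext.setAttachedSecurityTokenReference(str);
            issuedTokenContext.setUnAttachedSecurityTokenReference(str);
            issuedTokenContext.setCreationTime(new Date(created));
            issuedTokenContext.setExpirationTime(new Date(created + this.stsConfig.getIssuedTokenTimeout()));
            if (!this.wstVer.getNamespaceURI().equals(WSTrustVersion.WS_TRUST_13.getNamespaceURI())) {
                return rstr;
            }
            // WS-Trust 1.3 wraps the response in an RSTR collection.
            List<RequestSecurityTokenResponse> responses = new ArrayList<RequestSecurityTokenResponse>();
            responses.add(rstr);
            return this.eleFac.createRSTRC(responses);
        } catch (URISyntaxException e2) {
            log.log(Level.SEVERE, LogStringsMessages.WST_0014_URI_SYNTAX(), (Throwable) e2);
            throw new WSTrustException(LogStringsMessages.WST_0014_URI_SYNTAX(), e2);
        }
    }

    /**
     * Not supported by this contract.
     *
     * @throws UnsupportedOperationException always
     */
    public BaseSTSResponse issueMultiple(BaseSTSRequest baseSTSRequest, IssuedTokenContext issuedTokenContext) throws WSTrustException {
        throw new UnsupportedOperationException("Unsupported operation: issueMultiple");
    }

    /**
     * Not supported by this contract.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.ws.api.security.trust.WSTrustContract
    public BaseSTSResponse renew(BaseSTSRequest baseSTSRequest, IssuedTokenContext issuedTokenContext) throws WSTrustException {
        throw new UnsupportedOperationException("Unsupported operation: renew");
    }

    /**
     * Not supported by this contract.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.ws.api.security.trust.WSTrustContract
    public BaseSTSResponse cancel(BaseSTSRequest baseSTSRequest, IssuedTokenContext issuedTokenContext, Map map) throws WSTrustException {
        throw new UnsupportedOperationException("Unsupported operation: cancel");
    }

    /**
     * Not supported by this contract.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.ws.api.security.trust.WSTrustContract
    public BaseSTSResponse validate(BaseSTSRequest baseSTSRequest, IssuedTokenContext issuedTokenContext) throws WSTrustException {
        throw new UnsupportedOperationException("Unsupported operation: validate");
    }

    /**
     * Not supported by this contract.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.ws.api.security.trust.WSTrustContract
    public void handleUnsolicited(BaseSTSResponse baseSTSResponse, IssuedTokenContext issuedTokenContext) throws WSTrustException {
        throw new UnsupportedOperationException("Unsupported operation: handleUnsolicited");
    }

    /**
     * Creates the SAML assertion for an issue request. Called by {@link #issue} after
     * authorization and proof-key establishment.
     *
     * @param str the AppliesTo service URI, or {@code null} if none was given
     * @param str2 the resolved token type URI
     * @param str3 the resolved key type URI
     * @param str4 the assertion id ({@code "uuid-"} followed by a random UUID)
     * @param str5 the issuer name from the STS configuration
     * @param map attributes returned by the STS attribute provider
     * @param issuedTokenContext the per-request context (carries the proof key or
     *        requestor certificate set by {@link #issue})
     * @return the assertion token
     * @throws WSTrustException if the assertion cannot be created
     */
    @Override // com.sun.xml.ws.api.security.trust.IssueSamlTokenContract
    public abstract Token createSAMLAssertion(String str, String str2, String str3, String str4, String str5, Map<QName, List<String>> map, IssuedTokenContext issuedTokenContext) throws WSTrustException;
}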
