package org.apache.ws.security.message;

import java.security.Key;
import java.security.KeyException;
import java.security.NoSuchProviderException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DOMX509Data;
import org.apache.ws.security.message.token.DOMX509IssuerSerial;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.kuali.kfs.module.tem.TemConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/wss4j-1.6.18.jar:org/apache/ws/security/message/WSSecSignature.class */
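/**
 * Builds a WS-Security XML Signature over selected parts of a SOAP message and
 * places it into the {@code wsse:Security} header.
 *
 * <p>The one-shot entry point is {@link #build(Document, Crypto, WSSecHeader)};
 * callers that need more control use {@link #prepare}, then
 * {@link #addReferencesToSign}, {@link #computeSignature} and one of the
 * BST helpers in that order.
 *
 * <p>Algorithm defaults are kept exactly as shipped for compatibility:
 * exclusive C14N, the SHA-1 digest and, when no signature algorithm is set,
 * RSA-SHA1 or DSA-SHA1 chosen from the signing key type. Deployments that need
 * SHA-2 based algorithms must set them explicitly with
 * {@link #setDigestAlgo(String)} and {@link #setSignatureAlgorithm(String)}.
 *
 * <p>Instances are stateful and not thread-safe: {@code prepare} populates the
 * fields that {@code computeSignature} later consumes.
 */
public class WSSecSignature extends WSSecSignatureBase {
    private static final Log log = LogFactory.getLog(WSSecSignature.class);

    /** JSR 105 mechanism type for the DOM-based signature and KeyInfo factories. */
    private static final String JSR105_MECHANISM = "DOM";
    /** Preferred JSR 105 provider (Apache Santuario); the JDK default is used when it is absent. */
    private static final String JSR105_PROVIDER = "ApacheXMLDSig";
    /** Exclusive XML canonicalization without comments; the default for SignedInfo. */
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    /** XML Signature namespace. */
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // ---- configuration ----------------------------------------------------
    /** Put a single X509 certificate into the BST instead of a PKIPath chain. */
    protected boolean useSingleCert = true;
    /** Signature algorithm URI; derived from the key type in getSigningCerts() when null. */
    protected String sigAlgo = null;
    /** Canonicalization algorithm URI applied to SignedInfo. */
    protected String canonAlgo = EXC_C14N;
    /** Digest algorithm URI used for every ds:Reference (default SHA-1, see class docs). */
    private String digestAlgo = "http://www.w3.org/2000/09/xmldsig#sha1";
    /** Symmetric signing key; when set, the keystore private key is not used. */
    protected byte[] secretKey = null;
    /** ValueType / id used by the custom key-identifier modes (types 9, 11, 12). */
    protected String customTokenValueType;
    protected String customTokenId;
    /** Pre-computed EncryptedKeySHA1 value for key-identifier type 10. */
    private String encrKeySha1value = null;
    /** Explicit certificate that bypasses the keystore alias lookup. */
    private X509Certificate useThisCert = null;
    /** Set by setSecurityTokenReference(): the caller supplies the STR, so prepare() does not build one. */
    private boolean useCustomSecRef;

    // ---- state populated by prepare() / computeSignature() -------------------
    protected byte[] signatureValue = null;
    protected Document document = null;
    protected WSDocInfo wsDocInfo = null;
    protected String certUri = null;
    protected String keyInfoUri = null;
    protected SecurityTokenReference secRef = null;
    protected String strUri = null;
    protected BinarySecurity bstToken = null;
    protected KeyInfoFactory keyInfoFactory;
    protected XMLSignatureFactory signatureFactory;
    protected KeyInfo keyInfo;
    protected CanonicalizationMethod c14nMethod;
    protected XMLSignature sig;
    private Crypto crypto = null;
    private Element securityHeader = null;
    /** Guards against inserting the BST element into the header twice. */
    private boolean bstAddedToSecurityHeader = false;

    /** Creates a signer with the default {@link WSSConfig}. */
    public WSSecSignature() {
        init();
    }

    /**
     * Creates a signer with an explicit configuration.
     *
     * @param wSSConfig configuration (BSP compliance, id allocator, ...)
     */
    public WSSecSignature(WSSConfig wSSConfig) {
        super(wSSConfig);
        init();
    }

    /**
     * Obtains the JSR 105 factories, preferring the Apache provider and falling
     * back to whatever the JDK registers for the DOM mechanism.
     */
    private void init() {
        try {
            this.signatureFactory = XMLSignatureFactory.getInstance(JSR105_MECHANISM, JSR105_PROVIDER);
        } catch (NoSuchProviderException e) {
            this.signatureFactory = XMLSignatureFactory.getInstance(JSR105_MECHANISM);
        }
        try {
            this.keyInfoFactory = KeyInfoFactory.getInstance(JSR105_MECHANISM, JSR105_PROVIDER);
        } catch (NoSuchProviderException e) {
            this.keyInfoFactory = KeyInfoFactory.getInstance(JSR105_MECHANISM);
        }
    }

    /**
     * Prepares everything the signature needs except the references: resolves the
     * signing certificate(s), sets up the canonicalization method, builds the
     * SecurityTokenReference according to {@code keyIdentifierType} and wraps it
     * into the KeyInfo.
     *
     * @param document    the SOAP document to sign
     * @param crypto      keystore access used for certificate and private-key lookup
     * @param wSSecHeader the security header the signature will be placed in
     * @throws WSSecurityException if no usable certificate is found, the key
     *                             identifier type is unsupported, or the JSR 105
     *                             objects cannot be created ({@code noXMLSig})
     */
    public void prepare(Document document, Crypto crypto, WSSecHeader wSSecHeader) throws WSSecurityException {
        this.crypto = crypto;
        this.document = document;
        this.wsDocInfo = new WSDocInfo(document);
        this.wsDocInfo.setCrypto(crypto);
        this.securityHeader = wSSecHeader.getSecurityHeader();
        // Deliberately outside the try below so its precise error codes are not re-wrapped.
        X509Certificate[] signingCerts = getSigningCerts();
        try {
            ExcC14NParameterSpec c14nSpec = null;
            if (getWsConfig().isWsiBSPCompliant() && EXC_C14N.equals(this.canonAlgo)) {
                // BSP: exclusive C14N of SignedInfo must carry an InclusiveNamespaces prefix list
                c14nSpec = new ExcC14NParameterSpec(getInclusivePrefixes(wSSecHeader.getSecurityHeader(), false));
            }
            this.c14nMethod = this.signatureFactory.newCanonicalizationMethod(this.canonAlgo, c14nSpec);
            this.keyInfoUri = getWsConfig().getIdAllocator().createSecureId("KI-", this.keyInfo);
            if (!this.useCustomSecRef) {
                this.secRef = new SecurityTokenReference(document);
                this.strUri = getWsConfig().getIdAllocator().createSecureId("STR-", this.secRef);
                this.secRef.setID(this.strUri);
                populateSecurityTokenReference(signingCerts);
            }
            // 13 = KEY_VALUE builds its KeyInfo directly from the public key; every other
            // type references the STR element from the KeyInfo.
            if (this.keyIdentifierType != 13) {
                DOMStructure strStructure = new DOMStructure(this.secRef.getElement());
                this.wsDocInfo.addTokenElement(this.secRef.getElement(), false);
                this.keyInfo = this.keyInfoFactory.newKeyInfo(Collections.singletonList(strStructure), this.keyInfoUri);
            }
        } catch (WSSecurityException e) {
            // Keep the specific error (e.g. "unsupportedKeyId") instead of masking it as "noXMLSig".
            throw e;
        } catch (Exception e) {
            log.error("", e);
            throw new WSSecurityException(10, "noXMLSig", null, e);
        }
    }

    /**
     * Fills {@link #secRef} (and, for direct references, {@link #bstToken}) for the
     * configured {@code keyIdentifierType}. Case labels are the numeric values of
     * the {@code WSConstants} key-identifier constants.
     *
     * @param signingCerts certificates from {@link #getSigningCerts()}; {@code null}
     *                     for the symmetric/custom types (9-12), which never read it
     * @throws WSSecurityException for an unsupported key identifier type
     * @throws KeyException        if a KeyValue cannot be built from the public key
     */
    private void populateSecurityTokenReference(X509Certificate[] signingCerts)
            throws WSSecurityException, KeyException {
        switch (this.keyIdentifierType) {
            case 1: { // BST_DIRECT_REFERENCE
                Reference reference = new Reference(this.document);
                reference.setURI("#" + this.certUri);
                if (this.useSingleCert) {
                    this.bstToken = new X509Security(this.document);
                    ((X509Security) this.bstToken).setX509Certificate(signingCerts[0]);
                } else {
                    this.bstToken = new PKIPathSecurity(this.document);
                    ((PKIPathSecurity) this.bstToken).setX509Certificates(signingCerts, this.crypto);
                    this.secRef.addTokenType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1");
                }
                // A fresh BST element has not been placed in the header yet.
                this.bstAddedToSecurityHeader = false;
                reference.setValueType(this.bstToken.getValueType());
                this.secRef.setReference(reference);
                this.bstToken.setID(this.certUri);
                this.wsDocInfo.addTokenElement(this.bstToken.getElement(), false);
                break;
            }
            case 2: // ISSUER_SERIAL
                this.secRef.setX509Data(new DOMX509Data(this.document,
                        new DOMX509IssuerSerial(this.document,
                                signingCerts[0].getIssuerX500Principal().getName(),
                                signingCerts[0].getSerialNumber())));
                break;
            case 3: // X509_KEY_IDENTIFIER
                this.secRef.setKeyIdentifier(signingCerts[0]);
                break;
            case 4: // SKI_KEY_IDENTIFIER
                this.secRef.setKeyIdentifierSKI(signingCerts[0], this.crypto);
                break;
            case 8: // THUMBPRINT_IDENTIFIER
                this.secRef.setKeyIdentifierThumb(signingCerts[0]);
                break;
            case 9: // CUSTOM_SYMMETRIC_SIGNING: local reference to a token in this message
                this.secRef.setReference(newCustomTokenReference("#" + this.customTokenId));
                break;
            case 10: // ENCRYPTED_KEY_SHA1_IDENTIFIER
                if (this.encrKeySha1value != null) {
                    this.secRef.setKeyIdentifierEncKeySHA1(this.encrKeySha1value);
                } else {
                    this.secRef.setKeyIdentifierEncKeySHA1(Base64.encode(WSSecurityUtil.generateDigest(this.secretKey)));
                }
                this.secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
                break;
            case 11: // CUSTOM_SYMMETRIC_SIGNING_DIRECT: the id is used as the URI verbatim
                this.secRef.setReference(newCustomTokenReference(this.customTokenId));
                break;
            case 12: // CUSTOM_KEY_IDENTIFIER
                populateCustomKeyIdentifier();
                break;
            case 13: // KEY_VALUE: embed the public key, no STR is referenced
                this.keyInfo = this.keyInfoFactory.newKeyInfo(
                        Collections.singletonList(this.keyInfoFactory.newKeyValue(signingCerts[0].getPublicKey())),
                        this.keyInfoUri);
                break;
            default: // 5, 6, 7 and anything else are not supported for signing
                throw new WSSecurityException(0, "unsupportedKeyId");
        }
    }

    /**
     * Builds a {@code wsse:Reference} for the custom token types, also recording the
     * matching TokenType on {@link #secRef}. Shared by key-identifier types 9 and 11,
     * which differ only in whether the URI is a local ({@code #}) reference.
     *
     * @param uri the reference URI to set
     * @return the populated reference
     */
    private Reference newCustomTokenReference(String uri) {
        Reference reference = new Reference(this.document);
        if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(this.customTokenValueType)) {
            this.secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
            reference.setValueType(this.customTokenValueType);
        } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(this.customTokenValueType)) {
            // SAML 2 carries the TokenType only; no ValueType on the Reference element
            this.secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
        } else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(this.customTokenValueType)) {
            this.secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
            reference.setValueType(this.customTokenValueType);
        } else if (KerberosSecurity.isKerberosToken(this.customTokenValueType)) {
            this.secRef.addTokenType(this.customTokenValueType);
            reference.setValueType(this.customTokenValueType);
        } else {
            reference.setValueType(this.customTokenValueType);
        }
        reference.setURI(uri);
        return reference;
    }

    /**
     * Sets a {@code wsse:KeyIdentifier} on {@link #secRef} for key-identifier type 12.
     * Unknown custom value types leave the STR untouched, as before.
     */
    private void populateCustomKeyIdentifier() {
        String valueType = this.customTokenValueType;
        if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)) {
            this.secRef.setKeyIdentifier(valueType, this.customTokenId);
            this.secRef.addTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
        } else if (WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
            this.secRef.setKeyIdentifier(valueType, this.customTokenId);
            this.secRef.addTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
        } else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(valueType)) {
            // third argument marks the identifier value as already Base64-encoded
            this.secRef.setKeyIdentifier(valueType, this.customTokenId, true);
            this.secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        } else if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
            this.secRef.setKeyIdentifier(valueType, this.customTokenId, true);
            this.secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        } else if (WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
            this.secRef.setKeyIdentifier(valueType, this.customTokenId, true);
            this.secRef.addTokenType("http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ");
        }
    }

    /**
     * Signs the document in one step: prepares, signs the configured parts (or the
     * SOAP Body when none are set), and prepends the BST to the header if one was
     * created.
     *
     * @param document    the SOAP document to sign
     * @param crypto      keystore access
     * @param wSSecHeader the security header to place the signature in
     * @return the same document, now signed
     * @throws WSSecurityException on any preparation or signing failure
     */
    public Document build(Document document, Crypto crypto, WSSecHeader wSSecHeader) throws WSSecurityException {
        this.doDebug = log.isDebugEnabled();
        if (this.doDebug) {
            log.debug("Beginning signing...");
        }
        prepare(document, crypto, wSSecHeader);
        if (this.parts == null) {
            this.parts = new ArrayList<WSEncryptionPart>(1);
            this.parts.add(new WSEncryptionPart("Body",
                    WSSecurityUtil.getSOAPNamespace(document.getDocumentElement()), "Content"));
        } else {
            // An STRTransform part without an explicit id targets the STR built in prepare().
            for (WSEncryptionPart part : this.parts) {
                if ("STRTransform".equals(part.getName()) && part.getId() == null) {
                    part.setId(this.strUri);
                }
            }
        }
        computeSignature(addReferencesToSign(this.parts, wSSecHeader));
        if (this.bstToken != null) {
            prependBSTElementToHeader(wSSecHeader);
        }
        return document;
    }

    /**
     * Creates the {@code ds:Reference} list for the given parts using this
     * instance's document, factory and digest algorithm.
     *
     * @param list        parts to sign
     * @param wSSecHeader the security header
     * @return the references, ready for {@link #computeSignature(List)}
     * @throws WSSecurityException if a part cannot be located or referenced
     */
    public List<javax.xml.crypto.dsig.Reference> addReferencesToSign(List<WSEncryptionPart> list, WSSecHeader wSSecHeader)
            throws WSSecurityException {
        return addReferencesToSign(this.document, list, this.wsDocInfo, this.signatureFactory,
                wSSecHeader, getWsConfig(), this.digestAlgo);
    }

    /**
     * @return the {@code ds:Signature} element that is a direct child of the
     *         security header, or {@code null} if none exists yet
     */
    public Element getSignatureElement() {
        return WSSecurityUtil.getDirectChildElement(this.securityHeader, "Signature", DSIG_NS);
    }

    /**
     * Inserts the BinarySecurityToken as the first child of the security header.
     * A no-op when there is no BST or it was already added.
     *
     * @param wSSecHeader the security header
     */
    public void prependBSTElementToHeader(WSSecHeader wSSecHeader) {
        if (this.bstToken == null || this.bstAddedToSecurityHeader) {
            return;
        }
        WSSecurityUtil.prependChildElement(wSSecHeader.getSecurityHeader(), this.bstToken.getElement());
        this.bstAddedToSecurityHeader = true;
    }

    /**
     * Appends the BinarySecurityToken as the last child of the security header.
     * A no-op when there is no BST or it was already added.
     *
     * @param wSSecHeader the security header
     */
    public void appendBSTElementToHeader(WSSecHeader wSSecHeader) {
        if (this.bstToken == null || this.bstAddedToSecurityHeader) {
            return;
        }
        wSSecHeader.getSecurityHeader().appendChild(this.bstToken.getElement());
        this.bstAddedToSecurityHeader = true;
    }

    /**
     * Computes the signature and prepends it to the security header.
     *
     * @param list references to sign
     * @throws WSSecurityException on signing failure
     */
    public void computeSignature(List<javax.xml.crypto.dsig.Reference> list) throws WSSecurityException {
        computeSignature(list, true, null);
    }

    /**
     * Computes the signature over {@code list} and inserts the {@code ds:Signature}
     * element into the security header.
     *
     * @param list           references to sign
     * @param prepend        when {@code true} the signature is inserted before
     *                       {@code siblingElement} (or before the header's first
     *                       element child when that is {@code null}); otherwise it
     *                       is appended
     * @param siblingElement insertion point used only when {@code prepend} is set
     * @throws WSSecurityException wrapping any key-lookup or JSR 105 failure
     */
    public void computeSignature(List<javax.xml.crypto.dsig.Reference> list, boolean prepend, Element siblingElement)
            throws WSSecurityException {
        try {
            // Without a configured secret key the private key is fetched from the keystore
            // using the inherited user/password; otherwise the secret key is prepared for sigAlgo.
            Key signingKey = this.secretKey == null
                    ? this.crypto.getPrivateKey(this.user, this.password)
                    : WSSecurityUtil.prepareSecretKey(this.sigAlgo, this.secretKey);
            this.sig = this.signatureFactory.newXMLSignature(
                    this.signatureFactory.newSignedInfo(this.c14nMethod,
                            this.signatureFactory.newSignatureMethod(this.sigAlgo, null), list),
                    this.keyInfo, null, getWsConfig().getIdAllocator().createId("SIG-", null), null);

            DOMSignContext signContext;
            if (prepend) {
                if (siblingElement == null) {
                    siblingElement = firstChildElement(this.securityHeader);
                }
                signContext = siblingElement == null
                        ? new DOMSignContext(signingKey, this.securityHeader)
                        : new DOMSignContext(signingKey, this.securityHeader, siblingElement);
            } else {
                signContext = new DOMSignContext(signingKey, this.securityHeader);
            }
            signContext.putNamespacePrefix(DSIG_NS, "ds");
            if (EXC_C14N.equals(this.canonAlgo)) {
                signContext.putNamespacePrefix(EXC_C14N, WSConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX);
            }
            // STRTransform and id resolution during signing read these from the context.
            signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, this.wsDocInfo);
            this.wsDocInfo.setCallbackLookup(this.callbackLookup);
            this.wsDocInfo.setTokensOnContext(signContext);
            if (this.secRef != null && this.secRef.getElement() != null) {
                WSSecurityUtil.storeElementInContext(signContext, this.secRef.getElement());
            }
            this.sig.sign(signContext);
            this.signatureValue = this.sig.getSignatureValue().getValue();
        } catch (Exception e) {
            // Log with the throwable so the stack trace is kept (consistent with prepare()).
            log.error("", e);
            throw new WSSecurityException(10, null, null, e);
        }
    }

    /**
     * Returns the first child of {@code parent} that is an element, skipping text,
     * comment and other node types.
     *
     * @param parent node to scan
     * @return the first element child, or {@code null} if there is none
     */
    private static Element firstChildElement(Node parent) {
        Node child = parent.getFirstChild();
        while (child != null && child.getNodeType() != Node.ELEMENT_NODE) {
            child = child.getNextSibling();
        }
        return (Element) child;
    }

    /** @param z {@code true} for a single X509 BST, {@code false} for a PKIPath chain */
    public void setUseSingleCertificate(boolean z) {
        this.useSingleCert = z;
    }

    /** @return whether a single certificate (rather than a PKIPath) is used */
    public boolean isUseSingleCertificate() {
        return this.useSingleCert;
    }

    /** @param str signature algorithm URI; {@code null} selects RSA-SHA1/DSA-SHA1 from the key type */
    public void setSignatureAlgorithm(String str) {
        this.sigAlgo = str;
    }

    /** @return the signature algorithm URI, or {@code null} before auto-detection */
    public String getSignatureAlgorithm() {
        return this.sigAlgo;
    }

    /** @param str canonicalization algorithm URI for SignedInfo */
    public void setSigCanonicalization(String str) {
        this.canonAlgo = str;
    }

    /** @return the canonicalization algorithm URI */
    public String getSigCanonicalization() {
        return this.canonAlgo;
    }

    /** @return the digest algorithm URI applied to each reference */
    public String getDigestAlgo() {
        return this.digestAlgo;
    }

    /** @param str digest algorithm URI applied to each reference */
    public void setDigestAlgo(String str) {
        this.digestAlgo = str;
    }

    /** @return the raw signature bytes, or {@code null} before signing */
    public byte[] getSignatureValue() {
        return this.signatureValue;
    }

    /** @return the {@code ds:Signature} Id, or {@code null} before signing */
    public String getId() {
        return this.sig == null ? null : this.sig.getId();
    }

    /** @return the BinarySecurityToken Id, or {@code null} when no BST exists */
    public String getBSTTokenId() {
        return this.bstToken == null ? null : this.bstToken.getID();
    }

    /** @param bArr symmetric key bytes for secret-key signing; {@code null} reverts to the keystore key */
    public void setSecretKey(byte[] bArr) {
        this.secretKey = bArr;
    }

    /** @param str ValueType for the custom key-identifier modes */
    public void setCustomTokenValueType(String str) {
        this.customTokenValueType = str;
    }

    /** @param str token id for the custom key-identifier modes */
    public void setCustomTokenId(String str) {
        this.customTokenId = str;
    }

    /** @param str pre-computed EncryptedKeySHA1 value for key-identifier type 10 */
    public void setEncrKeySha1value(String str) {
        this.encrKeySha1value = str;
    }

    /**
     * Uses the given certificate instead of looking one up by the user alias.
     * The private key is still fetched from {@link Crypto} by alias.
     *
     * @param x509Certificate the signing certificate
     */
    public void setX509Certificate(X509Certificate x509Certificate) {
        this.useThisCert = x509Certificate;
    }

    /** @return the BinarySecurityToken element, or {@code null} when none exists */
    public Element getBinarySecurityTokenElement() {
        return this.bstToken == null ? null : this.bstToken.getElement();
    }

    /** @return the wsu:Id of the SecurityTokenReference built in prepare() */
    public String getSecurityTokenReferenceURI() {
        return this.strUri;
    }

    /** @return the SecurityTokenReference used in the KeyInfo */
    public SecurityTokenReference getSecurityTokenReference() {
        return this.secRef;
    }

    /**
     * Supplies a ready-made SecurityTokenReference; prepare() will then not build one.
     *
     * @param securityTokenReference the STR to reference from KeyInfo
     */
    public void setSecurityTokenReference(SecurityTokenReference securityTokenReference) {
        this.useCustomSecRef = true;
        this.secRef = securityTokenReference;
    }

    /**
     * Resolves the signing certificate chain, assigns {@link #certUri} and, when
     * no signature algorithm is configured, picks one from the public key type.
     *
     * @return the certificates, or {@code null} for the symmetric/custom key
     *         identifier types (9, 10, 11, 12) that do not use a certificate
     * @throws WSSecurityException if no Crypto is set, no certificate is found for
     *                             the user alias, or the key type is neither RSA nor DSA
     */
    private X509Certificate[] getSigningCerts() throws WSSecurityException {
        if (this.keyIdentifierType == 9 || this.keyIdentifierType == 11
                || this.keyIdentifierType == 10 || this.keyIdentifierType == 12) {
            return null;
        }
        X509Certificate[] certs;
        if (this.useThisCert != null) {
            certs = new X509Certificate[]{this.useThisCert};
        } else {
            if (this.crypto == null) {
                throw new WSSecurityException(0, "noSigCryptoFile");
            }
            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(this.user);
            certs = this.crypto.getX509Certificates(cryptoType);
        }
        if (certs == null || certs.length == 0) {
            throw new WSSecurityException(0, "noUserCertsFound", new Object[]{this.user, "signature"});
        }
        this.certUri = getWsConfig().getIdAllocator().createSecureId("X509-", certs[0]);
        if (this.sigAlgo == null) {
            // Legacy defaults: SHA-1 based algorithms are selected here for compatibility.
            String keyAlgorithm = certs[0].getPublicKey().getAlgorithm();
            log.debug("Automatic signature algorithm detection: " + keyAlgorithm);
            if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
                this.sigAlgo = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
            } else if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
                this.sigAlgo = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
            } else {
                throw new WSSecurityException(0, "unknownSignatureAlgorithm", new Object[]{keyAlgorithm});
            }
        }
        return certs;
    }
}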
