package org.apache.cxf.ws.security.wss4j.policyhandlers;

import java.time.Instant;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import javax.xml.crypto.dsig.Reference;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.SOAPPart;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
import org.apache.cxf.ws.security.wss4j.StaxSerializer;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecBase;
import org.apache.wss4j.dom.message.WSSecDKEncrypt;
import org.apache.wss4j.dom.message.WSSecDKSign;
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.wss4j.policy.model.SecureConversationToken;
import org.apache.wss4j.policy.model.SecurityContextToken;
import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.SymmetricBinding;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.2.6.jar:org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.class */
public class SymmetricBindingHandler extends AbstractBindingBuilder {
    private final SymmetricBinding sbinding;
    private final TokenStore tokenStore;

    /**
     * Creates a handler that applies a WS-SecurityPolicy {@code SymmetricBinding} to an outbound message.
     *
     * @param wSSConfig        WSS4J engine configuration, forwarded to the base builder
     * @param symmetricBinding the binding assertion being applied
     * @param sOAPMessage      the SAAJ message that is being secured
     * @param wSSecHeader      the WS-Security header under construction
     * @param assertionInfoMap assertion map used for assert/unassert bookkeeping
     * @param soapMessage      the CXF message carrying the exchange context
     * @throws SOAPException propagated from the base builder
     */
    public SymmetricBindingHandler(WSSConfig wSSConfig, SymmetricBinding symmetricBinding, SOAPMessage sOAPMessage, WSSecHeader wSSecHeader, AssertionInfoMap assertionInfoMap, SoapMessage soapMessage) throws SOAPException {
        super(wSSConfig, symmetricBinding, sOAPMessage, wSSecHeader, assertionInfoMap, soapMessage);
        // Keep a typed view of the binding; the base class only sees the abstract binding.
        sbinding = symmetricBinding;
        protectionOrder = symmetricBinding.getProtectionOrder();
        // Token store lookups (EncryptedKey / derived UT keys) happen later in the handler.
        tokenStore = getTokenStore();
    }

    /**
     * Returns the token wrapper used for signing: the binding's ProtectionToken when one is
     * defined, otherwise its dedicated SignatureToken.
     */
    private AbstractTokenWrapper getSignatureToken() {
        AbstractTokenWrapper protection = sbinding.getProtectionToken();
        if (protection != null) {
            return protection;
        }
        return sbinding.getSignatureToken();
    }

    /**
     * Returns the token wrapper used for encryption: the binding's ProtectionToken when one is
     * defined, otherwise its dedicated EncryptionToken.
     */
    private AbstractTokenWrapper getEncryptionToken() {
        AbstractTokenWrapper protection = sbinding.getProtectionToken();
        if (protection != null) {
            return protection;
        }
        return sbinding.getEncryptionToken();
    }

    /**
     * Entry point: secures the outbound message according to the symmetric binding.
     * <p>
     * Adds the timestamp and layout, runs the protection steps in the order the binding
     * requests (EncryptBeforeSigning or SignBeforeEncrypting), moves the timestamp to its final
     * position and then asserts the remaining binding-level policy assertions.
     */
    public void handleBinding() {
        handleLayout(createTimestamp());
        QName bindingName = sbinding.getName();
        assertPolicy(bindingName);
        String ns = bindingName.getNamespaceURI();

        boolean encryptFirst = sbinding.getProtectionOrder()
            == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning;
        if (encryptFirst) {
            doEncryptBeforeSign();
            assertPolicy(new QName(ns, SPConstants.ENCRYPT_BEFORE_SIGNING));
        } else {
            doSignBeforeEncrypt();
            assertPolicy(new QName(ns, SPConstants.SIGN_BEFORE_ENCRYPTING));
        }

        reshuffleTimestamp();
        assertAlgorithmSuite(sbinding.getAlgorithmSuite());
        assertWSSProperties(ns);
        assertTrustProperties(ns);
        assertPolicy(new QName(ns, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
    }

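    /**
     * Applies the binding with the EncryptBeforeSigning protection order.
     * <p>
     * Resolves the symmetric key (out-of-band token, EncryptedKey or UsernameToken-derived key),
     * encrypts the encrypted parts, signs the signed parts plus the timestamp and supporting
     * tokens, and finally encrypts the signature / signature confirmations / requestor-side
     * encrypted tokens with the same key when the policy asks for it.
     * <p>
     * Changes from the decompiled original: the part lists are typed instead of raw, a missing
     * token or token id now unasserts the policy (as {@code doSignBeforeEncrypt} already does)
     * instead of failing later with a {@code NullPointerException}, and a second encryption pass
     * without an encryption context unasserts the binding instead of dereferencing {@code null}.
     *
     * @throws Fault wrapping any checked exception raised by WSS4J; runtime exceptions are
     *               logged at FINE and rethrown unchanged
     */
    private void doEncryptBeforeSign() {
        try {
            AbstractTokenWrapper encryptionToken = getEncryptionToken();
            assertTokenWrapper(encryptionToken);
            AbstractToken token = encryptionToken.getToken();
            if (token == null) {
                // The original skipped the whole method on a null token; keep that behaviour.
                return;
            }

            String tokenId = null;
            SecurityToken securityToken = null;
            if (token instanceof IssuedToken || token instanceof KerberosToken
                || token instanceof SecureConversationToken || token instanceof SecurityContextToken
                || token instanceof SpnegoContextToken) {
                // Obtained out-of-band (STS, KDC, SecureConversation); already resolved to a SecurityToken.
                securityToken = getSecurityToken();
            } else if (token instanceof X509Token) {
                if (isRequestor()) {
                    tokenId = setupEncryptedKey(encryptionToken, token);
                } else {
                    securityToken = getEncryptedKey();
                }
            } else if (token instanceof UsernameToken) {
                if (isRequestor()) {
                    tokenId = setupUTDerivedKey((UsernameToken) token);
                } else {
                    securityToken = getUTDerivedKey();
                }
            }

            if (securityToken == null && StringUtils.isEmpty(tokenId)) {
                // Same guard as doSignBeforeEncrypt: nothing to encrypt with, so unassert rather
                // than look up a null id and crash on the result.
                unassertPolicy(encryptionToken, "No encryption token id");
                return;
            }
            if (securityToken == null) {
                // setupEncryptedKey/setupUTDerivedKey may hand back a fragment reference ("#id").
                if (tokenId.startsWith("#")) {
                    tokenId = tokenId.substring(1);
                }
                securityToken = tokenStore.getToken(tokenId);
                if (securityToken == null) {
                    // Previously fell through to a NullPointerException on securityToken.getToken().
                    unassertPolicy(encryptionToken, "Encryption token " + tokenId + " not found in the TokenStore");
                    return;
                }
            }

            // When the token (or the EncryptedKey that carries it) is sent in the header, later
            // references to the key are local rather than external.
            boolean tokenIncluded = false;
            if (isTokenRequired(token.getIncludeTokenType())
                || (token instanceof X509Token && isRequestor())) {
                addEncryptedKeyElement(cloneElement(securityToken.getToken()));
                tokenIncluded = true;
            }

            List<WSEncryptionPart> signedParts = new ArrayList<>();
            if (timestampEl != null) {
                signedParts.add(convertToEncryptionPart(timestampEl.getElement()));
            }
            addSupportingTokens(signedParts);
            signedParts.addAll(getSignedParts(null));

            // Encrypt first; the encryptor is kept so the signature can be encrypted with the same key below.
            List<WSEncryptionPart> encryptedParts = getEncryptedParts();
            WSSecBase encr = doEncryption(encryptionToken, securityToken, tokenIncluded, encryptedParts, true);
            handleEncryptedSignedHeaders(encryptedParts, signedParts);

            if (!isRequestor()) {
                addSignatureConfirmation(signedParts);
            }
            if (!signedParts.isEmpty()) {
                addSig(doSignature(signedParts, encryptionToken, token, securityToken, tokenIncluded));
            }
            if (isRequestor()) {
                doEndorse();
            }

            if (sbinding.isEncryptSignature() || (!encryptedTokensList.isEmpty() && isRequestor())) {
                List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
                if (sbinding.isEncryptSignature()) {
                    if (mainSigId != null) {
                        WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                        sigPart.setElement(bottomUpElement);
                        secondEncrParts.add(sigPart);
                    }
                    if (sigConfList != null && !sigConfList.isEmpty()) {
                        secondEncrParts.addAll(sigConfList);
                    }
                    assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
                }
                if (isRequestor()) {
                    secondEncrParts.addAll(encryptedTokensList);
                }

                if (!secondEncrParts.isEmpty()) {
                    if (encr == null) {
                        // doEncryption returns null when it had no parts or failed (and already
                        // unasserted the token); there is no context to encrypt the signature with.
                        unassertPolicy(sbinding, "Signature encryption requested but no encryption context was created");
                        return;
                    }
                    Element secondRefList;
                    if (token.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys) {
                        secondRefList = ((WSSecDKEncrypt) encr).encryptForExternalRef(null, secondEncrParts);
                    } else {
                        secondRefList = ((WSSecEncrypt) encr).encryptForRef(null, secondEncrParts);
                    }
                    if (secondRefList != null) {
                        addDerivedKeyElement(secondRefList);
                    }
                }
            }
        } catch (RuntimeException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw e;
        } catch (Exception e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw new Fault(e);
        }
    }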

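    /**
     * Applies the binding with the SignBeforeEncrypting protection order.
     * <p>
     * Resolves the symmetric signing key, signs the signed parts (timestamp, supporting tokens,
     * policy-selected parts; the responder also adds SignatureConfirmation), checks that the
     * encryption token is the same policy token, then encrypts the encrypted parts together with
     * the signature / signature confirmations / requestor-side encrypted tokens when requested.
     * <p>
     * Changes from the decompiled original: typed part lists, a token id that is not found in
     * the TokenStore unasserts the policy instead of causing a {@code NullPointerException}, and
     * runtime exceptions are rethrown as-is (matching {@code doEncryptBeforeSign}) rather than
     * being wrapped in a second {@link Fault}.
     *
     * @throws Fault wrapping any checked exception raised by WSS4J
     */
    private void doSignBeforeEncrypt() {
        AbstractTokenWrapper signatureToken = getSignatureToken();
        assertTokenWrapper(signatureToken);
        AbstractToken token = signatureToken.getToken();
        String tokenId = null;
        SecurityToken securityToken = null;
        try {
            if (token == null) {
                unassertPolicy(sbinding, "No signature token");
                return;
            }

            if (token instanceof SecureConversationToken || token instanceof SecurityContextToken
                || token instanceof IssuedToken || token instanceof KerberosToken
                || token instanceof SpnegoContextToken) {
                // Obtained out-of-band (STS, KDC, SecureConversation); already resolved to a SecurityToken.
                securityToken = getSecurityToken();
            } else if (token instanceof X509Token) {
                if (isRequestor()) {
                    tokenId = setupEncryptedKey(signatureToken, token);
                } else {
                    securityToken = getEncryptedKey();
                }
            } else if (token instanceof UsernameToken) {
                if (isRequestor()) {
                    tokenId = setupUTDerivedKey((UsernameToken) token);
                } else {
                    securityToken = getUTDerivedKey();
                }
            }

            if (securityToken == null && StringUtils.isEmpty(tokenId)) {
                unassertPolicy(signatureToken, "No signature token id");
                return;
            }
            assertPolicy(signatureToken);
            if (securityToken == null) {
                // NOTE(review): unlike doEncryptBeforeSign, no leading '#' is stripped here; the
                // ids returned by setupEncryptedKey/setupUTDerivedKey are assumed to be bare — confirm.
                securityToken = tokenStore.getToken(tokenId);
                if (securityToken == null) {
                    // Previously fell through to a NullPointerException on securityToken.getToken().
                    unassertPolicy(signatureToken, "Signature token " + tokenId + " not found in the TokenStore");
                    return;
                }
            }

            // When the token (or the EncryptedKey that carries it) is sent in the header, later
            // references to the key are local rather than external.
            boolean tokenIncluded = true;
            if (isTokenRequired(token.getIncludeTokenType())
                || (isRequestor() && token instanceof X509Token)) {
                addEncryptedKeyElement(cloneElement(securityToken.getToken()));
            } else {
                tokenIncluded = false;
            }

            List<WSEncryptionPart> sigParts = new ArrayList<>();
            if (timestampEl != null) {
                sigParts.add(convertToEncryptionPart(timestampEl.getElement()));
            }
            addSupportingTokens(sigParts);
            sigParts.addAll(getSignedParts(null));

            if (isRequestor()) {
                if (!sigParts.isEmpty()) {
                    addSig(doSignature(sigParts, signatureToken, token, securityToken, tokenIncluded));
                }
                doEndorse();
            } else {
                // Responder: confirm the request signature(s); the signature value itself is not kept.
                addSignatureConfirmation(sigParts);
                if (!sigParts.isEmpty()) {
                    doSignature(sigParts, signatureToken, token, securityToken, tokenIncluded);
                }
            }

            // A symmetric binding reuses the signing key for encryption, so both policy tokens must match.
            AbstractTokenWrapper encryptionToken = getEncryptionToken();
            if (!token.equals(encryptionToken.getToken())) {
                unassertPolicy(sbinding, "Encryption token does not equal signature token");
                return;
            }

            List<WSEncryptionPart> encryptedParts = getEncryptedParts();
            if (sbinding.isEncryptSignature()) {
                if (mainSigId != null) {
                    WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                    sigPart.setElement(bottomUpElement);
                    encryptedParts.add(sigPart);
                }
                if (sigConfList != null && !sigConfList.isEmpty()) {
                    encryptedParts.addAll(sigConfList);
                }
                assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
            }
            if (isRequestor()) {
                encryptedParts.addAll(encryptedTokensList);
            }
            doEncryption(encryptionToken, securityToken, tokenIncluded, encryptedParts, false);
        } catch (RuntimeException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw e;
        } catch (Exception e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw new Fault(e);
        }
    }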

    /**
     * Encrypts {@code list} with a key derived from the security token's secret through a
     * WS-SecureConversation DerivedKeyToken ({@link WSSecDKEncrypt}).
     * <p>
     * The first half selects how the DerivedKeyToken references its base key: a reference
     * carried by the token (attached or unattached), a SHA-1 key identifier built here on the
     * responder side, or a plain id reference. The second half selects the ValueType advertised
     * for that reference from the token's type.
     *
     * @param abstractTokenWrapper policy wrapper; its SP version selects the WS-SC version
     * @param securityToken        runtime token holding the secret and any STR elements
     * @param abstractToken        policy token, drives the reference and ValueType choice
     * @param z                    whether the token is present in the header (value passed by
     *                             the callers' "token included" flag)
     * @param list                 parts to encrypt
     * @param z2                   forwarded to addAttachmentsForEncryption: {@code true} inserts
     *                             the results before the bottom-up element, {@code false} appends
     * @return the prepared encryptor, or {@code null} after unasserting the wrapper if any step failed
     */
    private WSSecBase doEncryptionDerived(AbstractTokenWrapper abstractTokenWrapper, SecurityToken securityToken, AbstractToken abstractToken, boolean z, List<WSEncryptionPart> list, boolean z2) {
        try {
            WSSecDKEncrypt wSSecDKEncrypt = new WSSecDKEncrypt(this.secHeader);
            wSSecDKEncrypt.setEncryptionSerializer(new StaxSerializer());
            wSSecDKEncrypt.setIdAllocator(this.wssConfig.getIdAllocator());
            wSSecDKEncrypt.setCallbackLookup(this.callbackLookup);
            wSSecDKEncrypt.setAttachmentCallbackHandler(new AttachmentCallbackHandler(this.message));
            wSSecDKEncrypt.setStoreBytesInAttachment(this.storeBytesInAttachment);
            wSSecDKEncrypt.setExpandXopInclude(isExpandXopInclude());
            wSSecDKEncrypt.setWsDocInfo(this.wsDocInfo);
            // SP 1.1 policies pair with the older WS-SecureConversation namespace
            // (1 is presumably ConversationConstants.VERSION_05_02 — confirm).
            if (abstractTokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
                wSSecDKEncrypt.setWscVersion(1);
            }
            // Base-key reference, in order of preference: STR supplied with the token,
            // SHA-1 key identifier (responder only), wsu:Id/id reference.
            if (z && securityToken.getAttachedReference() != null) {
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), cloneElement(securityToken.getAttachedReference()));
            } else if (securityToken.getUnattachedReference() != null) {
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), cloneElement(securityToken.getUnattachedReference()));
            } else if (!isRequestor() && securityToken.getSHA1() != null) {
                // Responder: the key was received in the request, so identify it by its SHA-1
                // (Kerberos AP-REQ SHA-1 or EncryptedKeySHA1) instead of re-sending it.
                SecurityTokenReference securityTokenReference = new SecurityTokenReference(this.saaj.getSOAPPart());
                String tokenType = securityToken.getTokenType();
                if (abstractToken instanceof KerberosToken) {
                    securityTokenReference.setKeyIdentifier("http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1", securityToken.getSHA1(), true);
                    if (tokenType == null) {
                        tokenType = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
                    }
                } else {
                    securityTokenReference.setKeyIdentifierEncKeySHA1(securityToken.getSHA1());
                    if (tokenType == null) {
                        tokenType = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
                    }
                }
                securityTokenReference.addTokenType(tokenType);
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), securityTokenReference.getElement());
            } else if (z) {
                // Token is in the header: reference it by wsu:Id, falling back to its id;
                // SecureConversation/SecurityContext tokens are referenced by id directly.
                String wsuId = securityToken.getWsuId();
                if (wsuId == null && ((abstractToken instanceof SecureConversationToken) || (abstractToken instanceof SecurityContextToken))) {
                    wSSecDKEncrypt.setTokenIdDirectId(true);
                    wsuId = securityToken.getId();
                } else if (wsuId == null) {
                    wsuId = securityToken.getId();
                }
                // NOTE(review): wsuId is still null here if the token has neither a wsu:Id nor an id — confirm that cannot happen.
                if (wsuId.startsWith("#")) {
                    wsuId = wsuId.substring(1);
                }
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), wsuId);
            } else {
                wSSecDKEncrypt.setTokenIdDirectId(true);
                wSSecDKEncrypt.setExternalKey(securityToken.getSecret(), securityToken.getId());
            }
            // ValueType of the reference: EncryptedKey (default when a SHA-1 is known), SAML 1.1/2.0,
            // UsernameToken, or whatever the token advertises.
            if (securityToken.getSHA1() != null) {
                String tokenType2 = securityToken.getTokenType();
                if (tokenType2 == null) {
                    tokenType2 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
                }
                wSSecDKEncrypt.setCustomValueType(tokenType2);
            } else {
                String tokenType3 = securityToken.getTokenType();
                if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".equals(tokenType3) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType3)) {
                    // 12 is presumably WSConstants.CUSTOM_KEY_IDENTIFIER — confirm against the WSS4J version in use.
                    wSSecDKEncrypt.setKeyIdentifierType(12);
                    wSSecDKEncrypt.setCustomValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID");
                } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".equals(tokenType3) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType3)) {
                    wSSecDKEncrypt.setKeyIdentifierType(12);
                    wSSecDKEncrypt.setCustomValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID");
                } else if (abstractToken instanceof UsernameToken) {
                    wSSecDKEncrypt.setCustomValueType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
                } else {
                    wSSecDKEncrypt.setCustomValueType(tokenType3);
                }
            }
            // Algorithm and derived-key length come from the policy's AlgorithmSuite (length is in bits).
            AlgorithmSuite.AlgorithmSuiteType algorithmSuiteType = this.sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
            wSSecDKEncrypt.setSymmetricEncAlgorithm(algorithmSuiteType.getEncryption());
            wSSecDKEncrypt.setDerivedKeyLength(algorithmSuiteType.getEncryptionDerivedKeyLength() / 8);
            wSSecDKEncrypt.prepare();
            addDerivedKeyElement(wSSecDKEncrypt.getdktElement());
            addAttachmentsForEncryption(z2, wSSecDKEncrypt.encryptForExternalRef(null, list), wSSecDKEncrypt.getAttachmentEncryptedDataElements());
            return wSSecDKEncrypt;
        } catch (Exception e) {
            // Broad catch: any failure (WSS4J or runtime) is logged at FINE, the token wrapper is
            // unasserted and null is returned; callers must not assume a non-null encryptor.
            LOG.log(Level.FINE, e.getMessage(), (Throwable) e);
            unassertPolicy(abstractTokenWrapper, e);
            return null;
        }
    }

    /**
     * Encrypts {@code list} with the symmetric key held by {@code securityToken}.
     * <p>
     * Delegates to {@link #doEncryptionDerived} when the policy requires derived keys; otherwise
     * configures a {@link WSSecEncrypt} that references the existing key (no new EncryptedKey is
     * generated) and emits EncryptedData for the requested parts and attachments.
     *
     * @param abstractTokenWrapper policy wrapper for the encryption token
     * @param securityToken        runtime token holding the secret, ids and references
     * @param z                    whether the token is present in the header (callers' "token included" flag)
     * @param list                 parts to encrypt; an empty list short-circuits to {@code null}
     * @param z2                   forwarded to addAttachmentsForEncryption: {@code true} inserts
     *                             the results before the bottom-up element, {@code false} appends
     * @return the prepared encryptor, or {@code null} when there is nothing to encrypt or when
     *         WSS4J failed (the wrapper is unasserted in that case). Callers that later cast the
     *         result (e.g. to encrypt the signature) must check for {@code null}.
     */
    private WSSecBase doEncryption(AbstractTokenWrapper abstractTokenWrapper, SecurityToken securityToken, boolean z, List<WSEncryptionPart> list, boolean z2) {
        if (abstractTokenWrapper == null || abstractTokenWrapper.getToken() == null || list.isEmpty()) {
            return null;
        }
        AbstractToken token = abstractTokenWrapper.getToken();
        assertPolicy(abstractTokenWrapper);
        assertPolicy(token);
        AlgorithmSuite algorithmSuite = this.sbinding.getAlgorithmSuite();
        if (token.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys) {
            return doEncryptionDerived(abstractTokenWrapper, securityToken, token, z, list, z2);
        }
        try {
            WSSecEncrypt wSSecEncrypt = new WSSecEncrypt(this.secHeader);
            wSSecEncrypt.setEncryptionSerializer(new StaxSerializer());
            wSSecEncrypt.setIdAllocator(this.wssConfig.getIdAllocator());
            wSSecEncrypt.setCallbackLookup(this.callbackLookup);
            wSSecEncrypt.setAttachmentCallbackHandler(new AttachmentCallbackHandler(this.message));
            wSSecEncrypt.setStoreBytesInAttachment(this.storeBytesInAttachment);
            wSSecEncrypt.setExpandXopInclude(isExpandXopInclude());
            wSSecEncrypt.setWsDocInfo(this.wsDocInfo);
            // Key reference id: when the token is in the header use its wsu:Id (without a leading
            // '#'), falling back to its id; otherwise reference the token id directly.
            String id = securityToken.getId();
            if (z) {
                id = securityToken.getWsuId();
                if (id == null && ((token instanceof SecureConversationToken) || (token instanceof SecurityContextToken))) {
                    wSSecEncrypt.setEncKeyIdDirectId(true);
                    id = securityToken.getId();
                } else if (id == null) {
                    id = securityToken.getId();
                }
                // NOTE(review): id is still null here if the token has neither a wsu:Id nor an id — confirm that cannot happen.
                if (id.startsWith("#")) {
                    id = id.substring(1);
                }
            } else {
                wSSecEncrypt.setEncKeyIdDirectId(true);
            }
            if (securityToken.getTokenType() != null) {
                wSSecEncrypt.setCustomReferenceValue(securityToken.getTokenType());
            }
            wSSecEncrypt.setEncKeyId(id);
            // The secret is the existing symmetric key; setEncryptSymmKey(false) below stops
            // WSS4J from wrapping it in a fresh EncryptedKey.
            wSSecEncrypt.setEphemeralKey(securityToken.getSecret());
            Crypto encryptionCrypto = getEncryptionCrypto();
            if (encryptionCrypto != null) {
                setEncryptionUser(wSSecEncrypt, token, false, encryptionCrypto);
            }
            wSSecEncrypt.setEncryptSymmKey(false);
            wSSecEncrypt.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
            wSSecEncrypt.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
            wSSecEncrypt.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
            // Reference style per token type. Key identifier type constants:
            // 12 is presumably WSConstants.CUSTOM_KEY_IDENTIFIER and 10 WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER — confirm.
            if ((token instanceof IssuedToken) || (token instanceof SpnegoContextToken) || (token instanceof SecureConversationToken)) {
                Element attachedReference = z ? securityToken.getAttachedReference() : securityToken.getUnattachedReference();
                String tokenType = securityToken.getTokenType();
                if (attachedReference != null) {
                    // Reuse the STR supplied with the token (e.g. by the STS) verbatim.
                    wSSecEncrypt.setSecurityTokenReference(new SecurityTokenReference(cloneElement(attachedReference), new BSPEnforcer()));
                } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".equals(tokenType) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType)) {
                    wSSecEncrypt.setCustomReferenceValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID");
                    wSSecEncrypt.setKeyIdentifierType(12);
                } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".equals(tokenType) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType)) {
                    wSSecEncrypt.setCustomReferenceValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID");
                    wSSecEncrypt.setKeyIdentifierType(12);
                } else {
                    wSSecEncrypt.setCustomReferenceValue(tokenType);
                    wSSecEncrypt.setKeyIdentifierType(12);
                }
            } else if (token instanceof UsernameToken) {
                wSSecEncrypt.setCustomReferenceValue("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
            } else if ((token instanceof KerberosToken) && !isRequestor()) {
                // Responder: identify the Kerberos session key by the AP-REQ SHA-1 received in the request.
                wSSecEncrypt.setCustomReferenceValue("http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1");
                wSSecEncrypt.setEncKeyId(securityToken.getSHA1());
            } else if (!isRequestor() && securityToken.getSHA1() != null) {
                // Responder: identify the received EncryptedKey by its SHA-1 instead of re-sending it.
                wSSecEncrypt.setCustomReferenceValue(securityToken.getSHA1());
                wSSecEncrypt.setKeyIdentifierType(10);
            }
            wSSecEncrypt.prepare(encryptionCrypto);
            if (wSSecEncrypt.getBSTTokenId() != null) {
                wSSecEncrypt.prependBSTElementToHeader();
            }
            addAttachmentsForEncryption(z2, wSSecEncrypt.encryptForRef(null, list), wSSecEncrypt.getAttachmentEncryptedDataElements());
            return wSSecEncrypt;
        } catch (WSSecurityException e) {
            // WSS4J failure: logged at FINE, the wrapper is unasserted and null is returned.
            LOG.log(Level.FINE, e.getMessage(), (Throwable) e);
            unassertPolicy(abstractTokenWrapper, e);
            return null;
        }
    }

    /**
     * Places the output of an encryption step (the ReferenceList/EncryptedData element and any
     * attachment EncryptedData elements) into the security header.
     *
     * @param z       {@code true} to insert each element before the bottom-up element (used when
     *                encrypting before signing), {@code false} to add it as a derived-key-style element
     * @param element the main result element; skipped when {@code null}
     * @param list    attachment EncryptedData elements; skipped when {@code null}
     */
    private void addAttachmentsForEncryption(boolean z, Element element, List<Element> list) {
        // Collect in the original order: the main element first, then the attachment elements.
        List<Element> toPlace = new ArrayList<>();
        if (element != null) {
            toPlace.add(element);
        }
        if (list != null) {
            toPlace.addAll(list);
        }
        for (Element el : toPlace) {
            if (z) {
                insertBeforeBottomUp(el);
            } else {
                addDerivedKeyElement(el);
            }
        }
    }

    /**
     * Signs {@code list} with a key derived from the security token's secret through a
     * WS-SecureConversation DerivedKeyToken ({@link WSSecDKSign}).
     * <p>
     * Chooses how the DerivedKeyToken references its base key (STR supplied with the token,
     * SHA-1 key identifier on the responder side, or id reference), picks the reference
     * ValueType from the token type, optionally adds the token itself to the signed parts
     * (ProtectTokens) and computes the signature. Updates {@code bottomUpElement} and
     * {@code mainSigId} so later steps can encrypt or confirm this signature.
     *
     * @param list                 parts to sign; mutated when ProtectTokens is set
     * @param abstractTokenWrapper policy wrapper; its SP version selects the WS-SC version
     * @param abstractToken        policy token, drives the reference and ValueType choice
     * @param securityToken        runtime token holding the secret, ids and references
     * @param z                    whether the token is present in the header (callers' "token included" flag)
     * @return the signature value, or {@code null} if no references could be added to the signature
     * @throws WSSecurityException on WSS4J failure
     */
    private byte[] doSignatureDK(List<WSEncryptionPart> list, AbstractTokenWrapper abstractTokenWrapper, AbstractToken abstractToken, SecurityToken securityToken, boolean z) throws WSSecurityException {
        SOAPPart sOAPPart = this.saaj.getSOAPPart();
        WSSecDKSign wSSecDKSign = new WSSecDKSign(this.secHeader);
        wSSecDKSign.setIdAllocator(this.wssConfig.getIdAllocator());
        wSSecDKSign.setCallbackLookup(this.callbackLookup);
        wSSecDKSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(this.message));
        wSSecDKSign.setStoreBytesInAttachment(this.storeBytesInAttachment);
        wSSecDKSign.setExpandXopInclude(isExpandXopInclude());
        wSSecDKSign.setWsDocInfo(this.wsDocInfo);
        // SP 1.1 policies pair with the older WS-SecureConversation namespace
        // (1 is presumably ConversationConstants.VERSION_05_02 — confirm).
        if (abstractTokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
            wSSecDKSign.setWscVersion(1);
        }
        // Note: this flag is recomputed from the policy's IncludeToken rather than taken from z.
        boolean z2 = false;
        if (isTokenRequired(abstractToken.getIncludeTokenType())) {
            z2 = true;
        }
        Element attachedReference = z2 ? securityToken.getAttachedReference() : securityToken.getUnattachedReference();
        if (attachedReference != null) {
            // Reuse the STR supplied with the token verbatim.
            wSSecDKSign.setExternalKey(securityToken.getSecret(), cloneElement(attachedReference));
        } else if (isRequestor() || abstractToken.getDerivedKeys() != AbstractToken.DerivedKeys.RequireDerivedKeys || securityToken.getSHA1() == null) {
            // Decompiled inversion: this branch is everything except the responder-side
            // "derived keys required and SHA-1 known" case handled in the else below.
            if ((!z2 && !isRequestor()) || (abstractToken instanceof SecureConversationToken) || (abstractToken instanceof SecurityContextToken)) {
                wSSecDKSign.setTokenIdDirectId(true);
            }
            wSSecDKSign.setExternalKey(securityToken.getSecret(), securityToken.getId());
        } else {
            // Responder with derived keys: identify the received key by its SHA-1
            // (Kerberos AP-REQ SHA-1 or EncryptedKeySHA1) instead of re-sending it.
            SecurityTokenReference securityTokenReference = new SecurityTokenReference(sOAPPart);
            if (securityToken.getSHA1() != null) {
                String tokenType = securityToken.getTokenType();
                if (abstractToken instanceof KerberosToken) {
                    securityTokenReference.setKeyIdentifier("http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1", securityToken.getSHA1(), true);
                    if (tokenType == null) {
                        tokenType = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
                    }
                } else {
                    securityTokenReference.setKeyIdentifierEncKeySHA1(securityToken.getSHA1());
                    if (tokenType == null) {
                        tokenType = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
                    }
                }
                securityTokenReference.addTokenType(tokenType);
            }
            wSSecDKSign.setExternalKey(securityToken.getSecret(), securityTokenReference.getElement());
        }
        // Algorithms and derived-key length (bits -> bytes) come from the policy's AlgorithmSuite.
        wSSecDKSign.setSignatureAlgorithm(this.sbinding.getAlgorithmSuite().getSymmetricSignature());
        wSSecDKSign.setSigCanonicalization(this.sbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuite.AlgorithmSuiteType algorithmSuiteType = this.sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        wSSecDKSign.setDigestAlgorithm(algorithmSuiteType.getDigest());
        wSSecDKSign.setDerivedKeyLength(algorithmSuiteType.getSignatureDerivedKeyLength() / 8);
        // InclusiveNamespaces PrefixList is on unless the message/context property disables it.
        wSSecDKSign.setAddInclusivePrefixes(MessageUtils.getContextualBoolean(this.message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true));
        // ValueType of the reference: EncryptedKey (default when a SHA-1 is known), SAML 1.1/2.0,
        // UsernameToken, or whatever the token advertises.
        if (securityToken.getSHA1() != null) {
            String tokenType2 = securityToken.getTokenType();
            if (tokenType2 == null) {
                tokenType2 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
            }
            wSSecDKSign.setCustomValueType(tokenType2);
        } else {
            String tokenType3 = securityToken.getTokenType();
            if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".equals(tokenType3) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType3)) {
                // 12 is presumably WSConstants.CUSTOM_KEY_IDENTIFIER — confirm against the WSS4J version in use.
                wSSecDKSign.setKeyIdentifierType(12);
                wSSecDKSign.setCustomValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID");
            } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".equals(tokenType3) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType3)) {
                wSSecDKSign.setKeyIdentifierType(12);
                wSSecDKSign.setCustomValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID");
            } else if (abstractToken instanceof UsernameToken) {
                wSSecDKSign.setCustomValueType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
            } else {
                wSSecDKSign.setCustomValueType(tokenType3);
            }
        }
        wSSecDKSign.prepare();
        // ProtectTokens: the token itself is covered by the signature, referenced by its
        // wsu:Id (without a leading '#') when it is in the header, else by its id.
        if (this.sbinding.isProtectTokens()) {
            String id = securityToken.getId();
            if (z) {
                id = securityToken.getWsuId();
                if (id == null) {
                    id = securityToken.getId();
                }
                // NOTE(review): id is still null here if the token has neither a wsu:Id nor an id — confirm that cannot happen.
                if (id.startsWith("#")) {
                    id = id.substring(1);
                }
            }
            list.add(new WSEncryptionPart(id));
            assertPolicy(new QName(this.sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
        }
        wSSecDKSign.getParts().addAll(list);
        List<Reference> addReferencesToSign = wSSecDKSign.addReferencesToSign(list);
        if (addReferencesToSign.isEmpty()) {
            // Nothing resolvable to sign: no DerivedKeyToken or Signature is emitted.
            return null;
        }
        addDerivedKeyElement(wSSecDKSign.getdktElement());
        // Keep header ordering: a signature computed after an earlier bottom-up element is
        // placed relative to that element.
        if (this.bottomUpElement == null) {
            wSSecDKSign.computeSignature(addReferencesToSign, false, null);
        } else {
            wSSecDKSign.computeSignature(addReferencesToSign, true, this.bottomUpElement);
        }
        // Remember the signature so it can be encrypted (EncryptSignature) or confirmed later.
        this.bottomUpElement = wSSecDKSign.getSignatureElement();
        this.mainSigId = wSSecDKSign.getSignatureId();
        return wSSecDKSign.getSignatureValue();
    }

    /**
     * Builds and computes the symmetric signature over {@code list} using the secret carried by
     * {@code securityToken}, and returns the raw signature value.
     *
     * <p>When the token policy requires derived keys the work is delegated to
     * {@code doSignatureDK}. Otherwise a {@code WSSecSignature} is configured with a key
     * identifier type and custom token value type chosen from the kind of {@code abstractToken}
     * (X509, UsernameToken, Kerberos, SAML-by-token-type, or a pre-built SecurityTokenReference),
     * the binding's algorithm suite is applied, the signature is prepared against the crypto
     * selected for the binding, and the references are signed, chaining onto
     * {@code this.bottomUpElement} when one already exists.
     *
     * <p>Side effects: may append a {@code WSEncryptionPart} for the token itself to {@code list}
     * (only when ProtectTokens is asserted and {@code z} is true); stores the selected
     * {@code Crypto} in the exchange under {@code SIGNATURE_CRYPTO}; updates
     * {@code this.bottomUpElement} and {@code this.mainSigId}.
     *
     * @param list                the parts/elements to sign; may be extended with the token part
     * @param abstractTokenWrapper the policy wrapper around the signature token (only forwarded to
     *                            {@code doSignatureDK} here)
     * @param abstractToken       the policy token that determines how the key is referenced
     * @param securityToken       the stored token holding the symmetric secret, ids and references
     * @param z                   presumably "token is included in the message" — it selects the
     *                            attached vs. unattached reference, the wsu:Id vs. token id, and the
     *                            direct vs. indirect custom symmetric key identifier type; confirm
     *                            against the caller
     * @return the signature value, or {@code null} if there was nothing to sign
     * @throws WSSecurityException if preparing or computing the signature fails
     */
    private byte[] doSignature(List<WSEncryptionPart> list, AbstractTokenWrapper abstractTokenWrapper, AbstractToken abstractToken, SecurityToken securityToken, boolean z) throws WSSecurityException {
        if (abstractToken.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys) {
            return doSignatureDK(list, abstractTokenWrapper, abstractToken, securityToken, z);
        }
        WSSecSignature wSSecSignature = new WSSecSignature(this.secHeader);
        wSSecSignature.setIdAllocator(this.wssConfig.getIdAllocator());
        wSSecSignature.setCallbackLookup(this.callbackLookup);
        wSSecSignature.setAttachmentCallbackHandler(new AttachmentCallbackHandler(this.message));
        wSSecSignature.setStoreBytesInAttachment(this.storeBytesInAttachment);
        wSSecSignature.setExpandXopInclude(isExpandXopInclude());
        wSSecSignature.setWsDocInfo(this.wsDocInfo);
        // Key identifier type for the common case. The literals here and below (9, 10, 11, 12)
        // look like WSConstants.CUSTOM_SYMM_SIGNING / ENCRYPTED_KEY_SHA1_IDENTIFIER /
        // CUSTOM_SYMM_SIGNING_DIRECT / CUSTOM_KEY_IDENTIFIER — confirm against the WSS4J version in use.
        int i = z ? 9 : 11;
        String id = securityToken.getId();
        if (abstractToken instanceof X509Token) {
            if (isRequestor()) {
                // Requestor side: reference the EncryptedKey we created ourselves.
                wSSecSignature.setCustomTokenValueType("http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey");
                wSSecSignature.setKeyIdentifierType(i);
            } else {
                // Responder side: reference the received EncryptedKey by its SHA-1.
                wSSecSignature.setEncrKeySha1value(securityToken.getSHA1());
                wSSecSignature.setKeyIdentifierType(10);
            }
        } else if (abstractToken instanceof UsernameToken) {
            wSSecSignature.setCustomTokenValueType("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken");
            wSSecSignature.setKeyIdentifierType(i);
        } else if (!(abstractToken instanceof KerberosToken)) {
            // Any other token kind (SCT, SAML, ...): prefer a reference element already stored on
            // the token; otherwise derive the value type from the token type URI.
            Element attachedReference = z ? securityToken.getAttachedReference() : securityToken.getUnattachedReference();
            if (attachedReference != null) {
                wSSecSignature.setSecurityTokenReference(new SecurityTokenReference(cloneElement(attachedReference), new BSPEnforcer()));
                wSSecSignature.setKeyIdentifierType(12);
            } else {
                String tokenType = securityToken.getTokenType();
                if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".equals(tokenType) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType)) {
                    wSSecSignature.setCustomTokenValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID");
                    wSSecSignature.setKeyIdentifierType(12);
                } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".equals(tokenType) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType)) {
                    wSSecSignature.setCustomTokenValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID");
                    wSSecSignature.setKeyIdentifierType(12);
                } else {
                    wSSecSignature.setCustomTokenValueType(tokenType);
                    wSSecSignature.setKeyIdentifierType(i);
                }
            }
        } else if (isRequestor()) {
            // Kerberos, requestor side: the token type URI is used verbatim.
            wSSecSignature.setCustomTokenValueType(securityToken.getTokenType());
            wSSecSignature.setKeyIdentifierType(i);
        } else {
            // Kerberos, responder side: reference the AP-REQ by SHA-1; the SHA-1 becomes the token id.
            wSSecSignature.setCustomTokenValueType("http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1");
            wSSecSignature.setKeyIdentifierType(12);
            id = securityToken.getSHA1();
        }
        if (z) {
            // Included token: prefer its wsu:Id; fall back to the token id, switching SCT-style
            // tokens to a direct reference. Strip a leading '#' so the id is a bare wsu:Id.
            // NOTE(review): a null id from both getWsuId() and getId() would NPE on startsWith — confirm
            // SecurityToken guarantees a non-null id.
            id = securityToken.getWsuId();
            if (id == null) {
                if ((abstractToken instanceof SecureConversationToken) || (abstractToken instanceof SecurityContextToken)) {
                    wSSecSignature.setKeyIdentifierType(11);
                }
                id = securityToken.getId();
            }
            if (id.startsWith("#")) {
                id = id.substring(1);
            }
        }
        if (this.sbinding.isProtectTokens()) {
            assertPolicy(new QName(this.sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
            // ProtectTokens: the token element itself is added to the signed parts (mutates the caller's list).
            if (z) {
                list.add(new WSEncryptionPart(id));
            }
        }
        wSSecSignature.setCustomTokenId(id);
        wSSecSignature.setSecretKey(securityToken.getSecret());
        wSSecSignature.setSignatureAlgorithm(this.sbinding.getAlgorithmSuite().getSymmetricSignature());
        wSSecSignature.setAddInclusivePrefixes(MessageUtils.getContextualBoolean(this.message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true));
        wSSecSignature.setDigestAlgo(this.sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest());
        wSSecSignature.setSigCanonicalization(this.sbinding.getAlgorithmSuite().getC14n().getValue());
        // With a ProtectionToken the same crypto serves both signature and encryption.
        Crypto encryptionCrypto = this.sbinding.getProtectionToken() != null ? getEncryptionCrypto() : getSignatureCrypto();
        this.message.getExchange().put(org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_CRYPTO, encryptionCrypto);
        wSSecSignature.prepare(encryptionCrypto);
        wSSecSignature.getParts().addAll(list);
        List<Reference> addReferencesToSign = wSSecSignature.addReferencesToSign(list);
        if (addReferencesToSign.isEmpty()) {
            return null;
        }
        // Chain this signature after any previously produced header element.
        if (this.bottomUpElement == null) {
            wSSecSignature.computeSignature(addReferencesToSign, false, null);
        } else {
            wSSecSignature.computeSignature(addReferencesToSign, true, this.bottomUpElement);
        }
        this.bottomUpElement = wSSecSignature.getSignatureElement();
        this.mainSigId = wSSecSignature.getId();
        return wSSecSignature.getSignatureValue();
    }

    /**
     * Creates an EncryptedKey for {@code abstractToken}, registers the resulting ephemeral key in
     * the token store, and returns the EncryptedKey id.
     *
     * <p>The token is stored twice: under its id and under the SHA-1 of the encrypted key, so that a
     * later reference by either form resolves to the same secret. If a BinarySecurityToken was
     * produced for the certificate it is prepended to the security header.
     *
     * @param abstractTokenWrapper the policy wrapper to assert once the key is built
     * @param abstractToken        the token policy driving the EncryptedKey construction
     * @return the id of the EncryptedKey element
     * @throws WSSecurityException if building the EncryptedKey fails
     */
    private String setupEncryptedKey(AbstractTokenWrapper abstractTokenWrapper, AbstractToken abstractToken) throws WSSecurityException {
        WSSecEncryptedKey builder = getEncryptedKeyBuilder(abstractToken);
        assertTokenWrapper(abstractTokenWrapper);

        String encryptedKeyId = builder.getId();
        byte[] secret = builder.getEphemeralKey();
        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(this.message) / 1000);

        SecurityToken token = new SecurityToken(encryptedKeyId, builder.getEncryptedKeyElement(), created, expires);
        token.setSecret(secret);
        // NOTE(review): getSHA1 returns null when digesting fails; the second add() then keys on null.
        token.setSHA1(getSHA1(builder.getEncryptedEphemeralKey()));
        this.tokenStore.add(token);
        this.tokenStore.add(token.getSHA1(), token);

        String bstId = builder.getBSTTokenId();
        if (bstId != null && !bstId.isEmpty()) {
            builder.prependBSTElementToHeader();
        }
        return encryptedKeyId;
    }

    /**
     * Returns the digest of {@code bArr} as a Base64-style string (via {@code XMLUtils}).
     *
     * <p>A digest failure is swallowed and reported as {@code null}; callers that use the result as
     * a token-store key should be prepared for that.
     *
     * @param bArr the bytes to digest
     * @return the encoded digest, or {@code null} if digesting failed
     */
    private static String getSHA1(byte[] bArr) {
        try {
            byte[] digest = KeyUtils.generateDigest(bArr);
            return XMLUtils.encodeToString(digest);
        } catch (WSSecurityException ignored) {
            // Best-effort: a missing SHA-1 is tolerated here (the caller may still store by id).
            return null;
        }
    }

    /**
     * Adds a derived-key UsernameToken to the header, registers its derived key in the token store
     * and returns the token id.
     *
     * @param usernameToken the UsernameToken policy
     * @return the id of the UsernameToken element
     * @throws WSSecurityException if the token cannot be built
     */
    private String setupUTDerivedKey(UsernameToken usernameToken) throws WSSecurityException {
        WSSecUsernameToken utBuilder = addDKUsernameToken(usernameToken, hasSignedPartsOrElements());
        String utId = utBuilder.getId();

        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(this.message) / 1000);
        SecurityToken token = new SecurityToken(utId, utBuilder.getUsernameTokenElement(), created, expires);
        token.setSecret(utBuilder.getDerivedKey());

        this.tokenStore.add(token);
        return utId;
    }

    /**
     * Turns the EncryptedKey result of the inbound message (if any) into a {@link SecurityToken}
     * carrying the decrypted secret and the SHA-1 of the encrypted ephemeral key.
     *
     * @return the token, or {@code null} if no EncryptedKey result is available
     */
    private SecurityToken getEncryptedKey() {
        WSSecurityEngineResult result = getEncryptedKeyResult();
        if (result == null) {
            return null;
        }
        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(this.message) / 1000);

        SecurityToken token = new SecurityToken((String) result.get("id"), created, expires);
        token.setSecret((byte[]) result.get(WSSecurityEngineResult.TAG_SECRET));
        token.setSHA1(getSHA1((byte[]) result.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
        return token;
    }

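    /**
     * Looks up the first inbound UsernameToken-without-password result and wraps its derived secret
     * in a {@link SecurityToken}.
     *
     * <p>Replaces the raw {@code Iterator} with a typed loop and tolerates a missing
     * {@code RECV_RESULTS} entry (returns {@code null} instead of throwing an NPE).
     *
     * @return the token for the first matching result, or {@code null} if there is none
     * @throws WSSecurityException declared for API compatibility with callers
     */
    private SecurityToken getUTDerivedKey() throws WSSecurityException {
        List<WSHandlerResult> results = CastUtils.cast(
            (List<?>) this.message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
        if (results == null) {
            return null;
        }
        for (WSHandlerResult handlerResult : results) {
            // 8192 (0x2000) is the action code for a UsernameToken processed without a password —
            // presumably WSConstants.UT_NOPASSWORD; confirm against the WSS4J version in use.
            List<WSSecurityEngineResult> utResults = handlerResult.getActionResults().get(8192);
            if (utResults == null || utResults.isEmpty()) {
                continue;
            }
            WSSecurityEngineResult utResult = utResults.get(0);
            String utId = (String) utResult.get(WSSecurityEngineResult.TAG_ID);
            if (utId == null || utId.isEmpty()) {
                // The inbound token carried no id; allocate one so the stored token is addressable.
                utId = this.wssConfig.getIdAllocator().createId("UsernameToken-", null);
            }
            Instant created = Instant.now();
            Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(this.message) / 1000);
            SecurityToken token = new SecurityToken(utId, created, expires);
            token.setSecret((byte[]) utResult.get(WSSecurityEngineResult.TAG_SECRET));
            return token;
        }
        return null;
    }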

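    /**
     * Reports whether the effective policy asserts SignedParts or SignedElements, i.e. whether
     * there is anything to sign.
     *
     * @return {@code true} if either assertion is present in {@code this.aim}
     */
    private boolean hasSignedPartsOrElements() {
        return PolicyUtils.getFirstAssertionByLocalname(this.aim, SPConstants.SIGNED_PARTS) != null
            || PolicyUtils.getFirstAssertionByLocalname(this.aim, SPConstants.SIGNED_ELEMENTS) != null;
    }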
}
