package org.apache.cxf.ws.security.wss4j.policyhandlers;

import java.io.IOException;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.bean.KeyInfoBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.Attachments;
import org.apache.wss4j.policy.model.ContentEncryptedElements;
import org.apache.wss4j.policy.model.EncryptedElements;
import org.apache.wss4j.policy.model.EncryptedParts;
import org.apache.wss4j.policy.model.Header;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.wss4j.policy.model.KeyValueToken;
import org.apache.wss4j.policy.model.Layout;
import org.apache.wss4j.policy.model.SamlToken;
import org.apache.wss4j.policy.model.SignedElements;
import org.apache.wss4j.policy.model.SignedParts;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.SymmetricBinding;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.Wss10;
import org.apache.wss4j.policy.model.Wss11;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.policy.model.XPath;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.impl.securityToken.KerberosClientSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.OutboundSecurityContext;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.3.1.jar:org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.class */
public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHandler {
    // Set to true by configureTimestamp() when the binding requests a timestamp; read by configureLayout().
    protected boolean timestampAdded;
    // Not written anywhere in the visible part of this class; presumably maintained by subclasses - confirm.
    protected boolean signatureConfirmationAdded;
    // Parts of supporting tokens that are also to be encrypted; filled by the handleSupportingTokens /
    // handleUsernameTokenSupportingToken methods.
    protected Set<SecurePart> encryptedTokensList;
    // The four maps below are assigned only in addSupportingTokens(), and only when the matching
    // assertion is present, so readers must expect null.
    // Result for the EndorsingEncryptedSupportingTokens assertions.
    protected Map<AbstractToken, SecurePart> endEncSuppTokMap;
    // Result for the EndorsingSupportingTokens assertions.
    protected Map<AbstractToken, SecurePart> endSuppTokMap;
    // Result for the SignedEndorsingEncryptedSupportingTokens assertions.
    protected Map<AbstractToken, SecurePart> sgndEndEncSuppTokMap;
    // Result for the SignedEndorsingSupportingTokens assertions.
    protected Map<AbstractToken, SecurePart> sgndEndSuppTokMap;
    // Context in which token providers and the "use this token id for ..." hints are registered.
    protected final OutboundSecurityContext outboundSecurityContext;
    // WSS4J streaming configuration that the add*/configure* methods of this class mutate.
    private final WSSSecurityProperties properties;
    // Policy binding handed to the constructor. configureTimestamp() tolerates null here,
    // configureSignature() does not.
    private AbstractBinding binding;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.3.1.jar:org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler$UTCallbackHandler.class */
    /**
     * Callback handler that supplies one fixed password for one fixed user name.
     *
     * <p>Only {@link WSPasswordCallback} instances are looked at; every other callback type is
     * skipped silently, so {@link UnsupportedCallbackException} is never actually thrown here.
     * The password is set only when the callback's identifier equals the configured user name.
     *
     * <p>Security note: the password is kept as an immutable {@code String} for the lifetime of
     * this handler, so it cannot be wiped from memory after use. Keep instances short-lived and
     * never log them.
     */
    public static class UTCallbackHandler implements CallbackHandler {
        private final String username;
        private final String password;

        /**
         * @param str  user name whose password callbacks are answered
         * @param str2 password handed out for that user
         */
        UTCallbackHandler(String str, String str2) {
            this.username = str;
            this.password = str2;
        }

        /**
         * Answers each matching password callback in {@code callbackArr}.
         *
         * @param callbackArr callbacks raised by the security runtime
         */
        @Override
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbackArr.length; i++) {
                if (!(callbackArr[i] instanceof WSPasswordCallback)) {
                    continue;
                }
                WSPasswordCallback passwordCallback = (WSPasswordCallback) callbackArr[i];
                String requestedUser = passwordCallback.getIdentifier();
                // A request for any other identity gets no password at all.
                if (requestedUser.equals(this.username)) {
                    passwordCallback.setPassword(this.password);
                }
            }
        }
    }

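    /**
     * Creates a handler that translates a policy binding into WSS4J streaming configuration.
     *
     * @param wSSSecurityProperties   configuration object that this handler fills in
     * @param soapMessage             message being secured; passed on to the superclass
     * @param abstractBinding         policy binding to apply; other methods in this class check it for null
     * @param outboundSecurityContext context in which token providers are registered
     */
    public AbstractStaxBindingHandler(WSSSecurityProperties wSSSecurityProperties, SoapMessage soapMessage, AbstractBinding abstractBinding, OutboundSecurityContext outboundSecurityContext) {
        super(soapMessage);
        // Diamond instead of the raw HashSet, so the element type is checked at compile time.
        this.encryptedTokensList = new HashSet<>();
        this.properties = wSSSecurityProperties;
        this.binding = abstractBinding;
        this.outboundSecurityContext = outboundSecurityContext;
    }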

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Configures the outbound message to carry a UsernameToken as the policy describes it.
     *
     * <p>Security note: any policy password type other than {@code HashPassword} or
     * {@code NoPassword} ends up as {@code PASSWORD_TEXT}, i.e. the password is placed in the token
     * as-is. Confidentiality then depends on the token being encrypted (see
     * handleUsernameTokenSupportingToken) or on a protected transport.
     *
     * @param usernameToken the policy assertion to honour
     * @return the part describing the UsernameToken element, or {@code null} when the token's
     *         inclusion type says it is not required
     */
    public SecurePart addUsernameToken(UsernameToken usernameToken) {
        assertToken(usernameToken);
        if (!isTokenRequired(usernameToken.getIncludeTokenType())) {
            return null;
        }
        this.properties.addAction(WSSConstants.USERNAMETOKEN);

        // Map the policy's password type onto the WSS4J one; plain text is the fallback.
        UsernameToken.PasswordType policyType = usernameToken.getPasswordType();
        WSSConstants.UsernameTokenPasswordType wireType;
        if (policyType == UsernameToken.PasswordType.HashPassword) {
            wireType = WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST;
        } else if (policyType == UsernameToken.PasswordType.NoPassword) {
            wireType = WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
        } else {
            wireType = WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT;
        }
        this.properties.setUsernameTokenPasswordType(wireType);

        if (usernameToken.isNonce()) {
            this.properties.setAddUsernameTokenNonce(true);
        }
        if (usernameToken.isCreated()) {
            this.properties.setAddUsernameTokenCreated(true);
        }

        // An explicitly configured callback handler wins; the PASSWORD property is only consulted
        // when none is set.
        if (this.properties.getCallbackHandler() == null) {
            String configuredPassword = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.PASSWORD, this.message);
            if (configuredPassword != null) {
                String configuredUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, this.message);
                this.properties.setCallbackHandler(new UTCallbackHandler(configuredUser, configuredPassword));
            }
        }
        return new SecurePart(WSSConstants.TAG_WSSE_USERNAME_TOKEN, SecurePart.Modifier.Element);
    }

    /* JADX INFO: Access modifiers changed from: protected */
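    /**
     * Registers the current Kerberos security token with the outbound context and adds the
     * Kerberos action.
     *
     * <p>When no security token is available the policy is un-asserted and {@code null} is
     * returned. Previously the code carried on and dereferenced the missing token whenever
     * {@code unassertPolicy} returned normally. Returning {@code null} matches what
     * {@code addSamlToken} does when its prerequisite is missing.
     *
     * @param kerberosToken the policy assertion to honour
     * @param z             not read by this method
     * @param z2            when true, this token is also nominated as the signature token
     * @param z3            when true, this token is also nominated as the encryption token
     * @return the part describing the BinarySecurityToken element, or {@code null} when the token
     *         is not required or no security token could be found
     * @throws WSSecurityException declared for callers; not thrown directly by the visible code
     */
    public SecurePart addKerberosToken(KerberosToken kerberosToken, boolean z, boolean z2, boolean z3) throws WSSecurityException {
        assertToken(kerberosToken);
        if (!isTokenRequired(kerberosToken.getIncludeTokenType())) {
            return null;
        }
        final SecurityToken securityToken = getSecurityToken();
        if (securityToken == null) {
            unassertPolicy(kerberosToken, "Could not find KerberosToken");
            // Nothing to register without a token; stop here rather than hit a NullPointerException below.
            return null;
        }

        // The ticket is carried as encoded text inside the token element, if there is one.
        byte[] ticketBytes = null;
        if (securityToken.getToken() != null) {
            String encodedTicket = XMLUtils.getElementText(securityToken.getToken());
            if (encodedTicket != null) {
                ticketBytes = org.apache.xml.security.utils.XMLUtils.decode(encodedTicket);
            }
        }

        final KerberosClientSecurityToken kerberosClientSecurityToken = new KerberosClientSecurityToken(ticketBytes, securityToken.getKey(), securityToken.getId()) {
            @Override
            public Key getSecretKey(String str) throws XMLSecurityException {
                // Without a raw secret or an algorithm URI, fall back to the token's own key.
                if (securityToken.getSecret() == null || str == null || "".equals(str)) {
                    return securityToken.getKey();
                }
                return KeyUtils.prepareSecretKey(str, securityToken.getSecret());
            }
        };
        kerberosClientSecurityToken.setSha1Identifier(securityToken.getSHA1());

        SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider = new SecurityTokenProvider<OutboundSecurityToken>() {
            @Override
            public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
                return kerberosClientSecurityToken;
            }

            @Override
            public String getId() {
                return kerberosClientSecurityToken.getId();
            }
        };
        this.outboundSecurityContext.registerSecurityTokenProvider(securityTokenProvider.getId(), securityTokenProvider);
        this.outboundSecurityContext.put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS, securityTokenProvider.getId());
        if (z3) {
            this.outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, securityTokenProvider.getId());
        }
        if (z2) {
            this.outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, securityTokenProvider.getId());
        }
        this.properties.addAction(WSSConstants.KERBEROS_TOKEN);

        SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN, SecurePart.Modifier.Element);
        securePart.setIdToSign(kerberosClientSecurityToken.getId());
        return securePart;
    }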

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Configures the outbound message to carry a SAML assertion produced by the configured SAML
     * callback handler.
     *
     * <p>The signed SAML action is chosen when either flag is true, otherwise the unsigned one.
     * Any exception raised inside the method, including one from un-asserting the policy, is
     * rethrown as a {@link WSSecurityException} with error code {@code FAILURE}.
     *
     * @param samlToken the policy assertion to honour
     * @param z         first of the two flags that select the signed SAML action
     * @param z2        second of the two flags that select the signed SAML action
     * @return the part describing the assertion element (SAML 1.1 or 2.0, depending on the policy
     *         token type), or {@code null} when the token is not required or no SAML callback
     *         handler is available
     * @throws WSSecurityException wrapping any failure
     */
    public SecurePart addSamlToken(SamlToken samlToken, boolean z, boolean z2) throws WSSecurityException {
        assertToken(samlToken);
        if (!isTokenRequired(samlToken.getIncludeTokenType())) {
            return null;
        }
        try {
            Object configuredHandler = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_CALLBACK_HANDLER, this.message);
            CallbackHandler samlHandler = SecurityUtils.getCallbackHandler(configuredHandler);
            if (samlHandler == null) {
                unassertPolicy(samlToken, "No SAML CallbackHandler available");
                return null;
            }
            this.properties.setSamlCallbackHandler(samlHandler);

            XMLSecurityConstants.Action samlAction = (z || z2) ? WSSConstants.SAML_TOKEN_SIGNED : WSSConstants.SAML_TOKEN_UNSIGNED;
            this.properties.addAction(samlAction);

            // Only the two SAML 1.1 policy token types map to the SAML 1.1 element name.
            SamlToken.SamlTokenType policyType = samlToken.getSamlTokenType();
            boolean saml11 = policyType == SamlToken.SamlTokenType.WssSamlV11Token10
                || policyType == SamlToken.SamlTokenType.WssSamlV11Token11;
            QName assertionName = saml11 ? WSSConstants.TAG_SAML_ASSERTION : WSSConstants.TAG_SAML2_ASSERTION;
            return new SecurePart(assertionName, SecurePart.Modifier.Element);
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Configures the outbound message to carry a token that was issued beforehand.
     *
     * <p>The token counts as SAML only when its element is named {@code Assertion} in the SAML 1.0
     * or SAML 2.0 assertion namespace. Anything else is treated as a custom token: the custom
     * token action is added on the requestor side only, and {@code null} is returned.
     *
     * <p>NOTE(review): {@code securityToken} is dereferenced without a null check, while the
     * visible caller passes the result of {@code getSecurityToken()}, which
     * {@code addKerberosToken} treats as possibly null. Confirm that a missing token cannot reach
     * this method.
     *
     * @param abstractToken the policy assertion to honour
     * @param securityToken the issued token
     * @param z             when true (or when {@code z2} is true), a subject carrying the token's
     *                      certificate and secret is handed to the SAML callback
     * @param z2            when true, the signed SAML action is used instead of the unsigned one
     * @return the part describing the assertion element, or {@code null} when the token is not
     *         required or is not a SAML assertion
     */
    public SecurePart addIssuedToken(AbstractToken abstractToken, SecurityToken securityToken, boolean z, boolean z2) {
        assertToken(abstractToken);
        if (!isTokenRequired(abstractToken.getIncludeTokenType())) {
            return null;
        }
        final Element token = securityToken.getToken();
        boolean samlAssertion = token != null
            && "Assertion".equals(token.getLocalName())
            && ("urn:oasis:names:tc:SAML:1.0:assertion".equals(token.getNamespaceURI())
                || "urn:oasis:names:tc:SAML:2.0:assertion".equals(token.getNamespaceURI()));
        if (!samlAssertion) {
            if (isRequestor()) {
                this.properties.addAction(WSSConstants.CUSTOM_TOKEN);
            }
            return null;
        }

        XMLSecurityConstants.Action samlAction = z2 ? WSSConstants.SAML_TOKEN_SIGNED : WSSConstants.SAML_TOKEN_UNSIGNED;
        this.properties.addAction(samlAction);

        // The key material goes into the subject only for signed or endorsing use.
        final SubjectBean subject;
        if (z || z2) {
            KeyInfoBean keyInfo = new KeyInfoBean();
            keyInfo.setCertificate(securityToken.getX509Certificate());
            keyInfo.setEphemeralKey(securityToken.getSecret());
            subject = new SubjectBean("", "", "");
            subject.setKeyInfo(keyInfo);
        } else {
            subject = null;
        }

        // The callback hands WSS4J the already-issued assertion instead of building a new one.
        this.properties.setSamlCallbackHandler(new CallbackHandler() {
            @Override
            public void handle(Callback[] callbackArr) {
                for (Callback callback : callbackArr) {
                    if (!(callback instanceof SAMLCallback)) {
                        continue;
                    }
                    SAMLCallback samlCallback = (SAMLCallback) callback;
                    samlCallback.setAssertionElement(token);
                    samlCallback.setSubject(subject);
                    if ("urn:oasis:names:tc:SAML:1.0:assertion".equals(token.getNamespaceURI())) {
                        samlCallback.setSamlVersion(Version.SAML_11);
                    } else {
                        samlCallback.setSamlVersion(Version.SAML_20);
                    }
                }
            }
        });

        QName assertionName = "urn:oasis:names:tc:SAML:1.0:assertion".equals(token.getNamespaceURI())
            ? WSSConstants.TAG_SAML_ASSERTION
            : WSSConstants.TAG_SAML2_ASSERTION;
        return new SecurePart(assertionName, SecurePart.Modifier.Element);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Wraps a CXF security token as a WSS4J outbound token, registers it with the outbound
     * security context and nominates it for encryption, for signature and as the custom token.
     *
     * @param abstractToken policy token; decides whether the attached or the unattached reference
     *                      is used, and whether a custom reference is set at all
     * @param securityToken token to register; dereferenced without a null check
     */
    public void storeSecurityToken(AbstractToken abstractToken, SecurityToken securityToken) {
        // Default classification; refined below from the prefix of the token type URI.
        SecurityTokenConstants.TokenType tokenType = WSSecurityTokenConstants.EncryptedKeyToken;
        if (securityToken.getTokenType() != null) {
            if (securityToken.getTokenType().startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)) {
                tokenType = WSSecurityTokenConstants.KERBEROS_TOKEN;
            // NOTE(review): the token-profile-1.1 prefix also matches the "#SAMLV2.0" token type URI,
            // so a SAML 2.0 token is recorded as SAML_11_TOKEN here - confirm that this is intended.
            } else if (securityToken.getTokenType().startsWith("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0") || securityToken.getTokenType().startsWith("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1")) {
                tokenType = WSSecurityTokenConstants.SAML_11_TOKEN;
            } else if (securityToken.getTokenType().startsWith("http://schemas.xmlsoap.org/ws/2005/02/sc") || securityToken.getTokenType().startsWith("http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512")) {
                tokenType = WSSecurityTokenConstants.SECURE_CONVERSATION_TOKEN;
            }
        }
        final Key key = securityToken.getKey();
        final byte[] secret = securityToken.getSecret();
        // Always a one-element array; the element stays null when the token has no certificate.
        X509Certificate[] x509CertificateArr = new X509Certificate[1];
        if (securityToken.getX509Certificate() != null) {
            x509CertificateArr[0] = securityToken.getX509Certificate();
        }
        final GenericOutboundSecurityToken genericOutboundSecurityToken = new GenericOutboundSecurityToken(securityToken.getId(), tokenType, key, x509CertificateArr) { // from class: org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractStaxBindingHandler.4
            // Key selection, in priority order:
            //   1. raw secret plus a non-empty algorithm URI: key prepared from the secret for that algorithm;
            //   2. the token's own Key object;
            //   3. no secret either: whatever the superclass returns;
            //   4. raw secret only: SecretKeySpec over the secret.
            @Override // org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken, org.apache.xml.security.stax.securityToken.OutboundSecurityToken
            public Key getSecretKey(String str) throws XMLSecurityException {
                if (secret != null && str != null && !"".equals(str)) {
                    return KeyUtils.prepareSecretKey(str, secret);
                }
                if (key != null) {
                    return key;
                }
                if (secret == null) {
                    return super.getSecretKey(str);
                }
                // Reached only with a secret and a null or empty algorithm URI, so the lookup below is
                // made with that null/empty value. Security note: whenever it yields nothing, the key
                // is labelled "HmacSHA1" regardless of the algorithm suite in the policy.
                String jCEKeyAlgorithmFromURI = JCEMapper.getJCEKeyAlgorithmFromURI(str);
                if (jCEKeyAlgorithmFromURI == null || "".equals(jCEKeyAlgorithmFromURI)) {
                    jCEKeyAlgorithmFromURI = "HmacSHA1";
                }
                return new SecretKeySpec(secret, jCEKeyAlgorithmFromURI);
            }
        };
        // Attached reference when the token itself is included in the message, unattached otherwise.
        Element attachedReference = isTokenRequired(abstractToken.getIncludeTokenType()) ? securityToken.getAttachedReference() : securityToken.getUnattachedReference();
        // A custom reference is only applied for IssuedToken policies.
        if (attachedReference != null && (abstractToken instanceof IssuedToken)) {
            genericOutboundSecurityToken.setCustomTokenReference(attachedReference);
        }
        SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider = new SecurityTokenProvider<OutboundSecurityToken>() { // from class: org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractStaxBindingHandler.5
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // org.apache.xml.security.stax.securityToken.SecurityTokenProvider
            public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
                return genericOutboundSecurityToken;
            }

            @Override // org.apache.xml.security.stax.securityToken.SecurityTokenProvider
            public String getId() {
                return genericOutboundSecurityToken.getId();
            }
        };
        genericOutboundSecurityToken.setSha1Identifier(securityToken.getSHA1());
        this.outboundSecurityContext.registerSecurityTokenProvider(securityTokenProvider.getId(), securityTokenProvider);
        // All three hints are set unconditionally, replacing any token nominated earlier under these keys.
        this.outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, securityTokenProvider.getId());
        this.outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, securityTokenProvider.getId());
        this.outboundSecurityContext.put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_CUSTOM_TOKEN, securityTokenProvider.getId());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Records that a timestamp is wanted and asserts the IncludeTimestamp policy, provided a
     * binding is present and asks for one. The timestamp action itself is added later, in
     * configureLayout().
     *
     * @param assertionInfoMap not read by this method
     */
    public void configureTimestamp(AssertionInfoMap assertionInfoMap) {
        boolean timestampRequested = this.binding != null && this.binding.isIncludeTimestamp();
        if (timestampRequested) {
            this.timestampAdded = true;
            String bindingNamespace = this.binding.getName().getNamespaceURI();
            assertPolicy(new QName(bindingNamespace, SPConstants.INCLUDE_TIMESTAMP));
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Asserts the Layout policy, if any, and adds the timestamp action when configureTimestamp()
     * has flagged one.
     *
     * <p>For the {@code LaxTsLast} layout the timestamp action is put at the front of the action
     * list; for every other layout, or none, it is appended.
     *
     * @param assertionInfoMap assertions in which the Layout assertion is looked up
     */
    public void configureLayout(AssertionInfoMap assertionInfoMap) {
        AssertionInfo layoutInfo = PolicyUtils.getFirstAssertionByLocalname(assertionInfoMap, SPConstants.LAYOUT);
        Layout layout = null;
        if (layoutInfo != null) {
            layout = (Layout) layoutInfo.getAssertion();
            layoutInfo.setAsserted(true);
        }
        if (layout != null && layout.getLayoutType() != null) {
            // Also assert the concrete layout type (named after the enum constant).
            assertPolicy(new QName(layout.getName().getNamespaceURI(), layout.getLayoutType().name()));
        }
        if (!this.timestampAdded) {
            return;
        }
        boolean timestampActionFirst = layout != null && layout.getLayoutType() == Layout.LayoutType.LaxTsLast;
        List<XMLSecurityConstants.Action> actions = this.properties.getActions();
        if (timestampActionFirst) {
            actions.add(0, WSSConstants.TIMESTAMP);
        } else {
            actions.add(WSSConstants.TIMESTAMP);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the live WSS4J configuration object, not a copy, so changes made by the caller
     * affect the outbound message.
     *
     * @return the configuration passed to the constructor
     */
    public WSSSecurityProperties getProperties() {
        return properties;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Fills in the signature-related settings from the policy token and the binding's algorithm
     * suite: key identifier, token inclusion, signature/canonicalization/digest algorithms and
     * the signature user.
     *
     * <p>The signature user is taken from the ENCRYPT_USERNAME property for a symmetric binding
     * and from SIGNATURE_USERNAME otherwise, with USERNAME as the fallback. A user already set on
     * the properties is never overwritten.
     *
     * <p>NOTE(review): {@code binding} is dereferenced unconditionally here, whereas
     * configureTimestamp() allows it to be null. Confirm that callers only reach this method with
     * a binding.
     *
     * @param abstractToken token the signature is created with
     * @param z             not read by this method
     * @throws WSSecurityException declared for callers; not thrown directly by the visible code
     */
    public void configureSignature(AbstractToken abstractToken, boolean z) throws WSSecurityException {
        if (abstractToken instanceof X509Token) {
            X509Token.TokenType x509Type = ((X509Token) abstractToken).getTokenType();
            // The PKI-path token types carry a chain, so "single certificate" is switched off.
            if (x509Type == X509Token.TokenType.WssX509PkiPathV1Token10 || x509Type == X509Token.TokenType.WssX509PkiPathV1Token11) {
                this.properties.setUseSingleCert(false);
            }
        }
        this.properties.setSignatureKeyIdentifier(getKeyIdentifierType(abstractToken));

        // The token is embedded only for a required X.509 token referenced by issuer/serial,
        // thumbprint or direct reference.
        this.properties.setIncludeSignatureToken(false);
        for (SecurityTokenConstants.KeyIdentifier candidate : this.properties.getSignatureKeyIdentifiers()) {
            if (!(abstractToken instanceof X509Token) || !isTokenRequired(abstractToken.getIncludeTokenType())) {
                continue;
            }
            if (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(candidate)
                || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(candidate)
                || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(candidate)) {
                this.properties.setIncludeSignatureToken(true);
            }
        }

        String userProperty;
        if (this.binding instanceof SymmetricBinding) {
            userProperty = SecurityConstants.ENCRYPT_USERNAME;
            this.properties.setSignatureAlgorithm(this.binding.getAlgorithmSuite().getSymmetricSignature());
        } else {
            userProperty = SecurityConstants.SIGNATURE_USERNAME;
            this.properties.setSignatureAlgorithm(this.binding.getAlgorithmSuite().getAsymmetricSignature());
        }
        this.properties.setSignatureCanonicalizationAlgorithm(this.binding.getAlgorithmSuite().getC14n().getValue());

        String signatureUser = (String) SecurityUtils.getSecurityPropertyValue(userProperty, this.message);
        if (signatureUser == null) {
            signatureUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, this.message);
        }
        if (signatureUser != null && this.properties.getSignatureUser() == null) {
            this.properties.setSignatureUser(signatureUser);
        }

        this.properties.setSignatureDigestAlgorithm(this.binding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest());
        boolean addInclusivePrefixes = MessageUtils.getContextualBoolean(this.message, org.apache.cxf.ws.security.SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
        this.properties.setAddExcC14NInclusivePrefixes(addInclusivePrefixes);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Chooses how the signing/encryption key is referenced in the message.
     *
     * <p>Explicit requirements on the token win: issuer/serial, then key identifier (SKI), then
     * thumbprint for an X.509 token; key value for a KeyValueToken. Otherwise the choice depends
     * on the token inclusion type and, for "never", on the Wss10/Wss11 assertion. If nothing
     * matches, a direct reference to the security token is used.
     *
     * @param abstractToken policy token to reference
     * @return the key identifier to use; never {@code null}
     */
    public SecurityTokenConstants.KeyIdentifier getKeyIdentifierType(AbstractToken abstractToken) {
        if (abstractToken instanceof X509Token) {
            X509Token x509 = (X509Token) abstractToken;
            if (x509.isRequireIssuerSerialReference()) {
                return WSSecurityTokenConstants.KeyIdentifier_IssuerSerial;
            }
            if (x509.isRequireKeyIdentifierReference()) {
                return WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier;
            }
            if (x509.isRequireThumbprintReference()) {
                return WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER;
            }
        } else if (abstractToken instanceof KeyValueToken) {
            return WSSecurityTokenConstants.KeyIdentifier_KeyValue;
        }

        if (abstractToken.getIncludeTokenType() == SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER) {
            // The token is not in the message, so it has to be referenced externally.
            Wss10 wss10 = getWss10();
            if (wss10 == null || wss10.isMustSupportRefKeyIdentifier()) {
                return WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier;
            }
            if (wss10.isMustSupportRefIssuerSerial()) {
                return WSSecurityTokenConstants.KeyIdentifier_IssuerSerial;
            }
            if ((wss10 instanceof Wss11) && ((Wss11) wss10).isMustSupportRefThumbprint()) {
                return WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER;
            }
        } else if (abstractToken.getIncludeTokenType() == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT && !isRequestor() && (abstractToken instanceof X509Token)) {
            // "Always to recipient" on the responding side: issuer/serial is used.
            return WSSecurityTokenConstants.KeyIdentifier_IssuerSerial;
        } else if (abstractToken.getIncludeTokenType() == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR && isRequestor() && (abstractToken instanceof X509Token)) {
            // "Always to initiator" on the requesting side: issuer/serial is used.
            return WSSecurityTokenConstants.KeyIdentifier_IssuerSerial;
        }
        return WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE;
    }

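    /**
     * Processes every SupportingTokens assertion in {@code collection} and collects the resulting
     * parts in one map.
     *
     * <p>Assertions of any other type are skipped and are not marked as asserted. For a null or
     * empty collection the shared immutable empty map is returned, so callers must not add to the
     * result.
     *
     * @param collection assertion infos to process; may be null
     * @param z          passed through to the per-token handling
     * @param z2         passed through to the per-token handling
     * @return map from policy token to the part created for it
     * @throws Exception if handling one of the tokens fails
     */
    protected Map<AbstractToken, SecurePart> handleSupportingTokens(Collection<AssertionInfo> collection, boolean z, boolean z2) throws Exception {
        if (collection == null || collection.isEmpty()) {
            return Collections.emptyMap();
        }
        // Typed map instead of the raw HashMap, so the compiler checks what goes into it.
        Map<AbstractToken, SecurePart> partsByToken = new HashMap<>();
        for (AssertionInfo assertionInfo : collection) {
            if (assertionInfo.getAssertion() instanceof SupportingTokens) {
                assertionInfo.setAsserted(true);
                handleSupportingTokens((SupportingTokens) assertionInfo.getAssertion(), z, z2, partsByToken);
            }
        }
        return partsByToken;
    }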

    /* JADX INFO: Access modifiers changed from: protected */
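    /**
     * Processes one SupportingTokens assertion into a fresh map.
     *
     * @param supportingTokens assertion to process; may be null, which yields an empty map
     * @param z                passed through to the per-token handling
     * @param z2               passed through to the per-token handling
     * @return map from policy token to the part created for it
     * @throws Exception if handling one of the tokens fails
     */
    public Map<AbstractToken, SecurePart> handleSupportingTokens(SupportingTokens supportingTokens, boolean z, boolean z2) throws Exception {
        // Typed map instead of the raw HashMap, so the compiler checks what goes into it.
        Map<AbstractToken, SecurePart> partsByToken = new HashMap<>();
        return handleSupportingTokens(supportingTokens, z, z2, partsByToken);
    }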

    /**
     * Processes each token of one SupportingTokens assertion and records the created parts in
     * {@code map}.
     *
     * <p>Tokens whose inclusion type says they are not required are asserted but otherwise
     * skipped. When the assertion is an encrypted one, each created part is also added to
     * {@code encryptedTokensList}. For X.509 and key-value tokens the part recorded in the map is
     * the signature element, and a BinarySecurityToken part is what gets queued for encryption.
     *
     * @param supportingTokens assertion to process; may be null
     * @param z                passed to the issued, Kerberos and SAML token handling
     * @param z2               passed to the token handling; true is rejected for UsernameTokens
     * @param map              receives the created parts
     * @return {@code map}
     * @throws Exception if handling one of the tokens fails
     */
    protected Map<AbstractToken, SecurePart> handleSupportingTokens(SupportingTokens supportingTokens, boolean z, boolean z2, Map<AbstractToken, SecurePart> map) throws Exception {
        if (supportingTokens == null) {
            return map;
        }
        for (AbstractToken policyToken : supportingTokens.getTokens()) {
            assertToken(policyToken);
            if (!isTokenRequired(policyToken.getIncludeTokenType())) {
                continue;
            }
            if (policyToken instanceof UsernameToken) {
                handleUsernameTokenSupportingToken((UsernameToken) policyToken, z2, supportingTokens.isEncryptedToken(), map);
                continue;
            }

            // Part created by the issued / Kerberos / SAML branches; stays null for the others.
            SecurePart tokenPart = null;
            if (policyToken instanceof IssuedToken) {
                tokenPart = addIssuedToken(policyToken, getSecurityToken(), z, z2);
            } else if (policyToken instanceof KerberosToken) {
                tokenPart = addKerberosToken((KerberosToken) policyToken, z, z2, false);
            } else if ((policyToken instanceof X509Token) || (policyToken instanceof KeyValueToken)) {
                assertToken(policyToken);
                configureSignature(policyToken, false);
                if (supportingTokens.isEncryptedToken()) {
                    this.encryptedTokensList.add(new SecurePart(WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN, SecurePart.Modifier.Element));
                }
                map.put(policyToken, new SecurePart(XMLSecurityConstants.TAG_dsig_Signature, SecurePart.Modifier.Element));
            } else if (policyToken instanceof SamlToken) {
                tokenPart = addSamlToken((SamlToken) policyToken, z, z2);
            }

            if (tokenPart != null) {
                map.put(policyToken, tokenPart);
                if (supportingTokens.isEncryptedToken()) {
                    this.encryptedTokensList.add(tokenPart);
                }
            }
        }
        return map;
    }

    /**
     * Adds a UsernameToken supporting token and decides whether it is encrypted.
     *
     * <p>Security note: the token is queued for encryption when the assertion is an encrypted one
     * or when the ALWAYS_ENCRYPT_UT setting is true, which is its default here. Switching that
     * setting off leaves a plain-text password protected by the transport alone.
     *
     * @param usernameToken the policy assertion to honour
     * @param z             true for an endorsing token, which the streaming code rejects
     * @param z2            true when the enclosing assertion demands encryption
     * @param map           receives the created part
     * @throws Exception when {@code z} is true
     */
    protected void handleUsernameTokenSupportingToken(UsernameToken usernameToken, boolean z, boolean z2, Map<AbstractToken, SecurePart> map) throws Exception {
        if (z) {
            throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
        }
        SecurePart usernamePart = addUsernameToken(usernameToken);
        if (usernamePart == null) {
            return;
        }
        map.put(usernameToken, usernamePart);
        boolean encryptToken = z2 || MessageUtils.getContextualBoolean(this.message, org.apache.cxf.ws.security.SecurityConstants.ALWAYS_ENCRYPT_UT, true);
        if (encryptToken) {
            this.encryptedTokensList.add(usernamePart);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Processes all eight kinds of supporting-token assertion, in a fixed order.
     *
     * <p>The two flags given to handleSupportingTokens are "signed" (true for every Signed*
     * kind) and "endorsing" (true for every *Endorsing* kind). Parts of signed kinds are added to
     * the signature parts. The maps of the four endorsing kinds are kept in fields. Whether a
     * kind is encrypted is not passed as a flag here.
     *
     * @throws Exception if handling one of the tokens fails
     */
    public void addSupportingTokens() throws Exception {
        Collection<AssertionInfo> signed = getAllAssertionsByLocalname(SPConstants.SIGNED_SUPPORTING_TOKENS);
        if (!signed.isEmpty()) {
            Map<AbstractToken, SecurePart> signedParts = handleSupportingTokens(signed, true, false);
            addSignatureParts(signedParts);
        }

        Collection<AssertionInfo> endorsing = getAllAssertionsByLocalname(SPConstants.ENDORSING_SUPPORTING_TOKENS);
        if (!endorsing.isEmpty()) {
            this.endSuppTokMap = handleSupportingTokens(endorsing, false, true);
        }

        Collection<AssertionInfo> signedEndorsing = getAllAssertionsByLocalname(SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
        if (!signedEndorsing.isEmpty()) {
            this.sgndEndSuppTokMap = handleSupportingTokens(signedEndorsing, true, true);
            addSignatureParts(this.sgndEndSuppTokMap);
        }

        Collection<AssertionInfo> signedEncrypted = getAllAssertionsByLocalname(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
        if (!signedEncrypted.isEmpty()) {
            Map<AbstractToken, SecurePart> signedEncryptedParts = handleSupportingTokens(signedEncrypted, true, false);
            addSignatureParts(signedEncryptedParts);
        }

        Collection<AssertionInfo> endorsingEncrypted = getAllAssertionsByLocalname(SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
        if (!endorsingEncrypted.isEmpty()) {
            this.endEncSuppTokMap = handleSupportingTokens(endorsingEncrypted, false, true);
        }

        Collection<AssertionInfo> signedEndorsingEncrypted = getAllAssertionsByLocalname(SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
        if (!signedEndorsingEncrypted.isEmpty()) {
            this.sgndEndEncSuppTokMap = handleSupportingTokens(signedEndorsingEncrypted, true, true);
            addSignatureParts(this.sgndEndEncSuppTokMap);
        }

        // The last two kinds are neither signed nor endorsing; their parts are not kept.
        Collection<AssertionInfo> plain = getAllAssertionsByLocalname(SPConstants.SUPPORTING_TOKENS);
        if (!plain.isEmpty()) {
            handleSupportingTokens(plain, false, false);
        }

        Collection<AssertionInfo> encrypted = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
        if (!encrypted.isEmpty()) {
            handleSupportingTokens(encrypted, false, false);
        }
    }

    /**
     * Registers the secure part of every token in {@code map} as a signature part on the
     * outbound security properties.
     *
     * <p>A part whose name is the SAML 1.x or SAML 2.0 assertion element is skipped when the
     * configured actions contain {@code SAML_TOKEN_SIGNED}; in every other case, including a
     * {@code null} action list, the part is added.
     *
     * <p>NOTE(review): the skip presumably exists because the signed-SAML action signs the
     * assertion itself - confirm that an assertion skipped here is still covered by a signature.
     *
     * @param map token-to-part map, may be {@code null} (then nothing happens)
     */
    protected void addSignatureParts(Map<AbstractToken, SecurePart> map) {
        if (map == null) {
            return;
        }
        for (SecurePart part : map.values()) {
            QName partName = part.getName();
            List<XMLSecurityConstants.Action> configured = this.properties.getActions();

            boolean isSamlAssertion = WSSConstants.TAG_SAML_ASSERTION.equals(partName)
                || WSSConstants.TAG_SAML2_ASSERTION.equals(partName);
            boolean coveredBySamlAction = isSamlAssertion
                && configured != null
                && configured.contains(WSSConstants.SAML_TOKEN_SIGNED);
            if (coveredBySamlAction) {
                continue;
            }
            this.properties.addSignaturePart(part);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Turns on WS-Security 1.1 signature confirmation when the policy asks for it.
     *
     * <p>Nothing happens unless {@code getWss10()} returns a {@code Wss11} whose
     * {@code isRequireSignatureConfirmation()} is true. In that case the requestor enables
     * verification of the confirmation, while the other side adds the
     * {@code SIGNATURE_CONFIRMATION} action. The {@code wsse11:SignatureConfirmation} element
     * is appended to {@code list} when one is supplied, and {@code signatureConfirmationAdded}
     * is set.
     *
     * <p>NOTE(review): unlike the action-reordering methods of this class, the non-requestor
     * branch dereferences {@code getActions()} without a null check - confirm it cannot be
     * null at this point.
     *
     * @param list parts collection to extend with the confirmation element, may be {@code null}
     */
    public void addSignatureConfirmation(List<SecurePart> list) {
        Wss10 wssPolicy = getWss10();
        boolean confirmationRequired = (wssPolicy instanceof Wss11)
            && ((Wss11) wssPolicy).isRequireSignatureConfirmation();
        if (!confirmationRequired) {
            return;
        }

        if (!isRequestor()) {
            this.properties.getActions().add(WSSConstants.SIGNATURE_CONFIRMATION);
        } else {
            this.properties.setEnableSignatureConfirmationVerification(true);
        }

        if (list != null) {
            list.add(new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, SecurePart.Modifier.Element));
        }
        this.signatureConfirmationAdded = true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the list of message parts to sign from the first SignedParts and the first
     * SignedElements assertion of the policy, marking each assertion found as asserted.
     *
     * <p>The list holds, in this order: the SOAP 1.2 Body element (if the assertion covers the
     * body), one entry per declared header, an attachments entry, and one entry per
     * SignedElements XPath.
     *
     * <p>Security-relevant details visible here:
     * <ul>
     *   <li>A header without a name becomes the wildcard local name {@code "*"} in the header's
     *       namespace.</li>
     *   <li>Header and attachment parts are created with {@code setRequired(false)}; the Body
     *       and XPath parts keep the {@code SecurePart} default. NOTE(review): presumably a
     *       non-required part that is missing from the message is ignored silently - confirm
     *       that this is the intended outcome for headers the policy lists.</li>
     *   <li>Each XPath is reduced to the last QName of its element path, so selection is by
     *       element name rather than by full path. NOTE(review): check how WSS4J treats
     *       same-named elements at other locations.</li>
     *   <li>The Body QName uses the SOAP 1.2 envelope namespace literal. NOTE(review): confirm
     *       SOAP 1.1 bodies are matched downstream.</li>
     * </ul>
     *
     * @return a new mutable list, empty when the policy has neither assertion
     * @throws SOAPException declared by the signature; nothing in this body throws it directly
     */
    public List<SecurePart> getSignedParts() throws SOAPException {
        SignedParts partsPolicy = null;
        SignedElements elementsPolicy = null;
        AssertionInfoMap aim = (AssertionInfoMap) this.message.get(AssertionInfoMap.class);

        AssertionInfo partsInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
        if (partsInfo != null) {
            partsPolicy = (SignedParts) partsInfo.getAssertion();
            partsInfo.setAsserted(true);
        }
        AssertionInfo elementsInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
        if (elementsInfo != null) {
            elementsPolicy = (SignedElements) elementsInfo.getAssertion();
            elementsInfo.setAsserted(true);
        }

        List<SecurePart> toSign = new ArrayList<>();

        if (partsPolicy != null) {
            if (partsPolicy.isBody()) {
                QName soapBody = new QName("http://www.w3.org/2003/05/soap-envelope", "Body");
                toSign.add(new SecurePart(soapBody, SecurePart.Modifier.Element));
            }

            for (Header declared : partsPolicy.getHeaders()) {
                String declaredName = declared.getName();
                // No local name in the policy means "every header in this namespace".
                String localName = declaredName != null ? declaredName : "*";
                SecurePart headerPart =
                    new SecurePart(new QName(declared.getNamespace(), localName), SecurePart.Modifier.Element);
                headerPart.setRequired(false);
                toSign.add(headerPart);
            }

            Attachments attachmentPolicy = partsPolicy.getAttachments();
            if (attachmentPolicy != null) {
                // Content-only signing when the policy selects the content signature transform.
                SecurePart.Modifier scope = attachmentPolicy.isContentSignatureTransform()
                    ? SecurePart.Modifier.Content
                    : SecurePart.Modifier.Element;
                SecurePart attachmentPart = new SecurePart("cid:Attachments", scope);
                attachmentPart.setRequired(false);
                toSign.add(attachmentPart);
            }
        }

        if (elementsPolicy != null && elementsPolicy.getXPaths() != null) {
            for (XPath xPath : elementsPolicy.getXPaths()) {
                List<QName> path = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                if (path.isEmpty()) {
                    continue;
                }
                // Only the leaf element name of the path is kept.
                QName leaf = path.get(path.size() - 1);
                toSign.add(new SecurePart(leaf, SecurePart.Modifier.Element));
            }
        }
        return toSign;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the list of message parts to encrypt from the EncryptedParts, EncryptedElements
     * and ContentEncryptedElements assertions of the policy.
     *
     * <p>Every assertion of the three kinds is marked asserted, but only the last one of each
     * kind is used to build the list. NOTE(review): when a policy carries several assertions of
     * one kind, the parts named only by the earlier ones are reported as satisfied without
     * being added here - confirm that this cannot leave data unencrypted.
     *
     * <p>Resulting entries, in order: the SOAP 1.2 Body with the {@code Content} modifier,
     * one {@code Element} entry per declared header (a header without a name becomes the
     * wildcard {@code "*"}), an attachments entry, one {@code Element} entry per
     * EncryptedElements XPath and one {@code Content} entry per ContentEncryptedElements XPath.
     * The attachments entry is {@code Element} unless the contextual property
     * {@code USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM} (default false) is true.
     *
     * <p>Header and attachment parts are created with {@code setRequired(false)}, and each
     * XPath is reduced to the last QName of its element path, so selection is by element name
     * rather than by full path. NOTE(review): confirm both behaviours match what the policy
     * author expects to be encrypted.
     *
     * @return a new mutable list, empty when the policy has none of the three assertions
     * @throws SOAPException declared by the signature; nothing in this body throws it directly
     */
    public List<SecurePart> getEncryptedParts() throws SOAPException {
        EncryptedParts partsPolicy = null;
        EncryptedElements elementsPolicy = null;
        ContentEncryptedElements contentPolicy = null;
        AssertionInfoMap aim = (AssertionInfoMap) this.message.get(AssertionInfoMap.class);

        // In each loop the variable is overwritten, so the last assertion wins.
        Collection<AssertionInfo> partsInfos =
            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
        for (AssertionInfo info : partsInfos) {
            partsPolicy = (EncryptedParts) info.getAssertion();
            info.setAsserted(true);
        }
        Collection<AssertionInfo> elementsInfos =
            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
        for (AssertionInfo info : elementsInfos) {
            elementsPolicy = (EncryptedElements) info.getAssertion();
            info.setAsserted(true);
        }
        Collection<AssertionInfo> contentInfos =
            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
        for (AssertionInfo info : contentInfos) {
            contentPolicy = (ContentEncryptedElements) info.getAssertion();
            info.setAsserted(true);
        }

        List<SecurePart> toEncrypt = new ArrayList<>();

        if (partsPolicy != null) {
            if (partsPolicy.isBody()) {
                QName soapBody = new QName("http://www.w3.org/2003/05/soap-envelope", "Body");
                toEncrypt.add(new SecurePart(soapBody, SecurePart.Modifier.Content));
            }

            for (Header declared : partsPolicy.getHeaders()) {
                String declaredName = declared.getName();
                // No local name in the policy means "every header in this namespace".
                String localName = declaredName != null ? declaredName : "*";
                SecurePart headerPart =
                    new SecurePart(new QName(declared.getNamespace(), localName), SecurePart.Modifier.Element);
                headerPart.setRequired(false);
                toEncrypt.add(headerPart);
            }

            if (partsPolicy.getAttachments() != null) {
                SecurePart attachmentPart = new SecurePart("cid:Attachments", SecurePart.Modifier.Element);
                boolean contentOnly = MessageUtils.getContextualBoolean(
                    this.message,
                    org.apache.cxf.ws.security.SecurityConstants.USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM,
                    false);
                if (contentOnly) {
                    attachmentPart.setModifier(SecurePart.Modifier.Content);
                }
                attachmentPart.setRequired(false);
                toEncrypt.add(attachmentPart);
            }
        }

        if (elementsPolicy != null && elementsPolicy.getXPaths() != null) {
            for (XPath xPath : elementsPolicy.getXPaths()) {
                List<QName> path = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                if (path.isEmpty()) {
                    continue;
                }
                // Only the leaf element name of the path is kept.
                toEncrypt.add(new SecurePart(path.get(path.size() - 1), SecurePart.Modifier.Element));
            }
        }

        if (contentPolicy != null && contentPolicy.getXPaths() != null) {
            for (XPath xPath : contentPolicy.getXPaths()) {
                List<QName> path = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                if (path.isEmpty()) {
                    continue;
                }
                toEncrypt.add(new SecurePart(path.get(path.size() - 1), SecurePart.Modifier.Content));
            }
        }
        return toEncrypt;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the security token of the first inbound security event whose type is
     * {@code event}.
     *
     * <p>The events are read from the exchange under the key
     * {@code SecurityEvent.class.getName() + ".in"}.
     *
     * <p>NOTE(review): the matching event is cast to {@code TokenSecurityEvent} without an
     * {@code instanceof} check, so asking for an event type that is not a token event would
     * end in a {@code ClassCastException} - callers should pass token event types only.
     *
     * @param event the event type to look for, compared by identity
     * @return the token of the first match, or {@code null} when there is no inbound event
     *         list or no event of that type
     * @throws XMLSecurityException declared by the signature (presumably raised by
     *         {@code getSecurityToken()} - confirm)
     */
    public org.apache.xml.security.stax.securityToken.SecurityToken findInboundSecurityToken(SecurityEventConstants.Event event) throws XMLSecurityException {
        @SuppressWarnings("unchecked")
        List<SecurityEvent> inboundEvents =
            (List<SecurityEvent>) this.message.getExchange().get(SecurityEvent.class.getName() + ".in");
        if (inboundEvents != null) {
            for (SecurityEvent candidate : inboundEvents) {
                if (candidate.getSecurityEventType() == event) {
                    return ((TokenSecurityEvent) candidate).getSecurityToken();
                }
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Drops the plain {@code SIGNATURE} action when the action list also contains
     * {@code SAML_TOKEN_SIGNED}.
     *
     * <p>Does nothing when the action list is {@code null} or either action is absent.
     *
     * <p>NOTE(review): after this call the signature parts registered on the properties are
     * presumably signed by the signed-SAML action instead - confirm that nothing scheduled for
     * signing is left without a signature.
     */
    public void removeSignatureIfSignedSAML() {
        List<XMLSecurityConstants.Action> configured = this.properties.getActions();
        if (configured == null) {
            return;
        }
        if (!configured.contains(WSSConstants.SAML_TOKEN_SIGNED)) {
            return;
        }
        if (configured.contains(XMLSecurityConstants.SIGNATURE)) {
            configured.remove(XMLSecurityConstants.SIGNATURE);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Moves the {@code SIGNATURE_CONFIRMATION} action so that it sits directly after the
     * signature action in the action list.
     *
     * <p>The anchor is {@code SIGNATURE} when present, otherwise
     * {@code SIGNATURE_WITH_DERIVED_KEY}. The list is left untouched when it is {@code null},
     * when it has no {@code SIGNATURE_CONFIRMATION}, or when neither anchor is present.
     */
    public void prependSignatureToSC() {
        List<XMLSecurityConstants.Action> configured = this.properties.getActions();
        if (configured == null || !configured.contains(WSSConstants.SIGNATURE_CONFIRMATION)) {
            return;
        }

        final Object anchor;
        if (configured.contains(XMLSecurityConstants.SIGNATURE)) {
            anchor = XMLSecurityConstants.SIGNATURE;
        } else if (configured.contains(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)) {
            anchor = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
        } else {
            return;
        }

        // Remove first: the anchor index must be taken from the list without the confirmation.
        configured.remove(WSSConstants.SIGNATURE_CONFIRMATION);
        configured.add(configured.indexOf(anchor) + 1, WSSConstants.SIGNATURE_CONFIRMATION);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Moves the {@code SAML_TOKEN_SIGNED} action, when present, to the end of the action list.
     *
     * <p>Does nothing when the action list is {@code null} or lacks the action.
     *
     * <p>NOTE(review): the method name suggests the goal is that encryption is scheduled before
     * the signed-SAML action; the code only guarantees "last in the list", so an action
     * appended later would come after it - confirm the call order in the binding handlers.
     */
    public void enforceEncryptBeforeSigningWithSignedSAML() {
        List<XMLSecurityConstants.Action> configured = this.properties.getActions();
        if (configured == null) {
            return;
        }
        // List.remove(Object) reports whether the action was there, so re-append only then.
        if (configured.remove(WSSConstants.SAML_TOKEN_SIGNED)) {
            configured.add(WSSConstants.SAML_TOKEN_SIGNED);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Moves the {@code CUSTOM_TOKEN} action to the end of the action list when the list also
     * contains a signature action ({@code SIGNATURE}, {@code SIGNATURE_WITH_DERIVED_KEY} or
     * {@code SIGNATURE_WITH_KERBEROS_TOKEN}).
     *
     * <p>Does nothing when the action list is {@code null}, has no signature action or has no
     * {@code CUSTOM_TOKEN}.
     *
     * <p>NOTE(review): membership is tested on {@code this.properties} while the list is
     * changed through {@code getProperties()}; presumably both are the same object - confirm.
     */
    public void putCustomTokenAfterSignature() {
        List<XMLSecurityConstants.Action> configured = this.properties.getActions();
        if (configured == null) {
            return;
        }

        boolean hasSignatureAction = configured.contains(XMLSecurityConstants.SIGNATURE)
            || configured.contains(WSSConstants.SIGNATURE_WITH_DERIVED_KEY)
            || configured.contains(WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN);
        if (!hasSignatureAction || !configured.contains(WSSConstants.CUSTOM_TOKEN)) {
            return;
        }

        getProperties().getActions().remove(WSSConstants.CUSTOM_TOKEN);
        getProperties().getActions().add(WSSConstants.CUSTOM_TOKEN);
    }
}
