package com.ibm.rational.ttt.common.cxf.security;

import java.security.KeyException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.PublicKeyPrincipalImpl;
import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.processor.Processor;
import org.apache.wss4j.dom.str.STRParser;
import org.apache.wss4j.dom.str.SignatureSTRParser;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.utils.Constants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:coremdl.jar:com/ibm/rational/ttt/common/cxf/security/SignatureProcessor.class */
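/**
 * WSS4J {@link Processor} for a {@code ds:Signature} header element.
 *
 * <p>The processor resolves the key material referenced by the signature's
 * {@code ds:KeyInfo} (either a {@code wsse:SecurityTokenReference} or a raw
 * {@code ds:KeyValue}), optionally hands that key material to the
 * {@code SIGNATURE} {@link Validator} configured on the {@link RequestData},
 * applies the derived-key checks of a configured {@link AlgorithmSuite}, and
 * records a {@link WSSecurityEngineResult} on the {@link WSDocInfo}.
 *
 * <p>Security note: this class does <em>not</em> verify the XML signature
 * itself. Nothing here unmarshals or validates {@code ds:SignedInfo},
 * {@code ds:Reference} digests or {@code ds:SignatureValue}; the recorded
 * result carries an empty signature value and an empty data-reference list.
 * A result from this processor therefore establishes which key the message
 * <em>claims</em> to be signed with, not that the signed content is intact.
 * Consumers that need integrity guarantees must obtain them elsewhere.
 *
 * <p>Not thread-safe beyond what {@link XMLSignatureFactory} provides; one
 * instance per engine as WSS4J expects.
 */
public class SignatureProcessor implements Processor {
    private static final Logger LOG = LoggerFactory.getLogger(SignatureProcessor.class);

    /** XML Digital Signature namespace, used for the KeyInfo/SignedInfo lookups. */
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** WS-Security 1.0 secext namespace of a SecurityTokenReference. */
    private static final String WSSE_NS =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Parameter key under which the SignatureMethod URI is handed to the STR parser. */
    private static final String STR_PARAM_SIGNATURE_METHOD = "signature_method";

    // Result-map keys. Kept as the literal strings other code reads them by.
    private static final String RESULT_SIGNATURE_METHOD = "signature-method";
    private static final String RESULT_CANONICALIZATION_METHOD = "canonicalization-method";
    private static final String RESULT_ID = "id";
    private static final String RESULT_SECRET = "secret";
    private static final String RESULT_PUBLIC_KEY = "public-key";
    private static final String RESULT_X509_REFERENCE_TYPE = "x509-reference-type";
    private static final String RESULT_TOKEN_ELEMENT = "token-element";
    private static final String RESULT_VALIDATED_TOKEN = "validated-token";
    private static final String RESULT_SUBJECT = "subject";

    // Action codes recorded in the result; these are the numeric values of
    // WSS4J's WSConstants.SIGN and WSConstants.UT_SIGN.
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_UT_SIGN = 64;

    /** Factory used only to unmarshal ds:KeyInfo when a raw ds:KeyValue is present. */
    private XMLSignatureFactory signatureFactory;

    /**
     * Creates the processor, preferring the Apache Santuario DSig provider and
     * falling back to whatever DOM provider the JCA offers.
     */
    public SignatureProcessor() {
        try {
            this.signatureFactory = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException ignored) {
            // Santuario is not registered as a JCA provider in this runtime;
            // the JDK's own DOM implementation is sufficient for KeyInfo unmarshalling.
            this.signatureFactory = XMLSignatureFactory.getInstance("DOM");
        }
    }

    /**
     * Handles one {@code ds:Signature} element.
     *
     * @param element     the {@code ds:Signature} element
     * @param requestData per-request configuration (validators, BSP enforcer, algorithm suite)
     * @param wSDocInfo   document-level state that receives the result and the token element
     * @return a single-element list holding the recorded {@link WSSecurityEngineResult}
     * @throws WSSecurityException if the KeyInfo cannot be resolved, the configured validator
     *                             rejects the credential, a BSP rule is enforced, or the
     *                             algorithm suite rejects a derived key
     */
    @Override // org.apache.wss4j.dom.processor.Processor
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        Element keyInfo = WSSecurityUtil.getDirectChildElement(element, "KeyInfo", DSIG_NS);
        String signatureMethod = getSignatureMethod(element);
        Validator validator = requestData.getValidator(WSSecurityEngine.SIGNATURE);

        X509Certificate[] certs = null;
        Principal principal = null;
        PublicKey publicKey = null;
        byte[] secretKey = null;
        STRParser.REFERENCE_TYPE referenceType = null;
        Credential credential = new Credential();

        if (keyInfo != null) {
            Element keyInfoChild = singleChildElement(keyInfo, requestData);
            // A KeyInfo without any element child (possible when the BSP enforcer is
            // configured to ignore R5402) falls through to the KeyValue path below,
            // which reports it as unsupported instead of dereferencing null.
            if (keyInfoChild != null
                    && "SecurityTokenReference".equals(keyInfoChild.getLocalName())
                    && WSSE_NS.equals(keyInfoChild.getNamespaceURI())) {
                SignatureSTRParser strParser = new SignatureSTRParser();
                Map<String, Object> parserParams = new HashMap<>();
                parserParams.put(STR_PARAM_SIGNATURE_METHOD, signatureMethod);
                strParser.parseSecurityTokenReference(keyInfoChild, requestData, wSDocInfo, parserParams);
                principal = strParser.getPrincipal();
                certs = strParser.getCertificates();
                publicKey = strParser.getPublicKey();
                secretKey = strParser.getSecretKey();
                referenceType = strParser.getCertificatesReferenceType();
                // Credentials the STR parser already trusts (e.g. resolved from a token it
                // verified itself) and purely symmetric references skip the validator.
                boolean hasAsymmetricKey = publicKey != null || certs != null;
                if (!strParser.isTrustedCredential() && hasAsymmetricKey && validator != null) {
                    credential.setPublicKey(publicKey);
                    credential.setCertificates(certs);
                    credential.setPrincipal(principal);
                    credential = validator.validate(credential, requestData);
                }
            } else {
                // Raw ds:KeyValue in KeyInfo violates BSP R5417; the enforcer decides whether
                // that is fatal. The bare public key is not trusted unless the validator says so.
                requestData.getBSPEnforcer().handleBSPRule(BSPRule.R5417);
                publicKey = parseKeyValue(keyInfo);
                if (validator != null) {
                    credential.setPublicKey(publicKey);
                    principal = new PublicKeyPrincipalImpl(publicKey);
                    credential.setPrincipal(principal);
                    credential = validator.validate(credential, requestData);
                }
            }
        }

        checkAlgorithmSuite(requestData, principal);

        int action = principal instanceof UsernameTokenPrincipal ? ACTION_UT_SIGN : ACTION_SIGN;
        // No data references and an empty signature value: nothing in this class
        // verifies the signature, so there is nothing to record for them.
        WSSecurityEngineResult result =
                new WSSecurityEngineResult(action, principal, certs, new ArrayList<>(), new byte[0]);
        result.put(RESULT_SIGNATURE_METHOD, signatureMethod);
        result.put(RESULT_CANONICALIZATION_METHOD, "");
        String id = element.getAttributeNS(null, "Id");
        if (!"".equals(id)) {
            result.put(RESULT_ID, id);
        }
        result.put(RESULT_SECRET, secretKey);
        result.put(RESULT_PUBLIC_KEY, publicKey);
        result.put(RESULT_X509_REFERENCE_TYPE, referenceType);
        result.put(RESULT_TOKEN_ELEMENT, element);
        if (validator != null) {
            // NOTE(review): the flag is set whenever a validator is configured, including on
            // the paths above that never invoked it (trusted credential, symmetric-only
            // reference, no KeyInfo). Consumers should not read it as "validate() succeeded".
            result.put(RESULT_VALIDATED_TOKEN, Boolean.TRUE);
            if (credential != null) {
                result.put(RESULT_SUBJECT, credential.getSubject());
            }
        }
        wSDocInfo.addResult(result);
        wSDocInfo.addTokenElement(element);
        return Collections.singletonList(result);
    }

    /**
     * Returns the last element child of {@code keyInfo}, reporting BSP R5402 to the
     * enforcer when the child count is not exactly one.
     *
     * @return the last element child, or {@code null} when there is none
     * @throws WSSecurityException if the enforcer treats R5402 as fatal
     */
    private static Element singleChildElement(Element keyInfo, RequestData requestData) throws WSSecurityException {
        int elementChildren = 0;
        Element lastChild = null;
        for (Node node = keyInfo.getFirstChild(); node != null; node = node.getNextSibling()) {
            if (Node.ELEMENT_NODE == node.getNodeType()) {
                elementChildren++;
                lastChild = (Element) node;
            }
        }
        if (elementChildren != 1) {
            requestData.getBSPEnforcer().handleBSPRule(BSPRule.R5402);
        }
        return lastChild;
    }

    /**
     * Applies the configured {@link AlgorithmSuite} to the resolved principal.
     *
     * <p>Only derived-key tokens are checked (algorithm and signature key length).
     * No asymmetric key-length check is applied to X.509 or raw public keys by
     * this class, so a configured suite does not constrain those key sizes here.
     *
     * @throws WSSecurityException if the derived key violates the suite
     */
    private static void checkAlgorithmSuite(RequestData requestData, Principal principal) throws WSSecurityException {
        AlgorithmSuite algorithmSuite = requestData.getAlgorithmSuite();
        if (algorithmSuite == null) {
            return;
        }
        AlgorithmSuiteValidator suiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
        if (principal instanceof WSDerivedKeyTokenPrincipal) {
            WSDerivedKeyTokenPrincipal derived = (WSDerivedKeyTokenPrincipal) principal;
            suiteValidator.checkDerivedKeyAlgorithm(derived.getAlgorithm());
            suiteValidator.checkSignatureDerivedKeyLength(derived.getLength());
        }
    }

    /**
     * Loads the certificate chain of the crypto's default X.509 identifier.
     * Not referenced by {@link #handleToken}; retained for compatibility.
     *
     * @return the chain, or an empty array when no default identifier is configured
     * @throws WSSecurityException if the keystore lookup fails
     */
    private X509Certificate[] getDefaultCerts(Crypto crypto) throws WSSecurityException {
        String defaultAlias = crypto.getDefaultX509Identifier();
        if (defaultAlias == null) {
            return new X509Certificate[0];
        }
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(defaultAlias);
        return crypto.getX509Certificates(cryptoType);
    }

    /**
     * Extracts the public key from the first {@code ds:KeyValue} inside a {@code ds:KeyInfo}.
     *
     * @throws WSSecurityException {@code INVALID_SECURITY} when no KeyValue is present,
     *                             {@code FAILED_CHECK} when unmarshalling or key decoding fails
     */
    private PublicKey parseKeyValue(Element keyInfoElement) throws WSSecurityException {
        try {
            KeyValue keyValue = getKeyValue(keyInfoElement);
            if (keyValue == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "unsupportedKeyInfo", new Object[0]);
            }
            return keyValue.getPublicKey();
        } catch (KeyException | MarshalException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
        }
    }

    /**
     * Unmarshals {@code keyInfoElement} and returns its first {@link KeyValue} child,
     * or {@code null} when the KeyInfo holds no KeyValue.
     *
     * @throws MarshalException if the element is not a well-formed ds:KeyInfo
     */
    private KeyValue getKeyValue(Element keyInfoElement) throws MarshalException {
        List<?> content = this.signatureFactory.getKeyInfoFactory()
                .unmarshalKeyInfo(new DOMStructure(keyInfoElement))
                .getContent();
        for (Object item : content) {
            if (item instanceof KeyValue) {
                return (KeyValue) item;
            }
        }
        return null;
    }

    /**
     * Reads the {@code Algorithm} URI of {@code ds:Signature/ds:SignedInfo/ds:SignatureMethod}.
     *
     * @return the algorithm URI, or {@code null} when SignedInfo or SignatureMethod is absent
     */
    private static String getSignatureMethod(Element signatureElement) {
        Element signedInfo = WSSecurityUtil.getDirectChildElement(signatureElement, "SignedInfo", DSIG_NS);
        if (signedInfo == null) {
            return null;
        }
        Element signatureMethod =
                WSSecurityUtil.getDirectChildElement(signedInfo, Constants._TAG_SIGNATUREMETHOD, DSIG_NS);
        if (signatureMethod == null) {
            return null;
        }
        return signatureMethod.getAttributeNS(null, "Algorithm");
    }
}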
