package org.apache.cxf.rs.security.xml;

import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.SecurityUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.message.token.DOMX509Data;
import org.apache.wss4j.dom.message.token.DOMX509IssuerSerial;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.w3c.dom.Text;

/* loaded from: input_file:org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.class */
public class XmlEncOutInterceptor extends AbstractXmlSecOutInterceptor {
    private static final Logger LOG = LogUtils.getL7dLogger(XmlEncOutInterceptor.class);
    private static final String DEFAULT_RETRIEVAL_METHOD_TYPE = "http://www.w3.org/2001/04/xmlenc#EncryptedKey";
    private SecretKey symmetricKey;
    private boolean encryptSymmetricKey = true;
    private EncryptionProperties encProps = new EncryptionProperties();

    public XmlEncOutInterceptor() {
        addAfter(XmlSigOutInterceptor.class.getName());
    }

    public void setEncryptionProperties(EncryptionProperties encryptionProperties) {
        this.encProps = encryptionProperties;
    }

    public void setKeyIdentifierType(String str) {
        this.encProps.setEncryptionKeyIdType(str);
    }

    public void setSymmetricEncAlgorithm(String str) {
        if (!str.startsWith("http://www.w3.org/2001/04/xmlenc#") && !str.startsWith("http://www.w3.org/2009/xmlenc11#")) {
            str = "http://www.w3.org/2001/04/xmlenc#" + str;
        }
        this.encProps.setEncryptionSymmetricKeyAlgo(str);
    }

    public void setKeyEncAlgorithm(String str) {
        this.encProps.setEncryptionKeyTransportAlgo(str);
    }

    public void setDigestAlgorithm(String str) {
        this.encProps.setEncryptionDigestAlgo(str);
    }

    @Override // org.apache.cxf.rs.security.xml.AbstractXmlSecOutInterceptor
    protected Document processDocument(Message message, Document document) throws Exception {
        return encryptDocument(message, document);
    }

    protected Document encryptDocument(Message message, Document document) throws Exception {
        String encryptionSymmetricKeyAlgo = this.encProps.getEncryptionSymmetricKeyAlgo() == null ? "http://www.w3.org/2001/04/xmlenc#aes256-cbc" : this.encProps.getEncryptionSymmetricKeyAlgo();
        byte[] symmetricKey = getSymmetricKey(encryptionSymmetricKeyAlgo);
        Document createDocument = DOMUtils.createDocument();
        Element createEncryptedDataElement = createEncryptedDataElement(createDocument, encryptionSymmetricKeyAlgo);
        if (this.encryptSymmetricKey) {
            X509Certificate x509Certificate = null;
            String str = (String) message.getContextualProperty("ws-security.encryption.username");
            if (str == null || !SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(str) || MessageUtils.isRequestor(message)) {
                Crypto crypto = new CryptoLoader().getCrypto(message, "ws-security.encryption.crypto", "ws-security.encryption.properties");
                String userName = SecurityUtils.getUserName(crypto, str);
                if (StringUtils.isEmpty(userName)) {
                    throw new Exception("User name is not available");
                }
                x509Certificate = getReceiverCertificateFromCrypto(crypto, userName);
            } else {
                XMLSignature xMLSignature = (XMLSignature) message.getExchange().getInMessage().getContent(XMLSignature.class);
                if (xMLSignature != null) {
                    x509Certificate = xMLSignature.getKeyInfo().getX509Certificate();
                }
            }
            if (x509Certificate == null) {
                throw new Exception("Receiver certificate is not available");
            }
            String encryptionKeyTransportAlgo = this.encProps.getEncryptionKeyTransportAlgo() == null ? "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" : this.encProps.getEncryptionKeyTransportAlgo();
            String encryptionDigestAlgo = this.encProps.getEncryptionDigestAlgo();
            addEncryptedKeyElement(createEncryptedDataElement, x509Certificate, encryptSymmetricKey(symmetricKey, x509Certificate, encryptionKeyTransportAlgo, encryptionDigestAlgo), encryptionKeyTransportAlgo, encryptionDigestAlgo);
        }
        NodeList elementsByTagNameNS = EncryptionUtils.initXMLCipher(encryptionSymmetricKeyAlgo, 1, this.symmetricKey).doFinal(document, document.getDocumentElement(), false).getElementsByTagNameNS("http://www.w3.org/2001/04/xmlenc#", "CipherValue");
        if (elementsByTagNameNS.getLength() != 1) {
            throw new Exception("Payload CipherData is missing");
        }
        createCipherValue(createDocument, createDocument.getDocumentElement()).appendChild(createDocument.createTextNode(((Element) elementsByTagNameNS.item(0)).getTextContent().trim()));
        return createDocument;
    }

    private byte[] getSymmetricKey(String str) throws Exception {
        byte[] encoded;
        synchronized (this) {
            if (this.symmetricKey == null) {
                this.symmetricKey = getKeyGenerator(str).generateKey();
            }
            encoded = this.symmetricKey.getEncoded();
        }
        return encoded;
    }

    private X509Certificate getReceiverCertificateFromCrypto(Crypto crypto, String str) throws Exception {
        return SecurityUtils.getCertificates(crypto, str)[0];
    }

    private KeyGenerator getKeyGenerator(String str) throws WSSecurityException {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(JCEMapper.getJCEKeyAlgorithmFromURI(str));
            if (str.equalsIgnoreCase("http://www.w3.org/2001/04/xmlenc#aes128-cbc") || str.equalsIgnoreCase("http://www.w3.org/2009/xmlenc11#aes128-gcm")) {
                keyGenerator.init(128);
            } else if (str.equalsIgnoreCase("http://www.w3.org/2001/04/xmlenc#aes192-cbc") || str.equalsIgnoreCase("http://www.w3.org/2009/xmlenc11#aes192-gcm")) {
                keyGenerator.init(192);
            } else if (str.equalsIgnoreCase("http://www.w3.org/2001/04/xmlenc#aes256-cbc") || str.equalsIgnoreCase("http://www.w3.org/2009/xmlenc11#aes256-gcm")) {
                keyGenerator.init(256);
            }
            return keyGenerator;
        } catch (NoSuchAlgorithmException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e);
        }
    }

    protected byte[] encryptSymmetricKey(byte[] bArr, X509Certificate x509Certificate, String str, String str2) throws WSSecurityException {
        Cipher initCipherWithCert = EncryptionUtils.initCipherWithCert(str, str2, 1, x509Certificate);
        int blockSize = initCipherWithCert.getBlockSize();
        if (blockSize > 0 && blockSize < bArr.length) {
            LOG.severe("Public key algorithm too weak to encrypt symmetric key");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "unsupportedKeyTransp", new Object[]{"Public key algorithm too weak to encrypt symmetric key"});
        }
        try {
            return initCipherWithCert.doFinal(bArr);
        } catch (IllegalStateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, (String) null, (Exception) null, new Object[]{e});
        } catch (BadPaddingException e2) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, (String) null, (Exception) null, new Object[]{e2});
        } catch (IllegalBlockSizeException e3) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, (String) null, (Exception) null, new Object[]{e3});
        }
    }

    private void addEncryptedKeyElement(Element element, X509Certificate x509Certificate, byte[] bArr, String str, String str2) throws Exception {
        Document ownerDocument = element.getOwnerDocument();
        String encode = Base64Utility.encode(bArr);
        Element createEncryptedKeyElement = createEncryptedKeyElement(ownerDocument, str, str2);
        createEncryptedKeyElement.setAttributeNS(null, "Id", IDGenerator.generateID("EK-"));
        createEncryptedKeyElement.appendChild(createKeyInfoElement(ownerDocument, x509Certificate));
        createCipherValue(ownerDocument, createEncryptedKeyElement).appendChild(ownerDocument.createTextNode(encode));
        Element createElementNS = ownerDocument.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:KeyInfo");
        Element createElementNS2 = ownerDocument.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:RetrievalMethod");
        createElementNS2.setAttribute("Type", DEFAULT_RETRIEVAL_METHOD_TYPE);
        createElementNS.appendChild(createElementNS2);
        createElementNS.appendChild(createEncryptedKeyElement);
        element.appendChild(createElementNS);
    }

    protected Element createCipherValue(Document document, Element element) {
        Element createElementNS = document.createElementNS("http://www.w3.org/2001/04/xmlenc#", "xenc:CipherData");
        Element createElementNS2 = document.createElementNS("http://www.w3.org/2001/04/xmlenc#", "xenc:CipherValue");
        createElementNS.appendChild(createElementNS2);
        element.appendChild(createElementNS);
        return createElementNS2;
    }

    private Element createKeyInfoElement(Document document, X509Certificate x509Certificate) throws Exception {
        Element element;
        Element createElementNS = document.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:KeyInfo");
        String encryptionKeyIdType = this.encProps.getEncryptionKeyIdType() == null ? SecurityUtils.X509_CERT : this.encProps.getEncryptionKeyIdType();
        if (encryptionKeyIdType.equals(SecurityUtils.X509_CERT)) {
            try {
                Text createTextNode = document.createTextNode(Base64.encode(x509Certificate.getEncoded()));
                Element createElementNS2 = document.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:X509Certificate");
                createElementNS2.appendChild(createTextNode);
                Element createElementNS3 = document.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:X509Data");
                createElementNS3.appendChild(createElementNS2);
                element = createElementNS3;
            } catch (CertificateEncodingException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "encodeError", e);
            }
        } else {
            if (!encryptionKeyIdType.equals(SecurityUtils.X509_ISSUER_SERIAL)) {
                throw new Exception("Unsupported key identifier:" + encryptionKeyIdType);
            }
            element = new DOMX509Data(document, new DOMX509IssuerSerial(document, x509Certificate.getIssuerDN().getName(), x509Certificate.getSerialNumber())).getElement();
        }
        createElementNS.appendChild(element);
        return createElementNS;
    }

    protected Element createEncryptedKeyElement(Document document, String str, String str2) {
        Element createElementNS = document.createElementNS("http://www.w3.org/2001/04/xmlenc#", "xenc:EncryptedKey");
        Element createElementNS2 = document.createElementNS("http://www.w3.org/2001/04/xmlenc#", "xenc:EncryptionMethod");
        createElementNS2.setAttributeNS(null, "Algorithm", str);
        if (str2 != null) {
            Element createElementNS3 = document.createElementNS("http://www.w3.org/2000/09/xmldsig#", "ds:DigestMethod");
            createElementNS3.setAttributeNS(null, "Algorithm", str2);
            createElementNS2.appendChild(createElementNS3);
        }
        createElementNS.appendChild(createElementNS2);
        return createElementNS;
    }

    protected Element createEncryptedDataElement(Document document, String str) {
        Element createElementNS = document.createElementNS("http://www.w3.org/2001/04/xmlenc#", "xenc:EncryptedData");
        WSSecurityUtil.setNamespace(createElementNS, "http://www.w3.org/2001/04/xmlenc#", "xenc");
        Element createElementNS2 = document.createElementNS("http://www.w3.org/2001/04/xmlenc#", "xenc:EncryptionMethod");
        createElementNS2.setAttributeNS(null, "Algorithm", str);
        createElementNS.appendChild(createElementNS2);
        document.appendChild(createElementNS);
        return createElementNS;
    }
}
