package org.apache.cxf.ws.security.wss4j.policyhandlers;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.crypto.dsig.Reference;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
import org.apache.cxf.ws.security.wss4j.StaxSerializer;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecBase;
import org.apache.wss4j.dom.message.WSSecDKEncrypt;
import org.apache.wss4j.dom.message.WSSecDKSign;
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.AsymmetricBinding;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.SamlToken;
import org.opensaml.saml.common.SAMLVersion;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:lib/cxf-rt-ws-security-3.1.18.jar:org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.class */
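/**
 * Policy handler that builds the outbound WS-Security header for an
 * {@code sp:AsymmetricBinding}.
 * <p>
 * The binding's protection order decides whether the message is signed and then
 * encrypted ({@link #doSignBeforeEncrypt()}) or encrypted and then signed
 * ({@link #doEncryptBeforeSign()}). Signing uses the initiator token on the
 * requestor side and the recipient token on the responder side; encryption uses
 * the opposite party's token. Both the plain (X.509 / EncryptedKey) and the
 * derived-key (WS-SecureConversation {@code DerivedKeyToken}) variants are
 * supported, selected from the token's {@code DerivedKeys} setting.
 * <p>
 * Failures are logged at {@code FINE} (full stack trace) and surfaced either by
 * un-asserting the relevant policy assertion or by throwing a {@code Fault}.
 * <p>
 * Instances are created per message and are not thread-safe.
 */
public class AsymmetricBindingHandler extends AbstractBindingBuilder {
    private static final Logger LOG = LogUtils.getL7dLogger(AsymmetricBindingHandler.class);
    // The AsymmetricBinding assertion this handler enforces.
    AsymmetricBinding abinding;
    // EncryptedKey builder created by createEncryptedKey(); null when the key
    // material was instead taken from the received results (see setupEncryptedKey).
    private WSSecEncryptedKey encrKey;
    // Id of the EncryptedKey that derived-key signing/encryption references.
    private String encryptedKeyId;
    // Raw secret of that EncryptedKey, used as the external key for derivation.
    private byte[] encryptedKeyValue;

    /**
     * Creates a handler for one outbound message.
     *
     * @param wSSConfig         WSS4J configuration (id allocator etc.)
     * @param asymmetricBinding the binding assertion to enforce
     * @param sOAPMessage       SAAJ view of the message being secured
     * @param wSSecHeader       the wsse:Security header being built
     * @param assertionInfoMap  policy assertions to assert / un-assert
     * @param soapMessage       the CXF message (exchange, contextual properties)
     * @throws SOAPException propagated from the base builder
     */
    public AsymmetricBindingHandler(WSSConfig wSSConfig, AsymmetricBinding asymmetricBinding, SOAPMessage sOAPMessage, WSSecHeader wSSecHeader, AssertionInfoMap assertionInfoMap, SoapMessage soapMessage) throws SOAPException {
        super(wSSConfig, asymmetricBinding, sOAPMessage, wSSecHeader, assertionInfoMap, soapMessage);
        this.abinding = asymmetricBinding;
        this.protectionOrder = asymmetricBinding.getProtectionOrder();
    }

    /**
     * Entry point: lays out the timestamp, runs the protection-order specific
     * flow, then asserts the binding-level assertions (algorithm suite, WSS /
     * Trust properties, OnlySignEntireHeadersAndBody).
     */
    public void handleBinding() {
        handleLayout(createTimestamp());
        assertPolicy(this.abinding.getName());
        if (this.abinding.getProtectionOrder() == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
            doEncryptBeforeSign();
            assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
        } else {
            doSignBeforeEncrypt();
            assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
        }
        // The timestamp may have been displaced by inserted elements; restore its position.
        reshuffleTimestamp();
        assertAlgorithmSuite(this.abinding.getAlgorithmSuite());
        assertWSSProperties(this.abinding.getName().getNamespaceURI());
        assertTrustProperties(this.abinding.getName().getNamespaceURI());
        assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
    }

    /**
     * Sign-before-encrypt flow.
     * <p>
     * Attaches the initiator's token (issued token or SAML assertion) when the
     * policy requires it, signs the timestamp, supporting tokens and signed
     * parts, endorses on the requestor, and finally encrypts the encrypted
     * parts plus - when {@code EncryptSignature} is set - the main signature and
     * any signature confirmations. On the requestor the received tokens list is
     * encrypted too.
     * <p>
     * Any failure is wrapped in a {@code Fault}.
     */
    private void doSignBeforeEncrypt() {
        try {
            AbstractTokenWrapper initiatorWrapper = this.abinding.getInitiatorSignatureToken();
            if (initiatorWrapper == null) {
                initiatorWrapper = this.abinding.getInitiatorToken();
            }
            assertTokenWrapper(initiatorWrapper);
            // true once the issued token's element has been placed in the header,
            // so that doSignature does not add a BST for it again.
            boolean attached = false;
            if (initiatorWrapper != null) {
                AbstractToken token = initiatorWrapper.getToken();
                if (token instanceof IssuedToken) {
                    SecurityToken securityToken = getSecurityToken();
                    if (securityToken == null) {
                        unassertPolicy(token, "Security token is not found or expired");
                        return;
                    } else if (isTokenRequired(token.getIncludeTokenType())) {
                        addEncryptedKeyElement(cloneElement(securityToken.getToken()));
                        attached = true;
                    }
                } else if ((token instanceof SamlToken) && isRequestor()) {
                    SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
                    if (assertionWrapper != null && isTokenRequired(token.getIncludeTokenType())) {
                        addSupportingElement(assertionWrapper.toDOM(this.saaj.getSOAPPart()));
                        storeAssertionAsSecurityToken(assertionWrapper);
                    }
                } else if ((token instanceof SamlToken) && getSAMLToken() == null) {
                    // Responder side: the SAML token must come from the received results.
                    unassertPolicy(token, "Security token is not found or expired");
                    return;
                }
                assertToken(token);
            }
            List<WSEncryptionPart> sigParts = new ArrayList<>();
            if (this.timestampEl != null) {
                sigParts.add(convertToEncryptionPart(this.timestampEl.getElement()));
            }
            addSupportingTokens(sigParts);
            sigParts.addAll(getSignedParts(null));
            if (isRequestor() && initiatorWrapper != null) {
                doSignature(initiatorWrapper, sigParts, attached);
                doEndorse();
            } else if (!isRequestor()) {
                addSignatureConfirmation(sigParts);
                AbstractTokenWrapper recipientWrapper = this.abinding.getRecipientSignatureToken();
                if (recipientWrapper == null) {
                    recipientWrapper = this.abinding.getRecipientToken();
                }
                if (recipientWrapper != null) {
                    assertTokenWrapper(recipientWrapper);
                    assertToken(recipientWrapper.getToken());
                    doSignature(recipientWrapper, sigParts, attached);
                }
            }
            List<WSEncryptionPart> encryptedParts = getEncryptedParts();
            if (this.abinding.isEncryptSignature()) {
                if (this.mainSigId != null) {
                    WSEncryptionPart sigPart = new WSEncryptionPart(this.mainSigId, "Element");
                    sigPart.setElement(this.bottomUpElement);
                    encryptedParts.add(sigPart);
                }
                if (this.sigConfList != null && !this.sigConfList.isEmpty()) {
                    encryptedParts.addAll(this.sigConfList);
                }
                assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
            }
            // Encryption is always for the other party: recipient token on the
            // requestor, initiator token on the responder.
            AbstractTokenWrapper encryptionWrapper;
            if (isRequestor()) {
                encryptedParts.addAll(this.encryptedTokensList);
                encryptionWrapper = this.abinding.getRecipientEncryptionToken();
                if (encryptionWrapper == null) {
                    encryptionWrapper = this.abinding.getRecipientToken();
                }
            } else {
                encryptionWrapper = this.abinding.getInitiatorEncryptionToken();
                if (encryptionWrapper == null) {
                    encryptionWrapper = this.abinding.getInitiatorToken();
                }
            }
            doEncryption(encryptionWrapper, encryptedParts, false);
            if (encryptionWrapper != null) {
                assertTokenWrapper(encryptionWrapper);
                assertToken(encryptionWrapper.getToken());
            }
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Sign before encryption failed due to : " + e.getMessage());
            LOG.log(Level.FINE, e.getMessage(), e);
            throw new Fault(e);
        }
    }

    /**
     * Selects the token wrapper used for encryption in the encrypt-before-sign
     * flow: the recipient's token on the requestor, the initiator's token on the
     * responder, falling back from the dedicated encryption token to the general
     * token. The wrapper is asserted before being returned.
     *
     * @return the encryption token wrapper, possibly {@code null}
     */
    private AbstractTokenWrapper getEncryptBeforeSignWrapper() {
        AbstractTokenWrapper encryptionWrapper;
        if (isRequestor()) {
            encryptionWrapper = this.abinding.getRecipientEncryptionToken();
            if (encryptionWrapper == null) {
                encryptionWrapper = this.abinding.getRecipientToken();
            }
        } else {
            encryptionWrapper = this.abinding.getInitiatorEncryptionToken();
            if (encryptionWrapper == null) {
                encryptionWrapper = this.abinding.getInitiatorToken();
            }
        }
        assertTokenWrapper(encryptionWrapper);
        return encryptionWrapper;
    }

    /**
     * Encrypt-before-sign flow.
     * <p>
     * Encrypts the encrypted parts first (as an external ReferenceList), signs
     * the timestamp, supporting tokens and signed parts (including encrypted
     * signed headers), endorses on the requestor, and then runs a second
     * encryption pass over the signature / signature confirmations / received
     * tokens via {@link #encryptTokensInSecurityHeader}.
     * <p>
     * A failure while adding supporting tokens only un-asserts the encryption
     * token; SOAP / WSS4J failures later in the flow become a {@code Fault}.
     */
    private void doEncryptBeforeSign() {
        AbstractTokenWrapper encryptionWrapper = getEncryptBeforeSignWrapper();
        AbstractToken encryptionToken = null;
        if (encryptionWrapper != null) {
            encryptionToken = encryptionWrapper.getToken();
            assertToken(encryptionToken);
        }
        AbstractTokenWrapper initiatorWrapper = this.abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = this.abinding.getInitiatorToken();
        }
        assertTokenWrapper(initiatorWrapper);
        // true once the issued token's element has been placed in the header.
        boolean attached = false;
        if (initiatorWrapper != null) {
            AbstractToken token = initiatorWrapper.getToken();
            if (token instanceof IssuedToken) {
                SecurityToken securityToken = getSecurityToken();
                if (securityToken == null) {
                    unassertPolicy(token, "Security token is not found or expired");
                    return;
                } else if (isTokenRequired(token.getIncludeTokenType())) {
                    addEncryptedKeyElement(cloneElement(securityToken.getToken()));
                    attached = true;
                }
            } else if ((token instanceof SamlToken) && isRequestor()) {
                try {
                    SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
                    if (assertionWrapper != null && isTokenRequired(token.getIncludeTokenType())) {
                        addSupportingElement(assertionWrapper.toDOM(this.saaj.getSOAPPart()));
                        storeAssertionAsSecurityToken(assertionWrapper);
                    }
                } catch (Exception e) {
                    LOG.log(Level.WARNING, "Encrypt before sign failed due to : " + e.getMessage());
                    LOG.log(Level.FINE, e.getMessage(), e);
                    throw new Fault(e);
                }
            } else if ((token instanceof SamlToken) && getSAMLToken() == null) {
                // Responder side: the SAML token must come from the received results.
                unassertPolicy(token, "Security token is not found or expired");
                return;
            }
        }
        List<WSEncryptionPart> sigParts = new ArrayList<>();
        if (this.timestampEl != null) {
            sigParts.add(convertToEncryptionPart(this.timestampEl.getElement()));
        }
        try {
            addSupportingTokens(sigParts);
        } catch (WSSecurityException e2) {
            LOG.log(Level.FINE, e2.getMessage(), e2);
            unassertPolicy(encryptionToken, e2);
        }
        try {
            List<WSEncryptionPart> encryptedParts = getEncryptedParts();
            sigParts.addAll(getSignedParts(null));
            WSSecBase encrBase = null;
            if (encryptionToken != null && encryptedParts.size() > 0) {
                // First pass: external ReferenceList so the signature can cover
                // the EncryptedData elements produced here.
                encrBase = doEncryption(encryptionWrapper, encryptedParts, true);
                handleEncryptedSignedHeaders(encryptedParts, sigParts);
            }
            if (!isRequestor()) {
                addSignatureConfirmation(sigParts);
            }
            try {
                if (sigParts.size() > 0) {
                    if (initiatorWrapper != null && isRequestor()) {
                        doSignature(initiatorWrapper, sigParts, attached);
                    } else if (!isRequestor()) {
                        AbstractTokenWrapper recipientWrapper = this.abinding.getRecipientSignatureToken();
                        if (recipientWrapper == null) {
                            recipientWrapper = this.abinding.getRecipientToken();
                        }
                        if (recipientWrapper != null) {
                            assertTokenWrapper(recipientWrapper);
                            assertToken(recipientWrapper.getToken());
                            doSignature(recipientWrapper, sigParts, attached);
                        }
                    }
                }
                if (isRequestor()) {
                    doEndorse();
                }
                // Second pass reuses the same encryption builder (and key) for the
                // signature-related parts that only exist after signing.
                if (encrBase != null) {
                    encryptTokensInSecurityHeader(encryptionToken, encrBase);
                }
            } catch (SOAPException e3) {
                LOG.log(Level.FINE, e3.getMessage(), e3);
                throw new Fault(e3);
            } catch (WSSecurityException e4) {
                LOG.log(Level.FINE, e4.getMessage(), e4);
                throw new Fault(e4);
            }
        } catch (SOAPException e5) {
            LOG.log(Level.FINE, e5.getMessage(), e5);
            throw new Fault(e5);
        }
    }

    /**
     * Second encryption pass of the encrypt-before-sign flow: encrypts the main
     * signature and signature confirmations (when {@code EncryptSignature} is
     * set) and, on the requestor, the received tokens list, using the builder
     * returned by the first pass so that no new key is generated.
     * <p>
     * For derived keys the parts are encrypted as an external reference through
     * the {@code WSSecDKEncrypt} builder; otherwise a new
     * {@code xenc:ReferenceList} is inserted after the last EncryptedKey (or
     * before the bottom-up element) and filled via {@code encryptForRef}.
     *
     * @param encryptionToken the token used by the first encryption pass (non-null by construction)
     * @param encrBase        the builder returned by the first pass
     */
    private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) {
        List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
        if (this.abinding.isEncryptSignature()) {
            assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
            if (this.mainSigId != null) {
                WSEncryptionPart sigPart = new WSEncryptionPart(this.mainSigId, "Element");
                sigPart.setElement(this.bottomUpElement);
                secondEncrParts.add(sigPart);
            }
            if (this.sigConfList != null && !this.sigConfList.isEmpty()) {
                secondEncrParts.addAll(this.sigConfList);
            }
        }
        if (isRequestor()) {
            secondEncrParts.addAll(this.encryptedTokensList);
        }
        if (secondEncrParts.isEmpty()) {
            return;
        }
        if (encryptionToken.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys && (encrBase instanceof WSSecDKEncrypt)) {
            try {
                Element refList = ((WSSecDKEncrypt) encrBase).encryptForExternalRef(null, secondEncrParts, this.secHeader);
                if (refList != null) {
                    ((WSSecDKEncrypt) encrBase).addExternalRefElement(refList, this.secHeader);
                }
                return;
            } catch (WSSecurityException e) {
                LOG.log(Level.FINE, e.getMessage(), e);
                throw new Fault(e);
            }
        }
        if (encrBase instanceof WSSecEncrypt) {
            try {
                Element refList = this.saaj.getSOAPPart().createElementNS("http://www.w3.org/2001/04/xmlenc#", "xenc:ReferenceList");
                if (this.lastEncryptedKeyElement != null) {
                    insertAfter(refList, this.lastEncryptedKeyElement);
                } else {
                    insertBeforeBottomUp(refList);
                }
                ((WSSecEncrypt) encrBase).encryptForRef(refList, secondEncrParts, this.secHeader);
            } catch (WSSecurityException e2) {
                LOG.log(Level.FINE, e2.getMessage(), e2);
                throw new Fault(e2);
            }
        }
    }

    /**
     * Encrypts {@code encrParts} with the given token, producing an EncryptedKey
     * (or delegating to {@link #doEncryptionDerived} when derived keys are
     * required).
     * <p>
     * Key selection: on the responder a certificate or public key carried by
     * the received security token is preferred; otherwise the configured
     * encryption user / crypto is used. When none of certificate, public key
     * or crypto is available the token wrapper is un-asserted with a
     * configuration hint. On the responder with a received SAML token the
     * EncryptedKey references the assertion by ID (custom key identifier, the
     * decompiled literal 12 is {@code WSConstants.CUSTOM_KEY_IDENTIFIER}).
     *
     * @param tokenWrapper the encryption token wrapper
     * @param encrParts    parts to encrypt; nothing is done when empty
     * @param externalRef  {@code true} to emit the ReferenceList in the header
     *                     (before the bottom-up element) rather than inside the
     *                     EncryptedKey element
     * @return the prepared builder, or {@code null} when nothing was encrypted
     *         or WSS4J failed (the failure un-asserts the wrapper)
     */
    private WSSecBase doEncryption(AbstractTokenWrapper tokenWrapper, List<WSEncryptionPart> encrParts, boolean externalRef) {
        if (tokenWrapper == null || tokenWrapper.getToken() == null || encrParts.size() <= 0) {
            return null;
        }
        AbstractToken token = tokenWrapper.getToken();
        assertPolicy(tokenWrapper);
        assertPolicy(token);
        AlgorithmSuite algorithmSuite = this.abinding.getAlgorithmSuite();
        if (token.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys) {
            return doEncryptionDerived(tokenWrapper, token, encrParts, algorithmSuite);
        }
        try {
            WSSecEncrypt encr = new WSSecEncrypt();
            encr.setEncryptionSerializer(new StaxSerializer());
            encr.setIdAllocator(this.wssConfig.getIdAllocator());
            encr.setCallbackLookup(this.callbackLookup);
            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(this.message));
            encr.setStoreBytesInAttachment(this.storeBytesInAttachment);
            encr.setDocument(this.saaj.getSOAPPart());
            Crypto encryptionCrypto = getEncryptionCrypto();
            SecurityToken securityToken = getSecurityToken();
            if (isRequestor() || securityToken == null || !(tokenWrapper.getToken() instanceof SamlToken)) {
                setKeyIdentifierType(encr, token);
            } else {
                // Responder encrypting back to a SAML-token holder: reference the
                // received assertion by its ID with the matching value type.
                String tokenType = securityToken.getTokenType();
                if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".equals(tokenType) || "urn:oasis:names:tc:SAML:1.0:assertion".equals(tokenType)) {
                    encr.setCustomEKTokenValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID");
                    encr.setKeyIdentifierType(12);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else if ("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".equals(tokenType) || "urn:oasis:names:tc:SAML:2.0:assertion".equals(tokenType)) {
                    encr.setCustomEKTokenValueType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID");
                    encr.setKeyIdentifierType(12);
                    encr.setCustomEKTokenId(securityToken.getId());
                } else {
                    setKeyIdentifierType(encr, token);
                }
            }
            // Responder: prefer the certificate / public key carried by the
            // received token; otherwise fall back to the configured encryption user.
            if (!isRequestor() && securityToken != null && securityToken.getX509Certificate() != null) {
                encr.setUseThisCert(securityToken.getX509Certificate());
            } else if (isRequestor() || securityToken == null || !(securityToken.getKey() instanceof PublicKey)) {
                setEncryptionUser(encr, token, false, encryptionCrypto);
            } else {
                encr.setUseThisPublicKey((PublicKey) securityToken.getKey());
            }
            if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && encryptionCrypto == null) {
                unassertPolicy(tokenWrapper, "Missing security configuration. Make sure jaxws:client element is configured with a security.encryption.properties value.");
            }
            AlgorithmSuite.AlgorithmSuiteType algorithmSuiteType = algorithmSuite.getAlgorithmSuiteType();
            encr.setSymmetricEncAlgorithm(algorithmSuiteType.getEncryption());
            encr.setKeyEncAlgo(algorithmSuiteType.getAsymmetricKeyWrap());
            encr.setMGFAlgorithm(algorithmSuiteType.getMGFAlgo());
            encr.setDigestAlgorithm(algorithmSuiteType.getEncryptionDigest());
            encr.prepare(this.saaj.getSOAPPart(), encryptionCrypto);
            Element encryptedKeyElement = encr.getEncryptedKeyElement();
            List<Element> attachmentEncryptedDataElements = encr.getAttachmentEncryptedDataElements();
            if (externalRef) {
                // ReferenceList lives in the header; the EncryptedKey is only
                // added when something was actually encrypted.
                Element refList = encr.encryptForRef(null, encrParts, this.secHeader);
                if (refList != null) {
                    insertBeforeBottomUp(refList);
                }
                if (attachmentEncryptedDataElements != null) {
                    for (Element encryptedData : attachmentEncryptedDataElements) {
                        insertBeforeBottomUp(encryptedData);
                    }
                }
                if (refList != null || (attachmentEncryptedDataElements != null && !attachmentEncryptedDataElements.isEmpty())) {
                    addEncryptedKeyElement(encryptedKeyElement);
                }
            } else {
                // ReferenceList is nested inside the EncryptedKey element.
                Node refList = encr.encryptForRef(null, encrParts, this.secHeader);
                if (refList != null || (attachmentEncryptedDataElements != null && !attachmentEncryptedDataElements.isEmpty())) {
                    addEncryptedKeyElement(encryptedKeyElement);
                }
                if (refList != null) {
                    encryptedKeyElement.appendChild(refList);
                }
                if (attachmentEncryptedDataElements != null) {
                    for (Element encryptedData : attachmentEncryptedDataElements) {
                        addEncryptedKeyElement(encryptedData);
                    }
                }
            }
            if (encr.getBSTTokenId() != null) {
                encr.prependBSTElementToHeader(this.secHeader);
            }
            return encr;
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            unassertPolicy(tokenWrapper, e);
            return null;
        }
    }

    /**
     * Derived-key variant of {@link #doEncryption}: ensures an EncryptedKey
     * exists (creating one via {@link #setupEncryptedKey} when needed), derives
     * an encryption key from its secret, adds the DerivedKeyToken to the header
     * and encrypts {@code encrParts} as an external reference.
     *
     * @param tokenWrapper   the encryption token wrapper
     * @param token          the encryption token
     * @param encrParts      parts to encrypt
     * @param algorithmSuite the binding's algorithm suite
     * @return the prepared {@code WSSecDKEncrypt}, or {@code null} on failure
     *         (the failure un-asserts the wrapper)
     */
    private WSSecBase doEncryptionDerived(AbstractTokenWrapper tokenWrapper, AbstractToken token, List<WSEncryptionPart> encrParts, AlgorithmSuite algorithmSuite) {
        try {
            WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
            dkEncr.setEncryptionSerializer(new StaxSerializer());
            dkEncr.setIdAllocator(this.wssConfig.getIdAllocator());
            dkEncr.setCallbackLookup(this.callbackLookup);
            dkEncr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(this.message));
            dkEncr.setStoreBytesInAttachment(this.storeBytesInAttachment);
            // SP 1.1 policies pair with the older WS-SecureConversation namespace.
            if (tokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
                dkEncr.setWscVersion(1);
            }
            if (this.encrKey == null) {
                setupEncryptedKey(tokenWrapper, token);
            }
            dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
            dkEncr.getParts().addAll(encrParts);
            dkEncr.setCustomValueType("http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey");
            AlgorithmSuite.AlgorithmSuiteType algorithmSuiteType = algorithmSuite.getAlgorithmSuiteType();
            dkEncr.setSymmetricEncAlgorithm(algorithmSuiteType.getEncryption());
            // The suite gives the derived-key length in bits; the builder takes bytes.
            dkEncr.setDerivedKeyLength(algorithmSuiteType.getEncryptionDerivedKeyLength() / 8);
            dkEncr.prepare(this.saaj.getSOAPPart());
            addDerivedKeyElement(dkEncr.getdktElement());
            Element refList = dkEncr.encryptForExternalRef(null, encrParts, this.secHeader);
            if (refList != null) {
                insertBeforeBottomUp(refList);
            }
            return dkEncr;
        } catch (Exception e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            unassertPolicy(tokenWrapper, e);
            return null;
        }
    }

    /**
     * Marks the assertions for a token wrapper (and its token) as asserted even
     * though this side does not use them, so that the other party's token
     * assertions do not fail policy verification.
     *
     * @param tokenWrapper the wrapper to mark; ignored when {@code null}
     */
    private void assertUnusedTokens(AbstractTokenWrapper tokenWrapper) {
        if (tokenWrapper == null) {
            return;
        }
        Collection<AssertionInfo> wrapperInfos = this.aim.getAssertionInfo(tokenWrapper.getName());
        if (wrapperInfos != null) {
            for (AssertionInfo ai : wrapperInfos) {
                if (ai.getAssertion() == tokenWrapper) {
                    ai.setAsserted(true);
                }
            }
        }
        Collection<AssertionInfo> tokenInfos = this.aim.getAssertionInfo(tokenWrapper.getToken().getName());
        if (tokenInfos != null) {
            for (AssertionInfo ai : tokenInfos) {
                if (ai.getAssertion() == tokenWrapper.getToken()) {
                    ai.setAsserted(true);
                }
            }
        }
    }

    /**
     * Signs {@code sigParts} with the given token and records the resulting
     * signature (bottom-up element, signature value, main signature id).
     * <p>
     * With an empty part list only the BST is appended (when the token must be
     * included and is not already attached). Without derived keys a plain
     * {@code WSSecSignature} is used; with {@code ProtectTokens} the signing
     * token (custom token id for SAML / issued tokens, otherwise the BST) is
     * added to the signed parts. With derived keys an EncryptedKey is set up
     * first and a {@code WSSecDKSign} derives the signing key from it.
     *
     * @param tokenWrapper the signature token wrapper
     * @param sigParts     parts to sign; may be extended with the token itself
     * @param attached     {@code true} if the token element is already in the header
     * @throws WSSecurityException from the non-derived signature path
     * @throws SOAPException       from the non-derived signature path
     */
    private void doSignature(AbstractTokenWrapper tokenWrapper, List<WSEncryptionPart> sigParts, boolean attached) throws WSSecurityException, SOAPException {
        Element binarySecurityTokenElement;
        if (isRequestor()) {
            assertUnusedTokens(this.abinding.getRecipientToken());
            assertUnusedTokens(this.abinding.getRecipientEncryptionToken());
            assertUnusedTokens(this.abinding.getRecipientSignatureToken());
        } else {
            assertUnusedTokens(this.abinding.getInitiatorToken());
            assertUnusedTokens(this.abinding.getInitiatorEncryptionToken());
            assertUnusedTokens(this.abinding.getInitiatorSignatureToken());
        }
        AbstractToken token = tokenWrapper.getToken();
        if (sigParts.isEmpty()) {
            if (attached || !isTokenRequired(token.getIncludeTokenType())) {
                return;
            }
            getSignatureBuilder(token, attached, false).appendBSTElementToHeader(this.secHeader);
            return;
        }
        if (token.getDerivedKeys() != AbstractToken.DerivedKeys.RequireDerivedKeys) {
            WSSecSignature sig = getSignatureBuilder(token, attached, false);
            if (this.abinding.isProtectTokens()) {
                assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
                if (sig.getCustomTokenId() != null && ((token instanceof SamlToken) || (token instanceof IssuedToken))) {
                    sigParts.add(new WSEncryptionPart(sig.getCustomTokenId()));
                } else if (sig.getBSTTokenId() != null) {
                    WSEncryptionPart bstPart = new WSEncryptionPart(sig.getBSTTokenId());
                    bstPart.setElement(sig.getBinarySecurityTokenElement());
                    sigParts.add(bstPart);
                    sig.prependBSTElementToHeader(this.secHeader);
                }
            }
            List<Reference> referenceList = sig.addReferencesToSign(sigParts, this.secHeader);
            if (referenceList.isEmpty()) {
                return;
            }
            if (this.bottomUpElement == null) {
                sig.computeSignature(referenceList, false, null);
            } else {
                sig.computeSignature(referenceList, true, this.bottomUpElement);
            }
            this.bottomUpElement = sig.getSignatureElement();
            // Without ProtectTokens the BST was not prepended above; place it
            // directly before the signature that references it.
            if (!this.abinding.isProtectTokens() && (binarySecurityTokenElement = sig.getBinarySecurityTokenElement()) != null) {
                this.secHeader.getSecurityHeader().insertBefore(binarySecurityTokenElement, this.bottomUpElement);
            }
            addSig(sig.getSignatureValue());
            this.mainSigId = sig.getId();
            return;
        }
        setupEncryptedKey(tokenWrapper, token);
        WSSecDKSign dkSign = new WSSecDKSign();
        dkSign.setIdAllocator(this.wssConfig.getIdAllocator());
        dkSign.setCallbackLookup(this.callbackLookup);
        dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(this.message));
        dkSign.setStoreBytesInAttachment(this.storeBytesInAttachment);
        // SP 1.1 policies pair with the older WS-SecureConversation namespace.
        if (tokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
            dkSign.setWscVersion(1);
        }
        dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
        dkSign.setSignatureAlgorithm(this.abinding.getAlgorithmSuite().getSymmetricSignature());
        dkSign.setSigCanonicalization(this.abinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuite.AlgorithmSuiteType algorithmSuiteType = this.abinding.getAlgorithmSuite().getAlgorithmSuiteType();
        dkSign.setDigestAlgorithm(algorithmSuiteType.getDigest());
        // The suite gives the derived-key length in bits; the builder takes bytes.
        dkSign.setDerivedKeyLength(algorithmSuiteType.getSignatureDerivedKeyLength() / 8);
        dkSign.setCustomValueType("http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey");
        dkSign.setAddInclusivePrefixes(MessageUtils.getContextualBoolean(this.message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true));
        try {
            dkSign.prepare(this.saaj.getSOAPPart(), this.secHeader);
            if (this.abinding.isProtectTokens()) {
                assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
                if (this.bstElement != null) {
                    WSEncryptionPart bstPart = new WSEncryptionPart(this.bstElement.getAttributeNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Id"));
                    bstPart.setElement(this.bstElement);
                    sigParts.add(bstPart);
                } else {
                    // NOTE(review): encrKey is null when setupEncryptedKey reused the
                    // received EncryptedKey instead of creating one - confirm this
                    // branch cannot be reached in that case.
                    WSEncryptionPart ekPart = new WSEncryptionPart(this.encrKey.getId());
                    ekPart.setElement(this.encrKey.getEncryptedKeyElement());
                    sigParts.add(ekPart);
                }
            }
            dkSign.getParts().addAll(sigParts);
            List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, this.secHeader);
            if (!referenceList.isEmpty()) {
                addDerivedKeyElement(dkSign.getdktElement());
                if (this.bottomUpElement == null) {
                    dkSign.computeSignature(referenceList, false, null);
                } else {
                    dkSign.computeSignature(referenceList, true, this.bottomUpElement);
                }
                this.bottomUpElement = dkSign.getSignatureElement();
                addSig(dkSign.getSignatureValue());
                this.mainSigId = dkSign.getSignatureId();
            }
        } catch (Exception e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw new Fault(e);
        }
    }

    /**
     * Makes sure {@link #encryptedKeyId} / {@link #encryptedKeyValue} are set.
     * <p>
     * On the requestor, or when the token does not require derived keys, a
     * fresh EncryptedKey is always created. On the responder with derived keys
     * the id and secret of the EncryptedKey decrypted from the incoming message
     * are reused, and a fresh one is created only when neither was found.
     * If no security results are present the token is un-asserted.
     *
     * @param tokenWrapper the token wrapper (forwarded to createEncryptedKey)
     * @param token        the token deciding the derived-keys requirement
     * @throws WSSecurityException from EncryptedKey creation
     */
    private void setupEncryptedKey(AbstractTokenWrapper tokenWrapper, AbstractToken token) throws WSSecurityException {
        if (isRequestor() || token.getDerivedKeys() != AbstractToken.DerivedKeys.RequireDerivedKeys) {
            createEncryptedKey(tokenWrapper, token);
            return;
        }
        if (this.encryptedKeyId == null || this.encryptedKeyValue == null) {
            if (CastUtils.cast((List<?>) this.message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS)) == null) {
                unassertPolicy(token, "No security results found");
                return;
            }
            WSSecurityEngineResult encryptedKeyResult = getEncryptedKeyResult();
            if (encryptedKeyResult != null) {
                this.encryptedKeyId = (String) encryptedKeyResult.get("id");
                this.encryptedKeyValue = (byte[]) encryptedKeyResult.get("secret");
            }
            // NOTE(review): only the "both missing" case creates a new key; a
            // result with exactly one of id/secret leaves the pair incomplete.
            if (this.encryptedKeyId == null && this.encryptedKeyValue == null) {
                createEncryptedKey(tokenWrapper, token);
            }
        }
    }

    /**
     * Builds a new EncryptedKey for {@code token}, prepends its BST (if any)
     * and adds the EncryptedKey element to the header, then caches the
     * ephemeral secret and id for derived-key use.
     *
     * @param tokenWrapper the token wrapper (unused here, kept for symmetry with callers)
     * @param token        the token the EncryptedKey is built for
     * @throws WSSecurityException from the EncryptedKey builder
     */
    private void createEncryptedKey(AbstractTokenWrapper tokenWrapper, AbstractToken token) throws WSSecurityException {
        this.encrKey = getEncryptedKeyBuilder(token);
        if (this.encrKey.getBinarySecurityTokenElement() != null) {
            this.encrKey.prependBSTElementToHeader(this.secHeader);
        }
        addEncryptedKeyElement(this.encrKey.getEncryptedKeyElement());
        this.encryptedKeyValue = this.encrKey.getEphemeralKey();
        this.encryptedKeyId = this.encrKey.getId();
    }

    /**
     * Responder-side lookup of a SAML assertion received in the incoming message.
     * <p>
     * Scans the handler results for a SAML result (the literals 16 and 8 are
     * {@code WSConstants.ST_SIGNED} and {@code ST_UNSIGNED}), wraps it as a
     * {@code SecurityToken} (id, secret, certificate, SAML 1.1 / 2.0 token type,
     * lifetime from the configured security token lifetime), stores it under
     * {@code SecurityConstants.TOKEN} on the message and returns its id.
     * <p>
     * NOTE(review): unsigned assertions (action 8) are accepted alongside signed
     * ones; whether material taken from such a result is trustworthy depends on
     * the inbound validation that produced it - confirm.
     *
     * @return the assertion id, or {@code null} when no security results or no
     *         SAML result are present
     */
    private String getSAMLToken() {
        List<WSHandlerResult> recvResults = CastUtils.cast((List<?>) this.message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
        if (recvResults == null) {
            // No inbound security processing happened (same guard as setupEncryptedKey).
            return null;
        }
        for (WSHandlerResult handlerResult : recvResults) {
            for (WSSecurityEngineResult result : handlerResult.getResults()) {
                Integer action = (Integer) result.get("action");
                if (action != null && (action.intValue() == 16 || action.intValue() == 8)) {
                    Date created = new Date();
                    Date expires = new Date();
                    expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(this.message));
                    String id = (String) result.get("id");
                    SecurityToken securityToken = new SecurityToken(id, created, expires);
                    securityToken.setSecret((byte[]) result.get("secret"));
                    securityToken.setX509Certificate((X509Certificate) result.get("x509-certificate"), null);
                    if (((SamlAssertionWrapper) result.get("saml-assertion")).getSamlVersion() == SAMLVersion.VERSION_20) {
                        securityToken.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
                    } else {
                        securityToken.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
                    }
                    this.message.put(SecurityConstants.TOKEN, securityToken);
                    return id;
                }
            }
        }
        return null;
    }
}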
