package org.apache.cxf.ws.security.wss4j.policyhandlers;

import jakarta.xml.soap.SOAPException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils;
import org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.AsymmetricBinding;
import org.apache.wss4j.policy.model.InitiatorToken;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.RecipientToken;
import org.apache.wss4j.policy.model.SamlToken;
import org.apache.wss4j.policy.model.SecurityContextToken;
import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.stax.ext.OutboundSecurityContext;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.apache.xml.security.utils.Constants;

/* loaded from: input_file:lib/cxf-shade-9.0.0-M8.jar:org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.class */
/**
 * Outbound policy handler for a WS-SecurityPolicy {@code AsymmetricBinding} on the
 * streaming (StAX) WS-Security stack.
 *
 * <p>It translates the binding into the {@link WSSSecurityProperties} actions and secure
 * parts that the outbound security processing will execute: Timestamp, Signature with the
 * initiator/recipient signature token, Encryption with the recipient/initiator encryption
 * token, optional encryption of the Signature element, supporting tokens and token
 * protection.  Which token plays which role depends on {@link #isRequestor()}: a requestor
 * signs with the initiator token and encrypts for the recipient token, a responder does the
 * reverse.
 *
 * <p>The relative order of the signature and encryption steps is driven by the binding's
 * {@code ProtectionOrder} (see {@link #handleBinding()}).
 *
 * <p>This listing is decompiled from the shaded CXF jar (see the comment above the class).
 * Local variable names are decompiler output and do not always reflect the role of the
 * value they hold - e.g. {@code initiatorEncryptionToken} holds the <em>recipient</em>'s
 * token on the requestor side.  The raw {@code ArrayList}/{@code List} declarations are
 * likewise erasure artifacts of decompilation, not a choice of the original author.
 */
public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(StaxAsymmetricBindingHandler.class);
    /** The AsymmetricBinding assertion being enforced for this outbound message. */
    private AsymmetricBinding abinding;
    /** The outbound message; read for contextual security properties and the token store. */
    private SoapMessage message;

    /**
     * Creates the handler for one outbound message.
     *
     * @param wSSSecurityProperties   the StAX security properties this handler populates
     * @param soapMessage             the outbound SOAP message
     * @param asymmetricBinding       the AsymmetricBinding assertion to enforce
     * @param outboundSecurityContext the outbound security context shared with the base handler
     */
    public StaxAsymmetricBindingHandler(WSSSecurityProperties wSSSecurityProperties, SoapMessage soapMessage, AsymmetricBinding asymmetricBinding, OutboundSecurityContext outboundSecurityContext) {
        super(wSSSecurityProperties, soapMessage, asymmetricBinding, outboundSecurityContext);
        this.message = soapMessage;
        this.abinding = asymmetricBinding;
    }

    /**
     * Entry point: configures the outbound security actions for the asymmetric binding.
     *
     * <p>In order: configure the Timestamp; apply the per-message signature-algorithm
     * overrides from the {@code ASYMMETRIC_SIGNATURE_ALGORITHM} and
     * {@code SYMMETRIC_SIGNATURE_ALGORITHM} contextual properties; run either the
     * encrypt-then-sign or the sign-then-encrypt flow according to the binding's
     * ProtectionOrder; configure the security-header layout; and finally assert the
     * remaining binding assertions (AlgorithmSuite, Wss*, Trust*,
     * OnlySignEntireHeadersAndBody and - when set - ProtectTokens) so that policy
     * verification does not report them as unsatisfied.
     *
     * <p>Security note: the two contextual-property overrides replace the signature
     * algorithms the policy's AlgorithmSuite carries without any validation here, so a
     * caller that sets them is responsible for choosing an algorithm URI acceptable to the
     * peer and to the deployment's requirements.
     */
    public void handleBinding() {
        AssertionInfoMap assertionInfoMap = (AssertionInfoMap) getMessage().get(AssertionInfoMap.class);
        configureTimestamp(assertionInfoMap);
        assertPolicy(this.abinding.getName());
        // Optional per-message override of the asymmetric signature algorithm.
        String str = (String) getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
        if (str != null && this.abinding.getAlgorithmSuite() != null) {
            // NOTE(review): this mutates the policy model object in place; if the AlgorithmSuite
            // instance is shared across messages the override would leak to them - confirm.
            this.abinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(str);
        }
        // Optional per-message override of the symmetric signature algorithm; doSignature()
        // switches to it when the signature token requires derived keys.
        String str2 = (String) getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
        if (str2 != null && this.abinding.getAlgorithmSuite() != null) {
            this.abinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(str2);
        }
        // ProtectionOrder decides which flow runs; anything other than EncryptBeforeSigning
        // (including an absent value) is treated as SignBeforeEncrypting.
        if (this.abinding.getProtectionOrder() == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
            doEncryptBeforeSign();
            assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), "EncryptBeforeSigning"));
        } else {
            doSignBeforeEncrypt();
            assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), "SignBeforeEncrypting"));
        }
        configureLayout(assertionInfoMap);
        assertAlgorithmSuite(this.abinding.getAlgorithmSuite());
        assertWSSProperties(this.abinding.getName().getNamespaceURI());
        assertTrustProperties(this.abinding.getName().getNamespaceURI());
        // Asserted unconditionally: the streaming handler only ever signs whole headers/body.
        assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), "OnlySignEntireHeadersAndBody"));
        if (this.abinding.isProtectTokens()) {
            assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), "ProtectTokens"));
        }
    }

    /**
     * Sign-then-encrypt flow ({@code SignBeforeEncrypting}).
     *
     * <p>Signature: the initiator signature token (falling back to the initiator token) is
     * resolved and, if it is an IssuedToken or SamlToken, added to the header first.  On the
     * requestor side that token signs the Timestamp (if one was added) plus the policy's
     * SignedParts - note that {@code doSignature} is invoked even when that list is empty.
     * On the responder side a SignatureConfirmation is added and the recipient signature
     * token (falling back to the recipient token) signs, but only if the signed-parts list
     * is non-empty.
     *
     * <p>Encryption: the policy's EncryptedParts, plus the Signature element (and the
     * SignatureConfirmation, if one was added) when the binding sets
     * {@code EncryptSignature}, plus - on the requestor side - the supporting tokens
     * collected in {@code encryptedTokensList}.  The encryption token is the recipient
     * encryption token for a requestor and the initiator encryption token for a responder,
     * each falling back to the corresponding plain token.
     *
     * <p>Any exception is logged at WARNING (message text only) and rethrown as a
     * {@link Fault} that carries the original exception as its cause.
     */
    private void doSignBeforeEncrypt() {
        // Decompiler name: on the requestor side this holds the *recipient* encryption token.
        RecipientToken initiatorEncryptionToken;
        try {
            InitiatorToken initiatorSignatureToken = this.abinding.getInitiatorSignatureToken();
            if (initiatorSignatureToken == null) {
                initiatorSignatureToken = this.abinding.getInitiatorToken();
            }
            if (initiatorSignatureToken != null) {
                assertTokenWrapper(initiatorSignatureToken);
                AbstractToken token = initiatorSignatureToken.getToken();
                if (token instanceof IssuedToken) {
                    // Issued token: add it to the header, cache it in the token store, and make
                    // sure it is not also picked up as the encryption token.
                    SecurityToken securityToken = getSecurityToken();
                    addIssuedToken(token, securityToken, false, true);
                    if (securityToken != null) {
                        storeSecurityToken(token, securityToken);
                        this.outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
                    }
                    // Wrap the existing callback handler so key material for the issued token
                    // can be served from the message's token store.
                    WSSSecurityProperties properties = getProperties();
                    properties.setCallbackHandler(new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(this.message)));
                } else if (token instanceof SamlToken) {
                    addSamlToken((SamlToken) token, false, true);
                }
                assertToken(token);
            }
            // Parts to sign: Timestamp (if added) followed by the policy's SignedParts.
            ArrayList arrayList = new ArrayList();
            if (this.timestampAdded) {
                arrayList.add(new SecurePart(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Timestamp"), SecurePart.Modifier.Element));
            }
            arrayList.addAll(getSignedParts());
            if (isRequestor() && initiatorSignatureToken != null) {
                doSignature(initiatorSignatureToken, arrayList);
            } else if (!isRequestor()) {
                // Responder: confirm the request signature(s) and sign with the recipient token.
                addSignatureConfirmation(arrayList);
                RecipientToken recipientSignatureToken = this.abinding.getRecipientSignatureToken();
                if (recipientSignatureToken == null) {
                    recipientSignatureToken = this.abinding.getRecipientToken();
                }
                if (recipientSignatureToken != null) {
                    assertTokenWrapper(recipientSignatureToken);
                    assertToken(recipientSignatureToken.getToken());
                }
                // Unlike the requestor branch, the responder only signs when there are parts.
                if (recipientSignatureToken != null && !arrayList.isEmpty()) {
                    doSignature(recipientSignatureToken, arrayList);
                }
            }
            addSupportingTokens();
            // Header fix-ups inherited from the base handler (behaviour not visible here).
            removeSignatureIfSignedSAML();
            prependSignatureToSC();
            List<SecurePart> encryptedParts = getEncryptedParts();
            if (this.abinding.isEncryptSignature()) {
                // EncryptSignature: hide the Signature (and SignatureConfirmation) elements too.
                encryptedParts.add(new SecurePart(new QName("http://www.w3.org/2000/09/xmldsig#", Constants._TAG_SIGNATURE), SecurePart.Modifier.Element));
                if (this.signatureConfirmationAdded) {
                    encryptedParts.add(new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, SecurePart.Modifier.Element));
                }
                assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), "EncryptSignature"));
            }
            // Requestor encrypts for the recipient; responder encrypts for the initiator.
            if (isRequestor()) {
                encryptedParts.addAll(this.encryptedTokensList);
                initiatorEncryptionToken = this.abinding.getRecipientEncryptionToken();
                if (initiatorEncryptionToken == null) {
                    initiatorEncryptionToken = this.abinding.getRecipientToken();
                }
            } else {
                initiatorEncryptionToken = this.abinding.getInitiatorEncryptionToken();
                if (initiatorEncryptionToken == null) {
                    initiatorEncryptionToken = this.abinding.getInitiatorToken();
                }
            }
            if (initiatorEncryptionToken != null) {
                assertTokenWrapper(initiatorEncryptionToken);
                assertToken(initiatorEncryptionToken.getToken());
            }
            doEncryption(initiatorEncryptionToken, encryptedParts);
            putCustomTokenAfterSignature();
        } catch (Exception e) {
            // NOTE(review): only the message is logged; the stack trace is preserved solely
            // through the Fault's cause.
            LOG.log(Level.WARNING, "Sign before encryption failed due to : " + e.getMessage());
            throw new Fault(e);
        }
    }

    /**
     * Encrypt-then-sign flow ({@code EncryptBeforeSigning}).
     *
     * <p>The encryption token is resolved first (recipient token for a requestor, initiator
     * token for a responder, each falling back to the plain token), then the initiator
     * signature token, adding IssuedToken/SamlToken signature tokens to the header as in
     * the sign-then-encrypt flow.
     *
     * <p>Encryption happens only when an encryption token exists <em>and</em> the policy's
     * EncryptedParts is non-empty.  Inside that branch the requestor adds its
     * {@code encryptedTokensList}, the responder adds a SignatureConfirmation to the
     * signed parts, and {@code EncryptSignature} adds the Signature (and
     * SignatureConfirmation) elements to the encrypted parts.
     *
     * <p>Signing then covers the Timestamp (if added) plus SignedParts, with the initiator
     * signature token on the requestor side and the recipient signature token (falling back
     * to the recipient token) on the responder side, and only when the signed-parts list is
     * non-empty.
     *
     * <p>A {@link SOAPException} from the inner section is wrapped in a {@link Fault}
     * without logging; any other exception is logged at WARNING (message text only) and
     * wrapped in a {@link Fault} carrying it as the cause.
     */
    private void doEncryptBeforeSign() {
        // Decompiler name: on the requestor side this holds the *recipient* encryption token.
        RecipientToken initiatorEncryptionToken;
        try {
            AbstractToken abstractToken = null;
            if (isRequestor()) {
                initiatorEncryptionToken = this.abinding.getRecipientEncryptionToken();
                if (initiatorEncryptionToken == null) {
                    initiatorEncryptionToken = this.abinding.getRecipientToken();
                }
            } else {
                initiatorEncryptionToken = this.abinding.getInitiatorEncryptionToken();
                if (initiatorEncryptionToken == null) {
                    initiatorEncryptionToken = this.abinding.getInitiatorToken();
                }
            }
            // NOTE(review): called before the null check, unlike doSignBeforeEncrypt(); relies
            // on the base-class assertTokenWrapper tolerating null - confirm.
            assertTokenWrapper(initiatorEncryptionToken);
            if (initiatorEncryptionToken != null) {
                abstractToken = initiatorEncryptionToken.getToken();
                assertToken(abstractToken);
            }
            InitiatorToken initiatorSignatureToken = this.abinding.getInitiatorSignatureToken();
            if (initiatorSignatureToken == null) {
                initiatorSignatureToken = this.abinding.getInitiatorToken();
            }
            if (initiatorSignatureToken != null) {
                assertTokenWrapper(initiatorSignatureToken);
                AbstractToken token = initiatorSignatureToken.getToken();
                if (token instanceof IssuedToken) {
                    // Same issued-token handling as in doSignBeforeEncrypt().
                    SecurityToken securityToken = getSecurityToken();
                    addIssuedToken(token, securityToken, false, true);
                    if (securityToken != null) {
                        storeSecurityToken(token, securityToken);
                        this.outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
                    }
                    WSSSecurityProperties properties = getProperties();
                    properties.setCallbackHandler(new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(this.message)));
                } else if (token instanceof SamlToken) {
                    addSamlToken((SamlToken) token, false, true);
                }
            }
            try {
                List<SecurePart> encryptedParts = getEncryptedParts();
                List<SecurePart> signedParts = getSignedParts();
                addSupportingTokens();
                if (abstractToken != null && !encryptedParts.isEmpty()) {
                    if (isRequestor()) {
                        encryptedParts.addAll(this.encryptedTokensList);
                    } else {
                        // NOTE(review): in this flow the responder's SignatureConfirmation is only
                        // added when there is something to encrypt; doSignBeforeEncrypt() adds it
                        // unconditionally. Possibly intended - confirm.
                        addSignatureConfirmation(signedParts);
                    }
                    if (this.abinding.isEncryptSignature()) {
                        encryptedParts.add(new SecurePart(new QName("http://www.w3.org/2000/09/xmldsig#", Constants._TAG_SIGNATURE), SecurePart.Modifier.Element));
                        if (this.signatureConfirmationAdded) {
                            encryptedParts.add(new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, SecurePart.Modifier.Element));
                        }
                        assertPolicy(new QName(this.abinding.getName().getNamespaceURI(), "EncryptSignature"));
                    }
                    doEncryption(initiatorEncryptionToken, encryptedParts);
                }
                if (this.timestampAdded) {
                    signedParts.add(new SecurePart(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd", "Timestamp"), SecurePart.Modifier.Element));
                }
                if (!signedParts.isEmpty()) {
                    if (initiatorSignatureToken != null && isRequestor()) {
                        doSignature(initiatorSignatureToken, signedParts);
                    } else if (!isRequestor()) {
                        RecipientToken recipientSignatureToken = this.abinding.getRecipientSignatureToken();
                        if (recipientSignatureToken == null) {
                            recipientSignatureToken = this.abinding.getRecipientToken();
                        }
                        if (recipientSignatureToken != null) {
                            assertTokenWrapper(recipientSignatureToken);
                            assertToken(recipientSignatureToken.getToken());
                            doSignature(recipientSignatureToken, signedParts);
                        }
                    }
                }
                // Header fix-ups inherited from the base handler (behaviour not visible here).
                removeSignatureIfSignedSAML();
                enforceEncryptBeforeSigningWithSignedSAML();
                prependSignatureToSC();
                putCustomTokenAfterSignature();
            } catch (SOAPException e) {
                throw new Fault(e);
            }
        } catch (Exception e2) {
            // NOTE(review): only the message is logged; the stack trace is preserved solely
            // through the Fault's cause.
            LOG.log(Level.WARNING, "Encrypt before signing failed due to : " + e2.getMessage());
            throw new Fault(e2);
        }
    }

    /**
     * Configures the outbound encryption action for the given token wrapper.
     *
     * <p>Does nothing when the wrapper or its token is {@code null} or when {@code list} is
     * empty.  Otherwise it adds an ENCRYPTION action (ENCRYPTION_WITH_DERIVED_KEY when the
     * token requires derived keys), registers the parts to encrypt, sets the key-identifier
     * type for the token, decides whether to include the encryption token in the header,
     * and copies the key-transport, symmetric-encryption, key-transport-digest and MGF
     * algorithms from the binding's AlgorithmSuite.
     *
     * <p>The encryption user is taken from the {@code ENCRYPT_USERNAME} security property,
     * falling back to {@code USERNAME}, and only applied if no encryption user is already
     * set.  The special value {@code "useReqSigCert"} - and, on the responder side, any
     * IssuedToken encryption token - switches to encrypting for the certificate that signed
     * the request.  Security note: in that mode response confidentiality rests on the
     * certificate presented in the request signature, so it is only as strong as the
     * inbound signature/trust verification, which is not part of this class.
     *
     * @param abstractTokenWrapper the encryption token wrapper (may be {@code null})
     * @param list                 the parts to encrypt
     * @throws SOAPException declared for the caller; not thrown by this body directly
     */
    private void doEncryption(AbstractTokenWrapper abstractTokenWrapper, List<SecurePart> list) throws SOAPException {
        if (abstractTokenWrapper == null || abstractTokenWrapper.getToken() == null || list.isEmpty()) {
            return;
        }
        AbstractToken token = abstractTokenWrapper.getToken();
        AlgorithmSuite algorithmSuite = this.abinding.getAlgorithmSuite();
        WSSSecurityProperties properties = getProperties();
        XMLSecurityConstants.Action action = XMLSecurityConstants.ENCRYPTION;
        if (abstractTokenWrapper.getToken().getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys) {
            action = WSSConstants.ENCRYPTION_WITH_DERIVED_KEY;
        }
        properties.addAction(action);
        properties.getEncryptionSecureParts().addAll(list);
        properties.setEncryptionKeyIdentifier(getKeyIdentifierType(token));
        SecurityTokenConstants.KeyIdentifier encryptionKeyIdentifier = properties.getEncryptionKeyIdentifier();
        // Only an X509Token whose IncludeToken requires it, referenced by IssuerSerial,
        // Thumbprint or a direct reference, is emitted inline; every other case leaves the
        // encryption token out of the header.
        if ((token instanceof X509Token) && isTokenRequired(token.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(encryptionKeyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(encryptionKeyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(encryptionKeyIdentifier))) {
            properties.setIncludeEncryptionToken(true);
        } else {
            properties.setIncludeEncryptionToken(false);
        }
        // Algorithms come straight from the policy's suite (digest/MGF are presumably the
        // OAEP key-transport parameters).
        properties.setEncryptionKeyTransportAlgorithm(algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
        properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
        properties.setEncryptionKeyTransportDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
        properties.setEncryptionKeyTransportMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
        // Encryption user: ENCRYPT_USERNAME, else USERNAME; never overrides one already set.
        String str = (String) SecurityUtils.getSecurityPropertyValue(org.apache.cxf.rt.security.SecurityConstants.ENCRYPT_USERNAME, this.message);
        if (str == null) {
            str = (String) SecurityUtils.getSecurityPropertyValue(org.apache.cxf.rt.security.SecurityConstants.USERNAME, this.message);
        }
        if (str != null && properties.getEncryptionUser() == null) {
            properties.setEncryptionUser(str);
        }
        // Magic user name: encrypt for whichever certificate signed the request.
        if ("useReqSigCert".equals(str)) {
            properties.setUseReqSigCertForEncryption(true);
        }
        if (isRequestor() || !(abstractTokenWrapper.getToken() instanceof IssuedToken)) {
            return;
        }
        // Responder with an IssuedToken encryption token always encrypts for the request
        // signature certificate.
        properties.setUseReqSigCertForEncryption(true);
    }

    /**
     * Configures the outbound signature action for the given token wrapper.
     *
     * <p>Adds a SIGNATURE action (SIGNATURE_WITH_DERIVED_KEY when the token requires
     * derived keys).  If a KERBEROS_TOKEN action is already present the signature action is
     * inserted immediately before it, otherwise it is appended.  The given parts are
     * registered as signature secure parts and {@code configureSignature(token, false)} is
     * applied.
     *
     * <p>Token protection: when the binding sets {@code ProtectTokens} and the token is an
     * X509Token that is included in the message, the BinarySecurityToken element is added
     * to the signed parts.  For IssuedToken, SecurityContextToken, SpnegoContextToken and
     * SamlToken the signature token is not included inline
     * ({@code setIncludeSignatureToken(false)}); note that {@code ProtectTokens} therefore
     * has no effect on those token types here.
     *
     * <p>With derived keys the signature algorithm is switched to the AlgorithmSuite's
     * symmetric signature algorithm.
     *
     * @param abstractTokenWrapper the signature token wrapper; must not be {@code null}
     * @param list                 the parts to sign
     * @throws WSSecurityException propagated from the base-class signature configuration
     * @throws SOAPException       propagated from the base-class signature configuration
     */
    private void doSignature(AbstractTokenWrapper abstractTokenWrapper, List<SecurePart> list) throws WSSecurityException, SOAPException {
        WSSSecurityProperties properties = getProperties();
        XMLSecurityConstants.Action action = XMLSecurityConstants.SIGNATURE;
        if (abstractTokenWrapper.getToken().getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys) {
            action = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
        }
        // Place the signature action ahead of an existing KERBEROS_TOKEN action (presumably
        // so the Kerberos token step runs after it); otherwise append. Raw List is a
        // decompiler artifact.
        List actions = properties.getActions();
        boolean z = false;
        int i = 0;
        while (true) {
            if (i >= actions.size()) {
                break;
            }
            if (((XMLSecurityConstants.Action) actions.get(i)).equals(WSSConstants.KERBEROS_TOKEN)) {
                actions.add(i, action);
                z = true;
                break;
            }
            i++;
        }
        if (!z) {
            actions.add(action);
        }
        properties.getSignatureSecureParts().addAll(list);
        AbstractToken token = abstractTokenWrapper.getToken();
        configureSignature(token, false);
        if (this.abinding.isProtectTokens() && (token instanceof X509Token) && token.getIncludeTokenType() != SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER) {
            // ProtectTokens: the included X.509 BinarySecurityToken is itself signed.
            properties.addSignaturePart(new SecurePart(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), SecurePart.Modifier.Element));
        } else if ((token instanceof IssuedToken) || (token instanceof SecurityContextToken) || (token instanceof SpnegoContextToken) || (token instanceof SamlToken)) {
            properties.setIncludeSignatureToken(false);
        }
        if (token.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys) {
            // Derived keys are symmetric, so the suite's symmetric (HMAC-style) algorithm applies.
            properties.setSignatureAlgorithm(this.abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
        }
    }
}
