package com.sun.xml.ws.security.trust.impl;

import com.sun.org.apache.xml.internal.security.encryption.EncryptedData;
import com.sun.org.apache.xml.internal.security.encryption.EncryptedKey;
import com.sun.org.apache.xml.internal.security.encryption.XMLCipher;
import com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException;
import com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException;
import com.sun.org.apache.xml.internal.security.keys.KeyInfo;
import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
import com.sun.xml.ws.api.security.trust.STSAttributeProvider;
import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.config.TrustSPMetadata;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.Token;
import com.sun.xml.ws.security.trust.GenericToken;
import com.sun.xml.ws.security.trust.WSTrustConstants;
import com.sun.xml.ws.security.trust.WSTrustElementFactory;
import com.sun.xml.ws.security.trust.impl.elements.str.KeyIdentifierImpl;
import com.sun.xml.ws.security.trust.impl.elements.str.SecurityTokenReferenceImpl;
import com.sun.xml.ws.security.trust.logging.LogDomainConstants;
import com.sun.xml.ws.security.trust.logging.LogStringsMessages;
import com.sun.xml.ws.security.trust.util.WSTrustUtil;
import com.sun.xml.wss.SecurityEnvironment;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.core.reference.X509SubjectKeyIdentifier;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.impl.callback.EncryptionKeyCallback;
import com.sun.xml.wss.impl.callback.SignatureKeyCallback;
import com.sun.xml.wss.impl.misc.Base64;
import com.sun.xml.wss.saml.Advice;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.Conditions;
import com.sun.xml.wss.saml.KeyInfoConfirmationData;
import com.sun.xml.wss.saml.NameID;
import com.sun.xml.wss.saml.SAMLAssertionFactory;
import com.sun.xml.wss.saml.SAMLException;
import com.sun.xml.wss.saml.Subject;
import com.sun.xml.wss.saml.SubjectConfirmation;
import com.sun.xml.wss.saml.internal.saml20.jaxb20.SubjectType;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/webservices-rt-2.1-b16.jar:com/sun/xml/ws/security/trust/impl/IssueSamlTokenContractImpl.class */
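/**
 * Default {@code IssueSamlTokenContract} implementation: builds a SAML 1.1 or SAML 2.0
 * assertion for an issue request, signs it with the STS key and, when the STS configuration
 * asks for it, encrypts the signed assertion for the target service.
 *
 * <p>The fields {@code stsConfig}, {@code wstVer}, {@code eleFac} and {@code authnCtxClass}
 * referenced below are inherited from {@code IssueSamlTokenContract}, which is not part of this
 * file; their exact types are not visible here.
 *
 * <p>What ends up inside the assertion depends on configuration: for the symmetric key type with
 * {@code getEncryptIssuedKey()} disabled the proof key is embedded as a plain {@code BinarySecret}
 * (see {@link #createKeyInfo}); its confidentiality then rests on {@code getEncryptIssuedToken()}
 * or on transport protection, which is worth confirming per deployment.
 */
public class IssueSamlTokenContractImpl extends IssueSamlTokenContract {
    private static final Logger log = Logger.getLogger("com.sun.xml.ws.security.trust", LogDomainConstants.TRUST_IMPL_DOMAIN_BUNDLE);

    /** Token-type URIs that select a SAML 1.1 assertion. */
    private static final String SAML_10_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String WSS_SAML_11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    /** Token-type URI that selects a SAML 2.0 assertion. */
    private static final String SAML_20_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    /** Bearer confirmation methods used when no confirmation method is configured. */
    private static final String SAML_11_BEARER_CM = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    private static final String SAML_20_BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer";
    /** XML Encryption algorithm URIs used when the request context does not name one. */
    private static final String DEFAULT_KEY_WRAP_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
    private static final String DEFAULT_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
    /** Size in bytes of the random content-encryption key generated per encrypted token (AES-256). */
    private static final int TOKEN_ENCRYPTION_KEY_BYTES = 32;
    /** STS option that may carry a pre-built confirmation {@code KeyInfo} element. */
    private static final String CONFIRMATION_KEY_INFO_OPTION = "ConfirmationKeyInfo";
    /** Key of the fallback service metadata entry. */
    private static final String DEFAULT_SP_METADATA_KEY = "default";

    /**
     * Creates, signs and optionally encrypts the SAML assertion for an issue request.
     *
     * @param str   the AppliesTo (target service) URI; selects the service metadata and certificate
     * @param str2  the requested token type URI (SAML 1.0/1.1 or SAML 2.0 assertion namespace)
     * @param str3  the requested key type URI (symmetric, public or bearer)
     * @param str4  first argument handed to the SAML factory's {@code createAssertion};
     *              presumably the assertion ID
     * @param str5  second argument handed to {@code createAssertion} (used as the issuer
     *              {@code NameID} for SAML 2.0); presumably the issuer name
     * @param map   claimed attributes; the entry used as the subject's name identifier is removed
     *              from this map (see {@link #createSAML11Assertion})
     * @param issuedTokenContext per-request context (proof key, requestor certificate, algorithms,
     *              optional STS certificate under {@code STS_CERTIFICATE})
     * @return the signed (and, if configured, encrypted) assertion wrapped as a {@link GenericToken}
     * @throws WSTrustException for an unsupported token type, missing keys or certificates, or a
     *              signing/encryption failure
     */
    @Override
    public Token createSAMLAssertion(String str, String str2, String str3, String str4, String str5, Map<QName, List<String>> map, IssuedTokenContext issuedTokenContext) throws WSTrustException {
        // Reject unsupported token types before fetching certificates or running callback handlers.
        boolean saml11 = SAML_10_ASSERTION_NS.equals(str2) || WSS_SAML_11_TOKEN_TYPE.equals(str2);
        boolean saml20 = SAML_20_ASSERTION_NS.equals(str2);
        if (!saml11 && !saml20) {
            throw failure(LogStringsMessages.WST_0031_UNSUPPORTED_TOKEN_TYPE(str2, str));
        }

        // Per-service metadata, falling back to the "default" entry when none is registered.
        TrustSPMetadata spMetadata = this.stsConfig.getTrustSPMetadata(str);
        if (spMetadata == null) {
            spMetadata = this.stsConfig.getTrustSPMetadata(DEFAULT_SP_METADATA_KEY);
        }
        // The service certificate protects the proof key / token for the target service; a
        // certificate already placed in the context takes precedence over the configured alias.
        X509Certificate serviceCert = (X509Certificate) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.STS_CERTIFICATE);
        if (serviceCert == null) {
            serviceCert = getServiceCertificate(spMetadata, str);
        }
        KeyInfo keyInfo = createKeyInfo(str3, serviceCert, issuedTokenContext, str);

        Assertion assertion = saml11
                ? createSAML11Assertion(str4, str5, str, keyInfo, map, str3)
                : createSAML20Assertion(str4, str5, str, keyInfo, map, str3);

        Object[] stsCredentials = getSTSCertAndPrivateKey();
        X509Certificate stsCert = (X509Certificate) stsCredentials[0];
        PrivateKey stsKey = (PrivateKey) stsCredentials[1];
        try {
            // Sign first; encryption below wraps the already-signed element.
            Element signed = assertion.sign(stsCert, stsKey, true, issuedTokenContext.getSignatureAlgorithm(), issuedTokenContext.getCanonicalizationAlgorithm());
            if (!this.stsConfig.getEncryptIssuedToken()) {
                return new GenericToken(signed);
            }
            String keyWrapAlgorithm = (String) issuedTokenContext.getOtherProperties().get(IssuedTokenContext.KEY_WRAP_ALGORITHM);
            Element encrypted = encryptToken(signed, serviceCert, str, issuedTokenContext.getEncryptionAlgorithm(), keyWrapAlgorithm);
            return new GenericToken(encrypted);
        } catch (SAMLException e) {
            throw failure(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        }
    }

    /**
     * Logs {@code message} at SEVERE and returns it wrapped in a {@link WSTrustException}
     * for the caller to throw.
     */
    private static WSTrustException failure(String message) {
        log.log(Level.SEVERE, message);
        return new WSTrustException(message);
    }

    /**
     * Logs {@code message} with {@code cause} at SEVERE and returns a {@link WSTrustException}
     * that preserves the cause.
     */
    private static WSTrustException failure(String message, Exception cause) {
        log.log(Level.SEVERE, message, cause);
        return new WSTrustException(message, cause);
    }

    /**
     * Wraps {@code keyBytes} (handled as an AES key) with the service certificate's public key.
     * The returned {@code EncryptedKey} carries a {@code KeyInfo} that references the certificate
     * by SubjectKeyIdentifier when the certificate has one, otherwise by embedding the certificate.
     *
     * @param document         owner document for the new elements
     * @param keyBytes         raw key material to wrap
     * @param serviceCert      certificate whose public key wraps the key
     * @param appliesTo        target service URI, used only in error messages
     * @param keyWrapAlgorithm XML Encryption key-wrap URI; {@code null} selects RSA-OAEP (MGF1P)
     * @return the populated {@code EncryptedKey}
     * @throws WSTrustException on any XML Security or XWSS failure
     */
    private EncryptedKey encryptKey(Document document, byte[] keyBytes, X509Certificate serviceCert, String appliesTo, String keyWrapAlgorithm) throws WSTrustException {
        try {
            String wrapAlgorithm = keyWrapAlgorithm != null ? keyWrapAlgorithm : DEFAULT_KEY_WRAP_ALGORITHM;
            PublicKey wrappingKey = serviceCert.getPublicKey();
            XMLCipher cipher = XMLCipher.getInstance(wrapAlgorithm);
            cipher.init(XMLCipher.WRAP_MODE, wrappingKey);
            EncryptedKey encryptedKey = cipher.encryptKey(document, new SecretKeySpec(keyBytes, "AES"));

            KeyInfo keyInfo = new KeyInfo(document);
            byte[] ski = X509SubjectKeyIdentifier.getSubjectKeyIdentifier(serviceCert);
            if (ski != null && ski.length > 0) {
                // Reference the certificate through a SecurityTokenReference/KeyIdentifier (SKI)
                // instead of embedding the whole certificate.
                KeyIdentifierImpl keyIdentifier = new KeyIdentifierImpl(MessageConstants.X509SubjectKeyIdentifier_NS, null);
                keyIdentifier.setValue(Base64.encode(ski));
                keyInfo.addUnknownElement((Element) document.importNode(WSTrustElementFactory.newInstance().toElement(new SecurityTokenReferenceImpl(keyIdentifier), (Document) null), true));
            } else {
                X509Data x509Data = new X509Data(document);
                x509Data.addCertificate(serviceCert);
                keyInfo.add(x509Data);
            }
            encryptedKey.setKeyInfo(keyInfo);
            return encryptedKey;
        } catch (XMLSecurityException e) {
            // XMLEncryptionException is a subclass, so this also covers cipher failures.
            throw failure(LogStringsMessages.WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), e);
        } catch (XWSSecurityException e) {
            throw failure(LogStringsMessages.WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), e);
        }
    }

    /**
     * Encrypts a signed assertion element for the target service: a fresh random AES key
     * encrypts the element, and that key is wrapped for the service certificate via
     * {@link #encryptKey}.
     *
     * @param element             the signed assertion element to encrypt
     * @param serviceCert         certificate of the service that will decrypt the token
     * @param appliesTo           target service URI, used only in error messages
     * @param encryptionAlgorithm XML Encryption data algorithm URI; {@code null} selects AES-256-CBC
     * @param keyWrapAlgorithm    XML Encryption key-wrap URI; {@code null} selects RSA-OAEP
     * @return the {@code EncryptedData} element
     * @throws WSTrustException on any encryption failure
     */
    private Element encryptToken(Element element, X509Certificate serviceCert, String appliesTo, String encryptionAlgorithm, String keyWrapAlgorithm) throws WSTrustException {
        try {
            String dataAlgorithm = encryptionAlgorithm != null ? encryptionAlgorithm : DEFAULT_ENCRYPTION_ALGORITHM;
            XMLCipher cipher = XMLCipher.getInstance(dataAlgorithm);
            // NOTE(review): the key is always 32 bytes, which matches the AES-256 default; a
            // caller-supplied 128/192-bit algorithm would not fit this key size — confirm callers.
            byte[] contentKey = WSTrustUtil.generateRandomSecret(TOKEN_ENCRYPTION_KEY_BYTES);
            cipher.init(XMLCipher.ENCRYPT_MODE, new SecretKeySpec(contentKey, "AES"));
            Document ownerDocument = element.getOwnerDocument();
            EncryptedData encryptedData = cipher.encryptData(ownerDocument, element);
            encryptedData.setId("uuid-" + UUID.randomUUID().toString());
            KeyInfo keyInfo = new KeyInfo(ownerDocument);
            keyInfo.add(encryptKey(ownerDocument, contentKey, serviceCert, appliesTo, keyWrapAlgorithm));
            encryptedData.setKeyInfo(keyInfo);
            return cipher.martial(encryptedData);
        } catch (WSTrustException e) {
            // Already logged and wrapped by encryptKey; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            // XMLCipher.encryptData declares a bare Exception, so the catch has to be this broad.
            // Both log and exception now use the issued-token message (the original threw the
            // proof-key message here).
            throw failure(LogStringsMessages.WST_0044_ERROR_ENCRYPT_ISSUED_TOKEN(appliesTo), e);
        }
    }

    /**
     * Looks up the target service's certificate, either through the configured
     * {@link CallbackHandler} or, when none is set, through the {@code SecurityEnvironment}
     * registered in the STS options.
     *
     * @param spMetadata metadata for the service (supplies the certificate alias); may be
     *                   {@code null} when neither a specific nor a "default" entry is configured
     * @param appliesTo  target service URI, used only in error messages
     * @return the service certificate
     * @throws WSTrustException when no metadata or security environment is available or the lookup fails
     */
    private X509Certificate getServiceCertificate(TrustSPMetadata spMetadata, String appliesTo) throws WSTrustException {
        if (spMetadata == null) {
            // Fail with a clear error instead of a NullPointerException on getCertAlias().
            throw failure(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo));
        }
        String certAlias = spMetadata.getCertAlias();
        CallbackHandler callbackHandler = this.stsConfig.getCallbackHandler();
        if (callbackHandler != null) {
            EncryptionKeyCallback.AliasX509CertificateRequest request = new EncryptionKeyCallback.AliasX509CertificateRequest(certAlias);
            try {
                callbackHandler.handle(new Callback[]{new EncryptionKeyCallback(request)});
                return request.getX509Certificate();
            } catch (IOException e) {
                throw failure(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo), e);
            } catch (UnsupportedCallbackException e) {
                throw failure(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo), e);
            }
        }
        SecurityEnvironment securityEnvironment = (SecurityEnvironment) this.stsConfig.getOtherOptions().get(WSTrustConstants.SECURITY_ENVIRONMENT);
        if (securityEnvironment == null) {
            throw failure(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo));
        }
        try {
            return securityEnvironment.getCertificate((Map) this.stsConfig.getOtherOptions(), certAlias, false);
        } catch (XWSSecurityException e) {
            throw failure(LogStringsMessages.WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo), e);
        }
    }

    /**
     * Obtains the STS signing credentials, through the configured {@link CallbackHandler}
     * (default private key / certificate request) or, when none is set, the
     * {@code SecurityEnvironment} registered in the STS options.
     *
     * @return a two-element array: {@code [0]} the STS {@link X509Certificate}, {@code [1]} its {@link PrivateKey}
     * @throws WSTrustException when no security environment is available or the lookup fails
     */
    private Object[] getSTSCertAndPrivateKey() throws WSTrustException {
        CallbackHandler callbackHandler = this.stsConfig.getCallbackHandler();
        if (callbackHandler != null) {
            SignatureKeyCallback.DefaultPrivKeyCertRequest request = new SignatureKeyCallback.DefaultPrivKeyCertRequest();
            try {
                callbackHandler.handle(new Callback[]{new SignatureKeyCallback(request)});
                return new Object[]{request.getX509Certificate(), request.getPrivateKey()};
            } catch (IOException e) {
                throw failure(LogStringsMessages.WST_0043_UNABLE_GET_STS_KEY(), e);
            } catch (UnsupportedCallbackException e) {
                throw failure(LogStringsMessages.WST_0043_UNABLE_GET_STS_KEY(), e);
            }
        }
        SecurityEnvironment securityEnvironment = (SecurityEnvironment) this.stsConfig.getOtherOptions().get(WSTrustConstants.SECURITY_ENVIRONMENT);
        if (securityEnvironment == null) {
            throw failure(LogStringsMessages.WST_0043_UNABLE_GET_STS_KEY());
        }
        try {
            X509Certificate stsCert = securityEnvironment.getDefaultCertificate(this.stsConfig.getOtherOptions());
            PrivateKey stsKey = securityEnvironment.getPrivateKey(this.stsConfig.getOtherOptions(), stsCert);
            return new Object[]{stsCert, stsKey};
        } catch (XWSSecurityException e) {
            throw failure(LogStringsMessages.WST_0043_UNABLE_GET_STS_KEY(), e);
        }
    }

    /**
     * Builds the subject-confirmation {@code KeyInfo} for the requested key type.
     *
     * <ul>
     *   <li>A {@code ConfirmationKeyInfo} element in the STS options is used verbatim.</li>
     *   <li>Symmetric key type: the proof key, either wrapped for the service certificate
     *       ({@code getEncryptIssuedKey()}) or as a plain {@code BinarySecret}.</li>
     *   <li>Public key type: the requestor's certificate as {@code X509Data}.</li>
     *   <li>Any other key type (e.g. bearer): an empty {@code KeyInfo}; callers drop it for bearer.</li>
     * </ul>
     *
     * @param keyType            requested key type URI
     * @param serviceCert        certificate used to wrap the proof key when key encryption is on
     * @param issuedTokenContext source of the proof key and requestor certificate
     * @param appliesTo          target service URI, used only in error messages
     * @return the populated {@code KeyInfo}
     * @throws WSTrustException when the document builder, certificate handling or key wrapping fails
     */
    private KeyInfo createKeyInfo(String keyType, X509Certificate serviceCert, IssuedTokenContext issuedTokenContext, String appliesTo) throws WSTrustException {
        Element configured = (Element) this.stsConfig.getOtherOptions().get(CONFIRMATION_KEY_INFO_OPTION);
        if (configured != null) {
            try {
                return new KeyInfo(configured, null);
            } catch (XMLSecurityException e) {
                throw failure(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT(), e);
            }
        }
        Document doc;
        try {
            // Only an empty owner document is created here; nothing is parsed.
            doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        } catch (ParserConfigurationException e) {
            throw failure(LogStringsMessages.WST_0039_ERROR_CREATING_DOCFACTORY(), e);
        }
        KeyInfo keyInfo = new KeyInfo(doc);
        if (this.wstVer.getSymmetricKeyTypeURI().equals(keyType)) {
            byte[] proofKey = issuedTokenContext.getProofKey();
            if (this.stsConfig.getEncryptIssuedKey()) {
                try {
                    // KeyInfo.add(EncryptedKey) is what can raise XMLEncryptionException here;
                    // encryptKey itself only throws WSTrustException.
                    keyInfo.add(encryptKey(doc, proofKey, serviceCert, appliesTo, null));
                } catch (XMLEncryptionException e) {
                    throw failure(LogStringsMessages.WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), e);
                }
            } else {
                // Proof key embedded unencrypted as a BinarySecret; confidentiality then relies on
                // token encryption (getEncryptIssuedToken) or transport protection.
                keyInfo.addUnknownElement(this.eleFac.toElement(this.eleFac.createBinarySecret(proofKey, this.wstVer.getSymmetricKeyTypeURI()), doc));
            }
        } else if (this.wstVer.getPublicKeyTypeURI().equals(keyType)) {
            try {
                X509Data x509Data = new X509Data(doc);
                x509Data.addCertificate(issuedTokenContext.getRequestorCertificate());
                keyInfo.add(x509Data);
            } catch (XMLSecurityException e) {
                throw failure(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT(), e);
            }
        }
        return keyInfo;
    }

    /**
     * Returns the key of the first attribute whose local name is
     * {@code STSAttributeProvider.NAME_IDENTIFIER} and whose value list is non-empty, or
     * {@code null} when there is none. "First" follows the map's iteration order.
     */
    private static QName findNameIdentifierKey(Map<QName, List<String>> attributes) {
        for (Map.Entry<QName, List<String>> entry : attributes.entrySet()) {
            List<String> values = entry.getValue();
            if (values != null && !values.isEmpty() && STSAttributeProvider.NAME_IDENTIFIER.equals(entry.getKey().getLocalPart())) {
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Builds an unsigned SAML 1.1 assertion.
     *
     * <p>Side effect: the attribute that supplies the subject's name identifier is removed from
     * {@code map}; the remaining entries are added as SAML attributes. With no
     * {@code NAME_IDENTIFIER} attribute the assertion is produced without a subject.
     *
     * <p>Lists handed to the SAML factory are raw because the factory API is not generified here.
     *
     * @param str     first argument to the factory's {@code createAssertion}; presumably the assertion ID
     * @param str2    second argument to {@code createAssertion}; presumably the issuer
     * @param str3    AppliesTo URI; when non-null it becomes an audience restriction
     * @param keyInfo confirmation key material; omitted for bearer key types
     * @param map     claimed attributes (mutated, see above)
     * @param str4    requested key type URI; decides between bearer and holder-of-key confirmation
     *                unless {@code SAML_CONFIRMATION_METHOD} is configured
     * @return the assertion, not yet signed
     * @throws WSTrustException when the SAML factory fails
     */
    protected Assertion createSAML11Assertion(String str, String str2, String str3, KeyInfo keyInfo, Map<QName, List<String>> map, String str4) throws WSTrustException {
        try {
            SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML1_1);
            TimeZone utc = TimeZone.getTimeZone("UTC");
            GregorianCalendar issueInstant = new GregorianCalendar(utc);
            GregorianCalendar notOnOrAfter = new GregorianCalendar(utc);
            // The configured timeout is added to the MILLISECOND field, i.e. it is a millisecond value.
            notOnOrAfter.add(GregorianCalendar.MILLISECOND, (int) this.stsConfig.getIssuedTokenTimeout());

            List conditions = null;
            if (str3 != null) {
                List<String> audiences = new ArrayList<String>();
                audiences.add(str3);
                conditions = new ArrayList();
                conditions.add(factory.createAudienceRestrictionCondition(audiences));
            }

            boolean bearer = this.wstVer.getBearerKeyTypeURI().equals(str4);
            String confirmationMethod = (String) this.stsConfig.getOtherOptions().get(WSTrustConstants.SAML_CONFIRMATION_METHOD);
            if (confirmationMethod == null) {
                confirmationMethod = bearer ? SAML_11_BEARER_CM : MessageConstants.SAML_HOLDER_OF_KEY;
            }
            // Bearer subjects carry no confirmation key; otherwise the KeyInfo built for the key type is used.
            Element confirmationKey = (keyInfo != null && !bearer) ? keyInfo.getElement() : null;
            List<String> confirmationMethods = new ArrayList<String>();
            confirmationMethods.add(confirmationMethod);
            SubjectConfirmation subjectConfirmation = factory.createSubjectConfirmation(confirmationMethods, (Element) null, confirmationKey);
            Conditions samlConditions = factory.createConditions(issueInstant, notOnOrAfter, null, conditions, null);
            Advice advice = factory.createAdvice(null, null, null);

            Subject subject = null;
            QName nameIdKey = findNameIdentifierKey(map);
            if (nameIdKey != null) {
                String nameId = map.remove(nameIdKey).get(0);
                subject = factory.createSubject(factory.createNameIdentifier(nameId, nameIdKey.getNamespaceURI(), null), subjectConfirmation);
            }

            // With no remaining attributes an authentication statement is issued; otherwise an
            // attribute statement that WSTrustUtil.addSamlAttributes fills in.
            List statements = new ArrayList();
            if (map.isEmpty()) {
                statements.add(factory.createAuthenticationStatement(null, issueInstant, subject, null, null));
            } else {
                statements.add(factory.createAttributeStatement(subject, null));
            }
            Assertion assertion = factory.createAssertion(str, str2, issueInstant, samlConditions, advice, statements);
            return map.isEmpty() ? assertion : WSTrustUtil.addSamlAttributes(assertion, map);
        } catch (XWSSecurityException e) {
            throw failure(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        } catch (SAMLException e) {
            throw failure(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        }
    }

    /**
     * Builds an unsigned SAML 2.0 assertion.
     *
     * <p>Side effect: the attribute that supplies the subject's {@code NameID} is removed from
     * {@code map}; the remaining entries are added as SAML attributes. With no
     * {@code NAME_IDENTIFIER} attribute the assertion is produced without a subject.
     *
     * <p>A configured {@code SAML_CONFIRMATION_METHOD} is used as-is and gets no
     * {@code KeyInfoConfirmationData}, even for holder-of-key; only the derived holder-of-key
     * method attaches the key. This mirrors the original behaviour — confirm it is intended.
     *
     * <p>Lists handed to the SAML factory are raw because the factory API is not generified here.
     *
     * @param str     first argument to the factory's {@code createAssertion}; presumably the assertion ID
     * @param str2    issuer name, wrapped as a {@code NameID}
     * @param str3    AppliesTo URI; when non-null it becomes an audience restriction
     * @param keyInfo confirmation key material; used only for derived holder-of-key confirmation
     * @param map     claimed attributes (mutated, see above)
     * @param str4    requested key type URI; decides between bearer and holder-of-key confirmation
     * @return the assertion, not yet signed
     * @throws WSTrustException when the SAML factory fails
     */
    protected Assertion createSAML20Assertion(String str, String str2, String str3, KeyInfo keyInfo, Map<QName, List<String>> map, String str4) throws WSTrustException {
        try {
            SAMLAssertionFactory factory = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0);
            TimeZone utc = TimeZone.getTimeZone("UTC");
            GregorianCalendar issueInstant = new GregorianCalendar(utc);
            GregorianCalendar notOnOrAfter = new GregorianCalendar(utc);
            // The configured timeout is added to the MILLISECOND field, i.e. it is a millisecond value.
            notOnOrAfter.add(GregorianCalendar.MILLISECOND, (int) this.stsConfig.getIssuedTokenTimeout());

            List conditions = null;
            if (str3 != null) {
                List<String> audiences = new ArrayList<String>();
                audiences.add(str3);
                conditions = new ArrayList();
                conditions.add(factory.createAudienceRestriction(audiences));
            }

            String confirmationMethod = (String) this.stsConfig.getOtherOptions().get(WSTrustConstants.SAML_CONFIRMATION_METHOD);
            KeyInfoConfirmationData confirmationData = null;
            if (confirmationMethod == null) {
                if (this.wstVer.getBearerKeyTypeURI().equals(str4)) {
                    confirmationMethod = SAML_20_BEARER_CM;
                } else {
                    confirmationMethod = MessageConstants.SAML2_HOLDER_OF_KEY;
                    if (keyInfo != null) {
                        confirmationData = factory.createKeyInfoConfirmationData(keyInfo.getElement());
                    }
                }
            }
            Conditions samlConditions = factory.createConditions(issueInstant, notOnOrAfter, null, conditions, null, null);
            SubjectConfirmation subjectConfirmation = factory.createSubjectConfirmation((NameID) null, confirmationData, confirmationMethod);

            Subject subject = null;
            QName nameIdKey = findNameIdentifierKey(map);
            if (nameIdKey != null) {
                String nameId = map.remove(nameIdKey).get(0);
                subject = factory.createSubject(factory.createNameID(nameId, nameIdKey.getNamespaceURI(), null), subjectConfirmation);
            }

            // With no remaining attributes an AuthnStatement is issued; otherwise an attribute
            // statement that WSTrustUtil.addSamlAttributes fills in.
            List statements = new ArrayList();
            if (map.isEmpty()) {
                statements.add(factory.createAuthnStatement(issueInstant, null, factory.createAuthnContext(this.authnCtxClass, null), null, null));
            } else {
                statements.add(factory.createAttributeStatement(null));
            }
            Assertion assertion = factory.createAssertion(str, factory.createNameID(str2, null, null), issueInstant, samlConditions, (Advice) null, (Subject) null, statements);
            if (!map.isEmpty()) {
                assertion = WSTrustUtil.addSamlAttributes(assertion, map);
            }
            // The factory call above takes no subject, so it is set on the JAXB implementation
            // directly; a null subject yields an assertion without a Subject element.
            ((com.sun.xml.wss.saml.assertion.saml20.jaxb20.Assertion) assertion).setSubject((SubjectType) subject);
            return assertion;
        } catch (XWSSecurityException e) {
            throw failure(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        } catch (SAMLException e) {
            throw failure(LogStringsMessages.WST_0032_ERROR_CREATING_SAML_ASSERTION(), e);
        }
    }
}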
