package com.sun.identity.wss.security;

import com.sun.identity.saml.common.SAMLUtils;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.shared.xml.XMLUtils;
import java.security.Key;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ResourceBundle;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.batik.constants.XMLConstants;
import org.forgerock.openam.sdk.org.forgerock.opendj.io.LDAP;
import org.forgerock.openam.sdk.org.ietf.jgss.GSSContext;
import org.forgerock.openam.sdk.org.ietf.jgss.GSSCredential;
import org.forgerock.openam.sdk.org.ietf.jgss.GSSManager;
import org.forgerock.openam.sdk.org.ietf.jgss.Oid;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/wss/security/BinarySecurityToken.class */
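/**
 * A WS-Security {@code wsse:BinarySecurityToken}.
 *
 * <p>The token value is a Base64 string holding either an X.509 certificate (ValueType
 * {@link #X509V3}), a DER-encoded certificate path ({@link #PKIPATH}) or a Kerberos GSS-API
 * initial context token built from a {@link KerberosTokenSpec}. {@link #PKCS7} is declared but
 * no constructor here produces it. Instances can also be parsed back from a DOM {@link Element};
 * in that case the attribute values and the token value are taken from the element as-is and are
 * not validated against the declared encoding type.
 *
 * <p>Kerberos support mutates process-wide krb5 system properties and the JAAS
 * {@link Configuration} (see {@link #getKerberosSubject()}), so building Kerberos tokens from
 * several threads concurrently is not thread-safe.
 */
public class BinarySecurityToken implements SecurityToken {
    private static final String BINARY_SECURITY_TOKEN = "BinarySecurityToken";
    private static final String ENCODING_TYPE = "EncodingType";
    private static final String VALUE_TYPE = "ValueType";
    private static final String ID = "Id";
    /** Namespace prefix emitted by {@link #toString()} and recognised by {@link #trimPrefix}. */
    private static final String WSSE_PREFIX = "wsse";
    private static final String WSSE_NS =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSU_NS =
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final Debug debug = WSSUtils.debug;
    private static final ResourceBundle bundle = WSSUtils.bundle;

    public static final String X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    public static final String PKCS7 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7";
    public static final String PKIPATH = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKIPath";
    public static final String BASE64BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    public static final String HEXBINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary";

    /** Key-store aliases the X.509 token was built from; null for Kerberos and parsed tokens. */
    private String[] certAlias;
    private String valueType;
    private String encodingType;
    /** wsu:Id of the element; generated for built tokens, read from the element for parsed ones. */
    private String id;
    /** Cached serialisation; set from the source element when parsed, else built lazily. */
    private String xmlString;
    /** The token content (Base64 text). */
    private String value;
    private String tokenType = SecurityToken.WSS_X509_TOKEN;
    private String kerberosToken;
    /** Kerberos session key of the ticket for the service principal; null for X.509 tokens. */
    private Key secretKey;
    private KerberosTokenSpec kbSpec;

    /** Unused; retained so the default field state stays reachable without a spec. */
    private BinarySecurityToken() {
    }

    /**
     * Builds an X.509 token from the certificate(s) the spec's aliases refer to.
     *
     * @param x509TokenSpec value type ({@link #X509V3} or {@link #PKIPATH}), encoding type and
     *        at least one subject certificate alias
     * @throws SecurityException if the spec is null or incomplete, the value type is not one of
     *         the two supported ones, or the certificate(s) cannot be loaded or encoded
     */
    public BinarySecurityToken(X509TokenSpec x509TokenSpec) throws SecurityException {
        if (x509TokenSpec == null) {
            throw new SecurityException(bundle.getString("invalidTokenSpec"));
        }
        this.valueType = x509TokenSpec.getValueType();
        this.encodingType = x509TokenSpec.getEncodingType();
        this.certAlias = x509TokenSpec.getSubjectCertAlias();
        if (this.valueType == null || this.encodingType == null
                || this.certAlias == null || this.certAlias.length == 0) {
            debug.error("BinarySecurityToken.constructor: invalid token spec");
            throw new SecurityException(bundle.getString("invalidTokenSpec"));
        }
        try {
            byte[] encoded;
            if (PKIPATH.equals(this.valueType)) {
                // PKIPath carries the whole chain, DER-encoded as one CertPath.
                encoded = CertificateFactory.getInstance("X.509")
                        .generateCertPath(AMTokenProvider.getX509Certificates(this.certAlias))
                        .getEncoded();
            } else if (X509V3.equals(this.valueType)) {
                // X509v3 carries a single certificate: only the first alias is used.
                encoded = AMTokenProvider.getX509Certificate(this.certAlias[0]).getEncoded();
            } else {
                debug.error("BinarySecurityToken.constructor: unsupportedvalue type. " + this.valueType);
                throw new SecurityException(bundle.getString("invalidTokenSpec"));
            }
            this.value = Base64.encode(encoded);
            this.id = SAMLUtils.generateID();
        } catch (CertificateEncodingException e) {
            // Narrower subclass first; both are reported to the caller as an invalid certificate.
            debug.error("BinarySecurityToken.constructor:: Certificate Encoding Exception", e);
            throw new SecurityException(bundle.getString("invalidCertificate"));
        } catch (CertificateException e2) {
            debug.error("BinarySecurityToken.constructor:: Certificate Exception", e2);
            throw new SecurityException(bundle.getString("invalidCertificate"));
        }
    }

    /**
     * Wraps an already-loaded certificate as an X.509 token.
     *
     * @param x509Certificate the certificate whose DER encoding becomes the token value
     * @param valueType the ValueType attribute to emit; used verbatim, not validated
     * @param encodingType the EncodingType attribute to emit; used verbatim, not validated
     * @throws SecurityException if the certificate is null or cannot be encoded
     */
    public BinarySecurityToken(X509Certificate x509Certificate, String valueType, String encodingType)
            throws SecurityException {
        if (x509Certificate == null) {
            debug.error("BinarySecurityToken.constructor: null certificate");
            throw new SecurityException(bundle.getString("invalidCertificate"));
        }
        try {
            this.value = Base64.encode(x509Certificate.getEncoded());
            this.valueType = valueType;
            this.encodingType = encodingType;
            // Without an id the serialised element would carry wsu:Id="null" and could not be
            // referenced from a signature, so generate one like the other constructors do.
            this.id = SAMLUtils.generateID();
        } catch (CertificateEncodingException e) {
            debug.error("BinarySecurityToken. Invalid Certifcate", e);
            throw new SecurityException(bundle.getString("invalidCertificate"));
        }
    }

    /**
     * Builds a Kerberos token: logs in via JAAS, obtains a GSS-API initial context token for the
     * spec's service principal and remembers the matching ticket's session key.
     *
     * @param kerberosTokenSpec KDC, principal, ticket cache and attribute settings
     * @throws SecurityException if the spec is null, the login fails or the GSS exchange fails
     */
    public BinarySecurityToken(KerberosTokenSpec kerberosTokenSpec) throws SecurityException {
        if (kerberosTokenSpec == null) {
            debug.error("BinarySecurityToken.constructor: null kerberos token spec");
            throw new SecurityException(bundle.getString("invalidTokenSpec"));
        }
        this.kbSpec = kerberosTokenSpec;
        getKerberosToken(); // fills kerberosToken and, when a matching ticket exists, secretKey
        this.value = this.kerberosToken;
        this.valueType = kerberosTokenSpec.getValueType();
        this.encodingType = kerberosTokenSpec.getEncodingType();
        this.tokenType = SecurityToken.WSS_KERBEROS_TOKEN;
        this.id = SAMLUtils.generateID();
    }

    /**
     * Parses a {@code BinarySecurityToken} element.
     *
     * <p>Attributes are matched on local name only, so {@code wsu:Id} and an unprefixed
     * {@code Id} both qualify. The element's own serialisation is kept for {@link #toString()}.
     * The token value is not checked to be valid Base64 (or to match the encoding type).
     *
     * @param element the {@code BinarySecurityToken} element
     * @throws IllegalArgumentException if {@code element} is null
     * @throws SecurityException if the element has the wrong name, lacks Id, EncodingType or
     *         ValueType, or has no text content
     */
    public BinarySecurityToken(Element element) throws SecurityException {
        if (element == null) {
            debug.error("BinarySecurityToken: null input token");
            throw new IllegalArgumentException(bundle.getString("nullInputParameter"));
        }
        String localName = element.getLocalName();
        if (localName == null) {
            debug.error("BinarySecurityToken: local name missing");
            throw new SecurityException(bundle.getString("nullInput"));
        }
        if (!BINARY_SECURITY_TOKEN.equals(localName)) {
            debug.error("BinarySecurityToken: invalid binary token");
            throw new SecurityException(bundle.getString("invalidElement") + ":" + localName);
        }
        NamedNodeMap attributes = element.getAttributes();
        if (attributes == null) {
            debug.error("BinarySecurityToken: missing token attrs in element");
            throw new SecurityException(bundle.getString("missingAttribute"));
        }
        for (int i = 0, n = attributes.getLength(); i < n; i++) {
            Attr attr = (Attr) attributes.item(i);
            String attrName = attr.getLocalName(); // may be null for non-namespace-aware DOMs
            if (ID.equals(attrName)) {
                this.id = attr.getValue();
            } else if (ENCODING_TYPE.equals(attrName)) {
                this.encodingType = trimPrefix(attr.getValue());
            } else if (VALUE_TYPE.equals(attrName)) {
                this.valueType = trimPrefix(attr.getValue());
            }
        }
        if (this.id == null || this.id.isEmpty()) {
            debug.error("BinarySecurityToken: ID missing");
            throw new SecurityException(bundle.getString("missingAttribute") + " : Id");
        }
        if (this.encodingType == null) {
            debug.error("BinarySecurityToken: encoding type missing");
            throw new SecurityException(bundle.getString("missingAttribute") + " : EncodingType");
        }
        if (this.valueType == null) {
            debug.error("BinarySecurityToken: valueType missing");
            throw new SecurityException(bundle.getString("missingAttribute") + " : ValueType");
        }
        if (this.valueType.equals(WSSConstants.KERBEROS_VALUE_TYPE)) {
            this.tokenType = SecurityToken.WSS_KERBEROS_TOKEN;
        }
        try {
            NodeList children = element.getChildNodes();
            for (int i = 0; i < children.getLength(); i++) {
                Node child = children.item(i);
                // Only text children carry the token; if several exist the last one wins.
                if (child.getNodeType() == Node.TEXT_NODE) {
                    this.value = SAMLUtils.removeNewLineChars(child.getNodeValue().trim());
                }
            }
        } catch (Exception e) {
            // Best effort: any DOM failure is reported as a missing value below.
            debug.error("BinarySecurityToken: unable to get value", e);
            this.value = null;
        }
        if (this.value == null || this.value.isEmpty()) {
            debug.error("BinarySecurityToken: value missing");
            throw new SecurityException(bundle.getString("missingValue"));
        }
        this.xmlString = XMLUtils.print(element);
    }

    /**
     * Runs the GSS-API initiator step as the logged-in Kerberos subject and stores the resulting
     * initial token (Base64) in {@link #kerberosToken}. The session key of the subject's ticket
     * for the service principal, if one is present, is stored in {@link #secretKey}; otherwise
     * {@link #secretKey} stays null without error.
     *
     * @throws SecurityException if the JAAS login or the GSS exchange fails
     */
    private void getKerberosToken() throws SecurityException {
        Subject kerberosSubject = getKerberosSubject();
        final String servicePrincipal = this.kbSpec.getServicePrincipal();
        try {
            byte[] initialToken = Subject.doAs(kerberosSubject, new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws Exception {
                    GSSManager manager = GSSManager.getInstance();
                    // Default name type, default (subject) credential, default lifetime.
                    GSSContext context = manager.createContext(
                            manager.createName(servicePrincipal, (Oid) null),
                            new Oid(LDAP.OID_GSSAPI_KERBEROS_V),
                            (GSSCredential) null,
                            0);
                    try {
                        byte[] empty = new byte[0];
                        return context.initSecContext(empty, 0, empty.length);
                    } finally {
                        context.dispose(); // the context is not reused; release its resources
                    }
                }
            });
            this.kerberosToken = Base64.encode(initialToken);
            for (Object credential : kerberosSubject.getPrivateCredentials()) {
                if (credential instanceof KerberosTicket) {
                    KerberosTicket ticket = (KerberosTicket) credential;
                    if (ticket.getServer().getName().equals(servicePrincipal)) {
                        this.secretKey = ticket.getSessionKey();
                        return;
                    }
                }
            }
        } catch (Exception e) {
            // Subject.doAs wraps the checked GSS failure in a PrivilegedActionException whose own
            // message is empty; log and report the underlying exception instead.
            Throwable cause = (e instanceof PrivilegedActionException)
                    ? ((PrivilegedActionException) e).getException()
                    : e;
            debug.error("BinarySecurityToken.getKerberosToken: GSS Error", cause);
            throw new SecurityException(cause.getMessage());
        }
    }

    /**
     * Performs the JAAS Kerberos login described by the spec and returns the authenticated
     * subject.
     *
     * <p>This sets the {@code java.security.krb5.realm}/{@code java.security.krb5.kdc} system
     * properties and installs a {@link KerberosConfiguration} as the JVM-wide JAAS
     * configuration; both are process-global side effects that persist after this call.
     *
     * @return the subject holding the Kerberos credentials
     * @throws SecurityException if the login fails
     */
    private Subject getKerberosSubject() throws SecurityException {
        String kdcDomain = this.kbSpec.getKDCDomain();
        String kdcServer = this.kbSpec.getKDCServer();
        System.setProperty("java.security.krb5.realm", kdcDomain);
        System.setProperty("java.security.krb5.kdc", kdcServer);
        Configuration current = Configuration.getConfiguration();
        // Reuse an already-installed KerberosConfiguration, otherwise wrap the current one.
        KerberosConfiguration kerberosConfiguration = (current instanceof KerberosConfiguration)
                ? (KerberosConfiguration) current
                : new KerberosConfiguration(current);
        kerberosConfiguration.setRefreshConfig("true");
        kerberosConfiguration.setPrincipalName(this.kbSpec.getServicePrincipal());
        kerberosConfiguration.setTicketCacheDir(this.kbSpec.getTicketCacheDir());
        Configuration.setConfiguration(kerberosConfiguration);
        try {
            LoginContext loginContext = new LoginContext(KerberosConfiguration.WSC_CONFIGURATION);
            loginContext.login();
            return loginContext.getSubject();
        } catch (LoginException e) {
            debug.error("BinarySecurityToken.getKerberosSubject: Kerberos login failed", e);
            throw new SecurityException(e.getMessage());
        }
    }

    /**
     * Strips a {@code wsse}-style QName prefix from an attribute value.
     *
     * <p>Only the part before the first {@code ':'} is examined, so absolute URIs (which also
     * contain {@code ':'}) are returned unchanged.
     *
     * @param str the raw attribute value; may be null
     * @return the value without its prefix, or {@code str} itself when there is none
     */
    private static String trimPrefix(String str) {
        if (str == null) {
            return null;
        }
        int colon = str.indexOf(':');
        if (colon != -1 && str.substring(0, colon).indexOf(WSSE_PREFIX) != -1) {
            return str.substring(colon + 1);
        }
        return str;
    }

    /** @return the EncodingType attribute value. */
    public String getEncodingType() {
        return this.encodingType;
    }

    /** @return the ValueType attribute value. */
    public String getValueType() {
        return this.valueType;
    }

    /** @return the wsu:Id of the token element. */
    public String getId() {
        return this.id;
    }

    /** @return the Base64 token content. */
    public String getTokenValue() {
        return this.value;
    }

    /**
     * @return the Kerberos session key for the service principal, or null for X.509 tokens or
     *         when no ticket for the principal was found; handle as secret material
     */
    public Key getSecretKey() {
        return this.secretKey;
    }

    /**
     * Serialises the token as a {@code wsse:BinarySecurityToken} element, caching the result.
     * For parsed tokens this is the source element's own serialisation.
     *
     * @return the XML text
     */
    @Override
    public String toString() {
        if (this.xmlString == null) {
            // NOTE(review): attribute values and the token value are inserted verbatim. The
            // X509Certificate constructor takes caller-supplied ValueType/EncodingType strings,
            // so a value containing '"', '<' or '&' would produce malformed XML here; the
            // profile constants and spec-derived values used elsewhere are safe as-is.
            StringBuilder xml = new StringBuilder(300);
            xml.append('<').append(WSSE_PREFIX).append(':').append(BINARY_SECURITY_TOKEN)
                    .append(" xmlns:").append(WSSE_PREFIX).append("=\"").append(WSSE_NS).append("\" ")
                    .append("xmlns:wsu=\"").append(WSU_NS).append("\" ")
                    .append("wsu:").append(ID).append("=\"").append(this.id).append("\" ")
                    .append(VALUE_TYPE).append("=\"").append(this.valueType).append("\" ")
                    .append(ENCODING_TYPE).append("=\"").append(this.encodingType).append("\">\n")
                    .append(this.value).append('\n')
                    .append("</").append(WSSE_PREFIX).append(':').append(BINARY_SECURITY_TOKEN).append(">\n");
            this.xmlString = xml.toString();
        }
        return this.xmlString;
    }

    /** @return {@link SecurityToken#WSS_KERBEROS_TOKEN} or {@link SecurityToken#WSS_X509_TOKEN}. */
    @Override
    public String getTokenType() {
        return this.tokenType;
    }

    /**
     * @return a copy of the certificate aliases the token was built from, or null when it was
     *         not built from an {@link X509TokenSpec}
     */
    public String[] getSubjectCertAlias() {
        return this.certAlias == null ? null : this.certAlias.clone();
    }

    /** @return the id to reference this token from a signature; same as {@link #getId()}. */
    public String getSigningId() {
        return this.id;
    }

    /**
     * Parses {@link #toString()} into a DOM element.
     *
     * @return the document element of the parsed token
     * @throws SecurityException if the XML cannot be parsed into a document
     */
    @Override
    public Element toDocumentElement() throws SecurityException {
        Document document = XMLUtils.toDOMDocument(toString(), debug);
        if (document == null) {
            throw new SecurityException(bundle.getString("cannotConvertToDocument"));
        }
        return document.getDocumentElement();
    }
}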
