package org.apache.ws.security;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.rmi.RemoteException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Iterator;
import java.util.Vector;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.opensaml.SAMLObject;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.Text;

/* loaded from: input_file:org/apache/ws/security/WSSecurityEngine.class */
public class WSSecurityEngine {
    // Attribute name read from a referenced BinarySecurityToken to find its value type.
    private static final String VALUE_TYPE = "ValueType";
    // General log and timing log. Neither is initialised on these lines, so the
    // static initialiser is expected elsewhere in the class.
    private static Log log;
    private static Log tlog;
    // Parameter types handed to Class.getConstructor when a binary token class is
    // instantiated reflectively in createSecurityToken.
    private static final Class[] constructorType;
    // Lazily created shared instance returned by both getInstance overloads.
    private static WSSecurityEngine engine;
    // Set to null by the constructor; no other use is visible in this part of the file.
    private byte[] decryptedBytes;
    // Refreshed from log.isDebugEnabled() at the start of processSecurityHeader.
    // NOTE(review): this and decryptedBytes are per-instance mutable state on an
    // object that getInstance() shares process-wide; confirm the engine is never
    // used from several threads at once, or keep one engine per request.
    private boolean doDebug;
    protected WSSConfig wssConfig;
    // QNames of the token elements, built in the constructor from the configured
    // wsse / wsu namespaces.
    protected QName binaryToken;
    protected QName usernameToken;
    protected QName timeStamp;
    // QNames of the other header children the engine dispatches on; their values
    // are assigned outside the lines shown here.
    protected static final QName SIGNATURE;
    protected static final QName ENCRYPTED_KEY;
    protected static final QName REFERENCE_LIST;
    protected static final QName SAML_TOKEN;
    // Class-literal caches in the form older compilers emit them, as recovered by
    // the decompiler; createSecurityToken fills two of them on first use.
    static Class class$org$apache$ws$security$WSSecurityEngine;
    static Class class$org$apache$ws$security$WSSConfig;
    static Class class$org$w3c$dom$Element;
    static Class class$org$apache$ws$security$message$token$X509Security;
    static Class class$org$apache$ws$security$message$token$PKIPathSecurity;

    /**
     * Creates an engine that uses the configuration returned by
     * {@link WSSConfig#getDefaultWSConfig()}.
     */
    public WSSecurityEngine() {
        this(WSSConfig.getDefaultWSConfig());
    }

    /**
     * Creates an engine bound to the given configuration and derives the token
     * QNames it dispatches on from that configuration's namespaces.
     *
     * @param wSSConfig configuration supplying the wsse and wsu namespace URIs;
     *                  a {@code null} value fails with a NullPointerException on
     *                  the first namespace lookup
     */
    public WSSecurityEngine(WSSConfig wSSConfig) {
        this.decryptedBytes = null;
        this.doDebug = false;
        // The default configuration is assigned first and then replaced; both
        // assignments are kept exactly as the listing has them.
        this.wssConfig = WSSConfig.getDefaultWSConfig();
        this.wssConfig = wSSConfig;

        final QName binaryTokenName = new QName(wSSConfig.getWsseNS(), WSConstants.BINARY_TOKEN_LN);
        final QName usernameTokenName = new QName(wSSConfig.getWsseNS(), "UsernameToken");
        final QName timestampName = new QName(wSSConfig.getWsuNS(), "Timestamp");
        this.binaryToken = binaryTokenName;
        this.usernameToken = usernameTokenName;
        this.timeStamp = timestampName;
    }

    /**
     * Returns the process-wide engine, creating it with the default
     * configuration on first use.
     *
     * @return the shared engine instance
     */
    public static synchronized WSSecurityEngine getInstance() {
        if (engine != null) {
            return engine;
        }
        engine = new WSSecurityEngine();
        return engine;
    }

    /**
     * Returns the process-wide engine, creating it from {@code wSSConfig} only
     * when no engine exists yet.
     *
     * <p>Once an engine has been created by either {@code getInstance} overload,
     * the argument is ignored and the existing engine is returned with whatever
     * configuration it was built with. A caller that depends on a particular
     * configuration (for example one that does not process non-compliant
     * messages) should construct its own engine rather than rely on this method.
     *
     * @param wSSConfig configuration used only if the shared engine is created by this call
     * @return the shared engine instance
     */
    public static synchronized WSSecurityEngine getInstance(WSSConfig wSSConfig) {
        if (engine != null) {
            return engine;
        }
        engine = new WSSecurityEngine(wSSConfig);
        return engine;
    }

    /**
     * Processes the security header addressed to the given actor, using one
     * {@link Crypto} for both signature verification and decryption.
     *
     * @param document        the SOAP envelope
     * @param str             the actor name; {@code null} is treated as the empty string
     * @param callbackHandler handler used to obtain passwords
     * @param crypto          crypto used for both signature and decryption
     * @return the results, or {@code null} when no matching security header exists
     * @throws WSSecurityException if processing of any header element fails
     */
    public Vector processSecurityHeader(Document document, String str, CallbackHandler callbackHandler, Crypto crypto) throws WSSecurityException {
        final Crypto sharedCrypto = crypto;
        return processSecurityHeader(document, str, callbackHandler, sharedCrypto, sharedCrypto);
    }

    /**
     * Locates the security header addressed to the given actor and processes it.
     *
     * <p>A {@code null} return means no header for that actor was found, so
     * nothing was verified. Callers that require a signed or encrypted message
     * must treat {@code null} (and an empty result) as a failure rather than as
     * a successful check.
     *
     * @param document        the SOAP envelope
     * @param str             the actor name; {@code null} is treated as the empty string
     * @param callbackHandler handler used to obtain passwords
     * @param crypto          crypto used for signature verification
     * @param crypto2         crypto used for decryption
     * @return the results of the processed header elements, or {@code null} when
     *         no matching security header exists
     * @throws WSSecurityException if processing of any header element fails
     */
    public Vector processSecurityHeader(Document document, String str, CallbackHandler callbackHandler, Crypto crypto, Crypto crypto2) throws WSSecurityException {
        // Debug state is re-read on every call and cached on the instance.
        this.doDebug = log.isDebugEnabled();
        if (this.doDebug) {
            log.debug("enter processSecurityHeader()");
        }
        final String actor = (str != null) ? str : "";
        final Element header = WSSecurityUtil.getSecurityHeader(this.wssConfig, document, actor, WSSecurityUtil.getSOAPConstants(document.getDocumentElement()));
        if (header == null) {
            return null;
        }
        if (this.doDebug) {
            log.debug("Processing WS-Security header for '" + actor + "' actor.");
        }
        return processSecurityHeader(header, callbackHandler, crypto, crypto2);
    }

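    /**
     * Walks the direct element children of a security header and processes each
     * one it recognises, recording one {@link WSSecurityEngineResult} per element.
     *
     * <p>Points a caller has to account for:
     * <ul>
     *   <li>Each result is inserted at index 0, so the returned vector is in
     *       reverse document order.</li>
     *   <li>Elements with an unrecognised name are skipped; they are only
     *       mentioned in the debug log.</li>
     *   <li>UsernameToken, Timestamp and SAML results are recorded whether or not
     *       a signature in the same header covers them. The method does not link
     *       them to a signature result; the caller has to check that.</li>
     *   <li>A SAML assertion is parsed and recorded, nothing more (see
     *       {@code handleSAMLToken}).</li>
     * </ul>
     *
     * <p>The integer action codes passed to the result constructor (64, 2, 4, 1,
     * 8, 32) are kept as the listing has them; presumably they are the action
     * flags from {@code WSConstants} inlined by the compiler (to be confirmed).
     *
     * @param element         the security header element
     * @param callbackHandler handler used to obtain passwords; required for
     *                        EncryptedKey and ReferenceList children
     * @param crypto          crypto used for signature verification
     * @param crypto2         crypto used for decryption; required for EncryptedKey children
     * @return the results, newest first; empty when nothing was recognised
     * @throws WSSecurityException if a child fails processing or a required
     *                             collaborator is missing
     */
    protected Vector processSecurityHeader(Element element, CallbackHandler callbackHandler, Crypto crypto, Crypto crypto2) throws WSSecurityException {
        long currentTimeMillis = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
        // Per-document state is keyed by the owner document's hashCode().
        // NOTE(review): if that is the identity hash, two live documents can share a
        // key; confirm how WSDocInfoStore handles that when requests run concurrently.
        WSDocInfo wSDocInfo = new WSDocInfo(element.getOwnerDocument().hashCode());
        wSDocInfo.setCrypto(crypto);
        NodeList childNodes = element.getChildNodes();
        int length = childNodes.getLength();
        long currentTimeMillis2 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
        Vector vector = new Vector();
        for (int i = 0; i < length; i++) {
            Node item = childNodes.item(i);
            if (item.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            QName qName = new QName(item.getNamespaceURI(), item.getLocalName());
            if (qName.equals(SIGNATURE)) {
                if (this.doDebug) {
                    log.debug("Found signature element");
                }
                WSDocInfoStore.store(wSDocInfo);
                X509Certificate[] certHolder = new X509Certificate[1];
                Vector[] signedNamesHolder = new Vector[1];
                Principal principal;
                try {
                    principal = verifyXMLSignature((Element) item, crypto, certHolder, signedNamesHolder);
                } finally {
                    // The store entry is only needed while the signature is being
                    // verified; remove it on success and on failure alike.
                    WSDocInfoStore.delete(wSDocInfo);
                }
                if (principal instanceof WSUsernameTokenPrincipal) {
                    vector.add(0, new WSSecurityEngineResult(64, principal, null, signedNamesHolder[0]));
                } else {
                    vector.add(0, new WSSecurityEngineResult(2, principal, certHolder[0], signedNamesHolder[0]));
                }
            } else if (qName.equals(ENCRYPTED_KEY)) {
                if (this.doDebug) {
                    log.debug("Found encrypted key element");
                }
                if (crypto2 == null) {
                    throw new WSSecurityException(0, "noDecCryptoFile");
                }
                if (callbackHandler == null) {
                    throw new WSSecurityException(0, "noCallback");
                }
                handleEncryptedKey((Element) item, callbackHandler, crypto2);
                vector.add(0, new WSSecurityEngineResult(4, null, null, null));
            } else if (qName.equals(REFERENCE_LIST)) {
                if (this.doDebug) {
                    log.debug("Found reference list element");
                }
                if (callbackHandler == null) {
                    throw new WSSecurityException(0, "noCallback");
                }
                handleReferenceList((Element) item, callbackHandler);
                vector.add(0, new WSSecurityEngineResult(4, null, null, null));
            } else if (qName.equals(this.usernameToken)) {
                if (this.doDebug) {
                    log.debug("Found UsernameToken list element");
                }
                vector.add(0, new WSSecurityEngineResult(1, handleUsernameToken((Element) item, callbackHandler), null, null));
            } else if (qName.equals(SAML_TOKEN)) {
                if (this.doDebug) {
                    log.debug("Found SAML Assertion element");
                }
                SAMLAssertion handleSAMLToken = handleSAMLToken((Element) item);
                wSDocInfo.setAssertion((Element) item);
                vector.add(0, new WSSecurityEngineResult(8, handleSAMLToken));
            } else if (qName.equals(this.timeStamp)) {
                if (this.doDebug) {
                    log.debug("Found Timestamp list element");
                }
                Timestamp timestamp = new Timestamp(this.wssConfig, (Element) item);
                handleTimestamp(timestamp);
                vector.add(0, new WSSecurityEngineResult(32, timestamp));
            } else if (this.doDebug) {
                log.debug(new StringBuffer().append("Unknown Element: ").append(item.getLocalName()).append(" ").append(item.getNamespaceURI()).toString());
            }
        }
        if (tlog.isDebugEnabled()) {
            long currentTimeMillis3 = System.currentTimeMillis();
            tlog.debug(new StringBuffer().append("processHeader: total= ").append(currentTimeMillis3 - currentTimeMillis).append(", prepare= ").append(currentTimeMillis2 - currentTimeMillis).append(", handle= ").append(currentTimeMillis3 - currentTimeMillis2).toString());
        }
        return vector;
    }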

    /**
     * Verifies one ds:Signature element and reports the signer and the names of
     * the elements its references resolve to.
     *
     * <p>The verification key is resolved from the signature's KeyInfo: a
     * SecurityTokenReference pointing at a UsernameToken (secret key), at a
     * binary security token or a SAML assertion (certificate), an issuer/serial
     * or a key identifier looked up through {@code crypto}. Without a KeyInfo the
     * certificate of the crypto's default alias is used.
     *
     * <p>Checks performed here: the validity period of the first certificate and
     * the signature value. No certificate path or trust-store check is visible in
     * this method, and a certificate taken from a token inside the message will
     * verify a signature made with its own key. The caller therefore has to
     * establish separately that the certificate returned in
     * {@code x509CertificateArr[0]} is trusted (whether the {@code Crypto} lookups
     * do any of that cannot be told from here).
     *
     * <p>The signed parts are reported as QNames only. A QName says what kind of
     * element was covered, not which node, so a caller that needs to know that a
     * specific element (for example the Body it goes on to process) was signed
     * must compare the referenced node itself, not just the name.
     *
     * @param element            the ds:Signature element
     * @param crypto             crypto used to resolve certificates; may be
     *                           {@code null} only for a UsernameToken-keyed signature
     * @param x509CertificateArr one-element out parameter; receives the signer
     *                           certificate when a certificate was used
     * @param vectorArr          one-element out parameter; receives the vector of
     *                           QNames of the referenced elements
     * @return the certificate's subject DN, or a {@link WSUsernameTokenPrincipal}
     *         for a UsernameToken-keyed signature
     * @throws WSSecurityException if the key cannot be resolved, the certificate
     *                             is outside its validity period, the signature
     *                             value does not verify or a reference cannot be
     *                             resolved
     */
    protected Principal verifyXMLSignature(Element element, Crypto crypto, X509Certificate[] x509CertificateArr, Vector[] vectorArr) throws WSSecurityException {
        if (this.doDebug) {
            log.debug("Verify XML Signature");
        }
        long currentTimeMillis = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
        try {
            XMLSignature xMLSignature = new XMLSignature(element, (String) null);
            xMLSignature.addResourceResolver(EnvelopeIdResolver.getInstance(this.wssConfig));
            X509Certificate[] x509CertificateArr2 = null;
            KeyInfo keyInfo = xMLSignature.getKeyInfo();
            byte[] bArr = null;
            UsernameToken usernameToken = null;
            if (keyInfo != null) {
                // In non-compliant mode the SecurityTokenReference is looked up through
                // getDirectChildWSSE instead of the single configured wsse namespace.
                Node directChildWSSE = this.wssConfig.getProcessNonCompliantMessages() ? WSSecurityUtil.getDirectChildWSSE(keyInfo.getElement(), "SecurityTokenReference") : WSSecurityUtil.getDirectChild(keyInfo.getElement(), "SecurityTokenReference", this.wssConfig.getWsseNS());
                if (directChildWSSE == null) {
                    throw new WSSecurityException(3, "unsupportedKeyInfo");
                }
                SecurityTokenReference securityTokenReference = new SecurityTokenReference(this.wssConfig, (Element) directChildWSSE);
                // Looks up the per-document info stored by the caller, keyed by the
                // owner document's hashCode().
                WSDocInfo lookup = WSDocInfoStore.lookup(element.getOwnerDocument().hashCode());
                if (securityTokenReference.containsReference()) {
                    // NOTE(review): tokenElement is dereferenced without a null check;
                    // confirm getTokenElement never returns null for a dangling reference.
                    Element tokenElement = securityTokenReference.getTokenElement(element.getOwnerDocument(), lookup);
                    QName qName = new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName());
                    // UsernameToken and binary token are recognised by local name only;
                    // the namespace is compared only for the SAML case below.
                    if (tokenElement.getLocalName().equals(UsernameToken.TOKEN)) {
                        usernameToken = new UsernameToken(this.wssConfig, tokenElement);
                        bArr = usernameToken.getSecretKey();
                    } else {
                        if (crypto == null) {
                            throw new WSSecurityException(0, "noSigCryptoFile");
                        }
                        if (tokenElement.getLocalName().equals(this.binaryToken.getLocalPart())) {
                            x509CertificateArr2 = getCertificatesTokenReference(tokenElement, crypto);
                        } else {
                            if (!qName.equals(SAML_TOKEN)) {
                                throw new WSSecurityException(3, "unsupportedKeyInfo", new Object[]{qName.toString()});
                            }
                            x509CertificateArr2 = getCertificatesFromSAML(tokenElement, crypto);
                        }
                    }
                } else if (securityTokenReference.containsX509IssuerSerial()) {
                    x509CertificateArr2 = securityTokenReference.getX509IssuerSerial(crypto);
                } else {
                    if (!securityTokenReference.containsKeyIdentifier()) {
                        throw new WSSecurityException(3, "unsupportedKeyInfo", new Object[]{directChildWSSE.toString()});
                    }
                    x509CertificateArr2 = securityTokenReference.getKeyIdentifier(crypto);
                }
            } else {
                // No KeyInfo at all: fall back to the certificate of the default alias.
                if (crypto == null) {
                    throw new WSSecurityException(0, "noSigCryptoFile");
                }
                if (crypto.getDefaultX509Alias() == null) {
                    throw new WSSecurityException(3, "unsupportedKeyInfo");
                }
                x509CertificateArr2 = crypto.getCertificates(crypto.getDefaultX509Alias());
            }
            long currentTimeMillis2 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
            // Fail when neither a usable certificate nor a secret key was resolved.
            if ((x509CertificateArr2 == null || x509CertificateArr2.length == 0 || x509CertificateArr2[0] == null) && bArr == null) {
                throw new WSSecurityException(6);
            }
            if (x509CertificateArr2 != null) {
                try {
                    // Validity period of the first certificate only; this is not a
                    // chain or trust check.
                    x509CertificateArr2[0].checkValidity();
                } catch (CertificateExpiredException e) {
                    throw new WSSecurityException(6, "invalidCert");
                } catch (CertificateNotYetValidException e2) {
                    throw new WSSecurityException(6, "invalidCert");
                }
            }
            try {
                // Verify with the certificate when one was resolved, otherwise with a
                // secret key built from the UsernameToken key bytes.
                if (!(x509CertificateArr2 != null ? xMLSignature.checkSignatureValue(x509CertificateArr2[0]) : xMLSignature.checkSignatureValue(xMLSignature.createSecretKey(bArr)))) {
                    throw new WSSecurityException(6);
                }
                if (tlog.isDebugEnabled()) {
                    long currentTimeMillis3 = System.currentTimeMillis();
                    tlog.debug(new StringBuffer().append("Verify: total= ").append(currentTimeMillis3 - currentTimeMillis).append(", prepare-cert= ").append(currentTimeMillis2 - currentTimeMillis).append(", verify= ").append(currentTimeMillis3 - currentTimeMillis2).toString());
                }
                SignedInfo signedInfo = xMLSignature.getSignedInfo();
                int length = signedInfo.getLength();
                Vector vector = new Vector(length);
                // Resolve every reference URI back to an element (by wsu:Id first, then
                // by generic id) and record that element's QName; an unresolvable
                // reference fails the whole verification.
                for (int i = 0; i < length; i++) {
                    try {
                        String uri = signedInfo.item(i).getURI();
                        Element elementByWsuId = WSSecurityUtil.getElementByWsuId(this.wssConfig, element.getOwnerDocument(), uri);
                        if (elementByWsuId == null) {
                            elementByWsuId = WSSecurityUtil.getElementByGenId(element.getOwnerDocument(), uri);
                        }
                        if (elementByWsuId == null) {
                            throw new WSSecurityException(6);
                        }
                        vector.add(new QName(elementByWsuId.getNamespaceURI(), elementByWsuId.getLocalName()));
                    } catch (XMLSecurityException e3) {
                        throw new WSSecurityException(6);
                    }
                }
                vectorArr[0] = vector;
                if (x509CertificateArr2 != null) {
                    x509CertificateArr[0] = x509CertificateArr2[0];
                    return x509CertificateArr2[0].getSubjectDN();
                }
                // UsernameToken-keyed signature: the principal carries the token's name,
                // nonce, password value and creation time as received.
                WSUsernameTokenPrincipal wSUsernameTokenPrincipal = new WSUsernameTokenPrincipal(usernameToken.getName(), usernameToken.isHashed());
                wSUsernameTokenPrincipal.setNonce(usernameToken.getNonce());
                wSUsernameTokenPrincipal.setPassword(usernameToken.getPassword());
                wSUsernameTokenPrincipal.setCreatedTime(usernameToken.getCreated());
                return wSUsernameTokenPrincipal;
            } catch (XMLSignatureException e4) {
                throw new WSSecurityException(6);
            }
        } catch (XMLSecurityException e5) {
            throw new WSSecurityException(6, "noXMLSig");
        }
    }

    /**
     * Extracts the certificate or certificates carried by a binary security token.
     *
     * <p>The certificates come from the token in the message; nothing in this
     * method establishes that they are trusted.
     *
     * @param element the binary security token element
     * @param crypto  crypto handed to the token when its certificates are read
     * @return the certificates of a PKIPath token, or a one-element array for an
     *         X509 token
     * @throws WSSecurityException if the token is of neither type or cannot be created
     */
    public X509Certificate[] getCertificatesTokenReference(Element element, Crypto crypto) throws WSSecurityException {
        final BinarySecurity token = createSecurityToken(element);
        if (token instanceof PKIPathSecurity) {
            final PKIPathSecurity pkiPath = (PKIPathSecurity) token;
            return pkiPath.getX509Certificates(false, crypto);
        }
        if (!(token instanceof X509Security)) {
            throw new WSSecurityException(1, "unhandledToken", new Object[]{token.getClass().getName()});
        }
        final X509Certificate single = ((X509Security) token).getX509Certificate(crypto);
        return new X509Certificate[]{single};
    }

    /**
     * Reads the certificate from the KeyInfo of the subject of the first subject
     * statement in a SAML assertion.
     *
     * <p>The assertion is only parsed here. No check of the assertion's own
     * signature, issuer or conditions is visible in this method, so the
     * certificate is only as trustworthy as the assertion it came from; the
     * caller has to validate the assertion separately. The {@code crypto}
     * argument is not used.
     *
     * @param element the SAML assertion element
     * @param crypto  unused
     * @return a one-element array with the subject's certificate, or {@code null}
     *         when the KeyInfo holds no X509 certificate
     * @throws WSSecurityException if the assertion cannot be parsed, has no
     *                             subject, or its KeyInfo cannot be read
     */
    protected X509Certificate[] getCertificatesFromSAML(Element element, Crypto crypto) throws WSSecurityException {
        try {
            // The first subject statement decides; later ones are not looked at.
            SAMLSubject subject = null;
            for (Iterator it = new SAMLAssertion(element).getStatements(); it.hasNext();) {
                SAMLObject candidate = (SAMLObject) it.next();
                if (candidate instanceof SAMLSubjectStatement) {
                    subject = ((SAMLSubjectStatement) candidate).getSubject();
                    break;
                }
            }
            if (subject == null) {
                throw new WSSecurityException(0, "invalidSAMLToken", new Object[]{"for Signature (no Subject)"});
            }
            try {
                KeyInfo subjectKeyInfo = new KeyInfo(subject.getKeyInfo(), (String) null);
                if (!subjectKeyInfo.containsX509Data()) {
                    return null;
                }
                X509Data firstData = subjectKeyInfo.itemX509Data(0);
                if (firstData == null || !firstData.containsCertificate()) {
                    return null;
                }
                XMLX509Certificate wrapped = firstData.itemCertificate(0);
                if (wrapped == null) {
                    return null;
                }
                return new X509Certificate[]{wrapped.getX509Certificate()};
            } catch (XMLSecurityException e) {
                throw new WSSecurityException(0, "invalidSAMLsecurity", new Object[]{"cannot get certificate (key holder)"});
            }
        } catch (SAMLException e2) {
            throw new WSSecurityException(0, "invalidSAMLToken", new Object[]{"for Signature (cannot parse)"});
        }
    }

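    /**
     * Builds the concrete binary security token (X509 or PKIPath) for an element,
     * chosen by the element's value type.
     *
     * <p>In non-compliant or prefixed-value mode the value type is matched with
     * {@code endsWith}, so any value that merely ends in the expected suffix is
     * accepted; otherwise it must equal the configured type exactly.
     *
     * <p>Changes against the decompiled listing: class literals replace the
     * hand-rolled {@code class$} caches, a missing value type is reported as an
     * unsupported token type instead of failing with a NullPointerException, the
     * unreachable {@code constructor == null} test is gone
     * ({@code getConstructor} throws rather than returning {@code null}), and the
     * invocation target is held as a {@code Throwable}, which is what
     * {@code getTargetException()} returns.
     *
     * @param element the binary security token element
     * @return the token instance created for the element
     * @throws WSSecurityException if the value type is missing or unsupported, or
     *                             the token cannot be instantiated
     */
    private BinarySecurity createSecurityToken(Element element) throws WSSecurityException {
        String valueType = new BinarySecurity(this.wssConfig, element).getValueType();
        Class tokenClass = null;
        if (valueType != null) {
            if (this.wssConfig.getProcessNonCompliantMessages() || this.wssConfig.isBSTValuesPrefixed()) {
                // Lax matching: suffix comparison only.
                if (valueType.endsWith(X509Security.X509_V3)) {
                    tokenClass = X509Security.class;
                } else if (valueType.endsWith(PKIPathSecurity.X509PKI_PATH)) {
                    tokenClass = PKIPathSecurity.class;
                }
            } else if (valueType.equals(X509Security.getType(this.wssConfig))) {
                tokenClass = X509Security.class;
            } else if (valueType.equals(PKIPathSecurity.getType(this.wssConfig))) {
                tokenClass = PKIPathSecurity.class;
            }
        }
        if (tokenClass == null) {
            throw new WSSecurityException(1, "unsupportedBinaryTokenType", new Object[]{valueType});
        }
        try {
            Constructor constructor = tokenClass.getConstructor(constructorType);
            return (BinarySecurity) constructor.newInstance(this.wssConfig, element);
        } catch (IllegalAccessException e) {
            throw new WSSecurityException(0, null, null, e);
        } catch (InstantiationException e2) {
            throw new WSSecurityException(0, null, null, e2);
        } catch (NoSuchMethodException e3) {
            throw new WSSecurityException(0, null, null, e3);
        } catch (InvocationTargetException e4) {
            // Surface a WSSecurityException raised by the token constructor as is;
            // wrap anything else.
            Throwable targetException = e4.getTargetException();
            if (targetException instanceof WSSecurityException) {
                throw ((WSSecurityException) targetException);
            }
            throw new WSSecurityException(0, null, null, e4);
        }
    }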

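    /**
     * Validates a UsernameToken and returns a principal describing it.
     *
     * <p>For a hashed (digest) password the stored password is obtained from the
     * callback handler, the digest is recomputed from nonce, created time and
     * that password, and the result is compared with the received digest. For
     * any other password type the received values are handed to the callback
     * handler, which is expected to do the validation itself.
     *
     * <p>Changes against the original behaviour:
     * <ul>
     *   <li>Neither the received password or digest nor the password returned by
     *       the callback is written to the debug log any more.</li>
     *   <li>A hashed token without a nonce, a created time or a password value is
     *       rejected. Before, the digest comparison was skipped in that case and
     *       the token was accepted unverified.</li>
     *   <li>The digest comparison is constant-time.</li>
     * </ul>
     *
     * <p>This method does not track nonces or check the age of the created time,
     * so protection against replay of a captured digest has to come from the
     * caller.
     *
     * @param element         the UsernameToken element
     * @param callbackHandler handler that supplies or validates the password;
     *                        required for hashed passwords
     * @return a principal carrying name, nonce, received password value, created
     *         time and password type
     * @throws WSSecurityException if the handler is missing for a hashed token,
     *                             no password can be obtained, or the digest
     *                             does not match
     */
    public WSUsernameTokenPrincipal handleUsernameToken(Element element, CallbackHandler callbackHandler) throws WSSecurityException {
        UsernameToken usernameToken = new UsernameToken(this.wssConfig, element);
        String name = usernameToken.getName();
        String password = usernameToken.getPassword();
        String nonce = usernameToken.getNonce();
        String created = usernameToken.getCreated();
        String passwordType = usernameToken.getPasswordType();
        if (this.doDebug) {
            // Only the user name is logged; password values are credentials.
            log.debug(new StringBuffer().append("UsernameToken user ").append(name).toString());
        }
        Callback[] callbackArr = new Callback[1];
        if (usernameToken.isHashed()) {
            if (callbackHandler == null) {
                throw new WSSecurityException(0, "noCallback");
            }
            WSPasswordCallback wSPasswordCallback = new WSPasswordCallback(name, 2);
            callbackArr[0] = wSPasswordCallback;
            try {
                callbackHandler.handle(callbackArr);
                String password2 = wSPasswordCallback.getPassword();
                if (password2 == null) {
                    throw new WSSecurityException(0, "noPassword", new Object[]{name});
                }
                // Fail closed: without all three inputs the digest cannot be checked.
                if (nonce == null || created == null || password == null) {
                    throw new WSSecurityException(5);
                }
                String expectedDigest = UsernameToken.doPasswordDigest(nonce, created, password2);
                if (expectedDigest == null || !java.security.MessageDigest.isEqual(
                        expectedDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                        password.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
                    throw new WSSecurityException(5);
                }
                // NOTE(review): if WSSecurityException is an IOException subtype, the
                // handler below re-wraps the failures thrown above as "noPassword";
                // that is unchanged from the original layout. Confirm and narrow the
                // try if the failure code matters to callers.
            } catch (IOException e) {
                throw new WSSecurityException(0, "noPassword", new Object[]{name});
            } catch (UnsupportedCallbackException e2) {
                throw new WSSecurityException(0, "noPassword", new Object[]{name});
            }
        } else if (callbackHandler != null) {
            callbackArr[0] = new WSPasswordCallback(name, password, passwordType, 5);
            try {
                callbackHandler.handle(callbackArr);
            } catch (IOException e3) {
                throw new WSSecurityException(0, "noPassword", new Object[]{name});
            } catch (UnsupportedCallbackException e4) {
                throw new WSSecurityException(0, "noPassword", new Object[]{name});
            }
        }
        // NOTE(review): a non-hashed token with no callback handler reaches this
        // point without any validation; callers must not treat the returned
        // principal as authenticated in that case.
        WSUsernameTokenPrincipal wSUsernameTokenPrincipal = new WSUsernameTokenPrincipal(name, usernameToken.isHashed());
        wSUsernameTokenPrincipal.setNonce(nonce);
        wSUsernameTokenPrincipal.setPassword(password);
        wSUsernameTokenPrincipal.setCreatedTime(created);
        wSUsernameTokenPrincipal.setPasswordType(passwordType);
        return wSUsernameTokenPrincipal;
    }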

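    /**
     * Parses a SAML assertion element.
     *
     * <p>This method only parses. It does not verify the assertion's signature,
     * issuer, validity conditions or subject confirmation, so the returned
     * object must be treated as unverified input until the caller has validated
     * it. The listing contained a failure branch guarded by a constant-false
     * condition; it could never run and has been removed.
     *
     * @param element the SAML assertion element
     * @return the parsed, unverified assertion
     * @throws WSSecurityException if the element cannot be parsed as an assertion
     */
    public SAMLAssertion handleSAMLToken(Element element) throws WSSecurityException {
        try {
            SAMLAssertion sAMLAssertion = new SAMLAssertion(element);
            if (this.doDebug) {
                log.debug(new StringBuffer().append("SAML Assertion issuer ").append(sAMLAssertion.getIssuer()).toString());
            }
            return sAMLAssertion;
        } catch (SAMLException e) {
            throw new WSSecurityException(0, "invalidSAMLsecurity", null, e);
        }
    }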

    /**
     * Rejects a timestamp whose expiry lies before the current time.
     *
     * <p>Only the expiry is compared. The created time is logged but not
     * checked, so a timestamp dated in the future or created long ago is
     * accepted as long as it has not expired.
     *
     * @param timestamp the parsed timestamp
     * @throws WSSecurityException if the timestamp has expired
     */
    public void handleTimestamp(Timestamp timestamp) throws WSSecurityException {
        if (this.doDebug) {
            log.debug("Preparing to verify the timestamp");
            final XmlSchemaDateFormat formatter = new XmlSchemaDateFormat();
            log.debug("Current time: " + formatter.format(Calendar.getInstance().getTime()));
            log.debug("Timestamp created: " + formatter.format(timestamp.getCreated().getTime()));
            log.debug("Timestamp expires: " + formatter.format(timestamp.getExpires().getTime()));
        }
        // NOTE(review): getCreated() and getExpires() are dereferenced without a
        // null check; confirm how Timestamp represents an absent Expires element.
        if (!timestamp.getExpires().before(Calendar.getInstance())) {
            return;
        }
        throw new WSSecurityException(3, "invalidTimestamp", new Object[]{"The security semantics of message have expired"});
    }

    /**
     * Processes an EncryptedKey element, resolving the decryption key through
     * the key information in the element and the given crypto.
     *
     * @param element         the EncryptedKey element
     * @param callbackHandler handler passed on to the four-argument overload
     * @param crypto          crypto used to resolve the key alias
     * @throws WSSecurityException if the key cannot be processed
     */
    public void handleEncryptedKey(Element element, CallbackHandler callbackHandler, Crypto crypto) throws WSSecurityException {
        final PrivateKey noPresetKey = null;
        handleEncryptedKey(element, callbackHandler, crypto, noPresetKey);
    }

    /**
     * Processes an EncryptedKey element with a private key supplied by the
     * caller; no callback handler and no crypto are passed on.
     *
     * <p>The four-argument overload consults the crypto whenever
     * {@code privateKey} is {@code null}, so a {@code null} key here leads to a
     * dereference of a {@code null} crypto on that path.
     *
     * @param element    the EncryptedKey element
     * @param privateKey the key to decrypt with
     * @throws WSSecurityException if the key cannot be processed
     */
    public void handleEncryptedKey(Element element, PrivateKey privateKey) throws WSSecurityException {
        final CallbackHandler noHandler = null;
        final Crypto noCrypto = null;
        handleEncryptedKey(element, noHandler, noCrypto, privateKey);
    }

    public void handleEncryptedKey(Element element, CallbackHandler callbackHandler, Crypto crypto, PrivateKey privateKey) throws WSSecurityException {
        String defaultX509Alias;
        X509Security x509Security;
        long currentTimeMillis = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
        Document ownerDocument = element.getOwnerDocument();
        Element element2 = (Element) WSSecurityUtil.getDirectChild(element, "EncryptionMethod", WSConstants.ENC_NS);
        String attribute = element2 != null ? element2.getAttribute("Algorithm") : null;
        if (attribute == null) {
            throw new WSSecurityException(2, "noEncAlgo");
        }
        Cipher cipherInstance = WSSecurityUtil.getCipherInstance(attribute);
        Element element3 = (Element) WSSecurityUtil.getDirectChild(element, "CipherData", WSConstants.ENC_NS);
        Element element4 = element3 != null ? (Element) WSSecurityUtil.getDirectChild(element3, "CipherValue", WSConstants.ENC_NS) : null;
        if (element4 == null) {
            throw new WSSecurityException(3, "noCipher");
        }
        if (privateKey == null) {
            Element element5 = (Element) WSSecurityUtil.getDirectChild(element, "KeyInfo", WSConstants.SIG_NS);
            if (element5 != null) {
                Element element6 = this.wssConfig.getProcessNonCompliantMessages() ? (Element) WSSecurityUtil.getDirectChildWSSE(element5, "SecurityTokenReference") : (Element) WSSecurityUtil.getDirectChild(element5, "SecurityTokenReference", this.wssConfig.getWsseNS());
                if (element6 == null) {
                    element6 = (Element) WSSecurityUtil.getDirectChild(element5, SecurityTokenReference.KEY_NAME, WSConstants.SIG_NS);
                }
                if (element6 == null) {
                    throw new WSSecurityException(3, "noSecTokRef");
                }
                SecurityTokenReference securityTokenReference = new SecurityTokenReference(this.wssConfig, element6);
                if (securityTokenReference.containsX509IssuerSerial()) {
                    defaultX509Alias = securityTokenReference.getX509IssuerSerialAlias(crypto);
                    if (this.doDebug) {
                        log.debug(new StringBuffer().append("X509IssuerSerial alias: ").append(defaultX509Alias).toString());
                    }
                } else if (securityTokenReference.containsKeyIdentifier()) {
                    X509Certificate[] keyIdentifier = securityTokenReference.getKeyIdentifier(crypto);
                    if (keyIdentifier == null || keyIdentifier.length < 1 || keyIdentifier[0] == null) {
                        throw new WSSecurityException(0, "invalidX509Data", new Object[]{"for decryption (KeyId)"});
                    }
                    defaultX509Alias = crypto.getAliasForX509Cert(keyIdentifier[0]);
                    if (this.doDebug) {
                        log.debug(new StringBuffer().append("cert: ").append(keyIdentifier[0]).toString());
                        log.debug(new StringBuffer().append("KeyIdentifier Alias: ").append(defaultX509Alias).toString());
                    }
                } else if (securityTokenReference.containsReference()) {
                    Element tokenElement = securityTokenReference.getTokenElement(ownerDocument, null);
                    if (!new QName(tokenElement.getNamespaceURI(), tokenElement.getLocalName()).equals(this.binaryToken)) {
                        throw new WSSecurityException(3, "unsupportedToken", null);
                    }
                    String attribute2 = tokenElement.getAttribute(VALUE_TYPE);
                    if (this.wssConfig.getProcessNonCompliantMessages()) {
                        for (int i = 0; i < WSConstants.WSSE_NS_ARRAY.length && attribute2.length() == 0; i++) {
                            attribute2 = tokenElement.getAttributeNS(WSConstants.WSSE_NS_ARRAY[i], VALUE_TYPE);
                        }
                    }
                    if (!attribute2.endsWith(X509Security.X509_V3) || (x509Security = new X509Security(this.wssConfig, tokenElement)) == null) {
                        throw new WSSecurityException(1, "unsupportedBinaryTokenType", new Object[]{"for decryption (BST)"});
                    }
                    X509Certificate x509Certificate = x509Security.getX509Certificate(crypto);
                    if (x509Certificate == null) {
                        throw new WSSecurityException(0, "invalidX509Data", new Object[]{"for decryption"});
                    }
                    defaultX509Alias = crypto.getAliasForX509Cert(x509Certificate);
                    if (this.doDebug) {
                        log.debug(new StringBuffer().append("BST Alias: ").append(defaultX509Alias).toString());
                    }
                } else {
                    if (!securityTokenReference.containsKeyName()) {
                        throw new WSSecurityException(0, "unsupportedKeyId");
                    }
                    defaultX509Alias = crypto.getAliasForX509Cert(securityTokenReference.getKeyNameValue());
                    if (this.doDebug) {
                        log.debug(new StringBuffer().append("KeyName alias: ").append(defaultX509Alias).toString());
                    }
                }
            } else {
                if (crypto.getDefaultX509Alias() == null) {
                    throw new WSSecurityException(3, "noKeyinfo");
                }
                defaultX509Alias = crypto.getDefaultX509Alias();
            }
            WSPasswordCallback wSPasswordCallback = new WSPasswordCallback(defaultX509Alias, 1);
            try {
                callbackHandler.handle(new Callback[]{wSPasswordCallback});
                String password = wSPasswordCallback.getPassword();
                if (password == null) {
                    throw new WSSecurityException(0, "noPassword", new Object[]{defaultX509Alias});
                }
                try {
                    privateKey = crypto.getPrivateKey(defaultX509Alias, password);
                } catch (Exception e) {
                    throw new WSSecurityException(8, null, null, e);
                }
            } catch (IOException e2) {
                throw new WSSecurityException(0, "noPassword", new Object[]{defaultX509Alias});
            } catch (UnsupportedCallbackException e3) {
                throw new WSSecurityException(0, "noPassword", new Object[]{defaultX509Alias});
            }
        }
        try {
            cipherInstance.init(2, privateKey);
            try {
                this.decryptedBytes = cipherInstance.doFinal(getDecodedBase64EncodedData(element4));
                long currentTimeMillis2 = tlog.isDebugEnabled() ? System.currentTimeMillis() : 0L;
                Element element7 = (Element) WSSecurityUtil.getDirectChild(element, WSConstants.REF_LIST_LN, WSConstants.ENC_NS);
                if (element7 != null) {
                    Node firstChild = element7.getFirstChild();
                    while (true) {
                        Node node = firstChild;
                        if (node == null) {
                            break;
                        }
                        if (node.getNodeType() == 1 && node.getNamespaceURI().equals(WSConstants.ENC_NS) && node.getLocalName().equals("DataReference")) {
                            decryptDataRef(ownerDocument, ((Element) node).getAttribute("URI"), this.decryptedBytes);
                        }
                        firstChild = node.getNextSibling();
                    }
                }
                if (tlog.isDebugEnabled()) {
                    long currentTimeMillis3 = System.currentTimeMillis();
                    tlog.debug(new StringBuffer().append("XMLDecrypt: total= ").append(currentTimeMillis3 - currentTimeMillis).append(", get-sym-key= ").append(currentTimeMillis2 - currentTimeMillis).append(", decrypt= ").append(currentTimeMillis3 - currentTimeMillis2).toString());
                }
            } catch (IllegalStateException e4) {
                throw new WSSecurityException(8, null, null, e4);
            } catch (BadPaddingException e5) {
                throw new WSSecurityException(8, null, null, e5);
            } catch (IllegalBlockSizeException e6) {
                throw new WSSecurityException(8, null, null, e6);
            }
        } catch (Exception e7) {
            throw new WSSecurityException(8, null, null, e7);
        }
    }

    /**
     * Decrypts, in place, the element that a {@code DataReference} URI points to, using raw
     * symmetric key bytes supplied by the caller.
     *
     * <p>The referenced element is looked up with {@code getElementByWsuId} and, if that finds
     * nothing, with {@code getElementByGenId}. The cipher algorithm is whatever
     * {@link #getEncAlgo(Node)} reads from the message; this method applies no further
     * restriction to it.
     *
     * @param document the document that contains the encrypted data
     * @param str      the {@code URI} attribute value of the {@code DataReference}
     * @param bArr     raw key bytes handed to {@code WSSecurityUtil.prepareSecretKey}
     * @throws WSSecurityException code 3 ("dataRef") when the reference cannot be resolved,
     *                             code 2 when the cipher cannot be created or initialised,
     *                             code 8 when the decryption itself fails
     */
    private void decryptDataRef(Document document, String str, byte[] bArr) throws WSSecurityException {
        if (this.doDebug) {
            log.debug("found data refernce: " + str);
        }

        Element encrypted = WSSecurityUtil.getElementByWsuId(this.wssConfig, document, str);
        if (encrypted == null) {
            encrypted = WSSecurityUtil.getElementByGenId(document, str);
        }
        if (encrypted == null) {
            throw new WSSecurityException(3, "dataRef", new Object[]{str});
        }

        final boolean contentOnly = isContent(encrypted);
        final String algorithmUri = getEncAlgo(encrypted);
        final SecretKey symmetricKey = WSSecurityUtil.prepareSecretKey(algorithmUri, bArr);

        final XMLCipher cipher;
        try {
            cipher = XMLCipher.getInstance(algorithmUri);
            // Mode 2 has the same value as javax.crypto.Cipher.DECRYPT_MODE.
            cipher.init(2, symmetricKey);
        } catch (XMLEncryptionException setupFailure) {
            throw new WSSecurityException(2, null, null, setupFailure);
        }

        // For content-only encryption the cipher is handed the parent of the located element.
        final Element target = contentOnly ? (Element) encrypted.getParentNode() : encrypted;
        try {
            cipher.doFinal(document, target, contentOnly);
        } catch (Exception decryptFailure) {
            // NOTE(review): the underlying exception travels as the cause; confirm the fault sent
            // back to the message sender does not reveal why decryption failed.
            throw new WSSecurityException(8, null, null, decryptFailure);
        }
    }

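    /**
     * Walks the direct children of the given element and, for every child element named
     * {@code DataReference} in the {@code WSConstants.ENC_NS} namespace, decrypts the data it
     * references via {@link #decryptDataRefEmbedded(Document, String, CallbackHandler)}.
     *
     * <p>The children come from the received message. Child elements without a namespace or
     * local name are skipped rather than dereferenced, so a malformed list cannot trigger a
     * {@code NullPointerException} here.
     *
     * @param element         the element whose children are scanned
     * @param callbackHandler handler passed on to obtain the shared key
     * @throws WSSecurityException if decrypting any referenced element fails
     */
    private void handleReferenceList(Element element, CallbackHandler callbackHandler) throws WSSecurityException {
        Document ownerDocument = element.getOwnerDocument();
        for (Node child = element.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            // Constant-first equals: getNamespaceURI() and getLocalName() may return null.
            if (WSConstants.ENC_NS.equals(child.getNamespaceURI()) && "DataReference".equals(child.getLocalName())) {
                decryptDataRefEmbedded(ownerDocument, ((Element) child).getAttribute("URI"), callbackHandler);
            }
        }
    }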

    /**
     * Decrypts, in place, the element that a {@code DataReference} URI points to, obtaining the
     * symmetric key through the callback handler rather than from an {@code EncryptedKey}.
     *
     * <p>The key is requested by {@link #getSharedKey(Element, String, CallbackHandler)} using the
     * {@code KeyInfo} element found below the referenced element. Both the key name and the
     * cipher algorithm are read from the message.
     *
     * @param document        the document that contains the encrypted data
     * @param str             the {@code URI} attribute value of the {@code DataReference}
     * @param callbackHandler handler asked for the shared key
     * @throws WSSecurityException code 3 ("dataRef") when the reference cannot be resolved,
     *                             code 2 when the cipher cannot be created or initialised,
     *                             code 8 when the decryption itself fails
     */
    public void decryptDataRefEmbedded(Document document, String str, CallbackHandler callbackHandler) throws WSSecurityException {
        if (this.doDebug) {
            log.debug("Embedded found data refernce: " + str);
        }

        Element encrypted = WSSecurityUtil.getElementByWsuId(this.wssConfig, document, str);
        if (encrypted == null) {
            encrypted = WSSecurityUtil.getElementByGenId(document, str);
        }
        if (encrypted == null) {
            throw new WSSecurityException(3, "dataRef", new Object[]{str});
        }

        final boolean contentOnly = isContent(encrypted);
        final String algorithmUri = getEncAlgo(encrypted);
        // NOTE(review): the KeyInfo lookup result is passed on unchecked; whether a missing
        // KeyInfo is handled cleanly depends on WSSecurityUtil.getDirectChild - confirm.
        final Element keyInfo = (Element) WSSecurityUtil.findElement(encrypted, "KeyInfo", WSConstants.SIG_NS);
        final SecretKey sharedKey = getSharedKey(keyInfo, algorithmUri, callbackHandler);

        final XMLCipher cipher;
        try {
            cipher = XMLCipher.getInstance(algorithmUri);
            // Mode 2 has the same value as javax.crypto.Cipher.DECRYPT_MODE.
            cipher.init(2, sharedKey);
        } catch (XMLEncryptionException setupFailure) {
            throw new WSSecurityException(2, null, null, setupFailure);
        }

        // For content-only encryption the cipher is handed the parent of the located element.
        final Element target = contentOnly ? (Element) encrypted.getParentNode() : encrypted;
        try {
            cipher.doFinal(document, target, contentOnly);
        } catch (Exception decryptFailure) {
            throw new WSSecurityException(8, null, null, decryptFailure);
        }
    }

    /**
     * Reports whether the {@code EncryptedData} found at or below the node is content
     * encryption, judged by its {@code Type} attribute.
     *
     * <p>Returns {@code true} when no {@code EncryptedData} element is found. DOM
     * {@code getAttribute} yields an empty string for an absent attribute, so an
     * {@code EncryptedData} without a {@code Type} is reported as not content.
     *
     * @param node the node to search from
     * @return {@code true} for content encryption or when no {@code EncryptedData} exists
     */
    private boolean isContent(Node node) {
        Element encryptedData = (Element) WSSecurityUtil.findElement(node, "EncryptedData", WSConstants.ENC_NS);
        if (encryptedData == null) {
            return true;
        }
        String type = encryptedData.getAttribute("Type");
        if (type == null) {
            return true;
        }
        return "http://www.w3.org/2001/04/xmlenc#Content".equals(type);
    }

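    /**
     * Reads the symmetric encryption algorithm URI from the {@code EncryptionMethod} element
     * found at or below the given node.
     *
     * <p>DOM {@code getAttribute} returns an empty string, not {@code null}, when the attribute
     * is absent. An empty value is therefore rejected here as well, so that a message without
     * an {@code Algorithm} fails with "noEncAlgo" instead of passing an empty URI on to key
     * preparation and cipher lookup.
     *
     * <p>NOTE(review): the returned URI is taken from the message as is. This method does not
     * compare it with a list of permitted algorithms; confirm whether callers or configuration
     * restrict it.
     *
     * @param node the node to search from
     * @return the non-empty value of the {@code Algorithm} attribute
     * @throws WSSecurityException code 2 ("noEncAlgo") when no {@code EncryptionMethod} element
     *                             is found or its {@code Algorithm} attribute is missing or empty
     */
    private String getEncAlgo(Node node) throws WSSecurityException {
        Element method = (Element) WSSecurityUtil.findElement(node, "EncryptionMethod", WSConstants.ENC_NS);
        String algorithm = (method == null) ? null : method.getAttribute("Algorithm");
        if (algorithm == null || algorithm.length() == 0) {
            throw new WSSecurityException(2, "noEncAlgo");
        }
        if (this.doDebug) {
            log.debug(new StringBuffer().append("Sym Enc Algo: ").append(algorithm).toString());
        }
        return algorithm;
    }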

    /**
     * Obtains a shared symmetric key from the callback handler, identified by the text of the
     * {@code KeyName} child of the given element.
     *
     * <p>The key name comes from the message, so the callback handler receives a
     * sender-chosen identifier. The catch clauses discard the callback failure's cause and
     * report only "noPassword".
     *
     * @param element         the element whose direct {@code KeyName} child names the key
     * @param str             the encryption algorithm URI passed to {@code prepareSecretKey}
     * @param callbackHandler handler asked for the key bytes (callback usage 4)
     * @return the secret key built from the bytes the handler supplied
     * @throws WSSecurityException code 3 ("noKeyname") when no key name text is present,
     *                             code 0 ("noPassword") when the handler fails or supplies no key
     */
    protected SecretKey getSharedKey(Element element, String str, CallbackHandler callbackHandler) throws WSSecurityException {
        Element keyNameElement = (Element) WSSecurityUtil.getDirectChild(element, SecurityTokenReference.KEY_NAME, WSConstants.SIG_NS);
        String keyName = null;
        if (keyNameElement != null) {
            // normalize() merges adjacent text nodes so the first child carries the whole name.
            keyNameElement.normalize();
            Node first = keyNameElement.getFirstChild();
            boolean firstIsText = first != null && first.getNodeType() == Node.TEXT_NODE;
            if (firstIsText) {
                keyName = first.getNodeValue();
            }
        }
        if (keyName == null) {
            throw new WSSecurityException(3, "noKeyname");
        }

        WSPasswordCallback keyRequest = new WSPasswordCallback(keyName, 4);
        try {
            callbackHandler.handle(new Callback[]{keyRequest});
            byte[] rawKey = keyRequest.getKey();
            if (rawKey != null) {
                return WSSecurityUtil.prepareSecretKey(str, rawKey);
            }
            throw new WSSecurityException(0, "noPassword", new Object[]{keyName});
        } catch (IOException ioFailure) {
            throw new WSSecurityException(0, "noPassword", new Object[]{keyName});
        } catch (UnsupportedCallbackException unsupported) {
            throw new WSSecurityException(0, "noPassword", new Object[]{keyName});
        }
    }

    /**
     * Concatenates the text of the element's direct text-node children and Base64-decodes the
     * result.
     *
     * <p>Only children of node type {@code TEXT_NODE} contribute. Other child types, such as
     * CDATA sections or nested elements, are ignored.
     *
     * @param element the element holding Base64 text
     * @return the bytes returned by {@code Base64.decode}
     * @throws WSSecurityException declared for failures raised while decoding
     */
    public static byte[] getDecodedBase64EncodedData(Element element) throws WSSecurityException {
        StringBuffer encoded = new StringBuffer();
        for (Node child = element.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child.getNodeType() == Node.TEXT_NODE) {
                encoded.append(((Text) child).getData());
            }
        }
        return Base64.decode(encoded.toString());
    }

    /**
     * Returns the bytes stored in {@code decryptedBytes}, which the encrypted-key handling sets
     * from the result of the asymmetric cipher's {@code doFinal}.
     *
     * <p>The array returned is the internal reference, not a copy. Callers share this key
     * material and any change they make to it.
     *
     * @return the stored decrypted bytes, or whatever the field currently holds
     */
    public byte[] getDecryptedBytes() {
        final byte[] keyBytes = this.decryptedBytes;
        return keyBytes;
    }

    /**
     * Forwards the millisecond-precision flag to this engine's {@code wssConfig}.
     *
     * @param z the value passed to {@code wssConfig.setPrecisionInMilliSeconds}
     */
    public void setPrecisionInMilliSeconds(boolean z) {
        wssConfig.setPrecisionInMilliSeconds(z);
    }

    /**
     * Resolves a class by name; the static initializer uses it to fill the cached
     * {@code class$...} fields.
     *
     * @param str the fully qualified class name
     * @return the class loaded by {@code Class.forName}
     * @throws NoClassDefFoundError carrying the original message when the class is not found
     */
    static Class class$(String str) {
        Class resolved;
        try {
            resolved = Class.forName(str);
        } catch (ClassNotFoundException notFound) {
            throw new NoClassDefFoundError(notFound.getMessage());
        }
        return resolved;
    }

    // Static set-up: resolves the cached class$... fields on first use, creates the two loggers,
    // records the (WSSConfig, Element) parameter types in constructorType, and builds the QNames
    // used to recognise Signature, EncryptedKey, ReferenceList and SAML assertion elements.
    static {
        if (class$org$apache$ws$security$WSSecurityEngine == null) {
            class$org$apache$ws$security$WSSecurityEngine = class$("org.apache.ws.security.WSSecurityEngine");
        }
        log = LogFactory.getLog(class$org$apache$ws$security$WSSecurityEngine.getName());
        // Separate logger name used for timing output.
        tlog = LogFactory.getLog("org.apache.ws.security.TIME");

        Class[] parameterTypes = new Class[2];
        if (class$org$apache$ws$security$WSSConfig == null) {
            class$org$apache$ws$security$WSSConfig = class$("org.apache.ws.security.WSSConfig");
        }
        parameterTypes[0] = class$org$apache$ws$security$WSSConfig;
        if (class$org$w3c$dom$Element == null) {
            class$org$w3c$dom$Element = class$("org.w3c.dom.Element");
        }
        parameterTypes[1] = class$org$w3c$dom$Element;
        constructorType = parameterTypes;

        engine = null;
        SIGNATURE = new QName(WSConstants.SIG_NS, "Signature");
        ENCRYPTED_KEY = new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN);
        REFERENCE_LIST = new QName(WSConstants.ENC_NS, WSConstants.REF_LIST_LN);
        SAML_TOKEN = new QName(WSConstants.SAML_NS, WSConstants.ASSERTION_LN);
    }
}
