package org.apache.cxf.sts.token.provider;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.sts.STSConstants;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.sts.request.ReceivedCredential;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.bean.KeyInfoBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/sts/token/provider/DefaultSubjectProvider.class */
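/**
 * Default {@link SubjectProvider} used when the STS issues a SAML assertion.
 *
 * <p>It resolves the subject principal from the request (a validated OnBehalfOf token, a validated
 * ValidateTarget token, or the authenticated caller) and, depending on the requested KeyType, binds
 * key material into the subject's KeyInfo:
 * <ul>
 *   <li>SymmetricKey: the proof secret is wrapped for the configured encryption certificate and
 *       placed in an {@code EncryptedKey} inside a {@code ds:KeyInfo} element;</li>
 *   <li>PublicKey: the UseKey certificate / public key supplied by the requestor is embedded,
 *       optionally after trust validation against the signature Crypto;</li>
 *   <li>anything else (e.g. Bearer): no KeyInfo is produced.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output; the body of {@link #createSubjectBean} was not
 * recovered and is kept as the decompiler's stub.
 */
public class DefaultSubjectProvider implements SubjectProvider {
    private static final Logger LOG = LogUtils.getL7dLogger(DefaultSubjectProvider.class);

    // WS-Trust 1.3 KeyType URIs that require holder-of-key confirmation.
    private static final String SYMMETRIC_KEY_KEYTYPE =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    private static final String PUBLIC_KEY_KEYTYPE =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";

    // Token type identifiers that select SAML 1.1 confirmation method URIs.
    private static final String WSS_SAML1_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML1_ASSERTION_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Subject confirmation method URIs.
    private static final String SAML1_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
    private static final String SAML1_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer";
    private static final String SAML2_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key";
    private static final String SAML2_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    // XML namespaces used when building the ds:KeyInfo wrapper.
    private static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";

    // NameQualifier written into the subject NameID; defaults to the CXF STS namespace.
    private String subjectNameQualifier = "http://cxf.apache.org/sts";
    // NameID Format written into the subject NameID; null means no format is set (assumption — the
    // consumer of this field is the non-decompiled createSubjectBean).
    private String subjectNameIDFormat;

    /**
     * Sets the NameQualifier attribute placed on the subject NameID.
     *
     * @param subjectNameQualifier the qualifier URI; may be {@code null}
     */
    public void setSubjectNameQualifier(String subjectNameQualifier) {
        this.subjectNameQualifier = subjectNameQualifier;
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Setting Subject Name Qualifier: " + subjectNameQualifier);
        }
    }

    /**
     * Sets the Format attribute placed on the subject NameID.
     *
     * @param subjectNameIDFormat the NameID format URI; may be {@code null}
     */
    public void setSubjectNameIDFormat(String subjectNameIDFormat) {
        this.subjectNameIDFormat = subjectNameIDFormat;
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Setting Subject Name format: " + subjectNameIDFormat);
        }
    }

    /**
     * Builds the assertion subject for the current request.
     *
     * @param subjectProviderParameters the request context (provider parameters, document, secret)
     * @return the populated {@link SubjectBean}, with KeyInfo attached when the KeyType calls for it
     * @throws STSException with {@link STSException#REQUEST_FAILED} if no principal can be resolved
     */
    @Override // org.apache.cxf.sts.token.provider.SubjectProvider
    public SubjectBean getSubject(SubjectProviderParameters subjectProviderParameters) {
        Principal principal = getPrincipal(subjectProviderParameters);
        if (principal == null) {
            // A missing principal means the request was neither authenticated nor carried a
            // validated OnBehalfOf/ValidateTarget token; never issue an assertion in that case.
            LOG.fine("Error in getting principal");
            throw new STSException("Error in getting principal", STSException.REQUEST_FAILED);
        }
        SubjectBean subjectBean = createSubjectBean(principal, subjectProviderParameters);
        subjectBean.setKeyInfo(createKeyInfo(subjectProviderParameters));
        return subjectBean;
    }

    /**
     * Resolves the principal the assertion is issued for.
     *
     * <p>Precedence: a validated OnBehalfOf token, then a validated ValidateTarget token, then the
     * caller's own principal. An OnBehalfOf or ValidateTarget token whose state is not
     * {@code STATE.VALID} yields {@code null} rather than falling through to the caller principal.
     *
     * @param subjectProviderParameters the request context
     * @return the resolved principal, or {@code null} if none is available
     */
    protected Principal getPrincipal(SubjectProviderParameters subjectProviderParameters) {
        TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();

        ReceivedToken onBehalfOf = providerParameters.getTokenRequirements().getOnBehalfOf();
        if (onBehalfOf != null) {
            return validatedPrincipal(onBehalfOf);
        }

        ReceivedToken validateTarget = providerParameters.getTokenRequirements().getValidateTarget();
        if (validateTarget != null) {
            return validatedPrincipal(validateTarget);
        }

        return providerParameters.getPrincipal();
    }

    /**
     * Returns the principal of a received token only if that token has been validated.
     *
     * @param token the received token (non-null)
     * @return the token's principal when its state is {@code STATE.VALID}, otherwise {@code null}
     */
    private static Principal validatedPrincipal(ReceivedToken token) {
        // Null-safe on the token state: an unset state is treated like "not valid".
        if (ReceivedToken.STATE.VALID.equals(token.getState())) {
            return token.getPrincipal();
        }
        return null;
    }

    /*
     * NOTE(review): the body of this method was not recovered by the decompiler (JADX reported a
     * failed code restructure; the only surviving hint was `r15 = (String) r0.getValue()`). The
     * stub below is the decompiler's placeholder and is kept unchanged. getSubject() expects it to
     * return the SubjectBean for the given principal; presumably it also applies subjectNameQualifier,
     * subjectNameIDFormat and getSubjectConfirmationMethod — verify against the real source.
     */
    protected org.apache.wss4j.common.saml.bean.SubjectBean createSubjectBean(java.security.Principal r7, org.apache.cxf.sts.token.provider.SubjectProviderParameters r8) {
        throw new UnsupportedOperationException("Method not decompiled: org.apache.cxf.sts.token.provider.DefaultSubjectProvider.createSubjectBean(java.security.Principal, org.apache.cxf.sts.token.provider.SubjectProviderParameters):org.apache.wss4j.common.saml.bean.SubjectBean");
    }

    /**
     * Chooses the SAML subject confirmation method URI for a token type / key type pair.
     *
     * <p>SymmetricKey and PublicKey KeyTypes map to holder-of-key; every other KeyType (including
     * {@code null}) maps to bearer. SAML 1.1 token types select the 1.0 confirmation URIs, every
     * other token type (including {@code null}) the 2.0 ones.
     *
     * @param tokenType the requested TokenType URI; may be {@code null}
     * @param keyType   the requested KeyType URI; may be {@code null}
     * @return the confirmation method URI
     */
    protected String getSubjectConfirmationMethod(String tokenType, String keyType) {
        boolean holderOfKey = SYMMETRIC_KEY_KEYTYPE.equals(keyType) || PUBLIC_KEY_KEYTYPE.equals(keyType);
        boolean saml1 = WSS_SAML1_TOKEN_TYPE.equals(tokenType) || SAML1_ASSERTION_NS.equals(tokenType);
        if (saml1) {
            return holderOfKey ? SAML1_HOLDER_OF_KEY : SAML1_BEARER;
        }
        return holderOfKey ? SAML2_HOLDER_OF_KEY : SAML2_BEARER;
    }

    /**
     * Builds the KeyInfo bound to the subject for the requested KeyType.
     *
     * @param subjectProviderParameters the request context
     * @return an encrypted-key KeyInfo for SymmetricKey, a certificate/public-key KeyInfo for
     *         PublicKey, or {@code null} for any other KeyType
     * @throws STSException if required configuration or request data is missing, or if UseKey
     *         trust validation fails
     */
    protected KeyInfoBean createKeyInfo(SubjectProviderParameters subjectProviderParameters) {
        TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
        KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
        STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
        String keyType = keyRequirements.getKeyType();

        if (SYMMETRIC_KEY_KEYTYPE.equals(keyType)) {
            return createSymmetricKeyKeyInfo(subjectProviderParameters, providerParameters, stsProperties);
        }
        if (PUBLIC_KEY_KEYTYPE.equals(keyType)) {
            return createUseKeyKeyInfo(keyRequirements.getReceivedCredential(), stsProperties);
        }
        // Bearer (or unknown) KeyType: no key material is bound to the subject.
        return null;
    }

    /**
     * PublicKey KeyType: embeds the requestor-supplied UseKey credential, optionally after trust
     * validation.
     *
     * <p>Trust validation only runs when both {@code validateUseKey} is enabled and a signature
     * Crypto is configured; if {@code validateUseKey} is enabled but no signature Crypto is set, the
     * UseKey is embedded without any trust check. Certificate validation is invoked with wss4j's
     * {@code enableRevocation} flag set to {@code false}, so no CRL/OCSP check is performed here.
     *
     * @param receivedCredential the UseKey credential from the request
     * @param stsProperties      STS configuration
     * @return the KeyInfo carrying the certificate (preferred) or the public key
     * @throws STSException with {@link STSException#REQUEST_FAILED} if no credential was received
     *         or trust validation fails
     */
    private static KeyInfoBean createUseKeyKeyInfo(ReceivedCredential receivedCredential,
                                                   STSPropertiesMBean stsProperties) {
        if (receivedCredential == null) {
            // Previously a NullPointerException; surface it as a request failure instead.
            LOG.fine("No UseKey credential was received for the PublicKey KeyType");
            throw new STSException("No UseKey credential was received", STSException.REQUEST_FAILED);
        }
        X509Certificate useKeyCert = receivedCredential.getX509Cert();
        PublicKey useKeyPublicKey = receivedCredential.getPublicKey();

        if (stsProperties.isValidateUseKey() && stsProperties.getSignatureCrypto() != null) {
            Crypto signatureCrypto = stsProperties.getSignatureCrypto();
            if (useKeyCert != null) {
                try {
                    signatureCrypto.verifyTrust(new X509Certificate[]{useKeyCert}, false, Collections.emptyList(), null);
                } catch (WSSecurityException e) {
                    LOG.log(Level.FINE, "Error in trust validation of UseKey: ", (Throwable) e);
                    throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
                }
            }
            if (useKeyPublicKey != null) {
                try {
                    signatureCrypto.verifyTrust(useKeyPublicKey);
                } catch (WSSecurityException e) {
                    LOG.log(Level.FINE, "Error in trust validation of UseKey: ", (Throwable) e);
                    throw new STSException("Error in trust validation of UseKey", STSException.REQUEST_FAILED);
                }
            }
        }
        return createPublicKeyKeyInfo(useKeyCert, useKeyPublicKey);
    }

    /**
     * SymmetricKey KeyType: wraps the proof secret for the configured encryption certificate.
     *
     * <p>The encryption name comes from the request's EncryptionProperties, falling back to the STS
     * encryption username. The special value {@code STSConstants.USE_ENDPOINT_AS_CERT_ALIAS} selects
     * the certificate by the AppliesTo endpoint address instead of by alias.
     *
     * @param subjectProviderParameters the request context (supplies the secret and the DOM document)
     * @param providerParameters        token provider parameters
     * @param stsProperties             STS configuration
     * @return the KeyInfo wrapping the encrypted key
     * @throws STSException if no encryption name/Crypto is configured, AppliesTo is missing for the
     *         endpoint alias mode, no certificate is found, or encryption fails
     */
    private static KeyInfoBean createSymmetricKeyKeyInfo(SubjectProviderParameters subjectProviderParameters,
                                                         TokenProviderParameters providerParameters,
                                                         STSPropertiesMBean stsProperties) {
        Crypto encryptionCrypto = stsProperties.getEncryptionCrypto();
        EncryptionProperties encryptionProperties = providerParameters.getEncryptionProperties();

        String encryptionName = encryptionProperties.getEncryptionName();
        if (encryptionName == null) {
            encryptionName = stsProperties.getEncryptionUsername();
        }
        if (encryptionName == null) {
            LOG.fine("No encryption Name is configured for Symmetric KeyType");
            throw new STSException("No Encryption Name is configured", STSException.REQUEST_FAILED);
        }
        if (encryptionCrypto == null) {
            // Previously a NullPointerException on getX509Certificates; report it as configuration.
            LOG.fine("No encryption Crypto is configured for Symmetric KeyType");
            throw new STSException("No Encryption Crypto is configured", STSException.REQUEST_FAILED);
        }

        CryptoType cryptoType;
        if (STSConstants.USE_ENDPOINT_AS_CERT_ALIAS.equals(encryptionName)) {
            if (providerParameters.getAppliesToAddress() == null) {
                throw new STSException("AppliesTo is not initilaized for encryption name useEndpointAsCertAlias");
            }
            cryptoType = new CryptoType(CryptoType.TYPE.ENDPOINT);
            cryptoType.setEndpoint(providerParameters.getAppliesToAddress());
        } else {
            cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
            cryptoType.setAlias(encryptionName);
        }

        try {
            X509Certificate[] certificates = encryptionCrypto.getX509Certificates(cryptoType);
            if (certificates == null || certificates.length == 0) {
                throw new STSException("Encryption certificate is not found for alias: " + encryptionName);
            }
            // Only the first certificate of the resolved chain is used as the wrapping certificate.
            return createEncryptedKeyKeyInfo(certificates[0], subjectProviderParameters.getSecret(),
                                             subjectProviderParameters.getDoc(), encryptionProperties,
                                             encryptionCrypto);
        } catch (WSSecurityException e) {
            LOG.log(Level.WARNING, "", (Throwable) e);
            throw new STSException(e.getMessage(), e);
        }
    }

    /**
     * Creates a KeyInfo that carries the UseKey directly.
     *
     * <p>The certificate takes precedence over a bare public key. If both are {@code null} the
     * returned bean carries no key material at all; callers are expected to have ensured a UseKey
     * is present for the PublicKey KeyType.
     *
     * @param x509Certificate the UseKey certificate, or {@code null}
     * @param publicKey       the UseKey public key, or {@code null}
     * @return the populated (possibly empty) KeyInfo bean
     */
    protected static KeyInfoBean createPublicKeyKeyInfo(X509Certificate x509Certificate, PublicKey publicKey) {
        KeyInfoBean keyInfoBean = new KeyInfoBean();
        if (x509Certificate != null) {
            keyInfoBean.setCertificate(x509Certificate);
            keyInfoBean.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);
        } else if (publicKey != null) {
            keyInfoBean.setPublicKey(publicKey);
            keyInfoBean.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.KEY_VALUE);
        }
        return keyInfoBean;
    }

    /**
     * Creates a KeyInfo whose content is an {@code xenc:EncryptedKey} wrapped in {@code ds:KeyInfo}.
     *
     * <p>The secret is wrapped for {@code x509Certificate} using the key-wrap algorithm and key
     * identifier type from {@code encryptionProperties}. When {@code secret} is {@code null} a fresh
     * key is generated for the configured encryption algorithm, but that generated key is not
     * returned from this method — only its wrapped form ends up in the assertion. Presumably callers
     * always pass the proof secret; verify against the token provider.
     *
     * @param x509Certificate      the recipient certificate the secret is wrapped for
     * @param secret               the raw proof secret, or {@code null} to generate one
     * @param document             the DOM document the elements are created in
     * @param encryptionProperties algorithm and key identifier configuration
     * @param crypto               Crypto used to perform the key wrap
     * @return the KeyInfo bean holding the {@code ds:KeyInfo} element
     * @throws WSSecurityException if key preparation or wrapping fails
     */
    protected static KeyInfoBean createEncryptedKeyKeyInfo(X509Certificate x509Certificate, byte[] secret, Document document, EncryptionProperties encryptionProperties, Crypto crypto) throws WSSecurityException {
        WSSecEncryptedKey encryptedKeyBuilder = new WSSecEncryptedKey(document);
        encryptedKeyBuilder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
        encryptedKeyBuilder.setUseThisCert(x509Certificate);
        encryptedKeyBuilder.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());

        String encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm();
        if (secret != null) {
            encryptedKeyBuilder.prepare(crypto, KeyUtils.prepareSecretKey(encryptionAlgorithm, secret));
        } else {
            encryptedKeyBuilder.prepare(crypto, KeyUtils.getKeyGenerator(encryptionAlgorithm).generateKey());
        }
        Element encryptedKeyElement = encryptedKeyBuilder.getEncryptedKeyElement();

        // Wrap the EncryptedKey in a ds:KeyInfo with an explicit ds namespace declaration.
        Element keyInfoElement = document.createElementNS(DS_NS, "ds:KeyInfo");
        keyInfoElement.setAttributeNS(XMLNS_NS, "xmlns:ds", DS_NS);
        keyInfoElement.appendChild(encryptedKeyElement);

        KeyInfoBean keyInfoBean = new KeyInfoBean();
        keyInfoBean.setElement(keyInfoElement);
        return keyInfoBean;
    }
}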
