package org.apache.wss4j.dom.message.token;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
import org.apache.wss4j.dom.common.SOAPUtil;
import org.apache.wss4j.dom.common.SecurityTestUtil;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.WSSecEncrypt;
import org.apache.wss4j.dom.message.WSSecHeader;
import org.apache.wss4j.dom.message.WSSecSignature;
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.utils.Base64;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;

/* loaded from: input_file:org/apache/wss4j/dom/message/token/BSTKerberosTest.class */
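/**
 * Tests for creating, signing, encrypting with, and processing a WS-Security
 * BinarySecurityToken whose ValueType is the Kerberos AP-REQ token type.
 *
 * <p>None of these tests talk to a KDC. The "Kerberos token" is either the fixed
 * string {@code "12345678"} or a freshly generated AES key used as a stand-in for a
 * session key. They therefore exercise token plumbing (serialisation, referencing,
 * custom validation hooks), not Kerberos authentication itself.
 */
public class BSTKerberosTest extends Assert {
    private static final Logger LOG = LoggerFactory.getLogger(BSTKerberosTest.class);
    private static final String AP_REQ = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
    private static final String BASE64_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    private static final String AP_REQ_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1";
    private static final String HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
    private static final String AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";

    // Fixed token content accepted by KerberosValidator; the "bad" variant differs in the last digit.
    private static final String TEST_TOKEN = "12345678";
    private static final String BAD_TEST_TOKEN = "12345679";

    // Alias and password passed to WSSecSignature.setUserInfo for the signing tests.
    // These are test-fixture credentials only; they must never be reused outside the test keystore.
    private static final String SIGNING_ALIAS = "16c73ab6-b892-458f-abf5-2f875f74882e";
    private static final String SIGNING_PASSWORD = "security";

    private final WSSecurityEngine secEngine = new WSSecurityEngine();
    private final CallbackHandler callbackHandler = new KeystoreCallbackHandler();
    private final Crypto crypto;

    /**
     * Test-only validator: accepts a BinarySecurityToken only if it has the AP-REQ
     * ValueType and its content equals the fixed {@link #TEST_TOKEN} bytes.
     *
     * <p>This is a stub for exercising the custom-validator hook. Comparing raw bytes
     * against a constant is not Kerberos validation: a production validator has to have
     * the AP-REQ cryptographically verified (for example through GSS-API against the
     * service's own key) before trusting the credential.
     */
    private static class KerberosValidator implements Validator {
        private KerberosValidator() {
        }

        /**
         * @param credential  the credential carrying the BinarySecurityToken to check
         * @param requestData unused by this stub
         * @return the same credential when the token matches the expected test value
         * @throws WSSecurityException FAILURE when the token is missing or has the wrong
         *     ValueType, FAILED_AUTHENTICATION when the token bytes do not match
         */
        @Override
        public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
            BinarySecurity token = credential.getBinarySecurityToken();
            if (token == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
            if (!AP_REQ.equals(token.getValueType())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
            }
            // Explicit charset: the original relied on the platform default encoding.
            // Arrays.equals is not constant-time; acceptable for a fixed test value, but code that
            // compares real secrets should use a constant-time comparison such as MessageDigest.isEqual.
            if (Arrays.equals(token.getToken(), TEST_TOKEN.getBytes(StandardCharsets.UTF_8))) {
                return credential;
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /** Delegates to the shared test utility's cleanup once all tests in the class have run. */
    @AfterClass
    public static void cleanup() throws Exception {
        SecurityTestUtil.cleanup();
    }

    /**
     * Initialises the WSS4J configuration and loads the default Crypto instance.
     *
     * @throws Exception if the Crypto instance cannot be created
     */
    public BSTKerberosTest() throws Exception {
        WSSConfig.init();
        this.crypto = CryptoFactory.getInstance();
    }

    /** Builds a BinarySecurityToken, adds it to the security header, and checks its properties read back. */
    @Test
    public void testCreateBinarySecurityToken() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        bst.setToken(TEST_TOKEN.getBytes(StandardCharsets.UTF_8));
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
        logDocument(doc);

        assertEquals(AP_REQ, bst.getValueType());
        assertEquals(BASE64_NS, bst.getEncodingType());
        assertNotNull(bst.getToken());
    }

    /**
     * Signs the BinarySecurityToken element (referenced by its wsu:Id) and verifies the result.
     * Covering the token with the signature is what binds it to this message.
     */
    @Test
    public void testSignBST() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        bst.setToken(TEST_TOKEN.getBytes(StandardCharsets.UTF_8));
        bst.setID("Id-" + bst.hashCode());
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());

        WSSecSignature signature = newKeystoreSignature();
        List<WSEncryptionPart> parts = new ArrayList<>();
        parts.add(new WSEncryptionPart(bst.getID()));
        signature.setParts(parts);

        Document signedDoc = signature.build(doc, this.crypto, secHeader);
        logDocument(signedDoc);
        verify(signedDoc);
    }

    /**
     * Same as {@link #testSignBST()} but also adds a Timestamp (TTL 600) and includes it in the
     * signed parts. A signed timestamp only limits replay if the receiver actually enforces freshness.
     */
    @Test
    public void testSignBSTTimestamp() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        bst.setToken(TEST_TOKEN.getBytes(StandardCharsets.UTF_8));
        bst.setID("Id-" + bst.hashCode());
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());

        WSSecTimestamp timestamp = new WSSecTimestamp();
        timestamp.setTimeToLive(600);
        timestamp.build(doc, secHeader);

        WSSecSignature signature = newKeystoreSignature();
        List<WSEncryptionPart> parts = new ArrayList<>();
        parts.add(new WSEncryptionPart(bst.getID()));
        parts.add(new WSEncryptionPart(timestamp.getId()));
        signature.setParts(parts);

        Document signedDoc = signature.build(doc, this.crypto, secHeader);
        logDocument(signedDoc);
        verify(signedDoc);
    }

    /**
     * Processes a message carrying the token with the default engine and checks that the token
     * appears in the results with its ValueType and EncodingType intact.
     *
     * <p>The assertions only show that the token is parsed and surfaced; they do not show that
     * its content was authenticated.
     */
    @Test
    public void testProcessToken() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        bst.setToken(TEST_TOKEN.getBytes(StandardCharsets.UTF_8));
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
        logDocument(doc);

        // 4096 (0x1000) appears to be the action code for binary security tokens (WSConstants.BST) — confirm.
        BinarySecurity processed = (BinarySecurity) WSSecurityUtil.fetchActionResult(verify(doc), 4096).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        assertNotNull(processed);
        assertEquals(AP_REQ, processed.getValueType());
        assertEquals(BASE64_NS, processed.getEncodingType());
        assertNotNull(processed.getToken());
    }

    /**
     * Registers {@link KerberosValidator} for binary tokens and checks that the expected token is
     * accepted while a token with different content is rejected.
     */
    @Test
    public void testProcessTokenCustomValidator() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        bst.setToken(TEST_TOKEN.getBytes(StandardCharsets.UTF_8));
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
        logDocument(doc);

        WSSecurityEngine customEngine = new WSSecurityEngine();
        WSSConfig config = WSSConfig.getNewInstance();
        config.setValidator(WSSecurityEngine.BINARY_TOKEN, new KerberosValidator());
        customEngine.setWssConfig(config);

        // Positive case: must complete without throwing.
        customEngine.processSecurityHeader(doc, (String) null, this.callbackHandler, this.crypto);

        // Negative case: change the token content on the element already in the document
        // (presumably setToken updates the DOM in place — the second pass relies on that).
        bst.setToken(BAD_TEST_TOKEN.getBytes(StandardCharsets.UTF_8));
        try {
            customEngine.processSecurityHeader(doc, (String) null, this.callbackHandler, this.crypto);
            fail("Failure expected on a bad token");
        } catch (WSSecurityException expected) {
            // Rejection by the custom validator is the outcome under test.
        }
    }

    /**
     * Builds an HMAC-SHA1 signature keyed by a random AES key, referencing the token by its Id
     * ("DR" presumably stands for direct reference). The test only checks that build() completes.
     */
    @Test
    public void testKerberosSignatureDRCreation() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        byte[] keyBytes = newAesKey().getEncoded();
        // Test shortcut: the raw key bytes are placed in the token, so the secret appears
        // Base64-encoded in the message (and in the debug log). A real AP-REQ never carries
        // the session key in the clear.
        bst.setToken(keyBytes);
        bst.setID("Id-" + bst.hashCode());
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());

        WSSecSignature signature = new WSSecSignature();
        signature.setSignatureAlgorithm(HMAC_SHA1);
        // 9 appears to correspond to WSConstants.CUSTOM_SYMM_SIGNING — confirm.
        signature.setKeyIdentifierType(9);
        signature.setCustomTokenValueType(AP_REQ);
        signature.setCustomTokenId(bst.getID());
        signature.setSecretKey(keyBytes);

        Document signedDoc = signature.build(doc, this.crypto, secHeader);
        logDocument(signedDoc);
    }

    /**
     * Builds an HMAC-SHA1 signature keyed by a random AES key, referencing the token by the
     * Base64 of its digest ("KI" presumably stands for key identifier). The test only checks
     * that build() completes.
     */
    @Test
    public void testKerberosSignatureKICreation() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        byte[] keyBytes = newAesKey().getEncoded();
        // Test shortcut: raw key bytes as token content; see testKerberosSignatureDRCreation.
        bst.setToken(keyBytes);
        bst.setID("Id-" + bst.hashCode());
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());

        WSSecSignature signature = new WSSecSignature();
        signature.setSignatureAlgorithm(HMAC_SHA1);
        // 12 appears to correspond to WSConstants.CUSTOM_KEY_IDENTIFIER — confirm.
        signature.setKeyIdentifierType(12);
        signature.setCustomTokenValueType(AP_REQ_SHA1);
        // The ValueType name implies a SHA-1 digest; generateDigest's algorithm is not visible here.
        signature.setCustomTokenId(Base64.encode(WSSecurityUtil.generateDigest(keyBytes)));
        signature.setSecretKey(keyBytes);

        Document signedDoc = signature.build(doc, this.crypto, secHeader);
        logDocument(signedDoc);
    }

    /**
     * Encrypts with AES-128-CBC under a random key, referencing the token by its Id. The symmetric
     * key itself is not wrapped (setEncryptSymmKey(false)). The test only checks that build() completes.
     *
     * <p>CBC provides confidentiality only. Production configurations should sign the encrypted
     * content or prefer an authenticated mode such as
     * {@code http://www.w3.org/2009/xmlenc11#aes128-gcm}.
     */
    @Test
    public void testKerberosEncryptionDRCreation() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        SecretKey key = newAesKey();
        // Test shortcut: the raw key bytes travel in the token in the clear.
        bst.setToken(key.getEncoded());
        bst.setID("Id-" + bst.hashCode());
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());

        WSSecEncrypt encrypt = new WSSecEncrypt();
        encrypt.setSymmetricEncAlgorithm(AES128_CBC);
        encrypt.setSymmetricKey(key);
        encrypt.setEncryptSymmKey(false);
        encrypt.setCustomReferenceValue(AP_REQ);
        encrypt.setEncKeyId(bst.getID());

        Document encryptedDoc = encrypt.build(doc, this.crypto, secHeader);
        logDocument(encryptedDoc);
    }

    /**
     * Encrypts with AES-128-CBC under a random key, referencing the token by the Base64 of its
     * digest. The test only checks that build() completes; the CBC caveat on
     * {@link #testKerberosEncryptionDRCreation()} applies here as well.
     */
    @Test
    public void testKerberosEncryptionKICreation() throws Exception {
        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
        WSSecHeader secHeader = newSecurityHeader(doc);
        BinarySecurity bst = newApReqToken(doc);
        SecretKey key = newAesKey();
        byte[] keyBytes = key.getEncoded();
        // Test shortcut: the raw key bytes travel in the token in the clear.
        bst.setToken(keyBytes);
        bst.setID("Id-" + bst.hashCode());
        WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());

        WSSecEncrypt encrypt = new WSSecEncrypt();
        encrypt.setSymmetricEncAlgorithm(AES128_CBC);
        encrypt.setSymmetricKey(key);
        encrypt.setEncryptSymmKey(false);
        encrypt.setCustomReferenceValue(AP_REQ_SHA1);
        encrypt.setEncKeyId(Base64.encode(WSSecurityUtil.generateDigest(keyBytes)));

        Document encryptedDoc = encrypt.build(doc, this.crypto, secHeader);
        logDocument(encryptedDoc);
    }

    /**
     * Runs the shared security engine over the document's security header.
     *
     * @param document the SOAP document to process
     * @return the engine results for the processed header
     * @throws Exception if processing or validation fails
     */
    // NOTE(review): the return type names org.apache.wss4j.dom.WSSecurityEngineResult while the file
    // imports org.apache.wss4j.dom.engine.WSSecurityEngineResult — possibly a decompilation artefact; confirm.
    private List<org.apache.wss4j.dom.WSSecurityEngineResult> verify(Document document) throws Exception {
        List<org.apache.wss4j.dom.WSSecurityEngineResult> results = this.secEngine.processSecurityHeader(document, (String) null, this.callbackHandler, this.crypto);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Verified and decrypted message:");
            LOG.debug(XMLUtils.PrettyDocumentToString(document));
        }
        return results;
    }

    /** Creates a WSSecHeader and inserts the wsse:Security header into the given document. */
    private static WSSecHeader newSecurityHeader(Document doc) throws Exception {
        WSSecHeader secHeader = new WSSecHeader();
        secHeader.insertSecurityHeader(doc);
        return secHeader;
    }

    /** Creates a BinarySecurityToken with the AP-REQ ValueType and Base64 EncodingType; no content is set. */
    private static BinarySecurity newApReqToken(Document doc) throws Exception {
        BinarySecurity bst = new BinarySecurity(doc);
        bst.setValueType(AP_REQ);
        bst.setEncodingType(BASE64_NS);
        return bst;
    }

    /** Creates a signature builder configured with the test keystore alias and password. */
    private static WSSecSignature newKeystoreSignature() throws Exception {
        WSSecSignature signature = new WSSecSignature();
        signature.setUserInfo(SIGNING_ALIAS, SIGNING_PASSWORD);
        // 2 appears to correspond to WSConstants.ISSUER_SERIAL — confirm.
        signature.setKeyIdentifierType(2);
        return signature;
    }

    /** Generates a random 128-bit AES key used as a stand-in for a Kerberos session key. */
    private static SecretKey newAesKey() throws Exception {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
        keyGenerator.init(128);
        return keyGenerator.generateKey();
    }

    /** Pretty-prints the document at debug level; the output includes any token content in the message. */
    private static void logDocument(Document doc) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug(XMLUtils.PrettyDocumentToString(doc));
        }
    }
}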
