package com.ibm.xml.soapsec.enc;

import com.ibm.ws.wssecurity.xss4j.dsig.util.Base64;
import com.ibm.ws.wssecurity.xss4j.enc.KeyInfoResolverBase;
import com.ibm.ws.wssecurity.xss4j.enc.KeyInfoResolvingException;
import com.ibm.ws.wssecurity.xss4j.enc.type.EncryptionMethod;
import com.ibm.ws.wssecurity.xss4j.enc.type.KeyInfo;
import com.ibm.ws.wssecurity.xss4j.enc.type.KeyName;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.config.KeyLocator;
import com.ibm.wsspi.wssecurity.config.KeyLocatorException;
import com.ibm.xml.soapsec.Constants;
import com.ibm.xml.soapsec.util.DOMUtil;
import com.ibm.xml.soapsec.util.Hex;
import com.ibm.xml.soapsec.util.NamespaceUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;
import javax.faces.validator.BeanValidator;
import javax.xml.namespace.QName;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/com.ibm.ws.webservices.thinclient_8.5.0.jar:com/ibm/xml/soapsec/enc/KeyIdentifierKeyResolver.class */
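/**
 * Resolves {@code wsse:SecurityTokenReference/wsse:KeyIdentifier} references to keys for
 * XML Encryption, and builds such references when a message is being produced.
 *
 * <p>Two identifier shapes are supported, selected by the {@code IdentifierType} QName:
 * <ul>
 *   <li>the 20-octet form ({@code ITSHA1}): the certificate's SubjectKeyIdentifier
 *       extension when it is exactly 20 octets long, otherwise the SHA-1 of the
 *       {@code subjectPublicKey} BIT STRING of the certificate's SubjectPublicKeyInfo;</li>
 *   <li>the 8-octet form ({@code IT60SHA1}): the SubjectKeyIdentifier when it is exactly
 *       8 octets long, otherwise that same SHA-1 folded to 8 octets by
 *       {@link #truncateTo60Octets}.</li>
 * </ul>
 *
 * <p>On construction every alias for which the {@link KeyLocator} returns a certificate
 * is mapped, in both shapes, to its alias. Resolving a reference is then a table lookup
 * followed by a {@link KeyLocator} call for the mode (encrypt or decrypt) the base class
 * was set to. The identifiers are derived from public material only, so the tables hold
 * nothing secret; keys themselves are never cached here.
 *
 * <p>The {@code IdentifierType} and {@code EncodingType} attributes of an incoming
 * reference are attacker-controlled. Unrecognised values are reported as a
 * {@link KeyInfoResolvingException} rather than an "internal error".
 */
public class KeyIdentifierKeyResolver extends KeyInfoResolverBase {
    private static final String comp = "security.wssecurity";
    private static final int ITSHA1_OCTETS = 20;
    private static final int IT60SHA1_OCTETS = 8;
    private static final String OID_KEYIDENTIFIER = "2.5.29.14";
    private static final byte BER_SEQUENCE = 48;
    private static final byte BER_BITSTRING = 3;
    private static final byte BER_OCTETSTRING = 4;
    /** Passed to {@link #berHeader} to skip the tag check. */
    private static final int ANY_TAG = -1;
    /**
     * Argument separator in entry/exit trace strings. The decompiled original spelled this
     * as {@code javax.faces.validator.BeanValidator.VALIDATION_GROUPS_DELIMITER}: the
     * decompiler matched the inlined "," to an unrelated JSF constant. A WS-Security
     * resolver should not depend on JSF for a comma.
     */
    private static final String SEP = ",";
    private static final TraceComponent tc = Tr.register(KeyIdentifierKeyResolver.class, Constants.TR_GROUP, "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    private static final String clsName = KeyIdentifierKeyResolver.class.getName();

    private final KeyLocator fKeyLocator;
    /** base64(20-octet identifier) -> key-locator alias, built once in the constructor. */
    private final Map<String, String> fId2Name;
    /** base64(8-octet "6.0" identifier) -> key-locator alias, built once in the constructor. */
    private final Map<String, String> fId602Name;
    /** true when this resolver produces references (sender side), false when it consumes them. */
    private final boolean sender;
    private final QName _ITSHA1;
    private final QName _IT60SHA1;
    private final QName _BASE64_BINARY;
    private final QName _HEX_BINARY;

    /**
     * Builds the identifier tables for every certificate the locator knows.
     *
     * @param keyLocator source of aliases, certificates and keys
     * @param i          operation mode handed to {@link KeyInfoResolverBase#setOperationMode}
     * @param map        configuration context; supplies the WS-Security namespace and is
     *                   passed to {@code keyLocator.getNames}
     * @param z          sender side when true (QNames are built in the configured namespace),
     *                   receiver side when false (fixed {@code *_RCVR} QNames)
     * @throws KeyLocatorException      from {@code keyLocator.getNames}; a failure to fetch a
     *                                  single certificate is traced and skipped instead
     * @throws NoSuchAlgorithmException if SHA-1 is unavailable
     * @throws SoapSecurityException    from the QName/namespace helpers
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public KeyIdentifierKeyResolver(KeyLocator keyLocator, int i, Map map, boolean z) throws KeyLocatorException, NoSuchAlgorithmException, SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "KeyIdentifierKeyResolver(" + keyLocator + SEP + i + ")");
        }
        super.setOperationMode(i);
        this.fKeyLocator = keyLocator;
        this.fId2Name = new HashMap<String, String>();
        this.fId602Name = new HashMap<String, String>();
        this.sender = z;
        String wssens = Constants.getWSSENS(map);
        if (z) {
            this._ITSHA1 = Constants.getQName(wssens, Constants.ITSHA1_SENT_QNAME);
            this._IT60SHA1 = Constants.getQName(wssens, Constants.IT60SHA1_SENT_QNAME);
            this._BASE64_BINARY = Constants.getQName(wssens, Constants.BASE64_BINARY_SENT_QNAME);
            this._HEX_BINARY = Constants.getQName(wssens, Constants.HEX_BINARY_SENT_QNAME);
        } else {
            this._ITSHA1 = Constants.ITSHA1_RCVR;
            this._IT60SHA1 = Constants.IT60SHA1_RCVR;
            this._BASE64_BINARY = Constants.BASE64_BINARY_RCVR;
            this._HEX_BINARY = Constants.HEX_BINARY_RCVR;
        }
        for (String alias : keyLocator.getNames(map)) {
            Certificate certificate = null;
            try {
                certificate = keyLocator.getCertificate(alias);
            } catch (KeyLocatorException e) {
                // Best effort, as before: an alias with no certificate (a symmetric key, say)
                // can never be referenced by a KeyIdentifier, so it is skipped rather than
                // failing construction -- but no longer silently.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No certificate for key locator entry '" + alias + "': " + e);
                }
            }
            if (certificate != null) {
                register(this.fId2Name, makeIdentifier(certificate, this._ITSHA1, wssens), alias);
                register(this.fId602Name, makeIdentifier(certificate, this._IT60SHA1, wssens), alias);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "KeyIdentifierKeyResolver(KeyLocator locator, int operationMode)");
        }
    }

    /**
     * Records identifier -> alias. As in the original, the last alias registered for a
     * given identifier wins; a collision between different aliases is now traced, because
     * it means a reference with that identifier can only ever resolve to one of them.
     */
    private static void register(Map<String, String> table, byte[] identifier, String alias) {
        String key = Base64.encode(identifier);
        String previous = table.put(key, alias);
        if (previous != null && !previous.equals(alias) && tc.isDebugEnabled()) {
            Tr.debug(tc, "Key identifier " + key + " is shared by '" + previous + "' and '" + alias + "'; '" + alias + "' will be used");
        }
    }

    /** True when {@code element} is a {@code wsse:SecurityTokenReference}. */
    private boolean isSecurityTokenReference(Element element) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSecurityTokenReference(" + element + ")");
        }
        boolean isStr = NamespaceUtil.isWsse(element.getNamespaceURI())
                && "SecurityTokenReference".equals(element.getLocalName());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isSecurityTokenReference(Element elem) returns " + isStr);
        }
        return isStr;
    }

    /**
     * Resolves the {@code wsse:KeyIdentifier} child of a SecurityTokenReference.
     *
     * <p>{@code IdentifierType} defaults to the 20-octet form and {@code EncodingType} to
     * base64; both attributes come from the message, so values this resolver does not
     * know are a resolution failure. Returns {@code null} (after an error trace) when the
     * child is missing or the text cannot be decoded, and when the identifier matches no
     * registered certificate.
     *
     * @throws KeyInfoResolvingException for an unsupported IdentifierType or EncodingType,
     *                                   or when the key locator fails for a matched alias
     */
    private Key resolveSecurityTokenReference(Element element) throws KeyInfoResolvingException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resolveSecurityTokenReference(" + element + ")");
        }
        Element keyIdentifier = NamespaceUtil.getFirstChildWsseElement(element, "KeyIdentifier");
        if (keyIdentifier == null) {
            Tr.error(tc, "security.wssecurity.resolveSecurityTokenReference.nokid");
            return exitNull("resolveSecurityTokenReference(Element tokenRef) returns null");
        }
        QName identifierType = this._ITSHA1;
        QName encodingType = this._BASE64_BINARY;
        String identifierAttr = keyIdentifier.getAttribute("IdentifierType");
        if (identifierAttr.length() > 0) {
            identifierType = DOMUtil.getQName(keyIdentifier, identifierAttr);
        }
        String encodingAttr = keyIdentifier.getAttribute("EncodingType");
        if (encodingAttr.length() > 0) {
            encodingType = DOMUtil.getQName(keyIdentifier, encodingAttr);
        }

        Map<String, String> table;
        if (this._ITSHA1.equals(identifierType)) {
            table = this.fId2Name;
        } else if (this._IT60SHA1.equals(identifierType)) {
            table = this.fId602Name;
        } else {
            throw new KeyInfoResolvingException("Unsupported KeyIdentifier IdentifierType: " + identifierType);
        }

        byte[] decoded;
        String text = DOMUtil.getStringValue(keyIdentifier);
        if (this._BASE64_BINARY.equals(encodingType)) {
            decoded = Base64.decode(text);
        } else if (this._HEX_BINARY.equals(encodingType)) {
            try {
                decoded = Hex.decode(text);
            } catch (ParseException e) {
                Tr.processException(e, clsName + ".resolveSecurityTokenReference", "154", this);
                Tr.error(tc, "security.wssecurity.resolveSecurityTokenReference.decode", e);
                return exitNull("resolveSecurityTokenReference(Element tokenRef) returns null");
            }
        } else {
            throw new KeyInfoResolvingException("Unsupported KeyIdentifier EncodingType: " + encodingType);
        }
        if (decoded == null) {
            // Base64.decode's behaviour on malformed text is not visible here; treat a null
            // result like any other undecodable identifier instead of failing on re-encode.
            return exitNull("resolveSecurityTokenReference(Element tokenRef) returns null");
        }

        // Tables are keyed by the canonical base64 form so hex and base64 references meet.
        String alias = table.get(Base64.encode(decoded));
        Key key = null;
        if (alias != null) {
            key = lookupKey(alias, "resolveSecurityTokenReference", this.fInEncryptMode ? "186" : "210");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resolveSecurityTokenReference(Element tokenRef) returns " + describeKey(key));
        }
        return key;
    }

    /**
     * Fetches the key for {@code alias} from the locator: the encryption key in encrypt
     * mode, the decryption key otherwise. A {@link KeyLocatorException} is traced under
     * {@code clsName.method} with the given probe id and rethrown as
     * {@link KeyInfoResolvingException}.
     */
    private Key lookupKey(String alias, String method, String probe) throws KeyInfoResolvingException {
        try {
            if (this.fInEncryptMode) {
                return this.fKeyLocator.getEncryptionKey(alias, (Object) null);
            }
            return this.fKeyLocator.getDecryptionKey(alias, (Object) null);
        } catch (KeyLocatorException e) {
            Tr.processException((Throwable) e, clsName + "." + method, probe, (Object) this);
            Tr.error(tc, "security.wssecurity.KeyIdentifierKeyResolver.keyloc", e);
            // Only a message constructor is visible for KeyInfoResolvingException, so the
            // cause cannot be chained; Tr.processException above has already recorded it.
            throw new KeyInfoResolvingException(e.getMessage());
        }
    }

    /** Emits the exit trace (when enabled) for a path that resolves no key, and returns null. */
    private static Key exitNull(String exitMessage) {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, exitMessage);
        }
        return null;
    }

    /**
     * Describes a key for trace output without its material. {@code Key.toString()} is
     * provider-defined and, for some private-key implementations, includes the private
     * components -- the original traced the key object itself at entry/exit level.
     */
    private static String describeKey(Key key) {
        if (key == null) {
            return "null";
        }
        return key.getClass().getName() + "[" + key.getAlgorithm() + "/" + key.getFormat() + "]";
    }

    /**
     * Decodes the tag and length octets of the BER/DER TLV starting at {@code buf[off]}.
     *
     * @param expectedTag tag the element must carry, or {@link #ANY_TAG} to skip the check
     * @param what        element name used in error messages
     * @return {@code {contentOffset, contentLength}}
     * @throws IllegalArgumentException on a wrong tag, an indefinite or more-than-4-octet
     *                                  length (the limit the original parser had), or a
     *                                  header that runs off the end of the buffer
     */
    private static int[] berHeader(byte[] buf, int off, int expectedTag, String what) {
        if (off < 0 || off + 1 >= buf.length) {
            throw new IllegalArgumentException("Truncated " + what + ": " + Hex.encode(buf));
        }
        if (expectedTag != ANY_TAG && buf[off] != (byte) expectedTag) {
            throw new IllegalArgumentException(what + ": expected tag 0x" + Integer.toString(expectedTag & 255, 16)
                    + " but found 0x" + Integer.toString(buf[off] & 255, 16));
        }
        int first = buf[off + 1] & 255;
        if ((first & 128) == 0) {
            return new int[] { off + 2, first };
        }
        int lengthOctets = first & 127;
        if (lengthOctets < 1 || lengthOctets > 4) {
            throw new IllegalArgumentException("Integer overflow: " + Hex.encode(buf));
        }
        if (off + 2 + lengthOctets > buf.length) {
            throw new IllegalArgumentException("Truncated " + what + ": " + Hex.encode(buf));
        }
        int length = 0;
        for (int k = 0; k < lengthOctets; k++) {
            length = (length << 8) | (buf[off + 2 + k] & 255);
        }
        if (length < 0) {
            throw new IllegalArgumentException("Integer overflow: " + Hex.encode(buf));
        }
        return new int[] { off + 2 + lengthOctets, length };
    }

    /**
     * Returns the raw SubjectKeyIdentifier of an X.509 certificate, or {@code null} when
     * the certificate is not X.509, has no such extension, or the extension is malformed
     * (the caller then falls back to hashing the public key).
     *
     * <p>{@code getExtensionValue} returns the DER OCTET STRING that wraps the extension
     * value, and for SubjectKeyIdentifier that value is itself an OCTET STRING:
     * {@code 04 len 04 len <identifier>}. The original skipped a fixed four octets, which
     * is only right for short-form lengths and threw on anything shorter; both headers
     * are now parsed.
     */
    private static byte[] certToIdentifier(Certificate certificate) {
        if (!(certificate instanceof X509Certificate)) {
            return null;
        }
        byte[] extension = ((X509Certificate) certificate).getExtensionValue(OID_KEYIDENTIFIER);
        if (extension == null) {
            return null;
        }
        try {
            int[] outer = berHeader(extension, 0, BER_OCTETSTRING, "SubjectKeyIdentifier");
            int[] inner = berHeader(extension, outer[0], BER_OCTETSTRING, "SubjectKeyIdentifier");
            int length = inner[1];
            if (inner[0] + length > extension.length) {
                return null;
            }
            byte[] identifier = new byte[length];
            System.arraycopy(extension, inner[0], identifier, 0, length);
            return identifier;
        } catch (IllegalArgumentException malformed) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Ignoring malformed SubjectKeyIdentifier extension: " + malformed.getMessage());
            }
            return null;
        }
    }

    /**
     * Derives a key identifier from the certificate's public key: the SHA-1 of the
     * {@code subjectPublicKey} BIT STRING contents of its SubjectPublicKeyInfo (from the
     * first key octet to the end of the encoding, as before), in full for the 20-octet
     * type or folded to 8 octets for the "6.0" type. SHA-1 is what these identifier types
     * denote, so it is not a choice this class can make.
     *
     * @param qName identifier type; {@code null} means the 20-octet form
     * @param str   WS-Security namespace used to build the sender-side QNames
     * @throws RuntimeException         on an encoding that is not a SEQUENCE or whose
     *                                  second element is not a BIT STRING (same messages
     *                                  as before); {@link IllegalArgumentException} for a
     *                                  truncated or oversized length, where the original
     *                                  could index out of bounds
     * @throws IllegalArgumentException for an identifier type that is neither form
     */
    private static byte[] pubkeyToIdentifier(Certificate certificate, QName qName, String str) throws NoSuchAlgorithmException, SoapSecurityException {
        byte[] encoded = certificate.getPublicKey().getEncoded();
        MessageDigest sha1 = MessageDigest.getInstance("SHA");
        if (encoded == null || encoded.length < 2 || encoded[0] != BER_SEQUENCE) {
            throw new RuntimeException("Unknown encoded key: " + (encoded == null ? "null" : Hex.encode(encoded)));
        }
        // SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
        int[] spki = berHeader(encoded, 0, BER_SEQUENCE, "SubjectPublicKeyInfo");
        int[] algorithm = berHeader(encoded, spki[0], ANY_TAG, "AlgorithmIdentifier");
        int bitStringOffset = algorithm[0] + algorithm[1];
        if (bitStringOffset >= encoded.length) {
            throw new IllegalArgumentException("Truncated SubjectPublicKeyInfo: " + Hex.encode(encoded));
        }
        if (encoded[bitStringOffset] != BER_BITSTRING) {
            throw new RuntimeException("Non BIT STRING: 0x" + Integer.toString(encoded[bitStringOffset] & 255, 16));
        }
        int[] bits = berHeader(encoded, bitStringOffset, BER_BITSTRING, "subjectPublicKey");
        int keyOffset = bits[0] + 1; // skip the unused-bits octet of the BIT STRING
        if (keyOffset > encoded.length) {
            throw new IllegalArgumentException("Truncated subjectPublicKey: " + Hex.encode(encoded));
        }
        sha1.update(encoded, keyOffset, encoded.length - keyOffset);
        byte[] digest = sha1.digest();
        if (qName == null || isItSha1(qName, str)) {
            return digest;
        }
        if (isIt60Sha1(qName, str)) {
            return truncateTo60Octets(digest);
        }
        throw new IllegalArgumentException("Internal Error: " + qName);
    }

    /**
     * Folds a 20-octet digest into the 8-octet "6.0" identifier: octet 0 is
     * {@code 0x40 | (digest[12] & 0x0f)}, octets 1..7 are {@code digest[13..19]}.
     */
    private static byte[] truncateTo60Octets(byte[] digest) {
        byte[] folded = new byte[IT60SHA1_OCTETS];
        int tail = digest.length - IT60SHA1_OCTETS;
        folded[0] = (byte) (64 + (digest[tail] & 15));
        System.arraycopy(digest, tail + 1, folded, 1, IT60SHA1_OCTETS - 1);
        return folded;
    }

    /** True when {@code qName} is the 20-octet identifier type in either its sent or receiver form. */
    private static boolean isItSha1(QName qName, String wssens) throws SoapSecurityException {
        return NamespaceUtil.equals(qName, Constants.getQName(wssens, Constants.ITSHA1_SENT_QNAME))
                || NamespaceUtil.equals(qName, Constants.ITSHA1_RCVR);
    }

    /** True when {@code qName} is the 8-octet "6.0" identifier type in either its sent or receiver form. */
    private static boolean isIt60Sha1(QName qName, String wssens) throws SoapSecurityException {
        return NamespaceUtil.equals(qName, Constants.getQName(wssens, Constants.IT60SHA1_SENT_QNAME))
                || NamespaceUtil.equals(qName, Constants.IT60SHA1_RCVR);
    }

    /** True when {@code qName} is the base64 encoding type in either its sent or receiver form. */
    private static boolean isBase64Binary(QName qName, String wssens) throws SoapSecurityException {
        return NamespaceUtil.equals(qName, Constants.getQName(wssens, Constants.BASE64_BINARY_SENT_QNAME))
                || NamespaceUtil.equals(qName, Constants.BASE64_BINARY_RCVR);
    }

    /** True when {@code qName} is the hex encoding type in either its sent or receiver form. */
    private static boolean isHexBinary(QName qName, String wssens) throws SoapSecurityException {
        return NamespaceUtil.equals(qName, Constants.getQName(wssens, Constants.HEX_BINARY_SENT_QNAME))
                || NamespaceUtil.equals(qName, Constants.HEX_BINARY_RCVR);
    }

    /**
     * Computes the identifier of {@code certificate} for identifier type {@code qName}.
     *
     * <ul>
     *   <li>{@code qName == null}: the certificate's SubjectKeyIdentifier verbatim,
     *       whatever its length, else the 20-octet public-key SHA-1;</li>
     *   <li>20-octet type: the SubjectKeyIdentifier if it is 20 octets, else the SHA-1;</li>
     *   <li>8-octet type: the SubjectKeyIdentifier if it is 8 octets, else the folded SHA-1.</li>
     * </ul>
     *
     * @throws IllegalArgumentException for any other identifier type
     */
    private static byte[] makeIdentifier(Certificate certificate, QName qName, String str) throws NoSuchAlgorithmException, SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "makeIdentifier(" + certificate + SEP + qName + ")");
        }
        byte[] identifier = certToIdentifier(certificate);
        if (qName == null) {
            if (identifier == null) {
                identifier = pubkeyToIdentifier(certificate, null, str);
            }
        } else if (isItSha1(qName, str)) {
            if (identifier == null || identifier.length != ITSHA1_OCTETS) {
                identifier = pubkeyToIdentifier(certificate, qName, str);
            }
        } else if (isIt60Sha1(qName, str)) {
            if (identifier == null || identifier.length != IT60SHA1_OCTETS) {
                identifier = pubkeyToIdentifier(certificate, qName, str);
            }
        } else {
            throw new IllegalArgumentException("Internal Error: " + qName);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "makeIdentifier(Certificate cert, QName idty, String wssens) returns " + identifier);
        }
        return identifier;
    }

    /**
     * Adds a reference for the encryption key named {@code str} to {@code keyInfo}: a
     * {@code wsse:SecurityTokenReference/wsse:KeyIdentifier} when the key is a public key
     * with a certificate, a {@code ds:KeyName} otherwise.
     *
     * @param qName  identifier type for the KeyIdentifier ({@code null} = 20-octet form)
     * @param qName2 encoding type for the KeyIdentifier ({@code null} = base64, and the
     *               attribute is then omitted)
     * @param obj    key-locator context; also the configuration {@link Map} the WS-Security
     *               namespace is read from
     * @throws NullPointerException when the locator has no key for {@code str}; kept for
     *                              compatibility with callers that may catch it, although an
     *                              IllegalStateException would be the idiomatic choice
     * @throws RuntimeException     when neither a certificate nor a name could be found for
     *                              the located key
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void addKeyId(KeyInfo keyInfo, KeyLocator keyLocator, String str, Document document, QName qName, QName qName2, Object obj) throws KeyLocatorException, NoSuchAlgorithmException, SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addKeyId(" + keyInfo + SEP + keyLocator + SEP + str + SEP + document + SEP + qName + SEP + qName2 + SEP + obj + ")");
        }
        Key encryptionKey = keyLocator.getEncryptionKey(str, obj);
        if (encryptionKey == null) {
            throw new NullPointerException("Key not located: " + str);
        }
        boolean added = false;
        if (encryptionKey instanceof PublicKey) {
            Certificate certificate = keyLocator.getCertificate(encryptionKey);
            if (certificate != null) {
                keyInfo.addKeyId(createElement(document, certificate, qName, qName2, Constants.getWSSENS((Map) obj)));
                added = true;
            }
        } else {
            String name = keyLocator.getName(encryptionKey);
            if (name != null) {
                KeyName keyName = new KeyName();
                keyName.setName(name);
                keyInfo.addKeyName(keyName);
                added = true;
            }
        }
        if (!added) {
            throw new RuntimeException("Key id not added: " + str);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addKeyId(KeyInfo keyInfo, KeyLocator locator, String name, Document factory, QName idty, QName encoding, Object context)");
        }
    }

    /**
     * Builds {@code <wsse:SecurityTokenReference><wsse:KeyIdentifier>...</wsse:KeyIdentifier>}
     * for {@code certificate} in namespace {@code str}.
     *
     * <p>{@code IdentifierType} is written only when the identifier is not 20 octets long
     * (it is then labelled as the "6.0" type -- note that a SubjectKeyIdentifier of some
     * other length, reachable only with {@code qName == null}, is labelled the same way);
     * {@code EncodingType} is written only when {@code qName2} was given.
     *
     * @throws IllegalArgumentException for an unknown encoding type (the message now names
     *                                  the offending encoding QName; the original printed
     *                                  the identifier type instead)
     */
    private static Element createElement(Document document, Certificate certificate, QName qName, QName qName2, String str) throws NoSuchAlgorithmException, SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createElement(" + document + SEP + certificate + SEP + qName + SEP + qName2 + ")");
        }
        byte[] identifier = makeIdentifier(certificate, qName, str);
        String text;
        if (qName2 == null || isBase64Binary(qName2, str)) {
            text = Base64.encode(identifier);
        } else if (isHexBinary(qName2, str)) {
            text = Hex.encode(identifier);
        } else {
            throw new IllegalArgumentException("Internal Error: " + qName2);
        }
        Element keyIdentifier = document.createElementNS(str, "wsse:KeyIdentifier");
        keyIdentifier.appendChild(document.createTextNode(text));
        Element tokenReference = document.createElementNS(str, "wsse:SecurityTokenReference");
        tokenReference.appendChild(keyIdentifier);
        tokenReference.setAttributeNS(Constants.NS_XMLNS, "xmlns:wsse", str);
        if (identifier.length != ITSHA1_OCTETS) {
            DOMUtil.setQNameAttr(keyIdentifier, null, "IdentifierType", Constants.getQName(str, Constants.IT60SHA1_SENT_QNAME));
        }
        if (qName2 != null) {
            DOMUtil.setQNameAttr(keyIdentifier, null, "EncodingType", qName2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Created KeyInfo for (cert) " + certificate + " and (content) " + text);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createElement(Document factory, Certificate cert, QName idty, QName encoding) returns " + tokenReference);
        }
        return tokenReference;
    }

    /**
     * Resolves a {@code ds:KeyName} through the locator (encryption key in encrypt mode,
     * decryption key otherwise). A non-null {@code key} is returned unchanged: an earlier
     * resolver already found it.
     *
     * @throws KeyInfoResolvingException when the key locator fails
     */
    protected Key resolveKeyName(KeyName keyName, EncryptionMethod encryptionMethod, Key key) throws KeyInfoResolvingException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resolveKeyName(" + keyName + SEP + encryptionMethod + SEP + describeKey(key) + ")");
        }
        if (key == null) {
            key = lookupKey(keyName.getName(), "resolveKeyName", this.fInEncryptMode ? "455" : "464");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resolveKeyName(KeyName keyName, EncryptionMethod encMeth, Key key) returns " + describeKey(key));
        }
        return key;
    }

    /**
     * Resolves a key-identifier element when it is a {@code wsse:SecurityTokenReference}.
     * A non-null {@code key} is returned unchanged; any other element yields {@code null}.
     */
    protected Key resolveKeyId(Element element, EncryptionMethod encryptionMethod, Key key) throws KeyInfoResolvingException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resolveKeyId(" + element + SEP + encryptionMethod + SEP + describeKey(key) + ")");
        }
        if (key == null && isSecurityTokenReference(element)) {
            key = resolveSecurityTokenReference(element);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resolveKeyId(Element keyId, EncryptionMethod encMeth, Key key) returns " + describeKey(key));
        }
        return key;
    }
}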
