package org.apache.wss4j.dom.message;

import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.crypto.SecretKey;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.derivedKey.AlgoFactory;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.Reference;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.message.token.DerivedKeyToken;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.xml.security.utils.XMLUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/wss4j-ws-security-dom-2.3.2.jar:org/apache/wss4j/dom/message/WSSecDerivedKeyBase.class */
/**
 * Common base for builders that derive a symmetric key from an ephemeral secret
 * and advertise it through a WS-SecureConversation {@code DerivedKeyToken}.
 *
 * <p>{@link #prepare(byte[])} runs P_SHA-1 key derivation over the supplied
 * secret, seeded with the client/service labels plus a fresh random nonce, and
 * builds the {@code DerivedKeyToken} element together with the
 * {@code SecurityTokenReference} that points at the originating token. The nonce
 * is published in the token (it is not secret); the derived key bytes stay in
 * memory until {@link #clean()} zeroes them, so callers should invoke
 * {@code clean()} once the message has been built.
 *
 * <p>{@code keyIdentifierType}, {@code user} and {@code addWSUNamespace} are
 * inherited from the base class and are not declared here.
 *
 * <p>This listing is decompiler output: the numeric key-identifier constants and
 * the token-type URIs were inlined by the decompiler and are restored below as
 * private constants (they mirror the upstream {@code WSConstants} values).
 */
public abstract class WSSecDerivedKeyBase extends WSSecSignatureBase {
    private static final Logger LOG = LoggerFactory.getLogger(WSSecDerivedKeyBase.class);

    /** Key-derivation algorithm URI handed to {@link AlgoFactory}. */
    private static final String P_SHA1_DERIVATION =
        "http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1";
    /** Number of random bytes appended to the labels to form the derivation seed. */
    private static final int NONCE_LENGTH = 16;
    /** Label used for both the client and the service side unless overridden. */
    private static final String DEFAULT_LABEL = "WS-SecureConversation";
    /** WS-SecureConversation version used when none has been set. */
    private static final int DEFAULT_WSC_VERSION = 2;

    // Key-identifier types with a dedicated STR branch (values of the upstream
    // WSConstants fields of the same name). ISSUER_SERIAL has no dedicated branch
    // but still triggers the signing-certificate lookup.
    private static final int ISSUER_SERIAL = 2;
    private static final int X509_KEY_IDENTIFIER = 3;
    private static final int SKI_KEY_IDENTIFIER = 4;
    private static final int THUMBPRINT_IDENTIFIER = 8;
    private static final int CUSTOM_KEY_IDENTIFIER = 12;

    // Value-type / token-type URIs recognised when building the STR.
    private static final String SAML10_ASSERTION_ID =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    private static final String SAML11_ID =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";
    private static final String SAML11_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML20_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    private static final String ENCRYPTED_KEY_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
    private static final String SCT_2005_02 = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
    private static final String SCT_200512 =
        "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct";
    private static final String USERNAME_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken";

    /** The token built by {@link #prepare(byte[])}; null until then. */
    private DerivedKeyToken dkt;
    private String clientLabel = DEFAULT_LABEL;
    private String serviceLabel = DEFAULT_LABEL;
    /** Id (or URI, see {@link #setTokenIdDirectId(boolean)}) of the token the key derives from. */
    private String tokenIdentifier;
    private boolean tokenIdDirectId;
    /** Caller-supplied STR element; when set it replaces the STR built here. */
    private Element strElem;
    private String dktId;
    /** Raw derived key; retained for {@link #getDerivedKey(String)} and zeroed by {@link #clean()}. */
    private byte[] derivedKeyBytes;
    private int wscVersion = DEFAULT_WSC_VERSION;
    private String customValueType;
    /** Explicit signing certificate; when null the certificate comes from {@link #crypto}. */
    private X509Certificate useThisCert;
    private Crypto crypto;

    /**
     * Creates a builder that writes into an existing security header.
     *
     * @param wSSecHeader the security header to add the derived-key token to
     */
    public WSSecDerivedKeyBase(WSSecHeader wSSecHeader) {
        super(wSSecHeader);
        // 0 matches none of the dedicated STR branches, so a fresh instance
        // emits a direct Reference unless the caller selects another type.
        setKeyIdentifierType(0);
    }

    /**
     * Creates a builder bound to the given document.
     *
     * @param document the SOAP document being secured
     */
    public WSSecDerivedKeyBase(Document document) {
        super(document);
        // Same default as the header-based constructor: direct Reference.
        setKeyIdentifierType(0);
    }

    /**
     * Returns the length in bytes of the key to derive.
     *
     * @return derived key length in bytes
     * @throws WSSecurityException if the subclass cannot determine the length
     */
    protected abstract int getDerivedKeyLength() throws WSSecurityException;

    /** @return the caller-supplied STR element, or null if none was set */
    public Element getStrElem() {
        return this.strElem;
    }

    /**
     * Supplies a ready-made SecurityTokenReference element. When set,
     * {@link #prepare(byte[])} uses it verbatim and skips building its own.
     *
     * @param element the STR element to embed in the derived-key token
     */
    public void setStrElem(Element element) {
        this.strElem = element;
    }

    /**
     * Sets the identifier of the token the key is derived from. Used as a
     * {@code #}-prefixed local reference unless {@link #setTokenIdDirectId(boolean)}
     * is true, and as the key-identifier value for the custom-identifier type.
     *
     * @param str token id or URI
     */
    public void setTokenIdentifier(String str) {
        this.tokenIdentifier = str;
    }

    /** @return the identifier set via {@link #setTokenIdentifier(String)} */
    public String getTokenIdentifier() {
        return this.tokenIdentifier;
    }

    /**
     * Supplies the certificate to reference directly instead of looking it up
     * through the {@link Crypto} instance.
     *
     * @param x509Certificate the certificate to use
     */
    public void setX509Certificate(X509Certificate x509Certificate) {
        this.useThisCert = x509Certificate;
    }

    /** @return the wsu:Id allocated for the derived-key token, or null before {@link #prepare(byte[])} */
    public String getId() {
        return this.dktId;
    }

    /** @param str client-side label mixed into the derivation seed */
    public void setClientLabel(String str) {
        this.clientLabel = str;
    }

    /** @param str service-side label mixed into the derivation seed */
    public void setServiceLabel(String str) {
        this.serviceLabel = str;
    }

    /**
     * Derives the key from the given secret and builds the DerivedKeyToken.
     *
     * <p>The seed is {@code clientLabel + serviceLabel} (UTF-8) followed by a
     * {@value #NONCE_LENGTH}-byte random nonce; the nonce is stored in the
     * token so the peer can repeat the derivation. The STR inside the token is
     * either the caller-supplied element or one built from the configured
     * key-identifier type.
     *
     * @param bArr the ephemeral secret to derive from; must be non-empty
     * @throws WSSecurityException if the secret is null or empty, if the key
     *         length cannot be determined, or if the signing certificate needed
     *         for the chosen key-identifier type cannot be found
     */
    public void prepare(byte[] bArr) throws WSSecurityException {
        if (bArr == null || bArr.length == 0) {
            LOG.debug("No ephemeral key is supplied for id: " + this.tokenIdentifier);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
        }
        final int keyLength = getDerivedKeyLength();
        // NOTE(review): WSSecurityUtil.generateNonce is assumed to use a CSPRNG — confirm.
        final byte[] nonce = WSSecurityUtil.generateNonce(NONCE_LENGTH);
        this.derivedKeyBytes = deriveKey(bArr, nonce, keyLength);

        this.dkt = new DerivedKeyToken(this.wscVersion, getDocument());
        this.dktId = getIdAllocator().createId("DK-", this.dkt);
        describeDerivation(this.dkt, nonce, keyLength);

        final boolean useSuppliedStr = this.strElem != null;
        if (useSuppliedStr) {
            this.dkt.setSecurityTokenReference(this.strElem);
        } else {
            this.dkt.setSecurityTokenReference(buildSecurityTokenReference());
        }
    }

    /** Runs P_SHA-1 over {@code secret} with the label/nonce seed and returns {@code length} bytes. */
    private byte[] deriveKey(byte[] secret, byte[] nonce, int length) throws WSSecurityException {
        final byte[] labels = (this.clientLabel + this.serviceLabel).getBytes(StandardCharsets.UTF_8);
        final byte[] seed = Arrays.copyOf(labels, labels.length + nonce.length);
        System.arraycopy(nonce, 0, seed, labels.length, nonce.length);
        return AlgoFactory.getInstance(P_SHA1_DERIVATION).createKey(secret, seed, 0, length);
    }

    /** Fills in offset, length, nonce and id on the token; offset is always 0 here. */
    private void describeDerivation(DerivedKeyToken token, byte[] nonce, int length) {
        token.setOffset(0);
        token.setLength(length);
        token.setNonce(XMLUtils.encodeToString(nonce));
        token.setID(this.dktId);
        if (this.addWSUNamespace) {
            token.addWSUNamespace();
        }
    }

    /**
     * Builds the STR for the derived-key token according to {@code keyIdentifierType}.
     * Certificate-based identifiers dereference {@code certs[0]}, which
     * {@link #getSigningCerts()} guarantees to exist for those types.
     */
    private SecurityTokenReference buildSecurityTokenReference() throws WSSecurityException {
        final SecurityTokenReference str = new SecurityTokenReference(getDocument());
        str.setID(getIdAllocator().createSecureId("STR-", str));
        if (this.addWSUNamespace) {
            str.addWSUNamespace();
        }
        final X509Certificate[] certs = getSigningCerts();
        switch (this.keyIdentifierType) {
            case X509_KEY_IDENTIFIER:
                str.setKeyIdentifier(certs[0]);
                break;
            case SKI_KEY_IDENTIFIER:
                str.setKeyIdentifierSKI(certs[0], this.crypto);
                break;
            case THUMBPRINT_IDENTIFIER:
                str.setKeyIdentifierThumb(certs[0]);
                break;
            case CUSTOM_KEY_IDENTIFIER:
                addCustomKeyIdentifier(str);
                break;
            default:
                // Every other type, including the constructor default of 0,
                // references the source token by id/URI.
                addDirectReference(str);
                break;
        }
        return str;
    }

    /**
     * Adds a {@code Reference} to the source token and, where the custom value
     * type identifies a known token profile, the matching TokenType.
     */
    private void addDirectReference(SecurityTokenReference str) {
        final Reference ref = new Reference(getDocument());
        ref.setURI(this.tokenIdDirectId ? this.tokenIdentifier : "#" + this.tokenIdentifier);

        final String valueType = this.customValueType;
        if (valueType != null && !valueType.isEmpty()) {
            ref.setValueType(valueType);
        }
        if (SAML10_ASSERTION_ID.equals(valueType)) {
            str.addTokenType(SAML11_TOKEN_TYPE);
            ref.setValueType(valueType);
        } else if (SAML11_ID.equals(valueType)) {
            str.addTokenType(SAML20_TOKEN_TYPE);
        } else if (ENCRYPTED_KEY_TYPE.equals(valueType)) {
            str.addTokenType(ENCRYPTED_KEY_TYPE);
            ref.setValueType(valueType);
        } else if (KerberosSecurity.isKerberosToken(valueType)) {
            str.addTokenType(valueType);
            ref.setValueType(valueType);
        } else if (SCT_2005_02.equals(valueType) || SCT_200512.equals(valueType)) {
            ref.setValueType(valueType);
        } else if (!USERNAME_TOKEN_TYPE.equals(valueType)) {
            // Unknown or unset value types (null included) are treated as
            // references to an EncryptedKey.
            str.addTokenType(ENCRYPTED_KEY_TYPE);
        }
        str.setReference(ref);
    }

    /**
     * Emits a KeyIdentifier carrying {@code tokenIdentifier} under the custom
     * value type, plus a TokenType for the SAML and EncryptedKey profiles.
     */
    private void addCustomKeyIdentifier(SecurityTokenReference str) {
        str.setKeyIdentifier(this.customValueType, this.tokenIdentifier);
        final String valueType = this.customValueType;
        if (SAML10_ASSERTION_ID.equals(valueType)) {
            str.addTokenType(SAML11_TOKEN_TYPE);
        } else if (SAML11_ID.equals(valueType)) {
            str.addTokenType(SAML20_TOKEN_TYPE);
        } else if (ENCRYPTED_KEY_TYPE.equals(valueType)) {
            str.addTokenType(ENCRYPTED_KEY_TYPE);
        }
    }

    /** Inserts the derived-key token as the first child of the security header. Requires {@link #prepare(byte[])}. */
    public void prependDKElementToHeader() {
        final Element header = getSecurityHeader().getSecurityHeaderElement();
        WSSecurityUtil.prependChildElement(header, this.dkt.getElement());
    }

    /** Appends the derived-key token as the last child of the security header. Requires {@link #prepare(byte[])}. */
    public void appendDKElementToHeader() {
        final Element header = getSecurityHeader().getSecurityHeaderElement();
        header.appendChild(this.dkt.getElement());
    }

    /** @param i WS-SecureConversation version passed to the token constructor */
    public void setWscVersion(int i) {
        this.wscVersion = i;
    }

    /** @return the configured WS-SecureConversation version */
    public int getWscVersion() {
        return this.wscVersion;
    }

    /** @return the DerivedKeyToken element; only valid after {@link #prepare(byte[])} */
    public Element getdktElement() {
        return this.dkt.getElement();
    }

    /**
     * Sets the value type of the source token; it selects the TokenType emitted
     * in the STR and the ValueType of the Reference or KeyIdentifier.
     *
     * @param str value-type URI, or null/empty for none
     */
    public void setCustomValueType(String str) {
        this.customValueType = str;
    }

    /**
     * Controls whether the token identifier is used as-is in the Reference URI
     * (true) or prefixed with {@code #} as a local reference (false).
     *
     * @param z true to use the identifier verbatim
     */
    public void setTokenIdDirectId(boolean z) {
        this.tokenIdDirectId = z;
    }

    /** True for the key-identifier types whose STR needs a signing certificate. */
    private boolean needsSigningCert(int type) {
        return type == ISSUER_SERIAL
            || type == X509_KEY_IDENTIFIER
            || type == SKI_KEY_IDENTIFIER
            || type == THUMBPRINT_IDENTIFIER;
    }

    /**
     * Resolves the signing certificate chain for certificate-based identifier
     * types; returns null for every other type.
     *
     * @return a non-empty chain, or null when the identifier type needs none
     * @throws WSSecurityException if no {@link Crypto} is configured
     *         ({@code noSigCryptoFile}) or the alias yields no certificate
     *         ({@code noUserCertsFound})
     */
    private X509Certificate[] getSigningCerts() throws WSSecurityException {
        if (!needsSigningCert(this.keyIdentifierType)) {
            return null;
        }
        final X509Certificate[] certs;
        if (this.useThisCert != null) {
            certs = new X509Certificate[]{this.useThisCert};
        } else {
            if (this.crypto == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
            }
            final CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
            byAlias.setAlias(this.user);
            certs = this.crypto.getX509Certificates(byAlias);
        }
        if (certs == null || certs.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noUserCertsFound", new Object[]{this.user, "signature"});
        }
        return certs;
    }

    /** @param crypto keystore access used to resolve the signing certificate by alias */
    public void setCrypto(Crypto crypto) {
        this.crypto = crypto;
    }

    /**
     * Wraps the derived key bytes as a {@link SecretKey} for the given algorithm.
     * Decompiler note: upstream declares this method {@code protected}.
     *
     * @param str algorithm URI handed to {@link KeyUtils#prepareSecretKey}
     * @return the secret key; {@code derivedKeyBytes} is null before {@link #prepare(byte[])}
     */
    public SecretKey getDerivedKey(String str) {
        // NOTE(review): assumes prepareSecretKey copies the bytes, so clean() does
        // not invalidate keys already handed out — confirm in KeyUtils.
        return KeyUtils.prepareSecretKey(str, this.derivedKeyBytes);
    }

    /** Clears base-class state and zeroes the derived key bytes held by this instance. */
    @Override // org.apache.wss4j.dom.message.WSSecBase
    public void clean() {
        super.clean();
        final byte[] keyBytes = this.derivedKeyBytes;
        if (keyBytes != null) {
            Arrays.fill(keyBytes, (byte) 0);
        }
    }
}
