package com.ibm.security.krb5.wss.soap;

import com.ibm.crypto.provider.AESKeySpec;
import com.ibm.crypto.provider.RC4KeySpec;
import com.ibm.misc.HexDumpEncoder;
import com.ibm.security.jgss.Debug;
import com.ibm.security.krb5.EncryptedData;
import com.ibm.security.krb5.wss.KerberosTokenConfig;
import com.ibm.security.krb5.wss.KerberosTokenConsumer;
import com.ibm.security.krb5.wss.soap.util.SoapPingResponse;
import com.ibm.security.krb5.wss.soap.util.TokenReceiver;
import com.ibm.security.krb5.wss.util.DsigServices;
import com.ibm.security.krb5.wss.util.ElementLocalNames;
import com.ibm.security.krb5.wss.util.EncServices;
import com.ibm.security.krb5.wss.util.EncodingTypes;
import com.ibm.security.krb5.wss.util.KeyIdentifier;
import com.ibm.security.krb5.wss.util.LocalConstants;
import com.ibm.security.krb5.wss.util.MiscUtils;
import com.ibm.security.krb5.wss.util.Programmable;
import com.ibm.security.krb5.wss.util.RecursiveIDResolver;
import com.ibm.security.krb5.wss.util.SecurityTokenReference;
import com.ibm.security.krb5.wss.util.SoapFault;
import com.ibm.security.krb5.wss.util.TemplateTool;
import com.ibm.security.krb5.wss.util.XMLUtil;
import com.ibm.security.krb5.wss.util.XmlHeader;
import com.ibm.ws.wssecurity.core.ElementSelector;
import com.ibm.ws.wssecurity.util.KRBTokenProfileConstants;
import com.ibm.ws.wssecurity.xss4j.dsig.IDResolver;
import com.ibm.ws.wssecurity.xss4j.dsig.SignatureContext;
import com.ibm.ws.wssecurity.xss4j.dsig.Validity;
import com.ibm.ws.wssecurity.xss4j.dsig.transform.ExclusiveC11r;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:com/ibm/security/krb5/wss/soap/KerberosSoapReceiver.class */
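/**
 * Server side of a WS-Security Kerberos token exchange.
 *
 * <p>The flow implemented here is: parse the incoming SOAP envelope ({@link #readInput}),
 * pull the Base64 AP-REQ out of {@code wsse:BinarySecurityToken}, hand it to
 * {@link KerberosTokenConsumer} to obtain the session key (and optional sub-session key),
 * verify the {@code ds:Signature} in the {@code wsse:Security} header with that key, and,
 * when it verifies, build a signed and encrypted Ping response keyed with the same
 * material ({@link #genSoapParts}). Any failure turns into a SOAP fault document instead of
 * a thrown exception, so callers always get a response from {@link #getResponse()}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Raw session/sub-session key bytes are never written to the debug log; only their
 *       lengths are. Do not reintroduce hex dumps of {@code rawKey}/{@code rawSubKey}.</li>
 *   <li>Requests carrying duplicate {@code wsu:Id} values are rejected before signature
 *       verification, because ID-based reference resolution picks the first match and
 *       duplicates are the usual lever for XML signature wrapping.</li>
 *   <li>The Ping payload is still located by tag name rather than through the verified
 *       references (see the NOTE in {@link #processInput}); confirm with the signature
 *       reference list if stronger binding is required.</li>
 * </ul>
 *
 * <p>Configuration is read from {@code this.props} (provided by {@link Programmable}) under
 * the {@code KEYTABROOTNAME}, {@code SERVICENAME}, {@code SERVICEPASSWORD} and
 * {@code LOGINCONF} keys. This class is not thread-safe: one instance per request.
 */
public class KerberosSoapReceiver extends Programmable implements TokenReceiver, LocalConstants {
    public static final String KEYTABROOTNAME = "keytabrootname";
    public static final String SERVICENAME = "servicename";
    public static final String SUBJECT = "subject";
    public static final String SERVICEPASSWORD = "servicePassword";
    public static final String LOGINCONF = "loginConfig";
    private static final String debugPrefix = "KerberosSoapReceiver: ";

    // Namespaces used on both the request and response side.
    private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    private static final String HMAC_SHA1_URI = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
    private static final String AES128_CBC_URI = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    private static final String APREQ_SHA1_VALUE_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1";
    private static final String JCE_PROVIDER = "IBMJCE";
    private static final String UNSUPPORTED_ENCTYPE = "Unsupported Encryption Type for the Subsession Key";

    // Kerberos enctype numbers (RFC 3961 / RFC 3962) with a dedicated JCE mapping below.
    private static final int ENCTYPE_DES3_CBC_SHA1 = 16;
    private static final int ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17;
    private static final int ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18;

    /** Parsed request, or null if parsing failed. */
    private Document docIn;
    /** Response document: a signed/encrypted Ping reply or a SOAP fault. Null until produced. */
    private Document resp;
    /** Text of the request's Ping element, echoed back in the response. */
    private String pText;
    /** Human-readable description of the processing step in progress; used as fallback fault detail. */
    private String phaseMessage;
    /** Fault code applied to faults generated in {@link #processInput}. */
    private String faultCode;
    private Debug debug;
    /** Retained for interface compatibility; both branches keyed off it use the same ValueType. */
    private boolean wrapped;
    /** Raw Kerberos session key bytes from the AP-REQ. Never log these. */
    private byte[] rawKey;
    /** Raw authenticator sub-session key bytes, or null if the client sent none. Never log these. */
    private byte[] rawSubKey;
    /** Enctype of whichever key was last used to verify (session key, or sub key after a retry). */
    private int encType;

    /**
     * Resolves an element by its {@code wsu:Id} attribute with a linear scan of the document.
     * Returns the <em>first</em> element carrying the requested Id, which is why
     * {@link #rejectDuplicateIds} runs before any ID-based lookup on untrusted input.
     * Only used for failure diagnostics in {@link #debugVerifyFailure}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/ibm/security/krb5/wss/soap/KerberosSoapReceiver$MyIDResolver.class */
    public static class MyIDResolver implements IDResolver {
        private MyIDResolver() {
        }

        public Element resolveID(Document document, String str) {
            NodeList allElements = document.getElementsByTagName("*");
            if (allElements == null) {
                return null;
            }
            for (int idx = 0; idx < allElements.getLength(); idx++) {
                Element candidate = (Element) allElements.item(idx);
                Attr idAttr = candidate.getAttributeNode(KRBTokenProfileConstants.STR_WSU_ID);
                if (idAttr != null && str.equals(idAttr.getValue())) {
                    return candidate;
                }
            }
            return null;
        }
    }

    /** Handles to the main parts of a generated response envelope. */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/ibm/security/krb5/wss/soap/KerberosSoapReceiver$Response.class */
    public class Response {
        Element rootE;
        Element wsseE;
        Element bodyE;
        Element pingE;

        Response(Element element, Element element2, Element element3, Element element4) {
            this.rootE = element;
            this.wsseE = element2;
            this.bodyE = element3;
            this.pingE = element4;
        }
    }

    public KerberosSoapReceiver() {
        super(KerberosSoapReceiver.class);
        this.faultCode = "wst:InvalidRequest";
        this.debug = new Debug();
        this.wrapped = false;
    }

    /** @param map configuration handed to {@link Programmable}; read back through {@code this.props}. */
    public KerberosSoapReceiver(Map map) {
        super(KerberosSoapReceiver.class, map);
        this.faultCode = "wst:InvalidRequest";
        this.debug = new Debug();
        this.wrapped = false;
    }

    /**
     * Parses the request envelope. On any parse failure the response is set to a SOAP fault
     * so that {@link #processInput} short-circuits.
     *
     * <p>NOTE(review): the input is untrusted; this relies on {@code XMLUtil.parse} having
     * DTD processing / external entity resolution disabled — confirm in XMLUtil.
     */
    @Override // com.ibm.security.krb5.wss.soap.util.TokenReceiver
    public void readInput(InputStream inputStream) throws IllegalStateException {
        try {
            this.docIn = XMLUtil.parse(inputStream);
            this.resp = null;
        } catch (Exception e) {
            // Do not echo parser details to the peer; keep them in the debug log only.
            this.debug.out(5, debugPrefix + "error parsing input: " + e);
            this.resp = XMLUtil.newDocument();
            this.resp.appendChild(new SoapFault().setDetail("error parsing input").toDom(this.resp));
        }
    }

    /**
     * Validates the Kerberos token and request signature, then builds the response.
     *
     * <p>Steps: reject duplicate {@code wsu:Id}s; extract the Base64 AP-REQ; run
     * {@link KerberosTokenConsumer} to get session/sub-session key bytes and enctypes; verify
     * the signature with the session key, retrying with the sub-session key if present and
     * the first attempt fails; finally generate the signed, encrypted Ping reply.
     *
     * <p>Every failure is converted to a SOAP fault in {@link #resp}. A {@link SoapFault}
     * thrown from a helper is used as-is; other runtime exceptions contribute their message
     * (or the current {@link #phaseMessage}); checked exceptions contribute only the phase
     * message, with the detail kept in the debug log.
     */
    @Override // com.ibm.security.krb5.wss.soap.util.TokenReceiver
    public void processInput() throws IllegalStateException {
        if (this.resp != null) {
            return; // readInput already produced a fault
        }
        this.resp = XMLUtil.newDocument();
        try {
            this.phaseMessage = "looking for wsse:Security element";
            this.debug.out(5, debugPrefix + this.phaseMessage);
            rejectDuplicateIds(this.docIn);
            Element securityE = (Element) this.docIn.getElementsByTagNameNS(WSSE_NS, "Security").item(0);
            if (securityE == null) {
                throw new RuntimeException("missing wsse:Security header");
            }
            Element bstE = (Element) securityE.getElementsByTagNameNS(WSSE_NS, "BinarySecurityToken").item(0);
            if (bstE == null) {
                throw new RuntimeException("missing wsse:BinarySecurityToken");
            }
            // Base64 text is ASCII; pin the charset rather than depending on the platform default.
            byte[] apReqB64 = XMLUtil.getElementText(bstE, false).getBytes(StandardCharsets.UTF_8);
            this.debug.out(5, debugPrefix + "The Base64 Encoded ApReqBytes =\n" + new HexDumpEncoder().encodeBuffer(apReqB64));

            this.phaseMessage = "consume the Kerberos token";
            HashMap<String, Object> consumerConfig = new HashMap<String, Object>();
            consumerConfig.put(KerberosTokenConfig.SERVICE_KEYTAB, (String) this.props.get(KEYTABROOTNAME));
            consumerConfig.put("serviceName", (String) this.props.get(SERVICENAME));
            consumerConfig.put("serverPassword", (String) this.props.get(SERVICEPASSWORD));
            consumerConfig.put(KerberosTokenConfig.LOGINCONF, (String) this.props.get(LOGINCONF));
            consumerConfig.put(KerberosTokenConfig.BASE64_TOKEN, apReqB64);
            consumerConfig.put(KerberosTokenConfig.ENCODING, "UTF-8");
            KerberosTokenConsumer tokenConsumer = new KerberosTokenConsumer();
            tokenConsumer.init(consumerConfig);
            HashMap<String, Object> tokenResult = new HashMap<String, Object>();
            tokenConsumer.invoke(tokenResult);
            this.rawKey = (byte[]) tokenResult.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
            this.rawSubKey = (byte[]) tokenResult.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
            this.encType = ((Integer) tokenResult.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC)).intValue();
            // Key material itself is deliberately kept out of the log.
            this.debug.out(5, debugPrefix + "session key length=" + lengthOf(this.rawKey)
                    + " subkey length=" + lengthOf(this.rawSubKey) + " enctype=" + this.encType);

            this.phaseMessage = "verify the signature";
            this.debug.out(5, debugPrefix + XMLUtil.getStringUnchanged(this.docIn));
            Element signatureE = (Element) securityE.getElementsByTagNameNS(DSIG_NS, "Signature").item(0);
            if (signatureE == null) {
                throw new RuntimeException("missing ds:Signature in wsse:Security header");
            }
            SignatureContext verifyContext = new SignatureContext();
            verifyContext.setIDResolver(new RecursiveIDResolver());
            Validity validity = verifyContext.verify(signatureE, keyForEncType(this.encType, this.rawKey));
            byte[] responseKey = this.rawKey;
            if (!validity.getCoreValidity() && this.rawSubKey != null) {
                // The client may have signed with the authenticator sub-session key instead.
                this.debug.out(5, debugPrefix + "Retrying the verify with the subSession Key");
                this.encType = ((Integer) tokenResult.get(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC)).intValue();
                validity = verifyContext.verify(signatureE, keyForEncType(this.encType, this.rawSubKey));
                responseKey = this.rawSubKey;
            }
            if (!validity.getCoreValidity()) {
                this.debug.out(5, debugPrefix + "Signiture Validation Failed because: "
                        + debugVerifyFailure(signatureE.getOwnerDocument(), signatureE, validity));
                throw new RuntimeException("sig validation failed");
            }

            this.phaseMessage = "looking for Ping element";
            // NOTE(review): the payload is located by tag name, not through the signed references,
            // so it is bound to the signature only indirectly (via the duplicate-Id check above and
            // whatever the signature's references cover). Confirm the references include the Body.
            Element pingE = (Element) this.docIn.getElementsByTagNameNS(LocalConstants.PING, "Ping").item(0);
            if (pingE == null) {
                throw new RuntimeException("missing Ping element");
            }
            this.pText = XMLUtil.getElementText(pingE, true);
            genSoapParts(this.resp, this.pText, responseKey, apReqB64);
        } catch (Exception e) {
            this.resp = XMLUtil.newDocument();
            SoapFault fault;
            if (e instanceof SoapFault) {
                fault = (SoapFault) e;
            } else if (e instanceof RuntimeException) {
                String message = e.getMessage();
                if (message == null) {
                    message = this.phaseMessage;
                }
                fault = new SoapFault(this.faultCode).setDetail(message);
            } else {
                // Checked exceptions (crypto provider, signature engine, ...) previously left an
                // empty document behind; answer with a fault, but keep their detail out of it.
                fault = new SoapFault(this.faultCode).setDetail(this.phaseMessage);
            }
            this.resp.appendChild(fault.toDom(this.resp));
            this.debug.out(5, debugPrefix + "failed while '" + this.phaseMessage + "': " + e);
        }
    }

    /** @return the response document produced so far (fault or reply), or null before processing. */
    @Override // com.ibm.security.krb5.wss.soap.util.TokenReceiver
    public Document getResponse() throws IllegalStateException {
        return this.resp;
    }

    /** @return the response serialized with an XML declaration prepended. */
    @Override // com.ibm.security.krb5.wss.soap.util.TokenReceiver
    public String getResponseString() throws IllegalStateException {
        return new XmlHeader().toString() + XMLUtil.getStringUnchanged(getResponse());
    }

    /**
     * Builds the response envelope: a {@code wsse:Security} header with a timestamp, an
     * encrypted-data reference list and an HMAC-SHA1 signature over the timestamp and body,
     * plus a body holding the Ping reply which is then encrypted in place with AES-128-CBC.
     *
     * @param document   empty response document to populate
     * @param str        Ping text to echo back
     * @param bArr       raw Kerberos key bytes (session or sub-session key) for signing and encryption;
     *                   must match {@link #encType}
     * @param bArr2      Base64 AP-REQ bytes, referenced from KeyInfo as the Kerberosv5APREQSHA1 key identifier
     * @return handles to the envelope, security header, body and ping elements
     * @throws RuntimeException wrapping any signing/encryption failure
     */
    private Response genSoapParts(Document document, String str, byte[] bArr, byte[] bArr2) {
        Element envelopeE = document.createElementNS(SOAP_NS, "Envelope");
        envelopeE.setPrefix("soap");
        envelopeE.setAttributeNS(XMLNS_NS, "xmlns:soap", SOAP_NS);
        envelopeE.setAttributeNS(XMLNS_NS, "xmlns:xsd", "http://www.w3.org/2001/XMLSchema");
        envelopeE.setAttributeNS(XMLNS_NS, "xmlns:xsi", "http://www.w3.org/2001/XMLSchema-instance");
        envelopeE.setAttributeNS(XMLNS_NS, "xmlns:xenc", "http://www.w3.org/2001/04/xmlenc#");
        envelopeE.setAttributeNS(XMLNS_NS, "xmlns:wsse", WSSE_NS);
        envelopeE.setAttributeNS(XMLNS_NS, "xmlns:wsu", WSU_NS);
        document.appendChild(envelopeE);

        Element headerE = document.createElementNS(SOAP_NS, "Header");
        headerE.setPrefix("soap");
        envelopeE.appendChild(headerE);

        Element securityE = document.createElementNS(WSSE_NS, "Security");
        securityE.setPrefix("wsse");
        securityE.setAttributeNS(SOAP_NS, "soap:mustUnderstand", "1");
        headerE.appendChild(securityE);

        // NOTE(review): Timestamp and Created are created in the wsse namespace but given the
        // wsu prefix; WS-Security puts them in the wsu namespace. Preserved as-is because the
        // serialized form (and the ID-based signature reference) depends on it — confirm with clients.
        Element timestampE = document.createElementNS(WSSE_NS, ElementLocalNames.WSU_TIMESTAMP);
        timestampE.setPrefix("wsu");
        timestampE.setAttributeNS(WSU_NS, KRBTokenProfileConstants.STR_WSU_ID, ElementSelector.PROCESS_TIMESTAMP);
        Element createdE = document.createElementNS(WSSE_NS, "Created");
        createdE.setPrefix("wsu");
        createdE.appendChild(document.createTextNode(MiscUtils.makeDateTime()));
        timestampE.appendChild(createdE);
        securityE.appendChild(timestampE);
        securityE.appendChild(DsigServices.makeDataReferenceList(document, new String[]{"response"}, "xenc", false));

        Element bodyE = document.createElementNS(SOAP_NS, "Body");
        bodyE.setPrefix("soap");
        bodyE.setAttributeNS(WSU_NS, KRBTokenProfileConstants.STR_WSU_ID, "body");
        Element pingE = SoapPingResponse.makePingElement(document, str);
        bodyE.appendChild(pingE);
        envelopeE.appendChild(bodyE);

        try {
            this.debug.out(5, debugPrefix + "In genSoapParts, about to sign the parts");
            Element signatureE = TemplateTool.genSignatureElem(document,
                    new String[]{ElementSelector.PROCESS_TIMESTAMP, "body"}, HMAC_SHA1_URI, false);
            securityE.appendChild(signatureE);

            // Both the wrapped and unwrapped cases reference the token by AP-REQ SHA-1 key identifier.
            KeyIdentifier keyIdentifier = new KeyIdentifier();
            keyIdentifier.put("ValueType", APREQ_SHA1_VALUE_TYPE);
            keyIdentifier.put("EncodingType", EncodingTypes.B64BINARY);
            keyIdentifier.put("value", bArr2);
            SecurityTokenReference tokenRef = new SecurityTokenReference();
            tokenRef.put(SecurityTokenReference.KEYIDENTIFIER, keyIdentifier);
            signatureE.appendChild(TemplateTool.genKeyInfoElem(document, tokenRef.toDom(document), false));

            SignatureContext signContext = new SignatureContext();
            signContext.setIDResolver(new RecursiveIDResolver());
            this.phaseMessage = "sign the doc";
            this.debug.out(5, debugPrefix + XMLUtil.getStringUnchanged(document));
            this.debug.out(5, debugPrefix + "In genSoapParts, signing with key length=" + lengthOf(bArr)
                    + " enctype=" + this.encType);
            signContext.sign(signatureE, keyForEncType(this.encType, bArr));
            this.debug.out(5, debugPrefix + "signed the doc");

            // NOTE(review): the body is always encrypted with AES regardless of enctype, reusing the
            // raw Kerberos key bytes directly (no KDF). This only works for 16/24/32-byte keys
            // (RC4-HMAC, DES3, AES); a single-DES key cannot form an AES key. Confirm intended.
            SecretKey aesKey = SecretKeyFactory.getInstance("AES", JCE_PROVIDER).generateSecret(new AESKeySpec(bArr));
            this.debug.out(5, debugPrefix + "generated an AES key");
            EncServices.encryptAndReplaceDataContent(document, aesKey, "response", AES128_CBC_URI, bodyE,
                    TemplateTool.genKeyInfoElem(document, tokenRef.toDom(document), true));
            this.debug.out(5, debugPrefix + "signed and encrypted doc\n" + XMLUtil.getStringUnchanged(document));
            return new Response(envelopeE, securityE, bodyE, pingE);
        } catch (Exception e) {
            this.debug.out(5, debugPrefix + "genSoapParts failed: " + e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Sets the JVM-wide {@code javax.security.auth.useSubjectCredsOnly} property.
     * Note this is process-global, not per receiver.
     */
    void setUseSubjectCredsOnly(boolean z) {
        final String value = z ? "true" : "false";
        this.debug.out(3, debugPrefix + "KerberosSoapReceiver: setting useSubjectCredsOnly property to " + z);
        AccessController.doPrivileged(new PrivilegedAction<Void>() { // from class: com.ibm.security.krb5.wss.soap.KerberosSoapReceiver.1
            @Override // java.security.PrivilegedAction
            public Void run() {
                System.setProperty("javax.security.auth.useSubjectCredsOnly", value);
                return null;
            }
        });
    }

    /**
     * Maps raw Kerberos key bytes to the JCE key type for their enctype. Shared by request
     * verification and response signing so both sides derive the key identically.
     *
     * <p>Order matters: RC4-HMAC is tested first via {@link EncryptedData#isRc4HMacEncType},
     * then DES3 (16) and AES (17, 18), then any DES enctype.
     *
     * @throws RuntimeException          for an enctype outside that set
     * @throws GeneralSecurityException  if the IBMJCE factory or key spec is rejected
     */
    private static SecretKey keyForEncType(int encType, byte[] rawKey) throws GeneralSecurityException {
        if (EncryptedData.isRc4HMacEncType(encType)) {
            return SecretKeyFactory.getInstance("RC4", JCE_PROVIDER).generateSecret(new RC4KeySpec(rawKey));
        }
        switch (encType) {
            case ENCTYPE_DES3_CBC_SHA1:
                return SecretKeyFactory.getInstance("DESede", JCE_PROVIDER).generateSecret(new SecretKeySpec(rawKey, "DESede"));
            case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
            case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
                return SecretKeyFactory.getInstance("AES", JCE_PROVIDER).generateSecret(new AESKeySpec(rawKey));
            default:
                if (EncryptedData.isDesEncType(encType)) {
                    return SecretKeyFactory.getInstance("DES", JCE_PROVIDER).generateSecret(new SecretKeySpec(rawKey, "DES"));
                }
                throw new RuntimeException(UNSUPPORTED_ENCTYPE);
        }
    }

    /**
     * Rejects a request in which more than one element carries the same {@code wsu:Id}.
     * Signature references are resolved by Id to the first matching element, so duplicate
     * Ids let an attacker swap a signed element for an unsigned one (XML signature wrapping).
     * Ids are looked up both namespace-aware and by the qualified name the rest of this
     * class uses.
     *
     * @throws RuntimeException if a duplicate is found (becomes a SOAP fault in processInput)
     */
    private static void rejectDuplicateIds(Document document) {
        NodeList allElements = document.getElementsByTagName("*");
        if (allElements == null) {
            return;
        }
        Set<String> seen = new HashSet<String>();
        for (int idx = 0; idx < allElements.getLength(); idx++) {
            Element el = (Element) allElements.item(idx);
            Attr idAttr = el.getAttributeNodeNS(WSU_NS, "Id");
            if (idAttr == null) {
                idAttr = el.getAttributeNode(KRBTokenProfileConstants.STR_WSU_ID);
            }
            if (idAttr != null && !seen.add(idAttr.getValue())) {
                throw new RuntimeException("duplicate wsu:Id in request");
            }
        }
    }

    /** Length of a byte array for logging, without exposing its contents. */
    private static int lengthOf(byte[] bytes) {
        return bytes == null ? -1 : bytes.length;
    }

    /**
     * Builds a diagnostic message listing each failed signature reference, and dumps the
     * exclusive-canonicalized form of each referenced element to {@code c14n.txt} in the
     * working directory to allow comparison with what the client signed.
     *
     * <p>NOTE(review): this writes attacker-supplied XML to the working directory; it is a
     * debug aid and should not be reachable in production deployments.
     */
    private static String debugVerifyFailure(Document document, Element element, Validity validity) {
        StringBuilder message = new StringBuilder("signature validation failed");
        for (int i = 0; i < validity.getNumberOfReferences(); i++) {
            if (validity.getReferenceValidity(i)) {
                continue;
            }
            String uri = validity.getReferenceURI(i);
            message.append(" on URI ").append(uri).append(" because ").append(validity.getReferenceMessage(i));
            // Only same-document fragment references can be resolved by Id.
            if (uri == null || !uri.startsWith("#")) {
                continue;
            }
            Element referenced = new MyIDResolver().resolveID(document, uri.substring(1));
            if (referenced == null) {
                continue;
            }
            FileOutputStream dump = null;
            try {
                dump = new FileOutputStream("c14n.txt");
                new ExclusiveC11r().canonicalize(referenced, dump);
            } catch (IOException e) {
                message.append(" (c14n dump failed: ").append(e).append(')');
            } finally {
                if (dump != null) {
                    try {
                        dump.close();
                    } catch (IOException ignored) {
                        // best-effort debug dump; nothing further to do
                    }
                }
            }
        }
        return message.toString();
    }
}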
