package com.ibm.wsspi.wssecurity.token;

import com.ibm.uddi.promoter.PromoterConstants;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.webservices.wssecurity.Constants;
import com.ibm.ws.webservices.wssecurity.token.TokenManager;
import com.ibm.ws.webservices.wssecurity.util.DOMUtil;
import com.ibm.ws.webservices.wssecurity.util.IdUtil;
import com.ibm.ws.webservices.wssecurity.util.NamespaceUtil;
import com.ibm.ws.wssecurity.xss4j.AlgorithmFactory;
import com.ibm.ws.wssecurity.xss4j.dsig.KeyInfo;
import com.ibm.ws.wssecurity.xss4j.dsig.util.Base64;
import com.ibm.wsspi.webservices.rpc.handler.soap.SOAPMessageContext;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.callback.PropertyCallback;
import com.ibm.wsspi.wssecurity.auth.callback.X509BSCallback;
import com.ibm.wsspi.wssecurity.auth.token.TokenId;
import com.ibm.wsspi.wssecurity.auth.token.X509BSToken;
import com.ibm.wsspi.wssecurity.config.CallbackHandlerConfig;
import com.ibm.wsspi.wssecurity.config.TokenGeneratorConfig;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.Hex;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:com/ibm/wsspi/wssecurity/token/X509TokenGenerator.class */
public class X509TokenGenerator implements TokenGeneratorComponent {
    // Matches the "security.wssecurity" prefix of the message keys used in this file;
    // the constant itself is not referenced in the visible part of the class.
    private static final String comp = "security.wssecurity";
    // Presumably the byte lengths of the two key-identifier forms (ITSHA1 / IT60SHA1) - confirm in makeIdentifier.
    private static final int ITSHA1_OCTETS = 20;
    private static final int IT60SHA1_OCTETS = 8;
    // 2.5.29.14 is the X.509 SubjectKeyIdentifier extension OID.
    private static final String OID_KEYIDENTIFIER = "2.5.29.14";
    // BER/DER tag bytes: 48 (0x30) = SEQUENCE, 3 (0x03) = BIT STRING.
    private static final byte BER_SEQUENCE = 48;
    private static final byte BER_BITSTRING = 3;
    // Bit flags combined into CertInformation._status. getInfo adds 1 when encoding the
    // certificate fails and 2 when building the key identifier fails; no visible code sets 4.
    private static final int STATUS_OK = 0;
    private static final int STATUS_CERT_ERROR = 1;
    private static final int STATUS_KEYID_ERROR = 2;
    private static final int STATUS_KEY_ERROR = 4;
    // Per-generator cache, looked up by X509Certificate in getInfo; Hashtable is synchronized.
    private final Map _cert2info = new Hashtable();
    // Set to true by init(Map); not read elsewhere in the visible part of the class.
    private boolean _initialized = false;
    private static final TraceComponent tc = Tr.register(X509TokenGenerator.class, UNTConsumeCallbackHandler.TR_GROUP, "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    // Used to label Tr.processException calls with the originating class.
    private static final String clsName = X509TokenGenerator.class.getName();
    // Attribute names written onto the BinarySecurityToken element by createTokenElement.
    private static final String VALUE_TYPE = "ValueType".intern();
    private static final String ENCODING_TYPE = "EncodingType".intern();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/ibm/wsspi/wssecurity/token/X509TokenGenerator$CertInformation.class */
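    /**
     * Cached, pre-computed view of one certificate: its Base64 encoding, encoded
     * subject/issuer names, serial number and key identifiers, plus an error status.
     *
     * <p>Every getter fails with the stored error message when the relevant status
     * bit is set, and re-checks the certificate's expiry time on each call, so a
     * cached entry stops being served once the certificate has expired.
     */
    public static class CertInformation {
        /** Status bit: the certificate itself could not be encoded or is no longer valid. */
        private static final int CERT_ERROR = 1;
        /** Status bit: the key identifiers could not be computed. */
        private static final int KEYID_ERROR = 2;

        private final String _kspath;
        private final String _alias;
        private final String _binary;
        private final String _subjectDN;
        private final String _encSubjectDN;
        private final String _issuerDN;
        private final String _encIssuerDN;
        private final String _issuerSerial;
        private final String _b64KeyId;
        private final String _b64KeyId60;
        private final String _hexKeyId;
        private final String _hexKeyId60;
        private int _status;
        private final long _expiration;
        private String _errorMes;

        private CertInformation(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, String str12, long j, int i, String str13) {
            this._kspath = str;
            this._alias = str2;
            this._binary = str3;
            this._subjectDN = str4;
            this._encSubjectDN = str5;
            this._issuerDN = str6;
            this._encIssuerDN = str7;
            this._issuerSerial = str8;
            this._b64KeyId = str9;
            this._b64KeyId60 = str10;
            this._hexKeyId = str11;
            this._hexKeyId60 = str12;
            this._expiration = j;
            this._status = i;
            this._errorMes = str13;
        }

        /**
         * @return the Base64 text of the encoded certificate
         * @throws SoapSecurityException if the certificate is flagged as unusable or has expired
         */
        public String getBinary() throws SoapSecurityException {
            ensureUsable(CERT_ERROR);
            return this._binary;
        }

        /**
         * @return the encoded subject distinguished name
         * @throws SoapSecurityException if the certificate is flagged as unusable or has expired
         */
        public String getSubjectName() throws SoapSecurityException {
            ensureUsable(CERT_ERROR);
            return this._encSubjectDN;
        }

        /**
         * @return the encoded issuer distinguished name
         * @throws SoapSecurityException if the certificate is flagged as unusable or has expired
         */
        public String getIssuerName() throws SoapSecurityException {
            ensureUsable(CERT_ERROR);
            return this._encIssuerDN;
        }

        /**
         * @return the certificate serial number as a decimal string
         * @throws SoapSecurityException if the certificate is flagged as unusable or has expired
         */
        public String getIssuerSerial() throws SoapSecurityException {
            ensureUsable(CERT_ERROR);
            return this._issuerSerial;
        }

        /**
         * @return the Base64 form of the default key identifier
         * @throws SoapSecurityException if the certificate or its key identifier is flagged
         *         as unusable, or the certificate has expired
         */
        public String getB64KeyId() throws SoapSecurityException {
            ensureUsable(CERT_ERROR | KEYID_ERROR);
            return this._b64KeyId;
        }

        /**
         * @return the Base64 form of the IT60SHA1 key identifier
         * @throws SoapSecurityException if the certificate or its key identifier is flagged
         *         as unusable, or the certificate has expired
         */
        public String getB64KeyId60() throws SoapSecurityException {
            ensureUsable(CERT_ERROR | KEYID_ERROR);
            return this._b64KeyId60;
        }

        /**
         * @return the hex form of the default key identifier
         * @throws SoapSecurityException if the certificate or its key identifier is flagged
         *         as unusable, or the certificate has expired
         */
        public String getHexKeyId() throws SoapSecurityException {
            ensureUsable(CERT_ERROR | KEYID_ERROR);
            return this._hexKeyId;
        }

        /**
         * @return the hex form of the IT60SHA1 key identifier
         * @throws SoapSecurityException if the certificate or its key identifier is flagged
         *         as unusable, or the certificate has expired
         */
        public String getHexKeyId60() throws SoapSecurityException {
            ensureUsable(CERT_ERROR | KEYID_ERROR);
            return this._hexKeyId60;
        }

        /**
         * Rejects the entry when any bit of {@code errorMask} is set, then re-checks expiry.
         *
         * <p>The key-identifier getters previously tested {@code (_status & 2) == 4}, which
         * can never be true, so a recorded key-identifier failure was silently ignored and
         * the getter handed back a null identifier. The mask test below raises the stored
         * error instead.
         */
        private void ensureUsable(int errorMask) throws SoapSecurityException {
            if ((this._status & errorMask) != 0) {
                throw new SoapSecurityException(this._errorMes);
            }
            checkExpiration();
        }

        /**
         * Marks the entry as failed and throws once the certificate's not-after time
         * has passed. A negative expiration value disables the check.
         */
        private void checkExpiration() throws SoapSecurityException {
            if (this._expiration < 0) {
                return;
            }
            long remainingMillis = this._expiration - System.currentTimeMillis();
            if (remainingMillis < 0) {
                // Set the flag bit rather than incrementing: the entry is shared through the
                // cache, and a repeated increment would turn 1 into 2 and clear the error bit.
                this._status |= CERT_ERROR;
                this._errorMes = ConfigUtil.getMessage("security.wssecurity.WSEC5181E", new String[]{this._subjectDN, this._alias, this._kspath, "expiration time - current system time = " + remainingMillis + " ms."});
                throw new SoapSecurityException(this._errorMes);
            }
        }

        /** Returns a short diagnostic string; certificate contents are deliberately left out. */
        @Override
        public String toString() {
            StringBuilder text = new StringBuilder(getClass().getName()).append("(");
            text.append("keystorePath=[").append(this._kspath).append("], ");
            text.append("alias=[").append(this._alias).append("], ");
            text.append("status=[").append(this._status).append("], ");
            text.append(")");
            return text.toString();
        }
    }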

    /**
     * Marks this generator as initialised. The supplied map is not read.
     *
     * @param map configuration properties (unused by this implementation)
     * @throws SoapSecurityException declared, but never thrown by this implementation
     */
    public void init(Map map) throws SoapSecurityException {
        final String method = "init(Map map)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, method);
        }
        // Latch the flag on the first call; later calls leave it untouched.
        if (this._initialized == false) {
            this._initialized = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, method);
        }
    }

    /**
     * Produces the X.509 binary security token for an outbound message.
     *
     * <p>Steps, in order: read the generator configuration and key-info type from the
     * context map; obtain the certificate (from the initial-sender property when identity
     * assertion is on, otherwise from the configured callback handler); look up or build
     * the cached {@code CertInformation}; decide whether an existing token can be reused;
     * publish the key-info values into the context map; create or clone the token element,
     * insert it as the first child of {@code element} when required, and register the token.
     *
     * @param document owner document used to create the token element
     * @param element  parent element the token is inserted into; must not be null
     * @param map      context map; several entries are removed from it and rewritten
     * @throws SoapSecurityException on a null parent, an unsupported value type, a callback
     *         handler failure, or when no certificate or encoded certificate is available
     */
    public void invoke(Document document, Element element, Map map) throws SoapSecurityException {
        boolean isKeyInfoKeyname;
        boolean isKeyInfoKeyid;
        boolean isKeyInfoStrref;
        boolean isKeyInfoEmb;
        boolean isKeyInfoX509issuer;
        Object property;
        String str;
        String encodeDName;
        Object property2;
        Object obj;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invoke(Document doc[" + DOMUtil.getDisplayName(document) + "],Element parent[" + DOMUtil.getDisplayName(element) + "],Map context)");
        }
        if (element == null) {
            throw SoapSecurityException.format("security.wssecurity.WSSGenerator.s03", AppConstants.NULL_STRING);
        }
        // NOTE(review): the config is taken out of the map and dereferenced at getType()
        // without a null check; a context without CONFIG_KEY fails with an NPE here.
        TokenGeneratorConfig tokenGeneratorConfig = (TokenGeneratorConfig) map.remove(TokenGeneratorConfig.CONFIG_KEY);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "TokenGeneratorConfig [" + tokenGeneratorConfig + "].");
        }
        // Only the four X.509 value types below are accepted.
        QName type = tokenGeneratorConfig.getType();
        if (!Constants.X509V3.equals(type) && !Constants.X509V3_OLD.equals(type) && !Constants.PKI_PATH.equals(type) && !Constants.PKCS7.equals(type)) {
            throw new SoapSecurityException("Unsupported value type: " + type);
        }
        SOAPMessageContext sOAPMessageContext = (SOAPMessageContext) map.get("com.ibm.wsspi.wssecurity.core.messageContext");
        // i = WS-Security version index, 0 unless the context holds an Integer. It is passed
        // to createTokenElement, which uses it as an array index without a range check.
        int i = 0;
        Object obj2 = map.get("com.ibm.ws.webservices.wssecurity.constants.wssVersion");
        if (obj2 != null && (obj2 instanceof Integer)) {
            i = ((Integer) obj2).intValue();
        }
        boolean isStandAlone = tokenGeneratorConfig.isStandAlone();
        // str2 = key-info type string; null means none of the key-info modes applies.
        String str2 = (String) map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEYINFO_TYPE);
        if (str2 == null) {
            isKeyInfoX509issuer = false;
            isKeyInfoEmb = false;
            isKeyInfoStrref = false;
            isKeyInfoKeyid = false;
            isKeyInfoKeyname = false;
        } else {
            isKeyInfoKeyname = ConfigUtil.isKeyInfoKeyname(str2);
            isKeyInfoKeyid = ConfigUtil.isKeyInfoKeyid(str2);
            isKeyInfoStrref = ConfigUtil.isKeyInfoStrref(str2);
            isKeyInfoEmb = ConfigUtil.isKeyInfoEmb(str2);
            isKeyInfoX509issuer = ConfigUtil.isKeyInfoX509issuer(str2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "KeyInfoType: isKeyName, isKeyId, isStrref, isEmb, isX509: " + isKeyInfoKeyname + PromoterConstants.DELIMITER_WITH_SPACE + isKeyInfoKeyid + PromoterConstants.DELIMITER_WITH_SPACE + isKeyInfoStrref + PromoterConstants.DELIMITER_WITH_SPACE + isKeyInfoEmb + PromoterConstants.DELIMITER_WITH_SPACE + isKeyInfoX509issuer + ".");
        }
        CallbackHandlerConfig callbackHandler = tokenGeneratorConfig.getCallbackHandler();
        if (tc.isDebugEnabled()) {
            // NOTE(review): the message is labelled CallbackHandlerConfig but prints
            // tokenGeneratorConfig, not callbackHandler.
            Tr.debug(tc, "CallbackHandlerConfig [" + tokenGeneratorConfig + "].");
        }
        // z = identity assertion enabled, read from the callback handler's properties.
        boolean z = false;
        if (callbackHandler != null && (obj = callbackHandler.getProperties().get(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_USE_IDASSERTION)) != null) {
            z = ConfigUtil.isTrue(obj.toString());
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "identityAssertion is [" + z + "].");
        }
        // x509Certificate = certificate to send; str3 = keystore path; str4 = alias.
        X509Certificate x509Certificate = null;
        String str3 = null;
        String str4 = null;
        if (z) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking the cert of initial sender...");
            }
            // NOTE(review): the certificate is taken from the message-context property as-is.
            // This method does not check how it got there; confirm the property is only set
            // after the inbound sender token has been validated.
            if (sOAPMessageContext != null && (property2 = sOAPMessageContext.getProperty("com.ibm.wsspi.wssecurity.username.initialSenderCert")) != null && (property2 instanceof X509Certificate)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The cert of initial sender is used.");
                }
                x509Certificate = (X509Certificate) property2;
                str4 = "Initial sender certificate";
            }
        }
        // Fall back to the callback handler when identity assertion produced no certificate.
        if (x509Certificate == null && callbackHandler != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Invoking callback handler...");
            }
            HashMap hashMap = new HashMap();
            String className = callbackHandler.getClassName();
            CallbackHandler callbackHandlerConfig = callbackHandler.getInstance();
            if (callbackHandlerConfig == null) {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Instantiating the callback handler [" + className + "]...");
                    }
                    // NOTE(review): className comes from the callback-handler configuration. The
                    // assignability check below runs only after the class has been loaded (and,
                    // on the Class.forName fallback, initialised), so the configuration source
                    // has to be trusted.
                    ClassLoader classLoader = (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.X509TokenGenerator.1
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return Thread.currentThread().getContextClassLoader();
                        }
                    });
                    Class<?> loadClass = classLoader != null ? classLoader.loadClass(className) : Class.forName(className);
                    if (!CallbackHandler.class.isAssignableFrom(loadClass)) {
                        throw SoapSecurityException.format("security.wssecurity.ConfigUtil.s17", className, CallbackHandler.class.getName());
                    }
                    // The handler is built through its (Map) constructor and cached on the config.
                    hashMap.put(CallbackHandlerConfig.CONFIG_KEY, callbackHandler);
                    callbackHandlerConfig = (CallbackHandler) loadClass.getConstructor(Map.class).newInstance(hashMap);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Succeeded to Instantiate the callback handler [" + className + "].");
                    }
                    callbackHandler.setInstance(callbackHandlerConfig);
                } catch (SoapSecurityException e) {
                    throw e;
                } catch (Exception e2) {
                    Tr.processException(e2, clsName + ".invoke", "312");
                    Tr.error(tc, "security.wssecurity.X509TokenGenerator.s01", new Object[]{className, e2});
                    throw SoapSecurityException.format("security.wssecurity.X509TokenGenerator.s01", className, e2);
                }
            }
            // str = key name reference handed to the callback handler.
            if (isStandAlone) {
                str = TokenGeneratorComponent.STANDALONE;
            } else {
                str = (String) map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_NAMEREF);
                if (str != null && (encodeDName = KeyInfo.X509Data.encodeDName(str)) != null && encodeDName.length() > 0) {
                    str = encodeDName;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Reference name of a key[" + str + "].");
            }
            // hashMap2 = properties passed to the handler through PropertyCallback.
            HashMap hashMap2 = new HashMap();
            if (sOAPMessageContext != null) {
                hashMap2.put("com.ibm.wsspi.wssecurity.core.messageContext", sOAPMessageContext);
            }
            hashMap2.put(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_NAMEREF, str);
            if (tokenGeneratorConfig.getProvider() != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Provider is " + tokenGeneratorConfig.getProvider() + ".");
                }
                hashMap2.put(X509BSToken.PROVIDER, tokenGeneratorConfig.getProvider());
            }
            if (tokenGeneratorConfig.getCertStores() != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "A list of cert stores are " + tokenGeneratorConfig.getCertStores() + ".");
                }
                hashMap2.put(X509BSToken.CERT_STORES, tokenGeneratorConfig.getCertStores());
            }
            Callback[] callbackArr = {new X509BSCallback(), new PropertyCallback(hashMap2)};
            try {
                callbackHandlerConfig.handle(callbackArr);
                X509BSCallback x509BSCallback = (X509BSCallback) callbackArr[0];
                x509Certificate = x509BSCallback.getCert();
                // NOTE(review): r26 has no declaration anywhere in this method, so the listing
                // does not compile as shown; this looks like a decompiler artefact. From its
                // uses it holds the Base64 text of the token binary.
                r26 = x509BSCallback.getBinary() != null ? Base64.encode(x509BSCallback.getBinary()) : null;
                str3 = x509BSCallback.getKeyStorePath();
                str4 = x509BSCallback.getAlias();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Succeeded to invoke the callback handler [" + className + "].");
                }
            } catch (IOException e3) {
                // Report the underlying cause when the IOException wraps one.
                IOException iOException = e3;
                if (e3.getCause() != null) {
                    iOException = e3.getCause();
                }
                Tr.processException(e3, clsName + ".invoke", "389");
                Tr.error(tc, "security.wssecurity.X509TokenGenerator.s02", new Object[]{className, iOException});
                SoapSecurityException format = SoapSecurityException.format("security.wssecurity.X509TokenGenerator.s02", className, iOException);
                format.initCause(e3);
                throw format;
            } catch (UnsupportedCallbackException e4) {
                Tr.processException(e4, clsName + ".invoke", "380");
                Tr.error(tc, "security.wssecurity.X509TokenGenerator.s02", new Object[]{className, e4});
                SoapSecurityException format2 = SoapSecurityException.format("security.wssecurity.X509TokenGenerator.s02", className, e4);
                format2.initCause(e4);
                throw format2;
            }
        }
        // Fetch (or build) the cached per-certificate information.
        CertInformation info = getInfo(this._cert2info, str3, str4, x509Certificate, r26);
        if (info == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: Can't get necessary information about the certificate");
            }
        } else if (r26 == null) {
            r26 = info.getBinary();
        }
        // Without both a certificate and its encoded form no token can be produced.
        if (x509Certificate == null || r26 == null) {
            throw SoapSecurityException.format("security.wssecurity.KeyStoreKeyLocator.setCertToSubject01");
        }
        // checkToken = token already registered for this config, key-info type and certificate.
        X509BSToken checkToken = checkToken(map, tokenGeneratorConfig, str2, x509Certificate);
        // z2: pass the parent to createTokenElement; z3: build a new element (otherwise clone
        // the existing token's element); z4: insert the element into the parent; z5: register
        // the token through setTokenToSubject.
        boolean z2 = false;
        boolean z3 = true;
        boolean z4 = false;
        boolean z5 = true;
        // str5: Id attribute value for the new element; str6: token identifier; str7: "#id"
        // reference; str8: key id; str9: key name; str10/str11: issuer name and serial.
        String str5 = null;
        String str6 = null;
        String str7 = null;
        String str8 = null;
        String str9 = null;
        String str10 = null;
        String str11 = null;
        if (isStandAlone || isKeyInfoStrref || isKeyInfoEmb) {
            // z6: a fresh token identifier is needed.
            boolean z6 = true;
            if (checkToken != null) {
                if (isStandAlone || isKeyInfoStrref) {
                    z6 = false;
                    z3 = false;
                    z5 = false;
                } else if (isKeyInfoEmb) {
                    z3 = false;
                    z5 = true;
                }
            }
            if (z6) {
                // Prefer an identifier propagated through the message context for this token type.
                if (sOAPMessageContext != null && (property = sOAPMessageContext.getProperty(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_TOKEN_PROPERGATION)) != null && (property instanceof Set)) {
                    for (Object obj3 : (Set) property) {
                        if (obj3 instanceof TokenId) {
                            TokenId tokenId = (TokenId) obj3;
                            if (tokenGeneratorConfig.getType().equals(tokenId.getType())) {
                                if (str6 == null) {
                                    str6 = tokenId.getId();
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "More than one TokenId objects are found. Since the runtime tentatively uses the first identifier + \"" + str6 + "\", it neglects the identifier \"" + tokenId.getId() + "\".");
                                }
                            }
                        }
                    }
                }
                if (str6 == null) {
                    str6 = IdUtil.getInstance().makeUniqueId(document, "x509bst_");
                }
                z2 = true;
                z4 = true;
            } else {
                str6 = checkToken.getId();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "TokenIdentifier [" + str6 + "].");
            }
            if (isKeyInfoStrref) {
                str5 = str6;
                str7 = "#" + str6;
            } else if (isStandAlone) {
                str5 = str6;
            }
        } else if (isKeyInfoKeyid) {
            if (info != null) {
                // qName = requested encoding (Base64 unless HEX_BINARY); qName2 = identifier type
                // (ITSHA1 unless IT60SHA1). Anything else is rejected.
                QName qName = (QName) map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_ENCODING);
                QName qName2 = (QName) map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_IDTYPE);
                if (qName != null && !NamespaceUtil.equals(qName, Constants.BASE64_BINARY)) {
                    if (!NamespaceUtil.equals(qName, Constants.HEX_BINARY)) {
                        throw SoapSecurityException.format("security.wssecurity.BinaryTokenReceiver.token15", qName.toString());
                    }
                    if (qName2 == null || NamespaceUtil.equals(qName2, Constants.ITSHA1)) {
                        str6 = info.getHexKeyId();
                    } else {
                        if (!NamespaceUtil.equals(qName2, Constants.IT60SHA1)) {
                            throw new SoapSecurityException(ConfigUtil.getMessage("security.wssecurityKeyStoreKeyLocator.generateIdentifier01") + ": " + qName2);
                        }
                        str6 = info.getHexKeyId60();
                    }
                } else if (qName2 == null || NamespaceUtil.equals(qName2, Constants.ITSHA1)) {
                    str6 = info.getB64KeyId();
                } else {
                    if (!NamespaceUtil.equals(qName2, Constants.IT60SHA1)) {
                        throw new SoapSecurityException(ConfigUtil.getMessage("security.wssecurityKeyStoreKeyLocator.generateIdentifier01") + ": " + qName2);
                    }
                    str6 = info.getB64KeyId60();
                }
                str8 = str6;
                if (checkToken != null && str6.equals(checkToken.getId())) {
                    z3 = false;
                    z5 = false;
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: Can't get necessary information about the certificate");
            }
        } else if (isKeyInfoKeyname) {
            if (info != null) {
                str6 = info.getSubjectName();
                str9 = str6;
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: Can't get necessary information about the certificate");
            }
            // NOTE(review): str6 is still null when info == null, so str6.equals(...) throws a
            // NullPointerException if a matching token exists.
            if (checkToken != null && str6.equals(checkToken.getId())) {
                z3 = false;
                z5 = false;
            }
        } else if (isKeyInfoX509issuer) {
            if (info != null) {
                str6 = info.getIssuerName() + ":" + info.getIssuerSerial();
                str10 = info.getIssuerName();
                str11 = info.getIssuerSerial();
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: Can't get necessary information about the certificate");
            }
            // NOTE(review): same null-dereference risk on str6 as in the key-name branch.
            if (checkToken != null && str6.equals(checkToken.getId())) {
                z3 = false;
                z5 = false;
            }
        }
        // Publish the key-info values; each key is removed when its value does not apply so
        // that nothing stale from an earlier generator stays in the context.
        if (isKeyInfoEmb) {
            map.put(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_EMBID, str6);
        } else {
            map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_EMBID);
        }
        if (str7 != null) {
            map.put(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_REFERENCE, str7);
        } else {
            map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_REFERENCE);
        }
        if (str8 != null) {
            map.put(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_ID, str8);
        } else {
            map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_ID);
        }
        if (str9 != null) {
            map.put(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_NAME, str9);
        } else {
            map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_NAME);
        }
        if (str10 != null) {
            map.put(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_ISSUERNAME, str10);
        } else {
            map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_ISSUERNAME);
        }
        if (str11 != null) {
            map.put(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_ISSUERSERIAL, str11);
        } else {
            map.remove(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_KEY_ISSUERSERIAL);
        }
        // Build a new token element or deep-clone the element of the token being reused.
        Element element2 = null;
        if (z4 || z5) {
            if (z3) {
                element2 = createTokenElement(document, z2 ? element : null, tokenGeneratorConfig.getType(), r26, str5, i);
            } else if (checkToken != null) {
                element2 = (Element) checkToken.getElement().cloneNode(true);
            }
        }
        // The token goes in as the first child of the parent element.
        if (z4) {
            element2 = (Element) element.insertBefore(element2, element.getFirstChild());
        }
        if (z5) {
            setTokenToSubject(map, tokenGeneratorConfig, x509Certificate, str6, str2, element2);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Document doc,Element parent,Map context)");
        }
    }

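    /**
     * Looks for a token already registered in the context that was produced by the same
     * generator configuration, for the same key-info type and the same certificate.
     *
     * <p>When several tokens match, the last one returned by the set's iterator wins.
     * The key-info type comparison is null-safe: {@code invoke} may register a token with
     * a null key-info type and later look it up with null again, which previously ended
     * in a NullPointerException instead of a match.
     *
     * @param map                  context map the token manager reads from
     * @param tokenGeneratorConfig configuration the token must have been generated with
     * @param str                  key-info type to match; may be null
     * @param x509Certificate      certificate the token must carry
     * @return the matching token, or null when none is registered
     * @throws SoapSecurityException declared, but not thrown by the visible code
     */
    private static X509BSToken checkToken(Map map, TokenGeneratorConfig tokenGeneratorConfig, String str, X509Certificate x509Certificate) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkToken(Map context,TokenGeneratorConfig config,String keyInfoType[" + str + "],X509Certificate cert)");
        }
        X509BSToken match = null;
        Set tokens = TokenManager.getTokens(map);
        if (tokens != null && !tokens.isEmpty()) {
            for (Object candidate : tokens) {
                if (!(candidate instanceof X509BSToken)) {
                    continue;
                }
                X509BSToken token = (X509BSToken) candidate;
                if (!token.getUsedTokenGenerator().equals(tokenGeneratorConfig)) {
                    continue;
                }
                String tokenKeyInfoType = token.getKeyInfoType();
                boolean sameKeyInfoType = tokenKeyInfoType == null ? str == null : tokenKeyInfoType.equals(str);
                if (sameKeyInfoType && token.getCert().equals(x509Certificate)) {
                    match = token;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            // The original logged the return through Tr.entry, leaving entry/exit traces unbalanced.
            Tr.exit(tc, "checkToken(Map context,TokenGeneratorConfig config,String keyInfoType,X509Certificate cert) returns X509BSToken[" + match + "]");
        }
        return match;
    }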

    /* JADX INFO: Access modifiers changed from: protected */
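    /**
     * Builds a {@code BinarySecurityToken} element carrying the Base64 token text.
     *
     * <p>The wsse and wsu prefixes already bound on {@code element} are reused; when a
     * namespace is not bound (or no parent is given) the element declares {@code wsse} /
     * {@code wsu} itself. The returned element is not attached to the document.
     *
     * @param document owner document used to create nodes
     * @param element  parent used only for namespace-prefix lookup; may be null
     * @param qName    token value type written to the ValueType attribute
     * @param str      Base64 token text; no text node is added when null
     * @param str2     value for the wsu Id attribute; the attribute is omitted when null
     * @param i        WS-Security version, used as an index into {@code Constants.NAMESPACES};
     *                 it is not range-checked here, so callers must pass a supported version
     * @return the new, detached token element
     */
    public static Element createTokenElement(Document document, Element element, QName qName, String str, String str2, int i) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createTokenElement(Document doc[" + DOMUtil.getDisplayName(document) + "],Element parent[" + DOMUtil.getDisplayName(element) + "],QName tokenType[" + qName + "],String binary,String insertId[" + str2 + "],int wssVersion[" + i + "])");
        }
        String wsseNamespace = Constants.NAMESPACES[0][i];
        String wsuNamespace = Constants.NAMESPACES[1][i];
        boolean declareWsse = false;
        String wssePrefix = null;
        if (element != null) {
            wssePrefix = DOMUtil.getNamespacePrefix(element, wsseNamespace);
        }
        if (wssePrefix == null) {
            declareWsse = true;
            wssePrefix = "wsse:";
        } else if (wssePrefix.length() > 0) {
            wssePrefix = wssePrefix + ":";
        }
        Element token = document.createElementNS(wsseNamespace, wssePrefix + "BinarySecurityToken");
        if (declareWsse) {
            token.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsse", wsseNamespace);
        }
        if (str2 != null) {
            boolean declareWsu = false;
            // Guard the lookup the same way as the wsse one above: the parent may be null,
            // and the original passed it to the prefix lookup unchecked.
            String wsuPrefix = null;
            if (element != null) {
                wsuPrefix = DOMUtil.getNamespacePrefix(element, wsuNamespace);
            }
            if (wsuPrefix == null) {
                declareWsu = true;
                wsuPrefix = "wsu:";
            } else if (wsuPrefix.length() > 0) {
                wsuPrefix = wsuPrefix + ":";
            }
            if (declareWsu) {
                token.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:wsu", wsuNamespace);
            }
            token.setAttributeNS(wsuNamespace, wsuPrefix + "Id", str2);
        }
        DOMUtil.setQNameAttr(token, (String) null, ENCODING_TYPE, Constants.BASE64_BINARY, i);
        DOMUtil.setQNameAttr(token, (String) null, VALUE_TYPE, qName, i);
        if (str != null) {
            token.appendChild(document.createTextNode(str));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createTokenElement(Document doc,Element parent,QName valueType,byte[] binary,String insertId,int wssVersion) returns Element[" + DOMUtil.getDisplayName(token) + "]");
        }
        return token;
    }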

    /**
     * Wraps the certificate in an {@code X509BSToken} and registers it with the token manager.
     *
     * @param map                  context map the token manager stores the token in
     * @param tokenGeneratorConfig generator configuration; supplies the token type and the
     *                             stand-alone flag, and is recorded on the token
     * @param x509Certificate      certificate the token represents
     * @param str                  token identifier
     * @param str2                 key-info type recorded on the token; may be null
     * @param element              DOM element of the token; may be null
     */
    private static void setTokenToSubject(Map map, TokenGeneratorConfig tokenGeneratorConfig, X509Certificate x509Certificate, String str, String str2, Element element) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setTokenToSubject(Map context,TokenGeneratorConfig config,X509Certificate cert,String tokenId[" + str + "],String keyInfoType[" + str2 + "],Element elem[" + DOMUtil.getDisplayName(element) + "])");
        }
        final X509BSToken token = new X509BSToken(str, x509Certificate, tokenGeneratorConfig.getType());
        token.setElement(element);
        // A token counts as referenced exactly when the generator is not stand-alone.
        final boolean standAlone = tokenGeneratorConfig.isStandAlone();
        token.setReferenced(standAlone ? false : true);
        token.setUsedTokenGenerator(tokenGeneratorConfig);
        token.setKeyInfoType(str2);
        TokenManager.setToken(map, token);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setTokenToSubject(Map context,TokenGeneratorConfig config,X509Certificate cert,String tokenId,Element elem)");
        }
    }

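    /**
     * Returns the {@code CertInformation} for a certificate, building and caching it on first use.
     *
     * <p>When no cached entry exists and the certificate is non-null, the method collects the
     * subject and issuer names, the serial number, the not-after time, the Base64 form of the
     * certificate and its key identifiers, and stores the result in {@code map}. Problems are
     * not thrown; they are recorded in the entry as an error code plus message:
     * {@code 0} means nothing was recorded, {@code 1} means the certificate could not be
     * encoded or failed its validity-period check, {@code 2} means the key identifiers could
     * not be derived.
     *
     * <p>NOTE(review): a cached entry is returned as-is, so the validity period is only
     * evaluated when the entry is first built. A certificate that expires while cached keeps
     * its original status; callers that need current validity should re-check it themselves.
     *
     * @param map cache keyed by certificate
     * @param str key store path, used in error messages and stored in the entry
     * @param str2 certificate alias, used in error messages and stored in the entry
     * @param x509Certificate certificate to describe; may be null, in which case only the
     *        cache lookup is performed
     * @param str3 Base64 text of the certificate, or null to have it computed here
     * @return the cached or newly built entry, or null when nothing is cached and the
     *         certificate is null
     * @throws SoapSecurityException declared by the signature; not thrown by the visible code
     */
    private static CertInformation getInfo(Map map, String str, String str2, X509Certificate x509Certificate, String str3) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getInfo(Map cert2info,String kspath[" + str + "],String alias[" + str2 + "],X509Certificate x509,String binary)");
        }
        CertInformation certInformation = (CertInformation) map.get(x509Certificate);
        if (certInformation != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The cached information corresponding the specified certficate is found.");
            }
        } else if (x509Certificate != null) {
            int errorCode = 0;
            String errorMessage = null;
            String subjectDn = x509Certificate.getSubjectDN().getName();
            String encodedSubjectDn = KeyInfo.X509Data.encodeDName(subjectDn);
            String issuerDn = x509Certificate.getIssuerDN().getName();
            String encodedIssuerDn = KeyInfo.X509Data.encodeDName(issuerDn);
            String serialNumber = x509Certificate.getSerialNumber().toString();
            long notAfterMillis = x509Certificate.getNotAfter().getTime();
            try {
                if (str3 == null) {
                    str3 = Base64.encode(x509Certificate.getEncoded());
                }
                // The validity-period check must sit inside this try block. Outside it, the
                // expired / not-yet-valid handlers below can never run and the checked
                // exception would leave the method undeclared instead of being recorded
                // as error code 1 in the cached entry.
                x509Certificate.checkValidity();
            } catch (CertificateEncodingException encodingFailure) {
                errorCode = 1;
                errorMessage = ConfigUtil.getMessage("security.wssecurity.X509BSToken.getBytes01", new String[]{str2});
            } catch (CertificateExpiredException expired) {
                errorCode = 1;
                errorMessage = ConfigUtil.getMessage("security.wssecurity.WSEC5181E", new String[]{subjectDn, str2, str, expired.getClass().getName() + ": " + expired.getMessage()});
            } catch (CertificateException invalid) {
                // Covers the remaining certificate failures, e.g. a not-yet-valid certificate.
                errorCode = 1;
                errorMessage = ConfigUtil.getMessage("security.wssecurity.WSEC5182E", new String[]{subjectDn, str2, str, invalid.getClass().getName() + ": " + invalid.getMessage()});
            }
            String keyIdBase64 = null;
            String keyId60Base64 = null;
            String keyIdHex = null;
            String keyId60Hex = null;
            // Identifiers are only derived for certificates that passed the checks above.
            if (errorCode == 0) {
                try {
                    byte[] keyId = makeIdentifier(x509Certificate, null);
                    keyIdBase64 = Base64.encode(keyId);
                    keyIdHex = Hex.encode(keyId);
                    byte[] keyId60 = makeIdentifier(x509Certificate, Constants.IT60SHA1);
                    keyId60Base64 = Base64.encode(keyId60);
                    keyId60Hex = Hex.encode(keyId60);
                } catch (InvalidAlgorithmParameterException badParameter) {
                    errorCode += 2;
                    errorMessage = ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier01") + ": " + badParameter.getClass() + ": " + badParameter.getMessage();
                } catch (NoSuchAlgorithmException noAlgorithm) {
                    errorCode += 2;
                    errorMessage = ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier01") + ": " + noAlgorithm.getClass().getName() + ": " + noAlgorithm.getMessage();
                }
            }
            certInformation = new CertInformation(str, str2, str3, subjectDn, encodedSubjectDn, issuerDn, encodedIssuerDn, serialNumber, keyIdBase64, keyId60Base64, keyIdHex, keyId60Hex, notAfterMillis, errorCode, errorMessage);
            map.put(x509Certificate, certInformation);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Added Certificate information: " + certInformation + ".");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getInfo(Map cert2info,String kspath,String alias,X509Certificate x509,byte[] binary) returns CertInformation[" + certInformation + "]");
        }
        return certInformation;
    }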

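    /**
     * Reads the key identifier from the certificate's {@code OID_KEYIDENTIFIER} extension.
     *
     * <p>{@code X509Certificate.getExtensionValue} returns the extension wrapped in a DER
     * OCTET STRING. This method drops the first four bytes of that value and returns the rest.
     * NOTE(review): the fixed four-byte skip presumably covers two nested tag/length pairs
     * with single-byte lengths; an identifier of 128 bytes or more would not fit that
     * assumption. Confirm against the certificates this is used with.
     *
     * @param certificate certificate to inspect; may be null
     * @return the extension bytes after the four-byte prefix, or null when the certificate is
     *         not an {@code X509Certificate}, has no such extension, or the extension value
     *         is shorter than the prefix
     */
    private static byte[] certToIdentifier(Certificate certificate) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "certToIdentifier(Certificate cert)");
        }
        byte[] bArr = null;
        if (certificate instanceof X509Certificate) {
            byte[] extensionValue = ((X509Certificate) certificate).getExtensionValue(OID_KEYIDENTIFIER);
            // A value shorter than the prefix used to fail with NegativeArraySizeException.
            // Treat it like a missing extension so the caller can fall back to hashing the
            // public key.
            if (extensionValue != null && extensionValue.length >= 4) {
                bArr = new byte[extensionValue.length - 4];
                System.arraycopy(extensionValue, 4, bArr, 0, bArr.length);
            }
        }
        // Emit the exit trace on every path, including the null result.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "certToIdentifier(Certificate cert)");
        }
        return bArr;
    }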

    /**
     * Derives a key identifier by hashing the key bits of the certificate's encoded public key.
     *
     * <p>The method walks the encoded key by hand: it skips the outer header, skips the next
     * element using its length field, expects a tag value of 3 (reported as BIT STRING in the
     * error message) and hashes everything after that element's header to the end of the array.
     * The digest is obtained from {@code AlgorithmFactory} under the xmldsig {@code #sha1} URI.
     *
     * <p>For a null {@code qName} or {@code Constants.ITSHA1} the full digest is returned. For
     * {@code Constants.IT60SHA1} an 8-byte value is returned: the high nibble of the first byte
     * is 0x4 and the remaining 60 bits come from the tail of the digest. This appears to match
     * the two subject-key-identifier derivations described in RFC 5280 section 4.2.1.2.
     *
     * <p>NOTE(review): none of the array offsets are range-checked, so a truncated or
     * unexpected encoding surfaces as {@code ArrayIndexOutOfBoundsException} rather than one
     * of the explicit errors below. The SHA-1 value is an identifier for locating a key, not
     * an integrity check; callers should not treat a match as proof that two keys are equal.
     *
     * @param certificate certificate whose public key is hashed; may be null
     * @param qName identifier type: null, {@code Constants.ITSHA1} or {@code Constants.IT60SHA1}
     * @return the identifier bytes, or null when {@code certificate} is null
     * @throws NoSuchAlgorithmException declared for the digest lookup
     * @throws InvalidAlgorithmParameterException declared for the digest lookup
     * @throws RuntimeException when the encoding does not have the expected layout
     * @throws IllegalArgumentException when {@code qName} is none of the supported types
     */
    private static byte[] pubkeyToIdentifier(Certificate certificate, QName qName) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        int i;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "pubkeyToIdentifier(Certificate cert,QName idty[" + qName + "])");
        }
        byte[] bArr = null;
        if (certificate != null) {
            byte[] encoded = certificate.getPublicKey().getEncoded();
            // The encoding must start with the SEQUENCE tag (BER_SEQUENCE is defined elsewhere
            // in this class).
            if (encoded[0] != BER_SEQUENCE) {
                throw new RuntimeException("Unknown encoded key: " + Hex.encode(encoded));
            }
            // First length byte of the outer element. If the high bit is set, the low 7 bits
            // give the number of additional length bytes to skip.
            int i2 = encoded[1] & 255;
            // i3 = offset of the first element inside the outer one.
            int i3 = (i2 & 128) == 0 ? 2 : 2 + (i2 & 127);
            // Length byte of that inner element. Its tag at encoded[i3] is not inspected.
            int i4 = encoded[i3 + 1] & 255;
            if ((i4 & 128) == 0) {
                // Short form: i4 is already the content length, content starts right after.
                i = i3 + 2;
            } else {
                // Long form: (i4 & 127) length bytes follow, starting at i5.
                int i5 = i3 + 2;
                i = i3 + 2 + (i4 & 127);
                // Rebuild the big-endian content length from 1 to 4 length bytes.
                switch (i4 & 127) {
                    case 1:
                        i4 = encoded[i5] & 255;
                        break;
                    case 2:
                        i4 = ((encoded[i5] & 255) << 8) + (encoded[i5 + 1] & 255);
                        break;
                    case 3:
                        i4 = ((encoded[i5] & 255) << 16) + ((encoded[i5 + 1] & 255) << 8) + (encoded[i5 + 2] & 255);
                        break;
                    case 4:
                        // NOTE(review): a first byte of 0x80 or above makes this int negative.
                        i4 = ((encoded[i5] & 255) << 24) + ((encoded[i5 + 1] & 255) << 16) + ((encoded[i5 + 2] & 255) << 8) + (encoded[i5 + 3] & 255);
                        break;
                    default:
                        throw new RuntimeException("Integer overflow: " + Hex.encode(encoded));
                }
            }
            // i6 = offset just past the inner element, where tag 3 is expected.
            int i6 = i + i4;
            if (encoded[i6] != 3) {
                throw new RuntimeException("Non BIT STRING: 0x" + Integer.toString(encoded[i6] & 255, 16));
            }
            int i7 = encoded[i6 + 1] & 255;
            // Skip the tag, the length byte(s) and one further byte, presumably the
            // unused-bits octet of the BIT STRING. i8 is where the hashed data starts.
            int i8 = i6 + ((i7 & 128) == 0 ? 3 : 3 + (i7 & 127));
            AlgorithmFactory algorithmFactory = AlgorithmFactory.getInstance();
            MessageDigest messageDigest = algorithmFactory.getMessageDigest("http://www.w3.org/2000/09/xmldsig#sha1", (AlgorithmParameterSpec) null);
            if (NamespaceUtil.equals(qName, Constants.ITSHA1) || qName == null) {
                // Full-digest identifier over everything from i8 to the end of the array.
                messageDigest.update(encoded, i8, encoded.length - i8);
                bArr = messageDigest.digest();
                algorithmFactory.releaseMessageDigest("http://www.w3.org/2000/09/xmldsig#sha1", messageDigest);
            } else {
                if (!NamespaceUtil.equals(qName, Constants.IT60SHA1)) {
                    // Hand the digest back to the factory before rejecting the type.
                    algorithmFactory.releaseMessageDigest("http://www.w3.org/2000/09/xmldsig#sha1", messageDigest);
                    throw new IllegalArgumentException("Internal Error: " + qName);
                }
                messageDigest.update(encoded, i8, encoded.length - i8);
                byte[] digest = messageDigest.digest();
                algorithmFactory.releaseMessageDigest("http://www.w3.org/2000/09/xmldsig#sha1", messageDigest);
                // 8-byte identifier: 0x4 in the high nibble, then the low nibble of the
                // eighth-from-last digest byte, then the last seven digest bytes unchanged.
                bArr = new byte[8];
                bArr[0] = (byte) (64 + (digest[digest.length - 8] & 15));
                System.arraycopy(digest, (digest.length - 8) + 1, bArr, 1, bArr.length - 1);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "pubkeyToIdentifier(Certificate cert,QName idty)");
        }
        return bArr;
    }

    /**
     * Produces the key identifier of the requested type for a certificate.
     *
     * <p>The identifier stored in the certificate (via {@code certToIdentifier}) is preferred.
     * It is replaced by one computed from the public key (via {@code pubkeyToIdentifier}) when
     * the certificate carries none, or when a type was requested and the stored value does not
     * have that type's length: 20 bytes for {@code Constants.ITSHA1}, 8 bytes for
     * {@code Constants.IT60SHA1}. With a null {@code qName} any stored identifier is accepted
     * regardless of length.
     *
     * @param certificate certificate to identify; may be null
     * @param qName requested identifier type, or null for no length requirement
     * @return the identifier bytes, or null when {@code certificate} is null
     * @throws NoSuchAlgorithmException propagated from {@code pubkeyToIdentifier}
     * @throws InvalidAlgorithmParameterException propagated from {@code pubkeyToIdentifier}
     * @throws IllegalArgumentException when {@code qName} is non-null and not a supported type
     */
    private static byte[] makeIdentifier(Certificate certificate, QName qName) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "makeIdentifier(Certificate cert,QName idty[" + qName + "])");
        }
        byte[] identifier = null;
        if (certificate != null) {
            identifier = certToIdentifier(certificate);
            if (qName == null) {
                // No type requested: only compute one when the certificate carries none.
                if (identifier == null) {
                    identifier = pubkeyToIdentifier(certificate, qName);
                }
            } else {
                final int requiredLength;
                if (NamespaceUtil.equals(qName, Constants.ITSHA1)) {
                    requiredLength = 20;
                } else if (NamespaceUtil.equals(qName, Constants.IT60SHA1)) {
                    requiredLength = 8;
                } else {
                    throw new IllegalArgumentException("Internal Error: " + qName);
                }
                // A stored identifier of the wrong size is discarded and recomputed.
                boolean usable = identifier != null && identifier.length == requiredLength;
                if (!usable) {
                    identifier = pubkeyToIdentifier(certificate, qName);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "makeIdentifier(Certificate cert,QName idty)");
        }
        return identifier;
    }
}
