package com.ibm.wsspi.wssecurity.keyinfo;

import com.ibm.ws.webservices.wssecurity.keyinfo.WSSKeyInfoComponent;
import com.ibm.ws.wssecurity.xss4j.dsig.KeyInfo;
import com.ibm.ws.wssecurity.xss4j.dsig.util.Base64;
import com.ibm.wsspi.webservices.rpc.handler.soap.SOAPMessageContext;
import com.ibm.wsspi.wssecurity.Constants;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.token.Token;
import com.ibm.wsspi.wssecurity.auth.token.X509BSToken;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.Hex;
import com.ibm.xml.soapsec.util.NamespaceUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Map;
import javax.xml.namespace.QName;

/* loaded from: input_file:com/ibm/wsspi/wssecurity/keyinfo/SignerCertKeyLocator.class */
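/**
 * {@link KeyLocator} that resolves the encrypting key from the certificate of the party that
 * signed the inbound request (the {@code REQUEST_CERT} property of the message context),
 * with the certificate of an {@link X509BSToken} as a secondary source. Besides returning the
 * key it records the (key, certificate) pair in the context map and, when no token is
 * available, derives the KeyInfo reference data (key name, key identifier, issuer name and
 * serial) from the certificate.
 *
 * <p>Only {@code KEY_ENCRYPTING} requests are served; any other key type is rejected.
 *
 * <p>The certificate this class works on arrives with the request, so the DER decoding done
 * here is bounds-checked and degrades to a public-key digest (or a clear exception) on
 * malformed input instead of failing with an array exception.
 *
 * <p>Instances hold no state; all work is done on the arguments.
 */
public class SignerCertKeyLocator implements KeyLocator {
    private static final String comp = "security.wssecurity";
    /** Length in octets of a SHA-1 key identifier (the full digest). */
    private static final int ITSHA1_OCTETS = 20;
    /** Length in octets of a 60-bit SHA-1 key identifier (0100 prefix + low 60 bits of the digest). */
    private static final int IT60SHA1_OCTETS = 8;
    /** OID of the SubjectKeyIdentifier certificate extension. */
    private static final String OID_KEYIDENTIFIER = "2.5.29.14";
    /** DER tag of SEQUENCE. */
    private static final byte BER_SEQUENCE = 48;
    /** DER tag of BIT STRING. */
    private static final byte BER_BITSTRING = 3;
    /** DER tag of OCTET STRING (both wrappers around a SubjectKeyIdentifier value). */
    private static final byte BER_OCTETSTRING = 4;
    private static final TraceComponent tc = Tr.register(SignerCertKeyLocator.class, "Web Services Security", "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    // FFDC probe prefix. Previously named X509TokenKeyLocator, which misattributed the traces emitted from setInfo().
    private static final String clsName = SignerCertKeyLocator.class.getName();

    /**
     * No-op: this locator has no configuration of its own to read.
     *
     * @param map the component configuration (ignored)
     * @throws SoapSecurityException never; declared by the {@code Initializable} contract
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSComponent, com.ibm.wsspi.wssecurity.Initializable
    public void init(Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init(Map map)");
            Tr.exit(tc, "init(Map map)");
        }
    }

    /**
     * Returns the public (encrypting) key of the request signer and records it in the context.
     *
     * @param map  the KeyInfo "type" map; read for {@code WSSECURITY_KEYINFO_TYPE} and
     *             {@code WSSECURITY_KEY_TYPE}, and updated by {@link #setInfo} with the reference data
     * @param map2 the context map; must hold the {@link SOAPMessageContext} under
     *             {@code WSSECURITY_MESSAGE_CONTEXT}; receives a (key, certificate) entry
     * @return the public key of the signer certificate (or of the X.509 token's certificate), never null on success
     * @throws SoapSecurityException if the key type is not {@code KEY_ENCRYPTING}, the message context
     *         is missing, the request carries no X.509 certificate, or a key identifier cannot be computed
     */
    @Override // com.ibm.wsspi.wssecurity.keyinfo.KeyLocator
    public Key getKey(Map map, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKey(Map type,Map context)");
        }
        SOAPMessageContext messageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        String keyInfoType = (String) map.get(Constants.WSSECURITY_KEYINFO_TYPE);
        // Without a configured KeyInfo type every reference style is off; setInfo() then only clears the reference entries.
        boolean isKeyName = keyInfoType != null && ConfigUtil.isKeyInfoKeyname(keyInfoType);
        boolean isKeyId = keyInfoType != null && ConfigUtil.isKeyInfoKeyid(keyInfoType);
        boolean isStrref = keyInfoType != null && ConfigUtil.isKeyInfoStrref(keyInfoType);
        boolean isEmb = keyInfoType != null && ConfigUtil.isKeyInfoEmb(keyInfoType);
        boolean isX509Issuer = keyInfoType != null && ConfigUtil.isKeyInfoX509issuer(keyInfoType);
        String keyType = (String) map.get(Constants.WSSECURITY_KEY_TYPE);
        // Fail before touching the message: this locator only hands out encryption (public) keys.
        if (!WSSKeyInfoComponent.KEY_ENCRYPTING.equals(keyType)) {
            throw SoapSecurityException.format("security.wssecurity.KeyStoreKeyLocator.getKey02", keyType);
        }
        Key publicKey = getPublicKey(isKeyName, isKeyId, isStrref, isEmb, isX509Issuer, messageContext, map, map2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKey(Map type, Map context) returns Key[" + publicKey + "]");
        }
        return publicKey;
    }

    /**
     * Resolves the public key from the request certificate, stores the (key, certificate) pair in the
     * context and, when no token is available, fills in the KeyInfo reference data.
     *
     * <p>{@link #getCertInRequest} throws rather than returning null, so as written the token branch
     * below can only contribute a key when that contract changes; it is kept as the documented fallback.
     *
     * @param isKeyName    KeyInfo uses a KeyName reference
     * @param isKeyId      KeyInfo uses a KeyIdentifier reference
     * @param isStrref     KeyInfo uses a SecurityTokenReference (direct) reference
     * @param isEmb        KeyInfo uses an embedded token
     * @param isX509Issuer KeyInfo uses an X509IssuerSerial reference
     * @param messageContext the inbound message context holding the request certificate
     * @param map          the KeyInfo "type" map, passed through to the token lookup
     * @param map2         the context map; receives the (key, certificate) entry and the reference data
     * @return the public key, or null if neither the request nor a token provided a certificate
     * @throws SoapSecurityException propagated from {@link #getCertInRequest} and {@link #setInfo}
     */
    private Key getPublicKey(boolean isKeyName, boolean isKeyId, boolean isStrref, boolean isEmb, boolean isX509Issuer, SOAPMessageContext messageContext, Map map, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPublicKey(boolean isKeyName[" + isKeyName + "],boolean isKeyId[" + isKeyId + "],boolean isStrref[" + isStrref + "],boolean isEmb[" + isEmb + "],boolean isX509[" + isX509Issuer + "],SOAPMessageContext messageContext,Map type,Map context)");
        }
        PublicKey publicKey = null;
        X509Certificate certInRequest = getCertInRequest(messageContext);
        if (certInRequest != null) {
            publicKey = certInRequest.getPublicKey();
            // Keyed by the Key object itself so later stages can look the certificate up from the key they hold.
            map2.put(publicKey, certInRequest);
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "(key, certificate) from request put in context");
            }
        }
        Token token = KeyStoreKeyLocator.getToken(isKeyName, isKeyId, isStrref, isEmb, isX509Issuer, map, map2);
        if (token == null) {
            setInfo(isKeyName, isKeyId, isStrref, isEmb, isX509Issuer, certInRequest, map2);
        } else if (token instanceof X509BSToken && certInRequest == null) {
            X509Certificate tokenCert = ((X509BSToken) token).getCert();
            if (tokenCert != null) {
                publicKey = tokenCert.getPublicKey();
                if (publicKey != null) {
                    map2.put(publicKey, tokenCert);
                    if (tc.isEntryEnabled()) {
                        Tr.debug(tc, "(key, certificate) from token put in context");
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPublicKey(boolean isKeyName,boolean isKeyId,boolean isStrref,boolean isEmb,boolean isX509,SOAPMessageContext messageContext,Map context) returns Key[" + publicKey + "]");
        }
        return publicKey;
    }

    /**
     * Reads the signer certificate that the request processing stored on the message context.
     *
     * @param messageContext the inbound message context; must not be null
     * @return the {@code REQUEST_CERT} property, never null
     * @throws SoapSecurityException if the context is null or the property is absent or not an {@link X509Certificate}
     */
    private X509Certificate getCertInRequest(SOAPMessageContext messageContext) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCertInRequest(SOAPMessageContext messageContext)");
        }
        if (messageContext == null) {
            throw SoapSecurityException.format("security.wssecurity.WSSGenerator.s01");
        }
        Object property = messageContext.getProperty(com.ibm.xml.soapsec.Constants.REQUEST_CERT);
        // instanceof also rejects a missing (null) property.
        if (!(property instanceof X509Certificate)) {
            throw SoapSecurityException.format("security.wssecurity.KeyStoreKeyLocator.setCertToSubject01");
        }
        X509Certificate cert = (X509Certificate) property;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCertInRequest(SOAPMessageContext messageContext) returns X509Certificate[" + cert + "]");
        }
        return cert;
    }

    /**
     * Derives the KeyInfo reference data for {@code cert} from the selected reference style and writes it
     * to the context, removing every reference entry the selected style does not produce.
     *
     * <p>For KeyIdentifier references the {@code WSSECURITY_KEY_ENCODING} (hex or base64) and
     * {@code WSSECURITY_KEY_IDTYPE} hints are consumed from the context. {@code WSSECURITY_KEY_EMBID}
     * and {@code WSSECURITY_KEY_REFERENCE} are always removed; STRREF and EMB are handled by the
     * token generator, not here.
     *
     * @param isKeyName    produce a KeyName (encoded subject DN)
     * @param isKeyId      produce a KeyIdentifier (SubjectKeyIdentifier or public-key digest)
     * @param isStrref     direct reference; nothing is produced
     * @param isEmb        embedded token; nothing is produced
     * @param isX509Issuer produce issuer name and serial number
     * @param cert         the certificate to describe; must not be null when isKeyName, isKeyId or isX509Issuer is set
     * @param map          the context map to update
     * @throws SoapSecurityException if the key identifier cannot be computed (digest algorithm unavailable)
     */
    private static void setInfo(boolean isKeyName, boolean isKeyId, boolean isStrref, boolean isEmb, boolean isX509Issuer, X509Certificate cert, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setInfo(boolean isKeyName[" + isKeyName + "],boolean isKeyId[" + isKeyId + "],boolean isStrref[" + isStrref + "],boolean isEmb[" + isEmb + "],boolean isX509[" + isX509Issuer + "],X509Certificate cert,Map context)");
        }
        String keyName = null;
        String keyId = null;
        String issuerName = null;
        String issuerSerial = null;
        if (isKeyName) {
            keyName = KeyInfo.X509Data.encodeDName(cert.getSubjectDN().getName());
        } else if (isKeyId) {
            // Consume the hints so they are not applied again downstream.
            QName encoding = (QName) map.remove(Constants.WSSECURITY_KEY_ENCODING);
            QName idType = (QName) map.remove(Constants.WSSECURITY_KEY_IDTYPE);
            // Only the 60-bit form is named explicitly; anything else selects the default (full SHA-1) identifier.
            QName identifierType = com.ibm.ws.webservices.wssecurity.Constants.IT60SHA1.equals(idType) ? com.ibm.ws.webservices.wssecurity.Constants.IT60SHA1 : null;
            boolean hexEncoding = com.ibm.ws.webservices.wssecurity.Constants.HEX_BINARY.equals(encoding);
            try {
                byte[] identifier = makeIdentifier(cert, identifierType);
                keyId = hexEncoding ? Hex.encode(identifier) : Base64.encode(identifier);
            } catch (InvalidAlgorithmParameterException e) {
                Tr.processException(e, clsName + ".setInfo", "288");
                Tr.error(tc, "security.wssecurity.KeyStoreKeyLocator.generateIdentifier01", new Object[]{e});
                throw SoapSecurityException.format("security.wssecurity.KeyStoreKeyLocator.generateIdentifier01", e);
            } catch (NoSuchAlgorithmException e) {
                Tr.processException(e, clsName + ".setInfo", "284");
                Tr.error(tc, "security.wssecurity.KeyStoreKeyLocator.generateIdentifier01", new Object[]{e});
                throw SoapSecurityException.format("security.wssecurity.KeyStoreKeyLocator.generateIdentifier01", e);
            }
        } else if (isStrref) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: TokenGenerator is responsible to set a X509 token to the Subject in case of STRREF.");
            }
        } else if (isEmb) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: TokenGenerator is responsible to set a X509 token to the Subject in case of EMB.");
            }
        } else if (isX509Issuer) {
            issuerName = KeyInfo.X509Data.encodeDName(cert.getIssuerDN().getName());
            issuerSerial = cert.getSerialNumber().toString();
        }
        putOrRemove(map, Constants.WSSECURITY_KEY_NAME, keyName);
        putOrRemove(map, Constants.WSSECURITY_KEY_ID, keyId);
        putOrRemove(map, Constants.WSSECURITY_KEY_ISSUERNAME, issuerName);
        putOrRemove(map, Constants.WSSECURITY_KEY_ISSUERSERIAL, issuerSerial);
        map.remove(Constants.WSSECURITY_KEY_EMBID);
        map.remove(Constants.WSSECURITY_KEY_REFERENCE);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setInfo(boolean isKeyName,boolean isKeyId,boolean isStrref,boolean isEmb,boolean isX509,X509Certificate cert,Map context)");
        }
    }

    /**
     * Stores {@code value} under {@code key}, or removes the entry when {@code value} is null, so a stale
     * value from an earlier reference style never survives.
     */
    private static void putOrRemove(Map map, Object key, String value) {
        if (value != null) {
            map.put(key, value);
        } else {
            map.remove(key);
        }
    }

    /**
     * Computes the key identifier for a certificate. The SubjectKeyIdentifier extension is preferred;
     * a digest of the public key is used when the extension is absent, cannot be decoded, or does not
     * have the length the requested identifier type demands.
     *
     * @param certificate the certificate; null yields null
     * @param qName       the identifier type: null or {@code ITSHA1} for the 20-octet SHA-1 form,
     *                    {@code IT60SHA1} for the 8-octet form
     * @return the identifier octets, or null when {@code certificate} is null
     * @throws IllegalArgumentException if {@code qName} is neither {@code ITSHA1} nor {@code IT60SHA1}
     * @throws NoSuchAlgorithmException if SHA-1 is unavailable
     * @throws InvalidAlgorithmParameterException declared for callers; not raised by this implementation
     */
    private static byte[] makeIdentifier(Certificate certificate, QName qName) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "makeIdentifier(Certificate cert,QName idty[" + qName + "])");
        }
        byte[] identifier = null;
        if (certificate != null) {
            identifier = certToIdentifier(certificate);
            if (qName == null) {
                // Untyped request: any SubjectKeyIdentifier is accepted as-is, whatever its length.
                if (identifier == null) {
                    identifier = pubkeyToIdentifier(certificate, null);
                }
            } else if (NamespaceUtil.equals(qName, com.ibm.ws.webservices.wssecurity.Constants.ITSHA1)) {
                if (identifier == null || identifier.length != ITSHA1_OCTETS) {
                    identifier = pubkeyToIdentifier(certificate, qName);
                }
            } else if (NamespaceUtil.equals(qName, com.ibm.ws.webservices.wssecurity.Constants.IT60SHA1)) {
                if (identifier == null || identifier.length != IT60SHA1_OCTETS) {
                    identifier = pubkeyToIdentifier(certificate, qName);
                }
            } else {
                throw new IllegalArgumentException("Internal Error: " + qName);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "makeIdentifier(Certificate cert,QName idty)");
        }
        return identifier;
    }

    /**
     * Extracts the SubjectKeyIdentifier value from an X.509 certificate.
     *
     * <p>{@link X509Certificate#getExtensionValue} returns the extnValue OCTET STRING, whose content is the
     * KeyIdentifier OCTET STRING; both headers are decoded (not skipped by a fixed offset) so long-form
     * lengths and truncated values are handled.
     *
     * @param certificate the certificate
     * @return the raw key identifier, or null if the certificate is not X.509, has no such extension,
     *         or the extension value is not two nested OCTET STRINGs
     */
    private static byte[] certToIdentifier(Certificate certificate) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "certToIdentifier(Certificate cert[" + certificate + "])");
        }
        byte[] identifier = null;
        if (certificate instanceof X509Certificate) {
            byte[] extensionValue = ((X509Certificate) certificate).getExtensionValue(OID_KEYIDENTIFIER);
            if (extensionValue != null) {
                identifier = unwrapKeyIdentifier(extensionValue);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "certToIdentifier(Certificate cert)");
        }
        return identifier;
    }

    /**
     * Strips the two OCTET STRING headers around a SubjectKeyIdentifier value.
     *
     * @return the inner content, or null when the bytes are not shaped as OCTET STRING { OCTET STRING }
     */
    private static byte[] unwrapKeyIdentifier(byte[] extensionValue) {
        int[] outer = readDerHeader(extensionValue, 0, BER_OCTETSTRING);
        if (outer == null) {
            return null;
        }
        int[] inner = readDerHeader(extensionValue, outer[0], BER_OCTETSTRING);
        if (inner == null) {
            return null;
        }
        return Arrays.copyOfRange(extensionValue, inner[0], inner[0] + inner[1]);
    }

    /**
     * Decodes one DER tag/length header.
     *
     * @param der         the encoding
     * @param offset      position of the tag octet
     * @param expectedTag the tag the element must carry
     * @return {@code {contentOffset, contentLength}}, or null when the tag differs, the length is
     *         indefinite or wider than 4 octets, or the element extends past the end of {@code der}
     */
    private static int[] readDerHeader(byte[] der, int offset, byte expectedTag) {
        if (der == null || offset < 0 || offset + 2 > der.length || der[offset] != expectedTag) {
            return null;
        }
        int first = der[offset + 1] & 0xFF;
        int contentOffset = offset + 2;
        int length = first;
        if ((first & 0x80) != 0) {
            int lengthOctets = first & 0x7F;
            // 0x80 (indefinite) and more than 4 length octets are not valid for the structures handled here.
            if (lengthOctets == 0 || lengthOctets > 4 || lengthOctets > der.length - contentOffset) {
                return null;
            }
            length = 0;
            for (int i = 0; i < lengthOctets; i++) {
                length = (length << 8) | (der[contentOffset + i] & 0xFF);
            }
            contentOffset += lengthOctets;
        }
        // Compare against the remaining room rather than adding, so a huge length cannot wrap around.
        if (length < 0 || length > der.length - contentOffset) {
            return null;
        }
        return new int[] {contentOffset, length};
    }

    /**
     * Derives a key identifier from the certificate's SubjectPublicKeyInfo.
     *
     * <p>The value of the {@code subjectPublicKey} BIT STRING (without tag, length and unused-bits octet)
     * is hashed with SHA-1. For {@code ITSHA1} (or null) the full 20-octet digest is returned; for
     * {@code IT60SHA1} the 8-octet form: the four-bit prefix 0100 followed by the low 60 bits of the digest.
     * SHA-1 is part of the definition of both identifier types and cannot be substituted here.
     *
     * @param certificate the certificate whose public key is digested
     * @param qName       null, {@code ITSHA1} or {@code IT60SHA1}
     * @return the identifier octets
     * @throws IllegalArgumentException if {@code qName} is unsupported or the encoded key is not a
     *         well-formed SubjectPublicKeyInfo
     * @throws NoSuchAlgorithmException if SHA-1 is unavailable
     */
    private static byte[] pubkeyToIdentifier(Certificate certificate, QName qName) throws NoSuchAlgorithmException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "pubkeyToIdentifier(Certificate cert[" + certificate + "],QName idty[" + qName + "])");
        }
        boolean sixtyBit;
        if (qName == null || NamespaceUtil.equals(qName, com.ibm.ws.webservices.wssecurity.Constants.ITSHA1)) {
            sixtyBit = false;
        } else if (NamespaceUtil.equals(qName, com.ibm.ws.webservices.wssecurity.Constants.IT60SHA1)) {
            sixtyBit = true;
        } else {
            throw new IllegalArgumentException("Internal Error: " + qName);
        }
        byte[] encoded = certificate.getPublicKey().getEncoded();
        if (encoded == null) {
            throw new IllegalArgumentException("Public key has no encoded form");
        }
        // SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier (a SEQUENCE), subjectPublicKey BIT STRING }
        int[] spki = readDerHeader(encoded, 0, BER_SEQUENCE);
        int[] algorithm = spki == null ? null : readDerHeader(encoded, spki[0], BER_SEQUENCE);
        if (algorithm == null) {
            throw new IllegalArgumentException("Unknown encoded key: " + Hex.encode(encoded));
        }
        int bitStringOffset = algorithm[0] + algorithm[1];
        int[] bitString = readDerHeader(encoded, bitStringOffset, BER_BITSTRING);
        // At least the unused-bits octet must be present.
        if (bitString == null || bitString[1] < 1) {
            throw new IllegalArgumentException("Non BIT STRING at offset " + bitStringOffset + ": " + Hex.encode(encoded));
        }
        MessageDigest sha1 = MessageDigest.getInstance("SHA");
        sha1.update(encoded, bitString[0] + 1, bitString[1] - 1);
        byte[] fullDigest = sha1.digest();
        byte[] identifier;
        if (!sixtyBit) {
            identifier = fullDigest;
        } else {
            identifier = new byte[IT60SHA1_OCTETS];
            identifier[0] = (byte) (0x40 | (fullDigest[fullDigest.length - IT60SHA1_OCTETS] & 0x0F));
            System.arraycopy(fullDigest, fullDigest.length - IT60SHA1_OCTETS + 1, identifier, 1, IT60SHA1_OCTETS - 1);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "pubkeyToIdentifier(Certificate cert,QName idty)");
        }
        return identifier;
    }
}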
