package com.ibm.ws.wssecurity.saml.security.impl;

import com.ibm.crypto.provider.AESKeySpec;
import com.ibm.ws.wssecurity.common.Constants;
import com.ibm.ws.wssecurity.common.WSSAlgorithmFactory;
import com.ibm.ws.wssecurity.saml.common.SAMLAssertion;
import com.ibm.ws.wssecurity.saml.config.impl.ProviderConfigImpl;
import com.ibm.ws.wssecurity.saml.config.impl.SamlConfigUtil;
import com.ibm.ws.wssecurity.trust.ext.client.ITrustConstants;
import com.ibm.ws.wssecurity.trust.ext.client.base.TrustProperties;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.util.WSSNonceGenerator;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.ws.wssecurity.xml.xss4j.enc.EncryptionContext;
import com.ibm.ws.wssecurity.xml.xss4j.enc.type.CipherData;
import com.ibm.ws.wssecurity.xml.xss4j.enc.type.CipherValue;
import com.ibm.ws.wssecurity.xml.xss4j.enc.type.EncryptedData;
import com.ibm.ws.wssecurity.xml.xss4j.enc.type.EncryptionMethod;
import com.ibm.ws.wssecurity.xml.xss4j.enc.type.KeyInfo;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.token.config.RequesterConfiguration;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.spec.AlgorithmParameterSpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNode;

/* loaded from: input_file:com/ibm/ws/wssecurity/saml/security/impl/EncryptedKeyGenerate.class */
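/**
 * Builds the XML-Encryption structures used to encrypt a SAML assertion:
 * a fresh symmetric content-encryption key wrapped for the recipient
 * ({@code xenc:EncryptedKey}) and the {@code xenc:EncryptedData} element that
 * carries the assertion ciphertext with that EncryptedKey embedded in its
 * {@code ds:KeyInfo}.
 *
 * <p>All methods are static. The only shared state is the trace component,
 * the OM factory and the algorithm factory, each created once at class load.
 * Every failure inside the crypto/XML plumbing is surfaced as a
 * {@link SoapSecurityException} that keeps the original exception as its
 * cause (the decompiled original passed {@code e.getCause()}, which is
 * frequently {@code null} and discarded the real failure).
 */
public class EncryptedKeyGenerate {
    private static final String comp = "security.wssecurity";
    /** Content-encryption algorithm applied when the RSTT carries none. */
    private static final String Default_Data_Encryption_Algorithm = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
    // NOTE(review): the standard XML Encryption key-wrap URIs are "kw-aes128",
    // "kw-aes192" and "kw-aes256" without a "-cbc" suffix. These identifiers are
    // kept byte-for-byte because WSSAlgorithmFactory presumably registers them;
    // confirm against the algorithm factory before relying on interoperability.
    protected static final String algorithmKwAes128 = "http://www.w3.org/2001/04/xmlenc#kw-aes128-cbc";
    protected static final String algorithmKwAes192 = "http://www.w3.org/2001/04/xmlenc#kw-aes192-cbc";
    protected static final String algorithmKwAes256 = "http://www.w3.org/2001/04/xmlenc#kw-aes256-cbc";
    protected static final String algorithmKwTripleDes = "http://www.w3.org/2001/04/xmlenc#kw-tripledes";
    protected static final String algorithmKwRsaOaep = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
    /** RSA PKCS#1 v1.5 key transport; only selected on explicit request, see getKeyWrapAlgorithm. */
    protected static final String algorithmKwRsa15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
    private static final TraceComponent tc = Tr.register(EncryptedKeyGenerate.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // The decompiled listing carried this field twice as the self-referencing
    // "clsName = clsName", which cannot compile. The field is unused in this
    // class, so the conventional value is restored; the original literal is
    // not recoverable from the listing.
    private static final String clsName = EncryptedKeyGenerate.class.getName();
    private static final OMFactory omFactory = OMAbstractFactory.getOMFactory();
    private static final WSSAlgorithmFactory _algorithmFactory = (WSSAlgorithmFactory) WSSAlgorithmFactory.getInstance();
    /** Local name of the SAML {@code EncryptedAssertion} wrapper element. */
    private static final String EncryptedAssertion = "EncryptedAssertion";

    /**
     * Generates a random content-encryption key and wraps it for the key
     * described by {@code keyInformation}.
     *
     * <p>The data-encryption algorithm is read from the RSTT
     * {@code ENCRYPTIONALGORITHM} property and defaults to
     * {@link #Default_Data_Encryption_Algorithm} when absent (the original
     * would have thrown a NullPointerException from getKeyWrapAlgorithm /
     * SecretKeySpec in that case). The key length comes from the RSTT
     * {@code KEYSIZE} property (bits, must be a positive multiple of 8) or,
     * when absent, from the algorithm URI.
     *
     * @param requesterConfig supplies the RSTT properties and the KeyInfo type
     *                        used to reference the wrapping key
     * @param keyInformation  recipient key material; its public or secret key
     *                        performs the wrap and its KeyInfo identifies it
     * @param z               {@code true} when the recipient key is symmetric
     *                        (AES / Triple-DES key wrap), {@code false} for RSA
     *                        key transport
     * @return the populated EncryptedKey (element plus the clear key it wraps)
     * @throws SoapSecurityException on any failure; the original exception is
     *                               preserved as the cause
     */
    public static SAMLEncryptedKey generateEncryptedKey(RequesterConfig requesterConfig, KeyStoreManager.KeyInformation keyInformation, boolean z) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "generateEncryptedKey");
        }
        Map<String, String> rsttProperties = requesterConfig.getRSTTProperties();
        String dataEncAlgorithm = rsttProperties == null ? null : rsttProperties.get(RequesterConfiguration.RSTT.ENCRYPTIONALGORITHM);
        if (dataEncAlgorithm == null) {
            // Same fallback GenerateEncryptedData applies, so both paths agree.
            dataEncAlgorithm = Default_Data_Encryption_Algorithm;
        }
        String keyWrapAlgorithm = getKeyWrapAlgorithm(dataEncAlgorithm, z);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Key wrap Encryption Algorithm : " + keyWrapAlgorithm);
        }
        EncryptionContext encryptionContext = new EncryptionContext();
        encryptionContext.setAlgorithmFactory(_algorithmFactory);
        encryptionContext.setEncAlgorithm(keyWrapAlgorithm);
        SAMLEncryptedKey encryptedKey = new SAMLEncryptedKey();
        encryptedKey.setEncryptionMethod(createEncryptionMethod(keyWrapAlgorithm, _algorithmFactory));
        encryptedKey.setCipherData(createCipherData());
        try {
            encryptedKey.setKeyInfo(createKeyInfo(KeyInfoUtil.createKeyInfoContent(requesterConfig.getEncryptionKeyInfoType(), null, keyInformation, null)));
            OMElement encryptedKeyElement = encryptedKey.createElement(omFactory, (OMElement) null);
            Key wrappingKey = keyInformation.getPublicOrSecretKey();
            // The original primes the context with a throw-away EncryptedData
            // carrying the data-encryption method before re-pointing it at the
            // EncryptedKey element; that call order is preserved.
            EncryptedData encryptedData = new EncryptedData();
            encryptedData.setEncryptionMethod(createEncryptionMethod(dataEncAlgorithm, _algorithmFactory));
            encryptedData.setCipherData(createCipherData());
            encryptionContext.setEncryptedType(encryptedData.createElement(omFactory, (OMElement) null), (String) null, (OMElement) null, (OMElement) null);
            int keyLengthBytes = resolveKeyLengthBytes(rsttProperties, dataEncAlgorithm);
            // NOTE(review): the content key is only as strong as this source;
            // WSSNonceGenerator is assumed to be backed by a CSPRNG — confirm.
            SecretKeySpec clearKey = new SecretKeySpec(WSSNonceGenerator.generateBytes(keyLengthBytes), dataEncAlgorithm);
            encryptionContext.setEncryptedType(encryptedKeyElement, (String) null, (OMElement) null, (OMElement) null);
            encryptionContext.setData(clearKey);
            encryptionContext.setKey(wrappingKey);
            encryptionContext.encrypt();
            encryptedKey.setClearKey(clearKey);
            encryptedKey.setEncryptedKeyElement(encryptedKeyElement);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "generateEncryptedKey returns [" + ConfigUtil.getObjType(encryptedKey) + "]");
            }
            return encryptedKey;
        } catch (Exception e) {
            // Keep e itself as the cause so the stack trace and failure type survive.
            throw new SoapSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the content-encryption key length in bytes.
     *
     * <p>An explicit RSTT {@code KEYSIZE} (in bits) wins and must be a positive
     * multiple of 8; the original silently truncated odd sizes with integer
     * division. Without it the length is derived from the algorithm URI so
     * that the default is consistent with {@link #Default_Data_Encryption_Algorithm}
     * (AES-256-CBC needs a 32-byte key; the former fixed default of 16 bytes
     * produced an undersized key for it).
     *
     * @throws NumberFormatException    when KEYSIZE is not an integer
     * @throws IllegalArgumentException when KEYSIZE is not a positive multiple of 8
     */
    private static int resolveKeyLengthBytes(Map<String, String> rsttProperties, String dataEncAlgorithm) {
        String keySize = rsttProperties == null ? null : rsttProperties.get(RequesterConfiguration.RSTT.KEYSIZE);
        if (keySize == null) {
            return defaultKeyLengthBytes(dataEncAlgorithm);
        }
        int bits = Integer.parseInt(keySize);
        if (bits <= 0 || bits % 8 != 0) {
            throw new IllegalArgumentException("Invalid KeySize [" + keySize + "]: must be a positive multiple of 8 bits");
        }
        return bits / 8;
    }

    /** Key length in bytes implied by an xmlenc data-encryption URI; 16 is the historical default. */
    private static int defaultKeyLengthBytes(String dataEncAlgorithm) {
        if (dataEncAlgorithm.contains("aes256")) {
            return 32;
        }
        if (dataEncAlgorithm.contains("aes192")) {
            return 24;
        }
        return 16;
    }

    /**
     * Wraps an already-built KeyInfo content element in a {@link KeyInfo} type.
     *
     * @param oMElement the KeyInfo child (e.g. a SecurityTokenReference)
     * @return a KeyInfo containing exactly that element
     */
    public static KeyInfo createKeyInfo(OMElement oMElement) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createKeyInfo(OMElement keyInfo)");
        }
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.addElement(oMElement);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createKeyInfo(OMElement keyInfo) returns KeyInfo[" + keyInfo + "]");
        }
        return keyInfo;
    }

    /**
     * Builds a {@code wsse:SecurityTokenReference} holding a base64 SHA-1
     * thumbprint {@code wsse:KeyIdentifier} for the given key.
     *
     * <p>Best effort: on failure an error is logged (the exception detail at
     * debug level) and whatever was built so far is returned, which may be
     * {@code null} or an element lacking the thumbprint. Callers must not
     * treat a non-null result as proof of a complete key reference.
     */
    public static OMElement getKeyInfo(KeyStoreManager.KeyInformation keyInformation) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyInfo");
        }
        OMElement strElement = null;
        try {
            String wsseNs = Constants.NAMESPACES[0][0];
            strElement = omFactory.createOMElement("SecurityTokenReference", wsseNs, "wsse");
            strElement.declareNamespace(wsseNs, "wsse");
            OMElement keyIdentifier = omFactory.createOMElement("KeyIdentifier", wsseNs, "wsse");
            DOMUtils.setQNameAttr(keyIdentifier, null, "EncodingType", Constants.BASE64_BINARY, 0);
            DOMUtils.setQNameAttr(keyIdentifier, null, "ValueType", Constants.THUMBPRINTSHA1, 0);
            strElement.addChild(keyIdentifier);
            keyIdentifier.addChild(omFactory.createOMText(keyInformation.getB64Thumbprint()));
        } catch (Exception e) {
            Tr.error(tc, "Fail to generate keyInfo for the EncryptedKey.");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getKeyInfo failed: " + e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyInfo returns [" + DOMUtils.getDisplayName((OMNode) strElement) + "]");
        }
        return strElement;
    }

    /**
     * Creates an empty {@code xenc:CipherData} with an empty
     * {@code xenc:CipherValue}; the EncryptionContext fills the value in
     * when it encrypts.
     */
    public static CipherData createCipherData() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createCipherData()");
        }
        CipherData cipherData = new CipherData();
        cipherData.setCipherValue(new CipherValue());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createCipherData() returns CipherData[" + cipherData + "]");
        }
        return cipherData;
    }

    /**
     * Creates an {@code xenc:EncryptionMethod} for the given algorithm URI,
     * attaching algorithm parameters when the factory yields any.
     *
     * @param str                 algorithm URI
     * @param wSSAlgorithmFactory factory used to convert (empty) parameters
     * @return the populated EncryptionMethod
     * @throws SoapSecurityException if the algorithm is unknown to the factory
     *                               or its parameters are invalid; the
     *                               original exception is the cause
     */
    public static EncryptionMethod createEncryptionMethod(String str, WSSAlgorithmFactory wSSAlgorithmFactory) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createEncryptionMethod(AlgorithmConfig encAlgorithm[" + str + "],WSSAlgorithmFactory factory[" + wSSAlgorithmFactory + "])");
        }
        EncryptionMethod encryptionMethod = new EncryptionMethod();
        encryptionMethod.setAlgorithm(str);
        try {
            AlgorithmParameterSpec parameterSpec = wSSAlgorithmFactory.convertParameter(str, new HashMap());
            if (parameterSpec != null) {
                encryptionMethod.setParameterSpec(wSSAlgorithmFactory, parameterSpec);
            }
        } catch (InvalidAlgorithmParameterException e) {
            throw new SoapSecurityException(e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new SoapSecurityException(e.getMessage(), e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createEncryptionMethod(AlgorithmConfig aconfig,WSSAlgorithmFactory factory) returns EncryptionMethod[" + encryptionMethod + "]");
        }
        return encryptionMethod;
    }

    /**
     * Chooses the key-wrap / key-transport algorithm URI for the recipient key.
     *
     * <p>Selection is by substring match on {@code str}: "Basic256",
     * "Basic192" and the default suite name pick the matching AES key wrap for
     * a symmetric key, anything else falls back to Triple-DES key wrap; for an
     * RSA key "Rsa15" picks PKCS#1 v1.5, otherwise RSA-OAEP.
     *
     * @param str data-encryption algorithm or algorithm-suite string from the
     *            RSTT; {@code null} is treated as "no match" and yields the
     *            default for the key type (the original threw a
     *            NullPointerException)
     * @param z   {@code true} for a symmetric recipient key, {@code false} for RSA
     * @return the selected algorithm URI
     */
    public static String getKeyWrapAlgorithm(String str, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyWrapAlgorithm");
        }
        String suite = str == null ? "" : str;
        String selected;
        if (z) {
            if (suite.contains("Basic256")) {
                selected = algorithmKwAes256;
            } else if (suite.contains("Basic192")) {
                selected = algorithmKwAes192;
            } else if (suite.contains(ITrustConstants.ALGORITHM_SUITE_DEFAULT)) {
                selected = algorithmKwAes128;
            } else {
                selected = algorithmKwTripleDes;
            }
        } else if (suite.contains("Rsa15")) {
            // RSA PKCS#1 v1.5 key transport is exposed to Bleichenbacher-style
            // padding-oracle attacks and is discouraged by XML Encryption 1.1.
            // It is honoured only when the configuration asks for it explicitly;
            // RSA-OAEP is the default below.
            selected = algorithmKwRsa15;
        } else {
            selected = algorithmKwRsaOaep;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyWrapAlgorithm returns [" + selected + "]");
        }
        return selected;
    }

    /**
     * Encrypts {@code oMElement} into an {@code xenc:EncryptedData} whose
     * {@code ds:KeyInfo} carries the RSA-wrapped content key.
     *
     * <p>The wrapping key alias is the requester's AppliesTo alias, falling
     * back to the provider's encrypting alias. The content key produced by
     * {@link #generateEncryptedKey} is re-typed as an AES key and used to
     * encrypt the element.
     *
     * @param requesterConfig RSTT properties and AppliesTo alias
     * @param providerConfig  issuer configuration (expected to be a
     *                        {@link ProviderConfigImpl}; any other
     *                        implementation fails with ClassCastException)
     * @param str             Id assigned to the EncryptedData element
     * @param oMElement       the element to encrypt
     * @param oMElement2      intended parent; when non-null its OM factory is
     *                        used so the result can be attached directly
     * @return the encrypted element as produced by the EncryptionContext
     * @throws SoapSecurityException on any failure; the original exception is
     *                               preserved as the cause
     */
    public static OMElement GenerateEncryptedData(RequesterConfig requesterConfig, ProviderConfig providerConfig, String str, OMElement oMElement, OMElement oMElement2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "GenerateEncryptedData");
        }
        try {
            OMFactory factory = oMElement2 == null ? omFactory : oMElement2.getOMFactory();
            String alias = requesterConfig.getKeyAliasForAppliesTo();
            if (alias == null) {
                alias = ((ProviderConfigImpl) providerConfig).getEncryptingAlias();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "alias[" + alias + "]");
            }
            // false: the recipient key is an RSA key, so this is key transport.
            SAMLEncryptedKey wrappedKey = generateEncryptedKey(requesterConfig, SamlConfigUtil.getRequesterKeyInformation(providerConfig, alias), false);
            // Re-type the random key bytes as an AES key for the content cipher.
            // NOTE(review): the provider name is hard-coded to IBMJCE.
            SecretKey contentKey = SecretKeyFactory.getInstance("AES", "IBMJCE").generateSecret(new AESKeySpec(wrappedKey.getClearKey().getEncoded()));
            String dataEncAlgorithm = requesterConfig.getRSTTProperties().get(RequesterConfiguration.RSTT.ENCRYPTIONALGORITHM);
            if (dataEncAlgorithm == null) {
                dataEncAlgorithm = Default_Data_Encryption_Algorithm;
            }
            EncryptionContext encryptionContext = new EncryptionContext();
            encryptionContext.setAlgorithmFactory(_algorithmFactory);
            // NOTE(review): the context is handed the key-transport URI while the
            // EncryptedData element below carries the data-encryption URI. Kept
            // as in the original on the assumption that the context takes the
            // effective algorithm from the element's EncryptionMethod — confirm
            // against EncryptionContext before changing either.
            encryptionContext.setEncAlgorithm(getKeyWrapAlgorithm(dataEncAlgorithm, false));
            encryptionContext.setData(oMElement);
            EncryptedData encryptedData = new EncryptedData();
            encryptedData.setEncryptionMethod(createEncryptionMethod(dataEncAlgorithm, _algorithmFactory));
            encryptedData.setCipherData(createCipherData());
            encryptedData.setId(str);
            encryptedData.setType(EncryptedData.ELEMENT);
            OMElement encryptedDataElement = encryptedData.createElement(factory, (OMElement) null);
            OMElement keyInfoElement = factory.createOMElement("KeyInfo", Constants.NS_DSIG, "ds");
            keyInfoElement.declareNamespace(Constants.NS_DSIG, "ds");
            keyInfoElement.addChild(wrappedKey.getEncryptedKeyElement());
            // The xenc:EncryptedType content model orders KeyInfo before CipherData.
            DOMUtils.getOneChildElement(encryptedDataElement, Constants.NS_ENC, TrustProperties.LocalNames.xenc.CipherData).insertSiblingBefore(keyInfoElement);
            // (The original constructed an unused KeyInfo wrapper here; dropped.)
            encryptionContext.setKey(contentKey);
            encryptionContext.setEncryptedType(encryptedDataElement, (String) null, (OMElement) null, (OMElement) null);
            encryptionContext.encrypt();
            OMElement result = encryptionContext.getEncryptedTypeAsElement();
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "GenerateEncryptedData returns [" + ConfigUtil.getObjType(result) + "]");
            }
            return result;
        } catch (Exception e) {
            throw new SoapSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Wraps the assertion in a {@code saml:EncryptedAssertion} element when
     * either the requester or the issuer configuration asks for encryption.
     *
     * @param requesterConfig requester settings (isEncryptSAML)
     * @param providerConfig  issuer settings; expected to be a
     *                        {@link ProviderConfigImpl}
     * @param sAMLAssertion   the assertion whose XML is encrypted; its Id is
     *                        reused as the EncryptedData Id
     * @return the EncryptedAssertion element, or {@code null} when neither
     *         side requests encryption
     * @throws SoapSecurityException propagated from GenerateEncryptedData
     */
    public static OMElement generateEncryptedAssertion(RequesterConfig requesterConfig, ProviderConfig providerConfig, SAMLAssertion sAMLAssertion) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "generateEncryptedAssertion");
        }
        boolean requesterWantsEncryption = requesterConfig.isEncryptSAML();
        boolean issuerWantsEncryption = ((ProviderConfigImpl) providerConfig).isEncryptSAML();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "requester.isEncryptSAML[" + requesterWantsEncryption + "]");
            Tr.debug(tc, "issuerConfig.isEncryptSAML[" + issuerWantsEncryption + "]");
        }
        OMElement encryptedAssertion = null;
        if (requesterWantsEncryption || issuerWantsEncryption) {
            String assertionId = sAMLAssertion.getSamlID();
            OMElement assertionXml = sAMLAssertion.getXML();
            // Same namespace as the assertion itself, default (empty) prefix.
            encryptedAssertion = omFactory.createOMElement(EncryptedAssertion, sAMLAssertion.getAssertionQName().getNamespaceURI(), "");
            encryptedAssertion.addChild(GenerateEncryptedData(requesterConfig, providerConfig, assertionId, assertionXml, encryptedAssertion));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "generateEncryptedAssertion returns [" + ConfigUtil.getObjType(encryptedAssertion) + "]");
        }
        return encryptedAssertion;
    }
}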
