package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.XMLStructure;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.ws.wssecurity.saml.assertion.wssapi.SAMLAssertionBuilder;
import com.ibm.ws.wssecurity.saml.assertion.wssapi.SAMLAssertionParser;
import com.ibm.ws.wssecurity.saml.assertion.wssapi.SAMLAssertionVerifier;
import com.ibm.ws.wssecurity.saml.common.SAML11Constants;
import com.ibm.ws.wssecurity.saml.common.SAMLAssertion;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.saml.config.impl.RequesterConfigImpl;
import com.ibm.ws.wssecurity.saml.saml11.assertion.utils.SAMLTokenBuilder;
import com.ibm.ws.wssecurity.saml.security.impl.EncryptedDataConsumer;
import com.ibm.ws.wssecurity.saml.security.impl.SAMLSignatureVerification;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.util.WSSecurityFactoryBuilder;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.core.token.config.RequesterConfiguration;
import com.ibm.wsspi.wssecurity.core.token.config.WSSConstants;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import org.apache.axiom.om.OMElement;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/SAML11TokenFactoryImpl.class */
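/**
 * SAML 1.1 flavour of {@link SAMLTokenFactoryImpl}.
 * <p>
 * Responsibilities visible in this class:
 * <ul>
 *   <li>build the WS-Trust {@link RequesterConfig} used to request a SAML 1.1
 *       assertion for each subject-confirmation method (bearer, sender-vouches,
 *       symmetric and asymmetric holder-of-key);</li>
 *   <li>issue a locally signed SAML 1.1 token from credential/requester/provider
 *       configuration ({@link #newSAMLToken(CredentialConfig, RequesterConfig, ProviderConfig)});</li>
 *   <li>consume an inbound SAML 1.1 token: decrypt if needed, parse, validate and
 *       (when configured) verify the assertion signature
 *       ({@link #newSAMLToken(ConsumerConfig, XMLStructure)}).</li>
 * </ul>
 * Both {@code newSAMLToken} overloads first perform a SecurityManager check with
 * {@code GET_NEWSAMLTOKEN_PERM} (declared outside this class, presumably in the
 * superclass). The platform token implementation is resolved once, when this
 * class is loaded, via {@code WSSecurityFactoryBuilder}.
 */
public class SAML11TokenFactoryImpl extends SAMLTokenFactoryImpl {
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc = Tr.register(SAML11TokenFactoryImpl.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.samlmessages");
    private static final String clsName = SAML11TokenFactoryImpl.class.getName();
    // Platform-specific SAML 1.1 token implementation, resolved once per class load.
    private static final String _factoryKey = (String) WSSecurityFactoryBuilder.getImplClassName("com.ibm.ws.wssecurity.platform.SAML11Token");
    private static final TokenFactory _tokenFactory = TokenFactoryFactory.getTokenFactory(_factoryKey);

    /** WSS SAML Token Profile 1.1 TokenType URI shared by every generate config. */
    private static final String SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    /** WS-Trust 1.3 KeyType URIs. */
    private static final String KEYTYPE_BEARER = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
    private static final String KEYTYPE_SYMMETRIC = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    private static final String KEYTYPE_PUBLIC = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";

    /** Creates the factory; only emits entry/exit trace records. */
    public SAML11TokenFactoryImpl() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "SAML11TokenFactoryImpl()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "SAML11TokenFactoryImpl()");
        }
    }

    /**
     * Obtains an empty SAML 1.1 token from the platform token factory and tags it
     * with the given value type.
     *
     * @param str the WS-Security value type URI to set on the token
     * @return a new, otherwise unpopulated {@link SAML11TokenImpl}
     * @throws WSSException propagated from the underlying token factory
     */
    public SAMLTokenImpl newSecurityToken(String str) throws WSSException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "newSecurityToken(" + str + ")");
        }
        SAML11TokenImpl token = (SAML11TokenImpl) _tokenFactory.getToken(true);
        token.setValueType(str);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "newSecurityToken(" + str + ")");
        }
        return token;
    }

    @Override // com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    public RequesterConfig newBearerTokenGenerateConfig() {
        return buildGenerateConfig("newBearerTokenGenerateConfig()", KEYTYPE_BEARER, SAML11Constants._BEARER);
    }

    @Override // com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    public RequesterConfig newSenderVouchesTokenGenerateConfig() {
        // Sender-vouches carries no key, so the WS-Trust KeyType is Bearer as well.
        return buildGenerateConfig("newSenderVouchesTokenGenerateConfig()", KEYTYPE_BEARER, SAML11Constants._SENDER_VOUCHES);
    }

    @Override // com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    public RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig() {
        return buildGenerateConfig("newSymmetricHolderOfKeyTokenGenerateConfig()", KEYTYPE_SYMMETRIC, SAML11Constants._HOLDER_OF_KEY);
    }

    @Override // com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    public RequesterConfig newAsymmetricHolderOfKeyTokenGenerateConfig() {
        return buildGenerateConfig("newAsymmetricHolderOfKeyTokenGenerateConfig()", KEYTYPE_PUBLIC, SAML11Constants._HOLDER_OF_KEY);
    }

    /**
     * Builds the {@link RequesterConfig} for one subject-confirmation method.
     * Every variant sets the same three values in the same order: the WS-Trust
     * KeyType RSTT property, the SAML confirmation method, then the SAML 1.1
     * TokenType RSTT property.
     *
     * @param method             method name used for the entry/exit trace records
     * @param keyType            WS-Trust 1.3 KeyType URI
     * @param confirmationMethod SAML 1.1 subject-confirmation method constant
     * @return the populated requester configuration
     */
    private static RequesterConfig buildGenerateConfig(String method, String keyType, String confirmationMethod) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, method);
        }
        RequesterConfigImpl config = new RequesterConfigImpl();
        config.getRSTTProperties().put(RequesterConfiguration.RSTT.KEYTYPE, keyType);
        config.setConfirmationMethod(confirmationMethod);
        config.getRSTTProperties().put(RequesterConfiguration.RSTT.TOKENTYPE, SAML11_TOKEN_TYPE);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, method);
        }
        return config;
    }

    /**
     * Enforces the {@code GET_NEWSAMLTOKEN_PERM} permission when a SecurityManager
     * is installed; a no-op otherwise.
     *
     * @throws SecurityException if the caller lacks the permission
     */
    private void checkNewSamlTokenPermission() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(GET_NEWSAMLTOKEN_PERM);
        }
    }

    /**
     * Converts the exception wrapped by a {@link PrivilegedActionException} into
     * the API exception type, keeping the wrapped exception itself as the cause so
     * its stack trace survives (the original code chained only its cause).
     *
     * @param e exception raised by a {@code doPrivileged} block
     * @return the {@link WSSException} to throw
     */
    private static WSSException toWSSException(PrivilegedActionException e) {
        Exception wrapped = e.getException();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "caught exception calling doPrivileged method: " + wrapped.getMessage());
        }
        return new WSSException(wrapped.getMessage(), wrapped);
    }

    /**
     * Issues a locally signed SAML 1.1 token.
     * <p>
     * If either {@code requesterConfig} or {@code providerConfig} is null, or if
     * the assertion builder returns null, an empty token carrying only the SAML
     * 1.1 value type is returned instead of failing. The assertion is built in a
     * {@code doPrivileged} block.
     *
     * @param credentialConfig credential data for the assertion subject (may be null; passed through to the builder)
     * @param requesterConfig  requester-side configuration
     * @param providerConfig   issuer-side configuration (signing key etc. are resolved by the builder)
     * @return the token wrapping the signed assertion, or an empty typed token as described above
     * @throws WSSException if the builder or token creation fails
     */
    @Override // com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    public SAMLToken newSAMLToken(final CredentialConfig credentialConfig, final RequesterConfig requesterConfig, final ProviderConfig providerConfig) throws WSSException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "newSAMLToken( CredentialConfig, RequesterConfig, ProviderConfig)");
        }
        checkNewSamlTokenPermission();
        try {
            String valueType = WSSConstants.SAML.SAML11_VALUE_TYPE;
            SAMLTokenImpl emptyToken = newSecurityToken(valueType);
            if (requesterConfig == null || providerConfig == null) {
                // Nothing can be issued without both configs: return the empty, typed token.
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "newSAMLToken( CredentialConfig, RequesterConfig, ProviderConfig): case of null requester or provider config data");
                }
                return emptyToken;
            }
            try {
                SAMLAssertion assertion = (SAMLAssertion) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws SoapSecurityException {
                        return SAMLAssertionBuilder.createSignedSAMLAssertion(providerConfig, requesterConfig, credentialConfig);
                    }
                });
                if (assertion == null) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "SAMLAssertionBuilder.createSignedSAMLAssertion returned a null object");
                    }
                    return newSecurityToken(valueType);
                }
                SAML11TokenImpl token = SAMLTokenBuilder.createSAMLToken(assertion);
                // The token id mirrors the assertion's own AssertionID.
                token.setId(token.getSamlID());
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "newSAMLToken( CredentialConfig, RequesterConfig, ProviderConfig)");
                }
                return token;
            } catch (PrivilegedActionException e) {
                throw toWSSException(e);
            }
        } catch (WSSException e) {
            // Already the API exception type; do not re-wrap and lose the original.
            throw e;
        } catch (Exception e2) {
            throw new WSSException(e2.getMessage(), e2);
        }
    }

    /**
     * Consumes an inbound SAML 1.1 token.
     * <p>
     * Processing order:
     * <ol>
     *   <li>if the element is {@code EncryptedData} or {@code EncryptedAssertion}
     *       it is decrypted first (for {@code EncryptedAssertion} the first child
     *       element is the {@code EncryptedData} that gets decrypted);</li>
     *   <li>the (decrypted) element is parsed in a {@code doPrivileged} block and
     *       {@code validate()}d; a null or invalid assertion raises WSSML2039E;</li>
     *   <li>only when {@code consumerConfig} is non-null and
     *       {@code isAssertionSignatureRequired()} is true is the signature
     *       verified, using the key for {@code getAliasForTokenProvider()} from
     *       the trust store (if an alias is configured) and the trust store
     *       itself unless {@code trustAnySTS()} is set, in which case no key
     *       store is handed to the verifier. A failed verification raises
     *       WSSML2040E.</li>
     * </ol>
     * The signer certificate recorded by the verifier is attached to the returned
     * token; when signature verification is not required it is therefore null.
     * <p>
     * NOTE(review): {@code consumerConfig} is only null-checked before the
     * signature step; the decrypt and parse helpers receive it as-is.
     *
     * @param consumerConfig consumer-side configuration (trust store, signature policy)
     * @param xMLStructure   the inbound element; expected to be an {@link OMStructure}
     * @return the token wrapping the parsed assertion
     * @throws WSSException on decryption, parse, validation or signature-verification failure
     */
    @Override // com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory
    public SAMLToken newSAMLToken(final ConsumerConfig consumerConfig, XMLStructure xMLStructure) throws WSSException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "newSAMLToken( ConsumerConfig, XMLStructure)");
        }
        checkNewSamlTokenPermission();
        try {
            OMElement node = ((OMStructure) xMLStructure).getNode();
            String localName = node.getLocalName();
            if ("EncryptedData".equals(localName) || "EncryptedAssertion".equals(localName)) {
                if ("EncryptedAssertion".equals(localName)) {
                    // <EncryptedAssertion> wraps the <EncryptedData>; descend before decrypting.
                    node = DOMUtils.getFirstChildElement(node);
                }
                node = EncryptedDataConsumer.DecryptEncryptedData(node, consumerConfig);
            }
            final OMElement assertionElement = node;
            try {
                SAMLAssertion assertion = (SAMLAssertion) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws SoapSecurityException {
                        return SAMLAssertionParser.parseSAML(assertionElement, consumerConfig);
                    }
                });
                boolean valid = false;
                if (assertion != null) {
                    valid = assertion.validate();
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLAssertionParser.parseSAML doPrivileged block returned a null object");
                }
                if (!valid) {
                    throw new WSSException(MessageHelper.getMessage("security.wssecurity.WSSML2039E"));
                }
                // Filled by the verifier (e.g. the signer certificate); left raw because the
                // verifier's parameter type is not visible from this class.
                HashMap verificationResults = new HashMap();
                if (consumerConfig != null && consumerConfig.isAssertionSignatureRequired()) {
                    KeyStoreConfig trustStoreConfig = consumerConfig.getTrustStoreConfig();
                    KeyStoreManager keyStoreManager = KeyStoreManager.getInstance();
                    KeyStoreManager.KeyInformation keyInformation = null;
                    String providerAlias = consumerConfig.getAliasForTokenProvider();
                    if (providerAlias != null && !providerAlias.isEmpty()) {
                        keyInformation = keyStoreManager.getKeyInformation(trustStoreConfig.getPath(), trustStoreConfig.getType(), trustStoreConfig.getPassword().toCharArray(), trustStoreConfig.getKsRef(), providerAlias, null, "");
                    }
                    KeyStore trustStore = null;
                    if (!consumerConfig.trustAnySTS()) {
                        // With trustAnySTS() the verifier gets no trust store at all.
                        trustStore = keyStoreManager.getKeyStore(trustStoreConfig.getPath(), trustStoreConfig.getType(), trustStoreConfig.getPassword().toCharArray(), trustStoreConfig.getKsRef());
                    }
                    // Verified over the decrypted element, i.e. the same element that was parsed.
                    if (!SAMLAssertionVerifier.verifySAMLSignature(assertionElement, keyInformation, trustStore, verificationResults)) {
                        throw new WSSException(MessageHelper.getMessage("security.wssecurity.WSSML2040E"));
                    }
                }
                SAML11TokenImpl token = SAMLTokenBuilder.createSAMLToken(assertion);
                token.setId(token.getSamlID());
                token.setSignerCertificate((X509Certificate) verificationResults.get(SAMLSignatureVerification.X509CERTIFICATE));
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "newSAMLToken( ConsumerConfig, XMLStructure)");
                }
                return token;
            } catch (PrivilegedActionException e) {
                throw toWSSException(e);
            }
        } catch (WSSException e) {
            // Already the API exception type; do not re-wrap and lose the original.
            throw e;
        } catch (Exception e2) {
            throw new WSSException(e2.getMessage(), e2);
        }
    }
}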
