package com.sun.xml.wss.impl.misc;

import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
import com.sun.org.apache.xml.internal.security.keys.content.KeyValue;
import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.client.IssuedTokenManager;
import com.sun.xml.ws.runtime.util.SessionManager;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.SecurityContextToken;
import com.sun.xml.ws.security.impl.DerivedKeyTokenImpl;
import com.sun.xml.ws.security.secconv.impl.client.DefaultSCTokenConfiguration;
import com.sun.xml.ws.security.trust.elements.BinarySecret;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.core.DerivedKeyTokenHeaderBlock;
import com.sun.xml.wss.core.EncryptedKeyToken;
import com.sun.xml.wss.core.KeyInfoHeaderBlock;
import com.sun.xml.wss.core.ReferenceElement;
import com.sun.xml.wss.core.SecurityContextTokenImpl;
import com.sun.xml.wss.core.SecurityToken;
import com.sun.xml.wss.core.SecurityTokenReference;
import com.sun.xml.wss.core.X509SecurityToken;
import com.sun.xml.wss.core.reference.DirectReference;
import com.sun.xml.wss.core.reference.KeyIdentifier;
import com.sun.xml.wss.core.reference.X509IssuerSerial;
import com.sun.xml.wss.impl.FilterProcessingContext;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.impl.PolicyTypeUtil;
import com.sun.xml.wss.impl.SecurableSoapMessage;
import com.sun.xml.wss.impl.WssSoapFaultException;
import com.sun.xml.wss.impl.XMLUtil;
import com.sun.xml.wss.impl.dsig.SignatureProcessor;
import com.sun.xml.wss.impl.policy.MLSPolicy;
import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
import com.sun.xml.wss.saml.AssertionUtil;
import com.sun.xml.wss.saml.util.SAMLUtil;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:spg-ui-war-2.1.1.war:WEB-INF/lib/xws-security-3.0.jar:com/sun/xml/wss/impl/misc/KeyResolver.class */
public class KeyResolver {
    // Shared logger for this class. The second argument names the resource bundle that
    // java.util.logging uses to localise messages, so the "WSSnnnn...." strings passed to
    // log.log(...) throughout this class are bundle keys rather than literal messages.
    private static Logger log = Logger.getLogger("javax.enterprise.resource.xml.webservices.security", "com.sun.xml.wss.logging.LogStrings");

    /**
     * Resolves the key that a {@code ds:KeyInfo} block points at.
     *
     * <p>The first child kind found decides the path, in this order:
     * <ol>
     *   <li>SecurityTokenReference: delegated to {@code processSecurityTokenReference} and returned as-is;</li>
     *   <li>KeyName: looked up as a secret key in the security environment;</li>
     *   <li>KeyValue / X509Data: handed to {@code resolveKeyValue} / {@code resolveX509Data};</li>
     *   <li>EncryptedKey: unwrapped with the key resolved from its own nested KeyInfo;</li>
     *   <li>wst:BinarySecret: its raw bytes become the key directly.</li>
     * </ol>
     * Only the element at index 0 of each kind is read.
     *
     * <p>Review notes:
     * <ul>
     *   <li>The BinarySecret branch builds a key from bytes carried inside the KeyInfo itself. Nothing in
     *       this method ties those bytes to an authenticated token. NOTE(review): confirm callers only
     *       reach this branch with KeyInfo taken from an already verified or decrypted token.</li>
     *   <li>When the context has neither an algorithm suite nor a data-encryption algorithm, the
     *       EncryptedKey branch falls back to the hard-coded triple-DES CBC URI, and the BinarySecret
     *       branch falls back to {@code "AES"}.</li>
     *   <li>Every {@link XWSSecurityException} raised inside is converted to a fault with code
     *       {@code MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE} whose text is the exception message.</li>
     * </ul>
     *
     * @param keyInfoHeaderBlock the KeyInfo to resolve
     * @param z forwarded unchanged to the delegate resolvers; {@code processSecurityTokenReference} uses it
     *          to choose a public-key lookup ({@code true}) or a private-key lookup ({@code false}). The key
     *          that unwraps an EncryptedKey is always resolved with {@code false}.
     * @param filterProcessingContext processing context supplying the message, policy, algorithm
     *          settings and security environment
     * @return the resolved key; for every branch except the SecurityTokenReference delegation a
     *         {@code null} result is turned into a fault instead of being returned
     * @throws XWSSecurityException declared for callers; the catch clauses below rethrow such failures
     *         as {@link WssSoapFaultException}
     */
    public static Key getKey(KeyInfoHeaderBlock keyInfoHeaderBlock, boolean z, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        try {
            SecurableSoapMessage message = filterProcessingContext.getSecurableSoapMessage();
            if (keyInfoHeaderBlock.containsSecurityTokenReference()) {
                return processSecurityTokenReference(keyInfoHeaderBlock, z, filterProcessingContext);
            }

            Key resolved;
            if (keyInfoHeaderBlock.containsKeyName()) {
                EncryptionPolicy inferredPolicy = (EncryptionPolicy) filterProcessingContext.getInferredPolicy();
                String keyName = keyInfoHeaderBlock.getKeyNameString(0);
                if (inferredPolicy != null) {
                    // Record on the inferred policy which named key the message asked for.
                    SymmetricKeyBinding namedBinding = (SymmetricKeyBinding) inferredPolicy.newSymmetricKeyBinding();
                    namedBinding.setKeyIdentifier(keyName);
                }
                resolved = filterProcessingContext.getSecurityEnvironment().getSecretKey(filterProcessingContext.getExtraneousProperties(), keyName, false);
            } else if (keyInfoHeaderBlock.containsKeyValue()) {
                resolved = resolveKeyValue(message, keyInfoHeaderBlock.getKeyValue(0), z, filterProcessingContext);
            } else if (keyInfoHeaderBlock.containsX509Data()) {
                resolved = resolveX509Data(message, keyInfoHeaderBlock.getX509Data(0), z, filterProcessingContext);
            } else if (keyInfoHeaderBlock.containsEncryptedKeyToken()) {
                EncryptedKeyToken encryptedKey = keyInfoHeaderBlock.getEncryptedKey(0);
                KeyInfoHeaderBlock nestedKeyInfo = encryptedKey.getKeyInfo();
                if (!nestedKeyInfo.containsSecurityTokenReference()) {
                    log.log(Level.SEVERE, "WSS0335.unsupported.referencetype");
                    throw new XWSSecurityException("Unsupported reference type under EncryptedKey");
                }
                // Result is discarded; the call is kept because it may still throw.
                // NOTE(review): looks like a leftover unused local from decompilation.
                nestedKeyInfo.getSecurityTokenReference(0);

                // Algorithm suite wins over the per-context setting; triple-DES CBC is the last resort.
                String dataEncryptionAlgorithm;
                if (filterProcessingContext.getAlgorithmSuite() != null) {
                    dataEncryptionAlgorithm = filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm();
                } else if (filterProcessingContext.getDataEncryptionAlgorithm() != null) {
                    dataEncryptionAlgorithm = filterProcessingContext.getDataEncryptionAlgorithm();
                } else {
                    dataEncryptionAlgorithm = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
                }
                Key unwrappingKey = getKey(nestedKeyInfo, false, filterProcessingContext);
                resolved = encryptedKey.getSecretKey(unwrappingKey, dataEncryptionAlgorithm);
            } else if (keyInfoHeaderBlock.containsBinarySecret()) {
                BinarySecret binarySecret = keyInfoHeaderBlock.getBinarySecret(0);
                // A missing Type is accepted; a present Type must be the WS-Trust SymmetricKey URI.
                boolean typeAccepted = binarySecret.getType() == null || binarySecret.getType().equals("http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey");
                if (!typeAccepted) {
                    log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
                    throw new XWSSecurityException("Unsupported wst:BinarySecret Type");
                }
                byte[] secretBytes = binarySecret.getRawValue();
                String keyAlgorithm;
                if (filterProcessingContext.getAlgorithmSuite() != null) {
                    keyAlgorithm = SecurityUtil.getSecretKeyAlgorithm(filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm());
                } else {
                    keyAlgorithm = "AES";
                }
                resolved = new SecretKeySpec(secretBytes, keyAlgorithm);
            } else {
                // None of the supported KeyInfo children is present.
                log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
                XWSSecurityException unsupported = new XWSSecurityException("Support for processing information in the given ds:KeyInfo is not present");
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY, unsupported.getMessage(), unsupported);
            }

            if (resolved == null) {
                log.log(Level.SEVERE, "WSS0600.illegal.token.reference");
                XWSSecurityException unavailable = new XWSSecurityException("Referenced security token could not be retrieved");
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE, unavailable.getMessage(), unavailable);
            }
            return resolved;
        } catch (XWSSecurityException failure) {
            // Checked failures all surface as the same fault code, whatever their cause was.
            log.log(Level.SEVERE, "WSS0284.WSS.SOAP.Fault.Exception", (Throwable) failure);
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE, failure.getMessage(), failure);
        } catch (WssSoapFaultException fault) {
            // Faults raised above keep their own code; they are only logged here.
            log.log(Level.SEVERE, "WSS0284.WSS.SOAP.Fault.Exception", (Throwable) fault);
            throw fault;
        }
    }

    /**
     * Resolves the key bound to a SAML assertion through its SubjectConfirmation KeyInfo,
     * caching the result per assertion id on the processing context.
     *
     * <p>Flow: a key already cached under {@code str} is returned immediately, before any other
     * check. Otherwise the assertion must be non-null; if the context property
     * {@code MessageConstants.SAML_SIG_RESOLVED} equals the string {@code "false"}, the assertion's
     * {@code ds:Signature} is verified and the property is then set to {@code "true"}. Finally the
     * SubjectConfirmation KeyInfo is resolved through {@link #getKey} and the key is cached.
     *
     * <p>Review notes:
     * <ul>
     *   <li>Signature verification is opt-in: it runs only when the property is exactly
     *       {@code "false"}. An unset property or any other value skips it. NOTE(review): confirm the
     *       context is initialised to {@code "false"} for every inbound message that can carry an
     *       assertion.</li>
     *   <li>{@code getElementsByTagNameNS} matches descendants, and only the first match in document
     *       order is verified. Whether {@code SignatureProcessor.verifySignature} checks that this
     *       signature actually covers the assertion is not visible here. TODO confirm.</li>
     *   <li>Every {@link Exception} raised in the body, which appears to include the SOAP faults created
     *       for signature failures, is rethrown wrapped in {@link XWSSecurityException}. The log
     *       entry written at that point does not carry the cause.</li>
     * </ul>
     *
     * @param securableSoapMessage message whose SOAP part is used to build the KeyInfo element
     * @param element the SAML assertion element; may be {@code null} only when the key is already cached
     * @param z forwarded unchanged to {@link #getKey}
     * @param filterProcessingContext processing context holding the key cache and the
     *          {@code SAML_SIG_RESOLVED} property
     * @param str cache key for the assertion; callers in this class pass the decoded key-identifier value
     * @return the cached or newly resolved key
     * @throws XWSSecurityException on any failure, wrapping the original exception
     */
    public static Key resolveSamlAssertion(SecurableSoapMessage securableSoapMessage, Element element, boolean z, FilterProcessingContext filterProcessingContext, String str) throws XWSSecurityException {
        try {
            Key cachedKey = (Key) filterProcessingContext.getSamlIdVSKeyCache().get(str);
            String signatureResolved = (String) filterProcessingContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED);
            if (cachedKey != null) {
                return cachedKey;
            }
            if (element == null) {
                log.log(Level.SEVERE, "WSS0235.failed.locate.SAMLAssertion");
                throw new XWSSecurityException("Cannot Locate SAML Assertion");
            }

            if ("false".equals(signatureResolved)) {
                NodeList signatures = element.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
                if (signatures.getLength() == 0) {
                    XWSSecurityException unsigned = new XWSSecurityException("Unsigned SAML Assertion encountered");
                    log.log(Level.SEVERE, "WSS1309.saml.signature.verify.failed", (Throwable) unsigned);
                    throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY, "Exception during Signature verfication in SAML Assertion", unsigned);
                }
                try {
                    Element firstSignature = (Element) signatures.item(0);
                    boolean signatureValid = SignatureProcessor.verifySignature(firstSignature, filterProcessingContext);
                    if (!signatureValid) {
                        log.log(Level.SEVERE, "WSS1310.saml.signature.invalid");
                        throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "SAML Assertion has invalid Signature", new Exception("SAML Assertion has invalid Signature"));
                    }
                } catch (XWSSecurityException verifyFailure) {
                    // A verifier error is reported the same way as an invalid signature.
                    log.log(Level.SEVERE, "WSS1310.saml.signature.invalid");
                    throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "SAML Assertion has invalid Signature", verifyFailure);
                }
                // Reached only after a successful verification: mark the assertion signature as handled.
                filterProcessingContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED, "true");
            }

            KeyInfoHeaderBlock confirmationKeyInfo = new KeyInfoHeaderBlock(XMLUtil.convertToSoapElement(securableSoapMessage.getSOAPPart(), AssertionUtil.getSubjectConfirmationKeyInfo(element)));
            Key resolvedKey = getKey(confirmationKeyInfo, z, filterProcessingContext);
            filterProcessingContext.getSamlIdVSKeyCache().put(str, resolvedKey);
            return resolvedKey;
        } catch (Exception failure) {
            log.log(Level.SEVERE, "WSS0238.failed.Resolve.SAMLAssertion");
            throw new XWSSecurityException(failure);
        }
    }

    public static Key processSecurityTokenReference(KeyInfoHeaderBlock keyInfoHeaderBlock, boolean z, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        Key key = null;
        HashMap tokenCache = filterProcessingContext.getTokenCache();
        SecurableSoapMessage securableSoapMessage = filterProcessingContext.getSecurableSoapMessage();
        SecurityTokenReference securityTokenReference = keyInfoHeaderBlock.getSecurityTokenReference(0);
        ReferenceElement reference = securityTokenReference.getReference();
        EncryptionPolicy encryptionPolicy = (EncryptionPolicy) filterProcessingContext.getInferredPolicy();
        EncryptionPolicy encryptionPolicy2 = null;
        boolean z2 = filterProcessingContext.getMode() == 3;
        if (z2) {
            try {
                encryptionPolicy2 = (EncryptionPolicy) filterProcessingContext.getInferredSecurityPolicy().get(filterProcessingContext.getInferredSecurityPolicy().size() - 1);
            } catch (Exception e) {
                log.log(Level.SEVERE, "WSS0239.failed.process.SecurityTokenReference", (Throwable) e);
                throw new XWSSecurityException(e);
            }
        }
        if (reference instanceof KeyIdentifier) {
            KeyIdentifier keyIdentifier = (KeyIdentifier) reference;
            if (MessageConstants.X509SubjectKeyIdentifier_NS.equals(keyIdentifier.getValueType()) || MessageConstants.X509v3SubjectKeyIdentifier_NS.equals(keyIdentifier.getValueType())) {
                if (encryptionPolicy != null) {
                    ((AuthenticationTokenPolicy.X509CertificateBinding) encryptionPolicy.newX509CertificateKeyBinding()).setReferenceType("Identifier");
                }
                if (z2) {
                    MLSPolicy keyBinding = encryptionPolicy2.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                    x509CertificateBinding.setReferenceType("Identifier");
                    if (keyBinding == null) {
                        encryptionPolicy2.setKeyBinding(x509CertificateBinding);
                    } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding)) {
                        ((SymmetricKeyBinding) keyBinding).setKeyBinding(x509CertificateBinding);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
                        DerivedTokenKeyBinding derivedTokenKeyBinding = (DerivedTokenKeyBinding) keyBinding;
                        if (derivedTokenKeyBinding.getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding).setOriginalKeyBinding(x509CertificateBinding);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding.getOriginalKeyBinding())) {
                            derivedTokenKeyBinding.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding);
                        }
                    }
                }
                key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue())) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()));
            } else if (MessageConstants.ThumbPrintIdentifier_NS.equals(keyIdentifier.getValueType())) {
                if (encryptionPolicy != null) {
                    ((AuthenticationTokenPolicy.X509CertificateBinding) encryptionPolicy.newX509CertificateKeyBinding()).setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
                }
                if (z2) {
                    MLSPolicy keyBinding2 = encryptionPolicy2.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding2 = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding2.setValueType(MessageConstants.ThumbPrintIdentifier_NS);
                    x509CertificateBinding2.setReferenceType("Identifier");
                    if (keyBinding2 == null) {
                        encryptionPolicy2.setKeyBinding(x509CertificateBinding2);
                    } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding2)) {
                        ((SymmetricKeyBinding) keyBinding2).setKeyBinding(x509CertificateBinding2);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding2)) {
                        DerivedTokenKeyBinding derivedTokenKeyBinding2 = (DerivedTokenKeyBinding) keyBinding2;
                        if (derivedTokenKeyBinding2.getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding2).setOriginalKeyBinding(x509CertificateBinding2);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding2.getOriginalKeyBinding())) {
                            derivedTokenKeyBinding2.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding2);
                        }
                    }
                }
                key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()), MessageConstants.THUMB_PRINT_TYPE) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()), MessageConstants.THUMB_PRINT_TYPE);
            } else if (MessageConstants.EncryptedKeyIdentifier_NS.equals(keyIdentifier.getValueType())) {
                if (z2) {
                    MLSPolicy keyBinding3 = encryptionPolicy2.getKeyBinding();
                    WSSPolicy symmetricKeyBinding = new SymmetricKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding3 = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding3.setReferenceType("Identifier");
                    symmetricKeyBinding.setKeyBinding(x509CertificateBinding3);
                    if (keyBinding3 == null) {
                        encryptionPolicy2.setKeyBinding(symmetricKeyBinding);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding3) && ((DerivedTokenKeyBinding) keyBinding3).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding3).setOriginalKeyBinding(symmetricKeyBinding);
                    }
                }
                String str = (String) filterProcessingContext.getExtraneousProperty(MessageConstants.EK_SHA1_TYPE);
                Key key2 = (Key) filterProcessingContext.getExtraneousProperty("SecretKey");
                String referenceValue = keyIdentifier.getReferenceValue();
                if (str == null || key2 == null) {
                    log.log(Level.SEVERE, "WSS0240.invalid.EncryptedKeySHA1.reference");
                    throw new XWSSecurityException("EncryptedKeySHA1 reference not correct");
                }
                if (str.equals(referenceValue)) {
                    key = key2;
                }
            } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType()) || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType())) {
                if (encryptionPolicy != null) {
                    ((AuthenticationTokenPolicy.SAMLAssertionBinding) encryptionPolicy.newSAMLAssertionKeyBinding()).setReferenceType(keyIdentifier.getValueType());
                }
                String decodedReferenceValue = keyIdentifier.getDecodedReferenceValue();
                Element resolveSAMLToken = resolveSAMLToken(securityTokenReference, decodedReferenceValue, filterProcessingContext);
                if (z2) {
                    MLSPolicy keyBinding4 = encryptionPolicy2.getKeyBinding();
                    IssuedTokenKeyBinding issuedTokenKeyBinding = new IssuedTokenKeyBinding();
                    if (keyBinding4 == null) {
                        if (filterProcessingContext.hasIssuedToken()) {
                            encryptionPolicy2.setKeyBinding(issuedTokenKeyBinding);
                        } else {
                            encryptionPolicy2.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
                        }
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding4) && ((DerivedTokenKeyBinding) keyBinding4).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding4).setOriginalKeyBinding(issuedTokenKeyBinding);
                    }
                }
                key = resolveSamlAssertion(securableSoapMessage, resolveSAMLToken, z, filterProcessingContext, decodedReferenceValue);
                if (filterProcessingContext.hasIssuedToken() && key != null) {
                    SecurityUtil.initInferredIssuedTokenContext(filterProcessingContext, securityTokenReference, key);
                }
            } else {
                if (encryptionPolicy != null) {
                }
                Element element = null;
                String decodedReferenceValue2 = keyIdentifier.getDecodedReferenceValue();
                try {
                    element = resolveSAMLToken(securityTokenReference, decodedReferenceValue2, filterProcessingContext);
                } catch (Exception e2) {
                }
                if (element != null) {
                    if (z2) {
                        MLSPolicy keyBinding5 = encryptionPolicy2.getKeyBinding();
                        IssuedTokenKeyBinding issuedTokenKeyBinding2 = new IssuedTokenKeyBinding();
                        if (keyBinding5 == null) {
                            encryptionPolicy2.setKeyBinding(issuedTokenKeyBinding2);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding5) && ((DerivedTokenKeyBinding) keyBinding5).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding5).setOriginalKeyBinding(issuedTokenKeyBinding2);
                        }
                    }
                    key = resolveSamlAssertion(securableSoapMessage, element, z, filterProcessingContext, decodedReferenceValue2);
                    if (filterProcessingContext.hasIssuedToken() && key != null) {
                        SecurityUtil.initInferredIssuedTokenContext(filterProcessingContext, securityTokenReference, key);
                    }
                } else {
                    if (z2) {
                        MLSPolicy keyBinding6 = encryptionPolicy2.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding4 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding4.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                        x509CertificateBinding4.setReferenceType("Identifier");
                        if (keyBinding6 == null) {
                            encryptionPolicy2.setKeyBinding(x509CertificateBinding4);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding6)) {
                            ((SymmetricKeyBinding) keyBinding6).setKeyBinding(x509CertificateBinding4);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding6)) {
                            DerivedTokenKeyBinding derivedTokenKeyBinding3 = (DerivedTokenKeyBinding) keyBinding6;
                            if (derivedTokenKeyBinding3.getOriginalKeyBinding() == null) {
                                ((DerivedTokenKeyBinding) keyBinding6).setOriginalKeyBinding(x509CertificateBinding4);
                            } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding3.getOriginalKeyBinding())) {
                                derivedTokenKeyBinding3.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding4);
                            }
                        }
                    }
                    key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue())) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()));
                }
            }
        } else if (reference instanceof DirectReference) {
            String uri = ((DirectReference) reference).getURI();
            String valueType = ((DirectReference) reference).getValueType();
            if ("http://schemas.xmlsoap.org/ws/2005/02/sc/dk".equals(valueType)) {
                valueType = null;
            }
            if (encryptionPolicy != null) {
                AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding5 = (AuthenticationTokenPolicy.X509CertificateBinding) encryptionPolicy.newX509CertificateKeyBinding();
                x509CertificateBinding5.setReferenceType("Direct");
                x509CertificateBinding5.setValueType(valueType);
            }
            if (MessageConstants.X509v3_NS.equals(valueType) || MessageConstants.X509v1_NS.equals(valueType)) {
                HashMap insertedX509Cache = filterProcessingContext.getInsertedX509Cache();
                String idFromFragmentRef = SecurableSoapMessage.getIdFromFragmentRef(uri);
                X509SecurityToken x509SecurityToken = (X509SecurityToken) insertedX509Cache.get(idFromFragmentRef);
                if (x509SecurityToken == null) {
                    x509SecurityToken = (X509SecurityToken) resolveToken(idFromFragmentRef, filterProcessingContext, securableSoapMessage);
                }
                if (z2) {
                    MLSPolicy keyBinding7 = encryptionPolicy2.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding6 = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding6.setReferenceType("Direct");
                    x509CertificateBinding6.setValueType(valueType);
                    if (keyBinding7 == null) {
                        encryptionPolicy2.setKeyBinding(x509CertificateBinding6);
                    } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding7)) {
                        ((SymmetricKeyBinding) keyBinding7).setKeyBinding(x509CertificateBinding6);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding7)) {
                        DerivedTokenKeyBinding derivedTokenKeyBinding4 = (DerivedTokenKeyBinding) keyBinding7;
                        if (derivedTokenKeyBinding4.getOriginalKeyBinding() == null) {
                            derivedTokenKeyBinding4.setOriginalKeyBinding(x509CertificateBinding6);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding4.getOriginalKeyBinding())) {
                            derivedTokenKeyBinding4.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding6);
                        }
                    }
                }
                key = resolveX509Token(securableSoapMessage, x509SecurityToken, z, filterProcessingContext);
            } else if (MessageConstants.EncryptedKey_NS.equals(valueType)) {
                SecurityToken resolveToken = resolveToken(SecurableSoapMessage.getIdFromFragmentRef(uri), filterProcessingContext, securableSoapMessage);
                KeyInfoHeaderBlock keyInfo = ((EncryptedKeyToken) resolveToken).getKeyInfo();
                keyInfo.getSecurityTokenReference(0);
                String str2 = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
                if (filterProcessingContext.getAlgorithmSuite() != null) {
                    str2 = filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm();
                } else if (filterProcessingContext.getDataEncryptionAlgorithm() != null) {
                    str2 = filterProcessingContext.getDataEncryptionAlgorithm();
                }
                try {
                    filterProcessingContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, Base64.encode(MessageDigest.getInstance(MessageConstants.SHA_1).digest(Base64.decode(((Element) ((EncryptedKeyToken) resolveToken).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, MessageConstants.XENC_CIPHER_DATA_LNAME, MessageConstants.XENC_PREFIX)).next()).getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent()))));
                    if (z2) {
                        MLSPolicy keyBinding8 = encryptionPolicy2.getKeyBinding();
                        SymmetricKeyBinding symmetricKeyBinding2 = new SymmetricKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding7 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        symmetricKeyBinding2.setKeyBinding(x509CertificateBinding7);
                        if (keyBinding8 == null) {
                            encryptionPolicy2.setKeyBinding(symmetricKeyBinding2);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding8)) {
                            ((SymmetricKeyBinding) keyBinding8).setKeyBinding(x509CertificateBinding7);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding8)) {
                            DerivedTokenKeyBinding derivedTokenKeyBinding5 = (DerivedTokenKeyBinding) keyBinding8;
                            if (derivedTokenKeyBinding5.getOriginalKeyBinding() == null) {
                                derivedTokenKeyBinding5.setOriginalKeyBinding(x509CertificateBinding7);
                            } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding5.getOriginalKeyBinding())) {
                                derivedTokenKeyBinding5.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding7);
                            }
                        }
                    }
                    key = ((EncryptedKeyToken) resolveToken).getSecretKey(getKey(keyInfo, z, filterProcessingContext), str2);
                    filterProcessingContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, key);
                } catch (Exception e3) {
                    log.log(Level.SEVERE, "WSS0241.unable.set.EKSHA1.OnContext", (Throwable) e3);
                    throw new XWSSecurityException(e3);
                }
            } else if ("http://schemas.xmlsoap.org/ws/2005/02/sc/sct".equals(valueType) || MessageConstants.SCT_13_VALUETYPE.equals(valueType)) {
                String idFromFragmentRef2 = SecurableSoapMessage.getIdFromFragmentRef(uri);
                SecurityToken securityToken = (SecurityToken) tokenCache.get(idFromFragmentRef2);
                if (securityToken == null) {
                    securityToken = SecurityUtil.locateBySCTId(filterProcessingContext, uri);
                    if (securityToken == null) {
                        securityToken = resolveToken(idFromFragmentRef2, filterProcessingContext, securableSoapMessage);
                    }
                    if (securityToken == null) {
                        log.log(Level.SEVERE, "WSS0242.unableto.locate.SCT");
                        throw new XWSSecurityException("SCT Token with Id " + idFromFragmentRef2 + "not found");
                    }
                    tokenCache.put(idFromFragmentRef2, securityToken);
                }
                if (!(securityToken instanceof SecurityContextToken)) {
                    log.log(Level.SEVERE, "WSS0243.invalid.valueType.NonSCTToken");
                    throw new XWSSecurityException("Incorrect ValueType: http://schemas.xmlsoap.org/ws/2005/02/sc/sct, specified for a Non SCT Token");
                }
                byte[] resolveSCT = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) securityToken, z);
                String secretKeyAlgorithm = filterProcessingContext.getAlgorithmSuite() != null ? SecurityUtil.getSecretKeyAlgorithm(filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm()) : "AES";
                if (z2) {
                    MLSPolicy keyBinding9 = encryptionPolicy2.getKeyBinding();
                    SecureConversationTokenKeyBinding secureConversationTokenKeyBinding = new SecureConversationTokenKeyBinding();
                    if (keyBinding9 == null) {
                        encryptionPolicy2.setKeyBinding(secureConversationTokenKeyBinding);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding9) && ((DerivedTokenKeyBinding) keyBinding9).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding9).setOriginalKeyBinding(secureConversationTokenKeyBinding);
                    }
                }
                key = new SecretKeySpec(resolveSCT, secretKeyAlgorithm);
            } else {
                if (null != valueType) {
                    log.log(Level.SEVERE, "WSS0337.unsupported.directref.mechanism", new Object[]{((DirectReference) reference).getValueType()});
                    XWSSecurityException xWSSecurityException = new XWSSecurityException("unsupported directreference ValueType " + ((DirectReference) reference).getValueType());
                    throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, xWSSecurityException.getMessage(), xWSSecurityException);
                }
                String idFromFragmentRef3 = SecurableSoapMessage.getIdFromFragmentRef(uri);
                SOAPElement locateBySCTId = SecurityUtil.locateBySCTId(filterProcessingContext, idFromFragmentRef3);
                if (locateBySCTId == null) {
                    locateBySCTId = resolveToken(idFromFragmentRef3, filterProcessingContext, securableSoapMessage);
                }
                if (locateBySCTId instanceof X509SecurityToken) {
                    if (z2) {
                        MLSPolicy keyBinding10 = encryptionPolicy2.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding8 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding8.setReferenceType("Direct");
                        if (keyBinding10 == null) {
                            encryptionPolicy2.setKeyBinding(x509CertificateBinding8);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding10) && ((DerivedTokenKeyBinding) keyBinding10).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding10).setOriginalKeyBinding(x509CertificateBinding8);
                        }
                    }
                    key = resolveX509Token(securableSoapMessage, (X509SecurityToken) locateBySCTId, z, filterProcessingContext);
                } else if (locateBySCTId instanceof EncryptedKeyToken) {
                    KeyInfoHeaderBlock keyInfo2 = ((EncryptedKeyToken) locateBySCTId).getKeyInfo();
                    keyInfo2.getSecurityTokenReference(0).getReference();
                    String str3 = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
                    if (filterProcessingContext.getAlgorithmSuite() != null) {
                        str3 = filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm();
                    } else if (filterProcessingContext.getDataEncryptionAlgorithm() != null) {
                        str3 = filterProcessingContext.getDataEncryptionAlgorithm();
                    }
                    try {
                        filterProcessingContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, Base64.encode(MessageDigest.getInstance(MessageConstants.SHA_1).digest(Base64.decode(((Element) ((EncryptedKeyToken) locateBySCTId).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, MessageConstants.XENC_CIPHER_DATA_LNAME, MessageConstants.XENC_PREFIX)).next()).getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent()))));
                        if (z2) {
                            MLSPolicy keyBinding11 = encryptionPolicy2.getKeyBinding();
                            SymmetricKeyBinding symmetricKeyBinding3 = new SymmetricKeyBinding();
                            symmetricKeyBinding3.setKeyBinding(new AuthenticationTokenPolicy.X509CertificateBinding());
                            if (keyBinding11 == null) {
                                encryptionPolicy2.setKeyBinding(symmetricKeyBinding3);
                            } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding11) && ((DerivedTokenKeyBinding) keyBinding11).getOriginalKeyBinding() == null) {
                                ((DerivedTokenKeyBinding) keyBinding11).setOriginalKeyBinding(symmetricKeyBinding3);
                            }
                        }
                        key = ((EncryptedKeyToken) locateBySCTId).getSecretKey(getKey(keyInfo2, z, filterProcessingContext), str3);
                        filterProcessingContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, key);
                    } catch (Exception e4) {
                        log.log(Level.SEVERE, "WSS0241.unableto.set.EKSHA1.OnContext", (Throwable) e4);
                        throw new XWSSecurityException(e4);
                    }
                } else if (locateBySCTId instanceof SecurityContextToken) {
                    byte[] resolveSCT2 = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) locateBySCTId, z);
                    String secretKeyAlgorithm2 = filterProcessingContext.getAlgorithmSuite() != null ? SecurityUtil.getSecretKeyAlgorithm(filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm()) : "AES";
                    if (z2) {
                        MLSPolicy keyBinding12 = encryptionPolicy2.getKeyBinding();
                        SecureConversationTokenKeyBinding secureConversationTokenKeyBinding2 = new SecureConversationTokenKeyBinding();
                        if (keyBinding12 == null) {
                            encryptionPolicy2.setKeyBinding(secureConversationTokenKeyBinding2);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding12) && ((DerivedTokenKeyBinding) keyBinding12).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding12).setOriginalKeyBinding(secureConversationTokenKeyBinding2);
                        }
                    }
                    key = new SecretKeySpec(resolveSCT2, secretKeyAlgorithm2);
                } else {
                    if (!(locateBySCTId instanceof DerivedKeyTokenHeaderBlock)) {
                        String str4 = " Cannot Resolve URI " + uri;
                        log.log(Level.SEVERE, "WSS0337.unsupported.directref.mechanism", new Object[]{str4});
                        XWSSecurityException xWSSecurityException2 = new XWSSecurityException(str4);
                        throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE, xWSSecurityException2.getMessage(), xWSSecurityException2);
                    }
                    if (z2) {
                        MLSPolicy keyBinding13 = encryptionPolicy2.getKeyBinding();
                        DerivedTokenKeyBinding derivedTokenKeyBinding6 = new DerivedTokenKeyBinding();
                        if (keyBinding13 == null) {
                            encryptionPolicy2.setKeyBinding(derivedTokenKeyBinding6);
                        } else if (!PolicyTypeUtil.derivedTokenKeyBinding(keyBinding13)) {
                            log.log(Level.SEVERE, "WSS0244.invalid.level.DKT");
                            throw new XWSSecurityException("A derived Key Token should be a top level key binding");
                        }
                    }
                    key = resolveDKT(filterProcessingContext, (DerivedKeyTokenHeaderBlock) locateBySCTId);
                }
            }
        } else {
            if (!(reference instanceof X509IssuerSerial)) {
                log.log(Level.SEVERE, "WSS0338.unsupported.reference.mechanism");
                XWSSecurityException xWSSecurityException3 = new XWSSecurityException("Key reference mechanism not supported");
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN, xWSSecurityException3.getMessage(), xWSSecurityException3);
            }
            BigInteger serialNumber = ((X509IssuerSerial) reference).getSerialNumber();
            String issuerName = ((X509IssuerSerial) reference).getIssuerName();
            if (z2) {
                MLSPolicy keyBinding14 = encryptionPolicy2.getKeyBinding();
                AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding9 = new AuthenticationTokenPolicy.X509CertificateBinding();
                x509CertificateBinding9.setReferenceType("IssuerSerialNumber");
                if (keyBinding14 == null) {
                    encryptionPolicy2.setKeyBinding(x509CertificateBinding9);
                } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding14)) {
                    ((SymmetricKeyBinding) keyBinding14).setKeyBinding(x509CertificateBinding9);
                } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding14)) {
                    DerivedTokenKeyBinding derivedTokenKeyBinding7 = (DerivedTokenKeyBinding) keyBinding14;
                    if (derivedTokenKeyBinding7.getOriginalKeyBinding() == null) {
                        derivedTokenKeyBinding7.setOriginalKeyBinding(x509CertificateBinding9);
                    } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding7.getOriginalKeyBinding())) {
                        derivedTokenKeyBinding7.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding9);
                    }
                }
            }
            key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), serialNumber, issuerName) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), serialNumber, issuerName);
        }
        return key;
    }

    /**
     * Resolves the key that belongs to an X.509 security token.
     *
     * <p>With {@code z == false} the private key matching the token's certificate is requested
     * from the security environment. With {@code z == true} the certificate is handed to
     * {@code updateOtherPartySubject}, stored as the requestor certificate when a trust
     * credential holder is present, and its public key is returned.
     *
     * <p>NOTE(review): this method performs no certificate validation (chain, validity period,
     * revocation); the public key is returned directly from the token carried in the message.
     * Presumably the caller or the security environment validates the certificate. Confirm that
     * before treating the returned key as trusted.
     *
     * @param securableSoapMessage message being processed; not read by this method
     * @param x509SecurityToken token whose certificate is used
     * @param z {@code true} to return the certificate's public key, {@code false} to look up
     *     the matching private key
     * @param filterProcessingContext context supplying the security environment and properties
     * @return the public key of the certificate, or the private key found for it
     * @throws XWSSecurityException propagated from the token or security-environment calls
     */
    public static Key resolveX509Token(SecurableSoapMessage securableSoapMessage, X509SecurityToken x509SecurityToken, boolean z, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        if (z) {
            X509Certificate peerCertificate = x509SecurityToken.getCertificate();
            // Record the sender's certificate on the subject before its key is used.
            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), peerCertificate);
            if (filterProcessingContext.getTrustCredentialHolder() != null) {
                filterProcessingContext.getTrustCredentialHolder().setRequestorCertificate(peerCertificate);
            }
            return peerCertificate.getPublicKey();
        }
        return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), x509SecurityToken.getCertificate());
    }

    /**
     * Resolves a key from a {@code ds:KeyValue} element.
     *
     * <p>With {@code z == true} the public key encoded in the element is returned as-is. With
     * {@code z == false} that public key is used to look up a private key in the security
     * environment.
     *
     * <p>NOTE(review): on the {@code z == true} path the key comes straight from the message,
     * so the sender chooses it. Nothing in this method ties the key to a trusted identity;
     * presumably a later step does. Confirm against the callers.
     *
     * @param securableSoapMessage message being processed; not read by this method
     * @param keyValue the KeyValue element to read
     * @param z {@code true} to return the embedded public key, {@code false} to look up the
     *     matching private key
     * @param filterProcessingContext context supplying the security environment and properties
     * @return the resolved key
     * @throws XWSSecurityException wrapping any exception raised while reading the key
     */
    public static Key resolveKeyValue(SecurableSoapMessage securableSoapMessage, KeyValue keyValue, boolean z, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        keyValue.getElement().normalize();
        try {
            if (z) {
                return keyValue.getPublicKey();
            }
            return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), keyValue.getPublicKey(), false);
        } catch (Exception failure) {
            // Only the message text is logged; the exception itself travels as the cause.
            log.log(Level.SEVERE, "WSS0601.illegal.key.value", failure.getMessage());
            throw new XWSSecurityException(failure);
        }
    }

    /**
     * Resolves a key from a {@code ds:X509Data} element.
     *
     * <p>The children are tried in a fixed order: an embedded certificate, a subject key
     * identifier, then issuer name plus serial number. Only the first item of each kind
     * (index 0) is read. An {@code X509SubjectName} child, or an element with none of these
     * children, is rejected.
     *
     * <p>NOTE(review): for an embedded certificate with {@code z == true} the public key is
     * returned without any validation in this method. The certificate is supplied by the message
     * sender, so trust has to be established elsewhere. Confirm that it is.
     *
     * @param securableSoapMessage message being processed; not read by this method
     * @param x509Data the X509Data element to read
     * @param z {@code true} to resolve a public key, {@code false} to resolve a private key
     * @param filterProcessingContext context supplying the security environment and properties
     * @return the resolved key
     * @throws XWSSecurityException for unsupported content and for any failure while resolving;
     *     the exceptions thrown inside the {@code try} are themselves caught by the broad
     *     {@code catch} below, logged again under WSS0602 and re-wrapped
     */
    public static Key resolveX509Data(SecurableSoapMessage securableSoapMessage, X509Data x509Data, boolean z, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        x509Data.getElement().normalize();
        try {
            if (x509Data.containsCertificate()) {
                X509Certificate embeddedCertificate = x509Data.itemCertificate(0).getX509Certificate();
                if (z) {
                    return embeddedCertificate.getPublicKey();
                }
                return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), embeddedCertificate);
            }
            if (x509Data.containsSKI()) {
                if (z) {
                    return filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), x509Data.itemSKI(0).getSKIBytes());
                }
                return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), x509Data.itemSKI(0).getSKIBytes());
            }
            if (x509Data.containsSubjectName()) {
                log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
                throw new XWSSecurityException("X509SubjectName child element of X509Data is not yet supported by our implementation");
            }
            if (x509Data.containsIssuerSerial()) {
                if (z) {
                    return filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), x509Data.itemIssuerSerial(0).getSerialNumber(), x509Data.itemIssuerSerial(0).getIssuerName());
                }
                return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), x509Data.itemIssuerSerial(0).getSerialNumber(), x509Data.itemIssuerSerial(0).getIssuerName());
            }
            log.log(Level.SEVERE, "WSS0339.unsupported.keyinfo");
            throw new XWSSecurityException("Unsupported child element of X509Data encountered");
        } catch (Exception failure) {
            log.log(Level.SEVERE, "WSS0602.illegal.x509.data", failure.getMessage());
            throw new XWSSecurityException(failure);
        }
    }

    /**
     * Decodes a Base64 string, converting a decoding failure into an
     * {@link XWSSecurityException}.
     *
     * @param str Base64 text to decode
     * @return the decoded bytes
     * @throws XWSSecurityException if {@code str} is not valid Base64; the decoding exception
     *     is logged and kept as the cause
     */
    private static byte[] getDecodedBase64EncodedData(String str) throws XWSSecurityException {
        byte[] decoded;
        try {
            decoded = Base64.decode(str);
        } catch (Base64DecodingException decodeFailure) {
            log.log(Level.SEVERE, "WSS0144.unableto.decode.base64.data", decodeFailure);
            throw new XWSSecurityException("Unable to decode Base64 encoded data", decodeFailure);
        }
        return decoded;
    }

    /**
     * Looks up the security token with the given id, first in the context's token cache and
     * then in the message, and caches the result.
     *
     * <p>The token class is chosen from the element's local name alone: binary security token,
     * {@code EncryptedKey}, security context token or derived key token. An element with any
     * other local name yields {@code null}, and that {@code null} is also written to the cache.
     *
     * <p>NOTE(review): the element's namespace is not compared here, only its local name.
     * Presumably the token constructors check the qualified name. Confirm, because the id and
     * the element both come from the incoming message.
     *
     * @param str id of the token element
     * @param filterProcessingContext context holding the token cache
     * @param securableSoapMessage message searched for the element
     * @return the cached or newly built token, or {@code null} if the element is of no known kind
     * @throws XWSSecurityException wrapping any exception raised during the lookup, including
     *     the {@code NullPointerException} that results if no element is returned for the id
     */
    private static SecurityToken resolveToken(String str, FilterProcessingContext filterProcessingContext, SecurableSoapMessage securableSoapMessage) throws XWSSecurityException {
        try {
            HashMap tokenCache = filterProcessingContext.getTokenCache();
            SecurityToken cachedToken = (SecurityToken) tokenCache.get(str);
            if (cachedToken != null) {
                return cachedToken;
            }
            SOAPElement tokenElement = securableSoapMessage.getElementById(str);
            tokenElement.normalize();
            String localName = tokenElement.getLocalName();
            SecurityToken resolvedToken = null;
            if (MessageConstants.WSSE_BINARY_SECURITY_TOKEN_LNAME.equals(localName)) {
                resolvedToken = new X509SecurityToken(tokenElement);
            } else if ("EncryptedKey".equals(localName)) {
                resolvedToken = new EncryptedKeyToken(tokenElement);
            } else if (MessageConstants.SECURITY_CONTEXT_TOKEN_LNAME.equals(localName)) {
                resolvedToken = new SecurityContextTokenImpl(tokenElement);
            } else if (MessageConstants.DERIVEDKEY_TOKEN_LNAME.equals(localName)) {
                resolvedToken = new DerivedKeyTokenHeaderBlock(tokenElement);
            }
            // Cached even when null, exactly as the lookup produced it.
            tokenCache.put(str, resolvedToken);
            return resolvedToken;
        } catch (Exception failure) {
            log.log(Level.SEVERE, "WSS0245.failed.resolve.SecurityToken", (Throwable) failure);
            throw new XWSSecurityException(failure);
        }
    }

    /**
     * Finds the SAML assertion that a security token reference points to.
     *
     * <p>Sources are tried in this order: the client-side assertion cache on the context, the
     * issued SAML token on the context, the SAML authority binding of the reference (through the
     * security environment), and finally a search of the SOAP part by assertion id. A cached
     * assertion is returned immediately, without the steps below.
     *
     * <p>For an issued token, and for an assertion found in the message while the
     * {@code SAML_SIG_RESOLVED} property is not {@code "true"}, that property is set to
     * {@code "false"}. NOTE(review): presumably this marks the assertion's own signature as not
     * yet verified. Confirm where the property is consumed.
     *
     * <p>NOTE(review): if no source yields an assertion, the value passed to
     * {@code addAuthorityId} is {@code null}. That call sits outside the {@code try}, so a
     * {@code NullPointerException} raised there would not be converted to
     * {@link XWSSecurityException}.
     *
     * @param securityTokenReference reference whose authority binding may locate the assertion
     * @param str assertion id
     * @param filterProcessingContext context supplying caches, properties and the message
     * @return the assertion element, or {@code null} when the located element's local name is
     *     the encrypted-data name
     * @throws XWSSecurityException wrapping any exception raised while inspecting the element
     */
    private static Element resolveSAMLToken(SecurityTokenReference securityTokenReference, String str, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        Element cachedAssertion = (Element) filterProcessingContext.getExtraneousProperties().get(MessageConstants.SAML_ASSERTION_CLIENT_CACHE);
        if (cachedAssertion != null) {
            return cachedAssertion;
        }
        Element assertion = filterProcessingContext.getIssuedSAMLToken();
        if (assertion != null) {
            filterProcessingContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED, "false");
        } else if (securityTokenReference.getSamlAuthorityBinding() != null) {
            assertion = filterProcessingContext.getSecurityEnvironment().locateSAMLAssertion(filterProcessingContext.getExtraneousProperties(), securityTokenReference.getSamlAuthorityBinding(), str, filterProcessingContext.getSOAPMessage().getSOAPPart());
        } else {
            assertion = SAMLUtil.locateSamlAssertion(str, filterProcessingContext.getSOAPMessage().getSOAPPart());
            // Anything other than "true" (including an unset property) is normalised to "false".
            if (!"true".equals((String) filterProcessingContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED))) {
                filterProcessingContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED, "false");
            }
        }
        addAuthorityId(assertion, filterProcessingContext);
        try {
            return MessageConstants.ENCRYPTED_DATA_LNAME.equals(assertion.getLocalName()) ? null : assertion;
        } catch (Exception failure) {
            log.log(Level.SEVERE, "WSS0238.failed.Resolve.SAMLAssertion", (Throwable) failure);
            throw new XWSSecurityException(failure);
        }
    }

    /**
     * Copies the assertion's {@code Issuer} attribute into the SAML key binding of the inferred
     * policy as its authority identifier. Does nothing when the context has no inferred policy.
     *
     * <p>NOTE(review): {@code Issuer} is read as an attribute, which is where SAML 1.x
     * assertions carry it. SAML 2.0 assertions carry the issuer as a child element instead, and
     * DOM {@code getAttribute} returns an empty string for a missing attribute, so a 2.0
     * assertion would presumably record an empty authority identifier. Confirm whether any
     * policy check depends on this value.
     *
     * @param element the SAML assertion element; not checked for {@code null}
     * @param filterProcessingContext context whose inferred policy receives the identifier
     */
    private static void addAuthorityId(Element element, FilterProcessingContext filterProcessingContext) {
        EncryptionPolicy inferredPolicy = (EncryptionPolicy) filterProcessingContext.getInferredPolicy();
        if (inferredPolicy == null) {
            return;
        }
        AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) inferredPolicy.newSAMLAssertionKeyBinding();
        String issuer = element.getAttribute("Issuer");
        samlBinding.setAuthorityIdentifier(issuer);
    }

    /**
     * Returns the secret bytes of the secure-conversation session named by an incoming security
     * context token.
     *
     * <p>The token is first stored on the context as {@code INCOMING_SCT}. On a client the
     * session is obtained through {@code IssuedTokenManager}; otherwise it is looked up in
     * {@code SessionManager} by the token's context id. If the session has a requestor subject
     * and the {@code SCBOOTSTRAP_CRED_IN_SUBJ} property is not yet set, the subject is passed to
     * {@code updateOtherPartySubject} and the property is set to {@code "true"}.
     *
     * <p>The result is the session's proof key, unless the session's token has an instance and
     * the context is not expired, in which case the secret registered for that instance is
     * returned.
     *
     * <p>NOTE(review): the context id is taken from the token in the message and is the only
     * lookup key used here. The session's security token is cast and dereferenced without a
     * null check.
     *
     * @param filterProcessingContext processing context
     * @param securityContextTokenImpl the incoming security context token
     * @param z not read by this method
     * @return the key bytes for the session
     * @throws XWSSecurityException if the issued token cannot be obtained on the client side or
     *     no session exists for the context id
     */
    private static byte[] resolveSCT(FilterProcessingContext filterProcessingContext, SecurityContextTokenImpl securityContextTokenImpl, boolean z) throws XWSSecurityException {
        filterProcessingContext.setExtraneousProperty(MessageConstants.INCOMING_SCT, securityContextTokenImpl);
        String contextId = securityContextTokenImpl.getSCId();
        IssuedTokenContext session;
        if (!filterProcessingContext.isClient()) {
            session = SessionManager.getSessionManager().getSecurityContext(contextId, !filterProcessingContext.isExpired());
        } else {
            session = IssuedTokenManager.getInstance().createIssuedTokenContext(new DefaultSCTokenConfiguration(filterProcessingContext.getWSSCVersion(filterProcessingContext.getSecurityPolicyVersion()), contextId, !filterProcessingContext.isExpired(), !filterProcessingContext.isInboundMessage()), null);
            try {
                IssuedTokenManager.getInstance().getIssuedToken(session);
            } catch (WSTrustException trustFailure) {
                throw new XWSSecurityException(trustFailure);
            }
        }
        if (session == null) {
            log.log(Level.SEVERE, "WSS0246.unableto.locate.SecureConversationSession");
            throw new XWSSecurityException("Could not locate SecureConversation session for Id:" + contextId);
        }
        Subject requestor = session.getRequestorSubject();
        if (requestor != null && filterProcessingContext.getExtraneousProperty(MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ) == null) {
            // Done at most once per context: the flag below suppresses later updates.
            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(SecurityUtil.getSubject(filterProcessingContext.getExtraneousProperties()), requestor);
            filterProcessingContext.getExtraneousProperties().put(MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ, "true");
        }
        SecurityContextToken sessionToken = (SecurityContextToken) session.getSecurityToken();
        if (sessionToken.getInstance() == null || filterProcessingContext.isExpired()) {
            return session.getProofKey();
        }
        return session.getSecurityContextTokenInfo().getInstanceSecret(sessionToken.getInstance());
    }

    /**
     * Resolves the symmetric key described by a derived key token.
     *
     * <p>The token's security token reference is followed to a base token (an EncryptedKey, a
     * security context token, or a SAML assertion), the base token's secret bytes are obtained,
     * and {@code DerivedKeyTokenImpl} derives the final key from those bytes together with the
     * offset, length, nonce and label read from the header block.
     *
     * <p>When the context mode is 3, the key binding discovered along the way is also recorded
     * on the last entry of the inferred security policy.
     *
     * <p>NOTE(review): offset, length, nonce and label come from the incoming header block and
     * are passed on unchanged; no range check is visible in this method. Presumably
     * {@code DerivedKeyTokenHeaderBlock} or {@code DerivedKeyTokenImpl} bounds them. Confirm.
     *
     * @param filterProcessingContext processing context (algorithm suite, properties, message)
     * @param derivedKeyTokenHeaderBlock the derived key token to resolve
     * @return the derived symmetric key
     * @throws XWSSecurityException if the token has no reference, the reference or token type is
     *     unsupported, the EncryptedKeySHA1 reference does not match, or key derivation fails
     */
    private static Key resolveDKT(FilterProcessingContext filterProcessingContext, DerivedKeyTokenHeaderBlock derivedKeyTokenHeaderBlock) throws XWSSecurityException {
        byte[] encoded;
        // Encryption algorithm URI: the MessageConstants default unless an algorithm suite is set.
        String str = MessageConstants.AES_BLOCK_ENCRYPTION_128;
        if (filterProcessingContext.getAlgorithmSuite() != null) {
            str = filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm();
        }
        SecurableSoapMessage securableSoapMessage = filterProcessingContext.getSecurableSoapMessage();
        EncryptionPolicy encryptionPolicy = null;
        // NOTE(review): the meaning of mode 3 is not visible here; presumably the mode in which
        // the policy is inferred from the message. Confirm against the mode constants.
        boolean z = filterProcessingContext.getMode() == 3;
        if (z) {
            try {
                // The policy being inferred is the last entry of the inferred policy list.
                encryptionPolicy = (EncryptionPolicy) filterProcessingContext.getInferredSecurityPolicy().get(filterProcessingContext.getInferredSecurityPolicy().size() - 1);
            } catch (Exception e) {
                // The cause is wrapped below but not handed to the logger.
                log.log(Level.SEVERE, "WSS0247.failed.resolve.DerivedKeyToken");
                throw new XWSSecurityException(e);
            }
        }
        SecurityTokenReference derivedKeyElement = derivedKeyTokenHeaderBlock.getDerivedKeyElement();
        if (derivedKeyElement == null) {
            log.log(Level.SEVERE, "WSS0248.null.STR");
            throw new XWSSecurityException("Invalid DerivedKey Token encountered, no STR found");
        }
        ReferenceElement reference = derivedKeyElement.getReference();
        if (reference instanceof DirectReference) {
            // Direct reference: the URI fragment is resolved to a known SCT or to an element of
            // the message.
            String uri = ((DirectReference) reference).getURI();
            String valueType = ((DirectReference) reference).getValueType();
            String idFromFragmentRef = SecurableSoapMessage.getIdFromFragmentRef(uri);
            SOAPElement locateBySCTId = SecurityUtil.locateBySCTId(filterProcessingContext, idFromFragmentRef);
            if (locateBySCTId == null) {
                locateBySCTId = resolveToken(idFromFragmentRef, filterProcessingContext, securableSoapMessage);
                // A reference without ValueType that resolves to an EncryptedKey is handled as an
                // EncryptedKey reference.
                if (valueType == null && (locateBySCTId instanceof EncryptedKeyToken)) {
                    valueType = MessageConstants.EncryptedKey_NS;
                }
            }
            if (MessageConstants.EncryptedKey_NS.equals(valueType)) {
                try {
                    // Store the Base64 SHA-1 digest of the decoded CipherValue on the context.
                    // NOTE(review): the cast to EncryptedKeyToken is driven by the ValueType in
                    // the message, not by an instanceof check; a mismatch ends in the broad catch
                    // below as a wrapped ClassCastException.
                    filterProcessingContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, Base64.encode(MessageDigest.getInstance(MessageConstants.SHA_1).digest(Base64.decode(((Element) ((EncryptedKeyToken) locateBySCTId).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, MessageConstants.XENC_CIPHER_DATA_LNAME, MessageConstants.XENC_PREFIX)).next()).getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent()))));
                    if (z) {
                        MLSPolicy keyBinding = encryptionPolicy.getKeyBinding();
                        SymmetricKeyBinding symmetricKeyBinding = new SymmetricKeyBinding();
                        symmetricKeyBinding.setKeyBinding(new AuthenticationTokenPolicy.X509CertificateBinding());
                        // Only fills in the original key binding of a derived-token binding that
                        // does not have one yet.
                        if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding) && ((DerivedTokenKeyBinding) keyBinding).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding).setOriginalKeyBinding(symmetricKeyBinding);
                        }
                    }
                    // Unwrap the EncryptedKey with the key its KeyInfo resolves to, then keep the
                    // secret key on the context for later references.
                    Key secretKey = ((EncryptedKeyToken) locateBySCTId).getSecretKey(getKey(((EncryptedKeyToken) locateBySCTId).getKeyInfo(), false, filterProcessingContext), str);
                    encoded = secretKey.getEncoded();
                    filterProcessingContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, secretKey);
                } catch (Exception e2) {
                    log.log(Level.SEVERE, "WSS0241.unableto.set.EKSHA1.OnContext", (Throwable) e2);
                    throw new XWSSecurityException(e2);
                }
            } else if ("http://schemas.xmlsoap.org/ws/2005/02/sc/sct".equals(valueType) || MessageConstants.SCT_13_VALUETYPE.equals(valueType)) {
                // The ValueType claims an SCT, so the resolved token must actually be one.
                if (!(locateBySCTId instanceof SecurityContextToken)) {
                    log.log(Level.SEVERE, "WSS0243.invalid.valueType.NonSCTToken");
                    throw new XWSSecurityException("Incorrect ValueType: http://schemas.xmlsoap.org/ws/2005/02/sc/sct, specified for a Non SCT Token");
                }
                if (z) {
                    MLSPolicy keyBinding2 = encryptionPolicy.getKeyBinding();
                    SecureConversationTokenKeyBinding secureConversationTokenKeyBinding = new SecureConversationTokenKeyBinding();
                    if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding2) && ((DerivedTokenKeyBinding) keyBinding2).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding2).setOriginalKeyBinding(secureConversationTokenKeyBinding);
                    }
                }
                encoded = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) locateBySCTId, false);
            } else {
                // Any other explicit ValueType is rejected; without a ValueType only an SCT is
                // accepted.
                if (null != valueType) {
                    log.log(Level.SEVERE, "WSS0249.unsupported.TokenType.DKT");
                    throw new XWSSecurityException("Unsupported TokenType " + locateBySCTId + " under DerivedKeyToken");
                }
                if (!(locateBySCTId instanceof SecurityContextToken)) {
                    log.log(Level.SEVERE, "WSS0249.unsupported.TokenType.DKT");
                    throw new XWSSecurityException("Unsupported TokenType " + locateBySCTId + " under DerivedKeyToken");
                }
                if (z) {
                    MLSPolicy keyBinding3 = encryptionPolicy.getKeyBinding();
                    SecureConversationTokenKeyBinding secureConversationTokenKeyBinding2 = new SecureConversationTokenKeyBinding();
                    // NOTE(review): unlike the other branches, this one replaces the original key
                    // binding even when one is already set; confirm that is intended.
                    if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding3)) {
                        ((DerivedTokenKeyBinding) keyBinding3).setOriginalKeyBinding(secureConversationTokenKeyBinding2);
                    }
                }
                encoded = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) locateBySCTId, false);
            }
        } else {
            // The only other supported reference form is a key identifier.
            if (!(reference instanceof KeyIdentifier)) {
                log.log(Level.SEVERE, "WSS0283.unsupported.ReferenceType.DKT");
                throw new XWSSecurityException("Unsupported ReferenceType " + reference + " under DerivedKeyToken");
            }
            KeyIdentifier keyIdentifier = (KeyIdentifier) reference;
            if (MessageConstants.EncryptedKeyIdentifier_NS.equals(keyIdentifier.getValueType())) {
                if (z) {
                    MLSPolicy keyBinding4 = encryptionPolicy.getKeyBinding();
                    WSSPolicy symmetricKeyBinding2 = new SymmetricKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding.setReferenceType("Identifier");
                    symmetricKeyBinding2.setKeyBinding(x509CertificateBinding);
                    if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding4) && ((DerivedTokenKeyBinding) keyBinding4).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding4).setOriginalKeyBinding(symmetricKeyBinding2);
                    }
                }
                // The key is not in this message part: it is read back from the context and is
                // accepted only if the stored SHA-1 identifier equals the referenced one.
                // NOTE(review): the properties read here (EK_SHA1_TYPE, "SecretKey") are named
                // differently from the ones written in the EncryptedKey branch above
                // (EK_SHA1_VALUE, SECRET_KEY_VALUE); presumably the constants resolve to the same
                // property names. Confirm in MessageConstants.
                String str2 = (String) filterProcessingContext.getExtraneousProperty(MessageConstants.EK_SHA1_TYPE);
                Key key = (Key) filterProcessingContext.getExtraneousProperty("SecretKey");
                String referenceValue = keyIdentifier.getReferenceValue();
                if (str2 == null || key == null) {
                    log.log(Level.SEVERE, "WSS0240.invalid.EncryptedKeySHA1.reference");
                    throw new XWSSecurityException("EncryptedKeySHA1 reference not correct");
                }
                if (!str2.equals(referenceValue)) {
                    log.log(Level.SEVERE, "WSS0240.invalid.EncryptedKeySHA1.reference");
                    throw new XWSSecurityException("EncryptedKeySHA1 reference not correct");
                }
                encoded = key.getEncoded();
            } else {
                // Remaining supported identifiers: the two SAML key identifier value types.
                if (!MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType()) && !MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType())) {
                    log.log(Level.SEVERE, "WSS0282.unsupported.KeyIdentifier.Reference.DKT");
                    throw new XWSSecurityException("Unsupported KeyIdentifier Reference " + keyIdentifier + " under DerivedKeyToken");
                }
                if (z) {
                    MLSPolicy keyBinding5 = encryptionPolicy.getKeyBinding();
                    IssuedTokenKeyBinding issuedTokenKeyBinding = new IssuedTokenKeyBinding();
                    if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding5) && ((DerivedTokenKeyBinding) keyBinding5).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding5).setOriginalKeyBinding(issuedTokenKeyBinding);
                    }
                }
                String referenceValue2 = keyIdentifier.getReferenceValue();
                Key resolveSamlAssertion = resolveSamlAssertion(securableSoapMessage, resolveSAMLToken(derivedKeyElement, referenceValue2, filterProcessingContext), true, filterProcessingContext, referenceValue2);
                if (filterProcessingContext.hasIssuedToken() && resolveSamlAssertion != null) {
                    SecurityUtil.initInferredIssuedTokenContext(filterProcessingContext, derivedKeyElement, resolveSamlAssertion);
                }
                // NOTE(review): the key is null-checked just above but dereferenced here
                // unconditionally; a null key would raise a NullPointerException rather than an
                // XWSSecurityException.
                encoded = resolveSamlAssertion.getEncoded();
            }
        }
        try {
            // Derive the final key from the base secret and the parameters carried in the header
            // block.
            return new DerivedKeyTokenImpl(derivedKeyTokenHeaderBlock.getOffset(), derivedKeyTokenHeaderBlock.getLength(), encoded, derivedKeyTokenHeaderBlock.getNonce(), derivedKeyTokenHeaderBlock.getLabel()).generateSymmetricKey(SecurityUtil.getSecretKeyAlgorithm(str));
        } catch (UnsupportedEncodingException e3) {
            log.log(Level.SEVERE, "WSS0247.failed.resolve.DerivedKeyToken");
            throw new XWSSecurityException(e3);
        } catch (InvalidKeyException e4) {
            log.log(Level.SEVERE, "WSS0247.failed.resolve.DerivedKeyToken");
            throw new XWSSecurityException(e4);
        } catch (NoSuchAlgorithmException e5) {
            log.log(Level.SEVERE, "WSS0247.failed.resolve.DerivedKeyToken");
            throw new XWSSecurityException(e5);
        }
    }

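    /**
     * Resolves the key identified by the first SecurityTokenReference of a KeyInfo block.
     *
     * <p>Three reference mechanisms are handled: {@link KeyIdentifier}, {@link DirectReference}
     * and {@link X509IssuerSerial}. Any other mechanism is rejected with a SOAP fault. The
     * reference values (ValueType, URI, identifier bytes) are read from the message being
     * processed, so every branch below acts on data the peer controls.
     *
     * <p>Side effects visible in this method: the token cache may gain an entry for a located
     * SCT; the EncryptedKey branches store a SHA-1 value and the unwrapped secret key as
     * extraneous properties on the context; and, when the context mode equals 3, the last
     * inferred security policy has its key binding filled in to reflect the mechanism that was
     * actually seen.
     *
     * <p>NOTE(review): several casts below trust the peer-supplied ValueType (for example
     * {@code (X509SecurityToken)} and {@code (EncryptedKeyToken)} on the result of
     * {@code resolveToken}). A mismatched token would surface as a ClassCastException rather
     * than as an XWSSecurityException or SOAP fault. Confirm that callers fail closed on
     * unchecked exceptions.
     *
     * @param keyInfoHeaderBlock KeyInfo whose first SecurityTokenReference is resolved
     * @param z selects the key side for certificate-based lookups: {@code true} uses
     *     {@code getPublicKey}, {@code false} uses {@code getPrivateKey}; also forwarded
     *     unchanged to the resolve helpers
     * @param filterProcessingContext processing context supplying the token caches, the
     *     security environment, algorithm settings and the inferred policies
     * @return the resolved key; may be {@code null} when an EncryptedKeySHA1 reference does not
     *     match the value stored on the context (callers must treat {@code null} as a failure)
     * @throws XWSSecurityException if a referenced token cannot be located or is of the wrong
     *     kind, or if a lower-level resolution step fails; unsupported mechanisms instead throw
     *     the fault exception built by {@code SecurableSoapMessage.newSOAPFaultException}
     */
    public static Key processSTR(KeyInfoHeaderBlock keyInfoHeaderBlock, boolean z, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        Key key = null;
        HashMap tokenCache = filterProcessingContext.getTokenCache();
        SecurableSoapMessage securableSoapMessage = filterProcessingContext.getSecurableSoapMessage();
        SecurityTokenReference securityTokenReference = keyInfoHeaderBlock.getSecurityTokenReference(0);
        ReferenceElement reference = securityTokenReference.getReference();
        // NOTE(review): unchecked cast; presumably the inferred policy is always a
        // SignaturePolicy (or null) on this path. Confirm against callers.
        SignaturePolicy signaturePolicy = (SignaturePolicy) filterProcessingContext.getInferredPolicy();
        SignaturePolicy signaturePolicy2 = null;
        // Mode 3 (named constant not visible in this chunk) switches on recording of the
        // observed key binding into the most recently inferred security policy.
        boolean z2 = filterProcessingContext.getMode() == 3;
        if (z2) {
            try {
                signaturePolicy2 = (SignaturePolicy) filterProcessingContext.getInferredSecurityPolicy().get(filterProcessingContext.getInferredSecurityPolicy().size() - 1);
            } catch (Exception e) {
                log.log(Level.SEVERE, "WSS0250.failed.process.STR", (Throwable) e);
                throw new XWSSecurityException(e);
            }
        }
        if (reference instanceof KeyIdentifier) {
            KeyIdentifier keyIdentifier = (KeyIdentifier) reference;
            if (MessageConstants.X509SubjectKeyIdentifier_NS.equals(keyIdentifier.getValueType()) || MessageConstants.X509v3SubjectKeyIdentifier_NS.equals(keyIdentifier.getValueType())) {
                // X509 SubjectKeyIdentifier: the decoded identifier selects the key in the
                // security environment.
                if (signaturePolicy != null) {
                    ((AuthenticationTokenPolicy.X509CertificateBinding) signaturePolicy.newX509CertificateKeyBinding()).setReferenceType("Identifier");
                }
                if (z2) {
                    MLSPolicy keyBinding = signaturePolicy2.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                    x509CertificateBinding.setReferenceType("Identifier");
                    if (keyBinding == null) {
                        signaturePolicy2.setKeyBinding(x509CertificateBinding);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding) && ((DerivedTokenKeyBinding) keyBinding).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding).setOriginalKeyBinding(x509CertificateBinding);
                    }
                }
                key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue())) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()));
            } else if (MessageConstants.ThumbPrintIdentifier_NS.equals(keyIdentifier.getValueType())) {
                // Certificate thumbprint: same lookup, with the thumbprint type passed through.
                if (signaturePolicy != null) {
                    ((AuthenticationTokenPolicy.X509CertificateBinding) signaturePolicy.newX509CertificateKeyBinding()).setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
                }
                if (z2) {
                    MLSPolicy keyBinding2 = signaturePolicy2.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding2 = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding2.setValueType(MessageConstants.ThumbPrintIdentifier_NS);
                    x509CertificateBinding2.setReferenceType("Identifier");
                    if (keyBinding2 == null) {
                        signaturePolicy2.setKeyBinding(x509CertificateBinding2);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding2) && ((DerivedTokenKeyBinding) keyBinding2).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding2).setOriginalKeyBinding(x509CertificateBinding2);
                    }
                }
                key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()), MessageConstants.THUMB_PRINT_TYPE) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()), MessageConstants.THUMB_PRINT_TYPE);
            } else if (MessageConstants.EncryptedKeyIdentifier_NS.equals(keyIdentifier.getValueType())) {
                // EncryptedKeySHA1: the reference must equal the value already stored on the
                // context; the key returned is the secret key stored alongside it.
                if (z2) {
                    MLSPolicy keyBinding3 = signaturePolicy2.getKeyBinding();
                    SymmetricKeyBinding symmetricKeyBinding = new SymmetricKeyBinding();
                    symmetricKeyBinding.setKeyBinding(new AuthenticationTokenPolicy.X509CertificateBinding());
                    if (keyBinding3 == null) {
                        signaturePolicy2.setKeyBinding(symmetricKeyBinding);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding3) && ((DerivedTokenKeyBinding) keyBinding3).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding3).setOriginalKeyBinding(symmetricKeyBinding);
                    }
                }
                String str = (String) filterProcessingContext.getExtraneousProperty(MessageConstants.EK_SHA1_TYPE);
                Key key2 = (Key) filterProcessingContext.getExtraneousProperty("SecretKey");
                String referenceValue = keyIdentifier.getReferenceValue();
                if (str == null || key2 == null) {
                    log.log(Level.SEVERE, "WSS0240.invalid.EncryptedKeySHA1.reference");
                    throw new XWSSecurityException("EncryptedKeySHA1 reference not correct");
                }
                // NOTE(review): on mismatch nothing is logged or thrown; key stays null and
                // null is returned. Callers must reject a null key.
                if (str.equals(referenceValue)) {
                    key = key2;
                }
            } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType()) || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType())) {
                // SAML assertion referenced by its identifier.
                if (signaturePolicy != null) {
                    ((AuthenticationTokenPolicy.SAMLAssertionBinding) signaturePolicy.newSAMLAssertionKeyBinding()).setReferenceType(keyIdentifier.getValueType());
                }
                String decodedReferenceValue = keyIdentifier.getDecodedReferenceValue();
                Element resolveSAMLToken = resolveSAMLToken(securityTokenReference, decodedReferenceValue, filterProcessingContext);
                if (z2) {
                    MLSPolicy keyBinding4 = signaturePolicy2.getKeyBinding();
                    IssuedTokenKeyBinding issuedTokenKeyBinding = new IssuedTokenKeyBinding();
                    if (keyBinding4 == null) {
                        if (filterProcessingContext.hasIssuedToken()) {
                            signaturePolicy2.setKeyBinding(issuedTokenKeyBinding);
                        } else {
                            signaturePolicy2.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
                        }
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding4) && ((DerivedTokenKeyBinding) keyBinding4).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding4).setOriginalKeyBinding(issuedTokenKeyBinding);
                    }
                }
                key = resolveSamlAssertion(securableSoapMessage, resolveSAMLToken, z, filterProcessingContext, decodedReferenceValue);
                if (filterProcessingContext.hasIssuedToken() && key != null) {
                    SecurityUtil.initInferredIssuedTokenContext(filterProcessingContext, securityTokenReference, key);
                }
            } else {
                // Unrecognised (or absent) ValueType is not rejected: a SAML lookup is tried
                // first and an X509 SubjectKeyIdentifier lookup is the fallback.
                Element element = null;
                String decodedReferenceValue2 = keyIdentifier.getDecodedReferenceValue();
                try {
                    element = resolveSAMLToken(securityTokenReference, decodedReferenceValue2, filterProcessingContext);
                } catch (Exception e2) {
                    // Best-effort probe: failure only means the identifier is not a SAML
                    // assertion id. Record it at FINE so the fallback is traceable; the
                    // reference value itself is deliberately not logged.
                    log.log(Level.FINE, "KeyIdentifier did not resolve to a SAML token; falling back to X509 SubjectKeyIdentifier lookup", (Throwable) e2);
                }
                if (element != null) {
                    if (z2) {
                        MLSPolicy keyBinding5 = signaturePolicy2.getKeyBinding();
                        IssuedTokenKeyBinding issuedTokenKeyBinding2 = new IssuedTokenKeyBinding();
                        if (keyBinding5 == null) {
                            if (filterProcessingContext.hasIssuedToken()) {
                                signaturePolicy2.setKeyBinding(issuedTokenKeyBinding2);
                            } else {
                                signaturePolicy2.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
                            }
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding5) && ((DerivedTokenKeyBinding) keyBinding5).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding5).setOriginalKeyBinding(issuedTokenKeyBinding2);
                        }
                    }
                    key = resolveSamlAssertion(securableSoapMessage, element, z, filterProcessingContext, decodedReferenceValue2);
                    if (filterProcessingContext.hasIssuedToken() && key != null) {
                        SecurityUtil.initInferredIssuedTokenContext(filterProcessingContext, securityTokenReference, key);
                    }
                } else {
                    if (z2) {
                        MLSPolicy keyBinding6 = signaturePolicy2.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding3 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding3.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                        x509CertificateBinding3.setReferenceType("Identifier");
                        if (keyBinding6 == null) {
                            signaturePolicy2.setKeyBinding(x509CertificateBinding3);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding6) && ((DerivedTokenKeyBinding) keyBinding6).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding6).setOriginalKeyBinding(x509CertificateBinding3);
                        }
                    }
                    key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue())) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()));
                }
            }
        } else if (reference instanceof DirectReference) {
            String uri = ((DirectReference) reference).getURI();
            String valueType = ((DirectReference) reference).getValueType();
            // A derived-key ValueType is treated like a missing one, so the token kind is
            // decided from the resolved element in the final branch below.
            if ("http://schemas.xmlsoap.org/ws/2005/02/sc/dk".equals(valueType)) {
                valueType = null;
            }
            if (signaturePolicy != null) {
                AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding4 = (AuthenticationTokenPolicy.X509CertificateBinding) signaturePolicy.newX509CertificateKeyBinding();
                x509CertificateBinding4.setReferenceType("Direct");
                x509CertificateBinding4.setValueType(valueType);
            }
            if (MessageConstants.X509v3_NS.equals(valueType) || MessageConstants.X509v1_NS.equals(valueType)) {
                HashMap insertedX509Cache = filterProcessingContext.getInsertedX509Cache();
                String idFromFragmentRef = SecurableSoapMessage.getIdFromFragmentRef(uri);
                X509SecurityToken x509SecurityToken = (X509SecurityToken) insertedX509Cache.get(idFromFragmentRef);
                if (x509SecurityToken == null) {
                    // NOTE(review): cast relies on the declared ValueType matching the element
                    // the URI resolves to.
                    x509SecurityToken = (X509SecurityToken) resolveToken(idFromFragmentRef, filterProcessingContext, securableSoapMessage);
                }
                if (z2) {
                    MLSPolicy keyBinding7 = signaturePolicy2.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding5 = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding5.setReferenceType("Direct");
                    x509CertificateBinding5.setValueType(valueType);
                    if (keyBinding7 == null) {
                        signaturePolicy2.setKeyBinding(x509CertificateBinding5);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding7) && ((DerivedTokenKeyBinding) keyBinding7).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding7).setOriginalKeyBinding(x509CertificateBinding5);
                    }
                }
                key = resolveX509Token(securableSoapMessage, x509SecurityToken, z, filterProcessingContext);
            } else if (MessageConstants.EncryptedKey_NS.equals(valueType)) {
                SecurityToken resolveToken = resolveToken(SecurableSoapMessage.getIdFromFragmentRef(uri), filterProcessingContext, securableSoapMessage);
                // NOTE(review): unchecked cast, same ValueType-trust concern as above.
                KeyInfoHeaderBlock keyInfo = ((EncryptedKeyToken) resolveToken).getKeyInfo();
                // Result unused; the call is kept because it may still fail when the nested
                // KeyInfo carries no SecurityTokenReference (presumably - not visible here).
                keyInfo.getSecurityTokenReference(0);
                // NOTE(review): Triple-DES CBC is the fallback when the context names no
                // algorithm; a deployment that wants a modern cipher must configure one.
                String str2 = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
                if (filterProcessingContext.getAlgorithmSuite() != null) {
                    str2 = filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm();
                } else if (filterProcessingContext.getDataEncryptionAlgorithm() != null) {
                    str2 = filterProcessingContext.getDataEncryptionAlgorithm();
                }
                try {
                    // Stores Base64(SHA-1(decoded CipherValue)) of the EncryptedKey on the
                    // context; it is used here as a lookup identifier for later references.
                    filterProcessingContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, Base64.encode(MessageDigest.getInstance(MessageConstants.SHA_1).digest(Base64.decode(((Element) ((EncryptedKeyToken) resolveToken).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, MessageConstants.XENC_CIPHER_DATA_LNAME, MessageConstants.XENC_PREFIX)).next()).getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent()))));
                    if (z2) {
                        MLSPolicy keyBinding8 = signaturePolicy2.getKeyBinding();
                        SymmetricKeyBinding symmetricKeyBinding2 = new SymmetricKeyBinding();
                        symmetricKeyBinding2.setKeyBinding(new AuthenticationTokenPolicy.X509CertificateBinding());
                        if (keyBinding8 == null) {
                            signaturePolicy2.setKeyBinding(symmetricKeyBinding2);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding8) && ((DerivedTokenKeyBinding) keyBinding8).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding8).setOriginalKeyBinding(symmetricKeyBinding2);
                        }
                    }
                    key = ((EncryptedKeyToken) resolveToken).getSecretKey(getKey(keyInfo, z, filterProcessingContext), str2);
                    filterProcessingContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, key);
                } catch (Exception e3) {
                    log.log(Level.SEVERE, "WSS0241.unableto.set.EKSHA1.OnContext", (Throwable) e3);
                    throw new XWSSecurityException(e3);
                }
            } else if ("http://schemas.xmlsoap.org/ws/2005/02/sc/sct".equals(valueType) || MessageConstants.SCT_13_VALUETYPE.equals(valueType)) {
                // Security context token: cache first, then lookup by SCT id, then by wsu:Id.
                String idFromFragmentRef2 = SecurableSoapMessage.getIdFromFragmentRef(uri);
                SecurityToken securityToken = (SecurityToken) tokenCache.get(idFromFragmentRef2);
                if (securityToken == null) {
                    securityToken = SecurityUtil.locateBySCTId(filterProcessingContext, uri);
                    if (securityToken == null) {
                        securityToken = resolveToken(idFromFragmentRef2, filterProcessingContext, securableSoapMessage);
                    }
                    if (securityToken == null) {
                        log.log(Level.SEVERE, "WSS0242.unableto.locate.SCT");
                        throw new XWSSecurityException("SCT Token with Id " + idFromFragmentRef2 + " not found");
                    }
                    tokenCache.put(idFromFragmentRef2, securityToken);
                }
                if (!(securityToken instanceof SecurityContextToken)) {
                    log.log(Level.SEVERE, "WSS0243.invalid.valueType.NonSCTToken");
                    // Report the ValueType that was actually supplied (either SCT namespace).
                    throw new XWSSecurityException("Incorrect ValueType: " + valueType + ", specified for a Non SCT Token");
                }
                // NOTE(review): the check above is against the SecurityContextToken interface
                // while the cast targets SecurityContextTokenImpl.
                byte[] resolveSCT = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) securityToken, z);
                String secretKeyAlgorithm = filterProcessingContext.getAlgorithmSuite() != null ? SecurityUtil.getSecretKeyAlgorithm(filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm()) : "AES";
                if (z2) {
                    MLSPolicy keyBinding9 = signaturePolicy2.getKeyBinding();
                    SecureConversationTokenKeyBinding secureConversationTokenKeyBinding = new SecureConversationTokenKeyBinding();
                    if (keyBinding9 == null) {
                        signaturePolicy2.setKeyBinding(secureConversationTokenKeyBinding);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding9) && ((DerivedTokenKeyBinding) keyBinding9).getOriginalKeyBinding() == null) {
                        ((DerivedTokenKeyBinding) keyBinding9).setOriginalKeyBinding(secureConversationTokenKeyBinding);
                    }
                }
                key = new SecretKeySpec(resolveSCT, secretKeyAlgorithm);
            } else {
                // Any other non-null ValueType is unsupported and rejected with a fault.
                if (null != valueType) {
                    log.log(Level.SEVERE, "WSS0337.unsupported.directref.mechanism", new Object[]{((DirectReference) reference).getValueType()});
                    XWSSecurityException xWSSecurityException = new XWSSecurityException("unsupported directreference ValueType " + ((DirectReference) reference).getValueType());
                    throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, xWSSecurityException.getMessage(), xWSSecurityException);
                }
                // No ValueType: resolve the URI and dispatch on the runtime type of the token.
                String idFromFragmentRef3 = SecurableSoapMessage.getIdFromFragmentRef(uri);
                SOAPElement locateBySCTId = SecurityUtil.locateBySCTId(filterProcessingContext, idFromFragmentRef3);
                if (locateBySCTId == null) {
                    locateBySCTId = resolveToken(idFromFragmentRef3, filterProcessingContext, securableSoapMessage);
                }
                if (locateBySCTId instanceof X509SecurityToken) {
                    if (z2) {
                        MLSPolicy keyBinding10 = signaturePolicy2.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding6 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding6.setReferenceType("Direct");
                        if (keyBinding10 == null) {
                            signaturePolicy2.setKeyBinding(x509CertificateBinding6);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding10) && ((DerivedTokenKeyBinding) keyBinding10).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding10).setOriginalKeyBinding(x509CertificateBinding6);
                        }
                    }
                    key = resolveX509Token(securableSoapMessage, (X509SecurityToken) locateBySCTId, z, filterProcessingContext);
                } else if (locateBySCTId instanceof EncryptedKeyToken) {
                    KeyInfoHeaderBlock keyInfo2 = ((EncryptedKeyToken) locateBySCTId).getKeyInfo();
                    // Result unused; kept because the call chain may still fail on a nested
                    // KeyInfo without a usable reference (presumably - not visible here).
                    keyInfo2.getSecurityTokenReference(0).getReference();
                    // NOTE(review): same Triple-DES CBC fallback as the EncryptedKey branch
                    // above.
                    String str3 = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
                    if (filterProcessingContext.getAlgorithmSuite() != null) {
                        str3 = filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm();
                    } else if (filterProcessingContext.getDataEncryptionAlgorithm() != null) {
                        str3 = filterProcessingContext.getDataEncryptionAlgorithm();
                    }
                    try {
                        // Stores Base64(SHA-1(decoded CipherValue)) as a lookup identifier.
                        filterProcessingContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, Base64.encode(MessageDigest.getInstance(MessageConstants.SHA_1).digest(Base64.decode(((Element) ((EncryptedKeyToken) locateBySCTId).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, MessageConstants.XENC_CIPHER_DATA_LNAME, MessageConstants.XENC_PREFIX)).next()).getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent()))));
                        if (z2) {
                            MLSPolicy keyBinding11 = signaturePolicy2.getKeyBinding();
                            SymmetricKeyBinding symmetricKeyBinding3 = new SymmetricKeyBinding();
                            symmetricKeyBinding3.setKeyBinding(new AuthenticationTokenPolicy.X509CertificateBinding());
                            if (keyBinding11 == null) {
                                signaturePolicy2.setKeyBinding(symmetricKeyBinding3);
                            } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding11) && ((DerivedTokenKeyBinding) keyBinding11).getOriginalKeyBinding() == null) {
                                ((DerivedTokenKeyBinding) keyBinding11).setOriginalKeyBinding(symmetricKeyBinding3);
                            }
                        }
                        key = ((EncryptedKeyToken) locateBySCTId).getSecretKey(getKey(keyInfo2, z, filterProcessingContext), str3);
                        filterProcessingContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, key);
                    } catch (Exception e4) {
                        log.log(Level.SEVERE, "WSS0241.unableto.set.EKSHA1.OnContext", (Throwable) e4);
                        throw new XWSSecurityException(e4);
                    }
                } else if (locateBySCTId instanceof SecurityContextToken) {
                    // NOTE(review): interface check followed by a cast to the Impl class, as
                    // in the explicit SCT branch above.
                    byte[] resolveSCT2 = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) locateBySCTId, z);
                    String secretKeyAlgorithm2 = filterProcessingContext.getAlgorithmSuite() != null ? SecurityUtil.getSecretKeyAlgorithm(filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm()) : "AES";
                    if (z2) {
                        MLSPolicy keyBinding12 = signaturePolicy2.getKeyBinding();
                        SecureConversationTokenKeyBinding secureConversationTokenKeyBinding2 = new SecureConversationTokenKeyBinding();
                        if (keyBinding12 == null) {
                            signaturePolicy2.setKeyBinding(secureConversationTokenKeyBinding2);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding12) && ((DerivedTokenKeyBinding) keyBinding12).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding12).setOriginalKeyBinding(secureConversationTokenKeyBinding2);
                        }
                    }
                    key = new SecretKeySpec(resolveSCT2, secretKeyAlgorithm2);
                } else {
                    // Only a derived key token is left as an acceptable target; anything
                    // else (including an unresolved URI) is reported as unavailable.
                    if (!(locateBySCTId instanceof DerivedKeyTokenHeaderBlock)) {
                        String str4 = " Cannot Resolve URI " + uri;
                        log.log(Level.SEVERE, "WSS0337.unsupported.directref.mechanism", new Object[]{str4});
                        XWSSecurityException xWSSecurityException2 = new XWSSecurityException(str4);
                        throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE, xWSSecurityException2.getMessage(), xWSSecurityException2);
                    }
                    if (z2) {
                        MLSPolicy keyBinding13 = signaturePolicy2.getKeyBinding();
                        DerivedTokenKeyBinding derivedTokenKeyBinding = new DerivedTokenKeyBinding();
                        // A derived key token may not sit underneath an existing binding.
                        if (keyBinding13 != null) {
                            log.log(Level.SEVERE, "WSS0244.invalid.level.DKT");
                            throw new XWSSecurityException("A derived Key Token should be a top level key binding");
                        }
                        signaturePolicy2.setKeyBinding(derivedTokenKeyBinding);
                    }
                    key = resolveDKT(filterProcessingContext, (DerivedKeyTokenHeaderBlock) locateBySCTId);
                }
            }
        } else {
            // X509IssuerSerial is the only remaining supported mechanism.
            if (!(reference instanceof X509IssuerSerial)) {
                log.log(Level.SEVERE, "WSS0338.unsupported.reference.mechanism");
                XWSSecurityException xWSSecurityException3 = new XWSSecurityException("Key reference mechanism not supported");
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN, xWSSecurityException3.getMessage(), xWSSecurityException3);
            }
            BigInteger serialNumber = ((X509IssuerSerial) reference).getSerialNumber();
            String issuerName = ((X509IssuerSerial) reference).getIssuerName();
            if (z2) {
                MLSPolicy keyBinding14 = signaturePolicy2.getKeyBinding();
                AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding7 = new AuthenticationTokenPolicy.X509CertificateBinding();
                x509CertificateBinding7.setReferenceType("IssuerSerialNumber");
                if (keyBinding14 == null) {
                    signaturePolicy2.setKeyBinding(x509CertificateBinding7);
                } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding14) && ((DerivedTokenKeyBinding) keyBinding14).getOriginalKeyBinding() == null) {
                    ((DerivedTokenKeyBinding) keyBinding14).setOriginalKeyBinding(x509CertificateBinding7);
                }
            }
            key = z ? filterProcessingContext.getSecurityEnvironment().getPublicKey(filterProcessingContext.getExtraneousProperties(), serialNumber, issuerName) : filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), serialNumber, issuerName);
        }
        return key;
    }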
}
