package com.sun.xml.wss.impl.dsig;

import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.client.IssuedTokenManager;
import com.sun.xml.ws.runtime.util.SessionManager;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.SecurityContextToken;
import com.sun.xml.ws.security.impl.DerivedKeyTokenImpl;
import com.sun.xml.ws.security.secconv.impl.client.DefaultSCTokenConfiguration;
import com.sun.xml.ws.security.trust.WSTrustElementFactory;
import com.sun.xml.ws.security.trust.elements.BinarySecret;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.core.DerivedKeyTokenHeaderBlock;
import com.sun.xml.wss.core.EncryptedKeyToken;
import com.sun.xml.wss.core.KeyInfoHeaderBlock;
import com.sun.xml.wss.core.ReferenceElement;
import com.sun.xml.wss.core.SecurityContextTokenImpl;
import com.sun.xml.wss.core.SecurityToken;
import com.sun.xml.wss.core.SecurityTokenReference;
import com.sun.xml.wss.core.X509SecurityToken;
import com.sun.xml.wss.core.reference.DirectReference;
import com.sun.xml.wss.core.reference.KeyIdentifier;
import com.sun.xml.wss.core.reference.X509IssuerSerial;
import com.sun.xml.wss.impl.AlgorithmSuite;
import com.sun.xml.wss.impl.FilterProcessingContext;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.impl.PolicyTypeUtil;
import com.sun.xml.wss.impl.SecurableSoapMessage;
import com.sun.xml.wss.impl.XMLUtil;
import com.sun.xml.wss.impl.misc.Base64;
import com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl;
import com.sun.xml.wss.impl.misc.KeyResolver;
import com.sun.xml.wss.impl.misc.SecurityUtil;
import com.sun.xml.wss.impl.policy.MLSPolicy;
import com.sun.xml.wss.impl.policy.SecurityPolicy;
import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
import com.sun.xml.wss.impl.policy.mls.MessagePolicy;
import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
import com.sun.xml.wss.logging.LogDomainConstants;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.AssertionUtil;
import com.sun.xml.wss.saml.SAMLException;
import com.sun.xml.wss.saml.util.SAMLUtil;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.URIReference;
import javax.xml.crypto.URIReferenceException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyName;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:spg-ui-war-3.0.10.war:WEB-INF/lib/xws-security-3.0.jar:com/sun/xml/wss/impl/dsig/KeySelectorImpl.class */
public class KeySelectorImpl extends KeySelector {
    // Shared instance handed out by getInstance(). It is not assigned anywhere in this excerpt;
    // presumably a static initializer further down the class sets it — TODO confirm, since
    // getInstance() would otherwise return null.
    private static KeySelectorImpl keyResolver;
    // Logger for the signature domain, bound to its message resource bundle; the "WSS13xx..."
    // strings logged below appear to be keys into that bundle rather than literal messages.
    private static Logger logger = Logger.getLogger(LogDomainConstants.IMPL_SIGNATURE_DOMAIN, LogDomainConstants.IMPL_SIGNATURE_DOMAIN_BUNDLE);

    /* loaded from: input_file:spg-ui-war-3.0.10.war:WEB-INF/lib/xws-security-3.0.jar:com/sun/xml/wss/impl/dsig/KeySelectorImpl$SimpleKeySelectorResult.class */
    /**
     * Minimal {@link KeySelectorResult} that simply hands back the key it was built with.
     * The wrapped key may be a public, private or secret key; this class does not inspect it.
     */
    private static class SimpleKeySelectorResult implements KeySelectorResult {
        /** The selected key, fixed at construction time (may be null if the caller passed null). */
        private final Key selected;

        SimpleKeySelectorResult(Key key) {
            selected = key;
        }

        public Key getKey() {
            return selected;
        }
    }

    /**
     * Not instantiable from outside: callers obtain the shared instance through
     * {@link #getInstance()}.
     */
    private KeySelectorImpl() {
    }

    /**
     * Returns the shared {@code KeySelector} used to resolve signing/verification keys.
     * <p>
     * NOTE(review): {@code keyResolver} is never assigned within this excerpt; it is presumably
     * initialised in a static block elsewhere in the class — confirm, otherwise this returns null.
     *
     * @return the singleton selector instance
     */
    public static KeySelector getInstance() {
        return keyResolver;
    }

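    /**
     * Selects the key the XML-DSig engine should use for {@code purpose}.
     * <p>
     * The children of {@code ds:KeyInfo} are examined in document order and the first one that
     * yields a key wins:
     * <ul>
     *   <li>{@code KeyValue} – the embedded public key; when the purpose is {@code VERIFY} the
     *       matching certificate is looked up in the security environment and validated first,
     *       and the key is only accepted if {@link #algEquals} approves it for the signature
     *       method;</li>
     *   <li>a DOM {@code wsse:SecurityTokenReference} – resolved via {@link #resolve};</li>
     *   <li>{@code KeyName} – a secret key, or failing that a certificate, looked up by name in
     *       the security environment;</li>
     *   <li>{@code X509Data} – resolved via {@code resolveX509Data}.</li>
     * </ul>
     * When the effective policy is Basic Security Profile (BSP) compliant, {@code KeyInfo} must
     * have exactly one child (R5402) and that child must be a SecurityTokenReference (R5409);
     * violations are raised through the {@code wsse:InvalidSecurityToken} SOAP fault helper.
     *
     * @param keyInfo          the {@code ds:KeyInfo} being resolved; must not be null
     * @param purpose          what the key is needed for (SIGN or VERIFY)
     * @param algorithmMethod  the signature method; expected to be a {@link SignatureMethod}
     * @param xMLCryptoContext the crypto context; must carry the {@link FilterProcessingContext}
     *                         under {@link MessageConstants#WSS_PROCESSING_CONTEXT}
     * @return a result wrapping the selected key (the key itself may be null if a resolver
     *         returned null)
     * @throws KeySelectorException if {@code keyInfo} is null, no child yields a usable key, or
     *                              any other failure occurs while resolving (other exception
     *                              types are wrapped)
     */
    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod algorithmMethod, XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
        if (keyInfo == null) {
            // isLoggable() rather than getLevel() == SEVERE: getLevel() is null for loggers that
            // inherit their level, so the previous comparison effectively never logged.
            if (logger.isLoggable(Level.SEVERE)) {
                logger.log(Level.SEVERE, "WSS1317.keyinfo.null");
            }
            throw new KeySelectorException("Null KeyInfo object!");
        }
        if (logger.isLoggable(Level.FINEST)) {
            logger.log(Level.FINEST, "KeySelectorResult::select Purpose =  " + purpose);
            if (algorithmMethod != null) {
                logger.log(Level.FINEST, "KeySelectorResult::select Algorithm is " + algorithmMethod.getAlgorithm());
                logger.log(Level.FINEST, "KeySelectorResult::select ParameterSpec is " + algorithmMethod.getParameterSpec());
            }
        }
        try {
            SignatureMethod signatureMethod = (SignatureMethod) algorithmMethod;
            List<?> content = keyInfo.getContent();
            FilterProcessingContext filterProcessingContext = (FilterProcessingContext) xMLCryptoContext.get(MessageConstants.WSS_PROCESSING_CONTEXT);
            SecurityPolicy securityPolicy = filterProcessingContext.getSecurityPolicy();
            // BSP mode comes from whichever policy type is in effect; no policy means no BSP checks.
            boolean isBSP = false;
            if (securityPolicy != null) {
                isBSP = PolicyTypeUtil.messagePolicy(securityPolicy)
                        ? ((MessagePolicy) securityPolicy).isBSP()
                        : ((WSSPolicy) securityPolicy).isBSP();
            }
            if (isBSP && content.size() > 1) {
                logger.log(Level.SEVERE, "WSS1350.illegal.BSP.Violation.KeyInfo");
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "BSP Violation of R5402: KeyInfo MUST have exactly one child", null);
            }
            for (int i = 0; i < content.size(); i++) {
                XMLStructure child = (XMLStructure) content.get(i);
                if (child instanceof KeyValue) {
                    try {
                        PublicKey publicKey = ((KeyValue) child).getPublicKey();
                        if (purpose == KeySelector.Purpose.VERIFY) {
                            // A bare public key carries no trust on its own: map it to a certificate
                            // known to the security environment and validate that certificate first.
                            filterProcessingContext.getSecurityEnvironment().validateCertificate(
                                    filterProcessingContext.getSecurityEnvironment().getCertificate(
                                            filterProcessingContext.getExtraneousProperties(), publicKey, false));
                        }
                        if (algEquals(signatureMethod.getAlgorithm(), publicKey.getAlgorithm())) {
                            return new SimpleKeySelectorResult(publicKey);
                        }
                    } catch (KeyException e) {
                        logger.log(Level.SEVERE, "WSS1351.exception.keyselector.publickey", e);
                        throw new KeySelectorException(e);
                    }
                } else if (child instanceof DOMStructure) {
                    SOAPElement node = (SOAPElement) ((DOMStructure) child).getNode();
                    if (isSecurityTokenReference(node)) {
                        return new SimpleKeySelectorResult(resolve(node, xMLCryptoContext, purpose));
                    }
                } else if (child instanceof KeyName) {
                    String name = ((KeyName) child).getName();
                    SecretKey secretKey = filterProcessingContext.getSecurityEnvironment().getSecretKey(filterProcessingContext.getExtraneousProperties(), name, false);
                    if (secretKey != null) {
                        // Symmetric keys are returned as-is; algEquals() only applies to public keys.
                        return new SimpleKeySelectorResult(secretKey);
                    }
                    X509Certificate certificate = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), name, false);
                    if (certificate != null && algEquals(signatureMethod.getAlgorithm(), certificate.getPublicKey().getAlgorithm())) {
                        filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), certificate);
                        return new SimpleKeySelectorResult(certificate.getPublicKey());
                    }
                } else if (child instanceof X509Data) {
                    return new SimpleKeySelectorResult(resolveX509Data(filterProcessingContext, (X509Data) child, purpose));
                }
            }
            // Reaching this point means no child produced a key. Every SecurityTokenReference child
            // returns from the loop above, so under BSP the (single) child was not an STR (R5409).
            if (isBSP) {
                logger.log(Level.SEVERE, "BSP Violation of R5409: Child element of KeyInfo MUST be a STR element");
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "BSP Violation of R5409: Child element of KeyInfo MUST be a STR element", null);
            }
            logger.log(Level.SEVERE, "WSS1354.null.keyValue");
            throw new KeySelectorException("No KeyValue element found!");
        } catch (KeySelectorException e) {
            // The narrower handler must come first (Java rejects the reverse order), and a
            // KeySelectorException is rethrown unchanged rather than wrapped a second time.
            logger.log(Level.SEVERE, "WSS1352.exception.keyselector", e);
            throw e;
        } catch (Exception e) {
            // Anything else is wrapped so the XML-DSig engine always sees a KeySelectorException;
            // the cause is preserved on the new exception.
            logger.log(Level.SEVERE, "WSS1353.unable.resolve.keyInformation", e.getMessage());
            throw new KeySelectorException(e);
        }
    }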

    /**
     * Tells whether a signature-method URI is compatible with a key's algorithm.
     * <p>
     * Only the two SHA-1 methods are recognised: DSA keys pair with
     * {@code MessageConstants.DSA_SHA1_SIGMETHOD} and RSA keys with
     * {@code MessageConstants.RSA_SHA1_SIGMETHOD}. Any other combination (including the
     * SHA-2 signature methods) yields false, so such keys are never selected from a KeyValue
     * or KeyName.
     *
     * @param str  the signature method URI taken from {@code ds:SignatureMethod}
     * @param str2 the key's algorithm name as reported by {@code Key.getAlgorithm()}
     * @return true if the pair is one of the two supported combinations
     */
    static boolean algEquals(String str, String str2) {
        if (str2.equalsIgnoreCase("DSA")) {
            return str.equalsIgnoreCase(MessageConstants.DSA_SHA1_SIGMETHOD);
        }
        if (str2.equalsIgnoreCase("RSA")) {
            return str.equalsIgnoreCase(MessageConstants.RSA_SHA1_SIGMETHOD);
        }
        return false;
    }

    private static Key resolve(SOAPElement sOAPElement, XMLCryptoContext xMLCryptoContext, KeySelector.Purpose purpose) throws KeySelectorException {
        try {
            FilterProcessingContext filterProcessingContext = (FilterProcessingContext) xMLCryptoContext.get(MessageConstants.WSS_PROCESSING_CONTEXT);
            SecurableSoapMessage securableSoapMessage = filterProcessingContext.getSecurableSoapMessage();
            AlgorithmSuite algorithmSuite = filterProcessingContext.getAlgorithmSuite();
            String str = null;
            boolean z = filterProcessingContext.getMode() == 3;
            if (algorithmSuite != null) {
                str = algorithmSuite.getEncryptionAlgorithm();
            }
            SecurityPolicy securityPolicy = filterProcessingContext.getSecurityPolicy();
            boolean z2 = false;
            if (securityPolicy != null) {
                z2 = PolicyTypeUtil.messagePolicy(securityPolicy) ? ((MessagePolicy) securityPolicy).isBSP() : ((WSSPolicy) securityPolicy).isBSP();
            }
            SecurityTokenReference securityTokenReference = new SecurityTokenReference(sOAPElement, z2);
            ReferenceElement reference = securityTokenReference.getReference();
            HashMap tokenCache = filterProcessingContext.getTokenCache();
            HashMap insertedX509Cache = filterProcessingContext.getInsertedX509Cache();
            SignaturePolicy signaturePolicy = (SignaturePolicy) filterProcessingContext.getInferredPolicy();
            SignaturePolicy signaturePolicy2 = null;
            if (z) {
                int size = filterProcessingContext.getInferredSecurityPolicy().size() - 1;
                if (PolicyTypeUtil.signaturePolicy(filterProcessingContext.getInferredSecurityPolicy().get(size))) {
                    signaturePolicy2 = (SignaturePolicy) filterProcessingContext.getInferredSecurityPolicy().get(size);
                }
            }
            AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding = null;
            if (signaturePolicy != null) {
                x509CertificateBinding = (AuthenticationTokenPolicy.X509CertificateBinding) signaturePolicy.newX509CertificateKeyBinding();
            }
            Key key = null;
            boolean z3 = false;
            if (reference instanceof KeyIdentifier) {
                KeyIdentifier keyIdentifier = (KeyIdentifier) reference;
                if (x509CertificateBinding != null) {
                    x509CertificateBinding.setReferenceType("Identifier");
                    x509CertificateBinding.setValueType(keyIdentifier.getValueType());
                }
                if (MessageConstants.X509SubjectKeyIdentifier_NS.equals(keyIdentifier.getValueType()) || MessageConstants.X509v3SubjectKeyIdentifier_NS.equals(keyIdentifier.getValueType())) {
                    if (z && signaturePolicy2 != null) {
                        MLSPolicy keyBinding = signaturePolicy2.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding2 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding2.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                        x509CertificateBinding2.setReferenceType("Identifier");
                        if (keyBinding == null) {
                            signaturePolicy2.setKeyBinding(x509CertificateBinding2);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding)) {
                            ((SymmetricKeyBinding) keyBinding).setKeyBinding(x509CertificateBinding2);
                            z3 = true;
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding)) {
                            DerivedTokenKeyBinding derivedTokenKeyBinding = (DerivedTokenKeyBinding) keyBinding;
                            if (derivedTokenKeyBinding.getOriginalKeyBinding() == null) {
                                ((DerivedTokenKeyBinding) keyBinding).setOriginalKeyBinding(x509CertificateBinding2);
                            } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding.getOriginalKeyBinding())) {
                                derivedTokenKeyBinding.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding2);
                                z3 = true;
                            }
                        }
                    }
                    if (purpose == KeySelector.Purpose.VERIFY) {
                        byte[] decodedBase64EncodedData = XMLUtil.getDecodedBase64EncodedData(keyIdentifier.getReferenceValue());
                        filterProcessingContext.setExtraneousProperty(MessageConstants.REQUESTER_KEYID, new String(decodedBase64EncodedData));
                        X509Certificate certificate = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), decodedBase64EncodedData);
                        if (!z3) {
                            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), certificate);
                        }
                        key = certificate.getPublicKey();
                    } else if (purpose == KeySelector.Purpose.SIGN) {
                        key = filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), XMLUtil.getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()));
                    }
                } else if (MessageConstants.ThumbPrintIdentifier_NS.equals(keyIdentifier.getValueType())) {
                    if (z && signaturePolicy2 != null) {
                        MLSPolicy keyBinding2 = signaturePolicy2.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding3 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding3.setValueType(MessageConstants.ThumbPrintIdentifier_NS);
                        x509CertificateBinding3.setReferenceType("Identifier");
                        if (keyBinding2 == null) {
                            signaturePolicy2.setKeyBinding(x509CertificateBinding3);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding2)) {
                            ((SymmetricKeyBinding) keyBinding2).setKeyBinding(x509CertificateBinding3);
                            z3 = true;
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding2)) {
                            DerivedTokenKeyBinding derivedTokenKeyBinding2 = (DerivedTokenKeyBinding) keyBinding2;
                            if (derivedTokenKeyBinding2.getOriginalKeyBinding() == null) {
                                ((DerivedTokenKeyBinding) keyBinding2).setOriginalKeyBinding(x509CertificateBinding3);
                            } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding2.getOriginalKeyBinding())) {
                                derivedTokenKeyBinding2.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding3);
                                z3 = true;
                            }
                        }
                    }
                    if (purpose == KeySelector.Purpose.VERIFY) {
                        byte[] decodedBase64EncodedData2 = XMLUtil.getDecodedBase64EncodedData(keyIdentifier.getReferenceValue());
                        filterProcessingContext.setExtraneousProperty(MessageConstants.REQUESTER_KEYID, new String(decodedBase64EncodedData2));
                        X509Certificate certificate2 = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), decodedBase64EncodedData2, MessageConstants.THUMB_PRINT_TYPE);
                        if (!z3) {
                            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), certificate2);
                        }
                        key = certificate2.getPublicKey();
                    } else if (purpose == KeySelector.Purpose.SIGN) {
                        key = filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), XMLUtil.getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()), MessageConstants.THUMB_PRINT_TYPE);
                    }
                } else if (MessageConstants.EncryptedKeyIdentifier_NS.equals(keyIdentifier.getValueType())) {
                    if (z && signaturePolicy2 != null) {
                        MLSPolicy keyBinding3 = signaturePolicy2.getKeyBinding();
                        WSSPolicy symmetricKeyBinding = new SymmetricKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding4 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding4.setReferenceType("Identifier");
                        symmetricKeyBinding.setKeyBinding(x509CertificateBinding4);
                        if (keyBinding3 == null) {
                            signaturePolicy2.setKeyBinding(symmetricKeyBinding);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding3) && ((DerivedTokenKeyBinding) keyBinding3).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding3).setOriginalKeyBinding(symmetricKeyBinding);
                        }
                    }
                    String str2 = (String) filterProcessingContext.getExtraneousProperty(MessageConstants.EK_SHA1_TYPE);
                    Key key2 = (Key) filterProcessingContext.getExtraneousProperty("SecretKey");
                    String referenceValue = keyIdentifier.getReferenceValue();
                    if (str2 == null || key2 == null) {
                        logger.log(Level.SEVERE, "WSS1306:unsupported.KeyIdentifier.Reference.Type.encountered", new Object[]{"EncryptedKeySHA1 reference not correct"});
                        throw new KeySelectorException("EncryptedKeySHA1 reference not correct");
                    }
                    if (str2.equals(referenceValue)) {
                        key = key2;
                    }
                } else if (MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType()) || MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE.equals(keyIdentifier.getValueType())) {
                    String referenceValue2 = keyIdentifier.getReferenceValue();
                    Element issuedSAMLToken = filterProcessingContext.getIssuedSAMLToken();
                    if (issuedSAMLToken == null) {
                        Assertion assertion = (Assertion) tokenCache.get(referenceValue2);
                        if (assertion != null) {
                            try {
                                issuedSAMLToken = assertion.toElement(null);
                            } catch (Exception e) {
                                logger.log(Level.SEVERE, "WSS1355.unableto.resolve.SAMLAssertion", e.getMessage());
                                throw new KeySelectorException(e);
                            }
                        } else if (securityTokenReference.getSamlAuthorityBinding() != null) {
                            issuedSAMLToken = filterProcessingContext.getSecurityEnvironment().locateSAMLAssertion(filterProcessingContext.getExtraneousProperties(), securityTokenReference.getSamlAuthorityBinding(), referenceValue2, securableSoapMessage.getSOAPPart());
                        } else {
                            issuedSAMLToken = SAMLUtil.locateSamlAssertion(referenceValue2, securableSoapMessage.getSOAPPart());
                            if (!"true".equals((String) filterProcessingContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED)) || "false".equals((String) filterProcessingContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED))) {
                                filterProcessingContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED, "false");
                            }
                        }
                    }
                    if (z && signaturePolicy2 != null) {
                        MLSPolicy keyBinding4 = signaturePolicy2.getKeyBinding();
                        IssuedTokenKeyBinding issuedTokenKeyBinding = new IssuedTokenKeyBinding();
                        if (keyBinding4 == null) {
                            if (filterProcessingContext.hasIssuedToken()) {
                                signaturePolicy2.setKeyBinding(issuedTokenKeyBinding);
                            } else {
                                signaturePolicy2.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
                            }
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding4) && ((DerivedTokenKeyBinding) keyBinding4).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding4).setOriginalKeyBinding(issuedTokenKeyBinding);
                        }
                    }
                    key = resolveSamlAssertion(xMLCryptoContext, issuedSAMLToken, purpose, referenceValue2);
                    addAuthorityId(issuedSAMLToken, filterProcessingContext);
                    if (filterProcessingContext.hasIssuedToken() && key != null) {
                        SecurityUtil.initInferredIssuedTokenContext(filterProcessingContext, securityTokenReference, key);
                    }
                } else {
                    String decodedReferenceValue = keyIdentifier.getDecodedReferenceValue();
                    Element element = null;
                    try {
                        element = resolveSAMLToken(securityTokenReference, decodedReferenceValue, filterProcessingContext);
                    } catch (Exception e2) {
                        if (logger.isLoggable(Level.FINEST)) {
                            logger.log(Level.FINEST, "Error occurred while trying to resolve SAML assertion" + e2.getMessage());
                        }
                    }
                    if (element != null) {
                        if (z && signaturePolicy2 != null) {
                            MLSPolicy keyBinding5 = signaturePolicy2.getKeyBinding();
                            IssuedTokenKeyBinding issuedTokenKeyBinding2 = new IssuedTokenKeyBinding();
                            if (keyBinding5 == null) {
                                if (filterProcessingContext.hasIssuedToken()) {
                                    signaturePolicy2.setKeyBinding(issuedTokenKeyBinding2);
                                } else {
                                    signaturePolicy2.setKeyBinding(new AuthenticationTokenPolicy.SAMLAssertionBinding());
                                }
                            } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding5) && ((DerivedTokenKeyBinding) keyBinding5).getOriginalKeyBinding() == null) {
                                ((DerivedTokenKeyBinding) keyBinding5).setOriginalKeyBinding(issuedTokenKeyBinding2);
                            }
                        }
                        key = resolveSamlAssertion(xMLCryptoContext, element, purpose, decodedReferenceValue);
                        addAuthorityId(element, filterProcessingContext);
                        if (filterProcessingContext.hasIssuedToken() && key != null) {
                            SecurityUtil.initInferredIssuedTokenContext(filterProcessingContext, securityTokenReference, key);
                        }
                    } else {
                        if (z && signaturePolicy2 != null) {
                            MLSPolicy keyBinding6 = signaturePolicy2.getKeyBinding();
                            AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding5 = new AuthenticationTokenPolicy.X509CertificateBinding();
                            x509CertificateBinding5.setValueType(MessageConstants.X509SubjectKeyIdentifier_NS);
                            x509CertificateBinding5.setReferenceType("Identifier");
                            if (keyBinding6 == null) {
                                signaturePolicy2.setKeyBinding(x509CertificateBinding5);
                            } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding6)) {
                                ((SymmetricKeyBinding) keyBinding6).setKeyBinding(x509CertificateBinding5);
                            } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding6)) {
                                DerivedTokenKeyBinding derivedTokenKeyBinding3 = (DerivedTokenKeyBinding) keyBinding6;
                                if (derivedTokenKeyBinding3.getOriginalKeyBinding() == null) {
                                    ((DerivedTokenKeyBinding) keyBinding6).setOriginalKeyBinding(x509CertificateBinding5);
                                } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding3.getOriginalKeyBinding())) {
                                    derivedTokenKeyBinding3.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding5);
                                }
                            }
                        }
                        if (purpose == KeySelector.Purpose.VERIFY) {
                            filterProcessingContext.setExtraneousProperty(MessageConstants.REQUESTER_KEYID, new String(XMLUtil.getDecodedBase64EncodedData(keyIdentifier.getReferenceValue())));
                            X509Certificate certificate3 = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), XMLUtil.getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()));
                            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), certificate3);
                            key = certificate3.getPublicKey();
                        } else if (purpose == KeySelector.Purpose.SIGN) {
                            key = filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), XMLUtil.getDecodedBase64EncodedData(keyIdentifier.getReferenceValue()));
                        }
                    }
                }
            } else if (reference instanceof DirectReference) {
                if (x509CertificateBinding != null) {
                    x509CertificateBinding.setReferenceType("Direct");
                }
                String uri = ((DirectReference) reference).getURI();
                if (z2 && !uri.startsWith("#")) {
                    logger.log(Level.SEVERE, "WSS1356.Violation.BSP.R5204");
                    throw new XWSSecurityException("Violation of BSP R5204 : When a SECURITY_TOKEN_REFERENCE uses a Direct Reference to an INTERNAL_SECURITY_TOKEN, it MUST use a Shorthand XPointer Reference");
                }
                String valueType = ((DirectReference) reference).getValueType();
                if ("http://schemas.xmlsoap.org/ws/2005/02/sc/dk".equals(valueType)) {
                    valueType = null;
                }
                if (MessageConstants.X509v3_NS.equals(valueType) || MessageConstants.X509v1_NS.equals(valueType)) {
                    if (x509CertificateBinding != null) {
                        x509CertificateBinding.setValueType(valueType);
                    }
                    String idFromFragmentRef = SecurableSoapMessage.getIdFromFragmentRef(uri);
                    X509SecurityToken x509SecurityToken = (X509SecurityToken) insertedX509Cache.get(idFromFragmentRef);
                    if (x509SecurityToken == null) {
                        x509SecurityToken = (X509SecurityToken) resolveToken(idFromFragmentRef, xMLCryptoContext);
                        if (x509SecurityToken == null) {
                            logger.log(Level.SEVERE, "WSS1357.unableto.locate.Token");
                            throw new KeySelectorException("Token with Id " + idFromFragmentRef + "not found");
                        }
                        tokenCache.put(idFromFragmentRef, x509SecurityToken);
                    }
                    if (z && signaturePolicy2 != null) {
                        MLSPolicy keyBinding7 = signaturePolicy2.getKeyBinding();
                        AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding6 = new AuthenticationTokenPolicy.X509CertificateBinding();
                        x509CertificateBinding6.setReferenceType("Direct");
                        x509CertificateBinding6.setValueType(valueType);
                        if (keyBinding7 == null) {
                            signaturePolicy2.setKeyBinding(x509CertificateBinding6);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding7)) {
                            ((SymmetricKeyBinding) keyBinding7).setKeyBinding(x509CertificateBinding6);
                            z3 = true;
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding7)) {
                            DerivedTokenKeyBinding derivedTokenKeyBinding4 = (DerivedTokenKeyBinding) keyBinding7;
                            if (derivedTokenKeyBinding4.getOriginalKeyBinding() == null) {
                                derivedTokenKeyBinding4.setOriginalKeyBinding(x509CertificateBinding6);
                            } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding4.getOriginalKeyBinding())) {
                                derivedTokenKeyBinding4.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding6);
                                z3 = true;
                            }
                        }
                    }
                    key = resolveX509Token(filterProcessingContext, x509SecurityToken, purpose, z3);
                } else if (MessageConstants.EncryptedKey_NS.equals(valueType)) {
                    String idFromFragmentRef2 = SecurableSoapMessage.getIdFromFragmentRef(uri);
                    SecurityToken securityToken = (SecurityToken) tokenCache.get(idFromFragmentRef2);
                    if (securityToken == null) {
                        securityToken = resolveToken(idFromFragmentRef2, xMLCryptoContext);
                        if (securityToken == null) {
                            logger.log(Level.SEVERE, "WSS1357.unableto.locate.Token");
                            throw new KeySelectorException("Token with Id " + idFromFragmentRef2 + "not found");
                        }
                        tokenCache.put(idFromFragmentRef2, securityToken);
                    }
                    SecurityTokenReference securityTokenReference2 = ((EncryptedKeyToken) securityToken).getKeyInfo().getSecurityTokenReference(0);
                    SOAPElement asSoapElement = securityTokenReference2.getAsSoapElement();
                    securityTokenReference2.getReference();
                    if (z && signaturePolicy2 != null) {
                        MLSPolicy keyBinding8 = signaturePolicy2.getKeyBinding();
                        SymmetricKeyBinding symmetricKeyBinding2 = new SymmetricKeyBinding();
                        symmetricKeyBinding2.setKeyBinding(new AuthenticationTokenPolicy.X509CertificateBinding());
                        if (keyBinding8 == null) {
                            signaturePolicy2.setKeyBinding(symmetricKeyBinding2);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding8) && ((DerivedTokenKeyBinding) keyBinding8).getOriginalKeyBinding() == null) {
                            ((DerivedTokenKeyBinding) keyBinding8).setOriginalKeyBinding(symmetricKeyBinding2);
                        }
                    }
                    Key resolve = resolve(asSoapElement, xMLCryptoContext, KeySelector.Purpose.SIGN);
                    filterProcessingContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, Base64.encode(MessageDigest.getInstance(MessageConstants.SHA_1).digest(Base64.decode(((Element) ((EncryptedKeyToken) securityToken).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, MessageConstants.XENC_CIPHER_DATA_LNAME, MessageConstants.XENC_PREFIX)).next()).getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent()))));
                    key = ((EncryptedKeyToken) securityToken).getSecretKey(resolve, str);
                    filterProcessingContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, key);
                } else if ("http://schemas.xmlsoap.org/ws/2005/02/sc/sct".equals(valueType) || MessageConstants.SCT_13_VALUETYPE.equals(valueType)) {
                    String idFromFragmentRef3 = SecurableSoapMessage.getIdFromFragmentRef(uri);
                    SecurityToken securityToken2 = (SecurityToken) tokenCache.get(idFromFragmentRef3);
                    if (securityToken2 == null) {
                        securityToken2 = SecurityUtil.locateBySCTId(filterProcessingContext, uri);
                        if (securityToken2 == null) {
                            securityToken2 = resolveToken(idFromFragmentRef3, xMLCryptoContext);
                        }
                        if (securityToken2 == null) {
                            logger.log(Level.SEVERE, "WSS1358.unableto.locate.SCTToken");
                            throw new KeySelectorException("SCT Token with Id " + idFromFragmentRef3 + "not found");
                        }
                        tokenCache.put(idFromFragmentRef3, securityToken2);
                    }
                    if (!(securityToken2 instanceof SecurityContextToken)) {
                        logger.log(Level.SEVERE, "WSS1359.invalid.valuetype.nonSCTtoken");
                        throw new KeySelectorException("Incorrect ValueType: http://schemas.xmlsoap.org/ws/2005/02/sc/sct, specified for a Non SCT Token");
                    }
                    if (z && signaturePolicy2 != null) {
                        MLSPolicy keyBinding9 = signaturePolicy2.getKeyBinding();
                        SecureConversationTokenKeyBinding secureConversationTokenKeyBinding = new SecureConversationTokenKeyBinding();
                        if (keyBinding9 == null) {
                            signaturePolicy2.setKeyBinding(secureConversationTokenKeyBinding);
                        } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding9)) {
                            ((DerivedTokenKeyBinding) keyBinding9).setOriginalKeyBinding(secureConversationTokenKeyBinding);
                        }
                    }
                    key = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) securityToken2, purpose);
                } else {
                    if (null != valueType) {
                        logger.log(Level.SEVERE, "WSS1307.unsupported.directref.mechanism", new Object[]{((DirectReference) reference).getValueType()});
                        throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "unsupported directreference ValueType " + ((DirectReference) reference).getValueType(), null);
                    }
                    String idFromFragmentRef4 = SecurableSoapMessage.getIdFromFragmentRef(uri);
                    SecurityToken securityToken3 = (SecurityToken) tokenCache.get(idFromFragmentRef4);
                    if (securityToken3 == null) {
                        securityToken3 = resolveToken(idFromFragmentRef4, xMLCryptoContext);
                        if (securityToken3 == null) {
                            securityToken3 = SecurityUtil.locateBySCTId(filterProcessingContext, uri);
                        }
                        if (securityToken3 == null) {
                            logger.log(Level.SEVERE, "WSS1357.unableto.locate.Token");
                            throw new KeySelectorException("Token with Id " + idFromFragmentRef4 + "not found");
                        }
                        tokenCache.put(idFromFragmentRef4, securityToken3);
                    }
                    if (securityToken3 instanceof X509SecurityToken) {
                        if (z && signaturePolicy2 != null) {
                            MLSPolicy keyBinding10 = signaturePolicy2.getKeyBinding();
                            AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding7 = new AuthenticationTokenPolicy.X509CertificateBinding();
                            x509CertificateBinding7.setReferenceType("Direct");
                            if (keyBinding10 == null) {
                                signaturePolicy2.setKeyBinding(x509CertificateBinding7);
                            } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding10)) {
                                ((SymmetricKeyBinding) keyBinding10).setKeyBinding(x509CertificateBinding7);
                                z3 = true;
                            } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding10)) {
                                DerivedTokenKeyBinding derivedTokenKeyBinding5 = (DerivedTokenKeyBinding) keyBinding10;
                                if (derivedTokenKeyBinding5.getOriginalKeyBinding() == null) {
                                    derivedTokenKeyBinding5.setOriginalKeyBinding(x509CertificateBinding7);
                                } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding5.getOriginalKeyBinding())) {
                                    derivedTokenKeyBinding5.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding7);
                                    z3 = true;
                                }
                            }
                        }
                        key = resolveX509Token(filterProcessingContext, (X509SecurityToken) securityToken3, purpose, z3);
                    } else if (securityToken3 instanceof EncryptedKeyToken) {
                        if (z && signaturePolicy2 != null) {
                            MLSPolicy keyBinding11 = signaturePolicy2.getKeyBinding();
                            SymmetricKeyBinding symmetricKeyBinding3 = new SymmetricKeyBinding();
                            symmetricKeyBinding3.setKeyBinding(new AuthenticationTokenPolicy.X509CertificateBinding());
                            if (keyBinding11 == null) {
                                signaturePolicy2.setKeyBinding(symmetricKeyBinding3);
                            } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding11) && ((DerivedTokenKeyBinding) keyBinding11).getOriginalKeyBinding() == null) {
                                ((DerivedTokenKeyBinding) keyBinding11).setOriginalKeyBinding(symmetricKeyBinding3);
                            }
                        }
                        SecurityTokenReference securityTokenReference3 = ((EncryptedKeyToken) securityToken3).getKeyInfo().getSecurityTokenReference(0);
                        SOAPElement asSoapElement2 = securityTokenReference3.getAsSoapElement();
                        securityTokenReference3.getReference();
                        Key resolve2 = resolve(asSoapElement2, xMLCryptoContext, KeySelector.Purpose.SIGN);
                        filterProcessingContext.setExtraneousProperty(MessageConstants.EK_SHA1_VALUE, Base64.encode(MessageDigest.getInstance(MessageConstants.SHA_1).digest(Base64.decode(((Element) ((EncryptedKeyToken) securityToken3).getAsSoapElement().getChildElements(new QName(MessageConstants.XENC_NS, MessageConstants.XENC_CIPHER_DATA_LNAME, MessageConstants.XENC_PREFIX)).next()).getElementsByTagNameNS(MessageConstants.XENC_NS, "CipherValue").item(0).getTextContent()))));
                        key = ((EncryptedKeyToken) securityToken3).getSecretKey(resolve2, str);
                        filterProcessingContext.setExtraneousProperty(MessageConstants.SECRET_KEY_VALUE, key);
                    } else if (securityToken3 instanceof SecurityContextToken) {
                        if (z && signaturePolicy2 != null) {
                            MLSPolicy keyBinding12 = signaturePolicy2.getKeyBinding();
                            SecureConversationTokenKeyBinding secureConversationTokenKeyBinding2 = new SecureConversationTokenKeyBinding();
                            if (keyBinding12 == null) {
                                signaturePolicy2.setKeyBinding(secureConversationTokenKeyBinding2);
                            } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding12)) {
                                ((DerivedTokenKeyBinding) keyBinding12).setOriginalKeyBinding(secureConversationTokenKeyBinding2);
                            }
                        }
                        key = resolveSCT(filterProcessingContext, (SecurityContextTokenImpl) securityToken3, purpose);
                    } else {
                        if (!(securityToken3 instanceof DerivedKeyTokenHeaderBlock)) {
                            String str3 = " Cannot Resolve URI " + uri;
                            logger.log(Level.SEVERE, "WSS1307.unsupported.directref.mechanism", new Object[]{str3});
                            KeySelectorException keySelectorException = new KeySelectorException(str3);
                            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE, keySelectorException.getMessage(), keySelectorException);
                        }
                        if (z && signaturePolicy2 != null) {
                            MLSPolicy keyBinding13 = signaturePolicy2.getKeyBinding();
                            DerivedTokenKeyBinding derivedTokenKeyBinding6 = new DerivedTokenKeyBinding();
                            if (keyBinding13 == null) {
                                signaturePolicy2.setKeyBinding(derivedTokenKeyBinding6);
                            } else if (!PolicyTypeUtil.derivedTokenKeyBinding(keyBinding13)) {
                                logger.log(Level.SEVERE, "WSS1360.invalid.DerivedKeyToken");
                                throw new XWSSecurityException("A derived Key Token should be a top level key binding");
                            }
                        }
                        key = resolveDKT(xMLCryptoContext, (DerivedKeyTokenHeaderBlock) securityToken3);
                    }
                }
            } else {
                if (!(reference instanceof X509IssuerSerial)) {
                    logger.log(Level.SEVERE, "WSS1308.unsupported.reference.mechanism");
                    KeySelectorException keySelectorException2 = new KeySelectorException("Key reference mechanism not supported");
                    throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN, keySelectorException2.getMessage(), keySelectorException2);
                }
                if (x509CertificateBinding != null) {
                    x509CertificateBinding.setReferenceType("IssuerSerialNumber");
                }
                X509IssuerSerial x509IssuerSerial = (X509IssuerSerial) reference;
                BigInteger serialNumber = x509IssuerSerial.getSerialNumber();
                String issuerName = x509IssuerSerial.getIssuerName();
                if (z && signaturePolicy2 != null) {
                    MLSPolicy keyBinding14 = signaturePolicy2.getKeyBinding();
                    AuthenticationTokenPolicy.X509CertificateBinding x509CertificateBinding8 = new AuthenticationTokenPolicy.X509CertificateBinding();
                    x509CertificateBinding8.setReferenceType("IssuerSerialNumber");
                    if (keyBinding14 == null) {
                        signaturePolicy2.setKeyBinding(x509CertificateBinding8);
                    } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding14)) {
                        ((SymmetricKeyBinding) keyBinding14).setKeyBinding(x509CertificateBinding8);
                    } else if (PolicyTypeUtil.derivedTokenKeyBinding(keyBinding14)) {
                        DerivedTokenKeyBinding derivedTokenKeyBinding7 = (DerivedTokenKeyBinding) keyBinding14;
                        if (derivedTokenKeyBinding7.getOriginalKeyBinding() == null) {
                            derivedTokenKeyBinding7.setOriginalKeyBinding(x509CertificateBinding8);
                        } else if (PolicyTypeUtil.symmetricKeyBinding(derivedTokenKeyBinding7.getOriginalKeyBinding())) {
                            derivedTokenKeyBinding7.getOriginalKeyBinding().setKeyBinding(x509CertificateBinding8);
                        }
                    }
                }
                if (purpose == KeySelector.Purpose.VERIFY) {
                    filterProcessingContext.setExtraneousProperty(MessageConstants.REQUESTER_SERIAL, serialNumber);
                    filterProcessingContext.setExtraneousProperty(MessageConstants.REQUESTER_ISSUERNAME, issuerName);
                    X509Certificate certificate4 = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), serialNumber, issuerName);
                    filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), certificate4);
                    key = certificate4.getPublicKey();
                } else if (purpose == KeySelector.Purpose.SIGN) {
                    key = filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), serialNumber, issuerName);
                }
            }
            return key;
        } catch (MarshalException e3) {
            logger.log(Level.SEVERE, "WSS1353.unable.resolve.keyInformation", e3);
            throw new KeySelectorException(e3);
        } catch (XWSSecurityException e4) {
            logger.log(Level.SEVERE, "WSS1353.unable.resolve.keyInformation", (Throwable) e4);
            throw new KeySelectorException(e4);
        } catch (Exception e5) {
            logger.log(Level.SEVERE, "WSS1353.unable.resolve.keyInformation", (Throwable) e5);
            throw new KeySelectorException(e5);
        }
    }

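    /**
     * Resolves the key a SAML assertion vouches for, i.e. the one named in its
     * SubjectConfirmation KeyInfo.
     * <p>
     * Results are memoised per {@code str} in the context's SAML-id/key cache. Before the
     * KeyInfo is read, the assertion's own enveloped signature is verified when the purpose
     * is {@link KeySelector.Purpose#VERIFY} or when the {@code SAML_SIG_RESOLVED} extraneous
     * property is the string {@code "false"}; in every other case this method does not
     * re-verify the assertion and relies on that having happened elsewhere. After a
     * successful resolution the assertion is published under
     * {@code INCOMING_SAML_ASSERTION} and, best effort, attached to the other party's
     * subject.
     *
     * @param xMLCryptoContext crypto context; must carry the {@code WSS_PROCESSING_CONTEXT}
     * @param element the assertion element, or {@code null} if it could not be located
     * @param purpose the key-selection purpose
     * @param str cache key for this assertion (presumably its assertion id - confirm against callers)
     * @return the resolved key; {@code null} is possible (and is cached) when the KeyInfo has no content
     * @throws XWSSecurityException if the assertion is missing, names a KeyName, or a BinarySecret cannot be created
     * @throws KeySelectorException for unsupported KeyInfo content
     * @throws MarshalException if the KeyInfo cannot be unmarshalled
     */
    private static Key resolveSamlAssertion(XMLCryptoContext xMLCryptoContext, Element element, KeySelector.Purpose purpose, String str) throws MarshalException, KeySelectorException, XWSSecurityException {
        FilterProcessingContext filterProcessingContext = (FilterProcessingContext) xMLCryptoContext.get(MessageConstants.WSS_PROCESSING_CONTEXT);
        String samlSigResolved = (String) filterProcessingContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED);
        // A key already resolved for this assertion id is reused as-is (no re-verification).
        Key key = (Key) filterProcessingContext.getSamlIdVSKeyCache().get(str);
        if (key != null) {
            return key;
        }
        if (element == null) {
            logger.log(Level.SEVERE, "WSS1355.unableto.resolve.SAMLAssertion");
            throw new XWSSecurityException("Cannot Resolve SAML Assertion");
        }
        if (purpose == KeySelector.Purpose.VERIFY || "false".equals(samlSigResolved)) {
            verifySamlAssertionSignature(element, filterProcessingContext);
        }
        if ("false".equals(samlSigResolved)) {
            filterProcessingContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED, "true");
        }
        // Only the first KeyInfo child is interpreted; any further children are ignored.
        Iterator<?> keyInfoContent = KeyInfoFactory.getInstance().unmarshalKeyInfo(new DOMStructure(AssertionUtil.getSubjectConfirmationKeyInfo(element))).getContent().iterator();
        if (keyInfoContent.hasNext()) {
            key = resolveSubjectConfirmationContent(keyInfoContent.next(), xMLCryptoContext, filterProcessingContext, purpose);
        }
        // NOTE(review): a null key (empty KeyInfo) is cached and returned too - confirm callers cope.
        filterProcessingContext.getSamlIdVSKeyCache().put(str, key);
        filterProcessingContext.setExtraneousProperty(MessageConstants.INCOMING_SAML_ASSERTION, element);
        try {
            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), AssertionUtil.fromElement(element));
        } catch (SAMLException e) {
            // Best effort: the key is already resolved; only the subject enrichment failed.
            // Logged rather than dropped so a downstream authorisation gap is diagnosable.
            logger.log(Level.WARNING, "Unable to attach the SAML assertion to the other party's subject", e);
        }
        return key;
    }

    /**
     * Verifies the enveloped signature of a SAML assertion, raising a SOAP fault if the
     * assertion is unsigned or its signature does not verify.
     *
     * @param element the assertion element (non-null)
     * @param filterProcessingContext processing context handed to the signature processor
     * @throws XWSSecurityException never thrown directly; declared for the helpers' sake
     */
    private static void verifySamlAssertionSignature(Element element, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        NodeList signatures = element.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        // Use the first ds:Signature that is not nested under saml:Advice: Advice can embed
        // other, separately signed assertions whose signatures say nothing about this one.
        // NOTE(review): nothing here ties the chosen signature to the assertion root (e.g.
        // parent == element); presumably verifySignature checks what the references cover - confirm.
        Element assertionSignature = null;
        for (int i = 0; i < signatures.getLength(); i++) {
            if (!signatures.item(i).getParentNode().getParentNode().getLocalName().equals("Advice")) {
                assertionSignature = (Element) signatures.item(i);
                break;
            }
        }
        if (assertionSignature == null) {
            XWSSecurityException unsigned = new XWSSecurityException("Unsigned SAML Assertion encountered");
            logger.log(Level.SEVERE, "WSS1309.saml.signature.verify.failed", (Throwable) unsigned);
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY, "Exception during Signature verfication in SAML Assertion", unsigned);
        }
        try {
            if (!SignatureProcessor.verifySignature(assertionSignature, filterProcessingContext)) {
                logger.log(Level.SEVERE, "WSS1310.saml.signature.invalid");
                throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "SAML Assertion has invalid Signature", new Exception("SAML Assertion has invalid Signature"));
            }
        } catch (XWSSecurityException e) {
            logger.log(Level.SEVERE, "WSS1310.saml.signature.invalid");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_FAILED_AUTHENTICATION, "SAML Assertion has invalid Signature", e);
        }
    }

    /**
     * Maps one SubjectConfirmation KeyInfo child to a key.
     * <p>
     * Supported children: {@code ds:KeyValue}, {@code ds:X509Data}, and DOM structures that are
     * a {@code wsse:SecurityTokenReference}, a {@code wst:BinarySecret} of symmetric-key type, or
     * a {@code xenc:EncryptedKey} whose KeyInfo holds a SecurityTokenReference.
     *
     * @param content one element of the unmarshalled KeyInfo content list
     * @param xMLCryptoContext crypto context, forwarded to STR resolution
     * @param filterProcessingContext processing context supplying the security environment and algorithm suite
     * @param purpose the key-selection purpose
     * @return the resolved key
     * @throws XWSSecurityException for a KeyName child or a WS-Trust failure building the BinarySecret
     * @throws KeySelectorException for any other unsupported content
     * @throws MarshalException propagated from STR resolution
     */
    private static Key resolveSubjectConfirmationContent(Object content, XMLCryptoContext xMLCryptoContext, FilterProcessingContext filterProcessingContext, KeySelector.Purpose purpose) throws MarshalException, KeySelectorException, XWSSecurityException {
        if (content instanceof KeyName) {
            logger.log(Level.SEVERE, "WSS1361.unsupported.KeyName.SAML");
            throw new XWSSecurityException("Unsupported KeyName under SAML SubjectConfirmation");
        }
        if (content instanceof KeyValue) {
            return resolveKeyValue(filterProcessingContext, (KeyValue) content, purpose);
        }
        if (content instanceof X509Data) {
            return resolveSAMLX509Data(filterProcessingContext, (X509Data) content, purpose);
        }
        if (!(content instanceof DOMStructure)) {
            logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
            throw new KeySelectorException("Unsupported Key Information");
        }
        SOAPElement node = (SOAPElement) ((DOMStructure) content).getNode();
        if (isSecurityTokenReference(node)) {
            return resolve(node, xMLCryptoContext, purpose);
        }
        if (SecurityUtil.isBinarySecret(node)) {
            try {
                BinarySecret binarySecret = WSTrustElementFactory.newInstance().createBinarySecret(node);
                // An absent Type is accepted; any explicit Type other than SymmetricKey is rejected.
                if (binarySecret.getType() != null && !binarySecret.getType().equals("http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey")) {
                    logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
                    throw new KeySelectorException("Unsupported wst:BinarySecret Type");
                }
                // The JCE algorithm name follows the negotiated encryption algorithm; "AES" when no suite is set.
                String secretKeyAlgorithm = filterProcessingContext.getAlgorithmSuite() != null
                        ? SecurityUtil.getSecretKeyAlgorithm(filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm())
                        : "AES";
                return new SecretKeySpec(binarySecret.getRawValue(), secretKeyAlgorithm);
            } catch (WSTrustException e) {
                logger.log(Level.SEVERE, "WSS1362.exception.WSTrust.CreatingBinarySecret", e);
                throw new XWSSecurityException(e);
            }
        }
        if (!SecurityUtil.isEncryptedKey(node)) {
            logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
            throw new KeySelectorException("Unsupported Key Information");
        }
        EncryptedKeyToken encryptedKeyToken = new EncryptedKeyToken(node);
        KeyInfoHeaderBlock keyInfo = encryptedKeyToken.getKeyInfo();
        if (!keyInfo.containsSecurityTokenReference()) {
            logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
            throw new KeySelectorException("Unsupported Key Information Inside EncryptedKey");
        }
        Key keyEncryptionKey = KeyResolver.processSTR(keyInfo, false, filterProcessingContext);
        String dataEncryptionAlgorithm = MessageConstants.AES_BLOCK_ENCRYPTION_128;
        if (filterProcessingContext.getAlgorithmSuite() != null) {
            dataEncryptionAlgorithm = filterProcessingContext.getAlgorithmSuite().getEncryptionAlgorithm();
        }
        return encryptedKeyToken.getSecretKey(keyEncryptionKey, dataEncryptionAlgorithm);
    }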

    /**
     * Turns a {@code ds:KeyValue} into a key for the given purpose.
     * <p>
     * For {@link KeySelector.Purpose#VERIFY} the public key carried in the KeyValue is handed
     * back directly - no trust decision is made here, so this is only sound where the enclosing
     * structure (e.g. an already verified SAML assertion) authenticates the value. For
     * {@link KeySelector.Purpose#SIGN} the matching private key is looked up in the security
     * environment. Any other purpose yields {@code null}.
     *
     * @param filterProcessingContext processing context supplying the security environment
     * @param keyValue the KeyValue to interpret
     * @param purpose the key-selection purpose
     * @return the public key, the matching private key, or {@code null} for other purposes
     * @throws KeySelectorException wrapping any failure to read the KeyValue or fetch the private key
     */
    private static Key resolveKeyValue(FilterProcessingContext filterProcessingContext, KeyValue keyValue, KeySelector.Purpose purpose) throws KeySelectorException {
        try {
            if (purpose == KeySelector.Purpose.SIGN) {
                return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), keyValue.getPublicKey(), true);
            }
            return purpose == KeySelector.Purpose.VERIFY ? keyValue.getPublicKey() : null;
        } catch (Exception e) {
            // Only the message goes into the log record; the full cause travels in the thrown exception.
            logger.log(Level.SEVERE, "WSS1313.illegal.key.value", e.getMessage());
            throw new KeySelectorException(e);
        }
    }

    /**
     * Maps the first usable child of a {@code ds:X509Data} to a key.
     * <p>
     * Children are examined in document order and the first one whose kind fits the requested
     * {@code purpose} wins. For {@link KeySelector.Purpose#VERIFY} the certificate's public key
     * is returned and the other party's subject is updated with that certificate; an inline
     * certificate is validated first, whereas a key identifier or issuer/serial is resolved to a
     * certificate through the security environment. For {@link KeySelector.Purpose#SIGN} the
     * matching private key is fetched from the security environment. Children that do not fit
     * the purpose are skipped, so the method returns {@code null} when none matched.
     *
     * @param filterProcessingContext processing context supplying the security environment
     * @param x509Data the {@code ds:X509Data} structure to interpret
     * @param purpose the key-selection purpose
     * @return the resolved key, or {@code null} if no child produced one
     * @throws KeySelectorException for an {@code X509SubjectName} child (unsupported), any other
     *     unrecognised child, or any failure while talking to the security environment
     */
    private static Key resolveX509Data(FilterProcessingContext filterProcessingContext, X509Data x509Data, KeySelector.Purpose purpose) throws KeySelectorException {
        final boolean verifying = purpose == KeySelector.Purpose.VERIFY;
        final boolean signing = purpose == KeySelector.Purpose.SIGN;
        try {
            for (Object child : x509Data.getContent()) {
                if (child instanceof X509Certificate) {
                    X509Certificate inlineCert = (X509Certificate) child;
                    if (verifying) {
                        // An inline certificate is message-supplied: validate it before trusting its key.
                        filterProcessingContext.getSecurityEnvironment().validateCertificate(inlineCert);
                        filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), inlineCert);
                        return inlineCert.getPublicKey();
                    }
                    if (signing) {
                        return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), inlineCert);
                    }
                    continue;
                }
                if (child instanceof byte[]) {
                    byte[] keyIdentifier = (byte[]) child;
                    if (verifying) {
                        X509Certificate lookedUp = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), keyIdentifier);
                        filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), lookedUp);
                        return lookedUp.getPublicKey();
                    }
                    if (signing) {
                        return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), keyIdentifier);
                    }
                    continue;
                }
                if (child instanceof String) {
                    logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
                    throw new KeySelectorException("X509SubjectName child element of X509Data is not yet supported by our implementation");
                }
                if (!(child instanceof javax.xml.crypto.dsig.keyinfo.X509IssuerSerial)) {
                    logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
                    throw new KeySelectorException("Unsupported child element of X509Data encountered");
                }
                javax.xml.crypto.dsig.keyinfo.X509IssuerSerial issuerSerial = (javax.xml.crypto.dsig.keyinfo.X509IssuerSerial) child;
                if (verifying) {
                    X509Certificate lookedUp = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), issuerSerial.getSerialNumber(), issuerSerial.getIssuerName());
                    filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), lookedUp);
                    return lookedUp.getPublicKey();
                }
                if (signing) {
                    return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), issuerSerial.getSerialNumber(), issuerSerial.getIssuerName());
                }
            }
            return null;
        } catch (Exception e) {
            logger.log(Level.SEVERE, "WSS1314.illegal.x509.data", e.getMessage());
            throw new KeySelectorException(e);
        }
    }

    /**
     * Resolves a {@code ds:X509Data} found inside a SAML SubjectConfirmation to a key.
     * <p>
     * Only the first child is considered. It is turned into a certificate - taken as-is when
     * inline, otherwise looked up in the security environment by key identifier or by
     * issuer/serial - the other party's subject is updated with that certificate, and then the
     * public key ({@link KeySelector.Purpose#VERIFY}) or the matching private key (any other
     * purpose) is returned. Note that, unlike {@link #resolveX509Data}, an inline certificate is
     * not passed through {@code validateCertificate} here; presumably the verified assertion
     * signature is what establishes trust in it - confirm.
     *
     * @param filterProcessingContext processing context supplying the security environment
     * @param x509Data the {@code ds:X509Data} structure to interpret
     * @param purpose the key-selection purpose
     * @return the resolved key, or {@code null} when the X509Data has no children
     * @throws KeySelectorException for an {@code X509SubjectName} child (unsupported), any other
     *     unrecognised child, or any failure while talking to the security environment
     */
    private static Key resolveSAMLX509Data(FilterProcessingContext filterProcessingContext, X509Data x509Data, KeySelector.Purpose purpose) throws KeySelectorException {
        try {
            Iterator<?> children = x509Data.getContent().iterator();
            if (!children.hasNext()) {
                return null;
            }
            Object first = children.next();
            X509Certificate certificate;
            if (first instanceof X509Certificate) {
                certificate = (X509Certificate) first;
            } else if (first instanceof byte[]) {
                certificate = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), (byte[]) first);
            } else if (first instanceof String) {
                logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
                throw new KeySelectorException("X509SubjectName child element of X509Data is not yet supported by our implementation");
            } else if (first instanceof javax.xml.crypto.dsig.keyinfo.X509IssuerSerial) {
                javax.xml.crypto.dsig.keyinfo.X509IssuerSerial issuerSerial = (javax.xml.crypto.dsig.keyinfo.X509IssuerSerial) first;
                certificate = filterProcessingContext.getSecurityEnvironment().getCertificate(filterProcessingContext.getExtraneousProperties(), issuerSerial.getSerialNumber(), issuerSerial.getIssuerName());
            } else {
                logger.log(Level.SEVERE, "WSS1312.unsupported.keyinfo");
                throw new KeySelectorException("Unsupported child element of X509Data encountered");
            }
            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), certificate);
            if (purpose == KeySelector.Purpose.VERIFY) {
                return certificate.getPublicKey();
            }
            return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), certificate);
        } catch (Exception e) {
            logger.log(Level.SEVERE, "WSS1314.illegal.x509.data", e.getMessage());
            throw new KeySelectorException(e);
        }
    }

    /**
     * Resolves a {@code wsse:BinarySecurityToken} carrying an X.509 certificate to a key.
     * <p>
     * {@link KeySelector.Purpose#VERIFY} yields the certificate's public key;
     * {@link KeySelector.Purpose#SIGN} and {@link KeySelector.Purpose#DECRYPT} yield the
     * matching private key from the security environment; any other purpose yields
     * {@code null}. Callers pass {@code z == true} when the token was reached through a
     * symmetric key binding, in which case the other party's subject is left untouched.
     *
     * @param filterProcessingContext processing context supplying the security environment
     * @param x509SecurityToken the token whose certificate is used
     * @param purpose the key-selection purpose
     * @param z {@code true} to skip updating the other party's subject on VERIFY
     * @return the resolved key, or {@code null} for an unhandled purpose
     * @throws XWSSecurityException propagated from the security environment
     */
    private static Key resolveX509Token(FilterProcessingContext filterProcessingContext, X509SecurityToken x509SecurityToken, KeySelector.Purpose purpose, boolean z) throws XWSSecurityException {
        if (purpose == KeySelector.Purpose.SIGN || purpose == KeySelector.Purpose.DECRYPT) {
            return filterProcessingContext.getSecurityEnvironment().getPrivateKey(filterProcessingContext.getExtraneousProperties(), x509SecurityToken.getCertificate());
        }
        if (purpose != KeySelector.Purpose.VERIFY) {
            return null;
        }
        X509Certificate certificate = x509SecurityToken.getCertificate();
        if (!z) {
            filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(DefaultSecurityEnvironmentImpl.getSubject(filterProcessingContext), certificate);
        }
        return certificate.getPublicKey();
    }

    /**
     * Tells whether {@code element} is a {@code SecurityTokenReference} by local name only;
     * the namespace is not checked. An element without a local name (DOM Level 1) is not one.
     */
    private static boolean isSecurityTokenReference(Element element) {
        final String localName = element.getLocalName();
        return localName != null && localName.equals("SecurityTokenReference");
    }

    /**
     * Dereferences {@code str} through the context's {@link URIDereferencer} and wraps the first
     * recognised element as a {@link SecurityToken}.
     *
     * <p>Recognised elements: a BinarySecurityToken (returned as an {@link X509SecurityToken}
     * only after the security environment has validated its certificate), EncryptedKey,
     * SecurityContextToken and DerivedKeyToken. Anything else, or a reference that cannot be
     * dereferenced, is reported to the peer as a WSSE SOAP fault.
     *
     * @param str the reference value to dereference
     * @param xMLCryptoContext crypto context carrying the {@code WSS_PROCESSING_CONTEXT} and the dereferencer
     * @return the resolved token
     * @throws URIReferenceException declared for API compatibility; dereference failures are turned into a SOAP fault
     * @throws XWSSecurityException from token construction
     */
    protected static SecurityToken resolveToken(final String str, XMLCryptoContext xMLCryptoContext) throws URIReferenceException, XWSSecurityException {
        final URIDereferencer dereferencer = xMLCryptoContext.getURIDereferencer();
        // Untyped reference: only the URI is supplied, the Type attribute stays null.
        final URIReference reference = new URIReference() {
            @Override
            public String getURI() {
                return str;
            }

            @Override
            public String getType() {
                return null;
            }
        };
        final FilterProcessingContext processingContext = (FilterProcessingContext) xMLCryptoContext.get(MessageConstants.WSS_PROCESSING_CONTEXT);
        final boolean isBSP = isBasicSecurityProfile(processingContext.getSecurityPolicy());
        try {
            for (SOAPElement candidate : dereferencer.dereference(reference, xMLCryptoContext)) {
                final String localName = candidate.getLocalName();
                if (MessageConstants.WSSE_BINARY_SECURITY_TOKEN_LNAME.equals(localName)) {
                    return validatedX509Token(processingContext, candidate, isBSP);
                }
                if ("EncryptedKey".equals(localName)) {
                    return new EncryptedKeyToken(candidate);
                }
                if (MessageConstants.SECURITY_CONTEXT_TOKEN_LNAME.equals(localName)) {
                    return new SecurityContextTokenImpl(candidate);
                }
                if (MessageConstants.DERIVEDKEY_TOKEN_LNAME.equals(localName)) {
                    return new DerivedKeyTokenHeaderBlock(candidate);
                }
            }
            logger.log(Level.SEVERE, "WSS1305.UnSupported.security.token");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_UNSUPPORTED_SECURITY_TOKEN, "A Unsupported token was provided ", null);
        } catch (URIReferenceException e) {
            logger.log(Level.SEVERE, "WSS1304.FC_SECURITY_TOKEN_UNAVAILABLE", e);
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_SECURITY_TOKEN_UNAVAILABLE, "Referenced Security Token could not be retrieved", e);
        }
    }

    /** Reads the BSP flag from whichever policy type is in effect; {@code false} when no policy is set. */
    private static boolean isBasicSecurityProfile(SecurityPolicy securityPolicy) {
        if (securityPolicy == null) {
            return false;
        }
        if (PolicyTypeUtil.messagePolicy(securityPolicy)) {
            return ((MessagePolicy) securityPolicy).isBSP();
        }
        return ((WSSPolicy) securityPolicy).isBSP();
    }

    /**
     * Wraps a BinarySecurityToken element and returns it only once the security environment
     * has validated its certificate; a failed or erroring validation becomes a WSSE
     * InvalidSecurityToken fault, so an untrusted certificate never reaches key selection.
     */
    private static X509SecurityToken validatedX509Token(FilterProcessingContext processingContext, SOAPElement tokenElement, boolean isBSP) throws XWSSecurityException {
        final X509SecurityToken token = new X509SecurityToken(tokenElement, isBSP);
        try {
            if (processingContext.getSecurityEnvironment().validateCertificate(token.getCertificate())) {
                return token;
            }
            logger.log(Level.SEVERE, "WSS1364.unableto.validate.certificate");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "Certificate validation failed", null);
        } catch (XWSSecurityException e) {
            logger.log(Level.SEVERE, "WSS1363.invalid.security.token");
            throw SecurableSoapMessage.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY_TOKEN, "A Invalid security token was provided ", e);
        }
    }

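    /**
     * Locates the SAML assertion a SecurityTokenReference points at.
     *
     * <p>Resolution order: an assertion already issued on the context wins; otherwise the
     * security environment locates it via the STR's SamlAuthorityBinding; failing that,
     * {@link SAMLUtil#locateSamlAssertion} searches the SOAP part for {@code str}.
     *
     * <p>{@code MessageConstants.SAML_SIG_RESOLVED} is set to {@code "false"} when the assertion
     * comes from the context, and on the {@code SAMLUtil} path unless it already reads
     * {@code "true"}; the authority-binding path leaves it untouched. The flag presumably tells
     * a later step that the assertion's own signature still has to be verified — confirm.
     *
     * @param securityTokenReference the STR being resolved
     * @param str the reference value used to find the assertion
     * @param filterProcessingContext the processing context
     * @return the assertion element, never {@code null}
     * @throws XWSSecurityException if no assertion can be found, or if the environment/locator fails
     */
    private static Element resolveSAMLToken(SecurityTokenReference securityTokenReference, String str, FilterProcessingContext filterProcessingContext) throws XWSSecurityException {
        Element issuedSAMLToken = filterProcessingContext.getIssuedSAMLToken();
        if (issuedSAMLToken != null) {
            filterProcessingContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED, "false");
        } else if (securityTokenReference.getSamlAuthorityBinding() != null) {
            issuedSAMLToken = filterProcessingContext.getSecurityEnvironment().locateSAMLAssertion(filterProcessingContext.getExtraneousProperties(), securityTokenReference.getSamlAuthorityBinding(), str, filterProcessingContext.getSOAPMessage().getSOAPPart());
        } else {
            issuedSAMLToken = SAMLUtil.locateSamlAssertion(str, filterProcessingContext.getSOAPMessage().getSOAPPart());
            // Only an existing "true" survives; absent or any other value is forced to "false".
            if (!"true".equals(filterProcessingContext.getExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED))) {
                filterProcessingContext.setExtraneousProperty(MessageConstants.SAML_SIG_RESOLVED, "false");
            }
        }
        // Previously a missing assertion surfaced only as a NullPointerException from an empty
        // ENCRYPTED_DATA_LNAME check on the element's local name; fail explicitly instead.
        // NOTE(review): that check took no action for encrypted assertions, so an EncryptedData
        // element is returned as-is here too — presumably decrypted elsewhere; confirm.
        if (issuedSAMLToken == null) {
            logger.log(Level.SEVERE, "WSS1355.unableto.resolve.SAMLAssertion");
            throw new XWSSecurityException("Unable to resolve the SAML assertion referenced by the SecurityTokenReference");
        }
        return issuedSAMLToken;
    }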

    /**
     * Copies the assertion's issuer into the inferred signature policy's SAML key binding as
     * the authority identifier; a no-op when no policy has been inferred.
     *
     * <p>An element carrying the attribute named by {@code MessageConstants.SAML_ID_LNAME} is
     * treated as SAML 2.0 and the text of its {@code Issuer} child in the SAML 2.0 namespace
     * is used; otherwise (presumably SAML 1.x) the {@code Issuer} attribute is read. A SAML 2.0
     * assertion without an {@code Issuer} child makes {@code item(0)} return {@code null} and a
     * {@link NullPointerException} propagates, i.e. the call fails closed.
     */
    private static void addAuthorityId(Element element, FilterProcessingContext filterProcessingContext) {
        final SignaturePolicy inferredPolicy = (SignaturePolicy) filterProcessingContext.getInferredPolicy();
        if (inferredPolicy == null) {
            return;
        }
        // Obtain the binding first so the policy is touched in the same order as before.
        final AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) inferredPolicy.newSAMLAssertionKeyBinding();
        final String authorityId;
        if (element.getAttributeNode(MessageConstants.SAML_ID_LNAME) == null) {
            authorityId = element.getAttribute("Issuer");
        } else {
            final Element issuerElement = (Element) element.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer").item(0);
            authorityId = issuerElement.getTextContent();
        }
        samlBinding.setAuthorityIdentifier(authorityId);
    }

    /**
     * Resolves the symmetric key behind an inbound SecurityContextToken.
     *
     * <p>The token is stored on the context as {@code INCOMING_SCT}, then the secure
     * conversation session is looked up by its SCId: on the client through
     * {@link IssuedTokenManager} (which is also asked for the issued token), on the server
     * through {@link SessionManager}. The session's proof key — or, for a token that carries an
     * Instance and a context not marked expired, that instance's secret — becomes a
     * {@link SecretKeySpec} named after the algorithm suite's encryption algorithm ("AES" when
     * no suite is set).
     *
     * <p>For {@code VERIFY} only, the session's requestor subject is merged into the
     * other-party subject once per message, guarded by {@code SCBOOTSTRAP_CRED_IN_SUBJ}.
     *
     * @throws XWSSecurityException when no session or proof key exists for the SCId, or the
     *         token manager reports a {@link WSTrustException}
     */
    private static Key resolveSCT(FilterProcessingContext filterProcessingContext, SecurityContextTokenImpl securityContextTokenImpl, KeySelector.Purpose purpose) throws XWSSecurityException {
        filterProcessingContext.setExtraneousProperty(MessageConstants.INCOMING_SCT, securityContextTokenImpl);
        final String sessionId = securityContextTokenImpl.getSCId();
        final IssuedTokenContext session;
        if (filterProcessingContext.isClient()) {
            final DefaultSCTokenConfiguration tokenConfig = new DefaultSCTokenConfiguration(filterProcessingContext.getWSSCVersion(filterProcessingContext.getSecurityPolicyVersion()), sessionId, !filterProcessingContext.isExpired(), !filterProcessingContext.isInboundMessage());
            session = IssuedTokenManager.getInstance().createIssuedTokenContext(tokenConfig, null);
            try {
                IssuedTokenManager.getInstance().getIssuedToken(session);
            } catch (WSTrustException e) {
                throw new XWSSecurityException(e);
            }
        } else {
            session = SessionManager.getSessionManager().getSecurityContext(sessionId, !filterProcessingContext.isExpired());
        }
        if (session == null) {
            throw noSessionFound(sessionId);
        }
        final SecurityContextToken sct = (SecurityContextToken) session.getSecurityToken();
        final byte[] proofKey;
        if (sct.getInstance() == null || filterProcessingContext.isExpired()) {
            proofKey = session.getProofKey();
        } else {
            // A specific token instance has its own secret.
            proofKey = session.getSecurityContextTokenInfo().getInstanceSecret(sct.getInstance());
        }
        if (proofKey == null) {
            throw noSessionFound(sessionId);
        }
        final AlgorithmSuite suite = filterProcessingContext.getAlgorithmSuite();
        final String keyAlgorithm = suite == null ? "AES" : SecurityUtil.getSecretKeyAlgorithm(suite.getEncryptionAlgorithm());
        final SecretKeySpec sessionKey = new SecretKeySpec(proofKey, keyAlgorithm);
        if (purpose == KeySelector.Purpose.VERIFY) {
            final Subject requestorSubject = session.getRequestorSubject();
            if (requestorSubject != null && filterProcessingContext.getExtraneousProperty(MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ) == null) {
                filterProcessingContext.getSecurityEnvironment().updateOtherPartySubject(SecurityUtil.getSubject(filterProcessingContext.getExtraneousProperties()), requestorSubject);
                filterProcessingContext.getExtraneousProperties().put(MessageConstants.SCBOOTSTRAP_CRED_IN_SUBJ, "true");
            }
        }
        return sessionKey;
    }

    /** Logs WSS1365 and builds the exception raised when a session (or its proof key) is missing. */
    private static XWSSecurityException noSessionFound(String sessionId) {
        logger.log(Level.SEVERE, "WSS1365.unableto.locate.SecureConversation.Session");
        return new XWSSecurityException("Could not locate SecureConversation session for Id:" + sessionId);
    }

    /**
     * Derives the symmetric key described by a DerivedKeyToken.
     *
     * <p>The token's base key is resolved recursively through {@code resolve} with
     * {@code Purpose.SIGN}; its encoded bytes plus the token's offset, length, nonce and label
     * are fed to {@link DerivedKeyTokenImpl#generateSymmetricKey}. The JCE algorithm name is
     * taken from the context's algorithm suite, falling back to AES-128 when none is set.
     *
     * <p>NOTE(review): the base key is always resolved with {@code SIGN}, whatever the caller's
     * purpose — confirm this is intended for every base-token type.
     *
     * @throws XWSSecurityException wrapping any failure while resolving the base key or deriving
     */
    private static Key resolveDKT(XMLCryptoContext xMLCryptoContext, DerivedKeyTokenHeaderBlock derivedKeyTokenHeaderBlock) throws XWSSecurityException {
        final FilterProcessingContext processingContext = (FilterProcessingContext) xMLCryptoContext.get(MessageConstants.WSS_PROCESSING_CONTEXT);
        final AlgorithmSuite suite = processingContext.getAlgorithmSuite();
        final String encryptionAlgorithm = suite == null ? MessageConstants.AES_BLOCK_ENCRYPTION_128 : suite.getEncryptionAlgorithm();
        try {
            final byte[] baseKeyBytes = resolve(derivedKeyTokenHeaderBlock.getDerivedKeyElement().getAsSoapElement(), xMLCryptoContext, KeySelector.Purpose.SIGN).getEncoded();
            final DerivedKeyTokenImpl derivation = new DerivedKeyTokenImpl(derivedKeyTokenHeaderBlock.getOffset(), derivedKeyTokenHeaderBlock.getLength(), baseKeyBytes, derivedKeyTokenHeaderBlock.getNonce(), derivedKeyTokenHeaderBlock.getLabel());
            return derivation.generateSymmetricKey(SecurityUtil.getSecretKeyAlgorithm(encryptionAlgorithm));
        } catch (Exception e) {
            logger.log(Level.SEVERE, "WSS1366.unable.generateSymmetricKey.DKT", (Throwable) e);
            throw new XWSSecurityException(e);
        }
    }

    static {
        // Eagerly create the shared selector instance (the preceding null store was redundant).
        keyResolver = new KeySelectorImpl();
    }
}
