package org.apache.wss4j.dom.processor;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.bsp.BSPEnforcer;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
import org.apache.wss4j.dom.str.SecurityTokenRefSTRParser;
import org.apache.wss4j.dom.util.EncryptionUtils;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.util.X509Util;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/wss4j/dom/processor/EncryptedDataProcessor.class */
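/**
 * Processes an {@code xenc:EncryptedData} element that appears directly in the security header.
 *
 * <p>The decryption key is located through the element's {@code ds:KeyInfo} child, which must
 * carry either a {@code wsse:SecurityTokenReference} or an inline {@code xenc:EncryptedKey}.
 * Checks run in this order, and all of them happen before any ciphertext is touched: the
 * symmetric algorithm is checked against the Basic Security Profile rules, the element's
 * signature coverage is verified when the request requires it, the key is resolved, and the key
 * length and algorithm are validated against the configured {@link AlgorithmSuite} (if any).
 * After decryption, the decrypted element is handed to whatever {@link Processor} is registered
 * for its qualified name.
 */
public class EncryptedDataProcessor implements Processor {
    private static final Logger LOG = LoggerFactory.getLogger(EncryptedDataProcessor.class);

    /**
     * Decrypts the given {@code EncryptedData} element and dispatches the decrypted content to the
     * processor registered for its element name, if any.
     *
     * @param element the {@code xenc:EncryptedData} element
     * @param requestData per-request configuration (BSP enforcer, algorithm suite, WSS config)
     * @param wSDocInfo document-level state; receives the {@code ENCR} result and the token element
     * @return the results produced while handling the element: the results of the processor run on
     *     the decrypted content (first, when one ran), then any {@code EncryptedKey} results, then
     *     the {@code ENCR} result for this element
     * @throws WSSecurityException if no {@code KeyInfo} child is present ({@code noKeyinfo}), if
     *     neither a {@code SecurityTokenReference} nor an {@code EncryptedKey} is found
     *     ({@code noEncKey}), or if a BSP, signature-coverage, algorithm-suite or decryption check
     *     fails
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        LOG.debug("Found EncryptedData element");
        String encryptedDataId = element.getAttributeNS(null, "Id");

        Element keyInfo = WSSecurityUtil.getDirectChildElement(element, WSConstants.KEYINFO_LN, WSConstants.SIG_NS);
        if (keyInfo == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "noKeyinfo");
        }

        String encAlgo = X509Util.getEncAlgo(element);
        // Reject algorithms outside the BSP-permitted set before any key material is resolved.
        checkBSPCompliance(encAlgo, requestData.getBSPEnforcer());

        Element strElement = WSSecurityUtil.getDirectChildElement(keyInfo, SecurityTokenReference.SECURITY_TOKEN_REFERENCE, WSConstants.WSSE_NS);
        Element encryptedKeyElement = WSSecurityUtil.getDirectChildElement(keyInfo, "EncryptedKey", WSConstants.ENC_NS);

        // When the request demands it, the EncryptedData element must be covered by one of the
        // already-verified signatures before it is decrypted.
        if (requestData.isRequireSignedEncryptedDataElements()) {
            WSSecurityUtil.verifySignedElement(element, wSDocInfo.getResultsByTag(WSConstants.SIGN));
        }

        Principal principal = null;
        SecretKey symmetricKey;
        List<WSSecurityEngineResult> encryptedKeyResults;
        if (strElement != null) {
            // Resolve the key via the SecurityTokenReference; the encryption algorithm is handed
            // to the parser under the "signature_method" key.
            SecurityTokenRefSTRParser strParser = new SecurityTokenRefSTRParser();
            Map<String, Object> parameters = new HashMap<>();
            parameters.put("signature_method", encAlgo);
            strParser.parseSecurityTokenReference(strElement, requestData, wSDocInfo, parameters);
            principal = strParser.getPrincipal();
            symmetricKey = KeyUtils.prepareSecretKey(encAlgo, strParser.getSecretKey());
            encryptedKeyResults = new ArrayList<>();
        } else if (encryptedKeyElement != null) {
            // Inline EncryptedKey: unwrap it with EncryptedKeyProcessor and read the session key
            // from its first result. NOTE(review): this assumes the processor always returns at
            // least one result carrying TAG_SECRET — confirm against EncryptedKeyProcessor.
            encryptedKeyResults = new EncryptedKeyProcessor().handleToken(encryptedKeyElement, requestData, wSDocInfo);
            byte[] rawKey = (byte[]) encryptedKeyResults.get(0).get(WSSecurityEngineResult.TAG_SECRET);
            symmetricKey = KeyUtils.prepareSecretKey(encAlgo, rawKey);
        } else {
            throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "noEncKey");
        }

        // Enforce the configured algorithm suite on the resolved key before decrypting.
        AlgorithmSuite algorithmSuite = requestData.getAlgorithmSuite();
        if (algorithmSuite != null) {
            AlgorithmSuiteValidator validator = new AlgorithmSuiteValidator(algorithmSuite);
            if (principal instanceof WSDerivedKeyTokenPrincipal) {
                WSDerivedKeyTokenPrincipal derivedKeyPrincipal = (WSDerivedKeyTokenPrincipal) principal;
                validator.checkDerivedKeyAlgorithm(derivedKeyPrincipal.getAlgorithm());
                validator.checkEncryptionDerivedKeyLength(derivedKeyPrincipal.getLength());
            }
            validator.checkSymmetricKeyLength(symmetricKey.getEncoded().length);
            validator.checkSymmetricEncryptionAlgorithm(encAlgo);
        }

        WSDataRef dataRef = EncryptionUtils.decryptEncryptedData(element.getOwnerDocument(), encryptedDataId, element, symmetricKey, encAlgo, requestData);
        WSSecurityEngineResult encrResult = new WSSecurityEngineResult(WSConstants.ENCR, Collections.singletonList(dataRef));
        // getAttributeNS yields "" for a missing attribute; only record a real Id.
        if (!"".equals(encryptedDataId)) {
            encrResult.put(WSSecurityEngineResult.TAG_ID, encryptedDataId);
        }
        wSDocInfo.addResult(encrResult);
        wSDocInfo.addTokenElement(element);

        List<WSSecurityEngineResult> results = new ArrayList<>(encryptedKeyResults);
        results.add(encrResult);

        // Dispatch the decrypted element to the processor registered for its QName, if there is
        // one; its results are placed ahead of the EncryptedKey/ENCR results.
        if (requestData.getWssConfig() != null) {
            Element protectedElement = dataRef.getProtectedElement();
            if (protectedElement != null) {
                QName protectedName = new QName(protectedElement.getNamespaceURI(), protectedElement.getLocalName());
                Processor processor = requestData.getWssConfig().getProcessor(protectedName);
                if (processor != null) {
                    LOG.debug("Processing decrypted element with: {}", processor.getClass().getName());
                    results.addAll(0, processor.handleToken(protectedElement, requestData, wSDocInfo));
                }
            }
        }
        return results;
    }

    /**
     * Reports Basic Security Profile violations for the symmetric encryption algorithm.
     *
     * <p>A missing algorithm triggers {@link BSPRule#R5601}; an algorithm outside the permitted set
     * (Triple-DES, AES-128, AES-128-GCM, AES-256, AES-256-GCM) triggers {@link BSPRule#R5620}. A
     * {@code null} algorithm fails both checks and so reports both rules. Whether a reported rule
     * is fatal is decided by the {@link BSPEnforcer}.
     *
     * @param encAlgo the encryption algorithm URI, or {@code null} if absent
     * @param bSPEnforcer the enforcer that decides how a violated rule is handled
     * @throws WSSecurityException if the enforcer rejects a violated rule
     */
    private static void checkBSPCompliance(String encAlgo, BSPEnforcer bSPEnforcer) throws WSSecurityException {
        if (encAlgo == null) {
            bSPEnforcer.handleBSPRule(BSPRule.R5601);
        }
        boolean permitted = WSConstants.TRIPLE_DES.equals(encAlgo)
            || WSConstants.AES_128.equals(encAlgo)
            || WSConstants.AES_128_GCM.equals(encAlgo)
            || WSConstants.AES_256.equals(encAlgo)
            || WSConstants.AES_256_GCM.equals(encAlgo);
        if (!permitted) {
            bSPEnforcer.handleBSPRule(BSPRule.R5620);
        }
    }
}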
