package com.ibm.ws.wssecurity.cxf.interceptor;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.saml2.Saml20Token;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.sso.common.SsoService;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.wssecurity.caller.CallerConstants;
import com.ibm.ws.wssecurity.caller.SAMLAuthenticator;
import com.ibm.ws.wssecurity.cxf.validator.UsernameTokenValidator;
import com.ibm.ws.wssecurity.internal.WSSecurityConstants;
import com.ibm.ws.wssecurity.token.TokenUtils;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.Timestamp;
import org.apache.wss4j.policy.SP12Constants;
import org.w3c.dom.Element;

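/**
 * Inbound CXF SOAP interceptor that selects the configured "caller" token from the WS-Security
 * processing results of a request and establishes the matching Liberty subject.
 *
 * <p>The interceptor registers itself in the {@code pre-protocol} phase, after
 * {@link PolicyBasedWSS4JInInterceptor}. For inbound, non-requestor messages it reads the caller
 * configuration from the message context, picks exactly one candidate token (UsernameToken,
 * X.509 or SAML) from the {@code RECV_RESULTS} entry, authenticates it through the Liberty
 * security services and installs the resulting subject as both run-as and caller subject.
 *
 * <p>Security notes:
 * <ul>
 *   <li>This class performs no cryptographic or password validation of its own; it consumes
 *       results that are already present on the message. NOTE(review): this presumes that every
 *       result under {@code RECV_RESULTS} was validated by the earlier WSS4J interceptor;
 *       confirm that no other component can populate that entry.</li>
 *   <li>Only the first {@link WSHandlerResult} in {@code RECV_RESULTS} is examined.</li>
 *   <li>Exception text is copied into the SOAP fault returned to the sender on several paths.
 *       NOTE(review): confirm that text cannot disclose registry or configuration detail.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/wssecurity/cxf/interceptor/WSSecurityLibertyCallerInterceptor.class */
public class WSSecurityLibertyCallerInterceptor extends AbstractSoapInterceptor {
    protected static final String multiple_unt_exist_err = "More than one Username token is found in the message, cannot identify caller candidate.";
    protected static final String no_unt_exist_err = "There is no Username token in the message to process caller.";
    protected static final String multiple_saml_exist_err = "More than one Saml token is found in the message, cannot identify caller candidate.";
    protected static final String no_saml_exist_err = "There is no Saml token in the message to process caller.";
    protected static final String no_x509_token_exist_err = "There is no X509 token in the message to process caller.";
    protected static final String unknown_caller_token_name = "Caller token name specified is not valid.";
    protected static final String empty_results_list = "Empty results list";
    protected static final String error_authenticate = "Cannot authenticate caller token";
    protected static final String no_asymmetric_token = "There is no Asymmetric signature token exists in the message";
    protected static final String multiple_asymmetric_token_err = "Multiple Asymmetric signature tokens in the message, cannot identify caller";
    protected static final String internal_err = "Security service is not available.";
    public static final String KEY_SSO_SERVICE = "ssoService";
    static final long serialVersionUID = 4881525334972234599L;
    private static final TraceComponent tc = Tr.register(WSSecurityLibertyCallerInterceptor.class, "WSSecurity", "com.ibm.ws.wssecurity.resources.WSSecurityMessages");
    protected static final ConcurrentServiceReferenceMap<String, SsoService> ssoServiceRefs = new ConcurrentServiceReferenceMap<>("ssoService");

    // WSS4J action codes used as keys into WSHandlerResult.getActionResults(). The numeric values
    // are kept exactly as they appear in the compiled class; the names are presumably the
    // WSConstants fields that were inlined at compile time (UT, SIGN, ST_UNSIGNED, ST_SIGNED, TS,
    // UT_SIGN, UT_NOPASSWORD) -- verify against the WSS4J version in use.
    private static final int ACTION_UT = 1;
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_TS = 32;
    private static final int ACTION_UT_SIGN = 64;
    private static final int ACTION_UT_NOPASSWORD = 8192;

    /** Source id handed to FFDC for every probe raised from this class. */
    private static final String FFDC_SOURCE_ID = "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor";

    /** Placeholder recorded by FFDC instead of the SOAP message itself. */
    private static final String SENSITIVE_MESSAGE = "<sensitive org.apache.cxf.binding.soap.SoapMessage>";

    /**
     * Registers the interceptor in the {@code pre-protocol} phase, ordered after
     * {@link PolicyBasedWSS4JInInterceptor}.
     */
    public WSSecurityLibertyCallerInterceptor() {
        super("pre-protocol");
        addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
    }

    /**
     * Processes the caller token of an inbound request.
     *
     * <p>Does nothing for a {@code null}, outbound or requestor-side message, or when no caller
     * name is configured. Otherwise the configured caller name must be one of the UsernameToken,
     * X.509 or SAML caller names (compared case-insensitively) and the message must carry
     * WS-Security results.
     *
     * @param soapMessage the message being processed; may be {@code null}
     * @throws Fault if the caller name is not recognised, no results are present, or the selected
     *         token cannot be identified or authenticated
     */
    public void handleMessage(@Sensitive SoapMessage soapMessage) throws Fault {
        if (soapMessage == null) {
            return;
        }
        boolean isRequestor = MessageUtils.isRequestor(soapMessage);
        if (MessageUtils.isOutbound(soapMessage) || isRequestor) {
            return;
        }
        Map<String, Object> callerConfig = CastUtils.cast((Map<?, ?>) soapMessage.getContextualProperty(WSSecurityConstants.CALLER_CONFIG));
        String callerName = null;
        if (callerConfig != null && !callerConfig.isEmpty()) {
            callerName = (String) callerConfig.get(WSSecurityConstants.CALLER_NAME);
        }
        if (callerName == null || callerName.isEmpty()) {
            return;
        }

        final boolean untCaller = WSSecurityConstants.UNT_CALLER_NAME.equalsIgnoreCase(callerName);
        final boolean x509Caller = !untCaller && WSSecurityConstants.X509_CALLER_NAME.equalsIgnoreCase(callerName);
        final boolean samlCaller = !untCaller && !x509Caller && WSSecurityConstants.SAML_CALLER_NAME.equalsIgnoreCase(callerName);
        if (!untCaller && !x509Caller && !samlCaller) {
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidTokenType", new Object[]{callerName}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " caller config found = ", new Object[]{callerName});
        }

        List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) soapMessage.get("RECV_RESULTS"));
        // An empty list is treated like a missing one: a caller is configured but nothing was
        // processed, so the request must fail closed rather than die on get(0).
        if (handlerResults == null || handlerResults.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, " NO RESULTS!!!", new Object[0]);
            }
            Tr.error(tc, "no_caller_exist_err", new Object[]{callerName, callerName});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "unhandledToken", new Object[]{callerName}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " results found", new Object[0]);
        }
        // Only the first handler result is considered; any further entries are ignored.
        WSHandlerResult handlerResult = handlerResults.get(0);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " ws result = " + handlerResult.getResults(), new Object[0]);
            Tr.debug(tc, " ws action result = " + handlerResult.getActionResults(), new Object[0]);
        }
        if (untCaller) {
            handleUsernameToken(soapMessage, handlerResult);
        } else if (x509Caller) {
            handleX509Token(soapMessage, handlerResult);
        } else {
            handleSamlToken(soapMessage, handlerResult, callerConfig);
        }
    }

    /**
     * Authenticates the single SAML assertion that carries a principal and installs its subject.
     *
     * <p>Signed SAML results are used when present; otherwise the unsigned SAML results are used.
     * NOTE(review): confirm that policy enforcement elsewhere rejects an unsigned assertion when
     * the service requires a signed one, because this method accepts either.
     *
     * @param soapMessage the inbound message, used for the SOAP version of any fault
     * @param wSHandlerResult the WS-Security results to search
     * @param map the caller configuration passed to {@link SAMLAuthenticator}
     * @throws SoapFault (unchecked) when zero or several candidates exist or authentication fails
     */
    private void handleSamlToken(@Sensitive SoapMessage soapMessage, WSHandlerResult wSHandlerResult, Map<String, Object> map) {
        List<WSSecurityEngineResult> samlResults = actionResults(wSHandlerResult, ACTION_ST_SIGNED);
        if (samlResults == null || samlResults.isEmpty()) {
            samlResults = actionResults(wSHandlerResult, ACTION_ST_UNSIGNED);
        }
        if (samlResults == null) {
            // No SAML results of either kind: fall through to the "no caller" fault below.
            samlResults = new ArrayList<>();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " saml caller token results = ", new Object[]{Integer.valueOf(samlResults.size())});
        }

        int callerCount = 0;
        SamlAssertionWrapper callerAssertion = null;
        for (WSSecurityEngineResult result : samlResults) {
            SamlAssertionWrapper assertion = (SamlAssertionWrapper) result.get("saml-assertion");
            if (assertion != null && tc.isDebugEnabled()) {
                Tr.debug(tc, "assertion from the results =   ", new Object[]{assertion.getId()});
            }
            Principal principal = (Principal) result.get("principal");
            if (principal != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "principal =   ", new Object[]{principal});
                    Tr.debug(tc, "principal name =   ", new Object[]{principal.getName()});
                }
                // Remember the assertion of the result that was counted, so that a later result
                // without a principal cannot replace the assertion that is authenticated.
                callerAssertion = assertion;
                callerCount++;
            }
        }
        if (callerCount > 1) {
            Tr.error(tc, "multiple_saml_exist_err", new Object[0]);
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "duplicateError"));
        }
        if (callerCount == 0) {
            Tr.error(tc, "no_caller_exist_err", new Object[]{WSSecurityConstants.SAML_CALLER_NAME, WSSecurityConstants.SAML_CALLER_NAME});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "unhandledToken", new Object[]{WSSecurityConstants.SAML_CALLER_NAME}));
        }

        try {
            // A counted result without an assertion fails inside handleSamlAssertion and is
            // reported through the outer handler below.
            Saml20Token samlToken = handleSamlAssertion(callerAssertion);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "token is created successfully =   ", new Object[]{samlToken.getSamlID()});
            }
            try {
                AuthenticationResult authResult = new SAMLAuthenticator(map, samlToken).authenticate();
                if (authResult.getStatus() != AuthResult.SUCCESS) {
                    // When the assertion is mapped to the user registry the fault carries a fixed
                    // text instead of the authenticator's reason.
                    Object detail = "User".equalsIgnoreCase((String) map.get(CallerConstants.MAP_TO_UR)) ? "invalid user ID" : authResult.getReason();
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "badSamlToken", new Object[]{detail});
                }
                Subject subject = authResult.getSubject();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authentication successful, authenticated subject = ", new Object[]{subject});
                    Tr.debug(tc, "Authentication successful, runAsSubject before = ", new Object[]{WSSubject.getRunAsSubject()});
                }
                WSSubject.setRunAsSubject(subject);
                new SubjectManager().setCallerSubject(subject);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authentication successful, runAsSubject after = ", new Object[]{WSSubject.getRunAsSubject()});
                    Tr.debug(tc, "Authentication successful, caller subject = ", new Object[]{WSSubject.getCallerSubject()});
                }
            } catch (Exception e) {
                // The message holds the SAML assertion, so FFDC receives a placeholder for it,
                // as the UsernameToken and X.509 paths already do.
                FFDCFilter.processException(e, FFDC_SOURCE_ID, "313", this, new Object[]{SENSITIVE_MESSAGE, wSHandlerResult, map});
                Tr.error(tc, "error_authenticate", new Object[]{e.getMessage()});
                // This fault is unchecked and is caught again by the outer handler, which builds
                // the fault that finally leaves the method from this one's cause.
                throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "badSamlToken", new Object[]{e.getLocalizedMessage()}));
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, FFDC_SOURCE_ID, "260", this, new Object[]{SENSITIVE_MESSAGE, wSHandlerResult, map});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "badSamlToken", new Object[]{e2.getCause() != null ? e2.getCause().getLocalizedMessage() : e2.getLocalizedMessage()}));
        }
    }

    /**
     * Converts a WSS4J assertion wrapper into a Liberty {@link Saml20Token}.
     *
     * @param samlAssertionWrapper the assertion selected as caller token
     * @return the token created by {@link TokenUtils#createSamlTokenFromAssertion}
     * @throws Exception whatever the conversion throws, after it has been recorded with FFDC
     */
    private Saml20Token handleSamlAssertion(SamlAssertionWrapper samlAssertionWrapper) throws Exception {
        try {
            return TokenUtils.createSamlTokenFromAssertion(samlAssertionWrapper.getSaml2());
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE_ID, "339", this, new Object[]{samlAssertionWrapper});
            throw e;
        }
    }

    /**
     * Authenticates the single UsernameToken principal found in the results and installs its
     * subject.
     *
     * <p>Candidates are collected from two action result lists (presumably UsernameToken and
     * UsernameToken without password). The authentication service is given only the user id,
     * plus the internal assertion flag unless id-only hashtable login is allowed; no password is
     * passed from here. NOTE(review): that is only safe if the token behind the principal was
     * validated before it reached the results, and if a password-less token is accepted solely
     * under a policy that proves the sender's identity some other way -- confirm both.
     *
     * @param soapMessage the inbound message, used when building faults
     * @param wSHandlerResult the WS-Security results to search
     * @throws SoapFault when zero or several candidates exist, the security service is missing,
     *         or authentication fails
     */
    private void handleUsernameToken(@Sensitive SoapMessage soapMessage, WSHandlerResult wSHandlerResult) throws SoapFault {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "results = ", new Object[]{wSHandlerResult});
        }
        // Work on a copy so that merging the two lists does not alter the lists held by the
        // handler result, which stays on the message for later consumers.
        List<WSSecurityEngineResult> untResults = copyOfActionResults(wSHandlerResult, ACTION_UT);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "UNT results = ", new Object[]{untResults});
        }
        List<WSSecurityEngineResult> noPasswordResults = actionResults(wSHandlerResult, ACTION_UT_NOPASSWORD);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "UNT_NP results = ", new Object[]{noPasswordResults});
        }
        if (noPasswordResults != null) {
            untResults.addAll(noPasswordResults);
        }

        int callerCount = 0;
        WSUsernameTokenPrincipalImpl callerPrincipal = null;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " Number of UNT results = ", new Object[]{Integer.valueOf(untResults.size())});
        }
        for (WSSecurityEngineResult result : untResults) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, " UNT result = ", new Object[]{result});
            }
            WSUsernameTokenPrincipalImpl principal = (WSUsernameTokenPrincipalImpl) result.get("principal");
            if (principal != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, " principal =   ", new Object[]{principal});
                    Tr.debug(tc, " principal name =   ", new Object[]{principal.getName()});
                }
                // Keep the principal that was counted; a later result without a principal must
                // not reset it to null before it is used below.
                callerPrincipal = principal;
                callerCount++;
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, " user name token principal is NULL!!! ", new Object[0]);
            }
        }
        if (callerCount > 1) {
            Tr.error(tc, "multiple_unt_exist_err", new Object[0]);
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "duplicateError"));
        }
        if (callerCount == 0) {
            Tr.error(tc, "no_caller_exist_err", new Object[]{WSSecurityConstants.UNT_CALLER_NAME, WSSecurityConstants.UNT_CALLER_NAME});
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "missingUsernameToken"));
        }

        SecurityService securityService = UsernameTokenValidator.getSecurityService();
        if (securityService == null) {
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "badUsernameToken", new Object[]{"Missing Liberty Security Service"}));
        }
        AuthenticationService authenticationService = securityService.getAuthenticationService();
        Subject partialSubject = new Subject();
        Hashtable<String, Object> credentials = new Hashtable<>();
        if (!authenticationService.isAllowHashTableLoginWithIdOnly().booleanValue()) {
            credentials.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        credentials.put("com.ibm.wsspi.security.cred.userId", callerPrincipal.getName());
        partialSubject.getPublicCredentials().add(credentials);
        try {
            Subject authenticated = authenticationService.authenticate("system.WEB_INBOUND", partialSubject);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, authenticated subject = ", new Object[]{authenticated});
                Tr.debug(tc, "Authentication successful, runAsSubject before = ", new Object[]{WSSubject.getRunAsSubject()});
            }
            WSSubject.setRunAsSubject(authenticated);
            new SubjectManager().setCallerSubject(authenticated);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, runAsSubject after = ", new Object[]{WSSubject.getRunAsSubject()});
                Tr.debug(tc, "Authentication successful, caller subject = ", new Object[]{WSSubject.getCallerSubject()});
            }
        } catch (AuthenticationException e) {
            FFDCFilter.processException(e, FFDC_SOURCE_ID, "446", this, new Object[]{SENSITIVE_MESSAGE, wSHandlerResult});
            FFDCFilter.processException(e, getClass().getName(), "handleMessage", new Object[]{callerPrincipal.getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e.getMessage()});
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "badUsernameToken", new Object[]{e.getLocalizedMessage()}));
        } catch (com.ibm.websphere.security.WSSecurityException e2) {
            FFDCFilter.processException(e2, FFDC_SOURCE_ID, "460", this, new Object[]{SENSITIVE_MESSAGE, wSHandlerResult});
            FFDCFilter.processException(e2, getClass().getName(), "handleMessage", new Object[]{callerPrincipal.getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e2.getMessage()});
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "badUsernameToken", new Object[]{e2.getLocalizedMessage()}));
        } catch (Exception e3) {
            FFDCFilter.processException(e3, FFDC_SOURCE_ID, "472", this, new Object[]{SENSITIVE_MESSAGE, wSHandlerResult});
            FFDCFilter.processException(e3, getClass().getName(), "handleMessage", new Object[]{callerPrincipal.getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e3.getMessage()});
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "badUsernameToken", new Object[]{e3.getMessage()}));
        }
    }

    /**
     * Selects the caller certificate chain according to the asserted policy and authenticates it.
     *
     * <p>With an asymmetric binding asserted, the chain comes from {@link #getClientX509}; with
     * any of the endorsing supporting-token assertions, from {@link #getEndorsingX509}. If
     * neither applies, or no chain is found, the request is rejected.
     *
     * @param soapMessage the inbound message
     * @param wSHandlerResult the WS-Security results to search
     * @throws SoapFault when no certificate chain can be selected or authentication fails
     */
    private void handleX509Token(@Sensitive SoapMessage soapMessage, WSHandlerResult wSHandlerResult) throws SoapFault {
        // Copy before merging so the lists held by the handler result stay untouched.
        List<WSSecurityEngineResult> signatureResults = copyOfActionResults(wSHandlerResult, ACTION_SIGN);
        List<WSSecurityEngineResult> additionalResults = actionResults(wSHandlerResult, ACTION_UT_SIGN);
        if (additionalResults != null) {
            signatureResults.addAll(additionalResults);
        }

        AssertionInfoMap assertionInfoMap = soapMessage.get(AssertionInfoMap.class);
        boolean asymmetricBinding = hasAssertion(assertionInfoMap, SP12Constants.ASYMMETRIC_BINDING);
        boolean endorsing = hasAssertion(assertionInfoMap, SP12Constants.ENDORSING_SUPPORTING_TOKENS)
                || hasAssertion(assertionInfoMap, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS)
                || hasAssertion(assertionInfoMap, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS)
                || hasAssertion(assertionInfoMap, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);

        X509Certificate[] callerChain = null;
        if (asymmetricBinding) {
            callerChain = getClientX509(soapMessage, wSHandlerResult.getResults(), signatureResults);
        } else if (endorsing) {
            callerChain = getEndorsingX509(soapMessage, wSHandlerResult.getResults(), signatureResults);
        }
        // An empty chain is rejected together with a missing one: element 0 is read below and in
        // the authentication error handlers.
        if (callerChain == null || callerChain.length == 0) {
            Tr.error(tc, "no_caller_exist_err", new Object[]{WSSecurityConstants.X509_CALLER_NAME, WSSecurityConstants.X509_CALLER_NAME});
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "invalidCertData", new Object[]{"0"}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Caller DN: " + callerChain[0].getSubjectDN().getName(), new Object[0]);
        }
        bstCertAuthentication(callerChain, soapMessage, soapMessage.getVersion());
    }

    /**
     * Returns the certificate chain of the signing certificate, requiring that every result that
     * carries a certificate refers to the same one.
     *
     * <p>Certificates are compared by serial number followed by issuer DN.
     *
     * @param soapMessage the inbound message, used when building the fault
     * @param list all engine results (not used by this method)
     * @param list2 the signature results to inspect
     * @return the chain of the last result that carried the certificate, or {@code null} if no
     *         result carried one
     * @throws SoapFault if two results carry different certificates
     */
    private X509Certificate[] getClientX509(@Sensitive SoapMessage soapMessage, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) throws SoapFault {
        String firstCertId = null;
        X509Certificate[] chain = null;
        for (WSSecurityEngineResult result : list2) {
            X509Certificate cert = (X509Certificate) result.get("x509-certificate");
            if (cert == null) {
                continue;
            }
            String certId = cert.getSerialNumber().toString() + cert.getIssuerDN().getName();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "issuer sn and dn = ", new Object[]{certId});
            }
            if (firstCertId != null && !certId.equals(firstCertId)) {
                Tr.error(tc, "multiple_asymmetric_token_err", new Object[0]);
                throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "invalidCertData", new Object[]{"2"}));
            }
            chain = (X509Certificate[]) result.get("x509-certificates");
            firstCertId = certId;
        }
        return chain;
    }

    /**
     * Returns the chain of the endorsing certificate. Under a transport binding this is the
     * certificate whose signature protects the timestamp element; otherwise it is the one whose
     * single signed reference is the signature element.
     *
     * @param soapMessage the inbound message, used to test for a transport binding
     * @param list all engine results, searched for the timestamp result
     * @param list2 the signature results to inspect
     * @return the matching chain, or {@code null} if none matches
     */
    private X509Certificate[] getEndorsingX509(@Sensitive SoapMessage soapMessage, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        if (!isTransportBinding(soapMessage)) {
            return getEndorsingX509(list2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "looking x509Token which endorse TS", new Object[0]);
        }
        WSSecurityEngineResult timestampResult = fetchActionResult(list, ACTION_TS);
        if (timestampResult == null) {
            return null;
        }
        Timestamp timestamp = (Timestamp) timestampResult.get("timestamp");
        // A timestamp result without a timestamp object yields no endorsing chain.
        return timestamp == null ? null : getEndorsingX509(timestamp.getElement(), list2);
    }

    /**
     * Finds the last result in {@code list} whose {@code "action"} entry equals {@code i}.
     *
     * @param list the engine results to search; {@code null} is treated as empty
     * @param i the action code to look for
     * @return the last matching result, or {@code null} if there is none
     */
    public static WSSecurityEngineResult fetchActionResult(List<WSSecurityEngineResult> list, int i) {
        WSSecurityEngineResult match = null;
        if (list == null) {
            return match;
        }
        for (WSSecurityEngineResult candidate : list) {
            Integer action = (Integer) candidate.get("action");
            // Results without an action entry are skipped instead of failing on unboxing.
            if (action != null && action.intValue() == i) {
                match = candidate;
            }
        }
        return match;
    }

    /**
     * Returns the chain of the first result that has exactly one signed reference and whose
     * reference is named {@link WSConstants#SIGNATURE}.
     *
     * @param list the signature results to inspect
     * @return the matching chain, or {@code null} if none matches
     */
    private X509Certificate[] getEndorsingX509(List<WSSecurityEngineResult> list) {
        for (WSSecurityEngineResult result : list) {
            X509Certificate[] chain = (X509Certificate[]) result.get("x509-certificates");
            if (chain == null) {
                continue;
            }
            List<WSDataRef> signedRefs = CastUtils.cast((List<?>) result.get("data-ref-uris"));
            if (signedRefs != null && signedRefs.size() == 1
                    && WSConstants.SIGNATURE.equals(signedRefs.get(0).getName())) {
                return chain;
            }
        }
        return null;
    }

    /**
     * Returns the chain of the first result one of whose signed references protects exactly the
     * given element (compared by object identity).
     *
     * @param element the element that must be covered by the signature
     * @param list the signature results to inspect
     * @return the matching chain, or {@code null} if none matches
     */
    private X509Certificate[] getEndorsingX509(Element element, List<WSSecurityEngineResult> list) {
        for (WSSecurityEngineResult result : list) {
            X509Certificate[] chain = (X509Certificate[]) result.get("x509-certificates");
            if (chain == null) {
                continue;
            }
            List<WSDataRef> signedRefs = CastUtils.cast((List<?>) result.get("data-ref-uris"));
            if (signedRefs == null) {
                continue;
            }
            for (WSDataRef ref : signedRefs) {
                if (element == ref.getProtectedElement()) {
                    return chain;
                }
            }
        }
        return null;
    }

    /**
     * Authenticates a certificate chain through the Liberty authentication service and installs
     * the resulting subject as run-as and caller subject.
     *
     * @param x509CertificateArr the caller's certificate chain; callers in this class pass a
     *        non-empty array
     * @param soapMessage the inbound message, used when building faults
     * @param soapVersion the SOAP version used for faults
     * @throws Fault if the security service is unavailable or authentication fails
     */
    private void bstCertAuthentication(X509Certificate[] x509CertificateArr, @Sensitive SoapMessage soapMessage, SoapVersion soapVersion) throws Fault {
        SecurityService securityService = UsernameTokenValidator.getSecurityService();
        if (securityService == null) {
            throw WSS4JUtils.createSoapFault(soapMessage, soapVersion, new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "invalidData", new Object[]{"Missing Liberty Security Service"}));
        }
        AuthenticationService authenticationService = securityService.getAuthenticationService();
        try {
            WSAuthenticationData authenticationData = new WSAuthenticationData();
            authenticationData.set("CERTCHAIN", x509CertificateArr);
            Subject authenticated = authenticationService.authenticate("system.WEB_INBOUND", authenticationData, (Subject) null);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, authenticated subject = ", new Object[]{authenticated});
                Tr.debug(tc, "Authentication successful, runAsSubject before = ", new Object[]{WSSubject.getRunAsSubject()});
            }
            WSSubject.setRunAsSubject(authenticated);
            new SubjectManager().setCallerSubject(authenticated);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, runAsSubject after = ", new Object[]{WSSubject.getRunAsSubject()});
                Tr.debug(tc, "Authentication successful, caller subject = ", new Object[]{WSSubject.getCallerSubject()});
            }
        } catch (AuthenticationException e) {
            FFDCFilter.processException(e, FFDC_SOURCE_ID, "718", this, new Object[]{x509CertificateArr, SENSITIVE_MESSAGE, soapVersion});
            FFDCFilter.processException(e, getClass().getName(), "bstCertAuthentication", new Object[]{x509CertificateArr[0].getSubjectX500Principal().getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e.getMessage()});
            throw WSS4JUtils.createSoapFault(soapMessage, soapVersion, new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "invalidData", new Object[]{e.getLocalizedMessage()}));
        } catch (Exception e2) {
            FFDCFilter.processException(e2, FFDC_SOURCE_ID, "731", this, new Object[]{x509CertificateArr, SENSITIVE_MESSAGE, soapVersion});
            FFDCFilter.processException(e2, getClass().getName(), "handleMessage", new Object[]{x509CertificateArr[0].getSubjectX500Principal().getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e2.getMessage()});
            throw WSS4JUtils.createSoapFault(soapMessage, soapVersion, new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, "invalidData", new Object[]{e2.getMessage()}));
        }
    }

    /**
     * Tells whether a transport binding is asserted for the message.
     *
     * @param soapMessage the inbound message
     * @return {@code true} if the message's assertion map has a non-empty transport-binding entry
     */
    private boolean isTransportBinding(@Sensitive SoapMessage soapMessage) {
        return hasAssertion(soapMessage.get(AssertionInfoMap.class), SP12Constants.TRANSPORT_BINDING);
    }

    /**
     * Tells whether the assertion map holds at least one assertion under the given name.
     *
     * @param assertionInfoMap the message's assertion map; {@code null} means no policy assertions
     * @param assertionName the policy assertion to look up
     * @return {@code true} if a non-empty collection is registered under {@code assertionName}
     */
    private static boolean hasAssertion(AssertionInfoMap assertionInfoMap, QName assertionName) {
        if (assertionInfoMap == null) {
            return false;
        }
        Collection<?> assertions = assertionInfoMap.get(assertionName);
        return assertions != null && !assertions.isEmpty();
    }

    /**
     * Returns the engine results recorded for one action code, exactly as stored.
     *
     * @param handlerResult the WS-Security results to read
     * @param action the action code
     * @return the stored list, or {@code null} if the action has no entry
     */
    private static List<WSSecurityEngineResult> actionResults(WSHandlerResult handlerResult, int action) {
        return CastUtils.cast((List<?>) handlerResult.getActionResults().get(action));
    }

    /**
     * Returns a fresh, modifiable list holding the engine results recorded for one action code.
     *
     * @param handlerResult the WS-Security results to read
     * @param action the action code
     * @return a new list, empty if the action has no entry
     */
    private static List<WSSecurityEngineResult> copyOfActionResults(WSHandlerResult handlerResult, int action) {
        List<WSSecurityEngineResult> stored = actionResults(handlerResult, action);
        return stored == null ? new ArrayList<WSSecurityEngineResult>() : new ArrayList<WSSecurityEngineResult>(stored);
    }

    /**
     * Builds a sender fault from a WS-Security exception. For SOAP 1.1 with a fault code the code
     * becomes the fault code itself; otherwise the version's sender code is used and, when a
     * fault code exists, it is attached as sub-code.
     *
     * <p>NOTE(review): the caller-name and SAML paths use this helper while the UsernameToken and
     * X.509 paths use {@code WSS4JUtils.createSoapFault}; this helper puts the exception's own
     * message and fault code into the fault. Confirm whether both families of paths are meant to
     * expose the same level of detail to the sender.
     *
     * @param soapVersion the SOAP version of the message
     * @param wSSecurityException the failure to report
     * @return the fault to throw
     */
    private SoapFault createSoapFault(SoapVersion soapVersion, WSSecurityException wSSecurityException) {
        QName faultCode = wSSecurityException.getFaultCode();
        boolean soap11 = soapVersion.getVersion() == 1.1d;
        if (soap11 && faultCode != null) {
            return new SoapFault(wSSecurityException.getMessage(), wSSecurityException, faultCode);
        }
        SoapFault fault = new SoapFault(wSSecurityException.getMessage(), wSSecurityException, soapVersion.getSender());
        if (faultCode != null) {
            // Reached only for versions other than 1.1, which carry the code as a sub-code.
            fault.setSubCode(faultCode);
        }
        return fault;
    }
}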
