package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.Header;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:wlp/lib/com.ibm.ws.org.apache.cxf.ws.security.2.6.2_1.0.3.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.class */
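/**
 * Base class for validators of WS-SecurityPolicy "supporting token" assertions.
 *
 * <p>Concrete subclasses call one of the {@code process*Tokens()} methods for the token type
 * they validate. Each of those methods collects the matching token results from the WSS4J
 * results list and then applies the same policy checks: at least one token must be present;
 * the tokens must be signed and/or encrypted when the policy says so; when the policy requires
 * endorsement the tokens must have signed the message signature (or, under a transport binding,
 * the timestamp); and any SignedParts/EncryptedParts/SignedElements/EncryptedElements nested
 * in the supporting-token assertion must be satisfied by a signature/encryption that was
 * produced with one of the tokens.
 *
 * <p>Note the transport short-cut: when a {@link TLSSessionInfo} is attached to the message,
 * the "signed" and "encrypted" requirements on the tokens are treated as met by the transport
 * (see {@link #areTokensSigned(List)} and {@link #areTokensEncrypted(List)}).
 *
 * <p>All state is injected through setters before a {@code process*Tokens()} call; the class
 * is not thread-safe.
 */
public abstract class AbstractSupportingTokenPolicyValidator extends AbstractTokenPolicyValidator implements SupportingTokenPolicyValidator {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class);

    /** Key under which a WSSecurityEngineResult stores its action code (inlined as "action" in this build). */
    private static final String TAG_ACTION = "action";

    // WSS4J action codes compared against the "action" entry of each result. The numeric values
    // are the ones the compiled code uses; they correspond to the WSS4J WSConstants action flags
    // (ENCR, ST_SIGNED, ST_UNSIGNED, SCT, DKT, BST).
    private static final int ACTION_ENCR = 4;
    private static final int ACTION_ST_SIGNED = 8;
    private static final int ACTION_ST_UNSIGNED = 16;
    private static final int ACTION_SCT = 1024;
    private static final int ACTION_DKT = 2048;
    private static final int ACTION_BST = 4096;

    /** The message being validated; used for TLS detection, the policy map and the SOAP content. */
    private Message message;
    /** All WSS4J results for the message. */
    private List<WSSecurityEngineResult> results;
    /** WSS4J signature results only. */
    private List<WSSecurityEngineResult> signedResults;
    /** WSS4J encryption results only. */
    private List<WSSecurityEngineResult> encryptedResults;
    /** WSS4J UsernameToken results. */
    private List<WSSecurityEngineResult> utResults;
    /** WSS4J SAML assertion results. */
    private List<WSSecurityEngineResult> samlResults;
    /** When false, {@link #processUsernameTokens()} is a no-op that succeeds. */
    private boolean validateUsernameToken = true;
    /** The Timestamp element of the message, if any; used for endorsement under a transport binding. */
    private Element timestamp;
    /** Policy requires the tokens to be signed. */
    private boolean signed;
    /** Policy requires the tokens to be encrypted. */
    private boolean encrypted;
    /** Policy allows derived keys: matching DerivedKeyToken results are added to the token set. */
    private boolean derived;
    /** Policy requires the tokens to endorse the message signature (or the timestamp under a transport binding). */
    private boolean endorsed;
    private SignedEncryptedElements signedElements;
    private SignedEncryptedElements encryptedElements;
    private SignedEncryptedParts signedParts;
    private SignedEncryptedParts encryptedParts;

    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.SupportingTokenPolicyValidator
    public void setUsernameTokenResults(List<WSSecurityEngineResult> list, boolean z) {
        this.utResults = list;
        this.validateUsernameToken = z;
    }

    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.SupportingTokenPolicyValidator
    public void setSAMLTokenResults(List<WSSecurityEngineResult> list) {
        this.samlResults = list;
    }

    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.SupportingTokenPolicyValidator
    public void setTimestampElement(Element element) {
        this.timestamp = element;
    }

    public void setMessage(Message message) {
        this.message = message;
    }

    public void setResults(List<WSSecurityEngineResult> list) {
        this.results = list;
    }

    public void setSignedResults(List<WSSecurityEngineResult> list) {
        this.signedResults = list;
    }

    public void setEncryptedResults(List<WSSecurityEngineResult> list) {
        this.encryptedResults = list;
    }

    public void setSigned(boolean z) {
        this.signed = z;
    }

    public void setEncrypted(boolean z) {
        this.encrypted = z;
    }

    public void setDerived(boolean z) {
        this.derived = z;
    }

    public void setEndorsed(boolean z) {
        this.endorsed = z;
    }

    /**
     * Validates the UsernameToken results against the supporting-token policy.
     *
     * @return true when UsernameToken validation is disabled, or when at least one UsernameToken
     *         is present and all configured checks (signed, encrypted, endorsed, nested
     *         parts/elements) pass; false otherwise, including when no results were set
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean processUsernameTokens() {
        if (!validateUsernameToken) {
            return true;
        }
        // No results injected: treat as "no token present" rather than failing with an NPE.
        if (utResults == null) {
            return false;
        }
        List<WSSecurityEngineResult> tokenResults = new ArrayList<>(utResults);
        List<WSSecurityEngineResult> derivedResults = new ArrayList<>();
        if (derived) {
            for (WSSecurityEngineResult utResult : utResults) {
                addMatchingDerivedKey(utResult, derivedResults);
            }
        }
        return validateTokenResults(tokenResults, derivedResults);
    }

    /**
     * Validates the SAML assertion results against the supporting-token policy.
     * Derived keys are not considered for SAML tokens.
     *
     * @return true when at least one SAML result is present and all configured checks pass
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean processSAMLTokens() {
        if (samlResults == null) {
            return false;
        }
        return validateTokenResults(samlResults, null);
    }

    /**
     * Validates the Kerberos BinarySecurityToken results (BST results whose token is a
     * {@link KerberosSecurity}) against the supporting-token policy.
     *
     * @return true when at least one Kerberos token is present and all configured checks pass
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean processKerberosTokens() {
        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
        List<WSSecurityEngineResult> derivedResults = new ArrayList<>();
        for (WSSecurityEngineResult result : allResults()) {
            if (getAction(result) != ACTION_BST) {
                continue;
            }
            BinarySecurity token = (BinarySecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (token instanceof KerberosSecurity) {
                if (derived) {
                    addMatchingDerivedKey(result, derivedResults);
                }
                tokenResults.add(result);
            }
        }
        return validateTokenResults(tokenResults, derivedResults);
    }

    /**
     * Validates the X.509 BinarySecurityToken results (X509 or PKIPath tokens) against the
     * supporting-token policy. With derived keys enabled, a DerivedKeyToken is matched through
     * the EncryptedKey that was encrypted for the token's certificate.
     *
     * @return true when at least one X.509 token is present and all configured checks pass
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean processX509Tokens() {
        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
        List<WSSecurityEngineResult> derivedResults = new ArrayList<>();
        for (WSSecurityEngineResult result : allResults()) {
            if (getAction(result) != ACTION_BST) {
                continue;
            }
            BinarySecurity token = (BinarySecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (isX509Token(token)) {
                if (derived) {
                    WSSecurityEngineResult dkResult = processX509DerivedTokenResult(result);
                    if (dkResult != null) {
                        derivedResults.add(dkResult);
                    }
                }
                tokenResults.add(result);
            }
        }
        return validateTokenResults(tokenResults, derivedResults);
    }

    /**
     * Validates KeyValue tokens: signature results that carry a public key rather than a
     * certificate. Derived keys are not considered.
     *
     * @return true when at least one such signature result exists and all configured checks pass
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean processKeyValueTokens() {
        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
        if (signedResults != null) {
            for (WSSecurityEngineResult result : signedResults) {
                if (result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY) != null) {
                    tokenResults.add(result);
                }
            }
        }
        return validateTokenResults(tokenResults, null);
    }

    /**
     * Validates the SecurityContextToken results against the supporting-token policy.
     *
     * @return true when at least one SCT is present and all configured checks pass
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean processSCTokens() {
        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
        List<WSSecurityEngineResult> derivedResults = new ArrayList<>();
        for (WSSecurityEngineResult result : allResults()) {
            if (getAction(result) != ACTION_SCT) {
                continue;
            }
            if (derived) {
                addMatchingDerivedKey(result, derivedResults);
            }
            tokenResults.add(result);
        }
        return validateTokenResults(tokenResults, derivedResults);
    }

    /**
     * Common tail of every {@code process*Tokens()} method.
     *
     * <p>The signed/encrypted checks run against the tokens themselves; the endorsement and
     * nested parts/elements checks run against the tokens plus any matched DerivedKeyTokens,
     * since a derived key may be what actually produced the signature or encryption.
     *
     * @param tokenResults   the token results found for the policy's token type
     * @param derivedResults DerivedKeyToken results matched to those tokens (may be null)
     * @return false when there are no tokens or any configured check fails; true otherwise
     */
    private boolean validateTokenResults(List<WSSecurityEngineResult> tokenResults,
                                         List<WSSecurityEngineResult> derivedResults) {
        if (tokenResults == null || tokenResults.isEmpty()) {
            return false;
        }
        if (signed && !areTokensSigned(tokenResults)) {
            return false;
        }
        if (encrypted && !areTokensEncrypted(tokenResults)) {
            return false;
        }
        List<WSSecurityEngineResult> allTokenResults = new ArrayList<>(tokenResults);
        if (derivedResults != null) {
            allTokenResults.addAll(derivedResults);
        }
        if (endorsed && !checkEndorsed(allTokenResults)) {
            return false;
        }
        return validateSignedEncryptedPolicies(allTokenResults);
    }

    /**
     * Checks the SignedParts/EncryptedParts/SignedElements/EncryptedElements nested in the
     * supporting-token assertion. Each is skipped when not configured.
     *
     * @param tokenResults the tokens (plus derived keys) that must have produced the protection
     */
    private boolean validateSignedEncryptedPolicies(List<WSSecurityEngineResult> tokenResults) {
        return validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults)
            && validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults)
            && validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults)
            && validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults);
    }

    /** The full results list, or an empty list when none was injected. */
    private List<WSSecurityEngineResult> allResults() {
        return results == null ? Collections.<WSSecurityEngineResult>emptyList() : results;
    }

    /**
     * Reads the action code of a result.
     *
     * @return the action, or -1 when the result carries none (so it matches no known action)
     */
    private static int getAction(WSSecurityEngineResult result) {
        Integer action = (Integer) result.get(TAG_ACTION);
        return action == null ? -1 : action.intValue();
    }

    /** True for the BinarySecurityToken variants that carry an X.509 certificate (X509 or PKIPath). */
    private static boolean isX509Token(BinarySecurity token) {
        return token instanceof X509Security || token instanceof PKIPathSecurity;
    }

    /**
     * Adds to {@code sink} the DerivedKeyToken result derived from {@code tokenResult}'s secret,
     * if there is one.
     */
    private void addMatchingDerivedKey(WSSecurityEngineResult tokenResult, List<WSSecurityEngineResult> sink) {
        WSSecurityEngineResult dkResult =
            getMatchingDerivedKey((byte[]) tokenResult.get(WSSecurityEngineResult.TAG_SECRET));
        if (dkResult != null) {
            sink.add(dkResult);
        }
    }

    /**
     * For an X.509 token, finds the EncryptedKey that was encrypted for the token's certificate
     * and then the DerivedKeyToken derived from that EncryptedKey's secret.
     *
     * @return the matching DerivedKeyToken result, or null when either step finds nothing
     */
    private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult tokenResult) {
        X509Certificate cert = (X509Certificate) tokenResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        WSSecurityEngineResult encryptedKeyResult = getMatchingEncryptedKey(cert);
        if (encryptedKeyResult == null) {
            return null;
        }
        return getMatchingDerivedKey((byte[]) encryptedKeyResult.get(WSSecurityEngineResult.TAG_SECRET));
    }

    /**
     * Finds the DerivedKeyToken result whose secret equals the given secret.
     *
     * @return the result, or null when {@code secret} is null or nothing matches. A null secret
     *         identifies nothing, so it never matches (Arrays.equals would treat two nulls as equal).
     */
    private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret) {
        if (secret == null) {
            return null;
        }
        for (WSSecurityEngineResult result : allResults()) {
            if (getAction(result) == ACTION_DKT
                && Arrays.equals(secret, (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET))) {
                return result;
            }
        }
        return null;
    }

    /**
     * Finds the EncryptedKey result whose certificate equals the given certificate.
     *
     * @return the result, or null when {@code cert} is null or nothing matches
     */
    private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert) {
        if (cert == null) {
            return null;
        }
        for (WSSecurityEngineResult result : allResults()) {
            if (getAction(result) == ACTION_ENCR
                && cert.equals(result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE))) {
                return result;
            }
        }
        return null;
    }

    /** True when the message carries TLS session information, i.e. it arrived over TLS. */
    private boolean isTLSInUse() {
        return message != null && message.get(TLSSessionInfo.class) != null;
    }

    /** True when the effective policy contains a TransportBinding assertion. */
    private boolean isTransportBinding() {
        if (message == null) {
            return false;
        }
        AssertionInfoMap aim = (AssertionInfoMap) message.get(AssertionInfoMap.class);
        if (aim == null) {
            return false;
        }
        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
        return ais != null && !ais.isEmpty();
    }

    /**
     * Endorsement check: under a transport binding the tokens must have signed the Timestamp;
     * otherwise they must have signed the message Signature.
     */
    private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
        return isTransportBinding() ? checkTimestampIsSigned(tokenResults) : checkSignatureIsSigned(tokenResults);
    }

    /**
     * True when every token element is covered by some signature result, or when the message
     * arrived over TLS (transport protection is accepted in place of a message-level signature).
     * A token result without a token element fails the check.
     */
    private boolean areTokensSigned(List<WSSecurityEngineResult> tokenResults) {
        if (isTLSInUse()) {
            return true;
        }
        for (WSSecurityEngineResult tokenResult : tokenResults) {
            Element tokenElement = (Element) tokenResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (tokenElement == null || !isTokenSigned(tokenElement)) {
                return false;
            }
        }
        return true;
    }

    /**
     * True when every token element is covered by some encryption result, or when the message
     * arrived over TLS. A token result without a token element fails the check.
     */
    private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokenResults) {
        if (isTLSInUse()) {
            return true;
        }
        for (WSSecurityEngineResult tokenResult : tokenResults) {
            Element tokenElement = (Element) tokenResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (tokenElement == null || !isTokenEncrypted(tokenElement)) {
                return false;
            }
        }
        return true;
    }

    /**
     * True when some signature result covers the Timestamp element and was produced with one of
     * the given tokens. A missing Timestamp never satisfies the check.
     */
    private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokenResults) {
        if (timestamp == null || signedResults == null) {
            return false;
        }
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> dataRefs =
                CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                if (timestamp == dataRef.getProtectedElement()
                    && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * True when some signature result covers exactly one element, that element is a Signature,
     * and the signature was produced with one of the given tokens.
     */
    private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokenResults) {
        if (signedResults == null) {
            return false;
        }
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> dataRefs =
                CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            // An endorsing signature is expected to cover only the message signature.
            if (dataRefs == null || dataRefs.size() != 1) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                if (WSSecurityEngine.SIGNATURE.equals(dataRef.getName())
                    && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Decides whether a signature or encryption result was produced with one of the given tokens,
     * by comparing the key material recorded on the result (certificate, secret or public key)
     * with each token's material:
     * <ul>
     *   <li>X509/PKIPath tokens: the certificates must be equal;</li>
     *   <li>SAML tokens: the assertion's subject key info must match by certificate, secret or
     *       public key;</li>
     *   <li>otherwise, when the result has no public key: the token's secret or encrypted
     *       ephemeral key must equal the result's secret;</li>
     *   <li>otherwise the token's public key must equal the result's public key.</li>
     * </ul>
     * Missing material on a token never matches.
     */
    private boolean checkSignatureOrEncryptionResult(WSSecurityEngineResult protectionResult,
                                                     List<WSSecurityEngineResult> tokenResults) {
        X509Certificate cert = (X509Certificate) protectionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        byte[] secret = (byte[]) protectionResult.get(WSSecurityEngineResult.TAG_SECRET);
        PublicKey publicKey = (PublicKey) protectionResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
        for (WSSecurityEngineResult token : tokenResults) {
            int action = getAction(token);
            BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (isX509Token(binarySecurity)) {
                X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (foundCert != null && foundCert.equals(cert)) {
                    return true;
                }
            } else if (action == ACTION_ST_UNSIGNED || action == ACTION_ST_SIGNED) {
                AssertionWrapper assertion = (AssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                SAMLKeyInfo subjectKeyInfo = assertion == null ? null : assertion.getSubjectKeyInfo();
                if (subjectKeyInfo == null) {
                    continue;
                }
                X509Certificate[] samlCerts = subjectKeyInfo.getCerts();
                byte[] samlSecret = subjectKeyInfo.getSecret();
                PublicKey samlPublicKey = subjectKeyInfo.getPublicKey();
                if (cert != null && samlCerts != null && samlCerts.length > 0 && cert.equals(samlCerts[0])) {
                    return true;
                }
                if (samlSecret != null && Arrays.equals(samlSecret, secret)) {
                    return true;
                }
                if (samlPublicKey != null && samlPublicKey.equals(publicKey)) {
                    return true;
                }
            } else if (publicKey == null) {
                byte[] tokenSecret = (byte[]) token.get(WSSecurityEngineResult.TAG_SECRET);
                byte[] ephemeralKey = (byte[]) token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
                if (tokenSecret != null && Arrays.equals(tokenSecret, secret)) {
                    return true;
                }
                if (ephemeralKey != null && Arrays.equals(ephemeralKey, secret)) {
                    return true;
                }
            } else if (publicKey.equals(token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks a SignedParts/EncryptedParts assertion: the SOAP Body (when required) and every
     * listed header must be covered by a protection result produced with one of the tokens.
     *
     * @param parts             the assertion, or null when not configured (always satisfied)
     * @param content           whether the Body must be protected as content (encryption) rather
     *                          than as an element (signature); headers are always element-level
     * @param protectionResults the signature or encryption results to search
     * @param tokenResults      the tokens that must have produced the protection
     * @return false when a required part is unprotected or the SOAP message cannot be read
     */
    private boolean validateSignedEncryptedParts(SignedEncryptedParts parts, boolean content,
                                                 List<WSSecurityEngineResult> protectionResults,
                                                 List<WSSecurityEngineResult> tokenResults) {
        if (parts == null) {
            return true;
        }
        SOAPMessage soapMessage = message == null ? null : message.getContent(SOAPMessage.class);
        if (soapMessage == null) {
            // Nothing to inspect: fail closed rather than report the parts as protected.
            LOG.fine("No SOAPMessage available to validate SignedParts/EncryptedParts");
            return false;
        }
        if (parts.isBody()) {
            try {
                if (!checkProtectionResult(soapMessage.getSOAPBody(), content, protectionResults, tokenResults)) {
                    return false;
                }
            } catch (SOAPException e) {
                LOG.log(Level.FINE, e.getMessage(), e);
                return false;
            }
        }
        for (Header header : parts.getHeaders()) {
            try {
                SOAPHeader soapHeader = soapMessage.getSOAPHeader();
                List<Element> headerElements = header.getName() == null
                    ? DOMUtils.getChildrenWithNamespace(soapHeader, header.getNamespace())
                    : DOMUtils.getChildrenWithName(soapHeader, header.getNamespace(), header.getName());
                for (Element headerElement : headerElements) {
                    if (!checkProtectionResult(headerElement, false, protectionResults, tokenResults)) {
                        return false;
                    }
                }
            } catch (SOAPException e) {
                LOG.log(Level.FINE, e.getMessage(), e);
                return false;
            }
        }
        return true;
    }

    /**
     * True when some protection result references exactly {@code element} (same DOM node) with
     * the requested content/element mode and was produced with one of the tokens.
     * A null element is never considered protected.
     */
    private boolean checkProtectionResult(Element element, boolean content,
                                          List<WSSecurityEngineResult> protectionResults,
                                          List<WSSecurityEngineResult> tokenResults) {
        if (element == null || protectionResults == null) {
            return false;
        }
        for (WSSecurityEngineResult protectionResult : protectionResults) {
            List<WSDataRef> dataRefs =
                CastUtils.cast((List<?>) protectionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                if (element == dataRef.getProtectedElement()
                    && content == dataRef.isContent()
                    && checkSignatureOrEncryptionResult(protectionResult, tokenResults)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Checks a SignedElements/EncryptedElements assertion: every node selected by each of the
     * assertion's XPath expressions must be covered by a protection result produced with one
     * of the tokens.
     *
     * @param elements          the assertion, or null when not configured (always satisfied)
     * @param content           not consulted: elements are always matched at element level,
     *                          and both callers currently pass false
     * @param protectionResults the signature or encryption results to search
     * @param tokenResults      the tokens that must have produced the protection
     * @return false when a selected element is unprotected, an XPath fails to evaluate, or the
     *         SOAP message cannot be read
     */
    private boolean validateSignedEncryptedElements(SignedEncryptedElements elements, boolean content,
                                                    List<WSSecurityEngineResult> protectionResults,
                                                    List<WSSecurityEngineResult> tokenResults) {
        if (elements == null) {
            return true;
        }
        Map<String, String> namespaces = elements.getDeclaredNamespaces();
        List<String> xpaths = elements.getXPathExpressions();
        if (xpaths == null) {
            return true;
        }
        SOAPMessage soapMessage = message == null ? null : message.getContent(SOAPMessage.class);
        if (soapMessage == null) {
            LOG.fine("No SOAPMessage available to validate SignedElements/EncryptedElements");
            return false;
        }
        Element envelope = soapMessage.getSOAPPart().getDocumentElement();
        for (String xpath : xpaths) {
            if (!checkXPathResult(envelope, xpath, namespaces, protectionResults, tokenResults)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Evaluates one XPath expression (from the policy, not the message) against the envelope and
     * requires every selected element to be protected. An expression selecting nothing passes.
     *
     * @return false when a selected element is unprotected or the expression does not evaluate
     */
    private boolean checkXPathResult(Element envelope, String xpath, Map<String, String> namespaces,
                                     List<WSSecurityEngineResult> protectionResults,
                                     List<WSSecurityEngineResult> tokenResults) {
        XPath xpathEvaluator = XPathFactory.newInstance().newXPath();
        if (namespaces != null) {
            xpathEvaluator.setNamespaceContext(new MapNamespaceContext(namespaces));
        }
        try {
            NodeList nodes = (NodeList) xpathEvaluator.evaluate(xpath, envelope, XPathConstants.NODESET);
            for (int i = 0; i < nodes.getLength(); i++) {
                if (!checkProtectionResult((Element) nodes.item(i), false, protectionResults, tokenResults)) {
                    return false;
                }
            }
        } catch (XPathExpressionException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            return false;
        }
        return true;
    }

    /**
     * True when some signature result references exactly {@code tokenElement} (same DOM node).
     * A signature result without data references fails closed, consistent with
     * {@link #isTokenEncrypted(Element)}.
     */
    private boolean isTokenSigned(Element tokenElement) {
        if (signedResults == null) {
            return false;
        }
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> dataRefs =
                CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (dataRefs == null) {
                return false;
            }
            for (WSDataRef dataRef : dataRefs) {
                if (tokenElement == dataRef.getProtectedElement()) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * True when some encryption result references exactly {@code tokenElement} (same DOM node).
     * An encryption result without data references fails closed.
     */
    private boolean isTokenEncrypted(Element tokenElement) {
        if (encryptedResults == null) {
            return false;
        }
        for (WSSecurityEngineResult encryptedResult : encryptedResults) {
            List<WSDataRef> dataRefs =
                CastUtils.cast((List<?>) encryptedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (dataRefs == null) {
                return false;
            }
            for (WSDataRef dataRef : dataRefs) {
                if (tokenElement == dataRef.getProtectedElement()) {
                    return true;
                }
            }
        }
        return false;
    }

    public void setUtResults(List<WSSecurityEngineResult> list) {
        this.utResults = list;
    }

    public void setValidateUsernameToken(boolean z) {
        this.validateUsernameToken = z;
    }

    public void setTimestamp(Element element) {
        this.timestamp = element;
    }

    public void setSignedElements(SignedEncryptedElements signedEncryptedElements) {
        this.signedElements = signedEncryptedElements;
    }

    public void setEncryptedElements(SignedEncryptedElements signedEncryptedElements) {
        this.encryptedElements = signedEncryptedElements;
    }

    public void setSignedParts(SignedEncryptedParts signedEncryptedParts) {
        this.signedParts = signedEncryptedParts;
    }

    public void setEncryptedParts(SignedEncryptedParts signedEncryptedParts) {
        this.encryptedParts = signedEncryptedParts;
    }
}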
