package org.apache.ws.security.str;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.ext.AssertionWrapper;

/* loaded from: input_file:wlp/lib/com.ibm.ws.wss4j.1.6.7_1.0.12.jar:org/apache/ws/security/str/BSPEnforcer.class */
/**
 * Static checks that the attributes carried by a {@link SecurityTokenReference} match what is
 * expected for the kind of token it points at.
 *
 * <p>Every method here only compares ValueType, TokenType and EncodingType strings and throws
 * {@link WSSecurityException} on a mismatch. Nothing in this class verifies signatures,
 * certificate chains or token contents, so passing these checks says nothing about whether the
 * referenced token is trustworthy; that validation has to happen elsewhere.
 */
public final class BSPEnforcer {
    // ValueType / TokenType URIs that the decompiler inlined as string literals.
    private static final String X509_V3_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String X509_PKI_PATH_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";
    private static final String KERBEROS_AP_REQ_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
    private static final String X509_SKI_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier";
    private static final String USERNAME_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken";

    // Numeric fault codes exactly as they appear in the decompiled class.
    // NOTE(review): presumably the inlined WSSecurityException.INVALID_SECURITY,
    // INVALID_SECURITY_TOKEN and FAILED_CHECK constants; confirm against the WSS4J sources.
    private static final int INVALID_SECURITY = 3;
    private static final int INVALID_SECURITY_TOKEN = 4;
    private static final int FAILED_CHECK = 6;

    private BSPEnforcer() {
        // static utility holder, never instantiated
    }

    /** Builds the code-4 exception used by most checks, carrying the rejected attribute value. */
    private static WSSecurityException invalidToken(String messageKey, String offendingValue) {
        return new WSSecurityException(
            INVALID_SECURITY_TOKEN, messageKey, new Object[] {offendingValue});
    }

    /**
     * Checks the reference attributes used to locate a binary security token.
     *
     * <p>For a direct reference the ValueType must match the concrete token class (X.509 v3,
     * PKIPath or Kerberos AP-REQ). For a key identifier the ValueType must be one of four accepted
     * URIs. A PKIPath token additionally requires the PKIPath TokenType on the reference.
     *
     * <p>Limits visible in this code, worth knowing when relying on it as a gate:
     * <ul>
     *   <li>The key-identifier branch does not tie the accepted ValueType to the token class, so
     *       for example the Kerberos key-identifier type is accepted alongside an X.509 token.</li>
     *   <li>A token that is none of the three known subclasses passes the direct-reference check
     *       with any ValueType.</li>
     *   <li>A reference holding neither a direct reference nor a key identifier gets no ValueType
     *       check at all.</li>
     * </ul>
     *
     * @param securityTokenReference the reference element being checked
     * @param binarySecurity the token the reference resolved to
     * @throws WSSecurityException with code 4 and key {@code invalidValueType} or
     *     {@code invalidTokenType} when an attribute does not match
     */
    public static void checkBinarySecurityBSPCompliance(SecurityTokenReference securityTokenReference, BinarySecurity binarySecurity) throws WSSecurityException {
        if (securityTokenReference.containsReference()) {
            String refValueType = securityTokenReference.getReference().getValueType();
            boolean x509Mismatch =
                binarySecurity instanceof X509Security && !X509_V3_TYPE.equals(refValueType);
            boolean pkiPathMismatch =
                binarySecurity instanceof PKIPathSecurity && !X509_PKI_PATH_TYPE.equals(refValueType);
            boolean kerberosMismatch =
                binarySecurity instanceof KerberosSecurity && !KERBEROS_AP_REQ_TYPE.equals(refValueType);
            if (x509Mismatch || pkiPathMismatch || kerberosMismatch) {
                throw invalidToken("invalidValueType", refValueType);
            }
        } else if (securityTokenReference.containsKeyIdentifier()) {
            String kiValueType = securityTokenReference.getKeyIdentifierValueType();
            boolean accepted = X509_SKI_TYPE.equals(kiValueType)
                || SecurityTokenReference.THUMB_URI.equals(kiValueType)
                || WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(kiValueType)
                || X509_V3_TYPE.equals(kiValueType);
            if (!accepted) {
                throw invalidToken("invalidValueType", kiValueType);
            }
        }

        if (!(binarySecurity instanceof PKIPathSecurity)) {
            return;
        }
        // PKIPath tokens must also announce themselves through the TokenType attribute.
        String declaredTokenType = securityTokenReference.getTokenType();
        if (!X509_PKI_PATH_TYPE.equals(declaredTokenType)) {
            throw invalidToken("invalidTokenType", declaredTokenType);
        }
    }

    /**
     * Checks a reference that points at an EncryptedKey.
     *
     * <p>A key identifier, when present, must use {@code SecurityTokenReference.ENC_KEY_SHA1_URI}.
     * The TokenType comparison is unconditional, so any value other than
     * {@code WSConstants.WSS_ENC_KEY_VALUE_TYPE} is rejected (a {@code null} TokenType included).
     *
     * @param securityTokenReference the reference element being checked
     * @throws WSSecurityException with code 4 when either attribute does not match
     */
    public static void checkEncryptedKeyBSPCompliance(SecurityTokenReference securityTokenReference) throws WSSecurityException {
        if (securityTokenReference.containsKeyIdentifier()) {
            String kiValueType = securityTokenReference.getKeyIdentifierValueType();
            boolean isEncKeySha1 = SecurityTokenReference.ENC_KEY_SHA1_URI.equals(kiValueType);
            if (!isEncKeySha1) {
                throw invalidToken("invalidValueType", kiValueType);
            }
        }

        String declaredTokenType = securityTokenReference.getTokenType();
        if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(declaredTokenType)) {
            return;
        }
        throw invalidToken("invalidTokenType", declaredTokenType);
    }

    /**
     * Checks a reference that points at a SAML assertion.
     *
     * <p>The expected key-identifier ValueType and TokenType depend on whether the wrapper holds a
     * SAML 1.x or a SAML 2.0 assertion. A key identifier must not carry an EncodingType, and a
     * direct reference to a SAML 2.0 assertion must not carry a ValueType.
     *
     * <p>If the wrapper reports neither a SAML 1.x nor a SAML 2.0 assertion, only the EncodingType
     * check can fire; the ValueType and TokenType comparisons are all skipped.
     *
     * @param securityTokenReference the reference element being checked
     * @param assertionWrapper wrapper around the referenced assertion
     * @throws WSSecurityException with code 4 and key {@code invalidValueType},
     *     {@code badEncodingType} or {@code invalidTokenType} on a mismatch
     */
    public static void checkSamlTokenBSPCompliance(SecurityTokenReference securityTokenReference, AssertionWrapper assertionWrapper) throws WSSecurityException {
        if (securityTokenReference.containsKeyIdentifier()) {
            String kiValueType = securityTokenReference.getKeyIdentifierValueType();
            if (assertionWrapper.getSaml1() != null
                    && !WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(kiValueType)) {
                throw invalidToken("invalidValueType", kiValueType);
            }
            if (assertionWrapper.getSaml2() != null
                    && !WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(kiValueType)) {
                throw invalidToken("invalidValueType", kiValueType);
            }

            // Any non-empty EncodingType on the key identifier is refused.
            String kiEncodingType = securityTokenReference.getKeyIdentifierEncodingType();
            if (kiEncodingType != null && !kiEncodingType.isEmpty()) {
                throw invalidToken("badEncodingType", kiEncodingType);
            }
        }

        String declaredTokenType = securityTokenReference.getTokenType();
        if (assertionWrapper.getSaml1() != null
                && !WSConstants.WSS_SAML_TOKEN_TYPE.equals(declaredTokenType)) {
            throw invalidToken("invalidTokenType", declaredTokenType);
        }
        if (assertionWrapper.getSaml2() != null
                && !WSConstants.WSS_SAML2_TOKEN_TYPE.equals(declaredTokenType)) {
            throw invalidToken("invalidTokenType", declaredTokenType);
        }

        // A direct reference to a SAML 2.0 assertion has to leave ValueType unset or empty.
        if (assertionWrapper.getSaml2() != null && securityTokenReference.containsReference()) {
            String refValueType = securityTokenReference.getReference().getValueType();
            if (refValueType != null && !refValueType.isEmpty()) {
                throw invalidToken("invalidValueType", refValueType);
            }
        }
    }

    /**
     * Checks a reference that points at a UsernameToken.
     *
     * <p>Only a direct reference is accepted, and its ValueType must be the UsernameToken
     * profile URI.
     *
     * @param securityTokenReference the reference element being checked
     * @throws WSSecurityException with code 6 and key {@code unsupportedKeyId} when there is no
     *     direct reference, or code 3 and key {@code invalidValueType} when the ValueType differs
     */
    public static void checkUsernameTokenBSPCompliance(SecurityTokenReference securityTokenReference) throws WSSecurityException {
        boolean hasDirectReference = securityTokenReference.containsReference();
        if (!hasDirectReference) {
            throw new WSSecurityException(FAILED_CHECK, "unsupportedKeyId");
        }

        String refValueType = securityTokenReference.getReference().getValueType();
        if (USERNAME_TOKEN_TYPE.equals(refValueType)) {
            return;
        }
        // This is the one check that reports code 3 instead of 4.
        throw new WSSecurityException(
            INVALID_SECURITY, "invalidValueType", new Object[] {refValueType});
    }
}
