package com.ibm.ws.wssecurity.saml.config.impl;

import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.saml.security.impl.KeyInfoUtil;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.StringUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/saml/config/impl/TrustedEntryConfigImpl.class */
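/**
 * Trust policy for SAML assertions: the allowed SAML issuer names and/or the allowed
 * subject DNs of the certificate that signed the assertion, loaded from custom
 * properties ({@code trustedIssuer_n}, {@code trustedSubjectDN_n}) and evaluated by
 * {@link #check(String, String)} / {@link #validate(String, String)}.
 *
 * <p>Three kinds of entry exist and are OR-ed together at check time:
 * <ul>
 *   <li>issuer-only entries ({@code trustedIssuer_n} with no {@code trustedSubjectDN_n}
 *       at the same index) — any signer certificate is accepted for that issuer;</li>
 *   <li>DN-only entries ({@code trustedSubjectDN_n} with no issuer at the same index)
 *       — any issuer is accepted for that signer;</li>
 *   <li>pairs (both properties at the same index) — issuer AND signer DN must match.</li>
 * </ul>
 *
 * <p>All names are canonicalised with {@code StringUtil.removeDNSpace} and lower-cased
 * ({@code Locale.ROOT}, so the outcome does not depend on the JVM default locale)
 * before being stored or compared; matching is therefore case-insensitive.
 *
 * <p><b>Fail-open when unconfigured:</b> when no entry of any kind is present,
 * {@code check} accepts every issuer/signer. A deployment that relies on this class to
 * restrict who may issue assertions must configure at least one entry.
 *
 * <p>The backing sets are unsynchronised; {@code init}/{@code add*}/{@code clear} are
 * meant to run while the configuration is being built, not concurrently with
 * {@code check}/{@code validate}.
 */
public class TrustedEntryConfigImpl extends TrustedEntryConfig {
    private static final String comp = "security.wssecurity";
    /** Issuer-only entries (normalised). */
    private HashSet<String> trustedIssuers = new HashSet<>();
    /** Signer-DN-only entries (normalised). */
    private HashSet<String> trustedDns = new HashSet<>();
    /** (issuer, DN) pairs, both normalised; arrays compare by identity, so see {@link #containsPair}. */
    private HashSet<String[]> trustedPairs = new HashSet<>();
    /** Issuers that appear in at least one pair — used only to pick the right error message. */
    private HashSet<String> pairIssuers = new HashSet<>();
    /** DNs that appear in at least one pair — used only to pick the right error message. */
    private HashSet<String> pairDns = new HashSet<>();
    /**
     * Whether the assertion was required to be signed. Affects only the diagnostic cause
     * attached when no signer certificate is available; it is not itself a trust check.
     */
    private boolean signatureRequired = true;
    private boolean warningMessageIssued = false;
    private static final String TRUSTED_ISSUER = "trustedIssuer";
    private static final String TRUSTED_SUBJECTDN = "trustedSubjectDN";
    private static final String SIGNATURE_REQUIRED = "signatureRequired";
    private static final String ISSUER = "Issuer";
    private static final TraceComponent tc = Tr.register(TrustedEntryConfigImpl.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = TrustedEntryConfigImpl.class.getName();

    /** Drops every configured entry. Does not touch {@code signatureRequired}. */
    public void clear() {
        this.trustedIssuers = new HashSet<>();
        this.trustedDns = new HashSet<>();
        this.trustedPairs = new HashSet<>();
        this.pairIssuers = new HashSet<>();
        this.pairDns = new HashSet<>();
    }

    public TrustedEntryConfigImpl() {
    }

    /** @see #init(Map) */
    public TrustedEntryConfigImpl(Map map) {
        init(map);
    }

    /** @see #init(Map, boolean) */
    public TrustedEntryConfigImpl(Map map, boolean signatureRequired) {
        init(map, signatureRequired);
    }

    /**
     * Canonical form used for every stored and every compared name: project-specific DN
     * whitespace removal followed by locale-independent lower-casing.
     */
    private static String normalize(String name) {
        return StringUtil.removeDNSpace(name).toLowerCase(Locale.ROOT);
    }

    /**
     * Loads the entries from {@code map} and records whether a signature was required.
     *
     * @param map               custom properties, see {@link #init(Map)}
     * @param signatureRequired value for {@link #getSignatureRequired()}
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public void init(Map map, boolean signatureRequired) {
        init(map);
        this.signatureRequired = signatureRequired;
    }

    /**
     * Loads trusted entries from custom properties. Entries are paired by the numeric
     * suffix of the property key: {@code trustedIssuer_3} and {@code trustedSubjectDN_3}
     * form one pair; an index present on only one side becomes an issuer-only or
     * DN-only entry. A key with no {@code _n} suffix is treated as index 0.
     *
     * <p>Entries are added to the existing ones; call {@link #clear()} first to replace.
     *
     * @param map property name → value; only {@code String} keys starting with
     *            {@code trustedIssuer} / {@code trustedSubjectDN} are considered
     * @throws NullPointerException     if a considered key has a {@code null} value — a
     *                                  missing value is a configuration error and is not
     *                                  silently skipped, because an empty entry set means
     *                                  "trust everyone"
     * @throws ClassCastException       if a considered value is not a {@code String}
     * @throws NumberFormatException    if the suffix after the last {@code _} is not an integer
     * @throws IllegalArgumentException if two keys of the same kind resolve to the same
     *                                  index (previously one silently overwrote the other,
     *                                  with the winner depending on map iteration order)
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public void init(Map map) {
        TreeMap<Integer, String> issuersByIndex = new TreeMap<>();
        TreeMap<Integer, String> dnsByIndex = new TreeMap<>();
        for (Object o : map.entrySet()) {
            Map.Entry entry = (Map.Entry) o;
            if (!(entry.getKey() instanceof String)) {
                continue;
            }
            String propName = (String) entry.getKey();
            if (propName.startsWith(TRUSTED_ISSUER)) {
                putIndexed(propName, requireValue(propName, entry.getValue()), issuersByIndex);
            } else if (propName.startsWith(TRUSTED_SUBJECTDN)) {
                putIndexed(propName, requireValue(propName, entry.getValue()), dnsByIndex);
            }
        }
        // Union of indexes, ascending, so issuer and DN at the same index are added together.
        TreeSet<Integer> indexes = new TreeSet<>(issuersByIndex.keySet());
        indexes.addAll(dnsByIndex.keySet());
        for (Integer index : indexes) {
            String issuer = issuersByIndex.get(index);
            String dn = dnsByIndex.get(index);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding Issuer[" + issuer + "], SubjectDN[" + dn + "]");
            }
            add(issuer, dn);
        }
    }

    /** Casts a property value to String, failing with a message that names the property. */
    private static String requireValue(String propName, Object value) {
        Objects.requireNonNull(value, "Trusted entry property [" + propName + "] has no value");
        return (String) value;
    }

    /**
     * Parses the {@code _n} index out of {@code propName} (0 when absent) and stores
     * {@code value} under it, rejecting duplicate indexes.
     */
    private static void putIndexed(String propName, String value, TreeMap<Integer, String> byIndex) {
        int sep = propName.lastIndexOf('_');
        int index = 0;
        if (sep >= 0) {
            String suffix = propName.substring(sep + 1);
            try {
                index = Integer.parseInt(suffix);
            } catch (NumberFormatException e) {
                // Same exception type as before, but say which property is malformed.
                NumberFormatException nfe = new NumberFormatException(
                        "Trusted entry property [" + propName + "] must end in _<integer>, got [" + suffix + "]");
                nfe.initCause(e);
                throw nfe;
            }
        }
        String previous = byIndex.put(index, value);
        if (previous != null) {
            throw new IllegalArgumentException("Trusted entry property [" + propName + "] reuses index "
                    + index + "; each trustedIssuer/trustedSubjectDN entry needs a distinct index");
        }
    }

    /**
     * Flattens the configuration to {@code {issuer, dn}} rows: issuer-only rows have a
     * {@code null} DN, DN-only rows a {@code null} issuer, pairs both. Order is unspecified.
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public ArrayList<String[]> toArray() {
        ArrayList<String[]> rows = new ArrayList<>();
        Set<String> issuers = getTrustedIssuers();
        if (issuers != null) {
            for (String issuer : issuers) {
                rows.add(new String[]{issuer, null});
            }
        }
        Set<String> dns = getTrustedDns();
        if (dns != null) {
            for (String dn : dns) {
                rows.add(new String[]{null, dn});
            }
        }
        Set<String[]> pairs = getTrustedPairs();
        if (pairs != null) {
            for (String[] pair : pairs) {
                rows.add(new String[]{pair[0], pair[1]});
            }
        }
        return rows;
    }

    /** @return a copy of the issuer-only entries, or {@code null} when there are none */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public Set<String> getTrustedIssuers() {
        if (this.trustedIssuers.isEmpty()) {
            return null;
        }
        return new HashSet<>(this.trustedIssuers);
    }

    /** @return a copy of the DN-only entries, or {@code null} when there are none */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public Set<String> getTrustedDns() {
        if (this.trustedDns.isEmpty()) {
            return null;
        }
        return new HashSet<>(this.trustedDns);
    }

    /**
     * @return a copy of the (issuer, dn) pairs, or {@code null} when there are none. The
     *         arrays are copied too, so a caller cannot alter the stored policy through them.
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public Set<String[]> getTrustedPairs() {
        if (this.trustedPairs.isEmpty()) {
            return null;
        }
        HashSet<String[]> copy = new HashSet<>();
        for (String[] pair : this.trustedPairs) {
            copy.add(pair.clone());
        }
        return copy;
    }

    /** Adds an issuer-only entry; {@code null} is ignored. */
    public void addIssuer(String issuerName) {
        if (issuerName != null) {
            this.trustedIssuers.add(normalize(issuerName));
        }
    }

    /** Adds a DN-only entry; {@code null} is ignored. */
    public void addDn(String subjectDn) {
        if (subjectDn != null) {
            this.trustedDns.add(normalize(subjectDn));
        }
    }

    /** Adds an (issuer, dn) pair; ignored if either is {@code null} or the pair already exists. */
    public void addPair(String issuerName, String subjectDn) {
        if (issuerName == null || subjectDn == null) {
            return;
        }
        String normIssuer = normalize(issuerName);
        String normDn = normalize(subjectDn);
        if (!containsPair(normIssuer, normDn)) {
            this.trustedPairs.add(new String[]{normIssuer, normDn});
        }
        this.pairIssuers.add(normIssuer);
        this.pairDns.add(normDn);
    }

    /** Adds a pair, an issuer-only entry or a DN-only entry depending on which arguments are non-null. */
    public void add(String issuerName, String subjectDn) {
        if (issuerName != null && subjectDn != null) {
            addPair(issuerName, subjectDn);
        } else if (issuerName != null) {
            addIssuer(issuerName);
        } else if (subjectDn != null) {
            addDn(subjectDn);
        }
    }

    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public void setSignatureRequired(boolean signatureRequired) {
        this.signatureRequired = signatureRequired;
    }

    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public boolean getSignatureRequired() {
        return this.signatureRequired;
    }

    /** @return whether {@code issuerName} is an issuer-only entry (pairs are not consulted) */
    public boolean checkIssuer(String issuerName) {
        if (issuerName == null || this.trustedIssuers.isEmpty()) {
            return false;
        }
        return this.trustedIssuers.contains(normalize(issuerName));
    }

    /** @return whether {@code subjectDn} is a DN-only entry (pairs are not consulted) */
    public boolean checkDn(String subjectDn) {
        if (subjectDn == null || this.trustedDns.isEmpty()) {
            return false;
        }
        return this.trustedDns.contains(normalize(subjectDn));
    }

    /** @return whether ({@code issuerName}, {@code subjectDn}) is a configured pair */
    public boolean checkPair(String issuerName, String subjectDn) {
        if (issuerName == null || subjectDn == null || this.trustedPairs.isEmpty()) {
            return false;
        }
        return containsPair(normalize(issuerName), normalize(subjectDn));
    }

    /** Linear scan over the pairs; {@code String[]} has identity equality so a set lookup cannot be used. */
    private boolean containsPair(String normIssuer, String normDn) {
        for (String[] pair : this.trustedPairs) {
            if (pair[0].equals(normIssuer) && pair[1].equals(normDn)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether the assertion is trusted.
     *
     * <p>Returns {@code true} when <em>any</em> of the following holds: nothing is
     * configured at all (fail-open — see the class comment), the issuer is an issuer-only
     * entry, the signer DN is a DN-only entry, or (issuer, DN) is a configured pair.
     *
     * @param issuerName SAML {@code Issuer}, may be {@code null}
     * @param subjectDn  subject DN of the signer certificate, may be {@code null}
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public boolean check(String issuerName, String subjectDn) {
        if (this.trustedIssuers.isEmpty() && this.trustedDns.isEmpty() && this.trustedPairs.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No trusted issuer/SubjectDN entries configured; accepting Issuer["
                        + issuerName + "], SubjectDN[" + subjectDn + "] without a trust check");
            }
            return true;
        }
        if (issuerName == null && subjectDn == null) {
            return false;
        }
        return checkIssuer(issuerName) || checkDn(subjectDn) || checkPair(issuerName, subjectDn);
    }

    /**
     * Validates a token by its issuer name and signer certificate.
     *
     * @throws LoginException if the token is not trusted; a {@code null} token is
     *                        validated as (null, null) and fails unless nothing is configured
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public void validate(SAMLToken samlToken) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate(token[" + ConfigUtil.getObjState(samlToken) + "])");
        }
        X509Certificate signerCert = null;
        String issuerName = null;
        if (samlToken != null) {
            signerCert = samlToken.getSignerCertificate();
            issuerName = samlToken.getSAMLIssuerName();
        }
        validate(issuerName, signerCert);
    }

    /**
     * Validates by issuer name and signer certificate; the DN compared is the
     * certificate's subject.
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public void validate(String issuerName, X509Certificate signerCert) throws LoginException {
        String subjectDn = null;
        if (signerCert != null) {
            // Deliberately the legacy getSubjectDN().getName() form rather than
            // getSubjectX500Principal().getName(): the configured trustedSubjectDN values
            // are written against this string format, and switching would change
            // (and possibly widen or break) which certificates match.
            subjectDn = signerCert.getSubjectDN().getName();
        }
        validate(issuerName, subjectDn);
    }

    /**
     * Same decision as {@link #check(String, String)}, but throws a {@link LoginException}
     * whose message (and cause chain) points at the part of the configuration that
     * rejected the input: a pair whose issuer matched but whose DN did not, a pair whose DN
     * matched but whose issuer did not, an untrusted issuer, an untrusted DN, or both.
     *
     * @throws LoginException if not trusted
     */
    @Override // com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig
    public void validate(String issuerName, String subjectDn) throws LoginException {
        if (check(issuerName, subjectDn)) {
            return;
        }
        if (!this.trustedPairs.isEmpty()) {
            // Half of a pair matched: blame the half that did not.
            if (issuerName != null && this.pairIssuers.contains(normalize(issuerName))) {
                throw buildCertException(issuerName, subjectDn);
            }
            if (subjectDn != null && this.pairDns.contains(normalize(subjectDn))) {
                throw buildIssuerException(issuerName, subjectDn);
            }
        }
        if (!this.trustedIssuers.isEmpty() && this.trustedDns.isEmpty()) {
            throw buildIssuerException(issuerName);
        }
        if (this.trustedIssuers.isEmpty() && !this.trustedDns.isEmpty()) {
            throw buildCertException(subjectDn);
        }
        if (issuerName != null && subjectDn == null) {
            throw buildIssuerException(issuerName);
        }
        if (issuerName == null && subjectDn != null) {
            throw buildCertException(subjectDn);
        }
        LoginException notTrusted = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7542E", new String[]{issuerName, subjectDn}, "CWWSS7542E: The [{0}] SAML issuer name or [{1}] signer SubjectDN of the certificate are not trusted."));
        if (issuerName == null && subjectDn == null) {
            notTrusted.initCause(new LoginException(MessageHelper.getMessage("security.wssecurity.CWSML7003E", new String[]{ISSUER}, "CWSML7003E: The [{0}] attribute on the Assertion element is missing or empty.") + " " + ConfigUtil.getMessage("security.wssecurity.CWWSS8047E", new String[]{SIGNATURE_REQUIRED}, "CWWSS8047E: The signer certificate is not available.  Either the SAML Assertion was not signed or it was not required to be signed.  Ensure that the [{0}] custom property is set to true.")));
        }
        throw notTrusted;
    }

    /** Exception for an untrusted signer DN with no issuer involved. */
    public LoginException buildCertException(String subjectDn) {
        return buildCertException(null, subjectDn);
    }

    /**
     * Exception for an untrusted signer DN. With an issuer, the top-level message is the
     * pair-failure one (CWWSS8044E) and the DN message (CWWSS8045E) is its cause. When the
     * DN is {@code null}, a further cause explains why no certificate was available:
     * CWSML7029E if a signature was required (the KeyInfo did not yield a certificate),
     * otherwise CWWSS8047E (the assertion may simply not have been signed).
     */
    public LoginException buildCertException(String issuerName, String subjectDn) {
        LoginException top;
        LoginException dnCause = null;
        if (issuerName == null) {
            top = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS8045E", new String[]{subjectDn}, "CWWSS8045E: The Subject DN [{0}] of the signer certificate in the SAML Assertion is not trusted."));
        } else {
            top = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS8044E", new String[]{issuerName, subjectDn}, "CWWSS8044E: The allowed issuer validation failed for the [{0}] SAML issuer name and the [{1}] SubjectDN of the signer certificate.  The SAML issuer and SubjectDN are part of a pair so both must be trusted."));
            dnCause = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS8045E", new String[]{subjectDn}, "CWWSS8045E: The Subject DN [{0}] of the signer certificate in the SAML Assertion is not trusted."));
            top.initCause(dnCause);
        }
        if (subjectDn == null) {
            LoginException noCertCause;
            if (this.signatureRequired) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "====> CHECK THE SAML TOKEN FOR KeyInfo/KeyValue/RSAKeyValue.  WE CAN'T GET AN X509CERTIFICATE FROM AN RSA KEY <====");
                }
                noCertCause = new LoginException(MessageHelper.getMessage("security.wssecurity.CWSML7029E", new String[]{KeyInfoUtil.getSupportedX509CertList()}, "CWSML7029E: An X.509 certificate was not obtained from the KeyInfo element in the Security Assertion Markup Language (SAML) assertion, so trust cannot be evaluated.  Either use a KeyInfo method that yields a usable X.509 certificate or turn off trust validation.  The supported methods are [{0}]."));
            } else {
                noCertCause = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS8047E", new String[]{SIGNATURE_REQUIRED}, "CWWSS8047E: The signer certificate is not available.  Either the SAML Assertion was not signed or it was not required to be signed.  Ensure that the [{0}] custom property is set to true."));
            }
            // Append to the innermost exception so the chain reads top → DN → no-cert.
            (dnCause == null ? top : dnCause).initCause(noCertCause);
        }
        return top;
    }

    /** Exception for an untrusted issuer with no signer DN involved. */
    public LoginException buildIssuerException(String issuerName) {
        return buildIssuerException(issuerName, null);
    }

    /**
     * Exception for an untrusted issuer. With a DN, the top-level message is the
     * pair-failure one (CWWSS8044E) and the issuer message (CWWSS8046E) is its cause.
     * A {@code null} issuer additionally gets CWSML7003E (missing Issuer attribute) as
     * the innermost cause.
     */
    public LoginException buildIssuerException(String issuerName, String subjectDn) {
        LoginException top;
        LoginException issuerCause = null;
        if (subjectDn == null) {
            top = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS8046E", new String[]{issuerName}, "CWWSS8046E: The Issuer name [{0}] in the SAML Assertion is not trusted."));
        } else {
            top = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS8044E", new String[]{issuerName, subjectDn}, "CWWSS8044E: The allowed issuer validation failed for the [{0}] SAML issuer name and the [{1}] SubjectDN of the signer certificate.  The SAML issuer and SubjectDN are part of a pair so both must be trusted."));
            issuerCause = new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS8046E", new String[]{issuerName}, "CWWSS8046E: The Issuer name [{0}] in the SAML Assertion is not trusted."));
            top.initCause(issuerCause);
        }
        if (issuerName == null) {
            LoginException missingIssuer = new LoginException(MessageHelper.getMessage("security.wssecurity.CWSML7003E", new String[]{ISSUER}, "CWSML7003E: The [{0}] attribute on the Assertion element is missing or empty."));
            (issuerCause == null ? top : issuerCause).initCause(missingIssuer);
        }
        return top;
    }
}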
