package com.ibm.ws.wssecurity.saml.security.impl;

import com.ibm.ws.wssecurity.common.Constants;
import com.ibm.ws.wssecurity.dsig.WSSSignatureContext;
import com.ibm.ws.wssecurity.saml.binding.saml20.SAMLSpConstants;
import com.ibm.ws.wssecurity.saml.common.util.IdUtils;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.saml.config.impl.SamlConfigUtil;
import com.ibm.ws.wssecurity.util.CertificateUtil;
import com.ibm.ws.wssecurity.util.CommonLogUtils;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.ws.wssecurity.xml.xss4j.AlgorithmFactory;
import com.ibm.ws.wssecurity.xml.xss4j.domutil.DOMUtil;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.IDResolver;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.KeyInfo;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.ReferenceObject;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.ResourceShower;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.SignatureObject;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.Validity;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMDocument;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axiom.om.impl.builder.StAXBuilder;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/saml/security/impl/SAMLSignatureVerification.class */
public class SAMLSignatureVerification {
    // Component identifier string; not referenced anywhere else in this class.
    private static final String comp = "security.wssecurity";
    // Key under which the signer's X509Certificate is stored in, and read back from, the caller-supplied context map.
    public static final String X509CERTIFICATE = "x509Certificate";
    // Trace component used for every entry/exit/debug trace call in this class.
    private static final TraceComponent tc = Tr.register(SAMLSignatureVerification.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Fully qualified class name, used as the source id passed to Tr.processException.
    private static final String clsName = SAMLSignatureVerification.class.getName();
    // Unqualified "Algorithm" attribute name, read from each Transform element in checkReference.
    private static final QName ALGORITHM_Q = new QName("", "Algorithm");
    // Unqualified "Type" attribute name, read from the Reference element in checkReference.
    private static final QName TYPE_Q = new QName("", "Type");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/saml/security/impl/SAMLSignatureVerification$PkixParams.class */
    /**
     * Mutable holder that pairs PKIX builder parameters with the trust-anchor key store.
     *
     * <p>Both fields may be {@code null}. In this file that is the state produced when the
     * consumer configuration reports {@code trustAnySTS()}, and a {@code null}
     * {@link #pkixParameters} makes the verifier skip certificate path validation.
     */
    public static class PkixParams {
        public PKIXBuilderParameters pkixParameters;
        public KeyStore trustAnchor;

        /** Creates a holder with both fields {@code null}. */
        public PkixParams() {
            this(null, null);
        }

        /**
         * Creates a holder with the given values.
         *
         * @param pKIXBuilderParameters PKIX parameters, or {@code null}
         * @param keyStore trust-anchor key store, or {@code null}
         */
        public PkixParams(PKIXBuilderParameters pKIXBuilderParameters, KeyStore keyStore) {
            this.pkixParameters = pKIXBuilderParameters;
            this.trustAnchor = keyStore;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/saml/security/impl/SAMLSignatureVerification$ShowerImpl.class */
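    /**
     * {@link ResourceShower} that copies the bytes handed to it during signature verification
     * into the debug trace.
     *
     * <p>Judging by the method name and the trace labels, those bytes are the signed content
     * itself (SignedInfo and each referenced resource). With debug trace enabled, SAML assertion
     * content therefore ends up in the trace log, so trace files from this component should be
     * handled as sensitive data.
     *
     * <p>Both callbacks return immediately unless debug trace is enabled, matching the
     * {@code tc.isDebugEnabled()} guard used around {@code Tr.debug} in the rest of this class.
     */
    public static class ShowerImpl implements ResourceShower {
        private static final ShowerImpl _instance = new ShowerImpl();

        private ShowerImpl() {
        }

        private static ShowerImpl getInstance() {
            return _instance;
        }

        /**
         * Traces the whole of {@code bArr}.
         *
         * @param i resource index; a negative value is traced under the SignedInfo label
         * @param str optional resource label; when null or empty the index is used instead
         * @param bArr bytes to trace
         * @param str3 passed through to {@code CommonLogUtils.logDebug} (meaning not visible in this file)
         */
        @Override // com.ibm.ws.wssecurity.xml.xss4j.dsig.ResourceShower
        public void showSignedResource(OMElement oMElement, int i, String str, String str2, byte[] bArr, String str3) {
            if (!SAMLSignatureVerification.tc.isDebugEnabled()) {
                // Nothing to trace: skip the stream allocation and keep signed content out of the log.
                return;
            }
            traceSignedResource(i, str, new ByteArrayInputStream(bArr), str3);
        }

        /**
         * Traces {@code i3} bytes of {@code bArr} starting at offset {@code i2}.
         *
         * @param i resource index; a negative value is traced under the SignedInfo label
         * @param str optional resource label; when null or empty the index is used instead
         * @param bArr buffer holding the bytes to trace
         * @param i2 offset of the first byte to trace
         * @param i3 number of bytes to trace
         * @param str3 passed through to {@code CommonLogUtils.logDebug} (meaning not visible in this file)
         */
        @Override // com.ibm.ws.wssecurity.xml.xss4j.dsig.ResourceShower
        public void showSignedResource(OMElement oMElement, int i, String str, String str2, byte[] bArr, int i2, int i3, String str3) {
            if (!SAMLSignatureVerification.tc.isDebugEnabled()) {
                return;
            }
            traceSignedResource(i, str, new ByteArrayInputStream(bArr, i2, i3), str3);
        }

        /** Writes one label line plus the stream content to the debug trace, then closes the stream. */
        private static void traceSignedResource(int index, String label, ByteArrayInputStream content, String logArg) {
            String heading;
            if (index < 0) {
                heading = "ResourceShower logs verify-SignedInfo: ";
            } else if (label == null || label.length() == 0) {
                heading = "ResourceShower logs verify-resource_" + index + ": ";
            } else {
                heading = "ResourceShower logs verify-" + label + ": ";
            }
            Tr.debug(SAMLSignatureVerification.tc, heading);
            CommonLogUtils.logDebug(content, logArg, SAMLSignatureVerification.tc);
            try {
                content.close();
            } catch (Exception e) {
                Tr.debug(SAMLSignatureVerification.tc, "Caught exception closing input stream: e=" + e.getMessage());
            }
        }

        // Compiler-generated accessor; the enclosing class calls it to obtain the singleton.
        static /* synthetic */ ShowerImpl access$000() {
            return getInstance();
        }
    }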

    /**
     * Verifies the signature on {@code oMElement} with no PKIX parameters and a fresh context map.
     *
     * <p>This overload passes {@code null} PKIX builder parameters, so the five-argument overload
     * does not call {@code validateX509}. The {@code keyStore} argument is forwarded, but the
     * five-argument overload in this file never reads it. Callers that need the signer certificate
     * chained to a trust anchor should use the {@code ConsumerConfig} overload instead.
     *
     * @param oMElement element carrying the Signature child to verify
     * @param keyInformation configured key material, or {@code null} to resolve the key from the signature's KeyInfo
     * @param keyStore forwarded unchanged to the five-argument overload
     * @return the result of the five-argument overload
     * @throws SoapSecurityException if verification fails
     */
    public static boolean verify(OMElement oMElement, KeyStoreManager.KeyInformation keyInformation, KeyStore keyStore) throws SoapSecurityException {
        final String methodId = "SAMLSignatureVerification.verify(OMElement,KeyInformation,KeyStore)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, methodId);
        }
        HashMap context = new HashMap();
        boolean signatureValid = verify(oMElement, keyInformation, keyStore, null, context);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, methodId + ": " + signatureValid);
        }
        return signatureValid;
    }

    /**
     * Verifies the signature on {@code oMElement} using trust settings taken from the consumer configuration.
     *
     * <p>The first attempt uses PKIX parameters built without reloading the trust store. If that
     * attempt throws, and the context map has {@code SAMLSpConstants.RETRY_TRUST} set, and PKIX
     * parameters were in use, the parameters are rebuilt with the reload flag and verification is
     * tried exactly once more. Otherwise the original failure is rethrown.
     *
     * <p>NOTE(review): the catch clause does not distinguish trust failures from other failures,
     * so the retry also runs after a cryptographic signature failure. The second attempt performs
     * the full verification again, so this costs work rather than weakening the check; confirm
     * that this is the intended scope of the retry.
     *
     * @param oMElement element carrying the Signature child to verify
     * @param consumerConfig source of the token provider key information and trust settings
     * @param hashMap context map shared with the five-argument overload; also read for the retry flag
     * @return the result of the five-argument overload
     * @throws SoapSecurityException if verification fails and no retry applies, or the retry fails
     */
    public static boolean verify(OMElement oMElement, ConsumerConfig consumerConfig, HashMap hashMap) throws SoapSecurityException {
        final String methodId = "SAMLSignatureVerification.verify(OMElement,ConsumerConfig,HashMap)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, methodId);
        }
        KeyStoreManager.KeyInformation providerKeyInfo = SamlConfigUtil.getTokenProviderKeyInformation(consumerConfig);
        // The result is discarded here as well; the call is kept in case it has a side effect not visible in this file.
        SamlConfigUtil.getTrustStore(consumerConfig);
        PkixParams firstAttempt = createPKIXBuilderParameters(consumerConfig, false);
        boolean signatureValid;
        try {
            signatureValid = verify(oMElement, providerKeyInfo, firstAttempt.trustAnchor, firstAttempt.pkixParameters, hashMap);
        } catch (Exception e) {
            boolean retryRequested = ConfigUtil.getIsTrueProperty(hashMap, SAMLSpConstants.RETRY_TRUST);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "retryOnceAfterTrustFailure[" + retryRequested + "]");
                Tr.debug(tc, "trustAnySTS[" + consumerConfig.trustAnySTS() + "]");
                Tr.debug(tc, "pkixParameters[" + firstAttempt.pkixParameters + "]");
                Tr.debug(tc, "ex[" + ConfigUtil.getObjType(e) + "]");
                Tr.debug(tc, "cause[" + ConfigUtil.getObjType(e.getCause()) + "]");
            }
            // A retry only makes sense when it was requested and there are PKIX parameters to rebuild.
            boolean shouldRetry = retryRequested && firstAttempt.pkixParameters != null;
            if (!shouldRetry) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No retry, rethrowing exception.");
                }
                if (e instanceof SoapSecurityException) {
                    throw ((SoapSecurityException) e);
                }
                throw new SoapSecurityException((Throwable) e, true);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Validation failed, rebuild pkixBuilderParams and try again.");
            }
            PkixParams secondAttempt = createPKIXBuilderParameters(consumerConfig, true);
            signatureValid = verify(oMElement, providerKeyInfo, secondAttempt.trustAnchor, secondAttempt.pkixParameters, hashMap);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, methodId + ": " + signatureValid);
        }
        return signatureValid;
    }

    /**
     * Core signature check: resolves the verification key, optionally validates the signer
     * certificate, then verifies the Signature child over a detached clone of the element.
     *
     * <p>Order of checks: key resolution, certificate validation (only when PKIX parameters are
     * given), signature cache lookup, cryptographic verification.
     *
     * @param oMElement element whose direct Signature child is verified (a SAML assertion, per the trace messages)
     * @param keyInformation configured key material; when {@code null} the key is obtained through
     *        {@code KeyInfoUtil.extractKey} from the signature's KeyInfo element
     * @param keyStore not read anywhere in this method body
     * @param pKIXBuilderParameters when non-null, a signer certificate must be present and pass
     *        {@code validateX509}; when {@code null}, no certificate validation happens in this method
     * @param hashMap context map; the signer certificate is stored or read under {@link #X509CERTIFICATE}
     * @return {@code true} when a cache entry matched or the signature verified
     * @throws SoapSecurityException when no key can be resolved, the certificate is missing or
     *         fails validation, or core validity is false
     */
    public static boolean verify(OMElement oMElement, KeyStoreManager.KeyInformation keyInformation, KeyStore keyStore, PKIXBuilderParameters pKIXBuilderParameters, HashMap hashMap) throws SoapSecurityException {
        Key extractKey;
        X509Certificate x509Certificate;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "SAMLSignatureVerification.verify(OMElement,KeyInformation,KeyStore,PKIXBuilderParameters,HashMap)");
        }
        // KeyInfo is looked up on the original element, before it is cloned below.
        OMElement searchForKeyInfo = KeyInfo.searchForKeyInfo(DOMUtils.getOneChildElement(oMElement, Constants.NS_DSIG, "Signature"));
        if (keyInformation != null) {
            // Configured key material takes precedence; its certificate is published to the context map.
            extractKey = KeyInfoUtil.getKey(keyInformation, searchForKeyInfo, true);
            x509Certificate = (X509Certificate) keyInformation.getCertificate();
            hashMap.put(X509CERTIFICATE, x509Certificate);
        } else {
            // NOTE(review): here the key presumably comes from data carried in the message itself.
            // Unless pKIXBuilderParameters is non-null below, nothing in this method ties that key to
            // a trusted issuer - confirm callers never reach this branch with PKIX validation disabled
            // unless that is an explicit configuration choice.
            extractKey = KeyInfoUtil.extractKey(searchForKeyInfo, hashMap);
            x509Certificate = (X509Certificate) hashMap.get(X509CERTIFICATE);
        }
        if (extractKey == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Can not locate KeyInfo to verify SAML signature.");
            }
            throw new SoapSecurityException("security.wssecurity.WSEC7074E");
        }
        if (pKIXBuilderParameters != null) {
            // With PKIX parameters a certificate is mandatory; a bare key is rejected.
            if (x509Certificate == null) {
                String message = MessageHelper.getMessage("security.wssecurity.CWSML7029E", new String[]{"SecurityTokenReference", getSupportedX509CertList()});
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate is null");
                    Tr.debug(tc, message);
                }
                throw SoapSecurityException.format(message);
            }
            validateX509(pKIXBuilderParameters, x509Certificate);
        }
        // The cache lookup runs after certificate validation, so a hit skips only the cryptographic
        // check below. NOTE(review): how SignatureCache keys its entries is not visible in this file,
        // and x509Certificate can be null here when PKIX validation is off - confirm the cache
        // handles that case safely.
        if (SignatureCache.match(oMElement, x509Certificate)) {
            if (!tc.isDebugEnabled()) {
                return true;
            }
            Tr.debug(tc, "SAML Assertion signature is verified with cache");
            return true;
        }
        WSSSignatureContext wSSSignatureContext = new WSSSignatureContext();
        wSSSignatureContext.setAlgorithmFactory(AlgorithmFactory.getInstance());
        wSSSignatureContext.setIDResolver(IdUtils.getInstance());
        wSSSignatureContext.setResourceShower(ShowerImpl.access$000());
        SignatureObject signatureObject = new SignatureObject();
        // Verification works on a detached clone installed as the root of a new document, so that
        // checkReference can require every Reference to resolve to the document element.
        OMDocument createDocument = DOMUtils.createDocument();
        OMElement cloneOMElement = oMElement.cloneOMElement();
        if (cloneOMElement.getParent() != null) {
            cloneOMElement.detach();
            StAXBuilder builder = cloneOMElement.getBuilder();
            if (builder != null) {
                builder.releaseParserOnClose(true);
            }
        }
        createDocument.setOMDocumentElement(cloneOMElement);
        wSSSignatureContext.setDocument(createDocument);
        OMElement oneChildElement = DOMUtils.getOneChildElement(cloneOMElement, Constants.NS_DSIG, "Signature");
        signatureObject.setOwnerDocument(createDocument);
        // Walk the children of the cloned Signature element and load them into signatureObject.
        OMElement firstElement = DOMUtils.getFirstElement((OMNode) oneChildElement);
        while (true) {
            OMElement oMElement2 = firstElement;
            if (oMElement2 == null) {
                break;
            }
            String namespaceURI = oMElement2.getNamespace() == null ? null : oMElement2.getNamespace().getNamespaceURI();
            String localName = oMElement2.getLocalName();
            // Children are recognised only by this hash of namespace URI and local name; no string
            // comparison follows. NOTE(review): confirm the HASH_DS_* constants are derived the same
            // way, and consider an explicit namespace/local-name equality check next to the hash.
            int hashCode = (namespaceURI == null ? 0 : namespaceURI.hashCode() * 31) + (localName == null ? 0 : localName.hashCode());
            if (hashCode == Constants.HASH_DS_SIGNEDINFO) {
                signatureObject.setSignedInfoElement(oMElement2);
                // Validates the SignedInfo children, including the Reference target check.
                checkSignedInfo(createDocument, oMElement2, signatureObject, wSSSignatureContext.getIDResolver());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, localName + " is OK.");
                }
            } else if (hashCode == Constants.HASH_DS_KEYINFO) {
                signatureObject.setKey(oMElement2);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, localName + " is OK.");
                }
            } else if (hashCode == Constants.HASH_DS_SIGNATUREVALUE) {
                signatureObject.setSignatureValue(DOMUtil.getStringValue(oMElement2));
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, localName + " is OK.");
                }
            } else if (hashCode == Constants.HASH_DS_OBJECT) {
                // Object children are accepted but never processed.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, localName + " is OK. But this consumer ignores it.");
                }
            } else if (tc.isDebugEnabled()) {
                // Unrecognised children are only traced, not rejected.
                Tr.debug(tc, DOMUtils.getQualifiedName(oMElement2), DOMUtils.getQualifiedName(oneChildElement));
            }
            firstElement = DOMUtils.getNextElement(oMElement2);
        }
        // Cryptographic verification with the key resolved at the top of the method.
        Validity verify = wSSSignatureContext.verify(oneChildElement, extractKey, signatureObject);
        boolean coreValidity = verify.getCoreValidity();
        String str = null;
        if (!coreValidity) {
            // Build a diagnostic string covering SignedInfo and every Reference; it is both traced
            // and carried in the exception thrown below.
            StringBuffer stringBuffer = new StringBuffer();
            stringBuffer.append("Core validity=");
            stringBuffer.append(coreValidity);
            stringBuffer.append(" Signed info validity=");
            stringBuffer.append(verify.getSignedInfoValidity());
            stringBuffer.append(" Signed info message='");
            stringBuffer.append(verify.getSignedInfoMessage());
            stringBuffer.append("'");
            int numberOfReferences = verify.getNumberOfReferences();
            for (int i = 0; i < numberOfReferences; i++) {
                stringBuffer.append("(validity=");
                stringBuffer.append(verify.getReferenceValidity(i));
                stringBuffer.append(" message='");
                stringBuffer.append(verify.getReferenceMessage(i));
                stringBuffer.append("' uri='");
                stringBuffer.append(verify.getReferenceURI(i));
                stringBuffer.append("' type='");
                stringBuffer.append(verify.getReferenceType(i));
                stringBuffer.append("')");
            }
            str = stringBuffer.toString();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAML Assertion signature verification failed: " + str);
            }
        }
        // str is non-null exactly when core validity failed, so this is the fail-closed exit.
        if (str != null) {
            throw SoapSecurityException.format("security.wssecurity.SignatureConsumer.s01", str);
        }
        // Only a successfully verified element/certificate pair is added to the cache.
        SignatureCache.put(oMElement, x509Certificate);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SAML Assertion signature is verified:" + coreValidity);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "SAMLSignatureVerification.verify(OMElement,KeyInformation,KeyStore,PKIXBuilderParameters,HashMap): " + coreValidity);
        }
        return coreValidity;
    }

    /**
     * Reads the children of a SignedInfo element into {@code signatureObject}.
     *
     * <p>The canonicalization and signature method URIs are copied from the message as they are,
     * and each Reference child is handed to {@code checkReference}. Unrecognised children are only
     * traced.
     *
     * <p>NOTE(review): no algorithm allow-list is applied in this method; any restriction on
     * acceptable algorithms would have to be enforced by the signature context or its algorithm
     * factory, which are not visible in this file.
     *
     * @param oMDocument document whose root every Reference must resolve to
     * @param oMElement the SignedInfo element
     * @param signatureObject receives the methods and references found
     * @param iDResolver resolver passed on to {@code checkReference}
     * @throws SoapSecurityException if a Reference is rejected
     */
    private static void checkSignedInfo(OMDocument oMDocument, OMElement oMElement, SignatureObject signatureObject, IDResolver iDResolver) throws SoapSecurityException {
        for (OMElement child = DOMUtils.getFirstElement((OMNode) oMElement); child != null; child = DOMUtils.getNextElement(child)) {
            String nsUri = child.getNamespace() == null ? null : child.getNamespace().getNamespaceURI();
            String name = child.getLocalName();
            // Same hash-based recognition of child elements as in the calling verify method.
            int nsPart = nsUri == null ? 0 : nsUri.hashCode() * 31;
            int namePart = name == null ? 0 : name.hashCode();
            int elementKey = nsPart + namePart;
            if (elementKey == Constants.HASH_DS_C14NMETHOD) {
                String c14nAlgorithm = DOMUtils.getAttribute(child, "Algorithm");
                signatureObject.setC14NMethod(c14nAlgorithm);
                signatureObject.setC14NMethodElement(child);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, name + " [" + c14nAlgorithm + "] is OK.");
                }
                continue;
            }
            if (elementKey == Constants.HASH_DS_SIGNATUREMETHOD) {
                String signatureAlgorithm = DOMUtils.getAttribute(child, "Algorithm");
                signatureObject.setSignatureMethod(signatureAlgorithm);
                signatureObject.setSignatureMethodElement(child);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, name + " [" + signatureAlgorithm + "] is OK.");
                }
                continue;
            }
            if (elementKey == Constants.HASH_DS_REFERENCE) {
                checkReference(oMDocument, child, iDResolver, signatureObject);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, name + " is OK.");
                }
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, DOMUtils.getQualifiedName(child), DOMUtils.getQualifiedName(oMElement));
            }
        }
    }

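    /**
     * Reads one Reference element into a {@code ReferenceObject}, checks what it points at, and
     * adds it to {@code signatureObject}.
     *
     * <p>Only two URI forms are accepted: the empty string (whole document) and a same-document
     * {@code #id} reference. In both cases the resolved element must be the document element;
     * a reference that resolves to any other element is rejected, which is the guard against
     * signature wrapping named in the trace message below.
     *
     * <p>Changes from the decompiled original: the walk over Transform children now stops at the
     * last sibling (the original loop had no exit once the sibling list was exhausted), and a
     * Reference without a URI attribute is rejected explicitly instead of failing on a null
     * dereference.
     *
     * <p>NOTE(review): transform and digest algorithm URIs are copied from the message as they
     * are; any allow-list would have to be enforced by the signature engine, which is not visible
     * in this file.
     *
     * @param oMDocument document whose root element must be the signed target
     * @param oMElement the Reference element
     * @param iDResolver resolves {@code #id} references inside {@code oMDocument}
     * @param signatureObject receives the populated reference
     * @throws SoapSecurityException if the URI is missing, has an unsupported form, cannot be
     *         resolved, or resolves to anything other than the document element
     */
    private static void checkReference(OMDocument oMDocument, OMElement oMElement, IDResolver iDResolver, SignatureObject signatureObject) throws SoapSecurityException {
        OMElement resolveID;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkReference(Document doc[" + DOMUtils.getDisplayName(oMDocument) + "],Element reference[" + DOMUtils.getDisplayName((OMNode) oMElement) + "],IDResolver idResolver[" + iDResolver + "],SignatureObject signatureObject[" + signatureObject + "],Map context)");
        }
        ReferenceObject referenceObject = new ReferenceObject();
        for (OMElement child = DOMUtils.getFirstElement((OMNode) oMElement); child != null; child = DOMUtils.getNextElement(child)) {
            String namespaceURI = child.getNamespace() == null ? null : child.getNamespace().getNamespaceURI();
            String localName = child.getLocalName();
            int hashCode = (namespaceURI == null ? 0 : namespaceURI.hashCode() * 31) + (localName == null ? 0 : localName.hashCode());
            if (hashCode == Constants.HASH_DS_TRANSFORMS) {
                referenceObject.setTransformsElement(child);
                // Bounded walk over the Transform children; terminates when the siblings run out.
                for (OMElement transform = DOMUtils.getFirstElement((OMNode) child); transform != null; transform = DOMUtils.getNextElement(transform)) {
                    String transformNamespaceURI = transform.getNamespace() == null ? null : transform.getNamespace().getNamespaceURI();
                    String transformLocalName = transform.getLocalName();
                    int transformHash = (transformNamespaceURI == null ? 0 : transformNamespaceURI.hashCode() * 31) + (transformLocalName == null ? 0 : transformLocalName.hashCode());
                    if (transformHash == Constants.HASH_DS_TRANSFORM) {
                        referenceObject.addTransformAlgorithmAndParameter(transform.getAttributeValue(ALGORITHM_Q), DOMUtil.getFirstChildElement(transform));
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, transformLocalName + " is OK.");
                        }
                    }
                }
            } else if (hashCode == Constants.HASH_DS_DIGESTMETHOD) {
                String attribute = DOMUtils.getAttribute(child, "Algorithm");
                referenceObject.setDigestAlgorithm(attribute);
                referenceObject.setDigestMethod(child);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, localName + " [" + attribute + "] is OK.");
                }
            } else if (hashCode == Constants.HASH_DS_DIGESTVALUE) {
                referenceObject.setDigestValue(DOMUtil.getStringValue(child));
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, localName + " is OK.");
                }
            } else if (tc.isDebugEnabled()) {
                Tr.warning(tc, "security.wssecurity.WSEC6833W", new Object[]{DOMUtils.getQualifiedName(child), DOMUtils.getQualifiedName(oMElement)});
            }
        }
        String attribute2 = DOMUtils.getAttribute(oMElement, "URI");
        if (attribute2 == null) {
            // Fail closed: a Reference with no URI is never treated as a whole-document reference.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The Reference has no URI attribute and is rejected.");
            }
            throw SoapSecurityException.format("security.wssecurity.SignatureConsumer.s02", "null");
        }
        referenceObject.setUriRef(attribute2);
        referenceObject.setType(oMElement.getAttributeValue(TYPE_Q));
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Processing URI [" + attribute2 + "]...");
        }
        if (attribute2.length() == 0) {
            // An empty URI refers to the whole document.
            resolveID = oMDocument.getOMDocumentElement();
        } else {
            // Anything other than a same-document "#id" reference is refused, so no external
            // resource is ever dereferenced here.
            if (attribute2.length() < 2 || attribute2.charAt(0) != '#') {
                throw SoapSecurityException.format("security.wssecurity.SignatureConsumer.s02", attribute2);
            }
            attribute2 = attribute2.substring(1);
            resolveID = iDResolver.resolveID(oMDocument, attribute2);
        }
        if (resolveID == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The URI [" + attribute2 + "] is not supported.  Either the id is defined in the wrong namespace or no id's have a matching value.");
            }
            throw SoapSecurityException.format("security.wssecurity.SignatureConsumer.s02", attribute2);
        }
        // The signed element must be the document root; anything nested is rejected.
        if (!resolveID.equals(oMDocument.getOMDocumentElement())) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The URI [" + attribute2 + "] is resolved to a wrapped element.  The whole document is expected to be signed. There may be a signature wrapping attack.");
            }
            throw SoapSecurityException.format("security.wssecurity.SignatureConsumer.s02", attribute2);
        }
        referenceObject.setOwnerDocument(signatureObject.getOwnerDocument());
        signatureObject.add(referenceObject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkReference(Document doc,Element reference,IDResolver idResolver,SignatureObject signatureObject");
        }
    }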

    /**
     * Validates the signer certificate against the supplied PKIX parameters.
     *
     * <p>Any exception raised by {@code CertificateUtil.validateX509Certificate} is reported
     * through {@code Tr.processException} and rethrown wrapped in a {@link SoapSecurityException},
     * so a validation failure can never look like success.
     *
     * @param pKIXBuilderParameters PKIX parameters to validate with
     * @param x509Certificate certificate to validate
     * @return always {@code true}; failure is signalled by the exception
     * @throws SoapSecurityException wrapping whatever the validation threw
     */
    private static final boolean validateX509(PKIXBuilderParameters pKIXBuilderParameters, X509Certificate x509Certificate) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            // Only presence is traced, never the certificate or parameter contents.
            String paramsState = pKIXBuilderParameters == null ? "null" : "not null";
            String certState = x509Certificate == null ? "null" : "not null";
            Tr.entry(tc, "SAMLSignatureVerification.validateX509(pkixBuilderParams[" + paramsState + "], cert[" + certState + "])");
        }
        try {
            CertificateUtil.validateX509Certificate(x509Certificate, null, pKIXBuilderParameters);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "SAMLSignatureVerification.validateX509");
            }
            return true;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".validateX509", "916");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception caught: " + e.getMessage() + ": " + e.getCause());
            }
            throw new SoapSecurityException((Throwable) e, true);
        }
    }

    /**
     * Builds the PKIX parameters and trust anchor described by the consumer configuration.
     *
     * <p>When {@code consumerConfig.trustAnySTS()} is true, no trust store is loaded and both
     * fields of the result stay {@code null}; the verifier then performs no certificate path
     * validation. Otherwise a trust store is required, and a missing store or a failure to build
     * the parameters is reported as a {@link SoapSecurityException}.
     *
     * @param consumerConfig source of the trust store, cert stores and revocation setting
     * @param z reload flag passed to {@code SamlConfigUtil.getTrustStore}
     * @return holder with the parameters and trust anchor, both {@code null} under trustAnySTS
     * @throws SoapSecurityException if the trust store is missing or the parameters cannot be built
     */
    private static PkixParams createPKIXBuilderParameters(ConsumerConfig consumerConfig, boolean z) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createPKIXBuilderParameters(ConsumerConfig[" + ConfigUtil.getObjState(consumerConfig) + "], reloadKeystore[" + z + "])");
        }
        KeyStore trustStore = null;
        PKIXBuilderParameters builderParams = null;
        boolean trustAnyIssuer = consumerConfig.trustAnySTS();
        if (!trustAnyIssuer) {
            trustStore = SamlConfigUtil.getTrustStore(consumerConfig, z);
            if (trustStore == null) {
                // Fail closed: without trustAnySTS a trust anchor is mandatory.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Valid TrustAnchor is required.");
                }
                throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML2040E"));
            }
            try {
                builderParams = CertificateUtil.createPKIXBuilderParameters(trustStore, (List) consumerConfig.getCertStores(), consumerConfig.getRevocationEnabled(), false);
            } catch (LoginException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught exception from CertificateUtil.createPKIXBuilderParameters: " + e);
                }
                Tr.processException(e, clsName + ".createPKIXBuilderParameters(OMElement,ConsumerConfig,HashMap)", "565");
                throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML2040E"), e);
            }
        }
        PkixParams result = new PkixParams(builderParams, trustStore);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createPKIXBuilderParameters returns pkixParameters[" + ConfigUtil.getObjState(result.pkixParameters) + "], trustAnchor[" + ConfigUtil.getObjState(result.trustAnchor) + "]");
        }
        return result;
    }

    /**
     * Returns the list of KeyInfo forms that is inserted into the error message raised when
     * PKIX validation is requested but no signer certificate was found.
     *
     * @return the fixed text {@code "X509Data, KeyName"}
     */
    private static String getSupportedX509CertList() {
        final String supportedForms = "X509Data, KeyName";
        return supportedForms;
    }
}
