package no.digipost.api.interceptors;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import no.digipost.api.exceptions.ebms.standard.processing.OtherException;
import no.digipost.api.xml.Constants;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.Timestamp;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SignatureTrustValidator;
import org.apache.wss4j.dom.validate.TimestampValidator;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.server.EndpointExceptionResolver;
import org.springframework.ws.soap.SoapMessage;
import org.springframework.ws.soap.security.AbstractWsSecurityInterceptor;
import org.springframework.ws.soap.security.WsSecurityFaultException;
import org.springframework.ws.soap.security.WsSecuritySecurementException;
import org.springframework.ws.soap.security.WsSecurityValidationException;
import org.springframework.ws.soap.security.callback.CleanupCallback;
import org.springframework.ws.soap.security.wss4j.Wss4jSecuritySecurementException;
import org.springframework.ws.soap.security.wss4j.Wss4jSecurityValidationException;
import org.w3c.dom.Document;

/* loaded from: input_file:no/digipost/api/interceptors/Wss4jInterceptor.class */
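/**
 * WS-Security interceptor for ebMS traffic, built on WSS4J.
 *
 * <p>Outgoing messages are secured with the configured {@code securementActions} (by default
 * {@code "Timestamp Signature"}, RSA-SHA256 with SHA-256 digests and a DirectReference key
 * identifier). Incoming messages are validated with the configured {@code validationActions}:
 * the WS-Security header is processed by a {@link WSSecurityEngine}, the received actions are
 * matched against the expected ones, the {@code eb:Messaging} header must be covered by the
 * signature, certificate trust and the timestamp are re-verified, and finally the signing
 * certificate is published to the message context under {@link #INCOMING_CERTIFICATE}.
 *
 * <p>The algorithms accepted on incoming signatures are the same ones configured for outgoing
 * signing ({@link #setSecurementSignatureAlgorithm(String)} and
 * {@link #setSecurementSignatureDigestAlgorithm(String)}).
 *
 * <p>{@code logger} and {@code WS_SECURITY_NAME} are inherited from
 * {@link AbstractWsSecurityInterceptor}.
 */
public class Wss4jInterceptor extends AbstractWsSecurityInterceptor {
    /** Message-context property that overrides {@code securementUsername} for a single outgoing message. */
    public static final String SECUREMENT_USER_PROPERTY_NAME = "Wss4jSecurityInterceptor.securementUser";
    /** Message-context property under which the signing certificate of a validated incoming message is published. */
    public static final String INCOMING_CERTIFICATE = "Wss4jInterceptor.incoming.certificate";

    // WSS4J action codes as produced by WSSecurityUtil.decodeAction (see org.apache.wss4j.dom.WSConstants).
    private static final int ACTION_NO_SECURITY = 0;
    private static final int ACTION_USERNAME_TOKEN = 1;
    private static final int ACTION_SIGNATURE = 2;
    private static final int ACTION_TIMESTAMP = 32;

    // Keys of WSSecurityEngineResult entries (WSSecurityEngineResult.TAG_*) and of the
    // receiver-results message-context property (WSHandlerConstants.RECV_RESULTS).
    private static final String TAG_X509_CERTIFICATE = "x509-certificate";
    private static final String TAG_TIMESTAMP = "timestamp";
    private static final String TAG_DATA_REF_URIS = "data-ref-uris";
    private static final String RECV_RESULTS_PROPERTY = "RECV_RESULTS";

    private static final String SHA256_DIGEST_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#sha256";
    private static final String EXC_C14N_ALGORITHM = "http://www.w3.org/2001/10/xml-exc-c14n#";

    private String securementActions;
    private List<Integer> securementActionsVector;
    private String securementUsername;
    // NOTE(review): validationCallbackHandler, validationActor, securementUsername,
    // enableSignatureConfirmation, wssConfig and exceptionResolver have no setters in this
    // class and keep their default (null/false) unless assigned by other means — confirm.
    private CallbackHandler validationCallbackHandler;
    private String validationActions;
    private List<Integer> validationActionsVector;
    private String validationActor;
    private Crypto validationSignatureCrypto;
    private boolean enableSignatureConfirmation;
    private WSSConfig wssConfig;
    private boolean enableRevocation;
    private EndpointExceptionResolver exceptionResolver;
    // Digest and signature algorithm used for signing; also the only ones accepted on validation.
    private String digestAlgorithm;
    private String securementSignatureAlgorithm;
    private final boolean timestampStrict = true;
    // Timestamp time-to-live in seconds, for validation and securement respectively.
    private int validationTimeToLive = 120;
    private int securementTimeToLive = 120;
    private final WSSecurityEngine securityEngine = new WSSecurityEngine();
    private final Wss4jHandler handler = new Wss4jHandler();

    /**
     * Creates an interceptor that signs and timestamps outgoing messages with RSA-SHA256 /
     * SHA-256 and expects the same actions on incoming messages.
     */
    public Wss4jInterceptor() {
        setSecurementSignatureAlgorithm(Constants.RSA_SHA256);
        setSecurementSignatureDigestAlgorithm(SHA256_DIGEST_ALGORITHM);
        setSecurementSignatureKeyIdentifier("DirectReference");
        setSecurementActions("Timestamp Signature");
        setValidationActions("Timestamp Signature");
    }

    /**
     * Sets the space-separated WSS4J actions applied to outgoing messages.
     *
     * @param str action names, e.g. {@code "Timestamp Signature"}
     * @throws IllegalArgumentException if the string cannot be decoded by WSS4J
     */
    public void setSecurementActions(String str) {
        this.securementActions = str;
        try {
            this.securementActionsVector = WSSecurityUtil.decodeAction(str);
        } catch (WSSecurityException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** Sets the WS-Security actor attribute written on outgoing headers. */
    public void setSecurementActor(String str) {
        this.handler.setOption("actor", str);
    }

    /** Sets the password handed to the securement handler (e.g. for the signing key). */
    public void setSecurementPassword(String str) {
        this.handler.setSecurementPassword(str);
    }

    /**
     * Sets the XML signature algorithm URI used when signing; the same algorithm is the only
     * one accepted on incoming signatures.
     */
    public void setSecurementSignatureAlgorithm(String str) {
        this.handler.setOption("signatureAlgorithm", str);
        this.securementSignatureAlgorithm = str;
    }

    /**
     * Sets the digest algorithm URI used when signing; the same algorithm is the only one
     * accepted on incoming signatures.
     */
    public void setSecurementSignatureDigestAlgorithm(String str) {
        this.handler.setOption("signatureDigestAlgorithm", str);
        this.digestAlgorithm = str;
    }

    /** Sets the {@link Crypto} holding the signing key for outgoing messages. */
    public void setSecurementSignatureCrypto(Crypto crypto) {
        this.handler.setSecurementSignatureCrypto(crypto);
    }

    /** Sets how the signing key is referenced from the signature (e.g. {@code "DirectReference"}). */
    public void setSecurementSignatureKeyIdentifier(String str) {
        this.handler.setOption("signatureKeyIdentifier", str);
    }

    /** Sets the parts that must be signed on outgoing messages (WSS4J signatureParts syntax). */
    public void setSecurementSignatureParts(String str) {
        this.handler.setOption("signatureParts", str);
    }

    /** Sets the parts that are signed on outgoing messages only if present. */
    public void setSecurementSignatureIfPresentParts(String str) {
        this.handler.setOption("optionalSignatureParts", str);
    }

    /** Sets the alias of the signing key used for outgoing messages. */
    public void setSecurementSignatureUser(String str) {
        this.handler.setOption("signatureUser", str);
    }

    /**
     * Sets the time-to-live, in seconds, written into outgoing timestamps.
     *
     * @throws IllegalArgumentException if {@code i} is not positive
     */
    public void setSecurementTimeToLive(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException("timeToLive must be positive");
        }
        this.securementTimeToLive = i;
    }

    /**
     * Sets the maximum accepted age, in seconds, of an incoming timestamp (see {@link #verifyTimestamp}).
     *
     * @throws IllegalArgumentException if {@code i} is not positive
     */
    public void setValidationTimeToLive(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException("timeToLive must be positive");
        }
        this.validationTimeToLive = i;
    }

    /**
     * Sets the space-separated WSS4J actions an incoming message must carry.
     *
     * @param str action names, e.g. {@code "Timestamp Signature"}
     * @throws IllegalArgumentException if the string cannot be decoded by WSS4J
     */
    public void setValidationActions(String str) {
        this.validationActions = str;
        try {
            this.validationActionsVector = WSSecurityUtil.decodeAction(str);
        } catch (WSSecurityException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** Sets the {@link Crypto} (trust store) used to verify incoming signatures. */
    public void setValidationSignatureCrypto(Crypto crypto) {
        this.validationSignatureCrypto = crypto;
    }

    /** Enables certificate revocation checking when verifying trust in incoming signing certificates. */
    public void setEnableRevocation(boolean z) {
        this.enableRevocation = z;
    }

    /** Toggles Basic Security Profile compliance in the securement handler. */
    public void setBspCompliant(boolean z) {
        this.handler.setOption("isBSPCompliant", z);
    }

    /**
     * Checks that the configuration is usable: at least one of validation/securement actions
     * must be set, and validation of UsernameToken/Signature requires a callback handler /
     * signature crypto respectively.
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.isTrue(this.validationActions != null || this.securementActions != null,
                "validationActions or securementActions are required");
        if (this.validationActions != null) {
            if (this.validationActionsVector.contains(ACTION_USERNAME_TOKEN)) {
                Assert.notNull(this.validationCallbackHandler, "validationCallbackHandler is required");
            }
            if (this.validationActionsVector.contains(ACTION_SIGNATURE)) {
                Assert.notNull(this.validationSignatureCrypto, "validationSignatureCrypto is required");
            }
        }
    }

    /**
     * Routes a security fault to the configured {@code exceptionResolver}.
     *
     * @return {@code false} (request processing stops) when a resolver handled the fault
     * @throws OtherException when no exception resolver is configured
     */
    @Override
    protected boolean handleFaultException(WsSecurityFaultException wsSecurityFaultException, MessageContext messageContext) {
        if (this.logger.isWarnEnabled()) {
            this.logger.warn("Could not handle request: " + wsSecurityFaultException.getMessage());
        }
        if (this.exceptionResolver == null) {
            // Log text is Norwegian for "exception resolver not set".
            this.logger.error("Exception resolver ikke satt");
            throw new OtherException();
        }
        this.exceptionResolver.resolveException(messageContext, null, wsSecurityFaultException);
        return false;
    }

    /**
     * Applies the securement actions to an outgoing message.
     *
     * <p>Nothing is done when no action (or only {@code NoSecurity}) is configured, unless
     * signature confirmation is enabled, in which case the handler runs with an empty action list.
     *
     * @throws WsSecuritySecurementException if WSS4J fails to decode or apply the actions
     */
    @Override
    protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecuritySecurementException {
        boolean noSecurity = this.securementActionsVector.isEmpty()
                || this.securementActionsVector.contains(ACTION_NO_SECURITY);
        if (noSecurity && !this.enableSignatureConfirmation) {
            return;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Securing message [" + soapMessage + "] with actions [" + this.securementActions + "]");
        }
        RequestData requestData = initializeRequestData(messageContext);
        requestData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage));
        Document document = soapMessage.getDocument();
        try {
            if (noSecurity) {
                // Signature confirmation with no other action: give the handler an empty action
                // vector rather than one containing NoSecurity.
                this.securementActionsVector = new ArrayList<Integer>(0);
            }
            // decodeHandlerAction and doSenderAction are the calls declaring WSSecurityException;
            // both belong inside the try so the catch below is reachable.
            this.handler.doSenderAction(document, requestData,
                    WSSecurityUtil.decodeHandlerAction(this.securementActions, this.wssConfig), true);
        } catch (WSSecurityException e) {
            throw new Wss4jSecuritySecurementException(e.getMessage(), e);
        }
        soapMessage.setDocument(document);
    }

    /**
     * Builds the {@link RequestData} for securing an outgoing message.
     *
     * <p>The username comes from the {@link #SECUREMENT_USER_PROPERTY_NAME} context property when
     * set, otherwise from {@code securementUsername}. The signature is appended after the timestamp.
     */
    protected RequestData initializeRequestData(MessageContext messageContext) {
        RequestData requestData = new RequestData();
        requestData.setMsgContext(messageContext);
        String contextUser = (String) messageContext.getProperty(SECUREMENT_USER_PROPERTY_NAME);
        requestData.setUsername(StringUtils.hasLength(contextUser) ? contextUser : this.securementUsername);
        requestData.setAppendSignatureAfterTimestamp(true);
        requestData.setTimeToLive(this.securementTimeToLive);
        requestData.setWssConfig(this.wssConfig);
        return requestData;
    }

    /**
     * Validates the WS-Security header of an incoming message.
     *
     * <p>Order of checks: header processed by the engine (signature verification, algorithm
     * suite, trust), received actions matched against the expected ones, {@code eb:Messaging}
     * required to be signed, certificate trust and timestamp re-verified. Only when all checks
     * pass are the certificate and handler results published to the message context and the
     * security header removed from the envelope.
     *
     * @throws WsSecurityValidationException if the header is missing or any check fails
     */
    @Override
    protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext) throws WsSecurityValidationException {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Validating message [" + soapMessage + "] with actions [" + this.validationActions + "]");
        }
        if (this.validationActionsVector.isEmpty() || this.validationActionsVector.contains(ACTION_NO_SECURITY)) {
            return;
        }
        Document document = soapMessage.getDocument();
        try {
            RequestData requestData = new RequestData();
            requestData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage));
            requestData.setWssConfig(this.wssConfig);
            requestData.setSigVerCrypto(this.validationSignatureCrypto);
            requestData.setCallbackHandler(this.validationCallbackHandler);
            // Apply the configured revocation setting to the engine's own trust validation too,
            // not only to the explicit verifyCertificateTrust() pass below.
            requestData.setEnableRevocation(this.enableRevocation);
            requestData.setAlgorithmSuite(buildValidationAlgorithmSuite());
            // WSS4J's timestamp replay cache is disabled; nothing in this class detects replayed
            // messages, so duplicate detection (if required) must happen in a later layer — confirm.
            requestData.setEnableTimestampReplayCache(false);

            List<WSSecurityEngineResult> results =
                    this.securityEngine.processSecurityHeader(document, this.validationActor, requestData);
            if (CollectionUtils.isEmpty(results)) {
                throw new Wss4jSecurityValidationException("No WS-Security header found");
            }
            checkResults(results, this.validationActionsVector);
            validateEbmsMessagingIsSigned(document.getDocumentElement().getPrefix(), results);
            verifyCertificateTrust(results);
            verifyTimestamp(results);
            // Publish to the context only after every check passed, so a rejected message never
            // leaves an unverified certificate behind for later interceptors.
            updateMessageContextWithCertificate(messageContext, results);
            updateContextWithResults(messageContext, results);
            soapMessage.setDocument(document);
            soapMessage.getEnvelope().getHeader().removeHeaderElement(WS_SECURITY_NAME);
        } catch (WSSecurityException e) {
            throw new Wss4jSecurityValidationException(e.getMessage(), e);
        }
    }

    /**
     * Algorithm suite handed to the security engine: the configured digest and signature
     * algorithms plus exclusive canonicalization are the only ones accepted on incoming signatures.
     */
    private AlgorithmSuite buildValidationAlgorithmSuite() {
        AlgorithmSuite suite = new AlgorithmSuite();
        suite.addDigestAlgorithm(this.digestAlgorithm);
        suite.addSignatureMethod(this.securementSignatureAlgorithm);
        suite.addC14nAlgorithm(EXC_C14N_ALGORITHM);
        return suite;
    }

    /**
     * Publishes the certificate of the signature result under {@link #INCOMING_CERTIFICATE}.
     * Does nothing when there is no signature result or it carries no X.509 certificate.
     */
    private void updateMessageContextWithCertificate(MessageContext messageContext, List<WSSecurityEngineResult> results) {
        WSSecurityEngineResult signatureResult = WSSecurityUtil.fetchActionResult(results, ACTION_SIGNATURE);
        if (signatureResult == null) {
            return;
        }
        X509Certificate certificate = (X509Certificate) signatureResult.get(TAG_X509_CERTIFICATE);
        if (certificate != null) {
            messageContext.setProperty(INCOMING_CERTIFICATE, certificate);
        }
    }

    /**
     * Requires that the {@code eb:Messaging} header element is among the elements covered by
     * the signature, and that it sits directly under the SOAP Header
     * ({@code /env:Envelope/env:Header/eb:Messaging}) rather than anywhere else in the document.
     *
     * <p>Only the Messaging header is asserted here; coverage of the SOAP Body or attachments
     * is not checked by this method.
     *
     * @param envelopePrefix namespace prefix of the SOAP Envelope element
     * @throws Wss4jSecurityValidationException if no signed reference matches
     */
    @SuppressWarnings("unchecked")
    private void validateEbmsMessagingIsSigned(String envelopePrefix, List<WSSecurityEngineResult> results) {
        for (WSSecurityEngineResult result : results) {
            if (!result.containsKey(TAG_DATA_REF_URIS)) {
                continue;
            }
            // The engine stores signed references as a List<WSDataRef>; the result map is untyped.
            for (WSDataRef dataRef : (List<WSDataRef>) result.get(TAG_DATA_REF_URIS)) {
                if (isSignedMessagingHeader(envelopePrefix, dataRef)) {
                    return;
                }
            }
        }
        throw new Wss4jSecurityValidationException("ebms:Messaging was not signed");
    }

    /** Whether {@code dataRef} is the Messaging header at its expected position directly under the SOAP Header. */
    private static boolean isSignedMessagingHeader(String envelopePrefix, WSDataRef dataRef) {
        if (!Constants.MESSAGING_QNAME.equals(dataRef.getName())) {
            return false;
        }
        String expectedXpath = "/" + envelopePrefix + ":Envelope/" + envelopePrefix + ":Header/"
                + dataRef.getName().getPrefix() + ":" + dataRef.getName().getLocalPart();
        return expectedXpath.equals(dataRef.getXpath());
    }

    /**
     * Checks that the actions found in the header match the expected ones, in any order.
     *
     * @throws Wss4jSecurityValidationException on mismatch
     */
    protected void checkResults(List<WSSecurityEngineResult> results, List<Integer> expectedActions) throws Wss4jSecurityValidationException {
        if (!this.handler.checkReceiverResultsAnyOrder(results, expectedActions)) {
            throw new Wss4jSecurityValidationException("Security processing failed (actions mismatch)");
        }
    }

    /**
     * Prepends a {@link WSHandlerResult} for this validation to the {@code RECV_RESULTS}
     * message-context property, creating the list if absent.
     */
    @SuppressWarnings("unchecked")
    private void updateContextWithResults(MessageContext messageContext, List<WSSecurityEngineResult> results) {
        List<WSHandlerResult> handlerResults =
                (List<WSHandlerResult>) messageContext.getProperty(RECV_RESULTS_PROPERTY);
        if (handlerResults == null) {
            handlerResults = new ArrayList<WSHandlerResult>();
        }
        handlerResults.add(0, new WSHandlerResult(this.validationActor, results));
        messageContext.setProperty(RECV_RESULTS_PROPERTY, handlerResults);
    }

    /**
     * Verifies trust in the signing certificate of the signature result against
     * {@code validationSignatureCrypto}, with revocation checking if enabled. A single
     * signature result (the one {@code fetchActionResult} selects) is examined.
     *
     * @throws Wss4jSecurityValidationException if the signature result carries no X.509 certificate
     * @throws WSSecurityException if the certificate is not trusted
     */
    protected void verifyCertificateTrust(List<WSSecurityEngineResult> results) throws WSSecurityException {
        WSSecurityEngineResult signatureResult = WSSecurityUtil.fetchActionResult(results, ACTION_SIGNATURE);
        if (signatureResult == null) {
            return;
        }
        X509Certificate certificate = (X509Certificate) signatureResult.get(TAG_X509_CERTIFICATE);
        if (certificate == null) {
            // A signature not made with an X.509 certificate cannot be trust-checked here; reject it
            // explicitly instead of handing a null certificate to the validator.
            throw new Wss4jSecurityValidationException("Signature was not made with an X.509 certificate");
        }
        Credential credential = new Credential();
        credential.setCertificates(new X509Certificate[]{certificate});
        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(this.validationSignatureCrypto);
        requestData.setEnableRevocation(this.enableRevocation);
        new SignatureTrustValidator().validate(credential, requestData);
    }

    /**
     * Re-validates the timestamp of the timestamp result with this interceptor's own
     * {@code validationTimeToLive} and strict mode (the engine's earlier pass presumably used
     * whatever TTL {@code wssConfig}, or WSS4J's default, specifies).
     *
     * @throws WSSecurityException if the timestamp is expired or otherwise invalid
     */
    protected void verifyTimestamp(List<WSSecurityEngineResult> results) throws WSSecurityException {
        WSSecurityEngineResult timestampResult = WSSecurityUtil.fetchActionResult(results, ACTION_TIMESTAMP);
        if (timestampResult == null) {
            return;
        }
        Timestamp timestamp = (Timestamp) timestampResult.get(TAG_TIMESTAMP);
        if (timestamp == null) {
            return;
        }
        Credential credential = new Credential();
        credential.setTimestamp(timestamp);
        WSSConfig timestampConfig = WSSConfig.getNewInstance();
        timestampConfig.setTimeStampTTL(this.validationTimeToLive);
        timestampConfig.setTimeStampStrict(this.timestampStrict);
        RequestData requestData = new RequestData();
        requestData.setWssConfig(timestampConfig);
        new TimestampValidator().validate(credential, requestData);
    }

    /** Sends a {@link CleanupCallback} to the validation callback handler, if one is configured. */
    @Override
    protected void cleanUp() {
        if (this.validationCallbackHandler == null) {
            return;
        }
        try {
            this.validationCallbackHandler.handle(new Callback[]{new CleanupCallback()});
        } catch (IOException e) {
            this.logger.warn("Cleanup callback resulted in IOException", e);
        } catch (UnsupportedCallbackException ignored) {
            // A handler is free not to support CleanupCallback; there is nothing to clean up then.
        }
    }
}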
