package org.apache.rampart;

import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Iterator;
import java.util.Set;
import java.util.Vector;
import javax.xml.namespace.QName;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.Constants;
import org.apache.axis2.description.java2wsdl.Java2WSDLConstants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.HttpsToken;
import org.apache.ws.secpolicy.model.IssuedToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:META-INF/lib/rampart-core-1.4.jar:org/apache/rampart/PolicyBasedResultsValidator.class */
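/**
 * Validates the WSS4J processing results of an inbound message against the Rampart
 * policy ({@link RampartPolicyData}) in effect for that message.
 *
 * <p>Each check throws a {@link RampartException} carrying a resource-bundle key on the
 * first violation it finds; a return without exception means the checked aspect is
 * acceptable. The WSS4J action codes appear as numeric literals in this source:
 * 1 = UT, 2 = SIGN, 4 = ENCR, 8 = ST_UNSIGNED, 32 = TS, 4096 = BST (WSS4J {@code WSConstants}).
 *
 * <p>Changes relative to the decompiled original: the transport-name comparison is
 * null-safe, the transmitted certificate is no longer overwritten while building a
 * certificate path (which corrupted the chain for every alias after the first), the final
 * debug statement in {@link #verifyTrust} is guarded, and {@link #class$} compiles again.
 */
public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandler {
    private static final Log log;

    /** javac 1.4 synthetic cache for the {@code PolicyBasedResultsValidator.class} literal; kept as compiled. */
    static Class class$org$apache$rampart$PolicyBasedResultsValidator;

    /**
     * Runs every policy check against the WSS4J results of an inbound message.
     *
     * <p>Order of checks: presence of results and timestamp, signature/encryption presence
     * ({@link #validateEncrSig}), protection order, HTTPS transport (recipient side only),
     * encrypted parts, signed headers, required elements, supporting tokens (recipient side
     * only), trust of the signing certificate and finally the timestamp's Created value.
     *
     * @param validatorData message, policy and body-encryption id of the message under validation
     * @param vector        the WSS4J {@link WSSecurityEngineResult} vector, may be {@code null}
     *                      only when no policy is in effect
     * @throws RampartException on the first violated requirement
     */
    @Override // org.apache.rampart.PolicyValidatorCallbackHandler
    public void validate(ValidatorData validatorData, Vector vector) throws RampartException {
        RampartMessageData rampartMessageData = validatorData.getRampartMessageData();
        RampartPolicyData policyData = rampartMessageData.getPolicyData();
        if (policyData != null && vector == null) {
            throw new RampartException("noSecurityResults");
        }
        // A policy that includes a timestamp requires a processed TS (32) result.
        if (policyData != null && policyData.isIncludeTimestamp() && WSSecurityUtil.fetchActionResult(vector, 32) == null) {
            throw new RampartException("timestampMissing");
        }
        // NOTE(review): from here on policyData is dereferenced without a null check, as in the
        // original; a null policy with a non-null results vector would fail with an NPE. Confirm
        // that callers never pass that combination.
        Vector encryptedParts = RampartUtil.getEncryptedParts(rampartMessageData);
        if (policyData != null && policyData.isSignatureProtection() && isSignatureRequired(rampartMessageData)) {
            // Return value is unused here; the call is retained in case it has side effects (unverified).
            RampartUtil.getSigElementId(rampartMessageData);
            // SignatureProtection: the ds:Signature element itself must appear among the encrypted parts.
            encryptedParts.add(new WSEncryptionPart("Signature", "http://www.w3.org/2000/09/xmldsig#", "Element"));
        }
        Vector signedParts = RampartUtil.getSignedParts(rampartMessageData);
        if (policyData != null && policyData.isIncludeTimestamp() && !policyData.isTransportBinding()) {
            signedParts.add(new WSEncryptionPart(WSSecurityEngineResult.TAG_TIMESTAMP));
        }
        if (!rampartMessageData.isInitiator()) {
            // On the recipient side, endorsing tokens that cover parts (or a timestamp) must themselves be signed.
            boolean includeTimestamp = policyData.isIncludeTimestamp();
            if (mustBeSigned(policyData.getEndorsingSupportingTokens(), includeTimestamp)) {
                signedParts.add(new WSEncryptionPart(SPConstants.ENDORSING_SUPPORTING_TOKENS));
            }
            if (mustBeSigned(policyData.getSignedEndorsingSupportingTokens(), includeTimestamp)) {
                signedParts.add(new WSEncryptionPart(SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS));
            }
        }
        validateEncrSig(validatorData, encryptedParts, signedParts, vector);
        if (!policyData.isTransportBinding()) {
            validateProtectionOrder(validatorData, vector);
        }
        if (policyData.isTransportBinding() && !rampartMessageData.isInitiator() && (policyData.getTransportToken() instanceof HttpsToken)) {
            String incomingTransportName = rampartMessageData.getMsgContext().getIncomingTransportName();
            // Null-safe comparison: an absent transport name is rejected like any non-HTTPS transport.
            if (!Constants.TRANSPORT_HTTPS.equals(incomingTransportName)) {
                throw new RampartException("invalidTransport", new String[]{incomingTransportName});
            }
        }
        validateEncryptedParts(validatorData, encryptedParts, vector);
        validateSignedPartsHeaders(validatorData, signedParts, vector);
        validateRequiredElements(validatorData);
        if (!rampartMessageData.isInitiator()) {
            validateSupportingTokens(validatorData, vector);
        }
        // Only the certificate attached to the SIGN (2) result is subjected to trust verification.
        WSSecurityEngineResult signatureResult = WSSecurityUtil.fetchActionResult(vector, 2);
        if (signatureResult != null) {
            X509Certificate x509Certificate = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (x509Certificate != null && !verifyTrust(x509Certificate, rampartMessageData)) {
                throw new RampartException("trustVerificationError");
            }
        }
        WSSecurityEngineResult timestampResult = WSSecurityUtil.fetchActionResult(vector, 32);
        if (timestampResult != null) {
            Timestamp timestamp = (Timestamp) timestampResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
            if (timestamp != null && !verifyTimestamp(timestamp, rampartMessageData)) {
                throw new RampartException("cannotValidateTimestamp");
            }
        }
    }

    /**
     * Decides whether an endorsing supporting token must itself be covered by the message
     * signature: when its SignedParts names the body or at least one header, or when the
     * policy includes a timestamp.
     *
     * @param supportingToken  the (signed-)endorsing supporting token, may be {@code null}
     * @param includeTimestamp the policy's IncludeTimestamp flag
     * @return {@code false} for a {@code null} token, otherwise the rule above
     */
    private static boolean mustBeSigned(SupportingToken supportingToken, boolean includeTimestamp) {
        if (supportingToken == null) {
            return false;
        }
        SignedEncryptedParts parts = supportingToken.getSignedParts();
        boolean coversParts = parts != null && (parts.isBody() || parts.getHeaders().size() > 0);
        return coversParts || includeTimestamp;
    }

    /**
     * Checks that a signature and/or encryption is present exactly when the policy expects one.
     *
     * <p>An unexpected signature is tolerated when signed or signed-endorsing supporting tokens
     * are configured (their signature is legitimate). An unexpected encryption that actually
     * references data is tolerated only when a UsernameToken is configured anywhere in the
     * policy's supporting tokens.
     *
     * @param validatorData message and policy under validation
     * @param vector        expected encrypted parts (may be empty)
     * @param vector2       expected signed parts (may be empty)
     * @param vector3       the WSS4J results vector
     * @throws RampartException {@code unexprectedSignature}, {@code signatureMissing},
     *                          {@code encryptionMissing} or {@code unexprectedEncryptedPart}
     */
    protected void validateEncrSig(ValidatorData validatorData, Vector vector, Vector vector2, Vector vector3) throws RampartException {
        boolean signatureFound = false;
        boolean encryptionFound = false;
        for (Object action : getSigEncrActions(vector3)) {
            int code = ((Integer) action).intValue();
            if (code == 2) {
                signatureFound = true;
            } else if (code == 4) {
                encryptionFound = true;
            }
        }
        RampartPolicyData policyData = validatorData.getRampartMessageData().getPolicyData();
        boolean noSignedSupporting = isEmptySupportingToken(policyData.getSignedSupportingTokens());
        boolean noSignedEndorsing = isEmptySupportingToken(policyData.getSignedEndorsingSupportingTokens());
        if (signatureFound && vector2.size() == 0 && noSignedSupporting && noSignedEndorsing) {
            throw new RampartException("unexprectedSignature");
        }
        if (!signatureFound && vector2.size() > 0) {
            throw new RampartException("signatureMissing");
        }
        if (encryptionFound && vector.size() == 0) {
            if (hasEncryptedDataRefs(vector3) && !isUsernameTokenPresent(validatorData)) {
                throw new RampartException("unexprectedEncryptedPart");
            }
        } else if (!encryptionFound && vector.size() > 0) {
            throw new RampartException("encryptionMissing");
        }
    }

    /**
     * True when no supporting token is configured or it carries no tokens.
     *
     * @param supportingToken the supporting-token assertion, may be {@code null}
     * @return whether the assertion is absent or empty
     */
    private static boolean isEmptySupportingToken(SupportingToken supportingToken) {
        return supportingToken == null || supportingToken.getTokens().size() == 0;
    }

    /**
     * True when at least one ENCR (4) result carries a non-empty list of data references,
     * i.e. something was really decrypted rather than just an EncryptedKey being processed.
     *
     * @param results the WSS4J results vector
     * @return whether any encryption result references data
     */
    private boolean hasEncryptedDataRefs(Vector results) {
        for (Object result : getResults(results, 4)) {
            ArrayList dataRefs = (ArrayList) ((WSSecurityEngineResult) result).get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (dataRefs != null && dataRefs.size() != 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies that every supporting token assertion of the policy is satisfied by the results.
     *
     * @param validatorData message and policy under validation
     * @param vector        the WSS4J results vector
     * @throws RampartException when a configured token kind has no matching result
     */
    protected void validateSupportingTokens(ValidatorData validatorData, Vector vector) throws RampartException {
        RampartPolicyData policyData = validatorData.getRampartMessageData().getPolicyData();
        handleSupportingTokens(vector, policyData.getSupportingTokens());
        handleSupportingTokens(vector, policyData.getSignedSupportingTokens());
        handleSupportingTokens(vector, policyData.getSignedEndorsingSupportingTokens());
        handleSupportingTokens(vector, policyData.getEndorsingSupportingTokens());
    }

    /**
     * Checks that each token of one supporting-token assertion has a processed result:
     * UsernameToken needs a UT (1) result, IssuedToken a ST_UNSIGNED (8) result and
     * X509Token a BST (4096) result. Other token kinds are not checked here.
     *
     * @param vector          the WSS4J results vector
     * @param supportingToken the assertion, may be {@code null} (then nothing is checked)
     * @throws RampartException {@code usernameTokenMissing}, {@code samlTokenMissing} or
     *                          {@code binaryTokenMissing}
     */
    protected void handleSupportingTokens(Vector vector, SupportingToken supportingToken) throws RampartException {
        if (supportingToken == null) {
            return;
        }
        for (Object candidate : supportingToken.getTokens()) {
            Token token = (Token) candidate;
            if (token instanceof UsernameToken) {
                if (WSSecurityUtil.fetchActionResult(vector, 1) == null) {
                    throw new RampartException("usernameTokenMissing");
                }
            } else if (token instanceof IssuedToken) {
                if (WSSecurityUtil.fetchActionResult(vector, 8) == null) {
                    throw new RampartException("samlTokenMissing");
                }
            } else if ((token instanceof X509Token) && WSSecurityUtil.fetchActionResult(vector, 4096) == null) {
                throw new RampartException("binaryTokenMissing");
            }
        }
    }

    /**
     * Checks that SIGN and ENCR results appear in the order the policy's protection order
     * demands. Only the relative position of the first SIGN (2) and the first ENCR (4) result
     * in the results vector decides: for {@code SignBeforeEncrypting} the first SIGN must
     * precede the first ENCR, for any other value the first ENCR must precede the first SIGN.
     * Nothing is checked when fewer than two such results exist or one kind is absent.
     *
     * <p>NOTE(review): the mapping between results-vector order and security-header order is
     * defined by the WSS4J engine, not here; confirm it when upgrading WSS4J.
     *
     * @param validatorData message and policy under validation
     * @param vector        the WSS4J results vector
     * @throws RampartException {@code protectionOrderMismatch}
     */
    protected void validateProtectionOrder(ValidatorData validatorData, Vector vector) throws RampartException {
        String protectionOrder = validatorData.getRampartMessageData().getPolicyData().getProtectionOrder();
        ArrayList sigEncrActions = getSigEncrActions(vector);
        if (sigEncrActions.size() < 2) {
            return;
        }
        // The list holds only Integer 2 and Integer 4, so indexOf via equals is sufficient.
        int firstSign = sigEncrActions.indexOf(Integer.valueOf(2));
        int firstEncr = sigEncrActions.indexOf(Integer.valueOf(4));
        if (firstSign < 0 || firstEncr < 0) {
            return;
        }
        boolean orderMatches = "SignBeforeEncrypting".equals(protectionOrder)
                ? firstSign < firstEncr
                : firstEncr < firstSign;
        if (!orderMatches) {
            throw new RampartException("protectionOrderMismatch");
        }
    }

    /**
     * Extracts the action codes of all SIGN (2) and ENCR (4) results, in results-vector order.
     *
     * @param vector the WSS4J results vector
     * @return a list of {@link Integer} action codes, possibly empty
     */
    protected ArrayList getSigEncrActions(Vector vector) {
        ArrayList actions = new ArrayList();
        for (Object result : vector) {
            // "action" is the WSS4J result tag holding the Integer action code.
            int code = ((Integer) ((WSSecurityEngineResult) result).get("action")).intValue();
            if (2 == code || 4 == code) {
                actions.add(Integer.valueOf(code));
            }
        }
        return actions;
    }

    /**
     * Checks that every expected encrypted part was actually decrypted.
     *
     * <p>The body is matched by the id recorded in {@link ValidatorData#getBodyEncrDataId()}.
     * The ds:Signature part and body-typed parts (type 1) are matched by qualified name; all
     * other non-header parts (type != 2) are matched by their encryption id, which must be set.
     *
     * @param validatorData message, policy and body-encryption id
     * @param vector        the expected {@link WSEncryptionPart}s
     * @param vector2       the WSS4J results vector
     * @throws RampartException {@code encryptedPartMissing} with the part's name
     */
    protected void validateEncryptedParts(ValidatorData validatorData, Vector vector, Vector vector2) throws RampartException {
        RampartMessageData rampartMessageData = validatorData.getRampartMessageData();
        ArrayList encryptedReferences = getEncryptedReferences(vector2);
        if (rampartMessageData.getPolicyData().isEncryptBody() && !isRefIdPresent(encryptedReferences, validatorData.getBodyEncrDataId())) {
            throw new RampartException("encryptedPartMissing", new String[]{validatorData.getBodyEncrDataId()});
        }
        for (Object candidate : vector) {
            WSEncryptionPart part = (WSEncryptionPart) candidate;
            if (part.getType() == 2) {
                // Header parts are not checked here (see validateSignedPartsHeaders for signed ones).
                continue;
            }
            boolean isSignatureElement = "Signature".equals(part.getName())
                    && "http://www.w3.org/2000/09/xmldsig#".equals(part.getNamespace());
            if (isSignatureElement || part.getType() == 1) {
                if (!isRefIdPresent(encryptedReferences, new QName(part.getNamespace(), part.getName()))) {
                    throw new RampartException("encryptedPartMissing", new String[]{qualifiedName(part)});
                }
            } else {
                if (part.getEncId() == null) {
                    throw new RampartException("encryptedPartMissing", new String[]{qualifiedName(part)});
                }
                if (!isRefIdPresent(encryptedReferences, part.getEncId())) {
                    throw new RampartException("encryptedPartMissing", new String[]{qualifiedName(part)});
                }
            }
        }
    }

    /**
     * Formats a part as {@code namespace + COLON_SEPARATOR + name} for error messages.
     *
     * @param part the encryption part
     * @return the qualified display name
     */
    private static String qualifiedName(WSEncryptionPart part) {
        return part.getNamespace() + Java2WSDLConstants.COLON_SEPARATOR + part.getName();
    }

    /**
     * Checks that every element listed as required by the policy exists in the envelope.
     *
     * @param validatorData message and policy under validation
     * @throws RampartException {@code requiredElementsMissing} with the offending expression
     */
    public void validateRequiredElements(ValidatorData validatorData) throws RampartException {
        RampartMessageData rampartMessageData = validatorData.getRampartMessageData();
        RampartPolicyData policyData = rampartMessageData.getPolicyData();
        SOAPEnvelope envelope = rampartMessageData.getMsgContext().getEnvelope();
        for (Object candidate : policyData.getRequiredElements()) {
            String expression = (String) candidate;
            if (!RampartUtil.checkRequiredElements(envelope, policyData.getDeclaredNamespaces(), expression)) {
                throw new RampartException("requiredElementsMissing", new String[]{expression});
            }
        }
    }

    /**
     * Checks that every expected signed part that is present in the document was covered by
     * the signature.
     *
     * <p>Caveat: a part named in the policy but absent from the message is not reported here;
     * only present-but-unsigned elements fail. The set of signed elements is resolved from the
     * SIGN (2) result's signed element ids, looked up by wsu:Id.
     *
     * @param validatorData message and document under validation
     * @param vector        the expected {@link WSEncryptionPart}s
     * @param vector2       the WSS4J results vector
     * @throws RampartException {@code signedPartHeaderNotSigned} with the part's name
     */
    protected void validateSignedPartsHeaders(ValidatorData validatorData, Vector vector, Vector vector2) throws RampartException {
        Node root = validatorData.getRampartMessageData().getDocument().getFirstChild();
        WSSecurityEngineResult signatureResult = WSSecurityUtil.fetchActionResult(vector2, 2);
        Vector signedElements = new Vector();
        if (signatureResult != null) {
            Set signedIds = (Set) signatureResult.get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS);
            for (Object id : signedIds) {
                signedElements.add(WSSecurityUtil.findElementById(root, (String) id, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"));
            }
        }
        for (Object candidate : vector) {
            WSEncryptionPart part = (WSEncryptionPart) candidate;
            Element element = (Element) WSSecurityUtil.findElement(root, part.getName(), part.getNamespace());
            if (element != null && !signedElements.contains(element)) {
                throw new RampartException("signedPartHeaderNotSigned", new String[]{part.getName()});
            }
        }
    }

    /**
     * Decides whether the policy requires this side of the exchange to sign.
     *
     * <p>Symmetric binding: a signature token must be configured. Transport binding: never.
     * Asymmetric binding: the initiator token (when initiator) or the recipient token (when
     * recipient) must be configured.
     *
     * @param rampartMessageData message and policy
     * @return whether a signature is required
     */
    protected boolean isSignatureRequired(RampartMessageData rampartMessageData) {
        RampartPolicyData policyData = rampartMessageData.getPolicyData();
        if (policyData.isSymmetricBinding()) {
            return policyData.getSignatureToken() != null;
        }
        if (policyData.isTransportBinding()) {
            return false;
        }
        return rampartMessageData.isInitiator()
                ? policyData.getInitiatorToken() != null
                : policyData.getRecipientToken() != null;
    }

    /**
     * Accepts a timestamp whose Created value is not further in the future than the configured
     * skew allows (skew in seconds, applied only when positive). A timestamp without Created
     * is accepted.
     *
     * <p>Caveat: this method does not evaluate the Expires value; expiry is presumably enforced
     * by the WSS4J timestamp processor - confirm when relying on it.
     *
     * @param timestamp          the processed wsu:Timestamp
     * @param rampartMessageData message and policy (source of the max-skew setting)
     * @return {@code true} when Created is acceptable
     * @throws RampartException propagated from reading the skew configuration
     */
    protected boolean verifyTimestamp(Timestamp timestamp, RampartMessageData rampartMessageData) throws RampartException {
        Calendar created = timestamp.getCreated();
        if (created == null) {
            return true;
        }
        long latestAccepted = Calendar.getInstance().getTimeInMillis();
        long timestampMaxSkew = RampartUtil.getTimestampMaxSkew(rampartMessageData);
        if (timestampMaxSkew > 0) {
            latestAccepted += timestampMaxSkew * 1000;
        }
        return created.getTimeInMillis() <= latestAccepted;
    }

    /**
     * Establishes trust in the transmitted signing certificate via the signature keystore.
     *
     * <p>Two paths: direct trust, when the keystore holds an alias for the certificate's issuer
     * and serial number and that entry is {@code equals} to the transmitted certificate; or
     * certificate-path validation, trying every keystore alias matching the issuer DN and
     * validating the chain [transmitted certificate, keystore certificates of that alias].
     * Each attempt builds the chain from the original transmitted certificate (the decompiled
     * original overwrote it with the last keystore certificate of the previous alias).
     *
     * @param x509Certificate    the certificate attached to the SIGN result, may be {@code null}
     * @param rampartMessageData message and policy (source of the crypto configuration)
     * @return {@code true} when trust is established, {@code false} when no path validates
     * @throws RampartException {@code cannotFindAliasForCert}, {@code noCertForAlias} or
     *                          {@code certPathVerificationFailed} wrapping the WSS4J cause
     */
    protected boolean verifyTrust(X509Certificate x509Certificate, RampartMessageData rampartMessageData) throws RampartException {
        if (x509Certificate == null) {
            return false;
        }
        String subjectName = x509Certificate.getSubjectDN().getName();
        String issuerName = x509Certificate.getIssuerDN().getName();
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        boolean isDebugEnabled = log.isDebugEnabled();
        if (isDebugEnabled) {
            log.debug("WSHandler: Transmitted certificate has subject " + subjectName);
            log.debug("WSHandler: Transmitted certificate has issuer " + issuerName + " (serial " + serialNumber + ")");
        }
        try {
            String aliasForX509Cert = RampartUtil.getSignatureCrypto(rampartMessageData.getPolicyData().getRampartConfig(), rampartMessageData.getCustomClassLoader()).getAliasForX509Cert(issuerName, serialNumber);
            if (aliasForX509Cert != null) {
                try {
                    X509Certificate[] certificates = RampartUtil.getSignatureCrypto(rampartMessageData.getPolicyData().getRampartConfig(), rampartMessageData.getCustomClassLoader()).getCertificates(aliasForX509Cert);
                    // Direct trust: the whole certificate must match, not just issuer and serial.
                    if (certificates != null && certificates.length > 0 && x509Certificate.equals(certificates[0])) {
                        if (isDebugEnabled) {
                            log.debug("Direct trust for certificate with " + subjectName);
                        }
                        return true;
                    }
                } catch (WSSecurityException e) {
                    throw new RampartException("noCertForAlias", new String[]{aliasForX509Cert}, e);
                }
            } else if (isDebugEnabled) {
                log.debug("No alias found for subject from issuer with " + issuerName + " (serial " + serialNumber + ")");
            }
            try {
                String[] aliasesForDN = RampartUtil.getSignatureCrypto(rampartMessageData.getPolicyData().getRampartConfig(), rampartMessageData.getCustomClassLoader()).getAliasesForDN(issuerName);
                if (aliasesForDN == null || aliasesForDN.length < 1) {
                    if (isDebugEnabled) {
                        log.debug("No aliases found in keystore for issuer " + issuerName + " of certificate for " + subjectName);
                    }
                    return false;
                }
                for (String alias : aliasesForDN) {
                    if (isDebugEnabled) {
                        log.debug("Preparing to validate certificate path with alias " + alias + " for issuer " + issuerName);
                    }
                    try {
                        X509Certificate[] issuerCertificates = RampartUtil.getSignatureCrypto(rampartMessageData.getPolicyData().getRampartConfig(), rampartMessageData.getCustomClassLoader()).getCertificates(alias);
                        if (issuerCertificates == null || issuerCertificates.length < 1) {
                            throw new RampartException("noCertForAlias", new String[]{alias});
                        }
                        // Chain = transmitted leaf followed by the keystore certificates of this alias.
                        X509Certificate[] chain = new X509Certificate[issuerCertificates.length + 1];
                        chain[0] = x509Certificate;
                        System.arraycopy(issuerCertificates, 0, chain, 1, issuerCertificates.length);
                        try {
                            if (RampartUtil.getSignatureCrypto(rampartMessageData.getPolicyData().getRampartConfig(), rampartMessageData.getCustomClassLoader()).validateCertPath(chain)) {
                                if (isDebugEnabled) {
                                    log.debug("WSHandler: Certificate path has been verified for certificate with subject " + subjectName);
                                }
                                return true;
                            }
                        } catch (WSSecurityException e2) {
                            throw new RampartException("certPathVerificationFailed", new String[]{subjectName}, e2);
                        }
                    } catch (WSSecurityException e3) {
                        throw new RampartException("noCertForAlias", new String[]{alias}, e3);
                    }
                }
                if (isDebugEnabled) {
                    log.debug("WSHandler: Certificate path could not be verified for certificate with subject " + subjectName);
                }
                return false;
            } catch (WSSecurityException e4) {
                throw new RampartException("cannotFindAliasForCert", new String[]{issuerName}, e4);
            }
        } catch (WSSecurityException e5) {
            throw new RampartException("cannotFindAliasForCert", new String[]{subjectName}, e5);
        }
    }

    /**
     * Collects the {@link WSDataRef}s of all ENCR (4) results.
     *
     * @param vector the WSS4J results vector
     * @return a flat list of data references, possibly empty
     */
    protected ArrayList getEncryptedReferences(Vector vector) {
        ArrayList references = new ArrayList();
        for (Object result : getResults(vector, 4)) {
            ArrayList dataRefs = (ArrayList) ((WSSecurityEngineResult) result).get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (dataRefs != null) {
                for (Object dataRef : dataRefs) {
                    references.add((WSDataRef) dataRef);
                }
            }
        }
        return references;
    }

    /**
     * Selects the results whose action code equals {@code i}, preserving vector order.
     *
     * @param vector the WSS4J results vector
     * @param i      the WSS4J action code to match
     * @return the matching {@link WSSecurityEngineResult}s, possibly empty
     */
    protected ArrayList getResults(Vector vector, int i) {
        ArrayList matching = new ArrayList();
        for (Object candidate : vector) {
            WSSecurityEngineResult result = (WSSecurityEngineResult) candidate;
            if (((Integer) result.get("action")).intValue() == i) {
                matching.add(result);
            }
        }
        return matching;
    }

    /**
     * True when any supporting-token assertion of the policy contains a UsernameToken.
     *
     * @param validatorData message and policy under validation
     * @return whether a UsernameToken is configured anywhere
     */
    protected boolean isUsernameTokenPresent(ValidatorData validatorData) {
        RampartPolicyData policyData = validatorData.getRampartMessageData().getPolicyData();
        return isUsernameTokenPresent(policyData.getSupportingTokens())
                || isUsernameTokenPresent(policyData.getSignedSupportingTokens())
                || isUsernameTokenPresent(policyData.getSignedEndorsingSupportingTokens())
                || isUsernameTokenPresent(policyData.getEndorsingSupportingTokens());
    }

    /**
     * True when the given assertion contains a UsernameToken.
     *
     * @param supportingToken the assertion, may be {@code null}
     * @return whether a UsernameToken is among its tokens
     */
    protected boolean isUsernameTokenPresent(SupportingToken supportingToken) {
        if (supportingToken == null) {
            return false;
        }
        for (Object token : supportingToken.getTokens()) {
            if (((Token) token) instanceof UsernameToken) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks for a data reference whose wsu:Id (or, failing that, its dataref) equals the id.
     *
     * @param arrayList the {@link WSDataRef}s to search; {@code null} entries are skipped
     * @param str       the id to find
     * @return whether a matching reference exists
     */
    private boolean isRefIdPresent(ArrayList arrayList, String str) {
        for (Object candidate : arrayList) {
            WSDataRef dataRef = (WSDataRef) candidate;
            if (dataRef == null) {
                continue;
            }
            String id = dataRef.getWsuId();
            if (id == null) {
                id = dataRef.getDataref();
            }
            if (id != null && id.equals(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks for a data reference whose element name equals the given qualified name.
     *
     * @param arrayList the {@link WSDataRef}s to search; {@code null} entries are skipped
     * @param qName     the qualified element name to find
     * @return whether a matching reference exists
     */
    private boolean isRefIdPresent(ArrayList arrayList, QName qName) {
        for (Object candidate : arrayList) {
            WSDataRef dataRef = (WSDataRef) candidate;
            if (dataRef == null) {
                continue;
            }
            QName name = dataRef.getName();
            if (name != null && name.equals(qName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * javac 1.4 synthetic helper backing the {@code PolicyBasedResultsValidator.class} literal.
     * The decompiled form threw the {@link Throwable} returned by {@code initCause}, which does
     * not compile in a method without a {@code throws} clause; the cast restores the intent.
     *
     * @param str the fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError wrapping the {@link ClassNotFoundException}
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw (NoClassDefFoundError) new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$org$apache$rampart$PolicyBasedResultsValidator == null) {
            cls = class$("org.apache.rampart.PolicyBasedResultsValidator");
            class$org$apache$rampart$PolicyBasedResultsValidator = cls;
        } else {
            cls = class$org$apache$rampart$PolicyBasedResultsValidator;
        }
        log = LogFactory.getLog(cls);
    }
}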
