package org.apache.wss4j.stax.impl.processor.input;

import java.math.BigInteger;
import java.util.Iterator;
import java.util.List;
import org.apache.wss4j.binding.wss10.SecurityTokenReferenceType;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.validate.SignatureTokenValidator;
import org.apache.wss4j.stax.validate.SignatureTokenValidatorImpl;
import org.apache.xml.security.binding.excc14n.InclusiveNamespaces;
import org.apache.xml.security.binding.xmldsig.CanonicalizationMethodType;
import org.apache.xml.security.binding.xmldsig.ManifestType;
import org.apache.xml.security.binding.xmldsig.ObjectType;
import org.apache.xml.security.binding.xmldsig.SignatureType;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.InboundSecurityContext;
import org.apache.xml.security.stax.ext.InputProcessorChain;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.stax.ext.XMLSecurityUtils;
import org.apache.xml.security.stax.impl.processor.input.AbstractSignatureInputHandler;
import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SignatureValueSecurityEvent;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-090.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-stax-2.0.3.jar:org/apache/wss4j/stax/impl/processor/input/WSSSignatureInputHandler.class */
/**
 * WS-Security specialisation of the streaming {@code ds:Signature} input handler.
 *
 * <p>On top of the base class it: rejects a signature without {@code ds:KeyInfo},
 * runs the Basic Security Profile checks of {@link #checkBSPCompliance}, enforces a
 * signature algorithm configured on the security properties, publishes a
 * {@link SignatureValueSecurityEvent} and an {@link AlgorithmSuiteSecurityEvent} for
 * the signature, resolves and validates the verification token through
 * {@link SecurityTokenFactory} and a {@link SignatureTokenValidator}, and installs a
 * {@link WSSSignatureReferenceVerifyInputProcessor} for the signed references.
 */
public class WSSSignatureInputHandler extends AbstractSignatureInputHandler {
    private static final transient Logger log = LoggerFactory.getLogger(WSSSignatureInputHandler.class);

    /**
     * Signature method URIs accepted by BSP rule R5421. Any other {@code ds:SignatureMethod}
     * is reported to the inbound security context as an R5421 violation.
     */
    private static final String[] BSP_SIGNATURE_METHODS = {
        "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
        "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    };

    /** Canonicalization URI required by BSP rule R5404 (exclusive C14N). */
    private static final String BSP_C14N_METHOD = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /**
     * Signature verifier that resolves the verification token from {@code ds:KeyInfo},
     * runs the configured (or default) {@link SignatureTokenValidator} over it and
     * publishes a token security event correlated with the signature id.
     */
    /* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-090.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-stax-2.0.3.jar:org/apache/wss4j/stax/impl/processor/input/WSSSignatureInputHandler$WSSSignatureVerifier.class */
    public class WSSSignatureVerifier extends AbstractSignatureInputHandler.SignatureVerifier {

        /**
         * @param signatureType          the parsed {@code ds:Signature}
         * @param inboundSecurityContext context that receives the security events
         * @param xMLSecurityProperties  properties; must be a {@link WSSSecurityProperties} instance
         * @throws XMLSecurityException propagated from the base class constructor
         */
        public WSSSignatureVerifier(SignatureType signatureType, InboundSecurityContext inboundSecurityContext, XMLSecurityProperties xMLSecurityProperties) throws XMLSecurityException {
            super(signatureType, inboundSecurityContext, xMLSecurityProperties);
        }

        /**
         * Resolves the token referenced by the signature's {@code ds:KeyInfo} for signature
         * verification, validates it and registers it as a signature token.
         *
         * @param signatureType          the parsed {@code ds:Signature}
         * @param xMLSecurityProperties  properties; cast to {@link WSSSecurityProperties}
         * @param inboundSecurityContext context that receives the token security event
         * @return the validated token, marked with {@code TokenUsage_Signature}
         * @throws XMLSecurityException if the token cannot be resolved or the validator rejects it
         */
        @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureInputHandler.SignatureVerifier
        protected InboundSecurityToken retrieveSecurityToken(SignatureType signatureType, XMLSecurityProperties xMLSecurityProperties, InboundSecurityContext inboundSecurityContext) throws XMLSecurityException {
            final InboundSecurityToken token = SecurityTokenFactory.getInstance().getSecurityToken(
                    signatureType.getKeyInfo(),
                    WSSecurityTokenConstants.KeyUsage_Signature_Verification,
                    xMLSecurityProperties,
                    inboundSecurityContext);

            final WSSSecurityProperties wssProperties = (WSSSecurityProperties) xMLSecurityProperties;
            // A validator registered for ds:Signature wins; otherwise fall back to the default implementation.
            SignatureTokenValidator validator = (SignatureTokenValidator) wssProperties.getValidator(WSSConstants.TAG_dsig_Signature);
            if (validator == null) {
                validator = new SignatureTokenValidatorImpl();
            }
            validator.validate(token, wssProperties);

            token.addTokenUsage(WSSecurityTokenConstants.TokenUsage_Signature);
            inboundSecurityContext.registerSecurityEvent(WSSUtils.createTokenSecurityEvent(token, signatureType.getId()));
            return token;
        }
    }

    /**
     * Performs the WS-Security pre-checks for a signature and creates its verifier.
     *
     * <p>Order matters: the {@code ds:KeyInfo} presence check and the BSP checks run before
     * the security events are published, so a rejected signature produces no events.
     *
     * @param inputProcessorChain   chain whose security context receives the events
     * @param xMLSecurityProperties properties; a non-null {@code signatureAlgorithm} is enforced
     * @param signatureType         the parsed {@code ds:Signature}
     * @return a {@link WSSSignatureVerifier} for the signature
     * @throws XMLSecurityException {@code INVALID_SECURITY} if {@code ds:KeyInfo} is absent or the
     *         signature method differs from the configured one; BSP violations are raised via
     *         {@link #checkBSPCompliance}
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureInputHandler
    protected AbstractSignatureInputHandler.SignatureVerifier newSignatureVerifier(InputProcessorChain inputProcessorChain, XMLSecurityProperties xMLSecurityProperties, SignatureType signatureType) throws XMLSecurityException {
        if (signatureType.getKeyInfo() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }
        checkBSPCompliance(inputProcessorChain, signatureType);

        // Enforce the signature method the application configured, if any.
        final String signatureMethod = signatureType.getSignedInfo().getSignatureMethod().getAlgorithm();
        final String requiredMethod = xMLSecurityProperties.getSignatureAlgorithm();
        if (requiredMethod != null && !requiredMethod.equals(signatureMethod)) {
            log.debug("The Signature method does not match the requirement");
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }

        final WSInboundSecurityContext securityContext = (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
        final String correlationId = signatureType.getId();

        final SignatureValueSecurityEvent valueEvent = new SignatureValueSecurityEvent();
        valueEvent.setSignatureValue(signatureType.getSignatureValue().getValue());
        valueEvent.setCorrelationID(correlationId);
        securityContext.registerSecurityEvent(valueEvent);

        final AlgorithmSuiteSecurityEvent c14nEvent = new AlgorithmSuiteSecurityEvent();
        c14nEvent.setAlgorithmURI(signatureType.getSignedInfo().getCanonicalizationMethod().getAlgorithm());
        c14nEvent.setAlgorithmUsage(WSSConstants.SigC14n);
        c14nEvent.setCorrelationID(correlationId);
        securityContext.registerSecurityEvent(c14nEvent);

        return new WSSSignatureVerifier(signatureType, securityContext, xMLSecurityProperties);
    }

    /**
     * @return {@code true} if {@code algorithm} is one of {@link #BSP_SIGNATURE_METHODS};
     *         {@code false} for any other value, including {@code null}
     */
    private static boolean isBspSignatureMethod(String algorithm) {
        for (String allowed : BSP_SIGNATURE_METHODS) {
            if (allowed.equals(algorithm)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports Basic Security Profile violations of the signature to the inbound security context.
     *
     * <p>Rules checked, in this order: R5421 (signature method), R5401 (no
     * {@code ds:HMACOutputLength}), R5402 (exactly one {@code ds:KeyInfo} child), R5417
     * ({@code wsse:SecurityTokenReference} inside {@code ds:KeyInfo}), R5403 (no
     * {@code ds:Manifest} in any {@code ds:Object}), R5404 (exclusive C14N) and R5406
     * ({@code InclusiveNamespaces}, when present, lists at least one prefix).
     * NOTE(review): whether {@code handleBSPRule} throws or merely records a violation is decided by
     * the context implementation and is not visible here.
     *
     * @param inputProcessorChain chain whose security context handles the rules
     * @param signatureType       the parsed {@code ds:Signature}; {@code ds:KeyInfo} must be non-null
     * @throws WSSecurityException propagated from {@code handleBSPRule}
     */
    private void checkBSPCompliance(InputProcessorChain inputProcessorChain, SignatureType signatureType) throws WSSecurityException {
        final WSInboundSecurityContext securityContext = (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
        final String signatureMethod = signatureType.getSignedInfo().getSignatureMethod().getAlgorithm();

        if (!isBspSignatureMethod(signatureMethod)) {
            securityContext.handleBSPRule(BSPRule.R5421);
        }

        final BigInteger hmacOutputLength = (BigInteger) XMLSecurityUtils.getQNameType(
                signatureType.getSignedInfo().getSignatureMethod().getContent(),
                WSSConstants.TAG_dsig_HMACOutputLength);
        if (hmacOutputLength != null) {
            securityContext.handleBSPRule(BSPRule.R5401);
        }

        final List<Object> keyInfoContent = signatureType.getKeyInfo().getContent();
        if (keyInfoContent.size() != 1) {
            securityContext.handleBSPRule(BSPRule.R5402);
        }

        final SecurityTokenReferenceType tokenReference = (SecurityTokenReferenceType) XMLSecurityUtils.getQNameType(
                keyInfoContent, WSSConstants.TAG_wsse_SecurityTokenReference);
        if (tokenReference == null) {
            securityContext.handleBSPRule(BSPRule.R5417);
        }

        for (ObjectType objectType : signatureType.getObject()) {
            final ManifestType manifest = (ManifestType) XMLSecurityUtils.getQNameType(
                    objectType.getContent(), WSSConstants.TAG_dsig_Manifest);
            if (manifest != null) {
                securityContext.handleBSPRule(BSPRule.R5403);
            }
        }

        final CanonicalizationMethodType c14nMethod = signatureType.getSignedInfo().getCanonicalizationMethod();
        if (!BSP_C14N_METHOD.equals(c14nMethod.getAlgorithm())) {
            securityContext.handleBSPRule(BSPRule.R5404);
        }

        final InclusiveNamespaces inclusiveNamespaces = (InclusiveNamespaces) XMLSecurityUtils.getQNameType(
                c14nMethod.getContent(), WSSConstants.TAG_c14nExcl_InclusiveNamespaces);
        // An InclusiveNamespaces element with an empty PrefixList violates R5406; absence is fine.
        if (inclusiveNamespaces != null && inclusiveNamespaces.getPrefixList().isEmpty()) {
            securityContext.handleBSPRule(BSPRule.R5406);
        }
    }

    /**
     * Appends the WS-Security reference verifier for this signature to the processor chain.
     *
     * @param inputProcessorChain   chain to extend
     * @param xMLSecurityProperties properties handed to the reference processor
     * @param signatureType         the parsed {@code ds:Signature}
     * @param inboundSecurityToken  the verification token resolved by the verifier
     * @throws XMLSecurityException propagated from the processor constructor
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureInputHandler
    protected void addSignatureReferenceInputProcessorToChain(InputProcessorChain inputProcessorChain, XMLSecurityProperties xMLSecurityProperties, SignatureType signatureType, InboundSecurityToken inboundSecurityToken) throws XMLSecurityException {
        final WSSSignatureReferenceVerifyInputProcessor referenceProcessor = new WSSSignatureReferenceVerifyInputProcessor(
                inputProcessorChain, signatureType, inboundSecurityToken, xMLSecurityProperties);
        inputProcessorChain.addProcessor(referenceProcessor);
    }
}
