package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.MessageDigest;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.saml.ext.OpenSAMLUtil;

/* loaded from: input_file:org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.class */
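/**
 * Common logic shared by the SAML token policy validators.
 *
 * <p>Two concerns are shared by every SAML token assertion: deciding whether the token has
 * to be present at all for the current message direction ({@link #isTokenRequired}), and
 * verifying that a received holder-of-key assertion is backed by a credential that actually
 * secured the message ({@link #checkHolderOfKey}).
 */
public abstract class AbstractSamlPolicyValidator extends AbstractTokenPolicyValidator {

    /**
     * Decides whether the token must be present in the current message, from the policy's
     * IncludeToken setting and the message direction.
     *
     * <p>{@code INCLUDE_TOKEN_NEVER} and {@code INCLUDE_TOKEN_ALWAYS} are direction independent.
     * On the requestor side only {@code INCLUDE_TOKEN_ALWAYS_TO_INITIATOR} requires the token;
     * on the recipient side {@code INCLUDE_TOKEN_ONCE} and
     * {@code INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT} do. Any other (or unknown) setting does not.
     *
     * @param token   the policy token carrying the IncludeToken setting
     * @param message the message being validated, used to determine the direction
     * @return {@code true} if the token is required in this message
     */
    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractTokenPolicyValidator
    public boolean isTokenRequired(Token token, Message message) {
        SPConstants.IncludeTokenType inclusion = token.getInclusion();
        if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER) {
            return false;
        }
        if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
            return true;
        }
        // The remaining settings depend on which side of the exchange is validating.
        if (MessageUtils.isRequestor(message)) {
            return inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR;
        }
        return inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE
            || inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT;
    }

    /**
     * Verifies the holder-of-key subject confirmation of a received assertion.
     *
     * <p>For every holder-of-key confirmation method the assertion carries, the assertion's
     * subject key info (certificate, public key or secret) must match a credential that
     * secured the message: the TLS client certificate or one of the supplied security engine
     * results. A holder-of-key assertion with no such credential at all is rejected. An
     * assertion without any holder-of-key confirmation method passes.
     *
     * @param assertionWrapper the received SAML assertion
     * @param list             security engine results (presumably the message signatures)
     *                         whose credentials may vouch for the assertion; may be
     *                         {@code null} or empty
     * @param certificateArr   the TLS client certificate chain, or {@code null} if none
     *                         was presented
     * @return {@code false} if any holder-of-key confirmation cannot be backed by a matching
     *         credential, {@code true} otherwise
     */
    public boolean checkHolderOfKey(AssertionWrapper assertionWrapper, List<WSSecurityEngineResult> list,
                                    Certificate[] certificateArr) {
        // Evaluated once: whether there is any credential at all to prove key possession with.
        boolean hasCredentials = certificateArr != null || (list != null && !list.isEmpty());
        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
        for (String confirmationMethod : confirmationMethods) {
            if (!OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
                continue;
            }
            // Holder-of-key demands proof of possession: fail closed when nothing secured the
            // message, or when what did secure it does not match the subject's key.
            if (!hasCredentials) {
                return false;
            }
            if (!compareCredentials(assertionWrapper.getSubjectKeyInfo(), list, certificateArr)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks whether the assertion's subject key info matches any credential that secured the
     * message. The TLS certificate is tried first, then each security engine result in turn
     * (by leaf certificate, by public key, then by secret key).
     *
     * @param subjectKeyInfo the assertion's subject key info; {@code null} yields {@code false}
     * @param signedResults  security engine results to compare against; {@code null} is treated
     *                       as empty
     * @param tlsCerts       the TLS client certificate chain, or {@code null}
     * @return {@code true} on the first match found
     */
    private boolean compareCredentials(SAMLKeyInfo subjectKeyInfo, List<WSSecurityEngineResult> signedResults,
                                       Certificate[] tlsCerts) {
        if (subjectKeyInfo == null) {
            // Holder-of-key assertion without usable subject key info: nothing to match against.
            return false;
        }
        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
        byte[] subjectSecret = subjectKeyInfo.getSecret();

        // Transport-level credential first.
        if (leafCertificateMatches(tlsCerts, subjectCerts)) {
            return true;
        }
        if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null
            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
            return true;
        }

        // Then the message-level results. Previously a null list here threw NPE; treat it as empty.
        if (signedResults == null) {
            return false;
        }
        for (WSSecurityEngineResult signedResult : signedResults) {
            X509Certificate[] resultCerts =
                (X509Certificate[]) signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            PublicKey resultPublicKey =
                (PublicKey) signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            byte[] resultSecret = (byte[]) signedResult.get(WSSecurityEngineResult.TAG_SECRET);

            if (leafCertificateMatches(resultCerts, subjectCerts)) {
                return true;
            }
            if (resultPublicKey != null && resultPublicKey.equals(subjectPublicKey)) {
                return true;
            }
            if (checkSecretKey(resultSecret, subjectSecret, signedResult)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares the leaf (first) certificate of two chains. Both chains must be non-null and
     * non-empty for a match; only the first entry is considered.
     *
     * @param presented the chain that secured the message
     * @param subject   the assertion's subject certificate chain
     * @return {@code true} if the leaf certificates are equal
     */
    private static boolean leafCertificateMatches(Certificate[] presented, X509Certificate[] subject) {
        return presented != null && presented.length > 0
            && subject != null && subject.length > 0
            && presented[0].equals(subject[0]);
    }

    /**
     * Compares a secret key from a security engine result with the assertion's subject secret.
     * If they differ directly, the result's principal is consulted: when it is a
     * {@link WSDerivedKeyTokenPrincipal}, the secret it exposes is compared as well
     * (presumably the underlying key from which the signing key was derived).
     *
     * <p>Key material is compared in constant time to avoid leaking how many leading bytes
     * matched.
     *
     * @param signedSecret  the secret found in the security engine result, may be {@code null}
     * @param subjectSecret the assertion's subject secret, may be {@code null}
     * @param signedResult  the result the secret came from, used to look up its principal
     * @return {@code true} if either comparison matches; {@code false} when either secret is
     *         {@code null}
     */
    private boolean checkSecretKey(byte[] signedSecret, byte[] subjectSecret,
                                   WSSecurityEngineResult signedResult) {
        if (signedSecret == null || subjectSecret == null) {
            return false;
        }
        if (MessageDigest.isEqual(signedSecret, subjectSecret)) {
            return true;
        }
        Principal principal = (Principal) signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        if (!(principal instanceof WSDerivedKeyTokenPrincipal)) {
            return false;
        }
        byte[] derivedKeySecret = ((WSDerivedKeyTokenPrincipal) principal).getSecret();
        return MessageDigest.isEqual(derivedKeySecret, subjectSecret);
    }
}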
