package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.PKIPathSecurity;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.Timestamp;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.EncryptionToken;
import org.apache.wss4j.policy.model.ProtectionToken;
import org.apache.wss4j.policy.model.SignatureToken;
import org.apache.wss4j.policy.model.X509Token;
import org.w3c.dom.Element;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/layers/base/org/apache/cxf/ws-security/main/cxf-rt-ws-security-3.1.6.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.class */
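/**
 * Shared checks for the symmetric and asymmetric WS-SecurityPolicy bindings: timestamp presence and
 * signing, "only sign entire headers and body", signature encryption, protection order, derived-key
 * use and token protection. Each check reads the {@link WSSecurityEngineResult}s produced by WSS4J
 * when the inbound security header was processed.
 *
 * <p>This listing was recovered by a decompiler. Methods the decompiler widened from
 * {@code protected} to {@code public} keep {@code public} here so existing callers are unaffected.
 * Every check fails closed: missing or malformed result data counts as "not satisfied".
 */
public abstract class AbstractBindingPolicyValidator implements SecurityPolicyValidator {

    /**
     * QName of the XML-DSig {@code Signature} element. A signature whose only data reference is
     * another Signature (typically an endorsing signature) is not counted as message signing when
     * the protection order is checked.
     */
    private static final QName SIG_QNAME = new QName("http://www.w3.org/2000/09/xmldsig#", "Signature");

    /*
     * WSS4J action codes stored under WSSecurityEngineResult.TAG_ACTION ("action"). The values are
     * those of the constants of the same name in org.apache.wss4j.dom.WSConstants, mirrored here so
     * the intent of each comparison is readable without that import.
     */
    private static final int ACTION_SIGN = 2;         // WSConstants.SIGN
    private static final int ACTION_ENCR = 4;         // WSConstants.ENCR
    private static final int ACTION_ST_UNSIGNED = 8;  // WSConstants.ST_UNSIGNED
    private static final int ACTION_ST_SIGNED = 16;   // WSConstants.ST_SIGNED
    private static final int ACTION_TS = 32;          // WSConstants.TS
    private static final int ACTION_SC = 128;         // WSConstants.SC (SignatureConfirmation)

    /**
     * Validates the Timestamp requirement of a binding.
     *
     * <p>With {@code includeTimestamp} set, exactly one Timestamp result must exist and, unless
     * {@code transportBinding} is set, its element must be covered by one of the signatures in
     * {@code signedResults}. Without {@code includeTimestamp}, no Timestamp result may exist.
     * Declared {@code protected} in the original source.
     *
     * @param includeTimestamp whether the binding requires a Timestamp
     * @param transportBinding when {@code true} the Timestamp is not required to be signed
     * @param results          results of processing the inbound security header
     * @param signedResults    the signature results (subset of {@code results})
     * @param message          the current message; not inspected by this method
     * @return {@code true} when the received Timestamp matches the requirement
     */
    public boolean validateTimestamp(boolean includeTimestamp, boolean transportBinding,
                                     WSHandlerResult results, List<WSSecurityEngineResult> signedResults,
                                     Message message) {
        List<WSSecurityEngineResult> timestampResults = results.getActionResults().get(ACTION_TS);

        if (!includeTimestamp) {
            // A Timestamp that the policy did not ask for is rejected
            return timestampResults == null || timestampResults.isEmpty();
        }
        if (timestampResults == null || timestampResults.size() != 1) {
            return false;
        }
        if (transportBinding) {
            return true;
        }
        if (signedResults.isEmpty()) {
            return false;
        }

        Timestamp timestamp = (Timestamp) timestampResults.get(0).get(WSSecurityEngineResult.TAG_TIMESTAMP);
        if (timestamp == null) {
            // A Timestamp result without the parsed token cannot be shown to be signed
            return false;
        }
        Element timestampElement = timestamp.getElement();
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> dataRefs = dataRefsOf(signedResult);
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                // Identity comparison: the signed element must be this very Timestamp node
                if (timestampElement == dataRef.getProtectedElement()) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Checks that every signed element is an entire SOAP header block, a child of the Security
     * header, or the entire SOAP Body (the {@code OnlySignEntireHeadersAndBody} assertion).
     *
     * @param signedResults the signature results to inspect
     * @return {@code false} as soon as one signed element with an XPath violates the rule
     */
    protected boolean validateEntireHeaderAndBodySignatures(List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> dataRefs = dataRefsOf(signedResult);
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                String xpath = dataRef.getXpath();
                // Data references without an XPath are not checked (as in the original code)
                if (xpath != null && !isEntireHeaderOrBodyXPath(xpath)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Decides whether the XPath of a signed element denotes an entire header block, a child of the
     * Security header, or the entire Body. The path is split on {@code "/"}; index 2 is expected to
     * be the Header or Body element (i.e. the path presumably starts at the Envelope).
     *
     * @param xpath XPath of the signed element
     * @return {@code true} when the path is acceptable for OnlySignEntireHeadersAndBody
     */
    private static boolean isEntireHeaderOrBodyXPath(String xpath) {
        String[] segments = StringUtils.split(xpath, "/");
        int depth = segments.length;
        if (depth < 3 || depth > 5) {
            return false;
        }
        // NOTE(review): substring matching is inherited from the original code, so any element name
        // containing "Header"/"Body"/"Security" passes, not only the SOAP and WSS elements.
        boolean underHeader = segments[2].contains("Header");
        boolean underBody = segments[2].contains("Body");
        if (!underHeader && !underBody) {
            return false;
        }
        if (depth == 5 && !segments[3].contains("Security")) {
            // Five segments are only allowed for a child of the Security header
            return false;
        }
        // A child of the Body is not the entire Body
        return !(depth == 4 && underBody);
    }

    /**
     * Checks the properties common to the symmetric and asymmetric bindings: IncludeTimestamp,
     * OnlySignEntireHeadersAndBody and EncryptSignature. ProtectTokens is asserted here without a
     * check. Each property is asserted in {@code aim} once it is found satisfied; the first failure
     * marks {@code ai} as not asserted and stops. Declared {@code protected} in the original source.
     *
     * @param binding       the binding whose properties are checked
     * @param ai            the assertion to mark on failure
     * @param aim           the assertion map in which satisfied properties are asserted
     * @param results       results of processing the inbound security header
     * @param signedResults the signature results
     * @param message       the current message; only passed on to {@link #validateTimestamp}
     * @return {@code true} when all checked properties are satisfied
     */
    public boolean checkProperties(AbstractSymmetricAsymmetricBinding binding, AssertionInfo ai,
                                   AssertionInfoMap aim, WSHandlerResult results,
                                   List<WSSecurityEngineResult> signedResults, Message message) {
        if (!validateTimestamp(binding.isIncludeTimestamp(), false, results, signedResults, message)) {
            ai.setNotAsserted("Received Timestamp does not match the requirements");
            return false;
        }
        String namespace = binding.getName().getNamespaceURI();
        PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.INCLUDE_TIMESTAMP));

        if (binding.isOnlySignEntireHeadersAndBody() && !validateEntireHeaderAndBodySignatures(signedResults)) {
            ai.setNotAsserted("OnlySignEntireHeadersAndBody does not match the requirements");
            return false;
        }
        PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));

        // The signature must be encrypted somewhere in the full result list, not only among signedResults
        if (binding.isEncryptSignature() && !isSignatureEncrypted(results.getResults())) {
            ai.setNotAsserted("The signature is not protected");
            return false;
        }
        PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ENCRYPT_SIGNATURE));

        PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.PROTECT_TOKENS));
        return true;
    }

    /**
     * Checks the binding's ProtectionOrder against the order in which signature and encryption
     * results appear. A {@code null} or unrecognised protection order passes without asserting
     * anything. Declared {@code protected} in the original source.
     *
     * @param binding the binding whose protection order is checked
     * @param aim     the assertion map in which the satisfied order is asserted
     * @param ai      the assertion to mark on failure
     * @param results results of processing the inbound security header, in processing order
     * @return {@code true} when the observed order matches the policy
     */
    public boolean checkProtectionOrder(AbstractSymmetricAsymmetricBinding binding, AssertionInfoMap aim,
                                        AssertionInfo ai, List<WSSecurityEngineResult> results) {
        AbstractSymmetricAsymmetricBinding.ProtectionOrder order = binding.getProtectionOrder();
        String namespace = binding.getName().getNamespaceURI();

        if (order == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
            // With ProtectTokens the order check is skipped and the assertion is simply asserted
            if (!binding.isProtectTokens() && isSignedBeforeEncrypted(results)) {
                ai.setNotAsserted("Not encrypted before signed");
                return false;
            }
            PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING));
            return true;
        }
        if (order == AbstractSymmetricAsymmetricBinding.ProtectionOrder.SignBeforeEncrypting) {
            if (isEncryptedBeforeSigned(results)) {
                ai.setNotAsserted("Not signed before encrypted");
                return false;
            }
            PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING));
            return true;
        }
        return true;
    }

    /**
     * Returns {@code true} when a message signature precedes the first encryption result.
     *
     * @param results results in processing order
     * @return {@code true} if a (non-endorsing) signature was seen before the first encryption;
     *         {@code false} when there is no encryption result at all
     */
    private boolean isSignedBeforeEncrypted(List<WSSecurityEngineResult> results) {
        boolean signed = false;
        for (WSSecurityEngineResult result : results) {
            int action = actionOf(result);
            List<WSDataRef> dataRefs = dataRefsOf(result);
            if (isMessageSignature(action, dataRefs)) {
                signed = true;
            }
            if (isEncryption(action, dataRefs)) {
                return signed;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} when an encryption result precedes the first message signature.
     *
     * @param results results in processing order
     * @return {@code true} if encryption was seen before the first (non-endorsing) signature;
     *         {@code false} when there is no such signature at all
     */
    private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
        boolean encrypted = false;
        for (WSSecurityEngineResult result : results) {
            int action = actionOf(result);
            List<WSDataRef> dataRefs = dataRefsOf(result);
            if (isEncryption(action, dataRefs)) {
                encrypted = true;
            }
            if (isMessageSignature(action, dataRefs)) {
                return encrypted;
            }
        }
        return false;
    }

    /**
     * A signature result counts as message signing unless its only data reference is another
     * Signature element (an endorsing signature) or it carries no data references.
     */
    private static boolean isMessageSignature(int action, List<WSDataRef> dataRefs) {
        if (action != ACTION_SIGN || dataRefs == null) {
            return false;
        }
        // Null-safe: a reference without a name is not an endorsing signature
        return !(dataRefs.size() == 1 && SIG_QNAME.equals(dataRefs.get(0).getName()));
    }

    /** An encryption result counts only when it carries data references. */
    private static boolean isEncryption(int action, List<WSDataRef> dataRefs) {
        return action == ACTION_ENCR && dataRefs != null;
    }

    /**
     * Checks the RequireDerivedKeys property of an X509 token wrapper: when the token requires
     * derived keys and the message was protected without them, the check fails. Tokens other than
     * {@link X509Token}, or without RequireDerivedKeys, always pass. Declared {@code protected} in
     * the original source.
     *
     * @param tokenWrapper     the signature, encryption or protection token wrapper
     * @param hasDerivedKeys   whether derived keys were used for the protection (as reported by the caller)
     * @param signedResults    the signature results
     * @param encryptedResults the encryption results
     * @return {@code true} when the derived-key requirement is satisfied or not applicable
     */
    public boolean checkDerivedKeys(AbstractTokenWrapper tokenWrapper, boolean hasDerivedKeys,
                                    List<WSSecurityEngineResult> signedResults,
                                    List<WSSecurityEngineResult> encryptedResults) {
        AbstractToken token = tokenWrapper.getToken();
        boolean requiresDerivedKeys = token.getDerivedKeys() == AbstractToken.DerivedKeys.RequireDerivedKeys;
        if (!(token instanceof X509Token) || !requiresDerivedKeys) {
            return true;
        }
        if (hasDerivedKeys) {
            return true;
        }
        if (tokenWrapper instanceof EncryptionToken) {
            return encryptedResults.isEmpty();
        }
        if (tokenWrapper instanceof SignatureToken) {
            return signedResults.isEmpty();
        }
        if (tokenWrapper instanceof ProtectionToken) {
            // A protection token fails only when both signing and encryption happened without derived keys
            return signedResults.isEmpty() || encryptedResults.isEmpty();
        }
        return true;
    }

    /**
     * Checks that every signature also covers the token it was made with (the ProtectTokens
     * requirement). For each signature result the token is located via the certificate or public key
     * recorded in the result, and the token element must appear among the signature's references.
     *
     * @param results       results of processing the inbound security header
     * @param signedResults the signature results to check
     * @return {@code true} when each signature's token is found and signed
     */
    protected boolean isTokenProtected(List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            WSSecurityEngineResult token = findCorrespondingToken(signedResult, results);
            if (token == null) {
                return false;
            }
            Object tokenElement = token.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (!signatureCovers(signedResult, tokenElement)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code true} when one of the signature's data references protects {@code target}.
     * A missing reference list or a {@code null} target never matches.
     */
    private static boolean signatureCovers(WSSecurityEngineResult signedResult, Object target) {
        List<WSDataRef> dataRefs = dataRefsOf(signedResult);
        if (dataRefs == null) {
            return false;
        }
        for (WSDataRef dataRef : dataRefs) {
            Element protectedElement = dataRef.getProtectedElement();
            if (protectedElement != null && protectedElement.equals(target)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Finds the token result whose key material matches the certificate or public key recorded in a
     * signature result. X509/PKIPath binary security tokens are matched on certificate, SAML
     * assertions on the subject's first certificate or public key, anything else on public key.
     * Absent key material on either side never matches, so a result that lacks the expected
     * certificate or assertion is skipped instead of throwing.
     *
     * @param signatureResult the signature result to find the token for
     * @param results         results of processing the inbound security header
     * @return the matching token result, or {@code null} if none is found
     */
    private WSSecurityEngineResult findCorrespondingToken(WSSecurityEngineResult signatureResult,
                                                          List<WSSecurityEngineResult> results) {
        X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);

        for (WSSecurityEngineResult token : results) {
            int action = actionOf(token);
            if (action == ACTION_SIGN) {
                continue; // signature results are never tokens
            }
            BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
                X509Certificate tokenCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (tokenCert != null && tokenCert.equals(cert)) {
                    return token;
                }
            } else if (action == ACTION_ST_SIGNED || action == ACTION_ST_UNSIGNED) {
                SamlAssertionWrapper assertion = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                SAMLKeyInfo subjectKeyInfo = assertion == null ? null : assertion.getSubjectKeyInfo();
                if (subjectKeyInfo != null && samlSubjectMatches(subjectKeyInfo, cert, publicKey)) {
                    return token;
                }
            } else {
                PublicKey tokenPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
                if (publicKey != null && publicKey.equals(tokenPublicKey)) {
                    return token;
                }
            }
        }
        return null;
    }

    /**
     * Matches a SAML subject's key material against the signature's certificate or public key.
     * Only the first subject certificate is compared; an empty certificate array is treated as
     * "no certificate" rather than indexed.
     */
    private static boolean samlSubjectMatches(SAMLKeyInfo subjectKeyInfo, X509Certificate cert, PublicKey publicKey) {
        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
        if (cert != null && subjectCerts != null && subjectCerts.length > 0 && cert.equals(subjectCerts[0])) {
            return true;
        }
        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
        return subjectPublicKey != null && subjectPublicKey.equals(publicKey);
    }

    /**
     * Checks that the primary signature and every SignatureConfirmation element are encrypted.
     * Results are walked from the end, so the last signature result is taken as the primary
     * signature; earlier signature results are not required to be encrypted.
     *
     * @param results results of processing the inbound security header, in processing order
     * @return {@code false} if the primary signature or a SignatureConfirmation is missing its
     *         element or is not covered by an encryption result
     */
    protected boolean isSignatureEncrypted(List<WSSecurityEngineResult> results) {
        boolean primarySignatureSeen = false;
        for (int i = results.size() - 1; i >= 0; i--) {
            WSSecurityEngineResult result = results.get(i);
            int action = actionOf(result);

            boolean mustBeEncrypted;
            if (action == ACTION_SIGN && !primarySignatureSeen) {
                primarySignatureSeen = true;
                mustBeEncrypted = true;
            } else {
                mustBeEncrypted = action == ACTION_SC;
            }
            if (mustBeEncrypted) {
                Element element = (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
                if (element == null || !isElementEncrypted(element, results)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns {@code true} when some encryption result's data references protect {@code element}.
     *
     * @param element the element that must be encrypted
     * @param results results of processing the inbound security header
     */
    private boolean isElementEncrypted(Element element, List<WSSecurityEngineResult> results) {
        for (WSSecurityEngineResult result : results) {
            if (actionOf(result) != ACTION_ENCR) {
                continue;
            }
            List<WSDataRef> dataRefs = dataRefsOf(result);
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                if (element.equals(dataRef.getProtectedElement())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Reads the WSS4J action code of a result; every WSS4J result is expected to carry one. */
    private static int actionOf(WSSecurityEngineResult result) {
        return ((Integer) result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
    }

    /** Reads a result's data references, or {@code null} when the result carries none. */
    private static List<WSDataRef> dataRefsOf(WSSecurityEngineResult result) {
        return CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    }
}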
