package org.apache.servicemix.soap.handlers.security;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import org.apache.servicemix.jbi.security.auth.AuthenticationService;
import org.apache.servicemix.jbi.security.keystore.KeystoreManager;
import org.apache.servicemix.soap.Context;
import org.apache.servicemix.soap.Handler;
import org.apache.servicemix.soap.SoapFault;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandler;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/servicemix-soap-fuse-3.2.0.0.jar:org/apache/servicemix/soap/handlers/security/WSSecurityHandler.class */
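/**
 * ServiceMix SOAP handler that delegates WS-Security processing to WSS4J's {@link WSHandler}.
 *
 * <p>On receive it runs {@code secEngine.processSecurityHeader} against the DOM of the inbound
 * message, checks certificate trust, timestamp validity and the expected set of actions, and then
 * copies every principal that WSS4J and the {@link AuthenticationService} produced onto the
 * inbound message. On send it applies the configured {@link #setSendAction sendAction} to the DOM.
 *
 * <p>Threading model: the {@link SignatureProcessor} installed through {@link ServiceMixWssConfig}
 * is a static nested class created by WSS4J, so it has no reference to the handler instance. The
 * handler therefore publishes itself in the static thread-local {@link #currentHandler} for the
 * duration of {@link #onReceive}/{@link #onSend} (see {@link #init}), and collects the
 * authenticated {@link Subject} in the per-instance thread-local {@link #currentSubject}. Both are
 * cleared in the {@code finally} blocks so a thread never carries stale security state into the
 * next exchange.
 *
 * <p>Note that the constructor calls the static {@link WSSecurityEngine#setWssConfig}, which
 * affects every {@link WSSecurityEngine} in the JVM, not just this handler.
 */
public class WSSecurityHandler extends WSHandler implements Handler {

    /** Name of the {@link Context} property holding the password handed to WSS4J. */
    private static final String PASSWORD_PROPERTY = "password";
    /** Option / context property consulted for the sender username before {@link #getUsername()}. */
    private static final String USER_PROPERTY = "user";

    // WSS4J action bit values. The numeric values are the ones the original code used inline;
    // they correspond to WSConstants.UT, SIGN, TS and UT_SIGN in WSS4J 1.5.
    private static final int ACTION_UT = 1;
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_TS = 32;
    private static final int ACTION_UT_SIGN = 64;
    /** Sender actions that cannot be performed without a username (UT | SIGN | UT_SIGN, i.e. 67). */
    private static final int ACTIONS_NEEDING_USERNAME = ACTION_UT | ACTION_SIGN | ACTION_UT_SIGN;

    /** Handler bound to the current thread while onReceive/onSend run; read by SignatureProcessor. */
    private static final ThreadLocal<WSSecurityHandler> currentHandler = new ThreadLocal<WSSecurityHandler>();

    private AuthenticationService authenticationService;
    private boolean required;
    private String sendAction;
    private String receiveAction;
    private String actor;
    private String username;
    private String keystore;
    private Crypto crypto;
    private final Map<String, Object> properties = new HashMap<String, Object>();
    private String domain = "servicemix-domain";
    private final CallbackHandler handler = new DefaultHandler();
    /** Subject populated by {@link #checkUser} during the current exchange on this thread. */
    private final ThreadLocal<Subject> currentSubject = new ThreadLocal<Subject>();

    /**
     * Password callback used for inbound processing: username tokens are authenticated through
     * {@link WSSecurityHandler#checkUser}, signature callbacks receive an empty password.
     */
    protected class DefaultHandler extends BaseSecurityCallbackHandler {
        protected DefaultHandler() {
        }

        /**
         * Answers signature (private key) callbacks with an empty password.
         * NOTE(review): presumably the key password is handled by the keystore-backed Crypto
         * rather than here — confirm before relying on this for password-protected keys.
         */
        @Override
        protected void processSignature(WSPasswordCallback callback) throws IOException, UnsupportedCallbackException {
            callback.setPassword("");
        }

        /**
         * Authenticates a username token whose password type WSS4J could not handle itself by
         * passing the identifier and password to the configured {@link AuthenticationService}.
         *
         * @throws UnsupportedCallbackException if authentication fails; the security cause is
         *         attached so the failure reason is not lost in logs
         */
        @Override
        protected void processUsernameTokenUnkown(WSPasswordCallback callback) throws IOException, UnsupportedCallbackException {
            try {
                WSSecurityHandler.this.checkUser(callback.getIdentifer(), callback.getPassword());
            } catch (GeneralSecurityException e) {
                UnsupportedCallbackException failure = new UnsupportedCallbackException(callback, "Unable to authenticate user");
                failure.initCause(e);
                throw failure;
            }
        }
    }

    /** WSS4J configuration that swaps in {@link SignatureProcessor} for signature elements. */
    private static class ServiceMixWssConfig extends WSSConfig {
        private ServiceMixWssConfig() {
        }

        /**
         * Returns the ServiceMix {@link SignatureProcessor} for {@link WSSecurityEngine#SIGNATURE},
         * otherwise defers to WSS4J's default processor lookup.
         */
        @Override
        public Processor getProcessor(QName qName) throws WSSecurityException {
            if (WSSecurityEngine.SIGNATURE.equals(qName)) {
                return new SignatureProcessor();
            }
            return super.getProcessor(qName);
        }
    }

    /**
     * Signature processor that, after WSS4J has verified the XML signature, also authenticates the
     * signer against the {@link AuthenticationService} of the handler bound to the current thread.
     */
    private static class SignatureProcessor extends org.apache.ws.security.processor.SignatureProcessor {
        private String signatureId;

        private SignatureProcessor() {
        }

        /**
         * Verifies the signature, authenticates the signer (username-token principal with its
         * password, or X.509 subject with its certificate) and prepends the engine result.
         *
         * @param returnResults WSS4J result vector; the new result is inserted at index 0
         * @throws WSSecurityException if verification fails, no handler is bound to this thread,
         *         the signature yields neither a certificate nor a username token, or
         *         authentication fails
         */
        @Override
        public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb,
                                WSDocInfo wsDocInfo, Vector returnResults, WSSConfig config) throws WSSecurityException {
            WSDocInfoStore.store(wsDocInfo);
            X509Certificate[] returnCert = new X509Certificate[1];
            HashSet signedElements = new HashSet();
            // verifyXMLSignature writes the raw signature value into slot 0.
            byte[][] signatureValue = new byte[1][];
            try {
                WSSecurityHandler owner = getCurrentHandler();
                if (owner == null) {
                    // Without a bound handler there is no AuthenticationService to check the signer against.
                    throw new WSSecurityException("Unable to authenticate user: no WSSecurityHandler is bound to the current thread");
                }
                Principal principal = verifyXMLSignature(elem, crypto, returnCert, signedElements, signatureValue);
                if (principal instanceof WSUsernameTokenPrincipal) {
                    WSUsernameTokenPrincipal utPrincipal = (WSUsernameTokenPrincipal) principal;
                    owner.checkUser(utPrincipal.getName(), utPrincipal.getPassword());
                    returnResults.add(0, new WSSecurityEngineResult(ACTION_UT_SIGN, principal, null, signedElements, signatureValue[0]));
                } else {
                    X509Certificate cert = returnCert[0];
                    if (cert == null) {
                        // Previously a NullPointerException; fail as an authentication error instead.
                        throw new WSSecurityException("Unable to authenticate user: signature verification returned neither a certificate nor a username token");
                    }
                    owner.checkUser(cert.getSubjectX500Principal().getName(), cert);
                    returnResults.add(0, new WSSecurityEngineResult(ACTION_SIGN, principal, cert, signedElements, signatureValue[0]));
                }
                this.signatureId = elem.getAttributeNS(null, "Id");
            } catch (GeneralSecurityException e) {
                throw new WSSecurityException("Unable to authenticate user", e);
            } finally {
                WSDocInfoStore.delete(wsDocInfo);
            }
        }

        /** Returns the wsu:Id of the last processed signature element, or null if none yet. */
        @Override
        public String getId() {
            return this.signatureId;
        }
    }

    /**
     * Creates the handler and installs {@link ServiceMixWssConfig} as the JVM-wide WSS4J config.
     */
    public WSSecurityHandler() {
        WSSecurityEngine.setWssConfig(new ServiceMixWssConfig());
    }

    /** Returns the handler bound to the current thread by {@link #init}, or null outside an exchange. */
    static WSSecurityHandler getCurrentHandler() {
        return currentHandler.get();
    }

    public AuthenticationService getAuthenticationService() {
        return this.authenticationService;
    }

    public void setAuthenticationService(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }

    /** Username used on send when neither the "user" option nor the "user" context property is set. */
    public String getUsername() {
        return this.username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    /** Crypto used for signing, encryption and decryption alike. */
    public Crypto getCrypto() {
        return this.crypto;
    }

    public void setCrypto(Crypto crypto) {
        this.crypto = crypto;
    }

    /** WS-Security actor/role whose header this handler processes. */
    public String getActor() {
        return this.actor;
    }

    public void setActor(String actor) {
        this.actor = actor;
    }

    /** Authentication domain passed to the {@link AuthenticationService}. */
    public String getDomain() {
        return this.domain;
    }

    public void setDomain(String domain) {
        this.domain = domain;
    }

    /** WSS4J action string applied to inbound messages (required by {@link #onReceive}). */
    public String getReceiveAction() {
        return this.receiveAction;
    }

    public void setReceiveAction(String receiveAction) {
        this.receiveAction = receiveAction;
    }

    /** WSS4J action string applied to outbound messages (required by {@link #onSend}). */
    public String getSendAction() {
        return this.sendAction;
    }

    public void setSendAction(String sendAction) {
        this.sendAction = sendAction;
    }

    @Override
    public boolean isRequired() {
        return this.required;
    }

    /** Always true: WS-Security processing needs the message as a DOM. */
    @Override
    public boolean requireDOM() {
        return true;
    }

    @Override
    public void setRequired(boolean required) {
        this.required = required;
    }

    /** Looks up a WSS4J handler option set through {@link #setOption}. */
    @Override
    public Object getOption(String key) {
        return this.properties.get(key);
    }

    public void setOption(String key, Object value) {
        this.properties.put(key, value);
    }

    /** Reads the password WSS4J should use from the "password" property of the {@link Context}. */
    @Override
    public String getPassword(Object msgContext) {
        return (String) ((Context) msgContext).getProperty(PASSWORD_PROPERTY);
    }

    /**
     * Resolves a WSS4J message-context property. The password-callback reference always resolves
     * to this handler's {@link DefaultHandler}; everything else is read from the {@link Context}.
     */
    @Override
    public Object getProperty(Object msgContext, String key) {
        if (WSHandlerConstants.PW_CALLBACK_REF.equals(key)) {
            return this.handler;
        }
        return ((Context) msgContext).getProperty(key);
    }

    @Override
    public void setPassword(Object msgContext, String password) {
        ((Context) msgContext).setProperty(PASSWORD_PROPERTY, password);
    }

    @Override
    public void setProperty(Object msgContext, String key, Object value) {
        ((Context) msgContext).setProperty(key, value);
    }

    @Override
    protected Crypto loadDecryptionCrypto(RequestData reqData) throws WSSecurityException {
        return this.crypto;
    }

    @Override
    protected Crypto loadEncryptionCrypto(RequestData reqData) throws WSSecurityException {
        return this.crypto;
    }

    @Override
    public Crypto loadSignatureCrypto(RequestData reqData) throws WSSecurityException {
        return this.crypto;
    }

    /**
     * Processes the inbound Security header.
     *
     * <p>A message without a Security header is accepted only when the receive action decodes to
     * no action at all. Otherwise the signing certificate (if any) must be trusted, the timestamp
     * (if any) must be valid, and the actions found must match the configured ones; any failure
     * is reported as a {@link SoapFault}. Principals from the WSS4J results and from the
     * {@link Subject} built by {@link #checkUser} are added to the inbound message.
     *
     * @throws IllegalStateException if no receive action is configured or the message is not a DOM
     * @throws SoapFault on any WS-Security failure
     */
    @Override
    public void onReceive(Context context) throws Exception {
        RequestData reqData = new RequestData();
        init(context);
        try {
            reqData.setNoSerialization(true);
            reqData.setMsgContext(context);
            Vector actions = new Vector();
            String action = this.receiveAction;
            if (action == null) {
                throw new IllegalStateException("WSSecurityHandler: No receiveAction defined");
            }
            int doAction = WSSecurityUtil.decodeAction(action, actions);
            Document doc = requireDocument(context);
            doReceiverAction(doAction, reqData);
            try {
                Vector wsResult = secEngine.processSecurityHeader(doc, this.actor, this.handler,
                        reqData.getSigCrypto(), reqData.getDecCrypto());
                if (wsResult == null) {
                    if (doAction != 0) {
                        throw new SoapFault(new WSSecurityException("WSSecurityHandler: Request does not contain required Security header"));
                    }
                    return;
                }
                if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
                    checkSignatureConfirmation(reqData, wsResult);
                }
                verifySignatureTrust(wsResult, reqData);
                verifyTimestampResult(wsResult, reqData);
                if (!checkReceiverResults(wsResult, actions)) {
                    throw new SoapFault(new WSSecurityException("WSSecurityHandler: security processing failed (actions mismatch)"));
                }
                Vector handlerResults = recordResults(context, wsResult);
                propagatePrincipals(context, handlerResults);
            } catch (WSSecurityException e) {
                throw new SoapFault(e);
            }
        } finally {
            // Always unbind thread state, including on the early return and on faults.
            // The decompiled listing stored Boolean.FALSE here; with typed thread-locals that
            // cannot compile, and null is the value that marks "nothing bound".
            reqData.clear();
            this.currentSubject.set(null);
            currentHandler.set(null);
        }
    }

    /** Rejects the message when a signature result carries a certificate that is not trusted. */
    private void verifySignatureTrust(Vector wsResult, RequestData reqData) throws WSSecurityException, SoapFault {
        WSSecurityEngineResult signResult = WSSecurityUtil.fetchActionResult(wsResult, ACTION_SIGN);
        if (signResult == null) {
            return;
        }
        X509Certificate cert = signResult.getCertificate();
        if (cert != null && !verifyTrust(cert, reqData)) {
            throw new SoapFault(new WSSecurityException("WSSecurityHandler: the certificate used for the signature is not trusted"));
        }
    }

    /** Rejects the message when a timestamp result is present but outside the configured time-to-live. */
    private void verifyTimestampResult(Vector wsResult, RequestData reqData) throws WSSecurityException, SoapFault {
        WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(wsResult, ACTION_TS);
        if (tsResult == null) {
            return;
        }
        Timestamp timestamp = tsResult.getTimestamp();
        if (timestamp != null && !verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
            throw new SoapFault(new WSSecurityException("WSSecurityHandler: the timestamp could not be validated"));
        }
    }

    /**
     * Prepends this handler's results to the {@code RECV_RESULTS} vector of the context, creating
     * the vector on first use, and returns that vector.
     */
    private Vector recordResults(Context context, Vector wsResult) {
        Vector handlerResults = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            handlerResults = new Vector();
            context.setProperty(WSHandlerConstants.RECV_RESULTS, handlerResults);
        }
        handlerResults.add(0, new WSHandlerResult(this.actor, wsResult));
        return handlerResults;
    }

    /**
     * Adds every principal found in the accumulated handler results, plus the principals of the
     * Subject authenticated on this thread (if any), to the inbound message.
     */
    private void propagatePrincipals(Context context, Vector handlerResults) {
        for (Object resultObj : handlerResults) {
            WSHandlerResult handlerResult = (WSHandlerResult) resultObj;
            for (Object engineResultObj : handlerResult.getResults()) {
                WSSecurityEngineResult engineResult = (WSSecurityEngineResult) engineResultObj;
                if (engineResult.getPrincipal() != null) {
                    context.getInMessage().addPrincipal(engineResult.getPrincipal());
                }
            }
        }
        Subject subject = this.currentSubject.get();
        if (subject != null) {
            for (Principal principal : subject.getPrincipals()) {
                context.getInMessage().addPrincipal(principal);
            }
        }
    }

    /** No-op: replies are not secured by this handler. */
    @Override
    public void onReply(Context context) throws Exception {
    }

    /** No-op: faults are not secured by this handler. */
    @Override
    public void onFault(Context context) throws Exception {
    }

    /**
     * Applies the configured send action to the outbound message.
     *
     * <p>Nothing is done when the action decodes to no action. The username is taken from the
     * "user" option, then the "user" context property, then {@link #getUsername()}; it must be
     * non-empty for username-token and signature actions.
     *
     * @throws IllegalStateException if no send action is configured, a username is required but
     *         empty, or the message is not a DOM
     * @throws SoapFault on any WS-Security failure
     */
    @Override
    public void onSend(Context context) throws Exception {
        RequestData reqData = new RequestData();
        reqData.setMsgContext(context);
        init(context);
        try {
            try {
                Vector actions = new Vector();
                String action = this.sendAction;
                if (action == null) {
                    throw new IllegalStateException("WSSecurityHandler: No sendAction defined");
                }
                int doAction = WSSecurityUtil.decodeAction(action, actions);
                if (doAction == 0) {
                    return;
                }
                reqData.setUsername(resolveSenderUsername(reqData));
                if ((doAction & ACTIONS_NEEDING_USERNAME) != 0 && isNullOrEmpty(reqData.getUsername())) {
                    throw new IllegalStateException("WSSecurityHandler: Empty username for specified action");
                }
                Document doc = requireDocument(context);
                doSenderAction(doAction, doc, reqData, actions, true);
            } catch (WSSecurityException e) {
                throw new SoapFault(e);
            }
        } finally {
            // See onReceive: unbind thread state with null, not Boolean.FALSE.
            reqData.clear();
            currentHandler.set(null);
        }
    }

    /**
     * Resolves the sender username: the "user" option if non-empty, else the "user" context
     * property if set (even when empty), else the configured {@link #getUsername()}.
     */
    private String resolveSenderUsername(RequestData reqData) {
        String optionUser = (String) getOption(USER_PROPERTY);
        if (!isNullOrEmpty(optionUser)) {
            return optionUser;
        }
        String contextUser = (String) getProperty(reqData.getMsgContext(), USER_PROPERTY);
        return contextUser != null ? contextUser : this.username;
    }

    /** True for null or the empty string (the original's {@code == null || equals("")} test). */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.equals("");
    }

    /**
     * Returns the DOM of the inbound message.
     *
     * @throws IllegalStateException if the message has not been parsed into a DOM
     */
    private static Document requireDocument(Context context) {
        Document doc = context.getInMessage().getDocument();
        if (doc == null) {
            throw new IllegalStateException("WSSecurityHandler: The soap message has not been parsed using DOM");
        }
        return doc;
    }

    /** No-op: answers are not secured by this handler. */
    @Override
    public void onAnswer(Context context) {
    }

    /**
     * Authenticates a user against the configured {@link AuthenticationService}, accumulating
     * principals in the Subject bound to the current thread (created on first use).
     *
     * @param user        user name (or certificate subject DN for signature-based authentication)
     * @param credentials password or {@link X509Certificate}, as the service expects
     * @throws IllegalArgumentException if no authentication service is configured
     * @throws GeneralSecurityException if authentication fails
     */
    protected void checkUser(String user, Object credentials) throws GeneralSecurityException {
        if (this.authenticationService == null) {
            throw new IllegalArgumentException("authenticationService is null");
        }
        Subject subject = this.currentSubject.get();
        if (subject == null) {
            subject = new Subject();
            this.currentSubject.set(subject);
        }
        this.authenticationService.authenticate(subject, this.domain, user, credentials);
    }

    /** Name of the keystore (resolved via the context's {@link KeystoreManager}) backing the Crypto. */
    public String getKeystore() {
        return this.keystore;
    }

    public void setKeystore(String keystore) {
        this.keystore = keystore;
    }

    /**
     * Binds this handler to the current thread and resets the per-thread Subject. An
     * {@link AuthenticationService} present in the context replaces the configured one, and a
     * {@link KeystoreManager} in the context is used to build the Crypto on first use.
     */
    protected void init(Context context) {
        this.currentSubject.set(null);
        currentHandler.set(this);
        Object contextAuthService = context.getProperty(Context.AUTHENTICATION_SERVICE);
        if (contextAuthService != null) {
            setAuthenticationService((AuthenticationService) contextAuthService);
        }
        if (this.crypto == null) {
            Object keystoreManager = context.getProperty(Context.KEYSTORE_MANAGER);
            if (keystoreManager != null) {
                setCrypto(new KeystoreInstanceCrypto((KeystoreManager) keystoreManager, this.keystore));
            }
        }
    }
}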
