package org.apache.wss4j.dom.str;

import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.bsp.BSPEnforcer;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.BinarySecurity;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.message.token.PKIPathSecurity;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
import org.apache.wss4j.dom.message.token.X509Security;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-020.zip:modules/system/layers/fuse/org/apache/ws/security/2.0/wss4j-ws-security-dom-2.0.3.jar:org/apache/wss4j/dom/str/STRParserUtil.class */
/**
 * Static helpers for code that resolves a {@code SecurityTokenReference} (STR): looking up the
 * SAML assertion a key identifier points at, and reporting Basic Security Profile (BSP) rule
 * violations for the different token kinds an STR can reference.
 *
 * <p>Every input here comes from the security header of an incoming message and should be
 * treated as untrusted. The compliance checks only <em>report</em> a rule to the supplied
 * {@link BSPEnforcer}; whether a reported rule rejects the message is decided by the enforcer,
 * not by this class.
 */
public final class STRParserUtil {

    // ValueType / TokenType URIs compared against below (X.509 token profile 1.0).
    private static final String X509_V3_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String X509_PKI_PATH_V1_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";
    private static final String X509_SUBJECT_KEY_IDENTIFIER_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier";

    // SOAP message security 1.1.
    private static final String THUMBPRINT_SHA1_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";
    private static final String ENCRYPTED_KEY_SHA1_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1";
    private static final String ENCRYPTED_KEY_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";

    // Kerberos token profile 1.1.
    private static final String KERBEROS_GSS_AP_REQ_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
    private static final String KERBEROS_AP_REQ_SHA1_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1";

    // SAML token profile 1.0 / 1.1.
    private static final String SAML1_KEY_IDENTIFIER_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    private static final String SAML2_KEY_IDENTIFIER_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";
    private static final String SAML1_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    // Username token profile 1.0.
    private static final String USERNAME_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken";

    /** Local name an element must carry to be accepted as a SAML assertion. */
    private static final String SAML_ASSERTION_LOCAL_NAME = "Assertion";

    /** Message key used for every failure raised by {@link #getAssertionFromKeyIdentifier}. */
    private static final String INVALID_SAML_MESSAGE_KEY = "invalidSAMLsecurity";

    private STRParserUtil() {
        // static helpers only
    }

    /** Returns {@code true} when {@code value} is {@code null} or the empty string. */
    private static boolean isNullOrEmpty(String value) {
        return value == null || "".equals(value);
    }

    /** Returns {@code true} when the wrapper holds a SAML 1.x assertion. */
    private static boolean holdsSaml1(SamlAssertionWrapper wrapper) {
        return wrapper.getSaml1() != null;
    }

    /** Returns {@code true} when the wrapper holds a SAML 2.0 assertion. */
    private static boolean holdsSaml2(SamlAssertionWrapper wrapper) {
        return wrapper.getSaml2() != null;
    }

    /**
     * Resolves the SAML assertion referenced by the key identifier of an STR.
     *
     * <p>Lookup order: (1) a result already recorded in {@code wSDocInfo} under the key
     * identifier value, (2) an already-processed token element, (3) an unprocessed token
     * element, which is then run through the processor registered for
     * {@link WSSecurityEngine#SAML_TOKEN}.
     *
     * @param securityTokenReference the STR carrying the key identifier
     * @param element an element of the message; only its owner document is used for the search
     * @param requestData supplies the callback handler and the processor configuration
     * @param wSDocInfo per-document state holding earlier processing results
     * @return the referenced assertion; on path (1) this is whatever the recorded result stores
     *         under {@link WSSecurityEngineResult#TAG_SAML_ASSERTION}
     * @throws WSSecurityException with {@code FAILURE} / {@code "invalidSAMLsecurity"} when the
     *         element found is missing or its local name is not {@code Assertion}
     */
    public static SamlAssertionWrapper getAssertionFromKeyIdentifier(SecurityTokenReference securityTokenReference, Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        String keyId = securityTokenReference.getKeyIdentifierValue();
        String keyIdType = securityTokenReference.getKeyIdentifierValueType();

        // (1) Reuse a result that earlier processing stored under this identifier.
        // NOTE(review): the kind of the recorded result is not checked here, so this can
        // presumably return null when the identifier names a non-SAML result. Callers should
        // treat null as a failed lookup; confirm against callers.
        WSSecurityEngineResult recorded = wSDocInfo.getResult(keyId);
        if (recorded != null) {
            return (SamlAssertionWrapper) recorded.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        }

        // (2) A token element that has already been processed is wrapped directly.
        // NOTE(review): only the local name is compared, not the namespace, and no validation
        // happens on this path. This presumably relies on the element having been validated
        // when it was processed; confirm.
        Element processed = securityTokenReference.findProcessedTokenElement(
            element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler(), keyId, keyIdType);
        if (processed != null) {
            if (!SAML_ASSERTION_LOCAL_NAME.equals(processed.getLocalName())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, INVALID_SAML_MESSAGE_KEY, new Object[0]);
            }
            return new SamlAssertionWrapper(processed);
        }

        // (3) Otherwise the token must exist unprocessed and be an Assertion element.
        Element unprocessed = securityTokenReference.findUnprocessedTokenElement(
            element.getOwnerDocument(), wSDocInfo, requestData.getCallbackHandler(), keyId, keyIdType);
        boolean isAssertion = unprocessed != null
            && SAML_ASSERTION_LOCAL_NAME.equals(unprocessed.getLocalName());
        if (!isAssertion) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, INVALID_SAML_MESSAGE_KEY, new Object[0]);
        }

        // Hand the element to the configured SAML processor and take its first result.
        // NOTE(review): assumes a processor is registered for SAML_TOKEN and that it returns
        // at least one result; otherwise this line fails with an unchecked exception.
        return (SamlAssertionWrapper) requestData.getWssConfig()
            .getProcessor(WSSecurityEngine.SAML_TOKEN)
            .handleToken(unprocessed, requestData, wSDocInfo)
            .get(0)
            .get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
    }

    /**
     * Reports BSP violations for an STR that refers to a binary security token.
     *
     * <ul>
     *   <li>R3058: the STR is a direct reference whose ValueType does not match the token class
     *       (X.509 v3, PKIPath, or, only when a ValueType is present, Kerberos AP-REQ).</li>
     *   <li>R3063: the STR is a key identifier whose ValueType is not one of the four accepted
     *       ones.</li>
     *   <li>R5215: the token is a PKIPath token but the STR TokenType is not the PKIPath URI.</li>
     * </ul>
     *
     * @param securityTokenReference the STR under inspection
     * @param binarySecurity the token the STR resolved to
     * @param bSPEnforcer receiver of the rule reports
     * @throws WSSecurityException propagated from the STR accessors or the enforcer
     */
    public static void checkBinarySecurityBSPCompliance(SecurityTokenReference securityTokenReference, BinarySecurity binarySecurity, BSPEnforcer bSPEnforcer) throws WSSecurityException {
        if (securityTokenReference.containsReference()) {
            String referenceValueType = securityTokenReference.getReference().getValueType();

            boolean x509Mismatch = binarySecurity instanceof X509Security
                && !X509_V3_TYPE.equals(referenceValueType);
            boolean pkiPathMismatch = binarySecurity instanceof PKIPathSecurity
                && !X509_PKI_PATH_V1_TYPE.equals(referenceValueType);
            // A Kerberos reference may omit the ValueType; it is only checked when present.
            boolean kerberosMismatch = binarySecurity instanceof KerberosSecurity
                && !isNullOrEmpty(referenceValueType)
                && !KERBEROS_GSS_AP_REQ_TYPE.equals(referenceValueType);

            if (x509Mismatch || pkiPathMismatch || kerberosMismatch) {
                bSPEnforcer.handleBSPRule(BSPRule.R3058);
            }
        } else if (securityTokenReference.containsKeyIdentifier()) {
            String keyIdType = securityTokenReference.getKeyIdentifierValueType();
            boolean accepted = X509_SUBJECT_KEY_IDENTIFIER_TYPE.equals(keyIdType)
                || THUMBPRINT_SHA1_TYPE.equals(keyIdType)
                || KERBEROS_AP_REQ_SHA1_TYPE.equals(keyIdType)
                || X509_V3_TYPE.equals(keyIdType);
            if (!accepted) {
                bSPEnforcer.handleBSPRule(BSPRule.R3063);
            }
        }

        // The TokenType is consulted for PKIPath tokens only.
        if (binarySecurity instanceof PKIPathSecurity
                && !X509_PKI_PATH_V1_TYPE.equals(securityTokenReference.getTokenType())) {
            bSPEnforcer.handleBSPRule(BSPRule.R5215);
        }
    }

    /**
     * Reports BSP violations for an STR that refers to an EncryptedKey.
     *
     * <p>R3063 is reported when a key identifier is present with a ValueType other than
     * EncryptedKeySHA1; R5215 when the TokenType is not the EncryptedKey URI.
     *
     * @param securityTokenReference the STR under inspection
     * @param bSPEnforcer receiver of the rule reports
     * @throws WSSecurityException propagated from the STR accessors or the enforcer
     */
    public static void checkEncryptedKeyBSPCompliance(SecurityTokenReference securityTokenReference, BSPEnforcer bSPEnforcer) throws WSSecurityException {
        if (securityTokenReference.containsKeyIdentifier()) {
            String keyIdType = securityTokenReference.getKeyIdentifierValueType();
            if (!ENCRYPTED_KEY_SHA1_TYPE.equals(keyIdType)) {
                bSPEnforcer.handleBSPRule(BSPRule.R3063);
            }
        }

        String tokenType = securityTokenReference.getTokenType();
        if (!ENCRYPTED_KEY_TOKEN_TYPE.equals(tokenType)) {
            bSPEnforcer.handleBSPRule(BSPRule.R5215);
        }
    }

    /**
     * Reports BSP violations for an STR that refers to a SAML assertion.
     *
     * <p>Key identifier checks (only when the STR contains one): R6603 / R6616 for a ValueType
     * that does not match the SAML 1.x / 2.0 assertion, R6604 when an EncodingType is present.
     * TokenType checks: R6611 (SAML 1.x) and R6617 (SAML 2.0). Finally R6614 is reported when a
     * SAML 2.0 assertion is referenced by a direct reference that carries a ValueType.
     *
     * @param securityTokenReference the STR under inspection
     * @param samlAssertionWrapper the assertion the STR resolved to; dereferenced without a
     *        null check, so it must not be {@code null}
     * @param bSPEnforcer receiver of the rule reports
     * @throws WSSecurityException propagated from the STR accessors or the enforcer
     */
    public static void checkSamlTokenBSPCompliance(SecurityTokenReference securityTokenReference, SamlAssertionWrapper samlAssertionWrapper, BSPEnforcer bSPEnforcer) throws WSSecurityException {
        if (securityTokenReference.containsKeyIdentifier()) {
            String keyIdType = securityTokenReference.getKeyIdentifierValueType();
            if (holdsSaml1(samlAssertionWrapper) && !SAML1_KEY_IDENTIFIER_TYPE.equals(keyIdType)) {
                bSPEnforcer.handleBSPRule(BSPRule.R6603);
            }
            if (holdsSaml2(samlAssertionWrapper) && !SAML2_KEY_IDENTIFIER_TYPE.equals(keyIdType)) {
                bSPEnforcer.handleBSPRule(BSPRule.R6616);
            }
            // Any non-empty EncodingType on a SAML key identifier is reported.
            if (!isNullOrEmpty(securityTokenReference.getKeyIdentifierEncodingType())) {
                bSPEnforcer.handleBSPRule(BSPRule.R6604);
            }
        }

        String tokenType = securityTokenReference.getTokenType();
        if (holdsSaml1(samlAssertionWrapper) && !SAML1_TOKEN_TYPE.equals(tokenType)) {
            bSPEnforcer.handleBSPRule(BSPRule.R6611);
        }
        if (holdsSaml2(samlAssertionWrapper) && !SAML2_TOKEN_TYPE.equals(tokenType)) {
            bSPEnforcer.handleBSPRule(BSPRule.R6617);
        }

        // A direct reference to a SAML 2.0 assertion must not carry a ValueType.
        if (holdsSaml2(samlAssertionWrapper) && securityTokenReference.containsReference()) {
            String referenceValueType = securityTokenReference.getReference().getValueType();
            if (!isNullOrEmpty(referenceValueType)) {
                bSPEnforcer.handleBSPRule(BSPRule.R6614);
            }
        }
    }

    /**
     * Reports BSP violations for an STR that refers to a UsernameToken.
     *
     * <p>R4215 is reported when the STR is not a direct reference; R4214 when a reference is
     * present but its ValueType is not the UsernameToken URI.
     *
     * @param securityTokenReference the STR under inspection
     * @param bSPEnforcer receiver of the rule reports
     * @throws WSSecurityException propagated from the STR accessors or the enforcer
     */
    public static void checkUsernameTokenBSPCompliance(SecurityTokenReference securityTokenReference, BSPEnforcer bSPEnforcer) throws WSSecurityException {
        if (!securityTokenReference.containsReference()) {
            bSPEnforcer.handleBSPRule(BSPRule.R4215);
        }

        // The reference is fetched again for the ValueType, exactly as the null check did.
        if (securityTokenReference.getReference() != null
                && !USERNAME_TOKEN_TYPE.equals(securityTokenReference.getReference().getValueType())) {
            bSPEnforcer.handleBSPRule(BSPRule.R4214);
        }
    }
}
