package org.apache.cxf.ws.security.trust;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.commons.codec.binary.Base64;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.binding.wss10.AttributedString;
import org.apache.wss4j.binding.wss10.BinarySecurityTokenType;
import org.apache.wss4j.binding.wss10.EncodedString;
import org.apache.wss4j.binding.wss10.PasswordString;
import org.apache.wss4j.binding.wss10.UsernameTokenType;
import org.apache.wss4j.binding.wsu10.AttributedDateTime;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.message.token.BinarySecurity;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.message.token.PKIPathSecurity;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.dom.message.token.X509Security;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.X509PKIPathv1SecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.X509V3SecurityTokenImpl;
import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
import org.apache.wss4j.stax.securityToken.UsernameSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.validate.BinarySecurityTokenValidator;
import org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl;
import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
import org.apache.wss4j.stax.validate.TokenContext;
import org.apache.wss4j.stax.validate.UsernameTokenValidator;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.XMLSecurityUtils;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-177.zip:modules/system/layers/fuse/org/apache/cxf/3.0/cxf-rt-ws-security-3.0.4.redhat-621177.jar:org/apache/cxf/ws/security/trust/STSStaxTokenValidator.class */
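/**
 * StAX-side token validator that defers to a WS-Trust Security Token Service (STS).
 *
 * <p>Three token kinds are handled: SAML assertions (via {@link SamlTokenValidatorImpl}),
 * BinarySecurityTokens (X.509 v3, X.509 PKIPath v1 and Kerberos AP-REQ) and UsernameTokens.
 * The policy is the same for all of them: when {@code alwaysValidateToSts} is set the token
 * is sent to the STS up front and local verification is skipped; otherwise the token is
 * verified locally first and only sent to the STS when local verification fails.</p>
 *
 * <p>The STS client is obtained per message through {@code STSUtils.getClient(message, "sts")};
 * any failure of the STS round-trip surfaces as {@code FAILED_AUTHENTICATION}.</p>
 */
public class STSStaxTokenValidator extends SamlTokenValidatorImpl implements BinarySecurityTokenValidator, UsernameTokenValidator {

    /** Only Base64-encoded BinarySecurityTokens (and digest nonces) are accepted. */
    private static final String BASE64_ENCODING =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    /** BinarySecurityToken ValueType URIs this validator understands. */
    private static final String X509_V3 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String X509_PKI_PATH_V1 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";
    private static final String KERBEROS_AP_REQ =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";

    /** When true every token goes to the STS immediately and local verification is bypassed. */
    private final boolean alwaysValidateToSts;

    /**
     * BinarySecurityToken validator with the same STS-first / STS-fallback policy as the
     * enclosing class. Kept as a separate class because the enclosing class already extends
     * {@link SamlTokenValidatorImpl} and needs the {@link BinarySecurityTokenValidatorImpl}
     * behaviour (crypto lookup etc.) from a second base class.
     */
    private static class STSStaxBSTValidator extends BinarySecurityTokenValidatorImpl {
        private final boolean alwaysValidateToSts;

        /**
         * @param alwaysValidateToSts see {@link STSStaxTokenValidator#alwaysValidateToSts}
         */
        public STSStaxBSTValidator(boolean alwaysValidateToSts) {
            this.alwaysValidateToSts = alwaysValidateToSts;
        }

        /**
         * Builds the inbound token for a BinarySecurityToken and wires the STS policy into
         * its {@code verify()} method.
         *
         * @throws WSSecurityException with {@code INVALID_SECURITY_TOKEN} when the encoding is
         *         not Base64, the ValueType is not one of the three supported URIs, or the
         *         token implementation cannot be constructed; with {@code FAILED_AUTHENTICATION}
         *         when eager STS validation is enabled and the STS rejects the token
         */
        @Override // org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl, org.apache.wss4j.stax.validate.BinarySecurityTokenValidator
        public InboundSecurityToken validate(final BinarySecurityTokenType binarySecurityTokenType, TokenContext tokenContext) throws WSSecurityException {
            if (!BASE64_ENCODING.equals(binarySecurityTokenType.getEncodingType())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badEncoding", binarySecurityTokenType.getEncodingType());
            }
            // Reject unknown ValueTypes before any DOM conversion or STS round-trip: previously an
            // unknown type reached convertToDOM() on the eager-STS path and failed with an NPE.
            final String valueType = binarySecurityTokenType.getValueType();
            if (!X509_V3.equals(valueType) && !X509_PKI_PATH_V1.equals(valueType) && !KERBEROS_AP_REQ.equals(valueType)) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidValueType", valueType);
            }

            final byte[] tokenBytes = Base64.decodeBase64(binarySecurityTokenType.getValue());
            final SoapMessage soapMessage = (SoapMessage) tokenContext.getWssSecurityProperties().getMsgContext();

            // Eager mode: the STS vouches for the token now; verify() below then becomes a no-op.
            // A rejection propagates as FAILED_AUTHENTICATION before any token object is built.
            final boolean validatedByEagerSts = this.alwaysValidateToSts;
            if (validatedByEagerSts) {
                STSStaxTokenValidator.validateTokenToSTS(convertToDOM(binarySecurityTokenType, tokenBytes), soapMessage);
            }

            try {
                if (X509_V3.equals(valueType)) {
                    X509V3SecurityTokenImpl token = new X509V3SecurityTokenImpl(
                            tokenContext.getWsSecurityContext(),
                            getCrypto(tokenContext.getWssSecurityProperties()),
                            tokenContext.getWssSecurityProperties().getCallbackHandler(),
                            tokenBytes,
                            binarySecurityTokenType.getId(),
                            tokenContext.getWssSecurityProperties()) {
                        /** Skip if the STS already vouched; otherwise verify locally, falling back to the STS. */
                        @Override // org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl, org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken, org.apache.xml.security.stax.securityToken.InboundSecurityToken
                        public void verify() throws XMLSecurityException {
                            if (validatedByEagerSts) {
                                return;
                            }
                            try {
                                super.verify();
                            } catch (XMLSecurityException localFailure) {
                                // Local trust/chain verification failed; let the STS decide instead.
                                STSStaxTokenValidator.validateTokenToSTS(STSStaxBSTValidator.this.convertToDOM(binarySecurityTokenType, tokenBytes), soapMessage);
                            }
                        }
                    };
                    token.setElementPath(tokenContext.getElementPath());
                    token.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
                    return token;
                }

                if (X509_PKI_PATH_V1.equals(valueType)) {
                    X509PKIPathv1SecurityTokenImpl token = new X509PKIPathv1SecurityTokenImpl(
                            tokenContext.getWsSecurityContext(),
                            getCrypto(tokenContext.getWssSecurityProperties()),
                            tokenContext.getWssSecurityProperties().getCallbackHandler(),
                            tokenBytes,
                            binarySecurityTokenType.getId(),
                            WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference,
                            tokenContext.getWssSecurityProperties()) {
                        /** Skip if the STS already vouched; otherwise verify locally, falling back to the STS. */
                        @Override // org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl, org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken, org.apache.xml.security.stax.securityToken.InboundSecurityToken
                        public void verify() throws XMLSecurityException {
                            if (validatedByEagerSts) {
                                return;
                            }
                            try {
                                super.verify();
                            } catch (XMLSecurityException localFailure) {
                                STSStaxTokenValidator.validateTokenToSTS(STSStaxBSTValidator.this.convertToDOM(binarySecurityTokenType, tokenBytes), soapMessage);
                            }
                        }
                    };
                    token.setElementPath(tokenContext.getElementPath());
                    token.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
                    return token;
                }

                // Only KERBEROS_AP_REQ remains after the ValueType guard above.
                KerberosServiceSecurityTokenImpl token = new KerberosServiceSecurityTokenImpl(
                        tokenContext.getWsSecurityContext(),
                        tokenContext.getWssSecurityProperties().getCallbackHandler(),
                        tokenBytes,
                        valueType,
                        binarySecurityTokenType.getId(),
                        WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference) {
                    /** Skip if the STS already vouched; otherwise verify locally, falling back to the STS. */
                    @Override // org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken, org.apache.xml.security.stax.securityToken.InboundSecurityToken
                    public void verify() throws XMLSecurityException {
                        if (validatedByEagerSts) {
                            return;
                        }
                        try {
                            super.verify();
                        } catch (XMLSecurityException localFailure) {
                            STSStaxTokenValidator.validateTokenToSTS(STSStaxBSTValidator.this.convertToDOM(binarySecurityTokenType, tokenBytes), soapMessage);
                        }
                    }
                };
                token.setElementPath(tokenContext.getElementPath());
                token.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
                return token;
            } catch (XMLSecurityException e) {
                // Token construction failures are reported uniformly as an invalid token, cause kept.
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
            }
        }

        /**
         * Rebuilds the StAX BinarySecurityToken as a DOM {@code wsse:BinarySecurityToken}
         * element so it can be sent to the STS.
         *
         * @param binarySecurityTokenType the parsed StAX token (id, encoding type, value type)
         * @param tokenBytes the Base64-decoded token value
         * @return the DOM element carrying the same id, encoding, value type and bytes
         * @throws WSSecurityException with {@code INVALID_SECURITY_TOKEN} when the ValueType is
         *         none of X.509 v3, X.509 PKIPath v1 or Kerberos AP-REQ (previously an NPE)
         */
        /* JADX INFO: Access modifiers changed from: private */
        public Element convertToDOM(BinarySecurityTokenType binarySecurityTokenType, byte[] tokenBytes) throws WSSecurityException {
            Document doc = DOMUtils.newDocument();
            String valueType = binarySecurityTokenType.getValueType();
            BinarySecurity binarySecurity;
            if (X509_V3.equals(valueType)) {
                binarySecurity = new X509Security(doc);
            } else if (X509_PKI_PATH_V1.equals(valueType)) {
                binarySecurity = new PKIPathSecurity(doc);
            } else if (KERBEROS_AP_REQ.equals(valueType)) {
                binarySecurity = new KerberosSecurity(doc);
            } else {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidValueType", valueType);
            }
            binarySecurity.addWSSENamespace();
            binarySecurity.addWSUNamespace();
            binarySecurity.setEncodingType(binarySecurityTokenType.getEncodingType());
            binarySecurity.setValueType(valueType);
            binarySecurity.setID(binarySecurityTokenType.getId());
            binarySecurity.setToken(tokenBytes);
            return binarySecurity.getElement();
        }
    }

    /** Creates a validator that verifies locally first and only falls back to the STS on failure. */
    public STSStaxTokenValidator() {
        this.alwaysValidateToSts = false;
    }

    /**
     * @param alwaysValidateToSts when true every token is sent to the STS immediately and local
     *        verification is skipped; when false the STS is only consulted after a local failure
     */
    public STSStaxTokenValidator(boolean alwaysValidateToSts) {
        this.alwaysValidateToSts = alwaysValidateToSts;
    }

    /**
     * Validates a SAML assertion: conditions, one-time-use replay check and the base-class
     * assertion validation run first, then the STS policy is applied to the assertion's
     * signature verification via the returned token's {@code verify()}.
     *
     * @throws WSSecurityException from the base-class checks, or {@code FAILED_AUTHENTICATION}
     *         when eager STS validation is enabled and the STS rejects the assertion
     */
    @Override // org.apache.wss4j.stax.validate.SamlTokenValidatorImpl, org.apache.wss4j.stax.validate.SamlTokenValidator
    public <T extends SamlSecurityToken & InboundSecurityToken> T validate(SamlAssertionWrapper samlAssertionWrapper, InboundSecurityToken inboundSecurityToken, TokenContext tokenContext) throws WSSecurityException {
        checkConditions(samlAssertionWrapper);
        checkOneTimeUse(samlAssertionWrapper, tokenContext.getWssSecurityProperties().getSamlOneTimeUseReplayCache());
        validateAssertion(samlAssertionWrapper);

        // Signature verification crypto is only needed for signed assertions.
        Crypto crypto = samlAssertionWrapper.isSigned()
            ? tokenContext.getWssSecurityProperties().getSignatureVerificationCrypto()
            : null;

        final SoapMessage soapMessage = (SoapMessage) tokenContext.getWssSecurityProperties().getMsgContext();
        final boolean validatedByEagerSts = this.alwaysValidateToSts;
        if (validatedByEagerSts) {
            validateTokenToSTS(samlAssertionWrapper.getElement(), soapMessage);
        }

        SamlSecurityTokenImpl token = new SamlSecurityTokenImpl(
                samlAssertionWrapper,
                inboundSecurityToken,
                tokenContext.getWsSecurityContext(),
                crypto,
                WSSecurityTokenConstants.KeyIdentifier_NoKeyInfo,
                tokenContext.getWssSecurityProperties()) {
            /** Skip if the STS already vouched; otherwise verify locally, falling back to the STS. */
            @Override // org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl, org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken, org.apache.xml.security.stax.securityToken.InboundSecurityToken
            public void verify() throws XMLSecurityException {
                if (validatedByEagerSts) {
                    return;
                }
                try {
                    super.verify();
                } catch (XMLSecurityException localFailure) {
                    STSStaxTokenValidator.validateTokenToSTS(getSamlAssertionWrapper().getElement(), soapMessage);
                }
            }
        };
        token.setElementPath(tokenContext.getElementPath());
        token.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());

        @SuppressWarnings("unchecked") // SamlSecurityTokenImpl satisfies both bounds of T
        T result = (T) token;
        return result;
    }

    /**
     * Delegates BinarySecurityToken validation to {@link STSStaxBSTValidator} configured with
     * this validator's STS policy.
     */
    @Override // org.apache.wss4j.stax.validate.BinarySecurityTokenValidator
    public InboundSecurityToken validate(BinarySecurityTokenType binarySecurityTokenType, TokenContext tokenContext) throws WSSecurityException {
        return new STSStaxBSTValidator(this.alwaysValidateToSts).validate(binarySecurityTokenType, tokenContext);
    }

    /**
     * Validates a UsernameToken. Structural checks (salt/iteration consistency, required
     * password type, presence of a username) are always enforced locally; the password itself
     * is then checked either by the STS (eager mode) or locally with STS fallback.
     *
     * @throws WSSecurityException {@code INVALID_SECURITY_TOKEN} for malformed tokens,
     *         {@code UNSUPPORTED_SECURITY_TOKEN} for a non-Base64 nonce on a digest token,
     *         {@code FAILED_AUTHENTICATION} when the required password type does not match,
     *         when the password-derived-key callback fails, or when the STS rejects the token
     */
    @Override // org.apache.wss4j.stax.validate.UsernameTokenValidator
    public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType usernameTokenType, TokenContext tokenContext) throws WSSecurityException {
        byte[] salt = (byte[]) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Salt);
        PasswordString passwordString = (PasswordString) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse_Password);
        Long iteration = (Long) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse11_Iteration);

        // A key-derivation token (salt present) must carry an iteration count and no password.
        if (salt != null && (passwordString != null || iteration == null)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01", new Object[0]);
        }

        boolean handleCustomPasswordTypes = tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
        boolean allowNoPassword = tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword()
            || Boolean.parseBoolean((String) tokenContext.getWsSecurityContext().get(WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));

        // When a specific password type is configured, the token must declare exactly that type.
        WSSConstants.UsernameTokenPasswordType requiredPasswordType = tokenContext.getWssSecurityProperties().getUsernameTokenPasswordType();
        if (requiredPasswordType != null) {
            if (passwordString == null || passwordString.getType() == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            if (requiredPasswordType != WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordString.getType())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
        }

        WSSConstants.UsernameTokenPasswordType passwordType = WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
        if (passwordString != null && passwordString.getType() != null) {
            passwordType = WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordString.getType());
        }

        AttributedString username = usernameTokenType.getUsername();
        if (username == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01", new Object[0]);
        }

        EncodedString nonce = (EncodedString) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsse_Nonce);
        byte[] nonceBytes = null;
        if (nonce != null && nonce.getValue() != null) {
            nonceBytes = Base64.decodeBase64(nonce.getValue());
        }
        AttributedDateTime createdElement = (AttributedDateTime) XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_wsu_Created);
        String created = createdElement != null ? createdElement.getValue() : null;

        SoapMessage soapMessage = (SoapMessage) tokenContext.getWssSecurityProperties().getMsgContext();
        if (this.alwaysValidateToSts) {
            // Eager mode: the STS is the sole authority for the password; nothing is checked locally.
            validateTokenToSTS(usernameTokenToDOM(username, passwordString, usernameTokenType.getId()), soapMessage);
        } else {
            try {
                if (passwordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
                    // A digest needs both nonce and created timestamp, and the nonce must be Base64.
                    if (nonce == null || createdElement == null) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01", new Object[0]);
                    }
                    if (!BASE64_ENCODING.equals(nonce.getEncodingType())) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, "badTokenType01", new Object[0]);
                    }
                    verifyDigestPassword(username.getValue(), passwordString, nonceBytes, created, tokenContext);
                } else if (passwordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT
                        || (passwordString != null && passwordString.getValue() != null
                            && passwordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE)) {
                    // Explicit text password, or an untyped password element carrying a value.
                    verifyPlaintextPassword(username.getValue(), passwordString, tokenContext);
                } else if (passwordString == null || passwordString.getValue() == null) {
                    // No password at all: only acceptable when explicitly allowed by configuration.
                    if (!allowNoPassword) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
                    }
                } else {
                    // Custom (non-standard) password type: treated as plaintext only when enabled.
                    if (!handleCustomPasswordTypes) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
                    }
                    verifyPlaintextPassword(username.getValue(), passwordString, tokenContext);
                }
            } catch (WSSecurityException localFailure) {
                // Local verification failed; the STS gets the final say.
                validateTokenToSTS(usernameTokenToDOM(username, passwordString, usernameTokenType.getId()), soapMessage);
            }
        }

        // Password to carry on the resulting token: after local verification the password element
        // holds the callback-supplied plaintext; a salted token obtains it from the callback instead.
        String password;
        if (passwordString != null) {
            password = passwordString.getValue();
        } else if (salt != null) {
            WSPasswordCallback callback = new WSPasswordCallback(username.getValue(), WSPasswordCallback.USERNAME_TOKEN);
            try {
                WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), callback);
                password = callback.getPassword();
            } catch (WSSecurityException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
            }
        } else {
            password = null;
        }

        UsernameSecurityTokenImpl token = new UsernameSecurityTokenImpl(
                passwordType,
                username.getValue(),
                password,
                created,
                nonceBytes,
                salt,
                iteration,
                tokenContext.getWsSecurityContext(),
                usernameTokenType.getId(),
                WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
        token.setElementPath(tokenContext.getElementPath());
        token.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());

        @SuppressWarnings("unchecked") // UsernameSecurityTokenImpl satisfies both bounds of T
        T result = (T) token;
        return result;
    }

    /**
     * Null-safe bridge from the StAX UsernameToken parts to the DOM form sent to the STS.
     * The password element is optional, so its value and type are read only when present
     * (previously a password-less token dereferenced {@code null} here).
     *
     * NOTE(review): for a password-less token this passes a null type/value to
     * {@link UsernameToken}; confirm wss4j builds a token without a password element in that case.
     */
    private Element usernameTokenToDOM(AttributedString username, PasswordString passwordString, String id) {
        String passwordValue = passwordString != null ? passwordString.getValue() : null;
        String passwordTypeUri = passwordString != null ? passwordString.getType() : null;
        return convertToDOM(username.getValue(), passwordValue, passwordTypeUri, id);
    }

    /**
     * Verifies a PasswordDigest against the password obtained from the callback handler and,
     * on success, replaces the digest in {@code passwordString} with that plaintext so the
     * resulting security token carries the real password.
     *
     * @param username the token's username, passed to the callback
     * @param passwordString the password element; its value is the received digest
     * @param nonce the decoded nonce, or null
     * @param created the wsu:Created value, or null
     * @throws WSSecurityException {@code FAILED_AUTHENTICATION} when the callback yields no
     *         password, the digest does not match, or the callback itself fails
     */
    private void verifyDigestPassword(String username, PasswordString passwordString, byte[] nonce, String created, TokenContext tokenContext) throws WSSecurityException {
        WSPasswordCallback callback = new WSPasswordCallback(username, null, passwordString.getType(), WSPasswordCallback.USERNAME_TOKEN);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), callback);
            String expectedPassword = callback.getPassword();
            if (expectedPassword == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            String expectedDigest = WSSUtils.doPasswordDigest(nonce, created, expectedPassword);
            if (!constantTimeEquals(expectedDigest, passwordString.getValue())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            passwordString.setValue(expectedPassword);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    /**
     * Verifies a plaintext (or custom-typed) password against the callback handler's
     * password and, on success, normalises {@code passwordString} to that value.
     *
     * @throws WSSecurityException {@code FAILED_AUTHENTICATION} when the callback yields no
     *         password, the values differ, or the callback itself fails
     */
    private void verifyPlaintextPassword(String username, PasswordString passwordString, TokenContext tokenContext) throws WSSecurityException {
        WSPasswordCallback callback = new WSPasswordCallback(username, null, passwordString.getType(), WSPasswordCallback.USERNAME_TOKEN);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), callback);
            String expectedPassword = callback.getPassword();
            if (expectedPassword == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            if (!constantTimeEquals(expectedPassword, passwordString.getValue())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
            passwordString.setValue(expectedPassword);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
    }

    /**
     * Compares a secret-derived string with a received one without leaking the position of the
     * first mismatch through timing. A null on either side is simply a mismatch (the original
     * {@code String.equals} dereferenced the received value and could NPE).
     */
    private static boolean constantTimeEquals(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                received.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Builds a DOM {@code wsse:UsernameToken} for submission to the STS.
     *
     * @param username the wsse:Username value
     * @param password the password value (digest or plaintext, as received)
     * @param passwordType the password Type URI
     * @param id the wsu:Id of the token
     */
    private Element convertToDOM(String username, String password, String passwordType, String id) {
        UsernameToken usernameToken = new UsernameToken(true, DOMUtils.newDocument(), passwordType);
        usernameToken.setName(username);
        usernameToken.setPassword(password);
        usernameToken.setID(id);
        usernameToken.addWSSENamespace();
        usernameToken.addWSUNamespace();
        return usernameToken.getElement();
    }

    /**
     * Sends a token to the STS configured for the current message (client name {@code "sts"})
     * for validation.
     *
     * @param element the token as a DOM element
     * @param soapMessage the inbound message the STS client is resolved from
     * @throws WSSecurityException {@code FAILED_AUTHENTICATION} wrapping whatever the STS
     *         client threw (rejection, transport failure, misconfiguration)
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void validateTokenToSTS(Element element, SoapMessage soapMessage) throws WSSecurityException {
        SecurityToken securityToken = new SecurityToken();
        securityToken.setToken(element);
        STSClient client = STSUtils.getClient(soapMessage, "sts");
        // The STSClient is shared per message/bus, so calls into it are serialised.
        synchronized (client) {
            // JVM-wide property set before every call; its consumer is not visible in this
            // file — TODO confirm it is still required by the STS client.
            System.setProperty("noprint", "true");
            try {
                client.validateSecurityToken(securityToken);
            } catch (Exception e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
            }
        }
    }
}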
