package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.str.STRParser;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.X509Token;
import org.opensaml.soap.wssecurity.KeyIdentifier;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-356-01.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-ws-security-3.1.5.redhat-630356-01.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.class */
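/**
 * Validates a received X.509 token against a WS-SecurityPolicy {@code X509Token} assertion.
 *
 * <p>The validator asserts the token assertion and its nested reference-type assertions, then,
 * when the policy requires the token to be present, checks that a processed
 * BinarySecurityToken (or a KeyIdentifier reference in a signed result) carries the ValueType
 * and certificate version the policy's {@code TokenType} demands.
 *
 * <p>This class only checks the <em>type</em> of the received token against the policy; it does
 * not itself verify certificate trust or signatures.
 */
public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
    private static final Logger LOG = LogUtils.getL7dLogger(X509TokenPolicyValidator.class);

    /** ValueType URI of a token carrying a single X.509 v3 certificate. */
    private static final String X509_V3_VALUETYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    /** ValueType URI of a token carrying an X.509 PKIPath (certificate chain). */
    private static final String PKI_VALUETYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";
    /** XML Digital Signature namespace, used to locate {@code ds:KeyInfo}. */
    private static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** WS-Security secext namespace, used to locate {@code wsse:SecurityTokenReference} and {@code wsse:KeyIdentifier}. */
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Action code under which WSS4J records processed BinarySecurityTokens (WSConstants.BST). */
    private static final int BST_ACTION = 4096;
    /** {@link X509Certificate#getVersion()} value for an X.509 v3 certificate. */
    private static final int X509_VERSION_3 = 3;

    /**
     * Returns {@code true} if the assertion is an {@code X509Token} assertion in either the
     * SP 1.1 or SP 1.2 namespace.
     *
     * @param assertionInfo the assertion to inspect; its assertion may be {@code null}
     */
    @Override
    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
        if (assertionInfo.getAssertion() == null) {
            return false;
        }
        QName name = assertionInfo.getAssertion().getName();
        return SP12Constants.X509_TOKEN.equals(name) || SP11Constants.X509_TOKEN.equals(name);
    }

    /**
     * Validates every {@code X509Token} assertion in {@code collection} against the security
     * results held in {@code policyValidatorParameters}.
     *
     * <p>Each assertion is first marked as asserted (together with its nested assertions, see
     * {@link #assertToken}); it is then marked as not asserted when the policy requires the token
     * but no BinarySecurityToken or signed result was received, or when none of the received
     * tokens has the required type.
     *
     * @param policyValidatorParameters the message, results and assertion map for this exchange
     * @param collection the {@code X509Token} assertions to validate
     */
    @Override
    public void validatePolicies(PolicyValidatorParameters policyValidatorParameters,
                                 Collection<AssertionInfo> collection) {
        List<WSSecurityEngineResult> bstResults =
            policyValidatorParameters.getResults().getActionResults().get(BST_ACTION);
        List<WSSecurityEngineResult> signedResults = policyValidatorParameters.getSignedResults();

        for (AssertionInfo assertionInfo : collection) {
            X509Token x509Token = (X509Token) assertionInfo.getAssertion();
            // Asserted provisionally; the checks below may revoke this.
            assertionInfo.setAsserted(true);
            assertToken(x509Token, policyValidatorParameters.getAssertionInfoMap());

            if (!isTokenRequired(x509Token, policyValidatorParameters.getMessage())) {
                continue;
            }
            if (isEmpty(bstResults) && signedResults.isEmpty()) {
                assertionInfo.setNotAsserted(
                    "The received token does not match the token inclusion requirement");
            } else if (!checkTokenType(x509Token.getTokenType(), bstResults, signedResults)) {
                assertionInfo.setNotAsserted("An incorrect X.509 Token Type is detected");
            }
        }
    }

    /**
     * Records the nested reference-type assertions ({@code RequireIssuerSerialReference},
     * {@code RequireThumbprintReference}, {@code RequireEmbeddedTokenReference},
     * {@code RequireKeyIdentifierReference}) and the token-type assertion of {@code x509Token}
     * as asserted in {@code assertionInfoMap}.
     *
     * @param x509Token the policy assertion whose nested assertions are to be asserted
     * @param assertionInfoMap the map in which the nested assertions are recorded
     */
    private void assertToken(X509Token x509Token, AssertionInfoMap assertionInfoMap) {
        // Nested assertions share the namespace of the enclosing X509Token assertion.
        String namespace = x509Token.getName().getNamespaceURI();
        if (x509Token.isRequireIssuerSerialReference()) {
            PolicyUtils.assertPolicy(assertionInfoMap,
                new QName(namespace, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE));
        }
        if (x509Token.isRequireThumbprintReference()) {
            PolicyUtils.assertPolicy(assertionInfoMap,
                new QName(namespace, SPConstants.REQUIRE_THUMBPRINT_REFERENCE));
        }
        if (x509Token.isRequireEmbeddedTokenReference()) {
            PolicyUtils.assertPolicy(assertionInfoMap,
                new QName(namespace, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE));
        }
        if (x509Token.isRequireKeyIdentifierReference()) {
            PolicyUtils.assertPolicy(assertionInfoMap,
                new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
        }
        X509Token.TokenType tokenType = x509Token.getTokenType();
        if (tokenType != null) {
            PolicyUtils.assertPolicy(assertionInfoMap, new QName(namespace, tokenType.name()));
        }
    }

    /**
     * Checks whether a received token satisfies the policy's {@code TokenType}.
     *
     * <p>PKIPath token types require a BinarySecurityToken with the PKIPath ValueType. V3 token
     * types require a BinarySecurityToken with the X509v3 ValueType whose certificate (if it
     * parses as one) is version 3, or a KeyIdentifier reference in a signed result that resolves
     * to a version-3 certificate. Any other (or absent) token type is satisfied by a
     * BinarySecurityToken with the X509v3 ValueType or by such a KeyIdentifier reference.
     *
     * @param tokenType the policy's token type; may be {@code null}
     * @param bstResults processed BinarySecurityToken results; may be {@code null}
     * @param signedResults results for signed elements, searched for KeyIdentifier references
     * @return {@code true} if some received token has the required type
     */
    private boolean checkTokenType(X509Token.TokenType tokenType,
                                   List<WSSecurityEngineResult> bstResults,
                                   List<WSSecurityEngineResult> signedResults) {
        if (isEmpty(bstResults) && signedResults.isEmpty()) {
            return false;
        }

        String requiredValueType = X509_V3_VALUETYPE;
        boolean requireV3Certificate = false;
        if (tokenType == X509Token.TokenType.WssX509PkiPathV1Token10
            || tokenType == X509Token.TokenType.WssX509PkiPathV1Token11) {
            requiredValueType = PKI_VALUETYPE;
        } else if (tokenType == X509Token.TokenType.WssX509V3Token10
            || tokenType == X509Token.TokenType.WssX509V3Token11) {
            requireV3Certificate = true;
        }

        if (matchesBinarySecurityToken(requiredValueType, requireV3Certificate, bstResults)) {
            return true;
        }
        // A KeyIdentifier reference only ever stands in for a single X509v3 certificate, so a
        // PKIPath policy can only be satisfied by a BinarySecurityToken.
        return X509_V3_VALUETYPE.equals(requiredValueType)
            && matchesKeyIdentifierReference(signedResults);
    }

    /**
     * Returns {@code true} if any BinarySecurityToken in {@code bstResults} carries
     * {@code requiredValueType} and, when {@code requireV3Certificate} is set and the token is an
     * {@link X509Security}, its certificate is version 3.
     */
    private boolean matchesBinarySecurityToken(String requiredValueType,
                                               boolean requireV3Certificate,
                                               List<WSSecurityEngineResult> bstResults) {
        if (bstResults == null) {
            return false;
        }
        for (WSSecurityEngineResult result : bstResults) {
            BinarySecurity token =
                (BinarySecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (token == null || !requiredValueType.equals(token.getValueType())) {
                continue;
            }
            // Only an X509Security token can be inspected for its certificate version; any
            // other BinarySecurity with the right ValueType is accepted on ValueType alone.
            if (!requireV3Certificate || !(token instanceof X509Security)) {
                return true;
            }
            if (isV3Certificate((X509Security) token)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} if any signed result references its token via a
     * {@code wsse:KeyIdentifier} with the X509v3 ValueType that resolves to a version-3
     * certificate.
     */
    private boolean matchesKeyIdentifierReference(List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult result : signedResults) {
            STRParser.REFERENCE_TYPE referenceType =
                (STRParser.REFERENCE_TYPE) result.get(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE);
            if (referenceType != STRParser.REFERENCE_TYPE.KEY_IDENTIFIER) {
                continue;
            }
            Element keyIdentifier =
                getKeyIdentifier((Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT));
            if (keyIdentifier == null
                || !X509_V3_VALUETYPE.equals(keyIdentifier.getAttributeNS(null, "ValueType"))) {
                continue;
            }
            try {
                // The element has already been processed by the WSS4J engine; it is re-parsed
                // here only to read the certificate version. BSPEnforcer(true) presumably
                // disables BSP rule enforcement for that re-parse — confirm against WSS4J.
                X509Security token = new X509Security(keyIdentifier, new BSPEnforcer(true));
                if (isV3Certificate(token)) {
                    return true;
                }
            } catch (WSSecurityException ex) {
                LOG.log(Level.FINE, ex.getMessage(), ex);
            }
        }
        return false;
    }

    /**
     * Returns {@code true} if {@code token} yields a certificate whose version is 3.
     * A token that cannot be turned into a certificate is logged at FINE and treated as not v3.
     */
    private boolean isV3Certificate(X509Security token) {
        try {
            X509Certificate certificate = token.getX509Certificate(null);
            return certificate != null && certificate.getVersion() == X509_VERSION_3;
        } catch (WSSecurityException ex) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
            return false;
        }
    }

    /**
     * Locates the {@code wsse:KeyIdentifier} under
     * {@code tokenElement/ds:KeyInfo/wsse:SecurityTokenReference}.
     *
     * @param tokenElement the signed element's token element; may be {@code null}
     * @return the KeyIdentifier element, or {@code null} if any step of the path is missing
     */
    private Element getKeyIdentifier(Element tokenElement) {
        if (tokenElement == null) {
            return null;
        }
        Element keyInfo = XMLUtils.getDirectChildElement(tokenElement, "KeyInfo", SIG_NS);
        if (keyInfo == null) {
            return null;
        }
        Element securityTokenReference =
            XMLUtils.getDirectChildElement(keyInfo, "SecurityTokenReference", WSSE_NS);
        if (securityTokenReference == null) {
            return null;
        }
        return XMLUtils.getDirectChildElement(
            securityTokenReference, KeyIdentifier.ELEMENT_LOCAL_NAME, WSSE_NS);
    }

    /** Null-safe emptiness check for result lists, which WSS4J may leave as {@code null}. */
    private static boolean isEmpty(List<?> results) {
        return results == null || results.isEmpty();
    }
}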
