package org.apache.cxf.sts.token.canceller;

import java.security.Key;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.w3c.dom.Element;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-401.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-services-sts-core-3.1.5.redhat-630401.jar:org/apache/cxf/sts/token/canceller/SCTCanceller.class */
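/**
 * Cancels a WS-SecureConversation {@code SecurityContextToken} (SCT) that the STS
 * previously issued and cached in its token store.
 *
 * <p>Before the cached entry is removed, the canceller can require the request to
 * prove possession of the secret associated with the security context: the secret
 * stored for the SCT must equal a signature key that WSS4J recovered while
 * processing the incoming request (either via the DOM or the streaming security
 * layer). Secret comparison is done in constant time so that a mismatch does not
 * leak how many leading bytes agreed.
 *
 * <p>This class holds a single mutable flag ({@link #setVerifyProofOfPossession})
 * and is otherwise stateless.
 */
public class SCTCanceller implements TokenCanceller {
    private static final Logger LOG = LogUtils.getL7dLogger(SCTCanceller.class);

    /** Namespaces of the two WS-SecureConversation versions this canceller accepts. */
    private static final String SC_NS_2005_02 = "http://schemas.xmlsoap.org/ws/2005/02/sc";
    private static final String SC_NS_200512 =
        "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
    private static final String SCT_LOCAL_NAME = "SecurityContextToken";

    /** Tag under which WSS4J stores the secret of a signature in a {@link WSSecurityEngineResult}. */
    private static final String RESULT_SECRET_TAG = "secret";

    /** WSS4J action code of a signature result (the value of {@code WSConstants.SIGN}). */
    private static final int SIGN_ACTION = 2;

    /** When true, cancelling requires the request to prove possession of the SCT secret. */
    private boolean verifyProofOfPossession = true;

    /**
     * Returns whether the received token is a DOM {@code SecurityContextToken} in one of
     * the supported WS-SecureConversation namespaces.
     *
     * @param receivedToken the token targeted by the cancel request
     * @return {@code true} if this canceller can process the token
     */
    @Override
    public boolean canHandleToken(ReceivedToken receivedToken) {
        Object token = receivedToken.getToken();
        if (!(token instanceof Element)) {
            return false;
        }
        Element element = (Element) token;
        String namespace = element.getNamespaceURI();
        boolean knownNamespace = SC_NS_2005_02.equals(namespace) || SC_NS_200512.equals(namespace);
        return knownNamespace && SCT_LOCAL_NAME.equals(element.getLocalName());
    }

    /**
     * Cancels the SCT referenced by the request.
     *
     * <p>The response always carries the received token. Its state is
     * {@code CANCELLED} only when the identifier was found in the token store,
     * proof of possession succeeded (if enabled) and the entry was removed;
     * otherwise it stays {@code NONE}. A missing token store, a missing cancel
     * target, a non-DOM token or an unparseable SCT is logged and leaves the
     * state at {@code NONE} without throwing.
     *
     * @param tokenCancellerParameters request context: the token, the token store
     *        and the WSS4J message context
     * @return the response carrying the token and its resulting state
     * @throws STSException with {@code INVALID_REQUEST} when proof of possession is
     *         required and no signature key in the request matches the cached secret
     */
    @Override
    public TokenCancellerResponse cancelToken(TokenCancellerParameters tokenCancellerParameters) {
        LOG.fine("Trying to cancel a SecurityContextToken");
        TokenCancellerResponse response = new TokenCancellerResponse();
        ReceivedToken cancelTarget = tokenCancellerParameters.getToken();

        if (tokenCancellerParameters.getTokenStore() == null) {
            LOG.log(Level.FINE, "A cache must be configured to use the SCTCanceller");
            return response;
        }
        if (cancelTarget == null) {
            LOG.log(Level.FINE, "Cancel Target is null");
            return response;
        }

        cancelTarget.setState(ReceivedToken.STATE.NONE);
        response.setToken(cancelTarget);
        if (!cancelTarget.isDOMElement()) {
            return response;
        }

        try {
            SecurityContextToken sct = new SecurityContextToken((Element) cancelTarget.getToken());
            String identifier = sct.getIdentifier();
            SecurityToken cachedToken = tokenCancellerParameters.getTokenStore().getToken(identifier);
            if (cachedToken == null) {
                LOG.fine("Identifier: " + identifier + " is not found in the cache");
                return response;
            }
            // Refuse to cancel a context whose key the requester cannot demonstrate.
            if (this.verifyProofOfPossession
                && !matchKey(tokenCancellerParameters, cachedToken.getSecret())) {
                throw new STSException(
                    "Failed to verify the proof of possession of the key associated with the "
                    + "security context. No matching key found in the request.",
                    STSException.INVALID_REQUEST);
            }
            tokenCancellerParameters.getTokenStore().remove(cachedToken.getId());
            cancelTarget.setState(ReceivedToken.STATE.CANCELLED);
            LOG.fine("SecurityContextToken successfully cancelled");
        } catch (WSSecurityException e) {
            // The SCT element could not be parsed; leave the token state at NONE.
            LOG.log(Level.WARNING, "Error parsing the SecurityContextToken to cancel", e);
        }
        return response;
    }

    /**
     * Checks whether any signature key recovered from the request equals the cached
     * SCT secret, looking first at DOM processing results and then at streaming
     * security events.
     *
     * @param tokenCancellerParameters supplies the WSS4J message context
     * @param secret the secret stored with the cached SCT; {@code null} never matches
     * @return {@code true} if a matching signature key was found
     */
    private boolean matchKey(TokenCancellerParameters tokenCancellerParameters, byte[] secret) {
        // A context without a stored secret cannot be proven; do not let a missing
        // secret on both sides count as a match.
        if (secret == null) {
            return false;
        }
        Map<String, Object> messageContext = tokenCancellerParameters.getMessageContext();
        if (messageContext == null) {
            return false;
        }
        if (matchDOMSignatureSecret(messageContext, secret)) {
            return true;
        }
        try {
            return matchStreamingSignatureSecret(messageContext, secret);
        } catch (XMLSecurityException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            return false;
        }
    }

    /**
     * Enables or disables the proof-of-possession check performed by
     * {@link #cancelToken}. Enabled by default.
     *
     * @param verify {@code true} to require proof of possession
     */
    @Override
    public void setVerifyProofOfPossession(boolean verify) {
        this.verifyProofOfPossession = verify;
    }

    /**
     * Looks for the secret among the signature results WSS4J's DOM layer stored in
     * the message context under {@link WSHandlerConstants#RECV_RESULTS}.
     *
     * @param messageContext the WSS4J message context (non-null)
     * @param secret the cached SCT secret (non-null)
     * @return {@code true} if a signature result carries an equal secret
     */
    private boolean matchDOMSignatureSecret(Map<String, Object> messageContext, byte[] secret) {
        List<WSHandlerResult> handlerResults =
            CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null || handlerResults.isEmpty()) {
            return false;
        }
        // Only the first handler result is consulted, as in the original implementation.
        List<WSSecurityEngineResult> signatureResults =
            handlerResults.get(0).getActionResults().get(SIGN_ACTION);
        if (signatureResults == null) {
            return false;
        }
        for (WSSecurityEngineResult result : signatureResults) {
            byte[] candidate = (byte[]) result.get(RESULT_SECRET_TAG);
            if (candidate != null && MessageDigest.isEqual(secret, candidate)) {
                LOG.log(Level.FINE, "Verification of the proof of possession of the key associated "
                    + "with the security context successful.");
                return true;
            }
        }
        return false;
    }

    /**
     * Looks for the secret among the keys attached to the SignedPart / SignedElement
     * events recorded by the streaming (StAX) security layer.
     *
     * @param messageContext the WSS4J message context (non-null)
     * @param secret the cached SCT secret (non-null)
     * @return {@code true} if a signing {@link SecretKey} has an equal encoding
     * @throws XMLSecurityException if a security token's keys cannot be retrieved
     */
    private boolean matchStreamingSignatureSecret(Map<String, Object> messageContext, byte[] secret)
        throws XMLSecurityException {
        List<SecurityEvent> events =
            CastUtils.cast((List<?>) messageContext.get(SecurityEvent.class.getName() + ".in"));
        if (events == null) {
            return false;
        }
        for (SecurityEvent event : events) {
            boolean signedContent = WSSecurityEventConstants.SIGNED_PART == event.getSecurityEventType()
                || WSSecurityEventConstants.SignedElement == event.getSecurityEventType();
            if (!signedContent) {
                continue;
            }
            org.apache.xml.security.stax.securityToken.SecurityToken signingToken =
                ((AbstractSecuredElementSecurityEvent) event).getSecurityToken();
            if (signingToken == null) {
                continue;
            }
            Map<String, Key> keys = signingToken.getSecretKey();
            if (keys == null) {
                continue;
            }
            for (Key key : keys.values()) {
                if (!(key instanceof SecretKey)) {
                    continue;
                }
                byte[] encoded = ((SecretKey) key).getEncoded();
                if (encoded != null && MessageDigest.isEqual(secret, encoded)) {
                    LOG.log(Level.FINE, "Verification of the proof of possession of the key associated "
                        + "with the security context successful.");
                    return true;
                }
            }
        }
        return false;
    }
}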
