package org.apache.cxf.sts.token.validator;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.realm.CertConstraintsParser;
import org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.SignatureTrustValidator;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.content.X509Data;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:m2repo/org/apache/cxf/services/sts/cxf-services-sts-core/3.2.5-jbossorg-1/cxf-services-sts-core-3.2.5-jbossorg-1.jar:org/apache/cxf/sts/token/validator/X509TokenValidator.class */
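/**
 * Validates an X.509 certificate presented to the STS either as a
 * {@code wsse:BinarySecurityToken} (value type {@link #X509_V3_TYPE}, Base64 encoded) or as a
 * {@code ds:X509Data} DOM element.
 *
 * <p>The certificate is taken verbatim from the received (untrusted) token. Whether it is trusted
 * is decided entirely by the configured {@link Validator} (by default a
 * {@link SignatureTrustValidator}) running against the STS signature-verification {@link Crypto}
 * and the compiled subject constraints; this class only marks the token VALID when that call
 * returns normally. On any failure the token is left in state INVALID and no principal is set.
 *
 * <p>Not thread-safe with respect to the setters; configure before sharing.
 */
public class X509TokenValidator implements TokenValidator {
    /** BinarySecurityToken ValueType for an X.509 v3 certificate. */
    public static final String X509_V3_TYPE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    /** The only BinarySecurityToken EncodingType accepted by {@link #validateToken}. */
    public static final String BASE64_ENCODING =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";

    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String X509_DATA_LOCAL_NAME = "X509Data";
    private static final Logger LOG = LogUtils.getL7dLogger(X509TokenValidator.class);

    /** Establishes trust in the presented certificate; replaceable via {@link #setValidator}. */
    private Validator validator = new SignatureTrustValidator();
    /** Subject DN constraints handed to the validator through {@link RequestData}. */
    private CertConstraintsParser certConstraints = new CertConstraintsParser();

    /**
     * Sets the regular-expression constraints that the certificate subject DN must satisfy.
     *
     * @param list subject constraint patterns; passed through to {@link CertConstraintsParser}
     */
    public void setSubjectConstraints(List<String> list) {
        this.certConstraints.setSubjectConstraints(list);
    }

    /**
     * Replaces the validator that decides whether the presented certificate is trusted.
     *
     * @param validator the WSS4J validator to use instead of the default
     *                  {@link SignatureTrustValidator}
     */
    public void setValidator(Validator validator) {
        this.validator = validator;
    }

    /**
     * Realm-agnostic form of {@link #canHandleToken(ReceivedToken, String)}.
     *
     * @param receivedToken the token presented to the STS
     * @return {@code true} if this validator recognises the token shape
     */
    @Override
    public boolean canHandleToken(ReceivedToken receivedToken) {
        return canHandleToken(receivedToken, null);
    }

    /**
     * Reports whether the token is an X.509 v3 BinarySecurityToken or a {@code ds:X509Data}
     * element. The realm is not consulted.
     *
     * @param receivedToken the token presented to the STS
     * @param str           the realm (ignored)
     * @return {@code true} if this validator recognises the token shape
     */
    @Override
    public boolean canHandleToken(ReceivedToken receivedToken, String str) {
        Object token = receivedToken.getToken();
        if (token instanceof BinarySecurityTokenType) {
            return X509_V3_TYPE.equals(((BinarySecurityTokenType) token).getValueType());
        }
        if (token instanceof Element) {
            Element element = (Element) token;
            return XMLDSIG_NS.equals(element.getNamespaceURI())
                && X509_DATA_LOCAL_NAME.equals(element.getLocalName());
        }
        return false;
    }

    /**
     * Validates the X.509 token carried in the request.
     *
     * <p>The signature-verification crypto is the STS encryption crypto, falling back to the
     * signature crypto. The token starts INVALID and becomes VALID only when the configured
     * {@link Validator} accepts the credential; the response principal is the one the validator
     * returned, or else the subject of the first certificate it returned.
     *
     * @param tokenValidatorParameters STS properties, message context and the received token
     * @return a response referencing the token (state VALID or INVALID) and, when valid, the
     *         principal
     */
    @Override
    public TokenValidatorResponse validateToken(TokenValidatorParameters tokenValidatorParameters) {
        LOG.fine("Validating X.509 Token");
        STSPropertiesMBean stsProperties = tokenValidatorParameters.getStsProperties();
        Crypto sigVerCrypto = stsProperties.getEncryptionCrypto();
        if (sigVerCrypto == null) {
            sigVerCrypto = stsProperties.getSignatureCrypto();
        }

        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(sigVerCrypto);
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setCallbackHandler(stsProperties.getCallbackHandler());
        requestData.setMsgContext(tokenValidatorParameters.getMessageContext());
        requestData.setSubjectCertConstraints(this.certConstraints.getCompiledSubjectContraints());

        TokenValidatorResponse response = new TokenValidatorResponse();
        ReceivedToken validateTarget = tokenValidatorParameters.getToken();
        // Fail closed: the token is INVALID until the validator has accepted it.
        validateTarget.setState(ReceivedToken.STATE.INVALID);
        response.setToken(validateTarget);

        Optional<X509Security> parsed = toX509Security(validateTarget);
        if (!parsed.isPresent()) {
            return response;
        }
        X509Security x509Security = parsed.get();

        try {
            Credential credential = new Credential();
            credential.setBinarySecurityToken(x509Security);
            // Without a crypto the certificate cannot be decoded here; the validator decides
            // what to do with a credential that carries only the raw token.
            if (sigVerCrypto != null) {
                credential.setCertificates(
                    new X509Certificate[]{x509Security.getX509Certificate(sigVerCrypto)});
            }
            Credential returned = this.validator.validate(credential, requestData);

            Principal principal = returned.getPrincipal();
            if (principal == null) {
                X509Certificate[] certs = returned.getCertificates();
                // A custom validator may return neither a principal nor a chain; treat that as
                // a failed validation instead of letting an NPE/AIOOBE escape.
                if (certs == null || certs.length == 0 || certs[0] == null) {
                    LOG.fine("Validator returned neither a principal nor a certificate chain");
                    return response;
                }
                principal = certs[0].getSubjectX500Principal();
            }
            response.setPrincipal(principal);
            validateTarget.setState(ReceivedToken.STATE.VALID);
            LOG.fine("X.509 Token successfully validated");
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
        }
        return response;
    }

    /**
     * Converts the received token into a WSS4J {@link X509Security}.
     *
     * @param token the received token
     * @return the converted token, or empty when the token is of an unsupported shape, uses an
     *         encoding other than {@link #BASE64_ENCODING}, or cannot be parsed
     */
    private Optional<X509Security> toX509Security(ReceivedToken token) {
        if (token.isBinarySecurityToken()) {
            return fromBinarySecurityToken((BinarySecurityTokenType) token.getToken());
        }
        if (token.isDOMElement()) {
            return fromX509Data((Element) token.getToken());
        }
        return Optional.empty();
    }

    /**
     * Wraps a BinarySecurityToken as an {@link X509Security}, copying its value as a text node.
     *
     * @param bst the received BinarySecurityToken
     * @return the wrapped token, or empty when the encoding type is not Base64
     */
    private Optional<X509Security> fromBinarySecurityToken(BinarySecurityTokenType bst) {
        String encodingType = bst.getEncodingType();
        if (!BASE64_ENCODING.equals(encodingType)) {
            LOG.fine("Bad encoding type attribute specified: " + encodingType);
            return Optional.empty();
        }
        Document doc = DOMUtils.getEmptyDocument();
        X509Security x509Security = new X509Security(doc);
        x509Security.setEncodingType(encodingType);
        x509Security.setValueType(bst.getValueType());
        x509Security.getElement().appendChild(doc.createTextNode(bst.getValue()));
        return Optional.of(x509Security);
    }

    /**
     * Builds an {@link X509Security} from a {@code ds:X509Data} element, taking its first
     * certificate when one is present.
     *
     * @param x509DataElement the {@code ds:X509Data} element
     * @return the built token (possibly without a certificate when the element carries none), or
     *         empty when parsing fails
     */
    private Optional<X509Security> fromX509Data(Element x509DataElement) {
        try {
            X509Security x509Security = new X509Security(DOMUtils.getEmptyDocument());
            x509Security.setEncodingType(BASE64_ENCODING);
            X509Data x509Data = new X509Data(x509DataElement, "");
            if (x509Data.containsCertificate()) {
                x509Security.setX509Certificate(x509Data.itemCertificate(0).getX509Certificate());
            }
            return Optional.of(x509Security);
        } catch (WSSecurityException | XMLSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
            return Optional.empty();
        }
    }
}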
