package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.EncryptionToken;
import org.apache.cxf.ws.security.policy.model.ProtectionToken;
import org.apache.cxf.ws.security.policy.model.SignatureToken;
import org.apache.cxf.ws.security.policy.model.SymmetricAsymmetricBindingBase;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.TokenWrapper;
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.neethi.Assertion;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;

/* loaded from: input_file:tomee.zip:lib/cxf-rt-ws-security-2.6.14.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.class */
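/**
 * Shared validation logic for the symmetric/asymmetric binding policy validators.
 *
 * <p>Every check here works on the {@link WSSecurityEngineResult} list produced by WSS4J for the
 * inbound message and answers one question about the binding assertion: was a Timestamp present
 * and signed, were only entire headers/body signed, was the protection order respected, were
 * derived keys used where required, was the signing token itself covered by the signature, and
 * was the primary signature encrypted. Each method returns {@code false} to reject the message
 * and (where an {@link AssertionInfo} is passed) records the reason with
 * {@link AssertionInfo#setNotAsserted(String)}.
 *
 * <p>All checks fail closed: a result that lacks the data needed to prove a property is treated
 * as not satisfying it rather than being skipped.
 */
public abstract class AbstractBindingPolicyValidator implements BindingPolicyValidator {
    private static final QName SIG_QNAME = new QName("http://www.w3.org/2000/09/xmldsig#", "Signature");

    /** Namespace of the {@code wsu:Id} attribute that encrypted elements are matched on. */
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // WSS4J action codes as stored under WSSecurityEngineResult.TAG_ACTION. The decompiler
    // inlined the numeric values; they correspond to WSConstants.SIGN / ENCR / ST_UNSIGNED /
    // ST_SIGNED / TS / SC in WSS4J 1.6 — confirm against the WSConstants on the classpath.
    private static final int ACTION_SIGN = 2;
    private static final int ACTION_ENCR = 4;
    private static final int ACTION_ST_UNSIGNED = 8;
    private static final int ACTION_ST_SIGNED = 16;
    private static final int ACTION_TS = 32;
    private static final int ACTION_SC = 128;

    /**
     * Validates the Timestamp of the received message against the binding's
     * {@code IncludeTimestamp} requirement.
     *
     * <p>Rules: when a Timestamp is not required, none may be present. When it is required,
     * exactly one must be present (duplicates are rejected), and for message-level bindings it
     * must additionally be covered by one of the signatures so that it cannot be replaced or
     * stripped by an attacker. A TransportBinding relies on the transport for integrity, so only
     * presence is checked there.
     *
     * <p>Access widened from {@code protected} by the decompiler.
     *
     * @param includeTimestamp whether the binding requires a Timestamp
     * @param transportBinding {@code true} when the caller is a TransportBinding; the signed
     *        check is skipped then
     * @param results all results produced by the WSS4J security engine
     * @param signedResults the signature results (used to prove the Timestamp was signed)
     * @param message the current message; not used by this implementation
     * @return {@code true} if the Timestamp situation matches the policy
     */
    public boolean validateTimestamp(boolean includeTimestamp, boolean transportBinding,
                                     List<WSSecurityEngineResult> results,
                                     List<WSSecurityEngineResult> signedResults,
                                     Message message) {
        List<WSSecurityEngineResult> timestampResults = new ArrayList<WSSecurityEngineResult>();
        WSSecurityUtil.fetchAllActionResults(results, ACTION_TS, timestampResults);

        if (!includeTimestamp) {
            // Policy forbids a Timestamp: any received one is a violation.
            return timestampResults.isEmpty();
        }
        if (timestampResults.size() != 1) {
            return false;
        }
        if (transportBinding) {
            return true;
        }
        if (signedResults.isEmpty()) {
            return false;
        }

        Timestamp timestamp =
            (Timestamp) timestampResults.get(0).get(WSSecurityEngineResult.TAG_TIMESTAMP);
        Element timestampElement = timestamp == null ? null : timestamp.getElement();
        if (timestampElement == null) {
            // Without the DOM element there is nothing to match a signature reference against;
            // reject rather than letting a null == null comparison below succeed.
            return false;
        }
        // Identity comparison is intentional: the Timestamp element and the WSDataRef's
        // protected element are nodes of the same DOM.
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> refs = dataRefsOf(signedResult);
            if (refs == null) {
                continue;
            }
            for (WSDataRef ref : refs) {
                if (timestampElement == ref.getProtectedElement()) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Enforces {@code OnlySignEntireHeadersAndBody}: every signed reference must point at the
     * Body, a direct child of the Header, or a direct child of the Security header.
     *
     * <p>References that carry no xpath cannot be classified and are skipped; a signature result
     * without any data references is skipped as well.
     *
     * @param signedResults the signature results
     * @return {@code false} if any signed reference targets something else
     */
    protected boolean validateEntireHeaderAndBodySignatures(List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> refs = dataRefsOf(signedResult);
            if (refs == null) {
                continue;
            }
            for (WSDataRef ref : refs) {
                String xpath = ref.getXpath();
                if (xpath != null && !isEntireHeaderOrBodyXpath(xpath)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Accepts xpaths of the shape {@code /Envelope/Body}, {@code /Envelope/Header/x} or
     * {@code /Envelope/Header/Security/x}.
     *
     * <p>The leading "/" is assumed to yield an empty first segment, so the Envelope is
     * {@code nodes[1]} and the Body/Header is {@code nodes[2]} — confirm against
     * {@code StringUtils.split} if the xpath format changes. Note the node tests are substring
     * matches on the prefixed element name ("soap:Body" passes, but so would "x:BodyExt"); this
     * mirrors the original behaviour and is not tightened here.
     */
    private static boolean isEntireHeaderOrBodyXpath(String xpath) {
        String[] nodes = StringUtils.split(xpath, "/");
        // 3 segments: Envelope/Body; 4: Envelope/Header/child; 5: Envelope/Header/Security/child
        if (nodes.length < 3 || nodes.length > 5) {
            return false;
        }
        boolean underHeader = nodes[2].contains("Header");
        boolean underBody = nodes[2].contains("Body");
        if (!underHeader && !underBody) {
            return false;
        }
        if (nodes.length == 5 && !nodes[3].contains("Security")) {
            return false;
        }
        // A child of the Body is a partial Body signature, which the assertion forbids.
        if (nodes.length == 4 && underBody) {
            return false;
        }
        return true;
    }

    /**
     * Runs the checks common to both message-level bindings: algorithm suite, Timestamp,
     * OnlySignEntireHeadersAndBody and signature protection. Records the first failure on
     * {@code ai} (and, for the Timestamp, on the {@code IncludeTimestamp} assertion) and stops.
     *
     * <p>Access widened from {@code protected} by the decompiler.
     *
     * @param binding the symmetric or asymmetric binding assertion
     * @param ai the AssertionInfo of the binding assertion
     * @param aim the AssertionInfoMap of the message
     * @param results all security engine results
     * @param signedResults the signature results
     * @param message the current message
     * @return {@code true} if all checks pass
     */
    public boolean checkProperties(SymmetricAsymmetricBindingBase binding, AssertionInfo ai,
                                   AssertionInfoMap aim, List<WSSecurityEngineResult> results,
                                   List<WSSecurityEngineResult> signedResults, Message message) {
        AlgorithmSuitePolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator(results);
        if (!algorithmSuiteValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
            return false;
        }

        // Neither binding here is a TransportBinding, so the Timestamp must be signed.
        String timestampError = "Received Timestamp does not match the requirements";
        if (!validateTimestamp(binding.isIncludeTimestamp(), false, results, signedResults, message)) {
            notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, timestampError);
            ai.setNotAsserted(timestampError);
            return false;
        }
        assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);

        if (binding.isEntireHeadersAndBodySignatures()
            && !validateEntireHeaderAndBodySignatures(signedResults)) {
            ai.setNotAsserted("OnlySignEntireHeadersAndBody does not match the requirements");
            return false;
        }

        if (binding.isSignatureProtection() && !isSignatureEncrypted(results)) {
            ai.setNotAsserted("The signature is not protected");
            return false;
        }
        return true;
    }

    /**
     * Checks that the order in which signing and encryption were applied matches the binding's
     * {@code ProtectionOrder}.
     *
     * <p>With {@code EncryptBeforeSigning} the check is skipped when {@code SignatureProtection}
     * is also on, because the signature is then encrypted after it was created and the result
     * order would look like sign-before-encrypt.
     *
     * <p>Access widened from {@code protected} by the decompiler.
     *
     * @param binding the binding assertion
     * @param ai the AssertionInfo to record a failure on
     * @param results all security engine results
     * @return {@code true} if the order is acceptable
     */
    public boolean checkProtectionOrder(SymmetricAsymmetricBindingBase binding, AssertionInfo ai,
                                        List<WSSecurityEngineResult> results) {
        boolean encryptBeforeSigning =
            binding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning;
        if (encryptBeforeSigning) {
            if (!binding.isSignatureProtection() && isSignedBeforeEncrypted(results)) {
                ai.setNotAsserted("Not encrypted before signed");
                return false;
            }
            return true;
        }
        if (isEncryptedBeforeSigned(results)) {
            ai.setNotAsserted("Not signed before encrypted");
            return false;
        }
        return true;
    }

    /**
     * Returns {@code true} if a content signature appears before the first encryption result
     * in {@code results}. Endorsing signatures (whose only reference is another ds:Signature)
     * are not counted.
     */
    private boolean isSignedBeforeEncrypted(List<WSSecurityEngineResult> results) {
        boolean signatureSeen = false;
        for (WSSecurityEngineResult result : results) {
            if (isContentSignature(result)) {
                signatureSeen = true;
            } else if (isEncryptionResult(result)) {
                return signatureSeen;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} if an encryption result appears before the first content signature
     * in {@code results}. Endorsing signatures are not counted.
     */
    private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
        boolean encryptionSeen = false;
        for (WSSecurityEngineResult result : results) {
            if (isEncryptionResult(result)) {
                encryptionSeen = true;
            } else if (isContentSignature(result)) {
                return encryptionSeen;
            }
        }
        return false;
    }

    /**
     * A SIGN result with data references that is not an endorsing signature, i.e. one whose sole
     * reference is another ds:Signature element.
     */
    private static boolean isContentSignature(WSSecurityEngineResult result) {
        if (actionOf(result) != ACTION_SIGN) {
            return false;
        }
        List<WSDataRef> refs = dataRefsOf(result);
        if (refs == null) {
            return false;
        }
        boolean endorsing = refs.size() == 1 && SIG_QNAME.equals(refs.get(0).getName());
        return !endorsing;
    }

    /** An ENCR result that carries a data reference list (possibly empty, as before). */
    private static boolean isEncryptionResult(WSSecurityEngineResult result) {
        return actionOf(result) == ACTION_ENCR && dataRefsOf(result) != null;
    }

    /**
     * Checks the {@code RequireDerivedKeys} requirement of an X.509 token: if the token demands
     * derived keys but none were used, any signature/encryption made with it is rejected.
     *
     * <p>The three wrapper types are treated as mutually exclusive here. Tokens other than
     * X.509, or without the derived-keys requirement, always pass.
     *
     * <p>Access widened from {@code protected} by the decompiler.
     *
     * @param tokenWrapper the EncryptionToken / SignatureToken / ProtectionToken of the binding
     * @param hasDerivedKeys whether derived keys were found in the message
     * @param signedResults the signature results
     * @param encryptedResults the encryption results
     * @return {@code true} if the requirement is met
     */
    public boolean checkDerivedKeys(TokenWrapper tokenWrapper, boolean hasDerivedKeys,
                                    List<WSSecurityEngineResult> signedResults,
                                    List<WSSecurityEngineResult> encryptedResults) {
        Token token = tokenWrapper.getToken();
        if (!(token instanceof X509Token) || !token.isDerivedKeys()) {
            return true;
        }
        if (hasDerivedKeys) {
            return true;
        }
        // Derived keys were required but not used: only acceptable when nothing was done
        // with the token in question.
        if (tokenWrapper instanceof EncryptionToken) {
            return encryptedResults.isEmpty();
        }
        if (tokenWrapper instanceof SignatureToken) {
            return signedResults.isEmpty();
        }
        if (tokenWrapper instanceof ProtectionToken) {
            return signedResults.isEmpty() || encryptedResults.isEmpty();
        }
        return true;
    }

    /**
     * Checks {@code ProtectTokens}: for every signature, the token that produced it must itself
     * be one of the elements covered by that signature.
     *
     * @param results all security engine results (searched for the signing token)
     * @param signedResults the signature results
     * @return {@code false} if a signing token cannot be found or was not signed
     */
    protected boolean isTokenProtected(List<WSSecurityEngineResult> results,
                                       List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            WSSecurityEngineResult tokenResult = findCorrespondingToken(signedResult, results);
            if (tokenResult == null) {
                return false;
            }
            Object tokenElement = tokenResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (tokenElement == null || !coversElement(signedResult, tokenElement)) {
                return false;
            }
        }
        return true;
    }

    /** Whether one of {@code signedResult}'s data references protects exactly {@code element}. */
    private static boolean coversElement(WSSecurityEngineResult signedResult, Object element) {
        List<WSDataRef> refs = dataRefsOf(signedResult);
        if (refs == null) {
            return false;
        }
        for (WSDataRef ref : refs) {
            Element protectedElement = ref.getProtectedElement();
            if (protectedElement != null && protectedElement.equals(element)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Finds the token result whose key material matches the certificate or public key used by
     * {@code signatureResult}. Matching is by certificate for X.509/PKIPath binary security
     * tokens, by subject certificate or subject public key for SAML assertions, and by public
     * key for anything else; SIGN results are never candidates.
     *
     * <p>Candidates missing the data needed to compare (no certificate, no assertion, empty
     * subject certificate chain) are skipped instead of raising.
     *
     * @return the matching token result, or {@code null} if none matches
     */
    private WSSecurityEngineResult findCorrespondingToken(WSSecurityEngineResult signatureResult,
                                                          List<WSSecurityEngineResult> results) {
        X509Certificate cert =
            (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);

        for (WSSecurityEngineResult candidate : results) {
            int action = actionOf(candidate);
            if (action == ACTION_SIGN) {
                continue;
            }
            BinarySecurity bst =
                (BinarySecurity) candidate.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (bst instanceof X509Security || bst instanceof PKIPathSecurity) {
                X509Certificate candidateCert =
                    (X509Certificate) candidate.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (candidateCert != null && candidateCert.equals(cert)) {
                    return candidate;
                }
            } else if (action == ACTION_ST_SIGNED || action == ACTION_ST_UNSIGNED) {
                // NOTE(review): unsigned assertions are matched as well; whether an unsigned
                // assertion is acceptable is presumably decided by the SAML token validator.
                if (samlSubjectMatches(candidate, cert, publicKey)) {
                    return candidate;
                }
            } else {
                PublicKey candidateKey = (PublicKey) candidate.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
                if (publicKey != null && publicKey.equals(candidateKey)) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Whether the subject key info of the SAML assertion in {@code samlResult} holds
     * {@code cert} as its first certificate or {@code publicKey} as its public key.
     */
    private static boolean samlSubjectMatches(WSSecurityEngineResult samlResult,
                                              X509Certificate cert, PublicKey publicKey) {
        AssertionWrapper assertion =
            (AssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        SAMLKeyInfo subjectKeyInfo = assertion == null ? null : assertion.getSubjectKeyInfo();
        if (subjectKeyInfo == null) {
            return false;
        }
        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
        if (cert != null && subjectCerts != null && subjectCerts.length > 0
            && cert.equals(subjectCerts[0])) {
            return true;
        }
        PublicKey subjectKey = subjectKeyInfo.getPublicKey();
        return subjectKey != null && subjectKey.equals(publicKey);
    }

    /**
     * Checks {@code EncryptSignature}: the primary signature and every SignatureConfirmation
     * element must be among the encrypted elements. A result without an Id cannot be proven
     * encrypted and fails the check.
     *
     * <p>The list is walked from the end; the first SIGN result met that way is taken as the
     * primary signature and earlier SIGN results (endorsing signatures) are ignored. This
     * relies on the ordering WSS4J gives its results — confirm if the engine version changes.
     *
     * @param results all security engine results
     * @return {@code true} if every element that has to be encrypted was encrypted
     */
    protected boolean isSignatureEncrypted(List<WSSecurityEngineResult> results) {
        boolean primarySignatureFound = false;
        for (int i = results.size() - 1; i >= 0; i--) {
            WSSecurityEngineResult result = results.get(i);
            int action = actionOf(result);

            boolean mustBeEncrypted = false;
            if (action == ACTION_SIGN && !primarySignatureFound) {
                primarySignatureFound = true;
                mustBeEncrypted = true;
            } else if (action == ACTION_SC) {
                mustBeEncrypted = true;
            }

            if (mustBeEncrypted) {
                String id = (String) result.get(WSSecurityEngineResult.TAG_ID);
                if (id == null || !isIdEncrypted(id, results)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Whether some ENCR result protects an element whose unqualified {@code Id} or
     * {@code wsu:Id} attribute equals {@code id}.
     */
    private boolean isIdEncrypted(String id, List<WSSecurityEngineResult> results) {
        for (WSSecurityEngineResult result : results) {
            if (actionOf(result) != ACTION_ENCR) {
                continue;
            }
            List<WSDataRef> refs = dataRefsOf(result);
            if (refs == null) {
                continue;
            }
            for (WSDataRef ref : refs) {
                Element protectedElement = ref.getProtectedElement();
                if (protectedElement == null) {
                    continue;
                }
                String plainId = protectedElement.getAttributeNS(null, "Id");
                String wsuId = protectedElement.getAttributeNS(WSU_NS, "Id");
                if (id.equals(plainId) || id.equals(wsuId)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** The WSS4J action code of a result; every engine result is expected to carry one. */
    private static int actionOf(WSSecurityEngineResult result) {
        return ((Integer) result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
    }

    /** The data references of a result, or {@code null} when it carries none. */
    private static List<WSDataRef> dataRefsOf(WSSecurityEngineResult result) {
        return CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    }

    /**
     * Marks the AssertionInfo entries that wrap exactly this {@code assertion} instance
     * (identity comparison) as asserted. Does nothing if the map has no entry for its name.
     *
     * <p>Access widened from {@code protected} by the decompiler.
     */
    public void assertPolicy(AssertionInfoMap aim, Assertion assertion) {
        Collection<AssertionInfo> infos = aim.get(assertion.getName());
        if (infos == null || infos.isEmpty()) {
            return;
        }
        for (AssertionInfo info : infos) {
            if (info.getAssertion() == assertion) {
                info.setAsserted(true);
            }
        }
    }

    /**
     * Marks the AssertionInfo entries that wrap exactly this {@code assertion} instance
     * (identity comparison) as not asserted with {@code reason}.
     */
    protected void notAssertPolicy(AssertionInfoMap aim, Assertion assertion, String reason) {
        Collection<AssertionInfo> infos = aim.get(assertion.getName());
        if (infos == null || infos.isEmpty()) {
            return;
        }
        for (AssertionInfo info : infos) {
            if (info.getAssertion() == assertion) {
                info.setNotAsserted(reason);
            }
        }
    }

    /**
     * Marks every AssertionInfo registered under {@code name} as asserted.
     *
     * <p>Access widened from {@code protected} by the decompiler.
     *
     * @return {@code true} if at least one entry existed for {@code name}
     */
    public boolean assertPolicy(AssertionInfoMap aim, QName name) {
        Collection<AssertionInfo> infos = aim.get(name);
        if (infos == null || infos.isEmpty()) {
            return false;
        }
        for (AssertionInfo info : infos) {
            info.setAsserted(true);
        }
        return true;
    }

    /**
     * Marks every AssertionInfo registered under {@code name} as not asserted with
     * {@code reason}. Does nothing if no entry exists.
     *
     * <p>Access widened from {@code protected} by the decompiler.
     */
    public void notAssertPolicy(AssertionInfoMap aim, QName name, String reason) {
        Collection<AssertionInfo> infos = aim.get(name);
        if (infos == null || infos.isEmpty()) {
            return;
        }
        for (AssertionInfo info : infos) {
            info.setNotAsserted(reason);
        }
    }
}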
