package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Merlin;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.str.STRParser;
import org.apache.ws.security.util.WSSecurityUtil;
import org.opensaml.ws.wssecurity.KeyIdentifier;
import org.w3c.dom.Element;

/* loaded from: input_file:repository/org/mule/apache/cxf/cxf-rt-ws-security/2.7.19-MULE-003/cxf-rt-ws-security-2.7.19-MULE-003.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.class */
public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
    private static final String X509_V3_VALUETYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String PKI_VALUETYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1";
    private static final Logger LOG = LogUtils.getL7dLogger(X509TokenPolicyValidator.class);

    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.TokenPolicyValidator
    public boolean validatePolicy(AssertionInfoMap assertionInfoMap, Message message, Element element, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        Collection<AssertionInfo> collection = assertionInfoMap.get(SP12Constants.X509_TOKEN);
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        List<WSSecurityEngineResult> fetchAllActionResults = WSS4JUtils.fetchAllActionResults(list, 4096);
        for (AssertionInfo assertionInfo : collection) {
            X509Token x509Token = (X509Token) assertionInfo.getAssertion();
            assertionInfo.setAsserted(true);
            if (isTokenRequired(x509Token, message)) {
                if (fetchAllActionResults.isEmpty() && list2.isEmpty()) {
                    assertionInfo.setNotAsserted("The received token does not match the token inclusion requirement");
                } else if (!checkTokenType(x509Token.getTokenVersionAndType(), fetchAllActionResults, list2)) {
                    assertionInfo.setNotAsserted("An incorrect X.509 Token Type is detected");
                }
            }
        }
        return true;
    }

    private boolean checkTokenType(String str, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        Element keyIdentifier;
        if (list.isEmpty() && list2.isEmpty()) {
            return false;
        }
        String str2 = (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(str) || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(str)) ? "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" : "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
        Iterator<WSSecurityEngineResult> it = list.iterator();
        while (it.hasNext()) {
            BinarySecurity binarySecurity = (BinarySecurity) it.next().get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (binarySecurity != null) {
                if (str2.equals(binarySecurity.getValueType())) {
                    return true;
                }
            }
        }
        if (!"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3".equals(str2)) {
            return false;
        }
        for (WSSecurityEngineResult wSSecurityEngineResult : list2) {
            if (STRParser.REFERENCE_TYPE.KEY_IDENTIFIER == ((STRParser.REFERENCE_TYPE) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE)) && (keyIdentifier = getKeyIdentifier((Element) wSSecurityEngineResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT))) != null && "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3".equals(keyIdentifier.getAttributeNS(null, "ValueType"))) {
                try {
                    X509Certificate x509Certificate = new X509Security(keyIdentifier, false).getX509Certificate(new Merlin());
                    if (x509Certificate != null && x509Certificate.getVersion() == 3) {
                        return true;
                    }
                } catch (WSSecurityException e) {
                    LOG.log(Level.FINE, e.getMessage());
                }
            }
        }
        return false;
    }

    private Element getKeyIdentifier(Element element) {
        Element directChildElement;
        Element directChildElement2;
        if (element == null || (directChildElement = WSSecurityUtil.getDirectChildElement(element, "KeyInfo", "http://www.w3.org/2000/09/xmldsig#")) == null || (directChildElement2 = WSSecurityUtil.getDirectChildElement(directChildElement, "SecurityTokenReference", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")) == null) {
            return null;
        }
        return WSSecurityUtil.getDirectChildElement(directChildElement2, KeyIdentifier.ELEMENT_LOCAL_NAME, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    }
}
