package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AsymmetricBinding;
import org.apache.wss4j.policy.model.X509Token;

/* loaded from: input_file:repository/org/apache/cxf/cxf-rt-ws-security/3.5.9/cxf-rt-ws-security-3.5.9.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.class */
/**
 * Validates a WS-SecurityPolicy AsymmetricBinding assertion (SP 1.1 or SP 1.2) against the
 * results of processing the security header of a message.
 *
 * <p>Every assertion is first marked as asserted and is only flipped to "not asserted" when
 * one of the checks below records a failure. The boolean results of the checks are used
 * solely to stop running further checks for that assertion, so a helper that returns
 * {@code false} without recording a failure would leave the assertion asserted.
 */
public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {

    /**
     * Reports whether this validator handles the given assertion.
     *
     * @param assertionInfo the assertion to inspect
     * @return {@code true} if the assertion is present and is named as the SP 1.2 or SP 1.1
     *         AsymmetricBinding element
     */
    @Override
    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
        if (assertionInfo.getAssertion() == null) {
            return false;
        }
        QName assertionName = assertionInfo.getAssertion().getName();
        return SP12Constants.ASYMMETRIC_BINDING.equals(assertionName)
            || SP11Constants.ASYMMETRIC_BINDING.equals(assertionName);
    }

    /**
     * Runs the protection-order, property and token checks for each AsymmetricBinding
     * assertion, in that order, stopping at the first check that returns {@code false}.
     *
     * @param policyValidatorParameters processing results, assertion map and message
     * @param collection the AsymmetricBinding assertions to validate
     */
    @Override
    public void validatePolicies(PolicyValidatorParameters policyValidatorParameters, Collection<AssertionInfo> collection) {
        // NOTE(review): 2048 (0x800) looks like the inlined WSS4J derived-key-token action code
        // (WSConstants.DKT) - confirm against the WSS4J version in use.
        boolean hasDerivedKeys =
            policyValidatorParameters.getResults().getActionResults().containsKey(2048);

        for (AssertionInfo bindingInfo : collection) {
            AsymmetricBinding binding = (AsymmetricBinding) bindingInfo.getAssertion();
            // Optimistic default: the checks below are responsible for unasserting on failure.
            bindingInfo.setAsserted(true);

            if (!checkProtectionOrder(
                    binding,
                    policyValidatorParameters.getAssertionInfoMap(),
                    bindingInfo,
                    policyValidatorParameters.getResults().getResults())) {
                continue;
            }
            if (!checkProperties(
                    binding,
                    bindingInfo,
                    policyValidatorParameters.getAssertionInfoMap(),
                    policyValidatorParameters.getResults(),
                    policyValidatorParameters.getSignedResults(),
                    policyValidatorParameters.getMessage())) {
                continue;
            }
            // Last check; its result is not needed because nothing follows it.
            checkTokens(
                binding,
                bindingInfo,
                policyValidatorParameters.getAssertionInfoMap(),
                hasDerivedKeys,
                policyValidatorParameters.getSignedResults(),
                policyValidatorParameters.getEncryptedResults());
        }
    }

    /**
     * Checks every token wrapper configured on the binding.
     *
     * <p>All configured tokens are checked even after one of them fails, so each token's
     * policy assertion is still recorded.
     *
     * @return {@code true} only if every configured token passed its check
     */
    private boolean checkTokens(AsymmetricBinding binding, AssertionInfo bindingInfo, AssertionInfoMap aim, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
        boolean allValid = true;

        AbstractTokenWrapper initiator = binding.getInitiatorToken();
        if (initiator != null) {
            allValid = checkInitiatorTokens(initiator, bindingInfo, aim, hasDerivedKeys, signedResults, encryptedResults);
        }

        AbstractTokenWrapper initiatorSignature = binding.getInitiatorSignatureToken();
        if (initiatorSignature != null) {
            boolean passed = checkInitiatorTokens(initiatorSignature, bindingInfo, aim, hasDerivedKeys, signedResults, encryptedResults);
            if (!passed) {
                allValid = false;
            }
        }

        AbstractTokenWrapper initiatorEncryption = binding.getInitiatorEncryptionToken();
        if (initiatorEncryption != null) {
            boolean passed = checkInitiatorTokens(initiatorEncryption, bindingInfo, aim, hasDerivedKeys, signedResults, encryptedResults);
            if (!passed) {
                allValid = false;
            }
        }

        AbstractTokenWrapper recipient = binding.getRecipientToken();
        if (recipient != null) {
            boolean passed = checkRecipientTokens(recipient, bindingInfo, aim, hasDerivedKeys, signedResults, encryptedResults);
            if (!passed) {
                allValid = false;
            }
        }

        AbstractTokenWrapper recipientSignature = binding.getRecipientSignatureToken();
        if (recipientSignature != null) {
            boolean passed = checkRecipientTokens(recipientSignature, bindingInfo, aim, hasDerivedKeys, signedResults, encryptedResults);
            if (!passed) {
                allValid = false;
            }
        }

        AbstractTokenWrapper recipientEncryption = binding.getRecipientEncryptionToken();
        if (recipientEncryption != null) {
            boolean passed = checkRecipientTokens(recipientEncryption, bindingInfo, aim, hasDerivedKeys, signedResults, encryptedResults);
            if (!passed) {
                allValid = false;
            }
        }

        return allValid;
    }

    /**
     * Checks an initiator-side token wrapper.
     *
     * <p>When the policy token is an X509Token, at least one signed result must carry an
     * X.509 certificate. The requirement is enforced only when {@code signedResults} is
     * non-empty: with no signed results at all this check passes, so rejecting an unsigned
     * message has to be done by some other check. Any single signed result with a certificate
     * satisfies the requirement; the certificate is not matched against this specific token.
     *
     * @return {@code true} if the X.509 requirement (where applicable) and the derived-keys
     *         requirement are both met
     */
    private boolean checkInitiatorTokens(AbstractTokenWrapper wrapper, AssertionInfo bindingInfo, AssertionInfoMap aim, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
        if (wrapper.getToken() instanceof X509Token) {
            boolean certificateSeen = false;
            for (WSSecurityEngineResult signedResult : signedResults) {
                X509Certificate certificate =
                    (X509Certificate) signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (certificate != null) {
                    certificateSeen = true;
                    break;
                }
            }
            if (!(certificateSeen || signedResults.isEmpty())) {
                String reason = "An X.509 certificate was not used for the " + wrapper.getName();
                unassertPolicy(aim, wrapper.getName(), reason);
                bindingInfo.setNotAsserted(reason);
                return false;
            }
        }

        PolicyUtils.assertPolicy(aim, wrapper.getName());
        // checkDerivedKeys / assertDerivedKeys are inherited; their logic is not visible here.
        if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
            bindingInfo.setNotAsserted("Message fails the DerivedKeys requirement");
            return false;
        }
        assertDerivedKeys(wrapper.getToken(), aim);
        return true;
    }

    /**
     * Marks every assertion registered under {@code qName} as not asserted, with the given
     * reason. Does nothing when no assertion is registered under that name.
     */
    private void unassertPolicy(AssertionInfoMap aim, QName qName, String reason) {
        Collection<AssertionInfo> registered = aim.get(qName);
        if (registered != null && !registered.isEmpty()) {
            for (AssertionInfo info : registered) {
                info.setNotAsserted(reason);
            }
        }
    }

    /**
     * Checks a recipient-side token wrapper. Only the derived-keys requirement is checked;
     * unlike the initiator side, no X.509 certificate check is made here.
     *
     * @return {@code true} if the derived-keys requirement is met
     */
    private boolean checkRecipientTokens(AbstractTokenWrapper wrapper, AssertionInfo bindingInfo, AssertionInfoMap aim, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
        PolicyUtils.assertPolicy(aim, wrapper.getName());
        if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
            bindingInfo.setNotAsserted("Message fails the DerivedKeys requirement");
            return false;
        }
        assertDerivedKeys(wrapper.getToken(), aim);
        return true;
    }
}
