package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.PKIPathSecurity;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.Layout;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/cxf-rt-ws-security-3.2.1.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.class */
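public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {

    /**
     * Number of {@code "/"}-separated steps in a {@link WSDataRef} xpath for an element placed
     * directly under the {@code wsse:Security} header (Envelope / Header / Security / element).
     * NOTE(review): the count of 5 presumably includes the empty token produced by the leading
     * {@code "/"} of an absolute path — confirm against {@link StringUtils#split}.
     */
    private static final int SECURITY_HEADER_CHILD_DEPTH = 5;

    /**
     * Accepts the SP 1.1 and SP 1.2 {@code Layout} assertions.
     *
     * @param assertionInfo the assertion to check; its assertion may be {@code null}
     * @return {@code true} if the assertion is a {@code sp:Layout} assertion of either version
     */
    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator
    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
        if (assertionInfo.getAssertion() == null) {
            return false;
        }
        QName name = assertionInfo.getAssertion().getName();
        return SP12Constants.LAYOUT.equals(name) || SP11Constants.LAYOUT.equals(name);
    }

    /**
     * Validates every {@code Layout} assertion against the WSS4J processing results.
     * <p>
     * Each assertion is first marked as asserted (and its nested layout-type assertion is asserted
     * in the {@link AssertionInfoMap}); it is then un-asserted if the observed ordering of the
     * security header does not satisfy the requested layout type.
     *
     * @param policyValidatorParameters the processing results and assertion map for this message
     * @param collection the {@code Layout} assertions to validate
     */
    @Override // org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator
    public void validatePolicies(PolicyValidatorParameters policyValidatorParameters,
                                 Collection<AssertionInfo> collection) {
        List<WSSecurityEngineResult> results = policyValidatorParameters.getResults().getResults();
        List<WSSecurityEngineResult> signedResults = policyValidatorParameters.getSignedResults();
        for (AssertionInfo ai : collection) {
            Layout layout = (Layout) ai.getAssertion();
            ai.setAsserted(true);
            assertToken(layout, policyValidatorParameters.getAssertionInfoMap());
            if (!validatePolicy(layout, results, signedResults)) {
                ai.setNotAsserted("Layout does not match the requirements");
            }
        }
    }

    /**
     * Asserts the nested layout-type assertion (e.g. {@code sp:Strict}) that shares the
     * {@code Layout} assertion's namespace; nothing is asserted when no layout type is set.
     *
     * @param layout the layout assertion
     * @param aim the assertion map in which to assert the layout type
     */
    private void assertToken(Layout layout, AssertionInfoMap aim) {
        Layout.LayoutType layoutType = layout.getLayoutType();
        if (layoutType == null) {
            return;
        }
        String namespace = layout.getName().getNamespaceURI();
        PolicyUtils.assertPolicy(aim, new QName(namespace, layoutType.name()));
    }

    /**
     * Checks the observed security-header ordering against the requested layout type.
     * <p>
     * The {@code LaxTsFirst} / {@code LaxTsLast} branches treat the <em>last</em> engine result as
     * the <em>first</em> header element, so the result list is expected to be in reverse document
     * order; the strict checks below rely on the same ordering.
     *
     * @param layout the layout assertion
     * @param results all engine results for the security header
     * @param signedResults the signature results only
     * @return {@code false} if the layout requirement is violated; {@code true} otherwise, including
     *         for {@code Lax} and for an unset layout type, which impose no ordering
     */
    private boolean validatePolicy(Layout layout, List<WSSecurityEngineResult> results,
                                   List<WSSecurityEngineResult> signedResults) {
        Layout.LayoutType layoutType = layout.getLayoutType();
        if (layoutType == Layout.LayoutType.LaxTsFirst) {
            return !results.isEmpty()
                && actionOf(results.get(results.size() - 1)) == WSConstants.TS;
        }
        if (layoutType == Layout.LayoutType.LaxTsLast) {
            return !results.isEmpty()
                && actionOf(results.get(0)) == WSConstants.TS;
        }
        if (layoutType == Layout.LayoutType.Strict) {
            return validateStrictSignaturePlacement(results, signedResults)
                && validateStrictSignatureTokenPlacement(results)
                && checkSignatureIsSignedPlacement(results, signedResults);
        }
        return true;
    }

    /**
     * Strict check 1: every security-header child covered by a (non-SAML) signature must appear in
     * the header before the signature that covers it.
     *
     * @param results all engine results
     * @param signedResults the signature results
     * @return {@code false} on the first covered header element found after its signature
     */
    private boolean validateStrictSignaturePlacement(List<WSSecurityEngineResult> results,
                                                     List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> dataRefs = CastUtils.cast(
                (List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            // Signed SAML results are not subject to this check; the action is only read when
            // data refs exist, so a result without TAG_ACTION cannot throw here.
            if (dataRefs == null || actionOf(signedResult) == WSConstants.ST_SIGNED) {
                continue;
            }
            for (WSDataRef ref : dataRefs) {
                if (!isSecurityHeaderChild(ref)) {
                    continue;
                }
                if (!tokenPrecedesSignature(results, signedResult, ref.getProtectedElement())) {
                    return false;
                }
            }
        }
        return true;
    }

    /** Returns {@code true} if the data reference points at a direct child of the Security header. */
    private static boolean isSecurityHeaderChild(WSDataRef ref) {
        String xpath = ref.getXpath();
        return xpath != null
            && StringUtils.split(xpath, "/").length == SECURITY_HEADER_CHILD_DEPTH;
    }

    /**
     * Scans {@code results} (reverse document order) and reports whether the result whose token
     * element is {@code protectedElement} is not encountered before {@code signedResult}.
     * Elements are compared by identity, as they are the very DOM nodes WSS4J processed.
     *
     * @return {@code false} if the protected element's result precedes the signature's result
     */
    private static boolean tokenPrecedesSignature(List<WSSecurityEngineResult> results,
                                                  WSSecurityEngineResult signedResult,
                                                  Element protectedElement) {
        boolean tokenSeen = false;
        for (WSSecurityEngineResult result : results) {
            Element tokenElement = (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (tokenElement == protectedElement) {
                tokenSeen = true;
            }
            if (result == signedResult) {
                if (tokenSeen) {
                    return false;
                }
                // Nothing after the signature's own result can change the outcome for a list of
                // distinct results; the decompiled listing left an empty "if" where this early exit
                // belongs. Only exits when the signature result carries a token element.
                if (tokenElement != null) {
                    break;
                }
            }
        }
        return true;
    }

    /**
     * Strict check 2: the token that a signature was created with must appear in the header before
     * the signature.
     *
     * @param results all engine results
     * @return {@code false} if a signing token is found after its signature
     */
    private boolean validateStrictSignatureTokenPlacement(List<WSSecurityEngineResult> results) {
        for (int i = 0; i < results.size(); i++) {
            WSSecurityEngineResult result = results.get(i);
            if (actionOf(result) != WSConstants.SIGN) {
                continue;
            }
            int tokenIndex = findCorrespondingTokenIndex(result, results);
            // -1 means no matching token was found. NOTE(review): a token at index 0 (the last
            // header element in reverse order) is also excluded by "> 0" — confirm whether that is
            // intentional, as it would not be flagged even when it follows the signature.
            if (tokenIndex > 0 && tokenIndex < i) {
                return false;
            }
        }
        return true;
    }

    /**
     * Strict check 3: an endorsing signature (one that signs another {@code ds:Signature}) must
     * appear in the header after the signature it endorses.
     *
     * @param results all engine results
     * @param signedResults the signature results
     * @return {@code false} if an endorsing signature precedes the signature it covers
     */
    private boolean checkSignatureIsSignedPlacement(List<WSSecurityEngineResult> results,
                                                    List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> dataRefs = CastUtils.cast(
                (List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef ref : dataRefs) {
                if (WSConstants.SIGNATURE.equals(ref.getName())
                    && !isEndorsingSignatureInCorrectPlace(results, signedResult,
                                                           ref.getProtectedElement())) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Walks the signature-bearing results (reverse document order) and checks that
     * {@code endorsingResult} is encountered no later than the result whose token element is
     * {@code signedSignatureElement}.
     *
     * @param results all engine results
     * @param endorsingResult the signature result that covers another signature
     * @param signedSignatureElement the {@code ds:Signature} element that was signed
     * @return {@code true} if the endorsed signature's result is never seen, or is seen only after
     *         (or together with) the endorsing result
     */
    private boolean isEndorsingSignatureInCorrectPlace(List<WSSecurityEngineResult> results,
                                                       WSSecurityEngineResult endorsingResult,
                                                       Element signedSignatureElement) {
        boolean endorsingSeen = false;
        for (WSSecurityEngineResult result : results) {
            if (!isSignatureAction(actionOf(result))) {
                continue;
            }
            if (result == endorsingResult) {
                endorsingSeen = true;
            }
            Element tokenElement = (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (tokenElement == signedSignatureElement) {
                return endorsingSeen;
            }
        }
        return true;
    }

    /** Signature-producing actions considered by the endorsing-signature placement check. */
    private static boolean isSignatureAction(int action) {
        return action == WSConstants.SIGN
            || action == WSConstants.ST_SIGNED
            || action == WSConstants.UT_SIGN;
    }

    /**
     * Finds the index in {@code results} of the token a signature was created with, by matching
     * the signature's certificate or public key against each non-signature result.
     *
     * @param signatureResult the signature result (its certificate / public key may be {@code null})
     * @param results all engine results
     * @return the index of the first matching token result, or {@code -1} if none matches
     */
    private int findCorrespondingTokenIndex(WSSecurityEngineResult signatureResult,
                                            List<WSSecurityEngineResult> results) {
        X509Certificate cert =
            (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);

        for (int i = 0; i < results.size(); i++) {
            WSSecurityEngineResult candidate = results.get(i);
            int action = actionOf(candidate);
            if (action == WSConstants.SIGN) {
                continue;
            }
            BinarySecurity bst =
                (BinarySecurity) candidate.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (bst instanceof X509Security || bst instanceof PKIPathSecurity) {
                // An X.509 / PKIPath BST result is expected to carry its certificate; a missing one
                // fails loudly (NPE) rather than being skipped.
                X509Certificate foundCert =
                    (X509Certificate) candidate.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (foundCert.equals(cert)) {
                    return i;
                }
            } else if (action == WSConstants.ST_SIGNED || action == WSConstants.ST_UNSIGNED) {
                SAMLKeyInfo subjectKeyInfo =
                    ((SamlAssertionWrapper) candidate.get(WSSecurityEngineResult.TAG_SAML_ASSERTION))
                        .getSubjectKeyInfo();
                if (subjectKeyInfo != null && matchesSubjectKeyInfo(subjectKeyInfo, cert, publicKey)) {
                    return i;
                }
            } else {
                PublicKey foundKey = (PublicKey) candidate.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
                if (publicKey != null && publicKey.equals(foundKey)) {
                    return i;
                }
            }
        }
        return -1;
    }

    /**
     * Matches a SAML subject KeyInfo against the signature's credentials: the first subject
     * certificate must equal {@code cert}, or the subject public key must equal {@code publicKey}.
     */
    private static boolean matchesSubjectKeyInfo(SAMLKeyInfo subjectKeyInfo, X509Certificate cert,
                                                 PublicKey publicKey) {
        X509Certificate[] certs = subjectKeyInfo.getCerts();
        // Guard the empty-array case, which would otherwise throw on certs[0].
        if (cert != null && certs != null && certs.length > 0 && cert.equals(certs[0])) {
            return true;
        }
        PublicKey subjectKey = subjectKeyInfo.getPublicKey();
        return subjectKey != null && subjectKey.equals(publicKey);
    }

    /**
     * Reads the WSS4J action code of a result.
     *
     * @throws NullPointerException if the result carries no {@code TAG_ACTION} entry
     */
    private static int actionOf(WSSecurityEngineResult result) {
        return (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
    }
}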
