package weblogic.wsee.security.bst;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import weblogic.security.SSL.TrustManager;
import weblogic.security.service.ContextHandler;
import weblogic.utils.encoders.BASE64Decoder;
import weblogic.wsee.policy.framework.PolicyAlternative;
import weblogic.wsee.security.policy.assertions.ConfidentialityAssertion;
import weblogic.wsee.security.policy.assertions.xbeans.SecurityTokenReferenceType;
import weblogic.xml.crypto.utils.DOMUtils;
import weblogic.xml.crypto.wss.BSTUtils;
import weblogic.xml.crypto.wss.WSSConstants;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.WSSecurityException;
import weblogic.xml.crypto.wss.X509Credential;
import weblogic.xml.crypto.wss.provider.Purpose;

/* loaded from: input_file:weblogic/wsee/security/bst/PolicyBSTCredentialProvider.class */
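/**
 * Credential provider that supplies the server's X.509 credential when that certificate is carried
 * inside the policy itself: a {@code wsse:BinarySecurityToken} wrapped in a WLS-policy {@code Embedded}
 * element under the {@code SecurityTokenReference} of a {@link ConfidentialityAssertion}.
 *
 * <p>The certificate is accepted only if the {@link TrustManager} registered on the
 * {@link WSSecurityContext} approves it; this class performs no further checks of its own (no
 * chain building, no key-usage or validity-period check), so the strength of the trust decision is
 * exactly that of the configured TrustManager.
 */
public class PolicyBSTCredentialProvider extends BSTCredentialProvider {
    /** Namespace of the WLS 9.0 security-policy {@code Embedded} element that wraps the token. */
    private static final String WLS_POLICY_NS = "http://www.bea.com/wls90/security/policy";
    /** WS-Security 1.0 {@code wsse} namespace of {@code BinarySecurityToken}. */
    private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String BST_ELEMENT = "BinarySecurityToken";
    /**
     * Second argument handed to {@link TrustManager#certificateCallback}; the original code passed the
     * literal 16. NOTE(review): its meaning is defined by weblogic.security.SSL.TrustManager, not visible
     * here — confirm against that class before changing it.
     */
    private static final int CERT_CALLBACK_VALIDATE_ERR = 16;

    /** Server credential parsed from the policy, or {@code null} when the policy carried no embedded BST. */
    private X509Credential serverCredential;

    /**
     * Scans the confidentiality assertions of {@code policyAlternative} for an embedded
     * BinarySecurityToken, parses it as an X.509 certificate and keeps it as the server credential.
     *
     * @param policyAlternative the policy alternative to scan; {@code null} leaves the provider empty
     * @param wSSecurityContext security context whose {@link WSSecurityContext#TRUST_MANAGER} property
     *     decides whether the embedded certificate is trusted
     * @throws IOException if the token's base64 content cannot be decoded
     * @throws CertificateException if the decoded bytes are not a parsable X.509 certificate
     * @throws WSSecurityException if no TrustManager is configured, the certificate is not trusted,
     *     or the embedded token carries no content
     */
    public PolicyBSTCredentialProvider(PolicyAlternative policyAlternative, WSSecurityContext wSSecurityContext) throws IOException, CertificateException, WSSecurityException {
        this.serverCredential = null;
        if (policyAlternative == null) {
            return;
        }
        Iterator it = policyAlternative.getAssertions(ConfidentialityAssertion.class).iterator();
        while (it.hasNext()) {
            ConfidentialityAssertion assertion = (ConfidentialityAssertion) it.next();
            SecurityTokenReferenceType[] references = assertion.getXbean().getConfidentiality().getKeyInfo().getSecurityTokenReferenceArray();
            if (references == null) {
                continue;
            }
            for (SecurityTokenReferenceType reference : references) {
                Element bst = findEmbeddedBst(reference);
                if (bst == null) {
                    continue;
                }
                X509Certificate certificate = parseCertificate(bst);
                if (!isTrusted(certificate, wSSecurityContext)) {
                    throw new WSSecurityException("Server cert not trusted.");
                }
                this.serverCredential = new X509Credential(certificate);
                // The decompiled loop had lost its exit and would spin on the matching index forever;
                // stop at the first embedded token of this assertion. A later assertion that also
                // carries one still overwrites the credential, as the original's re-assignment did.
                break;
            }
        }
    }

    /**
     * Returns the server credential for encryption or signature verification requests that match
     * the caller's context.
     *
     * @param str unused here
     * @param str2 unused here
     * @param contextHandler request context matched against the credential via {@link BSTUtils#matches}
     * @param purpose requested use of the credential; {@code null} is accepted for any use
     * @return the server credential, or {@code null} when none is held, the purpose is neither
     *     encryption nor verification, or the context does not match
     */
    @Override // weblogic.xml.crypto.wss.provider.CredentialProvider
    public Object getCredential(String str, String str2, ContextHandler contextHandler, Purpose purpose) {
        if (this.serverCredential == null) {
            return null;
        }
        boolean purposeAccepted = purpose == null || isForEncryption(purpose) || isForVerification(purpose);
        if (purposeAccepted && BSTUtils.matches(this.serverCredential, contextHandler)) {
            return this.serverCredential;
        }
        return null;
    }

    /**
     * Locates the first {@code wsse:BinarySecurityToken} nested in the first WLS {@code Embedded}
     * element of the given SecurityTokenReference.
     *
     * @return the token element, or {@code null} when the reference carries no embedded token
     */
    private static Element findEmbeddedBst(SecurityTokenReferenceType reference) {
        Element strElement = (Element) reference.newDomNode().getFirstChild();
        NodeList embedded = strElement.getElementsByTagNameNS(WLS_POLICY_NS, WSSConstants.EMBEDDED_ELEMENT);
        if (embedded == null || embedded.getLength() <= 0) {
            return null;
        }
        NodeList tokens = ((Element) embedded.item(0)).getElementsByTagNameNS(WSSE_NS, BST_ELEMENT);
        if (tokens == null || tokens.getLength() <= 0) {
            return null;
        }
        return (Element) tokens.item(0);
    }

    /**
     * Decodes the token's text content as base64 and parses the result as an X.509 certificate.
     * The token's EncodingType/ValueType attributes are not consulted; the content is assumed to be
     * base64-encoded DER.
     *
     * @throws WSSecurityException if the token element has no text content
     * @throws IOException if the base64 content cannot be decoded
     * @throws CertificateException if the bytes are not a parsable certificate
     */
    private static X509Certificate parseCertificate(Element bst) throws IOException, CertificateException, WSSecurityException {
        String encoded = DOMUtils.getText(bst);
        if (encoded == null || encoded.trim().isEmpty()) {
            throw new WSSecurityException("Embedded BinarySecurityToken has no content.");
        }
        byte[] der = new BASE64Decoder().decodeBuffer(encoded);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Asks the TrustManager registered on the security context whether the certificate is trusted.
     * Only the single certificate is handed over, without intermediates.
     *
     * @throws WSSecurityException if the context has no TrustManager
     */
    private boolean isTrusted(X509Certificate x509Certificate, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        TrustManager trustManager = (TrustManager) wSSecurityContext.getProperty(WSSecurityContext.TRUST_MANAGER);
        if (trustManager == null) {
            throw new WSSecurityException("No TrustManager set.");
        }
        return trustManager.certificateCallback(new X509Certificate[]{x509Certificate}, CERT_CALLBACK_VALIDATE_ERR);
    }
}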
