package weblogic.xml.crypto.wss;

import java.security.AccessController;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import javax.xml.rpc.handler.MessageContext;
import org.w3c.dom.Node;
import weblogic.security.KeyPairCredential;
import weblogic.security.PublicCertCredential;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.PrivilegedActions;
import weblogic.wsee.security.serviceref.ServiceRefUtils;
import weblogic.xml.crypto.api.MarshalException;
import weblogic.xml.crypto.common.keyinfo.KeyProvider;
import weblogic.xml.crypto.common.keyinfo.KeyProviderFactory;
import weblogic.xml.crypto.dsig.api.keyinfo.X509IssuerSerial;
import weblogic.xml.crypto.utils.CertUtils;
import weblogic.xml.crypto.utils.LogUtils;
import weblogic.xml.crypto.wss.api.BinarySecurityToken;
import weblogic.xml.crypto.wss.api.KeyIdentifier;
import weblogic.xml.crypto.wss.provider.CredentialProvider;
import weblogic.xml.crypto.wss.provider.Purpose;
import weblogic.xml.crypto.wss.provider.SecurityToken;
import weblogic.xml.crypto.wss.provider.SecurityTokenHandler;
import weblogic.xml.crypto.wss.provider.SecurityTokenReference;
import weblogic.xml.crypto.wss11.internal.WSS11Constants;
import weblogic.xml.crypto.wss11.internal.enckey.EncryptedKeyCredentialProvider;

/* loaded from: input_file:weblogic/xml/crypto/wss/BinarySecurityTokenHandler.class */
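/**
 * {@link SecurityTokenHandler} for WS-Security {@code BinarySecurityToken} (X.509 certificate) tokens.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>resolving a token from a {@link SecurityTokenReference} by reference URI, key identifier or
 *       issuer/serial ({@link #getSecurityToken(SecurityTokenReference, MessageContext)});</li>
 *   <li>selecting a token for a {@link Purpose}, first from the message context and then from the PKI
 *       credential mapper ({@link #getSecurityToken(String, String, Purpose, ContextHandler)});</li>
 *   <li>validating a received token ({@link #validateUnmarshalled} / {@link #validateProcessed});</li>
 *   <li>deriving an authenticated {@link Subject} from a token ({@link #getSubject}).</li>
 * </ul>
 *
 * <p>Instance state: {@code isAuthorizationToken} controls whether a token may be used as an identity
 * token at all (see {@link #isAuthToken}); {@code valueType} is written by {@link #newSecurityToken} and
 * is not read anywhere in this class. Because {@code newSecurityToken} mutates instance state on every
 * unmarshal, sharing one handler instance across threads is only safe if that field is never relied on
 * — NOTE(review): confirm how instances are scoped by the caller.
 */
public class BinarySecurityTokenHandler implements SecurityTokenHandler {
    /**
     * Kernel identity obtained under {@code doPrivileged}. It is the caller identity used for the
     * PKI credential mapper lookups in {@link #getTokenFromSubject}, so those lookups run with
     * kernel privileges regardless of the requesting user.
     */
    private static final AuthenticatedSubject kernelID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    // When false, no token handled by this instance is ever accepted as an identity token.
    private boolean isAuthorizationToken;
    // Value type of the last token unmarshalled by newSecurityToken(); not read in this class.
    private String valueType = null;

    /** @return the built-in BST value types this handler accepts ({@code WSSConstants.BUILTIN_BST_VALUETYPES}). */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public String[] getValueTypes() {
        return WSSConstants.BUILTIN_BST_VALUETYPES;
    }

    /**
     * Wraps the token in a {@link KeyProvider}.
     *
     * @param securityToken must be a {@link BinarySecurityToken}; any other type fails with a
     *     {@code ClassCastException}
     * @param messageContext unused here
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public KeyProvider getKeyProvider(SecurityToken securityToken, MessageContext messageContext) {
        return KeyProviderFactory.create((BinarySecurityToken) securityToken);
    }

    /**
     * Resolves the token a {@code SecurityTokenReference} points at. The reference kinds are tried in
     * order: reference URI, key identifier, issuer/serial. The purpose is read from the
     * {@code "weblogic.xml.crypto.wss.provider.Purpose"} message-context property.
     *
     * @throws WSSecurityException with {@code FAILURE_TOKEN_UNAVAILABLE} when the STR carries none of
     *     the three reference kinds, or when the selected lookup fails
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityToken getSecurityToken(SecurityTokenReference securityTokenReference, MessageContext messageContext) throws WSSecurityException {
        WSSecurityContext securityContext = WSSecurityContext.getSecurityContext(messageContext);
        String valueType = securityTokenReference.getValueType();
        List securityTokens = securityContext.getSecurityTokens();
        Purpose purpose = (Purpose) messageContext.getProperty("weblogic.xml.crypto.wss.provider.Purpose");
        String referenceURI = securityTokenReference.getReferenceURI();
        if (referenceURI != null) {
            return getTokenByURI(referenceURI, securityTokens, purpose, securityContext);
        }
        KeyIdentifier keyIdentifier = securityTokenReference.getKeyIdentifier();
        if (keyIdentifier != null) {
            // Both arguments are the STR value type; the second one is not used by getTokenByKeyId.
            return getTokenByKeyId(keyIdentifier, valueType, securityTokenReference.getValueType(), securityTokens, purpose, securityContext);
        }
        X509IssuerSerial issuerSerial = securityTokenReference.getIssuerSerial();
        if (issuerSerial != null) {
            return getTokenByIssuerSerial(issuerSerial, valueType, securityTokens, purpose, securityContext);
        }
        throw new WSSecurityException("Failed to resolve SecurityToken from STR " + securityTokenReference, WSSConstants.FAILURE_TOKEN_UNAVAILABLE);
    }

    /**
     * Resolves a token by key identifier (SKI / thumbprint). Lookup order:
     * <ol>
     *   <li>a {@link BinarySecurityToken} already present in the message whose credential matches;</li>
     *   <li>a credential from the configured credential provider (context element
     *       {@code SecurityTokenContextHandler.KEYID}), accepted only if it matches the identifier
     *       by key identifier or by thumbprint;</li>
     *   <li>{@code CertUtils.lookupCertificate(identifier)}.</li>
     * </ol>
     *
     * @param keyIdentifier the key identifier from the STR
     * @param str the STR value type, passed on to the credential provider and token handler
     * @param str2 unused
     * @param list the message's security tokens
     * @throws WSSecurityException {@code FAILURE_TOKEN_UNAVAILABLE} when nothing matches
     */
    protected SecurityToken getTokenByKeyId(KeyIdentifier keyIdentifier, String str, String str2, List list, Purpose purpose, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        Iterator it = list.iterator();
        while (it.hasNext()) {
            SecurityToken securityToken = (SecurityToken) it.next();
            if ((securityToken instanceof BinarySecurityToken) && BSTUtils.matches(keyIdentifier, (X509Credential) securityToken.getCredential())) {
                return amend((BinarySecurityToken) securityToken, purpose, wSSecurityContext);
            }
        }
        // The provider result is cast to X509Credential unchecked; a provider returning another
        // credential type fails with ClassCastException rather than WSSecurityException.
        Object credential = getCredential(SecurityTokenContextHandler.KEYID, keyIdentifier, str, purpose, wSSecurityContext);
        if (credential == null || (!BSTUtils.matches(keyIdentifier, (X509Credential) credential) && !BSTUtils.matchesThumbprint(keyIdentifier, (X509Credential) credential))) {
            X509Certificate lookupCertificate = CertUtils.lookupCertificate(keyIdentifier.getIdentifier());
            if (lookupCertificate != null) {
                return getToken(lookupCertificate, str, wSSecurityContext);
            }
            throw new WSSecurityException("Failed to resolve security token from key identifier " + keyIdentifier, WSSConstants.FAILURE_TOKEN_UNAVAILABLE);
        }
        return getToken(credential, str, wSSecurityContext);
    }

    /**
     * Resolves a token by issuer name and serial number, with the same three-stage lookup as
     * {@link #getTokenByKeyId} (message tokens, credential provider under
     * {@code SecurityTokenContextHandler.ISSUER_SERIAL}, then {@code CertUtils.lookupCertificate}).
     *
     * @throws WSSecurityException {@code FAILURE_TOKEN_UNAVAILABLE} when nothing matches
     */
    private SecurityToken getTokenByIssuerSerial(X509IssuerSerial x509IssuerSerial, String str, List list, Purpose purpose, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        Iterator it = list.iterator();
        while (it.hasNext()) {
            SecurityToken securityToken = (SecurityToken) it.next();
            if ((securityToken instanceof BinarySecurityToken) && BSTUtils.matches(x509IssuerSerial, (X509Credential) securityToken.getCredential())) {
                return amend((BinarySecurityToken) securityToken, purpose, wSSecurityContext);
            }
        }
        Object credential = getCredential(SecurityTokenContextHandler.ISSUER_SERIAL, x509IssuerSerial, str, purpose, wSSecurityContext);
        if (credential != null && BSTUtils.matches(x509IssuerSerial, (X509Credential) credential)) {
            return getToken(credential, str, wSSecurityContext);
        }
        X509Certificate lookupCertificate = CertUtils.lookupCertificate(x509IssuerSerial.getIssuerName(), x509IssuerSerial.getSerialNumber());
        if (lookupCertificate != null) {
            return getToken(lookupCertificate, str, wSSecurityContext);
        }
        throw new WSSecurityException("Failed to resolve security token for issuer serial " + x509IssuerSerial, WSSConstants.FAILURE_TOKEN_UNAVAILABLE);
    }

    /**
     * Builds a token for a bare certificate (no private key) by wrapping it in an {@link X509Credential}.
     *
     * @param str the value type used to pick the token handler
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SecurityToken getToken(X509Certificate x509Certificate, String str, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        return getToken(new X509Credential(x509Certificate), str, wSSecurityContext);
    }

    /**
     * Builds a token for a credential through the handler registered for value type {@code str}.
     *
     * @throws WSSecurityException propagated from {@code getRequiredTokenHandler} / {@code getSecurityToken}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SecurityToken getToken(Object obj, String str, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        return wSSecurityContext.getRequiredTokenHandler(str).getSecurityToken(str, obj, null);
    }

    /**
     * Asks the credential provider for a credential matching a reference element.
     *
     * <p>For thumbprint ({@code WSS11Constants.THUMBPRINT_URI}) and X509Data
     * ({@code WSSConstants.VALUE_TYPE_X509DATA}) key-identifier references the lookup is redirected to
     * the X509v3 provider ({@code WSSConstants.VALUE_TYPE_X509V3}), the purpose defaults to
     * {@code VERIFY} when absent, and a {@link WrapperCredentialProvider} is first asked via
     * {@code getCredentialByKeyIdentifier}.
     *
     * @param str context element name (e.g. {@code SecurityTokenContextHandler.KEYID})
     * @param obj context element value (the reference object)
     * @param str2 token value type
     * @return the credential, or {@code null} when the provider has none
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Object getCredential(String str, Object obj, String str2, Purpose purpose, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        CredentialProvider requiredCredentialProvider;
        Object credentialByKeyIdentifier;
        ContextHandler contextHandler = getContextHandler(wSSecurityContext, str, obj);
        LogUtils.logWss("--->Trying to get credential from token type = " + str2 + " and ctxElementName = " + str);
        if ((WSS11Constants.THUMBPRINT_URI.equals(str2) || WSSConstants.VALUE_TYPE_X509DATA.equals(str2)) && str != null && str.endsWith("KeyIdentifier")) {
            LogUtils.logWss("Changed token type from " + str2 + " to " + WSSConstants.VALUE_TYPE_X509V3);
            if (null == purpose) {
                purpose = Purpose.VERIFY;
            }
            str2 = WSSConstants.VALUE_TYPE_X509V3;
            requiredCredentialProvider = wSSecurityContext.getRequiredCredentialProvider(str2);
            if ((requiredCredentialProvider instanceof WrapperCredentialProvider) && (credentialByKeyIdentifier = ((WrapperCredentialProvider) requiredCredentialProvider).getCredentialByKeyIdentifier(str2, null, contextHandler, purpose)) != null) {
                return credentialByKeyIdentifier;
            }
        } else {
            requiredCredentialProvider = wSSecurityContext.getRequiredCredentialProvider(str2);
        }
        return requiredCredentialProvider.getCredential(str2, null, contextHandler, purpose);
    }

    /**
     * Resolves a token by a same-document reference URI ({@code "#" + wsu:Id}) among the message's
     * {@link BinarySecurityToken}s.
     *
     * @param str the reference URI; must start with {@code '#'}
     * @param list the message's security tokens
     * @throws WSSecurityException {@code FAILURE_TOKEN_UNAVAILABLE} when the URI is not a local
     *     fragment reference or no token carries that id
     */
    private SecurityToken getTokenByURI(String str, List list, Purpose purpose, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        // Only a local fragment reference can name a token in this list. An unconditional
        // substring(1) threw StringIndexOutOfBoundsException on an empty URI and, for a URI
        // without a leading '#', silently matched the id with its first character dropped.
        if (!str.startsWith("#")) {
            throw new WSSecurityException("Failed to retrieve token for reference URI " + str, WSSConstants.FAILURE_TOKEN_UNAVAILABLE);
        }
        String substring = str.substring(1);
        Iterator it = list.iterator();
        while (it.hasNext()) {
            SecurityToken securityToken = (SecurityToken) it.next();
            if ((securityToken instanceof BinarySecurityToken) && substring.equals(securityToken.getId())) {
                return amend((BinarySecurityToken) securityToken, purpose, wSSecurityContext);
            }
        }
        throw new WSSecurityException("Failed to retrieve token for reference URI " + str, WSSConstants.FAILURE_TOKEN_UNAVAILABLE);
    }

    /**
     * Always reports the freshly unmarshalled token as valid with deferred validation; the real
     * checks happen in {@link #validateProcessed} once the token's usage in the message is known.
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityTokenValidateResult validateUnmarshalled(SecurityToken securityToken, MessageContext messageContext) throws WSSecurityException {
        SecurityTokenValidateResult securityTokenValidateResult = new SecurityTokenValidateResult(true);
        securityTokenValidateResult.setDefferedValidation(true);
        return securityTokenValidateResult;
    }

    /**
     * Validates a token against how the message used it.
     *
     * <ul>
     *   <li>used by a signature: the certificate must support signing;</li>
     *   <li>not used by a signature but listed as an identity token: invalid (no proof of possession);</li>
     *   <li>used by an encryption: the certificate must support key encipherment;</li>
     *   <li>if still valid and used at all, the value-type specific
     *       {@code BinarySecurityTokenImpl.getBSTType(...).validate(...)} check runs; on failure the
     *       result carries the certificate.</li>
     * </ul>
     *
     * <p>Note that a token referenced by neither a signature nor an encryption and not listed as an
     * identity token skips the value-type check and is still marked validated.
     *
     * @param securityToken must be a {@link BinarySecurityToken}
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityTokenValidateResult validateProcessed(SecurityToken securityToken, MessageContext messageContext) {
        boolean z = true;
        BinarySecurityToken binarySecurityToken = (BinarySecurityToken) securityToken;
        X509Certificate certificate = ((BinarySecurityToken) securityToken).getCertificate();
        WSSecurityContext securityContext = WSSecurityContext.getSecurityContext(messageContext);
        // z2: the token was actually used (signature or encryption) in this message.
        boolean z2 = false;
        List signatures = securityContext.getSignatures(securityToken);
        if (signatures != null && signatures.size() > 0) {
            z2 = true;
            if (!CertUtils.supportsSign(certificate)) {
                z = false;
            }
        } else if (securityContext.getIdTokens().contains(securityToken)) {
            z = false;
        }
        List encryptions = securityContext.getEncryptions(securityToken);
        if (encryptions != null && encryptions.size() > 0) {
            z2 = true;
            if (!CertUtils.supportsKeyEncrypt(certificate)) {
                z = false;
            }
        }
        if (z && z2) {
            z = BinarySecurityTokenImpl.getBSTType(securityToken.getValueType()).validate(binarySecurityToken, messageContext);
            if (!z) {
                return new SecurityTokenValidateResult(z, binarySecurityToken.getCertificate());
            }
        }
        if (z) {
            binarySecurityToken.setValidated(true);
        }
        return new SecurityTokenValidateResult(z);
    }

    /**
     * Replaces a token received in the message with the locally configured credential for the same
     * certificate when one exists (so that, e.g., the private key becomes available). The original
     * token is returned unchanged when no credential provider is registered for its value type, the
     * provider returns nothing, or the provider's credential does not match the token.
     *
     * @return the amended token (carrying the original token's id) or the original token
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SecurityToken amend(BinarySecurityToken binarySecurityToken, Purpose purpose, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        String valueType = binarySecurityToken.getValueType();
        CredentialProvider credentialProvider = wSSecurityContext.getCredentialProvider(valueType);
        if (credentialProvider == null) {
            return binarySecurityToken;
        }
        ContextHandler contextHandler = getContextHandler(wSSecurityContext, SecurityTokenContextHandler.TOKEN, binarySecurityToken);
        Object credential = credentialProvider.getCredential(valueType, null, contextHandler, purpose);
        if (credential == null || !BSTUtils.matches(binarySecurityToken, (X509Credential) credential)) {
            return binarySecurityToken;
        }
        SecurityToken securityToken = wSSecurityContext.getRequiredTokenHandler(valueType).getSecurityToken(valueType, credential, contextHandler);
        securityToken.setId(binarySecurityToken.getId());
        return securityToken;
    }

    /**
     * Decides whether a token can serve the given value type, issuer and purpose.
     *
     * <p>Encrypted-key credentials/value types are accepted outright unless the purpose is
     * {@code IDENTITY}, in which case {@link #isAuthToken} must hold. For X.509 credentials the checks
     * are: a recognised X.509 value type; {@code IDENTITY} requires {@link #isAuthToken};
     * {@code DECRYPT} requires a private key; {@code ENCRYPT} requires key encipherment support;
     * {@code SIGN} requires signing support; an issuer name, when given, must equal the certificate's
     * issuer as rendered by {@code X500Principal.getName()} (string comparison, so {@code str2} must
     * be in the same canonical form). Finally {@code BSTUtils.matches(credential, contextHandler)} decides.
     *
     * @param str the token value type
     * @param str2 required issuer name, or {@code null} for none
     * @param contextHandler must provide {@code SecurityTokenContextHandler.SECURITY_INFO}
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public boolean matches(SecurityToken securityToken, String str, String str2, ContextHandler contextHandler, Purpose purpose) {
        if (securityToken == null) {
            return false;
        }
        Object credential = securityToken.getCredential();
        if (credential == null) {
            LogUtils.logWss("Unable to find credetail for token type " + str);
            return false;
        }
        WSSecurityContext wSSecurityContext = (WSSecurityContext) contextHandler.getValue(SecurityTokenContextHandler.SECURITY_INFO);
        if ((credential instanceof EncryptedKeyCredentialProvider) || WSS11Constants.ENC_KEY_VALUE_TYPE.equals(str) || WSS11Constants.ENC_KEY_TOKEN_TYPE.equals(str)) {
            LogUtils.logWss("Checking Encrypted Key with token type " + str);
            if (!Purpose.IDENTITY.equals(purpose) || isAuthToken(securityToken, wSSecurityContext)) {
                return true;
            }
            LogUtils.logWss("X509 token is not a auth Token!");
            return false;
        }
        if (!(credential instanceof X509Credential) || (!WSSConstants.VALUE_TYPE_X509V3.equals(str) && !WSSConstants.VALUE_TYPE_X509V1.equals(str) && !WSSConstants.VALUE_TYPE_X509DATA.equals(str) && !WSSConstants.VALUE_TYPE_X509PKI.equals(str) && !WSSConstants.VALUE_TYPE_PKCS7.equals(str))) {
            LogUtils.logWss("X509 token doesn't match. No token or wrong token type " + str);
            return false;
        }
        if (Purpose.IDENTITY.equals(purpose) && !isAuthToken(securityToken, wSSecurityContext)) {
            LogUtils.logWss("X509 token is not a auth Token!");
            return false;
        }
        X509Credential x509Credential = (X509Credential) securityToken.getCredential();
        if (Purpose.DECRYPT.equals(purpose) && x509Credential.getPrivateKey() == null) {
            LogUtils.logWss("X509 token doesn't match because purpose is DECRYPT and private key is null.");
            return false;
        }
        X509Certificate certificate = x509Credential.getCertificate();
        if (Purpose.ENCRYPT.equals(purpose) && !CertUtils.supportsKeyEncrypt(certificate)) {
            LogUtils.logWss("X509 token does not match because purpose is ENCRYPT but the certificate does not support key encryption.");
            return false;
        }
        if (Purpose.SIGN.equals(purpose) && !CertUtils.supportsSign(certificate)) {
            LogUtils.logWss("X509 token does not match because purpose is SIGN butthe certificate does not support sign.");
            return false;
        }
        if (str2 == null || certificate.getIssuerX500Principal().getName().equals(str2)) {
            return BSTUtils.matches(x509Credential, contextHandler);
        }
        LogUtils.logWss("X509 token does not match because its issuerName " + certificate.getIssuerX500Principal().getName() + " does not match required issuerName " + str2);
        return false;
    }

    /**
     * Wraps a credential in a {@link BinarySecurityTokenImpl}.
     *
     * @return {@code null} when {@code obj} is {@code null}
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityToken getSecurityToken(String str, Object obj, ContextHandler contextHandler) throws WSSecurityException {
        if (obj == null) {
            return null;
        }
        return new BinarySecurityTokenImpl(str, obj, contextHandler);
    }

    /**
     * Selects a token for a purpose: tokens already in the message context are preferred, then the
     * PKI credential mapper is consulted.
     *
     * @param str the token value type
     * @param str2 required issuer name, or {@code null}
     * @return the token, or {@code null} when neither source yields one
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityToken getSecurityToken(String str, String str2, Purpose purpose, ContextHandler contextHandler) throws WSSecurityException {
        SecurityToken tokenFromContext = getTokenFromContext(str, str2, purpose, contextHandler);
        if (tokenFromContext == null) {
            tokenFromContext = getTokenFromSubject(str, str2, purpose, contextHandler);
        }
        return tokenFromContext;
    }

    /**
     * Fetches a credential from the PKI credential mapper under the kernel identity. For
     * {@code ENCRYPT} a trusted certificate ({@code "weblogic.pki.TrustedCertificate"}) is requested
     * and wrapped without a private key; for every other purpose a key pair
     * ({@code "weblogic.pki.Keypair"}) is requested and wrapped together with its private key.
     *
     * @param purpose must not be {@code null} ({@code purpose.equals} is called on it)
     * @return the token, or {@code null} when the mapper returns nothing
     */
    private SecurityToken getTokenFromSubject(String str, String str2, Purpose purpose, ContextHandler contextHandler) throws WSSecurityException {
        if (purpose.equals(Purpose.ENCRYPT)) {
            LogUtils.logWss("Trying to get trusted cert credential from PKICredMapper.");
            Object credential = ServiceRefUtils.getCredential(kernelID, "weblogic.pki.TrustedCertificate", str2, contextHandler);
            if (credential != null) {
                return getSecurityToken(str, new X509Credential((X509Certificate) ((PublicCertCredential) credential).getCertificate()), contextHandler);
            }
            return null;
        }
        LogUtils.logWss("Trying to get key pair credential from PKICredMapper.");
        Object credential2 = ServiceRefUtils.getCredential(kernelID, "weblogic.pki.Keypair", str2, contextHandler);
        if (credential2 == null) {
            return null;
        }
        KeyPairCredential keyPairCredential = (KeyPairCredential) credential2;
        return getSecurityToken(str, new X509Credential((X509Certificate) keyPairCredential.getCertificate(), (PrivateKey) keyPairCredential.getKey()), contextHandler);
    }

    /**
     * Searches the {@code WSSecurityInfo} tokens (from {@code SecurityTokenContextHandler.SECURITY_INFO})
     * for the first token of value type {@code str} that {@link #matches}.
     *
     * @return the matching token, or {@code null} when the list is absent or nothing matches
     */
    private SecurityToken getTokenFromContext(String str, String str2, Purpose purpose, ContextHandler contextHandler) {
        LogUtils.logWss("Trying to get token for token type " + str + " and purpose " + purpose + " from context.");
        WSSecurityInfo wSSecurityInfo = (WSSecurityInfo) contextHandler.getValue(SecurityTokenContextHandler.SECURITY_INFO);
        List<SecurityToken> securityTokens = wSSecurityInfo.getSecurityTokens();
        if (securityTokens == null) {
            return null;
        }
        for (SecurityToken securityToken : securityTokens) {
            if (securityToken.getValueType().equals(str)) {
                PrivateKey privateKey = securityToken.getPrivateKey();
                if (Purpose.ENCRYPT.equals(purpose)) {
                    // NOTE(review): these two branches only log; they do not skip the token, so a
                    // token with a private key or one already used for encryption can still be
                    // returned if matches() accepts it. Confirm whether a `continue` was intended.
                    if (privateKey != null) {
                        LogUtils.logWss("Token for token type " + str + " from context doesn't match because purpose is ENCRYPT and token contains private key.");
                    } else if (wSSecurityInfo.getEncryptions(securityToken).size() != 0) {
                        LogUtils.logWss("Token for token type " + str + " from context doesn't match because purpose is ENCRYPT and token has been used to encrypt request.");
                    }
                }
                if (matches(securityToken, str, str2, contextHandler, purpose)) {
                    LogUtils.logWss("Got token for token type " + str + " and purpose " + purpose + " from context.");
                    return securityToken;
                }
                LogUtils.logWss("Token for token type " + str + " and purpose " + purpose + " from context doesn't match.");
            }
        }
        return null;
    }

    /**
     * Unmarshals a {@code BinarySecurityToken} element and records its value type in this handler.
     *
     * @throws MarshalException wrapping the DOM marshal failure
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityToken newSecurityToken(Node node) throws MarshalException {
        BinarySecurityTokenImpl binarySecurityTokenImpl = new BinarySecurityTokenImpl();
        try {
            binarySecurityTokenImpl.unmarshal(node);
            // Instance state written per unmarshal (see class comment on sharing instances).
            this.valueType = binarySecurityTokenImpl.getValueType();
            return binarySecurityTokenImpl;
        } catch (weblogic.xml.dom.marshal.MarshalException e) {
            throw new MarshalException("Failed to unmarshal BinarySecurityToken.", e);
        }
    }

    /** @return the built-in BST element names ({@code WSSConstants.BUILTIN_BST_QNAMES}). */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public QName[] getQNames() {
        return WSSConstants.BUILTIN_BST_QNAMES;
    }

    /**
     * Builds a {@link BinarySecurityTokenReference} for a token.
     *
     * @return {@code null} when {@code securityToken} is {@code null}
     */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityTokenReference getSTR(QName qName, String str, SecurityToken securityToken) throws WSSecurityException {
        if (securityToken == null) {
            return null;
        }
        return new BinarySecurityTokenReference(qName, str, securityToken);
    }

    /** @return an empty {@link BinarySecurityTokenReference}; {@code node} is not consumed here. */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public SecurityTokenReference newSecurityTokenReference(Node node) {
        return new BinarySecurityTokenReference();
    }

    /** Delegates to {@link #getSubject(SecurityToken, WSSecurityContext)} using the message's security context. */
    @Override // weblogic.xml.crypto.wss.provider.SecurityTokenHandler
    public Subject getSubject(SecurityToken securityToken, MessageContext messageContext) throws WSSecurityException {
        return getSubject(securityToken, WSSecurityContext.getSecurityContext(messageContext));
    }

    /**
     * Derives the authenticated {@link Subject} for a token's certificate.
     *
     * <p>Returns {@code null} unless {@link #isAuthToken} holds. Otherwise the certificate is asserted
     * through {@code SecurityUtils.assertIdentity(..., "weblogicDEFAULT")}; on success the certificate
     * is stored under {@code WSSConstants.AUTHENTICATED_SUBJECT_CERT} in the security context.
     *
     * @param securityToken must be a {@link BinarySecurityToken}
     * @throws WSSecurityException {@code FAILURE_AUTH} when identity assertion fails; the
     *     {@link LoginException} is rendered into the message rather than attached as cause
     */
    public Subject getSubject(SecurityToken securityToken, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        if (!isAuthToken(securityToken, wSSecurityContext)) {
            return null;
        }
        BinarySecurityToken binarySecurityToken = (BinarySecurityToken) securityToken;
        try {
            Subject subject = SecurityUtils.assertIdentity(new X509Certificate[]{binarySecurityToken.getCertificate()}, "weblogicDEFAULT").getSubject();
            if (null != subject) {
                wSSecurityContext.setProperty(WSSConstants.AUTHENTICATED_SUBJECT_CERT, binarySecurityToken.getCertificate());
                LogUtils.logWss("BinarySecurityTokenHandler.AuthenticatedSubject.Cert saved for " + binarySecurityToken.getCertificate());
            }
            return subject;
        } catch (LoginException e) {
            throw new WSSecurityException("Failed to derive subject from token." + e, WSSConstants.FAILURE_AUTH);
        }
    }

    /**
     * Whether a token may be used to establish the caller's identity.
     *
     * <p>Requires {@code isAuthorizationToken} on this handler and, by default, that the token was
     * used by at least one signature in the message (proof of possession of the private key). Setting
     * the system property named by {@code WSSConstants.AUTH_WITHOUT_SIG} to {@code true} removes the
     * signature requirement, so any certificate token in the message is then accepted as identity;
     * that setting should be treated as a security-relevant configuration.
     */
    private boolean isAuthToken(SecurityToken securityToken, WSSecurityContext wSSecurityContext) {
        if (!this.isAuthorizationToken) {
            return false;
        }
        if (Boolean.getBoolean(WSSConstants.AUTH_WITHOUT_SIG)) {
            return true;
        }
        List signatures = wSSecurityContext.getSignatures(securityToken);
        return (signatures == null || signatures.size() == 0) ? false : true;
    }

    /** Enables or disables use of tokens from this handler as identity tokens (see {@link #isAuthToken}). */
    public void setAuthorizationToken(boolean z) {
        this.isAuthorizationToken = z;
    }

    /** @return whether tokens from this handler may be used as identity tokens. */
    public boolean isAuthorizationToken() {
        return this.isAuthorizationToken;
    }

    /**
     * Builds a {@link SecurityTokenContextHandler} over the security info with a single context
     * element {@code str -> obj}.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public ContextHandler getContextHandler(WSSecurityInfo wSSecurityInfo, String str, Object obj) {
        SecurityTokenContextHandler securityTokenContextHandler = new SecurityTokenContextHandler(wSSecurityInfo);
        securityTokenContextHandler.addContextElement(str, obj);
        return securityTokenContextHandler;
    }
}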
