package weblogic.wsee.security.wssp.handlers;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.rpc.handler.soap.SOAPMessageContext;
import javax.xml.soap.SOAPException;
import weblogic.kernel.KernelStatus;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.policy.framework.NormalizedExpression;
import weblogic.wsee.policy.framework.PolicyAlternative;
import weblogic.wsee.policy.framework.PolicyException;
import weblogic.wsee.policy.runtime.PolicyContext;
import weblogic.wsee.security.bst.StubPropertyBSTCredProv;
import weblogic.wsee.security.saml.PKISAMLCredentialProvider;
import weblogic.wsee.security.saml.SAML2CredentialProvider;
import weblogic.wsee.security.saml.SAMLTrustCredentialProvider;
import weblogic.wsee.security.serviceref.ServiceRefBSTCredProv;
import weblogic.wsee.security.serviceref.ServiceRefTrustManager;
import weblogic.wsee.security.serviceref.ServiceRefUNTCredProv;
import weblogic.wsee.security.wss.SecurityPolicyArchitect;
import weblogic.wsee.security.wss.SecurityPolicyException;
import weblogic.wsee.security.wssc.WSSCCredentialProviderFactory;
import weblogic.wsee.security.wssc.base.WSCConstantsBase;
import weblogic.wsee.security.wssc.base.sct.SCCredentialProactiveRequestor;
import weblogic.wsee.security.wssp.IssuedTokenAssertion;
import weblogic.wsee.security.wssp.ProtectionTokenAssertion;
import weblogic.wsee.security.wssp.SecureConversationTokenAssertion;
import weblogic.wsee.security.wssp.SecurityPolicyAssertionInfo;
import weblogic.wsee.security.wssp.SecurityPolicyAssertionInfoFactory;
import weblogic.wsee.security.wssp.SupportingTokensAssertion;
import weblogic.wsee.security.wssp.SymmetricBindingInfo;
import weblogic.wsee.security.wssp.TokenAssertion;
import weblogic.wsee.security.wssp.X509TokenAssertion;
import weblogic.xml.crypto.api.MarshalException;
import weblogic.xml.crypto.encrypt.api.XMLEncryptionException;
import weblogic.xml.crypto.wss.WSSConstants;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.WSSecurityException;
import weblogic.xml.crypto.wss.provider.CredentialProvider;
import weblogic.xml.crypto.wss11.EncryptedKeyCredentialProviderFactory;
import weblogic.xml.crypto.wss11.internal.WSS11Constants;
import weblogic.xml.crypto.wss11.internal.WSS11Context;
import weblogic.xml.crypto.wss11.internal.WSS11Factory;
import weblogic.xml.crypto.wss11.internal.enckey.EncryptedKeyToken;

/* loaded from: input_file:weblogic/wsee/security/wssp/handlers/WssClientHandler.class */
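/**
 * Client-side WS-Security handler.
 *
 * <p>On the request path it applies the request's effective security policy to the outbound
 * SOAP message (signing / encryption / token insertion is delegated to the
 * {@link SecurityPolicyArchitect}); on the response path it unmarshals and verifies the inbound
 * Security header. It also assembles the set of {@link CredentialProvider}s the security
 * context needs (stub properties, service-ref providers, WS-SC / EncryptedKey providers).
 *
 * <p>This is a decompiled class: comments describe what the visible code does and hedge where
 * behaviour depends on WebLogic internals that are not visible here.
 */
public class WssClientHandler extends WssHandler {
    private static final Logger LOGGER = Logger.getLogger(WssClientHandler.class.getName());

    /** Stub property carrying the server's encryption certificate (an {@link X509Certificate}). */
    private static final String SERVER_ENCRYPT_CERT_PROP = "weblogic.wsee.security.bst.serverEncryptCert";
    /** Stub property carrying the server's signature-verification certificate (an {@link X509Certificate}). */
    private static final String SERVER_VERIFY_CERT_PROP = "weblogic.wsee.security.bst.serverVerifyCert";

    /** Proactive SCT requestor captured from the message context; released in {@link #destroy()}. */
    private SCCredentialProactiveRequestor sccProactiveRequestor;

    /**
     * Whether the WS-Security context is reset after the outbound request has been secured.
     * Never assigned in this class as decompiled; kept non-final in case it is set reflectively.
     */
    private boolean autoReset = true;

    /**
     * Secures the outbound request according to the request's effective policy.
     *
     * <p>After the message has been processed, the security context is reset (when
     * {@link #autoReset} is set) but three pieces of state are carried over into the fresh
     * context: the request policy index, this request's signature values (added as "previous
     * message" signature values, presumably for matching the response's SignatureConfirmation —
     * confirm), and the WSS 1.1 EncryptedKey token together with its key provider (presumably so
     * the response encrypted under the same key can be decrypted — confirm).
     *
     * @param sOAPMessageContext the outbound request context
     * @return always {@code true} (continue the handler chain)
     * @throws PolicyException     if the effective policy cannot be obtained
     * @throws SOAPException       propagated from the message API
     * @throws WSSecurityException if outbound security processing fails
     */
    @Override
    protected boolean processRequest(SOAPMessageContext sOAPMessageContext) throws PolicyException, SOAPException, WSSecurityException {
        try {
            NormalizedExpression requestPolicy = PolicyContext.getRequestEffectivePolicy(sOAPMessageContext);
            if (requestPolicy == null || requestPolicy.getPolicyAlternatives() == null) {
                return true; // no effective security policy for this request: nothing to apply
            }
            processOutbound(requestPolicy, getSecurityPolicyDriver(sOAPMessageContext), sOAPMessageContext);

            WSS11Context wssCtx = (WSS11Context) WSSecurityContext.getSecurityContext(sOAPMessageContext);
            // Snapshot the state that must survive the reset below.
            String[] signatureValues = wssCtx.getSignatureValues();
            int requestPolicyIdx = wssCtx.getRequestPolicyIdx();
            EncryptedKeyToken encryptedKeyToken = getEncryptedKeyToken(wssCtx);
            if (this.autoReset) {
                WSSecurityContext.getSecurityContext(sOAPMessageContext).reset();
            }
            wssCtx.setRequestPolicyIdx(requestPolicyIdx);
            wssCtx.addPreviousMessageSignatureValues(signatureValues);
            if (encryptedKeyToken != null) {
                wssCtx.addKeyProvider(encryptedKeyToken.getKeyProvider());
                wssCtx.addSecurityToken(encryptedKeyToken);
            }
            reportOutboundWSSSuccessToWsspStats(getWsspStats(sOAPMessageContext), sOAPMessageContext);
            return true;
        } finally {
            // Runs on every exit path. The decompiled code also called this once more right
            // before the successful return, which this finally already covers.
            populateSCCProactiveRequestor(sOAPMessageContext);
        }
    }

    /**
     * Returns the first EncryptedKey token registered in the context, or {@code null} when
     * there is none.
     *
     * @param wSS11Context the WSS 1.1 security context of the outbound request
     * @throws WSSecurityException propagated from the context lookup
     */
    private EncryptedKeyToken getEncryptedKeyToken(WSS11Context wSS11Context) throws WSSecurityException {
        List<?> tokens = wSS11Context.getSecurityTokens(WSS11Constants.ENC_KEY_TOKEN_TYPE);
        if (tokens.isEmpty()) {
            return null;
        }
        return (EncryptedKeyToken) tokens.get(0);
    }

    /**
     * Delegates outbound request processing to the policy architect, mapping its checked
     * exceptions onto {@link WSSecurityException} (the only security exception the handler
     * chain declares).
     *
     * @param normalizedExpression    the effective request policy; a {@code null} policy is a no-op
     * @param securityPolicyArchitect the driver that applies the policy to the message
     * @param sOAPMessageContext      the outbound request context
     * @throws PolicyException     propagated from the architect
     * @throws WSSecurityException wrapping any policy, marshalling or encryption failure
     */
    protected static void processOutbound(NormalizedExpression normalizedExpression, SecurityPolicyArchitect securityPolicyArchitect, SOAPMessageContext sOAPMessageContext) throws PolicyException, WSSecurityException {
        if (normalizedExpression == null) {
            return;
        }
        try {
            securityPolicyArchitect.processRequestOutbound(normalizedExpression, sOAPMessageContext);
        } catch (SecurityPolicyException e) {
            // Previously printed to stderr; route the trace through the logger instead. The
            // exception is rethrown (wrapped), so keep this at FINE to avoid double reporting.
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Outbound security policy processing failed", e);
            }
            throw new WSSecurityException(e);
        } catch (MarshalException e) {
            throw new WSSecurityException(e);
        } catch (XMLEncryptionException e) {
            throw new WSSecurityException(e);
        }
    }

    /**
     * Verifies the inbound response against the response's effective policy.
     *
     * @param sOAPMessageContext the inbound response context
     * @return always {@code true} (continue the handler chain)
     */
    @Override
    protected boolean processResponse(SOAPMessageContext sOAPMessageContext) throws PolicyException, SOAPException, WSSecurityException, SecurityPolicyException {
        copyEndpointAddress(sOAPMessageContext);
        processInbound(PolicyContext.getResponseEffectivePolicy(sOAPMessageContext), sOAPMessageContext);
        return true;
    }

    /**
     * Unmarshals and processes the inbound Security header, if one is present.
     *
     * <p>NOTE(review): a response without a Security header is skipped entirely here; whether
     * the policy mandates one is not enforced by this method and must be enforced elsewhere —
     * confirm. While the header is being processed the {@code NEED_CHECKING_SCT_EXPIRATION}
     * flag is raised and always cleared again, and if the stub did not choose an SCT-expiration
     * checking mode the tolerant mode is used.
     *
     * @param normalizedExpression the response's effective policy (not read by this method;
     *                             presumably consulted by the WSS11 processing through the
     *                             context — confirm)
     * @param sOAPMessageContext   the inbound response context
     * @throws WSSecurityException wrapping a DOM marshalling failure as {@code FAILURE_INVALID},
     *                             or propagated from security processing
     */
    protected void processInbound(NormalizedExpression normalizedExpression, SOAPMessageContext sOAPMessageContext) throws WSSecurityException, SOAPException, SecurityPolicyException, PolicyException {
        try {
            if (!hasSecurityHeader(sOAPMessageContext)) {
                return;
            }
            setupSecurityContext(sOAPMessageContext);
            try {
                sOAPMessageContext.setProperty(WSCConstantsBase.NEED_CHECKING_SCT_EXPIRATION, "true");
                if (sOAPMessageContext.getProperty(WLStub.CHECKING_SCT_EXPIRATION) == null) {
                    sOAPMessageContext.setProperty(WLStub.CHECKING_SCT_EXPIRATION, WLStub.TOLERANT_CHECKING_SCT_EXPIRATION);
                }
                // Result discarded in the original as well; presumably forces factory initialisation.
                WSS11Factory.getInstance();
                WSS11Factory.unmarshalAndProcessSecurity(sOAPMessageContext);
            } finally {
                // Decompiled as catch(Throwable){...; throw} plus a duplicate on the success path;
                // a finally expresses the same "always clear the flag" contract.
                sOAPMessageContext.setProperty(WSCConstantsBase.NEED_CHECKING_SCT_EXPIRATION, "false");
            }
        } catch (weblogic.xml.dom.marshal.MarshalException e) {
            throw new WSSecurityException((Exception) e, WSSConstants.FAILURE_INVALID);
        }
    }

    /**
     * Populates the security context with the trust manager and credential providers for this
     * client call.
     *
     * <p>Precedence, as visible here: a trust manager set on the message context wins; otherwise,
     * inside a server, the service-ref trust manager is used; in a standalone client with no
     * trust manager property nothing is set here. A credential-provider list from the message
     * context replaces the context's providers; the stub-property BST provider, the service-ref
     * providers (server only) and the WS-SC / EncryptedKey providers are then added on top.
     *
     * <p>Decompiler note: access was widened from {@code protected} to {@code public}; left
     * public to keep the existing signature.
     *
     * @param sOAPMessageContext the message context supplying stub properties
     * @param wSSecurityContext  the security context being populated
     * @throws WSSecurityException if a stub property combination is invalid or provider lookup fails
     */
    @Override
    public void fillCredentialProviders(SOAPMessageContext sOAPMessageContext, WSSecurityContext wSSecurityContext) throws WSSecurityException {
        boolean isServer = KernelStatus.isServer();
        TrustManager trustManager = (TrustManager) sOAPMessageContext.getProperty(WSSecurityContext.TRUST_MANAGER);
        if (trustManager != null) {
            wSSecurityContext.setProperty(WSSecurityContext.TRUST_MANAGER, trustManager);
        } else if (isServer) {
            wSSecurityContext.setProperty(WSSecurityContext.TRUST_MANAGER, ServiceRefTrustManager.getInstance());
        }
        // Raw List: the element type accepted by setCredentialProviders is not visible here.
        List explicitProviders = (List) sOAPMessageContext.getProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST);
        if (explicitProviders != null) {
            wSSecurityContext.setCredentialProviders(explicitProviders);
        }
        CredentialProvider stubProvider = getStubPropCredProv(sOAPMessageContext);
        if (stubProvider != null) {
            wSSecurityContext.addCredentialProvider(stubProvider);
        }
        if (isServer) {
            // getServiceRefClientCredProvs() always returns a non-null list.
            wSSecurityContext.addCredentialProviders(getServiceRefClientCredProvs());
        }
        addWSSCCredProviders(wSSecurityContext, sOAPMessageContext);
    }

    /**
     * Adds the WS-SecureConversation / EncryptedKey credential providers required by the
     * request's effective policy alternatives.
     *
     * <p>For each alternative the secure-conversation, X509 and issued-token assertions are
     * located either in the symmetric binding's protection token or among the supporting
     * tokens. A secure-conversation assertion supplies the token types directly; otherwise an
     * EncryptedKey provider is registered for X509 / issued tokens and their derived-key token
     * types are used. A WS-SC provider is then added for every token type the factory knows.
     *
     * <p>NOTE(review): the method returns — rather than continues — on the first alternative
     * without assertion info, without a protection token, without supporting tokens, or without
     * token types. This mirrors the decompiled control flow; whether later alternatives were
     * meant to be skipped is not visible here.
     *
     * @throws WSSecurityException wrapping a {@link PolicyException}
     */
    private static void addWSSCCredProviders(WSSecurityContext wSSecurityContext, SOAPMessageContext sOAPMessageContext) throws WSSecurityException {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Adding WSS cred providers");
        }
        try {
            NormalizedExpression requestPolicy = PolicyContext.getRequestEffectivePolicy(sOAPMessageContext);
            if (requestPolicy == null) {
                return; // consistent with processRequest(): no effective policy, nothing to add
            }
            Set<?> alternatives = requestPolicy.getPolicyAlternatives();
            if (alternatives == null) {
                return;
            }
            for (Object alternative : alternatives) {
                SecurityPolicyAssertionInfo info = SecurityPolicyAssertionInfoFactory.getSecurityPolicyAssertionInfo((PolicyAlternative) alternative);
                if (info == null) {
                    return;
                }
                SecureConversationTokenAssertion sctAssertion = null;
                X509TokenAssertion x509Assertion = null;
                IssuedTokenAssertion issuedAssertion = null;
                SymmetricBindingInfo symmetricBinding = info.getSymmetricBindingInfo();
                if (symmetricBinding != null) {
                    ProtectionTokenAssertion protection = symmetricBinding.getProtectionTokenAssertion();
                    if (protection == null) {
                        return;
                    }
                    sctAssertion = protection.getSecureConversationTokenAssertion();
                    x509Assertion = protection.getX509TokenAssertion();
                } else {
                    SupportingTokensAssertion supporting = info.getSupportingTokensAssertion();
                    if (supporting == null) {
                        return;
                    }
                    // Last assertion of each kind wins, as in the original loop.
                    for (TokenAssertion token : allSupportingTokens(supporting)) {
                        if (token instanceof SecureConversationTokenAssertion) {
                            sctAssertion = (SecureConversationTokenAssertion) token;
                        } else if (token instanceof X509TokenAssertion) {
                            x509Assertion = (X509TokenAssertion) token;
                        } else if (token instanceof IssuedTokenAssertion) {
                            issuedAssertion = (IssuedTokenAssertion) token;
                        }
                    }
                }
                String[] tokenTypes;
                if (sctAssertion != null) {
                    tokenTypes = sctAssertion.getTokenType();
                } else {
                    tokenTypes = addEncryptedKeyProvider(wSSecurityContext, info, x509Assertion, issuedAssertion);
                }
                if (tokenTypes == null) {
                    return;
                }
                if (LOGGER.isLoggable(Level.FINE)) {
                    StringBuilder sb = new StringBuilder("tokenTypes:");
                    for (String tokenType : tokenTypes) {
                        sb.append(' ').append(tokenType);
                    }
                    LOGGER.log(Level.FINE, "tokenTypes is: " + sb);
                }
                WSSCCredentialProviderFactory factory = WSSCCredentialProviderFactory.getInstance();
                for (String tokenType : tokenTypes) {
                    CredentialProvider provider = factory.getCredentialProvider(tokenType);
                    if (provider != null) {
                        wSSecurityContext.addCredentialProvider(provider);
                    }
                }
            }
        } catch (PolicyException e) {
            throw new WSSecurityException(e);
        }
    }

    /**
     * Collects every supporting-token assertion of the six supporting-token categories into one
     * list, in the same category order as the original code.
     */
    private static List<TokenAssertion> allSupportingTokens(SupportingTokensAssertion supporting) {
        List<TokenAssertion> tokens = new ArrayList<>();
        tokens.addAll(supporting.getSupportingTokens());
        tokens.addAll(supporting.getSignedSupportingTokens());
        tokens.addAll(supporting.getEncryptedSupportingTokens());
        tokens.addAll(supporting.getSignedEncryptedSupportingTokens());
        tokens.addAll(supporting.getEndorsingSupportingTokens());
        tokens.addAll(supporting.getSignedEndorsingSupportingTokens());
        return tokens;
    }

    /**
     * Handles the non-secure-conversation case: registers an EncryptedKey credential provider
     * when an X509 or issued-token assertion is present and returns the derived-key token types
     * to look WS-SC providers up for.
     *
     * @return the token types (X509 derived-key types merged with the issued token's DK type),
     *         or {@code null} when neither assertion is present
     */
    private static String[] addEncryptedKeyProvider(WSSecurityContext wSSecurityContext, SecurityPolicyAssertionInfo info, X509TokenAssertion x509Assertion, IssuedTokenAssertion issuedAssertion) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "X509TokenAssertion is: " + x509Assertion);
        }
        String[] tokenTypes = null;
        CredentialProvider ekProvider = null;
        if (x509Assertion != null) {
            boolean wst13 = info.getWsTrustOptions() != null && info.getWsTrustOptions().isWst13();
            tokenTypes = x509Assertion.getDerivedKeyTokenType(wst13);
            ekProvider = EncryptedKeyCredentialProviderFactory.getEncryptedKeyCredentialProvider();
        }
        if (issuedAssertion != null) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "IssuedTokenAssertion is: " + issuedAssertion);
            }
            String dkTokenType = issuedAssertion.getDkTokenType();
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "tokenType is: " + dkTokenType);
            }
            if (tokenTypes == null || tokenTypes.length == 0) {
                tokenTypes = new String[] {dkTokenType};
            } else {
                // Merge, de-duplicating; HashSet kept so provider ordering matches the original.
                Set<String> merged = new HashSet<>(Arrays.asList(tokenTypes));
                merged.add(dkTokenType);
                tokenTypes = merged.toArray(new String[0]);
            }
            ekProvider = EncryptedKeyCredentialProviderFactory.getEncryptedKeyCredentialProvider();
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "CP for EK is: " + ekProvider);
        }
        if (ekProvider != null) {
            wSSecurityContext.addCredentialProvider(ekProvider);
        }
        return tokenTypes;
    }

    /**
     * Builds a BST credential provider from the server certificates set as stub properties.
     *
     * <p>A verification certificate without an encryption certificate is rejected rather than
     * silently ignored, so a half-configured stub fails loudly instead of sending unencrypted
     * traffic.
     *
     * @return the provider, or {@code null} when neither certificate property is set
     * @throws WSSecurityException when only the verification certificate is set
     */
    private CredentialProvider getStubPropCredProv(SOAPMessageContext sOAPMessageContext) throws WSSecurityException {
        X509Certificate encryptCert = (X509Certificate) sOAPMessageContext.getProperty(SERVER_ENCRYPT_CERT_PROP);
        X509Certificate verifyCert = (X509Certificate) sOAPMessageContext.getProperty(SERVER_VERIFY_CERT_PROP);
        if (encryptCert != null) {
            return new StubPropertyBSTCredProv(encryptCert, verifyCert);
        }
        if (verifyCert != null) {
            throw new WSSecurityException("Invalid to set server's verify certificate but no encryption certificate.");
        }
        return null;
    }

    /**
     * Returns the credential providers available to a service-ref client running inside the
     * server (UNT, BST, PKI-SAML, SAML2 and SAML-trust). Never returns {@code null}.
     *
     * <p>Raw {@code List} kept: the providers' common supertype is not visible here
     * (presumably {@link CredentialProvider} — confirm).
     */
    private List getServiceRefClientCredProvs() {
        List providers = new ArrayList(5);
        providers.add(new ServiceRefUNTCredProv());
        providers.add(new ServiceRefBSTCredProv());
        providers.add(new PKISAMLCredentialProvider());
        providers.add(new SAML2CredentialProvider());
        providers.add(new SAMLTrustCredentialProvider());
        return providers;
    }

    /**
     * Remembers the proactive SCT requestor from the message context, but only when it verifies
     * against that context; an absent or non-verifying requestor leaves the field unchanged.
     */
    private void populateSCCProactiveRequestor(SOAPMessageContext sOAPMessageContext) {
        SCCredentialProactiveRequestor requestor = (SCCredentialProactiveRequestor) sOAPMessageContext.getProperty(SCCredentialProactiveRequestor.SC_CREDENTIAL_PROACTIVE_REQUESTOR);
        if (requestor != null && requestor.verify(sOAPMessageContext)) {
            this.sccProactiveRequestor = requestor;
        }
    }

    /** Disposes the captured proactive requestor, if any, and forgets it. */
    public void destroy() {
        if (this.sccProactiveRequestor != null) {
            this.sccProactiveRequestor.dispose();
            this.sccProactiveRequestor = null;
        }
    }
}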
