package weblogic.wsee.security.wss.plan;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.rpc.handler.soap.SOAPMessageContext;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.policy.EncryptionTarget;
import weblogic.wsee.security.policy.SecurityToken;
import weblogic.wsee.security.saml.SAML2Constants;
import weblogic.wsee.security.saml.SAMLUtils;
import weblogic.wsee.security.wss.plan.helper.SOAPSecurityHeaderHelper;
import weblogic.wsee.security.wss.policy.EncryptionPolicy;
import weblogic.wsee.security.wss.policy.IdentityPolicy;
import weblogic.wsee.security.wss.policy.SecurityInspectionErrorCode;
import weblogic.wsee.security.wss.policy.SecurityPolicyArchitectureException;
import weblogic.wsee.security.wss.policy.SecurityPolicyInspectionException;
import weblogic.wsee.security.wss.policy.SignaturePolicy;
import weblogic.wsee.security.wss.policy.TimestampPolicy;
import weblogic.wsee.security.wss.sps.SmartSecurityPolicyBlueprint;
import weblogic.xml.crypto.dsig.XMLSignatureImpl;
import weblogic.xml.crypto.dsig.api.Reference;
import weblogic.xml.crypto.dsig.api.SignedInfo;
import weblogic.xml.crypto.dsig.api.spec.DigestMethodParameterSpec;
import weblogic.xml.crypto.encrypt.api.EncryptionMethod;
import weblogic.xml.crypto.encrypt.api.XMLEncryptionException;
import weblogic.xml.crypto.wss.SecurityTokenContextHandler;
import weblogic.xml.crypto.wss.WSSConstants;
import weblogic.xml.crypto.wss.WSSecurityException;
import weblogic.xml.crypto.wss11.internal.STRType;
import weblogic.xml.crypto.wss11.internal.SecurityBuilderImpl;
import weblogic.xml.crypto.wss11.internal.SecurityValidator;
import weblogic.xml.crypto.wss11.internal.SecurityValidatorFactory;
import weblogic.xml.crypto.wss11.internal.SignatureConfirmation;
import weblogic.xml.crypto.wss11.internal.WSS11Context;

/* loaded from: input_file:weblogic/wsee/security/wss/plan/SecurityMessageInspector.class */
public class SecurityMessageInspector {
    private static final Logger LOGGER = Logger.getLogger(SecurityMessageInspector.class.getName());
    // Compile-time flags. Nothing in the visible part of this class reads them.
    private static final boolean debug = false;
    private static final boolean WS_POLICY_INTEROP = true;
    private static final boolean DEBUG_DUMP_SOAP = false;
    // Handler wrapped around securityCtx; handed to SecurityBuilderImpl and to the validator.
    private SecurityTokenContextHandler ctxHandler;
    // Policy being enforced for the current message; (re)assigned on every inspectWssMessage() call.
    private SecurityPolicyBlueprint blueprint;
    private SOAPMessageContext soapMessageCtx;
    private WSS11Context securityCtx;
    private SecurityValidator svalidator;
    // Identity tokens that passed validateSecurityToken(), keyed by their token type URI.
    // Filled by doIdentity(); consulted later when signing/encryption references are resolved.
    private Map<String, SecurityToken> validatedTokenMap = new HashMap();
    // Value of WLStub.POLICY_COMPATIBILITY_PREFERENCE that makes doIntegrity() accept a RESPONSE
    // whose signature failed validation (policy error 3006). Security-relevant: see doIntegrity().
    private static final String COMPAT_FLAG_3006 = "Bypass.3006.error";

    /**
     * Creates an inspector bound to one SOAP message and its WSS 1.1 security context.
     *
     * @param sOAPMessageContext the message under inspection
     * @param wSS11Context       security context holding the tokens and signatures found in the message
     */
    public SecurityMessageInspector(SOAPMessageContext sOAPMessageContext, WSS11Context wSS11Context) {
        this.securityCtx = wSS11Context;
        this.ctxHandler = new SecurityTokenContextHandler(wSS11Context);
        // A factory instance is built and discarded before the static lookup. Kept verbatim from the
        // decompiled original in case the constructor has side effects; cannot be confirmed here.
        new SecurityValidatorFactory();
        this.svalidator = SecurityValidatorFactory.getSecurityValidator(wSS11Context);
        this.soapMessageCtx = sOAPMessageContext;
    }

    /**
     * Entry point: verifies the current message against the given policy blueprint.
     * Any policy violation surfaces as one of the declared exceptions; returning normally means
     * every inspection selected by the blueprint's building plan passed.
     *
     * @param smartSecurityPolicyBlueprint source of the concrete {@link SecurityPolicyBlueprint}
     * @param z                            forwarded to checkMessage() (meaning not visible here)
     */
    public void inspectWssMessage(SmartSecurityPolicyBlueprint smartSecurityPolicyBlueprint, boolean z) throws SecurityPolicyInspectionException, SecurityPolicyArchitectureException, WSSecurityException {
        SecurityPolicyBlueprint resolved = smartSecurityPolicyBlueprint.getSecurityPolicyBlueprint();
        this.blueprint = resolved;
        init();
        checkMessage(z);
        if (!LOGGER.isLoggable(Level.FINE)) {
            return;
        }
        LOGGER.log(Level.FINE, "SOAP Security Message has been verified");
    }

    /**
     * Reports whether the request arrived over HTTPS, as recorded in
     * {@link WlMessageContext#IS_SECURE_SERVLET_REQUEST}.
     * <p>
     * NOTE(review): this check is fail-open. If the context cannot be narrowed to a
     * {@link WlMessageContext}, or the property is simply absent, the answer is {@code true} and
     * checkMessage() treats the transport-security requirement as satisfied. Confirm that the
     * property is always populated on the HTTPS path before relying on this for enforcement.
     *
     * @return {@code true} when HTTPS is recorded, or when it cannot be determined
     */
    private static boolean isTransportSecure(SOAPMessageContext sOAPMessageContext) {
        boolean secure = true;
        WlMessageContext wlCtx = WlMessageContext.narrow(sOAPMessageContext);
        if (wlCtx == null) {
            LOGGER.log(Level.FINE, "Unable to determine it is from HTTPS or not");
            return secure;
        }
        Object flag = wlCtx.getProperty(WlMessageContext.IS_SECURE_SERVLET_REQUEST);
        if (flag == null) {
            return secure;
        }
        // Unchecked cast: a non-Boolean property value would surface as a ClassCastException.
        secure = ((Boolean) flag).booleanValue();
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "The massage protected by HTTPS is " + secure);
        }
        return secure;
    }

    /**
     * Reports whether a client certificate was presented (two-way SSL), as recorded in
     * {@link WlMessageContext#IS_CLIENT_CERT_REQUIRED}.
     * <p>
     * NOTE(review): fail-open like isTransportSecure(): an un-narrowable context or a missing
     * property yields {@code true}, so the two-way-SSL requirement in checkMessage() is considered
     * met. Verify the property is always set when the policy demands a client certificate.
     *
     * @return {@code true} when a client cert is recorded, or when it cannot be determined
     */
    private static boolean hasClientCert(SOAPMessageContext sOAPMessageContext) {
        boolean present = true;
        WlMessageContext wlCtx = WlMessageContext.narrow(sOAPMessageContext);
        if (wlCtx == null) {
            LOGGER.log(Level.FINE, "Unable to determine it has client cert or not");
            return present;
        }
        Object flag = wlCtx.getProperty(WlMessageContext.IS_CLIENT_CERT_REQUIRED);
        if (flag == null) {
            return present;
        }
        // Unchecked cast: a non-Boolean property value would surface as a ClassCastException.
        present = ((Boolean) flag).booleanValue();
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "The client cert present " + present);
        }
        return present;
    }

    /**
     * Runs every inspection selected by the blueprint's building-plan bitmask, in a fixed order.
     * The order matters: doIdentity() fills validatedTokenMap, which the later resolve*() steps
     * consume, and inspectSignatureConfirmation() produces the array resolveEncryptionList() needs.
     * The numeric action flags are literals here; each branch is described by what it does.
     *
     * @param z forwarded as the "sign and encrypt" flag; its meaning is not visible in this file
     * @throws SecurityPolicyInspectionException when the message does not satisfy the policy
     */
    private void checkMessage(boolean z) throws WSSecurityException, SecurityPolicyArchitectureException, SecurityPolicyInspectionException {
        SignatureConfirmation[] inspectSignatureConfirmation;
        Iterator it;
        boolean isRequest = this.blueprint.isRequest();
        // Transport checks apply to inbound requests only. Both helpers answer "true" when the
        // underlying context property is missing, so this enforcement is only as good as the
        // transport layer's population of those properties.
        if (this.blueprint.hasTransportSecuirity() && isRequest) {
            if (!isTransportSecure(this.soapMessageCtx)) {
                LOGGER.log(Level.FINE, "*** Security Warning ***");
                LOGGER.log(Level.FINE, "The policy requires transport security, but the message does not come from HTTPs");
                // Also written to stderr, bypassing the logging configuration.
                System.err.println("*** Security Warning ***\n The message is NOT protected by HTTPS");
                throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_TRANSPORT_SECURITY_TOKEN);
            }
            if (this.blueprint.getGenrealPolicy().isClientCertificateRequired() && !hasClientCert(this.soapMessageCtx)) {
                LOGGER.log(Level.FINE, "*** Security Warning ***");
                LOGGER.log(Level.FINE, "The policy requires client cert on two-way SSL, but the message does not come from two-way SSL");
                System.err.println("*** Security Warning ***\n The message is NOT protected by TWO-WAY SSL");
                throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_TRANSPORT_CERT_TOKEN);
            }
        }
        // Timestamp freshness.
        if (doAction(2)) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Inspecting message age ...");
            }
            inspectMessageAge(this.blueprint.getTimestampPolicy());
        }
        // Authentication token(s); populates validatedTokenMap.
        if (doAction(1)) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Inspecting message authentication identity ...");
            }
            inspectIdentity(this.blueprint.getIdentityPolicy());
        }
        // SignatureConfirmation is always inspected; the action flag only decides whether it is
        // required, optionality comes from the general policy either way.
        if (doAction(128)) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Inspecting signature confirmation ...");
            }
            inspectSignatureConfirmation = inspectSignatureConfirmation(this.blueprint.getGeneralPolicy().isRequireSignatureConfirmation(), this.blueprint.getGeneralPolicy().isOptionalSignatureConfirmation());
        } else {
            inspectSignatureConfirmation = inspectSignatureConfirmation(false, this.blueprint.getGeneralPolicy().isOptionalSignatureConfirmation());
        }
        // Endorsing tokens are added as references to the main signing policy (log text is legacy).
        if (doAction(4)) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Adding toekns to the message ...");
            }
            inspectEndorseToken(this.blueprint.getEndorsingPolicy(), this.blueprint.getSigningPolicy());
        }
        // NOTE(review): when "EncryptSignature" is the only encryption target it is dropped here, so
        // the message is no longer required to carry an encrypted signature. This relaxes the policy
        // for this action; confirm it is the intended interop behaviour rather than an oversight.
        if (doAction(8192)) {
            Map nodeMap = this.blueprint.getEncryptionPolicy().getNodeMap();
            if (nodeMap.size() == 1 && nodeMap.containsKey("EncryptSignature")) {
                nodeMap.remove("EncryptSignature");
            }
        }
        // Combined sign+encrypt validation, versus separate signature / encryption validation
        // whose order depends on the policy's encrypt-before-signing setting.
        if (doAction(256)) {
            boolean z2 = false;
            if (doAction(SecurityPolicyPlan.ACTION_SIGN_AND_ENCRYPT_REQUEST)) {
                z2 = true;
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Inspecting signature and encryption ..., request =" + isRequest);
            }
            resolveSignatureList(false);
            resolveEncryptionList(inspectSignatureConfirmation);
            inspectIntegrityAndConfidentiality(this.blueprint.getSigningPolicy(), this.blueprint.getEncryptionPolicy(), z2, this.blueprint.getGeneralPolicy().isEncryptBeforeSigning());
        } else if (this.blueprint.getGeneralPolicy().isEncryptBeforeSigning()) {
            // Flag is set for the duration of both checks and cleared afterwards (not in a finally:
            // an exception leaves it set).
            SecurityBuilderImpl.setEncryptBeforeSign(this.ctxHandler, true);
            if (doAction(8)) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Inspecting encryption  ...");
                }
                resolveEncryptionList(inspectSignatureConfirmation);
                inspectConfidentiality(this.blueprint.getEncryptionPolicy(), isRequest, true);
            }
            if (doAction(16)) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Inspecting signature ...");
                }
                resolveSignatureList(true);
                // Empty branch (decompiled); isX509AuthConditional() is evaluated and ignored.
                if (this.blueprint.isX509AuthConditional()) {
                }
                inspectIntegrity(this.blueprint.getSigningPolicy(), isRequest);
            }
            SecurityBuilderImpl.setEncryptBeforeSign(this.ctxHandler, false);
        } else {
            if (doAction(16)) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Inspecting signature ...");
                }
                resolveSignatureList(false);
                // Empty branch (decompiled); isX509AuthConditional() is evaluated and ignored.
                if (this.blueprint.isX509AuthConditional()) {
                }
                inspectIntegrity(this.blueprint.getSigningPolicy(), isRequest);
            }
            if (doAction(8)) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Inspecting encryption  ...");
                }
                // No signature required means there is nothing to encrypt under "EncryptSignature".
                if (this.blueprint.getEncryptionPolicy().getNodeMap().containsKey("EncryptSignature") && !this.blueprint.getSigningPolicy().isSignatureRequired()) {
                    this.blueprint.getEncryptionPolicy().getNodeMap().remove("EncryptSignature");
                }
                resolveEncryptionList(inspectSignatureConfirmation);
                inspectConfidentiality(this.blueprint.getEncryptionPolicy(), isRequest, false);
            }
        }
        // Endorsing supporting token: a second signature over the primary signature.
        if (doAction(1024)) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Endorsing support token  ...");
            }
            resolveSignatureElementSignatureList();
            // Trust / Microsoft-compat interop: only the FIRST valid endorsing token is widened to
            // also accept a plain wsse:Reference STR.
            if ((this.blueprint.getGeneralPolicy().hasTrustOptions() || this.blueprint.getGeneralPolicy().isCompatMSFT()) && this.blueprint.getEndorsingPolicy().getValidSignatureTokens() != null && (it = this.blueprint.getEndorsingPolicy().getValidSignatureTokens().iterator()) != null && it.hasNext()) {
                ((SecurityToken) it.next()).getStrTypes().add(new STRType(WSSConstants.REFERENCE_QNAME));
            }
            inspectIntegrity(this.blueprint.getEndorsingPolicy(), isRequest);
        }
    }

    /**
     * Mask test against the blueprint's building plan: true when every bit of {@code i} is set
     * (not an equality test, so a multi-bit {@code i} requires all of its bits).
     */
    private boolean doAction(int i) {
        int plan = this.blueprint.getBuildingPlan();
        return i == (plan & i);
    }

    /** Lets the blueprint sanity-check itself against the message context before inspection starts. */
    private void init() throws SecurityPolicyArchitectureException {
        SecurityPolicyBlueprint current = this.blueprint;
        current.verifyPolicy(this.soapMessageCtx);
    }

    /**
     * Turns the signing policy's abstract node map ("Body", username token, SAML token, timestamp)
     * into concrete references to elements of the actual message, so the signature can later be
     * checked to cover them.
     *
     * @param z true when called from the encrypt-before-sign path in checkMessage(); forwarded to
     *          addReferenceByTokenValueType(), where it selects the encrypted-element lookup
     * @throws WSSecurityException wrapping SOAP / architecture failures (original cause is attached)
     */
    private void resolveSignatureList(boolean z) throws SecurityPolicyInspectionException, WSSecurityException {
        Element timestampElement;
        SignaturePolicy signingPolicy = this.blueprint.getSigningPolicy();
        Map signingNodeMap = signingPolicy.getSigningNodeMap();
        SOAPMessage message = this.soapMessageCtx.getMessage();
        try {
            SOAPSecurityHeaderHelper sOAPSecurityHeaderHelper = new SOAPSecurityHeaderHelper(this.soapMessageCtx);
            if (signingNodeMap.containsKey("Body")) {
                signingPolicy.addSignatureNode("Body", message.getSOAPBody());
            }
            if (signingNodeMap.containsKey(SecurityPolicyPlan.USERNAME_TOKEN)) {
                addReferenceByTokenValueType(signingPolicy, WSSConstants.VALUE_TYPE_UNT, z);
            }
            // Only the first SAML-typed token listed in the identity policy is resolved; it must
            // already be in validatedTokenMap (populated by doIdentity) or the call below throws.
            if (signingNodeMap.containsKey("SamlToken")) {
                Iterator it = this.blueprint.getIdentityPolicy().getValidIdentityTokens().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    String tokenTypeUri = ((SecurityToken) it.next()).getTokenTypeUri();
                    if (isSamlTokenType(tokenTypeUri)) {
                        addReferenceByTokenValueType(signingPolicy, tokenTypeUri, z);
                        break;
                    }
                }
            }
            // The next two branches are empty in the decompiled source: "Header" entries in the
            // signing node map are not resolved here.
            if (signingNodeMap.containsKey("SamlToken")) {
            }
            if (!signingNodeMap.containsKey("Header") || null == signingNodeMap.get("Header")) {
            }
            // A present timestamp is added to the signed set whenever a signature is required; a
            // missing timestamp is not an error at this point (inspectMessageAge handles presence).
            if (signingPolicy.isSignatureRequired() && null != (timestampElement = sOAPSecurityHeaderHelper.getTimestampElement())) {
                signingPolicy.addSignatureNode(SecurityPolicyPlan.TIME_STAMP, timestampElement);
            }
            signingPolicy.addSignatureNodeListToReference(this.soapMessageCtx);
        } catch (SecurityPolicyArchitectureException e) {
            LOGGER.log(Level.FINE, e.getMessage(), (Throwable) e);
            throw new WSSecurityException(e.getMessage(), (Exception) e);
        } catch (SOAPException e2) {
            LOGGER.log(Level.FINE, e2.getMessage(), (Throwable) e2);
            throw new WSSecurityException(e2.getMessage(), (Exception) e2);
        }
    }

    /**
     * Convenience overload: looks the token up in validatedTokenMap by value type and delegates.
     *
     * @throws SecurityPolicyInspectionException (MISSING_AUTHENTICATION_TOKEN) when no token of
     *         that type was validated by doIdentity()
     */
    private void addReferenceByTokenValueType(SignaturePolicy signaturePolicy, String str, boolean z) throws WSSecurityException {
        SecurityToken validated = this.validatedTokenMap.get(str);
        if (validated != null) {
            addReferenceByTokenValueType(signaturePolicy, str, validated, z);
            return;
        }
        throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_AUTHENTICATION_TOKEN);
    }

    /**
     * True when {@code str} is a SAML token-profile value-type URI (either the generic OASIS WSS
     * SAML token profile prefix or the 2004/01 variant). Prefix match, so any profile version
     * and fragment identifier qualifies. Null is not a SAML type.
     */
    private boolean isSamlTokenType(String str) {
        if (str == null) {
            return false;
        }
        String[] samlProfilePrefixes = {
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile",
            "http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile"
        };
        for (String prefix : samlProfilePrefixes) {
            if (str.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

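    /**
     * Adds a signature {@link Reference} for the token of value type {@code str} that is actually
     * present in the message, so the signature policy can demand that token be covered.
     * <p>
     * The decompiled original left the loop variable dangling after the for loop (and contained a
     * stray {@code r11 = null;}), which is not valid Java; the "first token backed by a DOM node"
     * search is restored explicitly here with the same outcome.
     *
     * @param signaturePolicy policy receiving the reference
     * @param str             token value type URI to look up in the security context
     * @param securityToken   policy-side token; only isIncludeInMessage() is consulted
     * @param z               when true, the reference targets the encrypted-element id recorded for
     *                        the token (only the UsernameToken QName is mapped; other types look up
     *                        a null key) instead of the token element itself
     * @throws SecurityPolicyInspectionException 3601 when no such token with a DOM node exists;
     *         TOKEN_SIGNATURE_ALGO_ERROR when the encrypted-element map cannot be read
     */
    private void addReferenceByTokenValueType(SignaturePolicy signaturePolicy, String str, SecurityToken securityToken, boolean z) throws WSSecurityException {
        List<weblogic.xml.crypto.wss.provider.SecurityToken> securityTokens = this.securityCtx.getSecurityTokens(str);
        if ((null == securityTokens || securityTokens.isEmpty()) && isSamlTokenType(str)) {
            // SAML tokens may be registered under the generic 1.1 / 2.0 type rather than the
            // profile-specific URI the policy names; retry with the generic one.
            String fallbackType = str;
            if (!str.equals(SAML2Constants.SAML20_TOKEN_TYPE)) {
                fallbackType = SAML2Constants.SAML11_TOKEN_TYPE;
            }
            securityTokens = this.securityCtx.getSecurityTokens(fallbackType);
        }
        if (null == securityTokens || securityTokens.isEmpty()) {
            throw new SecurityPolicyInspectionException(3601);
        }
        // Use the first token that is backed by a node in the message.
        weblogic.xml.crypto.wss.provider.SecurityToken tokenInMessage = null;
        for (weblogic.xml.crypto.wss.provider.SecurityToken candidate : securityTokens) {
            if (null != this.securityCtx.getNode(candidate)) {
                tokenInMessage = candidate;
                break;
            }
        }
        if (null == tokenInMessage) {
            throw new SecurityPolicyInspectionException(3601);
        }
        String encryptedElementId = null;
        if (z) {
            try {
                Map map = (Map) this.ctxHandler.getValue(SecurityTokenContextHandler.ENCRYPTED_ELEMENT_MAP);
                if (null != map) {
                    encryptedElementId = (String) map.get(WSSConstants.VALUE_TYPE_UNT.equals(str) ? WSSConstants.UNT_QNAME : null);
                }
            } catch (Exception e) {
                // Original mapped any failure here to an algorithm error and dropped the cause;
                // the cause is now at least logged before the same exception is thrown.
                LOGGER.log(Level.FINE, e.getMessage(), (Throwable) e);
                throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.TOKEN_SIGNATURE_ALGO_ERROR);
            }
        }
        Reference reference;
        if (encryptedElementId != null) {
            reference = this.svalidator.getReference(encryptedElementId, this.blueprint.getXmlSignatureFactory().newDigestMethod(signaturePolicy.getDigestMethod().getAlgorithm(), (DigestMethodParameterSpec) null), new ArrayList(), securityToken.isIncludeInMessage());
        } else {
            reference = this.svalidator.getReference(tokenInMessage, this.blueprint.getXmlSignatureFactory().newDigestMethod(signaturePolicy.getDigestMethod().getAlgorithm(), (DigestMethodParameterSpec) null), new ArrayList(), securityToken.isIncludeInMessage());
        }
        List<Reference> references = new ArrayList<Reference>(1);
        references.add(reference);
        signaturePolicy.addReferences(references);
    }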

    /**
     * Turns the encryption policy's abstract node map ("Body", "EncryptSignature", username token,
     * SAML token) into concrete message elements that must have been encrypted.
     *
     * @param signatureConfirmationArr SignatureConfirmation elements found earlier; each is added
     *                                 as an extra encryption target when the signature itself must
     *                                 be encrypted
     * @throws SecurityPolicyInspectionException when a required token is absent from the message
     * @throws WSSecurityException wrapping SOAP failures (cause attached)
     */
    private void resolveEncryptionList(SignatureConfirmation[] signatureConfirmationArr) throws SecurityPolicyInspectionException, SecurityPolicyArchitectureException, WSSecurityException {
        EncryptionPolicy encryptionPolicy = this.blueprint.getEncryptionPolicy();
        Map nodeMap = encryptionPolicy.getNodeMap();
        SOAPMessage message = this.soapMessageCtx.getMessage();
        try {
            // Constructed and discarded (decompiled); kept in case the constructor has side effects.
            new SOAPSecurityHeaderHelper(this.soapMessageCtx);
            // NOTE(review): an empty Body is exempt from the encryption requirement. There is nothing
            // to protect in that case, but it does mean a "Body must be encrypted" policy is satisfied
            // by a message that carries no body at all; confirm downstream handling tolerates that.
            if (nodeMap.containsKey("Body")) {
                if (message.getSOAPBody().hasChildNodes()) {
                    encryptionPolicy.addNode("Body", message.getSOAPBody());
                } else if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "No body encryption due to body is empty");
                }
            }
            // Only the FIRST signature in the context is required to be encrypted.
            if (nodeMap.containsKey("EncryptSignature")) {
                List signatures = this.securityCtx.getSignatures();
                if (null == signatures || signatures.size() == 0) {
                    throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_SIGNATURE);
                }
                encryptionPolicy.addNode("EncryptSignature", ((XMLSignatureImpl) signatures.get(0)).getSignatureNode());
                if (signatureConfirmationArr != null && signatureConfirmationArr.length > 0) {
                    for (int i = 0; i < signatureConfirmationArr.length; i++) {
                        encryptionPolicy.addNode("Signature" + i, (Element) signatureConfirmationArr[i].getSignatureConfirmationNode());
                    }
                }
            }
            if (nodeMap.containsKey(SecurityPolicyPlan.USERNAME_TOKEN)) {
                Node nodeByTokenValueType = getNodeByTokenValueType(WSSConstants.VALUE_TYPE_UNT);
                if (null == nodeByTokenValueType) {
                    throw new SecurityPolicyInspectionException(4621);
                }
                encryptionPolicy.addNode(SecurityPolicyPlan.USERNAME_TOKEN, nodeByTokenValueType);
            }
            // The SAML token must have been validated by doIdentity(); its node is looked up first by
            // the policy's type URI and then by the generic SAML 1.1 / 2.0 type.
            if (nodeMap.containsKey("SamlToken")) {
                String validatedSamlTokenTypeUri = getValidatedSamlTokenTypeUri();
                if (null == validatedSamlTokenTypeUri) {
                    throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_SAML_TOKEN_ENCRYPTION);
                }
                Node nodeByTokenValueType2 = getNodeByTokenValueType(validatedSamlTokenTypeUri);
                if (null == nodeByTokenValueType2) {
                    String str = validatedSamlTokenTypeUri;
                    if (!validatedSamlTokenTypeUri.equals(SAML2Constants.SAML20_TOKEN_TYPE)) {
                        str = SAML2Constants.SAML11_TOKEN_TYPE;
                    }
                    nodeByTokenValueType2 = getNodeByTokenValueType(str);
                }
                if (null == nodeByTokenValueType2) {
                    throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_SAML_TOKEN_ENCRYPTION);
                }
                encryptionPolicy.addNode("SamlToken", nodeByTokenValueType2);
            }
            // Empty in the decompiled source: "Header" encryption targets are not resolved here.
            if (nodeMap.containsKey("Header")) {
            }
            encryptionPolicy.addEncryptionNodeList(this.soapMessageCtx);
        } catch (SOAPException e) {
            LOGGER.log(Level.FINE, e.getMessage(), (Throwable) e);
            throw new WSSecurityException(e.getMessage(), (Exception) e);
        }
    }

    /**
     * Returns the type URI of the identity policy's SAML token if doIdentity() validated a token of
     * that type, else null.
     * <p>
     * Only the FIRST SAML-typed entry of the identity policy is considered: if that one was not
     * validated the method returns null even when a later SAML entry was (original behaviour).
     */
    private String getValidatedSamlTokenTypeUri() {
        if (this.validatedTokenMap.isEmpty()) {
            LOGGER.log(Level.FINE, "No validated SAML Token");
            return null;
        }
        for (Object entry : this.blueprint.getIdentityPolicy().getValidIdentityTokens()) {
            String candidateType = ((SecurityToken) entry).getTokenTypeUri();
            if (!isSamlTokenType(candidateType)) {
                continue;
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Found the SAML Token Type URI from IdentityPolicy =[" + candidateType + "]");
            }
            boolean validated = this.validatedTokenMap.get(candidateType) != null;
            if (validated) {
                return candidateType;
            }
            LOGGER.log(Level.FINE, "No validated SAML Token for token type =[" + candidateType + "]");
            return null;
        }
        LOGGER.log(Level.FINE, "Unable to find any SAML Token Type URI from IdentityPolicy");
        return null;
    }

    /**
     * Finds the DOM node of the first security token of value type {@code str} that is backed by
     * an element in the message; null when no such token is registered or none has a node.
     */
    private Node getNodeByTokenValueType(String str) {
        List registered = this.securityCtx.getSecurityTokens(str);
        if (registered == null) {
            return null;
        }
        for (Object candidate : registered) {
            Node node = this.securityCtx.getNode((weblogic.xml.crypto.wss.provider.SecurityToken) candidate);
            if (node != null) {
                return node;
            }
        }
        return null;
    }

    /**
     * For an endorsing supporting token, selects the primary Signature element that the endorsing
     * signature must cover and registers it as the endorsing policy's reference target.
     * <p>
     * Expected signature counts: with transport security at least one (exactly one means there is
     * no separate endorsing signature and the method returns without setting any reference);
     * without transport security exactly two (primary + endorsing).
     *
     * @throws SecurityPolicyInspectionException (MISSING_ENDORSING_SIGNATURE_ELEMENT) when the
     *         signature count does not match
     * @throws WSSecurityException any other failure, wrapped with its cause
     */
    private void resolveSignatureElementSignatureList() throws SecurityPolicyInspectionException, WSSecurityException {
        SignaturePolicy endorsingPolicy = this.blueprint.getEndorsingPolicy();
        try {
            if (endorsingPolicy.getSigningNodeMap().containsKey(SecurityPolicyPlan.ENDORSE_SIGNATURE)) {
                List signatures = this.securityCtx.getSignatures();
                if (this.blueprint.hasTransportSecuirity()) {
                    if (LOGGER.isLoggable(Level.FINE)) {
                        LOGGER.log(Level.FINE, "Endorsing supporting token + transport security caes....");
                    }
                    if (null == signatures || signatures.size() == 0) {
                        throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_ENDORSING_SIGNATURE_ELEMENT);
                    }
                    // Single signature over transport security: nothing to endorse, reference list untouched.
                    if (signatures.size() == 1) {
                        return;
                    }
                } else if (null == signatures || signatures.size() != 2) {
                    throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_ENDORSING_SIGNATURE_ELEMENT);
                }
                // Prefer the second signature as the endorsed one; fall back to the first if the
                // second does not look like a Signature element (relies on list order from the context).
                Element signatureNode = ((XMLSignatureImpl) signatures.get(1)).getSignatureNode();
                ArrayList arrayList = new ArrayList();
                if (!SecurityPolicyOutlineSketcher.isSignatureElement(signatureNode)) {
                    signatureNode = ((XMLSignatureImpl) signatures.get(0)).getSignatureNode();
                }
                arrayList.add(signatureNode);
                endorsingPolicy.setNewSignatureNodeListToReference(arrayList);
            }
        } catch (Exception e) {
            // Policy errors thrown above are WSSecurityExceptions and pass through unchanged;
            // anything else (e.g. an index error on an unexpected list) is wrapped with its cause.
            LOGGER.log(Level.FINE, e.getMessage(), (Throwable) e);
            if (!(e instanceof WSSecurityException)) {
                throw new WSSecurityException(e.getMessage(), e);
            }
            throw ((WSSecurityException) e);
        }
    }

    /** Validates the message timestamp only when the policy asks for one to be included. */
    private void inspectMessageAge(TimestampPolicy timestampPolicy) throws WSSecurityException {
        boolean required = timestampPolicy.isIncludeTimestamp();
        if (!required) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Timestamp is not required.");
            }
            return;
        }
        doMessageAge(timestampPolicy);
    }

    /**
     * Checks the timestamp through the validator with the policy's maximum age.
     * <p>
     * NOTE(review): a configured age of 0 is translated to -1 before the call. The meaning of -1 is
     * decided inside the validator (not visible here); if it means "no age limit", then a policy
     * with maxAge=0 silently disables replay-window enforcement rather than rejecting everything.
     *
     * @throws WSSecurityException (FAILURE_INVALID) when the validator rejects the timestamp
     */
    private void doMessageAge(TimestampPolicy timestampPolicy) throws WSSecurityException {
        short maxAgeSeconds = timestampPolicy.getMessageAgeSeconds();
        if (maxAgeSeconds == 0) {
            maxAgeSeconds = -1;
        }
        boolean fresh = this.svalidator.validateTimestamp(maxAgeSeconds);
        if (!fresh) {
            throw new WSSecurityException("Timestamp validation failed.", WSSConstants.FAILURE_INVALID);
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, " timestamp(maxAgesSecs=" + ((int) maxAgeSeconds) + ") verified");
        }
    }

    /**
     * Registers endorsing-token references on the signing policy, but only when the endorsing
     * policy itself requires a signature.
     *
     * @param signaturePolicy  the endorsing policy (source of the tokens)
     * @param signaturePolicy2 the signing policy that receives the references
     */
    private void inspectEndorseToken(SignaturePolicy signaturePolicy, SignaturePolicy signaturePolicy2) throws SecurityPolicyInspectionException, WSSecurityException {
        if (!signaturePolicy.isSignatureRequired()) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "No need to verify support token endorsing.");
            }
            return;
        }
        doEndorseToken(signaturePolicy, signaturePolicy2);
    }

    /**
     * Adds one signature reference per valid endorsing token to the signing policy, each resolved
     * against the token actually present in the message (never via the encrypted-element map).
     */
    private void doEndorseToken(SignaturePolicy signaturePolicy, SignaturePolicy signaturePolicy2) throws SecurityPolicyInspectionException, WSSecurityException {
        Iterator<SecurityToken> endorsing = signaturePolicy.getValidSignatureTokens().iterator();
        while (endorsing.hasNext()) {
            SecurityToken token = endorsing.next();
            addReferenceByTokenValueType(signaturePolicy2, token.getTokenTypeUri(), token, false);
        }
    }

    /** Authenticates the message's identity token(s) when the identity policy requires it. */
    private void inspectIdentity(IdentityPolicy identityPolicy) throws WSSecurityException {
        if (!identityPolicy.isAuthenticationRequired()) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Identity is not required.");
            }
            return;
        }
        doIdentity(identityPolicy);
    }

    /**
     * Tries every acceptable identity token from the policy against the validator. Semantics are
     * "any one succeeds": all candidates are attempted (none short-circuits), each success is
     * recorded in validatedTokenMap under the policy's token type URI, and the method only fails
     * when no candidate validated.
     * <p>
     * Derived-key tokens ("…/dk") that derive from a SAML token are validated as that SAML type.
     * The SECURITY_TOKEN_INCLUDED_IN_MESSAGE property is set per candidate and cleared at the end
     * (not in a finally block, so an exception from the validator leaves it set).
     *
     * @throws SecurityPolicyInspectionException 1000 when no identity token validated
     */
    private void doIdentity(IdentityPolicy identityPolicy) throws WSSecurityException {
        boolean anyValidated = false;
        for (SecurityToken candidate : identityPolicy.getValidIdentityTokens()) {
            setTokenIssuer(candidate);
            this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, Boolean.valueOf(candidate.isIncludeInMessage()));
            String policyType = candidate.getTokenTypeUri();
            String validationType = policyType;
            boolean samlDerivedKey = policyType.endsWith("/dk") && SAMLUtils.isSamlTokenType(candidate.getDerivedFromTokenType());
            if (samlDerivedKey) {
                validationType = candidate.getDerivedFromTokenType();
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Trying to validate identity assertion token type =" + policyType + " DerivedFromTokenType =" + candidate.getDerivedFromTokenType() + " use Token Type for validation =" + validationType);
            }
            boolean ok = this.svalidator.validateSecurityToken(validationType, candidate.getIssuerName(), candidate.getClaims());
            if (!ok) {
                continue;
            }
            anyValidated = true;
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Validated identity assertion token " + policyType);
            }
            this.validatedTokenMap.put(policyType, candidate);
        }
        this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, null);
        if (anyValidated) {
            return;
        }
        throw new SecurityPolicyInspectionException(1000);
    }

    /**
     * Verifies the signature described by {@code signaturePolicy} when one is required.
     *
     * @param z true for a request; on responses a failed signature may be bypassed (see doIntegrity)
     */
    private void inspectIntegrity(SignaturePolicy signaturePolicy, boolean z) throws SecurityPolicyInspectionException, WSSecurityException {
        if (!signaturePolicy.isSignatureRequired()) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Signature is not required.");
            }
            return;
        }
        doIntegrity(signaturePolicy, z);
    }

    /**
     * Validates the message signature against each acceptable signing token of the policy.
     * <p>
     * NOTE(review): the loop does not stop at the first success, so the outcome is that of the
     * LAST token tried; an earlier successful validation is overwritten by a later failure. If the
     * intent is "any token may sign", a break on success is missing (the decompiled source does not
     * show one; confirm against the original). Also note the 3006 compatibility switch: on a
     * RESPONSE ({@code z == false}) a failed signature is silently accepted when the message
     * context property WLStub.POLICY_COMPATIBILITY_PREFERENCE equals COMPAT_FLAG_3006 — effectively
     * a client-side "ignore bad response signatures" knob.
     *
     * @param signaturePolicy policy whose SignedInfo / tokens are checked
     * @param z               true for a request (no bypass), false for a response
     * @throws SecurityPolicyInspectionException SIGNATURE_ERROR (request) or BAD_SIGNATURE (response)
     *         when no token validates; MISSING_SIGNED_SIGNATURE when a signed-token reference
     *         cannot be built
     */
    private void doIntegrity(SignaturePolicy signaturePolicy, boolean z) throws SecurityPolicyInspectionException, WSSecurityException {
        SignedInfo policySignedInfo = signaturePolicy.getSignedInfo();
        List candidates = signaturePolicy.getValidSignatureTokens();
        boolean verified = false;
        boolean tokensMustBeSigned = signaturePolicy.signedSecurityTokens();
        for (Object entry : candidates) {
            SecurityToken token = (SecurityToken) entry;
            setTokenIssuer(token);
            this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, Boolean.valueOf(token.isIncludeInMessage()));
            if (tokensMustBeSigned) {
                // The signing token itself must be covered: build a reference to it and verify
                // against a SignedInfo that includes that reference.
                SecurityTokenContextHandler claimsCtx = new SecurityTokenContextHandler();
                claimsCtx.addContextElement(SecurityTokenContextHandler.CLAIMS_MAP, token.getClaims());
                Reference tokenRef = this.blueprint.getSigningReferencesFactory().newSigningTokenReference(token, claimsCtx, signaturePolicy.getDigestMethod().getAlgorithm());
                if (tokenRef == null) {
                    throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_SIGNED_SIGNATURE);
                }
                SignedInfo withTokenRef = signaturePolicy.newSignedInfo(this.blueprint.getXmlSignatureFactory(), tokenRef);
                verified = this.svalidator.validateSignature(withTokenRef, token.getTokenTypeUri(), token.getStrTypes(), token.getIssuerName(), token.getClaims());
            } else {
                verified = this.svalidator.validateSignature(policySignedInfo, token.getTokenTypeUri(), token.getStrTypes(), token.getIssuerName(), token.getClaims());
            }
            if (verified && LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Signature has been validated successfully");
            }
        }
        this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, null);
        if (verified) {
            return;
        }
        if (z) {
            throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.SIGNATURE_ERROR);
        }
        // Response path: honour the 3006 compatibility bypass if it is switched on.
        try {
            String compatPreference = (String) this.soapMessageCtx.getProperty(WLStub.POLICY_COMPATIBILITY_PREFERENCE);
            boolean bypass = compatPreference != null && COMPAT_FLAG_3006.equals(compatPreference);
            if (bypass) {
                LOGGER.log(Level.FINE, "Policy Enforcement Problem Dectected");
                LOGGER.log(Level.FINE, "By pass Policy Error 3006 due to the property weblogic.wsee.policy.compat.preference is set to Bypass.3006.error");
                return;
            }
        } catch (Exception e) {
            // Reading the property must never mask the signature failure; fall through to throw.
            LOGGER.log(Level.FINE, "ERROR ON on getting compact property during processing of policy enforcement Error code 3006 for the response message");
            LOGGER.log(Level.FINE, e.getMessage(), (Throwable) e);
        }
        throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.BAD_SIGNATURE);
    }

    /**
     * Combined signature + encryption check. Unlike the single-purpose inspect*() wrappers this
     * one always delegates, even when neither protection is required (it only logs in that case).
     */
    private void inspectIntegrityAndConfidentiality(SignaturePolicy signaturePolicy, EncryptionPolicy encryptionPolicy, boolean z, boolean z2) throws SecurityPolicyInspectionException, WSSecurityException {
        boolean nothingRequired = !encryptionPolicy.isEncryptionRequired() && !signaturePolicy.isSignatureRequired();
        if (nothingRequired && LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Neither Encryption nor Signature is required.");
        }
        doIntegrityAndConfidentiality(signaturePolicy, encryptionPolicy, z, z2);
    }

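    /**
     * Runs the combined signature-and-encryption validation for the current
     * message and fails closed on any mismatch.
     *
     * <p>Token selection: when a signature is required, the signature policy's
     * valid signing tokens are used; otherwise, when encryption is required, the
     * encryption policy's valid encryption tokens are used. On the request side
     * only the first token is consulted. The to-be-encrypted elements of every
     * encryption target are flattened into one list before validation.
     *
     * <p>The {@code SECURITY_TOKEN_INCLUDED_IN_MESSAGE} property of the security
     * context is set for the duration of the validator call and cleared in a
     * {@code finally}, so a {@link WSSecurityException} escaping the validator
     * cannot leave stale token-inclusion state behind for the next message.
     *
     * @param signaturePolicy  signature policy (supplies the SignedInfo and valid tokens)
     * @param encryptionPolicy encryption policy (supplies algorithms, targets and tokens)
     * @param z                {@code true} selects the request-side validators,
     *                         {@code false} the response-side validator; also
     *                         selects the error code reported on failure
     * @param z2               request side only: {@code true} selects the
     *                         encryption-then-signature validator, {@code false}
     *                         the signature-then-encryption one
     * @throws SecurityPolicyInspectionException {@code SIGN_ENCRYPTION_ERROR}
     *         when a request fails validation or carries no usable token,
     *         {@code BAD_SIGN_ENCRYPTION_ERROR} when a response fails validation
     *         or its validator throws, {@code ENCRYPTION_ALGO_ERROR} when the
     *         request-side validator rejects the encryption algorithm
     * @throws WSSecurityException propagated from the request-side validator
     */
    private void doIntegrityAndConfidentiality(SignaturePolicy signaturePolicy, EncryptionPolicy encryptionPolicy, boolean z, boolean z2) throws SecurityPolicyInspectionException, WSSecurityException {
        EncryptionMethod keyWrapMethod = encryptionPolicy.getKeyWrapMethod();
        EncryptionMethod encryptionMethod = encryptionPolicy.getEncryptionMethod();
        List<EncryptionTarget> encryptionTargets = encryptionPolicy.getEncryptionTargets();

        SignedInfo signedInfo = null;
        List validTokens = null;
        if (signaturePolicy.isSignatureRequired()) {
            signedInfo = signaturePolicy.getSignedInfo();
            validTokens = signaturePolicy.getValidSignatureTokens();
        }
        // Encryption tokens are only a fallback when no signing tokens were selected.
        if (encryptionPolicy.isEncryptionRequired() && null == validTokens) {
            validTokens = encryptionPolicy.getValidEncryptionTokens();
        }

        // Flatten the to-be-encrypted elements of all targets into one list.
        // Kept as a raw ArrayList to match the validator's expected argument type.
        ArrayList tbes = null;
        if (null != encryptionTargets) {
            tbes = new ArrayList();
            for (EncryptionTarget target : encryptionTargets) {
                tbes.addAll(target.getTBEs());
            }
        } else if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "There is no encryption target.");
        }

        boolean valid;
        try {
            if (z) {
                // Request side: a missing token is a policy failure, not a
                // NullPointerException / IndexOutOfBoundsException.
                if (null == validTokens || validTokens.isEmpty()) {
                    throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.SIGN_ENCRYPTION_ERROR);
                }
                SecurityToken securityToken = (SecurityToken) validTokens.get(0);
                setTokenIssuer(securityToken);
                this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, Boolean.valueOf(securityToken.isIncludeInMessage()));
                if (z2) {
                    valid = this.svalidator.validateEncryptionAndSignatureRequest(signedInfo, tbes, keyWrapMethod, encryptionMethod, securityToken.getTokenTypeUri(), securityToken.getStrTypes(), securityToken.getIssuerName(), securityToken.isIncludeInMessage(), this.ctxHandler);
                } else {
                    valid = this.svalidator.validateSignatureAndEncryptionRequest(signedInfo, tbes, keyWrapMethod, encryptionMethod, securityToken.getTokenTypeUri(), securityToken.getStrTypes(), securityToken.getIssuerName(), securityToken.isIncludeInMessage(), this.ctxHandler);
                }
            } else {
                // Response side: any validator failure is reported as a bad
                // signature/encryption, with the cause preserved.
                try {
                    valid = this.svalidator.validateSignatureAndEncryptionResponse(signedInfo, tbes, encryptionMethod, this.ctxHandler);
                } catch (Exception e) {
                    throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.BAD_SIGN_ENCRYPTION_ERROR, e);
                }
            }
        } catch (XMLEncryptionException e2) {
            throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.ENCRYPTION_ALGO_ERROR, e2);
        } finally {
            // Always clear the per-message token-inclusion hint, whatever the outcome.
            this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, null);
        }

        if (!valid) {
            throw new SecurityPolicyInspectionException(z
                    ? SecurityInspectionErrorCode.SIGN_ENCRYPTION_ERROR
                    : SecurityInspectionErrorCode.BAD_SIGN_ENCRYPTION_ERROR);
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Signature and Encryption has been validated successfully.");
        }
    }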

    /**
     * Entry point for the encryption-only inspection.
     *
     * <p>When the policy does not require encryption nothing is validated and a
     * FINE log line is emitted instead.
     *
     * @param encryptionPolicy encryption policy for the current message
     * @param z                passed through (selects the error code on failure)
     * @param z2               passed through (selects the encrypt-first validator)
     * @throws SecurityPolicyInspectionException when an encryption target cannot be validated
     * @throws WSSecurityException propagated from the validator
     */
    private void inspectConfidentiality(EncryptionPolicy encryptionPolicy, boolean z, boolean z2) throws SecurityPolicyInspectionException, WSSecurityException {
        if (!encryptionPolicy.isEncryptionRequired()) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Encryption is not required.");
            }
            return;
        }
        doConfidentiality(encryptionPolicy, z, z2);
    }

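    /**
     * Validates the encryption of every encryption target against the policy's
     * valid encryption tokens and fails closed when a target does not verify.
     *
     * <p>For each target, every candidate token is tried in turn; the outcome
     * kept for the target is the result of the last candidate tried (there is
     * no early exit on the first success). NOTE(review): this looks like it was
     * meant to be an any-token-matches check — confirm before changing it, as
     * an early exit would also change which {@code ENCRYPTED_ELEMENT_MAP}
     * entries get recorded.
     *
     * <p>The {@code SECURITY_TOKEN_INCLUDED_IN_MESSAGE} property is set per
     * candidate token and cleared in a {@code finally} after each target, so a
     * {@link WSSecurityException} escaping the validator cannot leave stale
     * token-inclusion state in the security context.
     *
     * @param encryptionPolicy encryption policy (supplies targets, algorithms and tokens)
     * @param z                selects the error code on failure:
     *                         {@code ENCRYPTION_ERROR} when {@code true},
     *                         {@code BAD_ENCRYPTION} when {@code false}
     * @param z2               {@code true} selects the encrypt-first validator and
     *                         records the map of encrypted elements it fills in
     * @throws SecurityPolicyInspectionException when a target fails validation, no
     *         token is available, or the validator rejects the encryption algorithm
     *         ({@code ENCRYPTION_ALGO_ERROR})
     * @throws WSSecurityException propagated from the validator
     */
    private void doConfidentiality(EncryptionPolicy encryptionPolicy, boolean z, boolean z2) throws SecurityPolicyInspectionException, WSSecurityException {
        List validEncryptionTokens = encryptionPolicy.getValidEncryptionTokens();
        List<EncryptionTarget> encryptionTargets = encryptionPolicy.getEncryptionTargets();
        EncryptionMethod keyWrapMethod = encryptionPolicy.getKeyWrapMethod();
        for (EncryptionTarget encryptionTarget : encryptionTargets) {
            // A per-target algorithm overrides the policy-wide one.
            EncryptionMethod encryptionMethod = encryptionTarget.getEncryptionMethod();
            if (null == encryptionMethod) {
                encryptionMethod = encryptionPolicy.getEncryptionMethod();
            }
            // No candidate token at all means the target cannot be validated,
            // which falls through to the policy error below (fail closed).
            boolean validated = false;
            try {
                if (null != validEncryptionTokens) {
                    for (Object candidate : validEncryptionTokens) {
                        SecurityToken securityToken = (SecurityToken) candidate;
                        setTokenIssuer(securityToken);
                        this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, Boolean.valueOf(securityToken.isIncludeInMessage()));
                        if (z2) {
                            // Raw HashMap: filled in by the validator with the encrypted elements.
                            HashMap encryptedElements = new HashMap();
                            validated = this.svalidator.validateEncryptionforEncryptFirst(encryptionTarget.getTBEs(), keyWrapMethod, encryptionMethod, securityToken.getTokenTypeUri(), securityToken.getStrTypes(), securityToken.getIssuerName(), securityToken.getClaims(), encryptedElements);
                            if (!encryptedElements.isEmpty()) {
                                this.ctxHandler.addContextElement(SecurityTokenContextHandler.ENCRYPTED_ELEMENT_MAP, encryptedElements);
                            }
                        } else {
                            validated = this.svalidator.validateEncryption(encryptionTarget.getTBEs(), keyWrapMethod, encryptionMethod, securityToken.getTokenTypeUri(), securityToken.getStrTypes(), securityToken.getIssuerName(), securityToken.getClaims());
                        }
                        if (validated && LOGGER.isLoggable(Level.FINE)) {
                            LOGGER.log(Level.FINE, "Encryption has been validated successfull.");
                        }
                    }
                }
            } catch (XMLEncryptionException e) {
                throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.ENCRYPTION_ALGO_ERROR, e);
            } finally {
                // Always clear the per-token inclusion hint, whatever the outcome.
                this.securityCtx.setProperty(weblogic.xml.crypto.wss.SecurityValidator.SECURITY_TOKEN_INCLUDED_IN_MESSAGE, null);
            }
            if (!validated) {
                throw new SecurityPolicyInspectionException(z
                        ? SecurityInspectionErrorCode.ENCRYPTION_ERROR
                        : SecurityInspectionErrorCode.BAD_ENCRYPTION);
            }
        }
    }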

    /**
     * Entry point for the signature-confirmation inspection; delegates straight
     * to {@code doSignatureConfirmation}.
     *
     * @param z  whether signature confirmations are required
     * @param z2 whether unexpected confirmations are tolerated when not required
     * @return the confirmations found when required, otherwise {@code null}
     * @throws SecurityPolicyInspectionException on a missing, invalid or unexpected confirmation
     */
    private SignatureConfirmation[] inspectSignatureConfirmation(boolean z, boolean z2) throws SecurityPolicyInspectionException {
        SignatureConfirmation[] confirmations = doSignatureConfirmation(z, z2);
        return confirmations;
    }

    /**
     * Checks the signature confirmations carried by the current message against
     * what the policy expects.
     *
     * <p>When confirmations are required ({@code z}), the message must carry at
     * least one and the validator must accept them; the confirmations are then
     * returned as an array. When they are not required, the presence of any
     * confirmation is an error unless {@code z2} tolerates it, and {@code null}
     * is returned.
     *
     * @param z  whether signature confirmations are required
     * @param z2 whether unexpected confirmations are tolerated when not required
     * @return the confirmations when required, otherwise {@code null}
     * @throws SecurityPolicyInspectionException {@code MISSING_SIGNATURE_CONFIRMATION},
     *         {@code SIGNATURE_CONFIRMATION_ERROR} or
     *         {@code SIGNATURE_CONFIRMATION_NOT_REQUIRED} as described above
     */
    private SignatureConfirmation[] doSignatureConfirmation(boolean z, boolean z2) throws SecurityPolicyInspectionException {
        List signatureConfirmations = this.securityCtx.getSignatureConfirmations();
        boolean confirmationsPresent = signatureConfirmations != null && signatureConfirmations.size() > 0;
        if (!z) {
            // Not required: a confirmation that nobody asked for is rejected
            // unless the caller explicitly tolerates it.
            if (!z2 && confirmationsPresent) {
                throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.SIGNATURE_CONFIRMATION_NOT_REQUIRED);
            }
            return null;
        }
        if (!confirmationsPresent) {
            throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.MISSING_SIGNATURE_CONFIRMATION);
        }
        if (!this.svalidator.validateSignatureConfirmation()) {
            throw new SecurityPolicyInspectionException(SecurityInspectionErrorCode.SIGNATURE_CONFIRMATION_ERROR);
        }
        SignatureConfirmation[] result = new SignatureConfirmation[signatureConfirmations.size()];
        int index = 0;
        for (Object confirmation : signatureConfirmations) {
            result[index++] = (SignatureConfirmation) confirmation;
        }
        return result;
    }

    /**
     * Publishes the token's issuer endpoint reference into the token context
     * handler under {@code ISSUER_ENDPOINT_REF}.
     *
     * <p>Both the null and the non-null case end up storing exactly the value of
     * {@code getTokenIssuer()}, so a single call covers both.
     *
     * @param securityToken the token whose issuer is published (may have no issuer)
     */
    private void setTokenIssuer(SecurityToken securityToken) {
        this.ctxHandler.addContextElement(SecurityTokenContextHandler.ISSUER_ENDPOINT_REF, securityToken.getTokenIssuer());
    }
}
