package weblogic.wsee.security.saml;

import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.rpc.handler.MessageContext;
import org.w3c.dom.Node;
import weblogic.kernel.KernelStatus;
import weblogic.security.service.ContextHandler;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.policy.WssPolicyContext;
import weblogic.wsee.security.wst.helpers.EncryptedKeyInfoBuilder;
import weblogic.xml.crypto.api.MarshalException;
import weblogic.xml.crypto.common.keyinfo.KeyProvider;
import weblogic.xml.crypto.common.keyinfo.SecretKeyProvider;
import weblogic.xml.crypto.utils.CertUtils;
import weblogic.xml.crypto.wss.SecurityTokenContextHandler;
import weblogic.xml.crypto.wss.SecurityTokenValidateResult;
import weblogic.xml.crypto.wss.WSSConstants;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.WSSecurityException;
import weblogic.xml.crypto.wss.WSSecurityInfo;
import weblogic.xml.crypto.wss.api.KeyIdentifier;
import weblogic.xml.crypto.wss.provider.Purpose;
import weblogic.xml.crypto.wss.provider.SecurityToken;
import weblogic.xml.crypto.wss.provider.SecurityTokenHandler;
import weblogic.xml.crypto.wss.provider.SecurityTokenReference;
import weblogic.xml.crypto.wss11.internal.WSS11Context;
import weblogic.xml.security.utils.Utils;

/* loaded from: input_file:weblogic/wsee/security/saml/AbstractSAMLTokenHandler.class */
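/**
 * Base {@link SecurityTokenHandler} for SAML assertions carried as WS-Security tokens.
 *
 * <p>Concrete subclasses decide which SAML version they serve ({@link #isSaml2()}) and which
 * token and value types they accept. This class provides the shared behaviour:
 * <ul>
 *   <li>creating {@link SAMLTokenImpl} tokens and {@link SAMLSecurityTokenReference}s,</li>
 *   <li>locating key material for an assertion: its public key, its secret key, or - in the
 *       holder-of-key case - the key designated by the SecurityTokenReference embedded in the
 *       assertion ({@link #getKeyProvider}),</li>
 *   <li>validating an inbound assertion through CSS ({@link CSSUtils#assertIdentity}) and, for
 *       holder-of-key assertions processed on the server, validating the holder's certificate
 *       ({@link #validateUnmarshalled}).</li>
 * </ul>
 *
 * <p>Lookup failures in {@link #getKeyProvider} are logged at {@code FINE} and reported to the
 * caller as a {@code null} provider; no key material is ever synthesised.
 */
public abstract class AbstractSAMLTokenHandler implements SecurityTokenHandler {
    private static final Logger LOGGER = Logger.getLogger(AbstractSAMLTokenHandler.class.getName());
    // Debug switches carried over from the original class; nothing in this class reads them.
    private static final boolean debug = false;
    private static final boolean DEBUG_SX_INTEROP_ISSUED_TOKEN = false;
    private static final boolean DEBUG_UNIT_TEST_ONLY = false;

    /** Value type for which a SAML 1.1 token is accepted as a fallback match in {@link #getSecurityToken(String, String, Purpose, ContextHandler)}. */
    private static final String SAML_ASSERTION_ID_VALUE_TYPE =
            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    /** Message-context property holding the {@link WSS11Context} of the current message. */
    private static final String WSSECURITY_CONTEXT_PROP = "weblogic.xml.crypto.wss.WSSecurityContext";
    /** Message-context property holding the {@link Purpose} the token is being processed for. */
    private static final String PURPOSE_PROP = "weblogic.xml.crypto.wss.provider.Purpose";
    /** Message-context property holding the {@link WssPolicyContext}; the doubled "weblogic." prefix is the actual key. */
    private static final String WSS_POLICY_CTX_PROP = "weblogic.weblogic.wsee.security.policy.WssPolicyCtx";
    // Context-element names handed to CSS during identity assertion.
    private static final String TARGET_RESOURCE_CTX = "com.bea.contextelement.saml.TargetResource";
    private static final String SAML_ATTRIBUTES_CTX = "com.bea.contextelement.saml.Attributes";
    private static final String SAML2_ATTRIBUTES_CTX = "com.bea.contextelement.saml2.Attributes";
    private static final String ATTRIBUTE_PRINCIPALS_CTX = "com.bea.contextelement.saml.AttributePrincipals";

    @Override
    public abstract QName[] getQNames();

    @Override
    public abstract String[] getValueTypes();

    /** @return whether {@code str} names a token type this handler serves. */
    public abstract boolean isSupportedTokenType(String str);

    /** @return whether {@code str} names a value type this handler serves. */
    public abstract boolean isSupportedValueType(String str);

    /** @return {@code true} for a SAML 2.0 handler, {@code false} for SAML 1.1. */
    public abstract boolean isSaml2();

    /**
     * Wraps an already-obtained credential in a {@link SAMLTokenImpl}.
     *
     * @param str            the token value type
     * @param obj            the credential object
     * @param contextHandler unused here
     * @return a new token; never {@code null}
     * @throws WSSecurityException if the token cannot be built from the credential
     */
    @Override
    public SecurityToken getSecurityToken(String str, Object obj, ContextHandler contextHandler) throws WSSecurityException {
        return new SAMLTokenImpl(str, obj);
    }

    /**
     * Finds a previously collected token of value type {@code str} in the
     * {@link WSSecurityInfo} carried by {@code contextHandler}.
     *
     * <p>When no exact match exists and {@code str} is the SAML 1.0 profile's
     * {@code #SAMLAssertionID} value type, a SAML 1.1 token is accepted instead.
     *
     * @param str            the value type wanted
     * @param str2           unused here
     * @param purpose        unused here
     * @param contextHandler supplies {@link SecurityTokenContextHandler#SECURITY_INFO}
     * @return the first matching token, or {@code null} if none is available
     */
    @Override
    public SecurityToken getSecurityToken(String str, String str2, Purpose purpose, ContextHandler contextHandler) throws WSSecurityException {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "getSecurityToken for value type =" + str);
        }
        WSSecurityInfo securityInfo = (WSSecurityInfo) contextHandler.getValue(SecurityTokenContextHandler.SECURITY_INFO);
        if (securityInfo == null) {
            logFine("com.bea.contextelement.xml.SecurityInfoNot found");
            return null;
        }
        List<SecurityToken> tokens = securityInfo.getSecurityTokens();
        if (tokens == null || tokens.isEmpty()) {
            logFine("No SAML tokens from com.bea.contextelement.xml.SecurityInfo");
            return null;
        }
        for (SecurityToken token : tokens) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Checking Token Id = " + token.getId() + " valueType = " + token.getValueType() + " of " + token.toString());
            }
            String valueType = token.getValueType();
            // null-safe: a token without a value type simply does not match
            if (valueType != null && valueType.equals(str)) {
                return token;
            }
        }
        if (!SAML_ASSERTION_ID_VALUE_TYPE.equals(str)) {
            return null;
        }
        logFine("Checking again with Token Type  = http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
        for (SecurityToken token : tokens) {
            if (SAML2Constants.SAML11_TOKEN_TYPE.equals(token.getValueType())) {
                return token;
            }
        }
        return null;
    }

    /**
     * Builds a SecurityTokenReference for {@code securityToken}.
     *
     * <p>SAML 2.0 tokens are referenced with a {@code wsse:Reference} element, SAML 1.1 tokens
     * with a {@code wsse:KeyIdentifier}; any other reference kind is not supported.
     *
     * @return the reference, or {@code null} when {@code qName} is not the supported kind
     */
    @Override
    public SecurityTokenReference getSTR(QName qName, String str, SecurityToken securityToken) throws WSSecurityException {
        QName supportedKind = isSaml2() ? WSSConstants.REFERENCE_QNAME : WSSConstants.KEY_IDENTIFIER_QNAME;
        if (qName.equals(supportedKind)) {
            return new SAMLSecurityTokenReference(qName, str, securityToken);
        }
        return null;
    }

    /**
     * Unmarshals an inbound assertion element into a token.
     *
     * @param node the DOM element of the assertion
     * @throws MarshalException if the element is not a usable SAML assertion (the underlying
     *                          {@link WSSecurityException} is kept as the cause)
     */
    @Override
    public SecurityToken newSecurityToken(Node node) throws MarshalException {
        try {
            return new SAMLTokenImpl(new SAMLCredentialImpl(node));
        } catch (WSSecurityException e) {
            throw new MarshalException("Invalid SAML token on wsee " + e.getMessage(), e);
        }
    }

    /**
     * Unmarshals an inbound SecurityTokenReference element.
     *
     * @throws weblogic.xml.dom.marshal.MarshalException if the element cannot be parsed
     */
    @Override
    public SecurityTokenReference newSecurityTokenReference(Node node) throws weblogic.xml.dom.marshal.MarshalException {
        SAMLSecurityTokenReference reference = new SAMLSecurityTokenReference();
        reference.unmarshal(node);
        return reference;
    }

    /**
     * Resolves the key material associated with a SAML token, trying in order: the token's
     * public key, its secret key, and - for a {@link SAMLCredentialImpl} - an encrypted-key
     * provider, a symmetric key, or the key designated by the SecurityTokenReference embedded
     * in the assertion (holder-of-key subject confirmation).
     *
     * @param securityToken  the SAML token; {@code null} yields {@code null}
     * @param messageContext supplies the {@link WSS11Context} used to resolve embedded references
     * @return a key provider, or {@code null} if the token carries no usable key material or the
     *         lookup fails (failures are logged at {@code FINE})
     */
    @Override
    public KeyProvider getKeyProvider(SecurityToken securityToken, MessageContext messageContext) {
        if (securityToken == null) {
            return null;
        }
        SAMLToken samlToken = (SAMLToken) securityToken;
        // Bearer/sender-vouches assertions without a public key carry no key material at all.
        if (!samlToken.isHolderOfKey() && samlToken.getPublicKey() == null) {
            return null;
        }
        PublicKey publicKey = samlToken.getPublicKey();
        if (publicKey != null) {
            logFine("Returning public key SAMLKeyProvider for token");
            return new SAMLKeyProvider(publicKey, samlToken.getPrivateKey(), samlToken.getAssertionID(), samlToken);
        }
        Key secretKey = samlToken.getSecretKey();
        if (secretKey != null) {
            logFine("Returning Scret Key of SecretKeyProvider for token");
            EncryptedKeyInfoBuilder.debugKey(secretKey, "Got Secret Key from SAML Token");
            // The assertion ID doubles as the key identifier for the secret key.
            return new SecretKeyProvider(secretKey, (String) null, samlToken.getAssertionID().getBytes(), (String) null, samlToken);
        }
        Object rawCredential = samlToken.getCredential();
        if (rawCredential == null) {
            logFine("Null credentail on SAML token");
            return null;
        }
        if (!(rawCredential instanceof SAMLCredentialImpl)) {
            return null;
        }
        SAMLCredentialImpl credential = (SAMLCredentialImpl) rawCredential;
        KeyProvider encryptedKeyProvider = credential.getEncryptedKeyProvider();
        if (encryptedKeyProvider != null) {
            logFine("Returning EncryptedKeyProvider from SAMLCredential for token");
            return encryptedKeyProvider;
        }
        Key symmetricKey = credential.getSymmetircKey();
        if (symmetricKey != null) {
            logFine("Returning Symmetric key of SecretKeyProvider for token");
            return new SecretKeyProvider(symmetricKey, (String) null, samlToken.getAssertionID().getBytes(), (String) null, samlToken);
        }
        SecurityTokenReference reference = credential.getSecurityTokenReference();
        if (reference == null) {
            return null;
        }
        return getKeyProviderFromReference(samlToken, reference, messageContext);
    }

    /**
     * Holder-of-key case: resolves the token designated by the SecurityTokenReference embedded
     * in the assertion and wraps its key pair in a {@link SAMLKeyProvider}.
     *
     * <p>The handler for the reference's value type is taken from the message's
     * {@link WSS11Context}. If that handler cannot resolve the reference (it throws a
     * {@link WSSecurityException}), {@link #getKeyProviderWithoutSki} is tried; any other
     * failure is logged at {@code FINE} and yields {@code null}.
     */
    private KeyProvider getKeyProviderFromReference(SAMLToken samlToken, SecurityTokenReference reference, MessageContext messageContext) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Getting Keys from SecurityTokenReference in the SAML Token on HofK case for STR =" + reference);
        }
        String valueType = reference.getValueType();
        // Only used for logging; a reference without a KeyIdentifier fails here as in the original.
        String skiBase64 = Utils.toBase64(reference.getKeyIdentifier().getIdentifier());
        try {
            WSS11Context context = (WSS11Context) messageContext.getProperty(WSSECURITY_CONTEXT_PROP);
            SecurityTokenHandler handler = context.getRequiredTokenHandler(valueType);
            if (handler == null) {
                LOGGER.log(Level.FINE, "Unable to find the SecurityTokenHandler for valueType = " + valueType);
                return null;
            }
            try {
                SecurityToken referencedToken = handler.getSecurityToken(reference, messageContext);
                if (referencedToken == null) {
                    LOGGER.log(Level.FINE, "Unable to find the secToken for valueType = " + valueType);
                    return null;
                }
                return new SAMLKeyProvider(referencedToken.getPublicKey(), referencedToken.getPrivateKey(), samlToken.getAssertionID(), samlToken);
            } catch (WSSecurityException lookupFailure) {
                LOGGER.log(Level.FINE, "Unable to find SKI=" + skiBase64);
                LOGGER.log(Level.FINE, lookupFailure.getMessage(), lookupFailure);
                // Was a System.out.println in the original; library code must not write to stdout.
                LOGGER.log(Level.FINE, "Wrong SKI from the SAML Token, Try to get with the client key for signature again");
                return getKeyProviderWithoutSki(samlToken, context, handler, valueType);
            } catch (Exception resolveFailure) {
                LOGGER.log(Level.FINE, resolveFailure.getMessage(), resolveFailure);
                return null;
            }
        } catch (Exception contextFailure) {
            LOGGER.log(Level.FINE, contextFailure.getMessage(), contextFailure);
            return null;
        }
    }

    /**
     * Fallback used when the SKI in the assertion's SecurityTokenReference cannot be resolved:
     * asks the credential provider for the {@link Purpose#SIGN} credential of the same value
     * type and builds a {@link SAMLKeyProvider} from the token the handler derives from it.
     *
     * <p>NOTE(review): this path ignores the specific key the assertion designates and uses
     * whatever credential the provider returns for the value type, so the holder-of-key proof
     * is no longer bound to the key named in the assertion. Preserved for compatibility with the
     * original behaviour; confirm whether it is still required before relying on it.
     *
     * @return a key provider, or {@code null} if no credential or token can be obtained
     */
    private KeyProvider getKeyProviderWithoutSki(SAMLToken samlToken, WSS11Context context, SecurityTokenHandler handler, String valueType) {
        try {
            Object credential = context.getRequiredCredentialProvider(valueType)
                    .getCredential(valueType, null, new SecurityTokenContextHandler((WSSecurityInfo) context), Purpose.SIGN);
            if (credential == null) {
                LOGGER.log(Level.FINE, "Again, without SKI still unable to find the credentail for valueType = " + valueType);
                return null;
            }
            SecurityToken fallbackToken = handler.getSecurityToken(valueType, credential, new SecurityTokenContextHandler((WSSecurityInfo) context));
            if (fallbackToken == null) {
                LOGGER.log(Level.FINE, "Again, without SKI still unable to find the secToken for valueType = " + valueType);
                return null;
            }
            LOGGER.log(Level.FINE, "Try again, hacker code without SKI and got the secToken for  for SAMLKeyProvider");
            return new SAMLKeyProvider(fallbackToken.getPublicKey(), fallbackToken.getPrivateKey(), samlToken.getAssertionID(), samlToken);
        } catch (Exception fallbackFailure) {
            LOGGER.log(Level.FINE, fallbackFailure.getMessage(), fallbackFailure);
            return null;
        }
    }

    /**
     * Finds the token a SecurityTokenReference points at among the tokens already collected in
     * the message's {@link WSSecurityContext}.
     *
     * <p>A reference URI (with any leading {@code #} stripped) is matched against token IDs of
     * every token kind. Only when there is no URI is the KeyIdentifier matched, and then only
     * against the assertion ID of {@link SAMLToken}s.
     *
     * @throws WSSecurityException with {@link WSSConstants#FAILURE_TOKEN_UNAVAILABLE} if nothing matches
     */
    @Override
    public SecurityToken getSecurityToken(SecurityTokenReference securityTokenReference, MessageContext messageContext) throws WSSecurityException {
        List<SecurityToken> tokens = WSSecurityContext.getSecurityContext(messageContext).getSecurityTokens();
        String referenceUri = securityTokenReference.getReferenceURI();
        if (referenceUri != null && referenceUri.startsWith("#")) {
            referenceUri = referenceUri.substring(1);
        }
        KeyIdentifier keyIdentifier = securityTokenReference.getKeyIdentifier();
        for (SecurityToken token : tokens) {
            if (referenceUri != null) {
                if (referenceUri.equals(token.getId())) {
                    return token;
                }
            } else if (keyIdentifier != null && token instanceof SAMLToken) {
                // NOTE(review): platform-default charset, as elsewhere in this class; assertion IDs
                // are expected to be ASCII - confirm the reference builder encodes them the same way.
                byte[] assertionId = ((SAMLToken) token).getAssertionID().getBytes();
                if (Arrays.equals(assertionId, keyIdentifier.getIdentifier())) {
                    return token;
                }
            }
        }
        throw new WSSecurityException("Failed to retrieve token for reference " + securityTokenReference, WSSConstants.FAILURE_TOKEN_UNAVAILABLE);
    }

    /**
     * Validates an inbound assertion after it has been unmarshalled.
     *
     * <p>Steps, in order:
     * <ol>
     *   <li>Assert the identity through CSS and store the resulting subject on the token. This
     *       step is skipped for a holder-of-key token processed with {@link Purpose#DECRYPT};
     *       the token's subject then stays unset.</li>
     *   <li>Publish any attribute statement data to the credential and to
     *       {@link WLStub#SAML_ATTRIBUTES} in the message context.</li>
     *   <li>For a holder-of-key token carrying an EncryptedKey, process it.</li>
     *   <li>For a holder-of-key token carrying a certificate, validate that certificate when
     *       running on the server and the WSS policy (if present) asks for it.</li>
     * </ol>
     *
     * @return a failed result with a message for CSS rejection or EncryptedKey errors; otherwise
     *         a result whose success flag is the outcome of the certificate check
     */
    @Override
    public SecurityTokenValidateResult validateUnmarshalled(SecurityToken securityToken, MessageContext messageContext) {
        SAMLToken samlToken = (SAMLToken) securityToken;
        String attributesKey = isSaml2() ? SAML2_ATTRIBUTES_CTX : SAML_ATTRIBUTES_CTX;
        SecurityTokenContextHandler contextHandler = newValidationContext(messageContext, attributesKey);
        SAMLCredential credential = (SAMLCredential) samlToken.getCredential();
        Object purpose = messageContext.getProperty(PURPOSE_PROP);
        if (LOGGER.isLoggable(Level.FINE)) {
            ((SAMLCredentialImpl) credential).verbose();
            LOGGER.log(Level.FINE, "Is HofK =" + samlToken.isHolderOfKey());
            if (purpose == null) {
                LOGGER.log(Level.FINE, "weblogic.xml.crypto.wss.provider.Purpose is null");
            } else {
                LOGGER.log(Level.FINE, "weblogic.xml.crypto.wss.provider.Purpose=" + purpose + " is Decryption =" + (Purpose.DECRYPT == purpose));
            }
        }
        Node assertionNode = (Node) credential.getCredential();
        boolean bypassCss = samlToken.isHolderOfKey() && Purpose.DECRYPT == purpose;
        if (bypassCss) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Bypass CSS Validation due to it is HofK and purpose =" + purpose);
            }
        } else {
            try {
                samlToken.setSubject(CSSUtils.assertIdentity(assertionNode, contextHandler, isSaml2()).getSubject());
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "asserted identity: subject is '" + samlToken.getSubject() + "'");
                }
            } catch (Exception cssFailure) {
                // Any failure from CSS means the assertion is not trusted: fail closed.
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "SAML Token is rejected by CSS", cssFailure);
                }
                return new SecurityTokenValidateResult(false, "The SAML token is not valid, it is rejected by CSS ");
            }
        }
        SAMLAttributeStatementData attributeData =
                SAMLAttributeStatementDataFactory.makeSAMLAttributeStatementData(contextHandler.getValue(attributesKey));
        if (attributeData != null) {
            logFine("Saving SAMLAttributeStatementData into SAML Credential and message context ");
            messageContext.setProperty(WLStub.SAML_ATTRIBUTES, attributeData);
            credential.setAttributes(attributeData);
        }
        if (samlToken.isHolderOfKey() && credential.getEncryptedKey() != null) {
            try {
                EncryptedKeyInfoBuilder.processEncryptedKey(credential, messageContext);
            } catch (Exception encryptedKeyFailure) {
                if (LOGGER.isLoggable(Level.FINE)) {
                    LOGGER.log(Level.FINE, "Error on processing EncryptedKey element ", encryptedKeyFailure);
                }
                return new SecurityTokenValidateResult(false, "Error in processing EncryptedKey element in the SAML Token, Exception =" + encryptedKeyFailure.toString());
            }
        }
        return new SecurityTokenValidateResult(validateHolderOfKeyCertificate(samlToken, messageContext));
    }

    /**
     * Builds the context handler passed to CSS: the target resource derived from the endpoint
     * address plus empty attribute and attribute-principal lists that CSS fills in.
     */
    private SecurityTokenContextHandler newValidationContext(MessageContext messageContext, String attributesKey) {
        SecurityTokenContextHandler contextHandler = new SecurityTokenContextHandler();
        String endpointAddress = (String) messageContext.getProperty(WlMessageContext.END_POINT_ADDRESS);
        contextHandler.addContextElement(TARGET_RESOURCE_CTX, CSSUtils.getEndpointPath(isSaml2(), endpointAddress));
        contextHandler.addContextElement(attributesKey, new ArrayList<Object>());
        contextHandler.addContextElement(ATTRIBUTE_PRINCIPALS_CTX, new ArrayList<Object>());
        return contextHandler;
    }

    /**
     * Validates the holder-of-key certificate carried by the token, if any.
     *
     * <p>Validation is skipped (result {@code true}) when the token is not holder-of-key or has
     * no certificate, when the WSS policy context is present and says HOK validation is not
     * needed, or when not running on the server.
     *
     * @return {@code false} only when the certificate was checked and failed
     */
    private boolean validateHolderOfKeyCertificate(SAMLToken samlToken, MessageContext messageContext) {
        X509Certificate holderCert = samlToken.getHolderOfCert();
        if (holderCert == null || !samlToken.isHolderOfKey()) {
            return true;
        }
        WssPolicyContext policyContext = (WssPolicyContext) messageContext.getProperty(WSS_POLICY_CTX_PROP);
        boolean validationNeeded;
        if (policyContext != null && !policyContext.getWssConfiguration().validateHOKNeeded()) {
            validationNeeded = false;
        } else {
            validationNeeded = KernelStatus.isServer();
        }
        if (!validationNeeded) {
            // The original logged this message on the wrong branch (after a successful check).
            logFine("WssPolicyContext.WSS_POLICY_CTX_PROP is set, or it is off-server case, bypass the validating Certificate");
            return true;
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "WssPolicyContext.WSS_POLICY_CTX_PROP is not set, validating Certificate  of " + holderCert.toString());
        }
        boolean valid = CertUtils.validateCertificate(holderCert);
        if (!valid) {
            LOGGER.log(Level.FINE, "Certificate is fail to validate");
        }
        return valid;
    }

    /** Post-processing validation: nothing further to check for SAML tokens. */
    @Override
    public SecurityTokenValidateResult validateProcessed(SecurityToken securityToken, MessageContext messageContext) {
        return new SecurityTokenValidateResult(true);
    }

    /**
     * @return whether {@code securityToken} carries a {@link SAMLCredential} and {@code str} is a
     *         token type or value type this handler supports
     */
    @Override
    public boolean matches(SecurityToken securityToken, String str, String str2, ContextHandler contextHandler, Purpose purpose) {
        // instanceof is false for a null credential, so no separate null check is needed
        if (securityToken == null || !(securityToken.getCredential() instanceof SAMLCredential)) {
            return false;
        }
        return isSupportedTokenType(str) || isSupportedValueType(str);
    }

    /**
     * @return the subject set by {@link #validateUnmarshalled}; may be {@code null} when CSS
     *         validation was bypassed or has not run
     */
    @Override
    public Subject getSubject(SecurityToken securityToken, MessageContext messageContext) throws WSSecurityException {
        return ((SAMLToken) securityToken).getSubject();
    }

    /** Logs a constant message at {@code FINE} without building it when the level is disabled. */
    private static void logFine(String message) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, message);
        }
    }
}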
