package org.apache.wss4j.stax.impl.securityToken;

import java.security.Key;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.x500.X500Principal;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.PublicKeyPrincipalImpl;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.utils.WSSUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.impl.securityToken.X509SecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-stax-2.1.10.jar:org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.class */
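/**
 * Base class for inbound X.509 security tokens in the StAX (streaming) WS-Security layer.
 *
 * <p>The token is backed by a keystore alias (see {@link #getAlias()}, supplied by the concrete
 * subclass). Everything security-relevant on this class is derived from that alias and from the
 * configured {@link Crypto} / {@link WSSSecurityProperties}:
 * <ul>
 *   <li>{@link #getKey} loads the private key for the alias via the password {@link CallbackHandler},
 *       falling back to the decryption {@code Crypto} from the security properties;</li>
 *   <li>{@link #getX509Certificates()} lazily resolves the certificate chain for the alias;</li>
 *   <li>{@link #verify()} checks trust of the chain (optionally with revocation and Subject DN
 *       constraints) and then the Issuer DN constraints against the leaf certificate.</li>
 * </ul>
 *
 * <p>Thread-safety: no synchronisation is done; the cached {@link #principal} is a plain field.
 * Tokens are expected to be confined to the processing of a single inbound message.
 *
 * <p>Note: this listing is decompiled. The decompiler recorded the constructor, {@link #getCrypto()}
 * and {@link #setCrypto(Crypto)} as originally {@code protected}; they are kept {@code public} here so
 * the visible interface is unchanged.
 */
public abstract class X509SecurityTokenImpl extends X509SecurityToken implements org.apache.wss4j.stax.securityToken.X509SecurityToken {

    private static final Logger LOG = LoggerFactory.getLogger(X509SecurityTokenImpl.class);

    private CallbackHandler callbackHandler;
    private Crypto crypto;
    /** May be {@code null}; every reader must cope with that (see {@link #verify()} and {@link #getKey}). */
    private WSSSecurityProperties securityProperties;
    /** Lazily computed by {@link #getPrincipal()} and cached for the lifetime of the token. */
    private Principal principal;

    /**
     * @param tokenType the WS-Security token type of this token
     * @param wSInboundSecurityContext the inbound security context the token belongs to
     * @param crypto the primary {@link Crypto} used to look up keys and certificates for the alias
     * @param callbackHandler handler asked for the private-key password in {@link #getKey}
     * @param id the token id (wsu:Id) passed through to the superclass
     * @param keyIdentifier how the token was referenced in the message
     * @param wSSSecurityProperties security configuration; may be {@code null}
     * @param includedInMessage passed through to the superclass
     */
    public X509SecurityTokenImpl(SecurityTokenConstants.TokenType tokenType, WSInboundSecurityContext wSInboundSecurityContext, Crypto crypto, CallbackHandler callbackHandler, String id, SecurityTokenConstants.KeyIdentifier keyIdentifier, WSSSecurityProperties wSSSecurityProperties, boolean includedInMessage) {
        super(tokenType, wSInboundSecurityContext, id, keyIdentifier, includedInMessage);
        this.crypto = crypto;
        this.callbackHandler = callbackHandler;
        this.securityProperties = wSSSecurityProperties;
    }

    /** @return the primary {@link Crypto} this token resolves keys and certificates against */
    public Crypto getCrypto() {
        return this.crypto;
    }

    /** Replaces the primary {@link Crypto}; affects all subsequent key/certificate lookups. */
    public void setCrypto(Crypto crypto) {
        this.crypto = crypto;
    }

    /** @return the handler used to obtain the private-key password */
    public CallbackHandler getCallbackHandler() {
        return this.callbackHandler;
    }

    /**
     * Loads the private key for this token's alias.
     *
     * <p>The password is requested from the {@link CallbackHandler} with usage
     * {@link WSPasswordCallback#DECRYPT}. The primary {@link Crypto} is tried first; if it throws,
     * the decryption {@code Crypto} from the security properties is tried as a fallback, but only
     * when it is a distinct instance (retrying the same object would fail the same way). When no
     * usable fallback exists the <em>original</em> exception is rethrown so the caller sees the
     * real cause.
     *
     * <p>NOTE(review): the fallback is attempted regardless of {@code algorithmUsage}; whether a
     * signature-verification lookup should ever consult the decryption Crypto is a policy question
     * not decided here.
     *
     * @param algorithmURI unused here
     * @param algorithmUsage unused here
     * @param correlationID unused here
     * @return the private key for {@link #getAlias()}
     * @throws XMLSecurityException if the alias cannot be resolved or the password callback fails
     */
    @Override // org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken
    public Key getKey(String algorithmURI, XMLSecurityConstants.AlgorithmUsage algorithmUsage, String correlationID) throws XMLSecurityException {
        WSPasswordCallback pwCb = new WSPasswordCallback(getAlias(), WSPasswordCallback.DECRYPT);
        WSSUtils.doPasswordCallback(getCallbackHandler(), pwCb);
        try {
            return getCrypto().getPrivateKey(getAlias(), pwCb.getPassword());
        } catch (WSSecurityException ex) {
            // securityProperties may legitimately be null (verify() already tolerates that);
            // dereferencing it unguarded would throw an NPE that masks the real failure.
            Crypto decCrypto = this.securityProperties == null
                ? null : this.securityProperties.getDecryptionCrypto();
            if (decCrypto == null || decCrypto == getCrypto()) {
                throw ex;
            }
            return decCrypto.getPrivateKey(getAlias(), pwCb.getPassword());
        }
    }

    /**
     * Returns the certificate chain for this token, resolving it from the primary {@link Crypto}
     * by alias on first use if the superclass does not already hold one.
     *
     * @return the chain, or {@code null} if neither the superclass nor the alias lookup yields one
     * @throws XMLSecurityException if the alias or the keystore lookup fails
     */
    @Override // org.apache.xml.security.stax.impl.securityToken.AbstractSecurityToken, org.apache.xml.security.stax.securityToken.SecurityToken
    public X509Certificate[] getX509Certificates() throws XMLSecurityException {
        if (super.getX509Certificates() == null) {
            String alias = getAlias();
            if (alias != null) {
                CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
                cryptoType.setAlias(alias);
                setX509Certificates(getCrypto().getX509Certificates(cryptoType));
            }
        }
        return super.getX509Certificates();
    }

    /**
     * Verifies the token's certificate chain.
     *
     * <ol>
     *   <li>Trust of the whole chain is delegated to {@link Crypto#verifyTrust}, together with the
     *       revocation flag and the Subject DN constraints from the security properties.</li>
     *   <li>The Issuer DN constraints are then checked against the <em>leaf</em> certificate only
     *       ({@code certs[0]}); a mismatch is reported as {@code FAILED_AUTHENTICATION}.</li>
     * </ol>
     *
     * <p>If the security properties are {@code null}, revocation checking is off and no DN
     * constraints apply.
     *
     * <p>NOTE(review): a token that yields no certificates at all returns silently from this method,
     * i.e. it is treated as verified without any trust check. Whether that is acceptable depends
     * on which subclasses can reach this state — confirm against the concrete token types.
     *
     * @throws XMLSecurityException if trust verification fails or an Issuer DN constraint is violated
     */
    @Override // org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken, org.apache.xml.security.stax.securityToken.InboundSecurityToken
    public void verify() throws XMLSecurityException {
        X509Certificate[] certs = getX509Certificates();
        if (certs == null || certs.length == 0) {
            return;
        }
        boolean enableRevocation = false;
        Collection<Pattern> subjectCertConstraints = null;
        Collection<Pattern> issuerDNConstraints = null;
        if (this.securityProperties != null) {
            enableRevocation = this.securityProperties.isEnableRevocation();
            subjectCertConstraints = this.securityProperties.getSubjectCertConstraints();
            issuerDNConstraints = this.securityProperties.getIssuerDNConstraints();
        }
        getCrypto().verifyTrust(certs, enableRevocation, subjectCertConstraints);
        if (!matchesIssuerDnPattern(certs[0], issuerDNConstraints)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Checks the certificate's Issuer DN against the configured patterns.
     *
     * <p>NOTE(review): the issuer string comes from {@code getIssuerDN().getName()}, whereas
     * {@link #matches} compares the subject via {@code getSubjectX500Principal().getName()}
     * (RFC 2253 form). The two accessors may render the same DN differently, so issuer and
     * subject patterns must be written against the respective format; this is left unchanged
     * here so existing pattern configurations keep matching.
     *
     * @param x509Certificate certificate to check; {@code null} never matches
     * @param collection issuer patterns; {@code null} or empty means "no constraint" (matches)
     * @return whether the issuer satisfies the constraints
     */
    protected boolean matchesIssuerDnPattern(X509Certificate x509Certificate, Collection<Pattern> collection) {
        if (x509Certificate == null) {
            LOG.debug("The certificate is null so no constraints matching was possible");
            return false;
        }
        return matchesName(x509Certificate.getIssuerDN().getName(), collection);
    }

    /**
     * Matches a DN string against a pattern collection.
     *
     * @return {@code true} if no patterns are configured, or at least one pattern fully matches;
     *         {@code false} for a {@code null}/empty name when patterns are configured
     */
    private boolean matchesName(String str, Collection<Pattern> collection) {
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        if (str == null || str.isEmpty()) {
            LOG.debug("The name is null so no constraints matching was possible");
            return false;
        }
        return anyPatternMatches("Name", str, collection);
    }

    /**
     * Checks the certificate's Subject DN (RFC 2253 form) against the configured patterns.
     *
     * <p>An absent or empty pattern collection is treated as "no constraint" and matches, but a
     * warning is logged because that disables Subject DN filtering entirely. A {@code null}
     * collection previously threw {@link NullPointerException}; it is now handled the same way as
     * an empty one, consistent with {@link #matchesName}.
     *
     * @param x509Certificate certificate to check; {@code null} never matches
     * @param collection subject patterns; {@code null} or empty means "no constraint"
     * @return whether the Subject DN satisfies the constraints
     */
    protected boolean matches(X509Certificate x509Certificate, Collection<Pattern> collection) {
        if (collection == null || collection.isEmpty()) {
            LOG.warn("No Subject DN Certificate Constraints were defined. This could be a security issue");
            return true;
        }
        if (x509Certificate == null) {
            LOG.debug("The certificate is null so no constraints matching was possible");
            return false;
        }
        String subjectName = x509Certificate.getSubjectX500Principal().getName();
        return anyPatternMatches("Subject DN", subjectName, collection);
    }

    /**
     * Returns {@code true} as soon as one pattern fully matches {@code name}
     * ({@link java.util.regex.Matcher#matches()}, i.e. the whole string, not a substring).
     *
     * @param label prefix for the debug message ("Name" or "Subject DN")
     */
    private static boolean anyPatternMatches(String label, String name, Collection<Pattern> patterns) {
        for (Pattern pattern : patterns) {
            if (pattern.matcher(name).matches()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug(label + " " + name + " matches with pattern " + pattern);
                }
                return true;
            }
        }
        return false;
    }

    /** @return the keystore alias this token resolves to; {@code null} if none could be determined */
    protected abstract String getAlias() throws XMLSecurityException;

    /** X.509 tokens carry no JAAS subject. */
    @Override // org.apache.wss4j.stax.securityToken.SubjectAndPrincipalSecurityToken
    public Subject getSubject() throws WSSecurityException {
        return null;
    }

    /**
     * Returns the principal represented by this token, computing and caching it on first call:
     * the Subject {@link X500Principal} of the leaf certificate when a chain is available,
     * otherwise a {@link PublicKeyPrincipalImpl} wrapping the bare public key.
     *
     * <p>This does not call {@link #verify()}; the principal is purely what the token claims.
     *
     * @throws WSSecurityException ({@code INVALID_SECURITY_TOKEN}) if the certificates or public
     *         key cannot be resolved
     */
    @Override // org.apache.wss4j.stax.securityToken.SubjectAndPrincipalSecurityToken
    public Principal getPrincipal() throws WSSecurityException {
        if (this.principal != null) {
            return this.principal;
        }
        try {
            X509Certificate[] certs = getX509Certificates();
            if (certs == null || certs.length == 0) {
                this.principal = new PublicKeyPrincipalImpl(getPublicKey());
            } else {
                this.principal = certs[0].getSubjectX500Principal();
            }
            return this.principal;
        } catch (XMLSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
        }
    }

    /**
     * Returns the token type, downgrading {@code X509V3Token} to {@code X509V1Token} when the
     * leaf certificate already held by the superclass reports version 1.
     *
     * <p>Only {@code super.getX509Certificates()} is consulted, so this never triggers an alias
     * lookup. A lookup failure is deliberately not propagated: the declared type is returned and
     * the cause logged at debug level.
     */
    @Override // org.apache.xml.security.stax.impl.securityToken.X509SecurityToken, org.apache.xml.security.stax.securityToken.SecurityToken
    public SecurityTokenConstants.TokenType getTokenType() {
        SecurityTokenConstants.TokenType tokenType = super.getTokenType();
        if (!WSSecurityTokenConstants.X509V3Token.equals(tokenType)) {
            return tokenType;
        }
        try {
            X509Certificate[] certs = super.getX509Certificates();
            if (certs != null && certs.length > 0 && certs[0].getVersion() == 1) {
                return WSSecurityTokenConstants.X509V1Token;
            }
        } catch (XMLSecurityException e) {
            LOG.debug("Could not inspect certificate version; keeping declared token type", e);
        }
        return tokenType;
    }
}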
