package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.PKIPathSecurity;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecuredParts;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.EncryptedElements;
import org.apache.wss4j.policy.model.EncryptedParts;
import org.apache.wss4j.policy.model.Header;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.RequiredElements;
import org.apache.wss4j.policy.model.SignedElements;
import org.apache.wss4j.policy.model.SignedParts;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.XPath;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-3.5.4.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.class */
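/**
 * Common validation logic for WS-SecurityPolicy SupportingTokens assertions (Signed, Encrypted,
 * Endorsing and their combinations).
 *
 * <p>Subclasses state, through {@link #isSigned()}, {@link #isEncrypted()} and {@link #isEndorsing()},
 * which protections the policy demands of the supporting token. The {@code processXxxTokens} methods
 * then locate the token results of one kind (UsernameToken, SAML, Kerberos, X.509, KeyValue,
 * SecurityContextToken) and check, against the WSS4J results of the current message, that:
 * <ol>
 *   <li>every token element was signed (unless the message arrived over TLS) and encrypted
 *       (unless {@link #setEnforceEncryptedTokens(boolean)} disabled that check);</li>
 *   <li>for endorsing tokens, the token key (or a DerivedKeyToken derived from it) signed the
 *       Timestamp over TLS, or the message Signature otherwise;</li>
 *   <li>the SignedParts/SignedElements/EncryptedParts/EncryptedElements nested in the
 *       SupportingTokens assertion were protected with the token key.</li>
 * </ol>
 *
 * <p>Every check fails closed: a missing result, element or credential yields {@code false}.
 * This class is not thread-safe; the nested-parts setters are expected to be called before
 * validation by the owning validator.
 */
public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSecurityPolicyValidator {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class);

    /** XML Encryption namespace, used to recognise an {@code xenc:EncryptedData} element. */
    private static final String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    /** TokenType values a RequestSecurityTokenTemplate uses to request a SAML 1.1 / 2.0 assertion. */
    private static final String SAML1_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    /** JAXP secure-processing feature URI (same value as javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING). */
    private static final String FEATURE_SECURE_PROCESSING =
        "http://javax.xml.XMLConstants/feature/secure-processing";

    // Parts/elements nested inside the SupportingTokens assertion; null means nothing is required.
    private SignedElements signedElements;
    private EncryptedElements encryptedElements;
    private SignedParts signedParts;
    private EncryptedParts encryptedParts;
    // When false, areTokensEncrypted() accepts unencrypted tokens even for an Encrypted*SupportingTokens policy.
    private boolean enforceEncryptedTokens = true;

    /** @return {@code true} if the policy requires the supporting token to be signed. */
    protected abstract boolean isSigned();

    /** @return {@code true} if the policy requires the supporting token to be encrypted. */
    protected abstract boolean isEncrypted();

    /** @return {@code true} if the policy requires the supporting token to endorse the message signature. */
    protected abstract boolean isEndorsing();

    /**
     * Validates the UsernameToken results of the message against this supporting-token policy.
     *
     * @param parameters results and message context of the current validation
     * @param derived whether a DerivedKeyToken derived from a token secret may act on the token's behalf
     * @return {@code true} if the policy is satisfied. Also {@code true} when UsernameTokens are not
     *         processed with callbacks, because their secrets are not available for validation here.
     */
    public boolean processUsernameTokens(PolicyValidatorParameters parameters, boolean derived) {
        if (!parameters.isUtWithCallbacks()) {
            return true;
        }
        List<WSSecurityEngineResult> tokens = new ArrayList<>(parameters.getUsernameTokenResults());
        if (tokens.isEmpty() || !areTokensProtected(tokens, parameters)) {
            return false;
        }
        if (derived && hasDerivedKeys(parameters)) {
            tokens.addAll(findDerivedKeysForSecrets(tokens, parameters.getResults()));
        }
        return checkEndorsingAndSecuredParts(tokens, parameters);
    }

    /**
     * Validates the SAML assertion results of the message against this supporting-token policy.
     * Derived keys are matched on the secret carried in the assertion's subject KeyInfo.
     *
     * @param parameters results and message context of the current validation
     * @param derived whether a DerivedKeyToken derived from the subject secret may act on the token's behalf
     * @return {@code true} if the policy is satisfied
     */
    public boolean processSAMLTokens(PolicyValidatorParameters parameters, boolean derived) {
        List<WSSecurityEngineResult> tokens = new ArrayList<>(parameters.getSamlResults());
        if (tokens.isEmpty() || !areTokensProtected(tokens, parameters)) {
            return false;
        }
        if (derived && hasDerivedKeys(parameters)) {
            List<WSSecurityEngineResult> derivedKeys = new ArrayList<>(tokens.size());
            for (WSSecurityEngineResult token : tokens) {
                byte[] subjectSecret = samlSubjectSecret(token);
                WSSecurityEngineResult dkt = subjectSecret == null
                    ? null : getMatchingDerivedKey(subjectSecret, parameters.getResults());
                if (dkt != null) {
                    derivedKeys.add(dkt);
                }
            }
            tokens.addAll(derivedKeys);
        }
        return checkEndorsingAndSecuredParts(tokens, parameters);
    }

    /**
     * Validates the Kerberos BinarySecurityToken results of the message against this policy.
     *
     * @param parameters results and message context of the current validation
     * @param derived whether a DerivedKeyToken derived from the token secret may act on the token's behalf
     * @return {@code true} if at least one Kerberos token is present and the policy is satisfied
     */
    public boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
        List<WSSecurityEngineResult> tokens =
            findBinarySecurityTokens(parameters.getResults(), KerberosSecurity.class);
        if (tokens.isEmpty() || !areTokensProtected(tokens, parameters)) {
            return false;
        }
        if (derived && hasDerivedKeys(parameters)) {
            tokens.addAll(findDerivedKeysForSecrets(tokens, parameters.getResults()));
        }
        return checkEndorsingAndSecuredParts(tokens, parameters);
    }

    /**
     * Validates the X.509 (and PKIPath) BinarySecurityToken results of the message against this policy.
     * A derived key is matched through the EncryptedKey that was encrypted for the token certificate.
     *
     * @param parameters results and message context of the current validation
     * @param derived whether a DerivedKeyToken may act on the token's behalf
     * @return {@code true} if at least one X.509 token is present and the policy is satisfied
     */
    public boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
        List<WSSecurityEngineResult> tokens =
            findBinarySecurityTokens(parameters.getResults(), X509Security.class, PKIPathSecurity.class);
        if (tokens.isEmpty() || !areTokensProtected(tokens, parameters)) {
            return false;
        }
        if (derived && hasDerivedKeys(parameters)) {
            List<WSSecurityEngineResult> derivedKeys = new ArrayList<>(tokens.size());
            for (WSSecurityEngineResult token : tokens) {
                WSSecurityEngineResult dkt = processX509DerivedTokenResult(token, parameters.getResults());
                if (dkt != null) {
                    derivedKeys.add(dkt);
                }
            }
            tokens.addAll(derivedKeys);
        }
        return checkEndorsingAndSecuredParts(tokens, parameters);
    }

    /**
     * Validates KeyValue tokens, i.e. signatures whose KeyInfo carried a bare public key.
     * Such tokens have no separate token element; the signature results that expose a public key
     * stand in for them.
     *
     * @param parameters results and message context of the current validation
     * @return {@code true} if at least one KeyValue signature is present and the policy is satisfied
     */
    public boolean processKeyValueTokens(PolicyValidatorParameters parameters) {
        List<WSSecurityEngineResult> tokens = new ArrayList<>();
        List<WSSecurityEngineResult> signedResults = parameters.getSignedResults();
        if (signedResults != null) {
            for (WSSecurityEngineResult signedResult : signedResults) {
                if (signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY) != null) {
                    tokens.add(signedResult);
                }
            }
        }
        if (tokens.isEmpty() || !areTokensProtected(tokens, parameters)) {
            return false;
        }
        return checkEndorsingAndSecuredParts(tokens, parameters);
    }

    /**
     * Validates the SecurityContextToken results of the message against this policy.
     *
     * @param parameters results and message context of the current validation
     * @param derived whether a DerivedKeyToken derived from the token secret may act on the token's behalf
     * @return {@code true} if SecurityContextToken results are present and the policy is satisfied
     */
    public boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) {
        List<WSSecurityEngineResult> sctResults = parameters.getResults().getActionResults().get(WSConstants.SCT);
        if (sctResults == null) {
            return false;
        }
        List<WSSecurityEngineResult> tokens = new ArrayList<>(sctResults);
        if (!areTokensProtected(tokens, parameters)) {
            return false;
        }
        if (derived && hasDerivedKeys(parameters)) {
            tokens.addAll(findDerivedKeysForSecrets(tokens, parameters.getResults()));
        }
        return checkEndorsingAndSecuredParts(tokens, parameters);
    }

    /**
     * Applies the Signed / Encrypted requirements of this policy to the given token results.
     *
     * @return {@code true} if every required protection is present (or not required)
     */
    private boolean areTokensProtected(List<WSSecurityEngineResult> tokens, PolicyValidatorParameters parameters) {
        if (isSigned() && !areTokensSigned(tokens, parameters.getSignedResults(),
                                           parameters.getEncryptedResults(), parameters.getMessage())) {
            return false;
        }
        return !isEncrypted() || areTokensEncrypted(tokens, parameters.getEncryptedResults());
    }

    /**
     * Applies the Endorsing requirement and then the nested SignedParts/SignedElements/
     * EncryptedParts/EncryptedElements requirements to the given tokens (which may already include
     * matching derived-key results).
     */
    private boolean checkEndorsingAndSecuredParts(List<WSSecurityEngineResult> tokens,
                                                  PolicyValidatorParameters parameters) {
        if (isEndorsing() && !checkEndorsed(tokens, parameters.getSignedResults(),
                                            parameters.getMessage(), parameters.getTimestampElement())) {
            return false;
        }
        return validateSignedEncryptedPolicies(tokens, parameters.getSignedResults(),
                                               parameters.getEncryptedResults(), parameters.getMessage());
    }

    /** @return {@code true} if the message carried at least one DerivedKeyToken result. */
    private static boolean hasDerivedKeys(PolicyValidatorParameters parameters) {
        return parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
    }

    /**
     * Collects the BinarySecurityToken results whose token object is an instance of one of
     * {@code tokenTypes}.
     *
     * @return a new mutable list; empty when no BST results exist
     */
    private static List<WSSecurityEngineResult> findBinarySecurityTokens(WSHandlerResult results,
                                                                         Class<?>... tokenTypes) {
        List<WSSecurityEngineResult> found = new ArrayList<>();
        List<WSSecurityEngineResult> bstResults = results.getActionResults().get(WSConstants.BST);
        if (bstResults == null) {
            return found;
        }
        for (WSSecurityEngineResult bstResult : bstResults) {
            Object token = bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            for (Class<?> type : tokenTypes) {
                if (type.isInstance(token)) {
                    found.add(bstResult);
                    break;
                }
            }
        }
        return found;
    }

    /**
     * Finds, for each token that exposes a secret, the DerivedKeyToken result derived from that secret.
     * Tokens without a secret are skipped rather than matched against a key-less derived-key result.
     *
     * @return a new list of matching derived-key results (possibly empty)
     */
    private List<WSSecurityEngineResult> findDerivedKeysForSecrets(List<WSSecurityEngineResult> tokens,
                                                                   WSHandlerResult results) {
        List<WSSecurityEngineResult> derivedKeys = new ArrayList<>(tokens.size());
        for (WSSecurityEngineResult token : tokens) {
            byte[] secret = (byte[]) token.get(WSSecurityEngineResult.TAG_SECRET);
            WSSecurityEngineResult dkt = secret == null ? null : getMatchingDerivedKey(secret, results);
            if (dkt != null) {
                derivedKeys.add(dkt);
            }
        }
        return derivedKeys;
    }

    /** @return the secret from the assertion's subject KeyInfo, or {@code null} if there is none. */
    private static byte[] samlSubjectSecret(WSSecurityEngineResult samlResult) {
        SamlAssertionWrapper assertion =
            (SamlAssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        SAMLKeyInfo keyInfo = assertion == null ? null : assertion.getSubjectKeyInfo();
        return keyInfo == null ? null : keyInfo.getSecret();
    }

    /**
     * Checks the nested SignedParts, EncryptedParts, SignedElements and EncryptedElements of the
     * SupportingTokens assertion, each of which must have been protected with one of {@code tokens}.
     */
    private boolean validateSignedEncryptedPolicies(List<WSSecurityEngineResult> tokens,
                                                    List<WSSecurityEngineResult> signedResults,
                                                    List<WSSecurityEngineResult> encryptedResults,
                                                    Message message) {
        return validateSignedEncryptedParts(this.signedParts, false, signedResults, tokens, message)
            && validateSignedEncryptedParts(this.encryptedParts, true, encryptedResults, tokens, message)
            && validateSignedEncryptedElements(this.signedElements, signedResults, tokens, message)
            && validateSignedEncryptedElements(this.encryptedElements, encryptedResults, tokens, message);
    }

    /**
     * Resolves the DerivedKeyToken that belongs to an X.509 token: the EncryptedKey encrypted for the
     * token certificate yields the secret, and the derived key derived from that secret is returned.
     *
     * @return the derived-key result, or {@code null} if either link is missing
     */
    private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult x509Result,
                                                                 WSHandlerResult results) {
        X509Certificate cert = (X509Certificate) x509Result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        WSSecurityEngineResult encryptedKey = getMatchingEncryptedKey(cert, results);
        if (encryptedKey == null) {
            return null;
        }
        byte[] secret = (byte[]) encryptedKey.get(WSSecurityEngineResult.TAG_SECRET);
        return secret == null ? null : getMatchingDerivedKey(secret, results);
    }

    /** @return the first DerivedKeyToken result whose secret equals {@code secret}, or {@code null}. */
    private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret, WSHandlerResult results) {
        List<WSSecurityEngineResult> dktResults = results.getActionResults().get(WSConstants.DKT);
        if (dktResults == null) {
            return null;
        }
        for (WSSecurityEngineResult dktResult : dktResults) {
            if (Arrays.equals(secret, (byte[]) dktResult.get(WSSecurityEngineResult.TAG_SECRET))) {
                return dktResult;
            }
        }
        return null;
    }

    /** @return the first EncryptedKey result encrypted for {@code cert}, or {@code null}. */
    private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert, WSHandlerResult results) {
        if (cert == null) {
            return null;
        }
        List<WSSecurityEngineResult> encrResults = results.getActionResults().get(WSConstants.ENCR);
        if (encrResults == null) {
            return null;
        }
        for (WSSecurityEngineResult encrResult : encrResults) {
            if (cert.equals(encrResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE))) {
                return encrResult;
            }
        }
        return null;
    }

    /**
     * @param message the current message
     * @return {@code true} if the message was received over a TLS connection (a TLSSessionInfo is present)
     */
    public boolean isTLSInUse(Message message) {
        return message.get(TLSSessionInfo.class) != null;
    }

    /**
     * Endorsing check: over TLS the token key must have signed the Timestamp (a signed Signature is
     * also accepted); otherwise it must have signed the message Signature element.
     */
    private boolean checkEndorsed(List<WSSecurityEngineResult> tokens, List<WSSecurityEngineResult> signedResults,
                                  Message message, Element timestamp) {
        if (isTLSInUse(message) && checkTimestampIsSigned(tokens, signedResults, timestamp)) {
            return true;
        }
        return checkSignatureIsSigned(tokens, signedResults);
    }

    /**
     * @return {@code true} if every token element is covered by a signature, or the message arrived over
     *         TLS (transport protection counts as signing for supporting tokens)
     */
    private boolean areTokensSigned(List<WSSecurityEngineResult> tokens, List<WSSecurityEngineResult> signedResults,
                                    List<WSSecurityEngineResult> encryptedResults, Message message) {
        if (isTLSInUse(message)) {
            return true;
        }
        for (WSSecurityEngineResult token : tokens) {
            Element tokenElement = (Element) token.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (tokenElement == null || !isTokenSigned(tokenElement, signedResults, encryptedResults)) {
                return false;
            }
        }
        return true;
    }

    /**
     * @return {@code true} if every token element is covered by an encryption result, or the check is
     *         disabled via {@link #setEnforceEncryptedTokens(boolean)}
     */
    private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokens,
                                       List<WSSecurityEngineResult> encryptedResults) {
        if (!this.enforceEncryptedTokens) {
            return true;
        }
        for (WSSecurityEngineResult token : tokens) {
            Element tokenElement = (Element) token.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
            if (tokenElement == null || !isTokenEncrypted(tokenElement, encryptedResults)) {
                return false;
            }
        }
        return true;
    }

    /** @return {@code true} if a signature made with one of {@code tokens} covers {@code timestamp}. */
    private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokens,
                                           List<WSSecurityEngineResult> signedResults, Element timestamp) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> refs = dataRefs(signedResult);
            if (refs == null) {
                continue;
            }
            for (WSDataRef ref : refs) {
                // Identity comparison: the data ref points at the very DOM node of the Timestamp.
                if (timestamp == ref.getProtectedElement()
                    && checkSignatureOrEncryptionResult(signedResult, tokens)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** @return {@code true} if a signature made with one of {@code tokens} covers a ds:Signature element. */
    private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokens,
                                           List<WSSecurityEngineResult> signedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> refs = dataRefs(signedResult);
            if (refs == null || refs.isEmpty()) {
                continue;
            }
            for (WSDataRef ref : refs) {
                if (WSConstants.SIGNATURE.equals(ref.getName())
                    && checkSignatureOrEncryptionResult(signedResult, tokens)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Checks whether the credential that produced {@code result} (its certificate, secret or public key)
     * belongs to one of {@code tokens}: an X.509 token by certificate, a SAML token by the certificate,
     * secret or public key of its subject KeyInfo, any other token by secret / encrypted ephemeral key
     * when the result has no public key, and by public key otherwise.
     */
    private boolean checkSignatureOrEncryptionResult(WSSecurityEngineResult result,
                                                     List<WSSecurityEngineResult> tokens) {
        X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
        PublicKey publicKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);

        for (WSSecurityEngineResult token : tokens) {
            Integer action = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
            BinarySecurity bst = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (bst instanceof X509Security || bst instanceof PKIPathSecurity) {
                X509Certificate tokenCert =
                    (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (tokenCert != null && tokenCert.equals(cert)) {
                    return true;
                }
            } else if (action != null
                && (action == WSConstants.ST_SIGNED || action == WSConstants.ST_UNSIGNED)) {
                SamlAssertionWrapper assertion =
                    (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                if (samlKeyMatches(assertion, cert, secret, publicKey)) {
                    return true;
                }
            } else if (publicKey == null) {
                byte[] tokenSecret = (byte[]) token.get(WSSecurityEngineResult.TAG_SECRET);
                byte[] ephemeralKey = (byte[]) token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
                if ((tokenSecret != null && Arrays.equals(tokenSecret, secret))
                    || (ephemeralKey != null && Arrays.equals(ephemeralKey, secret))) {
                    return true;
                }
            } else if (publicKey.equals(token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY))) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return {@code true} if the subject KeyInfo of {@code assertion} carries {@code cert} as first
     *         certificate, {@code secret}, or {@code publicKey}; {@code false} when there is no KeyInfo
     */
    private static boolean samlKeyMatches(SamlAssertionWrapper assertion, X509Certificate cert,
                                          byte[] secret, PublicKey publicKey) {
        SAMLKeyInfo keyInfo = assertion == null ? null : assertion.getSubjectKeyInfo();
        if (keyInfo == null) {
            return false;
        }
        X509Certificate[] certs = keyInfo.getCerts();
        if (cert != null && certs != null && certs.length > 0 && cert.equals(certs[0])) {
            return true;
        }
        byte[] subjectSecret = keyInfo.getSecret();
        if (subjectSecret != null && Arrays.equals(subjectSecret, secret)) {
            return true;
        }
        PublicKey subjectKey = keyInfo.getPublicKey();
        return subjectKey != null && subjectKey.equals(publicKey);
    }

    /**
     * Checks that the Body (if required) and each required header of the SOAP message appear among
     * {@code protectionResults} and were protected with one of {@code tokens}.
     *
     * @param parts the SignedParts / EncryptedParts assertion, or {@code null} if none
     * @param content whether the expected data reference is a content (#Content) reference,
     *        which is what an encrypted Body produces; headers are always matched as element references
     * @return {@code true} if nothing is required or everything required is protected; {@code false}
     *         also when the SOAP message is unavailable or cannot be inspected
     */
    private boolean validateSignedEncryptedParts(AbstractSecuredParts parts, boolean content,
                                                 List<WSSecurityEngineResult> protectionResults,
                                                 List<WSSecurityEngineResult> tokens, Message message) {
        if (parts == null) {
            return true;
        }
        SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
        try {
            if (parts.isBody()) {
                if (soapMessage == null
                    || !checkProtectionResult(soapMessage.getSOAPBody(), content, protectionResults, tokens)) {
                    return false;
                }
            }
            for (Header header : parts.getHeaders()) {
                if (soapMessage == null) {
                    return false;
                }
                SOAPHeader soapHeader = soapMessage.getSOAPHeader();
                // A Header assertion without a Name matches every header in its namespace.
                List<Element> matches = header.getName() == null
                    ? DOMUtils.getChildrenWithNamespace(soapHeader, header.getNamespace())
                    : DOMUtils.getChildrenWithName(soapHeader, header.getNamespace(), header.getName());
                for (Element match : matches) {
                    if (!checkProtectionResult(match, false, protectionResults, tokens)) {
                        return false;
                    }
                }
            }
        } catch (SOAPException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            return false;
        }
        return true;
    }

    /**
     * @return {@code true} if one of {@code protectionResults} references exactly {@code element}
     *         (same DOM node, matching content/element reference kind) and was produced with one of
     *         {@code tokens}
     */
    private boolean checkProtectionResult(Element element, boolean content,
                                          List<WSSecurityEngineResult> protectionResults,
                                          List<WSSecurityEngineResult> tokens) {
        // Unwrap SAAJ wrappers so the identity comparison below sees the underlying DOM node.
        Element domElement = (Element) DOMUtils.getDomElement(element);
        for (WSSecurityEngineResult protectionResult : protectionResults) {
            List<WSDataRef> refs = dataRefs(protectionResult);
            if (refs == null) {
                continue;
            }
            for (WSDataRef ref : refs) {
                if (domElement == ref.getProtectedElement()
                    && content == ref.isContent()
                    && checkSignatureOrEncryptionResult(protectionResult, tokens)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Evaluates every XPath of a SignedElements / EncryptedElements assertion against the SOAP
     * envelope and checks that each selected element was protected with one of {@code tokens}.
     *
     * @return {@code true} if nothing is required or every selected element is protected
     */
    private boolean validateSignedEncryptedElements(RequiredElements required,
                                                    List<WSSecurityEngineResult> protectionResults,
                                                    List<WSSecurityEngineResult> tokens, Message message) {
        if (required == null) {
            return true;
        }
        List<XPath> xpaths = required.getXPaths();
        if (xpaths == null || xpaths.isEmpty()) {
            return true;
        }
        SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
        if (soapMessage == null) {
            return false;
        }
        Element envelope = soapMessage.getSOAPPart().getDocumentElement();
        javax.xml.xpath.XPath evaluator = newSecureXPath(xpaths);
        for (XPath xpath : xpaths) {
            if (!checkXPathResult(envelope, evaluator, xpath.getXPath(), protectionResults, tokens)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Builds an XPath evaluator with secure processing requested and the prefix/namespace bindings
     * declared on the policy XPaths.
     */
    private static javax.xml.xpath.XPath newSecureXPath(List<XPath> xpaths) {
        XPathFactory factory = XPathFactory.newInstance();
        try {
            factory.setFeature(FEATURE_SECURE_PROCESSING, true);
        } catch (XPathFactoryConfigurationException e) {
            // Previously ignored silently; the feature bounds the resources policy XPaths may
            // consume, so record that this implementation did not accept it.
            LOG.log(Level.FINE, "XPath secure processing could not be enabled: " + e.getMessage(), e);
        }
        javax.xml.xpath.XPath evaluator = factory.newXPath();
        MapNamespaceContext namespaceContext = new MapNamespaceContext();
        for (XPath xpath : xpaths) {
            Map<String, String> prefixes = xpath.getPrefixNamespaceMap();
            if (prefixes != null) {
                namespaceContext.addNamespaces(prefixes);
            }
        }
        evaluator.setNamespaceContext(namespaceContext);
        return evaluator;
    }

    /**
     * @return {@code true} if every element selected by {@code expression} is protected with one of
     *         {@code tokens}; selecting nothing counts as satisfied, an invalid expression does not
     */
    private boolean checkXPathResult(Element envelope, javax.xml.xpath.XPath evaluator, String expression,
                                     List<WSSecurityEngineResult> protectionResults,
                                     List<WSSecurityEngineResult> tokens) {
        try {
            NodeList selected = (NodeList) evaluator.evaluate(expression, envelope, XPathConstants.NODESET);
            for (int i = 0; i < selected.getLength(); i++) {
                if (!checkProtectionResult((Element) selected.item(i), false, protectionResults, tokens)) {
                    return false;
                }
            }
            return true;
        } catch (XPathExpressionException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            return false;
        }
    }

    /**
     * @return {@code true} if {@code token} is referenced directly by a signature, or is referenced by an
     *         encryption result whose EncryptedData element is in turn signed
     */
    private boolean isTokenSigned(Element token, List<WSSecurityEngineResult> signedResults,
                                  List<WSSecurityEngineResult> encryptedResults) {
        for (WSSecurityEngineResult signedResult : signedResults) {
            List<WSDataRef> refs = dataRefs(signedResult);
            if (refs == null) {
                // A signature result without data refs used to throw here; skip it like the
                // other data-ref scans do (a token it cannot reference is not signed by it).
                continue;
            }
            for (WSDataRef ref : refs) {
                if (token == ref.getProtectedElement() || isEncryptedTokenSigned(token, ref, encryptedResults)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Handles the encrypt-then-sign case: {@code signedRef} must point at an {@code xenc:EncryptedData}
     * element, and some encryption result must map that EncryptedData (by its Id / wsu:Id) to {@code token}.
     */
    private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef,
                                           List<WSSecurityEngineResult> encryptedResults) {
        Element protectedElement = signedRef.getProtectedElement();
        if (protectedElement == null
            || !"EncryptedData".equals(protectedElement.getLocalName())
            || !XMLENC_NS.equals(protectedElement.getNamespaceURI())) {
            return false;
        }
        String encryptedDataId = protectedElement.getAttributeNS(null, "Id");
        for (WSSecurityEngineResult encryptedResult : encryptedResults) {
            List<WSDataRef> refs = dataRefs(encryptedResult);
            if (refs == null) {
                continue;
            }
            for (WSDataRef encryptedRef : refs) {
                if (token == encryptedRef.getProtectedElement()
                    && encryptedRef.getWsuId() != null
                    && encryptedRef.getWsuId().equals(encryptedDataId)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** @return {@code true} if some encryption result references exactly the {@code token} DOM node. */
    private boolean isTokenEncrypted(Element token, List<WSSecurityEngineResult> encryptedResults) {
        for (WSSecurityEngineResult encryptedResult : encryptedResults) {
            List<WSDataRef> refs = dataRefs(encryptedResult);
            if (refs == null) {
                continue;
            }
            for (WSDataRef ref : refs) {
                if (token == ref.getProtectedElement()) {
                    return true;
                }
            }
        }
        return false;
    }

    /** @return the data references recorded on a signature/encryption result, or {@code null} if none. */
    private static List<WSDataRef> dataRefs(WSSecurityEngineResult result) {
        return CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    }

    /** @param signedElements the SignedElements nested in the SupportingTokens assertion, or {@code null} */
    public void setSignedElements(SignedElements signedElements) {
        this.signedElements = signedElements;
    }

    /** @param encryptedElements the EncryptedElements nested in the SupportingTokens assertion, or {@code null} */
    public void setEncryptedElements(EncryptedElements encryptedElements) {
        this.encryptedElements = encryptedElements;
    }

    /** @param signedParts the SignedParts nested in the SupportingTokens assertion, or {@code null} */
    public void setSignedParts(SignedParts signedParts) {
        this.signedParts = signedParts;
    }

    /** @param encryptedParts the EncryptedParts nested in the SupportingTokens assertion, or {@code null} */
    public void setEncryptedParts(EncryptedParts encryptedParts) {
        this.encryptedParts = encryptedParts;
    }

    /**
     * Marks the SignedParts/SignedElements/EncryptedParts/EncryptedElements nested in
     * {@code supportingTokens} as asserted; used when the supporting token itself is not required,
     * so that the nested assertions do not fail the policy on their own.
     */
    public void assertSecurePartsIfTokenNotRequired(SupportingTokens supportingTokens, AssertionInfoMap aim) {
        String namespace = supportingTokens.getName().getNamespaceURI();
        if (supportingTokens.getSignedParts() != null) {
            assertSecurePartsIfTokenNotRequired(supportingTokens.getSignedParts(),
                                                new QName(namespace, SPConstants.SIGNED_PARTS), aim);
        }
        if (supportingTokens.getSignedElements() != null) {
            assertSecurePartsIfTokenNotRequired(supportingTokens.getSignedElements(),
                                                new QName(namespace, SPConstants.SIGNED_ELEMENTS), aim);
        }
        if (supportingTokens.getEncryptedParts() != null) {
            assertSecurePartsIfTokenNotRequired(supportingTokens.getEncryptedParts(),
                                                new QName(namespace, SPConstants.ENCRYPTED_PARTS), aim);
        }
        if (supportingTokens.getEncryptedElements() != null) {
            assertSecurePartsIfTokenNotRequired(supportingTokens.getEncryptedElements(),
                                                new QName(namespace, SPConstants.ENCRYPTED_ELEMENTS), aim);
        }
    }

    /**
     * Marks every AssertionInfo registered under {@code name} whose assertion equals {@code assertion}
     * as asserted. Does nothing when no such AssertionInfo exists.
     */
    protected void assertSecurePartsIfTokenNotRequired(AbstractSecurityAssertion assertion, QName name,
                                                       AssertionInfoMap aim) {
        Collection<AssertionInfo> infos = aim.get(name);
        if (infos == null || infos.isEmpty()) {
            return;
        }
        for (AssertionInfo info : infos) {
            if (info.getAssertion().equals(assertion)) {
                info.setAsserted(true);
            }
        }
    }

    /** @return whether an Encrypted*SupportingTokens policy really requires the token to be encrypted. */
    public boolean isEnforceEncryptedTokens() {
        return this.enforceEncryptedTokens;
    }

    /**
     * @param enforceEncryptedTokens {@code false} to skip the "token must be encrypted" check; note
     *        that this accepts plaintext tokens under a policy that asked for encrypted ones
     */
    public void setEnforceEncryptedTokens(boolean enforceEncryptedTokens) {
        this.enforceEncryptedTokens = enforceEncryptedTokens;
    }

    /**
     * Asserts the token's RequireDerivedKeys / RequireImpliedDerivedKeys / RequireExplicitDerivedKeys
     * assertion (the QName is built from the token namespace and the DerivedKeys enum name), if present.
     */
    public void assertDerivedKeys(AbstractToken token, AssertionInfoMap aim) {
        AbstractToken.DerivedKeys derivedKeys = token.getDerivedKeys();
        if (derivedKeys != null) {
            PolicyUtils.assertPolicy(aim, new QName(token.getName().getNamespaceURI(), derivedKeys.name()));
        }
    }

    /**
     * @return {@code true} if the IssuedToken's RequestSecurityTokenTemplate contains a TokenType child
     *         naming the SAML 1.1 or SAML 2.0 token profile; {@code false} without a template or TokenType
     */
    public static boolean isSamlTokenRequiredForIssuedToken(IssuedToken issuedToken) {
        Element template = issuedToken.getRequestSecurityTokenTemplate();
        if (template == null) {
            return false;
        }
        for (Element child = DOMUtils.getFirstElement(template); child != null;
             child = DOMUtils.getNextElement(child)) {
            if ("TokenType".equals(child.getLocalName())) {
                String tokenType = child.getTextContent();
                return SAML1_TOKEN_TYPE.equals(tokenType) || SAML2_TOKEN_TYPE.equals(tokenType);
            }
        }
        return false;
    }
}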
