package org.apache.wss4j.stax.impl.processor.input;

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.time.Instant;
import java.time.temporal.ChronoField;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import org.apache.wss4j.binding.wss10.TransformationParametersType;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.ext.Attachment;
import org.apache.wss4j.common.ext.AttachmentRequestCallback;
import org.apache.wss4j.common.ext.AttachmentResultCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.AttachmentUtils;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.impl.transformer.AttachmentContentSignatureTransform;
import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
import org.apache.wss4j.stax.securityEvent.TimestampSecurityEvent;
import org.apache.wss4j.stax.securityToken.SecurityTokenReference;
import org.apache.wss4j.stax.utils.WSSUtils;
import org.apache.xml.security.binding.excc14n.InclusiveNamespaces;
import org.apache.xml.security.binding.xmldsig.CanonicalizationMethodType;
import org.apache.xml.security.binding.xmldsig.ReferenceType;
import org.apache.xml.security.binding.xmldsig.SignatureType;
import org.apache.xml.security.binding.xmldsig.TransformType;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.DocumentContext;
import org.apache.xml.security.stax.ext.InputProcessorChain;
import org.apache.xml.security.stax.ext.Transformer;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.stax.ext.XMLSecurityUtils;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
import org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor;
import org.apache.xml.security.stax.impl.transformer.canonicalizer.Canonicalizer20010315_Excl;
import org.apache.xml.security.stax.impl.util.DigestOutputStream;
import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
import org.apache.xml.security.utils.UnsyncBufferedOutputStream;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-stax-2.4.3.jar:org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.class */
/**
 * Inbound streaming processor that verifies each {@code ds:Reference} of a WS-Security
 * signature. It layers the WS-Security specifics onto the generic Santuario reference
 * verifier: Basic Security Profile (BSP) rule checks on transforms and digest methods,
 * SwA attachment ({@code cid:}) references, the STR-Transform, and a one-shot replay check
 * keyed on the Timestamp and the signature value.
 *
 * <p>This listing is decompiled output (see the JADX notes below): the decompiler widened
 * some access modifiers, so {@code public} here may be {@code protected} in the original
 * source, and {@code mo4961asStartElement()} is a decompiler-renamed accessor.
 */
public class WSSSignatureReferenceVerifyInputProcessor extends AbstractSignatureReferenceVerifyInputProcessor {
    // Flipped on the first processEvent() call so detectReplayAttack() runs exactly once
    // per signature. Not synchronized; assumes a processor chain is driven by one thread.
    private boolean replayChecked;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-stax-2.4.3.jar:org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.class */
    /**
     * Per-reference verifier that additionally orders itself after this processor in the
     * chain, so it sees events only once this processor has handled them.
     */
    public class InternalSignatureReferenceVerifier extends AbstractSignatureReferenceVerifyInputProcessor.InternalSignatureReferenceVerifier {
        InternalSignatureReferenceVerifier(WSSSecurityProperties wSSSecurityProperties, InputProcessorChain inputProcessorChain, ReferenceType referenceType, XMLSecStartElement xMLSecStartElement) throws XMLSecurityException {
            super(wSSSecurityProperties, inputProcessorChain, referenceType, xMLSecStartElement);
            addAfterProcessor(WSSSignatureReferenceVerifyInputProcessor.class.getName());
        }
    }

    /**
     * Creates the processor and immediately runs the BSP compliance checks over every
     * reference of the signature, before any reference content is verified.
     *
     * @param inputProcessorChain chain this processor is inserted into; its security
     *                            context must be a {@link WSInboundSecurityContext}
     * @param signatureType       the parsed {@code ds:Signature}
     * @param inboundSecurityToken token that produced the signature value
     * @param xMLSecurityProperties inbound configuration
     * @throws XMLSecurityException from the superclass, or as {@link WSSecurityException}
     *                              if the security context treats a BSP violation as fatal
     */
    public WSSSignatureReferenceVerifyInputProcessor(InputProcessorChain inputProcessorChain, SignatureType signatureType, InboundSecurityToken inboundSecurityToken, XMLSecurityProperties xMLSecurityProperties) throws XMLSecurityException {
        super(inputProcessorChain, signatureType, inboundSecurityToken, xMLSecurityProperties);
        this.replayChecked = false;
        addAfterProcessor(WSSSignatureReferenceVerifyInputProcessor.class.getName());
        // Unchecked cast: a non-WS-Security context fails here with a ClassCastException.
        checkBSPCompliance((WSInboundSecurityContext) inputProcessorChain.getSecurityContext());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Verifies a reference whose target is outside the XML document. Only {@code cid:}
     * (SwA attachment) URIs are handled here; everything else is delegated to the superclass.
     *
     * <p>Flow for an attachment reference: fetch the attachment through the configured
     * {@link CallbackHandler}, digest it (through the declared transform chain when present,
     * otherwise raw), compare against {@code ds:DigestValue}, and only then hand the
     * attachment back to the application via {@link AttachmentResultCallback} with its
     * stream reset to the beginning. The digest comparison therefore gates the hand-back:
     * an attachment that fails verification is never returned to the caller.
     *
     * @param inputProcessorChain current chain (source of the security and document context)
     * @param inputStream         ignored for {@code cid:} references; passed through otherwise
     * @param referenceType       the {@code ds:Reference} being verified
     * @throws XMLSecurityException wrapping an {@link IOException} from the streams, or a
     *                              {@link WSSecurityException} with {@code INVALID_SECURITY}
     *                              for every other failure (missing handler, attachment not
     *                              found, wrong first transform, digest mismatch, callback
     *                              errors)
     * @throws XMLStreamException from the superclass path
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor
    public void verifyExternalReference(InputProcessorChain inputProcessorChain, InputStream inputStream, ReferenceType referenceType) throws XMLSecurityException, XMLStreamException {
        if (!referenceType.getURI().startsWith("cid:")) {
            super.verifyExternalReference(inputProcessorChain, inputStream, referenceType);
            return;
        }
        CallbackHandler attachmentCallbackHandler = ((WSSSecurityProperties) getSecurityProperties()).getAttachmentCallbackHandler();
        if (attachmentCallbackHandler == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "empty", new Object[]{"no attachment callbackhandler supplied"});
        }
        String attachmentId = AttachmentUtils.getAttachmentId(referenceType.getURI());
        AttachmentRequestCallback attachmentRequestCallback = new AttachmentRequestCallback();
        attachmentRequestCallback.setAttachmentId(attachmentId);
        try {
            attachmentCallbackHandler.handle(new Callback[]{attachmentRequestCallback});
            List<Attachment> attachments = attachmentRequestCallback.getAttachments();
            // The handler must return the requested attachment first; anything else is a mismatch.
            if (attachments == null || attachments.isEmpty() || !attachmentId.equals(attachments.get(0).getId())) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "empty", new Object[]{"Attachment not found"});
            }
            Attachment attachment = attachments.get(0);
            InputStream sourceStream = attachment.getSourceStream();
            if (!sourceStream.markSupported()) {
                sourceStream = new BufferedInputStream(sourceStream);
            }
            // The stream is consumed once for digesting and reset afterwards so the
            // application receives the attachment content unchanged. With this read limit
            // a non-seekable stream is buffered in memory up to the whole attachment.
            // NOTE(review): no size ceiling is enforced here — confirm an upstream limit exists.
            sourceStream.mark(Integer.MAX_VALUE);
            try {
                DigestOutputStream createMessageDigestOutputStream = createMessageDigestOutputStream(referenceType, inputProcessorChain.getSecurityContext());
                UnsyncBufferedOutputStream unsyncBufferedOutputStream = new UnsyncBufferedOutputStream(createMessageDigestOutputStream);
                if (referenceType.getTransforms() != null) {
                    Transformer buildTransformerChain = buildTransformerChain(referenceType, unsyncBufferedOutputStream, inputProcessorChain, null);
                    // The head of the chain must be an attachment transform; the message also
                    // names the Complete variant, presumably a subclass of the Content one — confirm.
                    if (!(buildTransformerChain instanceof AttachmentContentSignatureTransform)) {
                        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "empty", new Object[]{"First transform must be Attachment[Content|Complete]SignatureTransform"});
                    }
                    Map<String, Object> hashMap = new HashMap<>(2);
                    hashMap.put("attachment", attachment);
                    buildTransformerChain.setProperties(hashMap);
                    buildTransformerChain.transform(sourceStream);
                    unsyncBufferedOutputStream.close();
                } else {
                    // No transforms: the digest covers the raw attachment bytes.
                    XMLSecurityUtils.copy(sourceStream, unsyncBufferedOutputStream);
                    unsyncBufferedOutputStream.close();
                }
                compareDigest(createMessageDigestOutputStream.getDigestValue(), referenceType);
                sourceStream.reset();
                // Hand back a fresh Attachment carrying the reset stream rather than the
                // (possibly wrapped) original object.
                Attachment attachment2 = new Attachment();
                attachment2.setId(attachmentId);
                attachment2.setMimeType(attachment.getMimeType());
                attachment2.addHeaders(attachment.getHeaders());
                attachment2.setSourceStream(sourceStream);
                AttachmentResultCallback attachmentResultCallback = new AttachmentResultCallback();
                attachmentResultCallback.setAttachmentId(attachmentId);
                attachmentResultCallback.setAttachment(attachment2);
                try {
                    attachmentCallbackHandler.handle(new Callback[]{attachmentResultCallback});
                    // Report the attachment as a signed part so policy/assertion checks can see it.
                    SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(getInboundSecurityToken(), true, inputProcessorChain.getDocumentContext().getProtectionOrder());
                    signedPartSecurityEvent.setAttachment(true);
                    signedPartSecurityEvent.setCorrelationID(referenceType.getId());
                    inputProcessorChain.getSecurityContext().registerSecurityEvent(signedPartSecurityEvent);
                } catch (Exception e) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
                }
            } catch (IOException e2) {
                throw new XMLSecurityException(e2);
            }
        } catch (Exception e3) {
            // Also re-wraps the WSSecurityExceptions thrown above (not found / wrong transform)
            // and any RuntimeException from the transform chain, so every failure fails closed
            // with INVALID_SECURITY and the original exception as cause.
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e3);
        }
    }

    /**
     * Reports Basic Security Profile violations for every reference of the signature via
     * {@link WSInboundSecurityContext#handleBSPRule}; whether a violation is fatal or merely
     * recorded is decided by the context, not here.
     *
     * <p>Rules checked: R5416 (no Transforms), R5411 (empty Transforms), R5423 (transform
     * algorithm outside the allowed set), R5412/R5407/R5413/R3065 on transform details, and
     * R5420 (digest method other than SHA-1/SHA-256/SHA-512).
     *
     * <p>NOTE(review): as nested here, the R5412, R5407, R5413 and R3065 checks sit inside the
     * branch taken only when the algorithm is <em>not</em> one of the allowed values. The
     * R5407 and STR-Transform checks therefore require an algorithm that the enclosing
     * condition has already excluded and cannot fire, and the extra conditions on R5412 are
     * redundant. Whether this is a decompiler artefact or matches the original source should
     * be confirmed upstream; the R5420 digest-method check is outside that branch and active.
     *
     * @param wSInboundSecurityContext context that receives the rule violations
     * @throws WSSecurityException if the context treats a violation as fatal
     */
    private void checkBSPCompliance(WSInboundSecurityContext wSInboundSecurityContext) throws WSSecurityException {
        List<ReferenceType> reference = getSignatureType().getSignedInfo().getReference();
        for (int i = 0; i < reference.size(); i++) {
            ReferenceType referenceType = reference.get(i);
            if (referenceType.getTransforms() == null) {
                wSInboundSecurityContext.handleBSPRule(BSPRule.R5416);
            } else if (referenceType.getTransforms().getTransform().isEmpty()) {
                wSInboundSecurityContext.handleBSPRule(BSPRule.R5411);
            } else {
                List<TransformType> transform = referenceType.getTransforms().getTransform();
                for (int i2 = 0; i2 < transform.size(); i2++) {
                    TransformType transformType = transform.get(i2);
                    String algorithm = transformType.getAlgorithm();
                    // Allowed: exc-c14n, XPath Filter 2, STR-Transform, enveloped-signature,
                    // and the two SwA attachment transforms.
                    if (!"http://www.w3.org/2001/10/xml-exc-c14n#".equals(algorithm) && !"http://www.w3.org/2002/06/xmldsig-filter2".equals(algorithm) && !"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform".equals(algorithm) && !"http://www.w3.org/2000/09/xmldsig#enveloped-signature".equals(algorithm) && !"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform".equals(algorithm) && !"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform".equals(algorithm)) {
                        wSInboundSecurityContext.handleBSPRule(BSPRule.R5423);
                        // Last transform must be exc-c14n, STR-Transform or an attachment transform.
                        if (i2 == transform.size() - 1 && !"http://www.w3.org/2001/10/xml-exc-c14n#".equals(algorithm) && !"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform".equals(algorithm) && !"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform".equals(algorithm) && !"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform".equals(algorithm)) {
                            wSInboundSecurityContext.handleBSPRule(BSPRule.R5412);
                        }
                        InclusiveNamespaces inclusiveNamespaces = (InclusiveNamespaces) XMLSecurityUtils.getQNameType(transformType.getContent(), XMLSecurityConstants.TAG_c14nExcl_InclusiveNamespaces);
                        // Unreachable under the enclosing condition (algorithm is not exc-c14n here).
                        if ("http://www.w3.org/2001/10/xml-exc-c14n#".equals(algorithm) && inclusiveNamespaces != null && inclusiveNamespaces.getPrefixList().isEmpty()) {
                            wSInboundSecurityContext.handleBSPRule(BSPRule.R5407);
                        }
                        // Unreachable under the enclosing condition (algorithm is not STR-Transform here).
                        if ("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform".equals(algorithm)) {
                            if (inclusiveNamespaces != null && inclusiveNamespaces.getPrefixList().isEmpty()) {
                                wSInboundSecurityContext.handleBSPRule(BSPRule.R5413);
                            }
                            TransformationParametersType transformationParametersType = (TransformationParametersType) XMLSecurityUtils.getQNameType(transformType.getContent(), WSSConstants.TAG_WSSE_TRANSFORMATION_PARAMETERS);
                            if (transformationParametersType == null) {
                                wSInboundSecurityContext.handleBSPRule(BSPRule.R3065);
                            } else if (((CanonicalizationMethodType) XMLSecurityUtils.getQNameType(transformationParametersType.getAny(), WSSConstants.TAG_dsig_CanonicalizationMethod)) == null) {
                                wSInboundSecurityContext.handleBSPRule(BSPRule.R3065);
                            }
                        }
                    }
                }
            }
            // Digest method must be SHA-1, SHA-256 or SHA-512.
            if (!"http://www.w3.org/2000/09/xmldsig#sha1".equals(referenceType.getDigestMethod().getAlgorithm()) && !"http://www.w3.org/2001/04/xmlenc#sha256".equals(referenceType.getDigestMethod().getAlgorithm()) && !"http://www.w3.org/2001/04/xmlenc#sha512".equals(referenceType.getDigestMethod().getAlgorithm())) {
                wSInboundSecurityContext.handleBSPRule(BSPRule.R5420);
            }
        }
    }

    /**
     * Runs the replay check once, before the first event is processed, then delegates.
     *
     * @param inputProcessorChain current chain
     * @return the next event from the superclass
     * @throws XMLStreamException from the superclass
     * @throws XMLSecurityException from the superclass, or {@link WSSecurityException}
     *                              with {@code MESSAGE_EXPIRED} on a detected replay
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor, org.apache.xml.security.stax.ext.InputProcessor
    public XMLSecEvent processEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
        if (!this.replayChecked) {
            this.replayChecked = true;
            detectReplayAttack(inputProcessorChain);
        }
        return super.processEvent(inputProcessorChain);
    }

    /**
     * Records which element a verified reference covers. A direct child of the SOAP Header
     * (path depth 3) or the SOAP Body itself (path depth 2) is reported as a
     * {@link SignedPartSecurityEvent}; any other element as a {@link SignedElementSecurityEvent}.
     * Both events carry the element path, the start event and the reference id as correlation id.
     *
     * @param list                element path of the signed element
     * @param inputProcessorChain current chain (provides document and security context)
     * @param xMLSecEvent         the start event of the signed element
     * @param referenceType       the reference that covers the element
     * @throws XMLSecurityException from event registration
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor
    protected void processElementPath(List<QName> list, InputProcessorChain inputProcessorChain, XMLSecEvent xMLSecEvent, ReferenceType referenceType) throws XMLSecurityException {
        DocumentContext documentContext = inputProcessorChain.getDocumentContext();
        if ((list.size() == 3 && WSSUtils.isInSOAPHeader(list)) || (list.size() == 2 && WSSUtils.isInSOAPBody(list))) {
            SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(getInboundSecurityToken(), true, documentContext.getProtectionOrder());
            signedPartSecurityEvent.setElementPath(list);
            signedPartSecurityEvent.setXmlSecEvent(xMLSecEvent);
            signedPartSecurityEvent.setCorrelationID(referenceType.getId());
            inputProcessorChain.getSecurityContext().registerSecurityEvent(signedPartSecurityEvent);
            return;
        }
        SignedElementSecurityEvent signedElementSecurityEvent = new SignedElementSecurityEvent(getInboundSecurityToken(), true, documentContext.getProtectionOrder());
        signedElementSecurityEvent.setElementPath(list);
        signedElementSecurityEvent.setXmlSecEvent(xMLSecEvent);
        signedElementSecurityEvent.setCorrelationID(referenceType.getId());
        inputProcessorChain.getSecurityContext().registerSecurityEvent(signedElementSecurityEvent);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Factory for the per-reference verifier; narrows the properties to
     * {@link WSSSecurityProperties} (unchecked cast).
     *
     * @return a new {@link InternalSignatureReferenceVerifier} ordered after this processor
     * @throws XMLSecurityException from the verifier constructor
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor
    public InternalSignatureReferenceVerifier getSignatureReferenceVerifier(XMLSecurityProperties xMLSecurityProperties, InputProcessorChain inputProcessorChain, ReferenceType referenceType, XMLSecStartElement xMLSecStartElement) throws XMLSecurityException {
        return new InternalSignatureReferenceVerifier((WSSSecurityProperties) xMLSecurityProperties, inputProcessorChain, referenceType, xMLSecStartElement);
    }

    /**
     * Rejects a message whose (Timestamp, SignatureValue) pair has been seen before.
     *
     * <p>The check is skipped silently when the message carries no Timestamp security event
     * or no replay cache is configured, so replay protection only exists if a Timestamp is
     * required by policy and {@code getTimestampReplayCache()} is set.
     *
     * <p>The cache key is the millisecond-of-second of {@code Created} (0–999) concatenated
     * with the 32-bit {@link Arrays#hashCode(byte[])} of the signature value. A genuine
     * replay always maps to the same key; two distinct messages can collide on it and the
     * later one would then be rejected as a replay. Entries expire with the Timestamp's
     * {@code Expires} when present, otherwise the cache's own default applies.
     *
     * @param inputProcessorChain current chain (source of the Timestamp security event)
     * @throws WSSecurityException {@code MESSAGE_EXPIRED} if the key is already cached
     */
    private void detectReplayAttack(InputProcessorChain inputProcessorChain) throws WSSecurityException {
        TimestampSecurityEvent timestampSecurityEvent = (TimestampSecurityEvent) inputProcessorChain.getSecurityContext().get(WSSConstants.PROP_TIMESTAMP_SECURITYEVENT);
        ReplayCache timestampReplayCache = ((WSSSecurityProperties) getSecurityProperties()).getTimestampReplayCache();
        if (timestampSecurityEvent == null || timestampReplayCache == null) {
            return;
        }
        String str = timestampSecurityEvent.getCreated().get(ChronoField.MILLI_OF_SECOND) + "" + Arrays.hashCode(getSignatureType().getSignatureValue().getValue());
        if (timestampReplayCache.contains(str)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.MESSAGE_EXPIRED);
        }
        Instant expires = timestampSecurityEvent.getExpires();
        if (expires != null) {
            timestampReplayCache.add(str, expires);
        } else {
            timestampReplayCache.add(str);
        }
    }

    /**
     * Builds the transform chain for a reference, sink-first: the list is walked from the
     * last transform to the first, each new transformer feeding the one built before it, so
     * the returned transformer is the first transform and the last one writes to
     * {@code outputStream}. One {@link AlgorithmSuiteSecurityEvent} (usage
     * {@code SigTransform}) is registered per transform.
     *
     * <p>A transform carrying {@code wsse:TransformationParameters} with a
     * {@code ds:CanonicalizationMethod} (the STR-Transform case) first gets a canonicalizer
     * for that algorithm writing straight to {@code outputStream}, and the transform itself is
     * chained in front of it. Note that this replaces any transformer built for later
     * transforms in the list; presumably such a transform is expected to be the last one.
     *
     * <p>If the first transform is the STR-Transform, the chain is attached to
     * {@code internalSignatureReferenceVerifier}, the referenced
     * {@link SecurityTokenReference} is looked up by the reference URI, and its buffered
     * events are replayed through the verifier. The start element is taken from the
     * deque's last entry and the events are replayed with a descending iterator, which
     * suggests they are stored newest-first — confirm against {@code SecurityTokenReference}.
     *
     * <p>NOTE(review): {@code internalSignatureReferenceVerifier} is dereferenced without a
     * null check on the STR-Transform path; {@link #verifyExternalReference} passes
     * {@code null}, so a {@code cid:} reference starting with an STR-Transform would raise a
     * {@link NullPointerException} there. That caller re-wraps it as {@code INVALID_SECURITY},
     * so the failure is closed, but the error is not descriptive.
     *
     * @param referenceType       reference whose transforms are built
     * @param outputStream        sink for the output of the last transform
     * @param inputProcessorChain current chain (security context, document context, processors)
     * @param internalSignatureReferenceVerifier verifier to drive on the STR-Transform path; may be
     *                            {@code null} for callers that never use that path
     * @return the head of the chain (the first transform in document order)
     * @throws XMLSecurityException {@code INVALID_SECURITY} if Transforms is absent or empty
     *                              or exceeds {@code maximumAllowedTransformsPerReference};
     *                              {@code INVALID_SECURITY_TOKEN} / {@code UNSUPPORTED_SECURITY_TOKEN}
     *                              if the STR-Transform target cannot be resolved or is not
     *                              a {@link SecurityTokenReference}; {@code INVALID_SECURITY}
     *                              wrapping an {@link XMLStreamException} from event replay
     */
    @Override // org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor
    protected Transformer buildTransformerChain(ReferenceType referenceType, OutputStream outputStream, InputProcessorChain inputProcessorChain, AbstractSignatureReferenceVerifyInputProcessor.InternalSignatureReferenceVerifier internalSignatureReferenceVerifier) throws XMLSecurityException {
        CanonicalizationMethodType canonicalizationMethodType;
        // Hard failure here, unlike checkBSPCompliance which only reports R5416/R5411.
        if (referenceType.getTransforms() == null || referenceType.getTransforms().getTransform().isEmpty()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }
        List<TransformType> transform = referenceType.getTransforms().getTransform();
        // Secure-processing limit (inherited field) bounds the chain length.
        if (transform.size() > maximumAllowedTransformsPerReference.intValue()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "secureProcessing.MaximumAllowedTransformsPerReference", new Object[]{Integer.valueOf(transform.size()), maximumAllowedTransformsPerReference});
        }
        String str = null;
        Transformer transformer = null;
        // Walk last -> first so each transformer can be given its downstream neighbour.
        for (int size = transform.size() - 1; size >= 0; size--) {
            TransformType transformType = transform.get(size);
            TransformationParametersType transformationParametersType = (TransformationParametersType) XMLSecurityUtils.getQNameType(transformType.getContent(), WSSConstants.TAG_WSSE_TRANSFORMATION_PARAMETERS);
            if (transformationParametersType != null && (canonicalizationMethodType = (CanonicalizationMethodType) XMLSecurityUtils.getQNameType(transformationParametersType.getAny(), WSSConstants.TAG_dsig_CanonicalizationMethod)) != null) {
                String algorithm = canonicalizationMethodType.getAlgorithm();
                InclusiveNamespaces inclusiveNamespaces = (InclusiveNamespaces) XMLSecurityUtils.getQNameType(canonicalizationMethodType.getContent(), XMLSecurityConstants.TAG_c14nExcl_InclusiveNamespaces);
                HashMap hashMap = null;
                if (inclusiveNamespaces != null) {
                    hashMap = new HashMap();
                    hashMap.put(Canonicalizer20010315_Excl.INCLUSIVE_NAMESPACES_PREFIX_LIST, inclusiveNamespaces.getPrefixList());
                }
                // Canonicalizer from the TransformationParameters writes to the sink directly.
                transformer = WSSUtils.getTransformer(null, outputStream, hashMap, algorithm, XMLSecurityConstants.DIRECTION.IN);
            }
            str = transformType.getAlgorithm();
            AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
            algorithmSuiteSecurityEvent.setAlgorithmURI(str);
            algorithmSuiteSecurityEvent.setAlgorithmUsage(WSSConstants.SigTransform);
            algorithmSuiteSecurityEvent.setCorrelationID(referenceType.getId());
            inputProcessorChain.getSecurityContext().registerSecurityEvent(algorithmSuiteSecurityEvent);
            InclusiveNamespaces inclusiveNamespaces2 = (InclusiveNamespaces) XMLSecurityUtils.getQNameType(transformType.getContent(), XMLSecurityConstants.TAG_c14nExcl_InclusiveNamespaces);
            HashMap hashMap2 = null;
            if (inclusiveNamespaces2 != null) {
                hashMap2 = new HashMap();
                hashMap2.put(Canonicalizer20010315_Excl.INCLUSIVE_NAMESPACES_PREFIX_LIST, inclusiveNamespaces2.getPrefixList());
            }
            // Chain in front of the transformer built so far, or write to the sink if none yet.
            transformer = transformer != null ? WSSUtils.getTransformer(transformer, null, hashMap2, str, XMLSecurityConstants.DIRECTION.IN) : WSSUtils.getTransformer(null, outputStream, hashMap2, str, XMLSecurityConstants.DIRECTION.IN);
        }
        // After the loop, str is the algorithm of the first transform in document order.
        if ("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform".equals(str)) {
            internalSignatureReferenceVerifier.setTransformer(transformer);
            SecurityTokenProvider<? extends InboundSecurityToken> securityTokenProvider = inputProcessorChain.getSecurityContext().getSecurityTokenProvider(XMLSecurityUtils.dropReferenceMarker(referenceType.getURI()));
            if (securityTokenProvider == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noReference");
            }
            InboundSecurityToken securityToken = securityTokenProvider.getSecurityToken();
            if (!(securityToken instanceof SecurityTokenReference)) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN);
            }
            SecurityTokenReference securityTokenReference = (SecurityTokenReference) securityToken;
            // Mark the verifier's position in the chain as signed content, then replay the
            // buffered STR events through it.
            inputProcessorChain.getDocumentContext().setIsInSignedContent(inputProcessorChain.getProcessors().indexOf(internalSignatureReferenceVerifier), internalSignatureReferenceVerifier);
            internalSignatureReferenceVerifier.setStartElement(securityTokenReference.getXmlSecEvents().getLast().mo4961asStartElement());
            Iterator<XMLSecEvent> descendingIterator = securityTokenReference.getXmlSecEvents().descendingIterator();
            while (descendingIterator.hasNext()) {
                try {
                    internalSignatureReferenceVerifier.processEvent(descendingIterator.next(), inputProcessorChain);
                } catch (XMLStreamException e) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, (Exception) e);
                }
            }
        }
        return transformer;
    }
}
