package org.apache.wss4j.policy.stax.assertionStates;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.policy.AssertionState;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.stax.Assertable;
import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.utils.WSSUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.SecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-policy-stax-2.4.3.jar:org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.class */
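/**
 * Assertion state for the WS-SecurityPolicy {@code sp:EncryptSignature} binding property.
 * <p>
 * It records every encrypted-element event for the {@code ds:Signature} and
 * {@code wsse11:SignatureConfirmation} elements in the {@code wsse:Security} header together with
 * every token event, and decides in {@link #isAsserted()} whether each recorded element was
 * encrypted exactly as the binding requires. When several signatures are present, the events
 * correlated to an endorsing signature (a signature token that is not the main signature token)
 * are not subject to the property. Not thread-safe; one instance serves one message exchange.
 */
public class SignatureProtectionAssertionState extends AssertionState implements Assertable {

    // Encrypted-element events whose element path matches one of elementPaths.
    private final List<EncryptedElementSecurityEvent> encryptedElementEvents;
    // Every token event seen so far; scanned for the endorsing signature in isAsserted().
    private final List<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents;
    // Element paths the EncryptSignature property applies to (Signature, SignatureConfirmation).
    private final List<List<QName>> elementPaths;
    // Never null: a DummyPolicyAsserter is substituted when the caller passes none.
    private final PolicyAsserter policyAsserter;

    /**
     * Creates the state for the given binding assertion.
     *
     * @param abstractSecurityAssertion the binding assertion; cast to
     *     {@link AbstractSymmetricAsymmetricBinding} when the property is evaluated
     * @param policyAsserter receives assert/unassert notifications; may be {@code null}
     * @param z the initial asserted state; when {@code true} the EncryptSignature policy is
     *     asserted immediately
     */
    public SignatureProtectionAssertionState(AbstractSecurityAssertion abstractSecurityAssertion, PolicyAsserter policyAsserter, boolean z) {
        super(abstractSecurityAssertion, z);
        this.encryptedElementEvents = new ArrayList<>();
        this.tokenSecurityEvents = new ArrayList<>();
        this.elementPaths = new ArrayList<>();
        this.elementPaths.add(securityHeaderPath(WSSConstants.TAG_dsig_Signature));
        this.elementPaths.add(securityHeaderPath(WSSConstants.TAG_WSSE11_SIG_CONF));
        // Fall back to a no-op asserter so later assertPolicy/unassertPolicy calls never NPE.
        this.policyAsserter = policyAsserter != null ? policyAsserter : new DummyPolicyAsserter();
        if (z) {
            // Must go through the field: the parameter may be null at this point.
            this.policyAsserter.assertPolicy(new QName(getAssertion().getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }
    }

    /**
     * Builds the path SOAP 1.1 Header / wsse:Security / {@code leaf}.
     *
     * @param leaf the element directly under the security header
     * @return a new, mutable path list
     */
    private static List<QName> securityHeaderPath(QName leaf) {
        List<QName> path = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
        path.add(WSSConstants.TAG_WSSE_SECURITY);
        path.add(leaf);
        return path;
    }

    /**
     * Returns the event types this state wants to receive: encrypted elements, every token kind
     * that can back a signature, and the operation event.
     *
     * @return a fresh array; callers may modify it freely
     */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
            WSSecurityEventConstants.EncryptedElement,
            WSSecurityEventConstants.EncryptedKeyToken,
            WSSecurityEventConstants.ISSUED_TOKEN,
            WSSecurityEventConstants.KERBEROS_TOKEN,
            SecurityEventConstants.KeyValueToken,
            WSSecurityEventConstants.REL_TOKEN,
            WSSecurityEventConstants.SAML_TOKEN,
            WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN,
            WSSecurityEventConstants.USERNAME_TOKEN,
            SecurityEventConstants.X509Token,
            WSSecurityEventConstants.OPERATION
        };
    }

    /**
     * Records the event for later evaluation. Nothing is rejected at event time; the property is
     * checked in {@link #isAsserted()} once all events are known.
     *
     * @param securityEvent the incoming event
     * @return always {@code true}
     * @throws WSSPolicyException never thrown here; declared by the interface
     */
    @Override
    public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
        if (securityEvent instanceof EncryptedElementSecurityEvent) {
            EncryptedElementSecurityEvent encryptedElementEvent = (EncryptedElementSecurityEvent) securityEvent;
            // Only the Signature / SignatureConfirmation elements of the security header matter.
            for (List<QName> elementPath : this.elementPaths) {
                if (WSSUtils.pathMatches(elementPath, encryptedElementEvent.getElementPath())) {
                    this.encryptedElementEvents.add(encryptedElementEvent);
                }
            }
        } else if (securityEvent instanceof TokenSecurityEvent) {
            this.tokenSecurityEvents.add((TokenSecurityEvent<?>) securityEvent);
        }
        return true;
    }

    /**
     * Evaluates the EncryptSignature property against every recorded signature element.
     * <p>
     * With no recorded element the state is left unchanged. With exactly one element it is tested
     * directly. With several, the events correlated to the endorsing signature are skipped and all
     * remaining ones must satisfy the property; evaluation stops at the first failure.
     *
     * @return {@code true} if the property holds for every element that is subject to it
     */
    @Override
    public boolean isAsserted() {
        clearErrorMessage();
        if (this.encryptedElementEvents.isEmpty()) {
            return true;
        }
        if (this.encryptedElementEvents.size() == 1) {
            return testEncryptedSignature(this.encryptedElementEvents.get(0));
        }
        // Endorsing signatures are not covered by EncryptSignature; null means none was identified.
        String endorsingSignatureId = findEndorsingSignatureId();
        for (EncryptedElementSecurityEvent event : this.encryptedElementEvents) {
            if (endorsingSignatureId != null && endorsingSignatureId.equals(event.getCorrelationID())) {
                continue;
            }
            if (!testEncryptedSignature(event)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Finds the correlation id of the first token event whose effective signature token is a
     * signature token but not the main signature token.
     *
     * @return that correlation id, or {@code null} when no such token exists or token resolution
     *     fails
     */
    private String findEndorsingSignatureId() {
        for (TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent : this.tokenSecurityEvents) {
            try {
                SecurityToken effectiveSignatureToken = getEffectiveSignatureToken(tokenSecurityEvent.getSecurityToken());
                if (isSignatureToken(effectiveSignatureToken) && !isMainSignatureToken(effectiveSignatureToken)) {
                    return tokenSecurityEvent.getCorrelationID();
                }
            } catch (XMLSecurityException ignored) {
                // Deliberate best-effort: without a resolvable token no endorsing signature is
                // identified, so isAsserted() tests every recorded element instead of skipping one.
                return null;
            }
        }
        return null;
    }

    /**
     * Tells whether the token is used for signing.
     *
     * @param securityToken the token to inspect
     * @return {@code true} if any usage is Signature, MainSignature, or has "Endorsing" in its name
     */
    private boolean isSignatureToken(SecurityToken securityToken) {
        for (SecurityTokenConstants.TokenUsage tokenUsage : securityToken.getTokenUsages()) {
            // The name check covers the endorsing usage variants without listing each one.
            if (WSSecurityTokenConstants.TokenUsage_Signature.equals(tokenUsage)
                    || WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE.equals(tokenUsage)
                    || tokenUsage.getName().contains("Endorsing")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the root of the token's key-wrapping chain carries the MainSignature usage.
     *
     * @param securityToken the token to inspect
     * @return {@code true} for the main signature token
     * @throws XMLSecurityException if the root token cannot be resolved
     */
    private boolean isMainSignatureToken(SecurityToken securityToken) throws XMLSecurityException {
        return WSSUtils.getRootToken(securityToken).getTokenUsages().contains(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    }

    /**
     * Resolves the token that effectively represents the signature: starting from the root token,
     * walks its wrapped tokens and follows each signature token; a wrapped DerivedKeyToken ends the
     * walk and the token reached so far is returned.
     *
     * @param securityToken any token in the chain
     * @return the effective signature token
     * @throws XMLSecurityException if the root token cannot be resolved
     */
    private SecurityToken getEffectiveSignatureToken(SecurityToken securityToken) throws XMLSecurityException {
        SecurityToken current = WSSUtils.getRootToken(securityToken);
        for (SecurityToken wrapped : current.getWrappedTokens()) {
            if (!isSignatureToken(wrapped)) {
                continue;
            }
            if (WSSecurityTokenConstants.DerivedKeyToken.equals(wrapped.getTokenType())) {
                return current;
            }
            current = wrapped;
        }
        return current;
    }

    /**
     * Checks one signature element against the binding's EncryptSignature setting, updates the
     * asserted state and error message, and notifies the policy asserter.
     *
     * @param event the encrypted-element event for a Signature or SignatureConfirmation element
     * @return {@code true} if the element's encryption state matches the binding
     */
    private boolean testEncryptedSignature(EncryptedElementSecurityEvent event) {
        AbstractSymmetricAsymmetricBinding binding = (AbstractSymmetricAsymmetricBinding) getAssertion();
        QName encryptSignature = new QName(getAssertion().getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE);
        boolean mustBeEncrypted = binding.isEncryptSignature();
        if (event.isEncrypted() == mustBeEncrypted) {
            setAsserted(true);
            this.policyAsserter.assertPolicy(encryptSignature);
            return true;
        }
        setAsserted(false);
        String requirement = mustBeEncrypted ? " must be encrypted" : " must not be encrypted";
        setErrorMessage("Element " + WSSUtils.pathAsString(event.getElementPath()) + requirement);
        this.policyAsserter.unassertPolicy(encryptSignature, getErrorMessage());
        return false;
    }
}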
