package com.ibm.ws.wssecurity.saml.profile.saml20.sso.web;

import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.ws.wssecurity.common.Constants;
import com.ibm.ws.wssecurity.saml.binding.saml20.PostBindingIdPConfig;
import com.ibm.ws.wssecurity.saml.binding.saml20.PostBindingSPConfig;
import com.ibm.ws.wssecurity.saml.binding.saml20.SAMLResponseContext;
import com.ibm.ws.wssecurity.saml.binding.saml20.SAMLSpConstants;
import com.ibm.ws.wssecurity.saml.common.SAML20Constants;
import com.ibm.ws.wssecurity.saml.common.SAMLAssertion;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.saml.config.impl.SamlConfigUtil;
import com.ibm.ws.wssecurity.saml.protocol.saml20.Response;
import com.ibm.ws.wssecurity.saml.protocol.saml20.Status;
import com.ibm.ws.wssecurity.saml.protocol.saml20.StatusCode;
import com.ibm.ws.wssecurity.saml.protocol.saml20.impl.ResponseImpl;
import com.ibm.ws.wssecurity.saml.saml20.assertion.Assertion;
import com.ibm.ws.wssecurity.saml.saml20.assertion.AudienceRestriction;
import com.ibm.ws.wssecurity.saml.saml20.assertion.AuthnStatement;
import com.ibm.ws.wssecurity.saml.saml20.assertion.ConditionAbstract;
import com.ibm.ws.wssecurity.saml.saml20.assertion.Conditions;
import com.ibm.ws.wssecurity.saml.saml20.assertion.StatementAbstract;
import com.ibm.ws.wssecurity.saml.saml20.assertion.Subject;
import com.ibm.ws.wssecurity.saml.saml20.assertion.SubjectConfirmation;
import com.ibm.ws.wssecurity.saml.saml20.assertion.SubjectConfirmationData;
import com.ibm.ws.wssecurity.saml.security.impl.SAMLSignatureVerification;
import com.ibm.ws.wssecurity.token.UTC;
import com.ibm.ws.wssecurity.util.CommonLogUtils;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.StringUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.ws.wssecurity.wssapi.token.impl.SAMLTokenImpl;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import org.apache.axiom.om.OMElement;

/* loaded from: input_file:com/ibm/ws/wssecurity/saml/profile/saml20/sso/web/HTTPPOSTRequestConsumer.class */
public class HTTPPOSTRequestConsumer {
    // Component name for message lookups; not referenced by the methods visible in this part of the class.
    private static final String comp = "security.wssecurity";
    // Trace component used for all Tr.entry/Tr.exit/Tr.debug calls below.
    private static final TraceComponent tc = Tr.register(HTTPPOSTRequestConsumer.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Fully-qualified class name; not referenced by the methods visible in this part of the class.
    private static final String clsName = HTTPPOSTRequestConsumer.class.getName();
    // Holds the encoded SAMLResponse, the SP/IdP post-binding configuration, the consumer config and the replay manager.
    private SAMLResponseContext responseContext;
    // Set by validateResponseSignature(): true once a Signature element was found on the Response and verified.
    private boolean hasSignature = false;
    // The unmarshalled Response; populated by the consume*() methods and used by the no-argument validate*() overloads.
    private Response resp = null;

    /**
     * Creates a consumer bound to the given response context.
     *
     * @param sAMLResponseContext context carrying the encoded SAMLResponse and the SP/IdP configuration
     */
    public HTTPPOSTRequestConsumer(SAMLResponseContext sAMLResponseContext) {
        this.responseContext = sAMLResponseContext;
    }

    /**
     * Decodes and unmarshalls the SAMLResponse from the context and then runs the full validation chain
     * ({@link #validate(Response)}) on the resulting Response.
     * <p>
     * NOTE(review): when the context holds no SAMLResponse, {@link #consumeSAMLResponseWithoutValidation()}
     * returns {@code false} and no Response is produced, yet this method still returns {@code true}; callers
     * must not treat the return value as "a validated response is available".
     *
     * @return always {@code true}; validation failures are reported by throwing
     * @throws SoapSecurityException if decoding, unmarshalling or any validation step fails
     */
    public boolean consumeSAMLResponse() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "consumeSAMLResponse");
        }
        consumeSAMLResponseWithoutValidation();
        Response parsed = this.responseContext.getResponse();
        this.resp = parsed;
        if (parsed != null) {
            validate(parsed);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "consumeSAMLResponse returns true");
        }
        return true;
    }

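    /**
     * Decodes and unmarshalls the SAMLResponse held by the context without validating it.
     * On success the parsed Response is cached in {@code resp} for the no-argument validate*() overloads.
     *
     * @return {@code false} if the context holds no SAMLResponse (null or empty); {@code true} otherwise
     * @throws SoapSecurityException if decoding or unmarshalling fails
     */
    public boolean consumeSAMLResponseWithoutValidation() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "consumeSAMLResponseWithoutValidation");
        }
        String encoded = this.responseContext.getSAMLResponse();
        if (encoded == null || encoded.isEmpty()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "consumeSAMLResponseWithoutValidation returns [false] SamlResponse is NULL.");
            }
            return false;
        }
        // decode() undoes the transport encoding; unMarshall() builds the Response object model from it.
        this.responseContext.decode();
        this.responseContext.unMarshall();
        this.resp = this.responseContext.getResponse();
        // Exactly one exit trace on the success path (the earlier shape emitted two).
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "consumeSAMLResponseWithoutValidation returns [true]");
        }
        return true;
    }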

    /**
     * Runs the full validation chain on the Response currently held by the context.
     * A context without a Response is accepted silently.
     *
     * @return always {@code true}; failures are reported by throwing
     * @throws SoapSecurityException if any validation step fails
     */
    public boolean validateSAMLResponse() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSAMLResponse");
        }
        Response current = this.responseContext.getResponse();
        if (current != null) {
            validate(current);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateSAMLResponse returns true");
        }
        return true;
    }

    /** Validates the Response cached by the last consume call; see {@link #validate(Response)}. */
    protected boolean validate() throws SoapSecurityException {
        Response cached = this.resp;
        return validate(cached);
    }

    /**
     * Validates the Response envelope first and then the Assertion it carries.
     * Either step reports failure by throwing; a {@code false} return from a step is mapped to WSSML6010E.
     *
     * @param response the unmarshalled Response to validate
     * @return always {@code true}
     * @throws SoapSecurityException if the Response or its Assertion is not acceptable
     */
    protected boolean validate(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate");
        }
        boolean responseOk = validateResponse(response);
        if (!responseOk) {
            throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML6010E"));
        }
        boolean assertionOk = validateSAMLAssertion(response);
        if (!assertionOk) {
            throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML6010E"));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate returns true");
        }
        return true;
    }

    /** Validates the Assertion of the cached Response; see {@link #validateSAMLAssertion(Response)}. */
    protected boolean validateSAMLAssertion() throws SoapSecurityException {
        Response cached = this.resp;
        return validateSAMLAssertion(cached);
    }

    /**
     * Validates the Assertion carried by the Response: presence, replay (when enabled), the assertion's
     * own validity check, its signature, its issuer and the SAML 2.0 specific statements/conditions.
     * <p>
     * NOTE(review): the replay check runs before the assertion signature is verified, so an assertion ID is
     * presented to the replay manager before its authenticity is established; what the replay manager records
     * on validate() is not visible here — confirm it does not cache unverified IDs.
     *
     * @param response the unmarshalled Response holding the Assertion
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8004E if no Assertion is present, or if any later step fails
     */
    protected boolean validateSAMLAssertion(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSAMLAssertion");
        }
        SAMLAssertion assertion = response.getSAMLAssertion();
        if (assertion == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAML Response does not contains Assertion.");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8004E");
        }
        PostBindingSPConfig spConfig = this.responseContext.getPostBindingSPConfig();
        if (spConfig.preventReplay()) {
            SAMLToken token = response.getSAMLToken();
            this.responseContext.getReplayManager().validate(token.getSamlID(), token.getSAMLIssuerName());
        }
        boolean assertionValid = assertion.validate();
        if (!assertionValid) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAML Response does not contains a valid Assertion.");
            }
            throw new SoapSecurityException("Assertion is not valid.");
        }
        // Order matters: the signer certificate recorded by the signature check is consulted by the issuer check.
        validateSAMLSignature(response);
        validateAssertionIssuer(response);
        validateAssertion20(response);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateSAMLAssertion returns true");
        }
        return true;
    }

    /** Validates the envelope of the cached Response; see {@link #validateResponse(Response)}. */
    protected boolean validateResponse() throws SoapSecurityException {
        Response cached = this.resp;
        return validateResponse(cached);
    }

    /**
     * Validates the Response envelope attributes and elements in a fixed order. The signature check comes
     * first because it sets {@code hasSignature}, which later assertion-level checks depend on.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}; each step throws on failure
     * @throws SoapSecurityException if any envelope check fails
     */
    protected boolean validateResponse(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateResponse");
        }
        validateResponseSignature(response); // sets hasSignature
        validateStatus(response);            // Status/StatusCode must be Success
        validateID(response);                // ID attribute required
        validateInResponseTo(response);      // must match the stored AuthnRequest ID, if any
        validateVersion(response);           // "2.0" only
        validateIssueInstant(response);      // not in the future beyond the clock skew
        validateDestination(response);       // must match the ACS URL when present
        validateConsent(response);           // trace only
        validateIssuer(response);            // issuer name format, when present
        validateExtension(response);         // warning only
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateResponse returns true");
        }
        return true;
    }

    /** Checks the Status of the cached Response; see {@link #validateStatus(Response)}. */
    protected boolean validateStatus() throws SoapSecurityException {
        Response cached = this.resp;
        return validateStatus(cached);
    }

    /**
     * Requires a Status element with a StatusCode whose value is {@code StatusCode.Success}.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8000E if Status is missing, CWWSS8001E if StatusCode is missing,
     *                               CWWSS8003E if the code is anything other than Success
     */
    protected boolean validateStatus(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateStatus");
        }
        Status status = response.getStatus();
        if (status == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Response does not have Status.");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8000E");
        }
        StatusCode code = status.getStatusCode();
        if (code == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Response does not have a status code.");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8001E");
        }
        String codeValue = code.getValue();
        boolean success = StatusCode.Success.equals(codeValue);
        if (!success) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Response has a failing status code:" + codeValue);
            }
            throw new SoapSecurityException(ConfigUtil.getMessage("security.wssecurity.CWWSS8003E", new String[]{codeValue}));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateStatus returns true");
        }
        return true;
    }

    /** Checks the ID attribute of the cached Response; see {@link #validateID(Response)}. */
    protected boolean validateID() throws SoapSecurityException {
        Response cached = this.resp;
        return validateID(cached);
    }

    /**
     * Requires the Response to carry an ID attribute. Only presence is checked, not format or uniqueness.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8004E if the ID attribute is absent
     */
    protected boolean validateID(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateID");
        }
        boolean hasId = response.getID() != null;
        if (!hasId) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAML Response does not contain required ID attribute");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8004E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateID returns true");
        }
        return true;
    }

    /** Checks the Issuer of the cached Response; see {@link #validateIssuer(Response)}. */
    protected boolean validateIssuer() throws SoapSecurityException {
        Response cached = this.resp;
        return validateIssuer(cached);
    }

    /**
     * Rejects a Response-level Issuer whose Format attribute is present but not the single supported
     * format ({@code Response.SupportedIssuerNameFormat}). A missing Issuer or a missing Format is accepted;
     * the issuer's value is not compared to any trust list here (that happens for the Assertion issuer in
     * {@link #validateAssertionIssuer(Response)}).
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8005E on an unsupported issuer name format
     */
    protected boolean validateIssuer(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateIssuer");
        }
        SAMLNameID issuer = response.getIssuer();
        String format = issuer == null ? null : issuer.getFormat();
        boolean unsupportedFormat = format != null && !format.equals(Response.SupportedIssuerNameFormat);
        if (unsupportedFormat) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAML Response contain name format:" + format);
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8005E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateIssuer returns true");
        }
        return true;
    }

    /** Checks InResponseTo of the cached Response; see {@link #validateInResponseTo(Response)}. */
    protected boolean validateInResponseTo() throws SoapSecurityException {
        Response cached = this.resp;
        return validateInResponseTo(cached);
    }

    /**
     * Binds the Response to the originating AuthnRequest. When the context stores a request ID under
     * {@code "ID"} (SP-initiated flow), InResponseTo must equal it; when no ID is stored (IdP-initiated
     * flow), the Response must not carry a non-empty InResponseTo at all.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8006E on a mismatch or an unexpected InResponseTo
     */
    protected boolean validateInResponseTo(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateInResponseTo");
        }
        String expectedRequestId = (String) this.responseContext.get("ID");
        String inResponseTo = response.getInResponseTo();
        if (expectedRequestId == null) {
            // No outstanding AuthnRequest: an unsolicited response must not claim to answer one.
            boolean claimsRequest = inResponseTo != null && !inResponseTo.isEmpty();
            if (claimsRequest) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "InResponse attribut must not present for IdP-Initiated SAML response.");
                }
                throw SoapSecurityException.format("security.wssecurity.CWWSS8006E");
            }
        } else if (!expectedRequestId.equals(inResponseTo)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "InResponse attribute must be equal to the request ID of the original AuthnRequest.");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8006E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateInResponseTo returns true");
        }
        return true;
    }

    /** Checks the Version of the cached Response; see {@link #validateVersion(Response)}. */
    protected boolean validateVersion() throws SoapSecurityException {
        Response cached = this.resp;
        return validateVersion(cached);
    }

    /**
     * Accepts only SAML protocol version {@code "2.0"}; a missing Version is treated as unsupported.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8007E if the version is not "2.0"
     */
    protected boolean validateVersion(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateVersion");
        }
        String version = response.getVersion();
        boolean supported = "2.0".equals(version);
        if (!supported) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The Version is not supported:" + version);
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8007E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateVersion returns true");
        }
        return true;
    }

    /** Checks IssueInstant of the cached Response; see {@link #validateIssueInstant(Response)}. */
    protected boolean validateIssueInstant() throws SoapSecurityException {
        Response cached = this.resp;
        return validateIssueInstant(cached);
    }

    /**
     * Rejects a Response whose IssueInstant is missing or lies in the future by more than the configured
     * clock skew. Only future-dating is checked here; a stale IssueInstant is not rejected by this method.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8009E if IssueInstant is absent; CWWSS8008E (wrapping CWSML7002E)
     *                               if it is later than now plus the allowed clock skew
     */
    protected boolean validateIssueInstant(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateIssueInstant");
        }
        Date issued = response.getIssueInstant();
        if (issued == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The issue time of the response is missing.");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8009E");
        }
        if (issued.after(new Date())) {
            long skewMillis = this.responseContext.getPostBindingSPConfig().getAllowedClockSkew();
            long skewMinutes = (skewMillis / 60) / 1000;
            Date now = new Date();
            long latestAcceptable = now.getTime() + skewMillis;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "issueInstant: [" + UTC.format(issued) + "], [" + issued.getTime() + "]");
                Tr.debug(tc, "current time: [" + UTC.format(now) + "], [" + now.getTime() + "]");
                Tr.debug(tc, "clockskew: [" + skewMinutes + " minutes], [" + skewMillis + " millis]");
                Tr.debug(tc, "time adjusted forward for clockskew=" + latestAcceptable);
            }
            // A future IssueInstant is tolerated only up to the configured skew.
            if (issued.getTime() > latestAcceptable) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "token issued after current date/time.  Possible clockskew issue.");
                }
                throw SoapSecurityException.format("security.wssecurity.CWWSS8008E", new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.CWSML7002E", new String[]{UTC.format(issued), UTC.format(now), String.valueOf(skewMinutes)})));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateIssueInstant returns true");
        }
        return true;
    }

    /** Checks Destination of the cached Response; see {@link #validateDestination(Response)}. */
    protected boolean validateDestination() throws SoapSecurityException {
        Response cached = this.resp;
        return validateDestination(cached);
    }

    /**
     * When the Response carries a Destination, it must match the SP's AssertionConsumerService URL
     * (as decided by {@code matchTarget}). A Response without a Destination attribute is accepted without
     * any comparison — NOTE(review): whether that should be tightened for signed responses is a policy
     * decision outside this method.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8010E if Destination is present and does not match the ACS URL
     */
    protected boolean validateDestination(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateDestination");
        }
        String destination = response.getDestination();
        boolean hasDestination = destination != null && !destination.isEmpty();
        if (hasDestination) {
            String acsUrl = this.responseContext.getPostBindingSPConfig().getAssertionConsumerService();
            boolean matches = matchTarget(acsUrl, destination);
            if (!matches) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Response destination is " + destination);
                    Tr.debug(tc, "Response receiver is " + acsUrl);
                }
                throw new SoapSecurityException(ConfigUtil.getMessage("security.wssecurity.CWWSS8010E", new String[]{destination, acsUrl}));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateDestination returns true");
        }
        return true;
    }

    /** Traces the Consent of the cached Response; see {@link #validateConsent(Response)}. */
    protected boolean validateConsent() throws SoapSecurityException {
        Response cached = this.resp;
        return validateConsent(cached);
    }

    /**
     * Traces the Consent attribute when present. No value is rejected; this step never fails.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException never thrown by this implementation; declared for uniformity
     */
    protected boolean validateConsent(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateConsent");
        }
        String consent = response.getConsent();
        boolean traceConsent = consent != null && tc.isDebugEnabled();
        if (traceConsent) {
            Tr.debug(tc, "Consent is included:" + consent);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateConsent returns true");
        }
        return true;
    }

    /** Reports Extensions on the cached Response; see {@link #validateExtension(Response)}. */
    protected boolean validateExtension() throws SoapSecurityException {
        Response cached = this.resp;
        return validateExtension(cached);
    }

    /**
     * Logs a warning (CWWSS8011W) when the Response carries an Extensions element; the element's content is
     * not interpreted and does not cause rejection.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException never thrown by this implementation; declared for uniformity
     */
    protected boolean validateExtension(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateExtension");
        }
        OMElement extensions = response.getExtension();
        boolean present = extensions != null;
        if (present) {
            Tr.warning(tc, "security.wssecurity.CWWSS8011W");
            if (tc.isDebugEnabled()) {
                CommonLogUtils.logDebug(extensions, tc);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateExtension returns true");
        }
        return true;
    }

    /** Verifies the envelope signature of the cached Response; see {@link #validateResponseSignature(Response)}. */
    protected boolean validateResponseSignature() throws SoapSecurityException {
        Response cached = this.resp;
        return validateResponseSignature(cached);
    }

    /**
     * Verifies the Response-level XML signature if one is present and records the signing certificate on
     * the Response. An unsigned Response passes this step; {@code hasSignature} tells the later assertion
     * signature check whether a verified envelope signature exists.
     *
     * @param response the unmarshalled Response
     * @return {@code true} when there is no signature or the signature verified
     * @throws SoapSecurityException CWWSS8012E if a present signature fails verification
     */
    protected boolean validateResponseSignature(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateResponseSignature");
        }
        OMElement signatureElement = response.getSignature();
        this.hasSignature = false;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "signatureOM [" + ConfigUtil.getObjState(signatureElement) + "]");
        }
        if (signatureElement == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateResponseSignature returns true");
            }
            return true;
        }
        this.hasSignature = true;
        OMElement responseXML = response.getResponseXML();
        // Raw map: initMap/SAMLSignatureVerification define the keys; the signer cert comes back under X509CERTIFICATE.
        HashMap verificationResults = new HashMap();
        initMap(verificationResults);
        boolean verified = SAMLSignatureVerification.verify(responseXML, this.responseContext.getConsumerConfig(), verificationResults);
        X509Certificate signerCert = (X509Certificate) verificationResults.get(SAMLSignatureVerification.X509CERTIFICATE);
        if (response instanceof ResponseImpl) {
            ((ResponseImpl) response).setSigningX509Certificate(signerCert);
        }
        // A failed verification is fatal: hasSignature stays true but the exception stops processing.
        if (!verified) {
            Tr.debug(tc, "The Signature element in the response is not valid");
            throw SoapSecurityException.format("security.wssecurity.CWWSS8012E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateResponseSignature returns " + verified);
        }
        return verified;
    }

    /** Verifies the Assertion signature of the cached Response; see {@link #validateSAMLSignature(Response)}. */
    protected boolean validateSAMLSignature() throws SoapSecurityException {
        Response cached = this.resp;
        return validateSAMLSignature(cached);
    }

    /**
     * Verifies the XML signature on the SAML Assertion when the SP configuration requires signed assertions.
     * <p>
     * If {@code wantAssertionsSigned} is false no assertion signature is checked at all. If the enclosing
     * Response carried a signature that verified ({@code hasSignature}, set by
     * {@link #validateResponseSignature(Response)}) and the assertion has no ds:Signature child of its own,
     * the response-level signature is accepted as covering the assertion. Otherwise the assertion element is
     * verified and the signer certificate is recorded on the token for the later issuer/DN trust check.
     *
     * @param response the unmarshalled Response holding the assertion and token
     * @return {@code true} when the signature is valid or not required
     * @throws SoapSecurityException CWWSS8013E if a required assertion signature does not verify
     */
    protected boolean validateSAMLSignature(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSAMLSignature");
        }
        boolean z = true;
        if (this.responseContext.getPostBindingSPConfig().wantAssertionsSigned()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateSAMLSignature");
            }
            OMElement xml = response.getSAMLAssertion().getXML();
            // hasSignature is true only when validateResponseSignature() found and successfully verified a
            // Response-level signature (a failed verification throws there). An unsigned assertion inside such a
            // response is accepted here on the strength of that signature, and no signer certificate is recorded
            // on the token in this path.
            // NOTE(review): this relies on the response signature actually covering the Assertion element
            // (SAMLSignatureVerification.verify enforcing the Reference target) — confirm in that class.
            if (this.hasSignature && DOMUtils.getChildElement(xml, Constants.NS_DSIG, "Signature") == null) {
                if (!tc.isEntryEnabled()) {
                    return true;
                }
                Tr.exit(tc, "validateSAMLSignature returns true : There is a valid Signature on Response");
                return true;
            }
            // Raw map: keys are defined by initMap/SAMLSignatureVerification; the signer cert is returned under X509CERTIFICATE.
            HashMap hashMap = new HashMap();
            initMap(hashMap);
            z = SAMLSignatureVerification.verify(xml, this.responseContext.getConsumerConfig(), hashMap);
            X509Certificate x509Certificate = (X509Certificate) hashMap.get(SAMLSignatureVerification.X509CERTIFICATE);
            SAMLTokenImpl sAMLTokenImpl = (SAMLTokenImpl) response.getSAMLToken();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "cert[" + ConfigUtil.getObjType(x509Certificate) + "]");
            }
            // Recorded even when verification failed; the exception below prevents the token from being used.
            sAMLTokenImpl.setSignerCertificate(x509Certificate);
        } else if (tc.isDebugEnabled()) {
            // Assertion signing not required by configuration: nothing is verified and the token keeps no signer cert.
            Tr.debug(tc, "ignore SAMLSignature");
        }
        if (!z) {
            Tr.debug(tc, "The Signature element in the SAML Assertion is not valid");
            throw SoapSecurityException.format("security.wssecurity.CWWSS8013E");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " SAMLSignature is OK");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateSAMLSignature returns " + z);
        }
        return z;
    }

    /**
     * Resolves the trust store configured for the consumer. When the consumer is configured to trust any
     * STS no trust store is required and {@code null} is returned.
     *
     * @return the configured trust store, or {@code null} when {@code trustAnySTS()} is set
     * @throws SoapSecurityException WSSML6011E if a trust store is required but none could be loaded
     */
    private KeyStore getTrustAnchor() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTrustAnchor");
        }
        ConsumerConfig config = this.responseContext.getConsumerConfig();
        KeyStore trustStore;
        if (config.trustAnySTS()) {
            trustStore = null;
        } else {
            trustStore = SamlConfigUtil.getTrustStore(config);
            if (trustStore == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Valid TrustAnchor is required.");
                }
                throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML6011E"));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTrustAnchor returns [" + ConfigUtil.getObjState(trustStore) + "]");
        }
        return trustStore;
    }

    /**
     * Looks up the token-provider key information when the consumer configuration names a key alias.
     *
     * @return the key information for the configured alias, or {@code null} when no alias is configured
     * @throws SoapSecurityException if the key information cannot be resolved
     */
    protected KeyStoreManager.KeyInformation getSigningKeyInformation() throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSigningKeyInformation");
        }
        ConsumerConfig config = this.responseContext.getConsumerConfig();
        boolean aliasConfigured = config.getAliasForTokenProvider() != null;
        KeyStoreManager.KeyInformation keyInfo = aliasConfigured ? SamlConfigUtil.getTokenProviderKeyInformation(config) : null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSigningKeyInformation returns [" + ConfigUtil.getObjState(keyInfo) + "]");
        }
        return keyInfo;
    }

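    /**
     * Non-throwing variant of {@link #isTrustedIssuerEx(String, X509Certificate)}: any failure is reported
     * as {@code false} and the reason is traced instead of being discarded.
     *
     * @param str             issuer name from the SAML Assertion
     * @param x509Certificate signer certificate of the assertion, or {@code null} if none was recorded
     * @return {@code true} only if the issuer (and, when configured, the signer DN) is trusted
     */
    protected boolean isTrustedIssuer(String str, X509Certificate x509Certificate) {
        try {
            return isTrustedIssuerEx(str, x509Certificate);
        } catch (Exception e) {
            // An untrusted issuer surfaces as SoapSecurityException; keep the reason in the trace so a
            // rejected login can be diagnosed rather than silently mapped to false.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isTrustedIssuer returns false for issuer [" + str + "]: " + e);
            }
            return false;
        }
    }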

    /**
     * Decides whether the assertion issuer (and, where configured, the signer certificate's subject DN) is
     * trusted according to the configured list of IdP entries.
     * <p>
     * Semantics as implemented: an empty IdP list trusts every issuer; an entry with neither an issuer name
     * nor an issuer certificate DN configured matches any issuer; an entry is satisfied only when every
     * constraint it does configure matches (case-insensitive, DN whitespace removed). The first satisfied
     * entry wins. If no entry is satisfied the exception built for the last failing comparison is thrown.
     *
     * @param str             issuer name from the SAML Assertion
     * @param x509Certificate signer certificate recorded on the token, or {@code null} if none
     * @return {@code true} when trusted; this method never returns {@code false} — it throws instead
     * @throws SoapSecurityException CWWSS8014E (issuer name not trusted), CWWSS8042E (signer DN not trusted or
     *                               not available), CWWSS8043E (DN configured but wantAssertionsSigned is false)
     */
    protected boolean isTrustedIssuerEx(String str, X509Certificate x509Certificate) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTrustedIssuer()");
        }
        SoapSecurityException soapSecurityException = null;
        ArrayList<PostBindingIdPConfig> postBindingIdPConfig = this.responseContext.getPostBindingIdPConfig();
        ListIterator<PostBindingIdPConfig> listIterator = postBindingIdPConfig.listIterator();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "it[" + (listIterator == null ? AppConstants.NULL_STRING : "not null") + "], " + (postBindingIdPConfig != null ? "trustedList.isEmpty[" + postBindingIdPConfig.isEmpty() + "]" : ""));
        }
        // No trusted-IdP entries configured: any issuer is accepted. (listIterator() does not return null,
        // so the first operand is effectively always false.)
        if (listIterator == null || postBindingIdPConfig.isEmpty()) {
            if (!tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "isTrustedIssuer() returns true");
            return true;
        }
        // z  = overall "trusted" result
        // z2 = "mustCheck": at least one entry configures an issuer name or a certificate DN
        boolean z = false;
        boolean z2 = false;
        while (true) {
            if (!listIterator.hasNext()) {
                break;
            }
            // z3 = "validIssuer", z4 = "validSigner" for the current entry (names taken from the trace below)
            boolean z3 = false;
            boolean z4 = false;
            PostBindingIdPConfig next = listIterator.next();
            String issuerName = next.getIssuerName();
            String issuerCertificateDN = next.getIssuerCertificateDN();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "trustedIssuer [" + issuerName + "], trustedIssuerDn [" + issuerCertificateDN + "]");
                if (issuerName != null) {
                    Tr.debug(tc, "normalized trustedIssuer [" + StringUtil.removeDNSpace(issuerName) + "]");
                    Tr.debug(tc, "normalized assertion issuer [" + StringUtil.removeDNSpace(str) + "]");
                }
                if (issuerCertificateDN != null) {
                    Tr.debug(tc, "normalized trustedIssuerDn [" + StringUtil.removeDNSpace(issuerCertificateDN) + "]");
                    if (x509Certificate == null || x509Certificate.getSubjectDN() == null) {
                        Tr.debug(tc, "cert [" + ConfigUtil.getObjType(x509Certificate) + "]");
                    } else {
                        Tr.debug(tc, "normalized signer cert subject DN [" + StringUtil.removeDNSpace(x509Certificate.getSubjectDN().getName()) + "]");
                    }
                }
            }
            if (issuerName != null || issuerCertificateDN != null) {
                z2 = true;
            }
            // A constraint that is not configured counts as satisfied, so an entry with both values null
            // makes z3 && z4 true below and trusts any issuer.
            if (issuerName == null) {
                z3 = true;
            }
            if (issuerCertificateDN == null) {
                z4 = true;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "mustCheck [" + z2 + "]");
                Tr.debug(tc, "validIssuer [" + z3 + "]");
                Tr.debug(tc, "validSigner [" + z4 + "]");
            }
            if (issuerName != null) {
                if (StringUtil.removeDNSpace(issuerName).equalsIgnoreCase(StringUtil.removeDNSpace(str))) {
                    z3 = true;
                } else {
                    soapSecurityException = SoapSecurityException.format("security.wssecurity.CWWSS8014E", str);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "CWWSS8014E: The Issuer name in the SAML Assertion is not trusted. [" + str + "]");
                    }
                }
            }
            if (issuerCertificateDN != null) {
                if (x509Certificate == null) {
                    // A DN constraint can only be evaluated against a signer certificate; without one the entry
                    // fails either way, and the error distinguishes "assertion not signed" from "signing not required".
                    boolean wantAssertionsSigned = this.responseContext.getPostBindingSPConfig().wantAssertionsSigned();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "wantAssertionsSigned [" + wantAssertionsSigned + "]");
                    }
                    if (wantAssertionsSigned) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unable to evaluate trusted Issuer Subject DN because the signer certificate is not available.");
                            Tr.debug(tc, "The value for the [allowedIssuerDN] custom property is set to a non-null value, [" + issuerCertificateDN + "], but the certificate to use for comparison is not available.");
                        }
                        soapSecurityException = SoapSecurityException.format("security.wssecurity.CWWSS8042E", "");
                    } else {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unable to evaluate trusted Issuer Subject DN because the [wantAssertionsSigned] property is set to false.");
                            Tr.debug(tc, "The value for the [allowedIssuerDN] custom property is set to a non-null value, [" + issuerCertificateDN + "], but value for [wantAssertionsSigned] is false.  This condition is not allowed.  Either set [wantAssertionsSigned] to true or unset [allowedIssuerDN].");
                        }
                        soapSecurityException = SoapSecurityException.format("security.wssecurity.CWWSS8043E", "wantAssertionsSigned");
                    }
                // Subject DN comparison uses the legacy getSubjectDN() string form; whether its formatting matches the
                // configured DN for every certificate encoding is not established here — treat as an assumption.
                } else if (StringUtil.removeDNSpace(issuerCertificateDN).equalsIgnoreCase(StringUtil.removeDNSpace(x509Certificate.getSubjectDN().getName()))) {
                    z4 = true;
                } else {
                    soapSecurityException = SoapSecurityException.format("security.wssecurity.CWWSS8042E", x509Certificate.getSubjectDN().getName());
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "CWWSS8042E: The Subject DN of the signer certificate in the SAML Assertion is not trusted: [" + x509Certificate.getSubjectDN().getName() + "]");
                    }
                }
            }
            // First entry whose configured constraints all match decides the outcome.
            if (z3 && z4) {
                z = true;
                break;
            }
        }
        // No entry configured any constraint at all: trusted.
        if (!z2) {
            z = true;
        }
        if (z) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isTrustedIssuer() returns " + z);
            }
            return z;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Issuer or SubjectDN is not trusted.  Throwing exception.");
        }
        // Non-null here: reaching this point means at least one entry failed a comparison above and set it.
        throw soapSecurityException;
    }

    /**
     * Checks the assertion issuer name and the signer certificate recorded on the token against the
     * configured trusted IdPs via {@link #isTrustedIssuerEx(String, X509Certificate)}.
     * The signer certificate is only present when {@link #validateSAMLSignature(Response)} verified the
     * assertion element itself; otherwise it is {@code null}.
     *
     * @param response the unmarshalled Response holding the token
     * @return {@code true} when trusted
     * @throws SoapSecurityException propagated from the trust check; CWWSS8014E if it reports untrusted
     */
    protected boolean validateAssertionIssuer(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateAssertionIssuer");
        }
        SAMLToken token = response.getSAMLToken();
        X509Certificate signerCert = token.getSignerCertificate();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "samlCert [" + ConfigUtil.getObjType(signerCert) + "]");
        }
        // isTrustedIssuerEx() throws on an untrusted issuer rather than returning false; the branch below is a
        // defensive fallback.
        boolean trusted = isTrustedIssuerEx(token.getSAMLIssuerName(), signerCert);
        if (!trusted) {
            Tr.debug(tc, "The issuer name or signer subject DN in the SAML Assertion is not trusted.");
            throw SoapSecurityException.format("security.wssecurity.CWWSS8014E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateAssertionIssuer() returns " + trusted);
        }
        return trusted;
    }

    /** Runs the SAML 2.0 assertion checks on the cached Response; see {@link #validateAssertion20(Response)}. */
    protected boolean validateAssertion20() throws SoapSecurityException {
        Response cached = this.resp;
        return validateAssertion20(cached);
    }

    /**
     * Requires a SAML 2.0 {@link Assertion} and validates its AuthnStatement(s), Subject and
     * AudienceRestriction.
     *
     * @param response the unmarshalled Response
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8020E if the assertion is missing or not a SAML 2.0 Assertion;
     *                               otherwise whatever the individual checks throw
     */
    protected boolean validateAssertion20(Response response) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateAssertion20(resp[" + ConfigUtil.getObjState(response) + "])");
        }
        SAMLAssertion generic = response.getSAMLAssertion();
        // instanceof is false for null, so a missing assertion is rejected here as well.
        if (!(generic instanceof Assertion)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The response does not contain SAML 2.0 Assertion");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8020E");
        }
        Assertion assertion20 = (Assertion) generic;
        validateAuthnStatement(assertion20);
        validateSubject(assertion20);
        validateAudienceRestriction(assertion20);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateAssertion20 returns true");
        }
        return true;
    }

    /**
     * Requires at least one AuthnStatement and, for each one that carries SessionNotOnOrAfter, checks that
     * the session has not expired (see {@link #validateSessionNotOnOrAfter(Date)}).
     *
     * @param assertion the SAML 2.0 Assertion
     * @return always {@code true}
     * @throws SoapSecurityException CWWSS8021E if no AuthnStatement is present; otherwise whatever the
     *                               session expiry check throws
     */
    protected boolean validateAuthnStatement(Assertion assertion) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateAuthnStatement(assertion20[" + ConfigUtil.getObjState(assertion) + "])");
        }
        List<StatementAbstract> authnStatements = assertion.getStatements(AuthnStatement.qName);
        boolean none = authnStatements == null || authnStatements.isEmpty();
        if (none) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The SAML 2.0 Assertion does not contain AuthnStatement");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8021E");
        }
        for (StatementAbstract statement : authnStatements) {
            // Statements were fetched by AuthnStatement.qName, so the cast is expected to hold.
            Date sessionEnd = ((AuthnStatement) statement).getSessionNotOnOrAfter();
            if (sessionEnd != null) {
                validateSessionNotOnOrAfter(sessionEnd);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateAuthnStatement returns true");
        }
        return true;
    }

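    /**
     * Rejects an {@code AuthnStatement} whose {@code SessionNotOnOrAfter} instant has been reached.
     * <p>
     * {@code SessionNotOnOrAfter} is an exclusive bound (the session is to be considered ended
     * at that instant), so the comparison uses {@code >=} — consistent with the
     * {@code !now.before(date)} guard, which is also inclusive. The configured clock skew is
     * subtracted from the SP's clock before comparing, so an SP running slightly ahead of the
     * IdP does not reject a session the IdP still considers open.
     *
     * @param date the statement's {@code SessionNotOnOrAfter} value; must not be {@code null}
     * @return {@code true} when the session window is still open
     * @throws SoapSecurityException CWWSS8028E (wrapping CWSML7018E) when the window has
     *         closed even after allowing for clock skew
     */
    protected boolean validateSessionNotOnOrAfter(Date date) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSessionNotOnOrAfter");
        }
        long allowedClockSkew = this.responseContext.getPostBindingSPConfig().getAllowedClockSkew();
        Date now = new Date();
        // Strictly before the instant: valid regardless of skew.
        if (!now.before(date)) {
            long skewAdjustedNow = now.getTime() - allowedClockSkew;
            long skewMinutes = (allowedClockSkew / 60) / 1000; // allowedClockSkew is in milliseconds
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "current time: [" + UTC.format(now) + "], [" + now.getTime() + "]");
                Tr.debug(tc, "clockskew: [" + skewMinutes + " minutes], [" + allowedClockSkew + " millis]");
                Tr.debug(tc, "sessionNotOnOrAfter: [" + UTC.format(date) + "], [" + date.getTime() + "]");
                Tr.debug(tc, "time adjusted backward for clockskew=" + skewAdjustedNow);
            }
            // Equality is a failure: "on or after" includes the instant itself.
            if (skewAdjustedNow >= date.getTime()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "timeBackward > notOnOrAfter. notOnOrAfter test failed.");
                }
                throw SoapSecurityException.format("security.wssecurity.CWWSS8028E", new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.CWSML7018E", new String[]{UTC.format(date), UTC.format(now), String.valueOf(skewMinutes)})));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateSessionNotOnOrAfter returns true");
        }
        return true;
    }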

    /**
     * Requires a {@code Subject} and validates its {@code SubjectConfirmation} via
     * {@link #validateSubjectConfirmation(SubjectConfirmation)}.
     * NOTE(review): {@code getSubjectConfirmation()} is handed over without a null check;
     * a subject with no confirmation relies on the callee to cope with {@code null}.
     *
     * @param assertion the SAML 2.0 assertion under validation
     * @return {@code true} when the subject and its confirmation are acceptable
     * @throws SoapSecurityException CWWSS8022E when the assertion has no Subject, or the
     *         exception raised by the confirmation check
     */
    protected boolean validateSubject(Assertion assertion) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSubject(assertion20[" + ConfigUtil.getObjState(assertion) + "])");
        }
        Subject subject = assertion.getSubject();
        if (subject != null) {
            validateSubjectConfirmation(subject.getSubjectConfirmation());
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateSubject returns true");
            }
            return true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Subject is required");
        }
        throw SoapSecurityException.format("security.wssecurity.CWWSS8022E");
    }

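    /**
     * Validates the bearer {@code SubjectConfirmation} of a Web SSO assertion.
     * <p>
     * Checks, in order, that: the confirmation method is {@link SAML20Constants#_BEARER};
     * {@code SubjectConfirmationData} is present; {@code InResponseTo}, when present, equals the
     * request ID stored under {@code "ID"} in the response context; {@code Recipient} equals the
     * configured assertion consumer service (exact, case-sensitive); {@code NotBefore} is absent;
     * and {@code NotOnOrAfter} is present and not yet reached after allowing for clock skew.
     * A {@code null} confirmation is reported as a missing bearer confirmation (CWWSS8023E)
     * rather than surfacing as a {@code NullPointerException}.
     *
     * @param subjectConfirmation the subject's confirmation element; may be {@code null}
     * @return {@code true} when every check passes
     * @throws SoapSecurityException CWWSS8023E (no bearer confirmation), CWWSS8024E (no
     *         confirmation data), CWWSS8006E (InResponseTo mismatch or no stored request ID),
     *         CWWSS8025E (Recipient mismatch), CWWSS8027E (NotBefore present), CWSML7006E
     *         (NotOnOrAfter missing) or CWWSS8026E (NotOnOrAfter reached)
     */
    protected boolean validateSubjectConfirmation(SubjectConfirmation subjectConfirmation) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSubjectConfirmation(subjectConfirmation[" + ConfigUtil.getObjState(subjectConfirmation) + "])");
        }
        // Treat a missing confirmation exactly like a non-bearer one.
        String method = subjectConfirmation == null ? null : subjectConfirmation.getMethod();
        if (method == null || !method.equals(SAML20Constants._BEARER)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Bearer SubjectConfirmation is required");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8023E");
        }
        SubjectConfirmationData confirmationData = subjectConfirmation.getSubjectConfirmationData();
        if (confirmationData == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, " SubjectConfirmationData is required");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8024E");
        }
        // InResponseTo, when present, must echo the ID of the AuthnRequest this SP issued.
        String inResponseTo = confirmationData.getInResponseTo();
        if (inResponseTo != null) {
            String expectedRequestId = (String) this.responseContext.get("ID");
            if (expectedRequestId == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "InResponse attribute must be present for an IdP-Initiated SAML response.");
                }
                throw SoapSecurityException.format("security.wssecurity.CWWSS8006E");
            }
            if (!expectedRequestId.equals(inResponseTo)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "InResponse attribute must be equal to the request ID of the original AuthnRequest.");
                }
                throw SoapSecurityException.format("security.wssecurity.CWWSS8006E");
            }
        }
        // NOTE(review): a response with no InResponseTo skips the check above even if a request ID
        // is stored under "ID"; whether "ID" is cleared between flows is not visible here — confirm
        // before relying on this to tell solicited from unsolicited responses apart.
        String recipient = confirmationData.getRecipient();
        String assertionConsumerService = this.responseContext.getPostBindingSPConfig().getAssertionConsumerService();
        if (recipient == null || !recipient.equals(assertionConsumerService)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Recipient:" + recipient);
                Tr.debug(tc, "Assertion Consumer Service:" + assertionConsumerService);
            }
            throw new SoapSecurityException(ConfigUtil.getMessage("security.wssecurity.CWWSS8025E", new String[]{recipient, assertionConsumerService}));
        }
        if (confirmationData.getNotBefore() != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, " NotBefore in SubjectConfirmationData is not allowed");
            }
            throw SoapSecurityException.format("security.wssecurity.CWWSS8027E");
        }
        Date notOnOrAfter = confirmationData.getNotOnOrAfter();
        if (notOnOrAfter == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "NotOnOrAfter missing from SubjectConfirmationData");
            }
            throw SoapSecurityException.format(MessageHelper.getMessage("security.wssecurity.CWSML7006E", new String[]{"NotOnOrAfter", "SubjectConfirmationData"}));
        }
        Date now = new Date();
        // Strictly before the instant: valid regardless of skew.
        if (!now.before(notOnOrAfter)) {
            long allowedClockSkew = this.responseContext.getPostBindingSPConfig().getAllowedClockSkew();
            long skewAdjustedNow = now.getTime() - allowedClockSkew;
            long skewMinutes = (allowedClockSkew / 60) / 1000; // allowedClockSkew is in milliseconds
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "current time: [" + UTC.format(now) + "], [" + now.getTime() + "]");
                Tr.debug(tc, "clockskew: [" + skewMinutes + " minutes], [" + allowedClockSkew + " millis]");
                Tr.debug(tc, "notOnOrAfter: [" + UTC.format(notOnOrAfter) + "], [" + notOnOrAfter.getTime() + "]");
                Tr.debug(tc, "time adjusted backward for clockskew=" + skewAdjustedNow);
            }
            // NotOnOrAfter is an exclusive bound: equality means the confirmation has expired,
            // matching the inclusive !now.before(...) guard above.
            if (skewAdjustedNow >= notOnOrAfter.getTime()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "timeBackward > notOnOrAfter. notOnOrAfter test failed.");
                }
                throw SoapSecurityException.format("security.wssecurity.CWWSS8026E", new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.CWSML7021E", new String[]{UTC.format(notOnOrAfter), UTC.format(now), String.valueOf(skewMinutes)})));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateSubjectConfirmation returns true");
        }
        return true;
    }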

    /**
     * Requires that some {@code AudienceRestriction} in the assertion's {@code Conditions} names
     * this SP: the configured entity ID (case-insensitive), the assertion consumer service
     * (via {@link #matchTarget(String, String)}, which honours a trailing {@code *}), or the
     * configured default target URL (case-insensitive, when configured).
     * <p>
     * NOTE(review): the first AudienceRestriction with an acceptable audience satisfies the
     * check; SAML 2.0 Core requires every AudienceRestriction to be satisfied independently,
     * so an assertion carrying several restrictions is accepted here more liberally than the
     * specification calls for — confirm whether that case occurs in practice.
     * The entity ID from the SP configuration is dereferenced without a null check.
     *
     * @param assertion the SAML 2.0 assertion under validation
     * @return {@code true} when an acceptable audience was found
     * @throws SoapSecurityException CWWSS8029E when Conditions are absent or no audience matches
     */
    protected boolean validateAudienceRestriction(Assertion assertion) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateAudienceRestriction(assertion20[" + ConfigUtil.getObjState(assertion) + "])");
        }
        PostBindingSPConfig spConfig = this.responseContext.getPostBindingSPConfig();
        String entityID = spConfig.getEntityID();
        String assertionConsumerService = spConfig.getAssertionConsumerService();
        String defaultTargetUrl = spConfig.getDefaultTargetUrl();
        Conditions conditions = assertion.getConditions();
        boolean audienceMatched = false;
        if (conditions == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Conditions does not exist.");
            }
        } else {
            search:
            for (ConditionAbstract condition : conditions.getConditionOrAudienceRestrictionOrOneTimeUse()) {
                if (!(condition instanceof AudienceRestriction)) {
                    continue; // OneTimeUse, ProxyRestriction etc. are not checked here
                }
                for (String audience : ((AudienceRestriction) condition).getAudience()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "AudienceRestriction:" + audience);
                    }
                    // Short-circuit order kept: matchTarget emits its own trace only when reached.
                    if (entityID.equalsIgnoreCase(audience) || matchTarget(assertionConsumerService, audience) || (defaultTargetUrl != null && defaultTargetUrl.equalsIgnoreCase(audience))) {
                        audienceMatched = true;
                        break search;
                    }
                }
            }
        }
        if (!audienceMatched) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "AudienceRestriction does not include assertion consumer service URL");
            }
            throw new SoapSecurityException(ConfigUtil.getMessage("security.wssecurity.CWWSS8029E", new String[]{assertionConsumerService}));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateAudienceRestriction returns " + audienceMatched);
        }
        return audienceMatched;
    }

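    /**
     * Matches a configured target URL against an incoming audience value.
     * <p>
     * Matches when the two are equal ignoring case, or when {@code str} ends in {@code *}
     * (and is longer than the lone wildcard) and {@code str2} starts with the text before the
     * {@code *}. The prefix comparison is case-sensitive, unlike the exact comparison. A bare
     * {@code "*"} never matches, so a misconfigured target cannot accept every audience.
     * The entry trace now reports the incoming value as {@code incoming[...]} instead of
     * repeating the target.
     *
     * @param str  the configured target (may be {@code null}; never matches then)
     * @param str2 the incoming audience value (may be {@code null}; never matches then)
     * @return {@code true} when {@code str2} matches {@code str}
     */
    protected boolean matchTarget(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "matchTarget(target[" + str + "], incoming[" + str2 + "])");
        }
        boolean matched = false;
        if (str != null && str.equalsIgnoreCase(str2)) {
            matched = true;
        } else if (str != null && str.endsWith("*") && str.length() > 1 && str2 != null) {
            // endsWith("*") guarantees lastIndexOf("*") is the final index, so this strips only it.
            String prefix = str.substring(0, str.lastIndexOf("*"));
            matched = str2.startsWith(prefix);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "matchTarget returns " + matched);
        }
        return matched;
    }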

    /**
     * Records the SP's retry-trust setting in {@code map} under
     * {@link SAMLSpConstants#RETRY_TRUST} as the string {@code "true"} or {@code "false"}.
     * {@code "false"} is stored when no SP configuration is available.
     *
     * @param map the raw map to populate; mutated in place
     */
    @SuppressWarnings("unchecked") // the raw Map type is part of the existing signature
    private void initMap(Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initMap(" + ConfigUtil.getObjType(map) + ")");
        }
        PostBindingSPConfig spConfig = this.responseContext.getPostBindingSPConfig();
        boolean retryTrust = spConfig != null && spConfig.getRetryTrust();
        String retryTrustValue = Boolean.toString(retryTrust);
        map.put(SAMLSpConstants.RETRY_TRUST, retryTrustValue);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "retryTrust[" + retryTrustValue + "]");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initMap");
        }
    }
}
