package com.ibm.ws.webservices.wssecurity.core;

import com.ibm.security.krb5.wss.util.ElementLocalNames;
import com.ibm.ws.webservices.engine.resources.Messages;
import com.ibm.ws.webservices.engine.xmlsoap.SOAPHeaderElement;
import com.ibm.ws.webservices.wssecurity.KRBConstants;
import com.ibm.ws.webservices.wssecurity.WSSConsumerComponent;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditEventGeneratorImpl;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditService;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditServiceImpl;
import com.ibm.ws.webservices.wssecurity.config.EncryptionConsumerConfig;
import com.ibm.ws.webservices.wssecurity.config.SignatureConsumerConfig;
import com.ibm.ws.webservices.wssecurity.config.TimestampConsumerConfig;
import com.ibm.ws.webservices.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.webservices.wssecurity.dsig.SignatureConsumer;
import com.ibm.ws.webservices.wssecurity.dsig.SignatureGenerator;
import com.ibm.ws.webservices.wssecurity.dsig.VerificationResult;
import com.ibm.ws.webservices.wssecurity.dsig.VerifiedPartChecker;
import com.ibm.ws.webservices.wssecurity.enc.DecryptedPartChecker;
import com.ibm.ws.webservices.wssecurity.enc.DecryptionResult;
import com.ibm.ws.webservices.wssecurity.enc.EncryptionConsumer;
import com.ibm.ws.webservices.wssecurity.keyinfo.KeyInfoConsumer;
import com.ibm.ws.webservices.wssecurity.keyinfo.KeyInfoResult;
import com.ibm.ws.webservices.wssecurity.time.TimestampChecker;
import com.ibm.ws.webservices.wssecurity.time.TimestampConsumer;
import com.ibm.ws.webservices.wssecurity.token.AuthResult;
import com.ibm.ws.webservices.wssecurity.token.CertCacheManager;
import com.ibm.ws.webservices.wssecurity.token.LoginProcessor;
import com.ibm.ws.webservices.wssecurity.token.TokenManager;
import com.ibm.ws.webservices.wssecurity.util.ConfidentialDialectElementSelector;
import com.ibm.ws.webservices.wssecurity.util.DOMUtil;
import com.ibm.ws.webservices.wssecurity.util.IdUtil;
import com.ibm.ws.webservices.wssecurity.util.IntegralDialectElementSelector;
import com.ibm.ws.webservices.wssecurity.util.NamespaceUtil;
import com.ibm.ws.webservices.wssecurity.util.NonceUtil;
import com.ibm.ws.webservices.wssecurity.util.TimestampDialectElementSelector;
import com.ibm.ws.webservices.wssecurity.util.WSPFunctionElementSelector;
import com.ibm.ws.webservices.wssecurity.util.XPathElementSelector;
import com.ibm.ws.wssecurity.xss4j.domutil.XPathCanonicalizer;
import com.ibm.wsspi.webservices.rpc.handler.soap.SOAPMessageContext;
import com.ibm.wsspi.wssecurity.Constants;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.token.Token;
import com.ibm.wsspi.wssecurity.auth.token.X509BSToken;
import com.ibm.wsspi.wssecurity.config.TokenConsumerConfig;
import com.ibm.wsspi.wssecurity.token.IDAssertionUsernameTokenConsumer;
import com.ibm.wsspi.wssecurity.token.TokenConsumerComponent;
import com.ibm.xml.soapsec.Result;
import com.ibm.xml.soapsec.ResultPool;
import com.ibm.xml.soapsec.token.NonceManager;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:com/ibm/ws/webservices/wssecurity/core/WSSConsumer.class */
public class WSSConsumer implements WSSConsumerComponent {
    // Component identifier string; not referenced in the visible part of this class.
    private static final String comp = "security.wssecurity";
    // Free-form handler options, written by setHandlerOption and read by getHandlerOption.
    private Map _handlerOption = new HashMap();
    // Shared selectors, consumers and checkers keyed by class; filled once by setInitialProperties
    // and copied into a fresh map on every invoke call.
    private Map _properties = new HashMap();
    // Set after setInitialProperties has run so that init only builds _properties once.
    // NOTE(review): plain boolean, no volatile or lock visible here; confirm init is never
    // called concurrently on the same instance.
    private boolean _initialized = false;
    private static final TraceComponent tc = Tr.register(WSSConsumer.class, "Web Services Security", "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    private static final String clsName = WSSConsumer.class.getName();
    // Context-map keys derived from the class name. REFERENCE_ELEMENT is put into and removed from
    // the context map around SecurityTokenReference processing in invoke.
    // NOTE(review): both are public static and not final, so any code that can see this class can
    // reassign them; they look like constants and would be safer declared final.
    public static String REFERENCE_MAP = clsName + ".referenceMap";
    public static String REFERENCE_ELEMENT = clsName + ".referenceElement";
    // SAML 1.1 and 2.0 value types. NOTE(review): package-private, non-final, mutable array.
    static String[] samlValueTypes = {SignatureGenerator._SAML11_VALUETYPE, SignatureGenerator._SAML20_VALUETYPE};

    /**
     * Records a handler option, replacing any value previously stored under the same name.
     *
     * @param str option name, used as the map key
     * @param obj option value, stored as supplied
     */
    public void setHandlerOption(String str, Object obj) {
        final Map options = this._handlerOption;
        options.put(str, obj);
    }

    /**
     * Looks up a handler option previously stored with {@link #setHandlerOption(String, Object)}.
     *
     * @param str option name
     * @return the stored value, or {@code null} when nothing is stored under that name
     */
    public Object getHandlerOption(String str) {
        final Object value = this._handlerOption.get(str);
        return value;
    }

    /**
     * Builds the shared property map the first time it is called; later calls only emit trace.
     *
     * <p>The {@code map} argument is not read. The initialised flag is set only after
     * {@code setInitialProperties()} returns, so a failure there leaves the instance
     * uninitialised and the next call tries again.
     *
     * @param map initialisation parameters (unused here)
     * @throws SoapSecurityException if building the shared properties fails
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSComponent, com.ibm.wsspi.wssecurity.Initializable
    public void init(Map map) throws SoapSecurityException {
        final String signature = "init(Map map)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, signature);
        }
        final boolean firstCall = !this._initialized;
        if (firstCall) {
            setInitialProperties();
            this._initialized = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, signature);
        }
    }

    /**
     * Applies the inbound WS-Security configuration to one SOAP message.
     *
     * <p>Order of work, as written below: initialise the per-message pools and subject, read the
     * consumer configuration from the context map, return early when nothing is required, locate
     * the SOAP Header and the Security headers addressed to this node, optionally check Id
     * uniqueness, process timestamps, dispatch every child of each Security header to the token,
     * signature or encryption consumer, then run the "required" checks (integrity,
     * confidentiality, token, caller) and mark the Security and Timestamp headers as processed.
     *
     * @param node target node; only used for the entry trace in this method
     * @param map  per-message context; must hold the SOAP message context and the consumer config
     * @throws SoapSecurityException if the message context or SOAP Header is missing, the message
     *         violates the checks below, or any other exception is raised while processing
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSConsumerComponent
    public void invoke(Node node, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invoke(Node target[" + DOMUtil.getDisplayName(node) + "],Map context)");
        }
        // The SOAP message context is mandatory. The message key used here is the generator's (s01).
        SOAPMessageContext sOAPMessageContext = (SOAPMessageContext) map.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        if (sOAPMessageContext == null) {
            throw SoapSecurityException.format("security.wssecurity.WSSGenerator.s01");
        }
        // Per-message state. adjustContext is a no-op in this listing (it returns false).
        ResultPool.initialize(map);
        adjustContext(sOAPMessageContext, map);
        TokenManager.initializeSubject(map);
        ResultMessagePool.initialize(map);
        // NOTE(review): the config is dereferenced just below without a null check, and this code
        // sits before the try block, so a missing config key surfaces as a raw NullPointerException
        // rather than a SoapSecurityException.
        WSSConsumerConfig wSSConsumerConfig = (WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "WSSConsumerConfig [" + wSSConsumerConfig + "].");
        }
        TimestampConsumerConfig timestampConsumer = wSSConsumerConfig.getTimestampConsumer();
        // Private copy of the shared properties, so this invocation does not touch _properties.
        HashMap hashMap = new HashMap(this._properties);
        map.put(NonceManager.class, wSSConsumerConfig.getNonceManager());
        map.put(CertCacheManager.class, wSSConsumerConfig.getCertManager());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Finished initializing the subject.");
        }
        // z  : at least one inbound requirement is configured.
        // z2 : a timestamp is the only requirement configured.
        boolean z = wSSConsumerConfig.isTokenRequired() || wSSConsumerConfig.isVerificationRequired() || wSSConsumerConfig.isDecryptionRequired() || wSSConsumerConfig.isLoginRequired() || wSSConsumerConfig.isTimestampRequired();
        boolean z2 = (wSSConsumerConfig.isTokenRequired() || wSSConsumerConfig.isVerificationRequired() || wSSConsumerConfig.isDecryptionRequired() || wSSConsumerConfig.isLoginRequired() || !wSSConsumerConfig.isTimestampRequired()) ? false : true;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "requiredSecurity[" + z + "] timestampOnly[" + z2 + "]");
        }
        Document sOAPPart = sOAPMessageContext.getMessage().getSOAPPart();
        try {
            SOAPEnvelope envelope = sOAPPart.getEnvelope();
            // NOTE(review): with debug trace enabled the whole inbound SOAP part is written to the
            // trace log before any processing, presumably including whatever security tokens it
            // carries; access to trace output should be restricted accordingly.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The original message to be processed by WSSConsumer: " + DOMUtil.toString(sOAPPart));
            }
            // Nothing is required by configuration: the message is accepted without inspection.
            if (!z) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "invoke(Element target,Map context)");
                    return;
                }
                return;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Starts WS-Security operation.");
            }
            // Discarded allocation with no effect; presumably decompiler residue.
            new HashMap();
            Element documentElement = sOAPPart.getDocumentElement();
            Element header = WSSGenerator.getHeader(sOAPPart, false);
            // Security is required from here on, so a message without a SOAP Header is rejected.
            if (header == null) {
                Tr.error(tc, ConfigUtil.getMessage("security.wssecurity.DOMUtil.sconf11", new String[]{"SOAP Header"}));
                Tr.error(tc, "There are no Header elements in the inbound SOAP message, so there is no Security header to process.");
                if (z2) {
                    Tr.error(tc, "Timestamp is the only inbound WS-Security constraint configured and it is required.  The Timestamp should be transmitted in a SOAP Security header.");
                }
                throw SoapSecurityException.format("security.wssecurity.DOMUtil.sconf11", "SOAP Header");
            }
            int isSoap = NamespaceUtil.isSoap(header.getNamespaceURI());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, isSoap == 0 ? "The spec of SOAP is SOAP1.1." : isSoap == 1 ? "The spec of SOAP is SOAP1.2." : "Unknown spec of SOAP: " + header.getNamespaceURI());
            }
            NodeList securityHeaders = getSecurityHeaders(header, isSoap, wSSConsumerConfig.isUltimateReceiver(), wSSConsumerConfig.getMyActor());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, securityHeaders.getLength() + " security headers found");
            }
            // Finding no Security header only produces a warning at this point; rejection is left
            // to the check a few lines below and to the "required" checks after the main loop.
            if (securityHeaders.getLength() == 0) {
                Tr.warning(tc, "security.wssecurity.WSSConsumer.s38", wSSConsumerConfig.getMyActor());
            }
            // The Id uniqueness check is opt-in: it runs only when the message-context property
            // is exactly the string "true".
            // NOTE(review): duplicate Id values are therefore not rejected by default; confirm the
            // property is set wherever signed parts are resolved by Id.
            boolean z3 = false;
            String str = (String) sOAPMessageContext.getProperty(com.ibm.ws.webservices.wssecurity.Constants.CHECK_ID_UNIQUENESS);
            if (str != null && str.equals("true")) {
                z3 = true;
            }
            if (z3) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Performing the Id uniqueness check.");
                }
                IdUtil.getInstance().checkIdUniqueness(sOAPPart);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Skipping the Id uniqueness check.");
            }
            // i holds the WS-Security version index; -1 means "not determined yet".
            int i = -1;
            // Security is required, none was selected for this node, yet the header does contain an
            // element whose local name is Security: emit a DENIED audit event (if enabled) and reject.
            if (z && securityHeaders.getLength() == 0 && countSecurityHeaders(header) > 0) {
                if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_RESOURCE_ACCESS, WSSAuditService.WSSAuditOutcome.DENIED)) {
                    WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.SEC_HEADER_MISSING, null);
                    WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_RESOURCE_ACCESS, sOAPMessageContext, map);
                }
                if (wSSConsumerConfig.getMyActor() == null || wSSConsumerConfig.getMyActor().trim().length() == 0) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The Application Server expected a Security header with the " + com.ibm.ws.webservices.wssecurity.Constants.NS_WSSE + " namespace, but it was not found.");
                    }
                    throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s39");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The Application Server expected a Security header with the " + com.ibm.ws.webservices.wssecurity.Constants.NS_WSSE + " namespace and the " + wSSConsumerConfig.getMyActor() + " actor, but it was not found.");
                }
                throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s40", wSSConsumerConfig.getMyActor());
            }
            // Timestamp processing. Timestamps are searched for under the whole SOAP Header with
            // the version left open (-1); the first one found fixes the WS-Security version.
            // NOTE(review): when no timestamp element is found, neither the consumer nor
            // checkRequiredTimestamp runs in this block even though a timestamp is required;
            // confirm the missing-timestamp case is rejected elsewhere.
            if (wSSConsumerConfig.isTimestampRequired()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing the timestamp.");
                }
                NodeList timestampHeader = getTimestampHeader(header, -1, false);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, timestampHeader.getLength() + " timestamp headers found.");
                }
                if (timestampHeader.getLength() > 0) {
                    i = NamespaceUtil.isWsu(((Element) timestampHeader.item(0)).getNamespaceURI());
                    map.put(com.ibm.ws.webservices.wssecurity.Constants.WSS_VERSION, new Integer(i));
                    sOAPMessageContext.setProperty(com.ibm.ws.webservices.wssecurity.Constants.WSS_VERSION, new Integer(i));
                    for (int i2 = 0; i2 < timestampHeader.getLength(); i2++) {
                        callTimestampConsumer(timestampConsumer, hashMap, (Element) timestampHeader.item(i2), map);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Checking the required timestamp.");
                    }
                    checkRequiredTimestamp(sOAPPart, wSSConsumerConfig.getTimestampConsumer(), hashMap, map);
                }
            }
            // Main loop: one pass per selected Security header.
            for (int i3 = 0; i3 < securityHeaders.getLength(); i3++) {
                Element element = (Element) securityHeaders.item(i3);
                // z4 is the header's mustUnderstand flag, read in the SOAP Header's own namespace;
                // an absent or empty attribute counts as false.
                boolean z4 = false;
                String attributeNS = element.getAttributeNS(header.getNamespaceURI(), "mustUnderstand");
                if (attributeNS != null && !"".equals(attributeNS)) {
                    z4 = ConfigUtil.isTrue(attributeNS);
                }
                ConfigUtil.setMustUnderstand(sOAPMessageContext, z4);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "mustUnderstand attribute is " + z4);
                }
                try {
                    // The first namespace seen fixes the WS-Security version; a later header (or a
                    // timestamp processed above) that disagrees is rejected.
                    int isWsse = NamespaceUtil.isWsse(element.getNamespaceURI());
                    if (i < 0) {
                        i = isWsse;
                        map.put(com.ibm.ws.webservices.wssecurity.Constants.WSS_VERSION, new Integer(i));
                        sOAPMessageContext.setProperty(com.ibm.ws.webservices.wssecurity.Constants.WSS_VERSION, new Integer(i));
                    } else if (isWsse != i) {
                        throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s06");
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, i == 0 ? "The spec of WS-Security is 2004/01 ver." : "Unknown spec of WS-Security: " + element.getNamespaceURI());
                    }
                    // Dispatch each child element of the Security header by namespace and local name.
                    for (Element firstElement = DOMUtil.getFirstElement(element); firstElement != null; firstElement = DOMUtil.getNextElement(firstElement)) {
                        String localName = firstElement.getLocalName();
                        String namespaceURI = firstElement.getNamespaceURI();
                        int isWsu = NamespaceUtil.isWsu(namespaceURI);
                        if (isWsu < 0) {
                            int isWsse2 = NamespaceUtil.isWsse(namespaceURI);
                            if (isWsse2 >= 0) {
                                // wsse namespace: the version must match, then tokens are handed to
                                // callTokenConsumer with the isUT / isBST flags set per element kind.
                                if (isWsse2 != i) {
                                    throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s05", namespaceURI);
                                }
                                if (localName.equals(ElementLocalNames.WSSE_USERNAMETOKEN)) {
                                    callTokenConsumer(wSSConsumerConfig.getCallers(), wSSConsumerConfig.getTokenConsumers(), documentElement, element, firstElement, map, true, false, i);
                                } else if (localName.equals("BinarySecurityToken")) {
                                    callTokenConsumer(wSSConsumerConfig.getCallers(), wSSConsumerConfig.getTokenConsumers(), documentElement, element, firstElement, map, false, true, i);
                                } else if (localName.equals(KRBConstants.ELM_SECURITY_TOKEN_REFERENCE)) {
                                    // REFERENCE_ELEMENT is present in the context only for the
                                    // duration of this call.
                                    map.put(REFERENCE_ELEMENT, new Boolean(true));
                                    callTokenConsumer(wSSConsumerConfig.getCallers(), wSSConsumerConfig.getTokenConsumers(), documentElement, element, firstElement, map, false, false, i);
                                    map.remove(REFERENCE_ELEMENT);
                                } else {
                                    // Unknown wsse element: rejected only when mustUnderstand is
                                    // true, otherwise skipped with a debug message.
                                    if (z4) {
                                        throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s04", DOMUtil.getQualifiedName(firstElement), DOMUtil.getQualifiedName(element));
                                    }
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, ConfigUtil.getMessage("security.wssecurity.WSSConsumer.s04", new String[]{DOMUtil.getQualifiedName(firstElement), DOMUtil.getQualifiedName(element)}));
                                        Tr.debug(tc, "mustUnderstand=0; skipping exception.");
                                    }
                                }
                            } else if (com.ibm.ws.webservices.wssecurity.Constants.NS_DSIG.equals(namespaceURI)) {
                                // XML Signature namespace: only Signature is accepted. z5 records
                                // whether an EncryptedKey or ReferenceList follows as a later sibling.
                                if (!localName.equals("Signature")) {
                                    throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s04", DOMUtil.getQualifiedName(firstElement), DOMUtil.getQualifiedName(element));
                                }
                                boolean z5 = false;
                                for (Element nextElement = DOMUtil.getNextElement(firstElement); nextElement != null; nextElement = DOMUtil.getNextElement(nextElement)) {
                                    String namespaceURI2 = nextElement.getNamespaceURI();
                                    String localName2 = nextElement.getLocalName();
                                    if (com.ibm.ws.webservices.wssecurity.Constants.NS_ENC.equals(namespaceURI2) && ("EncryptedKey".equals(localName2) || "ReferenceList".equals(localName2))) {
                                        z5 = true;
                                    }
                                }
                                callSignatureConsumer(wSSConsumerConfig.getSignatureConsumers(), hashMap, firstElement, z5, map, element);
                            } else if (!com.ibm.ws.webservices.wssecurity.Constants.NS_ENC.equals(namespaceURI)) {
                                // Any other namespace is treated as a custom token and handed to
                                // callTokenConsumer with both flags false.
                                callTokenConsumer(wSSConsumerConfig.getCallers(), wSSConsumerConfig.getTokenConsumers(), documentElement, element, firstElement, map, false, false, i);
                            } else {
                                // XML Encryption namespace: only EncryptedKey and ReferenceList.
                                if (!localName.equals("EncryptedKey") && !localName.equals("ReferenceList")) {
                                    throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s04", DOMUtil.getQualifiedName(firstElement), DOMUtil.getQualifiedName(element));
                                }
                                callEncryptionConsumer(wSSConsumerConfig.getEncryptionConsumers(), hashMap, firstElement, map, element);
                            }
                        } else {
                            // wsu namespace: must match the version and be a Timestamp. Nothing more
                            // is done with it in this loop.
                            if (isWsu != i) {
                                throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s05", namespaceURI);
                            }
                            if (!localName.equals(ElementLocalNames.WSU_TIMESTAMP)) {
                                throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s04", DOMUtil.getQualifiedName(firstElement), DOMUtil.getQualifiedName(element));
                            }
                        }
                    }
                } catch (SoapSecurityException e) {
                    // Log and rethrow; mustUnderstand=0 does not suppress a processing failure.
                    Tr.processException(e, clsName + ".invoke", "516", this);
                    Tr.error(tc, "security.wssecurity.WSSConsumer.s23", e);
                    if (!z4) {
                        Tr.debug(tc, "An exception has occurred when mustUnderstand=0.");
                        Tr.debug(tc, "The mustUnderstand=0 attribute may only be honored when there is no inbound WSSecurity configuration for the elements being processed.");
                    }
                    throw e;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "All security handlers is processed.");
            }
            cleanSubject(map);
            // "Required" checks: each runs only when the matching requirement is configured.
            if (wSSConsumerConfig.isVerificationRequired()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Checking the required integrity.");
                }
                checkRequiredIntegrity(sOAPPart, hashMap, map);
            }
            if (wSSConsumerConfig.isDecryptionRequired()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Checking the required confidentiality.");
                }
                checkRequiredConfidentiality(sOAPPart, hashMap, map);
            }
            if (wSSConsumerConfig.isTokenRequired()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Checking the required security token.");
                }
                checkRequiredSecurityToken(wSSConsumerConfig.getRequiredSecurityTokens(), wSSConsumerConfig.getCallers(), map);
            }
            if (wSSConsumerConfig.isLoginRequired()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Checking the caller.");
                }
                checkCaller(hashMap, map);
            }
            copyContextSubjectToMessageContext(sOAPMessageContext, map);
            mapTokenToMessageContext(sOAPMessageContext, map);
            // Mark the Security and Timestamp header elements as processed on the envelope.
            SOAPHeaderElement wsseHeaderByName = NamespaceUtil.getWsseHeaderByName(envelope, "Security");
            if (wsseHeaderByName != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Security header is processed.");
                }
                wsseHeaderByName.setProcessed(true);
            }
            SOAPHeaderElement wsuHeaderByName = NamespaceUtil.getWsuHeaderByName(envelope, ElementLocalNames.WSU_TIMESTAMP);
            if (wsuHeaderByName != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Timestamp header is processed.");
                }
                wsuHeaderByName.setProcessed(true);
            }
            ResultPool.finalize(map);
            ResultMessagePool.finalize(map);
            cleanContext(map);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "invoke(Node target,Map context)");
            }
        } catch (SOAPException e2) {
            Tr.processException((Throwable) e2, clsName + ".invoke", "229", (Object) this);
            Tr.error(tc, "security.wssecurity.WSSConsumer.s01", new Object[]{e2});
            throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s01", (Throwable) e2);
        } catch (Exception e3) {
            // NOTE(review): presumably this also catches the SoapSecurityException instances thrown
            // inside the try, so specific rejections reach the caller rewrapped. The key logged
            // (WSSConsumer.s02) differs from the key used for the rethrown exception
            // (WSSGenerator.s02); confirm which one is intended.
            Tr.processException(e3, clsName + ".invoke", "235", this);
            Tr.error(tc, "security.wssecurity.WSSConsumer.s02", new Object[]{e3});
            throw SoapSecurityException.format("security.wssecurity.WSSGenerator.s02", e3);
        }
    }

    /**
     * Fault hook. It performs no work beyond entry and exit trace; the context is not read.
     *
     * @param sOAPMessageContext message context of the faulted exchange (unused)
     */
    public void onFault(SOAPMessageContext sOAPMessageContext) {
        final String signature = "onFault(SOAPMessageContext context)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, signature);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, signature);
        }
    }

    /**
     * Fills {@code _properties} with the selectors, consumers and checkers used by this class.
     *
     * <p>Statement order matters: the same property map is handed to the factory and to each
     * checker's {@code init} while it is still being filled, so every component sees only the
     * entries registered before it.
     *
     * @throws SoapSecurityException if the factory or a checker fails to initialise
     */
    private void setInitialProperties() throws SoapSecurityException {
        final Map props = this._properties;

        // Element selectors and helpers, each keyed by its class (or the id-resolver key).
        props.put(ConfidentialDialectElementSelector.class, new ConfidentialDialectElementSelector());
        props.put(IntegralDialectElementSelector.class, new IntegralDialectElementSelector());
        props.put(TimestampDialectElementSelector.class, new TimestampDialectElementSelector());
        props.put(WSPFunctionElementSelector.class, new WSPFunctionElementSelector());
        props.put(XPathElementSelector.class, new XPathElementSelector());
        props.put(ElementSelector.IDRESOLVER, IdUtil.getInstance());
        props.put(NonceUtil.class, new NonceUtil());

        // Consumers come from the "soap" factory; one request map is reused and only its TYPE
        // entry is changed between calls.
        final WSSFactory factory = WSSFactory.getInstance("soap");
        final HashMap request = new HashMap();
        request.put(WSSFactory.TYPE, WSSFactory.TIMESTAMP);
        props.put(TimestampConsumer.class, factory.createConsumer(request, props));
        request.put(WSSFactory.TYPE, WSSFactory.SIGNATURE);
        props.put(SignatureConsumer.class, factory.createConsumer(request, props));
        request.put(WSSFactory.TYPE, WSSFactory.ENCRYPTION);
        props.put(EncryptionConsumer.class, factory.createConsumer(request, props));
        request.put(WSSFactory.TYPE, WSSFactory.KEYINFO);
        props.put(KeyInfoConsumer.class, factory.createConsumer(request, props));

        // Checkers are initialised against the map first and registered afterwards.
        final VerifiedPartChecker integrityChecker = new VerifiedPartChecker();
        integrityChecker.init(props);
        props.put(VerifiedPartChecker.class, integrityChecker);

        final DecryptedPartChecker confidentialityChecker = new DecryptedPartChecker();
        confidentialityChecker.init(props);
        props.put(DecryptedPartChecker.class, confidentialityChecker);

        final TimestampChecker freshnessChecker = new TimestampChecker();
        freshnessChecker.init(props);
        props.put(TimestampChecker.class, freshnessChecker);

        final LoginProcessor login = new LoginProcessor();
        login.init(props);
        props.put(LoginProcessor.class, login);
    }

    /**
     * Placeholder hook called at the start of {@code invoke}; it reads neither argument.
     *
     * @param sOAPMessageContext message context (unused)
     * @param map                per-message context (unused)
     * @return always {@code false}
     * @throws SoapSecurityException declared but never thrown by this body
     */
    private static boolean adjustContext(SOAPMessageContext sOAPMessageContext, Map map) throws SoapSecurityException {
        final boolean adjusted = false;
        return adjusted;
    }

    /**
     * Collects the wsse:Security children of a SOAP Header that this node will process.
     *
     * <p>A child is a candidate when its namespace is recognised by {@code NamespaceUtil.isWsse}
     * and its local name is {@code Security}. Its targeting attribute is {@code role} in the
     * SOAP 1.2 namespace when {@code i == 1} and {@code actor} in the SOAP 1.1 namespace when
     * {@code i == 0}. A candidate is dropped only for SOAP 1.2 when that attribute is non-blank
     * and equals the "none" role; every other candidate is kept.
     *
     * <p>NOTE(review): as written in this listing, neither {@code z} nor {@code str} influences
     * the result. The decompiled original carried empty conditionals that compared the attribute
     * with the configured actor and with the next/receiver constants; they had no effect and are
     * not reproduced. A Security header addressed to a different actor is therefore still
     * selected here; confirm against the shipped class whether actor filtering was lost in
     * decompilation.
     *
     * @param element SOAP Header element whose children are scanned
     * @param i       SOAP version index: 0 for SOAP 1.1, 1 for SOAP 1.2
     * @param z       ultimate-receiver flag (only traced)
     * @param str     configured actor or role (only traced)
     * @return the selected Security elements, at most one
     * @throws SoapSecurityException if a candidate is found while {@code i} is neither 0 nor 1,
     *         or if more than one element is selected
     */
    public static NodeList getSecurityHeaders(Element element, int i, boolean z, String str) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityHeaders(Element header[" + DOMUtil.getDisplayName(element) + "],int soapVersion[" + i + "],boolean untimateReceiver[" + z + "],String actor[" + str + "])");
        }
        XPathCanonicalizer.NodeListImpl selected = new XPathCanonicalizer.NodeListImpl();
        for (Element child = DOMUtil.getFirstElement(element); child != null; child = DOMUtil.getNextElement(child)) {
            String childNamespace = child.getNamespaceURI();
            String childName = child.getLocalName();
            boolean candidate = NamespaceUtil.isWsse(childNamespace) >= 0 && "Security".equals(childName);
            if (!candidate) {
                continue;
            }
            String targeting;
            if (i == 1) {
                targeting = child.getAttributeNS(com.ibm.ws.webservices.wssecurity.Constants.NS_SOAP12, "role");
            } else if (i == 0) {
                targeting = child.getAttributeNS(com.ibm.ws.webservices.wssecurity.Constants.NS_SOAP, "actor");
            } else {
                throw SoapSecurityException.format("security.wssecurity.WSSGenerator.s11", Integer.toString(i));
            }
            boolean untargeted = targeting == null || targeting.trim().length() == 0;
            // Only an explicit SOAP 1.2 "none" role excludes the header.
            boolean excluded = !untargeted && i == 1 && com.ibm.ws.webservices.wssecurity.Constants.SOAP12_ROLE_NONE.equals(targeting);
            if (!excluded) {
                selected.add(child);
            }
        }
        if (selected.getLength() > 1) {
            throw new SoapSecurityException("There are more than one wsse:Security elements to be processed.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityHeaders(Element header,int soapVersion,int wssVersion,String actor) returns NodeList[" + selected + "]");
        }
        return selected;
    }

    /**
     * Counts the child elements of a SOAP Header whose local name is {@code Security}.
     *
     * <p>Only the local name is compared; the namespace is not checked, so an element named
     * Security in any namespace is counted.
     *
     * @param element SOAP Header element whose children are scanned
     * @return number of children with local name {@code Security}
     */
    private static int countSecurityHeaders(Element element) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "countSecurityHeaders(Element header[" + DOMUtil.getDisplayName(element) + "])");
        }
        int found = 0;
        for (Element child = DOMUtil.getFirstElement(element); child != null; child = DOMUtil.getNextElement(child)) {
            if ("Security".equals(child.getLocalName())) {
                found++;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "countSecurityHeaders(Element header, returns " + found);
        }
        return found;
    }

    /**
     * Returns the first non-null result of {@code IdUtil.getIdAttributeName} found on the node
     * or, depth first, on its element and entity-reference descendants.
     *
     * <p>The node itself is asked first when it is an element. Otherwise, or when that yields
     * {@code null}, its children are visited in document order and the search stops at the first
     * child subtree that produces a value.
     *
     * @param node node at which the search starts
     * @return the value found, or {@code null} when the subtree yields none
     * @throws SoapSecurityException declared for callers; not thrown directly by this body
     */
    public static String getId(Node node) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getId(Node node[" + DOMUtil.getDisplayName(node) + "])");
        }
        if (node.getNodeType() == Node.ELEMENT_NODE) {
            String own = IdUtil.getInstance().getIdAttributeName((Element) node);
            if (own != null) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getNode(Node node) returns " + own);
                }
                return own;
            }
        }
        String inherited = null;
        for (Node child = node.getFirstChild(); child != null; child = child.getNextSibling()) {
            boolean descend = child.getNodeType() == Node.ELEMENT_NODE || child.getNodeType() == Node.ENTITY_REFERENCE_NODE;
            if (!descend) {
                continue;
            }
            inherited = getId(child);
            if (inherited != null) {
                break;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getNode(Node node) returns " + inherited);
        }
        return inherited;
    }

    /**
     * Finds timestamp elements beneath {@code element}, skipping those that carry the
     * WAS extension attribute.
     *
     * <p>The local name searched for is {@code TimestampTrace} when {@code z} is true and the
     * wsu Timestamp name otherwise. With a negative {@code i} the lookup is delegated to
     * {@code NamespaceUtil.getWsuElementsByTagName}; otherwise the namespace at
     * {@code NAMESPACES[1][i]} is used.
     *
     * @param element root of the search
     * @param i       WS-Security version index, or a negative value when not yet known
     * @param z       {@code true} to look for trace timestamps
     * @return matching elements without the extension attribute; possibly empty
     * @throws SoapSecurityException declared for the lookup helpers
     */
    private static NodeList getTimestampHeader(Element element, int i, boolean z) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTimestampHeader(Element root[" + DOMUtil.getDisplayName(element) + "],", "int wssVersion" + i + "],boolean trace[" + z + "])");
        }
        String wanted;
        if (z) {
            wanted = "TimestampTrace";
        } else {
            wanted = ElementLocalNames.WSU_TIMESTAMP;
        }
        XPathCanonicalizer.NodeListImpl kept = new XPathCanonicalizer.NodeListImpl();
        NodeList candidates;
        if (i < 0) {
            candidates = NamespaceUtil.getWsuElementsByTagName(element, wanted);
        } else {
            candidates = DOMUtil.getOneOrMoreElements(element, com.ibm.ws.webservices.wssecurity.Constants.NAMESPACES[1][i], wanted);
        }
        for (int index = 0; index < candidates.getLength(); index++) {
            Element candidate = (Element) candidates.item(index);
            if (candidate.hasAttribute(com.ibm.ws.webservices.wssecurity.Constants.WAS_EXTENTION)) {
                continue;
            }
            kept.add(candidate);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTimestampHeader(Element root,int wssVersion,boolean trace) returns NodeList[" + kept + "]");
        }
        return kept;
    }

    /**
     * Hands one timestamp element to the registered {@code TimestampConsumer}.
     *
     * <p>The consumer is taken from {@code map} under {@code TimestampConsumer.class}; the
     * configuration is published in {@code map2} under {@code TimestampConsumerConfig.CONFIG_KEY}
     * before the consumer is invoked. The trace text names this method "getTimestampConsumer".
     *
     * @param timestampConsumerConfig configuration placed in the context for the consumer
     * @param map                     property map holding the consumer instance
     * @param element                 timestamp element to process
     * @param map2                    per-message context passed to the consumer
     * @throws SoapSecurityException if the consumer rejects the timestamp
     */
    private static void callTimestampConsumer(TimestampConsumerConfig timestampConsumerConfig, Map map, Element element, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTimestampConsumer(TimestampConsumerConfig config,Map selectors,Element target[" + DOMUtil.getDisplayName(element) + "],Map context)");
        }
        final TimestampConsumer consumer = (TimestampConsumer) map.get(TimestampConsumer.class);
        map2.put(TimestampConsumerConfig.CONFIG_KEY, timestampConsumerConfig);
        consumer.invoke(element, map2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTimestampConsumer(TimestampConsumerConfig config,Map selectors,Element target,Map context)");
        }
    }

    /**
     * Selects the token consumer configurations that apply to a security token element and
     * invokes them until the token has been consumed.
     *
     * <p>Selection runs in up to two passes: first by usage (signature verification, decryption
     * or stand-alone) together with the token type, then, if nothing was selected and the target
     * is not a resolved SecurityTokenReference, by token type alone. If every selected
     * configuration fails, a {@code SoapSecurityException} is thrown.
     *
     * <p>Parameter roles below are taken from the trace label in the entry message.
     *
     * @param set caller configurations ("cconfigs"); may be null, in which case no caller check runs
     * @param set2 token consumer configurations ("tconfigs")
     * @param element SOAP envelope ("envelope"); may be null
     * @param element2 security header ("security"); may be null
     * @param element3 token element being processed ("target")
     * @param map processing context ("context"); mutated by this call
     * @param z true when the target is a UsernameToken ("isUT")
     * @param z2 true when the target is a BinarySecurityToken ("isBST")
     * @param i WS-Security version index ("wssVersion"), used to index {@code Constants.NAMESPACES[0]}
     * @throws SoapSecurityException when all candidate consumers fail, or when no candidate
     *     exists and {@code ConfigUtil.getMustUnderstand(map)} is true
     */
    public static void callTokenConsumer(Set set, Set set2, Element element, Element element2, Element element3, Map map, boolean z, boolean z2, int i) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "callTokenConsumer(Set cconfigs,Set tconfigs,Element envelope[" + DOMUtil.getDisplayName(element) + "],Element security[" + DOMUtil.getDisplayName(element2) + "],Element target[" + DOMUtil.getDisplayName(element3) + "],Map context,boolean isUT[" + z + "],boolean isBST[" + z2 + "],int wssVersion" + i + "])");
        }
        // qName is the token's declared ValueType, or null when the attribute is absent.
        QName qName = element3.hasAttribute("ValueType") ? DOMUtil.getQName(element3, element3.getAttribute("ValueType"), i) : null;
        String str = com.ibm.ws.webservices.wssecurity.Constants.NAMESPACES[0][i];
        String trim = ConfigUtil.trim(IdUtil.getInstance().getId(element3));
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Target's value type is [" + qName + "].");
            Tr.debug(tc, "UsernameToken flag is [" + z + "].");
            Tr.debug(tc, "BinarySecurityToken flag is [" + z2 + "].");
            Tr.debug(tc, "The identifier is [" + trim + "].");
        }
        // hashSet collects the candidate configurations chosen for this token.
        HashSet hashSet = new HashSet();
        // z3: token is used for decryption; z4: token is used for signature verification
        // (see the debug messages below). Both stay true unless the usage is resolved below.
        boolean z3 = true;
        boolean z4 = true;
        if (element != null && element2 != null && (z2 || z)) {
            z3 = false;
            z4 = false;
            // getUsedFor result: 1 = signature verification, 2 = decryption, anything else
            // leaves both flags false (treated as a stand-alone token).
            int usedFor = getUsedFor(element, element2, str, trim);
            if (usedFor == 1) {
                z4 = true;
            } else if (usedFor == 2) {
                z3 = true;
            }
            if (tc.isDebugEnabled()) {
                if (z4) {
                    Tr.debug(tc, "The token is used for signature verification.");
                } else if (z3) {
                    Tr.debug(tc, "The token is used for decryption.");
                } else {
                    Tr.debug(tc, "The token is maybe stand-alone.");
                }
            }
            Iterator it = set2.iterator();
            while (it.hasNext()) {
                TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) it.next();
                if (tc.isDebugEnabled()) {
                    if (tokenConsumerConfig.isUsedForVerification()) {
                        Tr.debug(tc, "The configuration of token consumers is used for signature verification.");
                    } else if (tokenConsumerConfig.isUsedForDecryption()) {
                        Tr.debug(tc, "The configuration of token consumers is used for decryption.");
                    } else {
                        Tr.debug(tc, "The configuration of token consumers is maybe used for stand-alone tokens.");
                    }
                }
                // A configuration is eligible only when its usage matches the token's usage:
                // verification with verification, decryption with decryption, or neither with neither.
                if ((z4 && tokenConsumerConfig.isUsedForVerification()) || ((z3 && tokenConsumerConfig.isUsedForDecryption()) || (!z4 && !tokenConsumerConfig.isUsedForVerification() && !z3 && !tokenConsumerConfig.isUsedForDecryption()))) {
                    QName type = tokenConsumerConfig.getType();
                    if (z) {
                        if (com.ibm.ws.webservices.wssecurity.Constants.UNTOKEN.equals(type)) {
                            // z5: the configured consumer is an IDAssertionUsernameTokenConsumer.
                            boolean z5 = false;
                            TokenConsumerComponent tokenConsumerConfig2 = tokenConsumerConfig.getInstance();
                            if (tokenConsumerConfig2 != null && (tokenConsumerConfig2 instanceof IDAssertionUsernameTokenConsumer)) {
                                z5 = true;
                            }
                            Element zeroOrOneElement = DOMUtil.getZeroOrOneElement(element3, str, "Password");
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "isIDAssertionConsumer = " + z5);
                                if (zeroOrOneElement == null) {
                                    Tr.debug(tc, "password elem is null. (IDAssertion token)");
                                } else {
                                    Tr.debug(tc, "password elem is not null. (Username token)");
                                }
                            }
                            // An identity-assertion consumer is skipped in this pass when the
                            // UsernameToken carries a Password element.
                            if (!z5 || zeroOrOneElement == null) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Added a config for [" + type + "].");
                                }
                                hashSet.add(tokenConsumerConfig);
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Not adding config for [" + type + "] at this time. Token consumer is IDAssertionUsernameTokenConsumer and token contains a password.");
                            }
                        }
                    } else if (z2) {
                        if (NamespaceUtil.equals(qName, type)) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Added a config for [" + type + "].");
                            }
                            hashSet.add(tokenConsumerConfig);
                        }
                    } else if (type.equals(new QName(element3.getNamespaceURI(), element3.getLocalName()))) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Added a config for [" + type + "].");
                        }
                        hashSet.add(tokenConsumerConfig);
                    }
                }
            }
        }
        // NOTE(review): r25 is a decompiler register name with no declaration in this listing.
        // It records whether a SecurityTokenReference was resolved through
        // setupTokenInReferenceMap; when REFERENCE_ELEMENT is absent it is read below without a
        // visible assignment - presumably false, confirm against the bytecode.
        if (map.get(REFERENCE_ELEMENT) != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Processing wsse:SecurityTokenReference");
            }
            String referencedToken = getReferencedToken(str, element3);
            r25 = referencedToken != null ? setupTokenInReferenceMap(trim, referencedToken, map) : false;
            if (!r25 && tc.isDebugEnabled()) {
                Tr.debug(tc, "Error processing wsse:SecurityTokenReference.  A SecurityTokenReference must reference a token that appears before it in the message and has been successfully processed. SecurityTokenReference id[" + trim + "], tokenId[" + referencedToken + "]");
            }
        }
        // Fallback pass (non-short-circuit '&'): when nothing was selected, every configuration
        // whose type matches is taken. NOTE(review): this pass does not look at
        // isUsedForVerification/isUsedForDecryption and, unlike the first pass, does not skip an
        // IDAssertionUsernameTokenConsumer for a token that carries a Password element; confirm
        // that widening the candidate set this way is intended.
        if (hashSet.isEmpty() & (!r25)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Since it can't select configuration of token cosumers based on the message, it uses all candidates.");
            }
            Iterator it2 = set2.iterator();
            while (it2.hasNext()) {
                TokenConsumerConfig tokenConsumerConfig3 = (TokenConsumerConfig) it2.next();
                QName type2 = tokenConsumerConfig3.getType();
                if (z) {
                    if (com.ibm.ws.webservices.wssecurity.Constants.UNTOKEN.equals(type2)) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Added a config for [" + type2 + "].");
                        }
                        hashSet.add(tokenConsumerConfig3);
                    }
                } else if (z2) {
                    if (NamespaceUtil.equals(qName, type2)) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Added a config for [" + type2 + "].");
                        }
                        hashSet.add(tokenConsumerConfig3);
                    }
                } else if (type2.equals(new QName(element3.getNamespaceURI(), element3.getLocalName()))) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Added a config for [" + type2 + "].");
                    }
                    hashSet.add(tokenConsumerConfig3);
                }
            }
        }
        if (r25) {
            // A resolved SecurityTokenReference needs no consumer call of its own.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Element is a wsse:SecurityTokenReference that references a standalone security token.  Exiting callTokenConsumer.");
            }
        } else if (!hashSet.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, hashSet.size() + " TokenConsumerConfig candidates found.");
            }
            map.remove(Constants.WSSECURITY_KEYINFO_TYPE);
            // z6: at least one consumer call returned normally; z7: a caller check has been
            // recorded on a token. excArr/i2 collect the failures; soapSecurityException holds
            // the most recent one.
            boolean z6 = false;
            boolean z7 = false;
            Exception[] excArr = new Exception[hashSet.size()];
            int i2 = 0;
            SoapSecurityException soapSecurityException = null;
            Iterator it3 = hashSet.iterator();
            while (it3.hasNext()) {
                TokenConsumerConfig tokenConsumerConfig4 = (TokenConsumerConfig) it3.next();
                try {
                    // NOTE(review): the three-argument overload only writes a debug message and
                    // returns when getInstance() is null, so a configuration without a consumer
                    // instance still reaches "z6 = true" below.
                    callTokenConsumer(tokenConsumerConfig4, element3, map);
                    Token unprocessedToken = TokenManager.getUnprocessedToken(map);
                    if (unprocessedToken != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unprocessed token [" + unprocessedToken + "] found.");
                        }
                        unprocessedToken.setProcessed(true);
                        // The caller check for a newly produced token runs until one token
                        // reports getCallerChecked() == true.
                        if (!z7 && set != null) {
                            checkCaller(set, tokenConsumerConfig4, unprocessedToken, map);
                            z7 = unprocessedToken.getCallerChecked();
                        }
                    } else {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "All tokens are processed.");
                        }
                        if (set != null) {
                            checkCaller(set, tokenConsumerConfig4, map);
                        }
                    }
                    z6 = true;
                    // A stand-alone token stops at the first consumer that succeeds; tokens used
                    // for verification or decryption are offered to every candidate.
                    if (!z3 && !z4) {
                        break;
                    }
                } catch (Exception e) {
                    // Broad catch: any failure of one candidate is recorded and the loop moves on.
                    Tr.processException(e, clsName + ".callTokenConsumer", "1234");
                    int i3 = i2;
                    i2++;
                    excArr[i3] = e;
                    soapSecurityException = e instanceof SoapSecurityException ? (SoapSecurityException) e : SoapSecurityException.format("security.wssecurity.WSSConsumer.s34", e);
                    Token unprocessedToken2 = TokenManager.getUnprocessedToken(map);
                    if (unprocessedToken2 != null) {
                        // A failed token used for verification/decryption is kept, flagged with
                        // the error and marked processed; a failed stand-alone token is removed.
                        if (z3 || z4) {
                            unprocessedToken2.setError(soapSecurityException);
                            unprocessedToken2.setProcessed(true);
                        } else {
                            TokenManager.removeToken(map, unprocessedToken2);
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "getUnprocessedToken returned null");
                    }
                }
            }
            if (!z6) {
                // Every candidate failed. With a single candidate its exception is rethrown as is.
                if (hashSet.size() == 1) {
                    throw soapSecurityException;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, i2 + " exceptions were catched.");
                    for (int i4 = 0; i4 < i2; i4++) {
                        // NOTE(review): the message concatenates the iterator it3, not the index i4.
                        Tr.debug(tc, "No." + it3 + "'s exception: " + excArr[i4]);
                    }
                }
                // Only the last recorded exception is passed to format(); the earlier ones are
                // visible solely in the debug trace above.
                throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s13", excArr[i2 - 1]);
            }
        } else {
            // No candidate configuration: reject when mustUnderstand is set, otherwise the
            // element is ignored. These two Tr.debug calls are not guarded by isDebugEnabled().
            if (ConfigUtil.getMustUnderstand(map)) {
                throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s03", DOMUtil.getQualifiedName(element3));
            }
            Tr.debug(tc, ConfigUtil.getMessage("security.wssecurity.WSSConsumer.s03", new String[]{DOMUtil.getQualifiedName(element3)}));
            Tr.debug(tc, "mustUnderstand=0.  Ignoring unexpected element.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "callTokenConsumer(Set cconfigs,Set tconfigs,Element envelope,Element security,Element target,Map context,boolean isUT,boolean isBST,int wssVersion");
        }
    }

    /**
     * Invokes the consumer instance of a single token consumer configuration on {@code element}.
     *
     * <p>The configuration is stored in {@code map} under {@code TokenConsumerConfig.CONFIG_KEY}
     * before the call. NOTE(review): when {@code getInstance()} yields null the method only
     * writes a debug message and returns normally, so the caller cannot tell that no consumer
     * ran; confirm that callers do not treat a normal return as a successful token check.
     *
     * @param tokenConsumerConfig configuration whose consumer instance is invoked
     * @param element token element handed to the consumer (labelled "target" in the trace)
     * @param map processing context (labelled "context"); mutated when a consumer exists
     * @throws SoapSecurityException declared by the signature; presumably propagated from the
     *     consumer - TODO confirm
     */
    private static void callTokenConsumer(TokenConsumerConfig tokenConsumerConfig, Element element, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "callTokenConsumer(TokenConsumerConfig config,Element target[" + DOMUtil.getDisplayName(element) + "],Map context)");
        }
        final TokenConsumerComponent consumer = tokenConsumerConfig.getInstance();
        if (consumer == null) {
            // No consumer instance: nothing is invoked and no exception is raised.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to get the TokenConsumer object: [" + tokenConsumerConfig + "].");
            }
        } else {
            map.put(TokenConsumerConfig.CONFIG_KEY, tokenConsumerConfig);
            consumer.invoke(element, map);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "callTokenConsumer(TokenConsumerConfig config,Element target,Map context)");
        }
    }

    /* JADX WARN: Removed duplicated region for block: B:35:0x01d5  */
    /* JADX WARN: Removed duplicated region for block: B:52:0x0269  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler placeholder for the set-based signature consumer dispatch.
     *
     * <p>The decompiler did not recover this method's body: what is shown here throws
     * {@code UnsupportedOperationException} unconditionally and says nothing about how the
     * signature consumer configurations are selected or invoked. Review that logic from the
     * instruction dump or the class file rather than from this listing.
     */
    private static void callSignatureConsumer(java.util.Set r6, java.util.Map r7, org.w3c.dom.Element r8, boolean r9, java.util.Map r10, org.w3c.dom.Element r11) throws com.ibm.wsspi.wssecurity.SoapSecurityException {
        /*
            Method dump skipped, instructions count: 645
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.webservices.wssecurity.core.WSSConsumer.callSignatureConsumer(java.util.Set, java.util.Map, org.w3c.dom.Element, boolean, java.util.Map, org.w3c.dom.Element):void");
    }

    /**
     * Runs the {@code SignatureConsumer} registered in {@code map} against {@code element} for
     * one signature consumer configuration.
     *
     * <p>Before the call the configuration is stored in {@code map2} under
     * {@code SignatureConsumerConfig.CONFIG_KEY}, and the {@code Constants.COPY_DOMTREE} entry
     * is set to {@code "true"} or removed according to {@code z}.
     *
     * @param signatureConsumerConfig configuration published to the consumer
     * @param map component lookup keyed by class
     * @param element element passed to the consumer (labelled "target" in the trace)
     * @param z labelled "copiedDOMTree" in the trace; controls the COPY_DOMTREE context entry
     * @param map2 processing context (labelled "context"); mutated by this call
     * @throws SoapSecurityException declared by the signature; presumably propagated from the
     *     consumer - TODO confirm
     */
    private static void callSignatureConsumer(SignatureConsumerConfig signatureConsumerConfig, Map map, Element element, boolean z, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "callSignatureConsumer(SignatureConsumerConfig config,Map properties,Element target[" + DOMUtil.getDisplayName(element) + "],boolean copiedDOMTree[" + z + "],Map context)");
        }
        // NOTE(review): the lookup result is not null-checked; a missing SignatureConsumer
        // entry surfaces as a NullPointerException at invoke().
        final SignatureConsumer verifier = (SignatureConsumer) map.get(SignatureConsumer.class);
        map2.put(SignatureConsumerConfig.CONFIG_KEY, signatureConsumerConfig);
        if (!z) {
            // Clear any flag left in the context by an earlier call.
            map2.remove(com.ibm.ws.webservices.wssecurity.Constants.COPY_DOMTREE);
        } else {
            map2.put(com.ibm.ws.webservices.wssecurity.Constants.COPY_DOMTREE, "true");
        }
        verifier.invoke(element, map2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "callSignatureConsumer(SignatureConsumerConfig config,Map selectors,Element target,boolean copiedDOMTree,Map context)");
        }
    }

    /**
     * Tries every encryption consumer configuration in {@code set} against {@code element} and
     * fails only if none of them succeeds.
     *
     * <p>Each failure is recorded and, when the audit service asks for it, reported as a
     * SECURITY_ENCRYPTION / ERROR audit event. With an empty {@code set} the element is rejected
     * only when {@code ConfigUtil.getMustUnderstand(map2)} is true; otherwise the method returns
     * without processing it.
     *
     * <p>Parameter roles below are taken from the trace label in the entry message.
     *
     * @param set encryption consumer configurations ("econfig")
     * @param map component lookup ("selectors")
     * @param element element to decrypt ("target")
     * @param map2 processing context ("context"); mutated by this call
     * @param element2 used only for its display name in the no-configuration error message
     * @throws SoapSecurityException when every configuration fails, or when there is no
     *     configuration and mustUnderstand is set
     */
    private static void callEncryptionConsumer(Set set, Map map, Element element, Map map2, Element element2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "callEncryptionConsumer(Set econfig,Map selectors,Element target[" + DOMUtil.getDisplayName(element) + "],Map context)");
        }
        // z: at least one configuration succeeded. excArr/i collect the failures.
        boolean z = false;
        Exception[] excArr = new Exception[set.size()];
        int i = 0;
        if (set.size() > 0) {
            // lockResults/restoreResults/removeKeyInfoResults are defined elsewhere in the class;
            // presumably they snapshot and roll back the result pool around each attempt - TODO confirm.
            lockResults(map2, false, true);
            Iterator it = set.iterator();
            // i2 counts the attempts made so far (1-based after the increment).
            int i2 = 0;
            // The loop does not stop at the first success: every configuration is tried.
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                i2++;
                try {
                    callEncryptionConsumer((EncryptionConsumerConfig) it.next(), map, element, map2);
                    z = true;
                    removeKeyInfoResults(map2);
                    // Decompiler residue: the condition is constant false, so this branch never
                    // runs (looks like an inlined finally block evaluated with z == true).
                    if (1 == 0) {
                        restoreResults(map2, false);
                    }
                } catch (Exception e) {
                    // The inner try/catch(Throwable) repeats the same cleanup on both paths;
                    // it looks like a decompiled finally block.
                    try {
                        Tr.processException(e, clsName + ".callEncryptionConsumer", "1531");
                        int i3 = i;
                        i++;
                        excArr[i3] = e;
                        if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, WSSAuditService.WSSAuditOutcome.ERROR)) {
                            SOAPMessageContext sOAPMessageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                            // The audit record carries e.getMessage() as its detail text.
                            Map<String, Object> auditEventContext = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map2, WSSAuditService.WSSAuditOutcome.ERROR, WSSAuditService.WSSAuditReason.DECRYPTION_ERROR, e.getMessage());
                            Result[] resultArr = ResultPool.get(map2, KeyInfoResult.class);
                            // keyInfoResult stays null unless the pool holds exactly one
                            // KeyInfoResult per attempt; only then is the latest one audited.
                            KeyInfoResult keyInfoResult = null;
                            if (resultArr == null || resultArr.length <= 0) {
                                // No KeyInfoResult at all: pad the pool with one empty result per attempt.
                                KeyInfoResult[] keyInfoResultArr = new KeyInfoResult[i2];
                                for (int i4 = 0; i4 < i2; i4++) {
                                    keyInfoResultArr[i4] = new KeyInfoResult(null);
                                    ResultPool.add(map2, keyInfoResultArr[i4]);
                                }
                            } else if (i2 == resultArr.length) {
                                keyInfoResult = (KeyInfoResult) resultArr[resultArr.length - 1];
                            } else {
                                // NOTE(review): keyInfoResultArr2 has resultArr.length slots, yet the
                                // second loop writes indices resultArr.length .. i2-1, which is out of
                                // bounds whenever i2 > resultArr.length; the array is also never read.
                                // The resulting unchecked exception would leave through the
                                // catch(Throwable) below and end the loop early. This may be a
                                // decompilation error - verify against the bytecode.
                                KeyInfoResult[] keyInfoResultArr2 = new KeyInfoResult[resultArr.length];
                                int i5 = 0;
                                while (i5 < resultArr.length) {
                                    keyInfoResultArr2[i5] = (KeyInfoResult) resultArr[i5];
                                    i5++;
                                }
                                for (int i6 = i5; i6 < i2; i6++) {
                                    keyInfoResultArr2[i6] = new KeyInfoResult(null);
                                }
                            }
                            WSSAuditEventGeneratorImpl.getInstance().addEncryptionEventData(auditEventContext, keyInfoResult);
                            WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, sOAPMessageContext, map2);
                        }
                        removeKeyInfoResults(map2);
                        // Results are restored only while no configuration has succeeded yet.
                        if (!z) {
                            restoreResults(map2, false);
                        }
                    } catch (Throwable th) {
                        removeKeyInfoResults(map2);
                        if (!z) {
                            restoreResults(map2, false);
                        }
                        throw th;
                    }
                }
            }
            if (!z) {
                // Every configuration failed. With a single configuration its own exception is
                // rethrown (wrapped when it is not a SoapSecurityException).
                if (set.size() == 1) {
                    if (!(excArr[0] instanceof SoapSecurityException)) {
                        throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s16", excArr[0]);
                    }
                    throw ((SoapSecurityException) excArr[0]);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, i + " exceptions were catched.");
                    for (int i7 = 0; i7 < i; i7++) {
                        // NOTE(review): the message concatenates the iterator it, not the index i7.
                        Tr.debug(tc, "No." + it + "'s exception: " + excArr[i7]);
                    }
                }
                // Only the last recorded exception is passed to format().
                throw SoapSecurityException.format("security.wssecurity.WSSConsumer.s12", excArr[i - 1]);
            }
            lockResults(map2, false, false);
        } else if (ConfigUtil.getMustUnderstand(map2)) {
            // Encrypted content without any inbound encryption configuration is rejected only
            // when mustUnderstand is set; otherwise control falls through to the exit trace.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Encryption information was found in the security header, but there is no inbound encryption configuration.");
            }
            throw new SoapSecurityException(ConfigUtil.getMessage("security.wssecurity.WSSConsumer.s16") + ": " + Messages.getMessage("noUnderstand00", DOMUtil.getDisplayName(element2, false)));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "callEncryptionConsumer(Set econfig,Map selectors,Element target,Map context)");
        }
    }

    /**
     * Runs the {@code EncryptionConsumer} registered in {@code map} against {@code element} for
     * one encryption consumer configuration.
     *
     * <p>The configuration is stored in {@code map2} under
     * {@code EncryptionConsumerConfig.CONFIG_KEY} before the consumer is invoked.
     *
     * @param encryptionConsumerConfig configuration published to the consumer
     * @param map component lookup keyed by class (labelled "selectors" in the trace)
     * @param element element passed to the consumer (labelled "target")
     * @param map2 processing context (labelled "context"); mutated by this call
     * @throws SoapSecurityException declared by the signature; presumably propagated from the
     *     consumer - TODO confirm
     */
    private static void callEncryptionConsumer(EncryptionConsumerConfig encryptionConsumerConfig, Map map, Element element, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "callEncryptionConsumer(EncryptionConsumerConfig config,Map selectors,Element target[" + DOMUtil.getDisplayName(element) + "],Map context)");
        }
        // NOTE(review): the lookup result is not null-checked; a missing EncryptionConsumer
        // entry surfaces as a NullPointerException at invoke().
        final Object registered = map.get(EncryptionConsumer.class);
        final EncryptionConsumer decryptor = (EncryptionConsumer) registered;
        map2.put(EncryptionConsumerConfig.CONFIG_KEY, encryptionConsumerConfig);
        decryptor.invoke(element, map2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "callEncryptionConsumer(EncryptionConsumerConfig config,Map selectors,Element target,Map context)");
        }
    }

    /**
     * Runs the component registered under {@code VerifiedPartChecker.class} on the document and
     * reports the outcome to the audit service.
     *
     * <p>A normal return emits a SECURITY_SIGNING / SUCCESS event and a
     * {@code SoapSecurityException} emits a SECURITY_SIGNING / DENIED event, each only when the
     * audit service requires it. The exception is always rethrown. Any other exception type
     * (for example a NullPointerException from a missing checker) bypasses the DENIED event.
     *
     * @param document message document handed to the checker
     * @param map component lookup keyed by class
     * @param map2 processing context, also used to build the audit event
     * @throws SoapSecurityException rethrown unchanged from the checker
     */
    private static void checkRequiredIntegrity(Document document, Map map, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkRequiredIntegrity(Document doc[" + DOMUtil.getDisplayName(document) + "],WSSConsumerConfig config,Map selectors,Map context)");
        }
        try {
            final WSSConsumerComponent checker = (WSSConsumerComponent) map.get(VerifiedPartChecker.class);
            checker.invoke(document, map2);
            final boolean auditSuccess = WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, WSSAuditService.WSSAuditOutcome.SUCCESS);
            if (auditSuccess) {
                SOAPMessageContext messageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map2, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.INTEGRITY, null);
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, messageContext, map2);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkRequiredIntegrity(Document doc,Map selectors,Map context)");
            }
        } catch (SoapSecurityException denied) {
            final boolean auditDenied = WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, WSSAuditService.WSSAuditOutcome.DENIED);
            if (auditDenied) {
                SOAPMessageContext messageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                // The detail text is the exception's toString(), not just its message.
                WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map2, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.INTEGRITY_BAD, denied.toString());
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, messageContext, map2);
            }
            throw denied;
        }
    }

    /**
     * Runs the component registered under {@code DecryptedPartChecker.class} on the document and
     * reports the outcome to the audit service.
     *
     * <p>A normal return emits a SECURITY_ENCRYPTION / SUCCESS event and a
     * {@code SoapSecurityException} emits a SECURITY_ENCRYPTION / DENIED event, each only when
     * the audit service requires it. The exception is always rethrown. Any other exception type
     * bypasses the DENIED event.
     *
     * @param document message document handed to the checker
     * @param map component lookup keyed by class
     * @param map2 processing context, also used to build the audit event
     * @throws SoapSecurityException rethrown unchanged from the checker
     */
    private static void checkRequiredConfidentiality(Document document, Map map, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkRequiredConfidentiality(Document doc[" + DOMUtil.getDisplayName(document) + "],Map selectors,Map context)");
        }
        try {
            final WSSConsumerComponent checker = (WSSConsumerComponent) map.get(DecryptedPartChecker.class);
            checker.invoke(document, map2);
            final boolean auditSuccess = WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, WSSAuditService.WSSAuditOutcome.SUCCESS);
            if (auditSuccess) {
                SOAPMessageContext messageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map2, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.CONFIDENTIALITY, null);
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, messageContext, map2);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkRequiredConfidentiality(Document doc,Map selectors,Map context)");
            }
        } catch (SoapSecurityException denied) {
            final boolean auditDenied = WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, WSSAuditService.WSSAuditOutcome.DENIED);
            if (auditDenied) {
                SOAPMessageContext messageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map2, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.CONFIDENTIALITY_BAD, denied.getMessage());
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, messageContext, map2);
            }
            throw denied;
        }
    }

    /**
     * Verifies that each token consumer configuration whose usage is required has a token of
     * the expected type among the tokens returned by {@code TokenManager.getTokens(map)}.
     *
     * <p>The expected type starts as the configuration's type and is replaced by a caller
     * configuration's token type when that caller maps the consumer type to a different token
     * type. NOTE(review): the match is made on {@code Token.getType()} alone; confirm that
     * tokens flagged through {@code setError} elsewhere in this class cannot satisfy a required
     * token here.
     *
     * @param set token consumer configurations (labelled "tokens" in the trace)
     * @param set2 caller configurations (labelled "callers"); may be null
     * @param map processing context the tokens are read from
     * @throws SoapSecurityException when a required token type has no corresponding token
     */
    private static void checkRequiredSecurityToken(Set set, Set set2, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkRequiredSecurityToken(Set tokens[" + set + "],Set callers[" + set2 + "],Map context)");
        }
        Set presentTokens = TokenManager.getTokens(map);
        if (tc.isDebugEnabled()) {
            if (presentTokens != null) {
                Tr.debug(tc, presentTokens.size() + " tokens found in the subject.");
            } else {
                Tr.debug(tc, "The subject has no Token object.");
            }
        }
        for (Object configEntry : set) {
            TokenConsumerConfig requiredConfig = (TokenConsumerConfig) configEntry;
            if (!ConfigUtil.isUsageRequired(requiredConfig.getUsage())) {
                // Optional configurations place no demand on the message.
                continue;
            }
            boolean satisfied = false;
            QName expectedType = requiredConfig.getType();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking the value type [" + expectedType + "]...");
            }
            if (set2 != null) {
                for (Object callerEntry : set2) {
                    WSSConsumerConfig.CallerConfig caller = (WSSConsumerConfig.CallerConfig) callerEntry;
                    boolean callerRemaps = !caller.getTokenConsumerType().equals(caller.getTokenType());
                    if (callerRemaps && expectedType.equals(caller.getTokenConsumerType())) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Remapped the value type [" + expectedType + "] to the value type [" + caller.getTokenType() + "].");
                        }
                        expectedType = caller.getTokenType();
                    }
                }
            }
            if (presentTokens != null) {
                // Every token is inspected, also after a match has been found.
                for (Object tokenEntry : presentTokens) {
                    QName actualType = ((Token) tokenEntry).getType();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Comparing with the value type of the Token [" + actualType + "]...");
                    }
                    if (!expectedType.equals(actualType)) {
                        continue;
                    }
                    satisfied = true;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "A corresponding token found.");
                    }
                }
            }
            if (!satisfied) {
                // The error names the configured type, not the remapped one.
                throw SoapSecurityException.format(com.ibm.ws.webservices.wssecurity.Constants.FAILED_CHECK, "security.wssecurity.WSSConsumer.s14", requiredConfig.getType().toString());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkRequiredSecurityToken(Set tokens,Set callers,Map context)");
        }
    }

    /**
     * Runs the component registered under {@code TimestampChecker.class} on the document and
     * reports the outcome to the audit service.
     *
     * <p>The configuration is stored in {@code map2} under
     * {@code TimestampConsumerConfig.CONFIG_KEY} before the checker runs. A normal return emits
     * a SECURITY_RESOURCE_ACCESS / SUCCESS event and a {@code SoapSecurityException} emits a
     * SECURITY_RESOURCE_ACCESS / DENIED event, each only when the audit service requires it.
     * The exception is always rethrown. Any other exception type bypasses the DENIED event.
     *
     * @param document message document handed to the checker
     * @param timestampConsumerConfig configuration published to the checker
     * @param map component lookup keyed by class
     * @param map2 processing context, also used to build the audit event; mutated by this call
     * @throws SoapSecurityException rethrown unchanged from the checker
     */
    private static void checkRequiredTimestamp(Document document, TimestampConsumerConfig timestampConsumerConfig, Map map, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkRequiredTimestamp(Document doc[" + DOMUtil.getDisplayName(document) + "],TimestampConsumerConfig config,Map selectors,Map context)");
        }
        try {
            final WSSConsumerComponent checker = (WSSConsumerComponent) map.get(TimestampChecker.class);
            map2.put(TimestampConsumerConfig.CONFIG_KEY, timestampConsumerConfig);
            checker.invoke(document, map2);
            final boolean auditSuccess = WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_RESOURCE_ACCESS, WSSAuditService.WSSAuditOutcome.SUCCESS);
            if (auditSuccess) {
                SOAPMessageContext messageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map2, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.TIMESTAMP, null);
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_RESOURCE_ACCESS, messageContext, map2);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkRequiredTimestamp(Document doc,TimestampConsumerConfig config,Map selectors,Map context)");
            }
        } catch (SoapSecurityException denied) {
            final boolean auditDenied = WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_RESOURCE_ACCESS, WSSAuditService.WSSAuditOutcome.DENIED);
            if (auditDenied) {
                SOAPMessageContext messageContext = (SOAPMessageContext) map2.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map2, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.TIMESTAMP_BAD, denied.getMessage());
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_RESOURCE_ACCESS, messageContext, map2);
            }
            throw denied;
        }
    }

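    /**
     * Pairs the tokens held in the processing context with the Caller and TrustMethod
     * configurations and records an {@code AuthResult} for every pairing.
     *
     * <p>A configuration is considered only when it is not bound to a message part
     * ({@code getPart() == null}) and its token-consumer type equals the type of
     * {@code tokenConsumerConfig}. A token is paired at most once: pairing sets its
     * caller-checked flag, and flagged tokens are skipped afterwards.
     * <ul>
     *   <li>A Caller configuration pairs only with tokens that are <em>not</em> trusted.</li>
     *   <li>A TrustMethod configuration pairs only with tokens that <em>are</em> trusted.</li>
     * </ul>
     * The trusted flag is only read here; it decides which of the two configurations a token
     * can satisfy.
     *
     * @param set                 caller configurations ({@code WSSConsumerConfig.CallerConfig}
     *                            elements); nothing is done when null
     * @param tokenConsumerConfig configuration of the token consumer being processed; nothing
     *                            is done when null
     * @param map                 processing context that holds the tokens and the result pool
     */
    private static void checkCaller(Set set, TokenConsumerConfig tokenConsumerConfig, Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCaller(Set cconfigs,TokenConsumerConfig tconfig,Map context)");
        }
        if (tokenConsumerConfig != null && set != null) {
            Set<Token> tokens = TokenManager.getTokens(map);
            // The other users of TokenManager.getTokens() in this class null-check its result,
            // so a null set is treated like an empty one instead of failing on size().
            if (tokens == null || tokens.isEmpty()) {
                tokens = null;
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, tokens.size() + " tokens found.");
            }
            QName type = tokenConsumerConfig.getType();
            for (Object entry : set) {
                WSSConsumerConfig.CallerConfig callerConfig = (WSSConsumerConfig.CallerConfig) entry;

                // Caller configuration: candidates are the tokens that are not trusted.
                if (callerConfig.getPart() == null) {
                    QName tokenType = callerConfig.getTokenType();
                    QName tokenConsumerType = callerConfig.getTokenConsumerType();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "TokenConsumer type in the Caller [" + tokenConsumerType + "], TokenConsumer type [" + type + "].");
                    }
                    if (type.equals(tokenConsumerType) && tokens != null) {
                        for (Token token : tokens) {
                            boolean callerChecked = token.getCallerChecked();
                            boolean isTrusted = token.isTrusted();
                            QName type2 = token.getType();
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Token type in the Caller [" + tokenType + "] and Token type [" + type2 + "].");
                                Tr.debug(tc, "Caller checked [" + callerChecked + "].");
                                Tr.debug(tc, "Token trusted [" + isTrusted + "].");
                            }
                            if (!callerChecked && !isTrusted && tokenType.equals(type2)) {
                                AuthResult authResult = new AuthResult(token, callerConfig);
                                token.setCallerChecked(true);
                                ResultPool.add(map, authResult);
                                if (tc.isDebugEnabled()) {
                                    // NOTE(review): confirm AuthResult.toString() keeps credential material out of the trace.
                                    Tr.debug(tc, "Added AuthResult[" + authResult + "] into the ResultPool.");
                                }
                            }
                        }
                    }
                }

                // TrustMethod configuration: candidates are the tokens that are trusted.
                // It is evaluated for every caller configuration, whether or not that one is part-bound.
                WSSConsumerConfig.CallerConfig trustMethod = callerConfig.getTrustMethod();
                if (trustMethod != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "TrustMethod configuration found.");
                    }
                    if (trustMethod.getPart() == null) {
                        QName tokenType2 = trustMethod.getTokenType();
                        QName tokenConsumerType2 = trustMethod.getTokenConsumerType();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "TokenConsumer type in the TrustMethod [" + tokenConsumerType2 + "], TokenConsumer type [" + type + "].");
                        }
                        if (type.equals(tokenConsumerType2) && tokens != null) {
                            for (Token token2 : tokens) {
                                boolean callerChecked2 = token2.getCallerChecked();
                                boolean isTrusted2 = token2.isTrusted();
                                QName type3 = token2.getType();
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Token type in the TrustMethod [" + tokenType2 + "] and Token type [" + type3 + "].");
                                    Tr.debug(tc, "TrustMethod checked [" + callerChecked2 + "].");
                                    Tr.debug(tc, "Token trusted [" + isTrusted2 + "].");
                                }
                                if (!callerChecked2 && isTrusted2 && tokenType2.equals(type3)) {
                                    AuthResult authResult2 = new AuthResult(token2, trustMethod);
                                    token2.setCallerChecked(true);
                                    ResultPool.add(map, authResult2);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Added AuthResult[" + authResult2 + "] into the ResultPool.");
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkCaller(Set cconfig,TokenConsumerConfig tconfig,Map context)");
        }
    }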

    /**
     * Single-token variant of the caller check: pairs {@code token} with the Caller and
     * TrustMethod configurations and records an {@code AuthResult} for every pairing.
     *
     * <p>A configuration is considered only when it is not bound to a message part and its
     * token-consumer type equals the type of {@code tokenConsumerConfig}. A Caller
     * configuration pairs with the token only while it is not trusted; a TrustMethod
     * configuration only while it is trusted. In both cases the token must not be
     * caller-checked yet and its type must equal the configured token type; pairing sets the
     * caller-checked flag.
     *
     * @param set                 caller configurations ({@code WSSConsumerConfig.CallerConfig}
     *                            elements); nothing is done when null
     * @param tokenConsumerConfig configuration of the token consumer being processed; nothing
     *                            is done when null
     * @param token               token to examine; it is dereferenced without a null check
     * @param map                 processing context that holds the result pool
     */
    private static void checkCaller(Set set, TokenConsumerConfig tokenConsumerConfig, Token token, Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCaller(Set cconfigs,TokenConsumerConfig tconfig,Token token,Map context)");
        }
        if (set != null && tokenConsumerConfig != null) {
            final QName consumerType = tokenConsumerConfig.getType();
            for (Object entry : set) {
                final WSSConsumerConfig.CallerConfig caller = (WSSConsumerConfig.CallerConfig) entry;

                // Caller configuration: satisfied by a token that is not trusted.
                if (caller.getPart() == null) {
                    final QName wantedTokenType = caller.getTokenType();
                    final QName wantedConsumerType = caller.getTokenConsumerType();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "TokenConsumer type in the Caller [" + wantedConsumerType + "], TokenConsumer type [" + consumerType + "].");
                    }
                    if (consumerType.equals(wantedConsumerType)) {
                        final boolean alreadyChecked = token.getCallerChecked();
                        final boolean trusted = token.isTrusted();
                        final QName actualTokenType = token.getType();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Token type in the Caller [" + wantedTokenType + "] and Token type [" + actualTokenType + "].");
                            Tr.debug(tc, "Caller checked [" + alreadyChecked + "].");
                            Tr.debug(tc, "Token trusted [" + trusted + "].");
                        }
                        if (!(alreadyChecked || trusted) && wantedTokenType.equals(actualTokenType)) {
                            final AuthResult callerResult = new AuthResult(token, caller);
                            token.setCallerChecked(true);
                            ResultPool.add(map, callerResult);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Added AuthResult[" + callerResult + "] into the ResultPool.");
                            }
                        }
                    }
                }

                // TrustMethod configuration: satisfied by a token that is trusted. The flags are
                // read again because the Caller step above may just have marked the token as checked.
                final WSSConsumerConfig.CallerConfig trust = caller.getTrustMethod();
                if (trust == null) {
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "TrustMethod configuration found.");
                }
                if (trust.getPart() != null) {
                    continue;
                }
                final QName trustTokenType = trust.getTokenType();
                final QName trustConsumerType = trust.getTokenConsumerType();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "TokenConsumer type in the TrustMethod [" + trustConsumerType + "], TokenConsumer type [" + consumerType + "].");
                }
                if (!consumerType.equals(trustConsumerType)) {
                    continue;
                }
                final boolean checkedNow = token.getCallerChecked();
                final boolean trustedNow = token.isTrusted();
                final QName tokenTypeNow = token.getType();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Token type in the TrustMethod [" + trustTokenType + "] and Token type [" + tokenTypeNow + "].");
                    Tr.debug(tc, "TrustMethod checked [" + checkedNow + "].");
                    Tr.debug(tc, "Token trusted [" + trustedNow + "].");
                }
                if (!checkedNow && trustedNow && trustTokenType.equals(tokenTypeNow)) {
                    final AuthResult trustResult = new AuthResult(token, trust);
                    token.setCallerChecked(true);
                    ResultPool.add(map, trustResult);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Added AuthResult[" + trustResult + "] into the ResultPool.");
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkCaller(Set cconfig,TokenConsumerConfig tconfig,Token token,Map context)");
        }
    }

    /**
     * Runs the component registered under {@code LoginProcessor.class} in the selector map,
     * passing it the processing context.
     *
     * <p>The lookup result is not null-checked, so a selector map without that entry fails
     * with a {@code NullPointerException} rather than skipping the step.
     *
     * @param map  selector map keyed by component class
     * @param map2 processing context handed to the component
     * @throws SoapSecurityException propagated from the invoked component
     */
    private static void checkCaller(Map map, Map map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCaller(Map selectors,Map context)");
        }
        final WSSConsumerComponent loginStep = (WSSConsumerComponent) map.get(LoginProcessor.class);
        loginStep.invoke(null, map2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkCaller(Map selectors, Map context)");
        }
    }

    /**
     * Rebuilds the token set of the context so that it holds one token per unique id.
     *
     * <p>Tokens are collected in this order, and the first token seen for an id wins:
     * <ol>
     *   <li>tokens attached to the {@code VerificationResult}s in the result pool,</li>
     *   <li>tokens attached to the {@code DecryptionResult}s in the result pool,</li>
     *   <li>tokens from the current token set whose {@code getError()} is null.</li>
     * </ol>
     * The current token set is then removed and replaced by the collected tokens. Tokens that
     * carry an error and are not referenced by a result are dropped. Nothing happens when the
     * context holds no tokens.
     *
     * @param map processing context
     * @throws SoapSecurityException declared by the signature; presumably raised by a helper
     *         called here (confirm against TokenManager / ResultPool)
     */
    private static void cleanSubject(Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanSubject(Map context)");
        }
        final Set<Token> current = TokenManager.getTokens(map);
        if (current != null && !current.isEmpty()) {
            // Raw map on purpose: its values() collection is handed to TokenManager.setTokens() below.
            final HashMap keptById = new HashMap();

            // 1. Tokens behind signature verification results.
            final Result[] verified = ResultPool.get(map, VerificationResult.class);
            if (verified != null) {
                for (int v = 0; v < verified.length; v++) {
                    final Token signerToken = ((VerificationResult) verified[v]).getToken();
                    if (signerToken == null) {
                        continue;
                    }
                    final String signerId = signerToken.getUniqueID();
                    if (keptById.containsKey(signerId)) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "WARNING: The token that has the same unique id [" + signerId + "] exists.");
                            Tr.debug(tc, "The already stored token is [" + keptById.get(signerId) + "] and this is keeped.");
                            Tr.debug(tc, "A newly found token is [" + signerToken + "] and this is ignored.");
                        }
                    } else {
                        keptById.put(signerId, signerToken);
                        if (tc.isDebugEnabled()) {
                            // NOTE(review): tokens are traced through toString(); confirm that does not expose secrets.
                            Tr.debug(tc, "The token whose unique id is [" + signerId + "]: <<<" + signerToken + ">>>.");
                        }
                    }
                }
            }

            // 2. Tokens behind decryption results.
            final Result[] decrypted = ResultPool.get(map, DecryptionResult.class);
            if (decrypted != null) {
                for (int d = 0; d < decrypted.length; d++) {
                    final Token keyToken = ((DecryptionResult) decrypted[d]).getToken();
                    if (keyToken == null) {
                        continue;
                    }
                    final String keyId = keyToken.getUniqueID();
                    if (keptById.containsKey(keyId)) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "WARNING: The token that has the same unique id [" + keyId + "] exists.");
                            Tr.debug(tc, "The already stored token is [" + keptById.get(keyId) + "] and this is keeped.");
                            Tr.debug(tc, "A newly found token is [" + keyToken + "] and this is ignored.");
                        }
                    } else {
                        keptById.put(keyId, keyToken);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "The token whose unique id is [" + keyId + "]: <<<" + keyToken + ">>>.");
                        }
                    }
                }
            }

            // 3. Remaining error-free tokens; duplicates are skipped without a trace line.
            for (Token candidate : current) {
                if (candidate.getError() != null) {
                    continue;
                }
                final String candidateId = candidate.getUniqueID();
                if (keptById.containsKey(candidateId)) {
                    continue;
                }
                keptById.put(candidateId, candidate);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The token whose unique id is [" + candidateId + "]: <<<" + candidate + ">>>.");
                }
            }

            TokenManager.removeAllTokens(map);
            if (!keptById.isEmpty()) {
                TokenManager.setTokens(map, keptById.values());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanSubject(Map context)");
        }
    }

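    /**
     * Removes the per-key-info working entries from the processing context: the
     * {@code WSSECURITY_KEYINFO_TYPE} entry, the {@code WSSECURITY_KEY_*} entries listed below,
     * and the X.509 key-locator and certificate-info entries.
     *
     * <p>The entry/exit trace now names this method; it previously reported
     * {@code cleanSubject(Map context)}, which made the two methods indistinguishable in a trace.
     *
     * @param map processing context to clean
     */
    private static void cleanContext(Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanContext(Map context)");
        }
        final Object[] staleKeys = {
            Constants.WSSECURITY_KEYINFO_TYPE,
            Constants.WSSECURITY_KEY_TYPE,
            Constants.WSSECURITY_KEY_NAME,
            Constants.WSSECURITY_KEY_ID,
            Constants.WSSECURITY_KEY_REFERENCE,
            Constants.WSSECURITY_KEY_EMBID,
            Constants.WSSECURITY_KEY_ISSUERNAME,
            Constants.WSSECURITY_KEY_ISSUERSERIAL,
            Constants.WSSECURITY_KEY_IDTYPE,
            Constants.WSSECURITY_KEY_ENCODING,
            Constants.WSSECURITY_KEY_VALUETYPE,
            X509BSToken.KEY_LOCATOR,
            X509BSToken.CERT_INFO,
        };
        for (Object staleKey : staleKeys) {
            map.remove(staleKey);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanContext(Map context)");
        }
    }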

    /**
     * Publishes the tokens of the processing context, and on a server the signer certificate,
     * as properties of the SOAP message context.
     *
     * <p>Tokens are copied into a {@code Hashtable} keyed by {@code Token.getId()}; a token
     * without an id gets a generated one. Two tokens with the same id end up as one entry,
     * the later one replacing the earlier.
     *
     * <p>In a server process the signer certificate is taken from the verification results:
     * <ul>
     *   <li>exactly one result: its token, if it is an {@code X509BSToken};</li>
     *   <li>several results: the first {@code X509BSToken} whose {@code getUsedToLogin()} is true.</li>
     * </ul>
     * The certificate is stored under {@code REQUEST_CERT}; the property is removed when no
     * such token or certificate is available.
     *
     * <p>NOTE(review): the single-result path does not consult {@code getUsedToLogin()}, so the
     * certificate published there is the signer's, not necessarily the one used for login.
     * Confirm that readers of {@code REQUEST_CERT} expect this.
     *
     * @param sOAPMessageContext message context that receives the properties
     * @param map                processing context holding tokens and results
     */
    private static void mapTokenToMessageContext(SOAPMessageContext sOAPMessageContext, Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapTokenToMessageContext(SOAPMessageContext messageContext,Map context)");
        }

        // Part 1: token table.
        final Set<Token> available = TokenManager.getTokens(map);
        if (available != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, available.size() + " tokens found.");
            }
            if (!available.isEmpty()) {
                final Hashtable tokensById = new Hashtable();
                int generated = 0;
                for (Token each : available) {
                    String key = each.getId();
                    if (key == null) {
                        generated++;
                        key = IdUtil.getInstance().makeUniqueId(null, "Token_") + "_" + generated;
                    }
                    tokensById.put(key, each);
                }
                sOAPMessageContext.setProperty(Constants.WSSECURITY_TOKEN_PROPERGATION, tokensById);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "A table of tokens is copied to the property in the MessageContext.");
                }
            }
        }

        // Part 2: signer certificate, server side only.
        if (WSSecurityPlatformContextFactory.getInstance().isServer()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "This is server process. So the runtime is storing a signer certificate...");
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking verification results...");
            }
            final Result[] verified = ResultPool.get(map, VerificationResult.class);
            if (verified == null || verified.length == 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No signer X509 certificate was found in the request message.");
                }
            } else {
                X509BSToken signer = null;
                if (verified.length == 1) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Only one verification token found.");
                    }
                    final Token only = ((VerificationResult) verified[0]).getToken();
                    if (only instanceof X509BSToken) {
                        signer = (X509BSToken) only;
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "More than one verification tokens found.");
                    }
                    for (int idx = 0; idx < verified.length; idx++) {
                        final Token candidate = ((VerificationResult) verified[idx]).getToken();
                        if ((candidate instanceof X509BSToken) && candidate.getUsedToLogin()) {
                            signer = (X509BSToken) candidate;
                            break;
                        }
                    }
                }

                if (signer != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The X509 token that includes a signer certificate [" + signer + "].");
                    }
                    Object certificate = null;
                    try {
                        certificate = signer.getCert();
                    } catch (SoapSecurityException e) {
                        // Logged and handled below as "no certificate": the property is removed.
                        Tr.warning(tc, "security.wssecurity.WSSConsumer.s32", new Object[]{e});
                    }
                    if (certificate != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Signer certificate is stored in the message context [" + certificate + "].");
                        }
                        sOAPMessageContext.setProperty(com.ibm.xml.soapsec.Constants.REQUEST_CERT, certificate);
                    } else {
                        Tr.warning(tc, "security.wssecurity.WSSConsumer.s33");
                        sOAPMessageContext.removeProperty(com.ibm.xml.soapsec.Constants.REQUEST_CERT);
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Unable to specify the one of X509 certificates in the request message.");
                    }
                    sOAPMessageContext.removeProperty(com.ibm.xml.soapsec.Constants.REQUEST_CERT);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapTokenToMessageContext(SOAPMessageContext messageContext,Map context)");
        }
    }

    /**
     * Copies the {@code Subject} stored in the processing context under
     * {@code WSSECURITY_SUBJECT} into the message context property
     * {@code WSSECURITY_TOKEN_WSSSUBJECT}.
     *
     * <p>The value is stored as found, including null when the context has no subject.
     *
     * @param sOAPMessageContext message context that receives the subject
     * @param map                processing context to read the subject from
     */
    private static void copyContextSubjectToMessageContext(SOAPMessageContext sOAPMessageContext, Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "copyContextSubjectToMessageContext(SOAPMessageContext messageContext, Map context)");
        }
        final Subject contextSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        sOAPMessageContext.setProperty(Constants.WSSECURITY_TOKEN_WSSSUBJECT, contextSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "copyContextSubjectToMessageContext(SOAPMessageContext messageContext, Map context)");
        }
    }

    /**
     * Sets the locked flag on every verification result or every decryption result in the
     * result pool.
     *
     * <p>{@code restoreResults} in this class only undoes a result whose locked flag is false.
     *
     * @param map processing context holding the result pool
     * @param z   true to address {@code VerificationResult}s, false for {@code DecryptionResult}s
     * @param z2  value to assign to the locked flag
     */
    private static void lockResults(Map map, boolean z, boolean z2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "lockResults(Map context,boolean signature[" + z + "],boolean locked[" + z2 + "])");
        }
        if (!z) {
            final Result[] decrypted = ResultPool.get(map, DecryptionResult.class);
            if (decrypted != null) {
                for (int idx = 0; idx < decrypted.length; idx++) {
                    ((DecryptionResult) decrypted[idx]).setLocked(z2);
                }
            }
        } else {
            final Result[] verified = ResultPool.get(map, VerificationResult.class);
            if (verified != null) {
                for (int idx = 0; idx < verified.length; idx++) {
                    ((VerificationResult) verified[idx]).setLocked(z2);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "lockResults(Map context,boolean signature,boolean locked)");
        }
    }

    /**
     * Removes all {@code KeyInfoResult} entries from the result pool of the context.
     *
     * @param map processing context holding the result pool
     */
    private static void removeKeyInfoResults(Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removeKeyInfoResults(Map context)");
        }
        final Result[] keyInfoResults = ResultPool.get(map, KeyInfoResult.class);
        final boolean anyPresent = keyInfoResults != null && keyInfoResults.length > 0;
        if (anyPresent) {
            ResultPool.remove(map, keyInfoResults);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removeKeyInfoResults(Map context)");
        }
    }

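    /**
     * Undoes the most recent verification or decryption result, unless it is locked.
     *
     * <p>For each part of that result, the nonce and timestamp nodes recorded with the part
     * are appended back to the part's parent node, in the order given by
     * {@code getNonceFirst()}, and the result is then removed from the result pool.
     *
     * <p>Each node is appended only when it is present. The earlier code appended the first
     * node of each ordering unconditionally, and in the nonce-first ordering it guarded the
     * timestamp append by testing the nonce, so a part that carried only one of the two nodes
     * passed null to {@code appendChild}.
     *
     * @param map processing context holding the result pool
     * @param z   true to restore the last {@code VerificationResult}, false for the last
     *            {@code DecryptionResult}
     */
    private static void restoreResults(Map map, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "restoreResults(Map context,boolean signature[" + z + "])");
        }
        if (z) {
            Result[] resultArr = ResultPool.get(map, VerificationResult.class);
            if (resultArr != null && resultArr.length > 0) {
                // Only the newest result is a candidate for restoring.
                VerificationResult verificationResult = (VerificationResult) resultArr[resultArr.length - 1];
                if (!verificationResult.getLocked()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Restoring a verification result [" + verificationResult + "]...");
                    }
                    List verifiedParts = verificationResult.getVerifiedParts();
                    if (verifiedParts != null) {
                        for (Object entry : verifiedParts) {
                            VerificationResult.VerifiedPart verifiedPart = (VerificationResult.VerifiedPart) entry;
                            if (verifiedPart.getNonce() == null && verifiedPart.getTimestamp() == null) {
                                continue;
                            }
                            if (verifiedPart.getNonceFirst()) {
                                if (verifiedPart.getNonce() != null) {
                                    verifiedPart.getParent().appendChild(verifiedPart.getNonce());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Nonce is restored into the node[" + DOMUtil.getDisplayName(verifiedPart.getParent()) + "].");
                                    }
                                }
                                if (verifiedPart.getTimestamp() != null) {
                                    verifiedPart.getParent().appendChild(verifiedPart.getTimestamp());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Timestmap is restored into the node[" + DOMUtil.getDisplayName(verifiedPart.getParent()) + "].");
                                    }
                                }
                            } else {
                                if (verifiedPart.getTimestamp() != null) {
                                    verifiedPart.getParent().appendChild(verifiedPart.getTimestamp());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Timestamp is restored into the node[" + DOMUtil.getDisplayName(verifiedPart.getParent()) + "].");
                                    }
                                }
                                if (verifiedPart.getNonce() != null) {
                                    verifiedPart.getParent().appendChild(verifiedPart.getNonce());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Nonce is restored into the node[" + DOMUtil.getDisplayName(verifiedPart.getParent()) + "].");
                                    }
                                }
                            }
                        }
                    }
                    ResultPool.remove(map, verificationResult);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Removed the verification result.");
                    }
                }
            }
        } else {
            Result[] resultArr2 = ResultPool.get(map, DecryptionResult.class);
            if (resultArr2 != null && resultArr2.length > 0) {
                // Only the newest result is a candidate for restoring.
                DecryptionResult decryptionResult = (DecryptionResult) resultArr2[resultArr2.length - 1];
                if (!decryptionResult.getLocked()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Restoring a decryption result [" + decryptionResult + "]...");
                    }
                    List decryptedParts = decryptionResult.getDecryptedParts();
                    if (decryptedParts != null) {
                        for (Object entry : decryptedParts) {
                            DecryptionResult.DecryptedPart decryptedPart = (DecryptionResult.DecryptedPart) entry;
                            if (decryptedPart.getNonce() == null && decryptedPart.getTimestamp() == null) {
                                continue;
                            }
                            if (decryptedPart.getNonceFirst()) {
                                if (decryptedPart.getNonce() != null) {
                                    decryptedPart.getParent().appendChild(decryptedPart.getNonce());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Nonce is restored into the node[" + DOMUtil.getDisplayName(decryptedPart.getParent()) + "].");
                                    }
                                }
                                if (decryptedPart.getTimestamp() != null) {
                                    decryptedPart.getParent().appendChild(decryptedPart.getTimestamp());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Timestmap is restored into the node[" + DOMUtil.getDisplayName(decryptedPart.getParent()) + "].");
                                    }
                                }
                            } else {
                                if (decryptedPart.getTimestamp() != null) {
                                    decryptedPart.getParent().appendChild(decryptedPart.getTimestamp());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Timestamp is restored into the node[" + DOMUtil.getDisplayName(decryptedPart.getParent()) + "].");
                                    }
                                }
                                if (decryptedPart.getNonce() != null) {
                                    decryptedPart.getParent().appendChild(decryptedPart.getNonce());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Nonce is restored into the node[" + DOMUtil.getDisplayName(decryptedPart.getParent()) + "].");
                                    }
                                }
                            }
                        }
                    }
                    ResultPool.remove(map, decryptionResult);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Removed the decryption result.");
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "restoreResults(Map context,boolean signature)");
        }
    }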

    /**
     * Classifies how the token with the given id is referenced inside a Security header.
     *
     * <p>The method looks at every {@code Reference} element in namespace {@code str} under
     * the envelope, keeps those whose {@code URI} attribute equals {@code "#" + id} and whose
     * enclosing {@code Security} element is {@code element2}, and inspects the parent of the
     * enclosing {@code ds:KeyInfo}.
     *
     * <p>Result codes as they appear in the code and its trace messages: 0 = not determined,
     * 1 = signature verification, 2 = decryption.
     *
     * <p>NOTE(review): as listed, every path that enters the loop ends at {@code i = 2}, so the
     * method returns 2 whenever the envelope contains at least one such {@code Reference}
     * element, even when the id matches none of them or the match is under
     * {@code ds:Signature}. The listing looks like decompiler output, so a dropped jump is the
     * likely cause; confirm against the original class before relying on the value 1.
     *
     * @param element  envelope element that is searched
     * @param element2 the Security header element the reference must belong to
     * @param str      namespace URI used for the {@code Reference} and {@code Security} lookups
     * @param str2     token id without the leading {@code #}; null or empty yields 0
     * @return the result code described above
     */
    private static int getUsedFor(Element element, Element element2, String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUsedFor(Element envelope[" + DOMUtil.getDisplayName(element) + "],Element security[" + DOMUtil.getDisplayName(element2) + "],String nsWsse[" + str + "],String id[" + str2 + "])");
        }
        int i = 0;
        if (str2 != null && str2.length() > 0) {
            // References are same-document fragment URIs, so the id is compared as "#id".
            String str3 = "#" + str2;
            NodeList elementsByTagNameNS = element.getElementsByTagNameNS(str, "Reference");
            if (elementsByTagNameNS != null && elementsByTagNameNS.getLength() != 0) {
                int length = elementsByTagNameNS.getLength();
                if (tc.isDebugEnabled()) {
                    if (length == 1) {
                        Tr.debug(tc, length + " wsse:Reference element found.");
                    } else {
                        Tr.debug(tc, length + " wsse:Reference elements found.");
                    }
                }
                int i2 = 0;
                while (true) {
                    if (i2 >= length) {
                        break;
                    }
                    Element element3 = (Element) elementsByTagNameNS.item(i2);
                    String attribute = element3.getAttribute("URI");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Processing URI [" + attribute + "]...");
                    }
                    // Only references inside the Security header being processed count.
                    if (str3.equals(attribute) && DOMUtil.equals(DOMUtil.getAncestorElement(element3, str, "Security"), element2)) {
                        Element ancestorElement = DOMUtil.getAncestorElement(element3, com.ibm.ws.webservices.wssecurity.Constants.NS_DSIG, "KeyInfo");
                        if (ancestorElement != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "ds:KeyInfo is found as an ancestor.");
                            }
                            Node parentNode = ancestorElement.getParentNode();
                            // 1 is the DOM node type of an element (Node.ELEMENT_NODE).
                            if (parentNode != null && parentNode.getNodeType() == 1) {
                                if (DOMUtil.equals(parentNode, com.ibm.ws.webservices.wssecurity.Constants.NS_DSIG, "Signature")) {
                                    // NOTE(review): this value does not survive; the loop continues and
                                    // the assignment after the loop replaces it with 2.
                                    i = 1;
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "The token is used for signature verification.");
                                    }
                                } else if (DOMUtil.equals(parentNode, com.ibm.ws.webservices.wssecurity.Constants.NS_ENC, "EncryptedKey") || DOMUtil.equals(parentNode, com.ibm.ws.webservices.wssecurity.Constants.NS_ENC, "EncryptedData")) {
                                    break;
                                }
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "ds:KeyInfo is not found as an ancestor.");
                        }
                    }
                    i2++;
                }
                // Reached both from the break above and when the loop runs out of references.
                i = 2;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The token is used for decryption.");
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No wsse:Reference element found.");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getUsedFor(Element envelope,Element security,String nsWsse,String id) returns int[" + i + "]");
        }
        return i;
    }

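    /**
     * Extracts the identifier of the token that a reference element points to.
     *
     * <p>The child elements of {@code element} are scanned in document order:
     * <ul>
     *   <li>the first {@code Reference} child ends the scan; its {@code URI} attribute, without
     *       a leading {@code #}, is the result when the attribute has a value;</li>
     *   <li>a {@code KeyIdentifier} child with a SAML value type ends the scan; its string
     *       value is the result;</li>
     *   <li>any other child is skipped.</li>
     * </ul>
     *
     * <p>The scan now stops at the first {@code Reference} child. The earlier loop neither
     * advanced nor left the loop in that branch, so it did not terminate once such a child was
     * reached.
     *
     * <p>The returned value is read from the message, so callers should use it only as a
     * lookup key and not as evidence that the token exists or is valid.
     *
     * @param str     namespace URI of the {@code Reference} and {@code KeyIdentifier} elements
     * @param element element whose children are scanned
     * @return the referenced token identifier, or null when none is found
     */
    private static String getReferencedToken(String str, Element element) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getReferencedToken(String nsWsse[" + str + "], Element target [" + element + "])");
        }
        String str2 = null;
        for (Element child = DOMUtil.getFirstElement(element); child != null; child = DOMUtil.getNextElement(child)) {
            if (DOMUtil.equals(child, str, "Reference")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "wsse:Reference was found");
                }
                String attribute = child.getAttribute("URI");
                if (ConfigUtil.hasValue(attribute)) {
                    str2 = attribute.startsWith("#") ? attribute.substring(1) : attribute;
                }
                // Leave the loop here: this branch has no step to the next sibling.
                break;
            }
            if (DOMUtil.equals(child, str, "KeyIdentifier")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "wsse:KeyIdentifier was found");
                }
                if (isSamlIdentifier(child)) {
                    str2 = DOMUtil.getStringValue(child);
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getReferencedToken(returns " + str2 + ")");
        }
        return str2;
    }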

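    /**
     * Registers the element of a referenced token in the reference map of the context.
     *
     * <p>The token is looked up by {@code str2}. When it exists and has an element, a
     * {@code VerificationResult.TransformElement} built from the two ids, the element and the
     * element's parent node is stored in the reference map under {@code str}; the map is
     * created on demand.
     *
     * <p>The closing trace call is now {@code Tr.exit}; it was a second {@code Tr.entry}, which
     * left the entry/exit pairs in the trace unbalanced.
     *
     * @param str  id of the reference; used as the key in the reference map
     * @param str2 id of the referenced token
     * @param map  processing context
     * @return true when the token was found and has an element, false otherwise
     */
    private static boolean setupTokenInReferenceMap(String str, String str2, Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setupTokenInReferenceMap(refId[" + str + "], tokenId[" + str2 + "], Map context)");
        }
        boolean z = false;
        Token token = TokenManager.getToken(map, str2);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Referenced token [" + token + "].");
        }
        if (token != null) {
            Element element = token.getElement();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Element [" + DOMUtil.getDisplayName(element) + "].");
            }
            if (element != null) {
                z = true;
                VerificationResult.TransformElement transformElement = new VerificationResult.TransformElement(str, str2, element, element.getParentNode());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "TransformElement created: [" + transformElement + "]");
                }
                HashMap referenceMap = getReferenceMap(map, true);
                // The result is still true when no map is returned; the null check is kept from the original.
                if (referenceMap != null) {
                    referenceMap.put(str, transformElement);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setupTokenInReferenceMap returns " + z);
        }
        return z;
    }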

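    /**
     * Reports whether the {@code ValueType} attribute of the given element is one of the
     * SAML value types listed in {@code samlValueTypes}.
     *
     * <p>The attribute value is trimmed and then compared with {@code equals}, so the match
     * is exact and case-sensitive.
     *
     * @param element the element whose {@code ValueType} attribute is inspected; must not
     *     be {@code null}, since the attribute is read from it unconditionally
     * @return {@code true} if the trimmed attribute value equals an entry of
     *     {@code samlValueTypes}; {@code false} otherwise, including when
     *     {@code ConfigUtil.hasValue} rejects the attribute value
     */
    public static boolean isSamlIdentifier(Element element) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSamlIdentifier Element elem[" + DOMUtil.getDisplayName(element) + "]");
        }
        boolean z = false;
        String attribute = element.getAttribute("ValueType");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "ValueType: [" + attribute + "]");
        }
        if (ConfigUtil.hasValue(attribute)) {
            // The trimmed value is the same for every comparison, so compute it once.
            String valueType = attribute.trim();
            for (int i = 0; i < samlValueTypes.length; i++) {
                if (samlValueTypes[i].equals(valueType)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "ValueType is SAML");
                    }
                    z = true;
                    // Stop at the first match. The previous loop neither advanced the index
                    // nor left the loop on a match, so a matching ValueType kept the calling
                    // thread spinning forever.
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isSamlIdentifier returns " + z);
        }
        return z;
    }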

    /**
     * Returns the reference map stored in the given context without creating one.
     *
     * <p>Delegates to {@link #getReferenceMap(Map, boolean)} with creation turned off.
     *
     * @param map the context map to read the reference map from
     * @return the stored reference map, or {@code null} if the context holds none
     */
    public static HashMap getReferenceMap(Map map) {
        final boolean createIfAbsent = false;
        return getReferenceMap(map, createIfAbsent);
    }

    /**
     * Returns the reference map stored in the given context under {@code REFERENCE_MAP},
     * optionally creating and storing an empty one when none is present.
     *
     * <p>The stored value is cast to {@code HashMap}; a value of any other type under that
     * key raises a {@code ClassCastException}.
     *
     * @param map the context map that holds (or receives) the reference map
     * @param z {@code true} to create and store a new empty map when none is found
     * @return the reference map, or {@code null} if none is stored and {@code z} is
     *     {@code false}
     */
    public static HashMap getReferenceMap(Map map, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getReferenceMap createMap [" + z + "]");
        }
        HashMap references = (HashMap) map.get(REFERENCE_MAP);
        if (references != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Reference map was found");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Reference map was not found");
            }
            if (z) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Creating new reference map.");
                }
                // Publish the fresh map in the context so later lookups see the same instance.
                references = new HashMap();
                map.put(REFERENCE_MAP, references);
            }
        }
        if (tc.isEntryEnabled()) {
            // Only presence is traced, never the map contents.
            String outcome = references != null ? "not null" : "null";
            Tr.exit(tc, "getReferenceMap returns [" + outcome + "]");
        }
        return references;
    }
}
