package com.ibm.xml.soapsec.token;

import com.ibm.ws.wssecurity.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.xml.soapsec.Constants;
import com.ibm.xml.soapsec.ResultPool;
import com.ibm.xml.soapsec.SoapSecurityComponent;
import com.ibm.xml.soapsec.dsig.VerificationSettings;
import com.ibm.xml.soapsec.token.TokenResult;
import com.ibm.xml.soapsec.util.DOMUtil;
import com.ibm.xml.soapsec.util.IdUtil;
import com.ibm.xml.soapsec.util.NamespaceUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.io.ByteArrayInputStream;
import java.security.Provider;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.faces.validator.BeanValidator;
import javax.xml.namespace.QName;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:com/ibm/xml/soapsec/token/BinaryTokenReceiver.class */
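/**
 * Receiver-side component that processes one binary security token element of a SOAP message.
 *
 * <p>The element's text is Base64-decoded and then handled according to its {@code ValueType}:
 * an X.509 v3 token is parsed as a certificate and checked against each configured
 * {@link VerificationSettings} in turn, while any other value type is passed to the login
 * mapping configured for that type. Accepted tokens are recorded in the {@link ResultPool}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A settings entry with {@code getTrustAnyCertificate()} set accepts the presented
 *       certificate with no path validation at all.</li>
 *   <li>Revocation checking is enabled only when a configured cert store yields at least one
 *       CRL; an error while probing the stores is traced and leaves revocation checking off.</li>
 *   <li>When the configuration is not X.509-ready, an X.509 token is skipped with a warning
 *       and nothing is added to the result pool.</li>
 * </ul>
 */
public class BinaryTokenReceiver implements SoapSecurityComponent {
    // Prefix shared by most message keys below; the constant itself is not referenced in this class.
    private static final String comp = "security.wssecurity";
    // Receiver configuration; set by the one-argument constructor or by init(Map).
    TokenReceiverConfig conf;
    private static final TraceComponent tc = Tr.register(BinaryTokenReceiver.class, Constants.TR_GROUP, "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    private static final String clsName = BinaryTokenReceiver.class.getName();

    /** Creates an unconfigured receiver; {@link #init(Map)} must supply the configuration. */
    public BinaryTokenReceiver() {
        this.conf = null;
    }

    /**
     * Creates a receiver bound to the given configuration.
     *
     * @param tokenReceiverConfig configuration used by {@link #invoke}; may be replaced by {@link #init(Map)}
     */
    public BinaryTokenReceiver(TokenReceiverConfig tokenReceiverConfig) {
        this.conf = tokenReceiverConfig;
    }

    /**
     * Reads the receiver configuration from the supplied map.
     *
     * @param map lookup keyed by configuration class; the entry for {@code TokenReceiverConfig.class} is used
     */
    @Override // com.ibm.xml.soapsec.SoapSecurityComponent
    public void init(Map map) throws Exception {
        this.conf = (TokenReceiverConfig) map.get(TokenReceiverConfig.class);
    }

    /**
     * Decodes and validates the binary security token held in {@code element}.
     *
     * @param document the enclosing document (only used in the entry trace)
     * @param element the binary security token element; its {@code EncodingType} and
     *     {@code ValueType} attributes are required
     * @param map message context, used to resolve the WS-Security namespace and to collect results
     * @throws SoapSecurityException if the receiver is unconfigured, a required attribute is
     *     missing, the encoding is not Base64, the certificate cannot be parsed, or no
     *     verification settings entry accepts the certificate
     */
    @Override // com.ibm.xml.soapsec.SoapSecurityComponent
    public void invoke(Document document, Element element, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the delimiter is a constant from an unrelated JSF class; this looks like
            // a decompiler substitution for a string literal - confirm before relying on it.
            Tr.entry(tc, "invoke(" + document + BeanValidator.VALIDATION_GROUPS_DELIMITER + element + BeanValidator.VALIDATION_GROUPS_DELIMITER + map + ")");
        }
        String wsseNamespace = Constants.getWSSENS(map);
        QName invalidTokenFault = Constants.getQName(wsseNamespace, Constants.INVALID_SECURITY_TOKEN_QNAME);
        QName unsupportedTokenFault = Constants.getQName(wsseNamespace, Constants.UNSUPPORTED_SECURITY_TOKEN_QNAME);
        if (this.conf == null) {
            // NOTE(review): unlike every other key in this method, this one carries no
            // "security.wssecurity.BinaryTokenReceiver." prefix - confirm against the message bundle.
            throw SoapSecurityException.format(invalidTokenFault, "token12");
        }
        String idAttributeName = IdUtil.getInstance().getIdAttributeName(element);
        String tokenId = idAttributeName == null ? null : element.getAttribute(idAttributeName);
        String encodedValue = DOMUtil.getStringValue(element);

        String encodingType = element.getAttribute("EncodingType");
        if (encodingType.equals("")) {
            throw SoapSecurityException.format(invalidTokenFault, "security.wssecurity.BinaryTokenReceiver.token13");
        }
        QName encodingQName = DOMUtil.getQName(element, encodingType);
        if (!NamespaceUtil.equals(encodingQName, Constants.BASE64_BINARY_RCVR)) {
            // Hex encoding is recognised but rejected with its own message; anything else is
            // reported together with the offending attribute value.
            if (NamespaceUtil.equals(encodingQName, Constants.HEX_BINARY_RCVR)) {
                throw SoapSecurityException.format(unsupportedTokenFault, "security.wssecurity.BinaryTokenReceiver.token14");
            }
            throw SoapSecurityException.format(unsupportedTokenFault, "security.wssecurity.BinaryTokenReceiver.token15", encodingType);
        }
        byte[] tokenBytes = Base64.decode(encodedValue);

        String valueType = element.getAttribute("ValueType");
        if (valueType.equals("")) {
            throw SoapSecurityException.format(invalidTokenFault, "security.wssecurity.BinaryTokenReceiver.token16");
        }
        QName valueTypeQName = DOMUtil.getQName(element, valueType);
        if (NamespaceUtil.equals(valueTypeQName, Constants.X509V3_RCVR)) {
            if (this.conf.isX509Ready()) {
                try {
                    X509Certificate accepted = null;
                    String trustAnchorRef = null;
                    String certStoreRef = null;
                    boolean trustedWithoutValidation = false;
                    try {
                        // A null or malformed byte array fails here and is reported through the
                        // handlers below rather than being treated as "no token".
                        X509Certificate presented = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(tokenBytes));
                        Iterator<?> settingsIterator = this.conf.getVerificationSettingsList().iterator();
                        SoapSecurityException lastFailure = null;
                        while (settingsIterator.hasNext()) {
                            VerificationSettings settings = (VerificationSettings) settingsIterator.next();
                            Provider certPathProvider = settings.getCertPathProvider();
                            if (settings.getTrustAnyCertificate()) {
                                // Explicit opt-out of validation: the certificate is accepted as-is
                                // and the result is flagged accordingly.
                                accepted = presented;
                                trustedWithoutValidation = true;
                                break;
                            }
                            CertPathBuilder certPathBuilder = certPathProvider == null ? CertPathBuilder.getInstance("PKIX") : CertPathBuilder.getInstance("PKIX", certPathProvider);
                            // Work on a clone so the shared settings object is not modified per message.
                            PKIXBuilderParameters builderParams = (PKIXBuilderParameters) settings.getPKIXBuilderParameters().clone();
                            X509CertSelector targetSelector = (X509CertSelector) builderParams.getTargetCertConstraints();
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "CertPathProvider = " + (certPathProvider == null ? "default" : certPathProvider.getName()));
                                Tr.debug(tc, "CertPath Builder = " + certPathBuilder.getClass().getName());
                                Tr.debug(tc, "CertPath Selector = " + targetSelector.getClass().getName());
                                Tr.debug(tc, "SubjectDN = " + presented.getSubjectX500Principal().getName());
                            }
                            targetSelector.setSubject(presented.getSubjectX500Principal().getEncoded());
                            // Pin the target to the presented certificate itself. With a subject-only
                            // constraint the builder may succeed for any stored certificate that
                            // shares the subject name, yet the presented one is what gets accepted.
                            targetSelector.setCertificate(presented);
                            builderParams.setTargetCertConstraints(targetSelector);
                            // Copy the configured end-entity certificates before adding the presented
                            // one, so certificates taken from messages do not accumulate in the set
                            // returned by the settings object (presumably shared - verify).
                            Collection<?> configuredEeCerts = settings.getEeCerts();
                            HashSet<Object> candidateCerts = new HashSet<>();
                            if (configuredEeCerts != null) {
                                candidateCerts.addAll(configuredEeCerts);
                            }
                            candidateCerts.add(presented);
                            builderParams.addCertStore(certPathProvider == null ? CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidateCerts)) : CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidateCerts), certPathProvider));
                            builderParams.setRevocationEnabled(false);
                            try {
                                // Revocation checking is turned on only if some store actually holds a CRL.
                                List<CertStore> certStores = builderParams.getCertStores();
                                X509CRLSelector anyCrl = new X509CRLSelector();
                                boolean crlAvailable = false;
                                if (certStores != null) {
                                    for (CertStore store : certStores) {
                                        Collection<? extends CRL> crls = store.getCRLs(anyCrl);
                                        if (crls != null && crls.iterator().hasNext()) {
                                            crlAvailable = true;
                                            break;
                                        }
                                    }
                                }
                                if (crlAvailable) {
                                    builderParams.setRevocationEnabled(true);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, " RevocationEnabled.");
                                    }
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, " Revocation Not Enabled.");
                                }
                            } catch (Exception e) {
                                // NOTE(review): deliberate best-effort kept as found - a failure while
                                // probing for CRLs is only traced and validation continues with
                                // revocation checking disabled. Deployments that depend on revocation
                                // should monitor for this trace entry.
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Exception occurred while attempting to process CRLs: " + e);
                                }
                            }
                            try {
                                certPathBuilder.build(builderParams);
                                trustAnchorRef = settings.getTrustAnchorRef();
                                certStoreRef = settings.getCertStoreRef();
                                accepted = presented;
                                break;
                            } catch (CertPathBuilderException e2) {
                                // Remember the failure and try the next settings entry; only the
                                // last failure is reported if none succeeds.
                                lastFailure = SoapSecurityException.format(invalidTokenFault, "security.wssecurity.BinaryTokenReceiver.token19", e2.toString());
                            }
                        }
                        if (accepted == null) {
                            if (lastFailure == null) {
                                // The settings list was empty: report that explicitly instead of
                                // throwing a null reference and surfacing a NullPointerException.
                                throw SoapSecurityException.format("security.wssecurity.BinaryTokenReceiver.token20", "no verification settings are configured for X.509 token validation");
                            }
                            throw lastFailure;
                        }
                        ResultPool.add(map, new TokenResult.X509(accepted, tokenId, trustAnchorRef, certStoreRef, trustedWithoutValidation));
                    } catch (CertificateException e3) {
                        throw SoapSecurityException.format(invalidTokenFault, "security.wssecurity.BinaryTokenReceiver.token17", e3.toString());
                    }
                } catch (SoapSecurityException e4) {
                    Tr.processException((Throwable) e4, clsName + ".invoke", "184", (Object) this);
                    Tr.error(tc, "security.wssecurity.BinaryTokenReceiver.token20", e4);
                    throw e4;
                } catch (Exception e5) {
                    Tr.processException(e5, clsName + ".invoke", "189", this);
                    Tr.error(tc, "security.wssecurity.BinaryTokenReceiver.token20", e5);
                    throw SoapSecurityException.format("security.wssecurity.BinaryTokenReceiver.token20", e5.toString());
                }
            } else {
                // The token is skipped, not rejected: nothing is added to the result pool.
                Tr.warning(tc, "security.wssecurity.BinaryTokenReceiver.token40");
            }
        } else if (tokenBytes != null && tokenBytes.length != 0) {
            // Value types in any WS-Security namespace variant are normalised to one namespace
            // before the login mapping lookup.
            if (NamespaceUtil.isWsse(valueTypeQName.getNamespaceURI())) {
                valueTypeQName = new QName(Constants.NS_WSSE, valueTypeQName.getLocalPart());
            }
            LoginMapping loginMapping = this.conf.getLoginMapping(valueTypeQName);
            if (loginMapping != null) {
                ResultPool.add(map, new TokenResult.Generic(valueTypeQName, ReceiverLogin.login(loginMapping, tokenBytes, null, null, map), tokenId));
            } else {
                // No mapping for this value type: the token is ignored with a warning.
                Tr.warning(tc, "security.wssecurity.BinaryTokenReceiver.token22", valueTypeQName.toString());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Document doc, Element target,Map context)");
        }
    }
}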
