package com.sonicsw.ws.security.policy;

import com.sonicsw.net.http.HttpHelper;
import com.sonicsw.ws.axis.DebugObjects;
import com.sonicsw.ws.security.AlgorithmConstants;
import com.sonicsw.ws.security.action.Action;
import com.sonicsw.ws.security.action.Encryption;
import com.sonicsw.ws.security.action.MessagePart;
import com.sonicsw.ws.security.action.Signature;
import com.sonicsw.ws.security.action.SupportingToken;
import com.sonicsw.ws.security.action.Timestamp;
import com.sonicsw.ws.security.action.TransportBindingAction;
import com.sonicsw.ws.security.policy.model.HttpsToken;
import com.sonicsw.ws.security.policy.model.KeyStoreEntry;
import com.sonicsw.ws.security.policy.model.RequiredElements;
import com.sonicsw.ws.security.policy.model.TransportBinding;
import com.sonicsw.ws.security.policy.model.TransportToken;
import com.sonicsw.ws.security.policy.model.Trust10Token;
import com.sonicsw.ws.security.policy.model.X509IssuerSerial;
import com.sonicsw.ws.security.policy.model.X509Token;
import com.sonicsw.wsp.PolicyException;
import com.sonicsw.wsp.SecurityPolicyException;
import com.sonicsw.wsp.WSPConstants;
import com.sonicsw.wsp.WSPUtils;
import java.util.ArrayList;
import org.apache.ws.security.policy.model.AlgorithmSuite;
import org.apache.ws.security.policy.model.AsymmetricBinding;
import org.apache.ws.security.policy.model.Binding;
import org.apache.ws.security.policy.model.Header;
import org.apache.ws.security.policy.model.Layout;
import org.apache.ws.security.policy.model.PolicyEngineData;
import org.apache.ws.security.policy.model.RootPolicyEngineData;
import org.apache.ws.security.policy.model.SignedEncryptedElements;
import org.apache.ws.security.policy.model.SignedEncryptedParts;
import org.apache.ws.security.policy.model.SymmetricAsymmetricBindingBase;
import org.apache.ws.security.policy.model.SymmetricBinding;
import org.apache.ws.security.policy.model.Token;
import org.apache.ws.security.policy.model.UsernameToken;
import org.apache.ws.security.policy.model.Wss10;
import org.apache.ws.security.policy.model.Wss11;
import progress.message.broker.mqtt.MqttJmsUtils;

/* loaded from: input_file:com/sonicsw/ws/security/policy/SecurityPolicyAlternative.class */
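/**
 * One alternative of a WS-SecurityPolicy document, held as the list of security
 * {@link Action}s that were derived from its assertions.
 *
 * <p>Actions are either added directly through the {@code addAction}/{@code addActions}
 * methods or derived from a parsed policy by {@link #buildActions(RootPolicyEngineData)}.
 * The class does no synchronization of its own.
 */
public class SecurityPolicyAlternative {
    /** Actions collected for this alternative, in the order they were added. */
    private final ArrayList m_actions = new ArrayList();

    /** Starts out {@code true}; {@link #buildActions(RootPolicyEngineData)} sets it to {@code false}. */
    private boolean m_secPolicy2002 = true;

    /**
     * Translates the top-level assertions of one policy alternative into actions.
     *
     * <p>The builder is fail-closed: any assertion, token type, reference model or
     * algorithm suite it does not recognise raises a {@link SecurityPolicyException}
     * instead of being skipped, so an unsupported requirement cannot be dropped silently.
     * Actions are appended to the caller's list only after every assertion has been
     * processed, so a rejected policy contributes no actions.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sonicsw/ws/security/policy/SecurityPolicyAlternative$ActionBuilder.class */
    public static class ActionBuilder {
        private Encryption m_encryption;
        private Signature m_signature;
        private SupportingToken m_supportingToken;
        private Timestamp m_timestamp;
        private TransportBindingAction m_transport;
        // The single binding accepted for this alternative; a second one is rejected.
        private Binding m_binding = null;
        // Set when the binding's protection order is "EncryptBeforeSigning".
        private boolean m_encryptBeforeSigning = false;
        // Set when the binding asks for signature protection (the signature gets encrypted).
        private boolean m_encryptSignature = false;

        ActionBuilder() {
            init();
        }

        /** Resets the builder and creates one fresh, not-yet-required action of each kind. */
        private void init() {
            clear();
            this.m_encryption = new Encryption(WSPUtils.SP_2005);
            this.m_signature = new Signature(WSPUtils.SP_2005);
            this.m_supportingToken = new SupportingToken(WSPUtils.SP_2005);
            this.m_timestamp = new Timestamp(WSPUtils.SP_2005);
            this.m_transport = new TransportBindingAction(WSPUtils.SP_2005);
        }

        /** Drops every action and flag so no per-policy state (including key material) lingers. */
        private void clear() {
            this.m_encryption = null;
            this.m_signature = null;
            this.m_supportingToken = null;
            this.m_timestamp = null;
            this.m_transport = null;
            this.m_binding = null;
            this.m_encryptBeforeSigning = false;
            this.m_encryptSignature = false;
        }

        /**
         * Processes every top-level assertion and appends the resulting actions.
         *
         * @param rootPolicyEngineData parsed policy whose top-level assertions are walked
         * @param arrayList list that receives the required actions once all assertions passed
         * @throws PolicyException if any assertion is unsupported or inconsistent
         */
        void build(RootPolicyEngineData rootPolicyEngineData, ArrayList arrayList) throws PolicyException {
            for (PolicyEngineData policyEngineData : rootPolicyEngineData.getTopLevelPEDs()) {
                // NOTE(review): this concatenates the assertion's toString() into the debug log.
                // X509Token assertions can carry a KeyStoreEntry with a private-key password
                // (see processToken); confirm toString() of the model never prints it.
                DebugObjects.getPolicyDebug().debug("SecurityPolicyAlternative about to process " + policyEngineData);
                if (policyEngineData instanceof AsymmetricBinding) {
                    processBinding((AsymmetricBinding) policyEngineData);
                } else if (policyEngineData instanceof SymmetricBinding) {
                    processBinding((SymmetricBinding) policyEngineData);
                } else if (policyEngineData instanceof TransportBinding) {
                    processBinding((TransportBinding) policyEngineData);
                } else if (policyEngineData instanceof SignedEncryptedParts) {
                    processSignedEncryptedParts((SignedEncryptedParts) policyEngineData);
                } else if (policyEngineData instanceof SignedEncryptedElements) {
                    processSignedEncryptedElements((SignedEncryptedElements) policyEngineData);
                } else if (policyEngineData instanceof RequiredElements) {
                    processRequiredElements((RequiredElements) policyEngineData);
                } else if (policyEngineData instanceof org.apache.ws.security.policy.model.SupportingToken) {
                    processSupportingToken((org.apache.ws.security.policy.model.SupportingToken) policyEngineData);
                } else if (policyEngineData instanceof Wss11) {
                    // Wss11 is tested before Wss10: processWss11 hands its argument on to
                    // processWss10, so a Wss11 is also acceptable wherever a Wss10 is.
                    processWss11((Wss11) policyEngineData);
                } else if (policyEngineData instanceof Wss10) {
                    processWss10((Wss10) policyEngineData);
                } else if (policyEngineData instanceof Trust10Token) {
                    processTrust10((Trust10Token) policyEngineData);
                } else {
                    // Unknown assertions are rejected, never ignored.
                    throw new SecurityPolicyException(policyEngineData + " not supported as top level Assertion.");
                }
            }
            addRequiredActions(arrayList);
            clear();
        }

        /**
         * Accepts a supporting-token assertion that carries exactly one UsernameToken.
         *
         * @throws SecurityPolicyException for any other shape of the assertion
         * @throws UnsupportedOperationException for type 2 when secure conversation is enabled;
         *         this is unchecked, so it is not caught by the {@code PolicyException}
         *         handler in {@code buildActions}
         */
        private void processSupportingToken(org.apache.ws.security.policy.model.SupportingToken supportingToken) throws SecurityPolicyException {
            if (this.m_binding != null && !(this.m_binding instanceof TransportBinding)) {
                throw new SecurityPolicyException("Binding assertion is incompatible with supporting token assertion.");
            }
            // Going by the messages below, type 3 is SignedSupportingToken and type 2 is
            // EndorsingSupportingToken. Every type other than 3 ends in an exception.
            int type = supportingToken.getType();
            if (type != 3) {
                if (!HttpHelper.ENABLE_SECURE_CONVERSATION) {
                    throw new SecurityPolicyException("Unsupported SupportingToken type. Only SignedSupportingToken is supported.");
                }
                if (type != 2) {
                    throw new SecurityPolicyException("Unsupported SupportingToken type. Only SignedSupportingToken and EndorsingSupportingToken are supported.");
                }
                throw new UnsupportedOperationException("EndorsingSupportingToken not yet supported.");
            }
            if (supportingToken.getAlgorithmSuite() != null || supportingToken.getEncryptedElements() != null || supportingToken.getEncryptedParts() != null || supportingToken.getSignedElements() != null || supportingToken.getSignedParts() != null) {
                throw new SecurityPolicyException("Policy contains SignedSupportingToken assertion that is not yet supported. The only assertion currently supported is UsernameToken.");
            }
            ArrayList token = supportingToken.getToken();
            if (token == null || token.isEmpty()) {
                throw new SecurityPolicyException("No token specified in SupportingToken assertion.");
            }
            if (token.size() > 1) {
                throw new SecurityPolicyException("Multiple tokens specified but not supported in SupportingToken assertion.");
            }
            // Check the element's type before casting, so a null or foreign entry is reported
            // as a policy error rather than surfacing as a ClassCastException/NullPointerException.
            Object candidate = token.get(0);
            if (!(candidate instanceof UsernameToken)) {
                throw new SecurityPolicyException("Invalid token type " + (candidate == null ? "null" : candidate.getClass().getName()));
            }
            this.m_supportingToken.setUsernameToken((UsernameToken) candidate);
            this.m_supportingToken.setTokenType(WSSPConstants.QN_TOKENTYPE_USERNAME);
            this.m_supportingToken.setRequired();
        }

        /**
         * Applies the settings shared by every binding kind: algorithm suite, timestamp and layout.
         *
         * <p>Only one binding is accepted per alternative, only the SHA-1 digest and only the
         * "Lax" layout. SHA-1 is a weak digest by current standards; policies that ask for a
         * stronger one are rejected here, not downgraded.
         *
         * @throws SecurityPolicyException if a binding was already seen, or the algorithm
         *         suite or layout is missing or unsupported
         */
        private void processBinding(Binding binding) throws SecurityPolicyException {
            if (this.m_binding != null) {
                // NOTE(review): MqttJmsUtils.JMS_TOPIC_LEVEL_SEPARATOR is used in this class purely
                // as message punctuation; it looks like a decompiler constant substitution — confirm.
                throw new SecurityPolicyException(binding.getClass().getName() + " encountered in a policy alternative that already includes a " + this.m_binding.getClass().getName() + MqttJmsUtils.JMS_TOPIC_LEVEL_SEPARATOR);
            }
            AlgorithmSuite algorithmSuite = binding.getAlgorithmSuite();
            if (algorithmSuite == null) {
                throw new SecurityPolicyException(binding.getClass().getName() + " does not specify an AlgorithmSuite.");
            }
            // Compare by value: an identity comparison (!=) would reject a digest URI that is
            // equal to the constant but held in a different String instance.
            if (!AlgorithmConstants.XMLDSIG_SHA1.equals(algorithmSuite.getDigest())) {
                throw new SecurityPolicyException("Unsupported AlgorithmSuite: " + algorithmSuite.getDigest());
            }
            if (binding instanceof SymmetricBinding) {
                this.m_signature.setAlgSignature(algorithmSuite.getSymmetricSignature());
            } else if (binding instanceof AsymmetricBinding) {
                this.m_signature.setAlgSignature(algorithmSuite.getAsymmetricSignature());
            } else if (binding instanceof TransportBinding) {
                this.m_transport.setAlgorithmSuite(algorithmSuite);
            }
            this.m_signature.setAlgCanonicalization(algorithmSuite.getInclusiveC14n());
            this.m_signature.setAlgDigest(algorithmSuite.getDigest());
            this.m_encryption.setAlgEncryption(algorithmSuite.getEncryption());
            this.m_encryption.setKeyEncryptionAlgorithm(algorithmSuite.getAsymmetricKeyWrap());
            if (binding.isIncludeTimestamp()) {
                this.m_timestamp.setRequired();
                this.m_timestamp.requireTimestamp();
                // Only the asymmetric binding also forces the timestamp to be signed here.
                if (binding instanceof AsymmetricBinding) {
                    this.m_signature.setRequired();
                    this.m_signature.addPart(new MessagePart(WSPConstants.NSURI_SECURITY_UTIL, "Timestamp"));
                }
            }
            Layout layout = binding.getLayout();
            if (layout == null) {
                throw new SecurityPolicyException(binding.getClass().getName() + " does not specify a Layout.");
            }
            if (!"Lax".equals(layout.getValue())) {
                throw new SecurityPolicyException("Unsupported Layout specified " + layout.getValue() + MqttJmsUtils.JMS_TOPIC_LEVEL_SEPARATOR);
            }
            this.m_binding = binding;
        }

        /**
         * Applies the message-protection options common to symmetric and asymmetric bindings:
         * protection order, signature protection, token protection and whole-header/body signing.
         *
         * @throws SecurityPolicyException if a supporting token was already required
         */
        private void processBinding(SymmetricAsymmetricBindingBase symmetricAsymmetricBindingBase) throws SecurityPolicyException {
            processBinding((Binding) symmetricAsymmetricBindingBase);
            if (this.m_supportingToken.isRequired()) {
                throw new SecurityPolicyException("Binding assertion is incompatible with supporting token assertion");
            }
            if (symmetricAsymmetricBindingBase.getProtectionOrder().equals("EncryptBeforeSigning")) {
                this.m_encryptBeforeSigning = true;
            }
            if (symmetricAsymmetricBindingBase.isSignatureProtection()) {
                this.m_encryptSignature = true;
            }
            if (symmetricAsymmetricBindingBase.isTokenProtection()) {
                this.m_signature.addPart(new MessagePart(WSSPConstants.QN_SIGNING_TOKEN));
            }
            if (symmetricAsymmetricBindingBase.isEntireHeaderAndBodySignatures()) {
                this.m_signature.setEntireHeaderAndBodySignatures(true);
            }
        }

        /**
         * Processes an asymmetric binding: validates the initiator and recipient tokens and
         * hands both to the signature and encryption actions.
         *
         * @throws SecurityPolicyException if either token is missing or unsupported
         */
        private void processBinding(AsymmetricBinding asymmetricBinding) throws SecurityPolicyException {
            processBinding((SymmetricAsymmetricBindingBase) asymmetricBinding);
            if (asymmetricBinding.getInitiatorToken() == null || asymmetricBinding.getRecipientToken() == null) {
                throw new SecurityPolicyException("AsymmetricBinding requires both an InitiatorToken and a RecipientToken.");
            }
            processToken(asymmetricBinding.getInitiatorToken().getInitiatorToken(), true);
            this.m_signature.setInitiatorToken(asymmetricBinding.getInitiatorToken());
            this.m_encryption.setInitiatorToken(asymmetricBinding.getInitiatorToken());
            processToken(asymmetricBinding.getRecipientToken().getRecipientToken(), false);
            this.m_signature.setRecipientToken(asymmetricBinding.getRecipientToken());
            this.m_encryption.setRecipientToken(asymmetricBinding.getRecipientToken());
        }

        /**
         * Processes a symmetric binding, which is accepted only while
         * {@code HttpHelper.ENABLE_SECURE_CONVERSATION} is set and a protection token is present.
         *
         * @throws SecurityPolicyException otherwise
         */
        private void processBinding(SymmetricBinding symmetricBinding) throws SecurityPolicyException {
            processBinding((SymmetricAsymmetricBindingBase) symmetricBinding);
            if (!HttpHelper.ENABLE_SECURE_CONVERSATION) {
                // The original message appended "outside of a SecureConversation" only when the
                // flag was true, which cannot happen inside this branch; the text is unchanged.
                throw new SecurityPolicyException("SymmetricBinding not supported" + MqttJmsUtils.JMS_TOPIC_LEVEL_SEPARATOR);
            }
            if (symmetricBinding.getProtectionToken() == null) {
                throw new SecurityPolicyException("Only ProtectionToken use is supported for SymmetricBinding assertions");
            }
            this.m_signature.setProtectionToken(symmetricBinding.getProtectionToken());
            this.m_encryption.setProtectionToken(symmetricBinding.getProtectionToken());
        }

        /**
         * Processes a transport binding: marks the transport action as required and records the
         * supporting token, transport token and HTTPS token when they are present.
         *
         * @throws SecurityPolicyException from the shared binding or supporting-token checks
         */
        private void processBinding(TransportBinding transportBinding) throws SecurityPolicyException {
            processBinding((Binding) transportBinding);
            this.m_transport.setRequired();
            this.m_transport.setTokenType(WSSPConstants.QN_TRANSPORT_BINDING);
            if (transportBinding.getSupportingToken() != null) {
                processSupportingToken(transportBinding.getSupportingToken());
            }
            // NOTE(review): unlike the rest of this builder, a missing or unexpected transport
            // token is accepted silently. The transport action is already required at this point
            // but carries no HttpsToken; confirm the consumer of TransportBindingAction still
            // insists on a protected transport in that case.
            Token transportToken = transportBinding.getTransportToken();
            if (!(transportToken instanceof TransportToken)) {
                return;
            }
            this.m_transport.setTransportToken((TransportToken) transportToken);
            Token httpsCandidate = ((TransportToken) transportToken).getTransportToken();
            if (!(httpsCandidate instanceof HttpsToken)) {
                return;
            }
            this.m_transport.setHttpsToken((HttpsToken) httpsCandidate);
        }

        /**
         * Validates an initiator or recipient token and copies its per-message overrides.
         *
         * <p>Only an X509Token is accepted, with token version {@code WssX509V3Token10} (or none),
         * without the IncludeToken/Once inclusion value, and with at most one of the key-identifier
         * and issuer-serial reference models. A KeyStoreEntry override is applied to the signature
         * action, an X509IssuerSerial override to the encryption action; both together are rejected.
         *
         * @param token the token taken from the binding
         * @param z {@code true} for the initiator token, {@code false} for the recipient token
         *          (used for the error messages only)
         * @throws SecurityPolicyException if the token is missing or violates any rule above
         */
        private void processToken(Token token, boolean z) throws SecurityPolicyException {
            String role = z ? "Initiator" : "Recipient";
            if (token == null) {
                // Without this guard the type check below would dereference null for its message.
                throw new SecurityPolicyException("Missing " + role + "Token. Only X509Token is supported.");
            }
            if (!(token instanceof X509Token)) {
                throw new SecurityPolicyException("Unsupported " + role + "Token type: " + token.getClass().getName() + ". Only X509Token is supported.");
            }
            X509Token x509Token = (X509Token) token;
            if ("http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once".equals(x509Token.getInclusion())) {
                throw new SecurityPolicyException("Unsupported  " + role + "Token IncludeToken valuehttp://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once" + MqttJmsUtils.JMS_TOPIC_LEVEL_SEPARATOR);
            }
            if (x509Token.getTokenVersionAndType() != null && !x509Token.getTokenVersionAndType().equals("WssX509V3Token10")) {
                throw new SecurityPolicyException("Unsupported " + role + "Token X509Token version: " + x509Token.getTokenVersionAndType() + ". Only WssX509V3Token10 is supported.");
            }
            if (x509Token.isRequireEmbeddedTokenReference() || x509Token.isRequireThumbprintReference()) {
                throw new SecurityPolicyException("Unsupported token reference model required by " + role + "Token. Only RequireKeyIdentierReference and RequireIssuerSerialReference are supported.");
            }
            if (x509Token.isRequireKeyIdentifierReference() && x509Token.isRequireIssuerSerialReference()) {
                throw new SecurityPolicyException("Invalid specification of multiple token reference models in " + role + "Token.");
            }
            KeyStoreEntry keyStoreEntry = x509Token.getKeyStoreEntry();
            X509IssuerSerial x509IssuerSerial = x509Token.getX509IssuerSerial();
            if (keyStoreEntry != null && x509IssuerSerial != null) {
                throw new SecurityPolicyException("Invalid use of multiple per-mesage override assertions in " + role + "Token.");
            }
            if (keyStoreEntry != null) {
                // The private-key password comes straight from the policy model and is handed to
                // the signature action; it must never be added to an exception or debug message.
                this.m_signature.setX509TokenAlias(keyStoreEntry.getAlias());
                this.m_signature.setX509TokenPrivateKeyPassword(keyStoreEntry.getPrivateKeyPassword());
            }
            if (x509IssuerSerial != null) {
                this.m_encryption.setX509TokenRefIssuer(x509IssuerSerial.getX509IssuerName());
                this.m_encryption.setX509TokenRefSerialNumber(x509IssuerSerial.getX509SerialNumber());
            }
        }

        /**
         * Turns a SignedParts or EncryptedParts assertion into message parts on the signature or
         * encryption action and marks that action as required.
         *
         * <p>Headers may only be signed, and each header needs a name. An empty EncryptedParts
         * assertion gets a single default {@code MessagePart}; an empty SignedParts is rejected.
         *
         * @throws SecurityPolicyException for encrypted headers, unnamed headers or empty SignedParts
         */
        private void processSignedEncryptedParts(SignedEncryptedParts signedEncryptedParts) throws SecurityPolicyException {
            ArrayList parts = new ArrayList();
            if (signedEncryptedParts.isBody()) {
                parts.add(new MessagePart());
            }
            ArrayList<Header> headers = signedEncryptedParts.getHeaders();
            if (!headers.isEmpty()) {
                if (!signedEncryptedParts.isSignedParts()) {
                    throw new SecurityPolicyException("Encrypting headers requires unsupported WSS 1.1 Encrypted Headers.");
                }
                for (Header header : headers) {
                    if (header.getName() == null || header.getName().length() == 0) {
                        throw new SecurityPolicyException((signedEncryptedParts.isSignedParts() ? "Signed" : "Encrypted") + "Parts optional ommission of Header Name attribute is not supported.");
                    }
                    parts.add(new MessagePart(header.getNamespace(), header.getName()));
                }
            }
            if (!signedEncryptedParts.isBody() && headers.isEmpty()) {
                if (signedEncryptedParts.isSignedParts()) {
                    throw new SecurityPolicyException("Empty SignedParts assertion is not supported.");
                }
                parts.add(new MessagePart());
            }
            if (signedEncryptedParts.isSignedParts()) {
                this.m_signature.setRequired();
                this.m_signature.addParts(parts);
            } else {
                this.m_encryption.setRequired();
                this.m_encryption.addParts(parts);
            }
        }

        /** Always rejects: SignedElements and EncryptedElements assertions are not supported. */
        private void processSignedEncryptedElements(SignedEncryptedElements signedEncryptedElements) throws SecurityPolicyException {
            throw new SecurityPolicyException((signedEncryptedElements.isSignedElements() ? "Signed" : "Encrypted") + "Elements assertion not supported.");
        }

        /** Always rejects: RequiredElements assertions are not supported. */
        private void processRequiredElements(RequiredElements requiredElements) throws SecurityPolicyException {
            throw new SecurityPolicyException("RequiredElements assertion not supported.");
        }

        /**
         * Applies the Wss10 reference options: key-identifier and issuer-serial references are
         * recorded on both actions, embedded-token and external-URI references are rejected.
         */
        private void processWss10(Wss10 wss10) throws SecurityPolicyException {
            if (wss10.isMustSupportRefEmbeddedToken() || wss10.isMustSupportRefExternalURI()) {
                throw new SecurityPolicyException("Unsupported Wss10 assertion(s) " + (wss10.isMustSupportRefEmbeddedToken() ? "MustSupportRefEmbeddedToken " : "") + (wss10.isMustSupportRefExternalURI() ? "MustSupportRefExternalURI " : ""));
            }
            if (wss10.isMustSupportRefKeyIdentifier()) {
                this.m_signature.setMustSupportRefKeyIdentifier(true);
                this.m_encryption.setMustSupportRefKeyIdentifier(true);
            }
            if (wss10.isMustSupportRefIssuerSerial()) {
                this.m_signature.setMustSupportRefIssuerSerial(true);
                this.m_encryption.setMustSupportRefIssuerSerial(true);
            }
        }

        /**
         * Rejects the Wss11-only options (thumbprint and encrypted-key references, signature
         * confirmation) and then applies the Wss10 options of the same assertion.
         */
        private void processWss11(Wss11 wss11) throws SecurityPolicyException {
            if (wss11.isMustSupportRefThumbprint() || wss11.isMustSupportRefEncryptedKey() || wss11.isRequireSignatureConfirmation()) {
                throw new SecurityPolicyException("Unsupported Wss11 assertion(s) " + (wss11.isMustSupportRefThumbprint() ? "MustSupportRefThumbprint " : "") + (wss11.isMustSupportRefEncryptedKey() ? "MustSupportRefEncryptedKey " : "") + (wss11.isRequireSignatureConfirmation() ? "MustRequireSignatureConfirmation " : ""));
            }
            processWss10(wss11);
        }

        /**
         * Applies the Trust10 entropy requirements and rejects the challenge and issued-token
         * options, none of which is supported.
         */
        private void processTrust10(Trust10Token trust10Token) throws SecurityPolicyException {
            if (trust10Token.getRequireClientEntropy()) {
                this.m_signature.setRequireClientEntropy(true);
                this.m_encryption.setRequireClientEntropy(true);
            }
            if (trust10Token.getRequireServerEntropy()) {
                this.m_signature.setRequireServerEntropy(true);
                this.m_encryption.setRequireServerEntropy(true);
            }
            if (trust10Token.getMustSupportClientChallenge()) {
                throw new SecurityPolicyException("/sp:Trust10/wsp:Policy/sp:MustSupportClientChallenge is not supported by SonicMQ in either direction. ");
            }
            if (trust10Token.getMustSupportServerChallenge()) {
                throw new SecurityPolicyException("/sp:Trust10/wsp:Policy/sp:MustSupportServerChallenge is not supported by SonicMQ in either direction. ");
            }
            if (trust10Token.getMustSupportIssuedTokens()) {
                // The message used to name MustSupportServerChallenge (copy-paste slip), which
                // pointed whoever read the error at the wrong assertion.
                throw new SecurityPolicyException("/sp:Trust10/wsp:Policy/sp:MustSupportIssuedTokens is not supported by SonicMQ in either direction. ");
            }
        }

        /**
         * Appends every required action to {@code arrayList}.
         *
         * <p>The order is: timestamp, supporting token, encryption (only here when the protection
         * order is encrypt-before-signing), signature, then encryption if it has not been added
         * yet, and finally transport. When the signature itself must be encrypted, the Signature
         * element is added as an encryption part: on a copy of the encryption action when
         * encryption already ran before signing, otherwise on the encryption action itself.
         */
        private void addRequiredActions(ArrayList arrayList) {
            if (this.m_timestamp.isRequired()) {
                arrayList.add(this.m_timestamp);
            }
            if (this.m_supportingToken.isRequired()) {
                arrayList.add(this.m_supportingToken);
            }
            if (this.m_encryptBeforeSigning && this.m_encryption.isRequired()) {
                arrayList.add(this.m_encryption);
            }
            if (this.m_signature.isRequired()) {
                arrayList.add(this.m_signature);
                if (this.m_encryptSignature) {
                    if (this.m_encryptBeforeSigning) {
                        // The first encryption pass precedes the signature, so the signature is
                        // encrypted by a second action created from the first one.
                        Encryption signatureEncryption = new Encryption(this.m_encryption);
                        signatureEncryption.addPart(new MessagePart(XDSIGConstants.NSURI, "Signature", true));
                        arrayList.add(signatureEncryption);
                    } else {
                        this.m_encryption.addPart(new MessagePart(XDSIGConstants.NSURI, "Signature", true));
                        this.m_encryption.setRequired();
                    }
                }
            }
            if (this.m_encryption.isRequired() && !arrayList.contains(this.m_encryption)) {
                arrayList.add(this.m_encryption);
            }
            if (this.m_transport.isRequired()) {
                arrayList.add(this.m_transport);
            }
        }
    }

    /**
     * Returns the 2002-policy flag.
     *
     * @return {@code true} until {@link #buildActions(RootPolicyEngineData)} has been called
     */
    public boolean isPolicy2002() {
        return this.m_secPolicy2002;
    }

    /**
     * Adds the action carried by an assertion.
     *
     * @param assertion assertion whose {@code getAction()} result is appended
     */
    public void addAction(Assertion assertion) {
        this.m_actions.add(assertion.getAction());
    }

    /**
     * Adds a single action.
     *
     * @param action action to append
     */
    public void addAction(Action action) {
        this.m_actions.add(action);
    }

    /**
     * Returns the collected actions.
     *
     * @return a new array holding the actions in insertion order
     */
    public Action[] getActions() {
        return (Action[]) this.m_actions.toArray(new Action[this.m_actions.size()]);
    }

    /**
     * Adds every element of a list.
     *
     * @param arrayList actions to append; the elements are not type-checked here, so a
     *        non-{@code Action} entry only fails later in {@link #getActions()}
     */
    public void addActions(ArrayList arrayList) {
        this.m_actions.addAll(arrayList);
    }

    /**
     * Adds every element of an array.
     *
     * @param actionArr actions to append
     */
    public void addActions(Action[] actionArr) {
        for (Action action : actionArr) {
            this.m_actions.add(action);
        }
    }

    /**
     * Derives the actions for this alternative from a parsed policy.
     *
     * <p>The 2002-policy flag is cleared before the build starts and stays cleared when the
     * build fails. Only {@link PolicyException} is logged here; unchecked exceptions raised
     * while building propagate without a debug entry.
     *
     * @param rootPolicyEngineData parsed policy to translate
     * @throws PolicyException if the policy contains an unsupported or inconsistent assertion
     */
    public void buildActions(RootPolicyEngineData rootPolicyEngineData) throws PolicyException {
        this.m_secPolicy2002 = false;
        try {
            new ActionBuilder().build(rootPolicyEngineData, this.m_actions);
        } catch (PolicyException e) {
            DebugObjects.getPolicyDebug().debug("Exception encountered processing the Policy: " + e.getMessage());
            throw e;
        }
    }
}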
