package com.sonicsw.ws.security.wss4j;

import com.sonicsw.net.http.ws.WSHttpInRequest;
import com.sonicsw.net.http.ws.WSHttpOutRequest;
import com.sonicsw.security.cert.BrokerCertificateStore;
import com.sonicsw.security.cert.BrokerKeyStore;
import com.sonicsw.security.cert.BrokerTrustStore;
import com.sonicsw.security.cert.TrustStore;
import com.sonicsw.ws.axis.ContextProperties;
import com.sonicsw.ws.axis.DebugObjects;
import com.sonicsw.ws.axis.handlers.PolicyFromWSDLHandler;
import com.sonicsw.ws.security.SOAPFaultConstants;
import com.sonicsw.ws.security.action.Action;
import com.sonicsw.ws.security.action.Encryption;
import com.sonicsw.ws.security.action.MessagePart;
import com.sonicsw.ws.security.action.Signature;
import com.sonicsw.ws.security.action.SupportingToken;
import com.sonicsw.ws.security.action.Timestamp;
import com.sonicsw.ws.security.action.TransportBindingAction;
import com.sonicsw.ws.security.policy.SecurityPolicyAlternative;
import com.sonicsw.ws.security.policy.WSSPConstants;
import com.sonicsw.ws.security.processingresult.EncryptionResult;
import com.sonicsw.ws.security.processingresult.ProcessingResult;
import com.sonicsw.ws.security.processingresult.SignatureResult;
import com.sonicsw.ws.security.processingresult.SupportingTokenResult;
import com.sonicsw.ws.security.processingresult.TimestampResult;
import com.sonicsw.ws.security.processingresult.TransportBindingResult;
import com.sonicsw.ws.security.processingresult.ValidationStatus;
import com.sonicsw.wsp.OperationContext;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Properties;
import java.util.Vector;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import org.apache.axis.AxisFault;
import org.apache.axis.Message;
import org.apache.axis.MessageContext;
import org.apache.axis.SOAPPart;
import org.apache.axis.message.SAX2EventRecorder;
import org.apache.axis.message.SOAPHeaderElement;
import org.apache.axis.utils.XMLUtils;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.Merlin;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:com/sonicsw/ws/security/wss4j/WSSInboundHandler.class */
public class WSSInboundHandler {
    private SonicWSSecurityEngine secEngine;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sonicsw/ws/security/wss4j/WSSInboundHandler$CertCrypto.class */
    /**
     * {@link Merlin} variant that works against a keystore handed in by the caller
     * rather than one loaded from crypto properties.
     *
     * <p>NOTE(review): the method that builds this object ({@code loadCertCrypto()}) is
     * outside this excerpt, so which store ends up here is not visible. Confirm that it
     * holds only certificates the deployment intends to accept.
     */
    public class CertCrypto extends Merlin {
        /**
         * @param keyStore keystore assigned to the inherited {@code keystore} field; the
         *                 reference is stored as-is, not copied
         * @throws Exception if the {@code Merlin} constructor fails
         */
        CertCrypto(final KeyStore keyStore) throws Exception {
            // Null properties: nothing is read from configuration, the store is set below.
            super((Properties) null);
            this.keystore = keyStore;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sonicsw/ws/security/wss4j/WSSInboundHandler$DecryptionCrypto.class */
    /**
     * {@link Merlin} variant used as the decryption crypto of a request; its keystore is
     * injected by the caller instead of being loaded from crypto properties.
     *
     * <p>NOTE(review): the keystore passed in presumably contains the service's private
     * key. The loader ({@code loadDecryptionCrypto}) is outside this excerpt, so confirm
     * there.
     */
    public class DecryptionCrypto extends Merlin {
        /**
         * @param keyStore keystore assigned to the inherited {@code keystore} field; the
         *                 reference is stored as-is, not copied
         * @throws Exception if the {@code Merlin} constructor fails
         */
        DecryptionCrypto(final KeyStore keyStore) throws Exception {
            // Null properties: nothing is read from configuration, the store is set below.
            super((Properties) null);
            this.keystore = keyStore;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sonicsw/ws/security/wss4j/WSSInboundHandler$PasswordCallbackHandler.class */
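    /**
     * Supplies the private-key password for the configured X.509 alias when the
     * WS-Security engine requests it while processing an inbound message.
     *
     * <p>Alias and password are resolved once, at construction time:
     * <ul>
     *   <li>client side: from the {@code WSHttpOutRequest} in the message context;</li>
     *   <li>service side: from the {@code OperationContext} when it carries both values,
     *       otherwise from the {@code WSHttpInRequest}.</li>
     * </ul>
     *
     * <p>Only the alias is written to the handler debug log, never the password. When no
     * usable alias/password pair is available the callback is left unanswered, so the
     * caller receives no key material.
     */
    public class PasswordCallbackHandler implements CallbackHandler {
        // Keystore alias whose private-key password this handler may release.
        private String m_x509Alias;
        // Private-key password for m_x509Alias; null when none could be resolved.
        private char[] m_x509Pwd;

        /**
         * Resolves the alias and private-key password for the given message.
         *
         * @param messageContext Axis context of the message being processed
         */
        PasswordCallbackHandler(MessageContext messageContext) {
            this.m_x509Alias = null;
            this.m_x509Pwd = null;
            if (messageContext.isClient()) {
                WSHttpOutRequest outRequest = (WSHttpOutRequest) messageContext.getProperty(ContextProperties.HTTP_OUT_REQUEST);
                this.m_x509Alias = outRequest.getSigningCertAlias();
                this.m_x509Pwd = outRequest.getSigningCertPrivateKeyPwd();
                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: keystore alias for the request signer = " + this.m_x509Alias);
                return;
            }
            OperationContext operationContext = (OperationContext) messageContext.getProperty(ContextProperties.OPERATION_CONTEXT);
            if (operationContext != null) {
                this.m_x509Alias = operationContext.getSigningCertAlias();
                // A missing password must reach the fallback below instead of failing
                // here with a NullPointerException on toCharArray().
                String operationPassword = operationContext.getSigningCertPassword();
                this.m_x509Pwd = operationPassword == null ? null : operationPassword.toCharArray();
            }
            if (this.m_x509Alias == null || this.m_x509Pwd == null) {
                // Fall back to the service-level alias and password on the HTTP request.
                // The property is null-checked as getActor() does; without a request the
                // fields keep their current values and handle() releases nothing.
                WSHttpInRequest inRequest = (WSHttpInRequest) messageContext.getProperty(ContextProperties.HTTP_IN_REQUEST);
                if (inRequest != null) {
                    this.m_x509Alias = inRequest.getServiceAlias();
                    this.m_x509Pwd = inRequest.getServicePrivateKeyPwd();
                }
            }
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: keystore alias for the service = " + this.m_x509Alias);
        }

        /**
         * Answers {@link WSPasswordCallback}s of usage {@code 1} whose identifier equals
         * the configured alias; callbacks with any other usage are left untouched.
         *
         * @param callbackArr callbacks issued by the security engine
         * @throws IOException declared by the interface; not thrown by this implementation
         * @throws UnsupportedCallbackException if a callback is not a {@code WSPasswordCallback}
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (!(callback instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
                }
                WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;
                // NOTE(review): 1 looks like the inlined WSPasswordCallback.DECRYPT usage
                // constant of WSS4J 1.5.x; confirm against the bundled WSS4J version.
                if (passwordCallback.getUsage() != 1) {
                    continue;
                }
                String identifier = passwordCallback.getIdentifer();
                // Comparing from the alias side keeps a null identifier from throwing.
                if (this.m_x509Alias == null || !this.m_x509Alias.equals(identifier)) {
                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Unable to retrieve private key password for " + identifier + ", expected alias = " + this.m_x509Alias);
                } else if (this.m_x509Pwd == null) {
                    // Alias matches but no password was resolved: leave the callback
                    // unanswered, as in the mismatch case, rather than fail on new String(null).
                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: No private key password configured for " + identifier);
                } else {
                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Retrieving private key password for " + identifier);
                    // setPassword() takes a String, so the secret is copied into an
                    // immutable object that cannot be wiped afterwards.
                    passwordCallback.setPassword(new String(this.m_x509Pwd));
                }
            }
        }
    }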

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sonicsw/ws/security/wss4j/WSSInboundHandler$RequestContext.class */
    /**
     * Per-message state for inbound WS-Security processing. An instance is created for
     * each inbound message and stored on the message context under
     * {@code ContextProperties.WSS_REQUEST_CTX}.
     */
    public class RequestContext {
        // Axis context of the message being processed.
        MessageContext msgContext = null;
        // Crypto used when checking trust in a signing certificate.
        Crypto sigCrypto = null;
        // Crypto handed to the security engine for decryption.
        Crypto decCrypto = null;
        // Defaults to 300. NOTE(review): presumably seconds; the unit is not visible
        // in this excerpt, and nothing here reads the field.
        int timeToLive = 300;

        /** Instances are created only by the enclosing handler. */
        private RequestContext() {
        }

        /**
         * Drops the references to the message context and both crypto objects;
         * {@code timeToLive} is left unchanged.
         */
        void clear() {
            this.msgContext = null;
            this.sigCrypto = null;
            this.decCrypto = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sonicsw/ws/security/wss4j/WSSInboundHandler$SignatureCrypto.class */
    /**
     * {@link Merlin} variant used as the signature crypto of a request; its keystore is
     * injected by the caller instead of being loaded from crypto properties.
     */
    public class SignatureCrypto extends Merlin {
        // NOTE(review): stored but never read in the visible code. The name suggests a
        // certificate-to-user-id mapping switch; confirm where it is consumed.
        private boolean m_cert2uid;

        /**
         * @param keyStore keystore assigned to the inherited {@code keystore} field; the
         *                 reference is stored as-is, not copied
         * @param z        value kept in {@code m_cert2uid}
         * @throws Exception if the {@code Merlin} constructor fails
         */
        SignatureCrypto(final KeyStore keyStore, final boolean z) throws Exception {
            // Null properties: nothing is read from configuration, the store is set below.
            super((Properties) null);
            this.m_cert2uid = z;
            this.keystore = keyStore;
        }
    }

    /**
     * Creates a handler that delegates WS-Security header processing to the engine
     * returned by {@code SonicWSSecurityEngine.getInstance()}.
     */
    public WSSInboundHandler() {
        this.secEngine = (SonicWSSecurityEngine) SonicWSSecurityEngine.getInstance();
    }

    /**
     * Looks up the SOAP actor configured on the inbound HTTP request. The result selects
     * which WS-Security header of the message gets processed.
     *
     * @param messageContext Axis context of the message being processed
     * @return the actor from the {@code WSHttpInRequest}, or {@code null} when the context
     *         has no such request (the caller then substitutes the empty string)
     */
    private String getActor(MessageContext messageContext) {
        final WSHttpInRequest inRequest = (WSHttpInRequest) messageContext.getProperty(ContextProperties.HTTP_IN_REQUEST);
        return inRequest == null ? null : inRequest.getSoapActor();
    }

    /**
     * Collects the actions of one policy alternative that have the given type code, and
     * writes each match to the handler debug log.
     *
     * <p>As used by the inbound path in this class, the codes are: 1 signature,
     * 2 encryption, 3 timestamp, 4 supporting token, 5 transport binding.
     *
     * @param securityPolicyAlternative alternative to inspect; may be {@code null}
     * @param i                         action type code to match against {@code Action.getType()}
     * @return {@code null} when the alternative is {@code null} or declares no actions;
     *         otherwise a (possibly empty) {@code Vector} of the matching actions
     */
    private Vector getAction(SecurityPolicyAlternative securityPolicyAlternative, int i) {
        if (securityPolicyAlternative == null) {
            return null;
        }
        if (securityPolicyAlternative.getActions().length == 0) {
            return null;
        }
        // The action array is fetched a second time here rather than reused from the check.
        final Action[] declared = securityPolicyAlternative.getActions();
        final Vector matches = new Vector();
        for (Action candidate : declared) {
            if (candidate.getType() != i) {
                continue;
            }
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: required action:\n" + candidate);
            matches.add(candidate);
        }
        return matches;
    }

    /**
     * Service-side entry point: applies inbound WS-Security processing to a client request.
     *
     * <p>The shared inbound path writes the complete SOAP envelope to the handler debug
     * log, so that log channel should be treated as sensitive wherever it is enabled.
     *
     * @param messageContext Axis context of the received request
     * @throws AxisFault if security processing or policy validation rejects the message
     */
    public void handleServerRequest(final MessageContext messageContext) throws AxisFault {
        this.handleInboundMessage(messageContext);
    }

    /**
     * Client-side entry point: applies inbound WS-Security processing to a service response.
     *
     * <p>The shared inbound path writes the complete SOAP envelope to the handler debug
     * log, so that log channel should be treated as sensitive wherever it is enabled.
     *
     * @param messageContext Axis context of the received response
     * @throws AxisFault if security processing or policy validation rejects the message
     */
    public void handleClientResponse(final MessageContext messageContext) throws AxisFault {
        this.handleInboundMessage(messageContext);
    }

    private void handleInboundMessage(MessageContext messageContext) throws AxisFault {
        SecurityPolicyAlternative[] securityPolicyAlternativeArr;
        Vector action;
        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: processing " + (messageContext.isClient() ? "service response" : "client request"));
        Message currentMessage = messageContext.getCurrentMessage();
        if (currentMessage == null) {
            return;
        }
        try {
            Document asDocument = currentMessage.getSOAPEnvelope().getAsDocument();
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: SOAP message received:\n" + XMLUtils.PrettyDocumentToString(asDocument));
            RequestContext requestContext = new RequestContext();
            requestContext.msgContext = messageContext;
            messageContext.setProperty(ContextProperties.WSS_REQUEST_CTX, requestContext);
            try {
                try {
                    loadSignatureCrypto(requestContext);
                    loadDecryptionCrypto(requestContext);
                    Vector vector = null;
                    String actor = getActor(messageContext);
                    if (actor == null) {
                        actor = "";
                    }
                    try {
                        SOAPConstants sOAPConstants = WSSecurityUtil.getSOAPConstants(asDocument.getDocumentElement());
                        Element securityHeader = WSSecurityUtil.getSecurityHeader(asDocument, actor, sOAPConstants);
                        if (securityHeader == null) {
                            if (actor.equalsIgnoreCase("http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver")) {
                                actor = "";
                                securityHeader = WSSecurityUtil.getSecurityHeader(asDocument, actor, sOAPConstants);
                                if (securityHeader == null) {
                                    actor = "http://www.w3.org/2003/05/soap-envelope/role/next";
                                    securityHeader = WSSecurityUtil.getSecurityHeader(asDocument, actor, sOAPConstants);
                                    if (securityHeader == null) {
                                        actor = "http://schemas.xmlsoap.org/soap/actor/next";
                                        securityHeader = WSSecurityUtil.getSecurityHeader(asDocument, actor, sOAPConstants);
                                    }
                                }
                            } else if (securityHeader == null) {
                                actor = "http://www.w3.org/2003/05/soap-envelope/role/next";
                                securityHeader = WSSecurityUtil.getSecurityHeader(asDocument, actor, sOAPConstants);
                                if (securityHeader == null) {
                                    actor = "http://schemas.xmlsoap.org/soap/actor/next";
                                    securityHeader = WSSecurityUtil.getSecurityHeader(asDocument, actor, sOAPConstants);
                                }
                            }
                        }
                        if (securityHeader != null) {
                            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Processing WS-Security header for '" + actor + "' actor.");
                            vector = this.secEngine.processSecurityHeader(securityHeader, new PasswordCallbackHandler(requestContext.msgContext), loadCertCrypto(), requestContext.decCrypto);
                        }
                        if (securityHeader != null) {
                            ArrayList arrayList = new ArrayList();
                            Iterator it = currentMessage.getSOAPEnvelope().getHeaders().iterator();
                            while (it.hasNext()) {
                                SOAPHeaderElement sOAPHeaderElement = (SOAPHeaderElement) it.next();
                                if (sOAPHeaderElement.isProcessed()) {
                                    arrayList.add(sOAPHeaderElement.getQName());
                                }
                            }
                            SOAPPart sOAPPart = currentMessage.getSOAPPart();
                            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                            org.apache.xml.security.utils.XMLUtils.outputDOM(asDocument, byteArrayOutputStream, true);
                            sOAPPart.setCurrentMessage(byteArrayOutputStream.toByteArray(), 4);
                            Iterator it2 = arrayList.iterator();
                            while (it2.hasNext()) {
                                QName qName = (QName) it2.next();
                                Enumeration headersByName = currentMessage.getSOAPEnvelope().getHeadersByName(qName.getNamespaceURI(), qName.getLocalPart());
                                while (headersByName.hasMoreElements()) {
                                    ((SOAPHeaderElement) headersByName.nextElement()).setProcessed(true);
                                }
                            }
                            try {
                                SOAPHeaderElement sOAPHeaderElement2 = null;
                                Iterator examineHeaderElements = currentMessage.getSOAPEnvelope().getHeader().examineHeaderElements(actor);
                                while (true) {
                                    if (!examineHeaderElements.hasNext()) {
                                        break;
                                    }
                                    SOAPHeaderElement sOAPHeaderElement3 = (javax.xml.soap.SOAPHeaderElement) examineHeaderElements.next();
                                    if (sOAPHeaderElement3.getLocalName().equals("Security") && sOAPHeaderElement3.getNamespaceURI().equals("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")) {
                                        sOAPHeaderElement2 = sOAPHeaderElement3;
                                        sOAPHeaderElement2.setProcessed(true);
                                        break;
                                    }
                                }
                                if (sOAPHeaderElement2 == null) {
                                    AxisFault axisFault = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY), SOAPFaultConstants.FS_INVALID_SECURITY, actor, (Element[]) null);
                                    axisFault.clearFaultDetails();
                                    axisFault.addFaultDetailString(SOAPFaultConstants.FD_SOAP_HEADER_NOT_FOUND_ERROR);
                                    throw axisFault;
                                }
                                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: removing the processed security header - \n" + sOAPHeaderElement2);
                                sOAPHeaderElement2.detachNode();
                                currentMessage.getSOAPEnvelope().setRecorder((SAX2EventRecorder) null);
                                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Post-processing SOAP message");
                                DebugObjects.getHandlerDebug().debug(XMLUtils.PrettyDocumentToString(currentMessage.getSOAPEnvelope().getAsDocument()));
                            } catch (Exception e) {
                                AxisFault axisFault2 = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY), SOAPFaultConstants.FS_INVALID_SECURITY, actor, (Element[]) null);
                                axisFault2.clearFaultDetails();
                                axisFault2.addFaultDetailString(SOAPFaultConstants.FD_SOAP_HEADER_NOT_FOUND_ERROR);
                                axisFault2.setStackTrace(e.getStackTrace());
                                throw axisFault2;
                            }
                        }
                        Object[] fetchActionResult = fetchActionResult(vector, 32);
                        Object[] fetchActionResult2 = fetchActionResult(vector, 1);
                        Object[] fetchActionResult3 = fetchActionResult(vector, 2);
                        Object[] fetchActionResult4 = fetchActionResult(vector, 4);
                        if (fetchActionResult2 != null) {
                            for (Object obj : fetchActionResult2) {
                                SupportingTokenResult supportingTokenResult = (SupportingTokenResult) obj;
                                if (!authenticate(supportingTokenResult)) {
                                    AxisFault axisFault3 = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_FAILED_AUTHENTICATION), SOAPFaultConstants.FS_FAILED_AUTHENTICATION, actor, (Element[]) null);
                                    axisFault3.clearFaultDetails();
                                    axisFault3.addFaultDetailString("Failed to authenticate Username token, uid = " + supportingTokenResult.getUsername());
                                    throw axisFault3;
                                }
                            }
                        }
                        if (fetchActionResult3 != null) {
                            for (Object obj2 : fetchActionResult3) {
                                X509Certificate certificate = ((SignatureResult) obj2).getCertificate();
                                if (certificate != null) {
                                    if (!verifyTrust(certificate, (SignatureCrypto) requestContext.sigCrypto)) {
                                        AxisFault axisFault4 = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_FAILED_AUTHENTICATION), SOAPFaultConstants.FS_FAILED_AUTHENTICATION, (String) null, (Element[]) null);
                                        axisFault4.clearFaultDetails();
                                        axisFault4.addFaultDetailString("Signing certificate not trusted, subject DN = " + certificate.getSubjectDN().getName());
                                        throw axisFault4;
                                    }
                                    if (!messageContext.isClient()) {
                                        ((WSHttpInRequest) messageContext.getProperty(ContextProperties.HTTP_IN_REQUEST)).setSigningCertificate(certificate);
                                        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: saving the signing cert to encrypt the response, cert info:\n" + certificate);
                                    }
                                }
                            }
                        }
                        if (messageContext.isClient()) {
                            securityPolicyAlternativeArr = (SecurityPolicyAlternative[]) messageContext.getProperty(ContextProperties.WSS_INBOUND_POLICY);
                        } else {
                            if (messageContext.getProperty(ContextProperties.WSS_INBOUND_POLICY) == null) {
                                ((PolicyFromWSDLHandler) messageContext.getProperty(ContextProperties.WSS_INBOUND_POLICY_HANDLER)).getPolicy(messageContext);
                            }
                            securityPolicyAlternativeArr = (SecurityPolicyAlternative[]) messageContext.getProperty(ContextProperties.WSS_INBOUND_POLICY);
                        }
                        if (securityPolicyAlternativeArr != null) {
                            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: policy alternative count = " + securityPolicyAlternativeArr.length);
                            AxisFault axisFault5 = null;
                            int i = 0;
                            while (true) {
                                if (i >= securityPolicyAlternativeArr.length) {
                                    break;
                                }
                                Vector action2 = getAction(securityPolicyAlternativeArr[i], 4);
                                int size = action2 != null ? 0 + action2.size() : 0;
                                Vector action3 = getAction(securityPolicyAlternativeArr[i], 3);
                                if (action3 != null) {
                                    size += action3.size();
                                }
                                Vector action4 = getAction(securityPolicyAlternativeArr[i], 1);
                                if (action4 != null) {
                                    size += action4.size();
                                }
                                Vector action5 = getAction(securityPolicyAlternativeArr[i], 2);
                                if (action5 != null) {
                                    size += action5.size();
                                }
                                action = getAction(securityPolicyAlternativeArr[i], 5);
                                if (action != null) {
                                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: processing " + action.size() + " TransportBinding Actions");
                                }
                                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: security assertion count of policy alternative " + i + " = " + size);
                                if (size == 0) {
                                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: no security required.");
                                    axisFault5 = null;
                                    break;
                                }
                                if (vector == null || (size > vector.size() && securityPolicyAlternativeArr[i].isPolicy2002())) {
                                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Missing security header element(s), expected = " + size + ", found = " + (vector == null ? 0 : vector.size()));
                                    axisFault5 = initFault(actor);
                                    axisFault5.addFaultDetailString(SOAPFaultConstants.FD_SECURITY_HEADER_NOT_FOUND);
                                } else {
                                    boolean z = false;
                                    if (action3 != null && !action3.isEmpty()) {
                                        z = true;
                                        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: timestamp is required by the policy.");
                                    }
                                    if (!z || fetchActionResult != null) {
                                        Timestamp timestamp = z ? (Timestamp) action3.get(0) : null;
                                        if (fetchActionResult != null) {
                                            for (Object obj3 : fetchActionResult) {
                                                if (!((TimestampResult) obj3).validate(timestamp)) {
                                                    axisFault5 = initFault(actor);
                                                    axisFault5.addFaultDetailString(SOAPFaultConstants.FD_MESSAGE_EXPIRED);
                                                }
                                            }
                                        }
                                        boolean z2 = false;
                                        SupportingToken supportingToken = null;
                                        if (action2 != null && !action2.isEmpty()) {
                                            int i2 = 0;
                                            while (true) {
                                                if (i2 >= action2.size()) {
                                                    break;
                                                }
                                                supportingToken = (SupportingToken) action2.get(i2);
                                                if (supportingToken.getTokenType().equals(WSSPConstants.QN_TOKENTYPE_USERNAME)) {
                                                    z2 = true;
                                                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: security (username) token is required for " + supportingToken);
                                                    break;
                                                }
                                                i2++;
                                            }
                                        }
                                        if (z2) {
                                            boolean z3 = false;
                                            if (fetchActionResult2 != null) {
                                                for (Object obj4 : fetchActionResult2) {
                                                    SupportingTokenResult supportingTokenResult2 = (SupportingTokenResult) obj4;
                                                    if (!z3) {
                                                        z3 = supportingTokenResult2.validate(supportingToken);
                                                        if (z3) {
                                                            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Required security (username) token found.");
                                                        }
                                                    }
                                                }
                                            }
                                            if (!z3) {
                                                axisFault5 = initFault(actor);
                                                axisFault5.addFaultDetailString(SOAPFaultConstants.FD_USERNAME_TOKEN_NOT_FOUND);
                                            }
                                        }
                                        if (action4 != null && !action4.isEmpty()) {
                                            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: signature is required by the policy alternative.");
                                            int length = fetchActionResult3 == null ? 0 : fetchActionResult3.length;
                                            if (length == 0 || (length < action4.size() && securityPolicyAlternativeArr[i].isPolicy2002())) {
                                                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: required signature NOT found.");
                                                axisFault5 = initFault(actor);
                                                appendErrorAndFaultDetailString(securityPolicyAlternativeArr, i, SOAPFaultConstants.FD_SIGNATURE_NOT_FOUND, action4, length, axisFault5);
                                            } else {
                                                boolean z4 = false;
                                                ValidationStatus validationStatus = new ValidationStatus();
                                                int i3 = 0;
                                                while (true) {
                                                    if (i3 >= action4.size()) {
                                                        break;
                                                    }
                                                    Signature signature = (Signature) action4.get(i3);
                                                    z4 = securityPolicyAlternativeArr[i].isPolicy2002() ? validateIntegrityAssertion(signature, fetchActionResult3, messageContext, validationStatus) : validateSignedParts(signature, fetchActionResult3, messageContext, validationStatus);
                                                    if (!z4) {
                                                        axisFault5 = returnErrorWithDetail(actor, length, SOAPFaultConstants.FD_SIGNATURE_NOT_FOUND, validationStatus);
                                                        break;
                                                    }
                                                    i3++;
                                                }
                                                if (z4) {
                                                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: required signature(s) found.");
                                                }
                                            }
                                        }
                                        if (action5 == null || action5.isEmpty()) {
                                            break;
                                        }
                                        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: encryption is required by the policy alternative.");
                                        int length2 = fetchActionResult4 == null ? 0 : fetchActionResult4.length;
                                        if (length2 != 0 && (length2 >= action5.size() || !securityPolicyAlternativeArr[i].isPolicy2002())) {
                                            boolean z5 = false;
                                            ValidationStatus validationStatus2 = new ValidationStatus();
                                            int i4 = 0;
                                            while (true) {
                                                if (i4 >= action5.size()) {
                                                    break;
                                                }
                                                Encryption encryption = (Encryption) action5.get(i4);
                                                z5 = securityPolicyAlternativeArr[i].isPolicy2002() ? validateConfidentialityAssertion(encryption, fetchActionResult4, messageContext, validationStatus2) : validateEncryptedParts(encryption, fetchActionResult4, messageContext, validationStatus2);
                                                if (!z5) {
                                                    axisFault5 = returnErrorWithDetail(actor, length2, SOAPFaultConstants.FD_ENCRYPTION_NOT_FOUND, validationStatus2);
                                                    break;
                                                }
                                                i4++;
                                            }
                                            if (z5) {
                                                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: required encryption(s) found.");
                                                break;
                                            }
                                        } else {
                                            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: required encryption NOT found.");
                                            axisFault5 = initFault(actor);
                                            appendErrorAndFaultDetailString(securityPolicyAlternativeArr, i, SOAPFaultConstants.FD_ENCRYPTION_NOT_FOUND, action5, length2, axisFault5);
                                        }
                                    } else {
                                        axisFault5 = initFault(actor);
                                        axisFault5.addFaultDetailString(SOAPFaultConstants.FD_TIMESTAMP_NOT_FOUND);
                                    }
                                }
                                i++;
                            }
                            int i5 = 0;
                            while (true) {
                                if (i5 >= action.size()) {
                                    break;
                                }
                                TransportBindingAction transportBindingAction = (TransportBindingAction) action.get(i5);
                                TransportBindingResult transportBindingResult = new TransportBindingResult(messageContext);
                                if (!false && !transportBindingResult.validate(transportBindingAction)) {
                                    DebugObjects.getHandlerDebug().debug("WSSInboundHandler: " + transportBindingResult.getStatus());
                                    AxisFault axisFault6 = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", transportBindingResult.getStatus()), SOAPFaultConstants.FS_INVALID_SECURITY, actor, (Element[]) null);
                                    axisFault6.clearFaultDetails();
                                    axisFault6.addFaultDetailString(transportBindingResult.getStatus());
                                    break;
                                }
                                i5++;
                            }
                            axisFault5 = null;
                            if (axisFault5 != null) {
                                throw axisFault5;
                            }
                        }
                        Vector vector2 = (Vector) messageContext.getProperty("RECV_RESULTS");
                        Vector vector3 = vector2;
                        if (vector2 == null) {
                            vector3 = new Vector();
                            messageContext.setProperty("RECV_RESULTS", vector3);
                        }
                        vector3.add(0, new ProcessingResult(actor, vector));
                        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: exit invoke()");
                        requestContext.clear();
                    } catch (WSSecurityException e2) {
                        AxisFault axisFault7 = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY), SOAPFaultConstants.FS_INVALID_SECURITY, actor, (Element[]) null);
                        axisFault7.clearFaultDetails();
                        axisFault7.addFaultDetailString(e2.getMessage());
                        axisFault7.setStackTrace(e2.getStackTrace());
                        throw axisFault7;
                    }
                } catch (Throwable th) {
                    requestContext.clear();
                    throw th;
                }
            } catch (AxisFault e3) {
                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Axis fault, fault code = " + e3.getFaultCode() + ", fault string = " + e3.getFaultString());
                throw e3;
            } catch (Exception e4) {
                if (DebugObjects.getHandlerDebug().getDebug()) {
                    e4.printStackTrace();
                }
                AxisFault axisFault8 = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY), SOAPFaultConstants.FS_INVALID_SECURITY, (String) null, (Element[]) null);
                axisFault8.clearFaultDetails();
                axisFault8.addFaultDetailString("Server Error: " + e4.getMessage());
                axisFault8.setStackTrace(e4.getStackTrace());
                throw axisFault8;
            }
        } catch (Exception e5) {
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Empty soap envelope or failure to convert the soap envelope into document:" + e5.getMessage());
        }
    }

    /**
     * Adds a detail string to {@code axisFault}. When the selected policy alternative reports
     * {@code isPolicy2002()}, the text is extended with the expected and found counts.
     *
     * @param securityPolicyAlternativeArr policy alternatives being evaluated
     * @param i index of the alternative the message failed against
     * @param str base detail text
     * @param vector actions required by that alternative; only its size is read
     * @param i2 number of matching processing results that were found
     * @param axisFault fault that receives the detail string
     */
    private void appendErrorAndFaultDetailString(SecurityPolicyAlternative[] securityPolicyAlternativeArr, int i, String str, Vector vector, int i2, AxisFault axisFault) {
        // NOTE(review): the counts become part of the fault detail. If fault details are
        // serialized back to the sender, they reveal how many elements the policy requires;
        // confirm that this level of detail is intended for remote callers.
        boolean is2002 = securityPolicyAlternativeArr[i].isPolicy2002();
        String detail = is2002 ? str + "; expected " + vector.size() + ", found " + i2 : str;
        axisFault.addFaultDetailString(detail);
    }

    /**
     * Builds a fault for {@code str} (passed through to {@code initFault}) carrying
     * {@code str2} as its detail string. When exactly one result was examined and the
     * validation status holds an error, that error is appended to the detail.
     *
     * @param str value handed to {@code initFault}
     * @param i number of processing results that were examined
     * @param str2 base detail text
     * @param validationStatus status object filled in by the failed validation
     * @return the new fault; the caller decides whether to throw it
     */
    private static AxisFault returnErrorWithDetail(String str, int i, String str2, ValidationStatus validationStatus) {
        String detail = str2;
        // The extra error text is only added when a single result was examined.
        boolean singleResultWithError = i == 1 && validationStatus.getError() != null;
        if (singleResultWithError) {
            // NOTE(review): the validation error text goes into the fault detail as well as the
            // debug log; confirm it cannot carry internal information a remote sender should not see.
            detail = detail + "; possible error: " + validationStatus.getError();
        }
        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: " + detail);
        AxisFault fault = initFault(str);
        fault.addFaultDetailString(detail);
        return fault;
    }

    /**
     * Creates a fault with the {@code FC_INVALID_SECURITY} code in the WS-Security secext
     * namespace and the {@code FS_INVALID_SECURITY} fault string, then clears its fault details
     * so the caller can add its own.
     *
     * @param str third constructor argument of the fault (callers in this file pass the actor)
     * @return the new fault with its fault details cleared
     */
    private static AxisFault initFault(String str) {
        QName faultCode = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY);
        Element[] noDetails = null;
        AxisFault fault = new AxisFault(faultCode, SOAPFaultConstants.FS_INVALID_SECURITY, str, noDetails);
        fault.clearFaultDetails();
        return fault;
    }

    /**
     * Selects the trust store used to verify signing certificates and stores a
     * {@code SignatureCrypto} built from it in {@code requestContext.sigCrypto}.
     *
     * <p>On the client side the broker trust store is used and certificate-to-user mapping is
     * off. Otherwise both values come from the {@code HTTP_IN_REQUEST} property, with the broker
     * trust store as fallback when the request has none. If no trust store is available at all,
     * {@code sigCrypto} is left unchanged.
     *
     * @param requestContext per-request state; {@code msgContext} is read, {@code sigCrypto} is written
     * @throws AxisFault if the selected trust store cannot be loaded
     */
    private void loadSignatureCrypto(RequestContext requestContext) throws AxisFault {
        TrustStore store;
        boolean mapCertToUid;
        if (!requestContext.msgContext.isClient()) {
            // NOTE(review): a missing HTTP_IN_REQUEST property causes a NullPointerException here,
            // outside the try block below, so it is not turned into the trust-store fault.
            WSHttpInRequest inbound = (WSHttpInRequest) requestContext.msgContext.getProperty(ContextProperties.HTTP_IN_REQUEST);
            store = inbound.getTrustStore();
            mapCertToUid = inbound.isCertificateToUidEnabled();
            if (store == null) {
                store = BrokerTrustStore.getInstance("JKS");
            }
        } else {
            mapCertToUid = false;
            store = BrokerTrustStore.getInstance("JKS");
        }
        if (store == null) {
            // No SignatureCrypto is created; verifyTrust() rejects certificates in that state.
            return;
        }
        try {
            // This message is logged for the broker trust store fallback as well.
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: loading per-service trust store for trust verification");
            requestContext.sigCrypto = new SignatureCrypto(store.getTrustStore(), mapCertToUid);
        } catch (Exception e) {
            if (DebugObjects.getHandlerDebug().getDebug()) {
                e.printStackTrace();
            }
            QName faultCode = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY);
            AxisFault fault = new AxisFault(faultCode, SOAPFaultConstants.FS_INVALID_SECURITY, (String) null, (Element[]) null);
            fault.clearFaultDetails();
            // NOTE(review): the exception message is copied into the fault detail; confirm it
            // cannot expose key store paths or similar internals to a remote sender.
            fault.addFaultDetailString("Error loading the trust store for signature verification : " + e.getMessage());
            throw fault;
        }
    }

    /**
     * Wraps the broker "JKS" key store in a {@code DecryptionCrypto} and stores it in
     * {@code requestContext.decCrypto}.
     *
     * @param requestContext per-request state whose {@code decCrypto} field is written
     * @throws AxisFault if obtaining the key store or building the crypto object fails
     */
    private void loadDecryptionCrypto(RequestContext requestContext) throws AxisFault {
        try {
            KeyStore brokerKeys = BrokerKeyStore.getInstance("JKS").getKeyStore();
            boolean available = brokerKeys != null;
            if (available) {
                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: loading the broker key store for decryption.");
            }
            // A null key store is passed through unchanged; only the debug line is skipped.
            // NOTE(review): confirm DecryptionCrypto rejects decryption when it has no key store.
            requestContext.decCrypto = new DecryptionCrypto(brokerKeys);
        } catch (Exception e) {
            QName faultCode = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY);
            AxisFault fault = new AxisFault(faultCode, SOAPFaultConstants.FS_INVALID_SECURITY, (String) null, (Element[]) null);
            fault.clearFaultDetails();
            // NOTE(review): the exception message is copied into the fault detail; confirm it
            // cannot expose key store internals to a remote sender.
            fault.addFaultDetailString("Error loading the key store for message decryption : " + e.getMessage());
            throw fault;
        }
    }

    /**
     * Wraps the broker certificate store in a new {@code CertCrypto}.
     *
     * @return a {@code CertCrypto} built from the broker certificate store's key store
     * @throws AxisFault if obtaining the store or building the crypto object fails
     */
    private CertCrypto loadCertCrypto() throws AxisFault {
        try {
            KeyStore brokerCerts = BrokerCertificateStore.getInstance().getKeyStore();
            boolean available = brokerCerts != null;
            if (available) {
                DebugObjects.getHandlerDebug().debug("WSSInboundHandler: loading the broker cert store.");
            }
            // A null store is passed through unchanged; only the debug line is skipped.
            return new CertCrypto(brokerCerts);
        } catch (Exception e) {
            QName faultCode = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_INVALID_SECURITY);
            AxisFault fault = new AxisFault(faultCode, SOAPFaultConstants.FS_INVALID_SECURITY, (String) null, (Element[]) null);
            fault.clearFaultDetails();
            // NOTE(review): the exception message is copied into the fault detail; confirm it
            // cannot expose certificate store internals to a remote sender.
            fault.addFaultDetailString("Error loading the cert store for signature processing : " + e.getMessage());
            throw fault;
        }
    }

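    /**
     * Authenticates the user name and password carried by a supporting token result against
     * the security engine's password trust manager.
     *
     * <p>When the token reports a password digest, the nonce and created time are passed along
     * with the user name and password; otherwise only the user name and password are passed.
     * On success the result's user name is replaced by the returned principal's name and its
     * password is cleared.
     *
     * @param supportingTokenResult token data taken from the inbound message
     * @return {@code true} if the trust manager returned a principal, {@code false} otherwise
     */
    private boolean authenticate(SupportingTokenResult supportingTokenResult) {
        String username = supportingTokenResult.getUsername();
        String password = supportingTokenResult.getPassword();
        String nonce = supportingTokenResult.getNonce();
        String createdTime = supportingTokenResult.getCreatedTime();
        boolean isPasswordDigest = supportingTokenResult.isPasswordDigest();
        // The user name comes from the message and is not yet authenticated. Line breaks are
        // replaced in the copy used for logging so it cannot forge extra log entries; the
        // value handed to the trust manager is left untouched.
        String loggedUser = username == null ? null : username.replace('\r', '_').replace('\n', '_');
        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Authenticating user " + loggedUser + ", hashed password = " + isPasswordDigest);
        // NOTE(review): for the digest form, freshness of nonce and created time is presumably
        // enforced by the trust manager; nothing in this method checks them. Confirm.
        Principal authenticate = isPasswordDigest ? this.secEngine.getPasswordTrustManager().authenticate(username, password, nonce, createdTime) : this.secEngine.getPasswordTrustManager().authenticate(username, password);
        if (authenticate == null) {
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: User \"" + loggedUser + "\" authentication FAILED.");
            // NOTE(review): the password stays on the result object on this path; confirm no
            // later handler logs or stores the result after a failed authentication.
            return false;
        }
        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: User \"" + loggedUser + "\" authentication SUCCEEDED.");
        supportingTokenResult.setUsername(authenticate.getName());
        // Drop the secret once it is no longer needed.
        supportingTokenResult.setPassword(null);
        return true;
    }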

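    /**
     * Checks a signing certificate against the trust store held by {@code signatureCrypto} and,
     * when certificate-to-user mapping is enabled on it, requires that the certificate maps to
     * an internal user.
     *
     * @param x509Certificate signing certificate taken from the inbound message
     * @param signatureCrypto crypto object holding the trust store and the mapping flag
     * @return the X.509 trust manager's verdict for the certificate
     * @throws AxisFault with the {@code FC_FAILED_AUTHENTICATION} code if no trust store is
     *         available, or if mapping is enabled and the domain trust manager returns no user
     */
    private boolean verifyTrust(X509Certificate x509Certificate, SignatureCrypto signatureCrypto) throws AxisFault {
        String subjectDn = x509Certificate.getSubjectDN().getName();
        // The subject DN is taken from a certificate that has not been verified yet. Line breaks
        // are replaced in the copy used for logging so it cannot forge extra log entries.
        String loggedDn = subjectDn == null ? null : subjectDn.replace('\r', '_').replace('\n', '_');
        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Verifying signing certificate " + loggedDn);
        if (signatureCrypto == null || signatureCrypto.getKeyStore() == null) {
            // Fail closed: without a trust store no certificate can be accepted.
            AxisFault axisFault = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_FAILED_AUTHENTICATION), SOAPFaultConstants.FS_FAILED_AUTHENTICATION, (String) null, (Element[]) null);
            axisFault.clearFaultDetails();
            axisFault.addFaultDetailString("Signing certificate not trusted (trust store not available), subject DN = " + subjectDn);
            throw axisFault;
        }
        boolean isTrusted = this.secEngine.getX509TrustManager().isTrusted(x509Certificate, signatureCrypto.getKeyStore());
        DebugObjects.getHandlerDebug().debug("WSSInboundHandler: signing certificate " + (isTrusted ? "is trusted." : "is NOT trusted."));
        if (signatureCrypto.m_cert2uid) {
            // The mapping lookup runs even when the certificate was just found untrusted; the
            // method still returns false in that case unless the lookup itself faults.
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Mapping certificate to internal user...");
            Principal isTrusted2 = this.secEngine.getDomainTrustManager().isTrusted(x509Certificate);
            DebugObjects.getHandlerDebug().debug("WSSInboundHandler: Mapped internal user " + isTrusted2);
            if (isTrusted2 == null) {
                AxisFault axisFault2 = new AxisFault(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", SOAPFaultConstants.FC_FAILED_AUTHENTICATION), SOAPFaultConstants.FS_FAILED_AUTHENTICATION, (String) null, (Element[]) null);
                axisFault2.clearFaultDetails();
                axisFault2.addFaultDetailString("Signer not a valid user, subject DN = " + subjectDn);
                throw axisFault2;
            }
        }
        // NOTE(review): an untrusted certificate is reported through the return value, not a
        // fault; every caller has to check it.
        return isTrusted;
    }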

    /**
     * Collects the processing results of one kind from {@code vector}.
     *
     * <p>The action code selects the result class: 1 for {@code SupportingTokenResult}, 2 for
     * {@code SignatureResult}, 4 for {@code EncryptionResult} and 32 for {@code TimestampResult}.
     * NOTE(review): these values presumably mirror the WSS4J action constants; confirm against
     * the caller.
     *
     * @param vector processing results of mixed types; may be {@code null}
     * @param i action code
     * @return the matching results in their original order, or {@code null} when the input is
     *         {@code null} or empty, the code is not one of the four, or nothing matches
     */
    private Object[] fetchActionResult(Vector vector, int i) {
        if (vector == null || vector.isEmpty()) {
            return null;
        }
        final Class<?> wanted;
        switch (i) {
            case 1:
                wanted = SupportingTokenResult.class;
                break;
            case 2:
                wanted = SignatureResult.class;
                break;
            case 4:
                wanted = EncryptionResult.class;
                break;
            case 32:
                wanted = TimestampResult.class;
                break;
            default:
                // No result class is associated with any other code.
                return null;
        }
        ArrayList<Object> matches = new ArrayList<Object>();
        for (int idx = 0; idx < vector.size(); idx++) {
            Object candidate = vector.get(idx);
            if (wanted.isInstance(candidate)) {
                matches.add(candidate);
            }
        }
        // Callers receive null, not an empty array, when nothing matched.
        return matches.isEmpty() ? null : matches.toArray();
    }

    /**
     * Validates a required signature against the signature results, stopping at the first
     * result that satisfies it.
     *
     * @param signature signature action required by the policy
     * @param objArr signature results; every element is cast to {@code SignatureResult}
     * @param messageContext context of the message being processed
     * @param validationStatus status object passed to each {@code validate} call
     * @return {@code true} if any result validates, {@code false} if none does or the array is empty
     */
    private boolean validateIntegrityAssertion(Signature signature, Object[] objArr, MessageContext messageContext, ValidationStatus validationStatus) {
        for (int idx = 0; idx < objArr.length; idx++) {
            SignatureResult candidate = (SignatureResult) objArr[idx];
            if (candidate.validate(signature, messageContext, validationStatus)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates a required encryption against the encryption results, stopping at the first
     * result that satisfies it.
     *
     * @param encryption encryption action required by the policy
     * @param objArr encryption results; every element is cast to {@code EncryptionResult}
     * @param messageContext context of the message being processed
     * @param validationStatus status object passed to each {@code validate} call
     * @return {@code true} if any result validates, {@code false} if none does or the array is empty
     */
    private boolean validateConfidentialityAssertion(Encryption encryption, Object[] objArr, MessageContext messageContext, ValidationStatus validationStatus) {
        for (int idx = 0; idx < objArr.length; idx++) {
            EncryptionResult candidate = (EncryptionResult) objArr[idx];
            if (candidate.validate(encryption, messageContext, validationStatus)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates the required signed parts against the signature results, stopping at the first
     * result that satisfies the requirement.
     *
     * <p>After each result that does not validate, every part listed by
     * {@code validationStatus.getMessageParts()} is removed from {@code signature.getParts()}
     * before the next result is tried.
     *
     * @param signature signature action required by the policy; its part list is modified
     * @param objArr signature results; every element is cast to {@code SignatureResult}
     * @param messageContext context of the message being processed
     * @param validationStatus status object passed to each {@code validate} call and read back
     * @return {@code true} if some result validates, {@code false} otherwise
     */
    private boolean validateSignedParts(Signature signature, Object[] objArr, MessageContext messageContext, ValidationStatus validationStatus) {
        for (int idx = 0; idx < objArr.length; idx++) {
            SignatureResult candidate = (SignatureResult) objArr[idx];
            if (candidate.validate(signature, messageContext, validationStatus)) {
                return true;
            }
            Vector reported = validationStatus.getMessageParts();
            if (reported == null || reported.isEmpty()) {
                continue;
            }
            // NOTE(review): this shrinks the required-parts list on the action object passed in,
            // presumably by the parts this result did cover. If that object is shared or cached
            // across messages, later messages would be checked against fewer parts; confirm the
            // caller passes a per-message copy.
            for (Object entry : reported) {
                QName partName = (QName) entry;
                signature.getParts().removePart(new MessagePart(partName.getNamespaceURI(), partName.getLocalPart()));
            }
        }
        return false;
    }

    /**
     * Validates the required encrypted parts against the encryption results, stopping at the
     * first result that satisfies the requirement.
     *
     * <p>After each result that does not validate, every part listed by
     * {@code validationStatus.getMessageParts()} is removed from {@code encryption.getParts()}
     * before the next result is tried.
     *
     * @param encryption encryption action required by the policy; its part list is modified
     * @param objArr encryption results; every element is cast to {@code EncryptionResult}
     * @param messageContext context of the message being processed
     * @param validationStatus status object passed to each {@code validate} call and read back
     * @return {@code true} if some result validates, {@code false} otherwise
     */
    private boolean validateEncryptedParts(Encryption encryption, Object[] objArr, MessageContext messageContext, ValidationStatus validationStatus) {
        for (int idx = 0; idx < objArr.length; idx++) {
            EncryptionResult candidate = (EncryptionResult) objArr[idx];
            if (candidate.validate(encryption, messageContext, validationStatus)) {
                return true;
            }
            Vector reported = validationStatus.getMessageParts();
            if (reported == null || reported.isEmpty()) {
                continue;
            }
            // NOTE(review): this shrinks the required-parts list on the action object passed in,
            // presumably by the parts this result did cover. If that object is shared or cached
            // across messages, later messages would be checked against fewer parts; confirm the
            // caller passes a per-message copy.
            for (Object entry : reported) {
                QName partName = (QName) entry;
                encryption.getParts().removePart(new MessagePart(partName.getNamespaceURI(), partName.getLocalPart()));
            }
        }
        return false;
    }
}
