package com.ibm.ws.wssecurity.enc;

import com.ibm.ws.wssecurity.common.Constants;
import com.ibm.ws.wssecurity.common.Result;
import com.ibm.ws.wssecurity.common.ResultPool;
import com.ibm.ws.wssecurity.config.EncryptionConsumerConfig;
import com.ibm.ws.wssecurity.config.ReferencePartConfig;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.core.ElementSelector;
import com.ibm.ws.wssecurity.core.WSSConsumerComponent;
import com.ibm.ws.wssecurity.dsig.SignatureGenerator;
import com.ibm.ws.wssecurity.enc.DecryptionResult;
import com.ibm.ws.wssecurity.keyinfo.KeyInfoResult;
import com.ibm.ws.wssecurity.token.NonceManager;
import com.ibm.ws.wssecurity.util.ConfidentialDialectElementSelector;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.NonceUtil;
import com.ibm.ws.wssecurity.util.QNameHeaderSelector;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenWrapper;
import com.ibm.ws.wssecurity.xml.xss4j.domutil.DOMUtil;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.IDResolver;
import com.ibm.ws.wssecurity.xml.xss4j.enc.type.EncryptedData;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.axiom.om.OMDocument;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/enc/DecryptedPartChecker.class */
public class DecryptedPartChecker implements WSSConsumerComponent {
    // Trace handle for this class, obtained from Tr.register; every isEntryEnabled()/isDebugEnabled() guard below uses it.
    private static final TraceComponent tc = Tr.register(DecryptedPartChecker.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Component prefix string; nothing else in this class references it.
    private static final String comp = "security.wssecurity";
    // Selector map received by init(); invoke() hands it to preprocess() when locating the required parts.
    private Map<Object, Object> _selectors = null;
    // Value stored in the init() map under ElementSelector.IDRESOLVER; invoke() copies it into each per-message selector context.
    private IDResolver _idResolver = null;
    // Set by the first init() call so later calls leave the two fields above untouched. No synchronization is visible in this class.
    private boolean _initialized = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/enc/DecryptedPartChecker$RequiredPart.class */
    /**
     * One message element that the consumer configuration requires to have been encrypted,
     * together with the bookkeeping the enclosing checker keeps while matching decrypted parts
     * against it.
     */
    public static class RequiredPart {
        /** Reference-part configuration this requirement came from; its bindings are read in getRelatedPart. */
        private ReferencePartConfig _rconfig;
        /** Part configuration that selected the element; its keyword/header name is used in failure messages. */
        private ReferencePartConfig.PartConfig _pconfig;
        /** Element found in the message for this requirement. */
        private OMElement _element;
        /** Token wrappers of the decryption results that were matched to this part. */
        private Set<SecurityTokenWrapper> _tokenWrappers = new HashSet<SecurityTokenWrapper>();
        /** True once a decrypted part has been matched to this requirement and passed its checks. */
        private boolean _processed;
        /** True when a timestamp part configuration resolved to this element. */
        private boolean _requiredTimestamp;
        /** True when a nonce part configuration resolved to this element. */
        private boolean _requiredNonce;

        RequiredPart(ReferencePartConfig rconfig, ReferencePartConfig.PartConfig pconfig, OMElement element) {
            _rconfig = rconfig;
            _pconfig = pconfig;
            _element = element;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/enc/DecryptedPartChecker$RequiredParts.class */
    /**
     * A group of {@link RequiredPart}s plus the type string of the selection that produced them.
     * invoke() compares the type with EncryptedData.CONTENT to decide whether "present" means
     * "has a child node" or merely "element is not null".
     */
    public static class RequiredParts {
        /** Parts in this group; preprocess() always builds single-element arrays. */
        private RequiredPart[] _parts;
        /** Type string taken from PartList.getType() when the group was created. */
        private String _type;

        RequiredParts(RequiredPart[] parts, String type) {
            _parts = parts;
            _type = type;
        }
    }

    /**
     * Captures the selector map and the ID resolver on the first call; later calls only emit trace.
     *
     * @param map selector map; the entry under ElementSelector.IDRESOLVER is cast to IdUtils
     * @throws SoapSecurityException declared by the interface; nothing in this body throws it directly
     */
    @Override // com.ibm.ws.wssecurity.core.WSSComponent, com.ibm.ws.wssecurity.core.Initializable
    public void init(Map<Object, Object> map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init(Map map)");
        }
        boolean firstCall = !this._initialized;
        if (firstCall) {
            // The selector map is stored before the resolver lookup, so a failing lookup or cast
            // still leaves _selectors assigned and _initialized false.
            this._selectors = map;
            Object resolver = map.get(ElementSelector.IDRESOLVER);
            this._idResolver = (IdUtils) resolver;
            this._initialized = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "init(Map)");
        }
    }

    /**
     * Verifies that every configured required-confidentiality part that is present in the message
     * was actually decrypted, and runs the nonce/timestamp checks attached to those parts.
     *
     * <p>Steps: (1) resolve the required parts against the document via preprocess(); (2) for each
     * DecryptionResult in the context, match every decrypted part to a required part and, where
     * flagged, check its nonce and timestamp, then mark the required part processed; (3) fail if
     * any required part that is present (or, for content encryption, non-empty) was never marked.
     *
     * <p>Step 3 only enforces the constraint for targets that are present. A message from which
     * the target element was omitted passes this check; whether the element is mandatory has to
     * be enforced elsewhere.
     *
     * @param oMNode node of the message being consumed; must not be null
     * @param map    per-message context (WSS version index, verified-nonce map, consumer config, pooled results)
     * @throws SoapSecurityException if the target is null, a required nonce or timestamp is missing
     *         or rejected, or a present required part was not decrypted
     */
    @Override // com.ibm.ws.wssecurity.core.WSSConsumerComponent
    public void invoke(OMNode oMNode, Map<Object, Object> map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer = new StringBuffer("invoke(");
            stringBuffer.append("OMNode target[").append(DOMUtils.getDisplayName(oMNode)).append("], ");
            stringBuffer.append("Map context)");
            Tr.entry(tc, stringBuffer.toString());
        }
        if (oMNode == null) {
            throw SoapSecurityException.format("security.wssecurity.SignatureConsumer.s11", "soapenv:Envelope");
        }
        // Version index selects the namespace strings below; it stays 0 when the context holds no Integer.
        Object obj = map.get(Constants.WSS_VERSION);
        int i = 0;
        if (obj != null && (obj instanceof Integer)) {
            i = ((Integer) obj).intValue();
        }
        // NOTE(review): i is used as an array index without a range check; an unexpected value in
        // the context would surface as ArrayIndexOutOfBoundsException rather than SoapSecurityException.
        String str = Constants.NAMESPACES[0][i];
        String str2 = Constants.NAMESPACES[1][i];
        // Nonce string -> element map; may be absent. The trace text below suggests it is filled by
        // VerifiedPartChecker, which is not visible here.
        Map map2 = (Map) map.get(Constants.VERIFIED_NONCE_MAP);
        OMDocument ownerDocument = DOMUtil.getOwnerDocument(oMNode);
        // NOTE(review): no null check on the consumer config; a missing context entry fails with
        // NullPointerException on the next line.
        WSSConsumerConfig wSSConsumerConfig = (WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        NonceManager nonceManager = wSSConsumerConfig.getNonceManager();
        // Work on a copy of the context so the selector entries added here do not leak into the caller's map.
        HashMap hashMap = new HashMap(map);
        hashMap.put(NonceManager.class, nonceManager);
        hashMap.put(ElementSelector.IDRESOLVER, this._idResolver);
        hashMap.put(ElementSelector.CONFIG, wSSConsumerConfig.getTokenConsumers());
        Set<RequiredParts> preprocess = preprocess(ownerDocument, wSSConsumerConfig.getRequiredConfidentialParts(), this._selectors, hashMap);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Processing the decrypted results...");
        }
        Result[] resultArr = ResultPool.get(map, DecryptionResult.class);
        // Collects the reference-part configs matched per result; it is written but never read in this method.
        HashSet hashSet = new HashSet();
        if (resultArr != null && resultArr.length > 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, resultArr.length + " decrypted results found.");
            }
            for (Result result : resultArr) {
                DecryptionResult decryptionResult = (DecryptionResult) result;
                hashSet.clear();
                for (DecryptionResult.DecryptedPart decryptedPart : decryptionResult._decryptedParts) {
                    // May throw when a binding check failed and no required part matched this decrypted part.
                    RequiredPart relatedPart = getRelatedPart(decryptionResult, decryptedPart, preprocess);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "DecryptedPart [" + decryptedPart + "], RequiredPart [" + relatedPart + "]");
                    }
                    // Decrypted parts that match no requirement are ignored here.
                    if (relatedPart != null) {
                        if (relatedPart._requiredNonce) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Checking required nonce...");
                            }
                            if (decryptedPart._nonce == null) {
                                throw SoapSecurityException.format(Constants.FAILED_CHECK, "security.wssecurity.VerifiedPartChecker.s02", relatedPart._pconfig.getKeyword());
                            }
                            // z: this nonce was already recorded in the verified-nonce map for this very element.
                            boolean z = false;
                            String stringValue = DOMUtil.getStringValue(decryptedPart._nonce);
                            if (stringValue != null && stringValue.length() > 0) {
                                OMElement oMElement = map2 != null ? (OMElement) map2.get(stringValue) : null;
                                // Reference comparison: the skip applies only when the map entry is the same
                                // element object as the decrypted one, not merely an equal-looking element.
                                if (oMElement != null && oMElement == decryptedPart._object) {
                                    z = true;
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Already verified nonce value of " + stringValue + " for element " + decryptedPart._object + " in VerifiedPartChecker");
                                    }
                                }
                            }
                            // Only nonces not already accounted for go to NonceUtil.checkNonce
                            // (presumably the replay check against the NonceManager; not visible here).
                            if (!z) {
                                NonceUtil.checkNonce(decryptedPart._nonce, str, nonceManager);
                            }
                        }
                        if (relatedPart._requiredTimestamp) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Checking required timestamp...");
                            }
                            if (decryptedPart._timestamp == null) {
                                throw SoapSecurityException.format(Constants.FAILED_CHECK, "security.wssecurity.TimestampChecker.s02", relatedPart._pconfig.getKeyword());
                            }
                            // Max age and clock skew come from the consumer config; the meaning of the
                            // trailing false argument is not visible in this file.
                            NonceUtil.checkTimestamp(decryptedPart._timestamp, str2, wSSConsumerConfig.getTimestampMaxAge(), wSSConsumerConfig.getTimestampClockSkew(), false);
                        }
                        // Marked only after the nonce/timestamp checks returned without throwing.
                        relatedPart._processed = true;
                        relatedPart._tokenWrappers.add(decryptionResult._tokenWrapper);
                        hashSet.add(relatedPart._rconfig);
                    }
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Checking whether all required confidentiality is processed...");
        }
        for (RequiredParts requiredParts : preprocess) {
            RequiredPart[] requiredPartArr = requiredParts._parts;
            // For content encryption the requirement applies only when the element has a child node.
            boolean equals = EncryptedData.CONTENT.equals(requiredParts._type);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Content type = " + requiredParts._type);
            }
            for (int i2 = 0; i2 < requiredPartArr.length; i2++) {
                // z2: the target is considered present (content type: has a first child; otherwise: element not null).
                boolean z2 = equals ? requiredPartArr[i2]._element.getFirstOMChild() != null : requiredPartArr[i2]._element != null;
                if (tc.isDebugEnabled()) {
                    // NOTE(review): DOMUtils.toString presumably serialises the element; if so, debug trace
                    // can hold decrypted message content and trace files should be handled as sensitive.
                    Tr.debug(tc, "rpart[" + i2 + "]._element = " + DOMUtils.toString(requiredPartArr[i2]._element));
                    // NOTE(review): dereferences _element unconditionally, unlike the null-tolerant test above.
                    Tr.debug(tc, "rpart[" + i2 + "]._element.hasChildNodes() = " + (requiredPartArr[i2]._element.getFirstOMChild() != null));
                    Tr.debug(tc, "bHasContent = " + z2);
                }
                if (z2) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Encrypted target(s) is/are present and security constraint is enforced!");
                    }
                    // A present target that no decrypted part was matched to: the requirement is unmet.
                    if (!requiredPartArr[i2]._processed) {
                        String keyword = requiredPartArr[i2]._pconfig.getKeyword();
                        if (keyword == null) {
                            // Header-selected parts have no keyword; name them by namespace[:name] instead.
                            String headerName = requiredPartArr[i2]._pconfig.getHeaderName();
                            keyword = headerName != null ? requiredPartArr[i2]._pconfig.getHeaderNamespace() + ":" + headerName : requiredPartArr[i2]._pconfig.getHeaderNamespace();
                        }
                        throw SoapSecurityException.format(Constants.FAILED_CHECK, "security.wssecurity.DecryptedPartChecker.s01", keyword);
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Encrypted target(s) is/are *not* present and security constraint is *not* enforced!");
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(OMNode, Map)");
        }
    }

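    /**
     * Resolves the configured required-confidentiality parts against the message and returns one
     * {@link RequiredParts} group per element found.
     *
     * <p>Works in two passes. The first pass selects the elements for every ordinary part
     * configuration and records each element not already recorded. The second pass handles the
     * timestamp/nonce part configurations, which were set aside during the first pass: for every
     * element they select, the already recorded part for that element is flagged as requiring a
     * timestamp and/or nonce. A timestamp/nonce configuration therefore never creates a
     * requirement on its own; it only annotates elements recorded by the first pass.
     *
     * @param oMDocument document to search
     * @param set        required confidential parts from the consumer configuration
     * @param map        selector map captured at init time
     * @param map2       per-message selector context; copied once per ReferencePartConfig
     * @return the recorded groups; empty when nothing configured is present in the message
     * @throws SoapSecurityException declared for the part-selection calls
     */
    private static Set<RequiredParts> preprocess(OMDocument oMDocument, Set<ReferencePartConfig> set, Map<Object, Object> map, Map<Object, Object> map2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer = new StringBuffer("preprocess(");
            stringBuffer.append("OMDocument doc[").append(DOMUtils.getDisplayName(oMDocument)).append("], ");
            stringBuffer.append("Set requiredConfidentiality, Map selectors, Map selectorMap)");
            Tr.entry(tc, stringBuffer.toString());
        }
        HashSet<RequiredParts> required = new HashSet<RequiredParts>();
        // Timestamp/nonce configurations are deferred to the second pass, each with the selector
        // context of the ReferencePartConfig it belongs to.
        HashSet<ReferencePartConfig.PartConfig> deferred = new HashSet<ReferencePartConfig.PartConfig>();
        HashMap<ReferencePartConfig.PartConfig, HashMap> deferredContexts = new HashMap<ReferencePartConfig.PartConfig, HashMap>();
        for (ReferencePartConfig referencePartConfig : set) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Processing ReferencePartConfig [" + referencePartConfig + "]...");
            }
            // One context instance per ReferencePartConfig: header entries written below stay in it
            // for the remaining parts and for the deferred parts that share it.
            // Kept as a raw HashMap because the parameter types of the selection helpers are not visible here.
            HashMap selectorContext = new HashMap(map2);
            for (ReferencePartConfig.PartConfig partConfig : referencePartConfig.getParts()) {
                if (partConfig.isTimestamp() || partConfig.isNonce()) {
                    deferred.add(partConfig);
                    deferredContexts.put(partConfig, selectorContext);
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing PartConfig [" + partConfig + "]...");
                }
                String dialect = partConfig.getDialect();
                String keyword = partConfig.getKeyword();
                Class cls = ConfidentialDialectElementSelector.class;
                if (dialect.equals(Constants.DIALECT_HEADER)) {
                    // Header dialect: select by QName instead of by keyword.
                    selectorContext.put(ElementSelector.HEADERNAME, partConfig.getHeaderName());
                    selectorContext.put(ElementSelector.HEADERNAMESPACE, partConfig.getHeaderNamespace());
                    cls = QNameHeaderSelector.class;
                }
                PartList partList = (PartList) SignatureGenerator.getMessagePart(oMDocument, dialect, keyword, ElementSelector.DECRYPTION_MODE, map, cls, selectorContext);
                if (partList == null || partList.getLength() <= 0) {
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, partList.getLength() + " parts found.");
                }
                // NOTE(review): this flag is not reset per item, so once one selected element is found
                // to be recorded already, the remaining elements of this selection are not recorded
                // and invoke() never enforces the requirement for them. Left as found; confirm
                // whether that is intended before changing it.
                boolean alreadyRecorded = false;
                for (int i = 0; i < partList.getLength(); i++) {
                    OMElement item = partList.item(i);
                    for (RequiredParts group : required) {
                        for (int j = 0; j < group._parts.length; j++) {
                            if (DOMUtils.equals((OMNode) item, (OMNode) group._parts[j]._element)) {
                                alreadyRecorded = true;
                                break;
                            }
                        }
                    }
                    if (!alreadyRecorded) {
                        required.add(new RequiredParts(new RequiredPart[]{new RequiredPart(referencePartConfig, partConfig, item)}, partList.getType()));
                    }
                }
            }
        }
        for (ReferencePartConfig.PartConfig partConfig2 : deferred) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Processing PartConfig [" + partConfig2 + "]...");
            }
            Map map3 = deferredContexts.get(partConfig2);
            if (partConfig2.isTimestamp() || partConfig2.isNonce()) {
                // Return values are unused; the calls are kept as found.
                partConfig2.getDialect();
                partConfig2.getKeyword();
                PartList partList2 = (PartList) SignatureGenerator.getNoncePart(oMDocument, null, partConfig2, ElementSelector.DECRYPTION_MODE, map, ConfidentialDialectElementSelector.class, map3);
                if (partList2 != null && partList2.getLength() > 0) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, partList2.getLength() + " parts found.");
                    }
                    for (int i3 = 0; i3 < partList2.getLength(); i3++) {
                        OMElement item2 = partList2.item(i3);
                        for (RequiredParts group : required) {
                            // Bounded scan: ends at the first matching part or when the array is exhausted,
                            // so a group without a match cannot stall message processing.
                            for (int j = 0; j < group._parts.length; j++) {
                                RequiredPart requiredPart = group._parts[j];
                                if (DOMUtils.equals((OMNode) item2, (OMNode) requiredPart._element)) {
                                    if (partConfig2.isTimestamp()) {
                                        requiredPart._requiredTimestamp = true;
                                    }
                                    if (partConfig2.isNonce()) {
                                        requiredPart._requiredNonce = true;
                                    }
                                    break;
                                }
                            }
                        }
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer2 = new StringBuffer("preprocess(");
            stringBuffer2.append("OMDocument, Set, Map, Map)");
            stringBuffer2.append(" returns Set [").append(required).append("]");
            Tr.exit(tc, stringBuffer2.toString());
        }
        return required;
    }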

    /**
     * Finds the not-yet-processed required part that a decrypted part satisfies.
     *
     * <p>A candidate qualifies when checkBinding() reports no problem for its bindings and its
     * element either carries the same Id as the decrypted element or is equal to it according to
     * DOMUtils.equals. The Id comparison runs first, so DOMUtils.equals is only consulted when the
     * Ids do not match.
     *
     * <p>Binding failures are remembered while scanning, last one wins. The remembered failure is
     * thrown only when no candidate matched at all; it is discarded as soon as any candidate
     * matches. It can stem from a candidate unrelated to this decrypted element, because the
     * binding check runs before the element comparison.
     *
     * @param decryptionResult result the decrypted part belongs to
     * @param decryptedPart    decrypted part to place
     * @param set              required-part groups built by preprocess()
     * @return the matching required part, or null when none matched and no binding check failed
     * @throws SoapSecurityException the last binding failure, when nothing matched
     */
    private static RequiredPart getRelatedPart(DecryptionResult decryptionResult, DecryptionResult.DecryptedPart decryptedPart, Set<RequiredParts> set) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            StringBuilder entryMsg = new StringBuilder("getRelatedPart(");
            entryMsg.append("DecryptionResult dresult, ");
            entryMsg.append("DecryptedPart dpart[").append(decryptedPart).append("], ");
            entryMsg.append("Set requiredParts)");
            Tr.entry(tc, entryMsg.toString());
        }
        SoapSecurityException lastBindingFailure = null;
        RequiredPart match = null;
        search:
        for (RequiredParts group : set) {
            for (RequiredPart candidate : group._parts) {
                if (candidate._processed) {
                    continue;
                }
                SoapSecurityException bindingFailure = checkBinding(candidate._rconfig.getBindings(), decryptionResult);
                if (bindingFailure != null) {
                    lastBindingFailure = bindingFailure;
                    continue;
                }
                if (hasSameUri(candidate._element, decryptedPart._object) || DOMUtils.equals((OMNode) candidate._element, (OMNode) decryptedPart._object)) {
                    match = candidate;
                    break search;
                }
            }
        }
        if (match == null && lastBindingFailure != null) {
            throw lastBindingFailure;
        }
        if (tc.isEntryEnabled()) {
            StringBuilder exitMsg = new StringBuilder("getRelatedPart(");
            exitMsg.append("DecryptionResult, DecryptedPart, Set)");
            exitMsg.append(" returns RequiredPart [").append(match).append("]");
            Tr.exit(tc, exitMsg.toString());
        }
        return match;
    }

    /**
     * Reports whether two elements carry the same non-empty Id as returned by IdUtils.getId.
     *
     * <p>Only the Id strings are compared, not the elements themselves. getRelatedPart() accepts
     * an Id match as sufficient on its own, so the result is only as trustworthy as the
     * uniqueness of Ids within the message. NOTE(review): confirm where duplicate Ids are
     * rejected; no such check is visible in this class.
     *
     * @param oMElement  element of the required part
     * @param oMElement2 decrypted element
     * @return true when both Ids are non-null, non-empty and equal
     * @throws SoapSecurityException declared only; nothing in this body throws it directly
     */
    private static boolean hasSameUri(OMElement oMElement, OMElement oMElement2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            StringBuilder entryMsg = new StringBuilder("hasSameUri(");
            entryMsg.append("OMElement rpart[").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            entryMsg.append("OMElement dpart[").append(DOMUtils.getDisplayName((OMNode) oMElement2)).append("])");
            Tr.entry(tc, entryMsg.toString());
        }
        String requiredId = IdUtils.getInstance().getId(oMElement);
        String decryptedId = IdUtils.getInstance().getId(oMElement2);
        // A missing or empty Id on either side never counts as a match.
        boolean bothPresent = requiredId != null && requiredId.length() > 0 && decryptedId != null && decryptedId.length() > 0;
        boolean sameId = bothPresent && requiredId.equals(decryptedId);
        if (tc.isEntryEnabled()) {
            StringBuilder exitMsg = new StringBuilder("hasSameUri(OMElement, OMElement)");
            exitMsg.append(" returns boolean [").append(sameId).append("]");
            Tr.exit(tc, exitMsg.toString());
        }
        return sameId;
    }

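    /**
     * Checks whether a decryption result is acceptable for a set of encryption-consumer bindings.
     *
     * <p>The result is accepted outright when the consumer configuration that performed the
     * decryption is one of the bindings. Otherwise each binding is looked up in the result's
     * identities: a binding is satisfied when it has a key-info result without error whose
     * associated token wrapper also has no error. The scan stops at the first satisfied binding.
     *
     * <p>The failure is returned, not thrown, so that the caller can decide whether it matters.
     * When several bindings fail, the error of the last failing one is returned. When no binding
     * has a key-info result, or a key-info result has no token, the return value is null although
     * nothing was satisfied. NOTE(review): confirm that a null return is intended in that case,
     * since callers treat null as "binding accepted".
     *
     * @param set              bindings of the required part, expected to hold EncryptionConsumerConfig objects
     * @param decryptionResult decryption result under test
     * @return null when accepted (or when no error was recorded), otherwise the recorded error
     */
    private static SoapSecurityException checkBinding(Set<Object> set, DecryptionResult decryptionResult) {
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer = new StringBuffer("checkBinding(");
            stringBuffer.append("Set bindings, DecryptionResult dresult)");
            Tr.entry(tc, stringBuffer.toString());
        }
        SoapSecurityException soapSecurityException = null;
        boolean contains = set.contains(decryptionResult._config);
        if (!contains) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The configuration of encryption consumer used for decryption was NOT found in the bindings.");
            }
            Iterator<Object> it = set.iterator();
            while (!contains && it.hasNext()) {
                KeyInfoResult keyInfoResult = decryptionResult._identities.get((EncryptionConsumerConfig) it.next());
                if (keyInfoResult == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is no keyinfo result corresponding to the EncryptionConsumerConfig.");
                    }
                    continue;
                }
                Exception error = keyInfoResult.getError();
                if (error != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The keyinfo result has the exception [" + error.getMessage() + "].");
                    }
                    // Wrap foreign exceptions so the caller always receives a SoapSecurityException.
                    soapSecurityException = error instanceof SoapSecurityException ? (SoapSecurityException) error : SoapSecurityException.format("security.wssecurity.KeyInfoConsumer.getKey04", new String[]{error.getMessage()}, error);
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The keyinfo result has no exception.");
                }
                SecurityTokenWrapper securityTokenWrapper = (SecurityTokenWrapper) decryptionResult._kresults.get(keyInfoResult);
                if (securityTokenWrapper == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is no token corresponding to the keyinfo result.");
                    }
                    continue;
                }
                SoapSecurityException tokenError = securityTokenWrapper.getError();
                if (tokenError == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The token [" + securityTokenWrapper + "] has no exception.");
                    }
                    contains = true;
                } else {
                    if (tc.isDebugEnabled()) {
                        // Report the token's own error: the key-info error is null on this path, so
                        // reading its message would fail whenever debug trace is enabled.
                        Tr.debug(tc, "The token [" + securityTokenWrapper + "] has the exception [" + tokenError.getMessage() + "].");
                    }
                    soapSecurityException = tokenError;
                }
            }
            if (contains) {
                // A satisfied binding overrides errors recorded for earlier bindings.
                soapSecurityException = null;
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The configuration of encryption consumer used for decryption was found in the bindings.");
        }
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer2 = new StringBuffer("checkBinding(");
            stringBuffer2.append("Set, DecryptionResult)");
            stringBuffer2.append(" returns SoapSecurityException [");
            stringBuffer2.append(soapSecurityException == null ? "null" : soapSecurityException.toString());
            stringBuffer2.append("]");
            Tr.exit(tc, stringBuffer2.toString());
        }
        return soapSecurityException;
    }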
}
