package com.ibm.rational.test.lt.models.wscore.datamodel.security.policy.validator;

import com.ibm.mq.ese.core.MessageProtectionConstants;
import com.ibm.rational.test.lt.models.wscore.datamodel.security.policy.parser.AbstractDefaultVisitor;
import com.ibm.rational.test.lt.models.wscore.datamodel.security.policy.parser.PolicyParser;
import com.ibm.rational.test.lt.models.wscore.datamodel.security.policy.util.PolicyResult;
import com.ibm.rational.test.lt.models.wscore.datamodel.security.util.KeyStoreUtil;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.interfaces.RSAKey;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.logging.Level;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.soap.SOAPConstants;
import org.apache.neethi.All;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyComponent;
import org.apache.neethi.PolicyEngine;
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.AsymmetricBinding;
import org.apache.ws.secpolicy.model.Layout;
import org.apache.ws.secpolicy.model.ProtectionToken;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.SymmetricBinding;
import org.apache.ws.secpolicy.model.Wss10;
import org.apache.ws.secpolicy.model.Wss11;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.eclipse.osgi.util.NLS;

/* loaded from: input_file:coremdl.jar:com/ibm/rational/test/lt/models/wscore/datamodel/security/policy/validator/PolicyValidator.class */
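public class PolicyValidator extends AbstractDefaultVisitor {
    /** Compile-time trace switch; every trace helper is a no-op while this is false. */
    private static final boolean traceOn = false;

    /** JCA fallback signature names used only when JCEMapper cannot translate the policy URI. */
    private static final String SHA1_RSA_SIGNATURE = "SHA1/RSA";
    private static final String SHA1_DSA_SIGNATURE = "SHA1/DSA";
    private static final String RSA_KEY_TYPE = MessageProtectionConstants.ENCRYPTION_RSA;
    private static final String DSA_KEY_TYPE = "DSA";
    /** Encoding format every JCA public key reports for its X.509 SubjectPublicKeyInfo form. */
    private static final String X_509_KEY_FORMAT = XMLX509Certificate.JCA_CERT_ID;

    /** XML-Encryption block-cipher URIs whose key size must be set explicitly on the generator. */
    private static final String AES128_CBC_URI = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    private static final String AES192_CBC_URI = "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
    private static final String AES256_CBC_URI = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";

    /** The WS-SecurityPolicy being validated against; may be null (see the checkPolicy* methods). */
    private final Policy policy;

    // Facts gathered from the policy while it is walked in visit().
    private boolean isSymmetricBinding = false;
    private boolean isAsymmetricBinding = false;
    private int encryptionKeyLength = 0;
    private int signatureKeyLength = 0;
    private String algorithmSignature = null;
    private String uriAlgorithmSignature = null;
    private String encryptionAlgorithm = null;
    private String asymetricKeyWrap = null;

    // Mode flags set by the public check* entry points before checkKeyStore() runs.
    // They are instance state, so a validator reused for several checks must reset
    // them on every entry; each check* method below does so explicitly.
    private boolean isSignatureConfiguration = false;
    private boolean isEncryptionConfiguration = false;
    private boolean isDeCryptionConfiguration = false;
    private boolean needX509Key = false;
    private boolean needPrivateKey = false;

    static {
        // Santuario must be initialised before JCEMapper can translate algorithm URIs.
        Init.init();
    }

    private static void trace(String str) {
        if (traceOn) {
            System.out.println(str);
        }
    }

    private static void trace(Exception exc) {
        if (traceOn) {
            exc.printStackTrace();
        }
    }

    private static void trace(String str, String str2) {
        trace(String.valueOf(str) + ": " + str2);
    }

    private static void trace(String str, int i) {
        trace(str, String.valueOf(i));
    }

    private static void trace(String str, boolean z) {
        trace(str, String.valueOf(z));
    }

    /** Human-readable name of the configuration currently being checked, or "" when none is set. */
    private String getConfigurationMessage() {
        if (this.isEncryptionConfiguration) {
            return PolicyValidatorMessages.ENCRYPTION_CONFIGURATION;
        }
        if (this.isSignatureConfiguration) {
            return PolicyValidatorMessages.SIGNATURE_CONFIGURATION;
        }
        if (this.isDeCryptionConfiguration) {
            return PolicyValidatorMessages.DECRYPTION_CONFIGURATION;
        }
        return "";
    }

    /**
     * Creates a validator and immediately walks {@code policy} (when non-null) so that
     * binding type, algorithm suite and token requirements are captured via {@link #visit}.
     * Parse failures are traced and otherwise ignored: the validator then behaves as if the
     * policy carried no requirements, which callers should keep in mind.
     */
    public PolicyValidator(Policy policy) {
        this.policy = policy;
        if (this.policy == null) {
            return;
        }
        try {
            new PolicyParser().parse(this.policy, this);
        } catch (Exception e) {
            trace(e);
        }
    }

    /**
     * Records the asymmetric signature algorithm URI from the policy and resolves it to a JCA
     * signature name. When Santuario has no mapping, the URI text is inspected: anything
     * mentioning "rsa" or "dsa" falls back to a SHA-1 name (the original behaviour; note this
     * silently downgrades the digest for unmapped URIs), "hmac" yields no asymmetric algorithm,
     * and anything else is reported on stderr and left unset. A null URI leaves the algorithm
     * unset instead of failing the policy walk.
     */
    public void setAlgorithmSignature(String str) {
        this.uriAlgorithmSignature = str;
        if (str == null) {
            this.algorithmSignature = null;
            return;
        }
        String jceName = JCEMapper.translateURItoJCEID(str);
        if (jceName != null) {
            this.algorithmSignature = jceName;
        } else if (str.contains("rsa")) {
            this.algorithmSignature = SHA1_RSA_SIGNATURE;
        } else if (str.contains("dsa")) {
            this.algorithmSignature = SHA1_DSA_SIGNATURE;
        } else if (str.contains("hmac")) {
            this.algorithmSignature = null;
        } else {
            this.algorithmSignature = null;
            System.err.println("PolicyValidator.setAlgorithmSignature(" + str + ") unsupported uri algorithm signature.");
        }
    }

    /**
     * Policy-walk callback. Captures the binding kind, the algorithm suite (signature,
     * encryption and key-wrap algorithms, plus derived key lengths for symmetric bindings)
     * and whether an X.509 token is required. All other component types are only traced.
     * Derived key lengths are read only once a SymmetricBinding has been seen, so the
     * visiting order of the parser matters here.
     */
    @Override // com.ibm.rational.test.lt.models.wscore.datamodel.security.policy.parser.IPolicyListener
    public void visit(PolicyComponent policyComponent) {
        trace("visit", policyComponent.getClass().getName());
        if (policyComponent instanceof Policy) {
            Policy visited = (Policy) policyComponent;
            trace("   Name=", visited.getName());
            trace("   Type=", visited.getType());
        } else if (policyComponent instanceof All) {
            trace("   Type=", ((All) policyComponent).getType());
        } else if (policyComponent instanceof ExactlyOne) {
            trace("   Type=", ((ExactlyOne) policyComponent).getType());
        } else if (policyComponent instanceof SymmetricBinding) {
            this.isSymmetricBinding = true;
        } else if (policyComponent instanceof AsymmetricBinding) {
            this.isAsymmetricBinding = true;
        } else if (policyComponent instanceof AlgorithmSuite) {
            captureAlgorithmSuite((AlgorithmSuite) policyComponent);
        } else if (policyComponent instanceof Layout
                || policyComponent instanceof ProtectionToken
                || policyComponent instanceof SupportingToken) {
            // Nothing to validate for these components.
        } else if (policyComponent instanceof X509Token) {
            X509Token x509Token = (X509Token) policyComponent;
            this.needX509Key = true;
            trace("   EncryptionUser", x509Token.getEncryptionUser());
            trace("   UserCertAlias", x509Token.getUserCertAlias());
            trace("   TokenVersionAndType", x509Token.getTokenVersionAndType());
        } else if (policyComponent instanceof Wss11) {
            Wss11 wss11 = (Wss11) policyComponent;
            trace("   MustSupportRefEmbeddedToken", wss11.isMustSupportRefEmbeddedToken());
            trace("   MustSupportRefEncryptedKey", wss11.isMustSupportRefEncryptedKey());
            trace("   MustSupportRefKeyIdentifier", wss11.isMustSupportRefKeyIdentifier());
            trace("   MustSupportRefIssuerSerial", wss11.isMustSupportRefIssuerSerial());
            trace("   MustSupportRefExternalURI", wss11.isMustSupportRefExternalURI());
            trace("   MustSupportRefThumbprint", wss11.isMustSupportRefThumbprint());
        } else if (policyComponent instanceof Wss10) {
            Wss10 wss10 = (Wss10) policyComponent;
            trace("   MustSupportRefEmbeddedToken", wss10.isMustSupportRefEmbeddedToken());
            trace("   MustSupportRefKeyIdentifier", wss10.isMustSupportRefKeyIdentifier());
            trace("   MustSupportRefIssuerSerial", wss10.isMustSupportRefIssuerSerial());
            trace("   MustSupportRefExternalURI", wss10.isMustSupportRefExternalURI());
        } else {
            trace("PolicyComponent Not implemented");
        }
    }

    /** Stores the algorithms (and, for symmetric bindings, derived key lengths) of the suite. */
    private void captureAlgorithmSuite(AlgorithmSuite algorithmSuite) {
        setAlgorithmSignature(algorithmSuite.getAsymmetricSignature());
        trace("   ComputedKey=", algorithmSuite.getComputedKey());
        trace("   AsymmetricSignature=", algorithmSuite.getAsymmetricSignature());
        trace("   SymmetricSignature", algorithmSuite.getSymmetricSignature());
        trace("   Type", algorithmSuite.getType());
        trace("   Digest", algorithmSuite.getDigest());
        trace("   IsOptional", algorithmSuite.isOptional());
        trace("   Encryption", algorithmSuite.getEncryption());
        trace("   AsymmetricKeyWrap", algorithmSuite.getAsymmetricKeyWrap());
        this.encryptionAlgorithm = algorithmSuite.getEncryption();
        this.asymetricKeyWrap = algorithmSuite.getAsymmetricKeyWrap();
        if (this.isSymmetricBinding) {
            this.encryptionKeyLength = algorithmSuite.getEncryptionDerivedKeyLength();
            this.signatureKeyLength = algorithmSuite.getSignatureDerivedKeyLength();
        }
    }

    /**
     * Builds a KeyGenerator for the XML-Encryption algorithm URI, sizing it explicitly for
     * the AES-CBC variants (other algorithms keep the provider default). Returns null, after
     * reporting on stderr, when the URI or algorithm is unsupported by the installed providers.
     */
    private KeyGenerator getKeyGenerator(String algorithmUri) {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(JCEMapper.getJCEKeyAlgorithmFromURI(algorithmUri));
            if (AES128_CBC_URI.equalsIgnoreCase(algorithmUri)) {
                keyGenerator.init(128);
            } else if (AES192_CBC_URI.equalsIgnoreCase(algorithmUri)) {
                keyGenerator.init(192);
            } else if (AES256_CBC_URI.equalsIgnoreCase(algorithmUri)) {
                keyGenerator.init(256);
            }
            return keyGenerator;
        } catch (Exception e) {
            System.err.println("PolicyValidator.getKeyGenerator(" + algorithmUri + ") unsupported encryption algorithm: " + e.getMessage());
            return null;
        }
    }

    /**
     * Probes whether the JCE can actually encrypt with a key of the size the policy demands.
     * An InvalidKeyException from Cipher.init (typically "Illegal key size" when the
     * unlimited-strength policy files are absent) is taken to mean the extended crypto
     * library is required; any other failure, or an unsupported algorithm, yields false.
     */
    private boolean checkExtendedLibraryExpected(String algorithmUri) {
        try {
            KeyGenerator keyGenerator = getKeyGenerator(algorithmUri);
            if (keyGenerator == null) {
                return false;
            }
            SecretKey probeKey = keyGenerator.generateKey();
            Cipher cipher = Cipher.getInstance(JCEMapper.translateURItoJCEID(algorithmUri));
            cipher.init(Cipher.ENCRYPT_MODE, probeKey);
            // Any payload will do; the key bytes are simply a buffer of a convenient size.
            cipher.doFinal(probeKey.getEncoded());
            return false;
        } catch (InvalidKeyException e) {
            trace("Extended Library Error detected: " + e.getMessage());
            return true;
        } catch (Exception e2) {
            trace(e2);
            return false;
        }
    }

    /**
     * Opens the alias as a private-key entry. Returns null when the entry is usable, or a
     * SEVERE PolicyResult describing why not: a wrong or missing entry password is reported
     * as INVALID_PASSWORD (rather than the generic INVALID_KEY the outer catch would give),
     * and a non-private-key entry as PRIVATE_KEY_EXPECTED. The password copy handed to the
     * KeyStore is cleared afterwards on a best-effort basis; the password is never traced.
     */
    private PolicyResult checkPrivateKeyEntry(KeyStore keyStore, String alias, String password) throws Exception {
        KeyStore.PasswordProtection protection = null;
        if (password != null && !password.isEmpty()) {
            protection = new KeyStore.PasswordProtection(password.toCharArray());
        }
        try {
            KeyStore.Entry entry;
            try {
                entry = keyStore.getEntry(alias, protection);
            } catch (UnrecoverableEntryException e) {
                trace(SOAPConstants.SOAP_FAULT_DETAIL_EXCEPTION_ENTRY, e.getMessage());
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.INVALID_PASSWORD, getConfigurationMessage(), NLS.bind(PolicyValidatorMessages.EXCEPTION_MESSAGE, PolicyValidatorMessages.exceptionMessage(e))));
            }
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.PRIVATE_KEY_EXPECTED, getConfigurationMessage()));
            }
            trace("PrivateKey", alias);
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            if (privateKey instanceof RSAKey) {
                trace("PrivateKey size", ((RSAKey) privateKey).getModulus().bitLength());
            }
            return null;
        } finally {
            if (protection != null) {
                try {
                    protection.destroy();
                } catch (Exception ignored) {
                    // Best effort: some providers do not support clearing the password copy.
                }
            }
        }
    }

    /**
     * Core check shared by every public entry point. Verifies, in order: the keystore and
     * alias exist; when required, the alias holds a private key the password can open; the
     * alias has a certificate; a password is present whenever the public key is X.509 encoded
     * (which is every JCA public key, so in practice a password is always demanded here);
     * the key type matches the policy's signature algorithm; an RSA modulus is not shorter
     * than the policy's derived key length; an X.509 key is present when the policy needs one;
     * the signature algorithm accepts the public key; and the JCE can handle the policy's
     * encryption key size. Any unexpected exception is reported as INVALID_KEY.
     */
    private PolicyResult checkKeyStore(KeyStore keyStore, String alias, String password) {
        try {
            if (keyStore == null) {
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.KEY_STORE_EXPECTED, getConfigurationMessage()));
            }
            trace("KeyStore Type", keyStore.getType());
            trace("KeyStore Provider Name", keyStore.getProvider().getName());
            if (alias == null || alias.isEmpty()) {
                trace("Alias expected");
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.ALIAS_EXPECTED, getConfigurationMessage()));
            }
            if (!keyStore.containsAlias(alias)) {
                trace("alias not found", alias);
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.UNKNOWN_ALIAS, getConfigurationMessage(), alias));
            }
            if (this.needPrivateKey) {
                PolicyResult privateKeyProblem = checkPrivateKeyEntry(keyStore, alias, password);
                if (privateKeyProblem != null) {
                    return privateKeyProblem;
                }
            }

            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.INVALID_ALIAS, getConfigurationMessage(), alias));
            }
            trace("Certificate Type", certificate.getType());
            PublicKey publicKey = certificate.getPublicKey();
            String keyAlgorithm = publicKey.getAlgorithm();
            boolean x509Encoded = X_509_KEY_FORMAT.equalsIgnoreCase(publicKey.getFormat());
            trace("PublicKey Algo", keyAlgorithm);
            trace("PublicKey Format", publicKey.getFormat());
            if (x509Encoded && (password == null || password.isEmpty())) {
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.X509_KEY_PASSWORD_EXPECTED, getConfigurationMessage()));
            }

            // Key type must agree with the policy's asymmetric signature algorithm.
            if (this.algorithmSignature != null) {
                trace("AlgorithmSignature", this.algorithmSignature);
                boolean rsaMismatch = this.algorithmSignature.contains(RSA_KEY_TYPE) && !RSA_KEY_TYPE.equals(keyAlgorithm);
                boolean dsaMismatch = this.algorithmSignature.contains(DSA_KEY_TYPE) && !DSA_KEY_TYPE.equals(keyAlgorithm);
                if (rsaMismatch || dsaMismatch) {
                    return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.INVALID_KEY_TYPE, new Object[]{getConfigurationMessage(), keyAlgorithm, this.algorithmSignature}));
                }
            }

            // Minimum size the policy asks for (derived key length, bits, symmetric bindings
            // only) versus the RSA modulus size; zero on either side disables the check.
            int requiredBits = 0;
            if (this.isEncryptionConfiguration) {
                requiredBits = this.encryptionKeyLength;
            }
            if (this.isSignatureConfiguration) {
                requiredBits = this.signatureKeyLength;
            }
            int actualBits = 0;
            if (RSA_KEY_TYPE.equals(keyAlgorithm) && publicKey instanceof RSAKey) {
                actualBits = ((RSAKey) publicKey).getModulus().bitLength();
                trace("PublicKey Size", actualBits);
            }
            if (requiredBits != 0 && actualBits != 0 && actualBits < requiredBits) {
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.INVALID_KEY_SIZE, new Object[]{getConfigurationMessage(), String.valueOf(actualBits), String.valueOf(requiredBits)}));
            }
            if (this.needX509Key && !x509Encoded) {
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.X509_KEY_EXPECTED, getConfigurationMessage()));
            }

            // Probe that the provider accepts this key for the policy's signature algorithm;
            // nothing is verified, the update call merely exercises the key/algorithm pairing.
            if (this.algorithmSignature != null) {
                try {
                    Signature signature = Signature.getInstance(this.algorithmSignature);
                    signature.initVerify(publicKey);
                    signature.update(publicKey.getEncoded());
                } catch (Exception e4) {
                    trace(SOAPConstants.SOAP_FAULT_DETAIL_EXCEPTION_ENTRY, e4.getMessage());
                    return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.INCOMPATIBLE_KEY, getConfigurationMessage(), NLS.bind(PolicyValidatorMessages.EXCEPTION_MESSAGE, PolicyValidatorMessages.exceptionMessage(e4))));
                }
            }

            if (this.encryptionAlgorithm != null && checkExtendedLibraryExpected(this.encryptionAlgorithm)) {
                return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.EXTENDED_LIBRARY_EXPECTED, getConfigurationMessage()));
            }
            return new PolicyResult(false, NLS.bind(PolicyValidatorMessages.KEY_IS_VALID, getConfigurationMessage()));
        } catch (Exception e5) {
            trace(e5);
            return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.INVALID_KEY, getConfigurationMessage(), NLS.bind(PolicyValidatorMessages.EXCEPTION_MESSAGE, PolicyValidatorMessages.exceptionMessage(e5))));
        }
    }

    /**
     * Checks a keystore used to encrypt outgoing messages outside of a policy: an X.509
     * certificate is required, a private key is not. The private-key requirement is reset
     * here so a validator previously used for a signature or decryption check does not
     * carry it over.
     */
    public PolicyResult checkSecurityEncryptionKeyStore(KeyStore keyStore, String str, String str2) {
        this.isSignatureConfiguration = false;
        this.isEncryptionConfiguration = true;
        this.isDeCryptionConfiguration = false;
        this.needX509Key = true;
        this.needPrivateKey = false;
        return checkKeyStore(keyStore, str, str2);
    }

    /** Checks a keystore used to decrypt incoming messages: X.509 certificate plus private key. */
    public PolicyResult checkSecurityDecryptionKeyStore(KeyStore keyStore, String str, String str2) {
        this.isSignatureConfiguration = false;
        this.isEncryptionConfiguration = false;
        this.isDeCryptionConfiguration = true;
        this.needX509Key = true;
        this.needPrivateKey = true;
        return checkKeyStore(keyStore, str, str2);
    }

    /** Checks a keystore used to sign outgoing messages: X.509 certificate plus private key. */
    public PolicyResult checkSecuritySignatureKeyStore(KeyStore keyStore, String str, String str2) {
        this.isSignatureConfiguration = true;
        this.isEncryptionConfiguration = false;
        this.isDeCryptionConfiguration = false;
        this.needX509Key = true;
        this.needPrivateKey = true;
        return checkKeyStore(keyStore, str, str2);
    }

    /**
     * Checks the encryption keystore against the policy this validator was built from.
     * Fails with POLICY_EXPECTED when no policy was supplied. Encryption only needs the
     * recipient's certificate, so the private-key requirement is cleared; whether an X.509
     * key is required comes from the policy walk.
     */
    public PolicyResult checkPolicyEncryptionKeyStore(KeyStore keyStore, String str, String str2) {
        if (this.policy == null) {
            return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.POLICY_EXPECTED, getConfigurationMessage()));
        }
        this.isSignatureConfiguration = false;
        this.isEncryptionConfiguration = true;
        this.isDeCryptionConfiguration = false;
        this.needPrivateKey = false;
        return checkKeyStore(keyStore, str, str2);
    }

    /**
     * Checks the signature keystore against the policy this validator was built from.
     * Fails with POLICY_EXPECTED when no policy was supplied. A private key is required
     * whenever the policy declared a symmetric or asymmetric binding.
     */
    public PolicyResult checkPolicySignatureKeyStore(KeyStore keyStore, String str, String str2) {
        if (this.policy == null) {
            return new PolicyResult(Level.SEVERE, NLS.bind(PolicyValidatorMessages.POLICY_EXPECTED, getConfigurationMessage()));
        }
        this.isSignatureConfiguration = true;
        this.isEncryptionConfiguration = false;
        this.isDeCryptionConfiguration = false;
        this.needPrivateKey = this.isAsymmetricBinding || this.isSymmetricBinding;
        return checkKeyStore(keyStore, str, str2);
    }

    /**
     * Developer harness: loads the policy document at {@code policyPath}, the keystore at
     * {@code keyStorePath} (the same password is used for the store and the key entry) and
     * runs the policy signature check for {@code alias}. Returns true when the check passed.
     * The policy file is parsed with StAX straight from disk; only feed it trusted local files.
     */
    public static boolean testPolicyValidator(String policyPath, String keyStorePath, String alias, String password) {
        trace("---------------------------------------");
        trace("Start Test");
        try {
            Policy policy = PolicyEngine.getPolicy(new StAXOMBuilder(policyPath).getDocumentElement());
            if (policy == null) {
                throw new RuntimeException("policy == null");
            }
            PolicyValidator policyValidator = new PolicyValidator(policy);
            KeyStore loadKeyStore = KeyStoreUtil.loadKeyStore(keyStorePath, password.toCharArray());
            if (loadKeyStore == null) {
                throw new RuntimeException("keyStore == null");
            }
            PolicyResult result = policyValidator.checkPolicySignatureKeyStore(loadKeyStore, alias, password);
            trace("Test result", result.getComments());
            // PolicyResult.getResult() is true when a problem was found.
            return !result.getResult();
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    /**
     * Manual test entry point. The paths and passwords below are developer fixtures
     * (the well-known interop sample keystores); they are not used by the product.
     */
    public static void main(String[] strArr) {
        try {
            testPolicyValidator("C:\\temp\\policy-symm-binding.xml", "C:\\Temp\\client-RSA.jks", "client", "apache");
            testPolicyValidator("C:\\temp\\policy-symm-binding.xml", "C:\\Temp\\client-DSA.jks", "alice", "password");
            testPolicyValidator("C:\\temp\\policy-symm-binding.xml", "C:\\Temp\\interop2.jks", "alice", "password");
            testPolicyValidator("C:\\temp\\policy-symm-binding.xml", "C:\\Temp\\client-RSA.jks", "service", "apache");
            testPolicyValidator("C:\\temp\\policy_with_attachment.wsdl", "C:\\Temp\\client-RSA.jks", "service", "apache");
            testPolicyValidator("C:\\temp\\policy_with_attachment.wsdl", "C:\\Temp\\client-RSA.jks", "client", "apache");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}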
