package org.apache.wss4j.policy.stax.assertionStates;

import java.security.cert.X509Certificate;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.SecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;

/* loaded from: input_file:org/apache/wss4j/policy/stax/assertionStates/X509TokenAssertionState.class */
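/**
 * Assertion state for the WS-SecurityPolicy {@code X509Token} assertion.
 *
 * <p>An incoming {@link X509TokenSecurityEvent} is checked against the policy's
 * {@link X509Token}: the certificate issuer name, the required key-identifier
 * (reference) type, the certificate version and the required token type. Every
 * failed check records an error message via {@code setErrorMessage}, unasserts
 * the corresponding policy element and returns {@code false} — the state never
 * silently passes a token that does not match the policy.
 *
 * <p>Review notes on this revision (the file was recovered from a decompiler):
 * the synthetic {@code $SwitchMap} helper class and the unreachable duplicate
 * {@code break} it produced are replaced by a plain switch on the enum; the
 * {@code WssX509V1Token10}/{@code 11} branch now asserts the policy element
 * named by the configured token type instead of the hard-coded literal
 * {@code "WssX509V1Token11"}, consistent with the other branches and with the
 * constructor; a token that carries no certificate, or a policy token of the
 * wrong class, is rejected explicitly instead of failing with an unchecked
 * exception.
 */
public class X509TokenAssertionState extends TokenAssertionState {

    /**
     * Creates the assertion state and, when {@code z} is set, pre-asserts the
     * reference-type and token-type sub-assertions found on the policy token.
     *
     * <p>NOTE(review): the parameter names come from the decompiler and carry no
     * meaning; they are forwarded unchanged to the {@link TokenAssertionState}
     * constructor, whose signature gives the real names.
     *
     * @param abstractSecurityAssertion the X509Token policy assertion
     * @param z                         when {@code true}, the sub-assertions present on the policy are asserted up front
     * @param policyAsserter            receives assert/unassert notifications
     * @param z2                        forwarded to the superclass unchanged
     */
    public X509TokenAssertionState(AbstractSecurityAssertion abstractSecurityAssertion, boolean z, PolicyAsserter policyAsserter, boolean z2) {
        super(abstractSecurityAssertion, z, policyAsserter, z2);
        if (!z) {
            return;
        }
        X509Token assertion = getAssertion();
        String namespaceURI = assertion.getName().getNamespaceURI();
        String referenceType = requiredReferenceType(assertion);
        if (referenceType != null) {
            getPolicyAsserter().assertPolicy(new QName(namespaceURI, referenceType));
        }
        if (assertion.getTokenType() != null) {
            getPolicyAsserter().assertPolicy(new QName(namespaceURI, assertion.getTokenType().name()));
        }
    }

    /**
     * Returns the local name of the first {@code Require*Reference} flag set on the
     * policy token, in the precedence order KeyIdentifier, IssuerSerial,
     * EmbeddedToken, Thumbprint; {@code null} when none is set.
     */
    private static String requiredReferenceType(X509Token token) {
        if (token.isRequireKeyIdentifierReference()) {
            return "RequireKeyIdentifierReference";
        }
        if (token.isRequireIssuerSerialReference()) {
            return "RequireIssuerSerialReference";
        }
        if (token.isRequireEmbeddedTokenReference()) {
            return "RequireEmbeddedTokenReference";
        }
        if (token.isRequireThumbprintReference()) {
            return "RequireThumbprintReference";
        }
        return null;
    }

    /** Only {@code X509Token} security events are routed to this state. */
    @Override // org.apache.wss4j.policy.stax.Assertable
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{SecurityEventConstants.X509Token};
    }

    /**
     * Checks one X.509 token event against the policy token.
     *
     * <p>Checks, in order: the event and policy classes; the security token type
     * (V3, V1, PKCS#7 or PkiPath only); the presence of a certificate; the issuer
     * name; the key-identifier (reference) type; the certificate version (v2 is
     * rejected); and finally the policy token type. The first failing check
     * unasserts the affected policy element and returns {@code false}; only when
     * every check passes is the whole assertion asserted.
     *
     * @param tokenSecurityEvent must be an {@link X509TokenSecurityEvent}
     * @param abstractToken      must be the {@link X509Token} of the policy
     * @return {@code true} when the token satisfies the policy, {@code false} otherwise
     * @throws WSSPolicyException   when the event or policy token is of the wrong class,
     *                              or the security token is not an X.509 token at all
     * @throws XMLSecurityException propagated from the policy asserter
     */
    @Override // org.apache.wss4j.policy.stax.assertionStates.TokenAssertionState
    public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
        if (!(tokenSecurityEvent instanceof X509TokenSecurityEvent)) {
            throw new WSSPolicyException("Expected a X509TokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
        }
        // Previously an unchecked ClassCastException; report it as a policy error like the event check above.
        if (!(abstractToken instanceof X509Token)) {
            throw new WSSPolicyException("Expected a X509Token but got " + abstractToken.getClass().getName());
        }
        X509Token x509Token = (X509Token) abstractToken;
        SecurityToken securityToken = tokenSecurityEvent.getSecurityToken();
        SecurityTokenConstants.TokenType tokenType = securityToken.getTokenType();
        if (!WSSecurityTokenConstants.X509V3Token.equals(tokenType)
                && !WSSecurityTokenConstants.X509V1Token.equals(tokenType)
                && !WSSecurityTokenConstants.X509Pkcs7Token.equals(tokenType)
                && !WSSecurityTokenConstants.X509PkiPathV1Token.equals(tokenType)) {
            throw new WSSPolicyException("Invalid Token for this assertion");
        }
        try {
            String namespaceURI = getAssertion().getName().getNamespaceURI();

            // A token without a certificate cannot satisfy any of the checks below; fail closed
            // instead of surfacing a NullPointerException / ArrayIndexOutOfBoundsException.
            X509Certificate[] certificates = securityToken.getX509Certificates();
            if (certificates == null || certificates.length == 0) {
                return rejectAssertion("No X509Certificate found in the security token");
            }
            X509Certificate x509Certificate = certificates[0];

            // 1. Issuer name, when the policy pins one (exact string comparison of the RFC 2253 form).
            if (x509Token.getIssuerName() != null) {
                String issuerName = x509Certificate.getIssuerX500Principal().getName();
                if (!x509Token.getIssuerName().equals(issuerName)) {
                    return rejectAssertion("IssuerName in Policy (" + x509Token.getIssuerName()
                            + ") didn't match with the one in the certificate (" + issuerName + ")");
                }
            }

            // 2. Reference type: the key identifier used in the message must be the one the policy requires.
            if (x509Token.isRequireKeyIdentifierReference()) {
                boolean matched = WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(securityToken.getKeyIdentifier())
                        || WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier.equals(securityToken.getKeyIdentifier());
                if (!checkReference(namespaceURI, "RequireKeyIdentifierReference", "KeyIdentifierReference", matched, securityToken)) {
                    return false;
                }
            } else if (x509Token.isRequireIssuerSerialReference()) {
                boolean matched = WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(securityToken.getKeyIdentifier());
                if (!checkReference(namespaceURI, "RequireIssuerSerialReference", "IssuerSerialReference", matched, securityToken)) {
                    return false;
                }
            } else if (x509Token.isRequireEmbeddedTokenReference()) {
                boolean matched = WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(securityToken.getKeyIdentifier());
                if (!checkReference(namespaceURI, "RequireEmbeddedTokenReference", "EmbeddedTokenReference", matched, securityToken)) {
                    return false;
                }
            } else if (x509Token.isRequireThumbprintReference()) {
                boolean matched = WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier.equals(securityToken.getKeyIdentifier());
                if (!checkReference(namespaceURI, "RequireThumbprintReference", "ThumbprintReference", matched, securityToken)) {
                    return false;
                }
            }

            // 3. Certificate version: only v1 and v3 are handled by the token-type checks below.
            if (x509Certificate.getVersion() == 2) {
                return rejectAssertion("X509Certificate Version " + x509Certificate.getVersion() + " not supported");
            }

            // 4. Token type: the security token's type and the certificate version must match the policy.
            if (x509Token.getTokenType() != null) {
                QName tokenTypePolicy = new QName(namespaceURI, x509Token.getTokenType().name());
                switch (x509Token.getTokenType()) {
                    case WssX509V3Token10:
                    case WssX509V3Token11:
                        if (!WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()) || x509Certificate.getVersion() != 3) {
                            return reject(tokenTypePolicy, "X509Certificate Version " + x509Certificate.getVersion()
                                    + " mismatch; Policy enforces " + x509Token.getTokenType());
                        }
                        getPolicyAsserter().assertPolicy(tokenTypePolicy);
                        break;
                    case WssX509V1Token10:
                    case WssX509V1Token11:
                        if (!WSSecurityTokenConstants.X509V1Token.equals(securityToken.getTokenType()) || x509Certificate.getVersion() != 1) {
                            return reject(tokenTypePolicy, "X509Certificate Version " + x509Certificate.getVersion()
                                    + " mismatch; Policy enforces " + x509Token.getTokenType());
                        }
                        getPolicyAsserter().assertPolicy(tokenTypePolicy);
                        break;
                    case WssX509PkiPathV1Token10:
                    case WssX509PkiPathV1Token11:
                        if (!WSSecurityTokenConstants.X509PkiPathV1Token.equals(securityToken.getTokenType())) {
                            return reject(tokenTypePolicy, "Policy enforces " + x509Token.getTokenType()
                                    + " but we got " + securityToken.getTokenType());
                        }
                        getPolicyAsserter().assertPolicy(tokenTypePolicy);
                        break;
                    case WssX509Pkcs7Token10:
                    case WssX509Pkcs7Token11:
                        // PKCS#7 token types are not supported by this state; always rejected.
                        return reject(tokenTypePolicy, "Unsupported token type: " + securityToken.getTokenType());
                    default:
                        break;
                }
            }
            getPolicyAsserter().assertPolicy(getAssertion());
            return true;
        } catch (XMLSecurityException e) {
            // Certificate access failed: treat as a policy failure rather than aborting processing.
            return rejectAssertion(e.getMessage());
        }
    }

    /**
     * Asserts or unasserts the {@code Require*Reference} policy element named by {@code localName}.
     *
     * @param matched whether the key identifier used in the message satisfies the requirement
     * @return {@code true} when asserted, {@code false} when unasserted (error message recorded)
     */
    private boolean checkReference(String namespaceURI, String localName, String label, boolean matched, SecurityToken securityToken) throws WSSPolicyException {
        QName policy = new QName(namespaceURI, localName);
        if (!matched) {
            return reject(policy, "Policy enforces " + label + " but we got " + securityToken.getKeyIdentifier());
        }
        getPolicyAsserter().assertPolicy(policy);
        return true;
    }

    /** Records {@code message}, unasserts the given policy element and returns {@code false}. */
    private boolean reject(QName policy, String message) throws WSSPolicyException {
        setErrorMessage(message);
        getPolicyAsserter().unassertPolicy(policy, getErrorMessage());
        return false;
    }

    /** Records {@code message}, unasserts the whole X509Token assertion and returns {@code false}. */
    private boolean rejectAssertion(String message) throws WSSPolicyException {
        setErrorMessage(message);
        getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
        return false;
    }
}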
