package org.springframework.ws.soap.security.wss4j;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Vector;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPMessage;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.ws.context.DefaultMessageContext;
import org.springframework.ws.context.MessageContext;
import org.springframework.ws.soap.SoapMessage;
import org.springframework.ws.soap.axiom.AxiomSoapMessage;
import org.springframework.ws.soap.axiom.support.AxiomUtils;
import org.springframework.ws.soap.saaj.SaajSoapMessage;
import org.springframework.ws.soap.saaj.SaajSoapMessageException;
import org.springframework.ws.soap.saaj.SaajSoapMessageFactory;
import org.springframework.ws.soap.security.AbstractWsSecurityInterceptor;
import org.springframework.ws.soap.security.WsSecuritySecurementException;
import org.springframework.ws.soap.security.WsSecurityValidationException;
import org.springframework.ws.soap.security.callback.CallbackHandlerChain;
import org.springframework.ws.soap.security.callback.CleanupCallback;
import org.springframework.ws.soap.security.wss4j.callback.UsernameTokenPrincipalCallback;
import org.w3c.dom.Document;

/* loaded from: input_file:org/springframework/ws/soap/security/wss4j/Wss4jSecurityInterceptor.class */
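/**
 * WS-Security interceptor backed by Apache WSS4J.
 *
 * <p>Outgoing messages are secured according to {@code securementActions} (and, independently of
 * those, signature confirmation); incoming messages are validated according to
 * {@code validationActions}. Both action strings are decoded with
 * {@link WSSecurityUtil#decodeAction} into an action bit mask plus the ordered action list that
 * WSS4J's handler consumes.
 *
 * <p>The setters are meant to be called once, at bean initialisation, and
 * {@link #afterPropertiesSet()} checks that the configured combination is usable. Request
 * processing only reads the configured state.
 */
public class Wss4jSecurityInterceptor extends AbstractWsSecurityInterceptor implements InitializingBean {

    /** Message-context property that overrides {@link #setSecurementUsername(String)} for one message. */
    public static final String SECUREMENT_USER_PROPERTY_NAME = "Wss4jSecurityInterceptor.securementUser";

    // Action bits as produced by WSSecurityUtil.decodeAction; these values correspond to WSS4J's
    // WSConstants.UT, WSConstants.SIGN and WSConstants.TS.
    private static final int ACTION_USERNAME_TOKEN = 1;
    private static final int ACTION_SIGNATURE = 2;
    private static final int ACTION_TIMESTAMP = 32;

    // Keys under which a WSSecurityEngineResult exposes the artefacts this interceptor inspects.
    private static final String RESULT_X509_CERTIFICATE = "x509-certificate";
    private static final String RESULT_TIMESTAMP = "timestamp";
    private static final String RESULT_PRINCIPAL = "principal";

    // Message-context property holding the list of WSHandlerResult for processed security headers
    // (WSS4J's WSHandlerConstants.RECV_RESULTS).
    private static final String RECEIVED_RESULTS_PROPERTY = "RECV_RESULTS";

    private int securementAction;
    private String securementActions;
    private Vector<Integer> securementActionsVector;
    private String securementUsername;
    private CallbackHandler validationCallbackHandler;
    private int validationAction;
    private String validationActions;
    private Vector<Integer> validationActionsVector;
    private String validationActor;
    private Crypto validationDecryptionCrypto;
    private Crypto validationSignatureCrypto;
    private boolean enableSignatureConfirmation;
    // When false, the received Timestamp is not checked against validationTimeToLive at all.
    private boolean timestampStrict = true;
    private int validationTimeToLive = 300;
    private int securementTimeToLive = 300;
    private final Wss4jHandler handler = new Wss4jHandler();
    private final WSSecurityEngine securityEngine = WSSecurityEngine.getInstance();

    /**
     * Sets the WSS4J actions applied to outgoing messages (space-separated, e.g. {@code "UsernameToken Timestamp"}).
     *
     * @param str the action string; decoded immediately
     * @throws IllegalArgumentException if WSS4J cannot decode the string
     */
    public void setSecurementActions(String str) {
        this.securementActions = str;
        // decodeAction fills the vector with the individual actions in the given order
        this.securementActionsVector = new Vector<Integer>();
        try {
            this.securementAction = WSSecurityUtil.decodeAction(str, this.securementActionsVector);
        } catch (WSSecurityException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** Sets the SOAP actor/role attribute written on the outgoing security header. */
    public void setSecurementActor(String str) {
        this.handler.setOption("actor", str);
    }

    /** Sets the callback handler that supplies passwords/keys for securing outgoing messages. */
    public void setSecurementCallbackHandler(CallbackHandler callbackHandler) {
        this.handler.setSecurementCallbackHandler(callbackHandler);
    }

    /** Sets several securement callback handlers; they are consulted in order via a {@link CallbackHandlerChain}. */
    public void setSecurementCallbackHandlers(CallbackHandler[] callbackHandlerArr) {
        this.handler.setSecurementCallbackHandler(new CallbackHandlerChain(callbackHandlerArr));
    }

    /** Sets the crypto (key store) used to encrypt outgoing messages. */
    public void setSecurementEncryptionCrypto(Crypto crypto) {
        this.handler.setSecurementEncryptionCrypto(crypto);
    }

    public void setSecurementEncryptionEmbeddedKeyName(String str) {
        this.handler.setOption("EmbeddedKeyName", str);
    }

    public void setSecurementEncryptionKeyIdentifier(String str) {
        this.handler.setOption("encryptionKeyIdentifier", str);
    }

    public void setSecurementEncryptionKeyTransportAlgorithm(String str) {
        this.handler.setOption("encryptionKeyTransportAlgorithm", str);
    }

    public void setSecurementEncryptionParts(String str) {
        this.handler.setOption("encryptionParts", str);
    }

    public void setSecurementEncryptionSymAlgorithm(String str) {
        this.handler.setOption("encryptionSymAlgorithm", str);
    }

    public void setSecurementEncryptionUser(String str) {
        this.handler.setOption("encryptionUser", str);
    }

    /** Sets a fixed password used when securing outgoing messages (alternative to a callback handler). */
    public void setSecurementPassword(String str) {
        this.handler.setSecurementPassword(str);
    }

    public void setSecurementPasswordType(String str) {
        this.handler.setOption("passwordType", str);
    }

    public void setSecurementSignatureAlgorithm(String str) {
        this.handler.setOption("signatureAlgorithm", str);
    }

    /** Sets the crypto (key store) used to sign outgoing messages. */
    public void setSecurementSignatureCrypto(Crypto crypto) {
        this.handler.setSecurementSignatureCrypto(crypto);
    }

    public void setSecurementSignatureKeyIdentifier(String str) {
        this.handler.setOption("signatureKeyIdentifier", str);
    }

    public void setSecurementSignatureParts(String str) {
        this.handler.setOption("signatureParts", str);
    }

    public void setSecurementSignatureUser(String str) {
        this.handler.setOption("signatureUser", str);
    }

    /** Sets the default user name for securing; {@link #SECUREMENT_USER_PROPERTY_NAME} on the context overrides it. */
    public void setSecurementUsername(String str) {
        this.securementUsername = str;
    }

    /**
     * Sets the time-to-live (seconds) written into outgoing Timestamp headers.
     *
     * @throws IllegalArgumentException if {@code i} is not positive
     */
    public void setSecurementTimeToLive(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException("timeToLive must be positive");
        }
        this.securementTimeToLive = i;
    }

    /**
     * Sets the maximum age (seconds) accepted for incoming Timestamp headers when
     * {@link #setTimestampStrict(boolean) timestampStrict} is enabled.
     *
     * @throws IllegalArgumentException if {@code i} is not positive
     */
    public void setValidationTimeToLive(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException("timeToLive must be positive");
        }
        this.validationTimeToLive = i;
    }

    /**
     * @deprecated use {@link #setValidationTimeToLive(int)}; this only affects validation
     */
    @Deprecated
    public void setTimeToLive(int i) {
        setValidationTimeToLive(i);
    }

    /**
     * Sets the WSS4J actions expected on incoming messages (space-separated).
     *
     * @param str the action string; decoded immediately
     * @throws IllegalArgumentException if WSS4J cannot decode the string
     */
    public void setValidationActions(String str) {
        this.validationActions = str;
        try {
            this.validationActionsVector = new Vector<Integer>();
            this.validationAction = WSSecurityUtil.decodeAction(str, this.validationActionsVector);
        } catch (WSSecurityException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** Sets the SOAP actor/role whose security header is processed on validation. */
    public void setValidationActor(String str) {
        this.validationActor = str;
    }

    /** Sets the callback handler used to verify incoming credentials and receive the authenticated principal. */
    public void setValidationCallbackHandler(CallbackHandler callbackHandler) {
        this.validationCallbackHandler = callbackHandler;
    }

    /** Sets several validation callback handlers; they are consulted in order via a {@link CallbackHandlerChain}. */
    public void setValidationCallbackHandlers(CallbackHandler[] callbackHandlerArr) {
        this.validationCallbackHandler = new CallbackHandlerChain(callbackHandlerArr);
    }

    /** Sets the crypto (key store) used to decrypt incoming messages. */
    public void setValidationDecryptionCrypto(Crypto crypto) {
        this.validationDecryptionCrypto = crypto;
    }

    /** Sets the crypto (trust store) used to verify signatures and the trust of signing certificates. */
    public void setValidationSignatureCrypto(Crypto crypto) {
        this.validationSignatureCrypto = crypto;
    }

    /**
     * Enables WS-Security 1.1 signature confirmation. Note that this alone makes
     * {@link #secureMessage} run even when no securement actions are configured.
     */
    public void setEnableSignatureConfirmation(boolean z) {
        this.handler.setOption("enableSignatureConfirmation", z);
        this.enableSignatureConfirmation = z;
    }

    public void setTimestampPrecisionInMilliseconds(boolean z) {
        this.handler.setOption("precisionInMilliseconds", z);
    }

    /**
     * Controls whether incoming timestamps are checked against {@code validationTimeToLive}.
     * Disabling this skips the freshness check entirely, see {@link #verifyTimestamp}.
     */
    public void setTimestampStrict(boolean z) {
        this.timestampStrict = z;
    }

    public void setSecurementMustUnderstand(boolean z) {
        this.handler.setOption("mustUnderstand", z);
    }

    public void setSecurementUsernameTokenElements(String str) {
        this.handler.setOption("addUTElements", str);
    }

    /**
     * Checks that at least one action string is set and that each configured validation action
     * has the collaborator it needs (a callback handler for UsernameToken, a signature crypto for
     * Signature).
     *
     * @throws IllegalArgumentException when the configuration is incomplete
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.isTrue(this.validationActions != null || this.securementActions != null,
                "validationActions or securementActions are required");
        if (this.validationActions != null) {
            if (hasAction(this.validationAction, ACTION_USERNAME_TOKEN)) {
                Assert.notNull(this.validationCallbackHandler, "validationCallbackHandler is required");
            }
            if (hasAction(this.validationAction, ACTION_SIGNATURE)) {
                Assert.notNull(this.validationSignatureCrypto, "validationSignatureCrypto is required");
            }
        }
        // Let the engine accept password Type attributes that carry a namespace prefix.
        this.securityEngine.getWssConfig().setAllowNamespaceQualifiedPasswordTypes(true);
    }

    /** Returns whether the given action bit is set in {@code actionMask}. */
    private static boolean hasAction(int actionMask, int action) {
        return (actionMask & action) != 0;
    }

    /**
     * Applies the configured securement actions (and/or signature confirmation) to the outgoing message.
     *
     * @throws WsSecuritySecurementException wrapping the WSS4J failure
     */
    @Override
    protected void secureMessage(SoapMessage soapMessage, MessageContext messageContext)
            throws WsSecuritySecurementException {
        if (this.securementAction == 0 && !this.enableSignatureConfirmation) {
            // nothing to add to the outgoing message
            return;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Securing message [" + soapMessage + "] with actions [" + this.securementActions + "]");
        }
        RequestData requestData = initializeRequestData(messageContext);
        Document document = toDocument(soapMessage, messageContext);
        // Without securement actions the vector was never filled; hand WSS4J an empty list instead
        // of null. A local is used so request processing does not rewrite shared configuration.
        Vector<Integer> actions = this.securementAction == 0
                ? new Vector<Integer>(0) : this.securementActionsVector;
        try {
            this.handler.doSenderAction(this.securementAction, document, requestData, actions, false);
            replaceMessage(soapMessage, document);
        } catch (WSSecurityException e) {
            throw new Wss4jSecuritySecurementException(e.getMessage(), e);
        }
    }

    /**
     * Builds the WSS4J request data for securing: the user name comes from the
     * {@link #SECUREMENT_USER_PROPERTY_NAME} context property if present, else from the configured default.
     */
    private RequestData initializeRequestData(MessageContext messageContext) {
        RequestData requestData = new RequestData();
        requestData.setMsgContext(messageContext);
        String contextUser = (String) messageContext.getProperty(SECUREMENT_USER_PROPERTY_NAME);
        requestData.setUsername(StringUtils.hasLength(contextUser) ? contextUser : this.securementUsername);
        requestData.setTimeToLive(this.securementTimeToLive);
        return requestData;
    }

    /**
     * Processes the incoming security header and verifies, in order: that the configured actions
     * are all present, certificate trust for the signature, timestamp freshness, and finally hands
     * the UsernameToken principal to the callback handler. The security header is removed from the
     * message afterwards so that it is not processed again downstream.
     *
     * @throws WsSecurityValidationException if no header is present or any check fails
     */
    @Override
    protected void validateMessage(SoapMessage soapMessage, MessageContext messageContext)
            throws WsSecurityValidationException {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Validating message [" + soapMessage + "] with actions [" + this.validationActions + "]");
        }
        if (this.validationAction == 0) {
            // no validation configured
            return;
        }
        Document document = toDocument(soapMessage, messageContext);
        try {
            Vector<WSSecurityEngineResult> results = this.securityEngine.processSecurityHeader(document,
                    this.validationActor, this.validationCallbackHandler, this.validationSignatureCrypto,
                    this.validationDecryptionCrypto);
            if (CollectionUtils.isEmpty(results)) {
                throw new Wss4jSecurityValidationException("No WS-Security header found");
            }
            checkResults(results, this.validationActionsVector);
            updateContextWithResults(messageContext, results);
            verifyCertificateTrust(results);
            verifyTimestamp(results);
            processPrincipal(results);
            replaceMessage(soapMessage, document);
            soapMessage.getEnvelope().getHeader().removeHeaderElement(WS_SECURITY_NAME);
        } catch (WSSecurityException e) {
            throw new Wss4jSecurityValidationException(e.getMessage(), e);
        }
    }

    /**
     * Checks that the processed results cover every configured validation action; the order in
     * which the actions appear in the header is not significant.
     *
     * @throws Wss4jSecurityValidationException on a mismatch
     */
    protected void checkResults(Vector<WSSecurityEngineResult> vector, Vector<Integer> vector2)
            throws Wss4jSecurityValidationException {
        if (!this.handler.checkReceiverResultsAnyOrder(vector, vector2)) {
            throw new Wss4jSecurityValidationException("Security processing failed (actions mismatch)");
        }
    }

    /**
     * Prepends a {@link WSHandlerResult} for this actor to the context's received-results list,
     * creating the list when absent, so later code (and WSS4J's own handlers) can see what was processed.
     */
    private void updateContextWithResults(MessageContext messageContext, Vector<WSSecurityEngineResult> results) {
        @SuppressWarnings("unchecked") // the property is written with this element type (here and by WSS4J handlers)
        Vector<WSHandlerResult> handlerResults =
                (Vector<WSHandlerResult>) messageContext.getProperty(RECEIVED_RESULTS_PROPERTY);
        if (handlerResults == null) {
            handlerResults = new Vector<WSHandlerResult>();
        }
        // most recent result first
        handlerResults.add(0, new WSHandlerResult(this.validationActor, results));
        messageContext.setProperty(RECEIVED_RESULTS_PROPERTY, handlerResults);
    }

    /**
     * Verifies that the certificate used for the Signature action is trusted by the validation
     * signature crypto. Only the signature result's certificate is checked; no signature, no check.
     *
     * @throws Wss4jSecurityValidationException if the certificate is not trusted
     * @throws WSSecurityException if WSS4J cannot evaluate trust
     */
    protected void verifyCertificateTrust(Vector<WSSecurityEngineResult> vector) throws WSSecurityException {
        WSSecurityEngineResult signatureResult = WSSecurityUtil.fetchActionResult(vector, ACTION_SIGNATURE);
        if (signatureResult == null) {
            return;
        }
        RequestData requestData = new RequestData();
        requestData.setSigCrypto(this.validationSignatureCrypto);
        X509Certificate certificate = (X509Certificate) signatureResult.get(RESULT_X509_CERTIFICATE);
        if (!this.handler.verifyTrust(certificate, requestData)) {
            throw new Wss4jSecurityValidationException("The certificate used for the signature is not trusted");
        }
    }

    /**
     * Verifies the received Timestamp against {@code validationTimeToLive}, but only when
     * {@code timestampStrict} is enabled; otherwise the timestamp's age is not checked at all,
     * which leaves a larger window in which a previously captured message is still accepted.
     *
     * @throws Wss4jSecurityValidationException if the timestamp fails verification
     * @throws WSSecurityException if WSS4J cannot evaluate the timestamp
     */
    protected void verifyTimestamp(Vector<WSSecurityEngineResult> vector) throws WSSecurityException {
        WSSecurityEngineResult timestampResult = WSSecurityUtil.fetchActionResult(vector, ACTION_TIMESTAMP);
        if (timestampResult == null) {
            return;
        }
        Timestamp timestamp = (Timestamp) timestampResult.get(RESULT_TIMESTAMP);
        if (timestamp != null && this.timestampStrict
                && !this.handler.verifyTimestamp(timestamp, this.validationTimeToLive)) {
            throw new Wss4jSecurityValidationException("Invalid timestamp : " + timestamp.getID());
        }
    }

    /**
     * Hands the principal established by the UsernameToken action to the validation callback
     * handler. Handlers that do not support the callback are simply skipped; an I/O failure is logged.
     */
    private void processPrincipal(Vector<WSSecurityEngineResult> vector) {
        WSSecurityEngineResult tokenResult = WSSecurityUtil.fetchActionResult(vector, ACTION_USERNAME_TOKEN);
        if (tokenResult == null) {
            return;
        }
        Principal principal = (Principal) tokenResult.get(RESULT_PRINCIPAL);
        if (!(principal instanceof WSUsernameTokenPrincipal)) {
            // covers a missing principal as well
            return;
        }
        Callback callback = new UsernameTokenPrincipalCallback((WSUsernameTokenPrincipal) principal);
        try {
            this.validationCallbackHandler.handle(new Callback[] {callback});
        } catch (IOException e) {
            this.logger.warn("Principal callback resulted in IOException", e);
        } catch (UnsupportedCallbackException ignored) {
            // the handler is not interested in the principal; that is allowed
        }
    }

    /**
     * Returns a DOM document WSS4J can work on. For SAAJ messages the message is re-parsed through
     * the context's SAAJ factory, installed back into {@code soapMessage}, and its SOAP part is
     * returned, so WSS4J edits the live message. For Axiom messages the envelope is converted to
     * a detached DOM, which {@link #replaceMessage} later writes back.
     *
     * @throws IllegalArgumentException for unsupported message types
     * @throws SaajSoapMessageException if the SAAJ round trip fails
     */
    private Document toDocument(SoapMessage soapMessage, MessageContext messageContext) {
        if (soapMessage instanceof AxiomSoapMessage) {
            return AxiomUtils.toDocument(((AxiomSoapMessage) soapMessage).getAxiomMessage().getSOAPEnvelope());
        }
        if (!(soapMessage instanceof SaajSoapMessage)) {
            throw new IllegalArgumentException("Message type not supported [" + soapMessage + "]");
        }
        SaajSoapMessage saajSoapMessage = (SaajSoapMessage) soapMessage;
        Assert.isInstanceOf(DefaultMessageContext.class, messageContext);
        DefaultMessageContext defaultMessageContext = (DefaultMessageContext) messageContext;
        Assert.isInstanceOf(SaajSoapMessageFactory.class, defaultMessageContext.getMessageFactory());
        MessageFactory messageFactory = defaultMessageContext.getMessageFactory().getMessageFactory();
        try {
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            saajSoapMessage.writeTo(buffer);
            SOAPMessage reparsed = messageFactory.createMessage(saajSoapMessage.getSaajMessage().getMimeHeaders(),
                    new ByteArrayInputStream(buffer.toByteArray()));
            saajSoapMessage.setSaajMessage(reparsed);
            return reparsed.getSOAPPart();
        } catch (Exception e) {
            // boundary: every failure of the round trip surfaces as one domain exception
            throw new SaajSoapMessageException("Could not save changes", e);
        }
    }

    /**
     * Writes a DOM modified by WSS4J back into an Axiom message, preserving the SOAP action.
     * SAAJ messages need nothing here because {@link #toDocument} already installed the live SOAP part.
     */
    private void replaceMessage(SoapMessage soapMessage, Document document) {
        if (!(soapMessage instanceof AxiomSoapMessage)) {
            return;
        }
        AxiomSoapMessage axiomSoapMessage = (AxiomSoapMessage) soapMessage;
        String soapAction = axiomSoapMessage.getSoapAction();
        SOAPEnvelope envelope = AxiomUtils.toEnvelope(document);
        org.apache.axiom.soap.SOAPMessage replacement =
                axiomSoapMessage.getAxiomMessage().getOMFactory().createSOAPMessage();
        replacement.setSOAPEnvelope(envelope);
        axiomSoapMessage.setAxiomMessage(replacement);
        // setAxiomMessage does not carry the action over, so restore it explicitly
        axiomSoapMessage.setSoapAction(soapAction);
    }

    /** Gives the validation callback handler a chance to release per-message state. */
    @Override
    protected void cleanUp() {
        if (this.validationCallbackHandler == null) {
            return;
        }
        try {
            this.validationCallbackHandler.handle(new Callback[] {new CleanupCallback()});
        } catch (IOException e) {
            this.logger.warn("Cleanup callback resulted in IOException", e);
        } catch (UnsupportedCallbackException ignored) {
            // handlers without cleanup needs may reject the callback
        }
    }
}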
