package org.apache.cxf.rs.security.xml;

import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.ext.ReaderInterceptor;
import jakarta.ws.rs.ext.ReaderInterceptorContext;
import java.io.IOException;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.StaxInInterceptor;
import org.apache.cxf.jaxrs.ext.search.fiql.FiqlParser;
import org.apache.cxf.jaxrs.impl.ReaderInterceptorContextImpl;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.RSSecurityUtils;
import org.apache.cxf.rs.security.common.TrustValidator;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.http.protocol.HTTP;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.XMLSec;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.stax.impl.securityToken.KeyNameSecurityToken;
import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.SecurityToken;

/* loaded from: input_file:org/apache/cxf/rs/security/xml/XmlSecInInterceptor.class */
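/**
 * Inbound JAX-RS interceptor that verifies XML Signature and/or decrypts XML Encryption on a
 * message body using the streaming (StAX) Santuario API.
 *
 * <p>It is scheduled after {@link StaxInInterceptor}, wraps the message's {@link XMLStreamReader}
 * in an inbound security processor and appends a {@link StaxActionInInterceptor} to the chain that
 * later rejects the message if a required signature or encryption was not actually observed. The
 * same logic is exposed as a JAX-RS {@link ReaderInterceptor} through {@link #aroundReadFrom}.
 *
 * <p>Key material is obtained through {@link CryptoLoader} from the configured signature /
 * encryption crypto properties; signing certificates are checked with {@link TrustValidator}
 * against the configured subject DN constraints. Algorithm usage reported by the security event
 * stream is checked against {@link EncryptionProperties} and {@link SignatureProperties} when set.
 *
 * <p>Instances are typically shared across requests, so per-message state is kept on the
 * {@link Message}/Exchange rather than in fields; only the configuration setters mutate fields.
 */
public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> implements ReaderInterceptor {
    private static final Logger LOG = LogUtils.getL7dLogger(XmlSecInInterceptor.class);
    /** Message/Exchange key under which the list of observed {@link SecurityEvent}s is published. */
    private static final String SECURITY_EVENTS_KEY = SecurityEvent.class.getName() + ".in";
    /** The enveloped-signature transform is always permitted regardless of the configured c14n transform. */
    private static final String ENVELOPED_SIGNATURE_TRANSFORM =
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature";

    private EncryptionProperties encryptionProperties;
    private SignatureProperties sigProps;
    private String decryptionAlias;
    private String signatureVerificationAlias;
    // When true the validated signing certificate is stored on the message (X509Certificate content).
    private boolean persistSignature;
    private boolean requireSignature;
    private boolean requireEncryption;
    // Statically configured subject DN constraints; a per-message property may override them per request.
    private Collection<Pattern> subjectDNPatterns;

    /**
     * Runs at {@link Phase#PRE_LOGICAL}, once the body has been streamed through the security
     * processor, and rejects the message with HTTP 400 if a required signature or encryption was
     * not observed by the listener installed in {@link #configureSecurityEventListener}.
     */
    private static class StaxActionInInterceptor extends AbstractPhaseInterceptor<Message> {
        private static final Logger LOG = LogUtils.getL7dLogger(StaxActionInInterceptor.class);
        private final boolean signatureRequired;
        private final boolean encryptionRequired;

        StaxActionInInterceptor(boolean signatureRequired, boolean encryptionRequired) {
            super(Phase.PRE_LOGICAL);
            this.signatureRequired = signatureRequired;
            this.encryptionRequired = encryptionRequired;
        }

        /**
         * Checks the recorded security events against the required actions.
         *
         * @param message the message whose events were recorded under {@link #SECURITY_EVENTS_KEY}
         * @throws Fault never directly; failures surface as the 400 thrown by {@link #throwFault}
         */
        @Override
        public void handleMessage(Message message) throws Fault {
            if (!signatureRequired && !encryptionRequired) {
                return;
            }
            @SuppressWarnings("unchecked")
            List<SecurityEvent> events = (List<SecurityEvent>) message.get(SECURITY_EVENTS_KEY);
            if (events == null) {
                // No listener output at all: the body was neither signed nor encrypted.
                LOG.warning("Security processing failed (actions mismatch)");
                reject("The request was not signed or encrypted");
            }
            if (signatureRequired && !isEventInResults(SecurityEventConstants.SignatureValue, events)) {
                LOG.warning("The request was not signed");
                reject("The request was not signed");
            }
            if (encryptionRequired && !isEventInResults(SecurityEventConstants.EncryptedElement, events)) {
                LOG.warning("The request was not encrypted");
                reject("The request was not encrypted");
            }
        }

        /** Builds the localized "empty" security exception for {@code reason} and turns it into a fault. */
        private void reject(String reason) {
            XMLSecurityException ex = new XMLSecurityException("empty", new Object[]{reason});
            throwFault(ex.getMessage(), ex);
        }

        /** @return whether an event of exactly type {@code event} was recorded. */
        private boolean isEventInResults(SecurityEventConstants.Event event, List<SecurityEvent> events) {
            for (SecurityEvent recorded : events) {
                if (event == recorded.getSecurityEventType()) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Logs {@code error} and throws a 400 Bad Request carrying it as the entity.
         *
         * @param error text returned to the client
         * @param ex    the underlying cause (not included in the response)
         */
        protected void throwFault(String error, Exception ex) {
            LOG.warning(error);
            throw ExceptionUtils.toBadRequestException(null,
                JAXRSUtils.toResponseBuilder(400).entity(error).build());
        }
    }

    public XmlSecInInterceptor() {
        super(Phase.POST_STREAM);
        this.persistSignature = true;
        this.subjectDNPatterns = new ArrayList<>();
        // The StAX reader has to be installed on the message before this interceptor wraps it.
        getAfter().add(StaxInInterceptor.class.getName());
    }

    /**
     * Wraps the message's XML stream in the inbound security processor and schedules the
     * action check for later in the chain.
     *
     * @param message the inbound message
     * @throws Fault if the security configuration cannot be applied (via {@link #throwFault})
     */
    @Override
    public void handleMessage(Message message) throws Fault {
        if (!canDocumentBeRead(message)) {
            return;
        }
        prepareMessage(message);
        message.getInterceptorChain().add(new StaxActionInInterceptor(requireSignature, requireEncryption));
    }

    /**
     * Configures decryption and signature-verification keys and replaces the message's
     * {@link XMLStreamReader} with one that performs XML Security processing while it is read.
     *
     * @param message the inbound message
     * @throws Fault on any configuration or processing error; note that the exception's message
     *               is returned to the client in the 400 response body
     */
    private void prepareMessage(Message message) throws Fault {
        XMLStreamReader reader = message.getContent(XMLStreamReader.class);
        if (reader == null) {
            InputStream body = message.getContent(InputStream.class);
            if (body != null) {
                reader = StaxUtils.createXMLStreamReader(body);
            }
        }
        // If neither content is present, reader stays null and is handed to the processor as-is
        // (original behaviour preserved; the processor is expected to fail in that case).
        try {
            XMLSecurityProperties properties = new XMLSecurityProperties();
            configureDecryptionKeys(message, properties);
            Crypto signatureCrypto = getSignatureCrypto(message);
            configureSignatureKeys(signatureCrypto, message, properties);
            SecurityEventListener listener = configureSecurityEventListener(signatureCrypto, message, properties);
            XMLStreamReader secured = XMLSec.getInboundWSSec(properties).processInMessage(reader, null, listener);
            message.setContent(XMLStreamReader.class, secured);
        } catch (XMLStreamException | IOException | UnsupportedCallbackException | XMLSecurityException e) {
            throwFault(e.getMessage(), e);
        }
    }

    /**
     * @return false for server-side GET requests (no body) and for responses whose status is
     *         set and not 200; true otherwise
     */
    private boolean canDocumentBeRead(Message message) {
        if (isServerGet(message)) {
            return false;
        }
        Integer responseCode = (Integer) message.get(Message.RESPONSE_CODE);
        // Presumably error responses are not expected to be signed/encrypted; only 200 bodies are processed.
        return responseCode == null || responseCode.intValue() == 200;
    }

    /** @return true if this is an HTTP GET being handled on the server side. */
    private boolean isServerGet(Message message) {
        return "GET".equals(message.get(Message.HTTP_REQUEST_METHOD)) && !MessageUtils.isRequestor(message);
    }

    /**
     * Loads the decryption keystore and, if an alias can be determined, installs the matching
     * private key (password obtained via the configured {@link CallbackHandler}).
     *
     * @param message    the inbound message
     * @param properties the security properties being built for this message
     */
    private void configureDecryptionKeys(Message message, XMLSecurityProperties properties)
        throws IOException, UnsupportedCallbackException, WSSecurityException {
        // In the signed+encrypted two-way case the two keystores swap roles.
        final String cryptoKey;
        final String propertiesKey;
        if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
            cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
            propertiesKey = SecurityConstants.SIGNATURE_PROPERTIES;
        } else {
            cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
            propertiesKey = SecurityConstants.ENCRYPT_PROPERTIES;
        }
        Crypto crypto = loadCrypto(message, cryptoKey, propertiesKey);
        if (crypto == null) {
            return;
        }
        String alias = decryptionAlias != null ? decryptionAlias : crypto.getDefaultX509Identifier();
        if (alias == null) {
            return;
        }
        CallbackHandler handler = RSSecurityUtils.getCallbackHandler(message, getClass());
        WSPasswordCallback passwordCallback = new WSPasswordCallback(alias, WSPasswordCallback.DECRYPT);
        handler.handle(new Callback[]{passwordCallback});
        properties.setDecryptionKey(crypto.getPrivateKey(alias, passwordCallback.getPassword()));
    }

    /**
     * Loads the keystore used for signature verification (swapped with the encryption keystore in
     * the signed+encrypted two-way case).
     *
     * @return the loaded {@link Crypto}, or null when loading failed and {@link #throwFault} did not throw
     */
    private Crypto getSignatureCrypto(Message message) {
        final String cryptoKey;
        final String propertiesKey;
        if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
            cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
            propertiesKey = SecurityConstants.ENCRYPT_PROPERTIES;
        } else {
            cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
            propertiesKey = SecurityConstants.SIGNATURE_PROPERTIES;
        }
        return loadCrypto(message, cryptoKey, propertiesKey);
    }

    /** Shared keystore loader; converts any loading failure into a 400 via {@link #throwFault}. */
    private Crypto loadCrypto(Message message, String cryptoKey, String propertiesKey) {
        try {
            return new CryptoLoader().getCrypto(message, cryptoKey, propertiesKey);
        } catch (Exception e) {
            throwFault("Crypto can not be loaded", e);
            return null;
        }
    }

    /**
     * Installs the signature verification key(s): either the single configured alias, or the
     * ds:KeyName to alias mappings from {@link SignatureProperties}.
     *
     * @param crypto     the signature keystore (may be null, in which case nothing is configured)
     * @param message    the inbound message (unused, kept for signature compatibility)
     * @param properties the security properties being built for this message
     */
    private void configureSignatureKeys(Crypto crypto, Message message, XMLSecurityProperties properties)
        throws IOException, UnsupportedCallbackException, WSSecurityException {
        if (crypto == null) {
            return;
        }
        if (signatureVerificationAlias != null) {
            // An explicit alias pins the verification key; KeyName mappings are not consulted.
            PublicKey key = lookupPublicKey(crypto, signatureVerificationAlias);
            if (key != null) {
                properties.setSignatureVerificationKey(key);
            }
            return;
        }
        if (sigProps == null || sigProps.getKeyNameAliasMap() == null) {
            return;
        }
        for (Map.Entry<String, String> mapping : sigProps.getKeyNameAliasMap().entrySet()) {
            PublicKey key = lookupPublicKey(crypto, mapping.getValue());
            if (key != null) {
                properties.addKeyNameMapping(mapping.getKey(), key);
            }
        }
    }

    /** @return the public key of the first certificate stored under {@code alias}, or null if none. */
    private static PublicKey lookupPublicKey(Crypto crypto, String alias) throws WSSecurityException {
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(alias);
        X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
        if (certs == null || certs.length == 0) {
            return null;
        }
        return certs[0].getPublicKey();
    }

    /**
     * Creates the listener that enforces algorithm and trust policy as events arrive and records
     * every event on both the message and the exchange under {@link #SECURITY_EVENTS_KEY}.
     *
     * @param crypto     the signature keystore used for trust validation
     * @param message    the inbound message
     * @param properties the security properties (unused here, kept for signature compatibility)
     * @return the listener to hand to the inbound security processor
     */
    protected SecurityEventListener configureSecurityEventListener(final Crypto crypto, final Message message,
                                                                   XMLSecurityProperties properties) {
        final List<SecurityEvent> events = new LinkedList<>();
        SecurityEventListener listener = new SecurityEventListener() {
            @Override
            public void registerSecurityEvent(SecurityEvent event) throws XMLSecurityException {
                SecurityEventConstants.Event type = event.getSecurityEventType();
                if (type == SecurityEventConstants.AlgorithmSuite) {
                    if (encryptionProperties != null) {
                        checkEncryptionAlgorithms((AlgorithmSuiteSecurityEvent) event);
                    }
                    if (sigProps != null) {
                        checkSignatureAlgorithms((AlgorithmSuiteSecurityEvent) event);
                    }
                } else if (type != SecurityEventConstants.EncryptedKeyToken && event instanceof TokenSecurityEvent) {
                    // Encrypted-key tokens are our own decryption key, not a signer to be trusted.
                    checkSignatureTrust(crypto, message, (TokenSecurityEvent<?>) event);
                }
                events.add(event);
            }
        };
        message.getExchange().put(SECURITY_EVENTS_KEY, events);
        message.put(SECURITY_EVENTS_KEY, events);
        return listener;
    }

    /**
     * Rejects encryption algorithms that differ from those configured in {@link EncryptionProperties}.
     * Requires {@code encryptionProperties} to be non-null.
     *
     * @throws XMLSecurityException if a configured algorithm does not match the one used
     */
    public void checkEncryptionAlgorithms(AlgorithmSuiteSecurityEvent event) throws XMLSecurityException {
        String uri = event.getAlgorithmURI();
        if (XMLSecurityConstants.Enc.equals(event.getAlgorithmUsage())) {
            requireAllowed(encryptionProperties.getEncryptionSymmetricKeyAlgo(), uri, "symmetric encryption");
        } else if (XMLSecurityConstants.Sym_Key_Wrap.equals(event.getAlgorithmUsage())
            || XMLSecurityConstants.Asym_Key_Wrap.equals(event.getAlgorithmUsage())) {
            requireAllowed(encryptionProperties.getEncryptionKeyTransportAlgo(), uri, "key transport");
        } else if (XMLSecurityConstants.EncDig.equals(event.getAlgorithmUsage())) {
            requireAllowed(encryptionProperties.getEncryptionDigestAlgo(), uri, "encryption digest");
        }
    }

    /**
     * Rejects signature algorithms that differ from those configured in {@link SignatureProperties}.
     * Requires {@code sigProps} to be non-null.
     *
     * @throws XMLSecurityException if a configured algorithm does not match the one used
     */
    public void checkSignatureAlgorithms(AlgorithmSuiteSecurityEvent event) throws XMLSecurityException {
        String uri = event.getAlgorithmURI();
        if (XMLSecurityConstants.Asym_Sig.equals(event.getAlgorithmUsage())
            || XMLSecurityConstants.Sym_Sig.equals(event.getAlgorithmUsage())) {
            requireAllowed(sigProps.getSignatureAlgo(), uri, "signature");
        } else if (XMLSecurityConstants.SigDig.equals(event.getAlgorithmUsage())) {
            requireAllowed(sigProps.getSignatureDigestAlgo(), uri, "signature digest");
        } else if (XMLSecurityConstants.SigC14n.equals(event.getAlgorithmUsage())) {
            requireAllowed(sigProps.getSignatureC14nMethod(), uri, "signature c14n");
        } else if (XMLSecurityConstants.SigTransform.equals(event.getAlgorithmUsage())
            && !ENVELOPED_SIGNATURE_TRANSFORM.equals(uri)) {
            requireAllowed(sigProps.getSignatureC14nTransform(), uri, "signature transformation");
        }
    }

    /**
     * Throws unless {@code expected} is unset or equal to {@code actual}.
     *
     * @param expected the configured algorithm URI, or null if not constrained
     * @param actual   the algorithm URI reported by the security event
     * @param label    human-readable algorithm category used in the error text
     */
    private static void requireAllowed(String expected, String actual, String label) throws XMLSecurityException {
        if (expected != null && !expected.equals(actual)) {
            throw new XMLSecurityException("empty",
                new Object[]{"The " + label + " algorithm " + actual + " is not allowed"});
        }
    }

    /**
     * Validates trust in the token that produced a signature and optionally persists its
     * certificate on the message.
     *
     * @param crypto     the signature keystore
     * @param message    the inbound message
     * @param tokenEvent the token event; ignored if it carries no token
     * @throws XMLSecurityException if trust validation fails or the KeyName lookup fails
     */
    public void checkSignatureTrust(Crypto crypto, Message message, TokenSecurityEvent<?> tokenEvent)
        throws XMLSecurityException {
        SecurityToken token = tokenEvent.getSecurityToken();
        if (token == null) {
            return;
        }
        X509Certificate[] certs = token.getX509Certificates();
        if (certs == null && token.getPublicKey() == null && token instanceof KeyNameSecurityToken) {
            // Only a ds:KeyName was supplied: resolve it to a keystore alias.
            certs = getX509CertificatesForKeyName(crypto, message, (KeyNameSecurityToken) token);
        }
        PublicKey publicKey = token.getPublicKey();
        X509Certificate cert = (certs != null && certs.length > 0) ? certs[0] : null;
        try {
            new TrustValidator().validateTrust(crypto, cert, publicKey, getSubjectContraints(message));
        } catch (WSSecurityException e) {
            // The detailed reason is kept out of the client-facing message but logged for diagnosis.
            LOG.log(Level.FINE, "Signature trust validation failed", e);
            throw new XMLSecurityException("empty", new Object[]{"Signature validation failed"});
        }
        if (persistSignature) {
            message.setContent(X509Certificate.class, cert);
        }
    }

    /**
     * Resolves a ds:KeyName via the configured KeyName-to-alias map and loads the certificates
     * stored under that alias (a null alias is passed through to {@link RSSecurityUtils}).
     *
     * @throws XMLSecurityException if the certificate lookup fails
     */
    private X509Certificate[] getX509CertificatesForKeyName(Crypto crypto, Message message,
                                                          KeyNameSecurityToken keyNameToken)
        throws XMLSecurityException {
        String keyName = keyNameToken.getKeyName();
        String alias = null;
        if (sigProps != null && sigProps.getKeyNameAliasMap() != null) {
            alias = sigProps.getKeyNameAliasMap().get(keyName);
        }
        try {
            return RSSecurityUtils.getCertificates(crypto, alias);
        } catch (Exception e) {
            LOG.log(Level.FINE, "Certificate lookup for KeyName failed", e);
            throw new XMLSecurityException("empty", new Object[]{"Error during Signature Trust validation"});
        }
    }

    /**
     * Logs {@code error} and throws a 400 Bad Request with {@code error} as a text/plain entity.
     *
     * @param error text returned to the client
     * @param ex    the underlying cause (not included in the response)
     */
    protected void throwFault(String error, Exception ex) {
        LOG.warning(error);
        throw ExceptionUtils.toBadRequestException(null,
            JAXRSUtils.toResponseBuilder(400).entity(error).type(HTTP.PLAIN_TEXT_TYPE).build());
    }

    public void setEncryptionProperties(EncryptionProperties encryptionProperties) {
        this.encryptionProperties = encryptionProperties;
    }

    public void setSignatureProperties(SignatureProperties signatureProperties) {
        this.sigProps = signatureProperties;
    }

    public String getDecryptionAlias() {
        return decryptionAlias;
    }

    public void setDecryptionAlias(String decryptionAlias) {
        this.decryptionAlias = decryptionAlias;
    }

    public String getSignatureVerificationAlias() {
        return signatureVerificationAlias;
    }

    public void setSignatureVerificationAlias(String signatureVerificationAlias) {
        this.signatureVerificationAlias = signatureVerificationAlias;
    }

    public void setPersistSignature(boolean persistSignature) {
        this.persistSignature = persistSignature;
    }

    public boolean isRequireSignature() {
        return requireSignature;
    }

    public void setRequireSignature(boolean requireSignature) {
        this.requireSignature = requireSignature;
    }

    public boolean isRequireEncryption() {
        return requireEncryption;
    }

    public void setRequireEncryption(boolean requireEncryption) {
        this.requireEncryption = requireEncryption;
    }

    /**
     * Sets the subject DN constraints that a signing certificate must match.
     *
     * @param constraints regular expressions (whitespace is trimmed); null leaves the current value
     * @throws PatternSyntaxException if an expression is invalid; the previous constraints are kept
     */
    public void setSubjectConstraints(List<String> constraints) {
        if (constraints == null) {
            return;
        }
        List<Pattern> patterns = new ArrayList<>(constraints.size());
        for (String constraint : constraints) {
            patterns.add(Pattern.compile(constraint.trim()));
        }
        this.subjectDNPatterns = patterns;
    }

    /**
     * Returns the subject DN constraints to apply to {@code message}: the value of the
     * {@link SecurityConstants#SUBJECT_CERT_CONSTRAINTS} message property when present (split on
     * {@link FiqlParser#OR}), otherwise the statically configured patterns.
     *
     * @throws PatternSyntaxException if a per-message expression is invalid
     */
    private Collection<Pattern> getSubjectContraints(Message message) throws PatternSyntaxException {
        String constraints =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, message);
        if (constraints == null) {
            return subjectDNPatterns;
        }
        // The per-message property applies to this message only. A fresh list is built instead of
        // mutating the shared field, so one request's constraints can neither leak into later
        // requests nor race with concurrent ones reading the configured patterns.
        List<Pattern> patterns = new ArrayList<>();
        for (String constraint : constraints.split(FiqlParser.OR)) {
            patterns.add(Pattern.compile(constraint.trim()));
        }
        return patterns;
    }

    /**
     * {@link ReaderInterceptor} entry point: performs the same processing as
     * {@link #handleMessage} around the entity read, then runs the action check immediately.
     *
     * @return the entity produced by the rest of the reader chain
     * @throws IOException             from the reader chain
     * @throws WebApplicationException if security processing or the action check fails
     */
    @Override
    public Object aroundReadFrom(ReaderInterceptorContext context) throws IOException, WebApplicationException {
        Message message = ((ReaderInterceptorContextImpl) context).getMessage();
        if (!canDocumentBeRead(message)) {
            return context.proceed();
        }
        prepareMessage(message);
        Object entity = context.proceed();
        new StaxActionInInterceptor(requireSignature, requireEncryption).handleMessage(message);
        return entity;
    }
}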
