package org.globus.wsrf.impl.security.authentication.wssec;

import java.io.ByteArrayInputStream;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.rpc.handler.MessageContext;
import javax.xml.soap.Name;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPHeaderElement;
import org.apache.axis.message.addressing.MessageID;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.EncryptionConstants;
import org.apache.xml.security.utils.IdResolver;
import org.globus.gsi.CertUtil;
import org.globus.gsi.CertificateRevocationLists;
import org.globus.gsi.TrustedCertificates;
import org.globus.gsi.gssapi.GSSConstants;
import org.globus.gsi.jaas.GlobusPrincipal;
import org.globus.gsi.jaas.PasswordCredential;
import org.globus.gsi.jaas.UserNamePrincipal;
import org.globus.gsi.proxy.ProxyPathValidator;
import org.globus.util.I18n;
import org.globus.wsrf.NoResourceHomeException;
import org.globus.wsrf.Resource;
import org.globus.wsrf.ResourceContext;
import org.globus.wsrf.ResourceContextException;
import org.globus.wsrf.ResourceException;
import org.globus.wsrf.impl.security.authentication.Constants;
import org.globus.wsrf.impl.security.authentication.ContextCrypto;
import org.globus.wsrf.impl.security.authentication.secureconv.service.SecurityContext;
import org.globus.wsrf.impl.security.authentication.signature.SignatureGSS;
import org.globus.wsrf.impl.security.descriptor.SecurityPropertiesHelper;
import org.globus.wsrf.impl.security.util.EnvelopeConverter;
import org.globus.wsrf.utils.ContextUtils;
import org.globus.wsrf.utils.XmlUtils;
import org.gridforum.jgss.ExtendedGSSContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.Text;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/ghn-core-runtime-1.0.0.jar:org/globus/wsrf/impl/security/authentication/wssec/WSSecurityEngine.class
 */
/* loaded from: input_file:WEB-INF/lib/wsrf-core-4.0.4.jar:org/globus/wsrf/impl/security/authentication/wssec/WSSecurityEngine.class */
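/**
 * Inbound WS-Security processing for a SOAP envelope: locates the
 * {@code wsse:Security} header(s) addressed to this node, verifies XML
 * signatures, decrypts XML-Encryption payloads, consumes UsernameTokens and
 * applies the timestamp / replay checks, recording the established peer
 * identity in the {@link Subject} held in the message context.
 *
 * <p>Subclasses supply the signature-verification and decryption strategies
 * (GSS-based and plain XML) through the abstract methods.
 *
 * <p>This listing was recovered from a decompiled class file; the two
 * {@code class$} members are the compiler's pre-Java-5 class-literal idiom
 * and are kept for binary compatibility with sibling classes.
 */
public abstract class WSSecurityEngine {
    protected static I18n i18n = I18n.getI18n("org.globus.wsrf.impl.security.authentication.wssec.errors");
    private static Log log;
    public static final String SIG_LN = "Signature";
    private org.apache.ws.security.WSSecurityEngine wssEngine;
    private static ContextCrypto crypto;
    static Class class$org$globus$wsrf$impl$security$authentication$wssec$WSSecurityEngine;

    /** XML Digital Signature namespace. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** XML Encryption namespace. */
    private static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    /** SOAP 1.1 envelope namespace; owner of the {@code actor} attribute. */
    private static final String SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    /** WS-Addressing (March 2004) namespace the MessageID header is looked up in. */
    private static final String WSA_NS = "http://schemas.xmlsoap.org/ws/2004/03/addressing";
    /** SOAP 1.1 "next" actor, accepted in addition to this node's own actor. */
    private static final String SOAP_ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next";
    /** Namespace of xmlns declarations; used when stripping the xenc prefix declaration. */
    private static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    /** Context property set to TRUE once a UsernameToken has been consumed. */
    private static final String USERNAME_AUTHZ_PROPERTY = "userNameAuthz";
    /** Context property the envelope-level entry point reads this node's actor from. */
    private static final String ACTOR_PROPERTY = "actor";

    /**
     * Verifies one {@code ds:Signature} element of a Security header.
     *
     * <p>The signature method URI selects the verifier: {@link SignatureGSS#URI}
     * goes to {@link #verifyGssXMLSignature}, anything else to
     * {@link #verifyXMLSignature(XMLSignature, MessageContext)}. When the
     * signature verifies and {@code isRequest} is set, the signed references are
     * additionally required to cover the headers dispatch relies on (see
     * {@link #enforceSecureDispatchHeaders}), so a valid signature over the
     * wrong elements is still rejected.
     *
     * @param element        the {@code ds:Signature} element
     * @param messageContext the current message context
     * @param isRequest      true for an inbound request (enables the header coverage check)
     * @return the verifier's result
     * @throws Exception on malformed signatures, verification failure or an
     *                   unsigned required header
     */
    public boolean handleSignatureElement(Element element, MessageContext messageContext, boolean isRequest) throws Exception {
        normalize(element);
        XMLSignature signature = new XMLSignature(element, null);
        signature.addResourceResolver(EnvelopeIdResolver.getInstance(WSSConfig.getDefaultWSConfig()));
        SignedInfo signedInfo = signature.getSignedInfo();
        boolean verified;
        // Constant-first comparison so a missing SignatureMethod URI falls through
        // to the plain verifier instead of failing with an NPE here.
        if (SignatureGSS.URI.equalsIgnoreCase(signedInfo.getSignatureMethodURI())) {
            log.debug("Found GSS XML signature");
            verified = verifyGssXMLSignature(signature, messageContext);
        } else {
            log.debug("Found XML signature");
            verified = verifyXMLSignature(signature, messageContext);
        }
        if (verified) {
            enforceSecureDispatchHeaders(signedInfo, messageContext, isRequest);
        }
        return verified;
    }

    /**
     * Requires every header the service dispatch trusts to be covered by the
     * verified signature.
     *
     * <p>The set of signed elements is the union, over all references in
     * {@code signedInfo}, of the element nodes in each reference's
     * pre-transformation node set. The required set is the
     * {@link Constants#ENFORCED_SECURE_HEADERS} map from the context plus the
     * resource-key header of the target resource (when one exists); the latter is
     * added to the context's map in place, as the original did. Any required
     * header missing from the signed set raises {@code insecureHeader}.
     *
     * @param signedInfo     the SignedInfo of an already verified signature
     * @param messageContext the current message context
     * @param isRequest      only requests are checked; responses return immediately
     * @throws Exception when a required header is not signed
     */
    protected void enforceSecureDispatchHeaders(SignedInfo signedInfo, MessageContext messageContext, boolean isRequest) throws Exception {
        Set<QName> signedElements = new HashSet<QName>();
        int referenceCount = signedInfo.getLength();
        for (int i = 0; i < referenceCount; i++) {
            Reference reference = signedInfo.item(i);
            log.debug("Reference URI " + reference.getURI());
            Set<?> nodeSet = reference.getContentsBeforeTransformation().getNodeSet();
            for (Object o : nodeSet) {
                Node node = (Node) o;
                if (node.getNodeType() == Node.ELEMENT_NODE) {
                    QName name = new QName(node.getNamespaceURI(), node.getLocalName());
                    log.debug("Adding Qname " + name);
                    signedElements.add(name);
                }
            }
        }
        if (!isRequest) {
            return;
        }
        // Cast to the Map interface: anything narrower than HashMap would have
        // thrown a ClassCastException here without adding safety.
        @SuppressWarnings("unchecked")
        Map<Object, Object> required = (Map<Object, Object>) messageContext.getProperty(Constants.ENFORCED_SECURE_HEADERS);
        QName resourceKeyHeader = getResourceKeyHeaderQName(messageContext);
        log.debug("Key name " + resourceKeyHeader);
        if (resourceKeyHeader != null) {
            if (required == null) {
                required = new HashMap<Object, Object>();
            }
            required.put(resourceKeyHeader, "");
        }
        if (required == null) {
            return;
        }
        for (Object header : required.keySet()) {
            if (!signedElements.contains(header)) {
                throw new WSSecurityException(0, "insecureHeader", new Object[]{header});
            }
        }
    }

    /**
     * Returns the qualified name of the resource-key header of the resource the
     * message is addressed to, or null when the service has no resource home or
     * the resource context carries no key header.
     *
     * @param messageContext the current message context (an Axis context)
     * @return the key header's QName, or null
     * @throws Exception propagated from the resource-context lookup, other than
     *                   {@link NoResourceHomeException}, which yields null
     */
    protected QName getResourceKeyHeaderQName(MessageContext messageContext) throws Exception {
        SOAPHeaderElement keyHeader;
        try {
            keyHeader = ResourceContext.getResourceContext((org.apache.axis.MessageContext) messageContext).getResourceKeyHeader();
        } catch (NoResourceHomeException e) {
            // A service without a resource home has no key header to require.
            log.debug(e);
            return null;
        }
        if (keyHeader == null) {
            return null;
        }
        Name name = keyHeader.getElementName();
        return new QName(name.getURI(), name.getLocalName());
    }

    /**
     * Verifies a signature whose SignatureMethod is {@link SignatureGSS#URI}.
     *
     * @return true when the signature verified
     * @throws Exception on verification failure
     */
    public abstract boolean verifyGssXMLSignature(XMLSignature xMLSignature, MessageContext messageContext) throws Exception;

    /**
     * Extracts the certificate chain carried inline in a KeyInfo's X509Data.
     *
     * <p>Exactly one X509Data element with at least one X509Certificate is
     * accepted; the certificates are returned in document order, so the first
     * entry is the one the signature is checked against.
     *
     * @param keyInfo the KeyInfo of the signature
     * @return the parsed certificates, never empty
     * @throws Exception {@code invalidX509Data} / {@code invalidCertData} on the
     *                   wrong element counts, or a parse failure from CertUtil
     */
    protected X509Certificate[] getCertificatesX509Data(KeyInfo keyInfo) throws Exception {
        int x509DataCount = keyInfo.lengthX509Data();
        if (x509DataCount != 1) {
            throw new WSSecurityException(0, "invalidX509Data", new Object[]{Integer.valueOf(x509DataCount)});
        }
        X509Data x509Data = keyInfo.itemX509Data(0);
        int certCount = x509Data.lengthCertificate();
        if (certCount <= 0) {
            throw new WSSecurityException(0, "invalidCertData", new Object[]{Integer.valueOf(certCount)});
        }
        X509Certificate[] chain = new X509Certificate[certCount];
        for (int i = 0; i < certCount; i++) {
            byte[] der = x509Data.itemCertificate(i).getCertificateBytes();
            chain[i] = CertUtil.loadCertificate(new ByteArrayInputStream(der));
        }
        return chain;
    }

    /**
     * Verifies a plain (non-GSS) XML signature.
     *
     * @return true when the signature verified
     * @throws Exception on verification failure
     */
    public abstract boolean verifyXMLSignature(XMLSignature xMLSignature, MessageContext messageContext) throws Exception;

    /**
     * Verifies a plain XML signature with a certificate chain and validates
     * that chain as a (proxy) certificate path.
     *
     * <p>The chain comes either from inline X509Data or, failing that, from a
     * {@code wsse:SecurityTokenReference} whose first element child's
     * {@code URI} attribute points at a wsu:Id-addressed token. The signature
     * value is checked against the first certificate, then the whole chain is
     * validated by {@code proxyPathValidator} against the default trust anchors
     * and CRLs; the validator's return value is not inspected, so rejection has
     * to surface as an exception from it. On success the context is marked
     * {@link Constants#SIGNATURE} and the chain plus a {@link GlobusPrincipal}
     * for the validated identity are added to the peer Subject.
     *
     * <p>Originally declared {@code protected}; the decompiler widened it.
     *
     * @param signature          the parsed signature
     * @param messageContext     the current message context
     * @param proxyPathValidator the validator used for the chain
     * @return always true; failures are reported by exception
     * @throws Exception unsupported KeyInfo (code 3), signature mismatch (code 6),
     *                   an empty chain, or a validator failure
     */
    public boolean verifyXMLSignature(XMLSignature signature, MessageContext messageContext, ProxyPathValidator proxyPathValidator) throws Exception {
        log.debug("Verify XML Signature");
        KeyInfo keyInfo = signature.getKeyInfo();
        X509Certificate[] chain;
        if (keyInfo.containsX509Data()) {
            chain = getCertificatesX509Data(keyInfo);
        } else {
            WSSConfig wssConfig = WSSConfig.getDefaultWSConfig();
            Node tokenReference = WSSecurityUtil.getDirectChild(keyInfo.getElement(), "SecurityTokenReference", wssConfig.getWsseNS());
            if (tokenReference == null) {
                throw new WSSecurityException(3, "unsupportedKeyInfo", null);
            }
            // Skip whitespace text nodes: the original cast getFirstChild() straight to Element.
            Element reference = firstChildElement(tokenReference);
            if (reference == null) {
                throw new WSSecurityException(3, "unsupportedKeyInfo", null);
            }
            Element token = WSSecurityUtil.getElementByWsuId(wssConfig, tokenReference.getOwnerDocument(), reference.getAttribute("URI"));
            chain = org.apache.ws.security.WSSecurityEngine.getInstance().getCertificatesTokenReference(token, crypto);
        }
        // An unresolved token reference must not reach chain[0] as an NPE/AIOOBE.
        if (chain == null || chain.length == 0) {
            throw new WSSecurityException(0, "invalidCertData", new Object[]{Integer.valueOf(0)});
        }
        if (!signature.checkSignatureValue(chain[0])) {
            throw new WSSecurityException(6);
        }
        TrustedCertificates trusted = TrustedCertificates.getDefaultTrustedCertificates();
        // NOTE(review): a null trust store is passed through as null; how the
        // validator treats that is not visible here — confirm it fails closed.
        X509Certificate[] trustAnchors = trusted != null ? trusted.getCertificates() : null;
        CertificateRevocationLists crls = CertificateRevocationLists.getDefaultCertificateRevocationLists();
        if (log.isDebugEnabled()) {
            for (int i = 0; i < chain.length; i++) {
                log.debug("Cert " + chain[i].getSubjectDN().getName());
            }
        }
        proxyPathValidator.validate(chain, trustAnchors, crls);
        String identity = proxyPathValidator.getIdentity();
        messageContext.setProperty(org.globus.wsrf.security.Constants.GSI_SEC_MSG, Constants.SIGNATURE);
        Subject subject = getSubject(messageContext);
        subject.getPublicCredentials().add(chain);
        subject.getPrincipals().add(new GlobusPrincipal(identity));
        return true;
    }

    /**
     * Returns the first element child of {@code parent}, ignoring text and
     * other non-element nodes, or null when there is none.
     */
    private static Element firstChildElement(Node parent) {
        for (Node child = parent.getFirstChild(); child != null; child = child.getNextSibling()) {
            if (child.getNodeType() == Node.ELEMENT_NODE) {
                return (Element) child;
            }
        }
        return null;
    }

    /**
     * Returns the peer {@link Subject} stored under
     * {@link Constants#PEER_SUBJECT}, creating and storing an empty one on
     * first use.
     *
     * @param messageContext the current message context
     * @return the (possibly new) peer subject, never null
     */
    protected Subject getSubject(MessageContext messageContext) {
        Subject subject = (Subject) messageContext.getProperty(Constants.PEER_SUBJECT);
        if (subject != null) {
            return subject;
        }
        Subject created = new Subject();
        messageContext.setProperty(Constants.PEER_SUBJECT, created);
        return created;
    }

    /**
     * Handles one XML-Encryption child of the Security header.
     *
     * <p>An {@code EncryptedKey} is delegated to
     * {@link #decryptXMLEncryption(Element, MessageContext)}. Any other element
     * is expected to contain a {@code xenc:DataReference} whose {@code URI}
     * (a {@code #id} fragment) names the EncryptedData to decrypt in place
     * with the secure-conversation context found under
     * {@link Constants#CONTEXT}; the context is then marked
     * {@link Constants#ENCRYPTION} via {@link #setContextProperties}.
     *
     * <p>Requires {@link #wssEngine} to have been initialised by
     * {@link #processSecurityHeader(SOAPEnvelope, String, MessageContext, boolean)}.
     *
     * @param element        an element in the xenc namespace
     * @param messageContext the current message context
     * @return the EncryptedKey handler's result, otherwise true
     * @throws Exception {@code noEncryptedData} when no DataReference is present
     *                   or its target cannot be resolved; decryption failures
     */
    public boolean handleEncryptionElement(Element element, MessageContext messageContext) throws Exception {
        if ("EncryptedKey".equals(element.getLocalName())) {
            log.debug("Found XML Encryption");
            return decryptXMLEncryption(element, messageContext);
        }
        Element dataReference = (Element) WSSecurityUtil.findElement(element, EncryptionConstants._TAG_DATAREFERENCE, XENC_NS);
        if (dataReference == null) {
            // Explicit failure instead of the NPE the original produced here.
            throw new WSSecurityException(0, "noEncryptedData", new Object[]{"(no DataReference)"});
        }
        String uri = dataReference.getAttribute("URI");
        // Only a fragment reference is meaningful; do not blindly drop the first character.
        String id = uri.startsWith("#") ? uri.substring(1) : uri;
        Element encryptedData = IdResolver.getElementById(element.getOwnerDocument(), id);
        if (encryptedData == null) {
            throw new WSSecurityException(0, "noEncryptedData", new Object[]{uri});
        }
        WSSecurityCallbackHandler callbackHandler = new WSSecurityCallbackHandler((org.apache.axis.MessageContext) messageContext);
        this.wssEngine.decryptDataRefEmbedded(encryptedData.getOwnerDocument(), uri, callbackHandler);
        SecurityContext securityContext = (SecurityContext) messageContext.getProperty(Constants.CONTEXT);
        setContextProperties(messageContext, securityContext, Constants.ENCRYPTION);
        return true;
    }

    /**
     * Decrypts an {@code EncryptedKey}-based encryption using the strategy of
     * the concrete engine.
     *
     * @return true when the payload was decrypted
     */
    public abstract boolean decryptXMLEncryption(Element element, MessageContext messageContext) throws Exception;

    /**
     * Decrypts an {@code EncryptedKey} with the given private key and removes
     * the {@code xmlns:xenc} declaration the decryption leaves on the first
     * Body child.
     *
     * <p>Requires {@link #wssEngine} to have been initialised.
     *
     * @param element    the EncryptedKey element
     * @param privateKey the key that unwraps the encrypted key
     * @return always true; failures are reported by exception
     * @throws Exception from the underlying WSS4J engine
     */
    public boolean decryptXMLEncryption(Element element, PrivateKey privateKey) throws Exception {
        this.wssEngine.handleEncryptedKey(element, privateKey);
        Document document = element.getOwnerDocument();
        Element payload = XmlUtils.getFirstChildElement(
                WSSecurityUtil.findBodyElement(document, WSSecurityUtil.getSOAPConstants(document.getDocumentElement())));
        payload.removeAttributeNS(XMLNS_NS, org.apache.ws.security.WSConstants.ENC_PREFIX);
        log.debug("Exit: decryptXMLEncryption");
        return true;
    }

    /**
     * Processes the Security header(s) of an envelope; see the four-argument
     * overload.
     */
    public abstract Document processSecurityHeader(SOAPEnvelope sOAPEnvelope, MessageContext messageContext) throws Exception;

    /**
     * Processes the Security header(s) addressed to the actor stored in the
     * context's {@code "actor"} property.
     *
     * @see #processSecurityHeader(SOAPEnvelope, String, MessageContext, boolean)
     */
    public Document processSecurityHeader(SOAPEnvelope sOAPEnvelope, MessageContext messageContext, boolean isRequest) throws Exception {
        String actor = (String) messageContext.getProperty(ACTOR_PROPERTY);
        return processSecurityHeader(sOAPEnvelope, actor, messageContext, isRequest);
    }

    /**
     * Processes every {@code wsse:Security} header of the envelope that is
     * addressed to this node.
     *
     * <p>The SAAJ header is first scanned for a Security header and a
     * WS-Addressing MessageID header (the latter feeds the replay filter). If
     * no Security header is present, or the envelope has no header at all,
     * null is returned and nothing is processed. Otherwise the envelope is
     * converted to a DOM document and each Security element whose
     * {@code soapenv:actor} is absent, empty, equal (ignoring case) to
     * {@code actor} or the SOAP "next" actor is handed to
     * {@link #processSecurityHeader(Element, MessageContext, String, SOAPHeaderElement, boolean)}.
     *
     * @param sOAPEnvelope   the inbound envelope
     * @param actor          this node's actor; null is treated as ""
     * @param messageContext the current message context
     * @param isRequest      true for a request; enables timestamp/replay and
     *                       header-coverage checks
     * @return the processed DOM document, or null when there was nothing to do
     * @throws Exception on any verification or decryption failure
     */
    public Document processSecurityHeader(SOAPEnvelope sOAPEnvelope, String actor, MessageContext messageContext, boolean isRequest) throws Exception {
        String targetActor = (actor == null) ? "" : actor;
        SOAPHeader header = sOAPEnvelope.getHeader();
        if (header == null) {
            return null;
        }
        SOAPHeaderElement securityHeader = null;
        SOAPHeaderElement messageIdHeader = null;
        Iterator headerElements = header.examineHeaderElements(targetActor);
        while (headerElements.hasNext()) {
            SOAPHeaderElement candidate = (SOAPHeaderElement) headerElements.next();
            Name name = candidate.getElementName();
            String localName = name.getLocalName();
            String uri = name.getURI();
            if ("Security".equalsIgnoreCase(localName) && WSConstants.WSSE_NS.equalsIgnoreCase(uri)) {
                securityHeader = candidate;
            } else if (org.apache.axis.message.addressing.Constants.MESSAGE_ID.equalsIgnoreCase(localName) && WSA_NS.equalsIgnoreCase(uri)) {
                messageIdHeader = candidate;
            }
            // Stop once both are known; the original counted matches, which could
            // stop after two Security headers without ever seeing the MessageID.
            if (securityHeader != null && messageIdHeader != null) {
                break;
            }
        }
        if (securityHeader == null) {
            return null;
        }
        GSSConfig.init();
        if (this.wssEngine == null) {
            this.wssEngine = GSSSecurityEngine.getInstance();
        }
        Document document = EnvelopeConverter.getInstance().toDocument(sOAPEnvelope);
        NodeList found = document.getElementsByTagNameNS(org.apache.ws.security.WSConstants.WSSE_NS, "Security");
        // getElementsByTagNameNS is a live list and processing removes headers
        // from the document, so take a snapshot before iterating.
        Element[] securityElements = new Element[found.getLength()];
        for (int i = 0; i < securityElements.length; i++) {
            securityElements[i] = (Element) found.item(i);
        }
        for (int i = 0; i < securityElements.length; i++) {
            Element securityElement = securityElements[i];
            Attr actorAttr = securityElement.getAttributeNodeNS(SOAP_ENV_NS, "actor");
            // Resolved per element: a header without an actor must not inherit
            // the previous header's value.
            String headerActor = (actorAttr == null) ? null : actorAttr.getValue();
            boolean addressedToUs = headerActor == null
                    || headerActor.length() == 0
                    || headerActor.equalsIgnoreCase(targetActor)
                    || headerActor.equals(SOAP_ACTOR_NEXT);
            if (addressedToUs) {
                processSecurityHeader(securityElement, messageContext, headerActor, messageIdHeader, isRequest);
            }
        }
        return document;
    }

    /**
     * Processes the children of one {@code wsse:Security} element.
     *
     * <p>Dispatch by child: {@code ds:Signature} must verify or code 6 is
     * thrown; anything in the xenc namespace goes to
     * {@link #handleEncryptionElement}; a {@code UsernameToken} (matched by
     * local name only, its namespace is not checked) goes to
     * {@link #handleUsernameElement}; a {@code wsu:Timestamp} is remembered for
     * the timestamp check; other elements are only logged. For requests the
     * timestamp/replay check runs only when a signature or encryption was
     * established ({@link Constants#SIGNATURE} / {@link Constants#ENCRYPTION}
     * in {@code GSI_SEC_MSG}) — a message carrying only a UsernameToken is not
     * replay-checked here. Finally the header is removed from the document
     * unless it has the default actor and the context is flagged
     * {@link Constants#ROUTED}.
     *
     * @param element         the Security element
     * @param messageContext  the current message context
     * @param actor           the header's actor attribute value (may be null)
     * @param messageIdHeader the WS-Addressing MessageID header, or null
     * @param isRequest       true for a request; enables the timestamp check
     * @throws Exception on verification, decryption or timestamp failure
     */
    public void processSecurityHeader(Element element, MessageContext messageContext, String actor, SOAPHeaderElement messageIdHeader, boolean isRequest) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug("Processing WS-Security header for '" + actor + "' actor." + " request (so process timestamp) " + isRequest);
        }
        Element timestamp = null;
        NodeList children = element.getChildNodes();
        int childCount = children.getLength();
        for (int i = 0; i < childCount; i++) {
            Node child = children.item(i);
            String namespace = child.getNamespaceURI();
            String localName = child.getLocalName();
            if (XMLDSIG_NS.equalsIgnoreCase(namespace) && SIG_LN.equalsIgnoreCase(localName)) {
                log.debug("Found signature element");
                if (!handleSignatureElement((Element) child, messageContext, isRequest)) {
                    throw new WSSecurityException(6);
                }
            } else if (XENC_NS.equalsIgnoreCase(namespace)) {
                log.debug("Found encryption element");
                handleEncryptionElement((Element) child, messageContext);
            } else if ("UsernameToken".equalsIgnoreCase(localName)) {
                log.debug("Found user name token");
                handleUsernameElement((Element) child, messageContext);
            } else if (WSConstants.WSU_NS.equalsIgnoreCase(namespace) && "Timestamp".equalsIgnoreCase(localName)) {
                log.debug("Found timestamp element");
                timestamp = (Element) child;
                normalize(timestamp);
            } else if (child.getNodeType() == Node.ELEMENT_NODE) {
                log.debug(child.getLocalName() + " " + child.getNamespaceURI());
            }
        }
        if (isRequest) {
            log.debug("Secure message, timestamp might be required");
            Object secureMessageLevel = messageContext.getProperty(org.globus.wsrf.security.Constants.GSI_SEC_MSG);
            if (constantSet(secureMessageLevel, Constants.SIGNATURE) || constantSet(secureMessageLevel, Constants.ENCRYPTION)) {
                processTimestampHeader(timestamp, messageContext, messageIdHeader);
            }
        }
        if ("".equals(actor) && Boolean.TRUE.equals(messageContext.getProperty(Constants.ROUTED))) {
            log.debug("Header not removed");
        } else {
            element.getParentNode().removeChild(element);
        }
    }

    /**
     * Records a {@code wsse:UsernameToken} in the peer Subject.
     *
     * <p>The user name becomes a {@link UserNamePrincipal} and the password, when
     * present, a {@link PasswordCredential} among the private credentials; the
     * context property {@code "userNameAuthz"} is set to TRUE. No credential
     * verification happens here — that is left to whatever consumes the
     * Subject later.
     *
     * @param element        the UsernameToken element
     * @param messageContext the current message context
     * @return always false
     * @throws Exception when the token cannot be parsed
     */
    public boolean handleUsernameElement(Element element, MessageContext messageContext) throws Exception {
        log.debug("User name processing");
        UsernameToken token = new UsernameToken(WSSConfig.getDefaultWSConfig(), element);
        String userName = token.getName();
        String password = token.getPassword();
        Subject subject = getSubject(messageContext);
        subject.getPrincipals().add(new UserNamePrincipal(userName));
        if (password != null) {
            subject.getPrivateCredentials().add(new PasswordCredential(password));
        }
        messageContext.setProperty(USERNAME_AUTHZ_PROPERTY, Boolean.TRUE);
        return false;
    }

    /**
     * Applies the timestamp and replay policy of the target service/resource.
     *
     * <p>With a timestamp present: when a MessageID header exists the
     * (MessageID, Created) pair is checked by the {@link ReplayAttackFilter}
     * sized from the service's replay window; otherwise only the freshness
     * check {@link #verifyTimestamp(Timestamp, int)} is applied and
     * {@code timestampNotOk} thrown on failure. Without a timestamp the message
     * is rejected with {@code timestampRequired} unless
     * {@link #rejectMsgSansTimestampHeader} says otherwise.
     *
     * @param timestamp       the {@code wsu:Timestamp} element, or null
     * @param messageContext  the current message context
     * @param messageIdHeader the WS-Addressing MessageID header, or null
     * @throws Exception when the target service path is unknown
     *                   ({@code serviceNull}), or the policy rejects the message
     */
    protected void processTimestampHeader(Element timestamp, MessageContext messageContext, SOAPHeaderElement messageIdHeader) throws Exception {
        String servicePath = ContextUtils.getTargetServicePath((org.apache.axis.MessageContext) messageContext);
        if (servicePath == null) {
            throw new Exception(i18n.getMessage("serviceNull"));
        }
        Resource resource = null;
        try {
            resource = ResourceContext.getResourceContext((org.apache.axis.MessageContext) messageContext).getResource();
        } catch (ResourceContextException e) {
            // Service-level policy applies when no resource is addressed.
            log.debug("Resource does not exist ", e);
        } catch (ResourceException e) {
            log.debug("Resource does not exist ", e);
        }
        if (timestamp != null) {
            ReplayAttackFilter filter = ReplayAttackFilter.getInstance(SecurityPropertiesHelper.getReplayAttackWindow(servicePath, resource));
            if (messageIdHeader != null) {
                checkMessageValidity(filter, timestamp, messageIdHeader);
            } else {
                Timestamp parsed = new Timestamp(WSSConfig.getDefaultWSConfig(), timestamp);
                if (!verifyTimestamp(parsed, filter.getMessageWindow())) {
                    throw new WSSecurityException(0, "timestampNotOk");
                }
            }
        } else if (rejectMsgSansTimestampHeader(messageContext, SecurityPropertiesHelper.getReplayAttackFilter(servicePath, resource))) {
            log.debug("Required time stamp header was not added.");
            throw new WSSecurityException(0, "timestampRequired");
        }
        log.debug("Done processing timestamp header.");
    }

    /**
     * Freshness check on a parsed timestamp's {@code Created} value.
     *
     * @param timestamp     the parsed wsu:Timestamp
     * @param windowSeconds the accepted age in seconds
     * @return true when {@code Created} is within the window
     */
    protected boolean verifyTimestamp(Timestamp timestamp, int windowSeconds) {
        return verifyTimestamp(timestamp.getCreated(), windowSeconds);
    }

    /**
     * Returns true when {@code created} is strictly later than
     * {@code now - windowSeconds}.
     *
     * <p>Only a lower bound is applied: a {@code Created} value in the future
     * passes this check. The replay filter path, not this method, is what ties a
     * timestamp to a message id.
     *
     * @param created       the Created instant
     * @param windowSeconds the accepted age in seconds
     * @return true when within the window
     */
    protected boolean verifyTimestamp(Calendar created, int windowSeconds) {
        Calendar oldestAccepted = Calendar.getInstance();
        // long arithmetic: windowSeconds * 1000 overflows int for windows over ~24 days.
        oldestAccepted.setTimeInMillis(System.currentTimeMillis() - windowSeconds * 1000L);
        return created.after(oldestAccepted);
    }

    /**
     * Submits the (MessageID, Created) pair to the replay filter, which is
     * expected to throw when the message is a replay or outside its window.
     *
     * @param replayAttackFilter the filter for the target's window
     * @param timestamp          the wsu:Timestamp element
     * @param messageIdHeader    the WS-Addressing MessageID header
     * @throws Exception from the filter or timestamp parsing
     */
    protected void checkMessageValidity(ReplayAttackFilter replayAttackFilter, Element timestamp, SOAPHeaderElement messageIdHeader) throws Exception {
        String messageId = new MessageID(messageIdHeader).toString();
        Calendar created = new Timestamp(WSSConfig.getDefaultWSConfig(), timestamp).getCreated();
        replayAttackFilter.checkMessageValidity(messageId, created);
    }

    /**
     * Decides whether a message without a Timestamp header is rejected.
     *
     * <p>Fails closed: only the literal {@code "false"} disables the
     * requirement; null or any other value rejects.
     *
     * @param messageContext     the current message context (unused)
     * @param replayFilterSetting the configured replay-attack-filter property, or null
     * @return true when the message must be rejected
     */
    protected boolean rejectMsgSansTimestampHeader(MessageContext messageContext, String replayFilterSetting) throws Exception {
        return replayFilterSetting == null || !replayFilterSetting.equals(SchemaSymbols.ATTVAL_FALSE);
    }

    /**
     * Recursively collapses text nodes that start with a newline followed by
     * another newline or a space down to a single {@code "\n"}.
     *
     * <p>Applied to signature and timestamp elements before they are parsed;
     * presumably this brings pretty-printed indentation back to the form the
     * signer produced — the intent is not recorded in this class.
     *
     * @param node the subtree root; text nodes anywhere below it are rewritten in place
     */
    public static void normalize(Node node) {
        if (node.getNodeType() == Node.TEXT_NODE) {
            Text text = (Text) node;
            String data = text.getData();
            if (data.length() > 1 && data.charAt(0) == '\n' && (data.charAt(1) == '\n' || data.charAt(1) == ' ')) {
                text.setData("\n");
            }
        }
        for (Node child = node.getFirstChild(); child != null; child = child.getNextSibling()) {
            normalize(child);
        }
    }

    /**
     * Requires that a signature has already been established for this message
     * ({@code GSI_SEC_MSG} equals {@link Constants#SIGNATURE}).
     *
     * <p>Originally declared {@code protected}; the decompiler widened it.
     *
     * @param messageContext the current message context
     * @throws Exception {@code encRequiresSig} when no signature was verified
     */
    public void ensureSignature(MessageContext messageContext) throws Exception {
        Object level = messageContext.getProperty(org.globus.wsrf.security.Constants.GSI_SEC_MSG);
        if (!constantSet(level, Constants.SIGNATURE)) {
            throw new WSSecurityException(0, "encRequiresSig");
        }
    }

    /** Null-safe {@code value.equals(expected)}. */
    private boolean constantSet(Object value, Object expected) {
        return value != null && value.equals(expected);
    }

    /**
     * Records a secure-conversation context on the message and populates the
     * peer Subject from its GSS context.
     *
     * <p>Stores {@code securityContext} under {@link Constants#CONTEXT} and
     * {@code level} under {@code GSI_SEC_CONV}. Unless the GSS source name is
     * anonymous, a {@link GlobusPrincipal} for it is added; when the context is
     * an {@link ExtendedGSSContext} exposing a certificate chain, the chain is
     * added to the public credentials; a delegated credential, if any, goes to
     * the private credentials.
     *
     * <p>Originally declared {@code protected}; the decompiler widened it.
     *
     * @param messageContext  the current message context
     * @param securityContext the established secure-conversation context; must not be null
     * @param level           {@link Constants#SIGNATURE} or {@link Constants#ENCRYPTION}
     * @throws Exception from the GSS context accessors
     */
    public void setContextProperties(MessageContext messageContext, SecurityContext securityContext, Integer level) throws Exception {
        messageContext.setProperty(Constants.CONTEXT, securityContext);
        messageContext.setProperty(org.globus.wsrf.security.Constants.GSI_SEC_CONV, level);
        Subject subject = getSubject(messageContext);
        GSSContext context = securityContext.getContext();
        GSSName sourceName = context.getSrcName();
        if (sourceName.isAnonymous()) {
            // An anonymous peer contributes no principal or credentials.
            return;
        }
        String identity = sourceName.toString();
        GSSCredential delegatedCredential = context.getDelegCred();
        if (context instanceof ExtendedGSSContext) {
            X509Certificate[] chain = (X509Certificate[]) ((ExtendedGSSContext) context).inquireByOid(GSSConstants.X509_CERT_CHAIN);
            if (chain != null) {
                subject.getPublicCredentials().add(chain);
            }
        }
        subject.getPrincipals().add(new GlobusPrincipal(identity));
        if (delegatedCredential != null) {
            subject.getPrivateCredentials().add(delegatedCredential);
        }
    }

    /**
     * Compiler-generated helper for the pre-Java-5 class-literal idiom; kept for
     * compatibility with code compiled against it.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$org$globus$wsrf$impl$security$authentication$wssec$WSSecurityEngine == null) {
            cls = class$("org.globus.wsrf.impl.security.authentication.wssec.WSSecurityEngine");
            class$org$globus$wsrf$impl$security$authentication$wssec$WSSecurityEngine = cls;
        } else {
            cls = class$org$globus$wsrf$impl$security$authentication$wssec$WSSecurityEngine;
        }
        log = LogFactory.getLog(cls.getName());
        crypto = ContextCrypto.getInstance();
    }
}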
