package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Iterator;
import java.util.List;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSSecurityEngineResult;

/* loaded from: input_file:lib/cxf-rt-ws-security-2.6.17-TomEE.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.class */
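/**
 * Checks the WSS4J results of an inbound message against the algorithms and
 * key sizes demanded by a WS-SecurityPolicy {@link AlgorithmSuite}.
 *
 * <p>Only Signature (action 2) and Encryption (action 4) results are
 * examined; every other result is ignored. Every check fails closed: an
 * algorithm, transform or key type that is not explicitly accepted marks the
 * assertion as not asserted and the validation as a whole returns
 * {@code false}.
 *
 * <p>Limitations visible in the checks themselves: the signature method is
 * accepted if it matches <em>either</em> the symmetric or the asymmetric
 * signature algorithm of the suite (this class does not know which binding is
 * in force), and the key transport method likewise matches either key-wrap
 * algorithm.
 */
public class AlgorithmSuitePolicyValidator {

    /** WSS4J action code of a Signature result (the value of WSConstants.SIGN). */
    private static final int ACTION_SIGN = 2;
    /** WSS4J action code of an Encryption result (the value of WSConstants.ENCR). */
    private static final int ACTION_ENCR = 4;
    /** The only transform other than the suite's c14n algorithm permitted on a signed reference. */
    private static final String STR_TRANSFORM =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform";

    private final List<WSSecurityEngineResult> results;

    /**
     * @param results the WSS4J engine results of the message being validated
     */
    public AlgorithmSuitePolicyValidator(List<WSSecurityEngineResult> results) {
        this.results = results;
    }

    /**
     * Validates every Signature and Encryption result against the suite.
     *
     * <p>All results are inspected even after a failure; each violating
     * result records its own reason on {@code ai}, so the reason of the last
     * failing result is the one that survives.
     *
     * @param ai the AlgorithmSuite assertion; set to "not asserted" on any failure
     * @param algorithmPolicy the algorithm suite the message must satisfy
     * @return {@code true} iff every Signature and Encryption result satisfies the suite
     */
    public boolean validatePolicy(AssertionInfo ai, AlgorithmSuite algorithmPolicy) {
        boolean valid = true;
        for (WSSecurityEngineResult result : results) {
            Integer action = (Integer) result.get("action");
            if (action == null) {
                // A result without an action code can be neither a Signature nor an
                // Encryption result; skip it like any other unrelated action.
                continue;
            }
            switch (action.intValue()) {
            case ACTION_SIGN:
                if (!checkSignatureAlgorithms(result, algorithmPolicy, ai)) {
                    valid = false;
                }
                break;
            case ACTION_ENCR:
                if (!checkEncryptionAlgorithms(result, algorithmPolicy, ai)) {
                    valid = false;
                }
                break;
            default:
                break;
            }
        }
        return valid;
    }

    /**
     * Checks the signature method, the c14n method, every signed reference and
     * the key sizes of one Signature result.
     *
     * @return {@code true} iff all of them satisfy the suite
     */
    private boolean checkSignatureAlgorithms(
        WSSecurityEngineResult result, AlgorithmSuite algorithmPolicy, AssertionInfo ai
    ) {
        String signatureMethod = (String) result.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
        // Either the asymmetric or the symmetric signature algorithm is accepted: the
        // validator has no knowledge of the binding, so it cannot insist on one of them.
        if (!algorithmPolicy.getAsymmetricSignature().equals(signatureMethod)
            && !algorithmPolicy.getSymmetricSignature().equals(signatureMethod)) {
            ai.setNotAsserted("The signature method does not match the requirement");
            return false;
        }

        String c14nMethod = (String) result.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
        if (!algorithmPolicy.getInclusiveC14n().equals(c14nMethod)) {
            ai.setNotAsserted("The c14n method does not match the requirement");
            return false;
        }

        List<WSDataRef> dataRefs =
            CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        return checkDataRefs(dataRefs, algorithmPolicy, ai)
            && checkKeyLengths(result, algorithmPolicy, ai, true);
    }

    /**
     * Checks the digest algorithm and the transforms of every signed reference.
     *
     * <p>A reference may carry at most two transforms, each of which must be
     * either the suite's c14n algorithm or the WSS STR-Transform. Rejecting
     * everything else keeps XSLT, XPath and other content-altering transforms
     * away from signed references.
     *
     * @param dataRefs the signed references of a Signature result; {@code null}
     *                 is treated as a failure rather than dereferenced
     * @return {@code true} iff every reference satisfies the suite
     */
    private boolean checkDataRefs(
        List<WSDataRef> dataRefs, AlgorithmSuite algorithmPolicy, AssertionInfo ai
    ) {
        if (dataRefs == null) {
            // Fail closed instead of throwing: a Signature result without a reference
            // list cannot be shown to satisfy the suite.
            ai.setNotAsserted("No signed data references were found");
            return false;
        }
        String c14nMethod = algorithmPolicy.getInclusiveC14n();
        String digestMethod = algorithmPolicy.getDigest();
        for (WSDataRef dataRef : dataRefs) {
            if (!digestMethod.equals(dataRef.getDigestAlgorithm())) {
                ai.setNotAsserted("The digest method does not match the requirement");
                return false;
            }
            List<String> transforms = dataRef.getTransformAlgorithms();
            if (transforms == null || transforms.size() > 2) {
                ai.setNotAsserted("The transform algorithms do not match the requirement");
                return false;
            }
            for (String transform : transforms) {
                if (!c14nMethod.equals(transform) && !STR_TRANSFORM.equals(transform)) {
                    ai.setNotAsserted("The transform algorithms do not match the requirement");
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks the key transport method, the encryption algorithm of every
     * encrypted reference and the key sizes of one Encryption result.
     *
     * <p>A result without a key transport method is not penalised for it
     * (presumably no EncryptedKey was involved, e.g. a symmetric binding; this
     * class does not verify that).
     *
     * @return {@code true} iff all of them satisfy the suite
     */
    private boolean checkEncryptionAlgorithms(
        WSSecurityEngineResult result, AlgorithmSuite algorithmPolicy, AssertionInfo ai
    ) {
        String transportMethod =
            (String) result.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD);
        // As with the signature method, either key-wrap algorithm of the suite is accepted.
        if (transportMethod != null
            && !algorithmPolicy.getSymmetricKeyWrap().equals(transportMethod)
            && !algorithmPolicy.getAsymmetricKeyWrap().equals(transportMethod)) {
            ai.setNotAsserted("The Key transport method does not match the requirement");
            return false;
        }

        List<WSDataRef> dataRefs =
            CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs != null) {
            String encryptionMethod = algorithmPolicy.getEncryption();
            for (WSDataRef dataRef : dataRefs) {
                if (!encryptionMethod.equals(dataRef.getAlgorithm())) {
                    ai.setNotAsserted("The encryption algorithm does not match the requirement");
                    return false;
                }
            }
        }
        return checkKeyLengths(result, algorithmPolicy, ai, false);
    }

    /**
     * Checks the sizes of whatever key material the result exposes: a bare
     * public key, the public key of an X.509 certificate, and the secret
     * (symmetric key) bytes.
     *
     * <p>For a Signature result whose principal is a derived-key token the
     * secret must be exactly the suite's signature derived-key length; in
     * every other case a present secret must lie within the suite's symmetric
     * key range.
     *
     * <p>NOTE(review): for an Encryption result a derived-key secret is only
     * range-checked like any other symmetric key, not compared against a
     * dedicated encryption derived-key length; presumably deliberate, confirm.
     *
     * @param signature {@code true} for a Signature result, {@code false} for an Encryption result
     * @return {@code true} iff every present key satisfies the suite
     */
    private boolean checkKeyLengths(
        WSSecurityEngineResult result, AlgorithmSuite algorithmPolicy, AssertionInfo ai, boolean signature
    ) {
        PublicKey publicKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
        if (publicKey != null && !checkPublicKeyLength(publicKey, algorithmPolicy, ai)) {
            return false;
        }

        X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        if (cert != null && !checkPublicKeyLength(cert.getPublicKey(), algorithmPolicy, ai)) {
            return false;
        }

        byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
        if (signature) {
            Principal principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            if (principal instanceof WSDerivedKeyTokenPrincipal) {
                int requiredBits = algorithmPolicy.getSignatureDerivedKeyLength();
                // A derived signing key must be present and of exactly the required size.
                if (secret == null || secret.length != requiredBits / 8) {
                    ai.setNotAsserted("The signature derived key length does not match the requirement");
                    return false;
                }
                return true;
            }
        }
        return checkSymmetricKeyLength(secret, algorithmPolicy, ai);
    }

    /**
     * Checks that a symmetric key, when present, lies within the suite's
     * minimum/maximum symmetric key length (both given in bits).
     *
     * @param secret the key bytes, or {@code null} when the result carries none
     * @return {@code true} iff {@code secret} is absent or within range
     */
    private boolean checkSymmetricKeyLength(byte[] secret, AlgorithmSuite algorithmPolicy, AssertionInfo ai) {
        if (secret == null) {
            // No symmetric key material in this result; nothing to measure.
            return true;
        }
        int keyBytes = secret.length;
        if (keyBytes < algorithmPolicy.getMinimumSymmetricKeyLength() / 8
            || keyBytes > algorithmPolicy.getMaximumSymmetricKeyLength() / 8) {
            ai.setNotAsserted("The symmetric key length does not match the requirement");
            return false;
        }
        return true;
    }

    /**
     * Checks an asymmetric key size against the suite's minimum/maximum
     * asymmetric key length. RSA is measured by its modulus, DSA by its prime
     * {@code p}; any other key type (EC included) is rejected outright.
     *
     * @return {@code true} iff the key is RSA or DSA and within range
     */
    private boolean checkPublicKeyLength(PublicKey publicKey, AlgorithmSuite algorithmPolicy, AssertionInfo ai) {
        int keyBits;
        if (publicKey instanceof RSAPublicKey) {
            keyBits = ((RSAPublicKey) publicKey).getModulus().bitLength();
        } else if (publicKey instanceof DSAPublicKey) {
            keyBits = ((DSAPublicKey) publicKey).getParams().getP().bitLength();
        } else {
            // Fail closed: there is no size rule for this key type.
            ai.setNotAsserted("An unknown public key was provided");
            return false;
        }
        if (keyBits < algorithmPolicy.getMinimumAsymmetricKeyLength()
            || keyBits > algorithmPolicy.getMaximumAsymmetricKeyLength()) {
            ai.setNotAsserted("The asymmetric key length does not match the requirement");
            return false;
        }
        return true;
    }
}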
