package org.apache.cxf.ws.security.wss4j.policyvalidators;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.ws.security.WSSecurityEngineResult;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/cxf-bundle-2.5.2.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.class
 */
/* loaded from: input_file:WEB-INF/lib/cxf-bundle-minimal-2.5.0.jar:org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.class */
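/**
 * Validates WS-SecurityPolicy {@code AsymmetricBinding} assertions against the WSS4J
 * processing results of an inbound message.
 *
 * <p>The constructor splits the raw results into encryption results and a
 * "derived keys were used" flag. {@link #validatePolicy(AssertionInfoMap)} then checks
 * each {@code AsymmetricBinding} assertion found in the assertion map.
 */
public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {
    // Action codes stored under WSSecurityEngineResult.TAG_ACTION. The values are the ones
    // this class has always compared against; they appear to correspond to WSS4J's
    // WSConstants.ENCR and WSConstants.DKT - confirm against the bundled WSS4J version.
    private static final int ACTION_ENCRYPTION = 4;
    private static final int ACTION_DERIVED_KEY = 2048;

    private static final String NO_X509_FOR_INITIATOR =
        "An X.509 certificate was not used for the initiator token";
    private static final String DERIVED_KEYS_FAILURE = "Message fails the DerivedKeys requirement";

    private final List<WSSecurityEngineResult> signedResults;
    private final List<WSSecurityEngineResult> encryptedResults;
    private final Message message;
    private final boolean hasDerivedKeys;

    /**
     * Creates a validator for one message.
     *
     * @param message the message being validated; passed through to {@code checkProperties}
     * @param list all WSS4J results for the message; stored in the inherited {@code results}
     *     field and scanned here for encryption and derived-key actions
     * @param list2 the signature results; used for the token and derived-key checks
     * @throws NullPointerException if {@code list} is null or a result carries no action entry
     *     (the action is unboxed without a null check)
     */
    public AsymmetricBindingPolicyValidator(Message message, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        this.message = message;
        this.results = list;
        this.signedResults = list2;
        this.encryptedResults = new ArrayList<>();

        boolean derivedKeySeen = false;
        for (WSSecurityEngineResult result : list) {
            int action = ((Integer) result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
            if (action == ACTION_DERIVED_KEY) {
                derivedKeySeen = true;
            } else if (action == ACTION_ENCRYPTION) {
                this.encryptedResults.add(result);
            }
        }
        this.hasDerivedKeys = derivedKeySeen;
    }

    /**
     * Checks every {@code AsymmetricBinding} assertion in the map against the message.
     *
     * <p>Each assertion is first marked asserted and then put through the protection-order,
     * property and token checks, in that order. Validation stops at the first failing check.
     * {@code checkTokens} marks the assertion not asserted when it fails; the two inherited
     * checks receive the {@link AssertionInfo} and presumably do the same - confirm in
     * {@code AbstractBindingPolicyValidator}.
     *
     * @param assertionInfoMap the policy assertions in effect for the message
     * @return {@code true} if there is no {@code AsymmetricBinding} assertion or all of them
     *     pass; {@code false} as soon as one check fails
     */
    public boolean validatePolicy(AssertionInfoMap assertionInfoMap) {
        Collection<AssertionInfo> assertions = assertionInfoMap.get(SP12Constants.ASYMMETRIC_BINDING);
        if (assertions == null || assertions.isEmpty()) {
            // No asymmetric binding in the policy: nothing for this validator to enforce.
            return true;
        }
        for (AssertionInfo assertionInfo : assertions) {
            AsymmetricBinding binding = (AsymmetricBinding) assertionInfo.getAssertion();
            // Optimistically asserted; failure paths are expected to reset it.
            assertionInfo.setAsserted(true);

            if (!checkProtectionOrder(binding, assertionInfo)) {
                return false;
            }
            if (!checkProperties(binding, assertionInfo, assertionInfoMap, this.signedResults, this.message)) {
                return false;
            }
            if (!checkTokens(binding, assertionInfo, assertionInfoMap)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks the initiator and recipient tokens of the binding.
     *
     * <p>For an X.509 initiator token, every signature result must carry an X.509
     * certificate. Both tokens are then checked against the derived-keys requirement.
     *
     * @return {@code true} if all token checks pass; otherwise {@code false}, with
     *     {@code assertionInfo} marked not asserted
     */
    private boolean checkTokens(AsymmetricBinding asymmetricBinding, AssertionInfo assertionInfo, AssertionInfoMap assertionInfoMap) {
        if (asymmetricBinding.getInitiatorToken() != null) {
            if (asymmetricBinding.getInitiatorToken().getToken() instanceof X509Token) {
                // NOTE(review): only entries of signedResults are inspected. With an empty
                // list the loop body never runs, so the X.509 requirement passes without a
                // certificate having been seen. Rejecting an unsigned message has to come
                // from a check that is not visible in this class - confirm.
                for (WSSecurityEngineResult signedResult : this.signedResults) {
                    X509Certificate certificate =
                        (X509Certificate) signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                    if (certificate == null) {
                        notAssertPolicy(assertionInfoMap, asymmetricBinding.getInitiatorToken().getName(), NO_X509_FOR_INITIATOR);
                        assertionInfo.setNotAsserted(NO_X509_FOR_INITIATOR);
                        return false;
                    }
                }
            }
            assertPolicy(assertionInfoMap, asymmetricBinding.getInitiatorToken());
            if (!checkDerivedKeys(asymmetricBinding.getInitiatorToken(), this.hasDerivedKeys, this.signedResults, this.encryptedResults)) {
                assertionInfo.setNotAsserted(DERIVED_KEYS_FAILURE);
                return false;
            }
        }

        if (asymmetricBinding.getRecipientToken() == null) {
            return true;
        }
        assertPolicy(assertionInfoMap, asymmetricBinding.getRecipientToken());
        if (!checkDerivedKeys(asymmetricBinding.getRecipientToken(), this.hasDerivedKeys, this.signedResults, this.encryptedResults)) {
            assertionInfo.setNotAsserted(DERIVED_KEYS_FAILURE);
            return false;
        }
        return true;
    }
}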
