package org.ogf.graap.wsag.security.core.server;

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.axis2.context.MessageContext;
import org.apache.log4j.Logger;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.WSHandlerResult;
import org.ogf.graap.wsag.security.core.SecurityUtils;
import org.ogf.graap.wsag.server.api.WsagMessageContext;
import org.ogf.graap.wsag.server.engine.WsagEngine;
import org.w3c.dom.Element;

/* loaded from: input_file:org/ogf/graap/wsag/security/core/server/WSSecurityHandler.class */
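/**
 * Server-side security handler that turns the WS-Security results produced by the WSS4J receiver
 * into a JAAS {@link Subject} for the current request.
 * <p>
 * For a message carrying a signature result with an X.509 certificate, the signing certificate,
 * a best-effort certificate chain and a {@link Subject} built from the certificate are stored in
 * the WSAG message context. A message without such a result is either mapped to an anonymous
 * {@link Subject} (when {@code WsagEngine.isAllowAnonymousAccess()} is set) or rejected with a
 * {@link WSSecurityException}.
 * <p>
 * The class keeps no instance state; all per-request data lives in the message contexts.
 */
public class WSSecurityHandler implements ServerSecurityHandler {
    private static final Logger LOG = Logger.getLogger(WSSecurityHandler.class);

    /** Axis2 message-context property under which the WSS4J receiver leaves its {@code WSHandlerResult}s. */
    private static final String RECV_RESULTS_PROPERTY = "RECV_RESULTS";
    /** WSS4J action code of a signature result (the SIGN action, value 2). */
    private static final int ACTION_SIGN = 2;
    /** Keys of a {@code WSSecurityEngineResult} that are read by this handler. */
    private static final String RESULT_ACTION = "action";
    private static final String RESULT_X509_CERTIFICATE = "x509-certificate";
    private static final String RESULT_PRINCIPAL = "principal";

    /** WSAG message-context keys written by this handler. */
    private static final String CLIENT_CERTIFICATE_KEY =
            "http://de.fraunhofer.scai.wsag4j/security/x509-client-certificate";
    private static final String CLIENT_CERTIFICATE_CHAIN_KEY =
            "http://de.fraunhofer.scai.wsag4j/security/x509-client-certificate-chain";
    private static final String USER_SUBJECT_KEY =
            "http://de.fraunhofer.scai.wsag4j/security/user-subject";
    /** Principal name given to callers that sent no accepted signature. */
    private static final String ANONYMOUS_PRINCIPAL_NAME = "anonymous";

    /**
     * Processes the security results of the current inbound message.
     *
     * @param element the request element (unused; the results are read from the Axis2 message context)
     * @throws Exception if the caller could not be authenticated, or if any crypto lookup fails
     */
    public void handleRequest(Element element) throws Exception {
        MessageContext messageContext = MessageContext.getCurrentMessageContext();
        Crypto serverCrypto = SecurityUtils.getCryptoFromLoginContext(WsagEngine.getLoginContext());
        if (serverCrypto == null) {
            // NOTE(review): no user subject is placed in the context in this case; downstream
            // authorization is assumed to reject requests that carry no subject -- confirm.
            LOG.error("Could not process security headers. Reason: server crypto not found.");
            return;
        }
        processSecurityHeader(serverCrypto, messageContext);
    }

    /**
     * No-op: this handler does not touch outbound messages.
     *
     * @param element the response element (unused)
     * @throws Exception never
     */
    public void handleResponse(Element element) throws Exception {
    }

    /**
     * Derives the caller's {@link Subject} from the WSS4J handler results and stores it, together with
     * the signing certificate and its chain, in the WSAG message context.
     * <p>
     * If several signature results carry a certificate, every one of them is written to the context and
     * the last one wins for the subject.
     *
     * @param crypto the server crypto used to look up the certificate chain
     * @param messageContext the Axis2 context holding the WSS4J results
     * @throws WSSecurityException if no signature was found and anonymous access is disabled, or if a
     *         chain lookup fails
     */
    private void processSecurityHeader(Crypto crypto, MessageContext messageContext) throws WSSecurityException {
        WsagMessageContext wsagContext = WsagEngine.getWsagMessageContext();
        X509Certificate signerCertificate = null;

        List<?> handlerResults = (List<?>) messageContext.getProperty(RECV_RESULTS_PROPERTY);
        if (handlerResults == null) {
            // No WSS4J results at all (e.g. the message carried no Security header). Treated like an
            // unsigned message below instead of failing with a NullPointerException.
            LOG.debug("No WS-Security handler results found in the message context.");
        } else {
            for (Object handlerResult : handlerResults) {
                List<?> engineResults = ((WSHandlerResult) handlerResult).getResults();
                for (Object engineResultObject : engineResults) {
                    WSSecurityEngineResult engineResult = (WSSecurityEngineResult) engineResultObject;
                    X509Certificate certificate = signingCertificateOf(engineResult);
                    if (certificate == null) {
                        continue;
                    }
                    signerCertificate = certificate;
                    if (LOG.isTraceEnabled()) {
                        Principal signer = (Principal) engineResult.get(RESULT_PRINCIPAL);
                        LOG.trace("Found WS-Security engine result. Message signed by "
                                + (signer == null ? "<unknown>" : signer.getName()));
                    }
                    wsagContext.put(CLIENT_CERTIFICATE_KEY, certificate);
                    wsagContext.put(CLIENT_CERTIFICATE_CHAIN_KEY, createClientCertificateChain(crypto, certificate));
                }
            }
        }

        Subject subject;
        if (signerCertificate != null) {
            subject = createAuthenticatedSubject(signerCertificate);
        } else if (WsagEngine.isAllowAnonymousAccess()) {
            subject = createAnonymousSubject();
        } else {
            throw new WSSecurityException("The user was not authenticated.");
        }
        wsagContext.put(USER_SUBJECT_KEY, subject);
    }

    /**
     * Returns the certificate of a signature result, or {@code null} if the result is not a signature
     * result or carries no certificate. A missing action entry is treated as "not a signature".
     */
    private static X509Certificate signingCertificateOf(WSSecurityEngineResult result) {
        Integer action = (Integer) result.get(RESULT_ACTION);
        if (action == null || action.intValue() != ACTION_SIGN) {
            return null;
        }
        return (X509Certificate) result.get(RESULT_X509_CERTIFICATE);
    }

    /**
     * Builds the subject of an authenticated caller: subject and issuer DN as principals, the
     * certificate itself as public credential.
     */
    private static Subject createAuthenticatedSubject(X509Certificate certificate) {
        Subject subject = new Subject();
        subject.getPrincipals().add(certificate.getSubjectX500Principal());
        subject.getPrincipals().add(certificate.getIssuerX500Principal());
        subject.getPublicCredentials().add(certificate);
        return subject;
    }

    /**
     * Builds the subject used when anonymous access is allowed and the message carried no accepted
     * signature. No public credential is attached: the certificate is always {@code null} on this path,
     * and {@code Subject}'s credential set rejects {@code null} elements on current JDKs.
     */
    private static Subject createAnonymousSubject() {
        Subject subject = new Subject();
        // NOTE(review): X500Principal(String) parses an RFC 2253 distinguished name; a bare
        // "anonymous" is likely rejected with IllegalArgumentException. Confirm, and if so use a DN
        // (e.g. "CN=anonymous") consistently with whatever authorization code compares against it.
        subject.getPrincipals().add(new X500Principal(ANONYMOUS_PRINCIPAL_NAME));
        return subject;
    }

    /**
     * Assembles a certificate chain for the signing certificate from the server keystore.
     * <p>
     * First the keystore is searched for the certificate itself (by issuer DN and serial number); when
     * found and its leaf equals {@code certificate}, that stored chain is returned. Otherwise every
     * keystore entry whose DN equals the issuer DN is tried: the first entry whose own chain passes
     * {@code Crypto.validateCertPath} is prepended with {@code certificate} and returned.
     * <p>
     * NOTE(review): the fallback only matches the issuer by DN and validates the issuer's chain; it does
     * not verify that {@code certificate} is actually signed by that issuer. Trust in the signing
     * certificate is expected to have been established by WSS4J's signature processing before this
     * handler runs -- confirm that this is the case for this deployment.
     *
     * @param crypto the server crypto (keystore access)
     * @param certificate the certificate that signed the message
     * @return the chain starting with {@code certificate}, or {@code null} if none could be assembled
     * @throws WSSecurityException if a keystore lookup or a path validation fails
     */
    private X509Certificate[] createClientCertificateChain(Crypto crypto, X509Certificate certificate)
            throws WSSecurityException {
        // getSubjectDN()/getIssuerDN() are legacy APIs, kept on purpose: the Crypto lookups below are keyed
        // on this string form of the DN, and getIssuerX500Principal().getName() may format it differently.
        String subjectDn = certificate.getSubjectDN().getName();
        String issuerDn = certificate.getIssuerDN().getName();

        X509Certificate[] storedChain = findStoredChain(crypto, certificate, issuerDn);
        if (storedChain != null) {
            return storedChain;
        }

        // Only the alias lookup is guarded here; errors of the per-alias steps below keep their own,
        // more specific message and cause instead of being re-wrapped as an alias-lookup failure.
        String[] issuerAliases;
        try {
            issuerAliases = crypto.getAliasesForDN(issuerDn);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(
                    getClass().getName() + ": Could not get alias for certificate with " + issuerDn, e);
        }
        if (issuerAliases == null || issuerAliases.length < 1) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No aliases found in keystore for issuer " + issuerDn
                        + " of certificate for " + subjectDn + ".");
            }
            return null;
        }

        for (String alias : issuerAliases) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Preparing to validate certificate path with alias " + alias
                        + " for issuer " + issuerDn + ".");
            }
            X509Certificate[] issuerChain = loadIssuerChain(crypto, alias);
            if (validateIssuerChain(crypto, issuerChain, subjectDn)) {
                List<X509Certificate> chain = new ArrayList<X509Certificate>(issuerChain.length + 1);
                chain.add(certificate);
                chain.addAll(Arrays.asList(issuerChain));
                return chain.toArray(new X509Certificate[chain.size()]);
            }
        }

        if (LOG.isInfoEnabled()) {
            LOG.info(getClass().getName() + ": Could not retrieve client certificate chain for subject " + subjectDn);
        }
        return null;
    }

    /**
     * Looks the certificate itself up in the keystore by issuer DN and serial number and returns the
     * stored chain when its leaf is exactly {@code certificate}; {@code null} otherwise.
     */
    private X509Certificate[] findStoredChain(Crypto crypto, X509Certificate certificate, String issuerDn)
            throws WSSecurityException {
        String alias = crypto.getAliasForX509Cert(issuerDn, certificate.getSerialNumber());
        if (alias == null) {
            return null;
        }
        X509Certificate[] chain;
        try {
            chain = crypto.getCertificates(alias);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(
                    getClass().getName() + ": Could not get certificates for alias " + alias, e);
        }
        // Only hand out the stored chain when its leaf is the very certificate that signed the message.
        if (chain != null && chain.length > 0 && certificate.equals(chain[0])) {
            return chain;
        }
        return null;
    }

    /**
     * Loads the non-empty certificate chain stored under {@code alias}.
     *
     * @throws WSSecurityException if the lookup fails or yields no certificate
     */
    private X509Certificate[] loadIssuerChain(Crypto crypto, String alias) throws WSSecurityException {
        X509Certificate[] chain;
        try {
            chain = crypto.getCertificates(alias);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(
                    getClass().getName() + ": Could not get certificates for alias " + alias, e);
        }
        if (chain == null || chain.length < 1) {
            throw new WSSecurityException(getClass().getName() + ": Could not get certificates for alias " + alias);
        }
        return chain;
    }

    /**
     * Runs {@code Crypto.validateCertPath} on {@code issuerChain}.
     *
     * @return {@code true} if the path validated
     * @throws WSSecurityException if validation itself fails (wrapped with the subject DN for context)
     */
    private boolean validateIssuerChain(Crypto crypto, X509Certificate[] issuerChain, String subjectDn)
            throws WSSecurityException {
        boolean valid;
        try {
            valid = crypto.validateCertPath(issuerChain);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(getClass().getName()
                    + ": Certificate path verification failed for certificate with subject " + subjectDn, e);
        }
        if (valid && LOG.isTraceEnabled()) {
            LOG.trace(getClass().getName()
                    + ": Certificate path has been verified for certificate with subject " + subjectDn);
        }
        return valid;
    }
}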
