package com.sun.xml.wss.impl;

import com.sun.enterprise.security.jauth.callback.CertStoreCallback;
import com.sun.enterprise.security.jauth.callback.PasswordValidationCallback;
import com.sun.enterprise.security.jauth.callback.PrivateKeyCallback;
import com.sun.enterprise.security.jauth.callback.SecretKeyCallback;
import com.sun.enterprise.security.jauth.callback.TrustStoreCallback;
import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
import com.sun.org.apache.xml.internal.security.utils.Base64;
import com.sun.org.apache.xml.internal.security.utils.RFC2253Parser;
import com.sun.xml.ws.security.impl.kerberos.KerberosContext;
import com.sun.xml.wss.SecurityEnvironment;
import com.sun.xml.wss.XWSSecurityException;
import com.sun.xml.wss.core.Timestamp;
import com.sun.xml.wss.core.reference.KeyIdentifierSPI;
import com.sun.xml.wss.core.reference.X509SubjectKeyIdentifier;
import com.sun.xml.wss.impl.callback.CertificateValidationCallback;
import com.sun.xml.wss.impl.configuration.DynamicApplicationContext;
import com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl;
import com.sun.xml.wss.impl.misc.NonceCache;
import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
import com.sun.xml.wss.saml.Assertion;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.Timer;
import javax.crypto.SecretKey;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import javax.xml.stream.XMLStreamReader;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:spg-ui-war-2.1.25.war:WEB-INF/lib/xws-security-3.0.jar:com/sun/xml/wss/impl/WssProviderSecurityEnvironment.class */
public class WssProviderSecurityEnvironment implements SecurityEnvironment {
    // Provider-supplied options (this part of the file reads "ALIASES" and "PASSWORDS"); may be null.
    private Map _securityOptions;
    // Handler that answers every key, certificate, trust-store and password request made below.
    private CallbackHandler _handler;
    // Tolerated clock difference between peers; the unit is not stated here, presumably milliseconds (6 minutes) — confirm against callers.
    protected final long MAX_CLOCK_SKEW = 360000;
    // Maximum accepted age of a message timestamp; presumably milliseconds (5 minutes) — confirm against callers.
    protected final long TIMESTAMP_FRESHNESS_LIMIT = 300000;
    // Nonce cache for replay detection (by name); nothing visible in this part of the file initialises it.
    NonceCache nonceCache = null;
    static final boolean USE_DAEMON_THREAD = true;
    // NOTE(review): SimpleDateFormat is not thread-safe. These two instances are static and shared
    // across request threads, so concurrent timestamp parsing can yield corrupted dates — guard
    // their use or replace them with java.time.DateTimeFormatter.
    private static final SimpleDateFormat calendarFormatter1 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
    private static final SimpleDateFormat calendarFormatter2 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'.'SSS'Z'");
    // Daemon timer (true = does not keep the JVM alive); presumably drives nonce-cache expiry.
    static final Timer nonceCleanupTimer = new Timer(true);

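    /**
     * Creates a provider security environment backed by the given callback handler.
     *
     * @param callbackHandler handler used to resolve keys, certificates, trust stores and passwords
     * @param map             provider options; may be {@code null}. The optional "ALIASES" and
     *                        "PASSWORDS" entries are space-separated lists that must pair up one-to-one.
     * @throws XWSSecurityException if both lists are present but contain a different number of entries
     */
    public WssProviderSecurityEnvironment(CallbackHandler callbackHandler, Map map) throws XWSSecurityException {
        this._handler = callbackHandler;
        this._securityOptions = map;
        if (this._securityOptions == null) {
            return;
        }
        String aliases = (String) this._securityOptions.get("ALIASES");
        String passwords = (String) this._securityOptions.get("PASSWORDS");
        if (aliases == null || passwords == null) {
            return;
        }
        int aliasCount = new StringTokenizer(aliases, " ").countTokens();
        int passwordCount = new StringTokenizer(passwords, " ").countTokens();
        // Fail closed on a mismatched pairing. The original computed this comparison and then
        // discarded the result, so a misconfiguration would go unnoticed at startup.
        if (aliasCount != passwordCount) {
            throw new XWSSecurityException("ALIASES and PASSWORDS options must contain the same number of entries (found " + aliasCount + " and " + passwordCount + ")");
        }
    }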

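    /**
     * Resolves the private key stored under the given alias by issuing a
     * {@link PrivateKeyCallback.AliasRequest} to the configured handler.
     *
     * @param map runtime properties (not used here)
     * @param str key store alias
     * @return the private key for the alias, never {@code null}
     * @throws XWSSecurityException if the handler fails, or yields no key for the alias
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PrivateKey getPrivateKey(Map map, String str) throws XWSSecurityException {
        PrivateKeyCallback request = new PrivateKeyCallback(new PrivateKeyCallback.AliasRequest(str));
        PrivateKey resolved;
        try {
            this._handler.handle(new Callback[]{request});
            resolved = request.getKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
        // Raised outside the try block: the original threw this inside it and the generic
        // catch re-wrapped it, burying the message one level deeper in the cause chain.
        if (resolved == null) {
            throw new XWSSecurityException("Unable to locate private key for the alias " + str);
        }
        return resolved;
    }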

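    /**
     * Resolves the private key whose certificate carries the given Subject Key Identifier.
     * The current {@link Subject}'s private credentials are searched first; otherwise a
     * {@link PrivateKeyCallback.SubjectKeyIDRequest} is issued to the handler.
     *
     * @param map  runtime properties, used to look up the current {@link Subject}
     * @param bArr subject key identifier. The credential scan Base64-decodes it, whereas the
     *             callback receives it as-is — NOTE(review): this asymmetry is inherited from
     *             the original code; confirm which encoding callers actually pass.
     * @return the matching private key, or whatever the handler returns (possibly {@code null})
     * @throws XWSSecurityException on decoding or handler failure
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PrivateKey getPrivateKey(Map map, byte[] bArr) throws XWSSecurityException {
        try {
            Subject subject = getSubject(map);
            Set<X500PrivateCredential> credentials = subject == null ? null : subject.getPrivateCredentials(X500PrivateCredential.class);
            if (credentials != null && !credentials.isEmpty()) {
                // Decode once; the original re-decoded the identifier on every iteration.
                byte[] keyIdentifier = Base64.decode(bArr);
                for (X500PrivateCredential credential : credentials) {
                    if (matchesKeyIdentifier(keyIdentifier, credential.getCertificate())) {
                        return credential.getPrivateKey();
                    }
                }
            }
            PrivateKeyCallback request = new PrivateKeyCallback(new PrivateKeyCallback.SubjectKeyIDRequest(bArr));
            this._handler.handle(new Callback[]{request});
            return request.getKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }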

    /**
     * Resolves the private key belonging to the given certificate, matching on issuer name and
     * serial number. The current {@link Subject}'s private credentials are searched first; otherwise
     * a {@link PrivateKeyCallback.IssuerSerialNumRequest} is issued to the handler.
     *
     * @param map             runtime properties, used to look up the current {@link Subject}
     * @param x509Certificate certificate whose private key is wanted
     * @return the matching private key, or whatever the handler returns (possibly {@code null})
     * @throws XWSSecurityException on any failure while looking up the subject or invoking the handler
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PrivateKey getPrivateKey(Map map, X509Certificate x509Certificate) throws XWSSecurityException {
        try {
            BigInteger serial = x509Certificate.getSerialNumber();
            Subject subject = getSubject(map);
            Set<X500PrivateCredential> credentials = subject == null ? null : subject.getPrivateCredentials(X500PrivateCredential.class);
            if (credentials != null) {
                String issuer = RFC2253Parser.normalize(x509Certificate.getIssuerDN().getName());
                for (X500PrivateCredential credential : credentials) {
                    if (matchesIssuerSerialAndName(serial, issuer, credential.getCertificate())) {
                        return credential.getPrivateKey();
                    }
                }
            }
            PrivateKeyCallback request = new PrivateKeyCallback(new PrivateKeyCallback.IssuerSerialNumRequest(x509Certificate.getIssuerX500Principal(), serial));
            this._handler.handle(new Callback[]{request});
            return request.getKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }

    /**
     * Resolves the private key whose certificate has the given serial number and issuer name.
     * The current {@link Subject}'s private credentials are searched first; otherwise a
     * {@link PrivateKeyCallback.IssuerSerialNumRequest} is issued to the handler.
     *
     * @param map        runtime properties, used to look up the current {@link Subject}
     * @param bigInteger certificate serial number
     * @param str        issuer distinguished name; compared against the {@link RFC2253Parser#normalize}d
     *                   issuer of each credential and passed verbatim to {@link X500Principal}
     * @return the matching private key, or whatever the handler returns (possibly {@code null})
     * @throws XWSSecurityException on any failure while looking up the subject or invoking the handler
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PrivateKey getPrivateKey(Map map, BigInteger bigInteger, String str) throws XWSSecurityException {
        try {
            Subject subject = getSubject(map);
            Set<X500PrivateCredential> credentials = subject == null ? null : subject.getPrivateCredentials(X500PrivateCredential.class);
            if (credentials != null) {
                for (X500PrivateCredential credential : credentials) {
                    if (matchesIssuerSerialAndName(bigInteger, str, credential.getCertificate())) {
                        return credential.getPrivateKey();
                    }
                }
            }
            PrivateKeyCallback.Request byIssuerSerial = new PrivateKeyCallback.IssuerSerialNumRequest(new X500Principal(str), bigInteger);
            PrivateKeyCallback request = new PrivateKeyCallback(byIssuerSerial);
            this._handler.handle(new Callback[]{request});
            return request.getKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }

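    /**
     * Returns this party's default certificate: the single X.509 public credential of the current
     * {@link Subject} if there is exactly one, otherwise the first certificate of the chain the
     * handler returns for an alias-less {@link PrivateKeyCallback}.
     *
     * @param map runtime properties, used to look up the current {@link Subject}
     * @return the default certificate, never {@code null}
     * @throws XWSSecurityException if the handler fails or returns no certificate chain
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public X509Certificate getDefaultCertificate(Map map) throws XWSSecurityException {
        Subject subject = getSubject(map);
        if (subject != null) {
            Set<X509Certificate> publicCerts = subject.getPublicCredentials(X509Certificate.class);
            // Only an unambiguous single certificate is taken from the Subject.
            if (publicCerts != null && publicCerts.size() == 1) {
                return publicCerts.iterator().next();
            }
        }
        PrivateKeyCallback request = new PrivateKeyCallback((PrivateKeyCallback.Request) null);
        Certificate[] chain;
        try {
            this._handler.handle(new Callback[]{request});
            chain = request.getChain();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
        // The original tested only for null: an empty array fell through to an
        // ArrayIndexOutOfBoundsException wrapped in a generic XWSSecurityException.
        if (chain == null || chain.length == 0) {
            throw new XWSSecurityException("Empty certificate chain returned by PrivateKeyCallback");
        }
        return (X509Certificate) chain[0];
    }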

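    /**
     * Validates a user name / clear-text password pair through a {@link PasswordValidationCallback}.
     *
     * @param map  runtime properties (not used here)
     * @param str  user name
     * @param str2 password; may be {@code null}. Note that a {@link String} password cannot be
     *             scrubbed from memory; only the {@code char[]} copy made here is cleared.
     * @return the handler's verdict
     * @throws XWSSecurityException if the handler fails
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public boolean authenticateUser(Map map, String str, String str2) throws XWSSecurityException {
        char[] password = str2 == null ? null : str2.toCharArray();
        PasswordValidationCallback request = new PasswordValidationCallback(str, password);
        try {
            this._handler.handle(new Callback[]{request});
            return request.getResult();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        } finally {
            // Scrub the password copy on every path; the original cleared it only when the
            // handler returned normally, leaving the characters in memory after a failure.
            if (password != null) {
                request.clearPassword();
                Arrays.fill(password, '\0');
            }
        }
    }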

    /**
     * Five-argument password authentication (presumably the digested-password variant of the
     * interface) is not supported by this environment: every call is rejected, so callers relying
     * on this overload will always fail authentication here.
     *
     * @return always {@code false}
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public boolean authenticateUser(Map map, String str, String str2, String str3, String str4) throws XWSSecurityException {
        return false;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v43, types: [java.util.List] */
    /**
     * Validates a peer certificate: checks its validity period, then builds a chain from the
     * handler's trust store and runs the PKIX validator over it.
     *
     * <p>Behaviour worth knowing, all visible in the body:
     * <ul>
     *   <li>A self-signed certificate (issuer equals subject) is accepted after the validity
     *       check alone, without consulting the trust store.</li>
     *   <li>Revocation checking is explicitly disabled via {@code setRevocationEnabled(false)}.</li>
     *   <li>A PKIX validation failure is reported as {@code false}; the underlying reason is discarded.</li>
     * </ul>
     *
     * @param x509Certificate certificate to validate
     * @return {@code true} if the certificate is self-signed or chains to the trust store,
     *         {@code false} if PKIX validation fails
     * @throws XWSSecurityException if the certificate is expired or not yet valid, or if the
     *         callback handler, trust store or chain construction fails
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public boolean validateCertificate(X509Certificate x509Certificate) throws XWSSecurityException {
        try {
            x509Certificate.checkValidity();
            // Self-signed certificates short-circuit here: no trust-store check at all.
            if (x509Certificate.getIssuerX500Principal().equals(x509Certificate.getSubjectX500Principal())) {
                return true;
            }
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate(x509Certificate);
            ArrayList arrayList = new ArrayList();
            boolean z = false;
            Object obj = null;
            int i = 0;
            boolean z2 = false;
            Callback[] callbackArr = null;
            CertStoreCallback certStoreCallback = null;
            TrustStoreCallback trustStoreCallback = null;
            try {
                // Decompiler artifact: the constant conditions always take the first branch,
                // so both a CertStoreCallback and a TrustStoreCallback are requested.
                if (0 == 0 && 0 == 0) {
                    certStoreCallback = new CertStoreCallback();
                    trustStoreCallback = new TrustStoreCallback();
                    callbackArr = new Callback[]{certStoreCallback, trustStoreCallback};
                } else if (0 == 0) {
                    certStoreCallback = new CertStoreCallback();
                    callbackArr = new Callback[]{certStoreCallback};
                } else if (0 == 0) {
                    trustStoreCallback = new TrustStoreCallback();
                    callbackArr = new Callback[]{trustStoreCallback};
                }
                try {
                    this._handler.handle(callbackArr);
                    // NOTE(review): getTrustStore() is dereferenced without a null check; a handler
                    // that supplies no trust store surfaces as a wrapped NullPointerException.
                    PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(trustStoreCallback.getTrustStore(), x509CertSelector);
                    // Revocation (CRL/OCSP) is deliberately off; a revoked but otherwise valid chain passes.
                    pKIXBuilderParameters.setRevocationEnabled(false);
                    if (KeyIdentifierSPI.isIBMVM) {
                        // On IBM VMs only the leaf itself is offered as a cert store instead of the handler's.
                        pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections.singleton(x509Certificate))));
                    } else {
                        pKIXBuilderParameters.addCertStore(certStoreCallback.getCertStore());
                    }
                    Certificate[] certificateArr = null;
                    // If the leaf itself is in the trust store, reuse the chain stored under its alias.
                    String certificateAlias = trustStoreCallback.getTrustStore().getCertificateAlias(x509Certificate);
                    if (certificateAlias != null) {
                        certificateArr = trustStoreCallback.getTrustStore().getCertificateChain(certificateAlias);
                    }
                    if (certificateArr == null) {
                        // Otherwise start the chain at the leaf and walk towards its issuer.
                        arrayList.add(x509Certificate);
                        obj = x509Certificate.getIssuerX500Principal();
                        i = trustStoreCallback.getTrustStore().size();
                    } else {
                        arrayList = Arrays.asList(certificateArr);
                    }
                    // Manual chain building: z = reached a self-signed root, z2 = progress made in
                    // the current pass, i = remaining passes (bounded by the trust-store size).
                    // NOTE(review): as decompiled, when certificateArr != null the body below never
                    // runs and z never becomes true, so this loop would not terminate on that path —
                    // confirm against the original loop condition before relying on it.
                    while (!z) {
                        int i2 = i;
                        i = i2 - 1;
                        if (i2 != 0 && certificateArr == null) {
                            Enumeration<String> aliases = trustStoreCallback.getTrustStore().aliases();
                            while (true) {
                                if (!aliases.hasMoreElements()) {
                                    break;
                                }
                                Certificate certificate = trustStoreCallback.getTrustStore().getCertificate(aliases.nextElement());
                                if (certificate != null && "X.509".equals(certificate.getType()) && !arrayList.contains(certificate)) {
                                    X509Certificate x509Certificate2 = (X509Certificate) certificate;
                                    if (obj.equals(x509Certificate2.getSubjectX500Principal())) {
                                        arrayList.add(certificate);
                                        if (x509Certificate2.getSubjectX500Principal().equals(x509Certificate2.getIssuerX500Principal())) {
                                            z = true;
                                            break;
                                        }
                                        // NOTE(review): getIssuerDN() returns a Principal whose concrete
                                        // type need not be X500Principal, so the equals() against
                                        // getSubjectX500Principal() on the next pass may never match —
                                        // getIssuerX500Principal() would be the consistent choice.
                                        obj = x509Certificate2.getIssuerDN();
                                        if (!z2) {
                                            z2 = true;
                                        }
                                    } else {
                                        continue;
                                    }
                                }
                            }
                            if (!z) {
                                // No new link found in a full pass: give up on reaching a root.
                                if (!z2) {
                                    break;
                                }
                                z2 = false;
                            }
                        }
                    }
                    try {
                        try {
                            CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X.509").generateCertPath(arrayList), pKIXBuilderParameters);
                            return true;
                        } catch (Exception e) {
                            // Any validation failure (untrusted anchor, broken chain, ...) collapses
                            // to false; the reason is not logged or propagated.
                            return false;
                        }
                    } catch (Exception e2) {
                        // Unreachable as written: the inner catch already absorbs every Exception.
                        throw new CertificateValidationCallback.CertificateValidationException(e2.getMessage(), e2);
                    }
                } catch (Exception e3) {
                    throw new XWSSecurityException(e3);
                }
            } catch (Exception e4) {
                throw new XWSSecurityException(e4);
            }
        } catch (CertificateExpiredException e5) {
            throw new XWSSecurityException("X509Certificate Expired", e5);
        } catch (CertificateNotYetValidException e6) {
            throw new XWSSecurityException("X509Certificate not yet valid", e6);
        }
    }

    /**
     * Finds the certificate whose Subject Key Identifier equals {@code bArr}: first among the
     * current {@link Subject}'s private credentials, then in the chain the handler returns for a
     * {@link PrivateKeyCallback.SubjectKeyIDRequest}, and finally in the handler's trust store.
     *
     * @param map  runtime properties, used to look up the current {@link Subject}
     * @param bArr raw subject key identifier bytes
     * @return the matching certificate, never {@code null}
     * @throws XWSSecurityException if nothing matches or the handler fails
     */
    public X509Certificate getMatchingCertificate(Map map, byte[] bArr) throws XWSSecurityException {
        Subject subject = getSubject(map);
        if (subject != null) {
            Set<X500PrivateCredential> credentials = subject.getPrivateCredentials(X500PrivateCredential.class);
            if (credentials != null) {
                for (X500PrivateCredential credential : credentials) {
                    X509Certificate candidate = credential.getCertificate();
                    if (matchesKeyIdentifier(bArr, candidate)) {
                        return candidate;
                    }
                }
            }
        }
        PrivateKeyCallback keyRequest = new PrivateKeyCallback(new PrivateKeyCallback.SubjectKeyIDRequest(bArr));
        TrustStoreCallback trustRequest = new TrustStoreCallback();
        try {
            this._handler.handle(new Callback[]{keyRequest, trustRequest});
            Certificate[] chain = keyRequest.getChain();
            if (chain != null) {
                for (Certificate link : chain) {
                    X509Certificate candidate = (X509Certificate) link;
                    if (matchesKeyIdentifier(bArr, candidate)) {
                        return candidate;
                    }
                }
            }
            KeyStore trustStore = trustRequest.getTrustStore();
            X509Certificate fromTrustStore = trustStore == null ? null : getMatchingCertificate(bArr, trustStore);
            if (fromTrustStore == null) {
                throw new XWSSecurityException("No Matching Certificate for :" + Arrays.toString(bArr) + " found in KeyStore or TrustStore");
            }
            return fromTrustStore;
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }

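    /**
     * Finds the certificate with the given issuer name and serial number: first among the current
     * {@link Subject}'s private credentials, then in the chain the handler returns for a
     * {@link PrivateKeyCallback.IssuerSerialNumRequest}, and finally in the handler's trust store.
     *
     * @param map        runtime properties, used to look up the current {@link Subject}
     * @param bigInteger certificate serial number
     * @param str        issuer distinguished name, compared in {@link RFC2253Parser#normalize}d form
     * @return the matching certificate, never {@code null}
     * @throws XWSSecurityException if nothing matches or the handler fails
     */
    public X509Certificate getMatchingCertificate(Map map, BigInteger bigInteger, String str) throws XWSSecurityException {
        Subject subject = getSubject(map);
        if (subject != null) {
            Set<X500PrivateCredential> credentials = subject.getPrivateCredentials(X500PrivateCredential.class);
            if (credentials != null) {
                for (X500PrivateCredential credential : credentials) {
                    X509Certificate candidate = credential.getCertificate();
                    if (matchesIssuerSerialAndName(bigInteger, str, candidate)) {
                        return candidate;
                    }
                }
            }
        }
        PrivateKeyCallback keyRequest = new PrivateKeyCallback(new PrivateKeyCallback.IssuerSerialNumRequest(new X500Principal(str), bigInteger));
        TrustStoreCallback trustRequest = new TrustStoreCallback();
        try {
            this._handler.handle(new Callback[]{keyRequest, trustRequest});
            Certificate[] chain = keyRequest.getChain();
            if (chain != null) {
                for (Certificate link : chain) {
                    X509Certificate candidate = (X509Certificate) link;
                    if (matchesIssuerSerialAndName(bigInteger, str, candidate)) {
                        return candidate;
                    }
                }
            }
            KeyStore trustStore = trustRequest.getTrustStore();
            X509Certificate fromTrustStore = trustStore == null ? null : getMatchingCertificate(bigInteger, str, trustStore);
            if (fromTrustStore == null) {
                // The original message carried an empty placeholder after "for :"; name the lookup key.
                throw new XWSSecurityException("No Matching Certificate for issuer '" + str + "' serial " + bigInteger + " found in KeyStore or TrustStore");
            }
            return fromTrustStore;
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }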

    /**
     * Finds a certificate by key-identifier value. For {@code str.equals("Identifier")} this is the
     * Subject Key Identifier lookup of {@link #getMatchingCertificate(Map, byte[])}; for any other
     * value {@code bArr} is treated as a certificate thumbprint and searched in the current
     * {@link Subject}'s private credentials, the handler's key chain, and the trust store.
     *
     * @param map  runtime properties, used to look up the current {@link Subject}
     * @param bArr identifier bytes (subject key identifier or thumbprint, per {@code str})
     * @param str  identifier value type; {@code "Identifier"} selects the SKI lookup
     * @return the matching certificate, never {@code null}
     * @throws XWSSecurityException if nothing matches or the handler fails
     */
    public X509Certificate getMatchingCertificate(Map map, byte[] bArr, String str) throws XWSSecurityException {
        if ("Identifier".equals(str)) {
            return getMatchingCertificate(map, bArr);
        }
        Subject subject = getSubject(map);
        if (subject != null) {
            Set<X500PrivateCredential> credentials = subject.getPrivateCredentials(X500PrivateCredential.class);
            if (credentials != null) {
                for (X500PrivateCredential credential : credentials) {
                    X509Certificate candidate = credential.getCertificate();
                    if (matchesThumbPrint(bArr, candidate)) {
                        return candidate;
                    }
                }
            }
        }
        // The handler is still asked with a SubjectKeyIDRequest here, as in the original;
        // only the local comparison switches to the thumbprint.
        PrivateKeyCallback keyRequest = new PrivateKeyCallback(new PrivateKeyCallback.SubjectKeyIDRequest(bArr));
        TrustStoreCallback trustRequest = new TrustStoreCallback();
        try {
            this._handler.handle(new Callback[]{keyRequest, trustRequest});
            Certificate[] chain = keyRequest.getChain();
            if (chain != null) {
                for (Certificate link : chain) {
                    X509Certificate candidate = (X509Certificate) link;
                    if (matchesThumbPrint(bArr, candidate)) {
                        return candidate;
                    }
                }
            }
            KeyStore trustStore = trustRequest.getTrustStore();
            X509Certificate fromTrustStore = trustStore == null ? null : getMatchingCertificate(bArr, trustStore, str);
            if (fromTrustStore == null) {
                throw new XWSSecurityException("No Matching Certificate for :" + Arrays.toString(bArr) + " found in KeyStore or TrustStore");
            }
            return fromTrustStore;
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }

    /**
     * Resolves a symmetric key by alias through a {@link SecretKeyCallback.AliasRequest}.
     *
     * @param map runtime properties (not used here)
     * @param str key alias
     * @param z   not used by this implementation
     * @return whatever the handler returns (possibly {@code null})
     * @throws XWSSecurityException if the handler fails
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public SecretKey getSecretKey(Map map, String str, boolean z) throws XWSSecurityException {
        SecretKeyCallback.Request byAlias = new SecretKeyCallback.AliasRequest(str);
        SecretKeyCallback request = new SecretKeyCallback(byAlias);
        SecretKey resolved;
        try {
            this._handler.handle(new Callback[]{request});
            resolved = request.getKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
        return resolved;
    }

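    /**
     * Looks up a certificate by alias. With {@code z == true} the lookup goes through the current
     * {@link Subject}'s private credentials and then a {@link PrivateKeyCallback.AliasRequest};
     * with {@code z == false} it consults {@code getDynamicCertificate} and then the handler's
     * trust store.
     *
     * @param map runtime properties, used to look up the current {@link Subject}
     * @param str alias
     * @param z   selects the private-key-side lookup ({@code true}) or the trust-store lookup ({@code false})
     * @return the certificate, never {@code null}
     * @throws XWSSecurityException if no certificate is found or the handler fails
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public X509Certificate getCertificate(Map map, String str, boolean z) throws XWSSecurityException {
        X509Certificate found;
        try {
            if (z) {
                Subject subject = getSubject(map);
                Set<X500PrivateCredential> credentials = subject == null ? null : subject.getPrivateCredentials(X500PrivateCredential.class);
                if (credentials != null) {
                    for (X500PrivateCredential credential : credentials) {
                        // Null-safe: the original called alias.equals(str) and a credential
                        // without an alias surfaced as a wrapped NullPointerException.
                        if (str != null && str.equals(credential.getAlias())) {
                            return credential.getCertificate();
                        }
                    }
                }
                PrivateKeyCallback request = new PrivateKeyCallback(new PrivateKeyCallback.AliasRequest(str));
                this._handler.handle(new Callback[]{request});
                Certificate[] chain = request.getChain();
                // Length check added: an empty chain previously raised ArrayIndexOutOfBoundsException.
                found = chain != null && chain.length > 0 ? (X509Certificate) chain[0] : null;
            } else {
                TrustStoreCallback request = new TrustStoreCallback();
                this._handler.handle(new Callback[]{request});
                KeyStore trustStore = request.getTrustStore();
                found = getDynamicCertificate(map, trustStore);
                if (found == null && trustStore != null) {
                    found = (X509Certificate) trustStore.getCertificate(str);
                }
            }
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
        // Raised outside the try block so it is not re-wrapped by the generic catch above.
        if (found == null) {
            throw new XWSSecurityException("Unable to locate certificate for the alias '" + str + "'");
        }
        return found;
    }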

    /**
     * Tells whether the certificate's Subject Key Identifier extension equals {@code bArr}.
     *
     * @param bArr            expected identifier bytes
     * @param x509Certificate certificate to inspect
     * @return {@code false} when the certificate has no SKI extension or it differs
     * @throws XWSSecurityException if the extension cannot be read
     */
    private boolean matchesKeyIdentifier(byte[] bArr, X509Certificate x509Certificate) throws XWSSecurityException {
        byte[] candidate = X509SubjectKeyIdentifier.getSubjectKeyIdentifier(x509Certificate);
        if (candidate == null) {
            return false;
        }
        return Arrays.equals(bArr, candidate);
    }

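    /**
     * Computes the SHA-1 digest of the certificate's DER encoding, i.e. the thumbprint value used
     * by thumbprint-style key identifiers.
     *
     * @param x509Certificate certificate to digest
     * @return the raw digest bytes
     * @throws XWSSecurityException if SHA-1 is unavailable or the certificate cannot be encoded;
     *         the underlying exception is attached as the cause
     */
    public static byte[] getThumbprintIdentifier(X509Certificate x509Certificate) throws XWSSecurityException {
        try {
            MessageDigest digest = MessageDigest.getInstance(MessageConstants.SHA_1);
            return digest.digest(x509Certificate.getEncoded());
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause; the original dropped it.
            throw new XWSSecurityException("Digest algorithm SHA-1 not found", e);
        } catch (CertificateEncodingException e) {
            throw new XWSSecurityException("Error while getting certificate's raw content", e);
        }
    }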

    /**
     * Tells whether the certificate's SHA-1 thumbprint equals {@code bArr}.
     *
     * @param bArr            expected thumbprint bytes
     * @param x509Certificate certificate to digest
     * @return {@code true} only when the computed thumbprint is non-null and equal
     * @throws XWSSecurityException if the thumbprint cannot be computed
     */
    private boolean matchesThumbPrint(byte[] bArr, X509Certificate x509Certificate) throws XWSSecurityException {
        byte[] computed = getThumbprintIdentifier(x509Certificate);
        if (computed == null) {
            return false;
        }
        return Arrays.equals(bArr, computed);
    }

    /**
     * Scans a key store for the X.509 certificate whose Subject Key Identifier equals {@code bArr}.
     *
     * @param bArr     expected subject key identifier
     * @param keyStore store to scan; {@code null} yields {@code null}
     * @return the first matching certificate in alias order, or {@code null}
     * @throws XWSSecurityException if the store cannot be enumerated or an SKI cannot be read
     */
    private X509Certificate getMatchingCertificate(byte[] bArr, KeyStore keyStore) throws XWSSecurityException {
        if (keyStore == null) {
            return null;
        }
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                Certificate entry = keyStore.getCertificate(aliases.nextElement());
                if (entry == null || !"X.509".equals(entry.getType())) {
                    continue;
                }
                X509Certificate candidate = (X509Certificate) entry;
                if (matchesKeyIdentifier(bArr, candidate)) {
                    return candidate;
                }
            }
        } catch (KeyStoreException e) {
            throw new XWSSecurityException(e);
        }
        return null;
    }

    /**
     * Scans a key store for a certificate by identifier value: the Subject Key Identifier when
     * {@code str} is {@code "Identifier"}, otherwise the SHA-1 thumbprint.
     *
     * @param bArr     identifier bytes
     * @param keyStore store to scan; {@code null} yields {@code null}
     * @param str      identifier value type
     * @return the first matching certificate in alias order, or {@code null}
     * @throws XWSSecurityException if the store cannot be enumerated or a thumbprint cannot be computed
     */
    private X509Certificate getMatchingCertificate(byte[] bArr, KeyStore keyStore, String str) throws XWSSecurityException {
        if ("Identifier".equals(str)) {
            return getMatchingCertificate(bArr, keyStore);
        }
        if (keyStore == null) {
            return null;
        }
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                Certificate entry = keyStore.getCertificate(aliases.nextElement());
                if (entry == null || !"X.509".equals(entry.getType())) {
                    continue;
                }
                X509Certificate candidate = (X509Certificate) entry;
                if (Arrays.equals(bArr, getThumbprintIdentifier(candidate))) {
                    return candidate;
                }
            }
        } catch (KeyStoreException e) {
            throw new XWSSecurityException(e);
        }
        return null;
    }

    /**
     * Tells whether a certificate has the given serial number and, after RFC 2253 normalisation,
     * the given issuer name. The serial is compared first so the name is only normalised on a hit.
     *
     * @param bigInteger      expected serial number
     * @param str             expected issuer name, already in normalised form
     * @param x509Certificate certificate to compare
     * @return {@code true} when both serial and issuer match
     */
    private boolean matchesIssuerSerialAndName(BigInteger bigInteger, String str, X509Certificate x509Certificate) {
        if (!x509Certificate.getSerialNumber().equals(bigInteger)) {
            return false;
        }
        String issuer = RFC2253Parser.normalize(x509Certificate.getIssuerDN().getName());
        return issuer.equals(str);
    }

    /**
     * Scans a key store for the X.509 certificate with the given serial number and normalised
     * issuer name.
     *
     * @param bigInteger expected serial number
     * @param str        expected issuer name in {@link RFC2253Parser#normalize}d form
     * @param keyStore   store to scan; {@code null} yields {@code null}
     * @return the first matching certificate in alias order, or {@code null}
     * @throws XWSSecurityException if the store cannot be enumerated
     */
    private X509Certificate getMatchingCertificate(BigInteger bigInteger, String str, KeyStore keyStore) throws XWSSecurityException {
        if (keyStore == null) {
            return null;
        }
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                Certificate entry = keyStore.getCertificate(aliases.nextElement());
                if (entry == null || !"X.509".equals(entry.getType())) {
                    continue;
                }
                X509Certificate candidate = (X509Certificate) entry;
                if (matchesIssuerSerialAndName(bigInteger, str, candidate)) {
                    return candidate;
                }
            }
        } catch (KeyStoreException e) {
            throw new XWSSecurityException(e);
        }
        return null;
    }

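    /**
     * Records an authenticated user name/password pair on the other party's {@link Subject}: a
     * {@code CN=<name>} principal is added to the principals and the password to the private
     * credentials.
     *
     * @param subject subject to update
     * @param str     user name; escaped before being embedded in the distinguished name
     * @param str2    password. NOTE(review): it is retained as an immutable {@link String} inside
     *                the Subject and therefore cannot be scrubbed from memory later.
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void updateOtherPartySubject(final Subject subject, final String str, final String str2) {
        // Escape the user name before embedding it in a DN. Unescaped, a name containing RDN
        // separators would change the structure of the resulting principal (or be rejected by
        // X500Principal); Rdn.escapeValue applies RFC 2253/4514 escaping. String.valueOf keeps
        // the original's "CN=null" result for a null name.
        final X500Principal principal = new X500Principal("CN=" + Rdn.escapeValue(String.valueOf(str)));
        AccessController.doPrivileged(new PrivilegedAction<Void>() { // from class: com.sun.xml.wss.impl.WssProviderSecurityEnvironment.1
            @Override // java.security.PrivilegedAction
            public Void run() {
                subject.getPrincipals().add(principal);
                subject.getPrivateCredentials().add(str2);
                return null;
            }
        });
    }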

    /**
     * Records an authenticated certificate on the other party's {@link Subject}: its subject
     * principal is added to the principals and the certificate itself to the public credentials.
     *
     * @param subject         subject to update
     * @param x509Certificate certificate that authenticated the other party
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void updateOtherPartySubject(final Subject subject, final X509Certificate x509Certificate) {
        final X500Principal peer = x509Certificate.getSubjectX500Principal();
        PrivilegedAction<Void> attach = new PrivilegedAction<Void>() { // from class: com.sun.xml.wss.impl.WssProviderSecurityEnvironment.2
            @Override // java.security.PrivilegedAction
            public Void run() {
                subject.getPrincipals().add(peer);
                subject.getPublicCredentials().add(x509Certificate);
                return null;
            }
        };
        AccessController.doPrivileged(attach);
    }

    /**
     * No-op: a SAML assertion does not contribute any principal or credential to the other party's
     * {@link Subject} in this environment, so downstream authorisation cannot rely on SAML-derived
     * identity being present here.
     *
     * @param subject   subject that would be updated (left untouched)
     * @param assertion assertion that authenticated the other party (ignored)
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void updateOtherPartySubject(Subject subject, Assertion assertion) {
    }

    /**
     * Returns the public key of the certificate with the given issuer name and serial number.
     *
     * @param map        runtime properties, used to look up the current {@link Subject}
     * @param bigInteger certificate serial number
     * @param str        issuer distinguished name
     * @return the certificate's public key
     * @throws XWSSecurityException if no certificate matches (the lookup never returns {@code null})
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PublicKey getPublicKey(Map map, BigInteger bigInteger, String str) throws XWSSecurityException {
        X509Certificate match = getMatchingCertificate(map, bigInteger, str);
        return match.getPublicKey();
    }

    /**
     * Returns the public key of the certificate whose Subject Key Identifier is the Base64 value
     * {@code str}; no {@link Subject} is consulted (the map argument is {@code null}).
     *
     * @param str Base64-encoded subject key identifier
     * @return the certificate's public key
     * @throws XWSSecurityException if decoding fails, no certificate matches, or the handler fails
     */
    public PublicKey getPublicKey(String str) throws XWSSecurityException {
        PublicKey key;
        try {
            byte[] keyIdentifier = getDecodedBase64EncodedData(str);
            X509Certificate match = getMatchingCertificate((Map) null, keyIdentifier);
            key = match.getPublicKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
        return key;
    }

    /**
     * Returns the public key of the certificate whose Subject Key Identifier equals {@code bArr}.
     *
     * @param map  runtime properties, used to look up the current {@link Subject}
     * @param bArr raw subject key identifier bytes
     * @return the certificate's public key
     * @throws XWSSecurityException if no certificate matches or the handler fails
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PublicKey getPublicKey(Map map, byte[] bArr) throws XWSSecurityException {
        PublicKey key;
        try {
            X509Certificate match = getMatchingCertificate(map, bArr);
            key = match.getPublicKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
        return key;
    }

    /**
     * Returns the public key of the certificate matching an identifier of the given value type.
     * Unlike the two-argument overload, failures are not wrapped here.
     *
     * @param map per-message context passed through to the certificate lookup
     * @param bArr identifier bytes
     * @param str identifier value type (interpreted by {@code getMatchingCertificate})
     * @return the matching certificate's public key
     * @throws XWSSecurityException propagated from the lookup
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PublicKey getPublicKey(Map map, byte[] bArr, String str) throws XWSSecurityException {
        final X509Certificate certificate = getMatchingCertificate(map, bArr, str);
        return certificate.getPublicKey();
    }

    /**
     * Base64-decodes {@code str}, converting a decoding failure into a
     * {@link SecurityHeaderException} (cause preserved).
     *
     * @param str Base64 text
     * @return the decoded bytes
     * @throws XWSSecurityException as {@link SecurityHeaderException} when the input is not valid Base64
     */
    private byte[] getDecodedBase64EncodedData(String str) throws XWSSecurityException {
        final byte[] decoded;
        try {
            decoded = Base64.decode(str);
        } catch (Base64DecodingException e) {
            throw new SecurityHeaderException("Unable to decode Base64 encoded data", e);
        }
        return decoded;
    }

    /**
     * Looks up a certificate by issuer name and serial number.
     *
     * @param map per-message context passed through to the lookup
     * @param bigInteger certificate serial number
     * @param str issuer name
     * @return whatever {@code getMatchingCertificate} returns for these arguments
     * @throws XWSSecurityException propagated from the lookup
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public X509Certificate getCertificate(Map map, BigInteger bigInteger, String str) throws XWSSecurityException {
        final X509Certificate certificate = getMatchingCertificate(map, bigInteger, str);
        return certificate;
    }

    /**
     * Looks up a certificate by a Base64-encoded identifier.
     *
     * @param str Base64 text; decoded with {@code getDecodedBase64EncodedData}
     * @return whatever {@code getMatchingCertificate} returns for the decoded identifier
     * @throws XWSSecurityException wrapping any decoding or lookup failure
     */
    public X509Certificate getCertificate(String str) throws XWSSecurityException {
        try {
            final byte[] identifier = getDecodedBase64EncodedData(str);
            return getMatchingCertificate((Map) null, identifier);
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }

    /**
     * Not implemented: always returns {@code null}. Callers must treat {@code null} as "no key
     * available" rather than assuming a key was resolved for {@code publicKey}.
     *
     * @return always {@code null}
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PrivateKey getPrivateKey(Map map, PublicKey publicKey, boolean z) {
        return null;
    }

    /**
     * Not implemented: always returns {@code null}. Note that {@code getPublicKey(Map, byte[])}
     * does not go through this method; it calls {@code getMatchingCertificate} directly.
     *
     * @return always {@code null}
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public X509Certificate getCertificate(Map map, byte[] bArr) {
        return null;
    }

    /**
     * Not implemented: always returns {@code null}; callers must handle the null result.
     *
     * @return always {@code null}
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public X509Certificate getCertificate(Map map, PublicKey publicKey, boolean z) throws XWSSecurityException {
        return null;
    }

    /**
     * Not implemented: always returns {@code null}; callers must handle the null result.
     *
     * @return always {@code null}
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public X509Certificate getCertificate(Map map, byte[] bArr, String str) throws XWSSecurityException {
        return null;
    }

    /**
     * Accepts every issuer: returns {@code true} unconditionally and never inspects {@code str}.
     * No issuer trust decision is made here; if SAML issuer trust matters in a deployment using
     * this environment, it must be enforced elsewhere.
     *
     * @param str issuer name; ignored
     * @return always {@code true}
     */
    public boolean validateSamlIssuer(String str) {
        return true;
    }

    /**
     * Accepts every user: returns {@code true} unconditionally and never inspects its arguments.
     * No subject/user check is performed here; any such check must happen elsewhere.
     *
     * @return always {@code true}
     */
    public boolean validateSamlUser(String str, String str2, String str3) {
        return true;
    }

    /**
     * Stores this party's own subject in the message context under
     * {@code MessageConstants.SELF_SUBJECT}, replacing any previous value.
     *
     * @param subject subject to store
     * @param map message context; must not be null
     */
    public void setSubject(Subject subject, Map map) {
        final Object key = MessageConstants.SELF_SUBJECT;
        map.put(key, subject);
    }

    /**
     * Stores the requester's subject in the message context under
     * {@code MessageConstants.AUTH_SUBJECT}, replacing any previous value.
     *
     * @param subject subject to store
     * @param map message context; must not be null
     */
    public void setRequesterSubject(Subject subject, Map map) {
        final Object key = MessageConstants.AUTH_SUBJECT;
        map.put(key, subject);
    }

    /**
     * Not implemented: always returns {@code null}. Use {@code getSubject(Map)} to read the
     * subject stored in a message context.
     *
     * @return always {@code null}
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public Subject getSubject() {
        return null;
    }

    /**
     * Reads this party's own subject from the message context.
     *
     * @param map message context; must not be null
     * @return the value stored under {@code MessageConstants.SELF_SUBJECT}, or {@code null}
     * @throws ClassCastException if the stored value is not a {@link Subject}
     */
    public Subject getSubject(Map map) {
        final Object stored = map.get(MessageConstants.SELF_SUBJECT);
        return (Subject) stored;
    }

    /**
     * Reads the requester's subject from the message context.
     *
     * @param map message context; must not be null
     * @return the value stored under {@code MessageConstants.AUTH_SUBJECT}, or {@code null}
     * @throws ClassCastException if the stored value is not a {@link Subject}
     */
    public Subject getRequesterSubject(Map map) {
        final Object stored = map.get(MessageConstants.AUTH_SUBJECT);
        return (Subject) stored;
    }

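    /**
     * Shifts {@code calendar} by its zone offset and then applies a fixed 6-minute (360000 ms)
     * skew: forward when {@code z} is true, backward otherwise. Same arithmetic as the static
     * three-argument overload, with the skew hard-coded.
     *
     * <p>The offset removed is {@link Calendar#ZONE_OFFSET} plus the zone's DST savings when the
     * calendar's instant is in daylight time. {@code getTimeInMillis()} is already an epoch
     * instant, so this subtraction moves the instant rather than re-expressing it; it is kept
     * because the other time checks in this class use the identical adjustment and presumably
     * the timestamp formatters parse with a matching assumption - confirm before changing.
     *
     * <p>The supplied calendar is mutated; the returned {@link Date} is its new time.
     *
     * @param calendar calendar to adjust (mutated in place)
     * @param z true to add the skew, false to subtract it
     * @return the adjusted time
     */
    private Date getGMTDateWithSkewAdjusted(Calendar calendar, boolean z) {
        final long skewMillis = 360000L; // fixed 6-minute skew used by this overload
        // Calendar.ZONE_OFFSET replaces the decompiled magic field index 15
        long offset = calendar.get(Calendar.ZONE_OFFSET);
        if (calendar.getTimeZone().inDaylightTime(calendar.getTime())) {
            offset += calendar.getTimeZone().getDSTSavings();
        }
        final long shifted = calendar.getTimeInMillis() - offset;
        calendar.setTimeInMillis(z ? shifted + skewMillis : shifted - skewMillis);
        return calendar.getTime();
    }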

    /**
     * Obtains a username by issuing a {@link NameCallback} to the configured handler.
     *
     * @param map message context; not used by this implementation
     * @return the name the handler filled in (may be {@code null} if it set none)
     * @throws RuntimeException wrapping any handler failure - note this is not the declared
     *     {@link XWSSecurityException}, so callers catching only that type will miss it
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public String getUsername(Map map) throws XWSSecurityException {
        final NameCallback nameCallback = new NameCallback("Username: ");
        final Callback[] callbacks = {nameCallback};
        try {
            this._handler.handle(callbacks);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return nameCallback.getName();
    }

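    /**
     * Obtains a password by issuing a {@link PasswordCallback} to the configured handler.
     *
     * <p>The callback's internal copy is cleared in {@code finally} so it does not linger on the
     * heap; the returned {@link String} itself cannot be zeroed, which the interface forces.
     *
     * @param map message context; not used by this implementation
     * @return the password as a {@link String}, or {@code null} if the handler set none
     * @throws RuntimeException wrapping any handler failure - not the declared
     *     {@link XWSSecurityException}; callers catching only that type will miss it
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public String getPassword(Map map) throws XWSSecurityException {
        final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        try {
            this._handler.handle(new Callback[]{passwordCallback});
            final char[] password = passwordCallback.getPassword();
            if (password == null) {
                return null;
            }
            return new String(password);
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            // getPassword() returns a clone; this zeroes the copy held by the callback
            passwordCallback.clearPassword();
        }
    }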

    /**
     * Checks a nonce against the replay cache and records it, lazily creating the cache (on first
     * use or after it was cancelled) and scheduling its periodic cleanup if not yet scheduled.
     *
     * <p>The null/cancelled test here runs outside any lock; {@code initNonceCache} re-checks
     * under {@code synchronized}, but a cache cancelled between that test and the final call is
     * still used for this one validation.
     *
     * @param str nonce value
     * @param str2 second value passed to the cache (presumably the token's creation time)
     * @param j value used when the cache is (re)created; 0 selects the no-argument constructor
     * @return the cache's verdict; its contract lives in {@link NonceCache}, outside this view
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public boolean validateAndCacheNonce(String str, String str2, long j) throws XWSSecurityException {
        if (this.nonceCache == null || this.nonceCache.wasCanceled()) {
            initNonceCache(j);
        }
        if (!this.nonceCache.isScheduled()) {
            setNonceCacheCleanup();
        }
        return this.nonceCache.validateAndCacheNonce(str, str2);
    }

    /**
     * Creates the nonce cache if there is none yet or the existing one was cancelled; otherwise
     * leaves it alone. Re-checks the state under the lock because the caller tests it unlocked.
     *
     * @param j passed to {@link NonceCache#NonceCache(long)}; 0 selects the no-argument constructor
     */
    private synchronized void initNonceCache(long j) {
        final boolean needsFreshCache = this.nonceCache == null || this.nonceCache.wasCanceled();
        if (!needsFreshCache) {
            return;
        }
        this.nonceCache = (j == 0) ? new NonceCache() : new NonceCache(j);
    }

    /**
     * Schedules the nonce cache's cleanup task on {@code nonceCleanupTimer} unless it is already
     * scheduled; the cache is both the task and the source of the period (its max nonce age is
     * used for the initial delay and the repeat interval).
     */
    private synchronized void setNonceCacheCleanup() {
        final NonceCache cache = this.nonceCache;
        if (!cache.isScheduled()) {
            nonceCleanupTimer.schedule(cache, cache.getMaxNonceAge(), cache.getMaxNonceAge());
            cache.scheduled(true);
        }
    }

    /**
     * Validates a security timestamp: rejects an expiry earlier than creation, then checks the
     * creation time (freshness and not-in-future) and the expiration time.
     *
     * @param map message context passed to the creation-time check
     * @param str created time text
     * @param str2 expires time text; may be {@code null}
     * @param j first time bound (used as the clock skew by the callees)
     * @param j2 second time bound (used in the freshness bound by the callees)
     * @throws XWSSecurityException on a parse failure or a failed check
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void validateTimestamp(Map map, String str, String str2, long j, long j2) throws XWSSecurityException {
        final boolean expiryPrecedesCreation = expiresBeforeCreated(str, str2);
        if (expiryPrecedesCreation) {
            final String reason = "Message expired!";
            throw DefaultSecurityEnvironmentImpl.newSOAPFaultException(
                    MessageConstants.WSU_MESSAGE_EXPIRED, reason, new XWSSecurityException(reason));
        }
        validateCreationTime(map, str, j, j2);
        validateExpirationTime(str2, j, j2);
    }

    /**
     * Validates a {@link Timestamp} by delegating its created/expires values to the
     * string-based overload.
     *
     * @param map message context
     * @param timestamp timestamp to validate; must not be null
     * @param j first time bound, passed through
     * @param j2 second time bound, passed through
     * @throws XWSSecurityException propagated from the string-based overload
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void validateTimestamp(Map map, Timestamp timestamp, long j, long j2) throws XWSSecurityException {
        final String created = timestamp.getCreated();
        final String expires = timestamp.getExpires();
        validateTimestamp(map, created, expires, j, j2);
    }

    /**
     * Reports whether the expiry time precedes the creation time.
     *
     * <p>Both strings are first parsed with {@code calendarFormatter1}; if either parse fails the
     * whole pair is re-parsed with {@code calendarFormatter2}. A failure there is reported as an
     * {@link XWSSecurityException} carrying only the message (the cause is dropped). The nested
     * {@code synchronized (calendarFormatter2)} inside the fallback is redundant but harmless
     * (intrinsic locks are reentrant).
     *
     * @param str created time text; must be non-null
     * @param str2 expires time text; {@code null} means "no expiry" and yields {@code false}
     * @return {@code true} only when {@code str2} is present and parses to a time before {@code str}
     * @throws XWSSecurityException if the fallback formatter also fails to parse
     */
    private static boolean expiresBeforeCreated(String str, String str2) throws XWSSecurityException {
        Date parse;
        Date date = null;
        try {
            try {
                synchronized (calendarFormatter1) {
                    parse = calendarFormatter1.parse(str);
                }
                if (str2 != null) {
                    synchronized (calendarFormatter1) {
                        date = calendarFormatter1.parse(str2);
                    }
                }
            } catch (ParseException e) {
                // fallback: re-parse both values with the second formatter
                synchronized (calendarFormatter2) {
                    parse = calendarFormatter2.parse(str);
                    if (str2 != null) {
                        synchronized (calendarFormatter2) {
                            date = calendarFormatter2.parse(str2);
                        }
                    }
                }
            }
            return date != null && date.before(parse);
        } catch (ParseException e2) {
            throw new XWSSecurityException(e2.getMessage());
        }
    }

    /**
     * Validates a creation time: it must not be older than the freshness bound and must not lie
     * ahead of the skew-adjusted current time.
     *
     * <p>Parsing tries {@code calendarFormatter1} then {@code calendarFormatter2}; a failure of
     * both is reported with the message only (cause dropped). {@code j} is used as the skew on
     * the "ahead of now" check, and both {@code j} and {@code j2} are subtracted for the
     * freshness bound - presumably {@code j} is the clock skew and {@code j2} the freshness
     * limit; confirm against the interface's parameter names.
     *
     * @param map message context; not used by this implementation
     * @param str created time text; must be non-null
     * @param j time bound applied as the skew
     * @param j2 time bound applied only to the freshness lower bound
     * @throws XWSSecurityException on parse failure, or as a SOAP fault when a check fails
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void validateCreationTime(Map map, String str, long j, long j2) throws XWSSecurityException {
        Date parse;
        try {
            synchronized (calendarFormatter1) {
                parse = calendarFormatter1.parse(str);
            }
        } catch (ParseException e) {
            try {
                synchronized (calendarFormatter2) {
                    parse = calendarFormatter2.parse(str);
                }
            } catch (ParseException e2) {
                throw new XWSSecurityException("Exception while parsing Creation Time :" + e2.getMessage());
            }
        }
        try {
            // too old: created before (now - zone offset - j - j2)
            if (parse.before(getFreshnessAndSkewAdjustedDate(j, j2))) {
                throw DefaultSecurityEnvironmentImpl.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY, "Creation Time is older than configured Timestamp Freshness Interval!", new XWSSecurityException("Creation Time is older than configured Timestamp Freshness Interval!"));
            }
            // in the future: created after (now - zone offset + j)
            if (getGMTDateWithSkewAdjusted(new GregorianCalendar(), j, true).before(parse)) {
                throw DefaultSecurityEnvironmentImpl.newSOAPFaultException(MessageConstants.WSSE_INVALID_SECURITY, "Creation Time ahead of Current Time!", new XWSSecurityException("Creation Time ahead of Current Time!"));
            }
        } catch (ParseException e3) {
            // only getFreshnessAndSkewAdjustedDate declares ParseException; its body never throws it
            throw new XWSSecurityException(e3.getMessage());
        }
    }

    /**
     * Rejects a message whose expiry lies before the skew-adjusted current time. A {@code null}
     * expiry is accepted without any check.
     *
     * <p>Parsing tries {@code calendarFormatter1} then {@code calendarFormatter2}; a failure of
     * both is reported with the message only (cause dropped).
     *
     * @param str expires time text; {@code null} disables the check
     * @param j skew subtracted from the current time before comparing
     * @param j2 unused here
     * @throws XWSSecurityException on parse failure, or as a SOAP fault when the message has expired
     */
    private void validateExpirationTime(String str, long j, long j2) throws XWSSecurityException {
        if (str == null) {
            return;
        }
        Date expires;
        try {
            synchronized (calendarFormatter1) {
                expires = calendarFormatter1.parse(str);
            }
        } catch (ParseException e) {
            try {
                synchronized (calendarFormatter2) {
                    expires = calendarFormatter2.parse(str);
                }
            } catch (ParseException e2) {
                throw new XWSSecurityException("Exception while parsing Expiration Time :" + e2.getMessage());
            }
        }
        final Date skewedNow = getGMTDateWithSkewAdjusted(new GregorianCalendar(), j, false);
        if (expires.before(skewedNow)) {
            final String reason = "Message Expired!";
            throw DefaultSecurityEnvironmentImpl.newSOAPFaultException(MessageConstants.WSU_MESSAGE_EXPIRED, reason, new XWSSecurityException(reason));
        }
    }

    /**
     * Returns the callback handler this environment delegates credential and key requests to.
     *
     * @return the configured handler ({@code _handler}), as stored - may be {@code null} if none was set
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public CallbackHandler getCallbackHandler() throws XWSSecurityException {
        final CallbackHandler handler = this._handler;
        return handler;
    }

    /**
     * Not supported by this environment: always throws. A caller that reaches this will fail
     * closed rather than accept an unvalidated assertion.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void validateSAMLAssertion(Map map, Element element) throws XWSSecurityException {
        throw new UnsupportedOperationException("Not supported");
    }

    /**
     * Not supported by this environment: always throws.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public Element locateSAMLAssertion(Map map, Element element, String str, Document document) throws XWSSecurityException {
        throw new UnsupportedOperationException("Not supported");
    }

    /**
     * Not supported by this environment: always throws.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public AuthenticationTokenPolicy.SAMLAssertionBinding populateSAMLPolicy(Map map, AuthenticationTokenPolicy.SAMLAssertionBinding sAMLAssertionBinding, DynamicApplicationContext dynamicApplicationContext) throws XWSSecurityException {
        throw new UnsupportedOperationException("Not supported");
    }

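    /**
     * Shifts {@code calendar} by its zone offset and then applies a skew of {@code j} ms:
     * forward when {@code z} is true, backward otherwise.
     *
     * <p>The offset removed is {@link Calendar#ZONE_OFFSET} plus the zone's DST savings when the
     * calendar's instant is in daylight time. {@code getTimeInMillis()} is already an epoch
     * instant, so this subtraction moves the instant rather than re-expressing it; the other
     * time checks in this class apply the same adjustment, so it is kept for consistency -
     * confirm the formatters' time-zone handling before changing it.
     *
     * <p>The supplied calendar is mutated; the returned {@link Date} is its new time.
     *
     * @param calendar calendar to adjust (mutated in place)
     * @param j skew in milliseconds
     * @param z true to add the skew, false to subtract it
     * @return the adjusted time
     */
    private static Date getGMTDateWithSkewAdjusted(Calendar calendar, long j, boolean z) {
        // Calendar.ZONE_OFFSET replaces the decompiled magic field index 15
        long offset = calendar.get(Calendar.ZONE_OFFSET);
        if (calendar.getTimeZone().inDaylightTime(calendar.getTime())) {
            offset += calendar.getTimeZone().getDSTSavings();
        }
        final long shifted = calendar.getTimeInMillis() - offset;
        calendar.setTimeInMillis(z ? shifted + j : shifted - j);
        return calendar.getTime();
    }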

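    /**
     * Computes the oldest acceptable creation time: the current time shifted by the zone
     * offset (plus DST savings when in daylight time), minus {@code j} and {@code j2}.
     *
     * <p>The {@code throws ParseException} clause is retained although nothing here throws it:
     * {@code validateCreationTime} catches that type around the call, and removing the clause
     * would make that catch a compile error.
     *
     * @param j first amount subtracted, in milliseconds
     * @param j2 second amount subtracted, in milliseconds
     * @return the lower bound for an acceptable creation time
     * @throws ParseException never; kept for the caller's catch clause
     */
    private static Date getFreshnessAndSkewAdjustedDate(long j, long j2) throws ParseException {
        final GregorianCalendar now = new GregorianCalendar();
        // Calendar.ZONE_OFFSET replaces the decompiled magic field index 15
        long offset = now.get(Calendar.ZONE_OFFSET);
        if (now.getTimeZone().inDaylightTime(now.getTime())) {
            offset += now.getTimeZone().getDSTSavings();
        }
        now.setTimeInMillis(((now.getTimeInMillis() - offset) - j) - j2);
        return now.getTime();
    }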

    /**
     * Resolves the requester's certificate from the message context, trying in order: the
     * requester key id, then issuer name plus serial number, then the last
     * {@link X509Certificate} among the requester subject's public credentials.
     *
     * <p>Lookup failures ({@link XWSSecurityException}) are swallowed and reported as
     * {@code null}; an earlier strategy that applies but finds nothing also returns {@code null}
     * without falling through to the next one.
     *
     * @param map message context; must not be null
     * @param keyStore store handed to the {@code getMatchingCertificate} overloads
     * @return the resolved certificate, or {@code null}
     */
    private X509Certificate getDynamicCertificate(Map map, KeyStore keyStore) {
        final Subject requester = getRequesterSubject(map);
        final String keyId = (String) map.get(MessageConstants.REQUESTER_KEYID);
        final String issuerName = (String) map.get(MessageConstants.REQUESTER_ISSUERNAME);
        final BigInteger serial = (BigInteger) map.get(MessageConstants.REQUESTER_SERIAL);
        if (keyId != null) {
            try {
                // encoded with the platform default charset, as before; presumably ASCII key ids
                return getMatchingCertificate(keyId.getBytes(), keyStore);
            } catch (XWSSecurityException e) {
                return null;
            }
        }
        if (issuerName != null && serial != null) {
            try {
                return getMatchingCertificate(serial, issuerName, keyStore);
            } catch (XWSSecurityException e) {
                return null;
            }
        }
        if (requester == null) {
            return null;
        }
        X509Certificate found = null;
        for (Object credential : requester.getPublicCredentials()) {
            if (credential instanceof X509Certificate) {
                found = (X509Certificate) credential; // last match wins, as in the original
            }
        }
        return found;
    }

    /**
     * Intentionally a no-op: a bare name adds nothing to the subject in this implementation
     * (contrast the three-argument overload, which adds a principal and a private credential).
     */
    public void updateOtherPartySubject(Subject subject, String str) {
    }

    /**
     * Intentionally a no-op: a raw {@link Key} is not recorded on the subject by this implementation.
     */
    public void updateOtherPartySubject(Subject subject, Key key) {
    }

    /**
     * Resolves a private key for a key identifier. For value type {@code "Identifier"} the
     * two-argument overload is used. Otherwise the caller's own subject is searched for an
     * {@link X500PrivateCredential} whose certificate matches the Base64-decoded {@code bArr}
     * as a thumbprint; failing that, a {@link PrivateKeyCallback} with a subject-key-id request
     * is issued to the handler.
     *
     * <p>{@code bArr} is Base64-decoded once per credential examined (and not at all when the
     * subject has no matching credentials), so undecodable input only fails when credentials exist.
     *
     * @param map message context (source of the own subject)
     * @param bArr key identifier bytes
     * @param str identifier value type
     * @return the resolved key; whether the callback may yield {@code null} is decided by the handler
     * @throws XWSSecurityException wrapping any decoding, matching or handler failure
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public PrivateKey getPrivateKey(Map map, byte[] bArr, String str) throws XWSSecurityException {
        if ("Identifier".equals(str)) {
            return getPrivateKey(map, bArr);
        }
        try {
            final Subject self = getSubject(map);
            if (self != null) {
                final Set<X500PrivateCredential> credentials = self.getPrivateCredentials(X500PrivateCredential.class);
                if (credentials != null) {
                    for (X500PrivateCredential credential : credentials) {
                        final byte[] thumbprint = Base64.decode(bArr);
                        if (matchesThumbPrint(thumbprint, credential.getCertificate())) {
                            return credential.getPrivateKey();
                        }
                    }
                }
            }
            final PrivateKeyCallback privateKeyCallback =
                    new PrivateKeyCallback(new PrivateKeyCallback.SubjectKeyIDRequest(bArr));
            this._handler.handle(new Callback[]{privateKeyCallback});
            return privateKeyCallback.getKey();
        } catch (Exception e) {
            throw new XWSSecurityException(e);
        }
    }

    /**
     * Not supported by this environment: always throws, so a streaming assertion is never
     * silently accepted.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void validateSAMLAssertion(Map map, XMLStreamReader xMLStreamReader) throws XWSSecurityException {
        throw new UnsupportedOperationException("Not supported");
    }

    /**
     * Intentionally a no-op: nothing is derived from a streamed token in this implementation.
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void updateOtherPartySubject(Subject subject, XMLStreamReader xMLStreamReader) {
    }

    /**
     * Not supported by this environment: always throws. Code that relies on this to tell its own
     * certificate from a peer's will fail at runtime rather than get a wrong answer.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public boolean isSelfCertificate(X509Certificate x509Certificate) {
        throw new UnsupportedOperationException("Not supported");
    }

    /**
     * Not supported by this environment: always throws (unlike the other
     * {@code updateOtherPartySubject} overloads here, which are no-ops or add credentials).
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void updateOtherPartySubject(Subject subject, Subject subject2) {
        throw new UnsupportedOperationException("Not supported");
    }

    /**
     * Not supported by this environment: always throws.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public KerberosContext doKerberosLogin() throws XWSSecurityException {
        throw new UnsupportedOperationException("Not supported");
    }

    /**
     * Not supported by this environment: always throws; {@code bArr} is never read.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public KerberosContext doKerberosLogin(byte[] bArr) throws XWSSecurityException {
        throw new UnsupportedOperationException("Not supported");
    }

    /**
     * Not supported by this environment: always throws; neither the GSS name nor the credential
     * is recorded on the subject.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.sun.xml.wss.SecurityEnvironment
    public void updateOtherPartySubject(Subject subject, GSSName gSSName, GSSCredential gSSCredential) {
        throw new UnsupportedOperationException("Not supported yet.");
    }
}
