package com.ibm.xml.soapsec.token;

import com.ibm.ws.wssecurity.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.xml.soapsec.Constants;
import com.ibm.xml.soapsec.ResultPool;
import com.ibm.xml.soapsec.SoapSecurityComponent;
import com.ibm.xml.soapsec.token.TokenResult;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.DOMUtil;
import com.ibm.xml.soapsec.util.Hex;
import com.ibm.xml.soapsec.util.IdUtil;
import com.ibm.xml.soapsec.util.NamespaceUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.text.MessageFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;
import javax.faces.validator.BeanValidator;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:lib/ecc_v2r3m0f010/com.ibm.ws.webservices.thinclient_8.5.0.jar:com/ibm/xml/soapsec/token/UsernameTokenReceiver.class */
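/**
 * Receiver-side {@link SoapSecurityComponent} that processes a WS-Security
 * {@code UsernameToken} element taken from an incoming SOAP message.
 *
 * <p>For each token, {@link #invoke(Document, Element, Map)} reads the user name and the
 * optional password, rejects password-digest tokens as unsupported, checks the
 * {@code Created} timestamp and the {@code Nonce} when present (or required by
 * configuration), performs the login through {@code ReceiverLogin} and records the outcome
 * in the {@code ResultPool}.
 *
 * <p>Everything read from the token element is supplied by the message sender and is
 * therefore untrusted until the login succeeds.
 */
public class UsernameTokenReceiver implements SoapSecurityComponent {
    private static final String comp = "security.wssecurity";
    // Populated by init(); invoke() dereferences it without a null check, so a context map
    // that has no TokenReceiverConfig entry shows up as a NullPointerException at request time.
    TokenReceiverConfig conf = null;
    private static final TraceComponent tc = Tr.register(UsernameTokenReceiver.class, Constants.TR_GROUP, "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    private static final String clsName = UsernameTokenReceiver.class.getName();

    /**
     * Stores the receiver configuration found in the context map under the
     * {@code TokenReceiverConfig.class} key.
     *
     * @param map initialisation context
     * @throws Exception declared by the interface; this implementation can only fail with a
     *         {@link ClassCastException} when the stored value has another type
     */
    @Override // com.ibm.xml.soapsec.SoapSecurityComponent
    public void init(Map map) throws Exception {
        this.conf = (TokenReceiverConfig) map.get(TokenReceiverConfig.class);
    }

    /**
     * Validates one {@code UsernameToken} element and, when a login mapping is configured,
     * authenticates the sender and adds a {@code TokenResult.Username} to the result pool.
     *
     * @param document owning document (only used for tracing here)
     * @param element  the {@code UsernameToken} element
     * @param map      per-message context
     * @throws SoapSecurityException if the token uses a password digest, fails the timestamp
     *         or nonce checks, or the login itself raises the exception
     */
    @Override // com.ibm.xml.soapsec.SoapSecurityComponent
    public void invoke(Document document, Element element, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the token element and the whole context map are written to the
            // entry trace; confirm their string forms cannot expose the password or other
            // credentials when entry tracing is switched on.
            Tr.entry(tc, "invoke(" + document + "," + element + "," + map + ")");
        }
        String idAttrName = IdUtil.getInstance().getIdAttributeName(element);
        String tokenId = idAttrName == null ? null : element.getAttribute(idAttrName);
        // Only the first Username/Password child is considered; further ones are ignored.
        // NOTE(review): item(0) is null when the token has no Username child - confirm that
        // DOMUtil.getStringValue tolerates null, otherwise a malformed token ends in an
        // unchecked exception instead of a SOAP fault.
        String username = DOMUtil.getStringValue((Element) NamespaceUtil.getWsseElementsByTagName(element, Constants.STR_USER).item(0));
        char[] password = null;
        NodeList passwordNodes = NamespaceUtil.getWsseElementsByTagName(element, "Password");
        if (passwordNodes.getLength() != 0) {
            Element passwordElement = (Element) passwordNodes.item(0);
            String passwordType = passwordElement.getAttribute(com.ibm.xml.crypto.dsig.Constants.AT_TYPE);
            // Password digests are refused outright; any other (or absent) Type value is
            // handled as a clear-text password.
            if (!passwordType.equals("") && NamespaceUtil.equals(DOMUtil.getQName(passwordElement, passwordType), Constants.PASSWORD_DIGEST_RCVR)) {
                throw SoapSecurityException.format(Constants.getQName(Constants.getWSSENS(map), Constants.UNSUPPORTED_SECURITY_TOKEN_QNAME), "security.wssecurity.UsernameTokenReceiver.token08");
            }
            password = DOMUtil.getStringValue(passwordElement).toCharArray();
        }
        // Freshness and replay checks run before authentication.
        // NOTE(review): if NonceManager.validate records the nonce, unauthenticated senders
        // can grow the nonce store - confirm it is bounded.
        validateNonceTimestamp(element, map);
        validateNonce(element, map);
        // A token without a Password element is routed to the STR_ID login mapping and the
        // login is called with a null password, so the user name is accepted on the strength
        // of that mapping alone. NOTE(review): confirm the STR_ID mapping is only configured
        // where the sender is authenticated by other means.
        boolean withoutPassword = password == null;
        LoginMapping loginMapping = withoutPassword ? this.conf.getLoginMapping(Constants.STR_ID) : this.conf.getLoginMapping(Constants.STR_BASIC);
        if (loginMapping != null) {
            // NOTE(review): the password array is never cleared in this method. It may still
            // be referenced by the login machinery, so zeroing it needs a check of
            // ReceiverLogin.login first.
            Subject subject = ReceiverLogin.login(loginMapping, username, null, password, map);
            ResultPool.add(map, tokenId != null ? new TokenResult.Username(subject, username, withoutPassword, tokenId) : new TokenResult.Username(subject, username, withoutPassword, element));
        } else {
            // No mapping configured: nothing is added to the result pool and the method
            // returns normally. NOTE(review): callers must treat the missing result as
            // "not authenticated" - confirm they do.
            Tr.warning(tc, "security.wssecurity.UsernameTokenReceiver.token53");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Document doc, Element target, Map context)");
        }
    }

    /**
     * Checks the {@code Created} timestamp of the token.
     *
     * <p>The token is rejected when its creation time is older than
     * {@code now - nonceMaxAge - nonceClockSkew}. A token without a {@code Created} element
     * is rejected only when {@code isNonceTimestampChecked()} is set.
     *
     * <p>NOTE(review): there is no upper bound - a {@code Created} value that lies in the
     * future passes as fresh. If the nonce store forgets entries after the maximum age, such
     * a token could be replayed once its nonce has been dropped; consider rejecting
     * timestamps later than {@code now + nonceClockSkew}.
     *
     * @param element the {@code UsernameToken} element
     * @param map     per-message context, used to pick the WSSE namespace for fault codes
     * @throws SoapSecurityException if the timestamp cannot be parsed, is too old, or is
     *         missing while required
     */
    private void validateNonceTimestamp(Element element, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateNonceTimestamp");
        }
        String wssens = Constants.getWSSENS(map);
        NodeList createdNodes = NamespaceUtil.getWsuElementsByTagName(element, "Created");
        if (createdNodes.getLength() != 0) {
            // Sender-controlled text; it is echoed into the trace and the fault message below.
            String createdText = DOMUtil.getStringValue((Element) createdNodes.item(0));
            try {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Parsing Nonce timestamp in String format = " + createdText);
                }
                Date created = UTC.parse(createdText);
                long now = System.currentTimeMillis();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "current time = " + now + " ms");
                }
                long nowMinusMaxAge = now - this.conf.getNonceMaxAge();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Nonce max age = " + this.conf.getNonceMaxAge() + " ms, (current - Nonce max age) = " + nowMinusMaxAge + " ms");
                }
                // Oldest acceptable creation time: now - maxAge - clockSkew.
                long oldestAccepted = nowMinusMaxAge - this.conf.getNonceClockSkew();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Nonce clock skew = " + this.conf.getNonceClockSkew() + " ms, (current - Nonce clock skew) = " + oldestAccepted + " ms");
                }
                long createdMillis = created.getTime();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Nonce created time (timestamp) = " + createdMillis + " ms");
                }
                if (createdMillis < oldestAccepted) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Nonce timestamp is not fresh, creation timestamp " + UTC.format(created) + " too old");
                    }
                    // A fresh formatter per call: SimpleDateFormat is not thread-safe.
                    SimpleDateFormat logFormat = new SimpleDateFormat("d MMM yyyy HH:mm:ss Z");
                    Tr.error(tc, "security.wssecurity.WSEC5200E", new Object[]{logFormat.format(new Date(now)), logFormat.format(new Date(createdMillis))});
                    throw SoapSecurityException.format(Constants.getQName(wssens, Constants.FAILED_AUTHENTICATION_QNAME), "security.wssecurity.WSEC5193E");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Nonce timestamp is fresh");
                }
            } catch (ParseException e) {
                Tr.processException(e, clsName + ".validateNonceTimestamp", "168");
                Tr.error(tc, "security.wssecurity.WSEC5191E", new Object[]{createdText, e});
                throw new SoapSecurityException(Constants.getQName(wssens, Constants.INVALID_SECURITY_QNAME), MessageFormat.format(ConfigUtil.getMessage("security.wssecurity.WSEC5191E"), createdText, e.toString()), e);
            }
        } else if (this.conf.isNonceTimestampChecked()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No Nonce timestamp found in Username token");
            }
            Tr.error(tc, "security.wssecurity.WSEC5192E");
            throw new SoapSecurityException(Constants.getQName(wssens, Constants.INVALID_SECURITY_TOKEN_QNAME), "security.wssecurity.WSEC5192E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateNonceTimestamp");
        }
    }

    /**
     * Decodes the token's {@code Nonce} and hands it to the configured {@code NonceManager}
     * for the replay check.
     *
     * <p>The nonce is Base64-decoded when {@code EncodingType} is absent or names Base64, and
     * hex-decoded when it names hex binary; any other encoding is refused. A token without a
     * {@code Nonce} element is rejected only when {@code isNonceChecked()} is set.
     *
     * <p>NOTE(review): the decoded bytes are passed on without a length check here; whether
     * an empty or very short nonce is refused depends on {@code NonceManager.validate} and on
     * what {@code Base64.decode} returns for malformed input - confirm both.
     *
     * @param element the {@code UsernameToken} element
     * @param map     per-message context, used to pick the WSSE namespace for fault codes
     * @throws SoapSecurityException if the encoding is unsupported, the hex value cannot be
     *         decoded, no {@code NonceManager} is configured, the manager rejects the nonce,
     *         or the nonce is missing while required
     */
    private void validateNonce(Element element, Map map) throws SoapSecurityException {
        byte[] nonceBytes;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateNonce");
        }
        String wssens = Constants.getWSSENS(map);
        NodeList nonceNodes = NamespaceUtil.getWsseElementsByTagName(element, "Nonce");
        if (nonceNodes.getLength() != 0) {
            // Only the first Nonce child is considered.
            Element nonceElement = (Element) nonceNodes.item(0);
            QName encoding = null;
            if (nonceElement.hasAttribute("EncodingType")) {
                encoding = DOMUtil.getQName(nonceElement, nonceElement.getAttribute("EncodingType"));
            }
            String nonceText = DOMUtil.getStringValue(nonceElement);
            if (encoding == null || NamespaceUtil.equals(encoding, Constants.BASE64_BINARY_RCVR)) {
                nonceBytes = Base64.decode(nonceText);
            } else {
                if (!NamespaceUtil.equals(encoding, Constants.HEX_BINARY_RCVR)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Unsupported encoding type: " + encoding.toString());
                    }
                    Tr.error(tc, "security.wssecurity.UsernameToken.token55", new Object[]{encoding.toString()});
                    throw SoapSecurityException.format(Constants.getQName(wssens, Constants.UNSUPPORTED_SECURITY_TOKEN_QNAME), "security.wssecurity.UsernameToken.token55", encoding.toString());
                }
                try {
                    nonceBytes = Hex.decode(nonceText);
                } catch (ParseException e) {
                    Tr.processException(e, clsName + ".validateNonce", "262");
                    Tr.error(tc, "security.wssecurity.WSEC5175E", e);
                    throw new SoapSecurityException(Constants.getQName(wssens, Constants.INVALID_SECURITY_QNAME), MessageFormat.format(ConfigUtil.getMessage("security.wssecurity.WSEC5175E"), e.toString()), e);
                }
            }
            NonceManager nonceManager = this.conf.getNonceManager();
            if (nonceManager == null) {
                // Fail closed: a nonce that cannot be checked for replay is not accepted.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "NonceManager is not set");
                }
                throw SoapSecurityException.format("security.wssecurity.UsernameToken.token56");
            }
            if (!nonceManager.validate(nonceBytes)) {
                if (tc.isDebugEnabled()) {
                    // NOTE(review): the raw, sender-supplied nonce text goes into the trace;
                    // confirm the trace sink neutralises line breaks.
                    Tr.debug(tc, "Repeated Nonce: " + nonceText);
                }
                Tr.error(tc, "security.wssecurity.WSEC5178E");
                throw SoapSecurityException.format(Constants.getQName(wssens, Constants.FAILED_AUTHENTICATION_QNAME), "security.wssecurity.WSEC5178E");
            }
        } else if (this.conf.isNonceChecked()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No Nonce found in Username token");
            }
            Tr.error(tc, "security.wssecurity.WSEC5194E");
            throw new SoapSecurityException(Constants.getQName(wssens, Constants.INVALID_SECURITY_TOKEN_QNAME), "security.wssecurity.WSEC5194E");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateNonce");
        }
    }
}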
