package com.ibm.pvcws.wss.util;

import com.ibm.crypto.microedition.SignatureException;
import com.ibm.crypto.microedition.cert.Certificate;
import com.ibm.crypto.microedition.cert.X509Certificate;
import com.ibm.pvcws.jaxp.namespace.NamespaceResolver;
import com.ibm.pvcws.jaxp.util.Attribute;
import com.ibm.pvcws.jaxp.util.QNameUtils;
import com.ibm.pvcws.jaxrpc.msg.Elem;
import com.ibm.pvcws.wss.KeyStoreSupport;
import com.ibm.pvcws.wss.WSSConstants;
import com.ibm.pvcws.wss.WSSException;
import com.ibm.pvcws.wss.handler.BSTReceiver;
import com.ibm.pvcws.wss.param.STParameter;
import java.util.Calendar;
import java.util.TimeZone;
import javax.xml.namespace.QName;
import org.xml.sax.SAXException;

/* loaded from: input_file:WS-Security.jar:com/ibm/pvcws/wss/util/X509BSTRecImpl.class */
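public class X509BSTRecImpl implements BSTReceiver {
    private final WSSConstants _constants;
    private final KeyStoreSupport _keystore;
    // Parameter object filled from the received token; a fresh one is created by clear().
    private X509BSTParamImpl _bp;
    // The BinarySecurityToken element handed in by prepend(); null until then and after clear().
    private Elem _bst;

    /**
     * Creates a receiver for X.509v3 binary security tokens.
     *
     * @param wSSFactory factory supplying the WS-Security constants and the key store used
     *                   to look up issuer certificates
     */
    public X509BSTRecImpl(WSSFactory wSSFactory) {
        this._constants = wSSFactory.getConstants();
        this._keystore = wSSFactory.getKeyStore();
        clear();
    }

    /**
     * Returns the qualified name of the element this receiver handles (the BST element).
     *
     * @return {@code QNAME_BST} from the configured constants
     */
    @Override // com.ibm.pvcws.wss.WSSReceiver
    public QName getBaseQName() {
        return this._constants.QNAME_BST;
    }

    /**
     * Returns the token ValueType this receiver accepts.
     *
     * @return {@code VALUE_X509V3} from the configured constants
     */
    @Override // com.ibm.pvcws.wss.handler.BSTReceiver
    public QName getValueType() {
        return this._constants.VALUE_X509V3;
    }

    /**
     * Discards any previously received token and starts a new, empty parameter object.
     */
    @Override // com.ibm.pvcws.wss.WSSReceiver
    public void clear() {
        this._bp = new X509BSTParamImpl(this._constants);
        this._bst = null;
    }

    /**
     * Returns the parameter object built from the last committed token.
     *
     * @return the current {@link X509BSTParamImpl}; empty until {@link #commit()} succeeds
     */
    @Override // com.ibm.pvcws.wss.handler.STReceiver
    public STParameter getSecToken() {
        return this._bp;
    }

    /**
     * Records the BinarySecurityToken element to be processed by {@link #commit()}.
     *
     * @param elem the element; must be non-null and named {@code QNAME_BST}
     * @throws WSSException if {@code elem} is null or has an unexpected qualified name
     */
    @Override // com.ibm.pvcws.wss.WSSReceiver
    public void prepend(Elem elem) throws WSSException {
        if (elem == null) {
            throw new WSSException("FaultCode:221, null is not allowed to the parameter.");
        }
        if (!elem.getQName().equals(this._constants.QNAME_BST)) {
            throw new WSSException("FaultCode:221,unexpected element [" + elem.getQName() + "].");
        }
        this._bst = elem;
    }

    /**
     * Decodes the recorded token, fills the parameter object and verifies the contained
     * certificate (validity period and signature by its issuer).
     *
     * @throws WSSException if no token was prepended, the EncodingType attribute is missing,
     *                      unresolvable or unsupported, the decoded parameter is not valid,
     *                      or certificate verification fails
     */
    @Override // com.ibm.pvcws.wss.WSSReceiver
    public void commit() throws WSSException {
        if (this._bst == null) {
            throw new WSSException("FaultCode:221, the binary security token in response SOAP message is not set.");
        }
        Attribute encodingAttr = this._bst.getAttribute(WSSConstants.ATTR_ENCODING_TYPE);
        if (encodingAttr == null) {
            throw new WSSException("FaultCode:211, no encoding type in binary security token.");
        }
        try {
            // The attribute value is a prefixed QName; resolve it against the token element's
            // in-scope namespace declarations.
            QName encodingType = NamespaceResolver.createQName(encodingAttr.value, false, this._bst);
            boolean isBase64 = encodingType.equals(this._constants.VALUE_BASE64BINARY);
            boolean isHex = encodingType.equals(this._constants.VALUE_HEXBINARY);
            if (!isBase64 && !isHex) {
                throw new WSSException("FaultCode:211, unsupported encoding type [" + encodingAttr.value + "].");
            }
            this._bp.setEncoidngType(encodingType);
            Attribute idAttr = this._bst.getAttribute(this._constants.ATTR_WSUID);
            if (idAttr != null) {
                this._bp.setId(idAttr.value);
            }
            // Whitespace inside the text content is not significant for either encoding.
            String rawText = WSSUtils.eraseSpaces(WSSUtils.getTextValue(this._bst));
            if (isBase64) {
                this._bp.setContent(WSSUtils.decode_base64(rawText));
            } else {
                this._bp.setContent(WSSUtils.decode_hex(rawText));
            }
            if (!this._bp.isValid()) {
                throw new WSSException("FaultCode:211, the X509BST in response SOAP message is not correct.");
            }
            verify();
        } catch (SAXException e) {
            // Keep the cause so the unresolved prefix can be diagnosed from the fault.
            throw new WSSException("FaultCode:221, no namespace declaration [" + QNameUtils.getPfx(encodingAttr.value) + "].", e);
        }
    }

    /**
     * Checks the decoded certificate: it must be X.509, currently within its validity
     * period, and carry a signature that verifies under its issuer's public key. For a
     * non-self-signed token the issuer certificate is looked up in the key store by
     * subject DN and must itself be within its validity period.
     *
     * @return {@code true} when every check passed; failures are reported by throwing
     * @throws WSSException describing the first failed check
     */
    private boolean verify() throws WSSException {
        Certificate certificate = KeyStoreSupport.getCertificate(this._bp.getContent());
        // instanceof is false for null, so a separate null test is not needed.
        if (!(certificate instanceof X509Certificate)) {
            throw new WSSException("FaultCode:211, the certificate in the message is not X509.");
        }
        X509Certificate tokenCert = (X509Certificate) certificate;
        // Epoch milliseconds are time-zone independent; no Calendar/UTC round trip required.
        long now = System.currentTimeMillis();
        if (!isWithinValidityPeriod(tokenCert, now)) {
            throw new WSSException("FaultCode:211, the certificate is not valid.");
        }
        Object issuer = tokenCert.getIssuer();
        Object subject = tokenCert.getSubject();
        if (issuer == null) {
            throw new WSSException("FaultCode:211, Null is not allowed to the issuer name of the certificate.");
        }
        if (subject == null) {
            throw new WSSException("FaultCode:211, Null is not allowed to the subject name of the certificate.");
        }
        X509Certificate signerCert;
        if (issuer.equals(subject)) {
            // NOTE(review): a self-signed token is checked only against its own public key and
            // is never matched against the key store, so this branch alone does not establish
            // trust in the token; confirm that the trust decision is made elsewhere.
            signerCert = tokenCert;
        } else {
            Certificate issuerCert = this._keystore.getCertificateBySDN(tokenCert.getIssuer());
            if (issuerCert == null) {
                throw new WSSException("FaultCode:211, there is no issuer certificate in the keystore.");
            }
            if (!(issuerCert instanceof X509Certificate)) {
                throw new WSSException("FaultCode:211, the issuer certificate is not X509.");
            }
            signerCert = (X509Certificate) issuerCert;
            if (!isWithinValidityPeriod(signerCert, now)) {
                throw new WSSException("FaultCode:211, the issuer certificate is not valid.");
            }
        }
        try {
            if (!tokenCert.verify(signerCert.getPublicKey())) {
                throw new WSSException("FaultCode:211, signature verification of the certificate failed.");
            }
            return true;
        } catch (SignatureException e) {
            throw new WSSException("FaultCode:211, signature verification of the certificate failed.", e);
        }
    }

    /**
     * Reports whether {@code now} lies inside the certificate's [notBefore, notAfter] window.
     * The original test required {@code now} to be both before notBefore AND after notAfter,
     * which can never hold, so expired and not-yet-valid certificates were accepted; the
     * window is now enforced with the intended OR logic.
     *
     * @param cert certificate whose validity dates are checked
     * @param now  current time in epoch milliseconds
     * @return {@code true} if {@code cert} is valid at {@code now}
     */
    private static boolean isWithinValidityPeriod(X509Certificate cert, long now) {
        long notBefore = cert.getNotBefore().getTime();
        long notAfter = cert.getNotAfter().getTime();
        return now >= notBefore && now <= notAfter;
    }
}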
