package be.fedict.trust.client;

import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPPart;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.token.Timestamp;
import org.joda.time.DateTime;

/* loaded from: input_file:be/fedict/trust/client/WSSecurityClientHandler.class */
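/**
 * JAX-WS client-side handler that validates the WS-Security header of inbound (reply) messages.
 *
 * <p>For every inbound message that carries a WS-Security header the handler requires: a signature
 * covering at least one element, a signing certificate (optionally pinned to a configured server
 * certificate), and a {@code Created} timestamp that is itself signed and lies within
 * {@link #setMaxWSSecurityTimestampOffset(long)} of the local clock. Any violation is reported to
 * the caller as a {@link SOAPFaultException}. Outbound messages and SOAP faults are passed through.
 *
 * <p>Not thread-safe for configuration: set the server certificate and offset before use.
 */
public class WSSecurityClientHandler implements SOAPHandler<SOAPMessageContext> {
    private static final Log LOG = LogFactory.getLog(WSSecurityClientHandler.class);

    /** Fault text: signature verification (or decryption) of the inbound message failed. */
    public static final String ERROR_INVALID_SIGNATURE = "The signature or decryption was invalid";
    /** Fault text: the signing certificate differs from the pinned server certificate. */
    public static final String ERROR_CERTIFICATE_MISMATCH = "The signing certificate does not match the specified server certificate";
    /** Fault text: no X.509 certificate was found among the security engine results. */
    public static final String ERROR_CERTIFICATE_MISSING = "Missing Certificate in WS-Security header";
    /** Fault text: no {@code Timestamp} token was found in the WS-Security header. */
    public static final String ERROR_TIMESTAMP_MISSING = "Missing Timestamp in WS-Security header";
    /** Fault text: the {@code Created} timestamp is too far from the local clock. */
    public static final String ERROR_TIMESTAMP_OFFSET = "WS-Security Created Timestamp offset exceeded";
    /** Default maximum accepted distance, in milliseconds, between {@code Created} and local time (5 minutes). */
    public static final long defaultMaxTimestampOffset = 300000;

    /** Expected signing certificate; when {@code null} the signer is not pinned. */
    private X509Certificate serverCertificate;
    /** Maximum accepted |Created - now| in milliseconds. */
    private long maxTimestampOffset = defaultMaxTimestampOffset;

    /**
     * Pins the signer of inbound messages to the given certificate.
     *
     * @param x509Certificate certificate the WS-Security signature must have been made with, or
     *     {@code null} to accept any certificate the security engine itself accepts
     */
    public void setServerCertificate(X509Certificate x509Certificate) {
        this.serverCertificate = x509Certificate;
    }

    /**
     * Sets the maximum accepted distance between the {@code Created} timestamp and the local clock.
     *
     * @param maxOffsetMillis offset in milliseconds; larger offsets are rejected as
     *     {@link #ERROR_TIMESTAMP_OFFSET}
     */
    public void setMaxWSSecurityTimestampOffset(long maxOffsetMillis) {
        this.maxTimestampOffset = maxOffsetMillis;
    }

    /**
     * Declares the WS-Security header as understood, so a {@code mustUnderstand} flag on it does
     * not make the JAX-WS runtime reject the message before this handler runs.
     *
     * @return a mutable set holding the single {@code wsse:Security} header name
     */
    @Override // javax.xml.ws.handler.soap.SOAPHandler
    public Set<QName> getHeaders() {
        Set<QName> headers = new HashSet<QName>();
        headers.add(new QName(WSConstants.WSSE_NS, WSConstants.WSSE_LN));
        return headers;
    }

    /** No per-message state is kept, so there is nothing to release. */
    @Override // javax.xml.ws.handler.Handler
    public void close(MessageContext messageContext) {
    }

    /**
     * SOAP faults are not validated; they are left to the fault handling of the caller.
     *
     * @return always {@code true} (continue the handler chain)
     */
    @Override // javax.xml.ws.handler.Handler
    public boolean handleFault(SOAPMessageContext context) {
        return true;
    }

    /**
     * Validates the WS-Security header of inbound messages; outbound messages pass through untouched.
     *
     * @param context the JAX-WS message context
     * @return always {@code true} (continue the handler chain)
     * @throws SOAPFaultException if the inbound message fails any WS-Security check
     */
    @Override // javax.xml.ws.handler.Handler
    public boolean handleMessage(SOAPMessageContext context) {
        Boolean outbound = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        // A missing direction property is treated as inbound so that the message is still
        // validated rather than failing with a NullPointerException.
        if (Boolean.TRUE.equals(outbound)) {
            return true;
        }
        handleInboundDocument(context.getMessage().getSOAPPart(), context);
        return true;
    }

    /**
     * Runs the WS-Security engine over the SOAP part and enforces signature, certificate and
     * timestamp requirements on its results.
     *
     * @param soapPart the SOAP envelope to process
     * @param context the message context (currently unused)
     * @throws SOAPFaultException if the header is present but fails any check
     */
    private void handleInboundDocument(SOAPPart soapPart, SOAPMessageContext context) {
        Vector<?> results;
        try {
            results = WSSecurityEngine.getInstance().processSecurityHeader(
                    soapPart, (String) null, (CallbackHandler) null, new ServerCrypto());
        } catch (WSSecurityException e) {
            // Every engine failure (bad signature, untrusted certificate, malformed header) is
            // reported uniformly; the detail stays in the debug log.
            LOG.debug("WS-Security error: " + e.getMessage(), e);
            throw createSOAPFaultException(ERROR_INVALID_SIGNATURE, "FailedCheck");
        }
        if (null == results) {
            // NOTE(review): fail-open — a reply without any WS-Security header is accepted
            // without signature, certificate or timestamp checks. Callers that require signed
            // replies must enforce that elsewhere.
            LOG.debug("No WS-Security header to validate");
            return;
        }
        LOG.debug("WS-Security header validation");

        // Collect the pieces we need from the engine results; a later result overrides an
        // earlier one for the same tag, as in the original implementation.
        Set<?> signedElementIds = null;
        X509Certificate signingCertificate = null;
        Timestamp timestamp = null;
        for (Object entry : results) {
            WSSecurityEngineResult result = (WSSecurityEngineResult) entry;
            Set<?> ids = (Set<?>) result.get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS);
            if (null != ids) {
                signedElementIds = ids;
            }
            X509Certificate cert =
                    (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (null != cert) {
                signingCertificate = cert;
            }
            Timestamp ts = (Timestamp) result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
            if (null != ts) {
                timestamp = ts;
            }
        }

        // No signed element ids means no signature was verified at all.
        if (null == signedElementIds) {
            throw createSOAPFaultException(ERROR_INVALID_SIGNATURE, "FailedCheck");
        }
        LOG.debug("signed elements: " + signedElementIds);
        if (null == signingCertificate) {
            throw createSOAPFaultException(ERROR_CERTIFICATE_MISSING, "InvalidSecurity");
        }
        // Pin the signer when a server certificate has been configured.
        if (null != this.serverCertificate && !this.serverCertificate.equals(signingCertificate)) {
            throw createSOAPFaultException(ERROR_CERTIFICATE_MISMATCH, "FailedCheck");
        }
        checkTimestamp(timestamp, signedElementIds);
    }

    /**
     * Requires a timestamp that is covered by the signature and whose {@code Created} value lies
     * within {@link #maxTimestampOffset} of the local clock.
     *
     * @param timestamp the timestamp token found in the header, or {@code null} if none
     * @param signedElementIds ids of the elements the verified signature covers
     * @throws SOAPFaultException if the timestamp is missing, unsigned or too old/new
     */
    private void checkTimestamp(Timestamp timestamp, Set<?> signedElementIds) {
        if (null == timestamp) {
            throw createSOAPFaultException(ERROR_TIMESTAMP_MISSING, "InvalidSecurity");
        }
        // The freshness check is only meaningful if the timestamp itself is signed.
        if (!signedElementIds.contains(timestamp.getID())) {
            throw createSOAPFaultException("Timestamp not signed", "FailedCheck");
        }
        long createdMillis = new DateTime(timestamp.getCreated()).toInstant().getMillis();
        long nowMillis = new DateTime().toInstant().getMillis();
        long offset = Math.abs(createdMillis - nowMillis);
        if (offset > this.maxTimestampOffset) {
            LOG.debug("timestamp offset: " + offset);
            LOG.debug("maximum allowed offset: " + this.maxTimestampOffset);
            throw createSOAPFaultException(ERROR_TIMESTAMP_OFFSET, "FailedCheck");
        }
    }

    /**
     * Builds a {@link SOAPFaultException} with a {@code wsse}-qualified fault code.
     *
     * @param message the fault string
     * @param faultCodeLocalName local name of the fault code in the WS-Security namespace
     *     (e.g. {@code FailedCheck}, {@code InvalidSecurity})
     * @return the fault exception, ready to be thrown
     * @throws RuntimeException if the SOAP factory cannot create the fault
     */
    public static SOAPFaultException createSOAPFaultException(String message, String faultCodeLocalName) {
        try {
            QName faultCode = new QName(WSConstants.WSSE_NS, faultCodeLocalName, WSConstants.WSSE_PREFIX);
            return new SOAPFaultException(SOAPFactory.newInstance().createFault(message, faultCode));
        } catch (SOAPException e) {
            // Keep the cause so the underlying SOAP failure is not lost from the stack trace.
            throw new RuntimeException("SOAP error", e);
        }
    }
}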
