package org.n52.security.service.crypto;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.n52.security.common.crypto.KeyPair;
import org.n52.security.common.xml.DOMSerializer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;

/* loaded from: input_file:org/n52/security/service/crypto/SoapMessageVerifier.class */
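/**
 * Processes the WS-Security header of a SOAP document through the WSS4J
 * {@link WSSecurityEngine} and accepts the message once a signature result is found.
 *
 * <p>If a signature validation key pair with a certificate is configured, the certificate
 * reported by the engine must equal it. Otherwise this class does not compare the signer
 * certificate to anything.
 *
 * <p>NOTE(review): in that unpinned case, trust depends entirely on what
 * {@code SingleKeyPairCrypto} accepts. Confirm that this is intended for every deployment.
 *
 * <p>NOTE(review): {@link #verify(Document, Map)} only establishes that the engine reported
 * a signature result. It does not inspect which elements of the message that signature covers.
 * Callers that rely on specific parts (for example the SOAP body) being signed need a separate
 * coverage check. Confirm whether one exists elsewhere.
 */
public class SoapMessageVerifier implements SoapDocumentVerifier {
    private static final Logger LOG = LoggerFactory.getLogger(SoapMessageVerifier.class);

    /** Action code of a signature result; presumably WSS4J's {@code WSConstants.SIGN} - confirm. */
    private static final int ACTION_SIGNATURE = 2;

    /** Key under which the signer certificate is stored in the caller-supplied map. */
    private static final String SIGNATURE_CERTIFICATE_KEY = "signatureCertificate";

    protected KeyPair m_signatureValidationKeyPair;
    protected KeyPair m_encryptionKeyPair;

    /**
     * Callback handler passed to the security engine; answers every
     * {@link WSPasswordCallback} with a fixed password.
     */
    private static class SimpleCallbackHandler implements CallbackHandler {
        private SimpleCallbackHandler() {
        }

        /**
         * Sets the password on each {@link WSPasswordCallback} in the array; other callback
         * types are ignored.
         *
         * @param callbackArr callbacks handed over by the security engine
         */
        @Override
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            if (SoapMessageVerifier.LOG.isTraceEnabled()) {
                SoapMessageVerifier.LOG.trace("handle callbacks : " + callbackArr.length);
            }
            // Visit every callback. The previous loop read index 0 on each iteration, so any
            // password callback after the first was never answered.
            for (Callback callback : callbackArr) {
                if (callback instanceof WSPasswordCallback) {
                    // SECURITY(review): the key password is a hard-coded literal shared by every
                    // installation and readable from the class file. It is kept here so existing
                    // key stores keep working; it should be supplied from protected configuration
                    // instead.
                    ((WSPasswordCallback) callback).setPassword("enckey");
                }
            }
        }
    }

    /** Creates a verifier without key pairs; set them through the setters before use. */
    public SoapMessageVerifier() {
    }

    /**
     * Creates a verifier with both key pairs.
     *
     * @param keyPair  key pair used for signature validation
     * @param keyPair2 key pair used for decryption
     */
    public SoapMessageVerifier(KeyPair keyPair, KeyPair keyPair2) {
        this.m_signatureValidationKeyPair = keyPair;
        this.m_encryptionKeyPair = keyPair2;
    }

    /** @return the configured encryption key pair, possibly {@code null} */
    protected KeyPair getEncryptionKeyPair() {
        return this.m_encryptionKeyPair;
    }

    /** @return the configured signature validation key pair, possibly {@code null} */
    protected KeyPair getSignatureValidationKeyPair() {
        return this.m_signatureValidationKeyPair;
    }

    /** @param keyPair key pair whose certificate the signer certificate is compared against */
    public void setSignatureValidationKeyPair(KeyPair keyPair) {
        this.m_signatureValidationKeyPair = keyPair;
    }

    /** @param keyPair key pair handed to the engine for decryption */
    public void setEncryptionKeyPair(KeyPair keyPair) {
        this.m_encryptionKeyPair = keyPair;
    }

    /**
     * Runs the security engine over the document and accepts it on the first signature result.
     *
     * <p>On success the signer certificate is stored in {@code map} under
     * {@code "signatureCertificate"}.
     *
     * @param document SOAP message to check
     * @param map      receives the signer certificate
     * @throws SecuringException if the engine returns no results (no security header), if no
     *                           signature result is present, if the signer certificate does not
     *                           equal the configured one, or if the engine itself fails
     */
    @Override
    public void verify(Document document, Map map) throws SecuringException {
        if (LOG.isTraceEnabled()) {
            // NOTE(review): this writes the complete SOAP message to the log. Keep trace logging
            // off where message content is sensitive.
            LOG.trace("SoapMessageVerifier.verify: " + DOMSerializer.createNew().serializeToString(document));
        }
        try {
            Vector results = WSSecurityEngine.getInstance().processSecurityHeader(
                    document,
                    (String) null,
                    new SimpleCallbackHandler(),
                    new SingleKeyPairCrypto(getSignatureValidationKeyPair()),
                    new SingleKeyPairCrypto(getEncryptionKeyPair()));
            if (results == null) {
                throw new SecuringException("no wss:Security header found");
            }

            KeyPair validationKeyPair = getSignatureValidationKeyPair();
            Object expectedCertificate = validationKeyPair != null ? validationKeyPair.getCertificate() : null;

            for (int i = 0; i < results.size(); i++) {
                WSSecurityEngineResult result = (WSSecurityEngineResult) results.get(i);
                if (ACTION_SIGNATURE != result.getAction()) {
                    continue;
                }
                X509Certificate certificate = result.getCertificate();
                if (LOG.isDebugEnabled()) {
                    if (certificate != null) {
                        LOG.debug("Signature verified with certificate: Issuer DN=\"" + certificate.getIssuerDN() + "\" SerialNumber=" + certificate.getSerialNumber());
                    } else {
                        LOG.debug("Signature result carries no X.509 certificate");
                    }
                }
                // Fail closed: with an expected certificate configured, a result without a
                // certificate is rejected like a mismatch instead of raising a
                // NullPointerException.
                if (expectedCertificate != null && (certificate == null || !certificate.equals(expectedCertificate))) {
                    throw new SecuringException("message was signed with wrong certificate. Expected: " + expectedCertificate + " Used: " + certificate);
                }
                map.put(SIGNATURE_CERTIFICATE_KEY, certificate);
                return;
            }
            // Results were returned but none of them was a signature.
            throw new SecuringException("no request signature found");
        } catch (WSSecurityException e) {
            throw new SecuringException("check of signature failed", e);
        }
    }
}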
