package org.apache.wss4j.stax.test;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;
import javax.xml.transform.TransformerException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.setup.WSSec;
import org.apache.wss4j.stax.test.AbstractTestBase;
import org.apache.wss4j.stax.test.utils.StAX2DOM;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/apache/wss4j/stax/test/SignatureIssuerCertConstaintsTest.class */
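/**
 * Checks that inbound (StAX) signature verification honours the issuer-DN constraints configured
 * through {@link WSSSecurityProperties#setIssuerDNConstraints}.
 *
 * <p>Each test signs a plain SOAP 1.1 message with the DOM-based handler, serialises it, and then
 * verifies it twice: once with a constraint expected to match the signing certificate's issuer and
 * once with a constraint expected not to match, which must make verification fail.
 *
 * <p>Review notes for readers reusing this as a template:
 * <ul>
 *   <li>The patterns are deliberately loose. {@code .*CN=Werner.*OU=Apache.*} also matches a DN
 *       containing {@code CN=Werner2}, so a prefix-style pattern over-matches. Production
 *       constraints should pin the expected DN as tightly as practical.</li>
 *   <li>An issuer-DN constraint is an additional authorization filter. It does not replace
 *       validating the certificate chain against the trust store.</li>
 *   <li>The keystore paths and the password are test fixtures loaded from the classpath.</li>
 * </ul>
 */
public class SignatureIssuerCertConstaintsTest extends AbstractTestBase {

    /** Classpath location of the keystore loaded for signature verification. */
    private static final String VERIFICATION_KEYSTORE = "keys/wss40CA.jks";

    /** Password shared by the test keystores; a fixture value, not a secret. */
    private static final String KEYSTORE_PASSWORD = "security";

    /** Constraint the tests expect the signing certificate's issuer DN to satisfy. */
    private static final String MATCHING_ISSUER_DN = ".*CN=Werner.*OU=Apache.*";

    /** Constraint the tests expect the signing certificate's issuer DN to violate. */
    private static final String NON_MATCHING_ISSUER_DN = ".*CN=Werner2.*OU=Apache.*";

    /** Text the rejection exception is required to carry. */
    private static final String AUTHENTICATION_FAILURE =
            "The security token could not be authenticated or authorized";

    /**
     * Signs with the default outbound settings and checks both the accepting and the rejecting
     * issuer-DN constraint.
     */
    @Test
    public void testBSTSignature() throws Exception {
        InputStream plainMessage = getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
        byte[] signedMessage = signAndSerialize(plainMessage, new Properties());

        assertAcceptedWithMatchingConstraint(signedMessage);
        assertRejectedWithNonMatchingConstraint(signedMessage);
    }

    /**
     * Same scenario as {@link #testBSTSignature()}, but signs with {@code useSingleCertificate}
     * set to {@code "false"}.
     */
    @Test
    public void testBSTSignaturePKIPath() throws Exception {
        InputStream plainMessage = getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
        Properties outboundProperties = new Properties();
        // NOTE(review): judging by the test name this makes the handler emit a PKIPath token
        // instead of a single certificate - confirm against the handler.
        outboundProperties.put("useSingleCertificate", "false");
        byte[] signedMessage = signAndSerialize(plainMessage, outboundProperties);

        assertAcceptedWithMatchingConstraint(signedMessage);
        assertRejectedWithNonMatchingConstraint(signedMessage);
    }

    /** Signs the message, checks the signature sits under the Security header, and returns its bytes. */
    private byte[] signAndSerialize(InputStream plainMessage, Properties outboundProperties) throws Exception {
        Document signedDocument = doOutboundSecurityWithWSS4J(plainMessage, "Signature", outboundProperties);
        NodeList signatures = signedDocument.getElementsByTagNameNS(
                WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
                WSSConstants.TAG_dsig_Signature.getLocalPart());
        // JUnit 5 takes (expected, actual); the constant is the expected value.
        Assertions.assertEquals(
                WSSConstants.TAG_WSSE_SECURITY.getLocalPart(),
                signatures.item(0).getParentNode().getLocalName());

        ByteArrayOutputStream serialized = new ByteArrayOutputStream();
        TRANSFORMER_FACTORY.newTransformer().transform(new DOMSource(signedDocument), new StreamResult(serialized));
        return serialized.toByteArray();
    }

    /** Builds verification properties that load the test keystore and apply one issuer-DN pattern. */
    private WSSSecurityProperties verificationProperties(String issuerDnRegex) throws Exception {
        WSSSecurityProperties securityProperties = new WSSSecurityProperties();
        securityProperties.loadSignatureVerificationKeystore(
                getClass().getClassLoader().getResource(VERIFICATION_KEYSTORE),
                KEYSTORE_PASSWORD.toCharArray());
        securityProperties.setIssuerDNConstraints(Collections.singletonList(Pattern.compile(issuerDnRegex)));
        return securityProperties;
    }

    /** Verifies the message with the matching constraint and expects exactly one signature. */
    private void assertAcceptedWithMatchingConstraint(byte[] signedMessage) throws Exception {
        NodeList signatures = StAX2DOM.readDoc(
                this.documentBuilderFactory.newDocumentBuilder(),
                WSSec.getInboundWSSec(verificationProperties(MATCHING_ISSUER_DN))
                        .processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(signedMessage))))
                .getElementsByTagNameNS(
                        WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
                        WSSConstants.TAG_dsig_Signature.getLocalPart());
        Assertions.assertEquals(1, signatures.getLength());
        Assertions.assertEquals(
                WSSConstants.TAG_WSSE_SECURITY.getLocalPart(),
                signatures.item(0).getParentNode().getLocalName());
    }

    /** Verifies the message with the non-matching constraint and expects an authentication failure. */
    private void assertRejectedWithNonMatchingConstraint(byte[] signedMessage) throws Exception {
        WSSSecurityProperties securityProperties = verificationProperties(NON_MATCHING_ISSUER_DN);
        // NOTE(review): the extra arguments look like (initiator, returnSecurityError); the
        // latter would be what lets the specific failure text surface - confirm against WSSec.
        Exception failure = Assertions.assertThrows(
                Exception.class,
                () -> StAX2DOM.readDoc(
                        this.documentBuilderFactory.newDocumentBuilder(),
                        WSSec.getInboundWSSec(securityProperties, false, true)
                                .processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(signedMessage)))),
                "Expected failure on a incorrect cert constraint check");

        // A null message must fail the assertion rather than raise a NullPointerException.
        // NOTE(review): this generic text shows the token was rejected, not that the issuer-DN
        // check specifically rejected it; a tighter assertion would inspect the cause.
        String message = failure.getMessage();
        Assertions.assertTrue(
                message != null && message.contains(AUTHENTICATION_FAILURE),
                "Unexpected failure message: " + message);
    }

    /**
     * Runs the outbound DOM handler with a fixed signing configuration (user {@code wss40},
     * {@code DirectReference} key identifier, Merlin keystore {@code keys/wss40.jks}) and returns
     * the populated message context.
     *
     * <p>Entries of {@code properties} are copied into the context last, so they override the
     * defaults set here. The decompiler reports that this override was originally
     * {@code protected}.
     *
     * @param inputStream the plain message to secure
     * @param str the action stored under the {@code "action"} key
     * @param properties additional context entries; every key must be a {@link String}
     * @return the message context after the handler has run
     */
    @Override // org.apache.wss4j.stax.test.AbstractTestBase
    public Map<String, Object> doOutboundSecurityWithWSS4J_1(InputStream inputStream, String str, Properties properties) throws WSSecurityException, TransformerException, IOException {
        AbstractTestBase.CustomWSS4JHandler handler = new AbstractTestBase.CustomWSS4JHandler();
        Map<String, Object> messageContext = getMessageContext(inputStream);
        messageContext.put("action", str);
        messageContext.put("user", "wss40");
        messageContext.put("signatureKeyIdentifier", "DirectReference");

        Properties signatureCrypto = new Properties();
        signatureCrypto.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
        signatureCrypto.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", "keys/wss40.jks");
        signatureCrypto.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "security");
        signatureCrypto.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "wss40");
        handler.setPassword(messageContext, "security");

        // The context is a Map<String, Object>, so the reference id has to be a String: an int
        // key does not type-check. The id stored under "signaturePropRefId" also has to equal
        // the key the Properties are stored under (presumably the handler resolves it from
        // this same context - verify against the handler).
        String signatureCryptoRefId = String.valueOf(signatureCrypto.hashCode());
        messageContext.put("signaturePropRefId", signatureCryptoRefId);
        messageContext.put(signatureCryptoRefId, signatureCrypto);

        // Caller-supplied entries are applied last so they can override the defaults above.
        Enumeration<?> names = properties.propertyNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            messageContext.put(name, properties.get(name));
        }

        RequestData requestData = new RequestData();
        requestData.setMsgContext(messageContext);
        handler.doSender(messageContext, requestData, true);
        return messageContext;
    }
}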
