package org.apache.wss4j.dom.processor;

import java.security.Key;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.crypto.NodeSetData;
import javax.xml.crypto.OctetStreamData;
import javax.xml.crypto.dsig.Manifest;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLObject;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.crypto.dsig.spec.HMACParameterSpec;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.PublicKeyPrincipalImpl;
import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.callback.CallbackLookup;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.Timestamp;
import org.apache.wss4j.dom.str.STRParser;
import org.apache.wss4j.dom.str.STRParserParameters;
import org.apache.wss4j.dom.str.STRParserResult;
import org.apache.wss4j.dom.str.SignatureSTRParser;
import org.apache.wss4j.dom.transform.AttachmentContentSignatureTransform;
import org.apache.wss4j.dom.transform.STRTransform;
import org.apache.wss4j.dom.transform.STRTransformUtil;
import org.apache.wss4j.dom.util.EncryptionUtils;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.util.X509Util;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
import org.apache.xml.security.utils.Constants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:org/apache/wss4j/dom/processor/SignatureProcessor.class */
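/**
 * Processes a {@code ds:Signature} element: resolves the verification key from
 * {@code ds:KeyInfo} (or the configured default certificate), applies the optional
 * {@link Validator}, algorithm-suite and BSP checks, performs a timestamp-based replay check,
 * validates the XML signature and records which elements the signature actually covers.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Secure validation is requested on the {@link DOMValidateContext} before unmarshalling.</li>
 *   <li>Reference caching is enabled, so the protected-element list is built from the data
 *       that was dereferenced during validation rather than from a second lookup by Id.</li>
 *   <li>A signature whose references yield no protected element is rejected.</li>
 * </ul>
 * Callers should compare the {@link WSDataRef} entries (protected element and XPath) in the
 * result with the elements they act on; a valid signature alone does not say what was signed.
 */
public class SignatureProcessor implements Processor {
    private static final Logger LOG = LoggerFactory.getLogger(SignatureProcessor.class);

    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String XOP_NS = "http://www.w3.org/2004/08/xop/include";
    private static final String SWA_NS = "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1";

    private static final String C14N_EXCL = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String STR_TRANSFORM =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform";
    private static final String XPATH_FILTER2 = "http://www.w3.org/2002/06/xmldsig-filter2";
    private static final String ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
    private static final String SWA_COMPLETE =
        "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform";
    private static final String SWA_CONTENT =
        "http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform";

    // Numeric action codes exactly as they appear in the compiled class. The names describe how
    // each value is used below; presumably they are inlined WSConstants values - confirm.
    private static final int ACTION_SIGNATURE = 2;
    private static final int ACTION_TIMESTAMP = 32;
    private static final int ACTION_UT_SIGNATURE = 64;
    private static final int ACTION_BST = 4096;

    private final XMLSignatureFactory signatureFactory;

    /** Creates a processor using the default XML signature provider lookup. */
    public SignatureProcessor() {
        this.signatureFactory = createFactory(null);
    }

    /**
     * Creates a processor backed by the given JCA provider.
     *
     * @param provider provider for the DOM {@link XMLSignatureFactory}; {@code null} selects
     *                 the default lookup
     */
    public SignatureProcessor(Provider provider) {
        this.signatureFactory = createFactory(provider);
    }

    /**
     * Obtains the DOM signature factory. Without an explicit provider the "ApacheXMLDSig"
     * provider is preferred and the platform default is used when it is not registered.
     */
    private static XMLSignatureFactory createFactory(Provider provider) {
        if (provider != null) {
            return XMLSignatureFactory.getInstance("DOM", provider);
        }
        try {
            return XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
        } catch (NoSuchProviderException ignored) {
            // Provider not installed: fall back to whatever the platform registers for "DOM".
            return XMLSignatureFactory.getInstance("DOM");
        }
    }

    /**
     * Verifies a {@code ds:Signature} element and returns a single engine result describing it.
     *
     * @param element     the {@code ds:Signature} element
     * @param requestData per-request configuration and state
     * @return a one-element list holding the signature result
     * @throws WSSecurityException if no key material can be resolved, the KeyInfo content is
     *         unusable, a configured check rejects the signature, the signature does not
     *         validate, or the signature covers no resolvable element
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData)
        throws WSSecurityException {
        LOG.debug("Found signature element");
        Element keyInfo = XMLUtils.getDirectChildElement(element, "KeyInfo", DSIG_NS);
        X509Certificate[] certs = null;
        Principal principal = null;
        PublicKey publicKey = null;
        byte[] secretKey = null;
        String signatureMethod = getSignatureMethod(element);
        STRParser.REFERENCE_TYPE referenceType = null;
        Credential credential = new Credential();
        Validator validator = requestData.getValidator(WSConstants.SIGNATURE);

        if (keyInfo == null) {
            // No KeyInfo: fall back to the default certificate of the verification Crypto.
            // NOTE(review): the validator is not invoked on this path.
            certs = getDefaultCerts(requestData.getSigVerCrypto());
            // An empty or null lookup result is rejected by the "no key material" check below
            // instead of failing here with an unchecked exception.
            if (certs != null && certs.length > 0 && certs[0] != null) {
                principal = certs[0].getSubjectX500Principal();
            }
        } else {
            int childCount = 0;
            Element keyInfoChild = null;
            for (Node n = keyInfo.getFirstChild(); n != null; n = n.getNextSibling()) {
                if (Node.ELEMENT_NODE == n.getNodeType()) {
                    childCount++;
                    keyInfoChild = (Element) n;
                }
            }
            if (childCount != 1) {
                requestData.getBSPEnforcer().handleBSPRule(BSPRule.R5402);
            }
            if (keyInfoChild == null) {
                // Reached only when the BSP rule above did not throw: an empty KeyInfo carries
                // nothing to resolve a key from, so reject it explicitly.
                throw new WSSecurityException(
                    WSSecurityException.ErrorCode.INVALID_SECURITY, "unsupportedKeyInfo");
            }

            if ("SecurityTokenReference".equals(keyInfoChild.getLocalName())
                && WSSE_NS.equals(keyInfoChild.getNamespaceURI())) {
                STRParserParameters parameters = new STRParserParameters();
                parameters.setData(requestData);
                parameters.setStrElement(keyInfoChild);
                if (signatureMethod != null) {
                    parameters.setDerivationKeyLength(KeyUtils.getKeyLength(signatureMethod));
                }
                STRParserResult parsed = new SignatureSTRParser().parseSecurityTokenReference(parameters);
                principal = parsed.getPrincipal();
                certs = parsed.getCertificates();
                publicKey = parsed.getPublicKey();
                secretKey = parsed.getSecretKey();
                referenceType = parsed.getCertificatesReferenceType();

                boolean trustedCredential = parsed.isTrustedCredential();
                if (trustedCredential) {
                    LOG.debug("Direct Trust for SAML/BST credential");
                }
                // The validator runs only for asymmetric credentials that the STR parser has
                // not already marked as trusted.
                if (!trustedCredential && (publicKey != null || certs != null) && validator != null) {
                    credential.setPublicKey(publicKey);
                    credential.setCertificates(certs);
                    credential.setPrincipal(principal);
                    credential = validator.validate(credential, requestData);
                }
            } else {
                // Anything other than wsse:SecurityTokenReference is treated as a ds:KeyValue.
                requestData.getBSPEnforcer().handleBSPRule(BSPRule.R5417);
                publicKey = X509Util.parseKeyValue(keyInfo, this.signatureFactory);
                if (validator != null) {
                    credential.setPublicKey(publicKey);
                    principal = new PublicKeyPrincipalImpl(publicKey);
                    credential.setPrincipal(principal);
                    credential = validator.validate(credential, requestData);
                }
            }
        }

        boolean noCertificate = certs == null || certs.length == 0 || certs[0] == null;
        if (noCertificate && secretKey == null && publicKey == null) {
            LOG.debug("No certificates or keys were found with which to validate the signature");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
        }

        AlgorithmSuite algorithmSuite = requestData.getAlgorithmSuite();
        if (algorithmSuite != null) {
            AlgorithmSuiteValidator suiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
            if (principal instanceof WSDerivedKeyTokenPrincipal) {
                WSDerivedKeyTokenPrincipal derived = (WSDerivedKeyTokenPrincipal) principal;
                suiteValidator.checkDerivedKeyAlgorithm(derived.getAlgorithm());
                suiteValidator.checkSignatureDerivedKeyLength(derived.getLength());
            } else if (certs != null && certs.length > 0) {
                suiteValidator.checkAsymmetricKeyLength(certs);
            } else if (publicKey != null) {
                suiteValidator.checkAsymmetricKeyLength(publicKey);
            } else if (secretKey != null) {
                suiteValidator.checkSymmetricKeyLength(secretKey.length);
            }
        }

        XMLSignature signature = verifyXMLSignature(
            element, certs, publicKey, secretKey, signatureMethod, requestData, requestData.getWsDocInfo());
        byte[] signatureValue = signature.getSignatureValue().getValue();
        String c14nMethod = signature.getSignedInfo().getCanonicalizationMethod().getAlgorithm();

        List<WSDataRef> protectedRefs = buildProtectedRefs(
            element.getOwnerDocument(), signature.getSignedInfo(), requestData, requestData.getWsDocInfo());
        if (protectedRefs.isEmpty()) {
            // A signature that protects nothing identifiable is rejected.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
        }

        int action = principal instanceof UsernameTokenPrincipal ? ACTION_UT_SIGNATURE : ACTION_SIGNATURE;
        WSSecurityEngineResult result =
            new WSSecurityEngineResult(action, principal, certs, protectedRefs, signatureValue);
        result.put(WSSecurityEngineResult.TAG_SIGNATURE_METHOD, signatureMethod);
        result.put(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD, c14nMethod);
        String id = element.getAttributeNS(null, "Id");
        if (!"".equals(id)) {
            result.put("id", id);
        }
        result.put("secret", secretKey);
        result.put(WSSecurityEngineResult.TAG_PUBLIC_KEY, publicKey);
        result.put(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE, referenceType);
        result.put(WSSecurityEngineResult.TAG_TOKEN_ELEMENT, element);
        if (validator != null) {
            // NOTE(review): the flag is set whenever a validator is configured, including the
            // paths above on which validate() was not called (default certificate, trusted
            // credential, secret-key-only). Consumers should not read it as proof that this
            // credential went through the validator.
            result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
            if (credential != null) {
                result.put(WSSecurityEngineResult.TAG_SUBJECT, credential.getSubject());
            }
        }
        requestData.getWsDocInfo().addResult(result);
        requestData.getWsDocInfo().addTokenElement(element);
        return Collections.singletonList(result);
    }

    /**
     * Looks up the certificates stored under the Crypto's default X.509 alias.
     *
     * @throws WSSecurityException if no Crypto is configured or it has no default alias
     */
    private X509Certificate[] getDefaultCerts(Crypto crypto) throws WSSecurityException {
        if (crypto == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile");
        }
        String defaultAlias = crypto.getDefaultX509Identifier();
        if (defaultAlias == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "unsupportedKeyInfo");
        }
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(defaultAlias);
        return crypto.getX509Certificates(cryptoType);
    }

    /**
     * Unmarshals and validates the signature with the resolved key.
     *
     * <p>Key precedence: first certificate's public key, then the bare public key, then a
     * secret key prepared for the signature algorithm.
     *
     * @return the validated signature
     * @throws WSSecurityException with {@code FAILED_CHECK} if validation fails or an
     *         unexpected error occurs; other {@code WSSecurityException}s are passed through
     */
    private XMLSignature verifyXMLSignature(Element element, X509Certificate[] x509CertificateArr,
            PublicKey publicKey, byte[] bArr, String str, RequestData requestData, WSDocInfo wSDocInfo)
        throws WSSecurityException {
        LOG.debug("Verify XML Signature");

        Key verificationKey;
        // Length is checked as well so an empty certificate array falls through to the other
        // key sources instead of raising ArrayIndexOutOfBoundsException.
        if (x509CertificateArr != null && x509CertificateArr.length > 0 && x509CertificateArr[0] != null) {
            verificationKey = x509CertificateArr[0].getPublicKey();
        } else if (publicKey != null) {
            verificationKey = publicKey;
        } else {
            verificationKey = KeyUtils.prepareSecretKey(str, bArr);
        }

        if (requestData.isExpandXopInclude()) {
            WSSecurityUtil.inlineAttachments(
                XMLUtils.findElements(element.getFirstChild(), "Include", XOP_NS),
                requestData.getAttachmentCallbackHandler(), true);
        }

        DOMValidateContext context = new DOMValidateContext(verificationKey, element);
        // Keep the dereferenced data of each Reference so buildProtectedRefs() can report
        // exactly what was digested.
        context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        // Secure validation is requested under both property names; presumably one is read by
        // the Apache implementation and the other by the JDK one - confirm before removing either.
        context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        context.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wSDocInfo);
        if (requestData.getSignatureProvider() != null) {
            context.setProperty(
                "org.jcp.xml.dsig.internal.dom.SignatureProvider", requestData.getSignatureProvider());
        }
        context.setProperty(
            AttachmentContentSignatureTransform.ATTACHMENT_CALLBACKHANDLER,
            requestData.getAttachmentCallbackHandler());

        try {
            XMLSignature signature = this.signatureFactory.unmarshalXMLSignature(context);
            checkBSPCompliance(signature, requestData.getBSPEnforcer());

            AlgorithmSuite algorithmSuite = requestData.getAlgorithmSuite();
            if (algorithmSuite != null) {
                new AlgorithmSuiteValidator(algorithmSuite).checkSignatureAlgorithms(signature);
            }

            // NOTE(review): the replay entry is recorded before validate() runs, so the cache
            // can hold identifiers taken from messages that later fail verification. Confirm
            // this ordering is intended.
            testMessageReplay(element, signature.getSignatureValue().getValue(), verificationKey,
                requestData, wSDocInfo);
            setElementsOnContext(signature, context, requestData, wSDocInfo);

            if (signature.validate(context)) {
                return signature;
            }

            // Per-part diagnostics are only computed when debug logging is on because each
            // validate() call repeats cryptographic work.
            if (LOG.isDebugEnabled()) {
                LOG.debug("XML Signature verification has failed");
                LOG.debug("Signature Validation check: {}", signature.getSignatureValue().validate(context));
                for (Reference reference : signature.getSignedInfo().getReferences()) {
                    boolean referenceValid = reference.validate(context);
                    String label = reference.getId();
                    if (label == null) {
                        label = reference.getURI();
                    }
                    LOG.debug("Reference {} check: {}", label, referenceValid);
                }
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
        } catch (WSSecurityException e) {
            throw e;
        } catch (Exception e) {
            // Any other failure during unmarshalling or validation is reported as a failed check.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e);
        }
    }

    /**
     * Registers the target of every Reference URI on the validation context so that the
     * signature implementation resolves Ids to the elements chosen by the callback lookup.
     * XOP {@code Include} children are expanded where applicable.
     */
    private void setElementsOnContext(XMLSignature xMLSignature, DOMValidateContext dOMValidateContext,
            RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        Iterator<?> references = xMLSignature.getSignedInfo().getReferences().iterator();
        CallbackLookup callbackLookup = wSDocInfo.getCallbackLookup();
        while (references.hasNext()) {
            String uri = ((Reference) references.next()).getURI();
            Element target = callbackLookup.getAndRegisterElement(uri, null, true, dOMValidateContext);
            if (target == null) {
                // Not an element in the document: let WSDocInfo register a known token instead.
                wSDocInfo.setTokenOnContext(uri, dOMValidateContext);
                continue;
            }

            boolean binarySecurityToken = "BinarySecurityToken".equals(target.getLocalName())
                && WSSE_NS.equals(target.getNamespaceURI());
            if (binarySecurityToken && isXopInclude(target)) {
                handleXopInclude(target, wSDocInfo);
            } else if (requestData.isExpandXopInclude() && target.getFirstChild() != null) {
                for (Element include : XMLUtils.findElements(target.getFirstChild(), "Include", XOP_NS)) {
                    String href = include.getAttributeNS(null, "href");
                    if (href != null) {
                        // Replace the xop:Include with the encoded attachment bytes so the
                        // digest is computed over the inlined content.
                        byte[] attachmentBytes = WSSecurityUtil.getBytesFromAttachment(href, requestData);
                        String encoded = org.apache.xml.security.utils.XMLUtils.encodeToString(attachmentBytes);
                        include.getParentNode().replaceChild(
                            include.getOwnerDocument().createTextNode(encoded), include);
                    }
                }
            }
        }
    }

    /** Returns whether the element has a direct xop:Include child whose href starts with "cid:". */
    private boolean isXopInclude(Element element) {
        Element include = XMLUtils.getDirectChildElement(element, "Include", XOP_NS);
        if (include == null || !include.hasAttributeNS(null, "href")) {
            return false;
        }
        String href = include.getAttributeNS(null, "href");
        return href != null && href.startsWith("cid:");
    }

    /**
     * Finds the already-processed result whose token element is {@code element} among the
     * results stored under action code 4096 and asks its binary token to encode its raw form.
     */
    private void handleXopInclude(Element element, WSDocInfo wSDocInfo) {
        Map<Integer, List<WSSecurityEngineResult>> actionResults = wSDocInfo.getActionResults();
        if (actionResults == null || !actionResults.containsKey(ACTION_BST)) {
            return;
        }
        for (WSSecurityEngineResult candidate : actionResults.get(ACTION_BST)) {
            if (element.equals((Element) candidate.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT))) {
                BinarySecurity token =
                    (BinarySecurity) candidate.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                // Guard against a result that carries the element but no token object.
                if (token != null) {
                    token.encodeRawToken();
                }
                return;
            }
        }
    }

    /**
     * Reads the {@code Algorithm} attribute of {@code ds:SignedInfo/ds:SignatureMethod}.
     *
     * @return the algorithm URI, or {@code null} if either element is missing
     */
    private static String getSignatureMethod(Element element) {
        Element signedInfo = XMLUtils.getDirectChildElement(element, "SignedInfo", DSIG_NS);
        if (signedInfo == null) {
            return null;
        }
        Element signatureMethod =
            XMLUtils.getDirectChildElement(signedInfo, Constants._TAG_SIGNATUREMETHOD, DSIG_NS);
        if (signatureMethod == null) {
            return null;
        }
        return signatureMethod.getAttributeNS(null, "Algorithm");
    }

    /**
     * Builds one {@link WSDataRef} per Reference with a non-empty URI, describing the element
     * (or attachment placeholder) that the reference covers.
     *
     * <p>The element comes from the STR dereference when an STR-Transform is present, otherwise
     * from the first element of the cached dereferenced node set. Octet-stream data is reported
     * as a synthetic SwA {@code attachment} element flagged as an attachment.
     *
     * @throws WSSecurityException with {@code FAILED_CHECK} if a reference resolves to nothing
     */
    private List<WSDataRef> buildProtectedRefs(Document document, SignedInfo signedInfo,
            RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        List<WSDataRef> protectedRefs = new ArrayList<>(signedInfo.getReferences().size());
        for (Reference reference : signedInfo.getReferences()) {
            String uri = reference.getURI();
            if ("".equals(uri)) {
                // Same-document references with an empty URI produce no WSDataRef.
                continue;
            }

            Element protectedElement = dereferenceSTR(document, reference, requestData, wSDocInfo);
            boolean attachment = false;
            if (protectedElement == null) {
                javax.xml.crypto.Data dereferenced = reference.getDereferencedData();
                if (dereferenced instanceof NodeSetData) {
                    Iterator<?> nodes = ((NodeSetData) dereferenced).iterator();
                    while (nodes.hasNext()) {
                        Node node = (Node) nodes.next();
                        if (node instanceof Element) {
                            protectedElement = (Element) node;
                            break;
                        }
                    }
                } else if (dereferenced instanceof OctetStreamData) {
                    protectedElement = document.createElementNS(SWA_NS, "attachment");
                    attachment = true;
                }
            }
            if (protectedElement == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
            }

            WSDataRef dataRef = new WSDataRef();
            dataRef.setWsuId(uri);
            dataRef.setProtectedElement(protectedElement);
            dataRef.setAlgorithm(signedInfo.getSignatureMethod().getAlgorithm());
            dataRef.setDigestAlgorithm(reference.getDigestMethod().getAlgorithm());
            dataRef.setDigestValue(reference.getDigestValue());
            dataRef.setAttachment(attachment);

            List<String> transformAlgorithms = new ArrayList<>(reference.getTransforms().size());
            for (Object transform : reference.getTransforms()) {
                transformAlgorithms.add(((Transform) transform).getAlgorithm());
            }
            dataRef.setTransformAlgorithms(transformAlgorithms);
            dataRef.setXpath(EncryptionUtils.getXPath(protectedElement));
            protectedRefs.add(dataRef);
        }
        return protectedRefs;
    }

    /**
     * For a Reference that uses the STR-Transform, resolves the SecurityTokenReference found in
     * the dereferenced node set to the token element it points at.
     *
     * @return the referenced token element, or {@code null} if the reference has no
     *         STR-Transform or nothing could be resolved
     */
    private Element dereferenceSTR(Document document, Reference reference, RequestData requestData,
            WSDocInfo wSDocInfo) throws WSSecurityException {
        for (Object transform : reference.getTransforms()) {
            if (!STR_TRANSFORM.equals(((Transform) transform).getAlgorithm())) {
                continue;
            }
            javax.xml.crypto.Data dereferenced = reference.getDereferencedData();
            if (!(dereferenced instanceof NodeSetData)) {
                // Null or non-node-set data cannot contain an STR; the caller handles it.
                continue;
            }

            Element strElement = null;
            Iterator<?> nodes = ((NodeSetData) dereferenced).iterator();
            while (nodes.hasNext()) {
                Node candidate = (Node) nodes.next();
                // Only element nodes qualify, so the cast below cannot fail on another node
                // type that happens to carry the same local name.
                // NOTE(review): the match is on local name only; the namespace is not compared here.
                if (candidate instanceof Element && "SecurityTokenReference".equals(candidate.getLocalName())) {
                    strElement = (Element) candidate;
                    break;
                }
            }
            if (strElement != null) {
                Element resolved = STRTransformUtil.dereferenceSTR(
                    document, new SecurityTokenReference(strElement, requestData.getBSPEnforcer()), wSDocInfo);
                if (resolved != null) {
                    return resolved;
                }
            }
        }
        return null;
    }

    /**
     * Rejects a message whose (timestamp created value, signature value, key) combination is
     * already in the timestamp replay cache, and records it otherwise.
     *
     * <p>Does nothing when no replay cache is configured or no Timestamp is found. The
     * Timestamp is taken from earlier results stored under action code 32, or, if there are
     * none, from the first {@code wsu:Timestamp} sibling that follows the signature element.
     *
     * @throws WSSecurityException with {@code INVALID_SECURITY} when the identifier is cached
     */
    private void testMessageReplay(Element element, byte[] bArr, Key key, RequestData requestData,
            WSDocInfo wSDocInfo) throws WSSecurityException {
        ReplayCache replayCache = requestData.getTimestampReplayCache();
        if (replayCache == null) {
            return;
        }

        Timestamp timestamp = null;
        List<WSSecurityEngineResult> timestampResults = wSDocInfo.getResultsByTag(ACTION_TIMESTAMP);
        if (timestampResults.isEmpty()) {
            for (Node sibling = element.getNextSibling(); sibling != null; sibling = sibling.getNextSibling()) {
                if (sibling instanceof Element
                    && "Timestamp".equals(sibling.getLocalName())
                    && WSU_NS.equals(sibling.getNamespaceURI())) {
                    timestamp = new Timestamp((Element) sibling, requestData.getBSPEnforcer());
                    break;
                }
            }
        } else {
            timestamp = (Timestamp) timestampResults.get(0).get("timestamp");
        }
        if (timestamp == null) {
            return;
        }

        // NOTE(review): the identifier combines two 32-bit array hash codes, so distinct
        // messages with the same Created value can collide and be rejected as replays.
        // Changing the format would invalidate entries in existing or shared caches.
        String identifier = timestamp.getCreatedString() + "" + Arrays.hashCode(bArr) + ""
            + Arrays.hashCode(key.getEncoded());
        if (replayCache.contains(identifier)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
                "invalidTimestamp", new Object[]{"A replay attack has been detected"});
        }
        if (timestamp.getExpires() != null) {
            // Keep the entry until one second past the timestamp's expiry.
            long secondsToExpiry = Duration.between(Instant.now(), timestamp.getExpires()).getSeconds();
            replayCache.add(identifier, 1 + secondsToExpiry);
        } else {
            replayCache.add(identifier);
        }
    }

    /**
     * Reports Basic Security Profile rule violations to the enforcer, in this order: a Manifest
     * inside an Object (R5403), a canonicalization method other than exclusive C14N (R5404),
     * HMAC parameters on the signature method (R5401), unexpected canonicalization parameters
     * (R5404), and per reference: no transforms (R5416), a transform outside the accepted set
     * (R5423), a last transform outside the accepted final set (R5412), and unexpected
     * parameters on an exclusive C14N transform (R5407).
     */
    private void checkBSPCompliance(XMLSignature xMLSignature, BSPEnforcer bSPEnforcer)
        throws WSSecurityException {
        for (Object object : xMLSignature.getObjects()) {
            if (object instanceof XMLObject) {
                for (Object content : ((XMLObject) object).getContent()) {
                    if (content instanceof Manifest) {
                        bSPEnforcer.handleBSPRule(BSPRule.R5403);
                    }
                }
            }
        }

        SignedInfo signedInfo = xMLSignature.getSignedInfo();
        if (!C14N_EXCL.equals(signedInfo.getCanonicalizationMethod().getAlgorithm())) {
            bSPEnforcer.handleBSPRule(BSPRule.R5404);
        }
        if (signedInfo.getSignatureMethod().getParameterSpec() instanceof HMACParameterSpec) {
            bSPEnforcer.handleBSPRule(BSPRule.R5401);
        }
        AlgorithmParameterSpec c14nSpec = signedInfo.getCanonicalizationMethod().getParameterSpec();
        if (c14nSpec != null && !(c14nSpec instanceof ExcC14NParameterSpec)) {
            bSPEnforcer.handleBSPRule(BSPRule.R5404);
        }

        for (Reference reference : signedInfo.getReferences()) {
            List<?> transforms = reference.getTransforms();
            if (transforms.isEmpty()) {
                bSPEnforcer.handleBSPRule(BSPRule.R5416);
            }
            int lastIndex = transforms.size() - 1;
            for (int i = 0; i < transforms.size(); i++) {
                Transform transform = (Transform) transforms.get(i);
                String algorithm = transform.getAlgorithm();

                boolean acceptedAsFinal = C14N_EXCL.equals(algorithm)
                    || STR_TRANSFORM.equals(algorithm)
                    || SWA_COMPLETE.equals(algorithm)
                    || SWA_CONTENT.equals(algorithm);
                boolean accepted = acceptedAsFinal
                    || XPATH_FILTER2.equals(algorithm)
                    || ENVELOPED.equals(algorithm);

                if (!accepted) {
                    bSPEnforcer.handleBSPRule(BSPRule.R5423);
                }
                if (i == lastIndex && !acceptedAsFinal) {
                    bSPEnforcer.handleBSPRule(BSPRule.R5412);
                }
                if (C14N_EXCL.equals(algorithm)) {
                    AlgorithmParameterSpec transformSpec = transform.getParameterSpec();
                    if (transformSpec != null && !(transformSpec instanceof ExcC14NParameterSpec)) {
                        bSPEnforcer.handleBSPRule(BSPRule.R5407);
                    }
                }
            }
        }
    }
}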
