package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.SCTConsumeCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.common.SCAndTrustConstants;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.handler.PolicyConfigUtil;
import com.ibm.ws.wssecurity.handler.PolicyInboundConfig;
import com.ibm.ws.wssecurity.impl.auth.callback.SCTCallback;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.SecureConversationCacheHelper;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.token.UTC;
import com.ibm.ws.wssecurity.trust.server.sts.Util.STSTokenUtil;
import com.ibm.ws.wssecurity.trust.server.sts.ext.sct.SCTHelper;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.CacheConfigFactory;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.TokenHolder;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.xml.xss4j.domutil.DOMUtil;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMDocument;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/SCTConsumeLoginModule.class */
public class SCTConsumeLoginModule implements LoginModule {
    private static final String comp = "security.wssecurity"; // component name; not referenced in the visible part of this class
    // JAAS callback handler supplied by initialize(); login() drives the SCT, consume and property callbacks through it
    private CallbackHandler _handler;
    // JAAS shared state supplied by initialize(); processElement() publishes the resolved secrets into it
    private Map _sharedState;
    // Token resolved by login(); commit() registers it with the token manager (may be null if login() resolved nothing)
    private SecurityToken _token;
    // Token manager taken from the property context in login()
    private SecurityTokenManager _securityTokenManager;
    // Per-request property context obtained from the PropertyCallback in login()
    private Map<Object, Object> _context;
    private QName _soapFault = null; // not referenced in the visible part of this class
    private static final TraceComponent tc = Tr.register(SCTConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = SCTConsumeLoginModule.class.getName();
    // Whether the SCT cache is JDBC-backed; selects the retry strategy in checkKeyInstance(). Non-final static state.
    private static boolean jdbcEnabled = CacheConfigFactory.getInstance().isJDBCCache();

    /**
     * JAAS initialization: remembers the callback handler and the shared-state map for
     * the later {@link #login()} and {@link #commit()} calls. The subject and the
     * options map are accepted for interface conformance only and are not used.
     *
     * @param subject         ignored
     * @param callbackHandler handler that {@link #login()} uses to obtain the SCT callbacks
     * @param map             JAAS shared state; receives the derived key material later
     * @param map2            module options, ignored
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        final String entrySignature = "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)";
        final String exitSignature = "initialize(Subject, CallbackHandler, Map, Map)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, entrySignature);
        }
        _handler = callbackHandler;
        _sharedState = map;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, exitSignature);
        }
    }

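    /**
     * JAAS login phase. Runs the {@link SCTCallback}, {@link SCTConsumeCallback} and
     * {@link PropertyCallback} through the handler, then resolves the inbound
     * SecurityContextToken from the element under processing when the configured
     * key-info type is either absent or "embedded".
     *
     * <p>Side effects: stores the property context in {@code _context}, registers a
     * placeholder {@link DKToken} under WSSECURITY_TOKEN_FOR_ERROR_HANDLING, takes the
     * token manager from the context, and leaves the resolved token in {@code _token}
     * for {@link #commit()}. {@code _token} stays {@code null} when the key-info type is
     * neither absent nor embedded.
     *
     * @return always {@code true}; failure is reported by exception
     * @throws LoginException wrapping any failure (callback handling, configuration
     *                        lookup or token resolution); the original exception is
     *                        attached as the cause
     */
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        PropertyCallback propertyCallback = new PropertyCallback(null);
        SCTCallback sctCallback = new SCTCallback();
        SCTConsumeCallback consumeCallback = new SCTConsumeCallback();
        try {
            this._handler.handle(new Callback[]{sctCallback, consumeCallback, propertyCallback});
            this._context = propertyCallback.getProperties();
            TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            // Extended audit data is only collected when an AUTHN success or denied event is configured.
            WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
            if (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)
                    || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED)) {
                WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.AUTHN_TYPE, tokenConsumerConfig.getType().toString());
            }
            // Placeholder token so that downstream error handling has a token to report on.
            DKToken dkToken = new DKToken();
            this._context.put(Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING, dkToken);
            this._token = null;
            // No SCTCallback data means the caller is the WSS API rather than a policy set.
            boolean isWSSAPI = !sctCallback.isExist();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, isWSSAPI ? "WSSAPI in SCTConsumeLoginModule." : "PolicySet in SCTConsumeLoginModule");
            }
            // The encryption algorithm is only consulted (for key sizing) on the WSS API path.
            String encAlg = isWSSAPI ? consumeCallback.getEncryptionAlgorithm() : null;
            this._securityTokenManager = (SecurityTokenManagerImpl) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            String keyInfoType = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
            OMElement target = (OMElement) this._context.get(com.ibm.ws.wssecurity.common.Constants.PROCESSING_ELEMENT);
            // isNone: no key-info type configured; isEmb: the token is embedded in the key info.
            boolean isNone = keyInfoType == null;
            boolean isEmb = !isNone && ConfigUtil.isKeyInfoEmb(keyInfoType);
            if (isNone || isEmb) {
                this._token = processElement(dkToken, target, tokenConsumerConfig, isWSSAPI, isNone, isEmb, this._securityTokenManager, this._context, encAlg);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            return true;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".login", "160", this);
            // LoginException has no cause constructor; attach the cause explicitly so the
            // root failure is not lost behind the generic s01 message.
            LoginException le = new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e.toString()}));
            le.initCause(e);
            throw le;
        }
    }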

    /**
     * JAAS commit phase: registers the token resolved by {@link #login()} with the
     * security token manager and publishes it in the property context under
     * WSSECURITY_TOKEN_PROCESSED. Requires a prior {@link #login()}; the token manager
     * and the context are otherwise unset.
     *
     * @return always {@code true}
     * @throws LoginException per the JAAS contract; only if the token manager raises it
     */
    public boolean commit() throws LoginException {
        final String signature = "commit()";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, signature);
        }
        final SecurityToken resolved = _token;
        _securityTokenManager.addToken(resolved);
        _context.put(Constants.WSSECURITY_TOKEN_PROCESSED, resolved);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, signature);
        }
        return true;
    }

    /**
     * JAAS abort phase. This module keeps no state that needs to be undone, so the
     * method only traces and reports {@code false}.
     *
     * @return always {@code false}
     * @throws LoginException never; declared by the JAAS contract
     */
    public boolean abort() throws LoginException {
        final String signature = "abort()";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, signature);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, signature);
        }
        return false;
    }

    /**
     * JAAS logout phase. Nothing is removed from the subject here; the method only
     * traces and reports {@code false}.
     *
     * @return always {@code false}
     * @throws LoginException never; declared by the JAAS contract
     */
    public boolean logout() throws LoginException {
        final String signature = "logout()";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, signature);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, signature);
        }
        return false;
    }

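    /**
     * Resolves the SecurityContextToken (SCT) behind the element under processing and
     * publishes its key material.
     *
     * <p>When the target element is itself a {@code SecurityContextToken}, its
     * Identifier, Instance, Created and Expires children are read, the key size is
     * derived from the policy algorithm suite (policy-set path) or from the encryption
     * algorithm (WSS API path; 256 bits if none is given), and the token is verified
     * through {@link #verifySCT}. Any other element is treated as a reference and
     * delegated to {@link #resolveReferencedToken}. In both cases the client, server and
     * combined secrets of the selected instance are written to the JAAS shared state
     * and the wrapper is stored under MASTER_TOKEN in the property context.
     *
     * @param dKToken              placeholder token registered for error handling; not used here
     * @param oMElement            target element: a SecurityContextToken or a reference to one
     * @param tokenConsumerConfig  consumer configuration used to look up an already consumed token
     * @param z                    isWSSAPI: {@code true} on the WSS API path, {@code false} on the policy-set path
     * @param z2                   isNone: no key-info type configured; only traced here
     * @param z3                   isEmb: embedded key info; only traced here
     * @param securityTokenManager manager consulted for a previously consumed token with the same id
     * @param map                  property context handed to {@link #resolveReferencedToken}
     * @param str                  encryption algorithm on the WSS API path, else {@code null}
     * @return the resolved token: the {@link SCTWrapper} built here, or the token the
     *         manager already holds under the same id
     * @throws LoginException if a Created/Expires value does not parse, if verification
     *                        fails, or if no SCT wrapper could be resolved
     */
    private final SecurityToken processElement(DKToken dKToken, OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, boolean z, boolean z2, boolean z3, SecurityTokenManager securityTokenManager, Map<Object, Object> map, String str) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("processElement(");
            entry.append("DKToken dkToken, ");
            entry.append("OMElement target[").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            entry.append("TokenConsumerConfig config, ");
            entry.append("boolean isWSSAPI[").append(z).append("], ");
            entry.append("boolean isNone[").append(z2).append("], ");
            entry.append("boolean isEmb[").append(z3).append("], ");
            entry.append("SecurityTokenManager securityTokenManager, Map context, String encAlg)");
            Tr.entry(tc, entry.toString());
        }
        MessageContext messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        SecurityToken securityToken = null;
        // Default to the WS-SecureConversation 1.3 namespaces and fall back to the older
        // ones when the element lives in the older SC namespace.
        String sctValueType = com.ibm.ws.wssecurity.common.Constants.NS_WSC_SCT_13;
        String scNamespace = com.ibm.ws.wssecurity.common.Constants.NS_WSC_SC_13;
        String targetNamespace = oMElement.getNamespace().getNamespaceURI();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " Target Element namespace URI = " + targetNamespace);
        }
        if (com.ibm.ws.wssecurity.common.Constants.NS_WSC_SC.equals(targetNamespace)) {
            sctValueType = com.ibm.ws.wssecurity.common.Constants.NS_WSC_SCT;
            scNamespace = com.ibm.ws.wssecurity.common.Constants.NS_WSC_SC;
        }
        messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.SCT_TOKEN_VALUE_TYPE, sctValueType);
        if (targetNamespace.equals(scNamespace) && oMElement.getLocalName().equals("SecurityContextToken")) {
            String identifier = DOMUtils.getStringValue(DOMUtils.getChildElement(oMElement, scNamespace, "Identifier"));
            String id = oMElement.getAttributeValue(IdUtils.getInstance().getIdAttributeName(oMElement));
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SCT id = " + id + ", and token Value Type = " + sctValueType);
            }
            WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
            if (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)
                    || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED)) {
                WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.TOKEN_ID, id);
            }
            // The optional Instance child names the key instance of the SCT the message uses.
            OMElement instanceElement = DOMUtils.getChildElement(oMElement, scNamespace, "Instance");
            String instance = null;
            if (instanceElement != null) {
                instance = DOMUtils.getStringValue(instanceElement);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, instance == null ? "instance is null " + DOMUtils.toString(instanceElement) : "instance is = " + instance);
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "instance element is null");
            }
            // sctValueType is one of the two SCT value-type constants, so exactly one branch applies.
            SCT sct;
            if (com.ibm.ws.wssecurity.common.Constants.NS_WSC_SCT_13.equals(sctValueType)) {
                sct = new SCT13(identifier);
            } else {
                sct = new SCT(identifier);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SCT version =  [" + sct.getValueType().getLocalPart() + "].");
            }
            sct.setXML(new OMStructure(oMElement));
            if (id != null) {
                sct.setId(id);
                sct.setReferenceURI("#" + id);
            }
            OMElement createdElement = DOMUtils.getChildElement(oMElement, com.ibm.ws.wssecurity.common.Constants.NS_WSU, "Created");
            if (createdElement != null) {
                try {
                    sct.setCreation(instance, UTC.parse(DOMUtils.getStringValue(createdElement)));
                } catch (ParseException e) {
                    LoginException le = new LoginException("Parsing of creation date failed!");
                    le.initCause(e);
                    throw le;
                }
            }
            OMElement expiresElement = DOMUtils.getChildElement(oMElement, com.ibm.ws.wssecurity.common.Constants.NS_WSU, "Expires");
            if (expiresElement != null) {
                try {
                    sct.setExpiration(instance, UTC.parse(DOMUtils.getStringValue(expiresElement)));
                } catch (ParseException e) {
                    LoginException le = new LoginException("Parsing of expiration date failed!");
                    le.initCause(e);
                    throw le;
                }
            }
            // Key size: policy algorithm suite on the policy-set path, encryption algorithm on
            // the WSS API path, 256 bits when neither is available.
            int keySize = 256;
            if (!z) {
                String algorithmSuite = ((PolicyInboundConfig) ((WSSConsumerConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey"))).getAlgorithmSuite();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The Algorithm Suite = " + algorithmSuite);
                }
                keySize = Integer.parseInt(PolicyConfigUtil.getMinimumSymmetricKeyLength(algorithmSuite));
            } else if (str != null) {
                keySize = ((Integer) SCTGenerateLoginModule.getKeyAlgorithm(str, false, true, false, false).get("keylength")).intValue();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Key Size (in bits) based on the algorihthm Suite = " + keySize);
            }
            sct.setKeySize(keySize);
            SCTWrapper verified = verifySCT(sct, instance, z, messageContext, this._context);
            if (verified != null) {
                verified.setXML(new OMStructure(oMElement));
                if (id != null) {
                    verified.setId(id);
                    verified.setReferenceURI("#" + id);
                }
                // A token the manager already holds under this id takes precedence over the new wrapper.
                SecurityToken known = securityTokenManager.getToken(tokenConsumerConfig, verified.getId());
                securityToken = known == null ? verified : known;
            }
        } else {
            messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.SCT_TOKEN_VALUE_TYPE, sctValueType);
            securityToken = resolveReferencedToken(oMElement, messageContext, map);
        }
        // Both paths must yield an SCTWrapper; report a missing or foreign token as a login
        // failure instead of letting the casts below fail with NPE/ClassCastException.
        if (!(securityToken instanceof SCTWrapper)) {
            throw new LoginException("No SecurityContextToken wrapper could be resolved for the target element.");
        }
        SCTWrapper wrapper = (SCTWrapper) securityToken;
        SCT resolvedSct = wrapper.getSCT();
        String currentInstance = wrapper.getCurrentInstance();
        this._sharedState.put(Constants.BASE_TOKEN_CLIENT_SECRET, resolvedSct.getClientSecret(currentInstance));
        this._sharedState.put(Constants.BASE_TOKEN_SERVER_SECRET, resolvedSct.getServerSecret(currentInstance));
        this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, resolvedSct.getSecret(currentInstance));
        this._context.put(com.ibm.ws.wssecurity.common.Constants.MASTER_TOKEN, securityToken);
        if (tc.isEntryEnabled()) {
            StringBuilder exit = new StringBuilder("processElement(");
            exit.append("DKToken, OMElement, TokenConsumerConfig, ");
            exit.append("boolean, boolean, boolean, securityTokenManager, Map)");
            exit.append(" returns SecurityToken[").append(securityToken).append("]");
            Tr.exit(tc, exit.toString());
        }
        return securityToken;
    }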

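    /**
     * Verifies an SCT parsed from the message against the locally known token and
     * wraps the matching instance.
     *
     * <p>Service-provider side: the token is looked up by UUID in the SCT cache, then
     * at the trust service on a miss; the key instance from the message (or the first
     * instance of the cached token) must exist on the token, be valid, and the token's
     * AppliesTo URI must match the message's To address. UUID, instance and version
     * are then recorded in the wss-ramp property map and on the message context.
     * Client side: the token comes from the secure-conversation cache and only instance
     * presence and validity are checked.
     *
     * <p>On failure the SOAP fault code is stored in {@code map} under SC_FAULT_CODE
     * (invalidSCT02: token or instance not found, invalidSCT: instance not valid,
     * invalidSCT03: client-side failure) before the LoginException is thrown.
     *
     * @param sct            token parsed from the message; supplies UUID, value type, key size and XML
     * @param str            key instance named in the message, or {@code null} to use the first instance
     * @param z              isWSSAPI flag; only traced here
     * @param messageContext current Axis2 message context
     * @param map            property context that receives SC_FAULT_CODE on failure
     * @return wrapper around the cached token and the selected instance
     * @throws LoginException on any verification failure; non-login exceptions are
     *                        wrapped with their cause attached
     */
    private static final SCTWrapper verifySCT(SCT sct, String str, boolean z, MessageContext messageContext, Map map) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("verifySCT(SCT sct, ");
            entry.append("String keyInstance(").append(str).append("], ");
            entry.append("boolean isWSSAPI(").append(z).append("], ");
            entry.append("MessageContext messageContext, ");
            entry.append("HashMap context)");
            Tr.entry(tc, entry.toString());
        }
        SCTWrapper wrapper;
        try {
            boolean isServiceProvider = Axis2Util.isServiceProvider(messageContext);
            String version = sct.getValueType().getLocalPart();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SCT version =  [" + version + "].");
            }
            if (isServiceProvider) {
                // Server side: SCT cache first, then the trust service. A trust-service
                // failure is logged and treated as a miss.
                SCT cached = null;
                if (SCTHelper.getCache() != null) {
                    cached = (SCT) SCTHelper.getCache().getToken(sct.getUUID());
                }
                if (cached == null) {
                    try {
                        cached = (SCT) STSTokenUtil.getToken(sct.getUUID(), version);
                    } catch (Exception e) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception while getting SCT from trust service:" + e.getMessage());
                        }
                    }
                }
                if (cached == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Can not find SCT from trust server cache.");
                    }
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT02", version));
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.invalidSCT02"));
                }
                if (str == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "No instance information in the message");
                    }
                    str = searchFirstInstance(cached);
                }
                SCT matched = checkKeyInstance(cached, str, version);
                if (matched == null) {
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT02", version));
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.invalidSCT02"));
                }
                // NOTE(review): the 0L argument is presumably the permitted clock skew — confirm against SCT.isValid.
                if (str == null || !matched.isValid(str, 0L)) {
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT", version));
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTGenerateLoginModule.invalidSCT"));
                }
                // The token must have been issued for the endpoint this message was addressed to.
                if (!matched.validateAppliesToURI(messageContext.getTo().getAddress())) {
                    throw new LoginException("SCT is not applicable to the end point specified!");
                }
                matched.setKeySize(sct.getKeySize());
                matched.valueType = new QName("", version);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Server side, saving the token in message context context using the WSSECURITY_SECURECONVERSATION_IDENTIFIER as key and uuid = " + matched.getUUID());
                    Tr.debug(tc, "Server side, saving the token in message context using INBOUND_SCTOKEN as key, token uuid = " + matched.getUUID());
                    Tr.debug(tc, "Saving the instance in message context = " + str);
                }
                // Record UUID, instance and version both in the wss-ramp property map and
                // directly on the message context.
                HashMap rampProperties = (HashMap) messageContext.getProperty(com.ibm.ws.wssecurity.common.Constants.WSS_RAMP_PROPERTYMAP);
                if (rampProperties == null) {
                    rampProperties = new HashMap();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Save the uuid and instance in the wss-ramp propertymap");
                    }
                }
                rampProperties.put(Constants.WSSECURITY_SECURECONVERSATION_IDENTIFIER, matched.getUUID());
                rampProperties.put(com.ibm.ws.wssecurity.common.Constants.INSTANCE_FROM_MESSAGE, str);
                rampProperties.put(com.ibm.ws.wssecurity.common.Constants.SCT_VERSION_FROM_MESSAGE, version);
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.WSS_RAMP_PROPERTYMAP, rampProperties);
                messageContext.setProperty(Constants.WSSECURITY_SECURECONVERSATION_IDENTIFIER, matched.getUUID());
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.INSTANCE_FROM_MESSAGE, str);
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.SCT_VERSION_FROM_MESSAGE, version);
                TokenHolder.setInboundTokenToContext(matched, messageContext);
                wrapper = SCTGenerateLoginModule.createSCTWrapper(matched, str);
                wrapper.setXML(sct.getXML());
                wrapper.setSCT(matched);
            } else {
                SCT cached = (SCT) SecureConversationCacheHelper.getSecurityContextTokenFromCacheByUUID(sct.getUUID());
                // Only touch the token when one was found, so that a cache miss reports
                // invalidSCT03 below instead of surfacing as a NullPointerException.
                if (cached != null && str == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "No instance information in the message");
                    }
                    if (cached.getInstances() != null) {
                        str = searchFirstInstance(cached);
                    }
                }
                if (cached == null || str == null || !cached.isValid(str, 0L)) {
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT03", version));
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, cached == null ? "Null SCT" : "Invalid SCT");
                    }
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.invalidSCT03"));
                }
                wrapper = SCTGenerateLoginModule.createSCTWrapper(cached, str);
                wrapper.setXML(sct.getXML());
                wrapper.setKeySize(sct.getKeySize());
                wrapper.setSCT(cached);
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.INSTANCE_FROM_MESSAGE, str);
            }
            if (tc.isEntryEnabled()) {
                StringBuilder exit = new StringBuilder("verifySCT(SCT, String, ");
                exit.append("boolean, MessageContext)");
                exit.append(" returns SCTWrapper[").append(wrapper).append("]");
                Tr.exit(tc, exit.toString());
            }
            return wrapper;
        } catch (LoginException e) {
            // Already carries the message and the fault code has been recorded; pass it through.
            throw e;
        } catch (Exception e) {
            // LoginException has no cause constructor; attach the cause so the root failure survives.
            LoginException le = new LoginException(e.getMessage());
            le.initCause(e);
            throw le;
        }
    }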

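    /**
     * Resolves an SCT by UUID (a referenced token rather than one carried inline) and
     * wraps the requested key instance.
     *
     * <p>Service-provider side: the token is looked up by UUID in the SCT cache, then
     * at the trust service on a miss; the key instance (or the first instance of the
     * token) must exist on the token and be valid, and the token's AppliesTo URI must
     * match the message's To address. UUID, instance and version are then recorded in
     * the wss-ramp property map and on the message context. Client side: the token
     * comes from the secure-conversation cache and only instance presence and validity
     * are checked.
     *
     * <p>On failure the SOAP fault code is stored in {@code map} under SC_FAULT_CODE
     * (invalidSCT02: token or instance not found, invalidSCT: instance not valid,
     * invalidSCT03: client-side failure) before the LoginException is thrown.
     *
     * @param str            SCT UUID
     * @param str2           key instance, or {@code null} to use the token's first instance
     * @param messageContext current Axis2 message context
     * @param str3           token type (SCT version local part) used for the trust-service lookup and the value type
     * @param map            property context that receives SC_FAULT_CODE on failure
     * @return wrapper around the resolved token and the selected instance
     * @throws LoginException on any resolution or verification failure; non-login
     *                        exceptions are wrapped with their cause attached
     */
    private static final SCTWrapper resolveSCT(String str, String str2, MessageContext messageContext, String str3, Map map) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("resolveSCT(String uuid, ");
            entry.append("String keyInstance [").append(str2).append("], ");
            entry.append("MessageContext messageContext, ");
            entry.append("String tokenType [").append(str3).append("], ");
            entry.append("Map context )");
            Tr.entry(tc, entry.toString());
        }
        SCTWrapper wrapper;
        try {
            if (Axis2Util.isServiceProvider(messageContext)) {
                // Server side: SCT cache first, then the trust service. A trust-service
                // failure is logged and treated as a miss.
                SCT cached = null;
                if (SCTHelper.getCache() != null) {
                    cached = (SCT) SCTHelper.getCache().getToken(str);
                }
                if (cached == null) {
                    try {
                        cached = (SCT) STSTokenUtil.getToken(str, str3);
                    } catch (Exception e) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception while getting SCT from trust service:" + e.getMessage());
                        }
                    }
                }
                if (cached == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Can not find SCT from trust server cache.");
                    }
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT02", str3));
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.invalidSCT02"));
                }
                if (str2 == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "No instance information in the message");
                    }
                    str2 = searchFirstInstance(cached);
                }
                SCT matched = checkKeyInstance(cached, str2, str3);
                if (matched == null) {
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT02", str3));
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.invalidSCT02"));
                }
                // NOTE(review): the 0L argument is presumably the permitted clock skew — confirm against SCT.isValid.
                if (str2 == null || !matched.isValid(str2, 0L)) {
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT", str3));
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTGenerateLoginModule.invalidSCT"));
                }
                // The token must have been issued for the endpoint this message was addressed to.
                if (!matched.validateAppliesToURI(messageContext.getTo().getAddress())) {
                    throw new LoginException("SCT is not applicable to the end point specified!");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Server side, saving the token in message context context using the WSSECURITY_SECURECONVERSATION_IDENTIFIER as key and uuid = " + matched.getUUID());
                    Tr.debug(tc, "Server side, saving the token in message context using INBOUND_SCTOKEN as key, token uuid = " + matched.getUUID());
                    Tr.debug(tc, "Saving the instance in message context = " + str2);
                }
                matched.valueType = new QName("", str3);
                // Record UUID, instance and version both in the wss-ramp property map and
                // directly on the message context.
                HashMap rampProperties = (HashMap) messageContext.getProperty(com.ibm.ws.wssecurity.common.Constants.WSS_RAMP_PROPERTYMAP);
                if (rampProperties == null) {
                    rampProperties = new HashMap();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Save the uuid and instance in the wss-ramp propertymap");
                    }
                }
                rampProperties.put(Constants.WSSECURITY_SECURECONVERSATION_IDENTIFIER, matched.getUUID());
                rampProperties.put(com.ibm.ws.wssecurity.common.Constants.INSTANCE_FROM_MESSAGE, str2);
                rampProperties.put(com.ibm.ws.wssecurity.common.Constants.SCT_VERSION_FROM_MESSAGE, str3);
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.WSS_RAMP_PROPERTYMAP, rampProperties);
                messageContext.setProperty(Constants.WSSECURITY_SECURECONVERSATION_IDENTIFIER, matched.getUUID());
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.INSTANCE_FROM_MESSAGE, str2);
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.SCT_VERSION_FROM_MESSAGE, str3);
                TokenHolder.setInboundTokenToContext(matched, messageContext);
                wrapper = SCTGenerateLoginModule.createSCTWrapper(matched, str2);
                wrapper.setXML(matched.getXML());
                wrapper.setSCT(matched);
            } else {
                SCT cached = (SCT) SecureConversationCacheHelper.getSecurityContextTokenFromCacheByUUID(str);
                // Only touch the token when one was found, so that a cache miss reports
                // invalidSCT03 below instead of surfacing as a NullPointerException.
                if (cached != null && str2 == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "No instance information in the message");
                    }
                    if (cached.getInstances() != null) {
                        str2 = searchFirstInstance(cached);
                    }
                }
                if (cached == null || str2 == null || !cached.isValid(str2, 0L)) {
                    map.put(SCAndTrustConstants.SC_FAULT_CODE, SCTGenerateLoginModule.generateSoapFault("invalidSCT03", str3));
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, cached == null ? "Null SCT" : "Invalid SCT");
                    }
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.invalidSCT03"));
                }
                cached.valueType = new QName("", str3);
                wrapper = SCTGenerateLoginModule.createSCTWrapper(cached, str2);
                wrapper.setXML(cached.getXML());
                wrapper.setKeySize(cached.getKeySize());
                wrapper.setSCT(cached);
                messageContext.setProperty(com.ibm.ws.wssecurity.common.Constants.INSTANCE_FROM_MESSAGE, str2);
            }
            if (tc.isEntryEnabled()) {
                StringBuilder exit = new StringBuilder("resolveSCT(String, String, ");
                exit.append("boolean, MessageContext)");
                exit.append(" returns SCTWrapper[").append(wrapper).append("]");
                Tr.exit(tc, exit.toString());
            }
            return wrapper;
        } catch (LoginException e) {
            // Already carries the message and the fault code has been recorded; pass it through.
            throw e;
        } catch (Exception e) {
            // LoginException has no cause constructor; attach the cause so the root failure survives.
            LoginException le = new LoginException(e.getMessage());
            le.initCause(e);
            throw le;
        }
    }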

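    /**
     * Finds the SCT that carries the requested key instance.
     *
     * <p>If {@code str} matches (case-insensitively) one of the instances of
     * {@code sct}, that token is returned as is. Otherwise the token is re-fetched from
     * the primary store within a budget of ten steps — the JDBC cache (each attempt
     * costs five steps) or the trust service after a 10 ms pause (one step per
     * attempt) — in case the instance was added by another server after the local copy
     * was taken. If no fetch yields the instance, or the local token has no instances
     * at all, {@code sct} is returned unchanged and the caller decides via its own
     * validity check.
     *
     * @param sct  locally known token
     * @param str  key instance named in the message; may be {@code null}
     * @param str2 SCT version (value-type local part) passed to the trust service
     * @return the token holding the instance, or {@code sct} when none was found; never {@code null}
     */
    private static SCT checkKeyInstance(SCT sct, String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkKeyInstance");
        }
        String[] instances = sct.getInstances();
        if (containsInstanceIgnoreCase(instances, str)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found matching key instance in SCT.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkKeyInstance");
            }
            return sct;
        }
        // The token lifetime is taken from the first instance and handed to the database
        // lookup; without any instance there is nothing to derive it from, so skip the retries.
        if (instances == null || instances.length == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SCT carries no key instances; no retry possible.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkKeyInstance Fails.");
            }
            return sct;
        }
        long lifetime = sct.getExpiration(instances[0]).getTime() - sct.getCreation(instances[0]).getTime();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Not Found matching key instance in SCT in the cluster server??. Retry from primary cache.");
        }
        int step = 0;
        while (step < 10) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not Found matching key instance in SCT. Retry from cache " + (step + 1) + " times.");
            }
            SCT refreshed = null;
            try {
                if (jdbcEnabled) {
                    if (SCTHelper.getCache() != null) {
                        refreshed = (SCT) SCTHelper.getCache().getTokenFromDatabase(sct.getUUID(), lifetime);
                    }
                    step += 5;
                } else {
                    try {
                        Thread.sleep(10L);
                    } catch (InterruptedException ignored) {
                        // Keep the interrupt visible to the caller; the lookup itself still runs.
                        Thread.currentThread().interrupt();
                    }
                    refreshed = (SCT) STSTokenUtil.getToken(sct.getUUID(), str2);
                    step++;
                }
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception while getting SCT from trust service:" + e.getMessage());
                }
            }
            // A failed fetch (null or exception) simply consumes its steps and is retried.
            if (refreshed != null && containsInstanceIgnoreCase(refreshed.getInstances(), str)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found matching key instance in SCT during " + step + " retry.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkKeyInstance");
                }
                return refreshed;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkKeyInstance Fails.");
        }
        return sct;
    }

    /**
     * Reports whether {@code instances} contains {@code wanted}, ignoring case.
     * Null or empty arrays, null elements and a null {@code wanted} never match.
     */
    private static boolean containsInstanceIgnoreCase(String[] instances, String wanted) {
        if (instances == null || wanted == null) {
            return false;
        }
        for (String candidate : instances) {
            if (wanted.equalsIgnoreCase(candidate)) {
                return true;
            }
        }
        return false;
    }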

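    /**
     * Resolves the token that a {@code wsc:DerivedKeyToken} element refers to.
     * <p>
     * Only an element named {@code DerivedKeyToken} in the WS-SecureConversation namespace
     * selected for this message is handled (1.3 namespace unless the message context's SCT
     * value type is the pre-1.3 one); anything else yields {@code null}. The
     * {@code wsse:SecurityTokenReference/wsse:Reference/@URI} inside it decides the source: a
     * fragment reference ({@code #id}) is served from the master token already stored in
     * {@code _context}, any other URI is resolved through {@code resolveSCT}.
     * <p>
     * NOTE(review): for a fragment reference the fragment value is never compared with the id of
     * the cached master token, so the derived key is bound to whatever token the consumer cached
     * earlier. That is only safe if a message can carry a single SCT — confirm the caller
     * enforces this.
     *
     * @param oMElement      candidate DerivedKeyToken element; may be {@code null}
     * @param messageContext current message; supplies the SCT value type in use
     * @param map            per-message context handed on to {@code resolveSCT}
     * @return the referenced token, or {@code null} when {@code oMElement} is not a
     *         DerivedKeyToken carrying a SecurityTokenReference
     * @throws LoginException if the SecurityTokenReference is malformed (no {@code wsse:Reference}
     *         child or no {@code URI} attribute) or the referenced SCT cannot be resolved
     */
    private SecurityToken resolveReferencedToken(OMElement oMElement, MessageContext messageContext, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer = new StringBuffer("resolveReferencedToken(");
            stringBuffer.append("OMElement target(").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            stringBuffer.append("MessageContext messageContext, Map context)");
            Tr.entry(tc, stringBuffer.toString());
        }
        SecurityToken securityToken = null;
        // WS-SC namespace matching the SCT value type negotiated for this message.
        String nsWsc = com.ibm.ws.wssecurity.common.Constants.NS_WSC_SC_13;
        String valueType = (String) messageContext.getProperty(com.ibm.ws.wssecurity.common.Constants.SCT_TOKEN_VALUE_TYPE);
        if (com.ibm.ws.wssecurity.common.Constants.NS_WSC_SCT.equals(valueType)) {
            nsWsc = com.ibm.ws.wssecurity.common.Constants.NS_WSC_SC;
        }
        OMElement tokenReference = null;
        if (oMElement != null && oMElement.getNamespace() != null
                && nsWsc.equals(oMElement.getNamespace().getNamespaceURI())
                && "DerivedKeyToken".equals(oMElement.getLocalName())) {
            tokenReference = DOMUtils.getChildElement(oMElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "SecurityTokenReference");
        }
        if (tokenReference != null) {
            OMElement reference = DOMUtils.getChildElement(tokenReference, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "Reference");
            if (reference == null) {
                // Malformed STR from the wire: reject explicitly rather than with a NullPointerException.
                throw new LoginException("SecurityTokenReference in DerivedKeyToken has no wsse:Reference child");
            }
            String uri = reference.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.URI_Q);
            if (uri == null) {
                throw new LoginException("wsse:Reference in DerivedKeyToken has no URI attribute");
            }
            // Clear any token id recorded for this authentication audit event; the token is
            // re-resolved below.
            if (WSSContextManagerFactory.getInstance().getAuditService().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS) || WSSContextManagerFactory.getInstance().getAuditService().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED)) {
                WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.TOKEN_ID, null);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Reference Token URI in DerivedKeyToken element: " + uri);
            }
            if (uri.startsWith("#")) {
                securityToken = (SecurityToken) this._context.get(com.ibm.ws.wssecurity.common.Constants.MASTER_TOKEN);
            } else {
                String instance = reference.getAttributeValue(new QName(nsWsc, "Instance"));
                securityToken = resolveSCT(uri, instance, messageContext, valueType, map);
            }
        }
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer2 = new StringBuffer("resolveReferencedToken(");
            stringBuffer2.append("OMElement, MessageContext, Map)");
            Tr.exit(tc, stringBuffer2.toString());
        }
        return securityToken;
    }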

    /**
     * Maps an attached (same-message) SCT reference to the token's {@code wsc:Identifier} UUID.
     * <p>
     * {@code str} is resolved as a wsu:Id in the owner document of the message header. If the
     * element found is a {@code SecurityContextToken} in namespace {@code str2} and has an
     * {@code Identifier} child, that child's text content is returned.
     * <p>
     * NOTE: with debug trace enabled the complete original message is written to the trace log,
     * application payload included — keep this in mind before enabling this trace component
     * on a production system.
     *
     * @param str            the wsu:Id named by the reference
     * @param messageContext current message; its envelope header locates the document
     * @param map            per-message context; not used by this method
     * @param str2           WS-SecureConversation namespace URI the token is expected in
     * @return the token's Identifier text, or {@code null} if the id does not resolve to such a
     *         token
     */
    public static final String getUUIDByRef(String str, MessageContext messageContext, Map<Object, Object> map, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUUIDByRef(String ref(" + str + "], MessageContext messageContext, Map context, String nsWsc[" + str2 + "])");
        }
        String uuid = null;
        OMDocument document = DOMUtil.getOwnerDocument(messageContext.getEnvelope().getHeader());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The original RM message to be processed : " + DOMUtils.toString(document.getOMDocumentElement()));
        }
        OMElement target = IdUtils.getInstance().resolveID(document, str);
        if (target != null) {
            QName sctName = new QName(str2, "SecurityContextToken");
            OMElement identifier = null;
            if (sctName.equals(target.getQName())) {
                identifier = DOMUtils.getChildElement(target, str2, "Identifier");
            }
            if (identifier != null) {
                uuid = DOMUtils.getStringValue(identifier);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found the matching SCT(Attached reference) for wsu:Id = " + str + ", the uuid Identifier = " + uuid);
                }
            }
            if (uuid == null && tc.isDebugEnabled()) {
                Tr.debug(tc, "No SecurityContextToken element with the wsu:Id = " + str + " Found.");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getUUIDByRef(String, MessageContext, Map) returns String[" + uuid + "]");
        }
        return uuid;
    }

    /**
     * Picks the key instance to use when the message names none: the first instance the
     * token was issued with.
     * <p>
     * NOTE(review): the instance is returned even if it has already expired — expiry is only
     * reported at debug trace level here. Callers are presumably expected to enforce the
     * instance's validity themselves; confirm.
     *
     * @param sct the security context token; may be {@code null}
     * @return the first instance identifier, or {@code null} if there is no token or it
     *         carries no instances
     */
    public static String searchFirstInstance(SCT sct) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "searchFirstInstance(SCT sctoken): No instance in Message, Use first issued instance.");
        }
        if (sct == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "searchFirstInstanceList(SCT sctoken): no SCT.");
            }
            return null;
        }
        Date now = new Date();
        String[] issued = sct.getInstances();
        if (issued == null || issued.length == 0) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "searchFirstInstance(SCT sctoken): no key instance.");
            }
            return null;
        }
        String first = issued[0];
        if (tc.isDebugEnabled()) {
            boolean stillValid = sct.getExpiration(first).after(now);
            Tr.debug(tc, (stillValid ? "First Instance:" : "First Instance expired:") + first);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "searchFirstInstanceList(SCT sctoken)");
        }
        return first;
    }
}
