package com.ibm.ws.security.icsf;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.TokenCreationFailedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.BasicAuthData;
import com.ibm.ws.security.auth.WSCredentialImpl;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityConfig;
import com.ibm.ws.security.registry.UnsupportedEntryTypeException;
import com.ibm.ws.security.registry.UserRegistryImpl;
import com.ibm.ws.security.server.SecurityServerImpl;
import com.ibm.ws.security.util.AccessController;
import java.io.UnsupportedEncodingException;
import java.rmi.RemoteException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.util.Date;
import java.util.Properties;
import javax.security.auth.login.CredentialExpiredException;

/* loaded from: input_file:lib/securityimpl.jar:com/ibm/ws/security/icsf/ICSFServerObject.class */
/**
 * Server-side holder for the ICSF authentication mechanism: a process-wide
 * singleton that owns the ICSF crypto key label and produces ICSF-token-backed
 * {@link WSCredential}s for an already-authenticated credential.
 *
 * <p>This listing is decompiler (JADX) output. Two methods, {@link #authenticate}
 * and {@link #validate}, could not be decompiled and appear here as stubs that
 * throw {@link UnsupportedOperationException}; the anonymous
 * {@code PrivilegedExceptionAction} inside {@link #createICSFToken} carries
 * synthetic-field artifacts (the {@code r6} reference). Everything documented
 * below is taken from the code that was recovered, not from the original source.
 *
 * <p>Thread-safety is not established by the recovered code: the static
 * singleton {@code icsfServer} is lazily created by an unsynchronized
 * check-then-init (see {@link #getICSFServer()}).
 */
public class ICSFServerObject {
    // Trace component for this class; registered in the static initializer below.
    private static final TraceComponent tc;
    // The following four constants are declared but not referenced by any recovered method.
    private static final String NONE = "";
    private static final String USERTYPE = "user";
    private static final String GROUPTYPE = "group";
    private static final String ROLETYPE = "role";
    // Access-id type prefixes; index 0 is "group", index 1 is "user" (see static initializer).
    private static final String[] supportedTypes;
    // Indices into supportedTypes. getSecurityName uses the literal indices 0 and 1 rather than these names.
    private static final int GROUP = 0;
    private static final int USER = 1;
    // Separators of the "type:realm/name" access-id form. getRelativeName uses the literals "/" and ":" directly.
    private static final String realmSeparator = "/";
    private static final String typeSeparator = ":";
    // Realm of the backing registry; (re)assigned on every getRelativeName call.
    private String realm;
    // Registry resolved for the default realm in the private constructor; shared by all instances.
    private static UserRegistryImpl userRegistry;
    // Token lifetime. createICSFToken multiplies it by 60 * 1000 before adding it to a millisecond clock, so the unit is minutes.
    private static long expirationLimit;
    // Held as raw byte arrays; the recovered code only ever stores null here and never reads or zeroes them.
    private byte[] adminPassword;
    private byte[] new_adminPassword;
    // ICSF key label in Cp1047 (EBCDIC) bytes; a clone is handed to ICSFToken.encrypt for each token.
    private byte[] icsfKeyLabel;
    // Set to "1.0" in the static initializer; not read by any recovered method.
    private static String CURRENT_ICSF_VERSION;
    public static final String ICSF_VERSION_PROPERTY = "com.ibm.websphere.icsf.version";
    // Same key that initICSFServer reads from SecurityConfig (as a literal) to obtain the key label.
    public static final String ICSF_LABEL = "was.security.ISCF.cryptoKey";
    // Lazily-created singleton; stays null when ICSF is not the active authentication mechanism.
    protected static ICSFServerObject icsfServer;
    // FIPS mode flag and the JCE provider name captured when FIPS is enabled; exposed via useFIPS()/defaultJCEProvider().
    static boolean _useFIPS;
    static String _defaultJCEProvider;
    // Java 2 Security permission demanded by getICSFServer() when a SecurityManager is installed.
    private static final WebSphereRuntimePermission ACCESS_ICSF_SERVER_OBJECT;
    // javac 1.4-era synthetic cache for the class literal used to register the trace component.
    static Class class$com$ibm$ws$security$icsf$ICSFServerObject;

    /**
     * Returns the process-wide ICSF server object, creating it on first use.
     *
     * <p>When a {@link SecurityManager} is installed, the caller must hold
     * {@code ACCESS_ICSF_SERVER_OBJECT}; otherwise no permission check is made.
     *
     * <p>NOTE(review): the null check and {@link #initICSFServer()} are not
     * synchronized, so two threads making the first call concurrently may both
     * enter initialization; whether that is benign depends on the private
     * constructor's side effects (it reassigns the static registry and
     * expiration fields).
     *
     * @return the singleton, or {@code null} when the active authentication
     *         mechanism is not ICSF (see {@link #initICSFServer()})
     * @throws ICSFConfigException if initialization fails
     * @throws SecurityException if the permission check fails
     */
    public static ICSFServerObject getICSFServer() throws ICSFConfigException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getICSFServer");
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, new StringBuffer().append("Expecting : ").append(ACCESS_ICSF_SERVER_OBJECT.toString()).toString());
            }
            securityManager.checkPermission(ACCESS_ICSF_SERVER_OBJECT);
        }
        if (icsfServer == null) {
            initICSFServer();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getICSFServer");
        }
        return icsfServer;
    }

    /**
     * Builds the singleton from {@link SecurityConfig} values.
     *
     * <p>If {@code security.activeAuthMechanism} is not ICSF the singleton is
     * left {@code null} and no error is raised. Otherwise the timeout
     * ({@code was.security.ISCF.timeout}, a {@link Long}) and the key label
     * ({@code was.security.ISCF.cryptoKey}) are required; when either is
     * missing an error is logged and {@link ICSFConfigException} is thrown.
     * FIPS mode is enabled when {@code com.ibm.security.useFIPS} is "true",
     * in which case the {@code DEFAULT_JCE_PROVIDER} security property is
     * captured as the default provider.
     *
     * <p>Note that the mechanism check on the first line is outside the
     * try block and dereferences the config value directly, so a missing
     * {@code security.activeAuthMechanism} surfaces as a
     * {@link NullPointerException} rather than an {@link ICSFConfigException}.
     * Inside the try, any other exception is re-thrown as an
     * {@link ICSFConfigException} carrying only the message; the original
     * cause is not chained.
     *
     * @throws ICSFConfigException when required configuration is absent or
     *         construction of the server object fails
     */
    /* JADX WARN: Type inference failed for: r14v1, types: [java.lang.Throwable, com.ibm.ws.security.icsf.ICSFConfigException] */
    private static void initICSFServer() throws ICSFConfigException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initICSFServer");
        }
        if (!((String) SecurityConfig.getConfig().getValue("security.activeAuthMechanism")).equals(SecurityConfig.AUTH_MECHANISM_ICSF)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not Using ICSF");
            }
            icsfServer = null;
        } else if (icsfServer == null) {
            try {
                Long l = (Long) SecurityConfig.getConfig().getValue("was.security.ISCF.timeout");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("ICSF_EXPIRATION_TIME set to ").append(SecurityConfig.getConfig().getValue("was.security.ISCF.timeout")).toString());
                }
                String str = (String) SecurityConfig.getConfig().getValue("was.security.ISCF.cryptoKey");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("ICSF_LABEL set to ").append(SecurityConfig.getConfig().getValue("was.security.ISCF.cryptoKey")).toString());
                }
                if (l == null || str == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "One or more of the required ICSF configuration items are either null or unavailable, can't init ICSFServerObject");
                    }
                    Tr.error(tc, "security.TokenMechanismFactory.badicsfconfig", new Object[]{l, str});
                    throw new ICSFConfigException("ICSF Configuration error, One or more of the required ICSF configuration items are either null or unavailable, can't init ICSF ServerObject");
                }
                // No registry and no admin password are passed; the constructor resolves the registry itself.
                icsfServer = new ICSFServerObject(null, l.longValue(), null, str);
                if (((String) SecurityConfig.getConfig().getValue("com.ibm.security.useFIPS")).equalsIgnoreCase("true")) {
                    _useFIPS = true;
                    _defaultJCEProvider = Security.getProperty("DEFAULT_JCE_PROVIDER");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("useFIPS = ").append(_useFIPS).toString());
                    if (_useFIPS) {
                        Tr.debug(tc, new StringBuffer().append("defaultJCEProvider = ").append(_defaultJCEProvider).toString());
                    }
                }
            } catch (ICSFConfigException e) {
                Tr.error(tc, new StringBuffer().append("com.ibm.ws.security.core.TokenMechanismFactory.initICSFServer").append(e.toString()).toString());
                throw e;
            } catch (Exception e2) {
                // Wraps the message only; the cause is lost to callers.
                Tr.error(tc, "security.TokenMechanismFactory.icsfconfigerr", new Object[]{e2});
                throw new ICSFConfigException(e2.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initICSFServer");
        }
    }

    /**
     * Public no-argument constructor. Leaves the key label and the static
     * registry/expiration fields untouched, so an instance built this way is
     * not usable for {@link #createICSFToken} (its {@code icsfKeyLabel} is
     * {@code null}). Presumably present for framework instantiation; the
     * recovered code does not call it.
     */
    public ICSFServerObject() {
        this.realm = null;
        this.adminPassword = null;
        this.new_adminPassword = null;
    }

    /**
     * Initializes the singleton's state.
     *
     * <p>The {@code userRegistry2} parameter is not used; the registry is
     * always resolved from the default realm via
     * {@link SecurityServerImpl#getRegistryImpl}. The key label is stored as
     * Cp1047 (EBCDIC) bytes, which is the encoding ICSF on z/OS is expected
     * to receive — TODO confirm against the ICSFToken implementation.
     *
     * @param userRegistry2 ignored
     * @param j token lifetime in minutes, stored in the static {@code expirationLimit}
     * @param bArr admin password bytes; stored as-is (the only recovered caller passes {@code null})
     * @param str ICSF key label
     * @throws ICSFConfigException if the label cannot be encoded or any other
     *         exception occurs; only the message is preserved, not the cause
     */
    private ICSFServerObject(UserRegistry userRegistry2, long j, byte[] bArr, String str) throws ICSFConfigException {
        this.realm = null;
        this.adminPassword = null;
        this.new_adminPassword = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "ICSFServerObject");
        }
        // Static fields are overwritten on every construction.
        userRegistry = (UserRegistryImpl) SecurityServerImpl.getRegistryImpl(ContextManagerFactory.getInstance().getDefaultRealm());
        expirationLimit = j;
        this.adminPassword = bArr;
        try {
            this.icsfKeyLabel = str.getBytes("Cp1047");
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "ICSFServerObject");
            }
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.icsf.ICSFServerObject.ICSFServerObject", "105", this);
            Tr.error(tc, "security.ltpa.init.error", new Object[]{e});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "ICSFServerObject", e);
            }
            throw new ICSFConfigException(e.getMessage());
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.icsf.ICSFServerObject.ICSFServerObject", "87", this);
            Tr.error(tc, "security.ltpa.init.error", new Object[]{e2});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "ICSFServerObject", e2);
            }
            throw new ICSFConfigException(e2.getMessage());
        }
    }

    /**
     * Returns the stored key label bytes without copying. Not referenced by
     * any recovered method.
     *
     * @return the internal {@code icsfKeyLabel} array (may be {@code null})
     */
    private byte[] getICSFKeyLabel() {
        return this.icsfKeyLabel;
    }

    /**
     * Wraps an authenticated credential in a new {@link WSCredentialImpl}
     * carrying an encrypted {@link ICSFToken}.
     *
     * <p>The token is built from the credential's access id with an expiry of
     * now plus {@code expirationLimit} minutes, then encrypted with a clone of
     * the key label. The new credential is constructed inside a privileged
     * action using the {@code security.activeAuthMechanism.OID} config value
     * as the token OID and {@code true} as the flag argument to
     * {@code WSCredentialImpl} (its meaning is not visible here).
     *
     * @param wSCredential the credential to wrap; must have a non-null access id
     * @return the new forwardable credential
     * @throws TokenCreationFailedException if the access id is null, the
     *         credential is destroyed or expired, or the privileged
     *         construction fails (message only; cause not chained)
     */
    public WSCredential createICSFToken(WSCredential wSCredential) throws TokenCreationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createICSFToken");
        }
        try {
            String accessId = wSCredential.getAccessId();
            if (accessId == null) {
                Tr.error(tc, "security.ltpa.credmap.failed.nullaccessid");
                throw new TokenCreationFailedException("Cannot create token since accessID is null");
            }
            // expirationLimit is in minutes; Date.getTime() is milliseconds.
            ICSFToken iCSFToken = new ICSFToken(accessId, new Date().getTime() + (expirationLimit * 60 * 1000));
            // Clone so the token cannot mutate the shared label.
            iCSFToken.encrypt((byte[]) this.icsfKeyLabel.clone());
            try {
                // Decompiler artifact: "r6" below stands for the OID argument evaluated here from SecurityConfig.
                WSCredential wSCredential2 = (WSCredential) AccessController.doPrivileged(new PrivilegedExceptionAction(this, wSCredential, (String) SecurityConfig.getConfig().getValue("security.activeAuthMechanism.OID"), iCSFToken) { // from class: com.ibm.ws.security.icsf.ICSFServerObject.1
                    // Captured locals of the enclosing method (synthetic fields as emitted by the decompiler).
                    private final WSCredential val$cred;
                    private final String val$oid;
                    private final ICSFToken val$privToken;
                    private final ICSFServerObject this$0;

                    {
                        this.this$0 = this;
                        this.val$cred = wSCredential;
                        this.val$oid = r6;
                        this.val$privToken = iCSFToken;
                    }

                    /** Builds the wrapping credential with the token bytes and its expiration. */
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws Exception {
                        return new WSCredentialImpl(this.val$cred, this.val$oid, this.val$privToken.getBytes(), true, this.val$privToken.getExpiration());
                    }
                });
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "createICSFToken");
                }
                return wSCredential2;
            } catch (PrivilegedActionException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception occurred creating new WS cred.", new Object[]{e.getException()});
                }
                FFDCFilter.processException(e.getException(), "com.ibm.ws.security.icsf.ICSFServerObject.createICSFToken", "245", this);
                Exception exception = e.getException();
                throw new TokenCreationFailedException(exception != null ? exception.getMessage() : "Exception occurred creating new WS cred.");
            }
        } catch (CredentialDestroyedException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.icsf.ICSFServerObject.createICSFToken", "158", this);
            Tr.error(tc, "security.secsrv.basic.destroy", new Object[]{e2});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential has been destroyed.");
            }
            throw new TokenCreationFailedException(e2.getMessage());
        } catch (CredentialExpiredException e3) {
            FFDCFilter.processException(e3, "com.ibm.ws.security.icsf.ICSFServerObject.createICSFToken", "164", this);
            Tr.error(tc, "security.secsrv.basic.expired", new Object[]{e3});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential has expired.");
            }
            throw new TokenCreationFailedException(e3.getMessage());
        }
    }

    /**
     * Authenticates basic-auth data against the registry.
     *
     * <p>NOT RECOVERED: the decompiler failed on this method and emitted a
     * stub that always throws {@link UnsupportedOperationException}; the
     * original behaviour must be read from the shipped bytecode. The
     * fragments it did recover (in the warnings below) show the method
     * logging the {@code userRegistry} field and returning
     * {@code ContextManagerFactory.getInstance().getUnauthenticatedCredential()}
     * when that field is {@code null}; the rest is unknown.
     *
     * @param r8 the basic authentication data
     * @return the authenticated credential (per the declared signature)
     * @throws WSLoginFailedException per the declared signature
     */
    /* JADX WARN: Code restructure failed: missing block: B:37:0x0051, code lost:
    
        if (com.ibm.ws.security.icsf.ICSFServerObject.tc.isDebugEnabled() == false) goto L19;
     */
    /* JADX WARN: Code restructure failed: missing block: B:38:0x0054, code lost:
    
        com.ibm.ejs.ras.Tr.debug(com.ibm.ws.security.icsf.ICSFServerObject.tc, new java.lang.StringBuffer().append("Obtaining userRegistry object: ").append(com.ibm.ws.security.icsf.ICSFServerObject.userRegistry).toString());
     */
    /* JADX WARN: Code restructure failed: missing block: B:40:0x0072, code lost:
    
        if (com.ibm.ws.security.icsf.ICSFServerObject.userRegistry != null) goto L23;
     */
    /* JADX WARN: Code restructure failed: missing block: B:42:0x007d, code lost:
    
        return com.ibm.ws.security.core.ContextManagerFactory.getInstance().getUnauthenticatedCredential();
     */
    /* JADX WARN: Code restructure failed: missing block: B:46:0x0051, code lost:
    
        if (com.ibm.ws.security.icsf.ICSFServerObject.tc.isDebugEnabled() == false) goto L19;
     */
    /* JADX WARN: Code restructure failed: missing block: B:47:0x0054, code lost:
    
        com.ibm.ejs.ras.Tr.debug(com.ibm.ws.security.icsf.ICSFServerObject.tc, new java.lang.StringBuffer().append("Obtaining userRegistry object: ").append(com.ibm.ws.security.icsf.ICSFServerObject.userRegistry).toString());
     */
    /* JADX WARN: Code restructure failed: missing block: B:49:0x0072, code lost:
    
        if (com.ibm.ws.security.icsf.ICSFServerObject.userRegistry != null) goto L23;
     */
    /* JADX WARN: Code restructure failed: missing block: B:51:0x007d, code lost:
    
        return com.ibm.ws.security.core.ContextManagerFactory.getInstance().getUnauthenticatedCredential();
     */
    /* JADX WARN: Code restructure failed: missing block: B:53:0x0048, code lost:
    
        throw r10;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public com.ibm.websphere.security.cred.WSCredential authenticate(com.ibm.ws.security.auth.BasicAuthData r8) throws com.ibm.websphere.security.auth.WSLoginFailedException {
        /*
            Method dump skipped, instructions count: 286
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.icsf.ICSFServerObject.authenticate(com.ibm.ws.security.auth.BasicAuthData):com.ibm.websphere.security.cred.WSCredential");
    }

    /**
     * Not supported by this mechanism: always throws.
     *
     * @param bArr ignored
     * @throws WSLoginFailedException always
     * @throws RemoteException declared but never thrown by this implementation
     */
    public WSCredential authenticateLoginToken(byte[] bArr) throws WSLoginFailedException, RemoteException {
        throw new WSLoginFailedException("ICSFServerObject: authenticateLoginToken not implemented");
    }

    /**
     * Validates an ICSF token and reconstructs a credential from it.
     *
     * <p>NOT RECOVERED: the decompiler aborted on this method (error below)
     * and emitted a stub that always throws {@link UnsupportedOperationException}.
     * This is the security-critical path of the class (token decryption,
     * expiry check against {@code expirationLimit}, and access-id to
     * security-name resolution via {@link #getSecurityName}) — presumably,
     * since those helpers have no other recovered caller — and must be
     * reviewed from the bytecode.
     *
     * @param r8 the raw token bytes
     * @return the reconstructed credential (per the declared signature)
     * @throws WSLoginFailedException per the declared signature
     */
    /*  JADX ERROR: JadxRuntimeException in pass: BlockSplitter
        jadx.core.utils.exceptions.JadxRuntimeException: Incorrect nodes count for selectOther: B:27:0x0085 in [B:19:0x0067, B:27:0x0085, B:20:0x006a, B:23:0x007d]
        	at jadx.core.utils.BlockUtils.selectOther(BlockUtils.java:64)
        	at jadx.core.dex.visitors.blocks.ResolveJavaJSR.processBlocks(ResolveJavaJSR.java:101)
        	at jadx.core.dex.visitors.blocks.ResolveJavaJSR.lambda$resolveForRetBlock$1(ResolveJavaJSR.java:59)
        	at jadx.core.utils.BlockUtils.traversePredecessors(BlockUtils.java:548)
        	at jadx.core.utils.BlockUtils.visitPredecessorsUntil(BlockUtils.java:536)
        	at jadx.core.dex.visitors.blocks.ResolveJavaJSR.resolveForRetBlock(ResolveJavaJSR.java:52)
        	at jadx.core.dex.visitors.blocks.ResolveJavaJSR.resolve(ResolveJavaJSR.java:42)
        	at jadx.core.dex.visitors.blocks.ResolveJavaJSR.process(ResolveJavaJSR.java:27)
        	at jadx.core.dex.visitors.blocks.BlockSplitter.visit(BlockSplitter.java:72)
        */
    public com.ibm.websphere.security.cred.WSCredential validate(byte[] r8) throws com.ibm.websphere.security.auth.WSLoginFailedException {
        /*
            Method dump skipped, instructions count: 704
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.icsf.ICSFServerObject.validate(byte[]):com.ibm.websphere.security.cred.WSCredential");
    }

    /**
     * Resolves an access id of the form {@code type:realm/name} to the
     * registry's security name for that entry.
     *
     * <p>The type is decided by prefix: {@code supportedTypes[1]} ("user")
     * routes to {@code getUserSecurityName}, {@code supportedTypes[0]}
     * ("group") to {@code getGroupSecurityName}; any other prefix is rejected.
     * The realm segment is checked by {@link #getRelativeName} before the
     * registry is consulted.
     *
     * @param str the full access id
     * @return the registry security name
     * @throws UnsupportedEntryTypeException if the prefix is neither user nor group
     * @throws CustomRegistryException on realm mismatch or registry failure
     * @throws EntryNotFoundException if the registry has no such entry
     * @throws RemoteException on registry communication failure
     */
    private String getSecurityName(String str) throws CustomRegistryException, EntryNotFoundException, UnsupportedEntryTypeException, RemoteException {
        String groupSecurityName;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityName", str);
        }
        String relativeName = getRelativeName(str);
        if (str.startsWith(supportedTypes[1])) {
            groupSecurityName = userRegistry.getUserSecurityName(relativeName);
        } else {
            if (!str.startsWith(supportedTypes[0])) {
                UnsupportedEntryTypeException unsupportedEntryTypeException = new UnsupportedEntryTypeException("not USER or GROUP");
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getSecurityName", unsupportedEntryTypeException);
                }
                Tr.error(tc, "security.ltpa.badtype", new Object[]{unsupportedEntryTypeException});
                throw unsupportedEntryTypeException;
            }
            groupSecurityName = userRegistry.getGroupSecurityName(relativeName);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityName", groupSecurityName);
        }
        return groupSecurityName;
    }

    /**
     * Strips the {@code type:realm/} prefix from an access id after checking
     * that the realm segment matches the registry's current realm.
     *
     * <p>The realm segment is the text between the first {@code ':'} and the
     * first {@code '/'}; it must equal {@code userRegistry.getRealm()} both in
     * length and content, otherwise {@link CustomRegistryException} is thrown.
     * When the id contains no {@code '/'} it is returned unchanged and no
     * realm check is performed. When it contains no {@code ':'}
     * ({@code indexOf2 == -1}) the comparison starts at offset 0, i.e. the
     * realm must be the leading segment. As a side effect this method
     * overwrites {@code this.realm} with the registry's realm on every call.
     *
     * @param str the full access id
     * @return the part after the realm separator, or {@code str} itself when
     *         there is no separator
     * @throws CustomRegistryException if the embedded realm does not match
     * @throws RemoteException on registry communication failure
     */
    private String getRelativeName(String str) throws CustomRegistryException, RemoteException {
        int indexOf = str.indexOf("/");
        String str2 = str;
        this.realm = userRegistry.getRealm();
        if (indexOf >= 0) {
            int indexOf2 = str.indexOf(":");
            // Exact-length check plus startsWith at the realm offset together require equality of the segment.
            if ((indexOf - indexOf2) - 1 != this.realm.length() || !str.startsWith(this.realm, indexOf2 + 1)) {
                Tr.error(tc, "security.ltpa.realm_mismatch");
                throw new CustomRegistryException(new StringBuffer().append("The realm in the token: ").append(str.substring(indexOf2 + 1, indexOf)).append(" does not match the current realm: ").append(this.realm).toString());
            }
            str2 = str.substring(indexOf + 1);
        }
        return str2;
    }

    /**
     * No-op: this mechanism imports no SSO properties.
     *
     * @param properties ignored
     * @param bArr ignored
     * @throws Exception declared but never thrown
     */
    public synchronized void importSSOProperties(Properties properties, byte[] bArr) throws Exception {
    }

    /**
     * Exports SSO properties; this mechanism has none.
     *
     * @return a new, empty {@link Properties}
     * @throws Exception declared but never thrown
     */
    public Properties exportSSOProperties() throws Exception {
        return new Properties();
    }

    /**
     * Not supported by this mechanism: traces entry/exit and then always throws.
     *
     * @param basicAuthData ignored
     * @throws RemoteException always
     */
    public byte[] issueLoginToken(BasicAuthData basicAuthData) throws RemoteException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "issueLoginToken");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "issueLoginToken");
        }
        throw new RemoteException("issueLoginToken not implemented");
    }

    /**
     * Encodes a string as UTF-8 bytes. Not referenced by any recovered method.
     *
     * @param str the string to encode
     * @return the UTF-8 bytes, or {@code null} if the "UTF8" charset is
     *         unsupported (logged at debug level, unguarded by isDebugEnabled)
     */
    private static byte[] toBytes(String str) {
        byte[] bArr = null;
        try {
            bArr = str.getBytes("UTF8");
        } catch (UnsupportedEncodingException e) {
            Tr.debug(tc, new StringBuffer().append("to UTF8 bytes =").append(e.toString()).toString());
        }
        return bArr;
    }

    /** @return whether FIPS mode was enabled during {@link #initICSFServer()} */
    static boolean useFIPS() {
        return _useFIPS;
    }

    /** @return the default JCE provider name ("IBMJCE" unless FIPS mode replaced it) */
    static String defaultJCEProvider() {
        return _defaultJCEProvider;
    }

    /**
     * javac 1.4-era synthetic helper backing the {@code X.class} literal.
     *
     * <p>As decompiled, the throw expression has static type {@link Throwable}
     * (the return type of {@code initCause}), which would not compile without
     * a cast; the original bytecode presumably casts back to
     * {@link NoClassDefFoundError}.
     *
     * @param str fully-qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    // Class initialization: trace registration, type table and defaults. Order matters
    // because tc is used by every method and supportedTypes by getSecurityName.
    static {
        Class cls;
        if (class$com$ibm$ws$security$icsf$ICSFServerObject == null) {
            cls = class$("com.ibm.ws.security.icsf.ICSFServerObject");
            class$com$ibm$ws$security$icsf$ICSFServerObject = cls;
        } else {
            cls = class$com$ibm$ws$security$icsf$ICSFServerObject;
        }
        tc = Tr.register(cls, (String) null, "com.ibm.ejs.resources.security");
        // Index 0 = group, index 1 = user (matches the GROUP/USER constants).
        supportedTypes = new String[]{"group", "user"};
        CURRENT_ICSF_VERSION = "1.0";
        icsfServer = null;
        _useFIPS = false;
        _defaultJCEProvider = "IBMJCE";
        ACCESS_ICSF_SERVER_OBJECT = new WebSphereRuntimePermission("accessICSFServerObject");
    }
}
