package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.crypto.provider.AESKeySpec;
import com.ibm.misc.HexDumpEncoder;
import com.ibm.security.krb5.wss.KerberosTokenConfig;
import com.ibm.security.krb5.wss.KerberosTokenConsumer;
import com.ibm.security.trust10.util.DerivedKeyGenerator;
import com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallback;
import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.sib.wsrm.WSRMConstants;
import com.ibm.ws.wssecurity.config.KRBConfig;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.handler.PolicyConfigUtil;
import com.ibm.ws.wssecurity.handler.PolicyInboundConfig;
import com.ibm.ws.wssecurity.keyinfo.WSSKeyInfoComponent;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.KRB5TokenCacheUtil;
import com.ibm.ws.wssecurity.util.KRB5Util;
import com.ibm.ws.wssecurity.util.TokenHolder;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import java.security.AccessController;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedAction;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/KRBConsumeLoginModule.class */
public class KRBConsumeLoginModule implements LoginModule {
    private static final String comp = "security.wssecurity";
    private static final String newline = "\n";
    // Outcome of the most recent login(); reset to false at the start of every login() call.
    private boolean loginSucceeded = false;
    // Set from Axis2Util.isServiceProvider(...) in login(); not read anywhere in the part of the class shown here.
    private boolean isServer = false;
    // Not referenced in the part of the class visible here.
    private KRBConfig config = null;
    // Token resolved by login() (a Kerberos token, or a DKToken on the KeyInfo path); published by commit().
    private SecurityToken _token;
    // Taken from the processing context in login() under Constants.WSSECURITY_SECURITY_TOKEN_MANAGER.
    private SecurityTokenManagerImpl _securityTokenManager;
    // Processing context handed back by the PropertyCallback in login(); also used to pass results to the caller.
    private Map<Object, Object> _context;
    // Supplied by initialize(); login() throws LoginException when it is null.
    private CallbackHandler _handler;
    // JAAS shared state (raw Map); login() stores the AP_REQ key bytes here under Constants.BASE_TOKEN_KEY_BYTES.
    private Map _sharedState;
    // JAAS options (raw Map); not read in the part of the class visible here.
    private Map _options;
    // Created empty in initialize(); not populated in the part of the class visible here.
    private List<SecurityToken> _processedTokens;
    private List<SecurityToken> _insertedTokens;
    private static final TraceComponent tc = Tr.register(KRBConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = KRBConsumeLoginModule.class.getName();
    // Shared across all instances for debug hex dumps of key material.
    // NOTE(review): HexDumpEncoder thread-safety is not established here — confirm before relying on concurrent use.
    private static final HexDumpEncoder hexDumper = new HexDumpEncoder();

    /**
     * JAAS abort phase. This module keeps nothing to roll back, so it only traces the
     * call and reports {@code false} (the {@link LoginModule} convention for "ignore
     * this module").
     * <p>
     * NOTE(review): the token resolved by login() and any key bytes that login() placed
     * in the shared state are not cleared here; confirm the caller discards them.
     *
     * @return always {@code false}
     * @throws LoginException never thrown by this implementation
     */
    @Override
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
            Tr.exit(tc, "abort()");
        }
        return false;
    }

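    /**
     * JAAS commit phase: publishes the token resolved by {@link #login()} to the
     * security token manager and records it in the processing context under
     * {@code Constants.WSSECURITY_TOKEN_PROCESSED}.
     * <p>
     * Per the {@link LoginModule} contract, a module whose own login attempt did not
     * succeed contributes nothing and returns {@code false}. The previous version
     * published {@code _token} unconditionally, which could register a {@code null}
     * or stale token after a failed login.
     *
     * @return {@code true} if the token was published; {@code false} if login did not
     *         succeed (or no token was resolved) and this module should be ignored
     * @throws LoginException never thrown by this implementation
     */
    @Override
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        // Nothing to publish unless login() resolved a token.
        if (!this.loginSucceeded || this._token == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "commit() skipped: login did not succeed or no token was resolved.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "commit()");
            }
            return false;
        }
        this._securityTokenManager.addToken(this._token);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The token hash value = " + this._token.hashCode());
        }
        this._context.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._token);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }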

    /**
     * JAAS initialisation: stores the callback handler, shared state and options and
     * creates empty token lists. The {@code subject} argument is not retained.
     *
     * @param subject the JAAS subject; ignored by this module
     * @param callbackHandler handler used by {@link #login()} to obtain the processing context
     * @param map the JAAS shared state
     * @param map2 the JAAS options
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        final boolean traceEntry = tc.isEntryEnabled();
        if (traceEntry) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._handler = callbackHandler;
        this._sharedState = map;
        this._options = map2;
        this._processedTokens = new ArrayList<SecurityToken>();
        this._insertedTokens = new ArrayList<SecurityToken>();
        if (traceEntry) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

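    /**
     * JAAS login phase for an inbound Kerberos token.
     * <p>
     * Obtains the processing context through the callback handler, checks that the
     * requested (or configured) value type is one of the six supported Kerberos AP_REQ
     * types, then resolves the token according to the element being processed:
     * <ul>
     *   <li>a {@code wsse}/{@code wsse11} {@code BinarySecurityToken} is validated via
     *       {@link #processBST};</li>
     *   <li>a {@code DerivedKeyToken} is resolved via {@link #verifyDKTokenElement} and the
     *       base token's AP_REQ key bytes are placed in the shared state;</li>
     *   <li>otherwise the token is located through the KeyInfo reference or key identifier
     *       held in the context and {@link #retrieveKey()} attaches its key; a resolved
     *       {@code DKToken} is followed back to its Kerberos base token.</li>
     * </ul>
     * On success the token is attached to the Axis2 message context.
     * <p>
     * Changes relative to the previous version: the BinarySecurityToken ValueType check now
     * covers {@code KRB5_GSS_AP_REQ4120_TOKEN} (it tested {@code KRB5_GSS_AP_REQ1510_TOKEN}
     * twice, so a GSS 4120 BST was rejected although the value-type check above accepts it);
     * the debug trace reports the size of the AP_REQ key bytes instead of a hex dump of the
     * key material; the exception rewrapped in the configuration phase keeps its cause.
     *
     * @return the outcome of this module's authentication attempt
     * @throws LoginException if no callback handler is set, the value type is not a
     *         supported Kerberos type, or any failure occurs while resolving the token
     */
    @Override
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        this.loginSucceeded = false;
        if (this._handler == null) {
            throw new LoginException("No callback handler is available.");
        }
        KRBTokenConsumeCallback tokenCallback = new KRBTokenConsumeCallback();
        PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            this._handler.handle(new Callback[]{propertyCallback, tokenCallback});
            this._context = propertyCallback.getProperties();
            this._securityTokenManager = (SecurityTokenManagerImpl) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            MessageContext messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            try {
                this.isServer = Axis2Util.isServiceProvider(messageContext);
                // Read but not acted on in this build (the listing held an empty branch for it).
                String forwardable = (String) tokenConsumerConfig.getProperties().get(com.ibm.ws.wssecurity.common.Constants.TOKEN_FORWARDABLE);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Token forwardable property: " + forwardable);
                }
                // The value type requested through the callback wins over the configured one.
                QName valueType = tokenCallback.getValueType();
                if (valueType == null) {
                    valueType = tokenConsumerConfig.getType();
                }
                if (isAuthnAuditRequired()) {
                    WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.AUTHN_TYPE, valueType.toString());
                }
                if (!isSupportedKrb5ValueType(valueType)) {
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PrivateConsumerConfig.s30", new String[]{valueType.toString(), supportedKrb5ValueTypesMessage()}));
                }
                this._context.put(Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING, null);
                try {
                    OMElement processing = (OMElement) this._context.get(com.ibm.ws.wssecurity.common.Constants.PROCESSING_ELEMENT);
                    if (processing != null && isWsseBinarySecurityToken(processing)) {
                        String bstValueType = DOMUtils.getAttribute(processing, com.ibm.ws.wssecurity.common.Constants.VALUETYPE_Q.getLocalPart());
                        // The ValueType attribute must name one of the supported Kerberos types (all six, including GSS 4120).
                        if (!mentionsSupportedKrb5ValueType(bstValueType)) {
                            throw new LoginException("Encountered invalid BST with invalid ValueType: " + bstValueType);
                        }
                        this.loginSucceeded = processBST(processing, null, tokenCallback);
                    } else if (processing != null && processing.getLocalName().equals("DerivedKeyToken")) {
                        this.loginSucceeded = verifyDKTokenElement(processing, tokenConsumerConfig);
                        if (this.loginSucceeded) {
                            publishBaseKeyBytes((KRB5TokenImpl) this._token);
                        }
                    } else {
                        resolveTokenFromKeyInfo();
                    }
                    if (this._token instanceof KRB5TokenImpl) {
                        traceKrb5TokenDetails((KRB5TokenImpl) this._token);
                    }
                    if (this.loginSucceeded) {
                        TokenHolder.setInboundTokenToContext((KRB5TokenImpl) this._token, messageContext);
                    }
                    if (isAuthnAuditRequired()) {
                        WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.TOKEN_ID, this._token.getId());
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "login()");
                    }
                    return this.loginSucceeded;
                } catch (Throwable th) {
                    Tr.error(tc, "security.wssecurity.KRBConsumeLoginModule.s02", th);
                    // NOTE(review): the LoginException message embeds the formatted stack of the
                    // underlying error; confirm it is not propagated to the remote peer in a fault.
                    throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBConsumeLoginModule.s02", new String[]{KRB5Util.stackToString(th)}));
                }
            } catch (Exception e) {
                // Rewrap with the same message, but keep the cause for diagnostics.
                LoginException wrapped = new LoginException(e.getMessage());
                wrapped.initCause(e);
                throw wrapped;
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule", "%C", this);
            Tr.processException(e2, clsName + ".login", "%C", this);
            throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBConsumeLoginModule.s02", new String[]{KRB5Util.stackToString(e2)}));
        }
    }

    /** Locates the token via the KeyInfo reference/key identifier in the context, attaches its key, and follows a DKToken back to its Kerberos base token. */
    private void resolveTokenFromKeyInfo() throws LoginException, InvalidKeyException, NoSuchProviderException, InvalidKeySpecException, NoSuchAlgorithmException {
        String keyInfoType = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
        boolean byKeyIdentifier = keyInfoType != null && ConfigUtil.isKeyInfoKeyid(keyInfoType);
        boolean byStrReference = keyInfoType != null && ConfigUtil.isKeyInfoStrref(keyInfoType);
        if (byStrReference) {
            this.loginSucceeded = mapRefUriToToken((String) this._context.get(Constants.WSSECURITY_KEY_REFERENCE));
        } else if (byKeyIdentifier) {
            this.loginSucceeded = mapKeyIdToToken((String) this._context.get(Constants.WSSECURITY_KEY_ID), (QName) this._context.get(Constants.WSSECURITY_KEY_ENCODING), (QName) this._context.get(Constants.WSSECURITY_KEY_VALUETYPE));
        }
        if (!this.loginSucceeded) {
            return;
        }
        this.loginSucceeded = retrieveKey();
        if (!this.loginSucceeded || !(this._token instanceof DKToken)) {
            return;
        }
        // A DerivedKeyToken was resolved: find the Kerberos token it references.
        DKToken derivedKeyToken = (DKToken) this._token;
        String referencedId = derivedKeyToken.getrefTokenId();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found DKToken of id: " + this._token.getId() + "...referencing token of id: " + referencedId);
        }
        if (!KRB5Util.hasValue(referencedId)) {
            if (tc.isDebugEnabled()) {
                Tr.warning(tc, "Could not find referenced token of tid: " + referencedId + " from DKToken of id: " + this._token.getId());
            }
            return;
        }
        this.loginSucceeded = mapRefUriToToken(referencedId);
        if (!this.loginSucceeded) {
            this.loginSucceeded = mapKeyIdToToken(referencedId, derivedKeyToken.getKeyIdentifierEncodingType(), derivedKeyToken.getKeyIdentifierValueType());
        }
        if (!this.loginSucceeded) {
            if (tc.isDebugEnabled()) {
                Tr.warning(tc, "Could not find referenced token of tid: " + referencedId + " from DKToken of id: " + this._token.getId());
            }
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found  referenced token of tid: " + referencedId + " from DKToken of id: " + this._token.getId());
        }
        if (this._token instanceof KRB5TokenImpl) {
            publishBaseKeyBytes((KRB5TokenImpl) this._token);
        } else if (tc.isDebugEnabled()) {
            Tr.warning(tc, "Found  referenced token of tid: " + referencedId + " is not of Kerberos token type");
        }
    }

    /** Copies the secret bytes KRBGenerateLoginModule extracts from the token's AP_REQ into the shared state and marks the token as the master token. */
    private void publishBaseKeyBytes(KRB5TokenImpl token) {
        byte[] keyBytes = KRBGenerateLoginModule.getSecretBytesFromAP_REQ(token.getContextMap());
        if (tc.isDebugEnabled()) {
            // Key material is deliberately not dumped to the trace; only its presence and size are.
            Tr.debug(tc, "Found key from AP_REQ token: " + (keyBytes != null ? keyBytes.length + " bytes" : null));
        }
        if (KRB5Util.hasValue(keyBytes)) {
            this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, keyBytes);
            this._context.put(com.ibm.ws.wssecurity.common.Constants.MASTER_TOKEN, token);
        }
    }

    /** Debug-traces principal, realm, expiry and (when accessible) the request ticket of {@code token}. */
    private void traceKrb5TokenDetails(final KRB5TokenImpl token) {
        if (!tc.isDebugEnabled()) {
            return;
        }
        Tr.debug(tc, "Principal from request Kerberos token: " + token.getPrincipal());
        Tr.debug(tc, "Realm name from request Kerberos token: " + token.getRealmName());
        Tr.debug(tc, "Expired time for request Kerberos token: " + token.getExpirationTime());
        KerberosTicket ticket = AccessController.doPrivileged(new PrivilegedAction<KerberosTicket>() {
            @Override
            public KerberosTicket run() {
                return token.getRequestKRBTicket();
            }
        });
        if (ticket != null) {
            // NOTE(review): KerberosTicket.toString() may include ticket internals; confirm what it prints before enabling this trace in production.
            Tr.debug(tc, "Request Krb ticket in request Kerberos token: " + ticket.toString());
        } else {
            Tr.debug(tc, "No Kerberos ticket is accessible at the moment.");
        }
    }

    /** True if an authentication audit event is required for either a SUCCESS or a DENIED outcome. */
    private static boolean isAuthnAuditRequired() {
        return WSSContextManagerFactory.getInstance().getAuditService().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)
                || WSSContextManagerFactory.getInstance().getAuditService().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED);
    }

    /** True if {@code element} is a BinarySecurityToken in the wsse 1.0 or wsse 1.1 namespace. */
    private static boolean isWsseBinarySecurityToken(OMElement element) {
        String namespaceUri = element.getNamespace().getNamespaceURI();
        boolean wsseNamespace = namespaceUri.equals(com.ibm.ws.wssecurity.common.Constants.NS_WSSE)
                || namespaceUri.equals(com.ibm.ws.wssecurity.common.Constants.NS_WSSE11);
        return wsseNamespace && element.getLocalName().equals("BinarySecurityToken");
    }

    /** The Kerberos AP_REQ value types this consumer accepts (plain and GSS-wrapped, for each spec revision). */
    private static QName[] supportedKrb5ValueTypes() {
        return new QName[]{
            com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ_TOKEN,
            com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ1510_TOKEN,
            com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ4120_TOKEN,
            com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN,
            com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ1510_TOKEN,
            com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ4120_TOKEN
        };
    }

    /** True if {@code valueType} equals one of the supported Kerberos value types. */
    private static boolean isSupportedKrb5ValueType(QName valueType) {
        for (QName supported : supportedKrb5ValueTypes()) {
            if (valueType.equals(supported)) {
                return true;
            }
        }
        return false;
    }

    /** True if the BST ValueType attribute text contains the local part of any supported Kerberos value type. */
    private static boolean mentionsSupportedKrb5ValueType(String bstValueType) {
        for (QName supported : supportedKrb5ValueTypes()) {
            if (bstValueType.contains(supported.getLocalPart())) {
                return true;
            }
        }
        return false;
    }

    /** Builds the "A\n or B\n or ..." list (with trailing newline) used in the unsupported-value-type message. */
    private static String supportedKrb5ValueTypesMessage() {
        StringBuilder listing = new StringBuilder();
        QName[] supported = supportedKrb5ValueTypes();
        for (int i = 0; i < supported.length; i++) {
            if (i > 0) {
                listing.append("\n or ");
            }
            listing.append(supported[i].toString());
        }
        return listing.append(newline).toString();
    }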

    /**
     * JAAS logout phase. Nothing is removed from the Subject; the call is only traced and
     * {@code false} is returned (the {@link LoginModule} convention for "ignore this module").
     * <p>
     * NOTE(review): the resolved token and the key bytes login() stores in the shared
     * state are not cleared here; confirm that is intended.
     *
     * @return always {@code false}
     * @throws LoginException never thrown by this implementation
     */
    @Override
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
            Tr.exit(tc, "logout()");
        }
        return false;
    }

    /**
     * Resolves the Kerberos token referenced by a {@code DerivedKeyToken} element.
     * <p>
     * The reference id is taken from the context ({@code Constants.WSSECURITY_KEY_REFERENCE})
     * or, failing that, from the element's {@code wsse:SecurityTokenReference/Reference}
     * URI with a leading {@code #} stripped. When no id can be found, a
     * {@code wsse:KeyIdentifier} child is tried instead and resolved through
     * {@link #mapKeyIdToToken}. On success the referenced token becomes {@code _token}.
     *
     * @param oMElement the DerivedKeyToken element being processed
     * @param tokenConsumerConfig consumer configuration; not read by this method
     * @return {@code true} if a referenced token was located
     * @throws LoginException propagated from {@link #mapKeyIdToToken}
     */
    public boolean verifyDKTokenElement(OMElement oMElement, TokenConsumerConfig tokenConsumerConfig) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entryMessage = new StringBuilder("consumeDKTokenElement(");
            entryMessage.append("\nOMElement target [").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            Tr.entry(tc, entryMessage.toString());
        }
        // The WS-Security version is passed to DOMUtils.getQName when turning attribute strings into QNames.
        int wssVersion = 0;
        Object versionValue = this._context.get(com.ibm.ws.wssecurity.common.Constants.WSS_VERSION);
        if (versionValue instanceof Integer) {
            wssVersion = ((Integer) versionValue).intValue();
        }
        String referenceId = (String) this._context.get(Constants.WSSECURITY_KEY_REFERENCE);
        OMElement strElement = null;
        if (referenceId == null) {
            strElement = DOMUtils.getChildElement(oMElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "SecurityTokenReference");
            OMElement reference = null;
            if (strElement != null) {
                reference = DOMUtils.getChildElement(strElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "Reference");
            }
            if (reference != null) {
                String uri = reference.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.URI_Q);
                if (KRB5Util.hasValue(uri)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Reference Token URI in DerivedKeyToken element: " + uri);
                    }
                    referenceId = uri.startsWith("#") ? uri.substring(1) : uri;
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No Reference token URI is found.");
                }
            }
        }
        if (referenceId != null) {
            return mapRefUriToToken(referenceId);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No token id is located via Reference-URI. Try KeyIdentifier...");
        }
        if (strElement == null) {
            return false;
        }
        OMElement keyIdentifier = DOMUtils.getChildElement(strElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "KeyIdentifier");
        if (keyIdentifier == null) {
            return false;
        }
        String encodingAttr = keyIdentifier.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.ENCODINGTYPE_Q);
        String valueTypeAttr = keyIdentifier.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.VALUETYPE_Q);
        QName encodingType = DOMUtils.getQName(keyIdentifier, encodingAttr, wssVersion);
        QName valueType = DOMUtils.getQName(keyIdentifier, valueTypeAttr, wssVersion);
        String keyIdentifierValue = DOMUtils.getStringValue(keyIdentifier);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "\nFound EncodingType: " + encodingType + newline + "Found ValueType: " + valueType + newline + "Found KeyIdentifier value: " + keyIdentifierValue);
        }
        if (!KRB5Util.hasValue(keyIdentifierValue)) {
            return false;
        }
        return mapKeyIdToToken(keyIdentifierValue, encodingType, valueType);
    }

    /**
     * Builds the verifying or decrypting key for the Kerberos token held in {@code _token}
     * and attaches it to that token.
     * <p>
     * Key bytes come from the token's context map: the sub-key
     * ({@code KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES}) when present, otherwise the
     * session key ({@code CONTEXT_SESSION_KEY_BYTES}). The key type requested in the
     * context ({@code Constants.WSSECURITY_KEY_TYPE}) selects what is produced: a
     * {@code SecretKeySpec} for {@code DerivedKeyGenerator.DEFMAC} when verifying, or a
     * {@code SecretKeyFactory}-generated AES or DESede key when decrypting. A
     * {@code DKToken} is accepted as-is without producing a key.
     * <p>
     * NOTE(review): the policy minimum symmetric key length is computed but only traced;
     * nothing in this method compares it with the configured key length. Confirm that check
     * happens elsewhere before relying on it.
     * NOTE(review): the {@code if (0 != 0)} branches, the discarded algorithm-suite lookup
     * and the {@code WSRMConstants.FIND_RMS_BEAN} default look like decompiler artifacts;
     * the literal originally behind that default is not recoverable from this listing.
     *
     * @return {@code true} if a key was attached (or the token is a DKToken); {@code false}
     *         when the configured algorithm does not fit the requested key type
     * @throws LoginException if no Kerberos token is available, the key type is neither
     *         verifying nor decrypting, or the algorithm is missing from the configuration
     * @throws InvalidKeyException propagated from key construction
     * @throws NoSuchProviderException propagated from {@code SecretKeyFactory.getInstance}
     * @throws InvalidKeySpecException propagated from {@code generateSecret}
     * @throws NoSuchAlgorithmException propagated from {@code SecretKeyFactory.getInstance}
     */
    private boolean retrieveKey() throws LoginException, InvalidKeyException, NoSuchProviderException, InvalidKeySpecException, NoSuchAlgorithmException {
        Object fromContextMap;
        boolean equals;
        boolean equals2;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "retrieveKey()");
        }
        boolean z = false;
        KRB5TokenImpl kRB5TokenImpl = null;
        if (this._token == null) {
            throw new LoginException(newline + ConfigUtil.getMessage("Cannot find a kerberos token to generate required key."));
        }
        if (this._token instanceof KRB5TokenImpl) {
            kRB5TokenImpl = (KRB5TokenImpl) this._token;
        }
        // A derived-key token carries no Kerberos key of its own; nothing to build here.
        if (this._token instanceof DKToken) {
            return true;
        }
        if (kRB5TokenImpl == null) {
            throw new LoginException(newline + ConfigUtil.getMessage("Cannot find a kerberos token to generate required key."));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found kerberos token of token id: " + kRB5TokenImpl.getId());
        }
        // Prefer the sub-key; fall back to the session key (and its encryption type) when no sub-key is present.
        byte[] bArr = (byte[]) kRB5TokenImpl.getFromContextMap(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
        if (KRB5Util.hasValue(bArr)) {
            fromContextMap = kRB5TokenImpl.getFromContextMap(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC_TYPE);
        } else {
            bArr = (byte[]) kRB5TokenImpl.getFromContextMap(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
            fromContextMap = kRB5TokenImpl.getFromContextMap(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC_TYPE);
        }
        if (tc.isDebugEnabled()) {
            // Prints the array reference, not its contents.
            Tr.debug(tc, "Found key byte[]: " + bArr + " of type: " + fromContextMap + " from the Kerberos token.");
        }
        // equals = verifying key requested, equals2 = decrypting key requested.
        String str = (String) this._context.get(Constants.WSSECURITY_KEY_TYPE);
        if (str == null) {
            equals2 = false;
            equals = false;
        } else {
            equals = WSSKeyInfoComponent.KEY_VERIFYING.equals(str);
            equals2 = WSSKeyInfoComponent.KEY_DECRYPTING.equals(str);
            if (tc.isDebugEnabled()) {
                if (equals) {
                    Tr.debug(tc, "Verifying key type");
                } else if (equals2) {
                    Tr.debug(tc, "Decrypting key type");
                }
            }
        }
        if (!equals && !equals2) {
            throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.getKey02", new String[]{str}));
        }
        // str2 = JCE algorithm name, i = key length in bits, both resolved from the key algorithm URI.
        String str2 = null;
        int i = 0;
        String str3 = (String) this._context.get(com.ibm.ws.wssecurity.common.Constants.KEY_ALGORITHM);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "keyalgoURI: " + str3);
        }
        if (str3 != null) {
            Map<String, Object> keyAlgorithm = KRBGenerateLoginModule.getKeyAlgorithm(str3, equals, equals2, false, false);
            str2 = (String) keyAlgorithm.get("algorithm");
            if (str2 == null) {
                throw new LoginException("Missing Algorithm info in the config");
            }
            i = ((Integer) keyAlgorithm.get("keylength")).intValue();
        }
        WSSConsumerConfig wSSConsumerConfig = (WSSConsumerConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
        try {
            // The algorithm suite is fetched but its result is discarded (decompiler artifact); the trace always prints null.
            ((PolicyInboundConfig) wSSConsumerConfig).getAlgorithmSuite();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The Algorithm Suite = " + ((String) null));
            }
        } catch (ClassCastException e) {
            FFDCFilter.processException(e, KRBConsumeLoginModule.class.getName(), WSRMConstants.PROCESS_TRANSACTION);
        }
        // Minimum symmetric key length (bits, as a string) from policy; the default below is a decompiler-substituted constant.
        String str4 = WSRMConstants.FIND_RMS_BEAN;
        if (0 != 0) {
            // Dead branch (decompiled "0 != 0").
            str4 = PolicyConfigUtil.getMinimumSymmetricKeyLength(null);
        } else {
            // NOTE(review): throws NullPointerException if KEY_ALGORITHM is absent (str3 null) — confirm callers always set it.
            if (str3.equals("http://www.w3.org/2001/04/xmlenc#aes128-cbc")) {
                str4 = PolicyConfigUtil.getMinimumSymmetricKeyLength("Basic128");
            }
            if (str3.equals("http://www.w3.org/2001/04/xmlenc#aes192-cbc")) {
                str4 = PolicyConfigUtil.getMinimumSymmetricKeyLength("Basic192");
            }
            if (str3.equals("http://www.w3.org/2001/04/xmlenc#aes256-cbc")) {
                str4 = PolicyConfigUtil.getMinimumSymmetricKeyLength("Basic256");
            }
            if (str3.equals("http://www.w3.org/2001/04/xmlenc#tripledes-cbc")) {
                str4 = PolicyConfigUtil.getMinimumSymmetricKeyLength("TripleDes");
            }
            if (str3.equals("http://www.w3.org/2000/09/xmldsig#hmac-sha1")) {
                str4 = "160";
            }
        }
        // Bits to bytes. NOTE(review): for any other algorithm URI str4 keeps the substituted default; if that is not numeric this throws NumberFormatException — TODO confirm the original literal.
        int parseInt = Integer.parseInt(str4) / 8;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The min Derived Key Length is " + parseInt);
        }
        String str5 = (String) tokenConsumerConfig.getProperties().get(Constants.DERIVED_KEY_LENGTH);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The specified Derived Key Length is " + str5);
        }
        if (0 != 0) {
            // Dead branch (decompiled "0 != 0"); the configured DERIVED_KEY_LENGTH is only traced.
            i = KRBGenerateLoginModule.getKeyLength(equals, (String) null, str5);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isVerifying: " + equals);
            Tr.debug(tc, "isDecrypting: " + equals2);
            Tr.debug(tc, "keyalgo: " + str2);
            Tr.debug(tc, "keylength: " + i);
            Tr.debug(tc, "minKeySize: " + parseInt);
        }
        // Verifying: only the default MAC algorithm is supported; the raw key bytes become the MAC key.
        // NOTE(review): str2.compareTo throws NullPointerException when KEY_ALGORITHM was absent.
        if (equals) {
            if (str2.compareTo(DerivedKeyGenerator.DEFMAC) == 0) {
                if (kRB5TokenImpl != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "krb5token: " + kRB5TokenImpl);
                        Tr.debug(tc, "keylength: " + i);
                        Tr.debug(tc, "minKeySize: " + parseInt);
                    }
                    SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, DerivedKeyGenerator.DEFMAC);
                    // 63: labelled SecurityToken.VERIFYING_KEY by the trace below — confirm against SecurityToken.
                    kRB5TokenImpl.setKey(63, secretKeySpec);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "SecurityToken.VERIFYING_KEY: " + secretKeySpec);
                    }
                }
                z = true;
            } else {
                z = false;
            }
        }
        // Decrypting: AES or DESede keys are generated from the raw key bytes via the configured provider.
        if (equals2) {
            if (str2.compareTo("AES") != 0 && str2.compareTo("DESede") != 0) {
                z = false;
            } else if (str2.compareTo("AES") == 0) {
                if (kRB5TokenImpl != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "krb5token: " + kRB5TokenImpl);
                        Tr.debug(tc, "keylength: " + i);
                        Tr.debug(tc, "minKeySize: " + parseInt);
                    }
                    SecretKey generateSecret = SecretKeyFactory.getInstance("AES", com.ibm.ws.wssecurity.trust.server.sts.ext.sct.Constants.VALUE_DEFAULT_PROVIDER).generateSecret(new AESKeySpec(bArr));
                    // 64: labelled SecurityToken.DECRYPTING_KEY by the trace below — confirm against SecurityToken.
                    kRB5TokenImpl.setKey(64, generateSecret);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "SecurityToken.DECRYPTING_KEY: " + generateSecret);
                    }
                }
                z = true;
            } else if (str2.compareTo("DESede") == 0) {
                if (kRB5TokenImpl != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "krb5token: " + kRB5TokenImpl);
                        Tr.debug(tc, "keylength: " + i);
                        Tr.debug(tc, "minKeySize: " + parseInt);
                    }
                    SecretKey generateSecret2 = SecretKeyFactory.getInstance("DESede", com.ibm.ws.wssecurity.trust.server.sts.ext.sct.Constants.VALUE_DEFAULT_PROVIDER).generateSecret(new DESedeKeySpec(bArr));
                    kRB5TokenImpl.setKey(64, generateSecret2);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "SecurityToken.DECRYPTING_KEY: " + generateSecret2);
                    }
                }
                z = true;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "retrieveKey()");
        }
        return z;
    }

    /**
     * Looks up the token with identifier {@code tokenId} in the security token manager
     * and, when found, makes it the current {@code _token}.
     *
     * @param tokenId the token identifier to look up
     * @return {@code true} if the token was found and selected, {@code false} otherwise
     */
    private boolean mapRefUriToToken(String tokenId) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapRefUriToToken()");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Token identifier is [" + tokenId + "]");
        }
        TokenConsumerConfig consumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
        SecurityToken found = this._securityTokenManager.getToken(consumerConfig, tokenId);
        boolean located = found != null;
        if (!located) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: SecurityToken whose identifier is \"" + tokenId + "\" was not found in the Subject.");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is the token [" + tokenId + "] stored in the Subject.");
                Tr.debug(tc, "Token instance: " + found + " and hashcode: " + found.hashCode());
            }
            this._token = found;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapRefUriToToken()");
        }
        return located;
    }

    /**
     * Resolves a token from a KeyIdentifier: the encoding must be
     * {@code Constants.BASE64_BINARY} and the value type {@code Constants.KRB5_APREQ_SHA1};
     * the identifier is then looked up in the Kerberos token cache and becomes
     * {@code _token}.
     *
     * @param keyId the KeyIdentifier value
     * @param encodingType the KeyIdentifier EncodingType; may be {@code null}
     * @param valueType the KeyIdentifier ValueType; may be {@code null}
     * @return always {@code true}; every failure is reported as an exception
     * @throws LoginException if the encoding or value type is not the expected one, or
     *         no cached token matches {@code keyId}
     */
    private boolean mapKeyIdToToken(String keyId, QName encodingType, QName valueType) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapKeyIdToToken() for token id: " + keyId + "...encoding type: " + encodingType + "...value type:" + valueType);
        }
        boolean base64Encoded = encodingType != null && encodingType.equals(com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY);
        if (!base64Encoded) {
            throw new LoginException(getClass().getName() + "Unexpected Encoding type : " + encodingType + " for key id: " + keyId);
        }
        boolean apReqSha1 = valueType != null && valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_APREQ_SHA1);
        if (!apReqSha1) {
            throw new LoginException(getClass().getName() + "Unexpected Value type : " + valueType + " for key id: " + keyId);
        }
        // _token is overwritten before the lookup result is checked; on a miss it is left null.
        this._token = KRB5TokenCacheUtil.getKRB5TokenFromCache(keyId);
        if (this._token == null) {
            throw new LoginException(getClass().getName() + "Failed to locate token of: " + valueType + " for key id: " + keyId);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapKeyIdToToken()");
        }
        return true;
    }

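    /**
     * Consumes an inbound Kerberos BinarySecurityToken element: decodes its Base64 content, validates the
     * AP_REQ via {@link #validate(byte[])} and, on success, builds the KRB5 token implementation matching
     * the configured value type and installs it as this module's token.
     *
     * @param oMElement the wsse:BinarySecurityToken element carrying the Base64 AP_REQ
     * @param kRB5TokenImpl fallback token instance used when the value type matches none of the known
     *        AP_REQ forms; when it is null and the value type is unknown a LoginException is raised
     *        (previously this path ended in a NullPointerException on setId())
     * @param kRBTokenConsumeCallback callback whose value type, when set, overrides the consumer config type
     * @return true when a token was established, false when validation yielded no usable result
     * @throws LoginException when the element holds no token bytes or the value type is unsupported
     */
    private boolean processBST(OMElement oMElement, KRB5TokenImpl kRB5TokenImpl, KRBTokenConsumeCallback kRBTokenConsumeCallback) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processBST()");
        }
        // The element's id attribute (when present) becomes the token id.
        String elementId = null;
        QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
        }
        if (idAttributeName != null) {
            elementId = oMElement.getAttributeValue(idAttributeName);
        }
        byte[] decode = Base64.decode(DOMUtils.getStringValue(oMElement));
        // Reject before tracing: the trace below dereferences decode, which used to run ahead of this check.
        if (decode == null || decode.length == 0) {
            throw new LoginException("Unexpected empty token bytes received");
        }
        if (tc.isDebugEnabled()) {
            // This writes the complete inbound AP_REQ (ticket and authenticator) to trace; it is kept behind
            // isDebugEnabled() for that reason.
            Tr.debug(tc, "Processing inbound AP_REQ token:\n\n" + new HexDumpEncoder().encodeBuffer(decode) + "\n\n");
            Tr.debug(tc, "in_token length= " + decode.length);
        }
        boolean established = false;
        HashMap[] validate = validate(decode);
        // validate() hands back [consumer config, consumer result] on success and null otherwise.
        if (validate != null && validate.length >= 2) {
            TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            // The callback's value type wins; otherwise fall back to the consumer configuration.
            QName valueType = kRBTokenConsumeCallback.getValueType();
            if (valueType == null) {
                valueType = tokenConsumerConfig.getType();
            }
            KRB5TokenImpl built = newTokenForValueType(valueType, validate[0], validate[1]);
            if (built != null) {
                kRB5TokenImpl = built;
            }
            if (kRB5TokenImpl == null) {
                throw new LoginException("Unsupported Kerberos token value type: " + valueType);
            }
            kRB5TokenImpl.setId(elementId);
            kRB5TokenImpl.setXML(new OMStructure(oMElement));
            kRB5TokenImpl.setBinary(decode);
            // The identifier (presumably a hash over the token, judging by the helper's name) is also the
            // server-side cache key that mapKeyIdToToken() later resolves a KeyIdentifier reference against.
            String kEYIDHashValue = KRBGenerateLoginModule.getKEYIDHashValue(kRB5TokenImpl);
            kRB5TokenImpl.setIdentifier(kEYIDHashValue);
            if (this.isServer) {
                KRB5TokenCacheUtil.setKRB5TokenToCache(kEYIDHashValue, kRB5TokenImpl);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Completing the establishment of token: " + kRB5TokenImpl + " with hashcode: " + kRB5TokenImpl.hashCode());
            }
            this._token = kRB5TokenImpl;
            established = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processBST()");
        }
        return established;
    }

    /**
     * Builds the KRB5 token subtype for a value type.
     *
     * @param valueType the token ValueType; null or unknown types yield null
     * @param tokenConfig the consumer configuration map produced by validate()
     * @param tokenResult the consumer result map produced by validate()
     * @return a new token instance, or null when the value type is not one of the supported AP_REQ forms
     */
    private static KRB5TokenImpl newTokenForValueType(QName valueType, HashMap tokenConfig, HashMap tokenResult) {
        if (valueType == null) {
            return null;
        }
        if (valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ_TOKEN)) {
            return new KRB5_APREQTokenImpl(tokenConfig, tokenResult);
        }
        if (valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ1510_TOKEN)) {
            return new KRB5_APREQ1510TokenImpl(tokenConfig, tokenResult);
        }
        if (valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ4120_TOKEN)) {
            return new KRB5_APREQ4120TokenImpl(tokenConfig, tokenResult);
        }
        if (valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN)) {
            return new KRB5_GSSAPREQTokenImpl(tokenConfig, tokenResult);
        }
        if (valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ1510_TOKEN)) {
            return new KRB5_GSSAPREQ1510TokenImpl(tokenConfig, tokenResult);
        }
        if (valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ4120_TOKEN)) {
            return new KRB5_GSSAPREQ4120TokenImpl(tokenConfig, tokenResult);
        }
        return null;
    }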

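    /**
     * Validates a decoded AP_REQ against the configured accepting service principal and, on success,
     * records the authenticated client principal (and realm) in the shared state.
     *
     * @param bArr the Base64-decoded AP_REQ token bytes
     * @return a two-element array: [0] the configuration handed to the KerberosTokenConsumer, [1] the
     *         consumer's result map (keys per KerberosTokenConfig); null when the token did not yield
     *         a usable client principal
     * @throws LoginException when a configured service principal name fails KRB5Util.spnValid
     */
    private HashMap[] validate(byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate()");
        }
        // Service principal the token must be addressed to; callback-handler properties take precedence
        // over token-consumer properties. Initialised so the hasValue() checks below are well-defined even
        // when the lookup throws (the original left it unassigned on that path).
        String serviceSpn = null;
        try {
            TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            Map<Object, Object> properties = tokenConsumerConfig.getCallbackHandler().getProperties();
            serviceSpn = properties != null ? (String) properties.get(Constants.WSSECURITY_KRB5TOKEN_SERVICESPN) : "";
            if (!KRB5Util.hasValue(serviceSpn)) {
                serviceSpn = (String) tokenConsumerConfig.getProperties().get(Constants.WSSECURITY_KRB5TOKEN_SERVICESPN);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Service name accepting token: " + serviceSpn);
            }
        } catch (GSSException e) {
            // NOTE(review): the failure is logged but consumption continues with whatever serviceSpn holds
            // (possibly null); confirm an early "return null" was not intended here.
            FFDCFilter.processException(e, KRBConsumeLoginModule.class.getName(), WSRMConstants.PROCESS_TRANSACTION);
            Tr.processException((Throwable) e, clsName + ".login", "%C", (Object) this);
            Tr.error(tc, "security.wssecurity.KRBConsumeLoginModule.s02", KRB5Util.stackToString(e));
        } catch (Throwable th) {
            FFDCFilter.processException(th, KRBConsumeLoginModule.class.getName(), WSRMConstants.PROCESS_TRANSACTION);
            Tr.processException(th, clsName + ".login", "%C", this);
            Tr.error(tc, "security.wssecurity.KRBConsumeLoginModule.s02", KRB5Util.stackToString(th));
        }
        // A configured but malformed SPN is a hard failure; an absent SPN is left to the consumer.
        if (KRB5Util.hasValue(serviceSpn) && !KRB5Util.spnValid(serviceSpn)) {
            String[] inserts = { serviceSpn == null ? "" : serviceSpn };
            throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s03", inserts));
        }
        HashMap consumerConfig = new HashMap();
        consumerConfig.put(KerberosTokenConfig.SERVICE_NAME, serviceSpn);
        consumerConfig.put(KerberosTokenConfig.DECODED_TOKEN, bArr);
        KerberosTokenConsumer consumer = new KerberosTokenConsumer();
        consumer.init(consumerConfig);
        HashMap consumerResult = new HashMap();
        consumer.invoke(consumerResult);
        HashMap[] result = { consumerConfig, consumerResult };

        // Prefer the authenticator sub-key; fall back to the ticket session key when none was supplied.
        byte[] keyBytes = (byte[]) consumerResult.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
        Object keyType = consumerResult.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES_TYPE);
        Object keyEncType = consumerResult.get(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC_TYPE);
        if (keyBytes == null) {
            keyBytes = (byte[]) consumerResult.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
            keyType = consumerResult.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES_TYPE);
            keyEncType = consumerResult.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC_TYPE);
        }
        if (tc.isDebugEnabled()) {
            if (keyBytes != null) {
                // Key material is deliberately not written to trace (the original hex-dumped it); type and
                // length are enough to diagnose negotiation problems.
                Tr.debug(tc, "Key of type: " + keyType + " with encryption type: " + keyEncType + " from token, length " + keyBytes.length + " bytes");
            } else {
                Tr.debug(tc, "Server subkey token is null ...\r\n");
            }
        }

        boolean authenticated = false;
        if (keyBytes != null && keyBytes.length != 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Request token processed OK");
            }
            String clientName = (String) consumerResult.get(KerberosTokenConfig.CLIENT_NAME);
            if (clientName != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getAuthenticatedUsername: WebSphere Security principal = " + clientName);
                }
                String principal = KRB5Util.stripOutPrincipalName(clientName);
                String realm = KRB5Util.stripOutRealmName(clientName);
                if (principal != null) {
                    // The authenticated identity the rest of the login chain consumes.
                    this._sharedState.put(Constants.WSSECURITY_DN, principal);
                    authenticated = true;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Kerberos client principal: " + principal);
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WAS principal is not available after the mapping.");
                }
                if (realm != null) {
                    this._sharedState.put("com.ibm.wsspi.wssecurity.Constants.KerberosRealm", realm);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Kerberos realm: " + realm);
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "User principal is not available.");
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Request token processed Not OK");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate()");
        }
        // Only a token that produced a client principal counts; everything else is reported as null.
        return authenticated ? result : null;
    }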
}
