package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.security.krb5.wss.KerberosTokenConfig;
import com.ibm.ws.wssecurity.token.CacheableToken;
import com.ibm.ws.wssecurity.util.KRB5TokenCacheUtil;
import com.ibm.ws.wssecurity.util.KRB5Util;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.util.io.ObjectOutputInputUtil;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnTokenFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecurityPermission;
import java.util.Date;
import java.util.HashMap;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.xml.namespace.QName;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/TGSAuthToken.class */
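/**
 * WS-Security token wrapping a Kerberos service ticket (TGS) together with the
 * ticket-granting ticket (TGT), the client principal and the key bytes that were
 * negotiated for the AP-REQ.
 *
 * <p>The token is {@code Externalizable} through {@link #writeExternal} /
 * {@link #readExternal}; {@link #getTokenBytes()} and the {@code byte[]}
 * constructor round-trip a token through that format, and {@link #clone()} is
 * implemented as exactly that round-trip.
 *
 * <p>All fields except the two maps may legitimately be {@code null}; the maps
 * are never {@code null}. {@code credTable} aliases {@code _table} once
 * {@link #copy2Table()} has run (both constructors that populate the token do so).
 *
 * <p>This class is not thread-safe; instances are expected to be built once and then read.
 */
public class TGSAuthToken extends SecurityTokenImpl implements CacheableToken, Cloneable {
    private static final long serialVersionUID = 1;
    /** Wire-format version written first by {@link #writeExternal}; {@link #readExternal} accepts only this value. */
    private static final String VERSION_NUMBER = "1.0";
    /** Provisional service-ticket lifetime (2 hours) set before the real ticket end time is known. */
    private static final long DEFAULT_TGS_LIFETIME_MS = 7200000L;
    /** Provisional TGT lifetime (8 hours) used when no TGT can be found in the context map. */
    private static final long DEFAULT_TGT_LIFETIME_MS = 28800000L;

    /** Cache identifier; derived from the TGT client principal and the SPN when a TGT is available. */
    protected String identifier;
    /** Service ticket for {@link #spn}, if present in the context map. */
    protected KerberosTicket tgs;
    /** Ticket-granting ticket of the client, taken from the Subject or the delegated-ticket entry. */
    protected KerberosTicket tgt;
    /** Service principal name the service ticket was obtained for. */
    protected String spn;
    /** SHA-1 of the AP-REQ, as supplied by the caller (this class does not compute it). */
    protected String apreqSha1;
    /** Sub-session key bytes, or the session key bytes when no sub key was negotiated. Key material. */
    protected byte[] secreteBytes;
    /** Client principal name, with the realm stripped by {@code KRB5Util.stripOutPrincipalName}. */
    protected String client;
    /** Client realm name. */
    protected String realm;
    protected Date tgsExpirationTime;
    protected Date tgtExpirationTime;
    /** Last serialized form produced by {@link #getTokenBytes()} (or the bytes this token was built from). */
    protected byte[] tokenBytes;
    /** Map view of the token; aliases {@link #_table} after {@link #copy2Table()} has run. */
    protected HashMap credTable = new HashMap();
    public static final String TGSAuthToken_version = "TGSAuthToken.version";
    public static final String TGSAuthToken_identifier = "TGSAuthToken.identifier";
    public static final String TGSAuthToken_spn = "TGSAuthToken.spn";
    public static final String TGSAuthToken_tgs = "TGSAuthToken.tgs";
    public static final String TGSAuthToken_tgt = "TGSAuthToken.tgt";
    public static final String TGSAuthToken_valueType = "TGSAuthToken.valueType";
    public static final String TGSAuthToken_secreteBytes = "TGSAuthToken.secreteBytes";
    public static final String TGSAuthToken_apreqSha1 = "TGSAuthToken.apreqSha1";
    public static final String TGSAuthToken_client = "TGSAuthToken.client";
    public static final String TGSAuthToken_tgtExpirationTime = "TGSAuthToken.tgtExpirationTime";
    public static final String TGSAuthToken_tgsExpirationTime = "TGSAuthToken.tgsExpirationTime";
    /** Server-principal prefix that identifies a ticket-granting ticket among a Subject's credentials. */
    public static final String TGT_PREFIX = "krbtgt";
    /** Backing map for {@link #credTable}; refreshed from the fields by {@link #copy2Table()}. */
    private HashMap _table = new HashMap();
    private static final TraceComponent tc = Tr.register(TGSAuthToken.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // NOTE(review): declared but not checked anywhere in this class — getTGS()/getTGT() hand out the
    // tickets without it. Confirm whether the ticket getters are meant to enforce this permission.
    private static final SecurityPermission ACCESS_KRB5TKT_PERM = new SecurityPermission("wsspi.KRB5Token.accessTKT");
    /** Java 2 Security permission required by {@link #getSecretKeyByte()} when a SecurityManager is installed. */
    private static final SecurityPermission ACCESS_SESSIONKEY_PERM = new SecurityPermission("wsspi.KRB5Token.accessSessionKey");

    /**
     * Creates an empty token. Required by {@code Externalizable}; the fields are
     * populated afterwards by {@link #readExternal}.
     */
    public TGSAuthToken() {
        // Scalar fields stay null; the two maps are created by their field initializers.
    }

    /**
     * Rebuilds a token from bytes previously produced by {@link #getTokenBytes()}.
     *
     * <p>The bytes are consumed with a plain {@code ObjectInputStream}, i.e. native
     * Java deserialization: only bytes that this class itself serialized (for
     * example those held in the token cache) should be passed here.
     *
     * @param bArr serialized token, or {@code null} for an empty token
     * @throws RuntimeException if the bytes cannot be deserialized; the underlying
     *     {@code IOException}/{@code ClassNotFoundException} is kept as the cause
     */
    public TGSAuthToken(byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "TGSAuthToken(TokenBytes)");
        }
        this.tokenBytes = bArr;
        if (bArr != null) {
            try {
                readExternal(new ObjectInputStream(new ByteArrayInputStream(bArr)));
            } catch (IOException e) {
                throw new RuntimeException("Unable to deserialize TGSAuthToken bytes", e);
            } catch (ClassNotFoundException e) {
                throw new RuntimeException("Unable to deserialize TGSAuthToken bytes", e);
            }
        }
        this.credTable = copy2Table();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "TGSAuthToken(TokenBytes)");
        }
    }

    /**
     * Builds a token from the Kerberos context map produced during AP-REQ processing.
     *
     * @param hashMap context map keyed by {@code KerberosTokenConfig} constants; must not be {@code null}
     * @param str client principal name, or {@code null} to take it from the map / the TGT
     * @param str2 service principal name the service ticket is for
     * @param qName token value type (stored in the inherited {@code valueType} field)
     * @param str3 SHA-1 of the AP-REQ
     * @throws IllegalArgumentException if {@code hashMap} is {@code null}, or if the map holds
     *     neither a service ticket nor an explicit service-ticket expiry time
     */
    public TGSAuthToken(HashMap hashMap, String str, String str2, QName qName, String str3) {
        if (hashMap == null) {
            throw new IllegalArgumentException("Kerberos context map must not be null");
        }
        this.spn = str2;
        this.valueType = qName;
        this.secreteBytes = extractSecretBytes(hashMap);
        this.client = str;
        if (this.client == null) {
            this.client = (String) hashMap.get(KerberosTokenConfig.CLIENT_NAME);
        }
        this.realm = (String) hashMap.get(KerberosTokenConfig.CLIENT_REALM_NAME);
        this.apreqSha1 = str3;
        // Provisional lifetimes; overridden below whenever a real ticket end time is available.
        long now = System.currentTimeMillis();
        this.tgsExpirationTime = new Date(now + DEFAULT_TGS_LIFETIME_MS);
        this.tgtExpirationTime = new Date(now + DEFAULT_TGT_LIFETIME_MS);

        // extractTgt already falls back to the delegated ticket, so this second lookup only
        // matters if that fallback ever changes; kept for parity with the original behaviour.
        this.tgt = extractTgt(hashMap);
        if (this.tgt == null) {
            this.tgt = (KerberosTicket) hashMap.get(KerberosTokenConfig.CONTEXT_DELEG_KERBEROS_TICKET);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Got contextDelegatedKerberosTicket");
            }
        }
        if (this.tgt != null) {
            // The TGT is authoritative for the client identity and the TGT lifetime.
            String tgtClientName = this.tgt.getClient().getName();
            String tgtClientRealm = this.tgt.getClient().getRealm();
            this.identifier = KRB5TokenCacheUtil.getClientIdentifierForServiceTicket(tgtClientName, tgtClientRealm, str2);
            this.client = tgtClientName;
            this.realm = tgtClientRealm;
            this.tgtExpirationTime = this.tgt.getEndTime();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "TGT Client principal = " + tgtClientName);
                Tr.debug(tc, "TGT Server principal = " + this.tgt.getServer().getName());
            }
        }

        this.tgs = (KerberosTicket) hashMap.get(KerberosTokenConfig.CONTEXT_SERVICE_TICKET);
        if (this.tgs != null) {
            this.tgsExpirationTime = this.tgs.getEndTime();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "TGS Client principal = " + this.tgs.getClient().getName());
                Tr.debug(tc, "TGS Server principal = " + this.tgs.getServer().getName());
            }
        } else {
            Long explicitTgsExpiry = (Long) hashMap.get(KerberosTokenConfig.TGS_EXP_TIME);
            if (explicitTgsExpiry == null) {
                // Without either source of the expiry the token lifetime would be a guess; refuse
                // rather than issue a token whose validity period is unknown.
                throw new IllegalArgumentException("Kerberos context map holds neither a service ticket nor "
                        + KerberosTokenConfig.TGS_EXP_TIME);
            }
            this.tgsExpirationTime = new Date(explicitTgsExpiry.longValue());
        }

        if (this.client != null) {
            this.client = KRB5Util.stripOutPrincipalName(this.client);
        }
        this.principal = this.client;
        this.credTable = copy2Table();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "TGT Ticket expiration time=" + this.tgtExpirationTime);
            Tr.debug(tc, "Service Ticket expiration time=" + this.tgsExpirationTime);
        }
    }

    /**
     * Returns a copy of this token with new key bytes and AP-REQ digest; this token is unchanged.
     *
     * @param bArr replacement key bytes (stored as-is, not copied)
     * @param str replacement SHA-1 of the AP-REQ
     * @return the modified copy, with its map view already refreshed
     */
    public TGSAuthToken modifyTGSAuthToken(byte[] bArr, String str) {
        TGSAuthToken copy = (TGSAuthToken) clone();
        copy.apreqSha1 = str;
        copy.secreteBytes = bArr;
        // credTable aliases _table on the copy, so this refresh is visible through getTGSAuthTokenAsMap().
        copy.copy2Table();
        return copy;
    }

    /**
     * Deep-copies the token by serializing it and deserializing the result.
     *
     * @return a new {@code TGSAuthToken} built from {@link #getTokenBytes()}
     */
    @Override
    public Object clone() {
        return new TGSAuthToken(getTokenBytes());
    }

    /**
     * Refreshes the backing map from the current field values and returns it.
     *
     * <p>The map contains the tickets and the key bytes by reference; it is the same
     * object that {@link #getTGSAuthTokenAsMap()} exposes.
     *
     * @return {@link #_table}, refreshed
     */
    @SuppressWarnings("unchecked") // raw HashMap is part of the inherited/public shape of this token
    private HashMap copy2Table() {
        this._table.put(TGSAuthToken_identifier, this.identifier);
        this._table.put(TGSAuthToken_spn, this.spn);
        this._table.put(TGSAuthToken_tgs, this.tgs);
        this._table.put(TGSAuthToken_tgt, this.tgt);
        this._table.put(TGSAuthToken_valueType, this.valueType);
        this._table.put(TGSAuthToken_secreteBytes, this.secreteBytes);
        this._table.put(TGSAuthToken_apreqSha1, this.apreqSha1);
        this._table.put(TGSAuthToken_client, this.client);
        this._table.put(TGSAuthToken_tgtExpirationTime, this.tgtExpirationTime);
        this._table.put(TGSAuthToken_tgsExpirationTime, this.tgsExpirationTime);
        this._table.put(KRBAuthnTokenFactory.PRINCIPAL_NAME, this.principal);
        this._table.put(KRBAuthnTokenFactory.KERBEROS_TICKET, this.tgt);
        this._table.put(KRBAuthnTokenFactory.REALM_NAME, this.realm);
        // A token read from an old/partial stream may have no TGT expiry; store null instead of failing.
        Long tgtExpiryMillis = this.tgtExpirationTime == null ? null : Long.valueOf(this.tgtExpirationTime.getTime());
        this._table.put(KRBAuthnTokenFactory.EXPIRATION_TIME, tgtExpiryMillis);
        return this._table;
    }

    /**
     * Serializes this token with {@link #writeExternal} and caches the result in {@link #tokenBytes}.
     *
     * @return the serialized token (the cached array itself, not a copy)
     * @throws RuntimeException if serialization fails; the {@code IOException} is kept as the cause
     */
    public byte[] getTokenBytes() {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try {
            ObjectOutputStream out = new ObjectOutputStream(buffer);
            try {
                writeExternal(out);
                out.flush();
            } finally {
                out.close();
            }
        } catch (IOException e) {
            throw new RuntimeException("Unable to serialize TGSAuthToken", e);
        }
        this.tokenBytes = buffer.toByteArray();
        return this.tokenBytes;
    }

    /** @return the cache identifier, or {@code null} if none was derived */
    @Override
    public String getIdentifier() {
        return this.identifier;
    }

    /** @return the service-ticket (TGS) expiration time */
    public Date getServiceTicketExpirationTime() {
        return this.tgsExpirationTime;
    }

    /** @return the TGT expiration time */
    public Date getTGTExpirationTime() {
        return this.tgtExpirationTime;
    }

    /** @return the SHA-1 of the AP-REQ supplied when the token was built */
    public String getSHA1ofAPREQ() {
        return this.apreqSha1;
    }

    /**
     * Returns a copy of the negotiated key bytes.
     *
     * <p>When a {@code SecurityManager} is installed the caller must hold
     * {@code ACCESS_SESSIONKEY_PERM}. A copy is returned so that callers cannot
     * alter the key held by the token.
     *
     * @return a copy of the key bytes, or {@code null} if none were extracted
     * @throws SecurityException if the permission check fails
     */
    public byte[] getSecretKeyByte() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, "Expecting: " + ACCESS_SESSIONKEY_PERM.toString());
            }
            securityManager.checkPermission(ACCESS_SESSIONKEY_PERM);
        }
        return this.secreteBytes == null ? null : (byte[]) this.secreteBytes.clone();
    }

    /**
     * Sets the cache identifier. Does not refresh the map view; call sites that
     * rely on {@link #getTGSAuthTokenAsMap()} see the old value until the next serialization round-trip.
     *
     * @param str new identifier
     */
    public void setIdentifier(String str) {
        this.identifier = str;
    }

    /** @return the service ticket, or {@code null} */
    public KerberosTicket getTGS() {
        return this.tgs;
    }

    /** @return the ticket-granting ticket, or {@code null} */
    public KerberosTicket getTGT() {
        return this.tgt;
    }

    /**
     * Returns the live map view of this token (not a copy). It holds the tickets and
     * the key bytes by reference, so callers must treat it as read-only.
     *
     * @return the backing map
     */
    public HashMap getTGSAuthTokenAsMap() {
        return this.credTable;
    }

    /**
     * Reads the fields written by {@link #writeExternal}, after the superclass portion.
     *
     * @param objectInput stream positioned at the superclass data
     * @throws IOException if the stream is unreadable or carries a version other than {@link #VERSION_NUMBER}
     * @throws ClassNotFoundException if an embedded object's class cannot be resolved
     */
    @Override
    public void readExternal(ObjectInput objectInput) throws IOException, ClassNotFoundException {
        super.readExternal(objectInput);
        String version = ObjectOutputInputUtil.readUTF(objectInput, TGSAuthToken_version);
        if (!VERSION_NUMBER.equals(version)) {
            // Silently skipping would leave an empty token that later fails with an opaque NPE.
            throw new IOException("Unsupported TGSAuthToken serialization version: " + version);
        }
        this.identifier = ObjectOutputInputUtil.readUTF(objectInput, TGSAuthToken_identifier);
        this.spn = ObjectOutputInputUtil.readUTF(objectInput, TGSAuthToken_spn);
        // Object-valued fields keep their current value when the stream holds null.
        Object tgsObj = ObjectOutputInputUtil.readObject(objectInput, TGSAuthToken_tgs);
        if (tgsObj != null) {
            this.tgs = (KerberosTicket) tgsObj;
        }
        Object tgtObj = ObjectOutputInputUtil.readObject(objectInput, TGSAuthToken_tgt);
        if (tgtObj != null) {
            this.tgt = (KerberosTicket) tgtObj;
        }
        Object valueTypeObj = ObjectOutputInputUtil.readObject(objectInput, TGSAuthToken_valueType);
        if (valueTypeObj != null) {
            this.valueType = (QName) valueTypeObj;
        }
        Object secretObj = ObjectOutputInputUtil.readObject(objectInput, TGSAuthToken_secreteBytes);
        if (secretObj != null) {
            this.secreteBytes = (byte[]) secretObj;
        }
        this.apreqSha1 = ObjectOutputInputUtil.readUTF(objectInput, TGSAuthToken_apreqSha1);
        this.client = ObjectOutputInputUtil.readUTF(objectInput, TGSAuthToken_client);
        Object tgsExpiryObj = ObjectOutputInputUtil.readObject(objectInput, TGSAuthToken_tgsExpirationTime);
        if (tgsExpiryObj != null) {
            this.tgsExpirationTime = (Date) tgsExpiryObj;
        }
        Object tgtExpiryObj = ObjectOutputInputUtil.readObject(objectInput, TGSAuthToken_tgtExpirationTime);
        if (tgtExpiryObj != null) {
            this.tgtExpirationTime = (Date) tgtExpiryObj;
        }
        this.credTable = copy2Table();
    }

    /**
     * Writes the superclass portion, the version marker and then every field in
     * the order {@link #readExternal} expects. Note that {@code realm} is not
     * serialized, so it is lost across a round-trip (and hence across {@link #clone()}).
     *
     * @param objectOutput destination stream
     * @throws IOException if writing fails
     */
    @Override
    public void writeExternal(ObjectOutput objectOutput) throws IOException {
        super.writeExternal(objectOutput);
        ObjectOutputInputUtil.writeUTF(objectOutput, VERSION_NUMBER, TGSAuthToken_version);
        ObjectOutputInputUtil.writeUTF(objectOutput, this.identifier, TGSAuthToken_identifier);
        ObjectOutputInputUtil.writeUTF(objectOutput, this.spn, TGSAuthToken_spn);
        ObjectOutputInputUtil.writeObject(objectOutput, this.tgs, TGSAuthToken_tgs);
        ObjectOutputInputUtil.writeObject(objectOutput, this.tgt, TGSAuthToken_tgt);
        ObjectOutputInputUtil.writeObject(objectOutput, this.valueType, TGSAuthToken_valueType);
        ObjectOutputInputUtil.writeObject(objectOutput, this.secreteBytes, TGSAuthToken_secreteBytes);
        ObjectOutputInputUtil.writeUTF(objectOutput, this.apreqSha1, TGSAuthToken_apreqSha1);
        ObjectOutputInputUtil.writeUTF(objectOutput, this.client, TGSAuthToken_client);
        ObjectOutputInputUtil.writeObject(objectOutput, this.tgsExpirationTime, TGSAuthToken_tgsExpirationTime);
        ObjectOutputInputUtil.writeObject(objectOutput, this.tgtExpirationTime, TGSAuthToken_tgtExpirationTime);
    }

    /**
     * Picks the key bytes from the context map: the sub-session key if present,
     * otherwise the session key. Only the key type, never the key itself, is traced.
     *
     * @param hashMap Kerberos context map
     * @return the key bytes, or {@code null} if the map holds neither
     */
    private static byte[] extractSecretBytes(HashMap hashMap) {
        byte[] keyBytes = (byte[]) hashMap.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
        if (keyBytes != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found sub key of type: " + hashMap.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES_TYPE) + " from kerberos token.");
            }
            return keyBytes;
        }
        keyBytes = (byte[]) hashMap.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
        if (keyBytes != null && tc.isDebugEnabled()) {
            Tr.debug(tc, "Found session key of type: " + hashMap.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES_TYPE) + " from kerberos token.");
        }
        return keyBytes;
    }

    /**
     * Locates the client's TGT: first among the private credentials of the Subject
     * in the context map (read under {@code doPrivileged} because credential access
     * is permission-checked), then from the delegated-ticket entry.
     *
     * @param hashMap Kerberos context map
     * @return the TGT, or {@code null} if none is available
     */
    private static KerberosTicket extractTgt(HashMap hashMap) {
        final Subject subject = (Subject) hashMap.get(KerberosTokenConfig.CONTEXT_SUBJECT);
        KerberosTicket ticket = null;
        if (subject != null) {
            ticket = AccessController.doPrivileged(new PrivilegedAction<KerberosTicket>() {
                @Override
                public KerberosTicket run() {
                    return findTgtInSubject(subject);
                }
            });
        }
        if (ticket == null) {
            ticket = (KerberosTicket) hashMap.get(KerberosTokenConfig.CONTEXT_DELEG_KERBEROS_TICKET);
        }
        return ticket;
    }

    /**
     * Returns the first private-credential ticket whose server principal starts with
     * {@link #TGT_PREFIX}, or {@code null}. Must be called with credential-access privileges.
     */
    private static KerberosTicket findTgtInSubject(Subject subject) {
        for (KerberosTicket candidate : subject.getPrivateCredentials(KerberosTicket.class)) {
            String serverName = candidate.getServer().getName();
            if (serverName.startsWith(TGT_PREFIX)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Ticket name=" + serverName);
                    Tr.debug(tc, "Expiration time=" + candidate.getEndTime());
                }
                return candidate;
            }
        }
        return null;
    }

    /** @return class name and identifier only; key material and tickets are deliberately excluded */
    @Override
    public String toString() {
        return getClass().getName() + ":" + this.identifier;
    }
}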
