package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.enc.EncryptedKeyRefConsumer;
import com.ibm.ws.wssecurity.handler.PolicyInboundConfig;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.token.CertCacheManager;
import com.ibm.ws.wssecurity.util.CertificateUtil;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.NamespaceUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.util.WSSecurityFactoryBuilder;
import com.ibm.ws.wssecurity.wssapi.CommonContentConsumer;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.KeyInfo;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import java.security.AccessController;
import java.security.Key;
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/X509ConsumeLoginModule.class */
public class X509ConsumeLoginModule implements LoginModule {
    // Component id string; not referenced in the visible portion of this class.
    private static final String comp = "security.wssecurity";
    // Callback handler supplied by initialize(); login() runs its callbacks through it.
    private CallbackHandler _handler;
    // Token resolved by login() and published to the token manager / context by commit().
    private SecurityToken _token;
    // Token manager taken from the callback context in login(); receives _token in commit().
    private SecurityTokenManager _securityTokenManager;
    // Property map returned by the PropertyCallback in login(); shared with the consumer pipeline.
    private Map<Object, Object> _context;
    // Property key; not referenced in the visible portion of this class.
    public static final String KEYSTORE_LIMITS_ACCESS = "com.ibm.wsspi.wssecurity.consumer.callbackHandlerKeystoreLimitsAccess";
    // Trace component for entry/exit/debug tracing throughout this class.
    private static final TraceComponent tc = Tr.register(X509ConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Fully qualified class name used as the location prefix in Tr.processException calls.
    private static final String clsName = X509ConsumeLoginModule.class.getName();
    // Platform-specific X509 token implementation name, resolved once at class load.
    private static final String _factoryKey = (String) WSSecurityFactoryBuilder.getImplClassName("com.ibm.ws.wssecurity.platform.X509Token");
    // Factory that produces X509TokenImpl instances (see login()).
    private static final TokenFactory _tokenFactory = TokenFactoryFactory.getTokenFactory(_factoryKey);

    /**
     * JAAS initialization: retains only the {@link CallbackHandler}. The subject, shared
     * state and options are accepted for the interface but not used by this module.
     *
     * @param subject ignored
     * @param callbackHandler handler that {@link #login()} drives to obtain the X.509 consume
     *        callback and the property map
     * @param map shared state, ignored
     * @param map2 options, ignored
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        _handler = callbackHandler;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    /**
     * JAAS login phase for an inbound X.509 token.
     * <p>
     * Runs the {@link X509ConsumeCallback} and {@link PropertyCallback} through the handler,
     * rejects any configured token type other than the X.509v3 variants, and then resolves the
     * token by one of three routes: an {@code EncryptedKey} processing element, an embedded or
     * untyped KeyInfo (the processing element itself), or a KeyInfo reference resolved against
     * the token manager and keystore.
     *
     * @return {@code true} once {@code _token} has been resolved
     * @throws LoginException on any failure; the failing exception's text is folded into the
     *         message, which also applies to the type mismatch detected here
     */
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        final X509ConsumeCallback consumeCallback = new X509ConsumeCallback();
        final PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            _handler.handle(new Callback[]{consumeCallback, propertyCallback});
            _context = propertyCallback.getProperties();
            final TokenConsumerConfig config = (TokenConsumerConfig) _context.get(TokenConsumerConfig.CONFIG_KEY);
            // The token is forwardable unless the property is present and says "false" (any case).
            final String forwardableProp = (String) config.getProperties().get(Constants.TOKEN_FORWARDABLE);
            final boolean forwardable = forwardableProp == null || !forwardableProp.equalsIgnoreCase("false");
            final X509TokenImpl token = (X509TokenImpl) _tokenFactory.getToken(forwardable);
            // Registered before any validation so error handling can refer to the partially built token.
            _context.put(Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING, token);
            final QName type = config.getType();
            final boolean x509v3Type = com.ibm.ws.wssecurity.common.Constants.X509V3.equals(type)
                    || com.ibm.ws.wssecurity.common.Constants.X509V3_OLD.equals(type)
                    || com.ibm.ws.wssecurity.common.Constants.X509V3_11_V3.equals(type);
            if (!x509v3Type) {
                // Deliberately thrown inside the try: the catch below traces and re-wraps it.
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PrivateConsumerConfig.s30", new String[]{type.toString(), com.ibm.ws.wssecurity.common.Constants.X509V3.toString() + " or " + com.ibm.ws.wssecurity.common.Constants.X509V3_OLD.toString() + " or " + com.ibm.ws.wssecurity.common.Constants.X509V3_11_V3.toString()}));
            }
            final MessageContext messageContext = (MessageContext) _context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            final CertCacheManager certCache = (CertCacheManager) _context.get(CertCacheManager.class);
            _securityTokenManager = (SecurityTokenManager) _context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            final String keyInfoType = (String) _context.get(Constants.WSSECURITY_KEYINFO_TYPE);
            final OMElement element = (OMElement) _context.get("com.ibm.ws.wssecurity.constants.processingElement");
            // Without a KeyInfo type every classification is false and the element itself is consumed.
            final boolean noKeyInfoType = keyInfoType == null;
            final boolean isKeyName = !noKeyInfoType && ConfigUtil.isKeyInfoKeyname(keyInfoType);
            final boolean isKeyId = !noKeyInfoType && ConfigUtil.isKeyInfoKeyid(keyInfoType);
            final boolean isStrRef = !noKeyInfoType && ConfigUtil.isKeyInfoStrref(keyInfoType);
            final boolean isEmbedded = !noKeyInfoType && ConfigUtil.isKeyInfoEmb(keyInfoType);
            final boolean isIssuerSerial = !noKeyInfoType && ConfigUtil.isKeyInfoX509issuer(keyInfoType);
            final boolean isThumbprint = !noKeyInfoType && ConfigUtil.isKeyInfoThumbprint(keyInfoType);
            final boolean isEncryptedKey = element != null && "EncryptedKey".equals(element.getLocalName());
            if (isEncryptedKey) {
                _token = processEKElement(token, consumeCallback, element, config, certCache, messageContext, _context, _securityTokenManager);
            } else if (noKeyInfoType || isEmbedded) {
                _token = processElement(token, consumeCallback, element, config, certCache, messageContext, noKeyInfoType, isEmbedded, _context);
            } else {
                _token = resolveKeyInfo(token, consumeCallback, config, certCache, messageContext, keyInfoType, isKeyName, isKeyId, isStrRef, isIssuerSerial, isThumbprint, _securityTokenManager, _context);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            return true;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".login", "143", this);
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e.toString()}));
        }
    }

    /**
     * JAAS commit phase: registers the token resolved by {@link #login()} with the token manager
     * and publishes it in the context under {@code WSSECURITY_TOKEN_PROCESSED}.
     *
     * @return always {@code true}
     * @throws LoginException never thrown here; declared by the {@link LoginModule} contract
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        final SecurityToken resolved = _token;
        _securityTokenManager.addToken(resolved);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The token hash value = " + resolved.hashCode());
        }
        _context.put(Constants.WSSECURITY_TOKEN_PROCESSED, resolved);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * JAAS abort phase. Nothing is undone here; the method only traces and reports
     * {@code false}.
     *
     * @return always {@code false}
     * @throws LoginException never thrown here; declared by the {@link LoginModule} contract
     */
    public boolean abort() throws LoginException {
        final String probe = "abort()";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, probe);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, probe);
        }
        return false;
    }

    /**
     * JAAS logout phase. No state is cleared; the method only traces and reports
     * {@code false}.
     *
     * @return always {@code false}
     * @throws LoginException never thrown here; declared by the {@link LoginModule} contract
     */
    public boolean logout() throws LoginException {
        final String probe = "logout()";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, probe);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, probe);
        }
        return false;
    }

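    /**
     * Consumes an {@code EncryptedKey} element: resolves the certificate and private key named
     * by its {@code KeyInfo} child through the configured keystore, decrypts (unwraps) the
     * encrypted key with that private key, and stores the result on the token.
     *
     * @param x509TokenImpl token being populated; receives the element, the unwrapped key and its id
     * @param x509ConsumeCallback keystore location, credentials and trust settings
     * @param oMElement the {@code EncryptedKey} element under processing
     * @param tokenConsumerConfig consumer configuration for this token
     * @param certCacheManager certificate cache, may be {@code null}
     * @param messageContext current message context
     * @param map processing context; the consumer config's algorithm suite is read from it
     * @param securityTokenManager holder of previously consumed tokens
     * @return the populated {@code x509TokenImpl}
     * @throws LoginException wrapping any failure from KeyInfo resolution or key decryption
     */
    private static final SecurityToken processEKElement(X509TokenImpl x509TokenImpl, X509ConsumeCallback x509ConsumeCallback, OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, CertCacheManager certCacheManager, MessageContext messageContext, Map<Object, Object> map, SecurityTokenManager securityTokenManager) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("processEKElement(");
            entry.append("X509TokenImpl x509Token, X509ConsumeCallback x509Callback, ");
            entry.append("OMElement target[").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            entry.append("TokenConsumerConfig config, CertCacheManager cmanager, ");
            entry.append("SOAPMessageContext messageContext, ");
            entry.append("Map context)");
            Tr.entry(tc, entry.toString());
        }
        // The algorithm suite from the inbound policy config is handed to the key decryption step.
        String algorithmSuite = ((PolicyInboundConfig) ((WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey"))).getAlgorithmSuite();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The Algorithm Suite = " + algorithmSuite);
        }
        x509TokenImpl.setXML(new OMStructure(oMElement));
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Need decrypt encryptedKey");
            }
            // Locate the KeyInfo child. The loop intentionally does not stop at the first match
            // (last KeyInfo child wins, as before). keyInfoElement stays null when there is none;
            // the resolver's handling of null is not visible here.
            OMElement keyInfoElement = null;
            Iterator childElements = oMElement.getChildElements();
            while (childElements.hasNext()) {
                OMElement child = (OMElement) childElements.next();
                if ("KeyInfo".equals(child.getLocalName())) {
                    keyInfoElement = child;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found KeyInfo Element");
                    }
                }
            }
            // Resolve the KeyInfo into a copy of the context so the key-reference entries it
            // populates do not leak into the caller's context.
            Map<Object, Object> copyContext = EncryptedKeyRefConsumer.copyContext(map);
            EncryptedKeyRefConsumer.populateContext(CommonContentConsumer.resolveKeyInfo(keyInfoElement, copyContext), copyContext);
            String keyInfoType = (String) copyContext.get(Constants.WSSECURITY_KEYINFO_TYPE);
            // Resolves the consumer's own certificate/private key via the keystore and sets them on
            // x509TokenImpl (slot 64 = private-or-secret key). The return value is ignored.
            // NOTE(review): when resolveKeyInfo finds an already-stored token instead, x509TokenImpl
            // is not populated and getKey(64) below may be null — confirm against the resolver.
            resolveKeyInfo(x509TokenImpl, x509ConsumeCallback, tokenConsumerConfig, certCacheManager, messageContext, keyInfoType,
                    ConfigUtil.isKeyInfoKeyname(keyInfoType), ConfigUtil.isKeyInfoKeyid(keyInfoType), ConfigUtil.isKeyInfoStrref(keyInfoType),
                    ConfigUtil.isKeyInfoX509issuer(keyInfoType), ConfigUtil.isKeyInfoThumbprint(keyInfoType), securityTokenManager, copyContext);
            Key unwrappedKey = EncryptedKeyRefConsumer.decryptEncryptedKey(oMElement, x509TokenImpl.getKey(64), algorithmSuite, copyContext);
            // The unwrapped key replaces both key slots of the token.
            x509TokenImpl.setKey(63, unwrappedKey);
            x509TokenImpl.setKey(64, unwrappedKey);
            QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
            }
            // An element without an id attribute yields a null token id.
            String tokenId = idAttributeName == null ? null : oMElement.getAttributeValue(idAttributeName);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The identifier of the token is [" + tokenId + "]");
            }
            x509TokenImpl.setId(tokenId);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The X509Token hash value = " + x509TokenImpl.hashCode());
            }
            if (tc.isEntryEnabled()) {
                StringBuilder exit = new StringBuilder("processEKElement(");
                exit.append("X509TokenImpl, OMElement, TokenConsumerConfig, CertCacheManager, ");
                exit.append("SOAPMessageContext, boolean, boolean, SecurityTokenManager, Map)");
                exit.append(" returns X509TokenImpl[").append(x509TokenImpl).append("]");
                Tr.exit(tc, exit.toString());
            }
            return x509TokenImpl;
        } catch (Exception e) {
            // Trace location names this method (it previously reported resolveKeyInfo).
            Tr.processException(e, clsName + ".processEKElement", "416");
            throw new LoginException(e.toString());
        }
    }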

    /**
     * Public entry point that delegates to {@link #resolveKeyInfo} unchanged, adding only an
     * entry/exit trace frame. Parameters and result are those of {@code resolveKeyInfo}.
     *
     * @throws LoginException propagated from {@code resolveKeyInfo}
     */
    public static final SecurityToken resolveX509KeyInfo(X509TokenImpl x509TokenImpl, X509ConsumeCallback x509ConsumeCallback, TokenConsumerConfig tokenConsumerConfig, CertCacheManager certCacheManager, MessageContext messageContext, String str, boolean z, boolean z2, boolean z3, boolean z4, boolean z5, SecurityTokenManager securityTokenManager, Map<Object, Object> map) throws LoginException {
        final String probe = "resolveX509KeyInfo";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, probe);
        }
        final SecurityToken resolved = resolveKeyInfo(x509TokenImpl, x509ConsumeCallback, tokenConsumerConfig, certCacheManager, messageContext, str, z, z2, z3, z4, z5, securityTokenManager, map);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, probe);
        }
        return resolved;
    }

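    /**
     * Resolves the X.509 token referenced by a {@code KeyInfo} of the given type.
     * <p>
     * For a security-token reference ({@code z3}) the already-consumed token is looked up in the
     * token manager by its reference id. Otherwise an identifier is derived from the KeyInfo
     * values in the context (key identifier, thumbprint, key name, or {@code issuer:serial}) and
     * looked up the same way; only when no stored token exists is the certificate taken from the
     * certificate cache or, failing that, from the keystore named by the callback. A
     * keystore-resolved certificate must match the identifier carried in the message, is passed
     * to {@link #validateX509} unless the callback trusts any certificate, is cached, and is then
     * set on {@code x509TokenImpl} together with the keystore's public/private (or secret) keys.
     *
     * @param x509TokenImpl token to populate when the certificate is resolved from the keystore;
     *        declared final so the privileged action below can capture it
     * @param x509ConsumeCallback keystore location, credentials and trust settings
     * @param tokenConsumerConfig consumer config used when looking up stored tokens
     * @param certCacheManager certificate cache, may be {@code null}
     * @param messageContext current message context (not read by this method)
     * @param str the KeyInfo type name, used for tracing only
     * @param z KeyInfo is a KeyName
     * @param z2 KeyInfo is a KeyIdentifier
     * @param z3 KeyInfo is a SecurityTokenReference to a consumed token
     * @param z4 KeyInfo is an X509IssuerSerial
     * @param z5 KeyInfo is a thumbprint reference
     * @param securityTokenManager holder of previously consumed tokens
     * @param map processing context carrying the KeyInfo values and receiving audit data
     * @return the stored token when one was found, otherwise {@code x509TokenImpl}
     * @throws LoginException if no keystore is configured, the keystore entry does not match the
     *         identifier in the message, or any cache / keystore / validation step fails
     */
    private static final SecurityToken resolveKeyInfo(final X509TokenImpl x509TokenImpl, X509ConsumeCallback x509ConsumeCallback, TokenConsumerConfig tokenConsumerConfig, CertCacheManager certCacheManager, MessageContext messageContext, String str, boolean z, boolean z2, boolean z3, boolean z4, boolean z5, SecurityTokenManager securityTokenManager, Map<Object, Object> map) throws LoginException {
        SecurityToken securityToken;
        if (tc.isEntryEnabled()) {
            StringBuilder stringBuffer = new StringBuilder("resolveKeyInfo(");
            stringBuffer.append("X509TokenImpl x509Token, X509ConsumeCallback x509Callback, ");
            stringBuffer.append("TokenConsumerConfig config, CertCacheManager cmanager, ");
            stringBuffer.append("SOAPMessageContext messageContext, ");
            stringBuffer.append("String keyInfoType[").append(str).append("], ");
            stringBuffer.append("boolean isKeyName[").append(z).append("], ");
            stringBuffer.append("boolean isKeyId[").append(z2).append("], ");
            stringBuffer.append("boolean isStrref[").append(z3).append("], ");
            stringBuffer.append("boolean isX509[").append(z4).append("], ");
            stringBuffer.append("boolean isThumbprint[").append(z5).append("], ");
            stringBuffer.append("SecurityTokenManager securityTokenManager, Map context)");
            Tr.entry(tc, stringBuffer.toString());
        }
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator wSSAuditEventGeneratorFactory = WSSAuditEventGeneratorFactory.getInstance();
        // z6: an authentication audit record (success or denied) is wanted for this message.
        boolean z6 = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, map) || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED, map);
        // z7: a signing or encryption audit record is wanted; drives the key-audit flag passed to validateX509.
        boolean z7 = (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, WSSAuditService.WSSAuditOutcome.SUCCESS, map) || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, WSSAuditService.WSSAuditOutcome.DENIED, map)) || (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, WSSAuditService.WSSAuditOutcome.SUCCESS, map) || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, WSSAuditService.WSSAuditOutcome.DENIED, map));
        if (z3) {
            // Security-token reference: the referenced token must already have been consumed and stored.
            String str2 = (String) map.get(Constants.WSSECURITY_KEY_REFERENCE);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token identifier is [" + str2 + "]");
            }
            SecurityToken token = securityTokenManager.getToken(tokenConsumerConfig, str2);
            if (token == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WARNING: SecurityToken whose identifier is \"" + str2 + "\" was not found in the Subject.");
                }
                // Falls back to the incoming token object; nothing is set on it in this branch.
                securityToken = x509TokenImpl;
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is the token [" + str2 + "] stored in the Subject.");
                }
                securityToken = token;
            }
        } else {
            // Derive the lookup identifier from whichever KeyInfo form was parsed into the context.
            // str3 stays null when none of the flags apply (or issuer/serial is incomplete).
            String str3 = null;
            String str4 = null;
            String str5 = null;
            if (z2) {
                str3 = (String) map.get(Constants.WSSECURITY_KEY_ID);
            } else if (z5) {
                str3 = (String) map.get(Constants.WSSECURITY_KEY_THUMBPRINT_REFERENCE);
            } else if (z) {
                str3 = (String) map.get(Constants.WSSECURITY_KEY_NAME);
            } else if (z4) {
                str4 = (String) map.get(Constants.WSSECURITY_KEY_ISSUERNAME);
                str5 = (String) map.get(Constants.WSSECURITY_KEY_ISSUERSERIAL);
                if (str4 != null && str5 != null) {
                    str3 = str4 + ":" + str5;
                }
            }
            SecurityToken token2 = securityTokenManager.getToken(tokenConsumerConfig, str3);
            if (token2 == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no token [" + str3 + "] stored in the Subject.");
                }
                x509TokenImpl.setId(str3);
                // Without a keystore there is no way to resolve or trust the referenced certificate.
                if (!x509ConsumeCallback.existKeyStore()) {
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6810E", new String[]{str3}));
                }
                X509Certificate x509Certificate = null;
                if (certCacheManager != null) {
                    // A cache hit skips both the identifier match and the validateX509 call below
                    // (they sit under "if (x509Certificate == null)"), so the cache is trust-bearing:
                    // here it is only written after those checks; any other writer is assumed to
                    // apply the same checks.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Checking the cached X509Certificate object with the key[" + str3 + "].");
                    }
                    try {
                        Certificate cachedCert = certCacheManager.getCachedCert(str3);
                        if (cachedCert == null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "There is no cached certificiate.");
                            }
                        } else if (cachedCert instanceof X509Certificate) {
                            x509Certificate = (X509Certificate) cachedCert;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "The X509Certificate [" + x509Certificate.getSubjectDN().getName() + "] was found.");
                            }
                        } else if (tc.isDebugEnabled()) {
                            StringBuilder stringBuffer2 = new StringBuilder("The certificate [");
                            stringBuffer2.append(cachedCert.getClass().getName());
                            stringBuffer2.append("] was found, but it's not the X509Certificate object.");
                            Tr.debug(tc, stringBuffer2.toString());
                        }
                    } catch (SoapSecurityException e) {
                        Tr.processException(e, clsName + ".resolveKeyInfo", "410");
                        throw new LoginException(e.toString());
                    }
                }
                try {
                    KeyStoreManager keyStoreManager = KeyStoreManager.getInstance();
                    // The keystore reference stands in for the path when no path was configured.
                    String keyStorePath = x509ConsumeCallback.getKeyStorePath();
                    if (keyStorePath == null) {
                        keyStorePath = x509ConsumeCallback.getKeyStoreReference();
                    }
                    KeyStoreManager.KeyInformation keyInformation = keyStoreManager.getKeyInformation(keyStorePath, x509ConsumeCallback.getKeyStoreType(), x509ConsumeCallback.getKeyStorePassword(), x509ConsumeCallback.getKeyStoreReference(), x509ConsumeCallback.getAlias(), x509ConsumeCallback.getKeyPassword(), x509ConsumeCallback.getKeyName());
                    if (x509Certificate == null) {
                        try {
                            if (z2) {
                                // KeyIdentifier: the ValueType must be an SKI type; the encoding
                                // (base64/hex) and id type (SHA-1 variants) select which keystore-derived
                                // identifier the message value has to equal.
                                QName qName = (QName) map.get(Constants.WSSECURITY_KEY_VALUETYPE);
                                if (qName == null) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier02"));
                                }
                                if (!com.ibm.ws.wssecurity.common.Constants.X509_SKI.equals(qName) && !com.ibm.ws.wssecurity.common.Constants.X509_SKI_OLD.equals(qName)) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier03", new String[]{com.ibm.ws.wssecurity.common.Constants.X509_SKI.toString() + " or " + com.ibm.ws.wssecurity.common.Constants.X509_SKI_OLD.toString(), qName.toString()}));
                                }
                                QName qName2 = (QName) map.get(Constants.WSSECURITY_KEY_IDTYPE);
                                QName qName3 = (QName) map.get(Constants.WSSECURITY_KEY_ENCODING);
                                String b64KeyId;
                                if (qName3 == null || NamespaceUtil.equals(qName3, com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY)) {
                                    if (qName2 == null || NamespaceUtil.equals(qName2, com.ibm.ws.wssecurity.common.Constants.ITSHA1)) {
                                        b64KeyId = keyInformation.getB64KeyId();
                                    } else {
                                        if (!NamespaceUtil.equals(qName2, com.ibm.ws.wssecurity.common.Constants.IT60SHA1)) {
                                            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier01") + ": " + qName2);
                                        }
                                        b64KeyId = keyInformation.getB64KeyId60();
                                    }
                                } else {
                                    if (!NamespaceUtil.equals(qName3, com.ibm.ws.wssecurity.common.Constants.HEX_BINARY)) {
                                        throw new LoginException(ConfigUtil.getMessage("security.wssecurity.BinaryTokenReceiver.token15", new String[]{qName3.toString()}));
                                    }
                                    if (qName2 == null || NamespaceUtil.equals(qName2, com.ibm.ws.wssecurity.common.Constants.ITSHA1)) {
                                        b64KeyId = keyInformation.getHexKeyId();
                                    } else {
                                        if (!NamespaceUtil.equals(qName2, com.ibm.ws.wssecurity.common.Constants.IT60SHA1)) {
                                            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier01") + ": " + qName2);
                                        }
                                        b64KeyId = keyInformation.getHexKeyId60();
                                    }
                                }
                                // The identifier in the message must name the configured keystore entry.
                                if (!str3.equals(b64KeyId)) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6811E", new String[]{str3, b64KeyId, x509ConsumeCallback.getKeyStorePath()}));
                                }
                            } else if (z5) {
                                // Thumbprint reference: ValueType must be ThumbprintSHA1; encoding picks base64 or hex.
                                QName qName4 = (QName) map.get(Constants.WSSECURITY_KEY_VALUETYPE);
                                if (qName4 == null) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier02"));
                                }
                                if (!com.ibm.ws.wssecurity.common.Constants.THUMBPRINTSHA1.equals(qName4)) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.generateIdentifier03", new String[]{com.ibm.ws.wssecurity.common.Constants.THUMBPRINTSHA1.toString(), qName4.toString()}));
                                }
                                QName qName5 = (QName) map.get(Constants.WSSECURITY_KEY_ENCODING);
                                String b64Thumbprint;
                                if (qName5 == null || NamespaceUtil.equals(qName5, com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY)) {
                                    b64Thumbprint = keyInformation.getB64Thumbprint();
                                } else {
                                    if (!NamespaceUtil.equals(qName5, com.ibm.ws.wssecurity.common.Constants.HEX_BINARY)) {
                                        throw new LoginException(ConfigUtil.getMessage("security.wssecurity.BinaryTokenReceiver.token15", new String[]{qName5.toString()}));
                                    }
                                    b64Thumbprint = keyInformation.getHexThumbprint();
                                }
                                // The thumbprint in the message must match the configured keystore entry.
                                if (!str3.equals(b64Thumbprint)) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6811E", new String[]{str3, b64Thumbprint, x509ConsumeCallback.getKeyStorePath()}));
                                }
                            } else if (z) {
                                // KeyName: compared against the keystore entry's subject DN after DN normalisation
                                // (the raw name is used when encodeDName yields null).
                                String encodeDName = KeyInfo.X509Data.encodeDName(str3);
                                if (encodeDName == null) {
                                    encodeDName = str3;
                                }
                                String subjectDN = keyInformation.getSubjectDN();
                                if (!encodeDName.equals(subjectDN)) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6812E", new String[]{encodeDName, subjectDN, x509ConsumeCallback.getKeyStorePath()}));
                                }
                            } else if (z4) {
                                // IssuerSerial: both the issuer DN and the serial must match the keystore entry.
                                String encodeDName2 = KeyInfo.X509Data.encodeDName(str4);
                                if (encodeDName2 == null) {
                                    encodeDName2 = str4;
                                }
                                String issuerDN = keyInformation.getIssuerDN();
                                if (!encodeDName2.equals(issuerDN)) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6813E", new String[]{encodeDName2, issuerDN, x509ConsumeCallback.getKeyStorePath()}));
                                }
                                String issuerSerial = keyInformation.getIssuerSerial();
                                if (!str5.equals(issuerSerial)) {
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6813E", new String[]{str5, issuerSerial, x509ConsumeCallback.getKeyStorePath()}));
                                }
                            }
                            x509Certificate = (X509Certificate) keyInformation.getCertificate();
                            if (!x509ConsumeCallback.isTrustAnyCertificate()) {
                                // Tells validateX509 to emit verbose key-audit data when signing/encryption auditing is on.
                                if (z7 && auditService.isVerbose()) {
                                    map.put("isKeyAuditEnabled", Boolean.valueOf(z7));
                                }
                                // Certificate validation is skipped entirely when the callback trusts any certificate.
                                validateX509(x509Certificate, x509ConsumeCallback, tokenConsumerConfig, map);
                            }
                            if (certCacheManager != null) {
                                // Cached after the checks above; a later hit for the same identifier will not repeat them.
                                try {
                                    certCacheManager.cacheCert(str3, x509Certificate);
                                } catch (SoapSecurityException e2) {
                                    Tr.processException(e2, clsName + ".resolveKeyInfo", "615");
                                    throw new LoginException(e2.toString());
                                }
                            }
                        } catch (SoapSecurityException e3) {
                            Tr.processException(e3, clsName + ".resolveKeyInfo", "620");
                            throw new LoginException(e3.toString());
                        }
                    }
                    if (z6) {
                        // Authentication audit data; assumes x509Certificate is non-null at this point.
                        // getSubjectDN()/getIssuerDN() are deprecated but kept: their string form feeds the audit record.
                        Map<String, Object> extendedAuditData = wSSAuditEventGeneratorFactory.setExtendedAuditData(map, WSSAuditEventGenerator.TRUSTANY, Boolean.toString(x509ConsumeCallback.isTrustAnyCertificate()));
                        wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.CERTDN, x509Certificate.getSubjectDN().getName());
                        wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.CERTISSUER, x509Certificate.getIssuerDN().getName());
                        wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.KEYSTORE, keyInformation.toString());
                        if (auditService.isVerbose()) {
                            try {
                                wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.X509_CERT, Base64.encode(x509Certificate.getEncoded()));
                            } catch (CertificateEncodingException e4) {
                                // Best effort: the audit record simply lacks the encoded certificate.
                                Tr.processException(e4, clsName + ".validateX509", "916");
                            }
                        }
                    }
                    try {
                        final X509Certificate x509Certificate2 = x509Certificate;
                        final byte[] binary = keyInformation.getBinary();
                        // The token setters run under doPrivileged; the final parameter x509TokenImpl is
                        // captured directly (a static method has no enclosing instance to refer to).
                        AccessController.doPrivileged(new PrivilegedAction<Object>() {
                            @Override
                            public Object run() {
                                x509TokenImpl.setCertificate(x509Certificate2);
                                x509TokenImpl.setBinary(binary);
                                return null;
                            }
                        });
                        // Key slots: 63 = public-or-secret key, 64 = private-or-secret key.
                        x509TokenImpl.setKey(63, keyInformation.getPublicOrSecretKey());
                        x509TokenImpl.setKey(64, keyInformation.getPrivateOrSecretKey());
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "resolveKeyInfo, The X509Token hash value = " + x509TokenImpl.hashCode());
                        }
                        securityToken = x509TokenImpl;
                    } catch (SoapSecurityException e5) {
                        Tr.processException(e5, clsName + ".resolveKeyInfo", "636");
                        throw new LoginException(e5.toString());
                    }
                } catch (SoapSecurityException e6) {
                    Tr.processException(e6, clsName + ".resolveKeyInfo", "443");
                    throw new LoginException(e6.toString());
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is the token [" + str3 + "] stored in the Subject.");
                }
                securityToken = token2;
            }
        }
        if (z6 && securityToken != null) {
            wSSAuditEventGeneratorFactory.setExtendedAuditData(map, WSSAuditEventGenerator.TOKEN_ID, securityToken.getId());
        }
        if (tc.isEntryEnabled()) {
            StringBuilder stringBuffer3 = new StringBuilder("resolveKeyInfo(");
            stringBuffer3.append("X509TokenImpl, X509ConsumeCallback, TokenConsumerConfig, ");
            stringBuffer3.append("CertCacheManager, SOAPMessageContext, String, boolean, boolean, ");
            stringBuffer3.append("boolean, boolean, Map)");
            stringBuffer3.append(" returns SecurityToken[").append(securityToken).append("]");
            Tr.exit(tc, stringBuffer3.toString());
        }
        return securityToken;
    }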

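    /**
     * Builds an {@link X509TokenImpl} from a token element found in the inbound message.
     * <p>
     * The element's text is treated as the Base64 encoding of a single X.509 certificate. The
     * certificate is taken from {@code certCacheManager} when an entry exists for that encoding;
     * otherwise it is decoded, validated through {@link #validateX509} (skipped entirely when the
     * callback is configured to trust any certificate) and then cached. Finally the token's keys
     * are filled in: from the callback's keystore when one is configured, else with the
     * certificate's own public key.
     *
     * @param x509TokenImpl token to populate (XML, id, certificate, binary and keys are set on it)
     * @param x509ConsumeCallback consumer callback carrying the trust settings and keystore details
     * @param oMElement the token element in the inbound message
     * @param tokenConsumerConfig token consumer configuration; used for the cache key and PKIX parameters
     * @param certCacheManager certificate cache, or {@code null} to skip caching
     * @param messageContext message context; not read by this method
     * @param z {@code true} when the element is referenced directly (id read from the element's id attribute)
     * @param z2 {@code true} when the element is embedded (id read from {@code Constants.WSSECURITY_KEY_EMBID} in {@code map})
     * @param map per-request context; read for the id, the audit requirements and the keystore-limits property
     * @return {@code x509TokenImpl}, populated
     * @throws LoginException when the certificate cannot be decoded, validated or cached, or does not
     *         match the certificate of the configured keystore entry
     */
    private static final SecurityToken processElement(final X509TokenImpl x509TokenImpl, X509ConsumeCallback x509ConsumeCallback, OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, CertCacheManager certCacheManager, MessageContext messageContext, boolean z, boolean z2, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("processElement(");
            entry.append("X509TokenImpl x509Token, X509ConsumeCallback x509Callback, ");
            entry.append("OMElement target[").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            entry.append("TokenConsumerConfig config, CertCacheManager cmanager, ");
            entry.append("SOAPMessageContext messageContext, ");
            entry.append("boolean isNone[").append(z).append("], ");
            entry.append("boolean isEmb[").append(z2).append("], ");
            entry.append("Map context)");
            Tr.entry(tc, entry.toString());
        }
        x509TokenImpl.setXML(new OMStructure(oMElement));
        // Token id: the element's own id attribute for a direct reference, the embedded id from the
        // context for an embedded token, null otherwise.
        String tokenId = null;
        if (z) {
            QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
            }
            if (idAttributeName != null) {
                tokenId = oMElement.getAttributeValue(idAttributeName);
            }
        } else if (z2) {
            tokenId = (String) map.get(Constants.WSSECURITY_KEY_EMBID);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier of the token is [" + tokenId + "]");
        }
        x509TokenImpl.setId(tokenId);
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator wSSAuditEventGeneratorFactory = WSSAuditEventGeneratorFactory.getInstance();
        // Authentication audit: record certificate details on the token.
        boolean authnAuditOn = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, map) || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED, map);
        // Signing/encryption audit: asks validateX509 to audit the certificate chain as well.
        boolean keyAuditOn = (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, WSSAuditService.WSSAuditOutcome.SUCCESS, map) || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_SIGNING, WSSAuditService.WSSAuditOutcome.DENIED, map)) || (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, WSSAuditService.WSSAuditOutcome.SUCCESS, map) || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_ENCRYPTION, WSSAuditService.WSSAuditOutcome.DENIED, map));
        String stringValue = DOMUtils.getStringValue(oMElement);
        X509Certificate x509Certificate = null;
        byte[] encodedCert = null;
        // The cache key is derived from the Base64 text taken from the message (exact derivation is
        // CertificateUtil's concern). A hit below skips decoding and validateX509 entirely; entries
        // only get inserted after the validate / trust-any decision further down.
        String buildCertIndex = CertificateUtil.buildCertIndex(stringValue, tokenConsumerConfig, true);
        if (certCacheManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking the cached X509Certificate object with the key[" + buildCertIndex + "].");
            }
            try {
                Certificate cachedCert = certCacheManager.getCachedCert(buildCertIndex);
                if (cachedCert == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is no cached certificiate.");
                    }
                } else if (cachedCert instanceof X509Certificate) {
                    x509Certificate = (X509Certificate) cachedCert;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The X509Certificate [" + x509Certificate.getSubjectDN().getName() + "] was found.");
                    }
                    try {
                        encodedCert = x509Certificate.getEncoded();
                    } catch (CertificateEncodingException e) {
                        Tr.processException(e, clsName + ".processElement", "738");
                        Tr.error(tc, "security.wssecurity.WSEC0155E", e);
                        throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC0155E", new String[]{e.toString()}));
                    }
                } else if (tc.isDebugEnabled()) {
                    StringBuilder notX509 = new StringBuilder("The certificate [");
                    notX509.append(cachedCert.getClass().getName());
                    notX509.append("] was found, but it's not the X509Certificate object.");
                    Tr.debug(tc, notX509.toString());
                }
            } catch (SoapSecurityException e2) {
                Tr.processException(e2, clsName + ".processElement", "723");
                throw new LoginException(e2.toString());
            }
        }
        if (x509Certificate == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting the X509Certificate object through the LoginModule.");
            }
            if (stringValue != null) {
                encodedCert = Base64.decode(stringValue);
            }
            if (encodedCert == null) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathCallbackHandler.s02"));
            }
            try {
                x509Certificate = CertificateUtil.generateX509Certificate(encodedCert, null);
                // With trust-any configured no chain validation happens at all: the certificate (and
                // hence the public key used later) is accepted straight from the message.
                if (!x509ConsumeCallback.isTrustAnyCertificate()) {
                    if (keyAuditOn && auditService.isVerbose()) {
                        // Consumed (removed) by validateX509.
                        map.put("isKeyAuditEnabled", Boolean.valueOf(keyAuditOn));
                    }
                    validateX509(x509Certificate, x509ConsumeCallback, tokenConsumerConfig, map);
                }
                if (certCacheManager != null) {
                    try {
                        certCacheManager.cacheCert(buildCertIndex, x509Certificate);
                    } catch (SoapSecurityException e3) {
                        Tr.processException(e3, clsName + ".processElement", "787");
                        throw new LoginException(e3.toString());
                    }
                }
            } catch (Exception e4) {
                // Deliberately broad: also re-wraps the LoginExceptions raised by validateX509 and by
                // the cacheCert handler above, so every failure surfaces under WSSConsumer.s34.
                Tr.processException(e4, clsName + ".processElement", "772");
                Tr.error(tc, "security.wssecurity.WSSConsumer.s34", e4);
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSSConsumer.s34", new String[]{e4.toString()}));
            }
        }
        final X509Certificate x509Certificate2 = x509Certificate;
        final byte[] encodedCert2 = encodedCert;
        // The setters are invoked under doPrivileged; the captured final parameter is the token
        // being populated (the decompiled form referred to it as an enclosing instance).
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                x509TokenImpl.setCertificate(x509Certificate2);
                x509TokenImpl.setBinary(encodedCert2);
                return null;
            }
        });
        if (authnAuditOn) {
            Map<String, Object> extendedAuditData = wSSAuditEventGeneratorFactory.setExtendedAuditData(map, WSSAuditEventGenerator.TRUSTANY, Boolean.toString(x509ConsumeCallback.isTrustAnyCertificate()));
            wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.CERTDN, x509Certificate.getSubjectDN().getName());
            wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.CERTISSUER, x509Certificate.getIssuerDN().getName());
            wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.TOKEN_ID, tokenId);
            if (auditService.isVerbose()) {
                try {
                    wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.X509_CERT, Base64.encode(x509Certificate.getEncoded()));
                } catch (CertificateEncodingException e5) {
                    // Probe label corrected: this is processElement, not validateX509.
                    Tr.processException(e5, clsName + ".processElement", "916");
                }
            }
        }
        if (x509ConsumeCallback.existKeyStore()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "A keystore is configured on the callback handler.");
            }
            // NOTE(review): the branch taken for the "true" property value is decided inside
            // ConfigUtil.getIsFalseProperty; the debug text below implies this branch is the default.
            if (ConfigUtil.getIsFalseProperty(map, KEYSTORE_LIMITS_ACCESS)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Verifying that the current target subject matches the one configured in the callback handler.");
                }
                try {
                    KeyStoreManager keyStoreManager = KeyStoreManager.getInstance();
                    String keyStorePath = x509ConsumeCallback.getKeyStorePath();
                    if (keyStorePath == null) {
                        keyStorePath = x509ConsumeCallback.getKeyStoreReference();
                    }
                    KeyStoreManager.KeyInformation keyInformation = keyStoreManager.getKeyInformation(keyStorePath, x509ConsumeCallback.getKeyStoreType(), x509ConsumeCallback.getKeyStorePassword(), x509ConsumeCallback.getKeyStoreReference(), x509ConsumeCallback.getAlias(), x509ConsumeCallback.getKeyPassword(), x509ConsumeCallback.getKeyName());
                    X509Certificate x509Certificate3 = (X509Certificate) keyInformation.getCertificate();
                    // The message certificate must be the configured keystore entry itself; the
                    // failure message carries the local keystore path, so keep it out of responses.
                    if (!x509Certificate.equals(x509Certificate3)) {
                        throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6809E", new String[]{x509Certificate == null ? null : x509Certificate.getSubjectDN().getName(), x509Certificate3 == null ? null : x509Certificate3.getSubjectDN().getName(), x509ConsumeCallback.getKeyStorePath()}));
                    }
                    x509TokenImpl.setKey(63, keyInformation.getPublicOrSecretKey());
                    x509TokenImpl.setKey(64, keyInformation.getPrivateOrSecretKey());
                    if (authnAuditOn) {
                        wSSAuditEventGeneratorFactory.setExtendedAuditData(map, WSSAuditEventGenerator.KEYSTORE, keyInformation.toString());
                    }
                } catch (SoapSecurityException e6) {
                    Tr.processException(e6, clsName + ".processElement", "826");
                    throw new LoginException(e6.toString());
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "com.ibm.wsspi.wssecurity.consumer.callbackHandlerKeystoreLimitsAccess is set to false.");
                Tr.debug(tc, "Certificate in the message will not be compared against the configured keystore.");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no keystore is configured on the callback handler.");
            }
            // No keystore: the only key on the token is the public key of the message certificate.
            x509TokenImpl.setKey(63, x509Certificate.getPublicKey());
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The X509Token hash value = " + x509TokenImpl.hashCode());
        }
        if (tc.isEntryEnabled()) {
            StringBuilder exit = new StringBuilder("processElement(");
            exit.append("X509TokenImpl, OMElement, TokenConsumerConfig, CertCacheManager, ");
            exit.append("SOAPMessageContext, boolean, boolean, SecurityTokenManager, Map)");
            exit.append(" returns X509TokenImpl[").append(x509TokenImpl).append("]");
            Tr.exit(tc, exit.toString());
        }
        return x509TokenImpl;
    }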

    /**
     * Validates {@code x509Certificate} against the PKIX trust settings of the consumer callback.
     * <p>
     * The PKIX parameters are a private clone of the callback's configured parameters, or are built
     * fresh when none are configured. If {@code map} carries the {@code "isKeyAuditEnabled"} flag it
     * is removed here and, when {@code true}, the certificate chain is audited first. A failed
     * validation is retried exactly once with rebuilt parameters when
     * {@code Constants.RETRY_TRUST_AFTER_FAILURE} is enabled in {@code map}.
     *
     * @param x509Certificate certificate from the message to validate
     * @param x509ConsumeCallback callback supplying the configured PKIX parameters and provider
     * @param tokenConsumerConfig token consumer configuration used when (re)building parameters
     * @param map per-request context; the audit flag is removed from it as a side effect
     * @throws LoginException when validation (and the optional retry) fails
     */
    private static final void validateX509(X509Certificate x509Certificate, X509ConsumeCallback x509ConsumeCallback, TokenConsumerConfig tokenConsumerConfig, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            String subjectName = (x509Certificate == null) ? null : x509Certificate.getSubjectDN().getName();
            Tr.entry(tc, "X509ConsumeLoginModule.validateX509(X509Certificate x509[" + subjectName + "], X509ConsumeCallback x509Callback, TokenConsumerConfig tconfig, Map context)");
        }
        final PKIXBuilderParameters configuredParams = x509ConsumeCallback.getCertPathParameter();
        final PKIXBuilderParameters pkixParams;
        if (configuredParams != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Obtaining pkixBuilderParams from config object.");
            }
            // The configured instance is shared; clone it under its own monitor and work on the copy.
            synchronized (configuredParams) {
                pkixParams = (PKIXBuilderParameters) configuredParams.clone();
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "pkixBuilderParams was null.  Creating new object.");
            }
            pkixParams = CertificateUtil.createPKIXBuilderParameters(x509ConsumeCallback, tokenConsumerConfig, map);
        }
        final Provider provider = x509ConsumeCallback.getProvider();
        // One-shot flag set by the caller; it is consumed here so it cannot leak into later steps.
        final String auditFlagKey = "isKeyAuditEnabled";
        if (map.containsKey(auditFlagKey)) {
            Boolean auditRequested = (Boolean) map.remove(auditFlagKey);
            if (auditRequested.booleanValue()) {
                CertificateUtil.auditCertChain(x509Certificate, pkixParams, map);
            }
        }
        try {
            try {
                CertificateUtil.validateX509Certificate(x509Certificate, provider, pkixParams);
            } catch (Exception firstFailure) {
                boolean retryEnabled = ConfigUtil.getIsTrueProperty(map, Constants.RETRY_TRUST_AFTER_FAILURE);
                if (!retryEnabled) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "retryOnceAfterTrustFailure is not enabled, rethrowing exception.");
                    }
                    throw firstFailure;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Validation failed, rebuild pkixBuilderParams and try again.");
                }
                // Second and last attempt, with parameters rebuilt from the callback/config.
                PKIXBuilderParameters rebuiltParams = CertificateUtil.reCreatePKIXBuilderParameters(x509ConsumeCallback, tokenConsumerConfig, map);
                CertificateUtil.validateX509Certificate(x509Certificate, provider, rebuiltParams);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "X509ConsumeLoginModule.validateX509");
            }
        } catch (Exception failure) {
            // Either the rethrown first failure or the retry's failure ends up here as a LoginException.
            Tr.processException(failure, clsName + ".validateX509", "916");
            throw new LoginException(failure.toString());
        }
    }
}
