package com.ibm.ws.wssecurity.util;

import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.platform.auth.WSSContext;
import com.ibm.ws.wssecurity.platform.auth.WSSContextFactory;
import com.ibm.ws.wssecurity.wssapi.token.impl.AuthenticationTokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.DKToken;
import com.ibm.ws.wssecurity.wssapi.token.impl.KRB5TokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.SAMLTokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.SCT;
import com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.TokenFactory;
import com.ibm.ws.wssecurity.wssapi.token.impl.TokenFactoryFactory;
import com.ibm.ws.wssecurity.wssapi.token.impl.UsernameTokenImpl;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/util/TokenUtils.class */
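/**
 * Helpers for locating WS-Security tokens in a JAAS {@link Subject} and for
 * scrubbing the sensitive material (passwords, key bytes, derived/session
 * tokens) those tokens carry before the Subject is handed on.
 *
 * <p>All Subject access runs under {@link AccessController#doPrivileged} so
 * callers without the relevant {@code AuthPermission}s can still use it.
 * The scrub methods mutate token objects in place; the tokens themselves
 * stay in the Subject unless a {@code remove*}/{@code replace*} method says
 * otherwise.
 */
public class TokenUtils {
    // Retained from the shipped class even though nothing here reads them.
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc = Tr.register(TokenUtils.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = TokenUtils.class.getName();

    /** Context-map key under which the consumer configuration is stored. */
    private static final String CONSUMER_CONFIG_KEY = "com.ibm.wsspi.wssecurity.config.wssConsumer.configKey";

    private static final String _sctFactoryKey = (String) WSSecurityFactoryBuilder.getImplClassName("com.ibm.ws.wssecurity.platform.AuthnToken");
    private static final TokenFactory _sctTokenFactory = TokenFactoryFactory.getTokenFactory(_sctFactoryKey);

    /**
     * Returns every token of value type {@code qName} held by the run-as
     * Subject of {@code messageContext}.
     *
     * @param messageContext the Axis2 message context whose run-as Subject is consulted
     * @param qName          the token value type to match
     * @return matching tokens; empty (never {@code null}) when there is no run-as Subject
     * @throws SoapSecurityException if the Subject's credentials could not be read
     */
    public static ArrayList<SecurityToken> getTokenFromContext(MessageContext messageContext, QName qName) throws SoapSecurityException {
        return getTokenFromSubject(getRunAsSubject(messageContext), qName);
    }

    /**
     * Returns every {@link SecurityToken} in the Subject's private and public
     * credentials whose value type equals {@code qName}. Private credentials
     * are listed first.
     *
     * @param subject the Subject to search; {@code null} yields an empty list
     * @param qName   the token value type to match
     * @return matching tokens, never {@code null}
     * @throws SoapSecurityException if reading the credentials fails; the
     *         underlying exception is attached as the cause
     */
    public static ArrayList<SecurityToken> getTokenFromSubject(final Subject subject, final QName qName) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTokenFromSubject() entry... " + qName);
        }
        if (subject == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getSecurityTokenFromSubject() exits... ");
            }
            return new ArrayList<SecurityToken>();
        }
        try {
            ArrayList<SecurityToken> found = AccessController.doPrivileged(new PrivilegedExceptionAction<ArrayList<SecurityToken>>() {
                @Override
                public ArrayList<SecurityToken> run() {
                    ArrayList<SecurityToken> matches = new ArrayList<SecurityToken>();
                    collectMatching(subject.getPrivateCredentials(SecurityToken.class), qName, "PrivateCredential", matches);
                    collectMatching(subject.getPublicCredentials(SecurityToken.class), qName, "publicCredential", matches);
                    return matches;
                }
            });
            if (tc.isDebugEnabled()) {
                if (found.isEmpty()) {
                    Tr.debug(tc, "Could not find SecurityToken.");
                } else {
                    Tr.debug(tc, "Found SecurityToken from runAsSubject: " + found);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getSecurityTokenFromSubject() exits... ");
            }
            return found;
        } catch (Exception e) {
            throw asSoapSecurityException(e);
        }
    }

    /**
     * Returns the first {@link SecurityToken} in the Subject whose value type
     * equals {@code qName}, private credentials before public ones.
     *
     * @param subject the Subject to search; {@code null} yields {@code null}
     * @param qName   the token value type to match
     * @return the first matching token, or {@code null} when none matches
     * @throws SoapSecurityException if reading the credentials fails; the
     *         underlying exception is attached as the cause
     */
    public static SecurityToken getOneTokenFromSubject(final Subject subject, final QName qName) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getOneTokenFromSubject() entry... " + qName);
        }
        if (subject == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getOneTokenFromSubject() exits... ");
            }
            return null;
        }
        try {
            SecurityToken token = AccessController.doPrivileged(new PrivilegedExceptionAction<SecurityToken>() {
                @Override
                public SecurityToken run() {
                    // Scan the whole set: the first credential is not necessarily of the requested type.
                    SecurityToken match = firstMatching(subject.getPrivateCredentials(SecurityToken.class), qName, "PrivateCredential");
                    if (match == null) {
                        match = firstMatching(subject.getPublicCredentials(SecurityToken.class), qName, "publicCredential");
                    }
                    return match;
                }
            });
            if (tc.isDebugEnabled()) {
                if (token == null) {
                    Tr.debug(tc, "Could not find SecurityToken.");
                } else {
                    Tr.debug(tc, "Found SecurityToken from runAsSubject: " + token);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getOneTokenFromSubject() exits... ");
            }
            return token;
        } catch (Exception e) {
            throw asSoapSecurityException(e);
        }
    }

    /**
     * Appends every token in {@code candidates} whose value type equals
     * {@code qName} to {@code out}.
     *
     * @param candidates tokens to inspect
     * @param qName      value type to match
     * @param setName    credential-set label used only in trace output
     * @param out        receives the matches
     */
    private static void collectMatching(Iterable<SecurityToken> candidates, QName qName, String setName, ArrayList<SecurityToken> out) {
        for (SecurityToken token : candidates) {
            if (token == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "NO SecurityToken is found to be processed...");
                }
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found SecurityToken in " + setName + ": " + token.getId());
            }
            if (qName.equals(token.getValueType())) {
                out.add(token);
            }
        }
    }

    /**
     * Returns the first token in {@code candidates} whose value type equals
     * {@code qName}, or {@code null}.
     *
     * @param candidates tokens to inspect
     * @param qName      value type to match
     * @param setName    credential-set label used only in trace output
     * @return the first match or {@code null}
     */
    private static SecurityToken firstMatching(Iterable<SecurityToken> candidates, QName qName, String setName) {
        for (SecurityToken token : candidates) {
            if (token == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "NO SecurityToken is found to be processed...");
                }
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found SecurityToken in " + setName + ": " + token.getId());
            }
            if (qName.equals(token.getValueType())) {
                return token;
            }
        }
        return null;
    }

    /**
     * Converts a failure inside a privileged block into a
     * {@link SoapSecurityException} that keeps the real failure as its cause.
     *
     * <p>{@code doPrivileged} wraps checked exceptions in a
     * {@link PrivilegedActionException} whose own message is empty; unchecked
     * exceptions arrive unwrapped and have no cause of their own. Unwrapping
     * first, then attaching the real exception, covers both.
     *
     * @param e the exception caught around {@code doPrivileged}
     * @return the exception to throw to the caller
     */
    private static SoapSecurityException asSoapSecurityException(Exception e) {
        Throwable real = (e instanceof PrivilegedActionException) ? ((PrivilegedActionException) e).getException() : e;
        if (real == null) {
            real = e;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Exception getting SecurityToken from Subject.", new Object[]{real});
        }
        return new SoapSecurityException(real.getMessage(), real);
    }

    /**
     * Looks up the run-as Subject for {@code messageContext} through the
     * platform {@link WSSContext}.
     *
     * <p>This is best-effort: a missing context or a failure in the lookup is
     * traced and reported as {@code null} rather than thrown, matching what
     * callers such as {@link #getTokenFromContext} expect.
     *
     * @param messageContext the Axis2 message context
     * @return the run-as Subject, or {@code null} if none could be obtained
     */
    public static Subject getRunAsSubject(final MessageContext messageContext) {
        final WSSContext context = WSSContextFactory.getInstance();
        // Null-check before touching the context; the trace line below used to dereference it first.
        if (context == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No WSSContext is found. Return.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Not RunAsSubject exists");
            }
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found a WSSContext: " + context);
        }
        Subject subject = null;
        try {
            subject = AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() {
                @Override
                public Subject run() throws Exception {
                    return context.getRunAsSubject(messageContext);
                }
            });
        } catch (Exception e) {
            // Deliberately swallowed (best-effort lookup); keep the failure visible in trace.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to get RunAsSubject.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, subject != null ? "RunAsSubject NOT null" : "Not RunAsSubject exists");
        }
        return subject;
    }

    /**
     * Scrubs sensitive token data from {@code subject} unless the consumer
     * configuration in {@code map} opts out (see {@link #removePrivateData(Map)}).
     *
     * @param subject the Subject to scrub
     * @param map     the message-context map holding the consumer configuration
     */
    public static final void removePrivateData(Subject subject, Map<Object, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removePrivateData(Subject, context)");
        }
        if (removePrivateData(map)) {
            removePrivateData(subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removePrivateData(Subject, context)");
        }
    }

    /**
     * Clears secret material from every token in the Subject's public and
     * private credentials: UsernameToken passwords, SAML holder-of-key bytes,
     * Kerberos AP-REQ key bytes, and the key slots cleared by
     * {@link #removeKeys(SecurityTokenImpl)}. Tokens are mutated in place and
     * remain in the Subject.
     *
     * @param subject the Subject to scrub; {@code null} is a no-op
     */
    public static final void removePrivateData(final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removePrivateData(Subject)");
        }
        if (subject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No Subject; nothing to remove.");
            }
        } else {
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    scrubCredentials(subject.getPublicCredentials());
                    scrubCredentials(subject.getPrivateCredentials());
                    // The shipped code also walked subject.getPrincipals() re-adding any
                    // principal the set did not contain; iterating a set and testing
                    // contains() on that same set is always true, so it never did anything.
                    return null;
                }
            });
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removePrivateData(Subject)");
        }
    }

    /**
     * Clears secret material from each token in one credential set.
     *
     * <p>The {@code instanceof} order matters: the SAML and Kerberos cases run
     * their type-specific clears and then the generic
     * {@link #removeKeys(SecurityTokenImpl)}, and the generic case is kept last
     * so it only catches tokens without a more specific clear.
     *
     * @param credentials a Subject's public or private credential set
     */
    private static void scrubCredentials(Set<Object> credentials) {
        for (Object obj : credentials) {
            if (obj == null) {
                continue;
            }
            if (obj instanceof UsernameTokenImpl) {
                ((UsernameTokenImpl) obj).setPassword(null);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Remove password from UsernameToken: " + obj);
                }
            } else if (obj instanceof SAMLTokenImpl) {
                SAMLTokenImpl saml = (SAMLTokenImpl) obj;
                saml.setHolderOfKeyBytes(null);
                removeKeys(saml);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Remove Keys from SAMLToken: " + obj);
                }
            } else if (obj instanceof KRB5TokenImpl) {
                KRB5TokenImpl krb5 = (KRB5TokenImpl) obj;
                krb5.setAPREQKeyByte(null);
                removeKeys(krb5);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Remove keys from KRB5Token: " + obj);
                }
            } else if (obj instanceof SecurityTokenImpl) {
                removeKeys((SecurityTokenImpl) obj);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Remove keys from SecurityTokenImpl: " + obj);
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Public object already in Subject: " + obj);
            }
        }
    }

    /**
     * Replaces every {@link SCT} in {@code subject} with a key-less
     * placeholder unless the consumer configuration in {@code map} opts out
     * (see {@link #removePrivateData(Map)}).
     *
     * @param subject the Subject to process
     * @param map     the message-context map holding the consumer configuration
     */
    public static final void replaceSCT(Subject subject, Map<Object, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceSCT(Subject, context)");
        }
        if (removePrivateData(map)) {
            replaceSCT(subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "replaceSCT(Subject, context)");
        }
    }

    /**
     * Replaces every {@link SCT} in the Subject's public and private
     * credentials with an {@link AuthenticationTokenImpl} that carries only the
     * SCT's value type and unique id.
     *
     * @param subject the Subject to process; {@code null} is a no-op
     */
    public static final void replaceSCT(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceSCT(Subject)");
        }
        if (subject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No Subject; nothing to replace.");
            }
        } else {
            // Collect first: replaceToken edits the set we would otherwise be iterating.
            for (SCT sct : collectInstances(subject.getPublicCredentials(), SCT.class, "SCT")) {
                replaceToken(subject, true, sct, placeholderFor(sct));
            }
            for (SCT sct : collectInstances(subject.getPrivateCredentials(), SCT.class, "SCT")) {
                replaceToken(subject, false, sct, placeholderFor(sct));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "replaceSCT(Subject)");
        }
    }

    /**
     * Builds the token that stands in for {@code sct}: a fresh token from the
     * configured factory carrying only the SCT's value type and unique id.
     *
     * @param sct the token being replaced
     * @return the replacement token
     */
    private static AuthenticationTokenImpl placeholderFor(SCT sct) {
        AuthenticationTokenImpl replacement = (AuthenticationTokenImpl) _sctTokenFactory.getToken(true);
        replacement.setValueType(sct.getValueType());
        replacement.setUniqueID(sct.getUUID());
        return replacement;
    }

    /**
     * Removes every {@link DKToken} from {@code subject} unless the consumer
     * configuration in {@code map} opts out (see
     * {@code isRemoveAuxiliarySecurityTokens}).
     *
     * @param subject the Subject to process
     * @param map     the message-context map holding the consumer configuration
     */
    public static final void removeDKT(Subject subject, Map<Object, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removeDKT(Subject)");
        }
        if (removeAuxiliarySecurityTokens(map)) {
            removeDKT(subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removeDKT(Subject)");
        }
    }

    /**
     * Removes every {@link DKToken} (derived-key token) from the Subject's
     * public and private credentials.
     *
     * @param subject the Subject to process; {@code null} is a no-op
     */
    public static final void removeDKT(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removeDKT(Subject)");
        }
        if (subject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No Subject; nothing to remove.");
            }
        } else {
            // Collect first: removeToken edits the set we would otherwise be iterating.
            for (DKToken dkt : collectInstances(subject.getPublicCredentials(), DKToken.class, "DKT")) {
                removeToken(subject, true, dkt);
            }
            for (DKToken dkt : collectInstances(subject.getPrivateCredentials(), DKToken.class, "DKT")) {
                removeToken(subject, false, dkt);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removeDKT(Subject)");
        }
    }

    /**
     * Returns a snapshot of the elements of {@code credentials} that are
     * instances of {@code type}, so callers can modify the set afterwards.
     *
     * @param credentials a Subject's public or private credential set
     * @param type        the token class to select
     * @param label       short name used only in trace output
     * @return a new, possibly empty list
     */
    private static <T> List<T> collectInstances(Set<Object> credentials, Class<T> type, String label) {
        List<T> selected = new ArrayList<T>();
        for (Object obj : credentials) {
            if (obj == null) {
                continue;
            }
            if (type.isInstance(obj)) {
                selected.add(type.cast(obj));
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Remove " + label + ": " + obj);
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not a " + label + ": " + obj);
            }
        }
        return selected;
    }

    /**
     * Swaps {@code securityToken} for {@code securityToken2} in one credential set.
     *
     * @param subject        the Subject to edit
     * @param z              {@code true} to edit the public credentials, {@code false} the private ones
     * @param securityToken  the token to remove; nothing happens if {@code null}
     * @param securityToken2 the token to add; nothing happens if {@code null}
     */
    public static final void replaceToken(final Subject subject, final boolean z, final SecurityToken securityToken, final SecurityToken securityToken2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceToken(SecurityToken token[" + securityToken + "])");
        }
        if (securityToken != null && securityToken2 != null) {
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    Set<Object> credentials = z ? subject.getPublicCredentials() : subject.getPrivateCredentials();
                    credentials.remove(securityToken);
                    credentials.add(securityToken2);
                    return null;
                }
            });
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "replaceToken(SecurityToken)");
        }
    }

    /**
     * Swaps {@code securityToken} for {@code securityToken2} in whichever of
     * the Subject's credential sets currently contain it (possibly both).
     *
     * @param subject        the Subject to edit
     * @param securityToken  the token to remove; nothing happens if {@code null}
     * @param securityToken2 the token to add; nothing happens if {@code null}
     */
    public static final void replaceToken(final Subject subject, final SecurityToken securityToken, final SecurityToken securityToken2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "replaceToken(SecurityToken token[" + securityToken + "])");
        }
        if (securityToken != null && securityToken2 != null) {
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    Set<Object> publicCredentials = subject.getPublicCredentials();
                    if (publicCredentials.contains(securityToken)) {
                        publicCredentials.remove(securityToken);
                        publicCredentials.add(securityToken2);
                    }
                    Set<Object> privateCredentials = subject.getPrivateCredentials();
                    if (privateCredentials.contains(securityToken)) {
                        privateCredentials.remove(securityToken);
                        privateCredentials.add(securityToken2);
                    }
                    return null;
                }
            });
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "replaceToken(SecurityToken)");
        }
    }

    /**
     * Removes {@code securityToken} from one credential set.
     *
     * @param subject       the Subject to edit
     * @param z             {@code true} to edit the public credentials, {@code false} the private ones
     * @param securityToken the token to remove; nothing happens if {@code null}
     */
    public static final void removeToken(final Subject subject, final boolean z, final SecurityToken securityToken) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removeToken(SecurityToken token[" + securityToken + "])");
        }
        if (securityToken != null) {
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    Set<Object> credentials = z ? subject.getPublicCredentials() : subject.getPrivateCredentials();
                    credentials.remove(securityToken);
                    return null;
                }
            });
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removeToken(SecurityToken)");
        }
    }

    /**
     * Clears the four key slots 61–64 on a token. Which SecurityTokenImpl key
     * constants these slot numbers correspond to is not visible here —
     * TODO confirm against SecurityTokenImpl before extending the list.
     *
     * @param securityTokenImpl the token whose keys are cleared
     */
    public static void removeKeys(SecurityTokenImpl securityTokenImpl) {
        securityTokenImpl.setKey(61, null);
        securityTokenImpl.setKey(64, null);
        securityTokenImpl.setKey(62, null);
        securityTokenImpl.setKey(63, null);
    }

    /**
     * Decides whether sensitive user data should be scrubbed from the Subject.
     *
     * <p>The default is to scrub; only a consumer configuration present under
     * {@link #CONSUMER_CONFIG_KEY} whose {@code isRemoveSensitiveUserData()} is
     * {@code false} keeps the data.
     *
     * @param map the message-context map; {@code null} means scrub
     * @return {@code true} if private data should be removed
     */
    public static final boolean removePrivateData(Map<Object, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removePrivateData(context)");
        }
        WSSConsumerConfig config = consumerConfig(map);
        boolean remove = (config == null) || config.isRemoveSensitiveUserData();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removePrivateData(context):" + remove);
        }
        return remove;
    }

    /**
     * Decides whether auxiliary tokens (derived-key tokens) should be removed.
     * Same default rule as {@link #removePrivateData(Map)}, keyed on
     * {@code isRemoveAuxiliarySecurityTokens()}.
     *
     * @param map the message-context map; {@code null} means remove
     * @return {@code true} if auxiliary tokens should be removed
     */
    private static final boolean removeAuxiliarySecurityTokens(Map<Object, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removeAuxiliarySecurityTokens(context)");
        }
        WSSConsumerConfig config = consumerConfig(map);
        boolean remove = (config == null) || config.isRemoveAuxiliarySecurityTokens();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removeAuxiliarySecurityTokens(context):" + remove);
        }
        return remove;
    }

    /**
     * Fetches the consumer configuration from the message-context map.
     * An absent map, absent entry, or entry of another type yields
     * {@code null}, which the callers treat as "use the scrubbing default".
     *
     * @param map the message-context map, possibly {@code null}
     * @return the configuration or {@code null}
     */
    private static WSSConsumerConfig consumerConfig(Map<Object, Object> map) {
        if (map == null) {
            return null;
        }
        Object entry = map.get(CONSUMER_CONFIG_KEY);
        return (entry instanceof WSSConsumerConfig) ? (WSSConsumerConfig) entry : null;
    }
}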
