package com.ibm.ws.wssecurity.util;

import com.ibm.security.krb5.wss.KerberosTokenConfig;
import com.ibm.ws.wssecurity.common.Constants;
import com.ibm.ws.wssecurity.platform.auth.WSSContext;
import com.ibm.ws.wssecurity.platform.auth.WSSContextFactory;
import com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket;
import com.ibm.ws.wssecurity.token.CacheableToken;
import com.ibm.ws.wssecurity.token.CacheableTokenCache;
import com.ibm.ws.wssecurity.token.CacheableTokenCacheFactory;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedExceptionAction;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;

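/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/util/KRB5TokenCacheUtil.class */
/**
 * Static helpers for the WS-Security Kerberos (KRB5) token cache: derivation of cache-key
 * strings, ticket lifetime checks against the configured skew/cushion/grace values, and
 * lookup of Kerberos credentials in the run-as {@link Subject}.
 *
 * <p>The key strings built here are the format other components use to look tokens up,
 * so their layout is preserved. Trace output deliberately never includes a
 * {@link KerberosTicket}'s {@code toString()}: the JDK implementation dumps the encoded
 * ticket and the session-key bytes, and it throws {@code IllegalStateException} once the
 * ticket has been destroyed. Only the client principal name is traced.
 */
public class KRB5TokenCacheUtil {
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc = Tr.register(KRB5TokenCacheUtil.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String CLS_NAME = KRB5TokenCacheUtil.class.getName();
    // Shared token cache, resolved once at class load and never reassigned.
    private static final CacheableTokenCache cacheObject = CacheableTokenCacheFactory.getInstance();
    // Value of getCacheGraceTimeMilliseconds(): added to every cache entry's lifetime.
    private static final long extraTime = CacheConfigFactory.getInstance().getCacheGraceTimeMilliseconds();
    // Value of getCacheCushionMilliseconds(): margin before end time at which a ticket counts as expiring.
    private static final long cushionTime = CacheConfigFactory.getInstance().getCacheCushionMilliseconds();
    // Value of getClockSkewToleranceMilliseconds(): tolerance applied when comparing against "now".
    private static final long clockSkew = CacheConfigFactory.getInstance().getClockSkewToleranceMilliseconds();

    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/util/KRB5TokenCacheUtil$TicketActionState.class */
    /** What a caller should do with a ticket before using it, as decided by {@link #getTicketActionState}. */
    public enum TicketActionState {
        /** Ticket is usable as-is. */
        NONE,
        /** Ticket is expired or cannot be renewed far enough; obtain a new one. */
        REISSUE,
        /** Ticket is about to expire but is renewable; renew it. */
        REFRESH
    }

    /**
     * Returns the shared token cache used by this class.
     *
     * @return the cache instance obtained from {@link CacheableTokenCacheFactory}
     */
    public static CacheableTokenCache getCache() {
        return cacheObject;
    }

    /**
     * Classifies a ticket's remaining lifetime relative to now, allowing for clock skew and
     * the configured cushion.
     *
     * @param kerberosTicket ticket to inspect; must not be null and must have an end time
     * @return {@code REISSUE} if the end time is already past (beyond {@code clockSkew});
     *         {@code NONE} if it lies at or beyond now + cushion + skew; otherwise
     *         {@code REFRESH} when the ticket is renewable with a renew-till bound beyond
     *         now + cushion + skew, else {@code REISSUE}
     */
    public static TicketActionState getTicketActionState(KerberosTicket kerberosTicket) {
        long now = System.currentTimeMillis();
        long endTime = kerberosTicket.getEndTime().getTime();
        long cushionEnd = now + cushionTime + clockSkew;
        if (endTime < now - clockSkew) {
            // Expired even after granting the full skew tolerance.
            return TicketActionState.REISSUE;
        }
        if (endTime >= cushionEnd) {
            return TicketActionState.NONE;
        }
        Date renewTill = kerberosTicket.getRenewTill();
        boolean renewable = kerberosTicket.isRenewable() && renewTill != null && renewTill.getTime() > cushionEnd;
        return renewable ? TicketActionState.REFRESH : TicketActionState.REISSUE;
    }

    /**
     * Checks whether a ticket's end time is still in the future. Unlike
     * {@link #isTicketValid(KerberosTicket, Date)} this overload applies no clock-skew tolerance.
     *
     * @param kerberosTicket ticket to check; must not be null
     * @param z if true the ticket must remain valid for at least {@code cushionTime} beyond now
     * @return true if the end time is strictly after the computed threshold
     */
    public static boolean isTicketValid(KerberosTicket kerberosTicket, boolean z) {
        long now = System.currentTimeMillis();
        long endTime = kerberosTicket.getEndTime().getTime();
        return z ? endTime > now + cushionTime : endTime > now;
    }

    /**
     * Stores a token in the cache under {@code str} for {@code j} milliseconds plus the grace period.
     *
     * @param cacheableToken token to cache
     * @param str cache key
     * @param j lifetime in milliseconds before the grace period is added
     */
    public static void setKRB5TokenToCache(CacheableToken cacheableToken, String str, long j) {
        cacheObject.cacheToken(str, cacheableToken, j + extraTime);
    }

    /**
     * Stores a token in the cache under {@code str} until {@code date} plus the grace period.
     *
     * @param cacheableToken token to cache
     * @param str cache key
     * @param date absolute expiration; a time already in the past yields only the grace period
     */
    public static void setKRB5TokenToCache(CacheableToken cacheableToken, String str, Date date) {
        cacheObject.cacheToken(str, cacheableToken, getExpirationDuration(date));
    }

    /**
     * Removes the cached token for the client key recorded on this message/service, if any.
     *
     * @param messageContext message whose recorded client hash and {@code To} address form the key
     */
    public static void invalidatetKRB5TokenFromCache(MessageContext messageContext) {
        String clientHash = getClientHashFromService(messageContext);
        if (clientHash != null) {
            // getClientHashFromService returned non-null, so messageContext is non-null here.
            cacheObject.removeToken(clientHash + getToAddress(messageContext));
        }
    }

    /**
     * Milliseconds from now until {@code date}, floored at zero, plus the grace period.
     *
     * @param date absolute expiration time; must not be null
     * @return non-negative duration in milliseconds
     */
    private static long getExpirationDuration(Date date) {
        long remaining = Math.max(0L, date.getTime() - System.currentTimeMillis());
        return remaining + extraTime;
    }

    /**
     * Address of the message's {@code To} endpoint, or "" when none is set.
     *
     * @param messageContext message to read; must not be null
     * @return endpoint address or the empty string
     */
    private static String getToAddress(MessageContext messageContext) {
        EndpointReference to = messageContext.getTo();
        return to != null ? to.getAddress() : "";
    }

    /**
     * Name of the message property / AxisService parameter that records the client cache key
     * for a given service address.
     *
     * @param address service endpoint address (may be "")
     * @return property name
     */
    private static String getCacheIdPropertyName(String address) {
        return Constants.WSSECURITY_KERBEROS_TICKET_IDENTIFIER + address;
    }

    /**
     * Trace-safe description of a ticket: the client principal name only. Never uses
     * {@code KerberosTicket.toString()}, which dumps the session key and throws once the
     * ticket is destroyed.
     *
     * @param ticket ticket to describe; may be null
     * @return client principal name, or a placeholder
     */
    private static String describeTicket(KerberosTicket ticket) {
        if (ticket == null) {
            return "null";
        }
        return ticket.getClient() != null ? ticket.getClient().getName() : "<no client principal>";
    }

    /**
     * Builds the service-ticket cache key for a ticket's client principal and a service name.
     *
     * @param kerberosTicket ticket whose client principal supplies name and realm; must not be null
     * @param str service name mixed into the key (may be null)
     * @return key as produced by {@link #getClientIdentifierForServiceTicket}
     */
    public static String getClientCacheKeyFromSubject(KerberosTicket kerberosTicket, String str) {
        String cacheKey = getClientIdentifierForServiceTicket(kerberosTicket.getClient().getName(), kerberosTicket.getClient().getRealm(), str);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "CacheKey=" + cacheKey);
        }
        return cacheKey;
    }

    /**
     * Base64 of the SHA-1 digest of {@code bArr}. SHA-1 is only acceptable here as a compact
     * cache-key fingerprint; do not reuse this helper for integrity or authentication checks.
     *
     * @param bArr bytes to digest; must not be null
     * @return Base64-encoded digest, or null if no SHA-1 provider is available
     */
    public static String getSha1FromBytes(byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSha1FromBytes()");
        }
        String encoded = null;
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-1");
            encoded = Base64.encode(digest.digest(bArr));
        } catch (NoSuchAlgorithmException e) {
            // SHA-1 is a required algorithm in every JRE; record the failure instead of
            // silently handing the caller a null key.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SHA-1 MessageDigest is not available; no cache key derived.", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSha1FromBytes() return " + encoded);
        }
        return encoded;
    }

    /**
     * Returns the first {@link KRBAuthnToken} among the subject's private credentials.
     *
     * @param subject subject to search; null yields null
     * @return the token, or null when none is present
     * @throws Exception any failure while reading the private credentials (re-thrown after tracing)
     */
    private static KRBAuthnToken getKRBAuthnTokenFromSubject(final Subject subject) throws Exception {
        if (tc.isEntryEnabled()) {
            // Trace the principals only: Subject.toString() may include private credentials.
            Tr.entry(tc, "getKRBAuthnTokenFromSubject() entry... " + (subject != null ? subject.getPrincipals() : null));
        }
        if (subject == null) {
            return null;
        }
        try {
            KRBAuthnToken token = AccessController.doPrivileged(new PrivilegedExceptionAction<KRBAuthnToken>() { // from class: com.ibm.ws.wssecurity.util.KRB5TokenCacheUtil.1
                @Override // java.security.PrivilegedExceptionAction
                public KRBAuthnToken run() throws Exception {
                    Iterator<KRBAuthnToken> it = subject.getPrivateCredentials(KRBAuthnToken.class).iterator();
                    if (!it.hasNext()) {
                        return null;
                    }
                    KRBAuthnToken first = it.next();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, first != null
                                ? "Processing AUTH token with name: " + first.getTokenName()
                                : "NO KRBAuthnToken token is found to be processed...");
                    }
                    return first;
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, token == null
                        ? "Could not find internally implemented AuthenticationToken."
                        : "Found KRBAuthnToken from runAsSubject: " + token.getTokenName());
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getKRBAuthnTokenFromSubject() exits... ");
            }
            return token;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting AuthenticationToken from Subject.", new Object[]{e});
            }
            throw e;
        }
    }

    /**
     * Locates a Kerberos TGT for the run-as subject: first via a {@link KRBTicket} authentication
     * token, then via the subject's {@link KerberosTicket} private credentials.
     *
     * <p>NOTE(review): the current/forwardable/not-destroyed check below only gates a trace message;
     * a ticket that fails it is still returned, and callers are expected to validate it
     * (e.g. with {@link #isTicketValid}).
     *
     * @param subject run-as subject; null yields null
     * @return the first ticket found, or null when none is found or lookup fails (failure is logged)
     */
    public static KerberosTicket getTgtTicketFromRunAsSubject(final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTgtTicketFromRunAsSubject()...");
        }
        if (subject == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getTgtTicketFromRunAsSubject() return NULL");
            }
            return null;
        }
        KerberosTicket kerberosTicket = null;
        try {
            KRBAuthnToken authnToken = getKRBAuthnTokenFromSubject(subject);
            if (authnToken instanceof KRBTicket) {
                kerberosTicket = ((KRBTicket) authnToken).getKerberosTicket();
            }
            if (kerberosTicket != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found Kerberos ticket from KRBAuthnToken in RunAsSubject: " + describeTicket(kerberosTicket));
                }
            } else {
                kerberosTicket = AccessController.doPrivileged(new PrivilegedExceptionAction<KerberosTicket>() { // from class: com.ibm.ws.wssecurity.util.KRB5TokenCacheUtil.2
                    @Override // java.security.PrivilegedExceptionAction
                    public KerberosTicket run() throws Exception {
                        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
                        if (tickets == null || tickets.isEmpty()) {
                            return null;
                        }
                        return tickets.iterator().next();
                    }
                });
                if (kerberosTicket == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "KerberosTicket not found.");
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found KerberosTicket from private creds: " + describeTicket(kerberosTicket));
                    // Check isDestroyed() first: other accessors on a destroyed ticket may throw.
                    if (!kerberosTicket.isDestroyed() && kerberosTicket.isCurrent() && kerberosTicket.isForwardable()) {
                        Tr.debug(tc, "Use a found Kerberos ticket for " + kerberosTicket.getClient().getName() + " in realm: " + kerberosTicket.getClient().getRealm());
                    }
                }
            }
        } catch (Exception e) {
            Tr.processException(e, CLS_NAME + ".login", "%C");
            Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", e);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to locate Kerberos ticket. Login to get Kerberos ticket.");
            }
        }
        if (kerberosTicket != null && kerberosTicket.getClient() != null && tc.isDebugEnabled()) {
            Tr.debug(tc, "CacheKey=" + kerberosTicket.getClient().getName());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTgtTicketFromRunAsSubject()...");
        }
        return kerberosTicket;
    }

    /**
     * Resolves the run-as subject for a message through the platform {@link WSSContext}.
     *
     * @param messageContext message to resolve the subject for
     * @return the subject, or null when no context is available or resolution fails (failure is logged)
     */
    public static Subject getRunAsSubject(MessageContext messageContext) {
        Subject subject = null;
        WSSContext context = WSSContextFactory.getInstance();
        if (context != null) {
            if (tc.isDebugEnabled()) {
                // Only dereference the context after the null check.
                Tr.debug(tc, "Found a WSSContext: " + context.toString());
            }
            try {
                subject = context.getRunAsSubject(messageContext);
            } catch (Exception e) {
                Tr.processException(e, CLS_NAME + ".login", "%C");
                Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", e);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to get RunAsSubject.");
                }
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No WSSContext is found. Return.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, subject != null ? "RunAsSubject NOT null" : "Not RunAsSubject exists");
        }
        return subject;
    }

    /**
     * Records the client cache key on the message (as a property) and on its AxisService (as a
     * parameter), both keyed by the {@code To} address, so later messages to the same service can
     * find the cached ticket.
     *
     * @param messageContext message to annotate; null is ignored
     * @param str client cache key; null is ignored
     */
    public static void addClientCacheIdToService(MessageContext messageContext, String str) {
        if (str == null || messageContext == null) {
            return;
        }
        String propertyName = getCacheIdPropertyName(getToAddress(messageContext));
        try {
            messageContext.setProperty(propertyName, str);
            if (messageContext.getAxisService() != null) {
                messageContext.getAxisService().addParameter(new Parameter(propertyName, str));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Cache the Kerberos ticket in AxisService with ID of " + str);
            }
        } catch (Exception e) {
            // Best effort: a missing service-level entry only costs a cache miss later.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to add Kerberos ticket to AxisContext. ", e);
            }
        }
    }

    /**
     * Builds a cache key from the subject's {@link KRBAuthnToken} unique id, suffixed with the
     * hash code of the service principal name when one is given.
     *
     * @param subject run-as subject holding the token
     * @param str service principal name (may be null)
     * @return the key, or null when no token is found or lookup fails
     */
    public static String getClientCacheKeyFromKRBAuthnToken(Subject subject, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientCacheKeyFromKRBAuthnToken( KRBAuthnToken kToken, String spn ) ");
        }
        String cacheKey = null;
        try {
            KRBAuthnToken token = getKRBAuthnTokenFromSubject(subject);
            if (token != null) {
                cacheKey = token.getTokenUniqueID();
                if (str != null) {
                    cacheKey = cacheKey + str.hashCode();
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no KRBAuthnToken to create cache key");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to create cache key from rnAsSubject.", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "Cache key =" + cacheKey);
        }
        return cacheKey;
    }

    /**
     * Builds the service-ticket cache key: the bare client principal followed by the hash code of
     * "client[@realm]service". A non-positive hash is written as its magnitude plus an {@code 'n'}
     * marker.
     *
     * @param str client principal name; may already contain "@realm" (null is rendered as "null")
     * @param str2 client realm; appended only when {@code str} does not already end with it (may be null)
     * @param str3 service name (may be null)
     * @return the key string
     */
    public static String getClientIdentifierForServiceTicket(String str, String str2, String str3) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientIdentifierForServiceTicket(HashMap initMap)");
        }
        String principal = str;
        StringBuilder material = new StringBuilder();
        if (principal != null) {
            material.append(principal);
            // Null-check the realm before endsWith(): endsWith(null) throws NullPointerException.
            if (str2 == null || principal.endsWith(str2)) {
                // Name already carries its realm (or none was given): key on the bare principal.
                int at = principal.indexOf('@');
                if (at > 0) {
                    principal = principal.substring(0, at);
                }
            } else {
                material.append('@').append(str2);
            }
        }
        if (str3 != null) {
            material.append(str3);
        }
        int hashCode = material.toString().hashCode();
        StringBuilder key = new StringBuilder().append(principal);
        if (hashCode > 0) {
            key.append(hashCode);
        } else {
            // Negate in long so Integer.MIN_VALUE does not stay negative.
            key.append(-(long) hashCode).append('n');
        }
        String identifier = key.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getClientIdentifierForServiceTicket:" + identifier);
        }
        return identifier;
    }

    /**
     * Builds the service-ticket cache key from a callback map holding
     * {@code CLIENT_NAME}, {@code CLIENT_REALM_NAME} and {@code SERVICE_NAME}.
     *
     * @param hashMap callback values; all three entries must be present (raw map kept for callers)
     * @return the key, or null when the map or any required entry is missing
     */
    public static String getClientIdentifierForServiceTicketByCallback(HashMap hashMap) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientIdentifierForServiceTicket(HashMap initMap)");
        }
        String identifier = null;
        if (hashMap != null) {
            String clientName = (String) hashMap.get(KerberosTokenConfig.CLIENT_NAME);
            String clientRealm = (String) hashMap.get(KerberosTokenConfig.CLIENT_REALM_NAME);
            String serviceName = (String) hashMap.get(KerberosTokenConfig.SERVICE_NAME);
            if (clientName != null && clientRealm != null && serviceName != null) {
                identifier = getClientIdentifierForServiceTicket(clientName, clientRealm, serviceName);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getClientIdentifierForServiceTicket:" + identifier);
        }
        return identifier;
    }

    /**
     * Reads the client cache key previously recorded by {@link #addClientCacheIdToService}:
     * the message property first, then the AxisService parameter.
     *
     * @param messageContext message to read; null yields null
     * @return the recorded key, or null when none is present
     */
    public static String getClientHashFromService(MessageContext messageContext) {
        if (messageContext == null) {
            return null;
        }
        String propertyName = getCacheIdPropertyName(getToAddress(messageContext));
        String clientHash = (String) messageContext.getProperty(propertyName);
        if (clientHash == null && messageContext.getAxisService() != null) {
            Parameter parameter = messageContext.getAxisService().getParameter(propertyName);
            if (parameter != null) {
                clientHash = (String) parameter.getValue();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The cached cache key = " + clientHash);
                }
            }
        }
        return clientHash;
    }

    /**
     * Builds the TGT cache key: "client[@realm]" followed by the hash code of {@code str3}.
     *
     * <p>NOTE(review): {@link #getClientIdentifierForTGTByCallback} passes the client password as
     * {@code str3}, so a 32-bit {@code String.hashCode} of the password becomes part of the key
     * and of the exit trace below. The format is kept for cache compatibility.
     *
     * @param str client principal name (null yields a key without a principal)
     * @param str2 client realm; appended only when {@code str} does not already end with it (may be null)
     * @param str3 extra material whose hash code is appended (may be null)
     * @return the key string
     */
    public static String getClientIdentifierForTGT(String str, String str2, String str3) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientIdentifierForTGTString(String clientName,String clientRealm)");
        }
        StringBuilder key = new StringBuilder();
        if (str != null) {
            key.append(str);
            // Null-check the realm before endsWith(): endsWith(null) throws NullPointerException.
            if (str2 != null && !str.endsWith(str2)) {
                key.append('@').append(str2);
            }
        }
        if (str3 != null) {
            key.append(str3.hashCode());
        }
        String identifier = key.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getClientIdentifierForTGTString:" + identifier);
        }
        return identifier;
    }

    /**
     * Builds the TGT cache key from a callback map holding {@code CLIENT_NAME},
     * {@code CLIENT_REALM_NAME} and optionally {@code CLIENTPASSWORD}.
     *
     * @param hashMap callback values (raw map kept for callers)
     * @return the key, or null when the map, client name or realm is missing
     */
    public static String getClientIdentifierForTGTByCallback(HashMap hashMap) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientIdentifierForTGTByCallback(HashMap initMap)");
        }
        String identifier = null;
        if (hashMap != null) {
            String clientName = (String) hashMap.get(KerberosTokenConfig.CLIENT_NAME);
            String clientRealm = (String) hashMap.get(KerberosTokenConfig.CLIENT_REALM_NAME);
            String clientPassword = (String) hashMap.get(KerberosTokenConfig.CLIENTPASSWORD);
            if (clientName != null && clientRealm != null) {
                identifier = getClientIdentifierForTGT(clientName, clientRealm, clientPassword);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getClientIdentifierForTGTByCallback:" + identifier);
        }
        return identifier;
    }

    /**
     * Checks an expiration time against now minus the clock-skew tolerance.
     *
     * @param kerberosTicket ticket whose end time is used when {@code date} is null (may be null)
     * @param date explicit expiration time, preferred over the ticket's end time (may be null)
     * @return true if the chosen expiration is strictly after now - clockSkew; false when neither
     *         source is available
     */
    public static boolean isTicketValid(KerberosTicket kerberosTicket, Date date) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTicketValid()...");
        }
        long expiry = 0L;
        if (date != null) {
            expiry = date.getTime();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Expiration time from service token: " + expiry);
            }
        } else if (kerberosTicket != null) {
            expiry = kerberosTicket.getEndTime().getTime();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Expiration time from the ticket: " + expiry);
            }
        }
        long threshold = System.currentTimeMillis() - clockSkew;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Current time past clock skew: " + threshold);
        }
        boolean valid = expiry > threshold;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Validated ticket: " + describeTicket(kerberosTicket));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTicketValid()...");
        }
        return valid;
    }
}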
