package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.token.CertCacheManager;
import com.ibm.ws.wssecurity.util.CertificateUtil;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/PkiPathConsumeLoginModule.class */
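/**
 * JAAS {@link LoginModule} that consumes an X.509 PKIPath token on the WS-Security consumer side.
 *
 * <p>{@link #login()} drives an {@link X509ConsumeCallback} and a {@link PropertyCallback} through the
 * configured handler, checks that the token consumer is configured for the PKI_PATH or PKI_PATH11
 * token type, and then either processes the token element found in the property context (no KeyInfo
 * type, or an embedded KeyInfo) or delegates to {@link X509ConsumeLoginModule#resolveX509KeyInfo} for
 * the remaining KeyInfo forms. {@link #commit()} registers the resulting token with the
 * {@link SecurityTokenManager} and publishes it in the property context.
 *
 * <p>Trust decisions made in this class: a certificate found in the {@link CertCacheManager} under the
 * token's cert index is used as-is and PKIX validation is not re-run here; when the callback reports
 * {@code isTrustAnyCertificate()} the chain is accepted without validation (the setting is recorded in
 * the audit event); otherwise the PkiPath is validated and built against the configured
 * {@link PKIXBuilderParameters} (see {@link #validateX509}). An optional keystore on the callback can
 * additionally pin the certificate to the configured key entry.
 *
 * <p>This source was recovered from a decompiled class file; the string labels passed to
 * {@code Tr.processException} are kept verbatim so existing log searches keep working.
 */
public class PkiPathConsumeLoginModule implements LoginModule {
    private static final String comp = "security.wssecurity";
    /** Handler supplied by {@link #initialize}; it fills the callbacks issued in {@link #login()}. */
    private CallbackHandler _handler;
    /** Token produced by {@link #login()}; registered by {@link #commit()}. */
    private SecurityToken _token;
    /** Token manager read from the property context in {@link #login()}. */
    private SecurityTokenManager _securityTokenManager;
    /** Property context returned by the {@link PropertyCallback}; shared with the rest of the pipeline. */
    private Map<Object, Object> _context;
    private static final TraceComponent tc = Tr.register(PkiPathConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = PkiPathConsumeLoginModule.class.getName();

    /**
     * Stores the callback handler. The subject, shared state and options are not used by this module.
     *
     * @param subject         JAAS subject (unused)
     * @param callbackHandler handler that will answer the {@link X509ConsumeCallback} and {@link PropertyCallback}
     * @param sharedState     JAAS shared state (unused)
     * @param options         JAAS options (unused)
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._handler = callbackHandler;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    /**
     * Consumes the PKIPath token described by the property context.
     *
     * <p>Every failure, including the token-type mismatch raised inside the try block, is reported to
     * the caller as a {@link LoginException} carrying message {@code security.wssecurity.BSTokenLoginModule.s01};
     * the original exception is attached as the cause.
     *
     * @return always {@code true} on success
     * @throws LoginException if the callbacks cannot be handled, the consumer is not configured for a
     *                        PKIPath token type, or token processing fails
     */
    @Override
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        X509ConsumeCallback x509Callback = new X509ConsumeCallback();
        PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            this._handler.handle(new Callback[]{x509Callback, propertyCallback});
            this._context = propertyCallback.getProperties();
            TokenConsumerConfig config = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            X509PKIPathTokenImpl pkiPathToken = new X509PKIPathTokenImpl();
            // Published before any processing so error handling elsewhere can refer to the token in flight.
            this._context.put(Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING, pkiPathToken);
            QName type = config.getType();
            boolean isPkiPathType = com.ibm.ws.wssecurity.common.Constants.PKI_PATH.equals(type)
                    || com.ibm.ws.wssecurity.common.Constants.PKI_PATH11.equals(type);
            if (!isPkiPathType) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PrivateConsumerConfig.s30", new String[]{type.toString(), com.ibm.ws.wssecurity.common.Constants.PKI_PATH.toString() + " or " + com.ibm.ws.wssecurity.common.Constants.PKI_PATH11.toString()}));
            }
            MessageContext messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            CertCacheManager cmanager = (CertCacheManager) this._context.get(CertCacheManager.class);
            this._securityTokenManager = (SecurityTokenManager) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            String keyInfoType = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
            OMElement target = (OMElement) this._context.get("com.ibm.ws.wssecurity.constants.processingElement");
            // A missing KeyInfo type means the token element itself is the processing target.
            boolean isNone = keyInfoType == null;
            boolean isKeyname = !isNone && ConfigUtil.isKeyInfoKeyname(keyInfoType);
            boolean isKeyid = !isNone && ConfigUtil.isKeyInfoKeyid(keyInfoType);
            boolean isStrref = !isNone && ConfigUtil.isKeyInfoStrref(keyInfoType);
            boolean isEmb = !isNone && ConfigUtil.isKeyInfoEmb(keyInfoType);
            boolean isX509issuer = !isNone && ConfigUtil.isKeyInfoX509issuer(keyInfoType);
            boolean isThumbprint = !isNone && ConfigUtil.isKeyInfoThumbprint(keyInfoType);
            if (isNone || isEmb) {
                this._token = processElement(pkiPathToken, x509Callback, target, config, cmanager, messageContext, isNone, isEmb, this._context);
            } else {
                this._token = X509ConsumeLoginModule.resolveX509KeyInfo(pkiPathToken, x509Callback, config, cmanager, messageContext, keyInfoType, isKeyname, isKeyid, isStrref, isX509issuer, isThumbprint, this._securityTokenManager, this._context);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            return true;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".login", "129", this);
            throw loginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e.toString()}), e);
        }
    }

    /**
     * Registers the token produced by {@link #login()} with the token manager and publishes it in the
     * property context under {@code WSSECURITY_TOKEN_PROCESSED}.
     *
     * @return always {@code true}
     */
    @Override
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        this._securityTokenManager.addToken(this._token);
        this._context.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._token);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * No-op; this module keeps no state that needs rolling back.
     *
     * @return always {@code false}
     */
    @Override
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "abort()");
        }
        return false;
    }

    /**
     * No-op; the consumed token is not removed from the token manager here.
     *
     * @return always {@code false}
     */
    @Override
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "logout()");
        }
        return false;
    }

    /**
     * Builds a {@link LoginException} with {@code cause} attached. {@code LoginException} has no
     * {@code (String, Throwable)} constructor, so the cause has to be set through {@code initCause}.
     */
    private static LoginException loginException(String message, Throwable cause) {
        LoginException le = new LoginException(message);
        le.initCause(cause);
        return le;
    }

    /**
     * Processes the PKIPath token element: resolves the token id, obtains the end-entity certificate
     * (from the cache, or by decoding and validating the PkiPath), binds certificate and raw bytes to
     * the token, records audit data and finally binds the public (and, with a keystore, private) key.
     *
     * @param pkiPathToken   token being populated
     * @param x509Callback   consumer settings answered by the callback handler
     * @param target         element holding the Base64 PkiPath value
     * @param config         token consumer configuration
     * @param cmanager       certificate cache, may be {@code null}
     * @param messageContext current message context (only echoed in trace output)
     * @param isNone         {@code true} when no KeyInfo type is configured
     * @param isEmb          {@code true} when the KeyInfo is embedded
     * @param context        property context shared with the pipeline
     * @return {@code pkiPathToken}, populated
     * @throws LoginException if the token value is empty, the PkiPath cannot be decoded or validated,
     *                        or the certificate does not match the configured keystore entry
     */
    private static final SecurityToken processElement(final X509PKIPathTokenImpl pkiPathToken, X509ConsumeCallback x509Callback, OMElement target, TokenConsumerConfig config, CertCacheManager cmanager, MessageContext messageContext, boolean isNone, boolean isEmb, Map<Object, Object> context) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("processElement(");
            entry.append("X509PKIPathTokenImpl pkiPathToken, X509ConsumeCallback x509Callback, ");
            entry.append("OMElement target[").append(DOMUtils.getDisplayName((OMNode) target)).append("], ");
            entry.append("TokenConsumerConfig config, CertCacheManager cmanager, ");
            entry.append("SOAPMessageContext messageContext, ");
            entry.append("boolean isNone[").append(isNone).append("], ");
            entry.append("boolean isEmb[").append(isEmb).append("], ");
            entry.append("Map context)");
            Tr.entry(tc, entry.toString());
        }
        pkiPathToken.setXML(new OMStructure(target));
        String tokenId = resolveTokenId(target, context, isNone, isEmb);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier of the token is [" + tokenId + "]");
        }
        pkiPathToken.setId(tokenId);
        String tokenValue = DOMUtils.getStringValue(target);
        String certIndex = CertificateUtil.buildCertIndex(tokenValue, config, false);
        // A cache hit is trusted as-is: validation below only runs when no cached certificate exists.
        X509Certificate cert = cmanager == null ? null : getCachedCertificate(cmanager, certIndex);
        // Raw PkiPath bytes; stay null on a cache hit, and the token's binary is set to null in that case.
        byte[] encodedPath = null;
        if (cert == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting the X509Certificate object through the LoginModule.");
            }
            if (tokenValue != null) {
                encodedPath = Base64.decode(tokenValue);
            }
            if (encodedPath == null) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathCallbackHandler.s02"));
            }
            cert = buildCertificate(encodedPath, x509Callback, config, cmanager, certIndex, context);
        }
        final X509Certificate boundCert = cert;
        final byte[] boundBinary = encodedPath;
        // The decompiled form referenced X509PKIPathTokenImpl.this here, which cannot exist in a static
        // method of an unrelated class; the captured parameter is the intended receiver.
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                pkiPathToken.setCertificate(boundCert);
                pkiPathToken.setBinary(boundBinary);
                return null;
            }
        });
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator auditGenerator = WSSAuditEventGeneratorFactory.getInstance();
        boolean auditRequired = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, context)
                || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED, context);
        if (auditRequired) {
            recordAuthnAuditData(auditGenerator, auditService, context, x509Callback, cert, tokenId);
        }
        bindKeys(pkiPathToken, x509Callback, cert, context, auditRequired, auditGenerator);
        if (tc.isEntryEnabled()) {
            StringBuilder exit = new StringBuilder("processElement(");
            exit.append("X509PKIPathTokenImpl, OMElement, TokenConsumerConfig, CertCacheManager, ");
            exit.append("SOAPMessageContext, boolean, boolean, Map)");
            Tr.exit(tc, exit.toString());
        }
        return pkiPathToken;
    }

    /**
     * Resolves the token identifier: the target element's id attribute when no KeyInfo type is set,
     * the embedded-key id from the context for an embedded KeyInfo, otherwise {@code null}.
     */
    private static String resolveTokenId(OMElement target, Map<Object, Object> context, boolean isNone, boolean isEmb) {
        String tokenId = null;
        if (isNone) {
            QName idAttribute = IdUtils.getInstance().getIdAttributeName(target);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The identifier attribute of the target element is [" + idAttribute + "].");
            }
            if (idAttribute != null) {
                tokenId = target.getAttributeValue(idAttribute);
            }
        } else if (isEmb) {
            tokenId = (String) context.get(Constants.WSSECURITY_KEY_EMBID);
        }
        return tokenId;
    }

    /**
     * Looks up {@code certIndex} in the certificate cache.
     *
     * @return the cached {@link X509Certificate}, or {@code null} when nothing is cached or the cached
     *         object is not an {@link X509Certificate}
     * @throws LoginException if the cache lookup fails or the cached certificate cannot be re-encoded
     */
    private static X509Certificate getCachedCertificate(CertCacheManager cmanager, String certIndex) throws LoginException {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Checking the cached X509Certificate object with the key[" + certIndex + "].");
        }
        try {
            Certificate cached = cmanager.getCachedCert(certIndex);
            if (cached == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no cached certificiate.");
                }
                return null;
            }
            if (!(cached instanceof X509Certificate)) {
                if (tc.isDebugEnabled()) {
                    StringBuilder msg = new StringBuilder("The certificate [");
                    msg.append(cached.getClass().getName());
                    msg.append("] was found, but it's not the X509Certificate object.");
                    Tr.debug(tc, msg.toString());
                }
                return null;
            }
            X509Certificate cert = (X509Certificate) cached;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The X509Certificate [" + cert.getSubjectDN().getName() + "] was found.");
            }
            try {
                // Only an encodability check; the cached certificate is not re-validated here.
                cert.getEncoded();
            } catch (CertificateEncodingException e) {
                Tr.processException(e, clsName + ".processElement", "622");
                Tr.error(tc, "security.wssecurity.WSEC0155E", e);
                throw loginException(ConfigUtil.getMessage("security.wssecurity.WSEC0155E", new String[]{e.toString()}), e);
            }
            return cert;
        } catch (SoapSecurityException e2) {
            Tr.processException(e2, clsName + ".processElement", "607");
            throw loginException(e2.toString(), e2);
        }
    }

    /**
     * Decodes the PkiPath, validates it unless the callback trusts any certificate, caches the
     * end-entity certificate and returns it.
     *
     * <p>Any failure inside (including a {@link LoginException} from {@link #validateX509} or from
     * caching) is reported as {@code security.wssecurity.WSSConsumer.s34}.
     */
    private static X509Certificate buildCertificate(byte[] encodedPath, X509ConsumeCallback x509Callback, TokenConsumerConfig config, CertCacheManager cmanager, String certIndex, Map<Object, Object> context) throws LoginException {
        try {
            CertPath certPath = CertificateUtil.generateCertPath(encodedPath, "X.509", "PkiPath", x509Callback.getProvider());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Succeeded to generate cert path.");
            }
            // By the X.509 CertPath convention, index 0 is the target (end-entity) certificate.
            X509Certificate cert = (X509Certificate) certPath.getCertificates().get(0);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject: " + cert);
            }
            // trustAnyCertificate bypasses PKIX validation entirely; the setting is recorded in the audit data.
            if (!x509Callback.isTrustAnyCertificate()) {
                validateX509(cert, x509Callback, certPath, config, context);
            }
            if (cmanager != null) {
                try {
                    cmanager.cacheCert(certIndex, cert);
                } catch (SoapSecurityException e3) {
                    Tr.processException(e3, clsName + ".processElement", "678");
                    throw loginException(e3.toString(), e3);
                }
            }
            return cert;
        } catch (Exception e4) {
            Tr.processException(e4, clsName + ".processElement", "663");
            Tr.error(tc, "security.wssecurity.WSSConsumer.s34", e4);
            throw loginException(ConfigUtil.getMessage("security.wssecurity.WSSConsumer.s34", new String[]{e4.toString()}), e4);
        }
    }

    /**
     * Adds the SECURITY_AUTHN audit attributes: the trust-any flag, subject and issuer DN, token id and,
     * in verbose mode, the Base64 encoded certificate.
     */
    private static void recordAuthnAuditData(WSSAuditEventGenerator auditGenerator, WSSAuditService auditService, Map<Object, Object> context, X509ConsumeCallback x509Callback, X509Certificate cert, String tokenId) {
        Map<String, Object> auditData = auditGenerator.setExtendedAuditData(context, "isTrustAnyCert", Boolean.toString(x509Callback.isTrustAnyCertificate()));
        auditGenerator.addExtendedAuditData(auditData, WSSAuditEventGenerator.CERTDN, cert.getSubjectDN().getName());
        auditGenerator.addExtendedAuditData(auditData, WSSAuditEventGenerator.CERTISSUER, cert.getIssuerDN().getName());
        auditGenerator.addExtendedAuditData(auditData, WSSAuditEventGenerator.TOKEN_ID, tokenId);
        if (auditService.isVerbose()) {
            try {
                auditGenerator.addExtendedAuditData(auditData, WSSAuditEventGenerator.X509_CERT, Base64.encode(cert.getEncoded()));
            } catch (CertificateEncodingException e5) {
                // Best effort: a non-encodable certificate only loses the verbose audit attribute.
                // The ".validateX509" label is the original one; kept for log compatibility.
                Tr.processException(e5, clsName + ".validateX509", "916");
            }
        }
    }

    /**
     * Binds the token's keys. With a keystore on the callback (and unless
     * {@code KEYSTORE_LIMITS_ACCESS} is set to false) the message certificate must equal the configured
     * key entry's certificate, and both its public and private key are bound; without a keystore only
     * the certificate's public key is bound.
     *
     * @throws LoginException if the certificate differs from the configured keystore entry or the
     *                        keystore cannot be read
     */
    private static void bindKeys(X509PKIPathTokenImpl pkiPathToken, X509ConsumeCallback x509Callback, X509Certificate cert, Map<Object, Object> context, boolean auditRequired, WSSAuditEventGenerator auditGenerator) throws LoginException {
        if (!x509Callback.existKeyStore()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no keystore is configured on the callback handler.");
            }
            pkiPathToken.setKey(63, cert.getPublicKey());
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "A keystore is configured on the callback handler.");
        }
        if (!ConfigUtil.getIsFalseProperty(context, X509ConsumeLoginModule.KEYSTORE_LIMITS_ACCESS)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "com.ibm.wsspi.wssecurity.consumer.callbackHandlerKeystoreLimitsAccess is set to false.");
                Tr.debug(tc, "Certificate in the message will not be compared against the configured keystore.");
            }
            // NOTE: on this path no key is bound to the token (matches the original behaviour).
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Verifying that the current target subject matches the one configured in the callback handler.");
        }
        try {
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance();
            String keyStorePath = x509Callback.getKeyStorePath();
            if (keyStorePath == null) {
                keyStorePath = x509Callback.getKeyStoreReference();
            }
            KeyStoreManager.KeyInformation keyInfo = keyStoreManager.getKeyInformation(keyStorePath, x509Callback.getKeyStoreType(), x509Callback.getKeyStorePassword(), x509Callback.getKeyStoreReference(), x509Callback.getAlias(), x509Callback.getKeyPassword(), x509Callback.getKeyName());
            X509Certificate configuredCert = (X509Certificate) keyInfo.getCertificate();
            if (!cert.equals(configuredCert)) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6809E", new String[]{cert == null ? null : cert.getSubjectDN().getName(), configuredCert == null ? null : configuredCert.getSubjectDN().getName(), x509Callback.getKeyStorePath()}));
            }
            // 63 / 64 are the token's public and private key slots, as used by the original code.
            pkiPathToken.setKey(63, keyInfo.getPublicOrSecretKey());
            pkiPathToken.setKey(64, keyInfo.getPrivateOrSecretKey());
            if (auditRequired) {
                auditGenerator.setExtendedAuditData(context, WSSAuditEventGenerator.KEYSTORE, keyInfo.toString());
            }
        } catch (SoapSecurityException e6) {
            Tr.processException(e6, clsName + ".processElement", "714");
            throw loginException(e6.toString(), e6);
        }
    }

    /**
     * Validates {@code certPath} with the configured {@link PKIXBuilderParameters}. Parameters from the
     * callback are cloned under their own monitor so the shared instance is not mutated; when none are
     * configured they are created from the consumer configuration. If validation fails and
     * {@code RETRY_TRUST_AFTER_FAILURE} is enabled, the parameters are rebuilt once and validation is retried.
     *
     * @throws LoginException if {@code certPath} is {@code null} or validation fails (after the optional retry)
     */
    private static final void validateX509(X509Certificate x509, X509ConsumeCallback x509Callback, CertPath certPath, TokenConsumerConfig tconfig, Map context) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("PkiPathConsumeLoginModule.validateX509(");
            entry.append("X509Certificate x509[");
            entry.append(x509 == null ? null : x509.getSubjectDN().getName()).append("], ");
            entry.append("X509ConsumeCallback x509Callback, CertPath path, TokenConsumerConfig tconfig, Map context)");
            Tr.entry(tc, entry.toString());
        }
        if (certPath == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "path is null");
            }
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathCallbackHandler.s02"));
        }
        PKIXBuilderParameters configuredParams = x509Callback.getCertPathParameter();
        PKIXBuilderParameters pkixParams;
        if (configuredParams == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "pkixBuilderParams was null.  Creating new object.");
            }
            pkixParams = CertificateUtil.createPKIXBuilderParameters(x509Callback, tconfig, context);
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Obtaining pkixBuilderParams from config object.");
            }
            synchronized (configuredParams) {
                pkixParams = (PKIXBuilderParameters) configuredParams.clone();
            }
        }
        try {
            processX509Validation(x509, x509Callback, certPath, pkixParams);
        } catch (LoginException e) {
            if (!ConfigUtil.getIsTrueProperty(context, Constants.RETRY_TRUST_AFTER_FAILURE)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "retryOnceAfterTrustFailure is not enabled, rethrowing exception.");
                }
                throw e;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Validation failed, rebuild pkixBuilderParams and try again.");
            }
            // Single retry with freshly built parameters; a second failure propagates.
            processX509Validation(x509, x509Callback, certPath, CertificateUtil.reCreatePKIXBuilderParameters(x509Callback, tconfig, context));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "PkiPathConsumeLoginModule.validateX509");
        }
    }

    /**
     * Runs PKIX validation of {@code certPath} and then builds the validated path for {@code x509}
     * with the callback's provider.
     *
     * @throws LoginException wrapping any failure; the failing exception is attached as the cause
     *                        (the original code attached only its cause, losing the exception itself)
     */
    private static final void processX509Validation(X509Certificate x509, X509ConsumeCallback x509Callback, CertPath certPath, PKIXBuilderParameters pkixParams) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "PkiPathConsumeLoginModule.processX509Validation");
        }
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking the cert path...");
            }
            CertificateUtil.validateCertPath(certPath, pkixParams);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Succeeded to validate the cert path.");
                Tr.debug(tc, "Building validated cert path.");
            }
            CertificateUtil.buildCertPath(x509, certPath, pkixParams, x509Callback.getProvider(), false);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Succeeded to build validated cert path.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "PkiPathConsumeLoginModule.processX509Validation");
            }
        } catch (Exception e) {
            // The ".validateX509" label is the original one; kept for log compatibility.
            Tr.processException(e, clsName + ".validateX509", "628");
            throw loginException(e.toString(), e);
        }
    }
}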
