package com.ibm.ws.security.authentication.internal.jaas.modules;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.credentials.AccessIdUtil;
import com.ibm.ws.security.registry.CertificateMapFailedException;
import com.ibm.ws.security.registry.LDAPUtils;
import com.ibm.ws.security.registry.UserRegistry;
import com.ibm.wsspi.security.auth.callback.WSX509CertificateChainCallback;
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

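/**
 * JAAS login module that authenticates a caller from the X.509 certificate chain obtained
 * through a {@link WSX509CertificateChainCallback}.
 *
 * <p>Only the first certificate of the chain ({@code chain[0]}) is consulted: it is handed to
 * {@code UserRegistry.mapCertificate} and the mapped identity is used to build the temporary
 * subject. This class performs no chain validation of its own (trust, expiry, revocation);
 * it presumably relies on whatever produced the callback (for example the TLS handshake)
 * having done so — confirm against the callback handler.
 *
 * <p>Outcome of {@link #login()}:
 * <ul>
 *   <li>{@code false} (abstain) when another module already processed the request or no
 *       certificate chain was supplied;</li>
 *   <li>{@code true} when the certificate maps to a registry user;</li>
 *   <li>{@link AuthenticationException} (message CWWKS1101I) when the registry cannot map the
 *       certificate, and (message CWWKS1102E) for any other failure.</li>
 * </ul>
 */
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions(traceGroups = {"Authentication"}, traceGroup = "", messageBundle = "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages", traceExceptionThrow = false, traceExceptionHandling = false)
/* loaded from: input_file:lib/com.ibm.ws.security.authentication.builtin_1.0.2.20130531-1507.jar:com/ibm/ws/security/authentication/internal/jaas/modules/CertificateLoginModule.class */
public class CertificateLoginModule extends CommonLoginModule implements LoginModule {
    private static final TraceComponent tc = Tr.register(CertificateLoginModule.class);
    /** Resource bundle holding the CWWKS11xx authentication messages. */
    private static final String MESSAGE_BUNDLE = "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages";
    /** Class name reported to FFDC when an unexpected exception is recorded. */
    private static final String FFDC_SOURCE = "com.ibm.ws.security.authentication.internal.jaas.modules.CertificateLoginModule";
    /** Placeholder DN used in failure messages when no certificate was obtained from the callback. */
    private static final String UNKNOWN_DN = "unknown";

    // Security name placed into the subject; set only by a successful login().
    private String username;
    // Identity as known to the user registry; non-null marks a successful login() for commit().
    private String urAuthenticatedId;
    static final long serialVersionUID = -6844025304703499466L;

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public CertificateLoginModule() {
    }

    /**
     * Asks the callback handler for the client certificate chain.
     *
     * @param callbackHandler handler supplied by the JAAS framework
     * @return a one-element array holding the populated {@link WSX509CertificateChainCallback}
     * @throws IOException if the handler fails
     * @throws UnsupportedCallbackException if the handler cannot supply a certificate chain
     */
    @Override // com.ibm.ws.security.authentication.internal.jaas.modules.CommonLoginModule
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    Callback[] getRequiredCallbacks(CallbackHandler callbackHandler) throws IOException, UnsupportedCallbackException {
        Callback[] requested = {new WSX509CertificateChainCallback(null)};
        callbackHandler.handle(requested);
        return requested;
    }

    /**
     * Authenticates the caller from the supplied certificate chain.
     *
     * @return {@code true} if the first certificate mapped to a registry user and the temporary
     *         subject was built; {@code false} to abstain (already processed, or no chain)
     * @throws LoginException as an {@link AuthenticationException} when the certificate does not
     *         map to a user (CWWKS1101I) or any other error occurs (CWWKS1102E); the original
     *         exception is kept as the cause
     */
    @Override
    @FFDCIgnore({CertificateMapFailedException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean login() throws LoginException {
        if (isAlreadyProcessed()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Already processed by other login module, abstaining.", new Object[0]);
            }
            return false;
        }
        // Declared outside the try so the catch blocks can name the certificate; it stays null
        // if obtaining the callback itself fails, which subjectDn() tolerates.
        X509Certificate[] chain = null;
        try {
            chain = obtainCertificateChain();
            if (chain == null || chain.length == 0) {
                return false;
            }
            setAlreadyProcessed();
            this.urAuthenticatedId = getUserRegistry().mapCertificate(chain[0]);
            String cn = LDAPUtils.getCNFromDN(this.urAuthenticatedId);
            if (cn != null) {
                // NOTE(review): the mapped DN is replaced by its CN and that CN is what the
                // registry lookups in setUpTemporarySubject() use — retained from the original;
                // confirm this is the identifier form the registry expects.
                this.username = cn;
                this.urAuthenticatedId = cn;
            } else {
                this.username = getSecurityName(null, this.urAuthenticatedId);
            }
            setUpTemporarySubject();
            updateSharedState();
            return true;
        } catch (CertificateMapFailedException e) {
            // Expected outcome for an unmapped certificate; @FFDCIgnore keeps it out of FFDC.
            // The chain is non-null here because mapCertificate runs after the empty-chain check.
            String dn = subjectDn(chain);
            String message = TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "JAAS_AUTHENTICATION_FAILED_CERTNOMAP", new Object[]{dn}, "CWWKS1101I: CLIENT-CERT Authentication failed for the client certificate with dn {0}. The dn did not map to a user in the registry.");
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "CLIENT-CERT Authentication failed for the client certificate with dn " + dn + ". The dn did not map to a user in the registry.", new Object[0]);
            }
            throw new AuthenticationException(message, e);
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "115", this, new Object[0]);
            String message = TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "JAAS_AUTHENTICATION_FAILED_CERT_INTERNAL_ERROR", new Object[]{subjectDn(chain)}, "CWWKS1102E: CLIENT-CERT Authentication failed for the client certificate with dn {0}. An internal error occurred.");
            // NOTE(review): logged at info level but only while debug tracing is enabled —
            // retained from the original; confirm the intended level.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.info(tc, message, new Object[0]);
            }
            throw new AuthenticationException(message, e);
        }
    }

    /**
     * Obtains the certificate chain from the callback handler.
     *
     * @return the chain reported by the callback; may be null or empty if none was supplied
     */
    private X509Certificate[] obtainCertificateChain() throws IOException, UnsupportedCallbackException {
        Callback[] callbacks = getRequiredCallbacks(this.callbackHandler);
        return ((WSX509CertificateChainCallback) callbacks[0]).getX509CertificateChain();
    }

    /**
     * Subject DN of the first certificate, for diagnostics.
     *
     * @param chain chain obtained from the callback, possibly null or empty
     * @return the subject DN of {@code chain[0]}, or {@link #UNKNOWN_DN} when no certificate is
     *         available (so that a failure before the chain was obtained does not turn into a
     *         NullPointerException that hides the real cause)
     */
    private static String subjectDn(X509Certificate[] chain) {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            return UNKNOWN_DN;
        }
        return chain[0].getSubjectX500Principal().getName();
    }

    /**
     * Builds the temporary subject for the mapped user, populating principal and credentials
     * with a "user" access id derived from the registry realm and unique user id.
     *
     * @throws Exception propagated from the registry or subject population
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void setUpTemporarySubject() throws Exception {
        this.temporarySubject = new Subject();
        UserRegistry registry = getUserRegistry();
        String accessId = AccessIdUtil.createAccessId("user", registry.getRealm(), registry.getUniqueUserId(this.urAuthenticatedId));
        setPrincipalAndCredentials(this.temporarySubject, this.username, this.urAuthenticatedId, accessId, "certificate");
    }

    /**
     * Commits the authenticated identity into the subject.
     *
     * @return {@code true} if this module authenticated the caller in {@link #login()};
     *         {@code false} to abstain otherwise
     */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean commit() throws LoginException {
        if (this.urAuthenticatedId == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
                Tr.event(tc, "Authentication did not occur for this login module, abstaining.", new Object[0]);
            }
            return false;
        }
        setUpSubject();
        return true;
    }

    /** Discards any partial authentication state; always returns {@code true}. */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean abort() {
        clearAuthenticationState();
        return true;
    }

    /** Removes this module's contribution from the subject; always returns {@code true}. */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean logout() {
        clearAuthenticationState();
        return true;
    }

    // Shared by abort() and logout(): drop the subject contents and forget the mapped identity
    // so a later commit() abstains.
    private void clearAuthenticationState() {
        cleanUpSubject();
        this.urAuthenticatedId = null;
        this.username = null;
    }

    // Entry/exit trace around class initialization; the tc null checks guard against the trace
    // component not being registered yet when tracing is evaluated.
    static {
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.entry(tc, "<clinit>", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.exit(tc, "<clinit>");
        }
    }
}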
