package com.ibm.ws.security.spnego.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationConstants;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.spnego.SpnegoConfig;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.servlet.http.HttpServletResponse;
import org.apache.cxf.staxutils.PropertiesExpandingStreamReader;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.spnego_1.0.13.jar:com/ibm/ws/security/spnego/internal/Krb5Util.class */
public class Krb5Util {
    public static final String KRB5_CONF = "java.security.krb5.conf";
    public static final String KRB5_KTNAME = "KRB5_KTNAME";
    public static final String KRB5_PRINCIPAL = "com.ibm.security.krb5.principal";
    private static final String USE_SUBJECT_CREDS_ONLY = "javax.security.auth.useSubjectCredsOnly";
    private static final char SPACE = ' ';
    private static final char TAB = '\t';
    private static final char NEWLINE = '\n';
    private static final char TILDA = '~';
    private static final char DOT = '.';
    static final long serialVersionUID = -2753990252784099257L;
    private static final TraceComponent tc = Tr.register(Krb5Util.class);
    private static HashMap<String, Subject> delegateSubjectCache = null;
    static boolean ibmJDK = false;

    public AuthenticationResult processSpnegoToken(HttpServletResponse httpServletResponse, @Sensitive byte[] bArr, String str, SpnegoConfig spnegoConfig) throws AuthenticationException {
        AuthenticationResult authenticationResult;
        GSSCredential spnGSSCredential = spnegoConfig.getSpnGSSCredential(str);
        String str2 = "HTTP/" + str;
        if (spnGSSCredential == null) {
            Tr.error(tc, "SPNEGO_GSSCRED_NOT_FOUND_FOR_SPN", str2);
            return new AuthenticationResult(AuthResult.SEND_401, "There is no GSSCredential for SPN");
        }
        Subject subject = new Subject();
        String str3 = SpnegoHelperProxy.isS4U2proxyEnabled() ? "false" : "true";
        String propertyAsNeeded = setPropertyAsNeeded("javax.security.auth.useSubjectCredsOnly", str3);
        if (SpnegoHelperProxy.isS4U2proxyEnabled()) {
            getdelegateServiceSubject(str2, spnGSSCredential, spnegoConfig);
        }
        try {
            GSSContext validateSpnegoToken = validateSpnegoToken(httpServletResponse, spnGSSCredential, bArr, subject, spnegoConfig);
            restorePropertyAsNeeded("javax.security.auth.useSubjectCredsOnly", propertyAsNeeded, str3);
            if (validateSpnegoToken.isEstablished()) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "SPNEGO request token successfully processed. GSSContext is established", new Object[0]);
                }
                authenticationResult = createResult(subject, validateSpnegoToken, spnegoConfig);
            } else {
                authenticationResult = new AuthenticationResult(AuthResult.FAILURE, "There is no GSSCredential for SPN");
            }
            disposeGssContext(validateSpnegoToken);
            return authenticationResult;
        } catch (Throwable th) {
            restorePropertyAsNeeded("javax.security.auth.useSubjectCredsOnly", propertyAsNeeded, str3);
            throw th;
        }
    }

    public GSSContext validateSpnegoToken(HttpServletResponse httpServletResponse, GSSCredential gSSCredential, @Sensitive final byte[] bArr, Subject subject, SpnegoConfig spnegoConfig) throws AuthenticationException {
        final GSSContext createGssContext = createGssContext(gSSCredential, spnegoConfig);
        try {
            byte[] bArr2 = (byte[]) Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<byte[]>() { // from class: com.ibm.ws.security.spnego.internal.Krb5Util.1
                static final long serialVersionUID = 3271709965058768907L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass1.class);

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public byte[] run() throws Exception {
                    return createGssContext.acceptSecContext(bArr, 0, bArr.length);
                }
            }, AccessController.getContext());
            if (!createGssContext.isEstablished()) {
                Tr.error(tc, "SPNEGO_CAN_NOT_VALIDATE_TOKEN", showHex(bArr2));
            }
            if (bArr2 != null) {
                setServerResponseToken(httpServletResponse, bArr2);
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                TraceComponent traceComponent = tc;
                Object[] objArr = new Object[1];
                objArr[0] = subject != null ? subject : "is null";
                Tr.debug(traceComponent, "client subject: ", objArr);
            }
            return createGssContext;
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.internal.Krb5Util", "132", this, new Object[]{httpServletResponse, gSSCredential, "<sensitive byte[]>", subject, spnegoConfig});
            try {
                throw e.getException();
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.spnego.internal.Krb5Util", "135", this, new Object[]{httpServletResponse, gSSCredential, "<sensitive byte[]>", subject, spnegoConfig});
                throw new AuthenticationException(e2.getLocalizedMessage(), e2);
            }
        }
    }

    protected GSSContext createGssContext(GSSCredential gSSCredential, SpnegoConfig spnegoConfig) throws AuthenticationException {
        try {
            return GSSManager.getInstance().createContext(gSSCredential);
        } catch (GSSException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.internal.Krb5Util", "167", this, new Object[]{gSSCredential, spnegoConfig});
            throw new AuthenticationException(e.getLocalizedMessage(), e);
        }
    }

    @Trivial
    protected void setServerResponseToken(HttpServletResponse httpServletResponse, byte[] bArr) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Server response token: " + showHex(bArr), new Object[0]);
        }
        String str = new String(Base64Coder.base64Encode(bArr));
        httpServletResponse.setHeader("WWW-Authenticate", "Negotiate " + str);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Encoded response: " + str, new Object[0]);
        }
    }

    AuthenticationResult createResult(Subject subject, GSSContext gSSContext, SpnegoConfig spnegoConfig) throws AuthenticationException {
        GSSCredential addGSSDelegCredToSubject;
        try {
            String gSSName = gSSContext.getSrcName().toString();
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Kerberos client principal: " + gSSName, new Object[0]);
            }
            subject.getPrincipals().add(new KerberosPrincipal(gSSName));
            String str = gSSName;
            if (spnegoConfig.isTrimKerberosRealmNameFromPrincipal()) {
                str = trimUsername(gSSName);
            }
            String str2 = gSSName;
            if (spnegoConfig.isIncludeClientGSSCredentialInSubject() && (addGSSDelegCredToSubject = addGSSDelegCredToSubject(gSSName, gSSContext, subject, spnegoConfig)) != null) {
                str2 = gSSName + addGSSDelegCredToSubject.hashCode();
            }
            addCustomProperties(subject, str2, str, spnegoConfig);
            return new AuthenticationResult(AuthResult.SUCCESS, subject);
        } catch (GSSException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.internal.Krb5Util", "203", this, new Object[]{subject, gSSContext, spnegoConfig});
            throw new AuthenticationException(e.getLocalizedMessage(), e);
        }
    }

    private void addCustomProperties(Subject subject, String str, String str2, SpnegoConfig spnegoConfig) {
        Hashtable hashtable = new Hashtable();
        hashtable.put(AuthenticationConstants.INTERNAL_ASSERTION_KEY, Boolean.TRUE);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_USERID, str2);
        if (spnegoConfig.isIncludeCustomCacheKeyInSubject()) {
            hashtable.put("com.ibm.wsspi.security.cred.cacheKey", str);
        }
        subject.getPrivateCredentials().add(hashtable);
    }

    public void disposeGssContext(GSSContext gSSContext) {
        if (gSSContext != null) {
            try {
                gSSContext.dispose();
            } catch (GSSException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.spnego.internal.Krb5Util", "253", this, new Object[]{gSSContext});
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "GSSException: " + e, new Object[0]);
                }
            }
        }
    }

    private GSSCredential addGSSDelegCredToSubject(String str, GSSContext gSSContext, Subject subject, SpnegoConfig spnegoConfig) {
        GSSCredential gSSCredential = null;
        try {
            gSSCredential = gSSContext.getDelegCred();
            if (gSSCredential == null && SpnegoHelperProxy.isS4U2proxyEnabled()) {
                gSSCredential = SpnegoHelperProxy.getDelegateGSSCredUsingS4U2proxy(str, gSSContext, gSSContext.getTargName().toString());
            }
            if (gSSCredential != null) {
                subject.getPrivateCredentials().add(gSSCredential);
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Add gssClientCredential " + str + " to subject", new Object[0]);
                }
            } else {
                Tr.warning(tc, "SPNEGO_NO_DELEGATED_CREDENTIALS_FOUND", str);
            }
        } catch (GSSException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.internal.Krb5Util", "278", this, new Object[]{str, gSSContext, subject, spnegoConfig});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "gssClientCredential has not been saved in the subject, GSSException: " + e.getMessage(), new Object[0]);
            }
        }
        return gSSCredential;
    }

    public String trimUsername(String str) {
        if (str == null || str.length() == 0) {
            return null;
        }
        String str2 = str;
        int indexOf = str2.indexOf(PropertiesExpandingStreamReader.DELIMITER);
        if (indexOf != -1) {
            str2 = str2.substring(0, indexOf);
        }
        return str2;
    }

    public void setKrb5ConfigAndKeytabProps(SpnegoConfig spnegoConfig) {
        String krb5Keytab = spnegoConfig.getKrb5Keytab();
        if (krb5Keytab != null) {
            needToSetSystemProperty("KRB5_KTNAME", krb5Keytab);
        }
        String krb5Config = spnegoConfig.getKrb5Config();
        if (krb5Config != null) {
            needToSetSystemProperty(KRB5_CONF, krb5Config);
        }
    }

    public boolean needToSetSystemProperty(String str, String str2) {
        boolean z = false;
        String systemProperty = getSystemProperty(str);
        if (systemProperty == null || !systemProperty.equalsIgnoreCase(str2)) {
            setSystemProperty(str, str2);
            z = true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, str + " property previous: " + (systemProperty != null ? systemProperty : "<null>") + " and now: " + str2, new Object[0]);
        }
        return z;
    }

    public void setSystemProperty(final String str, final String str2) {
        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.spnego.internal.Krb5Util.2
            static final long serialVersionUID = 2160589635971594530L;
            private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass2.class);

            @Override // java.security.PrivilegedAction
            public Object run() {
                return System.setProperty(str, str2);
            }
        });
    }

    public String getSystemProperty(final String str) {
        return (String) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.spnego.internal.Krb5Util.3
            static final long serialVersionUID = 8027878588574092882L;
            private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass3.class);

            @Override // java.security.PrivilegedAction
            public Object run() {
                return System.getProperty(str);
            }
        });
    }

    @Trivial
    public static String showHex(byte[] bArr) {
        if (bArr == null) {
            return null;
        }
        int length = bArr.length;
        StringBuffer stringBuffer = new StringBuffer(length);
        StringBuffer stringBuffer2 = new StringBuffer(length << 1);
        StringBuffer stringBuffer3 = new StringBuffer(length << 1);
        StringBuffer stringBuffer4 = new StringBuffer(length << 1);
        int i = 0;
        int i2 = 0;
        float f = 0.0f;
        for (byte b : bArr) {
            int i3 = b & 255;
            if (i3 == 13 || i3 == 10 || i3 == 9 || (i3 >= 32 && i3 <= 126)) {
                stringBuffer.append((char) i3);
            } else {
                stringBuffer.append('[' + hexPad(Integer.toHexString(i3), 2) + ']');
                f += 1.0f;
            }
            if (i3 < 32 || i3 > 126) {
                stringBuffer4.append('.');
            } else {
                stringBuffer4.append((char) i3);
            }
            stringBuffer3.append(hexPad(Integer.toHexString(i3), 2));
            if (i == 3 || i == 7 || i == 11) {
                stringBuffer3.append(' ');
                stringBuffer4.append(' ');
            }
            if (i == 15) {
                stringBuffer2.append(hexPad(Integer.toHexString(i2), 4)).append(":  ").append(stringBuffer3).append("    ").append(stringBuffer4).append("\n");
                i = 0;
                i2 += 16;
                stringBuffer3.setLength(0);
                stringBuffer4.setLength(0);
            } else {
                i++;
            }
        }
        for (int length2 = stringBuffer3.length(); length2 < 35; length2++) {
            stringBuffer3.append(' ');
        }
        stringBuffer2.append(hexPad(Integer.toHexString(i2), 4)).append(":  ").append(stringBuffer3).append("    ").append(stringBuffer4).append("\n");
        return stringBuffer2.toString();
    }

    @Trivial
    private static String hexPad(String str, int i) {
        int length = str.length();
        StringBuffer stringBuffer = new StringBuffer(length + i);
        for (int i2 = length; i2 < i; i2++) {
            stringBuffer.append('0');
        }
        stringBuffer.append(str);
        return stringBuffer.toString();
    }

    public static String setPropertyAsNeeded(final String str, final String str2) {
        String str3 = (String) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.spnego.internal.Krb5Util.4
            static final long serialVersionUID = 5692706283483808131L;
            private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass4.class);

            @Override // java.security.PrivilegedAction
            public String run() {
                String property = System.getProperty(str);
                if (property == null || !property.equalsIgnoreCase(str2)) {
                    System.setProperty(str, str2);
                }
                return property;
            }
        });
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "javax.security.auth.useSubjectCredsOnly property previous: " + (str3 != null ? str3 : "<null>") + " and now: " + str2, new Object[0]);
        }
        return str3;
    }

    public static void restorePropertyAsNeeded(final String str, final String str2, final String str3) {
        AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.security.spnego.internal.Krb5Util.5
            static final long serialVersionUID = -8660177851434465838L;
            private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass5.class);

            @Override // java.security.PrivilegedAction
            public Object run() {
                if (str2 == null) {
                    System.clearProperty(str);
                    return null;
                }
                if (str2.equalsIgnoreCase(str3)) {
                    return null;
                }
                System.setProperty(str, str2);
                return null;
            }
        });
    }

    private static Subject getdelegateServiceSubject(String str, GSSCredential gSSCredential, SpnegoConfig spnegoConfig) {
        String str2 = null;
        try {
            str2 = gSSCredential.getName().toString();
        } catch (GSSException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.internal.Krb5Util", "495", null, new Object[]{str, gSSCredential, spnegoConfig});
            Tr.error(tc, "SPNEGO_CAN_NOT_GET_DELEGATE_SERVICE_SPN", str);
        }
        Subject delegateServiceSubjectFromCache = getDelegateServiceSubjectFromCache(str2);
        if (delegateServiceSubjectFromCache != null) {
            return delegateServiceSubjectFromCache;
        }
        String propertyAsNeeded = setPropertyAsNeeded("com.ibm.security.krb5.principal", str2);
        try {
            try {
                delegateServiceSubjectFromCache = SpnegoHelperProxy.doKerberosLogin(str2, spnegoConfig.getKrb5Keytab());
                restorePropertyAsNeeded("com.ibm.security.krb5.principal", propertyAsNeeded, str2);
            } catch (Throwable th) {
                restorePropertyAsNeeded("com.ibm.security.krb5.principal", propertyAsNeeded, str2);
                throw th;
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.spnego.internal.Krb5Util", "507", null, new Object[]{str, gSSCredential, spnegoConfig});
            Tr.error(tc, "SPNEGO_DELEGATE_SPN_LOGIN_TO_KDC_FAILURE", str, spnegoConfig.getKrb5Config(), spnegoConfig.getKrb5Keytab());
            restorePropertyAsNeeded("com.ibm.security.krb5.principal", propertyAsNeeded, str2);
        }
        if (delegateServiceSubjectFromCache != null) {
            delegateSubjectCache.put(str2, delegateServiceSubjectFromCache);
        }
        return delegateServiceSubjectFromCache;
    }

    private static Subject getDelegateServiceSubjectFromCache(String str) {
        if (delegateSubjectCache == null) {
            delegateSubjectCache = new HashMap<>();
            return null;
        }
        Subject subject = delegateSubjectCache.get(str);
        if (subject != null) {
            if (SubjectHelper.isTGTInSubjectValid(subject, str)) {
                return subject;
            }
            delegateSubjectCache.remove(str);
        }
        return subject;
    }
}
