package com.ibm.ws.collective.member.internal.security;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.collective.member.internal.TraceConstants;
import com.ibm.ws.collective.member.security.CollectiveCertificateConfig;
import com.ibm.ws.collective.security.CollectiveDNUtil;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.collective.CollectiveAuthenticationPlugin;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;

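/**
 * Collective-member implementation of {@link CollectiveAuthenticationPlugin}.
 *
 * <p>Two shapes of client certificate are recognised:
 * <ul>
 *   <li>a <em>collective certificate chain</em> of exactly two certificates (member/controller
 *       certificate plus the collective root), accepted when every subject and issuer DN in the
 *       chain passes the {@link CollectiveDNUtil} syntax checks; and</li>
 *   <li>a <em>CA-signed certificate</em> whose subject DN contains the RDN configured in
 *       {@link CollectiveCertificateConfig}, accepted when its signature verifies against a
 *       trusted entry of the {@value #KEY_COLLECTIVE_TRUST} keystore whose subject equals the
 *       certificate's issuer.</li>
 * </ul>
 *
 * <p>Both validation paths fail closed: any missing service, malformed DN, keystore error or
 * signature failure results in an {@link AuthenticationException} (or {@code false} from the
 * {@code is*} probes). Only the signature of the leaf certificate is checked here; chain
 * building, revocation and validity period are assumed to be handled by the transport layer
 * that presented the chain (not verified in this class).
 *
 * <p>Thread-safety: the only mutable state is the two {@link AtomicServiceReference}s, which
 * are themselves safe for concurrent use.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {CollectiveAuthenticationPlugin.class}, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM", "name=MemberCollectiveAuthenticationPlugin", "service.ranking:Integer=0"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.collective.member_1.1.16.jar:com/ibm/ws/collective/member/internal/security/MemberCollectiveAuthenticationPlugin.class */
public class MemberCollectiveAuthenticationPlugin implements CollectiveAuthenticationPlugin {
    private static final TraceComponent tc = Tr.register(MemberCollectiveAuthenticationPlugin.class);

    /** Name of the keystore holding the trusted signers of CA-signed collective certificates. */
    static final String KEY_COLLECTIVE_TRUST = "collectiveTrust";
    static final String KEY_COLLECTIVE_CERT_CONFIG_SERVICE_REF = "CollectiveCertificateConfig";
    static final String KEY_KEYSTORE_SERVICE_REF = "keyStoreService";
    static final long serialVersionUID = -4307167475874130661L;

    /** Source id reported to FFDC; identical to the literal used by the original code. */
    private static final String CLASS_NAME = MemberCollectiveAuthenticationPlugin.class.getName();

    /** Placeholder "DN" used in trace and NLS messages when an empty chain is presented. */
    private static final String ZERO_LENGTH_CHAIN = "Zero-length certificate chain";

    // NLS keys and their English fallbacks, shared by every rejection path.
    private static final String MSG_MEMBER_REJECT = "MEMBER_SECURITY_REJECT_CERT";
    private static final String MSG_MEMBER_REJECT_DEFAULT = "CWWKX8131E: The presented certificate is not a collective certificate. Authentication is denied for DN: {0}";
    private static final String MSG_CONTROLLER_REJECT = "CONTROLLER_SECURITY_REJECT_CERT";
    private static final String MSG_CONTROLLER_REJECT_DEFAULT = "CWWKX9204E: The presented certificate is not a valid collective certificate. Authentication is denied for DN: {0}";

    private final AtomicServiceReference<KeyStoreService> keyStoreServiceRef = new AtomicServiceReference<>(KEY_KEYSTORE_SERVICE_REF);
    private final AtomicServiceReference<CollectiveCertificateConfig> collectiveCertConfigServiceRef = new AtomicServiceReference<>(KEY_COLLECTIVE_CERT_CONFIG_SERVICE_REF);

    /**
     * Binds both service references to the component context.
     *
     * @param componentContext the DS component context
     */
    @Activate
    protected void activate(ComponentContext componentContext) {
        this.keyStoreServiceRef.activate(componentContext);
        this.collectiveCertConfigServiceRef.activate(componentContext);
    }

    /**
     * Releases both service references. Mirrors {@link #activate}: the original code released only
     * the keystore reference and left the certificate-config reference bound after deactivation.
     *
     * @param componentContext the DS component context
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        this.keyStoreServiceRef.deactivate(componentContext);
        this.collectiveCertConfigServiceRef.deactivate(componentContext);
    }

    @Reference(name = KEY_KEYSTORE_SERVICE_REF, service = KeyStoreService.class)
    protected void setKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.setReference(serviceReference);
    }

    protected void unsetKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.unsetReference(serviceReference);
    }

    @Reference(name = KEY_COLLECTIVE_CERT_CONFIG_SERVICE_REF, service = CollectiveCertificateConfig.class)
    protected void setCollectiveCertificateConfig(ServiceReference<CollectiveCertificateConfig> serviceReference) {
        this.collectiveCertConfigServiceRef.setReference(serviceReference);
    }

    protected void unsetCollectiveCertificateConfig(ServiceReference<CollectiveCertificateConfig> serviceReference) {
        this.collectiveCertConfigServiceRef.unsetReference(serviceReference);
    }

    /**
     * Probes whether {@code x509CertificateArr} looks like a collective certificate chain.
     *
     * <p>True only when the chain has exactly two certificates and the leaf subject DN passes
     * {@code CollectiveDNUtil.validateCollectiveDNSyntax} while the leaf issuer, root subject and
     * root issuer DNs pass {@code CollectiveDNUtil.validateCollectiveRootDNSyntax}. Any other
     * length, a {@code null} chain, or an {@link InvalidNameException} from those checks yields
     * {@code false}; nothing is thrown.
     *
     * @param x509CertificateArr the presented chain, leaf first; may be {@code null}
     * @return {@code true} if the chain has collective DN syntax throughout
     */
    @Override // com.ibm.ws.security.authentication.collective.CollectiveAuthenticationPlugin
    @FFDCIgnore({InvalidNameException.class})
    public boolean isCollectiveCertificateChain(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length != 2) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The certificate chain is not length 2, this is not a collective cert chain. Certificate DN: " + leafDnOrPlaceholder(x509CertificateArr), new Object[0]);
            }
            return false;
        }
        X509Certificate leaf = x509CertificateArr[0];
        X509Certificate root = x509CertificateArr[1];
        try {
            String leafDn = leaf.getSubjectX500Principal().getName();
            checkCollectiveChainSyntax(leaf, root, leafDn);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The presented certificate chain is a collective cert chain. Proceeding to authentication with DN: " + leafDn, new Object[0]);
            }
            return true;
        } catch (InvalidNameException e) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "InvalidNameException while processing cert chain in isCollectiveCertificateChain, certificate is not a Collective Certificate chain.", e.getMessage());
            }
            return false;
        }
    }

    /**
     * Probes whether the first certificate of {@code x509CertificateArr} is a CA-signed collective
     * certificate, i.e. whether its subject DN contains the configured collective RDN (see
     * {@link #validateCollectiveRDN}). Only the DN is inspected here; the signature is checked
     * later by {@link #authenticateCertificateChain}.
     *
     * @param x509CertificateArr the presented chain, leaf first; may be {@code null}
     * @return {@code true} if the leaf subject DN contains the configured RDN; {@code false} for an
     *         empty or {@code null} chain or when the RDN check throws {@link InvalidNameException}
     */
    @Override // com.ibm.ws.security.authentication.collective.CollectiveAuthenticationPlugin
    @FFDCIgnore({InvalidNameException.class})
    public boolean isCollectiveCACertificate(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The certificate is not a valid CA signed collective certificate. Certificate DN: Zero-length certificate chain", new Object[0]);
            }
            return false;
        }
        try {
            String leafDn = x509CertificateArr[0].getSubjectX500Principal().getName();
            boolean matches = validateCollectiveRDN(leafDn);
            if (matches && tc.isEventEnabled()) {
                Tr.event(tc, "The presented CA signed certificate is valid collective certificate. Proceeding to authentication with DN: " + leafDn, new Object[0]);
            }
            return matches;
        } catch (InvalidNameException e) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "InvalidNameException while processing cert chain in isCollectiveCACertificate, certificate is not a valid third party Collective Certificate.", e.getMessage());
            }
            return false;
        }
    }

    /**
     * Authenticates a presented chain, dispatching on the caller's classification of it.
     *
     * @param x509CertificateArr the presented chain, leaf first
     * @param z {@code true} to treat the chain as a collective certificate chain, {@code false} to
     *          treat it as a CA-signed collective certificate
     * @throws AuthenticationException if the chain is rejected
     */
    @Override // com.ibm.ws.security.authentication.collective.CollectiveAuthenticationPlugin
    public void authenticateCertificateChain(X509Certificate[] x509CertificateArr, boolean z) throws AuthenticationException {
        if (z) {
            validateCollectiveCertificate(x509CertificateArr);
        } else {
            validateCACertificate(x509CertificateArr);
        }
    }

    /**
     * Validates a two-certificate collective chain: every subject/issuer DN must satisfy the
     * {@link CollectiveDNUtil} syntax checks and the leaf DN must carry a collective role
     * ({@code CollectiveDNUtil.getCollectiveRole}).
     *
     * @param x509CertificateArr the presented chain, leaf first; may be {@code null}
     * @throws AuthenticationException if the chain is {@code null}, not of length 2, or any DN check
     *         fails (the {@link InvalidNameException} is attached as the cause)
     */
    public void validateCollectiveCertificate(X509Certificate[] x509CertificateArr) throws AuthenticationException {
        if (x509CertificateArr == null || x509CertificateArr.length != 2) {
            String dn = leafDnOrPlaceholder(x509CertificateArr);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The certificate chain is not length 2, this is not a collective cert chain. Rejecting authentication. Rejected DN: " + dn, new Object[0]);
            }
            throw rejectCollectiveCert(dn, null);
        }
        X509Certificate leaf = x509CertificateArr[0];
        X509Certificate root = x509CertificateArr[1];
        String leafDn = leaf.getSubjectX500Principal().getName();
        try {
            checkCollectiveChainSyntax(leaf, root, leafDn);
            CollectiveDNUtil.getCollectiveRole(leafDn);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The presented certificate chain is a controller collective cert chain. Authentication successful.", new Object[0]);
            }
        } catch (InvalidNameException e) {
            FFDCFilter.processException(e, CLASS_NAME, "232", this, new Object[]{x509CertificateArr});
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Unexpected InvalidNameException during authenticateCertificateChain for what should have been a collective chain. Rejecting authentication.", e);
            }
            throw rejectCollectiveCert(leafDn, e);
        }
    }

    /**
     * Validates a CA-signed collective certificate: a trusted entry of the
     * {@value #KEY_COLLECTIVE_TRUST} keystore whose subject equals the leaf's issuer must exist,
     * and the leaf's signature must verify with that entry's public key.
     *
     * <p>Note that only the leaf signature is verified; validity period and revocation are not
     * checked here.
     *
     * @param x509CertificateArr the presented chain, leaf first; may be {@code null}
     * @throws AuthenticationException if the chain is empty or {@code null}, the keystore service is
     *         unavailable, no matching signer is found, or verification throws any of the
     *         {@code java.security} exceptions (attached as the cause)
     */
    private void validateCACertificate(X509Certificate[] x509CertificateArr) throws AuthenticationException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The certificate chain is not length 1, this is not a collective cert chain. Rejecting authentication. Rejected DN: Zero-length certificate chain", new Object[0]);
            }
            throw rejectCACert(ZERO_LENGTH_CHAIN, null);
        }
        X509Certificate leaf = x509CertificateArr[0];
        String leafDn = leaf.getSubjectX500Principal().getName();
        KeyStoreService service = this.keyStoreServiceRef.getService();
        if (service == null) {
            // No keystore service means no trust store to verify against: fail closed rather than NPE.
            if (tc.isEventEnabled()) {
                Tr.event(tc, "KeyStoreService is unavailable, the CA signed certificate cannot be verified. Rejecting authentication. Rejected DN: " + leafDn, new Object[0]);
            }
            throw rejectCACert(leafDn, null);
        }
        try {
            String signerAlias = getSignerAlias(x509CertificateArr, service);
            if (signerAlias.isEmpty()) {
                throw rejectCACert(leafDn, null);
            }
            // Signature check of the leaf against the trust-store entry matched by issuer DN.
            leaf.verify(service.getX509CertificateFromKeyStore(KEY_COLLECTIVE_TRUST, signerAlias).getPublicKey());
        } catch (InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException
                | SignatureException | CertificateException e) {
            // Every failure mode is reported identically to the client; the cause is kept server-side.
            FFDCFilter.processException(e, CLASS_NAME, "validateCACertificate", this, new Object[]{x509CertificateArr});
            throw rejectCACert(leafDn, e);
        }
    }

    /**
     * Checks that the subject DN {@code str} contains the RDN configured in
     * {@link CollectiveCertificateConfig#getRDN()}.
     *
     * @param str the subject DN of the presented certificate, in {@link LdapName} syntax
     * @return {@code true} when the configured RDN is one of the DN's RDNs (the method never
     *         returns {@code false}; mismatch is reported by exception)
     * @throws InvalidNameException if the configuration service is unavailable, either name fails
     *         to parse, or the configured RDN is not present in {@code str}
     */
    public boolean validateCollectiveRDN(String str) throws InvalidNameException {
        CollectiveCertificateConfig config = this.collectiveCertConfigServiceRef.getService();
        if (config == null) {
            throw new InvalidNameException("Validation of the Collective CA signed certification failed. The CollectiveCertificateConfig service is unavailable, so incoming certificate relative distinguished name '" + str + "' cannot be checked");
        }
        String configuredRdn = config.getRDN();
        if (new LdapName(str).getRdns().contains(new Rdn(configuredRdn))) {
            return true;
        }
        // Reports the RDN actually compared; the original printed a field that was never assigned.
        throw new InvalidNameException("Validation of the Collective CA signed certification failed. Incoming certificate relative distinguished name '" + str + "' does not match configurated RDN '" + configuredRdn + "'");
    }

    /**
     * Finds the alias of the trusted {@value #KEY_COLLECTIVE_TRUST} entry whose subject equals the
     * issuer of the leaf certificate.
     *
     * @param x509CertificateArr the presented chain, leaf first (must be non-empty)
     * @param keyStoreService the keystore service to query
     * @return the matching alias, or {@code ""} if none matches
     * @throws KeyStoreException propagated from the keystore service
     * @throws CertificateException propagated from the keystore service
     */
    private String getSignerAlias(X509Certificate[] x509CertificateArr, KeyStoreService keyStoreService) throws KeyStoreException, CertificateException {
        X500Principal issuer = x509CertificateArr[0].getIssuerX500Principal();
        Collection<String> aliases = keyStoreService.getTrustedCertEntriesInKeyStore(KEY_COLLECTIVE_TRUST);
        if (aliases == null) {
            return "";
        }
        for (String alias : aliases) {
            X509Certificate candidate = keyStoreService.getX509CertificateFromKeyStore(KEY_COLLECTIVE_TRUST, alias);
            if (candidate != null && candidate.getSubjectX500Principal().equals(issuer)) {
                return alias;
            }
        }
        return "";
    }

    /**
     * Applies the DN syntax checks shared by the probe and the validation of a two-certificate
     * collective chain: collective syntax for the leaf subject, collective-root syntax for the
     * leaf issuer and for both DNs of the root.
     */
    private static void checkCollectiveChainSyntax(X509Certificate leaf, X509Certificate root, String leafDn) throws InvalidNameException {
        CollectiveDNUtil.validateCollectiveDNSyntax(leafDn);
        CollectiveDNUtil.validateCollectiveRootDNSyntax(leaf.getIssuerX500Principal().getName());
        CollectiveDNUtil.validateCollectiveRootDNSyntax(root.getSubjectX500Principal().getName());
        CollectiveDNUtil.validateCollectiveRootDNSyntax(root.getIssuerX500Principal().getName());
    }

    /** Leaf subject DN for messages, or the zero-length placeholder when there is no leaf. */
    private static String leafDnOrPlaceholder(X509Certificate[] chain) {
        return chain != null && chain.length >= 1 ? chain[0].getSubjectX500Principal().getName() : ZERO_LENGTH_CHAIN;
    }

    /** Builds the CWWKX8131E rejection for a collective certificate chain, with optional cause. */
    private AuthenticationException rejectCollectiveCert(String dn, Throwable cause) {
        String msg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, MSG_MEMBER_REJECT, new Object[]{dn}, MSG_MEMBER_REJECT_DEFAULT);
        return cause == null ? new AuthenticationException(msg) : new AuthenticationException(msg, cause);
    }

    /** Builds the CWWKX9204E rejection for a CA-signed collective certificate, with optional cause. */
    private AuthenticationException rejectCACert(String dn, Throwable cause) {
        String msg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, MSG_CONTROLLER_REJECT, new Object[]{dn}, MSG_CONTROLLER_REJECT_DEFAULT);
        return cause == null ? new AuthenticationException(msg) : new AuthenticationException(msg, cause);
    }
}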
