package com.ibm.ws.management.util;

import com.ibm.ISecurityUtilityImpl.WSSecurityContextFactory;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.AdminService;
import com.ibm.websphere.management.AdminServiceFactory;
import com.ibm.websphere.security.auth.WSSecurityContext;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.rsatoken.RSATokenThreadManager;
import com.ibm.ws.security.util.Base64Coder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanException;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.ReflectionException;
import javax.security.auth.Subject;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.core.jar:com/ibm/ws/management/util/RSAPropagationHelper.class */
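/**
 * Helper for the admin-channel RSA token propagation handshake.
 *
 * <p>Two sides of one exchange live here: the server side exposes its RSA
 * propagation certificate ({@link #retrieveRSACert()}), and the client side
 * pulls the target's certificate out of an HTTP response
 * ({@link #extractTargetCert(HttpURLConnection)}) and then attaches an
 * {@code IBM-WAS-Authorization} token to the next request
 * ({@link #addRSAAuthHeader(HttpURLConnection, X509Certificate, String)}).
 *
 * <p>Thread-safety: the only mutable state is two {@link ThreadLocal}s, so the
 * static methods are safe to call from multiple threads. Security boundary:
 * this class parses and forwards certificates and tokens; it does not itself
 * decide whether a certificate is trusted or whether the connection is TLS.
 */
public class RSAPropagationHelper {
    private static final String CLASSNAME = "com.ibm.ws.management.util.RSAPropagationHelper";
    /** Request header: caller's device/host UUID (only sent when non-null). */
    public static final String DEVICE_ID = "deviceId";
    /** Request header: caller's device/host security realm (only sent when non-null). */
    public static final String DEVICE_REALM = "deviceRealm";
    /** Request header: caller's Kerberos SPN (only sent when non-null). */
    public static final String DEVICE_SPN = "kerberosSPN";
    public static final String NO_ACTIVE_JOB = "Return-Empty";
    /** Request header carrying the base64 RSA token (or, with no target cert yet, the header name itself as a marker value). */
    public static final String RSA_AUTH_HEADER = "IBM-WAS-Authorization";
    /** Response header: base64 error text from the target, surfaced to callers as an IOException message. */
    public static final String RSA_AUTH_ERROR_MSG_HEADER = "IBM-WAS-Authorization-Error-Message";
    /** Response header: base64 DER encoding of the target's RSA propagation certificate. */
    public static final String RSA_PUBLIC_CERT_HEADER = "IBM-WAS-RSA_Public-Cert";
    public static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    /** Mechanism OID handed to WSSecurityContextFactory to obtain the RSA propagation context. */
    private static final String RSA_PROPATATION_MECH_OID = "oid:1.3.18.0.2.30.6";
    private static String resBundleName = "com.ibm.ws.management.resources.adminservice";
    private static final TraceComponent tc = Tr.register(RSAPropagationHelper.class, (String) null, resBundleName);
    // Per-thread agent identity used by callers; this class only stores and returns them.
    private static final ThreadLocal<String> agentUUIDTL = new ThreadLocal<String>();
    private static final ThreadLocal<X509Certificate> agentCertificateTL = new ThreadLocal<X509Certificate>();

    /**
     * Returns the DER encoding of this process's admin RSA propagation certificate.
     *
     * <p>Locates the local {@code SSLAdmin} MBean through the AdminService and
     * invokes {@code getAdminRSAPropagationCertificate} on it.
     *
     * @return the encoded certificate, or {@code null} when the MBean returns no certificate
     * @throws InstanceNotFoundException when no {@code SSLAdmin} MBean matches this node/process
     *         (previously this surfaced as an unchecked {@code NoSuchElementException})
     * @throws MalformedObjectNameException if the query pattern cannot be built
     * @throws MBeanException, ReflectionException on MBean invocation failure
     * @throws CertificateEncodingException if the certificate cannot be encoded
     * @throws IOException propagated from the AdminService
     */
    public static byte[] retrieveRSACert() throws MalformedObjectNameException, InstanceNotFoundException, MBeanException, ReflectionException, CertificateEncodingException, IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "retrieveRSACert");
        }
        boolean isDebugEnabled = tc.isDebugEnabled();
        AdminService adminService = AdminServiceFactory.getAdminService();
        if (isDebugEnabled) {
            Tr.debug(tc, "adminService = " + adminService);
        }
        String nodeName = adminService.getNodeName();
        if (isDebugEnabled) {
            Tr.debug(tc, "node name = " + nodeName);
        }
        String processName = adminService.getProcessName();
        if (isDebugEnabled) {
            Tr.debug(tc, "process name = " + processName);
        }
        ObjectName queryName = new ObjectName(adminService.getDomainName() + ":type=SSLAdmin,node=" + nodeName + ",process=" + processName + ",*");
        if (isDebugEnabled) {
            Tr.debug(tc, "queryName = " + queryName);
        }
        Iterator<?> matches = adminService.queryNames(queryName, null).iterator();
        if (!matches.hasNext()) {
            // An empty query result is a deployment problem, not a bug: report it
            // with the checked type the signature already declares.
            InstanceNotFoundException notFound = new InstanceNotFoundException("No SSLAdmin MBean matches " + queryName);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "retrieveRSACert", notFound);
            }
            throw notFound;
        }
        ObjectName mBeanName = (ObjectName) matches.next();
        if (isDebugEnabled) {
            Tr.debug(tc, "mBeanName = " + mBeanName);
        }
        X509Certificate cert = (X509Certificate) adminService.invoke(mBeanName, "getAdminRSAPropagationCertificate", null, null);
        byte[] encoded = (cert == null) ? null : cert.getEncoded();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "cert = ", cert);
        }
        return encoded;
    }

    /**
     * Convenience overload of {@link #addRSAAuthHeader(HttpURLConnection, X509Certificate, String, String, String, String)}
     * that sends no device id, realm or Kerberos SPN headers.
     *
     * @param httpURLConnection connection whose request headers are set
     * @param x509Certificate target's RSA certificate, or {@code null} to request it
     * @param str target identity passed to {@code initSecContext}
     * @throws Exception anything raised while building the token (already logged as ADMN2000E)
     */
    public static void addRSAAuthHeader(HttpURLConnection httpURLConnection, X509Certificate x509Certificate, String str) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addRSAAuthHeader overloaded method");
        }
        addRSAAuthHeader(httpURLConnection, x509Certificate, str, null, null, null);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addRSAAuthHeader overloaded method");
        }
    }

    /**
     * Sets the RSA propagation request headers on {@code httpURLConnection}.
     *
     * <p>Behaviour by case, as implemented below:
     * <ul>
     *   <li>{@code x509Certificate == null}: the {@code IBM-WAS-Authorization} header is set to the
     *       marker value {@code "IBM-WAS-Authorization"}, i.e. "send me your certificate".</li>
     *   <li>Otherwise, the current Subject is resolved, an RSA security context is created and
     *       {@code initSecContext} produces a token that is base64-encoded into the header. The
     *       target certificate is pinned on the current thread via {@link RSATokenThreadManager}
     *       only for the duration of that call.</li>
     *   <li>If there is no Subject, the Subject cannot be resolved, or no context is returned, no
     *       {@code IBM-WAS-Authorization} header is set at all and the request goes out without a token.</li>
     * </ul>
     *
     * <p>The token is carried in a plain request header; nothing here checks that the
     * connection is TLS, so confidentiality of the token is the caller's responsibility.
     *
     * @param httpURLConnection connection whose request headers are set
     * @param x509Certificate target's RSA certificate, or {@code null}
     * @param str target identity passed to {@code initSecContext}
     * @param str2 device/host UUID for the {@code deviceId} header, or {@code null} to omit
     * @param str3 device/host realm for the {@code deviceRealm} header, or {@code null} to omit
     * @param str4 device/host Kerberos SPN for the {@code kerberosSPN} header, or {@code null} to omit
     * @throws Exception rethrown after being logged as ADMN2000E
     */
    public static void addRSAAuthHeader(HttpURLConnection httpURLConnection, X509Certificate x509Certificate, String str, String str2, String str3, String str4) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addRSAAuthHeader");
        }
        try {
            if (str2 != null) {
                httpURLConnection.setRequestProperty(DEVICE_ID, str2);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "deviceId/hostUUID is null");
            }
            if (str3 != null) {
                httpURLConnection.setRequestProperty(DEVICE_REALM, str3);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "deviceRealm/hostSecRealm is null");
            }
            if (str4 != null) {
                httpURLConnection.setRequestProperty(DEVICE_SPN, str4);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "deviceKrbSPN/hostKrbSPN is null");
            }
            if (x509Certificate == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "targetCert is null");
                }
                // Marker value: asks the target to return its certificate (see extractTargetCert).
                httpURLConnection.setRequestProperty(RSA_AUTH_HEADER, RSA_AUTH_HEADER);
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "targetCert is not null");
                }
                Subject callerSubject = resolveCallerSubject();
                if (callerSubject != null) {
                    WSSecurityContext securityContext = WSSecurityContextFactory.getInstance().createContext(RSA_PROPATATION_MECH_OID);
                    String realm = SecurityHelper.getHelper().getRealm();
                    if (securityContext != null) {
                        RSATokenThreadManager manager = RSATokenThreadManager.getInstance();
                        // Pin the target certificate only while the token is being built;
                        // the finally clears it on both the success and the failure path.
                        manager.setTargetCertificate(x509Certificate);
                        try {
                            byte[] token = securityContext.initSecContext(callerSubject, str, realm);
                            String tokenStr = new String(Base64Coder.base64Encode(token));
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "setting tokenStr to http header IBM-WAS-Authorization");
                            }
                            httpURLConnection.setRequestProperty(RSA_AUTH_HEADER, tokenStr);
                        } finally {
                            manager.setTargetCertificate(null);
                        }
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "addRSAAuthHeader");
            }
        } catch (Exception e2) {
            Tr.error(tc, "ADMN2000E", e2);
            throw e2;
        }
    }

    /**
     * Returns the caller's Subject, or {@code null} when there is none or it cannot be resolved.
     *
     * <p>A failure in {@code SecurityHelper.getActualSubject} is recorded via FFDC and treated as
     * "no Subject", which makes {@code addRSAAuthHeader} skip the token header rather than fail.
     */
    private static Subject resolveCallerSubject() {
        Subject subject = SecurityHelper.retrieveSubject();
        if (subject == null) {
            return null;
        }
        try {
            SecurityHelper.getActualSubject(subject);
            return subject;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getActualSubject failed getting token Subject.");
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.util.RSAPropagationHelper.addRSAAuthHeader", "174");
            return null;
        }
    }

    /**
     * Parses the target's RSA propagation certificate from the {@code IBM-WAS-RSA_Public-Cert}
     * response header.
     *
     * <p>Parsing only proves the header holds a well-formed X.509 certificate. Nothing here checks
     * that it chains to a trusted issuer or belongs to the intended target; whatever trust check
     * applies happens where the certificate is later used (outside this file).
     *
     * @param httpURLConnection response to read the header from
     * @return the parsed certificate, never {@code null}
     * @throws IOException when the certificate header is absent — carrying the decoded
     *         {@code IBM-WAS-Authorization-Error-Message} text (remote-supplied, echoed as-is) if
     *         one was sent, otherwise a fixed message — or when the header cannot be parsed
     */
    public static X509Certificate extractTargetCert(HttpURLConnection httpURLConnection) throws IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "extractTargetCert", httpURLConnection);
        }
        String certHeader = httpURLConnection.getHeaderField(RSA_PUBLIC_CERT_HEADER);
        if (certHeader == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Target RSA cert is null");
            }
            // Guarded: the error header is optional and Base64Coder's handling of a null
            // argument is not visible from here.
            String errorHeader = httpURLConnection.getHeaderField(RSA_AUTH_ERROR_MSG_HEADER);
            String errorMessage = errorHeader != null ? Base64Coder.base64Decode(errorHeader) : null;
            IOException failure = errorMessage != null ? new IOException(errorMessage) : new IOException("Unable to retrieve target's public certificate");
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "extractTargetCert", failure);
            }
            throw failure;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Target RSA cert is not null");
        }
        try {
            // NOTE(review): getBytes() uses the platform charset; kept as-is because Base64Coder's
            // expected byte encoding is not visible here — confirm before switching to UTF-8.
            byte[] der = Base64Coder.base64Decode(certHeader.getBytes());
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "extractTargetCert", cert);
            }
            return cert;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.util.RSAPropagationHelper.extractTargetCert", "234");
            IOException wrapped = new IOException(e);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "extractTargetCert", wrapped);
            }
            throw wrapped;
        }
    }

    /**
     * Reports whether the response carries an {@code IBM-WAS-RSA_Public-Cert} header.
     *
     * @param httpURLConnection response to inspect
     * @return {@code true} when the header is present (its content is not validated)
     */
    public static boolean hasTargetCert(HttpURLConnection httpURLConnection) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "hasTargetCert", httpURLConnection);
        }
        boolean present = httpURLConnection.getHeaderField(RSA_PUBLIC_CERT_HEADER) != null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "hasTargetCert", Boolean.valueOf(present));
        }
        return present;
    }

    /** Returns the agent UUID stored for the current thread, or {@code null}. */
    public static String getAgentUUIDThreadLocal() {
        return agentUUIDTL.get();
    }

    /** Stores the agent UUID for the current thread ({@code null} clears it). */
    public static void setAgentUUIDThreadLocal(String str) {
        agentUUIDTL.set(str);
    }

    /** Returns the agent certificate stored for the current thread, or {@code null}. */
    public static X509Certificate getAgentCertificateThreadLocal() {
        return agentCertificateTL.get();
    }

    /** Stores the agent certificate for the current thread ({@code null} clears it). */
    public static void setAgentCertificateThreadLocal(X509Certificate x509Certificate) {
        agentCertificateTL.set(x509Certificate);
    }
}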
