package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.crypto.provider.AESKeySpec;
import com.ibm.misc.HexDumpEncoder;
import com.ibm.nws.ffdc.FFDCFilter;
import com.ibm.security.krb5.wss.KerberosTokenConfig;
import com.ibm.security.krb5.wss.KerberosTokenConsumer;
import com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallback;
import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.common.SCAndTrustConstants;
import com.ibm.ws.wssecurity.config.DerivedKeyInfoConfig;
import com.ibm.ws.wssecurity.config.KRBConfig;
import com.ibm.ws.wssecurity.config.KeyInfoContentConsumerConfig;
import com.ibm.ws.wssecurity.keyinfo.WSSKeyInfoComponent;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.token.CacheableTokenCacheFactory;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.KRB5TokenCacheUtil;
import com.ibm.ws.wssecurity.util.KRB5Util;
import com.ibm.ws.wssecurity.util.TokenHolder;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityFaultCode;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMAttribute;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/KRBConsumeLoginModule.class */
public class KRBConsumeLoginModule implements LoginModule {
    // Component name used for message/trace registration conventions; not referenced in the methods shown here.
    private static final String comp = "security.wssecurity";
    // Line separator prepended to several LoginException messages.
    private static final String newline = "\n";
    // Property-key prefix for WSS-API driven consumption; not referenced in the methods shown here.
    private static final String CONSUME_CALLBACK_BY_WSSAPI = "com.ibm.wsspi.wssecurity.krbtoken.consumeCallbackByWSSAPI:";
    // Outcome of the most recent login(); reset to false at the start of every login().
    private boolean loginSucceeded = false;
    // True when this side is the service provider (Axis2Util.isServiceProvider), decided in login().
    private boolean isServer = false;
    // Not assigned or read in the methods shown here.
    private KRBConfig config = null;
    // The Kerberos (or referenced) token established by login() and published by commit().
    private SecurityToken _token;
    // Token manager taken from the PropertyCallback context in login(); null until then.
    private SecurityTokenManagerImpl _securityTokenManager;
    // Processing context from the PropertyCallback; null until login() runs (initialize() already reads it, see there).
    private Map<Object, Object> _context;
    // JAAS callback handler supplied by initialize(); login() fails if it is null.
    private CallbackHandler _handler;
    // JAAS shared state; receives Constants.BASE_TOKEN_KEY_BYTES (the AP_REQ session key bytes) for derived-key modules.
    private Map _sharedState;
    private Map _options;
    // Created in initialize(); not used in the methods shown here.
    private List<SecurityToken> _processedTokens;
    private List<SecurityToken> _insertedTokens;
    // Audit plumbing: whether SECURITY_AUTHN success/denied events must be generated for this login.
    private WSSAuditService _wssAuditService;
    private WSSAuditEventGenerator _wssAuditEventGenerator;
    private boolean _isAuthnEventsRequired;
    private static final TraceComponent tc = Tr.register(KRBConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = KRBConsumeLoginModule.class.getName();
    // Shared hex dumper; the visible code creates its own HexDumpEncoder instead of using this one.
    private static final HexDumpEncoder hexDumper = new HexDumpEncoder();

    /**
     * JAAS abort: nothing is rolled back here (the token established by
     * {@link #login()} is left in the instance fields), and the module always
     * reports {@code false}, i.e. "ignore this module".
     *
     * @return always {@code false}
     * @throws LoginException never; declared by the interface
     */
    public boolean abort() throws LoginException {
        final boolean traceOn = tc.isEntryEnabled();
        if (traceOn) {
            Tr.entry(tc, "abort()");
            Tr.exit(tc, "abort()");
        }
        return false;
    }

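    /**
     * JAAS commit: publishes the token established by {@link #login()} to the
     * SecurityTokenManager and records it in the processing context under
     * {@code Constants.WSSECURITY_TOKEN_PROCESSED}.
     * <p>
     * Fix: the original added {@code _token} unconditionally, even when this
     * module's own {@code login()} had returned {@code false} (null token) or
     * had never populated the token manager. Per the JAAS contract a module
     * whose login did not succeed must commit nothing and return {@code false}.
     *
     * @return {@code true} when a token was published, {@code false} when there
     *         was nothing to commit
     * @throws LoginException never; declared by the interface
     */
    public boolean commit() throws LoginException {
        final boolean traceOn = tc.isEntryEnabled();
        if (traceOn) {
            Tr.entry(tc, "commit()");
        }
        if (!this.loginSucceeded || this._token == null || this._securityTokenManager == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "login() did not establish a token; nothing to commit.");
            }
            if (traceOn) {
                Tr.exit(tc, "commit()");
            }
            return false;
        }
        this._securityTokenManager.addToken(this._token);
        if (tc.isDebugEnabled()) {
            // Only the identity hash is traced; no token content or key material.
            Tr.debug(tc, "The token hash value = " + this._token.hashCode());
        }
        this._context.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._token);
        if (traceOn) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }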

    /**
     * JAAS initialize: stores the callback handler, shared state and options,
     * and resolves the audit service/generator. The Subject is not retained;
     * publication happens through the SecurityTokenManager in {@link #commit()}.
     *
     * @param subject          ignored
     * @param callbackHandler  handler that must answer a PropertyCallback and a KRBTokenConsumeCallback in login()
     * @param map              JAAS shared state (receives the base-token key bytes for derived-key modules)
     * @param map2             JAAS options (stored, not read here)
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        final boolean traceOn = tc.isEntryEnabled();
        if (traceOn) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._handler = callbackHandler;
        this._sharedState = map;
        this._options = map2;
        this._processedTokens = new ArrayList<SecurityToken>();
        this._insertedTokens = new ArrayList<SecurityToken>();
        final WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        this._wssAuditService = auditService;
        this._wssAuditEventGenerator = WSSAuditEventGeneratorFactory.getInstance();
        // NOTE(review): _context is still null here (it is only populated from the
        // PropertyCallback in login()), so this "is the event required" decision is
        // taken without any message context. Confirm the audit service tolerates that.
        final WSSAuditService.WSSAuditEventType authnEvent = WSSAuditService.WSSAuditEventType.SECURITY_AUTHN;
        boolean authnEventsRequired = auditService.isEventRequired(authnEvent, WSSAuditService.WSSAuditOutcome.SUCCESS, this._context);
        if (!authnEventsRequired) {
            authnEventsRequired = auditService.isEventRequired(authnEvent, WSSAuditService.WSSAuditOutcome.DENIED, this._context);
        }
        this._isAuthnEventsRequired = authnEventsRequired;
        if (traceOn) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

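    /**
     * JAAS login: establishes the inbound Kerberos token for the element that is
     * currently being processed and records the outcome in {@code loginSucceeded}
     * and {@code _token}.
     * <p>
     * Dispatch on the processing element found in the PropertyCallback context:
     * <ul>
     *   <li>wsse/wsse11 BinarySecurityToken: the BST ValueType must equal the
     *       requested/configured value type; the AP_REQ is then decoded and
     *       validated by {@link #processBST}.</li>
     *   <li>DerivedKeyToken: the referenced base Kerberos token is resolved by
     *       {@link #verifyDKTokenElement} and its AP_REQ session key bytes are
     *       handed to later modules through the shared state.</li>
     *   <li>wsse/wsse11 SecurityTokenReference: the embedded KeyIdentifier
     *       (SHA-1 of a previously validated AP_REQ) is mapped to that token.</li>
     *   <li>anything else (KeyInfo processing): the token is resolved through the
     *       reference URI or key identifier recorded in the context, then the
     *       verification/decryption key is derived unless derived keys are required.</li>
     * </ul>
     * Fixes relative to the original: dead read of TOKEN_FORWARDABLE removed; a
     * null value type and a non-Kerberos token in the implied-derived-key path
     * now fail with a clear LoginException instead of an NPE/ClassCastException;
     * the BST ValueType mismatch message reports the value actually found;
     * mis-paired Tr.exit calls in debug output replaced by Tr.debug; exception
     * causes are preserved; and the KerberosTicket is no longer dumped to trace
     * (its toString() includes the session key on at least the reference JDK).
     *
     * @return {@code true} when a Kerberos token was established for this element
     * @throws LoginException when no callback handler is set, the value type is
     *         not a supported Kerberos AP_REQ type, or any processing step fails
     */
    public boolean login() throws LoginException {
        final boolean traceOn = tc.isEntryEnabled();
        if (traceOn) {
            Tr.entry(tc, "login()");
        }
        this.loginSucceeded = false;
        if (this._handler == null) {
            throw new LoginException("No callback handler is available.");
        }
        PropertyCallback propertyCallback = new PropertyCallback(null);
        KRBTokenConsumeCallback kRBTokenConsumeCallback = new KRBTokenConsumeCallback();
        try {
            this._handler.handle(new Callback[]{propertyCallback, kRBTokenConsumeCallback});
            this._context = propertyCallback.getProperties();
            this._securityTokenManager = (SecurityTokenManagerImpl) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            MessageContext messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            try {
                this.isServer = Axis2Util.isServiceProvider(messageContext);
                // The callback's value type wins; the consumer configuration is the fallback.
                QName valueType = kRBTokenConsumeCallback.getValueType();
                if (valueType == null) {
                    valueType = tokenConsumerConfig.getType();
                }
                if (valueType == null) {
                    throw new LoginException("No Kerberos token ValueType is available from the callback or the token consumer configuration.");
                }
                if (!isSupportedKerberosValueType(valueType)) {
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PrivateConsumerConfig.s30", new String[]{valueType.toString(), com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ1510_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ4120_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ1510_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ4120_TOKEN.toString() + newline}));
                }
                this._context.put(Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING, null);
                try {
                    OMElement oMElement = (OMElement) this._context.get("com.ibm.ws.wssecurity.constants.processingElement");
                    if (oMElement != null && isWsseElement(oMElement, "BinarySecurityToken")) {
                        // The BST's own ValueType must match what was requested; note that the
                        // attribute is compared without a namespace, as a bare local name.
                        QName qName = new QName("", DOMUtils.getAttribute(oMElement, com.ibm.ws.wssecurity.common.Constants.VALUETYPE_Q.getLocalPart()));
                        if (!qName.equals(valueType)) {
                            throw new LoginException("Encountered invalid BST with invalid ValueType: " + qName.getLocalPart() + " (expected: " + valueType.getLocalPart() + ")");
                        }
                        String str2 = (String) tokenConsumerConfig.getProperties().get(Constants.ATTACH_KERBEROS_AP_REQUIRED);
                        String str3 = (String) tokenConsumerConfig.getProperties().get(Constants.ATTACH_HASHKEY_SUPPORT_KRB_TOKEN_REQUIRED);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, Constants.ATTACH_KERBEROS_AP_REQUIRED + ": " + str2);
                            Tr.debug(tc, Constants.ATTACH_HASHKEY_SUPPORT_KRB_TOKEN_REQUIRED + ": " + str3);
                            Tr.debug(tc, "isUsedForDecryption? " + tokenConsumerConfig.isUsedForDecryption());
                            Tr.debug(tc, "isUsedForVerification? " + tokenConsumerConfig.isUsedForVerification());
                        }
                        // attachToContext == true: processBST keeps the validated AP_REQ on the message
                        // context only; false: it is cached under its SHA-1 identifier so that later
                        // messages can reference it through a KeyIdentifier.
                        boolean attachToContext;
                        if (tokenConsumerConfig.isUsedForVerification() || tokenConsumerConfig.isUsedForDecryption() || !this.isServer) {
                            attachToContext = "true".equalsIgnoreCase(str2);
                        } else {
                            attachToContext = !"true".equalsIgnoreCase(str3);
                        }
                        this.loginSucceeded = processBST(oMElement, null, kRBTokenConsumeCallback, qName, attachToContext, messageContext);
                    } else if (oMElement != null && oMElement.getLocalName().equals("DerivedKeyToken")) {
                        this.loginSucceeded = verifyDKTokenElement(oMElement, tokenConsumerConfig, valueType, messageContext);
                        if (this.loginSucceeded && (this._token instanceof KRB5TokenImpl)) {
                            // Expose the AP_REQ session key bytes to the derived-key module.
                            this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, ((KRB5TokenImpl) this._token).getAPREQKeyByte());
                            this._context.put(com.ibm.ws.wssecurity.common.Constants.MASTER_TOKEN, this._token);
                        }
                    } else if (oMElement == null || !isWsseElement(oMElement, "SecurityTokenReference")) {
                        // KeyInfo processing: the reference was already parsed into the context.
                        String keyInfoType = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
                        boolean isKeyInfoKeyid = false;
                        boolean isKeyInfoStrref = false;
                        if (keyInfoType != null) {
                            isKeyInfoKeyid = ConfigUtil.isKeyInfoKeyid(keyInfoType);
                            isKeyInfoStrref = ConfigUtil.isKeyInfoStrref(keyInfoType);
                        }
                        if (isKeyInfoStrref) {
                            this.loginSucceeded = mapRefUriToToken((String) this._context.get(Constants.WSSECURITY_KEY_REFERENCE));
                        } else if (isKeyInfoKeyid) {
                            this.loginSucceeded = mapKeyIdToToken((String) this._context.get(Constants.WSSECURITY_KEY_ID), (QName) this._context.get(Constants.WSSECURITY_KEY_ENCODING), (QName) this._context.get(Constants.WSSECURITY_KEY_VALUETYPE), messageContext);
                        }
                        if (this.loginSucceeded) {
                            DerivedKeyInfoConfig derivedKeyInfoConfig = ((KeyInfoContentConsumerConfig) this._context.get(KeyInfoContentConsumerConfig.CONFIG_KEY)).getDerivedKeyInfoConfig();
                            if (derivedKeyInfoConfig == null || !derivedKeyInfoConfig.isRequireDerivedKeys()) {
                                this.loginSucceeded = retrieveKey();
                            } else {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "DerivedKey is required.");
                                }
                                if (derivedKeyInfoConfig.isRequireImpliedDerivedKeys()) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "ImpliedDerivedKeys is used.");
                                    }
                                    if (!(this._token instanceof KRB5TokenImpl)) {
                                        throw new LoginException("The referenced token is not a Kerberos token; implied derived keys cannot be derived from it.");
                                    }
                                    this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, ((KRB5TokenImpl) this._token).getAPREQKeyByte());
                                    this._context.put(com.ibm.ws.wssecurity.common.Constants.MASTER_TOKEN, this._token);
                                }
                            }
                        }
                    } else {
                        // A wsse:SecurityTokenReference referring to an earlier AP_REQ by KeyIdentifier.
                        OMElement keyIdElement = DOMUtils.getChildElement(oMElement, oMElement.getNamespace().getNamespaceURI(), "KeyIdentifier");
                        if (keyIdElement != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Found KeyIdentifier element: " + keyIdElement);
                            }
                            Iterator allAttributes = keyIdElement.getAllAttributes();
                            if (allAttributes != null) {
                                QName encodingType = null;
                                QName keyValueType = null;
                                String keyId = null;
                                while (allAttributes.hasNext()) {
                                    OMAttribute attribute = (OMAttribute) allAttributes.next();
                                    String localName = attribute.getQName().getLocalPart();
                                    if (localName.equals(com.ibm.ws.wssecurity.common.Constants.ENCODINGTYPE_Q.getLocalPart())) {
                                        encodingType = new QName(attribute.getAttributeValue());
                                    }
                                    if (localName.equals(com.ibm.ws.wssecurity.common.Constants.VALUETYPE_Q.getLocalPart())) {
                                        keyValueType = new QName(attribute.getAttributeValue());
                                    }
                                    if (encodingType != null && keyValueType != null) {
                                        keyId = keyIdElement.getText();
                                        break;
                                    }
                                }
                                // mapKeyIdToToken rejects a missing EncodingType/ValueType itself.
                                this.loginSucceeded = mapKeyIdToToken(keyId, encodingType, keyValueType, messageContext);
                            }
                        }
                    }
                    if (tc.isDebugEnabled() && (this._token instanceof KRB5TokenImpl)) {
                        KRB5TokenImpl kRB5TokenImpl = (KRB5TokenImpl) this._token;
                        Tr.debug(tc, "Principal from request Kerberos token: " + kRB5TokenImpl.getClientPrincipal());
                        Tr.debug(tc, "Expired time for request TGT Kerberos token: " + kRB5TokenImpl.getTokenExpiration());
                        // Deliberately only the presence of the ticket is traced: KerberosTicket.toString()
                        // includes the session key bytes (hex) on the reference JDK, which must not land in logs.
                        Tr.debug(tc, "Kerberos ticket accessible in request Kerberos token: " + (kRB5TokenImpl.getKerberosTicket() != null));
                    }
                    if (this.loginSucceeded && (this._token instanceof KRB5TokenImpl)) {
                        TokenHolder.setInboundTokenToContext((KRB5TokenImpl) this._token, messageContext);
                        if (this._isAuthnEventsRequired) {
                            KRB5TokenImpl kRB5TokenImpl2 = (KRB5TokenImpl) this._token;
                            Map<String, Object> extendedAuditData = this._wssAuditEventGenerator.setExtendedAuditData(this._context, WSSAuditEventGenerator.TOKEN_ID, kRB5TokenImpl2.getId());
                            this._wssAuditEventGenerator.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.TOKEN_PRINCIPAL, kRB5TokenImpl2.getPrincipal());
                            this._wssAuditEventGenerator.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.EXPIRATION, Long.toString(kRB5TokenImpl2.getTokenExpiration()));
                        }
                    }
                    if (traceOn) {
                        Tr.exit(tc, "login()");
                    }
                    return this.loginSucceeded;
                } catch (Throwable th) {
                    Tr.error(tc, "security.wssecurity.KRBConsumeLoginModule.s02", th);
                    // NOTE(review): the stack trace is embedded in the exception message; confirm the
                    // fault-mapping layer does not echo this message to the remote client.
                    LoginException wrapped = new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBConsumeLoginModule.s02", new String[]{KRB5Util.stackToString(th)}));
                    wrapped.initCause(th);
                    throw wrapped;
                }
            } catch (Exception e) {
                // Keep the original message but preserve the cause chain for diagnostics.
                LoginException wrapped = new LoginException(e.getMessage());
                wrapped.initCause(e);
                throw wrapped;
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule", "%C", this);
            Tr.processException(e2, clsName + ".login", "%C", this);
            LoginException wrapped = new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBConsumeLoginModule.s02", new String[]{KRB5Util.stackToString(e2)}));
            wrapped.initCause(e2);
            throw wrapped;
        }
    }

    /** True when {@code valueType} is one of the six Kerberos AP_REQ / GSS AP_REQ token value types this module accepts. */
    private static boolean isSupportedKerberosValueType(QName valueType) {
        return valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ_TOKEN)
                || valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ1510_TOKEN)
                || valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ4120_TOKEN)
                || valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN)
                || valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ1510_TOKEN)
                || valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ4120_TOKEN);
    }

    /** True when {@code element} is in the wsse 1.0 or wsse 1.1 namespace and has the given local name. */
    private static boolean isWsseElement(OMElement element, String localName) {
        String ns = element.getNamespace().getNamespaceURI();
        boolean isWsse = ns.equals(com.ibm.ws.wssecurity.common.Constants.NS_WSSE) || ns.equals(com.ibm.ws.wssecurity.common.Constants.NS_WSSE11);
        return isWsse && element.getLocalName().equals(localName);
    }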

    /**
     * JAAS logout: this module keeps nothing that needs tearing down, so it
     * always reports {@code false} ("ignore this module").
     *
     * @return always {@code false}
     * @throws LoginException never; declared by the interface
     */
    public boolean logout() throws LoginException {
        final boolean traceOn = tc.isEntryEnabled();
        if (traceOn) {
            Tr.entry(tc, "logout()");
            Tr.exit(tc, "logout()");
        }
        return false;
    }

    /**
     * Resolves the base token referenced by a DerivedKeyToken element.
     * <p>
     * The element's wsse:SecurityTokenReference child is consulted first for a
     * wsse:Reference URI (a leading '#' is stripped before the lookup) and,
     * failing that, for a wsse:KeyIdentifier whose EncodingType/ValueType are
     * resolved against the WS-Security version recorded in the context. Both
     * the URI and the KeyIdentifier come from the inbound message; they only
     * succeed when they name a token already known to the token manager or the
     * token cache.
     *
     * @param oMElement            the DerivedKeyToken element
     * @param tokenConsumerConfig  not read here; kept for signature compatibility
     * @param qName                not read here; kept for signature compatibility
     * @param messageContext       Axis2 message context for context/cache lookups
     * @return whether a base token was located (it is then held in {@code _token})
     * @throws LoginException propagated from {@link #mapKeyIdToToken}
     */
    private boolean verifyDKTokenElement(OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, QName qName, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "consumeDKTokenElement(" + "\nOMElement target [" + DOMUtils.getDisplayName((OMNode) oMElement) + "], ");
        }
        int wssVersion = 0;
        Object versionValue = this._context.get(com.ibm.ws.wssecurity.common.Constants.WSS_VERSION);
        if (versionValue instanceof Integer) {
            wssVersion = ((Integer) versionValue).intValue();
        }
        OMElement strElement = DOMUtils.getChildElement(oMElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "SecurityTokenReference");
        OMElement referenceElement = (strElement == null) ? null : DOMUtils.getChildElement(strElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "Reference");
        String tokenId = null;
        if (referenceElement != null) {
            String uri = referenceElement.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.URI_Q);
            if (KRB5Util.hasValue(uri)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Reference Token URI in DerivedKeyToken element: " + uri);
                }
                tokenId = uri.startsWith("#") ? uri.substring(1) : uri;
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No Reference token URI is found.");
            }
        }
        if (tokenId != null) {
            return mapRefUriToToken(tokenId);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No token id is located via Reference-URI. Try KeyIdentifier...");
        }
        OMElement keyIdElement = (strElement == null) ? null : DOMUtils.getChildElement(strElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "KeyIdentifier");
        if (keyIdElement == null) {
            return false;
        }
        String encodingAttr = keyIdElement.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.ENCODINGTYPE_Q);
        String valueTypeAttr = keyIdElement.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.VALUETYPE_Q);
        QName encodingType = DOMUtils.getQName(keyIdElement, encodingAttr, wssVersion);
        QName keyValueType = DOMUtils.getQName(keyIdElement, valueTypeAttr, wssVersion);
        String keyId = DOMUtils.getStringValue(keyIdElement);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "\nFound EncodingType: " + encodingType + newline + "Found ValueType: " + keyValueType + newline + "Found KeyIdentifier value: " + keyId);
        }
        if (!KRB5Util.hasValue(keyId)) {
            return false;
        }
        return mapKeyIdToToken(keyId, encodingType, keyValueType, messageContext);
    }

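    /**
     * Turns the AP_REQ session key bytes of the located Kerberos token into the
     * JCE key the current KeyInfo needs and stores it on the token:
     * {@code setKey(63, ...)} for an HmacSHA1 verification key,
     * {@code setKey(64, ...)} for an AES or DESede decryption key.
     * Using the Kerberos session key directly as the WS-Security key is what the
     * Kerberos Token Profile prescribes; no further key derivation happens here.
     * <p>
     * Fixes relative to the original: a missing key-algorithm URI used to leave
     * the JCE algorithm name null and then dereference it (NPE) — it is now a
     * LoginException; a null/empty session key is rejected up front instead of
     * failing inside the key-spec constructors; and the generated key objects
     * are no longer concatenated into trace output (a provider's toString() may
     * reveal key bytes), only their algorithm name is traced.
     *
     * @return {@code true} when a key was set; {@code false} when the requested
     *         JCE algorithm is not one this module can serve (HmacSHA1 for
     *         verification, AES/DESede for decryption); {@code true} without
     *         setting a key when {@code _token} is not a Kerberos token (kept
     *         from the original — later modules then get no key from here)
     * @throws LoginException when no token is present, the key type in the
     *         context is neither verifying nor decrypting, the algorithm is
     *         missing, or the token carries no session key
     * @throws InvalidKeyException, NoSuchProviderException, InvalidKeySpecException, NoSuchAlgorithmException
     *         propagated from the IBMJCE SecretKeyFactory
     */
    private boolean retrieveKey() throws LoginException, InvalidKeyException, NoSuchProviderException, InvalidKeySpecException, NoSuchAlgorithmException {
        final boolean traceOn = tc.isEntryEnabled();
        if (traceOn) {
            Tr.entry(tc, "retrieveKey()");
        }
        if (this._token == null) {
            throw new LoginException(newline + ConfigUtil.getMessage("Cannot find a kerberos token to generate required key."));
        }
        if (!(this._token instanceof KRB5TokenImpl)) {
            if (traceOn) {
                Tr.exit(tc, "retrieveKey()");
            }
            return true;
        }
        KRB5TokenImpl krbToken = (KRB5TokenImpl) this._token;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found kerberos token of token id: " + krbToken.getId());
        }
        byte[] sessionKey = krbToken.getAPREQKeyByte();
        int keyLength = (sessionKey == null) ? 0 : sessionKey.length;
        if (tc.isDebugEnabled()) {
            // Length only — never the key bytes.
            Tr.debug(tc, "Kerberos key length is " + keyLength + ", from token with id: " + krbToken.getId());
        }
        if (keyLength == 0) {
            throw new LoginException("Kerberos token with id " + krbToken.getId() + " carries no AP_REQ session key; cannot build the required key.");
        }
        String keyType = (String) this._context.get(Constants.WSSECURITY_KEY_TYPE);
        boolean verifying = keyType != null && WSSKeyInfoComponent.KEY_VERIFYING.equals(keyType);
        boolean decrypting = keyType != null && WSSKeyInfoComponent.KEY_DECRYPTING.equals(keyType);
        if (tc.isDebugEnabled()) {
            if (verifying) {
                Tr.debug(tc, "Verifying key type");
            } else if (decrypting) {
                Tr.debug(tc, "Decrypting key type");
            }
        }
        if (!verifying && !decrypting) {
            throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.getKey02", new String[]{keyType}));
        }
        String algorithmUri = (String) this._context.get(com.ibm.ws.wssecurity.common.Constants.KEY_ALGORITHM);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "keyalgoURI: " + algorithmUri);
        }
        if (algorithmUri == null) {
            throw new LoginException("Missing Algorithm info in the config");
        }
        String jceAlgorithm = DKTGenerateLoginModule.mapKeyAlgorithm2JCE(algorithmUri, verifying, decrypting, false, false);
        if (jceAlgorithm == null) {
            throw new LoginException("Missing Algorithm info in the config");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isVerifying: " + verifying);
            Tr.debug(tc, "isDecrypting: " + decrypting);
            Tr.debug(tc, "keyalgo: " + jceAlgorithm);
            // The original traced a 16-byte minimum but never enforced it; DES-family
            // Kerberos etypes yield 8-byte session keys, so it is still not enforced here.
            if (keyLength < 16) {
                Tr.debug(tc, "Kerberos session key is shorter than 16 bytes (" + keyLength + ")");
            }
        }
        boolean keySet = false;
        if (verifying) {
            if ("HmacSHA1".equals(jceAlgorithm)) {
                SecretKeySpec hmacKey = new SecretKeySpec(sessionKey, "HmacSHA1");
                krbToken.setKey(63, hmacKey);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SecurityToken.VERIFYING_KEY algorithm: " + hmacKey.getAlgorithm());
                }
                keySet = true;
            } else {
                keySet = false;
            }
        }
        if (decrypting) {
            if ("AES".equals(jceAlgorithm)) {
                SecretKey aesKey = SecretKeyFactory.getInstance("AES", "IBMJCE").generateSecret(new AESKeySpec(sessionKey));
                krbToken.setKey(64, aesKey);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SecurityToken.DECRYPTING_KEY algorithm: " + aesKey.getAlgorithm());
                }
                keySet = true;
            } else if ("DESede".equals(jceAlgorithm)) {
                // DESedeKeySpec requires at least 24 key bytes; a shorter session key fails here with InvalidKeyException.
                SecretKey desKey = SecretKeyFactory.getInstance("DESede", "IBMJCE").generateSecret(new DESedeKeySpec(sessionKey));
                krbToken.setKey(64, desKey);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SecurityToken.DECRYPTING_KEY algorithm: " + desKey.getAlgorithm());
                }
                keySet = true;
            } else {
                keySet = false;
            }
        }
        if (traceOn) {
            Tr.exit(tc, "retrieveKey()");
        }
        return keySet;
    }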

    /**
     * Looks up a token by its wsu:Id-style identifier in the SecurityTokenManager
     * and, when found, makes it the current {@code _token}.
     *
     * @param str the token identifier taken from the message (without a leading '#')
     * @return {@code true} when the token manager knows the identifier
     */
    private boolean mapRefUriToToken(String str) {
        final boolean traceOn = tc.isEntryEnabled();
        final boolean debugOn = tc.isDebugEnabled();
        if (traceOn) {
            Tr.entry(tc, "mapRefUriToToken()");
        }
        if (debugOn) {
            Tr.debug(tc, "Token identifier is [" + str + "]");
        }
        TokenConsumerConfig consumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
        SecurityToken located = this._securityTokenManager.getToken(consumerConfig, str);
        boolean found = located != null;
        if (found) {
            if (debugOn) {
                Tr.debug(tc, "There is the token [" + str + "] stored in the Subject.");
                Tr.debug(tc, "Token instance: " + located + " and hashcode: " + located.hashCode());
            }
            this._token = located;
        } else if (debugOn) {
            Tr.debug(tc, "WARNING: SecurityToken whose identifier is \"" + str + "\" was not found in the Subject.");
        }
        if (traceOn) {
            Tr.exit(tc, "mapRefUriToToken()");
        }
        return found;
    }

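    /**
     * Maps a KeyIdentifier (base64, ValueType Kerberosv5APREQSHA1) to a Kerberos
     * token that was validated earlier: first the SecurityTokenManager, then the
     * token held on the message context, then the shared token cache (polled for
     * up to 20 x 10 ms to absorb a cache-population race). A cached token is only
     * accepted while its service ticket has not expired.
     * <p>
     * The identifier is attacker-supplied: success means only that an AP_REQ
     * with that SHA-1 was validated before — possession of the matching session
     * key is still what the later signature/decryption step checks.
     * <p>
     * Fixes relative to the original: an InterruptedException during the cache
     * poll is re-asserted instead of swallowed, a missing identifier fails early
     * with a clear message, and an expired cached ticket is reported as expired
     * rather than as "failed to locate".
     *
     * @param str             the KeyIdentifier text (SHA-1 of the AP_REQ, base64)
     * @param qName           the EncodingType; must be base64Binary
     * @param qName2          the ValueType; must be KRB5_APREQ_SHA1
     * @param messageContext  Axis2 message context holding the inbound token, if any
     * @return {@code true} when a token was resolved and stored in {@code _token}
     * @throws LoginException on an unexpected encoding/value type, a missing
     *         identifier, an expired cached ticket (fault code
     *         InvalidSecurityToken) or no token at all (SecurityTokenUnavailable)
     */
    private boolean mapKeyIdToToken(String str, QName qName, QName qName2, MessageContext messageContext) throws LoginException {
        final boolean traceOn = tc.isEntryEnabled();
        if (traceOn) {
            Tr.entry(tc, "mapKeyIdToToken() for token id: " + str + "...encoding type: " + qName + "...value type:" + qName2);
        }
        if (qName == null || !qName.equals(com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY)) {
            throw new LoginException(getClass().getName() + "Unexpected Encoding type : " + qName + " for key id: " + str);
        }
        if (qName2 == null || !qName2.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_APREQ_SHA1)) {
            throw new LoginException(getClass().getName() + "Unexpected Value type : " + qName2 + " for key id: " + str);
        }
        if (!KRB5Util.hasValue(str)) {
            throw new LoginException(getClass().getName() + "Missing KeyIdentifier value for value type: " + qName2);
        }
        TokenConsumerConfig consumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
        this._token = this._securityTokenManager.getToken(consumerConfig, str);
        if (this._token != null) {
            if (traceOn) {
                Tr.exit(tc, "Found token from SecurityTokenManager");
            }
            return true;
        }
        TGSAuthToken krbToken = TokenHolder.getKerberosTokenFromContext(messageContext);
        if (krbToken == null) {
            krbToken = pollTokenCache(str);
        }
        if (krbToken == null) {
            Axis2Util.setFaultCode(this._context, SoapSecurityFaultCode.SecurityTokenUnavailable);
            throw new LoginException(getClass().getName() + "Failed to locate token of: " + qName2 + " for key id: " + str);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Service token expiration time: " + krbToken.getServiceTicketExpirationTime());
        }
        // Only the expiration time is checked here (no ticket object is passed).
        if (!KRB5TokenCacheUtil.isTicketValid((KerberosTicket) null, krbToken.getServiceTicketExpirationTime())) {
            Axis2Util.setFaultCode(this._context, SoapSecurityFaultCode.InvalidSecurityToken);
            throw new LoginException(getClass().getName() + "Service ticket has expired for token of: " + qName2 + " for key id: " + str);
        }
        KRB5TokenImpl tokenImpl = KRBGenerateLoginModule.createKrbTokenImpl(krbToken);
        tokenImpl.setId(str);
        tokenImpl.setIdentifier(tokenImpl.getSHA1ofAPREQ());
        this._token = tokenImpl;
        updateSharedState();
        if (traceOn) {
            Tr.exit(tc, "mapKeyIdToToken()");
        }
        return true;
    }

    /**
     * Fetches a cached TGSAuthToken by identifier, retrying up to 20 times with
     * a 10 ms pause when it is not yet there. An interrupt stops the wait and is
     * re-asserted on the thread.
     *
     * @param keyId the cache key (SHA-1 of the AP_REQ)
     * @return the cached token, or {@code null} when none appeared in time
     */
    private static TGSAuthToken pollTokenCache(String keyId) {
        TGSAuthToken cached = (TGSAuthToken) CacheableTokenCacheFactory.getInstance().getToken(keyId);
        for (int attempt = 0; cached == null && attempt < 20; attempt++) {
            try {
                Thread.sleep(10L);
            } catch (InterruptedException ie) {
                Thread.currentThread().interrupt();
                break;
            }
            cached = (TGSAuthToken) CacheableTokenCacheFactory.getInstance().getToken(keyId);
        }
        return cached;
    }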

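    /**
     * Consumes an inbound Kerberos {@code BinarySecurityToken} element.
     *
     * <p>The element's text is Base64-decoded to the raw AP_REQ, validated through
     * {@link #validate(byte[], QName)}, and the resulting {@code TGSAuthToken} is either
     * placed on the message context (when {@code z} is {@code true}) or handed to the
     * token cache keyed by its SHA-1 identifier. A {@code KRB5TokenImpl} wrapping the
     * validated token becomes this module's token and the shared state is updated.
     *
     * @param oMElement the BST element carrying the Base64-encoded AP_REQ
     * @param kRB5TokenImpl not read by this method; kept for signature compatibility
     * @param kRBTokenConsumeCallback not read by this method; kept for signature compatibility
     * @param qName token value type, passed through to {@link #validate(byte[], QName)}
     * @param z {@code true} to publish the token on {@code messageContext}, {@code false} to cache it
     * @param messageContext Axis2 message context used when {@code z} is {@code true}
     * @return always {@code true}; failures are reported by exception
     * @throws LoginException if the decoded token is absent or empty, or validation yields no token
     */
    private boolean processBST(OMElement oMElement, KRB5TokenImpl kRB5TokenImpl, KRBTokenConsumeCallback kRBTokenConsumeCallback, QName qName, boolean z, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processBST()");
        }
        String str = null;
        QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
        }
        if (idAttributeName != null) {
            str = oMElement.getAttributeValue(idAttributeName);
        }
        byte[] decode = Base64.decode(DOMUtils.getStringValue(oMElement));
        // Check for a null/empty result before the trace block below dereferences the array;
        // previously a null decode with tracing enabled failed with an NPE instead of a LoginException.
        if (decode == null || decode.length == 0) {
            throw new LoginException("Unexpected empty token bytes received");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Processing inbound AP_REQ token:\n\n" + new HexDumpEncoder().encodeBuffer(decode) + "\n\n");
            Tr.debug(tc, "in_token length= " + decode.length);
        }
        TGSAuthToken validate = validate(decode, qName);
        if (validate == null) {
            throw new LoginException("Failed to validate and consume the Kerberos token. No service security token is established for the service.");
        }
        validate.setIdentifier(validate.getSHA1ofAPREQ());
        // Service ticket expiration (ms since epoch); presumably used by the cache as the entry's expiry.
        long time = validate.getServiceTicketExpirationTime().getTime();
        if (z) {
            TokenHolder.setInboundKerberosTokenToContext(validate, messageContext);
        } else {
            CacheableTokenCacheFactory.getInstance().cacheToken(validate.getIdentifier(), validate, time);
        }
        KRB5TokenImpl createKrbTokenImpl = KRBGenerateLoginModule.createKrbTokenImpl(validate);
        createKrbTokenImpl.setId(str);
        createKrbTokenImpl.setXML(new OMStructure(oMElement));
        createKrbTokenImpl.setBinary(decode);
        createKrbTokenImpl.setIdentifier(createKrbTokenImpl.getSHA1ofAPREQ());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Completing the establishment of token: " + createKrbTokenImpl + " for <" + createKrbTokenImpl.getPrincipal() + "> with hashcode: " + createKrbTokenImpl.hashCode());
        }
        this._token = createKrbTokenImpl;
        updateSharedState();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processBST()");
        }
        return true;
    }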

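    /**
     * Validates raw AP_REQ bytes with the {@code KerberosTokenConsumer} and wraps the
     * consumer's output in a {@code TGSAuthToken}.
     *
     * <p>The consumer's output map is inspected for an authenticator sub-key first and,
     * failing that, the ticket session key; whichever is present must have a supported
     * encryption type. A token is returned only when key bytes are present, the client
     * name is present and a principal name could be stripped out of it. Any throwable
     * raised while consuming the token sets the {@code InvalidSecurityToken} fault code
     * on the context, is logged, and makes this method return {@code null} (fail closed).
     *
     * @param bArr the decoded AP_REQ bytes
     * @param qName token value type, stored in the resulting {@code TGSAuthToken}
     * @return the established token, or {@code null} if validation failed for any reason
     */
    private TGSAuthToken validate(byte[] bArr, QName qName) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate()");
        }
        TGSAuthToken tGSAuthToken = null;
        boolean z = false;
        try {
            // Result is discarded; kept as-is because a missing handler fails here and is
            // caught below. Possibly a decompilation artifact of an unused local.
            ((TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY)).getCallbackHandler().getProperties();
            HashMap hashMap = new HashMap();
            hashMap.put(KerberosTokenConfig.DECODED_TOKEN, bArr);
            KerberosTokenConsumer kerberosTokenConsumer = new KerberosTokenConsumer();
            kerberosTokenConsumer.init(hashMap);
            HashMap hashMap2 = new HashMap();
            kerberosTokenConsumer.invoke(hashMap2);
            // Prefer the sub-key; fall back to the session key when no sub-key bytes are present.
            byte[] bArr2 = (byte[]) hashMap2.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
            Object obj = hashMap2.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES_TYPE);
            Object obj2 = hashMap2.get(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC);
            Object obj3 = hashMap2.get(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC_TYPE);
            if (!KRB5Util.hasValue(bArr2)) {
                bArr2 = (byte[]) hashMap2.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
                obj = hashMap2.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES_TYPE);
                Object obj4 = hashMap2.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC);
                obj3 = hashMap2.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC_TYPE);
                if (KRB5Util.hasValue(bArr2) && !KRB5Util.isSessKeyEncTypeSupported((Integer) obj4)) {
                    throw new LoginException("\nUnsupported Kerberos session key encryption type...Please verify Kerberos configuration.");
                }
            } else if (!KRB5Util.isSubKeyEncTypeSupported((Integer) obj2)) {
                throw new LoginException("\nUnsupported Kerberos sub key encryption type...Please verify Kerberos configuration.");
            }
            if (tc.isDebugEnabled()) {
                if (bArr2 != null) {
                    // Trace only key metadata: bArr2 is the Kerberos session/sub key and
                    // secret key material must not be written to trace files.
                    Tr.debug(tc, "Key of type: " + obj + " with encryption type: " + obj3 + " from token, length " + bArr2.length + " bytes");
                } else {
                    Tr.debug(tc, "Server subkey or sessoin key is null ...\r\n");
                }
            }
            if (bArr2 != null && bArr2.length != 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Request token processed OK");
                }
                String str = (String) hashMap2.get(KerberosTokenConfig.CLIENT_NAME);
                if (str != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "getAuthenticatedUsername: WebSphere Security principal = " + str);
                    }
                    // z stays false if no principal can be extracted; the token built below
                    // is then discarded after the try block.
                    String stripOutPrincipalName = KRB5Util.stripOutPrincipalName(str);
                    if (stripOutPrincipalName != null) {
                        z = true;
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Kerberos client principal: " + stripOutPrincipalName);
                        }
                    }
                    tGSAuthToken = new TGSAuthToken(hashMap2, null, null, qName, KRB5TokenCacheUtil.getSha1FromBytes(bArr));
                } else {
                    z = false;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "User principal is not available.");
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Request token processed Not OK");
            }
        } catch (Throwable th) {
            // Fail closed on anything (GSS errors, unsupported enc types, config problems):
            // record the fault code, log, and reject the token. The former separate
            // GSSException handler did exactly this, so the two are merged.
            this._context.put(SCAndTrustConstants.SC_FAULT_CODE, SoapSecurityFaultCode.InvalidSecurityToken);
            FFDCFilter.processException(th, KRBConsumeLoginModule.class.getName(), "1");
            Tr.processException(th, clsName + ".login", "%C", this);
            Tr.error(tc, "security.wssecurity.KRBConsumeLoginModule.s02", KRB5Util.stackToString(th));
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Please verify the Kerberos configuration.");
            }
            z = false;
        }
        if (!z) {
            tGSAuthToken = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate()");
        }
        return tGSAuthToken;
    }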

    /**
     * Publishes the current token's principal to the login module's shared state
     * under {@code Constants.WSSECURITY_DN}.
     *
     * <p>Does nothing when no token is set or the token has no principal.
     */
    private void updateSharedState() {
        if (this._token == null) {
            return;
        }
        final String principal = this._token.getPrincipal();
        if (principal == null) {
            return;
        }
        this._sharedState.put(Constants.WSSECURITY_DN, principal);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Kerberos client principal: " + principal);
        }
    }
}
