package com.ibm.ws.security.token.krb5;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.krb5.Krb5Common;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

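/**
 * Static helpers for building SPNEGO ("Negotiate") HTTP authorization tokens from
 * JGSS Kerberos credentials, plus small argument checks and error helpers shared
 * by the Kerberos token code. All methods are static; the class holds no state
 * beyond its trace component.
 *
 * Security notes for callers:
 * - The SPNEGO context built here disables mutual authentication, so the token
 *   authenticates the caller to the service but does NOT authenticate the service.
 * - Credential delegation, when requested, forwards the caller's Kerberos
 *   credentials to the target service; only request it for trusted services.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class Krb5Helper {
    /** NLS bundle used for both trace registration and formatted error messages. */
    private static final String MESSAGE_BUNDLE = "com.ibm.ws.security.token.internal.resources.TokenMessages";
    private static final TraceComponent tc = Tr.register(Krb5Helper.class, "Token", MESSAGE_BUNDLE);
    public static final String KEY_KERBEROS_EXT_SERVICE = "KerberosExtService";
    static final long serialVersionUID = -5325513778084427205L;

    /** Scheme prefix of an HTTP Negotiate Authorization header value. */
    private static final String NEGOTIATE_PREFIX = "Negotiate ";

    /**
     * Builds a {@code "Negotiate <base64 token>"} Authorization header value for the
     * target service {@code str}, running under {@code doPrivileged}.
     *
     * The initiator credential comes from {@code subject} when one is given; when
     * {@code subject} is null, a Kerberos credential for the default principal of the
     * current Kerberos configuration is created instead (see {@link #getGSSCred}).
     *
     * @param str     target service principal name, in {@link GSSName#NT_USER_NAME} form
     * @param subject subject carrying a GSSCredential, or null for the default credential
     * @param i       lifetime passed to JGSS for the SPNEGO credential and the context
     * @param z       whether to request credential delegation to the target service
     * @return the Authorization header value
     * @throws GSSException              if credential lookup or context initiation fails
     * @throws PrivilegedActionException if the privileged action fails with a checked
     *                                   exception that does not unwrap to a GSSException
     */
    public static String buildSpnegoAuthorizationFromSubjectCommon(final String str, final Subject subject, final int i, final boolean z) throws GSSException, PrivilegedActionException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws GSSException, PrivilegedActionException {
                    GSSCredential credential = getGSSCred(subject, null, Krb5Common.SPNEGO_MECH_OID, GSSCredential.INITIATE_ONLY, i, i);
                    return buildSpnegoAuthorization(credential, str, i, z);
                }
            });
        } catch (PrivilegedActionException e) {
            // NOTE(review): the Subject is handed to FFDC as an argument; Subject.toString()
            // can include credential material, so confirm FFDC redacts it before relying on this.
            FFDCFilter.processException(e, "com.ibm.ws.security.token.krb5.Krb5Helper", "63", (Object) null, new Object[]{str, subject, Integer.valueOf(i), Boolean.valueOf(z)});
            // Surface the underlying GSSException to callers that catch it; anything else
            // stays wrapped in the PrivilegedActionException.
            Throwable rootCause = getGeneralCause(e);
            if (rootCause instanceof GSSException) {
                throw (GSSException) rootCause;
            }
            throw e;
        }
    }

    /**
     * Initiates a single-leg SPNEGO context against {@code str} with the given
     * credential and encodes the resulting token as an Authorization header value.
     *
     * @param gSSCredential initiator credential (must already carry the SPNEGO mechanism)
     * @param str           target service principal name
     * @param i             context lifetime passed to JGSS
     * @param z             whether to request credential delegation
     * @return {@code "Negotiate <base64 token>"}
     * @throws GSSException if the context cannot be created or initiated
     */
    public static String buildSpnegoAuthorization(GSSCredential gSSCredential, String str, int i, boolean z) throws GSSException {
        GSSContext context = createSpnegoGSSContext(gSSCredential, str, i, z);
        try {
            // First leg of the exchange: an empty input token produces the initial SPNEGO token.
            byte[] token = context.initSecContext(new byte[0], 0, 0);
            return NEGOTIATE_PREFIX + Base64Coder.encode(token);
        } finally {
            // Release JGSS/native context state even when initSecContext throws.
            context.dispose();
        }
    }

    /**
     * Creates an initiator-side SPNEGO context for the target service {@code str}.
     *
     * The context is configured for a one-shot HTTP token: mutual authentication is
     * switched off (the service is not authenticated by this exchange) and credential
     * delegation is requested only when {@code z} is true.
     *
     * @param gSSCredential initiator credential
     * @param str           target service principal name, canonicalized for SPNEGO
     * @param i             context lifetime passed to JGSS
     * @param z             whether to request credential delegation
     * @return the configured, not yet initiated context
     * @throws GSSException if name canonicalization or context creation fails
     */
    public static GSSContext createSpnegoGSSContext(GSSCredential gSSCredential, String str, int i, boolean z) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName target = manager.createName(str, GSSName.NT_USER_NAME).canonicalize(Krb5Common.SPNEGO_MECH_OID);
        GSSContext context = manager.createContext(target, Krb5Common.SPNEGO_MECH_OID, gSSCredential, i);
        // No mutual authentication: the peer service is NOT verified by this token exchange.
        context.requestMutualAuth(false);
        // Delegation forwards the caller's Kerberos credentials to the target; only enable
        // it for services trusted to act on the caller's behalf.
        context.requestCredDeleg(z);
        return context;
    }

    /**
     * Obtains an initiator credential and ensures it carries mechanism {@code oid}.
     *
     * @param subject subject holding a GSSCredential; when null, a Kerberos credential is
     *                created for {@code str} (or the default principal when {@code str} is null)
     * @param str     principal name used only when {@code subject} is null
     * @param oid     mechanism to add to the credential; null means add nothing
     * @param i       credential usage passed to {@link GSSCredential#add}
     * @param i2      initiator lifetime passed to {@link GSSCredential#add}
     * @param i3      acceptor lifetime passed to {@link GSSCredential#add}
     * @return the credential, with {@code oid} added when it was missing
     * @throws GSSException if no credential is available or the mechanism cannot be added
     */
    public static GSSCredential getGSSCred(Subject subject, String str, Oid oid, int i, int i2, int i3) throws GSSException {
        GSSCredential credential;
        if (subject != null) {
            credential = SubjectHelper.getGSSCredentialFromSubject(subject);
        } else {
            credential = createKrbMechGSSCred(str);
        }
        addSpnegoMechGSSCred(credential, oid, i, i2, i3);
        return credential;
    }

    /**
     * Adds mechanism {@code oid} to {@code gSSCredential} unless it is already present.
     *
     * @param gSSCredential credential to extend; must not be null
     * @param oid           mechanism to add; null is a no-op
     * @param i             credential usage
     * @param i2            initiator lifetime
     * @param i3            acceptor lifetime
     * @throws GSSException {@link GSSException#NO_CRED} when the credential is null, or
     *                      whatever {@link GSSCredential#add} raises
     */
    public static void addSpnegoMechGSSCred(GSSCredential gSSCredential, Oid oid, int i, int i2, int i3) throws GSSException {
        if (gSSCredential == null) {
            throw new GSSException(GSSException.NO_CRED);
        }
        if (oid == null || oid.containedIn(gSSCredential.getMechs())) {
            return; // nothing requested, or the mechanism is already part of the credential
        }
        gSSCredential.add(gSSCredential.getName(), i2, i3, oid, i);
    }

    /**
     * Creates an initiate-only Kerberos (KRB5 mechanism) credential with indefinite
     * lifetime for principal {@code str}, or for the default principal of the current
     * Kerberos configuration when {@code str} is null.
     *
     * @param str principal name in {@link GSSName#NT_USER_NAME} form, or null
     * @return the Kerberos credential
     * @throws GSSException if the name or credential cannot be created
     */
    private static GSSCredential createKrbMechGSSCred(String str) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName principal = null;
        if (str != null) {
            principal = manager.createName(str, GSSName.NT_USER_NAME, Krb5Common.KRB5_MECH_OID);
        }
        // A null name selects the default principal of the JGSS/Kerberos configuration.
        return manager.createCredential(principal, GSSCredential.INDEFINITE_LIFETIME, Krb5Common.KRB5_MECH_OID, GSSCredential.INITIATE_ONLY);
    }

    /**
     * Sets system property {@code str} to {@code str2} (case-insensitive comparison)
     * unless it already has that value, under {@code doPrivileged}.
     *
     * This is a JVM-wide side effect: properties such as
     * {@code javax.security.auth.useSubjectCredsOnly} change JGSS behavior for every
     * caller in the process, not just this module.
     *
     * @param str  property name
     * @param str2 desired value
     * @return the previous value of the property, or null if it was unset
     */
    public static String setPropertyAsNeeded(final String str, final String str2) {
        String previous = AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                String current = System.getProperty(str);
                if (current == null || !current.equalsIgnoreCase(str2)) {
                    System.setProperty(str, str2);
                }
                return current;
            }
        });
        if (tc.isDebugEnabled()) {
            // Name the property explicitly; the message is not specific to useSubjectCredsOnly.
            Tr.debug(tc, "Property " + str + " previous: " + (previous != null ? previous : "<null>") + " and now: " + str2, new Object[0]);
        }
        return previous;
    }

    /**
     * Logs CWWKS4003E and throws {@link GSSException#UNAVAILABLE} because the
     * constrained-delegation OSGi service ({@link #KEY_KERBEROS_EXT_SERVICE}) is absent.
     *
     * @throws GSSException always
     */
    public static void serviceNotAvailableException() throws GSSException {
        Tr.error(tc, "KRB_OSGI_SERVICE_ERROR", new Object[0]);
        String message = TraceNLS.getFormattedMessage(Krb5Helper.class, MESSAGE_BUNDLE, "KRB_OSGI_SERVICE_ERROR", new Object[]{KEY_KERBEROS_EXT_SERVICE}, "CWWKS4003E: The constrained delegation OSGi service {0} is not available.");
        // Minor code 16 retained from the original implementation.
        throw new GSSException(GSSException.UNAVAILABLE, 16, message);
    }

    /**
     * Logs CWWKS4002E and throws {@link GSSException#UNAVAILABLE} when the runtime does
     * not support the constrained-delegation (S4U2self/S4U2proxy) API.
     *
     * @param z true when the API is supported; the method then returns without effect
     * @throws GSSException when {@code z} is false
     */
    public static void unsuportJdkErrorMsg(boolean z) throws GSSException {
        if (z) {
            return;
        }
        Tr.error(tc, "KRB_S4U2PROXY_NOT_SUPPORTED", new Object[0]);
        String message = TraceNLS.getFormattedMessage(Krb5Helper.class, MESSAGE_BUNDLE, "KRB_S4U2PROXY_NOT_SUPPORTED", (Object[]) null, "CWWKS4002E: The constrained delegation (S4U2self and S4U2proxy) API requires a minimum Java runtime environment version of JavaSE 1.8.");
        // Minor code 16 retained from the original implementation.
        throw new GSSException(GSSException.UNAVAILABLE, 16, message);
    }

    /**
     * Rejects a null or empty password. Only presence is checked here; the value is
     * never traced. (The password arrives as an immutable String, so it cannot be
     * zeroed after use — a limitation of the public signature.)
     *
     * @param str password to check
     * @throws GSSException {@link GSSException#NO_CRED} when the password is null or empty
     */
    public static void checkPassword(@Sensitive String str) throws GSSException {
        if (str == null || str.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Empty password supplied", new Object[0]);
            }
            throw new GSSException(GSSException.NO_CRED);
        }
    }

    /**
     * Unwraps nested {@link PrivilegedActionException}s down to the first cause that is
     * not itself a PrivilegedActionException.
     *
     * @param privilegedActionException exception to unwrap; may be null
     * @return the first non-PrivilegedActionException cause; the argument itself when it
     *         has no cause or only PrivilegedActionException causes; null for a null argument
     */
    public static Throwable getGeneralCause(PrivilegedActionException privilegedActionException) {
        if (privilegedActionException == null) {
            return null;
        }
        Throwable cause = privilegedActionException.getCause();
        if (cause == null) {
            return privilegedActionException;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Deciphering a PrivilegedActionException [" + cause.getClass().getName() + "]", new Object[0]);
        }
        while (cause instanceof PrivilegedActionException) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unravelling", new Object[0]);
            }
            cause = cause.getCause();
        }
        if (cause == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Only PrivilegedActionException in stack.  Returning original exception.", new Object[0]);
            }
            return privilegedActionException;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Unravelled to a " + cause.getClass().getName(), new Object[0]);
        }
        return cause;
    }

    /**
     * Rejects a service principal name that is null, empty, or lacks the
     * {@code service/host} separator.
     *
     * @param str service principal name
     * @throws GSSException {@link GSSException#BAD_NAME} when the name is missing or malformed
     */
    public static void checkSpn(String str) throws GSSException {
        if (str == null || str.isEmpty() || !str.contains("/")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Empty or invalid format servicePrincipalName supplied", new Object[0]);
            }
            throw new GSSException(GSSException.BAD_NAME);
        }
    }

    /**
     * Rejects a null or empty user principal name.
     *
     * @param str user principal name
     * @throws GSSException {@link GSSException#BAD_NAME} when the name is null or empty
     */
    public static void checkUpn(String str) throws GSSException {
        if (str == null || str.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Empty UserPrincipalName supplied", new Object[0]);
            }
            throw new GSSException(GSSException.BAD_NAME);
        }
    }
}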
