package com.ibm.ws.collective.member.internal.security;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.collective.member.internal.TraceConstants;
import com.ibm.ws.collective.security.CollectiveDNUtil;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.collective.CollectiveAuthenticationPlugin;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;

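/**
 * Member-side {@link CollectiveAuthenticationPlugin}: decides whether a presented
 * X.509 chain is a collective certificate chain and, if so, accepts it.
 *
 * <p>Classification is purely structural: the chain must hold exactly two
 * certificates (leaf at index 0, root at index 1), the leaf subject DN must pass
 * {@link CollectiveDNUtil#validateCollectiveDNSyntax}, and the leaf issuer DN,
 * root subject DN and root issuer DN must each pass
 * {@link CollectiveDNUtil#validateCollectiveRootDNSyntax}. Nothing in this class
 * checks signatures, validity periods, issuer/subject linkage or trust anchors;
 * presumably the TLS layer has already validated the chain against the trust
 * store before this plugin sees it — confirm before relying on it as the only gate.
 *
 * <p>Both entry points tolerate a {@code null} or wrong-length chain: the query
 * method answers {@code false}, the authentication method throws
 * {@link AuthenticationException}. Stateless, so safe to share between threads.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {CollectiveAuthenticationPlugin.class}, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM", "service.ranking:Integer=0"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.collective.member_1.1.9.jar:com/ibm/ws/collective/member/internal/security/MemberCollectiveAuthenticationPlugin.class */
public class MemberCollectiveAuthenticationPlugin implements CollectiveAuthenticationPlugin {
    private static final TraceComponent tc = Tr.register(MemberCollectiveAuthenticationPlugin.class);
    // Retained from the original class; whether the plugin interface is Serializable is not visible here.
    static final long serialVersionUID = -7006936304257985659L;

    /** A collective chain carries exactly the leaf certificate and its root. */
    private static final int COLLECTIVE_CHAIN_LENGTH = 2;

    /** NLS key and English fallback shared by every rejection raised here. */
    private static final String REJECT_CERT_KEY = "MEMBER_SECURITY_REJECT_CERT";
    private static final String REJECT_CERT_DEFAULT =
            "CWWKX8131E: The presented certificate is not a collective certificate. Authentication is denied for DN: {0}";

    /** Placeholder DN used in trace and error text when no leaf certificate is available. */
    private static final String ZERO_LENGTH_CHAIN = "Zero-length certificate chain";
    private static final String NULL_CHAIN = "Null certificate chain";

    @Activate
    protected void activate() {
        // No state to set up; the DS lifecycle hook is kept so the component can be wired.
    }

    @Deactivate
    protected void deactivate() {
        // Nothing to release.
    }

    /**
     * Reports whether {@code x509CertificateArr} has the shape and DN syntax of a
     * collective certificate chain. Never throws for a malformed chain: a
     * {@code null} chain, a chain of the wrong length, or a DN that fails the
     * syntax checks all yield {@code false} (with an event-level trace).
     *
     * @param x509CertificateArr chain as presented by the peer, leaf first; may be {@code null}
     * @return {@code true} only when the chain is two certificates long and all four DNs validate
     */
    @Override
    @FFDCIgnore({InvalidNameException.class})
    public boolean isCollectiveCertificateChain(X509Certificate[] x509CertificateArr) {
        if (!hasCollectiveShape(x509CertificateArr)) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The certificate chain is not length 2, this is not a collective cert chain. Certificate DN: " + describeChain(x509CertificateArr), new Object[0]);
            }
            return false;
        }
        String leafDn = subjectDn(x509CertificateArr[0]);
        try {
            validateCollectiveChainSyntax(leafDn, x509CertificateArr);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The presented certificate chain is a collective cert chain. Proceeding to authentication with DN: " + leafDn, new Object[0]);
            }
            return true;
        } catch (InvalidNameException e) {
            // Expected for non-collective chains, hence @FFDCIgnore: trace the message only, no FFDC.
            if (tc.isEventEnabled()) {
                Tr.event(tc, "InvalidNameException while processing cert chain in isCollectiveCertificateChain, certificate is not a Collective Certificate chain.", e.getMessage());
            }
            return false;
        }
    }

    /**
     * Authenticates a chain already believed to be a collective chain.
     *
     * <p>Repeats the shape and DN-syntax checks of
     * {@link #isCollectiveCertificateChain} and additionally calls
     * {@link CollectiveDNUtil#getCollectiveRole}; its return value is discarded,
     * so presumably it is invoked for the {@link InvalidNameException} it raises on a
     * DN without a collective role — confirm against that utility.
     *
     * @param x509CertificateArr chain as presented by the peer, leaf first; may be {@code null}
     * @throws AuthenticationException if the chain is {@code null}, not exactly two
     *         certificates long, or any DN fails the syntax/role checks; the message is
     *         the NLS-resolved {@code MEMBER_SECURITY_REJECT_CERT} text for the leaf DN
     */
    @Override
    public void authenticateCertificateChain(X509Certificate[] x509CertificateArr) throws AuthenticationException {
        if (!hasCollectiveShape(x509CertificateArr)) {
            String name = describeChain(x509CertificateArr);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The certificate chain is not length 2, this is not a collective cert chain. Rejecting authentication. Rejected DN: " + name, new Object[0]);
            }
            throw new AuthenticationException(rejectionMessage(name));
        }
        String leafDn = subjectDn(x509CertificateArr[0]);
        try {
            validateCollectiveChainSyntax(leafDn, x509CertificateArr);
            CollectiveDNUtil.getCollectiveRole(leafDn);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "The presented certificate chain is a controller collective cert chain. Authentication successful.", new Object[0]);
            }
        } catch (InvalidNameException e) {
            // Unlike the query method, this is unexpected here (caller should have pre-checked), so record FFDC.
            FFDCFilter.processException(e, "com.ibm.ws.collective.member.internal.security.MemberCollectiveAuthenticationPlugin", "140", this, new Object[]{x509CertificateArr});
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Unexpected InvalidNameException during authenticateCertificateChain for what should have been a collective chain. Rejecting authentication.", e);
            }
            throw new AuthenticationException(rejectionMessage(leafDn), e);
        }
    }

    /** True when the chain is non-null and exactly {@link #COLLECTIVE_CHAIN_LENGTH} long. */
    private static boolean hasCollectiveShape(X509Certificate[] chain) {
        return chain != null && chain.length == COLLECTIVE_CHAIN_LENGTH;
    }

    /** RFC 2253 subject DN of a certificate, as used for every DN check in this class. */
    private static String subjectDn(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }

    /**
     * Human-readable identifier for a chain that failed the shape check: the leaf
     * subject DN when there is one, otherwise a fixed placeholder.
     */
    private static String describeChain(X509Certificate[] chain) {
        if (chain == null) {
            return NULL_CHAIN;
        }
        if (chain.length == 0) {
            return ZERO_LENGTH_CHAIN;
        }
        return subjectDn(chain[0]);
    }

    /**
     * Applies the four DN-syntax checks that define a collective chain.
     *
     * @param leafDn subject DN of {@code chain[0]}, passed in so callers can reuse it for messages
     * @param chain  two-element chain, leaf at 0 and root at 1 (caller has checked the shape)
     * @throws InvalidNameException if any of the four DNs fails its syntax check
     */
    private static void validateCollectiveChainSyntax(String leafDn, X509Certificate[] chain) throws InvalidNameException {
        X509Certificate leaf = chain[0];
        X509Certificate root = chain[1];
        CollectiveDNUtil.validateCollectiveDNSyntax(leafDn);
        CollectiveDNUtil.validateCollectiveRootDNSyntax(leaf.getIssuerX500Principal().getName());
        CollectiveDNUtil.validateCollectiveRootDNSyntax(subjectDn(root));
        CollectiveDNUtil.validateCollectiveRootDNSyntax(root.getIssuerX500Principal().getName());
    }

    /** NLS-resolved rejection text for {@code dn}, falling back to the English default. */
    private String rejectionMessage(String dn) {
        return TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, REJECT_CERT_KEY, new Object[]{dn}, REJECT_CERT_DEFAULT);
    }
}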
