package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket;
import com.ibm.ws.wssecurity.token.CacheableToken;
import com.ibm.ws.wssecurity.util.KRB5Util;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.util.io.ObjectOutputInputUtil;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnTokenFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutput;
import java.io.ObjectOutputStream;
import java.security.MessageDigest;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Date;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/wssapi/token/impl/KRBAuthnTokenImpl.class */
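/**
 * Kerberos authentication token.
 *
 * <p>Carries the Kerberos principal name ({@code kpn}) and realm, an optional
 * {@link KerberosTicket} (TGT), an optional {@link GSSCredential}, an expiration time
 * (epoch millis) and a small bag of string attributes ({@code kData}). The token can be
 * flattened to bytes with {@link #getTokenBytes()} and rebuilt with
 * {@link #KRBAuthnTokenImpl(byte[])}; the byte layout is produced by {@link #writeExternal}
 * and starts with the version string {@code "1.0"} followed by the token name, which is what
 * {@link #isKRBAuthnToken(byte[])} sniffs.
 *
 * <p>Thread-safety: only {@link #setKerberosTicket} is synchronized. The other mutators and
 * the lazily computed {@code uniqueId} / {@code identifier} / {@code kData} are unguarded, so
 * callers that share an instance across threads must provide their own synchronization.
 */
public class KRBAuthnTokenImpl extends BinarySecurityTokenImpl implements KRBAuthnToken, KRBTicket, CacheableToken, Cloneable {
    private static final long serialVersionUID = 1;
    /** Value reported by {@link #getTokenVersion()}. */
    private static final short VERSION = 1;
    /** Version string written first by {@link #writeExternal} and checked by {@link #readExternal}. */
    private static final String VERSION_NUMBER = "1.0";
    // The next four members are not referenced anywhere in this class; kept for binary compatibility.
    private static final String MESSAGE_DIGEST_ALGORITHM = "SHA";
    private static final long DEFAULT_TOKEN_CUSHION = 600000;
    private static final String comp = "security.wssecurity";
    private static MessageDigest md = null;
    /** Kerberos V5 mechanism OID used when building the GSS credential. */
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";
    private static final TraceComponent tc = Tr.register(KRBAuthnTokenImpl.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Lazily created by gssManager(); deliberately unsynchronized (a race only builds a redundant instance).
    private static GSSManager gssMgr = null;

    private short version = VERSION;
    // Last serialized form produced by getTokenBytes(), or the bytes passed to the byte[] constructor.
    private byte[] tokenBytes = null;
    // Lazily computed by getTokenUniqueID(); also restored from the serialized form.
    private String uniqueId = null;
    // Full Kerberos principal name, e.g. "user@REALM" (realm is derived from it when not supplied).
    private String kpn = null;
    private String realm = null;
    protected KerberosTicket tgt = null;
    private GSSCredential gssCred = null;
    // Epoch millis; 0 means "not set".
    private long expiration = 0L;
    private String tokenName = WSSECURITY_KRBAUTHNTOKEN_NAME;
    // Set by setTokenReadOnly(); blocks addTokenAttribute(). Distinct from the inherited readOnly field.
    private boolean isReadOnly = false;
    private Date renewTill = null;
    private Hashtable<String, String> kData = null;
    // CacheableToken identifier; defaults to the ticket's client name when a TGT is present.
    private String identifier = null;
    private boolean isAddressless = false;
    private boolean isForwardable = false;
    private boolean isRenewable = false;
    // Only ever assigned from the serialized form; this class never sets it otherwise.
    private int credType = 0;
    // Only ever assigned from the serialized form ("KRBAuthnToken.APREQ").
    private byte[] apReqBytes = null;

    /** Creates an empty token; every field keeps its declared default. */
    public KRBAuthnTokenImpl() {
    }

    /**
     * Rebuilds a token from its serialized form (the output of {@link #getTokenBytes()}).
     *
     * @param bArr serialized token bytes; {@code null} or empty leaves the token empty
     * @throws RuntimeException if the bytes cannot be read; the original exception is the cause
     */
    public KRBAuthnTokenImpl(byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "KRBAuthnTokenImpl(TokenBytes)... " + bArr);
        }
        this.tokenBytes = bArr;
        if (KRB5Util.hasValue(this.tokenBytes)) {
            // NOTE(review): readExternal() calls readObject() for kData, tgt and APREQ, so a plain
            // ObjectInputStream will materialise whatever object graph the bytes contain. Where the
            // bytes can originate from a remote peer, the stream should be restricted to the expected
            // classes (an ObjectInputStream.resolveClass allow-list, or ObjectInputFilter on Java 9+).
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(this.tokenBytes))) {
                readExternal(in);
            } catch (Exception e) {
                Tr.error(tc, "security.wssecurity.WSSConsumer.s34", new Object[]{KRB5Util.stackToString(e)});
                // keep the original exception as the cause instead of flattening it to its message
                throw new RuntimeException(e.getMessage(), e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "KRBAuthnTokenImpl(TokenBytes)");
        }
    }

    /**
     * Builds a token from the factory property map.
     *
     * <p>Recognised keys are {@code KRBAuthnTokenFactory.PRINCIPAL_NAME}, {@code KERBEROS_TICKET},
     * {@code GSS_CREDENTIAL}, {@code REALM_NAME} and {@code EXPIRATION_TIME} (a {@link Long}).
     * Missing principal/realm/expiration values are derived from the ticket or credential; the
     * expiration is clamped to the credential's remaining lifetime when that is earlier.
     *
     * @param map factory properties; values must have the types listed above
     * @throws ClassCastException if a value has an unexpected type
     */
    public KRBAuthnTokenImpl(Map<?, ?> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "KRBAuthnTokenImpl(map): ");
        }
        this.kpn = (String) map.get(KRBAuthnTokenFactory.PRINCIPAL_NAME);
        this.tgt = (KerberosTicket) map.get(KRBAuthnTokenFactory.KERBEROS_TICKET);
        this.gssCred = (GSSCredential) map.get(KRBAuthnTokenFactory.GSS_CREDENTIAL);
        this.realm = (String) map.get(KRBAuthnTokenFactory.REALM_NAME);
        Long explicitExpiration = (Long) map.get(KRBAuthnTokenFactory.EXPIRATION_TIME);
        if (explicitExpiration != null) {
            this.expiration = explicitExpiration.longValue();
        }
        if (this.tgt != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "TGT: " + KRB5Util.printTGT(this.tgt));
            }
            if (this.kpn == null) {
                this.kpn = this.tgt.getClient().toString();
            }
            // An EXPIRATION_TIME entry (even a null one) takes precedence over the ticket end time.
            if (!map.containsKey(KRBAuthnTokenFactory.EXPIRATION_TIME)) {
                this.expiration = this.tgt.getEndTime().getTime();
            }
            copyTicketFlags(this.tgt);
        } else if (this.gssCred != null) {
            try {
                if (this.kpn == null) {
                    this.kpn = this.gssCred.getName().toString();
                }
            } catch (Exception e) {
                Tr.error(tc, "security.wssecurity.WSSConsumer.s34", new Object[]{e});
            }
        }
        if (this.gssCred != null) {
            try {
                // Multiply in long: getRemainingLifetime() returns int seconds and may be
                // INDEFINITE_LIFETIME (Integer.MAX_VALUE), which overflowed to a negative value in int.
                long credentialExpiration = (this.gssCred.getRemainingLifetime() * 1000L) + System.currentTimeMillis();
                if (credentialExpiration < this.expiration || this.expiration == 0) {
                    this.expiration = credentialExpiration;
                }
            } catch (Exception e2) {
                Tr.error(tc, "security.wssecurity.WSSConsumer.s34", new Object[]{e2});
            }
        }
        if (this.realm == null && this.kpn != null) {
            int at = this.kpn.indexOf('@');
            if (at != -1) {
                this.realm = this.kpn.substring(at + 1);
            }
        }
        this.principal = KRB5Util.stripOutPrincipalName(this.kpn);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "KRBAuthnTokenImpl(map) = " + toString());
        }
    }

    /**
     * Copies the ticket-derived flags (renew-till, addressless, forwardable, renewable) from
     * {@code ticket} into this token. Shared by every path that installs a ticket so the flags
     * cannot drift between them.
     */
    private void copyTicketFlags(KerberosTicket ticket) {
        this.renewTill = ticket.getRenewTill();
        this.isAddressless = ticket.getClientAddresses() == null;
        this.isForwardable = ticket.isForwardable();
        this.isRenewable = ticket.isRenewable();
    }

    /** Returns the process-wide {@link GSSManager}, creating it on first use. */
    private static GSSManager gssManager() {
        if (gssMgr == null) {
            gssMgr = GSSManager.getInstance();
        }
        return gssMgr;
    }

    /**
     * Returns the GSS credential for this token. When a TGT is present the credential is
     * rebuilt from it on every call (and cached in {@code gssCred}); otherwise the stored
     * credential, possibly {@code null}, is returned.
     *
     * @throws SoapSecurityException if the credential cannot be created from the TGT
     */
    @Override // com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken
    public GSSCredential getGSSCredential() throws SoapSecurityException {
        if (this.tgt != null) {
            try {
                this.gssCred = getGSSCredential(this.tgt);
            } catch (PrivilegedActionException e) {
                Tr.error(tc, "security.wssecurity.WSSConsumer.s34", new Object[]{e});
                throw new SoapSecurityException(e);
            }
        }
        if (tc.isDebugEnabled()) {
            if (this.gssCred != null) {
                Tr.debug(tc, "this.gssCred = " + this.gssCred.toString());
            } else {
                Tr.debug(tc, "this.gssCred = null");
                if (this.tgt == null) {
                    Tr.debug(tc, "this.tgt = null");
                }
            }
        }
        return this.gssCred;
    }

    /**
     * Creates a GSS credential for {@code kerberosTicket} by running
     * {@link #createGSSCredential} as a {@link Subject} that holds the ticket as a private
     * credential, which is how the Kerberos GSS mechanism locates the ticket.
     *
     * @throws PrivilegedActionException wrapping the {@link SoapSecurityException} from
     *     {@link #createGSSCredential}
     */
    private GSSCredential getGSSCredential(final KerberosTicket kerberosTicket) throws PrivilegedActionException {
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(kerberosTicket);
        return Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws SoapSecurityException {
                return createGSSCredential(kerberosTicket);
            }
        });
    }

    /**
     * Creates an initiate-only Kerberos V5 GSS credential for the ticket's client principal.
     * Must run under a Subject that carries the ticket (see {@link #getGSSCredential(KerberosTicket)}).
     *
     * @param kerberosTicket ticket whose client name is used; {@code null} yields {@code null}
     * @return the credential, or {@code null} if the ticket or its client name is absent/empty
     * @throws SoapSecurityException wrapping any failure from the GSS layer
     */
    /* JADX INFO: Access modifiers changed from: private */
    public GSSCredential createGSSCredential(KerberosTicket kerberosTicket) throws SoapSecurityException {
        if (kerberosTicket == null) {
            return null;
        }
        try {
            String clientName = kerberosTicket.getClient().getName();
            Oid krb5 = new Oid(KRB5_OID);
            if (clientName == null || clientName.length() == 0) {
                return null;
            }
            GSSManager manager = gssManager();
            GSSName gssName = manager.createName(clientName, GSSName.NT_USER_NAME, krb5).canonicalize(krb5);
            return manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
        } catch (Throwable th) {
            // Throwable is kept from the original so Errors surface as SoapSecurityException too.
            Tr.error(tc, "security.wssecurity.WSSConsumer.s34", new Object[]{th});
            throw new SoapSecurityException(th);
        }
    }

    /** @return {@code true} if the ticket carried no client addresses. */
    @Override // com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken
    public boolean isAddressless() {
        return this.isAddressless;
    }

    /** @return the ticket's renewable flag ({@code false} when no ticket was supplied). */
    @Override // com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken
    public boolean isRenewable() {
        return this.isRenewable;
    }

    /** @return the ticket's renew-till time, or {@code null}. */
    @Override // com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken
    public Date getRenewTill() {
        return this.renewTill;
    }

    /** @return the Kerberos realm, or {@code null} if none was supplied or derivable. */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public String getTokenRealm() {
        return this.realm;
    }

    /** @return the ticket (TGT) held by this token, or {@code null}. */
    @Override // com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket
    public KerberosTicket getKerberosTicket() {
        return this.tgt;
    }

    /** Returns the attribute table, creating it on first use. */
    private Hashtable<String, String> attributes() {
        if (this.kData == null) {
            this.kData = new Hashtable<>();
        }
        return this.kData;
    }

    /**
     * Stores a single-valued attribute. Ignored (returns {@code null}) once
     * {@link #setTokenReadOnly()} has been called.
     *
     * @param str attribute name
     * @param str2 attribute value
     * @return a one-element array holding the previous value, or {@code null} if there was none
     *     or the token is read-only
     * @throws NullPointerException if {@code str} or {@code str2} is {@code null} (Hashtable semantics)
     */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public String[] addTokenAttribute(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Enters addTokenAttribute( key = " + str + ", value = " + str2 + " )");
        }
        String previous = null;
        if (!this.isReadOnly) {
            previous = attributes().put(str, str2);
        }
        String[] result = previous != null ? new String[]{previous} : null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "Exits addTokenAttribute()... " + (result != null ? result[0] : null));
        }
        return result;
    }

    /** @return the attribute names; an empty enumeration when no attribute was ever added. */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public Enumeration<String> getTokenAttributeNames() {
        return attributes().keys();
    }

    /**
     * @param str attribute name
     * @return a one-element array with the value, or {@code null} if absent
     * @throws NullPointerException if {@code str} is {@code null} (Hashtable semantics)
     */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public String[] getTokenAttributes(String str) {
        String value = attributes().get(str);
        return value != null ? new String[]{value} : null;
    }

    /**
     * Serializes this token with {@link #writeExternal} and caches the result in
     * {@code tokenBytes}. The returned array is the cached instance, not a copy.
     *
     * @throws RuntimeException if serialization fails; the original exception is the cause
     */
    public byte[] getTokenBytes() {
        try {
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
                writeExternal(out);
                out.flush();
            }
            this.tokenBytes = buffer.toByteArray();
            return this.tokenBytes;
        } catch (Exception e) {
            Tr.error(tc, "security.wssecurity.WSSConsumer.s34", new Object[]{e});
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /** @return expiration as epoch millis; {@code 0} when never set. */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public long getTokenExpiration() {
        return this.expiration;
    }

    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public String getTokenName() {
        return this.tokenName;
    }

    /** @return the principal name with the realm part stripped (via {@code KRB5Util}). */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public String getTokenPrincipal() {
        return KRB5Util.stripOutPrincipalName(this.kpn);
    }

    /**
     * Returns a cache key for this token, computing it on first use: the principal name plus
     * the TGT's {@code hashCode()} when a ticket is present (negative hashes are negated and
     * suffixed with {@code "n"}), otherwise the principal name alone. The value is persisted by
     * {@link #writeExternal}, so the format must stay stable across releases.
     *
     * <p>Edge cases kept for compatibility: a hash of exactly {@code 0} takes the negative
     * branch ({@code "0n"}), and {@code Integer.MIN_VALUE} negates to itself.
     */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public String getTokenUniqueID() {
        if (this.uniqueId == null) {
            if (this.tgt != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "KRBAuthnTokenImpl: using principal name and hash of TGT for unique ID");
                }
                int ticketHash = this.tgt.hashCode();
                if (ticketHash > 0) {
                    this.uniqueId = this.kpn + ticketHash;
                } else {
                    this.uniqueId = this.kpn + ((-1) * ticketHash) + "n";
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "KRBAuthnTokenImpl: using principal for unique ID");
                }
                this.uniqueId = this.kpn;
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "KRBAuthnTokenImpl: token unique ID = " + this.uniqueId);
        }
        return this.uniqueId;
    }

    /**
     * @return the cache identifier; when unset and a TGT is present it is initialised to the
     *     ticket's client principal name
     */
    @Override // com.ibm.ws.wssecurity.token.CacheableToken
    public String getIdentifier() {
        if (this.identifier == null && this.tgt != null) {
            this.identifier = this.tgt.getClient().getName();
        }
        return this.identifier;
    }

    public void setIdentifier(String str) {
        this.identifier = str;
    }

    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public short getTokenVersion() {
        return this.version;
    }

    /**
     * Always {@code true}; this does not consult the ticket-derived {@code isForwardable}
     * flag, which is only reported by {@link #toString()}.
     */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public boolean isTokenForwardable() {
        return true;
    }

    /** @return {@code true} while the expiration time lies in the future (false when never set). */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public boolean isTokenValid() {
        return this.expiration > System.currentTimeMillis();
    }

    /** Blocks further {@link #addTokenAttribute} calls. Does not touch the inherited {@code readOnly} field. */
    @Override // com.ibm.wsspi.wssecurity.platform.token.AuthnToken
    public void setTokenReadOnly() {
        this.isReadOnly = true;
    }

    /**
     * Checks whether {@code bArr} starts with this class's serialized header (version
     * {@code "1.0"} followed by the Kerberos token name). Only the two leading UTF fields are
     * read; no {@code readObject()} call is reached.
     *
     * @param bArr candidate bytes; {@code null}/empty yields {@code false}
     * @return {@code true} only if both header fields match; any read error yields {@code false}
     */
    public boolean isKRBAuthnToken(byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKRBAuthnToken(byte[] inBytes)... " + bArr);
        }
        boolean recognised = false;
        if (KRB5Util.hasValue(bArr)) {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bArr))) {
                // && short-circuits, so the token name is only read when the version matched.
                recognised = VERSION_NUMBER.equals(ObjectOutputInputUtil.readUTF(in, "KRBAuthnToken.version"))
                        && KRBAuthnToken.WSSECURITY_KRBAUTHNTOKEN_NAME.equals(ObjectOutputInputUtil.readUTF(in, "KRBAuthnToken.tokenName"));
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isKRBAuthnToken. Can not determine if this is a KRBAuthnToken.");
                    Tr.debug(tc, KRB5Util.stackToString(e));
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKRBAuthnToken(byte[] inBytes)");
        }
        return recognised;
    }

    /**
     * Installs (or clears, with {@code null}) the ticket and refreshes every value derived from
     * it: expiration, principal name, the ticket flags and the GSS credential. A failure to build
     * the credential is logged at debug level and leaves {@code gssCred} {@code null}.
     */
    @Override // com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket
    public synchronized void setKerberosTicket(KerberosTicket kerberosTicket) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setKerberosTicket()");
        }
        this.tgt = kerberosTicket;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, KRB5Util.printTGT(kerberosTicket));
        }
        if (kerberosTicket != null) {
            this.expiration = kerberosTicket.getEndTime().getTime();
            this.kpn = kerberosTicket.getClient().toString();
            // Also refreshes isForwardable, which the other ticket-installing paths already did.
            copyTicketFlags(kerberosTicket);
            try {
                this.gssCred = getGSSCredential(kerberosTicket);
            } catch (PrivilegedActionException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No GSSCredential created - " + e.getLocalizedMessage());
                }
                this.gssCred = null;
            }
        } else {
            this.gssCred = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setKerberosTicket()");
        }
    }

    /**
     * Returns {@code value} as {@code type}, or fails with an {@link IOException} that names the
     * serialized field, so a stream carrying an unexpected class is reported as a malformed
     * stream instead of an opaque {@link ClassCastException}.
     */
    private static <T> T expectType(Object value, Class<T> type, String label) throws IOException {
        if (!type.isInstance(value)) {
            throw new IOException(label + ": unexpected " + value.getClass().getName());
        }
        return type.cast(value);
    }

    /**
     * Restores the fields written by {@link #writeExternal}. A stream whose leading version
     * string is not {@code "1.0"} is left unread and the token keeps its current state.
     *
     * @throws IOException on a read error, when a deserialized field has an unexpected type, or
     *     when the GSS credential cannot be rebuilt from the restored ticket
     */
    @Override // com.ibm.ws.wssecurity.wssapi.token.impl.BinarySecurityTokenImpl, com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl, java.io.Externalizable
    public void readExternal(ObjectInput objectInput) throws IOException, ClassNotFoundException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "readExternal(ObjectInput in)");
        }
        if (VERSION_NUMBER.equals(ObjectOutputInputUtil.readUTF(objectInput, "KRBAuthnToken.version"))) {
            this.tokenName = ObjectOutputInputUtil.readUTF(objectInput, "KRBAuthnToken.tokenName");
            this.credType = ObjectOutputInputUtil.readInt(objectInput, "KRBAuthnToken.credType");
            this.kpn = ObjectOutputInputUtil.readUTF(objectInput, "KRBAuthnToken.kpn");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "this.kpn=" + this.kpn);
            }
            this.uniqueId = ObjectOutputInputUtil.readUTF(objectInput, "KRBAuthnToken.uniqueId");
            this.identifier = ObjectOutputInputUtil.readUTF(objectInput, "KRBAuthnToken.identifier");
            this.realm = ObjectOutputInputUtil.readUTF(objectInput, "KRBAuthnToken.realm");
            this.expiration = ObjectOutputInputUtil.readLong(objectInput, "KRBAuthnToken.expiration");
            // NOTE(review): the persisted flag is the inherited readOnly field, while
            // setTokenReadOnly()/addTokenAttribute() use this class's own isReadOnly; they are never
            // reconciled, so a read-only token becomes writable again after a round trip. Left as-is
            // because the superclass semantics of readOnly are not visible here.
            this.readOnly = ObjectOutputInputUtil.readBoolean(objectInput, "KRBAuthnToken.readOnly");
            Object attrs = ObjectOutputInputUtil.readObject(objectInput, "KRBAuthnToken.kData");
            if (attrs != null) {
                @SuppressWarnings("unchecked") // writeExternal serializes a Hashtable<String, String>
                Hashtable<String, String> typedAttrs = expectType(attrs, Hashtable.class, "KRBAuthnToken.kData");
                this.kData = typedAttrs;
            }
            Object ticket = ObjectOutputInputUtil.readObject(objectInput, "KRBAuthnToken.tgt");
            if (ticket != null) {
                this.tgt = expectType(ticket, KerberosTicket.class, "KRBAuthnToken.tgt");
            }
            Object apReq = ObjectOutputInputUtil.readObject(objectInput, "KRBAuthnToken.APREQ");
            if (apReq != null) {
                this.apReqBytes = expectType(apReq, byte[].class, "KRBAuthnToken.APREQ");
            }
            if (this.tgt != null) {
                try {
                    this.gssCred = getGSSCredential(this.tgt);
                } catch (PrivilegedActionException e) {
                    Tr.error(tc, "security.wssecurity.WSSConsumer.s34", new Object[]{e});
                    throw new IOException(e);
                }
                copyTicketFlags(this.tgt);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "readExternal(ObjectInput in)=" + objectInput.available());
        }
    }

    /**
     * Writes the token in the layout read by {@link #readExternal}: version, token name,
     * credType, kpn, uniqueId, identifier, realm, expiration, the inherited readOnly flag, then
     * the attribute table, the ticket and the AP-REQ bytes as objects. {@code gssCred} and the
     * ticket-derived flags are not written; they are recomputed from the ticket on read.
     */
    @Override // com.ibm.ws.wssecurity.wssapi.token.impl.BinarySecurityTokenImpl, com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl, java.io.Externalizable
    public void writeExternal(ObjectOutput objectOutput) throws IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "writeExternal(ObjectOutput out)");
        }
        ObjectOutputInputUtil.writeUTF(objectOutput, VERSION_NUMBER, "KRBAuthnToken.version");
        ObjectOutputInputUtil.writeUTF(objectOutput, this.tokenName, "KRBAuthnToken.tokenName");
        ObjectOutputInputUtil.writeInt(objectOutput, this.credType, "KRBAuthnToken.credType");
        ObjectOutputInputUtil.writeUTF(objectOutput, this.kpn, "KRBAuthnToken.kpn");
        ObjectOutputInputUtil.writeUTF(objectOutput, this.uniqueId, "KRBAuthnToken.uniqueId");
        ObjectOutputInputUtil.writeUTF(objectOutput, this.identifier, "KRBAuthnToken.identifier");
        ObjectOutputInputUtil.writeUTF(objectOutput, this.realm, "KRBAuthnToken.realm");
        ObjectOutputInputUtil.writeLong(objectOutput, this.expiration, "KRBAuthnToken.expiration");
        ObjectOutputInputUtil.writeBoolean(objectOutput, this.readOnly, "KRBAuthnToken.readOnly");
        ObjectOutputInputUtil.writeObject(objectOutput, this.kData, "KRBAuthnToken.kData");
        ObjectOutputInputUtil.writeObject(objectOutput, this.tgt, "KRBAuthnToken.tgt");
        ObjectOutputInputUtil.writeObject(objectOutput, this.apReqBytes, "KRBAuthnToken.APREQ");
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "writeExternal(ObjectOutput out): this.tgt = " + KRB5Util.printTGT(this.tgt));
        }
    }

    /**
     * Multi-line dump of the token state, used by the Map constructor's trace exit.
     *
     * <p>NOTE(review): this renders the ticket via {@code KRB5Util.printTGT} and the GSS
     * credential via its {@code toString()}; confirm neither exposes key material before this
     * output reaches trace logs.
     */
    @Override // com.ibm.ws.wssecurity.wssapi.token.impl.BinarySecurityTokenImpl, com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl
    public String toString() {
        StringBuilder sb = new StringBuilder();
        Date expiresAt = new Date(this.expiration);
        sb.append("\n\ntoken name:         " + this.tokenName);
        sb.append("\nversion:            " + ((int) this.version));
        sb.append("\nhashCode:           " + hashCode());
        sb.append("\nuniqueId:           " + this.uniqueId);
        sb.append("\nkerberos principal: " + this.kpn);
        sb.append("\nrealm:              " + this.realm);
        sb.append("\nexpiration:         " + expiresAt);
        sb.append("\nrenew until:        " + this.renewTill);
        sb.append("\nisReadOnly:         " + this.isReadOnly);
        sb.append("\nisAddressless:      " + this.isAddressless);
        sb.append("\nisForwardable:      " + this.isForwardable);
        sb.append("\nisRenewable:        " + this.isRenewable);
        sb.append("\nKerberosTicket:     " + KRB5Util.printTGT(this.tgt));
        sb.append("\nGSSCredential:      " + this.gssCred);
        if (this.kData != null && !this.kData.isEmpty()) {
            sb.append("\n\nAttributes: ");
            for (String name : this.kData.keySet()) {
                sb.append("\n" + name + " : " + this.kData.get(name));
            }
        }
        return sb.toString();
    }
}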
