package com.ibm.ws.wssecurity.saml.config.impl;

import com.ibm.websphere.management.application.AppConstants;
import com.ibm.ws.wssecurity.common.Constants;
import com.ibm.ws.wssecurity.saml.common.SAML11Constants;
import com.ibm.ws.wssecurity.saml.common.SAML20Constants;
import com.ibm.ws.wssecurity.saml.common.SAMLCommonConstants;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.util.CertificateUtil;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.util.WSSecurityContextUtilFactory;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.Configuration;
import com.ibm.wsspi.wssecurity.core.token.config.RequesterConfiguration;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import java.io.File;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/saml/config/impl/SamlConfigUtil.class */
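/**
 * Static helpers shared by the SAML token provider/consumer configuration code:
 * statement-type and subject-confirmation resolution, key/trust-store lookups via
 * {@link KeyStoreManager}, cert-store construction for certificate path validation,
 * and a small per-context property bag used to flag "SAML API processing".
 *
 * <p>Every method traces entry/exit through the component's {@link TraceComponent};
 * the trace strings are part of the supportability contract and are kept unchanged.
 *
 * <p>Fail-closed notes for callers: {@link #getSamlSigningKeyInformation} throws when
 * no signing key resolves, but the trust-side lookups ({@link #getTokenProviderKeyInformation},
 * {@link #getRequesterKeyInformation}, {@link #getTrustKeyInformation}, {@link #getKeyInformation},
 * {@link #getTrustStore}) return {@code null} when nothing resolves. A {@code null} from
 * those means "no trust anchor" and the caller must reject the token, never treat it as
 * "nothing to verify".
 */
public class SamlConfigUtil {
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc = Tr.register(SamlConfigUtil.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.samlmessages");
    private static final String clsName = SamlConfigUtil.class.getName();

    /**
     * Context key under which {@link #setSamlApiProcessing()} records its marker.
     * NOTE(review): left public and non-final only to preserve the existing interface;
     * nothing in this class reassigns it and callers should not either.
     */
    public static String SAML_API_PROCESSING = "com.ibm.ws.wssecurity.saml.config.impl.SamlConfigUtil.samlApiProcessing";

    /** WS-Trust 1.3 KeyType meaning "no proof key": the requester wants a bearer assertion. */
    private static final String WST_KEYTYPE_BEARER = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
    /** WSS SAML Token Profile 1.1 TokenType URI for a SAML 1.1 assertion. */
    private static final String TOKENTYPE_SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    /** WSS SAML Token Profile 1.1 TokenType URI for a SAML 2.0 assertion. */
    private static final String TOKENTYPE_SAML20 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /**
     * Reports whether the requester asked for holder-of-key subject confirmation.
     *
     * @param requesterConfig requester settings; may be {@code null}
     * @return {@code true} only when the configured confirmation method contains the
     *         substring {@code "holder-of-key"} (the SAML 1.1 and 2.0 URIs and the short
     *         spelling all do); {@code false} for a null config or null method
     */
    public static boolean isHolderOfKey(RequesterConfig requesterConfig) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isHolderOfKey(RequesterConfig requesterData)");
        }
        boolean holderOfKey = false;
        if (requesterConfig != null) {
            String method = requesterConfig.getConfirmationMethod();
            // Substring match, not normalization. NOTE(review): a spelling without hyphens
            // (whatever Constants.HOLDEROFKEY holds is not visible here) would not be
            // recognized; callers needing that should run normalizeMethod() first.
            holderOfKey = method != null && method.contains("holder-of-key");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isHolderOfKey returns: " + Boolean.toString(holderOfKey));
        }
        return holderOfKey;
    }

    /**
     * Resolves the issuer's assertion-signing key from its key-store configuration.
     *
     * @param providerConfig issuer configuration supplying key-store and key-info settings
     * @return the signing key material, never {@code null}
     * @throws SoapSecurityException (message WSSML0001E) when the key-store manager is
     *         unavailable, the config is null, or no key resolves; this helper fails closed
     *         so an unsigned assertion is never produced because of a missing key
     */
    public static KeyStoreManager.KeyInformation getSamlSigningKeyInformation(ProviderConfig providerConfig) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSamlSigningKeyInformation(ProviderConfig)");
        }
        KeyStoreManager.KeyInformation keyInformation = null;
        KeyStoreManager keystoreManager = getKeystoreManager();
        if (keystoreManager != null && checkConfig(providerConfig)) {
            keyInformation = keystoreManager.getKeyInformation(providerConfig.getKeyStoreConfig(), providerConfig.getKeyInformationConfig());
        }
        if (keyInformation == null) {
            throw new SoapSecurityException(MessageHelper.getMessage("security.wssecurity.WSSML0001E"));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSamlSigningKeyInformation(ProviderConfig samlCfg)");
        }
        return keyInformation;
    }

    /**
     * Whether the assertion to be issued should carry an AuthnStatement.
     *
     * @return {@code true} when {@link #getStatementType} yields the authn-only or the
     *         combined authn+attribute statement type
     */
    public static boolean createAuthnStatement(CredentialConfig credentialConfig, RequesterConfig requesterConfig, ProviderConfig providerConfig) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createAuthnStatement(CredentialConfig cred, RequesterConfig request, ProviderConfig issue");
        }
        String statementType = getStatementType(credentialConfig, requesterConfig, providerConfig);
        boolean result = SAMLCommonConstants.AUTHN_STATEMENT_TYPE.equals(statementType)
                || SAMLCommonConstants.AUTHN_ATTRIBUTE_STATEMENT_TYPE.equals(statementType);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createAuthnStatement returns: " + Boolean.toString(result));
        }
        return result;
    }

    /**
     * Whether the assertion to be issued should carry an AttributeStatement.
     *
     * @return {@code true} when {@link #getStatementType} yields {@code "Attribute"} or the
     *         combined authn+attribute statement type
     */
    public static boolean createAttributeStatement(CredentialConfig credentialConfig, RequesterConfig requesterConfig, ProviderConfig providerConfig) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createAttributeStatement(CredentialConfig  cred, RequesterConfig request, ProviderConfig issue)");
        }
        String statementType = getStatementType(credentialConfig, requesterConfig, providerConfig);
        boolean result = "Attribute".equals(statementType)
                || SAMLCommonConstants.AUTHN_ATTRIBUTE_STATEMENT_TYPE.equals(statementType);
        if (tc.isEntryEnabled()) {
            // The two exit strings differ in the original trace output; kept as-is.
            Tr.exit(tc, result ? "createAttributeStatement returns: true" : "false");
        }
        return result;
    }

    /**
     * Decides which SAML statement(s) the issued assertion carries.
     *
     * <p>Resolution order: an explicit, non-empty {@code requesterConfig.getStatementType()}
     * wins; otherwise the default is {@code "Attribute"}, upgraded to the authn type when an
     * authentication method is configured (on the requester, or as the
     * {@code "AuthenticationMethod"} credential property), and further to the combined
     * authn+attribute type when SAML attributes or an attribute provider are configured.
     *
     * @param credentialConfig may be {@code null}
     * @param requesterConfig  must not be {@code null}
     * @param providerConfig   may be {@code null}
     * @return one of {@code "Attribute"}, {@code AUTHN_STATEMENT_TYPE},
     *         {@code AUTHN_ATTRIBUTE_STATEMENT_TYPE}, or the requester's explicit value
     */
    public static String getStatementType(CredentialConfig credentialConfig, RequesterConfig requesterConfig, ProviderConfig providerConfig) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getStatementType(CredentialConfig cred, RequesterConfig request, ProviderConfig issue)");
        }
        String statementType;
        String explicitType = requesterConfig.getStatementType();
        if (explicitType != null && !explicitType.isEmpty()) {
            statementType = explicitType;
        } else {
            statementType = "Attribute";
            if (hasAuthenticationMethod(credentialConfig, requesterConfig)) {
                statementType = SAMLCommonConstants.AUTHN_STATEMENT_TYPE;
                // credentialConfig/providerConfig are null-checked here; the original
                // dereferenced them unconditionally once an authn method was present.
                if (hasAttributeSource(credentialConfig, providerConfig)) {
                    statementType = SAMLCommonConstants.AUTHN_ATTRIBUTE_STATEMENT_TYPE;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getStatementType returns: " + statementType);
        }
        return statementType;
    }

    /** True when an authentication method is configured on the requester or as a credential property. */
    private static boolean hasAuthenticationMethod(CredentialConfig credentialConfig, RequesterConfig requesterConfig) {
        String method = requesterConfig.getAuthenticationMethod();
        if (method != null && !method.isEmpty()) {
            return true;
        }
        return credentialConfig != null
                && credentialConfig.getProperties() != null
                && credentialConfig.getProperties().get("AuthenticationMethod") != null;
    }

    /** True when the credential carries SAML attributes or the provider names an attribute provider. */
    private static boolean hasAttributeSource(CredentialConfig credentialConfig, ProviderConfig providerConfig) {
        if (credentialConfig != null
                && credentialConfig.getSAMLAttributes() != null
                && !credentialConfig.getSAMLAttributes().isEmpty()) {
            return true;
        }
        return providerConfig != null
                && providerConfig.getAttributeProvider() != null
                && !providerConfig.getAttributeProvider().isEmpty();
    }

    /**
     * Resolves and normalizes the subject-confirmation method for the token being issued.
     *
     * <p>An explicitly configured method is used as-is; otherwise it is derived from the
     * RSTT {@code KeyType}/{@code TokenType}: no key type or the WS-Trust Bearer key type
     * yields bearer, any other key type yields holder-of-key, each in the SAML version the
     * token type selects. Sender-vouches is never derived; it must be configured explicitly.
     *
     * @param requesterConfig requester settings (confirmation method and RSTT properties)
     * @param providerConfig  currently unused; retained for interface compatibility
     * @return the canonical SAML 1.1 or 2.0 confirmation-method URI
     * @throws SoapSecurityException when no valid method can be determined (including a
     *         null config, missing RSTT properties or an unrecognized token type); the
     *         original code hit a NullPointerException in those cases
     */
    public static String getConfirmationMethod(RequesterConfig requesterConfig, ProviderConfig providerConfig) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getConfirmationMethod(RequesterConfig request, ProviderConfig issue)");
        }
        String method = null;
        String tokenType = null;
        if (requesterConfig != null) {
            method = requesterConfig.getConfirmationMethod();
            String keyType = null;
            if (requesterConfig.getRSTTProperties() != null) {
                keyType = requesterConfig.getRSTTProperties().get(RequesterConfiguration.RSTT.KEYTYPE);
                tokenType = requesterConfig.getRSTTProperties().get(RequesterConfiguration.RSTT.TOKENTYPE);
            }
            if (method == null) {
                method = deriveConfirmationMethod(keyType, tokenType);
            }
        }
        String normalizedMethod = normalizeMethod(method, tokenType);
        if (!isConfirmationMethod(normalizedMethod)) {
            throw new SoapSecurityException("Confirmation Method is not valid");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getConfirmationMethod returns: " + normalizedMethod);
        }
        return normalizedMethod;
    }

    /**
     * Derives a confirmation method from RSTT key/token type.
     * Note that any key type other than null/Bearer (including an unrecognized one) maps to
     * holder-of-key, i.e. toward the stronger proof-of-possession method.
     *
     * @return the versioned bearer or holder-of-key URI, or {@code null} when the token
     *         type is neither SAML 1.1 nor SAML 2.0
     */
    private static String deriveConfirmationMethod(String keyType, String tokenType) {
        boolean bearerKey = keyType == null || keyType.equals(WST_KEYTYPE_BEARER);
        if (TOKENTYPE_SAML11.equals(tokenType)) {
            return bearerKey ? SAML11Constants._BEARER : SAML11Constants._HOLDER_OF_KEY;
        }
        if (TOKENTYPE_SAML20.equals(tokenType)) {
            return bearerKey ? SAML20Constants._BEARER : SAML20Constants._HOLDER_OF_KEY;
        }
        return null;
    }

    /**
     * Whether {@code str} is one of the six canonical confirmation-method URIs
     * (bearer, holder-of-key, sender-vouches; SAML 1.1 and 2.0). Exact, case-sensitive
     * comparison: call {@link #normalizeMethod} first for user-supplied spellings.
     *
     * @param str candidate method; {@code null}/empty yields {@code false}
     */
    public static boolean isConfirmationMethod(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isConfirmationMethod(method[" + str + "])");
        }
        boolean valid = false;
        if (str != null && !str.isEmpty()) {
            valid = str.equals(SAML11Constants._BEARER)
                    || str.equals(SAML20Constants._BEARER)
                    || str.equals(SAML11Constants._HOLDER_OF_KEY)
                    || str.equals(SAML20Constants._HOLDER_OF_KEY)
                    || str.equals(SAML11Constants._SENDER_VOUCHES)
                    || str.equals(SAML20Constants._SENDER_VOUCHES);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isConfirmationMethod returns: " + Boolean.toString(valid));
        }
        return valid;
    }

    /**
     * Maps the accepted spellings of a confirmation method to the canonical URI for the
     * SAML version selected by {@code str2} (the SAML 2.0 token type picks 2.0 URIs,
     * anything else picks 1.1 URIs). Unrecognized input is returned unchanged so that
     * {@link #isConfirmationMethod} can reject it.
     *
     * @param str  method as configured; {@code null} is returned unchanged (the original
     *             threw a NullPointerException here)
     * @param str2 RSTT token type URI, may be {@code null}
     */
    public static String normalizeMethod(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "normalizeMethod(inMethod[" + str + "])");
        }
        String normalized = str;
        if (str != null) {
            boolean saml20 = TOKENTYPE_SAML20.equalsIgnoreCase(str2);
            String senderVouches = saml20 ? SAML20Constants._SENDER_VOUCHES : SAML11Constants._SENDER_VOUCHES;
            String holderOfKey = saml20 ? SAML20Constants._HOLDER_OF_KEY : SAML11Constants._HOLDER_OF_KEY;
            String bearer = saml20 ? SAML20Constants._BEARER : SAML11Constants._BEARER;
            if (matchesAny(str, "sender-vouches", Constants.SENDERVOUCHES, Constants.SENDER_VOUCHES_SPACE, senderVouches)) {
                normalized = senderVouches.intern();
            } else if (matchesAny(str, "holder-of-key", Constants.HOLDEROFKEY, "holder of keys", holderOfKey)) {
                normalized = holderOfKey.intern();
            } else if (matchesAny(str, "bearer", bearer)) {
                normalized = bearer.intern();
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "normalizeMethod returns: " + normalized);
        }
        return normalized;
    }

    /** Case-insensitive membership test of {@code value} against the given spellings. */
    private static boolean matchesAny(String value, String... spellings) {
        for (String spelling : spellings) {
            if (value.equalsIgnoreCase(spelling)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks up the token provider's (issuer's) certificate in the consumer's trust store
     * under {@code consumerConfig.getAliasForTokenProvider()}.
     *
     * @return the key information, or {@code null} when the key-store manager or config is
     *         missing or the alias does not resolve; callers must treat {@code null} as
     *         "untrusted issuer"
     */
    public static final KeyStoreManager.KeyInformation getTokenProviderKeyInformation(ConsumerConfig consumerConfig) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTokenProviderKeyInformation(ConsumerConfig)");
        }
        KeyStoreManager.KeyInformation keyInformation = null;
        KeyStoreManager keystoreManager = getKeystoreManager();
        if (keystoreManager != null && checkConfig(consumerConfig)) {
            keyInformation = keystoreManager.getKeyInformation(consumerConfig.getTrustStoreConfig(), consumerConfig.getAliasForTokenProvider(), null, "");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTokenProviderKeyInformation returns[" + ConfigUtil.getObjState(keyInformation) + "]");
        }
        return keyInformation;
    }

    /**
     * Looks up a requester's certificate in the provider's trust store by alias.
     *
     * @param str trust-store alias of the requester
     * @return the key information, or {@code null} when nothing resolves (see class note)
     */
    public static final KeyStoreManager.KeyInformation getRequesterKeyInformation(ProviderConfig providerConfig, String str) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRequesterKeyInformation(ProviderConfig, alias[" + str + "]");
        }
        KeyStoreManager.KeyInformation keyInformation = null;
        KeyStoreManager keystoreManager = getKeystoreManager();
        if (keystoreManager != null && checkConfig(providerConfig)) {
            keyInformation = keystoreManager.getKeyInformation(providerConfig.getTrustStoreConfig(), str, null, "");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRequesterKeyInformation returns[" + ConfigUtil.getObjState(keyInformation) + "]");
        }
        return keyInformation;
    }

    /**
     * Resolves trust (verification) key material from the consumer's trust store and
     * key-info configuration.
     *
     * @return the key information, or {@code null} when nothing resolves (see class note)
     */
    public static final KeyStoreManager.KeyInformation getTrustKeyInformation(ConsumerConfig consumerConfig) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTrustKeyInformation(ConsumerConfig)");
        }
        KeyStoreManager.KeyInformation keyInformation = null;
        KeyStoreManager keystoreManager = getKeystoreManager();
        if (keystoreManager != null && checkConfig(consumerConfig)) {
            keyInformation = keystoreManager.getTrustKeyInformation(consumerConfig.getTrustStoreConfig(), consumerConfig.getKeyInformationConfig());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTrustKeyInformation(ConsumerConfig) returns[" + ConfigUtil.getObjState(keyInformation) + "]");
        }
        return keyInformation;
    }

    /**
     * Resolves key material from the consumer's own key store and key-info configuration.
     *
     * @return the key information, or {@code null} when nothing resolves (see class note)
     */
    public static final KeyStoreManager.KeyInformation getKeyInformation(ConsumerConfig consumerConfig) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyInformation(ConsumerConfig)");
        }
        KeyStoreManager.KeyInformation keyInformation = null;
        KeyStoreManager keystoreManager = getKeystoreManager();
        if (keystoreManager != null && checkConfig(consumerConfig)) {
            keyInformation = keystoreManager.getKeyInformation(consumerConfig.getKeyStoreConfig(), consumerConfig.getKeyInformationConfig());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyInformation(ConsumerConfig) returns[" + ConfigUtil.getObjState(keyInformation) + "]");
        }
        return keyInformation;
    }

    /** Convenience overload of {@link #getTrustStore(ConsumerConfig, boolean)} without reload. */
    public static final KeyStore getTrustStore(ConsumerConfig consumerConfig) throws SoapSecurityException {
        return getTrustStore(consumerConfig, false);
    }

    /**
     * Loads the consumer's trust store through the key-store manager.
     *
     * @param z when {@code true}, asks the manager to reload the store rather than use a
     *          cached instance
     * @return the trust store, or {@code null} when the manager or config is missing
     */
    public static final KeyStore getTrustStore(ConsumerConfig consumerConfig, boolean z) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTrustStore(ConsumerConfig[" + ConfigUtil.getObjState(consumerConfig) + "], reloadKeystore[" + z + "])");
        }
        KeyStore keyStore = null;
        KeyStoreManager keystoreManager = getKeystoreManager();
        if (keystoreManager != null && checkConfig(consumerConfig)) {
            keyStore = keystoreManager.getKeyStore(consumerConfig.getTrustStoreConfig(), z);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTrustStore(ConsumerConfig) returns[" + ConfigUtil.getObjState(keyStore) + "]");
        }
        return keyStore;
    }

    /** Returns the singleton {@link KeyStoreManager}, logging (debug) when it is absent. */
    static KeyStoreManager getKeystoreManager() {
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance();
        if (keyStoreManager == null && tc.isDebugEnabled()) {
            Tr.debug(tc, "KeyStoreManager object is null.");
        }
        return keyStoreManager;
    }

    /** Null check with a debug trace; {@code true} when {@code configuration} is usable. */
    static boolean checkConfig(Configuration configuration) {
        if (configuration != null) {
            return true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Configuration object is null.");
        }
        return false;
    }

    /**
     * Builds a {@code "Collection"} {@link CertStore} from the consumer's configured X.509
     * certificate files and CRL files and attaches it to the config.
     *
     * <p>Files are read under {@link AccessController#doPrivileged} because the paths come
     * from the security configuration, not from the message. When at least one CRL path is
     * configured, {@code setRevocationEnabled(true)} is called; this method never enables
     * revocation otherwise, so a deployment without CRLs gets no revocation checking from
     * this path (whether something else enables it is not visible here).
     *
     * @param consumerConfig consumer configuration; must not be {@code null}
     * @throws SoapSecurityException when the config is null, a certificate or CRL fails to
     *         load, or the cert store cannot be created
     */
    public static final void createCertStoreObject(ConsumerConfig consumerConfig) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createCertPathObject (samlCfg[" + (consumerConfig == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        if (!checkConfig(consumerConfig)) {
            throw new SoapSecurityException("ConsumerConfig is null");
        }
        final CertificateFactory certificateFactory = ConfigUtil.createCertificateFactory("");
        // Holds both X509Certificate and X509CRL entries; the Collection cert store accepts either.
        Set<Object> storeEntries = new HashSet<Object>();

        List<String> x509Paths = consumerConfig.getX509Paths();
        if (x509Paths != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "number x509Paths[" + x509Paths.size() + "]");
            }
            for (String path : x509Paths) {
                storeEntries.add(loadCertificate(new File(path), certificateFactory));
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding the X509 Certificate: " + path);
                }
            }
        }

        List<String> crlPaths = consumerConfig.getCRLPaths();
        if (crlPaths != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "number crlPaths[" + crlPaths.size() + "]");
            }
            for (String path : crlPaths) {
                X509CRL crl = loadCrl(path, certificateFactory);
                if (tc.isDebugEnabled()) {
                    CertificateUtil.listCrlContents(crl);
                }
                storeEntries.add(crl);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding the X509 CRL : " + crl);
                }
            }
            if (!crlPaths.isEmpty()) {
                // Revocation is only switched on when CRLs are actually configured.
                consumerConfig.setRevocationEnabled(true);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Setting revocationEnabled to true");
                }
            }
        }

        try {
            consumerConfig.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeEntries)));
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createCertStoreObject");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception caught from CertStore.getInstance: " + e);
            }
            Tr.processException(e, clsName + ".createCertStoreObject", "559");
            throw new SoapSecurityException(e);
        }
    }

    /** Reads one X.509 certificate file under a privileged block. */
    private static X509Certificate loadCertificate(final File file, final CertificateFactory certificateFactory) throws SoapSecurityException {
        try {
            return (X509Certificate) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws SoapSecurityException {
                    return ConfigUtil.getX509Certificate(file, certificateFactory);
                }
            });
        } catch (PrivilegedActionException e) {
            throw toSoapSecurityException(e);
        }
    }

    /** Reads one CRL file (by path) under a privileged block. */
    private static X509CRL loadCrl(final String path, final CertificateFactory certificateFactory) throws SoapSecurityException {
        try {
            return (X509CRL) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws SoapSecurityException {
                    return ConfigUtil.getX509CRL(path, certificateFactory);
                }
            });
        } catch (PrivilegedActionException e) {
            throw toSoapSecurityException(e);
        }
    }

    /** Unwraps a privileged-action failure, preserving an original SoapSecurityException. */
    private static SoapSecurityException toSoapSecurityException(PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause instanceof SoapSecurityException) {
            return (SoapSecurityException) cause;
        }
        return new SoapSecurityException(cause);
    }

    /**
     * Returns the WS-Security context map, creating and registering an empty one when the
     * factory has none. The map's scope (per thread or per request) is owned by
     * {@link WSSecurityContextUtilFactory} and not visible here.
     */
    public static Map<Object, Object> getSamlApiContext() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSamlApiContext");
        }
        Map<Object, Object> context = WSSecurityContextUtilFactory.getInstance().getContext();
        if (context == null) {
            context = new HashMap<Object, Object>();
            WSSecurityContextUtilFactory.getInstance().putContext(context);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSamlApiContext returns [" + ConfigUtil.getObjState(context) + "]");
        }
        return context;
    }

    /** Drops the WS-Security context registered with the factory. */
    public static void removeSamlApiContext() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removeSamlApiContext");
        }
        WSSecurityContextUtilFactory.getInstance().removeContext();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removeSamlApiContext");
        }
    }

    /**
     * Stores {@code obj} under {@code str} in the context map; a {@code null} key is ignored.
     */
    public static void putThreadProperty(String str, Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "putThreadProperty");
        }
        if (str != null) {
            Map<Object, Object> context = getSamlApiContext();
            if (context != null) {
                context.put(str, obj);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "putThreadProperty");
        }
    }

    /**
     * Reads the value stored under {@code str} in the context map.
     *
     * @return the stored value, or {@code null} for a null key or absent entry
     */
    public static Object getThreadProperty(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getThreadProperty");
        }
        Object value = null;
        if (str != null) {
            Map<Object, Object> context = getSamlApiContext();
            if (context != null) {
                value = context.get(str);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSamlApiContext returns [" + ConfigUtil.getObjType(value) + "]");
        }
        return value;
    }

    /** Removes the entry stored under {@code str}; a {@code null} key is ignored. */
    public static void removeThreadProperty(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removeThreadProperty");
        }
        if (str != null) {
            Map<Object, Object> context = getSamlApiContext();
            if (context != null) {
                context.remove(str);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removeThreadProperty");
        }
    }

    /** Marks the current context as being inside SAML API processing. */
    public static void setSamlApiProcessing() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setSamlApiProcessing");
        }
        putThreadProperty(SAML_API_PROCESSING, Boolean.TRUE);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setSamlApiProcessing");
        }
    }

    /** Clears the marker set by {@link #setSamlApiProcessing()}. */
    public static void unsetSamlApiProcessing() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "unsetSamlApiProcessing");
        }
        removeThreadProperty(SAML_API_PROCESSING);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "unsetSamlApiProcessing");
        }
    }

    /**
     * @return {@code true} only when the context holds a {@link Boolean} {@code true} under
     *         {@link #SAML_API_PROCESSING}; any other value or type reads as {@code false}
     */
    public static boolean getSamlApiProcessing() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSamlApiProcessing");
        }
        boolean processing = false;
        Map<Object, Object> context = getSamlApiContext();
        if (context != null) {
            Object marker = context.get(SAML_API_PROCESSING);
            if (marker instanceof Boolean) {
                processing = ((Boolean) marker).booleanValue();
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSamlApiContext returns [" + processing + "]");
        }
        return processing;
    }

    /**
     * Identity-style rendering ({@code ClassName@hexIdentityHash}) for trace output; does not
     * invoke {@code toString()}, so no object contents (e.g. key material) leak into traces.
     *
     * @return {@link AppConstants#NULL_STRING} for {@code null}
     */
    public static String objectToString(Object obj) {
        if (obj == null) {
            return AppConstants.NULL_STRING;
        }
        return obj.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(obj));
    }
}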
