package com.ibm.wsspi.security.token;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.spnego.Constants;
import com.ibm.ws.security.util.Base64Coder;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.client_9.0.jar:com/ibm/wsspi/security/token/SpnegoTokenHelper.class */
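/**
 * Builds SPNEGO {@code Negotiate} authorization header values for a target service
 * principal, sourcing the Kerberos credential from one of: the caller (or run-as)
 * Subject, the native Kerberos credential cache, an explicit Subject, a JAAS login by
 * user principal name, or a userid/password JAAS login.
 *
 * <p>All public entry points delegate to
 * {@link #buildSpnegoAuthorization(GSSCredential, String, int, boolean)}, which creates
 * the initiator context and produces the first SPNEGO token.
 *
 * <p>Decompiled listing (com.ibm.ws.admin.client_9.0.jar). The original structure is kept;
 * decompiler artefacts were repaired: mis-typed locals (the unwrapped cause is a
 * {@link Throwable}, not a {@code GSSException}), the duplicated system-property
 * save/restore code (now a {@code finally}), and the missing {@code dispose()} of the
 * {@link GSSContext} on the failure path.
 *
 * <p>Thread-safety: the native-credential and UPN paths temporarily set the process-wide
 * system property named by {@code Constants.KEY_JGSS_USE_SUBJ_CREDS} to {@code "false"}
 * and restore it afterwards. Because the property is JVM-global, concurrent callers and
 * any other JGSS user in the process observe that change; the methods are not isolated
 * from one another.
 *
 * <p>Security notes: the returned header value is a bearer credential for the target
 * service and is written to the trace log at debug level, so component trace for
 * "Security" should be enabled only for diagnostics. The {@code delegate} flag requests
 * credential delegation to the service (the service then holds a forwardable ticket on
 * the caller's behalf) and should be set only when the service genuinely needs it.
 * Passwords are accepted as {@link String} by the public API and therefore cannot be
 * zeroed after use.
 */
public class SpnegoTokenHelper {
    /** Kerberos V5 mechanism OID, or {@code null} if it could not be built in the static initializer. */
    private static final Oid KRB5MECHANISMOID;
    /** SPNEGO mechanism OID, or {@code null} if it could not be built in the static initializer. */
    private static final Oid SPNEGOMECHOID;
    /** Present in the original listing; not used by any method here. */
    private static final Logger log = Logger.getLogger(SpnegoTokenHelper.class.getName());
    private static final TraceComponent tc = Tr.register((Class<?>) SpnegoTokenHelper.class, "Security", AdminConstants.MSG_BUNDLE_NAME);
    /** Present in the original listing; not used by any method here. */
    private static final String className = SpnegoTokenHelper.class.getSimpleName();
    /** Name of the JGSS "use Subject credentials only" system property (JVM-global). */
    private static final String USE_SUBJECT_CREDS_ONLY = Constants.KEY_JGSS_USE_SUBJ_CREDS;

    /**
     * Builds a {@code Negotiate} header value using the Kerberos credential held by the
     * caller Subject, falling back to the run-as Subject when no caller Subject is set.
     *
     * @param str service principal name (SPN) of the target service; must be non-empty
     * @param i   requested credential/context lifetime in seconds, passed to JGSS unchanged
     * @param z   {@code true} to request credential delegation to the service
     * @return {@code "Negotiate "} followed by the base64-encoded initial SPNEGO token
     * @throws WSSecurityException       when the Subject lookup fails
     * @throws GSSException              {@code BAD_NAME} for an empty SPN or when no Subject is
     *                                   available, {@code NO_CRED} when the Subject carries no
     *                                   GSS credential, or any other JGSS failure
     * @throws PrivilegedActionException when the privileged action fails with any other exception
     */
    public static String buildSpnegoAuthorizationFromCallerSubject(final String str, final int i, final boolean z) throws WSSecurityException, GSSException, PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildSpnegoAuthorization(SPN)");
        }
        checkSpn(str);
        traceArguments(str, i, z);
        try {
            String header = AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws WSSecurityException, GSSException, PrivilegedActionException {
                    Subject callerSubject = WSSubject.getCallerSubject();
                    if (callerSubject == null) {
                        // No caller identity on the thread: use the run-as identity instead.
                        callerSubject = WSSubject.getRunAsSubject();
                    }
                    return buildSpnegoAuthorizationFromSubject(str, callerSubject, i, z);
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token generated - from Caller Subject");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "buildSpnegoAuthorization(SPN)");
            }
            return header;
        } catch (PrivilegedActionException e) {
            Manager.Ffdc.log(e, SpnegoTokenHelper.class, "com.ibm.wsspi.security.token.buildSpnegoAuthorizationFromCallerSubject", "152");
            // Unwrap nested PrivilegedActionExceptions so callers see the declared checked types.
            Throwable cause = getGeneralCause(e);
            if (cause instanceof WSSecurityException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a WSSecurityException");
                }
                throw (WSSecurityException) cause;
            }
            if (cause instanceof GSSException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a GSSException");
                }
                throw (GSSException) cause;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Throwing a " + cause.getClass().getName());
            }
            throw e;
        }
    }

    /**
     * Builds a {@code Negotiate} header value from the native Kerberos credential cache
     * (for example a ticket obtained with {@code kinit}) rather than from a Subject.
     *
     * <p>While the credential is acquired the JVM-global property
     * {@code Constants.KEY_JGSS_USE_SUBJ_CREDS} is forced to {@code "false"} and then
     * restored; see the class documentation for the concurrency implications.
     *
     * @param str service principal name (SPN) of the target service; must be non-empty
     * @param i   requested context lifetime in seconds (the credential itself is acquired
     *            with {@link GSSCredential#INDEFINITE_LIFETIME})
     * @param z   {@code true} to request credential delegation to the service
     * @return {@code "Negotiate "} followed by the base64-encoded initial SPNEGO token
     * @throws GSSException              {@code BAD_NAME} for an empty SPN, or any JGSS failure
     * @throws PrivilegedActionException when the privileged action fails with any other exception
     */
    public static String buildSpnegoAuthorizationFromNativeCreds(final String str, final int i, final boolean z) throws GSSException, PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildSpnegoAuthorizationFromNativeCreds");
        }
        checkSpn(str);
        traceArguments(str, i, z);
        try {
            String header = AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws PrivilegedActionException, GSSException {
                    String previous = System.setProperty(USE_SUBJECT_CREDS_ONLY, "false");
                    try {
                        GSSManager manager = getGSSManager();
                        // Default (native) initiator credential, then SPNEGO added on top of it.
                        GSSCredential credential = manager.createCredential((GSSName) null, GSSCredential.INDEFINITE_LIFETIME, KRB5MECHANISMOID, GSSCredential.INITIATE_ONLY);
                        credential.add((GSSName) null, GSSCredential.INDEFINITE_LIFETIME, GSSCredential.INDEFINITE_LIFETIME, SPNEGOMECHOID, GSSCredential.INITIATE_ONLY);
                        return buildSpnegoAuthorization(credential, str, i, z);
                    } finally {
                        restoreUseSubjectCredsOnly(previous);
                    }
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token generated");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "buildSpnegoAuthorizationFromNativeCreds");
            }
            return header;
        } catch (PrivilegedActionException e) {
            Manager.Ffdc.log(e, SpnegoTokenHelper.class, "com.ibm.wsspi.security.token.buildSpnegoAuthorizationFromNativeCreds", "237");
            Throwable cause = getGeneralCause(e);
            if (cause instanceof GSSException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a GSSException");
                }
                throw (GSSException) cause;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Throwing a " + cause.getClass().getName());
            }
            throw e;
        }
    }

    /**
     * Builds a {@code Negotiate} header value from the GSS credential stored in the given
     * Subject (looked up via {@code SubjectHelper.getGSSCredentialFromSubject}).
     *
     * @param str     service principal name (SPN) of the target service; must be non-empty
     * @param subject Subject carrying the Kerberos credential; must not be {@code null}
     * @param i       requested credential/context lifetime in seconds
     * @param z       {@code true} to request credential delegation to the service
     * @return {@code "Negotiate "} followed by the base64-encoded initial SPNEGO token
     * @throws GSSException              {@code BAD_NAME} for an empty SPN or a {@code null} Subject,
     *                                   {@code NO_CRED} when the Subject holds no GSS credential,
     *                                   or any other JGSS failure
     * @throws PrivilegedActionException when the privileged action fails with any other exception
     */
    public static String buildSpnegoAuthorizationFromSubject(final String str, final Subject subject, final int i, final boolean z) throws GSSException, PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildSpnegoAuthorizationFromSubject");
        }
        checkSpn(str);
        if (subject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Null Subject supplied");
            }
            throw new GSSException(GSSException.BAD_NAME);
        }
        traceArguments(str, i, z);
        try {
            String header = AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws LoginException, GSSException, PrivilegedActionException {
                    GSSCredential credential = SubjectHelper.getGSSCredentialFromSubject(subject);
                    if (credential != null) {
                        // Make the Kerberos credential usable under the SPNEGO mechanism as well.
                        credential.add(credential.getName(), i, i, SPNEGOMECHOID, GSSCredential.INITIATE_ONLY);
                    }
                    // A null credential is rejected (NO_CRED) by buildSpnegoAuthorization.
                    return buildSpnegoAuthorization(credential, str, i, z);
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token generated from Subject");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "buildSpnegoAuthorizationFromSubject");
            }
            return header;
        } catch (PrivilegedActionException e) {
            Manager.Ffdc.log(e, SpnegoTokenHelper.class, "com.ibm.wsspi.security.token.buildSpnegoAuthorizationFromSubject", "308");
            Throwable cause = getGeneralCause(e);
            if (cause instanceof GSSException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a GSSException");
                }
                throw (GSSException) cause;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Throwing a " + cause.getClass().getName());
            }
            throw e;
        }
    }

    /**
     * Builds a {@code Negotiate} header value by performing a JAAS login for a user
     * principal name (no password is supplied to the callback handler) and acquiring a
     * Kerberos credential for that principal inside {@code Subject.doAs}.
     *
     * <p>While the login and credential acquisition run, the JVM-global property
     * {@code Constants.KEY_JGSS_USE_SUBJ_CREDS} is forced to {@code "false"} and then
     * restored; see the class documentation for the concurrency implications.
     *
     * @param str  service principal name (SPN) of the target service; must be non-empty
     * @param str2 user principal name (UPN) to log in as; must be non-empty
     * @param str3 name of the JAAS login configuration entry to use
     * @param i    requested credential/context lifetime in seconds
     * @param z    {@code true} to request credential delegation to the service
     * @return {@code "Negotiate "} followed by the base64-encoded initial SPNEGO token
     * @throws GSSException              {@code BAD_NAME} for an empty SPN or UPN, or any JGSS failure
     * @throws LoginException            when the JAAS login fails
     * @throws PrivilegedActionException when the privileged action fails with any other exception
     */
    public static String buildSpnegoAuthorizationFromUpn(final String str, final String str2, final String str3, final int i, final boolean z) throws GSSException, LoginException, PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildSpnegoAuthorizationFromUpn");
        }
        checkSpn(str);
        checkUpn(str2);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SPN [" + str + "], upn [" + str2 + "], jaasLoginContextEntry [" + str3 + "], lifetime [" + i + "], delegate [" + z + "]");
        }
        try {
            String header = AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws LoginException, PrivilegedActionException, GSSException {
                    String previous = System.setProperty(USE_SUBJECT_CREDS_ONLY, "false");
                    try {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "login() with UPN");
                        }
                        LoginContext loginContext = new LoginContext(str3, new WSCallbackHandlerImpl(str2, null));
                        loginContext.login();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "login() was successful");
                        }
                        Subject subject = loginContext.getSubject();
                        final GSSManager manager = getGSSManager();
                        // Credential acquisition must run as the logged-in Subject so JGSS can find its tickets.
                        GSSCredential credential = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
                            @Override
                            public GSSCredential run() throws GSSException {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "id doAS" + USE_SUBJECT_CREDS_ONLY + "= [" + System.getProperty(USE_SUBJECT_CREDS_ONLY) + "]");
                                }
                                return createSpnegoCredentialForUpn(manager, str2, i);
                            }
                        });
                        return buildSpnegoAuthorization(credential, str, i, z);
                    } finally {
                        restoreUseSubjectCredsOnly(previous);
                    }
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token generated - for UPN [" + str2 + "]");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "buildSpnegoAuthorizationFromUpn");
            }
            return header;
        } catch (PrivilegedActionException e) {
            Manager.Ffdc.log(e, SpnegoTokenHelper.class, "com.ibm.wsspi.security.token.buildSpnegoAuthorizationFromUpn", "417");
            Throwable cause = getGeneralCause(e);
            if (cause instanceof LoginException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a LoginException");
                }
                throw (LoginException) cause;
            }
            if (cause instanceof GSSException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a GSSException");
                }
                throw (GSSException) cause;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Throwing a " + cause.getClass().getName());
            }
            throw e;
        }
    }

    /**
     * Builds a {@code Negotiate} header value by performing a userid/password JAAS login
     * against the {@code "JAASClient"} configuration entry and acquiring a Kerberos
     * credential for that user inside {@code Subject.doAs}.
     *
     * <p>Unlike the UPN and native-credential paths, this method does not touch the
     * {@code Constants.KEY_JGSS_USE_SUBJ_CREDS} system property.
     *
     * @param str  service principal name (SPN) of the target service; must be non-empty
     * @param str2 userid (used as the user principal name); must be non-empty
     * @param str3 password; must be non-empty (a {@link String} cannot be zeroed after use)
     * @param i    requested credential/context lifetime in seconds
     * @param z    {@code true} to request credential delegation to the service
     * @return {@code "Negotiate "} followed by the base64-encoded initial SPNEGO token
     * @throws GSSException              {@code BAD_NAME} for an empty SPN or userid, {@code NO_CRED}
     *                                   for an empty password, or any JGSS failure
     * @throws LoginException            when the JAAS login fails
     * @throws PrivilegedActionException when the privileged action fails with any other exception
     */
    public static String buildSpnegoAuthorizationFromUseridPassword(final String str, final String str2, final String str3, final int i, final boolean z) throws GSSException, LoginException, PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildSpnegoAuthorizationFromUseridPassword");
        }
        checkSpn(str);
        checkUpn(str2);
        checkPassword(str3);
        if (tc.isDebugEnabled()) {
            // The password is deliberately not traced.
            Tr.debug(tc, "SPN [" + str + "], userid [" + str2 + "], lifetime [" + i + "], delegate [" + z + "]");
        }
        try {
            String header = AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws LoginException, GSSException, PrivilegedActionException {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "login() with GSSUP");
                    }
                    LoginContext loginContext = new LoginContext("JAASClient", new WSCallbackHandlerImpl(str2, str3));
                    loginContext.login();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "login() was successful");
                    }
                    GSSCredential credential = Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<GSSCredential>() {
                        @Override
                        public GSSCredential run() throws GSSException {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "in doAS");
                            }
                            return createSpnegoCredentialForUpn(getGSSManager(), str2, i);
                        }
                    });
                    return buildSpnegoAuthorization(credential, str, i, z);
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token generated - using GSSUP for user [" + str2 + "]");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "buildSpnegoAuthorizationFromUseridPassword");
            }
            return header;
        } catch (PrivilegedActionException e) {
            Manager.Ffdc.log(e, SpnegoTokenHelper.class, "com.ibm.wsspi.security.token.buildSpnegoAuthorizationFromUseridPassword", "513");
            Throwable cause = getGeneralCause(e);
            if (cause instanceof LoginException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a LoginException");
                }
                throw (LoginException) cause;
            }
            if (cause instanceof GSSException) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Throwing a GSSException");
                }
                throw (GSSException) cause;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Throwing a " + cause.getClass().getName());
            }
            throw e;
        }
    }

    /**
     * Creates an initiate-only Kerberos credential for the given user principal and adds
     * the SPNEGO mechanism to it. Must be called in the security context that holds the
     * principal's tickets (the callers run it inside {@code Subject.doAs}).
     *
     * @param manager  GSS manager to create names and credentials with
     * @param upn      user principal name
     * @param lifetime requested credential lifetime in seconds
     * @return the credential, valid for both the Kerberos and SPNEGO mechanisms
     * @throws GSSException on any JGSS failure
     */
    private static GSSCredential createSpnegoCredentialForUpn(GSSManager manager, String upn, int lifetime) throws GSSException {
        GSSName name = manager.createName(upn, GSSName.NT_USER_NAME, KRB5MECHANISMOID);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "gssName = [" + name + "]");
        }
        GSSCredential credential = manager.createCredential(name.canonicalize(KRB5MECHANISMOID), lifetime, KRB5MECHANISMOID, GSSCredential.INITIATE_ONLY);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "got innerCred = [" + credential.toString() + "]");
        }
        credential.add(name, lifetime, lifetime, SPNEGOMECHOID, GSSCredential.INITIATE_ONLY);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "added SPNEGOMECHOID");
        }
        return credential;
    }

    /**
     * Creates the SPNEGO initiator context for the target service and returns the first
     * context token as a {@code Negotiate} header value.
     *
     * <p>The decompiler reports this method was originally {@code private}; it is kept
     * {@code public} here so existing callers are unaffected.
     *
     * @param gSSCredential initiator credential; must not be {@code null}
     * @param str           service principal name (SPN) of the target service; must be non-empty
     * @param i             requested context lifetime in seconds
     * @param z             {@code true} to request credential delegation to the service
     * @return {@code "Negotiate "} followed by the base64-encoded initial SPNEGO token
     * @throws GSSException {@code NO_CRED} for a {@code null} credential, {@code BAD_NAME} for an
     *                      empty SPN, {@code FAILURE} when no GSS manager is available, or any
     *                      other JGSS failure
     */
    public static String buildSpnegoAuthorization(GSSCredential gSSCredential, String str, int i, boolean z) throws GSSException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "buildSpnegoAuthorization");
        }
        if (gSSCredential == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Empty GSSCredential supplied");
            }
            throw new GSSException(GSSException.NO_CRED);
        }
        checkSpn(str);
        GSSManager manager = getGSSManager();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Step 1. Got GSSManager");
        }
        GSSName target = manager.createName(str, GSSName.NT_USER_NAME).canonicalize(SPNEGOMECHOID);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Step 2 - Got backEnd GSSName: " + target.toString());
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Step 3 - Got GSSCredential: " + gSSCredential.toString());
        }
        GSSContext context = manager.createContext(target, SPNEGOMECHOID, gSSCredential, i);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Step 4 - GSSContext: " + context);
        }
        byte[] token;
        try {
            // Mutual authentication is always requested; delegation only when the caller asks for it.
            context.requestMutualAuth(true);
            context.requestCredDeleg(z);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Step 5 - GSSContext: " + context);
            }
            token = context.initSecContext((byte[]) null, 0, 0);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Step 6 - initSecContext done.");
            }
        } finally {
            // Release native/JGSS state on both the success and failure paths.
            context.dispose();
        }
        // Base64Coder.base64Encode's return type is not visible here; the platform default
        // charset is used by this String constructor, as in the original.
        String header = "Negotiate " + new String(Base64Coder.base64Encode(token));
        if (tc.isDebugEnabled()) {
            // NOTE(review): this writes the full header value - a bearer credential for the
            // target service - to the trace log; enable this trace only for diagnostics.
            Tr.debug(tc, "SPNEGO token\n" + header);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Token generated");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "buildSpnegoAuthorization");
        }
        return header;
    }

    /** Traces the common (SPN, lifetime, delegate) argument triple at debug level. */
    private static void traceArguments(String str, int i, boolean z) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SPN [" + str + "], lifetime [" + i + "], delegate [" + z + "]");
        }
    }

    /**
     * Restores the {@code USE_SUBJECT_CREDS_ONLY} system property to the value it had before
     * a caller forced it to {@code "false"}; clears it when there was no previous value.
     *
     * @param previous the value returned by the earlier {@code System.setProperty}, or {@code null}
     */
    private static void restoreUseSubjectCredsOnly(String previous) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Resetting USE_SUBJECT_CREDS_ONLY");
        }
        if (previous != null) {
            System.setProperty(USE_SUBJECT_CREDS_ONLY, previous);
        } else {
            System.clearProperty(USE_SUBJECT_CREDS_ONLY);
        }
    }

    /**
     * Rejects a {@code null} or empty string.
     *
     * @param value        the value to check
     * @param debugMessage message traced at debug level when the check fails
     * @param majorCode    {@link GSSException} major code to throw with
     * @throws GSSException with {@code majorCode} when {@code value} is {@code null} or {@code ""}
     */
    private static void checkNotEmpty(String value, String debugMessage, int majorCode) throws GSSException {
        if (value == null || "".equals(value)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, debugMessage);
            }
            throw new GSSException(majorCode);
        }
    }

    /** @throws GSSException {@code BAD_NAME} when the service principal name is {@code null} or empty */
    private static void checkSpn(String str) throws GSSException {
        checkNotEmpty(str, "Empty Service Principal Name supplied", GSSException.BAD_NAME);
    }

    /** @throws GSSException {@code BAD_NAME} when the user principal name is {@code null} or empty */
    private static void checkUpn(String str) throws GSSException {
        checkNotEmpty(str, "Empty User Principal Name supplied", GSSException.BAD_NAME);
    }

    /** @throws GSSException {@code NO_CRED} when the password is {@code null} or empty */
    private static void checkPassword(String str) throws GSSException {
        checkNotEmpty(str, "Empty password supplied", GSSException.NO_CRED);
    }

    /**
     * Returns the default {@link GSSManager}.
     *
     * @throws GSSException {@code FAILURE} when {@link GSSManager#getInstance()} yields {@code null}
     */
    private static GSSManager getGSSManager() throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        if (manager != null) {
            return manager;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No GSSManager found");
        }
        throw new GSSException(GSSException.FAILURE);
    }

    /**
     * Unwraps a (possibly nested) {@link PrivilegedActionException} to the first cause that
     * is not itself a {@code PrivilegedActionException}.
     *
     * @param privilegedActionException the exception to unwrap; may be {@code null}
     * @return the innermost non-{@code PrivilegedActionException} cause; the argument itself
     *         when it has no cause or every cause is a {@code PrivilegedActionException};
     *         {@code null} only for a {@code null} argument
     */
    private static Throwable getGeneralCause(PrivilegedActionException privilegedActionException) {
        if (privilegedActionException == null) {
            return null;
        }
        Throwable cause = privilegedActionException.getCause();
        if (cause == null) {
            return privilegedActionException;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Deciphering a PrivilegedActionException [" + cause.getClass().getName() + "]");
            // Kept from the original: the stack goes to System.err, not to the trace.
            cause.printStackTrace();
        }
        while (cause instanceof PrivilegedActionException) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unravelling");
            }
            cause = cause.getCause();
        }
        if (cause == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Only PrivilegedActionException in stack.  Returning original exception.");
            }
            return privilegedActionException;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Unravelled to a " + cause.getClass().getName());
        }
        return cause;
    }

    static {
        // Both OIDs are fixed strings from Constants; a failure here is an internal error and
        // leaves the field null, so later JGSS calls fail rather than class loading.
        Oid krb5Oid;
        try {
            krb5Oid = new Oid(Constants.OID_KRB5_MECH);
        } catch (GSSException e) {
            System.err.println("Unexpected internal condition creating Kerberos OID: " + e);
            krb5Oid = null;
        }
        KRB5MECHANISMOID = krb5Oid;
        Oid spnegoOid;
        try {
            spnegoOid = new Oid(Constants.OID_SPNEGO_MECH);
        } catch (GSSException e2) {
            System.err.println("Unexpected internal condition creating SPNEGO OID: " + e2);
            spnegoOid = null;
        }
        SPNEGOMECHOID = spnegoOid;
    }
}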
