package com.ibm.ws.security.ltpa;

import com.ibm.CORBA.iiop.ORB;
import com.ibm.ejs.oa.EJSORB;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.InvalidTokenException;
import com.ibm.websphere.security.auth.TokenCreationFailedException;
import com.ibm.websphere.security.auth.TokenExpiredException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.BasicAuthData;
import com.ibm.ws.security.auth.WSCredentialImpl;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityConfig;
import com.ibm.ws.security.registry.RegistryUtil;
import com.ibm.ws.security.registry.UnsupportedEntryTypeException;
import com.ibm.ws.security.registry.UserRegistryImpl;
import com.ibm.ws.security.server.LTPAConfigException;
import com.ibm.ws.security.server.SecurityServerImpl;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.Base64Coder;
import com.ibm.wsspi.security.ltpa.Token;
import com.ibm.wsspi.security.ltpa.TokenFactory;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.xslt4j.bcel.Constants;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.rmi.RemoteException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Properties;
import java.util.StringTokenizer;

/* loaded from: input_file:lib/securityimpl.jar:com/ibm/ws/security/ltpa/LTPAServerObject.class */
public final class LTPAServerObject {
    // Trace component; assigned in the class's static initialiser, which is outside this view.
    private static final TraceComponent tc;
    private static final String NONE = "";
    private static final String USERTYPE = "user";
    private static final String GROUPTYPE = "group";
    private static final String ROLETYPE = "role";
    // Indexed with GROUP / USER below; the initialiser is not visible here, so the
    // element order is assumed from those constants — confirm against the static block.
    private static final String[] supportedTypes;
    private static final int GROUP = 0;
    private static final int USER = 1;
    // Separators used when parsing access ids (see getRelativeName) and the
    // "|"-delimited token-factory class list read by the private constructor.
    private static final String realmSeparator = "/";
    private static final String typeSeparator = ":";
    private static final String tokenFactorySeparator = "|";
    // Cached registry realm, refreshed on every getRelativeName call.
    private String realm;
    // Process-wide state: the registry, the token lifetime and the key material are
    // static, so every LTPAServerObject instance shares them.
    private static UserRegistryImpl userRegistry;
    private static long expirationLimit;
    // Raw LTPA password bytes. The private constructor stores the caller's array as-is
    // (no defensive copy); it is used to unwrap the encrypted private and shared keys.
    private byte[] adminPassword;
    private byte[] new_adminPassword;
    // TokenFactory instances in the order findFactory loaded them (raw ArrayList).
    private ArrayList tokenFactory;
    private static LTPAPublicKey ltpaPubKey;
    private static LTPAPrivateKey ltpaPrivKey;
    private static byte[] sharedKey;
    // Attribute map handed to every TokenFactory.initialize(). It carries the shared and
    // private keys, so it must never be logged or handed outside this class.
    private static HashMap tokenFactoryMap;
    private static LTPAPublicKey new_ltpaPubKey;
    private static LTPAPrivateKey new_ltpaPrivKey;
    private byte[] privateKey;
    private byte[] publicKey;
    // "new_*" fields: presumably staging for key rotation; none of the methods in this
    // view write them — confirm against the rest of the class.
    private byte[] new_sharedKey;
    private byte[] new_privateKey;
    private byte[] new_publicKey;
    // Base64-decoded but still encrypted key material as read from configuration.
    private byte[] encryptedPrivateKey;
    private byte[] encryptedSharedKey;
    private byte[] new_encryptedPrivateKey;
    private byte[] new_encryptedSharedKey;
    private static String CURRENT_LTPA_VERSION;
    // Configuration property names for the persisted LTPA key set.
    public static final String SHARED_KEY_PROPERTY = "com.ibm.websphere.ltpa.3DESKey";
    public static final String PUBLIC_KEY_PROPERTY = "com.ibm.websphere.ltpa.PublicKey";
    public static final String PRIVATE_KEY_PROPERTY = "com.ibm.websphere.ltpa.PrivateKey";
    public static final String LTPA_VERSION_PROPERTY = "com.ibm.websphere.ltpa.version";
    public static final String CREATION_DATE_PROPERTY = "com.ibm.websphere.CreationDate";
    public static final String CREATION_HOST_PROPERTY = "com.ibm.websphere.CreationHost";
    public static final String LDAP_REALM_PROPERTY = "com.ibm.websphere.ltpa.Realm";
    // Lazily created singleton returned by getLTPAServer().
    protected static LTPAServerObject ltpaServer;
    // FIPS mode flag and the JCE provider recorded when it is enabled (see initLTPAServer).
    static boolean _useFIPS;
    static String _defaultJCEProvider;
    private static final ContextManager ctxMgr;
    // Java 2 permissions checked by getLTPAServer() and createLTPAToken(String, String).
    private static final WebSphereRuntimePermission ACCESS_LTPA_SERVER_OBJECT;
    private static final WebSphereRuntimePermission MAP_CREDENTIAL;
    // Synthetic field emitted by the compiler for the LTPAServerObject.class literal.
    static Class class$com$ibm$ws$security$ltpa$LTPAServerObject;

    /**
     * Returns the process-wide LTPA server object, creating it on first use.
     * <p>
     * When a Java 2 {@link SecurityManager} is installed the caller must hold
     * {@code ACCESS_LTPA_SERVER_OBJECT}; the check runs before the singleton is touched,
     * so an unprivileged caller never triggers initialisation. The lazy creation is not
     * synchronised here — presumably first use happens during single-threaded server
     * start-up; confirm if this can be reached concurrently.
     *
     * @return the shared {@code LTPAServerObject}
     * @throws LTPAConfigException if the server object cannot be initialised
     */
    public static LTPAServerObject getLTPAServer() throws LTPAConfigException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLTPAServer");
        }
        SecurityManager guard = System.getSecurityManager();
        if (guard != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, "Expecting : " + ACCESS_LTPA_SERVER_OBJECT.toString());
            }
            // Throws SecurityException for callers lacking the permission.
            guard.checkPermission(ACCESS_LTPA_SERVER_OBJECT);
        }
        boolean needsInit = (ltpaServer == null);
        if (needsInit) {
            initLTPAServer();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getLTPAServer");
        }
        return ltpaServer;
    }

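    /**
     * Builds the {@link #ltpaServer} singleton from the active security configuration.
     * <p>
     * Nothing happens unless the active authentication mechanism is {@code LTPA} and
     * credential forwarding is enabled. The password, expiry, key pair and shared key
     * must all be present; otherwise an error is logged — recording only <em>which</em>
     * items are present, never their values — and initialisation fails.
     *
     * @throws LTPAConfigException if required configuration is missing or the server
     *         object cannot be constructed (the underlying exception goes to FFDC)
     */
    private static void initLTPAServer() throws LTPAConfigException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initLTPAServer");
        }
        String activeMechanism = (String) SecurityConfig.getConfig().getValue("security.activeAuthMechanism");
        Boolean forwardCred = (Boolean) SecurityConfig.getConfig().getValue("security.authMechForwardCred");
        if ("LTPA".equals(activeMechanism) && Boolean.TRUE.equals(forwardCred)) {
            try {
                String password = (String) SecurityConfig.getConfig().getValue("security.ltpa.password");
                Long expiry = (Long) SecurityConfig.getConfig().getValue("security.ltpa.expirydate");
                String privateKeyB64 = (String) SecurityConfig.getConfig().getValue("com.ibm.websphere.ltpa.PrivateKey");
                String publicKeyB64 = (String) SecurityConfig.getConfig().getValue("com.ibm.websphere.ltpa.PublicKey");
                String sharedKeyB64 = (String) SecurityConfig.getConfig().getValue("com.ibm.websphere.ltpa.3DESKey");
                if (expiry == null || privateKeyB64 == null || publicKeyB64 == null || sharedKeyB64 == null || password == null) {
                    // Report presence only; the secrets themselves must not reach the log.
                    Object[] present = new Object[5];
                    present[0] = password != null ? "LTPA password is set" : null;
                    present[1] = expiry != null ? expiry.toString() : null;
                    present[2] = privateKeyB64 != null ? "Private key is set" : null;
                    present[3] = publicKeyB64 != null ? "Public key is set" : null;
                    present[4] = sharedKeyB64 != null ? "Shared key is set" : null;
                    Tr.error(tc, "security.secsrv.badltpconfig", present);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Required LTPA configuration data is unavailable.  Initialization failed.");
                    }
                    throw new LTPAConfigException("Required LTPA configuration data is unavailable.  Initialization failed.");
                }
                ltpaServer = new LTPAServerObject(expiry.longValue(), password.getBytes("UTF8"), publicKeyB64, privateKeyB64, sharedKeyB64);
                // Null-safe comparison: an absent FIPS property previously threw a
                // NullPointerException here, which the catch below reported as a misleading
                // LTPAConfigException even though ltpaServer had already been assigned.
                String useFips = (String) SecurityConfig.getConfig().getValue("com.ibm.security.useFIPS");
                if ("true".equalsIgnoreCase(useFips)) {
                    _useFIPS = true;
                    _defaultJCEProvider = Security.getProperty("DEFAULT_JCE_PROVIDER");
                }
            } catch (LTPAConfigException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAServerObject.initLTPAServer", "244");
                throw e;
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.ltpa.LTPAServerObject.initLTPAServer", "249");
                Tr.error(tc, "security.secsrv.ltpaconfigerr", new Object[]{e2});
                // Only the String constructor of LTPAConfigException is used in this file;
                // the original exception is preserved through the FFDC record above.
                throw new LTPAConfigException(e2.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initLTPAServer");
        }
    }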

    /**
     * Builds the server object from configuration: unwraps the key material with the
     * LTPA password, publishes it to the shared token-factory attribute map and loads
     * every TokenFactory named in the configured, "|"-separated class list.
     *
     * @param j    token lifetime (stored in the static {@code expirationLimit})
     * @param bArr LTPA password bytes; the array is kept by reference, not copied
     * @param str  Base64 public key
     * @param str2 Base64, password-encrypted private key
     * @param str3 Base64, password-encrypted shared key
     * @throws LTPAConfigException if decoding, key unwrapping or factory loading fails;
     *         the original exception is recorded via FFDC, only its message is carried
     */
    private LTPAServerObject(long j, byte[] bArr, String str, String str2, String str3) throws LTPAConfigException {
        this.realm = null;
        this.adminPassword = null;
        this.new_adminPassword = null;
        this.tokenFactory = new ArrayList();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.CONSTRUCTOR_NAME);
        }
        // Static state: every instance shares the registry and the expiry limit.
        userRegistry = (UserRegistryImpl) SecurityServerImpl.getRegistryImpl(ctxMgr.getDefaultRealm());
        expirationLimit = j;
        this.adminPassword = bArr;
        try {
            this.encryptedSharedKey = Base64Coder.base64Decode(str3.getBytes("UTF8"));
            this.encryptedPrivateKey = Base64Coder.base64Decode(str2.getBytes("UTF8"));
            this.publicKey = Base64Coder.base64Decode(str.getBytes("UTF8"));
            ltpaPubKey = new LTPAPublicKey(this.publicKey);
            // getPrivateKey / getSharedKey (defined elsewhere in this class) unwrap the
            // encrypted material with the password bytes.
            ltpaPrivKey = new LTPAPrivateKey(getPrivateKey(bArr, this.encryptedPrivateKey));
            sharedKey = getSharedKey(bArr, this.encryptedSharedKey);
            // The map carries live key material; it is passed to each TokenFactory.initialize().
            tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.expiration", new Long(expirationLimit));
            tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.ltpa_shared_key", sharedKey);
            tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.ltpa_public_key", ltpaPubKey);
            tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.ltpa_private_key", ltpaPrivKey);
            try {
                // Factory class names come from configuration, not from callers; findFactory
                // instantiates each one reflectively.
                StringTokenizer stringTokenizer = new StringTokenizer((String) SecurityConfig.getConfig().getValue("com.ibm.wsspi.security.ltpa.tokenFactory"), tokenFactorySeparator);
                while (stringTokenizer.hasMoreTokens()) {
                    findFactory(stringTokenizer.nextToken());
                }
                // Exit trace lives inside the try, so it is only written on success.
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, Constants.CONSTRUCTOR_NAME, this);
                }
            } catch (Exception e) {
                // Also catches the WSLoginFailedException thrown by findFactory.
                FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAServerObject.LTPAServerObject", "311", this);
                Tr.error(tc, "security.ltpa.init.error", new Object[]{e});
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "LTPAServerObject", e);
                }
                throw new LTPAConfigException(e.getMessage());
            }
        } catch (UnsupportedEncodingException e2) {
            // "UTF8" is always available on a JVM; kept because getBytes(String) declares it.
            FFDCFilter.processException(e2, "com.ibm.ws.security.ltpa.LTPAServerObject.LTPAServerObject", "278", this);
            Tr.error(tc, "security.ltpa.init.error", new Object[]{e2});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "LTPAServerObject", e2);
            }
            throw new LTPAConfigException(e2.getMessage());
        } catch (Exception e3) {
            // Covers Base64 decoding and key-unwrapping failures (e.g. a wrong password).
            FFDCFilter.processException(e3, "com.ibm.ws.security.ltpa.LTPAServerObject.LTPAServerObject", "285", this);
            Tr.error(tc, "security.ltpa.init.error", new Object[]{e3});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "LTPAServerObject", e3);
            }
            throw new LTPAConfigException(e3.getMessage());
        }
    }

    /**
     * Creates an empty server object: no realm, no password and no token factories.
     * <p>
     * Unlike the private constructor this touches none of the static key material, so the
     * instance only becomes usable once that state has been initialised elsewhere.
     */
    public LTPAServerObject() {
        tokenFactory = new ArrayList();
        realm = null;
        adminPassword = null;
        new_adminPassword = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.CONSTRUCTOR_NAME);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, Constants.CONSTRUCTOR_NAME, this);
        }
    }

    /**
     * Returns the registered {@link TokenFactory} whose class name is {@code str},
     * loading and initialising it on first request.
     * <p>
     * New factories are instantiated reflectively from the class name and initialised
     * with the shared attribute map (which carries the LTPA keys). The names are
     * expected to come from server configuration, not from end users; callers passing
     * a name from any other source are responsible for vetting it.
     *
     * @param str fully qualified class name of the factory
     * @return the factory instance (never null on normal return)
     * @throws WSLoginFailedException if the class cannot be loaded, instantiated or initialised
     */
    public TokenFactory findFactory(String str) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "findFactory", str);
        }
        TokenFactory[] registered = (TokenFactory[]) this.tokenFactory.toArray(new TokenFactory[0]);
        TokenFactory match = null;
        // Scanning from the end and stopping at the first hit selects the same element as a
        // forward scan that keeps the last hit.
        for (int idx = registered.length - 1; idx >= 0 && match == null; idx--) {
            if (registered[idx].getClass().getName().equals(str)) {
                match = registered[idx];
            }
        }
        if (match == null) {
            try {
                match = (TokenFactory) Class.forName(str).newInstance();
                match.initialize(tokenFactoryMap);
                this.tokenFactory.add(match);
            } catch (Exception loadFailure) {
                FFDCFilter.processException(loadFailure, "com.ibm.ws.security.ltpa.LTPAServerObject.findFactory", "366", this);
                Tr.error(tc, "security.ltpa.factory.init.error", new Object[]{str, loadFailure});
                throw new WSLoginFailedException(loadFailure.getMessage(), loadFailure);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "findFactory", match);
        }
        return match;
    }

    /**
     * Re-publishes the current expiry limit and key material to every registered
     * TokenFactory by calling {@code initialize} on each one again.
     * <p>
     * The static attribute map is updated in place (it is the same map findFactory hands
     * to newly loaded factories), so factories loaded afterwards see the current keys too.
     */
    public void refreshTokenFactories() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "refreshTokenFactories");
        }
        tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.expiration", new Long(expirationLimit));
        tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.ltpa_shared_key", sharedKey);
        tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.ltpa_public_key", ltpaPubKey);
        tokenFactoryMap.put("com.ibm.wsspi.security.ltpa.ltpa_private_key", ltpaPrivKey);
        TokenFactory[] factories = (TokenFactory[]) this.tokenFactory.toArray(new TokenFactory[0]);
        int idx = 0;
        while (idx < factories.length) {
            TokenFactory factory = factories[idx];
            if (tc.isDebugEnabled()) {
                // Only the class name is traced, never the map contents.
                Tr.debug(tc, "Refreshing tokenFactory keys for: " + factory.getClass().getName());
            }
            factory.initialize(tokenFactoryMap);
            idx++;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "refreshTokenFactories");
        }
    }

    /**
     * Creates an LTPA token for a user using the named token factory.
     * <p>
     * Callers must hold {@code MAP_CREDENTIAL} when a Java 2 SecurityManager is installed.
     * If {@code str} already starts with the user type prefix ({@code supportedTypes[1]})
     * it is used as the access id verbatim — no registry lookup validates it — otherwise
     * the registry resolves the unique user id. When no registry is configured the
     * method returns {@code null} without creating anything.
     *
     * @param str  user name, or an access id already carrying the user type prefix
     * @param str2 class name of the TokenFactory to use
     * @return the created token, or {@code null} in bootstrap mode (no registry)
     * @throws WSLoginFailedException if {@code str2} is null, the access id cannot be
     *         resolved, the factory is unavailable, or token creation fails
     */
    public Token createLTPAToken(String str, String str2) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createLTPAToken", new Object[]{str, str2});
        }
        if (str2 == null) {
            throw new WSLoginFailedException("TokenFactory is null");
        }
        SecurityManager guard = System.getSecurityManager();
        if (guard != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, "Expecting : " + MAP_CREDENTIAL.toString());
            }
            guard.checkPermission(MAP_CREDENTIAL);
        }
        Token created = null;
        try {
            if (getUserRegistry() != null) {
                String accessId;
                if (str.startsWith(supportedTypes[1])) {
                    accessId = str;
                } else {
                    accessId = getUserRegistry().getUniqueUserId(str);
                }
                if (accessId == null) {
                    Tr.error(tc, "security.ltpa.credmap.failed.nullaccessid");
                    throw new WSLoginFailedException("Cannot create token since accessID is null");
                }
                TokenFactory factory = findFactory(str2);
                if (factory == null) {
                    Tr.error(tc, "security.ltpa.factory.null.error", new Object[]{str2});
                    throw new WSLoginFailedException("TokenFactory is null");
                }
                HashMap tokenAttributes = new HashMap();
                tokenAttributes.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, accessId);
                created = factory.createToken(tokenAttributes);
                if (created == null) {
                    Tr.error(tc, "security.ltpa.validate.nulltoken");
                    throw new WSLoginFailedException("Token is null");
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createLTPAToken", created);
            }
            return created;
        } catch (WSLoginFailedException loginFailure) {
            FFDCFilter.processException(loginFailure, "com.ibm.ws.security.ltpa.LTPAServerObject.createLTPAToken", "477", this);
            throw loginFailure;
        } catch (Exception other) {
            FFDCFilter.processException(other, "com.ibm.ws.security.ltpa.LTPAServerObject.createLTPAToken", "482", this);
            Tr.error(tc, "security.ltpa.factory.tokencreate.error", new Object[]{str2, other});
            throw new WSLoginFailedException(other.getMessage(), other);
        }
    }

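    /**
     * Wraps an authenticated credential in a new {@link WSCredentialImpl} that carries a
     * freshly minted LTPA token for the credential's access id.
     * <p>
     * The token factory is the class named by the
     * {@code com.ibm.wsspi.security.token.authenticationTokenFactory} configuration value.
     * The new credential is constructed inside a privileged action so that callers
     * without the required Java 2 permissions can still obtain it.
     *
     * @param wSCredential the credential to map; its access id must be set
     * @return a new credential wrapping {@code wSCredential} and the created token
     * @throws TokenCreationFailedException if the access id is null, no token factory is
     *         available, the factory returns no token, or building the credential fails
     */
    public WSCredential createLTPAToken(WSCredential wSCredential) throws TokenCreationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createLTPAToken", wSCredential);
        }
        String factoryName = (String) SecurityConfig.getConfig().getValue("com.ibm.wsspi.security.token.authenticationTokenFactory");
        try {
            String accessId = wSCredential.getAccessId();
            if (accessId == null) {
                Tr.error(tc, "security.ltpa.credmap.failed.nullaccessid");
                throw new TokenCreationFailedException("Cannot create token since accessID is null");
            }
            TokenFactory factory = findFactory(factoryName);
            if (factory == null) {
                // Previously only logged; execution then continued into a NullPointerException
                // whose null message became the exception text. Fail here instead, mirroring
                // createLTPAToken(String, String).
                Tr.error(tc, "security.ltpa.factory.null.error", new Object[]{factoryName});
                throw new TokenCreationFailedException("TokenFactory is null");
            }
            HashMap tokenAttributes = new HashMap();
            tokenAttributes.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, accessId);
            final Token privToken = factory.createToken(tokenAttributes);
            if (privToken == null) {
                // Same check as createLTPAToken(String, String); avoids a NullPointerException
                // on privToken.getExpiration() inside the privileged action.
                Tr.error(tc, "security.ltpa.validate.nulltoken");
                throw new TokenCreationFailedException("Token is null");
            }
            final WSCredential sourceCred = wSCredential;
            try {
                WSCredential mapped = (WSCredential) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                    public Object run() throws Exception {
                        return new WSCredentialImpl(sourceCred, "oid:1.3.18.0.2.30.2", privToken, true, privToken.getExpiration());
                    }
                });
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "createLTPAToken", mapped);
                }
                return mapped;
            } catch (PrivilegedActionException e) {
                Exception cause = e.getException();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception occurred creating new WS cred.", new Object[]{cause});
                }
                FFDCFilter.processException(cause, "com.ibm.ws.security.ltpa.LTPAServerObject.createLTPAToken", "547", this);
                throw new TokenCreationFailedException(cause != null ? cause.getMessage() : "Exception occurred creating new WS cred.");
            }
        } catch (Exception e2) {
            // Also re-wraps the TokenCreationFailedExceptions thrown above, as the original did.
            FFDCFilter.processException(e2, "com.ibm.ws.security.ltpa.LTPAServerObject.createLTPAToken", "522", this);
            Tr.error(tc, "security.ltpa.factory.tokencreate.error", new Object[]{factoryName, e2});
            throw new TokenCreationFailedException(e2.getMessage());
        }
    }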

    /**
     * Authenticates a user id / password pair against the registry and returns a
     * credential carrying an LTPA token.
     * <p>
     * With no registry configured the unauthenticated credential is used as the base.
     * Otherwise the registry's {@code checkPassword} verifies the password and its
     * result is turned into a credential, which is then mapped via
     * {@link #createLTPAToken(WSCredential)}.
     *
     * @param basicAuthData user id and password to verify
     * @return a credential for the authenticated user with its LTPA token attached
     * @throws WSLoginFailedException if verification, credential creation or token
     *         creation fails, or the registry returns a null credential
     */
    public WSCredential authenticate(BasicAuthData basicAuthData) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate");
        }
        try {
            WSCredential baseCred = null;
            if (getUserRegistry() == null) {
                baseCred = ctxMgr.getUnauthenticatedCredential();
            }
            if (baseCred == null) {
                // checkPassword is the actual password verification; its result feeds createCredential.
                baseCred = getUserRegistry().createCredential(getUserRegistry().checkPassword(basicAuthData.getUserid(), basicAuthData.getPassword()));
            }
            if (baseCred == null) {
                throw new WSLoginFailedException("Credential returned by createCredential is null");
            }
            WSCredential tokenCred = createLTPAToken(baseCred);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate", tokenCred);
            }
            return tokenCred;
        } catch (TokenCreationFailedException tokenFailure) {
            FFDCFilter.processException(tokenFailure, "com.ibm.ws.security.ltpa.LTPAServerObject.authenticate", "590", this);
            Tr.error(tc, "security.ltpa.authenticate", new Object[]{tokenFailure.getMessage()});
            throw new WSLoginFailedException(tokenFailure.getMessage(), tokenFailure);
        } catch (WSLoginFailedException loginFailure) {
            // Already the right type; propagate untouched (no FFDC for this path).
            throw loginFailure;
        } catch (Exception other) {
            FFDCFilter.processException(other, "com.ibm.ws.security.ltpa.LTPAServerObject.authenticate", "596", this);
            Tr.error(tc, "security.ltpa.authenticate", new Object[]{other.getMessage()});
            throw new WSLoginFailedException(other.getMessage(), other);
        }
    }

    /**
     * Login-token authentication is not supported by this server object.
     *
     * @param bArr ignored
     * @return never returns normally
     * @throws WSLoginFailedException always
     * @throws RemoteException declared for interface compatibility; never thrown here
     */
    public WSCredential authenticateLoginToken(byte[] bArr) throws WSLoginFailedException, RemoteException {
        final String unsupported = "LTPAServerObject: authenticateLoginToken not implemented";
        throw new WSLoginFailedException(unsupported);
    }

    /**
     * Validates raw token bytes against every registered TokenFactory, in registration
     * order, and returns the first token a factory accepts.
     * <p>
     * Returns {@code null} in bootstrap mode (no registry); callers must handle that.
     * Note that several {@code Tr.exit} calls below are used as free-form progress
     * markers rather than real method exits.
     *
     * @param bArr serialized token bytes
     * @return the validated token, or {@code null} when no registry is configured
     * @throws WSLoginFailedException if {@code bArr} is null or no factory accepts the token
     */
    public Token validateToken(byte[] bArr) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            // Entry trace receives the raw token bytes; entry tracing should stay off in production.
            Tr.entry(tc, "validateToken", bArr);
        }
        if (bArr == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validate: LTPA validate failed");
            }
            Tr.error(tc, "security.ltpa.validate.nulltoken");
            throw new WSLoginFailedException("LTPAServerObject: token passed in is null.");
        }
        Token token = null;
        // Accumulates per-factory failures; see the note at the unreachable branches below.
        WSLoginFailedException wSLoginFailedException = null;
        try {
            if (getUserRegistry() == null) {
                return null;
            }
            TokenFactory[] tokenFactoryArr = (TokenFactory[]) this.tokenFactory.toArray(new TokenFactory[0]);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "BEGIN VALIDATING TOKEN: some errors may occur, look for SUCCESS:");
            }
            for (int i = 0; i < tokenFactoryArr.length; i++) {
                try {
                    try {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("Calling tokenFactory[").append(i).append("].validateTokenBytes()").toString());
                        }
                        token = tokenFactoryArr[i].validateTokenBytes(bArr);
                    } catch (TokenExpiredException e) {
                        FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAServerObject.validate", "677", this);
                        Tr.warning(tc, "security.ltpa.validate.tokenexpired", new Object[]{e.getMessage()});
                        // NOTE(review): as nested here (decompiled), this throw is still inside the
                        // outer try, so the enclosing catch (Exception e3) below intercepts it and
                        // the loop moves on to the next factory. Verify against the original source.
                        throw new WSLoginFailedException(e.getMessage(), e);
                    }
                } catch (InvalidTokenException e2) {
                    FFDCFilter.processException(e2, "com.ibm.ws.security.ltpa.LTPAServerObject.validate", "656", this);
                    // NOTE(review): i < tokenFactoryArr.length always holds inside this loop, so
                    // this branch is unreachable and the aggregated exception is never thrown;
                    // after the loop the generic "Token is null." below is raised instead and the
                    // collected causes are dropped. Presumably "last factory" was intended.
                    if (i >= tokenFactoryArr.length) {
                        wSLoginFailedException.addException(e2);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception occurred processing TokenFactory validateTokenBytes.", new Object[]{wSLoginFailedException});
                        }
                        throw wSLoginFailedException;
                    }
                    if (wSLoginFailedException == null) {
                        wSLoginFailedException = new WSLoginFailedException(e2.getMessage(), e2);
                    } else {
                        wSLoginFailedException.addException(e2);
                    }
                } catch (Exception e3) {
                    FFDCFilter.processException(e3, "com.ibm.ws.security.ltpa.LTPAServerObject.validate", "683", this);
                    // Same unreachable condition as above.
                    if (i >= tokenFactoryArr.length) {
                        wSLoginFailedException.addException(e3);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception occurred processing TokenFactory validateTokenBytes.", new Object[]{wSLoginFailedException});
                        }
                        throw wSLoginFailedException;
                    }
                    if (wSLoginFailedException == null) {
                        wSLoginFailedException = new WSLoginFailedException(e3.getMessage(), e3);
                    } else {
                        wSLoginFailedException.addException(e3);
                    }
                }
                // First factory to return a token wins.
                if (token != null) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, new StringBuffer().append("SUCCESS: validated using tokenFactoryArray[").append(i).append("]: ").append(tokenFactoryArr[i].getClass().getName()).toString());
                    }
                    return token;
                }
            }
            if (token != null) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "validateToken");
                }
                return token;
            }
            // Reached when no factory accepted the token (or none are registered).
            // This Tr.debug is not guarded by isDebugEnabled, unlike the others in this method.
            Tr.debug(tc, "security.ltpa.validate.verifytoken.failed");
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "LTPAServerObject: LTPATokenFactory.validateTokenBytes internal error.");
            }
            throw new WSLoginFailedException("Token is null.");
        } catch (Exception e4) {
            // Also catches the WSLoginFailedException thrown just above; it is rethrown as-is.
            Tr.debug(tc, "security.ltpa.validate.verifytoken.failed");
            FFDCFilter.processException(e4, "com.ibm.ws.security.ltpa.LTPAServerObject.validate", "715", this);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "LTPAServerObject: LTPAToken.getInstance internal error.", new Object[]{e4});
            }
            if (e4 instanceof WSLoginFailedException) {
                throw ((WSLoginFailedException) e4);
            }
            throw new WSLoginFailedException(e4.getMessage(), e4);
        }
    }

    /**
     * Validates raw token bytes and converts the resulting token into a credential.
     * <p>
     * The entry trace label is taken from an unrelated Xerces constant (a constant-folding
     * artefact of the decompiled class); it is presumably just the string "validate".
     *
     * @param bArr serialized token bytes
     * @return the credential built from the validated token
     * @throws WSLoginFailedException if validation fails or yields no token
     */
    public WSCredential validate(byte[] bArr) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, org.apache.xerces.impl.Constants.DOM_VALIDATE);
        }
        Token token = validateToken(bArr);
        if (token == null) {
            // validateToken returns null only in bootstrap mode (no registry).
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Problem validating token, returning null.");
            }
            throw new WSLoginFailedException("Problem validating LTPA token.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate (bytes)");
        }
        return validate(token);
    }

    /**
     * Builds a credential for the user named in an already-validated token.
     * <p>
     * In bootstrap mode (no registry, or no token) the unauthenticated credential is
     * returned. Otherwise the token's {@code "u"} attribute is resolved to a registry
     * security name, optionally re-checked against Access Manager when the registry is
     * TAM-backed, turned into a registry credential and wrapped — inside a privileged
     * action — in a {@link WSCredentialImpl} that carries the token and its expiry.
     *
     * @param token a token that has already passed {@link #validateToken(byte[])}
     * @return the credential for the token's user
     * @throws WSLoginFailedException if the user cannot be resolved, is rejected by Access
     *         Manager, or the credential cannot be created
     */
    public WSCredential validate(Token token) throws WSLoginFailedException {
        if (getUserRegistry() == null || token == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Bootstrap mode: returning unauthenticated cred.");
            }
            try {
                return ctxMgr.getUnauthenticatedCredential();
            } catch (WSSecurityException bootstrapFailure) {
                throw new WSLoginFailedException(bootstrapFailure.getMessage(), bootstrapFailure);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "validation successful - to create credential");
        }
        try {
            String securityName = getSecurityName(token.getAttributes("u")[0]);
            boolean rejectedByTam = SecurityConfig.isRegTAM() && !RegistryUtil.checkValidUserifTAM(securityName, getUserRegistry());
            if (rejectedByTam) {
                throw new WSLoginFailedException("User is not valid in Access Manager");
            }
            // Both values are resolved before the privileged block so that failures here
            // reach the outer catches, exactly as when they were evaluated as arguments.
            final WSCredential registryCred = getUserRegistry().createCredential(securityName);
            final Token privToken = token;
            try {
                WSCredential mapped = (WSCredential) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                    public Object run() throws Exception {
                        return new WSCredentialImpl(registryCred, "oid:1.3.18.0.2.30.2", privToken, true, privToken.getExpiration());
                    }
                });
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, org.apache.xerces.impl.Constants.DOM_VALIDATE);
                }
                return mapped;
            } catch (PrivilegedActionException wrapped) {
                Exception cause = wrapped.getException();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception occurred creating new WS cred.", new Object[]{cause});
                }
                FFDCFilter.processException(cause, "com.ibm.ws.security.ltpa.LTPAServerObject.createLTPAToken", "813", this);
                throw new WSLoginFailedException(cause != null ? cause.getMessage() : "Exception occurred creating new WS cred.", cause);
            }
        } catch (WSLoginFailedException loginFailure) {
            FFDCFilter.processException(loginFailure, "com.ibm.ws.security.ltpa.LTPAServerObject.validate", "824", this);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validate: LTPA validation failed", loginFailure);
            }
            Tr.error(tc, "security.ltpa.validate.createcredential.failed", new Object[]{null, loginFailure});
            throw loginFailure;
        } catch (Exception other) {
            FFDCFilter.processException(other, "com.ibm.ws.security.ltpa.LTPAServerObject.validate", "831", this);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validate: LTPA validation failed", other);
            }
            Tr.error(tc, "security.ltpa.validate.createcredential.failed", new Object[]{null, other});
            throw new WSLoginFailedException(other.getMessage(), other);
        }
    }

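    /**
     * Validates raw token bytes and returns the security name of the token's user.
     * <p>
     * Any failure — including an invalid or expired token — yields {@code null}; the
     * cause is only visible in the trace. Callers must treat {@code null} as "not
     * authenticated".
     *
     * @param bArr serialized token bytes
     * @return the registry security name for the token's user, or {@code null} if the
     *         token is missing, invalid, expired or cannot be resolved
     */
    public String validateGetUser(byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateGetUser", bArr);
        }
        String securityName = null;
        try {
            Token token = validateToken(bArr);
            if (token == null || !token.isValid()) {
                // Previously the name lookup still ran after this error was logged (and NPE'd
                // for a null token). An invalid token must not resolve to a user, so the
                // result stays null.
                Tr.error(tc, "security.ltpa.validate.tokenexpired");
            } else {
                securityName = getSecurityName(token.getAttributes("u")[0]);
            }
        } catch (Exception e) {
            // validateToken throws for unparseable/expired tokens; report null rather than propagate.
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateGetUser: LTPA token is not valid", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateGetUser", securityName);
        }
        return securityName;
    }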

    /**
     * Returns the expiration time of a token, validating it first.
     *
     * @param bArr serialized token bytes
     * @return the token's expiration value, or {@code 0} if validation produced no valid
     *         token without throwing
     * @throws InvalidTokenException if {@code bArr} is null
     * @throws TokenExpiredException if validation throws for any reason (the original
     *         exception is not chained; the no-argument constructor is used)
     */
    public long getExpiration(byte[] bArr) throws InvalidTokenException, TokenExpiredException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getExpiration", bArr);
        }
        if (bArr == null) {
            throw new InvalidTokenException();
        }
        try {
            Token token = validateToken(bArr);
            boolean usable = token != null && token.isValid();
            long expiresAt = usable ? token.getExpiration() : 0L;
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getExpiration", new Long(expiresAt));
            }
            return expiresAt;
        } catch (Exception validationFailure) {
            throw new TokenExpiredException();
        }
    }

    /**
     * Resolves a token entry identifier to the security name known by the user registry.
     *
     * <p>The identifier must start with one of the {@code supportedTypes} prefixes
     * ({@code "user"} or {@code "group"}); the realm-qualified part is stripped and checked
     * by {@code getRelativeName} before the registry is consulted.
     *
     * @param str the entry identifier taken from the token
     * @return the user or group security name reported by the registry
     * @throws UnsupportedEntryTypeException if {@code str} carries neither prefix
     * @throws CustomRegistryException if the realm does not match or the registry fails
     * @throws EntryNotFoundException if the registry does not know the entry
     * @throws RemoteException on registry communication failure
     */
    private String getSecurityName(String str) throws CustomRegistryException, EntryNotFoundException, UnsupportedEntryTypeException, RemoteException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityName", str);
        }
        // Realm check and strip first; this also refreshes this.realm from the registry.
        String relativeName = getRelativeName(str);
        boolean isUser = str.startsWith(supportedTypes[1]);
        boolean isGroup = str.startsWith(supportedTypes[0]);
        if (!isUser && !isGroup) {
            UnsupportedEntryTypeException badType = new UnsupportedEntryTypeException("not USER or GROUP");
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getSecurityName", badType);
            }
            Tr.error(tc, "security.ltpa.badtype", new Object[]{badType});
            throw badType;
        }
        String securityName;
        if (isUser) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Calling userRegistry.getUserSecName");
            }
            securityName = getUserRegistry().getUserSecurityName(relativeName);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Back from  userRegistry.getUserSecName");
            }
        } else {
            securityName = getUserRegistry().getGroupSecurityName(relativeName);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityName", securityName);
        }
        return securityName;
    }

    /**
     * Strips the realm qualifier from a token entry identifier after checking it against the
     * registry's current realm.
     *
     * <p>When {@code str} contains a {@code /}, the text between the first {@code :} (or the
     * start of the string) and that {@code /} is taken as the realm and must equal the realm
     * reported by {@code getUserRegistry().getRealm()}; the part after the {@code /} is
     * returned. Without a {@code /} the identifier is returned unchanged. As a side effect
     * {@code this.realm} is refreshed from the registry on every call.
     *
     * @param str the entry identifier from the token
     * @return the identifier without its realm qualifier
     * @throws CustomRegistryException if the realm in the token differs from the current realm,
     *         or the registry fails
     * @throws RemoteException on registry communication failure
     */
    private String getRelativeName(String str) throws CustomRegistryException, RemoteException {
        int slashIndex = str.indexOf("/");
        String relativeName = str;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRelativeName", str);
        }
        this.realm = getUserRegistry().getRealm();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "realm from userRegistry.getRealm(): " + this.realm + "\n realm length: " + this.realm.length());
            Tr.debug(tc, "realmIndex: " + slashIndex);
        }
        if (slashIndex >= 0) {
            int realmStart = str.indexOf(":") + 1;
            // Same length and same characters: the realm occupies exactly [realmStart, slashIndex).
            boolean realmMatches = (slashIndex - realmStart) == this.realm.length()
                    && str.startsWith(this.realm, realmStart);
            if (!realmMatches) {
                Tr.error(tc, "security.ltpa.realm_mismatch");
                throw new CustomRegistryException("The realm in the token: " + str.substring(realmStart, slashIndex) + " does not match the current realm: " + this.realm);
            }
            relativeName = str.substring(slashIndex + 1);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRelativeName", relativeName);
        }
        return relativeName;
    }

    /**
     * Decrypts an encrypted LTPA private key.
     *
     * @param bArr the password used to build the {@link KeyEncryptor}
     * @param bArr2 the encrypted private key; it is cloned before decryption so the caller's
     *        array is never modified
     * @return the decrypted private key bytes
     */
    private byte[] getPrivateKey(byte[] bArr, byte[] bArr2) {
        KeyEncryptor encryptor = new KeyEncryptor(bArr);
        byte[] encryptedCopy = (byte[]) bArr2.clone();
        return encryptor.decrypt(encryptedCopy);
    }

    /**
     * Decrypts an encrypted LTPA shared (3DES) key.
     *
     * @param bArr the password used to build the {@link KeyEncryptor}
     * @param bArr2 the encrypted shared key; it is cloned before decryption so the caller's
     *        array is never modified
     * @return the decrypted shared key bytes
     */
    private byte[] getSharedKey(byte[] bArr, byte[] bArr2) {
        KeyEncryptor encryptor = new KeyEncryptor(bArr);
        byte[] encryptedCopy = (byte[]) bArr2.clone();
        return encryptor.decrypt(encryptedCopy);
    }

    /**
     * Returns the encoded LTPA public key currently held by this object.
     *
     * <p>The internal array is returned directly (no defensive copy). The declared
     * {@code RemoteException} is never thrown here.
     *
     * @return the public key bytes, or {@code null} if no keys have been set
     */
    private byte[] getPublicKey() throws RemoteException {
        byte[] key = this.publicKey;
        return key;
    }

    /**
     * Returns the password-encrypted LTPA private key currently held by this object.
     *
     * <p>The internal array is returned directly (no defensive copy). The declared
     * {@code RemoteException} is never thrown here.
     *
     * @return the encrypted private key bytes, or {@code null} if no keys have been set
     */
    private byte[] getEncPrivateKey() throws RemoteException {
        byte[] key = this.encryptedPrivateKey;
        return key;
    }

    /**
     * Returns the password-encrypted LTPA shared key currently held by this object.
     *
     * <p>The internal array is returned directly (no defensive copy). The declared
     * {@code RemoteException} is never thrown here.
     *
     * @return the encrypted shared key bytes, or {@code null} if no keys have been set
     */
    private byte[] getEncSharedKey() throws RemoteException {
        byte[] key = this.encryptedSharedKey;
        return key;
    }

    /**
     * Generates a brand-new LTPA key set (signing key pair plus shared 3DES key), installs it on
     * this object and rebuilds the token factories.
     *
     * <p>The private and shared keys are additionally stored in password-encrypted form, using a
     * {@link KeyEncryptor} built from {@code bArr}. Statement order matters: every key field is
     * assigned before {@code refreshTokenFactories()} runs.
     *
     * @param bArr the admin password protecting the encrypted key copies; the array is stored by
     *        reference (not copied)
     * @throws RemoteException declared for callers; nothing in this body throws it directly
     */
    public synchronized void generateKeys(byte[] bArr) throws RemoteException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "generateKeys");
        }
        // Kept by reference: the caller's array is aliased, not copied.
        this.adminPassword = bArr;
        KeyEncryptor keyEncryptor = new KeyEncryptor(this.adminPassword);
        LTPAKeyPair generateLTPAKeyPair = LTPADigSignature.generateLTPAKeyPair();
        this.publicKey = generateLTPAKeyPair.getPublic().getEncoded();
        this.privateKey = generateLTPAKeyPair.getPrivate().getEncoded();
        // ltpaPubKey / ltpaPrivKey / sharedKey are assigned without "this." and appear to be
        // static, i.e. shared by every instance of this class.
        ltpaPubKey = new LTPAPublicKey(this.publicKey);
        ltpaPrivKey = new LTPAPrivateKey(this.privateKey);
        // Encrypted copies: encrypt() is handed a clone so the plaintext key arrays stay intact.
        this.encryptedPrivateKey = keyEncryptor.encrypt((byte[]) this.privateKey.clone());
        // Instance is discarded; presumably a decompiler rendering of a static call on LTPACrypto.
        new LTPACrypto();
        sharedKey = LTPACrypto.generate3DESKey();
        this.encryptedSharedKey = keyEncryptor.encrypt((byte[]) sharedKey.clone());
        // Must come last: the factories are rebuilt from the fields assigned above.
        refreshTokenFactories();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "generateKeys");
        }
    }

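    /**
     * Generates a fresh LTPA key set and returns it in exportable form, without installing it on
     * this object (unlike {@code generateKeys}, which replaces the live keys).
     *
     * <p>The private key and the shared 3DES key are encrypted with a {@link KeyEncryptor} built
     * from {@code bArr} and then base64-encoded; the public key is base64-encoded as-is. The
     * realm, when present, is the part of the ORB property {@code com.ibm.CORBA.principalName}
     * before its first {@code /}.
     *
     * @param bArr the password protecting the exported private and shared keys
     * @return properties holding {@code com.ibm.websphere.ltpa.3DESKey}, {@code ...PrivateKey},
     *         {@code ...PublicKey}, {@code ...version}, {@code com.ibm.websphere.CreationDate},
     *         {@code com.ibm.websphere.CreationHost} (omitted if the local host name cannot be
     *         resolved) and, when derivable, {@code com.ibm.websphere.ltpa.Realm}
     * @throws Exception if the UTF8 encoding is unavailable; the original exception is attached
     *         as the cause
     */
    public Properties genKeys(byte[] bArr) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "genKeys");
        }
        KeyEncryptor keyEncryptor = new KeyEncryptor(bArr);
        LTPAKeyPair keyPair = LTPADigSignature.generateLTPAKeyPair();
        byte[] publicKeyBytes = keyPair.getPublic().getEncoded();
        byte[] encryptedPrivateKey = keyEncryptor.encrypt((byte[]) keyPair.getPrivate().getEncoded().clone());
        // Instance is discarded; presumably a decompiler rendering of a static call on LTPACrypto.
        new LTPACrypto();
        byte[] encryptedSharedKey = keyEncryptor.encrypt((byte[]) LTPACrypto.generate3DESKey().clone());
        byte[] sharedKeyB64 = Base64Coder.base64Encode(encryptedSharedKey);
        byte[] privateKeyB64 = Base64Coder.base64Encode(encryptedPrivateKey);
        byte[] publicKeyB64 = Base64Coder.base64Encode(publicKeyBytes);
        Properties properties = new Properties();
        try {
            properties.put("com.ibm.websphere.ltpa.3DESKey", new String(sharedKeyB64, "UTF8"));
            properties.put("com.ibm.websphere.ltpa.PrivateKey", new String(privateKeyB64, "UTF8"));
            properties.put("com.ibm.websphere.ltpa.PublicKey", new String(publicKeyB64, "UTF8"));
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAServerObject.genKeys", "1067", this);
            Tr.error(tc, "security.ltpa.exportkeys", new Object[]{e});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unsupported encoding: UTF8");
            }
            // Attach the cause; the bare message used to be all a caller could see.
            throw new Exception(e.getMessage(), e);
        }
        properties.put("com.ibm.websphere.ltpa.version", CURRENT_LTPA_VERSION);
        properties.put("com.ibm.websphere.CreationDate", new Date().toString());
        try {
            properties.put("com.ibm.websphere.CreationHost", InetAddress.getLocalHost().getHostName());
        } catch (UnknownHostException e2) {
            // Informational only. Kept in its own try so that an unresolvable host name no longer
            // skips the realm property below (both used to share one try block).
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unknown host exception");
            }
        }
        ORB orb = EJSORB.getORBInstance();
        if (orb != null) {
            String principalName = orb.getProperty("com.ibm.CORBA.principalName");
            int slash = (principalName == null) ? -1 : principalName.indexOf("/");
            // Without a "/" separator the old substring(0, -1) threw StringIndexOutOfBoundsException;
            // the realm cannot be derived from such a value, so it is simply omitted.
            if (slash >= 0) {
                properties.put("com.ibm.websphere.ltpa.Realm", principalName.substring(0, slash));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "genKeys");
        }
        return properties;
    }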

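    /**
     * Verifies that an exported LTPA key set can be read back with the given password, without
     * installing it.
     *
     * <p>The three base64 values are decoded, the public key is parsed, and the private and
     * shared keys are decrypted with a {@link KeyEncryptor} built from {@code bArr}. All results
     * are discarded: the absence of an exception is the whole check. Use
     * {@code importSSOProperties} to actually install the keys.
     *
     * @param properties key properties as produced by {@code exportSSOProperties} / {@code genKeys}
     * @param bArr the password the keys were exported with
     * @throws Exception if a required property is missing, or if decoding / decrypting fails
     *         (typically a wrong password); the underlying exception is attached as the cause
     */
    public void checkImportSSOProperties(Properties properties, byte[] bArr) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkImportSSOProperties");
        }
        String sharedKeyB64 = properties.getProperty("com.ibm.websphere.ltpa.3DESKey");
        String privateKeyB64 = properties.getProperty("com.ibm.websphere.ltpa.PrivateKey");
        String publicKeyB64 = properties.getProperty("com.ibm.websphere.ltpa.PublicKey");
        if (sharedKeyB64 == null || privateKeyB64 == null || publicKeyB64 == null) {
            // A missing property used to surface as a NullPointerException from getBytes() and was
            // then reported as a password problem; name the real cause instead.
            Exception missing = new Exception("Problem importingSSO keys. Using original values. The 3DESKey, PrivateKey and PublicKey properties are all required.");
            Tr.error(tc, "security.ltpa.checkimportltpakeys", new Object[]{missing});
            throw missing;
        }
        try {
            byte[] encryptedSharedKey = Base64Coder.base64Decode(sharedKeyB64.getBytes("UTF8"));
            byte[] encryptedPrivateKey = Base64Coder.base64Decode(privateKeyB64.getBytes("UTF8"));
            // Parsing and decrypting is the check itself; the resulting keys are intentionally dropped.
            new LTPAPublicKey(Base64Coder.base64Decode(publicKeyB64.getBytes("UTF8")));
            new LTPAPrivateKey(getPrivateKey(bArr, encryptedPrivateKey));
            getSharedKey(bArr, encryptedSharedKey);
        } catch (NullPointerException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAServerObject.checkImportSSOProperties", "1102", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Problem importingSSO keys. Using original values. Make sure that the password is correct.");
            }
            Tr.error(tc, "security.ltpa.checkimportltpakeys", new Object[]{e});
            throw new Exception("Problem importingSSO keys. Using original values. Make sure the password is correct.", e);
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.ltpa.LTPAServerObject.checkImportSSOProperties", "1109", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Problem importingSSO keys. Using original values.");
            }
            Tr.error(tc, "security.ltpa.checkimportltpakeys", new Object[]{e2});
            throw new Exception("Problem importingSSO keys. Using original values. Check the Password. The exception is " + e2, e2);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkImportSSOProperties");
        }
    }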

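    /**
     * Installs an exported LTPA key set on this object and rebuilds the token factories.
     *
     * <p>All values are first decoded and decrypted into the {@code new_*} staging fields; only
     * then are the live fields replaced and {@code refreshTokenFactories()} invoked. The
     * replacement itself is not atomic: should {@code refreshTokenFactories()} throw, the live
     * fields have already been overwritten even though the error message speaks of the original
     * values being kept.
     *
     * @param properties key properties as produced by {@code exportSSOProperties} / {@code genKeys}
     * @param bArr the password the keys were exported with; stored by reference as the new admin
     *        password on success
     * @throws Exception if a required property is missing or decoding / decrypting / refreshing
     *         fails; the underlying exception is attached as the cause
     */
    public synchronized void importSSOProperties(Properties properties, byte[] bArr) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "importSSOProperties");
        }
        String sharedKeyB64 = properties.getProperty("com.ibm.websphere.ltpa.3DESKey");
        String privateKeyB64 = properties.getProperty("com.ibm.websphere.ltpa.PrivateKey");
        String publicKeyB64 = properties.getProperty("com.ibm.websphere.ltpa.PublicKey");
        if (sharedKeyB64 == null || privateKeyB64 == null || publicKeyB64 == null) {
            // A missing property used to surface as a NullPointerException whose message is null,
            // giving "The exception is null"; report it explicitly instead.
            Exception missing = new Exception("Problem importingSSO keys. Using original values. The 3DESKey, PrivateKey and PublicKey properties are all required.");
            Tr.error(tc, "security.ltpa.importkeys", new Object[]{missing});
            throw missing;
        }
        this.new_adminPassword = bArr;
        try {
            // Stage everything first so a decode/decrypt failure leaves the live keys untouched.
            this.new_encryptedSharedKey = Base64Coder.base64Decode(sharedKeyB64.getBytes("UTF8"));
            this.new_encryptedPrivateKey = Base64Coder.base64Decode(privateKeyB64.getBytes("UTF8"));
            this.new_publicKey = Base64Coder.base64Decode(publicKeyB64.getBytes("UTF8"));
            new_ltpaPubKey = new LTPAPublicKey(this.new_publicKey);
            this.new_privateKey = getPrivateKey(bArr, this.new_encryptedPrivateKey);
            new_ltpaPrivKey = new LTPAPrivateKey(this.new_privateKey);
            this.new_sharedKey = getSharedKey(bArr, this.new_encryptedSharedKey);
            // Commit: from here on the live keys are the imported ones.
            this.adminPassword = this.new_adminPassword;
            this.encryptedSharedKey = this.new_encryptedSharedKey;
            this.encryptedPrivateKey = this.new_encryptedPrivateKey;
            this.publicKey = this.new_publicKey;
            this.privateKey = this.new_privateKey;
            ltpaPubKey = new_ltpaPubKey;
            ltpaPrivKey = new_ltpaPrivKey;
            sharedKey = this.new_sharedKey;
            refreshTokenFactories();
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAServerObject.importSSOProperties", "1140", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Problem importingSSO keys. Using original values.");
            }
            Tr.error(tc, "security.ltpa.importkeys", new Object[]{e});
            // Attach the cause; the message alone used to be all a caller could see.
            throw new Exception("Problem importingSSO keys. Using original values. The exception is " + e.getMessage(), e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "importSSOProperties");
        }
    }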

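    /**
     * Exports the LTPA key set currently installed on this object.
     *
     * <p>The encrypted shared and private keys and the public key are base64-encoded exactly as
     * held in the fields; no re-encryption takes place. The realm, when present, is the part of
     * the ORB property {@code com.ibm.CORBA.principalName} before its first {@code /}.
     *
     * @return properties holding {@code com.ibm.websphere.ltpa.3DESKey}, {@code ...PrivateKey},
     *         {@code ...PublicKey}, {@code ...version}, {@code com.ibm.websphere.CreationDate},
     *         {@code com.ibm.websphere.CreationHost} (omitted if the local host name cannot be
     *         resolved) and, when derivable, {@code com.ibm.websphere.ltpa.Realm}
     * @throws Exception if no keys are installed, or if the UTF8 encoding is unavailable (the
     *         original exception is attached as the cause)
     */
    public Properties exportSSOProperties() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "exportSSOProperties");
        }
        if (this.encryptedSharedKey == null || this.encryptedPrivateKey == null || this.publicKey == null) {
            Exception exc = new Exception("Keys do not exist. Make sure the LTPA configuration is setup");
            Tr.error(tc, "security.ltpa.importkeys", new Object[]{exc});
            throw exc;
        }
        byte[] sharedKeyB64 = Base64Coder.base64Encode(this.encryptedSharedKey);
        byte[] privateKeyB64 = Base64Coder.base64Encode(this.encryptedPrivateKey);
        byte[] publicKeyB64 = Base64Coder.base64Encode(this.publicKey);
        Properties properties = new Properties();
        try {
            properties.put("com.ibm.websphere.ltpa.3DESKey", new String(sharedKeyB64, "UTF8"));
            properties.put("com.ibm.websphere.ltpa.PrivateKey", new String(privateKeyB64, "UTF8"));
            properties.put("com.ibm.websphere.ltpa.PublicKey", new String(publicKeyB64, "UTF8"));
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAServerObject.exportSSOProperties", "1200", this);
            Tr.error(tc, "security.ltpa.exportkeys", new Object[]{e});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unsupported encoding: UTF8");
            }
            // Attach the cause; the bare message used to be all a caller could see.
            throw new Exception(e.getMessage(), e);
        }
        properties.put("com.ibm.websphere.ltpa.version", CURRENT_LTPA_VERSION);
        properties.put("com.ibm.websphere.CreationDate", new Date().toString());
        try {
            properties.put("com.ibm.websphere.CreationHost", InetAddress.getLocalHost().getHostName());
        } catch (UnknownHostException e2) {
            // Informational only. Kept in its own try so that an unresolvable host name no longer
            // skips the realm property below (both used to share one try block).
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unknown host exception");
            }
        }
        ORB orb = EJSORB.getORBInstance();
        if (orb != null) {
            String principalName = orb.getProperty("com.ibm.CORBA.principalName");
            int slash = (principalName == null) ? -1 : principalName.indexOf("/");
            // Without a "/" separator the old substring(0, -1) threw StringIndexOutOfBoundsException;
            // the realm cannot be derived from such a value, so it is simply omitted.
            if (slash >= 0) {
                properties.put("com.ibm.websphere.ltpa.Realm", principalName.substring(0, slash));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "exportSSOProperties");
        }
        return properties;
    }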

    /**
     * Not supported by this server object.
     *
     * @param basicAuthData ignored
     * @return never returns normally
     * @throws RemoteException always, with the message {@code issueLoginToken not implemented}
     */
    public byte[] issueLoginToken(BasicAuthData basicAuthData) throws RemoteException {
        boolean traceEntry = tc.isEntryEnabled();
        if (traceEntry) {
            Tr.entry(tc, "issueLoginToken");
            Tr.exit(tc, "issueLoginToken");
        }
        throw new RemoteException("issueLoginToken not implemented");
    }

    /**
     * Encodes a string as UTF8 bytes.
     *
     * @param str the string to encode; must not be {@code null}
     * @return the UTF8 bytes, or {@code null} if the JVM reports the UTF8 encoding as
     *         unsupported (the failure is only traced at debug level)
     */
    private static byte[] toBytes(String str) {
        try {
            return str.getBytes("UTF8");
        } catch (UnsupportedEncodingException e) {
            Tr.debug(tc, "to UTF8 bytes =" + e.toString());
            return null;
        }
    }

    /**
     * Returns the user registry for the default realm, resolving and caching it on first use.
     *
     * <p>The lookup is not synchronized; concurrent first calls may each resolve the registry
     * (presumably harmless, as the same realm is looked up every time).
     *
     * @return the cached {@link UserRegistryImpl}
     */
    static UserRegistryImpl getUserRegistry() {
        UserRegistryImpl registry = userRegistry;
        if (registry == null) {
            registry = (UserRegistryImpl) SecurityServerImpl.getRegistryImpl(ctxMgr.getDefaultRealm());
            userRegistry = registry;
        }
        return registry;
    }

    /**
     * Reports whether FIPS mode is enabled for LTPA.
     *
     * <p>Decompiler note: originally package-private.
     *
     * @return the value of the static {@code _useFIPS} flag ({@code false} unless changed elsewhere)
     */
    public static boolean useFIPS() {
        boolean fipsEnabled = _useFIPS;
        return fipsEnabled;
    }

    /**
     * Returns the name of the JCE provider LTPA uses by default.
     *
     * <p>Decompiler note: originally package-private.
     *
     * @return the value of the static {@code _defaultJCEProvider} field ({@code "IBMJCE"} unless
     *         changed elsewhere)
     */
    public static String defaultJCEProvider() {
        String provider = _defaultJCEProvider;
        return provider;
    }

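    /**
     * Loads a class by name, translating a checked {@link ClassNotFoundException} into an
     * unchecked {@link NoClassDefFoundError} (decompiled helper backing class literals).
     *
     * @param str the fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found; the message is {@code str} and the
     *         cause is the original {@code ClassNotFoundException}
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() returns Throwable, which cannot be thrown from here as in the original
            // one-liner; build the error, attach the cause, then throw the error itself.
            NoClassDefFoundError error = new NoClassDefFoundError(str);
            error.initCause(e);
            throw error;
        }
    }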

    /*
     * Static initialization: trace component, supported entry types, token factory map, version
     * string, feature flags, context manager and the two runtime permissions this object checks.
     * Runs once when the class is loaded, before any instance exists.
     */
    static {
        Class cls;
        // The class$... field caches the result of Class.forName(); presumably the decompiler's
        // rendering of the LTPAServerObject.class literal in older bytecode.
        if (class$com$ibm$ws$security$ltpa$LTPAServerObject == null) {
            cls = class$("com.ibm.ws.security.ltpa.LTPAServerObject");
            class$com$ibm$ws$security$ltpa$LTPAServerObject = cls;
        } else {
            cls = class$com$ibm$ws$security$ltpa$LTPAServerObject;
        }
        tc = Tr.register(cls, "Security", "com.ibm.ejs.resources.security");
        // Index 0 = group, index 1 = user; getSecurityName relies on this order.
        supportedTypes = new String[]{"group", "user"};
        tokenFactoryMap = new HashMap();
        CURRENT_LTPA_VERSION = "1.0";
        ltpaServer = null;
        // FIPS is off and IBMJCE is the JCE provider unless changed elsewhere.
        _useFIPS = false;
        _defaultJCEProvider = "IBMJCE";
        ctxMgr = ContextManagerFactory.getInstance();
        ACCESS_LTPA_SERVER_OBJECT = new WebSphereRuntimePermission("accessLTPAServerObject");
        MAP_CREDENTIAL = new WebSphereRuntimePermission("mapCredential");
    }
}
