package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509PKIPathToken;
import com.ibm.ws.wssecurity.common.Constants0;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.TokenGeneratorConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/PkiPathGenerateLoginModule.class */
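/**
 * JAAS login module that supplies an X.509 PKIPath token to the WS-Security token
 * generator.
 *
 * <p>{@link #login()} obtains the key material in one of two ways:
 * <ul>
 *   <li>when the generate callback reports {@code isUsedRequestorCertificate()}, the
 *       certificate found under {@code Constants0.REQUEST_CERT} in the Axis2 message
 *       context is used to look up the key information (NOTE(review): the certificate
 *       is taken as-is from the context; nothing in this class validates it, so that
 *       must happen wherever the consumer stores it -- confirm);</li>
 *   <li>otherwise the keystore described by the callback (path or reference, type,
 *       password, alias, key password, key name, cert stores) is consulted.</li>
 * </ul>
 * It then either reuses an {@link X509PKIPathToken} already held by the
 * {@link SecurityTokenManager} for the same certificate, or builds a new
 * {@link X509PKIPathTokenImpl} whose id / reference style follows the configured
 * KeyInfo type (standalone, STR reference, embedded, key identifier, key name,
 * issuer/serial).
 *
 * <p>Every failure surfaces as a {@link LoginException}. Exceptions raised inside the
 * outer {@code try} -- including the {@code LoginException}s thrown for specific
 * failures -- are caught again by the trailing {@code catch (Exception)} and re-wrapped
 * with message {@code security.wssecurity.BSTokenLoginModule.s01}; the original message
 * is embedded as an argument and the cause chain is preserved. Because those messages
 * include {@code e.toString()} of the underlying failure, they may carry configuration
 * details (e.g. a keystore path) to the caller.
 */
public class PkiPathGenerateLoginModule extends X509GenerateLoginModule {
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc = Tr.register(PkiPathGenerateLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = PkiPathGenerateLoginModule.class.getName();

    /**
     * Resolves the key information, locates or creates the PKIPath token and registers
     * it with {@code _processedTokens} (and, when the token element is written into the
     * message, {@code _insertedTokens}).
     *
     * @return {@code true} on success; never {@code false}
     * @throws LoginException on any failure; the cause is attached via {@code initCause}
     */
    @Override // com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        X509GenerateCallback x509GenerateCallback = new X509GenerateCallback();
        PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            // The handler populates both callbacks: generator settings and the shared property map.
            this._handler.handle(new Callback[]{x509GenerateCallback, propertyCallback});
            this._context = propertyCallback.getProperties();
            MessageContext messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            this._securityTokenManager = (SecurityTokenManager) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance();

            KeyStoreManager.KeyInformation keyInformationInPkiPath;
            if (x509GenerateCallback.isUsedRequestorCertificate()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Checking the certificate of requestor...");
                }
                // NOTE(review): the requestor certificate is trusted as found in the message
                // context; no validation is performed here -- confirm the consumer side does it.
                Object property = messageContext.getProperty(Constants0.REQUEST_CERT);
                if (!(property instanceof X509Certificate)) {
                    // No usable requestor certificate (absent or wrong type): message WSEC6808E.
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.WSEC6808E"));
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The certificate of requestor is used.");
                }
                try {
                    keyInformationInPkiPath = keyStoreManager.getKeyInformation((X509Certificate) property);
                } catch (SoapSecurityException e) {
                    throw loginFailure(e, "104");
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Getting the key information using the configuration...");
                }
                try {
                    // An explicit path wins; otherwise the keystore reference doubles as the path.
                    String keyStorePath = x509GenerateCallback.getKeyStorePath();
                    if (keyStorePath == null) {
                        keyStorePath = x509GenerateCallback.getKeyStoreReference();
                    }
                    keyInformationInPkiPath = keyStoreManager.getKeyInformationInPkiPath(keyStorePath, x509GenerateCallback.getKeyStoreType(), x509GenerateCallback.getKeyStorePassword(), x509GenerateCallback.getKeyStoreReference(), x509GenerateCallback.getAlias(), x509GenerateCallback.getKeyPassword(), x509GenerateCallback.getKeyName(), x509GenerateCallback.getCertStores());
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The key information got with the configuration is used.");
                    }
                } catch (SoapSecurityException e2) {
                    throw loginFailure(e2, "117");
                }
            }

            TokenGeneratorConfig tokenGeneratorConfig = (TokenGeneratorConfig) this._context.get(TokenGeneratorConfig.CONFIG_KEY);
            String keyInfoType = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
            try {
                Certificate certificate = keyInformationInPkiPath.getCertificate();
                String subjectDN = keyInformationInPkiPath.getSubjectDN();
                SecurityToken token = getToken(tokenGeneratorConfig, keyInfoType, certificate, this._securityTokenManager);
                boolean isStandAlone = tokenGeneratorConfig.isStandAlone();
                // Without a configured KeyInfo type none of the reference styles applies.
                boolean isKeyInfoKeyname = keyInfoType != null && ConfigUtil.isKeyInfoKeyname(keyInfoType);
                boolean isKeyInfoKeyid = keyInfoType != null && ConfigUtil.isKeyInfoKeyid(keyInfoType);
                boolean isKeyInfoStrref = keyInfoType != null && ConfigUtil.isKeyInfoStrref(keyInfoType);
                boolean isKeyInfoEmb = keyInfoType != null && ConfigUtil.isKeyInfoEmb(keyInfoType);
                boolean isKeyInfoX509issuer = keyInfoType != null && ConfigUtil.isKeyInfoX509issuer(keyInfoType);

                if (token == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is no token [" + subjectDN + "] stored in the Subject.");
                    }
                    Object processingElement = this._context.get("com.ibm.ws.wssecurity.constants.processingElement");
                    final X509PKIPathTokenImpl newToken = new X509PKIPathTokenImpl();
                    try {
                        // Only the first three styles write a token element into the message
                        // (and hence record it in _insertedTokens); the others reference the
                        // key indirectly and only need the token in _processedTokens.
                        if (isStandAlone) {
                            newToken.setId(IdUtils.getInstance().makeUniqueId(this._context, "x509bst_"));
                            createTokenElement(processingElement, tokenGeneratorConfig.getType(), keyInformationInPkiPath, newToken, true, this._context);
                            this._processedTokens.add(newToken);
                            this._insertedTokens.add(newToken);
                        } else if (isKeyInfoStrref) {
                            String uniqueId = IdUtils.getInstance().makeUniqueId(this._context, "x509bst_");
                            newToken.setId(uniqueId);
                            newToken.setReferenceURI("#" + uniqueId);
                            createTokenElement(processingElement, tokenGeneratorConfig.getType(), keyInformationInPkiPath, newToken, true, this._context);
                            this._processedTokens.add(newToken);
                            this._insertedTokens.add(newToken);
                        } else if (isKeyInfoEmb) {
                            newToken.setId(IdUtils.getInstance().makeUniqueId(this._context, "x509bst_"));
                            createTokenElement(processingElement, tokenGeneratorConfig.getType(), keyInformationInPkiPath, newToken, false, this._context);
                            this._processedTokens.add(newToken);
                            this._insertedTokens.add(newToken);
                        } else if (isKeyInfoKeyid) {
                            String keyIdentifier = getKeyIdentifier(keyInformationInPkiPath, (QName) this._context.get(Constants.WSSECURITY_KEY_ENCODING), (QName) this._context.get(Constants.WSSECURITY_KEY_IDTYPE));
                            newToken.setId(keyIdentifier);
                            newToken.setKeyIdentifier(keyIdentifier);
                            this._processedTokens.add(newToken);
                        } else if (isKeyInfoKeyname) {
                            String keyName = keyInformationInPkiPath.getSubjectDN();
                            newToken.setId(keyName);
                            newToken.setKeyName(keyName);
                            this._processedTokens.add(newToken);
                        } else if (isKeyInfoX509issuer) {
                            String issuerDN = keyInformationInPkiPath.getIssuerDN();
                            String issuerSerial = keyInformationInPkiPath.getIssuerSerial();
                            newToken.setId(issuerDN + ":" + issuerSerial);
                            newToken.setIssuerName(issuerDN);
                            newToken.setIssuerSerial(issuerSerial);
                            this._processedTokens.add(newToken);
                        }
                        // Key material is attached even when no reference style matched (as before).
                        attachKeyMaterial(newToken, keyInformationInPkiPath);
                    } catch (SoapSecurityException e3) {
                        throw loginFailure(e3, "233");
                    }
                } else if (isStandAlone || isKeyInfoStrref) {
                    this._processedTokens.add(token);
                } else if (isKeyInfoEmb) {
                    // Embedded references always get a fresh token instance, even when one exists.
                    final X509PKIPathTokenImpl embeddedToken = new X509PKIPathTokenImpl();
                    try {
                        embeddedToken.setId(IdUtils.getInstance().makeUniqueId(this._context, "x509bst_"));
                        attachKeyMaterial(embeddedToken, keyInformationInPkiPath);
                        this._processedTokens.add(embeddedToken);
                        this._insertedTokens.add(embeddedToken);
                    } catch (SoapSecurityException e4) {
                        throw loginFailure(e4, "261");
                    }
                } else if (isKeyInfoKeyid || isKeyInfoKeyname || isKeyInfoX509issuer) {
                    this._processedTokens.add(token);
                }

                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login()");
                }
                return true;
            } catch (SoapSecurityException e5) {
                throw loginFailure(e5, "134");
            }
        } catch (Exception e6) {
            // Catches everything above, including the LoginExceptions already thrown, and
            // re-wraps with the generic BSTokenLoginModule.s01 message; keep the cause.
            Tr.processException(e6, clsName + ".login", "71", this);
            Tr.error(tc, "security.wssecurity.BSTokenLoginModule.s01", e6);
            LoginException wrapped = new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e6.toString()}));
            wrapped.initCause(e6);
            throw wrapped;
        }
    }

    /**
     * Logs {@code e} under the given FFDC probe id and returns a {@link LoginException}
     * with the same message the original code produced ({@code e.toString()}), but with
     * {@code e} attached as cause so the failure is diagnosable from the stack trace.
     *
     * @param e     the WS-Security failure being converted
     * @param probe probe id passed to {@code Tr.processException} (historic line numbers)
     */
    private LoginException loginFailure(SoapSecurityException e, String probe) {
        Tr.processException(e, clsName + ".login", probe, this);
        LoginException le = new LoginException(e.toString());
        le.initCause(e);
        return le;
    }

    /**
     * Copies the certificate, its binary encoding and both key halves from
     * {@code keyInfo} onto {@code token}.
     *
     * <p>{@code setCertificate}/{@code setBinary} run under {@code doPrivileged}
     * (NOTE(review): presumably because the token impl performs a permission check
     * there -- confirm). Slots 62 and 61 are the values the original code passes;
     * from {@code getPublicOrSecretKey}/{@code getPrivateOrSecretKey} they appear to be
     * the public and private key slots, so the token carries the signing private key
     * and must not be logged or serialised casually.
     */
    private static void attachKeyMaterial(final X509PKIPathTokenImpl token, KeyStoreManager.KeyInformation keyInfo) throws SoapSecurityException {
        final X509Certificate x509Certificate = (X509Certificate) keyInfo.getCertificate();
        final byte[] binary = keyInfo.getBinary();
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override // java.security.PrivilegedAction
            public Object run() {
                token.setCertificate(x509Certificate);
                token.setBinary(binary);
                return null;
            }
        });
        token.setKey(62, keyInfo.getPublicOrSecretKey());
        token.setKey(61, keyInfo.getPrivateOrSecretKey());
    }

    /**
     * Finds an {@link X509PKIPathToken} already registered with the token manager for
     * this generator config and KeyInfo type whose certificate equals {@code certificate}
     * ({@code Certificate.equals} compares encoded forms).
     *
     * @return the matching token, or {@code null} if none (also when the manager returns
     *         no tokens, or a candidate carries no certificate)
     */
    private static final SecurityToken getToken(TokenGeneratorConfig tokenGeneratorConfig, String str, Certificate certificate, SecurityTokenManager securityTokenManager) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            StringBuilder entry = new StringBuilder("getToken(");
            entry.append("TokenGeneratorConfig config, ");
            entry.append("String keyInfoType[").append(str).append("], ");
            entry.append("Certificate cert, SecurityTokenManager securityTokenManager)");
            Tr.entry(tc, entry.toString());
        }
        SecurityToken securityToken = null;
        Collection<SecurityToken> tokens = securityTokenManager.getTokens(tokenGeneratorConfig, str);
        if (tokens != null && !tokens.isEmpty()) {
            for (SecurityToken candidate : tokens) {
                if (!(candidate instanceof X509PKIPathToken)) {
                    continue;
                }
                // A registered token without a certificate can never match; skip it
                // instead of dereferencing null.
                Certificate held = ((X509PKIPathToken) candidate).getCertificate();
                if (held != null && held.equals(certificate)) {
                    securityToken = candidate;
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            StringBuilder exit = new StringBuilder("getToken(");
            exit.append("TokenGeneratorConfig, String, Certificate, SecurityTokenManager)");
            exit.append(" returns SecurityToken[").append(securityToken).append("]");
            Tr.exit(tc, exit.toString());
        }
        return securityToken;
    }
}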
