package com.ibm.ws.security.auth.rsatoken;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.security.util.ByteArray;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.WSKeyStore;
import com.ibm.ws.ssl.core.Constants;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:wasJars/sas.jar:com/ibm/ws/security/auth/rsatoken/RSAPropagationToken.class */
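/**
 * Builds and validates an RSA propagation token.
 *
 * <p>As far as the decompiled code shows, a version-1 token is a sequence of
 * length-prefixed byte fields: the sender's DER certificate, the RSA-encrypted
 * secret key token with its RSA signature, and the AES-encrypted RSA token with
 * its RSA signature (see {@link #readRSAPropagationTokenV1Bytes}). The framing
 * itself lives in {@code readBytes}/{@code writeBytes}, which the decompiler
 * could not recover; those two methods remain stubs here.
 *
 * <p>Two static caches are shared by every instance: encrypted secret key tokens
 * (keyed by plaintext + receiving certificate) and decrypted ones (keyed by
 * sending public key + ciphertext + signature). All access to either map is
 * guarded by synchronizing on the map itself.
 */
public class RSAPropagationToken {
    private static final TraceComponent tc = Tr.register(RSAPropagationToken.class, "SASRas", "com.ibm.ISecurityL13SupportImpl.sec");
    // One explicit charset for writing and comparing the header; the old code wrote with the
    // platform default and compared as UTF-8.
    private static final Charset HEADER_CHARSET = Charset.forName("UTF-8");
    // Shared caches; every read and write happens inside synchronized (map) { ... }.
    private static final HashMap<ByteArray, SecretKeyToken> decryptedSecretKeyTokenMap = new HashMap<ByteArray, SecretKeyToken>();
    private static final HashMap<ByteArray, SecretKeyTokenCacheKey> encryptedSecretKeyTokenMap = new HashMap<ByteArray, SecretKeyTokenCacheKey>();
    // Once a cache holds more than this many entries it is cleared wholesale rather than evicted.
    private static int maxSecretKeyTokens = 100;
    public static final String tokenHeader = "WS_ROLE_PROP_TOKEN_HEADER";
    private static final byte[] tokenHeaderBytes = tokenHeader.getBytes(HEADER_CHARSET);
    private int version;
    private SecretKeyToken secretKeyTokenObject;
    private RSAToken rsaTokenObject;
    private byte[] secretKeyToken;
    private byte[] encryptedSecretKeyToken;
    private byte[] signatureOfSecretKeyToken;
    private byte[] rsaToken;
    private byte[] encryptedRSAToken;
    private byte[] signatureOfRSAToken;
    private byte[] sendingCertificate;
    private X509Certificate sendingX509Certificate;
    private X509Certificate receivingX509Certificate;
    private PublicKey receivingPublicKey;
    private PublicKey sendingPublicKey;
    private PrivateKey sendingPrivateKey;
    private PrivateKey receivingPrivateKey;
    private final int tokenHeaderSize = tokenHeaderBytes.length;
    // Not referenced by any method visible here; kept because they are package-visible.
    int key_length = 1024;
    SecureRandom random = null;

    RSAPropagationToken() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a token on the sending side.
     *
     * <p>Failures while reading the certificate encoding are logged (FFDC) and
     * swallowed, leaving the instance partially initialised; this matches the
     * original contract, which callers may rely on, so it is not changed here.
     *
     * @param x509Certificate  the sender's certificate
     * @param privateKey       the sender's private key, used for signing
     * @param x509Certificate2 the receiver's certificate, used for RSA encryption
     * @param bArr             serialized secret key token (plaintext)
     * @param bArr2            serialized RSA token (plaintext)
     * @param i                token version
     */
    public RSAPropagationToken(X509Certificate x509Certificate, PrivateKey privateKey, X509Certificate x509Certificate2, byte[] bArr, byte[] bArr2, int i) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "RSAPropagationToken <create init>", new Object[]{x509Certificate, x509Certificate2});
        }
        this.version = i;
        try {
            this.sendingX509Certificate = x509Certificate;
            this.sendingCertificate = x509Certificate.getEncoded();
            this.sendingPublicKey = this.sendingX509Certificate.getPublicKey();
            this.sendingPrivateKey = privateKey;
            this.receivingX509Certificate = x509Certificate2;
            this.receivingPublicKey = this.receivingX509Certificate.getPublicKey();
            this.secretKeyToken = bArr;
            this.rsaToken = bArr2;
            this.secretKeyTokenObject = new SecretKeyToken(this.secretKeyToken);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception initialization RSA propagation token.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.<init>", "82", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "RSAPropagationToken <init>");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a token on the receiving side by parsing and validating {@code bArr}.
     *
     * @param x509Certificate this process's certificate
     * @param privateKey      this process's private key, used to decrypt the secret key token
     * @param bArr            the serialized token received from the sender
     * @throws WSSecurityException if the token did not parse and validate
     */
    public RSAPropagationToken(X509Certificate x509Certificate, PrivateKey privateKey, byte[] bArr) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "RSAPropagationToken <validate init>", new Object[]{x509Certificate});
        }
        this.receivingX509Certificate = x509Certificate;
        this.receivingPublicKey = this.receivingX509Certificate.getPublicKey();
        this.receivingPrivateKey = privateKey;
        readBytes(bArr);
        // readBytes leaves rsaTokenObject null on any validation failure.
        if (this.rsaTokenObject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The rsa token did not validate properly.");
            }
            throw new WSSecurityException("The rsa token did not validate properly.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "RSAPropagationToken <init>");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an instance used only for {@link #verifyCertificate} against this
     * process's certificate.
     *
     * @param x509Certificate this process's certificate
     */
    public RSAPropagationToken(X509Certificate x509Certificate) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "RSAPropagationToken <cert validation only>", new Object[]{x509Certificate});
        }
        this.receivingX509Certificate = x509Certificate;
        this.receivingPublicKey = this.receivingX509Certificate.getPublicKey();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "RSAPropagationToken <init>");
        }
    }

    /** @return the token version supplied at construction or via {@link #setVersion}. */
    public int getVersion() {
        return this.version;
    }

    /** @return the sender's DER-encoded certificate, or {@code null} if not set. */
    public byte[] getSendingCertificate() {
        return this.sendingCertificate;
    }

    /** @return the sender's parsed certificate, or {@code null} if not set. */
    public X509Certificate getSendingX509Certificate() {
        return this.sendingX509Certificate;
    }

    /** @return the plaintext secret key token bytes (key material; do not log). */
    public byte[] getSecretKeyToken() {
        return this.secretKeyToken;
    }

    /** @return the plaintext RSA token bytes, or {@code null} if not set. */
    public byte[] getRSAToken() {
        return this.rsaToken;
    }

    /**
     * Lazily builds the {@link RSAToken} from the plaintext bytes.
     *
     * @return the RSA token object, or {@code null} if no token bytes are present
     */
    public RSAToken getRSATokenObject() {
        if (this.rsaToken != null && this.rsaTokenObject == null) {
            this.rsaTokenObject = new RSAToken(this.rsaToken);
        }
        return this.rsaTokenObject;
    }

    public void setVersion(int i) {
        this.version = i;
    }

    public void setSendingCertificate(byte[] bArr) {
        this.sendingCertificate = bArr;
    }

    public void setSecretKeyToken(byte[] bArr) {
        this.secretKeyToken = bArr;
    }

    public void setRSAToken(byte[] bArr) {
        this.rsaToken = bArr;
    }

    /*  JADX ERROR: JadxRuntimeException in pass: BlockProcessor
        jadx.core.utils.exceptions.JadxRuntimeException: Unreachable block: B:46:0x00ec
        	at jadx.core.dex.visitors.blocks.BlockProcessor.checkForUnreachableBlocks(BlockProcessor.java:88)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.processBlocksTree(BlockProcessor.java:52)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.visit(BlockProcessor.java:44)
        */
    /**
     * Parses a serialized token. The decompiler could not recover this method;
     * the stub below is NOT the original behaviour. From the rest of the class it
     * presumably checks the header ({@link #checkRSAPropagationTokenHeader}) and
     * dispatches on version to {@link #readRSAPropagationTokenV1Bytes} — unverified.
     */
    protected void readBytes(byte[] r11) throws com.ibm.websphere.security.WSSecurityException {
        /*
            Method dump skipped, instructions count: 258
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.readBytes(byte[]):void");
    }

    /**
     * Reads one {@code int} length prefix followed by that many bytes.
     *
     * @param in        the token stream
     * @param fieldName name used in the error message
     * @return the field bytes
     * @throws WSSecurityException if the length is negative or exceeds the bytes remaining
     * @throws IOException         on a truncated stream (EOFException) or read failure
     */
    private static byte[] readLengthPrefixedBytes(DataInputStream in, String fieldName) throws IOException, WSSecurityException {
        int length = in.readInt();
        // The length comes from the peer. Reject it before allocating: negative lengths
        // would throw anyway, and a length beyond the remaining input would otherwise
        // allocate a buffer sized by the attacker. available() is exact only for the
        // in-memory stream that readBytes is assumed to build over its byte[] argument.
        if (length < 0 || length > in.available()) {
            throw new WSSecurityException("Invalid " + fieldName + " length in RSA propagation token: " + length);
        }
        byte[] data = new byte[length];
        in.readFully(data); // EOFException on a short read rather than a silently partial buffer
        return data;
    }

    /**
     * Parses the version-1 token body and validates every component, in order:
     * sender certificate (PKIX), secret key token (RSA decrypt + signature),
     * RSA token (AES decrypt + signature).
     *
     * @param dataInputStream stream positioned just after the header and version
     * @throws Exception if any field is malformed or any validation fails
     */
    private void readRSAPropagationTokenV1Bytes(DataInputStream dataInputStream) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "readRSAPropagationTokenV1Bytes");
        }
        this.sendingCertificate = readLengthPrefixedBytes(dataInputStream, "sending certificate");
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        BufferedInputStream certStream = new BufferedInputStream(new ByteArrayInputStream(this.sendingCertificate));
        X509Certificate parsed = null;
        // As in the original, if several certificates are concatenated the last one wins.
        while (certStream.available() > 0) {
            parsed = (X509Certificate) certificateFactory.generateCertificate(certStream);
        }
        if (parsed == null) {
            throw new WSSecurityException("The RSA propagation token does not contain a sending certificate.");
        }
        this.sendingX509Certificate = parsed;
        this.sendingPublicKey = parsed.getPublicKey();
        // Establish trust in the sender before using its key to verify anything.
        verifyCertificate(new X509Certificate[]{this.sendingX509Certificate});
        this.encryptedSecretKeyToken = readLengthPrefixedBytes(dataInputStream, "encrypted secret key token");
        this.signatureOfSecretKeyToken = readLengthPrefixedBytes(dataInputStream, "secret key token signature");
        decryptAndVerifySecretKeyToken();
        this.encryptedRSAToken = readLengthPrefixedBytes(dataInputStream, "encrypted RSA token");
        this.signatureOfRSAToken = readLengthPrefixedBytes(dataInputStream, "RSA token signature");
        decryptAndVerifyRSAToken();
        this.rsaTokenObject = new RSAToken(this.rsaToken);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "readRSAPropagationTokenV1Bytes");
        }
    }

    /**
     * Consumes {@code tokenHeaderSize} bytes and reports whether they equal the
     * expected header.
     *
     * @param dataInputStream stream positioned at the start of the token
     * @return {@code true} only if a full header was read and it matches
     */
    private boolean checkRSAPropagationTokenHeader(DataInputStream dataInputStream) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkRSAPropagationTokenHeader");
        }
        boolean valid = false;
        String outcome;
        try {
            byte[] header = new byte[this.tokenHeaderSize];
            // readFully: a short read throws instead of comparing a half-filled buffer.
            dataInputStream.readFully(header);
            valid = Arrays.equals(header, tokenHeaderBytes);
            outcome = valid ? "true" : "invalid header, false";
        } catch (Exception e) {
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.checkRSAPropagationTokenHeader", "427", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception reading RSA propagation token header.", new Object[]{e});
            }
            outcome = "exception, false";
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkRSAPropagationTokenHeader (" + outcome + ")");
        }
        return valid;
    }

    /*  JADX ERROR: JadxRuntimeException in pass: BlockProcessor
        jadx.core.utils.exceptions.JadxRuntimeException: Unreachable block: B:21:0x0146
        	at jadx.core.dex.visitors.blocks.BlockProcessor.checkForUnreachableBlocks(BlockProcessor.java:88)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.processBlocksTree(BlockProcessor.java:52)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.visit(BlockProcessor.java:44)
        */
    /**
     * Serializes this token. The decompiler could not recover this method; the
     * stub below is NOT the original behaviour.
     */
    protected byte[] writeBytes() {
        /*
            Method dump skipped, instructions count: 330
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.writeBytes():byte[]");
    }

    /**
     * Human-readable summary. The secret key token is key material and the RSA
     * token carries the propagated identity, so only their lengths are shown;
     * the original dumped the raw bytes of all three fields as characters.
     * Null fields (e.g. on a certificate-validation-only instance) no longer NPE.
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("Version: ").append(this.version).append("\n");
        sb.append("SendingCertificate: ");
        if (this.sendingX509Certificate != null) {
            sb.append(this.sendingX509Certificate.getSubjectX500Principal());
        } else {
            sb.append(describeLength(this.sendingCertificate));
        }
        sb.append("\n");
        sb.append("SecretKeyToken: ").append(describeLength(this.secretKeyToken)).append("\n");
        sb.append("RSAToken: ").append(describeLength(this.rsaToken)).append("\n");
        return sb.toString();
    }

    /** Size-only description of a byte field for diagnostics. */
    private static String describeLength(byte[] data) {
        return data == null ? "null" : data.length + " bytes (contents withheld)";
    }

    /** Returns {@code first} followed by {@code second} in a new array. */
    private static byte[] concat(byte[] first, byte[] second) {
        byte[] joined = new byte[first.length + second.length];
        System.arraycopy(first, 0, joined, 0, first.length);
        System.arraycopy(second, 0, joined, first.length, second.length);
        return joined;
    }

    /**
     * RSA-encrypts the secret key token for the receiver and signs it with the
     * sender's private key, consulting the shared cache first.
     *
     * <p>The cache is keyed by plaintext + receiver certificate, so the same key
     * material sent to two receivers never shares a ciphertext. A failed
     * encrypt/sign is never cached (the original could cache {@code null}s).
     *
     * @throws NullPointerException if no secret key token is set
     * @throws Exception            if encryption or signing fails
     */
    private void signAndEncryptSecretKeyToken() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "signAndEncryptSecretKeyToken");
        }
        if (this.secretKeyToken == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "signAndEncryptSecretKeyToken (SecretKeyToken is null)");
            }
            throw new NullPointerException("SecretKeyToken is null.  Cannot sign and/or encrypt.");
        }
        ByteArray cacheKey = new ByteArray(concat(this.secretKeyToken, this.receivingX509Certificate.getEncoded()));
        SecretKeyTokenCacheKey cached;
        synchronized (encryptedSecretKeyTokenMap) {
            cached = encryptedSecretKeyTokenMap.get(cacheKey);
        }
        if (cached != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found encrypted secret key token in cache.");
            }
            this.encryptedSecretKeyToken = cached.getEncryptedBytes();
            this.signatureOfSecretKeyToken = cached.getSignatureBytes();
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find encrypted secret key token in cache, validating the token.");
            }
            byte[] encrypted = rsaEncryptBytes(this.receivingPublicKey, this.secretKeyToken);
            byte[] signature = rsaSignBytes(this.sendingPrivateKey, this.secretKeyToken);
            if (encrypted == null || signature == null) {
                // The helpers already logged the underlying exception via FFDC.
                throw new WSSecurityException("Unable to encrypt and sign the secret key token.");
            }
            this.encryptedSecretKeyToken = encrypted;
            this.signatureOfSecretKeyToken = signature;
            synchronized (encryptedSecretKeyTokenMap) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Current number of encrypted secret key tokens in cache: " + encryptedSecretKeyTokenMap.size());
                }
                if (encryptedSecretKeyTokenMap.size() > maxSecretKeyTokens) {
                    encryptedSecretKeyTokenMap.clear();
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding encrypted secret key token to cache.");
                }
                encryptedSecretKeyTokenMap.put(cacheKey, new SecretKeyTokenCacheKey(encrypted, signature));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "signAndEncryptSecretKeyToken");
        }
    }

    /**
     * Recovers the secret key token: RSA-decrypts it with the receiver's private
     * key and verifies the sender's signature over the plaintext, consulting the
     * shared cache first.
     *
     * <p>The cache key includes the sender's public key as well as the ciphertext
     * and signature, so a cache hit can never stand in for signature verification
     * against a different sender. Plaintext is stored on the instance only after
     * the signature verifies.
     *
     * @throws NullPointerException if the ciphertext or signature is missing
     * @throws WSSecurityException  if decryption or signature verification fails
     */
    private void decryptAndVerifySecretKeyToken() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "decryptAndVerifySecretKeyToken");
        }
        if (this.encryptedSecretKeyToken == null || this.signatureOfSecretKeyToken == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "decryptAndVerifySecretKeyToken (Encrypted bytes or signature of SecretKeyToken was null)");
            }
            throw new NullPointerException("Encrypted bytes or signature of SecretKeyToken was null.  Cannot verify and/or decrypt.");
        }
        if (this.sendingPublicKey == null) {
            throw new WSSecurityException("No sending public key is available to verify the secret key token.");
        }
        ByteArray cacheKey = new ByteArray(concat(this.sendingPublicKey.getEncoded(),
                concat(this.encryptedSecretKeyToken, this.signatureOfSecretKeyToken)));
        SecretKeyToken cached;
        synchronized (decryptedSecretKeyTokenMap) {
            cached = decryptedSecretKeyTokenMap.get(cacheKey);
        }
        if (cached != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found decrypted secret key token in cache.");
            }
            this.secretKeyTokenObject = cached;
            this.secretKeyToken = cached.getBytes();
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find decrypted secret key token in cache, validating the token.");
            }
            // The signature covers the plaintext, so decryption must precede verification.
            // Both failure modes collapse into one exception so callers see a single outcome.
            byte[] plaintext = rsaDecryptBytes(this.receivingPrivateKey, this.encryptedSecretKeyToken);
            if (plaintext == null || !rsaVerifyBytes(this.sendingPublicKey, this.signatureOfSecretKeyToken, plaintext)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Verification failed, throwing exception.");
                }
                throw new WSSecurityException("The signature of the secret key token was not verified.");
            }
            this.secretKeyToken = plaintext;
            this.secretKeyTokenObject = new SecretKeyToken(plaintext);
            synchronized (decryptedSecretKeyTokenMap) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Current number of decrypted secret key tokens in cache: " + decryptedSecretKeyTokenMap.size());
                }
                if (decryptedSecretKeyTokenMap.size() > maxSecretKeyTokens) {
                    decryptedSecretKeyTokenMap.clear();
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding secret key token to cache.");
                }
                decryptedSecretKeyTokenMap.put(cacheKey, this.secretKeyTokenObject);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "decryptAndVerifySecretKeyToken");
        }
    }

    /**
     * Signs the RSA token with the sender's private key and AES-encrypts it under
     * the secret key carried by the secret key token.
     *
     * @throws NullPointerException if no RSA token is set
     * @throws WSSecurityException  if the secret key token is missing or signing/encryption fails
     */
    private void signAndEncryptRSAToken() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "signAndEncryptRSAToken");
        }
        if (this.rsaToken == null) {
            throw new NullPointerException("RSAToken is null.  Cannot sign and/or encrypt.");
        }
        if (this.secretKeyTokenObject == null) {
            throw new WSSecurityException("SecretKeyToken is not available.  Cannot encrypt the RSA token.");
        }
        byte[] secretKey = this.secretKeyTokenObject.getSecretKey();
        byte[] signature = rsaSignBytes(this.sendingPrivateKey, this.rsaToken);
        byte[] encrypted = aesEncryptBytes(secretKey, this.rsaToken);
        if (signature == null || encrypted == null) {
            throw new WSSecurityException("Unable to sign and encrypt the RSA token.");
        }
        this.signatureOfRSAToken = signature;
        this.encryptedRSAToken = encrypted;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "signAndEncryptRSAToken");
        }
    }

    /**
     * AES-decrypts the RSA token with the recovered secret key and verifies the
     * sender's signature over the plaintext. Requires
     * {@link #decryptAndVerifySecretKeyToken} to have run first.
     *
     * @throws NullPointerException if the ciphertext or signature is missing
     * @throws WSSecurityException  if the secret key is unavailable or verification fails
     */
    private void decryptAndVerifyRSAToken() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "decryptAndVerifyRSAToken");
        }
        if (this.encryptedRSAToken == null || this.signatureOfRSAToken == null) {
            throw new NullPointerException("Encrypted bytes or signature of RSAToken was null.  Cannot verify and/or decrypt.");
        }
        if (this.secretKeyTokenObject == null) {
            throw new WSSecurityException("SecretKeyToken is not available.  Cannot decrypt the RSA token.");
        }
        byte[] plaintext = aesDecryptBytes(this.secretKeyTokenObject.getSecretKey(), this.encryptedRSAToken);
        if (plaintext == null || !rsaVerifyBytes(this.sendingPublicKey, this.signatureOfRSAToken, plaintext)) {
            throw new WSSecurityException("The signature of the rsa token was not verified.");
        }
        this.rsaToken = plaintext;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "decryptAndVerifyRSAToken");
        }
    }

    /**
     * Signs {@code bArr} with SHA1withRSA. The algorithm is part of the wire
     * contract with peers and is therefore not changed here; SHA-1 signatures are
     * considered weak, so a coordinated upgrade is advisable.
     *
     * @return the signature, or {@code null} if signing failed (logged via FFDC)
     */
    public byte[] rsaSignBytes(PrivateKey privateKey, byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "rsaSignBytes");
        }
        byte[] result = null;
        try {
            Signature signature = Signature.getInstance("SHA1withRSA");
            signature.initSign(privateKey);
            long start = System.currentTimeMillis();
            signature.update(bArr, 0, bArr.length);
            result = signature.sign();
            long end = System.currentTimeMillis();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total RSA sign millis for data size " + bArr.length + " is " + (end - start) + " millis.");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception signing bytes for RSA token.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.rsaSignBytes", "746", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "rsaSignBytes");
        }
        return result;
    }

    /**
     * Verifies a SHA1withRSA signature.
     *
     * @param publicKey the signer's public key
     * @param bArr      the signature
     * @param bArr2     the signed data
     * @return {@code true} only if the signature verifies; any exception yields {@code false}
     */
    public boolean rsaVerifyBytes(PublicKey publicKey, byte[] bArr, byte[] bArr2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "rsaVerifyBytes");
        }
        boolean verified = false;
        try {
            Signature signature = Signature.getInstance("SHA1withRSA");
            signature.initVerify(publicKey);
            long start = System.currentTimeMillis();
            signature.update(bArr2, 0, bArr2.length);
            verified = signature.verify(bArr);
            long end = System.currentTimeMillis();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total RSA verify millis for data size " + bArr2.length + " is " + (end - start) + " millis.");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception verifying signature of bytes for RSA token.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.rsaVerifyBytes", "780", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "rsaVerifyBytes");
        }
        return verified;
    }

    /**
     * RSA-encrypts {@code bArr} under {@code publicKey}. The transformation is
     * {@code Constants.RSA_CERTIFICATE_TYPE}; if that is a bare algorithm name the
     * padding is whatever the installed provider defaults to, which is part of the
     * wire contract with peers.
     *
     * @return the ciphertext, or {@code null} if encryption failed (logged via FFDC)
     */
    public byte[] rsaEncryptBytes(PublicKey publicKey, byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "rsaEncryptBytes");
        }
        byte[] result = null;
        try {
            Cipher cipher = Cipher.getInstance(Constants.RSA_CERTIFICATE_TYPE);
            cipher.init(Cipher.ENCRYPT_MODE, publicKey);
            long start = System.currentTimeMillis();
            result = cipher.doFinal(bArr);
            long end = System.currentTimeMillis();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total RSA encrypt millis for data size " + bArr.length + " is " + (end - start) + " millis.");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception RSA encrypting bytes for RSA token.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.rsaEncryptBytes", "816", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "rsaEncryptBytes");
        }
        return result;
    }

    /**
     * RSA-decrypts {@code bArr} with {@code privateKey} (see {@link #rsaEncryptBytes}
     * for the transformation caveat).
     *
     * @return the plaintext, or {@code null} if decryption failed (logged via FFDC)
     */
    public byte[] rsaDecryptBytes(PrivateKey privateKey, byte[] bArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "rsaDecryptBytes");
        }
        byte[] result = null;
        try {
            Cipher cipher = Cipher.getInstance(Constants.RSA_CERTIFICATE_TYPE);
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            long start = System.currentTimeMillis();
            result = cipher.doFinal(bArr);
            long end = System.currentTimeMillis();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total RSA decrypt millis for data size " + bArr.length + " is " + (end - start) + " millis.");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception RSA decrypting bytes for RSA token.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.rsaDecryptBytes", "850", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "rsaDecryptBytes");
        }
        return result;
    }

    /**
     * Symmetric-encrypts {@code bArr2} under raw key {@code bArr}. Algorithm and
     * transformation both come from {@code secretKeyTokenObject.getEncryptAlgorithm()};
     * if that is a bare name such as "AES", mode and padding are provider defaults.
     * Requires {@code secretKeyTokenObject} to be set.
     *
     * @return the ciphertext, or {@code null} if encryption failed (logged via FFDC)
     */
    public byte[] aesEncryptBytes(byte[] bArr, byte[] bArr2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "aesEncryptBytes");
        }
        byte[] result = null;
        try {
            String algorithm = this.secretKeyTokenObject.getEncryptAlgorithm();
            SecretKeySpec keySpec = new SecretKeySpec(bArr, algorithm);
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.ENCRYPT_MODE, keySpec);
            long start = System.currentTimeMillis();
            result = cipher.doFinal(bArr2);
            long end = System.currentTimeMillis();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total AES encrypt millis for data size " + bArr2.length + " is " + (end - start) + " millis.");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception AES encrypting bytes for RSA token.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.aesEncryptBytes", "885", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "aesEncryptBytes");
        }
        return result;
    }

    /**
     * Symmetric-decrypts {@code bArr2} under raw key {@code bArr} (see
     * {@link #aesEncryptBytes} for the algorithm caveat).
     *
     * @return the plaintext, or {@code null} if decryption failed (logged via FFDC)
     */
    public byte[] aesDecryptBytes(byte[] bArr, byte[] bArr2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "aesDecryptBytes");
        }
        byte[] result = null;
        try {
            String algorithm = this.secretKeyTokenObject.getEncryptAlgorithm();
            SecretKeySpec keySpec = new SecretKeySpec(bArr, algorithm);
            Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(Cipher.DECRYPT_MODE, keySpec);
            long start = System.currentTimeMillis();
            result = cipher.doFinal(bArr2);
            long end = System.currentTimeMillis();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total AES decrypt millis for data size " + bArr2.length + " is " + (end - start) + " millis.");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception AES decrypting bytes for RSA token.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.aesDecryptBytes", "919", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "aesDecryptBytes");
        }
        return result;
    }

    /**
     * Validates the sender's certificate chain: first against this process's own
     * certificate as trust anchor, then against every X.509 certificate in the
     * admin trust store.
     *
     * <p>This method never returns {@code false}: it returns {@code true} on the
     * first anchor that validates the chain and otherwise throws. The original
     * could throw a null {@code CertPathValidatorException} (an NPE) when the
     * first attempt failed with some other exception type and no trust store was
     * configured; that case now raises a {@link WSSecurityException}.
     *
     * @param x509CertificateArr the chain to validate, leaf first
     * @return {@code true} if some anchor validated the chain
     * @throws CertPathValidatorException  if every anchor rejected the chain
     * @throws IllegalArgumentException    if the admin truststore alias is unknown
     * @throws WSSecurityException         if the truststore is invalid, or nothing
     *                                     validated and no PKIX failure was recorded
     * @throws Exception                   for non-PKIX failures from the trust store pass
     *                                     (e.g. an expired certificate)
     */
    public boolean verifyCertificate(X509Certificate[] x509CertificateArr) throws Exception {
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw new WSSecurityException("No sending certificate was supplied for verification.");
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "verifyCertificate", new Object[]{x509CertificateArr[0]});
        }
        CertPathValidatorException lastFailure = null;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Trying to verify sending certificate with target certificate first.");
        }
        try {
            verifyCertificateInternal(x509CertificateArr, this.receivingX509Certificate);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Sending certificate was validated by this processes personal certificate.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "verifyCertificate");
            }
            return true;
        } catch (CertPathValidatorException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Verification failure, going on to try trust store certificates.");
            }
            lastFailure = e;
        } catch (Exception e2) {
            // Same as the original: non-PKIX failures here are logged and the trust store is tried.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception verifying sending certificate from RSA token.", new Object[]{e2});
            }
            Manager.Ffdc.log(e2, this, "com.ibm.ws.security.auth.rsatoken.RSAPropagationToken.verifyCertificate", "1034", this);
        }
        String adminTrustStoreName = RSAPropagationManager.getInstance().getAdminTrustStoreName();
        if (adminTrustStoreName != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Verifying with trust store name: " + adminTrustStoreName);
            }
            WSKeyStore keyStore = KeyStoreManager.getInstance().getKeyStore(adminTrustStoreName);
            if (keyStore == null) {
                throw new IllegalArgumentException("The admin truststore alias is not found.");
            }
            KeyStore keyStore2 = keyStore.getKeyStore(true, false);
            if (keyStore2 == null) {
                throw new WSSecurityException("The admin truststore is not valid.");
            }
            Enumeration<String> aliases = keyStore2.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Looking up certificate from alias \"" + alias + "\".");
                }
                Certificate certificate = keyStore2.getCertificate(alias);
                // Skips aliases with no certificate (as before) and non-X.509 entries
                // (which previously failed with a ClassCastException).
                if (!(certificate instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate anchor = (X509Certificate) certificate;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Verifying with the following root certificate.", new Object[]{anchor});
                }
                try {
                    verifyCertificateInternal(x509CertificateArr, anchor);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Sending certificate was validated by " + anchor.getSubjectX500Principal());
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "verifyCertificate");
                    }
                    return true;
                } catch (CertPathValidatorException e3) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Sending certificate was not validated by " + anchor.getSubjectX500Principal() + ", trying the next certificate.");
                    }
                    lastFailure = e3;
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Exhausted all certificates in the trust store.   Verification failed of sending certificate.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "verifyCertificate");
        }
        if (lastFailure != null) {
            throw lastFailure;
        }
        throw new WSSecurityException("The sending certificate could not be validated against any trusted certificate.");
    }

    /**
     * Runs PKIX validation of {@code x509CertificateArr} with {@code x509Certificate}
     * as the single trust anchor, after checking each certificate's validity period.
     *
     * <p>Revocation checking is disabled ({@code setRevocationEnabled(false)}), so a
     * revoked sender certificate that is otherwise valid will pass; this matches the
     * original behaviour.
     *
     * @throws CertificateExpiredException if a certificate in the chain is expired
     * @throws CertPathValidatorException  if PKIX validation fails
     */
    private void verifyCertificateInternal(X509Certificate[] x509CertificateArr, X509Certificate x509Certificate) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "verifyCertificateInternal");
        }
        if (x509Certificate == null) {
            throw new WSSecurityException("No trust anchor certificate is available for verification.");
        }
        long start = System.currentTimeMillis();
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(x509CertificateArr));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(x509Certificate, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        for (X509Certificate cert : x509CertificateArr) {
            try {
                cert.checkValidity();
            } catch (CertificateExpiredException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate expiration exception: " + e.getMessage());
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "Hit a java.security.cert.CertificateExpiredException while checking the certificate validity.");
                }
                throw e;
            }
        }
        try {
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, params);
            long end = System.currentTimeMillis();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total certificate verification time is " + (end - start) + " millis.");
                Tr.debug(tc, "Certificate validated successfully: " + result);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "verifyCertificateInternal");
            }
        } catch (CertPathValidatorException e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Validation failure, cert[" + e2.getIndex() + "] :" + e2.getMessage());
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "verifyCertificateInternal");
            }
            throw e2;
        }
    }

    /** Empty entry point retained from the original class. */
    public static void main(String[] strArr) {
    }
}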
