package com.ibm.ws.management.util;

import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.OID;
import com.ibm.ISecurityUtilityImpl.WSSecurityContextFactory;
import com.ibm.ejs.ras.RasHelper;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.security.krb5.internal.Config;
import com.ibm.websphere.management.AdminClient;
import com.ibm.websphere.management.AdminClientFactory;
import com.ibm.websphere.management.AdminContext;
import com.ibm.websphere.management.authorizer.AdminAuthorizer;
import com.ibm.websphere.management.authorizer.AdminAuthorizerFactory;
import com.ibm.websphere.management.authorizer.service.AdminAuthzServiceEvent;
import com.ibm.websphere.management.authorizer.service.AdminAuthzServiceListener;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSSecurityContext;
import com.ibm.websphere.security.auth.WSSecurityContextException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.AdminDataHolder;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.auth.rsatoken.RSAPropagationManager;
import com.ibm.ws.security.auth.rsatoken.RSATokenThreadManager;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.SecurityConfigResource;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityContext;
import com.ibm.ws.security.role.RoleBasedAppException;
import com.ibm.ws.security.role.RoleBasedConfigurator;
import com.ibm.ws.security.role.RoleBasedConfiguratorNullImpl;
import com.ibm.ws.security.service.SecurityService;
import com.ibm.ws.security.service.SecurityServiceEvent;
import com.ibm.ws.security.service.SecurityServiceListener;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Properties;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import org.apache.soap.encoding.soapenc.Base64;
import org.apache.tools.mail.MailMessage;
import org.ietf.jgss.GSSException;
import org.omg.CSI.KRB5MechOID;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.core.jar:com/ibm/ws/management/util/SecurityHelper.class */
public final class SecurityHelper implements SecurityServiceListener, AdminAuthzServiceListener, SecurityServiceMonitor {
    // String constants published for callers; their use is not visible in this file.
    public static final String isInternal = "isInternal";
    public static final String loginMethod = "LoginMethod";
    public static final String tokenBasedAuth = "TokenBased";
    public static final String basicAuth = "BasicAuth";
    public static final String tokeElement = "token";
    // Names of the JSSE / SSL-related system properties. The two *Password* entries name
    // properties whose values are secrets: read them where needed, never trace or log the values.
    public static final String trustStoreProp = "javax.net.ssl.trustStore";
    public static final String keyStoreProp = "javax.net.ssl.keyStore";
    public static final String trustStorePasswordProp = "javax.net.ssl.trustStorePassword";
    public static final String keyStorePasswordProp = "javax.net.ssl.keyStorePassword";
    public static final String trustStoreTypeProp = "javax.net.ssl.trustStoreType";
    public static final String keyStoreTypeProp = "javax.net.ssl.keyStoreType";
    public static final String sslHandlerProp = "java.protocol.handler.pkgs";
    public static final String defaultSslHandler = "com.ibm.net.ssl.internal.www.protocol";
    public static final String FIPSProvider = "ssl.SocketFactory.provider";
    public static final String contextProvider = "com.ibm.ssl.contextProvider";
    public static final String KRB5_TOKEN_STR = "krb5TokenStr";
    // Per-instance state. Written by setSecurityService() and the two stateChanged(...) callbacks;
    // no synchronization is applied to these fields anywhere in this class.
    private boolean securityEnabled = false;
    private boolean securityServiceEnabled = false;
    private boolean securityServiceStopped = false;
    // Fallback handed out by getConfigurator() while the security service is not started.
    private RoleBasedConfigurator nullconfigurator = new RoleBasedConfiguratorNullImpl();
    private SecurityService securityService = null;
    // Created lazily (and without locking) by getWSSecurityContext().
    private WSSecurityContext securityContext = null;
    private String clientSSLAlias = null;
    // Cached by stateChanged(AdminAuthzServiceEvent); may stay null if the lookup failed.
    private AdminAuthorizer authorizer = null;
    // Separator for entries of the java.protocol.handler.pkgs property (registerPackage()).
    private static final String PKGNAME_DELIMITER = "|";
    private static final TraceComponent tc = Tr.register(SecurityHelper.class);
    // Java 2 Security permission demanded by getServerSubject() when a SecurityManager is installed.
    private static final WebSphereRuntimePermission perm = new WebSphereRuntimePermission("SecOwnCredentials");
    // Singleton instance served by getHelper().
    private static SecurityHelper myself = new SecurityHelper();
    // Same value as sslHandlerProp; used by registerPackage(). Not final, so it is technically mutable.
    private static String URL_HANDLER_PROP = "java.protocol.handler.pkgs";

    /** Private: the only instance is created in the static initializer and served by {@link #getHelper()}. */
    private SecurityHelper() {
    }

    /**
     * Returns the process-wide {@code SecurityHelper} instance.
     *
     * @return the singleton created during class initialization
     */
    public static SecurityHelper getHelper() {
        final SecurityHelper instance = SecurityHelper.myself;
        return instance;
    }

    /**
     * Returns the client SSL alias stored on this helper.
     *
     * @return the alias passed to {@link #setClientSSLAlias(String)}, or {@code null} if none was set
     */
    public String getClientSSLAlias() {
        final String alias = this.clientSSLAlias;
        return alias;
    }

    /**
     * Stores the client SSL alias; no validation is performed and {@code null} is accepted.
     *
     * @param str the alias to remember
     */
    public void setClientSSLAlias(String str) {
        final String alias = str;
        this.clientSSLAlias = alias;
    }

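    /**
     * Tracks the admin authorization service: when it reports state 1 (presumably "started",
     * mirroring the {@link SecurityServiceEvent} overload), the {@link AdminAuthorizer} is looked
     * up and cached in {@code authorizer}. Other states are ignored.
     * <p>
     * A failed lookup is deliberately not propagated: the cached value is left as it was
     * (initially {@code null}) and {@link #getAdminAuthorizer()} returns that value. The failure
     * cause is now written to the debug trace instead of being dropped.
     *
     * @param adminAuthzServiceEvent the service event; only its state is examined
     */
    @Override // com.ibm.websphere.management.authorizer.service.AdminAuthzServiceListener
    public void stateChanged(AdminAuthzServiceEvent adminAuthzServiceEvent) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "stateChanged", adminAuthzServiceEvent);
        }
        if (adminAuthzServiceEvent.getState() == 1) {
            try {
                this.authorizer = AdminAuthorizerFactory.getAdminAuthorizer();
            } catch (Exception e) {
                // Best effort: keep the previous authorizer, but record why the lookup failed.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "AdminAuthorizer not initialized", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "stateChanged");
        }
    }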

    /**
     * Records security-service lifecycle transitions.
     * <p>
     * State 1 marks the service as started (and clears the stopped flag); state 2 marks it as
     * stopped. Note that stopping does <em>not</em> clear {@code securityServiceEnabled}, so
     * {@link #isSecurityServiceStarted()} keeps reporting {@code true} after a stop. Any other
     * state is only traced.
     *
     * @param securityServiceEvent the lifecycle event; only its state is examined
     */
    @Override // com.ibm.ws.security.service.SecurityServiceListener
    public void stateChanged(SecurityServiceEvent securityServiceEvent) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "stateChanged");
        }
        final int newState = securityServiceEvent.getState();
        switch (newState) {
            case 1:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Marking the Security Service as having been started.");
                }
                this.securityServiceEnabled = true;
                this.securityServiceStopped = false;
                break;
            case 2:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Marking the Security Service as having been stopped.");
                }
                this.securityServiceStopped = true;
                break;
            default:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Security service state change to: " + newState);
                }
                break;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "stateChanged");
        }
    }

    /**
     * Returns the {@link WSSecurityContext} for the admin-preferred authentication mechanism,
     * creating it on first use.
     * <p>
     * The lazy initialization is not synchronized; two threads racing on the first call may each
     * create a context, and the last writer wins.
     *
     * @return the cached or newly created context
     */
    public WSSecurityContext getWSSecurityContext() {
        WSSecurityContext context = this.securityContext;
        if (context == null) {
            context = WSSecurityContextFactory.getInstance()
                    .createContext(RSAPropagationManager.getInstance().getAdminPreferredAuthMechOID());
            this.securityContext = context;
        }
        return context;
    }

    /**
     * Installs the {@link SecurityService} and snapshots its enabled flag into
     * {@code securityEnabled}; the flag is not re-read later.
     *
     * @param securityService the service to use; must not be {@code null} (it is dereferenced here)
     */
    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
        final boolean enabled = securityService.isSecurityEnabled();
        this.securityEnabled = enabled;
    }

    /**
     * Reports the enabled flag captured by {@link #setSecurityService(SecurityService)}.
     *
     * @return {@code true} if the installed security service reported security as enabled
     */
    public boolean isSecurityEnabled() {
        final boolean enabled = this.securityEnabled;
        return enabled;
    }

    /**
     * Returns the {@link AdminAuthorizer} to use for the current thread.
     * <p>
     * When an {@link AdminContext} is active ({@code AdminContext.peek() != null}) a fresh
     * authorizer is fetched from the factory; otherwise the instance cached by
     * {@link #stateChanged(AdminAuthzServiceEvent)} is returned (possibly {@code null}).
     * Unlike the cached path, a factory failure here is not caught and propagates to the caller.
     *
     * @return the authorizer for this thread's context, or {@code null} if none is cached
     */
    public AdminAuthorizer getAdminAuthorizer() {
        final String adminContext = AdminContext.peek();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAdminAuthorizer: " + adminContext);
        }
        final AdminAuthorizer result = (adminContext == null)
                ? this.authorizer
                : AdminAuthorizerFactory.getAdminAuthorizer();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAdminAuthorizer: " + adminContext + " " + result);
        }
        return result;
    }

    /**
     * Reports whether a state-1 (started) event has been seen; see
     * {@link #stateChanged(SecurityServiceEvent)} — a later stop does not reset this.
     *
     * @return {@code true} once the security service reported itself started
     */
    @Override // com.ibm.ws.management.util.SecurityServiceMonitor
    public boolean isSecurityServiceStarted() {
        final boolean started = this.securityServiceEnabled;
        return started;
    }

    /**
     * Reports whether the most recent lifecycle event was a stop (state 2); a subsequent start
     * clears it again.
     *
     * @return {@code true} if the security service is currently marked stopped
     */
    @Override // com.ibm.ws.management.util.SecurityServiceMonitor
    public boolean isSecurityServiceStopped() {
        final boolean stopped = this.securityServiceStopped;
        return stopped;
    }

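    /**
     * Returns the role-based configurator of the installed security service, or the
     * null-object configurator when the service is not started, not installed, or its
     * configurator is not yet initialized.
     * <p>
     * The {@link RoleBasedAppException} is intentionally swallowed (the null implementation is
     * the documented fallback); its cause is now recorded in the debug trace.
     *
     * @return a configurator, never {@code null}
     */
    public RoleBasedConfigurator getConfigurator() {
        RoleBasedConfigurator configurator = this.nullconfigurator;
        if (this.securityServiceEnabled && this.securityService != null) {
            try {
                configurator = this.securityService.getConfigurator();
            } catch (RoleBasedAppException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "RoleBasedConfigurator not initialized", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getConfigurator " + configurator);
        }
        return configurator;
    }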

    /**
     * Returns the default realm reported by the {@link ContextManager}.
     *
     * @return the default realm name (whatever the context manager returns, possibly {@code null})
     */
    public String getRealm() {
        final ContextManager contextManager = getContextManager();
        final String realm = contextManager.getDefaultRealm();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRealm " + realm);
        }
        return realm;
    }

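    /**
     * Authenticates a user id and password and returns the resulting {@link Subject}.
     * <p>
     * In a server process the login goes through the {@link ContextManager} against the
     * default realm. In a client process the CSIv2 setting {@code com.ibm.CORBA.authenticationTarget}
     * decides: value 6 performs a Kerberos JAAS login using the configured Kerberos config file;
     * any other value builds a basic-auth subject via {@link #createBasicAuthSubject(String, String)}
     * (which may yield {@code null} on failure).
     * <p>
     * For the duration of the call a {@link SecurityConfigResource} ("application" when an
     * {@link AdminContext} is active, otherwise "admin") is pushed on the thread-local resource
     * stack. It is popped in a {@code finally} block so that a failing login cannot leave the
     * stack unbalanced; the decompiled form only popped on success, the exception-path pop sat
     * behind an unreachable {@code if (0 != 0)} guard.
     * <p>
     * The password is never written to the trace; only the failure cause is.
     *
     * @param str  user id
     * @param str2 password
     * @return the authenticated subject ({@code null} only if basic-auth subject creation failed)
     * @throws WSLoginFailedException if the login fails; any other exception is wrapped with its
     *         message and cause preserved
     */
    public static Subject authenticate(String str, String str2) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate");
        }
        boolean pushedResource = false;
        try {
            final SecurityConfigResource resource = AdminContext.peek() != null
                    ? new SecurityConfigResource("", "application")
                    : new SecurityConfigResource("", "admin");
            pushedResource = SecurityObjectLocator.getThreadLocal().pushResource(resource);
            final Subject subject;
            if (RasHelper.isServer()) {
                subject = getContextManager().login(getContextManager().getDefaultRealm(), str, str2);
            } else {
                final CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
                final int authenticationTarget = csiv2Config.getInteger("com.ibm.CORBA.authenticationTarget");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "authenticationTarget: ", Integer.valueOf(authenticationTarget));
                }
                if (authenticationTarget == 6) {
                    // 6 selects Kerberos; the JAAS login is driven by the configured krb5 config file.
                    subject = AdminClientFactory.jaas_login(AuthMechanismConfig.TYPE_KERBEROS, null, str, str2, null, null,
                            csiv2Config.getString(CSIv2Config.KERBEROS_CONFIG_FILE));
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Kerberos subject: ", subject);
                    }
                } else {
                    subject = createBasicAuthSubject(str, str2);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate");
            }
            return subject;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "fail to authenticate", e);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate - failed");
            }
            if (e instanceof WSLoginFailedException) {
                throw (WSLoginFailedException) e;
            }
            throw new WSLoginFailedException(e.getMessage(), e);
        } finally {
            // Balance the push above on every exit path, including the throw paths.
            if (pushedResource) {
                SecurityObjectLocator.getThreadLocal().popResource();
            }
        }
    }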

    /**
     * Validates an opaque token and returns the {@link Subject} it represents, by logging in
     * against the default realm through the {@link ContextManager}.
     *
     * @param bArr the token bytes to validate
     * @return the subject obtained from the token login
     * @throws WSLoginFailedException if validation fails; other exceptions are wrapped with
     *         their message and cause preserved
     */
    public static Subject validate(byte[] bArr) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate");
        }
        final Subject validated;
        try {
            validated = getContextManager().login(getContextManager().getDefaultRealm(), bArr);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "fail to validate", e);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validate - failed");
            }
            if (e instanceof WSLoginFailedException) {
                throw (WSLoginFailedException) e;
            }
            throw new WSLoginFailedException(e.getMessage(), e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate");
        }
        return validated;
    }

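    /**
     * Builds a basic-auth {@link Subject} for the default realm from a user id and password.
     * <p>
     * Failures are best effort: the cause (never the password) is written to the debug trace
     * and {@code null} is returned. The failure path now emits exactly one exit trace with the
     * correct method name; the decompiled form reported {@code "authenticate - failed"} and then
     * a second, normal exit.
     *
     * @param str  user id
     * @param str2 password
     * @return the basic-auth subject, or {@code null} if it could not be created
     */
    public static Subject createBasicAuthSubject(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createBasicAuthSubject");
        }
        final Subject subject;
        try {
            subject = SubjectHelper.createBasicAuthSubject(getContextManager().getDefaultRealm(), str, str2);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "fail to create basic auth subject", e);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createBasicAuthSubject - failed");
            }
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createBasicAuthSubject");
        }
        return subject;
    }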

    /**
     * Clears the caller context on the current thread by re-initializing it with a
     * {@code null} subject. The {@code subject} argument is not used; this does the same
     * work as {@link #resetContext()} but without entry/exit tracing.
     *
     * @param subject ignored
     */
    public static void removeSubjectFromThreadTable(Subject subject) {
        final Subject cleared = null;
        try {
            getContextManager().initializeCallerContext(cleared);
        } catch (Exception e) {
            // Best effort: a failed reset is only traced.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Failed to initialize caller context.", e);
            }
        }
    }

    /**
     * Pushes {@code subject} as the invocation subject of the current thread.
     *
     * @param subject the subject to install
     * @return whatever the {@link ContextManager} returns for the push (presumably the previous
     *         subject — confirm against ContextManager), or {@code null} if the push threw
     */
    public static Subject pushInvocationSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "pushInvocationSubject");
        }
        Subject previous;
        try {
            previous = getContextManager().pushInvocationSubject(subject);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.pushInvocationSubject", "226");
            previous = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "pushInvocationSubject");
        }
        return previous;
    }

    /**
     * Pops {@code subject} from the current thread's invocation-subject stack. A failing pop is
     * FFDC-logged and otherwise ignored.
     *
     * @param subject the subject to remove
     */
    public static void popInvocationSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "popInvocationSubject");
        }
        final ContextManager contextManager = getContextManager();
        try {
            contextManager.popInvocationSubject(subject);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.popInvocationSubject", "239");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "popInvocationSubject");
        }
    }

    /**
     * Alias for {@link #getServerSubject()}; subject to the same Java 2 Security permission check.
     *
     * @return the server's own subject, or {@code null} if it could not be obtained
     */
    public static Subject getOwnedSubject() {
        final Subject owned = getServerSubject();
        return owned;
    }

    /**
     * Picks the subject that should represent the current request: the invocation subject if
     * present and not unauthenticated, otherwise the received (caller) subject — and {@code null}
     * if that one is unauthenticated as well.
     * <p>
     * A subject without a {@link WSCredential} is accepted as-is (only a credential that reports
     * {@code isUnauthenticated()} triggers the fallback).
     *
     * @return the chosen subject, or {@code null} if no authenticated subject is available
     */
    public static Subject retrieveSubject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "retrieveSubject");
        }
        Subject candidate = getInvocationSubject();
        final boolean useReceived;
        if (candidate == null) {
            useReceived = true;
        } else {
            final WSCredential credential = SubjectHelper.getWSCredentialFromSubject(candidate);
            useReceived = credential != null && credential.isUnauthenticated();
        }
        if (useReceived) {
            candidate = getReceivedSubject();
            if (candidate != null) {
                final WSCredential received = SubjectHelper.getWSCredentialFromSubject(candidate);
                if (received != null && received.isUnauthenticated()) {
                    candidate = null;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "retrieveSubject");
        }
        return candidate;
    }

    /**
     * Returns the current invocation subject from the {@link ContextManager}, refreshing an
     * expired server subject and otherwise returning what the context manager holds.
     * <p>
     * As implemented: {@code z} ("tokens still valid") starts {@code true} and is only replaced
     * — in a server process, and only when the subject carries a {@link WSCredential} — by the
     * result of {@code checkValidityOfAllTokensAndRefresh}. An invalid <em>server</em> subject is
     * replaced by a fresh server login. An invalid non-server subject is still returned (only a
     * debug message records it); compare {@link #getReceivedSubject()}, which drops it. Any
     * failure reaching the outer catch is FFDC-logged and whatever was obtained so far
     * (possibly {@code null}) is returned.
     *
     * @return the invocation subject, a refreshed server subject, or {@code null}
     */
    public static Subject getInvocationSubject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getInvocationSubject");
        }
        Subject subject = null;
        boolean z = true;
        try {
            subject = getContextManager().getInvocationSubject();
            // NOTE(review): called even when subject is null — assumes the helper tolerates that; confirm.
            if (SubjectHelper.getWSCredentialFromSubject(subject) != null) {
                if (RasHelper.isServer()) {
                    z = getContextManager().getWSCredTokenMapper().checkValidityOfAllTokensAndRefresh(subject);
                }
                // Only the server branch can make z false, despite the message wording.
                if (!z && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Non-server invocation subject could not be refreshed.");
                }
            }
            if (!z && subject != null && getContextManager().isServerSubject(subject)) {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Server subject is expired, logging in to get a new one.");
                    }
                    subject = getContextManager().getServerSubject();
                } catch (Exception e) {
                    FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationSubject", "450");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "unable to obtain invocation subject or subject expired", e);
                    }
                    subject = null;
                }
            } else if (z || subject == null) {
                if (subject == null && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Invocation subject is null.");
                }
            } else if (tc.isDebugEnabled()) {
                // Invalid non-server subject: traced but still returned below.
                Tr.debug(tc, "Non-server invocation subject is invalid or expired.");
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationSubject", "394");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to obtain invocation subject from ContextManager.", e2);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getInvocationSubject");
        }
        return subject;
    }

    /**
     * Re-initializes the current thread's caller context with a {@code null} subject.
     * Failures are only traced.
     */
    public static void resetContext() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resetContext");
        }
        final Subject cleared = null;
        try {
            getContextManager().initializeCallerContext(cleared);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "fail to initialize caller context.", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resetContext");
        }
    }

    /**
     * Sets the invocation subject of the current thread. Failures are only traced.
     *
     * @param subject the subject to install
     */
    public static void setInvocationSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setInvocationSubject");
        }
        final ContextManager contextManager = getContextManager();
        try {
            contextManager.setInvocationSubject(subject);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "fail to set invocation subject.", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setInvocationSubject");
        }
    }

    /**
     * Sets the caller ("received") subject of the current thread. Failures are only traced.
     *
     * @param subject the subject to install as caller subject
     */
    public static void setReceivedSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setReceivedSubject");
        }
        final ContextManager contextManager = getContextManager();
        try {
            contextManager.setCallerSubject(subject);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Failed to set caller subject.", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setReceivedSubject");
        }
    }

    /**
     * Returns the caller ("received") subject from the {@link ContextManager}, but only when its
     * {@link WSCredential} reports {@code isCurrent()}; in every other case {@code null}.
     * <p>
     * {@code z} records whether the credential is current. An expired <em>server</em> subject
     * triggers a fresh server login; an expired non-server subject is dropped.
     * <p>
     * NOTE(review): after the re-login in the first branch {@code z} is still {@code false}, so
     * the final {@code if (z && subject != null)} discards the freshly obtained server subject
     * and the method returns {@code null}. That looks unintended (compare
     * {@link #getInvocationSubject()}, which does return the refreshed subject) but is left as
     * decompiled — confirm against the original source before changing it.
     *
     * @return the caller subject when its credential is current, otherwise {@code null}
     */
    public static Subject getReceivedSubject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getReceivedSubject");
        }
        Subject subject = null;
        WSCredential wSCredential = null;
        boolean z = false;
        try {
            subject = getContextManager().getCallerSubject();
            if (subject != null) {
                wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
            }
            if (wSCredential != null) {
                z = wSCredential.isCurrent();
            }
            if (!z && subject != null && getContextManager().isServerSubject(subject)) {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Server subject is expired, logging in to get a new one.");
                    }
                    // z is not updated here, so the refreshed subject is dropped at the end (see NOTE above).
                    subject = getContextManager().getServerSubject();
                } catch (Exception e) {
                    FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getReceivedSubject", "557");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "unable to obtain received subject or subject is expired", e);
                    }
                    subject = null;
                }
            } else if (!z && subject != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Non-server received subject is invalid or expired.");
                }
                subject = null;
            } else if (subject == null && tc.isDebugEnabled()) {
                Tr.debug(tc, "Received subject is null.");
            }
        } catch (Exception e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to obtain received subject from ContextManager.", e2);
            }
            FFDCFilter.processException(e2, "com.ibm.ws.management.connector.util.SecurityHelper.getReceivedSubject", "504");
            z = false;
        }
        // Only a subject whose credential was found current is handed out.
        if (z && subject != null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getReceivedSubject");
            }
            return subject;
        }
        if (!tc.isEntryEnabled()) {
            return null;
        }
        Tr.exit(tc, "getReceivedSubject");
        return null;
    }

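    /**
     * Exchanges a basic-auth subject for a fully logged-in one.
     * <p>
     * Only an authenticated credential that reports {@code isBasicAuth()} is sent through
     * {@link ContextManager#login}; any other subject — including one without a
     * {@link WSCredential}, which previously raised a {@link NullPointerException} — is returned
     * unchanged. A failed login is FFDC-logged and yields {@code null}.
     *
     * @param subject the subject to inspect
     * @return the logged-in subject, the input unchanged, or {@code null} if the login failed
     */
    public static Subject getActualSubject(Subject subject) {
        final WSCredential credential = SubjectHelper.getWSCredentialFromSubject(subject);
        if (credential == null || !credential.isBasicAuth() || credential.isUnauthenticated()) {
            return subject;
        }
        try {
            return getContextManager().login(credential);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "LoginFailed exception getting server cred.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getActualSubject", "566");
            return null;
        }
    }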

    /**
     * Returns this server's own subject.
     * <p>
     * When a {@link SecurityManager} is installed, the caller must hold {@code perm}
     * ({@code WebSphereRuntimePermission("SecOwnCredentials")}); the check runs before any
     * credential is touched. Failures of the lookup itself are FFDC-logged and yield {@code null}.
     *
     * @return the server subject, or {@code null} if it could not be obtained
     * @throws SecurityException if a security manager denies {@code perm}
     */
    public static Subject getServerSubject() {
        final SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...Expecting : " + perm.toString());
            }
            securityManager.checkPermission(perm);
        }
        Subject serverSubject = null;
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting server subject.");
            }
            serverSubject = getContextManager().getServerSubject();
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "unable to obtain own subject or subject is expired", e);
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getServerCredential", "1001");
        }
        return serverSubject;
    }

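    /**
     * Returns the realm security name of the subject chosen by {@link #retrieveSubject()}.
     * <p>
     * Any failure (including a {@code null} subject reaching the credential lookup) is
     * FFDC-logged and results in {@code null}. The closing trace now uses {@code Tr.exit};
     * the decompiled form wrote a second {@code Tr.entry}.
     *
     * @return the realm security name, or {@code null} if unavailable
     */
    public static String getUserName() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUserName");
        }
        String userName = null;
        try {
            final WSCredential credential = SubjectHelper.getWSCredentialFromSubject(retrieveSubject());
            if (credential != null) {
                userName = credential.getRealmSecurityName();
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception attempting to getUserName from credential.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getUserName", "637");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getUserName");
        }
        return userName;
    }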

    /**
     * Returns the {@link ContextManager} from its factory; every call goes back to the factory.
     *
     * @return the context manager instance
     */
    public static ContextManager getContextManager() {
        final ContextManager contextManager = ContextManagerFactory.getInstance();
        return contextManager;
    }

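    /**
     * Appends a package name to the process-wide {@code java.protocol.handler.pkgs} system
     * property ({@code URL_HANDLER_PROP}) unless it is already listed.
     * <p>
     * This property tells the JVM where to look for URL protocol handlers, so the change affects
     * URL resolution for the whole process; pass only trusted package names. Entries are split
     * and joined with {@code PKGNAME_DELIMITER} (the original hard-coded the same {@code "|"}).
     * The method is {@code synchronized} so concurrent registrations do not lose entries.
     *
     * @param str the package name to register
     */
    public static synchronized void registerPackage(String str) {
        final ArrayList<String> packages = new ArrayList<String>();
        final String current = System.getProperty(URL_HANDLER_PROP);
        if (current != null) {
            // StringTokenizer (not split) keeps the original behaviour of skipping empty entries.
            final StringTokenizer tokens = new StringTokenizer(current, PKGNAME_DELIMITER);
            while (tokens.hasMoreTokens()) {
                packages.add(tokens.nextToken());
            }
        }
        if (packages.contains(str)) {
            return;
        }
        packages.add(str);
        final StringBuilder joined = new StringBuilder();
        for (int i = 0; i < packages.size(); i++) {
            if (i > 0) {
                joined.append(PKGNAME_DELIMITER);
            }
            joined.append(packages.get(i));
        }
        System.setProperty(URL_HANDLER_PROP, joined.toString());
    }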

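    /**
     * Returns the user name recorded before any RunAs switch, as reported by the
     * {@link ContextManager}; intended for audit records.
     * <p>
     * Failures are FFDC-logged and yield {@code null}. The closing trace now uses
     * {@code Tr.exit}; the decompiled form wrote a second {@code Tr.entry}.
     *
     * @return the pre-RunAs user name, or {@code null} if unavailable
     */
    public static String getAuditUserName() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAuditUserName");
        }
        String auditUser = null;
        try {
            auditUser = getContextManager().getUserBeforeRunAs();
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception attempting to getAuditUserName from Context Manager.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getAuditUserName", "762");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAuditUserName");
        }
        return auditUser;
    }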

    /**
     * Reflectively instantiates the Kerberos {@link WSSecurityContext} implementation.
     * <p>
     * The class name is a fixed literal — not taken from configuration or input — so the
     * reflective load is not an injection surface. Any failure (class missing, not
     * instantiable, wrong type) is FFDC-logged and yields {@code null}.
     *
     * @return the new context, or {@code null} if it could not be created
     */
    public static WSSecurityContext createContext() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createContext");
        }
        WSSecurityContext context;
        try {
            final Class<?> implClass = Class.forName("com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl");
            context = (WSSecurityContext) implClass.newInstance();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Instantiating WSSecurityContext instance: com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception attempting to createContext.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.createContext", "769");
            context = null;
        }
        return context;
    }

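    /**
     * Maps a target host to its Kerberos realm via the krb5 {@link Config}.
     * <p>
     * Side effect: when {@code str2} is non-empty it is written to the process-wide
     * {@code java.security.krb5.conf} system property, which persists after this call and
     * affects every Kerberos user in the JVM. Mapping failures are FFDC-logged and the literal
     * {@code "default"} is returned. The closing trace now uses {@code Tr.exit}; the decompiled
     * form wrote a second {@code Tr.entry}.
     *
     * @param str  target host name (resolved through {@link #getCanonicalHost(String)})
     * @param str2 path of the krb5 config file to install, or {@code null}/empty to leave it alone
     * @return the mapped realm, or {@code "default"} if the mapping failed
     */
    public static String getTargetKrbRealm(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTargetKrbRealm" + str + " " + str2);
        }
        String realm = "default";
        if (str2 != null && str2.length() > 0) {
            // Global, persistent JVM setting.
            System.setProperty("java.security.krb5.conf", str2);
        }
        final String canonicalHost = getCanonicalHost(str);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "canonicalHost: " + canonicalHost);
        }
        try {
            realm = Config.getInstance().mapHostToRealm(canonicalHost);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception attempting to mapHostToRealm.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getTargetKrbRealm", "793");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTargetKrbRealm" + realm);
        }
        return realm;
    }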

    /**
     * Builds the target service principal name as {@code <str2>@<canonical host of str>}.
     *
     * @param str  target host name (resolved through {@link #getCanonicalHost(String)})
     * @param str2 service name prefix
     * @return the SPN string; the host part is {@code "null"} if canonicalisation failed
     */
    public static String getTargetKrbSPN(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getTargetKrbSPN" + str + " " + str2);
        }
        final StringBuilder spn = new StringBuilder();
        spn.append(str2).append('@').append(getCanonicalHost(str));
        final String result = spn.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getTargetKrbSPN" + result);
        }
        return result;
    }

    /**
     * Returns the host to use for Kerberos purposes: the local machine's canonical host name
     * when {@code str} equals {@code MailMessage.DEFAULT_HOST}, otherwise {@code str} unchanged
     * (no lookup is performed for other hosts).
     *
     * @param str host name; must not be {@code null} (it is dereferenced by the comparison)
     * @return the host name to use, or {@code null} if the local host lookup failed
     */
    public static String getCanonicalHost(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCanonicalHost");
        }
        String resolved;
        if (!str.equals(MailMessage.DEFAULT_HOST)) {
            resolved = str;
        } else {
            resolved = null;
            try {
                resolved = InetAddress.getLocalHost().getCanonicalHostName();
            } catch (UnknownHostException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception attempting to getCanonicalHostName.", new Object[]{e});
                }
                FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getCanonicalHost", "825");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCanonicalHost" + resolved);
        }
        return resolved;
    }

    /**
     * Obtains the admin target's certificate for RSA token propagation.
     * <p>
     * Does nothing (returns {@code null}) when RSA propagation is disabled. If a retrieval is
     * already in progress on this thread manager, only the cache is consulted; otherwise the
     * "in process" flag is set, the certificate is fetched, and the flag is cleared again in
     * {@code finally} — the decompiled form expressed the same with a catch/rethrow of
     * {@link Throwable}. Any {@link Exception} is FFDC-logged, the target certificate is reset to
     * {@code null} and {@code null} is returned.
     *
     * @param properties connection properties passed through to {@code AdminCertificateHelper}
     * @return the certificate, or {@code null} if unavailable
     */
    public static X509Certificate retrieveRSACertificate(Properties properties) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "retrieveRSACertificate");
        }
        X509Certificate certificate = null;
        try {
            if (!AdminCertificateHelper.getInstance().isRSAPropagationEnabled()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "RSA token authentication is not enabled.");
                }
            } else if (RSATokenThreadManager.getInstance().isCertificateRetrievalInProcess().booleanValue()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Certificate retrieval in process.");
                }
                certificate = AdminCertificateHelper.getInstance().checkCacheForCertificate(properties);
            } else {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Retrieving the admin target certificate.");
                    }
                    RSATokenThreadManager.getInstance().setCertificateRetrievalInProcess();
                    certificate = AdminCertificateHelper.getInstance().retrieveTargetCertificate(properties);
                } finally {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Finished retrieving the admin target certificate.");
                    }
                    RSATokenThreadManager.getInstance().unsetCertificateRetrievalInProcess();
                }
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception setting up RSA token information.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.management.util.SecurityHelper.retrieveRSACertificate", "873");
            RSATokenThreadManager.getInstance().setTargetCertificate(null);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "retrieveRSACertificate", new Object[]{certificate});
        }
        return certificate;
    }

    /* JADX WARN: Removed duplicated region for block: B:10:0x002a A[Catch: Exception -> 0x00be, TryCatch #0 {Exception -> 0x00be, blocks: (B:50:0x0017, B:10:0x002a, B:24:0x0036, B:26:0x003f, B:27:0x0047, B:28:0x0058, B:30:0x005e, B:31:0x0066, B:12:0x008e, B:14:0x0097, B:15:0x009f, B:35:0x0071, B:36:0x0074, B:38:0x007a, B:39:0x0082, B:40:0x008a, B:46:0x00aa, B:48:0x00b3), top: B:49:0x0017, inners: #1 }] */
    /* JADX WARN: Removed duplicated region for block: B:19:0x00f0  */
    /* JADX WARN: Removed duplicated region for block: B:46:0x00aa A[Catch: Exception -> 0x00be, TryCatch #0 {Exception -> 0x00be, blocks: (B:50:0x0017, B:10:0x002a, B:24:0x0036, B:26:0x003f, B:27:0x0047, B:28:0x0058, B:30:0x005e, B:31:0x0066, B:12:0x008e, B:14:0x0097, B:15:0x009f, B:35:0x0071, B:36:0x0074, B:38:0x007a, B:39:0x0082, B:40:0x008a, B:46:0x00aa, B:48:0x00b3), top: B:49:0x0017, inners: #1 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler placeholder, NOT the product's behavior: the original body (258 bytecode
     * instructions, per the dump note below) could not be recovered, so this listing throws
     * unconditionally. The real Kerberos policy lookup is not visible anywhere in this file.
     *
     * Only the signature is reliable: it takes the connector {@code Properties} and a boolean
     * flag (presumably the same "internal" meaning as in {@code isKerberosEnabled} -- unconfirmed)
     * and returns a {@code KerberosPolicy}. The JADX block map above refers to a single
     * {@code catch (Exception)} region in the lost body, so the original most likely swallowed or
     * translated failures rather than propagating them -- verify against the actual class file.
     */
    public static com.ibm.ws.security.auth.kerberos.KerberosPolicy retrieveKerberosPolicy(java.util.Properties r7, boolean r8) {
        /*
            Method dump skipped, instructions count: 258
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.management.util.SecurityHelper.retrieveKerberosPolicy(java.util.Properties, boolean):com.ibm.ws.security.auth.kerberos.KerberosPolicy");
    }

    /**
     * Decides whether Kerberos is the authentication mechanism for this administrative connection.
     *
     * Two independent sources are consulted depending on {@code z}:
     * <ul>
     *   <li>{@code z == true} ("internal", i.e. evaluated against the in-process security
     *       configuration): Kerberos is enabled when either the admin-preferred or the active
     *       authentication mechanism has type {@code AuthMechanismConfig.TYPE_KERBEROS}.</li>
     *   <li>{@code z == false}: Kerberos is enabled when the caller-supplied connector property
     *       {@code AdminClient.AUTH_TARGET} is non-empty and equals, ignoring case, either
     *       {@code TYPE_KERBEROS} or the literal {@code "Kerberos"}.</li>
     * </ul>
     * In the second form the decision is driven entirely by client-side properties; it selects a
     * mechanism and does not by itself authenticate anything.
     *
     * @param properties connector properties; only read when {@code z} is false (must be non-null then)
     * @param z          true to consult the server's security configuration instead of {@code properties}
     * @return true when Kerberos is selected by the applicable source
     */
    public static boolean isKerberosEnabled(Properties properties, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKerberosEnabled (internal = " + z + ")");
        }
        final boolean kerberosSelected;
        if (z) {
            // Preferred mechanism first; the active mechanism is only looked up when the
            // preferred one is not Kerberos (short-circuit keeps the locator call count unchanged).
            kerberosSelected = SecurityObjectLocator.getSecurityConfig("security").getAdminPreferredAuthMechanism().getType().equals(AuthMechanismConfig.TYPE_KERBEROS)
                    || SecurityObjectLocator.getSecurityConfig("security").getActiveAuthMechanism().getType().equals(AuthMechanismConfig.TYPE_KERBEROS);
        } else {
            String authTarget = properties.getProperty(AdminClient.AUTH_TARGET);
            boolean present = authTarget != null && authTarget.length() > 0;
            kerberosSelected = present
                    && (authTarget.equalsIgnoreCase(AuthMechanismConfig.TYPE_KERBEROS) || authTarget.equalsIgnoreCase("Kerberos"));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKerberosEnabled(" + kerberosSelected + ")");
        }
        return kerberosSelected;
    }

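    /**
     * Obtains a Kerberos service ticket for the administrative target, reusing state cached in
     * {@code hashMap} where possible.
     *
     * Resolution order, exactly as implemented below:
     * <ol>
     *   <li>If {@code hashMap} holds a non-empty Base64 token under {@code KRB5_TOKEN_STR}, it is
     *       decoded and becomes the result (subject to step 3).</li>
     *   <li>Otherwise, if {@code hashMap} holds a {@link Subject} under
     *       {@code AdminDataHolder.WSSUBJECT}, a service ticket is requested for that subject and,
     *       if one is returned, cached under {@code KRB5_TOKEN_STR}.</li>
     *   <li>If there was no cached subject, or no token could be obtained for it, a JAAS login is
     *       performed via {@code AdminClientFactory.jaas_login}; the resulting subject is stored in
     *       {@code hashMap} (and in {@code AdminDataHolder} outside a server process) and a ticket
     *       is requested for it.</li>
     * </ol>
     *
     * Parameter roles are not recoverable from the decompiled names; what is visible is how they
     * are forwarded. {@code str}, {@code str7}, {@code str8}, {@code str10}, {@code str11} go to
     * the six-argument {@code getKerberosServiceTicket} (by analogy with the three-argument
     * overload, {@code str10}/{@code str11} occupy the SPN/realm positions -- unconfirmed).
     * {@code str4}, {@code str5}, {@code str2}, {@code str3}, {@code str6}, {@code str7} go to
     * {@code jaas_login}. {@code str5} is compared with {@code AdminClient.KRB5_CCACHE};
     * {@code str7} is also used as the {@code java.security.krb5.conf} path. {@code str9} is not
     * used by this method at all.
     *
     * Security notes:
     * <ul>
     *   <li>{@code java.security.krb5.conf} is a process-wide, unsynchronized JVM property; setting
     *       it here affects every Kerberos user in the JVM, not just this login.</li>
     *   <li>A cached token is reused without any lifetime check in this method; whether expiry is
     *       handled by the ticket request or by the caller cannot be confirmed from this file.</li>
     *   <li>The JAAS subject itself is never written to the trace: {@code Subject.toString()}
     *       renders private credentials (Kerberos tickets/keys), so only its principals are traced.</li>
     * </ul>
     *
     * @return the ticket bytes, or {@code null} when no subject could be obtained or the ticket
     *         request produced nothing (an empty array is never returned)
     * @throws WSLoginFailedException when the JAAS login fails
     * @throws Exception              any other failure raised by the login or the ticket request
     */
    public static byte[] getKerberosToken(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, HashMap hashMap) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKerberosToken");
        }
        byte[] bArr = null;
        // Step 1: pick up whatever an earlier call cached.
        Object obj = hashMap.get(AdminDataHolder.WSSUBJECT);
        Subject subject = null;
        if (obj instanceof Subject) {
            subject = (Subject) obj;
        }
        String str12 = (String) hashMap.get(KRB5_TOKEN_STR);
        if (str12 == null || str12.length() <= 0) {
            str12 = null;
        } else {
            // NOTE(review): reused as-is, with no lifetime/expiry check at this level.
            bArr = Base64.decode(str12);
        }
        // Step 2: cached subject but no cached token -> request a ticket for the cached subject.
        if (subject != null && str12 == null) {
            bArr = getKerberosServiceTicket(subject, str, str7, str8, str10, str11);
            if (bArr != null && bArr.length > 0) {
                str12 = Base64.encode(bArr);
                hashMap.put(KRB5_TOKEN_STR, str12);
            }
        }
        // Step 3: no cached subject, or the cached subject yielded no ticket -> fresh JAAS login.
        if (subject == null || str12 == null) {
            if ((str5 == null || !str5.equalsIgnoreCase(AdminClient.KRB5_CCACHE)) && str7 != null && str7.length() != 0) {
                // JVM-wide side effect: every subsequent Kerberos operation in this process
                // reads this configuration file, and concurrent callers race on it.
                System.setProperty("java.security.krb5.conf", str7);
            }
            try {
                Subject jaas_login = AdminClientFactory.jaas_login(str4, str5, str2, str3, null, str6, str7);
                if (tc.isDebugEnabled()) {
                    // Trace the principals only; the Subject's private credential set holds the
                    // Kerberos TGT / keys and must not be rendered into the trace log.
                    Object principals = (jaas_login == null) ? null : jaas_login.getPrincipals();
                    Tr.debug(tc, "Kerberos subject principals: ", principals);
                }
                if (jaas_login != null) {
                    if (!SecurityContext.isServerProcess()) {
                        AdminDataHolder.setData(AdminDataHolder.WSSUBJECT, jaas_login);
                    }
                    hashMap.put(AdminDataHolder.WSSUBJECT, jaas_login);
                    bArr = getKerberosServiceTicket(jaas_login, str, str7, str8, str10, str11);
                    if (bArr != null && bArr.length > 0) {
                        hashMap.put(KRB5_TOKEN_STR, Base64.encode(bArr));
                    } else {
                        // Normalize "no ticket" to null and fall through, so the exit trace
                        // below is written on this path as well.
                        bArr = null;
                    }
                }
            } catch (WSLoginFailedException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSLoginFailedException occurred: ", new Object[]{e});
                }
                FFDCFilter.processException(e, "com.ibm.ws.management.util.SecurityHelper", "1053");
                throw e;
            } catch (Exception e2) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception occurred during JAAS login: ", new Object[]{e2});
                }
                FFDCFilter.processException(e2, "com.ibm.ws.management.util.SecurityHelper", "1056");
                throw e2;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKerberosToken");
        }
        return bArr;
    }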

    /**
     * Convenience overload: requests a service ticket for {@code subject} given only the service
     * principal name and realm, passing {@code null} for the three optional middle arguments of the
     * six-argument overload.
     *
     * @param subject the authenticated subject whose credentials back the request
     * @param str     service principal name; must be non-null and non-empty
     * @param str2    Kerberos realm; must be non-null and non-empty
     * @return whatever the six-argument overload returns
     * @throws IllegalArgumentException when {@code str} or {@code str2} is null or empty
     */
    public static byte[] getKerberosServiceTicket(Subject subject, String str, String str2) {
        boolean spnMissing = (str == null) || str.isEmpty();
        boolean realmMissing = (str2 == null) || str2.isEmpty();
        if (spnMissing || realmMissing) {
            throw new IllegalArgumentException("spn and realm must both be non-empty. spn = '" + str + "', realm = '" + str2 + "'");
        }
        return getKerberosServiceTicket(subject, null, null, null, str, str2);
    }

    /* JADX WARN: Removed duplicated region for block: B:26:0x0095 A[Catch: WSSecurityContextException -> 0x00e5, TryCatch #1 {WSSecurityContextException -> 0x00e5, blocks: (B:33:0x0057, B:21:0x0074, B:24:0x008a, B:26:0x0095, B:27:0x00d4, B:31:0x0081, B:18:0x0064), top: B:32:0x0057 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler placeholder, NOT the product's behavior: the original body (274 bytecode
     * instructions, per the dump note below) could not be recovered, so this listing throws
     * unconditionally. This is the overload that both the three-argument
     * {@code getKerberosServiceTicket} and {@code getKerberosToken} delegate to.
     *
     * What can be inferred about the parameters from the callers in this file: {@code r5} is the
     * subject; per the three-argument overload, {@code r9} is the service principal name and
     * {@code r10} the realm; {@code getKerberosToken} passes its {@code str}, {@code str7} (the
     * value it also sets as {@code java.security.krb5.conf}) and {@code str8} as {@code r6},
     * {@code r7}, {@code r8}. The JADX block map above shows a {@code catch
     * (WSSecurityContextException)} region in the lost body, so such failures were presumably
     * handled here rather than propagated -- verify against the actual class file.
     */
    public static byte[] getKerberosServiceTicket(javax.security.auth.Subject r5, java.lang.String r6, java.lang.String r7, java.lang.String r8, java.lang.String r9, java.lang.String r10) {
        /*
            Method dump skipped, instructions count: 274
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.management.util.SecurityHelper.getKerberosServiceTicket(javax.security.auth.Subject, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String):byte[]");
    }

    /**
     * Reports whether {@code wSCredential} was produced by the Kerberos mechanism, by comparing the
     * credential's mechanism OID with {@code KRB5MechOID.value} through {@code OID.compareOIDs}.
     *
     * @param wSCredential the credential to classify (must be non-null)
     * @return true when the credential's OID is the KRB5 mechanism OID
     * @throws CredentialDestroyedException propagated from the credential access
     * @throws CredentialExpiredException   propagated from the credential access
     */
    public static boolean isKrb5Auth(WSCredential wSCredential) throws CredentialDestroyedException, CredentialExpiredException {
        boolean mechanismIsKrb5 = OID.compareOIDs(wSCredential.getOID(), KRB5MechOID.value);
        return mechanismIsKrb5;
    }

    /**
     * Recognizes the specific failure shape produced when the admin connection's certificate path
     * could not be validated: a {@link WSSecurityContextException} whose cause is a
     * {@link WSSecurityException} whose cause is a {@link CertPathValidatorException}.
     *
     * Only that exact two-level nesting is matched. A {@code CertPathValidatorException} wrapped
     * any deeper, or under different wrapper types, yields false (contrast {@code getGSSException},
     * which walks the whole cause chain).
     *
     * @param obj any object; non-Throwables and null yield false
     * @return true when {@code obj} has the nesting described above
     */
    public static boolean isCertPathValidatorException(Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCertPathValidatorException", obj);
        }
        boolean matches = false;
        // instanceof is false for null, so no separate null checks are needed at any level.
        if (obj instanceof WSSecurityContextException) {
            Throwable outerCause = ((WSSecurityContextException) obj).getCause();
            if (outerCause instanceof WSSecurityException) {
                Throwable innerCause = ((WSSecurityException) outerCause).getCause();
                matches = innerCause instanceof CertPathValidatorException;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCertPathValidatorException: " + matches);
        }
        return matches;
    }

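    /**
     * Finds the first {@link GSSException} in the cause chain of {@code obj}, starting with
     * {@code obj} itself.
     *
     * The decompiled original walked the chain through an {@code Exception}-typed cursor assigned
     * from a {@code Throwable} (not valid Java as listed) and had no protection against a cyclic
     * cause chain: {@code Throwable.initCause} only rejects a direct self-cause, so a longer cycle
     * would have looped forever. The walk now uses a {@code Throwable} cursor and stops at the
     * first node it has already visited.
     *
     * @param obj any object; non-Throwables and null yield null
     * @return the first {@code GSSException} found, or {@code null} if there is none
     */
    public static Exception getGSSException(Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getGSSException", obj);
        }
        if (tc.isDebugEnabled() && obj != null) {
            Tr.debug(tc, "getGSSException class name: " + obj.getClass().getName());
        }
        Exception found = null;
        if (obj instanceof Throwable) {
            // Identity-based visited set (fully qualified to avoid depending on this file's imports);
            // add() returns false on the first repeated node, which ends the walk.
            java.util.Set<Throwable> visited = java.util.Collections.newSetFromMap(new java.util.IdentityHashMap<Throwable, Boolean>());
            for (Throwable cursor = (Throwable) obj; cursor != null && visited.add(cursor); cursor = cursor.getCause()) {
                if (cursor instanceof GSSException) {
                    found = (GSSException) cursor;
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getGSSException: " + found);
        }
        return found;
    }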
}
