package com.ibm.ws.objectgrid.security.util;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.queryengine.eval.Constantdef;
import com.ibm.websphere.objectgrid.ObjectGridRuntimeException;
import com.ibm.websphere.objectgrid.security.SecurityConstants;
import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration;
import com.ibm.websphere.objectgrid.security.config.SSLConfiguration;
import com.ibm.websphere.objectgrid.security.plugins.CannotGenerateCredentialException;
import com.ibm.websphere.objectgrid.security.plugins.Credential;
import com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.objectgrid.CatalogClusterUtility;
import com.ibm.ws.objectgrid.Constants;
import com.ibm.ws.objectgrid.ObjectGridManagerImpl;
import com.ibm.ws.objectgrid.ServerSecurityConfigService;
import com.ibm.ws.objectgrid.ServerSecurityProperties;
import com.ibm.ws.objectgrid.SessionImpl;
import com.ibm.ws.objectgrid.corba.ClientContextHandler;
import com.ibm.ws.objectgrid.corba.NO_PERMISSIONHelper;
import com.ibm.ws.objectgrid.corba.ObjectGridClientRequestInterceptor;
import com.ibm.ws.objectgrid.event.RequestSystemEvent;
import com.ibm.ws.objectgrid.event.ResponseSystemEvent;
import com.ibm.ws.objectgrid.objectMapping.ObjectBytes;
import com.ibm.ws.objectgrid.partition.ORBFactory;
import com.ibm.ws.objectgrid.runtime.context.ClientSecurityContext;
import com.ibm.ws.objectgrid.runtime.context.ServerSecurityContext;
import com.ibm.ws.objectgrid.runtime.context.SessionSecurityContext;
import com.ibm.ws.objectgrid.security.config.ServerSecurityConfiguration;
import com.ibm.ws.security.config.SecurityConfigManagerImpl;
import com.ibm.ws.xs.NLSConstants;
import com.ibm.ws.xs.util.dopriv.DoPrivUtil;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Properties;
import java.util.StringTokenizer;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.security.cert.Certificate;
import javax.security.cert.X509Certificate;
import org.omg.CORBA.Any;
import org.omg.CORBA.ORB;
import org.omg.CORBA.ORBPackage.InvalidName;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ForwardRequest;

/* loaded from: input_file:com/ibm/ws/objectgrid/security/util/SecurityUtil.class */
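public class SecurityUtil {
    public static final String DEFAULT_UNKNOWN_STRING = "UNKNOW VALUE";
    public static final String KEY_STORE_PASSWORD = "keyStorePassword";
    public static final String TRUST_STORE_PASSWORD = "trustStorePassword";
    public static final String AUTHENTICATION_SECRET = "authenticationSecret";
    public static final String CREDENTIAL_GENERTOR_PROPS = "credentialGeneratorProps";
    static final TraceComponent tc = Tr.register(SecurityUtil.class, Constants.TR_SECURITY_GROUP_NAME, "com.ibm.ws.objectgrid.resources.ObjectGridMessages");

    /** Value written over secret-bearing properties by {@link #sanitizeProps(Properties)}. */
    private static final String MASKED_VALUE = "xxxxxxxx";

    /** CORBA initial reference name resolved by {@link #addServerSecurityContext()}. */
    private static final String CLIENT_INTERCEPTOR_REFERENCE = "ObjectGridClientInterceptor";

    // Both fields are initialised lazily under the SecurityUtil.class monitor in
    // addServerSecurityContext() and read without that lock on its fast path;
    // volatile makes a fully published value visible to the unsynchronized read.
    private static volatile Method ADD_CONTAINER_SECURITY_CONTEXT = null;
    private static volatile ObjectGridClientRequestInterceptor containerInterceptor = null;

    /**
     * Client-side context handler that ships the client and session security
     * contexts with a request and re-fetches the credential when the server
     * reports that it has expired.
     */
    /* loaded from: input_file:com/ibm/ws/objectgrid/security/util/SecurityUtil$SecurityClientContextHandler.class */
    public static final class SecurityClientContextHandler implements ClientContextHandler {
        /** Reply status value meaning a system exception was received (SYSTEM_EXCEPTION.value). */
        private static final int SYSTEM_EXCEPTION_REPLY_STATUS = 1;
        /** NO_PERMISSION minor code the server uses to signal an expired credential. */
        private static final int CREDENTIAL_EXPIRED_MINOR_CODE = 39065;

        private final ClientSecurityContext clientContext;
        private final SessionSecurityContext sessionContext;
        // Number of credential re-fetches this handler has already attempted; compared
        // against the configured authentication retry count in handleServerException().
        private int retryCount = 0;

        /**
         * @param clientSecurityContext  client-level context sent with each request; may be {@code null}
         * @param sessionSecurityContext session-level context sent with each request; may be {@code null}
         */
        public SecurityClientContextHandler(ClientSecurityContext clientSecurityContext, SessionSecurityContext sessionSecurityContext) {
            this.clientContext = clientSecurityContext;
            this.sessionContext = sessionSecurityContext;
        }

        /** Nothing is read back from the server for this handler. */
        @Override // com.ibm.ws.objectgrid.corba.ClientContextHandler
        public void receiveContext(DataInput dataInput) throws IOException {
        }

        /**
         * Writes the security contexts to the outgoing request: a leading {@code true}
         * marker, then a presence flag followed (when present) by the client context,
         * then a presence flag followed (when present) by the session context.
         *
         * @throws IOException if writing to {@code dataOutput} fails
         */
        @Override // com.ibm.ws.objectgrid.corba.ClientContextHandler
        public void sendContext(DataOutput dataOutput) throws IOException {
            dataOutput.writeBoolean(true);
            writeOptionalClientContext(dataOutput);
            writeOptionalSessionContext(dataOutput);
        }

        // Presence flag + payload for the client context.
        private void writeOptionalClientContext(DataOutput dataOutput) throws IOException {
            boolean present = this.clientContext != null;
            dataOutput.writeBoolean(present);
            if (present) {
                this.clientContext.sendContext(dataOutput);
            }
        }

        // Presence flag + payload for the session context.
        private void writeOptionalSessionContext(DataOutput dataOutput) throws IOException {
            boolean present = this.sessionContext != null;
            dataOutput.writeBoolean(present);
            if (present) {
                this.sessionContext.sendContext(dataOutput);
            }
        }

        /**
         * Reacts to a server-side exception. Only a NO_PERMISSION system exception
         * with the credential-expired minor code is handled: while the retry budget
         * from the client security configuration is not exhausted, the credential is
         * re-fetched and the request is re-issued against the same target via
         * {@link ForwardRequest}. Any other exception is left to propagate normally.
         *
         * @throws ForwardRequest to make the ORB retry the request with the new credential
         */
        @Override // com.ibm.ws.objectgrid.corba.ClientContextHandler
        public void handleServerException(ClientRequestInfo clientRequestInfo, DataInput dataInput) throws ForwardRequest {
            // Evaluated eagerly, as before, so the interception-point contract is unchanged.
            Any receivedException = clientRequestInfo.received_exception();
            String receivedExceptionId = clientRequestInfo.received_exception_id();
            if (!isCredentialExpired(clientRequestInfo, receivedException, receivedExceptionId)) {
                return;
            }
            if (SecurityUtil.isDebugEnabled()) {
                Tr.debug(SecurityUtil.tc, "Client receives a credential expired exception");
            }
            // NOTE(review): clientContext must be non-null here; the only constructor
            // call in this file always passes one, but this is not guarded.
            int maxRetries = this.clientContext.getCsConfig().getAuthenticationRetryCount();
            if (SecurityUtil.isDebugEnabled()) {
                Tr.debug(SecurityUtil.tc, "triedTimes = " + this.retryCount + ", retryCount=" + maxRetries);
            }
            this.retryCount++;
            if (this.retryCount > maxRetries) {
                // Retry budget exhausted: let the NO_PERMISSION reach the caller.
                return;
            }
            if (this.sessionContext != null) {
                this.sessionContext.reGetCredential();
            } else {
                SecurityUtil.reGetCredential(this.clientContext);
            }
            throw new ForwardRequest(clientRequestInfo.target());
        }

        // True when the reply is a NO_PERMISSION system exception carrying the expired-credential minor code.
        private static boolean isCredentialExpired(ClientRequestInfo info, Any receivedException, String receivedExceptionId) {
            if (info.reply_status() != SYSTEM_EXCEPTION_REPLY_STATUS) {
                return false;
            }
            if (!receivedExceptionId.equals(NO_PERMISSIONHelper.id())) {
                return false;
            }
            return NO_PERMISSIONHelper.extract(receivedException).minor == CREDENTIAL_EXPIRED_MINOR_CODE;
        }

        @Override
        public String toString() {
            StringBuilder text = new StringBuilder(super.toString());
            text.append("[clientContext=").append(this.clientContext)
                .append(Constantdef.COMMA)
                .append("sessionContext=").append(this.sessionContext)
                .append(Constantdef.RIGHTSB);
            return text.toString();
        }

        /** @return the configuration of the client context, or {@code null} when there is no client context */
        public ClientSecurityConfiguration getClientSecurityConfiguration() {
            return this.clientContext == null ? null : this.clientContext.getCsConfig();
        }
    }

    // Trace guards, shared by every method below.
    private static boolean isDebugEnabled() {
        return ObjectGridManagerImpl.isTraceEnabled && tc.isDebugEnabled();
    }

    private static boolean isEntryEnabled() {
        return ObjectGridManagerImpl.isTraceEnabled && tc.isEntryEnabled();
    }

    /**
     * Copies security attributes carried on a response back into the runtime
     * client security context.
     *
     * @param responseSystemEvent   response that may carry a client security context;
     *                              {@code null}, or a response without one, is ignored
     * @param clientSecurityContext runtime context that receives the transport type
     * @param z                     when {@code true} the SSO token is propagated as well
     */
    public static void propSecurityAttrsFromResponseToRuntime(ResponseSystemEvent responseSystemEvent, ClientSecurityContext clientSecurityContext, boolean z) {
        if (responseSystemEvent == null) {
            return;
        }
        ClientSecurityContext responseContext = responseSystemEvent.getCsContext();
        if (responseContext == null) {
            return;
        }
        clientSecurityContext.setTransportType(responseContext.getTransportType());
        if (z) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "setting client security context's SSOToken");
            }
            clientSecurityContext.setSSOToken(responseContext.getSSOToken());
        }
    }

    /**
     * Attaches the runtime client security context to an outgoing request.
     *
     * @param clientSecurityContext runtime context to attach
     * @param requestSystemEvent    request to populate; {@code null} is ignored
     * @param z                     {@code true} attaches the context itself, fetching a
     *                              credential first if it has none; {@code false} attaches
     *                              a credential-less clone
     */
    public static void propSecurityAttrsFromRuntimeToRequest(ClientSecurityContext clientSecurityContext, RequestSystemEvent requestSystemEvent, boolean z) {
        if (requestSystemEvent == null) {
            return;
        }
        if (!z) {
            requestSystemEvent.setCsContext(clientSecurityContext.cloneWithNoCred());
            return;
        }
        requestSystemEvent.setCsContext(clientSecurityContext);
        if (clientSecurityContext.getCredential() == null) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "Credential is null. Get it from the CredentialGenerator.");
            }
            reGetCredential(requestSystemEvent);
        }
    }

    /** Re-fetches the credential of the client security context attached to {@code requestSystemEvent}. */
    public static void reGetCredential(RequestSystemEvent requestSystemEvent) {
        reGetCredential(requestSystemEvent.getCsContext());
    }

    /**
     * Obtains a fresh credential from the configured {@link CredentialGenerator},
     * serialises it and stores the bytes in the context. With no generator
     * configured the context is left untouched.
     *
     * @throws ObjectGridRuntimeException if the generator fails, the credential cannot
     *                                    be serialised, or any other error occurs
     */
    public static void reGetCredential(ClientSecurityContext clientSecurityContext) {
        CredentialGenerator generator = clientSecurityContext.getCsConfig().getCredentialGenerator();
        if (generator == null) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "CredentialGenerator is null, the credential will be null.");
            }
            return;
        }
        try {
            Credential credential = generator.getCredential();
            if (isDebugEnabled()) {
                Tr.debug(tc, "getCredential", credential);
            }
            try {
                clientSecurityContext.setCredential(convertObjectToByteArray(credential));
                if (isDebugEnabled()) {
                    Tr.debug(tc, "After reGetCredential, csContext is: " + clientSecurityContext);
                }
            } catch (IOException e) {
                FFDCFilter.processException(e, "com.ibm.ws.objectgrid.security.util.SecurityUtil.propSecurityAttrsFromRuntimeToRequest", "136");
                if (isDebugEnabled()) {
                    Tr.debug(tc, "" + e);
                }
                // This throw happens inside the outer try, so the Throwable handler
                // below logs it and wraps it a second time; kept as it was.
                throw new ObjectGridRuntimeException(e);
            }
        } catch (CannotGenerateCredentialException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.objectgrid.security.util.SecurityUtil.propSecurityAttrsFromRuntimeToRequest", "111");
            throw new ObjectGridRuntimeException(e2);
        } catch (Throwable th) {
            FFDCFilter.processException(th, "com.ibm.ws.objectgrid.security.util.SecurityUtil.reGetCredential", "196");
            Tr.warning(tc, NLSConstants.GENERAL_EXCEPTION_WARNING_CWOBJ0006, th);
            throw new ObjectGridRuntimeException(th);
        }
    }

    /**
     * Refreshes the credential for a request: through the session's own generator
     * when it has one (the session context is then attached to the request),
     * otherwise through the client-level generator.
     */
    public static void reGetCredentialFromSession(SessionImpl sessionImpl, RequestSystemEvent requestSystemEvent) {
        boolean entryTrace = isEntryEnabled();
        if (entryTrace) {
            Tr.entry(tc, "reGetCredentialFromSession", new Object[]{sessionImpl, requestSystemEvent});
        }
        if (sessionImpl.getCredGenerator() == null) {
            reGetCredential(requestSystemEvent);
        } else {
            sessionImpl.regenCredential();
            requestSystemEvent.setSessionContext(sessionImpl.getSessionSecurityContext());
        }
        if (entryTrace) {
            Tr.exit(tc, "reGetCredentialFromSession");
        }
    }

    /** @return a display string for a transport type code (20, 21 or 22). */
    public static String getTransportTypeAsString(int i) {
        return getIntAsString(i, new int[]{20, 21, 22}, new String[]{"TCP/IP", SecurityConstants.SSL_SUPPORTED_STRING, SecurityConstants.SSL_REQUIRED_STRING}, "UNKNOWN TRANSPORT TYPE");
    }

    /** @return a display string for a credential authentication type code (40, 41 or 42). */
    public static String getCredentialAuthenticationTypeAsString(int i) {
        return getIntAsString(i, new int[]{40, 41, 42}, new String[]{SecurityConstants.NEVER_STRING, SecurityConstants.SUPPORTED_STRING, SecurityConstants.REQUIRED_STRING}, "UNKNOWN CREDENTIAL AUTHENTICATION TYPE");
    }

    /** @return a display string for a transport protocol code (31 or 32). */
    public static String getTransportProtocolAsString(int i) {
        return getIntAsString(i, new int[]{31, 32}, new String[]{"TCP/IP", "SSL"}, "UNKNOWN TRANSPORT PROTOCOL");
    }

    /** @return a display string for an authorization mechanism code (0 or 1). */
    public static String getAuthorizationMechanismAsString(int i) {
        return getIntAsString(i, new int[]{0, 1}, new String[]{Constants.AUTHORIZATION_MECHANISM_JAAS_STRING, "custom"}, "UNKNOWN AUTHORIZATION MECHANISM");
    }

    /**
     * Maps an integer code to its label, rendered as {@code label(code)}.
     *
     * @param i      code to look up
     * @param iArr   codes, parallel to {@code strArr}
     * @param strArr labels, parallel to {@code iArr}
     * @param str    label used when {@code i} is not in {@code iArr}
     * @throws IllegalArgumentException if either array is {@code null} or their lengths differ
     */
    public static String getIntAsString(int i, int[] iArr, String[] strArr, String str) {
        if (iArr == null || strArr == null || iArr.length != strArr.length) {
            throw new IllegalArgumentException("The passed in parameters are illegal.");
        }
        for (int index = 0; index < iArr.length; index++) {
            if (iArr[index] == i) {
                return labelWithCode(strArr[index], i);
            }
        }
        return labelWithCode(str, i);
    }

    // Renders "label(code)" using the shared parenthesis constants.
    private static String labelWithCode(String label, int code) {
        return label + Constantdef.LEFTP + code + Constantdef.RIGHTP;
    }

    /** Same as the four-argument overload with {@link #DEFAULT_UNKNOWN_STRING} as the fallback label. */
    public static String getIntAsString(int i, int[] iArr, String[] strArr) {
        return getIntAsString(i, iArr, strArr, DEFAULT_UNKNOWN_STRING);
    }

    /** @return a display string for a client certificate authentication type code (50, 51 or 52). */
    public static String getClientCertificateAuthenticationTypeAsString(int i) {
        return getIntAsString(i, new int[]{50, 51, 52}, new String[]{SecurityConstants.NEVER_STRING, SecurityConstants.SUPPORTED_STRING, SecurityConstants.REQUIRED_STRING}, "UNKNOWN CLIENT CERTIFICATE AUTHENTICATION TYPE");
    }

    /**
     * Trims a configuration value and strips one pair of surrounding double or
     * single quotes, trimming again inside them.
     *
     * @param str raw value; {@code null} yields {@code null}
     * @return the cleaned value
     */
    public static String clean(String str) {
        if (str == null) {
            return null;
        }
        String value = str.trim();
        // A lone quote character is returned as-is; previously it hit substring(1, 0).
        if (value.length() >= 2 && isWrappedIn(value, "\"") || value.length() >= 2 && isWrappedIn(value, "'")) {
            value = value.substring(1, value.length() - 1).trim();
        }
        return value;
    }

    // True when the value both starts and ends with the given quote string.
    private static boolean isWrappedIn(String value, String quote) {
        return value.startsWith(quote) && value.endsWith(quote);
    }

    /**
     * Returns a copy of {@code properties} with the secret-bearing entries
     * ({@link #KEY_STORE_PASSWORD}, {@link #TRUST_STORE_PASSWORD},
     * {@link #AUTHENTICATION_SECRET}, {@link #CREDENTIAL_GENERTOR_PROPS}) masked,
     * suitable for logging. The input is never modified.
     *
     * @return the masked copy, or the input itself when it is {@code null} or empty
     */
    public static Properties sanitizeProps(Properties properties) {
        if (properties == null || properties.isEmpty()) {
            return properties;
        }
        Properties masked = (Properties) properties.clone();
        maskIfPresent(masked, KEY_STORE_PASSWORD);
        maskIfPresent(masked, TRUST_STORE_PASSWORD);
        maskIfPresent(masked, AUTHENTICATION_SECRET);
        maskIfPresent(masked, CREDENTIAL_GENERTOR_PROPS);
        return masked;
    }

    // Overwrites the value for key when the key is present (defaults are not consulted).
    private static void maskIfPresent(Properties props, String key) {
        if (props.containsKey(key)) {
            props.setProperty(key, MASKED_VALUE);
        }
    }

    /**
     * Serialises an object with {@link ObjectBytes}.
     *
     * @return the serialised bytes, or {@code null} for a {@code null} object
     * @throws IOException if serialisation fails
     */
    public static byte[] convertObjectToByteArray(Object obj) throws IOException {
        return obj == null ? null : ObjectBytes.objectToBytes(obj);
    }

    /**
     * Deserialises bytes produced by {@link #convertObjectToByteArray(Object)}.
     * NOTE(review): this is Java object deserialisation; callers should only feed it
     * bytes from a trusted, authenticated source.
     *
     * @return the object, or {@code null} for a {@code null} array
     * @throws IOException            if deserialisation fails
     * @throws ClassNotFoundException if a serialised class cannot be loaded
     */
    public static Object convertByteArrayToObject(byte[] bArr) throws IOException, ClassNotFoundException {
        return bArr == null ? null : ObjectBytes.bytesToObject(bArr);
    }

    /**
     * Checks the peer certificate of an established SSL socket against a required
     * subject DN and closes the socket when it does not match.
     *
     * @throws ObjectGridRuntimeException if the peer is unverified or the DN does not match
     */
    public static void validateCertSubjectDN(SSLSocket sSLSocket, String str) throws ObjectGridRuntimeException {
        Certificate[] peerChain;
        try {
            peerChain = sSLSocket.getSession().getPeerCertificateChain();
        } catch (SSLPeerUnverifiedException e) {
            throw new ObjectGridRuntimeException(e);
        }
        if (validateCertSubjectDN(peerChain, str)) {
            return;
        }
        try {
            sSLSocket.close();
        } catch (IOException e) {
            // Best effort: the socket is being rejected anyway, so only trace the close failure.
            if (isDebugEnabled()) {
                Tr.debug(tc, "IOException during socket close" + e);
            }
        }
        throw new ObjectGridRuntimeException("The subject DN name in the certificate doesn't match the required DN name");
    }

    /**
     * Checks that every comma-separated component of the required DN appears in
     * the subject DN of the first certificate of the chain. Both DNs are
     * normalised with {@link #formatDNName(String)} first.
     *
     * @param certificateArr peer certificate chain; the first entry is checked
     * @param str            required subject DN
     * @return {@code true} when every required component is found
     * @throws ObjectGridRuntimeException if the chain is {@code null} or empty, or the
     *                                    first certificate is not an X.509 certificate
     */
    public static boolean validateCertSubjectDN(Certificate[] certificateArr, String str) {
        // An empty array previously raised ArrayIndexOutOfBoundsException instead of this.
        if (certificateArr == null || certificateArr.length == 0 || certificateArr[0] == null) {
            throw new ObjectGridRuntimeException("The peer certificate array is null or doesn't contain any certificate.");
        }
        if (!(certificateArr[0] instanceof X509Certificate)) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "Certificate type is not X509Certificate, throw an exception.");
            }
            throw new ObjectGridRuntimeException("Certificate type is not X509Certificate, throw an exception.");
        }
        String subjectName = ((X509Certificate) certificateArr[0]).getSubjectDN().getName();
        if (subjectName == null) {
            // The old null check sat after trim() and could never fire.
            return false;
        }
        String trim = subjectName.trim();
        if (isDebugEnabled()) {
            Tr.debug(tc, "Check the Certificate");
            Tr.debug(tc, "The Subject DN name in the certificate is " + trim);
            Tr.debug(tc, "The required DN name is " + str);
        }
        String dnName = formatDNName(trim);
        String reqSubjectDN = formatDNName(str);
        if (isDebugEnabled()) {
            Tr.debug(tc, "dnName is " + dnName);
            Tr.debug(tc, "reqSubjectDN is " + reqSubjectDN);
        }
        StringTokenizer requiredParts = new StringTokenizer(reqSubjectDN, Constantdef.COMMA);
        while (requiredParts.hasMoreTokens()) {
            String requiredPart = requiredParts.nextToken().trim();
            // NOTE(review): indexOf is a substring test, so a required component such as
            // CN=foo is also satisfied by a subject containing CN=foobar. An exact
            // component-by-component comparison would be stricter but changes which
            // peers are accepted; confirm with existing configurations before tightening.
            if (dnName.indexOf(requiredPart) < 0) {
                if (isDebugEnabled()) {
                    Tr.debug(tc, "'" + requiredPart + "' cannot be found in the peer certificate subject DN.");
                }
                return false;
            }
        }
        return true;
    }

    /**
     * Normalises a DN by splitting it on {@code CFG_VALUE_DELIM}, trimming each
     * component and re-joining with the same delimiter.
     */
    public static String formatDNName(String str) {
        StringTokenizer parts = new StringTokenizer(str, SecurityConfigManagerImpl.CFG_VALUE_DELIM);
        StringBuilder normalised = new StringBuilder(str.length());
        boolean first = true;
        while (parts.hasMoreTokens()) {
            if (!first) {
                normalised.append(SecurityConfigManagerImpl.CFG_VALUE_DELIM);
            }
            normalised.append(parts.nextToken().trim());
            first = false;
        }
        return normalised.toString();
    }

    /**
     * Validates the mandatory fields of an SSL configuration.
     *
     * @param sSLConfiguration configuration to check
     * @param z                {@code true} checks the trust store fields, {@code false}
     *                         the key store fields; context provider and protocol are
     *                         always checked
     * @throws IllegalArgumentException naming the first field that is {@code null} or blank
     */
    public static void checkSSLConfig(SSLConfiguration sSLConfiguration, boolean z) {
        requireNonBlank(sSLConfiguration.getContextProvider(), "context provider");
        requireNonBlank(sSLConfiguration.getProtocol(), "protocol");
        if (z) {
            requireNonBlank(sSLConfiguration.getTrustStore(), "trust store file name");
            requireNonBlank(sSLConfiguration.getTrustStoreType(), "trust store type");
            requireNonBlank(sSLConfiguration.getTrustStorePassword(), "trust store password");
        } else {
            requireNonBlank(sSLConfiguration.getKeyStore(), "key store file name");
            requireNonBlank(sSLConfiguration.getKeyStoreType(), "key store type");
            requireNonBlank(sSLConfiguration.getKeyStorePassword(), "key store password");
        }
    }

    // Throws the configuration error for a null or whitespace-only value.
    private static void requireNonBlank(String value, String description) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException("The " + description + " is null or an empty string");
        }
    }

    /**
     * Installs (or, for a {@code null} context, clears) the security context handler
     * on the client request interceptor.
     *
     * @param sessionImpl                        session whose own credential generator, if any,
     *                                           supplies a session context; may be {@code null}
     * @param clientSecurityContext              client context; {@code null} clears the handler
     * @param objectGridClientRequestInterceptor interceptor receiving the handler
     * @param z                                  passed through to {@code addContextHandler}
     */
    public static void addClientSecurityContext(SessionImpl sessionImpl, ClientSecurityContext clientSecurityContext, ObjectGridClientRequestInterceptor objectGridClientRequestInterceptor, boolean z) {
        boolean entryTrace = isEntryEnabled();
        if (entryTrace) {
            Tr.entry(tc, "addClientSecurityContext", new Object[]{sessionImpl, clientSecurityContext, objectGridClientRequestInterceptor});
        }
        // Handler slot 1 — presumably the security slot of the interceptor; confirm against
        // ObjectGridClientRequestInterceptor.
        if (clientSecurityContext == null) {
            objectGridClientRequestInterceptor.addContextHandler((short) 1, null, z);
            if (entryTrace) {
                Tr.exit(tc, "addClientSecurityContext", "cleared the context");
            }
            return;
        }
        ClientSecurityContext contextToSend = clientSecurityContext;
        SessionSecurityContext sessionContext = null;
        if (sessionImpl != null && sessionImpl.getCredGenerator() != null) {
            // The session carries its own credential, so the client context is sent without one.
            sessionContext = sessionImpl.getSessionSecurityContext();
            contextToSend = clientSecurityContext.cloneWithNoCred();
        } else if (clientSecurityContext.getCredential() == null) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "Credential is null. Get it from the CredentialGenerator.");
            }
            reGetCredential(clientSecurityContext);
        }
        objectGridClientRequestInterceptor.addContextHandler((short) 1, new SecurityClientContextHandler(contextToSend, sessionContext), z);
        if (entryTrace) {
            Tr.exit(tc, "addClientSecurityContext");
        }
    }

    /**
     * @return the server security configuration of the named cluster member
     *         (NOTE(review): an unknown member name is not guarded and would surface as a NullPointerException)
     */
    public static ServerSecurityConfiguration getSSConfig(String str) {
        return CatalogClusterUtility.getClusterConfiguration().getClusterMemberByName(str).getServerSecurityConfiguration();
    }

    /** @return this server's security configuration, or {@code null} when no server security context is set up */
    public static ServerSecurityConfiguration getSSConfig() {
        ServerSecurityProperties serverProps = ServerSecurityConfigService.instance().getServerSecurityProperties();
        if (serverProps == null) {
            return null;
        }
        ServerSecurityContext serverContext = serverProps.getServerSecurityContext();
        return serverContext == null ? null : serverContext.getSsConfig();
    }

    /**
     * Invokes {@code addContainerSecurityContext()} on the ORB's client request
     * interceptor, resolving the interceptor and the reflective method on first use.
     * Does nothing when no ORB is available, and returns silently (after FFDC) when
     * the initial reference cannot be resolved.
     *
     * @throws ObjectGridRuntimeException if the interceptor class or method cannot be
     *                                    found, or the invocation fails
     */
    public static void addServerSecurityContext() {
        ORB orb = ORBFactory.getORB();
        if (orb == null) {
            return;
        }
        // Both halves are checked: previously a failed method lookup left the interceptor
        // cached but the Method null, so every later call skipped initialisation and NPE'd.
        if (containerInterceptor == null || ADD_CONTAINER_SECURITY_CONTEXT == null) {
            synchronized (SecurityUtil.class) {
                if (containerInterceptor == null) {
                    try {
                        containerInterceptor = (ObjectGridClientRequestInterceptor) orb.resolve_initial_references(CLIENT_INTERCEPTOR_REFERENCE);
                    } catch (InvalidName e) {
                        FFDCFilter.processException(e, "com.ibm.ws.objectgrid.security.util.SecurityUtil.addServerSecurityContext", "");
                        return;
                    }
                    if (isDebugEnabled()) {
                        Tr.debug(tc, "addServerSecurityContext gets the ClientRequestInterceptor: " + containerInterceptor);
                    }
                }
                if (ADD_CONTAINER_SECURITY_CONTEXT == null) {
                    ADD_CONTAINER_SECURITY_CONTEXT = lookupAddContainerSecurityContext();
                }
            }
        }
        try {
            ADD_CONTAINER_SECURITY_CONTEXT.invoke(containerInterceptor, new Object[0]);
        } catch (IllegalAccessException e) {
            throw new ObjectGridRuntimeException(e);
        } catch (IllegalArgumentException e) {
            throw new ObjectGridRuntimeException(e);
        } catch (InvocationTargetException e) {
            throw new ObjectGridRuntimeException(e);
        }
    }

    // Reflectively locates ContainerClientRequestInterceptor.addContainerSecurityContext().
    private static Method lookupAddContainerSecurityContext() {
        try {
            return DoPrivUtil.forName("com.ibm.ws.objectgrid.corba.ContainerClientRequestInterceptor").getMethod("addContainerSecurityContext", new Class[0]);
        } catch (ClassNotFoundException e) {
            throw new ObjectGridRuntimeException(e);
        } catch (NoSuchMethodException e) {
            throw new ObjectGridRuntimeException(e);
        } catch (SecurityException e) {
            throw new ObjectGridRuntimeException(e);
        }
    }

    /**
     * Instantiates a {@link CredentialGenerator} by class name and, when given,
     * applies its encoded properties.
     *
     * @param str  generator class name; {@code null} or empty yields {@code null}
     * @param str2 encoded generator properties, decoded with {@code PasswordUtil}; blank is ignored
     * @return the configured generator, or {@code null} when no class name was given
     * @throws ObjectGridRuntimeException wrapping any failure, including an unsupported
     *                                    property encoding
     */
    public static CredentialGenerator createCredentialGenerator(String str, String str2) {
        if (str == null || str.length() == 0) {
            return null;
        }
        try {
            CredentialGenerator generator = (CredentialGenerator) DoPrivUtil.contextClassLoaderForName(str).newInstance();
            if (str2 != null && str2.trim().length() > 0) {
                String decodedProps = PasswordUtil.passwordDecode(str2);
                if (decodedProps == null) {
                    // Caught by the handler below and surfaced as ObjectGridRuntimeException, as before.
                    throw new IllegalArgumentException("The credential generator properties uses an unsupported encoding algorithm.");
                }
                generator.setProperties(decodedProps);
            }
            return generator;
        } catch (Exception e) {
            throw new ObjectGridRuntimeException("Exception occurs when constructing the CredentialGenerator: " + e.getMessage(), e);
        }
    }
}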
