package com.tivoli.core.ns;

import com.ibm.db2.jcc.t2zos.m;
import com.ibm.distman.voyagerx.security.ssl.sslite.PKI;
import com.ibm.distman.voyagerx.security.ssl.sslite.SMIME;
import com.ibm.distman.voyagerx.security.ssl.sslite.SSLCert;
import com.ibm.distman.voyagerx.security.ssl.sslite.SSLName;
import com.ibm.distman.voyagerx.security.ssl.sslite.SSLRuntimeException;
import com.ibm.logging.ILogger;
import com.tivoli.core.component.IAccessManager;
import com.tivoli.core.directory.Directory;
import com.tivoli.core.oid.Oid;
import com.tivoli.core.orb.info.InfoException;
import com.tivoli.core.orb.info.InfoNameExistsException;
import com.tivoli.core.orb.info.InfoService;
import com.tivoli.core.orb.info.ORBOid;
import com.tivoli.core.security.AccessRight;
import com.tivoli.core.security.NoSuchResourceException;
import com.tivoli.core.security.SecurityServiceManager;
import com.tivoli.core.security.UnresolvedResourceException;
import com.tivoli.core.security.acn.common.AuthenticationException;
import com.tivoli.core.security.acn.common.IACNConstants;
import com.tivoli.core.security.acn.server.IAcnEngine;
import com.tivoli.core.security.common.ISecurityContext;
import com.tivoli.core.security.common.SecurityContextUtils;
import com.tivoli.util.logging.LogManagerFactory;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Date;
import java.util.Properties;

/* JADX WARN: Classes with same name are omitted:
  input_file:DMSDependencies/mm_orb.jar:com/tivoli/core/ns/OrbRaServer.class
 */
/* loaded from: input_file:com.tivoli.eDMS_1.8.0.20050921D.jar:DMSDependencies/mm_orb.jar:com/tivoli/core/ns/OrbRaServer.class */
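/**
 * Registration-authority side of ORB certificate enrolment, backed by the {@link NSCA}
 * obtained (under a privileged action) in the constructor.
 *
 * <p>Three flows are served:
 * <ul>
 *   <li>{@link #issueNewOrbCertificate} / {@link #issueNewOrbCertificateForRecovery}: the caller
 *       presents a MAC over the certificate request; the ACN service verifies the MAC, and the
 *       resulting security context must hold the "install" right before anything is issued. The
 *       reply is MAC-protected under that same context.</li>
 *   <li>{@link #confirmOrbCertificate}: an S/MIME blob signed with an issued ORB certificate
 *       registers the ORB (name taken from the signed content) with the info service.</li>
 *   <li>{@link #updateOrbCertificate}: an S/MIME blob signed with an existing ORB certificate
 *       carries a PKCS#10 request; a replacement certificate is issued for the ORB id of the
 *       signing certificate. Authorization here rests solely on the S/MIME signature.</li>
 * </ul>
 *
 * <p>Changes from the previous revision: the ACN-service wait loop no longer swallows thread
 * interruption (it re-interrupts and aborts the request) and no longer busy-spins when the lookup
 * returns {@code null}; {@code confirmOrbCertificate} applies the same "signer certificate must
 * be attached" guard that {@code updateOrbCertificate} already had instead of failing with an
 * {@link ArrayIndexOutOfBoundsException}; a failed decode of the ORB name is reported instead of
 * registering an ORB with a {@code null} name; and authorization denials are logged.
 */
public class OrbRaServer implements IOrbRegistrationAuthority {
    private static final String COPYRIGHT = "\nLicensed Materials - Property of IBM\n\n5698-TKS\n\nCopyright IBM Corp. 1999, 2000 All Rights Reserved\n\nUS Government Users Restricted Rights - Use, duplication or disclosure\nrestricted by GSA ADP Schedule Contract with IBM Corp.\n";
    private static final String sClassRevision = "$Revision: @(#)54 1.13 orb/src/com/tivoli/core/ns/OrbRaServer.java, mm_orb, mm_orb_dev 00/11/01 10:06:58 $";
    private static final AccessRight INSTALL_RIGHT = new AccessRight("install");
    private static final String tmsFile = "com.tivoli.core.ns.tms.FNG_ns_msg";
    /** Resource against which the "install" right is evaluated. */
    private static final String INSTALL_TARGET = "system/services/signOnTargets/KernelService";
    /** Pause between attempts to reach the ACN service, in milliseconds. */
    private static final long ACN_RETRY_DELAY_MS = 60000L;
    String className = "com.tivoli.core.ns.OrbRaServer";
    IRegistrationAuthority ra = null;
    /** Certification authority that signs every certificate this RA hands out. */
    NSCA ca;
    private static ILogger trace;
    private static ILogger logger;

    static {
        logger = LogManagerFactory.getMessageLogger(INetSecMsgKeys.NS_LOGGER);
        logger.setMessageFile(tmsFile);
        trace = LogManagerFactory.getTraceLogger(INetSecMsgKeys.NS_TRACER);
    }

    /** Binds this RA to the certification authority supplied by {@link NetSecurityFactory}. */
    public OrbRaServer() {
        this.ca = getCertificationAuthorityPriv();
    }

    /**
     * Logs {@code failure} at {@code level} against {@code method} when the message logger is
     * enabled. Shared by every failure path so the level/format stays uniform.
     */
    private void logFailure(long level, String method, Exception failure) {
        if (logger.isLogging()) {
            logger.exception(level, this.className, method, failure);
        }
    }

    /**
     * Obtains the ACN engine, retrying every {@link #ACN_RETRY_DELAY_MS} while the lookup fails
     * or returns {@code null}.
     *
     * @param method the calling method name, for log attribution
     * @return a non-null engine
     * @throws NetworkSecurityException if the thread is interrupted while waiting; the interrupt
     *         flag is restored so the caller's shutdown logic still sees it
     */
    private IAcnEngine acquireAcnEngine(String method) throws NetworkSecurityException {
        while (true) {
            try {
                IAcnEngine engine = getACNService();
                if (engine != null) {
                    return engine;
                }
                if (trace.isLogging()) {
                    trace.text(262144L, this.className, method, "ACN service lookup returned null; waiting 60 seconds");
                }
            } catch (Exception e) {
                logFailure(262144L, method, e);
                if (trace.isLogging()) {
                    trace.text(262144L, this.className, method, "Exception getting acn service waiting 60 seconds");
                }
            }
            try {
                Thread.sleep(ACN_RETRY_DELAY_MS);
            } catch (InterruptedException interrupted) {
                Thread.currentThread().interrupt();
                NetworkSecurityException failure = new NetworkSecurityException("UNKNOWN_ERROR", tmsFile, interrupted);
                logFailure(262144L, method, failure);
                throw failure;
            }
        }
    }

    /**
     * Verifies the caller's MAC over {@code request} and evaluates the "install" right in the
     * resulting context.
     *
     * @param credentials {@code [0]} and {@code [1]} are passed straight to
     *        {@link IAcnEngine#verifyMAC} as its first and third arguments
     * @param request the data the MAC covers (the certificate request)
     * @return the verified context when it holds the install right, otherwise {@code null}
     * @throws NetworkSecurityException on authentication failure
     *         ({@code INVALID_USER_NAME_OR_PASSWORD}) or a reflection/ACN problem
     *         ({@code UNKNOWN_ERROR})
     */
    private ISecurityContext checkAuthorization(byte[][] credentials, byte[] request) throws NetworkSecurityException {
        final String method = "checkAuthorization(byte[][], byte[])";
        if (trace.isLogging()) {
            // NOTE(review): the failure key below is INVALID_USER_NAME_OR_PASSWORD, so these
            // arrays may carry credential material; consider omitting them from the trace.
            trace.entry(1048576L, (Object) this.className, method, new Object[]{credentials, request});
        }
        IAcnEngine engine = acquireAcnEngine(method);
        try {
            ISecurityContext context = engine.verifyMAC(credentials[0], request, credentials[1]);
            // isAuthorizedToInstall is evaluated under the caller's verified context, not ours.
            Boolean authorized = (Boolean) SecurityContextUtils.runAs(this,
                    getClass().getMethod("isAuthorizedToInstall", new Class[0]), new Object[0], context);
            if (!authorized.booleanValue()) {
                context = null;
            }
            if (trace.isLogging()) {
                trace.exit(1048576L, this.className, method, context);
            }
            return context;
        } catch (AuthenticationException e) {
            NetworkSecurityException failure = new NetworkSecurityException("INVALID_USER_NAME_OR_PASSWORD", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        } catch (IllegalAccessException e) {
            NetworkSecurityException failure = new NetworkSecurityException("UNKNOWN_ERROR", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        } catch (NoSuchMethodException e) {
            NetworkSecurityException failure = new NetworkSecurityException("UNKNOWN_ERROR", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        } catch (InvocationTargetException e) {
            NetworkSecurityException failure = new NetworkSecurityException("UNKNOWN_ERROR", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        }
    }

    /**
     * Authenticates and authorizes an enrolment caller.
     *
     * @return the caller's verified context, never {@code null}
     * @throws NetworkSecurityException {@code USER_NOT_AUTHORIZED_TO_INSTALL} when the context
     *         lacks the install right, plus whatever {@link #checkAuthorization} raises
     */
    private ISecurityContext requireInstaller(byte[][] credentials, byte[] request, String method) throws NetworkSecurityException {
        ISecurityContext installer = checkAuthorization(credentials, request);
        if (installer == null) {
            NetworkSecurityException denied = new NetworkSecurityException("USER_NOT_AUTHORIZED_TO_INSTALL", tmsFile, null);
            logFailure(262144L, method, denied);
            throw denied;
        }
        return installer;
    }

    /**
     * True when a signer certificate is attached and it is the one the signature names
     * (issuer name and serial number both match). An S/MIME blob with no attached certificate
     * is rejected rather than indexing past the end of the array.
     */
    private static boolean signerMatchesAttachedCert(SMIME smime) {
        if (smime.certs.length <= 0) {
            return false;
        }
        SSLName signerIssuer = smime.issuers[0];
        byte[] signerSerial = smime.serialNumbers[0];
        SSLCert attached = smime.certs[0];
        return signerIssuer.equals(attached.issuerName()) && Arrays.equals(signerSerial, attached.serialNumber());
    }

    /** Builds the X.500 subject used for every system certificate: {@code serial=<serial>,<type>=<system id>}. */
    private static Object systemSubjectFor(String serial) {
        StringBuffer subject = new StringBuffer("serial=").append(serial).append(",")
                .append(CoreNSConstants.CERT_TYPE_COMPONENT_STRING).append("=")
                .append(CoreNSConstants.SYSTEM_CERTIFICATE_IDENTIFIER);
        return PKI.x500Name(subject.toString());
    }

    /**
     * Allocates a fresh ORB id in the current namespace.
     *
     * @throws NetworkSecurityException {@code INFO_SERVICE_READ_NS_EXCEPTION} if the info
     *         service cannot be read
     */
    private String allocateOrbSerial(String method) throws NetworkSecurityException {
        try {
            return InfoService.allocOrbId(InfoService.getInfoService().getCurrentNamespace()).toString();
        } catch (InfoException e) {
            NetworkSecurityException failure = new NetworkSecurityException("INFO_SERVICE_READ_NS_EXCEPTION", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        }
    }

    /**
     * Issues a certificate for {@code subject} bound to the key of the verified request, then
     * returns it followed by the CA's public chain as a package signed with the issuing CA key.
     *
     * @param subject an X.500 name as produced by {@code PKI.x500Name}
     * @param requestCert element {@code [1]} of {@code PKI.verifyCertRequest}'s result
     */
    private byte[] issueAndPackage(Object subject, Object requestCert) throws NetworkSecurityException {
        SSLCert issued = this.ca.issueCert(0, (String) null, (byte[]) subject, (byte[]) null, (Date) null, (SSLCert) requestCert, (byte[]) null, 0L);
        SSLCert[] chain = this.ca.caPublicCerts();
        SSLCert[] bundle = new SSLCert[chain.length + 1];
        bundle[0] = issued;
        System.arraycopy(chain, 0, bundle, 1, chain.length);
        return NSUtil.signAndPackageCerts(bundle, this.ca.getIssuerPrivateCert(issued));
    }

    /**
     * Registers an ORB whose certificate has been issued. {@code bArr} is an S/MIME blob that
     * must verify against the CA chain and be signed by the attached certificate; the ORB id is
     * taken from that certificate and the ORB name from the signed content.
     *
     * @throws NetworkSecurityException {@code CONFIRM_SIGNATURE_NOT_VERIFIED},
     *         {@code ATTCHD_CRT_DSNT_MTCH_SIG}, {@code ORB_NAME_IN_USE},
     *         {@code INFO_SERVICE_CREATE_EXCEPTION} or {@code UNKNOWN_ERROR}
     */
    @Override // com.tivoli.core.ns.IOrbRegistrationAuthority
    public void confirmOrbCertificate(byte[] bArr) throws NetworkSecurityException {
        final String method = "confirmOrbCertificate(byte[])";
        if (trace.isLogging()) {
            trace.entry(1048576L, this.className, method);
        }
        SMIME smime = new SMIME(bArr, (byte[]) null, this.ca.caPublicCerts());
        if (!smime.validFlags[0]) {
            NetworkSecurityException failure = new NetworkSecurityException("CONFIRM_SIGNATURE_NOT_VERIFIED", tmsFile, null);
            logFailure(512L, method, failure);
            throw failure;
        }
        if (!signerMatchesAttachedCert(smime)) {
            NetworkSecurityException failure = new NetworkSecurityException("ATTCHD_CRT_DSNT_MTCH_SIG", tmsFile, null);
            logFailure(512L, method, failure);
            throw failure;
        }
        String orbName;
        try {
            orbName = new String(smime.content, m.e);
        } catch (UnsupportedEncodingException e) {
            // Previously swallowed, which registered an ORB with a null name.
            NetworkSecurityException failure = new NetworkSecurityException("UNKNOWN_ERROR", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        }
        SSLCert orbCert = smime.certs[0];
        if (trace.isLogging()) {
            trace.text(262144L, this.className, method, new StringBuffer("Confirming Certificate: ").append(NSUtil.certToString(orbCert)).toString());
        }
        try {
            ORBOid orbId = (ORBOid) Oid.fromString(NSUtil.getOrbIdFromCert(orbCert));
            InfoService.getInfoService().createOrb(orbId, orbName, new Properties());
            if (trace.isLogging()) {
                trace.exit(1048576L, this.className, method);
            }
        } catch (InfoNameExistsException e) {
            NetworkSecurityException failure = new NetworkSecurityException("ORB_NAME_IN_USE", tmsFile, orbName, e);
            logFailure(262144L, method, failure);
            throw failure;
        } catch (InfoException e) {
            NetworkSecurityException failure = new NetworkSecurityException("INFO_SERVICE_CREATE_EXCEPTION", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        } catch (Exception e) {
            NetworkSecurityException failure = new NetworkSecurityException("UNKNOWN_ERROR", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        }
    }

    /** Looks up the ACN (authentication) engine through the access manager; may return {@code null}. */
    private IAcnEngine getACNService() throws Exception {
        final String method = "getACNService()";
        if (trace.isLogging()) {
            trace.entry(1048576L, this.className, method);
        }
        IAccessManager accessManager = (IAccessManager) Directory.lookup(IAccessManager.NAME);
        IAcnEngine engine = accessManager.getService(IACNConstants.AS_SVC_NAME, null);
        if (trace.isLogging()) {
            trace.exit(1048576L, this.className, method, engine);
        }
        return engine;
    }

    /** Fetches the CA under a privileged action so the factory's checks run with this class's permissions. */
    private NSCA getCertificationAuthorityPriv() {
        return (NSCA) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.tivoli.core.ns.OrbRaServer.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                return NetSecurityFactory.getCertificationAuthority();
            }
        });
    }

    /**
     * Wraps {@code payload} with a MAC generated under {@code context} so the requester can
     * verify the reply came from this RA.
     *
     * @throws NetworkSecurityException {@code UNKNOWN_ERROR} if MAC generation fails
     */
    private byte[] getReturnDataWithMAC(byte[] payload, ISecurityContext context) throws NetworkSecurityException {
        final String method = "getReturnDataWithMAC(byte[], ISecurityContext)";
        if (trace.isLogging()) {
            trace.entry(1048576L, (Object) this.className, method, new Object[]{payload, context});
        }
        IAcnEngine engine = acquireAcnEngine(method);
        try {
            byte[] protectedPayload = engine.generateMAC(context, payload).getDataWithHash();
            if (trace.isLogging()) {
                trace.exit(1048576L, this.className, method, protectedPayload);
            }
            return protectedPayload;
        } catch (Exception e) {
            NetworkSecurityException failure = new NetworkSecurityException("UNKNOWN_ERROR", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        }
    }

    /**
     * Evaluates whether the current security context holds the "install" right on
     * {@link #INSTALL_TARGET}. Public only because {@link #checkAuthorization} invokes it
     * reflectively via {@code SecurityContextUtils.runAs} under the caller's verified context;
     * it is not part of {@link IOrbRegistrationAuthority}.
     *
     * @return {@code Boolean.FALSE} when the resource cannot be found or resolved
     */
    public Boolean isAuthorizedToInstall() {
        final String method = "isAuthorizedToInstall()";
        if (trace.isLogging()) {
            trace.entry(1048576L, this.className, method);
        }
        Boolean authorized;
        try {
            authorized = Boolean.valueOf(SecurityServiceManager.isAuthorized(INSTALL_RIGHT, 1, INSTALL_TARGET));
        } catch (NoSuchResourceException e) {
            logFailure(262144L, method, e);
            authorized = Boolean.FALSE;
        } catch (UnresolvedResourceException e) {
            logFailure(262144L, method, e);
            authorized = Boolean.FALSE;
        }
        if (trace.isLogging()) {
            trace.exit(1048576L, this.className, method);
        }
        return authorized;
    }

    /**
     * Issues a certificate for a newly installed ORB. The subject in the request is ignored; a
     * fresh ORB id is allocated and the subject is built from it, so a requester cannot choose
     * its own identity.
     *
     * @param bArr MAC inputs, see {@link #checkAuthorization}
     * @param bArr2 the certificate request the MAC covers
     * @return the issued certificate plus CA chain, signed by the CA and MAC-protected under
     *         the caller's context
     * @throws NetworkSecurityException {@code USER_NOT_AUTHORIZED_TO_INSTALL},
     *         {@code ORB_CERT_REQ_VERIFICATION_FAILED}, {@code INFO_SERVICE_READ_NS_EXCEPTION}
     *         or the failures of {@link #checkAuthorization}
     */
    @Override // com.tivoli.core.ns.IOrbRegistrationAuthority
    public byte[] issueNewOrbCertificate(byte[][] bArr, byte[] bArr2) throws NetworkSecurityException {
        final String method = "issueNewOrbCertificate(byte[], byte[])";
        if (trace.isLogging()) {
            // NOTE(review): bArr is verifyMAC input and may carry credential material.
            trace.entry(1048576L, (Object) this.className, method, new Object[]{bArr, bArr2});
        }
        ISecurityContext installer = requireInstaller(bArr, bArr2, method);
        try {
            Object[] request = PKI.verifyCertRequest(bArr2);
            if (trace.isLogging()) {
                trace.text(524289L, this.className, method, "Certificate Request Subject Info: {0}", PKI.x500Name(request[0], 0).toString());
            }
            request[0] = systemSubjectFor(allocateOrbSerial(method));
            if (trace.isLogging()) {
                trace.text(524288L, this.className, method, "New Certificate Subject: {0}", PKI.x500Name(request[0], 0).toString());
            }
            byte[] reply = getReturnDataWithMAC(issueAndPackage(request[0], request[1]), installer);
            if (trace.isLogging()) {
                trace.exit(1048576L, this.className, method, reply);
            }
            return reply;
        } catch (SSLRuntimeException e) {
            NetworkSecurityException failure = new NetworkSecurityException("ORB_CERT_REQ_VERIFICATION_FAILED", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        }
    }

    /**
     * Re-issues a certificate for an ORB that lost its own. Unlike
     * {@link #issueNewOrbCertificate}, the subject is taken verbatim from the request.
     *
     * <p>NOTE(review): nothing here ties the requested subject to the caller, so any principal
     * holding the install right can obtain a certificate for any ORB serial. Confirm that this
     * is the intended trust model for recovery, or bind the subject to the caller's context.
     *
     * @throws NetworkSecurityException {@code USER_NOT_AUTHORIZED_TO_INSTALL},
     *         {@code ORB_CERT_REQ_VERIFICATION_FAILED} or the failures of
     *         {@link #checkAuthorization}
     */
    @Override // com.tivoli.core.ns.IOrbRegistrationAuthority
    public byte[] issueNewOrbCertificateForRecovery(byte[][] bArr, byte[] bArr2) throws NetworkSecurityException {
        final String method = "issueNewOrbCertificateForRecovery(byte[], byte[])";
        if (trace.isLogging()) {
            trace.entry(1048576L, this.className, method);
        }
        ISecurityContext installer = requireInstaller(bArr, bArr2, method);
        try {
            Object[] request = PKI.verifyCertRequest(bArr2);
            if (trace.isLogging()) {
                trace.text(524289L, this.className, method, "Certificate Request Subject Info: {0}", PKI.x500Name(request[0], 0).toString());
            }
            byte[] reply = getReturnDataWithMAC(issueAndPackage(request[0], request[1]), installer);
            if (trace.isLogging()) {
                trace.exit(1048576L, this.className, method);
            }
            return reply;
        } catch (SSLRuntimeException e) {
            NetworkSecurityException failure = new NetworkSecurityException("ORB_CERT_REQ_VERIFICATION_FAILED", tmsFile, e);
            logFailure(262144L, method, failure);
            throw failure;
        }
    }

    /**
     * Renews an ORB certificate. {@code bArr} is an S/MIME blob signed with the ORB's current
     * certificate (verified against the CA chain) whose content is a PKCS#10 request. The new
     * subject is derived from the signing certificate's ORB id, so the request cannot change
     * the ORB's identity. There is no MAC/install-right check on this path; the S/MIME
     * signature is the only authorization.
     *
     * @return the new certificate plus CA chain, signed by the CA (not MAC-protected)
     * @throws CertificateUpdateException {@code UPDATE_SIGNATURE_NOT_VERIFIED},
     *         {@code UPDATE_CRT_DSNT_MTCH_SIG} or {@code ORB_CERT_REQ_VERIFICATION_FAILED}
     */
    @Override // com.tivoli.core.ns.IOrbRegistrationAuthority
    public byte[] updateOrbCertificate(byte[] bArr) throws NetworkSecurityException {
        final String method = "updateOrbCertificate(byte[])";
        if (trace.isLogging()) {
            trace.entry(1048576L, this.className, method);
        }
        try {
            SMIME smime = new SMIME(bArr, (byte[]) null, this.ca.caPublicCerts());
            if (!smime.validFlags[0]) {
                CertificateUpdateException failure = new CertificateUpdateException("UPDATE_SIGNATURE_NOT_VERIFIED", tmsFile, null);
                logFailure(0L, method, failure);
                logFailure(262144L, method, failure);
                throw failure;
            }
            if (!signerMatchesAttachedCert(smime)) {
                CertificateUpdateException failure = new CertificateUpdateException("UPDATE_CRT_DSNT_MTCH_SIG", tmsFile, null);
                logFailure(0L, method, failure);
                logFailure(262144L, method, failure);
                throw failure;
            }
            SSLCert signingCert = smime.certs[0];
            if (trace.isLogging()) {
                trace.text(262144L, this.className, method, new StringBuffer("Updating Certificate: ").append(NSUtil.certToString(signingCert)).toString());
                trace.text(262144L, this.className, method, "PKCS #7: Signature verfied. Now working on CertRequest(PKCS#10)");
            }
            try {
                Object[] request = PKI.verifyCertRequest(smime.content);
                if (trace.isLogging()) {
                    trace.text(524289L, this.className, method, "Certificate Request Subject Info: {0}", PKI.x500Name(request[0], 0).toString());
                }
                // Identity comes from the signing certificate, never from the request.
                String serial = ((ORBOid) Oid.fromString(NSUtil.getOrbIdFromCert(signingCert))).toString();
                request[0] = systemSubjectFor(serial);
                if (trace.isLogging()) {
                    trace.text(524288L, this.className, method, "New Certificate Subject: {0}", PKI.x500Name(request[0], 0).toString());
                }
                byte[] reply = issueAndPackage(request[0], request[1]);
                if (trace.isLogging()) {
                    trace.exit(1048576L, this.className, method);
                }
                return reply;
            } catch (SSLRuntimeException e) {
                CertificateUpdateException failure = new CertificateUpdateException("ORB_CERT_REQ_VERIFICATION_FAILED", tmsFile, e);
                logFailure(262144L, method, failure);
                throw failure;
            }
        } catch (SSLRuntimeException e) {
            CertificateUpdateException failure = new CertificateUpdateException("UPDATE_SIGNATURE_NOT_VERIFIED", tmsFile, e);
            logFailure(0L, method, failure);
            logFailure(262144L, method, failure);
            throw failure;
        }
    }
}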
