package com.tivoli.core.security.common;

import com.ibm.db2.jcc.t2zos.m;
import com.ibm.distman.voyagerx.security.ssl.sslite.PKI;
import com.ibm.distman.voyagerx.security.ssl.sslite.SSLCert;
import com.ibm.logging.ILogger;
import com.ibm.logging.IRecordType;
import com.tivoli.core.component.IAccessManager;
import com.tivoli.core.directory.Directory;
import com.tivoli.core.ns.LocalOrbVault;
import com.tivoli.core.ns.NetSecurityFactory;
import com.tivoli.core.orb.security.SecurityBase;
import com.tivoli.core.security.acn.client.BeginOfWorld;
import com.tivoli.core.security.acn.common.AuthenticationException;
import com.tivoli.core.security.acn.common.IACNConstants;
import com.tivoli.core.security.acn.common.SCTimeStamp;
import com.tivoli.core.security.acn.server.IRepositoryAccess;
import com.tivoli.util.configuration.Preferences;
import com.tivoli.util.logging.LogManagerFactory;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Date;
import java.util.Iterator;
import java.util.Properties;
import java.util.StringTokenizer;
import java.util.TreeSet;

/* JADX WARN: Classes with same name are omitted:
  input_file:DMSDependencies/mm_orb.jar:com/tivoli/core/security/common/SecurityContextUtils.class
 */
/* loaded from: input_file:com.tivoli.eDMS_1.8.0.20050921D.jar:DMSDependencies/mm_orb.jar:com/tivoli/core/security/common/SecurityContextUtils.class */
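/**
 * Static helpers for working with the per-thread {@link ISecurityContext}:
 * reading and swapping the thread's context, running a method under a
 * different context ({@code runAs}), and validating a context (signature,
 * signer trust, expiration, refresh).
 *
 * <p>Privilege model as visible here: several operations temporarily switch
 * the calling thread to the key-master context
 * ({@code SecurityKeyMaster.getSecurityContext()}) to call kernel services.
 * Every such switch in this class restores the caller's context in a
 * {@code finally}, so a thread never keeps the privileged context after an
 * unexpected Error or RuntimeException (the decompiled original restored it
 * only on the normal and {@code catch (Exception)} paths, and not at all on
 * the "expired, refreshing" path of {@code validate}).
 *
 * <p>This class is a JADX decompilation; names like {@code m.e} and the
 * anonymous-class numbering are decompiler artifacts, see the notes on the
 * individual methods.
 */
public class SecurityContextUtils {
    private static final String sClassRevision = "$Revision: @(#)25 1.44 orb/src/com/tivoli/core/security/common/SecurityContextUtils.java, mm_sec, mm_orb_dev 00/11/13 17:26:59 $";
    private static final String COPYRIGHT = "\nLicensed Materials - Property of IBM\n\n5698-TKS\n\nCopyright IBM Corp. 1999, 2000 All Rights Reserved\n\nUS Government Users Restricted Rights - Use, duplication or disclosure\nrestricted by GSA ADP Schedule Contract with IBM Corp.\n";
    /** When true, {@link #print(String)} writes to System.out; this includes the
     *  full signable-property string of every context verified, so it must stay
     *  off outside of debugging. */
    private static boolean debug = false;
    /** Security audit logger ("sec.auditLogger"); may be null, callers check. */
    private static ILogger auditLogger;
    /** Trace logger; every method guards trace calls with isLogging(). */
    private static ILogger theTrace;
    private static final String theClassName = "SecurityContextUtils";

    static {
        auditLogger = null;
        theTrace = null;
        theTrace = LogManagerFactory.getTraceLogger(IACNConstants.TRACE_NAME);
        auditLogger = LogManagerFactory.getMessageLogger("sec.auditLogger");
    }

    /**
     * Changes a kernel principal's password through the authentication
     * service's repository, running the repository call under the key-master
     * context.
     *
     * @param str  first argument passed through to
     *             {@code IRepositoryAccess.changePassword} (presumably the
     *             principal name; confirm against IRepositoryAccess)
     * @param str2 second argument (presumably the current password; confirm)
     * @param str3 third argument (presumably the new password; confirm)
     * @throws Exception if any step fails. The thrown exception carries no
     *         message (as in the original, so no repository detail reaches the
     *         caller) but now has the underlying failure attached as its cause
     *         so the trace log and the caller can diagnose it.
     */
    public static void changeKernelPassword(String str, String str2, String str3) throws Exception {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "changeKernelPassword");
        }
        // Save the caller's context before elevating; restored in finally below.
        ISecurityContext callerContext = getCurrentSecurityContext();
        try {
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "changeKernelPassword", "Getting Access Manager");
            }
            // Elevate to the key-master context for the kernel service calls.
            setCurrentSecurityContext(SecurityKeyMaster.getSecurityContext());
            IAccessManager accessManager = (IAccessManager) Directory.lookup(IAccessManager.NAME);
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "changeKernelPassword", "Getting AuthenticationService");
            }
            IRepositoryAccess repository = accessManager.getService(IACNConstants.AS_SVC_NAME, null).getRepository();
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "changeKernelPassword", "Calling change password");
            }
            repository.changePassword(str, str2, str3);
            if (theTrace.isLogging()) {
                theTrace.exit(256L, theClassName, "changeKernelPassword");
            }
        } catch (Exception cause) {
            // Keep the message-less Exception contract but preserve the cause.
            Exception exc = new Exception();
            exc.initCause(cause);
            if (theTrace.isLogging()) {
                theTrace.exception(512L, theClassName, "changeKernelPassword", exc);
            }
            throw exc;
        } finally {
            // Drop the key-master context on every exit path, including Errors.
            setCurrentSecurityContext(callerContext);
        }
    }

    /**
     * Removes the security context from the current thread (sets it to null)
     * inside a privileged action.
     */
    public static void clearThread() {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "clearTread");
        }
        AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                SecurityBase.setSecurityInfo(null);
                return null;
            }
        });
        if (theTrace.isLogging()) {
            theTrace.exit(256L, theClassName, "clearTread");
        }
    }

    /**
     * Returns the security context attached to the current thread, or null if
     * none is set. Reads {@code SecurityBase.getSecurityInfo()} under a
     * privileged action so callers without the permission can still query it.
     */
    public static ISecurityContext getCurrentSecurityContext() {
        return (ISecurityContext) AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                return (ISecurityContext) SecurityBase.getSecurityInfo();
            }
        });
    }

    /**
     * Reads the security-context refresh interval from the client preferences
     * node ({@code IACNConstants.CLIENT_PREF_PATH_NAME}), defaulting to
     * {@code IACNConstants.DEFAULT_REFRESH_TIME}. The preferences lookup is
     * performed under the key-master context via {@link #runAs(Object, Method, Object[], ISecurityContext)}.
     *
     * @return the refresh duration as parsed from the preference value
     * @throws Exception wrapped as {@link AuthenticationException} ("generic")
     *         on any failure, including a non-numeric preference value
     */
    public static long getRefreshDuration() throws Exception {
        try {
            // NOTE(review): the class name is unqualified; this only resolves if
            // "ExtendedPreferences" lives in the unnamed package or the
            // decompiler dropped the package prefix - confirm against the
            // original source before relying on it.
            Method forName = Class.forName("ExtendedPreferences").getMethod("forName", IACNConstants.CLIENT_PREF_PATH_NAME.getClass());
            Preferences prefs = (Preferences) runAs((Object) null, forName, new Object[]{IACNConstants.CLIENT_PREF_PATH_NAME}, SecurityKeyMaster.getSecurityContext());
            return Long.parseLong(prefs.get(IACNConstants.SC_REFRESH_TIME, Long.toString(IACNConstants.DEFAULT_REFRESH_TIME)));
        } catch (Exception e) {
            AuthenticationException authenticationException = new AuthenticationException("generic", e);
            if (theTrace.isLogging()) {
                theTrace.exception(512L, theClassName, "getRefreshDuration", authenticationException);
            }
            throw authenticationException;
        }
    }

    /**
     * Returns the roles carried by a context: the comma-separated static role
     * list ({@code STATIC_ROLE_IN_NAME}) in order, followed by every entry of
     * the comma-separated filter role list ({@code FILTER_ROLE_IN_NAME}) that
     * is not already a static role. Both lists are signable properties, i.e.
     * covered by the context signature.
     *
     * <p>Fix over the decompiled original: membership of a filter role in the
     * static list was decided with {@code String.indexOf}, i.e. a substring
     * match, so a filter role "admin" was dropped whenever the static list
     * contained e.g. "sysadmin". Roles are now compared as whole, trimmed
     * tokens.
     *
     * @param iSecurityContext the context to read; may be null
     * @return the merged role array (empty if neither property is set), or
     *         null when {@code iSecurityContext} is null
     */
    public static String[] getRoles(ISecurityContext iSecurityContext) {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "getRoles");
        }
        String[] roles = null;
        if (iSecurityContext != null) {
            String[] staticRoles = splitRoleList(iSecurityContext.getSignableProperty(ISecurityContextConstants.STATIC_ROLE_IN_NAME));
            String[] filterRoles = splitRoleList(iSecurityContext.getSignableProperty(ISecurityContextConstants.FILTER_ROLE_IN_NAME));
            // Whole-token membership, not substring containment.
            TreeSet knownStatic = new TreeSet();
            for (int i = 0; i < staticRoles.length; i++) {
                knownStatic.add(staticRoles[i]);
            }
            String[] extraRoles = new String[filterRoles.length];
            int extraCount = 0;
            for (int i = 0; i < filterRoles.length; i++) {
                if (!knownStatic.contains(filterRoles[i])) {
                    extraRoles[extraCount++] = filterRoles[i];
                }
            }
            roles = new String[staticRoles.length + extraCount];
            System.arraycopy(staticRoles, 0, roles, 0, staticRoles.length);
            System.arraycopy(extraRoles, 0, roles, staticRoles.length, extraCount);
        }
        if (theTrace.isLogging()) {
            theTrace.exit(256L, theClassName, "getRoles");
        }
        return roles;
    }

    /**
     * Splits a comma-separated role list into trimmed tokens; a null list
     * yields an empty array. Empty segments between commas are skipped by
     * StringTokenizer.
     */
    private static String[] splitRoleList(String roleList) {
        if (roleList == null) {
            return new String[0];
        }
        StringTokenizer tokenizer = new StringTokenizer(roleList, ",");
        String[] tokens = new String[tokenizer.countTokens()];
        for (int i = 0; i < tokens.length; i++) {
            tokens[i] = tokenizer.nextToken().trim();
        }
        return tokens;
    }

    /**
     * Returns the local ORB vault (the store of trusted certificates used by
     * {@link #verifySecurityContextSignature}) via a privileged action.
     *
     * @throws IOException declared for callers; nothing in this body throws it
     */
    private static LocalOrbVault getVault() throws IOException {
        return (LocalOrbVault) AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                return NetSecurityFactory.getLocalOrbVault();
            }
        });
    }

    /**
     * Compares two contexts by their {@code DOID} signable property,
     * case-insensitively. Returns false (rather than throwing) if either DOID
     * is missing. Not referenced elsewhere in this class.
     */
    private static boolean isIdentityEqual(ISecurityContext iSecurityContext, ISecurityContext iSecurityContext2) {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "isIdentityEqual");
        }
        String firstId = iSecurityContext.getSignableProperty(ISecurityContextConstants.DOID);
        String secondId = iSecurityContext2.getSignableProperty(ISecurityContextConstants.DOID);
        boolean same = firstId != null && firstId.equalsIgnoreCase(secondId);
        if (theTrace.isLogging()) {
            theTrace.exit(256L, theClassName, "isIdentityEqual");
        }
        return same;
    }

    /** Debug-only stdout output; a no-op unless {@link #debug} is set. */
    private static void print(String str) {
        if (debug) {
            System.out.println(str);
        }
    }

    /**
     * Invokes the public method {@code str} of {@code obj} with the thread's
     * security context temporarily set to {@code iSecurityContext}. The
     * method is resolved by name with the runtime classes of {@code objArr}
     * (a null argument contributes a null class), so overloads declared with
     * interface or supertype parameters will not be found.
     *
     * @param obj              target instance; must not be null
     * @param str              method name; must not be null
     * @param objArr           arguments, or null for a no-arg method
     * @param iSecurityContext context to run under (null clears the thread's
     *                         context for the duration, presumably; confirm
     *                         against SetSecurityInfoAction)
     * @return the invoked method's result
     * @throws CredentialsInvalidException "badparam1" if obj or str is null
     */
    public static Object runAs(Object obj, String str, Object[] objArr, ISecurityContext iSecurityContext) throws IllegalAccessException, InvocationTargetException, NoSuchMethodException, CredentialsInvalidException {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "runAs(String)");
        }
        if (obj == null || str == null) {
            throw new CredentialsInvalidException("badparam1");
        }
        Class<?>[] argTypes = null;
        if (objArr != null) {
            argTypes = new Class[objArr.length];
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "runAs(String)", "Getting argument classes");
            }
            for (int i = 0; i < objArr.length; i++) {
                argTypes[i] = (objArr[i] != null) ? objArr[i].getClass() : null;
            }
        }
        if (theTrace.isLogging()) {
            theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "runAs(String)", new StringBuffer("Getting method ").append(str).append(" from object ").append(obj).toString());
        }
        Method method = obj.getClass().getMethod(str, argTypes);
        ISecurityContext callerContext = getCurrentSecurityContext();
        try {
            AccessController.doPrivileged(new SetSecurityInfoAction(iSecurityContext));
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "runAs(String)", "Invoking method");
            }
            Object result = method.invoke(obj, objArr);
            if (theTrace.isLogging()) {
                theTrace.exit(256L, theClassName, "runAs(String)");
            }
            return result;
        } finally {
            // Always put the caller's context back.
            AccessController.doPrivileged(new SetSecurityInfoAction(callerContext));
        }
    }

    /**
     * Invokes {@code method} on {@code obj} with the thread's security context
     * temporarily set to {@code iSecurityContext}; {@code obj} may be null for
     * a static method.
     *
     * @throws CredentialsInvalidException "badparam2" if method is null,
     *         "runasillegalarg" if reflection rejects the arguments,
     *         "nullinstanceobj" if the invocation raises NullPointerException
     *         (e.g. null obj for an instance method)
     */
    public static Object runAs(Object obj, Method method, Object[] objArr, ISecurityContext iSecurityContext) throws InvocationTargetException, IllegalAccessException, CredentialsInvalidException {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "runAs(Method)");
        }
        if (method == null) {
            throw new CredentialsInvalidException("badparam2");
        }
        ISecurityContext callerContext = getCurrentSecurityContext();
        try {
            AccessController.doPrivileged(new SetSecurityInfoAction(iSecurityContext));
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "runAs(Method)", "Invoking method");
            }
            Object result = method.invoke(obj, objArr);
            if (theTrace.isLogging()) {
                theTrace.exit(256L, theClassName, "runAs(Method)");
            }
            return result;
        } catch (IllegalArgumentException e) {
            CredentialsInvalidException credentialsInvalidException = new CredentialsInvalidException("runasillegalarg", e);
            if (theTrace.isLogging()) {
                theTrace.exception(512L, theClassName, "runAs(Method)", credentialsInvalidException);
            }
            throw credentialsInvalidException;
        } catch (NullPointerException unused) {
            CredentialsInvalidException credentialsInvalidException2 = new CredentialsInvalidException("nullinstanceobj");
            if (theTrace.isLogging()) {
                theTrace.exception(512L, theClassName, "runAs(Method)", credentialsInvalidException2);
            }
            throw credentialsInvalidException2;
        } finally {
            // Always put the caller's context back.
            AccessController.doPrivileged(new SetSecurityInfoAction(callerContext));
        }
    }

    /**
     * Unimplemented: ignores all arguments and always returns null. Callers
     * expecting runAs-like semantics should use {@link #runAs(Object, String, Object[], ISecurityContext)}.
     */
    public static Object runWith(Object obj, String str, Object[] objArr, ISecurityContext iSecurityContext) {
        return null;
    }

    /**
     * Sets the current thread's security context to {@code iSecurityContext}
     * (null clears it) via a privileged {@code SetSecurityInfoAction}.
     */
    public static void setCurrentSecurityContext(ISecurityContext iSecurityContext) {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "setCurrentSecurityContext");
        }
        AccessController.doPrivileged(new SetSecurityInfoAction(iSecurityContext));
        if (theTrace.isLogging()) {
            theTrace.exit(256L, theClassName, "setCurrentSecurityContext");
        }
    }

    /**
     * Validates the security context attached to the current thread.
     *
     * @see #validate(ISecurityContext)
     */
    public static boolean validate() throws CredentialsInvalidException {
        if (theTrace.isLogging()) {
            theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate", "Getting SecurityContext from current thread");
        }
        return validate(getCurrentSecurityContext());
    }

    /**
     * Validates a security context and marks it validated on this ORB.
     *
     * <p>Steps, as implemented:
     * <ol>
     * <li>If the transient property {@code IS_VALIDATED} is "no", verify the
     *     context signature and signer trust
     *     ({@link #verifySecurityContextSignature}); a failure is audited and
     *     makes the result false. Any other value skips the signature check
     *     (transient properties are assumed to be ORB-local, not transported
     *     with the context - confirm against SecurityContext).</li>
     * <li>Check the signable {@code EXPIRATION_STAMP}: "0" means the context
     *     never expires; otherwise it is parsed with {@code SCTimeStamp}.</li>
     * <li>Not expired (or never expiring): if {@code DURATION} is
     *     {@code VALUE_DURATION_TEMPORARY} and this is not begin-of-world,
     *     refresh the context under the key-master context.</li>
     * <li>Expired: refresh under the key-master context. NOTE(review): after a
     *     successful refresh the new expiration is not re-checked; the result
     *     relies on refreshOnly() having produced a fresh stamp.</li>
     * </ol>
     * A refresh failure is audited (disabled-principal message) and makes the
     * result false. Only a true result sets {@code IS_VALIDATED} to "yes".
     *
     * @return true if the context is valid (and now marked validated), false if
     *         the signature, trust or refresh check failed
     * @throws CredentialsInvalidException for a null context, an unparseable
     *         expiration stamp, or any unexpected exception. As in the
     *         original, the outer handler rewraps every exception - including
     *         the CredentialsInvalidExceptions raised inside - under the
     *         "generic" key and audits it as a signature failure.
     */
    public static boolean validate(ISecurityContext iSecurityContext) throws CredentialsInvalidException {
        boolean valid = true;
        if (theTrace.isLogging()) {
            // Trace-level dump of the whole context; presumably includes its
            // signature properties, so trace output must be treated as sensitive.
            theTrace.entry(0L, theClassName, "validate(SC)", new StringBuffer("SecurityContext to be validated is: ").append(iSecurityContext).toString());
        }
        try {
            if (iSecurityContext == null) {
                if (theTrace.isLogging()) {
                    theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate(SC)", "SecurityContext is null");
                }
                CredentialsInvalidException credentialsInvalidException = new CredentialsInvalidException("validatenullsc");
                if (theTrace.isLogging()) {
                    theTrace.exception(512L, theClassName, "validate(SC)", credentialsInvalidException);
                }
                throw credentialsInvalidException;
            }
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate(SC)", "Checking if orb has been validated");
            }
            // A missing IS_VALIDATED property raises NPE here, which the outer
            // handler turns into CredentialsInvalidException (fail closed).
            if (iSecurityContext.getTransientProperty(ISecurityContextConstants.IS_VALIDATED).equals("no")) {
                if (theTrace.isLogging()) {
                    theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate(SC)", "SecurityContext has not been validated on this orb yet, verifying signature.");
                }
                try {
                    verifySecurityContextSignature(iSecurityContext);
                } catch (InvalidSignatureException e) {
                    if (theTrace.isLogging()) {
                        theTrace.exception(512L, theClassName, "validate(SC)", e);
                    }
                    valid = false;
                    if (auditLogger != null) {
                        auditLogger.msg(8L, theClassName, "validate", IAuditLoggingConstants.SC_VALIDATION_SIGNATURE_MSG, "com.tivoli.core.security.tms.FNG_sec_msg");
                    }
                }
            } else if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate(SC)", "SecurityContext already validated");
            }
            if (valid) {
                if (theTrace.isLogging()) {
                    theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate(SC)", "Checking Expiration");
                }
                String expirationStamp = iSecurityContext.getSignableProperty(ISecurityContextConstants.EXPIRATION_STAMP);
                boolean neverExpires = expirationStamp.equals("0");
                Date expires;
                if (neverExpires) {
                    expires = new Date(0L);
                } else {
                    try {
                        expires = SCTimeStamp.parse(expirationStamp);
                    } catch (Exception e2) {
                        throw new CredentialsInvalidException("timestampparsefail", expirationStamp, ((SecurityContext) iSecurityContext).toString(), e2);
                    }
                }
                Date now = new Date();
                print(new StringBuffer("exp=").append(expires.toString()).toString());
                print(new StringBuffer("today=").append(now.toString()).toString());
                if (now.compareTo(expires) < 0 || neverExpires) {
                    String duration = iSecurityContext.getSignableProperty(ISecurityContextConstants.DURATION);
                    if (duration != null && duration.equals(ISecurityContextConstants.VALUE_DURATION_TEMPORARY) && !BeginOfWorld.isBeginOfWorld()) {
                        if (theTrace.isLogging()) {
                            theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate(SC)", "Temporary SecurityContext.  Refreshing");
                        }
                        try {
                            refreshAsKeyMaster(iSecurityContext);
                        } catch (Exception e3) {
                            if (theTrace.isLogging()) {
                                theTrace.exception(512L, theClassName, "validate(SC)", e3);
                            }
                            print("validate error 3");
                            valid = false;
                            if (auditLogger != null) {
                                auditLogger.msg(8L, theClassName, "validate", IAuditLoggingConstants.SC_VALIDATION_DISABLED_PRINCIPAL_MSG, "com.tivoli.core.security.tms.FNG_sec_msg", iSecurityContext.getPrincipalName());
                            }
                        }
                    }
                } else {
                    if (theTrace.isLogging()) {
                        theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "validate(SC)", new StringBuffer("SecurityContext has expired.  Refreshing. exp=").append(expires.toString()).append(" cur=").append(now.toString()).toString());
                    }
                    try {
                        refreshAsKeyMaster(iSecurityContext);
                    } catch (Exception e4) {
                        if (theTrace.isLogging()) {
                            theTrace.exception(512L, theClassName, "validate(SC)", e4);
                        }
                        print("validate error 2");
                        valid = false;
                        if (auditLogger != null) {
                            auditLogger.msg(8L, theClassName, "validate", IAuditLoggingConstants.SC_VALIDATION_DISABLED_PRINCIPAL_MSG, "com.tivoli.core.security.tms.FNG_sec_msg", iSecurityContext.getPrincipalName());
                        }
                    }
                }
            }
            if (valid) {
                ((SecurityContext) iSecurityContext).addTransientProperty(ISecurityContextConstants.IS_VALIDATED, "yes");
            }
            if (theTrace.isLogging()) {
                theTrace.exit(256L, theClassName, "validate(SC)");
            }
            return valid;
        } catch (Exception e5) {
            CredentialsInvalidException credentialsInvalidException2 = new CredentialsInvalidException("generic", e5.getLocalizedMessage(), e5);
            if (theTrace.isLogging()) {
                theTrace.exception(512L, theClassName, "validate(SC)", credentialsInvalidException2);
            }
            if (auditLogger != null) {
                auditLogger.msg(8L, theClassName, "validate", IAuditLoggingConstants.SC_VALIDATION_SIGNATURE_MSG, "com.tivoli.core.security.tms.FNG_sec_msg");
            }
            throw credentialsInvalidException2;
        }
    }

    /**
     * Asks the authentication-service client component to refresh
     * {@code securityContext}, running the call under the key-master context
     * because the refresh is a privileged kernel operation. The calling
     * thread's own context is saved first and restored in a {@code finally},
     * so the thread is never left holding the key-master context - the
     * decompiled original restored it only after a normal return or a caught
     * Exception, and on the "expired" path not at all.
     *
     * @throws Exception whatever the lookup, elevation or refresh throws
     */
    private static void refreshAsKeyMaster(ISecurityContext securityContext) throws Exception {
        ISecurityContext callerContext = getCurrentSecurityContext();
        try {
            setCurrentSecurityContext(SecurityKeyMaster.getSecurityContext());
            ((IAccessManager) Directory.lookup(IAccessManager.NAME))
                    .getComponent(IACNConstants.AS_CLIENT_COMP_NAME, null)
                    .refreshOnly(securityContext);
        } finally {
            setCurrentSecurityContext(callerContext);
        }
    }

    /**
     * Verifies the signature carried by a context and that its signer is
     * trusted by the local ORB vault.
     *
     * <p>What is checked, in order:
     * <ol>
     * <li>The {@code CERTIFICATE} signature property (base64) is decoded into
     *     an {@code SSLCert}. This certificate comes from the context itself,
     *     so by itself it proves nothing - a forged context can carry its own
     *     certificate.</li>
     * <li>The signable properties are serialised to the canonical string
     *     {@code key=value, key=value, ...} with keys in sorted order, encoded
     *     with charset {@code m.e}, and the {@code SIGNATURE} property is
     *     verified over those bytes with the certificate's public key
     *     (algorithm selector {@code 4}; meaning not visible here).</li>
     * <li>The certificate is checked against the vault
     *     ({@code getVault().verify(cert, false)}). This step is what binds the
     *     signature to a trusted signer; a signature that verifies under an
     *     untrusted certificate is rejected.</li>
     * </ol>
     *
     * <p>NOTE(review): the canonical string is built by plain concatenation
     * with no escaping of "=" or ", " inside values. Two different property
     * sets can therefore serialise to the same bytes (a value containing
     * ", k=v" versus a separate property k), so a signer that ever signs a
     * value containing those separators could be tricked into covering
     * attacker-chosen properties. The format cannot be changed here without
     * changing the signer too; confirm on the signing side that property
     * values are restricted.
     *
     * <p>NOTE(review): {@code m.e} is a decompiler-resolved constant from an
     * unrelated DB2 class ({@code com.ibm.db2.jcc.t2zos.m}); it is the charset
     * name used for the signed bytes and must match the signer's. Replace it
     * with the explicit charset literal once confirmed.
     *
     * <p>The {@code HASH} signature property is read but not used by this
     * method.
     *
     * @throws InvalidSignatureException "sigvalidfail" if the signature does
     *         not verify, no-message if the signer is not trusted, and
     *         "sigvalidexc" (with cause) for any other failure such as a
     *         malformed certificate or base64
     */
    private static void verifySecurityContextSignature(ISecurityContext iSecurityContext) throws InvalidSignatureException {
        if (theTrace.isLogging()) {
            theTrace.entry(128L, theClassName, "verifySecurityContextSignature");
        }
        try {
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Getting certificate from SecurityContext");
            }
            byte[] certificateDer = PKI.base64(iSecurityContext.getSignatureProperty(ISecurityContextConstants.CERTIFICATE));
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Creating new SSLCert");
            }
            SSLCert signerCert = new SSLCert(certificateDer, (String) null);
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Getting hash");
            }
            // Retained from the original: the value is fetched but never checked.
            iSecurityContext.getSignatureProperty(ISecurityContextConstants.HASH);
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Getting Signature");
            }
            byte[] signature = PKI.base64(iSecurityContext.getSignatureProperty(ISecurityContextConstants.SIGNATURE));
            String canonical = canonicalSignableString(((SecurityContext) iSecurityContext).getSignableProperties());
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", new StringBuffer("SecurityContext signable properties are ").append(canonical).toString());
            }
            print(new StringBuffer("SecurityContextUtils:SecurityContext string is ").append(canonical).toString());
            byte[] signedBytes = canonical.getBytes(m.e);
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Verifying signature");
            }
            if (!signerCert.verifySignature(signedBytes, 0, signedBytes.length, 4, signature, 0, signature.length)) {
                print("False: Signature verification failed!");
                throw new InvalidSignatureException("sigvalidfail");
            }
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Getting vault");
            }
            // Signature is mathematically valid; now require the signer to be trusted.
            if (!getVault().verify(signerCert, false)) {
                if (theTrace.isLogging()) {
                    theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Signature verified, but we don't trust the signer!");
                }
                throw new InvalidSignatureException();
            }
            if (theTrace.isLogging()) {
                theTrace.text(IRecordType.TYPE_MISC_DATA, theClassName, "verifySecurityContextSignature", "Signature verified and we truse the signer!");
            }
            if (theTrace.isLogging()) {
                theTrace.exit(256L, theClassName, "verifySecurityContextSignature");
            }
        } catch (InvalidSignatureException e) {
            // Propagate the specific failure unchanged instead of rewrapping it
            // as "sigvalidexc" (the original's catch-all swallowed the key).
            throw e;
        } catch (Exception e) {
            print(new StringBuffer("Exception caught: ").append(e).toString());
            throw new InvalidSignatureException("sigvalidexc", e);
        }
    }

    /**
     * Builds the string the context signature is computed over: every
     * signable property as {@code key=value}, keys in natural sort order,
     * joined by ", ". No escaping is applied (see the note on
     * {@link #verifySecurityContextSignature}).
     */
    private static String canonicalSignableString(Properties signableProperties) {
        StringBuffer canonical = new StringBuffer("");
        Iterator keys = new TreeSet(signableProperties.keySet()).iterator();
        while (keys.hasNext()) {
            String key = (String) keys.next();
            canonical.append(key).append("=").append(signableProperties.getProperty(key));
            if (keys.hasNext()) {
                canonical.append(", ");
            }
        }
        return canonical.toString();
    }
}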
