package com.ibm.ws.security.zOS;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.CertificateMapFailedException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.auth.AuthenticationFailedException;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.ws.security.auth.Cache;
import com.ibm.ws.security.auth.CacheEvictionListener;
import com.ibm.ws.security.auth.CacheException;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.xslt4j.bcel.Constants;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.List;

/* loaded from: input_file:lib/securityimpl.jar:com/ibm/ws/security/zOS/PlatformCredentialManager.class */
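/**
 * Singleton bridge between {@link PlatformCredential} objects and the native z/OS SAF
 * credential tokens ({@link SAFCredentialTokenImpl}) that back them.
 *
 * <p>Two kinds of mappings live in the single {@code _cache}:
 * <ul>
 *   <li>{@code PlatformCredential -> SAFCredentialTokenImpl}, written by
 *       {@link #authenticateCredential} and {@link #refreshCredential};</li>
 *   <li>{@code String key -> PlatformCredential}, written by {@link #getKeyFromCredential}
 *       and read back by {@link #getCredentialFromKey}.</li>
 * </ul>
 * When the cache evicts an entry, only {@link SAFCredentialTokenImpl} values are handed to
 * the native destroy routine; other evicted values are simply dropped.
 *
 * <p>Passwords are never traced: both trace entries that receive one replace it with
 * {@code "****"}. This class makes no claim about thread-safety beyond what {@code Cache}
 * provides; all state is the shared cache.
 */
public final class PlatformCredentialManager {
    public static final String DEFAULT_UNAUTHENTICATED_AUDIT_STRING = "WebSphere Default/Unauthenticated Login";
    private static final String DEFAULT_PASSWORD_AUDIT_STRING = "WebSphere Userid/Password Login";
    private static final String DEFAULT_CERTIFICATE_AUDIT_STRING = "WebSphere Certificate Login";
    private static final String DEFAULT_AUTHORIZED_CREATE_AUDIT_STRING = "WebSphere Authorized Login";
    /** Trace name for the constructor. Same value as the BCEL {@code Constants.CONSTRUCTOR_NAME} the decompiled source pulled in; a string literal avoids depending on an unrelated jar. */
    private static final String CONSTRUCTOR_TRACE_NAME = "<init>";
    private static final TraceComponent tc;
    private static final PlatformCredentialManager _instance;
    // Not referenced anywhere in this class; kept because it is part of the class shape.
    private String unauthenticatedUserId;
    // Shared cache, see the class comment for the two mappings it holds.
    private Cache _cache;
    // javac 1.4-era class-literal holder; retained for compatibility with code that may read it.
    static Class class$com$ibm$ws$security$zOS$PlatformCredentialManager;

    /**
     * Receives evicted cache values and releases the native resources of any
     * {@link SAFCredentialTokenImpl} among them.
     */
    private static final class CacheEvictionCallback implements CacheEvictionListener {
        CacheEvictionCallback() {
        }

        /**
         * Destroys every evicted {@link SAFCredentialTokenImpl}; other values are ignored.
         * The parameter is raw because the interface declares it raw.
         *
         * @param list the evicted values; a {@code null} list is treated as empty
         */
        @Override // com.ibm.ws.security.auth.CacheEvictionListener
        public void evicted(List list) {
            if (PlatformCredentialManager.tc.isEntryEnabled()) {
                Tr.entry(PlatformCredentialManager.tc, "evicted", list);
            }
            if (list != null) {
                for (Object evictedValue : list) {
                    // Only native tokens own resources that must be released; the
                    // String -> PlatformCredential entries need no cleanup.
                    if (evictedValue instanceof SAFCredentialTokenImpl) {
                        PlatformCredentialManager._instance.ntv_destroyCredential((SAFCredentialTokenImpl) evictedValue);
                    }
                }
            }
            if (PlatformCredentialManager.tc.isEntryEnabled()) {
                Tr.exit(PlatformCredentialManager.tc, "evicted");
            }
        }
    }

    /**
     * Returns the process-wide instance created in the static initializer.
     *
     * @return the singleton manager, never {@code null} once the class has initialized
     */
    public static PlatformCredentialManager instance() {
        return _instance;
    }

    /**
     * Creates the manager and its cache. The cache arguments are passed straight through to
     * {@code Cache(int, long, int, CacheEvictionListener)}; their meaning is defined there.
     * NOTE(review): 300000L presumably is a millisecond timeout (5 minutes) — confirm against Cache.
     */
    private PlatformCredentialManager() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, CONSTRUCTOR_TRACE_NAME);
        }
        this._cache = new Cache(100, 300000L, 1000, new CacheEvictionCallback());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, CONSTRUCTOR_TRACE_NAME, this);
        }
    }

    /**
     * Authenticates a user id / password pair with the default password audit string.
     *
     * @param str  the user id
     * @param str2 the password; never traced
     * @return an authenticated BASIC credential
     * @throws PasswordCheckFailedException if authentication fails for any reason
     */
    public PlatformCredential createPasswordCredential(String str, String str2) throws PasswordCheckFailedException {
        return createPasswordCredential(str, str2, DEFAULT_PASSWORD_AUDIT_STRING);
    }

    /**
     * Maps a certificate chain to a credential with the default certificate audit string.
     *
     * @param x509CertificateArr the client certificate chain; only element 0 is encoded and mapped
     * @return an authenticated CERTIFICATE credential
     * @throws CertificateMapFailedException if the chain cannot be encoded or mapped
     */
    public PlatformCredential createCertificateCredential(X509Certificate[] x509CertificateArr) throws CertificateMapFailedException {
        return createCertificateCredential(x509CertificateArr, DEFAULT_CERTIFICATE_AUDIT_STRING);
    }

    /**
     * Creates an ASSERTED credential for {@code str} with the default authorized-login audit string.
     * No authentication is performed here; the caller vouches for the identity.
     *
     * @param str the user id being asserted
     * @return the asserted credential
     */
    public PlatformCredential createCredential(String str) {
        return createCredential(str, DEFAULT_AUTHORIZED_CREATE_AUDIT_STRING);
    }

    /**
     * Creates a credential via {@code PlatformCredential}'s no-argument constructor.
     *
     * @return the default credential
     */
    public PlatformCredential createDefaultCredential() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createDefaultCredential");
        }
        PlatformCredential defaultCredential = new PlatformCredential();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createDefaultCredential", defaultCredential);
        }
        return defaultCredential;
    }

    /**
     * Authenticates a user id / password pair against the native security manager.
     *
     * @param str  the user id
     * @param str2 the password; traced only as {@code "****"} when non-null
     * @param str3 the audit string recorded with the login
     * @return an authenticated BASIC credential whose native token is now cached
     * @throws PasswordCheckFailedException on any failure in the authentication path. The
     *         original cause is not attached (the exception type's constructors are not known
     *         to carry one); it is traced at debug level instead.
     */
    public PlatformCredential createPasswordCredential(String str, String str2, String str3) throws PasswordCheckFailedException {
        if (tc.isEntryEnabled()) {
            // Mask the password in the trace; only record whether one was supplied.
            Tr.entry(tc, "createPasswordCredential", new Object[]{str, str2 != null ? "****" : null, str3});
        }
        PlatformCredential basicCredential = new PlatformCredential(PlatformCredential.BASIC, str, str3);
        try {
            authenticateCredential(basicCredential, str2);
        } catch (Throwable th) {
            // Throwable, not just AuthenticationFailedException, so that every failure of the
            // native path surfaces to the caller as a password-check failure.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Password authentication failed", th);
            }
            throw new PasswordCheckFailedException();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createPasswordCredential", basicCredential);
        }
        return basicCredential;
    }

    /**
     * Maps a certificate chain to a native credential.
     *
     * @param x509CertificateArr the certificate chain; element 0 is the one encoded and mapped
     * @param str                the audit string recorded with the login
     * @return an authenticated CERTIFICATE credential whose native token is now cached
     * @throws CertificateMapFailedException on any failure in the mapping path (including a
     *         chain that cannot be encoded); the cause is traced at debug level only
     */
    public PlatformCredential createCertificateCredential(X509Certificate[] x509CertificateArr, String str) throws CertificateMapFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createCertificateCredential", new Object[]{x509CertificateArr, str});
        }
        PlatformCredential certificateCredential = new PlatformCredential(x509CertificateArr, str);
        try {
            authenticateCredential(certificateCredential, null);
        } catch (Throwable th) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate mapping failed", th);
            }
            throw new CertificateMapFailedException();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createCertificateCredential", certificateCredential);
        }
        return certificateCredential;
    }

    /**
     * Creates a ROLE credential for the given application/role/profile and resolves its native
     * token immediately.
     *
     * @param str  the application name (audit string only)
     * @param str2 the role name (audit string only)
     * @param str3 the SAF profile the credential is created for
     * @return the role credential with its MVS user id filled in, or {@code null} if no native
     *         token could be obtained. If the token lookup reports the credential as destroyed
     *         the credential is still returned, without an MVS user id.
     */
    public PlatformCredential createRoleCredential(String str, String str2, String str3) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createRoleCredential", new Object[]{str, str2, str3});
        }
        PlatformCredential roleCredential = new PlatformCredential(PlatformCredential.ROLE, str3, createRoleAuditString(str, str2, str3));
        try {
            SAFCredentialTokenImpl roleToken = getCredentialToken(roleCredential);
            if (roleToken == null) {
                roleCredential = null;
            } else {
                roleCredential.setMvsUserId(roleToken.getMvsUserId());
            }
        } catch (CredentialDestroyedException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential destroyed", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createRoleCredential", roleCredential);
        }
        return roleCredential;
    }

    /**
     * Creates an ASSERTED credential. Nothing is authenticated and nothing is cached here; the
     * native token is minted lazily by {@link #refreshCredential} when first needed.
     *
     * @param str  the user id being asserted
     * @param str2 the audit string recorded with the login
     * @return the asserted credential
     */
    public PlatformCredential createCredential(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createCredential", new Object[]{str, str2});
        }
        PlatformCredential assertedCredential = new PlatformCredential(PlatformCredential.ASSERTED, str, str2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createCredential", assertedCredential);
        }
        return assertedCredential;
    }

    /**
     * Creates a SERVER credential for the identity the JVM reports in the {@code user.name}
     * system property, with no audit string.
     *
     * @return the server credential
     */
    public PlatformCredential createServerCredential() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createServerCredential", null);
        }
        // The server identity is whatever the JVM's user.name property says it is.
        PlatformCredential serverCredential = new PlatformCredential(PlatformCredential.SERVER, System.getProperty("user.name"), null);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createServerCredential", serverCredential);
        }
        return serverCredential;
    }

    /**
     * Builds the audit string for a role credential.
     *
     * @return {@code "WebSphere Role Delegation: Application=<app>,Role=<role>,Profile=<profile>"}
     */
    private String createRoleAuditString(String application, String role, String profile) {
        StringBuilder audit = new StringBuilder("WebSphere Role Delegation:");
        audit.append(" Application=").append(application);
        audit.append(",Role=").append(role);
        audit.append(",Profile=").append(profile);
        return audit.toString();
    }

    /**
     * Derives a string key from the credential's native token and caches
     * {@code key -> credential} so that {@link #getCredentialFromKey} can resolve it later.
     * Because the key resolves back to a credential, callers must treat it as sensitive.
     *
     * @param platformCredential the credential to key
     * @return the token's string form
     * @throws IllegalArgumentException if no native token can be obtained for the credential
     *         (including when the token lookup reports it destroyed)
     */
    public String getKeyFromCredential(PlatformCredential platformCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyFromCredential", platformCredential);
        }
        // Must be initialised: the catch path below leaves it unassigned, which the decompiled
        // source did not compile past.
        SAFCredentialTokenImpl credentialToken = null;
        try {
            credentialToken = getCredentialToken(platformCredential);
        } catch (CredentialDestroyedException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential already destroyed", e);
            }
        }
        if (credentialToken == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to get native credential token from PlatFormCredential");
            }
            throw new IllegalArgumentException("Unable to get native credential token from PlatFormCredential");
        }
        String key = credentialToken.getAsString();
        this._cache.insert(key, platformCredential);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyFromCredential", key);
        }
        return key;
    }

    /**
     * Resolves a key produced by {@link #getKeyFromCredential} back to its credential.
     *
     * @param str the key
     * @return the cached credential, or {@code null} if the key is unknown, has been evicted,
     *         or the cache lookup fails
     */
    public PlatformCredential getCredentialFromKey(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCredentialFromKey", str);
        }
        PlatformCredential cached = null;
        try {
            cached = (PlatformCredential) this._cache.get(str);
        } catch (CacheException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected cache exception", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCredentialFromKey", cached);
        }
        return cached;
    }

    /**
     * Creates a native UTOKEN for the credential's user id.
     *
     * @param platformCredential the credential; if it has no user id yet, the native token is
     *        resolved first (presumably that populates the user id as a side effect — the
     *        token itself is not used here)
     * @return the UTOKEN bytes, or {@code null} if no user id is available
     */
    public byte[] createUtoken(PlatformCredential platformCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createUtoken", platformCredential);
        }
        byte[] utoken = null;
        if (platformCredential.getUserId() == null) {
            try {
                getCredentialToken(platformCredential);
            } catch (CredentialDestroyedException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to create UTOKEN", e);
                }
            }
        }
        String userId = platformCredential.getUserId();
        if (userId != null) {
            utoken = ntv_createUtoken(userId);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createUtoken", utoken);
        }
        return utoken;
    }

    /**
     * Returns the cached native token for the credential, minting one via
     * {@link #refreshCredential} on a cache miss or cache failure.
     *
     * @return the token, or {@code null} if none could be created
     * @throws CredentialDestroyedException propagated from {@link #refreshCredential}
     */
    private SAFCredentialTokenImpl getCredentialToken(PlatformCredential platformCredential) throws CredentialDestroyedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCredentialToken", platformCredential);
        }
        SAFCredentialTokenImpl token = null;
        try {
            token = (SAFCredentialTokenImpl) this._cache.get(platformCredential);
        } catch (CacheException e) {
            // A failed lookup is treated like a miss and the token is re-minted below.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected cache exception", e);
            }
        }
        if (token == null) {
            token = refreshCredential(platformCredential);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCredentialToken", token);
        }
        return token;
    }

    /**
     * Re-mints the native token for a credential without a password and caches it.
     *
     * <p>DEFAULT, BASIC, ASSERTED and SERVER credentials are rebuilt from user id and audit
     * string alone (the password argument to the native call is {@code null}); that is why an
     * unauthenticated BASIC credential is refused up front rather than re-minted. ROLE
     * credentials are rebuilt from the role profile, CERTIFICATE credentials from the encoded
     * first certificate of the chain.
     *
     * @return the new token, or {@code null} if the native side returned none or the
     *         certificate chain could not be encoded; a {@code null} token is not cached
     * @throws CredentialDestroyedException if the credential is BASIC and not authenticated
     * @throws IllegalArgumentException     if the credential type is not one of the known types
     */
    public SAFCredentialTokenImpl refreshCredential(PlatformCredential platformCredential) throws CredentialDestroyedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "refreshCredential", platformCredential);
        }
        if (platformCredential.getCredentialType() == PlatformCredential.BASIC && !platformCredential.isAuthenticated()) {
            // Without a password there is nothing to re-authenticate against.
            throw new CredentialDestroyedException();
        }
        SAFCredentialTokenImpl token;
        if (platformCredential.getCredentialType() == PlatformCredential.DEFAULT
                || platformCredential.getCredentialType() == PlatformCredential.BASIC
                || platformCredential.getCredentialType() == PlatformCredential.ASSERTED
                || platformCredential.getCredentialType() == PlatformCredential.SERVER) {
            token = ntv_createCredentialToken(platformCredential, platformCredential.getUserId(), platformCredential.getAuditString(), null);
        } else if (platformCredential.getCredentialType() == PlatformCredential.ROLE) {
            token = ntv_createRoleCredentialToken(platformCredential, platformCredential.getRoleProfile(), platformCredential.getAuditString());
            if (token != null) {
                token.setMvsUserId(platformCredential.getUserId());
            }
        } else if (platformCredential.getCredentialType() == PlatformCredential.CERTIFICATE) {
            byte[] encodedCertificate = getEncodedCertificate(platformCredential);
            // getEncodedCertificate returns null when the chain cannot be encoded; the decompiled
            // source dereferenced encodedCertificate.length unconditionally and NPE'd here.
            token = encodedCertificate == null
                    ? null
                    : ntv_createCertificateCredentialToken(platformCredential, encodedCertificate, encodedCertificate.length, platformCredential.getAuditString());
        } else {
            throw new IllegalArgumentException("Unsupported credential type: " + platformCredential.getCredentialType());
        }
        if (token != null) {
            this._cache.insert(platformCredential, token);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "refreshCredential", token);
        }
        return token;
    }

    /**
     * Authenticates a freshly built BASIC or CERTIFICATE credential against the native
     * security manager and caches the resulting token. Any other credential type yields no
     * token and therefore fails.
     *
     * @param platformCredential the credential to authenticate
     * @param password           the password for BASIC credentials, {@code null} otherwise;
     *                           traced only as {@code "****"}
     * @return the native token, never {@code null}
     * @throws AuthenticationFailedException if no token was produced (wrong credentials,
     *         unsupported type, or a certificate chain that could not be encoded)
     */
    private SAFCredentialTokenImpl authenticateCredential(PlatformCredential platformCredential, String password) throws AuthenticationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticateCredential", new Object[]{platformCredential, password != null ? "****" : null});
        }
        SAFCredentialTokenImpl token = null;
        if (platformCredential.getCredentialType() == PlatformCredential.BASIC) {
            token = ntv_createCredentialToken(platformCredential, platformCredential.getUserId(), platformCredential.getAuditString(), password);
        } else if (platformCredential.getCredentialType() == PlatformCredential.CERTIFICATE) {
            byte[] encodedCertificate = getEncodedCertificate(platformCredential);
            // A chain that cannot be encoded leaves token null and fails below instead of NPE'ing.
            if (encodedCertificate != null) {
                token = ntv_createCertificateCredentialToken(platformCredential, encodedCertificate, encodedCertificate.length, platformCredential.getAuditString());
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Updated PlatformCredential", platformCredential);
        }
        if (token == null) {
            throw new AuthenticationFailedException();
        }
        this._cache.insert(platformCredential, token);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "authenticateCredential", token);
        }
        return token;
    }

    /**
     * Returns the DER encoding of the first certificate in the credential's chain.
     *
     * @return the encoded bytes, or {@code null} if the chain is absent or empty or the
     *         certificate cannot be encoded (each case is traced at debug level)
     */
    private byte[] getEncodedCertificate(PlatformCredential platformCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getEncodedCertificate", platformCredential);
        }
        byte[] encoded = null;
        X509Certificate[] chain = platformCredential.getCertificateChain();
        if (chain == null || chain.length == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to get certificate data: credential has no certificate chain");
            }
        } else {
            try {
                encoded = chain[0].getEncoded();
            } catch (CertificateEncodingException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to get certificate data", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getEncodedCertificate", encoded);
        }
        return encoded;
    }

    /**
     * Installs the credential's native token as the security environment of the current OS
     * thread. A native return code of 1 is treated as "token stale": the token is refreshed
     * once and the call retried; any other non-zero code fails immediately.
     *
     * @param platformCredential the credential to install
     * @throws CredentialDestroyedException propagated from the token lookup or refresh
     * @throws IllegalArgumentException     if no native token is available or the native call
     *                                      fails (after the single retry when applicable)
     */
    public void setOSThreadSecurityEnvironment(PlatformCredential platformCredential) throws CredentialDestroyedException, IllegalArgumentException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setOSThreadSecurityEnvironment", platformCredential);
        }
        if (getCredentialToken(platformCredential) == null) {
            throw new IllegalArgumentException("SAF cred token from PlatformCredential is null.");
        }
        int rc = ntv_setOSThreadSecurityEnvironment(platformCredential);
        if (rc == 1) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "ntv_setOSThreadSecurityEnvironment failed, attempting to refresh credential", null);
            }
            if (refreshCredential(platformCredential) == null) {
                throw new IllegalArgumentException("SAF cred token from PlatformCredential is null.");
            }
            int retryRc = ntv_setOSThreadSecurityEnvironment(platformCredential);
            if (retryRc != 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Second ntv_setOSThreadSecurityEnvironment failed, return code:", Integer.valueOf(retryRc));
                }
                throw new IllegalArgumentException("Unable to set SAF cred token on native thread.");
            }
        } else if (rc != 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "ntv_setOSThreadSecurityEnvironment failed, return code:", Integer.valueOf(rc));
            }
            throw new IllegalArgumentException("Unable to set SAF cred token on native thread.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setOSThreadSecurityEnvironment");
        }
    }

    /**
     * Native: mints a token for a user id. {@code str3} is the password when authenticating a
     * BASIC credential and {@code null} when re-minting an already authenticated one.
     * Returns {@code null} on failure.
     */
    private native SAFCredentialTokenImpl ntv_createCredentialToken(PlatformCredential platformCredential, String str, String str2, String str3);

    /** Native: mints a token from {@code i} bytes of a DER-encoded certificate. Returns {@code null} on failure. */
    private native SAFCredentialTokenImpl ntv_createCertificateCredentialToken(PlatformCredential platformCredential, byte[] bArr, int i, String str);

    /** Native: mints a token for a role profile ({@code str}) with audit string {@code str2}. Returns {@code null} on failure. */
    private native SAFCredentialTokenImpl ntv_createRoleCredentialToken(PlatformCredential platformCredential, String str, String str2);

    /** Native: installs the credential's token on the current OS thread. 0 = success; 1 is retried after a refresh by the caller. */
    private native int ntv_setOSThreadSecurityEnvironment(PlatformCredential platformCredential);

    /* JADX INFO: Access modifiers changed from: private */
    /** Native: releases a token's native resources. Public only as a decompilation artifact; it is called from the eviction callback and is not meant as API. */
    public native void ntv_destroyCredential(SAFCredentialTokenImpl sAFCredentialTokenImpl);

    /** Native: builds a UTOKEN for a user id. */
    private native byte[] ntv_createUtoken(String str);

    /**
     * javac 1.4-style class-literal helper, retained for compatibility.
     *
     * @throws NoClassDefFoundError (with the {@link ClassNotFoundException} as cause) if the
     *         class cannot be loaded. The decompiled form threw the {@code Throwable} returned by
     *         {@code initCause} directly, which does not compile.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError(str);
            error.initCause(e);
            throw error;
        }
    }

    static {
        // The class literal is known statically; the holder field is kept populated for any
        // code that still reads it.
        Class cls = PlatformCredentialManager.class;
        class$com$ibm$ws$security$zOS$PlatformCredentialManager = cls;
        tc = Tr.register(cls, "Security", "com.ibm.ejs.resources.security");
        _instance = new PlatformCredentialManager();
    }
}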
