package com.ibm.wsspi.wssecurity.auth.module;

import com.ibm.websphere.wssecurity.callbackhandler.UNTConsumeCallbackHandler;
import com.ibm.ws.wssecurity.xss4j.dsig.KeyInfo;
import com.ibm.wsspi.wssecurity.Constants;
import com.ibm.wsspi.wssecurity.auth.token.X509BSToken;
import com.ibm.xml.soapsec.util.CertificateUtil;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:com/ibm/wsspi/wssecurity/auth/module/PkiPathLoginModule.class */
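/**
 * JAAS login module that consumes an X.509 binary security token carried as a
 * {@code PkiPath}-encoded certificate path.
 *
 * <p>After {@link BSTokenLoginModule#login()} has done its part, this module decodes the raw
 * token bytes ({@code _binary}) into a {@link CertPath}, picks the first certificate of the path
 * as the end-entity certificate ({@code _cert}), checks its validity period, and then decides
 * whether to trust it by one of three routes, in this order:
 * <ol>
 *   <li>the {@code X509BSToken.TRUST_ANY} property is true &mdash; any certificate is trusted;</li>
 *   <li>the certificate's issuer DN and serial number match the module's own configured
 *       {@code Constants.WSSECURITY_ISSUER_NAME} / {@code WSSECURITY_ISSUER_SERIAL};</li>
 *   <li>otherwise a PKIX path validation and build is run with the configured
 *       {@code X509BSToken.PKIX_BUILDERPARAM}.</li>
 * </ol>
 *
 * <p>{@code _binary}, {@code _cert} and {@code _properties} are not declared here; they are
 * presumably inherited from {@link BSTokenLoginModule} (not visible in this file).
 *
 * <p>Thread-safety: the shared {@link PKIXBuilderParameters} instance is cloned under its own
 * monitor before use, so each login works on a private copy.
 */
public class PkiPathLoginModule extends BSTokenLoginModule {
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc = Tr.register(PkiPathLoginModule.class, UNTConsumeCallbackHandler.TR_GROUP, "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    private static final String clsName = PkiPathLoginModule.class.getName();

    /**
     * Decodes the PkiPath token, extracts the end-entity certificate and establishes trust in it.
     *
     * @return always {@code true} once the method completes without throwing; note that this
     *         includes the case where {@code super.login()} returned {@code false}, in which the
     *         certificate processing below is skipped entirely (NOTE(review): confirm this is the
     *         intended JAAS semantics for the superclass's {@code false} result)
     * @throws LoginException if the token bytes are missing, cannot be decoded into a cert path,
     *         the certificate is outside its validity period, a configured serial number cannot
     *         be parsed, no PKIX builder parameters are configured, or PKIX validation/build fails
     */
    @Override // com.ibm.wsspi.wssecurity.auth.module.BSTokenLoginModule
    public boolean login() throws LoginException {
        PKIXBuilderParameters pKIXBuilderParameters;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        if (super.login()) {
            // The JCA provider (may be null) used for decoding and building the cert path.
            Provider provider = (Provider) this._properties.get(X509BSToken.PROVIDER);
            try {
                if (this._binary == null) {
                    // NOTE(review): this error is only emitted when debug tracing is on.
                    if (tc.isDebugEnabled()) {
                        Tr.error(tc, "PkiPath binary is null.");
                    }
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathCallbackHandler.s01", new String[0]));
                }
                CertPath generateCertPath = CertificateUtil.generateCertPath(this._binary, "X.509", "PkiPath", provider);
                if (generateCertPath == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.error(tc, "Result from CertificateUtil.generateCertPath was null.");
                    }
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathCallbackHandler.s01", new String[0]));
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Succeeded to generate cert path.");
                }
                // Java's X.509 CertPath lists the target (end-entity) certificate first.
                this._cert = (X509Certificate) generateCertPath.getCertificates().get(0);
                if (this._cert == null) {
                    throw new CertificateException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.setCertToSubject01"));
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Succeeded to get a X509 certificate [" + this._cert + "]");
                }
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Checking the validity of X509 certificate...");
                    }
                    // Validity-period check against the current time; runs before any trust
                    // decision, so even TRUST_ANY does not accept an expired certificate.
                    this._cert.checkValidity();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Succeeded to check the validity of X509 certificate.");
                    }
                    // z == true means the certificate is trusted and PKIX validation is skipped.
                    boolean z = false;
                    String str = (String) this._properties.get(X509BSToken.TRUST_ANY);
                    if (str != null && str.length() > 0) {
                        z = ConfigUtil.isTrue(str);
                        if (tc.isDebugEnabled() && z) {
                            Tr.debug(tc, "This login module trusts any certificate.");
                        }
                    }
                    if (!z) {
                        // Own-certificate shortcut: trust the token if it names this module's own
                        // issuer DN and serial number.
                        // NOTE(review): only issuer DN and serial are compared; the certificate is
                        // not matched against the configured certificate itself (e.g. its public
                        // key), so a different certificate with the same issuer/serial would also
                        // bypass PKIX validation here — confirm this is acceptable.
                        String str2 = (String) this._properties.get(Constants.WSSECURITY_ISSUER_NAME);
                        String str3 = (String) this._properties.get(Constants.WSSECURITY_ISSUER_SERIAL);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Issuer name of its own certificate is [" + str2 + "].");
                            Tr.debug(tc, "Serial number of its own certificate is [" + str3 + "].");
                        }
                        if (str2 == null || str3 == null) {
                            // Incomplete own-cert configuration is only traced; it is not an error.
                            if (str2 != null) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "There is issuer name, but not serial number.");
                                }
                            } else if (str3 != null && tc.isDebugEnabled()) {
                                Tr.debug(tc, "There is serial number, but not issur name.");
                            }
                        } else if (KeyInfo.X509Data.encodeDName(this._cert.getIssuerDN().getName()).equals(KeyInfo.X509Data.encodeDName(str2))) {
                            try {
                                if (this._cert.getSerialNumber().equals(CertificateUtil.convertSerialNumber(str3))) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "The cert is its own certificate, so this login module trusts it.");
                                    }
                                    z = true;
                                }
                            } catch (ParseException e) {
                                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.X509LoginModule.s04", new String[]{str3, e.toString()}));
                            }
                        }
                    }
                    if (!z) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "This login module doesn't trust all certificate, so starts checking the cert path.");
                        }
                        PKIXBuilderParameters pKIXBuilderParameters2 = (PKIXBuilderParameters) this._properties.get(X509BSToken.PKIX_BUILDERPARAM);
                        if (pKIXBuilderParameters2 == null) {
                            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.X509LoginModule.s05"));
                        }
                        // The configured parameters are shared; clone under their monitor so this
                        // login works on a private copy.
                        synchronized (pKIXBuilderParameters2) {
                            pKIXBuilderParameters = (PKIXBuilderParameters) pKIXBuilderParameters2.clone();
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Provider [" + provider + "], PKIBuilderParameters [" + pKIXBuilderParameters + "].");
                        }
                        try {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Checking the cert path...");
                            }
                            CertificateUtil.validateCertPath(generateCertPath, pKIXBuilderParameters);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Succeeded to validate the cert path.");
                            }
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Building validated cert path.");
                            }
                            CertificateUtil.buildCertPath(this._cert, generateCertPath, pKIXBuilderParameters, provider, false);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Succeeded to build validated cert path.");
                            }
                        } catch (Exception e2) {
                            Tr.processException(e2, clsName + ".login", "204", this);
                            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathLoginModule.s02", new String[]{e2.toString()}));
                        }
                    }
                } catch (LoginException e3) {
                    // Already a LoginException with a specific message (s04, s05, s02 above);
                    // propagate it unchanged instead of re-wrapping it in the generic message.
                    throw e3;
                } catch (Exception e3) {
                    // Covers checkValidity() failures and any other unexpected error in the
                    // trust-decision block.
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.X509LoginModule.s02", new String[]{e3.toString()}));
                }
            } catch (NoSuchProviderException e4) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathLoginModule.s01", new String[]{e4.toString()}));
            } catch (CertificateException e5) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PkiPathLoginModule.s01", new String[]{e5.toString()}));
            }
        }
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "login()");
        return true;
    }
}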
