package com.ibm.wsspi.security.token;

import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.auth.WSCredentialImpl;
import com.ibm.ws.security.config.AdminData;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityConfigManager;
import com.ibm.ws.security.config.SecurityConfigObject;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.token.WSSMarkerObject;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.util.WsObjectInputStream;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.ObjectOutputStream;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.Subject;

/* loaded from: input_file:com/ibm/wsspi/security/token/WSOpaqueTokenHelper.class */
public class WSOpaqueTokenHelper {
    // Section and token-name markers used in the opaque token byte layout built by this class.
    public static final String tokenHeader = "WSOPAQUE";
    public static final String wsCredHashHeader = "WSCREDHASH";
    public static final String wsTokensHeader = "WSTOKEN";
    public static final String customTokensHeader = "CUSTOM";
    // Fallback names for custom entries; the " (1)"/" (2)"/" (3)" endings are appended to the
    // object's class name for public credentials, private credentials and principals respectively.
    public static final String customPublicTokensHeader = "CUSTOM_PUBLIC";
    public static final String customPublicTokensHeaderEnding = " (1)";
    public static final String customPrivateTokensHeader = "CUSTOM_PRIVATE";
    public static final String customPrivateTokensHeaderEnding = " (2)";
    public static final String customPrincipalTokensHeader = "CUSTOM_PRINCIPAL";
    public static final String customPrincipalTokensHeaderEnding = " (3)";
    // Lazily created singleton; see getInstance().
    private static WSOpaqueTokenHelper wsOpaqueTokenHelper = null;
    // Raw list, initially null. NOTE(review): where it is populated and how isExcluded() consults it
    // is outside this view.
    private static ArrayList excludeList = null;
    // Static flag, re-read from the security configuration each time the private constructor runs.
    // When false, most serialization/parsing failures in this class are logged and turned into a
    // null return (or a skipped entry) instead of an exception.
    private static boolean throwExceptionForAllPropagationSerializationProblems = false;
    private static final TraceComponent tc = Tr.register((Class<?>) WSOpaqueTokenHelper.class, "SASRas", AdminConstants.MSG_BUNDLE_NAME);
    // Pre-converted header bytes and their lengths, written verbatim at the start of each section.
    private final byte[] tokenHeaderBytes = StringBytesConversion.getConvertedBytes("WSOPAQUE");
    private final int tokenHeaderSize = this.tokenHeaderBytes.length;
    private final int tokenVersion = 1;
    private final String tokenHeaderLookup = "WSOPAQUE:1";
    private final byte[] wsCredHashHeaderBytes = StringBytesConversion.getConvertedBytes(wsCredHashHeader);
    private final int wsCredHashHeaderSize = this.wsCredHashHeaderBytes.length;
    private final byte[] wsTokensHeaderBytes = StringBytesConversion.getConvertedBytes(wsTokensHeader);
    private final int wsTokensHeaderSize = this.wsTokensHeaderBytes.length;
    private final byte[] customTokensHeaderBytes = StringBytesConversion.getConvertedBytes("CUSTOM");
    private final int customTokensHeaderSize = this.customTokensHeaderBytes.length;

    /**
     * Returns the shared helper, creating it on first use.
     *
     * <p>The lazy initialisation is not synchronized, so concurrent first calls may each run the
     * constructor; the last assignment to the static field wins.
     *
     * @return the shared {@code WSOpaqueTokenHelper} instance
     */
    public static WSOpaqueTokenHelper getInstance() {
        if (wsOpaqueTokenHelper != null) {
            return wsOpaqueTokenHelper;
        }
        wsOpaqueTokenHelper = new WSOpaqueTokenHelper();
        return wsOpaqueTokenHelper;
    }

    /**
     * Reads the {@code com.ibm.CSI.throwExceptionForAllPropagationSerializationProblems} property
     * from the "security" configuration object and stores it in the static flag of the same name.
     *
     * <p>The flag becomes {@code true} only for the values "true" or "yes" (case-insensitive). If no
     * security configuration object is available the flag is left as it was. Any exception raised
     * while reading the configuration is logged to FFDC and recorded as the root exception on the
     * context manager; it is not rethrown, so construction always succeeds.
     */
    private WSOpaqueTokenHelper() {
        ContextManager contextManager = ContextManagerFactory.getInstance();
        try {
            SecurityConfigManager configManager = SecurityObjectLocator.getSecurityConfigManager();
            SecurityConfigObject securityRoot = null;
            if (configManager != null) {
                securityRoot = configManager.getObject("security");
            }
            if (securityRoot != null) {
                String flagValue = securityRoot.getProperties().getProperty("com.ibm.CSI.throwExceptionForAllPropagationSerializationProblems");
                boolean enabled = false;
                if (flagValue != null) {
                    enabled = flagValue.equalsIgnoreCase("true") || flagValue.equalsIgnoreCase("yes");
                }
                throwExceptionForAllPropagationSerializationProblems = enabled;
            }
        } catch (Exception configFailure) {
            Manager.Ffdc.log(configFailure, this, "com.ibm.wsspi.security.token.WSOpaqueTokenHelper.init", "155", new Object[]{this});
            Tr.debug(tc, "Exception getting ContextManager.", new Object[]{configFailure});
            contextManager.setRootException(configFailure);
        }
    }

    /**
     * Returns the opaque token name; the same literal as the {@code tokenHeader} constant.
     *
     * @return the string "WSOPAQUE"
     */
    public String getOpaqueTokenName() {
        return "WSOPAQUE";
    }

    /**
     * Returns the lookup key for the opaque token: the token name and version joined by a colon.
     *
     * @return the string "WSOPAQUE:1"
     */
    public String getOpaqueTokenLookup() {
        return "WSOPAQUE:1";
    }

    /**
     * Returns the opaque token format version, which is also the single version byte written after
     * the "WSOPAQUE" header by createOpaqueTokenFromTokenHolderList.
     *
     * @return 1
     */
    public int getOpaqueTokenVersion() {
        return 1;
    }

    /**
     * Builds the opaque token byte array for a Subject.
     *
     * <p>When RMI inbound, RMI outbound or web inbound propagation is enabled, the forwardable tokens
     * of the Subject (read under {@code doPrivileged}) and the forwardable propagation tokens of the
     * current context are collected, propagation tokens first. If at least one token was collected,
     * a {@code WSCREDENTIAL_CACHE_KEY} holder is appended: in a server process the unique ID computed
     * from all tokens, otherwise (or when that ID is null) {@code realm:uniqueSecurityName} taken from
     * the Subject's WSCredential. The list is then handed to
     * {@link #createOpaqueTokenFromTokenHolderList}.
     *
     * <p>NOTE(review): the WSCredential obtained from the Subject is dereferenced here without a null
     * check, whereas createOpaqueTokenFromTokenHolderList does check it. If the lookup can return
     * null, the failure surfaces as a WSLoginFailedException wrapping a NullPointerException; confirm
     * against SubjectHelper.
     *
     * @param subject the Subject whose tokens are packaged; may be null
     * @return the opaque token bytes, or null when {@code subject} is null, when reading the Subject's
     *     tokens raised a PrivilegedActionException, or when the token-holder step returns null
     * @throws WSLoginFailedException rethrown as-is, or wrapping any other exception raised while
     *     building the token
     */
    public byte[] createOpaqueTokenFromSubject(final Subject subject) throws WSLoginFailedException {
        final String methodName = "createOpaqueTokenFromSubject";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, methodName);
        }
        if (subject == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, methodName);
            }
            return null;
        }
        try {
            ArrayList subjectTokens = null;
            ArrayList propagationTokens = null;
            boolean propagationEnabled = WSSecurityPropagationHelper.getInstance().isRMIInboundPropagationEnabled()
                    || WSSecurityPropagationHelper.getInstance().isRMIOutboundPropagationEnabled()
                    || WSSecurityPropagationHelper.getInstance().isWebInboundPropagationEnabled();
            if (propagationEnabled) {
                try {
                    subjectTokens = (ArrayList) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                        @Override
                        public Object run() throws WSLoginFailedException {
                            return getForwardableTokensFromSubject(subject);
                        }
                    });
                    if (subjectTokens == null && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Token list is null.");
                    }
                    propagationTokens = ContextManagerFactory.getInstance().getWSCredTokenMapper().getForwardablePropagationTokensFromContext();
                    if (propagationTokens == null && tc.isDebugEnabled()) {
                        Tr.debug(tc, "propagation token list is null.");
                    }
                } catch (PrivilegedActionException privileged) {
                    // Failure to read the Subject's tokens is reported as "no token", not as an error.
                    Manager.Ffdc.log(privileged.getException(), this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.createOpaqueTokenFromSubject", "267", new Object[]{this});
                    Tr.debug(tc, "Exception getting private/public tokens from Subject.", new Object[]{privileged.getException()});
                    return null;
                }
            }
            if (propagationTokens == null && subjectTokens == null && tc.isDebugEnabled()) {
                Tr.debug(tc, "Propagation and subject token lists are null.");
            }

            // Propagation tokens go first, then the Subject's own forwardable tokens.
            ArrayList allTokens = new ArrayList();
            if (propagationTokens != null) {
                allTokens.addAll(propagationTokens);
            }
            if (subjectTokens != null) {
                allTokens.addAll(subjectTokens);
            }

            if (!allTokens.isEmpty()) {
                String cacheKey = null;
                if (SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS)) {
                    cacheKey = ContextManagerFactory.getInstance().getWSCredTokenMapper().createUniqueIDFromAllTokens(subject);
                }
                if (cacheKey == null) {
                    // Fallback key: realm and unique security name of the Subject's credential.
                    WSCredential credential = SubjectHelper.getWSCredentialFromSubject(subject);
                    cacheKey = credential.getRealmName() + ":" + credential.getUniqueSecurityName();
                }
                allTokens.add(new TokenHolder(StringBytesConversion.getConvertedBytes(cacheKey), AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, 1));
            }

            if (tc.isEntryEnabled()) {
                Tr.exit(tc, methodName);
            }
            return createOpaqueTokenFromTokenHolderList(subject, allTokens);
        } catch (WSLoginFailedException loginFailure) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSLoginFailedException occurred creating opaque token.", new Object[]{loginFailure});
            }
            Manager.Ffdc.log(loginFailure, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.updatePropagationTokenWithSubjectChange", "345", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, methodName);
            }
            throw loginFailure;
        } catch (Exception other) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred creating opaque token.", new Object[]{other});
            }
            Manager.Ffdc.log(other, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.updatePropagationTokenWithSubjectChange", "352", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, methodName);
            }
            throw new WSLoginFailedException(other.getMessage(), other);
        }
    }

    /**
     * Serializes a list of {@code TokenHolder}s, plus selected contents of the Subject, into the
     * opaque token byte layout.
     *
     * <p>Layout written, in order:
     * <ol>
     *   <li>the "WSOPAQUE" header bytes followed by one version byte (1);</li>
     *   <li>if the Subject's WSCredential exposes a non-null table: the "WSCREDHASH" header, an int
     *       length, and the table serialized through {@code serialize_internal};</li>
     *   <li>the "WSTOKEN" header, a one-byte count, then for each usable holder: int name length,
     *       name bytes, one version byte, int payload length, payload bytes;</li>
     *   <li>if any custom objects were collected from the Subject: the "CUSTOM" header, a one-byte
     *       count, and the same per-entry layout.</li>
     * </ol>
     *
     * <p>Custom objects are the Subject's public credentials, private credentials and principals that
     * pass the type and {@code isExcluded} filters below; each is serialized with
     * {@code serialize_internal(obj, ObjectOutputStream.class)}, so serialized forms of private
     * credentials end up inside the returned bytes. NOTE(review): how the returned token is protected
     * in transit, and whether the consumer restricts which classes it will deserialize, is not visible
     * in this view; confirm both.
     *
     * <p>Review notes on the visible code:
     * <ul>
     *   <li>Both counts are written with {@code write(int)}, i.e. as a single byte, so a list size
     *       above 255 is truncated; the count is also the raw list size, while null or incomplete
     *       holders are skipped, so it can exceed the number of entries actually written.</li>
     *   <li>For a null or empty {@code arrayList} the trace says "Returning null token." but execution
     *       continues: an empty list still produces a token, and a null list fails with a
     *       NullPointerException at the first {@code arrayList.size()} call, handled by the outer
     *       catch.</li>
     *   <li>Credential objects and the credential table are passed as arguments to
     *       {@code Tr.debug}/{@code Tr.warning}; presumably they are rendered into the trace or log,
     *       which would expose credential details there. Verify how Tr formats its arguments.</li>
     * </ul>
     *
     * @param subject the Subject supplying the credential table and custom objects; may be null, in
     *     which case only the header and the holder list are written
     * @param arrayList raw list of {@code TokenHolder} elements to write under the "WSTOKEN" header
     * @return the token bytes, or null if any exception occurred and
     *     {@code throwExceptionForAllPropagationSerializationProblems} is false
     * @throws Exception the original exception, when
     *     {@code throwExceptionForAllPropagationSerializationProblems} is true
     */
    public synchronized byte[] createOpaqueTokenFromTokenHolderList(final Subject subject, ArrayList arrayList) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createOpaqueTokenFromTokenHolderList");
        }
        // Trace only: despite the message, there is no return here.
        if ((arrayList == null || arrayList.size() == 0) && tc.isDebugEnabled()) {
            Tr.debug(tc, "Returning null token.", new Object[]{arrayList});
        }
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(500);
            DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token header size: " + this.tokenHeaderSize);
            }
            dataOutputStream.write(this.tokenHeaderBytes, 0, this.tokenHeaderSize);
            // Single version byte.
            dataOutputStream.write(1);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Writing opaque token header/version: WSOPAQUE/V1");
            }
            WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
            // Unchecked cast: a credential that is not a WSCredentialImpl raises ClassCastException,
            // which the outer catch handles.
            Hashtable table = wSCredentialFromSubject != null ? ((WSCredentialImpl) wSCredentialFromSubject).getTable() : null;
            if (table != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Attempting to write wsCred hashtable.");
                }
                try {
                    byte[] serialize_internal = serialize_internal(table, ObjectOutputStream.class);
                    if (serialize_internal != null) {
                        int length = serialize_internal.length;
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Offset size: " + byteArrayOutputStream.size());
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "wsCredHashHeaderSize: " + this.wsCredHashHeaderSize);
                        }
                        dataOutputStream.write(this.wsCredHashHeaderBytes, 0, this.wsCredHashHeaderSize);
                        dataOutputStream.writeInt(length);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Writing wsCred hashtable, length: " + length);
                        }
                        dataOutputStream.write(serialize_internal, 0, length);
                    }
                } catch (Exception e) {
                    // Best effort: without the flag the credential table section is dropped. If the
                    // failure happened after the header was written, the bytes already written stay
                    // in the stream.
                    Tr.warning(tc, "security.sap.warning.serializing.custom.objects.from.subject", new Object[]{table});
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception occurred writing wsCred hashtable.", new Object[]{e});
                    }
                    if (throwExceptionForAllPropagationSerializationProblems) {
                        throw e;
                    }
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total tokens to write: " + arrayList.size());
            }
            dataOutputStream.write(this.wsTokensHeaderBytes, 0, this.wsTokensHeaderSize);
            // One-byte count of the raw list size; skipped holders below are still counted.
            dataOutputStream.write(arrayList.size());
            for (int i = 0; i < arrayList.size(); i++) {
                TokenHolder tokenHolder = (TokenHolder) arrayList.get(i);
                if (tokenHolder != null) {
                    String name = tokenHolder.getName();
                    int version = tokenHolder.getVersion();
                    byte[] bytes = tokenHolder.getBytes();
                    // Holders with no name, version 0 or no payload are silently omitted.
                    if (name != null && version != 0 && bytes != null) {
                        byte[] convertedBytes = StringBytesConversion.getConvertedBytes(name);
                        int length2 = convertedBytes.length;
                        int length3 = bytes.length;
                        dataOutputStream.writeInt(length2);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Writing token name: " + name);
                        }
                        dataOutputStream.write(convertedBytes, 0, length2);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Writing token version: " + version);
                        }
                        // Version is written as a single byte.
                        dataOutputStream.write(version);
                        dataOutputStream.writeInt(length3);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Writing token bytes, length: " + length3);
                        }
                        dataOutputStream.write(bytes, 0, length3);
                    }
                }
            }
            ArrayList arrayList2 = null;
            if (subject != null) {
                try {
                    // Collect serializable custom objects from the Subject under doPrivileged.
                    arrayList2 = (ArrayList) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.wsspi.security.token.WSOpaqueTokenHelper.2
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            ArrayList arrayList3;
                            // Hold the Subject's monitor while its credential and principal sets are iterated.
                            synchronized (subject) {
                                arrayList3 = new ArrayList();
                                // Public credentials: everything except Token, KRBAuthnToken, WSCredential
                                // and excluded objects.
                                for (Object obj : subject.getPublicCredentials()) {
                                    if (!(obj instanceof Token) && !(obj instanceof KRBAuthnToken) && !(obj instanceof WSCredential) && !WSOpaqueTokenHelper.this.isExcluded(obj)) {
                                        try {
                                            if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                Tr.debug(WSOpaqueTokenHelper.tc, "Serializing custom public object: ", new Object[]{obj});
                                            }
                                            byte[] serialize_internal2 = WSOpaqueTokenHelper.this.serialize_internal(obj, ObjectOutputStream.class);
                                            String str = null;
                                            try {
                                                str = obj.getClass().getName() + WSOpaqueTokenHelper.customPublicTokensHeaderEnding;
                                            } catch (Exception e2) {
                                                // Ignored on purpose: the generic name below is used instead.
                                            }
                                            if (str == null) {
                                                str = WSOpaqueTokenHelper.customPublicTokensHeader;
                                            }
                                            if (serialize_internal2 != null) {
                                                arrayList3.add(new TokenHolder(serialize_internal2, str, 1));
                                            }
                                        } catch (Exception e3) {
                                            Tr.warning(WSOpaqueTokenHelper.tc, "security.sap.warning.serializing.custom.objects.from.subject", new Object[]{obj});
                                            if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                Tr.debug(WSOpaqueTokenHelper.tc, "Exception occurred serializing custom public object.", new Object[]{e3});
                                            }
                                            Manager.Ffdc.log(e3, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.createOpaqueTokenFromTokenHolderList", "536", new Object[]{this});
                                            if (WSOpaqueTokenHelper.throwExceptionForAllPropagationSerializationProblems) {
                                                throw e3;
                                            }
                                        }
                                    }
                                }
                                // Private credentials: Token/KRBAuthnToken/WSCredential instances are only
                                // serialized when their class is one of the four SAML token implementations
                                // named below; any other object is serialized unless excluded.
                                for (Object obj2 : subject.getPrivateCredentials()) {
                                    if ((obj2 instanceof Token) || (obj2 instanceof KRBAuthnToken) || (obj2 instanceof WSCredential)) {
                                        String name2 = obj2.getClass().getName();
                                        if ((name2.equals("com.ibm.ws.wssecurity.wssapi.token.impl.SAML11TokenImpl") || name2.equals("com.ibm.ws.wssecurity.wssapi.token.impl.SAML20TokenImpl") || name2.equals("com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.WasSAML11TokenImpl") || name2.equals("com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.WasSAML20TokenImpl")) && !WSOpaqueTokenHelper.this.isExcluded(obj2)) {
                                            try {
                                                if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                    Tr.debug(WSOpaqueTokenHelper.tc, "Serializing AuthnToken as a custom private object : ", new Object[]{obj2});
                                                }
                                                byte[] serialize_internal3 = WSOpaqueTokenHelper.this.serialize_internal(obj2, ObjectOutputStream.class);
                                                String str2 = null;
                                                try {
                                                    str2 = name2 + WSOpaqueTokenHelper.customPrivateTokensHeaderEnding;
                                                } catch (Exception e4) {
                                                    // Ignored on purpose: the generic name below is used instead.
                                                }
                                                if (str2 == null) {
                                                    str2 = WSOpaqueTokenHelper.customPrivateTokensHeader;
                                                }
                                                if (serialize_internal3 != null) {
                                                    arrayList3.add(new TokenHolder(serialize_internal3, str2, 1));
                                                }
                                            } catch (Exception e5) {
                                                // The private credential object itself is passed to the warning.
                                                Tr.warning(WSOpaqueTokenHelper.tc, "security.sap.warning.serializing.custom.objects.from.subject", new Object[]{obj2});
                                                if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                    Tr.debug(WSOpaqueTokenHelper.tc, "Exception occurred serializing custom private object.", new Object[]{e5});
                                                }
                                                Manager.Ffdc.log(e5, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.createOpaqueTokenFromTokenHolderList", "638", new Object[]{this});
                                                if (WSOpaqueTokenHelper.throwExceptionForAllPropagationSerializationProblems) {
                                                    throw e5;
                                                }
                                            }
                                        }
                                    } else if (WSOpaqueTokenHelper.this.isExcluded(obj2)) {
                                        continue;
                                    } else {
                                        try {
                                            if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                Tr.debug(WSOpaqueTokenHelper.tc, "Serializing custom private object: ", new Object[]{obj2});
                                            }
                                            byte[] serialize_internal4 = WSOpaqueTokenHelper.this.serialize_internal(obj2, ObjectOutputStream.class);
                                            String str3 = null;
                                            try {
                                                str3 = obj2.getClass().getName() + WSOpaqueTokenHelper.customPrivateTokensHeaderEnding;
                                            } catch (Exception e6) {
                                                // Ignored on purpose: the generic name below is used instead.
                                            }
                                            if (str3 == null) {
                                                str3 = WSOpaqueTokenHelper.customPrivateTokensHeader;
                                            }
                                            if (serialize_internal4 != null) {
                                                arrayList3.add(new TokenHolder(serialize_internal4, str3, 1));
                                            }
                                        } catch (Exception e7) {
                                            // The private credential object itself is passed to the warning.
                                            Tr.warning(WSOpaqueTokenHelper.tc, "security.sap.warning.serializing.custom.objects.from.subject", new Object[]{obj2});
                                            if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                Tr.debug(WSOpaqueTokenHelper.tc, "Exception occurred serializing custom private object.", new Object[]{e7});
                                            }
                                            Manager.Ffdc.log(e7, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.createOpaqueTokenFromTokenHolderList", "578", new Object[]{this});
                                            if (WSOpaqueTokenHelper.throwExceptionForAllPropagationSerializationProblems) {
                                                throw e7;
                                            }
                                        }
                                    }
                                }
                                // Principals: everything except WSPrincipal and excluded objects.
                                for (Principal principal : subject.getPrincipals()) {
                                    if (!(principal instanceof WSPrincipal) && !WSOpaqueTokenHelper.this.isExcluded(principal)) {
                                        try {
                                            if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                Tr.debug(WSOpaqueTokenHelper.tc, "Serializing custom principal object: ", new Object[]{principal});
                                            }
                                            byte[] serialize_internal5 = WSOpaqueTokenHelper.this.serialize_internal(principal, ObjectOutputStream.class);
                                            String str4 = null;
                                            try {
                                                str4 = principal.getClass().getName() + WSOpaqueTokenHelper.customPrincipalTokensHeaderEnding;
                                            } catch (Exception e8) {
                                                // Ignored on purpose: the generic name below is used instead.
                                            }
                                            if (str4 == null) {
                                                str4 = WSOpaqueTokenHelper.customPrincipalTokensHeader;
                                            }
                                            if (serialize_internal5 != null) {
                                                arrayList3.add(new TokenHolder(serialize_internal5, str4, 1));
                                            }
                                        } catch (Exception e9) {
                                            Tr.warning(WSOpaqueTokenHelper.tc, "security.sap.warning.serializing.custom.objects.from.subject", new Object[]{principal});
                                            if (WSOpaqueTokenHelper.tc.isDebugEnabled()) {
                                                Tr.debug(WSOpaqueTokenHelper.tc, "Exception occurred serializing custom public object.", new Object[]{e9});
                                            }
                                            Manager.Ffdc.log(e9, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.createOpaqueTokenFromTokenHolderList", "619", new Object[]{this});
                                            if (WSOpaqueTokenHelper.throwExceptionForAllPropagationSerializationProblems) {
                                                throw e9;
                                            }
                                        }
                                    }
                                }
                            }
                            return arrayList3;
                        }
                    });
                } catch (PrivilegedActionException e2) {
                    // The FFDC source id below names a different class (wsSAPInboundLoginModule.commit).
                    // The WSLoginFailedException thrown here is caught by the outer catch, so it only
                    // reaches the caller when the throw-on-problems flag is set.
                    Manager.Ffdc.log(e2.getException(), this, "com.ibm.ws.security.server.lm.wsSAPInboundLoginModule.commit", "636", new Object[]{this});
                    ContextManagerFactory.getInstance().setRootException(e2.getException());
                    throw new WSLoginFailedException(e2.getException().getMessage(), e2.getException());
                }
            }
            if (arrayList2 != null && arrayList2.size() > 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Total custom tokens to write: " + arrayList2.size());
                }
                dataOutputStream.write(this.customTokensHeaderBytes, 0, this.customTokensHeaderSize);
                // One-byte count, as for the standard token section.
                dataOutputStream.write(arrayList2.size());
                for (int i2 = 0; i2 < arrayList2.size(); i2++) {
                    TokenHolder tokenHolder2 = (TokenHolder) arrayList2.get(i2);
                    if (tokenHolder2 != null) {
                        String name2 = tokenHolder2.getName();
                        int version2 = tokenHolder2.getVersion();
                        byte[] bytes2 = tokenHolder2.getBytes();
                        if (name2 != null && version2 != 0 && bytes2 != null) {
                            byte[] convertedBytes2 = StringBytesConversion.getConvertedBytes(name2);
                            int length4 = convertedBytes2.length;
                            int length5 = bytes2.length;
                            dataOutputStream.writeInt(length4);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Writing token name: " + name2);
                            }
                            dataOutputStream.write(convertedBytes2, 0, length4);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Writing token version: " + version2);
                            }
                            dataOutputStream.write(version2);
                            dataOutputStream.writeInt(length5);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Writing token bytes, length: " + length5);
                            }
                            dataOutputStream.write(bytes2, 0, length5);
                        }
                    }
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Total opaque token length: " + byteArrayOutputStream.size());
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createOpaqueTokenFromTokenHolderList");
            }
            return byteArrayOutputStream.toByteArray();
        } catch (Exception e3) {
            // Any failure yields a null token unless the throw-on-problems flag is set.
            Manager.Ffdc.log(e3, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.createOpaqueTokenFromTokenHolderList", "704", new Object[]{this});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred creating opaque token.", new Object[]{e3});
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createOpaqueTokenFromTokenHolderList");
            }
            if (throwExceptionForAllPropagationSerializationProblems) {
                throw e3;
            }
            return null;
        }
    }

    /**
     * Parses an opaque token byte array back into a list of {@code TokenHolder}s.
     *
     * <p>The sections are consumed in the order they are written: the opaque token header, an
     * optional credential hash section (added to the list as a holder named "WSCREDHASH", version 1),
     * the mandatory standard token section, and an optional custom token section.
     *
     * <p>The input is parsed as received; this method performs no integrity or authenticity check of
     * its own. NOTE(review): confirm that callers only pass bytes that have already been validated.
     * Unless {@code throwExceptionForAllPropagationSerializationProblems} is set, every parsing
     * failure, including a missing token section, is reported to FFDC and turned into a null return,
     * so callers cannot tell a malformed token from an absent one.
     *
     * @param bArr the opaque token bytes; may be null or empty
     * @return the parsed holders, or null if the input is null or empty, does not start with the
     *     opaque token header, or failed to parse while the flag is off
     * @throws WSSecurityException if parsing failed and the flag is on; a non-WSSecurityException
     *     cause is wrapped
     */
    public ArrayList createTokenHolderListFromOpaqueToken(byte[] bArr) throws WSSecurityException {
        final String methodName = "createTokenHolderListFromOpaqueToken";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, methodName);
        }
        if (bArr == null || bArr.length == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Returning null token holder ArrayList.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, methodName);
            }
            return null;
        }
        try {
            DataInputStream in = new DataInputStream(new ByteArrayInputStream(bArr));
            if (!checkOpaqueTokenHeader(in)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Not a WAS opaque authorization token, returning null.");
                }
                return null;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Successfully read the opaque token header, beginning to process token.");
            }
            ArrayList holders = new ArrayList();

            // Optional credential hash section.
            if (checkCredHashHeader(in)) {
                byte[] credHashBytes = readCredHashTableBytes(in);
                if (credHashBytes == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "wsCredHash bytes could not be read from InputStream.");
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Successfully retrieved wsCredHash bytes.");
                    }
                    holders.add(new TokenHolder(credHashBytes, wsCredHashHeader, 1));
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The wsCred hashtable not present in opaque byte array.");
            }

            // Mandatory standard token section.
            if (checkTokensHeader(in)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Reading standard tokens from opaque token.");
                }
                readTokens(in, holders);
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There are no tokens present in opaque byte array.");
                }
                throw new WSSecurityException("There are no tokens present in opaque byte array.");
            }

            // Optional custom token section.
            if (checkCustomTokensHeader(in)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Reading custom tokens from opaque token.");
                }
                readTokens(in, holders);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There are no custom tokens present in opaque byte array.");
            }
            return holders;
        } catch (Exception failure) {
            Manager.Ffdc.log(failure, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.createOpaqueTokenFromTokenHolderList", "817", new Object[]{this});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred creating opaque token.", new Object[]{failure});
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, methodName);
            }
            if (throwExceptionForAllPropagationSerializationProblems) {
                if (failure instanceof WSSecurityException) {
                    throw (WSSecurityException) failure;
                }
                throw new WSSecurityException(failure.getMessage(), failure);
            }
            return null;
        }
    }

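    /**
     * Parses one token section of an opaque token and appends a {@code TokenHolder} for every entry to
     * {@code arrayList}.
     *
     * <p>Layout consumed from the stream: a one-byte token count, then for each token a 4-byte name
     * length, the name bytes, a one-byte version, a 4-byte payload length and the payload bytes.
     *
     * <p>Both length fields are read from the serialized token itself, so they are validated before a
     * buffer is allocated. A negative length, or one larger than the bytes still available, is
     * rejected as malformed instead of triggering a huge allocation or a silently zero-padded
     * buffer.
     *
     * @param dataInputStream stream positioned at the token count byte
     * @param arrayList list that receives the parsed holders
     * @throws WSSecurityException if the section is malformed or cannot be read
     */
    private void readTokens(DataInputStream dataInputStream, ArrayList arrayList) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "readTokens");
        }
        try {
            // readByte() is signed: a negative count simply skips the loop below.
            int tokenCount = dataInputStream.readByte();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Number of tokens to be handled: " + tokenCount);
            }
            for (int i = 0; i < tokenCount; i++) {
                int nameLength = dataInputStream.readInt();
                // The visible caller wraps a ByteArrayInputStream, for which available() is the exact
                // remaining byte count. NOTE(review): confirm no other caller passes a stream whose
                // available() under-reports.
                if (nameLength < 0 || nameLength > dataInputStream.available()) {
                    throw new WSSecurityException("malformed token, cannot retrieve token bytes.");
                }
                byte[] nameBytes = new byte[nameLength];
                // readFully() fails on a truncated stream; read() would leave the tail zero-filled.
                dataInputStream.readFully(nameBytes, 0, nameLength);
                String tokenName = StringBytesConversion.getConvertedString(nameBytes);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found token name: " + tokenName);
                }
                byte tokenVersion = dataInputStream.readByte();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Token version: " + ((int) tokenVersion));
                }
                int tokenLength = dataInputStream.readInt();
                if (tokenLength < 0 || tokenLength > dataInputStream.available()) {
                    throw new WSSecurityException("malformed token, cannot retrieve token bytes.");
                }
                byte[] tokenBytes = new byte[tokenLength];
                dataInputStream.readFully(tokenBytes, 0, tokenLength);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Token bytes length: " + tokenLength);
                }
                if (tokenName == null) {
                    throw new WSSecurityException("malformed token, cannot retrieve token bytes.");
                }
                arrayList.add(new TokenHolder(tokenBytes, tokenName, tokenVersion));
            }
        } catch (WSSecurityException e) {
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.readTokens", "885", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "readTokens exception", new Object[]{e});
            }
            throw e;
        } catch (Exception e2) {
            // Covers I/O failures such as EOFException from readFully() on a truncated token.
            Manager.Ffdc.log(e2, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.readTokens", "891", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "readTokens exception", new Object[]{e2});
            }
            throw new WSSecurityException(e2.getMessage(), e2);
        }
    }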

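    /**
     * Reads the length-prefixed credential hashtable bytes that follow the credential hash header.
     *
     * <p>The 4-byte length comes from the serialized token. It is accepted only when it is positive
     * and no larger than the bytes still available, so a corrupt or hostile length cannot force a
     * huge allocation, and a truncated payload is not returned zero-padded.
     *
     * @param dataInputStream stream positioned at the 4-byte length field
     * @return the payload bytes, or {@code null} if the length is invalid or reading fails
     */
    private byte[] readCredHashTableBytes(DataInputStream dataInputStream) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "readCredHashTableBytes");
        }
        try {
            // A mark is set here, but this method never resets to it.
            dataInputStream.mark(dataInputStream.available());
            int length = dataInputStream.readInt();
            // The visible caller wraps a ByteArrayInputStream, for which available() is the exact
            // remaining byte count. NOTE(review): confirm no other caller passes a stream whose
            // available() under-reports.
            if (length > 0 && length <= dataInputStream.available()) {
                byte[] payload = new byte[length];
                // readFully() throws on a short stream instead of leaving the tail zero-filled.
                dataInputStream.readFully(payload, 0, length);
                return payload;
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "readCredHashTableBytes, invalid size = " + length);
            }
            return null;
        } catch (Exception e) {
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.readCredHashTableBytes", "932", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "readCredHashTableBytes exception", new Object[]{e});
            }
            return null;
        }
    }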

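    /**
     * Checks that the stream starts with the opaque token header followed by version byte 1.
     *
     * <p>The number of bytes actually read is compared with the expected header size. The previous
     * {@code null} test on the freshly allocated buffer could never fire, so a short or empty stream
     * was only rejected indirectly, by comparing a zero-filled buffer with the header text.
     *
     * @param dataInputStream stream positioned at the start of the token
     * @return {@code true} only if the header text matches and the version byte equals 1;
     *     {@code false} on a missing header, a mismatch, or any exception
     */
    private boolean checkOpaqueTokenHeader(DataInputStream dataInputStream) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkOpaqueTokenHeader");
        }
        try {
            byte[] header = new byte[this.tokenHeaderSize];
            int bytesRead = dataInputStream.read(header, 0, this.tokenHeaderSize);
            if (bytesRead != this.tokenHeaderSize) {
                // Fewer bytes than a full header (or end of stream): nothing to compare.
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkOpaqueTokenHeader, no header, false");
                }
                return false;
            }
            if (!StringBytesConversion.getConvertedString(header).equals("WSOPAQUE")) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkOpaqueTokenHeader, invalid header, false");
                }
                return false;
            }
            byte version = dataInputStream.readByte();
            if (version == 1) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkOpaqueTokenHeader, true");
                }
                return true;
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkOpaqueTokenHeader, version mismatch, version = " + ((int) version));
            }
            return false;
        } catch (Exception e) {
            // Any failure while reading is reported as "not an opaque token".
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.checkOpaqueTokenHeader", "987", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkOpaqueTokenHeader exception", new Object[]{e});
            }
            return false;
        }
    }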

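    /**
     * Tests whether the next bytes of the stream are the credential hash section header.
     *
     * <p>The stream is marked first. When the header is absent or does not match, the stream is reset
     * to the mark so the caller can probe for the next section; on a match the header stays consumed.
     * The byte count returned by {@code read} is checked explicitly; the previous {@code null} test
     * on the freshly allocated buffer could never fire.
     *
     * @param dataInputStream stream positioned where the section header may start
     * @return {@code true} if the header is present, {@code false} otherwise or on any exception
     */
    private boolean checkCredHashHeader(DataInputStream dataInputStream) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCredHashHeader");
        }
        try {
            dataInputStream.mark(dataInputStream.available());
            byte[] header = new byte[this.wsCredHashHeaderSize];
            int bytesRead = dataInputStream.read(header, 0, this.wsCredHashHeaderSize);
            if (bytesRead != this.wsCredHashHeaderSize) {
                // Short read or end of stream: no complete header to compare.
                dataInputStream.reset();
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkCredHashHeader, no header, false");
                }
                return false;
            }
            if (StringBytesConversion.getConvertedString(header).equals(wsCredHashHeader)) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkCredHashHeader, true");
                }
                return true;
            }
            dataInputStream.reset();
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkCredHashHeader, false");
            }
            return false;
        } catch (Exception e) {
            try {
                dataInputStream.reset();
            } catch (Exception ignored) {
                // Best effort: the original failure is the one logged below.
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.checkCredHashHeader", "1041", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkCredHashHeader exception", new Object[]{e});
            }
            return false;
        }
    }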

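    /**
     * Tests whether the next bytes of the stream are the standard tokens section header.
     *
     * <p>The stream is marked first. When the header is absent or does not match, the stream is reset
     * to the mark; on a match the header stays consumed. The byte count returned by {@code read} is
     * checked explicitly; the previous {@code null} test on the freshly allocated buffer could never
     * fire.
     *
     * @param dataInputStream stream positioned where the section header may start
     * @return {@code true} if the header is present, {@code false} otherwise or on any exception
     */
    private boolean checkTokensHeader(DataInputStream dataInputStream) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkTokensHeader");
        }
        try {
            dataInputStream.mark(dataInputStream.available());
            byte[] header = new byte[this.wsTokensHeaderSize];
            int bytesRead = dataInputStream.read(header, 0, this.wsTokensHeaderSize);
            if (bytesRead != this.wsTokensHeaderSize) {
                // Short read or end of stream: no complete header to compare.
                dataInputStream.reset();
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkTokensHeader, no header, false");
                }
                return false;
            }
            if (StringBytesConversion.getConvertedString(header).equals(wsTokensHeader)) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkTokensHeader, true");
                }
                return true;
            }
            dataInputStream.reset();
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkTokensHeader, false");
            }
            return false;
        } catch (Exception e) {
            try {
                dataInputStream.reset();
            } catch (Exception ignored) {
                // Best effort: the original failure is the one logged below.
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.checkTokensHeader", "1095", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkTokensHeader exception", new Object[]{e});
            }
            return false;
        }
    }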

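    /**
     * Tests whether the next bytes of the stream are the custom tokens section header.
     *
     * <p>The stream is marked first. When the header is absent or does not match, the stream is reset
     * to the mark; on a match the header stays consumed. The byte count returned by {@code read} is
     * checked explicitly; the previous {@code null} test on the freshly allocated buffer could never
     * fire.
     *
     * @param dataInputStream stream positioned where the section header may start
     * @return {@code true} if the header is present, {@code false} otherwise or on any exception
     */
    private boolean checkCustomTokensHeader(DataInputStream dataInputStream) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkCustomTokensHeader");
        }
        try {
            dataInputStream.mark(dataInputStream.available());
            byte[] header = new byte[this.customTokensHeaderSize];
            int bytesRead = dataInputStream.read(header, 0, this.customTokensHeaderSize);
            if (bytesRead != this.customTokensHeaderSize) {
                // Short read or end of stream: no complete header to compare.
                dataInputStream.reset();
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkCustomTokensHeader, no header, false");
                }
                return false;
            }
            if (StringBytesConversion.getConvertedString(header).equals("CUSTOM")) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkCustomTokensHeader, true");
                }
                return true;
            }
            dataInputStream.reset();
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkCustomTokensHeader, false");
            }
            return false;
        } catch (Exception e) {
            try {
                dataInputStream.reset();
            } catch (Exception ignored) {
                // Best effort: the original failure is the one logged below.
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.checkCustomTokensHeader", "1149", new Object[]{this});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkCustomTokensHeader exception", new Object[]{e});
            }
            return false;
        }
    }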

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Serializes {@code obj} with an {@link ObjectOutputStream} into a byte array.
     *
     * @param obj object to serialize
     * @param cls not used by this method
     * @return the serialized form of {@code obj}
     * @throws Exception if the stream cannot be created or the object cannot be written; a write
     *     failure is traced at debug level before being rethrown
     */
    public byte[] serialize_internal(Object obj, Class cls) throws Exception {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        ObjectOutputStream writer = new ObjectOutputStream(sink);
        byte[] serialized;
        try {
            try {
                writer.writeObject(obj);
                serialized = sink.toByteArray();
            } finally {
                // Streams are closed before any failure is traced; close errors are ignored.
                try {
                    writer.close();
                    sink.close();
                } catch (Exception ignored) {
                }
            }
        } catch (Exception failure) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception serializing object. ", new Object[]{failure});
            }
            throw failure;
        }
        return serialized;
    }

    /**
     * Serializes {@code obj} to a byte array by delegating to the two-argument overload with
     * {@code ObjectOutputStream.class}.
     *
     * @param obj object to serialize
     * @return the serialized form of {@code obj}
     * @throws Exception if serialization fails
     */
    public static byte[] serialize(Object obj) throws Exception {
        final byte[] serialized = serialize(obj, ObjectOutputStream.class);
        return serialized;
    }

    /**
     * Writes {@code obj} through an {@link ObjectOutputStream} and returns the resulting bytes.
     *
     * @param obj object to serialize
     * @param cls not used by this method
     * @return the serialized form of {@code obj}
     * @throws Exception if the stream cannot be created or the object cannot be written; a write
     *     failure is traced at debug level before being rethrown
     */
    private static byte[] serialize(Object obj, Class cls) throws Exception {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        ObjectOutputStream writer = new ObjectOutputStream(sink);
        try {
            writer.writeObject(obj);
            return sink.toByteArray();
        } catch (Exception failure) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception serializing object. ", new Object[]{failure});
            }
            throw failure;
        } finally {
            // Close errors are deliberately ignored; the bytes have already been captured.
            try {
                writer.close();
                sink.close();
            } catch (Exception ignored) {
            }
        }
    }

    /**
     * Reconstructs an object from {@code bArr} by delegating to the two-argument overload with
     * {@code WsObjectInputStream.class}.
     *
     * <p>NOTE(review): this is Java object deserialization behind a public static entry point.
     * Whether {@code WsObjectInputStream} restricts the classes it will resolve is not visible from
     * this file. Confirm that callers pass only bytes whose origin and integrity have been verified,
     * or that a deserialization filter is in effect.
     *
     * @param bArr serialized object bytes
     * @return the deserialized object
     * @throws Exception if deserialization fails
     */
    public static Object deserialize(byte[] bArr) throws Exception {
        final Object restored = deserialize(bArr, WsObjectInputStream.class);
        return restored;
    }

    /**
     * Reads a single object from {@code bArr} using a {@code WsObjectInputStream}.
     *
     * <p>NOTE(review): {@code readObject()} instantiates whatever classes the byte stream names,
     * subject to any restriction {@code WsObjectInputStream} applies (not visible here). Treat the
     * input as trusted only if its origin and integrity were checked before this call.
     *
     * @param bArr serialized object bytes
     * @param cls not used by this method
     * @return the deserialized object
     * @throws Exception if the stream cannot be opened or the object cannot be read; a read failure
     *     is logged as a warning and traced at debug level before being rethrown
     */
    private static Object deserialize(byte[] bArr, Class cls) throws Exception {
        ByteArrayInputStream source = new ByteArrayInputStream(bArr);
        WsObjectInputStream reader = new WsObjectInputStream(source);
        try {
            return reader.readObject();
        } catch (Exception failure) {
            Tr.warning(tc, "security.sap.warning.deserializing.custom.objects.from.subject");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception deserializing object. ", new Object[]{failure});
            }
            throw failure;
        } finally {
            // Close errors are deliberately ignored.
            try {
                reader.close();
                source.close();
            } catch (Exception ignored) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Collects the forwardable tokens held in a Subject's private and public credentials and wraps
     * each one in a {@code TokenHolder}.
     *
     * <p>Handling differs by credential set and token kind:
     * <ul>
     *   <li>Private {@code KRBAuthnToken}: skipped if not forwardable; an expired forwardable token
     *       aborts the whole call with {@code WSLoginFailedException}.</li>
     *   <li>Private credential whose class name is one of the four listed SAML implementations:
     *       skipped if not forwardable; no validity check is made in this branch.</li>
     *   <li>Any other private {@code Token}: skipped if not forwardable; an invalid forwardable token
     *       aborts the call with {@code WSLoginFailedException}.</li>
     *   <li>Public {@code Token}: added only if forwardable and valid; otherwise skipped without an
     *       exception or trace.</li>
     * </ul>
     * In every case a token is added only when its bytes and name are non-null and its version is
     * non-zero.
     *
     * @param subject the Subject to inspect; may be {@code null}
     * @return the list of token holders, or {@code null} if {@code subject} is {@code null} or no
     *     token qualified
     * @throws WSLoginFailedException if a forwardable private token is expired or invalid, or if any
     *     other exception occurs while reading the credentials (wrapped)
     */
    public ArrayList getForwardableTokensFromSubject(Subject subject) throws WSLoginFailedException {
        if (subject == null) {
            Tr.debug(tc, "Null Subject passed in.");
            return null;
        }
        try {
            // The whole scan runs while holding the Subject's monitor.
            synchronized (subject) {
                ArrayList arrayList = new ArrayList();
                Set<Object> privateCredentials = subject.getPrivateCredentials();
                Set<Object> publicCredentials = subject.getPublicCredentials();
                for (Object obj : privateCredentials) {
                    if (obj instanceof KRBAuthnToken) {
                        AuthenticationToken authenticationToken = (AuthenticationToken) obj;
                        if (!((KRBAuthnToken) obj).isTokenForwardable()) {
                            Tr.debug(tc, "Token with name " + authenticationToken.getName() + " is not forwardable.");
                        } else {
                            // An expired forwardable Kerberos token fails the call rather than being skipped.
                            if (!((KRBAuthnToken) obj).isTokenValid()) {
                                Tr.debug(tc, "Token with name " + authenticationToken.getName() + " is expired.");
                                throw new WSLoginFailedException("Token with name " + authenticationToken.getName() + " is expired.");
                            }
                            if (authenticationToken.getBytes() != null && authenticationToken.getName() != null && authenticationToken.getVersion() != 0) {
                                arrayList.add(new TokenHolder(authenticationToken.getBytes(), authenticationToken.getName(), authenticationToken.getVersion()));
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Did not add token " + authenticationToken.getName() + ":" + ((int) authenticationToken.getVersion()) + " to opaque token, bytes null? " + authenticationToken.getBytes());
                            }
                        }
                    } else {
                        // SAML tokens are recognised by exact implementation class name, not by instanceof.
                        String name = obj.getClass().getName();
                        if (name.equals("com.ibm.ws.wssecurity.wssapi.token.impl.SAML11TokenImpl") || name.equals("com.ibm.ws.wssecurity.wssapi.token.impl.SAML20TokenImpl") || name.equals("com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.WasSAML11TokenImpl") || name.equals("com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.WasSAML20TokenImpl")) {
                            Token token = (Token) obj;
                            // Unlike the other private-token branches, isValid() is not consulted here.
                            if (!token.isForwardable()) {
                                Tr.debug(tc, "SAML Token with name " + token.getName() + " is not forwardable.");
                            } else if (token.getBytes() != null && token.getName() != null && token.getVersion() != 0) {
                                arrayList.add(new TokenHolder(token.getBytes(), token.getName(), token.getVersion()));
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Did not add SAML token " + token.getName() + ":" + ((int) token.getVersion()) + " to opaque token, bytes null? " + token.getBytes());
                            }
                        } else if (obj instanceof Token) {
                            Token token2 = (Token) obj;
                            if (!token2.isForwardable()) {
                                Tr.debug(tc, "Token with name " + token2.getName() + " is not forwardable.");
                            } else {
                                // An invalid forwardable token fails the call rather than being skipped.
                                if (!token2.isValid()) {
                                    Tr.debug(tc, "Token with name " + token2.getName() + " is expired.");
                                    throw new WSLoginFailedException("Token with name " + token2.getName() + " is expired.");
                                }
                                if (token2.getBytes() != null && token2.getName() != null && token2.getVersion() != 0) {
                                    arrayList.add(new TokenHolder(token2.getBytes(), token2.getName(), token2.getVersion()));
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Did not add token " + token2.getName() + ":" + ((int) token2.getVersion()) + " to opaque token, bytes null? " + token2.getBytes());
                                }
                            }
                        } else {
                            // Private credentials that are not tokens are ignored.
                            continue;
                        }
                    }
                }
                // Public credentials: non-forwardable or invalid tokens are skipped silently.
                for (Object obj2 : publicCredentials) {
                    if (obj2 instanceof Token) {
                        Token token3 = (Token) obj2;
                        if (token3.isForwardable() && token3.isValid()) {
                            if (token3.getBytes() != null && token3.getName() != null && token3.getVersion() != 0) {
                                arrayList.add(new TokenHolder(token3.getBytes(), token3.getName(), token3.getVersion()));
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Did not add token " + token3.getName() + ":" + ((int) token3.getVersion()) + " to opaque token, bytes null? " + token3.getBytes());
                            }
                        }
                    }
                }
                // An empty result is reported as null, not as an empty list.
                if (arrayList == null || arrayList.size() <= 0) {
                    return null;
                }
                return arrayList;
            }
        } catch (WSLoginFailedException e) {
            // The FFDC probe name below differs from this method's name.
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.getForwardableAuthzTokensFromSubject", "1359", new Object[]{this});
            Tr.debug(tc, "WSLoginFailedException getting forwardable tokens from Subject.", new Object[]{e});
            throw e;
        } catch (Exception e2) {
            // Any other failure is wrapped so callers only see WSLoginFailedException.
            Manager.Ffdc.log(e2, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.getForwardableAuthzTokensFromSubject", "1365", new Object[]{this});
            Tr.debug(tc, "Exception getting forwardable tokens from Subject.", new Object[]{e2});
            throw new WSLoginFailedException(e2.getMessage(), e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
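    /**
     * Reports whether the class of {@code obj} matches the propagation exclude list.
     *
     * <p>The list is built on first use from the colon-separated
     * {@code SecurityConfig.PROPAGATION_EXCLUDE_LIST} property, plus the class name of
     * {@code WSSMarkerObject}. A trailing {@code *} on an entry is stripped, and every entry is
     * matched as a prefix of the class name whether or not it carried a {@code *}. An entry that is
     * only {@code *} therefore becomes the empty prefix and matches every class.
     *
     * <p>The list is assembled in a local variable and published only once complete. Previously an
     * unset property left an empty list behind after a {@code NullPointerException}, so later calls
     * never excluded {@code WSSMarkerObject}.
     *
     * <p>NOTE(review): any exception in this method yields {@code false} ("not excluded"). Confirm
     * that callers can tolerate this fail-open result for objects that should never be propagated.
     *
     * @param obj object whose class name is tested
     * @return {@code true} if the class name starts with an exclude-list entry; {@code false}
     *     otherwise or when an exception occurs
     */
    public boolean isExcluded(Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isExcluded");
        }
        try {
            if (excludeList == null) {
                String property = ContextManagerFactory.getInstance().getProperty(SecurityConfig.PROPAGATION_EXCLUDE_LIST);
                ArrayList rules = new ArrayList();
                // An unset property means "no configured entries", not a failure.
                if (property != null) {
                    StringTokenizer stringTokenizer = new StringTokenizer(property, ":");
                    while (stringTokenizer.hasMoreTokens()) {
                        String rule = stringTokenizer.nextToken();
                        if (rule.endsWith("*")) {
                            rule = rule.substring(0, rule.length() - 1);
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Adding entry to exclude list: " + rule);
                        }
                        rules.add(rule);
                    }
                }
                String markerName = WSSMarkerObject.class.getName();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding entry to exclude list: " + markerName);
                }
                rules.add(markerName);
                // Publish only the fully built list so a failure above cannot leave a partial one.
                excludeList = rules;
            }
            String className = obj.getClass().getName();
            for (int i = 0; i < excludeList.size(); i++) {
                // startsWith() also covers the exact-match case.
                if (className.startsWith((String) excludeList.get(i))) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, className + " isExcluded (true), list rule -> " + excludeList.get(i));
                    }
                    return true;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, className + " isExcluded (false)");
            }
            return false;
        } catch (Exception e) {
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.token.WSOpaqueTokenHelper.isExcluded", "1418", new Object[]{this});
            Tr.debug(tc, "Exception checking if class is excluded from propagation.", new Object[]{e});
            return false;
        }
    }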
}
