package com.ibm.ws.security.openid20.client;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.security.openid20.util.MessageHelper;
import com.ibm.ws.security.openid20.util.OidUtil;
import com.ibm.wsspi.security.tai.TAIResult;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpStatus;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryException;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.MessageException;
import org.openid4java.message.MessageExtension;
import org.openid4java.message.ParameterList;
import org.openid4java.message.ax.FetchRequest;
import org.openid4java.message.ax.FetchResponse;

/* loaded from: input_file:com/ibm/ws/security/openid20/client/OpenIDClientAuthenticator.class */
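/**
 * OpenID 2.0 relying-party logic: starts an authentication request against the
 * configured provider ({@link #createAuthRequest}) and validates the provider's
 * response ({@link #verifyResponse}), reporting the outcome as a {@link TAIResult}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The original request (method and parameters) is cached under a generated key; that key
 *       travels in the {@code return_to} URL and is later reused as the relying-party cookie value.</li>
 *   <li>After a successful verification the cached request is replayed, either as a redirect or
 *       as an auto-submitting HTML form. Everything replayed comes from the original (untrusted)
 *       request and is therefore encoded before it is written back to the browser.</li>
 *   <li>Entry/exit trace includes request identifiers, URLs and provider-supplied attributes;
 *       treat trace output as sensitive.</li>
 * </ul>
 */
public class OpenIDClientAuthenticator {
    private static final TraceComponent tc = Tr.register(OpenIDClientAuthenticator.class, MessageHelper._TR_GROUP, MessageHelper._MSG_FILE);
    /** Namespace URI of the OpenID Attribute Exchange extension. */
    private static final String AX_NAMESPACE = "http://openid.net/srv/ax/1.0";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final SecureRandom srandom = new SecureRandom();
    private static final ConsumerManagerFactory consumerManagerFactory = new ConsumerManagerFactory(null);
    private final ConsumerManager consumerManager;
    private final OpenIDClientConfig openidClientConfig;

    private OpenIDClientAuthenticator() {
        this.consumerManager = null;
        this.openidClientConfig = null;
    }

    /**
     * Creates an authenticator for the given configuration, initialises the shared request
     * cache and obtains a {@link ConsumerManager} bound to the default SSL context.
     *
     * @param openIDClientConfig relying-party configuration
     * @throws OpenIDRelyingPartyException if the default SSL context cannot be obtained, or if
     *         cache or consumer-manager initialisation fails
     */
    public OpenIDClientAuthenticator(OpenIDClientConfig openIDClientConfig) throws OpenIDRelyingPartyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "OpenIDClientAuthenticator(openidClientConfig[" + OidUtil.getObjState(openIDClientConfig) + "])");
        }
        this.openidClientConfig = openIDClientConfig;
        RequestCache.CACHE.init(openIDClientConfig);
        this.consumerManager = consumerManagerFactory.getConsumerManager(openIDClientConfig, getDefaultSSLContext());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "OpenIDClientAuthenticator");
        }
    }

    /**
     * Discovers the configured provider, caches the current request under a fresh key and
     * redirects the browser to the provider.
     *
     * @return a 302 result after the redirect was sent, or a 503 result (with a
     *         {@code WWW-Authenticate} header) when the request could not be cached
     * @throws OpenIDRelyingPartyException if the auth request cannot be built or the redirect fails
     * @throws WebTrustAssociationFailedException if discovery fails or the provider endpoint
     *         violates the https requirement
     */
    public TAIResult createAuthRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OpenIDRelyingPartyException, WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createAuthRequest(req[" + OidUtil.getObjState(httpServletRequest) + "],res[" + OidUtil.getObjState(httpServletResponse) + "])");
        }
        String providerIdentifier = this.openidClientConfig.getProviderIdentifier();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "openID identifier:" + providerIdentifier);
        }
        DiscoveryInformation discovered = discoverOpenID(this.consumerManager, providerIdentifier);
        String requestKey = MessageDigestUtil.getDigest();
        try {
            AuthRequest authRequest = this.consumerManager.authenticate(discovered, createReturnToUrl(httpServletRequest, requestKey), getRpRealm(httpServletRequest));
            try {
                addUserInfoAttributes(authRequest);
            } catch (MessageException e) {
                throw failure("Failed to add attributes to auth request " + e.getMessage(), e);
            }
            // Only a failure to cache the request is reported as 503. Previously a failed
            // redirect was caught by the same handler and mis-reported as a full cache.
            try {
                RequestCache.CACHE.put(requestKey, new RequestData(discovered, httpServletRequest.getMethod(), httpServletRequest.getParameterMap()));
            } catch (OpenIDRelyingPartyException e) {
                httpServletResponse.addHeader(WWW_AUTHENTICATE, "Bearer realm=\"" + this.openidClientConfig.getRealmName() + "\", error=TAI internal cache capacity reached");
                return TAIResult.create(HttpStatus.SC_SERVICE_UNAVAILABLE);
            }
            String redirectUrl = httpServletResponse.encodeRedirectURL(authRequest.getDestinationUrl(true));
            try {
                httpServletResponse.sendRedirect(redirectUrl);
            } catch (IOException e) {
                throw failure("Failed to set the redirect url - " + e.getMessage(), e);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "OIDCRelyingParty sent redirect (302) request: [" + redirectUrl + "]");
            }
            TAIResult result = TAIResult.create(HttpStatus.SC_MOVED_TEMPORARILY);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createAuthRequest returns taiResult: [" + OidUtil.getObjState(result) + "]");
            }
            return result;
        } catch (Exception e) {
            // Every failure above, including the more specific ones, leaves as OpenIDRelyingPartyException.
            throw failure("Failed to create authRequest object " + e.getMessage(), e);
        }
    }

    /**
     * Verifies the provider's response for a previously cached request, stores the resulting
     * subject in the cache, sets the relying-party cookie and replays the original request.
     *
     * @return 403 when the provider response does not verify; otherwise the result of the
     *         replay (302 for a redirect, 401 after the auto-submit form has been written)
     * @throws OpenIDRelyingPartyException if the request identifier is missing or unknown, or if
     *         verification or the replay fails
     */
    public TAIResult verifyResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OpenIDRelyingPartyException, WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "verifyResponse(req[" + OidUtil.getObjState(httpServletRequest) + "],res[" + OidUtil.getObjState(httpServletResponse) + "])");
        }
        String receivingUrl = getReceivingUrl(httpServletRequest);
        ParameterList responseParameters = new ParameterList(httpServletRequest.getParameterMap());
        String rpIdentifier = getRPIdentifier(httpServletRequest);
        if (rpIdentifier == null) {
            String message = MessageHelper.getMessage("security.openid20.client.noIdentifier");
            Tr.error(tc, message);
            throw new OpenIDRelyingPartyException(message);
        }
        RequestData requestData = RequestCache.CACHE.get(rpIdentifier);
        if (requestData == null) {
            String message = MessageHelper.getMessage("security.openid20.client.noCacheHit", new Object[]{rpIdentifier});
            Tr.error(tc, message);
            throw new OpenIDRelyingPartyException(message);
        }
        DiscoveryInformation discovered = requestData.getDiscoveryInformation();
        try {
            VerificationResult verification = this.consumerManager.verify(receivingUrl, responseParameters, discovered);
            if (verification == null) {
                throw failure("Failed to get a valid response for " + discovered.getClaimedIdentifier(), null);
            }
            Identifier verifiedId = verification.getVerifiedId();
            if (verifiedId == null) {
                // The status message is not under this class's control, so line breaks are
                // removed before it is placed in a response header.
                String statusMsg = verification.getStatusMsg();
                httpServletResponse.addHeader(WWW_AUTHENTICATE, "Bearer realm=\"" + this.openidClientConfig.getRealmName() + "\", error=" + stripLineBreaks(statusMsg));
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Verification failed with the message: [" + statusMsg + "]");
                }
                return TAIResult.create(HttpStatus.SC_FORBIDDEN);
            }
            String identifier = verifiedId.getIdentifier();
            AuthSuccess authSuccess = (AuthSuccess) verification.getAuthResponse();
            if (authSuccess == null) {
                throw failure("Failed to get AuthSuccess response object for identifier " + identifier, null);
            }
            Map<String, Object> attributes = receiveUserInfoAttributes(authSuccess);
            String mappedUserName = resolveMapUserName(authSuccess, attributes);
            RequestCache.CACHE.update(rpIdentifier, getSubject(mappedUserName, attributes), mappedUserName);
            // NOTE(review): the cookie value is the identifier that was carried in the return_to
            // query string, so it has already passed through the provider redirect and any URL
            // logging on the way. Confirm that is acceptable, or issue a fresh value here.
            // Secure/HttpOnly follow configuration; verify both are enabled in production.
            Cookie cookie = new Cookie(OpenIDConstants.RP_COOKIE_NAME, rpIdentifier);
            cookie.setPath("/");
            cookie.setHttpOnly(this.openidClientConfig.httpOnly());
            cookie.setSecure(this.openidClientConfig.ishttpsRequired());
            httpServletResponse.addCookie(cookie);
            String targetUrl = httpServletRequest.getRequestURL().toString();
            Map<String, String[]> savedParameters = requestData.getParameterMap();
            String savedMethod = requestData.getMethod();
            if (HttpPost.METHOD_NAME.equals(savedMethod) || HttpPut.METHOD_NAME.equals(savedMethod)) {
                return replayWithAutoSubmitForm(httpServletResponse, targetUrl, savedMethod, savedParameters);
            }
            return replayWithRedirect(httpServletResponse, targetUrl, savedParameters);
        } catch (Exception e) {
            throw failure("Failed to verify the response for " + discovered.getClaimedIdentifier() + " exception " + e.getMessage(), e);
        }
    }

    /**
     * Replays a cached non-POST/PUT request as a redirect to {@code targetUrl} with the saved
     * parameters rebuilt into a query string. Names and values are both URL-encoded so a saved
     * parameter name containing {@code &}, {@code =} or {@code #} cannot reshape the query.
     */
    private TAIResult replayWithRedirect(HttpServletResponse httpServletResponse, String targetUrl, Map<String, String[]> savedParameters) throws OpenIDRelyingPartyException, WebTrustAssociationFailedException {
        StringBuilder query = new StringBuilder();
        if (savedParameters != null) {
            for (Map.Entry<String, String[]> parameter : savedParameters.entrySet()) {
                for (String value : parameter.getValue()) {
                    if (query.length() > 0) {
                        query.append('&');
                    }
                    try {
                        query.append(URLEncoder.encode(parameter.getKey(), "UTF-8")).append('=').append(URLEncoder.encode(value, "UTF-8"));
                    } catch (UnsupportedEncodingException e) {
                        throw failure("Failed to generate the redirect url string because of exception [" + e.getMessage() + "]", e);
                    }
                }
            }
        }
        String redirectUrl = targetUrl;
        if (query.length() > 0) {
            redirectUrl = targetUrl + OpenIDConstants.QUESTIONMARK + query;
        }
        try {
            httpServletResponse.sendRedirect(redirectUrl);
        } catch (IOException e) {
            throw failure("Failed to set the redirect url " + e.getMessage(), e);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Sending a GET redirect to url " + redirectUrl);
        }
        TAIResult result = TAIResult.create(HttpStatus.SC_MOVED_TEMPORARILY);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "verifyResponse returns taiResult: [" + result.getStatus() + "]");
        }
        return result;
    }

    /**
     * Replays a cached POST/PUT request by writing an HTML page whose form submits itself.
     * The action URL, method and parameter names are HTML-escaped because they originate from
     * the request and are written inside single-quoted attributes.
     */
    private TAIResult replayWithAutoSubmitForm(HttpServletResponse httpServletResponse, String targetUrl, String savedMethod, Map<String, String[]> savedParameters) throws OpenIDRelyingPartyException, WebTrustAssociationFailedException {
        try {
            PrintWriter writer = httpServletResponse.getWriter();
            try {
                writer.println("<html><head></head>");
                writer.println("<body onload='document.formoidcpost.submit()'>");
                writer.println("<form name='formoidcpost' action='" + escapeHtml(targetUrl) + "' method='" + escapeHtml(savedMethod) + "'>");
                if (savedParameters != null) {
                    for (Map.Entry<String, String[]> parameter : savedParameters.entrySet()) {
                        for (String value : parameter.getValue()) {
                            // URL-encoded output contains no quote or angle-bracket characters, so it
                            // is safe inside the attribute.
                            // NOTE(review): the browser percent-encodes the value again on submit, so
                            // the replayed value may differ from the one originally posted; confirm
                            // whether HTML-escaping the raw value is what was intended.
                            writer.println("<input type='hidden' name='" + escapeHtml(parameter.getKey()) + "' value='" + URLEncoder.encode(value, "UTF-8") + "'>");
                        }
                    }
                }
                writer.println("</form></body></html>");
            } finally {
                writer.close();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Sending a POST redirect to url " + targetUrl);
            }
            // NOTE(review): this runs after the writer is closed, so it most likely has no effect,
            // and the declared type does not match the HTML body written above. Consider setting
            // "text/html; charset=UTF-8" before getWriter() instead.
            httpServletResponse.setContentType("application/x-www-form-urlencoded; charset=UTF-8");
            TAIResult result = TAIResult.create(HttpStatus.SC_UNAUTHORIZED);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "verifyResponse returns taiResult: [" + result.getStatus() + "]");
            }
            return result;
        } catch (Exception e) {
            throw failure("Failed to generate the form post html because of exception [" + e.getMessage() + "]", e);
        }
    }

    /**
     * Returns the SSL context obtained from {@link JSSEHelper} with no alias, properties or
     * listener supplied.
     *
     * @throws OpenIDRelyingPartyException if the helper reports an {@link SSLException}
     */
    private SSLContext getDefaultSSLContext() throws OpenIDRelyingPartyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultSSLContext()");
        }
        try {
            SSLContext sslContext = JSSEHelper.getInstance().getSSLContext((String) null, (Map) null, (SSLConfigChangeListener) null);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getDefaultSSLContext returns [" + OidUtil.getObjState(sslContext) + "]");
            }
            return sslContext;
        } catch (SSLException e) {
            String message = MessageHelper.getMessage("security.openid20.client.defaultsslcontext", e.getMessage());
            Tr.error(tc, message, e);
            OpenIDRelyingPartyException wrapped = new OpenIDRelyingPartyException(message);
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Builds the {@code return_to} URL: the request URL, the request-identifier parameter set to
     * {@code str}, then the original query string (if any).
     *
     * <p>The key is written to trace here; it is later accepted as the cookie value, so trace
     * files containing it should be protected accordingly.
     */
    private String createReturnToUrl(HttpServletRequest httpServletRequest, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createReturnToUrl(req[" + OidUtil.getObjState(httpServletRequest) + "],uniqueKey[" + str + "])");
        }
        StringBuffer returnTo = httpServletRequest.getRequestURL();
        returnTo.append(OpenIDConstants.QUESTIONMARK).append(OpenIDConstants.RP_REQUEST_IDENTIFIER).append("=").append(str);
        String originalQuery = httpServletRequest.getQueryString();
        if (originalQuery != null) {
            returnTo.append("&").append(originalQuery);
        }
        String result = returnTo.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createReturnToUrl returns [" + result + "]");
        }
        return result;
    }

    /**
     * Builds the relying-party realm as {@code scheme://host[:port]/contextPath}. The port is
     * omitted only when it is the default for the scheme (80 for http, 443 for https); the
     * previous check dropped 80 and 443 for either scheme.
     *
     * <p>NOTE(review): host and port come from the request, so the realm follows whatever host
     * name the container accepted for it; confirm virtual-host restrictions are in place.
     */
    private String getRpRealm(HttpServletRequest httpServletRequest) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRpRealm(req[" + OidUtil.getObjState(httpServletRequest) + "])");
        }
        String scheme = httpServletRequest.getScheme();
        int serverPort = httpServletRequest.getServerPort();
        boolean defaultPort = ("http".equalsIgnoreCase(scheme) && serverPort == 80) || ("https".equalsIgnoreCase(scheme) && serverPort == 443);
        StringBuilder realm = new StringBuilder();
        realm.append(scheme).append("://").append(httpServletRequest.getServerName());
        if (!defaultPort) {
            realm.append(":").append(serverPort);
        }
        realm.append(httpServletRequest.getContextPath());
        String result = realm.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRpRealm returns [" + result + "]");
        }
        return result;
    }

    /**
     * Returns the request URL followed by {@code ?} and the query string when one is present.
     * The full URL, including all response parameters, is written to exit trace.
     */
    public String getReceivingUrl(HttpServletRequest httpServletRequest) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getReceivingUrl(req[" + OidUtil.getObjState(httpServletRequest) + "])");
        }
        StringBuffer receivingUrl = httpServletRequest.getRequestURL();
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null && queryString.length() > 0) {
            receivingUrl.append(OpenIDConstants.QUESTIONMARK).append(queryString);
        }
        String result = receivingUrl.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getReceivingUrl returns [" + result + "]");
        }
        return result;
    }

    /**
     * Runs discovery for {@code str} (up to the configured number of attempts, stopping at the
     * first non-null result), associates with the provider and enforces the https requirement
     * on the provider endpoint.
     *
     * @throws WebTrustAssociationFailedException if discovery throws, or if https is required
     *         and the endpoint uses another protocol
     * @throws OpenIDRelyingPartyException if no discovery or association result is obtained
     */
    @SuppressWarnings("rawtypes")
    private DiscoveryInformation discoverOpenID(ConsumerManager consumerManager, String str) throws OpenIDRelyingPartyException, WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "discoverOpenID(consumerManager[" + OidUtil.getObjState(consumerManager) + "],identifier[" + str + "])");
        }
        List discoveries = null;
        int maxAttempts = this.openidClientConfig.getMaxDiscoverRetry();
        // Stop once discovery has produced a result; the loop used to repeat the remote
        // discovery call for every configured attempt even after it had succeeded.
        for (int attempt = 0; attempt < maxAttempts && discoveries == null; attempt++) {
            try {
                discoveries = consumerManager.discover(str);
            } catch (DiscoveryException e) {
                String message = MessageHelper.getMessage("security.openid20.client.discoveryfailed", new Object[]{str, e.getMessage()});
                Tr.error(tc, message, e);
                throw new WebTrustAssociationFailedException(message);
            }
        }
        if (discoveries == null) {
            throw failure("Failed to discover OpenID provider for identifier: " + str + " after " + maxAttempts + " attempts", null);
        }
        DiscoveryInformation associated = consumerManager.associate(discoveries);
        if (associated == null) {
            // Guard in case association yields nothing (for example an empty discovery list),
            // rather than failing with a NullPointerException below.
            throw failure("Failed to associate with an OpenID provider for identifier: " + str, null);
        }
        if (this.openidClientConfig.ishttpsRequired() && !"https".equals(associated.getOPEndpoint().getProtocol())) {
            String message = MessageHelper.getMessage("security.openid20.client.opendpointnothttps", new Object[]{associated.getOPEndpoint().toString(), OpenIDConstants.HTTPS_REQUIRED});
            Tr.error(tc, message);
            throw new WebTrustAssociationFailedException(message);
        }
        String version = associated.getVersion();
        if (!associated.isVersion2() && tc.isWarningEnabled()) {
            Tr.warning(tc, MessageHelper.getMessage("security.openid20.client.opnotversion2warn"), version);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "discoverOpenID returns [" + OidUtil.getObjState(associated) + "]");
        }
        return associated;
    }

    /**
     * Adds an Attribute Exchange fetch request to {@code authRequest} for every configured
     * {@link UserInfo} entry; nothing is added when none are configured.
     */
    private void addUserInfoAttributes(AuthRequest authRequest) throws MessageException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addUserInfoAttributes(authReq[" + OidUtil.getObjState(authRequest) + "])");
        }
        FetchRequest fetchRequest = FetchRequest.createFetchRequest();
        List<?> requestedAttributes = (List<?>) this.openidClientConfig.getUserInfo();
        if (requestedAttributes != null && !requestedAttributes.isEmpty()) {
            for (Object entry : requestedAttributes) {
                UserInfo userInfo = (UserInfo) entry;
                fetchRequest.addAttribute(userInfo.getAlias(), userInfo.getType(), userInfo.getRequired(), userInfo.getCount());
            }
            authRequest.addExtension(fetchRequest);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addUserInfoAttributes returns");
        }
    }

    /**
     * Returns the Attribute Exchange attributes carried by {@code authSuccess}, or an empty map
     * when the response has no fetch response. The attribute values are written to exit trace.
     *
     * <p>NOTE(review): these values are provider-asserted and later drive user, realm and group
     * mapping. Confirm the openid4java version in use only returns AX fields that are covered by
     * the response signature.
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    private Map<String, Object> receiveUserInfoAttributes(AuthSuccess authSuccess) throws OpenIDRelyingPartyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "receiveUserInfoAttributes(authSuccess[" + OidUtil.getObjState(authSuccess) + "])");
        }
        Map<String, Object> attributes = new HashMap<String, Object>();
        if (authSuccess.hasExtension(AX_NAMESPACE)) {
            try {
                MessageExtension extension = authSuccess.getExtension(AX_NAMESPACE);
                if (extension instanceof FetchResponse) {
                    // Go through the raw type so this compiles whatever generic signature the library declares.
                    Map fetched = ((FetchResponse) extension).getAttributes();
                    if (fetched != null) {
                        attributes = fetched;
                    }
                }
            } catch (MessageException e) {
                throw failure("Failed to get parameter of extension type " + AX_NAMESPACE + " " + e.getMessage(), e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "receiveUserInfoAttributes returns [" + attributes + "])");
        }
        return attributes;
    }

    /**
     * Chooses the user name to map: the identity (or claimed id) when the configuration asks for
     * the client identity; otherwise the first value of the first configured alias that has one,
     * falling back to the identity (or claimed id).
     */
    private String resolveMapUserName(AuthSuccess authSuccess, Map<String, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resolveMapUserName(authSuccess[" + OidUtil.getObjState(authSuccess) + "],attributes[" + OidUtil.getObjState(map) + "])");
        }
        String userName = null;
        if (!this.openidClientConfig.isUseClientIdentity()) {
            String[] aliases = this.openidClientConfig.getMapAliasAsPrincipal();
            if (aliases != null) {
                for (String alias : aliases) {
                    userName = firstAttributeValue(map, alias);
                    if (userName != null) {
                        break;
                    }
                }
            }
        }
        if (userName == null) {
            userName = getIdentityOrClaimedId(authSuccess);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resolveMapUserName returns [" + userName + "])");
        }
        return userName;
    }

    /** Returns the response's identity, or its claimed identifier when the identity is null. */
    private String getIdentityOrClaimedId(AuthSuccess authSuccess) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getIdentityOrClaimedId(authSuccess[" + OidUtil.getObjState(authSuccess) + "])");
        }
        String identity = authSuccess.getIdentity();
        if (identity == null) {
            identity = authSuccess.getClaimed();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getIdentityOrClaimedId returns [" + identity + "])");
        }
        return identity;
    }

    /**
     * Returns the first value of the configured realm attribute, or the configured realm name
     * when that attribute is absent.
     */
    private String getRealm(Map<String, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRealm(attributes[" + OidUtil.getObjState(map) + "])");
        }
        String realm = null;
        String realmIdentifier = this.openidClientConfig.getRealmIdentifier();
        if (realmIdentifier != null) {
            realm = firstAttributeValue(map, realmIdentifier);
        }
        if (realm == null) {
            realm = this.openidClientConfig.getRealmName();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRealm returns [" + realm + "])");
        }
        return realm;
    }

    /**
     * Returns the values of the configured group attribute, each prefixed with
     * {@code group:<realm>/} when {@code str} (the realm) is non-empty.
     *
     * @return a list that is never null; the previous code could return null when the realm was
     *         empty and the attribute missing, which {@link Hashtable#put} in
     *         {@link #getSubject} rejects
     */
    private List<String> getGroupIds(Map<String, Object> map, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getGroupIds(attributes[" + OidUtil.getObjState(map) + "])");
        }
        List<String> groupIds = new ArrayList<String>();
        String groupIdentifier = this.openidClientConfig.getGroupIdentifier();
        if (groupIdentifier != null) {
            List<?> values = attributeValues(map, groupIdentifier);
            if (values != null) {
                boolean qualifyWithRealm = str != null && !str.isEmpty();
                for (Object value : values) {
                    groupIds.add(qualifyWithRealm ? "group:" + str + "/" + value : String.valueOf(value));
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getGroupIds returns list of size [" + groupIds.size() + "])");
        }
        return groupIds;
    }

    /**
     * Builds a {@link Subject} whose private credentials hold a table of credential
     * properties for the mapped user.
     *
     * @return the subject, or null when either argument is null
     */
    private Subject getSubject(String str, Map<String, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSubject(mapUserName[" + str + "],attributes[" + OidUtil.getObjState(map) + "])");
        }
        if (str == null || map == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more parameters passed to this method is null");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getSubject returns [" + OidUtil.getObjState(null) + "]");
            }
            return null;
        }
        Subject subject = new Subject();
        Hashtable<String, Object> credentials = new Hashtable<String, Object>();
        boolean assertIdentity = !this.openidClientConfig.isMapIdentityToRegistryUser();
        if (assertIdentity) {
            // Provider-supplied attributes go in first so that an attribute whose alias equals
            // one of the credential keys below cannot replace the value computed here.
            credentials.putAll(map);
        }
        credentials.put("com.ibm.wsspi.security.cred.securityName", str);
        if (assertIdentity) {
            // assumes getRealm() is non-null (it falls back to the configured realm name);
            // Hashtable rejects null values. TODO confirm the configuration guarantees this.
            String realm = getRealm(map);
            List<String> groupIds = getGroupIds(map, realm);
            credentials.put("com.ibm.wsspi.security.cred.uniqueId", "user:" + realm + "/" + str);
            credentials.put("com.ibm.wsspi.security.cred.groups", groupIds);
            credentials.put("com.ibm.wsspi.security.cred.realm", realm);
            if (this.openidClientConfig.isIncludeCustomCacheKeyInSubject()) {
                credentials.put("com.ibm.wsspi.security.cred.cacheKey", str + new BigInteger(130, srandom).toString(32));
            }
        }
        addToSubjectAsPrivateCredentials(subject, credentials);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSubject returns [" + subject + "]");
        }
        return subject;
    }

    /** Adds {@code obj} to the subject's private credentials inside a privileged action. */
    private static void addToSubjectAsPrivateCredentials(final Subject subject, final Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addToSubjectAsPrivateCredentials");
        }
        if (subject != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding private credential");
            }
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    subject.getPrivateCredentials().add(obj);
                    return null;
                }
            });
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Subject is null");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addToSubjectAsPrivateCredentials");
        }
    }

    /**
     * Reads the request-identifier parameter used as the cache key.
     *
     * <p>The raw parameter value is written to debug and exit trace.
     *
     * @throws OpenIDRelyingPartyException if the parameter is missing or blank
     */
    public String getRPIdentifier(HttpServletRequest httpServletRequest) throws OpenIDRelyingPartyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRPIdentifier(req[" + OidUtil.getObjState(httpServletRequest) + "])");
        }
        String parameter = httpServletRequest.getParameter(OpenIDConstants.RP_REQUEST_IDENTIFIER);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found request identifier in the request: " + parameter);
        }
        if (parameter == null || parameter.trim().isEmpty()) {
            throw new OpenIDRelyingPartyException("Did not find rp_identifier in the incoming request, could not query the cache");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRPIdentifier returns: [" + parameter + "]");
        }
        return parameter;
    }

    /** Traces {@code message} at debug level and returns an exception carrying it and {@code cause}. */
    private static OpenIDRelyingPartyException failure(String message, Throwable cause) {
        if (tc.isDebugEnabled()) {
            if (cause != null) {
                Tr.debug(tc, message, cause);
            } else {
                Tr.debug(tc, message);
            }
        }
        OpenIDRelyingPartyException failure = new OpenIDRelyingPartyException(message);
        if (cause != null) {
            failure.initCause(cause);
        }
        return failure;
    }

    /** Returns the attribute stored under {@code alias} when it is a list, otherwise null. */
    private static List<?> attributeValues(Map<String, Object> attributes, String alias) {
        if (attributes == null) {
            return null;
        }
        Object value = attributes.get(alias);
        return (value instanceof List) ? (List<?>) value : null;
    }

    /** Returns the first list element stored under {@code alias} when it is a string, otherwise null. */
    private static String firstAttributeValue(Map<String, Object> attributes, String alias) {
        List<?> values = attributeValues(attributes, alias);
        if (values == null || values.isEmpty()) {
            return null;
        }
        Object first = values.get(0);
        return (first instanceof String) ? (String) first : null;
    }

    /** Replaces CR and LF with spaces so a value cannot break out of a response header line. */
    private static String stripLineBreaks(String value) {
        return value == null ? null : value.replace('\r', ' ').replace('\n', ' ');
    }

    /** Escapes the characters that are significant in HTML text and quoted attribute values. */
    private static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }
}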
