package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.SAMLConsumeCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.common.SCAndTrustConstants;
import com.ibm.ws.wssecurity.config.DerivedKeyInfoConfig;
import com.ibm.ws.wssecurity.config.KeyInfoContentConsumerConfig;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.handler.PolicyInboundConfig;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.saml.common.util.IdUtils;
import com.ibm.ws.wssecurity.saml.config.impl.ConsumerConfigImpl;
import com.ibm.ws.wssecurity.saml.config.impl.KeyInformationConfigImpl;
import com.ibm.ws.wssecurity.saml.config.impl.KeyStoreConfigImpl;
import com.ibm.ws.wssecurity.saml.config.impl.SamlConfigUtil;
import com.ibm.ws.wssecurity.saml.security.impl.EncryptedDataConsumer;
import com.ibm.ws.wssecurity.token.CacheableTokenCache;
import com.ibm.ws.wssecurity.token.CacheableTokenCacheFactory;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.CacheConfigFactory;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.SAMLTokenHelper;
import com.ibm.ws.wssecurity.util.StringUtil;
import com.ibm.ws.wssecurity.util.TokenUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.SoapSecurityFaultCode;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import java.util.ArrayList;
import java.util.ListIterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:com/ibm/ws/wssecurity/wssapi/token/impl/SAMLConsumeLoginModule.class */
public class SAMLConsumeLoginModule implements LoginModule {
    // Component name used by the message bundle; not referenced in the visible part of this class.
    private static final String comp = "security.wssecurity";
    // Callback handler supplied by initialize(); login() asks it for a SAMLConsumeCallback and a PropertyCallback.
    private CallbackHandler _handler;
    // JAAS shared state; login() stores the derived-key base bytes here (Constants.BASE_TOKEN_KEY_BYTES).
    private Map _sharedState;
    // JAAS options from initialize(); stored but not read in the visible part of this class.
    private Map _options;
    // Guards the addToken() call in commit(); never set to true in the visible part of this class.
    private boolean isDuplicated = false;
    // Token produced by login() and published by commit(); null when only key info was resolved.
    private SecurityToken _token;
    // Token manager taken from the callback context (Constants.WSSECURITY_SECURITY_TOKEN_MANAGER).
    private SecurityTokenManager _securityTokenManager;
    // Property map obtained from the PropertyCallback; also receives fault codes and the processed token.
    private Map<Object, Object> _context;
    private static final TraceComponent tc = Tr.register(SAMLConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Used as the source label in Tr.processException() calls.
    private static final String clsName = SAMLConsumeLoginModule.class.getName();
    // Cache configuration resolved once at class load; none of these four values is used in the visible part of this class.
    private static CacheableTokenCache cacheObject = CacheableTokenCacheFactory.getInstance();
    private static long extraTime = CacheConfigFactory.getInstance().getCacheGraceTimeMilliseconds();
    private static long cushionTime = CacheConfigFactory.getInstance().getCacheCushionMilliseconds();
    private static long clockSkew = CacheConfigFactory.getInstance().getClockSkewToleranceMilliseconds();

    /**
     * Keeps the callback handler, shared state and options for the later
     * {@link #login()} and {@link #commit()} calls. The subject is not retained.
     *
     * @param subject         ignored by this module
     * @param callbackHandler handler that must serve a SAMLConsumeCallback and a PropertyCallback
     * @param map             JAAS shared state
     * @param map2            JAAS options
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        _handler = callbackHandler;
        _sharedState = map;
        _options = map2;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

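    /**
     * Consumes the SAML-related element handed over by the WS-Security runtime and,
     * on the service-provider side, validates the resulting token.
     *
     * <p>The element to process is read from the PropertyCallback properties under
     * "com.ibm.ws.wssecurity.constants.processingElement". It may be absent (only key
     * info is resolved), a {@code DerivedKeyToken}, a SAML {@code Assertion}, a
     * {@code SecurityTokenReference}, or {@code EncryptedData}/{@code EncryptedAssertion};
     * anything else is rejected with CWWSS7515E. The policy checks in
     * {@link #validateSAMLToken} run only when the message is being received by a service
     * provider and a SAMLToken was produced; a successful validation is audited.
     *
     * @return {@code true} once the element has been consumed
     * @throws LoginException if the callback handler fails, the configured token type is
     *         not SAML, the element cannot be processed, or token validation fails
     */
    public boolean login() throws LoginException {
        boolean isKeyInfoKeyid;
        boolean isKeyInfoStrref;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        SAMLConsumeCallback sAMLConsumeCallback = new SAMLConsumeCallback();
        PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            this._handler.handle(new Callback[]{sAMLConsumeCallback, propertyCallback});
            this._context = propertyCallback.getProperties();
            TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            QName type = tokenConsumerConfig.getType();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "vtype[" + (type == null ? "null" : type.getLocalPart()) + "]");
            }
            if (type == null || !type.getLocalPart().contains("SAML")) {
                // type may be null here; String.valueOf() keeps the CWWSS7515E failure from
                // being masked by a NullPointerException in the error path.
                String typeText = String.valueOf(type);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Wrong token type: " + typeText);
                    Tr.debug(tc, "The token type must be SAML, which is the only token type processed by this login module.");
                }
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7515E", new String[]{typeText}));
            }
            WSSConsumerConfig wSSConsumerConfig = (WSSConsumerConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
            MessageContext messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            this._securityTokenManager = (SecurityTokenManager) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            String str = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
            OMElement oMElement = (OMElement) this._context.get("com.ibm.ws.wssecurity.constants.processingElement");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "target: [" + (oMElement == null ? "null" : DOMUtils.getDisplayName((OMNode) oMElement)) + "]");
            }
            if (oMElement == null) {
                // No element: only resolve the key info described by the keyInfoType string.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing target[null]");
                    Tr.debug(tc, "keyInfoType: [" + (str == null ? "null" : "not null") + "]");
                }
                if (str == null) {
                    isKeyInfoStrref = false;
                    isKeyInfoKeyid = false;
                } else {
                    isKeyInfoKeyid = ConfigUtil.isKeyInfoKeyid(str);
                    isKeyInfoStrref = ConfigUtil.isKeyInfoStrref(str);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isKeyId[" + isKeyInfoKeyid + "], isStrref[" + isKeyInfoStrref + "]");
                }
                resolveKeyInfo(sAMLConsumeCallback, tokenConsumerConfig, wSSConsumerConfig, messageContext, str, isKeyInfoKeyid, isKeyInfoStrref, this._securityTokenManager, this._context);
            } else if (oMElement.getLocalName().equals("DerivedKeyToken")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing target[DerivedKeyToken]");
                }
                // The master (holder-of-key) token is located but not assigned to _token, so
                // commit() does not register it again.
                SAMLToken preProcessDKTokenElement = preProcessDKTokenElement(oMElement, tokenConsumerConfig, messageContext);
                this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, preProcessDKTokenElement.getHolderOfKeyBytes());
                this._context.put(com.ibm.ws.wssecurity.common.Constants.MASTER_TOKEN, preProcessDKTokenElement);
            } else if (oMElement.getLocalName().equals("Assertion") && oMElement.getNamespace().getNamespaceURI().indexOf("SAML") > 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing target[Assertion/SAML]");
                }
                this._token = processSAMLElement(sAMLConsumeCallback, oMElement, tokenConsumerConfig, wSSConsumerConfig, messageContext, this._context);
                messageContext.setProperty("samlAssertionId", this._token);
            } else if (oMElement.getLocalName().equals("SecurityTokenReference")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing target==SecurityTokenReference");
                }
                this._token = resolveSTR(oMElement, tokenConsumerConfig, messageContext);
            } else {
                if (!oMElement.getLocalName().equals("EncryptedData") && !oMElement.getLocalName().equals("EncryptedAssertion")) {
                    // NOTE(review): getNamespace() is assumed non-null for the element types reaching this point.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Wrong token type: " + oMElement.getNamespace().getNamespaceURI());
                        Tr.debug(tc, "The token type must be SAML, which is the only token type processed by this login module.");
                    }
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7515E", new String[]{oMElement.getNamespace().getNamespaceURI()}));
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing target[EncryptedData||EncryptedAssertion]");
                }
                this._token = processEncryptedData(sAMLConsumeCallback, oMElement, tokenConsumerConfig, wSSConsumerConfig, messageContext, this._context);
            }
            try {
                boolean isServiceProvider = Axis2Util.isServiceProvider(messageContext);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isServer[" + isServiceProvider + "], this_token[" + (this._token == null ? "null" : "not null") + "], _token is SAML token?[" + (this._token instanceof SAMLToken ? "true" : "false") + "])");
                }
                // Policy validation (one-time-use, audience, trusted issuer, confirmation method)
                // is applied only on the provider side; the requester side skips it.
                if (isServiceProvider && this._token != null && (this._token instanceof SAMLToken)) {
                    SAMLToken sAMLToken = (SAMLToken) this._token;
                    validateSAMLToken(sAMLToken, sAMLConsumeCallback, messageContext);
                    messageContext.setProperty(SAMLTokenHelper.SAMLTOKEN_ID, sAMLToken.getSamlID());
                    SAMLTokenHelper.setSAMLTokenToContext(sAMLToken, messageContext);
                    WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
                    WSSAuditEventGenerator wSSAuditEventGeneratorFactory = WSSAuditEventGeneratorFactory.getInstance();
                    if (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, this._context)) {
                        Map<String, Object> extendedAuditData = wSSAuditEventGeneratorFactory.setExtendedAuditData(this._context, WSSAuditEventGenerator.SAML_TOKEN_ID, sAMLToken.getSamlID());
                        wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.TOKEN_PRINCIPAL, sAMLToken.getPrincipal());
                        wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.TOKEN_ISSUER, sAMLToken.getSAMLIssuerName());
                        wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.TOKEN_CONFIRM_METHOD, sAMLToken.getConfirmationMethod());
                        String str2 = null;
                        if (sAMLToken.getSamlExpires() != null) {
                            str2 = sAMLToken.getSamlExpires().toString();
                        }
                        wSSAuditEventGeneratorFactory.addExtendedAuditData(extendedAuditData, "Expiration", str2);
                        wSSAuditEventGeneratorFactory.setAuditEventContext(this._context, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
                        wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, this._context);
                    }
                    SAMLTokenHelper.setSAMLHoKToContext(sAMLToken, messageContext);
                }
                if (!tc.isEntryEnabled()) {
                    return true;
                }
                Tr.exit(tc, "login()");
                return true;
            } catch (Exception e) {
                Tr.processException(e, clsName + ".login", "246", this);
                LoginException loginException = new LoginException(e.getMessage());
                loginException.initCause(e);
                throw loginException;
            }
        } catch (Exception e2) {
            Tr.processException(e2, clsName + ".login", "127", this);
            LoginException loginException2 = new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e2.toString()}));
            loginException2.initCause(e2);
            throw loginException2;
        }
    }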

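    /**
     * Applies the consumer-side policy checks to an already parsed SAML token.
     *
     * <ul>
     *   <li>a OneTimeUse token is rejected (CWWSS7540E) when the callback enforces one-time use;
     *       replay tracking is not implemented here;</li>
     *   <li>when the token carries a non-empty AudienceRestriction and enforcement is on, the
     *       message's To address must be an exact element of that list (CWWSS7541E);</li>
     *   <li>the issuer name / signer subject DN must appear in the trusted-issuer list (CWWSS7542E);</li>
     *   <li>the confirmation method must be a supported one (CWWSS7543E) and, when the callback
     *       requires a method, must equal the normalized required method (CWWSS7539E).</li>
     * </ul>
     *
     * @param sAMLToken           the consumed token
     * @param sAMLConsumeCallback consumer settings driving the checks
     * @param messageContext      inbound message; its To address is the audience compared
     * @throws LoginException if any check fails
     */
    private void validateSAMLToken(SAMLToken sAMLToken, SAMLConsumeCallback sAMLConsumeCallback, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSAMLToken()");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isOneTimeUse[" + sAMLToken.isOneTimeUse() + "], enforceOneTimeUse[" + sAMLConsumeCallback.enforceOneTimeUse() + "]");
        }
        if (sAMLToken.isOneTimeUse() && sAMLConsumeCallback.enforceOneTimeUse()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "OneTimeUse or DoNotCacheCondition are not supported.");
            }
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7540E"));
        }
        if (tc.isDebugEnabled()) {
            StringBuffer stringBuffer = new StringBuffer();
            stringBuffer.append("getAudienceRestriction[" + (sAMLToken.getAudienceRestriction() == null ? "null" : "not null") + "]");
            if (sAMLToken.getAudienceRestriction() != null) {
                stringBuffer.append(", getAudienceRestriction().isEmpty()[" + sAMLToken.getAudienceRestriction().isEmpty() + "]");
            }
            Tr.debug(tc, stringBuffer.toString());
        }
        if (sAMLToken.getAudienceRestriction() != null && !sAMLToken.getAudienceRestriction().isEmpty() && sAMLConsumeCallback.enforceAudienceRestriction()) {
            // NOTE(review): messageContext.getTo() is assumed non-null for an inbound message.
            String address = messageContext.getTo().getAddress();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "endpointAddress[" + address + "]");
            }
            // Exact string membership: no URI normalization is applied on either side.
            if (!sAMLToken.getAudienceRestriction().contains(address)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "AudienceRestriction validation fails.");
                }
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7541E"));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "AudienceRestriction is validated.");
            }
        }
        if (!validateTrustedIssuers(sAMLToken, sAMLConsumeCallback.getTrustedIssuers())) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The [" + sAMLToken.getSAMLIssuerName() + "] ] SAML issuer name or signer SubjectDN of the certificate are not trusted.");
            }
            // The message key is passed directly; the original looked the key up twice and
            // then used the resolved text as a key, which cannot resolve the issuer argument.
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7542E", new String[]{sAMLToken.getSAMLIssuerName()}));
        }
        if (!SamlConfigUtil.isConfirmationMethod(sAMLToken.getConfirmationMethod())) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Confirmation method: " + sAMLToken.getConfirmationMethod() + " is not supported.");
            }
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7543E", new String[]{sAMLToken.getConfirmationMethod()}));
        }
        if (sAMLConsumeCallback.getConfirmationMethod() != null && !sAMLConsumeCallback.getConfirmationMethod().isEmpty()) {
            // The required method is normalized for the token's SAML version before comparison.
            String normalizeMethod = SamlConfigUtil.normalizeMethod(sAMLConsumeCallback.getConfirmationMethod(), sAMLToken.getValueType().getLocalPart());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Received Confirmation method: " + sAMLToken.getConfirmationMethod());
            }
            if (!normalizeMethod.equals(sAMLToken.getConfirmationMethod())) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Required Confirmation method: " + normalizeMethod);
                }
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7539E", new String[]{sAMLToken.getConfirmationMethod(), normalizeMethod}));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateSAMLToken()");
        }
    }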

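    /**
     * Checks the token's issuer against the configured trusted-issuer list.
     *
     * <p>Each entry is a {@code String[]} pair {@code {issuerName, signerSubjectDN}}:
     * <ul>
     *   <li>issuer name only: the SAML Issuer must match;</li>
     *   <li>signer DN only: the subject DN of the signing certificate must match;</li>
     *   <li>both: issuer name and signer DN must both match.</li>
     * </ul>
     * Comparisons are case-insensitive after {@link StringUtil#removeDNSpace}. DN-based
     * entries never match a token without a signer certificate, and an entry with neither
     * value matches nothing.
     *
     * <p>An absent or empty list makes every issuer trusted, so a deployment that relies
     * on issuer trust must configure at least one entry.
     *
     * @param sAMLToken the consumed token
     * @param arrayList trusted-issuer entries; may be {@code null} or empty
     * @return {@code true} if an entry matches or no entries are configured
     */
    private static boolean validateTrustedIssuers(SAMLToken sAMLToken, ArrayList<String[]> arrayList) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateTrustedIssuers()");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "trustedList[" + (arrayList == null ? "null" : "isEmpty=" + arrayList.isEmpty()) + "]");
        }
        // Test the list itself before iterating it; the original obtained the iterator
        // first, so its null check could never be reached.
        if (arrayList == null || arrayList.isEmpty()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateTrustedIssuers()");
            }
            return true;
        }
        boolean trusted = false;
        for (String[] entry : arrayList) {
            String issuer = entry[0];
            String signerDn = entry[1];
            if (issuer != null && signerDn == null) {
                trusted = dnMatches(issuer, sAMLToken.getSAMLIssuerName());
            } else if (issuer == null && signerDn != null) {
                // The original compared entry[0] (always null in this branch) against the
                // certificate subject, so DN-only entries could never match.
                trusted = sAMLToken.getSignerCertificate() != null
                        && dnMatches(signerDn, sAMLToken.getSignerCertificate().getSubjectDN().getName());
            } else if (issuer != null) {
                trusted = sAMLToken.getSignerCertificate() != null
                        && dnMatches(issuer, sAMLToken.getSAMLIssuerName())
                        && dnMatches(signerDn, sAMLToken.getSignerCertificate().getSubjectDN().getName());
            }
            // An entry with neither value is malformed and trusts nothing.
            if (trusted) {
                break;
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, sAMLToken.getSAMLIssuerName() + (trusted ? " is trusted." : " is not trusted."));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateTrustedIssuers()");
        }
        return trusted;
    }

    /**
     * Compares two names case-insensitively after removing DN whitespace.
     * A {@code null} on either side never matches.
     */
    private static boolean dnMatches(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return StringUtil.removeDNSpace(expected).equalsIgnoreCase(StringUtil.removeDNSpace(actual));
    }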

    /**
     * Returns {@code false} so the JAAS framework ignores this module on abort;
     * no state is cleared here.
     */
    public boolean abort() throws LoginException {
        return false;
    }

    /**
     * Registers the token produced by {@link #login()} with the security token manager
     * and publishes it in the callback context under
     * {@code Constants.WSSECURITY_TOKEN_PROCESSED}. Nothing happens when no token was produced.
     *
     * @return always {@code true}
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        SecurityToken consumed = _token;
        if (consumed != null) {
            // isDuplicated is never set to true in the visible part of this class.
            if (!isDuplicated) {
                _securityTokenManager.addToken(consumed);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The token hash value = " + consumed.hashCode());
            }
            _context.put(Constants.WSSECURITY_TOKEN_PROCESSED, consumed);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * Returns {@code false}; this module does not participate in logout and
     * does not release the consumed token.
     */
    public boolean logout() throws LoginException {
        return false;
    }

    /**
     * Builds the SAML consumer configuration from the callback and parses the Assertion
     * element into a {@link SAMLToken}.
     *
     * <p>Trust settings (trusted STS alias, trust-any-signer, signature required, clock
     * skew, allow-unencrypted-key), the key/trust store references and the X.509/CRL paths
     * all come from the callback. Which checks the token factory actually performs with
     * them is not visible here. A failure to build the cert store is reported as
     * {@code InvalidSecurity}; a failure to parse the token as {@code InvalidSecurityToken}.
     *
     * @param sAMLConsumeCallback consumer settings supplied by the callback handler
     * @param oMElement           the Assertion element
     * @param tokenConsumerConfig consumer config; its type selects the SAMLTokenFactory
     * @param wSSConsumerConfig   policy config (cast to PolicyInboundConfig for the algorithm suite)
     * @param messageContext      inbound message, currently unused here
     * @param map                 callback context; receives {@code SC_FAULT_CODE} on failure
     * @return the parsed token
     * @throws LoginException wrapping any failure, with the fault code recorded in {@code map}
     */
    private static final SAMLToken processSAMLElement(SAMLConsumeCallback sAMLConsumeCallback, OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, WSSConsumerConfig wSSConsumerConfig, MessageContext messageContext, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processSAMLElement(target[" + DOMUtils.getDisplayName((OMNode) oMElement) + "])");
        }
        String str = null;
        QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
        }
        if (idAttributeName != null) {
            str = oMElement.getAttributeValue(idAttributeName);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier of the token is [" + str + "]");
        }
        ConsumerConfigImpl consumerConfigImpl = new ConsumerConfigImpl();
        consumerConfigImpl.setAliasForTokenProvider(sAMLConsumeCallback.getTrustedSTSAlias());
        consumerConfigImpl.setTrustAnySTS(sAMLConsumeCallback.isTrustAnySigner());
        consumerConfigImpl.setAssertionSignatureRequired(sAMLConsumeCallback.isSignatureRequired());
        consumerConfigImpl.setClockSkew(sAMLConsumeCallback.getClockSkew());
        consumerConfigImpl.setAllowUnencKey(sAMLConsumeCallback.getAllowUnencKey());
        // Map the policy's algorithm suite to the AES-CBC data-encryption URI expected for
        // encrypted keys: Basic256 -> AES-256, Basic192 -> AES-192, anything else -> AES-128.
        String algorithmSuite = ((PolicyInboundConfig) wSSConsumerConfig).getAlgorithmSuite();
        if (algorithmSuite != null) {
            String str2 = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
            if (algorithmSuite.contains("Basic256")) {
                str2 = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
            } else if (algorithmSuite.contains("Basic192")) {
                str2 = "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
            }
            consumerConfigImpl.setAlgorithmSuite(str2);
        }
        // Store passwords are decoded into char[] but then copied into String for the config
        // objects, so they stay in the heap until garbage-collected; the char[] copies are not scrubbed.
        char[] decodePassword = SAMLTokenHelper.decodePassword(sAMLConsumeCallback.getKeyStorePassword());
        KeyStoreConfigImpl keyStoreConfigImpl = null;
        KeyStoreConfigImpl keyStoreConfigImpl2 = null;
        KeyInformationConfigImpl keyInformationConfigImpl = null;
        if (ConfigUtil.hasValue(decodePassword) || sAMLConsumeCallback.getKeyStoreReference() != null) {
            String str3 = null;
            if (ConfigUtil.hasValue(decodePassword)) {
                str3 = new String(decodePassword);
            }
            keyStoreConfigImpl = new KeyStoreConfigImpl(sAMLConsumeCallback.getKeyStoreType(), sAMLConsumeCallback.getKeyStorePath(), str3, sAMLConsumeCallback.getKeyStoreReference());
        }
        char[] decodePassword2 = SAMLTokenHelper.decodePassword(sAMLConsumeCallback.getTrustStorePassword());
        if (ConfigUtil.hasValue(decodePassword2) || sAMLConsumeCallback.getTrustStoreRef() != null) {
            String str4 = null;
            if (ConfigUtil.hasValue(decodePassword2)) {
                str4 = new String(decodePassword2);
            }
            keyStoreConfigImpl2 = new KeyStoreConfigImpl(sAMLConsumeCallback.getTrustStoreType(), sAMLConsumeCallback.getTrustStorePath(), str4, sAMLConsumeCallback.getTrustStoreRef());
        }
        String alias = sAMLConsumeCallback.getAlias();
        char[] decodePassword3 = SAMLTokenHelper.decodePassword(sAMLConsumeCallback.getKeyPassword());
        String str5 = null;
        if (ConfigUtil.hasValue(decodePassword3)) {
            str5 = new String(decodePassword3);
        }
        if (ConfigUtil.hasValue(alias)) {
            keyInformationConfigImpl = new KeyInformationConfigImpl(sAMLConsumeCallback.getAlias(), str5, sAMLConsumeCallback.getKeyName());
        }
        consumerConfigImpl.setKeyStoreConfig(keyStoreConfigImpl);
        consumerConfigImpl.setKeyInformationConfig(keyInformationConfigImpl);
        consumerConfigImpl.setTrustStoreConfig(keyStoreConfigImpl2);
        consumerConfigImpl.setX509Path(sAMLConsumeCallback.getX509Paths());
        consumerConfigImpl.setCRLPath(sAMLConsumeCallback.getCRLPaths());
        try {
            SamlConfigUtil.createCertStoreObject(consumerConfigImpl);
            try {
                SAMLTokenFactory sAMLTokenFactory = SAMLTokenFactory.getInstance(tokenConsumerConfig.getType().getLocalPart());
                OMStructure oMStructure = new OMStructure();
                oMStructure.setNode(oMElement);
                SAMLToken newSAMLToken = sAMLTokenFactory.newSAMLToken(consumerConfigImpl, oMStructure);
                // A consumer property TOKEN_FORWARDABLE of "false" marks the token as not forwardable.
                String str6 = (String) tokenConsumerConfig.getProperties().get(Constants.TOKEN_FORWARDABLE);
                if (str6 != null && str6.equalsIgnoreCase("false") && (newSAMLToken instanceof SAMLTokenImpl)) {
                    ((SAMLTokenImpl) newSAMLToken).setIsForwardable(false);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The SAML hash value = " + newSAMLToken.hashCode());
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "processSAMLElement=" + newSAMLToken);
                }
                return newSAMLToken;
            } catch (Exception e) {
                // Token parsing/validation failure: report InvalidSecurityToken to the caller.
                Tr.processException(e, clsName + ".processSAMLElement", "585");
                map.put(SCAndTrustConstants.SC_FAULT_CODE, SoapSecurityFaultCode.InvalidSecurityToken);
                LoginException loginException = new LoginException(e.getMessage());
                loginException.initCause(e);
                throw loginException;
            }
        } catch (SoapSecurityException e2) {
            // Cert store setup failure: report InvalidSecurity (a configuration problem, not a bad token).
            Tr.processException(e2, clsName + ".processSAMLElement", "557");
            map.put(SCAndTrustConstants.SC_FAULT_CODE, SoapSecurityFaultCode.InvalidSecurity);
            LoginException loginException2 = new LoginException(e2.getMessage());
            loginException2.initCause(e2);
            throw loginException2;
        }
    }

    /**
     * Decrypts an {@code EncryptedData} or {@code EncryptedAssertion} element and hands the
     * plaintext Assertion to {@link #processSAMLElement}.
     *
     * <p>The decryption config built here carries only the trusted-STS alias, the algorithm
     * suite and the key/trust store settings; signature and trust checks are configured by
     * {@code processSAMLElement} on the decrypted element. For {@code EncryptedAssertion}
     * the first child element is the one decrypted. The wsu:Id of the encrypted element is
     * recorded on the resulting token under {@code WSUID_FOR_ENCRYPTED_SAML}.
     *
     * @param sAMLConsumeCallback consumer settings supplied by the callback handler
     * @param oMElement           the EncryptedData or EncryptedAssertion element
     * @param tokenConsumerConfig consumer config passed through to processSAMLElement
     * @param wSSConsumerConfig   policy config (cast to PolicyInboundConfig for the algorithm suite)
     * @param messageContext      inbound message, passed through
     * @param map                 callback context; receives {@code SC_FAULT_CODE} on failure
     * @return the decrypted and parsed token
     * @throws LoginException wrapping any failure, with {@code InvalidSecurityToken} recorded in {@code map}
     */
    private static final SecurityToken processEncryptedData(SAMLConsumeCallback sAMLConsumeCallback, OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, WSSConsumerConfig wSSConsumerConfig, MessageContext messageContext, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processEncryptedAssertion=" + oMElement.getLocalName());
        }
        String str = null;
        QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
        }
        if (idAttributeName != null) {
            str = oMElement.getAttributeValue(idAttributeName);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier of the token is [" + str + "]");
        }
        ConsumerConfigImpl consumerConfigImpl = new ConsumerConfigImpl();
        consumerConfigImpl.setAliasForTokenProvider(sAMLConsumeCallback.getTrustedSTSAlias());
        // Same suite-to-AES-CBC mapping as processSAMLElement: Basic256 -> AES-256,
        // Basic192 -> AES-192, anything else -> AES-128.
        String algorithmSuite = ((PolicyInboundConfig) wSSConsumerConfig).getAlgorithmSuite();
        if (algorithmSuite != null) {
            String str2 = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
            if (algorithmSuite.contains("Basic256")) {
                str2 = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
            } else if (algorithmSuite.contains("Basic192")) {
                str2 = "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
            }
            consumerConfigImpl.setAlgorithmSuite(str2);
        }
        // Store passwords are decoded into char[] but then copied into String for the config
        // objects, so they stay in the heap until garbage-collected; the char[] copies are not scrubbed.
        char[] decodePassword = SAMLTokenHelper.decodePassword(sAMLConsumeCallback.getKeyStorePassword());
        KeyStoreConfigImpl keyStoreConfigImpl = null;
        KeyStoreConfigImpl keyStoreConfigImpl2 = null;
        KeyInformationConfigImpl keyInformationConfigImpl = null;
        if (ConfigUtil.hasValue(decodePassword) || sAMLConsumeCallback.getKeyStoreReference() != null) {
            String str3 = null;
            if (ConfigUtil.hasValue(decodePassword)) {
                str3 = new String(decodePassword);
            }
            keyStoreConfigImpl = new KeyStoreConfigImpl(sAMLConsumeCallback.getKeyStoreType(), sAMLConsumeCallback.getKeyStorePath(), str3, sAMLConsumeCallback.getKeyStoreReference());
        }
        char[] decodePassword2 = SAMLTokenHelper.decodePassword(sAMLConsumeCallback.getTrustStorePassword());
        if (ConfigUtil.hasValue(decodePassword2) || sAMLConsumeCallback.getTrustStoreRef() != null) {
            String str4 = null;
            if (ConfigUtil.hasValue(decodePassword2)) {
                str4 = new String(decodePassword2);
            }
            keyStoreConfigImpl2 = new KeyStoreConfigImpl(sAMLConsumeCallback.getTrustStoreType(), sAMLConsumeCallback.getTrustStorePath(), str4, sAMLConsumeCallback.getTrustStoreRef());
        }
        String alias = sAMLConsumeCallback.getAlias();
        char[] decodePassword3 = SAMLTokenHelper.decodePassword(sAMLConsumeCallback.getKeyPassword());
        String str5 = null;
        if (ConfigUtil.hasValue(decodePassword3)) {
            str5 = new String(decodePassword3);
        }
        if (ConfigUtil.hasValue(alias)) {
            keyInformationConfigImpl = new KeyInformationConfigImpl(sAMLConsumeCallback.getAlias(), str5, sAMLConsumeCallback.getKeyName());
        }
        consumerConfigImpl.setKeyStoreConfig(keyStoreConfigImpl);
        consumerConfigImpl.setKeyInformationConfig(keyInformationConfigImpl);
        consumerConfigImpl.setTrustStoreConfig(keyStoreConfigImpl2);
        try {
            // EncryptedAssertion wraps the EncryptedData; decrypt its first child.
            // NOTE(review): a missing child yields null here and surfaces as the generic failure below.
            OMElement oMElement2 = oMElement;
            if ("EncryptedAssertion".equals(oMElement.getLocalName())) {
                oMElement2 = DOMUtils.getFirstChildElement(oMElement);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, oMElement2.getLocalName());
            }
            SAMLToken processSAMLElement = processSAMLElement(sAMLConsumeCallback, EncryptedDataConsumer.DecryptEncryptedData(oMElement2, consumerConfigImpl), tokenConsumerConfig, wSSConsumerConfig, messageContext, map);
            if (processSAMLElement instanceof SAMLTokenImpl) {
                ((SAMLTokenImpl) processSAMLElement).getProperties().put(com.ibm.ws.wssecurity.common.Constants.WSUID_FOR_ENCRYPTED_SAML, str);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "processEncryptedAssertion=" + processSAMLElement.getSamlID());
            }
            return processSAMLElement;
        } catch (Exception e) {
            // Any decryption or parsing failure is reported as InvalidSecurityToken; a fault
            // code already set by processSAMLElement is overwritten with the same value.
            Tr.processException(e, clsName + ".processEncryptedData", "704");
            map.put(SCAndTrustConstants.SC_FAULT_CODE, SoapSecurityFaultCode.InvalidSecurityToken);
            LoginException loginException = new LoginException(e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Locates the SAML token that a derived-key token element points at.
     *
     * The element is expected to carry a wsse:SecurityTokenReference holding
     * either a wsse:KeyIdentifier (its text is the lookup id) or a
     * wsse:Reference (its URI attribute, minus a leading '#', is the lookup id).
     * The id is first resolved through the SecurityTokenManager; if that does
     * not yield a SAMLToken, the SAML token already attached to the message
     * context is used instead.
     *
     * NOTE(review): the context fallback does not verify that the context
     * token's id equals the id the STR carries (contrast mapKeyIdToToken,
     * which does compare ids). Confirm against the callers that this is
     * intended before relying on it for holder-of-key binding.
     *
     * @param oMElement            element containing the SecurityTokenReference
     * @param tokenConsumerConfig  consumer config handed to the token manager lookup
     * @param messageContext       Axis2 message context used for the fallback lookup
     * @return the resolved SAMLToken, or null when no STR/reference was found or
     *         neither lookup produced a SAML token
     * @throws LoginException declared for the callers; not thrown directly here
     */
    private SAMLToken preProcessDKTokenElement(OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuffer entryMsg = new StringBuffer("preProcessDKTokenElement(");
            entryMsg.append("\nOMElement target [").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            Tr.entry(tc, entryMsg.toString());
        }
        // WS-Security version drives how the ValueType QName is interpreted; defaults to 0.
        int wssVersion = 0;
        Object versionObj = this._context.get(com.ibm.ws.wssecurity.common.Constants.WSS_VERSION);
        if (versionObj instanceof Integer) {
            wssVersion = ((Integer) versionObj).intValue();
        }
        String lookupId = null;
        boolean haveReference = false;
        OMElement strElement = DOMUtils.getChildElement(oMElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "SecurityTokenReference");
        if (strElement != null) {
            OMElement keyIdElement = DOMUtils.getChildElement(strElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "KeyIdentifier");
            if (keyIdElement != null) {
                QName valueType = DOMUtils.getQName(keyIdElement, keyIdElement.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.VALUETYPE_Q), wssVersion);
                lookupId = DOMUtils.getStringValue(keyIdElement);
                haveReference = true;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found ValueType: " + valueType + "\nFound KeyIdentifier value: " + lookupId);
                }
            } else {
                OMElement refElement = DOMUtils.getChildElement(strElement, com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "Reference");
                if (refElement != null) {
                    String uri = refElement.getAttributeValue(com.ibm.ws.wssecurity.common.Constants.URI_Q);
                    // Local references are written as "#id"; strip the fragment marker.
                    if (uri != null && uri.startsWith("#")) {
                        uri = uri.substring(1);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Reference element uri[" + uri + "]");
                    }
                    lookupId = uri;
                    haveReference = true;
                }
            }
        }
        SAMLToken resolved = null;
        if (haveReference) {
            SecurityToken managed = this._securityTokenManager.getToken(tokenConsumerConfig, lookupId);
            if (managed instanceof SAMLToken) {
                resolved = (SAMLToken) managed;
            }
            if (resolved == null) {
                resolved = SAMLTokenHelper.getSAMLTokenFromContext(messageContext);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "preProcessDKTokenElement()");
        }
        return resolved;
    }

    /* JADX WARN: Code restructure failed: missing block: B:10:0x0067, code lost:
    
        if (r0 != null) goto L12;
     */
    /* JADX WARN: Code restructure failed: missing block: B:12:0x0071, code lost:
    
        if (r0.hasNext() == false) goto L52;
     */
    /* JADX WARN: Code restructure failed: missing block: B:13:0x0074, code lost:
    
        r0 = (org.apache.axiom.om.OMAttribute) r0.next();
     */
    /* JADX WARN: Code restructure failed: missing block: B:14:0x0093, code lost:
    
        if (r0.getQName().getLocalPart().equals(com.ibm.ws.wssecurity.common.Constants.VALUETYPE_Q.getLocalPart()) == false) goto L17;
     */
    /* JADX WARN: Code restructure failed: missing block: B:15:0x0096, code lost:
    
        r12 = new javax.xml.namespace.QName(r0.getAttributeValue());
     */
    /* JADX WARN: Code restructure failed: missing block: B:17:0x00a8, code lost:
    
        if (r12 == null) goto L54;
     */
    /* JADX WARN: Code restructure failed: missing block: B:19:0x00ab, code lost:
    
        r14 = r0.getText();
     */
    /* JADX WARN: Code restructure failed: missing block: B:20:0x00ba, code lost:
    
        r10 = (com.ibm.websphere.wssecurity.wssapi.token.SAMLToken) r6._securityTokenManager.getToken(r8, r14);
     */
    /* JADX WARN: Code restructure failed: missing block: B:21:0x00cd, code lost:
    
        if (r10 != null) goto L24;
     */
    /* JADX WARN: Code restructure failed: missing block: B:22:0x00d0, code lost:
    
        r10 = com.ibm.ws.wssecurity.util.SAMLTokenHelper.getSAMLTokenFromContext(r9);
     */
    /* JADX WARN: Code restructure failed: missing block: B:23:0x00d9, code lost:
    
        r6.isDuplicated = true;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Resolves a SecurityTokenReference to a SAMLToken.
     *
     * The real implementation is NOT present in this listing: the decompiler
     * could not reconstruct the method body and emitted a stub that throws
     * UnsupportedOperationException. The partial residue in the comments above
     * suggests the method walks the element's attributes for a ValueType,
     * looks the referenced id up via _securityTokenManager.getToken(...) with
     * an unchecked cast to SAMLToken (unlike preProcessDKTokenElement, which
     * guards with instanceof), falls back to the message-context SAML token,
     * and sets isDuplicated — treat all of that as unverified until the
     * original source is available.
     *
     * @param r7 the STR element (decompiler-assigned parameter name)
     * @param r8 consumer configuration for the token lookup
     * @param r9 Axis2 message context
     * @return never returns in this stub
     * @throws UnsupportedOperationException always, from the stub
     */
    private com.ibm.websphere.wssecurity.wssapi.token.SAMLToken resolveSTR(org.apache.axiom.om.OMElement r7, com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig r8, org.apache.axis2.context.MessageContext r9) {
        /*
            Method dump skipped, instructions count: 448
            To view this dump add '--comments-level debug' option
        */
        // Decompiler stub: this is not shipped behavior, do not review the throw as the product logic.
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.wssecurity.wssapi.token.impl.SAMLConsumeLoginModule.resolveSTR(org.apache.axiom.om.OMElement, com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig, org.apache.axis2.context.MessageContext):com.ibm.websphere.wssecurity.wssapi.token.SAMLToken");
    }

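    /**
     * Resolves the token a KeyInfo refers to and, when the consumer
     * configuration requires implied derived keys, seeds the shared state with
     * the SAML holder-of-key bytes and records the token as the master token.
     *
     * Resolution order: an STR reference (isStrref) wins over a key identifier
     * (isKeyId); both read their lookup values from this._context. Several
     * parameters (callback, configs, token manager, map) are unused here but
     * kept for the existing callers.
     *
     * Fixes over the original: the token was cast to SAMLToken unchecked even
     * though mapRefUriToToken stores any SecurityToken in _token, which would
     * surface as a ClassCastException instead of a login failure; a missing
     * KeyInfoContentConsumerConfig would NPE; and two debug messages were
     * emitted through Tr.exit rather than Tr.debug.
     *
     * @param str   key-info type, trace only
     * @param z     true when the KeyInfo is a key identifier
     * @param z2    true when the KeyInfo is an STR reference (takes precedence)
     * @throws LoginException if a referenced key id cannot be located, if the
     *         consumer config is missing, or if derived keys are required but the
     *         resolved token is not a SAML token
     */
    private void resolveKeyInfo(SAMLConsumeCallback sAMLConsumeCallback, TokenConsumerConfig tokenConsumerConfig, WSSConsumerConfig wSSConsumerConfig, MessageContext messageContext, String str, boolean z, boolean z2, SecurityTokenManager securityTokenManager, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            StringBuffer entryMsg = new StringBuffer("resolveKeyInfo(");
            entryMsg.append("TokenConsumerConfig config, CertCacheManager cmanager, ");
            entryMsg.append("SOAPMessageContext messageContext, ");
            entryMsg.append("String keyInfoType[").append(str).append("], ");
            entryMsg.append("boolean isKeyId[").append(z).append("], ");
            entryMsg.append("boolean isStrref[").append(z2).append("], ");
            entryMsg.append("SecurityTokenManager securityTokenManager, Map context)");
            Tr.entry(tc, entryMsg.toString());
        }
        if (z2) {
            mapRefUriToToken((String) this._context.get(Constants.WSSECURITY_KEY_REFERENCE));
        } else if (z) {
            mapKeyIdToToken((String) this._context.get(Constants.WSSECURITY_KEY_ID), (QName) this._context.get(Constants.WSSECURITY_KEY_ENCODING), (QName) this._context.get(Constants.WSSECURITY_KEY_VALUETYPE), messageContext);
        }
        if (this._token != null) {
            KeyInfoContentConsumerConfig keyInfoConfig = (KeyInfoContentConsumerConfig) this._context.get(KeyInfoContentConsumerConfig.CONFIG_KEY);
            if (keyInfoConfig == null) {
                // Fail closed with the declared exception type rather than an NPE.
                throw new LoginException("KeyInfoContentConsumerConfig is missing from the login context; cannot evaluate derived-key requirements");
            }
            DerivedKeyInfoConfig derivedKeyConfig = keyInfoConfig.getDerivedKeyInfoConfig();
            if (derivedKeyConfig != null && derivedKeyConfig.isRequireDerivedKeys()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "DerivedKey is required.");
                }
                if (derivedKeyConfig.isRequireImpliedDerivedKeys()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "ImpliedDerivedKeys is used.");
                    }
                    // _token may be any SecurityToken (see mapRefUriToToken); only a
                    // SAML token carries holder-of-key material, so reject anything else.
                    if (!(this._token instanceof SAMLToken)) {
                        this._context.put(SCAndTrustConstants.SC_FAULT_CODE, SoapSecurityFaultCode.InvalidSecurityToken);
                        throw new LoginException("Implied derived keys require a SAML token, but the referenced token is " + this._token.getClass().getName());
                    }
                    this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, ((SAMLToken) this._token).getHolderOfKeyBytes());
                    this._context.put(com.ibm.ws.wssecurity.common.Constants.MASTER_TOKEN, this._token);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            StringBuffer exitMsg = new StringBuffer("resolveKeyInfo(");
            exitMsg.append(" returns SecurityToken[").append(this._token).append("]");
            Tr.exit(tc, exitMsg.toString());
        }
    }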

    /**
     * Looks up the token referenced by an STR URI through the
     * SecurityTokenManager and, when found, stores it in this._token.
     *
     * Note that the result is a plain SecurityToken: nothing here checks that
     * the referenced token is a SAML token, so callers that need SAML-specific
     * behavior must verify the type themselves.
     *
     * @param str the token identifier (reference URI without the '#')
     * @return the token found, or null when the manager has no token with that id
     */
    private SecurityToken mapRefUriToToken(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapRefUriToToken()");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Token identifier is [" + str + "]");
        }
        TokenConsumerConfig consumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
        SecurityToken found = this._securityTokenManager.getToken(consumerConfig, str);
        if (found == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WARNING: SecurityToken whose identifier is \"" + str + "\" was not found in the Subject.");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is the token [" + str + "] stored in the Subject.");
                Tr.debug(tc, "Token instance: " + found + " and hashcode: " + found.hashCode());
            }
            this._token = found;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapRefUriToToken()");
        }
        return found;
    }

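    /**
     * Resolves a KeyIdentifier value to a token and stores it in this._token.
     *
     * The SecurityTokenManager is consulted first. If it has no token for the id,
     * the SAML token attached to the message context is used, but only when its
     * id equals the requested key id. When the context holds no SAML token at
     * all, a SecurityTokenUnavailable fault code is recorded and a
     * LoginException (CWWSS7516E) is thrown.
     *
     * NOTE(review): when a context token exists but its id does not match, the
     * original code leaves this._token null and still returns true; that
     * behavior is preserved here and should be confirmed with the callers
     * (resolveKeyInfo only acts when _token is non-null).
     *
     * Fix over the original: the error path called qName2.toString(), which
     * would NPE for a null value type before the intended LoginException was
     * raised; String.valueOf is used instead.
     *
     * @param str            the key identifier value
     * @param qName          encoding type, trace only
     * @param qName2         value type, used in the error message
     * @param messageContext Axis2 message context for the fallback lookup
     * @return always true when no exception is thrown
     * @throws LoginException when neither the manager nor the context provides a token
     */
    private boolean mapKeyIdToToken(String str, QName qName, QName qName2, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapKeyIdToToken() for token id: " + str + "...encoding type: " + qName + "...value type:" + qName2);
        }
        TokenConsumerConfig consumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
        this._token = this._securityTokenManager.getToken(consumerConfig, str);
        if (this._token != null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "mapKeyIdToToken(): Found token from SecurityTokenManager");
            }
            return true;
        }
        SAMLToken contextToken = SAMLTokenHelper.getSAMLTokenFromContext(messageContext);
        if (contextToken == null) {
            this._context.put(SCAndTrustConstants.SC_FAULT_CODE, SoapSecurityFaultCode.SecurityTokenUnavailable);
            String valueTypeText = String.valueOf(qName2);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, getClass().getName() + " Failed to locate token of: " + valueTypeText + " for key id: " + str);
            }
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7516E", new String[]{getClass().getName(), valueTypeText, str}));
        }
        // Only adopt the context token when the STR actually points at it.
        String contextId = contextToken.getId();
        if (contextId != null && contextId.equals(str)) {
            this._token = contextToken;
        }
        updateSharedState();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapKeyIdToToken()");
        }
        return true;
    }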

    /**
     * Publishes this._token into the JAAS shared state.
     *
     * Does nothing when no token has been resolved. Otherwise the token is
     * stored via TokenUtils.putTokenToSharedState (non-overwriting flag false)
     * and, when the token carries a principal, that principal is stored under
     * WSSECURITY_DN.
     */
    private void updateSharedState() {
        boolean haveToken = this._token != null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "updateSharedState(this._token[" + (haveToken ? "not null" : "null") + "])");
        }
        if (haveToken) {
            TokenUtils.putTokenToSharedState(this._sharedState, this._token, false);
            String principalName = this._token.getPrincipal();
            if (principalName != null) {
                this._sharedState.put(Constants.WSSECURITY_DN, principalName);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAML client principal: " + principalName);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "updateSharedState()");
        }
    }
}
