package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.crypto.provider.AESKeySpec;
import com.ibm.misc.HexDumpEncoder;
import com.ibm.nws.ffdc.FFDCFilter;
import com.ibm.security.krb5.internal.Config;
import com.ibm.security.krb5.wss.KerberosTokenConfig;
import com.ibm.security.krb5.wss.KerberosTokenGenerator;
import com.ibm.websphere.wssecurity.admin.PolicyAttributesConstants;
import com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallback;
import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
import com.ibm.ws.websvcs.transport.security.SSLpropertyNames;
import com.ibm.ws.wssecurity.config.DerivedKeyInfoConfig;
import com.ibm.ws.wssecurity.config.KeyInfoContentGeneratorConfig;
import com.ibm.ws.wssecurity.config.WSSGeneratorConfig;
import com.ibm.ws.wssecurity.handler.PolicyOutboundConfig;
import com.ibm.ws.wssecurity.handler.token.SimpleTargetURLCache;
import com.ibm.ws.wssecurity.keyinfo.KeyInfoConsumer;
import com.ibm.ws.wssecurity.keyinfo.WSSKeyInfoComponent;
import com.ibm.ws.wssecurity.platform.auth.WSSContext;
import com.ibm.ws.wssecurity.platform.auth.WSSContextFactory;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.token.CacheableTokenCacheFactory;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.KRB5TokenCacheUtil;
import com.ibm.ws.wssecurity.util.KRB5Util;
import com.ibm.ws.wssecurity.util.NamespaceUtil;
import com.ibm.ws.wssecurity.util.SimpleTargetURL;
import com.ibm.ws.wssecurity.util.TokenHolder;
import com.ibm.ws.wssecurity.util.TokenUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.config.TokenGeneratorConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnTokenFactory;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnTokenFactoryFactory;
import java.net.MalformedURLException;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.Key;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:com/ibm/ws/wssecurity/wssapi/token/impl/KRBGenerateLoginModule.class */
public class KRBGenerateLoginModule implements LoginModule {
    // Component identifier string. Message keys used in login() start with the same
    // prefix; presumably this is the message-catalog component name (confirm).
    private static final String comp = "security.wssecurity";
    // Line break placed around the LoginException messages that login() builds.
    private static final String newline = "\n";
    // W3C XML Signature / XML Encryption namespace and algorithm identifier URIs.
    // NOTE(review): TRIPLEDES_CBC and HMAC (hmac-sha1) name legacy algorithms. Where these
    // constants are consumed is outside the portion of the class reviewed here; confirm the
    // deployed policy still intends to allow them.
    public static final String XMLDSIG_NAMESPACE = "http://www.w3.org/2000/09/xmldsig#";
    public static final String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    public static final String TRIPLEDES_CBC = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
    public static final String AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    public static final String AES192_CBC = "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
    public static final String AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
    public static final String HMAC = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
    // Property name of the JAX-WS endpoint address.
    private static final String endptAddress_JAXWS = "javax.xml.ws.service.endpoint.address";
    // Reset to false at the start of login(). NOTE(review): commit() and abort() do not
    // consult this flag in the code visible here.
    private boolean loginSucceeded = false;
    // Set in login() from DerivedKeyInfoConfig.isRequireDerivedKeys() when that config exists.
    private boolean derivedkeyInfoConfigured = false;
    private boolean useDerivedKey = false;
    private boolean usingWSSAPI = false;
    // Set in login() from Axis2Util.isServiceProvider(messageContext).
    private boolean isServer = false;
    // Set in login() from WSSGeneratorConfig.isRequest().
    private boolean isRequest = true;
    // Set in login() from TokenGeneratorConfig.isStandAlone().
    private boolean isStandAlone = false;
    // Axis2 message context, read from the callback-supplied property map in login().
    private MessageContext messageContext = null;
    // Published by commit() under Constants.WSSECURITY_TOKENELEMENT_REFERENCED.
    private OMNode _referencedTokenElement = null;
    // The next four fields are stored as-is by initialize().
    private Subject _subject;
    private CallbackHandler _handler;
    // Raw Map types: the JAAS shared-state and options maps are kept without type parameters.
    private Map _sharedState;
    private Map _options;
    // Both lists are created empty in initialize() and published to _context by commit().
    private List<SecurityToken> _processedTokens;
    private List<SecurityToken> _insertedTokens;
    // Both are assigned in login() from the PropertyCallback's property map; they remain
    // null until login() has run that far.
    private SecurityTokenManager _securityTokenManager;
    private Map<Object, Object> _context;
    // Trace component for this class.
    // NOTE(review): login() passes KerberosTicket string forms (toString()) to Tr.debug when
    // debug trace is enabled. On common JDK implementations that string form includes the
    // encoded ticket and session key, so debug trace for this component should be handled as
    // credential-bearing data (restricted access, not shipped in routine support bundles).
    private static final TraceComponent tc = Tr.register(KRBGenerateLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = KRBGenerateLoginModule.class.getName();
    // Hex dump helper; its use is not visible in the portion of the class reviewed here.
    private static final HexDumpEncoder hexDumper = new HexDumpEncoder();
    // Obtained once at class initialization. NOTE(review): static but not final, so it is
    // reassignable from within this class; confirm that is intended.
    private static KRBAuthnTokenFactory _tokenFactory = KRBAuthnTokenFactoryFactory.getFactory();

    /**
     * Aborts the authentication attempt. This implementation only emits entry/exit trace.
     *
     * <p>NOTE(review): no per-login state is cleared here; {@code _processedTokens},
     * {@code _insertedTokens} and {@code _context} keep whatever login() left in them.
     * Confirm that module instances are not reused after an aborted login.
     *
     * @return always {@code false}
     * @throws LoginException declared by the LoginModule contract; not thrown by this body
     */
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        // Trace state is re-queried for the exit record, as in the original flow.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "abort()");
        }
        return false;
    }

    /**
     * Publishes the tokens gathered by this module: every processed token is added to the
     * security token manager, and the processed list, the inserted list and the referenced
     * token element are stored in the shared property map.
     *
     * <p>The inserted-token list is stored only when {@code ConfigUtil.isKeyInfoKeyid}
     * reports {@code false} for the configured key-info type.
     *
     * <p>NOTE(review): this method does not check {@code loginSucceeded}. {@code _context}
     * and {@code _securityTokenManager} are assigned inside login(), so calling commit()
     * without login() having reached those assignments would dereference null. Confirm the
     * caller guarantees the ordering.
     *
     * @return always {@code true}
     * @throws LoginException declared by the LoginModule contract; not thrown directly here
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }

        // The size is captured once up front, as in the original indexed loop.
        final int tokenCount = this._processedTokens.size();
        int idx = 0;
        while (idx < tokenCount) {
            this._securityTokenManager.addToken(this._processedTokens.get(idx));
            idx++;
        }
        this._context.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._processedTokens);

        final String keyInfoType = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
        final boolean keyIdReference = ConfigUtil.isKeyInfoKeyid(keyInfoType);
        if (keyIdReference) {
            // Key-identifier references: the inserted-token list is not published.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "KEYID is " + keyIdReference + "...Not inserting token.");
            }
        } else {
            this._context.put(Constants.WSSECURITY_TOKEN_TO_BE_INSERTED, this._insertedTokens);
        }
        this._context.put(Constants.WSSECURITY_TOKENELEMENT_REFERENCED, this._referencedTokenElement);

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * Stores the JAAS collaborators handed to this module and resets the per-login token
     * lists to new empty lists.
     *
     * @param subject the subject supplied by the login context; stored as-is
     * @param callbackHandler handler that login() later invokes; login() rejects {@code null}
     * @param map shared-state map; stored as-is
     * @param map2 options map; stored as-is
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }

        // Fresh token lists for this login attempt.
        this._insertedTokens = new ArrayList<SecurityToken>();
        this._processedTokens = new ArrayList<SecurityToken>();

        this._options = map2;
        this._sharedState = map;
        this._handler = callbackHandler;
        this._subject = subject;

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        this.loginSucceeded = false;
        if (this._handler == null) {
            throw new LoginException("No CallbackHandler received.");
        }
        Callback nameCallback = new NameCallback("username: ");
        PasswordCallback passwordCallback = new PasswordCallback("passowrd: ", false);
        PropertyCallback propertyCallback = new PropertyCallback(null);
        final KRBTokenGenerateCallback kRBTokenGenerateCallback = new KRBTokenGenerateCallback();
        Callback[] callbackArr = {nameCallback, passwordCallback, propertyCallback, kRBTokenGenerateCallback};
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Invoking callbacks");
            }
            this._handler.handle(callbackArr);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "krbtokenCallback[" + ConfigUtil.getObjType(kRBTokenGenerateCallback) + "]");
                if (kRBTokenGenerateCallback != null && (kRBTokenGenerateCallback instanceof KRBTokenGenerateCallback)) {
                    char[] cArr = (char[]) AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.1
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return kRBTokenGenerateCallback.getClientPassword();
                        }
                    });
                    Tr.debug(tc, "From KRBTokenGenerateCallback: clientName[" + kRBTokenGenerateCallback.getClientName() + "], password[" + ((cArr == null || cArr.length == 0) ? "" : SSLpropertyNames.maskedPropertyName) + "], clientKerberosRealm[" + kRBTokenGenerateCallback.getClientKerberosRealm() + "], targetServiceName[" + kRBTokenGenerateCallback.getTargetServiceName() + "], targetServiceHostName[" + kRBTokenGenerateCallback.getTargetServiceHostName() + "], targetServiceKerberosRealm[" + kRBTokenGenerateCallback.getTargetServiceKerberosRealm() + "], valueType[" + kRBTokenGenerateCallback.getValueType() + "]");
                }
            }
            this._context = propertyCallback.getProperties();
            TokenGeneratorConfig tokenGeneratorConfig = (TokenGeneratorConfig) this._context.get(TokenGeneratorConfig.CONFIG_KEY);
            WSSGeneratorConfig wSSGeneratorConfig = (WSSGeneratorConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssGenerator.configKey");
            this._securityTokenManager = (SecurityTokenManager) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            this.messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            try {
                this.isServer = Axis2Util.isServiceProvider(this.messageContext);
                this.isRequest = wSSGeneratorConfig.isRequest();
                this.isStandAlone = tokenGeneratorConfig.isStandAlone();
                QName valueType = kRBTokenGenerateCallback.getValueType() != null ? kRBTokenGenerateCallback.getValueType() : tokenGeneratorConfig.getType();
                if (!valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ_TOKEN) && !valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ1510_TOKEN) && !valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ4120_TOKEN) && !valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN) && !valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ1510_TOKEN) && !valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ4120_TOKEN)) {
                    throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.PrivateConsumerConfig.s30", new String[]{valueType.toString(), com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ1510_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_AP_REQ4120_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ1510_TOKEN.toString() + "\n or " + com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ4120_TOKEN.toString() + newline}));
                }
                KeyInfoContentGeneratorConfig keyInfoContentGeneratorConfig = (KeyInfoContentGeneratorConfig) this._context.get(KeyInfoContentGeneratorConfig.CONFIG_KEY);
                DerivedKeyInfoConfig derivedKeyInfoConfig = keyInfoContentGeneratorConfig != null ? keyInfoContentGeneratorConfig.getDerivedKeyInfoConfig() : null;
                if (derivedKeyInfoConfig != null) {
                    this.derivedkeyInfoConfigured = derivedKeyInfoConfig.isRequireDerivedKeys();
                }
                String str = (String) tokenGeneratorConfig.getProperties().get(Constants.ATTACH_KERBEROS_AP_REQUIRED);
                String str2 = (String) tokenGeneratorConfig.getProperties().get(Constants.ATTACH_HASHKEY_SUPPORT_KRB_TOKEN_REQUIRED);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, Constants.ATTACH_KERBEROS_AP_REQUIRED + ": " + str);
                    Tr.debug(tc, Constants.ATTACH_HASHKEY_SUPPORT_KRB_TOKEN_REQUIRED + ": " + str2);
                }
                boolean z = false;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Support token? " + tokenGeneratorConfig.isStandAlone());
                    Tr.debug(tc, "Is request? " + (!this.isServer));
                }
                if (!tokenGeneratorConfig.isStandAlone() || this.isServer) {
                    if (str != null && str.equalsIgnoreCase("true")) {
                        z = true;
                    }
                } else if (str2 == null || !str2.equalsIgnoreCase("true")) {
                    z = true;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "requireAPREQ? " + z);
                }
                boolean z2 = false;
                KRB5TokenImpl token = getToken(tokenGeneratorConfig, this._securityTokenManager);
                boolean z3 = false;
                TGTAuthToken tGTAuthToken = null;
                TGSAuthToken tGSAuthToken = null;
                byte[] bArr = null;
                boolean z4 = false;
                String str3 = null;
                EndpointReference to = this.messageContext.getTo();
                if (to != null) {
                    str3 = to.getAddress();
                } else if (!this.isServer) {
                    throw new LoginException("There is no End Point Address for the request.");
                }
                if (token == null) {
                    if (this.isServer) {
                        tGSAuthToken = TokenHolder.getKerberosTokenFromContext(this.messageContext);
                        if (tGSAuthToken == null) {
                            tGSAuthToken = (TGSAuthToken) CacheableTokenCacheFactory.getInstance().getToken(TokenHolder.getTokenFromContext(TokenHolder.INBOUND_KRBTOKEN, this.messageContext));
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found TGSAuthToken, Identifier: " + tGSAuthToken.getIdentifier() + ", Id: " + tGSAuthToken.getId() + " from service side.");
                        }
                    } else {
                        String str4 = null;
                        boolean z5 = false;
                        final HashMap finalLoginData = finalLoginData(kRBTokenGenerateCallback);
                        SecurityToken oneTokenFromSharedState = TokenUtils.getOneTokenFromSharedState(this._sharedState, UsernameToken.ValueType, true);
                        if (oneTokenFromSharedState != null && (oneTokenFromSharedState instanceof UsernameToken)) {
                            UsernameToken usernameToken = (UsernameToken) oneTokenFromSharedState;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "UsernameToken found on shared state.  Attempting to override username and password");
                            }
                            String username = usernameToken.getUsername();
                            String str5 = new String(usernameToken.getPassword());
                            if (ConfigUtil.hasValue(username) && str5 != null && str5.length() != 0) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Overriding username and password with UsernameToken in shared state");
                                }
                                finalLoginData.put(KerberosTokenConfig.CLIENT_NAME, usernameToken.getUsername());
                                finalLoginData.put(KerberosTokenConfig.CLIENTPASSWORD, new String(usernameToken.getPassword()));
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Cannot use UsernameToken in shared state.  Either username or password is null: username[" + (username == null ? "null" : username.length() == 0 ? "length=0" : "not null") + "], password[" + (str5 == null ? "null" : str5.length() == 0 ? "length=0" : "not null") + "]");
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Token on shared state is not object type UsernameToken.  Ignoring.");
                        }
                        String clientIdentifierForServiceTicketByCallback = KRB5TokenCacheUtil.getClientIdentifierForServiceTicketByCallback(finalLoginData);
                        String str6 = (String) finalLoginData.get(KerberosTokenConfig.CLIENTPASSWORD);
                        if (str6 == null || str6.isEmpty()) {
                            Subject runAsSubject = KRB5TokenCacheUtil.getRunAsSubject(this.messageContext);
                            r35 = runAsSubject != null ? KRB5TokenCacheUtil.getTgtTicketFromRunAsSubject(runAsSubject) : null;
                            if (r35 != null) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Found Kerberos ticket from RunAs Subject: " + r35.toString());
                                }
                                final Subject subject = new Subject();
                                final KerberosTicket kerberosTicket = r35;
                                AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.2
                                    @Override // java.security.PrivilegedAction
                                    public Object run() {
                                        if (KRBGenerateLoginModule.tc.isDebugEnabled()) {
                                            Tr.debug(KRBGenerateLoginModule.tc, "Prepare KTP HashMap by adding the Kerberos ticket to a Subject.");
                                        }
                                        subject.getPrivateCredentials().add(kerberosTicket);
                                        finalLoginData.put("subject", subject);
                                        return null;
                                    }
                                });
                                if (!r35.isDestroyed()) {
                                    String stripOutPrincipalName = KRB5Util.stripOutPrincipalName(r35.getClient().getName());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Setting: KerberosTokenConfig.CLIENT_NAME: " + stripOutPrincipalName + " from RunAs Subject.");
                                        Tr.debug(tc, "Setting: KerberosTokenConfig.CLIENT_REALM_NAME: " + r35.getClient().getRealm() + " from RunAs Subject.");
                                    }
                                    finalLoginData.put(KerberosTokenConfig.CLIENT_NAME, stripOutPrincipalName);
                                    finalLoginData.put(KerberosTokenConfig.CLIENT_REALM_NAME, r35.getClient().getRealm());
                                }
                                String str7 = (String) finalLoginData.get(KerberosTokenConfig.SERVICE_NAME);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "KerberosTokenConfig.SERVICE_NAME : " + str7);
                                    Tr.debug(tc, "KerberosTokenConfig.SERVICE_REALM_NAME: " + ((String) finalLoginData.get(KerberosTokenConfig.SERVICE_REALM_NAME)));
                                }
                                clientIdentifierForServiceTicketByCallback = KRB5TokenCacheUtil.getClientCacheKeyFromKRBAuthnToken(runAsSubject, str7);
                            }
                        } else {
                            str4 = KRB5TokenCacheUtil.getClientIdentifierForTGTByCallback(finalLoginData);
                            tGTAuthToken = (TGTAuthToken) CacheableTokenCacheFactory.getInstance().getToken(str4);
                        }
                        if (clientIdentifierForServiceTicketByCallback != null) {
                            tGSAuthToken = (TGSAuthToken) CacheableTokenCacheFactory.getInstance().getToken(clientIdentifierForServiceTicketByCallback + str3);
                            if (tGSAuthToken != null && r35 != null) {
                                if (tGSAuthToken.getTGT() == null) {
                                    tGSAuthToken = null;
                                } else if (r35.hashCode() != tGSAuthToken.getTGT().hashCode()) {
                                    tGSAuthToken = null;
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Found cached TGT token for the RunAsSubject:" + r35.getClient().getName() + ":Expiration at " + r35.getEndTime());
                                }
                            }
                        }
                        if ((str6 == null || str6.isEmpty()) && (!(r35 != null && r35.isCurrent() && r35.isForwardable()) && WSSContextManagerFactory.getInstance().processIsServer() && tc.isDebugEnabled())) {
                            Tr.debug(tc, "There is authentication data or delegation subject to request AP-REQ token");
                            if (str6 == null || str6.isEmpty()) {
                                Tr.debug(tc, "No password");
                            }
                            if (r35 == null) {
                                Tr.debug(tc, "No Kerberos Ticket.");
                            }
                            if (r35 != null) {
                                Tr.debug(tc, "Invalid Kerberos Ticket=" + r35);
                            }
                            Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", new String[]{"There is authentication data or delegation subject to request AP-REQ token"});
                            throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s01", new String[]{"There is authentication data or delegation subject to request AP-REQ token."}));
                        }
                        if (tGTAuthToken == null && tGSAuthToken == null) {
                            z5 = true;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "No TGS authn token found...");
                                Tr.debug(tc, "No TGT authn token found...");
                                Tr.debug(tc, "Check TGT from RunAsSubject: " + KRB5Util.printTGT(r35));
                            }
                            if (r35 != null && !r35.isDestroyed()) {
                                String stripOutPrincipalName2 = KRB5Util.stripOutPrincipalName(r35.getClient().getName());
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Overwriting KerberosTokenConfig.CLIENT_NAME: " + stripOutPrincipalName2);
                                    Tr.debug(tc, "Overwriting KerberosTokenConfig.CLIENT_REALM_NAME: " + r35.getClient().getRealm());
                                }
                                finalLoginData.put(KerberosTokenConfig.CLIENT_NAME, stripOutPrincipalName2);
                                finalLoginData.put(KerberosTokenConfig.CLIENT_REALM_NAME, r35.getClient().getRealm());
                            }
                        } else if (tGTAuthToken == null && str6 != null && !str6.isEmpty()) {
                            z5 = true;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "No TGT authn token found...");
                                Tr.debug(tc, "Login data available...attempt to login.");
                            }
                        } else if (tGSAuthToken != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Found TGS authn token... " + tGSAuthToken);
                            }
                            if (KRB5TokenCacheUtil.TicketActionState.REISSUE.equals(KRB5TokenCacheUtil.getTicketActionState(tGSAuthToken.getTGT()))) {
                                z5 = true;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Reissue TGT for: " + tGSAuthToken.getTGT().getClient().getName());
                                    Tr.debug(tc, "       AuthTime: " + tGSAuthToken.getTGT().getAuthTime());
                                    Tr.debug(tc, "      StartTime: " + tGSAuthToken.getTGT().getStartTime());
                                    Tr.debug(tc, "        EndTime: " + tGSAuthToken.getTGT().getEndTime());
                                    Tr.debug(tc, "      RenewTill: " + tGSAuthToken.getTGT().getRenewTill());
                                }
                            } else if (KRB5TokenCacheUtil.TicketActionState.REFRESH.equals(KRB5TokenCacheUtil.getTicketActionState(tGSAuthToken.getTGT()))) {
                                z5 = true;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Refresh TGT for: " + tGSAuthToken.getTGT().getClient().getName());
                                    Tr.debug(tc, "       AuthTime: " + tGSAuthToken.getTGT().getAuthTime());
                                    Tr.debug(tc, "      StartTime: " + tGSAuthToken.getTGT().getStartTime());
                                    Tr.debug(tc, "        EndTime: " + tGSAuthToken.getTGT().getEndTime());
                                    Tr.debug(tc, "      RenewTill: " + tGSAuthToken.getTGT().getRenewTill());
                                }
                                final Subject subject2 = new Subject();
                                try {
                                    final KerberosTicket refresh = KRB5Util.refresh(tGSAuthToken.getTGT());
                                    AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.3
                                        @Override // java.security.PrivilegedAction
                                        public Object run() {
                                            if (KRBGenerateLoginModule.tc.isDebugEnabled()) {
                                                Tr.debug(KRBGenerateLoginModule.tc, "Adding Kerberos ticket to Subject: " + refresh.toString());
                                            }
                                            subject2.getPrivateCredentials().add(refresh);
                                            finalLoginData.put("subject", subject2);
                                            return null;
                                        }
                                    });
                                } catch (Exception e) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Re-issue due to failure in TGT refreshing: " + e.getMessage());
                                    }
                                }
                            } else if (!KRB5TokenCacheUtil.TicketActionState.NONE.equals(KRB5TokenCacheUtil.getTicketActionState(tGSAuthToken.getTGS()))) {
                                z5 = true;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Refresh TGS for: " + tGSAuthToken.getTGS().getClient().getName());
                                    Tr.debug(tc, "       AuthTime: " + tGSAuthToken.getTGS().getAuthTime());
                                    Tr.debug(tc, "      StartTime: " + tGSAuthToken.getTGS().getStartTime());
                                    Tr.debug(tc, "        EndTime: " + tGSAuthToken.getTGS().getEndTime());
                                    Tr.debug(tc, "      RenewTill: " + tGSAuthToken.getTGS().getRenewTill());
                                    Tr.debug(tc, "\n        TGT for: " + tGSAuthToken.getTGT().getClient().getName());
                                    Tr.debug(tc, "       AuthTime: " + tGSAuthToken.getTGT().getAuthTime());
                                    Tr.debug(tc, "      StartTime: " + tGSAuthToken.getTGT().getStartTime());
                                    Tr.debug(tc, "        EndTime: " + tGSAuthToken.getTGT().getEndTime());
                                    Tr.debug(tc, "      RenewTill: " + tGSAuthToken.getTGT().getRenewTill());
                                }
                                final Subject subject3 = new Subject();
                                final KerberosTicket tgt = tGSAuthToken.getTGT();
                                AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.4
                                    @Override // java.security.PrivilegedAction
                                    public Object run() {
                                        if (KRBGenerateLoginModule.tc.isDebugEnabled()) {
                                            Tr.debug(KRBGenerateLoginModule.tc, "Adding Kerberos ticket to Subject: " + tgt.toString());
                                        }
                                        subject3.getPrivateCredentials().add(tgt);
                                        finalLoginData.put("subject", subject3);
                                        return null;
                                    }
                                });
                            } else if (z) {
                                z5 = true;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Must request AP_REQ for: " + tGSAuthToken.getTGT().getClient().getName());
                                    Tr.debug(tc, "               AuthTime: " + tGSAuthToken.getTGT().getAuthTime());
                                    Tr.debug(tc, "              StartTime: " + tGSAuthToken.getTGT().getStartTime());
                                    Tr.debug(tc, "                EndTime: " + tGSAuthToken.getTGT().getEndTime());
                                    Tr.debug(tc, "              RenewTill: " + tGSAuthToken.getTGT().getRenewTill());
                                }
                                final Subject subject4 = new Subject();
                                final KerberosTicket tgs = tGSAuthToken.getTGS();
                                final KerberosTicket tgt2 = tGSAuthToken.getTGT();
                                AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.5
                                    @Override // java.security.PrivilegedAction
                                    public Object run() {
                                        if (KRBGenerateLoginModule.tc.isDebugEnabled()) {
                                            Tr.debug(KRBGenerateLoginModule.tc, "Adding Kerberos ticket to Subject: " + tgs.toString());
                                        }
                                        subject4.getPrivateCredentials().add(tgt2);
                                        subject4.getPublicCredentials().add(tgs);
                                        finalLoginData.put("subject", subject4);
                                        return null;
                                    }
                                });
                                z2 = true;
                            }
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Proceed with TGS authn token... " + tGSAuthToken);
                            }
                        } else if (tGTAuthToken != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "No TGS authn token found...");
                                Tr.debug(tc, "Found TGT authn token though... " + tGTAuthToken);
                            }
                            if (KRB5TokenCacheUtil.TicketActionState.NONE.equals(KRB5TokenCacheUtil.getTicketActionState(tGTAuthToken.getTGT()))) {
                                z5 = true;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Request TGS for: " + tGTAuthToken.getTGT().getClient().getName());
                                    Tr.debug(tc, "       AuthTime: " + tGTAuthToken.getTGT().getAuthTime());
                                    Tr.debug(tc, "      StartTime: " + tGTAuthToken.getTGT().getStartTime());
                                    Tr.debug(tc, "        EndTime: " + tGTAuthToken.getTGT().getEndTime());
                                    Tr.debug(tc, "      RenewTill: " + tGTAuthToken.getTGT().getRenewTill());
                                }
                                final Subject subject5 = new Subject();
                                final KerberosTicket tgt3 = tGTAuthToken.getTGT();
                                AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.6
                                    @Override // java.security.PrivilegedAction
                                    public Object run() {
                                        if (KRBGenerateLoginModule.tc.isDebugEnabled()) {
                                            Tr.debug(KRBGenerateLoginModule.tc, "Adding Kerberos ticket to Subject: " + tgt3.toString());
                                        }
                                        subject5.getPrivateCredentials().add(tgt3);
                                        finalLoginData.put("subject", subject5);
                                        return null;
                                    }
                                });
                            } else if (KRB5TokenCacheUtil.TicketActionState.REISSUE.equals(KRB5TokenCacheUtil.getTicketActionState(tGTAuthToken.getTGT()))) {
                                z5 = true;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Reissue TGT for: " + tGTAuthToken.getTGT().getClient().getName());
                                    Tr.debug(tc, "       AuthTime: " + tGTAuthToken.getTGT().getAuthTime());
                                    Tr.debug(tc, "      StartTime: " + tGTAuthToken.getTGT().getStartTime());
                                    Tr.debug(tc, "        EndTime: " + tGTAuthToken.getTGT().getEndTime());
                                    Tr.debug(tc, "      RenewTill: " + tGTAuthToken.getTGT().getRenewTill());
                                }
                            } else {
                                z5 = true;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Refresh TGT for: " + tGTAuthToken.getTGT().getClient().getName());
                                    Tr.debug(tc, "       AuthTime: " + tGTAuthToken.getTGT().getAuthTime());
                                    Tr.debug(tc, "      StartTime: " + tGTAuthToken.getTGT().getStartTime());
                                    Tr.debug(tc, "        EndTime: " + tGTAuthToken.getTGT().getEndTime());
                                    Tr.debug(tc, "      RenewTill: " + tGTAuthToken.getTGT().getRenewTill());
                                }
                                final Subject subject6 = new Subject();
                                try {
                                    final KerberosTicket refresh2 = KRB5Util.refresh(tGTAuthToken.getTGT());
                                    AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.7
                                        @Override // java.security.PrivilegedAction
                                        public Object run() {
                                            if (KRBGenerateLoginModule.tc.isDebugEnabled()) {
                                                Tr.debug(KRBGenerateLoginModule.tc, "Adding Kerberos ticket to Subject: " + refresh2.toString());
                                            }
                                            subject6.getPrivateCredentials().add(refresh2);
                                            finalLoginData.put("subject", subject6);
                                            return null;
                                        }
                                    });
                                } catch (Exception e2) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Re-issue due to failure in TGT refreshing: " + e2.getMessage());
                                    }
                                }
                            }
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Proceed with TGT authn token... " + tGTAuthToken);
                            }
                        }
                        String str8 = (String) finalLoginData.get(KerberosTokenConfig.SERVICE_NAME);
                        if (z5) {
                            z3 = true;
                            try {
                                HashMap callKerberosTokenGenerator = callKerberosTokenGenerator(finalLoginData);
                                String str9 = (String) finalLoginData.get(KerberosTokenConfig.CLIENT_NAME);
                                TGTAuthToken tGTAuthToken2 = new TGTAuthToken(callKerberosTokenGenerator, str9);
                                if (str4 != null && !z2) {
                                    tGTAuthToken2.setIdentifier(str4);
                                    KRB5TokenCacheUtil.setKRB5TokenToCache(tGTAuthToken2, str4, tGTAuthToken2.getTGT().getEndTime());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Created and cached TGT authn token.");
                                    }
                                }
                                bArr = getAPREQ_TOKEN_Byte(finalLoginData, callKerberosTokenGenerator);
                                String sha1FromBytes = KRB5TokenCacheUtil.getSha1FromBytes(bArr);
                                if (z2) {
                                    tGSAuthToken = tGSAuthToken.modifyTGSAuthToken(getSecretByteFromAPREQ(callKerberosTokenGenerator), sha1FromBytes);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Updated AP_REQ keys in cached token: " + tGSAuthToken);
                                    }
                                } else {
                                    tGSAuthToken = new TGSAuthToken(callKerberosTokenGenerator, str9, str8, valueType, sha1FromBytes);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Created TGS token: " + tGSAuthToken);
                                    }
                                }
                                if (clientIdentifierForServiceTicketByCallback == null && tGTAuthToken2.getTGT() != null) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "idForServiceTicket is null.");
                                    }
                                    clientIdentifierForServiceTicketByCallback = KRB5TokenCacheUtil.getClientCacheKeyFromSubject(tGTAuthToken2.getTGT(), str8);
                                }
                                tGSAuthToken.setIdentifier(clientIdentifierForServiceTicketByCallback + str3);
                                Date serviceTicketExpirationTime = tGSAuthToken.getServiceTicketExpirationTime();
                                if (clientIdentifierForServiceTicketByCallback != null) {
                                    KRB5TokenCacheUtil.setKRB5TokenToCache(tGSAuthToken, tGSAuthToken.getIdentifier(), serviceTicketExpirationTime);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Updated service token with: " + tGSAuthToken.getIdentifier());
                                    }
                                }
                                TGSAuthToken tGSAuthToken2 = (TGSAuthToken) tGSAuthToken.clone();
                                tGSAuthToken2.setIdentifier(tGSAuthToken2.getSHA1ofAPREQ());
                                if (z) {
                                    serviceTicketExpirationTime = new Date();
                                    TokenHolder.setInboundKerberosTokenToContext(tGSAuthToken2, this.messageContext);
                                }
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Updated service token with identifier: " + tGSAuthToken2.getIdentifier());
                                }
                                KRB5TokenCacheUtil.setKRB5TokenToCache(tGSAuthToken2, tGSAuthToken2.getIdentifier(), serviceTicketExpirationTime);
                                if (!WSSContextManagerFactory.getInstance().processIsServer()) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Cache token for thin client...");
                                    }
                                    Object property = this.messageContext.getProperty("com.ibm.wsspi.websphere.security.SecurityContext");
                                    if (property != null && !(property instanceof WSSContext)) {
                                        property = this.messageContext.getProperty(com.ibm.ws.wssecurity.common.Constants.WSSECURITY_LOGINPROMPT_CONTEXT);
                                    }
                                    if (property != null && (property instanceof WSSContext)) {
                                        WSSContext wSSContext = (WSSContext) property;
                                        Subject subject7 = null;
                                        try {
                                            subject7 = wSSContext.getRunAsSubject(this.messageContext);
                                            if (tc.isDebugEnabled()) {
                                                Tr.debug(tc, "RunAsSubject from WEBSPHERE_SECURITY_CONTEXT: " + subject7);
                                            }
                                            if (subject7 == null) {
                                                subject7 = new Subject();
                                                wSSContext.setRunAsSubject(subject7, this.messageContext);
                                            } else {
                                                Set<SecurityTokenWrapper> privateCredentials = subject7.getPrivateCredentials(SecurityTokenWrapper.class);
                                                if (privateCredentials != null && !privateCredentials.isEmpty()) {
                                                    for (SecurityTokenWrapper securityTokenWrapper : privateCredentials) {
                                                        SecurityToken securityToken = securityTokenWrapper.getSecurityToken();
                                                        if (securityToken != null && (securityToken instanceof KRBAuthnToken)) {
                                                            subject7.getPrivateCredentials().remove(securityTokenWrapper);
                                                        }
                                                    }
                                                }
                                            }
                                        } catch (Exception e3) {
                                            if (tc.isDebugEnabled()) {
                                                Tr.debug(tc, "Exception caught " + e3.getMessage());
                                            }
                                        }
                                        if (subject7 != null && this.messageContext.getTo() != null) {
                                            SecurityTokenWrapper securityTokenWrapper2 = new SecurityTokenWrapper(createKrbTokenImpl(tGSAuthToken));
                                            securityTokenWrapper2.setEndPoint(this.messageContext.getTo().getAddress());
                                            subject7.getPrivateCredentials().add(securityTokenWrapper2);
                                            if (tc.isDebugEnabled()) {
                                                Tr.debug(tc, "Established SecurityTokenWrapper: " + securityTokenWrapper2);
                                            }
                                        }
                                    }
                                }
                            } catch (Throwable th) {
                                Tr.processException(th, clsName + ".login", "%C", this);
                                Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", th);
                                throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s01", new String[]{KRB5Util.stackToString(th)}));
                            }
                        } else {
                            z4 = true;
                        }
                    }
                    if (tGSAuthToken == null) {
                        Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", "Token NotFound");
                        throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s01", new String[]{"None Kerberos Token Found"}));
                    }
                    token = createKrbTokenImpl(tGSAuthToken);
                    String makeUniqueId = IdUtils.getInstance().makeUniqueId(this._context, "krb5_");
                    token.setId(makeUniqueId);
                    if (bArr != null) {
                        token.setBinary(bArr);
                    }
                    int i = 0;
                    Object obj = this._context.get(com.ibm.ws.wssecurity.common.Constants.WSS_VERSION);
                    if (obj != null && (obj instanceof Integer)) {
                        i = ((Integer) obj).intValue();
                    }
                    if (tGSAuthToken.getSecretKeyByte() == null) {
                        throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{"Failed to get key from AP_REQ token."}));
                    }
                    String sHA1ofAPREQ = token.getSHA1ofAPREQ();
                    token.setIdentifier(sHA1ofAPREQ);
                    OMElement oMElement = (OMElement) this._context.get("com.ibm.ws.wssecurity.constants.processingElement");
                    if (bArr != null) {
                        token.setXML(new OMStructure(createTokenElement(oMElement.getOMFactory(), oMElement, tokenGeneratorConfig, bArr, makeUniqueId, i)));
                        String str10 = "#" + makeUniqueId;
                        token.setReferenceURI(str10);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Setting the token's Reference URI = " + str10);
                        }
                    } else {
                        setupKEYID(token, sHA1ofAPREQ);
                        if (!this.isServer && z4 && this.isStandAlone) {
                            token.setXML(new OMStructure(createSecurityTokenReferenceElement(oMElement.getOMFactory(), oMElement, sHA1ofAPREQ, i)));
                            token.setReferenceURI(sHA1ofAPREQ);
                            z3 = true;
                        }
                    }
                    if (!this.derivedkeyInfoConfigured) {
                        createKey(token);
                    }
                    this._processedTokens.add(token);
                    if (z3) {
                        this._insertedTokens.add(token);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Generated Kerberos security token: " + token);
                    }
                } else {
                    if (regenerateKey(token)) {
                        createKey(token);
                    }
                    this._processedTokens.add(token);
                    OMStructure oMStructure = (OMStructure) token.getXML();
                    if (oMStructure != null) {
                        this._referencedTokenElement = oMStructure.getNode();
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found the Kerberos security token: " + token);
                    }
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "DerivedKeyInfo configured? " + this.derivedkeyInfoConfigured);
                }
                if (this.derivedkeyInfoConfigured) {
                    populateSharedStateForDkey(token);
                } else if (token.getKeyIdentifier() != null && !this.isStandAlone) {
                    this._context.put(Constants.WSSECURITY_KEYINFO_TYPE, KeyInfoConsumer.KEYID);
                }
                if (token != null) {
                    this.loginSucceeded = true;
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login()");
                }
                return this.loginSucceeded;
            } catch (Exception e4) {
                throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s02", new String[]{KRB5Util.stackToString(e4)}));
            }
        } catch (Throwable th2) {
            FFDCFilter.processException(th2, "com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule", "%C", this);
            Tr.processException(th2, clsName + ".login", "%C", this);
            Tr.error(tc, "security.wssecurity.BSTokenLoginModule.s01", th2);
            throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{KRB5Util.stackToString(th2)}));
        }
    }

    /**
     * Emits the entry/exit trace for logout and does nothing else.
     *
     * <p>This body removes nothing: Kerberos tickets that {@code login()} placed in a
     * Subject, and tokens it stored through {@code KRB5TokenCacheUtil}, are left in place.
     * Any credential cleanup therefore has to happen elsewhere.
     *
     * @return always {@code false}
     * @throws LoginException declared in the signature; this body never throws it
     */
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        // The trace switch is read again before the exit record, as in the original flow.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "logout()");
        }
        return false;
    }

    /**
     * Runs a {@link KerberosTokenGenerator} over the supplied login data and returns its output map.
     *
     * <p>Steps, in order: reject a missing or invalid SERVICE_NAME, call {@code init(hashMap)},
     * call {@code invoke(hashMap2)}, then check the encryption type of the returned sub-key or,
     * when no sub-key is present, of the session key.
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>The debug trace prints {@code SSLpropertyNames.maskedPropertyName} in place of the
     *       client and service password values, but it prints the {@code "subject"} entry through
     *       string concatenation. {@code login()} adds Kerberos tickets to that Subject's private
     *       credentials, so the rendered text may contain ticket details on some JDKs. Confirm
     *       this, and treat debug trace output as sensitive.</li>
     *   <li>Every failure is reported as a {@link LoginException} whose message embeds
     *       {@code KRB5Util.stackToString(th)}. NOTE(review): confirm that this message is never
     *       returned to a remote peer.</li>
     * </ul>
     *
     * @param hashMap generator input (service name, client name, passwords, subject, ...)
     * @return the map filled by {@code KerberosTokenGenerator.invoke}
     * @throws LoginException if SERVICE_NAME is missing or fails {@code KRB5Util.spnValid}, or if
     *         anything thrown inside the try block (including the encryption-type rejections) is caught
     */
    private HashMap callKerberosTokenGenerator(HashMap hashMap) throws LoginException {
        String str = (String) hashMap.get(KerberosTokenConfig.SERVICE_NAME);
        // The second hasValue(str) test is redundant: the right-hand operand is only evaluated
        // when the first operand is false, i.e. when hasValue(str) is already true.
        if (!KRB5Util.hasValue(str) || (KRB5Util.hasValue(str) && !KRB5Util.spnValid(str))) {
            StringBuilder append = new StringBuilder().append(newline);
            String[] strArr = new String[1];
            strArr[0] = str == null ? "" : str;
            throw new LoginException(append.append(ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s03", strArr)).toString());
        }
        HashMap hashMap2 = new HashMap();
        KerberosTokenGenerator kerberosTokenGenerator = new KerberosTokenGenerator();
        try {
            if (tc.isDebugEnabled() && this.isServer) {
                Tr.debug(tc, "Calling KerberosTokenGenerator.init()");
            }
            if (tc.isDebugEnabled()) {
                // Password values are replaced by maskedPropertyName; the "subject" entry is not masked.
                Tr.debug(tc, "\nKerberosTokenGenerator init Map contains: \nclientName: " + hashMap.get(KerberosTokenConfig.CLIENT_NAME) + newline + KerberosTokenConfig.CLIENTPASSWORD + ": " + (!KRB5Util.hasValue((String) hashMap.get(KerberosTokenConfig.CLIENTPASSWORD)) ? "" : SSLpropertyNames.maskedPropertyName) + newline + KerberosTokenConfig.CLIENTLOGINCONF + ": " + hashMap.get(KerberosTokenConfig.CLIENTLOGINCONF) + newline + KerberosTokenConfig.CLIENT_REALM_NAME + ": " + hashMap.get(KerberosTokenConfig.CLIENT_REALM_NAME) + newline + KerberosTokenConfig.SERVICE_KEYTAB + ": " + hashMap.get(KerberosTokenConfig.SERVICE_KEYTAB) + newline + KerberosTokenConfig.SERVICE_NAME + ": " + hashMap.get(KerberosTokenConfig.SERVICE_NAME) + newline + KerberosTokenConfig.SERVICEPASSWORD + ": " + (!KRB5Util.hasValue((String) hashMap.get(KerberosTokenConfig.SERVICEPASSWORD)) ? "" : SSLpropertyNames.maskedPropertyName) + newline + KerberosTokenConfig.SERVICE_REALM_NAME + ": " + hashMap.get(KerberosTokenConfig.SERVICE_REALM_NAME) + newline + KerberosTokenConfig.WRAPPED + ": " + hashMap.get(KerberosTokenConfig.WRAPPED) + newline + "subject: " + hashMap.get("subject") + newline);
            }
            kerberosTokenGenerator.init(hashMap);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Calling KerberosTokenGenerator.invoke():");
            }
            kerberosTokenGenerator.invoke(hashMap2);
            byte[] bArr = (byte[]) hashMap2.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
            Integer num = (Integer) hashMap2.get(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC);
            // Encryption-type gate: the sub-key is checked when present, otherwise the session key.
            // When neither key has a value, nothing is rejected here and the map is returned as is.
            if (!KRB5Util.hasValue(bArr)) {
                byte[] bArr2 = (byte[]) hashMap2.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
                Integer num2 = (Integer) hashMap2.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC);
                if (KRB5Util.hasValue(bArr2) && !KRB5Util.isSessKeyEncTypeSupported(num2)) {
                    throw new LoginException("\nUnsupported Kerberos session key encryption type...Please verify Kerberos configuration.");
                }
            } else if (!KRB5Util.isSubKeyEncTypeSupported(num)) {
                throw new LoginException("\nUnsupported Kerberos sub-key encryption type...Please verify Kerberos configuration.");
            }
            return hashMap2;
        } catch (Throwable th) {
            // This also catches the two LoginExceptions thrown just above, so callers see the
            // generic s01 message with the original text inside the embedded stack string.
            FFDCFilter.processException(th, KRBGenerateLoginModule.class.getName(), "1");
            Tr.processException(th, clsName + ".login", "%C", this);
            Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", KRB5Util.stackToString(th));
            throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s01", new String[]{KRB5Util.stackToString(th)}));
        }
    }

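    /**
     * Decides whether the key of an already-processed Kerberos token has to be created again.
     *
     * <p>Returns {@code false} at once when derived-key info is configured. Otherwise the key type
     * stored in the context under {@code Constants.WSSECURITY_KEY_TYPE} selects which key is
     * looked up on the token; a {@code null} lookup result requests regeneration.
     *
     * @param kRB5TokenImpl token whose existing keys are inspected
     * @return {@code true} when the key matching the configured key type is absent from the token
     */
    private boolean regenerateKey(KRB5TokenImpl kRB5TokenImpl) {
        if (this.derivedkeyInfoConfigured) {
            return false;
        }
        String keyType = (String) this._context.get(Constants.WSSECURITY_KEY_TYPE);
        boolean signing = false;
        boolean encrypting = false;
        if (keyType != null) {
            signing = WSSKeyInfoComponent.KEY_SIGNING.equals(keyType);
            encrypting = WSSKeyInfoComponent.KEY_ENCRYPTING.equals(keyType);
            if (tc.isDebugEnabled()) {
                if (signing) {
                    Tr.debug(tc, "Signing key type");
                } else if (encrypting) {
                    Tr.debug(tc, " Encrypting key type");
                }
            }
        }
        boolean regenerate = false;
        if (encrypting) {
            // 62 is presumably the encrypting-key selector of KRB5TokenImpl.getKey; confirm against that class.
            try {
                if (kRB5TokenImpl.getKey(62) == null) {
                    regenerate = true;
                }
            } catch (Exception e) {
                // Still best-effort: a failed lookup leaves the decision at "do not regenerate".
                // The failure is traced instead of being dropped, so a token left without an
                // encrypting key can be diagnosed from the trace.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception caught " + e.getMessage());
                }
            }
        }
        if (signing) {
            // 61 is presumably the signing-key selector. Unlike the encrypting lookup this call is
            // not guarded, so an exception here propagates to the caller (unchanged behaviour).
            if (kRB5TokenImpl.getKey(61) == null) {
                regenerate = true;
            }
        }
        return regenerate;
    }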

    /**
     * Picks the token bytes to use from the Kerberos generator output.
     *
     * @param hashMap generator input; its {@code KerberosTokenConfig.WRAPPED} entry must be a
     *        non-null {@code Integer}, otherwise the unboxing below throws
     * @param hashMap2 generator output holding the token bytes
     * @return the {@code CONTEXT_GSS_TOKEN} entry when WRAPPED equals 1, otherwise the
     *         {@code CONTEXT_APREQ_TOKEN} entry; {@code null} when that entry is absent
     */
    public static byte[] getAPREQ_TOKEN_Byte(HashMap hashMap, HashMap hashMap2) {
        int wrapped = ((Integer) hashMap.get(KerberosTokenConfig.WRAPPED)).intValue();
        if (wrapped == 1) {
            return (byte[]) hashMap2.get(KerberosTokenConfig.CONTEXT_GSS_TOKEN);
        }
        return (byte[]) hashMap2.get(KerberosTokenConfig.CONTEXT_APREQ_TOKEN);
    }

    /**
     * Returns the secret key bytes carried in the generator output, preferring the sub-key.
     *
     * <p>Only the key type is traced, never the key bytes. The fallback to the session key is
     * triggered by a {@code null} sub-key only; a present but empty array is returned as is.
     *
     * @param map Kerberos generator output
     * @return the sub-key bytes if that entry is non-null, otherwise the session key bytes,
     *         which may be {@code null}
     */
    private byte[] getSecretByteFromAPREQ(Map map) {
        byte[] subKey = (byte[]) map.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES);
        if (subKey != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found sub key of type: " + map.get(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES_TYPE) + " from kerberos token.");
            }
            return subKey;
        }
        byte[] sessionKey = (byte[]) map.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
        if (sessionKey != null && tc.isDebugEnabled()) {
            Tr.debug(tc, "Found session key of type: " + map.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES_TYPE) + " from kerberos token.");
        }
        return sessionKey;
    }

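    /**
     * Publishes this Kerberos token into {@code _sharedState} as the base token for derived-key
     * processing.
     *
     * <p>A token whose reference URI starts with {@code "#"} is published as a security token
     * reference (value type and id taken from the token). Any other token is published by key
     * identifier, with the {@code KRB5_APREQ_SHA1} value type and the token's identifier.
     *
     * <p>Security notes: the raw AP_REQ key bytes are stored under
     * {@code Constants.BASE_TOKEN_KEY_BYTES}, so every reader of {@code _sharedState} can obtain
     * the key. The trace lines report only the length of key arrays. The previous code
     * concatenated the {@code byte[]} itself, which printed the array's identity string.
     *
     * <p>NOTE(review): {@code login()} already adds the token to {@code _processedTokens} before
     * calling this method. Whether the add below creates a duplicate depends on the collection
     * type, which is not visible here.
     *
     * @param kRB5TokenImpl token to publish as the derived-key base token
     * @throws LoginException declared in the signature; this body does not throw it directly
     */
    private void populateSharedStateForDkey(KRB5TokenImpl kRB5TokenImpl) throws LoginException {
        // Previous values are read (and cast) unconditionally, exactly as before; they are only traced.
        String prevIdType = (String) this._sharedState.get(Constants.BASE_TOKEN_IDENTIFIER_TYPE);
        String prevEncodeType = (String) this._sharedState.get(Constants.BASE_TOKEN_IDENTIFIER_ENCODED_TYPE);
        QName prevValueType = (QName) this._sharedState.get(Constants.BASE_TOKEN_VALUE_TYPE);
        String prevTokenRef = (String) this._sharedState.get(Constants.BASE_TOKEN_REFERENCE);
        String prevInternalRef = (String) this._sharedState.get(Constants.INTERNAL_TOKEN_REFERENCE);
        byte[] prevKeyBytes = (byte[]) this._sharedState.get(Constants.BASE_TOKEN_KEY_BYTES);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Previous com.ibm.wsspi.wssecurity.dktlogin.howToReferenceBaseToken: " + (KRB5Util.hasValue(prevIdType) ? prevIdType : ""));
            Tr.debug(tc, "Previous com.ibm.wsspi.wssecurity.dktlogin.baseToken.encodeType: " + (KRB5Util.hasValue(prevEncodeType) ? prevEncodeType : ""));
            Tr.debug(tc, "Previous com.ibm.wsspi.wssecurity.dktlogin.referencedTokenValueType: " + prevValueType);
            Tr.debug(tc, "Previous com.ibm.wsspi.wssecurity.dktlogin.referencedTokenId: " + (KRB5Util.hasValue(prevTokenRef) ? prevTokenRef : ""));
            Tr.debug(tc, "Previous com.ibm.wsspi.wssecurity.dktlogin.internalTokenReference: " + (KRB5Util.hasValue(prevInternalRef) ? prevInternalRef : ""));
            // Length only: key material must not reach the trace.
            Tr.debug(tc, "Previous com.ibm.wsspi.wssecurity.dktlogin.referencedTokenKeyBytes: " + (prevKeyBytes != null && KRB5Util.hasValue(prevKeyBytes) ? prevKeyBytes.length + " bytes" : ""));
        }

        String referenceURI = kRB5TokenImpl.getReferenceURI();
        // A local "#id" reference means the token element travels in this message.
        boolean useKeyIdentifier = referenceURI == null || !referenceURI.startsWith("#");

        String howToReference;
        QName valueType;
        if (useKeyIdentifier) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subsequent messages using KeyIdentifier...");
            }
            howToReference = Constants.WSSECURITY_KEY_ID;
            String encodeType = com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY.getLocalPart();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Overwrites com.ibm.wsspi.wssecurity.dktlogin.baseToken.encodeType with " + encodeType);
            }
            this._sharedState.put(Constants.BASE_TOKEN_IDENTIFIER_ENCODED_TYPE, encodeType);
            valueType = com.ibm.ws.wssecurity.common.Constants.KRB5_APREQ_SHA1;
            String identifier = kRB5TokenImpl.getIdentifier();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Overwrites com.ibm.wsspi.wssecurity.dktlogin.referencedTokenId with " + identifier);
            }
            this._sharedState.put(Constants.BASE_TOKEN_REFERENCE, identifier);
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "1st request using Security Token Reference...");
            }
            howToReference = Constants.WSSECURITY_KEY_REFERENCE;
            valueType = kRB5TokenImpl.getValueType();
            // The original called getId() twice and discarded the first result; one call suffices.
            String id = kRB5TokenImpl.getId();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Overwrites com.ibm.wsspi.wssecurity.dktlogin.internalTokenReference with " + id);
            }
            this._sharedState.put(Constants.INTERNAL_TOKEN_REFERENCE, id);
        }

        byte[] apReqKey = kRB5TokenImpl.getAPREQKeyByte();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Overwrites com.ibm.wsspi.wssecurity.dktlogin.howToReferenceBaseToken with " + howToReference);
            Tr.debug(tc, "Overwrites com.ibm.wsspi.wssecurity.dktlogin.referencedTokenValueType with " + valueType);
            // Length only: key material must not reach the trace.
            Tr.debug(tc, "Overwrites com.ibm.wsspi.wssecurity.dktlogin.referencedTokenKeyBytes with " + (apReqKey == null ? "null" : apReqKey.length + " bytes"));
        }
        this._sharedState.put(Constants.BASE_TOKEN_IDENTIFIER_TYPE, howToReference);
        this._sharedState.put(Constants.BASE_TOKEN_VALUE_TYPE, valueType);
        this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, apReqKey);
        this._processedTokens.add(kRB5TokenImpl);
        this._sharedState.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._processedTokens);
        this._sharedState.put(Constants.WSSECURITY_TOKEN_TO_BE_INSERTED, this._insertedTokens);
    }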

    /**
     * Looks for a Kerberos ticket in the RunAs Subject of the current WSSContext and, when the
     * ticket is usable, seeds the login data with the client name, realm and Subject.
     *
     * <p>Reviewer notes:
     * <ul>
     *   <li>The first {@code KerberosTicket} returned by the private-credential set's iterator is
     *       taken. If the Subject holds several tickets, this code does not determine which one
     *       is chosen.</li>
     *   <li>The ticket is returned even when it fails the current/forwardable/not-destroyed test.
     *       Only the population of {@code hashMap} is gated on that test, so callers must not
     *       treat a non-null return as "usable ticket".</li>
     *   <li>The debug trace concatenates the ticket itself, i.e. {@code KerberosTicket.toString()}.
     *       On some JDKs that text may include the encoded ticket and session key. Confirm this,
     *       and restrict access to debug trace output.</li>
     * </ul>
     *
     * @param messageContext message context used to resolve the RunAs Subject
     * @param hashMap login data; receives CLIENT_NAME, CLIENT_REALM_NAME and {@code "subject"}
     *        when a usable ticket with a non-empty client name and realm is found
     * @return the ticket found in the RunAs Subject, or {@code null} when there is no WSSContext,
     *         no RunAs Subject or no ticket
     * @throws LoginException if any exception is raised while reading the Subject or the ticket
     */
    private KerberosTicket getkrbTktFromSubject(MessageContext messageContext, HashMap hashMap) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getkrbTktFromSubject() entry...");
        }
        KerberosTicket kerberosTicket = null;
        WSSContext wSSContextFactory = WSSContextFactory.getInstance();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found a WSSContext: " + wSSContextFactory);
        }
        if (wSSContextFactory != null) {
            try {
                final Subject runAsSubject = wSSContextFactory.getRunAsSubject(messageContext);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "RunAs Subject: " + runAsSubject + " is found.");
                }
                if (runAsSubject != null) {
                    // Private credentials are read inside a privileged action, so the read runs
                    // with this class's permissions rather than those of its callers.
                    kerberosTicket = (KerberosTicket) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.8
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            Set privateCredentials = runAsSubject.getPrivateCredentials(KerberosTicket.class);
                            if (privateCredentials == null || privateCredentials.size() <= 0) {
                                return null;
                            }
                            // Only the first element is used; any further tickets are ignored.
                            Iterator it = privateCredentials.iterator();
                            if (it.hasNext()) {
                                return it.next();
                            }
                            return null;
                        }
                    });
                    if (kerberosTicket != null) {
                        if (tc.isDebugEnabled()) {
                            // NOTE(review): this renders the whole ticket via toString(); see the method comment.
                            Tr.debug(tc, "Found KerberosTicket: " + kerberosTicket);
                        }
                        if (kerberosTicket.isCurrent() && kerberosTicket.isForwardable() && !kerberosTicket.isDestroyed()) {
                            String name = kerberosTicket.getClient().getName();
                            String realm = kerberosTicket.getClient().getRealm();
                            if (KRB5Util.hasValue(name) && KRB5Util.hasValue(realm)) {
                                // Assumes the name has the form "<client>@<realm>": the "- 1" drops the
                                // separator before the realm. If the realm does not occur in the name,
                                // lastIndexOf returns -1 and substring throws, which the catch below
                                // reports as a LoginException.
                                String substring = name.substring(0, name.lastIndexOf(realm) - 1);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Use a found Kerberos ticket for " + substring + " in realm: " + realm);
                                }
                                hashMap.put(KerberosTokenConfig.CLIENT_NAME, substring);
                                hashMap.put(KerberosTokenConfig.CLIENT_REALM_NAME, realm);
                                hashMap.put("subject", runAsSubject);
                            }
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "KerberosTicket not found.");
                    }
                } else if (tc.isDebugEnabled()) {
                    // The warning is emitted only when debug trace is enabled.
                    Tr.warning(tc, "No RunAs Subject is found.");
                }
            } catch (Exception e) {
                // The LoginException message embeds the full stack text of the cause.
                Tr.processException(e, clsName + ".login", "%C", this);
                Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", e);
                throw new LoginException(newline + ConfigUtil.getMessage("security.wssecurity.KRBGenerateLoginModule.s01", new String[]{KRB5Util.stackToString(e)}));
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No WSSContext is found. Return.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getkrbTktFromSubject() exits...");
        }
        return kerberosTicket;
    }

    /**
     * Stores the supplied key identifier on the Kerberos token when the key encoding and key
     * identifier type found in the login context allow it.
     *
     * <p>The identifier is applied only if the configured encoding is absent or equals
     * {@code BASE64_BINARY} and the configured identifier type is absent or equals
     * {@code KRB5_APREQ_SHA1}. In every other case the token is left untouched.
     *
     * @param kRB5TokenImpl token that receives the identifier plus its encoding and value types
     * @param str key identifier value; it is also written to the debug trace
     * @throws LoginException declared by the signature; no statement in this body raises it directly
     */
    private void setupKEYID(KRB5TokenImpl kRB5TokenImpl, String str) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setupKEYID()");
        }
        final QName configuredEncoding = (QName) this._context.get(Constants.WSSECURITY_KEY_ENCODING);
        final QName configuredIdType = (QName) this._context.get(Constants.WSSECURITY_KEY_IDTYPE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, Constants.WSSECURITY_KEY_ENCODING + ": " + configuredEncoding);
            Tr.debug(tc, Constants.WSSECURITY_KEY_IDTYPE + ": " + configuredIdType);
        }
        // An unset value counts as a match. The id-type comparison only runs once the encoding matched.
        boolean applyIdentifier = configuredEncoding == null
                || NamespaceUtil.equals(configuredEncoding, com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY);
        if (applyIdentifier) {
            applyIdentifier = configuredIdType == null
                    || NamespaceUtil.equals(configuredIdType, com.ibm.ws.wssecurity.common.Constants.KRB5_APREQ_SHA1);
        }
        if (applyIdentifier) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Set KeyIdentifier: " + str);
            }
            kRB5TokenImpl.setKeyIdentifier(str);
            kRB5TokenImpl.setKeyIdentifierEncodingType(com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY);
            kRB5TokenImpl.setKeyIdentifierValueType(com.ibm.ws.wssecurity.common.Constants.KRB5_APREQ_SHA1);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setupKEYID()");
        }
    }

    /**
     * Returns the {@link SimpleTargetURL} for the given address string, consulting the shared
     * cache first. On a cache miss the object is constructed inside a privileged block and, when
     * non-null, inserted into the cache under the same key.
     *
     * @param str cache key and constructor argument
     * @return the cached instance, or the newly constructed one
     * @throws PrivilegedActionException wrapping the {@code MalformedURLException} or
     *         {@code UnknownHostException} that the {@code SimpleTargetURL} constructor may raise
     */
    private SimpleTargetURL getSimpleTargetURL(final String str) throws PrivilegedActionException {
        final SimpleTargetURLCache urlCache = SimpleTargetURL.getCache();
        if (!urlCache.contains(str)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, str + " key is not in cache. Insert...");
            }
            // Construction runs with this module's own privileges rather than the caller's.
            final Object built = AccessController.doPrivileged(new PrivilegedExceptionAction() {
                @Override
                public Object run() throws MalformedURLException, UnknownHostException {
                    return new SimpleTargetURL(str);
                }
            });
            final SimpleTargetURL fresh = (SimpleTargetURL) built;
            if (fresh != null) {
                urlCache.insert(str, fresh);
            }
            return fresh;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, str + " key is found in cache.");
        }
        return (SimpleTargetURL) urlCache.get(str);
    }

    /**
     * Builds the map of Kerberos login parameters, keyed by {@code KerberosTokenConfig} constants,
     * from the values carried by the token-generate callback.
     *
     * <p>With a {@code null} callback the map holds an empty client name and password, a
     * {@code null} client realm, {@code WRAPPED} = 0 and the default JAAS login configuration.
     * Otherwise the client name, password, client realm, service realm, service principal name
     * and wrap mode are resolved in that order. Missing realms fall back to the default realm of
     * the Kerberos {@code Config}; a missing service name or host falls back to the message context.
     *
     * <p>Failures while reading the Kerberos configuration or resolving the target URL are logged
     * and swallowed, so the returned map may lack realm entries or carry a {@code null} service name.
     *
     * @param kRBTokenGenerateCallback callback supplying the client and target-service settings; may be null
     * @return the populated parameter map (never null)
     */
    private HashMap finalLoginData(final KRBTokenGenerateCallback kRBTokenGenerateCallback) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "finalLoginData()");
        }
        // Value stored under WRAPPED: stays 2 unless the token value type is one of the GSS AP-REQ
        // types below, in which case it becomes 1. The meaning of each number is not visible here.
        int i = 2;
        HashMap hashMap = new HashMap();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "ktokenCB [" + ConfigUtil.getObjState(kRBTokenGenerateCallback) + "]");
        }
        if (kRBTokenGenerateCallback == null) {
            // No callback: fill in fixed defaults only.
            hashMap.put(KerberosTokenConfig.CLIENT_NAME, "");
            hashMap.put(KerberosTokenConfig.CLIENTPASSWORD, "");
            hashMap.put(KerberosTokenConfig.CLIENT_REALM_NAME, null);
            hashMap.put(KerberosTokenConfig.WRAPPED, new Integer(0));
            hashMap.put(KerberosTokenConfig.CLIENTLOGINCONF, KRB5Util.DEFAULT_JAAS_LOGIN_CONFIG);
        } else {
            String clientName = kRBTokenGenerateCallback.getClientName();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "value: [" + ConfigUtil.getObjState(clientName) + "]");
                if (clientName != null) {
                    Tr.debug(tc, "Resolved client principal: [" + clientName + "]");
                }
            }
            if (KRB5Util.hasValue(clientName)) {
                hashMap.put(KerberosTokenConfig.CLIENT_NAME, clientName);
            }
            // The password is read inside a privileged block; the trace below masks its value.
            char[] cArr = (char[]) AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule.10
                @Override // java.security.PrivilegedAction
                public Object run() {
                    return kRBTokenGenerateCallback.getClientPassword();
                }
            });
            if (KRB5Util.hasValue(cArr)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Resolved client password: ******");
                }
                // NOTE(review): the char[] is copied into an immutable String that lives as long as
                // this map, so the password cannot be wiped after use, and cArr itself is not
                // cleared here. Confirm the consumer of CLIENTPASSWORD needs a String.
                hashMap.put(KerberosTokenConfig.CLIENTPASSWORD, new String(cArr));
            } else {
                if (tc.isDebugEnabled()) {
                    // NOTE(review): this reports the state of clientName, not of the password array;
                    // looks like a copy/paste slip in the trace text - verify.
                    Tr.debug(tc, "Resolved client password: [" + ConfigUtil.getObjState(clientName) + "]");
                }
                hashMap.put(KerberosTokenConfig.CLIENTPASSWORD, "");
            }
            String clientKerberosRealm = kRBTokenGenerateCallback.getClientKerberosRealm();
            // Default realm read from the Kerberos Config; kept so the service-realm fallback below
            // can reuse it without a second lookup.
            String str = null;
            try {
                if (!KRB5Util.hasValue(clientKerberosRealm)) {
                    Config config = Config.getInstance();
                    if (config != null) {
                        str = config.getDefaultRealm();
                        clientKerberosRealm = str;
                    } else {
                        Tr.error(tc, "security.wssecurity.LoginProcessor.s11", "Unable to locate a Kerberos configuration. Please verify the Kerberos configuration and keytab file.");
                    }
                }
            } catch (Throwable th) {
                // Logged but not rethrown: processing continues with the client realm unresolved.
                FFDCFilter.processException(th, "com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule", "%C", this);
                Tr.processException(th, clsName + ".login", "%C", this);
                Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", "\nUnable to locate a Kerberos configuration. Please verify the Kerberos configuration and keytab file.\n" + KRB5Util.stackToString(th));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved client Kerberos realm: " + clientKerberosRealm);
            }
            if (KRB5Util.hasValue(clientKerberosRealm)) {
                hashMap.put(KerberosTokenConfig.CLIENT_REALM_NAME, clientKerberosRealm);
            }
            String targetServiceKerberosRealm = kRBTokenGenerateCallback.getTargetServiceKerberosRealm();
            if (!KRB5Util.hasValue(targetServiceKerberosRealm)) {
                // The service realm falls back to the default realm, fetched now if not read above.
                if (str == null) {
                    try {
                        Config config2 = Config.getInstance();
                        if (config2 != null) {
                            str = config2.getDefaultRealm();
                        } else {
                            Tr.error(tc, "security.wssecurity.LoginProcessor.s11", "Unable to locate a Kerberos configuration. Please verify the Kerberos configuration and keytab file.");
                        }
                    } catch (Throwable th2) {
                        // Same best-effort handling as above: log and carry on.
                        FFDCFilter.processException(th2, "com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule", "%C", this);
                        Tr.processException(th2, clsName + ".login", "%C", this);
                        Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", "\nUnable to locate a Kerberos configuration. Please verify the Kerberos configuration and keytab file.\n" + KRB5Util.stackToString(th2));
                    }
                }
                targetServiceKerberosRealm = str;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved service Kerberos realm name: " + targetServiceKerberosRealm);
            }
            if (KRB5Util.hasValue(targetServiceKerberosRealm)) {
                hashMap.put(KerberosTokenConfig.SERVICE_REALM_NAME, targetServiceKerberosRealm);
            }
            // Service principal name ("service/host"); stays null unless both parts resolve.
            String str2 = null;
            String targetServiceName = kRBTokenGenerateCallback.getTargetServiceName();
            if (!KRB5Util.hasValue(targetServiceName)) {
                // Fall back to the Axis service name, cut at the first policy delimiter.
                targetServiceName = this.messageContext.getAxisService().getName();
                if (targetServiceName != null && targetServiceName.contains(PolicyAttributesConstants.DELIMITER)) {
                    targetServiceName = targetServiceName.substring(0, targetServiceName.indexOf(PolicyAttributesConstants.DELIMITER));
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved service name: " + targetServiceName);
            }
            String targetServiceHostName = kRBTokenGenerateCallback.getTargetServiceHostName();
            if (!KRB5Util.hasValue(targetServiceHostName)) {
                SimpleTargetURL simpleTargetURL = null;
                // NOTE(review): getTo() is dereferenced without a null check - confirm the message
                // context always carries a To endpoint reference on this path.
                String address = this.messageContext.getTo().getAddress();
                if (address == null) {
                    address = (String) this.messageContext.getProperty(endptAddress_JAXWS);
                }
                if (address != null) {
                    // Keep everything before the third "/" of the address (for an absolute URL that
                    // is the "scheme://authority" part); "/" delimiters are returned as tokens.
                    StringTokenizer stringTokenizer = new StringTokenizer(address, "/", true);
                    StringBuffer stringBuffer = new StringBuffer();
                    int i2 = 0;
                    while (stringTokenizer.hasMoreTokens()) {
                        String nextToken = stringTokenizer.nextToken();
                        if (nextToken.equals("/")) {
                            i2++;
                        }
                        if (i2 == 3) {
                            break;
                        }
                        stringBuffer.append(nextToken);
                    }
                    String stringBuffer2 = stringBuffer.toString();
                    // Always true; presumably a decompiler leftover of a removed condition.
                    if (0 == 0) {
                        try {
                            simpleTargetURL = getSimpleTargetURL(stringBuffer2);
                        } catch (PrivilegedActionException e) {
                            // Logged but not rethrown: the host name is left unresolved.
                            FFDCFilter.processException(e, "com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule", "%C", this);
                            Tr.processException(e, clsName + ".login", "%C", this);
                            Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s01", newline + KRB5Util.stackToString(e));
                            targetServiceHostName = null;
                        }
                    }
                    if (simpleTargetURL != null) {
                        // NOTE(review): the SimpleTargetURL constructor is declared to throw
                        // UnknownHostException, so this host name may come from name resolution.
                        // The SPN is then only as trustworthy as the resolver; consider requiring an
                        // explicit target host on the callback where DNS is not trusted - confirm.
                        targetServiceHostName = simpleTargetURL.getHostname();
                    }
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved service host name: " + targetServiceHostName);
            }
            if (KRB5Util.hasValue(targetServiceName) && KRB5Util.hasValue(targetServiceHostName)) {
                str2 = targetServiceName + "/" + targetServiceHostName;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved service principal name(SPN): " + str2);
            }
            // Stored unconditionally, so SERVICE_NAME maps to null when the SPN could not be built.
            hashMap.put(KerberosTokenConfig.SERVICE_NAME, str2);
            QName valueType = kRBTokenGenerateCallback.getValueType();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved Kerberos token type: " + valueType);
            }
            // NOTE(review): a null value type raises NullPointerException here - verify that
            // getValueType() never returns null.
            if (valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN) || valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ1510_TOKEN) || valueType.equals(com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ4120_TOKEN)) {
                i = 1;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved to GSS wrap? " + i);
            }
            hashMap.put(KerberosTokenConfig.WRAPPED, new Integer(i));
            if (tc.isDebugEnabled()) {
                // The trace text is hard-coded; the value actually stored is the constant below.
                Tr.debug(tc, "Resolved client JAAS Kerberos login: JAASClient");
            }
            hashMap.put(KerberosTokenConfig.CLIENTLOGINCONF, KRB5Util.DEFAULT_JAAS_LOGIN_CONFIG);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "finalLoginData()");
        }
        return hashMap;
    }

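    /**
     * Builds the {@code BinarySecurityToken} element that carries the Base64-encoded Kerberos token.
     *
     * <p>The element reuses the parent's prefixes for the WS-Security and utility namespaces when
     * the parent declares them, and otherwise declares {@code wsse} / {@code wsu} itself. An
     * {@code Id} attribute is added only when {@code str} is non-null. The {@code ValueType}
     * attribute comes from the generator configuration and defaults to
     * {@code KRB5_GSS_AP_REQ_TOKEN}.
     *
     * <p>Changes from the earlier version: the utility-namespace prefix lookup is now guarded
     * against a null parent, matching the guard already used for the {@code wsse} lookup; and the
     * exit trace names the element instead of concatenating the element itself, because the
     * element's string form can serialize its content (Axiom elements do), which would put the
     * encoded token into the trace log. The entry trace already avoids printing the token bytes.
     *
     * @param oMFactory factory used to create the element, its text node and namespaces
     * @param oMElement parent element consulted for existing namespace prefixes; may be null
     * @param tokenGeneratorConfig configuration supplying the token value type
     * @param bArr raw token bytes, Base64-encoded into the element text (a null value is passed
     *        to the encoder unchanged - NOTE(review): confirm the encoder accepts null)
     * @param str value for the {@code Id} attribute, or null to omit the attribute
     * @param i WS-Security version, used unchecked as a column index into {@code Constants.NAMESPACES}
     * @return the newly created, unattached token element
     */
    private static final OMElement createTokenElement(OMFactory oMFactory, OMElement oMElement, TokenGeneratorConfig tokenGeneratorConfig, byte[] bArr, String str, int i) {
        if (tc.isEntryEnabled()) {
            StringBuffer entryTrace = new StringBuffer("createTokenElement(");
            entryTrace.append("OMFactory factory,");
            entryTrace.append("OMElement parent[").append(DOMUtils.getDisplayName((OMNode) oMElement)).append("], ");
            entryTrace.append("TokenGeneratorConfig config, ");
            entryTrace.append("byte[] credToken[");
            // Only the presence of the token is traced, never its bytes.
            entryTrace.append(bArr == null ? "null" : "not null");
            entryTrace.append("], ");
            entryTrace.append("String id[").append(str).append("], ");
            entryTrace.append("int wssVersion[").append(i).append("])");
            Tr.entry(tc, entryTrace.toString());
        }
        String wsseNamespace = com.ibm.ws.wssecurity.common.Constants.NAMESPACES[0][i];
        String wsuNamespace = com.ibm.ws.wssecurity.common.Constants.NAMESPACES[1][i];

        // Reuse the parent's wsse prefix when there is one, otherwise declare our own.
        String wssePrefix = null;
        if (oMElement != null) {
            wssePrefix = DOMUtils.getNamespacePrefix(oMElement, wsseNamespace);
        }
        boolean declareWsse = wssePrefix == null;
        if (declareWsse) {
            wssePrefix = "wsse";
        }
        OMElement tokenElement = oMFactory.createOMElement("BinarySecurityToken", wsseNamespace, wssePrefix);
        if (declareWsse) {
            tokenElement.declareNamespace(wsseNamespace, "wsse");
        }

        if (str != null) {
            // Same null-parent guard as for the wsse prefix above.
            String wsuPrefix = null;
            if (oMElement != null) {
                wsuPrefix = DOMUtils.getNamespacePrefix(oMElement, wsuNamespace);
            }
            if (wsuPrefix == null) {
                wsuPrefix = "wsu";
                tokenElement.declareNamespace(wsuNamespace, "wsu");
            }
            tokenElement.addAttribute("Id", str, oMFactory.createOMNamespace(com.ibm.ws.wssecurity.common.Constants.NS_WSU, wsuPrefix));
        }

        QName type = tokenGeneratorConfig.getType();
        if (type == null) {
            type = com.ibm.ws.wssecurity.common.Constants.KRB5_GSS_AP_REQ_TOKEN;
        }
        DOMUtils.setQNameAttr(tokenElement, null, "ValueType", type, i);
        tokenElement.addChild(oMFactory.createOMText(Base64.encode(bArr)));

        if (tc.isEntryEnabled()) {
            StringBuffer exitTrace = new StringBuffer("createTokenElement(");
            exitTrace.append("OMFactory, OMElement, TokenGeneratorConfig, byte[], String, int)");
            // Trace the element's display name only; see the method comment.
            exitTrace.append(" returns OMElement[").append(DOMUtils.getDisplayName((OMNode) tokenElement)).append("]");
            Tr.exit(tc, exitTrace.toString());
        }
        return tokenElement;
    }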

    /**
     * Builds a {@code SecurityTokenReference} element containing a single {@code KeyIdentifier}
     * child whose text is the supplied identifier, with {@code EncodingType} set to
     * {@code BASE64_BINARY} and {@code ValueType} set to {@code KRB5_APREQ_SHA1}.
     *
     * @param oMFactory factory used to create the elements
     * @param oMElement parent element consulted for an existing WS-Security prefix; may be null
     * @param str key identifier text placed in the {@code KeyIdentifier} element
     * @param i WS-Security version, used unchecked as a column index into {@code Constants.NAMESPACES}
     * @return the newly created, unattached reference element
     */
    private static final OMElement createSecurityTokenReferenceElement(OMFactory oMFactory, OMElement oMElement, String str, int i) {
        final String wsseNamespace = com.ibm.ws.wssecurity.common.Constants.NAMESPACES[0][i];
        // Read but never used; the array access is kept so an out-of-range version fails as before.
        final String wsuNamespace = com.ibm.ws.wssecurity.common.Constants.NAMESPACES[1][i];

        String prefix = (oMElement == null) ? null : DOMUtils.getNamespacePrefix(oMElement, wsseNamespace);
        final boolean prefixMissing = (prefix == null);
        if (prefixMissing) {
            prefix = "wsse";
        }

        final OMElement reference = oMFactory.createOMElement("SecurityTokenReference", wsseNamespace, prefix);
        if (prefixMissing) {
            reference.declareNamespace(wsseNamespace, "wsse");
        }

        final OMElement keyIdentifier = oMFactory.createOMElement("KeyIdentifier", wsseNamespace, prefix);
        // The created namespace object is discarded; the call is kept as it was.
        oMFactory.createOMNamespace(com.ibm.ws.wssecurity.common.Constants.NS_WSSE, "wsse");
        DOMUtils.setQNameAttr(keyIdentifier, null, "EncodingType", com.ibm.ws.wssecurity.common.Constants.BASE64_BINARY, i);
        DOMUtils.setQNameAttr(keyIdentifier, null, "ValueType", com.ibm.ws.wssecurity.common.Constants.KRB5_APREQ_SHA1, i);
        keyIdentifier.setText(str);

        reference.addChild(keyIdentifier);
        return reference;
    }

    /**
     * Returns the first {@link KRB5TokenImpl} among the tokens that the manager holds for the
     * given generator configuration.
     *
     * @param tokenGeneratorConfig configuration used to select the tokens
     * @param securityTokenManager manager queried for the tokens
     * @return the first Kerberos token found, or null when the manager returns no tokens or none
     *         of them is a {@code KRB5TokenImpl}
     */
    private static final KRB5TokenImpl getToken(TokenGeneratorConfig tokenGeneratorConfig, SecurityTokenManager securityTokenManager) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getToken(TokenGeneratorConfig config, byte[] binary[], SecurityTokenManager securityTokenManager)");
        }
        KRB5TokenImpl match = null;
        final Collection<SecurityToken> candidates = securityTokenManager.getTokens(tokenGeneratorConfig);
        if (candidates != null && !candidates.isEmpty()) {
            for (SecurityToken candidate : candidates) {
                if (candidate instanceof KRB5TokenImpl) {
                    match = (KRB5TokenImpl) candidate;
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getToken(TokenGeneratorConfig, byte[], SecurityTokenManager)");
        }
        return match;
    }

    /**
     * Creates the signing and encryption keys from the token's AP-REQ key bytes and stores them
     * on the token under key ids 61 and 62 (the debug text labels these
     * {@code SecurityToken.SIGNING_KEY} and {@code SecurityToken.ENCRYPTING_KEY}).
     *
     * <p>The algorithms come from the login context ({@code KEY_ALGORITHM}, assigned to the
     * signature or encryption slot depending on the key type) and are overridden by the policy
     * algorithm suite when the generator configuration is a {@code PolicyOutboundConfig}. Only
     * {@code HmacSHA1} (signing) and {@code AES} / {@code DESede} (encryption) produce a key;
     * any other algorithm leaves the corresponding slot null, and that null is still passed to
     * {@code setKey}.
     *
     * @param kRB5TokenImpl token that supplies the key bytes and receives the generated keys
     * @throws LoginException when anything inside the key-generation block fails; the message
     *         embeds the stringified stack trace of the cause
     */
    private void createKey(KRB5TokenImpl kRB5TokenImpl) throws LoginException {
        boolean equals;
        boolean equals2;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createKey()");
        }
        // Slot 0 holds the signing key, slot 1 the encryption key.
        Key[] keyArr = new Key[2];
        String str = (String) this._context.get(Constants.WSSECURITY_KEY_TYPE);
        if (str == null) {
            equals2 = false;
            equals = false;
        } else {
            // equals: signing key requested; equals2: encrypting key requested.
            equals = WSSKeyInfoComponent.KEY_SIGNING.equals(str);
            equals2 = WSSKeyInfoComponent.KEY_ENCRYPTING.equals(str);
            if (tc.isDebugEnabled()) {
                if (equals) {
                    Tr.debug(tc, "Signing key type");
                } else if (equals2) {
                    Tr.debug(tc, " Encrypting key type");
                }
            }
        }
        String str2 = (String) this._context.get(Constants.WSSECURITY_KEYINFO_TYPE);
        if (str2 != null) {
            // The result is discarded; presumably a decompiler leftover of an unused local.
            ConfigUtil.isKeyInfoStrref(str2);
        }
        WSSGeneratorConfig wSSGeneratorConfig = (WSSGeneratorConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssGenerator.configKey");
        // str3: encryption algorithm, str4: signature algorithm.
        String str3 = null;
        String str4 = null;
        if (equals) {
            str4 = (String) this._context.get(com.ibm.ws.wssecurity.common.Constants.KEY_ALGORITHM);
        }
        if (equals2) {
            str3 = (String) this._context.get(com.ibm.ws.wssecurity.common.Constants.KEY_ALGORITHM);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The supplied algorithms from WSSAPI, Encryption Algorithm: " + str3 + " and Signature Algorithm: = " + str4);
        }
        if (wSSGeneratorConfig instanceof PolicyOutboundConfig) {
            // The policy algorithm suite replaces both values, whatever the key type was.
            str3 = ((PolicyOutboundConfig) wSSGeneratorConfig).getEncryptionAlgorithm();
            str4 = ((PolicyOutboundConfig) wSSGeneratorConfig).getSymmetricSignatureAlgorithm();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The supplied algorithms from algorithm suite, Encryption Algorithm: " + str3 + " and Signature Algorithm: = " + str4);
            }
        }
        // Map the configured algorithm identifiers to JCE names; the meaning of the boolean flags
        // is defined in DKTGenerateLoginModule and not visible here.
        if (KRB5Util.hasValue(str3)) {
            str3 = DKTGenerateLoginModule.mapKeyAlgorithm2JCE(str3, false, false, false, true);
        }
        if (KRB5Util.hasValue(str4)) {
            str4 = DKTGenerateLoginModule.mapKeyAlgorithm2JCE(str4, false, false, true, false);
        }
        // NOTE(review): the token is dereferenced here, before the null check further down and
        // outside the try block, so a null token surfaces as NullPointerException rather than
        // LoginException.
        byte[] aPREQKeyByte = kRB5TokenImpl.getAPREQKeyByte();
        if (tc.isDebugEnabled()) {
            // Only the key length is traced, not the key bytes.
            Tr.debug(tc, "Kerberos key length is " + ((aPREQKeyByte == null || aPREQKeyByte.length == 0) ? 0 : aPREQKeyByte.length));
        }
        try {
            if (tc.isDebugEnabled()) {
                // NOTE(review): confirm that KRB5TokenImpl's string form does not include key or
                // ticket material before enabling debug trace in production.
                Tr.debug(tc, "Security token: " + kRB5TokenImpl);
            }
            // NOTE(review): the same raw key bytes back both the HMAC key and the cipher key, and no
            // key-derivation step is visible in this method - confirm whether key separation is
            // handled elsewhere (e.g. by a derived-key policy).
            if (str4 != null && str4.compareTo("HmacSHA1") == 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Generating key for..." + str4);
                }
                keyArr[0] = new SecretKeySpec(aPREQKeyByte, "HmacSHA1");
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not generating key for..." + str4);
            }
            // The "IBMJCE" provider is requested by name for both cipher key factories.
            if (str3 != null && str3.compareTo("AES") == 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Generating key for..." + str3);
                }
                keyArr[1] = SecretKeyFactory.getInstance("AES", "IBMJCE").generateSecret(new AESKeySpec(aPREQKeyByte));
            } else if (str3 != null && str3.compareTo("DESede") == 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Generating key for..." + str3);
                }
                keyArr[1] = SecretKeyFactory.getInstance("DESede", "IBMJCE").generateSecret(new DESedeKeySpec(aPREQKeyByte));
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not generating key for..." + str3);
            }
            // Cannot be false when reached: getAPREQKeyByte() above already dereferenced the token.
            if (kRB5TokenImpl != null) {
                if (tc.isDebugEnabled()) {
                    // NOTE(review): the Key objects are concatenated into the trace text; verify
                    // that the provider's key classes do not print key bytes from toString().
                    Tr.debug(tc, "Adding " + keyArr[0] + " for SecurityToken.SIGNING_KEY  in " + kRB5TokenImpl);
                }
                kRB5TokenImpl.setKey(61, keyArr[0]);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding " + keyArr[1] + " for SecurityToken.ENCRYPTING_KEY  in " + kRB5TokenImpl);
                }
                kRB5TokenImpl.setKey(62, keyArr[1]);
            }
            // The exit trace is emitted on the success path only.
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createKey()");
            }
        } catch (Throwable th) {
            Tr.processException(th, clsName + ".createKey", "%C", this);
            Tr.error(tc, "security.wssecurity.KRBGenerateLoginModule.s02", newline + KRB5Util.stackToString(th));
            // NOTE(review): the exception message carries the full stack trace text; confirm it is
            // never returned to a remote peer (e.g. in a SOAP fault), where it would expose internals.
            throw new LoginException("Failed to generate key: " + KRB5Util.stackToString(th));
        }
    }

    /**
     * Creates a Kerberos token object from the attribute map of a TGS authentication token by
     * delegating to the shared token factory.
     *
     * @param tGSAuthToken source token whose map form is handed to the factory; must not be null
     * @return the factory's result cast to {@link KRB5TokenImpl}
     * @throws LoginException declared by the signature; no statement in this body raises it directly
     */
    public static KRB5TokenImpl createKrbTokenImpl(TGSAuthToken tGSAuthToken) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createKrbTokenImpl()");
        }
        final Object created = _tokenFactory.createToken(tGSAuthToken.getTGSAuthTokenAsMap());
        final KRB5TokenImpl krbToken = (KRB5TokenImpl) created;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createKrbTokenImpl()");
        }
        return krbToken;
    }
}
