package com.ibm.ws.security.token;

import com.ibm.ISecurityUtilityImpl.RealmSecurityName;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ras.RASFormatter;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.kerberos.Krb5WSCredentialUtils;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.spnego.Constants;
import com.ibm.wsspi.security.csiv2.CSIv2PerformPolicy;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.KerberosToken;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/ibm/ws/security/token/KerberosServiceTicketImpl.class */
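/**
 * A WebSphere {@code KerberosToken} that carries a Kerberos GSS initial-context token
 * (in the krb5 mechanism, an AP-REQ) for one target service, obtained by running the
 * initiator side of {@link GSSContext#initSecContext} with the caller's {@link GSSCredential}.
 *
 * <p>Security notes for callers and maintainers:
 * <ul>
 *   <li>{@link #getBytes()} is a bearer token for {@link #targetServerName}: anyone who can
 *       replay it within its validity window can impersonate the caller to that service.
 *       Do not log or persist it.</li>
 *   <li>Context initiation always calls {@code requestCredDeleg(true)}, i.e. it asks that the
 *       caller's credentials be delegated to the target. There is no per-target policy check
 *       in this class; whether delegation is actually granted presumably depends on the TGT
 *       flags and KDC policy (not verified here).</li>
 *   <li>{@link #isValid()} reports only that the underlying credential has remaining lifetime.
 *       It does NOT indicate that a service ticket was obtained: when acquisition fails the
 *       failure is recorded via FFDC and {@link #getBytes()} returns {@code null}. Callers must
 *       check {@code getBytes() != null} before sending the token.</li>
 *   <li>{@link #getPrincipal()} has a side effect: it records the mapped principal as the
 *       {@code "u"} token attribute.</li>
 * </ul>
 */
public class KerberosServiceTicketImpl extends AbstractTokenImpl implements KerberosToken {

    private static final TraceComponent tc = Tr.register((Class<?>) KerberosServiceTicketImpl.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);

    /** Kerberos V5 GSS mechanism OID (dotted-decimal) used for both name and context creation. */
    private static final String KERBEROS_MECH = Constants.OID_KRB5_MECH;

    /** FFDC probe id used when service-ticket acquisition fails (kept from the original build). */
    private static final String FFDC_PROBE_GET_SERVICE_TICKET = "1571";

    /** GSS initial-context token for {@link #targetServerName}; {@code null} if acquisition failed. */
    private byte[] tokenBytes;

    /** The initiator credential (typically the caller's TGT). Never {@code null} after construction. */
    private GSSCredential gssCredential;

    /**
     * Target service principal exactly as supplied by the CSIv2 perform policy,
     * e.g. {@code "HTTP/host.example.com@REALM"}.
     */
    private String targetServerName;

    private String tokenName = AttributeNameConstants.WSKERBEROSTICKET_NAME;

    /** Token-API forwardable flag. Always true; never consulted when requesting delegation. */
    private boolean forwardable = true;

    private boolean isReadOnly = false;

    private short version = 1;

    /**
     * Builds a service ticket token for the target named by {@code cSIv2PerformPolicy}, using the
     * credential held by {@code kerberosTokenImpl}.
     *
     * @param kerberosTokenImpl   source of the initiator {@link GSSCredential}
     * @param cSIv2PerformPolicy  supplies the target security name (service principal)
     * @throws NullPointerException  if the policy carries no target security name, or the source
     *                               token has no {@link GSSCredential}
     * @throws IllegalStateException if the source credential has no remaining lifetime
     */
    public KerberosServiceTicketImpl(KerberosTokenImpl kerberosTokenImpl, CSIv2PerformPolicy cSIv2PerformPolicy) {
        String targetHostName = cSIv2PerformPolicy.getTargetHostName();
        String targetSecurityName = cSIv2PerformPolicy.getTargetSecurityName();
        // Kept unconditional (as in the original) in case the utility has side effects; only used for trace.
        String securityName = RealmSecurityName.getSecurityName(targetSecurityName);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "hostName: " + targetHostName);
            Tr.debug(tc, "targetRealmSecurityName: " + targetSecurityName);
            Tr.debug(tc, "targetSecurityName: " + securityName);
        }
        if (targetSecurityName == null) {
            // The original dereferenced this implicitly; make the failure explicit.
            throw new NullPointerException("No target security name");
        }
        this.targetServerName = targetSecurityName;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "KerberosServiceTicketImpl server = " + this.targetServerName);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Calling initSecContext with targetServerName: " + this.targetServerName + " realm: " + realmOf(this.targetServerName));
        }
        this.gssCredential = kerberosTokenImpl.getGSSCredential();
        if (this.gssCredential == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Missing GSSCredential in KerberosTokenImpl object");
            }
            throw new NullPointerException("No GSSCredential");
        }
        if (!kerberosTokenImpl.isValid()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Expired GSSCredential in KerberosTokenImpl object");
            }
            throw new IllegalStateException("Expired GSSCredential");
        }
        // May legitimately leave tokenBytes null on failure; see class Javadoc.
        this.tokenBytes = getServiceTicket();
    }

    /**
     * Copy constructor used by {@link #clone()}. Note that it does NOT copy the token bytes:
     * it re-runs context initiation against the same target with the same credential, so the
     * copy holds a freshly generated initial-context token.
     *
     * <p>NOTE(review): {@code isReadOnly}, {@code version} and any attributes held by
     * {@code AbstractTokenImpl} are not copied here — confirm that is intended.
     *
     * @throws NullPointerException  if the source token has no {@link GSSCredential}
     * @throws IllegalStateException if the source credential has no remaining lifetime
     */
    public KerberosServiceTicketImpl(KerberosServiceTicketImpl kerberosServiceTicketImpl) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "KerberosServiceTicketImpl server = " + kerberosServiceTicketImpl.targetServerName);
        }
        this.targetServerName = kerberosServiceTicketImpl.targetServerName;
        this.gssCredential = kerberosServiceTicketImpl.gssCredential;
        if (this.gssCredential == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "gssCredential is null");
            }
            throw new NullPointerException("No GSSCredential");
        }
        if (!kerberosServiceTicketImpl.isValid()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Expired GSSCredential in KerberosServiceTicketImpl object");
            }
            throw new IllegalStateException("Expired GSSCredential");
        }
        this.tokenBytes = getServiceTicket();
    }

    /** Realm part of a {@code name@REALM} principal, or {@code ""} when there is no {@code @}. */
    private static String realmOf(String principal) {
        int at = principal.indexOf('@');
        return at == -1 ? "" : principal.substring(at + 1);
    }

    /**
     * Converts a Kerberos-style service principal to the GSS {@code NT_HOSTBASED_SERVICE} form.
     * {@code "HTTP/host.example.com@REALM"} becomes {@code "HTTP@host.example.com"}: the realm
     * suffix is dropped and the slash becomes {@code @}. A name without a slash is passed through
     * unchanged (realm included).
     *
     * <p>NOTE(review): every slash is replaced, so a principal with more than one slash yields a
     * name with several {@code @} — behaviour preserved from the original, presumably never hit.
     */
    private static String toHostBasedServiceName(String principal) {
        if (principal.indexOf('/') == -1) {
            return principal;
        }
        int at = principal.indexOf('@');
        String withoutRealm = at == -1 ? principal : principal.substring(0, at);
        return withoutRealm.replace("/", "@");
    }

    /**
     * Runs the initiator side of GSS context establishment against {@link #targetServerName}
     * and returns the first (and, for krb5 without mutual auth, only) context token.
     *
     * <p>Credential delegation is always requested. The {@link GSSContext} is disposed before
     * returning because nothing retains it — the server's reply is never fed back in.
     *
     * @return the initial-context token bytes, or {@code null} if any step failed (the failure
     *         is traced and reported through FFDC; it is not propagated)
     */
    private byte[] getServiceTicket() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServiceTicket for target service " + this.targetServerName);
        }
        GSSManager manager = GSSManager.getInstance();
        byte[] token = null;
        GSSContext context = null;
        // Names the step in progress so a GSSException is traced with the same wording the
        // original per-step handlers used.
        String step = "getting OID";
        try {
            Oid krb5 = new Oid(KERBEROS_MECH);
            String gssServiceName = toHostBasedServiceName(this.targetServerName);

            step = "calling createName";
            GSSName target = manager.createName(gssServiceName, GSSName.NT_HOSTBASED_SERVICE, krb5);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "targetGSSServiceName: " + gssServiceName);
            }

            step = "calling createContext";
            // Lifetime 0 == GSSContext.DEFAULT_LIFETIME.
            context = manager.createContext(target, krb5, this.gssCredential, 0);

            step = "calling requestCredDeleg";
            // SECURITY: unconditionally asks to delegate the caller's credentials to the target.
            context.requestCredDeleg(true);

            step = "calling initSecContext";
            token = context.initSecContext((byte[]) null, 0, 0);
            if (tc.isDebugEnabled()) {
                if (token != null) {
                    // Logs length and array identity only, never the token contents.
                    Tr.debug(tc, "Token = " + token.length + RASFormatter.DEFAULT_SEPARATOR + token);
                }
                if (context.isEstablished()) {
                    Tr.debug(tc, "initSecContext: clientContext established successfully.");
                } else {
                    Tr.debug(tc, "initSecContext: clientContext not established.");
                }
            }
        } catch (GSSException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception " + step + ": " + e.getMessage());
            }
            recordServiceTicketFailure(e);
        } catch (RuntimeException e) {
            recordServiceTicketFailure(e);
        } finally {
            disposeQuietly(context);
        }
        if (tc.isEntryEnabled()) {
            if (token == null) {
                Tr.exit(tc, "getInitialContextToken returns null.");
            } else {
                Tr.exit(tc, "getServiceTicket returns a service ticket.");
            }
        }
        return token;
    }

    /** Reports a failed acquisition through FFDC and exit trace; the caller returns {@code null}. */
    private void recordServiceTicketFailure(Exception e) {
        FFDCFilter.processException(e, "com.ibm.ws.security.token.KerberosServiceTicketImpl.getServiceTicket", FFDC_PROBE_GET_SERVICE_TICKET, this);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "Exception occurred getting service ticket.", new Object[]{e});
        }
    }

    /** Releases a context that is no longer needed; a failure to dispose is traced, not propagated. */
    private static void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception disposing GSSContext: " + e.getMessage());
            }
        }
    }

    /**
     * True while the underlying credential reports a positive remaining lifetime.
     * This says nothing about whether {@link #getBytes()} is non-null.
     *
     * @return {@code false} if there is no credential or its lifetime cannot be read
     */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public boolean isValid() {
        if (this.gssCredential == null) {
            return false;
        }
        try {
            return this.gssCredential.getRemainingLifetime() > 0;
        } catch (Exception e) {
            // Best-effort, as in the original: an unreadable lifetime counts as expired.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting expiraion from GSSCredential.", new Object[]{e});
            }
            return false;
        }
    }

    /**
     * Absolute expiry of the underlying credential in epoch milliseconds.
     *
     * <p>The multiplication is done in {@code long}: {@code getRemainingLifetime()} returns
     * seconds as an {@code int} and may be {@link GSSCredential#INDEFINITE_LIFETIME}
     * ({@code Integer.MAX_VALUE}), which overflowed the original {@code int * 1000}.
     *
     * @return expiry time, or {@code -1} if the lifetime cannot be read
     */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public long getExpiration() {
        try {
            long remainingSeconds = this.gssCredential.getRemainingLifetime();
            return remainingSeconds * 1000L + System.currentTimeMillis();
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting expiraion from GSSCredential.", new Object[]{e});
            }
            return -1L;
        }
    }

    /**
     * Always {@code true} for this token type. Presumably the Token-API sense (the runtime may
     * propagate the token); it is unrelated to the Kerberos FORWARDABLE ticket flag, which this
     * class never inspects.
     */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public boolean isForwardable() {
        return this.forwardable;
    }

    /**
     * Maps the credential's GSS name to a registry DN via {@code Krb5WSCredentialUtils} and, as a
     * side effect, stores it as the {@code "u"} attribute of this token.
     *
     * @return the mapped principal, or {@code null} if there is no credential or mapping fails
     */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public String getPrincipal() {
        if (this.gssCredential == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "GSSCredential is null, cannot get principal.");
            }
            return null;
        }
        String principal = null;
        try {
            principal = Krb5WSCredentialUtils.Krb5ToRegistryDN(this.gssCredential.getName().toString());
            addAttribute("u", principal);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting principal name from GSSCredential.", new Object[]{e});
            }
        }
        return principal;
    }

    /** Same value (and same side effect) as {@link #getPrincipal()}. */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public String getUniqueID() {
        return getPrincipal();
    }

    /**
     * The GSS initial-context token, or {@code null} if acquisition failed. The array is returned
     * as-is (no defensive copy), matching the original contract.
     */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public byte[] getBytes() {
        return this.tokenBytes;
    }

    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public String getName() {
        return this.tokenName;
    }

    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public short getVersion() {
        return this.version;
    }

    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.AuthenticationToken
    public boolean isBasicAuth() {
        return false;
    }

    /** Marks the token read-only. Note that no mutator in this class checks the flag. */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public void setReadOnly() {
        this.isReadOnly = true;
    }

    /**
     * Returns a copy built with the copy constructor (which re-acquires a fresh service ticket),
     * or {@code null} if that fails; the failure is traced and reported through FFDC.
     */
    @Override // com.ibm.ws.security.token.AbstractTokenImpl, com.ibm.wsspi.security.token.Token
    public Object clone() {
        try {
            return new KerberosServiceTicketImpl(this);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating clone of Kerberos service ticket.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.security.token.KerberosServiceTicketImpl.clone", "662");
            return null;
        }
    }

    /** The initiator credential this token was built from (shared, not copied). */
    @Override // com.ibm.wsspi.security.token.KerberosToken
    public GSSCredential getGSSCredential() {
        return this.gssCredential;
    }
}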
