package com.ibm.ws.security.zOS;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.NotificationConstants;
import com.ibm.websphere.security.CertificateMapFailedException;
import com.ibm.websphere.security.DistributedUserMappingFailedException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.AuthenticationFailedException;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.websphere.wim.exception.WIMException;
import com.ibm.websphere.wim.util.PrincipalUtil;
import com.ibm.ws.security.auth.Cache;
import com.ibm.ws.security.auth.CacheEvictionListener;
import com.ibm.ws.security.auth.CacheException;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.auth.WSPasswordCheckFailedException;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.JAASLoginConfig;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.profiletask.MessageFormatHelper;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.util.PlatformHelperFactory;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.ResourceBundle;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.CredentialExpiredException;

/* loaded from: input_file:com/ibm/ws/security/zOS/PlatformCredentialManager.class */
public class PlatformCredentialManager {
    /** Audit string for the unauthenticated/default identity; not referenced by the code visible in this class (presumably consumed by PlatformCredential's no-arg constructor — confirm). */
    public static final String DEFAULT_UNAUTHENTICATED_AUDIT_STRING = "WebSphere Default/Unauthenticated Login";
    /** Security-config property that sizes the credential cache; initializeCache() reads it (by its literal value). */
    public static final String AUTH_CACHE_MAX_SIZE = "com.ibm.websphere.security.util.authCacheMaxSize";
    // Audit strings recorded with the credentials built by the short-form factory methods below
    // (createPasswordCredential/createCertificateCredential/createCredential/createServerCredential/createMappedCredential).
    private static final String DEFAULT_PASSWORD_AUDIT_STRING = "WebSphere Userid/Password Login";
    private static final String DEFAULT_CERTIFICATE_AUDIT_STRING = "WebSphere Certificate Login";
    private static final String DEFAULT_AUTHORIZED_CREATE_AUDIT_STRING = "WebSphere Authorized Login";
    private static final String DEFAULT_SERVER_AUDIT_STRING = "WebSphere Server Identity";
    private static final String DEFAULT_MAPPED_AUDIT_STRING = "WebSphere Mapped Login";
    // Holds two kinds of entries: PlatformCredential -> SAFCredentialTokenImpl (authenticateCredential/refreshCredential)
    // and token-string -> PlatformCredential (getKeyFromCredential). Evicted native tokens are released by CacheEvictionCallback.
    private Cache _cache;
    /** Delimiter stripped from the token handed to createMappedCredential(String, WSCredential). */
    private static final String TOKEN_DELIMETER = "::";
    private static final TraceComponent tc = Tr.register(PlatformCredentialManager.class, "Security", AdminConstants.MSG_BUNDLE_NAME);
    private static ResourceBundle msgBundle = ResourceBundle.getBundle(AdminConstants.MSG_BUNDLE_NAME);
    // Process-wide singleton returned by instance(); the public PlatformCredentialManager(Object) constructor bypasses it.
    private static final PlatformCredentialManager _instance = new PlatformCredentialManager();
    // Lazily populated by getSAFVersionNumber(); that method is not synchronized, so concurrent first callers may each run the native query.
    private static boolean _safVersionset = false;
    private static int _SAFVersionNumber = -1;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/ibm/ws/security/zOS/PlatformCredentialManager$CacheEvictionCallback.class */
    public static final class CacheEvictionCallback implements CacheEvictionListener {
        CacheEvictionCallback() {
        }

        /**
         * Releases the native SAF credential behind every evicted cache value.
         * Only {@link SAFCredentialTokenImpl} values are destroyed; other evicted
         * values (e.g. the PlatformCredential stored under a token-string key) are skipped.
         *
         * @param list the values the cache has just evicted
         */
        @Override // com.ibm.ws.security.auth.CacheEvictionListener
        public void evicted(List list) {
            final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
            if (anyTracing && PlatformCredentialManager.tc.isEntryEnabled()) {
                Tr.entry(PlatformCredentialManager.tc, "evicted", list);
            }
            for (Iterator it = list.iterator(); it.hasNext();) {
                final Object evictedValue = it.next();
                if (!(evictedValue instanceof SAFCredentialTokenImpl)) {
                    continue;
                }
                // the singleton owns the native handle, so it performs the destroy
                PlatformCredentialManager._instance.destroyCredential((SAFCredentialTokenImpl) evictedValue);
            }
            if (anyTracing && PlatformCredentialManager.tc.isEntryEnabled()) {
                Tr.exit(PlatformCredentialManager.tc, "evicted");
            }
        }
    }

    /* loaded from: input_file:com/ibm/ws/security/zOS/PlatformCredentialManager$GetPlatformCredentialAction.class */
    private static final class GetPlatformCredentialAction implements PrivilegedExceptionAction {
        final Subject _subject;

        GetPlatformCredentialAction(Subject subject) {
            this._subject = subject;
        }

        /**
         * Locates the PlatformCredential of the wrapped subject.
         * A PlatformCredential stored directly among the subject's private credentials wins;
         * otherwise the subject's WSCredential is consulted for its PLATFORM_CREDENTIAL entry.
         *
         * @return the PlatformCredential, or null when the subject carries neither
         * @throws Exception propagated from WSCredential.get
         */
        @Override // java.security.PrivilegedExceptionAction
        public Object run() throws Exception {
            final Set directCredentials = this._subject.getPrivateCredentials(PlatformCredential.class);
            if (!directCredentials.isEmpty()) {
                return (PlatformCredential) directCredentials.iterator().next();
            }
            final WSCredential wsCredential = SubjectHelper.getWSCredentialFromSubject(this._subject);
            if (wsCredential == null) {
                return null;
            }
            return (PlatformCredential) wsCredential.get(CommonConstants.PLATFORM_CREDENTIAL);
        }
    }

    /**
     * Returns the process-wide manager created during class initialization.
     *
     * @return the singleton instance
     */
    public static final PlatformCredentialManager instance() {
        return PlatformCredentialManager._instance;
    }

    /**
     * Singleton constructor: builds the credential cache and traces entry/exit.
     * Runs during class initialization (see the _instance field), so any failure in
     * initializeCache() surfaces as a class-initialization error.
     */
    private PlatformCredentialManager() {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>");
        }
        this.initializeCache();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>", this);
        }
    }

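    /**
     * Creates the credential cache sized from the security property {@link #AUTH_CACHE_MAX_SIZE}.
     * A missing, blank, negative or non-numeric value falls back to 25000 entries; previously a
     * non-numeric value raised NumberFormatException out of the singleton constructor.
     * The first two Cache constructor arguments are passed through unchanged — their meaning is
     * not visible here (presumably bucket count and a timeout; confirm against Cache).
     */
    private void initializeCache() {
        final String configured = SecurityObjectLocator.getSecurityConfig().getProperty(AUTH_CACHE_MAX_SIZE);
        int maxSize = -1;
        if (configured != null && configured.trim().length() > 0) {
            try {
                maxSize = Integer.parseInt(configured.trim());
            } catch (NumberFormatException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "authCacheMaxSize is not an integer, using the default", e);
                }
            }
        }
        if (maxSize < 0) {
            maxSize = 25000;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "authCacheMaxSize = " + maxSize);
        }
        this._cache = new Cache(100, NotificationConstants.HANDLE_NOTIFICATION_TIMEOUT_DEFAULT, maxSize, new CacheEvictionCallback());
    }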

    /**
     * Builds a manager with its own cache, bypassing the singleton. The argument is ignored;
     * presumably a test or extension hook — confirm before relying on it.
     *
     * @param obj unused
     */
    public PlatformCredentialManager(Object obj) {
        this.initializeCache();
    }

    /**
     * Authenticates a user id/password pair under the default password audit string.
     *
     * @param str  user id
     * @param str2 password
     * @return the authenticated BASIC credential
     * @throws PasswordCheckFailedException when the password check fails
     * @throws AuthenticationFailedException when no native credential could be created
     */
    public final PlatformCredential createPasswordCredential(String str, String str2) throws PasswordCheckFailedException, AuthenticationFailedException {
        final String auditString = DEFAULT_PASSWORD_AUDIT_STRING;
        return this.createPasswordCredential(str, str2, auditString);
    }

    /**
     * Maps a certificate chain to a SAF identity under the default certificate audit string.
     *
     * @param x509CertificateArr certificate chain; only the first element is encoded for SAF
     * @return the authenticated CERTIFICATE credential
     * @throws CertificateMapFailedException when the chain cannot be mapped
     */
    public final PlatformCredential createCertificateCredential(X509Certificate[] x509CertificateArr) throws CertificateMapFailedException {
        final String auditString = DEFAULT_CERTIFICATE_AUDIT_STRING;
        return this.createCertificateCredential(x509CertificateArr, auditString);
    }

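    /**
     * Resolves the SAF identity for an already-authenticated WebSphere credential when SAF identity
     * propagation is active. Returns null when not running on z/OS or propagation is disabled.
     * Otherwise one of three credentials is produced:
     * <ul>
     *   <li>the server's own identity when the credential is the registry server id (with
     *       useRegistryServerId set), an internal server credential or the server credential;</li>
     *   <li>an asserted credential for {@code str} (any prefix up to the first
     *       {@link #TOKEN_DELIMETER} removed) when the registry reports a RACF user;</li>
     *   <li>a mapped credential from the unique security name and realm otherwise.</li>
     * </ul>
     * A credential whose security name is null is never treated as the server identity.
     *
     * @param str          user token; appears to be prefixed with a realm and "::" — confirm the format with callers
     * @param wSCredential the authenticated WebSphere credential
     * @return the platform credential, or null when SAF identity propagation does not apply
     */
    public final PlatformCredential createMappedCredential(String str, WSCredential wSCredential) throws CredentialExpiredException, CredentialDestroyedException, WSSecurityException, WIMException {
        if (!PlatformHelperFactory.getPlatformHelper().isZOS() || !isSAFIdentityPropagationEnabled()) {
            return null;
        }
        final CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
        final boolean useRegistryServerId = csiv2Config.getBoolean(CSIv2Config.IS_USE_REGISTRY_SERVERID);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "useRegistryServerId", Boolean.valueOf(useRegistryServerId));
        }
        boolean isRegistryServerId = false;
        if (useRegistryServerId) {
            final String securityName = wSCredential.getSecurityName();
            // null-safe: fall through to user mapping rather than NPE or silently matching the server id
            isRegistryServerId = securityName != null && securityName.equals(csiv2Config.getString("com.ibm.CORBA.loginUserid"));
        }
        if (isRegistryServerId
                || ContextManagerFactory.getInstance().isInternalServerCredential(wSCredential)
                || ContextManagerFactory.getInstance().isServerCred(wSCredential)) {
            return createServerCredential();
        }
        if (isRACFUserInWIM(wSCredential)) {
            return createCredential(stripTokenPrefix(str));
        }
        return createMappedCredential(wSCredential.getUniqueSecurityName(), wSCredential.getRealmName());
    }

    /**
     * Drops everything up to and including the first {@link #TOKEN_DELIMETER}.
     * A delimiter at index 0 or an absent delimiter leaves the token unchanged (original behaviour).
     *
     * @param token the delimited token; must not be null
     * @return the part after the delimiter, or the whole token
     */
    private static String stripTokenPrefix(String token) {
        final int delimiterIndex = token.indexOf(TOKEN_DELIMETER);
        if (delimiterIndex > 0) {
            return token.substring(delimiterIndex + TOKEN_DELIMETER.length());
        }
        return token;
    }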

    /**
     * Maps a distributed user/realm pair to a SAF identity under the default mapped audit string.
     *
     * @param str  distributed user name
     * @param str2 distributed realm
     * @return the authenticated MAPPED credential
     * @throws DistributedUserMappingFailedException when SAF has no mapping for the user
     */
    public final PlatformCredential createMappedCredential(String str, String str2) throws DistributedUserMappingFailedException, PasswordCheckFailedException, AuthenticationFailedException {
        final String auditString = DEFAULT_MAPPED_AUDIT_STRING;
        return this.createMappedCredential(str, str2, auditString);
    }

    /**
     * Builds an asserted (not authenticated here) credential for a user id under the
     * default authorized-login audit string.
     *
     * @param str user id
     * @return the ASSERTED credential
     */
    public final PlatformCredential createCredential(String str) {
        final String auditString = DEFAULT_AUTHORIZED_CREATE_AUDIT_STRING;
        return this.createCredential(str, auditString);
    }

    /**
     * Builds the default (no-argument) PlatformCredential. No native call is made here;
     * the SAF token is created lazily by refreshCredential on first use.
     *
     * @return a new default credential
     */
    public final PlatformCredential createDefaultCredential() {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "createDefaultCredential");
        }
        final PlatformCredential defaultCredential = new PlatformCredential();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "createDefaultCredential", defaultCredential);
        }
        return defaultCredential;
    }

    /**
     * Authenticates a user id/password pair against SAF and returns the resulting BASIC credential.
     * The password is never written to the trace; only whether one was supplied.
     *
     * @param str  user id
     * @param str2 password
     * @param str3 audit string recorded with the credential
     * @return the authenticated credential
     * @throws PasswordCheckFailedException  when SAF rejects the password, or for any unexpected failure
     * @throws AuthenticationFailedException when no native credential could be created
     */
    public final PlatformCredential createPasswordCredential(String str, String str2, String str3) throws PasswordCheckFailedException, AuthenticationFailedException {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            final Object maskedPassword = (str2 != null) ? "****" : null;
            Tr.entry(tc, "createPasswordCredential", new Object[]{str, maskedPassword, str3});
        }
        final PlatformCredential credential = new PlatformCredential(PlatformCredential.BASIC, str, str3);
        try {
            authenticateCredential(credential, str2);
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.exit(tc, "createPasswordCredential", credential);
            }
            return credential;
        } catch (PasswordCheckFailedException passwordFailure) {
            throw passwordFailure;
        } catch (AuthenticationFailedException authFailure) {
            throw authFailure;
        } catch (Throwable anythingElse) {
            // NOTE(review): the original cause (including any Error) is discarded here; only the fact of failure survives
            throw new PasswordCheckFailedException();
        }
    }

    /**
     * Maps a certificate chain to a SAF identity and returns the resulting CERTIFICATE credential.
     *
     * @param x509CertificateArr certificate chain; only the first element is encoded for SAF
     * @param str                audit string recorded with the credential
     * @return the authenticated credential
     * @throws CertificateMapFailedException for any failure during mapping (the cause is not attached)
     */
    public final PlatformCredential createCertificateCredential(X509Certificate[] x509CertificateArr, String str) throws CertificateMapFailedException {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "createCertificateCredential", new Object[]{x509CertificateArr, str});
        }
        final PlatformCredential credential = new PlatformCredential(x509CertificateArr, str);
        try {
            authenticateCredential(credential, null);
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.exit(tc, "createCertificateCredential", credential);
            }
            return credential;
        } catch (Throwable anythingElse) {
            // NOTE(review): every failure, including Errors, collapses to a cause-less CertificateMapFailedException
            throw new CertificateMapFailedException();
        }
    }

    /**
     * Maps a distributed user/realm pair to a SAF identity and returns the resulting MAPPED credential.
     * Unlike the password and certificate variants, failures propagate with their original type.
     *
     * @param str  distributed user name
     * @param str2 distributed realm
     * @param str3 audit string recorded with the credential
     * @return the authenticated credential
     * @throws DistributedUserMappingFailedException when SAF has no mapping for the user
     */
    protected final PlatformCredential createMappedCredential(String str, String str2, String str3) throws DistributedUserMappingFailedException, PasswordCheckFailedException, AuthenticationFailedException {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "createMappedCredential", new Object[]{str, str2, str3});
        }
        final PlatformCredential credential = new PlatformCredential(str, str2, str3);
        authenticateCredential(credential, null);
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "createMappedCredential", credential);
        }
        return credential;
    }

    /**
     * Builds a ROLE credential for an application role profile and eagerly obtains its SAF token.
     * When no token can be created the method returns null. On CredentialDestroyedException the
     * freshly built credential is still returned without an MVS user id — that looks unintentional,
     * but refreshCredential only raises it for unauthenticated BASIC credentials, so it should not occur here.
     *
     * @param str  application name (audit only)
     * @param str2 role name (audit only)
     * @param str3 SAF role profile
     * @return the role credential, or null when SAF refused the profile
     */
    public final PlatformCredential createRoleCredential(String str, String str2, String str3) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "createRoleCredential", new Object[]{str, str2, str3});
        }
        PlatformCredential roleCredential = new PlatformCredential(PlatformCredential.ROLE, str3, createRoleAuditString(str, str2, str3));
        try {
            final SAFCredentialTokenImpl token = getCredentialToken(roleCredential);
            if (token == null) {
                roleCredential = null;
            } else {
                roleCredential.setMvsUserId(token.getMvsUserId());
            }
        } catch (CredentialDestroyedException destroyed) {
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.debug(tc, "Credential destroyed", destroyed);
            }
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "createRoleCredential", roleCredential);
        }
        return roleCredential;
    }

    /**
     * Builds an ASSERTED credential for a user id. No authentication happens here (contrast
     * createPasswordCredential, which calls authenticateCredential); the SAF token is created
     * later by refreshCredential with no password, so callers must have established the user's
     * identity by other means before calling this.
     *
     * @param str  user id
     * @param str2 audit string recorded with the credential
     * @return the asserted credential
     */
    public PlatformCredential createCredential(String str, String str2) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "createCredential", new Object[]{str, str2});
        }
        final PlatformCredential assertedCredential = new PlatformCredential(PlatformCredential.ASSERTED, str, str2);
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "createCredential", assertedCredential);
        }
        return assertedCredential;
    }

    /**
     * Builds a SERVER credential for the identity the JVM runs under (the "user.name" system property).
     *
     * @return the server credential
     */
    public final PlatformCredential createServerCredential() {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "createServerCredential");
        }
        final String processUser = System.getProperty("user.name");
        final PlatformCredential serverCredential = new PlatformCredential(PlatformCredential.SERVER, processUser, DEFAULT_SERVER_AUDIT_STRING);
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "createServerCredential", serverCredential);
        }
        return serverCredential;
    }

    /**
     * Formats the audit string recorded with a ROLE credential.
     * Null arguments render as "null", exactly as StringBuffer.append would.
     *
     * @param str  application name
     * @param str2 role name
     * @param str3 role profile
     * @return "WebSphere Role Delegation: Application=..,Role=..,Profile=.."
     */
    private final String createRoleAuditString(String str, String str2, String str3) {
        return "WebSphere Role Delegation:"
                + " Application=" + str
                + ",Role=" + str2
                + ",Profile=" + str3;
    }

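    /**
     * Returns the string form of the credential's native SAF token and records the
     * token-string -> credential mapping in the cache so getCredentialFromKey can resolve it later.
     * The token variable is now initialised to null; in the decompiled form it was read without
     * definite assignment when getCredentialToken threw CredentialDestroyedException.
     *
     * @param platformCredential the credential whose token key is wanted
     * @return the token as a string (also used as the cache key)
     * @throws IllegalArgumentException when no native token can be obtained (including when the credential was destroyed)
     */
    public final String getKeyFromCredential(PlatformCredential platformCredential) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyFromCredential", platformCredential);
        }
        SAFCredentialTokenImpl token = null;
        try {
            token = getCredentialToken(platformCredential);
        } catch (CredentialDestroyedException destroyed) {
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.debug(tc, "Credential already destroyed", destroyed);
            }
        }
        if (token == null) {
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.debug(tc, "Unable to get native credential token from PlatFormCredential");
            }
            throw new IllegalArgumentException("Unable to get native credential token from PlatFormCredential");
        }
        final String key = token.getAsString();
        this._cache.insert(key, platformCredential);
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyFromCredential", key);
        }
        return key;
    }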

    /**
     * Looks up the PlatformCredential previously registered under a token string by getKeyFromCredential.
     *
     * @param str the token string
     * @return the cached credential, or null when absent (or when the cache lookup fails)
     */
    public final PlatformCredential getCredentialFromKey(String str) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "getCredentialFromKey", str);
        }
        PlatformCredential cached;
        try {
            cached = (PlatformCredential) this._cache.get(str);
        } catch (CacheException cacheFailure) {
            cached = null;
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.debug(tc, "Unexpected cache exception", cacheFailure);
            }
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "getCredentialFromKey", cached);
        }
        return cached;
    }

    /**
     * Delegates to the native layer to build a UTOKEN for the credential.
     *
     * @param platformCredential the credential
     * @return whatever ntv_createUtoken returns (nullability not visible here)
     */
    public final byte[] createUtoken(PlatformCredential platformCredential) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "createUtoken", platformCredential);
        }
        final byte[] utoken = ntv_createUtoken(platformCredential);
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "createUtoken", utoken);
        }
        return utoken;
    }

    /**
     * Maps a Kerberos principal to a SAF user id through the native layer.
     * A principal of the form user@REALM is first rewritten to "/.../REALM/user"
     * (split at the first '@'); a principal without '@' is passed unchanged.
     *
     * @param str the Kerberos principal
     * @return the mapped user id, or null for a null/empty principal; an empty or null
     *         native result is returned as-is after logging a warning
     */
    public final String mapKerbPrincipal(String str) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "mapKerbPrincipal", str);
        }
        if (str == null || str.length() == 0) {
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.exit(tc, "The kerberos principal passed in is either null or an empty string, returning a null userid.");
            }
            return null;
        }
        String effectivePrincipal = str;
        final int atIndex = str.indexOf("@");
        if (atIndex != -1) {
            final String realm = str.substring(atIndex + 1);
            final String user = str.substring(0, atIndex);
            effectivePrincipal = "/.../" + realm + "/" + user;
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.debug(tc, "Going to call the native mapKerbPrincipal, the effective principal is: " + effectivePrincipal);
        }
        final String mappedUserId = ntv_mapKerbPrincipal(effectivePrincipal);
        if (mappedUserId == null || mappedUserId.length() == 0) {
            Tr.warning(tc, "security.zos.saf.authen.kerb.map.failed.warning", new Object[]{effectivePrincipal, SAFServiceResult.getSafServiceResult()});
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "mapKerbPrincipal", mappedUserId);
        }
        return mappedUserId;
    }

    /**
     * Returns the native SAF token for a credential, from the cache when present and otherwise
     * by (re)creating it through refreshCredential. Synchronized so that concurrent callers
     * do not each create a native token for the same credential.
     *
     * @param platformCredential the credential
     * @return the token, or null when refreshCredential could not create one
     * @throws CredentialDestroyedException from refreshCredential for an unauthenticated BASIC credential
     */
    private final synchronized SAFCredentialTokenImpl getCredentialToken(PlatformCredential platformCredential) throws CredentialDestroyedException {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "getCredentialToken", platformCredential);
        }
        SAFCredentialTokenImpl token;
        try {
            token = (SAFCredentialTokenImpl) this._cache.get(platformCredential);
        } catch (CacheException cacheFailure) {
            token = null;
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.debug(tc, "Unexpected cache exception", cacheFailure);
            }
        }
        if (token == null) {
            token = refreshCredential(platformCredential);
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "getCredentialToken", token);
        }
        return token;
    }

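    /**
     * Re-creates the native SAF token for a credential whose token is no longer cached.
     * A second cache probe is made under the lock; if it hits, that token is returned untouched.
     * Otherwise a token is created per credential type (no password is ever supplied here — a BASIC
     * credential is only refreshed if it previously passed authenticateCredential) and cached.
     * DEFAULT, BASIC and ASSERTED share one native call; the decompiled form spelled it three times.
     * A certificate chain that cannot be encoded now yields a null token (and the refresh-failed error)
     * instead of a NullPointerException.
     *
     * @param platformCredential the credential to refresh
     * @return the token, or null when the native layer could not create one
     * @throws CredentialDestroyedException for a BASIC credential that was never authenticated
     * @throws IllegalArgumentException for an unknown credential type
     */
    private final synchronized SAFCredentialTokenImpl refreshCredential(PlatformCredential platformCredential) throws CredentialDestroyedException {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "refreshCredential", platformCredential);
        }
        // never re-materialise a password credential that was not authenticated: no password is available here
        if (platformCredential.getCredentialType() == PlatformCredential.BASIC && !platformCredential.isAuthenticated()) {
            throw new CredentialDestroyedException();
        }
        final String applName = getAPPLName();
        SAFCredentialTokenImpl cached;
        try {
            cached = (SAFCredentialTokenImpl) this._cache.get(platformCredential);
        } catch (Exception cacheFailure) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Cache failure", cacheFailure);
            }
            cached = null;
        }
        SAFCredentialTokenImpl token;
        if (cached != null) {
            token = cached;
        } else if (platformCredential.getCredentialType() == PlatformCredential.DEFAULT
                || platformCredential.getCredentialType() == PlatformCredential.BASIC
                || platformCredential.getCredentialType() == PlatformCredential.ASSERTED) {
            token = ntv_createCredentialToken(platformCredential, platformCredential.getUserId(), platformCredential.getAuditString(), null, applName);
        } else if (platformCredential.getCredentialType() == PlatformCredential.ROLE) {
            token = ntv_createRoleCredentialToken(platformCredential, platformCredential.getRoleProfile(), platformCredential.getAuditString(), applName);
            if (token != null) {
                token.setMvsUserId(platformCredential.getUserId());
            }
        } else if (platformCredential.getCredentialType() == PlatformCredential.SERVER) {
            token = ntv_createServerCredentialToken(platformCredential);
        } else if (platformCredential.getCredentialType() == PlatformCredential.CERTIFICATE) {
            final byte[] encodedCertificate = getEncodedCertificate(platformCredential);
            if (encodedCertificate == null) {
                // getEncodedCertificate already traced the encoding failure; report it as a failed refresh
                token = null;
            } else {
                token = ntv_createCertificateCredentialToken(platformCredential, encodedCertificate, encodedCertificate.length, platformCredential.getAuditString(), applName);
            }
        } else if (platformCredential.getCredentialType() == PlatformCredential.MAPPED) {
            token = createMappedCredentialToken(platformCredential, applName);
        } else {
            throw new IllegalArgumentException("Unknown credential type: " + platformCredential.getCredentialType());
        }
        if (cached == null && token != null) {
            this._cache.insert(platformCredential, token);
        } else if (token == null) {
            Tr.error(tc, "security.zos.saf.authen.refresh.failed.error", new Object[]{platformCredential.getUserId(), SAFServiceResult.getSafServiceResult()});
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "refreshCredential", token);
        }
        return token;
    }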

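    /**
     * Creates the native SAF token for a freshly built BASIC, CERTIFICATE or MAPPED credential and caches it.
     * Any other credential type is not handled and results in AuthenticationFailedException.
     * For BASIC, a null token first goes through throwException, which may raise a specific
     * PasswordCheckFailedException/AuthenticationFailedException based on the SAF return/reason codes.
     * If another thread cached a token for the same credential in the meantime, the token created here
     * is destroyed and the cached one returned, so exactly one native credential survives per PlatformCredential.
     * A certificate chain that cannot be encoded now fails authentication instead of raising a NullPointerException.
     * The password only reaches the trace as "****".
     *
     * @param platformCredential the credential to authenticate
     * @param str                password for BASIC credentials; null otherwise
     * @return the token now associated with the credential
     * @throws AuthenticationFailedException        when no token could be created
     * @throws PasswordCheckFailedException         for a SAF password-check failure
     * @throws DistributedUserMappingFailedException when SAF has no mapping for a MAPPED credential
     */
    private final SAFCredentialTokenImpl authenticateCredential(PlatformCredential platformCredential, String str) throws AuthenticationFailedException, PasswordCheckFailedException, DistributedUserMappingFailedException {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            final Object maskedPassword = (str != null) ? "****" : null;
            Tr.entry(tc, "authenticateCredential", new Object[]{platformCredential, maskedPassword});
        }
        final String applName = getAPPLName();
        SAFCredentialTokenImpl token = null;
        if (platformCredential.getCredentialType() == PlatformCredential.BASIC) {
            token = ntv_createCredentialToken(platformCredential, platformCredential.getUserId(), platformCredential.getAuditString(), str, applName);
            if (token == null) {
                final SAFServiceResult safResult = SAFServiceResult.getSafServiceResult();
                Tr.info(tc, "security.zos.saf.authen.pw.check.failed.info", new Object[]{platformCredential.getUserId(), safResult});
                // may throw; if it does not, the generic AuthenticationFailedException below applies
                throwException(safResult.getReturnCode(), safResult.getReasonCode());
            }
        } else if (platformCredential.getCredentialType() == PlatformCredential.CERTIFICATE) {
            final byte[] encodedCertificate = getEncodedCertificate(platformCredential);
            // a null encoding was already traced by getEncodedCertificate; skip the native call so the SAF result is not stale
            if (encodedCertificate != null) {
                token = ntv_createCertificateCredentialToken(platformCredential, encodedCertificate, encodedCertificate.length, platformCredential.getAuditString(), applName);
                if (token == null) {
                    final X509Certificate leaf = platformCredential.getCertificateChain()[0];
                    Tr.info(tc, "security.zos.saf.authen.cert.map.failed.info", new Object[]{leaf.getSubjectX500Principal().getName(), leaf.getIssuerX500Principal().getName(), SAFServiceResult.getSafServiceResult()});
                }
            }
        } else if (platformCredential.getCredentialType() == PlatformCredential.MAPPED) {
            token = createMappedCredentialToken(platformCredential, applName);
            if (token == null) {
                final Object[] mappingArgs = new Object[]{platformCredential.getDistributedUser(), platformCredential.getDistributedRealm()};
                Tr.error(tc, "security.zos.saf.idprop.mapping.failed", mappingArgs);
                throw new DistributedUserMappingFailedException(MessageFormatHelper.getFormattedMessage(msgBundle, "security.zos.saf.idprop.mapping.failed", mappingArgs));
            }
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.debug(tc, "Updated PlatformCredential", platformCredential);
        }
        if (token == null) {
            throw new AuthenticationFailedException();
        }
        synchronized (this) {
            SAFCredentialTokenImpl alreadyCached = null;
            try {
                alreadyCached = (SAFCredentialTokenImpl) this._cache.get(platformCredential);
            } catch (CacheException cacheFailure) {
                if (anyTracing && tc.isEntryEnabled()) {
                    Tr.debug(tc, "Unexpected cache exception", cacheFailure);
                }
            }
            if (alreadyCached == null) {
                this._cache.insert(platformCredential, token);
            } else {
                // lost the race: release our native token and hand back the one already cached
                destroyCredential(token);
                token = alreadyCached;
            }
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "authenticateCredential", token);
        }
        return token;
    }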

    /**
     * Translates a SAF return/reason code pair (as read from SAFServiceResult by the caller) into
     * a specific exception. Only return code 8 is interpreted; reason codes 16/20/24/28 map to
     * WSPasswordCheckFailedException codes 1/2/4/3 (their meanings are not visible here), reason
     * code 32 is an access failure, and any other combination returns normally.
     *
     * @param i  SAF return code
     * @param i2 SAF reason code
     * @throws PasswordCheckFailedException  wrapping a WSPasswordCheckFailedException for reason codes 16, 20, 24, 28
     * @throws AuthenticationFailedException for reason code 32
     */
    void throwException(int i, int i2) throws AuthenticationFailedException, PasswordCheckFailedException {
        if (i != 8) {
            return;
        }
        final int failureCode;
        switch (i2) {
            case 16:
                failureCode = 1;
                break;
            case 20:
                failureCode = 2;
                break;
            case 24:
                failureCode = 4;
                break;
            case 28:
                failureCode = 3;
                break;
            case 32:
                throw new AuthenticationFailedException("The user does not have appropriate RACF access to either the SECLABEL, SERVAUTH profile, or APPL specified in the parmlist.");
            default:
                return;
        }
        throw new PasswordCheckFailedException(new WSPasswordCheckFailedException(failureCode));
    }

    /**
     * Asks the native layer to map the credential's distributed user/realm to a SAF token.
     *
     * @param platformCredential the MAPPED credential
     * @param str                APPL name (may be null, see getAPPLName)
     * @return the token, or null when no mapping exists
     */
    protected SAFCredentialTokenImpl createMappedCredentialToken(PlatformCredential platformCredential, String str) {
        final String distributedUser = platformCredential.getDistributedUser();
        final String distributedRealm = platformCredential.getDistributedRealm();
        final String auditString = platformCredential.getAuditString();
        return ntv_createMappedCredentialToken(platformCredential, distributedUser, distributedRealm, auditString, str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Releases a native SAF token. The SAFServiceResult read afterwards is discarded;
     * presumably it consumes the per-thread native result — confirm before removing it.
     *
     * @param sAFCredentialTokenImpl the token to destroy
     */
    public final void destroyCredential(SAFCredentialTokenImpl sAFCredentialTokenImpl) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "destroyCredential", sAFCredentialTokenImpl);
        }
        ntv_destroyCredential(sAFCredentialTokenImpl);
        SAFServiceResult.getSafServiceResult();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "destroyCredential");
        }
    }

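    /**
     * DER-encodes the first certificate of the credential's chain for the native SAF calls.
     * Returns null when the chain is missing or empty (previously a NullPointerException /
     * ArrayIndexOutOfBoundsException) or when the certificate cannot be encoded; callers
     * must treat null as "no certificate".
     *
     * @param platformCredential a CERTIFICATE credential
     * @return the encoded leaf certificate, or null
     */
    private final byte[] getEncodedCertificate(PlatformCredential platformCredential) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "getEncodedCertificate", platformCredential);
        }
        byte[] encoded = null;
        final X509Certificate[] chain = platformCredential.getCertificateChain();
        if (chain == null || chain.length == 0) {
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.debug(tc, "PlatformCredential carries no certificate chain");
            }
        } else {
            try {
                encoded = chain[0].getEncoded();
            } catch (CertificateEncodingException encodingFailure) {
                if (anyTracing && tc.isEntryEnabled()) {
                    Tr.debug(tc, "Unable to get certificate data", encodingFailure);
                }
            }
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "getEncodedCertificate", encoded);
        }
        return encoded;
    }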

    /**
     * Extracts the PlatformCredential from a subject (see GetPlatformCredentialAction for the lookup order),
     * running the lookup as a privileged action.
     *
     * @param subject the subject, may be null
     * @return the credential, or null when the subject is null, carries none, or the lookup fails
     */
    public final PlatformCredential getPlatformCredentialFromSubject(Subject subject) {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "getPlatformCredentialFromSubject", subject);
        }
        PlatformCredential found = null;
        if (subject == null) {
            // nothing to look up; fall through to the exit trace with null
        } else {
            try {
                found = (PlatformCredential) AccessController.doPrivileged(new GetPlatformCredentialAction(subject));
            } catch (PrivilegedActionException lookupFailure) {
                if (anyTracing && tc.isEntryEnabled()) {
                    Tr.debug(tc, "Unable to get platform cred", lookupFailure);
                }
            }
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "getPlatformCredentialFromSubject", found);
        }
        return found;
    }

    /**
     * Returns the APPL name passed to SAF, or null when the SAF_USE_APPL_PROFILE property is not "true".
     * When enabled, the configured SAF profile prefix is used, defaulting to "CBS390" if it is unset or empty.
     *
     * @return the APPL name, or null when APPL profiles are not in use
     */
    private final String getAPPLName() {
        final boolean anyTracing = TraceComponent.isAnyTracingEnabled();
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "getAPPLName");
        }
        final SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
        final boolean useApplProfile = "true".equalsIgnoreCase(securityConfig.getProperty(SecurityConfig.SAF_USE_APPL_PROFILE));
        String applName = null;
        if (!useApplProfile) {
            if (anyTracing && tc.isEntryEnabled()) {
                Tr.debug(tc, "The APPLName will not be used for RACF authorization because the useAPPLprofile property is set to false.");
            }
        } else {
            applName = securityConfig.getSAFProfilePrefix();
            if (applName == null || applName.equalsIgnoreCase("")) {
                applName = "CBS390";
            }
        }
        if (anyTracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "getAPPLName", applName);
        }
        return applName;
    }

    /**
     * Returns the SAF version number reported by the native layer, memoised after the
     * first call.
     *
     * <p>If the native string cannot be parsed as an integer, {@code _SAFVersionNumber}
     * keeps whatever value it already held and that outcome is cached too, so the native
     * call is not retried. The resolved number is logged once via {@code Tr.info}.
     * This method is not synchronized; concurrent first callers may each invoke the
     * native routine and log — presumably harmless, but worth confirming.
     *
     * @return the cached SAF version number
     */
    protected int getSAFVersionNumber() {
        if (!_safVersionset) {
            String rawVersion = ntv_getSAFVersion();
            _safVersionset = true;
            try {
                _SAFVersionNumber = Integer.parseInt(rawVersion);
            } catch (NumberFormatException nfe) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "caught NumberFormatException trying to parse this to an int: " + rawVersion);
                }
            }
            Tr.info(tc, "security.zos.saf.idprop.versionNumber.info", Integer.toString(_SAFVersionNumber));
        }
        return _SAFVersionNumber;
    }

    /**
     * Decides whether SAF identity propagation is in effect for non-LocalOS registries.
     *
     * <p>All of the following must hold: the server runs on z/OS, the SAF version meets
     * the minimum for identity propagation, the active user registry is not
     * {@code LOCALOS}, and at least one of the SAF authorization, sync-to-OS-thread or
     * run-as-identity switches is {@code "true"}. Even then propagation is reported as
     * disabled when a platform-subject mapping login module is configured, because that
     * module takes over the mapping instead.
     *
     * @return {@code true} if SAF identity propagation is enabled
     */
    public boolean isSAFIdentityPropagationEnabled() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSAFIdentityPropagationEnabled");
        }
        boolean enabled = false;
        SecurityConfig config = SecurityObjectLocator.getSecurityConfig();
        boolean platformEligible = PlatformHelperFactory.getPlatformHelper().isZOS()
                && isSAFVersionValidForIdentityPropagation()
                && !"LOCALOS".equals(config.getActiveUserRegistry().getType());
        if (platformEligible) {
            // Checked in the same order as before; the first switch that is on wins.
            String[] switches = {
                "com.ibm.security.SAF.authorization",
                SecurityConfig.ENABLE_SYNC_TO_OS_THREAD,
                SecurityConfig.ENABLE_RUN_AS_IDENTITY
            };
            boolean anySwitchOn = false;
            for (String key : switches) {
                if ("true".equalsIgnoreCase(config.getProperty(key))) {
                    anySwitchOn = true;
                    break;
                }
            }
            if (anySwitchOn) {
                enabled = !foundMappingModule();
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isSAFIdentityPropagationEnabled", Boolean.valueOf(enabled));
        }
        return enabled;
    }

    /**
     * Reports whether SAF identity propagation is enabled for SSO with a LocalOS registry,
     * driven by the {@code SSO_USE_RACMAP_SAF_MAPPING} security property.
     *
     * @return {@code true} if the SSO RACMAP mapping switch is on and the platform qualifies
     */
    public boolean isSAFIdPropEnabledForSSO() {
        final String ssoSwitch = SecurityConfig.SSO_USE_RACMAP_SAF_MAPPING;
        return isSAFIdPropEnabledForLocalOS(ssoSwitch);
    }

    /**
     * Decides whether SAF identity propagation is enabled for a LocalOS registry under
     * the given security-property switch.
     *
     * <p>Requires a SAF version that supports identity propagation, an active registry of
     * type {@code LOCALOS}, and the named property set to {@code "true"}.
     *
     * @param str the name of the security property that enables the feature
     * @return {@code true} if all three conditions hold
     */
    protected boolean isSAFIdPropEnabledForLocalOS(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSAFIdPropEnabledForLocalOS", str);
        }
        SecurityConfig config = SecurityObjectLocator.getSecurityConfig();
        String switchValue = config.getProperty(str);
        boolean enabled = isSAFVersionValidForIdentityPropagation()
                && "LOCALOS".equals(config.getActiveUserRegistry().getType())
                && "true".equalsIgnoreCase(switchValue);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isSAFIdPropEnabledForLocalOS", Boolean.valueOf(enabled));
        }
        return enabled;
    }

    /**
     * Reports whether the SAF version is new enough for identity propagation.
     *
     * <p>Because an unparseable native version leaves {@code getSAFVersionNumber()} at its
     * prior value, a failed version lookup is treated as "not supported" whenever that
     * value is below the threshold — i.e. the check fails closed.
     *
     * @return {@code true} if the SAF version number is at least 7760
     */
    public boolean isSAFVersionValidForIdentityPropagation() {
        final int minimumVersion = 7760;
        int safVersion = getSAFVersionNumber();
        return safVersion >= minimumVersion;
    }

    /**
     * Checks whether the credential's security name corresponds to a RACF user in the
     * federated (WIM) repository.
     *
     * <p>The WIM lookup is only attempted on z/OS, when the active registry is
     * {@code WIMUserRegistry}, and when the credential is not an internal server
     * credential; in every other case the answer is {@code false} without consulting WIM.
     *
     * @param wSCredential the credential to check
     * @return {@code true} if WIM reports the user as a RACF user
     * @throws WIMException if the repository lookup fails
     * @throws CredentialExpiredException if the credential has expired
     * @throws CredentialDestroyedException if the credential has been destroyed
     */
    public boolean isRACFUserInWIM(WSCredential wSCredential) throws WIMException, CredentialExpiredException, CredentialDestroyedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isRACFUserInWIM", wSCredential);
        }
        SecurityConfig config = SecurityObjectLocator.getSecurityConfig();
        boolean lookupApplies = PlatformHelperFactory.getPlatformHelper().isZOS()
                && "WIMUserRegistry".equals(config.getActiveUserRegistry().getType())
                && !ContextManagerFactory.getInstance().isInternalServerCredential(wSCredential);
        boolean isRacfUser = lookupApplies && isRACFUserInWIMAPI(wSCredential);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isRACFUserInWIM", Boolean.valueOf(isRacfUser));
        }
        return isRacfUser;
    }

    /**
     * Delegates the RACF-user check to the WIM {@link PrincipalUtil} API using the
     * credential's security name. Kept as a separate overridable method so the WIM
     * call can be substituted.
     *
     * @param wSCredential the credential whose security name is looked up
     * @return {@code true} if WIM reports the security name as a RACF user
     * @throws WIMException if the WIM lookup fails
     * @throws CredentialDestroyedException if the credential has been destroyed
     * @throws CredentialExpiredException if the credential has expired
     */
    protected boolean isRACFUserInWIMAPI(WSCredential wSCredential) throws WIMException, CredentialDestroyedException, CredentialExpiredException {
        String securityName = wSCredential.getSecurityName();
        return PrincipalUtil.isRACFUser(securityName);
    }

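    /**
     * Scans the {@code system.DEFAULT}, {@code system.WEB_INBOUND} and
     * {@code system.RMI_INBOUND} JAAS system login configurations for the platform-subject
     * mapping module, either configured directly or as the delegate of
     * {@code WSLoginModuleProxy}.
     *
     * <p>The result gates SAF identity propagation: when a mapping module is present,
     * propagation is reported as disabled by the caller. The scan stops at the first
     * match. A missing JAAS configuration or system map yields {@code false}.
     *
     * @return {@code true} if the mapping module is configured in any of the scanned aliases
     */
    protected boolean foundMappingModule() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "foundMappingModule");
        }
        final String mappingModule = "com.ibm.ws.security.common.auth.module.MapPlatformSubject";
        final String proxyModule = "com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy";
        boolean found = false;
        JAASLoginConfig loginConfig = SecurityObjectLocator.getSecurityConfig().getJAASLoginConfig();
        HashMap<?, ?> sysMap = loginConfig == null ? null : (HashMap<?, ?>) loginConfig.getSysMap();
        if (sysMap != null) {
            String[] aliases = {"system.DEFAULT", "system.WEB_INBOUND", "system.RMI_INBOUND"};
            for (int i = 0; i < aliases.length && !found; i++) {
                List<?> entries = (List<?>) sysMap.get(aliases[i]);
                if (entries == null) {
                    continue;
                }
                // The inner loop must terminate once the iterator is exhausted; the previous
                // form looped on a constant condition and never exited on an empty iterator.
                Iterator<?> it = entries.iterator();
                while (it.hasNext() && !found) {
                    AppConfigurationEntry entry = (AppConfigurationEntry) it.next();
                    String moduleName = entry.getLoginModuleName();
                    if (mappingModule.equals(moduleName)) {
                        found = true;
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found the mapping module in " + aliases[i]);
                        }
                    } else if (proxyModule.equals(moduleName)) {
                        // The proxy names its real module in the "delegate" option.
                        String delegate = (String) entry.getOptions().get(AuditConstants.DELEGATE);
                        if (mappingModule.equals(delegate)) {
                            found = true;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Found the mapping module configured as the delegate in " + aliases[i]);
                            }
                        }
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "foundMappingModule", Boolean.valueOf(found));
        }
        return found;
    }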

    /**
     * Builds the display/cache name for a platform credential as
     * {@code <key>::<userId>}, where the key comes from {@code getKeyFromCredential}.
     *
     * @param platformCredential the credential to name; must not be {@code null}
     * @return the composed name
     */
    public String createNameFromPlatformCredential(PlatformCredential platformCredential) {
        String prefix = getKeyFromCredential(platformCredential) + "::";
        return prefix + platformCredential.getUserId();
    }

    /**
     * Removes the credential's cached SAF token, if one is present. Behaves exactly like
     * {@link #removeCredential(PlatformCredential)}; kept for callers that expect the
     * declared {@link CredentialDestroyedException}, which is not raised by the current
     * implementation.
     *
     * @param platformCredential the credential whose cache entry should be dropped
     * @throws CredentialDestroyedException declared for API compatibility
     */
    public final synchronized void removePlatformCredentialFromCache(PlatformCredential platformCredential) throws CredentialDestroyedException {
        removeCredential(platformCredential);
    }

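    /**
     * Removes the credential's cached SAF token, if one is present.
     *
     * <p>Cache failures are treated as best effort — the caller is not told — but they are
     * now recorded in debug trace instead of being silently dropped, so a token that
     * unexpectedly outlives its credential can be diagnosed.
     *
     * @param platformCredential the credential whose cache entry should be dropped; {@code null} is a no-op
     */
    public final synchronized void removeCredential(PlatformCredential platformCredential) {
        try {
            if (hasCredentialTokenFor(platformCredential)) {
                this._cache.remove(platformCredential);
            }
        } catch (CacheException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to remove platform credential from cache", e);
            }
        }
    }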

    /**
     * Reports whether the cache currently holds a SAF credential token for the given
     * credential. A {@code null} credential or a cache failure counts as "no token".
     *
     * @param platformCredential the cache key; may be {@code null}
     * @return {@code true} if a token is cached for the credential
     */
    private boolean hasCredentialTokenFor(PlatformCredential platformCredential) {
        if (platformCredential == null) {
            return false;
        }
        SAFCredentialTokenImpl token;
        try {
            token = (SAFCredentialTokenImpl) this._cache.get(platformCredential);
        } catch (CacheException e) {
            token = null;
        }
        return token != null;
    }

    // Native bridge into the z/OS SAF layer. Parameter meanings are not visible here;
    // presumably the strings carry user id, password/passticket, APPL name and audit
    // data — confirm against the JNI implementation before relying on the order.
    private final native SAFCredentialTokenImpl ntv_createCredentialToken(PlatformCredential platformCredential, String str, String str2, String str3, String str4);

    // Certificate-based variant: takes the encoded certificate bytes and their length.
    private final native SAFCredentialTokenImpl ntv_createCertificateCredentialToken(PlatformCredential platformCredential, byte[] bArr, int i, String str, String str2);

    // Role-based variant; string parameters undocumented here.
    private final native SAFCredentialTokenImpl ntv_createRoleCredentialToken(PlatformCredential platformCredential, String str, String str2, String str3);

    // Creates the token for the server's own identity.
    private final native SAFCredentialTokenImpl ntv_createServerCredentialToken(PlatformCredential platformCredential);

    // Variant used for identities mapped to a SAF user; string parameters undocumented here.
    private final native SAFCredentialTokenImpl ntv_createMappedCredentialToken(PlatformCredential platformCredential, String str, String str2, String str3, String str4);

    // Returns an opaque byte[] for the credential — presumably a SAF UTOKEN; verify in native code.
    private final native byte[] ntv_createUtoken(PlatformCredential platformCredential);

    // Maps a Kerberos principal name to a SAF user id via the native layer.
    private final native String ntv_mapKerbPrincipal(String str);

    // Releases the native resources behind a SAF credential token.
    private final native void ntv_destroyCredential(SAFCredentialTokenImpl sAFCredentialTokenImpl);

    // Returns the SAF version as a string; parsed to an int by getSAFVersionNumber().
    private final native String ntv_getSAFVersion();
}
