package com.ibm.ws.security.ltpa;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.NotificationConstants;
import com.ibm.websphere.security.auth.InvalidTokenException;
import com.ibm.websphere.security.auth.TokenCreationFailedException;
import com.ibm.websphere.security.auth.TokenExpiredException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.Base64Coder;
import com.ibm.ws.security.util.StringUtil;
import com.ibm.wsspi.security.ltpa.Token;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedList;

/* loaded from: input_file:com/ibm/ws/security/ltpa/LTPAToken.class */
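/**
 * WebSphere LTPA (Lightweight Third-Party Authentication) token: a signed, symmetrically encrypted blob that carries
 * a user identity, optional custom attributes and an expiration time.
 *
 * <p>Two ways in: a token is built from an identity ({@link #LTPAToken(String, long, byte[], LTPAPrivateKey,
 * LTPAPublicKey)}) and is signed with the private key and encrypted with the shared key on the first call to
 * {@link #getBytes()}; or it is rebuilt from received bytes ({@link #LTPAToken(byte[], byte[], LTPAPrivateKey,
 * LTPAPublicKey)}), which decrypts them with the shared key and records the embedded signature so that
 * {@link #isValid()} can check the expiration and verify the signature with the public key.
 *
 * <p>Encryption results and signature-verification results are memoised in process-wide caches obtained from
 * {@link LTPAServerObject}. Each cache is bounded to {@link #MAX_CACHE_ENTRIES} entries, entries are discarded after
 * a fixed age, and every access synchronises on the map itself because the caches are shared across instances.
 *
 * <p>Instances are not thread-safe. Debug-level trace output of this class includes decrypted token contents,
 * attribute values and the signature.
 */
public class LTPAToken implements Token, Serializable {
    static final long serialVersionUID = 2864617589188090142L;
    /** Identity plus attributes carried by the token. */
    private UserData userData;
    /** Absolute expiration, milliseconds since the epoch. */
    private long expiration;
    /** Retained for serialized-form compatibility; nothing in this class reads it. */
    private int defaultExpirationMins = 120;
    /** Signature over {@link #formatUserData()}; null until {@link #sign()} or {@link #decrypt()} ran. */
    private byte[] signature;
    public static final String DELIM = "%";
    /** Cached wire form; null means the token must be signed and encrypted again on {@link #getBytes()}. */
    private byte[] encryptedBytes = null;
    private byte[] sharedKey = null;
    private LTPAPrivateKey privateKey = null;
    private LTPAPublicKey publicKey = null;
    private String userId = null;
    private short version = (short) 1;
    private static final TraceComponent tc = Tr.register(LTPAToken.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    /** SimpleDateFormat is not thread-safe: every use of this shared instance synchronises on it. */
    private static final SimpleDateFormat dateFormat = new SimpleDateFormat("yy.MM.dd kk:mm:ss:SSS z");
    /** Upper bound on entries in each of the encrypt/verify caches. */
    private static final int MAX_CACHE_ENTRIES = 5000;
    // Cache statistics, reported only in debug trace. Updated under the respective cache's monitor.
    static long ecreated = 0;
    static long ecacheHits = 0;
    static long vcreated = 0;
    static long vcacheHits = 0;

    /**
     * Rebuilds a token from its encrypted wire form.
     *
     * @param bArr encrypted token bytes as received; must be non-null and non-empty
     * @param bArr2 LTPA shared (symmetric) key used to decrypt {@code bArr}
     * @param lTPAPrivateKey private key, kept for a later {@link #sign()}
     * @param lTPAPublicKey public key used by {@link #isValid()} to verify the embedded signature
     * @throws InvalidTokenException if the bytes are missing, empty, or cannot be decrypted and parsed
     * @throws TokenExpiredException declared for API compatibility; this constructor's own code never raises it
     */
    public LTPAToken(byte[] bArr, byte[] bArr2, LTPAPrivateKey lTPAPrivateKey, LTPAPublicKey lTPAPublicKey) throws InvalidTokenException, TokenExpiredException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "LTPAToken(byte[],byte[],LTPAPrivateKey,LTPAPublicKey");
        }
        checkTokenBytes(bArr);
        this.expiration = 0L;
        this.sharedKey = bArr2;
        this.privateKey = lTPAPrivateKey;
        this.publicKey = lTPAPublicKey;
        this.encryptedBytes = bArr;
        decrypt();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, getLogInfo().toString());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "LTPAToken(byte[],byte[],LTPAPrivateKey,LTPAPublicKey");
        }
    }

    /**
     * Creates a new, not yet signed token for an access ID.
     *
     * @param str access ID that becomes the token's user data and user ID
     * @param j lifetime in minutes, measured from now
     * @param bArr LTPA shared (symmetric) key used by {@link #encrypt()}
     * @param lTPAPrivateKey private key used by {@link #sign()}
     * @param lTPAPublicKey public key used by {@link #isValid()}
     * @throws TokenCreationFailedException declared for API compatibility; this constructor's own code never raises it
     */
    public LTPAToken(String str, long j, byte[] bArr, LTPAPrivateKey lTPAPrivateKey, LTPAPublicKey lTPAPublicKey) throws TokenCreationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "new LTPAToken from accessID");
        }
        this.encryptedBytes = null;
        this.expiration = alignedExpiration(j);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Expiration set to: " + new Date(this.expiration));
        }
        this.sharedKey = bArr;
        this.privateKey = lTPAPrivateKey;
        this.publicKey = lTPAPublicKey;
        this.userData = new UserData(str);
        this.userId = str;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "new LTPAToken from accessID");
        }
    }

    /**
     * Clone constructor used by {@link #clone()}: adopts the given user data and keys and assigns a fresh expiration
     * taken from the configured LTPA timeout.
     *
     * @param j expiration of the source token; ignored, the expiration is recomputed from configuration
     * @param bArr LTPA shared (symmetric) key
     * @param lTPAPrivateKey private key
     * @param lTPAPublicKey public key
     * @param userData user data to adopt (not copied)
     * @throws TokenCreationFailedException declared for API compatibility; this constructor's own code never raises it
     */
    protected LTPAToken(long j, byte[] bArr, LTPAPrivateKey lTPAPrivateKey, LTPAPublicKey lTPAPublicKey, UserData userData) throws TokenCreationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "new LTPAToken from clone");
        }
        this.encryptedBytes = null;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Refreshing expiration of token.");
        }
        long timeoutMinutes = Long.valueOf(SecurityObjectLocator.getSecurityConfig().getAuthMechanism("LTPA").getLong(AuthMechanismConfig.TIMEOUT)).longValue();
        this.expiration = alignedExpiration(timeoutMinutes);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Expiration set to: " + new Date(this.expiration));
        }
        this.sharedKey = bArr;
        this.privateKey = lTPAPrivateKey;
        this.publicKey = lTPAPublicKey;
        this.userData = userData;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "new LTPAToken from clone");
        }
    }

    /**
     * Computes an expiration instant {@code timeoutMinutes} from now, aligned to the next multiple of
     * {@code NotificationConstants.LOCAL_NOTIFICATION_SERVICE_THREAD_KEEPALIVE_TIME_DEFAULT} (the result is always
     * strictly later than the unaligned instant).
     *
     * @param timeoutMinutes lifetime in minutes
     * @return expiration in milliseconds since the epoch
     */
    private static long alignedExpiration(long timeoutMinutes) {
        long interval = NotificationConstants.LOCAL_NOTIFICATION_SERVICE_THREAD_KEEPALIVE_TIME_DEFAULT;
        long unaligned = System.currentTimeMillis() + timeoutMinutes * 60 * 1000;
        return ((unaligned + interval) / interval) * interval;
    }

    /**
     * Looks up the process-wide LTPA server object that owns the encrypt/verify caches.
     *
     * @throws IllegalStateException if the lookup fails or yields nothing; the original code swallowed the failure
     *     and surfaced it later as a NullPointerException on the first cache access, losing the cause
     */
    private static LTPAServerObject ltpaServer() {
        LTPAServerObject server;
        try {
            server = LTPAServerObject.getLTPAServer();
        } catch (Exception e) {
            throw new IllegalStateException("LTPA server object is not available", e);
        }
        if (server == null) {
            throw new IllegalStateException("LTPA server object is not available");
        }
        return server;
    }

    /**
     * Inserts an entry into one of the bounded caches and evicts the oldest entries that push the cache over
     * {@link #MAX_CACHE_ENTRIES} or that are older than
     * {@code NotificationConstants.LOCAL_NOTIFICATION_SERVICE_THREAD_KEEPALIVE_TIME_DEFAULT} milliseconds.
     * {@code keys} and {@code stamps} are parallel insertion-ordered lists of cache keys and insertion times.
     * The caller must hold the monitor of {@code cache}.
     */
    @SuppressWarnings("unchecked")
    private static void cacheInsert(HashMap cache, LinkedList keys, LinkedList stamps, String key, Object value) {
        cache.put(key, value);
        keys.addLast(key);
        stamps.addLast(Long.valueOf(System.currentTimeMillis()));
        while (cache.size() > MAX_CACHE_ENTRIES && !keys.isEmpty()) {
            stamps.removeFirst();
            cache.remove(keys.removeFirst());
        }
        long now = System.currentTimeMillis();
        while (!stamps.isEmpty()
                && now - ((Long) stamps.getFirst()).longValue() > NotificationConstants.LOCAL_NOTIFICATION_SERVICE_THREAD_KEEPALIVE_TIME_DEFAULT) {
            stamps.removeFirst();
            cache.remove(keys.removeFirst());
        }
    }

    /**
     * Produces {@link #encryptedBytes}: user data followed by {@code %expiration%base64(signature)}, encrypted with
     * the shared key. Results are memoised per {@code %expiration%signature} in the process-wide encrypt cache
     * (index 1), so {@link #sign()} must have run first.
     *
     * @throws IllegalStateException if the LTPA server object cannot be obtained
     */
    protected void encrypt() {
        LTPAServerObject server = ltpaServer();
        HashMap cache = server.getLTPAKeyCache(1);
        LinkedList keys = server.getLinkedList1(1);
        LinkedList stamps = server.getLinkedList2(1);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "encrypt.key.cache.size:" + cache.size() + " ell:" + keys.size() + " el2:" + stamps.size());
        }
        String encodedSignature = StringUtil.toString(Base64Coder.base64Encode(this.signature));
        String formatted = formatUserData();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "userData: " + this.userData.toString() + " userData for encryption: " + formatted);
        }
        byte[] userBytes = toBytes(formatted);
        String tokenData = DELIM + getExpirationFromUserData() + DELIM + encodedSignature;
        byte[] tokenDataBytes = StringUtil.getBytes(tokenData);
        synchronized (cache) {
            byte[] cached = (byte[]) cache.get(tokenData);
            if (cached != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "cache hit in encrypt.");
                }
                ecacheHits++;
                this.encryptedBytes = (byte[]) cached.clone();
                return;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "tokenData before encrypt: " + tokenData);
            }
            byte[] plain = new byte[userBytes.length + tokenDataBytes.length];
            System.arraycopy(userBytes, 0, plain, 0, userBytes.length);
            System.arraycopy(tokenDataBytes, 0, plain, userBytes.length, tokenDataBytes.length);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "whole data before encrypt: " + toStrings(plain));
            }
            this.encryptedBytes = LTPACrypto.encrypt(plain, this.sharedKey);
            // Still inside the cache monitor; the original re-entered it here, which the reentrant lock made a no-op.
            ecreated++;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "encrypt [" + ecreated + "/" + ecacheHits + "]added:" + tokenData);
            }
            cacheInsert(cache, keys, stamps, tokenData, this.encryptedBytes);
        }
    }

    /**
     * Decrypts {@link #encryptedBytes} with the shared key and populates user data, expiration and signature.
     * Token fields after decryption: [0] user data, [1] expiration, [2] base64 signature; an expiration carried in
     * the user-data attributes takes precedence over field [1].
     *
     * @throws InvalidTokenException wrapping any failure to decrypt or parse
     */
    protected void decrypt() throws InvalidTokenException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.DECRYPT);
        }
        try {
            // Decrypt a copy in case LTPACrypto modifies its input; the stored wire bytes must stay intact.
            byte[] plain = LTPACrypto.decrypt((byte[]) this.encryptedBytes.clone(), this.sharedKey);
            checkTokenBytes(plain);
            this.userData = new UserData(LTPATokenizer.parseUserData(LTPATokenizer.parseToken(toStrings(plain))[0]));
            String tokenString = StringUtil.toString(plain);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "tokenString after decrypt: " + tokenString);
            }
            String[] fields = LTPATokenizer.parseToken(tokenString);
            String[] expAttr = this.userData.getAttributes(AttributeNameConstants.WSTOKEN_EXPIRATION);
            if (expAttr == null || expAttr.length <= 0) {
                this.expiration = Long.parseLong(fields[1]);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Getting expiration from expiration field: " + new Date(this.expiration));
                }
            } else {
                this.expiration = Long.parseLong(expAttr[expAttr.length - 1]);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Getting expiration from userdata area: " + new Date(this.expiration));
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Expiration set to: " + new Date(this.expiration));
            }
            setSignature(StringUtil.getBytes(Base64Coder.base64Decode(fields[2])));
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.DECRYPT);
            }
        } catch (Throwable th) {
            // Any failure, including a malformed or tampered token, is reported uniformly as an invalid token.
            ContextManagerFactory.getInstance().setRootException(th);
            throw new InvalidTokenException(th.getMessage(), th);
        }
    }

    /**
     * Signs the formatted user data with the private key and stores the signature.
     *
     * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
     */
    protected void sign() throws NoSuchAlgorithmException {
        setSignature(LTPADigSignature.sign(toBytes(formatUserData()), this.privateKey));
    }

    /**
     * Checks expiration and then the signature.
     *
     * @return true if the signature verifies; false if it does not
     * @throws TokenExpiredException if the expiration instant is not in the future
     * @throws InvalidTokenException wrapping any failure during signature verification
     */
    @Override // com.ibm.wsspi.security.ltpa.Token
    public boolean isValid() throws InvalidTokenException, TokenExpiredException {
        Date now = new Date();
        Date expires = new Date(this.expiration);
        if (!now.before(expires)) {
            if (tc.isDebugEnabled()) {
                StringBuffer info = getLogInfo();
                info.insert(0, "token expired ");
                Tr.debug(tc, info.toString());
            }
            throw new TokenExpiredException(this.expiration, "Token expiration Date: " + expires + ", current Date: " + now + " " + LTPAUtil.dumpAttributesInfo(this.userData));
        }
        try {
            boolean verified = verify();
            if (!verified && tc.isDebugEnabled()) {
                StringBuffer info = getLogInfo();
                info.insert(0, "invalid signature ");
                Tr.debug(tc, info.toString());
            }
            return verified;
        } catch (Exception e) {
            throw new InvalidTokenException(e.getMessage(), e);
        }
    }

    /**
     * Verifies the stored signature over the formatted user data with the public key. Outcomes are memoised in the
     * process-wide verify cache (index 2), keyed by the formatted user data plus an unambiguous rendering of the
     * signature and signed bytes, so a cached result is only ever returned for byte-identical input.
     *
     * @return outcome of the signature check
     * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
     * @throws IllegalStateException if the LTPA server object cannot be obtained
     */
    private boolean verify() throws NoSuchAlgorithmException {
        LTPAServerObject server = ltpaServer();
        HashMap cache = server.getLTPAKeyCache(2);
        LinkedList keys = server.getLinkedList1(2);
        LinkedList stamps = server.getLinkedList2(2);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "verify.key.cache.size:" + cache.size() + " vll:" + keys.size() + " vl2:" + stamps.size());
        }
        String formatted = formatUserData();
        byte[] sig = getSignature();
        byte[] signed = toBytes(formatted);
        String cacheKey = formatted + toStrings2(sig) + toStrings2(signed);
        synchronized (cache) {
            Boolean cached = (Boolean) cache.get(cacheKey);
            if (cached != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "cache hit in verify.");
                }
                vcacheHits++;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "cache key: " + cacheKey);
                }
                return cached.booleanValue();
            }
            boolean verified = LTPADigSignature.verify(signed, sig, this.publicKey);
            // Still inside the cache monitor; the original re-entered it here, which the reentrant lock made a no-op.
            vcreated++;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "verify [" + vcreated + "/" + vcacheHits + "]added:" + cacheKey);
            }
            cacheInsert(cache, keys, stamps, cacheKey, Boolean.valueOf(verified));
            return verified;
        }
    }

    /**
     * Renders a byte array as a delimited list of signed byte values for use in a cache key. The delimiter matters:
     * bare concatenation let distinct arrays share a key (for example {@code {2,31}} and {@code {12,3}} both rendered
     * as {@code "312"}), which could hand out one signature's verification result for another.
     *
     * @param bArr bytes to render; must be non-null
     * @return delimited decimal rendering, unique per byte sequence
     */
    private static String toStrings2(byte[] bArr) {
        StringBuffer rendered = new StringBuffer(bArr.length * 5);
        for (int i = 0; i < bArr.length; i++) {
            rendered.append((int) bArr[i]).append(',');
        }
        return rendered.toString();
    }

    /**
     * Decodes bytes as UTF-8.
     *
     * @throws IllegalStateException if the JVM lacks UTF-8 (never on a conformant JVM); the original returned null
     *     here, which only moved the failure to a later NullPointerException
     */
    private static String toStrings(byte[] bArr) {
        try {
            return new String(bArr, "UTF8");
        } catch (UnsupportedEncodingException e) {
            Tr.debug(tc, "to UTF8 Strings =" + e.toString());
            throw new IllegalStateException("UTF8 charset not supported", e);
        }
    }

    /**
     * Encodes a string as UTF-8.
     *
     * @throws IllegalStateException if the JVM lacks UTF-8 (never on a conformant JVM); the original returned null
     *     here, which only moved the failure to a later NullPointerException
     */
    private static byte[] toBytes(String str) {
        try {
            return str.getBytes("UTF8");
        } catch (UnsupportedEncodingException e) {
            Tr.debug(tc, "to UTF8 bytes =" + e.toString());
            throw new IllegalStateException("UTF8 charset not supported", e);
        }
    }

    /**
     * Returns the encrypted wire form, producing it on first use (sign, encrypt, self-check). The cached form is
     * dropped by {@link #addAttribute(String, String)}, so the next call re-signs and re-encrypts.
     *
     * @return a copy of the encrypted token bytes
     * @throws InvalidTokenException if signing fails or the freshly built token does not pass {@link #isValid()}
     * @throws TokenExpiredException if the freshly built token is already expired
     */
    @Override // com.ibm.wsspi.security.ltpa.Token
    public byte[] getBytes() throws InvalidTokenException, TokenExpiredException {
        if (this.encryptedBytes != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Returning existing encrypted bytes from token object.");
            }
            return (byte[]) this.encryptedBytes.clone();
        }
        try {
            sign();
            encrypt();
            // Self-check of the token just built; only logged when the signature fails, expiry throws.
            if (!isValid() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Expired or invalid LTPA token constructed");
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, getLogInfo().toString());
            }
            return (byte[]) this.encryptedBytes.clone();
        } catch (NoSuchAlgorithmException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "NoSuchAlgorithmException: " + e.getMessage(), new Object[]{e});
            }
            throw new InvalidTokenException(e.getMessage(), e);
        }
    }

    /** @return expiration in milliseconds since the epoch */
    @Override // com.ibm.wsspi.security.ltpa.Token
    public long getExpiration() {
        return this.expiration;
    }

    /** @return the stored signature (not copied), or null if the token has not been signed or decrypted */
    byte[] getSignature() {
        return this.signature;
    }

    /** @return the token's user data (not copied) */
    UserData getUserData() {
        return this.userData;
    }

    /**
     * Adds an attribute value and invalidates the cached wire form, so the token is re-signed on the next
     * {@link #getBytes()}.
     *
     * @return whatever {@code UserData.addAttribute} returns for the name
     */
    @Override // com.ibm.wsspi.security.ltpa.Token
    public String[] addAttribute(String str, String str2) {
        this.encryptedBytes = null;
        return this.userData.addAttribute(str, str2);
    }

    @Override // com.ibm.wsspi.security.ltpa.Token
    public String[] getAttributes(String str) {
        return this.userData.getAttributes(str);
    }

    @Override // com.ibm.wsspi.security.ltpa.Token
    public Enumeration getAttributeNames() {
        return this.userData.getAttributeNames();
    }

    /** Stores the signature reference (not copied). */
    void setSignature(byte[] bArr) {
        this.signature = bArr;
    }

    /** @return the cached encrypted bytes rendered via {@code StringUtil.toString}; content depends on that helper */
    public String toString() {
        return StringUtil.toString(this.encryptedBytes);
    }

    @Override // com.ibm.wsspi.security.ltpa.Token
    public short getVersion() {
        return this.version;
    }

    /**
     * Builds a debug summary of every attribute and the formatted expiration. Callers only invoke this when debug
     * tracing is enabled; the output exposes all attribute values.
     */
    private StringBuffer getLogInfo() {
        StringBuffer info = new StringBuffer();
        Enumeration names = getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = getAttributes(name);
            info.append(name).append(": ");
            for (int i = 0; i < values.length; i++) {
                if (i > 0) {
                    info.append(" | ");
                }
                info.append(values[i]);
            }
            info.append(", ");
        }
        info.append("Expiration time: ");
        // The shared SimpleDateFormat is not thread-safe.
        synchronized (dateFormat) {
            info.append(dateFormat.format(new Date(this.expiration)));
        }
        return info;
    }

    /**
     * Creates a token with a copy of the user data and a refreshed expiration. As a side effect this token's own
     * shared/private/public keys are replaced by the current keys published by {@link LTPAServerObject} (first from
     * the primary token-factory map, then from the server object itself) before the copy is made.
     *
     * @return the new token, or null if construction failed (the failure is recorded through FFDC)
     */
    @Override // com.ibm.wsspi.security.ltpa.Token
    public Object clone() {
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Expiration passed into cloned token: " + this.expiration);
            }
            UserData copiedUserData = (UserData) this.userData.clone();
            LTPAServerObject server = LTPAServerObject.getInstance();
            HashMap factoryMap = server.getPrimaryTokenFactoryMap();
            if (factoryMap != null && factoryMap.size() > 0) {
                byte[] mapSharedKey = (byte[]) factoryMap.get("com.ibm.wsspi.security.ltpa.ltpa_shared_key");
                LTPAPublicKey mapPublicKey = (LTPAPublicKey) factoryMap.get("com.ibm.wsspi.security.ltpa.ltpa_public_key");
                LTPAPrivateKey mapPrivateKey = (LTPAPrivateKey) factoryMap.get("com.ibm.wsspi.security.ltpa.ltpa_private_key");
                if (mapSharedKey != null && mapPrivateKey != null && mapPublicKey != null) {
                    this.sharedKey = mapSharedKey;
                    this.privateKey = mapPrivateKey;
                    this.publicKey = mapPublicKey;
                }
            }
            // Keys held directly by the server object win over the factory map when all three are present.
            if (server.getSharedKey() != null && server.getLtpaPrivateKey() != null && server.getLtpaPublicKey() != null) {
                this.sharedKey = server.getSharedKey();
                this.privateKey = server.getLtpaPrivateKey();
                this.publicKey = server.getLtpaPublicKey();
            }
            return new LTPAToken(this.expiration, this.sharedKey, this.privateKey, this.publicKey, copiedUserData);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.ltpa.LTPAToken.clone", "597");
            return null;
        }
    }

    /**
     * Rejects null or empty token bytes before any cryptographic processing.
     *
     * @param bArr candidate token bytes
     * @throws InvalidTokenException if {@code bArr} is null or has length 0
     */
    public static void checkTokenBytes(byte[] bArr) throws InvalidTokenException {
        if (bArr == null) {
            throw new InvalidTokenException("Token bytes are null");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Token bytes length = " + bArr.length);
        }
        if (bArr.length == 0) {
            throw new InvalidTokenException("Token bytes are empty");
        }
    }

    /**
     * Returns the expiration to embed in the wire form: the last value of the
     * {@code WSTOKEN_EXPIRATION} attribute if present, otherwise {@link #expiration}.
     *
     * @throws NumberFormatException if the attribute value is not a valid long
     */
    private long getExpirationFromUserData() {
        String[] expAttr = this.userData.getAttributes(AttributeNameConstants.WSTOKEN_EXPIRATION);
        if (expAttr == null || expAttr.length == 0) {
            return this.expiration;
        }
        long fromUserData = Long.parseLong(expAttr[expAttr.length - 1]);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Getting expiration from userdata area: " + fromUserData);
        }
        return fromUserData;
    }

    /**
     * Returns the canonical user-data string that is signed and encrypted: the full user data when it holds custom
     * attributes, otherwise a fresh {@code UserData} built from the ID alone.
     */
    protected String formatUserData() {
        String formatted;
        if (this.userData.containsCustomAttributes()) {
            formatted = this.userData.toString();
        } else {
            formatted = new UserData(this.userData.getID()).toString();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "userData: " + this.userData.toString() + " formatted userData: " + formatted);
        }
        return formatted;
    }
}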
