package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.security.trust10.util.DerivedKeyGenerator;
import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.common.Constants;
import com.ibm.ws.wssecurity.config.DerivedKeyInfoConfig;
import com.ibm.ws.wssecurity.config.KeyInfoContentConsumerConfig;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.handler.PolicyInboundConfig;
import com.ibm.ws.wssecurity.keyinfo.WSSKeyInfoComponent;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.trust.server.sts.Util.STSTokenUtil;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.DerivedKeyUtil;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import java.security.AccessController;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/DKTConsumeLoginModule.class */
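/**
 * JAAS login module that consumes a {@code DerivedKeyToken} on the inbound side of
 * WS-Security processing.
 *
 * <p>Depending on the key-info type found in the callback properties, {@link #login()} either
 * parses a {@code DerivedKeyToken} element from the message ({@code processElement}) or derives
 * a key for a token that is referenced through a SecurityTokenReference ({@code deriveKey}).
 * {@link #commit()} then hands the resulting token to the security token manager.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The derived key is never written to trace; only its algorithm and length are.</li>
 *   <li>Key lengths taken from the message are parsed strictly and must lie between the
 *       algorithm minimum and {@code MAX_DERIVED_KEY_LENGTH}; negative values are rejected.</li>
 *   <li>Malformed token references fail with an explicit {@link LoginException} instead of an
 *       incidental {@link NullPointerException} or {@link ClassCastException}.</li>
 * </ul>
 */
public class DKTConsumeLoginModule implements LoginModule {
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc = Tr.register(DKTConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = DKTConsumeLoginModule.class.getName();
    private static final Map<String, String> tokensMap = new HashMap<String, String>();

    /** Local name of the element this module handles. */
    private static final String DKT_LOCAL_NAME = "DerivedKeyToken";

    /** Length used for implied derived keys when the context carries none (presumably bytes; confirm). */
    private static final int DEFAULT_IMPLIED_KEY_LENGTH = 32;

    /** Largest derived key length accepted (presumably bytes, i.e. 256 bits; confirm). */
    private static final int MAX_DERIVED_KEY_LENGTH = 32;

    static {
        tokensMap.put(Constants.NS_WSC_SC, "resolveSCT");
        tokensMap.put("com.ibm.websphere.wssecurity.wssapi.token.SecurityContextToken13", "com.ibm.ws.wssecurity.wssapi.token.impl.SCT13");
    }

    private CallbackHandler _handler;
    // Shared state supplied by the login framework; read for the base token's secrets and key bytes.
    private Map<?, ?> _sharedState;
    private SecurityToken _token;
    private SecurityTokenManager _securityTokenManager;
    private Map<Object, Object> _context;

    /**
     * Stores the callback handler and shared state. The subject and the options map are not used.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._handler = callbackHandler;
        this._sharedState = map;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    /**
     * Processes the DerivedKeyToken for the current message.
     *
     * <p>Returns {@code true} without doing anything when the processing element exists but is
     * not a {@code DerivedKeyToken}. Every exception raised while processing, including a
     * {@link LoginException} from the helpers, is caught and rethrown as a new
     * {@link LoginException}, so any failure rejects the login.
     *
     * @return always {@code true} when no exception is thrown
     * @throws LoginException if the token cannot be processed or the key cannot be derived
     */
    @Override
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            this._handler.handle(new Callback[]{propertyCallback});
            this._token = null;
            this._context = propertyCallback.getProperties();
            OMElement target = (OMElement) this._context.get(Constants.PROCESSING_ELEMENT);
            if (target != null && !DKT_LOCAL_NAME.equalsIgnoreCase(target.getLocalName())) {
                // Some other element is being processed; nothing for this module to do.
                return true;
            }
            TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            if (isAuthnAuditRequired()) {
                WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.AUTHN_TYPE, tokenConsumerConfig.getType().toString());
            }
            DKToken dkToken = new DKToken();
            this._context.put(com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING, dkToken);
            this._securityTokenManager = (SecurityTokenManagerImpl) this._context.get(com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            String keyInfoType = (String) this._context.get(com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEYINFO_TYPE);
            boolean noKeyInfo = keyInfoType == null;
            boolean isStrref = !noKeyInfo && ConfigUtil.isKeyInfoStrref(keyInfoType);
            boolean isEmb = !noKeyInfo && ConfigUtil.isKeyInfoEmb(keyInfoType);
            if (noKeyInfo || isEmb) {
                this._token = processElement(dkToken, target, tokenConsumerConfig, noKeyInfo, isEmb, this._securityTokenManager, this._context);
            } else if (isStrref) {
                this._token = deriveKey(dkToken, tokenConsumerConfig, isStrref, this._securityTokenManager);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            return true;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".login", "160", this);
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e.toString()}));
        }
    }

    /**
     * Registers the token produced by {@link #login()}, if any, with the security token manager
     * and records it in the context as the processed token.
     *
     * @return always {@code true}
     */
    @Override
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (this._token != null) {
            this._securityTokenManager.addToken(this._token);
            this._context.put(com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_TOKEN_PROCESSED, this._token);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * Traces the call only; no state is changed.
     *
     * @return always {@code false}
     */
    @Override
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
            Tr.exit(tc, "abort()");
        }
        return false;
    }

    /**
     * Traces the call only; no state is changed.
     *
     * @return always {@code false}
     */
    @Override
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
            Tr.exit(tc, "logout()");
        }
        return false;
    }

    /** Reports whether a SECURITY_AUTHN audit event is required for either the SUCCESS or the DENIED outcome. */
    private static boolean isAuthnAuditRequired() {
        return WSSContextManagerFactory.getInstance().getAuditService().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)
                || WSSContextManagerFactory.getInstance().getAuditService().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED);
    }

    /**
     * Parses a key length taken from the message or the processing context.
     *
     * @throws LoginException if the text is not an integer or is negative
     */
    private static int parseKeyLength(String text) throws LoginException {
        final int value;
        try {
            value = Integer.parseInt(text);
        } catch (NumberFormatException e) {
            LoginException failure = new LoginException("DerivedKey Length in the message is not a valid number");
            failure.initCause(e);
            throw failure;
        }
        if (value < 0) {
            throw new LoginException("DerivedKey Length in the message must not be negative");
        }
        return value;
    }

    /**
     * Looks up the token named by the key reference in the context.
     *
     * @param implied whether the lookup is made for an implied derived key (affects trace only)
     * @throws LoginException if the token manager holds no such token
     */
    private SecurityToken lookupReferencedToken(TokenConsumerConfig tokenConsumerConfig, SecurityTokenManager securityTokenManager, boolean implied) throws LoginException {
        String tokenId = (String) this._context.get(com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_REFERENCE);
        if (tc.isDebugEnabled()) {
            if (implied) {
                Tr.debug(tc, "Implied derived keys are used");
            }
            Tr.debug(tc, "Token identifier is [" + tokenId + "]");
        }
        if (isAuthnAuditRequired()) {
            WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.TOKEN_ID, tokenId);
        }
        SecurityToken token = securityTokenManager.getToken(tokenConsumerConfig, tokenId);
        if (token == null) {
            Tr.error(tc, "security.wssecurity.SCTConsumeLoginModule.missingDKT", new Object[]{tokenId});
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.missingDKT", new String[]{tokenId}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "There was the token [" + tokenId + "] in the Subject.");
        }
        return token;
    }

    /**
     * Builds a fresh DerivedKeyToken for an implied derived key, using the nonce and length
     * found in the context and the referenced token found in the token manager.
     *
     * @throws LoginException if the length is malformed, the referenced token is missing, or
     *         the referenced token is not an {@code SCTWrapper}
     */
    private DKToken buildImpliedDerivedKeyToken(TokenConsumerConfig tokenConsumerConfig, DerivedKeyInfoConfig dkConfig, SecurityTokenManager securityTokenManager) throws LoginException {
        String nonceText = (String) this._context.get(Constants.IMPLIED_DERIVED_KEY_NONCE);
        String lengthText = (String) this._context.get(Constants.IMPLIED_DERIVED_KEY_LENGTH);
        int length = lengthText != null ? parseKeyLength(lengthText) : DEFAULT_IMPLIED_KEY_LENGTH;
        byte[] nonce = nonceText != null ? Base64.decode(nonceText) : null;

        SecurityToken token = lookupReferencedToken(tokenConsumerConfig, securityTokenManager, true);
        if (!(token instanceof SCTWrapper)) {
            // The UUID needed below only exists on an SCTWrapper. Failing here keeps the outcome
            // (login is rejected) but replaces an incidental ClassCastException with a clear error.
            throw new LoginException("Cannot get SCT info to derive key");
        }
        final DKToken impliedToken = new DKToken();
        impliedToken.setrefTokenId(((SCTWrapper) token).getSCT().getId());
        impliedToken.setrefTokenType("", ((SCTWrapper) token).getSCT().getValueType().getLocalPart());
        impliedToken.setLength(length);
        impliedToken.setNonce(nonce);

        String clientLabel;
        String serviceLabel;
        if (dkConfig.isRequireImpliedDerivedKeys()) {
            clientLabel = dkConfig.getClientLabel();
            serviceLabel = dkConfig.getServiceLabel();
        } else {
            clientLabel = (String) tokenConsumerConfig.getProperties().get("com.ibm.ws.wssecurity.sc.dkt.ClientLabel");
            serviceLabel = (String) tokenConsumerConfig.getProperties().get("com.ibm.ws.wssecurity.sc.dkt.ServiceLabel");
        }
        if (clientLabel == null) {
            clientLabel = DerivedKeyGenerator.DEFLABEL;
        }
        if (serviceLabel == null) {
            serviceLabel = DerivedKeyGenerator.DEFLABEL;
        }
        final String finalClientLabel = clientLabel;
        final String finalServiceLabel = serviceLabel;
        final String uuid = ((SCTWrapper) token).getSCT().getUUID();
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                impliedToken.setSecurityContextTokenUUID(uuid);
                impliedToken.setClientLabel(finalClientLabel);
                impliedToken.setServiceLabel(finalServiceLabel);
                return null;
            }
        });
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Labels via properties, service label = " + serviceLabel + " and client label = " + clientLabel);
        }
        return impliedToken;
    }

    /**
     * Fetches the already-consumed DerivedKeyToken named by the key reference and fills in its
     * labels from the configuration when it carries none.
     *
     * @throws LoginException if the token manager holds no such token
     */
    private DKToken resolveReferencedDerivedKeyToken(TokenConsumerConfig tokenConsumerConfig, DerivedKeyInfoConfig dkConfig, SecurityTokenManager securityTokenManager) throws LoginException {
        DKToken referenced = (DKToken) lookupReferencedToken(tokenConsumerConfig, securityTokenManager, false);
        if (referenced.getClientLabel() == null && referenced.getServiceLabel() == null) {
            String clientLabel = dkConfig.getClientLabel();
            String serviceLabel = dkConfig.getServiceLabel();
            if (clientLabel == null) {
                clientLabel = DerivedKeyGenerator.DEFLABEL;
            }
            if (serviceLabel == null) {
                serviceLabel = DerivedKeyGenerator.DEFLABEL;
            }
            referenced.setClientLabel(clientLabel);
            referenced.setServiceLabel(serviceLabel);
        }
        return referenced;
    }

    /**
     * Derives the verifying or decrypting key for a token referenced by a SecurityTokenReference
     * and stores it on that token.
     *
     * @param dKToken token used when {@code z} is {@code false}; replaced by the resolved token otherwise
     * @param z whether the key info is a SecurityTokenReference
     * @return the token that received the key, or {@code null} when derived keys are not
     *         required by the configuration or {@code z} is {@code false}
     * @throws LoginException if the referenced token is missing, the key type is neither
     *         verifying nor decrypting, the key length is out of range, or derivation fails
     */
    private final SecurityToken deriveKey(DKToken dKToken, TokenConsumerConfig tokenConsumerConfig, boolean z, SecurityTokenManager securityTokenManager) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "deriveKey(DKToken dkToken, TokenConsumerConfig config, boolean isStrref[" + z + "])");
        }
        DerivedKeyInfoConfig dkConfig = ((KeyInfoContentConsumerConfig) this._context.get(KeyInfoContentConsumerConfig.CONFIG_KEY)).getDerivedKeyInfoConfig();
        if (dkConfig == null || !dkConfig.isRequireDerivedKeys()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "DerivedKey is not required.");
            }
            return null;
        }

        DKToken result = null;
        if (z) {
            boolean implied = this._context.get(Constants.IMPLIED_DERIVED_KEY_NONCE) != null || dkConfig.isRequireImpliedDerivedKeys();
            dKToken = implied
                    ? buildImpliedDerivedKeyToken(tokenConsumerConfig, dkConfig, securityTokenManager)
                    : resolveReferencedDerivedKeyToken(tokenConsumerConfig, dkConfig, securityTokenManager);
            result = dKToken;
        }

        String keyType = (String) this._context.get(com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_KEY_TYPE);
        boolean verifying = WSSKeyInfoComponent.KEY_VERIFYING.equals(keyType);
        boolean decrypting = WSSKeyInfoComponent.KEY_DECRYPTING.equals(keyType);
        if (tc.isDebugEnabled()) {
            if (verifying) {
                Tr.debug(tc, "Verifying key type");
            } else if (decrypting) {
                Tr.debug(tc, "Decrypting key type");
            }
        }
        if (!verifying && !decrypting) {
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.KeyStoreKeyLocator.getKey02", new String[]{keyType}));
        }

        byte[] clientSecret = null;
        byte[] serverSecret = null;
        byte[] keyBytes = dKToken.getBytes();
        if (keyBytes != null) {
            clientSecret = dKToken.getClientSecret();
            serverSecret = dKToken.getServerSecret();
        }
        // NOTE(review): the secrets are only read when key bytes exist, so this check reduces to
        // "keyBytes == null" and the client/server-secret derivation below can never run.
        // Left as is; confirm the intended condition before changing the derivation path.
        if (clientSecret == null && keyBytes == null) {
            throw new LoginException("Cannot get SCT info to derive key");
        }

        int length = dKToken.getLength();
        if (length == 0) {
            // No length on the token: fall back to configuration.
            String configuredLength = dkConfig.getKeyLength();
            if (configuredLength == null) {
                configuredLength = (String) tokenConsumerConfig.getProperties().get(com.ibm.wsspi.wssecurity.core.Constants.DERIVED_KEY_LENGTH);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The specified Dervived Key Length is " + configuredLength);
            }
            if (configuredLength != null && configuredLength.length() > 0) {
                length = Integer.parseInt(configuredLength);
            }
        }
        WSSConsumerConfig wssConsumerConfig = (WSSConsumerConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        if (wssConsumerConfig instanceof PolicyInboundConfig) {
            String algorithmSuite = ((PolicyInboundConfig) wssConsumerConfig).getAlgorithmSuite();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The Algorithm Suite = " + algorithmSuite);
            }
        }
        String keyAlgorithm = (String) this._context.get(Constants.KEY_ALGORITHM);
        int minKeyLength = DKTGenerateLoginModule.getMinKeyLengthFromAlgorithm(keyAlgorithm, verifying, decrypting, false, false, length);
        if (length == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Missing Length information in the message. Using the key Length based on the algorithm = " + minKeyLength);
            }
            length = minKeyLength;
        } else {
            // The length may originate from the message, so it is bounded on both sides. A negative
            // value must be rejected here too; a "length > 0" precondition would let it through.
            if (length < 0 || length < minKeyLength || length > MAX_DERIVED_KEY_LENGTH) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The key Length from the message = " + length + " is incorrect.");
                }
                throw new LoginException("DerivedKey Length in the message doesn't match with the algorithm's");
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Using the key Length from the message = " + length);
            }
        }

        String jceAlgorithm = null;
        if (keyAlgorithm != null) {
            jceAlgorithm = DKTGenerateLoginModule.mapKeyAlgorithm2JCE(keyAlgorithm, verifying, decrypting, false, false);
            if (jceAlgorithm == null) {
                throw new LoginException("Missing Algorithm info in the config");
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The supplied algorithm: " + keyAlgorithm + "Key algorithm and key length based on algorithm are = " + jceAlgorithm + ", " + length);
            Tr.debug(tc, "The key Length from the message = " + length);
        }

        try {
            SecretKey derivedKey;
            if (keyBytes != null) {
                String label = dKToken.getLabel();
                if (label == null) {
                    String clientLabel = dKToken.getClientLabel() == null ? DerivedKeyGenerator.DEFLABEL : dKToken.getClientLabel();
                    label = dKToken.getServiceLabel() == null ? clientLabel + DerivedKeyGenerator.DEFLABEL : clientLabel + dKToken.getServiceLabel();
                }
                derivedKey = DerivedKeyUtil.createDerivedKey(keyBytes, label, dKToken.getNonce(), length, 0, 0, "HmacSha1", "AES");
            } else {
                derivedKey = DerivedKeyUtil.createDerivedKey(clientSecret, serverSecret, dKToken.getClientLabel(), dKToken.getServiceLabel(), dKToken.getNonce(), length, 0, 0, "HmacSha1", "AES");
            }
            if (derivedKey == null) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTGenerateLoginModule.DKG02"));
            }
            if (tc.isDebugEnabled()) {
                // Key bytes are deliberately kept out of the trace: trace files are routinely
                // collected and shared for diagnostics and must not contain key material.
                Tr.debug(tc, "Derived key algorithm =  " + derivedKey.getAlgorithm() + ", key length = " + derivedKey.getEncoded().length);
            }
            // 63 / 64 are the key-type codes used for the verifying / decrypting key
            // (meaning inferred from the branch conditions; confirm against DKToken.setKey).
            if (verifying) {
                dKToken.setKey(63, derivedKey);
            } else if (decrypting) {
                dKToken.setKey(64, derivedKey);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "deriveKey(DKToken, TokenConsumerConfig, boolean, String, String, boolean, SecurityTokenManager) returns SecurityToken[" + result + "]");
            }
            return result;
        } catch (InvalidKeyException e) {
            Tr.error(tc, "security.wssecurity.SCTGenerateLoginModule.DKG", new Object[]{e});
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTGenerateLoginModule.DKG", new String[]{e.toString()}));
        } catch (NoSuchAlgorithmException e2) {
            Tr.error(tc, "security.wssecurity.SCTGenerateLoginModule.DKG", new Object[]{e2});
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTGenerateLoginModule.DKG", new String[]{e2.toString()}));
        }
    }

    /**
     * Consumes a {@code DerivedKeyToken} element that is present in the message and checks that
     * the secret of the token it refers to is available.
     *
     * @param dKToken token object to populate
     * @param oMElement the element being processed; must be namespace-qualified
     * @param z whether no key-info type was supplied; the token id is then read from the element
     * @param z2 whether the key info is embedded (used for tracing only)
     * @return {@code dKToken} when the element is a DerivedKeyToken in the expected
     *         WS-SecureConversation namespace, otherwise {@code null}
     * @throws LoginException if the element is missing or unqualified, or if no key bytes or
     *         client secret is available for the referenced token
     */
    private final SecurityToken processElement(DKToken dKToken, OMElement oMElement, TokenConsumerConfig tokenConsumerConfig, boolean z, boolean z2, SecurityTokenManager securityTokenManager, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processElement(DKToken dkToken, OMElement target[" + DOMUtils.getDisplayName((OMNode) oMElement) + "], TokenConsumerConfig config, boolean isNone[" + z + "], boolean isEmb[" + z2 + "], SecurityTokenManager securityTokenManager, Map context, String encAlg)");
        }
        String targetNamespace = (oMElement == null || oMElement.getNamespace() == null) ? null : oMElement.getNamespace().getNamespaceURI();
        if (targetNamespace == null) {
            // Fail closed with a clear message rather than through a NullPointerException.
            throw new LoginException("DerivedKeyToken element is missing or is not namespace-qualified");
        }
        MessageContext messageContext = (MessageContext) this._context.get(com.ibm.wsspi.wssecurity.core.Constants.WSSECURITY_MESSAGE_CONTEXT);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " Target Element namespace URI = " + targetNamespace);
        }
        // Default to the 1.3 constants; switch to the older namespace when the element uses it.
        String sctValueType = Constants.NS_WSC_SCT_13;
        String scNamespace = Constants.NS_WSC_SC_13;
        if (Constants.NS_WSC_SC.equals(targetNamespace)) {
            sctValueType = Constants.NS_WSC_SCT;
            scNamespace = Constants.NS_WSC_SC;
        }
        messageContext.setProperty(Constants.SCT_TOKEN_VALUE_TYPE, sctValueType);

        DKToken result = null;
        if (targetNamespace.equals(scNamespace) && oMElement.getLocalName().equals(DKT_LOCAL_NAME)) {
            String tokenId = null;
            if (z) {
                QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The identifier attribute of the dktoken target element is [" + idAttributeName + "].");
                }
                if (idAttributeName != null) {
                    tokenId = oMElement.getAttributeValue(idAttributeName);
                }
            }
            dKToken.setId(tokenId);
            if (Constants.NS_WSC_SCT_13.equals(sctValueType)) {
                dKToken.setType("", Constants.NS_WSC_DKT_13);
            }
            consumeDKTokenElement(dKToken, oMElement, messageContext, map);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "dktoken id = " + dKToken.getId());
                Tr.debug(tc, "dktoken's reference token Id = " + dKToken.getrefTokenId());
            }
            if (isAuthnAuditRequired()) {
                WSSAuditEventGeneratorFactory.getInstance().setExtendedAuditData(this._context, WSSAuditEventGenerator.TOKEN_ID, tokenId);
            }
            boolean secretAvailable = dKToken.getBytes() != null || dKToken.getClientSecret() != null;
            if (!secretAvailable) {
                Tr.error(tc, "Cannot find the token's key bytes referenced from the DerivedKeyToken Element. ");
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.SCTConsumeLoginModule.verifyDKT"));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found referenced token secret in the dktoken. Verification of DKtoken is successful!!");
                Tr.debug(tc, "Adding DKT to the subject using id: " + dKToken.getId());
            }
            result = dKToken;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processElement(DKToken, OMElement, TokenConsumerConfig, boolean, boolean, boolean, securityTokenManager, Map) returns SecurityToken[" + result + "]");
        }
        return result;
    }

    /** Returns whether {@code instances} holds {@code wanted}, ignoring case; a null array holds nothing. */
    private static boolean containsInstance(String[] instances, String wanted) {
        if (instances == null) {
            return false;
        }
        for (String instance : instances) {
            if (instance != null && instance.equalsIgnoreCase(wanted)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks for key instance {@code str} in {@code sct}; when it is absent, re-reads the token
     * through {@code STSTokenUtil.getToken} up to ten times, sleeping 20 ms before each attempt.
     *
     * @param sct the token to inspect first
     * @param str the key instance to look for (compared ignoring case)
     * @param str2 second argument passed through to {@code STSTokenUtil.getToken}
     * @return the token in which the instance was found, or the original {@code sct} when every
     *         attempt failed or the thread was interrupted
     */
    private static SCT checkKeyInstance(SCT sct, String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkKeyInstance");
        }
        if (containsInstance(sct.getInstances(), str)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found matching key instance in SCT.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "checkKeyInstance");
            }
            return sct;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Not Found matching key instance in SCT due to replication. Retry from cache.");
        }
        for (int attempt = 0; attempt < 10; attempt++) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not Found matching key instance in SCT. Retry from cache " + (attempt + 1) + " times.");
            }
            try {
                Thread.sleep(20L);
            } catch (InterruptedException e) {
                // Keep the interrupt visible to the caller and stop retrying.
                Thread.currentThread().interrupt();
                break;
            }
            SCT refreshed = null;
            String[] refreshedInstances = null;
            try {
                refreshed = (SCT) STSTokenUtil.getToken(sct.getUUID(), str2);
                refreshedInstances = refreshed == null ? null : refreshed.getInstances();
            } catch (Exception e2) {
                // Best effort: a failed lookup just means this attempt found nothing.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception while getting SCT from trust service:" + e2.getMessage());
                }
            }
            if (containsInstance(refreshedInstances, str)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found matching key instance in SCT during " + (attempt + 1) + " retry.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "checkKeyInstance");
                }
                return refreshed;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkKeyInstance Fails.");
        }
        return sct;
    }

    /** Returns whether {@code valueType} equals the local part of one of the Kerberos AP-REQ token constants. */
    private static boolean isKerberosApReqValueType(String valueType) {
        return valueType.equals(Constants.KRB5_AP_REQ_TOKEN.getLocalPart())
                || valueType.equals(Constants.KRB5_AP_REQ1510_TOKEN.getLocalPart())
                || valueType.equals(Constants.KRB5_AP_REQ4120_TOKEN.getLocalPart())
                || valueType.equals(Constants.KRB5_GSS_AP_REQ_TOKEN.getLocalPart())
                || valueType.equals(Constants.KRB5_GSS_AP_REQ1510_TOKEN.getLocalPart())
                || valueType.equals(Constants.KRB5_GSS_AP_REQ4120_TOKEN.getLocalPart());
    }

    /** Rejects a token Reference without a URI in the branches that need to read it. */
    private static String requireReferenceUri(String uri) throws LoginException {
        if (uri == null) {
            throw new LoginException("Reference in the DerivedKeyToken has no URI attribute");
        }
        return uri;
    }

    /**
     * Populates {@code dKToken} from a {@code DerivedKeyToken} element: its id, the referenced
     * token (type, id and, for a security context token, UUID), the base token secrets taken from
     * the shared state, and the Length and Nonce children.
     *
     * <p>Nothing is populated when the element is {@code null} or is not a DerivedKeyToken in the
     * namespace matching the SCT value type stored on the message context.
     *
     * @throws LoginException if the token reference is malformed (no ValueType, no URI where one
     *         is needed, or neither Reference nor KeyIdentifier) or the Length is not a
     *         non-negative integer
     */
    private final void consumeDKTokenElement(final DKToken dKToken, OMElement oMElement, MessageContext messageContext, Map<Object, Object> map) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "consumeDKTokenElement(DKToken dkToken, OMElement target(" + DOMUtils.getDisplayName((OMNode) oMElement) + "], MessageContext messageContext, Map context)");
        }
        String sctValueType = (String) messageContext.getProperty(Constants.SCT_TOKEN_VALUE_TYPE);
        String scNamespace = Constants.NS_WSC_SCT.equals(sctValueType) ? Constants.NS_WSC_SC : Constants.NS_WSC_SC_13;
        if (oMElement != null && oMElement.getNamespace().getNamespaceURI().equals(scNamespace) && oMElement.getLocalName().equals(DKT_LOCAL_NAME)) {
            dKToken.setXML(new OMStructure(oMElement));
            QName idAttributeName = IdUtils.getInstance().getIdAttributeName(oMElement);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
            }
            if (idAttributeName != null) {
                String id = oMElement.getAttributeValue(idAttributeName);
                if (id != null) {
                    dKToken.setId(id);
                }
            }

            String refTokenId = null;
            String refTokenUuid = null;
            String refValueType = null;
            String keyInstance = null;
            OMElement tokenReference = DOMUtils.getChildElement(oMElement, Constants.NS_WSSE, "SecurityTokenReference");
            if (tokenReference != null) {
                OMElement reference = DOMUtils.getChildElement(tokenReference, Constants.NS_WSSE, "Reference");
                if (reference != null) {
                    refValueType = reference.getAttributeValue(Constants.VALUETYPE_Q);
                    String uri = reference.getAttributeValue(Constants.URI_Q);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Reference Token URI in DerivedKeyToken element: " + uri);
                    }
                    if (refValueType == null) {
                        // The attributes come from the message; reject explicitly when absent.
                        throw new LoginException("Reference in the DerivedKeyToken has no ValueType attribute");
                    }
                    if (Constants.NS_WSC_SCT.equals(refValueType) || Constants.NS_WSC_SCT_13.equals(refValueType)) {
                        if (requireReferenceUri(uri).startsWith("#")) {
                            // Local reference: resolve the fragment to the token's UUID.
                            refTokenId = uri.substring(1);
                            refTokenUuid = SCTConsumeLoginModule.getUUIDByRef(refTokenId, messageContext, map, scNamespace);
                            keyInstance = (String) messageContext.getProperty(Constants.INSTANCE_FROM_MESSAGE);
                        } else {
                            refTokenUuid = uri;
                            keyInstance = reference.getAttributeValue(new QName(scNamespace, "Instance"));
                        }
                        final String uuid = refTokenUuid;
                        AccessController.doPrivileged(new PrivilegedAction<Object>() {
                            @Override
                            public Object run() {
                                dKToken.setSecurityContextTokenUUID(uuid);
                                return null;
                            }
                        });
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Key instance = " + keyInstance);
                        }
                    }
                    if (isKerberosApReqValueType(refValueType)) {
                        requireReferenceUri(uri);
                        refTokenId = uri.startsWith("#") ? uri.substring(1) : uri;
                    }
                } else {
                    OMElement keyIdentifier = DOMUtils.getChildElement(tokenReference, Constants.NS_WSSE, "KeyIdentifier");
                    if (keyIdentifier == null) {
                        throw new LoginException("SecurityTokenReference in the DerivedKeyToken has neither Reference nor KeyIdentifier");
                    }
                    String encodingType = keyIdentifier.getAttributeValue(Constants.ENCODINGTYPE_Q);
                    refValueType = keyIdentifier.getAttributeValue(Constants.VALUETYPE_Q);
                    int wssVersion = 0;
                    Object versionValue = this._context.get(Constants.WSS_VERSION);
                    if (versionValue instanceof Integer) {
                        wssVersion = ((Integer) versionValue).intValue();
                    }
                    QName encodingTypeName = DOMUtils.getQName(keyIdentifier, encodingType, wssVersion);
                    QName valueTypeName = DOMUtils.getQName(keyIdentifier, refValueType, wssVersion);
                    refTokenId = keyIdentifier.getText();
                    dKToken.setKeyIdentifierEncodingType(encodingTypeName);
                    dKToken.setKeyIdentifierValueType(valueTypeName);
                }
            }

            // The base token's secrets come from the shared state, not from the message.
            dKToken.setClientSecret((byte[]) this._sharedState.get(com.ibm.wsspi.wssecurity.core.Constants.BASE_TOKEN_CLIENT_SECRET));
            dKToken.setServerSecret((byte[]) this._sharedState.get(com.ibm.wsspi.wssecurity.core.Constants.BASE_TOKEN_SERVER_SECRET));
            dKToken.setBytes((byte[]) this._sharedState.get(com.ibm.wsspi.wssecurity.core.Constants.BASE_TOKEN_KEY_BYTES));
            dKToken.setrefTokenType("", refValueType);
            dKToken.setrefTokenId(refTokenId);

            int length = 0;
            OMElement lengthElement = DOMUtils.getChildElement(oMElement, scNamespace, "Length");
            if (lengthElement != null) {
                String lengthText = DOMUtils.getStringValue(lengthElement);
                if (lengthText != null) {
                    length = parseKeyLength(lengthText);
                }
            }
            dKToken.setLength(length);

            byte[] nonce = null;
            OMElement nonceElement = DOMUtils.getChildElement(oMElement, scNamespace, "Nonce");
            if (nonceElement != null) {
                String nonceText = DOMUtils.getStringValue(nonceElement);
                if (nonceText != null) {
                    nonce = Base64.decode(nonceText);
                }
            }
            dKToken.setNonce(nonce);

            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "refTokenId = " + refTokenId + ", refTokenUUID = " + refTokenUuid + ", ttype = " + refValueType);
                Tr.debug(tc, "Length = " + length);
                Tr.debug(tc, "nonce = " + (nonce != null ? "true" : "false"));
                Tr.debug(tc, "Key instance = " + keyInstance);
                Tr.debug(tc, "sct value type = " + sctValueType);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "consumeDKTokenElement(DKToken, OMElement, MessageContext, Map)");
        }
    }
}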
