package com.sun.identity.authentication.modules.safeword;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.Misc;
import com.iplanet.am.util.SystemProperties;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.InvalidPasswordException;
import com.sun.identity.common.Constants;
import java.io.UnsupportedEncodingException;
import java.security.Principal;
import java.security.Provider;
import java.security.Security;
import java.util.Locale;
import java.util.Map;
import java.util.ResourceBundle;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import securecomputing.ssl.SimpleSSLClient;
import securecomputing.swec.AuthenState;
import securecomputing.swec.AuthenticatorData;
import securecomputing.swec.DynamicPwdData;
import securecomputing.swec.Eassp2Const;
import securecomputing.swec.EasspMessage;
import securecomputing.swec.FixedPwdData;
import securecomputing.swec.SafeWordClient;
import securecomputing.swec.SwecConfig;
import sun.security.provider.Sun;

/* loaded from: input_file:119465-06/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/authentication/modules/safeword/SafeWord.class */
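/**
 * Access Manager login module that authenticates a user against a SafeWord
 * server over EASSP using the {@code securecomputing.swec} client library.
 *
 * <p>The login runs in two states. {@link #PAGE_USERNAME} reads the user id
 * (from the callback or from shared state), opens a {@link SafeWordClient},
 * asks the server for a challenge and, for a dynamic-password authenticator,
 * appends the challenge to the password prompt. {@link #PAGE_PASSWORD} sends
 * the user's response and either succeeds the login or throws. While the
 * challenge is outstanding a {@link TimeoutThread} closes the client once the
 * configured timeout has elapsed so an abandoned login does not keep a server
 * session open.
 *
 * <p>Creating the client temporarily reorders the JVM-wide JCA provider list
 * (see {@link #setSecurityProvider()}). That is process-global state shared
 * with every other thread in the server, so the whole switch / create /
 * restore sequence is serialised on {@link #PROVIDER_LOCK} and the previous
 * order is restored even when client creation fails.
 *
 * <p>Error conditions are reported through {@link AuthLoginException} keys in
 * the {@code amAuthSafeWord} resource bundle; a wrong response is reported as
 * {@link InvalidPasswordException} so the framework can count it as such.
 */
public class SafeWord extends AMLoginModule {
    /* Names of the SafeWord auth service attributes read from the module options. */
    private static final String ATTRIBUTE_SERVER_SPECIFICATION = "iplanet-am-auth-safeword-server-specification";
    private static final String ATTRIBUTE_SYSTEM_NAME = "iplanet-am-auth-safeword-system-name";
    private static final String ATTRIBUTE_SRVR_VERIF_PATH = "iplanet-am-auth-safeword-srvr-verif-path";
    private static final String ATTRIBUTE_LOG_ENABLE = "iplanet-am-auth-safeword-log-enable";
    private static final String ATTRIBUTE_LOG_LEVEL = "iplanet-am-auth-safeword-log-level";
    private static final String ATTRIBUTE_LOG_PATH = "iplanet-am-auth-safeword-log-path";
    private static final String ATTRIBUTE_AUTH_LEVEL = "iplanet-am-auth-safeword-auth-level";
    private static final String ATTRIBUTE_CLIENT_TYPE = "iplanet-am-auth-safeword-client-type";
    private static final String ATTRIBUTE_MINIMUM_STRENGTH = "iplanet-am-auth-safeword-minimum-strength";
    private static final String ATTRIBUTE_EASSP_VERSION = "iplanet-am-auth-safeword-eassp-version";
    private static final String ATTRIBUTE_TIMEOUT = "iplanet-am-auth-safeword-timeout";

    /* Defaults applied when an attribute is absent from the options. */
    private static final String DEFAULT_EASSP_VERSION = "101";
    private static final String DEFAULT_SERVER_SPECIFICATION = "localhost 7482";
    private static final String DEFAULT_TIMEOUT = "120";
    private static final String DEFAULT_MINIMUM_STRENGTH = "5";
    private static final String DEFAULT_LOG_LEVEL = "DEBUG";

    /* Login states the framework passes to process(). */
    private static final int PAGE_USERNAME = 1;
    private static final int PAGE_PASSWORD = 2;
    /** Value process() returns once the response has been verified (as in the original). */
    private static final int LOGIN_SUCCEEDED = -1;

    /*
     * EASSP reply message types as distinguished by the original code: 1 carries
     * a challenge, 3 carries a pass/fail result with no challenge.
     * TODO confirm the names against Eassp2Const.
     */
    private static final int MSG_TYPE_CHALLENGE = 1;
    private static final int MSG_TYPE_RESULT_ONLY = 3;

    /** Resource bundle and Debug instance name. */
    private static final String amAuthSafeWord = "amAuthSafeWord";
    private static final Debug debug = Debug.getInstance(amAuthSafeWord);
    private static final String DEFAULT_VAR_DIR = SystemProperties.get(Constants.AM_INSTALL_VARDIR);

    /** Serialises the JVM-global provider reordering; also guards {@link #isIAIKLoaded}. */
    private static final Object PROVIDER_LOCK = new Object();
    private static boolean isIAIKLoaded = false;

    /** How often the timeout thread re-checks the deadline. */
    private static final long TIMEOUT_POLL_MILLIS = 5000L;

    private ResourceBundle bundle = null;
    private Map sharedState;
    private Map options;

    /* Configuration read by initAuthConfig(). */
    private String serverSpec;
    private String serverVerifFilesPath = null;
    private String statusLogLevel;
    private String logEnabled = "ON";
    private String statusLogFilePath = null;
    private String authLevel;
    private int authLevelValue;
    private String clientType;
    private String minimumStrength;
    private String version;
    private String timeOut;
    private int timeOutSeconds;

    /* Per-login state. */
    private String userTokenId;
    private SafeWordPrincipal userPrincipal;
    private String challengeID;
    private boolean getCredentialsFromSharedState;
    private AuthenState aState = null;
    // Written by the login thread, read by TimeoutThread and closeClient() — hence volatile.
    private volatile SafeWordClient swClient = null;
    // Set once the user has submitted a response; tells TimeoutThread to stop.
    private volatile boolean passwordSubmitted = false;

    /* Provider switch bookkeeping, only touched while holding PROVIDER_LOCK. */
    private Provider defProv = null;
    private boolean switchProvider = false;

    /**
     * Closes the SafeWord client if no response has been submitted within the
     * configured timeout, so an abandoned challenge does not hold a server
     * session. Polls every {@link #TIMEOUT_POLL_MILLIS} and exits as soon as
     * the response has been submitted.
     */
    class TimeoutThread extends Thread {
        private final long start;
        private final long timeoutMillis;

        /**
         * @param start the {@code System.currentTimeMillis()} value the timeout counts from
         */
        TimeoutThread(long start) {
            this.start = start;
            // Multiply as long: the int product overflowed for large configured timeouts.
            this.timeoutMillis = timeOutSeconds * 1000L;
        }

        @Override
        public void run() {
            while (!passwordSubmitted) {
                if (System.currentTimeMillis() - start >= timeoutMillis) {
                    if (debug.messageEnabled()) {
                        debug.message("SafeWord challenge response timed out; closing client");
                    }
                    closeClient();
                    return;
                }
                try {
                    Thread.sleep(TIMEOUT_POLL_MILLIS);
                } catch (InterruptedException e) {
                    if (debug.messageEnabled()) {
                        debug.message("Error in timeout thread run : " + e);
                    }
                    // Re-assert the interrupt and stop polling instead of spinning on it.
                    Thread.currentThread().interrupt();
                    return;
                }
            }
        }
    }

    /**
     * Framework entry point: remembers the shared state and module options and
     * loads the locale-specific resource bundle.
     *
     * @param subject     the JAAS subject (unused here)
     * @param sharedState state shared with the other modules of the chain
     * @param options     the SafeWord auth service attributes
     */
    @Override
    public void init(Subject subject, Map sharedState, Map options) {
        Locale loginLocale = getLoginLocale();
        this.bundle = AMLoginModule.amCache.getResBundle(amAuthSafeWord, loginLocale);
        if (debug.messageEnabled()) {
            debug.message("SafeWord resource bundle locale = " + loginLocale);
        }
        this.options = options;
        this.sharedState = sharedState;
    }

    /**
     * Drives the two-state login described on the class.
     *
     * @param callbacks the callbacks submitted for {@code state}; may be empty when
     *                  credentials are expected from shared state
     * @param state     {@link #PAGE_USERNAME} or {@link #PAGE_PASSWORD}
     * @return the next state, or {@link #LOGIN_SUCCEEDED}
     * @throws AuthLoginException on any failure; when the user id came from shared
     *                            state the first failure instead re-prompts for it
     */
    @Override
    public int process(Callback[] callbacks, int state) throws AuthLoginException {
        try {
            switch (state) {
                case PAGE_USERNAME:
                    return processUserName(callbacks);
                case PAGE_PASSWORD:
                    return processPassword(callbacks);
                default:
                    if (debug.messageEnabled()) {
                        debug.message("Invalid login state: " + state);
                    }
                    setFailureID(this.userTokenId);
                    throw new AuthLoginException(amAuthSafeWord, "SafeWordInvalidState",
                            new Object[]{Integer.valueOf(state)});
            }
        } catch (AuthLoginException e) {
            // Make sure no client outlives a failed attempt; a retry opens a fresh one.
            closeClient();
            if (this.getCredentialsFromSharedState) {
                // Credentials inherited from an earlier module did not work: ask the user.
                this.getCredentialsFromSharedState = false;
                return PAGE_USERNAME;
            }
            setFailureID(this.userTokenId);
            throw e;
        }
    }

    /**
     * State {@link #PAGE_USERNAME}: reads configuration, determines the user id,
     * opens the client and requests the challenge.
     *
     * @return the next state
     */
    private int processUserName(Callback[] callbacks) throws AuthLoginException {
        initAuthConfig();
        this.passwordSubmitted = false;
        if (callbacks == null || callbacks.length == 0) {
            // No callbacks submitted: use the user id an earlier module left in shared state.
            this.userTokenId = (String) this.sharedState.get(getUserKey());
            if (this.userTokenId == null) {
                return PAGE_USERNAME;
            }
            this.getCredentialsFromSharedState = true;
        } else {
            this.userTokenId = getUserName(callbacks);
        }
        initSafeWordClient();
        if (sendRequestForChallengeID()) {
            setDynamicText(PAGE_PASSWORD);
        }
        if (DEFAULT_EASSP_VERSION.equals(this.version)) {
            // The original arms the timeout only for EASSP 101; kept as-is.
            TimeoutThread watchdog = new TimeoutThread(System.currentTimeMillis());
            watchdog.setDaemon(true);
            watchdog.start();
        }
        return PAGE_PASSWORD;
    }

    /**
     * State {@link #PAGE_PASSWORD}: sends the user's response to the server.
     *
     * @return {@link #LOGIN_SUCCEEDED}
     */
    private int processPassword(Callback[] callbacks) throws AuthLoginException {
        String password = getPassword(callbacks);
        // Shared-state handoff for later modules in the chain (as in the original,
        // stored before verification).
        storeUsernamePasswd(this.userTokenId, password);
        this.passwordSubmitted = true;
        authenticate(password);
        return LOGIN_SUCCEEDED;
    }

    /**
     * @return the authenticated principal, or {@code null} before a user id is known
     */
    @Override
    public Principal getPrincipal() {
        if (this.userPrincipal == null && this.userTokenId != null) {
            this.userPrincipal = new SafeWordPrincipal(this.userTokenId);
        }
        return this.userPrincipal;
    }

    /** Clears the per-login identity so the instance can be reused. */
    @Override
    public void destroyModuleState() {
        this.userTokenId = null;
        this.userPrincipal = null;
    }

    /** Drops references to configuration and protocol state after the login completes. */
    @Override
    public void nullifyUsedVars() {
        this.bundle = null;
        this.sharedState = null;
        this.serverSpec = null;
        this.serverVerifFilesPath = null;
        this.statusLogLevel = null;
        this.logEnabled = null;
        this.statusLogFilePath = null;
        this.authLevel = null;
        this.clientType = null;
        this.minimumStrength = null;
        this.version = null;
        this.aState = null;
        this.challengeID = null;
        this.options = null;
        this.defProv = null;
    }

    /**
     * Loads the IAIK provider (once per JVM) at position 2 and, if the SUN provider
     * is not already the default, moves it to position 1, remembering the previous
     * default so {@link #resetProvider()} can restore it.
     *
     * <p>This mutates the JVM-global provider order seen by all threads. The caller
     * must hold {@link #PROVIDER_LOCK}. Failures are logged, not thrown.
     */
    private void setSecurityProvider() {
        try {
            Provider[] providers = Security.getProviders();
            if (!isIAIKLoaded) {
                // Loaded reflectively so the module compiles without the IAIK jar present.
                Provider provider = (Provider) Class.forName("iaik.security.provider.IAIK").newInstance();
                Security.removeProvider(provider.getName());
                if (debug.messageEnabled()) {
                    debug.message("Loaded provider : " + provider.getInfo());
                }
                Security.insertProviderAt(provider, 2);
                isIAIKLoaded = true;
            }
            this.defProv = providers[0];
            Sun sun = new Sun();
            if (debug.messageEnabled()) {
                debug.message("default provider: " + this.defProv.getName()
                        + ", sun provider: " + sun.getName());
            }
            if (!this.defProv.getName().equals(sun.getName())) {
                Security.removeProvider(sun.getName());
                Security.insertProviderAt(sun, 1);
                this.switchProvider = true;
            }
            if (debug.messageEnabled()) {
                StringBuilder names = new StringBuilder();
                for (Provider current : Security.getProviders()) {
                    names.append("\t").append(current.getName()).append("\n");
                }
                debug.message("Current providers = " + names);
            }
        } catch (ClassNotFoundException e) {
            debug.message("Provider IAIK not found. Add iaik_jce.jar or iaik_jce_full.jar to your classpath.");
        } catch (Exception e) {
            if (debug.messageEnabled()) {
                debug.message("Error in 'setSecurityProvider' : " + e);
            }
        }
    }

    /**
     * Restores the default provider recorded by {@link #setSecurityProvider()}.
     * The caller must hold {@link #PROVIDER_LOCK}.
     */
    private void resetProvider() {
        if (this.switchProvider) {
            debug.message("resetting provider ...");
            Security.removeProvider(this.defProv.getName());
            Security.insertProviderAt(this.defProv, 1);
            this.switchProvider = false;
            this.defProv = null;
        }
    }

    /**
     * Reads the module options into fields, applying defaults and deriving the
     * verification-file and log paths under the install var directory.
     *
     * @throws AuthLoginException ({@code SafeWordOptInit}) when the options are
     *                            missing or the timeout / auth level is not an integer
     */
    private void initAuthConfig() throws AuthLoginException {
        if (this.options == null) {
            debug.error("options is null");
            throw new AuthLoginException(amAuthSafeWord, "SafeWordOptInit", null);
        }
        this.serverSpec = Misc.getMapAttr(this.options, ATTRIBUTE_SERVER_SPECIFICATION, DEFAULT_SERVER_SPECIFICATION);
        this.version = Misc.getMapAttr(this.options, ATTRIBUTE_EASSP_VERSION, DEFAULT_EASSP_VERSION);
        this.serverVerifFilesPath = Misc.getMapAttr(this.options, ATTRIBUTE_SRVR_VERIF_PATH);
        if (this.serverVerifFilesPath == null) {
            this.serverVerifFilesPath = getServerConfigPath();
        }
        String logEnable = Misc.getMapAttr(this.options, ATTRIBUTE_LOG_ENABLE, "true");
        this.logEnabled = "false".equals(logEnable) ? "OFF" : "ON";
        this.statusLogLevel = Misc.getMapAttr(this.options, ATTRIBUTE_LOG_LEVEL, DEFAULT_LOG_LEVEL);
        this.statusLogFilePath = Misc.getMapAttr(this.options, ATTRIBUTE_LOG_PATH);
        if (this.statusLogFilePath == null) {
            this.statusLogFilePath = getServerLogPath();
        }
        this.authLevel = Misc.getMapAttr(this.options, ATTRIBUTE_AUTH_LEVEL);
        this.clientType = Misc.getMapAttr(this.options, ATTRIBUTE_CLIENT_TYPE);
        this.minimumStrength = Misc.getMapAttr(this.options, ATTRIBUTE_MINIMUM_STRENGTH, DEFAULT_MINIMUM_STRENGTH);
        this.timeOut = Misc.getMapAttr(this.options, ATTRIBUTE_TIMEOUT, DEFAULT_TIMEOUT);
        // Validate the numeric attributes up front so a misconfiguration fails the
        // login here, with a clear log line, rather than after the server round trip.
        this.timeOutSeconds = parseIntAttr(ATTRIBUTE_TIMEOUT, this.timeOut);
        this.authLevelValue = parseIntAttr(ATTRIBUTE_AUTH_LEVEL, this.authLevel);
        if (debug.messageEnabled()) {
            debug.message("SafeWord Auth config parameters:\n"
                    + ATTRIBUTE_SERVER_SPECIFICATION + ": " + this.serverSpec + "\n"
                    + ATTRIBUTE_SRVR_VERIF_PATH + ": " + this.serverVerifFilesPath + "\n"
                    + ATTRIBUTE_TIMEOUT + ": " + " timeOut: " + this.timeOut + "\n"
                    + ATTRIBUTE_LOG_ENABLE + ": " + this.logEnabled + "\n"
                    + ATTRIBUTE_LOG_LEVEL + ": " + this.statusLogLevel + "\n"
                    + ATTRIBUTE_LOG_PATH + ": " + this.statusLogFilePath + "\n"
                    + ATTRIBUTE_EASSP_VERSION + ": " + this.version + "\n"
                    + ATTRIBUTE_CLIENT_TYPE + ": " + this.clientType + "\n"
                    + ATTRIBUTE_MINIMUM_STRENGTH + ": " + this.minimumStrength + "\n"
                    + ATTRIBUTE_AUTH_LEVEL + ": " + this.authLevel + "\n");
        }
    }

    /**
     * Parses an integer option value.
     *
     * @throws AuthLoginException ({@code SafeWordOptInit}) when {@code value} is
     *                            {@code null} or not an integer
     */
    private static int parseIntAttr(String attrName, String value) throws AuthLoginException {
        try {
            return Integer.parseInt(value);
        } catch (NumberFormatException e) {
            debug.error(attrName + " is not an integer: " + value);
            throw new AuthLoginException(amAuthSafeWord, "SafeWordOptInit", null, e);
        }
    }

    /**
     * @param callbacks non-empty; the first entry must be the user-name callback
     * @return the submitted user name
     */
    private String getUserName(Callback[] callbacks) throws AuthLoginException {
        return ((NameCallback) callbacks[0]).getName();
    }

    /**
     * Builds the client configuration from the module options and creates the
     * {@link SafeWordClient}. The provider switch, configuration (including the
     * SSL random seeding for EASSP 20x) and client creation run as one unit under
     * {@link #PROVIDER_LOCK}, and the provider order is restored even on failure.
     *
     * @throws AuthLoginException ({@code SafeWordNewSWClient}) if the client cannot be created
     */
    private void initSafeWordClient() throws AuthLoginException {
        synchronized (PROVIDER_LOCK) {
            setSecurityProvider();
            try {
                SwecConfig swecConfig = buildSwecConfig();
                debug.message("About to get new SafeWordClient");
                this.swClient = new SafeWordClient(swecConfig);
                if (debug.messageEnabled()) {
                    debug.message("New SafeWordClient: " + this.swClient.getResultText());
                }
                debug.message("Done init new SafeWordClient");
            } catch (Exception e) {
                debug.error("Failed to create new SafeWordClient.", e);
                throw new AuthLoginException(amAuthSafeWord, "SafeWordNewSWClient", null, e);
            } finally {
                resetProvider();
            }
        }
    }

    /** Maps the module configuration onto a {@link SwecConfig}; SSL is enabled for EASSP 200/201. */
    private SwecConfig buildSwecConfig() {
        SwecConfig swecConfig = new SwecConfig();
        swecConfig.setDefaults();
        swecConfig.setProperty(SwecConfig.EASSP_VERSION, this.version);
        swecConfig.setProperty(SwecConfig.SERVER_SPEC, this.serverSpec);
        swecConfig.setProperty(SwecConfig.SERVER_VERIFICATION_FILES_PATH, this.serverVerifFilesPath);
        swecConfig.setProperty(SwecConfig.STATUS_LOG_FILE_PATH, this.statusLogFilePath);
        swecConfig.setProperty(SwecConfig.SOCKET_TIMEOUT, this.timeOut);
        swecConfig.setProperty(SwecConfig.FILE_STATUS_LOG_ENABLE, this.logEnabled);
        swecConfig.setProperty("GLOBAL_Message_Level", this.statusLogLevel);
        boolean eassp20x = Eassp2Const.SWEC_PROTOCOL_VERSION_201_STR.equals(this.version)
                || Eassp2Const.SWEC_PROTOCOL_VERSION_200_STR.equals(this.version);
        if (eassp20x) {
            if (debug.messageEnabled()) {
                debug.message("Set 20x specific configuration - EASSP Ver: " + this.version);
            }
            swecConfig.setProperty(SwecConfig.SSL_ENABLE, "ON");
            SimpleSSLClient.seedRandomGenerator();
        }
        return swecConfig;
    }

    /**
     * Sends the user-id request and interprets the reply.
     *
     * @return {@code true} if the server issued a dynamic-password challenge (now in
     *         {@link #challengeID}); {@code false} for a fixed-password authenticator
     * @throws AuthLoginException for an empty or non-ASCII user id, an unsupported
     *                            authenticator, a result-only reply, an unknown message
     *                            type, or a transport error ({@code SafeWordEasspError})
     */
    private boolean sendRequestForChallengeID() throws AuthLoginException {
        if (this.userTokenId == null || this.userTokenId.length() == 0) {
            closeClient();
            throw new AuthLoginException(amAuthSafeWord, "SafeWordUserIdNull", null);
        }
        if (!isAscii(this.userTokenId)) {
            closeClient();
            throw new AuthLoginException(amAuthSafeWord, "SafeWordUseridNotASCII", null);
        }
        try {
            EasspMessage request = this.swClient.createRequestMsg(this.userTokenId, "name");
            if (debug.messageEnabled()) {
                debug.message("Submitting requestMsg for userID: " + this.userTokenId);
            }
            request.setAgentName(this.clientType);
            request.setClientType(this.clientType);
            request.setAuthenticationRequirements(true, this.minimumStrength, null);
            EasspMessage reply = this.swClient.sendMessage(request);
            String idData = reply.getIdData();
            String statusText = reply.getStatusText();
            int messageType = reply.getMessageType();

            if (messageType == MSG_TYPE_CHALLENGE) {
                if (debug.messageEnabled()) {
                    debug.message("Received challenge to auth request by " + idData);
                }
                this.aState = new AuthenState(reply);
                AuthenticatorData current = this.aState.getCurrentAuthenticator();
                if (current instanceof FixedPwdData) {
                    debug.message("Current Authenticator Fixed Password");
                    return false;
                }
                if (current instanceof DynamicPwdData) {
                    debug.message("Current Authenticator Dynamic Password");
                    this.challengeID = ((DynamicPwdData) current).getChallenge();
                    return true;
                }
                // Any other authenticator type is unsupported; previously this fell
                // through to the "only id sent" handling below.
                debug.error("Received Non-Dynamic Authenticator");
                setFailureID(this.userTokenId);
                closeClient();
                throw new AuthLoginException(amAuthSafeWord, "SafeWordUnsupportedAuthenticator", null);
            }
            if (messageType != MSG_TYPE_RESULT_ONLY) {
                closeClient();
                setFailureID(this.userTokenId);
                debug.error("Authentication Failed, unknown return value: " + messageType);
                throw new AuthLoginException(amAuthSafeWord, "SafeWordLoginFailedUnknown", new Object[]{statusText});
            }
            // Result without a challenge: the server decided on the id alone.
            closeClient();
            if (reply.passedCheck()) {
                debug.error("Successful Authentication, but only id sent. Msg: " + statusText);
                setFailureID(this.userTokenId);
                throw new AuthLoginException(amAuthSafeWord, "SafeWordSuccessOnlyUserID", new Object[]{statusText});
            }
            debug.error("Authentication Failed, only id sent. Check for lockout on server. Msg: " + statusText);
            setFailureID(this.userTokenId);
            throw new AuthLoginException(amAuthSafeWord, "SafeWordLoginFailed", new Object[]{statusText});
        } catch (AuthLoginException e) {
            // Our own verdicts pass through; previously they were re-wrapped as SafeWordEasspError.
            throw e;
        } catch (Exception e) {
            debug.error("Failed to send/receive eassp message :", e);
            closeClient();
            throw new AuthLoginException(amAuthSafeWord, "SafeWordEasspError", null, e);
        }
    }

    /**
     * Rewrites the password prompt of the given state so it shows the challenge
     * as {@code "<prompt>[<challengeID>]: "}.
     *
     * @param state the login state whose first callback is the password callback
     */
    private void setDynamicText(int state) throws AuthLoginException {
        Callback[] callback = getCallback(state);
        PasswordCallback original = (PasswordCallback) callback[0];
        String prompt = original.getPrompt();
        if (debug.messageEnabled()) {
            debug.message("Set dynamic text: challengeID: " + this.challengeID);
        }
        if (this.challengeID != null) {
            prompt = prompt + "[" + this.challengeID + "]: ";
        }
        callback[0] = new PasswordCallback(prompt, original.isEchoOn());
        replaceCallback(state, 0, callback[0]);
    }

    /**
     * Extracts the submitted response and clears it from the callback.
     *
     * <p>The value has to be handed on as a {@code String} (the client API and
     * {@code storeUsernamePasswd} take strings), so it cannot be wiped afterwards.
     *
     * @return the response, or {@code ""} when no callback or no password was submitted
     */
    private String getPassword(Callback[] callbacks) throws AuthLoginException {
        if (callbacks == null || callbacks.length == 0) {
            return "";
        }
        PasswordCallback passwordCallback = (PasswordCallback) callbacks[0];
        char[] chars = passwordCallback.getPassword();
        String password = (chars == null) ? "" : new String(chars);
        passwordCallback.clearPassword();
        return password;
    }

    /**
     * Sends the challenge response, closes the client and records the auth level
     * on success.
     *
     * @param response the user's response to the challenge
     * @throws InvalidPasswordException ({@code SafeWordChallFailed}) when the server rejects it
     * @throws AuthLoginException for an empty or non-ASCII response, a client that was
     *                            already closed (timeout), an unsupported authenticator,
     *                            or a transport error
     */
    private void authenticate(String response) throws AuthLoginException {
        if (response == null || response.length() == 0) {
            if (debug.messageEnabled()) {
                debug.message(this.userTokenId + " supplied no challenge response");
            }
            closeClient();
            throw new AuthLoginException(amAuthSafeWord, "SafeWordNoChallRsp", null);
        }
        if (!isAscii(response)) {
            closeClient();
            throw new AuthLoginException(amAuthSafeWord, "SafeWordChalRspNotASCII", null);
        }
        if (this.swClient == null || this.aState == null) {
            // The timeout thread already closed the client, or state 1 never completed.
            debug.error("SafeWord client is no longer available; the challenge may have timed out");
            throw new AuthLoginException(amAuthSafeWord, "SafeWordEasspError", null);
        }
        try {
            int authenComboCount = this.aState.getAuthenComboCount();
            if (authenComboCount > 1 && debug.messageEnabled()) {
                debug.message("Authenticator Combo (" + authenComboCount + " authenticators) not supported");
            }
            if (debug.messageEnabled()) {
                debug.message("Anthenticator Combo count = " + authenComboCount);
            }
            AuthenticatorData current = this.aState.getCurrentAuthenticator();
            debug.message("Checking challenge response return message type");
            if (current instanceof FixedPwdData) {
                ((FixedPwdData) current).setPwd(response);
            } else if (current instanceof DynamicPwdData) {
                ((DynamicPwdData) current).setPwd(response);
            } else {
                closeClient();
                debug.error("Received unknown Authenticator");
                throw new AuthLoginException(amAuthSafeWord, "SafeWordUnsupportedAuthenticator", null);
            }
            debug.message("Challenge response return message type Dynamic");
            EasspMessage responseMsg = this.swClient.createResponseMsg(this.aState);
            debug.message("After creating new responseMsg");
            responseMsg.setAgentName(this.clientType);
            responseMsg.setClientType(this.clientType);
            responseMsg.setAuthenticationRequirements(true, this.minimumStrength, null);
            EasspMessage reply = this.swClient.sendMessage(responseMsg);
            debug.message("After creating new returnMsg");
            String idData = reply.getIdData();
            String statusText = reply.getStatusText();
            if (debug.messageEnabled()) {
                debug.message("Challenge response returns '" + statusText + "' for userid " + idData);
            }
            closeClient();
            if (!reply.passedCheck()) {
                debug.error("SafeWord authentication failed for userid = " + this.userTokenId + ", id = " + idData);
                throw new InvalidPasswordException(amAuthSafeWord, "SafeWordChallFailed", null, this.userTokenId, null);
            }
            if (debug.messageEnabled()) {
                debug.message("Authentication successful for userid = " + this.userTokenId + ", id = " + idData);
            }
            // authLevelValue was validated in initAuthConfig(), so this cannot fail after
            // the server has accepted the response.
            setAuthLevel(this.authLevelValue);
        } catch (AuthLoginException e) {
            // Includes InvalidPasswordException: previously the generic catch below swallowed
            // it and re-closed the already-closed client.
            throw e;
        } catch (Exception e) {
            closeClient();
            debug.error("Failed to send/receive eassp message :", e);
            throw new AuthLoginException(amAuthSafeWord, "SafeWordEasspError", null, e);
        }
    }

    /** @return {@code true} if every char of {@code s} is 7-bit ASCII */
    private static boolean isAscii(String s) {
        for (int k = 0; k < s.length(); k++) {
            if (s.charAt(k) > 0x7F) {
                return false;
            }
        }
        return true;
    }

    /** @return the server-verification directory, defaulting to {@code <vardir>/auth/safeword/serverVerification} */
    private String getServerConfigPath() {
        if (this.serverVerifFilesPath == null) {
            this.serverVerifFilesPath = DEFAULT_VAR_DIR + "/auth/safeword/serverVerification";
        }
        return this.serverVerifFilesPath;
    }

    /** @return the client status log path, defaulting to {@code <vardir>/auth/safeword/safe.log} */
    private String getServerLogPath() {
        if (this.statusLogFilePath == null) {
            this.statusLogFilePath = DEFAULT_VAR_DIR + "/auth/safeword/safe.log";
        }
        return this.statusLogFilePath;
    }

    /**
     * Closes and drops the SafeWord client. Idempotent and safe to call from the
     * login thread and {@link TimeoutThread} concurrently: the second caller
     * finds no client and returns (previously it dereferenced {@code null}).
     * (Private in the original source; the decompiler widened it.)
     */
    public synchronized void closeClient() {
        SafeWordClient client = this.swClient;
        if (client != null) {
            this.swClient = null;
            client.close();
        }
    }
}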
