package weblogic.security.utils;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import weblogic.descriptor.BeanUpdateEvent;
import weblogic.descriptor.BeanUpdateListener;
import weblogic.descriptor.BeanUpdateRejectedException;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.management.configuration.SecurityConfigurationMBean;
import weblogic.security.HMAC;
import weblogic.security.SecurityLogger;
import weblogic.security.SecurityRuntimeAccess;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.utils.LocatorUtilities;
import weblogic.utils.encoders.BASE64Decoder;
import weblogic.utils.encoders.BASE64Encoder;

/* loaded from: input_file:weblogic/security/utils/RequestSigner.class */
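/**
 * Signs and verifies server-to-server requests with an HMAC keyed by the
 * domain-wide credential ({@code SecurityConfigurationMBean.getCredential()}).
 *
 * <p>The signed data is {@code timestamp || clientServerName || targetServerName}
 * (see {@link #createDataBuffer}). A fresh 16-byte random nonce is handed to
 * {@link HMAC#digest} together with the key and travels with the request, base64
 * encoded, in the {@link SignedRequestInfo}. Verification checks, in order: that
 * every field is present, that the MAC verifies, that the timestamp is not older
 * than {@code NonceTimeoutSeconds}, and that the {@code nonce:timestamp} pair has
 * not already been accepted from that client server (the caller may allow exactly
 * one deliberate repeat). Replay detection as a whole can be switched off with
 * {@code -Dweblogic.security.disableNonceCache=true}.
 *
 * <p>Caveats a deployer should know about. They are left as they are because every
 * server in the domain must compute byte-identical signatures:
 * <ul>
 *   <li>the three signed fields are concatenated without a delimiter or length
 *       prefix, so two different (client, target) splits of the same byte string
 *       produce the same MAC, and the replay cache is keyed per client name;</li>
 *   <li>only staleness is checked - a MAC-valid request whose timestamp lies in
 *       the future is accepted for as long as it stays ahead of the clock;</li>
 *   <li>the key bytes are derived from the credential once, with the platform
 *       default charset, and cached for the life of the JVM; the configuration
 *       listener only tracks {@code NonceTimeoutSeconds}, not the credential.</li>
 * </ul>
 *
 * <p>Singleton, obtained through {@link #getInstance()}.
 */
public class RequestSigner {
    private static final String CACHE_KEY_DELIM = ":";
    /** Length of the random nonce fed to the HMAC and sent with the request. */
    private static final int NONCE_BYTES = 16;
    /** Replay-cache capacity per client for a nonce timeout of up to one minute. */
    private static final int CACHE_BASE_CAPACITY = 1024;
    /** Charset for the signed fields. UTF-8 is always available, so no fallback is needed. */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Declaration order is class-initialisation order. theSigner is built eagerly and
    // its constructor reaches into the runtime, so it is kept last: everything it or
    // the listener it registers may read must already be initialised.
    private static final AuthenticatedSubject KERNEL_ID =
            (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    private static final boolean disableNonceCache = Boolean.getBoolean("weblogic.security.disableNonceCache");
    private static final DebugLogger debugLogger = DebugLogger.getDebugLogger("DebugSecurityRealm");
    private static final RequestSigner theSigner = new RequestSigner();

    /** Key bytes; written once under RequestSigner.class and published through the volatile flag below. */
    private byte[] domainWideSecret = null;
    private volatile boolean gotSecret = false;
    /** Replay caches keyed by client server name. Iterate only while holding the map's own monitor. */
    private final Map<String, TTLLRUCache> serverNonceCaches =
            Collections.synchronizedMap(new HashMap<String, TTLLRUCache>());

    /** Lazy holder for the SecurityRuntimeAccess service, looked up once with privileges. */
    private static final class SecurityRuntimeAccessService {
        private static final SecurityRuntimeAccess runtimeAccess =
                AccessController.doPrivileged(new PrivilegedAction<SecurityRuntimeAccess>() {
                    @Override
                    public SecurityRuntimeAccess run() {
                        return (SecurityRuntimeAccess) LocatorUtilities.getService(SecurityRuntimeAccess.class);
                    }
                });

        private SecurityRuntimeAccessService() {
        }
    }

    private RequestSigner() {
        addBeanUpdateListener();
    }

    /** @return the process-wide signer. */
    public static RequestSigner getInstance() {
        return theSigner;
    }

    /**
     * Produces a signed request for {@code targetServerName} on behalf of this server.
     *
     * @param authenticatedSubject must be the kernel identity; anything else is
     *                             rejected by {@link SecurityServiceManager#checkKernelIdentity}
     * @param targetServerName     name of the server the request is addressed to
     * @return the signature, timestamp, both server names and the nonce, with the
     *         signature and nonce base64 encoded
     * @throws IllegalArgumentException if {@code targetServerName} is null or empty
     */
    public SignedRequestInfo signRequest(AuthenticatedSubject authenticatedSubject, String targetServerName) {
        SecurityServiceManager.checkKernelIdentity(authenticatedSubject);
        if (targetServerName == null || targetServerName.isEmpty()) {
            throw new IllegalArgumentException("targetServerName must not be null or empty");
        }
        // NOTE(review): the nonce must be unpredictable; confirm getFastRandomBytes is CSPRNG-backed.
        byte[] nonce = SecurityServiceManager.getFastRandomBytes(NONCE_BYTES);
        String clientServerName = SecurityRuntimeAccessService.runtimeAccess.getServerName();
        String timeStamp = Long.toString(System.currentTimeMillis());
        byte[] signature = HMAC.digest(createDataBuffer(clientServerName, targetServerName, timeStamp), getSecret(), nonce);
        BASE64Encoder encoder = new BASE64Encoder();
        SignedRequestInfo info = new SignedRequestInfo(
                encoder.encodeBuffer(signature), timeStamp, clientServerName, targetServerName, encoder.encodeBuffer(nonce));
        if (debugLogger.isDebugEnabled()) {
            // Prints the whole SignedRequestInfo (signature and nonce included, presumably); never the key.
            debugLogger.debug("Request signer signRequest - " + info);
        }
        return info;
    }

    /**
     * Verifies a signed request: field presence, MAC, freshness, then replay.
     *
     * @param signedRequestInfo the request to check; null or any null field fails
     * @param allowOneRepeat    when a nonce is seen for the first time, whether one
     *                          further presentation of the same nonce:timestamp from
     *                          the same client server is to be accepted
     * @return true if the request is accepted
     */
    public boolean verify(SignedRequestInfo signedRequestInfo, boolean allowOneRepeat) {
        if (!isComplete(signedRequestInfo)) {
            debug("Request signer verify - invalid info");
            return false;
        }
        if (!hasValidSignature(signedRequestInfo)) {
            return false;
        }
        if (!isWithinTimeout(signedRequestInfo)) {
            return false;
        }
        if (disableNonceCache) {
            // Replay protection switched off by system property: a MAC-valid, unexpired
            // request is then accepted however many times it is presented.
            return true;
        }
        return acceptNonce(signedRequestInfo, allowOneRepeat);
    }

    /** True when the info and every field the signature covers are non-null. */
    private static boolean isComplete(SignedRequestInfo info) {
        return info != null
                && info.getNonce() != null
                && info.getClientServerName() != null
                && info.getTimeStamp() != null
                && info.getSignature() != null
                && info.getTargetServerName() != null;
    }

    /** Decodes nonce and signature and checks the MAC over the rebuilt data buffer. */
    private boolean hasValidSignature(SignedRequestInfo info) {
        try {
            BASE64Decoder decoder = new BASE64Decoder();
            byte[] nonce = decoder.decodeBuffer(info.getNonce());
            byte[] signature = decoder.decodeBuffer(info.getSignature());
            byte[] data = createDataBuffer(info.getClientServerName(), info.getTargetServerName(), info.getTimeStamp());
            if (debugLogger.isDebugEnabled()) {
                debugLogger.debug("Request signer verify - " + info);
            }
            // NOTE(review): assumes HMAC.verify compares the MACs in constant time - confirm.
            if (HMAC.verify(signature, data, getSecret(), nonce)) {
                return true;
            }
            debug("Request signer verify - HMAC did not verify");
            return false;
        } catch (IOException e) {
            if (debugLogger.isDebugEnabled()) {
                debugLogger.debug("Request signer verify - exception creating data buffer: ", e);
            }
            return false;
        }
    }

    /** Rejects timestamps that are unparsable or older than NonceTimeoutSeconds. */
    private static boolean isWithinTimeout(SignedRequestInfo info) {
        long issuedAt;
        try {
            issuedAt = Long.parseLong(info.getTimeStamp());
        } catch (NumberFormatException e) {
            if (debugLogger.isDebugEnabled()) {
                debugLogger.debug("Request signer verify - number format exception: ", e);
            }
            return false;
        }
        long now = System.currentTimeMillis();
        // Widen before multiplying: int arithmetic overflowed for timeouts above ~24 days
        // (2^31 ms), which turned the window negative and rejected every request.
        long windowMillis = nonceTimeoutSeconds() * 1000L;
        // Only staleness is checked. NOTE(review): a MAC-valid timestamp in the future passes
        // for as long as it stays ahead of the clock, and once its replay-cache entry has aged
        // out it can be presented again; consider also rejecting issuedAt - now > windowMillis.
        if (now - issuedAt > windowMillis) {
            if (debugLogger.isDebugEnabled()) {
                debugLogger.debug("Request signer verify - expired request. noncetime: " + issuedAt + " currenttime: " + now);
            }
            SecurityLogger.logConnectionNonceExpired();
            return false;
        }
        return true;
    }

    /**
     * Records the nonce:timestamp pair in the per-client replay cache.
     *
     * @return true on first sight, or on the one repeat the first sighting allowed;
     *         false on any further repeat
     */
    private boolean acceptNonce(SignedRequestInfo info, boolean allowOneRepeat) {
        TTLLRUCache cache = getServerNonceCache(info.getClientServerName());
        String key = info.getNonce() + CACHE_KEY_DELIM + info.getTimeStamp();
        synchronized (cache) {
            // Look up before purging so an entry that is expired but still present is
            // treated as seen, exactly as before.
            boolean seen = cache.containsKey(key);
            boolean repeatStillAllowed = seen && ((Boolean) cache.get(key)).booleanValue();
            cache.removeExpiredEntries();
            if (debugLogger.isDebugEnabled()) {
                debugLogger.debug("Request signer size after remove: " + cache.size());
            }
            if (!seen) {
                cache.put(key, Boolean.valueOf(allowOneRepeat));
                return true;
            }
            debug("Request signer verify - nonce in cache");
            if (!repeatStillAllowed) {
                return false;
            }
            debug("Request signer verify - nonce is repeated once");
            // Consume the single allowed repeat.
            cache.put(key, Boolean.FALSE);
            return true;
        }
    }

    /**
     * Returns the HMAC key: the domain credential read as the kernel identity.
     *
     * <p>Double-checked: the volatile write of {@code gotSecret} after the array
     * assignment publishes {@code domainWideSecret} to readers that see the flag set.
     * The platform default charset is kept deliberately - every server in the domain
     * must derive the same key bytes and changing it here would break verification
     * against peers on the old code. NOTE(review): the value is never refreshed; a
     * credential change only takes effect after a restart.
     */
    private byte[] getSecret() {
        if (!this.gotSecret) {
            synchronized (RequestSigner.class) {
                if (!this.gotSecret) {
                    String credential = (String) SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new PrivilegedAction() {
                        @Override
                        public Object run() {
                            return SecurityRuntimeAccessService.runtimeAccess.getDomain().getSecurityConfiguration().getCredential();
                        }
                    });
                    this.domainWideSecret = credential.getBytes();
                    this.gotSecret = true;
                }
            }
        }
        return this.domainWideSecret;
    }

    /** Current NonceTimeoutSeconds from the domain's security configuration. */
    private static int nonceTimeoutSeconds() {
        return SecurityRuntimeAccessService.runtimeAccess.getDomain().getSecurityConfiguration().getNonceTimeoutSeconds();
    }

    /**
     * Returns the replay cache for {@code clientServerName}, creating it on first use.
     * Capacity is 1024 entries per minute of timeout (minimum 1024). Judging by the
     * cache's name, entries beyond that are evicted regardless of age, so a client
     * sending more requests than this per window could see an accepted nonce forgotten
     * early - confirm TTLLRUCache's eviction policy when sizing the timeout.
     */
    private synchronized TTLLRUCache getServerNonceCache(String clientServerName) {
        TTLLRUCache cache = this.serverNonceCaches.get(clientServerName);
        if (cache == null) {
            int ttlSeconds = nonceTimeoutSeconds();
            int capacity = ttlSeconds > 60 ? (ttlSeconds / 60) * CACHE_BASE_CAPACITY : CACHE_BASE_CAPACITY;
            cache = new TTLLRUCache(capacity, ttlSeconds);
            this.serverNonceCaches.put(clientServerName, cache);
        }
        return cache;
    }

    /**
     * Builds the bytes the MAC is computed over: {@code timeStamp || clientServerName || targetServerName}, UTF-8.
     *
     * <p>NOTE(review): there is no delimiter or length prefix between the fields, so
     * e.g. (client "ab", target "c") and (client "a", target "bc") sign identically,
     * and the replay cache is keyed by the client name presented. Not changed here
     * because every server in the domain must build the identical buffer.
     */
    private static byte[] createDataBuffer(String clientServerName, String targetServerName, String timeStamp) {
        byte[] ts = timeStamp.getBytes(UTF8);
        byte[] client = clientServerName.getBytes(UTF8);
        byte[] target = targetServerName.getBytes(UTF8);
        byte[] data = new byte[ts.length + client.length + target.length];
        System.arraycopy(ts, 0, data, 0, ts.length);
        System.arraycopy(client, 0, data, ts.length, client.length);
        System.arraycopy(target, 0, data, ts.length + client.length, target.length);
        return data;
    }

    /**
     * Propagates a changed NonceTimeoutSeconds to every existing replay cache.
     * Caches created afterwards read the new value from configuration themselves.
     */
    private void addBeanUpdateListener() {
        SecurityRuntimeAccessService.runtimeAccess.getDomain().getSecurityConfiguration().addBeanUpdateListener(new BeanUpdateListener() {
            @Override
            public void prepareUpdate(BeanUpdateEvent beanUpdateEvent) throws BeanUpdateRejectedException {
            }

            @Override
            public void activateUpdate(BeanUpdateEvent beanUpdateEvent) {
                if (!(beanUpdateEvent.getProposedBean() instanceof SecurityConfigurationMBean)) {
                    return;
                }
                if (!touchesNonceTimeout(beanUpdateEvent.getUpdateList())) {
                    return;
                }
                int ttlSeconds = ((SecurityConfigurationMBean) beanUpdateEvent.getProposedBean()).getNonceTimeoutSeconds();
                // A synchronizedMap's views are not safe to iterate without the map's monitor:
                // getServerNonceCache may put() concurrently and raise ConcurrentModificationException.
                // Lock order map -> cache is never taken the other way round, so this cannot deadlock.
                synchronized (RequestSigner.this.serverNonceCaches) {
                    for (TTLLRUCache cache : RequestSigner.this.serverNonceCaches.values()) {
                        synchronized (cache) {
                            if (RequestSigner.debugLogger.isDebugEnabled()) {
                                RequestSigner.debugLogger.debug("Request signer activate update - update time to live:  " + ttlSeconds);
                            }
                            cache.setTimeToLive(ttlSeconds);
                        }
                    }
                }
            }

            @Override
            public void rollbackUpdate(BeanUpdateEvent beanUpdateEvent) {
            }

            private boolean touchesNonceTimeout(BeanUpdateEvent.PropertyUpdate[] updates) {
                for (BeanUpdateEvent.PropertyUpdate update : updates) {
                    if (update.getPropertyName().equals("NonceTimeoutSeconds")) {
                        return true;
                    }
                }
                return false;
            }
        });
    }

    /** Debug log helper for constant messages (avoids building strings when debug is off). */
    private static void debug(String message) {
        if (debugLogger.isDebugEnabled()) {
            debugLogger.debug(message);
        }
    }
}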
