package com.bea.common.security.provider;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.utils.HMAC;
import java.security.Principal;
import weblogic.management.security.RealmMBean;
import weblogic.security.principal.PrincipalConfigurationDelegate;
import weblogic.security.principal.WLSAbstractPrincipal;
import weblogic.security.principal.WLSPrincipal;
import weblogic.security.spi.PrincipalValidator;
import weblogic.utils.collections.SecondChanceCacheMap;

/* loaded from: input_file:com/bea/common/security/provider/PrincipalValidatorImpl.class */
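/**
 * {@link PrincipalValidator} that signs and verifies {@link WLSPrincipal} instances through the
 * {@code HMAC} helper, keyed with a secret supplied at construction time.
 *
 * <p>Signatures can optionally be cached per principal name so that repeated {@link #sign} calls
 * for the same name reuse an earlier salt/signature pair instead of recomputing it.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>The secret array is stored by reference, not copied. A caller that later mutates or
 *       zeroes the array changes the key this validator uses.</li>
 *   <li>The signature cache is keyed by principal name only. Whether
 *       {@code getSignedData()} covers more than the name (principal type, DN, GUID) is not
 *       visible in this class. NOTE(review): confirm that a name-only key cannot hand a cached
 *       signature to a principal whose signed data differs.</li>
 *   <li>Cached {@code byte[]} instances are shared with every principal they are applied to.
 *       NOTE(review): confirm that {@code WLSPrincipal} copies on get/set, otherwise a caller
 *       holding one principal could alter the cached signature bytes.</li>
 *   <li>The cache is read and written here without locking. NOTE(review): confirm that
 *       {@code SecondChanceCacheMap} is safe for concurrent use.</li>
 * </ul>
 */
public class PrincipalValidatorImpl implements PrincipalValidator {
    // HMAC key. Final so that it is safely published to other threads after construction.
    private final byte[] secret;
    private final LoggerSpi logger;
    // Null when signature caching is disabled.
    private final SecondChanceCacheMap sigCache;
    private final PrincipalConfigurationDelegate delegate;

    /* loaded from: input_file:com/bea/common/security/provider/PrincipalValidatorImpl$SigCacheEntry.class */
    /**
     * Salt/signature pair remembered for one principal name. Declared static so that cache
     * entries do not keep a hidden reference to the enclosing validator (and thereby its secret).
     */
    private static final class SigCacheEntry {
        final byte[] sig;
        final byte[] salt;

        SigCacheEntry(byte[] signature, byte[] saltBytes) {
            this.sig = signature;
            this.salt = saltBytes;
        }
    }

    /**
     * Creates a validator with the signature cache enabled and sized for 500 entries.
     *
     * @param loggerSpi logger used for debug output
     * @param bArr HMAC key; stored by reference
     */
    public PrincipalValidatorImpl(LoggerSpi loggerSpi, byte[] bArr) {
        this(loggerSpi, bArr, true, 500);
    }

    /**
     * Creates a validator whose cache settings are read from the realm configuration.
     *
     * @param loggerSpi logger used for debug output
     * @param bArr HMAC key; stored by reference
     * @param realmMBean source of the cache-enabled flag and the maximum cache size
     */
    public PrincipalValidatorImpl(LoggerSpi loggerSpi, byte[] bArr, RealmMBean realmMBean) {
        this(loggerSpi, bArr, realmMBean.isEnableWebLogicPrincipalValidatorCache(), realmMBean.getMaxWebLogicPrincipalsInCache().intValue());
    }

    /**
     * Creates a validator with explicit cache settings.
     *
     * @param loggerSpi logger used for debug output
     * @param bArr HMAC key; stored by reference
     * @param z whether signatures are cached
     * @param i cache capacity; only checked when {@code z} is true
     * @throws IllegalArgumentException if caching is enabled and {@code i} is not positive
     */
    public PrincipalValidatorImpl(LoggerSpi loggerSpi, byte[] bArr, boolean z, int i) {
        this.logger = loggerSpi;
        this.secret = bArr;
        if (z) {
            if (i <= 0) {
                throw new IllegalArgumentException("sigCacheSize=" + i);
            }
            this.sigCache = new SecondChanceCacheMap(i);
        } else {
            this.sigCache = null;
        }
        // Only cache configuration is logged; the secret itself is never written to the log.
        if (loggerSpi.isDebugEnabled()) {
            loggerSpi.debug("Principal validator cache enabled: " + z);
            if (z) {
                loggerSpi.debug("Principal validator cache size: " + i);
            }
        }
        this.delegate = PrincipalConfigurationDelegate.getInstance();
    }

    /**
     * Verifies the signature carried by a principal.
     *
     * <p>Principals that are not {@link WLSPrincipal}, or that carry no signature, are rejected.
     * The signature cache is never consulted here; every call goes through {@code HMAC.verify}.
     *
     * <p>Side effect: the equality settings of a {@link WLSAbstractPrincipal} may be updated
     * before verification, so they change even when this method then returns {@code false}.
     *
     * @param principal principal to check
     * @return {@code true} only if {@code HMAC.verify} accepts the signature
     */
    @Override // weblogic.security.spi.PrincipalValidator
    public boolean validate(Principal principal) throws SecurityException {
        if (!(principal instanceof WLSPrincipal)) {
            return false;
        }
        checkInteropAndThirdPartyPrincipal(principal);
        WLSPrincipal wlsPrincipal = (WLSPrincipal) principal;
        byte[] presented = wlsPrincipal.getSignature();
        if (presented == null) {
            // An unsigned principal is never treated as valid.
            return false;
        }
        // NOTE(review): whether HMAC.verify compares in constant time is not visible here - confirm.
        boolean accepted = HMAC.verify(presented, wlsPrincipal.getSignedData(), this.secret, wlsPrincipal.getSalt());
        if (this.logger.isDebugEnabled()) {
            // The name is logged as supplied by the principal, without escaping.
            this.logger.debug("Validate WLS principal " + wlsPrincipal.getName() + " returns " + accepted);
        }
        return accepted;
    }

    /**
     * Applies the currently configured equality settings to a principal that was not created by
     * the principal factory. Principals of other types are left untouched.
     */
    private void checkInteropAndThirdPartyPrincipal(Principal principal) {
        boolean caseInsensitive;
        boolean compareDnAndGuid;
        // Both flags are read under one lock so that they form a consistent pair.
        synchronized (PrincipalConfigurationDelegate.class) {
            caseInsensitive = this.delegate.isEqualsCaseInsensitive();
            compareDnAndGuid = this.delegate.isEqualsCompareDnAndGuid();
        }
        if (!(principal instanceof WLSAbstractPrincipal)) {
            return;
        }
        WLSAbstractPrincipal abstractPrincipal = (WLSAbstractPrincipal) principal;
        if (abstractPrincipal.isPrincipalFactoryCreated()) {
            return;
        }
        abstractPrincipal.setEqualsCaseInsensitive(caseInsensitive);
        abstractPrincipal.setEqualsCompareDnAndGuid(compareDnAndGuid);
    }

    /**
     * Signs a principal, reusing a cached salt/signature pair when one exists for its name.
     *
     * <p>On a cache hit the cached salt and signature are copied onto the principal and no HMAC
     * is computed. On a miss the signature is computed over the principal's signed data with its
     * current salt and, if caching applies, stored under the principal's name.
     *
     * @param principal principal to sign
     * @return {@code false} if the principal is not a {@link WLSPrincipal}, otherwise {@code true}
     */
    @Override // weblogic.security.spi.PrincipalValidator
    public boolean sign(Principal principal) {
        if (!(principal instanceof WLSPrincipal)) {
            return false;
        }
        checkInteropAndThirdPartyPrincipal(principal);
        WLSPrincipal wlsPrincipal = (WLSPrincipal) principal;
        String name = wlsPrincipal.getName();
        boolean caseInsensitive;
        synchronized (PrincipalConfigurationDelegate.class) {
            caseInsensitive = this.delegate.isEqualsCaseInsensitive();
        }
        // Caching needs setSalt(), which is only called through WLSAbstractPrincipal here.
        boolean useCache = this.sigCache != null && (principal instanceof WLSAbstractPrincipal);
        String cacheKey = null;
        if (useCache) {
            // NOTE(review): toLowerCase() uses the default locale; the key normalisation should
            // match whatever the principal classes use for case-insensitive names - confirm.
            cacheKey = caseInsensitive ? name.toLowerCase() : name;
            SigCacheEntry cached = (SigCacheEntry) this.sigCache.get(cacheKey);
            if (cached != null) {
                // The cached arrays are handed over by reference, not copied.
                ((WLSAbstractPrincipal) wlsPrincipal).setSalt(cached.salt);
                wlsPrincipal.setSignature(cached.sig);
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("Signed WLS principal " + name);
                }
                return true;
            }
        }
        byte[] salt = wlsPrincipal.getSalt();
        byte[] signature = HMAC.digest(wlsPrincipal.getSignedData(), this.secret, salt);
        wlsPrincipal.setSignature(signature);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Generated signature and signed WLS principal " + name);
        }
        if (useCache) {
            this.sigCache.put(cacheKey, new SigCacheEntry(signature, salt));
        }
        return true;
    }

    /**
     * Returns the base class of the principals this validator handles.
     *
     * @return {@code WLSPrincipal.class}
     */
    @Override // weblogic.security.spi.PrincipalValidator
    public Class getPrincipalBaseClass() {
        return WLSPrincipal.class;
    }
}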
