package com.sun.enterprise.iiop.security;

import com.sun.corba.ee.org.omg.CSIIOP.AS_ContextSec;
import com.sun.corba.ee.org.omg.CSIIOP.CompoundSecMech;
import com.sun.corba.ee.org.omg.CSIIOP.SAS_ContextSec;
import com.sun.corba.ee.org.omg.CSIIOP.TLS_SEC_TRANS;
import com.sun.corba.ee.org.omg.CSIIOP.TransportAddress;
import com.sun.corba.ee.spi.ior.IOR;
import com.sun.corba.ee.spi.ior.iiop.IIOPProfileTemplate;
import com.sun.corba.ee.spi.transport.SocketInfo;
import com.sun.enterprise.common.iiop.security.AnonCredential;
import com.sun.enterprise.common.iiop.security.GSSUPName;
import com.sun.enterprise.common.iiop.security.SecurityContext;
import com.sun.enterprise.deployment.EjbDescriptor;
import com.sun.enterprise.deployment.EjbIORConfigurationDescriptor;
import com.sun.enterprise.security.SecurityServicesUtil;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.auth.login.common.LoginException;
import com.sun.enterprise.security.auth.login.common.PasswordCredential;
import com.sun.enterprise.security.auth.login.common.X509CertificateCredential;
import com.sun.enterprise.security.auth.realm.Realm;
import com.sun.enterprise.security.common.ClientSecurityContext;
import com.sun.enterprise.security.ssl.SSLUtils;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.enterprise.util.Utility;
import com.sun.logging.LogDomains;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.net.ssl.SSLSocket;
import javax.security.auth.Subject;
import org.glassfish.api.admin.ProcessEnvironment;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.api.invocation.InvocationManager;
import org.glassfish.enterprise.iiop.api.GlassFishORBHelper;
import org.glassfish.enterprise.iiop.api.ProtocolManager;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.internal.api.ORBLocator;
import org.glassfish.web.deployment.runtime.Servlet;
import org.ietf.jgss.Oid;
import org.jvnet.hk2.annotations.Service;
import org.omg.CORBA.ORB;
import sun.security.x509.X500Name;

@Singleton
@Service
/* loaded from: input_file:com/sun/enterprise/iiop/security/SecurityMechanismSelector.class */
public final class SecurityMechanismSelector implements PostConstruct {
    public static final String CLIENT_CONNECTION_CONTEXT = "ClientConnContext";

    @Inject
    private SSLUtils sslUtils;
    private GlassFishORBHelper orbHelper;

    @Inject
    private InvocationManager invMgr;

    @Inject
    private ProcessEnvironment processEnv;
    private static final Hashtable<Integer, String> identityTokenTypes;
    private static final Logger _logger = LogDomains.getLogger(SecurityMechanismSelector.class, "javax.enterprise.system.core.security");
    private static final LocalStringManagerImpl localStrings = new LocalStringManagerImpl(SecServerRequestInterceptor.class);
    private static final String traceIORsProperty = "com.sun.enterprise.iiop.security.traceIORS";
    private static final boolean _traceIORs = Boolean.getBoolean(traceIORsProperty);
    private static final Hashtable<Integer, String> assocOptions = new Hashtable<>();
    private Set<EjbIORConfigurationDescriptor> corbaIORDescSet = null;
    private boolean sslRequired = false;
    private ProtocolManager protocolMgr = null;
    private ORB orb = null;
    private CSIV2TaggedComponentInfo ctc = null;

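    @Override // org.glassfish.hk2.api.PostConstruct
    public void postConstruct() {
        /*
         * Reads the CSIv2 ORB properties once and seeds the default IOR configuration
         * descriptors that are used when a target has no descriptors of its own:
         *   ORB_SSL_CLIENT_REQUIRED  -> this client insists on SSL (enforced in getSSLPort/getSSLPorts)
         *   ORB_SSL_SERVER_REQUIRED  -> both default descriptors require integrity and confidentiality
         *   ORB_CLIENT_AUTH_REQUIRED -> one descriptor requires SSL client trust, a second one
         *                               requires an auth method (username/password) and is added too
         * Any failure is logged at SEVERE and construction continues with whatever was already
         * set, i.e. the selector falls back to the permissive defaults (sslRequired == false).
         * getCorbaIORDescSet() is not visible here; presumably it returns corbaIORDescSet.
         */
        try {
            this.orbHelper = Lookups.getGlassFishORBHelper();
            if ("true".equals(this.orbHelper.getCSIv2Props().getProperty(ORBLocator.ORB_SSL_CLIENT_REQUIRED))) {
                this.sslRequired = true;
            }
            this.corbaIORDescSet = new HashSet<>();
            EjbIORConfigurationDescriptor sslClientTrustDesc = new EjbIORConfigurationDescriptor();
            EjbIORConfigurationDescriptor authMethodDesc = new EjbIORConfigurationDescriptor();
            if ("true".equals(this.orbHelper.getCSIv2Props().getProperty(ORBLocator.ORB_SSL_SERVER_REQUIRED))) {
                sslClientTrustDesc.setIntegrity(EjbIORConfigurationDescriptor.REQUIRED);
                sslClientTrustDesc.setConfidentiality(EjbIORConfigurationDescriptor.REQUIRED);
                authMethodDesc.setIntegrity(EjbIORConfigurationDescriptor.REQUIRED);
                authMethodDesc.setConfidentiality(EjbIORConfigurationDescriptor.REQUIRED);
            }
            if ("true".equals(this.orbHelper.getCSIv2Props().getProperty(ORBLocator.ORB_CLIENT_AUTH_REQUIRED))) {
                sslClientTrustDesc.setEstablishTrustInClient(EjbIORConfigurationDescriptor.REQUIRED);
                authMethodDesc.setAuthMethodRequired(true);
                getCorbaIORDescSet().add(authMethodDesc);
            }
            getCorbaIORDescSet().add(sslClientTrustDesc);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.Exception", (Throwable) e);
        }
    }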

    /**
     * Returns the ConnectionContext stored for the current execution context under
     * {@link #CLIENT_CONNECTION_CONTEXT} (the value set by setClientConnectionContext).
     */
    public ConnectionContext getClientConnectionContext() {
        Object stored = ConnectionExecutionContext.getContext().get(CLIENT_CONNECTION_CONTEXT);
        return (ConnectionContext) stored;
    }

    /**
     * Stores {@code connectionContext} in the current execution context under
     * {@link #CLIENT_CONNECTION_CONTEXT}, replacing any previous value.
     */
    public void setClientConnectionContext(ConnectionContext connectionContext) {
        String key = CLIENT_CONNECTION_CONTEXT;
        ConnectionExecutionContext.getContext().put(key, connectionContext);
    }

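    /**
     * Chooses the SSL endpoint (if any) to use for {@code ior} and records the selected
     * mechanism and the SSL decisions in {@code connectionContext}.
     *
     * Decision rules (association-option bits 2, 4 and 64 are the CSIIOP Integrity,
     * Confidentiality and EstablishTrustInClient options):
     * <ul>
     *   <li>chosen mechanism has no TLS component: SSL to the profile's primary host on the
     *       port reported by orbHelper.getORBPort when the client requires SSL, else null;</li>
     *   <li>target requires any of the options: SSL, or SSL_MUTUALAUTH when it requires
     *       trust in the client;</li>
     *   <li>target only supports them: SSL if the client requires it, else null;</li>
     *   <li>target supports none: null, or a RuntimeException when the client requires SSL.</li>
     * </ul>
     *
     * @return the SocketInfo to connect with, or {@code null} for a plain IIOP connection
     * @throws RuntimeException if no usable mechanism exists, the client requires SSL that
     *         the target does not support, or the TLS component lists no address
     */
    public SocketInfo getSSLPort(IOR ior, ConnectionContext connectionContext) {
        try {
            CompoundSecMech mechanism = selectSecurityMechanism(ior);
            connectionContext.setIOR(ior);
            connectionContext.setMechanism(mechanism);
            TLS_SEC_TRANS tls = mechanism != null ? getCtc().getSSLInformation(mechanism) : null;
            if (tls == null) {
                // No TLS component: only the client-side policy can force SSL here.
                if (!isSslRequired()) {
                    return null;
                }
                String host = ((IIOPProfileTemplate) ior.getProfile().getTaggedProfileTemplate()).getPrimaryAddress().getHost();
                return IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector1", "SSL", host, this.orbHelper.getORBPort(this.orbHelper.getORB()));
            }
            short targetRequires = tls.target_requires;
            short targetSupports = tls.target_supports;
            if (isSet(targetRequires, 2) || isSet(targetRequires, 4) || isSet(targetRequires, 64)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Target requires SSL");
                }
                connectionContext.setSSLUsed(true);
                String socketType = "SSL";
                if (isSet(targetRequires, 64)) {
                    // Target insists on a client certificate: the connection must be mutually authenticated.
                    socketType = "SSL_MUTUALAUTH";
                    connectionContext.setSSLClientAuthenticationOccurred(true);
                }
                return firstSslSocketInfo("SecurityMechanismSelector2", socketType, tls);
            }
            if (!isSet(targetSupports, 2) && !isSet(targetSupports, 4) && !isSet(targetSupports, 64)) {
                if (isSslRequired()) {
                    throw new RuntimeException("SSL required by client but not supported by server.");
                }
                return null;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Target supports SSL");
            }
            if (!isSslRequired()) {
                return null;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Client is configured to require SSL for the target");
            }
            connectionContext.setSSLUsed(true);
            return firstSslSocketInfo("SecurityMechanismSelector3", "SSL", tls);
        } catch (SecurityMechanismException e) {
            // Keep the cause so the selection failure stays diagnosable from the stack trace.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Builds a SocketInfo of {@code socketType} for the first transport address advertised
     * in {@code tls}.
     *
     * @throws RuntimeException if the TLS component advertises no address at all
     */
    private static SocketInfo firstSslSocketInfo(String tag, String socketType, TLS_SEC_TRANS tls) {
        TransportAddress[] addresses = tls.addresses;
        if (addresses == null || addresses.length == 0) {
            throw new RuntimeException("Target advertises SSL but lists no transport address.");
        }
        return IORToSocketInfoImpl.createSocketInfo(tag, socketType, addresses[0].host_name, Utility.shortToInt(addresses[0].port));
    }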

    /** Returns the ORB set through {@link #setOrb}; {@code null} until one has been set. */
    public ORB getOrb() {
        ORB current = this.orb;
        return current;
    }

    /** Records {@code orb} as this selector's ORB (plain assignment, no validation). */
    public void setOrb(ORB orb) {
        ORB replacement = orb;
        this.orb = replacement;
    }

    /**
     * Lazily creates the CSIV2TaggedComponentInfo for orbHelper's ORB on first use and
     * returns it on every call. Synchronized so concurrent first callers share one instance;
     * note that selectSecurityContext reads the {@code ctc} field directly, bypassing this.
     */
    public synchronized CSIV2TaggedComponentInfo getCtc() {
        CSIV2TaggedComponentInfo info = this.ctc;
        if (info == null) {
            info = new CSIV2TaggedComponentInfo(this.orbHelper.getORB());
            this.ctc = info;
        }
        return info;
    }

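    /**
     * Chooses the SSL endpoints (if any) to use for {@code ior} and records the selected
     * mechanism and the SSL decisions in {@code connectionContext}. Applies the same rules as
     * {@link #getSSLPort} but returns one SocketInfo per transport address advertised by the
     * target's TLS component rather than only the first one.
     *
     * @return the SocketInfos to connect with, or {@code null} for a plain IIOP connection
     * @throws RuntimeException if no usable mechanism exists, or the client requires SSL
     *         and the target supports none of the SSL association options
     */
    public List<SocketInfo> getSSLPorts(IOR ior, ConnectionContext connectionContext) {
        try {
            CompoundSecMech mechanism = selectSecurityMechanism(ior);
            connectionContext.setIOR(ior);
            connectionContext.setMechanism(mechanism);
            TLS_SEC_TRANS tls = mechanism != null ? getCtc().getSSLInformation(mechanism) : null;
            if (tls == null) {
                if (!isSslRequired()) {
                    return null;
                }
                // No TLS component: fall back to the profile's primary host on the port orbHelper reports.
                String host = ((IIOPProfileTemplate) ior.getProfile().getTaggedProfileTemplate()).getPrimaryAddress().getHost();
                List<SocketInfo> single = new ArrayList<>(1);
                single.add(IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector1", "SSL", host, this.orbHelper.getORBPort(this.orbHelper.getORB())));
                return single;
            }
            short targetRequires = tls.target_requires;
            short targetSupports = tls.target_supports;
            // Bits 2, 4 and 64 are the CSIIOP Integrity, Confidentiality and EstablishTrustInClient options.
            if (isSet(targetRequires, 2) || isSet(targetRequires, 4) || isSet(targetRequires, 64)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Target requires SSL");
                }
                connectionContext.setSSLUsed(true);
                String socketType = "SSL";
                if (isSet(targetRequires, 64)) {
                    // Target insists on a client certificate: the connection must be mutually authenticated.
                    socketType = "SSL_MUTUALAUTH";
                    connectionContext.setSSLClientAuthenticationOccurred(true);
                }
                return sslSocketInfosFor("SecurityMechanismSelector2", socketType, tls);
            }
            if (!isSet(targetSupports, 2) && !isSet(targetSupports, 4) && !isSet(targetSupports, 64)) {
                if (isSslRequired()) {
                    throw new RuntimeException("SSL required by client but not supported by server.");
                }
                return null;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Target supports SSL");
            }
            if (!isSslRequired()) {
                return null;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Client is configured to require SSL for the target");
            }
            connectionContext.setSSLUsed(true);
            return sslSocketInfosFor("SecurityMechanismSelector3", "SSL", tls);
        } catch (SecurityMechanismException e) {
            // Keep the cause so the selection failure stays diagnosable from the stack trace.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Builds one SocketInfo of {@code socketType} per transport address advertised in
     * {@code tls}; an absent address list yields an empty list.
     */
    private static List<SocketInfo> sslSocketInfosFor(String tag, String socketType, TLS_SEC_TRANS tls) {
        TransportAddress[] addresses = tls.addresses;
        if (addresses == null) {
            return new ArrayList<>();
        }
        List<SocketInfo> infos = new ArrayList<>(addresses.length);
        for (TransportAddress address : addresses) {
            infos.add(IORToSocketInfoImpl.createSocketInfo(tag, socketType, address.host_name, Utility.shortToInt(address.port)));
        }
        return infos;
    }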

    /**
     * Builds the client-side SecurityContext to send with an invocation on {@code ior}.
     *
     * Runs getSSLPort to pick the mechanism and SSL settings, publishes the resulting
     * ConnectionContext via setClientConnectionContext, and then delegates: a standalone
     * (non-server, non-ACC) client and an ACC both use getSecurityContextForAppClient;
     * everything else uses getSecurityContextForWebOrEJB.
     *
     * @return the context to send, or {@code null} when no mechanism was selected
     * @throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException
     *         propagated from the delegate
     */
    public SecurityContext selectSecurityContext(IOR ior) throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
        ConnectionContext connCtx = new ConnectionContext();
        if (traceIORs()) {
            // Uses the raw field, which is still null if getCtc() has not been called yet.
            _logger.info("\nCSIv2 Mechanism List:" + getSecurityMechanismString(this.ctc, ior));
        }
        getSSLPort(ior, connCtx);
        setClientConnectionContext(connCtx);
        CompoundSecMech mechanism = connCtx.getMechanism();
        if (mechanism == null) {
            return null;
        }
        boolean sslUsed = connCtx.getSSLUsed();
        boolean sslClientAuth = connCtx.getSSLClientAuthenticationOccurred();
        boolean appClientPath = isNotServerOrACC();
        if (!appClientPath) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SSL used:" + sslUsed + " SSL Mutual auth:" + sslClientAuth);
            }
            appClientPath = isACC();
        }
        if (appClientPath) {
            return getSecurityContextForAppClient(null, sslUsed, sslClientAuth, mechanism);
        }
        return getSecurityContextForWebOrEJB(null, sslUsed, sslClientAuth, mechanism);
    }

    /**
     * Application-client path: the only credential an app client can offer is a GSSUP
     * username/password, so this delegates to sendUsernameAndPassword.
     *
     * @param z  whether SSL is used for the connection
     * @param z2 whether SSL client authentication already occurred
     */
    public SecurityContext getSecurityContextForAppClient(ComponentInvocation componentInvocation, boolean z, boolean z2, CompoundSecMech compoundSecMech) throws InvalidMechanismException, InvalidIdentityTokenException, SecurityMechanismException {
        SecurityContext usernamePasswordContext = sendUsernameAndPassword(componentInvocation, z, z2, compoundSecMech);
        return usernamePasswordContext;
    }

    /**
     * Server-side (web or EJB caller) path: propagates the caller's identity via
     * propagateIdentity.
     *
     * @param z  whether SSL is used for the connection
     * @param z2 whether SSL client authentication occurred; it only counts when {@code z} is true
     */
    public SecurityContext getSecurityContextForWebOrEJB(ComponentInvocation componentInvocation, boolean z, boolean z2, CompoundSecMech compoundSecMech) throws InvalidMechanismException, InvalidIdentityTokenException, SecurityMechanismException {
        boolean sslClientAuthenticated = z && z2;
        return propagateIdentity(sslClientAuthenticated, componentInvocation, compoundSecMech);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Adapter used with an untyped IOR: computes the SSL endpoints via getSSLPorts, publishes
     * the ConnectionContext for the current execution, and returns the List of SocketInfo
     * (possibly {@code null}) as an Object.
     *
     * @param obj the IOR (cast unchecked; anything else raises ClassCastException)
     */
    public Object getSSLSocketInfo(Object obj) {
        IOR ior = (IOR) obj;
        ConnectionContext connCtx = new ConnectionContext();
        List<SocketInfo> ports = getSSLPorts(ior, connCtx);
        setClientConnectionContext(connCtx);
        return ports;
    }

    /**
     * True when the SAS context's supported naming mechanisms include the mechanism
     * GSSUtils.getMechanism() returns (byte-wise comparison); false for a null list.
     */
    private boolean isMechanismSupported(SAS_ContextSec sAS_ContextSec) {
        byte[][] namingMechanisms = sAS_ContextSec.supported_naming_mechanisms;
        byte[] ours = GSSUtils.getMechanism();
        if (namingMechanisms == null) {
            return false;
        }
        boolean found = false;
        for (int i = 0; i < namingMechanisms.length && !found; i++) {
            found = Arrays.equals(ours, namingMechanisms[i]);
        }
        return found;
    }

    /**
     * True when the SAS context supports at least one of the identity token types in the
     * low four bits (CSIIOP ITTAnonymous, ITTPrincipalName, ITTX509CertChain and
     * ITTDistinguishedName).
     */
    public boolean isIdentityTypeSupported(SAS_ContextSec sAS_ContextSec) {
        int supportedTypes = sAS_ContextSec.supported_identity_types;
        int knownTypesMask = 15;
        return (supportedTypes & knownTypesMask) != 0;
    }

    /**
     * Returns a username/password SecurityContext when the target asks for client
     * authentication that SSL did not already provide, else {@code null}.
     *
     * Credentials are sent when the AS layer requires trust in the client (bit 64), or when
     * the mechanism as a whole requires it and SSL client authentication ({@code z2}) did
     * not occur. {@code z} (SSL used) is accepted for signature symmetry but not consulted.
     */
    private SecurityContext sendUsernameAndPassword(ComponentInvocation componentInvocation, boolean z, boolean z2, CompoundSecMech compoundSecMech) throws SecurityMechanismException {
        if (compoundSecMech == null) {
            return null;
        }
        boolean asLayerRequiresClientTrust = isSet(compoundSecMech.as_context_mech.target_requires, 64);
        boolean mechanismRequiresClientTrust = isSet(compoundSecMech.target_requires, 64);
        boolean mustSendCredentials = asLayerRequiresClientTrust || (mechanismRequiresClientTrust && !z2);
        if (!mustSendCredentials) {
            return null;
        }
        SecurityContext credentials = getUsernameAndPassword(componentInvocation, compoundSecMech);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Sending Username/Password");
        }
        return credentials;
    }

    /**
     * Decides which caller identity to propagate to the target, in this order:
     * <ol>
     *   <li>AS layer requires trust in the client (bit 64): send username/password; a run-as
     *       identity has no password credential (authcls == null) and is rejected;</li>
     *   <li>SAS layer supports or requires identity assertion (bit 1024): assert the caller's
     *       identity via getIdentity() after checking the identity token type and, when the
     *       target supports nothing but identity assertion, the naming mechanism;</li>
     *   <li>otherwise: username/password only if the AS layer supports it and {@code z}
     *       (SSL client authentication occurred, see getSecurityContextForWebOrEJB) is true
     *       and a password credential exists; else nothing.</li>
     * </ol>
     *
     * @return the context to send, or {@code null} to send no security context
     * @throws SecurityMechanismException    when a run-as identity cannot satisfy a required username/password
     * @throws InvalidIdentityTokenException when the target supports none of the known identity token types
     * @throws InvalidMechanismException     when the target's naming mechanisms exclude ours
     */
    private SecurityContext propagateIdentity(boolean z, ComponentInvocation componentInvocation, CompoundSecMech compoundSecMech) throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
        SecurityContext identity;
        if (compoundSecMech == null) {
            return null;
        }
        AS_ContextSec aS_ContextSec = compoundSecMech.as_context_mech;
        SAS_ContextSec sAS_ContextSec = compoundSecMech.sas_context_mech;
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "SAS CONTEXT's target_requires=" + ((int) sAS_ContextSec.target_requires));
            _logger.log(Level.FINE, "SAS CONTEXT's target_supports=" + ((int) sAS_ContextSec.target_supports));
        }
        if (isSet(aS_ContextSec.target_requires, 64)) {
            identity = getUsernameAndPassword(componentInvocation, compoundSecMech);
            // authcls == null means the subject carried no PasswordCredential (run-as mode).
            if (identity.authcls == null) {
                String localString = localStrings.getLocalString("securitymechansimselector.runas_cannot_propagate_username_password", "Cannot propagate username/password required by target when using run as identity");
                _logger.log(Level.SEVERE, "iiop.runas_error", localString);
                throw new SecurityMechanismException(localString);
            }
        } else if (isSet(sAS_ContextSec.target_supports, 1024) || isSet(sAS_ContextSec.target_requires, 1024)) {
            if (!isIdentityTypeSupported(sAS_ContextSec)) {
                throw new InvalidIdentityTokenException(localStrings.getLocalString("securitymechanismselector.invalid_identity_type", "The given identity token is unsupported."));
            }
            // Exact equality: the target supports identity assertion and nothing else, so our
            // naming mechanism must be among the ones it lists.
            if (sAS_ContextSec.target_supports == 1024 && !isMechanismSupported(sAS_ContextSec)) {
                String localString2 = localStrings.getLocalString("securitymechanismselector.invalid_mechanism", "The given mechanism type is unsupported.");
                _logger.log(Level.SEVERE, "iiop.unsupported_type_error", localString2);
                throw new InvalidMechanismException(localString2);
            }
            identity = getIdentity();
        } else {
            if (!isSet(aS_ContextSec.target_supports, 64) || !z) {
                return null;
            }
            identity = getUsernameAndPassword(componentInvocation, compoundSecMech);
            // Optional username/password: silently send nothing when no credential exists.
            if (identity.authcls == null) {
                return null;
            }
        }
        return identity;
    }

    /**
     * Builds a SecurityContext carrying the current Subject and, when that Subject holds
     * PasswordCredentials, marks it as username/password authentication.
     *
     * Subject source by environment: a standalone (non-server, non-ACC) client uses the current
     * ClientSecurityContext (none -> {@code null} result); an ACC uses it too but performs a
     * client login through LoginContextDriver when none exists; a server uses the current server
     * SecurityContext via getSubjectFromSecurityCurrent. Each PasswordCredential has its realm
     * set to the target name the AS layer advertises (decoded with GSSUtils.importName), or to
     * the default realm when the target advertises none. With no PasswordCredential the context
     * is marked run-as (authcls == null, identcls == GSSUPName).
     *
     * Any exception other than LoginException is logged at SEVERE and turned into a {@code null}
     * result, which callers treat as "no credentials"; the failure is visible only in the log.
     * {@code componentInvocation} is not consulted here.
     *
     * @throws SecurityMechanismException from getSubjectFromSecurityCurrent (no server security context)
     */
    private SecurityContext getUsernameAndPassword(ComponentInvocation componentInvocation, CompoundSecMech compoundSecMech) throws SecurityMechanismException {
        Subject subjectFromSecurityCurrent;
        try {
            if (isNotServerOrACC()) {
                ClientSecurityContext current = ClientSecurityContext.getCurrent();
                if (current == null) {
                    return null;
                }
                subjectFromSecurityCurrent = current.getSubject();
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "SUBJECT:" + subjectFromSecurityCurrent);
                }
            } else if (isACC()) {
                ClientSecurityContext current2 = ClientSecurityContext.getCurrent();
                // Login type 1: meaning defined by LoginContextDriver, not visible here -- verify there.
                subjectFromSecurityCurrent = current2 == null ? LoginContextDriver.doClientLogin(1, SecurityServicesUtil.getInstance().getCallbackHandler()) : current2.getSubject();
            } else {
                subjectFromSecurityCurrent = getSubjectFromSecurityCurrent();
            }
            SecurityContext securityContext = new SecurityContext();
            final Subject subject = subjectFromSecurityCurrent;
            securityContext.subject = subjectFromSecurityCurrent;
            // Private credentials are read under doPrivileged because reading them needs a permission.
            Set set = (Set) AccessController.doPrivileged(new PrivilegedAction<Set>() { // from class: com.sun.enterprise.iiop.security.SecurityMechanismSelector.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedAction
                public Set run() {
                    return subject.getPrivateCredentials(PasswordCredential.class);
                }
            });
            if (set.isEmpty()) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "no private credential run as mode");
                }
                securityContext.authcls = null;
                securityContext.identcls = GSSUPName.class;
            } else {
                byte[] bArr = compoundSecMech.as_context_mech.target_name;
                // NOTE(review): new String(byte[]) and getBytes() use the platform default charset -- confirm
                // this matches the encoding GSSUtils.importName produces.
                final String str = new String((bArr == null || bArr.length == 0) ? Realm.getDefaultRealm().getBytes() : GSSUtils.importName(GSSUtils.GSSUP_MECH_OID, bArr));
                final Iterator it = set.iterator();
                while (it.hasNext()) {
                    AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.sun.enterprise.iiop.security.SecurityMechanismSelector.2
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            ((PasswordCredential) it.next()).setRealm(str);
                            return null;
                        }
                    });
                }
                securityContext.authcls = PasswordCredential.class;
            }
            return securityContext;
        } catch (LoginException e) {
            // Login failures propagate unchanged; only other failures are downgraded to null below.
            throw e;
        } catch (Exception e2) {
            _logger.log(Level.SEVERE, "iiop.user_password_exception", (Throwable) e2);
            return null;
        }
    }

    /**
     * Builds the identity to assert to the target (identity-assertion path):
     * <ul>
     *   <li>no current server SecurityContext, or one whose credentials the server generated
     *       itself: an anonymous identity (fresh Subject holding an AnonCredential);</li>
     *   <li>exactly one PasswordCredential: a GSSUPName identity, placed in a <em>new</em>
     *       Subject so the password itself is not part of the propagated context;</li>
     *   <li>otherwise the Subject must hold exactly one public credential, classified as
     *       GSSUPName, X500Name or (anything else) X509CertificateCredential; any other count
     *       is logged at SEVERE and yields {@code null}.</li>
     * </ul>
     *
     * @throws SecurityMechanismException from getSubjectFromSecurityCurrent
     */
    private SecurityContext getIdentity() throws SecurityMechanismException {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Getting PRINCIPAL/DN from TLS");
        }
        final SecurityContext securityContext = new SecurityContext();
        com.sun.enterprise.security.SecurityContext current = com.sun.enterprise.security.SecurityContext.getCurrent();
        if (current == null || current.didServerGenerateCredentials()) {
            securityContext.identcls = AnonCredential.class;
            AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.sun.enterprise.iiop.security.SecurityMechanismSelector.3
                @Override // java.security.PrivilegedAction
                public Object run() {
                    securityContext.subject = new Subject();
                    securityContext.subject.getPublicCredentials().add(new AnonCredential());
                    return null;
                }
            });
            return securityContext;
        }
        final Subject subjectFromSecurityCurrent = getSubjectFromSecurityCurrent();
        securityContext.subject = subjectFromSecurityCurrent;
        // Private credentials are read under doPrivileged because reading them needs a permission.
        final Set set = (Set) AccessController.doPrivileged(new PrivilegedAction<Set>() { // from class: com.sun.enterprise.iiop.security.SecurityMechanismSelector.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public Set run() {
                return subjectFromSecurityCurrent.getPrivateCredentials(PasswordCredential.class);
            }
        });
        if (set.size() == 1) {
            securityContext.identcls = GSSUPName.class;
            // Replace the subject: only user + realm travel, the PasswordCredential stays behind.
            securityContext.subject = (Subject) AccessController.doPrivileged(new PrivilegedAction<Subject>() { // from class: com.sun.enterprise.iiop.security.SecurityMechanismSelector.5
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedAction
                public Subject run() {
                    Subject subject = new Subject();
                    PasswordCredential passwordCredential = (PasswordCredential) set.iterator().next();
                    subject.getPublicCredentials().add(new GSSUPName(passwordCredential.getUser(), passwordCredential.getRealm()));
                    return subject;
                }
            });
            return securityContext;
        }
        Set<Object> publicCredentials = subjectFromSecurityCurrent.getPublicCredentials();
        if (publicCredentials.size() != 1) {
            _logger.log(Level.SEVERE, "iiop.principal_error");
            return null;
        }
        Iterator<Object> it = publicCredentials.iterator();
        // Cannot trigger after the size() == 1 check above; kept as a defensive guard.
        if (!it.hasNext()) {
            _logger.log(Level.SEVERE, "iiop.credential_error");
            return null;
        }
        Object next = it.next();
        if (next instanceof GSSUPName) {
            securityContext.identcls = GSSUPName.class;
        } else if (next instanceof X500Name) {
            securityContext.identcls = X500Name.class;
        } else {
            // Any other public credential is assumed to be a certificate credential.
            securityContext.identcls = X509CertificateCredential.class;
        }
        return securityContext;
    }

    /**
     * Returns the Subject of the current server SecurityContext, initialising a context via
     * SecurityContext.init() (the "guest" case) when none is set.
     *
     * @throws SecurityMechanismException if no context can be obtained or it carries no Subject
     */
    private Subject getSubjectFromSecurityCurrent() throws SecurityMechanismException {
        com.sun.enterprise.security.SecurityContext serverContext = com.sun.enterprise.security.SecurityContext.getCurrent();
        if (serverContext == null) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, " SETTING GUEST ---");
            }
            serverContext = com.sun.enterprise.security.SecurityContext.init();
            if (serverContext == null) {
                throw new SecurityMechanismException("Could not find  security information");
            }
        }
        Subject subject = serverContext.getSubject();
        if (subject != null) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Subject in security current:" + subject);
            }
            return subject;
        }
        throw new SecurityMechanismException("Could not find  subject information in the security context.");
    }

    /**
     * Picks the first usable CompoundSecMech advertised in {@code ior}.
     *
     * @return the chosen mechanism, or {@code null} when the IOR advertises none
     * @throws SecurityMechanismException when none of the advertised mechanisms is usable
     */
    public CompoundSecMech selectSecurityMechanism(IOR ior) throws SecurityMechanismException {
        CompoundSecMech[] advertised = getCtc().getSecurityMechanisms(ior);
        return selectSecurityMechanism(advertised);
    }

    /**
     * Returns the first mechanism in {@code compoundSecMechArr} that useMechanism accepts.
     *
     * @return the chosen mechanism, or {@code null} for a null or empty array
     * @throws SecurityMechanismException when the array is non-empty but no entry is usable
     */
    private CompoundSecMech selectSecurityMechanism(CompoundSecMech[] compoundSecMechArr) throws SecurityMechanismException {
        int count = compoundSecMechArr == null ? 0 : compoundSecMechArr.length;
        if (count == 0) {
            return null;
        }
        for (int i = 0; i < count; i++) {
            CompoundSecMech candidate = compoundSecMechArr[i];
            if (useMechanism(candidate)) {
                return candidate;
            }
        }
        throw new SecurityMechanismException("Cannot use any of the  target's supported mechanisms");
    }

    /**
     * Whether this client can use {@code compoundSecMech}: any naming mechanisms the SAS layer
     * lists must include ours, any client-auth mechanism the AS layer lists must be ours, and
     * if the TLS component requires trust in the client (bit 64) a client key must be available.
     */
    private boolean useMechanism(CompoundSecMech compoundSecMech) {
        TLS_SEC_TRANS tls = getCtc().getSSLInformation(compoundSecMech);
        SAS_ContextSec sasContext = compoundSecMech.sas_context_mech;
        AS_ContextSec asContext = compoundSecMech.as_context_mech;
        boolean namingOk = sasContext.supported_naming_mechanisms.length == 0 || isMechanismSupported(sasContext);
        if (!namingOk) {
            return false;
        }
        boolean clientAuthMechOk = asContext.client_authentication_mech.length == 0 || isMechanismSupportedAS(asContext);
        if (!clientAuthMechOk) {
            return false;
        }
        if (tls == null) {
            return true;
        }
        // A target demanding a client certificate is only usable when we can present one.
        return !isSet(tls.target_requires, 64) || this.sslUtils.isKeyAvailable();
    }

    /**
     * True when the AS context's client authentication mechanism is byte-equal to the one
     * GSSUtils.getMechanism() returns; false when the context lists none.
     */
    private boolean isMechanismSupportedAS(AS_ContextSec aS_ContextSec) {
        byte[] clientAuthMech = aS_ContextSec.client_authentication_mech;
        if (clientAuthMech == null) {
            return false;
        }
        return Arrays.equals(clientAuthMech, GSSUtils.getMechanism());
    }

    /**
     * Returns the target name of the Subject's single PasswordCredential, or an empty array
     * when the Subject holds zero or several PasswordCredentials. Credential access runs
     * under doPrivileged because reading private credentials needs a permission.
     */
    private byte[] getTargetName(final Subject subject) {
        final Set passwordCredentials = (Set) AccessController.doPrivileged(new PrivilegedAction<Set>() {
            @Override
            public Set run() {
                return subject.getPrivateCredentials(PasswordCredential.class);
            }
        });
        if (passwordCredentials.size() != 1) {
            return new byte[0];
        }
        return (byte[]) AccessController.doPrivileged(new PrivilegedAction<byte[]>() {
            @Override
            public byte[] run() {
                PasswordCredential only = (PasswordCredential) passwordCredentials.iterator().next();
                return only.getTargetName();
            }
        });
    }

    /**
     * Checks whether a client's transport matches the descriptor's SSL policy.
     *
     * Transport: a client on SSL ({@code z}) needs the target to require or support an SSL
     * option (bits 2, 4, 64 of target_requires, or any bit of target_supports); a plain client
     * is rejected when the target requires one. Certificates: a presented chain needs the
     * target to require or support trust in the client (bit 64); no chain is rejected when
     * the target requires it. The "<-:" trace is logged on every exit, including exceptions.
     *
     * @param x509CertificateArr the client certificate chain, or {@code null} if none was presented
     */
    private boolean evaluate_client_conformance_ssl(EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor, boolean z, X509Certificate[] x509CertificateArr) {
        try {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance_ssl->:");
            }
            int targetRequires = getCtc().getTargetRequires(ejbIORConfigurationDescriptor);
            int targetSupports = getCtc().getTargetSupports(ejbIORConfigurationDescriptor);
            boolean targetRequiresSsl = isSet(targetRequires, 2) || isSet(targetRequires, 4) || isSet(targetRequires, 64);
            boolean targetSupportsAny = targetSupports != 0;
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance_ssl: " + isSet(targetRequires, 2) + " " + isSet(targetRequires, 4) + " " + isSet(targetRequires, 64) + " " + targetRequiresSsl + " " + targetSupportsAny + " " + z);
            }
            boolean transportOk = z ? (targetRequiresSsl || targetSupportsAny) : !targetRequiresSsl;
            if (!transportOk) {
                return false;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance_ssl: " + isSet(targetRequires, 64) + " " + isSet(targetSupports, 64));
            }
            boolean clientTrustRequired = isSet(targetRequires, 64);
            boolean clientTrustSupported = isSet(targetSupports, 64);
            boolean certificateOk = x509CertificateArr != null ? (clientTrustRequired || clientTrustSupported) : !clientTrustRequired;
            if (!certificateOk) {
                return false;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance_ssl: true");
            }
            return true;
        } finally {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance_ssl<-:");
            }
        }
    }

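    /**
     * Checks whether the client's AS-layer (username/password) credential matches the
     * descriptor's policy.
     *
     * Without an authentication credential the client conforms only if the target does not
     * require trust in the client (bit 64). With one, the target must require or support it,
     * and the credential's target name must be byte-equal to the target name this descriptor
     * advertises. Failures inside createASContextSec are logged at SEVERE and count as
     * non-conformance.
     *
     * @param str passed through to createASContextSec (its meaning is defined there)
     */
    private boolean evaluate_client_conformance_ascontext(SecurityContext securityContext, EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor, String str) {
        try {
            AS_ContextSec asContext = getCtc().createASContextSec(ejbIORConfigurationDescriptor, str);
            boolean clientHasAuthCredential = securityContext != null && securityContext.authcls != null && securityContext.subject != null;
            boolean targetRequiresClientAuth = isSet(asContext.target_requires, 64);
            if (!clientHasAuthCredential) {
                return !targetRequiresClientAuth;
            }
            if (!targetRequiresClientAuth && !isSet(asContext.target_supports, 64)) {
                return false;
            }
            // Arrays.equals compares lengths first and treats a null target_name as a mismatch.
            byte[] credentialTargetName = getTargetName(securityContext.subject);
            return Arrays.equals(asContext.target_name, credentialTargetName);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createcontextsec_exception", (Throwable) e);
            return false;
        }
    }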

    /**
     * Checks the client's attribute-layer (SAS) context: a client carrying an
     * asserted identity ({@code identcls} and {@code subject} set) conforms only
     * if the target's SAS_ContextSec supports IdentityAssertion (bit 1024 in the
     * assocOptions table). A client with no asserted identity always conforms.
     *
     * @param securityContext client security context, may be {@code null}
     * @param ejbIORConfigurationDescriptor IOR security configuration of the target EJB
     * @return {@code true} if the client conforms; {@code false} if it asserts an
     *         identity the target does not support, or when building the SAS
     *         context throws (logged at SEVERE)
     */
    private boolean evaluate_client_conformance_sascontext(SecurityContext securityContext, EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor) {
        boolean identityAsserted = securityContext != null
                && securityContext.identcls != null
                && securityContext.subject != null;
        if (!identityAsserted) {
            return true;
        }
        try {
            SAS_ContextSec sasContext = getCtc().createSASContextSec(ejbIORConfigurationDescriptor);
            return isSet(sasContext.target_supports, 1024);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createcontextsec_exception", e);
            return false;
        }
    }

    /**
     * Evaluates whether the calling client conforms to the CSIv2 security
     * configuration of the target object.
     *
     * <p>Each IOR configuration descriptor of the target is checked at the
     * transport (SSL), authentication (AS) and attribute (SAS) layers in turn;
     * the first descriptor that passes all three makes the call conform. A
     * descriptor that requires nothing of the client counts as conforming.
     * Otherwise the result is the outcome for the last descriptor examined
     * (NOTE(review): a failing descriptor followed by an all-NONE one therefore
     * yields {@code true} — confirm this is intended).
     *
     * <p>Conformance is assumed when there is no object key, no protocol
     * manager can be obtained, or the target has no IOR descriptors.
     *
     * @param securityContext client security context, may be {@code null}
     * @param bArr object key identifying the target EJB, may be {@code null}
     * @param z whether the request arrived over SSL
     * @param x509CertificateArr client certificate chain from the SSL session, or {@code null}
     * @return {@code true} if the client conforms
     */
    private boolean evaluate_client_conformance(SecurityContext securityContext, byte[] bArr, boolean z, X509Certificate[] x509CertificateArr) {
        if (bArr == null) {
            return true;
        }
        if (this.protocolMgr == null) {
            // Resolved lazily; not synchronized, so concurrent first calls may each resolve it.
            this.protocolMgr = this.orbHelper.getProtocolManager();
            if (this.protocolMgr == null) {
                return true;
            }
        }
        EjbDescriptor ejbDescriptor = this.protocolMgr.getEjbDescriptor(bArr);
        Set<EjbIORConfigurationDescriptor> iorDescriptors;
        if (ejbDescriptor != null) {
            iorDescriptors = ejbDescriptor.getIORConfigurationDescriptors();
        } else {
            iorDescriptors = getCorbaIORDescSet();
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance: iorDescSet: " + iorDescriptors);
        }
        if (iorDescriptors.isEmpty()) {
            return true;
        }

        boolean conform = false;
        for (EjbIORConfigurationDescriptor iorDescriptor : iorDescriptors) {
            if (skip_client_conformance(iorDescriptor)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance: skip_client_conformance");
                }
                conform = true;
                continue;
            }
            if (!evaluate_client_conformance_ssl(iorDescriptor, z, x509CertificateArr)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance: evaluate_client_conformance_ssl");
                }
                conform = false;
                continue;
            }
            // Realm for the AS context: the application's realm, then the descriptor's, then "default".
            // The fallbacks are only consulted when an application is present.
            String realmName = "default";
            if (ejbDescriptor != null && ejbDescriptor.getApplication() != null) {
                realmName = ejbDescriptor.getApplication().getRealm();
                if (realmName == null) {
                    realmName = iorDescriptor.getRealmName();
                }
                if (realmName == null) {
                    realmName = "default";
                }
            }
            if (!evaluate_client_conformance_ascontext(securityContext, iorDescriptor, realmName)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance: evaluate_client_conformance_ascontext");
                }
                conform = false;
                continue;
            }
            if (evaluate_client_conformance_sascontext(securityContext, iorDescriptor)) {
                return true;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SecurityMechanismSelector.evaluate_client_conformance: evaluate_client_conformance_sascontext");
            }
            conform = false;
        }
        return conform;
    }

    /**
     * Returns {@code true} when the descriptor demands nothing of the client:
     * integrity, confidentiality, establish-trust-in-client and caller
     * propagation are all {@code NONE} and no authentication method is
     * required. Such a descriptor is treated as trivially conformed to.
     *
     * @param ejbIORConfigurationDescriptor descriptor to inspect, may be {@code null}
     * @return {@code true} if conformance checking can be skipped
     */
    private boolean skip_client_conformance(EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor) {
        if (ejbIORConfigurationDescriptor == null) {
            return false;
        }
        boolean transportUnprotected = "NONE".equalsIgnoreCase(ejbIORConfigurationDescriptor.getIntegrity())
                && "NONE".equalsIgnoreCase(ejbIORConfigurationDescriptor.getConfidentiality())
                && "NONE".equalsIgnoreCase(ejbIORConfigurationDescriptor.getEstablishTrustInClient());
        return transportUnprotected
                && !ejbIORConfigurationDescriptor.isAuthMethodRequired()
                && "NONE".equalsIgnoreCase(ejbIORConfigurationDescriptor.getCallerPropagation());
    }

    /**
     * Evaluates the trust that can be placed in the calling client for a
     * request on the target identified by {@code bArr}.
     *
     * <p>If the request arrived over an {@link SSLSocket}, the peer certificate
     * chain is read from the session; failure to obtain it is logged at FINE
     * and treated as "no client certificate". The client is then checked for
     * conformance with the target's CSIv2 configuration. A conforming client
     * that supplied a context has it normalised so that an asserted identity
     * ({@code identcls}) wins over an authentication credential
     * ({@code authcls}), with {@link AnonCredential} as the fallback. A client
     * with no context but with an SSL client certificate gets a new context
     * whose identity is the certificate subject as an {@code X500Name}.
     *
     * @param securityContext context received with the request, or {@code null}
     * @param bArr object key of the target, may be {@code null}
     * @param socket transport socket the request arrived on, or {@code null}
     * @return the (possibly new) security context, or {@code null} when none
     *         applies: the request runs on the thread recorded as the client
     *         thread and carries no context, or there is no context and no
     *         SSL client certificate
     * @throws SecurityMechanismException if the client does not conform to the
     *         configured security policies
     */
    public SecurityContext evaluateTrust(SecurityContext securityContext, byte[] bArr, Socket socket) throws SecurityMechanismException {
        boolean sslUsed = socket instanceof SSLSocket;
        X509Certificate[] peerChain = null;
        if (sslUsed) {
            try {
                peerChain = (X509Certificate[]) ((SSLSocket) socket).getSession().getPeerCertificates();
            } catch (Exception e) {
                // No client certificate (or not an X.509 chain): continue without one.
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "iiop.cannot_get_peercert", e);
                }
            }
        }

        Long clientThreadId = ConnectionExecutionContext.readClientThreadID();
        boolean onClientThread = clientThreadId != null && clientThreadId.longValue() == Thread.currentThread().getId();
        if (onClientThread && securityContext == null) {
            return null;
        }

        if (!evaluate_client_conformance(securityContext, bArr, sslUsed, peerChain)) {
            throw new SecurityMechanismException("Trust evaluation failed because client does not conform to configured security policies");
        }

        if (securityContext != null) {
            // Exactly one of identcls / authcls survives; identity assertion takes precedence.
            if (securityContext.identcls != null) {
                securityContext.authcls = null;
            } else if (securityContext.authcls == null) {
                securityContext.identcls = AnonCredential.class;
            }
            return securityContext;
        }

        if (!sslUsed || peerChain == null) {
            return null;
        }
        // assumes the chain is non-empty — getPeerCertificates() throws rather than returning an
        // empty chain, but that is not re-checked here.
        // getSubjectDN() is deprecated, but identcls is set to X500Name.class below, so the
        // credential type is part of this method's contract.
        X500Name subjectDN = (X500Name) peerChain[0].getSubjectDN();
        SecurityContext certContext = new SecurityContext();
        certContext.subject = new Subject();
        certContext.subject.getPublicCredentials().add(subjectDN);
        certContext.identcls = X500Name.class;
        certContext.authcls = null;
        return certContext;
    }

    /**
     * Returns {@code true} if every bit of {@code i2} is set in {@code i}.
     * A zero mask is therefore always reported as set.
     *
     * @param i bit field to test
     * @param i2 mask of bits that must all be present
     */
    private static boolean isSet(int i, int i2) {
        int present = i & i2;
        return present == i2;
    }

    /**
     * Returns the IOR configuration descriptors used for targets that have no
     * EJB descriptor of their own (see evaluate_client_conformance).
     */
    private Set<EjbIORConfigurationDescriptor> getCorbaIORDescSet() {
        return corbaIORDescSet;
    }

    /**
     * Returns whether SSL is required by this selector's configuration.
     */
    public boolean isSslRequired() {
        return sslRequired;
    }

    /**
     * Returns {@code true} when this process is neither a server nor an
     * application client container (process type {@code Other}).
     */
    private boolean isNotServerOrACC() {
        ProcessEnvironment.ProcessType processType = this.processEnv.getProcessType();
        return processType.equals(ProcessEnvironment.ProcessType.Other);
    }

    /**
     * Returns {@code true} when this process is an application client container.
     */
    private boolean isACC() {
        ProcessEnvironment.ProcessType processType = this.processEnv.getProcessType();
        return processType.equals(ProcessEnvironment.ProcessType.ACC);
    }

    /**
     * Returns whether IOR tracing is enabled for this class.
     */
    public static boolean traceIORs() {
        boolean tracing = _traceIORs;
        return tracing;
    }

    /**
     * Renders the CSIv2 security mechanisms of {@code ior} as a trace string.
     *
     * @param cSIV2TaggedComponentInfo helper used to extract the mechanisms and TLS components
     * @param ior the IOR to describe
     * @return the trace text produced by
     *         {@link #getSecurityMechanismString(CSIV2TaggedComponentInfo, CompoundSecMech[], String)}
     */
    public String getSecurityMechanismString(CSIV2TaggedComponentInfo cSIV2TaggedComponentInfo, IOR ior) {
        CompoundSecMech[] mechanisms = cSIV2TaggedComponentInfo.getSecurityMechanisms(ior);
        String typeId = ior.getTypeId();
        return getSecurityMechanismString(cSIV2TaggedComponentInfo, mechanisms, typeId);
    }

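    /**
     * Renders the CSIv2 security mechanisms of an IOR as a multi-line,
     * human-readable trace string (used when IOR tracing is enabled).
     *
     * <p>For every {@link CompoundSecMech} the target-requires options, the
     * TLS transport (requires / supports / addresses), the AS context
     * (requires / supports / client authentication mechanism OID / target
     * name) and the SAS context (requires / supports / privilege authorities /
     * naming mechanisms / identity token types) are listed. An OID that cannot
     * be parsed is reported inline as "(invalid)" rather than aborting the trace.
     *
     * @param cSIV2TaggedComponentInfo helper used to extract the TLS component of a mechanism
     * @param compoundSecMechArr mechanisms to render; {@code null} renders only the type id
     * @param str repository type id of the IOR
     * @return the trace text, or a fixed diagnostic message if rendering fails
     *         unexpectedly (the failure is logged at SEVERE)
     */
    public static String getSecurityMechanismString(CSIV2TaggedComponentInfo cSIV2TaggedComponentInfo, CompoundSecMech[] compoundSecMechArr, String str) {
        StringBuilder out = new StringBuilder();
        out.append("\ntypeId: ").append(str);
        if (compoundSecMechArr != null) {
            try {
                for (int i = 0; i < compoundSecMechArr.length; i++) {
                    appendCompoundSecMechTrace(out, cSIV2TaggedComponentInfo, compoundSecMechArr[i], i);
                }
            } catch (Exception e) {
                // Tracing is diagnostic only: report through the logger (not stderr) and return a
                // message rather than a partial dump, as before.
                _logger.log(Level.SEVERE, "Unexpected exception during IOR tracing", e);
                return "Unexpected exception during IOR tracing - unset Property: com.sun.enterprise.iiop.security.traceIORS";
            }
        }
        out.append("\n\n");
        return out.toString();
    }

    /**
     * Appends the trace lines for the mechanism at position {@code index}.
     *
     * @param out buffer to append to
     * @param info helper used to extract the TLS component of {@code mech}
     * @param mech mechanism to render
     * @param index position of {@code mech} in its array, shown in the heading
     */
    private static void appendCompoundSecMechTrace(StringBuilder out, CSIV2TaggedComponentInfo info, CompoundSecMech mech, int index) {
        out.append("\nCSIv2 CompoundSecMech[").append(index).append("]\n\tTarget Requires:");
        appendAssocOptionLines(out, "\n\t\t", mech.target_requires);

        TLS_SEC_TRANS tls = info.getSSLInformation(mech);
        if (tls != null) {
            out.append("\n\tTLS_SEC_TRANS\n\t\tTarget Requires:");
            appendAssocOptionLines(out, "\n\t\t\t", tls.target_requires);
            out.append("\n\t\tTarget Supports:");
            appendAssocOptionLines(out, "\n\t\t\t", tls.target_supports);
            TransportAddress[] addresses = tls.addresses;
            for (int a = 0; a < addresses.length; a++) {
                // The IDL port is an unsigned 16-bit value; mask it so ports above 32767 are not
                // printed as negative numbers.
                int port = addresses[a].port & 0xFFFF;
                out.append("\n\t\tAddress[").append(a).append("] Host Name: ").append(addresses[a].host_name)
                        .append(" port: ").append(port);
            }
        }

        AS_ContextSec asContext = mech.as_context_mech;
        if (asContext != null) {
            out.append("\n\tAS_ContextSec\n\t\tTarget Requires:");
            appendAssocOptionLines(out, "\n\t\t\t", asContext.target_requires);
            out.append("\n\t\tTarget Supports:");
            appendAssocOptionLines(out, "\n\t\t\t", asContext.target_supports);
            try {
                if (asContext.client_authentication_mech.length > 0) {
                    out.append("\n\t\tclient_auth_mech_OID:").append(new Oid(asContext.client_authentication_mech));
                } else {
                    out.append("\n\t\tclient_auth_mech_OID: undefined");
                }
            } catch (Exception e) {
                out.append("\n\t\tclient_auth_mech_OID: (invalid)").append(e.getMessage());
            } finally {
                // The target name is always reported, exactly once, whatever happened to the OID
                // (the decompiled try/catch/finally appended it twice on the error path).
                out.append("\n\t\ttarget_name:").append(decodeNameBytes(asContext.target_name));
            }
        }

        SAS_ContextSec sasContext = mech.sas_context_mech;
        if (sasContext != null) {
            out.append("\n\tSAS_ContextSec\n\t\tTarget Requires:");
            appendAssocOptionLines(out, "\n\t\t\t", sasContext.target_requires);
            out.append("\n\t\tTarget Supports:");
            appendAssocOptionLines(out, "\n\t\t\t", sasContext.target_supports);
            out.append("\n\t\tprivilege authorities:").append(Arrays.toString(sasContext.privilege_authorities));
            byte[][] namingMechanisms = sasContext.supported_naming_mechanisms;
            for (int n = 0; n < namingMechanisms.length; n++) {
                try {
                    if (namingMechanisms[n].length > 0) {
                        out.append("\n\t\tSupported Naming Mechanim[").append(n).append("]: ").append(new Oid(namingMechanisms[n]));
                    } else {
                        out.append("\n\t\tSupported Naming Mechanim[").append(n).append("]:  undefined");
                    }
                } catch (Exception e) {
                    out.append("\n\t\tSupported Naming Mechanism[").append(n).append("]: (invalid)").append(e.getMessage());
                }
            }
            out.append("\n\t\tsupported Identity Types:");
            // Bits not named in identityTokenTypes are reported as "custom bits".
            long unnamedBits = sasContext.supported_identity_types;
            for (Enumeration<Integer> keys = identityTokenTypes.keys(); keys.hasMoreElements();) {
                Integer bit = keys.nextElement();
                if (isSet(sasContext.supported_identity_types, bit.intValue())) {
                    out.append("\n\t\t\t").append(identityTokenTypes.get(bit));
                    unnamedBits &= ~bit.intValue();
                }
            }
            if (unnamedBits > 0) {
                out.append("\n\t\t\tcustom bits set: ").append(unnamedBits);
            }
        }
    }

    /**
     * Appends one line per assocOptions entry whose bit is set in {@code options},
     * each line prefixed by {@code prefix} (newline plus indentation).
     *
     * @param out buffer to append to
     * @param prefix text emitted before each option name
     * @param options association-option bit field to render
     */
    private static void appendAssocOptionLines(StringBuilder out, String prefix, int options) {
        for (Enumeration<Integer> keys = assocOptions.keys(); keys.hasMoreElements();) {
            Integer bit = keys.nextElement();
            if (isSet(options, bit.intValue())) {
                out.append(prefix).append(assocOptions.get(bit));
            }
        }
    }

    /**
     * Decodes raw name bytes for display. UTF-8 is named explicitly so the
     * trace output does not depend on the platform default charset.
     */
    private static String decodeNameBytes(byte[] bytes) {
        return new String(bytes, java.nio.charset.StandardCharsets.UTF_8);
    }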

    static {
        // Association-option bit -> display name. The values appear to match the CSIIOP
        // AssociationOptions constants; the conformance checks above test bit 64
        // (EstablishTrustInClient) and bit 1024 (IdentityAssertion) directly.
        // Keep the insertion order: the trace output enumerates this Hashtable, and
        // enumeration order depends on insertion order when keys share a bucket.
        assocOptions.put(2, "Integrity");
        assocOptions.put(4, "Confidentiality");
        assocOptions.put(32, "EstablishTrustInTarget");
        assocOptions.put(64, "EstablishTrustInClient");
        assocOptions.put(1024, "IdentityAssertion");
        assocOptions.put(2048, "DelegationByClient");
        // Identity-token-type bit -> display name, used for the "supported Identity Types"
        // section of the trace; any other bits are reported there as "custom bits set".
        identityTokenTypes = new Hashtable<>();
        identityTokenTypes.put(1, "Anonymous");
        identityTokenTypes.put(2, Servlet.PRINCIPAL_NAME);
        identityTokenTypes.put(4, "X509CertChain");
        identityTokenTypes.put(8, "DistinguishedName");
    }
}
