package com.sun.enterprise.iiop.security;

import com.sun.corba.ee.org.omg.CSI.CompleteEstablishContext;
import com.sun.corba.ee.org.omg.CSI.ContextError;
import com.sun.corba.ee.org.omg.CSI.EstablishContext;
import com.sun.corba.ee.org.omg.CSI.GSS_NT_ExportedNameHelper;
import com.sun.corba.ee.org.omg.CSI.IdentityToken;
import com.sun.corba.ee.org.omg.CSI.SASContextBody;
import com.sun.corba.ee.org.omg.CSI.SASContextBodyHelper;
import com.sun.corba.ee.org.omg.CSI.X501DistinguishedNameHelper;
import com.sun.corba.ee.org.omg.CSI.X509CertificateChainHelper;
import com.sun.enterprise.security.auth.login.PasswordCredential;
import com.sun.enterprise.security.auth.login.X509CertificateCredential;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.enterprise.util.ORBManager;
import com.sun.logging.LogDomains;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import javax.security.auth.Subject;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.ORB;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ForwardRequest;
import org.omg.PortableInterceptor.ServerRequestInfo;
import org.omg.PortableInterceptor.ServerRequestInterceptor;
import sun.rmi.rmic.iiop.Constants;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;

/* loaded from: input_file:116287-16/SUNWascmo/reloc/$ASINSTDIR/lib/appserv-rt.jar:com/sun/enterprise/iiop/security/SecServerRequestInterceptor.class */
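/**
 * CSIv2 server-side request interceptor.
 *
 * <p>For every incoming request it looks for the Security Attribute Service (SAS)
 * element in the request service-context list, decodes it, builds a JAAS
 * {@link Subject} from the authentication token (GSSUP user/password) and the
 * identity-assertion token carried in an EstablishContext message, hands the
 * resulting {@link SecurityContext} to the {@link SecurityService}, and answers
 * with a CompleteEstablishContext or ContextError element on the reply.
 *
 * <p>Request/reply bookkeeping: {@link #receive_request_service_contexts} counts
 * nested calls on the current thread and {@link #unsetSecurityContext} clears the
 * security context when the outermost call completes.
 *
 * <p>NOTE(review): one interceptor instance is invoked from many request threads,
 * and {@code orb}/{@code secsvc} are overwritten on every call to
 * {@link #receive_request}. That is only safe as long as both lookups return the
 * same process-wide objects — confirm against {@link ORBManager} and
 * {@link Csiv2Manager}.
 */
public class SecServerRequestInterceptor extends LocalObject implements ServerRequestInterceptor {
    private static final java.util.logging.Logger _logger = LogDomains.getLogger(LogDomains.CORBA_LOGGER);
    private static final LocalStringManagerImpl localStrings =
            new LocalStringManagerImpl(SecServerRequestInterceptor.class);

    /** Service-context id of the CSIv2 Security Attribute Service element. */
    protected static final int SECURITY_ATTRIBUTE_SERVICE_ID = 15;
    private static final int INVALID_MECHANISM_MAJOR = 2;
    private static final int INVALID_MECHANISM_MINOR = 1;
    /** Passed to add_reply_service_context: never replace an existing element. */
    private static final boolean NO_REPLACE = false;

    // SASContextBody discriminators handled here (CSIv2 MsgType values).
    private static final short MT_ESTABLISH_CONTEXT = 0;
    private static final short MT_MESSAGE_IN_CONTEXT = 5;
    // ContextError minor code sent back for a MessageInContext message (this
    // interceptor keeps no per-client context state).
    private static final int MESSAGE_IN_CONTEXT_MINOR = 4;

    // IdentityToken discriminators handled here (CSIv2 IdentityTokenType values).
    private static final int ITT_ABSENT = 0;
    private static final int ITT_ANONYMOUS = 1;
    private static final int ITT_PRINCIPAL_NAME = 2;
    private static final int ITT_X509_CERT_CHAIN = 4;
    private static final int ITT_DISTINGUISHED_NAME = 8;

    // Status code returned by SecurityService.setSecurityContext() on failure.
    // NOTE(review): mirrors the value compared against in the original code;
    // confirm it matches the constant declared on SecurityService.
    private static final int STATUS_FAILED = 1;

    private final String prname;
    private final String name;
    private final Codec codec;
    private ORB orb;
    // Per-thread nesting depth of in-flight requests; child threads inherit the
    // same Counter object, so a request that spawns threads shares its count.
    private final InheritableThreadLocal<Counter> counterForCalls = new InheritableThreadLocal<Counter>();
    SecurityService secsvc = null;

    /**
     * Creates the interceptor.
     *
     * @param str   interceptor name reported by {@link #name()}
     * @param codec CDR codec used to decode/encode SAS context elements
     */
    public SecServerRequestInterceptor(String str, Codec codec) {
        this.name = str;
        this.codec = codec;
        this.prname = str + Constants.IDL_NAME_SEPARATOR;
    }

    @Override
    public String name() {
        return this.name;
    }

    /**
     * Builds a ContextError SAS message with major code 1 and the given minor code.
     *
     * @param minor ContextError minor code
     */
    private SASContextBody createContextError(int minor) {
        _logger.log(Level.FINE, "Creating ContextError message: minor code= " + minor);
        return wrapError(new ContextError(0L, 1, minor, new byte[0]));
    }

    /**
     * Builds a ContextError SAS message with explicit major and minor codes.
     *
     * @param major ContextError major code
     * @param minor ContextError minor code
     */
    private SASContextBody createContextError(int major, int minor) {
        _logger.log(Level.FINE, "Creating ContextError message: major code = " + major + "minor code= " + minor);
        return wrapError(new ContextError(0L, major, minor, new byte[0]));
    }

    /** Wraps a ContextError in a SASContextBody union. */
    private static SASContextBody wrapError(ContextError error) {
        SASContextBody body = new SASContextBody();
        body.error_msg(error);
        return body;
    }

    /**
     * Builds a CompleteEstablishContext SAS message (client context id 0, stateless).
     *
     * @param status ignored; kept for signature compatibility with callers
     */
    private SASContextBody createCompleteEstablishContext(int status) {
        _logger.log(Level.FINE, "Creating CompleteEstablishContext message");
        CompleteEstablishContext complete = new CompleteEstablishContext(0L, false, new byte[0]);
        SASContextBody body = new SASContextBody();
        body.complete_msg(complete);
        return body;
    }

    /**
     * CDR-encodes a SAS message into a ServiceContext for the reply.
     *
     * <p>Encoding failures are logged and an element with empty
     * {@code context_data} is returned (best-effort, as in the original code).
     */
    private ServiceContext createSvcContext(SASContextBody body) {
        Any any = this.orb.create_any();
        SASContextBodyHelper.insert(any, body);
        byte[] encoded;
        try {
            encoded = this.codec.encode_value(any);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.encode_exception", e);
            encoded = new byte[0];
        }
        ServiceContext sc = new ServiceContext();
        sc.context_id = SECURITY_ATTRIBUTE_SERVICE_ID;
        sc.context_data = encoded;
        return sc;
    }

    /**
     * Adds the asserted identity from an IdentityToken to the subject's public
     * credentials and records its credential class in {@code sc.identcls}.
     *
     * @throws SecurityException for an unsupported token type or a GSS exported
     *                           name whose mechanism OID is not GSSUP
     * @throws Exception         on CDR decoding or DER parsing failures
     */
    private void createIdCred(SecurityContext sc, IdentityToken idToken) throws Exception {
        switch (idToken.discriminator()) {
            case ITT_ABSENT:
                _logger.log(Level.FINE, "Identity token type is Absent");
                sc.identcls = null;
                break;

            case ITT_ANONYMOUS:
                _logger.log(Level.FINE, "Identity token type is Anonymous");
                _logger.log(Level.FINE, "Adding AnonyCredential to subject's PublicCredentials");
                sc.subject.getPublicCredentials().add(new AnonCredential());
                sc.identcls = AnonCredential.class;
                break;

            case ITT_PRINCIPAL_NAME: {
                _logger.log(Level.FINE, "Identity token type is GSS Exported Name");
                byte[] exportedName = GSS_NT_ExportedNameHelper.extract(
                        this.codec.decode_value(idToken.principal_name(), GSS_NT_ExportedNameHelper.type()));
                // Only the GSSUP mechanism is accepted for asserted principal names.
                if (!GSSUtils.verifyMechOID(GSSUtils.GSSUP_MECH_OID, exportedName)) {
                    throw new SecurityException(localStrings.getLocalString(
                            "secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
                }
                sc.subject.getPublicCredentials().add(new GSSUPName(exportedName));
                sc.identcls = GSSUPName.class;
                _logger.log(Level.FINE, "Adding GSSUPName credential to subject");
                break;
            }

            case ITT_X509_CERT_CHAIN: {
                _logger.log(Level.FINE, "Identity token type is a X509 Certificate Chain");
                DerValue[] chainValues = new DerInputStream(X509CertificateChainHelper.extract(
                        this.codec.decode_value(idToken.certificate_chain(), X509CertificateChainHelper.type())))
                        .getSequence(1);
                X509Certificate[] certChain = new X509CertImpl[chainValues.length];
                _logger.log(Level.FINE, "Contents of X509 Certificate chain:");
                for (int i = 0; i < certChain.length; i++) {
                    certChain[i] = new X509CertImpl(chainValues[i]);
                    if (_logger.isLoggable(Level.FINE)) {
                        _logger.log(Level.FINE, "    " + certChain[i].getSubjectDN().getName());
                    }
                }
                _logger.log(Level.FINE, "Creating a X509CertificateCredential object from certchain");
                // NOTE(review): an empty chain fails here with an
                // ArrayIndexOutOfBoundsException, which the caller turns into a
                // generic credential-creation SecurityException.
                // The credential object itself is never added to the subject; the
                // raw certificate array is (kept as in the original — confirm what
                // SecurityService expects before changing it).
                X509CertificateCredential unusedCred = new X509CertificateCredential(
                        certChain, certChain[0].getSubjectDN().getName(), "default");
                _logger.log(Level.FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
                sc.subject.getPublicCredentials().add(certChain);
                sc.identcls = X509CertificateCredential.class;
                break;
            }

            case ITT_DISTINGUISHED_NAME: {
                byte[] dnBytes = X501DistinguishedNameHelper.extract(
                        this.codec.decode_value(idToken.dn(), X501DistinguishedNameHelper.type()));
                _logger.log(Level.FINE, "Create an X500Name object from identity token");
                X500Name x500Name = new X500Name(dnBytes);
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Identity to be asserted is " + x500Name.toString());
                    _logger.log(Level.FINE, "Adding X500Name to subject's PublicCredentials");
                }
                sc.subject.getPublicCredentials().add(x500Name);
                sc.identcls = X500Name.class;
                break;
            }

            default:
                // Includes ITTAbsent-adjacent values 3, 5, 6, 7 and anything unknown.
                _logger.log(Level.SEVERE, "iiop.unknown_identity");
                throw new SecurityException(localStrings.getLocalString(
                        "secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
        }
    }

    /**
     * Parses a GSSUP client authentication token into a PasswordCredential, adds
     * it to the subject's private credentials and records the credential class in
     * {@code sc.authcls}.
     *
     * @throws Exception if the token cannot be decoded
     */
    private void createAuthCred(SecurityContext sc, byte[] authToken) throws Exception {
        _logger.log(Level.FINE, "Constructing a PasswordCredential from client authentication token");
        final PasswordCredential pwdcred = new GSSUPToken(this.orb, this.codec, authToken).getPwdcred();
        if (_logger.isLoggable(Level.FINE)) {
            // NOTE(review): this logs the credential's toString(); it relies on
            // PasswordCredential.toString() not rendering the password — confirm.
            _logger.log(Level.FINE, "Password credential = " + pwdcred.toString());
            _logger.log(Level.FINE, "Adding PasswordCredential to subject's PrivateCredentials");
        }
        final SecurityContext fsc = sc;
        // Private credentials are guarded by AuthPermission; add them under our own
        // protection domain rather than the caller's.
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                fsc.subject.getPrivateCredentials().add(pwdcred);
                return null;
            }
        });
        sc.authcls = PasswordCredential.class;
    }

    /**
     * Processes the SAS element of an incoming request.
     *
     * <p>Without a SAS element the SecurityService is asked whether an
     * unauthenticated call is acceptable. With one, only EstablishContext is
     * accepted; MessageInContext is answered with a ContextError and any other
     * message type is rejected.
     *
     * <p>NOTE(review): every exception raised inside the decoding block — including
     * the {@code NO_PERMISSION} thrown on rejection — is caught by the generic
     * handler below and re-thrown as a {@link SecurityException} with the CDR
     * decoding message. The request is still rejected, but the client does not see
     * NO_PERMISSION. Kept as-is because the original behaves the same way.
     *
     * @throws NO_PERMISSION     when the request is rejected without a SAS element
     * @throws SecurityException when the SAS element cannot be decoded or processed
     */
    @Override
    public void receive_request(ServerRequestInfo ri) throws ForwardRequest {
        Logger.methodentry(this.prname + "receive_request_service_contexts");
        this.secsvc = Csiv2Manager.getSecurityService();
        this.orb = ORBManager.getORB();

        ServiceContext sasElement;
        try {
            sasElement = ri.get_request_service_context(SECURITY_ATTRIBUTE_SERVICE_ID);
        } catch (BAD_PARAM noSasElement) {
            // BAD_PARAM is how the ORB reports "no such service context".
            _logger.log(Level.FINE, "No SAS context element found in service context list");
            if (this.secsvc.setSecurityContext(null, ri.object_id(), ri.operation()) == STATUS_FAILED) {
                ri.add_reply_service_context(
                        createSvcContext(createContextError(INVALID_MECHANISM_MAJOR, INVALID_MECHANISM_MINOR)), NO_REPLACE);
                throw new NO_PERMISSION();
            }
            return;
        }
        _logger.log(Level.FINE, "Received a non null SAS context element");

        try {
            Any decoded = this.codec.decode_value(sasElement.context_data, SASContextBodyHelper.type());
            _logger.log(Level.FINE, "Successfully decoded CDR encoded SAS context element.");
            SASContextBody sasBody = SASContextBodyHelper.extract(decoded);
            short msgType = sasBody.discriminator();
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SAS context element is a/an " + SvcContextUtils.getMsgname(msgType) + " message");
            }
            if (msgType == MT_MESSAGE_IN_CONTEXT) {
                ServiceContext reply = createSvcContext(createContextError(MESSAGE_IN_CONTEXT_MINOR));
                _logger.log(Level.FINE, "Adding ContextError message to service context list");
                ri.add_reply_service_context(reply, NO_REPLACE);
                _logger.log(Level.FINE, "SecurityContext set to null");
                throw new NO_PERMISSION();
            }
            if (msgType != MT_ESTABLISH_CONTEXT) {
                _logger.log(Level.SEVERE, "iiop.not_establishcontext_msg");
                throw new SecurityException(localStrings.getLocalString(
                        "secserverreqinterceptor.err_not_ec_msg", "Received message not an EstablishContext message."));
            }
            establishContext(ri, sasBody.establish_msg());
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.decode_exception", e);
            _logger.log(Level.SEVERE, "iiop.decode_exception");
            throw new SecurityException(localStrings.getLocalString(
                    "secserverreqinterceptor.err_cdr_decode", "CDR Decoding error for SAS context element."));
        }
    }

    /**
     * Builds the SecurityContext for an EstablishContext message, installs it via
     * the SecurityService and adds the matching reply element.
     *
     * <p>The nested handlers preserve the original mapping: a SecurityException
     * from credential creation or the service answers with ContextError
     * (invalid mechanism) and NO_PERMISSION; any other failure becomes a generic
     * credential-creation SecurityException.
     */
    private void establishContext(ServerRequestInfo ri, EstablishContext establishMsg) {
        SecurityContext sc = new SecurityContext();
        sc.subject = new Subject();
        try {
            if (establishMsg.client_authentication_token.length != 0) {
                _logger.log(Level.FINE, "Message contains Client Authentication Token");
                createAuthCred(sc, establishMsg.client_authentication_token);
            }
            try {
                if (establishMsg.identity_token != null) {
                    _logger.log(Level.FINE, "Message contains an Identity Token");
                    createIdCred(sc, establishMsg.identity_token);
                }
                _logger.log(Level.FINE, "Invoking setSecurityContext() to set security context");
                int status = this.secsvc.setSecurityContext(sc, ri.object_id(), ri.operation());
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "setSecurityContext() returned status code " + status);
                }
                if (status != STATUS_FAILED) {
                    _logger.log(Level.FINE, "setSecurityContext() returned SUCCESS");
                    ServiceContext reply = createSvcContext(createCompleteEstablishContext(status));
                    _logger.log(Level.FINE, "Adding CompleteEstablisContext message to service context list");
                    ri.add_reply_service_context(reply, NO_REPLACE);
                    return;
                }
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "setSecurityContext() returned STATUS_FAILED");
                }
                ServiceContext reply = createSvcContext(createContextError(status));
                _logger.log(Level.FINE, "Adding ContextError message to service context list");
                ri.add_reply_service_context(reply, NO_REPLACE);
                throw new NO_PERMISSION();
            } catch (SecurityException e) {
                _logger.log(Level.SEVERE, "iiop.security_exception", e);
                _logger.log(Level.SEVERE, "iiop.security_exception");
                ri.add_reply_service_context(
                        createSvcContext(createContextError(INVALID_MECHANISM_MAJOR, INVALID_MECHANISM_MINOR)), NO_REPLACE);
                throw new NO_PERMISSION();
            } catch (Exception e) {
                _logger.log(Level.SEVERE, "iiop.generic_exception", e);
                _logger.log(Level.SEVERE, "iiop.generic_exception");
                throw new SecurityException(localStrings.getLocalString(
                        "secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."));
            }
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.authentication_exception", e);
            _logger.log(Level.SEVERE, "iiop.authentication_exception");
            throw new SecurityException(localStrings.getLocalString(
                    "secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."));
        }
    }

    /**
     * Tracks request nesting on the current thread; the outermost request starts
     * with a cleared security context.
     */
    @Override
    public void receive_request_service_contexts(ServerRequestInfo ri) throws ForwardRequest {
        Counter depth = this.counterForCalls.get();
        if (depth == null) {
            depth = new Counter();
            this.counterForCalls.set(depth);
        }
        if (depth.count == 0) {
            Csiv2Manager.getSecurityService().unsetSecurityContext();
        }
        depth.increment();
    }

    @Override
    public void send_reply(ServerRequestInfo ri) {
        unsetSecurityContext();
    }

    @Override
    public void send_exception(ServerRequestInfo ri) throws ForwardRequest {
        unsetSecurityContext();
    }

    @Override
    public void send_other(ServerRequestInfo ri) throws ForwardRequest {
        unsetSecurityContext();
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Decrements the per-thread nesting counter and clears the security context
     * once the outermost request on this thread has finished.
     */
    private void unsetSecurityContext() {
        Counter depth = this.counterForCalls.get();
        if (depth == null) {
            // No matching receive_request_service_contexts on this thread; treat as depth 1.
            depth = new Counter(1);
        }
        depth.decrement();
        if (depth.count == 0) {
            Csiv2Manager.getSecurityService().unsetSecurityContext();
        }
    }
}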
