package com.sun.enterprise.iiop.security;

import com.sun.appserv.management.config.HTTPListenerConfigKeys;
import com.sun.corba.ee.org.omg.CSIIOP.AS_ContextSec;
import com.sun.corba.ee.org.omg.CSIIOP.CompoundSecMech;
import com.sun.corba.ee.org.omg.CSIIOP.SAS_ContextSec;
import com.sun.corba.ee.org.omg.CSIIOP.TLS_SEC_TRANS;
import com.sun.corba.ee.spi.ior.IOR;
import com.sun.corba.ee.spi.ior.iiop.IIOPProfileTemplate;
import com.sun.corba.ee.spi.transport.SocketInfo;
import com.sun.enterprise.ComponentInvocation;
import com.sun.enterprise.InvocationManager;
import com.sun.enterprise.Switch;
import com.sun.enterprise.appclient.AppContainer;
import com.sun.enterprise.deployment.EjbDescriptor;
import com.sun.enterprise.deployment.EjbIORConfigurationDescriptor;
import com.sun.enterprise.iiop.CSIV2TaggedComponentInfo;
import com.sun.enterprise.iiop.IORToSocketInfoImpl;
import com.sun.enterprise.iiop.POAProtocolMgr;
import com.sun.enterprise.security.ClientSecurityContext;
import com.sun.enterprise.security.SSLUtils;
import com.sun.enterprise.security.auth.LoginContextDriver;
import com.sun.enterprise.security.auth.login.PasswordCredential;
import com.sun.enterprise.util.LocalStringManagerImpl;
import com.sun.enterprise.util.ORBManager;
import com.sun.enterprise.util.TypeUtil;
import com.sun.enterprise.util.Utility;
import com.sun.logging.LogDomains;
import java.net.InetAddress;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLSocket;
import javax.security.auth.Subject;
import org.omg.CORBA.ORB;
import sun.security.x509.X500Name;

/* loaded from: input_file:119167-02/SUNWascmn/reloc/appserver/lib/appserv-rt.jar:com/sun/enterprise/iiop/security/SecurityMechanismSelector.class */
public final class SecurityMechanismSelector {
    private static Logger _logger;
    public static final String CLIENT_CONNECTION_CONTEXT = "ClientConnContext";
    public static final String SERVER_CONNECTION_CONTEXT = "ServerConnContext";
    private static Set corbaIORDescSet;
    private static boolean sslRequired;
    private static String[] serverTrustedHosts = null;
    private static LocalStringManagerImpl localStrings;
    private static POAProtocolMgr protocolMgr;
    private CompoundSecMech mechanism = null;
    private ORB orb;
    private CSIV2TaggedComponentInfo ctc;
    static Class class$com$sun$enterprise$iiop$security$SecServerRequestInterceptor;
    static Class class$com$sun$enterprise$iiop$security$GSSUPName;
    static Class class$com$sun$enterprise$security$auth$login$PasswordCredential;
    static Class class$com$sun$enterprise$iiop$security$AnonCredential;
    static Class class$sun$security$x509$X500Name;
    static Class class$com$sun$enterprise$security$auth$login$X509CertificateCredential;

    /**
     * Creates a selector bound to the process-wide ORB and a CSIv2 tagged-component
     * helper for that ORB.
     */
    public SecurityMechanismSelector() {
        // Both fields default to null; only the ORB lookup and helper construction are needed.
        this.orb = ORBManager.getORB();
        this.ctc = new CSIV2TaggedComponentInfo(this.orb);
    }

    /**
     * Returns the server-side connection context stored in the current execution
     * context, or {@code null} when none has been set.
     */
    public static ServerConnectionContext getServerConnectionContext() {
        Object stored = ConnectionExecutionContext.getContext().get(SERVER_CONNECTION_CONTEXT);
        return (ServerConnectionContext) stored;
    }

    /**
     * Stores the server-side connection context in the current execution context.
     *
     * @param serverConnectionContext the context to publish under {@link #SERVER_CONNECTION_CONTEXT}
     */
    public static void setServerConnectionContext(ServerConnectionContext serverConnectionContext) {
        ConnectionExecutionContext.getContext()
                .put(SERVER_CONNECTION_CONTEXT, serverConnectionContext);
    }

    /**
     * Returns the client-side connection context stored in the current execution
     * context, or {@code null} when none has been set.
     */
    public ConnectionContext getClientConnectionContext() {
        Object stored = ConnectionExecutionContext.getContext().get(CLIENT_CONNECTION_CONTEXT);
        return (ConnectionContext) stored;
    }

    /**
     * Stores the client-side connection context in the current execution context.
     *
     * @param connectionContext the context to publish under {@link #CLIENT_CONNECTION_CONTEXT}
     */
    public void setClientConnectionContext(ConnectionContext connectionContext) {
        ConnectionExecutionContext.getContext()
                .put(CLIENT_CONNECTION_CONTEXT, connectionContext);
    }

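    /**
     * Selects a security mechanism for {@code ior} and decides whether the connection
     * must be made over SSL, recording the decision on {@code connectionContext}.
     *
     * <p>The bit values tested against {@code target_requires}/{@code target_supports}
     * are CSIIOP association options: 2 = Integrity, 4 = Confidentiality,
     * 64 = EstablishTrustInClient (client-certificate authentication).
     *
     * @param ior               the target object reference
     * @param connectionContext receives the IOR, the chosen mechanism and the SSL flags
     * @return socket info for the SSL endpoint to connect to, or {@code null} when a
     *         plain connection is acceptable
     * @throws RuntimeException if the client requires SSL but the target cannot provide
     *                          it, or if no usable mechanism exists (the underlying
     *                          {@link SecurityMechanismException} is kept as the cause)
     */
    public SocketInfo getSSLPort(IOR ior, ConnectionContext connectionContext) {
        try {
            this.mechanism = selectSecurityMechanism(ior);
            connectionContext.setIOR(ior);
            connectionContext.setMechanism(this.mechanism);
            TLS_SEC_TRANS tlsInfo = null;
            if (this.mechanism != null) {
                tlsInfo = this.ctc.getSSLInformation(this.mechanism);
            }
            if (tlsInfo == null) {
                // No TLS transport advertised. If the client insists on SSL, fall back to the
                // profile host and the ORB's initial port (presumably a locally configured SSL
                // listener -- TODO confirm).
                if (sslRequired) {
                    String host = ((IIOPProfileTemplate) ior.getProfile().getTaggedProfileTemplate())
                            .getPrimaryAddress().getHost();
                    return IORToSocketInfoImpl.createSocketInfo("SecurityMechanismSelector1",
                            HTTPListenerConfigKeys.SSL_PARAMS_KEY, host, ORBManager.getORBInitialPort());
                }
                return null;
            }
            short required = tlsInfo.target_requires;
            short supported = tlsInfo.target_supports;
            if (isSet(required, 2) || isSet(required, 4) || isSet(required, 64)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "Target requires SSL");
                }
                connectionContext.setSSLUsed(true);
                String socketType = HTTPListenerConfigKeys.SSL_PARAMS_KEY;
                if (isSet(required, 64)) {
                    // Target requires a client certificate: switch to the mutual-auth socket type.
                    socketType = "SSL_MUTUALAUTH";
                    connectionContext.setSSLClientAuthenticationOccurred(true);
                }
                return createSslSocketInfo("SecurityMechanismSelector2", socketType, tlsInfo);
            }
            if (!isSet(supported, 2) && !isSet(supported, 4) && !isSet(supported, 64)) {
                if (sslRequired) {
                    throw new RuntimeException("SSL required by client but not supported by server.");
                }
                return null;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Target supports SSL");
            }
            if (!sslRequired) {
                // Target merely supports SSL and the client does not require it: plain connection.
                return null;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Client is configured to require SSL for the target");
            }
            connectionContext.setSSLUsed(true);
            return createSslSocketInfo("SecurityMechanismSelector3", HTTPListenerConfigKeys.SSL_PARAMS_KEY, tlsInfo);
        } catch (SecurityMechanismException e) {
            // Keep the original exception as the cause so the failure stays diagnosable.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Builds socket info for the first transport address of a TLS_SEC_TRANS component.
     *
     * @throws RuntimeException if the component carries no transport address (would
     *                          otherwise surface as an ArrayIndexOutOfBoundsException)
     */
    private static SocketInfo createSslSocketInfo(String id, String socketType, TLS_SEC_TRANS tlsInfo) {
        if (tlsInfo.addresses == null || tlsInfo.addresses.length == 0) {
            throw new RuntimeException("TLS_SEC_TRANS component advertises SSL but carries no transport address.");
        }
        return IORToSocketInfoImpl.createSocketInfo(id, socketType,
                tlsInfo.addresses[0].host_name, Utility.shortToInt(tlsInfo.addresses[0].port));
    }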

    /**
     * Builds the client-side security context to send with a request on the current
     * connection, based on the mechanism chosen earlier in {@link #getSSLPort}.
     *
     * @param ior the target object reference (not consulted here; the mechanism comes
     *            from the client connection context)
     * @return the security context to propagate, or {@code null} when there is no
     *         connection context, no mechanism, or no current invocation
     */
    public SecurityContext selectSecurityContext(IOR ior) throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
        ConnectionContext connCtx = getClientConnectionContext();
        if (connCtx == null) {
            return null;
        }
        this.mechanism = connCtx.getMechanism();
        if (this.mechanism == null) {
            return null;
        }
        boolean sslUsed = connCtx.getSSLUsed();
        boolean mutualAuthDone = connCtx.getSSLClientAuthenticationOccurred();
        InvocationManager invMgr = Switch.getSwitch().getInvocationManager();
        if (invMgr == null) {
            // No invocation manager: stand-alone client path.
            return getSecurityContextForAppClient(null, sslUsed, mutualAuthDone);
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "SSL used:" + sslUsed + " SSL Mutual auth:" + mutualAuthDone);
        }
        ComponentInvocation inv = invMgr.getCurrentInvocation();
        if (inv == null) {
            return null;
        }
        if (inv.getContainerContext() instanceof AppContainer) {
            return getSecurityContextForAppClient(inv, sslUsed, mutualAuthDone);
        }
        return getSecurityContextForWebOrEJB(inv, sslUsed, mutualAuthDone);
    }

    /**
     * Application-client path: the only identity available is a username/password.
     *
     * @param componentInvocation the current invocation, or {@code null} outside a container
     * @param z                   whether SSL is in use on the connection
     * @param z2                  whether SSL client authentication already occurred
     */
    public SecurityContext getSecurityContextForAppClient(ComponentInvocation componentInvocation, boolean z, boolean z2) throws InvalidMechanismException, InvalidIdentityTokenException, SecurityMechanismException {
        SecurityContext ctx = sendUsernameAndPassword(componentInvocation, z, z2);
        return ctx;
    }

    /**
     * Web/EJB path: propagates the caller identity. SSL client authentication only
     * counts when SSL was actually used on the connection.
     *
     * @param componentInvocation the current invocation
     * @param z                   whether SSL is in use on the connection
     * @param z2                  whether SSL client authentication already occurred
     */
    public SecurityContext getSecurityContextForWebOrEJB(ComponentInvocation componentInvocation, boolean z, boolean z2) throws InvalidMechanismException, InvalidIdentityTokenException, SecurityMechanismException {
        boolean clientAuthOverSsl = z && z2;
        return propagateIdentity(clientAuthOverSsl, componentInvocation);
    }

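    /**
     * Checks whether the first naming mechanism advertised in the SAS context is the
     * GSSUP mechanism (compared by DER-encoded OID).
     *
     * <p>Only {@code supported_naming_mechanisms[0]} is examined; additional entries
     * are ignored, as in the original implementation.
     *
     * @return {@code true} only on an exact byte match; {@code false} when the list is
     *         missing or empty, or when the GSSUP OID cannot be encoded
     */
    private boolean isMechanismSupported(SAS_ContextSec sAS_ContextSec) {
        byte[][] namingMechs = sAS_ContextSec.supported_naming_mechanisms;
        if (namingMechs == null || namingMechs.length == 0 || namingMechs[0] == null) {
            return false;
        }
        try {
            byte[] gssupOid = GSSUtils.getDER(GSSUtils.GSSUP_MECH_OID);
            return Arrays.equals(namingMechs[0], gssupOid);
        } catch (Exception e) {
            // Encoding failure means we cannot prove support; report unsupported.
            return false;
        }
    }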

    /**
     * Reports whether the target accepts at least one concrete identity token type.
     * The low four bits of {@code supported_identity_types} are the CSIIOP types
     * ITTAnonymous (1), ITTPrincipalName (2), ITTX509CertChain (4) and
     * ITTDistinguishedName (8).
     */
    public boolean isIdentityTypeSupported(SAS_ContextSec sAS_ContextSec) {
        int supportedTypes = sAS_ContextSec.supported_identity_types;
        return (supportedTypes & 0xF) != 0;
    }

    /**
     * Decides whether a username/password context must be sent and, if so, builds it.
     *
     * <p>Credentials are sent when the AS layer requires client trust (bit 64 of
     * {@code as_context_mech.target_requires}), or when the mechanism as a whole
     * requires client trust and SSL client authentication did not already satisfy it.
     *
     * @param componentInvocation the current invocation, or {@code null}
     * @param z                   whether SSL is in use (not consulted here)
     * @param z2                  whether SSL client authentication already occurred
     * @return the context to send, or {@code null} when nothing needs to be sent
     */
    private SecurityContext sendUsernameAndPassword(ComponentInvocation componentInvocation, boolean z, boolean z2) throws SecurityMechanismException {
        if (this.mechanism == null) {
            return null;
        }
        boolean asLayerRequiresClientTrust = isSet(this.mechanism.as_context_mech.target_requires, 64);
        boolean mechRequiresClientTrust = isSet(this.mechanism.target_requires, 64);
        boolean mustSend = asLayerRequiresClientTrust || (mechRequiresClientTrust && !z2);
        if (!mustSend) {
            return null;
        }
        SecurityContext ctx = getUsernameAndPassword(componentInvocation);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Sending Username/Password");
        }
        return ctx;
    }

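    /**
     * Chooses how to propagate the caller identity for the selected mechanism.
     *
     * <p>Precedence: a required username/password (AS layer, bit 64) wins; otherwise
     * identity assertion (SAS layer, bit 1024 = IdentityAssertion); otherwise a
     * username/password is sent only if the target supports it and {@code z} is set.
     *
     * @param z                   whether SSL client authentication occurred over SSL
     * @param componentInvocation the current invocation
     * @return the context to propagate, or {@code null} when nothing applies
     * @throws SecurityMechanismException   when the target requires a password but none
     *                                      is available (e.g. run-as identity)
     * @throws InvalidIdentityTokenException when the target accepts no identity token type
     * @throws InvalidMechanismException     when the target's naming mechanism is unsupported
     */
    private SecurityContext propagateIdentity(boolean z, ComponentInvocation componentInvocation) throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
        if (this.mechanism == null) {
            return null;
        }
        AS_ContextSec asContext = this.mechanism.as_context_mech;
        SAS_ContextSec sasContext = this.mechanism.sas_context_mech;
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, new StringBuffer().append("SAS CONTEXT's target_requires=").append((int) sasContext.target_requires).toString());
            _logger.log(Level.FINE, new StringBuffer().append("SAS CONTEXT's target_supports=").append((int) sasContext.target_supports).toString());
        }
        if (isSet(asContext.target_requires, 64)) {
            SecurityContext identity = getUsernameAndPassword(componentInvocation);
            // getUsernameAndPassword returns null on lookup failure; treat that like "no credential"
            // instead of dereferencing it.
            if (identity == null || identity.authcls == null) {
                String msg = localStrings.getLocalString("securitymechansimselector.runas_cannot_propagate_username_password", "Cannot propagate username/password required by target when using run as identity");
                _logger.log(Level.SEVERE, "iiop.runas_error", msg);
                throw new SecurityMechanismException(msg);
            }
            return identity;
        }
        if (isSet(sasContext.target_supports, 1024) || isSet(sasContext.target_requires, 1024)) {
            if (!isIdentityTypeSupported(sasContext)) {
                throw new InvalidIdentityTokenException(localStrings.getLocalString("securitymechanismselector.invalid_identity_type", "The given identity token is unsupported."));
            }
            // Exact equality: the naming mechanism is only validated when IdentityAssertion is the
            // sole supported option (kept from the original logic).
            if (sasContext.target_supports == 1024 && !isMechanismSupported(sasContext)) {
                String msg = localStrings.getLocalString("securitymechanismselector.invalid_mechanism", "The given mechanism type is unsupported.");
                _logger.log(Level.SEVERE, "iiop.unsupported_type_error", msg);
                throw new InvalidMechanismException(msg);
            }
            return getIdentity();
        }
        if (!isSet(asContext.target_supports, 64) || !z) {
            return null;
        }
        SecurityContext identity = getUsernameAndPassword(componentInvocation);
        if (identity == null || identity.authcls == null) {
            return null;
        }
        return identity;
    }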

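    /**
     * Reports whether the peer of the current client connection is in the configured
     * trusted-host list. A single {@code "*"} entry trusts every host.
     *
     * @return {@code false} when no list is configured, when there is no client
     *         connection context or socket, or when the peer does not match
     */
    private boolean isServerTrusted() {
        String[] trustedHosts = serverTrustedHosts;
        if (trustedHosts == null) {
            // Field is initialised to null; without configuration nothing is trusted.
            return false;
        }
        for (int i = 0; i < trustedHosts.length; i++) {
            if ("*".equals(trustedHosts[i])) {
                return true;
            }
        }
        ConnectionContext connCtx = getClientConnectionContext();
        if (connCtx == null || connCtx.getSocket() == null) {
            return false;
        }
        return isDomainInTrustedList(connCtx.getSocket().getInetAddress(), trustedHosts);
    }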

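    /**
     * Matches the peer's host name against a list of dotted patterns.
     *
     * <p>A pattern matches when it has the same number of labels as the host name and
     * each label is equal or is {@code "*"} (a wildcard spans one label only). The
     * host name is obtained by reverse lookup of {@code inetAddress}, so the result is
     * only as trustworthy as the resolver answering that lookup.
     *
     * @param inetAddress the peer address; {@code null} never matches
     * @param strArr      the trusted patterns; {@code null} never matches
     * @return {@code true} if any pattern matches, {@code false} otherwise or if the
     *         lookup fails (logged at SEVERE)
     */
    private boolean isDomainInTrustedList(InetAddress inetAddress, String[] strArr) throws SecurityException {
        if (inetAddress == null || strArr == null) {
            return false;
        }
        try {
            String hostName = inetAddress.getHostName();
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, new StringBuffer().append(" Verifying if domain address =").append(inetAddress.toString()).append(" is in the Trusted list ").toString());
                _logger.log(Level.FINE, new StringBuffer().append(" the domain name is = ").append(hostName).toString());
            }
            String[] hostLabels = TypeUtil.stringToArray(hostName, ".");
            for (int i = 0; i < strArr.length; i++) {
                String[] patternLabels = TypeUtil.stringToArray(strArr[i], ".");
                if (labelsMatch(patternLabels, hostLabels)) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.domain_lookup_failed", inetAddress.getHostAddress());
            return false;
        }
    }

    /**
     * Label-by-label comparison of one pattern against the host name. Empty arrays never
     * match, which preserves the original behaviour for degenerate names.
     */
    private static boolean labelsMatch(String[] patternLabels, String[] hostLabels) {
        if (patternLabels.length == 0 || patternLabels.length != hostLabels.length) {
            return false;
        }
        // Compare from the top-level label downwards, as the original did.
        for (int i = patternLabels.length - 1; i >= 0; i--) {
            if (!"*".equals(patternLabels[i]) && !patternLabels[i].equals(hostLabels[i])) {
                return false;
            }
        }
        return true;
    }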

    /**
     * Builds a username/password security context from the caller's subject.
     *
     * <p>The subject comes from the client security context (no invocation), from the
     * app-client login (AppContainer invocation), or from the server security current.
     * When the subject has private credentials, each is treated as a
     * {@link PasswordCredential} and given the target's GSSUP realm; otherwise the
     * context is marked as run-as (no {@code authcls}).
     *
     * @param componentInvocation the current invocation, or {@code null}
     * @return the populated context, or {@code null} if no client context exists or any
     *         failure occurs (logged at SEVERE)
     */
    private SecurityContext getUsernameAndPassword(ComponentInvocation componentInvocation) throws SecurityMechanismException {
        try {
            final Subject subject;
            if (componentInvocation == null) {
                ClientSecurityContext clientCtx = ClientSecurityContext.getCurrent();
                if (clientCtx == null) {
                    return null;
                }
                subject = clientCtx.getSubject();
                if (_logger.isLoggable(Level.FINE)) {
                    // NOTE(review): Subject.toString() can render private credentials; confirm this
                    // FINE line cannot echo a password into the log.
                    _logger.log(Level.FINE, "SUBJECT:" + subject);
                }
            } else if (componentInvocation.getContainerContext() instanceof AppContainer) {
                ClientSecurityContext clientCtx = ClientSecurityContext.getCurrent();
                if (clientCtx == null) {
                    // 1 is the login type passed to doClientLogin -- TODO confirm its meaning.
                    subject = LoginContextDriver.doClientLogin(1, AppContainer.getCallbackHandler());
                } else {
                    subject = clientCtx.getSubject();
                }
            } else {
                subject = getSubjectFromSecurityCurrent();
            }

            SecurityContext result = new SecurityContext();
            result.subject = subject;
            Set privateCreds = (Set) AccessController.doPrivileged(new PrivilegedAction() {
                @Override // java.security.PrivilegedAction
                public Object run() {
                    return subject.getPrivateCredentials();
                }
            });

            if (privateCreds.isEmpty()) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.log(Level.FINE, "no private credential run as mode");
                }
                // Run-as: no authentication credential, identity carried as a GSSUP name.
                result.authcls = null;
                result.identcls = GSSUPName.class;
            } else {
                // Realm name is decoded with the platform default charset (kept as in the original).
                final String realmName = new String(GSSUtils.importName(GSSUtils.GSSUP_MECH_OID, this.mechanism.as_context_mech.target_name));
                for (final Iterator it = privateCreds.iterator(); it.hasNext();) {
                    AccessController.doPrivileged(new PrivilegedAction() {
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            ((PasswordCredential) it.next()).setRealm(realmName);
                            return null;
                        }
                    });
                }
                result.authcls = PasswordCredential.class;
            }
            return result;
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.user_password_exception", (Throwable) e);
            return null;
        }
    }

    /**
     * Builds an identity-assertion context from the security current.
     *
     * <p>Cases, in order: no security current or server-generated credentials yields an
     * anonymous identity; exactly one {@link PasswordCredential} yields a GSSUP name
     * built from its user and realm; otherwise the single public credential decides
     * the identity class (GSSUP name, X.500 name, or X.509 certificate credential).
     *
     * @return the context, or {@code null} when the subject does not carry exactly one
     *         public credential (logged at SEVERE)
     * @throws SecurityMechanismException if no subject can be obtained from the security current
     */
    private SecurityContext getIdentity() throws SecurityMechanismException {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Getting PRINCIPAL/DN from TLS");
        }
        final SecurityContext result = new SecurityContext();
        com.sun.enterprise.security.SecurityContext current = com.sun.enterprise.security.SecurityContext.getCurrent();

        if (current == null || current.didServerGenerateCredentials()) {
            // Nothing authenticated on this side: assert an anonymous identity.
            result.identcls = AnonCredential.class;
            AccessController.doPrivileged(new PrivilegedAction() {
                @Override // java.security.PrivilegedAction
                public Object run() {
                    result.subject = new Subject();
                    result.subject.getPublicCredentials().add(new AnonCredential());
                    return null;
                }
            });
            return result;
        }

        final Subject callerSubject = getSubjectFromSecurityCurrent();
        result.subject = callerSubject;
        final Set passwordCreds = (Set) AccessController.doPrivileged(new PrivilegedAction() {
            @Override // java.security.PrivilegedAction
            public Object run() {
                return callerSubject.getPrivateCredentials(PasswordCredential.class);
            }
        });

        if (passwordCreds.size() == 1) {
            // Assert only the user/realm pair; the password itself never leaves the subject.
            result.identcls = GSSUPName.class;
            result.subject = (Subject) AccessController.doPrivileged(new PrivilegedAction() {
                @Override // java.security.PrivilegedAction
                public Object run() {
                    PasswordCredential pc = (PasswordCredential) passwordCreds.iterator().next();
                    Subject asserted = new Subject();
                    asserted.getPublicCredentials().add(new GSSUPName(pc.getUser(), pc.getRealm()));
                    return asserted;
                }
            });
            return result;
        }

        Set<Object> publicCreds = callerSubject.getPublicCredentials();
        if (publicCreds.size() != 1) {
            _logger.log(Level.SEVERE, "iiop.principal_error");
            return null;
        }
        Iterator<Object> it = publicCreds.iterator();
        if (!it.hasNext()) {
            // Defensive: cannot normally happen once size() == 1 has been established.
            _logger.log(Level.SEVERE, "iiop.credential_error");
            return null;
        }
        Object credential = it.next();
        if (credential instanceof GSSUPName) {
            result.identcls = GSSUPName.class;
        } else if (credential instanceof X500Name) {
            result.identcls = X500Name.class;
        } else {
            result.identcls = com.sun.enterprise.security.auth.login.X509CertificateCredential.class;
        }
        return result;
    }

    /**
     * Returns the subject of the server security current, initialising a default
     * (guest) current when none is set.
     *
     * @throws SecurityMechanismException if no security current can be obtained or it
     *                                    carries no subject
     */
    private Subject getSubjectFromSecurityCurrent() throws SecurityMechanismException {
        com.sun.enterprise.security.SecurityContext current = com.sun.enterprise.security.SecurityContext.getCurrent();
        if (current == null) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, " SETTING GUEST ---");
            }
            current = com.sun.enterprise.security.SecurityContext.init();
            if (current == null) {
                throw new SecurityMechanismException("Could not find  security information");
            }
        }
        Subject subject = current.getSubject();
        if (subject == null) {
            throw new SecurityMechanismException("Could not find  subject information in the security context.");
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Subject in security current:" + subject);
        }
        return subject;
    }

    /**
     * Selects the first usable compound security mechanism advertised by {@code ior}.
     *
     * @return the chosen mechanism, or {@code null} if the IOR advertises none
     * @throws SecurityMechanismException if none of the advertised mechanisms is usable
     */
    public CompoundSecMech selectSecurityMechanism(IOR ior) throws SecurityMechanismException {
        CompoundSecMech[] candidates = this.ctc.getSecurityMechanisms(ior);
        return selectSecurityMechanism(candidates);
    }

    /**
     * Returns the first mechanism in {@code compoundSecMechArr} that {@link #useMechanism}
     * accepts.
     *
     * @return the chosen mechanism, or {@code null} for a null or empty array
     * @throws SecurityMechanismException if no mechanism is acceptable
     */
    private CompoundSecMech selectSecurityMechanism(CompoundSecMech[] compoundSecMechArr) throws SecurityMechanismException {
        if (compoundSecMechArr == null || compoundSecMechArr.length == 0) {
            return null;
        }
        for (int i = 0; i < compoundSecMechArr.length; i++) {
            CompoundSecMech candidate = compoundSecMechArr[i];
            if (useMechanism(candidate)) {
                return candidate;
            }
        }
        throw new SecurityMechanismException("Cannot use any of the  target's supported mechanisms");
    }

    /**
     * A mechanism is usable unless its TLS transport requires a client certificate
     * (bit 64 = EstablishTrustInClient) and this side has no key to present.
     */
    private boolean useMechanism(CompoundSecMech compoundSecMech) {
        TLS_SEC_TRANS tlsInfo = this.ctc.getSSLInformation(compoundSecMech);
        if (tlsInfo == null) {
            return true;
        }
        // isKeyAvailable() is only consulted when client trust is actually required.
        return !isSet(tlsInfo.target_requires, 64) || SSLUtils.isKeyAvailable();
    }

    /**
     * Returns the GSS target name recorded on the subject's single
     * {@link PasswordCredential}.
     *
     * @return the credential's target name when exactly one password credential exists,
     *         otherwise an empty array
     */
    private byte[] getTargetName(final Subject subject) {
        final Set passwordCreds = (Set) AccessController.doPrivileged(new PrivilegedAction() {
            @Override // java.security.PrivilegedAction
            public Object run() {
                return subject.getPrivateCredentials(PasswordCredential.class);
            }
        });
        if (passwordCreds.size() != 1) {
            return new byte[0];
        }
        return (byte[]) AccessController.doPrivileged(new PrivilegedAction() {
            @Override // java.security.PrivilegedAction
            public Object run() {
                PasswordCredential pc = (PasswordCredential) passwordCreds.iterator().next();
                return pc.getTargetName();
            }
        });
    }

    /**
     * Server-side check that the transport actually used by a client conforms to one
     * IOR configuration descriptor.
     *
     * <p>Bits: 2 = Integrity, 4 = Confidentiality, 64 = EstablishTrustInClient.
     *
     * @param ejbIORConfigurationDescriptor the descriptor to check against
     * @param z                             whether the client connected over SSL
     * @param x509CertificateArr            the client certificate chain, or {@code null}
     */
    private boolean evaluate_client_conformance_ssl(EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor, boolean z, X509Certificate[] x509CertificateArr) {
        int required = this.ctc.getTargetRequires(ejbIORConfigurationDescriptor);
        int supported = this.ctc.getTargetSupports(ejbIORConfigurationDescriptor);
        boolean requiresProtection = isSet(required, 2) || isSet(required, 4) || isSet(required, 64);
        boolean supportsAnything = supported != 0;

        // SSL used but neither required nor supported, or SSL not used but required: reject.
        boolean transportMismatch = z ? (!requiresProtection && !supportsAnything) : requiresProtection;
        if (transportMismatch) {
            return false;
        }
        if (x509CertificateArr == null) {
            return !isSet(required, 64);
        }
        return isSet(required, 64) || isSet(supported, 64);
    }

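    /**
     * Server-side check that the client's AS-layer (username/password) context
     * conforms to one IOR configuration descriptor.
     *
     * <p>Without an authenticated client the descriptor must not require client
     * trust (bit 64). With one, the descriptor must require or support it and the
     * client's GSS target name must equal the descriptor's.
     *
     * @return {@code false} on any mismatch, when no AS context can be built, or on an
     *         exception (logged at SEVERE)
     */
    private boolean evaluate_client_conformance_ascontext(SecurityContext securityContext, EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor) {
        try {
            AS_ContextSec asContext = this.ctc.createASContextSec(ejbIORConfigurationDescriptor);
            if (asContext == null) {
                return false;
            }
            boolean clientAuthenticated = securityContext != null
                    && securityContext.authcls != null
                    && securityContext.subject != null;
            if (!clientAuthenticated) {
                return !isSet(asContext.target_requires, 64);
            }
            if (!isSet(asContext.target_requires, 64) && !isSet(asContext.target_supports, 64)) {
                return false;
            }
            byte[] clientTargetName = getTargetName(securityContext.subject);
            if (asContext.target_name == null || clientTargetName == null) {
                // A missing name on either side cannot match (the original surfaced this as an NPE).
                return false;
            }
            return Arrays.equals(asContext.target_name, clientTargetName);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createcontextsec_exception", (Throwable) e);
            return false;
        }
    }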

    /**
     * Server-side check that the client's SAS-layer (identity assertion) context
     * conforms to one IOR configuration descriptor: an asserted identity is accepted
     * only if the descriptor supports IdentityAssertion (bit 1024).
     *
     * @return {@code false} when no SAS context can be built or on an exception
     *         (logged at SEVERE)
     */
    private boolean evaluate_client_conformance_sascontext(SecurityContext securityContext, EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor) {
        try {
            SAS_ContextSec sasContext = this.ctc.createSASContextSec(ejbIORConfigurationDescriptor);
            if (sasContext == null) {
                return false;
            }
            boolean identityAsserted = securityContext != null
                    && securityContext.identcls != null
                    && securityContext.subject != null;
            if (!identityAsserted) {
                return true;
            }
            return isSet(sasContext.target_supports, 1024);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createcontextsec_exception", (Throwable) e);
            return false;
        }
    }

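    /**
     * Decides whether the calling client satisfies at least one of the IOR
     * security configurations that apply to the target object.
     * <p>
     * Conformance is "any-of": as soon as one descriptor accepts the client
     * (SSL, AS and SAS checks all pass) the method returns {@code true}. A
     * descriptor that imposes no requirements at all (see
     * {@code skip_client_conformance}) accepts every client, so it now returns
     * {@code true} immediately as well. Previously it only set a flag that a
     * later descriptor in the same (unordered) set could clear again, so the
     * verdict depended on the set's iteration order.
     * <p>
     * The method is deliberately lenient when there is nothing to check: a
     * null object id, an unavailable protocol manager or an empty descriptor
     * set all yield {@code true}. NOTE(review): those paths are fail-open;
     * confirm that callers cannot reach them with an untrusted request.
     *
     * @param securityContext client context from the request; may be null
     * @param bArr object id of the target; null means there is no target to look up
     * @param z true if the request arrived over an SSL socket
     * @param x509CertificateArr the client's certificate chain, or null if none
     * @return true if the client conforms to some applicable descriptor
     */
    private boolean evaluate_client_conformance(SecurityContext securityContext, byte[] bArr, boolean z, X509Certificate[] x509CertificateArr) {
        if (bArr == null) {
            return true;
        }
        if (protocolMgr == null) {
            protocolMgr = (POAProtocolMgr) Switch.getSwitch().getProtocolManager();
        }
        if (protocolMgr == null) {
            return true;
        }
        EjbDescriptor ejbDescriptor = protocolMgr.getEjbDescriptor(bArr);
        // Plain CORBA objects (no EJB descriptor) fall back to the ORB-wide defaults.
        Set<EjbIORConfigurationDescriptor> descriptors = ejbDescriptor != null
                ? ejbDescriptor.getIORConfigurationDescriptors()
                : corbaIORDescSet;
        if (descriptors.isEmpty()) {
            return true;
        }
        for (EjbIORConfigurationDescriptor descriptor : descriptors) {
            if (skip_client_conformance(descriptor)) {
                // This mechanism requires nothing of the client: it conforms.
                return true;
            }
            if (!evaluate_client_conformance_ssl(descriptor, z, x509CertificateArr)) {
                continue;
            }
            if (!evaluate_client_conformance_ascontext(securityContext, descriptor)) {
                continue;
            }
            if (evaluate_client_conformance_sascontext(securityContext, descriptor)) {
                return true;
            }
        }
        // Every configured mechanism rejected the client.
        return false;
    }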

    /**
     * True when a descriptor imposes no requirement on the client at all:
     * integrity, confidentiality, establish-trust-in-client and caller
     * propagation are all "NONE" (case-insensitive) and no authentication
     * method is required. A null descriptor is never skippable.
     *
     * @param ejbIORConfigurationDescriptor the descriptor to inspect; may be null
     * @return true if conformance checks can be skipped for this descriptor
     */
    private boolean skip_client_conformance(EjbIORConfigurationDescriptor ejbIORConfigurationDescriptor) {
        if (ejbIORConfigurationDescriptor == null) {
            return false;
        }
        final String none = "NONE";
        // Same getter order as before so short-circuiting is unchanged.
        if (!none.equalsIgnoreCase(ejbIORConfigurationDescriptor.getIntegrity())) {
            return false;
        }
        if (!none.equalsIgnoreCase(ejbIORConfigurationDescriptor.getConfidentiality())) {
            return false;
        }
        if (!none.equalsIgnoreCase(ejbIORConfigurationDescriptor.getEstablishTrustInClient())) {
            return false;
        }
        if (ejbIORConfigurationDescriptor.isAuthMethodRequired()) {
            return false;
        }
        return none.equalsIgnoreCase(ejbIORConfigurationDescriptor.getCallerPropagation());
    }

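    /**
     * Establishes the effective security context for an incoming request
     * after inspecting the server-side transport.
     * <p>
     * <ol>
     * <li>If the connection socket is an {@link SSLSocket}, note that SSL is
     *     in use and try to read the peer certificate chain; a peer that did
     *     not present a certificate leaves the chain null (logged at FINE).</li>
     * <li>With neither a socket nor a propagated context, return null.</li>
     * <li>Throw {@link SecurityMechanismException} if the client does not
     *     conform to the applicable IOR security configuration.</li>
     * <li>No propagated context: if SSL client authentication produced a
     *     chain, the identity is the subject DN of the leaf certificate
     *     ({@code identcls = X500Name}, {@code authcls = null}); otherwise null.</li>
     * <li>Propagated context: keep exactly one of {@code identcls} /
     *     {@code authcls}, preferring the asserted identity; with neither,
     *     the caller is {@code AnonCredential}.</li>
     * </ol>
     * Change: an empty array from {@code getPeerCertificates()} is treated
     * like no certificate, so the leaf lookup cannot throw
     * ArrayIndexOutOfBoundsException and the conformance check sees the same
     * "no certificate" state.
     *
     * @param securityContext the context carried by the request, or null
     * @param bArr the target object id, passed through to the conformance check
     * @return the effective security context, or null when none applies
     * @throws SecurityMechanismException if the client fails the conformance check
     */
    public SecurityContext evaluateTrust(SecurityContext securityContext, byte[] bArr) throws SecurityMechanismException {
        Socket socket = null;
        boolean sslUsed = false;
        X509Certificate[] peerChain = null;
        ServerConnectionContext connection = getServerConnectionContext();
        if (connection != null) {
            socket = connection.getSocket();
            if (socket instanceof SSLSocket) {
                sslUsed = true;
                peerChain = peerCertificateChain((SSLSocket) socket);
            }
        }
        if (socket == null && securityContext == null) {
            // Neither a transport nor a propagated context: nothing to evaluate.
            return null;
        }
        if (!evaluate_client_conformance(securityContext, bArr, sslUsed, peerChain)) {
            throw new SecurityMechanismException("Trust evaluation failed because "
                    + "client does not conform to configured security policies");
        }
        if (securityContext == null) {
            if (socket == null || !sslUsed || peerChain == null) {
                return null;
            }
            return contextFromPeerCertificate(peerChain[0]);
        }
        selectSinglePrincipalClass(securityContext);
        return securityContext;
    }

    /**
     * Reads the peer's certificate chain from an established SSL session.
     * Returns null when the peer did not authenticate (the session throws),
     * when the chain is not an X509Certificate[] (the cast throws), or when
     * the returned array is empty; failures are logged at FINE only.
     */
    private X509Certificate[] peerCertificateChain(SSLSocket sslSocket) {
        X509Certificate[] chain = null;
        try {
            chain = (X509Certificate[]) sslSocket.getSession().getPeerCertificates();
        } catch (Exception e) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "iiop.cannot_get_peercert", (Throwable) e);
            }
        }
        if (chain != null && chain.length == 0) {
            // An empty chain carries no identity; report it as absent.
            return null;
        }
        return chain;
    }

    /**
     * Builds a context for a client identified only by its SSL client
     * certificate: the subject DN becomes a public credential and the
     * identity class is X500Name; no authentication class is set.
     * NOTE(review): the cast to sun.security.x509.X500Name assumes the JDK's
     * own X509 implementation; another provider would throw ClassCastException
     * here, as it would have in the original code.
     */
    private SecurityContext contextFromPeerCertificate(X509Certificate leaf) {
        X500Name subjectDN = (X500Name) leaf.getSubjectDN();
        SecurityContext certContext = new SecurityContext();
        certContext.subject = new Subject();
        certContext.subject.getPublicCredentials().add(subjectDN);
        certContext.identcls = x500NameClass();
        certContext.authcls = null;
        return certContext;
    }

    /**
     * Leaves exactly one principal class on a propagated context: an asserted
     * identity ({@code identcls}) wins over an authentication credential
     * ({@code authcls}); with neither, the caller is AnonCredential.
     */
    private void selectSinglePrincipalClass(SecurityContext securityContext) {
        Class authClass = securityContext.authcls;
        Class identityClass = securityContext.identcls;
        securityContext.authcls = null;
        securityContext.identcls = null;
        if (identityClass != null) {
            securityContext.identcls = identityClass;
        } else if (authClass != null) {
            securityContext.authcls = authClass;
        } else {
            securityContext.identcls = anonCredentialClass();
        }
    }

    /** Cached class literal for sun.security.x509.X500Name (javac class$ idiom). */
    private static Class x500NameClass() {
        Class cls = class$sun$security$x509$X500Name;
        if (cls == null) {
            cls = class$("sun.security.x509.X500Name");
            class$sun$security$x509$X500Name = cls;
        }
        return cls;
    }

    /** Cached class literal for AnonCredential (javac class$ idiom). */
    private static Class anonCredentialClass() {
        Class cls = class$com$sun$enterprise$iiop$security$AnonCredential;
        if (cls == null) {
            cls = class$("com.sun.enterprise.iiop.security.AnonCredential");
            class$com$sun$enterprise$iiop$security$AnonCredential = cls;
        }
        return cls;
    }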

    /**
     * True if every bit of the mask {@code i2} is set in {@code i}.
     * Used for the CSIv2 association-option bit tests (e.g. 0x40, 0x400).
     *
     * @param i the option word to test
     * @param i2 the bit mask that must be fully present
     * @return true if {@code i} contains all bits of {@code i2}
     */
    private boolean isSet(int i, int i2) {
        // The mask bits missing from i are exactly (i2 & ~i).
        return (i2 & ~i) == 0;
    }

    /**
     * Loads a class by name, turning ClassNotFoundException into the
     * unchecked NoClassDefFoundError with the original exception as cause.
     * This is the helper old javac versions emit for {@code Foo.class} literals.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException missing) {
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(missing);
            throw error;
        }
    }

    /*
     * Class initialisation: logger, localised strings, and the ORB-wide
     * default IOR security descriptors used when a target has no EJB
     * descriptor of its own (see corbaIORDescSet).
     *
     * Three ORB system properties drive the defaults; each is "on" only when
     * its value is exactly "true" (case-sensitive):
     *   ORB_SSL_CLIENT_REQUIRED  -> sslRequired
     *   ORB_SSL_SERVER_REQUIRED  -> integrity and confidentiality REQUIRED
     *                               on both default descriptors
     *   ORB_CLIENT_AUTH_REQUIRED -> first descriptor requires
     *                               establish-trust-in-client; a second
     *                               descriptor requiring an auth method is
     *                               added as an alternative mechanism
     *
     * NOTE(review): if reading a property throws (e.g. SecurityException)
     * before corbaIORDescSet is assigned, it stays null and later conformance
     * checks fail with a NullPointerException rather than allowing access.
     */
    static {
        _logger = LogDomains.getLogger(LogDomains.CORBA_LOGGER);
        corbaIORDescSet = null;
        sslRequired = false;
        Class interceptorClass = class$com$sun$enterprise$iiop$security$SecServerRequestInterceptor;
        if (interceptorClass == null) {
            interceptorClass = class$("com.sun.enterprise.iiop.security.SecServerRequestInterceptor");
            class$com$sun$enterprise$iiop$security$SecServerRequestInterceptor = interceptorClass;
        }
        localStrings = new LocalStringManagerImpl(interceptorClass);
        protocolMgr = null;
        try {
            sslRequired = "true".equals(System.getProperty(ORBManager.ORB_SSL_CLIENT_REQUIRED));
            corbaIORDescSet = new HashSet();
            EjbIORConfigurationDescriptor transportDesc = new EjbIORConfigurationDescriptor();
            EjbIORConfigurationDescriptor authMethodDesc = new EjbIORConfigurationDescriptor();
            if ("true".equals(System.getProperty(ORBManager.ORB_SSL_SERVER_REQUIRED))) {
                transportDesc.setIntegrity(EjbIORConfigurationDescriptor.REQUIRED);
                transportDesc.setConfidentiality(EjbIORConfigurationDescriptor.REQUIRED);
                authMethodDesc.setIntegrity(EjbIORConfigurationDescriptor.REQUIRED);
                authMethodDesc.setConfidentiality(EjbIORConfigurationDescriptor.REQUIRED);
            }
            if ("true".equals(System.getProperty(ORBManager.ORB_CLIENT_AUTH_REQUIRED))) {
                transportDesc.setEstablishTrustInClient(EjbIORConfigurationDescriptor.REQUIRED);
                authMethodDesc.setAuthMethodRequired(true);
                corbaIORDescSet.add(authMethodDesc);
            }
            corbaIORDescSet.add(transportDesc);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.Exception", (Throwable) e);
        }
    }
}
