package com.ibm.ISecurityLocalObjectGSSUPImpl;

import com.ibm.CORBA.iiop.ORB;
import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason;
import com.ibm.ISecurityLocalObjectBaseL13Impl.VaultImpl;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2TaggedComponent;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2TaggedComponentHolder;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.ClientSessionKey;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSEncodeDecodeException;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSFactory;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.SessionManager;
import com.ibm.ISecurityUtilityImpl.CSIUtil;
import com.ibm.ISecurityUtilityImpl.MechanismAmbiguityException;
import com.ibm.ISecurityUtilityImpl.MechanismFactory;
import com.ibm.ISecurityUtilityImpl.RealmSecurityName;
import com.ibm.ISecurityUtilityImpl.SecurityMinorCodes;
import com.ibm.ISecurityUtilityImpl.StateofCurrObj;
import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.ISecurityUtilityImpl.VaultConstants;
import com.ibm.ISecurityUtilityImpl.WSSecurityContextFactory;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.security.krb5.wss.util.SoapFault;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSSecurityContext;
import com.ibm.websphere.security.auth.WSSecurityContextException;
import com.ibm.websphere.security.auth.WSSecurityContextResult;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.INTERNAL;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.StringHolder;
import org.omg.CORBA.TypeCodePackage.BadKind;
import org.omg.CSI.AuthorizationElement;
import org.omg.CSI.CompleteEstablishContext;
import org.omg.CSI.ContextError;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.IdentityToken;
import org.omg.GSSUP.GSSUPMechOID;
import org.omg.GSSUP.InitialContextToken;
import org.omg.GSSUP.InitialContextTokenHelper;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ServerRequestInfo;
import org.omg.Security.AuthenticationStatus;
import org.omg.Security.OpaqueHolder;

/* loaded from: input_file:com/ibm/ISecurityLocalObjectGSSUPImpl/SecurityContextImpl.class */
public class SecurityContextImpl extends com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl {
    // Serialization version identifier for this class.
    private static final long serialVersionUID = -1105303684764338362L;
    // Trace component used by every Tr.entry/Tr.debug/Tr.exit call in this class; registered
    // under the "SASRas" trace group. The third argument is presumably the message bundle name.
    private static final TraceComponent tc = Tr.register((Class<?>) SecurityContextImpl.class, "SASRas", "com.ibm.ISecurityL13SupportImpl.sec");
    // NOTE(review): the five fields below are package-private and non-final, so any class in this
    // package can replace the vault or GSS factory an existing context uses. Tighten to private if
    // no sibling class depends on the access.
    // Set from vaultImpl.getORB() by the two-argument constructor only; stays null otherwise.
    ORB orb;
    // Never assigned a non-null value in the visible part of this file.
    Codec codec;
    // The vault passed to the public constructors; source of the GSS factory, session manager and
    // effective policy used by the methods below.
    VaultImpl vault;
    // Never assigned a non-null value in the visible part of this file, yet csi_initialize copies
    // it into _mechanismType on success. NOTE(review): confirm where it is populated.
    String mechType;
    // GSS token encoder/decoder for the GSSUP mechanism; fetched in the two-argument constructor
    // and lazily re-fetched from the vault where a method finds it null.
    GSSFactory _gFactory;

    /**
     * Creates an empty context with every local field cleared.
     *
     * <p>Private, so code outside this class must use one of the constructors that take a vault.
     */
    private SecurityContextImpl() {
        super();
        this._gFactory = null;
        this.mechType = null;
        this.vault = null;
        this.codec = null;
        this.orb = null;
    }

    /**
     * Creates a GSSUP security context bound to the given vault.
     *
     * <p>When {@code vaultImpl} is non-null this caches the vault, its ORB and its GSSUP
     * {@link GSSFactory}, and asks the vault's {@link MechanismFactory} (if any) for the mechanism
     * type identity. A {@link MechanismAmbiguityException} is logged to FFDC and trace and then
     * dropped, which leaves {@code _mechanismType} at whatever the superclass constructor set.
     *
     * @param vaultImpl vault that supplies the ORB, GSS factory and mechanism factory; may be null,
     *                  in which case every local field stays null
     * @param str       passed unchanged to the superclass constructor
     */
    public SecurityContextImpl(VaultImpl vaultImpl, String str) {
        super(vaultImpl, str);
        this.orb = null;
        this.codec = null;
        this.vault = null;
        this.mechType = null;
        this._gFactory = null;
        if (vaultImpl == null) {
            // Nothing to bind to; later lazy _gFactory look-ups would dereference a null vault.
            return;
        }
        this.vault = vaultImpl;
        this.orb = vaultImpl.getORB();
        final MechanismFactory mechFactory = vaultImpl.getMechanismFactory();
        this._gFactory = this.vault.getGSSFactory(GSSUPMechOID.value);
        if (mechFactory == null) {
            return;
        }
        try {
            this._mechanismType = mechFactory.getMechanismTypeIdentity();
        } catch (MechanismAmbiguityException ambiguity) {
            // Best effort: record the ambiguity and continue with the inherited mechanism type.
            Manager.Ffdc.log(ambiguity, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.SecurityContextImpl", "157", new Object[]{this});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "MechanismAmbiguityException occurred in getMechanismTypeIdentity.", new Object[]{ambiguity});
            }
        }
    }

    /**
     * Creates a GSSUP security context bound to the given vault without caching the ORB or the
     * GSS factory.
     *
     * <p>Unlike the two-argument constructor, {@code orb} and {@code _gFactory} stay null here;
     * the methods in this class that need {@code _gFactory} fetch it from the vault on first use.
     * A {@link MechanismAmbiguityException} is logged to FFDC and trace and then dropped.
     *
     * @param vaultImpl vault that supplies the mechanism factory; may be null
     * @param str       passed unchanged to the superclass constructor
     * @param str2      not read by this constructor
     */
    public SecurityContextImpl(VaultImpl vaultImpl, String str, String str2) {
        super(vaultImpl, str);
        this.orb = null;
        this.codec = null;
        this.vault = null;
        this.mechType = null;
        this._gFactory = null;
        if (vaultImpl == null) {
            return;
        }
        this.vault = vaultImpl;
        final MechanismFactory mechFactory = vaultImpl.getMechanismFactory();
        if (mechFactory == null) {
            return;
        }
        try {
            this._mechanismType = mechFactory.getMechanismTypeIdentity();
        } catch (MechanismAmbiguityException ambiguity) {
            // Best effort: record the ambiguity and continue with the inherited mechanism type.
            Manager.Ffdc.log(ambiguity, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.SecurityContextImpl", "184", new Object[]{this});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "MechanismAmbiguityException occurred in getMechanismTypeIdentity.", new Object[]{ambiguity});
            }
        }
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:5:0x0038. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:29:0x0248  */
    /* JADX WARN: Removed duplicated region for block: B:8:0x00b8  */
    /*
     * NOTE(review): this body is a decompiler placeholder, not the shipped implementation. The
     * decompiler could not reconstruct the method (599 bytecode instructions, see the dump notice
     * below), so nothing about how a continued client-side context is validated can be concluded
     * from this listing. Any audit of this method has to work from the bytecode or a different
     * decompiler; as written here the method always throws UnsupportedOperationException.
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public synchronized org.omg.Security.AssociationStatus csi_continue_security_context(org.omg.PortableInterceptor.ClientRequestInfo r11, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl r12) {
        /*
            Method dump skipped, instructions count: 599
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_continue_security_context(org.omg.PortableInterceptor.ClientRequestInfo, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl):org.omg.Security.AssociationStatus");
    }

    /**
     * Convenience overload of the five-argument {@code csi_initialize} that supplies no extra
     * login/accept properties.
     *
     * @param bArr               forwarded unchanged
     * @param bArr2              forwarded unchanged
     * @param x509CertificateArr forwarded unchanged
     * @param opaqueHolder       forwarded unchanged
     * @throws WSLoginFailedException if the five-argument overload rejects the authentication
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized void csi_initialize(byte[] bArr, byte[] bArr2, X509Certificate[] x509CertificateArr, OpaqueHolder opaqueHolder) throws WSLoginFailedException {
        // A null property map selects the single-argument acceptSecContext in the token branch.
        csi_initialize(bArr, bArr2, x509CertificateArr, opaqueHolder, (Map) null);
    }

    /* JADX WARN: Finally extract failed */
    /**
     * Authenticates the caller of a CSIv2 request and records the outcome on this context.
     *
     * <p>The branch taken depends on {@code getIdentityName()}:
     * <ul>
     *   <li>{@code VaultConstants.ClientAuthToken}: {@code bArr2} is decoded as a GSS token and
     *       handed to {@code WSSecurityContext.acceptSecContext}.</li>
     *   <li>{@code VaultConstants.ClientCertificate} with a non-null chain: the chain is passed to
     *       {@code ContextManager.login} under the configured
     *       {@code com.ibm.CSI.rmiInboundLoginConfig} login configuration.</li>
     *   <li>A name starting with {@code "ITT"}, or {@code VaultConstants.TransportLayerData} with
     *       non-null {@code bArr2}: identity assertion. {@code bArr2} is decoded to a security name
     *       and logged in by name only, or the server subject is returned without a login when the
     *       thread-local {@code IdentityTokenServerId} flag is set.</li>
     * </ul>
     * Any other combination leaves the subject null and fails with
     * {@link WSLoginFailedException}.
     *
     * <p>On success {@code _contextState} is set to 3, {@code _principalAuthFailReason} to 100 and
     * {@code _clientSubject} to the authenticated subject. On failure {@code _contextState} is set
     * to 4 and the reason/detail fields are filled in. NOTE(review): the numeric codes are not
     * defined in this file; their meaning is inferred from which paths set them.
     *
     * <p>This listing is decompiler output flagged "Finally extract failed": the nested
     * try/finally shapes below are reconstructions and may not match the original source.
     *
     * @param bArr               only passed to the entry trace in this method
     * @param bArr2              GSS token (token branch) or encoded security name (assertion branch)
     * @param x509CertificateArr client certificate chain for the certificate branch; may be null
     * @param opaqueHolder       only passed to the entry trace in this method
     * @param map                extra properties forwarded to acceptSecContext/login; may be null
     * @throws WSLoginFailedException if authentication fails or any other exception is raised
     *                                while authenticating (the original is kept as the cause)
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized void csi_initialize(byte[] bArr, byte[] bArr2, final X509Certificate[] x509CertificateArr, OpaqueHolder opaqueHolder, final Map map) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            // NOTE(review): bArr2 is the raw inbound token. A GSSUP initial context token carries
            // a username and password per the CSIv2 specification, so confirm that Tr.entry does
            // not render byte[] contents into the trace log.
            Tr.entry(tc, "csi_initialize", new Object[]{bArr, bArr2, x509CertificateArr, opaqueHolder, this});
        }
        String str = "";
        // opaqueHolder2 holds the failure detail text, opaqueHolder3 the one-byte failure reason.
        OpaqueHolder opaqueHolder2 = new OpaqueHolder();
        OpaqueHolder opaqueHolder3 = new OpaqueHolder();
        byte[] bArr3 = {100};
        // opaqueHolder3.value aliases bArr3, so later writes to bArr3[0] in the catch blocks are
        // what the outer handlers read back as the failure reason.
        opaqueHolder3.value = bArr3;
        opaqueHolder2.value = StringBytesConversion.getConvertedBytes(str);
        Subject subject = null;
        final ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        final String defaultRealm = contextManagerFactory.getDefaultRealm();
        try {
            if (tc.isDebugEnabled()) {
                str = "Setting identityName: " + getIdentityName();
                Tr.debug(tc, str);
            }
            if (getIdentityName().equals(VaultConstants.ClientAuthToken)) {
                // --- Branch 1: client authentication token ---
                WSSecurityContext wSSecurityContext = null;
                try {
                    try {
                        WSSecurityContext createContext = WSSecurityContextFactory.getInstance().createContext(GSSUPMechOID.value);
                        if (this._gFactory == null) {
                            // The three-argument constructor does not cache the factory.
                            this._gFactory = this.vault.getGSSFactory(GSSUPMechOID.value);
                        }
                        byte[] decodeGSSToken = this._gFactory.decodeGSSToken(bArr2);
                        WSSecurityContextResult acceptSecContext = map == null ? createContext.acceptSecContext(decodeGSSToken) : createContext.acceptSecContext(decodeGSSToken, map);
                        if (acceptSecContext == null || acceptSecContext.getSubject() == null) {
                            // NOTE(review): a null result is not treated as a failure. The caller
                            // is given an unauthenticated subject and the context is marked with
                            // the same state (3) and reason (100) as a successful login, so
                            // downstream authorization must reject unauthenticated subjects.
                            if (tc.isDebugEnabled()) {
                                str = "Subject returned from acceptSecContext is NULL, must be unuathenticated cred.";
                                Tr.debug(tc, str);
                            }
                            subject = SubjectHelper.createUnauthenticatedSubject();
                            this._contextState = 3;
                            this._principalAuthFailReason = (byte) 100;
                            this._clientSubject = subject;
                            this._targetSubject = null;
                            // NOTE(review): mechType is never assigned a non-null value in the
                            // visible code, so this appears to overwrite the mechanism type the
                            // constructor obtained with null. Confirm against the full class.
                            this._mechanismType = this.mechType;
                        } else {
                            subject = acceptSecContext.getSubject();
                            if (acceptSecContext.getFinalToken() != null) {
                                setFinalToken(acceptSecContext.getFinalToken());
                            }
                            this._contextState = 3;
                            this._principalAuthFailReason = (byte) 100;
                            this._clientSubject = subject;
                            this._targetSubject = null;
                            this._mechanismType = this.mechType;
                            if (tc.isDebugEnabled()) {
                                str = "Authentication success";
                                Tr.debug(tc, str);
                            }
                        }
                        opaqueHolder3.value = bArr3;
                        opaqueHolder2.value = StringBytesConversion.getConvertedBytes(str);
                        // Decompiler residue: the condition compares a constant with null, so this
                        // trace call is presumably unreachable.
                        if (null == AuthenticationStatus.SecAuthFailure) {
                            Tr.debug(tc, str);
                        }
                        try {
                            // NOTE(review): as decompiled, dispose() runs only on the non-throwing
                            // path. The empty finally below suggests the original released the
                            // context in a finally block; verify against the bytecode.
                            createContext.dispose();
                        } catch (WSSecurityContextException e) {
                            // A dispose failure is logged but does not fail the authentication.
                            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "496", new Object[]{this});
                            AuthenticationStatus authenticationStatus = AuthenticationStatus.SecAuthFailure;
                            bArr3[0] = (byte) e.getMajor();
                            Tr.debug(tc, "Caught WSSecurityContextException in WSSecurityContext.acceptSecContext(), reason: " + e.toString(), new Object[]{e});
                        }
                    } finally {
                    }
                } catch (WSSecurityContextException e2) {
                    // Record the mechanism's major code as the failure reason, then let the outer
                    // handler convert the exception into WSLoginFailedException.
                    Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "460", new Object[]{this});
                    AuthenticationStatus authenticationStatus2 = AuthenticationStatus.SecAuthFailure;
                    bArr3[0] = (byte) e2.getMajor();
                    Tr.debug(tc, "Caught WSSecurityContextException in WSSecurityContext.acceptSecContext(), reason: " + e2.toString(), new Object[]{e2});
                    throw e2;
                } catch (Exception e3) {
                    // Any other failure is reported with the fixed reason code 13.
                    Manager.Ffdc.log(e3, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "470", new Object[]{this});
                    AuthenticationStatus authenticationStatus3 = AuthenticationStatus.SecAuthFailure;
                    bArr3[0] = 13;
                    Tr.debug(tc, "Caught Java exception in WSSecurityContext.acceptSecContext(), reason: " + e3.toString(), new Object[]{e3});
                    throw e3;
                }
            } else if (getIdentityName().equals(VaultConstants.ClientCertificate) && x509CertificateArr != null) {
                // --- Branch 2: client certificate chain ---
                if (tc.isDebugEnabled()) {
                    // An empty (non-null) chain throws here when debug trace is on; the outer
                    // catch turns that into WSLoginFailedException.
                    Tr.debug(tc, "ClientCertificate == " + x509CertificateArr[0].toString());
                }
                final String identityName = getIdentityName();
                final byte[] identityValue = getIdentityValue();
                try {
                    subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.1
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws WSLoginFailedException, CredentialDestroyedException, CredentialExpiredException {
                            // Certificate login under the configured inbound login configuration.
                            Subject login = contextManagerFactory.login(defaultRealm, x509CertificateArr, SecurityObjectLocator.getCSIv2Config().getString("com.ibm.CSI.rmiInboundLoginConfig"), (HttpServletRequest) null, (HttpServletResponse) null, map);
                            if (login == null) {
                                return null;
                            }
                            // Assumes the first public credential is the WSCredential; an empty
                            // set or a different first element throws and fails the login.
                            WSCredential wSCredential = (WSCredential) login.getPublicCredentials().iterator().next();
                            if (identityName != null) {
                                // Tag the credential with how the identity was presented.
                                wSCredential.set("wssecurity.identity_name", identityName);
                                wSCredential.set("wssecurity.identity_value", identityValue);
                            }
                            return login;
                        }
                    });
                    this._contextState = 3;
                    this._principalAuthFailReason = (byte) 100;
                    this._clientSubject = subject;
                    this._targetSubject = null;
                    this._mechanismType = this.mechType;
                } catch (PrivilegedActionException e4) {
                    // Unwrap so the outer handlers see the real login exception.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception occurred: " + e4.getException().getMessage());
                    }
                    Manager.Ffdc.log(e4.getException(), this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "562", new Object[]{this});
                    throw e4.getException();
                }
            } else if (getIdentityName().startsWith("ITT") || (getIdentityName().equals(VaultConstants.TransportLayerData) && bArr2 != null)) {
                // --- Branch 3: identity assertion ---
                // The asserted name is logged in without any proof of possession. This method does
                // not check that the asserting peer is trusted, so that decision has to be made
                // before this call. NOTE(review): confirm where the trust check is enforced.
                final String convertedString = StringBytesConversion.getConvertedString(bArr2);
                if (convertedString == null || convertedString.length() < 1) {
                    // NOTE(review): unlike every other failure path, this one returns normally
                    // after setting the failed state (4) instead of throwing, so callers must
                    // inspect _contextState rather than rely on an exception.
                    Tr.debug(tc, "IdentityAssertion Security name == NULL.");
                    this._contextState = 4;
                    this._principalAuthFailReason = (byte) 1;
                    this._principalAuthFailDetail = StringBytesConversion.getConvertedBytes("IdentityAssertion Security name == NULL.");
                    return;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IdentityAssertion Security name == " + convertedString);
                }
                final String identityName2 = getIdentityName();
                final byte[] identityValue2 = getIdentityValue();
                PrivilegedExceptionAction privilegedExceptionAction = new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.2
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws WSLoginFailedException, CredentialDestroyedException, CredentialExpiredException {
                        // Login by asserted security name only (no password or token).
                        Subject login = contextManagerFactory.login(defaultRealm, convertedString, SecurityObjectLocator.getCSIv2Config().getString("com.ibm.CSI.rmiInboundLoginConfig"), (HttpServletRequest) null, (HttpServletResponse) null, map);
                        if (login == null) {
                            return null;
                        }
                        WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(login);
                        if (identityName2 != null) {
                            wSCredentialFromSubject.set("wssecurity.identity_name", identityName2);
                            wSCredentialFromSubject.set("wssecurity.identity_value", identityValue2);
                        }
                        return login;
                    }
                };
                StateofCurrObj stateofCurrObj = contextManagerFactory.getThreadLocal().get_state_of_curr_obj();
                try {
                    try {
                        if (stateofCurrObj.getIdentityTokenServerId()) {
                            // The thread-local flag short-circuits the login and hands out the
                            // server's own subject. NOTE(review): whatever sets this flag decides
                            // who runs as the server identity; audit its setters.
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Returning ServerId without login");
                            }
                            subject = contextManagerFactory.getServerSubject();
                        } else {
                            subject = (Subject) AccessController.doPrivileged(privilegedExceptionAction);
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Clearing IdentityTokenServerId on thread");
                        }
                        // Reset the flag so it cannot carry over to the next use of this thread.
                        stateofCurrObj.setIdentityTokenServerId(false);
                    } catch (PrivilegedActionException e5) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception occurred: " + e5.getException().getMessage(), new Object[]{e5.getException()});
                        }
                        Manager.Ffdc.log(e5.getException(), this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "630", new Object[]{this});
                        throw e5.getException();
                    }
                } catch (Throwable th) {
                    // Failure path of the same reset: the flag is cleared before rethrowing. This
                    // is presumably the decompiled form of a finally block.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Clearing IdentityTokenServerId on thread");
                    }
                    stateofCurrObj.setIdentityTokenServerId(false);
                    throw th;
                }
            }
            // Fail closed: an unrecognised identity name, a missing certificate chain, a missing
            // assertion payload, or a login that returned null all end up here with no subject.
            if (subject == null) {
                throw new WSLoginFailedException("Subject is null.  Authentication Failed.");
            }
            this._contextState = 3;
            this._principalAuthFailReason = (byte) 100;
            this._clientSubject = subject;
            this._targetSubject = null;
            this._mechanismType = this.mechType;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication success");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "csi_initialize");
            }
        } catch (WSLoginFailedException e6) {
            // Mark the context failed and publish the reason byte and detail text gathered above
            // before rethrowing unchanged.
            Manager.Ffdc.log(e6, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "679", new Object[]{this});
            this._contextState = 4;
            this._principalAuthFailReason = opaqueHolder3.value[0];
            this._principalAuthFailDetail = opaqueHolder2.value;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, SoapFault.FS_FAIL_AUTH);
            }
            throw e6;
        } catch (Exception e7) {
            // Same bookkeeping for every other exception type, which is then wrapped so callers
            // only ever see WSLoginFailedException (with the original kept as the cause).
            Manager.Ffdc.log(e7, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "695", new Object[]{this});
            this._contextState = 4;
            this._principalAuthFailReason = opaqueHolder3.value[0];
            this._principalAuthFailDetail = opaqueHolder2.value;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, SoapFault.FS_FAIL_AUTH);
            }
            throw new WSLoginFailedException(e7.getMessage(), e7);
        }
    }

    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized boolean csi_client_preprotect(ClientRequestInfo clientRequestInfo, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl securityContextImpl) {
        String str = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "csi_client_preprotect", new Object[]{clientRequestInfo, securityContextImpl, this});
        }
        ServiceContext serviceContext = null;
        StringHolder stringHolder = new StringHolder();
        CSIUtil cSIUtil = new CSIUtil();
        Subject subject = null;
        AuthorizationElement[] authorizationElementArr = {new AuthorizationElement(0, new byte[0])};
        IdentityToken identityToken = securityContextImpl.getIdentityToken();
        CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy = this.vault.get_effective_policy(clientRequestInfo.request_id());
        ClientSessionKey clientSessionKey = cSIv2EffectivePerformPolicy.getClientSessionKey();
        String str2 = "";
        String str3 = "";
        byte[] bArr = null;
        long j = 0;
        SessionManager sessionManager = this.vault.getSessionManager();
        if (cSIv2EffectivePerformPolicy.isStateful()) {
            j = cSIv2EffectivePerformPolicy.getStatefulContextID();
            if (tc.isDebugEnabled()) {
                str = "Effective policy indicates stateful request, client_context_id: " + j;
                Tr.debug(tc, str);
            }
        } else if (tc.isDebugEnabled()) {
            str = "Effective policy indicates stateless request.";
            Tr.debug(tc, str);
        }
        String tokenType = securityContextImpl.getTokenType();
        if (tokenType != null && tokenType.equals(VaultConstants.CLIENTAUTH_ONLY)) {
            if (cSIv2EffectivePerformPolicy != null) {
                str3 = RealmSecurityName.getRealm(cSIv2EffectivePerformPolicy.getTargetSecurityName(), cSIv2EffectivePerformPolicy.getPerformClientAuthMechOID(), cSIv2EffectivePerformPolicy.getTargetAuthMechOID());
                if (str3 == null || str3.equals("")) {
                    str3 = cSIv2EffectivePerformPolicy.getTargetSecurityName();
                }
            }
            if (str3 == null || str3.equals("")) {
                str3 = RealmSecurityName.getRealm(stringHolder.value);
            }
            subject = getClientSubject();
        } else if (tokenType != null && tokenType.equals(VaultConstants.CLIENTAUTH_AND_IDENTITY)) {
            try {
                CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
                String string = cSIv2Config.getString(CSIv2Config.PERFORM_ALTERNATE_INDENTITY_ASSERTION_TRUSTED_ID);
                String string2 = cSIv2Config.getString(CSIv2Config.PERFORM_ALTERNATE_INDENTITY_ASSERTION_TRUSTED_PASSWORD);
                if (string != null && !string.equals("") && string2 != null && !string2.equals("")) {
                    if (tc.isDebugEnabled()) {
                        str = "Alternate ID/Password has been specified.  Sending alternate Userid/Password for trusted identity.";
                        Tr.debug(tc, str);
                    }
                    str2 = string;
                    str3 = ContextManagerFactory.getInstance().getDefaultRealm();
                    subject = SubjectHelper.createBasicAuthSubject(str3, str2, string2);
                } else if (cSIv2Config.getBoolean(CSIv2Config.IS_USE_REGISTRY_SERVERID)) {
                    if (tc.isDebugEnabled()) {
                        str = "Alternate ID/Password is not specified.  Sending server's Userid/Password for trusted identity.";
                        Tr.debug(tc, str);
                    }
                    str2 = cSIv2Config.getString("com.ibm.CORBA.loginUserid");
                    str3 = RealmSecurityName.getRealm(cSIv2Config.getString("com.ibm.CORBA.principalName"));
                    String string3 = cSIv2Config.getString("com.ibm.CORBA.loginPassword");
                    if (string3 == null || string3.equals("")) {
                        if (tc.isDebugEnabled()) {
                            str = "UserRegistry server passowrd is not set and alternate ID/Password is not specified.  Sending server's LTPA token for trusted identity.";
                            Tr.debug(tc, str);
                        }
                        subject = ContextManagerFactory.getInstance().getServerSubject();
                    } else {
                        if (tc.isDebugEnabled()) {
                            str = "Alternate ID/Password is not specified.  Sending server's Userid/Password for trusted identity.";
                            Tr.debug(tc, str);
                        }
                        subject = SubjectHelper.createBasicAuthSubject(str3, str2, string3);
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        str = "UserRegistry server ID is not set and alternate ID/Password is not specified.  Sending server's LTPA token for trusted identity.";
                        Tr.debug(tc, str);
                    }
                    ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
                    str3 = contextManagerFactory.getDefaultRealm();
                    subject = contextManagerFactory.getServerSubject();
                }
                if (tc.isDebugEnabled()) {
                    str = "Forming Client Authentication Token with Server's credentials: username = " + str2 + " realm = " + str3;
                    Tr.debug(tc, str);
                }
            } catch (Exception e) {
                Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_client_preprotect", "872", new Object[]{this});
                if (tc.isDebugEnabled()) {
                    str = "Cannot get server's credentials (userid/password/realm) from security configuration";
                    Tr.debug(tc, str, new Object[]{e});
                }
                if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                    sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
                }
                throw new NO_PERMISSION(str, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
            }
        } else if (tc.isDebugEnabled()) {
            str = "No Client Authentication Token will be put in the request";
            Tr.debug(tc, str);
        }
        if (subject != null) {
            try {
                WSSecurityContext createContext = WSSecurityContextFactory.getInstance().createContext(GSSUPMechOID.value);
                cSIUtil.getCurrent().setWSSecurityContext(createContext);
                byte[] initSecContext = createContext.initSecContext(subject, cSIv2EffectivePerformPolicy.getTargetHostName(), str3);
                if (initSecContext == null) {
                    Tr.debug(tc, "The token returned by initSecContext was null.");
                    if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                        sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
                    }
                    throw new BAD_PARAM("csi_client_preprotect: The token returned by initSecContext was null.", SecurityMinorCodes.GSS_FORMAT_ERROR, CompletionStatus.COMPLETED_NO);
                }
                if (this._gFactory == null) {
                    this._gFactory = this.vault.getGSSFactory(GSSUPMechOID.value);
                }
                bArr = this._gFactory.encodeGSSToken(initSecContext);
                if (WSSecurityPropagationHelper.getInstance().isRMIOutboundPropagationEnabled()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Adding authorization token to the request.");
                    }
                    final Subject subject2 = subject;
                    TokenHolder tokenHolder = null;
                    try {
                        tokenHolder = (TokenHolder) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.3
                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws Exception {
                                Iterator<Object> it = subject2.getPrivateCredentials().iterator();
                                while (it != null && it.hasNext()) {
                                    Object next = it.next();
                                    if ((next instanceof TokenHolder) && ((TokenHolder) next).getName().equals(WSOpaqueTokenHelper.getInstance().getOpaqueTokenName()) && ((TokenHolder) next).getVersion() == WSOpaqueTokenHelper.getInstance().getOpaqueTokenVersion()) {
                                        if (SecurityContextImpl.tc.isDebugEnabled()) {
                                            Tr.debug(SecurityContextImpl.tc, "Returning token holder containing opaque authz token.");
                                        }
                                        return (TokenHolder) next;
                                    }
                                }
                                return null;
                            }
                        });
                    } catch (PrivilegedActionException e2) {
                        Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_client_preprotect", "985", new Object[]{this});
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception getting private/public tokens from Subject.", new Object[]{e2.getException()});
                        }
                    }
                    if (tokenHolder != null) {
                        authorizationElementArr[0] = new AuthorizationElement(SecurityMinorCodes.CSIV2_AUTHZ_TOKEN, tokenHolder.getBytes());
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Didn't find an authz token to propagate.");
                    }
                }
            } catch (WSSecurityContextException e3) {
                Manager.Ffdc.log(e3, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_client_preprotect", "1012", new Object[]{this});
                Tr.debug(tc, "Caught WSSecurityContextException in WSSecurityContext.initSecContext(), reason: " + e3.toString(), new Object[]{e3});
                if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                    sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
                }
                PrincipalAuthFailReason.map_auth_fail_to_minor_code(e3.getMajor(), StringBytesConversion.getConvertedBytes(e3.toString()));
            } catch (Exception e4) {
                Manager.Ffdc.log(e4, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_client_preprotect", "1023", new Object[]{this});
                String str4 = "Caught Java exception in WSSecurityContext.initSecContext(), reason:, " + e4.toString();
                Tr.debug(tc, str4, new Object[]{e4});
                if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                    sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
                }
                throw new INTERNAL(str4, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
            }
        } else if ((tokenType != null && tokenType.equals(VaultConstants.CLIENTAUTH_ONLY)) || (tokenType != null && tokenType.equals(VaultConstants.CLIENTAUTH_AND_IDENTITY) && subject == null)) {
            if (tc.isDebugEnabled()) {
                str = SecurityMessages.getMsgOrUseDefault("JSAS0020W", "JSAS0020W: Unable to get credentials.");
                Tr.debug(tc, str);
            }
            if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
            }
            throw new NO_PERMISSION(str, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
        }
        if (bArr == null) {
            bArr = new byte[0];
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Client Authentication Token is null.");
            }
        }
        EstablishContext establishContext = new EstablishContext(j, authorizationElementArr, identityToken, bArr);
        cSIUtil.print_ec_message(establishContext, "csi_client_preprotect");
        if (establishContext != null) {
            serviceContext = cSIUtil.create_sc_from_ec_message(establishContext);
            if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                sessionManager.csi_client_session_ecmessage_update(j, clientSessionKey, establishContext);
            }
        }
        if (serviceContext != null) {
            clientRequestInfo.add_request_service_context(serviceContext, true);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security context data is " + serviceContext.context_data.length + " bytes in length");
            }
        }
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "csi_client_preprotect", Boolean.TRUE);
        return true;
    }

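    /**
     * Attaches the CSIv2 reply service context to an outgoing server reply.
     *
     * <p>The reply status decides which message is built. The status names below are taken
     * from the trace strings in this method:
     * <ul>
     *   <li>0 (SUCCESSFUL), 2 (USER_EXCEPTION), 3 (LOCATION_FORWARD), 4 (TRANSPORT_RETRY):
     *       a CompleteEstablishContext is added, unless the request was a MessageInContext
     *       (message type 5), in which case nothing is added and the method returns early.</li>
     *   <li>1 (SYSTEM_EXCEPTION): a ContextError carrying the serialized root exception is added.</li>
     * </ul>
     * Any other status adds nothing.
     *
     * <p>The early MessageInContext returns do not emit the exit trace; that matches the
     * behaviour this method has always had.
     *
     * @param serverRequestInfo   interceptor view of the reply being sent
     * @param securityContextImpl context whose minor code is copied into a ContextError; may be null
     * @return always {@code true}
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized boolean csi_server_preprotect(ServerRequestInfo serverRequestInfo, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl securityContextImpl) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "csi_server_preprotect", new Object[]{serverRequestInfo, securityContextImpl, this});
        }
        CSIUtil cSIUtil = new CSIUtil();
        long contextId = get_stateful_context_id();
        boolean stateful = false;
        // The session is only claimed as stateful when configuration allows it AND a context id exists.
        if (SecurityObjectLocator.getCSIv2Config().getBoolean(CSIv2Config.CLAIM_STATEFUL) && contextId > 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stateful set to true for CompleteEstablishContext.  ContextID: " + contextId);
            }
            stateful = true;
        }
        switch (serverRequestInfo.reply_status()) {
            case 0:
                if (cSIUtil.get_message_type(serverRequestInfo) == 5) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "SUCCESSFUL reply for MessageInContext.  No service context created for reply per CSIv2 spec.");
                    }
                    return true;
                }
                addCompleteEstablishContextReply(cSIUtil, serverRequestInfo, contextId, stateful);
                break;
            case 1:
                try {
                    // sending_exception() is called even when debug is off, as before.
                    Any systemException = serverRequestInfo.sending_exception();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "A SYSTEM_EXCEPTION occurred: " + systemException.type().id() + ".  Sending ContextError.");
                    }
                } catch (BadKind e) {
                    Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_server_preprotect", "1179", new Object[]{this});
                }
                // NOTE(review): these bytes are sent back to the remote peer inside the ContextError.
                // Confirm what serializeRootException() includes (class names, messages, stack frames)
                // and that disclosing it to an unauthenticated caller is acceptable.
                byte[] serializedRootException = cSIUtil.serializeRootException();
                ContextError contextError;
                if (securityContextImpl == null) {
                    contextError = new ContextError(contextId, 0, 0, serializedRootException);
                } else if (securityContextImpl.get_minor_code() == 1229079304) {
                    // NOTE(review): 1229079304 is a project minor code whose name is not visible here;
                    // it is mapped to major 4 / minor 1 (presumably CSIv2 "No Context" - confirm).
                    contextError = new ContextError(contextId, 4, 1, serializedRootException);
                } else {
                    contextError = new ContextError(contextId, 0, securityContextImpl.get_minor_code(), serializedRootException);
                }
                cSIUtil.print_ce_message(contextError, "csi_server_preprotect");
                ServiceContext errorContext = cSIUtil.create_sc_from_ce_message(contextError);
                if (errorContext != null) {
                    serverRequestInfo.add_reply_service_context(errorContext, true);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Security context data is " + errorContext.context_data.length + " bytes in length");
                    }
                }
                break;
            case 2:
                if (cSIUtil.get_message_type(serverRequestInfo) == 5) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "USER_EXCEPTION reply for MessageInContext.  No service context created for reply per CSIv2 spec.");
                    }
                    return true;
                }
                try {
                    Any userException = serverRequestInfo.sending_exception();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "A USER_EXCEPTION occurred: " + userException.type().id() + ".  Sending CompleteEstablishContext.");
                    }
                } catch (BadKind e2) {
                    Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_server_preprotect", "1241", new Object[]{this});
                }
                addCompleteEstablishContextReply(cSIUtil, serverRequestInfo, contextId, stateful);
                break;
            case 3:
                if (cSIUtil.get_message_type(serverRequestInfo) == 5) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "LOCATION_FORWARD reply for MessageInContext.  No service context created for reply per CSIv2 spec.");
                    }
                    return true;
                }
                addCompleteEstablishContextReply(cSIUtil, serverRequestInfo, contextId, stateful);
                break;
            case 4:
                if (cSIUtil.get_message_type(serverRequestInfo) == 5) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "TRANSPORT_RETRY reply for MessageInContext.  No service context created for reply per CSIv2 spec.");
                    }
                    return true;
                }
                addCompleteEstablishContextReply(cSIUtil, serverRequestInfo, contextId, stateful);
                break;
            default:
                // Unknown reply status: nothing is added to the reply.
                break;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "csi_server_preprotect", Boolean.TRUE);
        }
        return true;
    }

    /**
     * Builds a CompleteEstablishContext from the current final token and adds it to the reply.
     *
     * <p>The final token is read once, so the null check and the value used cannot disagree.
     * A missing token is sent as an empty byte array.
     */
    private void addCompleteEstablishContextReply(CSIUtil cSIUtil, ServerRequestInfo serverRequestInfo, long contextId, boolean stateful) {
        byte[] finalToken = getFinalToken();
        if (finalToken == null) {
            finalToken = new byte[0];
        }
        CompleteEstablishContext completeEstablishContext = new CompleteEstablishContext(contextId, stateful, finalToken);
        cSIUtil.print_cec_message(completeEstablishContext, "csi_server_preprotect");
        ServiceContext replyContext = cSIUtil.create_sc_from_cec_message(completeEstablishContext);
        if (replyContext != null) {
            serverRequestInfo.add_reply_service_context(replyContext, true);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security context data is " + replyContext.context_data.length + " bytes in length");
            }
        }
    }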

    /**
     * Returns the codec held by this context's vault.
     *
     * @return the result of {@code vault.getCodec()}; no null check is made on the vault here
     */
    protected Codec getCodec() {
        final Codec vaultCodec = this.vault.getCodec();
        return vaultCodec;
    }

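    /**
     * Builds the GSSUP initial context token (username, password, target name) for a client request.
     *
     * <p>The username is scoped as {@code user@realm} when both parts are present, {@code user}
     * or {@code @realm} when only one is, and the empty string when neither is. If no realm is
     * supplied it is derived from the decoded target name of the effective policy's AS context.
     *
     * <p>Security notes:
     * <ul>
     *   <li>The password and the encoded token are never written to trace; only a mask and the
     *       token length are. The token carries the username and password bytes, and nothing
     *       visible in this method encrypts them.</li>
     *   <li>NOTE(review): confidentiality of the token on the wire presumably depends on the
     *       transport (e.g. TLS) - confirm at the caller.</li>
     * </ul>
     *
     * @param str               username; may be null or empty
     * @param str2              password; null is sent as an empty password
     * @param str3              realm appended after {@code '@'}; may be null or empty
     * @param clientRequestInfo request whose id selects the effective policy
     * @return the GSS-encoded token bytes
     * @throws BAD_PARAM on any failure. The outer handler re-wraps every exception raised in
     *         the body, including the INTERNAL and BAD_PARAM instances thrown here, as
     *         BAD_PARAM with the GSS_FORMAT_ERROR minor code.
     */
    public byte[] create_gssup_initial_context_token(String str, String str2, String str3, ClientRequestInfo clientRequestInfo) {
        CSIv2TaggedComponentHolder cSIv2TaggedComponent;
        CSIv2TaggedComponent cSIv2TaggedComponent2;
        if (tc.isEntryEnabled()) {
            // str2 is the cleartext password: trace a mask so the value never reaches trace files.
            String maskedPassword = str2 == null ? null : "<masked>";
            Tr.entry(tc, "create_gssup_initial_context_token", new Object[]{str, maskedPassword, str3, clientRequestInfo, this});
        }
        try {
            CSIUtil cSIUtil = new CSIUtil();
            GSSFactory gSSFactory = this.vault.getGSSFactory(GSSUPMechOID.value);
            InitialContextToken initialContextToken = new InitialContextToken();
            String decodedTargetName = null;
            CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy = null;
            if (cSIUtil.getVault() != null) {
                cSIv2EffectivePerformPolicy = cSIUtil.getVault().get_effective_policy(clientRequestInfo.request_id());
            } else if (this.vault != null) {
                cSIv2EffectivePerformPolicy = this.vault.get_effective_policy(clientRequestInfo.request_id());
            }
            if (cSIv2EffectivePerformPolicy != null && (cSIv2TaggedComponent = cSIv2EffectivePerformPolicy.getCSIv2TaggedComponent()) != null && (cSIv2TaggedComponent2 = cSIv2TaggedComponent.value) != null && cSIv2TaggedComponent2.getAS_context_mech_holder() != null && cSIv2TaggedComponent2.getAS_context_mech_holder().value != null) {
                try {
                    initialContextToken.target_name = cSIv2TaggedComponent2.getAS_context_mech_holder().value.target_name;
                    if (initialContextToken.target_name != null) {
                        try {
                            decodedTargetName = gSSFactory.decodeExportedTargetName(initialContextToken.target_name);
                        } catch (GSSEncodeDecodeException e) {
                            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.create_gssup_initial_context_token", "1408", new Object[]{this});
                            throw new BAD_PARAM("  Original exception = " + e, SecurityMinorCodes.GSS_FORMAT_ERROR, CompletionStatus.COMPLETED_NO);
                        }
                    }
                } catch (Exception e2) {
                    Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.create_gssup_initial_context_token", "1392", new Object[]{this});
                    throw new BAD_PARAM("Unable to get target_name from AS_Context.  Original exception = " + e2, SecurityMinorCodes.TAG_COMPONENT_FORMAT_ERROR, CompletionStatus.COMPLETED_NO);
                }
            }
            if (initialContextToken.target_name == null) {
                initialContextToken.target_name = new byte[0];
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Sending NULL target_name in GSSUP token.");
                }
            }
            // No realm from the caller: fall back to the realm of the target name, then to the
            // target name itself.
            if (str3 == null || str3.equals("")) {
                str3 = RealmSecurityName.getRealm(decodedTargetName);
                if (str3 == null || str3.equals("")) {
                    str3 = decodedTargetName;
                }
            }
            boolean hasUser = str != null && !str.equals("");
            boolean hasRealm = str3 != null && !str3.equals("");
            String scopedUsername;
            if (hasUser && hasRealm) {
                scopedUsername = str + "@" + str3;
            } else if (hasUser) {
                scopedUsername = str;
            } else if (hasRealm) {
                scopedUsername = "@" + str3;
            } else {
                scopedUsername = "";
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Scoped username in GSSUP token: " + scopedUsername);
            }
            initialContextToken.username = scopedUsername.getBytes("UTF8");
            if (str2 == null) {
                str2 = "";
            }
            initialContextToken.password = str2.getBytes("UTF8");
            if (this.orb == null && cSIUtil.getVault() != null) {
                this.orb = cSIUtil.getVault().getORB();
            }
            // Checked whether or not a vault was available, so a missing ORB is reported
            // explicitly instead of surfacing as a NullPointerException on create_any().
            if (this.orb == null) {
                throw new INTERNAL("Orb is NULL.", SecurityMinorCodes.NULL_POINTER_EXCEPTION, CompletionStatus.COMPLETED_NO);
            }
            Any create_any = this.orb.create_any();
            if (create_any == null) {
                throw new INTERNAL("Any is NULL.", SecurityMinorCodes.NULL_POINTER_EXCEPTION, CompletionStatus.COMPLETED_NO);
            }
            InitialContextTokenHelper.insert(create_any, initialContextToken);
            try {
                byte[] encodeGSSToken = gSSFactory.encodeGSSToken(getCodec().encode_value(create_any));
                if (tc.isEntryEnabled()) {
                    // The token embeds the credentials; trace its size only, never its bytes.
                    String tokenSummary = encodeGSSToken == null ? "null" : "<GSSUP token, " + encodeGSSToken.length + " bytes>";
                    Tr.exit(tc, "create_gssup_initial_context_token", tokenSummary);
                }
                return encodeGSSToken;
            } catch (Exception e3) {
                Manager.Ffdc.log(e3, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.create_gssup_initial_context_token", "1487", new Object[]{this});
                throw new INTERNAL("Exception getting codec factory and encoding Any.  Original exception: " + e3, SecurityMinorCodes.JAVA_EXCEPTION, CompletionStatus.COMPLETED_NO);
            }
        } catch (Exception e4) {
            // Catches the INTERNAL/BAD_PARAM thrown above as well; callers only ever see BAD_PARAM.
            Manager.Ffdc.log(e4, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.create_gssup_initial_context_token", "1500", new Object[]{this});
            throw new BAD_PARAM("  Original exception = " + e4, SecurityMinorCodes.GSS_FORMAT_ERROR, CompletionStatus.COMPLETED_NO);
        }
    }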
}
