package com.ibm.ISecurityLocalObjectBaseL13Impl;

import com.ibm.CORBA.channel.giop.GIOPConnectionContext;
import com.ibm.CORBA.channel.giop.GIOPMessageContext;
import com.ibm.CORBA.iiop.ExtendedClientRequestInfo;
import com.ibm.CORBA.iiop.IOR;
import com.ibm.CORBA.iiop.ORB;
import com.ibm.CORBA.iiop.Profile;
import com.ibm.CORBA.iiop.ServiceContextList;
import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2TaggedComponent;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.ClientSessionKey;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSFactory;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.OID;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.SecurityExecutionEnvironment;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.SessionEntry;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.SessionManager;
import com.ibm.ISecurityUtilityImpl.CSIUtil;
import com.ibm.ISecurityUtilityImpl.MechanismAmbiguityException;
import com.ibm.ISecurityUtilityImpl.MechanismFactory;
import com.ibm.ISecurityUtilityImpl.ObjectList;
import com.ibm.ISecurityUtilityImpl.RealmSecurityName;
import com.ibm.ISecurityUtilityImpl.SecConstants;
import com.ibm.ISecurityUtilityImpl.SecurityMinorCodes;
import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.ISecurityUtilityImpl.VaultConstants;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.connmgmt.ConnectionHandle;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.config.AdminData;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.iiop.channel.ConnectionStateElement;
import com.ibm.wsspi.security.auth.WSSubjectWrapper;
import com.ibm.wsspi.security.csiv2.CSIv2PerformPolicy;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.INTERNAL;
import org.omg.CORBA.IntHolder;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.Object;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.GSS_NT_ExportedNameHelper;
import org.omg.CSI.IdentityToken;
import org.omg.CSI.KRB5MechOID;
import org.omg.CSI.MessageInContext;
import org.omg.CSI.SASContextBody;
import org.omg.CSI.X501DistinguishedNameHelper;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.IOP.TaggedComponent;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.ClientRequestInterceptor;
import org.omg.PortableInterceptor.ForwardRequest;
import org.omg.PortableInterceptor.ORBInitInfo;

/* loaded from: input_file:com/ibm/ISecurityLocalObjectBaseL13Impl/CSIClientRIBase.class */
public class CSIClientRIBase extends CSIORBInit implements ClientRequestInterceptor {
    // Name handed to ObjectList when the admin-class list is first built in qualifyClientRequest.
    // Presumably a resource that lists administrative classes — confirm against ObjectList.
    private static final String ADMIN_CLASS = "adminsec.txt";
    // NOTE(review): public and mutable; nothing in the visible part of this class reads or writes it.
    public int slotid;
    // Trace component for this class, registered under the "SASRas" group.
    private static final TraceComponent tc = Tr.register(CSIClientRIBase.class, "SASRas", "com.ibm.ISecurityL13SupportImpl.sec");
    // Created lazily in qualifyClientRequest with a plain null check (no synchronization there).
    private static ObjectList list = null;
    // The next four references are filled from VaultImpl in init()/post_init() when security is enabled.
    protected ORB orb = null;
    protected Codec codec = null;
    protected VaultImpl myVault = null;
    protected SecurityConnectionInterceptor _securityConnectionInterceptor = null;
    protected MechanismFactory _mechanismFactory = null;
    protected int csiClientCertPort = 0;
    protected IntHolder expiry_time_now = new IntHolder(0);
    protected CSIUtil csiUtil = new CSIUtil();
    // Taken from the vault in init()/post_init(); determineStatefulContextIDForCFW fetches it again if still null.
    protected SessionManager sessionMgr = null;
    protected CSICredentialsManager credsMgr = new CSICredentialsManager();
    // Raw Hashtable; doFilterSendRequest stores a SessionEntry under the request ID rendered as a String.
    // NOTE(review): no removal is visible in this part of the file — confirm entries are released when
    // the reply or exception for that request ID is handled.
    protected Hashtable sessionRequestTable = new Hashtable();

    /**
     * Binds this interceptor to the process-wide vault when CORBA security is enabled.
     *
     * <p>Does nothing at all (not even tracing) when {@code com.ibm.CORBA.securityEnabled} is false.
     * When the vault is unavailable, message {@code security.JSAS0010E} is logged and the session
     * manager, ORB and mechanism factory references are left untouched.
     *
     * @param orb only traced; the ORB stored in {@code this.orb} is the one returned by the vault
     */
    public void init(ORB orb) {
        if (!SecurityObjectLocator.getCSIv2Config().getBoolean("com.ibm.CORBA.securityEnabled")) {
            return;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init", new Object[]{orb, this});
        }
        final VaultImpl vault = VaultImpl.getInstance();
        this.myVault = vault;
        if (vault == null) {
            Tr.error(tc, "security.JSAS0010E");
        } else {
            this.sessionMgr = vault.getSessionManager();
            this.orb = vault.getORB();
            this._mechanismFactory = vault.getMechanismFactory();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "init");
        }
    }

    /**
     * ORB pre-initialisation hook; left empty in this base class.
     *
     * @param oRBInitInfo unused
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIORBInit
    public void pre_init(ORBInitInfo oRBInitInfo) {
        // Intentionally empty.
    }

    /**
     * ORB post-initialisation hook: binds this interceptor to the process-wide vault when CORBA
     * security is enabled, exactly as {@code init(ORB)} does.
     *
     * <p>Does nothing when {@code com.ibm.CORBA.securityEnabled} is false. When the vault is
     * unavailable, message {@code security.JSAS0010E} is logged and the references are left untouched.
     *
     * @param oRBInitInfo only traced
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.CSIORBInit
    public void post_init(ORBInitInfo oRBInitInfo) {
        if (!SecurityObjectLocator.getCSIv2Config().getBoolean("com.ibm.CORBA.securityEnabled")) {
            return;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "post_init", new Object[]{oRBInitInfo, this});
        }
        // Result is discarded; the call is kept in case the locator does work on access.
        SecurityObjectLocator.getCSIv2Config();
        final VaultImpl vault = VaultImpl.getInstance();
        this.myVault = vault;
        if (vault == null) {
            Tr.error(tc, "security.JSAS0010E");
        } else {
            this.sessionMgr = vault.getSessionManager();
            this.orb = vault.getORB();
            this._mechanismFactory = vault.getMechanismFactory();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "post_init");
        }
    }

    /** Interceptor teardown hook; this base class holds nothing that it releases here. */
    public void destroy() {
        // Intentionally empty.
    }

    /**
     * Outbound-request interception point; left empty in this base class, so no security context is
     * attached here.
     *
     * @param clientRequestInfo unused
     * @throws ForwardRequest never thrown by this empty implementation
     */
    public void send_request(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        // Intentionally empty.
    }

    /**
     * Poll interception point; left empty in this base class.
     *
     * @param clientRequestInfo unused
     */
    public void send_poll(ClientRequestInfo clientRequestInfo) {
        // Intentionally empty.
    }

    /**
     * Reply interception point; left empty in this base class.
     *
     * @param clientRequestInfo unused
     */
    public void receive_reply(ClientRequestInfo clientRequestInfo) {
        // Intentionally empty.
    }

    /**
     * Exception-reply interception point; left empty in this base class.
     *
     * @param clientRequestInfo unused
     * @throws ForwardRequest never thrown by this empty implementation
     */
    public void receive_exception(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        // Intentionally empty.
    }

    /**
     * Interception point for other reply outcomes; left empty in this base class.
     *
     * @param clientRequestInfo unused
     * @throws ForwardRequest never thrown by this empty implementation
     */
    public void receive_other(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        // Intentionally empty.
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reports whether the request is a naming operation that
     * {@code SecurityConnectionInterceptor.isNamingMethodUnprotected} classifies as unprotected.
     *
     * <p>The answer depends only on the operation name and the runtime class name of the effective
     * target ({@code "<unknown>"} when there is no target); the policy argument is not consulted.
     *
     * @param clientRequestInfo request being sent
     * @param cSIv2EffectivePerformPolicy unused by this method
     * @return {@code true} when the operation/class pair is classified as unprotected
     * @throws ForwardRequest declared for overriders; not thrown here
     */
    public boolean namingReadUnprotected(ClientRequestInfo clientRequestInfo, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy) throws ForwardRequest {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "namingReadUnprotected", new Object[]{clientRequestInfo, this});
        }
        // Read the operation first, then the target, in the same order as the single-expression form.
        final String operation = clientRequestInfo.operation();
        final String targetClassName;
        if (clientRequestInfo.effective_target() == null) {
            targetClassName = "<unknown>";
        } else {
            targetClassName = clientRequestInfo.effective_target().getClass().getName();
        }
        final boolean unprotected = SecurityConnectionInterceptor.isNamingMethodUnprotected(operation, targetClassName);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "namingReadUnprotected", unprotected ? Boolean.TRUE : Boolean.FALSE);
        }
        return unprotected;
    }

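    /**
     * Decides whether an outbound request qualifies for CSIv2 processing by this interceptor.
     *
     * <p>Returns {@code false} when:
     * <ul>
     *   <li>the request is local (it is handed to {@code send_request_local} first);</li>
     *   <li>no effective policy is supplied;</li>
     *   <li>server security is disabled and the operation/class pair is a "special class", unless this
     *       is a server process and the class is found in the admin-class list;</li>
     *   <li>the policy is not an internal-request policy and the operation is a special naming method,
     *       a special SSL-required naming method, or an ORB special method on a target with a non-zero
     *       TCP port where neither the policy nor the CORBA configuration requires client
     *       authentication.</li>
     * </ul>
     *
     * <p>NOTE(review): every exemption is keyed on the operation name and the runtime class name of
     * the effective target. What the caller does on {@code false} is not visible here; presumably the
     * request is sent without a CSIv2 security context, so the exemption lists deserve review.
     *
     * @param clientRequestInfo request being sent
     * @param cSIv2EffectivePerformPolicy effective policy for the target, or {@code null}
     * @return {@code true} when the request should go through CSIv2 processing
     * @throws ForwardRequest declared for the helpers and overriders; not thrown directly here
     */
    protected boolean qualifyClientRequest(ClientRequestInfo clientRequestInfo, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy) throws ForwardRequest {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "qualifyClientRequest", new Object[]{clientRequestInfo, this});
        }
        CurrentImpl current = this.csiUtil.getCurrent();
        String targetClassName = clientRequestInfo.effective_target() != null ? clientRequestInfo.effective_target().getClass().getName() : "<unknown>";
        if (is_local_client_request(clientRequestInfo)) {
            send_request_local(clientRequestInfo);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "qualifyClientRequest", Boolean.FALSE);
            }
            return false;
        }
        if (cSIv2EffectivePerformPolicy == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Effective policy object is null, not a CSIv2 request.");
            }
            if (tc.isEntryEnabled()) {
                // Method name corrected (was "qualifyClentRequest") so entry and exit records pair up.
                Tr.exit(tc, "qualifyClientRequest", Boolean.FALSE);
            }
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Effective policy object instance is: " + cSIv2EffectivePerformPolicy);
        }
        boolean serverSecurityEnabled = current.getServerSecurityEnabled();
        if (!serverSecurityEnabled) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "CSIClientRI: appSecEnabledState = " + serverSecurityEnabled);
            }
            // Lazy, unsynchronized creation of the shared admin-class list, kept as in the original.
            if (list == null) {
                list = new ObjectList(ADMIN_CLASS);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "class_name: " + targetClassName + " method_name: " + clientRequestInfo.operation() + " effective_target: " + clientRequestInfo.effective_target());
            }
            if (SecurityConnectionInterceptor.isSpecialClass(clientRequestInfo.operation(), targetClassName) && (!SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS) || !list.find(targetClassName))) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Special naming method or other corba special method. Return from interceptor.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "qualifyClientRequest", Boolean.FALSE);
                }
                return false;
            }
        }
        // Internal-request policies are never exempted; evaluation order matches the original condition.
        boolean exempt = !cSIv2EffectivePerformPolicy.getIsInternalRequestPolicy()
                && (SecurityConnectionInterceptor.isSpecialNamingMethod(clientRequestInfo.operation(), targetClassName)
                        || SecurityConnectionInterceptor.isSpecialSSLRequiredNamingMethod(clientRequestInfo.operation(), targetClassName)
                        || (cSIv2EffectivePerformPolicy.getTargetTCPPort() != 0
                                && !cSIv2EffectivePerformPolicy.claimClientAuthenticationRequired()
                                && ORB.isSpecialMethod(clientRequestInfo.operation())
                                && !this.csiUtil.isCORBAAuthRequired()));
        if (exempt) {
            // Guarded like every other debug trace in this class; the original call was unconditional.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Special naming method or other corba special method. Return from interceptor.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "qualifyClientRequest", Boolean.FALSE);
            }
            return false;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "qualifyClientRequest", Boolean.TRUE);
        }
        return true;
    }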

    /*
     * Decompiler placeholder, not the real implementation.
     * JADX ERROR: NullPointerException in pass: RegionMakerVisitor (java.lang.NullPointerException).
     * The only behaviour present in this listing is the unconditional UnsupportedOperationException
     * below; the original 745-instruction body was skipped.
     * NOTE(review): judging by the name, the parameters and the Subject return type, this is where the
     * subject for the outbound request is chosen. That logic cannot be reviewed from this listing;
     * re-run the decompiler with '--comments-level debug' or read the bytecode before drawing any
     * conclusion about credential selection.
     */
    protected javax.security.auth.Subject retrieveSubject(final java.lang.String r11, final com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy r12, final com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager r13) {
        /*
            Method dump skipped, instructions count: 745
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.retrieveSubject(java.lang.String, com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy, com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager):javax.security.auth.Subject");
    }

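    /**
     * Builds the key under which the client-side CSIv2 session for a subject and target is looked up.
     *
     * <p>The key combines: a unique client ID (the context manager's outbound ID in a server process,
     * otherwise the credential's realm-unique security name), the credential's {@code hashCode()},
     * the credential expiration, {@code str}, {@code str2} and {@code "host:port"} of the local end
     * of the connection (empty when {@code str3} is {@code null}).
     *
     * <p>NOTE(review): by analogy with the ClientSessionKey built in doFilterSendRequest, {@code str}
     * appears to be the target realm/security name and {@code str2} the connection key — confirm.
     * The {@code hashCode()} component is a 32-bit value, not a cryptographic binding to the
     * credential; confirm that ClientSessionKey equality does not rest on it alone.
     *
     * @param str key component, passed through unchanged
     * @param subject subject whose WSCredential identifies the client
     * @param str2 key component, passed through unchanged
     * @param str3 local host of the connection, or {@code null} when connection data is unavailable
     * @param i local port of the connection
     * @return the session key
     * @throws NO_PERMISSION with minor code CREDENTIAL_TOKEN_EXPIRED on any failure while reading the
     *     credential (fails closed: no key, no session)
     */
    protected ClientSessionKey getClientSessionKey(String str, Subject subject, String str2, String str3, int i) {
        if (tc.isEntryEnabled()) {
            // Method name corrected (was "getClentSessionKey") so entry and exit records pair up.
            Tr.entry(tc, "getClientSessionKey", new Object[]{str, subject, str2, str3, Integer.valueOf(i), this});
        }
        String localHostPort = "";
        try {
            if (str3 != null) {
                localHostPort = str3 + ":" + i;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "localHostPort for client session key: " + localHostPort);
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Connection data is null, this may cause a problem with multi-thread stateful clients.");
            }
            WSCredential credential = SubjectHelper.getWSCredentialFromSubject(subject);
            String clientUniqueId = null;
            if (SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS)) {
                clientUniqueId = ContextManagerFactory.getInstance().getClientUniqueIDForOutboundRequests(subject);
            }
            if (clientUniqueId == null) {
                clientUniqueId = credential.getRealmUniqueSecurityName();
            }
            // Long.toString replaces the deprecated new Long(...).toString(); the text is identical.
            ClientSessionKey clientSessionKey = new ClientSessionKey(clientUniqueId, Integer.toString(credential.hashCode()), Long.toString(credential.getExpiration()), str, str2, localHostPort);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getClientSessionKey", clientSessionKey);
            }
            return clientSessionKey;
        } catch (Exception e) {
            // Any failure (destroyed or expired credential, or a subject without a WSCredential) is
            // reported as expired credentials. The debug text mentions an unauthenticated login, but
            // this method does not attempt one: it always throws.
            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.getClientSessionKey", "606", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, SecurityMessages.getMsgOrUseDefault("JSAS0030W", "JSAS0030W: Credentials are invalid. Trying unauthenticated login."), new Object[]{e});
            }
            throw new NO_PERMISSION("Credentials have expired.  Exception = " + e, SecurityMinorCodes.CREDENTIAL_TOKEN_EXPIRED, CompletionStatus.COMPLETED_NO);
        }
    }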

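    /**
     * Looks up the client session for this subject/target and decides how the request proceeds.
     *
     * <p>Session states, as named by the trace messages in this method:
     * 1 = SESSION_IN_COMPLETE_STATE, 2 = SESSION_IN_INCOMPLETE_STATE, 4 = SESSION_NEW,
     * 6 = SESSION_AUTHENTICATING; anything else is treated as invalid and the entry is moved to state 7.
     *
     * <ul>
     *   <li>State 1: a MessageInContext service context for the established context ID is added to
     *       the request, the policy is stored in the vault under the request ID and {@code null} is
     *       returned. If the service context cannot be built, the entry is flagged for stateless
     *       renegotiation and returned.</li>
     *   <li>State 4: the entry is moved to state 2 and returned (authenticate in stateful mode).</li>
     *   <li>States 2, 6 and invalid states: the entry is flagged for stateless renegotiation and
     *       returned.</li>
     * </ul>
     *
     * @param str key component passed to {@code getClientSessionKey}
     * @param cSIv2EffectivePerformPolicy effective policy; receives the session key and, in state 1,
     *     the stateful context ID
     * @param sessionManager session table to consult
     * @param clientRequestInfo request being sent
     * @param subject subject identifying the client
     * @param str2 key component passed to {@code getClientSessionKey}
     * @param str3 local host of the connection, may be {@code null}
     * @param i local port of the connection
     * @return the session entry to authenticate with, or {@code null} when the request already
     *     carries a MessageInContext for an established session
     * @throws NO_PERMISSION when the session manager returns no entry, or when the session key cannot
     *     be built
     */
    protected SessionEntry determineStatefulContextID(String str, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy, SessionManager sessionManager, ClientRequestInfo clientRequestInfo, Subject subject, String str2, String str3, int i) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "determineStatefulContextID", new Object[]{str, sessionManager, clientRequestInfo, subject, str2, str3, Integer.valueOf(i), this});
        }
        ClientSessionKey clientSessionKey = getClientSessionKey(str, subject, str2, str3, i);
        cSIv2EffectivePerformPolicy.setClientSessionKey(clientSessionKey);
        SessionEntry session = sessionManager.csi_client_session_lookup(clientSessionKey);
        if (session == null) {
            // NOTE(review): the decompiled code called set_client_context_id(0L) on the null lookup
            // result here, which can only end in a NullPointerException. Failing closed with the same
            // NO_PERMISSION that determineStatefulContextIDForCFW uses keeps "no session" an error but
            // makes it explicit. Confirm the intended fallback against the original class.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No session available, throw exception.");
            }
            throw new NO_PERMISSION("Cannot generate a client session");
        }
        switch (session.get_session_state()) {
            case 1: {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_IN_COMPLETE_STATE.  Proceeding with MessageInContext.");
                }
                MessageInContext messageInContext = new MessageInContext(session.get_client_context_id(), false);
                this.csiUtil.print_mic_message(messageInContext, "determineStatefulContextID");
                // The message was just constructed, so the original null check on it was dead code.
                ServiceContext serviceContext = this.csiUtil.create_sc_from_mic_message(messageInContext);
                if (serviceContext == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Service context not available.  Going out in stateless mode.");
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "determineStatefulContextID", session);
                    }
                    session.set_renegotiate_to_stateless();
                    return session;
                }
                clientRequestInfo.add_request_service_context(serviceContext, true);
                cSIv2EffectivePerformPolicy.setStatefulContextID(session.get_client_context_id());
                cSIv2EffectivePerformPolicy.setClientSessionKey(clientSessionKey);
                this.csiUtil.getVault().put_effective_policy(clientRequestInfo.request_id(), cSIv2EffectivePerformPolicy);
                this.csiUtil.setUnauthenticatedToNullIfNeeded();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "*** SENDING REQUEST ***");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "determineStatefulContextID", null);
                }
                return null;
            }
            case 2:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_IN_INCOMPLETE_STATE.  Proceeding to authenticate in stateless mode.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "determineStatefulContextID", session);
                }
                session.set_renegotiate_to_stateless();
                return session;
            case 4:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_NEW.  Proceeding to authenticate in stateful mode.");
                }
                session.set_session_state(2);
                return session;
            case 6:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_AUTHENTICATING.  Proceeding to authenticate in stateless mode.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "determineStatefulContextID", session);
                }
                session.set_renegotiate_to_stateless();
                return session;
            default:
                // Covers states 3 and 5 and any unknown value.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  INVALID STATE.  Proceeding to authenticate in stateless mode.");
                }
                session.set_session_state(7);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "determineStatefulContextID");
                }
                session.set_renegotiate_to_stateless();
                return session;
        }
    }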

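    /**
     * Channel-framework variant of the session decision: picks or creates the client session for
     * {@code clientSessionKey} and either attaches the matching CSIv2 service context to the outgoing
     * message or forwards the request with the session serialized into a private service context.
     *
     * <p>Session states, as named by the trace messages: 1 = SESSION_IN_COMPLETE_STATE,
     * 2 = SESSION_IN_INCOMPLETE_STATE, 4 = SESSION_NEW, 6 = SESSION_AUTHENTICATING.
     * <ul>
     *   <li>State 1: attach a MessageInContext and return the entry; if that context cannot be built,
     *       forward with a fresh entry flagged for stateless renegotiation.</li>
     *   <li>State 4: move the entry to state 2 and forward with it.</li>
     *   <li>State 6: attach the stored EstablishContext, if any, and return the entry.</li>
     *   <li>Any other state: forward with a fresh entry in state 2 flagged for stateless
     *       renegotiation.</li>
     * </ul>
     *
     * <p>Changes from the decompiled form: the {@code ForwardRequest} was thrown inside a
     * {@code try} whose {@code catch (Exception)} turned it into {@code NO_PERMISSION}, so the forward
     * could never reach the caller; and the {@code NO_PERMISSION} message was only filled in when
     * debug tracing was on. Both are fixed in {@code cfwForwardWithSession}.
     *
     * @param clientSessionKey key identifying the client session
     * @param cSIv2EffectivePerformPolicy effective policy; stored on the session entry
     * @param gIOPConnectionContext only traced
     * @param gIOPMessageContext outgoing message whose service contexts are updated
     * @return the session entry when the request can be sent as is
     * @throws ForwardRequest when the request must make another pass carrying the private context
     * @throws NO_PERMISSION when no session is available or the private context cannot be built
     */
    protected SessionEntry determineStatefulContextIDForCFW(ClientSessionKey clientSessionKey, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy, GIOPConnectionContext gIOPConnectionContext, GIOPMessageContext gIOPMessageContext) throws ForwardRequest {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "determineStatefulContextIDForCFW", new Object[]{clientSessionKey, gIOPConnectionContext, gIOPMessageContext, this});
        }
        if (this.sessionMgr == null) {
            this.sessionMgr = VaultImpl.getInstance().getSessionManager();
        }
        SessionEntry sessionEntry;
        if (cSIv2EffectivePerformPolicy.isStateful()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating a stateful session.");
            }
            sessionEntry = this.sessionMgr.csi_client_session_lookup(clientSessionKey);
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating a stateless session.");
            }
            sessionEntry = new SessionEntry(0L);
        }
        if (sessionEntry == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No session available, throw exception.");
            }
            throw new NO_PERMISSION("Cannot generate a client session");
        }
        sessionEntry.set_effective_policy(cSIv2EffectivePerformPolicy);
        int sessionState = sessionEntry.get_session_state();
        sessionEntry.set_client_session_key(clientSessionKey);
        switch (sessionState) {
            case 1: {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_IN_COMPLETE_STATE.  Proceeding with MessageInContext.");
                }
                MessageInContext messageInContext = new MessageInContext(sessionEntry.get_client_context_id(), false);
                this.csiUtil.print_mic_message(messageInContext, "determineStatefulContextIDForCFW");
                // The message was just constructed, so the original null check on it was dead code.
                ServiceContext micContext = this.csiUtil.create_sc_from_mic_message(messageInContext);
                if (micContext != null) {
                    cfwAddServiceContext(gIOPMessageContext, new com.ibm.rmi.ServiceContext(micContext.context_id, micContext.context_data));
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "*** SENDING REQUEST ***");
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "determineStatefulContextIDForCFW", sessionEntry);
                    }
                    return sessionEntry;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Service context not available.  Going out in stateless mode.");
                }
                SessionEntry statelessEntry = new SessionEntry(0L);
                statelessEntry.set_renegotiate_to_stateless();
                statelessEntry.set_client_session_key(clientSessionKey);
                statelessEntry.set_effective_policy(cSIv2EffectivePerformPolicy);
                throw cfwForwardWithSession(statelessEntry, gIOPMessageContext);
            }
            case 4:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_NEW.  Proceeding to authenticate in stateful mode.");
                }
                sessionEntry.set_session_state(2);
                throw cfwForwardWithSession(sessionEntry, gIOPMessageContext);
            case 6: {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_AUTHENTICATING.  Proceeding to EstablishContext in stateful mode.");
                }
                EstablishContext establishContext = sessionEntry.get_ec_message();
                if (establishContext != null) {
                    this.csiUtil.print_ec_message(establishContext, "determineStatefulContextIDForCFW");
                    ServiceContext ecContext = this.csiUtil.create_sc_from_ec_message(establishContext);
                    if (ecContext != null) {
                        cfwAddServiceContext(gIOPMessageContext, new com.ibm.rmi.ServiceContext(ecContext.context_id, ecContext.context_data));
                    }
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "determineStatefulContextIDForCFW", sessionEntry);
                }
                return sessionEntry;
            }
            default: {
                // Covers states 2, 3 and 5 and any unknown value.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_IN_INCOMPLETE_STATE, SESSION_AUTHENTICATING, or state unknown -> proceeding to authenticate in stateless mode.");
                }
                SessionEntry renegotiatedEntry = new SessionEntry(0L);
                renegotiatedEntry.set_renegotiate_to_stateless();
                renegotiatedEntry.set_effective_policy(cSIv2EffectivePerformPolicy);
                renegotiatedEntry.set_client_session_key(clientSessionKey);
                renegotiatedEntry.set_session_state(2);
                throw cfwForwardWithSession(renegotiatedEntry, gIOPMessageContext);
            }
        }
    }

    // Adds a service context to the outgoing message, replacing any context with the same ID.
    // Best effort, as in the original: a missing or unmodifiable context list is tolerated.
    // NOTE(review): when the context cannot be attached, callers still send the request without it.
    private void cfwAddServiceContext(GIOPMessageContext gIOPMessageContext, com.ibm.rmi.ServiceContext serviceContext) {
        try {
            ServiceContextList serviceContexts = gIOPMessageContext.getServiceContexts();
            if (serviceContexts != null) {
                serviceContexts.add(serviceContext, true);
                gIOPMessageContext.setServiceContexts(serviceContexts);
            }
        } catch (UnsupportedOperationException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Service context list cannot be modified; context not attached.", new Object[]{e});
            }
        }
    }

    // Serializes the session entry into the private CSIV2_ZOS_PRIVATE_CTX_ID service context and
    // builds the ForwardRequest for the caller to throw. The ForwardRequest is created outside the
    // try block so the catch-all below cannot convert it into NO_PERMISSION.
    // NOTE(review): doFilterSendRequest rebuilds a SessionEntry from a context with this ID;
    // presumably it is an in-process handoff and never leaves or enters over the wire — confirm.
    private ForwardRequest cfwForwardWithSession(SessionEntry sessionEntry, GIOPMessageContext gIOPMessageContext) {
        Object forwardTarget;
        try {
            cfwAddServiceContext(gIOPMessageContext, new com.ibm.rmi.ServiceContext(SecurityMinorCodes.CSIV2_ZOS_PRIVATE_CTX_ID, sessionEntry.getBytes()));
            forwardTarget = getCurrentObjectFromGIOPMessageContext(gIOPMessageContext);
        } catch (Exception e) {
            // The message no longer depends on whether debug tracing is enabled.
            String failure = "Could not get session bytes to create private service context.";
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, failure, new Object[]{e});
            }
            NO_PERMISSION denied = new NO_PERMISSION(failure);
            denied.initCause(e);
            throw denied;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "determineStatefulContextIDForCFW", "ForwardRequest");
        }
        return new ForwardRequest(forwardTarget);
    }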

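    /**
     * Channel-framework send filter: attaches or creates the client session for an outgoing request.
     *
     * <p>Looks at two private service contexts on the outgoing message:
     * <ul>
     *   <li>{@code CSIV2_ZOS_PRIVATE_CTX_ID} present (second pass): a SessionEntry is rebuilt from the
     *       context data, recorded under the request ID and passed to {@code updateSessionFromSR}.</li>
     *   <li>otherwise {@code CSIV2_SEED_CTX_ID} present (first pass): the security execution
     *       environment is rebuilt from the context data, a ClientSessionKey is derived from it and
     *       from the IOR's effective policy, and {@code determineStatefulContextIDForCFW} selects the
     *       session, which is recorded under the request ID.</li>
     *   <li>neither present: the request is treated as unauthenticated and left untouched.</li>
     * </ul>
     *
     * <p>NOTE(review): both branches deserialize bytes taken from the message's service-context
     * list. Presumably these contexts are only ever placed there by this process on an earlier pass;
     * confirm they are never accepted from a peer and are stripped before the request leaves.
     *
     * @param gIOPConnectionContext connection the request is sent on; supplies local host and port
     * @param gIOPMessageContext outgoing message
     * @param connectionStateElement supplies the connection handle used to detect local comm
     * @throws Exception propagated from the helpers (including {@code ForwardRequest});
     *     {@code INTERNAL} when the seed context cannot be deserialized
     */
    public void doFilterSendRequest(GIOPConnectionContext gIOPConnectionContext, GIOPMessageContext gIOPMessageContext, ConnectionStateElement connectionStateElement) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doFilterSendRequest");
        }
        int requestId = gIOPMessageContext.getRequestId();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Request ID: " + Integer.toString(requestId));
        }
        com.ibm.CORBA.iiop.ServiceContext seedContext = null;
        com.ibm.CORBA.iiop.ServiceContext sessionContext = null;
        // The context list is null-checked here as it is everywhere else in this class; a message
        // without a list is handled like one that carries neither private context.
        try {
            ServiceContextList contexts = gIOPMessageContext.getServiceContexts();
            if (contexts != null) {
                sessionContext = contexts.get(SecurityMinorCodes.CSIV2_ZOS_PRIVATE_CTX_ID);
            }
        } catch (UnsupportedOperationException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Service contexts are not available on this message.", new Object[]{e});
            }
        }
        try {
            ServiceContextList contexts = gIOPMessageContext.getServiceContexts();
            if (contexts != null) {
                seedContext = contexts.get(SecurityMinorCodes.CSIV2_SEED_CTX_ID);
            }
        } catch (UnsupportedOperationException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Service contexts are not available on this message.", new Object[]{e});
            }
        }
        if (sessionContext != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found session context on filter second pass.  Updating session.");
            }
            // A freshly constructed entry is never null, so the original null check was dead code.
            SessionEntry sessionEntry = new SessionEntry(sessionContext.getContextData());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding session to table using request ID: " + requestId);
            }
            this.sessionRequestTable.put(Integer.toString(requestId), sessionEntry);
            updateSessionFromSR(sessionEntry, gIOPConnectionContext, gIOPMessageContext);
        } else if (seedContext != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found seed context on filter first pass.  Creating session.");
            }
            SecurityExecutionEnvironment seed = SecurityExecutionEnvironment.createFromBytes(seedContext.getContextData());
            if (seed == null) {
                if (tc.isDebugEnabled()) {
                    // Text corrected: the exception thrown is INTERNAL, not NO_PERMISSION.
                    Tr.debug(tc, "Could not recreate seed.  Throwing INTERNAL.");
                }
                throw new INTERNAL("Error deserializing security execution environment.");
            }
            CSIv2EffectivePerformPolicy effectivePolicy = getEffectivePolicyFromIOR(gIOPMessageContext);
            if (effectivePolicy != null) {
                String localHost = gIOPConnectionContext.getLocalHost();
                int localPort = gIOPConnectionContext.getGIOPConnectionInfo().getLocalPort();
                String targetRealmOrName = RealmSecurityName.getRealmOrReturnSecurityName(effectivePolicy.getTargetSecurityName(), effectivePolicy.getPerformClientAuthMechOID(), effectivePolicy.getTargetAuthMechOID());
                ConnectionHandle connectionHandle = connectionStateElement.getConnectionHandle();
                if (connectionHandle != null && connectionHandle.getIsLocalComm()) {
                    // Local comm: key the session on the connection handle instead of host and port.
                    effectivePolicy.setConnectionKey(connectionHandle.toString());
                    localHost = "";
                    localPort = 0;
                }
                ClientSessionKey sessionKey = new ClientSessionKey(seed.getClientUniqueId(), "", Long.toString(seed.getCredentialExpiration()), targetRealmOrName, effectivePolicy.getConnectionKey(), localHost + ":" + localPort);
                SessionEntry session = determineStatefulContextIDForCFW(sessionKey, effectivePolicy, gIOPConnectionContext, gIOPMessageContext);
                if (session != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found a valid session, sending the request.");
                    }
                    this.sessionRequestTable.put(Integer.toString(requestId), session);
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Could not get an effective policy from the IOR.  Treating as if NO CSIv2 tags present in IOR (unauthenticated).");
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "This is an unauthenticated request, no session processing needed in filter.");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "*** SENDING REQUEST ***");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "doFilterSendRequest");
        }
    }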

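    /**
     * Resolves the CSIv2 effective perform policy for the IOR carried by a GIOP message.
     *
     * <p>The IOR is taken from the message context, trying the current, target and
     * initial IOR in that order. The APPSEC tagged component of profile 0 supplies the
     * admin flag and the naming-read-unprotected flag when it is present and can be
     * parsed; otherwise the defaults (admin = 1, naming-read-unprotected = 0) are kept.
     *
     * <p>NOTE(review): a missing or malformed APPSEC component is treated as "admin
     * domain". The component comes from the IOR, so confirm that this default is the
     * intended outcome for input that fails to parse.
     *
     * @param gIOPMessageContext message context that exposes the request's IORs
     * @return the effective policy, or {@code null} when no IOR is available, the IOR
     *         carries no CSIv2 tagged components, or the context does not support IOR
     *         access; {@code doFilterSendRequest} traces a {@code null} result as
     *         "unauthenticated"
     * @throws Exception propagated from the IOR-based overload
     */
    CSIv2EffectivePerformPolicy getEffectivePolicyFromIOR(GIOPMessageContext gIOPMessageContext) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getEffectivePolicyFromIOR", gIOPMessageContext);
        }
        CSIv2EffectivePerformPolicy policy = null;
        try {
            IOR ior = gIOPMessageContext.getCurrentIOR();
            if (ior == null) {
                ior = gIOPMessageContext.getTargetIOR();
            }
            if (ior == null) {
                ior = gIOPMessageContext.getInitialIOR();
            }
            if (ior == null) {
                // Checked explicitly so a missing IOR is not reported as a tagged-component failure.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No IOR available from GIOP message context, returning null effective policy");
                }
            } else {
                short adminFlag = 1;
                short namingReadUnprotectedFlag = 0;
                byte[] appSecData = null;
                try {
                    appSecData = ior.getProfile(0).getTaggedComponent(SecConstants.APP_SEC_ENABLED_TAG);
                } catch (Exception e) {
                    // Best effort: the defaults stay in place, but the cause is kept in the trace.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "caught exception attempting to get the APPSECTaggedComponent from proxyProfile but will assume admin domain and continue", e);
                    }
                }
                if (appSecData != null) {
                    try {
                        APPSECTaggedComponent appSec = new APPSECTaggedComponent(appSecData);
                        adminFlag = appSec.get_isAdminFlag();
                        namingReadUnprotectedFlag = appSec.get_isNamingReadUnprotectedFlag();
                    } catch (Exception e2) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "caught exception attempting to get construct the APPSECTaggedComponent object from its bytes but will assume admin domain and continue", e2);
                        }
                    }
                }
                policy = getEffectivePolicyFromIOR(ior, adminFlag, namingReadUnprotectedFlag);
            }
        } catch (UnsupportedOperationException e3) {
            Manager.Ffdc.log(e3, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.getEffectivePolicyFromIOR", "1254", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to acquire IOR from GIOP message context", e3);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getEffectivePolicyFromIOR", policy);
        }
        return policy;
    }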

    /**
     * Builds (or fetches) the effective perform policy for the CSIv2 tagged components
     * found in an IOR.
     *
     * @param ior IOR whose profile is searched for CSIv2 tagged components
     * @param s   admin flag, handed to {@code CSIv2EffectivePerformPolicy.getInstance}
     * @param s2  naming-read-unprotected flag, handed to the same call
     * @return the effective policy, or {@code null} when the IOR yields no CSIv2 tagged
     *         component list
     * @throws Exception propagated from the tagged-component lookup or policy creation
     */
    CSIv2EffectivePerformPolicy getEffectivePolicyFromIOR(IOR ior, short s, short s2) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getEffectivePolicyFromIOR", ior);
        }
        final CSIv2TaggedComponent[] csiComponents = CSIv2TaggedComponent.getCSIv2TaggedComponentList(ior.getProfile(), ior);
        final CSIv2EffectivePerformPolicy policy;
        if (csiComponents == null) {
            // No CSIv2 components: the caller receives null rather than an empty policy.
            policy = null;
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found CSIv2 tagged component, getting policy from cache or building new one.");
            }
            policy = CSIv2EffectivePerformPolicy.getInstance(csiComponents, s, s2);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getEffectivePolicyFromIOR", policy);
        }
        return policy;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Resolves the CSIv2 effective perform policy from the effective profile of a
     * portable-interceptor client request.
     *
     * <p>The admin and naming-read-unprotected flags come from the APPSEC tagged
     * component; any failure while reading or parsing it leaves the defaults
     * (admin = 1, naming-read-unprotected = 0) in place. The CSIv2 mechanism list is
     * read from effective component 33, which matches the standard
     * TAG_CSI_SEC_MECH_LIST component id.
     *
     * <p>NOTE(review): both lookups degrade silently. A parse failure is treated as
     * "admin domain", and a {@code BAD_PARAM} on component 33 yields a {@code null}
     * policy. Callers of this method are not visible here; confirm that they do not
     * read {@code null} as permission to continue without security.
     *
     * @param clientRequestInfo interceptor request info for the outgoing request
     * @return the effective policy, or {@code null} when no CSIv2 tagged component list
     *         could be obtained
     * @throws Exception anything other than {@code BAD_PARAM} raised while reading
     *         component 33, or raised by policy creation
     */
    public CSIv2EffectivePerformPolicy getEffectivePolicyFromClientRequestInfo(ClientRequestInfo clientRequestInfo) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getEffectivePolicyFromClientRequestInfo", clientRequestInfo);
        }
        short adminFlag = 1;
        short namingReadUnprotectedFlag = 0;
        try {
            TaggedComponent appSecComponent = clientRequestInfo.get_effective_component(SecConstants.APP_SEC_ENABLED_TAG);
            byte[] appSecData = (appSecComponent != null) ? appSecComponent.component_data : null;
            // The constructor is invoked even for null data; a failure lands in the catch below.
            APPSECTaggedComponent appSec = new APPSECTaggedComponent(appSecData);
            adminFlag = appSec.get_isAdminFlag();
            namingReadUnprotectedFlag = appSec.get_isNamingReadUnprotectedFlag();
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "caught exception attempting to get the APPSECTaggedComponent object from its bytes but will assume admin domain and continue");
            }
        }
        CSIv2TaggedComponent[] csiComponents = null;
        try {
            csiComponents = CSIv2TaggedComponent.getCSIv2TaggedComponentList(clientRequestInfo.get_effective_component(33).component_data, (Profile) null);
        } catch (BAD_PARAM e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "BAD_PARAM exception getting CSIv2 tagged component from ClientRequestInfo, returning null effective policy", e2);
            }
        }
        final CSIv2EffectivePerformPolicy policy;
        if (csiComponents == null) {
            policy = null;
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found CSIv2 tagged component, getting policy from cache or building new one.");
            }
            policy = CSIv2EffectivePerformPolicy.getInstance(csiComponents, adminFlag, namingReadUnprotectedFlag);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getEffectivePolicyFromClientRequestInfo", policy);
        }
        return policy;
    }

    /**
     * Reply-side filter step: completes the client session that was recorded for the
     * request when it was sent.
     *
     * <p>The session entry is looked up in {@code sessionRequestTable} by request id
     * and removed. Stateless sessions (context id 0 or renegotiated to stateless) need
     * no further work. For stateful sessions the SAS message in the reply decides the
     * update: discriminator 1 is handled as MTCompleteEstablishContext and 4 as
     * MTContextError; anything else is only traced.
     *
     * <p>NOTE(review): in the code visible here, entries leave
     * {@code sessionRequestTable} only on this path. Confirm that requests which never
     * receive a reply are cleaned up elsewhere.
     *
     * @param gIOPConnectionContext  connection the reply arrived on (used for tracing only)
     * @param gIOPMessageContext     reply message; supplies the request id and service contexts
     * @param connectionStateElement connection state (used for tracing only)
     * @throws Exception propagated from the session manager or the CSI utility calls
     */
    public void doFilterReceiveReply(GIOPConnectionContext gIOPConnectionContext, GIOPMessageContext gIOPMessageContext, ConnectionStateElement connectionStateElement) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doFilterReceiveReply", new Object[]{gIOPConnectionContext, gIOPMessageContext, connectionStateElement, this});
        }
        final String requestKey = Integer.toString(gIOPMessageContext.getRequestId());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Request ID: " + requestKey);
        }
        final SessionEntry pending = (SessionEntry) this.sessionRequestTable.get(requestKey);
        if (pending == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Session is not found for request ID, returning without any updates.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "doFilterReceiveReply");
            }
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Session entry for reply: " + pending);
        }
        // The entry is tied to this one request, so it is dropped before any further processing.
        this.sessionRequestTable.remove(requestKey);
        final long contextId = pending.get_client_context_id();
        final boolean stateful = !pending.get_renegotiate_to_stateless() && contextId != 0;
        if (!stateful) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Session is stateless, returning without any updates.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "doFilterReceiveReply");
            }
            return;
        }
        final com.ibm.CORBA.iiop.ServiceContext replyContext = this.csiUtil.get_sc_from_reply(gIOPMessageContext);
        final SASContextBody sasBody = (replyContext == null) ? null : this.csiUtil.get_message_from_sc(replyContext);
        // -1 stands for "no SAS message in the reply" and falls through to the default arm.
        final int messageType = (sasBody == null) ? -1 : sasBody.discriminator();
        switch (messageType) {
            case 1:
                this.csiUtil.print_cec_message(sasBody.complete_msg(), "doFilterReceiveReply");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Updating stateful session as MTCompleteEstablishContext for ID: " + contextId);
                }
                this.sessionMgr.csi_client_session_complete(sasBody, stateful, contextId, pending.get_client_session_key());
                break;
            case 4:
                this.csiUtil.print_ce_message(sasBody.error_msg(), "doFilterReceiveReply");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Updating stateful session as MTContextError for ID: " + contextId);
                }
                this.sessionMgr.csi_client_session_complete_exception(sasBody, stateful, pending.get_client_session_key());
                break;
            default:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unexpected message type.");
                }
                break;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "doFilterReceiveReply");
        }
    }

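    /**
     * Pushes a session entry received on the send-request path into the session
     * manager, or rejects the request when the entry is in a state that cannot be used.
     *
     * <p>Stateless entries (context id 0 or renegotiated to stateless) and entries whose
     * key is unknown to the session manager are left alone. Otherwise the numeric
     * session state decides, with names taken from the trace text: 1
     * (SESSION_IN_COMPLETE_STATE) and 6 (SESSION_AUTHENTICATING) update the session;
     * 2 (SESSION_IN_INCOMPLETE_STATE), 4 (SESSION_NEW) and every other value raise
     * {@code NO_PERMISSION}.
     *
     * @param sessionEntry          session entry rebuilt from the request's service context
     * @param gIOPConnectionContext connection context (used for tracing only)
     * @param gIOPMessageContext    message context (used for tracing only)
     * @throws ForwardRequest declared by the signature; not raised by this body
     * @throws NO_PERMISSION when the session state does not allow the request to proceed
     */
    protected void updateSessionFromSR(SessionEntry sessionEntry, GIOPConnectionContext gIOPConnectionContext, GIOPMessageContext gIOPMessageContext) throws ForwardRequest {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "updateSessionFromSR", new Object[]{sessionEntry, gIOPConnectionContext, gIOPMessageContext, this});
        }
        if (sessionEntry.get_client_context_id() == 0 || sessionEntry.get_renegotiate_to_stateless()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Session is stateless, returning without any updates.");
            }
            // Exit trace added so every return path pairs with the entry trace.
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "updateSessionFromSR");
            }
            return;
        }
        if (this.sessionMgr.csi_client_session_lookup(sessionEntry.get_client_session_key()) == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Session passed in is null, could be unauthenticated request.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "updateSessionFromSR");
            }
            return;
        }
        // The rejection text is chosen before any trace check, so the NO_PERMISSION
        // raised below carries it whether or not debug tracing is enabled.
        final String rejection;
        switch (sessionEntry.get_session_state()) {
            case 1:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_IN_COMPLETE_STATE.  Proceeding with MessageInContext.");
                }
                this.sessionMgr.update_client_session(sessionEntry.get_client_session_key(), sessionEntry);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "updateSessionFromSR");
                }
                return;
            case 6:
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Session state:  SESSION_AUTHENTICATING.  Proceeding to EstablishContext in stateful mode.");
                }
                this.sessionMgr.update_client_session(sessionEntry.get_client_session_key(), sessionEntry);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "updateSessionFromSR");
                }
                return;
            case 2:
                rejection = "Invalid session state:  SESSION_IN_INCOMPLETE_STATE.";
                break;
            case 4:
                rejection = "Invalid session state:  SESSION_NEW.";
                break;
            default:
                // Covers states 3 and 5 and any unknown value. The text mentions a
                // stateless retry, but this method itself only rejects the request.
                rejection = "Session state:  INVALID STATE.  Proceeding to authenticate in stateless mode.";
                break;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, rejection);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "updateSessionFromSR", "NO_PERMISSION");
        }
        throw new NO_PERMISSION(rejection);
    }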

    /**
     * Converts the current IOR of a GIOP message into an object reference through the ORB.
     *
     * @param gIOPMessageContext message context that supplies the current IOR
     * @return whatever {@code orb.IORToObject} produces for that IOR
     */
    Object getCurrentObjectFromGIOPMessageContext(GIOPMessageContext gIOPMessageContext) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCurrentObjectFromGIOPMessageContext", new Object[]{gIOPMessageContext, this});
        }
        final Object target = this.orb.IORToObject(gIOPMessageContext.getCurrentIOR());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCurrentObjectFromGIOPMessageContext", target);
        }
        return target;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Produces the Subject to send outbound: either the result of the configured RMI
     * outbound login, or a copy of the caller's Subject carrying an opaque
     * authorization token.
     *
     * <p>The outbound login configuration named by
     * {@code com.ibm.CSI.rmiOutboundLoginConfig} runs when this is a server process or
     * when {@code com.ibm.CSI.rmiOutboundLoginEnabled} is set. Otherwise a new Subject
     * is derived from the existing one, and an opaque token is added to its private
     * credentials when one can be created. Both paths run inside
     * {@code AccessController.doPrivileged}.
     *
     * <p>NOTE(review): with debug trace enabled, the resulting Subject is rendered to a
     * string inside {@code doPrivileged}. {@code Subject.toString()} includes private
     * credentials when it is permitted to read them, so trace files may contain
     * credential material. Restrict access to trace output accordingly.
     *
     * @param subject                     Subject of the caller
     * @param cSIv2EffectivePerformPolicy effective policy for the target
     * @return the Subject to use for the outbound request
     * @throws NO_PERMISSION when the privileged login or token creation fails
     * @throws INTERNAL on any other exception
     */
    public Subject mapOutboundOrCreateOAT(final Subject subject, final CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapOutboundOrCreateOAT", new Object[]{subject, this});
        }
        final CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Going into outbound login config.  Outbound login: " + cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundLoginEnabled") + ", Authz Token: " + cSIv2EffectivePerformPolicy.performAuthorizationToken());
            }
            final CSIv2PerformPolicy loginPolicy = new CSIv2PerformPolicy(cSIv2EffectivePerformPolicy);
            final boolean useOutboundLogin = SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS) || cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundLoginEnabled");
            final PrivilegedExceptionAction mappingAction;
            if (useOutboundLogin) {
                // Server process, or outbound login explicitly enabled: run the login configuration.
                mappingAction = new PrivilegedExceptionAction() {
                    @Override
                    public Object run() throws WSLoginFailedException {
                        return ContextManagerFactory.getInstance().login(cSIv2Config.getString("com.ibm.CSI.rmiOutboundLoginConfig"), loginPolicy, SubjectHelper.createNewSubjectFromExisting(subject, cSIv2EffectivePerformPolicy));
                    }
                };
            } else {
                // No outbound login: copy the Subject and attach an opaque token when one exists.
                mappingAction = new PrivilegedExceptionAction() {
                    @Override
                    public Object run() throws WSLoginFailedException {
                        Subject copy = SubjectHelper.createNewSubjectFromExisting(subject, cSIv2EffectivePerformPolicy);
                        byte[] opaqueToken = WSOpaqueTokenHelper.getInstance().createOpaqueTokenFromSubject(subject);
                        if (opaqueToken != null) {
                            copy.getPrivateCredentials().add(new TokenHolder(opaqueToken, WSOpaqueTokenHelper.getInstance().getOpaqueTokenName(), WSOpaqueTokenHelper.getInstance().getOpaqueTokenVersion()));
                        }
                        return copy;
                    }
                };
            }
            final Subject outbound = (Subject) AccessController.doPrivileged(mappingAction);
            if (tc.isDebugEnabled()) {
                // The string is built under doPrivileged; see the trace caveat in the method comment.
                Tr.debug(tc, (String) AccessController.doPrivileged(new PrivilegedAction() {
                    @Override
                    public Object run() {
                        return "Subject with opaque token: " + outbound;
                    }
                }));
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "mapOutboundOrCreateOAT", outbound);
            }
            return outbound;
        } catch (PrivilegedActionException e) {
            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.mapOutboundOrCreateOAT", "1646", this);
            Exception cause = e.getException();
            Tr.debug(tc, "Privileged Action Exception", new Object[]{cause});
            throw new NO_PERMISSION("Problem occurred in credential mapping or attribute propagation.  Exception = " + cause.toString(), 1229079296, CompletionStatus.COMPLETED_NO);
        } catch (Exception e2) {
            Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.mapOutboundOrCreateOAT", "1654", this);
            Tr.debug(tc, "Java runtime exception.", new Object[]{e2});
            throw new INTERNAL("Java runtime exception.  Exception = " + e2.toString(), SecurityMinorCodes.JAVA_EXCEPTION, CompletionStatus.COMPLETED_NO);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Chooses the authentication mechanism for an outbound request and returns the
     * matching security context from the mechanism factory.
     *
     * <p>The choice starts from the OID of the WSCredential in {@code subject}, or the
     * policy's perform-client-auth mechanism OID when the Subject has no credential.
     * Two Kerberos cases fall back to LTPA when the target's mechanism list offers it:
     * the policy asks for Kerberos but the credential is LTPA, or both are Kerberos but
     * the Subject holds no GSS credential. The resulting OID is then mapped to a
     * {@code VaultConstants} mechanism type, with GSSUP as the final default.
     *
     * <p>NOTE(review): the fallback rewrites {@code cSIv2EffectivePerformPolicy} in
     * place (mechanism OID, mechanism and target security name). Trace text elsewhere
     * in this class says policies may come "from cache"; confirm whether this instance
     * is shared between requests before relying on the rewrite being request-local.
     *
     * @param subject                     Subject whose WSCredential drives the choice
     * @param cSIv2EffectivePerformPolicy effective policy for the target; may be modified
     * @param str                         passed unchanged to the mechanism factory
     * @param sessionManager              session manager updated when mechanism selection fails
     * @param sessionEntry                session entry marked with state 7 on that failure; may be null
     * @return the security context created by {@code _mechanismFactory}
     * @throws NO_PERMISSION when the credential OID cannot be read, when no usable
     *         mechanism can be matched in the Kerberos fallback cases, or when the
     *         factory reports a mechanism ambiguity
     */
    public SecurityContextImpl determineSecurityContextType(Subject subject, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy, String str, SessionManager sessionManager, SessionEntry sessionEntry) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "determineSecurityContextType", new Object[]{subject, str, sessionManager, sessionEntry, this});
        }
        CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        // Read up front; both values are only used by the MechanismAmbiguityException handler.
        long statefulContextID = cSIv2EffectivePerformPolicy.getStatefulContextID();
        ClientSessionKey clientSessionKey = cSIv2EffectivePerformPolicy.getClientSessionKey();
        try {
            // str2: mechanism type handed to the factory; str3: OID the decision is based on.
            String str2 = null;
            String str3 = null;
            WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
            if (wSCredentialFromSubject != null) {
                try {
                    str3 = wSCredentialFromSubject.getOID();
                } catch (Exception e) {
                    Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.determineSecurityContextType", "1703", this);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, SecurityMessages.getMsgOrUseDefault("JSAS0030W", "JSAS0030W: Credentials are invalid. Trying unauthenticated login."), new Object[]{e});
                    }
                    // Every getOID failure is reported as an expired credential; the real cause
                    // is only visible in the appended exception text and the FFDC record.
                    throw new NO_PERMISSION("Credentials have expired.  Exception = " + e, SecurityMinorCodes.CREDENTIAL_TOKEN_EXPIRED, CompletionStatus.COMPLETED_NO);
                }
            }
            String performClientAuthMechOID = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOID();
            if (str3 == null) {
                // No credential OID available: follow the policy's mechanism.
                str3 = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOID();
            } else if (OID.compareOIDs(performClientAuthMechOID, KRB5MechOID.value) && OID.compareOIDs(str3, "oid:1.3.18.0.2.30.2")) {
                // Policy asks for Kerberos but the credential is LTPA: look for LTPA in the
                // target's mechanism list and switch the policy to that entry.
                ArrayList performClientAuthMechOIDList = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOIDList();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "determineSecurityContextType oid list", performClientAuthMechOIDList);
                }
                boolean z = false;
                if (performClientAuthMechOIDList != null) {
                    ArrayList performClientAuthMechList = cSIv2EffectivePerformPolicy.getPerformClientAuthMechList();
                    for (int i = 0; i < performClientAuthMechOIDList.size() && !z; i++) {
                        String str4 = (String) performClientAuthMechOIDList.get(i);
                        if (OID.compareOIDs(str4, "oid:1.3.18.0.2.30.2")) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "determineSecurityContextType found LTPA oid in target");
                            }
                            z = true;
                            // assumes the OID, mechanism and target-security-name lists are
                            // index-aligned — TODO confirm
                            cSIv2EffectivePerformPolicy.setPerformClientAuthMechOID(str4);
                            cSIv2EffectivePerformPolicy.setPerformClientAuthMech((String) performClientAuthMechList.get(i));
                            performClientAuthMechOID = str4;
                            cSIv2EffectivePerformPolicy.setTargetSecurityName((String) cSIv2EffectivePerformPolicy.getTargetSecurityNameList().get(i));
                        }
                    }
                }
                if (!z) {
                    // The minor code says "token expired" although the cause is a mechanism
                    // mismatch; the JSAS1505E trace text carries the accurate description.
                    Tr.debug(tc, SecurityMessages.getMsgOrUseDefault("JSAS1505E", "JSAS1505E: LTPA WSCredential can not go outbound with Kerberos authentication."));
                    throw new NO_PERMISSION("Mis-match wsCredential.  ", SecurityMinorCodes.CREDENTIAL_TOKEN_EXPIRED, CompletionStatus.COMPLETED_NO);
                }
            } else if (OID.compareOIDs(performClientAuthMechOID, KRB5MechOID.value) && OID.compareOIDs(str3, KRB5MechOID.value) && SubjectHelper.getGSSCredentialFromSubject(subject) == null) {
                // Kerberos on both sides, but the Subject holds no GSS credential: same LTPA
                // fallback as the branch above.
                ArrayList performClientAuthMechOIDList2 = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOIDList();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "EffectivePolicyPerformMech and performMech are KRB5MechOid");
                    Tr.debug(tc, "determineSecurityContextType oid list", performClientAuthMechOIDList2);
                }
                boolean z2 = false;
                if (performClientAuthMechOIDList2 != null) {
                    ArrayList performClientAuthMechList2 = cSIv2EffectivePerformPolicy.getPerformClientAuthMechList();
                    for (int i2 = 0; i2 < performClientAuthMechOIDList2.size() && !z2; i2++) {
                        String str5 = (String) performClientAuthMechOIDList2.get(i2);
                        if (OID.compareOIDs(str5, "oid:1.3.18.0.2.30.2")) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "determineSecurityContextType found LTPA oid in target");
                            }
                            z2 = true;
                            cSIv2EffectivePerformPolicy.setPerformClientAuthMechOID(str5);
                            cSIv2EffectivePerformPolicy.setPerformClientAuthMech((String) performClientAuthMechList2.get(i2));
                            performClientAuthMechOID = str5;
                            cSIv2EffectivePerformPolicy.setTargetSecurityName((String) cSIv2EffectivePerformPolicy.getTargetSecurityNameList().get(i2));
                        }
                    }
                }
                if (!z2) {
                    Tr.debug(tc, SecurityMessages.getMsgOrUseDefault("JSAS1506E", "JSAS1506E: Kerberos WSCredential without GSSCredential can not go outbound with Kerberos authentication."));
                    throw new NO_PERMISSION("Mis-match wsCredential.  ", SecurityMinorCodes.CREDENTIAL_TOKEN_EXPIRED, CompletionStatus.COMPLETED_NO);
                }
            }
            // Policy (possibly rewritten above) is LTPA while the credential is Kerberos:
            // continue with the LTPA OID.
            if (OID.compareOIDs(performClientAuthMechOID, "oid:1.3.18.0.2.30.2") && OID.compareOIDs(str3, KRB5MechOID.value)) {
                str3 = performClientAuthMechOID;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSCred is Kerberos but going outbound with LTPA mech");
                }
            }
            // Map the chosen OID to a mechanism type. The RSA propagation mechanism is only
            // accepted when the policy is flagged as admin.
            if (OID.compareOIDs(str3, "oid:2.23.130.1.1.1")) {
                str2 = VaultConstants.GSSUP_MECH_TYPE;
            } else if (OID.compareOIDs(str3, cSIv2Config.getString(CSIv2Config.CUSTOM_AUTH_MECH_OID))) {
                str2 = VaultConstants.CUSTOM_MECH_TYPE;
            } else if (OID.compareOIDs(str3, "oid:1.3.18.0.2.30.2")) {
                str2 = VaultConstants.LTPA_MECH_TYPE;
            } else if (cSIv2EffectivePerformPolicy.isAdmin() && OID.compareOIDs(str3, "oid:1.3.18.0.2.30.6")) {
                str2 = VaultConstants.RSA_PROP_MECH_TYPE;
            } else if (OID.compareOIDs(str3, KRB5MechOID.value)) {
                str2 = VaultConstants.KRB5_MECH_TYPE;
            } else {
                // Unknown OID: fall back to the identity-assertion naming mechanisms. The loop
                // has no break, so the last recognised entry in the list decides.
                String[] performIDANamingMechList = cSIv2EffectivePerformPolicy.getPerformIDANamingMechList();
                if (performIDANamingMechList != null) {
                    for (int i3 = 0; i3 < performIDANamingMechList.length; i3++) {
                        if (OID.compareOIDs(performIDANamingMechList[i3], "oid:2.23.130.1.1.1")) {
                            str2 = VaultConstants.GSSUP_MECH_TYPE;
                        } else if (OID.compareOIDs(performIDANamingMechList[i3], cSIv2Config.getString(CSIv2Config.CUSTOM_AUTH_MECH_OID))) {
                            str2 = VaultConstants.CUSTOM_MECH_TYPE;
                        } else if (OID.compareOIDs(performIDANamingMechList[i3], KRB5MechOID.value)) {
                            str2 = VaultConstants.KRB5_MECH_TYPE;
                        } else if (OID.compareOIDs(performIDANamingMechList[i3], "oid:1.3.18.0.2.30.2")) {
                            str2 = VaultConstants.LTPA_MECH_TYPE;
                        } else if (cSIv2EffectivePerformPolicy.isAdmin() && OID.compareOIDs(performIDANamingMechList[i3], "oid:1.3.18.0.2.30.6")) {
                            str2 = VaultConstants.RSA_PROP_MECH_TYPE;
                        }
                    }
                }
                // Nothing matched: GSSUP is the silent default.
                // NOTE(review): confirm that defaulting, rather than rejecting, is intended here.
                if (str2 == null) {
                    str2 = VaultConstants.GSSUP_MECH_TYPE;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating " + str2 + " security context.");
            }
            SecurityContextImpl securityContext = this._mechanismFactory.getSecurityContext(str2, str);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "determineSecurityContextType", securityContext);
            }
            return securityContext;
        } catch (MechanismAmbiguityException e2) {
            Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.determineSecurityContextType", "1851", this);
            Tr.error(tc, "security.JSAS0120E", new Object[]{e2});
            // For a stateful session, record state 7 in both the session manager and the
            // entry before rejecting the request.
            if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                sessionEntry.set_session_state(7);
            }
            throw new NO_PERMISSION("security.JSAS0120E  Original exception = " + e2, SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setIdentityToken(IdentityToken identityToken, Subject subject, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy, SessionManager sessionManager, SessionEntry sessionEntry) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setIdentityToken", new Object[]{identityToken, subject, sessionManager, sessionEntry, this});
        }
        String str = "";
        CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        long statefulContextID = cSIv2EffectivePerformPolicy.getStatefulContextID();
        ClientSessionKey clientSessionKey = cSIv2EffectivePerformPolicy.getClientSessionKey();
        boolean performIdentityAssertion = cSIv2EffectivePerformPolicy.performIdentityAssertion();
        final WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
        if (!performIdentityAssertion) {
            identityToken.absent(true);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Identity Assertion set to absent.");
            }
        } else if (performIdentityAssertion && (wSCredentialFromSubject == null || wSCredentialFromSubject.isUnauthenticated())) {
            if ((cSIv2EffectivePerformPolicy.getPerformIdentityTokenType() & 1) == 0) {
                Tr.error(tc, "security.JSAS0489E");
                throw new NO_PERMISSION("security.JSAS0489E", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Identity Assertion set to anonymous: ");
            }
            identityToken.anonymous(true);
        } else if (performIdentityAssertion) {
            try {
                PrivilegedExceptionAction privilegedExceptionAction = new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.6
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws WSLoginFailedException, CredentialDestroyedException, CredentialExpiredException {
                        return wSCredentialFromSubject.get("wssecurity.identity_name");
                    }
                };
                PrivilegedExceptionAction privilegedExceptionAction2 = new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.7
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws WSLoginFailedException, CredentialDestroyedException, CredentialExpiredException {
                        return wSCredentialFromSubject.get("wssecurity.identity_value");
                    }
                };
                try {
                    String str2 = (String) AccessController.doPrivileged(privilegedExceptionAction);
                    byte[] bArr = (byte[]) AccessController.doPrivileged(privilegedExceptionAction2);
                    if (str2 == null) {
                        str2 = VaultConstants.ClientAuthToken;
                        bArr = StringBytesConversion.getConvertedBytes(wSCredentialFromSubject.getRealmSecurityName());
                    }
                    boolean z = false;
                    boolean z2 = false;
                    boolean z3 = false;
                    String[] performIDANamingMechList = cSIv2EffectivePerformPolicy.getPerformIDANamingMechList();
                    if (performIDANamingMechList == null) {
                        z2 = true;
                    } else {
                        for (int i = 0; i < performIDANamingMechList.length; i++) {
                            if (OID.compareOIDs(performIDANamingMechList[i], "oid:2.23.130.1.1.1")) {
                                z2 = true;
                            }
                            if (OID.compareOIDs(performIDANamingMechList[i], KRB5MechOID.value)) {
                                z = true;
                            }
                            if (OID.compareOIDs(performIDANamingMechList[i], "oid:1.3.18.0.2.30.2")) {
                                z3 = true;
                            }
                            if (tc.isDebugEnabled()) {
                                str = "Mechanism available from target: " + performIDANamingMechList[i];
                                Tr.debug(tc, str);
                            }
                        }
                    }
                    if (tc.isDebugEnabled()) {
                        str = "Identity Name in Credential: " + str2;
                        Tr.debug(tc, str);
                    }
                    if (VaultConstants.ClientAuthToken.equals(str2) || VaultConstants.DeserializedSubjectIdentity.equals(str2)) {
                        String convertedString = StringBytesConversion.getConvertedString(bArr);
                        String realm = RealmSecurityName.getRealm(convertedString);
                        String securityName = RealmSecurityName.getSecurityName(convertedString);
                        boolean z4 = (cSIv2Config.getBoolean("com.ibm.ws.security.assertLDAPShortName") || !cSIv2Config.getString(CSIv2Config.ACTIVE_USER_REGISTRY).equals("LDAP") || (cSIv2EffectivePerformPolicy.getPerformIdentityTokenType() & 8) == 0) ? false : true;
                        if (tc.isDebugEnabled()) {
                            str = "performDNAssertion: " + z4;
                            Tr.debug(tc, str);
                        }
                        if (z4 || (cSIv2EffectivePerformPolicy.getPerformIdentityTokenType() & 2) == 0) {
                            if (!z4) {
                                Tr.error(tc, "security.JSAS0490E");
                                if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                    sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                    sessionEntry.set_session_state(7);
                                }
                                throw new NO_PERMISSION("security.JSAS0490E", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                            }
                            try {
                                String uniqueSecurityName = wSCredentialFromSubject.getUniqueSecurityName();
                                if (tc.isDebugEnabled()) {
                                    str = "principal: " + uniqueSecurityName;
                                    Tr.debug(tc, str);
                                }
                                if (ContextManagerFactory.getInstance().isInternalServerCredential(wSCredentialFromSubject)) {
                                    uniqueSecurityName = formatInternalServerId(wSCredentialFromSubject);
                                }
                                wSCredentialFromSubject.getRealmUniqueSecurityName();
                                try {
                                    Any create_any = this.orb.create_any();
                                    final String str3 = uniqueSecurityName;
                                    X501DistinguishedNameHelper.insert(create_any, (byte[]) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.8
                                        @Override // java.security.PrivilegedExceptionAction
                                        public Object run() throws Exception {
                                            X509CertSelector x509CertSelector = new X509CertSelector();
                                            x509CertSelector.setIssuer(str3);
                                            return x509CertSelector.getIssuerAsBytes();
                                        }
                                    }));
                                    identityToken.dn(this.csiUtil.getCodec().encode_value(create_any));
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Identity Assertion set to DN name (clientAuthenticationToken): " + uniqueSecurityName);
                                    }
                                } catch (PrivilegedActionException e) {
                                    Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.setIdentityToken", "2193", this);
                                    Tr.error(tc, "security.JSAS0622E", new Object[]{e.getException()});
                                    if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                        sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                        sessionEntry.set_session_state(7);
                                    }
                                    throw new NO_PERMISSION("security.JSAS0622E  Privileged exception = " + e, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
                                } catch (Exception e2) {
                                    Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.setIdentityToken", "2209", this);
                                    Tr.error(tc, "security.JSAS0622E", new Object[]{e2});
                                    if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                        sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                        sessionEntry.set_session_state(7);
                                    }
                                    throw new NO_PERMISSION("security.JSAS0622E  Original exception = " + e2, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
                                }
                            } catch (Exception e3) {
                                if (tc.isDebugEnabled()) {
                                    str = "Exception occurred getting unique security name from credential: " + e3.getMessage();
                                    Tr.debug(tc, str, new Object[]{e3});
                                }
                                Manager.Ffdc.log(e3, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.send_request", "2153", this);
                                throw new NO_PERMISSION(str + "  Original exception = " + e3, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
                            }
                        } else {
                            try {
                                Any create_any2 = this.orb.create_any();
                                if (z2) {
                                    if (securityName != null && securityName.length() > 0 && securityName.indexOf("@") > -1) {
                                        int length = securityName.length();
                                        StringBuffer stringBuffer = new StringBuffer(2 * length);
                                        for (int i2 = 0; i2 < length; i2++) {
                                            char charAt = securityName.charAt(i2);
                                            if (charAt == '@') {
                                                stringBuffer.append(SecConstants.STRING_ESCAPE_CHARACTER).append(charAt);
                                            } else {
                                                stringBuffer.append(charAt);
                                            }
                                        }
                                        securityName = stringBuffer.toString();
                                    }
                                    GSSFactory gSSFactory = new GSSFactory("oid:2.23.130.1.1.1");
                                    if ((realm == null || realm.equals("")) && securityName != null && !securityName.equals("")) {
                                        GSS_NT_ExportedNameHelper.insert(create_any2, gSSFactory.encodeExportedTargetName(securityName));
                                    } else if (realm == null || realm.equals("") || !(securityName == null || securityName.equals(""))) {
                                        GSS_NT_ExportedNameHelper.insert(create_any2, gSSFactory.encodeExportedTargetName(securityName + "@" + realm));
                                    } else {
                                        GSS_NT_ExportedNameHelper.insert(create_any2, gSSFactory.encodeExportedTargetName("@" + realm));
                                    }
                                } else if (!z && z3) {
                                    GSS_NT_ExportedNameHelper.insert(create_any2, new GSSFactory("oid:1.3.18.0.2.30.2").encodeExportedTargetName(convertedString));
                                }
                                identityToken.principal_name(this.csiUtil.getCodec().encode_value(create_any2));
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Identity Assertion set to principal_name (clientAuthenticationToken): " + securityName);
                                }
                            } catch (Exception e4) {
                                Manager.Ffdc.log(e4, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.setIdentityToken", "2104", this);
                                Tr.error(tc, "security.JSAS0622E", new Object[]{e4});
                                if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                    sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                    sessionEntry.set_session_state(7);
                                }
                                throw new NO_PERMISSION("security.JSAS0622E  Original exception = " + e4, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
                            }
                        }
                    } else if (VaultConstants.ClientCertificate.equals(str2)) {
                        if ((cSIv2EffectivePerformPolicy.getPerformIdentityTokenType() & 4) == 0) {
                            Tr.error(tc, "security.JSAS0491E");
                            if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                sessionEntry.set_session_state(7);
                            }
                            throw new NO_PERMISSION("security.JSAS0491E", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                        }
                        identityToken.certificate_chain(bArr);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Identity Assertion set to certificates (clientCertificate).");
                        }
                    } else if (VaultConstants.ITTPrincipalName.equals(str2)) {
                        if ((cSIv2EffectivePerformPolicy.getPerformIdentityTokenType() & 2) == 0) {
                            Tr.error(tc, "security.JSAS0492E");
                            if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                sessionEntry.set_session_state(7);
                            }
                            throw new NO_PERMISSION("security.JSAS0492E", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                        }
                        identityToken.principal_name(bArr);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Identity Assertion set to principal_name (ITTPrincipalName): " + StringBytesConversion.getConvertedString(bArr));
                        }
                    } else if (VaultConstants.ITTDistinguishedName.equals(str2)) {
                        if ((cSIv2EffectivePerformPolicy.getPerformIdentityTokenType() & 8) == 0) {
                            Tr.error(tc, "security.JSAS0493E");
                            if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                sessionEntry.set_session_state(7);
                            }
                            throw new NO_PERMISSION("security.JSAS0493E", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                        }
                        identityToken.dn(bArr);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Identity Assertion set to distinguished name (ITTDistinguishedName): " + StringBytesConversion.getConvertedString(bArr));
                        }
                    } else if (VaultConstants.ITTX509CertChain.equals(str2)) {
                        if ((cSIv2EffectivePerformPolicy.getPerformIdentityTokenType() & 4) == 0) {
                            Tr.error(tc, "security.JSAS0491E");
                            if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                                sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                                sessionEntry.set_session_state(7);
                            }
                            throw new NO_PERMISSION("security.JSAS0491E", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                        }
                        identityToken.certificate_chain(bArr);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Identity Assertion set to certificates (ITTX509CertChain).");
                        }
                    } else if (cSIv2Config.getInteger("com.ibm.CORBA.authenticationTarget") == 4) {
                        identityToken.absent(true);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Identity Assertion set to absent: ");
                        }
                    }
                } catch (PrivilegedActionException e5) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception occurred: " + e5.getException().getMessage());
                    }
                    Manager.Ffdc.log(e5.getException(), this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.setIdentityToken", "1970", this);
                    throw e5.getException();
                }
            } catch (Exception e6) {
                Manager.Ffdc.log(e6, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.setIdentityToken", "1976", this);
                Tr.audit(tc, "Cannot get Identity Values: ");
                if (cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && statefulContextID != 0) {
                    sessionManager.csi_client_session_status_update(statefulContextID, clientSessionKey, 7);
                    sessionEntry.set_session_state(7);
                }
                throw new NO_PERMISSION(str + "  Original exception = " + e6, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setIdentityToken");
        }
    }

    /**
     * Renders the realm-qualified unique security name of a credential as a
     * {@code cn=<after-slash>@<before-slash>} string.
     *
     * <p>The value of {@code getRealmUniqueSecurityName()} is split at its first {@code "/"}.
     * Presumably the part before the slash is the realm and the part after it the unique
     * name (inferred from the accessor name; confirm against WSCredential).
     *
     * <p>NOTE(review): neither part is escaped before being placed in the string. Elsewhere in
     * this class the result is handed to {@code X509CertSelector.setIssuer(String)}, which
     * parses it as a distinguished name, so a {@code ','}, {@code '+'}, {@code '='} or similar
     * character in either part would change how it is parsed. Confirm that internal server
     * ids can never contain such characters, or escape them here.
     *
     * @param wSCredential credential whose realm-qualified unique security name is read;
     *     a {@code null} name from the credential results in a NullPointerException
     * @return the formatted string; the literal {@code "cn=null"} when the name has no {@code "/"}
     * @throws CredentialExpiredException propagated from the credential accessor
     * @throws CredentialDestroyedException propagated from the credential accessor
     */
    protected String formatInternalServerId(WSCredential wSCredential) throws CredentialExpiredException, CredentialDestroyedException {
        final String qualifiedName = wSCredential.getRealmUniqueSecurityName();
        final int slashAt = qualifiedName.indexOf("/");
        final String dnText;
        if (slashAt == -1) {
            // NOTE(review): with no separator this yields the constant "cn=null", which the
            // caller then asserts as an identity. Looks like a decompiled null local; confirm
            // whether this path should reject the credential instead.
            dnText = "cn=" + ((String) null);
        } else {
            final String beforeSlash = qualifiedName.substring(0, slashAt);
            final String afterSlash = qualifiedName.substring(slashAt + 1);
            dnText = "cn=" + afterSlash + "@" + beforeSlash;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Converted internal server id to DN format: " + dnText);
        }
        return dnText;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Fills in {@code securityContextImpl} for an outbound request: chooses the token type
     * from the effective policy, attaches the identity token and client subject, and then
     * calls {@code csi_client_preprotect}.
     *
     * <p>Token type selection:
     * <ul>
     *   <li>client authentication and identity assertion: {@code CLIENTAUTH_AND_IDENTITY}</li>
     *   <li>identity assertion only: {@code IDENTITY_ONLY}</li>
     *   <li>client authentication only: {@code CLIENTAUTH_ONLY}, after checking that the
     *       credential carries a token when running in a server process</li>
     *   <li>neither: the token type is left as it was</li>
     * </ul>
     *
     * <p>Entry tracing passes the subject and identity token objects to {@code Tr.entry};
     * what ends up in the trace depends on their {@code toString()} (not visible here).
     *
     * @param clientRequestInfo request being sent; forwarded to {@code csi_client_preprotect}
     * @param securityContextImpl context to populate; {@code null} is rejected with NO_PERMISSION
     * @param identityToken identity token stored on the context
     * @param subject client subject; its WSCredential is read and the subject is stored on the context
     * @param cSIv2EffectivePerformPolicy policy supplying the authentication/assertion flags,
     *     target host name and stateful session identifiers
     * @param sessionManager notified with status 7 when a stateful session is rejected
     * @param sessionEntry session entry set to state 7 on rejection; may be {@code null}
     * @param str value stored as the target realm in the client-authentication-only case
     * @throws NO_PERMISSION when the context is {@code null}, or when anything fails while
     *     preparing the client-authentication-only token
     */
    public void setSecurityContext(ClientRequestInfo clientRequestInfo, SecurityContextImpl securityContextImpl, IdentityToken identityToken, Subject subject, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy, SessionManager sessionManager, SessionEntry sessionEntry, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setSecurityContext", new Object[]{clientRequestInfo, securityContextImpl, identityToken, subject, sessionManager, sessionEntry, str, this});
        }
        final long contextId = cSIv2EffectivePerformPolicy.getStatefulContextID();
        final ClientSessionKey sessionKey = cSIv2EffectivePerformPolicy.getClientSessionKey();
        final boolean assertIdentity = cSIv2EffectivePerformPolicy.performIdentityAssertion();
        final boolean authenticateClient = cSIv2EffectivePerformPolicy.performClientAuthentication();
        final WSCredential credential = SubjectHelper.getWSCredentialFromSubject(subject);

        if (securityContextImpl == null) {
            Tr.error(tc, "security.JSAS0120E");
            final boolean trackedSession = cSIv2EffectivePerformPolicy.isStateful() && sessionEntry != null && contextId != 0;
            if (trackedSession) {
                // Record the rejection on both the manager and the entry (state 7; its meaning is defined elsewhere).
                sessionManager.csi_client_session_status_update(contextId, sessionKey, 7);
                sessionEntry.set_session_state(7);
            }
            throw new NO_PERMISSION("security.JSAS0120E", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
        }

        if (assertIdentity && authenticateClient) {
            securityContextImpl.setTokenType(VaultConstants.CLIENTAUTH_AND_IDENTITY);
        } else if (assertIdentity) {
            securityContextImpl.setTokenType(VaultConstants.IDENTITY_ONLY);
        } else if (authenticateClient) {
            try {
                final boolean tokenMissing = credential.getCredentialToken() == null;
                // A server process with no token on the credential has nothing to forward: fail closed.
                if (tokenMissing && SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS)) {
                    final String noTokenText = "The WSCredential does not contain a forwardable token. Please enable Identity Assertion for this scenario.";
                    Tr.debug(tc, noTokenText);
                    throw new NO_PERMISSION(noTokenText, SecurityMinorCodes.INVALID_CREDENTIAL_TOKEN, CompletionStatus.COMPLETED_NO);
                }
                securityContextImpl.set_target_host_and_port(cSIv2EffectivePerformPolicy.getTargetHostName());
                securityContextImpl.set_target_realm(str);
                securityContextImpl.setTokenType(VaultConstants.CLIENTAUTH_ONLY);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Setting Client Authentication Token in the SecurityContextImpl. ");
                }
            } catch (Exception e) {
                // NOTE(review): this handler also catches the NO_PERMISSION thrown just above, so
                // that failure reaches the caller with minor code CREDENTIAL_NOT_AVAILABLE rather
                // than INVALID_CREDENTIAL_TOKEN. Unlike the null-context path, the stateful
                // session is not moved to state 7 here. Confirm both are intended.
                String failureText = "";
                if (tc.isDebugEnabled()) {
                    failureText = "Exception occurred getting token from credential: " + e.getMessage();
                    Tr.debug(tc, failureText, new Object[]{e});
                }
                Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSIClientRIBase.setSecurityContext", "2473", this);
                throw new NO_PERMISSION(failureText + "  Original exception = " + e, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
            }
        }

        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Set token type to: " + securityContextImpl.getTokenType());
        }
        securityContextImpl.setIdentityToken(identityToken);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Setting Identity Token in the SecurityContextImpl. ");
        }
        securityContextImpl.setClientSubject(subject);
        // The context is passed both as receiver and as argument, as the callee's signature requires.
        securityContextImpl.csi_client_preprotect(clientRequestInfo, securityContextImpl);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setSecurityContext");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reports whether the request is flagged as local by the ORB.
     *
     * <p>The answer comes solely from {@code ExtendedClientRequestInfo.isLocal()}; this method
     * adds a debug trace line and nothing else.
     *
     * @param clientRequestInfo request to inspect; must be an {@code ExtendedClientRequestInfo}
     * @return {@code true} for a local ORB request, {@code false} for a remote one
     * @throws ClassCastException if {@code clientRequestInfo} is not an {@code ExtendedClientRequestInfo}
     * @throws NullPointerException if {@code clientRequestInfo} is {@code null}
     */
    public boolean is_local_client_request(ClientRequestInfo clientRequestInfo) {
        final boolean localRequest = ((ExtendedClientRequestInfo) clientRequestInfo).isLocal();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, localRequest ? "Local ORB request." : "Remote ORB request.");
        }
        return localRequest;
    }

    /**
     * Hook for requests that stay within the local ORB. This implementation does nothing:
     * no security context is built or attached here.
     *
     * <p>NOTE(review): presumably subclasses override this where local requests need
     * processing; confirm against the callers.
     *
     * @param clientRequestInfo the local request (unused here)
     * @throws ForwardRequest declared for overriding implementations; never thrown here
     */
    public void send_request_local(ClientRequestInfo clientRequestInfo) throws ForwardRequest {
        // Intentionally empty.
    }

    /* JADX INFO: Access modifiers changed from: protected */
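    /**
     * Returns the subject embedded in a {@code WSSubjectWrapper} private credential of
     * {@code subject}, or {@code subject} itself when there is nothing to unwrap.
     *
     * <p>Unwrapping only happens when {@code com.ibm.CSI.rmiOutboundMappingEnabled} is true in
     * the CSIv2 configuration. The private credentials are read inside {@code doPrivileged},
     * so the read is checked against this class's permissions rather than the caller's.
     *
     * <p>NOTE(review): when more than one wrapper is present, the first one returned by the
     * credential set's iterator is used and only a warning is logged. A {@code Set} gives no
     * ordering guarantee, so which embedded subject is used is not deterministic in that
     * case. Consider rejecting the subject instead of choosing one.
     *
     * <p>With debug trace enabled, the security name of the returned subject is written to
     * the trace.
     *
     * @param subject subject to inspect; may be {@code null}
     * @return the embedded subject when one is found and non-null, otherwise {@code subject}
     */
    public Subject unwrapSubject(final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "CSIClientRIBase.unwrapSubject");
        }
        CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        Subject result = subject;
        if (subject != null && cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundMappingEnabled")) {
            Subject embedded = (Subject) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    // Collection.iterator() never returns null, so only emptiness is checked.
                    Iterator<WSSubjectWrapper> wrappers = subject.getPrivateCredentials(WSSubjectWrapper.class).iterator();
                    if (!wrappers.hasNext()) {
                        if (CSIClientRIBase.tc.isDebugEnabled()) {
                            Tr.debug(CSIClientRIBase.tc, "unwrapSubject: no embedded subject found");
                        }
                        return subject;
                    }
                    if (CSIClientRIBase.tc.isDebugEnabled()) {
                        Tr.debug(CSIClientRIBase.tc, "unwrapSubject: found embedded subject");
                    }
                    WSSubjectWrapper wrapper = wrappers.next();
                    if (wrappers.hasNext()) {
                        Tr.warning(CSIClientRIBase.tc, "Embedded subject contains more than one WSSubjectWrapper object");
                    }
                    return wrapper.getSubject();
                }
            });
            // A wrapper holding a null subject falls back to the subject that was passed in.
            if (embedded != null) {
                result = embedded;
                if (tc.isDebugEnabled()) {
                    try {
                        WSCredential credential = SubjectHelper.getWSCredentialFromSubject(embedded);
                        if (credential != null) {
                            Tr.debug(tc, "subject security name = " + credential.getSecurityName());
                        } else {
                            Tr.debug(tc, "subject with null WSCredential");
                        }
                    } catch (Exception e) {
                        // Trace-only lookup: a failure stays non-fatal, but is recorded
                        // rather than dropped silently.
                        Tr.debug(tc, "unwrapSubject: unable to read security name for trace", new Object[]{e});
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "CSIClientRIBase.unwrapSubject");
        }
        return result;
    }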
}
