package com.ibm.ws.transport.iiop.security.config.tss;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.csiv2.Authenticator;
import com.ibm.ws.security.csiv2.SecurityMinorCodes;
import com.ibm.ws.security.csiv2.TraceConstants;
import com.ibm.ws.transport.iiop.security.SASException;
import com.ibm.ws.transport.iiop.security.SASInvalidEvidenceException;
import com.ibm.ws.transport.iiop.security.SASInvalidMechanismException;
import com.ibm.ws.transport.iiop.security.util.Util;
import com.ibm.wsspi.security.csiv2.TrustedIDEvaluator;
import java.io.UnsupportedEncodingException;
import javax.security.auth.Subject;
import org.omg.CSI.EstablishContext;
import org.omg.CSIIOP.AS_ContextSec;
import org.omg.GSSUP.InitialContextToken;
import org.omg.IOP.Codec;

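/**
 * Target-side authentication-layer configuration for the GSSUP mechanism, in which the
 * client presents a username and password inside the CSIv2 EstablishContext message.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #check} and {@link #isTrusted} both turn the token's password bytes into an
 *       immutable {@code String} because that is what the collaborators are called with here;
 *       the value cannot be wiped afterwards, so keep it out of traces and messages.</li>
 *   <li>The {@code authenticator} field is {@code transient} and is not set by the no-arg
 *       constructor, so an instance built that way (or restored by deserialization) has no
 *       authenticator until one is supplied by some other means not visible in this class.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/transport/iiop/security/config/tss/TSSGSSUPMechConfig.class */
public class TSSGSSUPMechConfig extends TSSASMechConfig {
    private transient Authenticator authenticator;
    public static final String mechanism = "GSSUP";
    private String targetName;
    private boolean required;
    static final long serialVersionUID = 7106726903269059196L;
    private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(TSSGSSUPMechConfig.class);

    /** Association-option bit advertised and required by this mechanism (CSIIOP EstablishTrustInClient). */
    private static final short ESTABLISH_TRUST_IN_CLIENT = 64;

    /**
     * Minor code attached to every SASInvalidEvidenceException raised here (0x49424300).
     * NOTE(review): presumably mirrors a constant in SecurityMinorCodes - confirm and reuse it.
     */
    private static final int INVALID_EVIDENCE_MINOR_CODE = 1229079296;

    /** Creates an unconfigured instance: no authenticator, no target name, authentication optional. */
    public TSSGSSUPMechConfig() {
        this.authenticator = null;
    }

    /**
     * @param authenticator verifies the username/password taken from the client token
     * @param str           target name a client token must carry to be accepted
     * @param z             {@code true} if a client authentication token is mandatory
     */
    public TSSGSSUPMechConfig(Authenticator authenticator, String str, boolean z) {
        this.authenticator = authenticator;
        this.targetName = str;
        this.required = z;
    }

    /** @return the target name compared against the one in the client token */
    public String getTargetName() {
        return this.targetName;
    }

    /** @param str the target name a client token must carry to be accepted */
    public void setTargetName(String str) {
        this.targetName = str;
    }

    /** @return {@code true} if a client authentication token is mandatory */
    public boolean isRequired() {
        return this.required;
    }

    /** @param z {@code true} to reject requests that carry no client authentication token */
    public void setRequired(boolean z) {
        this.required = z;
    }

    /** @return the association options this mechanism supports; always EstablishTrustInClient */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public short getSupports() {
        return ESTABLISH_TRUST_IN_CLIENT;
    }

    /** @return EstablishTrustInClient when authentication is mandatory, otherwise 0 */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public short getRequires() {
        return this.required ? ESTABLISH_TRUST_IN_CLIENT : (short) 0;
    }

    /**
     * Builds the AS_ContextSec component published in the IOR for this mechanism.
     *
     * @param codec not used by this implementation
     * @return the populated component
     * @throws Exception declared by the overridden method; see Util for what encoding can raise
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public AS_ContextSec encodeIOR(Codec codec) throws Exception {
        AS_ContextSec aS_ContextSec = new AS_ContextSec();
        aS_ContextSec.target_supports = ESTABLISH_TRUST_IN_CLIENT;
        aS_ContextSec.target_requires = this.required ? ESTABLISH_TRUST_IN_CLIENT : (short) 0;
        // NOTE(review): the mechanism OID and exported name are derived from
        // TSSNULLASMechConfig.NULL_OID rather than a GSSUP-specific constant; this may be a
        // decompilation artifact - confirm against the original source.
        aS_ContextSec.client_authentication_mech = Util.encodeOID(TSSNULLASMechConfig.NULL_OID);
        aS_ContextSec.target_name = Util.encodeGSSExportName(TSSNULLASMechConfig.NULL_OID, this.targetName);
        return aS_ContextSec;
    }

    /**
     * Authenticates the client from the GSSUP token carried in {@code establishContext}.
     *
     * @param establishContext the client's EstablishContext message; may be {@code null}
     * @param codec            codec handed to Util.decodeGSSUPToken
     * @return the Subject produced by the authenticator, or {@code null} when authentication is
     *         optional and the client sent no token (or a token without a target name)
     * @throws SASException if the token cannot be decoded, names a different target, fails
     *                      authentication, or is missing or incomplete while authentication is required
     * @throws IllegalStateException if no authenticator is available
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    @FFDCIgnore({AuthenticationException.class})
    public Subject check(EstablishContext establishContext, Codec codec) throws SASException {
        boolean tokenPresent = establishContext != null
                && establishContext.client_authentication_token != null
                && establishContext.client_authentication_token.length > 0;
        if (!tokenPresent) {
            if (this.required) {
                throw new SASInvalidEvidenceException("Client authentication is required at the server, but there was no client authentication token sent by the client.", INVALID_EVIDENCE_MINOR_CODE);
            }
            return null;
        }

        InitialContextToken initialContextToken = new InitialContextToken();
        if (!Util.decodeGSSUPToken(codec, establishContext.client_authentication_token, initialContextToken)) {
            throw new SASInvalidMechanismException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_SERVER_CANNOT_DECODE_GSSUP", new Object[0], "CWWKS9549E: The server cannot decode the GSSUP token sent by the client and it cannot authenticate the token."), SecurityMinorCodes.GSS_FORMAT_ERROR);
        }

        if (initialContextToken.target_name == null) {
            // Fail closed: the no-token case above rejects the request when authentication is
            // required, so a token that carries no target name gets the same treatment instead
            // of quietly yielding a null Subject.
            if (this.required) {
                throw new SASInvalidEvidenceException("Client authentication is required at the server, but the client authentication token sent by the client has no target name.", INVALID_EVIDENCE_MINOR_CODE);
            }
            return null;
        }

        try {
            String tokenTargetName = new String(initialContextToken.target_name, "UTF8");
            // Compare from the token side so that an unset configured target name is reported
            // as a mismatch rather than surfacing as a NullPointerException.
            if (!tokenTargetName.equals(this.targetName)) {
                throw new SASException(2);
            }
            if (this.authenticator == null) {
                // The field is transient and the no-arg constructor leaves it unset.
                throw new IllegalStateException("No authenticator is available to verify the GSSUP token.");
            }
            // NOTE(review): the password becomes an immutable String here and cannot be zeroed.
            return this.authenticator.authenticate(Util.extractUserNameFromScopedName(initialContextToken.username), new String(initialContextToken.password, "UTF8"));
        } catch (AuthenticationException e) {
            // NOTE(review): the authenticator's message is forwarded verbatim; confirm it does
            // not let a client tell an unknown user apart from a wrong password.
            throw new SASInvalidEvidenceException(e.getMessage(), INVALID_EVIDENCE_MINOR_CODE);
        } catch (UnsupportedEncodingException e2) {
            // NOTE(review): establishContext holds the raw token, password included; confirm
            // that the FFDC record does not dump it.
            FFDCFilter.processException(e2, "com.ibm.ws.transport.iiop.security.config.tss.TSSGSSUPMechConfig", "126", this, new Object[]{establishContext, codec});
            throw new SASException(1, e2);
        }
    }

    /**
     * Asks {@code trustedIDEvaluator} whether the username/password in the client token
     * belongs to a trusted identity.
     *
     * @return the evaluator's answer, or {@code false} when there is no token, the token
     *         cannot be decoded, or its password cannot be read as UTF-8
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    @FFDCIgnore({UnsupportedEncodingException.class})
    public boolean isTrusted(TrustedIDEvaluator trustedIDEvaluator, EstablishContext establishContext, Codec codec) {
        boolean tokenPresent = establishContext != null
                && establishContext.client_authentication_token != null
                && establishContext.client_authentication_token.length > 0;
        if (!tokenPresent) {
            return false;
        }
        InitialContextToken initialContextToken = new InitialContextToken();
        if (!Util.decodeGSSUPToken(codec, establishContext.client_authentication_token, initialContextToken)) {
            return false;
        }
        try {
            String userName = Util.extractUserNameFromScopedName(initialContextToken.username);
            return trustedIDEvaluator.isTrusted(userName, new String(initialContextToken.password, "UTF8"));
        } catch (UnsupportedEncodingException e) {
            // Not trusted if the credentials cannot even be read.
            return false;
        }
    }

    /** @return the mechanism name, {@code "GSSUP"} */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public String getMechanism() {
        return mechanism;
    }

    /** @return the multi-line description produced by {@link #toString(String, StringBuilder)} */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        toString("", sb);
        return sb.toString();
    }

    /**
     * Appends a description of this configuration to {@code sb}. Only the target name and
     * the required flag are written; no credential material is included.
     *
     * @param str indentation prefix for the opening and closing lines
     * @param sb  buffer to append to
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    @Trivial
    public void toString(String str, StringBuilder sb) {
        String str2 = str + "  ";
        sb.append(str).append("TSSGSSUPMechConfig: [\n");
        sb.append(str2).append("targetName:   ").append(this.targetName).append("\n");
        sb.append(str2).append("required  :   ").append(this.required).append("\n");
        sb.append(str).append("]\n");
    }
}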
