package com.ibm.ws.transport.iiop.security.config.tss;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.csiv2.Authenticator;
import com.ibm.ws.security.csiv2.Constants;
import com.ibm.ws.security.csiv2.TraceConstants;
import com.ibm.ws.transport.iiop.security.SASException;
import com.ibm.ws.transport.iiop.security.SASInvalidEvidenceException;
import com.ibm.ws.transport.iiop.security.config.ConfigUtil;
import com.ibm.wsspi.security.csiv2.TrustedIDEvaluator;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import org.omg.CORBA.Any;
import org.omg.CORBA.ORB;
import org.omg.CORBA.UserException;
import org.omg.CSIIOP.TLS_SEC_TRANS;
import org.omg.CSIIOP.TLS_SEC_TRANSHelper;
import org.omg.CSIIOP.TransportAddress;
import org.omg.IOP.Codec;
import org.omg.IOP.TaggedComponent;

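/**
 * Target-side (TSS) CSIv2 transport-mechanism configuration for SSL/TLS.
 *
 * <p>Holds the {@code target_supports} / {@code target_requires} association-option bit masks
 * and the transport addresses that are published in the IOR's {@code TLS_SEC_TRANS} tagged
 * component, and evaluates an incoming {@link SSLSession} against them:
 * {@link #check(SSLSession)} derives a {@link Subject} from the client's certificate chain and
 * {@link #isTrusted(TrustedIDEvaluator, SSLSession)} asks the evaluator whether that chain
 * belongs to a trusted (assertion-capable) identity.
 *
 * <p>The {@link Authenticator} is {@code transient} and is only ever set by
 * {@link #TSSSSLTransportConfig(Authenticator)}. An instance built any other way (no-arg
 * constructor, decoded from an IOR, or deserialized) has no authenticator and therefore cannot
 * authenticate a peer certificate: {@link #check(SSLSession)} then yields an unauthenticated
 * (null) subject, or rejects the connection when client certificates are required.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/transport/iiop/security/config/tss/TSSSSLTransportConfig.class */
public class TSSSSLTransportConfig extends TSSTransportMechConfig {
    private static final TraceComponent tc = Tr.register(TSSSSLTransportConfig.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);

    /** CSIv2 association-option bit meaning "the target requires a client certificate" (EstablishTrustInClient). */
    private static final short REQUIRE_CLIENT_CERTIFICATE = 64;
    /** IOP component tag of a {@code TLS_SEC_TRANS} transport component (TAG_TLS_SEC_TRANS). */
    private static final int TAG_TLS_SEC_TRANS = 36;
    /** IOP component tag published instead when the TLS component cannot be encoded (TAG_NULL_TAG). */
    private static final int TAG_NULL_TAG = 34;
    /** Minor code (0x49424300) attached to every {@link SASInvalidEvidenceException} raised here. */
    private static final int INVALID_EVIDENCE_MINOR_CODE = 1229079296;
    /** Shared immutable-by-convention empty address list; never handed out directly (see getTransportAddresses). */
    private static final TransportAddress[] NO_ADDRESSES = new TransportAddress[0];

    /** Authenticates the peer's X.509 chain into a Subject; null unless set via the Authenticator constructor. */
    private transient Authenticator authenticator;
    private TransportAddress[] transportAddresses;
    /** Defaults to -1. Only read back by the getter and toString; its interpretation belongs to the caller. */
    private short handshakeTimeout = -1;
    private short supports;
    private short requires;
    static final long serialVersionUID = -4912661872009340581L;

    /** Creates an empty configuration: no authenticator, no addresses, supports/requires both 0. */
    public TSSSSLTransportConfig() {
        this.transportAddresses = NO_ADDRESSES;
    }

    /**
     * Creates a server-side configuration that can authenticate client certificates.
     *
     * @param authenticator used by {@link #check(SSLSession)} to turn the peer chain into a Subject
     */
    public TSSSSLTransportConfig(Authenticator authenticator) {
        this.authenticator = authenticator;
        this.transportAddresses = NO_ADDRESSES;
    }

    /**
     * Decodes a {@code TLS_SEC_TRANS} tagged component read from an IOR.
     *
     * <p>No authenticator is available on this path, so the resulting instance describes what the
     * remote target advertises; it cannot authenticate peers itself.
     *
     * @param taggedComponent the TAG_TLS_SEC_TRANS component from the IOR
     * @param codec           codec used to decode {@code component_data}
     * @throws UserException if the component cannot be decoded as a TLS_SEC_TRANS
     */
    public TSSSSLTransportConfig(TaggedComponent taggedComponent, Codec codec) throws UserException {
        TLS_SEC_TRANS decoded = TLS_SEC_TRANSHelper.extract(codec.decode_value(taggedComponent.component_data, TLS_SEC_TRANSHelper.type()));
        this.supports = decoded.target_supports;
        this.requires = decoded.target_requires;
        // Guard against a null address list so the getter/encoder never dereference null.
        this.transportAddresses = decoded.addresses == null ? NO_ADDRESSES : decoded.addresses;
    }

    /**
     * Replaces the published transport addresses with a copy of {@code list}.
     *
     * @param list the addresses to publish; null is treated as an empty list
     */
    public void setTransportAddresses(List<TransportAddress> list) {
        if (list == null) {
            this.transportAddresses = NO_ADDRESSES;
        } else {
            this.transportAddresses = list.toArray(new TransportAddress[list.size()]);
        }
    }

    /**
     * Returns a defensive copy of the published transport addresses (never null).
     */
    public TransportAddress[] getTransportAddresses() {
        TransportAddress[] addresses = this.transportAddresses;
        if (addresses == null) {
            return new TransportAddress[0];
        }
        return addresses.clone();
    }

    public short getHandshakeTimeout() {
        return this.handshakeTimeout;
    }

    public void setHandshakeTimeout(short s) {
        this.handshakeTimeout = s;
    }

    /** CSIv2 association options the target supports ({@code target_supports}). */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSTransportMechConfig
    public short getSupports() {
        return this.supports;
    }

    public void setSupports(short s) {
        this.supports = s;
    }

    /** CSIv2 association options the target requires ({@code target_requires}). */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSTransportMechConfig
    public short getRequires() {
        return this.requires;
    }

    public void setRequires(short s) {
        this.requires = s;
    }

    /**
     * Encodes this configuration as the IOR's {@code TLS_SEC_TRANS} tagged component.
     *
     * <p>If encoding fails the error is logged and a {@code TAG_NULL_TAG} component with empty
     * data is returned instead. Note that such an IOR advertises <em>no</em> transport protection
     * to clients; {@link #check(SSLSession)} still rejects a non-SSL session whenever
     * {@code requires} is non-zero, so those clients are refused rather than silently downgraded.
     *
     * @param codec codec used to encode the component data
     * @return the tagged component to place in the IOR (never null)
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSTransportMechConfig
    public TaggedComponent encodeIOR(Codec codec) {
        TaggedComponent component = new TaggedComponent();
        TLS_SEC_TRANS tlsSecTrans = new TLS_SEC_TRANS();
        tlsSecTrans.target_supports = this.supports;
        tlsSecTrans.target_requires = this.requires;
        tlsSecTrans.addresses = this.transportAddresses == null ? NO_ADDRESSES : this.transportAddresses;
        try {
            Any any = ORB.init().create_any();
            TLS_SEC_TRANSHelper.insert(any, tlsSecTrans);
            component.tag = TAG_TLS_SEC_TRANS;
            component.component_data = codec.encode_value(any);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.transport.iiop.security.config.tss.TSSSSLTransportConfig", "135", this, new Object[]{codec});
            Tr.error(tc, "Error enncoding transport tagged component, defaulting encoding to NULL", new Object[0]);
            component.tag = TAG_NULL_TAG;
            component.component_data = new byte[0];
        }
        return component;
    }

    /**
     * Evaluates the transport layer of an incoming request.
     *
     * @param sSLSession the request's SSL session, or null if the request arrived in the clear
     * @return the Subject authenticated from the client certificate chain, or null when no
     *         subject could be established and client-certificate authentication is not required
     * @throws SASException if {@code requires} is non-zero but there is no SSL session, or if
     *         client certificates are required and the peer chain could not be authenticated
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSTransportMechConfig
    public Subject check(SSLSession sSLSession) throws SASException {
        validateSSLSessionExistsWhenSSLRequired(sSLSession);
        return tryToAuthenticate(sSLSession);
    }

    /**
     * Rejects a non-SSL request when any transport option is required ({@code requires != 0}):
     * integrity/confidentiality/trust requirements can only be satisfied over SSL.
     */
    private void validateSSLSessionExistsWhenSSLRequired(SSLSession sSLSession) throws SASException {
        if (sSLSession == null && this.requires != 0) {
            throw new SASInvalidEvidenceException("The target security service requires client certificate authentication, but there was no SSL session found.", INVALID_EVIDENCE_MINOR_CODE);
        }
    }

    /**
     * Authenticates the peer chain, treating every failure as "no subject" unless client
     * certificates are required, in which case the failure is rethrown as a SASException.
     */
    @FFDCIgnore({SSLPeerUnverifiedException.class, Exception.class})
    private Subject tryToAuthenticate(SSLSession sSLSession) throws SASException {
        Subject subject = null;
        try {
            subject = authenticateWithCertificateChain(sSLSession);
        } catch (SSLPeerUnverifiedException e) {
            throwExceptionIfClientCertificateAuthenticationIsRequired(e);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "The peer could not be verified, but ignoring because client certificate authentication is not required. The exception is: " + e.getMessage(), new Object[0]);
            }
        } catch (Exception e2) {
            throwExceptionIfClientCertificateAuthenticationIsRequired(e2);
            // Previously swallowed silently; trace it so a missing authenticator or a failing
            // credential lookup is at least diagnosable when client certificates are optional.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Client certificate authentication failed, but ignoring because it is not required. The exception is: " + e2, new Object[0]);
            }
        }
        return subject;
    }

    /**
     * Authenticates the peer's X.509 chain and records it on the resulting WSCredential as the
     * ClientCertificate identity.
     *
     * @return the authenticated Subject, or null if there is no SSL session
     * @throws SSLPeerUnverifiedException if the peer presented no verified chain, or a chain that
     *         is not X.509
     * @throws IllegalStateException if no Authenticator was configured (see class comment)
     */
    private Subject authenticateWithCertificateChain(SSLSession sSLSession) throws SSLPeerUnverifiedException, AuthenticationException, CredentialExpiredException, CredentialDestroyedException {
        if (sSLSession == null) {
            return null;
        }
        X509Certificate[] peerChain = peerX509Chain(sSLSession);
        if (this.authenticator == null) {
            throw new IllegalStateException("No Authenticator is configured for this TSSSSLTransportConfig; client certificates cannot be authenticated.");
        }
        Subject subject = this.authenticator.authenticate(peerChain);
        WSCredential credential = new SubjectHelper().getWSCredential(subject);
        credential.set(Constants.IDENTITY_NAME, Constants.ClientCertificate);
        credential.set(Constants.IDENTITY_VALUE, peerChain);
        return subject;
    }

    /**
     * Returns the session's peer certificate chain as X.509 certificates.
     *
     * <p>The original code cast the {@code Certificate[]} directly, which throws an unchecked
     * {@link ClassCastException} for a non-X.509 chain; that case is now reported as an
     * {@link SSLPeerUnverifiedException} so callers handle it like any other unverified peer.
     *
     * @throws SSLPeerUnverifiedException if the peer is unverified or any certificate is not X.509
     */
    private static X509Certificate[] peerX509Chain(SSLSession session) throws SSLPeerUnverifiedException {
        Certificate[] chain = session.getPeerCertificates();
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("Peer certificate chain contains a certificate that is not X.509 at index " + i);
            }
            x509Chain[i] = (X509Certificate) chain[i];
        }
        return x509Chain;
    }

    /**
     * Converts an authentication failure into a SASInvalidEvidenceException when the target
     * requires client certificates; otherwise returns normally so the caller can ignore it.
     */
    private void throwExceptionIfClientCertificateAuthenticationIsRequired(Exception exc) throws SASException {
        if (clientCertificateAuthenticationRequired()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Client certificate authentication is required, but it was not possible to authenticate. The exception is: " + exc.getMessage(), new Object[0]);
            }
            // Fall back to the exception's toString so a cause without a message (e.g. an NPE)
            // does not surface as a SASException with a null reason.
            String reason = exc.getMessage() != null ? exc.getMessage() : exc.toString();
            throw new SASInvalidEvidenceException(reason, INVALID_EVIDENCE_MINOR_CODE);
        }
    }

    /** True when {@code target_requires} carries the EstablishTrustInClient bit. */
    private boolean clientCertificateAuthenticationRequired() {
        return (this.requires & REQUIRE_CLIENT_CERTIFICATE) != 0;
    }

    /**
     * Asks the evaluator whether the peer's X.509 chain is a trusted identity.
     *
     * @return false when there is no SSL session, the peer is unverified, or the chain is not
     *         X.509 (fail closed); otherwise the evaluator's answer
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSTransportMechConfig
    @FFDCIgnore({SSLPeerUnverifiedException.class})
    public boolean isTrusted(TrustedIDEvaluator trustedIDEvaluator, SSLSession sSLSession) {
        if (sSLSession == null) {
            return false;
        }
        try {
            return trustedIDEvaluator.isTrusted(peerX509Chain(sSLSession));
        } catch (SSLPeerUnverifiedException e) {
            return false;
        }
    }

    /** Appends an indented, multi-line dump of this configuration to {@code sb}. */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSTransportMechConfig
    @Trivial
    void toString(String str, StringBuilder sb) {
        String inner = str + "  ";
        sb.append(str).append("TSSSSLTransportConfig: [\n");
        sb.append(inner).append("SUPPORTS: ").append(ConfigUtil.flags(this.supports)).append("\n");
        sb.append(inner).append("REQUIRES: ").append(ConfigUtil.flags(this.requires)).append("\n");
        if (this.transportAddresses != null) {
            for (TransportAddress address : this.transportAddresses) {
                if (address != null) {
                    sb.append(inner).append("  ").append("hostName: ").append(address.host_name).append(",  port    : ").append((int) address.port).append("\n");
                }
            }
        }
        sb.append(inner).append("handshakeTimeout: ").append((int) this.handshakeTimeout).append("\n");
        sb.append(str).append("]\n");
    }
}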
