package com.ibm.ws.transport.iiop.security.config.tss;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.csiv2.SecurityMinorCodes;
import com.ibm.ws.security.csiv2.TraceConstants;
import com.ibm.ws.transport.iiop.security.SASException;
import com.ibm.ws.transport.iiop.security.SASInvalidEvidenceException;
import com.ibm.ws.transport.iiop.security.config.ConfigUtil;
import com.ibm.ws.transport.iiop.security.util.Util;
import com.ibm.wsspi.security.csiv2.TrustedIDEvaluator;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.net.ssl.SSLSession;
import javax.security.auth.Subject;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.IdentityToken;
import org.omg.CSIIOP.SAS_ContextSec;
import org.omg.CSIIOP.ServiceConfiguration;
import org.omg.IOP.Codec;

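/**
 * Target-side (TSS) configuration of the CSIv2 SAS context layer.
 *
 * <p>Holds what this target advertises in its IOR — privilege authorities,
 * the identity-token types it accepts, and the {@code target_supports} /
 * {@code target_requires} association-option bits — and applies the trust
 * rule that decides whether an identity asserted by a client is honoured
 * (see {@link #check}).
 *
 * <p>The instance is {@link Serializable} with a pinned {@code serialVersionUID};
 * the {@link TrustedIDEvaluator} is {@code transient}, so a deserialized instance
 * (and one built with the no-arg or IOR constructor) has no evaluator until one
 * is supplied. {@link #check} fails closed in that case.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
public class TSSSASMechConfig implements Serializable {
    public static final String TYPE_ITTAnonymous = "ITTAnonymous";
    public static final String TYPE_ITTPrincipalName = "ITTPrincipalName";
    public static final String TYPE_ITTX509CertChain = "ITTX509CertChain";
    public static final String TYPE_ITTDistinguishedName = "ITTDistinguishedName";

    /** CSIIOP AssociationOptions bit {@code IdentityAssertion}: target accepts asserted identities. */
    private static final short IDENTITY_ASSERTION = 1024;
    /** CSIIOP AssociationOptions bit {@code DelegationByClient}: target lists privilege authorities. */
    private static final short DELEGATION_BY_CLIENT = 2048;
    /** CSI IdentityTokenType discriminators that carry no asserted identity and need no trust decision. */
    private static final int ITT_ABSENT = 0;
    private static final int ITT_ANONYMOUS = 1;
    /** CSI IdentityTokenType discriminator whose tokens contribute a GSS naming mechanism OID to the IOR. */
    private static final int ITT_PRINCIPAL_NAME = 2;

    private short supports;
    private short requires;
    private int supportedIdentityTypes;
    private boolean required;
    private final ArrayList<TSSServiceConfigurationConfig> privilegeAuthorities = new ArrayList<>();
    private final Map<Short, TSSSASIdentityToken> idTokens = new HashMap<>();
    /** Not serialized: must be (re)injected before {@link #check} can evaluate asserted identities. */
    private transient TrustedIDEvaluator trustedIDEvaluator;
    static final long serialVersionUID = 7773202148556350667L;
    private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.transport.iiop.security.config.tss.TSSSASMechConfig", TSSSASMechConfig.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);

    /** Empty configuration with no evaluator; nothing supported or required yet. */
    public TSSSASMechConfig() {
    }

    /**
     * Empty configuration that will consult {@code trustedIDEvaluator} when a
     * client asserts an identity.
     */
    public TSSSASMechConfig(TrustedIDEvaluator trustedIDEvaluator) {
        this.trustedIDEvaluator = trustedIDEvaluator;
    }

    /**
     * Reconstructs the configuration from a decoded IOR component (client side).
     * No evaluator is attached, so the result is not usable for {@link #check}.
     *
     * @throws Exception propagated from decoding a privilege authority or an OID
     */
    public TSSSASMechConfig(SAS_ContextSec sAS_ContextSec) throws Exception {
        for (ServiceConfiguration serviceConfiguration : sAS_ContextSec.privilege_authorities) {
            this.privilegeAuthorities.add(TSSServiceConfigurationConfig.decodeIOR(serviceConfiguration));
        }
        for (byte[] encodedOid : sAS_ContextSec.supported_naming_mechanisms) {
            // Only the GSSUP principal-name mechanism is recognised when decoding.
            if (TSSITTPrincipalNameGSSUP.OID.equals(Util.decodeOID(encodedOid))) {
                addIdentityToken(new TSSITTPrincipalNameGSSUP(null, null, null));
            }
        }
        // The flags published in the IOR are authoritative: assign them last so the bits
        // addIdentityToken() derives above cannot widen or differ from what was advertised.
        this.supports = sAS_ContextSec.target_supports;
        this.requires = sAS_ContextSec.target_requires;
        this.supportedIdentityTypes = sAS_ContextSec.supported_identity_types;
    }

    /**
     * Registers a privilege authority and advertises DelegationByClient; if the
     * layer is already marked required, DelegationByClient becomes required too.
     */
    public void addServiceConfigurationConfig(TSSServiceConfigurationConfig tSSServiceConfigurationConfig) {
        this.privilegeAuthorities.add(tSSServiceConfigurationConfig);
        this.supports = (short) (this.supports | DELEGATION_BY_CLIENT);
        if (this.required) {
            // NOTE(review): this is an assignment, not an OR, so any other "requires" bit
            // present at this point is dropped; setRequired() ORs instead. Preserved as-is.
            this.requires = DELEGATION_BY_CLIENT;
        }
    }

    /** Privilege authority at index {@code i} (insertion order). */
    public TSSServiceConfigurationConfig serviceConfigurationAt(int i) {
        return this.privilegeAuthorities.get(i);
    }

    /** Number of registered privilege authorities. */
    public int paSize() {
        return this.privilegeAuthorities.size();
    }

    /**
     * Registers a handler for one identity-token type, keyed by its CSI type value.
     * Any type other than ITTAbsent (0) turns on the IdentityAssertion support bit.
     * A later registration for the same type replaces the earlier one.
     */
    public void addIdentityToken(TSSSASIdentityToken tSSSASIdentityToken) {
        short type = tSSSASIdentityToken.getType();
        this.idTokens.put(Short.valueOf(type), tSSSASIdentityToken);
        this.supportedIdentityTypes |= type;
        if (type > ITT_ABSENT) {
            this.supports = (short) (this.supports | IDENTITY_ASSERTION);
        }
    }

    /** {@code target_supports} association-option bits. */
    public short getSupports() {
        return this.supports;
    }

    /** {@code target_requires} association-option bits. */
    public short getRequires() {
        return this.requires;
    }

    /** Bitmask of accepted CSI identity-token types. */
    public int getSupportedIdentityTypes() {
        return this.supportedIdentityTypes;
    }

    public boolean isRequired() {
        return this.required;
    }

    /**
     * Marks the SAS layer as required. Only DelegationByClient can become
     * required here, and only if it is already supported.
     */
    public void setRequired(boolean z) {
        this.required = z;
        if (z) {
            this.requires = (short) (this.requires | (this.supports & DELEGATION_BY_CLIENT));
        }
    }

    /**
     * Builds the IOR component describing this configuration.
     *
     * @param codec not used by this layer; kept for signature compatibility
     * @throws Exception propagated from encoding a privilege authority or an OID
     */
    public SAS_ContextSec encodeIOR(Codec codec) throws Exception {
        SAS_ContextSec sas = new SAS_ContextSec();

        sas.privilege_authorities = new ServiceConfiguration[this.privilegeAuthorities.size()];
        for (int idx = 0; idx < sas.privilege_authorities.length; idx++) {
            sas.privilege_authorities[idx] = this.privilegeAuthorities.get(idx).generateServiceConfiguration();
        }

        // Only principal-name tokens carry a GSS naming mechanism; HashMap order is unspecified.
        ArrayList<TSSSASIdentityToken> namingTokens = new ArrayList<>();
        for (TSSSASIdentityToken token : this.idTokens.values()) {
            if (token.getType() == ITT_PRINCIPAL_NAME) {
                namingTokens.add(token);
            }
        }
        sas.supported_naming_mechanisms = new byte[namingTokens.size()][];
        for (int idx = 0; idx < namingTokens.size(); idx++) {
            sas.supported_naming_mechanisms[idx] = Util.encodeOID(namingTokens.get(idx).getOID());
        }

        sas.target_supports = this.supports;
        sas.target_requires = this.requires;
        sas.supported_identity_types = this.supportedIdentityTypes;
        return sas;
    }

    /**
     * Validates the identity token of an EstablishContext message and maps it to a Subject.
     *
     * <p>Trust rule for an asserted identity (anything other than ITTAbsent / ITTAnonymous),
     * evaluated in this order, first match wins:
     * <ol>
     *   <li>the evaluator trusts {@code "*"} (presumed trust: any client may assert any identity);</li>
     *   <li>the authentication layer trusts the authenticated client;</li>
     *   <li>the transport layer trusts the client's SSL session (client certificate).</li>
     * </ol>
     *
     * @return the Subject produced by the matching token handler, or {@code null} when
     *         the message carries no identity token
     * @throws SASInvalidEvidenceException {@code INVALID_IDENTITY_TOKEN} for an unsupported
     *         token type; {@code IDENTITY_SERVER_NOT_TRUSTED} when the asserting client is not
     *         trusted or no evaluator is configured
     */
    public Subject check(TSSCompoundSecMechConfig tSSCompoundSecMechConfig, SSLSession sSLSession, EstablishContext establishContext, Codec codec) throws SASException {
        if (establishContext == null || establishContext.identity_token == null) {
            return null;
        }
        IdentityToken identityToken = establishContext.identity_token;
        int discriminator = identityToken.discriminator();
        TSSSASIdentityToken handler = this.idTokens.get(Short.valueOf((short) discriminator));
        // The map key is a short; insist the handler's type equals the full discriminator so a
        // value outside the short range is rejected instead of being silently truncated.
        if (handler == null || handler.getType() != discriminator) {
            throw new SASInvalidEvidenceException("Unsupported identity token type: " + discriminator, SecurityMinorCodes.INVALID_IDENTITY_TOKEN);
        }
        if (isTokenTypeAlwaysAllowed(discriminator)) {
            return handler.check(identityToken, codec);
        }
        // An asserted identity needs a trust decision. The evaluator is transient and may be
        // absent (no-arg/IOR constructor, or after deserialization): fail closed with the
        // declared exception rather than a NullPointerException.
        if (this.trustedIDEvaluator == null) {
            throw new SASInvalidEvidenceException("Identity assertion rejected: no TrustedIDEvaluator is configured for this target", SecurityMinorCodes.IDENTITY_SERVER_NOT_TRUSTED);
        }
        boolean trusted = isPresumedTrust()
                || tSSCompoundSecMechConfig.getAs_mech().isTrusted(this.trustedIDEvaluator, establishContext, codec)
                || tSSCompoundSecMechConfig.getTransport_mech().isTrusted(this.trustedIDEvaluator, sSLSession);
        if (!trusted) {
            throw new SASInvalidEvidenceException("Authentication failed. Could not validate Client Authentication Token and/or Client Certificates during Identity Assertion", SecurityMinorCodes.IDENTITY_SERVER_NOT_TRUSTED);
        }
        return handler.check(identityToken, codec);
    }

    /** ITTAbsent and ITTAnonymous assert no identity, so they bypass the trust check. */
    private boolean isTokenTypeAlwaysAllowed(int tokenType) {
        return tokenType == ITT_ABSENT || tokenType == ITT_ANONYMOUS;
    }

    /** True when the evaluator trusts every asserting client ({@code "*"}). Caller ensures non-null evaluator. */
    private boolean isPresumedTrust() {
        return this.trustedIDEvaluator.isTrusted("*");
    }

    @Override
    public String toString() {
        StringBuilder out = new StringBuilder();
        toString("", out);
        return out.toString();
    }

    /**
     * Appends an indented, multi-line dump of this configuration to {@code sb}.
     *
     * @param str indentation prefix for this level
     * @param sb  destination buffer
     */
    @Trivial
    public void toString(String str, StringBuilder sb) {
        String inner = str + "  ";
        sb.append(str).append(getName()).append(": [\n");
        sb.append(inner).append("required: ").append(this.required).append("\n");
        sb.append(inner).append("SUPPORTS: ").append(ConfigUtil.flags(this.supports)).append("\n");
        sb.append(inner).append("REQUIRES: ").append(ConfigUtil.flags(this.requires)).append("\n");
        for (TSSServiceConfigurationConfig authority : this.privilegeAuthorities) {
            authority.toString(inner, sb);
        }
        sb.append("\n");
        for (TSSSASIdentityToken token : this.idTokens.values()) {
            token.toString(inner, sb);
        }
        sb.append(str).append("]\n");
    }

    /** Label used by {@link #toString(String, StringBuilder)}; subclasses may override. */
    protected String getName() {
        return "TSSSASMechConfig";
    }
}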
