package com.ibm.security.krb5.wss;

import com.ibm.misc.BASE64Decoder;
import com.ibm.misc.HexDumpEncoder;
import com.ibm.security.auth.callback.CcacheFileTextInputCallback;
import com.ibm.security.auth.callback.DefaultCcacheTextInputCallback;
import com.ibm.security.auth.callback.DefaultKeytabTextInputCallback;
import com.ibm.security.auth.callback.KeytabFileTextInputCallback;
import com.ibm.security.jgss.TokenHeader;
import com.ibm.security.jgss.i18n.I18NException;
import com.ibm.security.krb5.Credentials;
import com.ibm.security.krb5.EncryptedData;
import com.ibm.security.krb5.EncryptionKey;
import com.ibm.security.krb5.KrbException;
import com.ibm.security.krb5.PrincipalName;
import com.ibm.security.krb5.internal.APOptions;
import com.ibm.security.krb5.internal.APReq;
import com.ibm.security.krb5.internal.Authenticator;
import com.ibm.security.krb5.internal.EncTicketPart;
import com.ibm.security.krb5.internal.KerberosTime;
import com.ibm.security.krb5.internal.Ticket;
import com.ibm.security.krb5.internal.TicketFlags;
import com.ibm.security.krb5.wss.util.Debug;
import com.ibm.ws.wssecurity.util.KRBTokenProfileConstants;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Date;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/security/krb5/wss/KerberosTokenConsumer.class */
public class KerberosTokenConsumer {
    // Prefix carried by the debug messages of this class (the decompiled methods inline the literal).
    private static final String debugPrefix = "KerberosTokenConsumer: ";
    // Two-byte token id that invoke() expects at the start of a GSS-wrapped mechanism token.
    private static final byte[] AP_REQ_TOK_ID = {1, 0};
    private static final int TOK_ID_LEN = 2;
    // Values fillContext() stores under CONTEXT_WRAPPED (1 = GSS-wrapped token, 0 = bare AP_REQ).
    private static final int WRAPPED = 1;
    private static final int NOT_WRAPPED = 0;
    // Channel-binding length that getDelegatedCreds() requires in the authenticator checksum.
    public static final int CB_SIZE = 16;
    // NOTE(review): not referenced anywhere in this class; the checksum *type* of the
    // authenticator is never compared against it in the visible code - confirm whether it should be.
    public static final int CKSUMTYPE_KRB = 32771;
    // A checksum of exactly this many bytes is treated by getDelegatedCreds() as "no delegated credentials".
    public static final int CKSUM_SIZE_MIN = 24;
    // Key-usage numbers. invoke() passes the same values (2, 11, 8) to decrypt() as literals,
    // so these constants are documentation only in the decompiled form.
    private static final int Des3EType_KD_KDC_REP_TICKET = 2;
    private static final int AES128_KD_KDC_REP_TICKET = 2;
    private static final int AES256_KD_KDC_REP_TICKET = 2;
    private static final int Rc4HMac_KD_AS_REP_SERV = 2;
    private static final int Rc4HMac_KD_AP_REQ_AUTHN = 11;
    private static final int Des3EType_KD_AP_REQ_AUTH = 11;
    private static final int AES128_KD_AP_REQ_AUTH = 11;
    private static final int AES256_KD_AP_REQ_AUTH = 11;
    private static final int Rc4HMac_KD_TGS_REP = 8;
    // Mechanism OID that a GSS-wrapped token must carry; assigned in the static initializer.
    // NOTE(review): public, static and not final - any code that can see this class can
    // reassign the OID the mechanism check in invoke() compares against, and it stays null
    // if the static initializer fails. Consider making it final.
    public static Oid MECH_TYPE_KRB5;
    // Keytab path from the init() map; null makes invoke() fall back to the default keytab.
    private String keyTabFile;
    // Values read from the received ticket / decrypted ticket part by invoke().
    private String serviceName;
    private String clientName;
    private long clientAuthTime;
    private String realmName;
    // Charset name used to turn base64token into a String; invoke() uses "UTF-8" when null.
    private String encoding;
    // Supplied through init() or produced by the JAAS login in invoke().
    private Subject subject;
    private boolean useSubject;
    // Secret key material recovered from the AP_REQ. fillContext() copies these references
    // into the caller's context map; nothing in this class clears them afterwards.
    private byte[] rawSubKey;
    private byte[] rawSessionKey;
    private int rawSessionKeyType;
    // Delegated credential bytes taken from the authenticator checksum, and the ticket built from them.
    private byte[] delegCred;
    private KerberosTicket delegatedTicket;
    private EncryptionKey sessionKey;
    private EncryptionKey subKey;
    // Long-term service key selected for the ticket's encryption type.
    private EncryptionKey serviceKey;
    private String stringToken;
    // JAAS login parameters from init().
    private String jaasServiceName;
    // NOTE(review): the service password is held as an immutable String for the life of this
    // object, so it cannot be wiped after the JAAS login.
    private String jaasServicePassword;
    private String jaasRealmName;
    private String jaasLoginConf;
    // The three token forms init() accepts; invoke() uses the first one that is non-null.
    private byte[] base64token;
    private byte[] decodedtoken;
    private boolean wrapped = false;
    private Authenticator authn = null;
    private Credentials creds = null;
    private Debug debug = new Debug();

    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/security/krb5/wss/KerberosTokenConsumer$NullPrompter.class */
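    /**
     * Non-interactive JAAS callback handler that answers name and password prompts
     * with values fixed at construction time.
     *
     * <p>The password array is held by reference, so {@link #nukeEm()} overwrites the
     * caller's array as well. {@code PasswordCallback.setPassword} stores its own copy,
     * so wiping here does not disturb a callback that has already been answered.
     */
    class NullPrompter implements CallbackHandler {
        private String userName;
        private char[] authenticator;

        private NullPrompter() {
        }

        public NullPrompter(String str, char[] cArr) {
            this.userName = str;
            this.authenticator = cArr;
        }

        /**
         * Forgets the user name and overwrites the password characters with spaces.
         * Safe to call on an instance that never received a password (the original
         * dereferenced the array unconditionally).
         */
        public void nukeEm() {
            this.userName = null;
            if (this.authenticator != null) {
                Arrays.fill(this.authenticator, ' ');
            }
        }

        /**
         * Answers {@link NameCallback} and {@link PasswordCallback}; text-output and the
         * IBM ccache/keytab text-input callbacks are ignored without a message, and any
         * other callback type is only reported through the debug log.
         *
         * @param callbackArr callbacks handed over by the login module
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                // Checked first, exactly as before, so these types never reach the name/password branches.
                boolean ignored = callback instanceof TextOutputCallback
                        || callback instanceof CcacheFileTextInputCallback
                        || callback instanceof DefaultCcacheTextInputCallback
                        || callback instanceof DefaultKeytabTextInputCallback
                        || callback instanceof KeytabFileTextInputCallback;
                if (ignored) {
                    continue;
                }
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.userName);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.authenticator);
                } else {
                    KerberosTokenConsumer.this.debug.out(5, "KerberosTokenConsumer: Unrecognized Callback :" + callback);
                }
            }
        }
    }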

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/security/krb5/wss/KerberosTokenConsumer$SubjectCredFinder.class */
    /**
     * Privileged action that searches the consumer's Subject for a {@link KerberosTicket}.
     *
     * <p>With a {@code null} client name the first ticket found is returned; otherwise only a
     * ticket whose client principal name equals the requested one. When the consumer has no
     * Subject yet and subject use is enabled, the Subject of the calling access-control
     * context is looked up and stored on the consumer.
     */
    public class SubjectCredFinder implements PrivilegedExceptionAction {
        private String client;

        public SubjectCredFinder(String str) {
            this.client = str;
        }

        /**
         * @return the matching {@link KerberosTicket}, or {@code null} when the Subject holds none
         * @throws GSSException raised through {@code I18NException} when no Subject is available
         */
        @Override // java.security.PrivilegedExceptionAction
        public Object run() throws GSSException {
            final KerberosTokenConsumer consumer = KerberosTokenConsumer.this;
            consumer.debug.out(5, "KerberosTokenConsumer: SubjectCredFinder: client=" + this.client);
            try {
                if (consumer.subject == null && consumer.useSubject) {
                    final AccessControlContext callerContext = AccessController.getContext();
                    consumer.subject = AccessController.doPrivileged(new PrivilegedAction<Subject>() {
                        @Override // java.security.PrivilegedAction
                        public Subject run() {
                            return Subject.getSubject(callerContext);
                        }
                    });
                }
            } catch (Exception lookupFailure) {
                // Any failure of the lookup is treated as "no Subject"; the cause is not recorded.
                consumer.subject = null;
            }
            if (consumer.subject == null) {
                I18NException.throwGSSException(13, 0, "SKFNoSubject");
            }
            for (Object credential : consumer.subject.getPrivateCredentials()) {
                if (!(credential instanceof KerberosTicket)) {
                    continue;
                }
                KerberosTicket candidate = (KerberosTicket) credential;
                String candidateClient = candidate.getClient().getName();
                if (this.client == null) {
                    consumer.debug.out(5, "KerberosTokenConsumer: SubjectCredFinder (default) KerberosTicket: client=" + candidateClient);
                    return candidate;
                }
                if (candidateClient.equals(this.client)) {
                    consumer.debug.out(5, "KerberosTokenConsumer: SubjectCredFinder KerberosTicket: client=" + candidateClient);
                    return candidate;
                }
            }
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/security/krb5/wss/KerberosTokenConsumer$SubjectKeyFinder.class */
    /**
     * Privileged action that collects the {@link KerberosKey}s of one principal from the
     * consumer's Subject.
     *
     * <p>When no principal was requested, the principal of the first key encountered is
     * adopted and later keys are filtered against it. Only the key <em>types</em> are written
     * to the debug log, never the key bytes.
     */
    public class SubjectKeyFinder implements PrivilegedExceptionAction {
        private String principal;

        public SubjectKeyFinder(String str) {
            this.principal = str;
        }

        /**
         * @return a {@code KerberosKey[]} with the matching keys, or {@code null} when none match
         * @throws GSSException raised through {@code I18NException} when no Subject is available
         */
        @Override // java.security.PrivilegedExceptionAction
        public Object run() throws GSSException {
            final KerberosTokenConsumer consumer = KerberosTokenConsumer.this;
            try {
                if (consumer.subject == null && consumer.useSubject) {
                    final AccessControlContext callerContext = AccessController.getContext();
                    consumer.subject = (Subject) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return Subject.getSubject(callerContext);
                        }
                    });
                }
            } catch (Exception lookupFailure) {
                // Any failure of the lookup is treated as "no Subject"; the cause is not recorded.
                consumer.subject = null;
            }
            if (consumer.subject == null) {
                I18NException.throwGSSException(13, 0, "SKFNoSubject");
            }
            Vector<KerberosKey> matches = new Vector<KerberosKey>();
            for (Object credential : consumer.subject.getPrivateCredentials()) {
                if (!(credential instanceof KerberosKey)) {
                    continue;
                }
                KerberosKey key = (KerberosKey) credential;
                if (this.principal != null) {
                    if (key.getPrincipal().getName().equals(this.principal)) {
                        matches.add(key);
                    }
                    continue;
                }
                // No principal requested: adopt the owner of this key for the rest of the scan.
                this.principal = key.getPrincipal().getName();
                if (this.principal == null) {
                    consumer.debug.out(5, "KerberosTokenConsumer: SubjectKeyFinder: disregarding key without owner");
                } else {
                    matches.add(key);
                }
            }
            if (matches.isEmpty()) {
                return null;
            }
            KerberosKey[] found = matches.toArray(new KerberosKey[0]);
            if (consumer.debug.on(5)) {
                StringBuilder report = new StringBuilder("KerberosTokenConsumer: Retrieved " + found.length + " keys from Subject. Key types:");
                for (int idx = 0; idx < found.length; idx++) {
                    report.append("\n\t[").append(idx + 1).append("] ").append(EncryptedData.encTypeToString(found[idx].getKeyType()));
                }
                consumer.debug.out(5, report.toString());
            }
            return found;
        }
    }

    /**
     * Reads the consumer configuration from {@code map}.
     *
     * <p>The token is taken from exactly one source, in this order of preference: Base64 bytes,
     * already-decoded bytes, Base64 string. The later sources are only consulted when the
     * earlier ones are absent.
     *
     * <p>NOTE(review): the JAAS service password arrives and is stored as a {@code String},
     * so it stays in memory for as long as this object (and the map entry) is reachable.
     *
     * @param map configuration keyed by the {@code KerberosTokenConfig} constants and "subject"
     * @throws RuntimeException when none of the three token entries is present
     */
    public void init(Map map) throws Exception {
        this.keyTabFile = (String) map.get(KerberosTokenConfig.SERVICE_KEYTAB);
        this.subject = (Subject) map.get("subject");
        this.encoding = (String) map.get(KerberosTokenConfig.ENCODING);

        this.base64token = (byte[]) map.get(KerberosTokenConfig.BASE64_TOKEN);
        this.decodedtoken = this.base64token == null
                ? (byte[]) map.get(KerberosTokenConfig.DECODED_TOKEN)
                : null;
        this.stringToken = this.decodedtoken == null
                ? (String) map.get(KerberosTokenConfig.STRING_TOKEN)
                : null;

        boolean tokenMissing = this.base64token == null && this.decodedtoken == null && this.stringToken == null;
        if (tokenMissing) {
            throw new RuntimeException("Cannot process a NULL Token");
        }

        this.jaasServiceName = (String) map.get(KerberosTokenConfig.SERVICE_NAME);
        this.jaasServicePassword = (String) map.get(KerberosTokenConfig.SERVICEPASSWORD);
        this.jaasRealmName = (String) map.get(KerberosTokenConfig.REALM_NAME);
        this.jaasLoginConf = (String) map.get(KerberosTokenConfig.LOGINCONF);
    }

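    /**
     * Validates the Kerberos AP_REQ supplied to {@link #init(Map)} and publishes the result
     * into {@code map}.
     *
     * <p>Steps: optional JAAS login for the service, decoding of the token (bare AP_REQ or
     * GSS-wrapped), lookup of the service credentials (Subject first, then keytab), decryption
     * of the ticket and of the authenticator, {@code verifyAPReq}, extraction of delegated
     * credentials, and finally {@code fillContext}.
     *
     * <p>Changes against the decompiled original, all confined to this method:
     * <ul>
     *   <li>the session key and sub-session key are no longer hex-dumped into the debug log;
     *       only their encryption type is logged;</li>
     *   <li>the password array handed to the JAAS callback handler is wiped once the login
     *       attempt is over;</li>
     *   <li>a missing or empty token is rejected before its first byte is read;</li>
     *   <li>the mechanism-token length declared in the GSS header is checked against the bytes
     *       actually present before a buffer of that size is allocated.</li>
     * </ul>
     *
     * <p>NOTE(review): no replay-cache lookup is visible in this class; confirm that replay
     * detection for accepted authenticators happens elsewhere.
     *
     * @param map message context that receives the keys, names and flags of the accepted token
     * @throws RuntimeException for a {@code null} context and, wrapping the cause, for every
     *         failure while the token is processed
     */
    public void invoke(Map<String, Object> map) throws Exception {
        APReq aPReq;
        byte[] decrypt;
        if (map == null) {
            throw new RuntimeException("Cannot process a NULL context");
        }
        String str = null;
        if (this.jaasServiceName != null && this.jaasRealmName != null) {
            str = this.jaasServiceName + "@" + this.jaasRealmName;
        }
        if (this.subject == null && this.jaasLoginConf != null && str != null && this.jaasServicePassword != null) {
            this.debug.out(5, "KerberosTokenConsumer: Attempting to do a JAAS Login for: \n" + str);
            NullPrompter prompter = new NullPrompter(str, this.jaasServicePassword.toCharArray());
            try {
                LoginContext loginContext = new LoginContext(this.jaasLoginConf, prompter);
                loginContext.login();
                this.subject = loginContext.getSubject();
                setUseSubjectCreds(true);
            } catch (Exception e) {
                // A failed login is not fatal: processing continues with keytab credentials.
                this.debug.out(5, "KerberosTokenConsumer: Failed to do a JAAS Login for: \n" + str);
                setUseSubjectCreds(false);
            } finally {
                // The handler is not used after login(); PasswordCallback keeps its own copy.
                prompter.nukeEm();
            }
        } else if (this.subject != null) {
            this.debug.out(5, "KerberosTokenConsumer: Will attempt to use supplied Subject\n");
            setUseSubjectCreds(true);
        }
        try {
            byte[] bArr = null;
            if (this.base64token != null) {
                this.debug.out(5, "KerberosTokenConsumer: Received a Base 64 encoded Token\n");
                String charsetName = this.encoding != null ? this.encoding : "UTF-8";
                bArr = new BASE64Decoder().decodeBuffer(new String(this.base64token, charsetName));
            } else if (this.decodedtoken != null) {
                this.debug.out(5, "KerberosTokenConsumer: Received a Decoded Raw Token Token\n");
                bArr = this.decodedtoken;
            } else if (this.stringToken != null) {
                this.debug.out(5, "KerberosTokenConsumer: Received a Base64 Encoded String Token\n");
                bArr = new BASE64Decoder().decodeBuffer(this.stringToken);
            }
            if (bArr == null || bArr.length == 0) {
                // Reached when init() was never called or the Base64 input decoded to nothing.
                throw new RuntimeException("Cannot process a NULL or empty Token");
            }
            // NOTE(review): the complete token is still written to the debug log; within its
            // validity window a captured AP_REQ is sensitive, so keep level-5 logs restricted.
            this.debug.out(5, "KerberosTokenConsumer: The Decoded Raw Token BYTES =\n" + new HexDumpEncoder().encodeBuffer(bArr));
            if (bArr[0] == 110) {
                // 110 = 0x6E, the first byte of a bare AP_REQ.
                this.debug.out(5, "KerberosTokenConsumer: Decoded an AP_REQ input token\n");
                aPReq = new APReq(bArr);
            } else {
                // 96 = 0x60, the first byte of a GSS-wrapped token.
                if (bArr[0] != 96) {
                    throw new RuntimeException("Input Token not of type GSS_Kerberosv5_AP_REQ or Kerberosv5_AP_REQ");
                }
                this.debug.out(5, "KerberosTokenConsumer: Decoded a GSS Wrapped input token\n");
                this.wrapped = true;
                ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
                TokenHeader tokenHeader = new TokenHeader(byteArrayInputStream);
                Oid mechanism = tokenHeader.getMechanism();
                this.debug.out(5, "KerberosTokenConsumer: The Mechanism OID =\n" + mechanism.toString());
                if (!mechanism.equals(MECH_TYPE_KRB5)) {
                    I18NException.throwGSSException(2, 0, "MismatchedMechs", new String[]{mechanism.toString(), MECH_TYPE_KRB5.toString()});
                }
                int mechTokenLen = tokenHeader.getMechTokenLen();
                int remaining = byteArrayInputStream.available();
                // The length comes from the sender. Reject it before allocating when it cannot
                // hold the token id or exceeds what was actually received.
                if (mechTokenLen < TOK_ID_LEN || mechTokenLen > remaining) {
                    I18NException.throwGSSException(10, 0, "StreamDataLenMismatch", new Integer[]{Integer.valueOf(mechTokenLen), Integer.valueOf(remaining)});
                }
                byte[] mechToken = stream2Bytes(byteArrayInputStream, mechTokenLen);
                byte[] tokenId = Arrays.copyOfRange(mechToken, 0, TOK_ID_LEN);
                if (!Arrays.equals(tokenId, AP_REQ_TOK_ID)) {
                    throw new RuntimeException("GSS Token was not an APReq message");
                }
                aPReq = new APReq(Arrays.copyOfRange(mechToken, TOK_ID_LEN, mechToken.length));
            }
            Ticket ticket = aPReq.getTicket();
            APOptions options = aPReq.getOptions();
            EncryptedData encryptedPart = ticket.getEncryptedPart();
            this.realmName = ticket.getRealm().toString();
            this.debug.out(5, "KerberosTokenConsumer: The Ticket Realm Name = " + this.realmName);
            this.serviceName = ticket.getServer().getNameString();
            this.debug.out(5, "KerberosTokenConsumer: The Ticket Service Name = " + this.serviceName);
            // The principal to load keys for is taken from the unauthenticated part of the ticket;
            // the ticket only decrypts if the server really holds a key for that principal.
            String str2 = this.serviceName + "@" + this.realmName;
            try {
                if (useSubjectCredsOnly()) {
                    this.creds = getServerCredsFromSubject(str2);
                    if (this.creds != null) {
                        this.debug.out(5, "KerberosTokenConsumer: Found Credentials in the Subject for = " + str2);
                    }
                }
            } catch (Exception e2) {
                e2.printStackTrace();
                this.debug.out(5, "KerberosTokenConsumer: No Valid Credentials Found in the Subject\n");
                this.creds = null;
            }
            if (this.creds == null && this.keyTabFile != null) {
                this.debug.out(5, "KerberosTokenConsumer: Not using Subject Credentials, using KeyTab creds\n");
                this.creds = Credentials.getServiceCreds(str2, new File(this.keyTabFile));
            } else if (this.creds == null) {
                this.debug.out(5, "KerberosTokenConsumer: Not using Subject Credentials, using default KeyTab creds\n");
                this.creds = Credentials.getServiceCreds(str2, (File) null);
            }
            if (this.creds == null) {
                I18NException.throwGSSException(11, 0, "NoKrbCred", new String[]{"Failed to obtain credentials for " + str2});
            }
            this.serviceKey = this.creds.getServiceKey(encryptedPart.getEType());
            // Key usage 2 = ticket encrypted part. The three branches of the original were identical.
            // NOTE(review): DES-family encryption types are still accepted here.
            if (encryptedPart.isDesEncType() || encryptedPart.isAES128EncType() || encryptedPart.isAES256EncType()) {
                decrypt = encryptedPart.reset(encryptedPart.decrypt(this.serviceKey, 2), true);
            } else {
                try {
                    decrypt = encryptedPart.decrypt(this.serviceKey, 2);
                } catch (KrbException e3) {
                    // Remaining types: retry with key usage 8 when usage 2 fails.
                    decrypt = encryptedPart.decrypt(this.serviceKey, 8);
                }
            }
            EncTicketPart encTicketPart = new EncTicketPart(decrypt);
            this.clientName = encTicketPart.getClient().getNameString();
            this.clientAuthTime = encTicketPart.getAuthTime().getTime();
            this.sessionKey = encTicketPart.getEncryptionKey();
            if (options.get(1)) {
                // NOTE(review): with AP option bit 1 set, the key from the ticket is replaced by
                // the server credential's own session key - confirm this is the intended handling.
                this.sessionKey = this.creds.getSessionKey();
            }
            // Only the key type is logged; the key bytes must not reach a log file.
            this.debug.out(5, "KerberosTokenConsumer: The AP_REQ Session Key type = " + EncryptedData.encTypeToString(this.sessionKey.getEType()));
            EncryptedData encryptedAuthenticator = aPReq.getEncryptedAuthenticator();
            this.subKey = null;
            int sessionEType = this.sessionKey.getEType();
            // Key usage 11 = AP_REQ authenticator.
            byte[] authenticatorBytes = encryptedAuthenticator.decrypt(this.sessionKey, 11);
            if (EncryptedData.isDesEncType(sessionEType) || EncryptedData.isAES128EncType(sessionEType) || EncryptedData.isAES256EncType(sessionEType)) {
                authenticatorBytes = encryptedAuthenticator.reset(authenticatorBytes, true);
            }
            this.authn = new Authenticator(authenticatorBytes);
            this.subKey = this.authn.getSubKey();
            verifyAPReq(this.authn, encTicketPart);
            this.delegCred = getDelegatedCreds(this.authn);
            this.rawSessionKey = this.sessionKey.getBytes();
            this.rawSessionKeyType = this.sessionKey.getEType();
            if (this.delegCred != null && this.delegCred.length > 0) {
                Credentials clientCredentials = KerberosCredsUtil.getClientCredentials(this.delegCred, this.sessionKey);
                this.delegatedTicket = new KerberosTicket(clientCredentials.getEncoded(), new KerberosPrincipal(clientCredentials.getClient().toString()), new KerberosPrincipal(clientCredentials.getServer().toString()), clientCredentials.getSessionKey().getBytes(), clientCredentials.getSessionKey().getEType(), clientCredentials.getFlags(), clientCredentials.getAuthTime(), clientCredentials.getStartTime(), clientCredentials.getEndTime(), clientCredentials.getRenewTill(), clientCredentials.getClientAddresses());
            }
            this.rawSubKey = null;
            if (this.subKey != null) {
                this.rawSubKey = this.subKey.getBytes();
                this.debug.out(5, "KerberosTokenConsumer: The AP_REQ SubSession Key type = " + EncryptedData.encTypeToString(this.subKey.getEType()));
            }
            fillContext(map);
        } catch (Exception e4) {
            e4.printStackTrace();
            throw new RuntimeException(e4);
        }
    }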

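    /**
     * Extracts the delegated-credential bytes from the authenticator checksum.
     *
     * <p>Layout as this method reads it: a 4-byte little-endian channel-binding length that
     * must be 16, the 16 channel-binding bytes, 4 flag bytes, 2 bytes that are skipped, a
     * 2-byte little-endian credential length, then the credential itself.
     *
     * <p>The return values are the same as in the original for every input. What changed:
     * the lengths are checked before any byte is read, the throw-away copies are gone, and a
     * malformed checksum is reported through the debug log instead of vanishing in an empty
     * {@code catch}.
     *
     * <p>NOTE(review): the channel-binding bytes and the flag bytes are skipped without being
     * examined, so nothing here confirms that the sender actually requested delegation -
     * confirm whether that is checked elsewhere.
     *
     * @param authenticator decrypted authenticator of the AP_REQ
     * @return the delegated-credential bytes, or {@code null} when the checksum is absent,
     *         carries no credential, or is malformed
     */
    private byte[] getDelegatedCreds(Authenticator authenticator) {
        if (authenticator.getChecksum() == null) {
            return null;
        }
        try {
            byte[] bytes = authenticator.getChecksum().getBytes();
            if (bytes == null || bytes.length < CKSUM_SIZE_MIN) {
                this.debug.out(5, "KerberosTokenConsumer: Ignoring authenticator checksum: shorter than " + CKSUM_SIZE_MIN + " bytes");
                return null;
            }
            int bindingLength = bytesToInt(bytes);
            if (bindingLength != CB_SIZE) {
                this.debug.out(5, "KerberosTokenConsumer: Ignoring authenticator checksum: Length (" + bindingLength + ") of Channel Binding is not 16");
                return null;
            }
            if (bytes.length == CKSUM_SIZE_MIN) {
                // Length field, channel binding and flags only: no delegated credential present.
                return null;
            }
            int lengthOffset = CKSUM_SIZE_MIN + 2;
            int credOffset = lengthOffset + 2;
            if (bytes.length < credOffset) {
                this.debug.out(5, "KerberosTokenConsumer: Ignoring authenticator checksum: Checksum too short");
                return null;
            }
            int declaredLength = bytesToInt(Arrays.copyOfRange(bytes, lengthOffset, credOffset), 2);
            if (declaredLength != bytes.length - credOffset) {
                // The declared length must account for every remaining byte.
                this.debug.out(5, "KerberosTokenConsumer: Ignoring authenticator checksum: Checksum size mismatch");
                return null;
            }
            return Arrays.copyOfRange(bytes, credOffset, bytes.length);
        } catch (Exception e) {
            // Best effort, as before: a checksum that cannot be read yields no delegated credentials.
            this.debug.out(5, "KerberosTokenConsumer: Ignoring authenticator checksum: " + e);
            return null;
        }
    }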

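    /**
     * Copies the outcome of {@code invoke} into the caller's context map.
     *
     * <p>Replaces the deprecated {@code new Integer(..)} boxing and the redundant
     * {@code new String(..)} copies of the original and folds its two identical "wrapped"
     * branches into one; the keys and the values (by {@code equals}) are unchanged.
     *
     * <p>NOTE(review): the map receives live secret material - the raw session key, the raw
     * sub-session key, the delegated credential bytes and ticket, and a {@link KerberosKey}
     * built from the long-term service key. Every holder of this map can read them, and
     * nothing in this class clears them afterwards.
     *
     * @param map context map to populate; entries are only written for values that are set
     */
    private void fillContext(Map<String, Object> map) {
        Integer wrappedFlag = Integer.valueOf(isWrapped() ? WRAPPED : NOT_WRAPPED);
        map.put(KerberosTokenConfig.CONTEXT_WRAPPED, wrappedFlag);
        map.put(KerberosTokenConfig.CONTEXT_WRAPPED_TYPE, wrappedFlag.getClass().getName());

        if (this.rawSessionKey != null) {
            map.put(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES, this.rawSessionKey);
            map.put(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES_TYPE, Integer.valueOf(this.rawSessionKeyType));
        }
        if (this.rawSubKey != null) {
            map.put(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES, this.rawSubKey);
            map.put(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES_TYPE, this.rawSubKey.getClass().getName());
        }
        if (this.delegCred != null) {
            map.put(KerberosTokenConfig.CONTEXT_DELEG_CREDS_BYTES, this.delegCred);
        }
        if (this.delegatedTicket != null) {
            map.put(KerberosTokenConfig.CONTEXT_DELEG_KERBEROS_TICKET, this.delegatedTicket);
        }
        KerberosKey serviceKerberosKey = getServiceKerberosKey();
        if (serviceKerberosKey != null) {
            map.put(KerberosTokenConfig.CONTEXT_KRB_SERVICE_KEY, serviceKerberosKey);
            map.put(KerberosTokenConfig.CONTEXT_KRB_SERVICE_KEY_TYPE, serviceKerberosKey.getClass().getName());
        }
        if (this.sessionKey != null) {
            Integer sessionEncType = Integer.valueOf(getSessionKeyEncType());
            map.put(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC, sessionEncType);
            map.put(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC_TYPE, sessionEncType.getClass().getName());
        }
        if (this.subKey != null) {
            Integer subKeyEncType = Integer.valueOf(getSubSessionKeyEncType());
            map.put(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC, subKeyEncType);
            map.put(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC_TYPE, subKeyEncType.getClass().getName());
        }
        if (this.subject != null) {
            map.put(KerberosTokenConfig.CONTEXT_SUBJECT, this.subject);
            map.put(KerberosTokenConfig.CONTEXT_SUBJECT_TYPE, this.subject.getClass().getName());
        }
        if (this.clientName != null) {
            map.put(KerberosTokenConfig.CLIENT_NAME, this.clientName);
        }
        if (this.clientAuthTime > 0) {
            map.put(KerberosTokenConfig.CLIENT_AUTHTIME, Long.valueOf(this.clientAuthTime));
        }
        if (this.realmName != null) {
            map.put(KerberosTokenConfig.REALM_NAME, this.realmName);
        }
    }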

    /**
     * Sets the flag that makes {@code invoke} look for the service credentials in the
     * Subject before it falls back to a keytab.
     *
     * @param z {@code true} to consult the Subject first
     */
    public void setUseSubjectCreds(boolean z) {
        useSubject = z;
    }

    /**
     * Reports the flag set by {@code setUseSubjectCreds}. Despite the name, {@code invoke}
     * still falls back to keytab credentials when the Subject yields none.
     */
    private boolean useSubjectCredsOnly() {
        return useSubject;
    }

    /** Tells whether {@code invoke} recognised the token as GSS-wrapped rather than a bare AP_REQ. */
    private boolean isWrapped() {
        return wrapped;
    }

    /**
     * Reads the first four bytes of {@code bArr} as a little-endian 32-bit integer.
     *
     * <p>No length check is made: an array shorter than four bytes raises
     * {@link ArrayIndexOutOfBoundsException}, so callers handling untrusted input must check
     * the length themselves or be prepared for the exception.
     *
     * @param bArr source bytes, at least four of them
     * @return the decoded value; bytes beyond the fourth are ignored
     */
    static int bytesToInt(byte[] bArr) {
        int value = 0;
        // Walk from the most significant byte (index 3) down to the least significant (index 0).
        for (int index = 3; index >= 0; index--) {
            value = (value << 8) | (bArr[index] & 0xFF);
        }
        return value;
    }

    /**
     * Reads the first {@code i} bytes of {@code bArr} as a little-endian integer.
     *
     * <p>{@code i} is capped at four; a negative {@code i} yields 0. The array length is not
     * checked, so an array shorter than the effective count raises
     * {@link ArrayIndexOutOfBoundsException}.
     *
     * @param bArr source bytes
     * @param i    number of bytes to decode
     * @return the decoded value
     */
    static int bytesToInt(byte[] bArr, int i) {
        if (i < 0) {
            return 0;
        }
        int count = Math.min(i, 4);
        int value = 0;
        for (int index = count - 1; index >= 0; index--) {
            value = (value << 8) | (bArr[index] & 0xFF);
        }
        return value;
    }

    /**
     * Wraps the long-term service key used for the ticket in a {@link KerberosKey} owned by
     * {@code serviceName@realmName}; a missing key version number is reported as 0.
     *
     * <p>NOTE(review): the returned object carries the service's long-term secret and is
     * placed into the caller's context map by {@code fillContext}.
     *
     * @return the key, or {@code null} when no service key is set or the conversion fails
     */
    private KerberosKey getServiceKerberosKey() {
        if (this.serviceKey == null) {
            return null;
        }
        try {
            Integer kvno = this.serviceKey.getKeyVersionNumber();
            KerberosPrincipal owner = new KerberosPrincipal(this.serviceName + "@" + this.realmName);
            byte[] keyBytes = this.serviceKey.getBytes();
            int keyType = this.serviceKey.getEType();
            int version = (kvno == null) ? 0 : kvno.intValue();
            return new KerberosKey(owner, keyBytes, keyType, version);
        } catch (Exception failure) {
            failure.printStackTrace();
            return null;
        }
    }

    /** Returns the encryption type of the session key, or 0 while no session key is set. */
    private int getSessionKeyEncType() {
        return this.sessionKey == null ? 0 : this.sessionKey.getEType();
    }

    /** Returns the encryption type of the sub-session key, or 0 while no sub-session key is set. */
    private int getSubSessionKeyEncType() {
        return this.subKey == null ? 0 : this.subKey.getEType();
    }

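    /**
     * Checks the decrypted authenticator against the decrypted ticket.
     *
     * <p>Rejected, in this order: a client principal that differs between authenticator and
     * ticket, an authenticator time outside the allowed clock skew, a ticket that is not yet
     * valid, an expired ticket, and a ticket with flag 7 set (reported as "TktInvalid").
     *
     * <p>Change against the decompiled original: the {@code KrbException} handler now comes
     * before the generic {@code Exception} handler. In the listed order the specific handler
     * is unreachable if {@code KrbException} is an {@code Exception} subtype.
     *
     * <p>NOTE(review): no replay-cache lookup is performed here; confirm that replay of an
     * authenticator inside the clock-skew window is detected elsewhere.
     *
     * @param authenticator decrypted authenticator of the AP_REQ
     * @param encTicketPart decrypted ticket part
     * @throws GSSException raised through {@code I18NException} for every failed check
     */
    private void verifyAPReq(Authenticator authenticator, EncTicketPart encTicketPart) throws GSSException {
        KerberosTime time = authenticator.getTime();
        PrincipalName client = authenticator.getClient();
        PrincipalName client2 = encTicketPart.getClient();
        try {
            time.setMicroSeconds(authenticator.getMicroSeconds());
            // Fill in realms that are missing on the names so the comparison below covers them.
            if (client.getRealm() == null) {
                client.setRealm(authenticator.getRealm());
            }
            if (client2.getRealm() == null) {
                client2.setRealm(encTicketPart.getClientRealm());
            }
        } catch (KrbException e2) {
            I18NException.throwGSSException(11, e2.returnCode(), "KrbErrorAPREQ", new String[]{e2.toString()});
        } catch (Exception e) {
            // Also reached when a name or the time is null.
            I18NException.throwGSSException(11, 0, "ErrorAPREQ", new String[]{e.toString()});
        }
        if (!client.equals(client2)) {
            String ticketClient = (client2 != null) ? client2.toString() : null;
            if (ticketClient != null) {
                I18NException.throwGSSException(10, 36, "TktNameMismatch", new String[]{client.toString(), ticketClient});
            } else {
                I18NException.throwGSSException(10, 36, "TktNameMismatch2", new String[]{client.toString()});
            }
        }
        if (!time.inClockSkew()) {
            I18NException.throwGSSException(10, 37, "ClientTimeTooSkewed", new Date[]{time.toDate()});
        }
        // A ticket without an explicit start time is valid from its authentication time.
        KerberosTime startTime = encTicketPart.getStartTime();
        if (startTime == null) {
            startTime = encTicketPart.getAuthTime();
        }
        KerberosTime kerberosTime = new KerberosTime(true);
        if (startTime.greaterThanWRTClockSkew(kerberosTime)) {
            I18NException.throwGSSException(10, 33, "TktNYV", new Date[]{startTime.toDate(), kerberosTime.toDate()});
        }
        if (kerberosTime.greaterThanWRTClockSkew(encTicketPart.getEndTime())) {
            I18NException.throwGSSException(10, 32, "TktExpired", new Date[]{kerberosTime.toDate(), encTicketPart.getEndTime().toDate()});
        }
        TicketFlags ticketFlags = encTicketPart.getTicketFlags();
        if (ticketFlags != null && ticketFlags.get(7)) {
            I18NException.throwGSSException(10, 33, "TktInvalid");
        }
    }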

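    /**
     * Reads exactly {@code i} bytes from {@code inputStream}.
     *
     * <p>Changes against the decompiled original: a negative length is reported as a length
     * mismatch instead of surfacing as {@link NegativeArraySizeException}; the read is
     * repeated until the buffer is full or the stream ends, since a single {@code read} may
     * legitimately return fewer bytes than requested; and the deprecated
     * {@code new Integer(..)} boxing is gone.
     *
     * <p>NOTE(review): the buffer is allocated from the requested length before anything is
     * read, so callers passing a length taken from untrusted input should bound it first.
     *
     * @param inputStream stream positioned at the first byte to read
     * @param i           number of bytes required
     * @return a new array holding the {@code i} bytes read
     * @throws GSSException raised through {@code I18NException} on a read error or when fewer
     *         than {@code i} bytes are available
     */
    private byte[] stream2Bytes(InputStream inputStream, int i) throws GSSException {
        if (i < 0) {
            I18NException.throwGSSException(10, 0, "StreamDataLenMismatch", new Integer[]{Integer.valueOf(i), Integer.valueOf(0)});
        }
        byte[] buffer = new byte[i];
        int total = 0;
        try {
            while (total < i) {
                int count = inputStream.read(buffer, total, i - total);
                if (count < 0) {
                    // End of stream before the requested length was reached.
                    break;
                }
                total += count;
            }
        } catch (Exception e) {
            I18NException.throwGSSException(10, 0, "StreamReadError", new String[]{e.toString()});
        }
        if (total != i) {
            I18NException.throwGSSException(10, 0, "StreamDataLenMismatch", new Integer[]{Integer.valueOf(i), Integer.valueOf(total)});
        }
        return buffer;
    }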

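    /**
     * Builds the service credentials for {@code str} from the Kerberos keys and ticket held
     * in the Subject.
     *
     * <p>With a ticket present, the credentials are built from the ticket and the matching
     * keys are attached as service keys; with keys only, the credentials are built from the
     * keys and the principal of the first key.
     *
     * <p>Changes against the decompiled original: the exception unwrapped from
     * {@link PrivilegedActionException} is cast to {@link GSSException}, the only checked
     * exception the two finder actions declare (the listed {@code throw e.getException()}
     * does not match this method's {@code throws} clause); the {@code KrbException} handler
     * precedes the generic one so it stays reachable if {@code KrbException} is an
     * {@code Exception} subtype; the duplicated key-conversion loop is a helper; and the
     * deprecated {@code new Integer(..)} boxing is gone.
     *
     * <p>NOTE(review): the long-term key bytes are copied out of the Subject into new
     * {@code EncryptionKey} objects; nothing visible here clears those copies.
     *
     * @param str service principal in {@code name@REALM} form
     * @return the credentials found in the Subject
     * @throws GSSException when the Subject is unavailable or holds no usable credentials
     */
    private Credentials getServerCredsFromSubject(String str) throws GSSException {
        KerberosKey[] kerberosKeyArr;
        KerberosTicket kerberosTicket;
        try {
            kerberosKeyArr = (KerberosKey[]) AccessController.doPrivileged(new SubjectKeyFinder(str));
            kerberosTicket = (KerberosTicket) AccessController.doPrivileged(new SubjectCredFinder(str));
        } catch (PrivilegedActionException e) {
            // Both finder actions declare GSSException as their only checked exception.
            throw (GSSException) e.getException();
        }
        Credentials credentials = null;
        if (kerberosTicket != null) {
            EncryptionKey[] serviceKeys = toEncryptionKeys(kerberosKeyArr);
            try {
                credentials = new Credentials(kerberosTicket.getEncoded(), kerberosTicket.getClient().getName(), kerberosTicket.getServer().getName(), kerberosTicket.getSessionKey().getEncoded(), kerberosTicket.getSessionKeyType(), kerberosTicket.getFlags(), kerberosTicket.getAuthTime(), kerberosTicket.getStartTime(), kerberosTicket.getEndTime(), kerberosTicket.getRenewTill(), kerberosTicket.getClientAddresses());
            } catch (KrbException e2) {
                I18NException.throwGSSException(13, 0, "KrbSubjectCredError", new String[]{e2.toString()});
            } catch (Exception e) {
                I18NException.throwGSSException(13, 0, "SubjectCredError", new String[]{e.toString()});
            }
            if (credentials != null && serviceKeys != null) {
                try {
                    credentials.setServiceKeys(serviceKeys);
                } catch (Exception e3) {
                    I18NException.throwGSSException(11, 0, "Error", new String[]{e3.toString()});
                }
            }
        } else if (kerberosKeyArr != null) {
            EncryptionKey[] serviceKeys = toEncryptionKeys(kerberosKeyArr);
            try {
                credentials = new Credentials(kerberosKeyArr[0].getPrincipal().getName(), serviceKeys);
            } catch (KrbException e4) {
                I18NException.throwGSSException(13, 0, "KrbSubjectCredError", new String[]{e4.toString()});
            }
        }
        if (credentials == null) {
            I18NException.throwGSSException(13, 0, "NoSubjectPrincipalCred", new String[]{str});
        }
        return credentials;
    }

    /** Converts JAAS Kerberos keys into the internal key type; {@code null} stays {@code null}. */
    private static EncryptionKey[] toEncryptionKeys(KerberosKey[] kerberosKeyArr) {
        if (kerberosKeyArr == null) {
            return null;
        }
        EncryptionKey[] converted = new EncryptionKey[kerberosKeyArr.length];
        for (int i = 0; i < kerberosKeyArr.length; i++) {
            converted[i] = new EncryptionKey(kerberosKeyArr[i].getEncoded(), kerberosKeyArr[i].getKeyType(), Integer.valueOf(kerberosKeyArr[i].getVersionNumber()));
        }
        return converted;
    }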

    // Resolves the Kerberos mechanism OID once at class-load time. If the Oid cannot be
    // built, the failure is only logged and MECH_TYPE_KRB5 stays null.
    static {
        Oid krb5Mechanism = null;
        try {
            krb5Mechanism = new Oid(KRBTokenProfileConstants.STR_KERBEROS_OID);
        } catch (Exception oidFailure) {
            new Debug().out(4, "Exception creating Oid(s)" + oidFailure);
        }
        MECH_TYPE_KRB5 = krb5Mechanism;
    }
}
