package com.bea.security.utils.kerberos;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.SecurityLogger;
import com.bea.common.security.utils.encoders.BASE64Decoder;
import com.bea.security.utils.gss.GSSExceptionInfo;
import com.bea.security.utils.negotiate.CredentialObject;
import com.bea.security.utils.negotiate.NegotiateTokenUtils;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import weblogic.utils.Hex;

/* loaded from: input_file:com/bea/security/utils/kerberos/KerberosTokenHandler.class */
/**
 * Acceptor-side handler for Kerberos tokens carried over GSS-API.
 *
 * <p>An instance accepts one token (raw bytes from a parsed NegTokenInit, a Base64 GSS
 * initial-context token, or a Base64 token passed through
 * {@code KerberosTokenUtils.getGssInitContextToken}) and records the outcome: the
 * authenticated user name, whether more round trips are needed, the reply token and any
 * delegated credential.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Once {@code username} is set, every public {@code accept*} method returns
 *       immediately without looking at its argument. The earlier identity stays in place,
 *       so an instance is effectively single-use per authentication exchange.</li>
 *   <li>The user name is the GSS source name truncated at the first {@code '@'}; the realm
 *       part is discarded before callers see it.</li>
 *   <li>With debug logging enabled, the GSS name, the derived user name and a hex dump of
 *       the reply token are written to the log.</li>
 * </ul>
 *
 * <p>No synchronization is visible here; the state fields are plain mutable fields.
 * NOTE(review): this is decompiler output (see the JADX marker below), so parameter names
 * such as {@code z} and {@code bArr} and the exact try/catch nesting are reconstructions.
 */
public class KerberosTokenHandler {
    private LoggerSpi logger;
    // Captured once in the constructor; later changes to the logger's debug level are not seen.
    private boolean isDebugEnabled;
    // Null until a security context has been established; also acts as the "already done" guard.
    private String username = null;
    // Starts true; cleared on success and on context-creation failure.
    private boolean moreRequired = true;
    // Package-private (no modifier) unlike the other state fields.
    boolean acceptCompleted = false;
    // Reply token from acceptSecContext, kept only when the caller asked for it.
    private byte[] outputToken = null;
    private CredentialObject delegatedCredential = null;
    private GSSManager gssManager = GSSManager.getInstance();

    /**
     * Creates a handler that logs through {@code loggerSpi}.
     *
     * @param loggerSpi logger to use; may be null, in which case debug logging is disabled
     */
    public KerberosTokenHandler(LoggerSpi loggerSpi) {
        this.logger = loggerSpi;
        this.isDebugEnabled = loggerSpi != null && loggerSpi.isDebugEnabled();
    }

    /**
     * Returns the authenticated user name, or null if no context has been established yet.
     * The value is the GSS source name with everything from the first '@' onward removed.
     */
    public String getUsername() {
        return this.username;
    }

    /** Returns true while the context is not yet established and another token is expected. */
    public boolean isMoreRequired() {
        return this.moreRequired;
    }

    /** Returns the value of {@code GSSContext.isEstablished()} recorded by the last accept call. */
    public boolean isAcceptCompleted() {
        return this.acceptCompleted;
    }

    /**
     * Returns the reply token to send back to the peer, or null if none was produced or kept.
     * The internal array is returned directly, not a copy.
     */
    public byte[] getOutputToken() {
        return this.outputToken;
    }

    /** Returns the delegated credential captured during acceptance, or null if none was delegated. */
    public CredentialObject getDelegatedCredential() {
        return this.delegatedCredential;
    }

    /**
     * Accepts the mechanism token carried in a parsed NegTokenInit.
     *
     * <p>Does nothing if a user name has already been established on this instance.
     *
     * @param negTokenInitInfo parsed token; its {@code mechToken} must be non-null and non-empty
     * @throws IllegalArgumentException if the argument or its mechanism token is null or empty
     * @throws KerberosException if context creation or token acceptance fails
     */
    public void acceptGssInitContextToken(NegotiateTokenUtils.NegTokenInitInfo negTokenInitInfo) throws KerberosException {
        if (this.username != null) {
            return;
        }
        if (negTokenInitInfo == null || negTokenInitInfo.mechToken == null || negTokenInitInfo.mechToken.length < 1) {
            throw new IllegalArgumentException("Input token cannot be null or empty.");
        }
        try {
            // A null credential asks the GSS provider for its default acceptor credential.
            GSSContext createContext = this.gssManager.createContext((GSSCredential) null);
            // The flags below are copied from negTokenInitInfo (presumably parsed from the
            // peer's token - confirm in NegotiateTokenUtils).
            // NOTE(review): the org.ietf.jgss Javadoc describes these request* setters as
            // initiator-side requests; confirm they have any effect on an acceptor context.
            if (negTokenInitInfo.contextFlagDeleg) {
                createContext.requestCredDeleg(true);
            }
            if (negTokenInitInfo.contextFlagMutual) {
                createContext.requestMutualAuth(true);
            }
            if (negTokenInitInfo.contextFlagReplay) {
                createContext.requestReplayDet(true);
            }
            if (negTokenInitInfo.contextFlagSequence) {
                createContext.requestSequenceDet(true);
            }
            if (negTokenInitInfo.contextFlagAnon) {
                createContext.requestAnonymity(true);
            }
            if (negTokenInitInfo.contextFlagConf) {
                createContext.requestConf(true);
            }
            if (negTokenInitInfo.contextFlagInteg) {
                createContext.requestInteg(true);
            }
            // The mutual-auth flag doubles as "keep the reply token" for the private overload.
            acceptGssInitContextToken(createContext, negTokenInitInfo.mechToken, negTokenInitInfo.contextFlagMutual);
        } catch (GSSException e) {
            String message = e.getMessage();
            if (this.isDebugEnabled) {
                this.logger.debug(message, e);
            }
            throw new KerberosException(message, e);
        }
    }

    /**
     * Accepts a Base64-encoded GSS initial-context token.
     *
     * <p>Does nothing if a user name has already been established on this instance.
     *
     * @param str Base64 text of the token; must be non-null and non-empty
     * @param z when true, the reply token produced by acceptance is kept for {@link #getOutputToken()}
     * @throws IllegalArgumentException if {@code str} is null or empty
     * @throws KerberosException if decoding or acceptance fails
     */
    public void acceptGssInitContextToken(String str, boolean z) throws KerberosException {
        if (this.username != null) {
            return;
        }
        if (str == null || str.length() < 1) {
            throw new IllegalArgumentException("Input token cannot be null or empty.");
        }
        try {
            // Null context: the private overload creates the acceptor context itself.
            acceptGssInitContextToken(null, new BASE64Decoder().decodeBuffer(str), z);
        } catch (IOException e) {
            String message = e.getMessage();
            if (this.isDebugEnabled) {
                this.logger.debug(message, e);
            }
            throw new KerberosException(message, e);
        }
    }

    /**
     * Accepts a Base64-encoded token after passing the decoded bytes through
     * {@code KerberosTokenUtils.getGssInitContextToken} (presumably wrapping a raw KRB_AP_REQ
     * in GSS framing - confirm in KerberosTokenUtils).
     *
     * <p>Does nothing if a user name has already been established on this instance.
     *
     * @param str Base64 text of the token; must be non-null and non-empty
     * @param z when true, the reply token produced by acceptance is kept for {@link #getOutputToken()}
     * @throws IllegalArgumentException if {@code str} is null or empty
     * @throws KerberosException if decoding or acceptance fails
     */
    public void acceptKrbApReqToken(String str, boolean z) throws KerberosException {
        if (this.username != null) {
            return;
        }
        if (str == null || str.length() < 1) {
            throw new IllegalArgumentException("Input token cannot be null or empty.");
        }
        try {
            // NOTE(review): if the helper can return null, the later bArr.length access throws an
            // NPE that is reported with the JCE-configuration message, hiding the real cause.
            acceptGssInitContextToken(null, KerberosTokenUtils.getGssInitContextToken(new BASE64Decoder().decodeBuffer(str), this.logger), z);
        } catch (IOException e) {
            String message = e.getMessage();
            if (this.isDebugEnabled) {
                this.logger.debug("Base64 decoding error: " + message, e);
            }
            throw new KerberosException(message, e);
        }
    }

    /**
     * Runs the acceptance step inside {@code Subject.doAsPrivileged} with a null Subject and a
     * null AccessControlContext, so the work is not associated with any caller Subject.
     *
     * @param gSSContext acceptor context to use, or null to have one created
     * @param bArr token bytes to accept
     * @param z when true, the reply token is kept for {@link #getOutputToken()}
     * @throws KerberosException if acceptance fails
     */
    private void acceptGssInitContextToken(final GSSContext gSSContext, final byte[] bArr, final boolean z) throws KerberosException {
        try {
            Subject.doAsPrivileged((Subject) null, new PrivilegedExceptionAction<Object>() { // from class: com.bea.security.utils.kerberos.KerberosTokenHandler.1
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws KerberosException {
                    KerberosTokenHandler.this.acceptGssInitContextTokenInDoAs(gSSContext, bArr, z);
                    return null;
                }
            }, (AccessControlContext) null);
        } catch (PrivilegedActionException e) {
            // run() declares only KerberosException, which is what makes this cast hold.
            KerberosException kerberosException = (KerberosException) e.getException();
            if (this.isDebugEnabled) {
                this.logger.debug("acceptGssInitContextToken failed", kerberosException);
            }
            throw kerberosException;
        }
    }

    /**
     * Accepts the token on the given (or a newly created) context and records the result in
     * this handler's fields. The context is disposed on every exit path.
     *
     * <p>On an established context this sets {@code username}, clears {@code moreRequired} and,
     * when the peer delegated credentials, fills {@code delegatedCredential}. Otherwise
     * {@code moreRequired} is set to true.
     *
     * <p>NOTE(review): as printed, {@code catch (Exception)} precedes {@code catch (GSSException)},
     * which javac rejects because GSSException is a subclass of Exception, and the GSSException
     * and reflection exceptions raised in the second try have no handler in this text. This looks
     * like a decompiler artifact; treat the exception structure as approximate and check it
     * against the bytecode before relying on which handler runs.
     *
     * @param gSSContext acceptor context to use, or null to create one with the default credential
     * @param bArr token bytes to accept
     * @param z when true, the reply token is kept for {@link #getOutputToken()}
     * @throws KerberosException if context creation or acceptance fails
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void acceptGssInitContextTokenInDoAs(GSSContext gSSContext, byte[] bArr, boolean z) throws KerberosException {
        try {
            if (gSSContext == null) {
                try {
                    // A null credential asks the GSS provider for its default acceptor credential.
                    gSSContext = this.gssManager.createContext((GSSCredential) null);
                } catch (Exception e) {
                    this.moreRequired = false;
                    String message = e.getMessage();
                    if (this.isDebugEnabled) {
                        this.logger.debug("Exception: " + message, e);
                    }
                    throw new KerberosException(message, e);
                } catch (GSSException e2) {
                    this.moreRequired = false;
                    if (this.isDebugEnabled) {
                        GSSExceptionInfo.logInterpretedFailureInfo(this.logger, e2);
                    }
                    throw new KerberosException(e2.getMessage(), e2);
                }
            }
            try {
                byte[] acceptSecContext = gSSContext.acceptSecContext(bArr, 0, bArr.length);
                this.acceptCompleted = gSSContext.isEstablished();
                if (this.isDebugEnabled) {
                    this.logger.debug("gssContext isEstablished " + this.acceptCompleted);
                }
                // Reset on every call so a reply token from an earlier round is never reused.
                this.outputToken = null;
                if (acceptSecContext != null) {
                    if (this.isDebugEnabled) {
                        // Token bytes go to the debug log; handle such logs as sensitive data.
                        this.logger.debug("Out token \n" + Hex.dump(acceptSecContext));
                    }
                    if (z) {
                        this.outputToken = acceptSecContext;
                    }
                } else if (this.isDebugEnabled) {
                    this.logger.debug("No Output token present");
                }
                if (this.acceptCompleted) {
                    GSSName srcName = gSSContext.getSrcName();
                    String obj = srcName.toString();
                    if (this.isDebugEnabled) {
                        this.logger.debug("GSS name is " + obj);
                    }
                    // 64 is '@'. Everything from the first '@' (the realm) is dropped, so two
                    // principals that differ only by realm yield the same user name.
                    // NOTE(review): confirm this is acceptable where cross-realm trust is in use.
                    int indexOf = obj.indexOf(64);
                    if (indexOf != -1) {
                        this.username = obj.substring(0, indexOf);
                    } else {
                        this.username = obj;
                    }
                    if (this.isDebugEnabled) {
                        this.logger.debug("User name is " + this.username);
                    }
                    this.moreRequired = false;
                    if (gSSContext.getCredDelegState()) {
                        if (this.isDebugEnabled) {
                            this.logger.debug("delegate state is true, acquire delegated credential...");
                        }
                        GSSCredential delegCred = gSSContext.getDelegCred();
                        try {
                            // Looked up reflectively so the class still loads when
                            // com.sun.security.jgss.GSSUtil is absent from the runtime.
                            this.delegatedCredential = new CredentialObject((Subject) Class.forName("com.sun.security.jgss.GSSUtil").getMethod("createSubject", GSSName.class, GSSCredential.class).invoke(null, srcName, delegCred));
                        } catch (ClassNotFoundException e3) {
                            // Fallback: wrap the raw GSS credential instead of a Subject.
                            this.delegatedCredential = new CredentialObject(delegCred);
                        }
                    } else if (this.isDebugEnabled) {
                        this.logger.debug("delegate state is false, no delegated credential will be obtained.");
                    }
                } else {
                    this.moreRequired = true;
                }
                if (gSSContext != null) {
                    try {
                        gSSContext.dispose();
                    } catch (GSSException e4) {
                        // A failure while disposing the context is ignored.
                    }
                }
            } catch (NullPointerException e5) {
                // Any NPE in the block above, including a null bArr or a null source name, is
                // reported with this configuration hint; moreRequired is left unchanged.
                if (this.isDebugEnabled) {
                    this.logger.debug("NPE caught accepting the context, verify the JCE configuration is correct in java.security and the sun.security.jgss.SunProvider is configured");
                }
                throw new KerberosException(SecurityLogger.getUnableToAcceptKrbSecContext(), e5);
            }
        } catch (Throwable th) {
            // Failure path: dispose the context, then rethrow the original throwable.
            if (gSSContext != null) {
                try {
                    gSSContext.dispose();
                } catch (GSSException e6) {
                    // A failure while disposing the context is ignored.
                }
            }
            throw th;
        }
    }
}
