package org.wildfly.security.sasl.gs2;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.wildfly.common.Assert;
import org.wildfly.common.bytes.ByteStringBuilder;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.asn1.ASN1Exception;
import org.wildfly.security.asn1.DEREncoder;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.auth.callback.ServerCredentialCallback;
import org.wildfly.security.credential.GSSKerberosCredential;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.sasl.util.AbstractSaslServer;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-1.15.5.Final.jar:org/wildfly/security/sasl/gs2/Gs2SaslServer.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-sasl-gs2-1.15.5.Final.jar:org/wildfly/security/sasl/gs2/Gs2SaslServer.class */
/**
 * Server side of the SASL GS2 bridge mechanism (GS2 carries a GSS-API mechanism,
 * typically Kerberos, over SASL).
 *
 * <p>Responsibilities visible in this class: obtaining or creating the acceptor
 * credential, parsing the GS2 header that prefixes the client's first token
 * (channel-binding flag, optional authorization id), installing the channel binding
 * on the GSS context, driving {@code acceptSecContext} until the context is
 * established, and finally checking that the authenticated peer may act as the
 * requested authorization id.
 *
 * <p>This is a decompiled class (see the JADX notes above), so parameter and local
 * names are the decompiler's. The comments describe only what the visible code does.
 */
final class Gs2SaslServer extends AbstractSaslServer {
    // Negotiation states passed to setNegotiationState(). State 0 (first case of
    // evaluateMessage) is presumably the base class's "complete" state — confirm.
    private static final int ST_NO_MESSAGE = 1;
    private static final int ST_FIRST_MESSAGE = 2;
    private static final int ST_ACCEPTOR = 3;
    // true for the "-PLUS" variant: the client must use channel binding ("p=").
    private final boolean plus;
    // Name of the channel binding type this server offers; null when none is available.
    private final String bindingType;
    // Raw channel binding data matching bindingType; null when none is available.
    private final byte[] bindingData;
    // GSS-API mechanism OID derived from the SASL mechanism name in the constructor.
    private final Oid mechanism;
    // Acceptor-side security context; created in the constructor, nulled by dispose().
    private GSSContext gssContext;
    // Authorization id: the "a=" value from the GS2 header, or the peer's GSS name when
    // the client sent none (see checkAuthorizationID()).
    private String authorizationID;
    // Host portion of the target name the context was established for (see
    // storeBoundServerName()); exposed through getNegotiatedProperty().
    private String boundServerName;
    // Synthetic flag emitted by javac for `assert`. It is true unless the JVM runs with
    // -ea, so the AssertionError checks below are debugging aids, not security controls.
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Creates the server and its acceptor GSS context.
     *
     * @param str             SASL mechanism name; mapped to a GSS-API mechanism OID
     * @param str2            protocol (service) name, used to build the host-based
     *                        service name when no credential is supplied
     * @param str3            server name (host); null means an unbound acceptor name
     * @param callbackHandler handler asked for the service's {@link GSSKerberosCredential}
     * @param gSSManager      factory for names, credentials and the context
     * @param z               whether this is the "-PLUS" (channel-binding required) variant
     * @param str4            channel binding type offered by the server, or null
     * @param bArr            channel binding data, or null
     * @throws SaslException if the mechanism name cannot be mapped, the callback handler
     *                       fails for an unknown reason, or the GSS context cannot be created
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public Gs2SaslServer(String str, String str2, String str3, CallbackHandler callbackHandler, GSSManager gSSManager, boolean z, String str4, byte[] bArr) throws SaslException {
        super(str, str2, str3, callbackHandler, ElytronMessages.saslGs2);
        GSSName gSSName;
        this.plus = z;
        this.bindingType = str4;
        this.bindingData = bArr;
        try {
            this.mechanism = Gs2.getMechanismForSaslName(gSSManager, str);
            GSSCredential gSSCredential = null;
            ServerCredentialCallback serverCredentialCallback = new ServerCredentialCallback(GSSKerberosCredential.class);
            try {
                // Preferred path: the application hands us an already acquired credential.
                ElytronMessages.saslGs2.trace("Obtaining GSSCredential for the service from callback handler");
                callbackHandler.handle(new Callback[]{serverCredentialCallback});
                gSSCredential = (GSSCredential) serverCredentialCallback.applyToCredential(GSSKerberosCredential.class, (v0) -> {
                    return v0.getGssCredential();
                });
            } catch (IOException e) {
                throw ElytronMessages.saslGs2.mechCallbackHandlerFailedForUnknownReason(e).toSaslException();
            } catch (UnsupportedCallbackException e2) {
                // Not fatal: the handler simply does not supply credentials; fall back to
                // acquiring one from the GSS manager below.
                ElytronMessages.saslGs2.trace("Unable to obtain GSSCredential from callback handler", e2);
            }
            try {
                if (gSSCredential == null) {
                    if (str3 != null) {
                        // Host-based service name "service@host" for the selected mechanism.
                        String str5 = str2 + "@" + str3;
                        ElytronMessages.saslGs2.tracef("Our name is '%s'", str5);
                        gSSName = gSSManager.createName(str5, GSSName.NT_HOSTBASED_SERVICE, this.mechanism);
                    } else {
                        // A null name lets the GSS provider pick any acceptor principal it has.
                        ElytronMessages.saslGs2.tracef("Our name is unbound", new Object[0]);
                        gSSName = null;
                    }
                    // Integer.MAX_VALUE is GSSCredential.INDEFINITE_LIFETIME; usage 2 is
                    // GSSCredential.ACCEPT_ONLY, so this credential cannot initiate contexts.
                    gSSCredential = gSSManager.createCredential(gSSName, Integer.MAX_VALUE, this.mechanism, 2);
                }
                this.gssContext = gSSManager.createContext(gSSCredential);
            } catch (GSSException e3) {
                throw ElytronMessages.saslGs2.mechUnableToCreateGssContext(e3).toSaslException();
            }
        } catch (GSSException e4) {
            throw ElytronMessages.saslGs2.mechMechanismToOidMappingFailed(e4).toSaslException();
        }
    }

    /** Resets the negotiation to {@code ST_NO_MESSAGE}. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(1);
    }

    /**
     * Returns the authorization id established by {@link #checkAuthorizationID()};
     * null until the exchange has reached that point.
     */
    public String getAuthorizationID() {
        return this.authorizationID;
    }

    /**
     * Processes one client message according to the current negotiation state.
     *
     * <p>States 1 and 2 fall out of the switch into the GS2 header parser below it;
     * state 3 feeds subsequent tokens straight into {@code acceptSecContext}.
     *
     * @param i    current negotiation state
     * @param bArr client message; may be null or empty
     * @return the server token to send back (may be empty), or null once complete
     * @throws SaslException on any protocol violation, channel binding mismatch,
     *                       GSS-API failure or authorization failure
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        int i2;
        int index;
        byte[] restoreTokenHeader;
        switch (i) {
            case 0:
                // Already complete: tolerate an empty message, reject anything else.
                if (bArr == null || bArr.length == 0) {
                    return null;
                }
                throw ElytronMessages.saslGs2.mechMessageAfterComplete().toSaslException();
            case 1:
                // No initial response: answer with an empty token and go to ST_ACCEPTOR.
                // NOTE(review): this path never parses a GS2 header or calls
                // setChannelBinding, even when `plus` is set — confirm this transition is
                // intended (ST_FIRST_MESSAGE would route the next message through the
                // header parser below).
                if (bArr == null || bArr.length == 0) {
                    setNegotiationState(3);
                    return NO_BYTES;
                }
                break;
            case 2:
                break;
            case 3:
                // Continuation tokens after the first one: no GS2 header expected.
                if (!$assertionsDisabled && this.gssContext.isEstablished()) {
                    throw new AssertionError();
                }
                try {
                    byte[] acceptSecContext = this.gssContext.acceptSecContext(bArr, 0, bArr.length);
                    if (this.gssContext.isEstablished()) {
                        // The context must have been established with the mechanism this
                        // SASL name selected, not with something else the peer negotiated.
                        if (!this.mechanism.equals(this.gssContext.getMech())) {
                            throw ElytronMessages.saslGs2.mechGssApiMechanismMismatch().toSaslException();
                        }
                        storeBoundServerName();
                        checkAuthorizationID();
                        storeDelegatedGSSCredential();
                        negotiationComplete();
                    }
                    return acceptSecContext;
                } catch (GSSException e) {
                    throw ElytronMessages.saslGs2.mechUnableToAcceptClientMessage(e).toSaslException();
                }
            default:
                throw Assert.impossibleSwitchCase(i);
        }
        // --- First client message: GS2 header followed by the initial mechanism token ---
        if (!$assertionsDisabled && this.gssContext.isEstablished()) {
            throw new AssertionError();
        }
        if (bArr == null || bArr.length == 0) {
            throw ElytronMessages.saslGs2.mechClientRefusesToInitiateAuthentication().toSaslException();
        }
        ByteIterator ofBytes = ByteIterator.ofBytes(bArr);
        // View of the current comma-delimited field (44 == ','), decoded as UTF-8.
        // Assumes drainToString() advances ofBytes up to the delimiter — the
        // skipDelimiter() calls that follow rely on that.
        CodePointIterator asUtf8String = ofBytes.delimitedBy(44).asUtf8String();
        boolean z = false;   // client uses channel binding ("p=")
        boolean z2 = false;  // non-standard token flag "F," present
        int next = ofBytes.next();
        if (next == 70) {    // 'F': the mechanism token already carries its RFC 2743 header
            skipDelimiter(ofBytes);
            z2 = true;
            next = ofBytes.next();
        }
        if (next == 112) {   // 'p': client supplies channel binding of the named type
            z = true;
            if (!this.plus) {
                throw ElytronMessages.saslGs2.mechChannelBindingNotSupported().toSaslException();
            }
            if (ofBytes.next() != 61) {  // '='
                throw ElytronMessages.saslGs2.mechInvalidMessageReceived().toSaslException();
            }
            if (!$assertionsDisabled && this.bindingType == null) {
                throw new AssertionError();
            }
            if (!$assertionsDisabled && this.bindingData == null) {
                throw new AssertionError();
            }
            // The client's binding type must be exactly the one this server offers.
            if (!this.bindingType.equals(asUtf8String.drainToString())) {
                throw ElytronMessages.saslGs2.mechChannelBindingTypeMismatch().toSaslException();
            }
            skipDelimiter(ofBytes);
        } else if (next == 121) {  // 'y': client supports channel binding but believes we do not
            // Refused when this server does support it (PLUS, or binding type and data
            // both present): the client's belief would then be wrong, which is how a
            // stripped-down mechanism offer (downgrade) would look from here.
            if (this.plus || !(this.bindingType == null || this.bindingData == null)) {
                throw ElytronMessages.saslGs2.mechChannelBindingNotProvided().toSaslException();
            }
            skipDelimiter(ofBytes);
        } else {
            if (next != 110) {     // 'n': client does not use channel binding
                throw ElytronMessages.saslGs2.mechInvalidMessageReceived().toSaslException();
            }
            // The PLUS variant requires channel binding, so a bare 'n' is rejected.
            if (this.plus) {
                throw ElytronMessages.saslGs2.mechChannelBindingNotProvided().toSaslException();
            }
            skipDelimiter(ofBytes);
        }
        // Optional "a=<authzid>" field, else an empty field (just the ',' delimiter).
        int next2 = ofBytes.next();
        if (next2 == 97) {   // 'a'
            if (ofBytes.next() != 61) {  // '='
                throw ElytronMessages.saslGs2.mechInvalidMessageReceived().toSaslException();
            }
            this.authorizationID = asUtf8String.drainToString();
            skipDelimiter(ofBytes);
        } else if (next2 != 44) {  // ','
            throw ElytronMessages.saslGs2.mechInvalidMessageReceived().toSaslException();
        }
        // Everything consumed so far is the GS2 header; the rest is the mechanism token.
        // i2/index select the header bytes used as channel binding application data:
        // with "F," present the two leading bytes are excluded.
        if (z2) {
            i2 = 2;
            index = (int) (ofBytes.getIndex() - 2);
            restoreTokenHeader = ofBytes.drain();
        } else {
            i2 = 0;
            index = (int) ofBytes.getIndex();
            try {
                // Without 'F' the client stripped the RFC 2743 token framing; put it back
                // so the GSS provider can parse the token.
                restoreTokenHeader = restoreTokenHeader(ofBytes.drain());
            } catch (ASN1Exception e2) {
                throw ElytronMessages.saslGs2.mechUnableToCreateResponseTokenWithCause(e2).toSaslException();
            }
        }
        ByteStringBuilder byteStringBuilder = new ByteStringBuilder();
        // Assumes append(bytes, offset, length) — i.e. bArr[i2 .. i2 + index). Confirm.
        byteStringBuilder.append(bArr, i2, index);
        try {
            // Binding the GS2 header (and, for 'p', our channel binding data) to the
            // context is what ties this SASL exchange to the underlying channel.
            this.gssContext.setChannelBinding(Gs2Util.createChannelBinding(byteStringBuilder.toArray(), z, this.bindingData));
            try {
                byte[] acceptSecContext2 = this.gssContext.acceptSecContext(restoreTokenHeader, 0, restoreTokenHeader.length);
                if (!this.gssContext.isEstablished()) {
                    // More round trips needed; later tokens arrive without a GS2 header.
                    setNegotiationState(3);
                } else {
                    // Same post-establishment checks as in state 3 above.
                    if (!this.mechanism.equals(this.gssContext.getMech())) {
                        throw ElytronMessages.saslGs2.mechGssApiMechanismMismatch().toSaslException();
                    }
                    storeBoundServerName();
                    checkAuthorizationID();
                    storeDelegatedGSSCredential();
                    negotiationComplete();
                }
                return acceptSecContext2;
            } catch (GSSException e3) {
                throw ElytronMessages.saslGs2.mechUnableToAcceptClientMessage(e3).toSaslException();
            }
        } catch (GSSException e4) {
            throw ElytronMessages.saslGs2.mechUnableToSetChannelBinding(e4).toSaslException();
        }
    }

    /**
     * Disposes the GSS context. The field is cleared whether or not disposal succeeds,
     * so a failed dispose is not retried and the context is not reused.
     *
     * @throws SaslException if the GSS provider fails to dispose the context
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
        try {
            try {
                this.gssContext.dispose();
                this.gssContext = null;
            } catch (GSSException e) {
                throw ElytronMessages.saslGs2.mechUnableToDisposeGssContext(e).toSaslException();
            }
        } catch (Throwable th) {
            // Decompiled finally-block: clear the reference on every exit path.
            this.gssContext = null;
            throw th;
        }
    }

    /**
     * Re-wraps a header-less mechanism token in the RFC 2743 initial context token
     * framing: tag {@code [APPLICATION 0]} (class bits 0x40, tag number 0) applied
     * implicitly to a SEQUENCE of the mechanism OID (DER) followed by the inner token.
     *
     * @param bArr inner mechanism token as received from the client
     * @return the DER-framed token
     * @throws ASN1Exception if the mechanism OID's DER form cannot be obtained (the
     *                       underlying GSSException is kept as the cause)
     */
    private byte[] restoreTokenHeader(byte[] bArr) throws ASN1Exception {
        DEREncoder dEREncoder = new DEREncoder();
        dEREncoder.encodeImplicit(64, 0);
        dEREncoder.startSequence();
        try {
            dEREncoder.writeEncoded(this.mechanism.getDER());
            dEREncoder.writeEncoded(bArr);
            dEREncoder.endSequence();
            return dEREncoder.getEncoded();
        } catch (GSSException e) {
            throw new ASN1Exception((Throwable) e);
        }
    }

    /**
     * Records the server name the context was actually established for.
     *
     * <p>The target name is split on {@code '/'} and {@code '@'}; for a name of the
     * form {@code service/host@REALM} the second element (host) is kept, otherwise the
     * whole string.
     *
     * @throws SaslException if the target name cannot be read from the context
     */
    private void storeBoundServerName() throws SaslException {
        try {
            String gSSName = this.gssContext.getTargName().toString();
            String[] split = gSSName.split("[/@]");
            this.boundServerName = split.length > 1 ? split[1] : gSSName;
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechUnableToDetermineBoundServerName(e).toSaslException();
        }
    }

    /**
     * Authorization step, run once the context is established.
     *
     * <p>The authenticated identity is the context's source (initiator) name. If the
     * client sent no {@code a=} field the source name becomes the authorization id
     * (a principal may always act as itself); otherwise the callback handler decides
     * through an {@link AuthorizeCallback} whether the source name may act as the
     * requested id.
     *
     * @throws SaslException if the peer name cannot be read, the callback handler fails,
     *                       or the callback leaves the request unauthorized
     */
    private void checkAuthorizationID() throws SaslException {
        try {
            String gSSName = this.gssContext.getSrcName().toString();
            ElytronMessages.saslGs2.tracef("checking if [%s] is authorized to act as [%s]...", gSSName, this.authorizationID);
            if (this.authorizationID == null || this.authorizationID.isEmpty()) {
                this.authorizationID = gSSName;
            }
            AuthorizeCallback authorizeCallback = new AuthorizeCallback(gSSName, this.authorizationID);
            handleCallbacks(authorizeCallback);
            // The callback defaults to "not authorized"; only an explicit grant passes.
            if (!authorizeCallback.isAuthorized()) {
                throw ElytronMessages.saslGs2.mechAuthorizationFailed(gSSName, this.authorizationID).toSaslException();
            }
            ElytronMessages.saslGs2.trace("authorization id check successful");
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechUnableToDeterminePeerName(e).toSaslException();
        }
    }

    /**
     * Hands any credential the client delegated to the application via an
     * {@link IdentityCredentialCallback}. Best effort: an unsupported callback or a
     * GSS-API failure is ignored and leaves no trace in the logs.
     *
     * @throws SaslException declared, but the visible body only ignores its failures
     */
    private void storeDelegatedGSSCredential() throws SaslException {
        try {
            GSSCredential delegCred = this.gssContext.getDelegCred();
            if (delegCred != null) {
                tryHandleCallbacks(new IdentityCredentialCallback(new GSSKerberosCredential(delegCred), true));
            } else {
                ElytronMessages.saslGs2.trace("No GSSCredential delegated during authentication.");
            }
        } catch (UnsupportedCallbackException | GSSException e) {
            // Ignored deliberately (delegation is optional). NOTE(review): a trace here
            // would make a silently dropped delegated credential diagnosable.
        }
    }

    /**
     * Consumes the next byte and requires it to be the GS2 field delimiter {@code ','}.
     *
     * @param byteIterator iterator positioned on the expected delimiter
     * @throws SaslException if the next byte is not {@code ','}
     */
    private void skipDelimiter(ByteIterator byteIterator) throws SaslException {
        if (byteIterator.next() != 44) {
            throw ElytronMessages.saslGs2.mechInvalidMessageReceived().toSaslException();
        }
    }

    /**
     * Exposes {@code Sasl.BOUND_SERVER_NAME} once the exchange is complete; every other
     * property name yields null.
     *
     * @param str property name
     * @return the bound server name, or null
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public Object getNegotiatedProperty(String str) {
        assertComplete();
        if ("javax.security.sasl.bound.server.name".equals(str)) {
            return this.boundServerName;
        }
        return null;
    }

    static {
        // javac's assertion-status bootstrap, decompiled.
        $assertionsDisabled = !Gs2SaslServer.class.desiredAssertionStatus();
    }
}
