package org.wildfly.security.sasl.gssapi;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;
import org.wildfly.common.Assert;
import org.wildfly.security.manager.action.SetContextClassLoaderAction;
import org.wildfly.security.manager.action.SetContextClassLoaderFromClassAction;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.sasl.gssapi.AbstractGssapiMechanism;

/* JADX WARN: Classes with same name are omitted:
  input_file:BOOT-INF/lib/wildfly-elytron-1.15.3.Final-redhat-00001.jar:org/wildfly/security/sasl/gssapi/GssapiClient.class
 */
/* loaded from: input_file:BOOT-INF/lib/wildfly-elytron-sasl-gssapi-1.15.3.Final-redhat-00001.jar:org/wildfly/security/sasl/gssapi/GssapiClient.class */
/**
 * Client side of the SASL GSSAPI mechanism (RFC 4752 style exchange).
 *
 * <p>The negotiation is driven by {@link #evaluateMessage(int, byte[])} as a three-state machine:
 * <ol>
 *   <li>{@code INITIAL_CHALLENGE_STATE} - the client sends the first GSS token (this mechanism has an
 *       initial response, so the server's first challenge must be empty);</li>
 *   <li>{@code CHALLENGE_RESPONSE_STATE} - further GSS tokens are exchanged until the context is
 *       established;</li>
 *   <li>{@code SECURITY_LAYER_NEGOTIATION_STATE} - the server's wrapped 4-octet security-layer offer is
 *       unwrapped, a QOP is chosen from the client's own preference list, and the wrapped reply
 *       (QOP, max receive buffer, optional authorization id) is returned.</li>
 * </ol>
 *
 * <p>NOTE(review): this listing is decompiler (JADX) output from the packaged jar. The constructor body was
 * not recovered (see the stub below), so anything the constructor does - building {@code gssContext},
 * requesting mutual authentication/integrity/confidentiality, populating {@code orderedQops},
 * {@code relaxComplianceChecks} and {@code configuredMaxReceiveBuffer} - cannot be confirmed from this
 * file. Fields and helpers such as {@code gssContext}, {@code orderedQops}, {@code selectedQop},
 * {@code maxBuffer}, {@code NO_BYTES}, {@code networkOrderBytesToInt}, {@code intToNetworkOrderBytes},
 * {@code setWrapper}, {@code setNegotiationState} and {@code negotiationComplete} are provided by the
 * parent classes, not defined here.
 */
final class GssapiClient extends AbstractGssapiMechanism implements SaslClient {
    // Negotiation state identifiers handed to setNegotiationState()/evaluateMessage(int, byte[]).
    private static final int INITIAL_CHALLENGE_STATE = 1;
    private static final int CHALLENGE_RESPONSE_STATE = 2;
    private static final int SECURITY_LAYER_NEGOTIATION_STATE = 3;
    // Optional SASL authorization identity; appended (UTF-8) to the final security-layer token when non-null.
    private final String authorizationId;
    // Compiler-generated flag backing the `assert` statements below; true when the JVM runs without -ea.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Code restructure failed: missing block: B:48:0x01fd, code lost:
    
        org.wildfly.security.mechanism._private.ElytronMessages.saslGssapi.trace("Requesting confidentiality");
        r0.requestConf(true);
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler stub - the real constructor body (562 bytecode instructions) was not recovered.
     *
     * <p>Only the signature is trustworthy: mechanism name, protocol, SASL property map, callback handler
     * and server name. The surviving JADX fragment above shows it at least requests confidentiality on the
     * GSS context under some condition; the rest (authorization id capture, QOP ordering, mutual-auth
     * request) is assumed from how the fields are used below and should be verified against the original
     * source.
     *
     * @throws SaslException if the context cannot be set up (per the declared signature)
     */
    public GssapiClient(java.lang.String r8, java.lang.String r9, java.util.Map<java.lang.String, ?> r10, javax.security.auth.callback.CallbackHandler r11, java.lang.String r12) throws javax.security.sasl.SaslException {
        /*
            Method dump skipped, instructions count: 562
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.wildfly.security.sasl.gssapi.GssapiClient.<init>(java.lang.String, java.lang.String, java.util.Map, javax.security.auth.callback.CallbackHandler, java.lang.String):void");
    }

    /**
     * Returns {@code true} if any of the given QOPs would require a security layer
     * ({@code AUTH_INT} or {@code AUTH_CONF}); {@code false} for an empty array or plain {@code AUTH} only.
     *
     * <p>Not called from any method visible in this listing; presumably used by the constructor.
     *
     * @param qopArr the client's acceptable QOPs
     * @return whether integrity or confidentiality may be needed later
     */
    private boolean mayRequireSecurityLater(AbstractGssapiMechanism.QOP[] qopArr) {
        for (AbstractGssapiMechanism.QOP qop : qopArr) {
            if (qop == AbstractGssapiMechanism.QOP.AUTH_INT || qop == AbstractGssapiMechanism.QOP.AUTH_CONF) {
                return true;
            }
        }
        return false;
    }

    /**
     * Picks the QOP to use from the server's offer.
     *
     * <p>Iterates the client's own ordered preference list ({@code orderedQops}) and returns the first entry
     * that is both included in the server's bitmask and supported by the established GSS context. Because
     * only client-configured QOPs are considered, a server offering only weaker layers than the client
     * accepts cannot force a downgrade - the negotiation fails instead.
     *
     * @param b the security-layer bitmask byte from the server's unwrapped token
     * @return the selected QOP
     * @throws SaslException if no client-acceptable QOP is offered and usable
     */
    private AbstractGssapiMechanism.QOP findAgreeableQop(byte b) throws SaslException {
        for (AbstractGssapiMechanism.QOP qop : this.orderedQops) {
            if (qop.includedBy(b) && isCompatibleWithGssContext(qop)) {
                return qop;
            }
        }
        throw ElytronMessages.saslGssapi.mechInsufficientQopsAvailable().toSaslException();
    }

    /**
     * Checks that the established GSS context actually provides what the QOP needs:
     * integrity for {@code AUTH_INT}, integrity and confidentiality for {@code AUTH_CONF}.
     * Plain {@code AUTH} (and any other value) needs nothing from the context.
     *
     * @param qop the candidate QOP
     * @return {@code true} if the context can honour it
     */
    private boolean isCompatibleWithGssContext(AbstractGssapiMechanism.QOP qop) {
        switch (qop) {
            case AUTH_INT:
                return this.gssContext.getIntegState();
            case AUTH_CONF:
                // Confidentiality without integrity is not accepted.
                return this.gssContext.getIntegState() && this.gssContext.getConfState();
            default:
                return true;
        }
    }

    /** Resets the state machine to wait for the (empty) initial challenge. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(1);
    }

    /** GSSAPI is client-first: the client produces a token before any server challenge. */
    public boolean hasInitialResponse() {
        return true;
    }

    /**
     * SASL entry point; delegates to the state-dispatching {@code evaluateMessage} in the parent.
     *
     * @param bArr the server challenge
     * @return the client response token
     * @throws SaslException on any protocol or GSS failure
     */
    public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
        return evaluateMessage(bArr);
    }

    /**
     * Handles one challenge according to the current negotiation state.
     *
     * @param i    current state (one of the three state constants)
     * @param bArr the server challenge for this round
     * @return the token to send back to the server
     * @throws SaslException if the challenge violates the protocol or GSS processing fails
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        switch (i) {
            case 1:
                // INITIAL_CHALLENGE_STATE: the context must not be established yet.
                if (!$assertionsDisabled && this.gssContext.isEstablished()) {
                    throw new AssertionError();
                }
                // Client-first mechanism: a non-empty initial challenge is a protocol violation.
                if (bArr.length > 0) {
                    throw ElytronMessages.saslGssapi.mechInitialChallengeMustBeEmpty().toSaslException();
                }
                try {
                    byte[] initSecContext = initSecContext(this.gssContext, NO_BYTES, 0, 0);
                    if (this.gssContext.isEstablished()) {
                        ElytronMessages.saslGssapi.trace("GSSContext established, transitioning to negotiate security layer.");
                        setNegotiationState(3);
                    } else {
                        ElytronMessages.saslGssapi.trace("GSSContext not established, expecting subsequent exchanges.");
                        setNegotiationState(2);
                    }
                    return initSecContext;
                } catch (GSSException e) {
                    throw ElytronMessages.saslGssapi.mechUnableToCreateResponseToken(e).toSaslException();
                }
            case 2:
                // CHALLENGE_RESPONSE_STATE: feed the server's token into the context.
                if (!$assertionsDisabled && this.gssContext.isEstablished()) {
                    throw new AssertionError();
                }
                try {
                    byte[] initSecContext2 = initSecContext(this.gssContext, bArr, 0, bArr.length);
                    if (this.gssContext.isEstablished()) {
                        ElytronMessages.saslGssapi.trace("GSSContext established, transitioning to negotiate security layer.");
                        setNegotiationState(3);
                        // The final round may produce no token; return an empty response rather than null.
                        if (initSecContext2 == null) {
                            initSecContext2 = NO_BYTES;
                        }
                    } else {
                        ElytronMessages.saslGssapi.trace("GSSContext not established, expecting subsequent exchanges.");
                    }
                    return initSecContext2;
                } catch (GSSException e2) {
                    throw ElytronMessages.saslGssapi.mechUnableToHandleResponseFromServer(e2).toSaslException();
                }
            case 3:
                // SECURITY_LAYER_NEGOTIATION_STATE: the context is established, keys are available.
                if (!$assertionsDisabled && !this.gssContext.isEstablished()) {
                    throw new AssertionError();
                }
                try {
                    // The server's offer is a GSS-wrapped token; unwrap rejects it (GSSException, mapped
                    // below) if its integrity check fails, so the bitmask and size cannot be tampered with.
                    byte[] unwrap = this.gssContext.unwrap(bArr, 0, bArr.length, new MessageProp(0, false));
                    // Exactly 4 octets: 1 byte security-layer bitmask + 3 byte max buffer size.
                    if (unwrap.length != 4) {
                        throw ElytronMessages.saslGssapi.mechBadLengthOfMessageForNegotiatingSecurityLayer().toSaslException();
                    }
                    byte b = unwrap[0];
                    // Chosen from the client's preference list, so the server can only narrow, never lower, it.
                    this.selectedQop = findAgreeableQop(b);
                    this.maxBuffer = networkOrderBytesToInt(unwrap, 1, 3);
                    ElytronMessages.saslGssapi.tracef("Selected QOP=%s, maxBuffer=%d", this.selectedQop, Integer.valueOf(this.maxBuffer));
                    // Compliance check: a server offering no security layer must advertise a zero max buffer.
                    // Skipped only when relaxComplianceChecks was enabled (set outside this listing).
                    if (!this.relaxComplianceChecks && this.maxBuffer > 0 && (b & AbstractGssapiMechanism.QOP.AUTH_INT.getValue()) == 0 && (b & AbstractGssapiMechanism.QOP.AUTH_CONF.getValue()) == 0) {
                        throw ElytronMessages.saslGssapi.mechReceivedMaxMessageSizeWhenNoSecurityLayer(this.maxBuffer).toSaslException();
                    }
                    // Largest plaintext this context can wrap so the output fits the server's limit.
                    this.maxBuffer = this.gssContext.getWrapSizeLimit(0, this.selectedQop == AbstractGssapiMechanism.QOP.AUTH_CONF, this.maxBuffer);
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    byteArrayOutputStream.write(this.selectedQop.getValue());
                    if (this.selectedQop == AbstractGssapiMechanism.QOP.AUTH) {
                        // No security layer: max receive buffer must be zero.
                        byteArrayOutputStream.write(new byte[]{0, 0, 0});
                    } else {
                        // Advertise the configured receive buffer, falling back to the computed wrap limit.
                        this.actualMaxReceiveBuffer = this.configuredMaxReceiveBuffer != 0 ? this.configuredMaxReceiveBuffer : this.maxBuffer;
                        ElytronMessages.saslGssapi.tracef("Out max buffer %d", this.actualMaxReceiveBuffer);
                        byteArrayOutputStream.write(intToNetworkOrderBytes(this.actualMaxReceiveBuffer));
                    }
                    if (this.authorizationId != null) {
                        byteArrayOutputStream.write(this.authorizationId.getBytes(StandardCharsets.UTF_8));
                    }
                    byte[] byteArray = byteArrayOutputStream.toByteArray();
                    // Wrapped with integrity only (privacy=false): the reply, including any authorization
                    // id, is tamper-protected but not encrypted on the wire.
                    byte[] wrap = this.gssContext.wrap(byteArray, 0, byteArray.length, new MessageProp(0, false));
                    if (this.selectedQop != AbstractGssapiMechanism.QOP.AUTH) {
                        // Install the GSS wrap/unwrap wrapper for subsequent traffic; confidentiality only for AUTH_CONF.
                        ElytronMessages.saslGssapi.trace("Setting message wrapper.");
                        setWrapper(new AbstractGssapiMechanism.GssapiWrapper(this.selectedQop == AbstractGssapiMechanism.QOP.AUTH_CONF));
                    }
                    ElytronMessages.saslGssapi.trace("Negotiation Complete");
                    negotiationComplete();
                    return wrap;
                } catch (IOException e3) {
                    throw ElytronMessages.saslGssapi.mechUnableToCreateResponseToken(e3).toSaslException();
                } catch (GSSException e4) {
                    throw ElytronMessages.saslGssapi.mechUnableToUnwrapSecurityLayerNegotiationMessage(e4).toSaslException();
                }
            default:
                throw Assert.impossibleSwitchCase(i);
        }
    }

    /**
     * Calls {@link GSSContext#initSecContext(byte[], int, int)} with the thread context class loader
     * temporarily set to this class's loader, restoring the previous loader afterwards (the catch/rethrow
     * below is the decompiled form of a {@code finally}).
     *
     * @param gSSContext the context being established
     * @param bArr       input token buffer
     * @param i          offset into {@code bArr}
     * @param i2         number of bytes to consume
     * @return the output token, or {@code null} when the provider has nothing to send
     * @throws GSSException propagated from the provider
     */
    private static byte[] initSecContext(GSSContext gSSContext, byte[] bArr, int i, int i2) throws GSSException {
        ClassLoader classLoader = (ClassLoader) doPrivileged(new SetContextClassLoaderFromClassAction(GssapiClient.class));
        try {
            byte[] initSecContext = gSSContext.initSecContext(bArr, i, i2);
            doPrivileged(new SetContextClassLoaderAction(classLoader));
            return initSecContext;
        } catch (Throwable th) {
            // Always restore the caller's context class loader, even on failure.
            doPrivileged(new SetContextClassLoaderAction(classLoader));
            throw th;
        }
    }

    /**
     * Runs the action under {@link AccessController#doPrivileged} only when a SecurityManager is installed;
     * otherwise invokes it directly to avoid the privileged-call overhead.
     *
     * @param privilegedAction the action to run
     * @param <T>              the action's result type
     * @return the action's result
     */
    private static <T> T doPrivileged(PrivilegedAction<T> privilegedAction) {
        return System.getSecurityManager() != null ? (T) AccessController.doPrivileged(privilegedAction) : privilegedAction.run();
    }

    static {
        // Compiler-generated: records whether `assert` is enabled for this class.
        $assertionsDisabled = !GssapiClient.class.desiredAssertionStatus();
    }
}
