package org.apache.wss4j.stax.impl.securityToken;

import java.io.IOException;
import java.security.Key;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
import org.apache.wss4j.common.kerberos.KerberosServiceContext;
import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-439.zip:modules/system/layers/fuse/org/apache/ws/security/2.1/wss4j-ws-security-stax-2.1.7.jar:org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.class */
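/**
 * Inbound security token backed by a binary Kerberos token received by a service.
 *
 * <p>The secret key is derived lazily: the first {@link #getKey} call that misses the
 * per-algorithm key cache triggers {@link #getTGT()}, which performs a JAAS login and
 * validates the received token inside {@code Subject.doAs}.
 *
 * <p>{@link #getSubject()} and {@link #getPrincipal()} return {@code null} until
 * {@link #getTGT()} has run, because the fields are only assigned there.
 *
 * <p>NOTE(review): the lazy initialisation in {@link #getKey} is not synchronized; this
 * class appears to assume use from a single thread per message. Confirm against callers.
 */
public class KerberosServiceSecurityTokenImpl extends AbstractInboundSecurityToken implements KerberosServiceSecurityToken {
    // Assigned once in the constructor, hence final.
    private final CallbackHandler callbackHandler;
    private final byte[] binaryContent;
    private final String kerberosTokenValueType;
    // Populated lazily by getKey()/getTGT().
    private KerberosTokenDecoder kerberosTokenDecoder;
    private Subject subject;
    private Principal principal;

    /**
     * Creates the token without touching Kerberos or JAAS; all validation is deferred to
     * {@link #getTGT()}.
     *
     * @param wSInboundSecurityContext passed through to the superclass constructor
     * @param callbackHandler supplies the JAAS context name and service name, and is also
     *        handed to the {@link LoginContext}
     * @param bArr raw binary content of the received Kerberos token; stored by reference,
     *        not copied
     * @param str value type reported by {@link #getKerberosTokenValueType()}
     * @param str2 passed through to the superclass constructor (presumably the token id;
     *        confirm)
     * @param keyIdentifier passed through to the superclass constructor
     */
    public KerberosServiceSecurityTokenImpl(WSInboundSecurityContext wSInboundSecurityContext, CallbackHandler callbackHandler, byte[] bArr, String str, String str2, SecurityTokenConstants.KeyIdentifier keyIdentifier) {
        super(wSInboundSecurityContext, str2, keyIdentifier, true);
        this.callbackHandler = callbackHandler;
        this.binaryContent = bArr;
        this.kerberosTokenValueType = str;
    }

    /** Always {@code false}: the key returned by {@link #getKey} is a {@link SecretKey}. */
    @Override // org.apache.xml.security.stax.impl.securityToken.AbstractSecurityToken, org.apache.xml.security.stax.securityToken.SecurityToken
    public boolean isAsymmetric() throws XMLSecurityException {
        return false;
    }

    /** @return {@link WSSecurityTokenConstants#KERBEROS_TOKEN} */
    @Override // org.apache.xml.security.stax.securityToken.SecurityToken
    public SecurityTokenConstants.TokenType getTokenType() {
        return WSSecurityTokenConstants.KERBEROS_TOKEN;
    }

    /**
     * Logs in through JAAS and validates the received token, returning a decoder that can
     * produce the session key.
     *
     * <p>The JAAS context name and the service name both come from the callback handler and
     * are both mandatory. The previous fallback that took the service name from the first
     * principal of the logged-in subject was unreachable, since a missing service name is
     * already rejected before the login, and has been removed so the contract is explicit.
     *
     * <p>Side effects: sets {@code subject} to the subject of the JAAS login (assigned before
     * the token is validated, so it stays set if validation fails) and {@code principal} to
     * the principal reported by the {@link KerberosServiceContext}.
     *
     * <p>NOTE(review): no {@code LoginContext.logout()} is issued in this class; whether the
     * JAAS credentials are released elsewhere is not visible from here.
     *
     * @return a decoder wrapping the negotiated session key when one is available, otherwise
     *         a {@link KerberosTokenDecoderImpl} primed with the token bytes and the subject
     * @throws WSSecurityException if the callback supplies no context or service name, the
     *         callback or login fails, or token validation fails
     */
    protected KerberosTokenDecoder getTGT() throws WSSecurityException {
        try {
            KerberosContextAndServiceNameCallback nameCallback = new KerberosContextAndServiceNameCallback();
            this.callbackHandler.handle(new Callback[]{nameCallback});

            // Read each value once so the null checks and the later uses see the same value.
            String contextName = nameCallback.getContextName();
            if (contextName == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackContextNameNotSupplied");
            }
            String serviceName = nameCallback.getServiceName();
            if (serviceName == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackServiceNameNotSupplied");
            }

            LoginContext loginContext = new LoginContext(contextName, this.callbackHandler);
            loginContext.login();
            this.subject = loginContext.getSubject();

            try {
                // Token validation runs with the identity obtained from the JAAS login.
                KerberosServiceContext kerberosServiceContext = (KerberosServiceContext) Subject.doAs(this.subject, new KerberosServiceExceptionAction(this.binaryContent, serviceName, nameCallback.isUsernameServiceNameForm(), false));
                this.principal = kerberosServiceContext.getPrincipal();
                final Key sessionKey = kerberosServiceContext.getSessionKey();
                if (sessionKey != null) {
                    // The session key is already known, so the decoder only has to hand it out.
                    return new KerberosTokenDecoder() {
                        @Override // org.apache.wss4j.common.kerberos.KerberosTokenDecoder
                        public void setToken(byte[] bArr) {
                            // Nothing to decode: the key came from the service context.
                        }

                        @Override // org.apache.wss4j.common.kerberos.KerberosTokenDecoder
                        public void setSubject(Subject subject) {
                            // Not needed for the same reason as setToken.
                        }

                        @Override // org.apache.wss4j.common.kerberos.KerberosTokenDecoder
                        public byte[] getSessionKey() throws KerberosTokenDecoderException {
                            // Raw key material; callers own the returned array.
                            return sessionKey.getEncoded();
                        }

                        @Override // org.apache.wss4j.common.kerberos.KerberosTokenDecoder
                        public void clear() {
                            // NOTE(review): no-op, so the captured session key is not wiped here.
                        }
                    };
                }

                // No session key in the service context: fall back to decoding the token itself.
                KerberosTokenDecoderImpl tokenDecoder = new KerberosTokenDecoderImpl();
                tokenDecoder.setToken(this.binaryContent);
                tokenDecoder.setSubject(this.subject);
                return tokenDecoder;
            } catch (PrivilegedActionException e) {
                // Surface a WSSecurityException thrown inside doAs unchanged; wrap anything else.
                Throwable cause = e.getCause();
                if (cause instanceof WSSecurityException) {
                    throw ((WSSecurityException) cause);
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception(cause), "kerberosTicketValidationError");
            }
        } catch (IOException | UnsupportedCallbackException | LoginException e2) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e2);
        }
    }

    /**
     * Returns the secret key cached under {@code str}, deriving and caching it from the
     * Kerberos session key on the first request.
     *
     * @param str cache key, also passed to {@code KeyUtils.prepareSecretKey} (presumably the
     *        algorithm URI; confirm)
     * @param algorithmUsage not used by this implementation
     * @param str2 not used by this implementation
     * @return the cached or newly prepared secret key
     * @throws XMLSecurityException if token validation fails, or with
     *         {@code INVALID_SECURITY_TOKEN} if the session key cannot be decoded
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken
    public Key getKey(String str, XMLSecurityConstants.AlgorithmUsage algorithmUsage, String str2) throws XMLSecurityException {
        Key cachedKey = getSecretKey().get(str);
        if (cachedKey != null) {
            return cachedKey;
        }
        // Validate the token at most once; later algorithms reuse the same decoder.
        if (this.kerberosTokenDecoder == null) {
            this.kerberosTokenDecoder = getTGT();
        }
        try {
            SecretKey preparedKey = KeyUtils.prepareSecretKey(str, this.kerberosTokenDecoder.getSessionKey());
            setSecretKey(str, preparedKey);
            return preparedKey;
        } catch (KerberosTokenDecoderException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
        }
    }

    /**
     * @return the token bytes supplied at construction; this is the internal array, not a
     *         copy, so changes made by the caller are visible to later validation
     */
    @Override // org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken
    public byte[] getBinaryContent() {
        return this.binaryContent;
    }

    /** @return the value type supplied at construction */
    @Override // org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken
    public String getKerberosTokenValueType() {
        return this.kerberosTokenValueType;
    }

    /**
     * @return the subject of the JAAS login performed by {@link #getTGT()}, or {@code null}
     *         if no key has been requested yet
     */
    @Override // org.apache.wss4j.stax.securityToken.SubjectAndPrincipalSecurityToken
    public Subject getSubject() throws WSSecurityException {
        return this.subject;
    }

    /**
     * @return the principal reported by the validated service context, or {@code null} if
     *         the token has not been validated yet
     */
    @Override // org.apache.wss4j.stax.securityToken.SubjectAndPrincipalSecurityToken
    public Principal getPrincipal() throws WSSecurityException {
        return this.principal;
    }
}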
