package org.wildfly.security.sasl.gs2;

import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslException;
import org.fusesource.jansi.AnsiRenderer;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.asn1.DERDecoder;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.sasl.WildFlySasl;
import org.wildfly.security.sasl.util.AbstractSaslClient;
import org.wildfly.security.sasl.util.StringPrep;
import org.wildfly.security.util.ByteIterator;
import org.wildfly.security.util.ByteStringBuilder;

/* loaded from: input_file:org/wildfly/security/sasl/gs2/Gs2SaslClient.class */
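/**
 * Client side of the GS2 SASL bridge (RFC 5801): drives a GSS-API security context
 * ({@link GSSContext}) through the SASL challenge/response exchange and rewrites the
 * first context token into GS2 wire format (GS2 header prepended, standard token
 * framing removed).
 *
 * <p>Security properties enforced here:
 * <ul>
 *   <li>Mutual authentication is always requested, and a context that finishes without
 *       it is rejected, so the server is authenticated, not just the client.</li>
 *   <li>Channel binding data is passed to the GSS context when the "PLUS" variant is
 *       negotiated and binding data is available; the GS2 header is always included as
 *       channel-binding application data so a tampered header is detected.</li>
 *   <li>Credential delegation is ON by default whenever a {@link GSSCredential} was
 *       supplied through the callback handler, unless the {@code GS2_DELEGATE_CREDENTIAL}
 *       property says otherwise. Deployments that do not want the server to obtain a
 *       forwardable credential must set that property to {@code false}.</li>
 * </ul>
 *
 * <p>Instances are single-use and not thread-safe (negotiation state lives in the
 * superclass and in the GSS context).
 */
final class Gs2SaslClient extends AbstractSaslClient {

    /** Waiting to send the client-first message; the server may only have sent an empty challenge. */
    private static final int ST_INITIAL_CHALLENGE = 1;
    /** Feeding server tokens into the GSS context until it is established. */
    private static final int ST_CHALLENGE_RESPONSE = 2;

    /** First octet of an RFC 2743 §3.1 InitialContextToken: [APPLICATION 0] IMPLICIT, constructed. */
    private static final int STANDARD_TOKEN_TAG = 0x60;
    /** Tag class bits handed to the DER decoder for the APPLICATION-class outer tag. */
    private static final int APPLICATION_SPECIFIC_MASK = 0x40;
    /**
     * StringPrep flags applied to the authorization identity. Value (2147500031) kept
     * from the original; presumably the SASL query profile plus GS2 login-character
     * mapping -- confirm against {@code StringPrep} before changing.
     */
    private static final long AUTHZID_STRING_PREP_FLAGS = 0x80003FFFL;

    /** {@code true} for a "-PLUS" mechanism variant, i.e. channel binding is negotiated. */
    private final boolean plus;
    /** Raw channel binding data, or {@code null} when the channel offers none. */
    private final byte[] bindingData;
    /** Channel binding type name (e.g. the value after "p=" in the GS2 header). */
    private final String bindingType;
    /** GSS-API mechanism OID that the SASL mechanism name maps to. */
    private final Oid mechanism;
    private final GSSManager gssManager;
    /** Cached GS2 header (cb-flag, optional authzid, trailing comma) without the "F," non-standard flag. */
    private final ByteStringBuilder gs2HeaderExcludingNonStdFlag;
    /** Initiator context; {@code null} once {@link #dispose()} has run. */
    private GSSContext gssContext;

    /**
     * Creates the client and fully prepares the GSS context (acceptor name, initiator
     * credential, delegation/mutual-auth flags, channel binding). No network token is
     * produced until {@link #evaluateMessage(int, byte[])} runs.
     *
     * @param mechanismName   SASL mechanism name (e.g. a GS2-* name); mapped to a GSS OID
     * @param protocol        service part of the host-based acceptor name ({@code protocol@serverName})
     * @param serverName      host part of the acceptor name
     * @param callbackHandler handler asked for a {@link GSSCredential}; an unsupported callback
     *                        means "use the default credential"
     * @param authorizationId optional authzid carried in the GS2 header
     * @param props           SASL properties; only {@code WildFlySasl.GS2_DELEGATE_CREDENTIAL} is read
     * @param gssManager      manager used to create names, the context and credentials
     * @param plus            whether the "-PLUS" (channel-bound) variant was selected
     * @param bindingType     channel binding type name, used when {@code plus} and data are present
     * @param bindingData     channel binding data, or {@code null} when unavailable
     * @throws SaslException if the OID mapping, name creation, context creation, flag
     *                       setting or channel binding step fails
     */
    Gs2SaslClient(final String mechanismName, final String protocol, final String serverName,
                  final CallbackHandler callbackHandler, final String authorizationId,
                  final Map<String, ?> props, final GSSManager gssManager, final boolean plus,
                  final String bindingType, final byte[] bindingData) throws SaslException {
        // Trailing boolean kept from the original; presumably the superclass's "default to
        // authorization id" flag -- confirm against AbstractSaslClient.
        super(mechanismName, protocol, serverName, callbackHandler, authorizationId, true);
        this.bindingType = bindingType;
        this.plus = plus;
        this.bindingData = bindingData;
        this.gssManager = gssManager;

        try {
            mechanism = Gs2.getMechanismForSaslName(mechanismName);
        } catch (GSSException e) {
            throw ElytronMessages.log.saslMechanismToOidMappingFailed(getMechanismName(), e);
        }

        // The acceptor is named from the caller-supplied protocol and host; with mutual
        // authentication this is the identity the server must prove.
        final GSSName acceptorName;
        try {
            acceptorName = gssManager.createName(protocol + "@" + serverName, GSSName.NT_HOSTBASED_SERVICE, mechanism);
        } catch (GSSException e) {
            throw ElytronMessages.log.saslUnableToCreateNameForAcceptor(getMechanismName(), e);
        }

        final GSSCredential credential = obtainInitiatorCredential();

        try {
            gssContext = gssManager.createContext(acceptorName, mechanism, credential, GSSContext.INDEFINITE_LIFETIME);
        } catch (GSSException e) {
            throw ElytronMessages.log.saslUnableToCreateGssContext(getMechanismName(), e);
        }

        try {
            gssContext.requestCredDeleg(delegationRequested(props, credential));
            // Required so that the server proves its identity; enforced again on completion.
            gssContext.requestMutualAuth(true);
        } catch (GSSException e) {
            throw ElytronMessages.log.saslUnableToSetGssContextRequestFlags(getMechanismName(), e);
        }

        gs2HeaderExcludingNonStdFlag = createGs2HeaderExcludingNonStdFlag();
        try {
            // The GS2 header becomes channel-binding application data; the actual binding
            // data is presumably only used by Gs2Util when the PLUS variant was chosen
            // and data is present (that is what the boolean argument expresses).
            gssContext.setChannelBinding(Gs2Util.createChannelBinding(gs2HeaderExcludingNonStdFlag,
                    bindingData != null && plus, bindingData));
        } catch (GSSException e) {
            throw ElytronMessages.log.saslUnableToSetChannelBinding(getMechanismName(), e);
        }
    }

    /**
     * Asks the callback handler for an initiator {@link GSSCredential}.
     *
     * @return the supplied credential, or {@code null} (meaning "use the default
     *         credential") when the handler does not support {@link CredentialCallback}
     */
    private GSSCredential obtainInitiatorCredential() throws SaslException {
        final CredentialCallback credentialCallback = new CredentialCallback(GSSCredential.class);
        try {
            tryHandleCallbacks(credentialCallback);
            return (GSSCredential) credentialCallback.getCredential();
        } catch (UnsupportedCallbackException ignored) {
            // Deliberate best-effort: no explicit credential -> let the GSS provider pick the default.
            return null;
        }
    }

    /**
     * Decides whether credential delegation is requested.
     *
     * <p>An explicit {@code GS2_DELEGATE_CREDENTIAL} property wins. Otherwise delegation
     * is requested exactly when a credential was supplied by the callback handler --
     * note that this default hands the server a delegated credential unless the
     * property is set to {@code "false"}.
     */
    private static boolean delegationRequested(final Map<String, ?> props, final GSSCredential credential) {
        if (props.containsKey(WildFlySasl.GS2_DELEGATE_CREDENTIAL)) {
            return Boolean.parseBoolean((String) props.get(WildFlySasl.GS2_DELEGATE_CREDENTIAL));
        }
        return credential != null;
    }

    /**
     * Releases the GSS context. Idempotent: a second call is a no-op instead of a
     * {@code NullPointerException}.
     *
     * @throws SaslException if the underlying context refuses to dispose
     */
    @Override
    public void dispose() throws SaslException {
        final GSSContext context = gssContext;
        if (context == null) {
            return; // already disposed
        }
        gssContext = null;
        try {
            context.dispose();
        } catch (GSSException e) {
            throw ElytronMessages.log.saslUnableToDisposeGssContext(getMechanismName(), e);
        }
    }

    /** Starts the negotiation in the client-first state. */
    @Override
    public void init() {
        setNegotiationState(ST_INITIAL_CHALLENGE);
    }

    /**
     * Processes one server challenge according to the current negotiation state.
     *
     * @param state   the current negotiation state ({@link #ST_INITIAL_CHALLENGE} or {@link #ST_CHALLENGE_RESPONSE})
     * @param message the server's challenge; must be empty/{@code null} in the initial state
     * @return the token to send to the server (may be {@code null}/empty once the context is
     *         established and the mechanism produced no final token)
     * @throws SaslException if the challenge is malformed for the state, the GSS provider
     *                       fails, or the context completed without mutual authentication
     */
    @Override
    protected byte[] evaluateMessage(final int state, final byte[] message) throws SaslException {
        switch (state) {
            case ST_INITIAL_CHALLENGE: {
                assert ! gssContext.isEstablished();
                // GS2 is client-first: the server may only prompt with an empty challenge.
                if (message != null && message.length != 0) {
                    throw ElytronMessages.log.saslInitialChallengeMustBeEmpty(getMechanismName());
                }
                try {
                    final byte[] token = gssContext.initSecContext(NO_BYTES, 0, 0);
                    // Mutual authentication was requested, so the first token cannot complete the context.
                    assert ! gssContext.isEstablished();
                    setNegotiationState(ST_CHALLENGE_RESPONSE);
                    return modifyInitialContextToken(token);
                } catch (GSSException e) {
                    throw ElytronMessages.log.saslUnableToCreateResponseTokenWithCause(getMechanismName(), e);
                }
            }
            case ST_CHALLENGE_RESPONSE: {
                assert ! gssContext.isEstablished();
                if (message == null) {
                    // Surface a protocol error instead of an NPE on a missing server token.
                    throw new SaslException(getMechanismName() + ": server challenge must not be null");
                }
                try {
                    final byte[] token = gssContext.initSecContext(message, 0, message.length);
                    if (gssContext.isEstablished()) {
                        // Refuse a context in which the server was never authenticated.
                        if (! gssContext.getMutualAuthState()) {
                            throw ElytronMessages.log.saslMutualAuthenticationNotEnabled(getMechanismName());
                        }
                        negotiationComplete();
                    }
                    return token;
                } catch (GSSException e) {
                    throw ElytronMessages.log.saslUnableToCreateResponseTokenWithCause(getMechanismName(), e);
                }
            }
            default:
                throw Assert.impossibleSwitchCase(state);
        }
    }

    /**
     * Builds the GS2 header minus the non-standard flag:
     * {@code gs2-cb-flag "," [gs2-authzid] ","}.
     *
     * <p>cb-flag is {@code n} when no binding data exists, {@code p=<type>} for the PLUS
     * variant with data, and {@code y} when data exists but the non-PLUS variant was chosen
     * (client supports binding, server was not offered it).
     */
    private ByteStringBuilder createGs2HeaderExcludingNonStdFlag() {
        final ByteStringBuilder header = new ByteStringBuilder();
        if (bindingData == null) {
            header.append("n,");
        } else if (plus) {
            header.append("p=");
            header.append(bindingType);
            header.append(',');
        } else {
            header.append("y,");
        }
        final String authzid = getAuthorizationId();
        if (authzid != null) {
            header.append("a=");
            StringPrep.encode(authzid, header, AUTHZID_STRING_PREP_FLAGS);
        }
        // Header terminator; a plain comma, not a value from any third-party library.
        header.append(',');
        return header;
    }

    /**
     * Turns the first GSS context token into the GS2 client-first message.
     *
     * <p>A standard token (leading {@code 0x60}) has its RFC 2743 framing stripped: the
     * outer APPLICATION tag, the SEQUENCE and the mechanism OID, which must equal the
     * mechanism this client was created for. A non-standard token is kept verbatim and
     * flagged with a leading {@code "F,"}. In both cases the cached GS2 header is prepended.
     *
     * @param token the token returned by the first {@code initSecContext} call
     * @return the GS2 wire message
     * @throws GSSException with {@code DEFECTIVE_TOKEN} if the token is absent/empty or
     *                      names a different mechanism
     */
    private byte[] modifyInitialContextToken(byte[] token) throws GSSException {
        if (token == null || token.length == 0) {
            // The client-first message must carry a context token; fail cleanly rather than
            // dereference an empty array.
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        final boolean nonStandard = token[0] != STANDARD_TOKEN_TAG;
        if (! nonStandard) {
            final ByteIterator bytes = ByteIterator.ofBytes(token);
            final DERDecoder decoder = new DERDecoder(bytes);
            decoder.decodeImplicit(APPLICATION_SPECIFIC_MASK, 0);
            decoder.startSequence();
            final Oid actualMechanism = new Oid(decoder.decodeObjectIdentifier());
            if (! mechanism.equals(actualMechanism)) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            // Everything after the OID is the mechanism-specific inner token.
            token = bytes.drain();
        }
        final ByteStringBuilder message = new ByteStringBuilder();
        if (nonStandard) {
            message.append("F,");
        }
        message.append(gs2HeaderExcludingNonStdFlag);
        message.append(token);
        return message.toArray();
    }
}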
