package org.apache.kerberos.kdc;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.kerberos.crypto.RandomKey;
import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
import org.apache.kerberos.exceptions.ErrorType;
import org.apache.kerberos.exceptions.KerberosException;
import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
import org.apache.kerberos.messages.ApplicationRequest;
import org.apache.kerberos.messages.KdcRequest;
import org.apache.kerberos.messages.TicketGrantReply;
import org.apache.kerberos.messages.components.Authenticator;
import org.apache.kerberos.messages.components.EncTicketPart;
import org.apache.kerberos.messages.components.EncTicketPartModifier;
import org.apache.kerberos.messages.components.Ticket;
import org.apache.kerberos.messages.value.AuthorizationData;
import org.apache.kerberos.messages.value.EncryptedData;
import org.apache.kerberos.messages.value.EncryptionKey;
import org.apache.kerberos.messages.value.KerberosTime;
import org.apache.kerberos.messages.value.LastRequest;
import org.apache.kerberos.messages.value.PreAuthenticationDataType;
import org.apache.kerberos.service.KdcConfiguration;
import org.apache.kerberos.service.KerberosService;
import org.apache.kerberos.store.PrincipalStore;

/* loaded from: input_file:zips/geronimo-jetty-j2ee-1.0.zip:geronimo-1.0/repository/directory-protocols/jars/kerberos-protocol-0.5.jar:org/apache/kerberos/kdc/TicketGrantingService.class */
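public class TicketGrantingService extends KerberosService {
    private static final Log log;
    static Class class$org$apache$kerberos$kdc$TicketGrantingService;

    /**
     * Creates the ticket-granting (TGS) half of the KDC.
     *
     * @param kdcConfiguration KDC policy; this class reads the postdate policy and the
     *                         maximum ticket / renewable lifetimes from it via {@code config}
     * @param principalStore   principal store handed to {@link KerberosService}
     */
    public TicketGrantingService(KdcConfiguration kdcConfiguration, PrincipalStore principalStore) {
        super(kdcConfiguration, principalStore);
    }

    /**
     * Builds the TGS-REP for a TGS-REQ.
     *
     * <p>Order of operations: the PA-TGS-REQ pre-authentication entry is decoded into an AP-REQ,
     * the authenticator and the ticket-granting ticket it carries are checked by the inherited
     * {@code verifyAuthHeader} / {@code verifyTicket}, a fresh session key is drawn from
     * {@link RandomKey}, the new ticket is assembled and finally the reply's enc-part is
     * encrypted under the authenticator's sub-session key when present, otherwise under the
     * TGT session key.
     *
     * @param kdcRequest the decoded TGS-REQ
     * @return the reply with its encrypted part set
     * @throws KerberosException on any protocol-level rejection (bad option, policy,
     *                           expired or not-yet-valid ticket, encoding or encryption failure)
     * @throws IOException if the AP-REQ carried in the pre-authentication data cannot be decoded
     */
    public TicketGrantReply getReplyFor(KdcRequest kdcRequest) throws KerberosException, IOException {
        if (log.isDebugEnabled()) {
            log.debug(new StringBuffer()
                    .append("Responding to authentication request:\n\trealm:                 ").append(kdcRequest.getRealm())
                    .append("\n\tserverPrincipal:       ").append(kdcRequest.getServerPrincipal())
                    .append("\n\tclientPrincipal:       ").append(kdcRequest.getClientPrincipal())
                    .append("\n\thostAddresses:         ").append(kdcRequest.getAddresses())
                    .append("\n\tencryptionType:        ").append(kdcRequest.getEType())
                    .append("\n\tfrom krb time:         ").append(kdcRequest.getFrom())
                    .append("\n\trealm krb time:        ").append(kdcRequest.getRtime())
                    .append("\n\tkdcOptions:            ").append(kdcRequest.getKdcOptions())
                    .append("\n\tmessageType:           ").append(kdcRequest.getMessageType())
                    .append("\n\tnonce:                 ").append(kdcRequest.getNonce())
                    .append("\n\tprotocolVersionNumber: ").append(kdcRequest.getProtocolVersionNumber())
                    .append("\n\ttill:                  ").append(kdcRequest.getTill())
                    .toString());
        }
        ApplicationRequest authHeader = getAuthHeader(kdcRequest);
        Ticket tgt = authHeader.getTicket();
        // Authenticator must be verified before anything in the request is trusted.
        Authenticator authenticator = verifyAuthHeader(authHeader, tgt);
        verifyTicket(tgt, kdcRequest.getServerPrincipal());
        EncryptionKey newSessionKey = new RandomKey().getNewSessionKey();
        Ticket newTicket = getNewTicket(kdcRequest, tgt, newSessionKey, authenticator);
        TicketGrantReply reply = getReply(tgt, newTicket, newSessionKey, kdcRequest);
        encryptReplyPart(reply, replyKeyFor(authenticator, tgt));
        return reply;
    }

    /**
     * Selects the key that protects client-to-TGS material for this exchange: the
     * authenticator's sub-session key when the client supplied one, else the TGT session key.
     * Used both for the reply enc-part and for decrypting enc-authorization-data.
     */
    private EncryptionKey replyKeyFor(Authenticator authenticator, Ticket tgt) {
        EncryptionKey subSessionKey = authenticator.getSubSessionKey();
        if (subSessionKey != null) {
            return subSessionKey;
        }
        return tgt.getSessionKey();
    }

    /**
     * Extracts the AP-REQ from the first pre-authentication entry, which must be PA-TGS-REQ.
     *
     * @throws KerberosException KDC_ERR_PADATA_TYPE_NOSUPP when the request carries no
     *                           pre-authentication data or its first entry is not PA-TGS-REQ
     * @throws IOException       if the entry's value is not a decodable AP-REQ
     */
    private ApplicationRequest getAuthHeader(KdcRequest kdcRequest) throws KerberosException, IOException {
        // A TGS-REQ without padata is a protocol error, not an internal one; reject it instead
        // of letting the array access below fail with an unchecked exception.
        if (kdcRequest.getPreAuthData() == null || kdcRequest.getPreAuthData().length == 0) {
            throw new KerberosException(ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP);
        }
        if (kdcRequest.getPreAuthData()[0].getDataType() != PreAuthenticationDataType.PA_TGS_REQ) {
            throw new KerberosException(ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP);
        }
        return new ApplicationRequestDecoder().decode(kdcRequest.getPreAuthData()[0].getDataValue());
    }

    /**
     * Assembles the service ticket derived from the TGT.
     *
     * <p>Client principal, client addresses and transited encoding are copied from the TGT;
     * flags, authorization data and times are derived by the {@code process*} helpers; the
     * encrypted part is sealed under the server principal's key from {@code getServerKey}.
     *
     * @param kdcRequest    the TGS-REQ
     * @param ticket        the verified TGT
     * @param encryptionKey the fresh session key for the new ticket
     * @param authenticator the verified authenticator (source of the optional sub-session key)
     * @return the new ticket, with its clear EncTicketPart attached for building the reply
     */
    private Ticket getNewTicket(KdcRequest kdcRequest, Ticket ticket, EncryptionKey encryptionKey, Authenticator authenticator) throws KerberosException {
        KerberosPrincipal serverPrincipal = kdcRequest.getServerPrincipal();
        EncTicketPartModifier modifier = new EncTicketPartModifier();
        // Addresses default to the TGT's; processFlags may replace them for FORWARDED / PROXY.
        modifier.setClientAddresses(ticket.getClientAddresses());
        processFlags(kdcRequest, ticket, modifier);
        modifier.setSessionKey(encryptionKey);
        modifier.setClientPrincipal(ticket.getClientPrincipal());
        modifier.setAuthorizationData(processAuthorizationData(kdcRequest, authenticator, ticket));
        processTransited(modifier, ticket);
        processTimes(kdcRequest, modifier, ticket);
        EncryptionKey serverKey = getServerKey(kdcRequest.getServerPrincipal());
        EncTicketPart encTicketPart = modifier.getEncTicketPart();
        Ticket newTicket = new Ticket(serverPrincipal, encryptTicketPart(encTicketPart, serverKey, kdcRequest));
        newTicket.setEncTicketPart(encTicketPart);
        return newTicket;
    }

    /**
     * Derives the new ticket's flags from the KDC options, enforcing that each requested
     * property is permitted by the TGT. Bit numbers follow RFC 4120: 1 FORWARDABLE,
     * 2 FORWARDED, 3 PROXIABLE, 4 PROXY, 5 ALLOW-POSTDATE / MAY-POSTDATE, 6 POSTDATED,
     * 7 INVALID, 27 RENEWABLE-OK, 31 VALIDATE, 0 RESERVED.
     *
     * @throws KerberosException KDC_ERR_BADOPTION when an option is not backed by the
     *                           corresponding TGT flag, KDC_ERR_POLICY when postdating is
     *                           disallowed or a non-INVALID ticket is submitted for validation,
     *                           KRB_AP_ERR_TKT_NYV when validating a ticket whose start time is
     *                           still in the future
     */
    private void processFlags(KdcRequest kdcRequest, Ticket ticket, EncTicketPartModifier modifier) throws KerberosException {
        if (kdcRequest.getOption(1)) {
            if (!ticket.getFlag(1)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            modifier.setFlag(1);
        }
        if (kdcRequest.getOption(2)) {
            // FORWARDED requires a FORWARDABLE TGT; the new ticket takes the requested addresses.
            if (!ticket.getFlag(1)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            modifier.setFlag(2);
            modifier.setClientAddresses(kdcRequest.getAddresses());
        }
        if (ticket.getFlag(2)) {
            // A ticket derived from a forwarded TGT stays marked FORWARDED.
            modifier.setFlag(2);
        }
        if (kdcRequest.getOption(3)) {
            if (!ticket.getFlag(3)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            modifier.setFlag(3);
        }
        if (kdcRequest.getOption(4)) {
            // PROXY requires a PROXIABLE TGT; the new ticket takes the requested addresses.
            if (!ticket.getFlag(3)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            modifier.setFlag(4);
            modifier.setClientAddresses(kdcRequest.getAddresses());
        }
        if (kdcRequest.getOption(5)) {
            if (!ticket.getFlag(5)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            modifier.setFlag(5);
        }
        if (kdcRequest.getOption(6)) {
            // POSTDATED requires MAY-POSTDATE on the TGT and is subject to KDC policy; the
            // ticket is issued INVALID (bit 7) and must be validated later.
            if (!ticket.getFlag(5)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            modifier.setFlag(6);
            modifier.setFlag(7);
            if (!this.config.isPostdateAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            modifier.setStartTime(kdcRequest.getFrom());
        }
        if (kdcRequest.getOption(31)) {
            // VALIDATE: only an INVALID ticket whose start time has arrived can be validated;
            // the ticket is echoed and the INVALID flag cleared.
            if (!ticket.getFlag(7)) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (ticket.getStartTime().greaterThan(new KerberosTime())) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_NYV);
            }
            echoTicket(modifier, ticket);
            modifier.clearFlag(7);
        }
        // NOTE(review): rejecting option 27 (RENEWABLE-OK) here makes the option-27 branch in
        // processTimes unreachable, since processFlags runs first. Kept as found; confirm
        // whether RENEWABLE-OK is meant to be unsupported.
        if (kdcRequest.getOption(0) || kdcRequest.getOption(27)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }
    }

    /**
     * Sets auth-time, start-time, end-time and (when renewable) renew-till on the new ticket.
     *
     * <p>Without option 30 (RENEW) the ticket starts now and ends at the earliest of the
     * requested till (zero meaning no limit), now plus the configured maximum ticket lifetime,
     * and the TGT end time. With RENEW the TGT must be RENEWABLE (bit 8) and its renew-till
     * must not have passed; the ticket is echoed, restarted now and given the TGT's original
     * lifetime capped at renew-till.
     *
     * <p>Renew-till is granted only when option 8 (RENEWABLE) is set and the TGT is renewable,
     * as the earliest of the requested rtime (zero meaning no limit), now plus the configured
     * maximum renewable lifetime, and the TGT renew-till.
     *
     * @throws KerberosException KDC_ERR_BADOPTION for RENEW on a non-renewable TGT,
     *                           KRB_AP_ERR_TKT_EXPIRED when the TGT's renew-till has passed
     */
    private void processTimes(KdcRequest kdcRequest, EncTicketPartModifier modifier, Ticket ticket) throws KerberosException {
        KerberosTime now = new KerberosTime();
        modifier.setAuthTime(ticket.getAuthTime());
        KerberosTime requestedRenewTill = null;
        if (!kdcRequest.getOption(30)) {
            modifier.setStartTime(now);
            KerberosTime till = kdcRequest.getTill().isZero() ? KerberosTime.INFINITY : kdcRequest.getTill();
            ArrayList endCandidates = new ArrayList();
            endCandidates.add(till);
            endCandidates.add(new KerberosTime(now.getTime() + this.config.getMaximumTicketLifetime()));
            endCandidates.add(ticket.getEndTime());
            KerberosTime endTime = (KerberosTime) Collections.min(endCandidates);
            modifier.setEndTime(endTime);
            // RENEWABLE-OK: if the granted lifetime falls short of the request and the TGT is
            // renewable, promote the request to RENEWABLE (mutates kdcRequest) with a
            // renew-till bounded by the requested till.
            if (kdcRequest.getOption(27) && endTime.lessThan(kdcRequest.getTill()) && ticket.getFlag(8)) {
                kdcRequest.setOption(8);
                requestedRenewTill = new KerberosTime(Math.min(kdcRequest.getTill().getTime(), ticket.getRenewTill().getTime()));
            }
        } else {
            if (!ticket.getFlag(8)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            // A TGT whose renewable lifetime has already ended cannot be renewed. The original
            // comparison was inverted (it rejected tickets whose renew-till was still ahead and
            // accepted ones already past it).
            if (ticket.getRenewTill().lessThan(now)) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_EXPIRED);
            }
            echoTicket(modifier, ticket);
            modifier.setStartTime(now);
            long originalLifetime = ticket.getEndTime().getTime() - ticket.getStartTime().getTime();
            modifier.setEndTime(new KerberosTime(Math.min(ticket.getRenewTill().getTime(), now.getTime() + originalLifetime)));
        }
        if (requestedRenewTill == null) {
            requestedRenewTill = kdcRequest.getRtime();
        }
        KerberosTime renewTillLimit;
        if (requestedRenewTill != null && requestedRenewTill.isZero()) {
            renewTillLimit = KerberosTime.INFINITY;
        } else {
            renewTillLimit = requestedRenewTill;
        }
        if (kdcRequest.getOption(8) && ticket.getFlag(8)) {
            modifier.setFlag(8);
            ArrayList renewCandidates = new ArrayList();
            if (renewTillLimit != null) {
                renewCandidates.add(renewTillLimit);
            }
            renewCandidates.add(new KerberosTime(now.getTime() + this.config.getMaximumRenewableLifetime()));
            renewCandidates.add(ticket.getRenewTill());
            modifier.setRenewTill((KerberosTime) Collections.min(renewCandidates));
        }
    }

    /**
     * Produces the authorization data for the new ticket.
     *
     * <p>When the request carries enc-authorization-data it is decrypted under the
     * authenticator's sub-session key (or the TGT session key when no sub-session key was
     * supplied, mirroring how the reply is protected), decoded, and the TGT's authorization
     * data is appended to it. Without request data the TGT's authorization data is carried
     * forward as is, so restrictions embedded in the TGT are not silently dropped from the
     * derived ticket (the previous implementation returned null in that case).
     *
     * @throws KerberosException KRB_AP_ERR_BAD_INTEGRITY if decryption or decoding fails
     */
    private AuthorizationData processAuthorizationData(KdcRequest kdcRequest, Authenticator authenticator, Ticket ticket) throws KerberosException {
        if (kdcRequest.getEncAuthorizationData() == null) {
            return ticket.getAuthorizationData();
        }
        EncryptionKey key = replyKeyFor(authenticator, ticket);
        try {
            AuthorizationData authorizationData = new AuthorizationDataDecoder().decode(
                    EncryptionEngineFactory.getEncryptionEngineFor(key).getDecryptedData(key, kdcRequest.getEncAuthorizationData()));
            authorizationData.add(ticket.getAuthorizationData());
            return authorizationData;
        } catch (IOException e) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_BAD_INTEGRITY);
        } catch (KerberosException e) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_BAD_INTEGRITY);
        }
    }

    /** Copies the TGT's transited-realm encoding onto the new ticket unchanged. */
    private void processTransited(EncTicketPartModifier modifier, Ticket ticket) {
        modifier.setTransitedEncoding(ticket.getTransitedEncoding());
    }

    /**
     * DER-encodes the clear ticket part and seals it under the server key.
     *
     * <p>An encoding failure is now reported as a KerberosException instead of being logged
     * and followed by passing a null body to the encryption engine.
     *
     * <p>NOTE(review): KDC option 28 (ENC-TKT-IN-SKEY, user-to-user) is not implemented; the
     * original code tested the option and did nothing, so such requests are still sealed
     * under the server's long-term key.
     *
     * @throws KerberosException KRB_ERR_GENERIC if the ticket part cannot be encoded, or
     *                           whatever the encryption engine raises
     */
    private EncryptedData encryptTicketPart(EncTicketPart encTicketPart, EncryptionKey encryptionKey, KdcRequest kdcRequest) throws KerberosException {
        byte[] encoded;
        try {
            encoded = new EncTicketPartEncoder().encode(encTicketPart);
        } catch (IOException e) {
            log.error("failed while encoding new ticket body", e);
            throw new KerberosException(ErrorType.KRB_ERR_GENERIC);
        }
        return EncryptionEngineFactory.getEncryptionEngineFor(encryptionKey).getEncryptedData(encryptionKey, encoded);
    }

    /**
     * Encodes the reply's EncTGSRepPart and sets it as the reply's encrypted part.
     *
     * <p>Failures are no longer swallowed: a reply without an enc-part must not leave the KDC,
     * so the error is logged and then propagated (a KerberosException as is, anything else
     * wrapped as KRB_ERR_GENERIC).
     *
     * @throws KerberosException if encoding or encryption fails
     */
    private void encryptReplyPart(TicketGrantReply reply, EncryptionKey encryptionKey) throws KerberosException {
        try {
            reply.setEncPart(EncryptionEngineFactory.getEncryptionEngineFor(encryptionKey)
                    .getEncryptedData(encryptionKey, new EncTgsRepPartEncoder().encode(reply)));
        } catch (Exception e) {
            log.error("failed to encrypt the reply part", e);
            if (e instanceof KerberosException) {
                throw (KerberosException) e;
            }
            throw new KerberosException(ErrorType.KRB_ERR_GENERIC);
        }
    }

    /**
     * Populates the clear fields of the TGS-REP from the TGT (client principal), the new
     * ticket (flags, addresses, times, server principal) and the request (nonce).
     * Renew-till is only copied when the new ticket is RENEWABLE (bit 8).
     *
     * @param tgt           the verified ticket-granting ticket
     * @param newTicket     the ticket issued by {@link #getNewTicket}
     * @param sessionKey    the new ticket's session key, returned to the client in the reply
     * @param kdcRequest    the TGS-REQ
     */
    private TicketGrantReply getReply(Ticket tgt, Ticket newTicket, EncryptionKey sessionKey, KdcRequest kdcRequest) {
        TicketGrantReply reply = new TicketGrantReply();
        reply.setClientPrincipal(tgt.getClientPrincipal());
        reply.setTicket(newTicket);
        reply.setKey(sessionKey);
        reply.setNonce(kdcRequest.getNonce());
        reply.setLastRequest(new LastRequest());
        reply.setFlags(newTicket.getFlags());
        reply.setClientAddresses(newTicket.getClientAddresses());
        reply.setAuthTime(newTicket.getAuthTime());
        reply.setStartTime(newTicket.getStartTime());
        reply.setEndTime(newTicket.getEndTime());
        reply.setServerPrincipal(newTicket.getServerPrincipal());
        if (newTicket.getFlag(8)) {
            reply.setRenewTill(newTicket.getRenewTill());
        }
        return reply;
    }

    // Decompiler artifact of the pre-Java-5 class-literal idiom used to initialise the logger.
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }

    static {
        Class cls;
        if (class$org$apache$kerberos$kdc$TicketGrantingService == null) {
            cls = class$("org.apache.kerberos.kdc.TicketGrantingService");
            class$org$apache$kerberos$kdc$TicketGrantingService = cls;
        } else {
            cls = class$org$apache$kerberos$kdc$TicketGrantingService;
        }
        log = LogFactory.getLog(cls);
    }
}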
