package org.apache.kerberos.kdc;

import java.io.IOException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.kerberos.crypto.RandomKey;
import org.apache.kerberos.crypto.encryption.EncryptionEngineFactory;
import org.apache.kerberos.crypto.encryption.EncryptionType;
import org.apache.kerberos.exceptions.ErrorType;
import org.apache.kerberos.exceptions.KerberosException;
import org.apache.kerberos.io.decoder.EncryptedDataDecoder;
import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
import org.apache.kerberos.io.encoder.EncryptionTypeInfoEncoder;
import org.apache.kerberos.io.encoder.PreAuthenticationDataEncoder;
import org.apache.kerberos.messages.AuthenticationReply;
import org.apache.kerberos.messages.KdcRequest;
import org.apache.kerberos.messages.components.EncTicketPart;
import org.apache.kerberos.messages.components.EncTicketPartModifier;
import org.apache.kerberos.messages.components.Ticket;
import org.apache.kerberos.messages.value.EncryptedData;
import org.apache.kerberos.messages.value.EncryptedTimeStamp;
import org.apache.kerberos.messages.value.EncryptionKey;
import org.apache.kerberos.messages.value.EncryptionTypeInfoEntry;
import org.apache.kerberos.messages.value.KerberosTime;
import org.apache.kerberos.messages.value.LastRequest;
import org.apache.kerberos.messages.value.PreAuthenticationData;
import org.apache.kerberos.messages.value.PreAuthenticationDataModifier;
import org.apache.kerberos.messages.value.PreAuthenticationDataType;
import org.apache.kerberos.messages.value.TransitedEncoding;
import org.apache.kerberos.sam.SamException;
import org.apache.kerberos.sam.SamSubsystem;
import org.apache.kerberos.sam.TimestampChecker;
import org.apache.kerberos.service.KdcConfiguration;
import org.apache.kerberos.service.KerberosService;
import org.apache.kerberos.store.PrincipalStore;
import org.apache.kerberos.store.PrincipalStoreEntry;

/* loaded from: input_file:zips/geronimo-jetty-j2ee-1.0.zip:geronimo-1.0/repository/directory-protocols/jars/kerberos-protocol-0.5.jar:org/apache/kerberos/kdc/AuthenticationService.class */
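/**
 * KDC Authentication Service (the AS exchange): turns a {@link KdcRequest} that
 * names a client principal into an {@link AuthenticationReply} carrying a newly
 * generated ticket for the requested server principal.
 *
 * <p>A reply is produced only after the client has been pre-authenticated,
 * either with a PA-ENC-TIMESTAMP that decrypts under the client's stored key
 * (when the configuration requires it), or through the SAM subsystem when the
 * client's store entry carries a SAM type. The key that pre-authentication
 * yields is the key the reply part is encrypted under.
 *
 * <p>Failures while encrypting the ticket or the reply part are reported to the
 * caller as a {@link KerberosException}; no reply is ever returned with an
 * empty enc-part.
 *
 * <p>NOTE(review): the timestamp check below only validates clock skew; no
 * replay cache for accepted PA-ENC-TIMESTAMP values is visible in this class.
 */
public class AuthenticationService extends KerberosService {
    /** RFC 4120 KRB_ERR_GENERIC (60); the code this class already uses for SAM failures. */
    private static final int KRB_ERR_GENERIC_CODE = 60;

    private static final Log log = LogFactory.getLog(AuthenticationService.class);

    static {
        // The SAM subsystem is a singleton; the integrity checker must be installed
        // before the first SAM-based pre-authentication is attempted.
        log.debug("Initializing SAM subsystem");
        SamSubsystem.getInstance().setIntegrityChecker(new TimestampChecker());
    }

    /**
     * @param kdcConfiguration KDC policy: pre-authentication requirement, clock skew,
     *                         postdating and maximum ticket/renewable lifetimes
     * @param principalStore   store used to look up client and server entries
     */
    public AuthenticationService(KdcConfiguration kdcConfiguration, PrincipalStore principalStore) {
        super(kdcConfiguration, principalStore);
    }

    /**
     * Handles one AS request.
     *
     * @param kdcRequest the decoded AS-REQ
     * @return the AS-REP, with its private part encrypted under the client's key
     * @throws KerberosException if pre-authentication fails, the request asks for
     *         options this exchange cannot honour, policy forbids the request, or
     *         the ticket/reply cannot be encrypted
     */
    public AuthenticationReply getReplyFor(KdcRequest kdcRequest) throws KerberosException {
        if (log.isDebugEnabled()) {
            log.debug(describeRequest(kdcRequest));
        }
        // Pre-authentication comes first: no ticket material is generated for a
        // client that has not proven knowledge of its key.
        EncryptionKey clientKey = verifyPreAuthentication(kdcRequest);
        Ticket ticket = generateNewTicket(kdcRequest);
        AuthenticationReply reply = getAuthenticationReply(kdcRequest, ticket);
        encryptReplyPart(reply, clientKey);
        return reply;
    }

    /** Formats the request fields for the debug log (no key material is included). */
    private static String describeRequest(KdcRequest kdcRequest) {
        return "Responding to authentication request:\n\trealm:                 " + kdcRequest.getRealm()
            + "\n\tserverPrincipal:       " + kdcRequest.getServerPrincipal()
            + "\n\tclientPrincipal:       " + kdcRequest.getClientPrincipal()
            + "\n\thostAddresses:         " + kdcRequest.getAddresses()
            + "\n\tencryptionType:        " + kdcRequest.getEType()
            + "\n\tfrom krb time:         " + kdcRequest.getFrom()
            + "\n\trealm krb time:        " + kdcRequest.getRtime()
            + "\n\tkdcOptions:            " + kdcRequest.getKdcOptions()
            + "\n\tmessageType:           " + kdcRequest.getMessageType()
            + "\n\tnonce:                 " + kdcRequest.getNonce()
            + "\n\tprotocolVersionNumber: " + kdcRequest.getProtocolVersionNumber()
            + "\n\ttill:                  " + kdcRequest.getTill();
    }

    /**
     * Pre-authenticates the client and returns the key the reply part must be
     * encrypted under.
     *
     * <p>Without a SAM type on the client's store entry, the stored client key is
     * used; if {@code config.isPaEncTimestampRequired()} the request must also
     * carry a PA-ENC-TIMESTAMP that decrypts under that key and lies within the
     * configured clock skew. With a SAM type, the PA-ENC-TIMESTAMP value is handed
     * to the SAM subsystem and the key it verifies becomes the reply key.
     *
     * @throws KerberosException KDC_ERR_NULL_KEY if the client has no stored key;
     *         KDC_ERR_PREAUTH_REQUIRED (with PA hints as e-data) if no usable
     *         PA-ENC-TIMESTAMP is present; KRB_AP_ERR_BAD_INTEGRITY if the timestamp
     *         cannot be decrypted or decoded; KDC_ERR_PREAUTH_FAILED if it lies
     *         outside the clock skew; a generic error if the SAM subsystem rejects it
     */
    private EncryptionKey verifyPreAuthentication(KdcRequest kdcRequest) throws KerberosException {
        KerberosPrincipal clientPrincipal = kdcRequest.getClientPrincipal();
        PrincipalStoreEntry clientEntry = getEntryForClient(clientPrincipal);
        EncryptionKey replyKey;
        if (clientEntry.getSamType() == null) {
            if (log.isDebugEnabled()) {
                log.debug("entry for client principal " + clientPrincipal.getName()
                    + " has no SAM type: proceeding with standard pre-authentication");
            }
            replyKey = clientEntry.getEncryptionKey();
            if (replyKey == null) {
                throw new KerberosException(ErrorType.KDC_ERR_NULL_KEY);
            }
            if (this.config.isPaEncTimestampRequired()) {
                verifyEncryptedTimestamp(kdcRequest.getPreAuthData(), replyKey);
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("entry for client principal " + clientPrincipal.getName()
                    + " has a valid SAM type: invoking SAM subsystem for pre-authentication");
            }
            replyKey = verifyWithSam(clientEntry, kdcRequest.getPreAuthData());
        }
        if (log.isDebugEnabled()) {
            log.debug("Ticket will be issued to client " + clientPrincipal.toString() + ".");
        }
        return replyKey;
    }

    /**
     * Decrypts the PA-ENC-TIMESTAMP carried in {@code preAuthData} under
     * {@code clientKey} and checks it against the configured clock skew. If several
     * PA-ENC-TIMESTAMP entries are present, the last one decides.
     *
     * @throws KerberosException see {@link #verifyPreAuthentication(KdcRequest)}
     */
    private void verifyEncryptedTimestamp(PreAuthenticationData[] preAuthData, EncryptionKey clientKey)
            throws KerberosException {
        if (preAuthData == null || preAuthData.length == 0) {
            throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError());
        }
        EncryptedTimeStamp timestamp = null;
        for (int i = 0; i < preAuthData.length; i++) {
            if (!PreAuthenticationDataType.PA_ENC_TIMESTAMP.equals(preAuthData[i].getDataType())) {
                continue;
            }
            try {
                timestamp = new EncryptedTimestampDecoder().decode(
                    EncryptionEngineFactory.getEncryptionEngineFor(clientKey).getDecryptedData(
                        clientKey, EncryptedDataDecoder.decode(preAuthData[i].getDataValue())));
            } catch (IOException e) {
                // Undecodable or undecryptable data is reported uniformly: the client
                // learns nothing about which stage failed.
                throw new KerberosException(ErrorType.KRB_AP_ERR_BAD_INTEGRITY);
            } catch (ClassCastException e) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_BAD_INTEGRITY);
            } catch (KerberosException e) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_BAD_INTEGRITY);
            }
        }
        if (timestamp == null) {
            throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError());
        }
        if (!timestamp.getTimeStamp().isInClockSkew(this.config.getClockSkew())) {
            throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_FAILED);
        }
    }

    /**
     * Hands each PA-ENC-TIMESTAMP value to the SAM subsystem and returns the key it
     * verifies (the last verified entry wins).
     *
     * @throws KerberosException KDC_ERR_PREAUTH_REQUIRED if no PA-ENC-TIMESTAMP was
     *         present, or a generic error carrying the SAM failure message
     */
    private EncryptionKey verifyWithSam(PrincipalStoreEntry clientEntry, PreAuthenticationData[] preAuthData)
            throws KerberosException {
        if (preAuthData == null || preAuthData.length == 0) {
            throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError());
        }
        EncryptionKey replyKey = null;
        for (int i = 0; i < preAuthData.length; i++) {
            if (!PreAuthenticationDataType.PA_ENC_TIMESTAMP.equals(preAuthData[i].getDataType())) {
                continue;
            }
            try {
                KerberosKey verified = SamSubsystem.getInstance().verify(clientEntry, preAuthData[i].getDataValue());
                replyKey = new EncryptionKey(EncryptionType.getTypeByOrdinal(verified.getKeyType()), verified.getEncoded());
            } catch (SamException e) {
                throw new KerberosException(KRB_ERR_GENERIC_CODE, e.getMessage());
            }
        }
        if (replyKey == null) {
            // No entry the SAM subsystem could verify: fail with the same error and
            // hints as the timestamp path rather than returning a null reply key.
            throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError());
        }
        return replyKey;
    }

    /**
     * Builds the e-data attached to KDC_ERR_PREAUTH_REQUIRED: a PA-ENC-TIMESTAMP
     * hint with an empty value plus PA-ETYPE-INFO advertising DES_CBC_MD5.
     *
     * <p>The advertised encryption type is hard-coded; a deployment keyed with other
     * types would need this derived from the client's stored key.
     *
     * @return the encoded PA-DATA sequence, or {@code null} if encoding fails (the
     *         failure is logged and the error is still raised, just without hints)
     */
    private byte[] preparePreAuthenticationError() {
        try {
            PreAuthenticationDataModifier timestampHint = new PreAuthenticationDataModifier();
            timestampHint.setDataType(PreAuthenticationDataType.PA_ENC_TIMESTAMP);
            timestampHint.setDataValue(new byte[0]);

            PreAuthenticationDataModifier etypeInfo = new PreAuthenticationDataModifier();
            etypeInfo.setDataType(PreAuthenticationDataType.PA_ENCTYPE_INFO);
            etypeInfo.setDataValue(EncryptionTypeInfoEncoder.encode(
                new EncryptionTypeInfoEntry[] { new EncryptionTypeInfoEntry(EncryptionType.DES_CBC_MD5, null) }));

            PreAuthenticationData[] hints = new PreAuthenticationData[] {
                timestampHint.getPreAuthenticationData(),
                etypeInfo.getPreAuthenticationData()
            };
            return PreAuthenticationDataEncoder.encode(hints);
        } catch (IOException e) {
            log.error("returning null pre-authentication error", e);
            return null;
        }
    }

    /**
     * Builds and encrypts the ticket for the requested server.
     *
     * <p>Option and flag numbers are RFC 4120 bit positions: KDCOptions 1 FORWARDABLE,
     * 2 FORWARDED, 3 PROXIABLE, 4 PROXY, 5 ALLOW-POSTDATE, 6 POSTDATED, 8 RENEWABLE,
     * 27 RENEWABLE-OK, 28 ENC-TKT-IN-SKEY, 30 RENEW, 31 VALIDATE; TicketFlags 1
     * FORWARDABLE, 3 PROXIABLE, 5 MAY-POSTDATE, 7 INVALID, 8 RENEWABLE.
     *
     * @throws KerberosException KDC_ERR_BADOPTION for options an AS exchange cannot
     *         honour, KDC_ERR_POLICY if postdating is requested but not allowed, or a
     *         generic error if the ticket part cannot be encrypted
     */
    private Ticket generateNewTicket(KdcRequest kdcRequest) throws KerberosException {
        KerberosPrincipal serverPrincipal = kdcRequest.getServerPrincipal();
        EncryptionKey serverKey = getServerKey(serverPrincipal);

        // FORWARDED, PROXY, ENC-TKT-IN-SKEY, RENEW and VALIDATE only make sense in a
        // TGS exchange; refuse them before any ticket state is built.
        if (kdcRequest.getKdcOptions().get(30) || kdcRequest.getKdcOptions().get(31)
                || kdcRequest.getKdcOptions().get(4) || kdcRequest.getKdcOptions().get(2)
                || kdcRequest.getKdcOptions().get(28)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }

        EncTicketPartModifier ticketPart = new EncTicketPartModifier();
        copyFlagIfRequested(kdcRequest, ticketPart, 1);
        copyFlagIfRequested(kdcRequest, ticketPart, 3);
        copyFlagIfRequested(kdcRequest, ticketPart, 5);

        ticketPart.setSessionKey(new RandomKey().getNewSessionKey());
        ticketPart.setClientPrincipal(kdcRequest.getClientPrincipal());
        ticketPart.setTransitedEncoding(new TransitedEncoding());
        KerberosTime now = new KerberosTime();
        ticketPart.setAuthTime(now);

        // POSTDATED needs policy consent; the ticket is issued INVALID and starts at
        // the requested time until it is validated later.
        if (kdcRequest.getKdcOptions().get(6)) {
            if (!this.config.isPostdateAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketPart.setFlag(7);
            ticketPart.setStartTime(kdcRequest.getFrom());
        }

        // End time: the requested till (0 meaning "no preference", hence unbounded)
        // capped by the maximum ticket lifetime measured from authTime.
        long requestedTill = kdcRequest.getTill().getTime();
        long tillBound = requestedTill == 0 ? Long.MAX_VALUE : requestedTill;
        KerberosTime endTime = new KerberosTime(
            Math.min(now.getTime() + this.config.getMaximumTicketLifetime(), tillBound));
        ticketPart.setEndTime(endTime);

        // RENEWABLE-OK: when the requested till could not be honoured, upgrade the
        // request to RENEWABLE so the client can renew towards it.
        long renewBound = Long.MAX_VALUE;
        if (kdcRequest.getKdcOptions().get(27) && kdcRequest.getTill().greaterThan(endTime)) {
            kdcRequest.getKdcOptions().set(8);
            KerberosTime rtime = kdcRequest.getRtime();
            // rtime is optional in a request; previously it was dereferenced
            // unconditionally here. Falling back to the requested till matches the
            // RFC 4120 3.1.3 renew-till computation — TODO confirm against the spec.
            renewBound = rtime == null ? kdcRequest.getTill().getTime() : rtime.getTime();
        }

        if (kdcRequest.getKdcOptions().get(8)) {
            ticketPart.setFlag(8);
            // renew-till is measured from the requested start, or from authTime when
            // no start time was requested.
            KerberosTime from = kdcRequest.getFrom();
            if (from == null) {
                from = now;
            }
            ticketPart.setRenewTill(new KerberosTime(
                Math.min(from.getTime() + this.config.getMaximumRenewableLifetime(), renewBound)));
        }

        if (kdcRequest.getAddresses() != null) {
            ticketPart.setClientAddresses(kdcRequest.getAddresses());
        }

        EncTicketPart encTicketPart = ticketPart.getEncTicketPart();
        Ticket ticket = new Ticket(serverPrincipal, encryptTicketPart(encTicketPart, serverKey));
        ticket.setEncTicketPart(encTicketPart);
        if (log.isDebugEnabled()) {
            log.debug("Ticket will be issued for access to " + serverPrincipal.toString() + ".");
        }
        return ticket;
    }

    /** Sets ticket flag {@code flag} when the same bit is set in the request's KDC options. */
    private static void copyFlagIfRequested(KdcRequest kdcRequest, EncTicketPartModifier ticketPart, int flag) {
        if (kdcRequest.getKdcOptions().get(flag)) {
            ticketPart.setFlag(flag);
        }
    }

    /**
     * Encrypts the ticket's private part under the server's key.
     *
     * @throws KerberosException (generic error) if encoding or encryption fails; a
     *         ticket is never issued with a missing enc-part
     */
    private EncryptedData encryptTicketPart(EncTicketPart encTicketPart, EncryptionKey serverKey)
            throws KerberosException {
        try {
            return EncryptionEngineFactory.getEncryptionEngineFor(serverKey)
                .getEncryptedData(serverKey, new EncTicketPartEncoder().encode(encTicketPart));
        } catch (Exception e) {
            log.error("failed to encrypt ticket part", e);
            throw new KerberosException(KRB_ERR_GENERIC_CODE, "failed to encrypt ticket part: " + e.getMessage());
        }
    }

    /**
     * Encrypts the reply's private part under the client's (pre-authentication) key.
     *
     * @throws KerberosException (generic error) if encoding or encryption fails; the
     *         reply is never returned with a missing enc-part
     */
    private void encryptReplyPart(AuthenticationReply authenticationReply, EncryptionKey clientKey)
            throws KerberosException {
        try {
            authenticationReply.setEncPart(EncryptionEngineFactory.getEncryptionEngineFor(clientKey)
                .getEncryptedData(clientKey, new EncAsRepPartEncoder().encode(authenticationReply)));
        } catch (Exception e) {
            log.error("failed to encrypt reply part", e);
            throw new KerberosException(KRB_ERR_GENERIC_CODE, "failed to encrypt reply part: " + e.getMessage());
        }
    }

    /**
     * Assembles the (not yet encrypted) AS-REP from the request and the issued ticket.
     * The reply echoes the request nonce and mirrors the ticket's key, flags, times
     * and addresses; renew-till is copied only for RENEWABLE (flag 8) tickets.
     */
    private AuthenticationReply getAuthenticationReply(KdcRequest kdcRequest, Ticket ticket) {
        AuthenticationReply reply = new AuthenticationReply();
        reply.setClientPrincipal(kdcRequest.getClientPrincipal());
        reply.setTicket(ticket);
        reply.setKey(ticket.getSessionKey());
        reply.setLastRequest(new LastRequest());
        reply.setNonce(kdcRequest.getNonce());
        reply.setFlags(ticket.getFlags());
        reply.setAuthTime(ticket.getAuthTime());
        reply.setStartTime(ticket.getStartTime());
        reply.setEndTime(ticket.getEndTime());
        if (ticket.getFlags().get(8)) {
            reply.setRenewTill(ticket.getRenewTill());
        }
        reply.setServerPrincipal(ticket.getServerPrincipal());
        reply.setClientAddresses(ticket.getClientAddresses());
        return reply;
    }
}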
