package org.wildfly.security.sasl.gs2;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.asn1.ASN1Exception;
import org.wildfly.security.asn1.DEREncoder;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.auth.callback.ServerCredentialCallback;
import org.wildfly.security.credential.GSSKerberosCredential;
import org.wildfly.security.sasl.util.AbstractSaslServer;
import org.wildfly.security.util.ByteIterator;
import org.wildfly.security.util.ByteStringBuilder;
import org.wildfly.security.util.CodePointIterator;

/* loaded from: input_file:lib/wildfly-elytron-1.1.7.Final.jar:org/wildfly/security/sasl/gs2/Gs2SaslServer.class */
/**
 * Server side of the GS2 SASL mechanism family (GSS-API bridged into SASL, see RFC 5801).
 * <p>
 * The server accepts a GSS-API security context on behalf of the service {@code protocol@serverName}
 * and, once the context is established, authorizes the peer's GSS name against the requested
 * authorization ID via an {@link AuthorizeCallback}.
 * <p>
 * Negotiation states used with {@code setNegotiationState}/{@code evaluateMessage}:
 * {@link #ST_NO_MESSAGE} (waiting for the client's first message; an empty initial response is
 * answered with an empty challenge), {@link #ST_FIRST_MESSAGE} (the client's first message carries
 * the GS2 header plus the initial GSS token) and {@link #ST_ACCEPTOR} (subsequent raw GSS tokens
 * until the context is established). State {@code 0} is handled as the completed state; it is
 * presumably {@code AbstractSaslParticipant}'s completion constant — confirm against the base class.
 * <p>
 * Channel binding: when constructed as the "-PLUS" variant ({@code plus == true}) the client MUST
 * send {@code p=<type>} with a matching binding type; {@code n} and {@code y} are rejected. When not
 * PLUS, {@code y} is also rejected if binding data is configured, which is the RFC 5801 downgrade
 * protection. This class is not thread-safe; one instance serves one authentication exchange.
 * <p>
 * NOTE(review): this is decompiled output. The {@code $assertionsDisabled} checks are the compiled
 * form of {@code assert} statements, and the numeric literals in the switch/parse code are ASCII
 * byte values and state constants that the decompiler did not fold back to their names.
 */
final class Gs2SaslServer extends AbstractSaslServer {
    // Negotiation states (the literal values below are these constants, unfolded by the decompiler).
    private static final int ST_NO_MESSAGE = 1;
    private static final int ST_FIRST_MESSAGE = 2;
    private static final int ST_ACCEPTOR = 3;
    // true for the "-PLUS" mechanism variant, i.e. channel binding is mandatory.
    private final boolean plus;
    // Channel binding type the server offers (e.g. a tls-* name); may be null when none configured.
    private final String bindingType;
    // Raw channel binding data matching bindingType; may be null when none configured.
    private final byte[] bindingData;
    // GSS-API mechanism OID selected from the SASL mechanism name.
    private final Oid mechanism;
    // Acceptor-side security context; set to null by dispose().
    private GSSContext gssContext;
    // Authorization ID requested by the client ("a=" field); defaults to the peer's GSS name in checkAuthorizationID().
    private String authorizationID;
    // Compiler-generated flag backing the assert statements; see the static initializer.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the server and obtains the acceptor credential.
     * <p>
     * The credential is first requested from the callback handler through a
     * {@link ServerCredentialCallback} for a {@link GSSKerberosCredential}. If the handler does not
     * support that callback (or yields nothing), a credential is created with the {@link GSSManager}
     * for the host-based name {@code protocol@serverName} with {@code Integer.MAX_VALUE}
     * ({@code GSSCredential.INDEFINITE_LIFETIME}) and usage {@code 2}
     * ({@code GSSCredential.ACCEPT_ONLY}).
     *
     * @param str             the SASL mechanism name; mapped to the GSS-API mechanism OID
     * @param str2            the protocol name (first half of the host-based service name)
     * @param str3            the server name (second half of the host-based service name)
     * @param callbackHandler the callback handler used for credential and authorization callbacks
     * @param gSSManager      the GSS-API manager used to resolve the mechanism and create the context
     * @param z               {@code true} for the "-PLUS" (channel-binding mandatory) variant
     * @param str4            the channel binding type offered by the server, or {@code null}
     * @param bArr            the channel binding data, or {@code null}
     * @throws SaslException if the mechanism name cannot be mapped to an OID, the callback handler
     *                       fails with an {@link IOException}, or the credential/context cannot be created
     */
    public Gs2SaslServer(String str, String str2, String str3, CallbackHandler callbackHandler, GSSManager gSSManager, boolean z, String str4, byte[] bArr) throws SaslException {
        super(str, str2, str3, callbackHandler);
        this.plus = z;
        this.bindingType = str4;
        this.bindingData = bArr;
        try {
            this.mechanism = Gs2.getMechanismForSaslName(gSSManager, str);
            GSSCredential gSSCredential = null;
            ServerCredentialCallback serverCredentialCallback = new ServerCredentialCallback(GSSKerberosCredential.class);
            try {
                ElytronMessages.log.trace("Obtaining GSSCredential for the service from callback handler");
                callbackHandler.handle(new Callback[]{serverCredentialCallback});
                gSSCredential = (GSSCredential) serverCredentialCallback.applyToCredential(GSSKerberosCredential.class, (v0) -> {
                    return v0.getGssCredential();
                });
            } catch (IOException e) {
                throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), e).toSaslException();
            } catch (UnsupportedCallbackException e2) {
                // Not an error: the handler simply does not supply credentials, fall back to the GSSManager below.
                ElytronMessages.log.trace("Unable to obtain GSSCredential from callback handler", e2);
            }
            if (gSSCredential == null) {
                try {
                    // Host-based service name, e.g. "ldap@host.example" (constructed example).
                    String str5 = str2 + "@" + str3;
                    ElytronMessages.log.tracef("Our name '%s'", str5);
                    gSSCredential = gSSManager.createCredential(gSSManager.createName(str5, GSSName.NT_HOSTBASED_SERVICE, this.mechanism), Integer.MAX_VALUE, this.mechanism, 2);
                } catch (GSSException e3) {
                    throw ElytronMessages.log.mechUnableToCreateGssContext(getMechanismName(), e3).toSaslException();
                }
            }
            this.gssContext = gSSManager.createContext(gSSCredential);
        } catch (GSSException e4) {
            // NOTE(review): this catch also covers createContext() above, so a context-creation
            // failure is reported with the OID-mapping message; the error message can be misleading.
            throw ElytronMessages.log.mechMechanismToOidMappingFailed(getMechanismName(), e4).toSaslException();
        }
    }

    /**
     * Resets negotiation to {@link #ST_NO_MESSAGE} (literal {@code 1}), waiting for the client's first message.
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(1);
    }

    /**
     * Returns the authorization ID as requested by the client, or as defaulted to the peer's
     * authenticated GSS name by {@code checkAuthorizationID()}; {@code null} until the first
     * message has been parsed.
     *
     * @return the authorization ID, or {@code null}
     */
    public String getAuthorizationID() {
        return this.authorizationID;
    }

    /**
     * Processes one client message according to the current negotiation state.
     * <p>
     * State {@code 0} (completed): only an empty message is tolerated. State {@code 1}
     * ({@link #ST_NO_MESSAGE}): an empty initial response moves to {@link #ST_ACCEPTOR} and returns
     * an empty challenge so the client sends its first message; a non-empty one is treated as the
     * first message. State {@code 2} ({@link #ST_FIRST_MESSAGE}): the first message is parsed
     * (code after the switch). State {@code 3} ({@link #ST_ACCEPTOR}): the bytes are a raw GSS
     * token fed to {@code acceptSecContext}.
     * <p>
     * First-message layout (RFC 5801 gs2-header followed by the initial GSS token, ASCII values
     * as used below): optional {@code "F,"} (70 = 'F', non-standard token framing), a channel
     * binding flag {@code "p=<type>,"} (112 = 'p', 61 = '='), {@code "n,"} (110) or {@code "y,"}
     * (121), an optional {@code "a=<authzid>"} (97 = 'a') and a terminating {@code ','} (44).
     * <p>
     * Security checks performed: channel binding flag consistency with the server's PLUS/binding
     * configuration, binding type equality, the GS2 header (without any {@code "F,"} prefix) being
     * bound into the GSS channel binding, the negotiated GSS mechanism matching the requested one,
     * and the authorization check in {@code checkAuthorizationID()}.
     *
     * @param i    the current negotiation state
     * @param bArr the client message (may be {@code null} or empty)
     * @return the token to send to the client; {@code null} when complete, {@code NO_BYTES} for an empty challenge
     * @throws SaslException on protocol violation, channel binding mismatch, GSS failure or failed authorization
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        int i2;
        int offset;
        byte[] restoreTokenHeader;
        switch (i) {
            case 0:
                // Completed: an empty message is accepted (no further output), anything else is a violation.
                if (bArr == null || bArr.length == 0) {
                    return null;
                }
                throw ElytronMessages.log.mechMessageAfterComplete(getMechanismName()).toSaslException();
            case 1:
                // ST_NO_MESSAGE: empty initial response -> send empty challenge, expect raw tokens next.
                if (bArr == null || bArr.length == 0) {
                    setNegotiationState(3);
                    return NO_BYTES;
                }
                // Non-empty initial response is the client's first message; handled after the switch.
                break;
            case 2:
                // ST_FIRST_MESSAGE: handled after the switch.
                break;
            case 3:
                // ST_ACCEPTOR: the message is a raw GSS token for a context that is not yet established.
                if (!$assertionsDisabled && this.gssContext.isEstablished()) {
                    throw new AssertionError();
                }
                try {
                    byte[] acceptSecContext = this.gssContext.acceptSecContext(bArr, 0, bArr.length);
                    if (this.gssContext.isEstablished()) {
                        // The client must not have negotiated a different GSS mechanism than the SASL name implies.
                        if (!this.mechanism.equals(this.gssContext.getMech())) {
                            throw ElytronMessages.log.mechGssApiMechanismMismatch(getMechanismName()).toSaslException();
                        }
                        checkAuthorizationID();
                        try {
                            GSSCredential delegCred = this.gssContext.getDelegCred();
                            if (delegCred != null) {
                                // Hand a delegated credential to the application; failure to deliver it is non-fatal.
                                tryHandleCallbacks(new IdentityCredentialCallback(new GSSKerberosCredential(delegCred), true));
                            } else {
                                ElytronMessages.log.trace("No GSSCredential delegated during authentication.");
                            }
                        } catch (SaslException e) {
                            throw e;
                        } catch (UnsupportedCallbackException | GSSException e2) {
                            // Deliberately ignored: delegated-credential delivery is best-effort and does not affect authentication.
                        }
                        negotiationComplete();
                    }
                    return acceptSecContext;
                } catch (GSSException e3) {
                    throw ElytronMessages.log.mechUnableToAcceptClientMessage(getMechanismName(), e3).toSaslException();
                }
            default:
                throw Assert.impossibleSwitchCase(i);
        }
        // First-message handling (reached from states 1 and 2).
        if (!$assertionsDisabled && this.gssContext.isEstablished()) {
            throw new AssertionError();
        }
        if (bArr == null || bArr.length == 0) {
            throw ElytronMessages.log.mechClientRefusesToInitiateAuthentication(getMechanismName()).toSaslException();
        }
        ByteIterator ofBytes = ByteIterator.ofBytes(bArr);
        // View of the same bytes up to the next ',' (44), decoded as UTF-8; used for the p= type and a= value.
        CodePointIterator asUtf8String = ofBytes.delimitedBy(44).asUtf8String();
        // z: client sent "p=" (channel binding in use); z2: client sent the "F" non-standard flag.
        boolean z = false;
        boolean z2 = false;
        int next = ofBytes.next();
        if (next == 70) {
            // 'F': token is not wrapped in the standard RFC 2743 header, so no header is restored below.
            skipDelimiter(ofBytes);
            z2 = true;
            next = ofBytes.next();
        }
        if (next == 112) {
            // 'p': client requires channel binding; only valid for the PLUS variant.
            z = true;
            if (!this.plus) {
                throw ElytronMessages.log.mechChannelBindingNotSupported(getMechanismName()).toSaslException();
            }
            if (ofBytes.next() != 61) {
                throw ElytronMessages.log.mechInvalidMessageReceived(getMechanismName()).toSaslException();
            }
            if (!$assertionsDisabled && this.bindingType == null) {
                throw new AssertionError();
            }
            if (!$assertionsDisabled && this.bindingData == null) {
                throw new AssertionError();
            }
            // The client's binding type must match exactly what this server was configured with.
            if (!this.bindingType.equals(asUtf8String.drainToString())) {
                throw ElytronMessages.log.mechChannelBindingTypeMismatch(getMechanismName()).toSaslException();
            }
            skipDelimiter(ofBytes);
        } else if (next == 121) {
            // 'y': client supports channel binding but believes the server does not. If this server is
            // PLUS or has binding data configured, the client was offered binding and this is a downgrade.
            if (this.plus || !(this.bindingType == null || this.bindingData == null)) {
                throw ElytronMessages.log.mechChannelBindingNotProvided(getMechanismName()).toSaslException();
            }
            skipDelimiter(ofBytes);
        } else {
            // Only 'n' remains valid; anything else is a malformed header.
            if (next != 110) {
                throw ElytronMessages.log.mechInvalidMessageReceived(getMechanismName()).toSaslException();
            }
            // 'n': client does not support channel binding; not acceptable for the PLUS variant.
            if (this.plus) {
                throw ElytronMessages.log.mechChannelBindingNotProvided(getMechanismName()).toSaslException();
            }
            skipDelimiter(ofBytes);
        }
        int next2 = ofBytes.next();
        if (next2 == 97) {
            // 'a=' authzid; authorization itself is checked later in checkAuthorizationID().
            if (ofBytes.next() != 61) {
                throw ElytronMessages.log.mechInvalidMessageReceived(getMechanismName()).toSaslException();
            }
            this.authorizationID = asUtf8String.drainToString();
            skipDelimiter(ofBytes);
        } else if (next2 != 44) {
            // Without an authzid the header must end with ','.
            throw ElytronMessages.log.mechInvalidMessageReceived(getMechanismName()).toSaslException();
        }
        // Determine the gs2-header span that goes into the channel binding, and the GSS token.
        if (z2) {
            // Skip the leading "F," (2 bytes) so it is excluded from the header bound into the channel binding.
            i2 = 2;
            offset = ofBytes.offset() - 2;
            restoreTokenHeader = ofBytes.drain();
        } else {
            i2 = 0;
            offset = ofBytes.offset();
            try {
                // GS2 strips the RFC 2743 InitialContextToken header; put it back before the mechanism sees the token.
                restoreTokenHeader = restoreTokenHeader(ofBytes.drain());
            } catch (ASN1Exception e4) {
                throw ElytronMessages.log.mechUnableToCreateResponseTokenWithCause(getMechanismName(), e4).toSaslException();
            }
        }
        ByteStringBuilder byteStringBuilder = new ByteStringBuilder();
        byteStringBuilder.append(bArr, i2, offset);
        try {
            // Bind the gs2-header (and, when z, the configured binding data) into the GSS context;
            // the mechanism is expected to verify these against the client's bindings — confirm for the mechanism in use.
            this.gssContext.setChannelBinding(Gs2Util.createChannelBinding(byteStringBuilder.toArray(), z, this.bindingData));
            try {
                byte[] acceptSecContext2 = this.gssContext.acceptSecContext(restoreTokenHeader, 0, restoreTokenHeader.length);
                if (!this.gssContext.isEstablished()) {
                    // More round trips needed: subsequent messages are raw GSS tokens.
                    setNegotiationState(3);
                } else {
                    // Same post-establishment checks as in the ST_ACCEPTOR case above.
                    if (!this.mechanism.equals(this.gssContext.getMech())) {
                        throw ElytronMessages.log.mechGssApiMechanismMismatch(getMechanismName()).toSaslException();
                    }
                    checkAuthorizationID();
                    try {
                        GSSCredential delegCred2 = this.gssContext.getDelegCred();
                        if (delegCred2 != null) {
                            tryHandleCallbacks(new IdentityCredentialCallback(new GSSKerberosCredential(delegCred2), true));
                        } else {
                            ElytronMessages.log.trace("No GSSCredential delegated during authentication.");
                        }
                    } catch (SaslException e5) {
                        throw e5;
                    } catch (UnsupportedCallbackException | GSSException e6) {
                        // Deliberately ignored: delegated-credential delivery is best-effort and does not affect authentication.
                    }
                    negotiationComplete();
                }
                return acceptSecContext2;
            } catch (GSSException e7) {
                throw ElytronMessages.log.mechUnableToAcceptClientMessage(getMechanismName(), e7).toSaslException();
            }
        } catch (GSSException e8) {
            throw ElytronMessages.log.mechUnableToSetChannelBinding(getMechanismName(), e8).toSaslException();
        }
    }

    /**
     * Disposes the GSS context and drops the reference to it on every path (success, GSS failure or
     * any other throwable), so no context handle is retained after disposal.
     * <p>
     * NOTE(review): {@code gssContext} is {@code null} after this returns, so a second call would
     * fail with a {@link NullPointerException} rather than a {@link SaslException}.
     *
     * @throws SaslException if the GSS context reports an error while being disposed
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
        try {
            try {
                this.gssContext.dispose();
                this.gssContext = null;
            } catch (GSSException e) {
                throw ElytronMessages.log.mechUnableToDisposeGssContext(getMechanismName(), e).toSaslException();
            }
        } catch (Throwable th) {
            this.gssContext = null;
            throw th;
        }
    }

    /**
     * Re-wraps a header-less initial token in the GSS-API InitialContextToken framing (RFC 2743
     * section 3.1): an implicit [APPLICATION 0] tag ({@code 64} is the APPLICATION class, {@code 0}
     * the tag number) around a SEQUENCE of the mechanism OID's DER encoding followed by the inner
     * token bytes, which are written as-is.
     *
     * @param bArr the inner context token as received from the client (without the standard header)
     * @return the DER-framed token suitable for {@code acceptSecContext}
     * @throws ASN1Exception if the mechanism OID cannot be DER-encoded (wrapped {@link GSSException})
     */
    private byte[] restoreTokenHeader(byte[] bArr) throws ASN1Exception {
        ByteStringBuilder byteStringBuilder = new ByteStringBuilder();
        DEREncoder dEREncoder = new DEREncoder(byteStringBuilder);
        dEREncoder.encodeImplicit(64, 0);
        dEREncoder.startSequence();
        try {
            dEREncoder.writeEncoded(this.mechanism.getDER());
            dEREncoder.writeEncoded(bArr);
            dEREncoder.endSequence();
            return byteStringBuilder.toArray();
        } catch (GSSException e) {
            throw new ASN1Exception((Throwable) e);
        }
    }

    /**
     * Verifies that the authenticated peer (the context's source name) may act as the requested
     * authorization ID. An absent or empty authorization ID defaults to the peer's own name.
     * The decision is delegated to the callback handler through an {@link AuthorizeCallback};
     * a negative or unanswered decision fails the authentication.
     *
     * @throws SaslException if the peer is not authorized, or if the peer name cannot be determined
     */
    private void checkAuthorizationID() throws SaslException {
        try {
            String gSSName = this.gssContext.getSrcName().toString();
            ElytronMessages.log.tracef("checking if [%s] is authorized to act as [%s]...", gSSName, this.authorizationID);
            if (this.authorizationID == null || this.authorizationID.isEmpty()) {
                // No authzid requested: the authenticated identity acts as itself.
                this.authorizationID = gSSName;
            }
            AuthorizeCallback authorizeCallback = new AuthorizeCallback(gSSName, this.authorizationID);
            handleCallbacks(authorizeCallback);
            // Default is "not authorized" unless the handler explicitly sets it.
            if (!authorizeCallback.isAuthorized()) {
                throw ElytronMessages.log.mechAuthorizationFailed(getMechanismName(), gSSName, this.authorizationID).toSaslException();
            }
            ElytronMessages.log.trace("authorization id check successful");
        } catch (GSSException e) {
            throw ElytronMessages.log.mechUnableToDeterminePeerName(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Consumes the next byte, which must be the gs2-header field separator {@code ','} (44).
     *
     * @param byteIterator the iterator positioned at the expected delimiter
     * @throws SaslException if the next byte is not {@code ','}
     */
    private void skipDelimiter(ByteIterator byteIterator) throws SaslException {
        if (byteIterator.next() != 44) {
            throw ElytronMessages.log.mechInvalidMessageReceived(getMechanismName()).toSaslException();
        }
    }

    // Compiler-generated initializer for the assert support flag (decompiler output of `assert`).
    static {
        $assertionsDisabled = !Gs2SaslServer.class.desiredAssertionStatus();
    }
}
