package org.pac4j.kerberos.credentials.authenticator;

import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.pac4j.core.exception.BadCredentialsException;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.core.util.InitializableObject;
import org.springframework.core.io.Resource;

/* loaded from: input_file:org/pac4j/kerberos/credentials/authenticator/SunJaasKerberosTicketValidator.class */
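/**
 * Validates SPNEGO/Kerberos service tickets with the JDK's JAAS {@code Krb5LoginModule} and JGSS.
 *
 * <p>On initialisation the validator logs in as the configured service principal using the
 * configured keytab and keeps the resulting {@link Subject}. Each call to
 * {@link #validateTicket(byte[])} then accepts the client token inside
 * {@code Subject.doAs(serviceSubject, ...)}.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The keytab holds the service's long-term key; anyone who can read it can accept tickets
 *       as this service, so restrict its file permissions to the service account.</li>
 *   <li>The ticket bytes come from the client and must be treated as untrusted input.</li>
 *   <li>{@link #setDebug(boolean)} switches on the login module's {@code debug} option; keep it
 *       off in production unless the destination of that output is controlled.</li>
 * </ul>
 */
public class SunJaasKerberosTicketValidator extends InitializableObject implements KerberosTicketValidator {
    /** Offset inside the token at which {@link #tweakJdkRegression(byte[])} expects the two mechanism OIDs. */
    private static final int MECH_OID_OFFSET = 24;

    /** Length in bytes of one DER-encoded mechanism OID (tag, length, 9 value bytes). */
    private static final int MECH_OID_LENGTH = 11;

    /**
     * DER encoding of OID 1.2.840.48018.1.2.2 (Microsoft's legacy Kerberos OID) immediately
     * followed by OID 1.2.840.113554.1.2.2 (Kerberos V5). Values above 127 are narrowed to
     * {@code byte} when compared.
     */
    private static final int[] MS_KRB5_THEN_KRB5_OIDS = {
        6, 9, 42, 134, 72, 130, 247, 18, 1, 2, 2,
        6, 9, 42, 134, 72, 134, 247, 18, 1, 2, 2
    };

    private String servicePrincipal;
    private Resource keyTabLocation;
    // Subject obtained from the keytab login in internalInit(); used for every validation.
    private Subject serviceSubject;
    // When true the established GSSContext is handed to the caller undisposed.
    private boolean holdOnToGSSContext;
    private boolean debug = false;

    /**
     * Privileged action that accepts one client token and builds the validation result.
     * Runs under the service {@link Subject} so JGSS can find the service's keys.
     */
    private class KerberosValidateAction implements PrivilegedExceptionAction<KerberosTicketValidation> {
        private final byte[] kerberosTicket;

        public KerberosValidateAction(byte[] bArr) {
            this.kerberosTicket = bArr;
        }

        /**
         * Accepts the security context for the stored token.
         *
         * @return the validation result carrying the initiator name, the service principal, the
         *         response token and the GSS context (already disposed unless
         *         {@code holdOnToGSSContext} is set)
         * @throws Exception a {@link GSSException} from JGSS, or a {@link BadCredentialsException}
         *         when the initiator name cannot be determined
         */
        @Override
        public KerberosTicketValidation run() throws Exception {
            final GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            byte[] responseToken = new byte[0];
            GSSName initiator = null;
            try {
                byte[] token = this.kerberosTicket;
                boolean firstLeg = true;
                // NOTE(review): the same token is fed again if the context is not established after
                // one leg; presumably the provider rejects the replay with a GSSException. Confirm
                // that a multi-leg exchange cannot make this loop spin.
                while (!context.isEstablished()) {
                    if (firstLeg) {
                        token = SunJaasKerberosTicketValidator.tweakJdkRegression(token);
                        firstLeg = false;
                    }
                    responseToken = context.acceptSecContext(token, 0, token.length);
                    initiator = context.getSrcName();
                    if (initiator == null) {
                        throw new BadCredentialsException("GSSContext name of the context initiator is null");
                    }
                }
            } catch (Exception e) {
                // A rejected token must not leave a half-built context behind: the context is never
                // returned to the caller on this path, so release it here regardless of
                // holdOnToGSSContext.
                try {
                    context.dispose();
                } catch (GSSException ignored) {
                    // Keep the original failure; a dispose error adds nothing for the caller.
                }
                throw e;
            }
            if (initiator == null) {
                // Only reachable if the provider reports a brand-new context as established.
                throw new BadCredentialsException("GSSContext name of the context initiator is null");
            }
            final String initiatorName = initiator.toString();
            if (!SunJaasKerberosTicketValidator.this.holdOnToGSSContext) {
                // The result still references the context object, but it is disposed from here on.
                context.dispose();
            }
            return new KerberosTicketValidation(
                initiatorName, SunJaasKerberosTicketValidator.this.servicePrincipal, responseToken, context);
        }
    }

    /**
     * In-memory JAAS configuration: a single required {@code Krb5LoginModule} entry that logs in
     * from the keytab as an acceptor, without prompting.
     */
    private static class LoginConfig extends Configuration {
        private final String keyTabLocation;
        private final String servicePrincipalName;
        private final boolean debug;

        public LoginConfig(String str, String str2, boolean z) {
            this.keyTabLocation = str;
            this.servicePrincipalName = str2;
            this.debug = z;
        }

        /**
         * Returns the same single-entry configuration for every application name.
         *
         * @param str the JAAS application name (ignored)
         * @return one {@code REQUIRED} entry for {@code com.sun.security.auth.module.Krb5LoginModule}
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            HashMap<String, String> options = new HashMap<>();
            options.put("useKeyTab", "true");
            options.put("keyTab", this.keyTabLocation);
            options.put("principal", this.servicePrincipalName);
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
            if (this.debug) {
                options.put("debug", "true");
            }
            // Acceptor only: the service never initiates contexts with these credentials.
            options.put("isInitiator", "false");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options)
            };
        }
    }

    /**
     * Validates a client-supplied Kerberos/SPNEGO token as the configured service.
     *
     * @param bArr the raw token bytes received from the client (untrusted)
     * @return the validation result for an accepted token
     * @throws BadCredentialsException if the token is missing, empty, or rejected by JGSS
     */
    @Override // org.pac4j.kerberos.credentials.authenticator.KerberosTicketValidator
    public KerberosTicketValidation validateTicket(byte[] bArr) {
        init();
        if (bArr == null || bArr.length == 0) {
            // Fail as a credentials error instead of a NullPointerException inside the privileged action.
            throw new BadCredentialsException("Kerberos validation not successful");
        }
        try {
            return Subject.doAs(this.serviceSubject, new KerberosValidateAction(bArr));
        } catch (PrivilegedActionException e) {
            // Checked failures raised by the action arrive wrapped; keep the cause for diagnostics.
            throw new BadCredentialsException("Kerberos validation not successful", e);
        }
    }

    /**
     * Logs in from the keytab as the service principal and stores the resulting subject.
     *
     * @throws TechnicalException if the keytab URL cannot be resolved or the JAAS login fails
     */
    protected void internalInit() {
        try {
            CommonHelper.assertNotNull("servicePrincipal must be specified", this.servicePrincipal);
            CommonHelper.assertNotNull("keyTab must be specified", this.keyTabLocation);
            String keyTabPath = this.keyTabLocation.getURL().toExternalForm();
            // NOTE(review): only the "file:" scheme prefix is stripped; a URL-encoded path
            // (for example one containing %20) is passed on still encoded. Confirm keytab paths
            // used in deployment contain no characters that need decoding.
            if (keyTabPath.startsWith("file:")) {
                keyTabPath = keyTabPath.substring(5);
            }
            LoginConfig loginConfig = new LoginConfig(keyTabPath, this.servicePrincipal, this.debug);
            HashSet<KerberosPrincipal> principals = new HashSet<>(1);
            principals.add(new KerberosPrincipal(this.servicePrincipal));
            Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
            LoginContext loginContext = new LoginContext("", subject, (CallbackHandler) null, loginConfig);
            loginContext.login();
            this.serviceSubject = loginContext.getSubject();
        } catch (IOException | LoginException e) {
            throw new TechnicalException(e);
        }
    }

    /** Sets the Kerberos service principal name this validator accepts tickets for. */
    public void setServicePrincipal(String str) {
        this.servicePrincipal = str;
    }

    /** Sets the location of the keytab holding the service principal's key. */
    public void setKeyTabLocation(Resource resource) {
        this.keyTabLocation = resource;
    }

    /** Enables or disables the {@code debug} option of the Kerberos login module. */
    public void setDebug(boolean z) {
        this.debug = z;
    }

    /**
     * Controls whether the established GSS context is kept open in the validation result.
     * When {@code true}, the code consuming the result is responsible for disposing the context.
     */
    public void setHoldOnToGSSContext(boolean z) {
        this.holdOnToGSSContext = z;
    }

    /**
     * Reorders the two mechanism OIDs at a fixed position in the token when they appear as
     * "Microsoft legacy Kerberos OID, then Kerberos V5 OID", so the standard OID comes first.
     * Judging by its name this works around a JDK regression; any token that is shorter than
     * 48 bytes or does not match the exact byte pattern is returned unchanged.
     *
     * @param bArr the client token; may be {@code null}
     * @return the same array if nothing matched, otherwise a new array of equal length with the
     *         two 11-byte OIDs swapped
     * @throws GSSException declared for callers; the visible code does not raise it
     */
    private static byte[] tweakJdkRegression(byte[] bArr) throws GSSException {
        if (bArr == null || bArr.length < 48) {
            return bArr;
        }
        for (int i = 0; i < MS_KRB5_THEN_KRB5_OIDS.length; i++) {
            if (((byte) MS_KRB5_THEN_KRB5_OIDS[i]) != bArr[i + MECH_OID_OFFSET]) {
                return bArr;
            }
        }
        final int secondOidOffset = MECH_OID_OFFSET + MECH_OID_LENGTH;
        final int tailOffset = secondOidOffset + MECH_OID_LENGTH;
        byte[] swapped = new byte[bArr.length];
        System.arraycopy(bArr, 0, swapped, 0, MECH_OID_OFFSET);
        System.arraycopy(bArr, secondOidOffset, swapped, MECH_OID_OFFSET, MECH_OID_LENGTH);
        System.arraycopy(bArr, MECH_OID_OFFSET, swapped, secondOidOffset, MECH_OID_LENGTH);
        System.arraycopy(bArr, tailOffset, swapped, tailOffset, bArr.length - tailOffset);
        return swapped;
    }
}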
