package org.wildfly.security.sasl.gs2;

import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.wildfly.common.Assert;
import org.wildfly.common.bytes.ByteStringBuilder;
import org.wildfly.security.asn1.DERDecoder;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.credential.GSSKerberosCredential;
import org.wildfly.security.manager.action.SetContextClassLoaderAction;
import org.wildfly.security.manager.action.SetContextClassLoaderFromClassAction;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.sasl.WildFlySasl;
import org.wildfly.security.sasl.util.AbstractSaslClient;
import org.wildfly.security.sasl.util.StringPrep;
import shaded.org.infinispan.protostream.annotations.ProtoReserved;

/* loaded from: input_file:org/wildfly/security/sasl/gs2/Gs2SaslClient.class */
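/**
 * SASL client for the GS2 family of mechanisms (RFC 5801), which carries a GSS-API
 * context establishment inside a SASL exchange.
 * <p>
 * The first client message is the RFC 5801 gs2-header (channel-binding flag and optional
 * authorization identity) followed by the initial GSS context token with its RFC 2743
 * framing stripped; later messages relay raw context tokens. The negotiation is only
 * reported complete once the context is established <em>and</em> the acceptor has
 * authenticated itself (mutual authentication), so a server that merely consumes the
 * client token is not accepted.
 * <p>
 * Instances are not thread-safe; one instance drives one negotiation.
 */
final class Gs2SaslClient extends AbstractSaslClient {
    /** Negotiation state: waiting for the (empty) initial server challenge. */
    private static final int ST_INITIAL_CHALLENGE = 1;
    /** Negotiation state: exchanging GSS context tokens until the context is established. */
    private static final int ST_CHALLENGE_RESPONSE = 2;

    /** ASN.1 identifier-octet bit for the APPLICATION class. */
    private static final int APPLICATION_SPECIFIC_MASK = 0x40;
    /** ASN.1 identifier-octet bit for a constructed encoding. */
    private static final int CONSTRUCTED_MASK = 0x20;
    /** First octet of an RFC 2743 section 3.1 InitialContextToken: constructed [APPLICATION 0]. */
    private static final int INITIAL_CONTEXT_TOKEN_TAG = APPLICATION_SPECIFIC_MASK | CONSTRUCTED_MASK;

    /**
     * StringPrep flag mask applied to the authorization identity in the gs2-header.
     * Kept as the literal value recovered by decompilation so the encoded header is
     * byte-identical. NOTE(review): the original source presumably expressed this with
     * named {@link StringPrep} profile flags; confirm before changing it.
     */
    private static final long AUTHZID_STRINGPREP_FLAGS = 2147500031L;

    /** {@code true} for the "-PLUS" variant, which binds the exchange to {@link #bindingData}. */
    private final boolean plus;
    /** Channel binding data supplied by the caller, or {@code null} when none is available. */
    private final byte[] bindingData;
    /** Channel binding type name, sent as {@code p=<type>} in the PLUS variant. */
    private final String bindingType;
    /** GSS-API mechanism OID derived from the SASL mechanism name. */
    private final Oid mechanism;
    /** Initiator-side security context; cleared by {@link #dispose()}. */
    private GSSContext gssContext;
    /** The gs2-header without the optional leading "F," non-standard flag. */
    private ByteStringBuilder gs2HeaderExcludingNonStdFlag;

    /**
     * Creates a GS2 SASL client and prepares (but does not start) its GSS-API context.
     *
     * @param mechanismName   the SASL mechanism name (used to select the GSS mechanism OID)
     * @param protocol        the protocol name, used for the acceptor's host-based service name
     * @param serverName      the server host name, used for the acceptor's host-based service name
     * @param callbackHandler the callback handler, asked for an optional {@link GSSKerberosCredential}
     * @param authorizationId the authorization identity to request, or {@code null}
     * @param props           SASL properties; {@link WildFlySasl#GS2_DELEGATE_CREDENTIAL} is honoured
     * @param gssManager      the GSS manager used to build names and the context
     * @param plus            whether this is the "-PLUS" (channel-binding) variant
     * @param bindingType     the channel binding type name
     * @param bindingData     the channel binding data, or {@code null} if unavailable
     * @throws SaslException if the OID mapping, acceptor name, context, request flags or
     *                       channel binding cannot be set up
     */
    Gs2SaslClient(final String mechanismName, final String protocol, final String serverName,
                  final CallbackHandler callbackHandler, final String authorizationId,
                  final Map<String, ?> props, final GSSManager gssManager, final boolean plus,
                  final String bindingType, final byte[] bindingData) throws SaslException {
        super(mechanismName, protocol, serverName, callbackHandler, authorizationId, true, ElytronMessages.saslGs2);
        this.plus = plus;
        this.bindingType = bindingType;
        this.bindingData = bindingData;

        final Oid mechanismOid;
        try {
            mechanismOid = Gs2.getMechanismForSaslName(gssManager, mechanismName);
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechMechanismToOidMappingFailed(e).toSaslException();
        }
        this.mechanism = mechanismOid;

        final GSSName acceptorName;
        try {
            acceptorName = gssManager.createName(protocol + "@" + serverName, GSSName.NT_HOSTBASED_SERVICE, mechanismOid);
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechUnableToCreateNameForAcceptor(e).toSaslException();
        }

        // null means "use the default initiator principal of the GSS provider".
        final GSSCredential credential = obtainInitiatorCredential();

        try {
            this.gssContext = gssManager.createContext(acceptorName, mechanismOid, credential, GSSContext.INDEFINITE_LIFETIME);
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechUnableToCreateGssContext(e).toSaslException();
        }

        try {
            gssContext.requestCredDeleg(shouldDelegateCredential(props, credential));
            // Mutual authentication is mandatory: evaluateMessage() refuses to complete
            // the negotiation unless the acceptor proved its identity.
            gssContext.requestMutualAuth(true);
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechUnableToSetGssContextRequestFlags(e).toSaslException();
        }

        this.gs2HeaderExcludingNonStdFlag = createGs2HeaderExcludingNonStdFlag();
        try {
            // The gs2-header is always part of the channel bindings; the caller's binding
            // data is presumably only folded in for the PLUS variant (second argument).
            gssContext.setChannelBinding(Gs2Util.createChannelBinding(
                    gs2HeaderExcludingNonStdFlag.toArray(), bindingData != null && plus, bindingData));
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechUnableToSetChannelBinding(e).toSaslException();
        }
    }

    /**
     * Asks the callback handler for an explicit {@link GSSKerberosCredential}.
     *
     * @return the initiator credential, or {@code null} if the handler offered none or
     *         does not support the callback (the GSS provider then uses its default)
     * @throws SaslException if the callback handler fails
     */
    private GSSCredential obtainInitiatorCredential() throws SaslException {
        final CredentialCallback credentialCallback = new CredentialCallback(GSSKerberosCredential.class);
        try {
            tryHandleCallbacks(credentialCallback);
        } catch (UnsupportedCallbackException e) {
            // Not an error: the handler simply has no credential to offer.
            ElytronMessages.saslGs2.trace("Unable to obtain GSSCredential, ignored (act as the default initiator principal instead)", e);
            return null;
        }
        return credentialCallback.applyToCredential(GSSKerberosCredential.class, GSSKerberosCredential::getGssCredential);
    }

    /**
     * Decides whether to request credential delegation, i.e. forwarding the initiator's
     * credential to the acceptor so the server can act on the client's behalf.
     * <p>
     * An explicit {@link WildFlySasl#GS2_DELEGATE_CREDENTIAL} property wins; without it,
     * delegation is requested only when the caller supplied an explicit credential.
     *
     * @param props      the SASL properties, may be {@code null}
     * @param credential the credential obtained from the callback handler, or {@code null}
     * @return {@code true} to request delegation
     */
    private static boolean shouldDelegateCredential(final Map<String, ?> props, final GSSCredential credential) {
        if (props != null && props.containsKey(WildFlySasl.GS2_DELEGATE_CREDENTIAL)) {
            return Boolean.parseBoolean((String) props.get(WildFlySasl.GS2_DELEGATE_CREDENTIAL));
        }
        return credential != null;
    }

    /**
     * Disposes the GSS context. Safe to call more than once; the context reference is
     * dropped even if the provider fails to dispose it, so it cannot be reused afterwards.
     *
     * @throws SaslException if the GSS provider reports an error while disposing
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
        final GSSContext context = gssContext;
        if (context == null) {
            return; // already disposed
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            throw ElytronMessages.saslGs2.mechUnableToDisposeGssContext(e).toSaslException();
        } finally {
            gssContext = null;
        }
    }

    /** Resets the negotiation to wait for the initial (empty) challenge. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(ST_INITIAL_CHALLENGE);
    }

    /**
     * Produces the next client message for the given negotiation state.
     * <p>
     * In {@link #ST_INITIAL_CHALLENGE} the server challenge must be empty and the reply is
     * the gs2-header plus the reframed initial context token. In
     * {@link #ST_CHALLENGE_RESPONSE} the challenge is fed to the context and the resulting
     * token (possibly {@code null}) is returned; the negotiation completes only when the
     * context is established with mutual authentication.
     *
     * @param state   the current negotiation state
     * @param message the server challenge
     * @return the client response token
     * @throws SaslException if the challenge is malformed, the context fails, or the
     *                       acceptor did not authenticate itself
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(final int state, final byte[] message) throws SaslException {
        switch (state) {
            case ST_INITIAL_CHALLENGE: {
                assert !gssContext.isEstablished();
                if (message != null && message.length != 0) {
                    throw ElytronMessages.saslGs2.mechInitialChallengeMustBeEmpty().toSaslException();
                }
                try {
                    final byte[] initialToken = initSecContext(gssContext, NO_BYTES, 0, 0);
                    // A single round trip can never establish a mutually authenticated context.
                    assert !gssContext.isEstablished();
                    setNegotiationState(ST_CHALLENGE_RESPONSE);
                    return modifyInitialContextToken(initialToken);
                } catch (GSSException e) {
                    throw ElytronMessages.saslGs2.mechUnableToCreateResponseTokenWithCause(e).toSaslException();
                }
            }
            case ST_CHALLENGE_RESPONSE: {
                assert !gssContext.isEstablished();
                // A missing challenge is handed to the provider as an empty token rather
                // than dereferenced here, so it surfaces as a GSS/SASL error.
                final byte[] challenge = message == null ? NO_BYTES : message;
                try {
                    final byte[] responseToken = initSecContext(gssContext, challenge, 0, challenge.length);
                    if (gssContext.isEstablished()) {
                        // Without mutual authentication the client has no proof of who the
                        // acceptor is; refuse to treat the exchange as successful.
                        if (!gssContext.getMutualAuthState()) {
                            throw ElytronMessages.saslGs2.mechMutualAuthenticationNotEnabled().toSaslException();
                        }
                        negotiationComplete();
                    }
                    return responseToken;
                } catch (GSSException e) {
                    throw ElytronMessages.saslGs2.mechUnableToCreateResponseTokenWithCause(e).toSaslException();
                }
            }
            default:
                throw Assert.impossibleSwitchCase(state);
        }
    }

    /**
     * Builds the RFC 5801 gs2-header without the "F," flag:
     * {@code gs2-cb-flag "," [gs2-authzid] ","}.
     * <p>
     * The channel-binding flag is {@code n} when no binding data is available, {@code y}
     * when data is available but this is the non-PLUS variant (lets a server that
     * advertised PLUS detect a downgrade), and {@code p=<type>} for the PLUS variant.
     *
     * @return the header bytes, also used as input to the channel bindings
     */
    private ByteStringBuilder createGs2HeaderExcludingNonStdFlag() {
        final ByteStringBuilder header = new ByteStringBuilder();
        if (bindingData == null) {
            header.append("n,");
        } else if (plus) {
            header.append("p=");
            header.append(bindingType);
            header.append(',');
        } else {
            header.append("y,");
        }
        final String authorizationId = getAuthorizationId();
        if (authorizationId != null) {
            header.append("a=");
            StringPrep.encode(authorizationId, header, AUTHZID_STRINGPREP_FLAGS);
        }
        header.append(",");
        return header;
    }

    /**
     * Turns the first GSS context token into the GS2 initial client response.
     * <p>
     * If the token carries the RFC 2743 section 3.1 InitialContextToken framing
     * ({@code [APPLICATION 0]} header and mechanism OID) that framing is removed and the
     * embedded OID must match the negotiated mechanism. Otherwise the mechanism is
     * treated as non-standard and the header is prefixed with {@code F,}.
     *
     * @param token the initial context token from the GSS provider
     * @return gs2-header followed by the (unframed) token
     * @throws GSSException with {@link GSSException#DEFECTIVE_TOKEN} if the token is empty
     *                      or its embedded OID does not match {@link #mechanism}
     */
    private byte[] modifyInitialContextToken(final byte[] token) throws GSSException {
        if (token == null || token.length == 0) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        final boolean nonStandard;
        final byte[] innerToken;
        if (token[0] == INITIAL_CONTEXT_TOKEN_TAG) {
            final DERDecoder decoder = new DERDecoder(token);
            decoder.decodeImplicit(APPLICATION_SPECIFIC_MASK, 0);
            decoder.startSequence();
            // An OID other than the negotiated mechanism means a mismatched or
            // mangled token; never forward it under this mechanism's header.
            if (!mechanism.equals(new Oid(decoder.decodeObjectIdentifier()))) {
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            innerToken = decoder.drain();
            nonStandard = false;
        } else {
            innerToken = token;
            nonStandard = true;
        }
        final ByteStringBuilder response = new ByteStringBuilder();
        if (nonStandard) {
            response.append("F,");
        }
        response.append(gs2HeaderExcludingNonStdFlag);
        response.append(innerToken);
        return response.toArray();
    }

    /**
     * Calls {@link GSSContext#initSecContext(byte[], int, int)} with the thread context
     * class loader temporarily switched to this class's loader (presumably so the GSS
     * provider resolves against the mechanism's own loader), restoring the previous
     * loader even when the call throws.
     *
     * @param context    the initiator context
     * @param inputToken the peer token, or an empty array for the first call
     * @param offset     offset of the token within {@code inputToken}
     * @param length     length of the token
     * @return the output token from the provider, may be {@code null}
     * @throws GSSException if the provider fails
     */
    private static byte[] initSecContext(final GSSContext context, final byte[] inputToken,
                                         final int offset, final int length) throws GSSException {
        final ClassLoader previousLoader = doPrivileged(new SetContextClassLoaderFromClassAction(Gs2SaslClient.class));
        try {
            return context.initSecContext(inputToken, offset, length);
        } finally {
            doPrivileged(new SetContextClassLoaderAction(previousLoader));
        }
    }

    /**
     * Runs the action under {@link AccessController#doPrivileged} only when a security
     * manager is installed; otherwise invokes it directly.
     *
     * @param action the action to run
     * @param <T>    the action's result type
     * @return the action's result
     */
    private static <T> T doPrivileged(final PrivilegedAction<T> action) {
        return System.getSecurityManager() != null ? AccessController.doPrivileged(action) : action.run();
    }
}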
