package com.bea.security.utils.kerberos;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.security.utils.gss.GSSTokenUtils;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERGeneralString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import weblogic.nodemanager.common.Constants;
import weblogic.utils.Hex;

/* loaded from: input_file:com/bea/security/utils/kerberos/KerberosTokenUtils.class */
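/**
 * Static helpers for wrapping and unwrapping Kerberos AP-REQ tokens in the GSS-API
 * InitialContextToken framing, and for looking up the acceptor-side Kerberos configuration.
 *
 * <p>Every method that takes a token works on bytes supplied by the peer. None of them
 * verifies the token cryptographically, so their results are unauthenticated until a
 * {@link GSSContext} has accepted the token.
 *
 * <p>NOTE(review): when debug logging is enabled, several methods write the complete token
 * as a hex dump. An AP-REQ carries the service ticket and the authenticator, so debug logs
 * produced by this class should be handled and retained as sensitive data.
 */
public class KerberosTokenUtils {
    /** OID string passed to {@code GSSManager.createName} as the name type. */
    public static final String KRB5_MECH_NAME_OID = "1.2.840.113554.1.2.2.1";
    /** OID string of the Kerberos V5 GSS-API mechanism. */
    public static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";
    private static final String KRB5_ACCEPTOR_IBM = "com.ibm.security.jgss.krb5.accept";
    private static final String KRB5_ACCEPTOR_SUN = "com.sun.security.jgss.krb5.accept";
    /** Tag byte 0x60 ("Application Constructed Object") that opens an InitContextToken. */
    private static final int APPLICATION_CONSTRUCTED_TAG = 0x60;
    /** Two-byte token id (0x01, 0x00) that precedes the AP-REQ inside the InitContextToken. */
    private static final byte[] KRB_AP_REQ_TID = {1, 0};
    // Encoded Krb5 OID (0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02)
    // followed by the AP-REQ token id (0x01, 0x00). Left non-final and package-visible as
    // in the original; nothing in this class writes to it.
    static byte[] DER_KRB_AP_REQ = {6, 9, 42, -122, 72, -122, -9, 18, 1, 2, 2, 1, 0};

    private KerberosTokenUtils() {
    }

    /**
     * Wraps a raw Kerberos AP-REQ token into a GSS InitContextToken: Krb5 OID, AP-REQ token
     * id, the token itself, all framed by {@code GSSTokenUtils.encodeData} with tag 0x60.
     *
     * @param bArr raw AP-REQ token; must not be null or empty
     * @param loggerSpi optional logger; may be null
     * @return the encoded InitContextToken
     * @throws IllegalArgumentException if {@code bArr} is null or empty
     * @throws IOException if writing to the in-memory buffer fails
     */
    public static byte[] getGssInitContextToken(byte[] bArr, LoggerSpi loggerSpi) throws IOException {
        boolean z = loggerSpi != null && loggerSpi.isDebugEnabled();
        if (z) {
            loggerSpi.debug("Encoding GSS InitContextToken from KrbApReqToken...");
        }
        if (bArr == null || bArr.length < 1) {
            throw new IllegalArgumentException("Input KrbApReqToken is null or empty.");
        }
        // ByteArrayOutputStream holds no external resource and its close() has no effect,
        // so the buffer is not closed and no exception from close() has to be swallowed.
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        if (z) {
            loggerSpi.debug("Encoding Krb5 OID (0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02)...");
        }
        buffer.write(GSSTokenUtils.KERBEROS_V5_OID);
        if (z) {
            loggerSpi.debug("Encoding Krb AP Req Token ID (0x01, 0x00)...");
        }
        buffer.write(KRB_AP_REQ_TID);
        if (z) {
            // NOTE(review): writes the full AP-REQ to the debug log.
            loggerSpi.debug("Encoding Krb AP Req Token ( " + Hex.dump(bArr) + " )...");
        }
        buffer.write(bArr);
        if (z) {
            loggerSpi.debug("Encoding Application Constructed Object(0x60) and token length...");
        }
        byte[] encodeData = GSSTokenUtils.encodeData(APPLICATION_CONSTRUCTED_TAG, buffer.toByteArray());
        if (z) {
            loggerSpi.debug("Got GSS InitContextToken \n" + Hex.dump(encodeData));
        }
        return encodeData;
    }

    /**
     * Extracts the raw Kerberos AP-REQ token from a GSS InitContextToken.
     *
     * <p>The input is checked step by step: tag 0x60, a length read by
     * {@code GSSTokenUtils.decodeLength}, the Krb5 OID and the AP-REQ token id. The declared
     * length comes from the peer, so it is validated against the bytes that are actually
     * present before the result array is allocated.
     *
     * @param bArr InitContextToken bytes; must not be null or empty
     * @param loggerSpi optional logger; may be null
     * @return the AP-REQ token bytes
     * @throws IllegalArgumentException if {@code bArr} is null or empty
     * @throws IOException if the framing is malformed, the mechanism is not Kerberos, or
     *     the declared length does not fit the input
     */
    public static byte[] getKrbApReqToken(byte[] bArr, LoggerSpi loggerSpi) throws IOException {
        boolean z = loggerSpi != null && loggerSpi.isDebugEnabled();
        if (z) {
            loggerSpi.debug("Getting KrbApReqToken from GSS InitContextToken...");
        }
        if (bArr == null || bArr.length < 1) {
            throw new IllegalArgumentException("Input InitContextToken is null or empty.");
        }
        // ByteArrayInputStream.close() has no effect, so no close/finally is needed.
        ByteArrayInputStream in = new ByteArrayInputStream(bArr);
        if (in.read() != APPLICATION_CONSTRUCTED_TAG) {
            throw new IOException("Failed to read Application Constructed type tag.");
        }
        int declaredLength = GSSTokenUtils.decodeLength(in);
        if (declaredLength == -1) {
            throw new IOException("Failed to read token length.");
        }
        int oidLength = GSSTokenUtils.KERBEROS_V5_OID.length;
        byte[] oid = new byte[oidLength];
        if (in.read(oid) < oidLength) {
            throw new IOException("Failed to read Krb OID.");
        }
        if (!Arrays.equals(oid, GSSTokenUtils.KERBEROS_V5_OID)) {
            throw new IOException("Got non-Krb mech OID (" + Hex.dump(oid) + ")");
        }
        int tokenIdLength = KRB_AP_REQ_TID.length;
        byte[] tokenId = new byte[tokenIdLength];
        if (in.read(tokenId) < tokenIdLength) {
            throw new IOException("Failed to read Kbr AP REQ token Id.");
        }
        if (!Arrays.equals(tokenId, KRB_AP_REQ_TID)) {
            throw new IOException("Got non-Kbr AP REQ token Id (" + Hex.dump(tokenId) + ")");
        }
        int tokenLength = (declaredLength - oidLength) - tokenIdLength;
        // A declared length smaller than the two headers used to surface as an unchecked
        // NegativeArraySizeException; report it like every other malformed-token case.
        if (tokenLength < 0) {
            throw new IOException("Invalid token length (" + declaredLength + ").");
        }
        // Refuse to allocate more than the input can supply: the length field is
        // peer-controlled and would otherwise size the array on its own.
        if (tokenLength > in.available()) {
            throw new IOException("Failed to read Kbr AP REQ token.");
        }
        byte[] token = new byte[tokenLength];
        if (in.read(token) < tokenLength) {
            throw new IOException("Failed to read Kbr AP REQ token.");
        }
        if (z) {
            // NOTE(review): writes the full AP-REQ to the debug log.
            loggerSpi.debug("Got KrbApReqToken ( " + Hex.dump(token) + " )");
        }
        return token;
    }

    /**
     * Reads the service principal name ({@code name[/name...]@realm}) out of a token by
     * locating the Krb5 OID / AP-REQ marker and parsing the ASN.1 structure that follows.
     *
     * <p>The value is taken from the token as received; this method performs no
     * cryptographic check, so the result is chosen by whoever sent the token. It is
     * suitable for selecting which acceptor credential to try, not as proof of identity.
     *
     * @param bArr token bytes to search; a null array yields null
     * @param loggerSpi optional logger; may be null
     * @return the principal string, or null if the marker is absent or parsing fails
     */
    public static String extractServicePrincipalFromToken(byte[] bArr, LoggerSpi loggerSpi) {
        boolean z = loggerSpi != null && loggerSpi.isDebugEnabled();
        int positionOfKrbApReq = getPositionOfKrbApReq(bArr);
        if (positionOfKrbApReq < 0) {
            return null;
        }
        try {
            // NOTE(review): the ASN.1 navigation below is kept exactly as decompiled. The
            // decompiler appears to have dropped casts (untag() returns ASN1Primitive), so
            // the intermediate types must be restored against the BouncyCastle version in
            // use. Index 3 of the outer sequence and indices 1 and 2 of the inner one line
            // up with the ticket, realm and sname fields of RFC 4120 -- presumably that is
            // what is read here; confirm.
            ASN1Sequence object = untag(new ASN1InputStream(Arrays.copyOfRange(bArr, positionOfKrbApReq, bArr.length)).readObject().getObject().getObjectAt(3)).getObject();
            String dERGeneralString = untag(object.getObjectAt(1)).toString();
            StringBuilder sb = new StringBuilder();
            DERSequence untag = untag(object.getObjectAt(2));
            for (int i = 0; i < untag.size(); i++) {
                DERSequence untag2 = untag(untag.getObjectAt(i));
                if (untag2 instanceof DERSequence) {
                    Enumeration<?> objects = untag2.getObjects();
                    while (objects.hasMoreElements()) {
                        // Name components are joined with '/'.
                        if (sb.length() > 0) {
                            sb.append("/");
                        }
                        sb.append(((DERGeneralString) objects.nextElement()).toString());
                    }
                }
            }
            return sb.append("@").append(dERGeneralString).toString();
        } catch (Exception e) {
            // Any parse failure (malformed ASN.1, unexpected types, short input) means
            // "no principal found"; it is reported only at debug level.
            if (z) {
                loggerSpi.debug("catch exception while parsing principal name from the SPNEGO token.", e);
            }
            return null;
        }
    }

    /**
     * Creates an accept-only Kerberos {@link GSSContext} for the given service name.
     *
     * @param gSSManager manager used to create the name, credential and context
     * @param str service principal name; null yields null
     * @param loggerSpi optional logger; may be null
     * @return the context, or null if {@code str} is null or a {@link GSSException} occurs
     */
    public static GSSContext getAcceptGSSContextForService(GSSManager gSSManager, String str, LoggerSpi loggerSpi) {
        boolean z = loggerSpi != null && loggerSpi.isDebugEnabled();
        if (str == null) {
            return null;
        }
        try {
            // DEFAULT_LIFETIME and ACCEPT_ONLY are the named forms of the literals 0 and 2
            // used by the original call.
            return gSSManager.createContext(
                    gSSManager.createCredential(
                            gSSManager.createName(str, new Oid(KRB5_MECH_NAME_OID)),
                            org.ietf.jgss.GSSCredential.DEFAULT_LIFETIME,
                            new Oid(KRB5_MECH_OID),
                            org.ietf.jgss.GSSCredential.ACCEPT_ONLY));
        } catch (GSSException e) {
            if (z) {
                loggerSpi.debug("Failed to create GSSContext for " + str, e);
            }
            return null;
        }
    }

    /**
     * Reports whether the first security provider registered for the Kerberos V5 GSS-API
     * mechanism has a name starting with {@code Constants.IBM_VENDOR}.
     *
     * @return true only if such a provider exists and its name has that prefix
     */
    public static boolean isIBMProvider() {
        Provider[] providers = Security.getProviders("GssApiMechanism." + KRB5_MECH_OID);
        // Guard the index as well as the reference so an empty result cannot throw.
        return providers != null
                && providers.length > 0
                && providers[0].getName().startsWith(Constants.IBM_VENDOR);
    }

    /**
     * Collects the {@code principal} option of every configured login module whose class
     * name contains {@code Krb5LoginModule}, from the JAAS entry used by the Kerberos
     * acceptor (IBM or Sun entry name, chosen via {@link #isIBMProvider()}).
     *
     * @param loggerSpi optional logger; may be null
     * @return a mutable list of principals; empty if none are configured or the
     *     configuration cannot be read
     */
    public static List<String> getConfigedPrincipals(LoggerSpi loggerSpi) {
        boolean z = loggerSpi != null && loggerSpi.isDebugEnabled();
        List<String> principals = new ArrayList<String>(0);
        try {
            String entryName = isIBMProvider() ? KRB5_ACCEPTOR_IBM : KRB5_ACCEPTOR_SUN;
            AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(entryName);
            if (entries != null) {
                for (AppConfigurationEntry entry : entries) {
                    String loginModuleName = entry.getLoginModuleName();
                    // "> 0" is kept from the original: a name that *starts* with
                    // "Krb5LoginModule" (no package prefix) is not matched.
                    if (loginModuleName == null || loginModuleName.indexOf("Krb5LoginModule") <= 0) {
                        continue;
                    }
                    String principal = (String) entry.getOptions().get("principal");
                    if (principal != null) {
                        principals.add(principal);
                    }
                }
            }
        } catch (Exception e) {
            // Best effort: an unreadable configuration yields whatever was collected so far.
            if (z) {
                loggerSpi.debug("Failed to read system's krb5 login module information.", e);
            }
        }
        return principals;
    }

    /**
     * Finds the first occurrence of {@link #DER_KRB_AP_REQ} that is followed by at least
     * one more byte.
     *
     * <p>This is a plain byte search over the whole buffer, not an ASN.1 parse: the first
     * matching byte run wins wherever it appears in the input.
     *
     * @param bArr buffer to search; may be null
     * @return the index just past the marker, or -1 if the buffer is null or holds no such
     *     occurrence
     */
    private static int getPositionOfKrbApReq(byte[] bArr) {
        if (bArr == null) {
            return -1;
        }
        int patternLength = DER_KRB_AP_REQ.length;
        // A usable match needs i + patternLength < bArr.length, so later start positions
        // can never succeed.
        int limit = bArr.length - patternLength;
        for (int i = 0; i < limit; i++) {
            if (bArr[i] != DER_KRB_AP_REQ[0]) {
                continue;
            }
            int matched = 1;
            while (matched < patternLength && bArr[i + matched] == DER_KRB_AP_REQ[matched]) {
                matched++;
            }
            if (matched == patternLength) {
                return i + patternLength;
            }
        }
        return -1;
    }

    /**
     * Returns the object carried by a {@link DERTaggedObject}, or the primitive form of any
     * other encodable.
     */
    private static ASN1Primitive untag(ASN1Encodable aSN1Encodable) {
        if (aSN1Encodable instanceof DERTaggedObject) {
            return ((DERTaggedObject) aSN1Encodable).getObject();
        }
        return aSN1Encodable.toASN1Primitive();
    }
}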
