package org.apache.wss4j.dom.message.token;

import java.io.IOException;
import java.security.Key;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.kerberos.KerberosClientExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosContext;
import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
import org.apache.wss4j.common.token.BinarySecurity;
import org.ietf.jgss.GSSCredential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/wss4j-ws-security-dom-2.2.2.jar:org/apache/wss4j/dom/message/token/KerberosSecurity.class */
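/**
 * A WS-Security BinarySecurityToken carrying a Kerberos v5 AP-REQ (optionally
 * GSS-wrapped) as defined by the OASIS Kerberos Token Profile 1.1.
 *
 * <p>On the client side {@link #retrieveServiceTicket} performs a JAAS login,
 * obtains a service ticket for the target SPN inside {@code Subject.doAs}, stores
 * the resulting token bytes via {@code setToken} and remembers the session key
 * (exposed through {@link #getSecretKey()}) so the caller can sign/encrypt with it.
 *
 * <p>On the receiving side the {@code (Element, BSPEnforcer)} constructor parses an
 * incoming token and enforces BSP rule R6902 (ValueType must be GSS_Kerberosv5_AP_REQ).
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@link #equals(Object)} and {@link #hashCode()} incorporate the secret key
 *       object; the hash of a {@code SecretKeySpec} is derived from the key bytes,
 *       so do not expose this object's hash code (e.g. in logs or identifiers).</li>
 *   <li>The JAAS {@code LoginContext} is never logged out here; the TGT and service
 *       ticket remain in the Subject for its lifetime. Callers that care about
 *       credential lifetime should handle that at a higher level.</li>
 *   <li>{@code secretKey} is not reset between calls to
 *       {@code retrieveServiceTicket}; if a second call yields no key, the previous
 *       call's key is retained. Reuse of one instance for several tickets is
 *       therefore not recommended.</li>
 * </ul>
 */
public class KerberosSecurity extends BinarySecurity {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) KerberosSecurity.class);

    // ValueType URIs from the OASIS Kerberos Token Profile 1.1 (raw and GSS-wrapped AP-REQ,
    // plus the RFC 1510 / RFC 4120 specific variants).
    private static final String KRB_V5_AP_REQ =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ";
    private static final String KRB_V5_AP_REQ1510 =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510";
    private static final String KRB_V5_AP_REQ4120 =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120";
    private static final String GSS_KRB_V5_AP_REQ =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
    private static final String GSS_KRB_V5_AP_REQ1510 =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510";
    private static final String GSS_KRB_V5_AP_REQ4120 =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120";

    /** Session key associated with the service ticket, or {@code null} if none was obtained. */
    private SecretKey secretKey;

    /**
     * Parses an incoming Kerberos BinarySecurityToken element.
     *
     * @param element the {@code wsse:BinarySecurityToken} element
     * @param bSPEnforcer BSP enforcer; rule R6902 is reported unless the ValueType is
     *                    exactly GSS_Kerberosv5_AP_REQ
     * @throws WSSecurityException from the superclass parse, or from the enforcer if
     *                             R6902 is not tolerated
     */
    public KerberosSecurity(Element element, BSPEnforcer bSPEnforcer) throws WSSecurityException {
        super(element, bSPEnforcer);
        if (!GSS_KRB_V5_AP_REQ.equals(getValueType())) {
            bSPEnforcer.handleBSPRule(BSPRule.R6902);
        }
    }

    /**
     * Creates an empty token to be populated via {@link #retrieveServiceTicket}.
     *
     * @param document owner document for the new element
     */
    public KerberosSecurity(Document document) {
        super(document);
    }

    /**
     * @return {@code true} if the ValueType is one of the raw (non-GSS) Kerberos v5 AP-REQ URIs
     */
    public boolean isV5ApReq() {
        String valueType = getValueType();
        return KRB_V5_AP_REQ.equals(valueType)
            || KRB_V5_AP_REQ1510.equals(valueType)
            || KRB_V5_AP_REQ4120.equals(valueType);
    }

    /**
     * @return {@code true} if the ValueType is one of the GSS-wrapped Kerberos v5 AP-REQ URIs
     */
    public boolean isGssV5ApReq() {
        String valueType = getValueType();
        return GSS_KRB_V5_AP_REQ.equals(valueType)
            || GSS_KRB_V5_AP_REQ1510.equals(valueType)
            || GSS_KRB_V5_AP_REQ4120.equals(valueType);
    }

    /**
     * Retrieves a service ticket, obtaining the JAAS context name and target service
     * name from the supplied callback handler.
     *
     * @param callbackHandler handler that must populate a
     *                        {@link KerberosContextAndServiceNameCallback}; it is also
     *                        passed on to the JAAS login
     * @throws WSSecurityException if the handler fails, leaves either name unset, or
     *                             the ticket retrieval fails
     */
    public void retrieveServiceTicket(CallbackHandler callbackHandler) throws WSSecurityException {
        KerberosContextAndServiceNameCallback callback = new KerberosContextAndServiceNameCallback();
        try {
            callbackHandler.handle(new Callback[]{callback});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }

        String contextName = callback.getContextName();
        if (contextName == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackContextNameNotSupplied");
        }
        String serviceName = callback.getServiceName();
        if (serviceName == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackServiceNameNotSupplied");
        }
        retrieveServiceTicket(contextName, callbackHandler, serviceName);
    }

    /**
     * Retrieves a service ticket with host-based service name form and no credential delegation.
     *
     * @see #retrieveServiceTicket(String, CallbackHandler, String, boolean, boolean, GSSCredential)
     */
    public void retrieveServiceTicket(String contextName, CallbackHandler callbackHandler, String serviceName)
        throws WSSecurityException {
        retrieveServiceTicket(contextName, callbackHandler, serviceName, false);
    }

    /**
     * Retrieves a service ticket with no credential delegation.
     *
     * @see #retrieveServiceTicket(String, CallbackHandler, String, boolean, boolean, GSSCredential)
     */
    public void retrieveServiceTicket(String contextName, CallbackHandler callbackHandler, String serviceName,
                                      boolean isUsernameServiceNameForm) throws WSSecurityException {
        retrieveServiceTicket(contextName, callbackHandler, serviceName, isUsernameServiceNameForm, false);
    }

    /**
     * Retrieves a service ticket using the credentials obtained by the JAAS login only.
     *
     * @see #retrieveServiceTicket(String, CallbackHandler, String, boolean, boolean, GSSCredential)
     */
    public void retrieveServiceTicket(String contextName, CallbackHandler callbackHandler, String serviceName,
                                      boolean isUsernameServiceNameForm, boolean requestCredDeleg)
        throws WSSecurityException {
        retrieveServiceTicket(contextName, callbackHandler, serviceName, isUsernameServiceNameForm,
                              requestCredDeleg, null);
    }

    /**
     * Performs a JAAS login under {@code contextName}, then obtains a Kerberos service
     * ticket for {@code serviceName} as the logged-in Subject. On success the AP-REQ
     * bytes are stored as this token's value, the session key is stored in
     * {@link #getSecretKey()} if one could be determined, and the ValueType is set to
     * GSS_Kerberosv5_AP_REQ if it was not already set.
     *
     * <p>The {@code KerberosContext} obtained from the privileged action is always
     * disposed, whether or not the action succeeds.
     *
     * @param contextName JAAS login configuration entry name
     * @param callbackHandler optional JAAS callback handler; if {@code null} the
     *                        LoginContext is created without one
     * @param serviceName target service principal name
     * @param isUsernameServiceNameForm passed to the client action (service name form flag)
     * @param requestCredDeleg passed to the client action (credential delegation flag)
     * @param delegatedCredential optional delegated GSS credential to use instead of
     *                            the login credentials; may be {@code null}
     * @throws WSSecurityException on login failure ("kerberosLoginError"), when the
     *                             Subject has no principals after login, or when the
     *                             ticket retrieval fails ("kerberosServiceTicketError")
     */
    public void retrieveServiceTicket(String contextName, CallbackHandler callbackHandler, String serviceName,
                                      boolean isUsernameServiceNameForm, boolean requestCredDeleg,
                                      GSSCredential delegatedCredential) throws WSSecurityException {
        Subject subject;
        Set<Principal> principals;
        try {
            LoginContext loginContext = callbackHandler == null
                ? new LoginContext(contextName)
                : new LoginContext(contextName, callbackHandler);
            loginContext.login();
            LOG.debug("Successfully authenticated to the TGT");
            subject = loginContext.getSubject();
            principals = subject.getPrincipals();
        } catch (LoginException e) {
            LOG.debug(e.getMessage(), e);
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, e, "kerberosLoginError", new Object[]{e.getMessage()});
        }

        if (principals.isEmpty()) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, "kerberosLoginError",
                new Object[]{"No Client principals found after login"});
        }

        // Remember whichever ticket the Subject already holds (presumably the TGT) so it can be
        // excluded when looking for the newly acquired service ticket below.
        KerberosTicket ticketBeforeRequest = getKerberosTicket(subject, null);
        decorateSubject(subject);

        // The Subject's principal set is unordered; the first one returned is used as the client
        // principal, as in the original implementation.
        Principal clientPrincipal = principals.iterator().next();
        KerberosClientExceptionAction action = new KerberosClientExceptionAction(
            clientPrincipal, serviceName, isUsernameServiceNameForm, requestCredDeleg,
            delegatedCredential, false, false);

        KerberosContext kerberosContext = null;
        try {
            kerberosContext = (KerberosContext) Subject.doAs(subject, action);

            // Prefer the key exported by the GSS context; fall back to the session key of the
            // service ticket that appeared in the Subject's private credentials.
            Key contextKey = kerberosContext.getSecretKey();
            if (contextKey != null) {
                this.secretKey = new SecretKeySpec(contextKey.getEncoded(), contextKey.getAlgorithm());
            } else {
                KerberosTicket serviceTicket = getKerberosTicket(subject, ticketBeforeRequest);
                if (serviceTicket != null) {
                    this.secretKey = serviceTicket.getSessionKey();
                }
            }

            if (this.secretKey == null) {
                LOG.debug("No secret key for kerberos was found");
            } else {
                LOG.debug("Successfully retrieved a secret key for kerberos");
            }

            setToken(kerberosContext.getKerberosToken());
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof WSSecurityException) {
                throw (WSSecurityException) cause;
            }
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError");
        } finally {
            // Release native/GSS resources exactly once, on both the success and failure paths.
            if (kerberosContext != null) {
                kerberosContext.dispose();
            }
        }

        LOG.debug("Successfully retrieved a service ticket");
        if ("".equals(getValueType())) {
            setValueType(GSS_KRB_V5_AP_REQ);
        }
    }

    /**
     * Hook for subclasses to modify the logged-in Subject before the service ticket is
     * requested. The default implementation does nothing.
     *
     * @param subject the Subject returned by the JAAS login
     */
    protected void decorateSubject(Subject subject) {
    }

    /**
     * Returns a KerberosTicket from the Subject's private credentials that is not
     * {@code equal} to {@code excluded}, or {@code null} if there is none.
     *
     * <p>Private credentials are an unordered set, so when more than one candidate
     * exists the one returned is not deterministic.
     *
     * @param subject the Subject to inspect
     * @param excluded a ticket to skip (typically the TGT), or {@code null} to accept any ticket
     * @return a matching ticket or {@code null}
     */
    private KerberosTicket getKerberosTicket(Subject subject, KerberosTicket excluded) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets == null || tickets.isEmpty()) {
            LOG.debug("Kerberos client subject private credentials are null");
            return null;
        }
        for (KerberosTicket candidate : tickets) {
            if (!candidate.equals(excluded)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * @return the session key obtained by {@link #retrieveServiceTicket}, or {@code null}
     *         if none has been retrieved
     */
    public SecretKey getSecretKey() {
        return this.secretKey;
    }

    /**
     * Tests whether a ValueType URI denotes any of the Kerberos Token Profile 1.1
     * AP-REQ token types (raw or GSS-wrapped, generic, RFC 1510 or RFC 4120).
     *
     * @param valueType ValueType attribute value; {@code null} yields {@code false}
     * @return {@code true} for a recognised Kerberos ValueType
     */
    public static boolean isKerberosToken(String valueType) {
        return KRB_V5_AP_REQ.equals(valueType)
            || GSS_KRB_V5_AP_REQ.equals(valueType)
            || KRB_V5_AP_REQ1510.equals(valueType)
            || GSS_KRB_V5_AP_REQ1510.equals(valueType)
            || KRB_V5_AP_REQ4120.equals(valueType)
            || GSS_KRB_V5_AP_REQ4120.equals(valueType);
    }

    /**
     * Two tokens are equal when their secret keys are both absent or equal and the
     * superclass considers them equal. Note that this compares key material.
     */
    @Override // org.apache.wss4j.common.token.BinarySecurity
    public boolean equals(Object obj) {
        if (!(obj instanceof KerberosSecurity)) {
            return false;
        }
        KerberosSecurity other = (KerberosSecurity) obj;
        if (this.secretKey == null) {
            if (other.secretKey != null) {
                return false;
            }
        } else if (!this.secretKey.equals(other.secretKey)) {
            return false;
        }
        return super.equals(obj);
    }

    /**
     * Hash consistent with {@link #equals(Object)}; incorporates the secret key's hash
     * code when present, so the value is key-dependent and should not be exposed.
     */
    @Override // org.apache.wss4j.common.token.BinarySecurity
    public int hashCode() {
        int result = 17;
        if (this.secretKey != null) {
            result = 17 * (31 + this.secretKey.hashCode());
        }
        return result * (31 + super.hashCode());
    }
}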
