package com.sun.security.sasl.gsskerb;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Map;
import java.util.logging.Level;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import sun.security.krb5.PrincipalName;

/* loaded from: input_file:jre/lib/rt.jar:com/sun/security/sasl/gsskerb/GssKrb5Server.class */
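/**
 * Server side of the SASL GSSAPI (Kerberos V5) mechanism, recovered from a
 * decompiled class file.
 *
 * <p>The exchange is driven through {@link #evaluateResponse(byte[])} and
 * tracked in {@code handshakeStage}:
 * <ul>
 *   <li>stage 0: client tokens are fed to {@code acceptSecContext} until the
 *       GSS context is established;</li>
 *   <li>stage 1: the server sends a wrapped 4-octet challenge holding its
 *       protection bit-mask and its maximum receive buffer size;</li>
 *   <li>stage 2: the server unwraps the client's selection (protection
 *       bit-mask, client buffer size, optional authorization id) and asks the
 *       {@link CallbackHandler} to authorize it.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The authorization id is supplied by the peer. It is only trusted
 *       after the {@link AuthorizeCallback} reports it as authorized, and the
 *       value kept afterwards is the one returned by the callback.</li>
 *   <li>At {@code Level.FINER} the raw GSS tokens and handshake octets are
 *       passed to {@code traceOutput}; treat logs captured at that level as
 *       sensitive.</li>
 * </ul>
 */
final class GssKrb5Server extends GssKrb5Base implements SaslServer {
    private static final String MY_CLASS_NAME = GssKrb5Server.class.getName();

    /** Bit in the first handshake octet that selects integrity protection. */
    private static final int QOP_INTEGRITY_BIT = 2;

    /** Bit in the first handshake octet that selects privacy (and integrity). */
    private static final int QOP_PRIVACY_BIT = 4;

    /** One octet of protection bits followed by three octets of buffer size. */
    private static final int HANDSHAKE_HEADER_LENGTH = 4;

    private int handshakeStage;
    private String peer;
    private String me;
    private String authzid;
    private CallbackHandler cbh;
    private final String protocolSaved;

    /**
     * Creates the acceptor-side security context.
     *
     * <p>The decompiler reports that this constructor was package-private in
     * the class file; the modifier is left as it appears in the listing.
     *
     * @param str protocol part of the service name
     * @param str2 server name, or {@code null} to create the credential
     *     without a name; in that case the protocol is remembered and checked
     *     against the established context's target name later
     * @param map mechanism properties, handed to the base class
     * @param callbackHandler handler asked to authorize the peer at the end
     *     of the exchange
     * @throws SaslException if the GSS credential or context cannot be created
     */
    public GssKrb5Server(String str, String str2, Map<String, ?> map, CallbackHandler callbackHandler) throws SaslException {
        super(map, MY_CLASS_NAME);
        this.handshakeStage = 0;
        this.cbh = callbackHandler;

        final String serviceName;
        if (str2 == null) {
            this.protocolSaved = str;
            serviceName = null;
        } else {
            this.protocolSaved = null;
            serviceName = str + PrincipalName.NAME_REALM_SEPARATOR_STR + str2;
        }
        logger.log(Level.FINE, "KRB5SRV01:Using service name: {0}", serviceName);

        try {
            GSSManager manager = GSSManager.getInstance();
            GSSName acceptorName = serviceName == null
                    ? null
                    : manager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE, KRB5_OID);
            // Usage 2 is GSSCredential.ACCEPT_ONLY; Integer.MAX_VALUE is
            // GSSCredential.INDEFINITE_LIFETIME.
            this.secCtx = manager.createContext(
                    manager.createCredential(acceptorName, Integer.MAX_VALUE, KRB5_OID, 2));
            if ((this.allQop & QOP_INTEGRITY_BIT) != 0) {
                this.secCtx.requestInteg(true);
            }
            if ((this.allQop & QOP_PRIVACY_BIT) != 0) {
                this.secCtx.requestConf(true);
            }
            logger.log(Level.FINE, "KRB5SRV02:Initialization complete");
        } catch (GSSException e) {
            throw new SaslException("Failure to initialize security context", e);
        }
    }

    /**
     * Processes one client response and returns the next challenge.
     *
     * @param bArr response received from the client
     * @return the next challenge, or {@code null} when there is none
     * @throws SaslException if authentication already completed or the
     *     current step fails
     */
    @Override // javax.security.sasl.SaslServer
    public byte[] evaluateResponse(byte[] bArr) throws SaslException {
        if (this.completed) {
            throw new SaslException("SASL authentication already complete");
        }
        if (logger.isLoggable(Level.FINER)) {
            traceOutput(MY_CLASS_NAME, "evaluateResponse", "KRB5SRV03:Response [raw]:", bArr);
        }
        switch (this.handshakeStage) {
            case 1:
                return doHandshake1(bArr);
            case 2:
                return doHandshake2(bArr);
            default:
                return acceptContextToken(bArr);
        }
    }

    /**
     * Stage 0: feeds a client token to the GSS context.
     *
     * <p>The stage advances only after the target-name protocol check has
     * passed, so a rejected context does not leave this object ready for the
     * protection-layer handshake if a caller keeps using it after the
     * exception.
     */
    private byte[] acceptContextToken(byte[] token) throws SaslException {
        if (token == null) {
            // Report a missing token as a mechanism failure rather than a
            // NullPointerException.
            throw new SaslException("GSS initiate failed: no response data");
        }
        try {
            byte[] reply = this.secCtx.acceptSecContext(token, 0, token.length);
            if (logger.isLoggable(Level.FINER)) {
                traceOutput(MY_CLASS_NAME, "evaluateResponse", "KRB5SRV04:Challenge: [after acceptSecCtx]", reply);
            }
            if (!this.secCtx.isEstablished()) {
                return reply;
            }
            this.peer = this.secCtx.getSrcName().toString();
            this.me = this.secCtx.getTargName().toString();
            logger.log(Level.FINE, "KRB5SRV05:Peer name is : {0}, my name is : {1}", new Object[]{this.peer, this.me});
            // When no server name was configured, the context's target name
            // must still begin with the expected protocol.
            if (this.protocolSaved != null && !this.protocolSaved.equalsIgnoreCase(this.me.split("[/@]")[0])) {
                throw new SaslException("GSS context targ name protocol error: " + this.me);
            }
            this.handshakeStage = 1;
            // With no final token to deliver, go straight to the first
            // handshake challenge.
            return reply == null ? doHandshake1(EMPTY) : reply;
        } catch (GSSException e) {
            throw new SaslException("GSS initiate failed", e);
        }
    }

    /**
     * Stage 1: builds and wraps the server's protection-layer offer.
     *
     * @param bArr client response; must be {@code null} or empty
     * @return the wrapped 4-octet challenge
     * @throws SaslException if the client sent data or wrapping fails
     */
    private byte[] doHandshake1(byte[] bArr) throws SaslException {
        if (bArr != null && bArr.length > 0) {
            throw new SaslException("Handshake expecting no response data from server");
        }
        // The decompiled listing left wrap() outside the try block; the catch
        // below only makes sense around it.
        try {
            byte[] challenge = new byte[HANDSHAKE_HEADER_LENGTH];
            challenge[0] = this.allQop;
            intToNetworkByteOrder(this.recvMaxBufSize, challenge, 1, 3);
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "KRB5SRV06:Supported protections: {0}; recv max buf size: {1}", new Object[]{Byte.valueOf(this.allQop), Integer.valueOf(this.recvMaxBufSize)});
            }
            this.handshakeStage = 2;
            if (logger.isLoggable(Level.FINER)) {
                traceOutput(MY_CLASS_NAME, "doHandshake1", "KRB5SRV07:Challenge [raw]", challenge);
            }
            byte[] wrapped = this.secCtx.wrap(challenge, 0, challenge.length, new MessageProp(0, false));
            if (logger.isLoggable(Level.FINER)) {
                traceOutput(MY_CLASS_NAME, "doHandshake1", "KRB5SRV08:Challenge [after wrap]", wrapped);
            }
            return wrapped;
        } catch (GSSException e) {
            throw new SaslException("Problem wrapping handshake1", e);
        }
    }

    /**
     * Stage 2: validates the client's selection and authorizes the peer.
     *
     * <p>Failures raised by this step itself (short message, unsupported
     * protection, undecodable or unauthorized authzid) keep their own
     * messages. Only errors coming out of the callback handler are reported
     * as "Problem with callback handler".
     *
     * @param bArr wrapped client response
     * @return always {@code null}; no further challenge is sent
     * @throws SaslException if the response is malformed, selects an
     *     unsupported protection, or the peer is not authorized
     */
    private byte[] doHandshake2(byte[] bArr) throws SaslException {
        if (bArr == null) {
            throw new SaslException("Final handshake step failed: no response data");
        }
        byte[] response;
        try {
            response = this.secCtx.unwrap(bArr, 0, bArr.length, new MessageProp(0, false));
        } catch (GSSException e) {
            throw new SaslException("Final handshake step failed", e);
        }
        if (logger.isLoggable(Level.FINER)) {
            traceOutput(MY_CLASS_NAME, "doHandshake2", "KRB5SRV09:Response [after unwrap]", response);
        }
        // The peer controls the payload length. Reject anything shorter than
        // the fixed header before indexing into it, so a malformed message
        // ends in a SaslException instead of an unchecked exception.
        if (response == null || response.length < HANDSHAKE_HEADER_LENGTH) {
            throw new SaslException("Invalid final handshake response: expected at least "
                    + HANDSHAKE_HEADER_LENGTH + " octets but got "
                    + (response == null ? 0 : response.length));
        }

        byte selectedQop = response[0];
        // NOTE(review): this only requires the selection to overlap what the
        // server offered; extra bits are not rejected, and the strongest bit
        // present wins below. Confirm whether a single-bit selection should
        // be enforced.
        if ((selectedQop & this.allQop) == 0) {
            throw new SaslException("Client selected unsupported protection: " + ((int) selectedQop));
        }
        if ((selectedQop & QOP_PRIVACY_BIT) != 0) {
            this.privacy = true;
            this.integrity = true;
        } else if ((selectedQop & QOP_INTEGRITY_BIT) != 0) {
            this.integrity = true;
        }

        int clientMaxBufSize = networkByteOrderToInt(response, 1, 3);
        // A configured send limit of 0 means "use the client's limit".
        this.sendMaxBufSize = this.sendMaxBufSize == 0
                ? clientMaxBufSize
                : Math.min(this.sendMaxBufSize, clientMaxBufSize);
        try {
            this.rawSendSize = this.secCtx.getWrapSizeLimit(0, this.privacy, this.sendMaxBufSize);
        } catch (GSSException e) {
            throw new SaslException("Final handshake step failed", e);
        }
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "KRB5SRV10:Selected protection: {0}; privacy: {1}; integrity: {2}", new Object[]{Byte.valueOf(selectedQop), Boolean.valueOf(this.privacy), Boolean.valueOf(this.integrity)});
            logger.log(Level.FINE, "KRB5SRV11:Client max recv size: {0}; server max send size: {1}; rawSendSize: {2}", new Object[]{Integer.valueOf(clientMaxBufSize), Integer.valueOf(this.sendMaxBufSize), Integer.valueOf(this.rawSendSize)});
        }

        if (response.length > HANDSHAKE_HEADER_LENGTH) {
            try {
                this.authzid = new String(response, HANDSHAKE_HEADER_LENGTH, response.length - HANDSHAKE_HEADER_LENGTH, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new SaslException("Cannot decode authzid", e);
            }
        } else {
            // No authorization id supplied: the peer acts as itself.
            this.authzid = this.peer;
        }
        logger.log(Level.FINE, "KRB5SRV12:Authzid: {0}", this.authzid);

        authorizePeer();
        this.completed = true;
        return null;
    }

    /**
     * Asks the callback handler whether {@code peer} may act as the requested
     * authorization id and stores the id the handler returns.
     */
    private void authorizePeer() throws SaslException {
        AuthorizeCallback authorizeCallback = new AuthorizeCallback(this.peer, this.authzid);
        try {
            this.cbh.handle(new Callback[]{authorizeCallback});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new SaslException("Problem with callback handler", e);
        }
        if (!authorizeCallback.isAuthorized()) {
            throw new SaslException(this.peer + " is not authorized to connect as " + this.authzid);
        }
        this.authzid = authorizeCallback.getAuthorizedID();
    }

    /**
     * Returns the authorization id accepted by the callback handler.
     *
     * @throws IllegalStateException if authentication has not completed
     */
    @Override // javax.security.sasl.SaslServer
    public String getAuthorizationID() {
        if (this.completed) {
            return this.authzid;
        }
        throw new IllegalStateException("Authentication incomplete");
    }

    /**
     * Returns a negotiated property. {@code Sasl.BOUND_SERVER_NAME} is
     * answered from the established context's target name; every other name
     * is delegated to the base class.
     *
     * @param str property name
     * @return the property value, or {@code null} when the bound server name
     *     cannot be derived from the target name
     * @throws IllegalStateException if authentication has not completed
     */
    @Override // com.sun.security.sasl.util.AbstractSaslImpl
    public Object getNegotiatedProperty(String str) {
        if (!this.completed) {
            throw new IllegalStateException("Authentication incomplete");
        }
        // The listing showed the decompiler's expansion of a string switch,
        // which is not valid Java; this is the equivalent comparison.
        if (!str.equals(Sasl.BOUND_SERVER_NAME)) {
            return super.getNegotiatedProperty(str);
        }
        if (this.me == null) {
            return null;
        }
        // The second component of the target name, split on '/' or '@', is
        // taken as the host part.
        String[] parts = this.me.split("[/@]");
        return parts.length > 1 ? parts[1] : null;
    }
}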
