package sun.security.ssl.krb5;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.net.ssl.SSLKeyException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.ServicePermission;
import sun.security.jgss.GSSCaller;
import sun.security.jgss.krb5.Krb5Util;
import sun.security.jgss.krb5.ServiceCreds;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.EncryptionKey;
import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.EncTicketPart;
import sun.security.krb5.internal.Ticket;
import sun.security.ssl.Krb5Helper;
import sun.security.ssl.KrbClientKeyExchangeHelper;
import sun.security.ssl.SSLLogger;
import sun.security.util.SecurityConstants;

/* loaded from: input_file:assets/app_runtime/j2re-image/lib/jsse.jar:sun/security/ssl/krb5/KrbClientKeyExchangeHelperImpl.class */
/**
 * Helper for the legacy Kerberos TLS cipher suites (Kerberos-based
 * ClientKeyExchange, as in RFC 2712).
 *
 * <p>Two roles are covered by the two {@code init} overloads:
 * <ul>
 *   <li>client side: obtain a {@code host/<hostname>} service ticket for the
 *       peer and encrypt the caller-supplied pre-master secret under the
 *       ticket's session key;</li>
 *   <li>server side: decrypt the received ticket with the service's long-term
 *       key, recover the session key from the ticket and use it to decrypt the
 *       pre-master secret.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output (JADX). Several spots do
 * not compile as shown and must be read as artifacts, not behaviour: the
 * anonymous {@code PrivilegedAction}s declare {@code run2()} under
 * {@code @Override}, {@code String.this} in the ticket lookup stands in for a
 * captured local, and {@code init(byte[], byte[], Object, AccessControlContext)}
 * uses locals after a {@code catch} that leaves them unassigned. Where the
 * intended control flow is only inferable, the comments below say so.
 *
 * <p>Not thread-safe: instance state is plain mutable fields written by
 * {@code init} and read by the getters.
 */
public final class KrbClientKeyExchangeHelperImpl implements KrbClientKeyExchangeHelper {
    // Plaintext pre-master secret: supplied by the caller on the client side,
    // produced by decryptPremasterSecret() on the server side (stays null if
    // decryption fails there).
    private byte[] preMaster;
    // Pre-master secret encrypted under the ticket session key.
    private byte[] preMasterEnc;
    // DER-encoded Kerberos service ticket sent in the ClientKeyExchange.
    private byte[] encodedTicket;
    // Client side: the ticket's server principal. Server side: the cname from
    // the decrypted ticket (i.e. the authenticated client).
    private KerberosPrincipal peerPrincipal;
    // Client side: the ticket's client principal. Server side: the ticket's
    // sname (this service).
    private KerberosPrincipal localPrincipal;

    /**
     * Client-side initialisation.
     *
     * @param bArr                 plaintext pre-master secret to protect
     * @param str                  peer host name; turned into the service
     *                             principal {@code host/<str>} (see
     *                             {@link #getServiceTicket})
     * @param accessControlContext context used for the {@code ServicePermission}
     *                             check and the subject/TGS ticket lookup
     * @throws IOException if no service ticket can be obtained, if the session
     *                     key type is unsupported, or if encryption fails
     */
    @Override // sun.security.ssl.KrbClientKeyExchangeHelper
    public void init(byte[] bArr, String str, AccessControlContext accessControlContext) throws IOException {
        this.preMaster = bArr;
        KerberosTicket serviceTicket = getServiceTicket(str, accessControlContext);
        this.encodedTicket = serviceTicket.getEncoded();
        this.peerPrincipal = serviceTicket.getServer();
        this.localPrincipal = serviceTicket.getClient();
        // The pre-master secret is encrypted with the ticket's session key, so
        // only the holder of the service key (the server) can recover it.
        encryptPremasterSecret(new EncryptionKey(serviceTicket.getSessionKeyType(), serviceTicket.getSessionKey().getEncoded()));
    }

    /**
     * Server-side initialisation: decrypt the ticket, then the pre-master secret.
     *
     * @param bArr                 DER-encoded service ticket from the client
     * @param bArr2                pre-master secret encrypted under the ticket
     *                             session key
     * @param obj                  the server's {@code ServiceCreds} (cast below);
     *                             a {@code null} name means "any service in the
     *                             keytab", which is why a permission check is
     *                             needed in that case
     * @param accessControlContext context for the {@code accept}
     *                             {@code ServicePermission} check
     * @throws IOException if the service is not allowed, no usable key exists,
     *                     or the ticket cannot be decrypted
     */
    @Override // sun.security.ssl.KrbClientKeyExchangeHelper
    public void init(byte[] bArr, byte[] bArr2, Object obj, AccessControlContext accessControlContext) throws IOException {
        EncryptionKey encryptionKey;
        EncryptedData encryptedData;
        PrincipalName principalName;
        final ServiceCreds serviceCreds;
        final KerberosPrincipal kerberosPrincipal;
        KerberosKey[] kerberosKeyArr;
        this.encodedTicket = bArr;
        this.preMasterEnc = bArr2;
        try {
            Ticket ticket = new Ticket(bArr);
            encryptedData = ticket.encPart;
            principalName = ticket.sname;
            serviceCreds = (ServiceCreds) obj;
            kerberosPrincipal = new KerberosPrincipal(principalName.toString());
            // With an unnamed (catch-all) keytab the caller must hold the
            // "accept" ServicePermission for whatever sname the client put in
            // the ticket, otherwise any principal's key could be exercised.
            if (serviceCreds.getName() == null) {
                SecurityManager securityManager = System.getSecurityManager();
                if (securityManager != null) {
                    try {
                        securityManager.checkPermission(Krb5Helper.getServicePermission(principalName.toString(), SecurityConstants.SOCKET_ACCEPT_ACTION), accessControlContext);
                    } catch (SecurityException e) {
                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                            SSLLogger.fine("Permission to access Kerberos secret key denied", new Object[0]);
                        }
                        // NOTE(review): as decompiled, this IOException is
                        // inside the enclosing try and would be swallowed by
                        // the catch (Exception e2) below; presumably the
                        // original rethrows IOException untouched — verify.
                        throw new IOException("Kerberos service not allowed");
                    }
                }
            }
            // Long-term keys of the ticket's sname, read under privilege so the
            // keytab access is not limited by the calling code's permissions.
            kerberosKeyArr = (KerberosKey[]) AccessController.doPrivileged(new PrivilegedAction<KerberosKey[]>() { // from class: sun.security.ssl.krb5.KrbClientKeyExchangeHelperImpl.1
                // Decompiler artifact: the real method is run(); "run2" with
                // @Override does not compile as written.
                @Override // java.security.PrivilegedAction
                public KerberosKey[] run2() {
                    return serviceCreds.getKKeys(kerberosPrincipal);
                }
            });
        } catch (Exception e2) {
            // NOTE(review): after this catch, kerberosKeyArr/encryptedData/
            // principalName are unassigned yet used below; in the original the
            // rest of the method most likely sits inside the try and only the
            // final decryptPremasterSecret() call depends on encryptionKey.
            encryptionKey = null;
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Error getting the Kerberos session key to decrypt the pre-master secret", new Object[0]);
            }
        }
        if (kerberosKeyArr.length == 0) {
            throw new IOException("Found no key for " + ((Object) kerberosPrincipal) + (serviceCreds.getName() == null ? "" : ", this keytab is for " + serviceCreds.getName() + " only"));
        }
        int eType = encryptedData.getEType();
        try {
            // Pick the service key matching the ticket's etype and kvno.
            KerberosKey findKey = findKey(eType, encryptedData.getKeyVersionNumber(), kerberosKeyArr);
            if (findKey == null) {
                throw new IOException("Cannot find key of appropriate type to decrypt ticket - need etype " + eType);
            }
            // Key usage 2 = ticket enc-part (RFC 4120). reset() strips the
            // confounder/checksum framing before ASN.1 decoding.
            EncTicketPart encTicketPart = new EncTicketPart(encryptedData.reset(encryptedData.decrypt(new EncryptionKey(eType, findKey.getEncoded()), 2)));
            this.peerPrincipal = new KerberosPrincipal(encTicketPart.cname.getName());
            this.localPrincipal = new KerberosPrincipal(principalName.getName());
            // Session key carried in the ticket; the client used it to encrypt
            // the pre-master secret.
            encryptionKey = encTicketPart.key;
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("server principal: " + ((Object) principalName), new Object[0]);
                SSLLogger.fine("cname: " + encTicketPart.cname.toString(), new Object[0]);
            }
            if (encryptionKey != null) {
                decryptPremasterSecret(encryptionKey);
            }
        } catch (KrbException e3) {
            throw new IOException("Cannot find key matching version number", e3);
        }
    }

    /** @return the DER-encoded service ticket set by {@code init} */
    @Override // sun.security.ssl.KrbClientKeyExchangeHelper
    public byte[] getEncodedTicket() {
        return this.encodedTicket;
    }

    /** @return the pre-master secret encrypted under the ticket session key */
    @Override // sun.security.ssl.KrbClientKeyExchangeHelper
    public byte[] getEncryptedPreMasterSecret() {
        return this.preMasterEnc;
    }

    /**
     * @return the plaintext pre-master secret; on the server side this is
     *         {@code null} if decryption failed (see
     *         {@link #decryptPremasterSecret})
     */
    @Override // sun.security.ssl.KrbClientKeyExchangeHelper
    public byte[] getPlainPreMasterSecret() {
        return this.preMaster;
    }

    /** @return the peer's principal (server on the client side, client on the server side) */
    @Override // sun.security.ssl.KrbClientKeyExchangeHelper
    public KerberosPrincipal getPeerPrincipal() {
        return this.peerPrincipal;
    }

    /** @return this side's principal (client on the client side, service on the server side) */
    @Override // sun.security.ssl.KrbClientKeyExchangeHelper
    public KerberosPrincipal getLocalPrincipal() {
        return this.localPrincipal;
    }

    /**
     * Encrypts {@link #preMaster} under the ticket session key into
     * {@link #preMasterEnc}.
     *
     * @param encryptionKey the ticket session key
     * @throws IOException if the key type is etype 16 (des3-cbc-hmac-sha1-kd,
     *                     rejected for TLS) or if Kerberos encryption fails
     *                     (wrapped in an {@code SSLKeyException})
     */
    private void encryptPremasterSecret(EncryptionKey encryptionKey) throws IOException {
        // Etype 16 is refused on both sides; the message names the type.
        if (encryptionKey.getEType() == 16) {
            throw new IOException("session keys with des3-cbc-hmac-sha1-kd encryption type are not supported for TLS Kerberos cipher suites");
        }
        try {
            // Key usage 0 for the pre-master secret (mirrored in decrypt).
            this.preMasterEnc = new EncryptedData(encryptionKey, this.preMaster, 0).getBytes();
        } catch (KrbException e) {
            throw ((IOException) new SSLKeyException("Kerberos pre-master secret error").initCause(e));
        }
    }

    /**
     * Decrypts {@link #preMasterEnc} with the recovered session key and stores
     * the result in {@link #preMaster}.
     *
     * <p>For the single-DES etypes the Kerberos decryption leaves block
     * padding behind the 48-byte TLS pre-master secret; that padding is
     * stripped when it has the expected value (etype 1 / des-cbc-crc: 4 bytes
     * of 0x04 or 0x00; etype 3 / des-cbc-md5: 8 bytes of 0x08).
     *
     * <p>Any decryption error is logged and otherwise ignored, leaving
     * {@link #preMaster} unset. NOTE(review): presumably the TLS layer treats a
     * missing pre-master secret as a handshake failure without leaking which
     * step failed — that handling lives in the caller, not here.
     *
     * @param encryptionKey the ticket session key
     * @throws IOException if the key type is etype 16 (des3-cbc-hmac-sha1-kd)
     */
    private void decryptPremasterSecret(EncryptionKey encryptionKey) throws IOException {
        if (encryptionKey.getEType() == 16) {
            throw new IOException("session keys with des3-cbc-hmac-sha1-kd encryption type are not supported for TLS Kerberos cipher suites");
        }
        try {
            EncryptedData encryptedData = new EncryptedData(encryptionKey.getEType(), (Integer) null, this.preMasterEnc);
            byte[] decrypt = encryptedData.decrypt(encryptionKey, 0);
            // Writes the plaintext pre-master secret to the debug log when
            // "ssl,handshake" logging is on — key material ends up in logs.
            // The preMasterEnc null check is redundant here: a null value
            // would already have failed above.
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake") && this.preMasterEnc != null) {
                SSLLogger.fine("decrypted premaster secret", decrypt);
            }
            // Strip single-DES block padding down to the 48-byte secret.
            if (decrypt.length == 52 && encryptedData.getEType() == 1) {
                if (paddingByteIs(decrypt, 52, (byte) 4) || paddingByteIs(decrypt, 52, (byte) 0)) {
                    decrypt = Arrays.copyOf(decrypt, 48);
                }
            } else if (decrypt.length == 56 && encryptedData.getEType() == 3 && paddingByteIs(decrypt, 56, (byte) 8)) {
                decrypt = Arrays.copyOf(decrypt, 48);
            }
            this.preMaster = decrypt;
        } catch (Exception e) {
            // Deliberately best-effort: failure is logged, preMaster stays null.
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Error decrypting the pre-master secret", new Object[0]);
            }
        }
    }

    /**
     * Returns {@code true} if every byte in {@code bArr[48..i)} equals
     * {@code b}, i.e. the bytes after the 48-byte pre-master secret are all
     * the given padding value. The caller guarantees {@code i <= bArr.length}.
     */
    private static boolean paddingByteIs(byte[] bArr, int i, byte b) {
        for (int i2 = 48; i2 < i; i2++) {
            if (bArr[i2] != b) {
                return false;
            }
        }
        return true;
    }

    /**
     * Obtains a Kerberos service ticket for {@code host/<str>} from the
     * caller's Subject (or via the TGS).
     *
     * <p>"localhost"/"localhost.localdomain" are replaced with the machine's
     * real host name first, since that is the name the service key is
     * registered under. The caller must hold
     * {@code ServicePermission(<service principal>, "initiate")}.
     *
     * @param str                  peer host name
     * @param accessControlContext context for the permission check and ticket
     *                             lookup
     * @return the service ticket, never {@code null}
     * @throws IOException       if the principal name is invalid, no ticket is
     *                           found, or the lookup fails
     * @throws SecurityException if the "initiate" permission check fails
     *                           (rethrown unchanged)
     */
    private static KerberosTicket getServiceTicket(String str, final AccessControlContext accessControlContext) throws IOException {
        if ("localhost".equals(str) || "localhost.localdomain".equals(str)) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Get the local hostname", new Object[0]);
            }
            String str2 = (String) AccessController.doPrivileged(new PrivilegedAction<String>() { // from class: sun.security.ssl.krb5.KrbClientKeyExchangeHelperImpl.2
                // Decompiler artifact: the real method is run(); "run2" with
                // @Override does not compile as written.
                @Override // java.security.PrivilegedAction
                public String run2() {
                    try {
                        return InetAddress.getLocalHost().getHostName();
                    } catch (UnknownHostException e) {
                        // Lookup failure is non-fatal: the caller keeps "localhost".
                        if (!SSLLogger.isOn || !SSLLogger.isOn("ssl,handshake")) {
                            return null;
                        }
                        SSLLogger.fine("Warning, cannot get the local hostname: " + e.getMessage(), new Object[0]);
                        return null;
                    }
                }
            });
            if (str2 != null) {
                str = str2;
            }
        }
        // Host-based service principal; the realm is filled in from the
        // Kerberos configuration by PrincipalName.
        String str3 = "host/" + str;
        try {
            // Name type 3 = NT-SRV-HST (host-based service).
            PrincipalName principalName = new PrincipalName(str3, 3);
            String realmAsString = principalName.getRealmAsString();
            final String principalName2 = principalName.toString();
            // TGS principal for the service's realm: krbtgt/REALM@REALM.
            final String str4 = "krbtgt/" + realmAsString + PrincipalName.NAME_REALM_SEPARATOR_STR + realmAsString;
            // Client principal name: null = whatever the Subject holds.
            final String str5 = null;
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                securityManager.checkPermission(new ServicePermission(principalName2, "initiate"), accessControlContext);
            }
            try {
                KerberosTicket kerberosTicket = (KerberosTicket) AccessController.doPrivileged(new PrivilegedExceptionAction<KerberosTicket>() { // from class: sun.security.ssl.krb5.KrbClientKeyExchangeHelperImpl.3
                    // Decompiler artifact: "String.this" below is not valid
                    // Java; presumably it stands for the captured str5 (null
                    // client principal) — confirm against the original source.
                    @Override // java.security.PrivilegedExceptionAction
                    public KerberosTicket run() throws Exception {
                        return Krb5Util.getTicketFromSubjectAndTgs(GSSCaller.CALLER_SSL_CLIENT, String.this, principalName2, str4, accessControlContext);
                    }
                });
                if (kerberosTicket == null) {
                    throw new IOException("Failed to find any kerberos service ticket for " + principalName2);
                }
                return kerberosTicket;
            } catch (PrivilegedActionException e) {
                IOException iOException = new IOException("Attempt to obtain kerberos service ticket for " + principalName2 + " failed!");
                iOException.initCause(e);
                throw iOException;
            }
        } catch (SecurityException e2) {
            // Permission denials must surface as-is, not as "invalid name".
            throw e2;
        } catch (Exception e3) {
            IOException iOException2 = new IOException("Invalid service principal name: " + str3);
            iOException2.initCause(e3);
            throw iOException2;
        }
    }

    /**
     * Key-version match with wildcards: a {@code null} or {@code 0} requested
     * kvno, or a key whose kvno is {@code 0}, matches anything.
     *
     * @param num requested kvno from the ticket (may be {@code null})
     * @param i   kvno of a candidate key
     */
    private static boolean versionMatches(Integer num, int i) {
        if (num == null || num.intValue() == 0 || i == 0) {
            return true;
        }
        return num.equals(Integer.valueOf(i));
    }

    /**
     * Selects the service key to decrypt a ticket with.
     *
     * <p>Pass 1: among keys of exactly etype {@code i}, return the first whose
     * kvno matches ({@link #versionMatches}); otherwise remember the one with
     * the highest kvno. Pass 2 (only for the single-DES etypes 1 and 3): keys
     * of either DES etype carry the same raw DES key, so a key of the other
     * DES type is accepted and re-labelled as etype {@code i}.
     *
     * <p>Returns the highest-kvno candidate when no kvno matched, or
     * {@code null} when no key of a usable etype exists at all.
     *
     * @param i              etype required by the ticket's enc-part
     * @param num            kvno required by the ticket (may be {@code null})
     * @param kerberosKeyArr the service's long-term keys
     */
    private static KerberosKey findKey(int i, Integer num, KerberosKey[] kerberosKeyArr) throws KrbException {
        // z: at least one key of a usable etype was seen.
        boolean z = false;
        // i2/kerberosKey: highest kvno seen so far and the key carrying it.
        int i2 = 0;
        KerberosKey kerberosKey = null;
        for (int i3 = 0; i3 < kerberosKeyArr.length; i3++) {
            if (i == kerberosKeyArr[i3].getKeyType()) {
                int versionNumber = kerberosKeyArr[i3].getVersionNumber();
                z = true;
                if (versionMatches(num, versionNumber)) {
                    return kerberosKeyArr[i3];
                }
                if (versionNumber > i2) {
                    kerberosKey = kerberosKeyArr[i3];
                    i2 = versionNumber;
                }
            }
        }
        // des-cbc-crc (1) and des-cbc-md5 (3) share the raw key; cross-use.
        if (i == 1 || i == 3) {
            for (int i4 = 0; i4 < kerberosKeyArr.length; i4++) {
                int keyType = kerberosKeyArr[i4].getKeyType();
                if (keyType == 1 || keyType == 3) {
                    int versionNumber2 = kerberosKeyArr[i4].getVersionNumber();
                    z = true;
                    if (versionMatches(num, versionNumber2)) {
                        return new KerberosKey(kerberosKeyArr[i4].getPrincipal(), kerberosKeyArr[i4].getEncoded(), i, versionNumber2);
                    }
                    if (versionNumber2 > i2) {
                        kerberosKey = new KerberosKey(kerberosKeyArr[i4].getPrincipal(), kerberosKeyArr[i4].getEncoded(), i, versionNumber2);
                        i2 = versionNumber2;
                    }
                }
            }
        }
        if (z) {
            return kerberosKey;
        }
        return null;
    }
}
