package com.sap.db.util.security;

import com.sap.db.annotations.NotThreadSafe;
import com.sap.db.jdbc.ConnectionSapDB;
import com.sap.db.jdbc.exceptions.SQLExceptionSapDB;
import com.sap.db.jdbc.packet.HAuthenticationPart;
import com.sap.db.jdbc.trace.Tracer;
import com.sap.db.util.ByteUtils;
import com.sap.db.util.MessageKey;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.sql.SQLException;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* JADX INFO: Access modifiers changed from: package-private */
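/**
 * Kerberos v5 authentication over GSS-API for a {@link ConnectionSapDB}.
 *
 * <p>Every packet of the exchange starts with the Kerberos mechanism OID as a
 * string field, followed by a one-byte communication type (the {@code *_REQUEST}
 * / {@code *_REPLY} constants below) and type-specific fields. The client side
 * of that state machine lives in {@link #_evaluateAuthenticateReply}; the
 * wire layout of a packet is produced by {@link #pack}.
 *
 * <p>If the connection already holds an authenticated {@link Subject}, all
 * GSS calls are executed via {@code Subject.doAs} for that subject. Otherwise
 * the subject of the current access-control context is used and handed to the
 * connection once authentication completes.
 *
 * <p>Not thread-safe: an instance carries per-handshake state
 * ({@code _context}, {@code _finalData}, {@code _userName}).
 */
@NotThreadSafe
public class GSSAuthentication extends AbstractAuthenticationMethod {
    static final String METHOD_NAME = "GSS";

    // Communication types carried in the second field of every GSS packet.
    // They are transmitted as a single byte, so they are kept as ints here.
    private static final int REJECT = 0;
    private static final int SERVICE_PRINCIPAL_NAME_REQUEST = 1;
    private static final int SERVICE_PRINCIPAL_NAME_REPLY = 2;
    private static final int UNESTABLISHED_REQUEST = 3;
    private static final int UNESTABLISHED_REPLY = 4;
    private static final int ESTABLISHED_REQUEST = 5;
    private static final int ESTABLISHED_REPLY = 6;
    private static final int CONNECT_REPLY = 7;

    // Field length encoding used by pack(): a field of up to 250 bytes gets a
    // single length byte; anything longer is prefixed with the marker byte 255
    // followed by a 2-byte big-endian length (so 65535 bytes is the maximum).
    private static final int Max1ByteLengthKerberos = 250;
    private static final int TwoByteLengthKerberos = 255;
    private static final int MaxFieldLengthKerberos = 0xFFFF;

    private final ConnectionSapDB _connection;
    private final GSSManager _manager;
    private final Oid _krb5Oid;
    private final String _krb5OidString;
    private final byte[] _krb5OidBytes;
    /** Subject already stored on the connection, or null if there is none. */
    private final Subject _authenticatedSubject;
    /** Subject of the calling access context; only set when no stored subject exists. */
    private final Subject _currentContextSubject;
    /** Packet returned by {@link #getFinalData}; set once the context is established. */
    private byte[] _finalData;
    /** User name as reported by the server in SERVICE_PRINCIPAL_NAME_REPLY, if any. */
    private String _userName;
    /** Initiator context, created on SERVICE_PRINCIPAL_NAME_REPLY. */
    private GSSContext _context;

    /** A unit of work that may have to run inside {@code Subject.doAs}. */
    private interface SubjectWork {
        byte[] run() throws SQLException;
    }

    /**
     * PrivilegedAction adapter that captures either the result or the
     * SQLException of a {@link SubjectWork}, because {@code PrivilegedAction}
     * cannot throw checked exceptions.
     */
    private static final class CapturingAction implements PrivilegedAction<Object> {
        private final SubjectWork _work;
        private byte[] _result;
        private SQLException _exception;

        private CapturingAction(SubjectWork work) {
            this._work = work;
        }

        @Override
        public Object run() {
            try {
                this._result = this._work.run();
            } catch (SQLException e) {
                this._exception = e;
            }
            return null;
        }
    }

    /**
     * Creates the method for the given connection.
     *
     * <p>If the connection already carries an authenticated subject it is
     * reused; otherwise the subject of the current access-control context is
     * captured. Relevant JAAS/GSS system properties are written to the trace.
     *
     * @throws GSSException if the Kerberos mechanism OID cannot be constructed
     */
    public GSSAuthentication(ConnectionSapDB connectionSapDB) throws GSSException {
        this._connection = connectionSapDB;
        Tracer tracer = connectionSapDB.getTracer();
        if (tracer.on()) {
            tracer.printDebugMessage("Property: java.security.auth.login.config = " + System.getProperty("java.security.auth.login.config", "null") + "\nProperty: javax.security.auth.useSubjectCredsOnly = " + System.getProperty("javax.security.auth.useSubjectCredsOnly", "null"));
        }
        this._manager = GSSManager.getInstance();
        this._krb5Oid = new Oid("1.2.840.113554.1.2.2");
        this._krb5OidString = this._krb5Oid.toString();
        this._krb5OidBytes = this._krb5OidString.getBytes(StandardCharsets.UTF_8);
        this._authenticatedSubject = this._connection.getAuthenticatedSubject();
        if (this._authenticatedSubject != null) {
            this._currentContextSubject = null;
            if (tracer.on()) {
                tracer.printDebugMessage("Reusing connection subject");
            }
        } else {
            this._currentContextSubject = Subject.getSubject(AccessController.getContext());
            if (tracer.on()) {
                tracer.printDebugMessage("Using current access context subject");
            }
        }
    }

    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public String getMethodName() {
        return METHOD_NAME;
    }

    /**
     * Builds the SERVICE_PRINCIPAL_NAME_REQUEST packet. The argument is not
     * used by this method.
     *
     * @throws SQLException if no initiator credential can be obtained
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public byte[] getInitialData(byte[] bArr) throws SQLException {
        return runAsAuthenticatedSubject(new SubjectWork() {
            @Override
            public byte[] run() throws SQLException {
                return _getInitialData();
            }
        });
    }

    /**
     * Returns the final ESTABLISHED_REQUEST packet prepared by
     * {@link #_evaluateAuthenticateReply}.
     *
     * @throws SQLException if the context was never established
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public byte[] getFinalData(String str, String str2) throws SQLException {
        if (this._finalData == null) {
            throw SQLExceptionSapDB.newInstance(MessageKey.ERROR_CONNECTION_GSSAUTHENTICATIONERROR, "KERBEROS Protocol error: Context is still unestablished.");
        }
        return this._finalData;
    }

    /**
     * Processes one server reply of the authentication exchange, running
     * inside the stored subject when there is one.
     *
     * @return the next client packet, or null once the context is established
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public byte[] evaluateAuthenticateReply(final Tracer tracer, final HAuthenticationPart hAuthenticationPart) throws SQLException {
        return runAsAuthenticatedSubject(new SubjectWork() {
            @Override
            public byte[] run() throws SQLException {
                return _evaluateAuthenticateReply(tracer, hAuthenticationPart);
            }
        });
    }

    /**
     * Extracts the session cookie from a CONNECT_REPLY.
     *
     * @return the cookie string, or null if the reply is not a CONNECT_REPLY
     * @throws SQLException on a malformed packet or a foreign mechanism OID
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public String evaluateConnectReply(Tracer tracer, HAuthenticationPart hAuthenticationPart) throws SQLException {
        HAuthenticationPart reply = new HAuthenticationPart(hAuthenticationPart);
        requireNextField(reply);
        String oid = reply.getValueAsString();
        if (!oid.equals(this._krb5OidString)) {
            if (tracer.on()) {
                tracer.printDebugMessage("Reject KERBEROS Authentication: Wrong OID found: expected: " + this._krb5OidString + ", actual: " + oid);
            }
            throw SQLExceptionSapDB.newInstance(MessageKey.ERROR_CONNECTION_GSSAUTHENTICATIONERROR, "Wrong OID found: expected: " + this._krb5OidString + ", actual: " + oid);
        }
        requireNextField(reply);
        if (reply.getValueAsUByte() != CONNECT_REPLY) {
            return null;
        }
        requireNextField(reply);
        String sessionCookie = reply.getValueAsString();
        if (tracer.on()) {
            tracer.printDebugMessage("KERBEROS Authentication: Received session cookie");
        }
        return sessionCookie;
    }

    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public String getUserNameFromServer() {
        return this._userName;
    }

    /**
     * Stores the subject used for this handshake on the connection.
     *
     * <p>NOTE(review): when this instance was created from a subject already
     * stored on the connection, {@code _currentContextSubject} is null and this
     * call replaces the stored subject with null. Confirm that is intended.
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public void onAuthenticationCompleted() {
        this._connection.setAuthenticatedSubject(this._currentContextSubject);
    }

    /**
     * Runs {@code work} directly, or inside {@code Subject.doAs} for the
     * stored subject when the connection has one, re-throwing any SQLException.
     */
    private byte[] runAsAuthenticatedSubject(SubjectWork work) throws SQLException {
        if (this._authenticatedSubject == null) {
            return work.run();
        }
        CapturingAction action = new CapturingAction(work);
        Subject.doAs(this._authenticatedSubject, action);
        if (action._exception != null) {
            throw action._exception;
        }
        return action._result;
    }

    /**
     * Builds SERVICE_PRINCIPAL_NAME_REQUEST: mechanism OID, type byte, the
     * name type OID and the canonical initiator name of the default credential.
     */
    public byte[] _getInitialData() throws SQLException {
        try {
            GSSCredential credential = this._manager.createCredential(GSSCredential.INITIATE_ONLY);
            GSSName initiatorName = credential.getName().canonicalize(this._krb5Oid);
            byte[] nameType = initiatorName.getStringNameType().toString().getBytes(StandardCharsets.UTF_8);
            byte[] name = initiatorName.toString().getBytes(StandardCharsets.UTF_8);
            return pack(new byte[][]{this._krb5OidBytes, typeField(SERVICE_PRINCIPAL_NAME_REQUEST), nameType, name});
        } catch (GSSException e) {
            throw SQLExceptionSapDB.newInstance(e, MessageKey.ERROR_CONNECTION_GSSAUTHENTICATIONERROR, e.toString());
        }
    }

    /**
     * Client state machine for one server reply.
     *
     * <ul>
     *   <li>SERVICE_PRINCIPAL_NAME_REPLY: create the initiator context for the
     *       SPN sent by the server and emit the first client token.</li>
     *   <li>UNESTABLISHED_REPLY: feed the server token to the context and emit
     *       the next client token.</li>
     *   <li>ESTABLISHED_REPLY: feed the (optional) server token, then prepare
     *       {@code _finalData} and return null.</li>
     *   <li>anything else: answer with REJECT.</li>
     * </ul>
     *
     * <p>GSS failures and protocol violations are answered with a REJECT packet
     * rather than an exception; only malformed packets raise SQLException.
     *
     * @return the next client packet, or null when the handshake is complete
     * @throws SQLException if a mandatory field is missing
     */
    public byte[] _evaluateAuthenticateReply(Tracer tracer, HAuthenticationPart hAuthenticationPart) throws SQLException {
        HAuthenticationPart reply = new HAuthenticationPart(hAuthenticationPart);
        requireNextField(reply);
        String oid = reply.getValueAsString();
        if (!oid.equals(this._krb5OidString)) {
            if (tracer.on()) {
                tracer.printDebugMessage("Reject KERBEROS Authentication: Wrong OID found: expected: " + this._krb5OidString + ", actual: " + oid);
            }
            return reject();
        }
        requireNextField(reply);
        int replyType = reply.getValueAsUByte();
        // The token field is mandatory for every type except ESTABLISHED_REPLY,
        // where the server may omit it; the value read then is treated as null.
        if (!reply.nextField() && replyType != ESTABLISHED_REPLY) {
            throw SQLExceptionSapDB.newInstance(MessageKey.ERROR_PACKET_WRONGPACKETFORMAT, new String[0]);
        }
        byte[] serverToken = reply.getValueAsBytes();

        switch (replyType) {
            case SERVICE_PRINCIPAL_NAME_REPLY:
                if (!createContextFromReply(tracer, reply)) {
                    return reject();
                }
                // A fresh context starts with an empty input token.
                return nextClientToken(tracer, new byte[0]);
            case UNESTABLISHED_REPLY:
                return nextClientToken(tracer, serverToken);
            case ESTABLISHED_REPLY:
                return completeHandshake(tracer, serverToken);
            default:
                if (tracer.on()) {
                    tracer.printDebugMessage("Reject KERBEROS Authentication: No suitable communication type: Found request type: " + replyType);
                }
                return reject();
        }
    }

    /**
     * Reads the SPN (and optional user name) from a SERVICE_PRINCIPAL_NAME_REPLY
     * and creates the initiator context for it.
     *
     * @return false if the context could not be created (already traced)
     * @throws SQLException if the SPN field is missing
     */
    private boolean createContextFromReply(Tracer tracer, HAuthenticationPart reply) throws SQLException {
        requireNextField(reply);
        String spn = reply.getValueAsString();
        if (tracer.on()) {
            tracer.printDebugMessage("KERBEROS Authentication: Received SPN: " + spn);
        }
        if (reply.nextField()) {
            this._userName = reply.getValueAsString();
            if (tracer.on()) {
                tracer.printDebugMessage("KERBEROS Authentication: Received user name: " + this._userName);
            }
        }
        try {
            GSSName serverName = this._manager.createName(spn, (Oid) null);
            this._context = this._manager.createContext(serverName, this._krb5Oid, (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
            // Mutual authentication makes the server prove possession of the
            // service key (AP-REP); confidentiality and integrity are requested too.
            this._context.requestMutualAuth(true);
            this._context.requestConf(true);
            this._context.requestInteg(true);
            return true;
        } catch (GSSException e) {
            if (tracer.on()) {
                tracer.printDebugThrowable(e, "Reject KERBEROS Authentication");
            }
            return false;
        }
    }

    /**
     * Feeds {@code inToken} to the context and wraps the resulting client
     * token as ESTABLISHED_REQUEST or UNESTABLISHED_REQUEST. A missing context
     * (reply received out of order) or a missing output token is a protocol
     * error and is answered with REJECT instead of failing with an NPE.
     */
    private byte[] nextClientToken(Tracer tracer, byte[] inToken) {
        if (this._context == null) {
            if (tracer.on()) {
                tracer.printDebugMessage("Reject KERBEROS Authentication: Protocol error: No security context");
            }
            return reject();
        }
        try {
            byte[] outToken = this._context.initSecContext(inToken, 0, inToken.length);
            if (outToken == null) {
                if (tracer.on()) {
                    tracer.printDebugMessage("Reject KERBEROS Authentication: Protocol error");
                }
                return reject();
            }
            int requestType = this._context.isEstablished() ? ESTABLISHED_REQUEST : UNESTABLISHED_REQUEST;
            return pack(new byte[][]{this._krb5OidBytes, typeField(requestType), outToken});
        } catch (GSSException e) {
            if (tracer.on()) {
                tracer.printDebugThrowable(e, "Reject KERBEROS Authentication");
            }
            return reject();
        }
    }

    /**
     * Handles ESTABLISHED_REPLY: processes the server token if present, then
     * prepares the final ESTABLISHED_REQUEST packet in {@code _finalData}.
     *
     * @return null on success (the caller then uses getFinalData), or a REJECT packet
     */
    private byte[] completeHandshake(Tracer tracer, byte[] inToken) {
        if (inToken == null) {
            // NOTE(review): this branch accepts an ESTABLISHED_REPLY that carries no
            // token without checking _context.isEstablished(), although mutual
            // authentication was requested when the context was created. A server
            // that never returns its AP-REP is therefore still accepted here.
            // Behaviour is kept as-is pending confirmation of which servers rely on it.
            this._finalData = pack(new byte[][]{this._krb5OidBytes, typeField(ESTABLISHED_REQUEST)});
            return null;
        }
        if (this._context == null) {
            if (tracer.on()) {
                tracer.printDebugMessage("Reject KERBEROS Authentication: Protocol error: No security context");
            }
            return reject();
        }
        try {
            byte[] outToken = this._context.initSecContext(inToken, 0, inToken.length);
            if (!this._context.isEstablished()) {
                if (tracer.on()) {
                    tracer.printDebugMessage("Reject KERBEROS Authentication: Communication type 6 but not established");
                }
                return reject();
            }
            this._finalData = outToken == null
                    ? pack(new byte[][]{this._krb5OidBytes, typeField(ESTABLISHED_REQUEST)})
                    : pack(new byte[][]{this._krb5OidBytes, typeField(ESTABLISHED_REQUEST), outToken});
            return null;
        } catch (GSSException e) {
            if (tracer.on()) {
                tracer.printDebugThrowable(e, "Reject KERBEROS Authentication");
            }
            return reject();
        }
    }

    /** The REJECT packet: mechanism OID followed by the REJECT type byte. */
    private byte[] reject() {
        return pack(new byte[][]{this._krb5OidBytes, typeField(REJECT)});
    }

    /** Encodes a communication type as its single-byte field. */
    private static byte[] typeField(int type) {
        return new byte[]{(byte) type};
    }

    /** Advances {@code part} to its next field or fails with a wrong-packet-format error. */
    private static void requireNextField(HAuthenticationPart part) throws SQLException {
        if (!part.nextField()) {
            throw SQLExceptionSapDB.newInstance(MessageKey.ERROR_PACKET_WRONGPACKETFORMAT, new String[0]);
        }
    }

    /**
     * Serializes the fields into one packet: a 2-byte big-endian field count,
     * then for each field its length prefix (see the length constants) and
     * its bytes.
     *
     * @throws IllegalArgumentException if a field exceeds 65535 bytes, which the
     *         2-byte length prefix cannot represent (the old code silently
     *         truncated the length and emitted a corrupt packet)
     */
    private static byte[] pack(byte[][] fields) {
        int total = 2;
        for (byte[] field : fields) {
            int len = field.length;
            if (len > MaxFieldLengthKerberos) {
                throw new IllegalArgumentException("GSS packet field too long for the wire format: " + len);
            }
            total += len + (len <= Max1ByteLengthKerberos ? 1 : 3);
        }
        byte[] packet = new byte[total];
        ByteUtils.putShortBigEndian(fields.length, packet, 0);
        int pos = 2;
        for (byte[] field : fields) {
            int len = field.length;
            if (len <= Max1ByteLengthKerberos) {
                ByteUtils.putByte(len, packet, pos);
                pos += 1;
            } else {
                ByteUtils.putByte(TwoByteLengthKerberos, packet, pos);
                ByteUtils.putShortBigEndian(len, packet, pos + 1);
                pos += 3;
            }
            ByteUtils.putBytes(field, packet, pos);
            pos += len;
        }
        return packet;
    }
}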
