package oracle.net.ano;

import com.sun.security.auth.module.Krb5LoginModule;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import oracle.net.aso.b;
import oracle.net.ns.NetException;
import oracle.net.ns.SQLnetDef;
import oracle.net.ns.SessionAtts;
import org.apache.cxf.staxutils.PropertiesExpandingStreamReader;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.EncryptionKey;
import sun.security.krb5.Realm;
import sun.security.krb5.internal.APReq;
import sun.security.krb5.internal.Authenticator;
import sun.security.krb5.internal.KRBCred;
import sun.security.util.DerValue;

/* loaded from: input_file:BOOT-INF/lib/ojdbc6-11.2.0.3.jar:oracle/net/ano/AuthenticationService.class */
public class AuthenticationService extends Service implements PrivilegedExceptionAction, SQLnetDef {
    // Authentication adaptor names as configured in the client profile. a(SessionAtts) resolves each
    // configured name to its index in this table; index 0 is an empty placeholder.
    static final String[] a = {"", AnoServices.AUTHENTICATION_RADIUS, AnoServices.AUTHENTICATION_KERBEROS5, AnoServices.AUTHENTICATION_TCPS};
    // Adaptor names written by a() and matched against the peer's answer in a(int). Same order as
    // `a`, except that index 3 is the literal "tcps".
    private static final String[] k = {"", AnoServices.AUTHENTICATION_RADIUS, AnoServices.AUTHENTICATION_KERBEROS5, "tcps"};
    // Byte emitted in front of each adaptor name by a(); indexed in parallel with `k`.
    private static final byte[] l = {0, 1, 1, 2};
    // Reflective handle to sun.security.krb5.EncryptedData.reset, resolved once by i().
    // Stays null when the lookup fails.
    private static Method m = i();
    // Reflective handle invoked by a(String) to map a host name to a realm. Nothing in this class
    // body assigns it; presumably the privileged action built in a(String) does (confirm in class `a`).
    private static Method n = null;
    // Set by a(int) from the status word of the peer's reply; reported by isActive().
    private boolean o = false;
    // JAAS subject used for the Kerberos exchange: taken from the caller's access-control context
    // in e(), otherwise created from the ticket cache by h().
    private Subject p = null;
    // "service/host" string assembled in e(); used by run() as the target principal (without realm).
    private String q = null;
    // Realm returned by a(String) for the target host; may be null, in which case run() falls back
    // to the realm of the client principal.
    private String r = null;
    // Assigned 64767 (0xFCFF) in a(SessionAtts) and sent by a().
    private int s;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Initialises this service from the session and records which authentication adaptors the
     * client profile asks for.
     *
     * <p>Each name returned by {@code profile.getAuthenticationServices()} is resolved to its index
     * in the static table {@code a}; the indices are kept in {@code this.g} in profile order.
     *
     * @param sessionAtts session attributes; its profile supplies the configured adaptor names
     * @return always 1
     */
    @Override // oracle.net.ano.Service
    public final int a(SessionAtts sessionAtts) {
        super.a(sessionAtts);
        this.i = 1;
        this.s = 64767; // 0xFCFF, sent later by a()
        final String[] configured = sessionAtts.profile.getAuthenticationServices();
        // Inherited helper taking (configured names, known names); its effect is not visible in
        // this file -- presumably it rejects names that are missing from the table.
        a(configured, a);
        final int count = configured.length;
        this.g = new int[count];
        int slot = 0;
        while (slot < count) {
            this.g[slot] = a(a, configured[slot]);
            slot++;
        }
        return 1;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Emits the list of authentication adaptors selected in {@code this.g}.
     *
     * <p>Three leading items are written, followed by two items per adaptor (hence the header
     * count {@code 3 + 2 * n}): the byte from table {@code l} and the name from table {@code k}.
     */
    @Override // oracle.net.ano.Service
    public final void a() {
        final int offered = this.g.length;
        b(3 + 2 * offered);
        this.d.b();
        this.d.a(57569); // 0xE0E1
        this.d.b(this.s);
        for (final int adaptorIndex : this.g) {
            this.d.a(l[adaptorIndex]);
            this.d.a(k[adaptorIndex]);
        }
    }

    /**
     * Computes a size figure for what {@link #a()} emits: a fixed 20, plus 9 and the length of the
     * adaptor name for every entry of {@code this.g}.
     *
     * @return the computed size
     */
    @Override // oracle.net.ano.Service
    final int b() {
        int size = 20;
        for (final int adaptorIndex : this.g) {
            size += 9 + k[adaptorIndex].length();
        }
        return size;
    }

    /**
     * Reads the peer's answer to the adaptor list and records whether authentication is active.
     *
     * <p>Status 64255 (0xFAFF) together with {@code i > 2} selects an adaptor: its name is read,
     * looked up in table {@code k}, and the index stored in {@code this.j}. Status 64511 (0xFBFF)
     * leaves the service inactive. Anything else is a failure.
     *
     * <p>NOTE(review): the selected name is resolved against the full table {@code k}, not against
     * the locally configured list {@code this.g}. Whether a name the client never offered is
     * rejected elsewhere is not visible in this file; confirm before relying on the profile to
     * restrict the adaptor in use.
     *
     * @param i compared against 2 and 4 only; presumably the number of items in the reply
     * @throws NetException (code 323) when the status is neither of the two accepted values, or is
     *     64255 with {@code i <= 2}
     */
    @Override // oracle.net.ano.Service
    final void a(int i) {
        this.d.j();
        final int status = this.d.i();
        if (status == 64255 && i > 2) {
            this.d.e();
            this.j = a(k, this.d.k());
            if (i > 4) {
                // Three further items are consumed and discarded.
                this.d.j();
                this.d.g();
                this.d.g();
            }
            this.o = true;
            return;
        }
        if (status != 64511) {
            throw new NetException(323, "Authentication service received status failure");
        }
        this.o = false;
    }

    /**
     * Reports whether an authentication adaptor was selected by the last call to {@code a(int)}.
     *
     * @return the current value of the {@code o} flag
     */
    @Override // oracle.net.ano.Service
    public boolean isActive() {
        return o;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns a fixed figure that depends on the selected adaptor: 32 when {@code this.j == 1}
     * (the RADIUS slot of table {@code k}), 37 when {@code this.j == 2} (the Kerberos5 slot), and 0
     * when the service is inactive or another adaptor is selected. What the figure measures is not
     * visible in this file.
     *
     * @return 32, 37 or 0 as described above
     */
    public final int a_() {
        if (isActive()) {
            if (this.j == 1) {
                return 32;
            }
            if (this.j == 2) {
                return 37;
            }
        }
        return 0;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Emits the adaptor-specific opening message when the service is active.
     *
     * <p>For adaptor index 1 (RADIUS) a header of 3 is written followed by two {@code 2L} values;
     * for index 2 (Kerberos5) the header is 4 and a trailing {@code (short) 0} is appended. Nothing
     * is written for any other adaptor or when the service is inactive.
     */
    public final void d() {
        if (!this.o) {
            return;
        }
        final boolean kerberos = this.j == 2;
        if (this.j != 1 && !kerberos) {
            return;
        }
        b(kerberos ? 4 : 3);
        this.d.b();
        this.d.a(2L);
        this.d.a(2L);
        if (kerberos) {
            this.d.a((short) 0);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v26 */
    /* JADX WARN: Type inference failed for: r0v37, types: [java.lang.Object] */
    /* JADX WARN: Type inference failed for: r0v51 */
    /* JADX WARN: Type inference failed for: r0v52 */
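    /**
     * Processes the peer's reply to the opening message and, for Kerberos5, runs the
     * authentication exchange under a JAAS subject.
     *
     * <p>For adaptor index 1 (RADIUS) two items are consumed and the method returns. For index 2
     * (Kerberos5) two strings are read and joined as {@code service/host} into {@code this.q}, the
     * host is optionally replaced by its canonical name, the realm is derived through
     * {@code a(String)}, and {@link #run()} is executed through {@code Subject.doAs}.
     *
     * <p>Trust boundary: the two strings are read from {@code this.d} right after the reply is
     * fetched, so the target principal is presumably chosen by the peer rather than by local
     * configuration (confirm against the protocol). The canonical host name, and therefore the
     * realm, additionally depends on name-service answers. Deployments that cannot trust either
     * should enable {@code oracle.net.kerberos5_mutual_authentication} and pin host-to-realm
     * mappings in the Kerberos configuration.
     *
     * <p>Compared with the decompiler output, this version reads the wrapped exception from the
     * caught {@code PrivilegedActionException} (the listing reused a mistyped temporary) and
     * lower-cases host names with {@code Locale.ROOT} so the comparison does not vary with the
     * JVM's default locale.
     *
     * @throws NetException the exception raised inside {@link #run()}, or a new one with code 323
     *     wrapping any other failure of the privileged action
     */
    public final void e() {
        if (!this.o) {
            return;
        }
        this.e.ano.c();
        Service.a(this.d);
        if (this.j == 1) {
            this.d.n();
            this.d.n();
            return;
        }
        if (this.j != 2) {
            return;
        }
        String service = this.d.k();
        String host = this.d.k();
        this.q = service + "/" + host;
        try {
            String canonical = InetAddress.getByName(host).getCanonicalHostName();
            // Accept the canonical name only when it extends the short name with a domain suffix.
            if (canonical.toLowerCase(Locale.ROOT).startsWith(host.toLowerCase(Locale.ROOT) + ".")) {
                host = canonical;
            }
        } catch (UnknownHostException unused) {
            host = host.toLowerCase(Locale.ROOT);
        }
        this.r = a(host);
        AccessControlContext context = AccessController.getContext();
        if (context != null) {
            // A subject already bound to the calling context takes precedence over the ticket cache.
            this.p = Subject.getSubject(context);
        }
        if (this.p == null) {
            this.p = h();
        }
        try {
            Subject.doAs(this.p, this);
        } catch (PrivilegedActionException pae) {
            Exception cause = pae.getException();
            if (cause instanceof NetException) {
                throw (NetException) cause;
            }
            NetException wrapped = new NetException(323, pae.getMessage());
            wrapped.initCause(pae);
            throw wrapped;
        }
    }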

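    /**
     * Maps a host name to a Kerberos realm by reflectively calling
     * {@code sun.security.krb5.PrincipalName.mapHostToRealm}.
     *
     * <p>The method handle is expected in the static field {@code n}. When it is still null, the
     * method is looked up and handed to a privileged action of class {@code a}; that action
     * presumably makes it accessible and stores it in {@code n} (confirm in that class, which is
     * not part of this file). Lookup and invocation failures are deliberately non-fatal: the
     * caller treats a null realm as "fall back to the client's realm".
     *
     * <p>Unlike the decompiled original, a handle that is still null after the lookup yields null
     * instead of a {@code NullPointerException}.
     *
     * @param str host name to map
     * @return the realm, or null when the JDK-internal method is unavailable or the call fails
     */
    private static String a(String str) {
        if (n == null) {
            try {
                AccessController.doPrivileged(new a(Class.forName("sun.security.krb5.PrincipalName").getDeclaredMethod("mapHostToRealm", String.class)));
            } catch (ClassNotFoundException ignored) {
                // JDK-internal class missing on this runtime: no realm mapping available.
            } catch (NoSuchMethodException ignored) {
                // Method missing on this runtime: no realm mapping available.
            } catch (PrivilegedActionException ignored) {
                // The privileged setup failed: no realm mapping available.
            }
        }
        if (n == null) {
            return null;
        }
        try {
            return (String) n.invoke(null, str);
        } catch (IllegalAccessException ignored) {
            return null;
        } catch (InvocationTargetException ignored) {
            return null;
        }
    }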

    /**
     * Builds a JAAS subject from the Kerberos ticket cache.
     *
     * <p>{@code Krb5LoginModule} is driven directly with {@code useTicketCache=true} and
     * {@code doNotPrompt=true} and no callback handler, so the login can only succeed from an
     * existing cache and never asks for a password. The cache location is overridden when the
     * profile entry {@code oracle.net.kerberos5_cc_name} is a non-empty string.
     *
     * @return the subject populated by the login module
     * @throws NetException (code 323) when the login reports failure or throws; note that the
     *     "couldn't retrieve credentials" exception raised inside the try block is itself caught
     *     and re-wrapped by the catch-all below
     */
    private final Subject h() {
        final Subject subject = new Subject();
        final Krb5LoginModule module = new Krb5LoginModule();
        final HashMap<String, Object> sharedState = new HashMap<String, Object>();
        final HashMap<String, Object> options = new HashMap<String, Object>();
        options.put("useTicketCache", "true");
        options.put("doNotPrompt", "true");
        final String cacheName = (String) this.e.profile.get("oracle.net.kerberos5_cc_name");
        if (cacheName != null && !cacheName.isEmpty()) {
            options.put("ticketCache", cacheName);
        }
        module.initialize(subject, (CallbackHandler) null, sharedState, options);
        try {
            final boolean loggedIn = module.login();
            module.commit();
            if (!loggedIn) {
                throw new NetException(323, "Kerberos5 adaptor couldn't retrieve credentials (TGT) from the cache");
            }
            return subject;
        } catch (Exception e) {
            final NetException wrapped = new NetException(323, e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

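    /**
     * Performs the Kerberos5 exchange as the subject in {@code this.p}; invoked through
     * {@code Subject.doAs} from {@code e()}.
     *
     * <p>Steps: build a GSS context for the target {@code this.q@realm} with the Kerberos v5
     * mechanism, produce the initial token, strip its first 17 bytes and send the remainder with
     * the local address, optionally verify the server's reply (mutual authentication), then send
     * the re-wrapped delegated credential returned by {@code a(GSSContext, byte[])}.
     *
     * <p>Changes from the decompiled original:
     * <ul>
     *   <li>The mutual-authentication switch is compared with {@code equals}. The original used a
     *       reference comparison ({@code != "true"}), which leaves mutual authentication off
     *       whenever the profile value is an equal but distinct String instance.</li>
     *   <li>All principals of the subject are searched for a {@code KerberosPrincipal}; the
     *       original looked only at the first one and failed with a
     *       {@code NullPointerException} otherwise. A subject without one now raises
     *       {@code NetException}.</li>
     * </ul>
     *
     * <p>Security-relevant settings visible here: confidentiality and integrity are not requested
     * on the context, credential delegation is always requested, and mutual authentication is off
     * unless the profile sets {@code oracle.net.kerberos5_mutual_authentication} to exactly
     * {@code "true"}. Without mutual authentication the client does not verify the server's
     * reply. NOTE(review): where delegation is not required, issuing non-forwardable tickets is
     * the control that prevents a TGT from being forwarded; this code offers no switch for it.
     *
     * @return always null
     * @throws NetException (code 323) on any GSS failure, failed mutual authentication, a context
     *     that is not established, or a subject without a Kerberos principal
     */
    @Override // java.security.PrivilegedExceptionAction
    public Object run() {
        try {
            GSSManager gSSManager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 GSS mechanism
            Oid krb5PrincipalName = new Oid("1.2.840.113554.1.2.2.1"); // Kerberos principal name type
            byte[] mechanismDer = krb5Mechanism.getDER();
            KerberosPrincipal kerberosPrincipal = null;
            Iterator<Principal> it = this.p.getPrincipals().iterator();
            while (kerberosPrincipal == null && it.hasNext()) {
                Principal next = it.next();
                if (next instanceof KerberosPrincipal) {
                    kerberosPrincipal = (KerberosPrincipal) next;
                }
            }
            if (kerberosPrincipal == null) {
                throw new NetException(323, "Kerberos5 adaptor found no Kerberos principal in the subject");
            }
            // NOTE(review): PropertiesExpandingStreamReader.DELIMITER looks like a decompiler
            // substitution for a string literal (expected "@" between principal and realm); the
            // original class is unlikely to depend on Apache CXF. Confirm before reusing.
            Realm realm = this.r != null
                    ? new Realm(this.r)
                    : new Realm(Realm.parseRealmAtSeparator(this.q + PropertiesExpandingStreamReader.DELIMITER + kerberosPrincipal.getRealm()));
            // Lifetime arguments are 0 and the credential usage is 1 (initiate only).
            GSSContext createContext = gSSManager.createContext(
                    gSSManager.createName(this.q + PropertiesExpandingStreamReader.DELIMITER + realm.toString(), krb5PrincipalName),
                    krb5Mechanism,
                    gSSManager.createCredential(gSSManager.createName(kerberosPrincipal.getName(), krb5PrincipalName), 0, krb5Mechanism, 1),
                    0);
            boolean mutualAuth = "true".equals((String) this.e.profile.get("oracle.net.kerberos5_mutual_authentication"));
            createContext.requestMutualAuth(mutualAuth);
            createContext.requestConf(false);
            createContext.requestInteg(false);
            createContext.requestCredDeleg(true);
            byte[] initSecContext = createContext.initSecContext(new byte[0], 0, 0);
            // The first 17 bytes of the GSS token are dropped; the remainder is later parsed as an
            // AP-REQ by a(GSSContext, byte[]). A token shorter than 17 bytes is not handled.
            byte[] apReq = new byte[initSecContext.length - 17];
            System.arraycopy(initSecContext, 17, apReq, 0, apReq.length);
            byte[] address = InetAddress.getLocalHost().getAddress();
            this.e.ano.a(39 + address.length + 4 + apReq.length, this.i);
            b(4);
            this.d.a(2);
            this.d.a(4L);
            this.d.a(address);
            this.d.a(apReq);
            this.d.a();
            this.e.ano.c();
            int[] header = Service.a(this.d);
            this.d.e();
            if (mutualAuth) {
                // header[1] is presumably the number of items in the reply; fewer than two means
                // the server sent nothing to verify.
                if (header[1] < 2) {
                    throw new NetException(323, "Mutual authentication failed during Kerberos5 authentication");
                }
                byte[] reply = this.d.l();
                // Re-frame the reply as a GSS token: mechanism OID, the two bytes 02 00, then the
                // reply bytes, wrapped in a constructed application tag 0.
                byte[] framed = new byte[mechanismDer.length + 2 + reply.length];
                System.arraycopy(mechanismDer, 0, framed, 0, mechanismDer.length);
                framed[mechanismDer.length] = 2;
                framed[mechanismDer.length + 1] = 0;
                System.arraycopy(reply, 0, framed, mechanismDer.length + 2, reply.length);
                byte[] byteArray = new DerValue(DerValue.createTag((byte) 64, true, (byte) 0), framed).toByteArray();
                try {
                    createContext.initSecContext(byteArray, 0, byteArray.length);
                    if (!createContext.getMutualAuthState()) {
                        throw new NetException(323, "Mutual authentication failed during Kerberos5 authentication");
                    }
                } catch (GSSException e) {
                    NetException netException = new NetException(323, e.getMessage());
                    netException.initCause(e);
                    throw netException;
                }
            }
            if (!createContext.isEstablished()) {
                throw new NetException(323, "Kerberos5 adaptor couldn't create context");
            }
            byte[] delegated = a(createContext, apReq);
            if (delegated == null) {
                // No delegated credential: an empty value is sent in its place.
                delegated = new byte[0];
            }
            this.e.ano.a(25 + delegated.length, this.i);
            b(1);
            this.d.a(delegated);
            this.d.a();
            return null;
        } catch (GSSException e2) {
            NetException netException2 = new NetException(323, e2.getMessage());
            netException2.initCause(e2);
            throw netException2;
        }
    }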

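    /**
     * Extracts the delegated credential (KRB-CRED) from the client's own AP-REQ and re-encrypts
     * its encrypted part under the service-ticket session key.
     *
     * <p>Only runs when the context reports that credential delegation is in effect. The session
     * key is taken from a non-{@code krbtgt} ticket among the subject's private credentials, the
     * authenticator is decrypted with key usage 11, and the delegation field is read from the
     * authenticator checksum: a little-endian length at offsets 26-27 followed by the KRB-CRED
     * bytes from offset 28. The KRB-CRED encrypted part (key usage 14) is decrypted first with
     * {@code EncryptionKey.NULL_KEY}, then with the session key if that fails.
     *
     * <p>Changes from the decompiled original:
     * <ul>
     *   <li>Private credentials that are not {@code KerberosTicket} instances are skipped instead
     *       of causing a {@code ClassCastException}; the subject may come from the caller's
     *       access-control context and hold other credential types.</li>
     *   <li>The checksum is required to hold the two length bytes and the announced number of
     *       credential bytes. The original checked only {@code length >= 26} before reading
     *       offsets 26, 27 and beyond.</li>
     * </ul>
     *
     * <p>NOTE(review): when several service tickets are cached, the last one iterated supplies the
     * key, which is not necessarily the ticket used for this context; when none is found the key
     * is built from type -1 and null bytes. Session-key bytes are not cleared after use.
     *
     * @param gSSContext established context; consulted only for its delegation state
     * @param bArr the AP-REQ bytes sent to the server
     * @return the re-encoded KRB-CRED, or null when delegation is off or the checksum carries no
     *     complete delegation field
     */
    private final byte[] a(GSSContext gSSContext, byte[] bArr) {
        if (!gSSContext.getCredDelegState()) {
            return null;
        }
        byte[] sessionKeyBytes = null;
        int sessionKeyType = -1;
        for (Object credential : this.p.getPrivateCredentials().toArray()) {
            if (!(credential instanceof KerberosTicket)) {
                continue;
            }
            KerberosTicket kerberosTicket = (KerberosTicket) credential;
            String serverName = kerberosTicket.getServer().getName();
            byte[] encoded = kerberosTicket.getSessionKey().getEncoded();
            int keyType = kerberosTicket.getSessionKeyType();
            // Ticket-granting tickets are skipped; the key must belong to a service ticket.
            if (!serverName.startsWith("krbtgt")) {
                sessionKeyBytes = encoded;
                sessionKeyType = keyType;
            }
        }
        APReq aPReq = new APReq(bArr);
        EncryptionKey encryptionKey = new EncryptionKey(sessionKeyType, sessionKeyBytes);
        byte[] checksum = new Authenticator(a(aPReq.authenticator, aPReq.authenticator.decrypt(encryptionKey, 11), true)).getChecksum().getBytes();
        if (checksum.length < 28) {
            // Too short to contain the delegation length field.
            return null;
        }
        int credLength = ((checksum[27] & 255) << 8) + (checksum[26] & 255);
        if (credLength > checksum.length - 28) {
            // Announced length exceeds the bytes actually present.
            return null;
        }
        byte[] credBytes = new byte[credLength];
        System.arraycopy(checksum, 28, credBytes, 0, credLength);
        KRBCred kRBCred = new KRBCred(credBytes);
        byte[] decrypt;
        try {
            decrypt = kRBCred.encPart.decrypt(EncryptionKey.NULL_KEY, 14);
        } catch (Exception unused) {
            decrypt = kRBCred.encPart.decrypt(encryptionKey, 14);
        }
        return new KRBCred(kRBCred.tickets, new EncryptedData(encryptionKey, a(kRBCred.encPart, decrypt, true), 14)).asn1Encode();
    }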

    /**
     * Invokes the reflectively resolved {@code EncryptedData.reset} method held in {@code m}.
     *
     * <p>When the resolved method takes a single parameter only the first argument is passed;
     * otherwise all arguments are forwarded. Reflection failures are swallowed and reported as
     * null. A null {@code m} (lookup failed in {@code i()}) is not guarded against.
     *
     * @param encryptedData receiver of the call
     * @param objArr arguments; callers in this class pass the decrypted bytes and {@code true}
     * @return the method's result, or null when the invocation fails
     */
    private static byte[] a(EncryptedData encryptedData, Object... objArr) {
        try {
            if (m.getParameterTypes().length == 1) {
                return (byte[]) m.invoke(encryptedData, objArr[0]);
            }
            return (byte[]) m.invoke(encryptedData, objArr);
        } catch (IllegalAccessException ignored) {
            return null;
        } catch (InvocationTargetException ignored) {
            return null;
        }
    }

    /**
     * Looks up {@code sun.security.krb5.EncryptedData.reset} by reflection.
     *
     * <p>The two-parameter form {@code reset(byte[], boolean)} is tried first and the
     * one-parameter form {@code reset(byte[])} second, so the class works against either shape of
     * this JDK-internal API.
     *
     * @return the resolved method, or null when the class or both method forms are missing
     */
    private static Method i() {
        final Class<?> encryptedDataClass;
        try {
            encryptedDataClass = Class.forName("sun.security.krb5.EncryptedData");
        } catch (ClassNotFoundException e) {
            return null;
        }
        try {
            return encryptedDataClass.getDeclaredMethod("reset", byte[].class, Boolean.TYPE);
        } catch (NoSuchMethodException unused) {
            // Two-parameter form absent: fall back to the single-parameter form below.
        }
        try {
            return encryptedDataClass.getDeclaredMethod("reset", byte[].class);
        } catch (NoSuchMethodException e2) {
            return null;
        }
    }

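    /**
     * Hook inherited from {@code Service} that performs no work for this service.
     *
     * <p>The decompiled body only copied {@code this.o} into a local that was never read; that
     * dead local has been removed.
     */
    @Override // oracle.net.ano.Service
    final void f() {
        // Nothing to do.
    }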

    /**
     * Transforms a password for the RADIUS adaptor by delegating to {@code oracle.net.aso.b.c}.
     *
     * <p>NOTE(review): the transformation itself is not visible in this file. The method name says
     * "obfuscate", so the output should not be assumed to give cryptographic protection unless
     * the implementation of {@code b.c} is reviewed.
     *
     * @param bArr password bytes
     * @return whatever {@code b.c} returns for the input
     */
    public static final byte[] obfuscatePasswordForRadius(byte[] bArr) {
        final byte[] transformed = b.c(bArr);
        return transformed;
    }
}
