package com.ibm.security.krb5.wss;

import com.ibm.misc.HexDumpEncoder;
import com.ibm.security.auth.callback.CcacheFileTextInputCallback;
import com.ibm.security.auth.callback.DefaultCcacheTextInputCallback;
import com.ibm.security.auth.callback.DefaultKeytabTextInputCallback;
import com.ibm.security.auth.callback.KeytabFileTextInputCallback;
import com.ibm.security.jgss.TokenHeader;
import com.ibm.security.jgss.i18n.I18NException;
import com.ibm.security.krb5.Checksum;
import com.ibm.security.krb5.Credentials;
import com.ibm.security.krb5.EncryptedData;
import com.ibm.security.krb5.EncryptionKey;
import com.ibm.security.krb5.HostAddresses;
import com.ibm.security.krb5.KDCOptions;
import com.ibm.security.krb5.KrbException;
import com.ibm.security.krb5.PrincipalName;
import com.ibm.security.krb5.internal.APOptions;
import com.ibm.security.krb5.internal.APReq;
import com.ibm.security.krb5.internal.Authenticator;
import com.ibm.security.krb5.internal.AuthorizationData;
import com.ibm.security.krb5.internal.Config;
import com.ibm.security.krb5.internal.EncKrbCredPart;
import com.ibm.security.krb5.internal.HostAddress;
import com.ibm.security.krb5.internal.KRBCred;
import com.ibm.security.krb5.internal.KerberosTime;
import com.ibm.security.krb5.internal.KrbCredInfo;
import com.ibm.security.krb5.internal.LocalSeqNumber;
import com.ibm.security.krb5.internal.ServiceName;
import com.ibm.security.krb5.internal.Ticket;
import com.ibm.security.krb5.wss.util.Debug;
import com.ibm.ws.wssecurity.util.KRBTokenProfileConstants;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.UnknownHostException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import javax.crypto.KeyGenerator;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/security/krb5/wss/KerberosTokenGenerator.class */
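/**
 * Builds the Kerberos token that the WS-Security Kerberos token profile places in a request:
 * either a bare AP-REQ or an AP-REQ wrapped in a GSS-API initial-context token header.
 *
 * <p>Lifecycle: {@link #init(Map)} reads the configuration, {@link #invoke(Map)} obtains client
 * credentials (delegated KRB-CRED bytes, a supplied or JAAS-created {@link Subject}, or the
 * credential cache), acquires a service ticket, builds the AP-REQ and finally publishes the
 * token, the session/sub-session keys, the Subject and the service ticket into the caller's
 * context map.
 *
 * <p>Not thread-safe: every call sequence mutates instance state (keys, tokens, subject).
 */
public class KerberosTokenGenerator {
    private static final String debugPrefix = "KerberosTokenGenerator: ";
    /** GSS_C_DELEG_FLAG bit of the RFC 4121 checksum "Flags" field. */
    private static final int DELEG_FLAG = 1;
    private static final int WRAPPED = 1;
    private static final int NOT_WRAPPED = 0;
    /** Key usage number for the AP-REQ authenticator (RFC 4120 section 7.5.1). */
    private static final int KD_AP_REQ_AUTHN = 11;
    /** Checksum type 0x8003, the GSS-API Kerberos checksum of RFC 4121 section 4.1.1. */
    public static final int CKSUMTYPE_KRB = 32771;
    private static final int TOK_ID_LEN = 2;
    /** TOK_ID for an AP-REQ inside a GSS initial-context token (RFC 4121 section 4.1). */
    private static final byte[] AP_REQ_TOK_ID = {1, 0};
    /** Shared CSPRNG for sub-session keys and the initial authenticator sequence number. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    private boolean isWrapped;
    private Subject subject;
    private byte[] gssWrappedToken;
    private byte[] apReqToken;
    private String clientRealmName;
    private String serviceRealmName;
    private String clientName;
    private String serviceName;
    private Integer wrapped;
    private boolean useSubject;
    // Plain-text JAAS password from configuration; a String cannot be wiped after use.
    private String jaasClientPassword;
    private String jaasLoginConf;
    private byte[] delegatedCreds;
    private int sessionKey4DelegateType;
    // Session key of the service ticket; also encrypts the KRB-CRED built for delegation.
    private EncryptionKey sessionKey = null;
    // Locally generated sub-session key carried in the authenticator; reused across invocations.
    private EncryptionKey localSubKey = null;
    private Debug debug = new Debug();
    private boolean useDelegatedCreds = false;
    private byte[] sessionKey4Delegate = null;
    private KerberosTicket serviceTicket = null;

    /**
     * Callback handler that answers a JAAS login non-interactively with a fixed user name and
     * password and ignores prompts for keytab/ccache locations.
     *
     * <p>Call {@link #nukeEm()} once the login has completed to overwrite the password copy
     * held here ({@link PasswordCallback#setPassword} clones the array, so wiping it does not
     * affect the login module).
     */
    public class NullPrompter implements CallbackHandler {
        private String userName;
        private char[] authenticator;

        private NullPrompter() {
        }

        /**
         * @param str  user name handed to {@link NameCallback}
         * @param cArr password handed to {@link PasswordCallback}; wiped by {@link #nukeEm()}
         */
        public NullPrompter(String str, char[] cArr) {
            this.userName = str;
            this.authenticator = cArr;
        }

        /** Drops the user name and overwrites every character of the password array. */
        public void nukeEm() {
            this.userName = null;
            // Guard: the no-arg constructor leaves the array null.
            if (this.authenticator != null) {
                for (int i = 0; i < this.authenticator.length; i++) {
                    this.authenticator[i] = ' ';
                }
            }
        }

        /**
         * Fills name and password callbacks; silently accepts output and ccache/keytab callbacks;
         * logs anything else instead of rejecting it with {@link UnsupportedCallbackException}.
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof TextOutputCallback
                        || callback instanceof CcacheFileTextInputCallback
                        || callback instanceof DefaultCcacheTextInputCallback
                        || callback instanceof DefaultKeytabTextInputCallback
                        || callback instanceof KeytabFileTextInputCallback) {
                    continue; // nothing to answer for these prompts
                }
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.userName);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.authenticator);
                } else {
                    KerberosTokenGenerator.this.debug.out(5, "KerberosTokenGenerator: Unrecognized Callback :" + callback);
                }
            }
        }
    }

    /**
     * Privileged lookup of a {@link KerberosTicket} in the generator's Subject whose client
     * principal equals {@code clientPrinc} and whose server principal starts with
     * {@code serviceStarts} (e.g. {@code "krbtgt"} for the TGT). Private credentials are searched
     * before public ones; {@code null} is returned when nothing matches.
     */
    public class SubjectCredFinder implements PrivilegedExceptionAction<KerberosTicket> {
        private String clientPrinc;
        private String serviceStarts;

        public SubjectCredFinder(String str, String str2) {
            this.clientPrinc = str;
            this.serviceStarts = str2;
        }

        /**
         * @return the first matching ticket, or {@code null}
         * @throws GSSException with major code 13 (NO_CRED) when no Subject is available
         */
        @Override // java.security.PrivilegedExceptionAction
        public KerberosTicket run() throws GSSException {
            try {
                if (KerberosTokenGenerator.this.subject == null && KerberosTokenGenerator.this.useSubject) {
                    // Fall back to the Subject bound to the caller's access-control context.
                    final AccessControlContext context = AccessController.getContext();
                    KerberosTokenGenerator.this.subject = AccessController.doPrivileged(new PrivilegedAction<Subject>() {
                        @Override // java.security.PrivilegedAction
                        public Subject run() {
                            return Subject.getSubject(context);
                        }
                    });
                }
            } catch (Exception e) {
                KerberosTokenGenerator.this.subject = null;
            }
            if (KerberosTokenGenerator.this.subject == null) {
                I18NException.throwGSSException(13, 0, "SKFNoSubject");
            }
            KerberosTicket found = findIn(KerberosTokenGenerator.this.subject.getPrivateCredentials(KerberosTicket.class), "private");
            if (found == null) {
                found = findIn(KerberosTokenGenerator.this.subject.getPublicCredentials(KerberosTicket.class), "public");
            }
            return found;
        }

        /** Scans one credential set for the first ticket matching client and server prefix. */
        private KerberosTicket findIn(Set<KerberosTicket> tickets, String setName) {
            for (KerberosTicket ticket : tickets) {
                // NOTE(review): KerberosTicket.toString() may include the session key on some JDKs;
                // this level-5 trace should stay disabled in production.
                KerberosTokenGenerator.this.debug.out(5, "KerberosTokenGenerator: SubjectCredFinder: Found Cred from " + setName + " set: " + ticket.toString());
                if (this.clientPrinc != null
                        && ticket.getClient().toString().equals(this.clientPrinc)
                        && ticket.getServer().toString().startsWith(this.serviceStarts)) {
                    return ticket;
                }
            }
            return null;
        }
    }

    /**
     * Reads the generator configuration from {@code map}.
     *
     * <p>Realms default to the Kerberos configuration's default realm. When delegated
     * credential bytes are present, the matching session key bytes and key type are mandatory.
     *
     * @param map configuration keyed by {@link KerberosTokenConfig} constants and the literal
     *            keys {@code "serviceName"}, {@code "wrapped"} and {@code "subject"}
     * @throws IllegalStateException (declared as {@code Exception}) when a required value is
     *         missing or of the wrong type; the original failure is attached as the cause
     */
    public void init(Map map) throws Exception {
        try {
            this.clientRealmName = (String) map.get(KerberosTokenConfig.CLIENT_REALM_NAME);
            this.clientName = (String) map.get(KerberosTokenConfig.CLIENT_NAME);
            this.serviceName = (String) map.get("serviceName");
            this.serviceRealmName = (String) map.get(KerberosTokenConfig.SERVICE_REALM_NAME);
            this.wrapped = (Integer) map.get("wrapped");
            if (this.wrapped != null && this.wrapped.intValue() == WRAPPED) {
                this.isWrapped = true;
            }
            this.subject = (Subject) map.get("subject");
            if (this.subject != null) {
                setUseSubjectCredsOnly(true);
            }
            String defaultRealm = Config.getInstance().getDefaultRealm();
            if (isBlank(this.clientRealmName)) {
                this.clientRealmName = defaultRealm;
            }
            if (isBlank(this.serviceRealmName)) {
                this.serviceRealmName = defaultRealm;
            }
            if (this.clientRealmName == null || this.serviceName == null || this.serviceRealmName == null) {
                throw new IllegalStateException("Null Input values");
            }
            this.jaasClientPassword = (String) map.get(KerberosTokenConfig.CLIENTPASSWORD);
            this.jaasLoginConf = (String) map.get(KerberosTokenConfig.CLIENTLOGINCONF);
            this.delegatedCreds = (byte[]) map.get(KerberosTokenConfig.CONTEXT_DELEG_CREDS_BYTES);
            if (this.delegatedCreds != null && this.delegatedCreds.length > 0) {
                this.useDelegatedCreds = true;
                this.sessionKey4Delegate = (byte[]) map.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES);
                // Check for an absent key type before unboxing; the old "".equals(Integer) test
                // could never be true and a missing value surfaced only as a NullPointerException.
                Integer keyType = (Integer) map.get(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES_TYPE);
                if (this.sessionKey4Delegate == null || this.sessionKey4Delegate.length == 0 || keyType == null) {
                    this.debug.out(4, "KerberosTokenGenerator: sessionKey/keyType missing for delegated credentials");
                    throw new IllegalStateException("session key or key type missing for delegated credentials");
                }
                this.sessionKey4DelegateType = keyType.intValue();
            }
        } catch (Exception e) {
            throw new IllegalStateException("Invalid config parameters", e);
        }
    }

    /** True for {@code null}, empty, or whitespace-only strings. */
    private static boolean isBlank(String s) {
        return s == null || s.trim().equals("");
    }

    /**
     * Obtains client credentials, builds the configured token type and writes the results into
     * {@code map} (see {@code fillContext}).
     *
     * @param map output context map
     * @throws Exception credential acquisition, KDC exchange or encoding failures
     */
    public void invoke(Map map) throws Exception {
        Credentials clientCredentials;
        if (this.useDelegatedCreds) {
            // Unpack a KRB-CRED received from an upstream peer using the session key it was sealed with.
            clientCredentials = new KerberosCredsUtil().getClientCredentials(this.delegatedCreds, new EncryptionKey(this.sessionKey4Delegate, this.sessionKey4DelegateType, 1));
        } else {
            jaasLogin();
            clientCredentials = getClientCredentials(this.clientName);
        }
        if (this.isWrapped) {
            requestorSideGSSTokenCreation(this.serviceRealmName, this.clientName, clientCredentials, this.serviceName);
        } else {
            requestorSideAPReqCreation(this.serviceRealmName, this.clientName, clientCredentials, this.serviceName);
        }
        fillContext(map);
    }

    /**
     * Performs a JAAS login with the configured login entry and password when no Subject has
     * been supplied and subject-only mode is not already on. A login failure is logged and
     * leaves the generator in credential-cache mode rather than failing the request.
     */
    private void jaasLogin() {
        String principal = this.clientName + "@" + this.clientRealmName;
        if (this.subject != null) {
            this.debug.out(5, "KerberosTokenGenerator: Will attempt to use supplied Subject\n");
            setUseSubjectCredsOnly(true);
            return;
        }
        if (useSubjectCredsOnly() || this.jaasLoginConf == null || this.jaasClientPassword == null) {
            return;
        }
        this.debug.out(5, "KerberosTokenGenerator: Attempting to do a JAAS Login for: \n" + principal);
        NullPrompter prompter = new NullPrompter(principal, this.jaasClientPassword.toCharArray());
        try {
            LoginContext loginContext = new LoginContext(this.jaasLoginConf, prompter);
            loginContext.login();
            this.subject = loginContext.getSubject();
            setUseSubjectCredsOnly(true);
        } catch (Exception e) {
            // Deliberate best-effort: fall back to the credential cache path.
            e.printStackTrace();
            this.debug.out(5, "KerberosTokenGenerator: Failed to do a JAAS Login for: \n" + principal);
            setUseSubjectCredsOnly(false);
        } finally {
            // Wipe our copy of the password; the login module received its own clone.
            prompter.nukeEm();
        }
    }

    /**
     * Publishes the generated artifacts into the context map. Key bytes (session key and
     * sub-session key) are exported in the clear, so the map must be treated as sensitive.
     */
    private void fillContext(Map map) {
        Integer wrappedFlag = Integer.valueOf(isWrapped() ? WRAPPED : NOT_WRAPPED);
        map.put(KerberosTokenConfig.CONTEXT_WRAPPED, wrappedFlag);
        map.put(KerberosTokenConfig.CONTEXT_WRAPPED_TYPE, Integer.class.getName());
        if (this.sessionKey != null) {
            map.put(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES, this.sessionKey.getBytes());
            map.put(KerberosTokenConfig.CONTEXT_SESSION_KEY_BYTES_TYPE, Integer.valueOf(this.sessionKey.getEType()));
            map.put(KerberosTokenConfig.CONTEXT_SESSION_KEY_ENC, Integer.valueOf(getSessionKeyEncType()));
        }
        if (this.localSubKey != null) {
            map.put(KerberosTokenConfig.CONTEXT_SUB_KEY_BYTES, this.localSubKey.getBytes());
            map.put(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC, Integer.valueOf(getSubSessionKeyEncType()));
            map.put(KerberosTokenConfig.CONTEXT_SUB_KEY_ENC_TYPE, Integer.class.getName());
        }
        if (this.apReqToken != null) {
            map.put(KerberosTokenConfig.CONTEXT_APREQ_TOKEN, this.apReqToken);
            map.put(KerberosTokenConfig.CONTEXT_APREQ_TOKEN_TYPE, byte[].class.getName());
        }
        if (this.gssWrappedToken != null) {
            map.put(KerberosTokenConfig.CONTEXT_GSS_TOKEN, this.gssWrappedToken);
            map.put(KerberosTokenConfig.CONTEXT_GSS_TOKEN_TYPE, byte[].class.getName());
        }
        if (this.subject != null) {
            map.put(KerberosTokenConfig.CONTEXT_SUBJECT, this.subject);
            map.put(KerberosTokenConfig.CONTEXT_SUBJECT_TYPE, this.subject.getClass().getName());
        }
        if (this.serviceTicket != null) {
            map.put(KerberosTokenConfig.CONTEXT_SERVICE_TICKET, this.serviceTicket);
        }
    }

    /**
     * Builds the AP-REQ and wraps it in a GSS-API token header, storing the result in
     * {@code gssWrappedToken}.
     *
     * @param str         service realm
     * @param str2        client name (trace only)
     * @param credentials client (TGT) credentials
     * @param str3        service name
     */
    private void requestorSideGSSTokenCreation(String str, String str2, Credentials credentials, String str3) throws Exception {
        this.debug.out(7, "KerberosTokenGenerator: Creating an GSS Wrapped output token");
        this.debug.out(7, "KerberosTokenGenerator: The Realm name = " + str);
        this.debug.out(7, "KerberosTokenGenerator: The Client name = " + str2);
        this.debug.out(7, "KerberosTokenGenerator: The Service name = " + str3);
        try {
            APReq apReq = createAPReq(str, credentials, str3);
            this.gssWrappedToken = apReq != null ? gssWrapAPReqToken(apReq) : null;
            this.debug.out(7, "KerberosTokenGenerator: The GSS Wrapped Token DER Coded =\n" + new HexDumpEncoder().encodeBuffer(this.gssWrappedToken));
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        }
    }

    /**
     * Wraps a DER-encoded AP-REQ as an RFC 4121 initial-context token:
     * {@code TokenHeader(KerberosOID) || TOK_ID(01 00) || AP-REQ}.
     */
    private byte[] gssWrapAPReqToken(APReq aPReq) throws Exception {
        byte[] apReqBytes = aPReq.asn1Encode();
        ByteArrayOutputStream innerToken = new ByteArrayOutputStream(TOK_ID_LEN + apReqBytes.length);
        innerToken.write(AP_REQ_TOK_ID, 0, TOK_ID_LEN);
        innerToken.write(apReqBytes, 0, apReqBytes.length);
        ByteArrayOutputStream wrapped = new ByteArrayOutputStream();
        new TokenHeader(new Oid(KRBTokenProfileConstants.STR_KERBEROS_OID), innerToken.toByteArray()).asn1Encode(wrapped);
        return wrapped.toByteArray();
    }

    /**
     * Builds a bare DER-encoded AP-REQ and stores it in {@code apReqToken}.
     *
     * @param str         service realm
     * @param str2        client name (trace only)
     * @param credentials client (TGT) credentials
     * @param str3        service name
     */
    private void requestorSideAPReqCreation(String str, String str2, Credentials credentials, String str3) throws Exception {
        this.debug.out(7, "KerberosTokenGenerator: Creating an AP_REQ output token");
        this.debug.out(7, "KerberosTokenGenerator: The Realm name = " + str);
        this.debug.out(7, "KerberosTokenGenerator: The Client name = " + str2);
        this.debug.out(7, "KerberosTokenGenerator: The Service name = " + str3);
        try {
            APReq apReq = createAPReq(str, credentials, str3);
            this.apReqToken = apReq != null ? apReq.asn1Encode() : null;
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        }
    }

    /**
     * Obtains the client's TGT credentials either from the Subject (subject-only mode) or from
     * the credential cache / default credentials.
     *
     * @param str client name without realm, or {@code null} for the default credentials
     * @return non-null credentials
     * @throws GSSException with major code 11 (NO_CRED) when no usable credentials are found
     */
    private Credentials getClientCredentials(String str) throws Exception {
        KerberosTicket tgt = null;
        Credentials credentials = null;
        if (useSubjectCredsOnly()) {
            this.debug.out(5, "KerberosTokenGenerator: use creds from subject ");
            try {
                tgt = AccessController.doPrivileged(new SubjectCredFinder(str + "@" + this.clientRealmName, "krbtgt"));
            } catch (PrivilegedActionException e) {
                throw e.getException();
            }
        } else {
            try {
                if (str == null) {
                    this.debug.out(5, "KerberosTokenGenerator: acquiring default creds");
                    credentials = Credentials.acquireDefaultCreds();
                } else {
                    String clientPrincipal = str + "@" + this.clientRealmName;
                    this.debug.out(5, "KerberosTokenGenerator: acquiring creds for " + clientPrincipal);
                    credentials = Credentials.acquireCreds(clientPrincipal, (String) null);
                    // Reject cache entries that belong to a different principal than requested.
                    if (credentials != null && !credentials.getClient().toString().equals(clientPrincipal)) {
                        this.debug.out(5, "KerberosTokenGenerator: Cached creds belongs to " + credentials.getClient().toString());
                        credentials = null;
                    }
                }
            } catch (Exception e2) {
                I18NException.throwGSSException(11, 0, "NoKrbCred", new String[]{e2.toString()});
            }
        }
        if (tgt != null && credentials == null) {
            credentials = new Credentials(tgt.getEncoded(), tgt.getClient().getName(), tgt.getServer().getName(), tgt.getSessionKey().getEncoded(), tgt.getSessionKeyType(), tgt.getFlags(), tgt.getAuthTime(), tgt.getStartTime(), tgt.getEndTime(), tgt.getRenewTill(), tgt.getClientAddresses());
        }
        if (credentials == null) {
            I18NException.throwGSSException(11, 0, "NoKrbCred", new String[]{"Failed to obtain credentials for " + str + "@" + this.clientRealmName});
        }
        return credentials;
    }

    /**
     * Acquires (or reuses from the Subject) a service ticket and builds the AP-REQ with an
     * authenticator carrying the GSS checksum, a fresh sub-session key and a random initial
     * sequence number. Side effects: sets {@code serviceTicket}, {@code sessionKey} and, on first
     * use, {@code localSubKey}.
     *
     * @param str         service realm
     * @param credentials client (TGT) credentials
     * @param str2        service name
     */
    private APReq createAPReq(String str, Credentials credentials, String str2) throws Exception {
        String servicePrincipalString = str2 + "@" + str;
        try {
            Credentials serviceCreds = getServiceCredentialFromSubject();
            if (serviceCreds == null) {
                this.debug.out(5, "KerberosTokenGenerator:  found no service credential from subject, need to acquire it");
                serviceCreds = credentials.acquireSvcCreds(new PrincipalName(str2), (KDCOptions) null, (HostAddresses) null);
            }
            PrincipalName servicePrincipal = new PrincipalName(servicePrincipalString);
            this.serviceTicket = new KerberosTicket(serviceCreds.getEncoded(), new KerberosPrincipal(serviceCreds.getClient().toString()), new KerberosPrincipal(serviceCreds.getServer().toString()), serviceCreds.getSessionKey().getBytes(), serviceCreds.getSessionKey().getEType(), serviceCreds.getFlags(), serviceCreds.getAuthTime(), serviceCreds.getStartTime(), serviceCreds.getEndTime(), serviceCreds.getRenewTill(), serviceCreds.getClientAddresses());
            this.sessionKey = serviceCreds.getSessionKey();
            // AP options: bit 1 = use-session-key, bit 2 = mutual-required; both cleared.
            APOptions apOptions = new APOptions();
            apOptions.set(2, false);
            apOptions.set(1, false);
            this.debug.out(4, "KerberosTokenGenerator: The APOptions DER Coded =\n" + new HexDumpEncoder().encodeBuffer(apOptions.asn1Encode()));
            LocalSeqNumber localSeqNumber = new LocalSeqNumber();
            int initialSeq = localSeqNumber.current();
            if (initialSeq == 0) {
                // RFC 4120 section 5.5.1: the initial sequence number should be unpredictable.
                // Math.random() is not a CSPRNG; draw from SecureRandom over the same range.
                initialSeq = SECURE_RANDOM.nextInt(16384);
            }
            localSeqNumber.init(Math.abs(initialSeq));
            if (this.localSubKey == null) {
                this.localSubKey = generateSubKey(this.sessionKey);
            }
            KerberosTime now = new KerberosTime(true);
            Authenticator authenticator = new Authenticator(serviceCreds.getClient().getRealm(), serviceCreds.getClient(), new Checksum(encodeCksum(servicePrincipal, credentials, serviceCreds), CKSUMTYPE_KRB), now.getMicroSeconds(), now, this.localSubKey, Integer.valueOf(localSeqNumber.step()), (AuthorizationData) null);
            EncryptedData encryptedData = new EncryptedData(this.sessionKey, authenticator.asn1Encode(), KD_AP_REQ_AUTHN);
            APReq apReq = new APReq(apOptions, serviceCreds.getTicket(), encryptedData);
            this.debug.out(7, "KerberosTokenGenerator: The AP_REQ DER Coded =\n" + new HexDumpEncoder().encodeBuffer(apReq.asn1Encode()));
            // NOTE(review): the plaintext authenticator below carries localSubKey (and any
            // delegated KRB-CRED); this level-7 dump must never be enabled outside debugging.
            this.debug.out(7, "KerberosTokenGenerator: The Authenicator =\n" + new HexDumpEncoder().encodeBuffer(authenticator.asn1Encode()));
            this.debug.out(7, "KerberosTokenGenerator: The encrypted Authenicator enc type=\n" + encryptedData.encTypeToString() + " " + encryptedData.getEType());
            return apReq;
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        }
    }

    /**
     * Encodes the RFC 4121 section 4.1.1 checksum field of the authenticator:
     * {@code Lgth(16) || Bnd(16 zero bytes) || Flags || [Dlgopt(1) || Dlgth || Deleg]}, all
     * integers little-endian.
     *
     * @param principalName target service principal (used for the KRB-CRED addresses)
     * @param credentials   client TGT credentials (source of the forwarded ticket)
     * @param credentials2  service credentials (used for the delegation trust check)
     * @throws GSSException major code 11 on any encoding error
     */
    private byte[] encodeCksum(PrincipalName principalName, Credentials credentials, Credentials credentials2) throws GSSException {
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            writeAll(out, intToBytes(16));
            writeAll(out, encodeNull());
            // NOTE(review): GSS_C_DELEG_FLAG is set unconditionally here, even when getDelgCreds()
            // returns null and no Deleg field follows; confirm the acceptor tolerates this.
            writeAll(out, intToBytes(DELEG_FLAG));
            KRBCred delgCreds = getDelgCreds(principalName, credentials, credentials2);
            if (delgCreds != null) {
                byte[] krbCred = delgCreds.asn1Encode();
                writeAll(out, intToBytes(1, 2));
                writeAll(out, intToBytes(krbCred.length, 2));
                writeAll(out, krbCred);
            }
            return out.toByteArray();
        } catch (Exception e) {
            I18NException.throwGSSException(11, 0, "CksumEncodingError", new String[]{e.toString()});
            return null;
        }
    }

    /** Appends the whole array to {@code out}. */
    private static void writeAll(ByteArrayOutputStream out, byte[] data) {
        out.write(data, 0, data.length);
    }

    /**
     * Little-endian encoding of the low {@code i2} bytes of {@code i}.
     *
     * @param i  value to encode
     * @param i2 number of bytes; values outside 0..4 are treated as 4, 0 yields {@code null}
     */
    static byte[] intToBytes(int i, int i2) {
        int width = (i2 > 4 || i2 < 0) ? 4 : i2;
        if (width == 0) {
            return null;
        }
        byte[] encoded = new byte[width];
        int value = i;
        for (int idx = 0; idx < width; idx++) {
            encoded[idx] = (byte) (value & 255);
            value >>>= 8;
        }
        return encoded;
    }

    /** Four-byte little-endian encoding of {@code i}. */
    static byte[] intToBytes(int i) {
        return intToBytes(i, 4);
    }

    /** The 16-byte all-zero "Bnd" field used when no channel bindings are supplied. */
    private byte[] encodeNull() {
        // A new Java array is already zero-filled.
        byte[] bindings = new byte[16];
        this.debug.out(4, "Encoded null channel binding");
        return bindings;
    }

    /** Selects whether credentials are taken only from the Subject. */
    public void setUseSubjectCredsOnly(boolean z) {
        this.useSubject = z;
    }

    private boolean useSubjectCredsOnly() {
        return this.useSubject;
    }

    /**
     * Generates a fresh sub-session key of the same enctype as {@code encryptionKey}.
     * Key sizes: AES128 (17) → 128 bit, AES256 (18) → 256 bit, RC4-HMAC → same length as the
     * session key, otherwise the algorithm default.
     */
    private EncryptionKey generateSubKey(EncryptionKey encryptionKey) throws Exception {
        int eType = encryptionKey.getEType();
        String algorithm;
        if (EncryptedData.isRc4HMacEncType(eType)) {
            algorithm = "RC4";
        } else if (eType == 16) {
            algorithm = "Desede";
        } else if (eType == 17 || eType == 18) {
            algorithm = "AES";
        } else {
            algorithm = "DES";
        }
        KeyGenerator keyGenerator = KeyGenerator.getInstance(algorithm);
        if (eType == 17) {
            keyGenerator.init(128, SECURE_RANDOM);
        } else if (eType == 18) {
            keyGenerator.init(256, SECURE_RANDOM);
        } else if (EncryptedData.isRc4HMacEncType(eType)) {
            keyGenerator.init(encryptionKey.getBytes().length << 3, SECURE_RANDOM);
        } else {
            keyGenerator.init(SECURE_RANDOM);
        }
        return new EncryptionKey(keyGenerator.generateKey().getEncoded(), eType, encryptionKey.getKeyVersionNumber());
    }

    private boolean isWrapped() {
        return this.isWrapped;
    }

    /** Enctype of the service-ticket session key, or 0 when none has been acquired. */
    private int getSessionKeyEncType() {
        return this.sessionKey != null ? this.sessionKey.getEType() : 0;
    }

    /** Enctype of the local sub-session key, or 0 when none has been generated. */
    private int getSubSessionKeyEncType() {
        return this.localSubKey != null ? this.localSubKey.getEType() : 0;
    }

    /**
     * Builds the KRB-CRED carrying a forwarded TGT for delegation to the service, or returns
     * {@code null} when the client credentials are not forwardable or (with
     * {@code check_delegate=1} in {@code [libdefaults]}) the service is not trusted for
     * delegation. In subject-only mode the forwarded ticket and the service keys are also
     * stored in the caller's Subject.
     *
     * @throws GSSException major code 11 on Kerberos or encoding failures
     */
    private KRBCred getDelgCreds(PrincipalName principalName, Credentials credentials, Credentials credentials2) throws GSSException {
        if (!credentials.isForwardable()) {
            this.debug.out(5, "The client credentials are not forwardable");
            return null;
        }
        this.debug.out(5, "The client credentials are forwardable");
        try {
            int checkDelegate = Config.getInstance().getDefaultIntValue("check_delegate", "libdefaults");
            this.debug.out(5, "check_delegate=" + checkDelegate);
            if (checkDelegate == 1) {
                // Only delegate to peers marked OK-AS-DELEGATE when the check is enabled.
                if (!credentials2.checkDelegate()) {
                    this.debug.out(5, "Peer not trusted for delegation");
                    return null;
                }
                this.debug.out(5, "Peer  trusted for delegation");
            }
            this.debug.out(5, "Delegating creds");
            // KDC options: bit 1 = forwardable, bit 2 = forwarded.
            KDCOptions kdcOptions = new KDCOptions();
            kdcOptions.set(2, true);
            kdcOptions.set(1, true);
            String clientRealm = credentials.getClient().getRealmString();
            ServiceName tgtService = new ServiceName("krbtgt", clientRealm, clientRealm);
            HostAddresses hostAddresses = null;
            try {
                hostAddresses = new HostAddresses(principalName);
            } catch (Exception ignored) {
                // Best-effort: an unresolvable host leaves the forwarded TGT address-less.
            }
            Credentials forwardedTgt = credentials.acquireSvcCreds(tgtService, kdcOptions, hostAddresses);
            if (useSubjectCredsOnly()) {
                storeForwardedCredsInSubject(forwardedTgt, credentials2);
            }
            this.debug.out(5, "Packaging creds for delegation to server " + principalName);
            return createKRBCred(hostAddresses, forwardedTgt);
        } catch (KrbException e3) {
            // Subclass handler must precede the general one, or the compiler rejects it.
            if (this.debug.on(5)) {
                e3.printStackTrace();
            }
            I18NException.throwGSSException(11, e3.returnCode(), "KrbErrorCredFormat", new Integer[]{Integer.valueOf(e3.returnCode())});
            return null;
        } catch (Exception e2) {
            if (this.debug.on(5)) {
                e2.printStackTrace();
            }
            I18NException.throwGSSException(11, 0, "ErrorCredFormat", new String[]{e2.toString()});
            return null;
        }
    }

    /**
     * Adds the forwarded TGT and the service's keys to the private credentials of the Subject
     * bound to the current access-control context; no-op when that Subject is absent or
     * read-only.
     */
    private void storeForwardedCredsInSubject(Credentials forwardedTgt, Credentials serviceCreds) throws Exception {
        final AccessControlContext context = AccessController.getContext();
        final Subject ctxSubject = AccessController.doPrivileged(new PrivilegedAction<Subject>() {
            @Override // java.security.PrivilegedAction
            public Subject run() {
                return Subject.getSubject(context);
            }
        });
        if (ctxSubject == null || ctxSubject.isReadOnly()) {
            this.debug.out(5, "Subject is readOnly;Kerberos Delegate Service ticket not stored");
            return;
        }
        // NOTE(review): the stored ticket is built with the service ticket's session key
        // (this.sessionKey) rather than forwardedTgt.getSessionKey(); preserved as-is, confirm intent.
        final KerberosTicket forwardedTicket = new KerberosTicket(forwardedTgt.getEncoded(), new KerberosPrincipal(forwardedTgt.getClient().toString()), new KerberosPrincipal(forwardedTgt.getServer().toString()), this.sessionKey.getBytes(), this.sessionKey.getEType(), forwardedTgt.getFlags(), forwardedTgt.getAuthTime(), forwardedTgt.getStartTime(), forwardedTgt.getEndTime(), forwardedTgt.getRenewTill(), forwardedTgt.getClientAddresses());
        EncryptionKey[] serviceKeys = serviceCreds.getServiceKeys();
        KerberosKey[] kerberosKeys = null;
        if (serviceKeys != null) {
            kerberosKeys = new KerberosKey[serviceKeys.length];
            KerberosPrincipal keyPrincipal = new KerberosPrincipal(serviceCreds.getClient().toString());
            for (int i = 0; i < serviceKeys.length; i++) {
                Integer kvno = serviceKeys[i].getKeyVersionNumber();
                kerberosKeys[i] = new KerberosKey(keyPrincipal, serviceKeys[i].getBytes(), serviceKeys[i].getEType(), kvno != null ? kvno.intValue() : 0);
            }
        }
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override // java.security.PrivilegedAction
            public Void run() {
                ctxSubject.getPrivateCredentials().add(forwardedTicket);
                return null;
            }
        });
        if (kerberosKeys != null) {
            if (this.debug.on(5)) {
                this.debug.out(5, "Attempting to add " + kerberosKeys.length + " Kerberos key(s) to Subject");
            }
            int added = 0;
            Set<Object> privateCredentials = ctxSubject.getPrivateCredentials();
            for (KerberosKey key : kerberosKeys) {
                if (privateCredentials.add(key)) {
                    added++;
                    if (this.debug.on(5)) {
                        this.debug.out(5, "added key of type " + EncryptedData.encTypeToString(key.getKeyType()));
                    }
                } else if (this.debug.on(5)) {
                    this.debug.out(5, "key of type " + EncryptedData.encTypeToString(key.getKeyType()) + " already exists in Subject");
                }
            }
            if (this.debug.on(5)) {
                this.debug.out(5, "Successfully added " + added + " keys to Subject.");
            }
        }
        this.debug.out(5, "Kerberos Service ticket stored in subject");
        this.debug.out(5, "Kerberos Delegate Service ticket stored in subject");
    }

    /**
     * Packages {@code credentials} as a KRB-CRED whose EncKrbCredPart is sealed with the
     * service-ticket session key (key usage 14, RFC 4120 section 7.5.1).
     *
     * @param hostAddresses recipient addresses placed in the EncKrbCredPart, may be {@code null}
     * @param credentials   the forwarded TGT credentials
     */
    private KRBCred createKRBCred(HostAddresses hostAddresses, Credentials credentials) throws KrbException, UnknownHostException, Exception {
        Date authTime = credentials.getAuthTime();
        Date startTime = credentials.getStartTime();
        Date endTime = credentials.getEndTime();
        Date renewTill = credentials.getRenewTill();
        KrbCredInfo[] credInfo = {new KrbCredInfo(credentials.getSessionKey(), credentials.getClient().getRealm(), credentials.getClient(), credentials.getTicketFlags(), toKerberosTime(authTime), toKerberosTime(startTime), toKerberosTime(endTime), toKerberosTime(renewTill), credentials.getTicket().getRealm(), credentials.getTicket().getServer(), new HostAddresses(credentials.getClientAddresses()))};
        Ticket[] tickets = {credentials.getTicket()};
        KerberosTime now = new KerberosTime(true);
        EncKrbCredPart encPart = new EncKrbCredPart(credInfo, now, Integer.valueOf(now.getMicroSeconds()), Integer.valueOf((int) now.getTime()), new HostAddress(), hostAddresses);
        EncryptionKey key = getSessionKey();
        // The original code had identical branches for DES and non-DES session keys; usage 14 for both.
        return new KRBCred(tickets, new EncryptedData(key, encPart.asn1Encode(), 14));
    }

    /** Converts a nullable {@link Date} to a {@link KerberosTime}, passing {@code null} through. */
    private static KerberosTime toKerberosTime(Date date) {
        return date != null ? new KerberosTime(date) : null;
    }

    private EncryptionKey getSessionKey() {
        return this.sessionKey;
    }

    /**
     * In subject-only mode, looks for a service ticket for the configured client and service in
     * the Subject and converts it to {@link Credentials}.
     *
     * @return the credentials, or {@code null} when not in subject-only mode, no ticket matches,
     *         or the ticket could not be converted (logged, not propagated)
     */
    private Credentials getServiceCredentialFromSubject() throws GSSException {
        if (!useSubjectCredsOnly()) {
            return null;
        }
        KerberosTicket ticket;
        try {
            ticket = AccessController.doPrivileged(new SubjectCredFinder(this.clientName + "@" + this.clientRealmName, this.serviceName));
        } catch (PrivilegedActionException e3) {
            throw e3.getException();
        }
        if (ticket == null) {
            return null;
        }
        try {
            // NOTE(review): KerberosTicket.toString() may include the session key on some JDKs.
            this.debug.out(4, "KerberosTokenGenerator: Found KerberosTicket from subject =\n" + ticket.toString());
            return new Credentials(ticket.getEncoded(), ticket.getClient().getName(), ticket.getServer().getName(), ticket.getSessionKey().getEncoded(), ticket.getSessionKeyType(), ticket.getFlags(), ticket.getAuthTime(), ticket.getStartTime(), ticket.getEndTime(), ticket.getRenewTill(), ticket.getClientAddresses());
        } catch (IOException | KrbException e) {
            // Best-effort: an unconvertible ticket falls back to acquiring fresh service creds.
            e.printStackTrace();
            return null;
        }
    }
}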
