package com.sap.db.util.security;

import com.sap.db.jdbc.ConnectionSapDB;
import com.sap.db.jdbc.exceptions.SQLExceptionSapDB;
import com.sap.db.jdbc.packet.DataPartAuthentication;
import com.sap.db.util.MessageKey;
import com.sap.db.util.StructuredBytes;
import com.sap.db.util.Tracer;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.sql.SQLException;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/sap/db/util/security/GSSAuthentication.class */
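/**
 * Client side of the "GSS" authentication method: drives a Kerberos v5
 * {@link GSSContext} as initiator and frames the resulting tokens for the
 * database's authentication parts.
 *
 * <p>Every message built here is {@code pack(mechanism OID, message type, ...)},
 * where the message type is one of the constants below.
 *
 * <p>Decompiled source: locals were named by this review, and the visibility of
 * several members was widened by the decompiler (noted per method).
 */
public class GSSAuthentication extends AbstractAuthenticationMethod {
    // Message-type byte carried in the second field of every GSS message.
    static final int REJECT = 0;
    static final int SERVICE_PRINCIPAL_NAME_REQUEST = 1;
    static final int SERVICE_PRINCIPAL_NAME_REPLY = 2;
    static final int UNESTABLISHED_REQUEST = 3;
    static final int UNESTABLISHED_REPLY = 4;
    static final int ESTABLISHED_REQUEST = 5;
    static final int ESTABLISHED_REPLY = 6;
    static final int CONNECT_REPLY = 7;
    // Values for m_state. Only c_init is ever assigned in this class.
    static final int c_init = 0;
    static final int c_unestablished = 1;
    static final int c_established = 2;
    Oid m_krb5Oid;
    GSSManager m_manager;
    int m_state;
    private ConnectionSapDB connection;
    // Subject stored on the connection; when non-null, GSS calls run under Subject.doAs.
    private Subject authenticatedSubject;
    // Subject of the caller's access-control context, handed to the connection on completion.
    private Subject currentContextSubject;
    GSSContext m_context = null;
    // Last client message of the handshake; stays null until an ESTABLISHED_REPLY was accepted.
    byte[] m_finalData = null;
    private String userName = null;

    /* loaded from: input_file:com/sap/db/util/security/GSSAuthentication$EvaluateAuthReplyAction.class */
    /**
     * Runs {@link #evaluateAuthReplyInternal} inside {@code Subject.doAs}. The result or
     * the SQLException is parked in fields because {@code run()} cannot throw it.
     */
    private class EvaluateAuthReplyAction implements PrivilegedAction {
        private DataPartAuthentication input;
        private Tracer tracer;
        byte[] result;
        SQLException exception;
        private final GSSAuthentication this$0;

        public EvaluateAuthReplyAction(GSSAuthentication gSSAuthentication, DataPartAuthentication dataPartAuthentication, Tracer tracer) {
            this.this$0 = gSSAuthentication;
            this.input = dataPartAuthentication;
            this.tracer = tracer;
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                this.result = this.this$0.evaluateAuthReplyInternal(this.input, this.tracer);
            } catch (SQLException e) {
                this.exception = e;
            }
            return null;
        }
    }

    /* loaded from: input_file:com/sap/db/util/security/GSSAuthentication$GetInitialDataAction.class */
    /**
     * Runs {@link #getInitialDataInternal} inside {@code Subject.doAs}; same
     * result/exception hand-over as {@link EvaluateAuthReplyAction}.
     */
    private class GetInitialDataAction implements PrivilegedAction {
        private byte[] pass;
        private byte[] result;
        private SQLException exception;
        private final GSSAuthentication this$0;

        public GetInitialDataAction(GSSAuthentication gSSAuthentication, byte[] bArr) {
            this.this$0 = gSSAuthentication;
            this.pass = bArr;
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                this.result = this.this$0.getInitialDataInternal(this.pass);
            } catch (SQLException e) {
                this.exception = e;
            }
            return null;
        }
    }

    /**
     * Prepares the GSS manager and the Kerberos v5 mechanism OID and picks up the
     * subject already stored on the connection, if any.
     *
     * @param tracer optional trace sink; may be {@code null}
     * @param connectionSapDB connection this authentication belongs to
     * @throws GSSException if the mechanism OID cannot be constructed
     */
    public GSSAuthentication(Tracer tracer, ConnectionSapDB connectionSapDB) throws GSSException {
        if (tracer != null) {
            tracer.println("Property: java.security.auth.login.config=" + System.getProperty("java.security.auth.login.config", "not set"));
            tracer.println("Property: javax.security.auth.useSubjectCredsOnly=" + System.getProperty("javax.security.auth.useSubjectCredsOnly", "not set"));
        }
        this.m_manager = GSSManager.getInstance();
        // 1.2.840.113554.1.2.2 is the Kerberos v5 GSS-API mechanism.
        this.m_krb5Oid = new Oid("1.2.840.113554.1.2.2");
        this.m_state = c_init;
        this.connection = connectionSapDB;
        this.authenticatedSubject = this.connection.getAuthenticatedSubject();
        // NOTE(review): as decompiled, the current-context Subject is captured only when
        // a tracer is attached, so on untraced connections onAuthenticationCompleted()
        // passes null to the connection. Security state should not depend on tracing;
        // confirm against the original bytecode before changing it.
        if (tracer != null) {
            if (this.authenticatedSubject != null) {
                tracer.println("Reusing connection subject");
            } else {
                this.currentContextSubject = Subject.getSubject(AccessController.getContext());
                tracer.println("Using current access context subject");
            }
        }
    }

    /** Mechanism OID in dotted form as bytes; uses the platform charset (the OID is plain ASCII). */
    private byte[] krb5OidBytes() {
        return this.m_krb5Oid.toString().getBytes();
    }

    /** Builds the REJECT message that every refused handshake step returns. */
    private byte[] reject() {
        return pack(new byte[][]{krb5OidBytes(), new byte[]{REJECT}});
    }

    /** Re-parses the current field of {@code outer} as a nested authentication part. */
    private static DataPartAuthentication unwrapGssPart(DataPartAuthentication outer) {
        return new DataPartAuthentication(new StructuredBytes(outer.getBytes(outer.getCurrentOffset(), outer.getCurrentFieldLen())), 1);
    }

    /** Advances to the next field or fails with the wrong-packet-format error. */
    private static void requireGssField(DataPartAuthentication part) throws SQLException {
        if (!part.nextField()) {
            throw SQLExceptionSapDB.generateSQLException(MessageKey.ERROR_PACKET_WRONGPACKETFORMAT);
        }
    }

    /** Reads the current field of {@code part} as a string. */
    private static String gssFieldString(DataPartAuthentication part) {
        return part.getBase().getString(part.getCurrentOffset(), part.getCurrentFieldLen());
    }

    /** Reads the current field of {@code part} as raw bytes. */
    private static byte[] gssFieldBytes(DataPartAuthentication part) {
        return part.getBase().getBytes(part.getCurrentOffset(), part.getCurrentFieldLen());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Processes one server reply of the handshake, under the connection's subject
     * when one is available.
     *
     * @return the next client message, or {@code null} once the final data is ready
     * @throws SQLException if the reply is malformed
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public byte[] evaluateAuthReply(DataPartAuthentication dataPartAuthentication, Tracer tracer) throws SQLException {
        if (this.authenticatedSubject == null) {
            return evaluateAuthReplyInternal(dataPartAuthentication, tracer);
        }
        EvaluateAuthReplyAction action = new EvaluateAuthReplyAction(this, dataPartAuthentication, tracer);
        Subject.doAs(this.authenticatedSubject, action);
        if (action.exception != null) {
            throw action.exception;
        }
        return action.result;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Handshake step. Reply layout as read here: mechanism OID, message type, an
     * optional token and, for SERVICE_PRINCIPAL_NAME_REPLY, the service principal
     * name plus an optional user name.
     *
     * <p>All strings and tokens in the reply come from the peer and are not yet
     * authenticated. They are also written to the trace unescaped.
     *
     * @return the next client message (possibly a REJECT message), or {@code null}
     *         after {@code m_finalData} has been set
     * @throws SQLException if a mandatory field is missing
     */
    public byte[] evaluateAuthReplyInternal(DataPartAuthentication dataPartAuthentication, Tracer tracer) throws SQLException {
        DataPartAuthentication reply = unwrapGssPart(dataPartAuthentication);
        requireGssField(reply);
        String mechanism = gssFieldString(reply);
        if (!mechanism.equals(this.m_krb5Oid.toString())) {
            if (tracer != null) {
                tracer.println("Reject GSS Authentication - wrong OID found " + mechanism + ", expected " + this.m_krb5Oid.toString());
            }
            return reject();
        }
        requireGssField(reply);
        byte messageType = reply.getBase().getInt1(reply.getCurrentOffset());
        byte[] token = null;
        if (reply.nextField()) {
            token = gssFieldBytes(reply);
        } else if (messageType != ESTABLISHED_REPLY) {
            // Only the final reply may omit the token field.
            throw SQLExceptionSapDB.generateSQLException(MessageKey.ERROR_PACKET_WRONGPACKETFORMAT);
        }
        if (messageType == SERVICE_PRINCIPAL_NAME_REPLY) {
            requireGssField(reply);
            String servicePrincipal = gssFieldString(reply);
            if (tracer != null) {
                tracer.println("GSS Authentication - received SPN " + servicePrincipal);
            }
            try {
                if (reply.nextField()) {
                    this.userName = gssFieldString(reply);
                    if (tracer != null) {
                        tracer.println("GSS Authentication - received user name " + this.userName);
                    }
                }
            } catch (Exception e) {
                // The user name is optional, so a broken field must not abort the
                // handshake; it is traced instead of being dropped silently.
                if (tracer != null) {
                    tracer.println("GSS Authentication - optional user name field could not be read");
                    tracer.traceException(e);
                }
            }
            try {
                // NOTE(review): the target principal is whatever the peer announced, so
                // mutual authentication only proves that the peer holds the key for the
                // name it chose. No check against the configured host is visible here;
                // confirm whether the caller constrains acceptable SPNs.
                this.m_context = this.m_manager.createContext(this.m_manager.createName(servicePrincipal, (Oid) null), this.m_krb5Oid, (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
                this.m_context.requestMutualAuth(true);
                this.m_context.requestConf(true);
                this.m_context.requestInteg(true);
                // The first initSecContext call takes an empty input token.
                token = new byte[0];
            } catch (Exception e) {
                if (tracer != null) {
                    tracer.println("Reject GSS Authentication");
                    tracer.traceException(e);
                }
                return reject();
            }
        }
        if (messageType == UNESTABLISHED_REPLY || messageType == SERVICE_PRINCIPAL_NAME_REPLY) {
            try {
                // An UNESTABLISHED_REPLY that arrives before any context exists fails
                // here with a NullPointerException and is rejected by the catch below.
                byte[] outToken = this.m_context.initSecContext(token, 0, token.length);
                if (outToken != null) {
                    return this.m_context.isEstablished()
                            ? pack(new byte[][]{krb5OidBytes(), new byte[]{ESTABLISHED_REQUEST}, outToken})
                            : pack(new byte[][]{krb5OidBytes(), new byte[]{UNESTABLISHED_REQUEST}, outToken});
                }
                if (tracer != null) {
                    tracer.print("Reject GSS Authentication due to protocol error");
                }
                return reject();
            } catch (Exception e) {
                if (tracer != null) {
                    tracer.println("Reject GSS Authentication");
                    tracer.traceException(e);
                }
                return reject();
            }
        }
        if (messageType != ESTABLISHED_REPLY) {
            if (tracer != null) {
                tracer.println("Reject GSS Authentication - no suitable communication type (found: " + messageType + ")");
            }
            return reject();
        }
        if (token == null) {
            // A token-less ESTABLISHED_REPLY is only acceptable when the local context
            // has already completed. Without this check the peer could end the handshake
            // before mutual authentication finished, or before a context even exists.
            if (this.m_context == null || !this.m_context.isEstablished()) {
                if (tracer != null) {
                    tracer.println("Reject GSS Authentication - communication type 6 but not established");
                }
                return reject();
            }
            this.m_finalData = pack(new byte[][]{krb5OidBytes(), new byte[]{ESTABLISHED_REQUEST}});
            return null;
        }
        try {
            byte[] lastToken = this.m_context.initSecContext(token, 0, token.length);
            if (!this.m_context.isEstablished()) {
                if (tracer != null) {
                    tracer.println("Reject GSS Authentication - communication type 6 but not established");
                }
                return reject();
            }
            this.m_finalData = lastToken == null
                    ? pack(new byte[][]{krb5OidBytes(), new byte[]{ESTABLISHED_REQUEST}})
                    : pack(new byte[][]{krb5OidBytes(), new byte[]{ESTABLISHED_REQUEST}, lastToken});
            return null;
        } catch (Exception e) {
            if (tracer != null) {
                tracer.println("Reject GSS Authentication");
                tracer.traceException(e);
            }
            return reject();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the final client message prepared by the handshake. Both parameters
     * are ignored by this method.
     *
     * @throws SQLException if no ESTABLISHED_REPLY has been accepted yet
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public byte[] getFinalData(String str, boolean z) throws SQLException {
        if (this.m_finalData != null) {
            return this.m_finalData;
        }
        throw SQLExceptionSapDB.generateSQLException(MessageKey.ERROR_CONNECTION_GSSAUTHENTICATIONERROR, "GSS Protokoll error, context is still unestablished.");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Name under which this method is announced. */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public String getMethodName() {
        return "GSS";
    }

    /**
     * Serialises fields as: 2-byte field count, then per field a length prefix and
     * the bytes. Lengths up to 250 use one byte; longer fields use the marker 255
     * followed by a 2-byte length.
     *
     * <p>NOTE(review): a field longer than the 2-byte length can express is not
     * guarded against here; how putInt2 treats such a value is not visible.
     */
    private byte[] pack(byte[][] bArr) {
        int total = 2;
        for (byte[] field : bArr) {
            total += field.length + (field.length <= 250 ? 1 : 3);
        }
        StructuredBytes out = new StructuredBytes(total);
        out.putInt2(bArr.length, 0);
        int pos = 2;
        for (byte[] field : bArr) {
            int len = field.length;
            if (len <= 250) {
                out.putInt1(len, pos);
                pos += 1;
            } else {
                out.putInt1(255, pos);
                out.putInt2(len, pos + 1);
                pos += 3;
            }
            out.putBytes(field, pos);
            pos += len;
        }
        return out.bytes();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reads the reply to the connect request.
     *
     * @return the session cookie of a CONNECT_REPLY, {@code null} for any other
     *         message type, or a REJECT message if the mechanism OID does not match
     * @throws SQLException if a mandatory field is missing
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public byte[] evaluateConnectReply(DataPartAuthentication dataPartAuthentication, Tracer tracer) throws SQLException {
        DataPartAuthentication reply = unwrapGssPart(dataPartAuthentication);
        requireGssField(reply);
        String mechanism = gssFieldString(reply);
        if (!mechanism.equals(this.m_krb5Oid.toString())) {
            if (tracer != null) {
                tracer.println("Reject GSS Authentication - wrong OID found " + mechanism + ", expected " + this.m_krb5Oid.toString());
            }
            return reject();
        }
        requireGssField(reply);
        if (reply.getBase().getInt1(reply.getCurrentOffset()) != CONNECT_REPLY) {
            return null;
        }
        requireGssField(reply);
        byte[] sessionCookie = gssFieldBytes(reply);
        if (tracer != null) {
            // Only the event is traced, never the cookie value.
            tracer.println("GSS Authentication - received session cookie");
        }
        return sessionCookie;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the first client message, under the connection's subject when one is
     * available.
     *
     * @param bArr passed through to {@link #getInitialDataInternal}, which ignores it
     * @throws SQLException if the local credential cannot be obtained
     */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public byte[] getInitialData(byte[] bArr) throws SQLException {
        if (this.authenticatedSubject == null) {
            return getInitialDataInternal(bArr);
        }
        GetInitialDataAction action = new GetInitialDataAction(this, bArr);
        Subject.doAs(this.authenticatedSubject, action);
        if (action.exception != null) {
            throw action.exception;
        }
        return action.result;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Builds the SERVICE_PRINCIPAL_NAME_REQUEST: mechanism OID, message type, the
     * name type of the local initiator credential and its canonical name.
     *
     * @param bArr unused
     * @throws SQLException wrapping any failure to obtain or canonicalise the credential
     */
    public byte[] getInitialDataInternal(byte[] bArr) throws SQLException {
        try {
            GSSName initiator = this.m_manager.createCredential(GSSCredential.INITIATE_ONLY).getName().canonicalize(this.m_krb5Oid);
            // NOTE(review): getBytes() uses the platform charset; a non-ASCII principal
            // name would be encoded differently per host. Confirm the expected encoding.
            return pack(new byte[][]{krb5OidBytes(), new byte[]{SERVICE_PRINCIPAL_NAME_REQUEST}, initiator.getStringNameType().toString().getBytes(), initiator.toString().getBytes()});
        } catch (Exception e) {
            // GSSException and every other failure map to the same driver error.
            throw SQLExceptionSapDB.generateSQLException(MessageKey.ERROR_CONNECTION_GSSAUTHENTICATIONERROR, e.toString());
        }
    }

    /** User name taken from the SERVICE_PRINCIPAL_NAME_REPLY, or {@code null} if none was sent. */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public String getUserNameFromServer() {
        return this.userName;
    }

    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public boolean supportsReconnect() {
        return true;
    }

    /** Stores the subject captured in the constructor on the connection (may be {@code null}). */
    @Override // com.sap.db.util.security.AbstractAuthenticationMethod
    public void onAuthenticationCompleted() {
        this.connection.setAuthenticatedSubject(this.currentContextSubject);
    }
}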
