package org.apache.directory.server.kerberos.kdc.ticketgrant;

import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Collections;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.server.kerberos.kdc.KdcContext;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.shared.KerberosUtils;
import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.io.decoder.ApplicationRequestDecoder;
import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.KdcReply;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.KerberosMessage;
import org.apache.directory.server.kerberos.shared.messages.TicketGrantReply;
import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.AuthorizationData;
import org.apache.directory.server.kerberos.shared.messages.value.Checksum;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
import org.apache.directory.server.kerberos.shared.messages.value.LastRequest;
import org.apache.directory.server.kerberos.shared.messages.value.PaData;
import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlag;
import org.apache.directory.server.kerberos.shared.messages.value.types.PaDataType;
import org.apache.directory.server.kerberos.shared.replay.InMemoryReplayCache;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:apacheds-protocol-kerberos-1.5.7.jar:org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.class
 */
/* loaded from: input_file:org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.class */
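/**
 * Static pipeline that answers a Kerberos Ticket-Granting Service (TGS) request.
 *
 * <p>{@link #execute(TicketGrantingContext)} runs the steps in a fixed order: validate the
 * protocol version, negotiate an encryption type, extract the PA-TGS-REQ header and the ticket
 * it carries, check the ticket is addressed to this KDC, verify the authenticator, optionally
 * verify the request-body checksum, build the new ticket and finally seal the reply. All working
 * state travels in the {@link TicketGrantingContext}; every step reads what earlier steps stored
 * there, so the order of the calls is part of the security logic.
 *
 * <p>The replay cache, cipher handler and checksum handler are single static instances shared by
 * every request. NOTE(review): {@code configureTicketGranting} rewrites the shared replay cache's
 * clock skew on each request, so with more than one KDC configuration in the same JVM the last
 * writer wins - confirm this is acceptable for the deployment.
 */
public class TicketGrantingService {
    private static final String SERVICE_NAME = "Ticket-Granting Service (TGS)";
    private static final Logger LOG = LoggerFactory.getLogger(TicketGrantingService.class);
    private static final InMemoryReplayCache replayCache = new InMemoryReplayCache();
    private static final CipherTextHandler cipherTextHandler = new CipherTextHandler();
    private static final ChecksumHandler checksumHandler = new ChecksumHandler();

    /**
     * Processes one TGS request end to end and leaves the sealed reply in the context.
     *
     * @param ticketGrantingContext request, configuration, principal store and client address;
     *                              also receives every intermediate result and the final reply
     * @throws Exception a {@link KerberosException} carrying the protocol error for any failed
     *                   check, or whatever the decoder / crypto helpers throw
     */
    public static void execute(TicketGrantingContext ticketGrantingContext) throws Exception {
        if (LOG.isDebugEnabled()) {
            monitorRequest(ticketGrantingContext);
        }
        configureTicketGranting(ticketGrantingContext);
        selectEncryptionType(ticketGrantingContext);
        getAuthHeader(ticketGrantingContext);
        // verifyTgt only looks at the ticket's realm and server name; the ticket is not
        // decrypted and authenticated until verifyTgtAuthHeader has run.
        verifyTgt(ticketGrantingContext);
        getTicketPrincipalEntry(ticketGrantingContext);
        verifyTgtAuthHeader(ticketGrantingContext);
        verifyBodyChecksum(ticketGrantingContext);
        getRequestPrincipalEntry(ticketGrantingContext);
        generateTicket(ticketGrantingContext);
        buildReply(ticketGrantingContext);
        if (LOG.isDebugEnabled()) {
            // Diagnostics run before sealReply, so they see the reply fields in clear form.
            monitorContext(ticketGrantingContext);
            monitorReply(ticketGrantingContext);
        }
        sealReply(ticketGrantingContext);
    }

    /**
     * Installs the shared replay cache and cipher handler in the context and rejects any
     * request whose protocol version is not 5.
     *
     * @throws KerberosException {@code KDC_ERR_BAD_PVNO} for a non-v5 request
     */
    private static void configureTicketGranting(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        // The replay cache is static: this call changes the skew for every in-flight request.
        replayCache.setClockSkew(ticketGrantingContext.getConfig().getAllowableClockSkew());
        ticketGrantingContext.setReplayCache(replayCache);
        ticketGrantingContext.setCipherTextHandler(cipherTextHandler);
        if (ticketGrantingContext.getRequest().getProtocolVersionNumber() != 5) {
            throw new KerberosException(ErrorType.KDC_ERR_BAD_PVNO);
        }
    }

    /**
     * Writes the incoming request's header fields to the debug log.
     *
     * <p>Logged values are the client address, nonce, options, principals, encryption types,
     * realm, times and host addresses; no key or ciphertext is appended. Any exception raised
     * while formatting is caught and logged at error level, so this method never aborts the
     * exchange despite its {@code throws} clause.
     */
    private static void monitorRequest(KdcContext kdcContext) throws Exception {
        KdcRequest request = kdcContext.getRequest();
        try {
            String hostAddress = kdcContext.getClientAddress().getHostAddress();
            StringBuffer stringBuffer = new StringBuffer();
            stringBuffer.append("Received Ticket-Granting Service (TGS) request:");
            stringBuffer.append("\n\tmessageType:           " + request.getMessageType());
            stringBuffer.append("\n\tprotocolVersionNumber: " + request.getProtocolVersionNumber());
            stringBuffer.append("\n\tclientAddress:         " + hostAddress);
            stringBuffer.append("\n\tnonce:                 " + request.getNonce());
            stringBuffer.append("\n\tkdcOptions:            " + request.getKdcOptions());
            stringBuffer.append("\n\tclientPrincipal:       " + request.getClientPrincipal());
            stringBuffer.append("\n\tserverPrincipal:       " + request.getServerPrincipal());
            stringBuffer.append("\n\tencryptionType:        " + KerberosUtils.getEncryptionTypesString(request.getEType()));
            stringBuffer.append("\n\trealm:                 " + request.getRealm());
            stringBuffer.append("\n\tfrom time:             " + request.getFrom());
            stringBuffer.append("\n\ttill time:             " + request.getTill());
            stringBuffer.append("\n\trenew-till time:       " + request.getRtime());
            stringBuffer.append("\n\thostAddresses:         " + request.getAddresses());
            LOG.debug(stringBuffer.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_153, new Object[0]), (Throwable) e);
        }
    }

    /**
     * Picks the encryption type for the new ticket from the intersection of what the client
     * requested and what the KDC configuration allows, and stores it in the context.
     *
     * @throws Exception {@code KDC_ERR_ETYPE_NOSUPP} (as {@link KerberosException}) when the
     *                   two lists share no type
     */
    private static void selectEncryptionType(TicketGrantingContext ticketGrantingContext) throws Exception {
        EncryptionType bestEncryptionType = KerberosUtils.getBestEncryptionType(ticketGrantingContext.getRequest().getEType(), ticketGrantingContext.getConfig().getEncryptionTypes());
        // Reject first, log second: the debug line should only ever name a type that is in use.
        if (bestEncryptionType == null) {
            throw new KerberosException(ErrorType.KDC_ERR_ETYPE_NOSUPP);
        }
        LOG.debug("Session will use encryption type {}.", bestEncryptionType);
        ticketGrantingContext.setEncryptionType(bestEncryptionType);
    }

    /**
     * Locates the PA-TGS-REQ pre-authentication entry, decodes it as an application request and
     * stores both the request and the ticket it carries in the context.
     *
     * <p>When several PA-TGS-REQ entries are present the last one is used. Null array elements
     * are skipped instead of causing a {@code NullPointerException}.
     *
     * @throws Exception {@code KDC_ERR_PADATA_TYPE_NOSUPP} (as {@link KerberosException}) when
     *                   no PA-TGS-REQ entry exists, or whatever the decoder throws on bad input
     */
    private static void getAuthHeader(TicketGrantingContext ticketGrantingContext) throws Exception {
        PaData[] preAuthData = ticketGrantingContext.getRequest().getPreAuthData();
        if (preAuthData == null || preAuthData.length < 1) {
            throw new KerberosException(ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP);
        }
        byte[] encodedAuthHeader = null;
        for (PaData paData : preAuthData) {
            // preAuthData comes from the decoded client message; tolerate a null slot.
            if (paData != null && paData.getPaDataType() == PaDataType.PA_TGS_REQ) {
                encodedAuthHeader = paData.getPaDataValue();
            }
        }
        if (encodedAuthHeader == null) {
            throw new KerberosException(ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP);
        }
        ApplicationRequest decode = new ApplicationRequestDecoder().decode(encodedAuthHeader);
        Ticket ticket = decode.getTicket();
        ticketGrantingContext.setAuthHeader(decode);
        ticketGrantingContext.setTgt(ticket);
    }

    /**
     * Checks that the presented ticket is addressed to this KDC.
     *
     * <p>The ticket's realm must equal the configured primary realm, and its server name must
     * equal either the KDC's own service principal or the server principal named in the
     * request. The second alternative admits a ticket issued for the requested service itself.
     * These comparisons use fields read before the ticket has been decrypted; authenticity is
     * established later by {@code verifyTgtAuthHeader}.
     *
     * @throws KerberosException {@code KRB_AP_ERR_NOT_US} when either comparison fails
     */
    public static void verifyTgt(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        KdcServer config = ticketGrantingContext.getConfig();
        Ticket tgt = ticketGrantingContext.getTgt();
        if (!tgt.getRealm().equals(config.getPrimaryRealm())) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_NOT_US);
        }
        String name = tgt.getServerPrincipal().getName();
        String name2 = ticketGrantingContext.getRequest().getServerPrincipal().getName();
        if (!name.equals(config.getServicePrincipal().getName()) && !name.equals(name2)) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_NOT_US);
        }
    }

    /**
     * Loads the store entry of the principal the presented ticket was issued for; its key map
     * supplies the key used to verify that ticket.
     *
     * @throws KerberosException {@code KDC_ERR_S_PRINCIPAL_UNKNOWN} is the error handed to the
     *                           lookup helper for a missing entry
     */
    private static void getTicketPrincipalEntry(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        ticketGrantingContext.setTicketPrincipalEntry(KerberosUtils.getEntry(ticketGrantingContext.getTgt().getServerPrincipal(), ticketGrantingContext.getStore(), ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN));
    }

    /**
     * Verifies the PA-TGS-REQ header against the presented ticket and stores the resulting
     * authenticator in the context.
     *
     * <p>The verification itself (decryption, clock skew, replay and address checks) is
     * delegated to {@code KerberosUtils.verifyAuthHeader}; this method only gathers its inputs.
     */
    private static void verifyTgtAuthHeader(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        ApplicationRequest authHeader = ticketGrantingContext.getAuthHeader();
        Ticket tgt = ticketGrantingContext.getTgt();
        // Key is selected by the encryption type the ticket itself declares. The lookup can
        // return null when the principal holds no key of that type.
        // NOTE(review): confirm verifyAuthHeader rejects a null server key.
        EncryptionKey serverKey = ticketGrantingContext.getTicketPrincipalEntry().getKeyMap().get(tgt.getEncPart().getEType());
        ticketGrantingContext.setAuthenticator(KerberosUtils.verifyAuthHeader(
            authHeader,
            tgt,
            serverKey,
            ticketGrantingContext.getConfig().getAllowableClockSkew(),
            ticketGrantingContext.getReplayCache(),
            ticketGrantingContext.getConfig().isEmptyAddressesAllowed(),
            ticketGrantingContext.getClientAddress(),
            ticketGrantingContext.getCipherTextHandler(),
            KeyUsage.NUMBER7,
            // KDC option bit 31 (VALIDATE in RFC 4120) is passed through as the last argument.
            ticketGrantingContext.getRequest().getKdcOptions().get(31)));
    }

    /**
     * Verifies the authenticator's checksum over the raw request body, when the configuration
     * asks for it.
     *
     * <p>With {@code isBodyChecksumVerified()} off this method does nothing, and nothing else in
     * this class ties the request body (options, times, addresses, target principal) to the
     * authenticated header.
     *
     * @throws KerberosException {@code KRB_AP_ERR_INAPP_CKSUM} when the checksum, its type, its
     *                           value or the body bytes are missing; otherwise whatever the
     *                           checksum handler throws on mismatch
     */
    private static void verifyBodyChecksum(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        if (ticketGrantingContext.getConfig().isBodyChecksumVerified()) {
            byte[] bodyBytes = ticketGrantingContext.getRequest().getBodyBytes();
            Checksum checksum = ticketGrantingContext.getAuthenticator().getChecksum();
            if (checksum == null || checksum.getChecksumType() == null || checksum.getChecksumValue() == null || bodyBytes == null) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_INAPP_CKSUM);
            }
            LOG.debug("Verifying body checksum type '{}'.", checksum.getChecksumType());
            // NOTE(review): the key argument is null, so a keyed checksum type cannot be checked
            // against the ticket's session key here - confirm how ChecksumHandler treats keyed
            // types and whether weak unkeyed types should be refused. RFC 4120 section 7.5.1
            // lists key usage 6 for this checksum; NUMBER8 is kept as found.
            checksumHandler.verifyChecksum(checksum, bodyBytes, null, KeyUsage.NUMBER8);
        }
    }

    /**
     * Loads the store entry of the service the client is requesting a ticket for.
     *
     * @throws KerberosException {@code KDC_ERR_S_PRINCIPAL_UNKNOWN} is the error handed to the
     *                           lookup helper for a missing entry
     */
    public static void getRequestPrincipalEntry(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        ticketGrantingContext.setRequestPrincipalEntry(KerberosUtils.getEntry(ticketGrantingContext.getRequest().getServerPrincipal(), ticketGrantingContext.getStore(), ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN));
    }

    /**
     * Builds the new service ticket and stores it in the context.
     *
     * <p>Statement order matters. {@code processFlags} may copy the whole presented ticket
     * (validate case) before the fresh session key is set, so that key is replaced. In the renew
     * case {@code processTimes} copies the presented ticket after the fresh key, the client
     * principal and any merged authorization data were set, so the renewed ticket carries the
     * presented ticket's session key, flags and authorization data instead.
     *
     * @throws KerberosException {@code KDC_ERR_BADOPTION} when option bit 28 is set,
     *                           {@code KDC_ERR_ETYPE_NOSUPP} when the target service has no key
     *                           of the negotiated type, or any policy / time error raised by
     *                           the helpers
     */
    private static void generateTicket(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        KdcRequest request = ticketGrantingContext.getRequest();
        Ticket tgt = ticketGrantingContext.getTgt();
        Authenticator authenticator = ticketGrantingContext.getAuthenticator();
        CipherTextHandler cipherTextHandler2 = ticketGrantingContext.getCipherTextHandler();
        KerberosPrincipal serverPrincipal = request.getServerPrincipal();
        EncryptionKey encryptionKey = ticketGrantingContext.getRequestPrincipalEntry().getKeyMap().get(ticketGrantingContext.getEncryptionType());
        KdcServer config = ticketGrantingContext.getConfig();
        EncTicketPartModifier encTicketPartModifier = new EncTicketPartModifier();
        encTicketPartModifier.setClientAddresses(tgt.getEncTicketPart().getClientAddresses());
        processFlags(config, request, tgt, encTicketPartModifier);
        encTicketPartModifier.setSessionKey(RandomKeyFactory.getRandomKey(ticketGrantingContext.getEncryptionType()));
        // The client identity always comes from the verified ticket, never from the request body.
        encTicketPartModifier.setClientPrincipal(tgt.getEncTicketPart().getClientPrincipal());
        if (request.getEncAuthorizationData() != null) {
            // RFC 4120 section 5.4.1: enc-authorization-data is encrypted under the
            // authenticator's sub-session key if there is one, otherwise under the session key
            // of the presented ticket. Without the fallback a request with no sub-key handed a
            // null key to unseal().
            EncryptionKey authorizationDataKey = authenticator.getSubSessionKey();
            if (authorizationDataKey == null) {
                authorizationDataKey = tgt.getEncTicketPart().getSessionKey();
            }
            // NOTE(review): RFC 4120 section 7.5.1 assigns key usage 4 to the session-key case
            // and 5 to the sub-key case; the sub-key path still uses NUMBER4 as found - confirm
            // against the clients this KDC has to interoperate with.
            AuthorizationData authorizationData = (AuthorizationData) cipherTextHandler2.unseal(AuthorizationData.class, authorizationDataKey, request.getEncAuthorizationData(), KeyUsage.NUMBER4);
            // Client-supplied entries are merged with those already in the presented ticket.
            AuthorizationData tgtAuthorizationData = tgt.getEncTicketPart().getAuthorizationData();
            if (tgtAuthorizationData != null) {
                authorizationData.add(tgtAuthorizationData);
            }
            encTicketPartModifier.setAuthorizationData(authorizationData);
        }
        processTransited(encTicketPartModifier, tgt);
        processTimes(config, request, encTicketPartModifier, tgt);
        EncTicketPart encTicketPart = encTicketPartModifier.getEncTicketPart();
        // Option bit 28 (ENC-TKT-IN-SKEY in RFC 4120) is not supported and is always refused.
        if (request.getOption(28)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }
        // The negotiated type is chosen from the client's list and the KDC's list only; the
        // target service may still hold no key of that type. Fail with a protocol error rather
        // than passing a null key to seal().
        if (encryptionKey == null) {
            throw new KerberosException(ErrorType.KDC_ERR_ETYPE_NOSUPP);
        }
        Ticket ticket = new Ticket(serverPrincipal, cipherTextHandler2.seal(encryptionKey, encTicketPart, KeyUsage.NUMBER2));
        ticket.setEncTicketPart(encTicketPart);
        ticketGrantingContext.setNewTicket(ticket);
    }

    /**
     * Assembles the unencrypted TGS reply from the new ticket and the request nonce and stores
     * it in the context. {@code renewTill} is copied only when the new ticket is renewable.
     */
    private static void buildReply(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        KdcRequest request = ticketGrantingContext.getRequest();
        Ticket tgt = ticketGrantingContext.getTgt();
        Ticket newTicket = ticketGrantingContext.getNewTicket();
        TicketGrantReply ticketGrantReply = new TicketGrantReply();
        ticketGrantReply.setClientPrincipal(tgt.getEncTicketPart().getClientPrincipal());
        ticketGrantReply.setTicket(newTicket);
        ticketGrantReply.setKey(newTicket.getEncTicketPart().getSessionKey());
        // Echoing the nonce lets the client match the reply to its request.
        ticketGrantReply.setNonce(request.getNonce());
        ticketGrantReply.setLastRequest(new LastRequest());
        ticketGrantReply.setFlags(newTicket.getEncTicketPart().getFlags());
        ticketGrantReply.setClientAddresses(newTicket.getEncTicketPart().getClientAddresses());
        ticketGrantReply.setAuthTime(newTicket.getEncTicketPart().getAuthTime());
        ticketGrantReply.setStartTime(newTicket.getEncTicketPart().getStartTime());
        ticketGrantReply.setEndTime(newTicket.getEncTicketPart().getEndTime());
        ticketGrantReply.setServerPrincipal(newTicket.getServerPrincipal());
        if (newTicket.getEncTicketPart().getFlags().isRenewable()) {
            ticketGrantReply.setRenewTill(newTicket.getEncTicketPart().getRenewTill());
        }
        ticketGrantingContext.setReply(ticketGrantReply);
    }

    /**
     * Encrypts the reply for the client.
     *
     * <p>The authenticator's sub-session key is used with key usage 9 when the client supplied
     * one; otherwise the presented ticket's session key is used with key usage 8.
     */
    private static void sealReply(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        TicketGrantReply ticketGrantReply = (TicketGrantReply) ticketGrantingContext.getReply();
        Ticket tgt = ticketGrantingContext.getTgt();
        CipherTextHandler cipherTextHandler2 = ticketGrantingContext.getCipherTextHandler();
        Authenticator authenticator = ticketGrantingContext.getAuthenticator();
        ticketGrantReply.setEncPart(authenticator.getSubSessionKey() != null ? cipherTextHandler2.seal(authenticator.getSubSessionKey(), ticketGrantReply, KeyUsage.NUMBER9) : cipherTextHandler2.seal(tgt.getEncTicketPart().getSessionKey(), ticketGrantReply, KeyUsage.NUMBER8));
    }

    /**
     * Writes the verification context (clock skew, checksum type, addresses, both principal
     * entries, ticket key type and service key version) to the debug log.
     *
     * <p>Only the key <em>version</em> is logged, not key bytes. The method dereferences the
     * authenticator checksum and the key-map entry without null checks; any resulting exception
     * is caught and reported at error level, and the exchange continues.
     */
    private static void monitorContext(TicketGrantingContext ticketGrantingContext) {
        try {
            Ticket tgt = ticketGrantingContext.getTgt();
            long allowableClockSkew = ticketGrantingContext.getConfig().getAllowableClockSkew();
            ChecksumType checksumType = ticketGrantingContext.getAuthenticator().getChecksum().getChecksumType();
            InetAddress clientAddress = ticketGrantingContext.getClientAddress();
            HostAddresses clientAddresses = tgt.getEncTicketPart().getClientAddresses();
            // True when the ticket's address list names the address the request arrived from.
            boolean z = false;
            if (tgt.getEncTicketPart().getClientAddresses() != null) {
                z = tgt.getEncTicketPart().getClientAddresses().contains(new HostAddress(clientAddress));
            }
            StringBuffer stringBuffer = new StringBuffer();
            stringBuffer.append("Monitoring Ticket-Granting Service (TGS) context:");
            stringBuffer.append("\n\tclockSkew              " + allowableClockSkew);
            stringBuffer.append("\n\tchecksumType           " + checksumType);
            stringBuffer.append("\n\tclientAddress          " + clientAddress);
            stringBuffer.append("\n\tclientAddresses        " + clientAddresses);
            stringBuffer.append("\n\tcaddr contains sender  " + z);
            // First group: the service named in the request.
            KerberosPrincipal serverPrincipal = ticketGrantingContext.getRequest().getServerPrincipal();
            PrincipalStoreEntry requestPrincipalEntry = ticketGrantingContext.getRequestPrincipalEntry();
            stringBuffer.append("\n\tprincipal              " + serverPrincipal);
            stringBuffer.append("\n\tcn                     " + requestPrincipalEntry.getCommonName());
            stringBuffer.append("\n\trealm                  " + requestPrincipalEntry.getRealmName());
            stringBuffer.append("\n\tprincipal              " + requestPrincipalEntry.getPrincipal());
            stringBuffer.append("\n\tSAM type               " + requestPrincipalEntry.getSamType());
            // Second group: the principal the presented ticket was issued for.
            KerberosPrincipal serverPrincipal2 = ticketGrantingContext.getTgt().getServerPrincipal();
            PrincipalStoreEntry ticketPrincipalEntry = ticketGrantingContext.getTicketPrincipalEntry();
            stringBuffer.append("\n\tprincipal              " + serverPrincipal2);
            stringBuffer.append("\n\tcn                     " + ticketPrincipalEntry.getCommonName());
            stringBuffer.append("\n\trealm                  " + ticketPrincipalEntry.getRealmName());
            stringBuffer.append("\n\tprincipal              " + ticketPrincipalEntry.getPrincipal());
            stringBuffer.append("\n\tSAM type               " + ticketPrincipalEntry.getSamType());
            EncryptionType eType = ticketGrantingContext.getTgt().getEncPart().getEType();
            int keyVersion = ticketPrincipalEntry.getKeyMap().get(eType).getKeyVersion();
            stringBuffer.append("\n\tTicket key type        " + eType);
            stringBuffer.append("\n\tService key version    " + keyVersion);
            LOG.debug(stringBuffer.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_154, new Object[0]), (Throwable) e);
        }
    }

    /**
     * Writes the outgoing reply's header fields to the debug log. Does nothing when the reply
     * in the context is not a {@link KdcReply}; formatting errors are caught and logged.
     */
    private static void monitorReply(KdcContext kdcContext) {
        KerberosMessage reply = kdcContext.getReply();
        if (reply instanceof KdcReply) {
            KdcReply kdcReply = (KdcReply) reply;
            try {
                StringBuffer stringBuffer = new StringBuffer();
                stringBuffer.append("Responding with Ticket-Granting Service (TGS) reply:");
                stringBuffer.append("\n\tmessageType:           " + kdcReply.getMessageType());
                stringBuffer.append("\n\tprotocolVersionNumber: " + kdcReply.getProtocolVersionNumber());
                stringBuffer.append("\n\tnonce:                 " + kdcReply.getNonce());
                stringBuffer.append("\n\tclientPrincipal:       " + kdcReply.getClientPrincipal());
                stringBuffer.append("\n\tclient realm:          " + kdcReply.getClientRealm());
                stringBuffer.append("\n\tserverPrincipal:       " + kdcReply.getServerPrincipal());
                stringBuffer.append("\n\tserver realm:          " + kdcReply.getServerRealm());
                stringBuffer.append("\n\tauth time:             " + kdcReply.getAuthTime());
                stringBuffer.append("\n\tstart time:            " + kdcReply.getStartTime());
                stringBuffer.append("\n\tend time:              " + kdcReply.getEndTime());
                stringBuffer.append("\n\trenew-till time:       " + kdcReply.getRenewTill());
                stringBuffer.append("\n\thostAddresses:         " + kdcReply.getClientAddresses());
                LOG.debug(stringBuffer.toString());
            } catch (Exception e) {
                LOG.error(I18n.err(I18n.ERR_155, new Object[0]), (Throwable) e);
            }
        }
    }

    /**
     * Derives the new ticket's flags from the request options and the presented ticket.
     *
     * <p>Each requested capability must be enabled in the KDC configuration (otherwise
     * {@code KDC_ERR_POLICY}) and already granted by the presented ticket (otherwise
     * {@code KDC_ERR_BADOPTION}), so a client cannot widen its rights through this exchange.
     * Option numbers are KDCOptions bit positions as listed in RFC 4120.
     *
     * @param kdcServer             KDC policy switches
     * @param kdcRequest            request whose option bits are evaluated
     * @param ticket                presented, already verified ticket
     * @param encTicketPartModifier builder for the new ticket; flags, addresses and start time
     *                              are written here
     * @throws KerberosException on any policy or option violation described above
     */
    private static void processFlags(KdcServer kdcServer, KdcRequest kdcRequest, Ticket ticket, EncTicketPartModifier encTicketPartModifier) throws KerberosException {
        // PRE_AUTHENT is inherited from the presented ticket, never requested.
        if (ticket.getEncTicketPart().getFlags().isPreAuth()) {
            encTicketPartModifier.setFlag(TicketFlag.PRE_AUTHENT);
        }
        // Bit 1: FORWARDABLE.
        if (kdcRequest.getOption(1)) {
            if (!kdcServer.isForwardableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isForwardable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            encTicketPartModifier.setFlag(TicketFlag.FORWARDABLE);
        }
        // Bit 2: FORWARDED. The new ticket takes the address list from the request body; an
        // empty list is accepted only when the configuration allows address-less tickets.
        if (kdcRequest.getOption(2)) {
            if (!kdcServer.isForwardableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isForwardable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            if (kdcRequest.getAddresses() != null && kdcRequest.getAddresses().getAddresses() != null && kdcRequest.getAddresses().getAddresses().length > 0) {
                encTicketPartModifier.setClientAddresses(kdcRequest.getAddresses());
            } else if (!kdcServer.isEmptyAddressesAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            encTicketPartModifier.setFlag(TicketFlag.FORWARDED);
        }
        // A ticket derived from a forwarded ticket stays marked as forwarded.
        if (ticket.getEncTicketPart().getFlags().isForwarded()) {
            encTicketPartModifier.setFlag(TicketFlag.FORWARDED);
        }
        // Bit 3: PROXIABLE.
        if (kdcRequest.getOption(3)) {
            if (!kdcServer.isProxiableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isProxiable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            encTicketPartModifier.setFlag(TicketFlag.PROXIABLE);
        }
        // Bit 4: PROXY. Same address handling as FORWARDED.
        if (kdcRequest.getOption(4)) {
            if (!kdcServer.isProxiableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isProxiable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            if (kdcRequest.getAddresses() != null && kdcRequest.getAddresses().getAddresses() != null && kdcRequest.getAddresses().getAddresses().length > 0) {
                encTicketPartModifier.setClientAddresses(kdcRequest.getAddresses());
            } else if (!kdcServer.isEmptyAddressesAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            encTicketPartModifier.setFlag(TicketFlag.PROXY);
        }
        // Bit 5: ALLOW-POSTDATE.
        if (kdcRequest.getOption(5)) {
            if (!kdcServer.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isMayPosdate()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            encTicketPartModifier.setFlag(TicketFlag.MAY_POSTDATE);
        }
        // Bit 6: POSTDATED. The ticket is issued INVALID with the requested start time and has
        // to be validated (bit 31) before use.
        if (kdcRequest.getOption(6)) {
            if (!kdcServer.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isMayPosdate()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            encTicketPartModifier.setFlag(TicketFlag.POSTDATED);
            encTicketPartModifier.setFlag(TicketFlag.INVALID);
            encTicketPartModifier.setStartTime(kdcRequest.getFrom());
        }
        // Bit 31: VALIDATE. Only an INVALID ticket whose start time (auth time when no start
        // time is set) has been reached can be validated.
        if (kdcRequest.getOption(31)) {
            if (!kdcServer.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isInvalid()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if ((ticket.getEncTicketPart().getStartTime() != null ? ticket.getEncTicketPart().getStartTime() : ticket.getEncTicketPart().getAuthTime()).greaterThan(new KerberosTime())) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_NYV);
            }
            echoTicket(encTicketPartModifier, ticket);
            // NOTE(review): echoTicket hands the presented ticket's flags object to the
            // modifier; confirm setFlags copies it, otherwise this clear also alters the
            // presented ticket.
            encTicketPartModifier.clearFlag(TicketFlag.INVALID);
        }
        // Bit 0 is reserved and must not be set.
        if (kdcRequest.getOption(0)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }
    }

    /**
     * Computes auth, start, end and renew-till times for the new ticket.
     *
     * <p>The end time never exceeds the presented ticket's end time or the configured maximum
     * lifetime, and the renew-till time never exceeds the presented ticket's renew-till or the
     * configured maximum renewable lifetime. Option numbers are KDCOptions bit positions as
     * listed in RFC 4120. As a side effect the request's option bit 8 is set when a
     * RENEWABLE-OK request (bit 27) is converted into a renewable ticket.
     *
     * @throws KerberosException {@code KDC_ERR_CANNOT_POSTDATE}, {@code KDC_ERR_POLICY},
     *                           {@code KDC_ERR_BADOPTION}, {@code KRB_AP_ERR_TKT_EXPIRED} or
     *                           {@code KDC_ERR_NEVER_VALID} as raised below
     */
    private static void processTimes(KdcServer kdcServer, KdcRequest kdcRequest, EncTicketPartModifier encTicketPartModifier, Ticket ticket) throws KerberosException {
        KerberosTime kerberosTime;
        // kerberosTime2 is "now" for the whole computation.
        KerberosTime kerberosTime2 = new KerberosTime();
        encTicketPartModifier.setAuthTime(ticket.getEncTicketPart().getAuthTime());
        KerberosTime from = kdcRequest.getFrom();
        // A missing or past start time, or one inside the clock skew without POSTDATED (bit 6),
        // is treated as "now".
        if (from == null || from.lessThan(kerberosTime2) || (from.isInClockSkew(kdcServer.getAllowableClockSkew()) && !kdcRequest.getOption(6))) {
            from = kerberosTime2;
        }
        // A start time still in the future needs POSTDATED plus MAY_POSTDATE on the ticket.
        if (from != null && from.greaterThan(kerberosTime2) && !from.isInClockSkew(kdcServer.getAllowableClockSkew()) && (!kdcRequest.getOption(6) || !ticket.getEncTicketPart().getFlags().isMayPosdate())) {
            throw new KerberosException(ErrorType.KDC_ERR_CANNOT_POSTDATE);
        }
        KerberosTime kerberosTime3 = null;
        if (!kdcRequest.getOption(30)) {
            // Ordinary request (bit 30, RENEW, not set).
            if (encTicketPartModifier.getEncTicketPart().getStartTime() == null) {
                encTicketPartModifier.setStartTime(kerberosTime2);
            }
            // A zero "till" means "as long as possible".
            KerberosTime till = kdcRequest.getTill().isZero() ? KerberosTime.INFINITY : kdcRequest.getTill();
            // End time is the earliest of: requested till, start + configured maximum lifetime,
            // and the presented ticket's own end time.
            ArrayList arrayList = new ArrayList();
            arrayList.add(till);
            arrayList.add(new KerberosTime(from.getTime() + kdcServer.getMaximumTicketLifetime()));
            arrayList.add(ticket.getEncTicketPart().getEndTime());
            kerberosTime = (KerberosTime) Collections.min(arrayList);
            encTicketPartModifier.setEndTime(kerberosTime);
            // RENEWABLE-OK (bit 27): the requested lifetime was cut short, so offer a renewable
            // ticket instead, if the presented ticket is renewable and policy allows it.
            if (kdcRequest.getOption(27) && kerberosTime.lessThan(kdcRequest.getTill()) && ticket.getEncTicketPart().getFlags().isRenewable()) {
                if (!kdcServer.isRenewableAllowed()) {
                    throw new KerberosException(ErrorType.KDC_ERR_POLICY);
                }
                // Mutates the request so the RENEWABLE (bit 8) block below runs.
                kdcRequest.setOption(8);
                kerberosTime3 = new KerberosTime(Math.min(kdcRequest.getTill().getTime(), ticket.getEncTicketPart().getRenewTill().getTime()));
            }
        } else {
            // RENEW (bit 30): reissue the presented ticket with a fresh start time.
            if (!kdcServer.isRenewableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!ticket.getEncTicketPart().getFlags().isRenewable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            if (ticket.getEncTicketPart().getRenewTill().lessThan(kerberosTime2)) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_EXPIRED);
            }
            // Overwrites everything set on the modifier so far, including the session key.
            echoTicket(encTicketPartModifier, ticket);
            encTicketPartModifier.setStartTime(kerberosTime2);
            // New end = now + the presented ticket's original lifetime, capped at renew-till.
            kerberosTime = new KerberosTime(Math.min(ticket.getEncTicketPart().getRenewTill().getTime(), kerberosTime2.getTime() + (ticket.getEncTicketPart().getEndTime().getTime() - (ticket.getEncTicketPart().getStartTime() != null ? ticket.getEncTicketPart().getStartTime() : ticket.getEncTicketPart().getAuthTime()).getTime())));
            encTicketPartModifier.setEndTime(kerberosTime);
        }
        if (kerberosTime3 == null) {
            kerberosTime3 = kdcRequest.getRtime();
        }
        // A zero rtime means "as long as possible"; a missing rtime stays null.
        KerberosTime kerberosTime4 = (kerberosTime3 == null || !kerberosTime3.isZero()) ? kerberosTime3 : KerberosTime.INFINITY;
        // RENEWABLE (bit 8), possibly set above by the RENEWABLE-OK conversion.
        if (kdcRequest.getOption(8) && ticket.getEncTicketPart().getFlags().isRenewable()) {
            if (!kdcServer.isRenewableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            encTicketPartModifier.setFlag(TicketFlag.RENEWABLE);
            // Renew-till is the earliest of: requested rtime (when given), start + configured
            // maximum renewable lifetime, and the presented ticket's renew-till.
            ArrayList arrayList2 = new ArrayList();
            if (kerberosTime4 != null) {
                arrayList2.add(kerberosTime4);
            }
            arrayList2.add(new KerberosTime(from.getTime() + kdcServer.getMaximumRenewableLifetime()));
            arrayList2.add(ticket.getEncTicketPart().getRenewTill());
            encTicketPartModifier.setRenewTill((KerberosTime) Collections.min(arrayList2));
        }
        // Refuse a ticket that would end before it starts ...
        if (kerberosTime.lessThan(from)) {
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID);
        }
        // ... or whose whole lifetime is shorter than the allowed clock skew.
        if (Math.abs(from.getTime() - kerberosTime.getTime()) < kdcServer.getAllowableClockSkew()) {
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID);
        }
    }

    /**
     * Copies the transited-realms encoding from the presented ticket unchanged; no
     * cross-realm path is added or checked here.
     */
    private static void processTransited(EncTicketPartModifier encTicketPartModifier, Ticket ticket) {
        encTicketPartModifier.setTransitedEncoding(ticket.getEncTicketPart().getTransitedEncoding());
    }

    /**
     * Copies the presented ticket's encrypted-part fields onto the modifier: authorization
     * data, auth time, client addresses, client principal, end time, flags, renew-till, session
     * key and transited encoding. The start time is not copied. Used by the validate and renew
     * paths.
     */
    private static void echoTicket(EncTicketPartModifier encTicketPartModifier, Ticket ticket) {
        EncTicketPart encTicketPart = ticket.getEncTicketPart();
        encTicketPartModifier.setAuthorizationData(encTicketPart.getAuthorizationData());
        encTicketPartModifier.setAuthTime(encTicketPart.getAuthTime());
        encTicketPartModifier.setClientAddresses(encTicketPart.getClientAddresses());
        encTicketPartModifier.setClientPrincipal(encTicketPart.getClientPrincipal());
        encTicketPartModifier.setEndTime(encTicketPart.getEndTime());
        encTicketPartModifier.setFlags(encTicketPart.getFlags());
        encTicketPartModifier.setRenewTill(encTicketPart.getRenewTill());
        encTicketPartModifier.setSessionKey(encTicketPart.getSessionKey());
        encTicketPartModifier.setTransitedEncoding(encTicketPart.getTransitedEncoding());
    }
}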
