package org.apache.ws.security.kerberos;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import sun.security.krb5.EncryptionKey;
import sun.security.krb5.internal.EncTicketPart;
import sun.security.krb5.internal.Ticket;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;

/* loaded from: input_file:WEB-INF/lib/wss4j-1.5.11-wso2v5.jar:org/apache/ws/security/kerberos/KrbTicketDecoder.class */
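/**
 * Extracts the Kerberos session key from a service ticket carried in an AP-REQ.
 *
 * <p>The decoder walks the DER structure of the supplied token, locates the AP-REQ
 * (application tag 14), pulls out its ticket field (context tag 3), decrypts the
 * ticket's encrypted part with a long-term {@link KerberosKey} taken from the
 * service's {@link Subject}, and returns the session key found inside.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Only the ticket is decrypted here. Nothing in this class checks the AP-REQ
 *       authenticator, the ticket's validity times, or replay; a successful decrypt
 *       shows only that the ticket was encrypted under a key held by the Subject.</li>
 *   <li>The token bytes come from the peer and must be treated as untrusted input;
 *       every parsing failure surfaces as an exception from {@link #getSessionKey()}.</li>
 *   <li>The class relies on JDK-internal {@code sun.security.*} types, which are not a
 *       supported API and are not accessible by default on modular JDKs.</li>
 * </ul>
 */
public class KrbTicketDecoder {
    /** Raw token bytes as received; the reference is kept, not copied. */
    private final byte[] serviceTicket;
    /** Service-side Subject whose private credentials hold the long-term Kerberos keys. */
    private final Subject subject;

    /**
     * @param bArr    DER-encoded token that contains the AP-REQ
     * @param subject Subject holding the service's {@link KerberosKey} private credentials
     */
    public KrbTicketDecoder(byte[] bArr, Subject subject) {
        this.serviceTicket = bArr;
        this.subject = subject;
    }

    /**
     * Decrypts the ticket and returns the session key it carries.
     *
     * @return the session key bytes wrapped in a {@link SecretKeySpec}
     * @throws Exception if the token is missing or malformed, no AP-REQ or ticket is found,
     *                   no matching key is available in the Subject, or decryption fails
     */
    public SecretKey getSessionKey() throws Exception {
        // NOTE(review): the algorithm label is hard-coded to "DES" whatever encryption type
        // the ticket actually negotiated, so getAlgorithm() on the result must not be used
        // to identify the cipher. Left unchanged because callers may depend on the label.
        return new SecretKeySpec(parseServiceTicket(this.serviceTicket).getBytes(), "DES");
    }

    /**
     * Scans the top-level DER values of the token for the AP-REQ and parses it.
     *
     * @param bArr token bytes
     * @return the session key extracted from the ticket inside the AP-REQ
     * @throws Exception if the token is null or empty, or holds no AP-REQ
     */
    private EncryptionKey parseServiceTicket(byte[] bArr) throws Exception {
        // Reject a missing token explicitly instead of failing with a NullPointerException.
        if (bArr == null || bArr.length == 0) {
            throw new Exception("Service ticket is null or empty.");
        }
        for (DerValue derValue : new DerInputStream(bArr).getSet(bArr.length, true)) {
            // Tag number 14, constructed: the AP-REQ application tag.
            if (derValue.isConstructed((byte) 14)) {
                // 49 == 0x31, the constructed SET tag, so the content can be read via getSet().
                derValue.resetTag((byte) 49);
                return parseApReq(derValue.toDerInputStream(), derValue.length());
            }
        }
        throw new Exception("Could not find AP-REQ in service ticket.");
    }

    /**
     * Finds the ticket field (context tag 3) of the AP-REQ and decrypts it.
     *
     * @param derInputStream stream positioned on the retagged AP-REQ
     * @param i              length passed to {@code getSet}
     * @return the session key extracted from the ticket
     * @throws Exception if the AP-REQ holds no ticket field
     */
    private EncryptionKey parseApReq(DerInputStream derInputStream, int i) throws Exception {
        DerValue ticketValue = null;
        for (DerValue field : derInputStream.getSet(i, true)) {
            if (field.isContextSpecific((byte) 3)) {
                // No break: if the tag appears more than once the last occurrence wins,
                // as in the original implementation.
                ticketValue = field.getData().getDerValue();
            }
        }
        if (ticketValue == null) {
            throw new Exception("No Ticket found in AP-REQ PDU");
        }
        return decryptTicket(new Ticket(ticketValue), this.subject);
    }

    /**
     * Decrypts the ticket's encrypted part and returns the key of the resulting EncTicketPart.
     *
     * @param ticket  parsed ticket
     * @param subject Subject providing the long-term key
     * @return the session key stored in the decrypted ticket
     * @throws Exception if no suitable key exists, decryption fails or yields no data
     */
    private EncryptionKey decryptTicket(Ticket ticket, Subject subject) throws Exception {
        // Key usage 2 is the ticket-encryption usage (RFC 4120, section 7.5.1).
        byte[] decrypt = ticket.encPart.decrypt(getPrivateKey(subject, ticket.encPart.getEType()), 2);
        if (decrypt.length <= 0) {
            throw new Exception("Key is empty.");
        }
        return new EncTicketPart(ticket.encPart.reset(decrypt, true)).key;
    }

    /**
     * Builds the internal {@link EncryptionKey} for the given encryption type from the Subject.
     *
     * @param subject Subject holding the service keys
     * @param i       encryption type of the ticket's encrypted part
     * @return the long-term key in the JDK-internal representation
     * @throws Exception if the Subject is null or holds no key of that encryption type
     */
    private EncryptionKey getPrivateKey(Subject subject, int i) throws Exception {
        if (subject == null) {
            throw new Exception("No Subject available to look up the Kerberos key.");
        }
        KerberosKey krbKey = getKrbKey(subject, i);
        // A ticket encrypted with a type the service has no key for must fail with a clear
        // error instead of a NullPointerException on the dereference below.
        if (krbKey == null) {
            throw new Exception("No Kerberos key of encryption type " + i + " found in Subject.");
        }
        // NOTE(review): the third argument receives the encryption type; that constructor slot
        // looks like the key version number. Preserved as-is; confirm against the JDK in use.
        return new EncryptionKey(krbKey.getEncoded(), krbKey.getKeyType(), Integer.valueOf(i));
    }

    /**
     * Returns the first {@link KerberosKey} in the Subject's private credentials whose key
     * type equals {@code i}, or {@code null} if there is none.
     */
    private KerberosKey getKrbKey(Subject subject, int i) {
        // Ask only for KerberosKey credentials instead of every private credential.
        for (KerberosKey candidate : subject.getPrivateCredentials(KerberosKey.class)) {
            if (candidate.getKeyType() == i) {
                return candidate;
            }
        }
        return null;
    }
}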
