package org.apache.directory.server.kerberos.kdc.ticketgrant;

import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.server.kerberos.kdc.KdcContext;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.protocol.KerberosDecoder;
import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.directory.shared.asn1.EncoderException;
import org.apache.directory.shared.kerberos.KerberosMessageType;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.KerberosUtils;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.codec.types.PaDataType;
import org.apache.directory.shared.kerberos.components.AuthorizationData;
import org.apache.directory.shared.kerberos.components.Checksum;
import org.apache.directory.shared.kerberos.components.EncKdcRepPart;
import org.apache.directory.shared.kerberos.components.EncTicketPart;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.components.HostAddress;
import org.apache.directory.shared.kerberos.components.HostAddresses;
import org.apache.directory.shared.kerberos.components.KdcReq;
import org.apache.directory.shared.kerberos.components.KdcReqBody;
import org.apache.directory.shared.kerberos.components.LastReq;
import org.apache.directory.shared.kerberos.components.PaData;
import org.apache.directory.shared.kerberos.components.PrincipalName;
import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
import org.apache.directory.shared.kerberos.exceptions.ErrorType;
import org.apache.directory.shared.kerberos.exceptions.InvalidTicketException;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
import org.apache.directory.shared.kerberos.flags.TicketFlag;
import org.apache.directory.shared.kerberos.messages.ApReq;
import org.apache.directory.shared.kerberos.messages.Authenticator;
import org.apache.directory.shared.kerberos.messages.EncTgsRepPart;
import org.apache.directory.shared.kerberos.messages.TgsRep;
import org.apache.directory.shared.kerberos.messages.Ticket;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.class */
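/**
 * Ticket-Granting Service (TGS) exchange of the KDC.
 * <p>
 * {@link #execute(TicketGrantingContext)} drives the exchange as a fixed sequence of steps that
 * all communicate through the shared {@link TicketGrantingContext}: the PA-TGS-REQ pre-auth data
 * (an AP-REQ carrying the client's TGT) is decoded, the TGT and its authenticator are verified
 * (realm, service name, replay, clock skew, client address, validity window), the optional
 * req-body checksum is checked, the requested service principal is looked up, and a new service
 * ticket plus the TGS-REP are built.
 * <p>
 * Every policy or protocol failure is reported as a {@link KerberosException} carrying the
 * {@link ErrorType} that the reply should use. Only the steps visible here are performed; there is
 * no transited-realm policy check in this class.
 * <p>
 * All methods are static. NOTE(review): the shared {@code cipherTextHandler} and
 * {@code checksumHandler} instances are used from any caller thread; confirm they are stateless.
 */
public class TicketGrantingService {
    private static final String SERVICE_NAME = "Ticket-Granting Service (TGS)";
    private static final Logger LOG = LoggerFactory.getLogger(TicketGrantingService.class);
    private static final CipherTextHandler cipherTextHandler = new CipherTextHandler();
    private static final ChecksumHandler checksumHandler = new ChecksumHandler();

    /**
     * KDC option bits (RFC 4120 numbering) that this service refuses with
     * {@link ErrorType#KDC_ERR_BADOPTION}: bit 0 (reserved), 7 (unused), 9-25 (unused /
     * unsupported) and 29 (unused). Bits 1-6, 8, 27, 30 and 31 are handled in
     * {@link #processFlags} / {@link #processTimes}; bit 28 is rejected in {@link #generateTicket}.
     */
    private static final int[] UNSUPPORTED_KDC_OPTIONS = {
        0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 29
    };

    /**
     * Runs the complete TGS exchange for one request.
     * <p>
     * The order matters: the TGT must be verified and its service key resolved before the
     * authenticator can be decrypted, and the authenticator is needed both for the body checksum
     * and for sealing the reply.
     *
     * @param ticketGrantingContext the request, configuration, store and client address; receives
     *                              the new ticket and the reply
     * @throws Exception any {@link KerberosException} raised by a step, or a decoding/crypto
     *                   failure from the underlying handlers
     */
    public static void execute(TicketGrantingContext ticketGrantingContext) throws Exception {
        if (LOG.isDebugEnabled()) {
            monitorRequest(ticketGrantingContext);
        }
        configureTicketGranting(ticketGrantingContext);
        selectEncryptionType(ticketGrantingContext);
        getAuthHeader(ticketGrantingContext);
        verifyTgt(ticketGrantingContext);
        getTicketPrincipalEntry(ticketGrantingContext);
        verifyTgtAuthHeader(ticketGrantingContext);
        verifyBodyChecksum(ticketGrantingContext);
        getRequestPrincipalEntry(ticketGrantingContext);
        generateTicket(ticketGrantingContext);
        buildReply(ticketGrantingContext);
    }

    /**
     * Installs the shared cipher-text handler on the context and rejects any protocol version
     * other than 5.
     *
     * @throws KerberosException {@code KDC_ERR_BAD_PVNO} for a non-v5 request
     */
    private static void configureTicketGranting(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        ticketGrantingContext.setCipherTextHandler(cipherTextHandler);
        if (ticketGrantingContext.getRequest().getProtocolVersionNumber() != 5) {
            throw new KerberosException(ErrorType.KDC_ERR_BAD_PVNO);
        }
    }

    /**
     * Logs the incoming request at DEBUG level. Only called when debug logging is enabled; any
     * failure while formatting is logged and swallowed so that diagnostics never break the exchange.
     */
    private static void monitorRequest(KdcContext kdcContext) throws Exception {
        KdcReq request = kdcContext.getRequest();
        try {
            String hostAddress = kdcContext.getClientAddress().getHostAddress();
            KdcReqBody body = request.getKdcReqBody();
            StringBuilder sb = new StringBuilder();
            sb.append("Received Ticket-Granting Service (TGS) request:");
            sb.append("\n\tmessageType:           " + request.getMessageType());
            sb.append("\n\tprotocolVersionNumber: " + request.getProtocolVersionNumber());
            sb.append("\n\tclientAddress:         " + hostAddress);
            sb.append("\n\tnonce:                 " + body.getNonce());
            sb.append("\n\tkdcOptions:            " + body.getKdcOptions());
            sb.append("\n\tclientPrincipal:       " + body.getCName());
            sb.append("\n\tserverPrincipal:       " + body.getSName());
            sb.append("\n\tencryptionType:        " + KerberosUtils.getEncryptionTypesString(body.getEType()));
            sb.append("\n\trealm:                 " + body.getRealm());
            sb.append("\n\tfrom time:             " + body.getFrom());
            sb.append("\n\ttill time:             " + body.getTill());
            sb.append("\n\trenew-till time:       " + body.getRTime());
            sb.append("\n\thostAddresses:         " + body.getAddresses());
            LOG.debug(sb.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_153, new Object[0]), e);
        }
    }

    /**
     * Picks the session encryption type: the best type that is both offered by the client
     * (req-body etype list) and enabled in the KDC configuration.
     *
     * @throws KerberosException {@code KDC_ERR_ETYPE_NOSUPP} when there is no common type
     */
    private static void selectEncryptionType(TicketGrantingContext ticketGrantingContext) throws Exception {
        EncryptionType chosen = KerberosUtils.getBestEncryptionType(
            ticketGrantingContext.getRequest().getKdcReqBody().getEType(),
            ticketGrantingContext.getConfig().getEncryptionTypes());
        LOG.debug("Session will use encryption type {}.", chosen);
        if (chosen == null) {
            throw new KerberosException(ErrorType.KDC_ERR_ETYPE_NOSUPP);
        }
        ticketGrantingContext.setEncryptionType(chosen);
    }

    /**
     * Extracts the PA-TGS-REQ pre-authentication element, decodes it as an AP-REQ and stores both
     * the AP-REQ (auth header) and the TGT it carries on the context.
     * <p>
     * If several PA-TGS-REQ elements are present the last one wins, as in the original code.
     *
     * @throws KerberosException {@code KDC_ERR_PADATA_TYPE_NOSUPP} when no pa-data or no
     *                           PA-TGS-REQ element is present
     */
    private static void getAuthHeader(TicketGrantingContext ticketGrantingContext) throws Exception {
        KdcReq request = ticketGrantingContext.getRequest();
        if (request.getPaData() == null || request.getPaData().size() < 1) {
            throw new KerberosException(ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP);
        }
        byte[] encodedApReq = null;
        for (PaData paData : request.getPaData()) {
            if (paData.getPaDataType() == PaDataType.PA_TGS_REQ) {
                encodedApReq = paData.getPaDataValue();
            }
        }
        if (encodedApReq == null) {
            throw new KerberosException(ErrorType.KDC_ERR_PADATA_TYPE_NOSUPP);
        }
        ApReq apReq = KerberosDecoder.decodeApReq(encodedApReq);
        ticketGrantingContext.setAuthHeader(apReq);
        ticketGrantingContext.setTgt(apReq.getTicket());
    }

    /**
     * Checks that the presented TGT was issued by this KDC: its realm must be the primary realm
     * and its service name must be either this KDC's own service principal or the service being
     * requested (the latter allows a ticket to be used for user-to-user style renewals).
     * <p>
     * Only the outer (unencrypted) ticket fields are inspected here; the ticket itself is not yet
     * decrypted or authenticated at this point.
     *
     * @throws KerberosException {@code KRB_AP_ERR_NOT_US} on a realm or service mismatch
     */
    public static void verifyTgt(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        KdcServer config = ticketGrantingContext.getConfig();
        Ticket tgt = ticketGrantingContext.getTgt();
        if (!tgt.getRealm().equals(config.getPrimaryRealm())) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_NOT_US);
        }
        KdcReqBody body = ticketGrantingContext.getRequest().getKdcReqBody();
        String tgtServiceName = KerberosUtils.getKerberosPrincipal(tgt.getSName(), tgt.getRealm()).getName();
        String requestedServiceName = KerberosUtils.getKerberosPrincipal(body.getSName(), body.getRealm()).getName();
        boolean isOurTgs = tgtServiceName.equals(config.getServicePrincipal().getName());
        boolean isRequestedService = tgtServiceName.equals(requestedServiceName);
        if (!isOurTgs && !isRequestedService) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_NOT_US);
        }
    }

    /**
     * Loads the store entry of the principal the TGT is issued to (normally the TGS itself); its
     * long-term key is needed to decrypt the TGT.
     *
     * @throws KerberosException {@code KDC_ERR_S_PRINCIPAL_UNKNOWN} when the entry is missing
     */
    private static void getTicketPrincipalEntry(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        Ticket tgt = ticketGrantingContext.getTgt();
        KerberosPrincipal ticketPrincipal = KerberosUtils.getKerberosPrincipal(tgt.getSName(), tgt.getRealm());
        ticketGrantingContext.setTicketPrincipalEntry(
            getEntry(ticketPrincipal, ticketGrantingContext.getStore(), ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN));
    }

    /**
     * Decrypts and verifies the TGT and its authenticator via
     * {@link #verifyAuthHeader} and stores the resulting {@link Authenticator} on the context.
     * <p>
     * The service key is looked up by the etype of the TGT's encrypted part; a missing key is
     * reported by {@code verifyAuthHeader} as {@code KRB_AP_ERR_NOKEY}. KDC option bit 31
     * (VALIDATE) is passed through so that an INVALID (postdated) TGT is accepted only for a
     * validation request.
     */
    private static void verifyTgtAuthHeader(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        ApReq authHeader = ticketGrantingContext.getAuthHeader();
        Ticket tgt = ticketGrantingContext.getTgt();
        KdcServer config = ticketGrantingContext.getConfig();
        EncryptionKey serviceKey = (EncryptionKey) ticketGrantingContext.getTicketPrincipalEntry()
            .getKeyMap().get(tgt.getEncPart().getEType());
        boolean isValidate = ticketGrantingContext.getRequest().getKdcReqBody().getKdcOptions().get(31);
        Authenticator authenticator = verifyAuthHeader(
            authHeader,
            tgt,
            serviceKey,
            config.getAllowableClockSkew(),
            config.getReplayCache(),
            config.isEmptyAddressesAllowed(),
            ticketGrantingContext.getClientAddress(),
            ticketGrantingContext.getCipherTextHandler(),
            KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_TGS_SESS_KEY,
            isValidate);
        ticketGrantingContext.setAuthenticator(authenticator);
    }

    /**
     * Verifies the authenticator's checksum over the re-encoded req-body, keyed with the TGT
     * session key. This binds the request body to the authenticated client; it is skipped
     * entirely when {@code isBodyChecksumVerified()} is false in the configuration.
     *
     * @throws KerberosException {@code KRB_AP_ERR_INAPP_CKSUM} when the checksum is absent,
     *                           incomplete, or the body cannot be re-encoded; the checksum
     *                           handler raises its own error on a mismatch
     */
    private static void verifyBodyChecksum(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        if (!ticketGrantingContext.getConfig().isBodyChecksumVerified()) {
            return;
        }
        KdcReqBody kdcReqBody = ticketGrantingContext.getRequest().getKdcReqBody();
        ByteBuffer buffer = ByteBuffer.allocate(kdcReqBody.computeLength());
        try {
            kdcReqBody.encode(buffer);
            byte[] encodedBody = buffer.array();
            Checksum cksum = ticketGrantingContext.getAuthenticator().getCksum();
            // Session key of the (already decrypted) TGT.
            EncryptionKey sessionKey = ticketGrantingContext.getTgt().getEncTicketPart().getKey();
            if (cksum == null || cksum.getChecksumType() == null || cksum.getChecksumValue() == null || encodedBody == null) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_INAPP_CKSUM);
            }
            LOG.debug("Verifying body checksum type '{}'.", cksum.getChecksumType());
            checksumHandler.verifyChecksum(cksum, encodedBody, sessionKey.getKeyValue(),
                KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY);
        } catch (EncoderException e) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_INAPP_CKSUM);
        }
    }

    /**
     * Loads the store entry of the service named in the req-body; its long-term key seals the
     * new ticket.
     *
     * @throws KerberosException {@code KDC_ERR_S_PRINCIPAL_UNKNOWN} when the entry is missing
     */
    public static void getRequestPrincipalEntry(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        KdcReqBody body = ticketGrantingContext.getRequest().getKdcReqBody();
        KerberosPrincipal requestPrincipal = KerberosUtils.getKerberosPrincipal(body.getSName(), body.getRealm());
        ticketGrantingContext.setRequestPrincipalEntry(
            getEntry(requestPrincipal, ticketGrantingContext.getStore(), ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN));
    }

    /**
     * Builds the new service ticket from the TGT, the request options and KDC policy, seals it
     * with the service's long-term key and stores it on the context.
     * <p>
     * The client identity (cname/crealm) and client addresses are copied from the TGT, never
     * taken from the request; a fresh random session key is generated for the new ticket.
     *
     * @throws KerberosException      {@code KDC_ERR_BADOPTION} for ENC-TKT-IN-SKEY (bit 28), which
     *                                is not supported, or any policy error from the flag/time
     *                                processing
     * @throws InvalidTicketException propagated from ticket construction
     */
    private static void generateTicket(TicketGrantingContext ticketGrantingContext) throws KerberosException, InvalidTicketException {
        KdcReq request = ticketGrantingContext.getRequest();
        KdcReqBody body = request.getKdcReqBody();
        Ticket tgt = ticketGrantingContext.getTgt();
        EncTicketPart tgtPart = tgt.getEncTicketPart();
        Authenticator authenticator = ticketGrantingContext.getAuthenticator();
        CipherTextHandler handler = ticketGrantingContext.getCipherTextHandler();
        KdcServer config = ticketGrantingContext.getConfig();

        // Long-term key of the requested service, in the etype chosen for this session.
        EncryptionKey serviceKey = (EncryptionKey) ticketGrantingContext.getRequestPrincipalEntry()
            .getKeyMap().get(ticketGrantingContext.getEncryptionType());

        EncTicketPart newPart = new EncTicketPart();
        newPart.setClientAddresses(tgtPart.getClientAddresses());
        processFlags(config, request, tgt, newPart);
        newPart.setKey(RandomKeyFactory.getRandomKey(ticketGrantingContext.getEncryptionType()));
        newPart.setCName(tgtPart.getCName());
        newPart.setCRealm(tgtPart.getCRealm());

        if (body.getEncAuthorizationData() != null) {
            // NOTE(review): the request's authorization data is always decrypted with the
            // authenticator sub-key under the TGS-session-key usage; when the client sent no
            // sub-key this decrypt receives a null key. Confirm the intended key/usage pairing.
            AuthorizationData requestedAd = KerberosDecoder.decodeAuthorizationData(
                handler.decrypt(authenticator.getSubKey(), body.getEncAuthorizationData(),
                    KeyUsage.TGS_REQ_KDC_REQ_BODY_AUTHZ_DATA_ENC_WITH_TGS_SESS_KEY));
            // The TGT's own authorization data is carried over into the new ticket; a TGT without
            // any is legal, so guard against a null entry instead of failing the whole exchange.
            AuthorizationData tgtAd = tgtPart.getAuthorizationData();
            if (tgtAd != null) {
                requestedAd.addEntry(tgtAd.getCurrentAD());
            }
            newPart.setAuthorizationData(requestedAd);
        }

        processTransited(newPart, tgt);
        processTimes(config, request, newPart, tgt);

        // ENC-TKT-IN-SKEY (user-to-user) is not implemented by this service.
        if (body.getKdcOptions().get(28)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }

        Ticket newTicket = new Ticket(body.getSName(),
            handler.seal(serviceKey, newPart, KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY));
        newTicket.setEncTicketPart(newPart);
        newTicket.setRealm(body.getRealm());
        ticketGrantingContext.setNewTicket(newTicket);
    }

    /**
     * Assembles the TGS-REP: the new ticket plus the encrypted part (session key, nonce, times,
     * flags, addresses and service name) which mirrors the new ticket's contents.
     * <p>
     * The reply is sealed with the authenticator sub-key when the client supplied one, otherwise
     * with the TGT session key, using the matching key-usage number for each case.
     */
    private static void buildReply(TicketGrantingContext ticketGrantingContext) throws KerberosException {
        KdcReq request = ticketGrantingContext.getRequest();
        Ticket tgt = ticketGrantingContext.getTgt();
        Ticket newTicket = ticketGrantingContext.getNewTicket();
        EncTicketPart newPart = newTicket.getEncTicketPart();

        TgsRep tgsRep = new TgsRep();
        tgsRep.setCName(tgt.getEncTicketPart().getCName());
        tgsRep.setCRealm(tgt.getEncTicketPart().getCRealm());
        tgsRep.setTicket(newTicket);

        EncKdcRepPart encKdcRepPart = new EncKdcRepPart();
        encKdcRepPart.setKey(newPart.getKey());
        encKdcRepPart.setNonce(request.getKdcReqBody().getNonce());
        encKdcRepPart.setLastReq(new LastReq());
        encKdcRepPart.setFlags(newPart.getFlags());
        encKdcRepPart.setClientAddresses(newPart.getClientAddresses());
        encKdcRepPart.setAuthTime(newPart.getAuthTime());
        encKdcRepPart.setStartTime(newPart.getStartTime());
        encKdcRepPart.setEndTime(newPart.getEndTime());
        encKdcRepPart.setSName(newTicket.getSName());
        encKdcRepPart.setSRealm(newTicket.getRealm());
        if (newPart.getFlags().isRenewable()) {
            encKdcRepPart.setRenewTill(newPart.getRenewTill());
        }

        if (LOG.isDebugEnabled()) {
            monitorContext(ticketGrantingContext);
            monitorReply(tgsRep, encKdcRepPart);
        }

        EncTgsRepPart encTgsRepPart = new EncTgsRepPart();
        encTgsRepPart.setEncKdcRepPart(encKdcRepPart);
        Authenticator authenticator = ticketGrantingContext.getAuthenticator();
        EncryptionKey subKey = authenticator.getSubKey();
        if (subKey != null) {
            tgsRep.setEncPart(cipherTextHandler.seal(subKey, encTgsRepPart, KeyUsage.TGS_REP_ENC_PART_TGS_AUTHNT_SUB_KEY));
        } else {
            tgsRep.setEncPart(cipherTextHandler.seal(tgt.getEncTicketPart().getKey(), encTgsRepPart, KeyUsage.TGS_REP_ENC_PART_TGS_SESS_KEY));
        }
        tgsRep.setEncKdcRepPart(encKdcRepPart);
        ticketGrantingContext.setReply(tgsRep);
    }

    /**
     * Logs the verified context (skew, checksum type, addresses, both principal entries, ticket
     * key type and service key version) at DEBUG level. Failures while formatting are logged
     * and swallowed.
     */
    private static void monitorContext(TicketGrantingContext ticketGrantingContext) {
        try {
            Ticket tgt = ticketGrantingContext.getTgt();
            long allowableClockSkew = ticketGrantingContext.getConfig().getAllowableClockSkew();
            ChecksumType checksumType = ticketGrantingContext.getAuthenticator().getCksum().getChecksumType();
            InetAddress clientAddress = ticketGrantingContext.getClientAddress();
            HostAddresses clientAddresses = tgt.getEncTicketPart().getClientAddresses();
            boolean senderInCaddr = false;
            if (clientAddresses != null) {
                senderInCaddr = clientAddresses.contains(new HostAddress(clientAddress));
            }

            StringBuilder sb = new StringBuilder();
            sb.append("Monitoring Ticket-Granting Service (TGS) context:");
            sb.append("\n\tclockSkew              " + allowableClockSkew);
            sb.append("\n\tchecksumType           " + checksumType);
            sb.append("\n\tclientAddress          " + clientAddress);
            sb.append("\n\tclientAddresses        " + clientAddresses);
            sb.append("\n\tcaddr contains sender  " + senderInCaddr);

            PrincipalName requestedName = ticketGrantingContext.getRequest().getKdcReqBody().getSName();
            PrincipalStoreEntry requestEntry = ticketGrantingContext.getRequestPrincipalEntry();
            sb.append("\n\tprincipal              " + requestedName);
            sb.append("\n\tcn                     " + requestEntry.getCommonName());
            sb.append("\n\trealm                  " + requestEntry.getRealmName());
            sb.append("\n\tprincipal              " + requestEntry.getPrincipal());
            sb.append("\n\tSAM type               " + requestEntry.getSamType());

            PrincipalName tgtName = tgt.getSName();
            PrincipalStoreEntry ticketEntry = ticketGrantingContext.getTicketPrincipalEntry();
            sb.append("\n\tprincipal              " + tgtName);
            sb.append("\n\tcn                     " + ticketEntry.getCommonName());
            sb.append("\n\trealm                  " + ticketEntry.getRealmName());
            sb.append("\n\tprincipal              " + ticketEntry.getPrincipal());
            sb.append("\n\tSAM type               " + ticketEntry.getSamType());

            EncryptionType eType = tgt.getEncPart().getEType();
            int keyVersion = ((EncryptionKey) ticketEntry.getKeyMap().get(eType)).getKeyVersion();
            sb.append("\n\tTicket key type        " + eType);
            sb.append("\n\tService key version    " + keyVersion);
            LOG.debug(sb.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_154, new Object[0]), e);
        }
    }

    /**
     * Logs the outgoing reply at DEBUG level. Failures while formatting are logged and swallowed.
     */
    private static void monitorReply(TgsRep tgsRep, EncKdcRepPart encKdcRepPart) {
        try {
            StringBuilder sb = new StringBuilder();
            sb.append("Responding with Ticket-Granting Service (TGS) reply:");
            sb.append("\n\tmessageType:           " + tgsRep.getMessageType());
            sb.append("\n\tprotocolVersionNumber: " + tgsRep.getProtocolVersionNumber());
            sb.append("\n\tnonce:                 " + encKdcRepPart.getNonce());
            sb.append("\n\tclientPrincipal:       " + tgsRep.getCName());
            sb.append("\n\tclient realm:          " + tgsRep.getCRealm());
            sb.append("\n\tserverPrincipal:       " + encKdcRepPart.getSName());
            sb.append("\n\tserver realm:          " + encKdcRepPart.getSRealm());
            sb.append("\n\tauth time:             " + encKdcRepPart.getAuthTime());
            sb.append("\n\tstart time:            " + encKdcRepPart.getStartTime());
            sb.append("\n\tend time:              " + encKdcRepPart.getEndTime());
            sb.append("\n\trenew-till time:       " + encKdcRepPart.getRenewTill());
            sb.append("\n\thostAddresses:         " + encKdcRepPart.getClientAddresses());
            LOG.debug(sb.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_155, new Object[0]), e);
        }
    }

    /**
     * Translates the request's KDC options into ticket flags on the new ticket, enforcing that
     * each option is both permitted by KDC policy and allowed by the presented TGT's own flags.
     * <p>
     * Option bits follow RFC 4120: 1 FORWARDABLE, 2 FORWARDED, 3 PROXIABLE, 4 PROXY,
     * 5 ALLOW-POSTDATE, 6 POSTDATED, 31 VALIDATE. FORWARDED/PROXY additionally require either
     * a non-empty address list in the request or a policy that allows empty addresses.
     * VALIDATE copies the TGT into the new ticket ({@link #echoTicket}) and clears INVALID, which
     * is only allowed once the ticket's start time has been reached.
     * <p>
     * NOTE(review): {@code echoTicket} installs the TGT's flag object on the new ticket; whether
     * {@code clearFlag} then mutates a shared instance depends on {@code setFlags} copying or not.
     *
     * @throws KerberosException {@code KDC_ERR_POLICY} when the KDC forbids the option,
     *                           {@code KDC_ERR_BADOPTION} when the TGT does not carry the
     *                           prerequisite flag or an unsupported option bit is set,
     *                           {@code KRB_AP_ERR_TKT_NYV} when validating a ticket that is
     *                           not yet valid
     */
    private static void processFlags(KdcServer kdcServer, KdcReq kdcReq, Ticket ticket, EncTicketPart encTicketPart) throws KerberosException {
        KdcReqBody body = kdcReq.getKdcReqBody();
        EncTicketPart tgtPart = ticket.getEncTicketPart();

        if (tgtPart.getFlags().isPreAuth()) {
            encTicketPart.setFlag(TicketFlag.PRE_AUTHENT);
        }

        if (body.getKdcOptions().get(1)) {
            if (!kdcServer.isForwardableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isForwardable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            encTicketPart.setFlag(TicketFlag.FORWARDABLE);
        }

        if (body.getKdcOptions().get(2)) {
            if (!kdcServer.isForwardableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isForwardable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            applyRequestedAddresses(kdcServer, body, encTicketPart);
            encTicketPart.setFlag(TicketFlag.FORWARDED);
        }

        // A ticket derived from a forwarded TGT stays marked as forwarded.
        if (tgtPart.getFlags().isForwarded()) {
            encTicketPart.setFlag(TicketFlag.FORWARDED);
        }

        if (body.getKdcOptions().get(3)) {
            if (!kdcServer.isProxiableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isProxiable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            encTicketPart.setFlag(TicketFlag.PROXIABLE);
        }

        if (body.getKdcOptions().get(4)) {
            if (!kdcServer.isProxiableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isProxiable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            applyRequestedAddresses(kdcServer, body, encTicketPart);
            encTicketPart.setFlag(TicketFlag.PROXY);
        }

        if (body.getKdcOptions().get(5)) {
            if (!kdcServer.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isMayPosdate()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            encTicketPart.setFlag(TicketFlag.MAY_POSTDATE);
        }

        if (body.getKdcOptions().get(6)) {
            if (!kdcServer.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isMayPosdate()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            // A postdated ticket is issued INVALID and must later be validated (bit 31).
            encTicketPart.setFlag(TicketFlag.POSTDATED);
            encTicketPart.setFlag(TicketFlag.INVALID);
            encTicketPart.setStartTime(body.getFrom());
        }

        if (body.getKdcOptions().get(31)) {
            if (!kdcServer.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isInvalid()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            KerberosTime effectiveStart = tgtPart.getStartTime() != null ? tgtPart.getStartTime() : tgtPart.getAuthTime();
            if (effectiveStart.greaterThan(new KerberosTime())) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_NYV);
            }
            echoTicket(encTicketPart, ticket);
            encTicketPart.getFlags().clearFlag(TicketFlag.INVALID);
        }

        for (int optionBit : UNSUPPORTED_KDC_OPTIONS) {
            if (body.getKdcOptions().get(optionBit)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
        }
    }

    /**
     * For FORWARDED and PROXY requests: installs the request's address list on the new ticket
     * when it is non-empty, otherwise requires the empty-addresses policy to be enabled.
     *
     * @throws KerberosException {@code KDC_ERR_POLICY} when no addresses were given and empty
     *                           address lists are not allowed
     */
    private static void applyRequestedAddresses(KdcServer kdcServer, KdcReqBody body, EncTicketPart encTicketPart) throws KerberosException {
        HostAddresses requested = body.getAddresses();
        boolean hasAddresses = requested != null && requested.getAddresses() != null && requested.getAddresses().length > 0;
        if (hasAddresses) {
            encTicketPart.setClientAddresses(requested);
        } else if (!kdcServer.isEmptyAddressesAllowed()) {
            throw new KerberosException(ErrorType.KDC_ERR_POLICY);
        }
    }

    /**
     * Computes authtime, starttime, endtime and renew-till of the new ticket.
     * <p>
     * Normal issue: starttime is the requested {@code from} clamped to "now" (a {@code from} in
     * the past or within clock skew is replaced by now unless POSTDATED is requested), endtime is
     * the minimum of the requested {@code till} (0 meaning no limit), the KDC maximum lifetime
     * and the TGT's own endtime. With RENEWABLE-OK (bit 27) and a TGT that is renewable, a
     * truncated endtime upgrades the request to RENEWABLE (bit 8 is set on the request object).
     * <p>
     * RENEW (bit 30): the TGT is copied into the new ticket and re-issued with starttime now and
     * the original lifetime, capped at the TGT's renew-till.
     * <p>
     * Renew-till of a RENEWABLE ticket is the minimum of the requested rtime (0 meaning no
     * limit), the KDC maximum renewable lifetime and the TGT's renew-till.
     *
     * @throws KerberosException {@code KDC_ERR_CANNOT_POSTDATE}, {@code KDC_ERR_POLICY},
     *                           {@code KDC_ERR_BADOPTION}, {@code KRB_AP_ERR_TKT_EXPIRED} or
     *                           {@code KDC_ERR_NEVER_VALID} (endtime before starttime, or a
     *                           lifetime shorter than the allowable clock skew)
     */
    private static void processTimes(KdcServer kdcServer, KdcReq kdcReq, EncTicketPart encTicketPart, Ticket ticket) throws KerberosException {
        KdcReqBody body = kdcReq.getKdcReqBody();
        EncTicketPart tgtPart = ticket.getEncTicketPart();
        KerberosTime now = new KerberosTime();
        KerberosTime endTime;

        encTicketPart.setAuthTime(tgtPart.getAuthTime());

        KerberosTime from = body.getFrom();
        boolean postdatedRequested = body.getKdcOptions().get(6);
        if (from == null || from.lessThan(now) || (from.isInClockSkew(kdcServer.getAllowableClockSkew()) && !postdatedRequested)) {
            from = now;
        }
        // A start time in the future (beyond skew) is only acceptable for a POSTDATED request
        // on a TGT that carries MAY-POSTDATE.
        if (from != null && from.greaterThan(now) && !from.isInClockSkew(kdcServer.getAllowableClockSkew())
            && (!postdatedRequested || !tgtPart.getFlags().isMayPosdate())) {
            throw new KerberosException(ErrorType.KDC_ERR_CANNOT_POSTDATE);
        }

        KerberosTime requestedRenewTill = null;
        if (!body.getKdcOptions().get(30)) {
            if (encTicketPart.getStartTime() == null) {
                encTicketPart.setStartTime(now);
            }
            KerberosTime till = body.getTill().isZero() ? KerberosTime.INFINITY : body.getTill();
            List<KerberosTime> endCandidates = new ArrayList<KerberosTime>();
            endCandidates.add(till);
            endCandidates.add(new KerberosTime(from.getTime() + kdcServer.getMaximumTicketLifetime()));
            endCandidates.add(tgtPart.getEndTime());
            endTime = Collections.min(endCandidates);
            encTicketPart.setEndTime(endTime);

            if (body.getKdcOptions().get(27) && endTime.lessThan(body.getTill()) && tgtPart.getFlags().isRenewable()) {
                if (!kdcServer.isRenewableAllowed()) {
                    throw new KerberosException(ErrorType.KDC_ERR_POLICY);
                }
                // RENEWABLE-OK: the request itself is upgraded to RENEWABLE so the block below applies.
                body.getKdcOptions().set(8);
                requestedRenewTill = new KerberosTime(Math.min(body.getTill().getTime(), tgtPart.getRenewTill().getTime()));
            }
        } else {
            if (!kdcServer.isRenewableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            if (!tgtPart.getFlags().isRenewable()) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            if (tgtPart.getRenewTill().lessThan(now)) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_EXPIRED);
            }
            echoTicket(encTicketPart, ticket);
            encTicketPart.setStartTime(now);
            KerberosTime oldStart = tgtPart.getStartTime() != null ? tgtPart.getStartTime() : tgtPart.getAuthTime();
            long oldLifetime = tgtPart.getEndTime().getTime() - oldStart.getTime();
            endTime = new KerberosTime(Math.min(tgtPart.getRenewTill().getTime(), now.getTime() + oldLifetime));
            encTicketPart.setEndTime(endTime);
        }

        if (requestedRenewTill == null) {
            requestedRenewTill = body.getRTime();
        }
        KerberosTime renewTillHint = (requestedRenewTill == null || !requestedRenewTill.isZero()) ? requestedRenewTill : KerberosTime.INFINITY;

        if (body.getKdcOptions().get(8) && tgtPart.getFlags().isRenewable()) {
            if (!kdcServer.isRenewableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            encTicketPart.setFlag(TicketFlag.RENEWABLE);
            List<KerberosTime> renewCandidates = new ArrayList<KerberosTime>();
            if (renewTillHint != null) {
                renewCandidates.add(renewTillHint);
            }
            renewCandidates.add(new KerberosTime(from.getTime() + kdcServer.getMaximumRenewableLifetime()));
            renewCandidates.add(tgtPart.getRenewTill());
            encTicketPart.setRenewTill(Collections.min(renewCandidates));
        }

        if (endTime.lessThan(from)) {
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID);
        }
        // A ticket whose whole lifetime fits inside the clock skew window is effectively never valid.
        if (Math.abs(from.getTime() - endTime.getTime()) < kdcServer.getAllowableClockSkew()) {
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID);
        }
    }

    /**
     * Copies the transited-realms field of the TGT into the new ticket unchanged (no transited
     * policy is evaluated here).
     */
    private static void processTransited(EncTicketPart encTicketPart, Ticket ticket) {
        encTicketPart.setTransited(ticket.getEncTicketPart().getTransited());
    }

    /**
     * Copies the encrypted part of {@code ticket} field by field into {@code encTicketPart}
     * (authorization data, times, addresses, cname, flags, session key, transited); used for
     * RENEW and VALIDATE, where the new ticket is a re-issue of the old one. Starttime and
     * crealm are not copied here.
     */
    private static void echoTicket(EncTicketPart encTicketPart, Ticket ticket) {
        EncTicketPart source = ticket.getEncTicketPart();
        encTicketPart.setAuthorizationData(source.getAuthorizationData());
        encTicketPart.setAuthTime(source.getAuthTime());
        encTicketPart.setClientAddresses(source.getClientAddresses());
        encTicketPart.setCName(source.getCName());
        encTicketPart.setEndTime(source.getEndTime());
        encTicketPart.setFlags(source.getFlags());
        encTicketPart.setRenewTill(source.getRenewTill());
        encTicketPart.setKey(source.getKey());
        encTicketPart.setTransited(source.getTransited());
    }

    /**
     * Looks a principal up in the store and checks that it has at least one key.
     * <p>
     * Only the store access is guarded by the catch-all; the "no key" case is reported as
     * {@code KDC_ERR_NULL_KEY}. (Previously that throw sat inside the try block, where the
     * catch-all re-wrapped it as {@code errorType} and the more specific error was lost.)
     *
     * @param kerberosPrincipal the principal to look up
     * @param principalStore    the backing store
     * @param errorType         error to report when the principal is missing or the lookup fails
     * @return the store entry, never {@code null}
     * @throws KerberosException {@code errorType} when the principal is unknown or the store
     *                           throws (cause preserved); {@code KDC_ERR_NULL_KEY} when the
     *                           entry has no keys
     */
    public static PrincipalStoreEntry getEntry(KerberosPrincipal kerberosPrincipal, PrincipalStore principalStore, ErrorType errorType) throws KerberosException {
        PrincipalStoreEntry entry;
        try {
            entry = principalStore.getPrincipal(kerberosPrincipal);
        } catch (Exception e) {
            throw new KerberosException(errorType, e);
        }
        if (entry == null) {
            throw new KerberosException(errorType);
        }
        if (entry.getKeyMap() == null || entry.getKeyMap().isEmpty()) {
            throw new KerberosException(ErrorType.KDC_ERR_NULL_KEY);
        }
        return entry;
    }

    /**
     * Verifies an AP-REQ against the service key and returns its decrypted authenticator.
     * <p>
     * Steps, in order: version/message-type checks; ticket decryption with the service key (or
     * the ticket's own session key when AP option bit 1, USE-SESSION-KEY, is set); authenticator
     * decryption with the ticket session key; client name match between authenticator and
     * ticket; client address check; replay detection; authenticator clock-skew check; ticket
     * validity window (start time reached, INVALID flag only accepted when {@code z2}, end time
     * not passed).
     * <p>
     * Side effects: {@code ticket} receives its decrypted {@link EncTicketPart}, the replay cache
     * records the authenticator, and AP option bit 2 is set on {@code apReq} (reason not
     * visible in this file).
     * <p>
     * NOTE(review): only the client name string is compared with the ticket's cname; the
     * authenticator's crealm is not compared with the ticket's crealm.
     *
     * @param apReq              the AP-REQ from PA-TGS-REQ
     * @param ticket             the ticket it carries (decrypted in place)
     * @param encryptionKey      long-term key of the ticket's service, may be {@code null}
     * @param j                  allowable clock skew in milliseconds, as used by
     *                           {@code KerberosTime.isInClockSkew}
     * @param replayCache        replay cache, or {@code null} to skip replay detection
     * @param z                  whether a ticket without client addresses is acceptable
     * @param inetAddress        the address the request came from
     * @param cipherTextHandler2 handler used for decryption
     * @param keyUsage           key usage number for the authenticator decryption
     * @param z2                 whether an INVALID ticket may be accepted (VALIDATE request)
     * @return the decoded, verified authenticator
     * @throws KerberosException with the KRB_AP_ERR_* code of the first failed check
     */
    public static Authenticator verifyAuthHeader(ApReq apReq, Ticket ticket, EncryptionKey encryptionKey, long j, ReplayCache replayCache, boolean z, InetAddress inetAddress, CipherTextHandler cipherTextHandler2, KeyUsage keyUsage, boolean z2) throws KerberosException {
        if (apReq.getProtocolVersionNumber() != 5) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_BADVERSION);
        }
        if (apReq.getMessageType() != KerberosMessageType.AP_REQ) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_MSG_TYPE);
        }
        if (apReq.getTicket().getTktVno() != 5) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_BADVERSION);
        }

        // AP option bit 1 (USE-SESSION-KEY): the ticket is sealed under its own session key.
        EncryptionKey ticketKey = apReq.getOption(1) ? apReq.getTicket().getEncTicketPart().getKey() : encryptionKey;
        if (ticketKey == null) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_NOKEY);
        }
        ticket.setEncTicketPart(KerberosDecoder.decodeEncTicketPart(
            cipherTextHandler2.decrypt(ticketKey, ticket.getEncPart(), KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY)));
        EncTicketPart ticketPart = ticket.getEncTicketPart();

        Authenticator authenticator = KerberosDecoder.decodeAuthenticator(
            cipherTextHandler2.decrypt(ticketPart.getKey(), apReq.getAuthenticator(), keyUsage));
        if (!authenticator.getCName().getNameString().equals(ticketPart.getCName().getNameString())) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_BADMATCH);
        }

        HostAddresses ticketAddresses = ticketPart.getClientAddresses();
        if (ticketAddresses != null) {
            if (!ticketAddresses.contains(new HostAddress(inetAddress))) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_BADADDR);
            }
        } else if (!z) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_BADADDR);
        }

        KerberosPrincipal serverPrincipal = KerberosUtils.getKerberosPrincipal(ticket.getSName(), ticket.getRealm());
        KerberosPrincipal clientPrincipal = KerberosUtils.getKerberosPrincipal(authenticator.getCName(), authenticator.getCRealm());
        KerberosTime ctime = authenticator.getCtime();
        int cusec = authenticator.getCusec();
        if (replayCache != null) {
            if (replayCache.isReplay(serverPrincipal, clientPrincipal, ctime, cusec)) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_REPEAT);
            }
            replayCache.save(serverPrincipal, clientPrincipal, ctime, cusec);
        }

        if (!authenticator.getCtime().isInClockSkew(j)) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_SKEW);
        }

        // Validity window; note no clock-skew tolerance is applied to the start/end comparison.
        KerberosTime startTime = ticketPart.getStartTime() != null ? ticketPart.getStartTime() : ticketPart.getAuthTime();
        KerberosTime now = new KerberosTime();
        boolean notYetStarted = !startTime.lessThan(now);
        boolean invalidAndNotValidating = ticketPart.getFlags().isInvalid() && !z2;
        if (notYetStarted || invalidAndNotValidating) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_NYV);
        }
        if (!ticketPart.getEndTime().greaterThan(now)) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_EXPIRED);
        }

        apReq.getApOptions().set(2);
        return authenticator;
    }
}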
