package org.apache.directory.kerberos.client;

import java.io.IOException;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.text.ParseException;
import java.util.Iterator;
import java.util.List;
import org.apache.directory.api.asn1.Asn1Object;
import org.apache.directory.api.asn1.ber.Asn1Decoder;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswdErrorType;
import org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException;
import org.apache.directory.server.kerberos.changepwd.io.ChangePasswordDecoder;
import org.apache.directory.server.kerberos.changepwd.io.ChangePasswordEncoder;
import org.apache.directory.server.kerberos.changepwd.messages.AbstractPasswordMessage;
import org.apache.directory.server.kerberos.changepwd.messages.ChangePasswordError;
import org.apache.directory.server.kerberos.changepwd.messages.ChangePasswordReply;
import org.apache.directory.server.kerberos.changepwd.messages.ChangePasswordRequest;
import org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder;
import org.apache.directory.server.kerberos.protocol.codec.KerberosEncoder;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.KerberosMessageContainer;
import org.apache.directory.shared.kerberos.codec.options.ApOptions;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.codec.types.PaDataType;
import org.apache.directory.shared.kerberos.codec.types.PrincipalNameType;
import org.apache.directory.shared.kerberos.components.EncKdcRepPart;
import org.apache.directory.shared.kerberos.components.EncKrbPrivPart;
import org.apache.directory.shared.kerberos.components.EncryptedData;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.components.HostAddress;
import org.apache.directory.shared.kerberos.components.HostAddresses;
import org.apache.directory.shared.kerberos.components.KdcReqBody;
import org.apache.directory.shared.kerberos.components.PaData;
import org.apache.directory.shared.kerberos.components.PaEncTsEnc;
import org.apache.directory.shared.kerberos.components.PrincipalName;
import org.apache.directory.shared.kerberos.exceptions.ErrorType;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
import org.apache.directory.shared.kerberos.messages.ApReq;
import org.apache.directory.shared.kerberos.messages.AsRep;
import org.apache.directory.shared.kerberos.messages.AsReq;
import org.apache.directory.shared.kerberos.messages.Authenticator;
import org.apache.directory.shared.kerberos.messages.ChangePasswdData;
import org.apache.directory.shared.kerberos.messages.EncTgsRepPart;
import org.apache.directory.shared.kerberos.messages.KerberosMessage;
import org.apache.directory.shared.kerberos.messages.KrbError;
import org.apache.directory.shared.kerberos.messages.KrbPriv;
import org.apache.directory.shared.kerberos.messages.TgsRep;
import org.apache.directory.shared.kerberos.messages.TgsReq;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/kerberos/client/KdcConnection.class */
public class KdcConnection {
    private static final Logger LOG = LoggerFactory.getLogger(KdcConnection.class);
    static final String TIME_OUT_ERROR = "TimeOut occured";
    private KdcConfig config;
    private SecureRandom nonceGenerator = new SecureRandom(String.valueOf(System.currentTimeMillis()).getBytes());
    private CipherTextHandler cipherTextHandler = new CipherTextHandler();
    private KerberosChannel channel = new KerberosChannel();

    public KdcConnection(KdcConfig kdcConfig) {
        this.config = kdcConfig;
    }

    private void connect() throws IOException {
        this.channel.openConnection(this.config.getHostName(), this.config.getKdcPort(), this.config.getTimeout(), this.config.isUseUdp());
    }

    public TgTicket getTgt(String str, String str2) throws Exception {
        TgtRequest tgtRequest = new TgtRequest();
        tgtRequest.setClientPrincipal(str);
        tgtRequest.setPassword(str2);
        return getTgt(tgtRequest);
    }

    public ServiceTicket getServiceTicket(String str, String str2, String str3) throws KerberosException {
        TgtRequest tgtRequest = new TgtRequest();
        tgtRequest.setClientPrincipal(str);
        tgtRequest.setPassword(str2);
        return getServiceTicket(new ServiceTicketRequest(getTgt(tgtRequest), str3));
    }

    public TgTicket getTgt(TgtRequest tgtRequest) throws KerberosException {
        TgTicket tgTicket = null;
        KerberosException kerberosException = null;
        for (int i = 0; i < 2; i++) {
            kerberosException = null;
            try {
                tgTicket = _getTgt(tgtRequest);
            } catch (KerberosException e) {
                kerberosException = e;
            }
            if (kerberosException != null && kerberosException.getErrorCode() == ErrorType.KDC_ERR_PREAUTH_REQUIRED.getValue()) {
                tgtRequest.setETypes(KdcClientUtil.getEtypesFromError(kerberosException.getError()));
                tgtRequest.setPreAuthEnabled(true);
            }
        }
        if (kerberosException != null) {
            throw kerberosException;
        }
        return tgTicket;
    }

    TgTicket _getTgt(TgtRequest tgtRequest) throws KerberosException {
        EncKdcRepPart encKdcRepPart;
        String realm = tgtRequest.getRealm();
        if (tgtRequest.getServerPrincipal() == null) {
            tgtRequest.setServerPrincipal("krbtgt/" + realm + "@" + realm);
        }
        if (tgtRequest.getETypes() == null) {
            tgtRequest.setETypes(this.config.getEncryptionTypes());
        }
        KdcReqBody kdcReqBody = new KdcReqBody();
        kdcReqBody.setFrom(new KerberosTime(tgtRequest.getStartTime()));
        try {
            PrincipalName principalName = new PrincipalName(tgtRequest.getCName(), PrincipalNameType.KRB_NT_PRINCIPAL);
            kdcReqBody.setCName(principalName);
            kdcReqBody.setRealm(realm);
            kdcReqBody.setSName(new PrincipalName(tgtRequest.getSName(), PrincipalNameType.KRB_NT_SRV_INST));
            kdcReqBody.setTill(new KerberosTime(tgtRequest.getExpiryTime()));
            int nextInt = this.nonceGenerator.nextInt();
            kdcReqBody.setNonce(nextInt);
            kdcReqBody.setEType(tgtRequest.getETypes());
            kdcReqBody.setKdcOptions(tgtRequest.getOptions());
            List<HostAddress> hostAddresses = tgtRequest.getHostAddresses();
            if (!hostAddresses.isEmpty()) {
                HostAddresses hostAddresses2 = new HostAddresses();
                Iterator<HostAddress> it = hostAddresses.iterator();
                while (it.hasNext()) {
                    hostAddresses2.addHostAddress(it.next());
                }
                kdcReqBody.setAddresses(hostAddresses2);
            }
            EncryptionType next = tgtRequest.getETypes().iterator().next();
            EncryptionKey string2Key = KerberosKeyFactory.string2Key(tgtRequest.getClientPrincipal(), tgtRequest.getPassword(), next);
            AsReq asReq = new AsReq();
            asReq.setKdcReqBody(kdcReqBody);
            if (tgtRequest.isPreAuthEnabled()) {
                PaEncTsEnc paEncTsEnc = new PaEncTsEnc();
                paEncTsEnc.setPaTimestamp(new KerberosTime());
                EncryptedData encrypt = this.cipherTextHandler.encrypt(string2Key, getEncoded(paEncTsEnc), KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY);
                PaData paData = new PaData();
                paData.setPaDataType(PaDataType.PA_ENC_TIMESTAMP);
                paData.setPaDataValue(getEncoded(encrypt));
                asReq.addPaData(paData);
            }
            try {
                try {
                    try {
                        connect();
                        KrbError sendAndReceiveKrbMsg = sendAndReceiveKrbMsg(asReq);
                        if (sendAndReceiveKrbMsg == null) {
                            LOG.error("Authentication failed : timeout occured");
                            throw new KerberosException(ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR);
                        }
                        if (sendAndReceiveKrbMsg instanceof KrbError) {
                            LOG.debug("Authentication failed : {}", sendAndReceiveKrbMsg);
                            throw new KerberosException(sendAndReceiveKrbMsg);
                        }
                        AsRep asRep = (AsRep) sendAndReceiveKrbMsg;
                        if (!principalName.getNameString().equals(asRep.getCName().getNameString())) {
                            throw new KerberosException(ErrorType.KDC_ERR_CLIENT_NAME_MISMATCH);
                        }
                        if (!realm.equals(asRep.getCRealm())) {
                            throw new KerberosException(ErrorType.KRB_ERR_WRONG_REALM);
                        }
                        if (next != asRep.getEncPart().getEType()) {
                            string2Key = KerberosKeyFactory.string2Key(tgtRequest.getClientPrincipal(), tgtRequest.getPassword(), asRep.getEncPart().getEType());
                        }
                        byte[] decrypt = this.cipherTextHandler.decrypt(string2Key, asRep.getEncPart(), KeyUsage.AS_REP_ENC_PART_WITH_CKEY);
                        try {
                            encKdcRepPart = KerberosDecoder.decodeEncAsRepPart(decrypt).getEncKdcRepPart();
                        } catch (KerberosException e) {
                            LOG.info("Trying an encTgsRepPart instead");
                            encKdcRepPart = KerberosDecoder.decodeEncTgsRepPart(decrypt).getEncKdcRepPart();
                        }
                        if (nextInt != encKdcRepPart.getNonce()) {
                            throw new KerberosException(ErrorType.KRB_ERR_GENERIC, "received nonce didn't match with the nonce sent in the request");
                        }
                        if (!encKdcRepPart.getSName().getNameString().equals(tgtRequest.getSName())) {
                            throw new KerberosException(ErrorType.KDC_ERR_SERVER_NOMATCH);
                        }
                        if (!encKdcRepPart.getSRealm().equals(tgtRequest.getRealm())) {
                            throw new KerberosException(ErrorType.KRB_ERR_GENERIC, "received server realm does not match with requested server realm");
                        }
                        List<HostAddress> hostAddresses3 = tgtRequest.getHostAddresses();
                        if (!hostAddresses3.isEmpty()) {
                            HostAddresses clientAddresses = encKdcRepPart.getClientAddresses();
                            for (HostAddress hostAddress : hostAddresses3) {
                                if (!clientAddresses.contains(hostAddress)) {
                                    throw new KerberosException(ErrorType.KRB_ERR_GENERIC, "requested client address" + hostAddress + " is not found in the ticket");
                                }
                            }
                        }
                        LOG.debug("Authentication successful : {}", sendAndReceiveKrbMsg);
                        TgTicket tgTicket = new TgTicket(asRep.getTicket(), encKdcRepPart, asRep.getCName().getNameString());
                        if (this.channel != null) {
                            try {
                                this.channel.close();
                            } catch (IOException e2) {
                                LOG.warn("Failed to close the channel", e2);
                            }
                        }
                        return tgTicket;
                    } catch (KerberosException e3) {
                        throw e3;
                    }
                } catch (Exception e4) {
                    LOG.error("Authentication failed");
                    throw new KerberosException(ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR);
                }
            } catch (Throwable th) {
                if (this.channel != null) {
                    try {
                        this.channel.close();
                    } catch (IOException e5) {
                        LOG.warn("Failed to close the channel", e5);
                    }
                }
                throw th;
            }
        } catch (ParseException e6) {
            throw new IllegalArgumentException("Couldn't parse the given principals", e6);
        }
    }

    private ServiceTicket getServiceTicket(ServiceTicketRequest serviceTicketRequest) throws KerberosException {
        String serverPrincipal = serviceTicketRequest.getServerPrincipal();
        EncryptionKey sessionKey = serviceTicketRequest.getTgt().getSessionKey();
        Authenticator authenticator = new Authenticator();
        try {
            authenticator.setCName(new PrincipalName(serviceTicketRequest.getTgt().getClientName(), PrincipalNameType.KRB_NT_PRINCIPAL));
            authenticator.setCRealm(serviceTicketRequest.getTgt().getRealm());
            authenticator.setCTime(new KerberosTime());
            authenticator.setCusec(0);
            if (serviceTicketRequest.getSubSessionKey() != null) {
                sessionKey = serviceTicketRequest.getSubSessionKey();
                authenticator.setSubKey(sessionKey);
            }
            EncryptedData encrypt = this.cipherTextHandler.encrypt(sessionKey, getEncoded(authenticator), KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_TGS_SESS_KEY);
            ApReq apReq = new ApReq();
            apReq.setAuthenticator(encrypt);
            apReq.setTicket(serviceTicketRequest.getTgt().getTicket());
            apReq.setApOptions(serviceTicketRequest.getApOptions());
            KdcReqBody kdcReqBody = new KdcReqBody();
            kdcReqBody.setKdcOptions(serviceTicketRequest.getKdcOptions());
            kdcReqBody.setRealm(KdcClientUtil.extractRealm(serverPrincipal));
            kdcReqBody.setTill(getDefaultTill());
            int nextInt = this.nonceGenerator.nextInt();
            kdcReqBody.setNonce(nextInt);
            kdcReqBody.setEType(this.config.getEncryptionTypes());
            kdcReqBody.setSName(new PrincipalName(KdcClientUtil.extractName(serverPrincipal), 3));
            TgsReq tgsReq = new TgsReq();
            tgsReq.setKdcReqBody(kdcReqBody);
            PaData paData = new PaData();
            paData.setPaDataType(PaDataType.PA_TGS_REQ);
            paData.setPaDataValue(getEncoded(apReq));
            tgsReq.addPaData(paData);
            try {
                try {
                    try {
                        connect();
                        KrbError sendAndReceiveKrbMsg = sendAndReceiveKrbMsg(tgsReq);
                        if (sendAndReceiveKrbMsg == null) {
                            LOG.error("TGT request failed : timeout occured");
                            throw new KerberosException(ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR);
                        }
                        if (sendAndReceiveKrbMsg instanceof KrbError) {
                            LOG.debug("TGT request failed : {}", sendAndReceiveKrbMsg);
                            throw new KerberosException(sendAndReceiveKrbMsg);
                        }
                        TgsRep tgsRep = (TgsRep) sendAndReceiveKrbMsg;
                        EncTgsRepPart decodeEncTgsRepPart = KerberosDecoder.decodeEncTgsRepPart(this.cipherTextHandler.decrypt(sessionKey, tgsRep.getEncPart(), KeyUsage.TGS_REP_ENC_PART_TGS_SESS_KEY));
                        if (nextInt != decodeEncTgsRepPart.getEncKdcRepPart().getNonce()) {
                            throw new KerberosException(ErrorType.KRB_ERR_GENERIC, "received nonce didn't match with the nonce sent in the request");
                        }
                        LOG.debug("TGT request successful : {}", tgsRep);
                        ServiceTicket serviceTicket = new ServiceTicket(tgsRep.getTicket(), decodeEncTgsRepPart.getEncKdcRepPart());
                        if (this.channel != null) {
                            try {
                                this.channel.close();
                            } catch (IOException e) {
                                LOG.warn("Failed to close the channel", e);
                            }
                        }
                        return serviceTicket;
                    } catch (Throwable th) {
                        if (this.channel != null) {
                            try {
                                this.channel.close();
                            } catch (IOException e2) {
                                LOG.warn("Failed to close the channel", e2);
                            }
                        }
                        throw th;
                    }
                } catch (KerberosException e3) {
                    throw e3;
                }
            } catch (Exception e4) {
                LOG.error("TGT request failed : timeout occured");
                throw new KerberosException(ErrorType.KRB_ERR_GENERIC, TIME_OUT_ERROR);
            }
        } catch (ParseException e5) {
            throw new IllegalArgumentException("Couldn't parse the given principal", e5);
        }
    }

    public ChangePasswordResult changePassword(String str, String str2, String str3) throws ChangePasswordException {
        KerberosChannel kerberosChannel = null;
        try {
            try {
                TgtRequest tgtRequest = new TgtRequest();
                tgtRequest.setClientPrincipal(str);
                tgtRequest.setPassword(str2);
                tgtRequest.setServerPrincipal("kadmin/changepw@" + KdcClientUtil.extractRealm(str));
                TgTicket tgt = getTgt(tgtRequest);
                ApReq apReq = new ApReq();
                apReq.setApOptions(new ApOptions());
                apReq.setTicket(tgt.getTicket());
                Authenticator authenticator = new Authenticator();
                authenticator.setCName(new PrincipalName(tgt.getClientName(), PrincipalNameType.KRB_NT_PRINCIPAL));
                authenticator.setCRealm(tgt.getRealm());
                authenticator.setCTime(new KerberosTime());
                authenticator.setCusec(0);
                authenticator.setSeqNumber(this.nonceGenerator.nextInt());
                EncryptionKey randomKey = RandomKeyFactory.getRandomKey(tgt.getEncKdcRepPart().getKey().getKeyType());
                authenticator.setSubKey(randomKey);
                apReq.setAuthenticator(this.cipherTextHandler.encrypt(tgt.getSessionKey(), getEncoded(authenticator), KeyUsage.AP_REQ_AUTHNT_SESS_KEY));
                KrbPriv krbPriv = new KrbPriv();
                EncKrbPrivPart encKrbPrivPart = new EncKrbPrivPart();
                encKrbPrivPart.setSenderAddress(new HostAddress(InetAddress.getLocalHost()));
                encKrbPrivPart.setSeqNumber(authenticator.getSeqNumber().intValue());
                encKrbPrivPart.setTimestamp(authenticator.getCtime());
                short s = -128;
                if (this.config.isUseLegacyChngPwdProtocol()) {
                    encKrbPrivPart.setUserData(Strings.getBytesUtf8(str3));
                    s = 1;
                } else {
                    ChangePasswdData changePasswdData = new ChangePasswdData();
                    changePasswdData.setNewPasswd(Strings.getBytesUtf8(str3));
                    encKrbPrivPart.setUserData(getEncoded(changePasswdData));
                }
                krbPriv.setEncPart(this.cipherTextHandler.encrypt(randomKey, getEncoded(encKrbPrivPart), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY));
                ChangePasswordRequest changePasswordRequest = new ChangePasswordRequest(s, apReq, krbPriv);
                KerberosChannel kerberosChannel2 = new KerberosChannel();
                kerberosChannel2.openConnection(this.config.getHostName(), this.config.getPasswdPort(), this.config.getTimeout(), this.config.isUseUdp());
                ChangePasswordError sendAndReceiveChngPwdMsg = sendAndReceiveChngPwdMsg(changePasswordRequest, kerberosChannel2);
                if (sendAndReceiveChngPwdMsg instanceof ChangePasswordError) {
                    ChangePasswordResult changePasswordResult = new ChangePasswordResult(sendAndReceiveChngPwdMsg.getKrbError().getEData());
                    if (kerberosChannel2 != null) {
                        try {
                            kerberosChannel2.close();
                        } catch (IOException e) {
                            LOG.warn("Failed to close the channel", e);
                        }
                    }
                    return changePasswordResult;
                }
                ChangePasswordResult changePasswordResult2 = new ChangePasswordResult(KerberosDecoder.decodeEncKrbPrivPart(this.cipherTextHandler.decrypt(randomKey, ((ChangePasswordReply) sendAndReceiveChngPwdMsg).getPrivateMessage().getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY)).getUserData());
                if (kerberosChannel2 != null) {
                    try {
                        kerberosChannel2.close();
                    } catch (IOException e2) {
                        LOG.warn("Failed to close the channel", e2);
                    }
                }
                return changePasswordResult2;
            } catch (Exception e3) {
                LOG.warn("failed to change the password", e3);
                throw new ChangePasswordException(ChangePasswdErrorType.KRB5_KPASSWD_HARDERROR, e3);
            } catch (ChangePasswordException e4) {
                throw e4;
            }
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    kerberosChannel.close();
                } catch (IOException e5) {
                    LOG.warn("Failed to close the channel", e5);
                }
            }
            throw th;
        }
    }

    private byte[] getEncoded(Asn1Object asn1Object) {
        try {
            ByteBuffer allocate = ByteBuffer.allocate(asn1Object.computeLength());
            asn1Object.encode(allocate);
            return allocate.array();
        } catch (Exception e) {
            LOG.error("Failed to encode the ASN.1 object {}", asn1Object);
            throw new RuntimeException(e);
        }
    }

    private KerberosTime getDefaultTill() {
        return new KerberosTime(System.currentTimeMillis() + 3600000);
    }

    private KerberosMessage sendAndReceiveKrbMsg(KerberosMessage kerberosMessage) throws Exception {
        ByteBuffer encode = KerberosEncoder.encode(kerberosMessage, this.channel.isUseTcp());
        encode.flip();
        ByteBuffer sendAndReceive = this.channel.sendAndReceive(encode);
        KerberosMessageContainer kerberosMessageContainer = new KerberosMessageContainer();
        kerberosMessageContainer.setStream(sendAndReceive);
        kerberosMessageContainer.setGathering(true);
        kerberosMessageContainer.setTCP(this.channel.isUseTcp());
        return (KerberosMessage) KerberosDecoder.decode(kerberosMessageContainer, new Asn1Decoder());
    }

    private AbstractPasswordMessage sendAndReceiveChngPwdMsg(AbstractPasswordMessage abstractPasswordMessage, KerberosChannel kerberosChannel) throws Exception {
        ByteBuffer encode = ChangePasswordEncoder.encode(abstractPasswordMessage, kerberosChannel.isUseTcp());
        encode.flip();
        return ChangePasswordDecoder.decode(kerberosChannel.sendAndReceive(encode), kerberosChannel.isUseTcp());
    }
}
