package com.sun.xml.ws.security.kerb;

import com.sun.xml.ws.security.jgss.XWSSProvider;
import java.security.Provider;
import java.util.Vector;
import javax.security.auth.kerberos.ServicePermission;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import sun.security.jgss.GSSUtil;
import sun.security.jgss.spi.GSSContextSpi;
import sun.security.jgss.spi.GSSCredentialSpi;
import sun.security.jgss.spi.GSSNameSpi;
import sun.security.jgss.spi.MechanismFactory;

/* loaded from: input_file:spg-ui-war-2.1.43rel-2.1.24.war:WEB-INF/lib/xws-security-3.0.jar:com/sun/xml/ws/security/kerb/Krb5MechFactory.class */
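/**
 * GSS-API mechanism factory for the Kerberos v5 mechanism (OID 1.2.840.113554.1.2.2).
 *
 * <p>Creates Kerberos name, credential and context elements for the GSS framework and applies
 * {@link ServicePermission} checks before handing out credentials.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The permission checks in {@link #checkInitCredPermission} and
 *       {@link #checkAcceptCredPermission} run only when a {@link SecurityManager} is installed.
 *       Without one, no check is made here, so access control must be enforced elsewhere.</li>
 *   <li>The class depends on JDK-internal {@code sun.security.jgss} types.</li>
 * </ul>
 */
public final class Krb5MechFactory implements MechanismFactory {
    private static final boolean DEBUG = Krb5Util.DEBUG;
    static final Provider PROVIDER = new XWSSProvider();
    /** Kerberos v5 GSS-API mechanism OID. */
    static final Oid GSS_KRB5_MECH_OID = createOid("1.2.840.113554.1.2.2");
    /** Kerberos v5 principal name type OID. */
    static final Oid NT_GSS_KRB5_PRINCIPAL = createOid("1.2.840.113554.1.2.2.1");
    // Never handed out directly: getNameTypes() returns a copy so callers cannot alter the
    // set of name types advertised by every factory instance.
    private static final Oid[] nameTypes = {GSSName.NT_USER_NAME, GSSName.NT_HOSTBASED_SERVICE, GSSName.NT_EXPORT_NAME, NT_GSS_KRB5_PRINCIPAL};
    // Opaque caller identifier forwarded unchanged to the credential and context constructors.
    private final int caller;

    /**
     * Looks for an existing Kerberos credential via {@code GSSUtil.searchSubject} and, if one is
     * found, runs the matching permission check before returning it.
     *
     * @param gSSNameSpi name to match, may be {@code null}
     * @param z {@code true} to look for an initiate credential, {@code false} for an accept credential
     * @return the first matching credential, or {@code null} when none was found
     * @throws GSSException if the subject search fails
     * @throws SecurityException if a security manager denies access to the credential
     */
    private static Krb5CredElement getCredFromSubject(GSSNameSpi gSSNameSpi, boolean z) throws GSSException {
        Vector searchSubject = GSSUtil.searchSubject(gSSNameSpi, GSS_KRB5_MECH_OID, z, z ? Krb5InitCredential.class : Krb5AcceptCredential.class);
        if (searchSubject == null || searchSubject.isEmpty()) {
            return null;
        }
        Krb5CredElement krb5CredElement = (Krb5CredElement) searchSubject.firstElement();
        if (krb5CredElement != null) {
            // A credential found in the subject is subject to the same permission check as a
            // freshly acquired one.
            if (z) {
                checkInitCredPermission((Krb5NameElement) krb5CredElement.getName());
            } else {
                checkAcceptCredPermission((Krb5NameElement) krb5CredElement.getName(), gSSNameSpi);
            }
        }
        return krb5CredElement;
    }

    /**
     * @param i caller identifier passed through to the credentials and contexts this factory creates
     */
    public Krb5MechFactory(int i) {
        this.caller = i;
    }

    /**
     * Creates a Kerberos name element from a string name.
     *
     * @param str the name
     * @param oid the name type
     * @throws GSSException if the name element cannot be created
     */
    public GSSNameSpi getNameElement(String str, Oid oid) throws GSSException {
        return Krb5NameElement.getInstance(str, oid);
    }

    /**
     * Creates a Kerberos name element from the byte form of a name.
     *
     * @param bArr the name bytes
     * @param oid the name type
     * @throws GSSException if the name element cannot be created
     */
    public GSSNameSpi getNameElement(byte[] bArr, Oid oid) throws GSSException {
        // NOTE(review): new String(byte[]) decodes with the platform default charset, so the
        // same bytes can yield different principal names on differently configured hosts.
        // Confirm the intended encoding before pinning an explicit charset here.
        return Krb5NameElement.getInstance(new String(bArr), oid);
    }

    /**
     * Returns a Kerberos credential for the given name and usage, preferring one found through
     * the subject search and otherwise acquiring a new one.
     *
     * @param gSSNameSpi requested name, may be {@code null}; a non-Kerberos name element is
     *     converted from its string form first
     * @param i initiator lifetime, passed to {@code Krb5InitCredential.getInstance}
     * @param i2 acceptor lifetime; not used by this implementation
     * @param i3 usage: 0 (initiate and accept), 1 (initiate only) or 2 (accept only), matching
     *     the {@code org.ietf.jgss.GSSCredential} usage constants
     * @throws GSSException with major code {@link GSSException#FAILURE} for any other usage
     *     value, or if acquisition fails
     * @throws SecurityException if a security manager denies access to the credential
     */
    public GSSCredentialSpi getCredentialElement(GSSNameSpi gSSNameSpi, int i, int i2, int i3) throws GSSException {
        if (gSSNameSpi != null && !(gSSNameSpi instanceof Krb5NameElement)) {
            gSSNameSpi = Krb5NameElement.getInstance(gSSNameSpi.toString(), gSSNameSpi.getStringNameType());
        }
        // Every usage except accept-only (2) is looked up as an initiate credential.
        Krb5CredElement credFromSubject = getCredFromSubject(gSSNameSpi, i3 != 2);
        if (credFromSubject == null) {
            if (i3 == 1 || i3 == 0) {
                credFromSubject = Krb5InitCredential.getInstance(this.caller, (Krb5NameElement) gSSNameSpi, i);
                checkInitCredPermission((Krb5NameElement) credFromSubject.getName());
            } else {
                if (i3 != 2) {
                    throw new GSSException(GSSException.FAILURE, -1, "Unknown usage mode requested");
                }
                credFromSubject = Krb5AcceptCredential.getInstance(this.caller, (Krb5NameElement) gSSNameSpi);
                checkAcceptCredPermission((Krb5NameElement) credFromSubject.getName(), gSSNameSpi);
            }
        }
        return credFromSubject;
    }

    /**
     * Checks that the caller holds {@code ServicePermission("krbtgt/REALM@REALM", "initiate")}
     * for the realm of the given name. Does nothing when no security manager is installed.
     *
     * @param krb5NameElement name whose realm is checked
     * @throws SecurityException if the security manager denies the permission
     */
    public static void checkInitCredPermission(Krb5NameElement krb5NameElement) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            String realmAsString = krb5NameElement.getKrb5PrincipalName().getRealmAsString();
            String tgtPrincipal = "krbtgt/" + realmAsString + '@' + realmAsString;
            try {
                securityManager.checkPermission(new ServicePermission(tgtPrincipal, "initiate"));
            } catch (SecurityException e) {
                if (DEBUG) {
                    System.out.println("Permission to initiatekerberos init credential" + e.getMessage());
                }
                throw e;
            }
        }
    }

    /**
     * Checks that the caller holds {@code ServicePermission(principal, "accept")} for the given
     * name. Does nothing when no security manager is installed.
     *
     * @param krb5NameElement name of the credential being handed out
     * @param gSSNameSpi the name the caller originally asked for, or {@code null} if none
     * @throws SecurityException if the security manager denies the permission
     */
    public static void checkAcceptCredPermission(Krb5NameElement krb5NameElement, GSSNameSpi gSSNameSpi) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            try {
                securityManager.checkPermission(new ServicePermission(krb5NameElement.getKrb5PrincipalName().getName(), "accept"));
            } catch (SecurityException e) {
                if (gSSNameSpi == null) {
                    // The caller named no principal, so the denial is reported with a generic
                    // message and without chaining the original exception; presumably this keeps
                    // the principal name out of the error. Keep it that way.
                    throw new SecurityException("No permission to acquire Kerberos accept credential");
                }
                throw e;
            }
        }
    }

    /**
     * Creates an initiator-side context for the given peer.
     *
     * @param gSSNameSpi peer name, may be {@code null}; a non-Kerberos name element is converted
     *     from its string form first
     * @param gSSCredentialSpi credential to use; when {@code null} an initiate-only credential
     *     is obtained through {@link #getCredentialElement}
     * @param i lifetime, passed both to the credential lookup and to the context
     * @throws GSSException if the name or credential cannot be obtained
     */
    public GSSContextSpi getMechanismContext(GSSNameSpi gSSNameSpi, GSSCredentialSpi gSSCredentialSpi, int i) throws GSSException {
        if (gSSNameSpi != null && !(gSSNameSpi instanceof Krb5NameElement)) {
            gSSNameSpi = Krb5NameElement.getInstance(gSSNameSpi.toString(), gSSNameSpi.getStringNameType());
        }
        if (gSSCredentialSpi == null) {
            gSSCredentialSpi = getCredentialElement(null, i, 0, 1);
        }
        return new Krb5Context(this.caller, (Krb5NameElement) gSSNameSpi, (Krb5CredElement) gSSCredentialSpi, i);
    }

    /**
     * Creates an acceptor-side context.
     *
     * @param gSSCredentialSpi credential to use; when {@code null} an accept-only credential is
     *     obtained through {@link #getCredentialElement}
     * @throws GSSException if the credential cannot be obtained
     */
    public GSSContextSpi getMechanismContext(GSSCredentialSpi gSSCredentialSpi) throws GSSException {
        if (gSSCredentialSpi == null) {
            gSSCredentialSpi = getCredentialElement(null, 0, Integer.MAX_VALUE, 2);
        }
        return new Krb5Context(this.caller, (Krb5CredElement) gSSCredentialSpi);
    }

    /**
     * Creates a context from a byte array by passing it to {@code Krb5Context}.
     *
     * @param bArr the bytes handed to the context constructor
     * @throws GSSException if the context cannot be created
     */
    public GSSContextSpi getMechanismContext(byte[] bArr) throws GSSException {
        // NOTE(review): the bytes are forwarded without inspection here; any validation must
        // happen inside Krb5Context, which is not visible in this file.
        return new Krb5Context(this.caller, bArr);
    }

    /** Returns the Kerberos v5 mechanism OID. */
    public final Oid getMechanismOid() {
        return GSS_KRB5_MECH_OID;
    }

    /** Returns the shared provider instance. */
    public Provider getProvider() {
        return PROVIDER;
    }

    /**
     * Returns the name types this mechanism supports.
     *
     * @return a fresh copy of the supported name types; changes to it do not affect the factory
     */
    public Oid[] getNameTypes() {
        // Defensive copy: the backing array is static state shared by all instances.
        return nameTypes.clone();
    }

    /**
     * Builds an {@link Oid} from its dotted string form.
     *
     * @return the OID, or {@code null} if the string is rejected
     */
    private static Oid createOid(String str) {
        try {
            return new Oid(str);
        } catch (GSSException ignored) {
            // Deliberate best effort: this method is only called from the static initialisers
            // above with fixed literals, and a failure leaves the constant null rather than
            // aborting class initialisation.
            return null;
        }
    }
}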
