package oracle.net.ano;

import com.helger.photon.uictrls.fineupload5.servlet.AbstractFineUploader5Servlet;
import com.ibm.db2.cmx.runtime.internal.StaticProfileConstants;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.logging.Level;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.diagnostics.CommonDiagnosable;
import oracle.jdbc.diagnostics.SecurityLabel;
import oracle.jdbc.internal.OpaqueString;
import oracle.net.aso.Radius;
import oracle.net.ns.NetException;
import oracle.net.ns.SessionAtts;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import sun.security.krb5.Asn1Exception;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.EncryptionKey;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.RealmException;
import sun.security.krb5.internal.APReq;
import sun.security.krb5.internal.Authenticator;
import sun.security.krb5.internal.KRBCred;
import sun.security.krb5.internal.KdcErrException;
import sun.security.krb5.internal.KrbApErrException;

/* loaded from: input_file:WEB-INF/lib/ojdbc8-23.7.0.25.01.jar:oracle/net/ano/AuthenticationService.class */
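/**
 * Client side of the Oracle Net ANO "authentication" service as it appears in this decompiled
 * class: it advertises the authentication drivers chosen in the connection profile, reads the
 * driver the server selected, and then runs either the RADIUS or the Kerberos5 exchange.
 *
 * <p>The class implements {@link PrivilegedExceptionAction} so that the Kerberos5/GSS-API exchange
 * in {@link #run()} can be executed under {@code Subject.doAs} with the JAAS subject that holds
 * the user's Kerberos credentials.
 *
 * <p>Security-relevant behaviour a reviewer should know about (all visible in the code below):
 * <ul>
 *   <li>The Kerberos service name and host used to build the target service principal are read
 *       from the server during phase 2, not taken from local configuration.</li>
 *   <li>Mutual authentication is only requested when the profile property
 *       {@code oracle.net.kerberos5_mutual_authentication} is {@code "true"}.</li>
 *   <li>When the caller supplies no {@link GSSCredential}, credential delegation is requested and,
 *       if the internal {@code sun.security.krb5} classes are present, a re-encrypted KRB-CRED is
 *       sent to the server.</li>
 *   <li>GSS confidentiality and integrity services are explicitly not requested.</li>
 * </ul>
 *
 * <p>This source is decompiler output; local variable names are synthetic and some constant
 * references (see {@link #getResetMethod()} and {@link #dump(byte[], int, int)}) appear to have
 * been substituted by the decompiler with same-valued constants from unrelated libraries.
 */
public class AuthenticationService extends Service implements PrivilegedExceptionAction {
    private static final String CLASS_NAME = AuthenticationService.class.getName();
    // The three tables below are parallel: a driver id (index) maps to the Java-side name, the
    // name sent on the wire, and the one-byte id sent on the wire. Index 0 is an empty placeholder.
    static final String[] AUTH_JAVA_ANO_ID = {"", AnoServices.AUTHENTICATION_RADIUS, AnoServices.AUTHENTICATION_KERBEROS5, "TCPS", "BEQ"};
    private static final String[] AUTH_ORACLE_NAME = {"", AnoServices.AUTHENTICATION_RADIUS, AnoServices.AUTHENTICATION_KERBEROS5, "tcps", "beq"};
    private static final byte[] AUTH_ORACLE_ID = {0, 1, 1, 2, 2};
    // Lazily resolved reflective handle to sun.security.krb5.EncryptedData's reset method.
    private static Method resetMethod = null;
    private static Method getEncodedMethod = null;
    // Set by the static initializer; not read anywhere in this class.
    private static boolean isExKrbSupportedAvailable;
    // True when sun.security.krb5.internal.APReq can be loaded; gates credential forwarding in run().
    private static boolean isInternalSunAPIAvailable;
    private int status;
    static final int NAU_OK = 64255;
    static final int NAU_DONT_USE_AUTH = 64511;
    static final int NAU_AUTH_NOT_REQUIRED = 64767;
    static final int NAU_AUTH_REQUIRED = 65023;
    static final int NAU_NO_DRIVERS_LINKED_IN = 65279;
    static final int NAU_USE_IMPLICIT_AUTH = 63999;
    static final int NAU_PROXY_NO_AUTH = 63743;
    static final int NAU_AUTH_DISABLED = 63487;
    static final int NAUCX_CLIENT_SERVER = 57569;
    private boolean authenticationActivated = false;
    private Subject jdbcUserSubject = null;
    // "service/host" and "service@host" forms of the target principal, built in phase 2.
    private String servicePrincipal4Kerberos = null;
    private String servicePrincipal4KerberosNTFormat = null;
    private String mapRealm = null;
    private GSSCredential userGSSCredential = null;

    /**
     * Initialises the service from the session profile and resolves the configured
     * authentication service names to driver ids.
     *
     * @param sessionAtts session attributes whose profile lists the authentication services
     * @return always 1
     * @throws NetException propagated from the superclass or the helper lookups
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // oracle.net.ano.Service
    public int init(SessionAtts sessionAtts) throws NetException {
        super.init(sessionAtts);
        this.service = 1;
        // The client always announces "authentication not required" as its own status.
        this.status = NAU_AUTH_NOT_REQUIRED;
        CommonDiagnosable.getInstance().debug(Level.FINEST, SecurityLabel.UNKNOWN, CLASS_NAME, "init", "Entering init for Authentication, service={0} status={1}", (String) null, null, Integer.valueOf(this.service), Integer.valueOf(this.status));
        String[] authenticationServices = sessionAtts.profile.getAuthenticationServices();
        getValidUserChoices(authenticationServices, AUTH_JAVA_ANO_ID);
        this.userChoiceDriversId = new int[authenticationServices.length];
        for (int i = 0; i < this.userChoiceDriversId.length; i++) {
            this.userChoiceDriversId[i] = getDriverID(AUTH_JAVA_ANO_ID, authenticationServices[i]);
        }
        return 1;
    }

    /**
     * Sends the service header, version, client/server marker, status, and then one
     * (id byte, name string) pair per configured driver.
     *
     * @throws NetException on protocol errors raised by the communication layer
     * @throws IOException on transport errors
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // oracle.net.ano.Service
    public void sendServiceData() throws NetException, IOException {
        // Three fixed sub-packets (version, UB2 marker, status) plus two per driver.
        sendHeader(3 + (this.userChoiceDriversId.length * 2));
        this.comm.sendVersion();
        this.comm.sendUB2(NAUCX_CLIENT_SERVER);
        this.comm.sendStatus(this.status);
        for (int i = 0; i < this.userChoiceDriversId.length; i++) {
            this.comm.sendUB1(AUTH_ORACLE_ID[this.userChoiceDriversId[i]]);
            this.comm.sendString(AUTH_ORACLE_NAME[this.userChoiceDriversId[i]]);
        }
    }

    /**
     * Computes the number of bytes {@link #sendServiceData()} is expected to emit: a fixed 20
     * plus, per driver, 5 + 4 + the length of the driver's wire name.
     *
     * @return the computed length
     */
    @Override // oracle.net.ano.Service
    int getServiceDataLength() {
        int i = 20;
        for (int i2 = 0; i2 < this.userChoiceDriversId.length; i2++) {
            i = i + 5 + 4 + AUTH_ORACLE_NAME[this.userChoiceDriversId[i2]].length();
        }
        return i;
    }

    /**
     * Reads the server's answer to the driver offer and records whether authentication is active.
     *
     * <p>A status of {@code NAU_OK} with more than two sub-packets activates authentication with
     * the driver named by the server. {@code NAU_DONT_USE_AUTH} deactivates it. Any other
     * combination is rejected.
     *
     * @param i number of sub-packets announced for this service
     * @throws NetException if the status is neither an accepted OK nor "don't use auth"
     * @throws IOException on transport errors
     */
    @Override // oracle.net.ano.Service
    void receiveServiceData(int i) throws NetException, IOException {
        this.version = this.comm.receiveVersion();
        this.sAtts.profile.setANOVersion(this.version);
        int receiveStatus = this.comm.receiveStatus();
        if (receiveStatus != NAU_OK || i <= 2) {
            if (receiveStatus != NAU_DONT_USE_AUTH) {
                throw new NetException(NetException.INVALID_SERVICE, "Authentication service received status failure");
            }
            this.authenticationActivated = false;
            return;
        }
        // The one-byte driver id is read and discarded; the driver is identified by name only.
        this.comm.receiveUB1();
        this.algID = getDriverID(AUTH_ORACLE_NAME, this.comm.receiveString());
        if (i > 4) {
            // Extra sub-packets are consumed to keep the stream aligned; their values are unused.
            this.comm.receiveVersion();
            this.comm.receiveUB4();
            this.comm.receiveUB4();
        }
        this.authenticationActivated = true;
    }

    /**
     * @return whether the server accepted an authentication driver in
     *     {@link #receiveServiceData(int)}
     */
    @Override // oracle.net.ano.Service
    public boolean isActive() {
        return this.authenticationActivated;
    }

    /**
     * Returns the encoded session key of the Kerberos service ticket held by the JAAS subject.
     *
     * <p>The returned array is raw key material; callers should not log it or keep it longer
     * than needed.
     *
     * @return the encoded session key, or {@code null} when there is no subject or no matching
     *     ticket
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] getSessionKey() {
        if (this.jdbcUserSubject == null) {
            return null;
        }
        return (byte[]) Subject.doAs(this.jdbcUserSubject, () -> {
            byte[] bArr = null;
            KerberosTicket kerberosTicket = getKerberosTicket();
            if (kerberosTicket != null) {
                bArr = kerberosTicket.getSessionKey().getEncoded();
            }
            return bArr;
        });
    }

    /**
     * Finds the first Kerberos ticket in the subject's private credentials whose server
     * principal name starts with either form of the target service principal.
     *
     * @return the matching ticket, or {@code null} if there is no subject or no match
     */
    private KerberosTicket getKerberosTicket() {
        if (this.jdbcUserSubject == null) {
            return null;
        }
        for (Object obj : this.jdbcUserSubject.getPrivateCredentials()) {
            if (obj instanceof KerberosTicket) {
                KerberosTicket kerberosTicket = (KerberosTicket) obj;
                String name = kerberosTicket.getServer().getName();
                // NOTE(review): this is a prefix match, so "svc/host" also matches a ticket for
                // "svc/host2"; it also throws NullPointerException if the principal fields have
                // not been set by phase 2 yet. Confirm both are acceptable to callers.
                if (name.startsWith(this.servicePrincipal4Kerberos) || name.startsWith(this.servicePrincipal4KerberosNTFormat)) {
                    return kerberosTicket;
                }
            }
        }
        return null;
    }

    /**
     * @return the number of bytes {@link #activateAuthenticatorPhase1()} will send: 32 for driver
     *     id 1, 37 for driver id 2, otherwise 0 (also 0 when authentication is inactive)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public int bytesNeededForActivationPhase1() {
        if (!isActive()) {
            return 0;
        }
        if (this.algID == 1) {
            return 32;
        }
        return this.algID == 2 ? 37 : 0;
    }

    /**
     * Sends the first activation message for the selected driver. Driver id 2 (Kerberos5 in the
     * tables above) sends one extra zero byte compared with driver id 1 (RADIUS).
     *
     * @throws NetException on protocol errors raised by the communication layer
     * @throws IOException on transport errors
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void activateAuthenticatorPhase1() throws NetException, IOException {
        if (this.authenticationActivated) {
            if (this.algID == 1) {
                sendHeader(3);
                this.comm.sendVersion();
                this.comm.sendUB4(2L);
                this.comm.sendUB4(2L);
                return;
            }
            if (this.algID == 2) {
                sendHeader(4);
                this.comm.sendVersion();
                this.comm.sendUB4(2L);
                this.comm.sendUB4(2L);
                this.comm.sendUB1((short) 0);
            }
        }
    }

    /**
     * Runs the second activation phase: reads the server's reply and performs the RADIUS or
     * Kerberos5 exchange.
     *
     * <p>For Kerberos5 the service name and host are read from the server and combined into the
     * target service principal. The subject used for the exchange is, in order: an empty subject
     * when {@code gSSCredential} is supplied; otherwise the subject of the current access control
     * context; otherwise a fresh JAAS login.
     *
     * @param gSSCredential caller-supplied credential, or {@code null} to use a JAAS subject
     * @throws NetException if the server reports an error or the Kerberos exchange fails
     * @throws IOException on transport errors
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void activateAuthenticatorPhase2(GSSCredential gSSCredential) throws NetException, IOException {
        NetException netException;
        if (this.authenticationActivated) {
            this.sAtts.ano.receiveANOHeader();
            int[] receiveHeader = Service.receiveHeader(this.comm);
            if (receiveHeader[2] != 0) {
                throw new NetException(receiveHeader[2]);
            }
            if (this.algID == 1) {
                new RadiusAuthenticationService(this.sAtts, this).handleRadiusAuthentication();
                return;
            }
            if (this.algID == 2) {
                // NOTE(review): both components of the target principal come from the peer. With
                // a peer-chosen principal, Kerberos mutual authentication only proves that the
                // peer holds the key for the name it announced; confirm whether the expected
                // principal is pinned or validated elsewhere.
                String receiveString = this.comm.receiveString();
                String receiveString2 = this.comm.receiveString();
                this.servicePrincipal4Kerberos = receiveString + "/" + receiveString2;
                this.servicePrincipal4KerberosNTFormat = receiveString + "@" + receiveString2;
                // In this decompiled form the lookup below changes no state (empty branch,
                // discarded toLowerCase() result). It is kept because it still resolves the
                // server-supplied host name, which is an observable network side effect.
                try {
                    if (InetAddress.getByName(receiveString2).getCanonicalHostName().toLowerCase().startsWith(receiveString2.toLowerCase() + ".")) {
                    }
                } catch (UnknownHostException e) {
                    receiveString2.toLowerCase();
                }
                this.mapRealm = (String) this.sAtts.profile.get(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB_REALM);
                // 64 is '@': keep only the "@REALM" suffix when the property contains one.
                if (this.mapRealm != null && this.mapRealm.indexOf(64) != -1) {
                    this.mapRealm = this.mapRealm.substring(this.mapRealm.indexOf(64));
                }
                this.userGSSCredential = gSSCredential;
                AccessControlContext context = AccessController.getContext();
                if (this.userGSSCredential == null) {
                    if (context != null) {
                        this.jdbcUserSubject = Subject.getSubject(context);
                    }
                    if (this.jdbcUserSubject == null) {
                        this.jdbcUserSubject = jaasKerberosAuthenticateUsingCacheOnly();
                    }
                } else {
                    // A caller-supplied credential needs no JAAS credentials, so an empty subject
                    // is enough to satisfy doAs.
                    this.jdbcUserSubject = new Subject();
                }
                try {
                    Subject.doAs(this.jdbcUserSubject, this);
                } catch (PrivilegedActionException e2) {
                    // doAs wraps checked exceptions only; unwrap NetException, wrap the rest.
                    Exception exception = e2.getException();
                    if (exception instanceof NetException) {
                        netException = (NetException) exception;
                    } else {
                        netException = new NetException(NetException.INVALID_SERVICE, e2.getMessage());
                        netException.initCause(e2);
                    }
                    throw netException;
                }
            }
        }
    }

    /**
     * Performs a JAAS login to obtain a Kerberos subject, using either the built-in configuration
     * from {@link #getDefaultJAASConfig()} or the login module entry named by the connection
     * property.
     *
     * <p>Despite the method name, the built-in configuration permits a password login when a
     * Kerberos password is present in the profile.
     *
     * @return the authenticated subject
     * @throws NetException wrapping any failure as a Kerberos5 authentication failure
     */
    private final Subject jaasKerberosAuthenticateUsingCacheOnly() throws NetException {
        String property = this.sAtts.profile.getProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB_JAAS_LOGIN_MODULE);
        try {
            return property == null ? getSubject(getDefaultJAASConfig(), "defaultModule") : getSubject(Configuration.getConfiguration(), property);
        } catch (Exception e) {
            NetException netException = new NetException(NetException.AUTHENTICATION_KERBEROS5_FAILURE);
            netException.initCause(e);
            throw netException;
        }
    }

    /**
     * Logs in with the given JAAS configuration entry and returns the resulting subject.
     *
     * @param configuration JAAS configuration to use
     * @param str name of the configuration entry
     * @return the subject produced by the login
     * @throws LoginException if the login fails
     */
    private Subject getSubject(Configuration configuration, String str) throws LoginException {
        LoginContext loginContext = new LoginContext(str, (Subject) null, getDefaultCredentialCallBack(), configuration);
        loginContext.login();
        return loginContext.getSubject();
    }

    /**
     * Builds a callback handler that answers password callbacks (and, when a user name is
     * configured, name callbacks) from the connection profile.
     *
     * @return the handler, or {@code null} when no Kerberos password is configured
     */
    private CallbackHandler getDefaultCredentialCallBack() {
        char[] chars = this.sAtts.profile.containsKey(AnoServices.AUTHENTICATION_PROPERTY_KRB5_PWD) ? ((OpaqueString) this.sAtts.profile.get(AnoServices.AUTHENTICATION_PROPERTY_KRB5_PWD)).getChars() : null;
        String property = this.sAtts.profile.containsKey(AnoServices.AUTHENTICATION_PROPERTY_KRB5_USER) ? this.sAtts.profile.getProperty(AnoServices.AUTHENTICATION_PROPERTY_KRB5_USER) : null;
        if (chars == null) {
            return null;
        }
        // The password characters stay referenced by the returned lambda for as long as the
        // handler is reachable; this method does not clear them.
        return callbackArr -> {
            for (Callback callback : callbackArr) {
                if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(chars);
                } else if (property != null && (callback instanceof NameCallback)) {
                    ((NameCallback) callback).setName(property);
                }
            }
        };
    }

    /**
     * Builds an in-memory JAAS configuration with a single required {@code Krb5LoginModule}
     * entry. The ticket cache is always enabled; the principal, the ticket cache path and the
     * "do not prompt" flag are derived from the connection profile.
     *
     * @return the configuration; it returns the same single entry for every entry name
     */
    private Configuration getDefaultJAASConfig() {
        return new Configuration() { // from class: oracle.net.ano.AuthenticationService.1
            public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
                HashMap hashMap = new HashMap();
                hashMap.put("useTicketCache", "true");
                if (AuthenticationService.this.sAtts.profile.containsKey(AnoServices.AUTHENTICATION_PROPERTY_KRB5_USER)) {
                    hashMap.put("principal", AuthenticationService.this.sAtts.profile.getProperty(AnoServices.AUTHENTICATION_PROPERTY_KRB5_USER));
                }
                // Prompting is only left enabled when a password is available for the callback.
                if (!AuthenticationService.this.sAtts.profile.containsKey(AnoServices.AUTHENTICATION_PROPERTY_KRB5_PWD)) {
                    hashMap.put("doNotPrompt", "true");
                }
                String str2 = (String) AuthenticationService.this.sAtts.profile.get("oracle.net.kerberos5_cc_name");
                if (str2 != null && !str2.isEmpty()) {
                    hashMap.put("ticketCache", str2);
                }
                return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, hashMap)};
            }
        };
    }

    /**
     * Performs the Kerberos5 GSS-API exchange with the server. Intended to be invoked through
     * {@code Subject.doAs}.
     *
     * <p>Steps: create a GSS context for the target principal, send the initial token together
     * with the local host address, optionally complete mutual authentication with the server's
     * reply, then send the (possibly empty) forwarded credential.
     *
     * @return always {@code null}
     * @throws Exception a {@link NetException} on GSS or protocol failure; other exceptions from
     *     the transport or the internal Kerberos classes propagate unchanged
     */
    @Override // java.security.PrivilegedExceptionAction
    public Object run() throws Exception {
        byte[] bArr;
        try {
            GSSManager gSSManager = GSSManager.getInstance();
            // Kerberos V5 mechanism OID and Kerberos V5 principal name type OID.
            Oid oid = new Oid("1.2.840.113554.1.2.2");
            Oid oid2 = new Oid("1.2.840.113554.1.2.2.1");
            byte[] der = oid.getDER();
            KerberosPrincipal kerberosPrincipal = null;
            if (this.userGSSCredential == null) {
                // Only the first principal of the subject is inspected.
                Iterator<Principal> it = this.jdbcUserSubject.getPrincipals().iterator();
                if (it.hasNext()) {
                    Principal next = it.next();
                    if (next instanceof KerberosPrincipal) {
                        kerberosPrincipal = (KerberosPrincipal) next;
                    }
                }
                if (kerberosPrincipal == null) {
                    throw new NetException(NetException.INVALID_SERVICE, "Unable to find valid kerberos principal for authentication");
                }
            }
            // Target name: "service/host" as a Kerberos principal when a realm mapping is set,
            // otherwise "service@host" as a host-based service. Credential: the caller's, or an
            // initiate-only credential (usage 1) for the subject's principal.
            GSSContext createContext = gSSManager.createContext(this.mapRealm != null ? gSSManager.createName(this.servicePrincipal4Kerberos, oid2) : gSSManager.createName(this.servicePrincipal4KerberosNTFormat, GSSName.NT_HOSTBASED_SERVICE), oid, this.userGSSCredential == null ? gSSManager.createCredential(gSSManager.createName(kerberosPrincipal != null ? kerberosPrincipal.getName() : null, oid2), 0, oid, 1) : this.userGSSCredential, 0);
            // Compare by value. A reference comparison against the literal "true" silently
            // disables mutual authentication whenever the property value is an equal but
            // distinct String instance, leaving the server unauthenticated without any error.
            boolean z = "true".equals((String) this.sAtts.profile.get("oracle.net.kerberos5_mutual_authentication"));
            createContext.requestMutualAuth(z);
            // Per-message confidentiality and integrity are not requested from GSS.
            createContext.requestConf(false);
            createContext.requestInteg(false);
            // Delegation is requested whenever the credential comes from the JAAS subject, which
            // allows the user's credential to be forwarded to the server further below.
            if (this.userGSSCredential == null) {
                createContext.requestCredDeleg(true);
            } else {
                createContext.requestCredDeleg(false);
            }
            byte[] initSecContext = createContext.initSecContext(new byte[0], 0, 0);
            // NOTE(review): the first 17 bytes of the GSS token are dropped so that only the
            // inner request is sent; this presumably assumes a fixed-size token header. Confirm
            // for tokens whose DER length field has a different width.
            byte[] bArr2 = new byte[initSecContext.length - 17];
            System.arraycopy(initSecContext, 17, bArr2, 0, bArr2.length);
            byte[] address = InetAddress.getLocalHost().getAddress();
            this.sAtts.ano.sendANOHeader(39 + address.length + 4 + bArr2.length, this.service, (short) 0);
            sendHeader(4);
            this.comm.sendUB2(2);
            this.comm.sendUB4(4L);
            this.comm.sendRaw(address);
            this.comm.sendRaw(bArr2);
            this.comm.flush();
            this.sAtts.ano.receiveANOHeader();
            int[] receiveHeader = Service.receiveHeader(this.comm);
            this.comm.receiveUB1();
            if (z) {
                // Mutual authentication needs a second sub-packet carrying the server's reply.
                if (receiveHeader[1] < 2) {
                    throw new NetException(NetException.INVALID_SERVICE, "Mutual authentication failed during Kerberos5 authentication");
                }
                byte[] receiveRaw = this.comm.receiveRaw();
                // Rebuild a GSS token around the raw reply: mechanism OID, token id bytes 02 00,
                // then the reply, all wrapped in tag 0x60 (96) with a DER length.
                byte[] bArr3 = new byte[der.length + 2 + receiveRaw.length];
                System.arraycopy(der, 0, bArr3, 0, der.length);
                bArr3[der.length] = 2;
                bArr3[der.length + 1] = 0;
                System.arraycopy(receiveRaw, 0, bArr3, der.length + 2, receiveRaw.length);
                byte[] length = getLength(bArr3.length);
                byte[] bArr4 = new byte[1 + length.length + bArr3.length];
                bArr4[0] = 96;
                System.arraycopy(length, 0, bArr4, 1, length.length);
                System.arraycopy(bArr3, 0, bArr4, length.length + 1, bArr3.length);
                try {
                    createContext.initSecContext(bArr4, 0, bArr4.length);
                    if (!createContext.getMutualAuthState()) {
                        throw new NetException(NetException.INVALID_SERVICE, "Mutual authentication failed during Kerberos5 authentication");
                    }
                } catch (GSSException e) {
                    NetException netException = new NetException(NetException.INVALID_SERVICE, e.getMessage());
                    netException.initCause(e);
                    throw netException;
                }
            }
            if (!createContext.isEstablished()) {
                throw new NetException(NetException.INVALID_SERVICE, "Kerberos5 adaptor couldn't create context");
            }
            // A forwarded credential is only built for subject-based logins and only when the
            // internal sun.security.krb5 classes were found at class-load time.
            if (this.userGSSCredential == null) {
                bArr = isInternalSunAPIAvailable ? getKRBCredForDelegation(createContext, bArr2) : null;
            } else {
                bArr = null;
            }
            if (bArr == null) {
                bArr = new byte[0];
            }
            this.sAtts.ano.sendANOHeader(25 + bArr.length, this.service, (short) 0);
            sendHeader(1);
            this.comm.sendRaw(bArr);
            this.comm.flush();
            return null;
        } catch (GSSException e2) {
            NetException netException2 = new NetException(NetException.INVALID_SERVICE, e2.getMessage());
            netException2.initCause(e2);
            throw netException2;
        }
    }

    /**
     * Extracts the delegated credential (KRB-CRED) from the authenticator checksum of the request
     * that was just sent, and re-encrypts its encrypted part under the service ticket's session
     * key so it can be forwarded to the server.
     *
     * <p>Uses JDK-internal {@code sun.security.krb5} classes and reflection via
     * {@link #reset(EncryptedData, Object...)}.
     *
     * @param gSSContext the established context; delegation must have been granted
     * @param bArr the encoded request previously sent to the server
     * @return the encoded KRB-CRED, or {@code null} when delegation was not granted, there is no
     *     subject, or the checksum carries no delegation data
     * @throws IOException if the checksum declares more delegation data than it contains, or on
     *     decoding errors raised by the internal classes
     */
    private final byte[] getKRBCredForDelegation(GSSContext gSSContext, byte[] bArr) throws KdcErrException, KrbApErrException, KrbCryptoException, Asn1Exception, RealmException, IOException {
        byte[] decrypt;
        byte[] bArr2 = null;
        if (gSSContext.getCredDelegState() && this.jdbcUserSubject != null) {
            byte[] bArr3 = null;
            int i = -1;
            KerberosTicket kerberosTicket = getKerberosTicket();
            if (kerberosTicket != null) {
                bArr3 = kerberosTicket.getSessionKey().getEncoded();
                i = kerberosTicket.getSessionKeyType();
            }
            // NOTE(review): when no matching ticket is found the key below is built from
            // (-1, null); confirm how EncryptionKey handles that.
            APReq aPReq = new APReq(bArr);
            EncryptionKey encryptionKey = new EncryptionKey(i, bArr3);
            // Key usage 11: authenticator of the request.
            byte[] bytes = new Authenticator(reset(aPReq.authenticator, aPReq.authenticator.decrypt(encryptionKey, 11), true)).getChecksum().getBytes();
            // The two-byte little-endian delegation length sits at offsets 26..27 and the
            // delegation data starts at 28, so at least 28 bytes are required before reading it.
            if (bytes.length >= 28) {
                int i2 = ((bytes[27] & 255) << 8) + (bytes[26] & 255);
                // Reject a declared length that runs past the end of the checksum instead of
                // failing inside arraycopy with an unchecked exception.
                if (i2 > bytes.length - 28) {
                    throw new IOException("Kerberos5 delegation data length exceeds authenticator checksum size");
                }
                byte[] bArr4 = new byte[i2];
                System.arraycopy(bytes, 28, bArr4, 0, i2);
                KRBCred kRBCred = new KRBCred(bArr4);
                // Key usage 14: encrypted part of the credential message. The null key is tried
                // first and the session key is the fallback.
                try {
                    decrypt = kRBCred.encPart.decrypt(EncryptionKey.NULL_KEY, 14);
                } catch (Exception e) {
                    decrypt = kRBCred.encPart.decrypt(encryptionKey, 14);
                }
                bArr2 = new KRBCred(kRBCred.tickets, new EncryptedData(encryptionKey, reset(kRBCred.encPart, decrypt, true), 14)).asn1Encode();
            }
        }
        return bArr2;
    }

    /**
     * Reflectively invokes the {@code EncryptedData} reset method, adapting to whichever
     * signature the running JDK provides (one argument or two).
     *
     * @param encryptedData the instance to invoke the method on
     * @param objArr arguments; only the first is passed when the method takes one parameter
     * @return the method's result, or {@code null} if the invocation failed
     */
    private byte[] reset(EncryptedData encryptedData, Object... objArr) {
        byte[] bArr = null;
        if (resetMethod == null) {
            resetMethod = getResetMethod();
        }
        // NOTE(review): if the method could not be resolved, resetMethod is still null here and
        // the next line throws NullPointerException.
        try {
            bArr = resetMethod.getParameterTypes().length == 1 ? (byte[]) resetMethod.invoke(encryptedData, objArr[0]) : (byte[]) resetMethod.invoke(encryptedData, objArr);
        } catch (IllegalAccessException e) {
            // Left as in the original: the failure is swallowed and null is returned.
        } catch (InvocationTargetException e2) {
            // Left as in the original: the failure is swallowed and null is returned.
        }
        return bArr;
    }

    /**
     * Looks up the reset method on {@code sun.security.krb5.EncryptedData}, trying the
     * {@code (byte[], boolean)} signature first and the {@code (byte[])} signature second.
     *
     * @return the method, or {@code null} if the class or both signatures are missing
     */
    private static Method getResetMethod() {
        Method method = null;
        try {
            Class<?> cls = Class.forName("sun.security.krb5.EncryptedData");
            Class<?>[] clsArr = {byte[].class, Boolean.TYPE};
            // NOTE(review): the method-name constant below comes from an unrelated upload-servlet
            // class; this looks like a decompiler substitution for a same-valued string literal.
            // Verify against the original class file before relying on it.
            try {
                method = cls.getDeclaredMethod(AbstractFineUploader5Servlet.Response.JSON_RESET, clsArr);
            } catch (NoSuchMethodException e) {
                method = cls.getDeclaredMethod(AbstractFineUploader5Servlet.Response.JSON_RESET, clsArr[0]);
            }
        } catch (ClassNotFoundException e2) {
            // Internal class not present on this runtime; the caller receives null.
        } catch (NoSuchMethodException e3) {
            // Neither signature exists on this runtime; the caller receives null.
        }
        return method;
    }

    /** No response validation is performed for this service in the decompiled code. */
    @Override // oracle.net.ano.Service
    void validateResponse() throws NetException, IOException {
        if (this.authenticationActivated) {
        }
    }

    /**
     * Encodes a length in DER form: one byte below 128, otherwise a prefix byte
     * (0x81..0x84, shown here as -127..-124) followed by that many big-endian length bytes.
     *
     * @param i the length to encode
     * @return the encoded length bytes
     */
    private byte[] getLength(int i) throws IOException {
        return i < 128 ? new byte[]{(byte) i} : i < 256 ? new byte[]{-127, (byte) i} : i < 65536 ? new byte[]{-126, (byte) (i >> 8), (byte) i} : i < 16777216 ? new byte[]{-125, (byte) (i >> 16), (byte) (i >> 8), (byte) i} : new byte[]{-124, (byte) (i >> 24), (byte) (i >> 16), (byte) (i >> 8), (byte) i};
    }

    /**
     * Delegates to {@code Radius.obfuscatePassword}.
     *
     * @param bArr the password bytes
     * @return the value returned by {@code Radius.obfuscatePassword}
     */
    public static final byte[] obfuscatePasswordForRadius(byte[] bArr) {
        return Radius.obfuscatePassword(bArr);
    }

    /**
     * Formats part of a buffer as a hex and ASCII dump, eight bytes per row.
     *
     * <p>The output reproduces the buffer contents, so it must not be used on buffers holding
     * keys, tickets or passwords if the result can reach a log.
     *
     * @param bArr buffer to dump
     * @param i index of the first byte
     * @param i2 used by the loops as an end bound rather than a count
     * @return the formatted dump
     */
    static String dump(byte[] bArr, int i, int i2) {
        String str;
        Charset forName = Charset.forName("ASCII");
        int i3 = 0;
        StringBuffer stringBuffer = new StringBuffer();
        stringBuffer.append("Buffer dump\n");
        stringBuffer.append("buffer.length=" + bArr.length + "\n");
        stringBuffer.append("offset       =" + i + "\n");
        stringBuffer.append("len          =" + i2 + "\n");
        ByteBuffer allocate = ByteBuffer.allocate(8);
        allocate.position(0);
        allocate.limit(allocate.capacity());
        // NOTE(review): the loop bounds are kept exactly as decompiled. The inner condition
        // compares the previously visited index with i2 - 1, and a short final row leaves bytes
        // from the previous row in the ASCII column; confirm before changing.
        for (int i4 = i; i4 < i2; i4 += 8) {
            int i5 = 0;
            while (i5 < 8 && i3 < i2 - 1) {
                i3 = i4 + i5;
                String hexString = Integer.toHexString(bArr[i3] & 255);
                // Left-pad the hex value to two digits.
                while (true) {
                    str = hexString;
                    if (str.length() >= 2) {
                        break;
                    }
                    hexString = "0" + str;
                }
                stringBuffer.append(str);
                stringBuffer.append(" ");
                // Bytes at or below 33 and at or above 127 are shown as '.' (46).
                if (bArr[i3] <= 33 || bArr[i3] >= Byte.MAX_VALUE) {
                    allocate.put((byte) 46);
                } else {
                    allocate.put(bArr[i3]);
                }
                i5++;
            }
            // Pad a short row so the ASCII column stays aligned.
            while (i5 <= 7) {
                stringBuffer.append("   ");
                i5++;
            }
            // NOTE(review): this separator constant comes from an unrelated database-driver
            // class; it looks like a decompiler substitution for a same-valued string literal.
            stringBuffer.append(StaticProfileConstants.CONTINUATION_TOKEN);
            allocate.rewind();
            CharBuffer decode = forName.decode(allocate);
            allocate.rewind();
            stringBuffer.append(" " + decode.toString() + " |\n");
        }
        stringBuffer.append("finish dump\n");
        return stringBuffer.toString();
    }

    // Probe once, at class-load time, for the optional public Kerberos credential-message class
    // and for the JDK-internal Kerberos classes that credential forwarding depends on.
    static {
        isExKrbSupportedAvailable = false;
        isInternalSunAPIAvailable = true;
        try {
            Class.forName("javax.security.auth.kerberos.KerberosCredMessage");
            isExKrbSupportedAvailable = true;
        } catch (Exception e) {
            isExKrbSupportedAvailable = false;
        }
        try {
            Class.forName("sun.security.krb5.internal.APReq");
            isInternalSunAPIAvailable = true;
        } catch (Exception e2) {
            isInternalSunAPIAvailable = false;
        }
    }
}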
