package com.maverick.sshd;

import com.maverick.util.ByteArrayReader;
import com.maverick.util.ByteArrayWriter;
import com.maverick.util.UnsignedInteger32;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/maverick/sshd/GSSAPIWithMICAuthentication.class */
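/**
 * Server side of the SSH "gssapi-with-mic" user authentication method (RFC 4462) using the
 * Kerberos V5 GSS mechanism.
 *
 * <p>Flow: {@link #init} logs the server in via JAAS to obtain acceptor credentials;
 * {@link #startRequest} negotiates the mechanism OID and creates a fresh acceptor context;
 * {@link #processMessage} feeds client tokens to the context until it is established and then
 * expects SSH_MSG_USERAUTH_GSSAPI_MIC, whose MIC binds the GSS context to this SSH session.
 * Authentication only succeeds after the MIC verifies <em>and</em> the authenticated Kerberos
 * principal is accepted for the requested username by {@link #isAuthorizedPrincipal}.
 *
 * <p>This object holds per-connection state ({@code username}, {@code gssContext}) and is not
 * thread-safe.
 */
public class GSSAPIWithMICAuthentication implements AuthenticationMechanism {
    static final Logger log = LoggerFactory.getLogger(GSSAPIWithMICAuthentication.class);
    static final int SSH_MSG_USERAUTH_GSSAPI_RESPONSE = 60;
    static final int SSH_MSG_USERAUTH_GSSAPI_TOKEN = 61;
    static final int SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63;
    static final int SSH_MSG_USERAUTH_GSSAPI_MIC = 66;
    public static final String NAME = "gssapi-with-mic";

    /** Message number the client's MIC is computed over (RFC 4462 section 3.5). */
    private static final int SSH_MSG_USERAUTH_REQUEST = 50;
    /** Service name included in the MIC'd data. */
    private static final String SSH_CONNECTION_SERVICE = "ssh-connection";
    /** Kerberos V5 mechanism OID; the only GSS mechanism this acceptor negotiates. */
    private static final String KRB5_MECHANISM_OID = "1.2.840.113554.1.2.2";
    /** JAAS application entry name used for the acceptor login. */
    private static final String JAAS_APPLICATION_NAME = "com.maverick.sshd.gssapi";

    private TransportProtocol transport;
    private AuthenticationProtocol authentication;
    /** Subject carrying the server's acceptor credentials once {@link #init} has logged in. */
    private Subject subject;
    private Oid krb5Oid;
    private LoginContext loginContext;
    /** Username from SSH_MSG_USERAUTH_REQUEST; part of the MIC'd data and checked against the principal. */
    private String username;
    /** Acceptor context for the current authentication attempt; null until {@link #startRequest} succeeds. */
    private GSSContext gssContext;

    @Override // com.maverick.sshd.AuthenticationMechanism
    public String getMethod() {
        return NAME;
    }

    /**
     * Logs the server into Kerberos through JAAS so that acceptor credentials are available.
     *
     * <p>The JAAS configuration comes from {@code SshContext#getKerberosConfiguration()} when set,
     * otherwise from {@link #createDefaultConfiguration}. The callback handler answers
     * name/password prompts from the context's service principal and service password.
     *
     * @throws IOException if the OID cannot be built or the JAAS login fails (cause attached)
     */
    @Override // com.maverick.sshd.AuthenticationMechanism
    public void init(TransportProtocol transportProtocol, AuthenticationProtocol authenticationProtocol) throws IOException {
        this.transport = transportProtocol;
        this.authentication = authenticationProtocol;
        final SshContext sshContext = transportProtocol.getSshContext();
        try {
            this.krb5Oid = new Oid(KRB5_MECHANISM_OID);
            CallbackHandler handler = new CallbackHandler() {
                @Override // javax.security.auth.callback.CallbackHandler
                public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbacks) {
                        if (callback instanceof NameCallback) {
                            String principal = getServicePrinicipal(sshContext);
                            // An empty principal leaves the prompt unanswered rather than naming "".
                            if (principal != null && !principal.isEmpty()) {
                                ((NameCallback) callback).setName(principal);
                            }
                        } else if (callback instanceof PasswordCallback) {
                            char[] servicePassword = sshContext.getKerberosServicePassword();
                            if (servicePassword != null) {
                                ((PasswordCallback) callback).setPassword(servicePassword);
                            }
                        }
                    }
                }
            };
            Configuration configuration = sshContext.getKerberosConfiguration();
            if (configuration == null) {
                configuration = createDefaultConfiguration(sshContext);
            }
            this.loginContext = new LoginContext(JAAS_APPLICATION_NAME, (Subject) null, handler, configuration);
            this.loginContext.login();
            if (log.isDebugEnabled()) {
                log.debug("Logged into GSSAPI context");
            }
            this.subject = this.loginContext.getSubject();
        } catch (GSSException e) {
            throw new IOException("Failed to initialise GSS", e);
        } catch (LoginException e) {
            throw new IOException("Failed to login via GSS to Kerbero server", e);
        }
    }

    /**
     * Builds the fallback JAAS configuration: a single REQUIRED Krb5LoginModule acting as a
     * non-initiator, keyed by the configured service principal.
     *
     * <p>NOTE(review): {@code useKeyTab} is "false", so the acceptor credentials come from the
     * service password supplied through the callback handler rather than a keytab; prompting is
     * only disabled when neither a password nor a principal is configured.
     */
    protected Configuration createDefaultConfiguration(final SshContext sshContext) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                HashMap<String, String> options = new HashMap<String, String>();
                String principal = getServicePrinicipal(sshContext);
                if (principal != null) {
                    options.put("principal", principal);
                }
                options.put("debug", String.valueOf(log.isDebugEnabled()));
                options.put("isInitiator", "false");
                options.put("useKeyTab", "false");
                options.put("storeKey", "true");
                options.put("useTicketCache", "false");
                options.put("useSubjectCredsOnly", "true");
                boolean nothingConfigured = sshContext.getKerberosServicePassword() == null
                        && (sshContext.getKerberosServicePrincipal() == null
                            || sshContext.getKerberosServicePrincipal().equals(""));
                options.put("doNotPrompt", String.valueOf(nothingConfigured));
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                };
            }

            @Override
            public void refresh() {
            }
        };
    }

    /**
     * Returns the Kerberos service principal: the configured one when present (even if empty),
     * otherwise {@code host/<canonical local hostname>}.
     *
     * @return the principal name, or null if the local hostname cannot be resolved
     */
    protected String getServicePrinicipal(SshContext sshContext) {
        String configured = sshContext.getKerberosServicePrincipal();
        if (configured != null) {
            return configured;
        }
        try {
            return "host/" + InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            log.error("Failed to get canonical hostname. You should set the Kerberos service principal manually.", e);
            return null;
        }
    }

    /**
     * Handles the initial SSH_MSG_USERAUTH_REQUEST for this method (RFC 4462 section 3.2).
     *
     * <p>The request carries a list of mechanism OIDs; the Kerberos V5 OID is selected if the
     * client offered it anywhere in the list (other, unsupported OIDs are ignored rather than
     * causing a rejection). On success a fresh acceptor context is created and
     * SSH_MSG_USERAUTH_GSSAPI_RESPONSE naming the chosen OID is sent.
     *
     * @param str  the username the client wishes to authenticate as
     * @param bArr the method-specific part of the request
     * @return true if the exchange continues, false if authentication was already failed
     * @throws IOException on malformed input or if the OID cannot be DER-encoded
     */
    @Override // com.maverick.sshd.AuthenticationMechanism
    public boolean startRequest(String str, byte[] bArr) throws IOException {
        this.username = str;
        byte[] krb5Der;
        try {
            krb5Der = this.krb5Oid.getDER();
        } catch (GSSException e) {
            throw new IOException("Failed to decide Oid", e);
        }
        ByteArrayReader reader = new ByteArrayReader(bArr);
        try {
            int offered = reader.readUINT32().intValue();
            boolean krb5Offered = false;
            // Read every offered OID so a malformed list is detected, but only require that
            // the Kerberos V5 OID is among them.
            for (int i = 0; i < offered; i++) {
                if (Arrays.equals(reader.readBinaryString(), krb5Der)) {
                    krb5Offered = true;
                }
            }
            if (!krb5Offered) {
                log.error("Client requested an Oid that is not supported.");
                this.authentication.failedAuthentication();
                return false;
            }
            this.gssContext = createGSSContext();
            if (this.gssContext == null) {
                log.error("No GSS context, rejecting authentication.");
                this.authentication.failedAuthentication();
                return false;
            }
            ByteArrayWriter writer = new ByteArrayWriter();
            byte[] response;
            try {
                writer.write(SSH_MSG_USERAUTH_GSSAPI_RESPONSE);
                writer.writeBinaryString(krb5Der);
                response = writer.toByteArray();
            } finally {
                writer.close();
            }
            sendMessage(response, "SSH_MSG_USERAUTH_GSSAPI_RESPONSE");
            return true;
        } finally {
            reader.close();
        }
    }

    /**
     * Handles a follow-up GSSAPI message from the client.
     *
     * <p>Before the context is established only SSH_MSG_USERAUTH_GSSAPI_TOKEN is accepted; once
     * it is established only SSH_MSG_USERAUTH_GSSAPI_MIC is. Anything else fails the attempt.
     *
     * @return always true; the outcome is reported through the AuthenticationProtocol callbacks
     */
    @Override // com.maverick.sshd.AuthenticationMechanism
    public boolean processMessage(byte[] bArr) throws IOException {
        ByteArrayReader reader = new ByteArrayReader(bArr);
        try {
            int messageId = reader.read();
            if (this.gssContext == null) {
                // No successful startRequest preceded this message; never feed tokens to nothing.
                log.error("GSSAPI message received before a GSS context was created. Rejecting authentication.");
                this.authentication.failedAuthentication(false, false);
                return true;
            }
            if (this.gssContext.isEstablished()) {
                if (log.isDebugEnabled()) {
                    log.debug("GSS established");
                }
                if (messageId != SSH_MSG_USERAUTH_GSSAPI_MIC) {
                    log.warn("Expected GSSAPI_MIC because context was established. Rejecting authentication.");
                    this.authentication.failedAuthentication(false, false);
                    return true;
                }
                validateMIC(reader);
                return true;
            }
            if (log.isDebugEnabled()) {
                log.debug("GSS not established");
            }
            if (messageId != SSH_MSG_USERAUTH_GSSAPI_TOKEN) {
                log.error("Expected SSH_MSG_USERAUTH_GSSAPI_TOKEN");
                this.authentication.failedAuthentication();
                return true;
            }
            try {
                acceptSecurityContext(reader.readBinaryString());
            } catch (GSSException e) {
                log.error("GSS failed", e);
                this.authentication.failedAuthentication(false, false);
            }
            return true;
        } finally {
            reader.close();
        }
    }

    /**
     * Feeds one client token to the acceptor context and returns any output token to the client.
     *
     * <p>Establishing the context is never, by itself, a successful authentication for
     * gssapi-with-mic: the client must still send a MIC over the session identifier and request
     * fields so the server knows the context is bound to <em>this</em> SSH session
     * (RFC 4462 sections 3.4 and 3.5). Without that binding a Kerberos AP-REQ captured from or
     * relayed through another connection to this host could be used to log in here. So when the
     * context is established and no token is due back, this method simply waits for the MIC;
     * success is only ever signalled from {@link #validateMIC}.
     */
    private void acceptSecurityContext(byte[] token) throws GSSException, IOException {
        byte[] outToken = this.gssContext.acceptSecContext(token, 0, token.length);
        boolean established = this.gssContext.isEstablished();
        if (log.isDebugEnabled()) {
            log.debug("Security context accept: " + (outToken == null ? "no token" : outToken.length + " byte token")
                    + ", established=" + established);
        }
        if (outToken != null) {
            ByteArrayWriter writer = new ByteArrayWriter();
            byte[] message;
            try {
                writer.write(SSH_MSG_USERAUTH_GSSAPI_TOKEN);
                writer.writeBinaryString(outToken);
                message = writer.toByteArray();
            } finally {
                writer.close();
            }
            sendMessage(message, "SSH_MSG_USERAUTH_GSSAPI_TOKEN");
            return;
        }
        if (established) {
            if (log.isDebugEnabled()) {
                log.debug("No token returned and context established; waiting for SSH_MSG_USERAUTH_GSSAPI_MIC");
            }
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("No token returned, sending result of " + established);
        }
        this.authentication.failedAuthentication(false, false);
    }

    /**
     * Verifies the client's MIC (RFC 4462 section 3.5) and, if it is valid, checks that the
     * authenticated Kerberos principal may log in as the requested username before completing
     * the authentication. Either failure rejects the attempt.
     *
     * <p>The MIC'd data is: string session id, byte SSH_MSG_USERAUTH_REQUEST, string username,
     * string "ssh-connection", string "gssapi-with-mic". NOTE(review): this assumes
     * {@code TransportProtocol#getSessionKey()} returns the SSH session identifier (the first
     * exchange hash), not a derived encryption key -- confirm against the transport.
     */
    private void validateMIC(ByteArrayReader reader) throws IOException {
        byte[] mic = reader.readBinaryString();
        ByteArrayWriter signedData = new ByteArrayWriter();
        try {
            signedData.writeBinaryString(this.transport.getSessionKey());
            signedData.write(SSH_MSG_USERAUTH_REQUEST);
            signedData.writeString(this.username);
            signedData.writeString(SSH_CONNECTION_SERVICE);
            signedData.writeString(getMethod());
            byte[] data = signedData.toByteArray();
            this.gssContext.verifyMIC(mic, 0, mic.length, data, 0, data.length, new MessageProp(false));
            if (log.isDebugEnabled()) {
                log.debug("MIC OK");
            }
            // A valid MIC proves the Kerberos client owns this session's context; it does not
            // say that principal is allowed to be `username`. That is a separate decision.
            GSSName principal = this.gssContext.getSrcName();
            if (!isAuthorizedPrincipal(principal, this.username)) {
                log.warn("Kerberos principal {} is not authorized to authenticate as {}. Rejecting authentication.",
                        principal, this.username);
                this.authentication.failedAuthentication();
                return;
            }
            this.authentication.completedAuthentication();
        } catch (GSSException e) {
            if (log.isDebugEnabled()) {
                log.debug("GSS verify failed. ", e);
            }
            this.authentication.failedAuthentication();
        } finally {
            signedData.close();
        }
    }

    /**
     * Policy hook deciding whether an authenticated Kerberos principal may log in as the
     * requested SSH username. Override to consult a principal-to-user mapping (.k5login style,
     * directory lookup, cross-realm rules).
     *
     * <p>Default policy: the principal's name without its realm (the part before '@') must equal
     * the requested username exactly; comparison is case-sensitive because Kerberos principal
     * names are.
     *
     * @param principal the context's source name as reported by GSS-API
     * @param requestedUsername the username from the SSH_MSG_USERAUTH_REQUEST
     * @return true to allow the login
     * @throws GSSException if an override's name handling fails; treated as a rejection by the caller
     */
    protected boolean isAuthorizedPrincipal(GSSName principal, String requestedUsername) throws GSSException {
        if (principal == null || requestedUsername == null || requestedUsername.isEmpty()) {
            return false;
        }
        String name = principal.toString();
        int realmSeparator = name.indexOf('@');
        String withoutRealm = realmSeparator >= 0 ? name.substring(0, realmSeparator) : name;
        return withoutRealm.equals(requestedUsername);
    }

    /**
     * Queues a fully encoded SSH message on the transport; {@code description} is only used for
     * the debug line logged once it has been sent.
     */
    private void sendMessage(final byte[] message, final String description) {
        this.transport.postMessage(new SshMessage() {
            @Override // com.maverick.sshd.SshMessage
            public boolean writeMessageIntoBuffer(ByteBuffer buffer) {
                buffer.put(message);
                return true;
            }

            @Override // com.maverick.sshd.SshMessage
            public void messageSent() {
                if (log.isDebugEnabled()) {
                    log.debug("Sent " + description);
                }
            }
        });
    }

    /**
     * Creates an acceptor-only GSS context from the Kerberos credentials held by the logged-in
     * subject. Credential acquisition runs under {@link Subject#doAs} so the Krb5 mechanism can
     * find the subject's private credentials.
     *
     * @return a new context, or null if no acceptor credential could be acquired
     */
    private GSSContext createGSSContext() throws GSSException {
        final GSSManager manager = GSSManager.getInstance();
        GSSCredential acceptorCredential = Subject.doAs(this.subject, new PrivilegedAction<GSSCredential>() {
            @Override // java.security.PrivilegedAction
            public GSSCredential run() {
                try {
                    // Default (null) name: whichever acceptor principal the subject holds.
                    return manager.createCredential((GSSName) null, GSSCredential.INDEFINITE_LIFETIME,
                            krb5Oid, GSSCredential.ACCEPT_ONLY);
                } catch (Exception e) {
                    log.error("Failed to create GSS credential.", e);
                    return null;
                }
            }
        });
        if (acceptorCredential == null) {
            return null;
        }
        return manager.createContext(acceptorCredential);
    }
}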
