package com.sun.security.sasl.gsskerb;

import com.sun.org.apache.xml.internal.security.c14n.Canonicalizer;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.logging.Level;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import sun.security.krb5.PrincipalName;

/* loaded from: classes2.dex */
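/**
 * Client side of the SASL GSSAPI (Kerberos v5) mechanism.
 *
 * <p>The exchange has two phases. {@link #evaluateChallenge(byte[])} first drives
 * {@code initSecContext} until the GSS context is established, then hands the next
 * server token to the final handshake, which negotiates the security layer and
 * buffer sizes and optionally sends the authorization identity.
 *
 * <p>State such as {@code secCtx}, {@code qop}, {@code privacy}, {@code integrity},
 * {@code completed} and the buffer sizes is inherited; its declaration is not visible
 * in this file.
 */
final class GssKrb5Client extends GssKrb5Base implements SaslClient {
    private static final String MY_CLASS_NAME = GssKrb5Client.class.getName();

    /** Unwrapped final-handshake token: one protection-mask octet plus three size octets. */
    private static final int SECURITY_LAYER_TOKEN_MIN_LENGTH = 4;

    /** Protection-mask bit selecting an integrity-only security layer. */
    private static final int LAYER_INTEGRITY = 2;

    /** Protection-mask bit selecting a confidentiality (privacy) security layer. */
    private static final int LAYER_PRIVACY = 4;

    // UTF-8 bytes of the authorization identity; null when none was supplied.
    private byte[] authzID;
    // True once the GSS context is established and the next token is the final handshake.
    private boolean finalHandshake;
    // Whether the client asks the server to authenticate itself as well.
    private boolean mutual;

    /**
     * Prepares the GSS security context for the exchange; no token is produced until
     * {@link #evaluateChallenge(byte[])} is called.
     *
     * @param str authorization identity to send in the final handshake; {@code null} or
     *     empty means none is sent
     * @param str2 service part of the host-based service name
     * @param str3 host part of the host-based service name
     * @param map SASL properties, may be {@code null}; {@code Sasl.CREDENTIALS} and
     *     {@code Sasl.SERVER_AUTH} are read here
     * @param callbackHandler not used by this constructor
     * @throws SaslException if the GSS name or security context cannot be created
     */
    public GssKrb5Client(String str, String str2, String str3, Map map, CallbackHandler callbackHandler) throws SaslException {
        super(map, MY_CLASS_NAME);
        this.finalHandshake = false;
        this.mutual = false;

        // GSSName.NT_HOSTBASED_SERVICE names take the form service@host.
        String serviceName = str2 + "@" + str3;
        logger.log(Level.FINE, "KRB5CLNT01:Requesting service name: {0}", serviceName);
        try {
            GSSManager manager = GSSManager.getInstance();
            GSSName acceptorName = manager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE, KRB5_OID);

            // Only a GSSCredential is accepted; any other value under the key is ignored
            // and the context falls back to the default credentials (null).
            GSSCredential credentials = null;
            if (map != null) {
                Object supplied = map.get(Sasl.CREDENTIALS);
                if (supplied instanceof GSSCredential) {
                    credentials = (GSSCredential) supplied;
                    logger.log(Level.FINE, "KRB5CLNT01:Using the credentials supplied in javax.security.sasl.credentials");
                }
            }

            // Integer.MAX_VALUE is the value of GSSContext.INDEFINITE_LIFETIME.
            this.secCtx = manager.createContext(acceptorName, KRB5_OID, credentials, Integer.MAX_VALUE);

            // NOTE(review): delegation is requested for every caller-supplied credential,
            // with no property to opt out. A delegated credential lets the accepting
            // service act as the client, so callers should pass credentials here only
            // for services they trust to that degree.
            if (credentials != null) {
                this.secCtx.requestCredDeleg(true);
            }

            // Mutual authentication stays off unless Sasl.SERVER_AUTH is "true"; without
            // it the client does not ask the server to prove its identity.
            if (map != null) {
                String serverAuth = (String) map.get(Sasl.SERVER_AUTH);
                if (serverAuth != null) {
                    this.mutual = "true".equalsIgnoreCase(serverAuth);
                }
            }
            this.secCtx.requestMutualAuth(this.mutual);

            // Confidentiality and integrity are always requested on the context; which
            // layer is actually used is decided in the final handshake.
            this.secCtx.requestConf(true);
            this.secCtx.requestInteg(true);

            if (str != null && !str.isEmpty()) {
                // The charset constant cannot fail, unlike a lookup by charset name.
                this.authzID = str.getBytes(StandardCharsets.UTF_8);
            }
        } catch (GSSException e) {
            throw new SaslException("Failure to initialize security context", e);
        }
    }

    /**
     * Processes the server's security-layer offer and builds the client's reply.
     *
     * <p>The unwrapped server token carries a protection mask in octet 0 and the
     * server's maximum receive size in octets 1-3. The reply carries the selected mask,
     * the client's maximum receive size and, if set, the authorization identity.
     *
     * @param bArr wrapped token received from the server
     * @return the wrapped reply, or {@code EMPTY} when the server token is empty
     * @throws SaslException if the token is malformed, no protection layer is shared,
     *     or a GSS operation fails
     */
    private byte[] doFinalHandshake(byte[] bArr) throws SaslException {
        try {
            if (logger.isLoggable(Level.FINER)) {
                traceOutput(MY_CLASS_NAME, "doFinalHandshake", "KRB5CLNT04:Challenge [raw]:", bArr);
            }
            if (bArr.length == 0) {
                return EMPTY;
            }

            // NOTE(review): the MessageProp filled in by unwrap is not inspected here, so
            // this method does not itself confirm which protection the token carried.
            byte[] offer = this.secCtx.unwrap(bArr, 0, bArr.length, new MessageProp(0, false));

            // The token comes from the peer: reject a short one with a SaslException
            // instead of letting an ArrayIndexOutOfBoundsException escape below.
            if (offer == null || offer.length < SECURITY_LAYER_TOKEN_MIN_LENGTH) {
                throw new SaslException("Final handshake token is shorter than "
                        + SECURITY_LAYER_TOKEN_MIN_LENGTH + " bytes");
            }

            if (logger.isLoggable(Level.FINE)) {
                if (logger.isLoggable(Level.FINER)) {
                    traceOutput(MY_CLASS_NAME, "doFinalHandshake", "KRB5CLNT05:Challenge [unwrapped]:", offer);
                }
                logger.log(Level.FINE, "KRB5CLNT06:Server protections: {0}", Byte.valueOf(offer[0]));
            }

            byte selectedMask = findPreferredMask(offer[0], this.qop);
            if (selectedMask == 0) {
                throw new SaslException("No common protection layer between client and server");
            }
            if ((selectedMask & LAYER_PRIVACY) != 0) {
                // Privacy implies integrity.
                this.privacy = true;
                this.integrity = true;
            } else if ((selectedMask & LAYER_INTEGRITY) != 0) {
                this.integrity = true;
            }

            // Never send more than the server says it can receive; 0 means no local limit
            // was configured, so the server's value is taken as is.
            int serverMaxRecv = networkByteOrderToInt(offer, 1, 3);
            this.sendMaxBufSize = this.sendMaxBufSize == 0
                    ? serverMaxRecv
                    : Math.min(this.sendMaxBufSize, serverMaxRecv);
            this.rawSendSize = this.secCtx.getWrapSizeLimit(0, this.privacy, this.sendMaxBufSize);
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "KRB5CLNT07:Client max recv size: {0}; server max recv size: {1}; rawSendSize: {2}", new Object[]{Integer.valueOf(this.recvMaxBufSize), Integer.valueOf(serverMaxRecv), Integer.valueOf(this.rawSendSize)});
            }

            int replyLength = SECURITY_LAYER_TOKEN_MIN_LENGTH;
            if (this.authzID != null) {
                replyLength += this.authzID.length;
            }
            byte[] reply = new byte[replyLength];
            reply[0] = selectedMask;
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "KRB5CLNT08:Selected protection: {0}; privacy: {1}; integrity: {2}", new Object[]{Byte.valueOf(selectedMask), Boolean.valueOf(this.privacy), Boolean.valueOf(this.integrity)});
            }
            intToNetworkByteOrder(this.recvMaxBufSize, reply, 1, 3);
            if (this.authzID != null) {
                System.arraycopy(this.authzID, 0, reply, 4, this.authzID.length);
                if (logger.isLoggable(Level.FINE)) {
                    // Log the decoded identity; passing the byte[] itself would only
                    // print the array's identity string.
                    logger.log(Level.FINE, "KRB5CLNT09:Authzid: {0}", new String(this.authzID, StandardCharsets.UTF_8));
                }
            }
            if (logger.isLoggable(Level.FINER)) {
                traceOutput(MY_CLASS_NAME, "doFinalHandshake", "KRB5CLNT10:Response [raw]", reply);
            }

            byte[] wrappedReply = this.secCtx.wrap(reply, 0, reply.length, new MessageProp(0, false));
            if (logger.isLoggable(Level.FINER)) {
                traceOutput(MY_CLASS_NAME, "doFinalHandshake", "KRB5CLNT11:Response [after wrap]", wrappedReply);
            }
            this.completed = true;
            this.msgProp = new MessageProp(0, this.privacy);
            return wrappedReply;
        } catch (GSSException e) {
            throw new SaslException("Final handshake failed", e);
        }
    }

    /**
     * Consumes one server token and returns the client's next token.
     *
     * @param bArr token from the server; an empty array for the initial response
     * @return the next token to send; {@code EMPTY} when the context became established
     *     without producing output
     * @throws SaslException if the GSS context cannot be initiated or the final
     *     handshake fails
     * @throws IllegalStateException if the exchange has already completed
     */
    @Override // javax.security.sasl.SaslClient
    public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
        if (this.completed) {
            throw new IllegalStateException("GSSAPI authentication already complete");
        }
        if (this.finalHandshake) {
            return doFinalHandshake(bArr);
        }
        try {
            byte[] response = this.secCtx.initSecContext(bArr, 0, bArr.length);
            if (logger.isLoggable(Level.FINER)) {
                traceOutput(MY_CLASS_NAME, "evaluateChallenge", "KRB5CLNT02:Challenge: [raw]", bArr);
                traceOutput(MY_CLASS_NAME, "evaluateChallenge", "KRB5CLNT03:Response: [after initSecCtx]", response);
            }
            if (!this.secCtx.isEstablished()) {
                return response;
            }
            // Context is up: the next server token is the security-layer offer.
            this.finalHandshake = true;
            return response == null ? EMPTY : response;
        } catch (GSSException e) {
            throw new SaslException("GSS initiate failed", e);
        }
    }

    /**
     * Reports that this mechanism sends an initial response.
     *
     * @return always {@code true}
     */
    @Override // javax.security.sasl.SaslClient
    public boolean hasInitialResponse() {
        return true;
    }
}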
