package org.apache.wss4j.stax.impl.securityToken;

import java.io.IOException;
import java.security.Key;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.kerberos.KerberosClientExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosContext;
import org.apache.wss4j.common.kerberos.KerberosContextAndServiceNameCallback;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;

/* loaded from: input_file:WEB-INF/lib/wss4j-ws-security-stax-2.3.0.jar:org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.class */
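/**
 * Outbound Kerberos security token for the client side of a Kerberos exchange.
 *
 * <p>The token holds a Kerberos token (ticket bytes) and the session key that goes
 * with it. Both are either supplied up front through
 * {@link #KerberosClientSecurityToken(byte[], Key, String)} or obtained lazily: on the
 * first call to {@link #getSecretKey(String)} or {@link #getTicket()} a JAAS login is
 * performed through the configured {@link CallbackHandler} and a service ticket is
 * requested for the principal that logged in.
 *
 * <p>Not thread-safe: the lazy initialisation is unsynchronised, so concurrent first
 * use may run the login more than once.
 */
public class KerberosClientSecurityToken extends GenericOutboundSecurityToken {
    // Answers KerberosContextAndServiceNameCallback and the JAAS login-module callbacks;
    // null when the token was constructed with a ticket and key.
    private CallbackHandler callbackHandler;
    // Session key shared with the service; null until obtained.
    private Key secretKey;
    // Kerberos token bytes returned by the service-ticket request (or passed in); null until obtained.
    private byte[] ticket;

    /**
     * Creates a token from an already obtained Kerberos token and session key.
     *
     * @param bArr the Kerberos token bytes
     * @param key the session key associated with the token
     * @param str the token id
     */
    public KerberosClientSecurityToken(byte[] bArr, Key key, String str) {
        super(str, WSSecurityTokenConstants.KERBEROS_TOKEN);
        this.ticket = bArr;
        this.secretKey = key;
    }

    /**
     * Creates a token that obtains its Kerberos token and session key lazily via a JAAS login.
     *
     * @param callbackHandler handler that answers a {@link KerberosContextAndServiceNameCallback}
     *        (JAAS context name, service name, name form and delegation flag) and the callbacks
     *        of the JAAS login modules
     * @param str the token id
     */
    public KerberosClientSecurityToken(CallbackHandler callbackHandler, String str) {
        super(str, WSSecurityTokenConstants.KERBEROS_TOKEN);
        this.callbackHandler = callbackHandler;
    }

    /**
     * Performs the JAAS login and requests a service ticket, populating
     * {@link #secretKey} and {@link #ticket}.
     *
     * <p>The session key is taken from the {@link KerberosContext} when it provides one;
     * otherwise it is read from the service ticket that the request added to the
     * subject's private credentials (identified as the ticket that is not the TGT
     * present before the request).
     *
     * @throws WSSecurityException with {@code FAILURE} when no callback handler is configured,
     *         when the callback supplies no context or service name, when the login yields no
     *         principal or no usable ticket, or when the login or the service-ticket request
     *         itself fails (the original exception is kept as the cause)
     */
    private void getTGT() throws WSSecurityException {
        if (this.callbackHandler == null) {
            // Token was pre-populated but its ticket or key is missing: there is no way to log in,
            // so fail explicitly instead of with a NullPointerException below.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosLoginError",
                new Object[]{"No CallbackHandler configured to obtain the Kerberos ticket"});
        }
        try {
            KerberosContextAndServiceNameCallback namesCallback = new KerberosContextAndServiceNameCallback();
            this.callbackHandler.handle(new Callback[]{namesCallback});
            if (namesCallback.getContextName() == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackContextNameNotSupplied");
            }
            if (namesCallback.getServiceName() == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosCallbackServiceNameNotSupplied");
            }

            LoginContext loginContext = new LoginContext(namesCallback.getContextName(), this.callbackHandler);
            loginContext.login();
            Subject clientSubject = loginContext.getSubject();
            Set<Principal> principals = clientSubject.getPrincipals();
            if (principals.isEmpty()) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosLoginError",
                    new Object[]{"No Client principals found after login"});
            }

            // Remember the ticket present before the request (the TGT) so the service ticket
            // added by the action can be told apart from it afterwards.
            KerberosTicket tgt = getKerberosTicket(clientSubject, null);
            KerberosClientExceptionAction action = new KerberosClientExceptionAction(
                principals.iterator().next(),
                namesCallback.getServiceName(),
                namesCallback.isUsernameServiceNameForm(),
                namesCallback.isRequestCredDeleg());
            try {
                KerberosContext kerberosContext = (KerberosContext) Subject.doAs(clientSubject, action);
                Key contextKey = kerberosContext.getSecretKey();
                if (contextKey != null) {
                    // Copy the key material into a standalone SecretKeySpec.
                    this.secretKey = new SecretKeySpec(contextKey.getEncoded(), contextKey.getAlgorithm());
                } else {
                    KerberosTicket serviceTicket = getKerberosTicket(clientSubject, tgt);
                    if (serviceTicket == null) {
                        // getKerberosTicket returns null when the subject holds no other ticket;
                        // report that rather than dereferencing null.
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosLoginError",
                            new Object[]{"No service ticket found after login"});
                    }
                    this.secretKey = serviceTicket.getSessionKey();
                }
                this.ticket = kerberosContext.getKerberosToken();
            } catch (PrivilegedActionException e) {
                // The action wraps its failure; unwrap WSSecurityExceptions, wrap anything else.
                Throwable cause = e.getCause();
                if (cause instanceof WSSecurityException) {
                    throw (WSSecurityException) cause;
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception(cause), "kerberosServiceTicketError");
            }
        } catch (IOException | UnsupportedCallbackException | LoginException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
        }
    }

    /**
     * Returns the first {@link KerberosTicket} among the subject's private credentials that
     * is not equal to {@code exclude}.
     *
     * @param subject the subject whose private credentials are searched
     * @param exclude a ticket to skip, typically the TGT; may be null to accept any ticket
     * @return the first non-excluded ticket, or null when the subject holds none
     */
    private KerberosTicket getKerberosTicket(Subject subject, KerberosTicket exclude) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets == null || tickets.isEmpty()) {
            return null;
        }
        for (KerberosTicket candidate : tickets) {
            // equals(null) is false, so with no exclusion the first ticket is returned.
            if (!candidate.equals(exclude)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Returns the secret key for the given algorithm, deriving it from the Kerberos session key.
     *
     * <p>A key already cached by the superclass for {@code str} is returned as is. Otherwise the
     * session key is obtained (running the JAAS login on first use), prepared for the requested
     * algorithm via {@link KeyUtils#prepareSecretKey(String, byte[])} and cached.
     *
     * @param str the algorithm URI the key is requested for
     * @return the prepared secret key
     * @throws XMLSecurityException if the Kerberos login or ticket request fails
     */
    @Override
    public Key getSecretKey(String str) throws XMLSecurityException {
        Key cached = super.getSecretKey(str);
        if (cached != null) {
            return cached;
        }
        if (this.secretKey == null) {
            getTGT();
        }
        SecretKey prepared = KeyUtils.prepareSecretKey(str, this.secretKey.getEncoded());
        setSecretKey(str, prepared);
        return prepared;
    }

    /**
     * Returns the Kerberos token bytes, running the JAAS login and service-ticket request on
     * first use.
     *
     * @return the Kerberos token bytes; may be null if the service-ticket request yielded none,
     *         in which case the next call runs the login again
     * @throws XMLSecurityException if the Kerberos login or ticket request fails
     */
    public byte[] getTicket() throws XMLSecurityException {
        if (this.ticket == null) {
            getTGT();
        }
        return this.ticket;
    }
}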
