package org.apache.directory.server.kerberos.kdc.preauthentication;

import java.io.IOException;
import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
import org.apache.directory.server.kerberos.kdc.authentication.AuthenticationContext;
import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.io.decoder.EncryptedDataDecoder;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptedTimeStamp;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationData;
import org.apache.directory.server.kerberos.shared.messages.value.PreAuthenticationDataType;
import org.apache.directory.server.kerberos.shared.service.LockBox;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:apacheds-protocol-kerberos-1.0.2.jar:org/apache/directory/server/kerberos/kdc/preauthentication/VerifyEncryptedTimestamp.class */
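/**
 * Pre-authentication verifier for the encrypted-timestamp mechanism
 * ({@code PA_ENC_TIMESTAMP}) in the KDC handler chain.
 *
 * <p>For a client entry without a SAM type, the verifier takes the principal's
 * stored key, and, when the configuration requires it, unseals the
 * {@code PA_ENC_TIMESTAMP} value from the request with that key and checks that
 * the timestamp lies within the configured clock skew. The key is then stored
 * on the {@link AuthenticationContext} as the client key.
 *
 * <p>NOTE(review): only the clock-skew window is checked here; no replay check
 * on the timestamp is visible in this class. Confirm one is enforced elsewhere
 * in the chain.
 */
public class VerifyEncryptedTimestamp extends VerifierBase {
    private static final Logger log = LoggerFactory.getLogger(VerifyEncryptedTimestamp.class);

    /**
     * Verifies encrypted-timestamp pre-authentication and passes control on.
     *
     * @param nextCommand the next command in the handler chain
     * @param ioSession   the session holding the {@link AuthenticationContext}
     * @param obj         the message being processed, forwarded unchanged
     * @throws KerberosException {@code KDC_ERR_NULL_KEY} if the principal has no key,
     *         {@code KDC_ERR_PREAUTH_REQUIRED} if no encrypted timestamp was supplied,
     *         {@code KRB_AP_ERR_BAD_INTEGRITY} if the value cannot be decoded or unsealed,
     *         {@code KDC_ERR_PREAUTH_FAILED} if the timestamp is outside the clock skew
     * @throws Exception whatever the rest of the chain throws
     */
    @Override // org.apache.mina.handler.chain.IoHandlerCommand
    public void execute(IoHandlerCommand.NextCommand nextCommand, IoSession ioSession, Object obj) throws Exception {
        AuthenticationContext authenticationContext = (AuthenticationContext) ioSession.getAttribute(getContextKey());
        if (authenticationContext.getClientKey() != null) {
            // A client key is already established on the context, so there is nothing
            // to verify. Return here: falling through would re-run verification, could
            // replace the established key (with null for SAM-typed entries), and would
            // invoke the rest of the chain a second time.
            nextCommand.execute(ioSession, obj);
            return;
        }

        log.debug("Verifying using encrypted timestamp.");
        KdcConfiguration config = authenticationContext.getConfig();
        KdcRequest request = authenticationContext.getRequest();
        LockBox lockBox = authenticationContext.getLockBox();
        PrincipalStoreEntry clientEntry = authenticationContext.getClientEntry();
        String name = clientEntry.getPrincipal().getName();
        EncryptionKey encryptionKey = null;

        if (clientEntry.getSamType() == null) {
            if (log.isDebugEnabled()) {
                log.debug("entry for client principal " + name + " has no SAM type: proceeding with standard pre-authentication");
            }
            encryptionKey = clientEntry.getEncryptionKey();
            if (encryptionKey == null) {
                throw new KerberosException(ErrorType.KDC_ERR_NULL_KEY);
            }
            if (config.isPaEncTimestampRequired()) {
                PreAuthenticationData[] preAuthData = request.getPreAuthData();
                if (preAuthData == null) {
                    throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError());
                }
                EncryptedTimeStamp encryptedTimeStamp = null;
                // Every PA_ENC_TIMESTAMP entry is unsealed; a failure on any of them
                // rejects the request, and if several succeed the last one is used.
                for (int i = 0; i < preAuthData.length; i++) {
                    if (preAuthData[i].getDataType().equals(PreAuthenticationDataType.PA_ENC_TIMESTAMP)) {
                        try {
                            EncryptedData decode = EncryptedDataDecoder.decode(preAuthData[i].getDataValue());
                            encryptedTimeStamp = (EncryptedTimeStamp) lockBox.unseal(EncryptedTimeStamp.class, encryptionKey, decode);
                        } catch (IOException e) {
                            // Keep the cause in the log; the client only sees the error code.
                            log.debug("Could not decode or unseal encrypted timestamp for " + name, e);
                            throw new KerberosException(ErrorType.KRB_AP_ERR_BAD_INTEGRITY);
                        } catch (ClassCastException e2) {
                            log.debug("Unsealed pre-authentication value for " + name + " is not an encrypted timestamp", e2);
                            throw new KerberosException(ErrorType.KRB_AP_ERR_BAD_INTEGRITY);
                        }
                    }
                }
                if (encryptedTimeStamp == null) {
                    throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError());
                }
                if (!encryptedTimeStamp.getTimeStamp().isInClockSkew(config.getClockSkew())) {
                    throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_FAILED);
                }
            }
        }

        // NOTE(review): this point is also reached when no timestamp was checked,
        // either because the entry has a SAM type (encryptionKey is still null) or
        // because isPaEncTimestampRequired() is false. The "successful" message
        // below is logged in those cases too; confirm that is intended before
        // treating it as evidence of verified pre-authentication.
        authenticationContext.setClientKey(encryptionKey);
        if (log.isDebugEnabled()) {
            log.debug("Pre-authentication by encrypted timestamp successful for " + name + ".");
        }
        nextCommand.execute(ioSession, obj);
    }
}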
