package org.apache.kerby.kerberos.kerb.request;

import java.net.InetAddress;
import java.util.EnumSet;
import java.util.Iterator;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ap.ApOption;
import org.apache.kerby.kerberos.kerb.type.ap.ApOptions;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;

/* loaded from: input_file:org/apache/kerby/kerberos/kerb/request/ApRequest.class */
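/**
 * Builds Kerberos AP-REQ messages on the client side and validates received
 * AP-REQ messages on the accepting side.
 *
 * <p>Instances hold the client principal, the service ticket and the AP
 * options, and lazily build the {@link ApReq}. The static {@code validate}
 * methods are independent of instance state.
 *
 * <p>Instances are not synchronized; {@link #getApReq()} caches its result in
 * a plain field.
 *
 * <p>Security notes for callers of the validators:
 * <ul>
 *   <li>Neither {@code validate} overload performs replay detection. A caller
 *       that must reject replayed authenticators has to track them itself.</li>
 *   <li>Only the four-argument overload checks client address, clock skew and
 *       ticket lifetime, and it skips every time check when the skew argument
 *       is {@code 0}.</li>
 * </ul>
 */
public class ApRequest {
    private final PrincipalName clientPrincipal;
    private final SgtTicket sgtTicket;
    private ApReq apReq;
    private final EnumSet<ApOption> flags;

    /**
     * Creates a request with the single option {@link ApOption#USE_SESSION_KEY}.
     *
     * @param principalName client principal placed in the authenticator
     * @param sgtTicket service ticket supplying the ticket, realm and session key
     */
    public ApRequest(PrincipalName principalName, SgtTicket sgtTicket) {
        this(principalName, sgtTicket, EnumSet.of(ApOption.USE_SESSION_KEY));
    }

    /**
     * Creates a request with caller-supplied AP options.
     *
     * @param principalName client principal placed in the authenticator
     * @param sgtTicket service ticket supplying the ticket, realm and session key
     * @param enumSet AP options; the set is stored by reference, not copied, so
     *     later changes by the caller affect the AP-REQ built afterwards
     */
    public ApRequest(PrincipalName principalName, SgtTicket sgtTicket, EnumSet<ApOption> enumSet) {
        this.clientPrincipal = principalName;
        this.sgtTicket = sgtTicket;
        this.flags = enumSet;
    }

    /**
     * Returns the AP-REQ, building it on first use.
     *
     * @return the cached or newly built AP-REQ
     * @throws KrbException if building or sealing the authenticator fails
     */
    public ApReq getApReq() throws KrbException {
        if (this.apReq == null) {
            this.apReq = makeApReq();
        }
        return this.apReq;
    }

    /**
     * Replaces the cached AP-REQ; a non-null value suppresses lazy building.
     *
     * @param apReq the AP-REQ to return from {@link #getApReq()}
     */
    public void setApReq(ApReq apReq) {
        this.apReq = apReq;
    }

    /**
     * Assembles the AP-REQ: the authenticator sealed under the ticket session
     * key, the service ticket and the AP option flags.
     */
    private ApReq makeApReq() throws KrbException {
        ApReq request = new ApReq();
        Authenticator authenticator = makeAuthenticator();
        request.setEncryptedAuthenticator(
                EncryptionUtil.seal(authenticator, this.sgtTicket.getSessionKey(), KeyUsage.AP_REQ_AUTH));
        // The plaintext authenticator is kept on the object next to its sealed form.
        request.setAuthenticator(authenticator);
        request.setTicket(this.sgtTicket.getTicket());

        ApOptions apOptions = new ApOptions();
        for (ApOption option : this.flags) {
            apOptions.setFlag(option);
        }
        request.setApOptions(apOptions);
        return request;
    }

    /**
     * Builds the authenticator for the current time.
     */
    private Authenticator makeAuthenticator() throws KrbException {
        Authenticator authenticator = new Authenticator();
        authenticator.setAuthenticatorVno(5);
        authenticator.setCname(this.clientPrincipal);
        authenticator.setCrealm(this.sgtTicket.getRealm());

        // ctime carries whole seconds; cusec carries the sub-second remainder
        // converted from milliseconds to microseconds.
        long nowMillis = System.currentTimeMillis();
        long subSecondMillis = nowMillis % 1000;
        authenticator.setCtime(new KerberosTime(nowMillis - subSecondMillis));
        authenticator.setCusec(((int) subSecondMillis) * 1000);

        if (this.flags.contains(ApOption.USE_SESSION_KEY)) {
            // NOTE(review): the sub-key is the ticket session key itself rather
            // than a freshly generated key - confirm that this is intended.
            authenticator.setSubKey(this.sgtTicket.getSessionKey());
        }
        return authenticator;
    }

    /**
     * Decrypts the ticket and the authenticator of an AP-REQ and checks that
     * both name the same client principal and realm.
     *
     * <p>On success the decrypted parts are stored back on {@code apReq} and
     * its ticket. This overload does not check client address, clock skew or
     * ticket lifetime, and it performs no replay detection.
     *
     * @param encryptionKey long-term key used to decrypt the ticket
     * @param apReq the received AP-REQ; modified in place
     * @throws KrbException with {@code KRB_AP_ERR_NOKEY} if the key is null,
     *     with {@code KRB_AP_ERR_BADMATCH} if the client name or realm is
     *     missing from the authenticator or differs from the ticket, or as
     *     raised by decryption
     */
    public static void validate(EncryptionKey encryptionKey, ApReq apReq) throws KrbException {
        if (encryptionKey == null) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
        }
        Ticket ticket = apReq.getTicket();
        EncTicketPart decryptedPart = EncryptionUtil.unseal(
                ticket.getEncryptedEncPart(), encryptionKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
        ticket.setEncPart(decryptedPart);
        unsealAuthenticator(decryptedPart.getKey(), apReq);

        // The authenticator is supplied by the peer: a missing name or realm is
        // reported as a mismatch instead of surfacing as a NullPointerException.
        Authenticator authenticator = apReq.getAuthenticator();
        if (!equalsNonNull(authenticator.getCname(), ticket.getEncPart().getCname())) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
        }
        if (!equalsNonNull(authenticator.getCrealm(), ticket.getEncPart().getCrealm())) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
        }
    }

    /**
     * Runs {@link #validate(EncryptionKey, ApReq)} and then checks the client
     * address, the authenticator timestamp and the ticket validity window.
     *
     * <p>The address check is skipped when {@code inetAddress} is null or the
     * ticket carries no client addresses. All time checks, including ticket
     * expiry, are skipped when {@code j} is {@code 0}; pass a non-zero skew to
     * have the ticket lifetime enforced. No replay detection is performed.
     *
     * @param encryptionKey long-term key used to decrypt the ticket
     * @param apReq the received AP-REQ; modified in place
     * @param inetAddress address the request came from, or null to skip the check
     * @param j permitted clock skew, in the unit expected by
     *     {@code KerberosTime.isInClockSkew}; {@code 0} disables the time checks
     * @throws KrbException with {@code KRB_AP_ERR_BADADDR},
     *     {@code KRB_AP_ERR_SKEW}, {@code KRB_AP_ERR_TKT_NYV} or
     *     {@code KRB_AP_ERR_TKT_EXPIRED} for the corresponding failed check, or
     *     as raised by the two-argument overload
     */
    public static void validate(EncryptionKey encryptionKey, ApReq apReq, InetAddress inetAddress, long j) throws KrbException {
        validate(encryptionKey, apReq);
        EncTicketPart encPart = apReq.getTicket().getEncPart();
        Authenticator authenticator = apReq.getAuthenticator();

        if (inetAddress != null) {
            HostAddresses clientAddresses = encPart.getClientAddresses();
            if (clientAddresses != null && !clientAddresses.contains(inetAddress)) {
                throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
            }
        }

        if (j == 0) {
            // A zero skew turns off every time-based check below.
            return;
        }
        if (!authenticator.getCtime().isInClockSkew(j)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
        }
        KerberosTime now = KerberosTime.now();
        KerberosTime startTime = encPart.getStartTime();
        if (startTime != null && !startTime.lessThanWithSkew(now, j)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
        }
        if (encPart.getEndTime().lessThanWithSkew(now, j)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
        }
    }

    /**
     * Decrypts the authenticator of an AP-REQ and stores it on the request.
     *
     * @param encryptionKey key the authenticator was sealed with
     * @param apReq the received AP-REQ; its authenticator is replaced
     * @throws KrbException if decryption or decoding fails
     */
    public static void unsealAuthenticator(EncryptionKey encryptionKey, ApReq apReq) throws KrbException {
        apReq.setAuthenticator(EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(), encryptionKey, KeyUsage.AP_REQ_AUTH, Authenticator.class));
    }

    /** Returns true only when {@code claimed} is non-null and equal to {@code expected}. */
    private static boolean equalsNonNull(Object claimed, Object expected) {
        return claimed != null && claimed.equals(expected);
    }
}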
