package org.globus.gsi.gssapi;

import COM.claymoresystems.cert.X509Cert;
import COM.claymoresystems.ptls.SSLCipherState;
import COM.claymoresystems.ptls.SSLCipherSuite;
import COM.claymoresystems.ptls.SSLConn;
import COM.claymoresystems.ptls.SSLDebug;
import COM.claymoresystems.ptls.SSLHandshake;
import COM.claymoresystems.ptls.SSLRecord;
import COM.claymoresystems.ptls.SSLSocket;
import COM.claymoresystems.sslg.CertVerifyPolicyInt;
import COM.claymoresystems.sslg.SSLPolicyInt;
import COM.claymoresystems.util.Util;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.Map;
import java.util.Vector;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.globus.gram.internal.GRAMConstants;
import org.globus.gsi.CertUtil;
import org.globus.gsi.CertificateRevocationLists;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.TrustedCertificates;
import org.globus.gsi.bc.BouncyCastleCertProcessingFactory;
import org.globus.gsi.bc.BouncyCastleUtil;
import org.globus.gsi.proxy.ProxyPathValidator;
import org.globus.gsi.proxy.ProxyPathValidatorException;
import org.globus.gsi.proxy.ProxyPolicyHandler;
import org.globus.gsi.ptls.PureTLSContext;
import org.globus.gsi.ptls.PureTLSTrustedCertificates;
import org.globus.gsi.ptls.PureTLSUtil;
import org.globus.util.I18n;
import org.gridforum.jgss.ExtendedGSSContext;
import org.gridforum.jgss.ExtendedGSSCredential;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/globus/gsi/gssapi/GlobusGSSContextImpl.class */
public class GlobusGSSContextImpl implements ExtendedGSSContext {
    public static final int GSI_WRAP = 26;
    private static final int GSI_SEQUENCE_SIZE = 8;
    private static final int GSI_MESSAGE_DIGEST_PADDING = 12;
    private static final int UNDEFINED = 0;
    private static final int INITIATE = 1;
    private static final int ACCEPT = 2;
    private static final int HANDSHAKE = 0;
    private static final int CLIENT_START_DEL = 2;
    private static final int CLIENT_END_DEL = 3;
    private static final int SERVER_START_DEL = 4;
    private static final int SERVER_END_DEL = 5;
    private static final int DELEGATION_START = 0;
    private static final int DELEGATION_SIGN_CERT = 1;
    private static final int DELEGATION_COMPLETE_CRED = 2;
    protected ExtendedGSSCredential delegatedCred;
    protected ExtendedGSSCredential delegCred;
    protected GlobusGSSCredentialImpl ctxCred;
    protected GSSName expectedTargetName;
    protected SSLConn conn;
    protected PureTLSContext context;
    protected SSLPolicyInt policy;
    protected TokenInputStream in;
    protected ByteArrayOutputStream out;
    protected BouncyCastleCertProcessingFactory certFactory;
    protected KeyPair keyPair;
    protected TrustedCertificates tc;
    protected Map proxyPolicyHandlers;
    private static Log logger = LogFactory.getLog(GlobusGSSContextImpl.class.getName());
    private static I18n i18n = I18n.getI18n("org.globus.gsi.gssapi.errors", GlobusGSSContextImpl.class.getClassLoader());
    private static Log sslLogger = LogFactory.getLog(SSLDebug.class.getName());
    private static final short[] NO_ENCRYPTION = {1};
    private static final byte[] DELEGATION_TOKEN = {68};
    private KeyPairCache keyPairCache = KeyPairCache.getKeyPairCache();
    protected int state = 0;
    protected int delegationState = 0;
    protected boolean delegationFinished = false;
    protected boolean credentialDelegation = false;
    protected boolean anonymity = false;
    protected boolean encryption = true;
    protected boolean established = false;
    protected GSSName sourceName = null;
    protected GSSName targetName = null;
    protected int role = 0;
    protected Integer delegationType = GSIConstants.DELEGATION_TYPE_LIMITED;
    protected Integer gssMode = GSIConstants.MODE_GSI;
    protected Boolean checkContextExpiration = Boolean.FALSE;
    protected Boolean rejectLimitedProxy = Boolean.FALSE;
    protected Boolean requireClientAuth = Boolean.TRUE;
    protected Boolean acceptNoClientCerts = Boolean.FALSE;
    protected Boolean requireAuthzWithDelegation = Boolean.TRUE;
    protected Date goodUntil = null;
    protected Boolean peerLimited = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/globus/gsi/gssapi/GlobusGSSContextImpl$GSSProxyPathValidator.class */
    public static class GSSProxyPathValidator extends ProxyPathValidator {
        GSSProxyPathValidator() {
        }

        @Override // org.globus.gsi.proxy.ProxyPathValidator
        public void validate(X509Certificate[] x509CertificateArr, TrustedCertificates trustedCertificates, CertificateRevocationLists certificateRevocationLists) throws ProxyPathValidatorException {
            super.validate(x509CertificateArr, trustedCertificates, certificateRevocationLists);
        }
    }

    public GlobusGSSContextImpl(GSSName gSSName, GlobusGSSCredentialImpl globusGSSCredentialImpl) throws GSSException {
        this.expectedTargetName = null;
        if (globusGSSCredentialImpl == null) {
            throw new GSSException(13);
        }
        this.expectedTargetName = gSSName;
        this.ctxCred = globusGSSCredentialImpl;
        this.context = new PureTLSContext();
        CertVerifyPolicyInt defaultCertVerifyPolicy = PureTLSUtil.getDefaultCertVerifyPolicy();
        this.policy = new SSLPolicyInt();
        this.policy.negotiateTLS(false);
        this.policy.waitOnClose(false);
        this.policy.setCertVerifyPolicy(defaultCertVerifyPolicy);
        this.context.setPolicy(this.policy);
        setSSLDebugging();
    }

    private void setSSLDebugging() {
        if (sslLogger.isTraceEnabled()) {
            SSLDebug.setDebug(GRAMConstants.STATUS_ALL);
        } else if (sslLogger.isDebugEnabled()) {
            SSLDebug.setDebug(32);
        }
    }

    public byte[] acceptSecContext(byte[] bArr, int i, int i2) throws GSSException {
        logger.debug("enter acceptSecContext");
        if (this.conn == null) {
            this.role = 2;
            if (this.ctxCred.getName().isAnonymous()) {
                throw new GlobusGSSException(9, 102, "acceptCtx00");
            }
            if (this.ctxCred.getUsage() != 2 && this.ctxCred.getUsage() != 0) {
                throw new GlobusGSSException(9, 102, "badCredUsage");
            }
            setCredential();
            init(2);
        }
        this.out.reset();
        this.in.putToken(bArr, i, i2);
        switch (this.state) {
            case 0:
                try {
                    this.conn.getHandshake().processHandshake();
                    if (this.conn.getHandshake().finishedP()) {
                        logger.debug("acceptSecContext handshake finished");
                        handshakeFinished();
                        setGoodUntil(this.ctxCred.getCertificateChain()[0].getNotAfter());
                        this.targetName = this.ctxCred.getName();
                        Vector certificateChain = this.conn.getCertificateChain();
                        if (certificateChain == null || certificateChain.size() == 0) {
                            this.sourceName = new GlobusGSSName();
                            this.anonymity = true;
                        } else {
                            setGoodUntil(((X509Cert) certificateChain.elementAt(certificateChain.size() - 1)).getValidityNotAfter());
                            this.sourceName = new GlobusGSSName(verifyChain(certificateChain));
                            this.anonymity = false;
                        }
                        if (this.gssMode == GSIConstants.MODE_GSI) {
                            this.state = 4;
                        } else {
                            setDone();
                        }
                    }
                    break;
                } catch (IOException e) {
                    throw new GlobusGSSException(11, e);
                }
                break;
            case 4:
                try {
                    if (this.in.available() <= 0) {
                        return null;
                    }
                    if (this.conn.getInStream().read() != 68) {
                        setDone();
                        break;
                    } else {
                        Vector certificateChain2 = this.conn.getCertificateChain();
                        if (certificateChain2 != null && certificateChain2.size() != 0) {
                            byte[] generateCertRequest = generateCertRequest(PureTLSUtil.convertCert((X509Cert) certificateChain2.lastElement()));
                            this.conn.getOutStream().write(generateCertRequest, 0, generateCertRequest.length);
                            this.state = 5;
                            break;
                        } else {
                            throw new GlobusGSSException(11, 30, "noClientCert");
                        }
                    }
                } catch (IOException e2) {
                    throw new GlobusGSSException(11, e2);
                } catch (GeneralSecurityException e3) {
                    throw new GlobusGSSException(11, e3);
                }
                break;
            case 5:
                try {
                    if (this.in.available() <= 0) {
                        return null;
                    }
                    X509Certificate loadCertificate = CertUtil.loadCertificate(this.conn.getInStream());
                    if (logger.isTraceEnabled()) {
                        logger.trace("Received delegated cert: " + loadCertificate.toString());
                    }
                    verifyDelegatedCert(loadCertificate);
                    Vector certificateChain3 = this.conn.getCertificateChain();
                    int size = certificateChain3.size();
                    X509Certificate[] x509CertificateArr = new X509Certificate[size + 1];
                    x509CertificateArr[0] = loadCertificate;
                    for (int i3 = 0; i3 < size; i3++) {
                        x509CertificateArr[i3 + 1] = PureTLSUtil.convertCert((X509Cert) certificateChain3.elementAt((size - 1) - i3));
                    }
                    this.delegCred = new GlobusGSSCredentialImpl(new GlobusCredential(this.keyPair.getPrivate(), x509CertificateArr), 0);
                    setDone();
                    break;
                } catch (IOException e4) {
                    throw new GlobusGSSException(11, e4);
                } catch (GeneralSecurityException e5) {
                    throw new GlobusGSSException(11, e5);
                }
            default:
                throw new GSSException(11);
        }
        logger.debug("exit acceptSeContext");
        if (this.out.size() > 0) {
            return this.out.toByteArray();
        }
        return null;
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:35:0x00f5. Please report as an issue. */
    public byte[] initSecContext(byte[] bArr, int i, int i2) throws GSSException {
        logger.debug("enter iniSecContext");
        if (this.conn == null) {
            this.role = 1;
            if (this.credentialDelegation) {
                if (this.gssMode == GSIConstants.MODE_SSL) {
                    throw new GlobusGSSException(11, 7, "initCtx00");
                }
                if (this.anonymity) {
                    throw new GlobusGSSException(11, 7, "initCtx01");
                }
            }
            if (this.anonymity || this.ctxCred.getName().isAnonymous()) {
                this.anonymity = true;
            } else {
                this.anonymity = false;
                setCredential();
                if (this.ctxCred.getUsage() != 1 && this.ctxCred.getUsage() != 0) {
                    throw new GlobusGSSException(9, 102, "badCredUsage");
                }
            }
            init(1);
        }
        logger.debug("Require authz with delegation" + this.requireAuthzWithDelegation);
        if (!Boolean.FALSE.equals(this.requireAuthzWithDelegation) && this.expectedTargetName == null && this.credentialDelegation) {
            throw new GlobusGSSException(11, 7, "initCtx02");
        }
        this.out.reset();
        this.in.putToken(bArr, i, i2);
        switch (this.state) {
            case 0:
                try {
                    this.conn.getHandshake().processHandshake();
                    if (this.conn.getHandshake().finishedP()) {
                        logger.debug("iniSecContext handshake finished");
                        handshakeFinished();
                        Vector certificateChain = this.conn.getCertificateChain();
                        setGoodUntil(((X509Cert) certificateChain.elementAt(certificateChain.size() - 1)).getValidityNotAfter());
                        this.targetName = new GlobusGSSName(verifyChain(certificateChain));
                        if (this.anonymity) {
                            this.sourceName = new GlobusGSSName();
                        } else {
                            setGoodUntil(this.ctxCred.getCertificateChain()[0].getNotAfter());
                            this.sourceName = this.ctxCred.getName();
                        }
                        if (this.expectedTargetName != null && !this.expectedTargetName.equals(this.targetName)) {
                            throw new GlobusGSSException(15, 25, "authFailed00", new Object[]{this.expectedTargetName, this.targetName});
                        }
                        if (this.gssMode == GSIConstants.MODE_GSI) {
                            this.state = 2;
                            if (this.out.size() <= 0) {
                                if (this.state == 2 || this.out.size() > 0) {
                                    throw new GSSException(11);
                                }
                                try {
                                    if (getCredDelegState()) {
                                        this.conn.getOutStream().write(68);
                                        this.state = 3;
                                    } else {
                                        this.conn.getOutStream().write(48);
                                        setDone();
                                    }
                                } catch (IOException e) {
                                    throw new GlobusGSSException(11, e);
                                }
                            }
                        } else {
                            setDone();
                        }
                    }
                    logger.debug("exit initSecContext");
                    if (this.out.size() <= 0 || this.state == 2) {
                        return this.out.toByteArray();
                    }
                    return null;
                } catch (IOException e2) {
                    throw new GlobusGSSException(11, e2);
                }
            case 1:
            default:
                throw new GSSException(11);
            case 2:
                if (this.state == 2) {
                    break;
                }
                throw new GSSException(11);
            case 3:
                try {
                    if (this.in.available() <= 0) {
                        return null;
                    }
                    X509Certificate[] certificateChain2 = this.ctxCred.getCertificateChain();
                    byte[] encoded = this.certFactory.createCertificate(this.conn.getInStream(), certificateChain2[0], this.ctxCred.getPrivateKey(), -1, getDelegationType(certificateChain2[0])).getEncoded();
                    this.conn.getOutStream().write(encoded, 0, encoded.length);
                    setDone();
                    logger.debug("exit initSecContext");
                    if (this.out.size() <= 0) {
                        break;
                    }
                    return this.out.toByteArray();
                } catch (IOException e3) {
                    throw new GlobusGSSException(11, e3);
                } catch (GeneralSecurityException e4) {
                    throw new GlobusGSSException(11, e4);
                }
        }
    }

    private void setDone() {
        this.established = true;
    }

    private void setGoodUntil(Date date) {
        if (this.goodUntil == null) {
            this.goodUntil = date;
        } else if (date.before(this.goodUntil)) {
            this.goodUntil = date;
        }
    }

    private void init(int i) throws GSSException {
        short[] sArr;
        if (this.encryption) {
            short[] cipherSuites = this.policy.getCipherSuites();
            short[] sArr2 = new short[cipherSuites.length + 1];
            System.arraycopy(cipherSuites, 0, sArr2, 0, cipherSuites.length);
            sArr2[cipherSuites.length] = 1;
            sArr = sArr2;
        } else {
            sArr = NO_ENCRYPTION;
        }
        this.policy.setCipherSuites(sArr);
        this.policy.requireClientAuth(this.requireClientAuth.booleanValue());
        this.policy.setAcceptNoClientCert(this.acceptNoClientCerts.booleanValue());
        setTrustedCertificates();
        this.in = new TokenInputStream();
        this.out = new ByteArrayOutputStream();
        try {
            this.conn = new SSLConn((SSLSocket) null, this.in, this.out, this.context, i);
            this.conn.init();
            this.certFactory = BouncyCastleCertProcessingFactory.getDefault();
            this.state = 0;
        } catch (IOException e) {
            throw new GlobusGSSException(11, e);
        }
    }

    private void handshakeFinished() throws IOException {
        this.conn.finishHandshake();
        SSLCipherSuite findCipherSuite = SSLCipherSuite.findCipherSuite(this.conn.getCipherSuite());
        this.encryption = !findCipherSuite.getCipherAlg().equals("NULL");
        logger.debug("encryption alg: " + findCipherSuite.getCipherAlg());
    }

    private String verifyChain(Vector vector) throws GSSException {
        try {
            X509Certificate[] certificateChainToArray = PureTLSUtil.certificateChainToArray(vector);
            GSSProxyPathValidator gSSProxyPathValidator = new GSSProxyPathValidator();
            if (this.proxyPolicyHandlers != null) {
                for (String str : this.proxyPolicyHandlers.keySet()) {
                    gSSProxyPathValidator.setProxyPolicyHandler(str, (ProxyPolicyHandler) this.proxyPolicyHandlers.get(str));
                }
            }
            CertificateRevocationLists defaultCertificateRevocationLists = CertificateRevocationLists.getDefaultCertificateRevocationLists();
            gSSProxyPathValidator.setRejectLimitedProxyCheck(this.rejectLimitedProxy.booleanValue());
            try {
                gSSProxyPathValidator.validate(certificateChainToArray, this.tc, defaultCertificateRevocationLists);
                this.peerLimited = gSSProxyPathValidator.isLimited() ? Boolean.TRUE : Boolean.FALSE;
                return gSSProxyPathValidator.getIdentity();
            } catch (ProxyPathValidatorException e) {
                if (e.getErrorCode() == 7) {
                    throw new GlobusGSSException(15, e);
                }
                throw new GlobusGSSException(9, e);
            }
        } catch (GeneralSecurityException e2) {
            throw new GlobusGSSException(9, e2);
        }
    }

    private void setCredential() throws GSSException {
        try {
            this.context.setCredential(this.ctxCred.getGlobusCredential());
        } catch (GeneralSecurityException e) {
            throw new GlobusGSSException(9, e);
        }
    }

    private void setTrustedCertificates() throws GSSException {
        if (this.tc == null) {
            this.tc = PureTLSTrustedCertificates.getDefaultPureTLSTrustedCertificates();
        }
        if (this.tc == null) {
            throw new GlobusGSSException(9, 102, "noCaCerts");
        }
        try {
            this.context.setRootList(this.tc.getX509CertList());
        } catch (GeneralSecurityException e) {
            throw new GlobusGSSException(11, e);
        }
    }

    public byte[] wrap(byte[] bArr, int i, int i2, MessageProp messageProp) throws GSSException {
        byte[] wrap;
        checkContext();
        logger.debug("enter wrap");
        boolean z = false;
        if (messageProp != null) {
            if (messageProp.getQOP() != 0 && messageProp.getQOP() != 1) {
                throw new GSSException(14);
            }
            z = !messageProp.getPrivacy() && messageProp.getQOP() == 1;
        }
        if (z) {
            byte[] mic = getMIC(bArr, i, i2, null);
            byte[] bArr2 = new byte[5 + i2 + mic.length];
            bArr2[0] = 26;
            bArr2[1] = 3;
            bArr2[2] = 0;
            bArr2[3] = (byte) (mic.length >>> 8);
            bArr2[4] = (byte) (mic.length >>> 0);
            System.arraycopy(mic, 0, bArr2, 5, mic.length);
            System.arraycopy(bArr, i, bArr2, 5 + mic.length, i2);
            wrap = bArr2;
        } else {
            wrap = wrap(bArr, i, i2);
            if (messageProp != null) {
                messageProp.setPrivacy(this.encryption);
                messageProp.setQOP(0);
            }
        }
        logger.debug("exit wrap");
        return wrap;
    }

    private byte[] wrap(byte[] bArr, int i, int i2) throws GSSException {
        this.out.reset();
        try {
            this.conn.getOutStream().write(bArr, i, i2);
            return this.out.toByteArray();
        } catch (IOException e) {
            throw new GlobusGSSException(11, e);
        }
    }

    public byte[] unwrap(byte[] bArr, int i, int i2, MessageProp messageProp) throws GSSException {
        byte[] unwrap;
        checkContext();
        logger.debug("enter unwrap");
        if (bArr[i] == 26 && bArr[i + 1] == 3 && bArr[i + 2] == 0) {
            short s = SSLUtil.toShort(bArr[i + 3], bArr[i + 4]);
            int i3 = (i2 - 5) - s;
            if (s > i2 - 5 || i3 < 0) {
                throw new GSSException(10);
            }
            verifyMIC(bArr, i + 5, s, bArr, i + 5 + s, i3, null);
            if (messageProp != null) {
                messageProp.setPrivacy(false);
                messageProp.setQOP(1);
            }
            unwrap = new byte[i3];
            System.arraycopy(bArr, i + 5 + s, unwrap, 0, i3);
        } else {
            unwrap = unwrap(bArr, i, i2);
            if (messageProp != null) {
                messageProp.setPrivacy(this.encryption);
                messageProp.setQOP(0);
            }
        }
        logger.debug("exit unwrap");
        return unwrap;
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:6:0x003b. Please report as an issue. */
    private byte[] unwrap(byte[] bArr, int i, int i2) throws GSSException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr, i, i2);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        while (byteArrayInputStream.available() > 0) {
            try {
                SSLRecord sSLRecord = new SSLRecord((SSLConn) null);
                sSLRecord.decode(this.conn, byteArrayInputStream);
                switch (sSLRecord.getType().getValue()) {
                    case 21:
                        this.conn.getRecordReader().processAlert(sSLRecord.getData().getValue());
                    case 23:
                        byteArrayOutputStream.write(sSLRecord.getData().getValue());
                    default:
                        throw new Exception(i18n.getMessage("tokenFail03"));
                }
            } catch (IOException e) {
                throw new GlobusGSSException(6, e);
            } catch (Exception e2) {
                throw new GlobusGSSException(10, e2);
            }
        }
        return byteArrayOutputStream.toByteArray();
    }

    public void dispose() throws GSSException {
        logger.debug("dipose");
    }

    public boolean isEstablished() {
        return this.established;
    }

    public void requestCredDeleg(boolean z) throws GSSException {
        this.credentialDelegation = z;
    }

    public boolean getCredDelegState() {
        return this.credentialDelegation;
    }

    public boolean isInitiator() throws GSSException {
        if (this.role == 0) {
            throw new GSSException(11);
        }
        return this.role == 1;
    }

    public boolean isProtReady() {
        return isEstablished();
    }

    public void requestLifetime(int i) throws GSSException {
        if (i == Integer.MAX_VALUE) {
            throw new GlobusGSSException(11, 102, "badLifetime00");
        }
        if (i != 0) {
            Calendar calendar = Calendar.getInstance();
            calendar.add(13, i);
            setGoodUntil(calendar.getTime());
        }
    }

    public int getLifetime() {
        if (this.goodUntil != null) {
            return (int) ((this.goodUntil.getTime() - System.currentTimeMillis()) / 1000);
        }
        return -1;
    }

    public Oid getMech() throws GSSException {
        return GSSConstants.MECH_OID;
    }

    public GSSCredential getDelegCred() throws GSSException {
        return this.delegCred;
    }

    public void requestConf(boolean z) throws GSSException {
        this.encryption = z;
    }

    public boolean getConfState() {
        return this.encryption;
    }

    public byte[] getMIC(byte[] bArr, int i, int i2, MessageProp messageProp) throws GSSException {
        checkContext();
        logger.debug("enter getMic");
        if (messageProp != null && (messageProp.getQOP() != 0 || messageProp.getPrivacy())) {
            throw new GSSException(14);
        }
        SSLCipherState writeCipherState = this.conn.getWriteCipherState();
        SSLCipherSuite cipherSuite = writeCipherState.getCipherSuite();
        long writeSequence = this.conn.getWriteSequence();
        byte[] bArr2 = new byte[12 + cipherSuite.getDigestOutputLength()];
        System.arraycopy(Util.toBytes(writeSequence), 0, bArr2, 0, 8);
        System.arraycopy(Util.toBytes(i2, 4), 0, bArr2, 8, 4);
        this.conn.incrementWriteSequence();
        int i3 = cipherSuite.getDigestOutputLength() == 16 ? 48 : 40;
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(cipherSuite.getDigestAlg());
            messageDigest.update(writeCipherState.getMacKey());
            for (int i4 = 0; i4 < i3; i4++) {
                messageDigest.update(SSLHandshake.pad_1);
            }
            messageDigest.update(bArr2, 0, 12);
            messageDigest.update(bArr, i, i2);
            byte[] digest = messageDigest.digest();
            System.arraycopy(digest, 0, bArr2, 12, digest.length);
            if (messageProp != null) {
                messageProp.setPrivacy(false);
                messageProp.setQOP(0);
            }
            logger.debug("exit getMic");
            return bArr2;
        } catch (NoSuchAlgorithmException e) {
            throw new GlobusGSSException(11, e);
        }
    }

    public void verifyMIC(byte[] bArr, int i, int i2, byte[] bArr2, int i3, int i4, MessageProp messageProp) throws GSSException {
        checkContext();
        logger.debug("enter verifyMic");
        SSLCipherState readCipherState = this.conn.getReadCipherState();
        SSLCipherSuite cipherSuite = readCipherState.getCipherSuite();
        logger.debug("digest algorithm: " + cipherSuite.getDigestAlg());
        if (i2 != 12 + cipherSuite.getDigestOutputLength()) {
            throw new GlobusGSSException(10, 29, "tokenFail00", new Object[]{new Integer(i2), new Integer(12 + cipherSuite.getDigestOutputLength())});
        }
        int i5 = SSLUtil.toInt(bArr, i + 8);
        if (i5 != i4) {
            throw new GlobusGSSException(10, 29, "tokenFail01", new Object[]{new Integer(i4), new Integer(i5)});
        }
        int i6 = cipherSuite.getDigestOutputLength() == 16 ? 48 : 40;
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(cipherSuite.getDigestAlg());
            messageDigest.update(readCipherState.getMacKey());
            for (int i7 = 0; i7 < i6; i7++) {
                messageDigest.update(SSLHandshake.pad_1);
            }
            messageDigest.update(bArr, i, 12);
            messageDigest.update(bArr2, i3, i4);
            byte[] digest = messageDigest.digest();
            byte[] bArr3 = new byte[i2 - 12];
            System.arraycopy(bArr, i + 12, bArr3, 0, bArr3.length);
            if (!Arrays.equals(digest, bArr3)) {
                throw new GlobusGSSException(6, 33, "tokenFail02");
            }
            long j = SSLUtil.toLong(bArr, i);
            long readSequence = this.conn.getReadSequence();
            long j2 = j - readSequence;
            logger.debug("Token seq#   : " + j);
            logger.debug("Current seq# : " + readSequence);
            if (j2 > 0) {
                throw new GSSException(22);
            }
            if (j2 < 0) {
                throw new GSSException(20);
            }
            this.conn.incrementReadSequence();
            if (messageProp != null) {
                messageProp.setPrivacy(false);
                messageProp.setQOP(0);
            }
            logger.debug("exit verifyMic");
        } catch (NoSuchAlgorithmException e) {
            throw new GlobusGSSException(11, e);
        }
    }

    public int initSecContext(InputStream inputStream, OutputStream outputStream) throws GSSException {
        try {
            byte[] readSslMessage = this.conn == null ? new byte[0] : SSLUtil.readSslMessage(inputStream);
            byte[] initSecContext = initSecContext(readSslMessage, 0, readSslMessage.length);
            if (initSecContext == null) {
                return 0;
            }
            outputStream.write(initSecContext);
            return initSecContext.length;
        } catch (IOException e) {
            throw new GlobusGSSException(11, e);
        }
    }

    public void acceptSecContext(InputStream inputStream, OutputStream outputStream) throws GSSException {
        try {
            byte[] readSslMessage = SSLUtil.readSslMessage(inputStream);
            byte[] acceptSecContext = acceptSecContext(readSslMessage, 0, readSslMessage.length);
            if (acceptSecContext != null) {
                outputStream.write(acceptSecContext);
            }
        } catch (IOException e) {
            throw new GlobusGSSException(11, e);
        }
    }

    public GSSName getSrcName() throws GSSException {
        return this.sourceName;
    }

    public GSSName getTargName() throws GSSException {
        return this.targetName;
    }

    public void requestInteg(boolean z) throws GSSException {
        if (!z) {
            throw new GlobusGSSException(11, GlobusGSSException.BAD_OPTION, "integOn");
        }
    }

    public boolean getIntegState() {
        return true;
    }

    public void requestSequenceDet(boolean z) throws GSSException {
        if (!z) {
            throw new GlobusGSSException(11, GlobusGSSException.BAD_OPTION, "seqDet");
        }
    }

    public boolean getSequenceDetState() {
        return true;
    }

    public void requestReplayDet(boolean z) throws GSSException {
        if (!z) {
            throw new GlobusGSSException(11, GlobusGSSException.BAD_OPTION, "replayDet");
        }
    }

    public boolean getReplayDetState() {
        return true;
    }

    public void requestAnonymity(boolean z) throws GSSException {
        this.anonymity = z;
    }

    public boolean getAnonymityState() {
        return this.anonymity;
    }

    public void requestMutualAuth(boolean z) throws GSSException {
        if (!z) {
            throw new GlobusGSSException(11, GlobusGSSException.BAD_OPTION, "mutualAuthOn");
        }
    }

    public boolean getMutualAuthState() {
        return true;
    }

    protected byte[] generateCertRequest(X509Certificate x509Certificate) throws GeneralSecurityException {
        this.keyPair = this.keyPairCache.getKeyPair(((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().bitLength());
        return this.certFactory.createCertificateRequest(x509Certificate, this.keyPair);
    }

    protected void verifyDelegatedCert(X509Certificate x509Certificate) throws GeneralSecurityException {
        if (!((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().equals(((RSAPrivateKey) this.keyPair.getPrivate()).getModulus())) {
            throw new GeneralSecurityException(i18n.getMessage("keyMismatch"));
        }
    }

    protected void checkContext() throws GSSException {
        if (this.conn == null || !isEstablished()) {
            throw new GSSException(12);
        }
        if (this.checkContextExpiration.booleanValue() && getLifetime() <= 0) {
            throw new GSSException(7);
        }
    }

    protected int getDelegationType(X509Certificate x509Certificate) throws GeneralSecurityException, GSSException {
        int certificateType = BouncyCastleUtil.getCertificateType(x509Certificate, this.tc);
        int intValue = this.delegationType.intValue();
        if (logger.isDebugEnabled()) {
            logger.debug("Issuer type: " + certificateType + " delg. type requested: " + intValue);
        }
        if (certificateType == 3) {
            if (intValue == 2) {
                if (CertUtil.isGsi2Enabled()) {
                    return 11;
                }
                return CertUtil.isGsi3Enabled() ? 15 : 19;
            }
            if (intValue == 3) {
                if (CertUtil.isGsi2Enabled()) {
                    return 10;
                }
                return CertUtil.isGsi3Enabled() ? 14 : 18;
            }
            if (CertUtil.isProxy(intValue)) {
                return intValue;
            }
        } else if (CertUtil.isGsi2Proxy(certificateType)) {
            if (intValue == 2) {
                return 11;
            }
            if (intValue == 3) {
                return 10;
            }
            if (CertUtil.isGsi2Proxy(intValue)) {
                return intValue;
            }
        } else if (CertUtil.isGsi3Proxy(certificateType)) {
            if (intValue == 2) {
                return 15;
            }
            if (intValue == 3) {
                return 14;
            }
            if (CertUtil.isGsi3Proxy(intValue)) {
                return intValue;
            }
        } else if (CertUtil.isGsi4Proxy(certificateType)) {
            if (intValue == 2) {
                return 19;
            }
            if (intValue == 3) {
                return 18;
            }
            if (CertUtil.isGsi4Proxy(intValue)) {
                return intValue;
            }
        }
        throw new GSSException(11);
    }

    protected void setGssMode(Object obj) throws GSSException {
        if (!(obj instanceof Integer)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"GSS mode", Integer.class});
        }
        Integer num = (Integer) obj;
        if (num != GSIConstants.MODE_GSI && num != GSIConstants.MODE_SSL) {
            throw new GlobusGSSException(11, GlobusGSSException.BAD_OPTION, "badGssMode");
        }
        this.gssMode = num;
    }

    protected void setDelegationType(Object obj) throws GSSException {
        if (!(obj instanceof Integer)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"delegation type", Integer.class});
        }
        Integer num = (Integer) obj;
        if (num != GSIConstants.DELEGATION_TYPE_FULL && num != GSIConstants.DELEGATION_TYPE_LIMITED) {
            throw new GlobusGSSException(11, GlobusGSSException.BAD_OPTION, "badDelegType");
        }
        this.delegationType = num;
    }

    protected void setCheckContextExpired(Object obj) throws GSSException {
        if (!(obj instanceof Boolean)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"check context expired", Boolean.class});
        }
        this.checkContextExpiration = (Boolean) obj;
    }

    protected void setRejectLimitedProxy(Object obj) throws GSSException {
        if (!(obj instanceof Boolean)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"reject limited proxy", Boolean.class});
        }
        this.rejectLimitedProxy = (Boolean) obj;
    }

    protected void setRequireClientAuth(Object obj) throws GSSException {
        if (!(obj instanceof Boolean)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"require client auth", Boolean.class});
        }
        this.requireClientAuth = (Boolean) obj;
    }

    protected void setRequireAuthzWithDelegation(Object obj) throws GSSException {
        if (!(obj instanceof Boolean)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"require authz with delehation", Boolean.class});
        }
        this.requireAuthzWithDelegation = (Boolean) obj;
    }

    protected void setAcceptNoClientCerts(Object obj) throws GSSException {
        if (!(obj instanceof Boolean)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"accept no client certs", Boolean.class});
        }
        this.acceptNoClientCerts = (Boolean) obj;
    }

    protected void setGrimPolicyHandler(Object obj) throws GSSException {
        if (!(obj instanceof ProxyPolicyHandler)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"GRIM policy handler", ProxyPolicyHandler.class});
        }
        if (this.proxyPolicyHandlers == null) {
            this.proxyPolicyHandlers = new HashMap();
        }
        this.proxyPolicyHandlers.put("1.3.6.1.4.1.3536.1.1.1.7", obj);
    }

    protected void setProxyPolicyHandlers(Object obj) throws GSSException {
        if (!(obj instanceof Map)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"Proxy policy handlers", Map.class});
        }
        this.proxyPolicyHandlers = (Map) obj;
    }

    protected void setTrustedCertificates(Object obj) throws GSSException {
        if (!(obj instanceof TrustedCertificates)) {
            throw new GlobusGSSException(11, 100, "badType", new Object[]{"Trusted certificates", TrustedCertificates.class});
        }
        this.tc = (TrustedCertificates) obj;
    }

    @Override // org.gridforum.jgss.ExtendedGSSContext
    public void setOption(Oid oid, Object obj) throws GSSException {
        if (oid == null) {
            throw new GlobusGSSException(11, 7, "nullOption");
        }
        if (obj == null) {
            throw new GlobusGSSException(11, 7, "nullOptionValue");
        }
        if (oid.equals(GSSConstants.GSS_MODE)) {
            setGssMode(obj);
            return;
        }
        if (oid.equals(GSSConstants.DELEGATION_TYPE)) {
            setDelegationType(obj);
            return;
        }
        if (oid.equals(GSSConstants.CHECK_CONTEXT_EXPIRATION)) {
            setCheckContextExpired(obj);
            return;
        }
        if (oid.equals(GSSConstants.REJECT_LIMITED_PROXY)) {
            setRejectLimitedProxy(obj);
            return;
        }
        if (oid.equals(GSSConstants.REQUIRE_CLIENT_AUTH)) {
            setRequireClientAuth(obj);
            return;
        }
        if (oid.equals(GSSConstants.GRIM_POLICY_HANDLER)) {
            setGrimPolicyHandler(obj);
            return;
        }
        if (oid.equals(GSSConstants.TRUSTED_CERTIFICATES)) {
            setTrustedCertificates(obj);
            return;
        }
        if (oid.equals(GSSConstants.PROXY_POLICY_HANDLERS)) {
            setProxyPolicyHandlers(obj);
        } else if (oid.equals(GSSConstants.ACCEPT_NO_CLIENT_CERTS)) {
            setAcceptNoClientCerts(obj);
        } else {
            if (!oid.equals(GSSConstants.AUTHZ_REQUIRED_WITH_DELEGATION)) {
                throw new GlobusGSSException(11, 37, "unknownOption", new Object[]{oid});
            }
            setRequireAuthzWithDelegation(obj);
        }
    }

    @Override // org.gridforum.jgss.ExtendedGSSContext
    public Object getOption(Oid oid) throws GSSException {
        if (oid == null) {
            throw new GlobusGSSException(11, 7, "nullOption");
        }
        if (oid.equals(GSSConstants.GSS_MODE)) {
            return this.gssMode;
        }
        if (oid.equals(GSSConstants.DELEGATION_TYPE)) {
            return this.delegationType;
        }
        if (oid.equals(GSSConstants.CHECK_CONTEXT_EXPIRATION)) {
            return this.checkContextExpiration;
        }
        if (oid.equals(GSSConstants.REJECT_LIMITED_PROXY)) {
            return this.rejectLimitedProxy;
        }
        if (oid.equals(GSSConstants.REQUIRE_CLIENT_AUTH)) {
            return this.requireClientAuth;
        }
        if (oid.equals(GSSConstants.TRUSTED_CERTIFICATES)) {
            return this.tc;
        }
        if (oid.equals(GSSConstants.PROXY_POLICY_HANDLERS)) {
            return this.proxyPolicyHandlers;
        }
        if (oid.equals(GSSConstants.ACCEPT_NO_CLIENT_CERTS)) {
            return this.acceptNoClientCerts;
        }
        return null;
    }

    @Override // org.gridforum.jgss.ExtendedGSSContext
    public byte[] initDelegation(GSSCredential gSSCredential, Oid oid, int i, byte[] bArr, int i2, int i3) throws GSSException {
        byte[] byteArray;
        logger.debug("Enter initDelegation: " + this.delegationState);
        if (oid != null && !oid.equals(getMech())) {
            throw new GSSException(2);
        }
        if (this.gssMode != GSIConstants.MODE_SSL && bArr != null && i3 > 0) {
            bArr = unwrap(bArr, i2, i3);
            i2 = 0;
            i3 = bArr.length;
        }
        switch (this.delegationState) {
            case 0:
                this.delegationFinished = false;
                byteArray = DELEGATION_TOKEN;
                this.delegationState = 1;
                break;
            case 1:
                ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr, i2, i3);
                if (gSSCredential == null) {
                    gSSCredential = new GlobusGSSManagerImpl().createCredential(0);
                }
                if (!(gSSCredential instanceof GlobusGSSCredentialImpl)) {
                    throw new GSSException(9);
                }
                GlobusCredential globusCredential = ((GlobusGSSCredentialImpl) gSSCredential).getGlobusCredential();
                X509Certificate[] certificateChain = globusCredential.getCertificateChain();
                try {
                    X509Certificate createCertificate = this.certFactory.createCertificate(byteArrayInputStream, certificateChain[0], globusCredential.getPrivateKey(), i == 0 ? -1 : i, getDelegationType(certificateChain[0]));
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    byteArrayOutputStream.write(createCertificate.getEncoded());
                    for (X509Certificate x509Certificate : certificateChain) {
                        byteArrayOutputStream.write(x509Certificate.getEncoded());
                    }
                    byteArray = byteArrayOutputStream.toByteArray();
                    this.delegationState = 0;
                    this.delegationFinished = true;
                    break;
                } catch (Exception e) {
                    throw new GlobusGSSException(11, e);
                }
            default:
                throw new GSSException(11);
        }
        logger.debug("Exit initDelegation");
        return (this.gssMode == GSIConstants.MODE_SSL || byteArray == null) ? byteArray : wrap(byteArray, 0, byteArray.length);
    }

    @Override // org.gridforum.jgss.ExtendedGSSContext
    public byte[] acceptDelegation(int i, byte[] bArr, int i2, int i3) throws GSSException {
        logger.debug("Enter acceptDelegation: " + this.delegationState);
        if (this.gssMode != GSIConstants.MODE_SSL && bArr != null && i3 > 0) {
            bArr = unwrap(bArr, i2, i3);
            i2 = 0;
            i3 = bArr.length;
        }
        byte[] bArr2 = null;
        switch (this.delegationState) {
            case 0:
                this.delegationFinished = false;
                if (i3 != 1 && bArr[i2] != 68) {
                    throw new GlobusGSSException(11, 30, "delegError00", new Object[]{new Character((char) bArr[i2])});
                }
                try {
                    Vector certificateChain = this.conn.getCertificateChain();
                    if (certificateChain != null && certificateChain.size() != 0) {
                        bArr2 = generateCertRequest(PureTLSUtil.convertCert((X509Cert) certificateChain.lastElement()));
                        this.delegationState = 2;
                        break;
                    } else {
                        throw new GlobusGSSException(11, 30, "noClientCert");
                    }
                } catch (IOException e) {
                    throw new GlobusGSSException(11, e);
                } catch (GeneralSecurityException e2) {
                    throw new GlobusGSSException(11, e2);
                }
                break;
            case 2:
                ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr, i2, i3);
                LinkedList linkedList = new LinkedList();
                while (byteArrayInputStream.available() > 0) {
                    try {
                        linkedList.add(CertUtil.loadCertificate(byteArrayInputStream));
                    } catch (GeneralSecurityException e3) {
                        throw new GlobusGSSException(11, e3);
                    }
                }
                X509Certificate[] x509CertificateArr = (X509Certificate[]) linkedList.toArray(new X509Certificate[linkedList.size()]);
                verifyDelegatedCert(x509CertificateArr[0]);
                this.delegatedCred = new GlobusGSSCredentialImpl(new GlobusCredential(this.keyPair.getPrivate(), x509CertificateArr), 0);
                this.delegationState = 0;
                this.delegationFinished = true;
                break;
            default:
                throw new GSSException(11);
        }
        logger.debug("Exit initDelegation");
        return (this.gssMode == GSIConstants.MODE_SSL || bArr2 == null) ? bArr2 : wrap(bArr2, 0, bArr2.length);
    }

    @Override // org.gridforum.jgss.ExtendedGSSContext
    public GSSCredential getDelegatedCredential() {
        return this.delegatedCred;
    }

    @Override // org.gridforum.jgss.ExtendedGSSContext
    public boolean isDelegationFinished() {
        return this.delegationFinished;
    }

    @Override // org.gridforum.jgss.ExtendedGSSContext
    public Object inquireByOid(Oid oid) throws GSSException {
        if (oid == null) {
            throw new GlobusGSSException(11, 7, "nullOption");
        }
        if (!oid.equals(GSSConstants.X509_CERT_CHAIN)) {
            if (oid.equals(GSSConstants.RECEIVED_LIMITED_PROXY)) {
                return this.peerLimited;
            }
            return null;
        }
        if (!isEstablished()) {
            return null;
        }
        try {
            Vector certificateChain = this.conn.getCertificateChain();
            if (certificateChain == null || certificateChain.size() <= 0) {
                return null;
            }
            return PureTLSUtil.certificateChainToArray(certificateChain);
        } catch (Exception e) {
            throw new GlobusGSSException(9, e);
        }
    }

    public int getWrapSizeLimit(int i, boolean z, int i2) throws GSSException {
        throw new GSSException(16);
    }

    public void wrap(InputStream inputStream, OutputStream outputStream, MessageProp messageProp) throws GSSException {
        throw new GSSException(16);
    }

    public void unwrap(InputStream inputStream, OutputStream outputStream, MessageProp messageProp) throws GSSException {
        throw new GSSException(16);
    }

    public void getMIC(InputStream inputStream, OutputStream outputStream, MessageProp messageProp) throws GSSException {
        throw new GSSException(16);
    }

    public void verifyMIC(InputStream inputStream, InputStream inputStream2, MessageProp messageProp) throws GSSException {
        throw new GSSException(16);
    }

    public void setChannelBinding(ChannelBinding channelBinding) throws GSSException {
        throw new GSSException(16);
    }

    public boolean isTransferable() throws GSSException {
        throw new GSSException(16);
    }

    public byte[] export() throws GSSException {
        throw new GSSException(16);
    }
}
