package org.apache.directory.server.kerberos.kdc.authentication;

import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.util.Date;
import java.util.List;
import java.util.Set;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.api.asn1.EncoderException;
import org.apache.directory.api.ldap.model.constants.Loggers;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcContext;
import org.apache.directory.server.kerberos.sam.SamException;
import org.apache.directory.server.kerberos.sam.SamSubsystem;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.KerberosUtils;
import org.apache.directory.shared.kerberos.codec.KerberosDecoder;
import org.apache.directory.shared.kerberos.codec.options.KdcOptions;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.codec.types.LastReqType;
import org.apache.directory.shared.kerberos.codec.types.PaDataType;
import org.apache.directory.shared.kerberos.components.ETypeInfo;
import org.apache.directory.shared.kerberos.components.ETypeInfo2;
import org.apache.directory.shared.kerberos.components.ETypeInfo2Entry;
import org.apache.directory.shared.kerberos.components.ETypeInfoEntry;
import org.apache.directory.shared.kerberos.components.EncKdcRepPart;
import org.apache.directory.shared.kerberos.components.EncTicketPart;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.components.KdcReq;
import org.apache.directory.shared.kerberos.components.KdcReqBody;
import org.apache.directory.shared.kerberos.components.LastReq;
import org.apache.directory.shared.kerberos.components.LastReqEntry;
import org.apache.directory.shared.kerberos.components.MethodData;
import org.apache.directory.shared.kerberos.components.PaData;
import org.apache.directory.shared.kerberos.components.PaEncTsEnc;
import org.apache.directory.shared.kerberos.components.PrincipalName;
import org.apache.directory.shared.kerberos.components.TransitedEncoding;
import org.apache.directory.shared.kerberos.exceptions.ErrorType;
import org.apache.directory.shared.kerberos.exceptions.InvalidTicketException;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
import org.apache.directory.shared.kerberos.flags.TicketFlag;
import org.apache.directory.shared.kerberos.flags.TicketFlags;
import org.apache.directory.shared.kerberos.messages.AsRep;
import org.apache.directory.shared.kerberos.messages.EncAsRepPart;
import org.apache.directory.shared.kerberos.messages.Ticket;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.class */
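/**
 * Kerberos Authentication Service (AS) exchange: validates the AS request held in an
 * {@link AuthenticationContext} and stores the resulting {@link AsRep} (with a freshly
 * sealed {@link Ticket}) back into that context.
 *
 * <p>All members are static and the constructor is private, so the class cannot be
 * instantiated.
 *
 * <p>Security-relevant ordering (see {@link #execute}): the client lookup and the account
 * policy checks run before any pre-authentication check and raise different error types
 * ({@code KDC_ERR_C_PRINCIPAL_UNKNOWN} vs {@code KDC_ERR_CLIENT_REVOKED}). A requester that
 * has not proven knowledge of any key can therefore tell these account states apart;
 * operators may want to watch for bursts of those errors in the Kerberos log.
 */
public final class AuthenticationService {
    private static final Logger LOG_KRB = LoggerFactory.getLogger(Loggers.KERBEROS_LOG.getName());
    private static final CipherTextHandler CIPHER_TEXT_HANDLER = new CipherTextHandler();
    private static final String SERVICE_NAME = "Authentication Service (AS)";

    /** The only protocol version number accepted by {@link #execute}. */
    private static final int SUPPORTED_PVNO = 5;

    // Bit positions queried on KdcOptions. The numbering follows the KDCOptions flags of
    // RFC 4120 section 5.4.1; the log messages next to each use agree with these names.
    private static final int OPT_FORWARDABLE = 1;
    private static final int OPT_FORWARDED = 2;
    private static final int OPT_PROXIABLE = 3;
    private static final int OPT_PROXY = 4;
    private static final int OPT_ALLOW_POSTDATE = 5;
    private static final int OPT_POSTDATED = 6;
    private static final int OPT_RENEWABLE = 8;
    private static final int OPT_RENEWABLE_OK = 27;
    private static final int OPT_ENC_TKT_IN_SKEY = 28;
    private static final int OPT_RENEW = 30;
    private static final int OPT_VALIDATE = 31;

    private AuthenticationService() {
    }

    /**
     * Runs the complete AS exchange for one request.
     *
     * <p>Steps, in order: encryption type selection, client lookup, account policy, SAM
     * pre-authentication, encrypted-timestamp pre-authentication, server lookup, ticket
     * generation, reply construction. Any step may abort the exchange by throwing.
     *
     * @param authenticationContext request state; receives the cipher text handler, the
     *        selected encryption type, the principal entries, the ticket and the reply
     * @throws KerberosException with {@code KDC_ERR_BAD_PVNO} when the request does not
     *         use protocol version 5, or with the error raised by one of the steps
     * @throws Exception declared by the original signature and kept for compatibility
     */
    public static void execute(AuthenticationContext authenticationContext) throws Exception {
        if (LOG_KRB.isDebugEnabled()) {
            monitorRequest(authenticationContext);
        }
        authenticationContext.setCipherTextHandler(CIPHER_TEXT_HANDLER);
        int protocolVersionNumber = authenticationContext.getRequest().getProtocolVersionNumber();
        if (protocolVersionNumber != SUPPORTED_PVNO) {
            LOG_KRB.error("Kerberos V{} is not supported", protocolVersionNumber);
            throw new KerberosException(ErrorType.KDC_ERR_BAD_PVNO);
        }
        selectEncryptionType(authenticationContext);
        getClientEntry(authenticationContext);
        verifyPolicy(authenticationContext);
        verifySam(authenticationContext);
        verifyEncryptedTimestamp(authenticationContext);
        getServerEntry(authenticationContext);
        generateTicket(authenticationContext);
        buildReply(authenticationContext);
    }

    /**
     * Picks the encryption type for the session from the types offered by the client and
     * the types enabled in the KDC configuration, and stores it in the context.
     *
     * @throws KerberosException with {@code KDC_ERR_ETYPE_NOSUPP} when
     *         {@code KerberosUtils.getBestEncryptionType} returns {@code null}
     */
    private static void selectEncryptionType(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        LOG_KRB.debug("--> Selecting the EncryptionType");
        KerberosConfig config = authenticationContext.getConfig();
        // Raw type kept: the element type returned by getEType() is not visible in this file.
        Set eType = authenticationContext.getRequest().getKdcReqBody().getEType();
        LOG_KRB.debug("Encryption types requested by client {}.", eType);
        EncryptionType bestEncryptionType = KerberosUtils.getBestEncryptionType(eType, config.getEncryptionTypes());
        LOG_KRB.debug("Session will use encryption type {}.", bestEncryptionType);
        if (bestEncryptionType == null) {
            LOG_KRB.error("No encryptionType selected !");
            throw new KerberosException(ErrorType.KDC_ERR_ETYPE_NOSUPP);
        }
        authenticationContext.setEncryptionType(bestEncryptionType);
    }

    /**
     * Looks up the requesting client principal in the principal store and stores the entry
     * in the context.
     *
     * @throws KerberosException rethrown from {@code KerberosUtils.getEntry}, which is asked
     *         to report a missing client as {@code KDC_ERR_C_PRINCIPAL_UNKNOWN}
     */
    private static void getClientEntry(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        LOG_KRB.debug("--> Getting the client Entry");
        KdcReqBody kdcReqBody = authenticationContext.getRequest().getKdcReqBody();
        KerberosPrincipal kerberosPrincipal = KerberosUtils.getKerberosPrincipal(kdcReqBody.getCName(), kdcReqBody.getRealm());
        try {
            PrincipalStoreEntry entry = KerberosUtils.getEntry(kerberosPrincipal, authenticationContext.getStore(), ErrorType.KDC_ERR_C_PRINCIPAL_UNKNOWN);
            authenticationContext.setClientEntry(entry);
            LOG_KRB.debug("Found entry {} for principal {}", entry.getDistinguishedName(), kerberosPrincipal);
        } catch (KerberosException e) {
            LOG_KRB.error("Error while searching for client {} : {}", kerberosPrincipal, e.getMessage());
            throw e;
        }
    }

    /**
     * Rejects the request when the client entry is disabled, locked out or expired.
     *
     * @throws KerberosException with {@code KDC_ERR_CLIENT_REVOKED} in each of those cases
     */
    private static void verifyPolicy(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        LOG_KRB.debug("--> Verifying the policy");
        PrincipalStoreEntry clientEntry = authenticationContext.getClientEntry();
        if (clientEntry.isDisabled()) {
            LOG_KRB.error("The entry {} is disabled", clientEntry.getDistinguishedName());
            throw new KerberosException(ErrorType.KDC_ERR_CLIENT_REVOKED);
        }
        if (clientEntry.isLockedOut()) {
            LOG_KRB.error("The entry {} is locked out", clientEntry.getDistinguishedName());
            throw new KerberosException(ErrorType.KDC_ERR_CLIENT_REVOKED);
        }
        // NOTE(review): assumes getExpiration() never returns null - confirm against PrincipalStoreEntry.
        if (clientEntry.getExpiration().getTime() < new Date().getTime()) {
            LOG_KRB.error("The entry {} has been revoked", clientEntry.getDistinguishedName());
            throw new KerberosException(ErrorType.KDC_ERR_CLIENT_REVOKED);
        }
    }

    /**
     * Pre-authenticates the client through the SAM subsystem when its entry declares a SAM
     * type; does nothing for entries without one.
     *
     * <p>Each {@code PA_ENC_TIMESTAMP} entry of the request is handed to
     * {@code SamSubsystem.verify}; the key returned for the last such entry becomes the
     * client key. The context is marked pre-authenticated only when a key was obtained:
     * the previous code stored a {@code null} client key and still set the flag when the
     * request carried pre-auth data without any {@code PA_ENC_TIMESTAMP} entry.
     *
     * @throws KerberosException with {@code KDC_ERR_PREAUTH_REQUIRED} when the request has no
     *         usable pre-authentication data, or {@code KRB_ERR_GENERIC} wrapping a
     *         {@link SamException}
     */
    private static void verifySam(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        LOG_KRB.debug("--> Verifying using SAM subsystem.");
        KdcReq request = authenticationContext.getRequest();
        KerberosConfig config = authenticationContext.getConfig();
        PrincipalStoreEntry clientEntry = authenticationContext.getClientEntry();
        String name = clientEntry.getPrincipal().getName();
        if (clientEntry.getSamType() == null) {
            return;
        }
        LOG_KRB.debug("Entry for client principal {} has a valid SAM type.  Invoking SAM subsystem for pre-authentication.", name);
        List<PaData> paData = request.getPaData();
        if (paData == null || paData.size() == 0) {
            LOG_KRB.debug("No PreAuth Data");
            throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(authenticationContext.getEncryptionType(), config.getEncryptionTypes()));
        }
        EncryptionKey samKey = null;
        try {
            for (PaData candidate : paData) {
                if (candidate.getPaDataType().equals(PaDataType.PA_ENC_TIMESTAMP)) {
                    KerberosKey verified = SamSubsystem.getInstance().verify(clientEntry, candidate.getPaDataValue());
                    samKey = new EncryptionKey(EncryptionType.getTypeByValue(verified.getKeyType()), verified.getEncoded());
                }
            }
        } catch (SamException e) {
            LOG_KRB.error("Error : {}", e.getMessage());
            throw new KerberosException(ErrorType.KRB_ERR_GENERIC, e);
        }
        if (samKey == null) {
            // Nothing was verified, so the client must not be treated as pre-authenticated.
            LOG_KRB.error("No PA_ENC_TIMESTAMP entry to verify with the SAM subsystem for {}", name);
            throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(authenticationContext.getEncryptionType(), config.getEncryptionTypes()));
        }
        authenticationContext.setClientKey(samKey);
        authenticationContext.setPreAuthenticated(true);
        LOG_KRB.debug("Pre-authentication using SAM subsystem successful for {}.", name);
    }

    /**
     * Pre-authenticates a client without SAM type by decrypting the
     * {@code PA_ENC_TIMESTAMP} value with the client's stored key and checking the
     * timestamp against the allowable clock skew.
     *
     * <p>Entries with a SAM type are skipped: {@link #verifySam} has already stored their
     * client key. The previous code fell through for such entries and replaced that key
     * with {@code null}, which {@link #buildReply} then used to seal the reply.
     *
     * <p>When several {@code PA_ENC_TIMESTAMP} entries are present, the last one decoded is
     * the one checked. The only freshness check visible here is the clock-skew window.
     *
     * @throws KerberosException with {@code KDC_ERR_NULL_KEY} when the client has no key of
     *         the selected type, {@code KDC_ERR_PREAUTH_REQUIRED} when the timestamp is
     *         required but absent, {@code KDC_ERR_PREAUTH_FAILED} when it is outside the
     *         clock skew, or whatever decryption/decoding raises
     */
    private static void verifyEncryptedTimestamp(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        LOG_KRB.debug("--> Verifying using encrypted timestamp.");
        KerberosConfig config = authenticationContext.getConfig();
        KdcReq request = authenticationContext.getRequest();
        CipherTextHandler cipherTextHandler = authenticationContext.getCipherTextHandler();
        PrincipalStoreEntry clientEntry = authenticationContext.getClientEntry();
        String name = clientEntry.getPrincipal().getName();
        if (clientEntry.getSamType() != null) {
            LOG_KRB.debug("Entry for client principal {} has a SAM type.  Encrypted timestamp check skipped.", name);
            return;
        }
        LOG_KRB.debug("Entry for client principal {} has no SAM type.  Proceeding with standard pre-authentication.", name);
        EncryptionKey clientKey = (EncryptionKey) clientEntry.getKeyMap().get(authenticationContext.getEncryptionType());
        if (clientKey == null) {
            LOG_KRB.error("No key for client {}", clientEntry.getDistinguishedName());
            throw new KerberosException(ErrorType.KDC_ERR_NULL_KEY);
        }
        if (config.isPaEncTimestampRequired()) {
            List<PaData> paData = request.getPaData();
            if (paData == null) {
                LOG_KRB.debug("PRE_AUTH required...");
                throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(authenticationContext.getEncryptionType(), config.getEncryptionTypes()));
            }
            PaEncTsEnc timestamp = null;
            for (PaData candidate : paData) {
                if (candidate.getPaDataType().equals(PaDataType.PA_ENC_TIMESTAMP)) {
                    timestamp = KerberosDecoder.decodePaEncTsEnc(cipherTextHandler.decrypt(clientKey, KerberosDecoder.decodeEncryptedData(candidate.getPaDataValue()), KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY));
                }
            }
            if (timestamp == null) {
                LOG_KRB.error("No timestamp found");
                throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(authenticationContext.getEncryptionType(), config.getEncryptionTypes()));
            }
            if (!timestamp.getPaTimestamp().isInClockSkew(config.getAllowableClockSkew())) {
                LOG_KRB.error("Timestamp not in delay");
                throw new KerberosException(ErrorType.KDC_ERR_PREAUTH_FAILED);
            }
        }
        authenticationContext.setClientKey(clientKey);
        // NOTE(review): the flag is also set when isPaEncTimestampRequired() is false and no
        // timestamp was checked, so generateTicket() puts PRE_AUTHENT on a ticket issued
        // without pre-authentication. Behaviour kept as found; confirm whether services
        // that rely on that ticket flag are affected.
        authenticationContext.setPreAuthenticated(true);
        LOG_KRB.debug("Pre-authentication by encrypted timestamp successful for {}.", name);
    }

    /**
     * Looks up the requested server principal ({@code sname@realm}) in the principal store
     * and stores the entry in the context.
     *
     * @throws KerberosException from {@code KerberosUtils.getEntry}, which is asked to report
     *         a missing server as {@code KDC_ERR_S_PRINCIPAL_UNKNOWN}
     */
    private static void getServerEntry(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        KdcReqBody body = authenticationContext.getRequest().getKdcReqBody();
        PrincipalName sName = body.getSName();
        PrincipalStore store = authenticationContext.getStore();
        // Pass the name as a logger argument: it was concatenated after the "{}" placeholder before.
        LOG_KRB.debug("--> Getting the server entry for {}", sName);
        KerberosPrincipal serverPrincipal = new KerberosPrincipal(sName.getNameString() + "@" + body.getRealm());
        authenticationContext.setServerEntry(KerberosUtils.getEntry(serverPrincipal, store, ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN));
    }

    /**
     * Builds the ticket for the requested server, applies the KDC policy to the requested
     * options and lifetimes, seals the encrypted part with the server key and stores the
     * ticket in the context.
     *
     * <p>Side effect kept from the original: when RENEWABLE-OK is honoured, the RENEWABLE
     * bit is set on the request's own option set.
     *
     * @throws KerberosException with {@code KDC_ERR_NULL_KEY} when the server has no key of
     *         the selected type, {@code KDC_ERR_POLICY} when a requested feature is disabled
     *         in the configuration, {@code KDC_ERR_BADOPTION} for options that make no sense
     *         in an AS request, {@code KDC_ERR_CANNOT_POSTDATE} or {@code KDC_ERR_NEVER_VALID}
     *         for unacceptable times
     */
    private static void generateTicket(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        KdcReq request = authenticationContext.getRequest();
        KdcReqBody body = request.getKdcReqBody();
        CipherTextHandler cipherTextHandler = authenticationContext.getCipherTextHandler();
        KerberosConfig config = authenticationContext.getConfig();
        PrincipalName sName = body.getSName();
        LOG_KRB.debug("--> Generating ticket for {}", sName);

        EncryptionKey serverKey = (EncryptionKey) authenticationContext.getServerEntry().getKeyMap().get(authenticationContext.getEncryptionType());
        if (serverKey == null) {
            // Same treatment as a missing client key; previously the null key reached seal().
            LOG_KRB.error("No key for server {}", sName);
            throw new KerberosException(ErrorType.KDC_ERR_NULL_KEY);
        }

        EncTicketPart encTicketPart = new EncTicketPart();
        TicketFlags ticketFlags = new TicketFlags();
        encTicketPart.setFlags(ticketFlags);
        ticketFlags.setFlag(TicketFlag.INITIAL);
        if (authenticationContext.isPreAuthenticated()) {
            ticketFlags.setFlag(TicketFlag.PRE_AUTHENT);
        }

        KdcOptions kdcOptions = body.getKdcOptions();
        if (kdcOptions.get(OPT_FORWARDABLE)) {
            if (!config.isForwardableAllowed()) {
                LOG_KRB.error("Ticket cannot be generated, because Forwadable is not allowed");
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.FORWARDABLE);
        }
        if (kdcOptions.get(OPT_PROXIABLE)) {
            if (!config.isProxiableAllowed()) {
                LOG_KRB.error("Ticket cannot be generated, because proxyiable is not allowed");
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.PROXIABLE);
        }
        if (kdcOptions.get(OPT_ALLOW_POSTDATE)) {
            if (!config.isPostdatedAllowed()) {
                LOG_KRB.error("Ticket cannot be generated, because Posdate is not allowed");
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.MAY_POSTDATE);
        }

        // These options are refused in an AS request. When several are set, the message of
        // the last matching test below is the one reported.
        if (kdcOptions.get(OPT_RENEW) || kdcOptions.get(OPT_VALIDATE) || kdcOptions.get(OPT_PROXY) || kdcOptions.get(OPT_FORWARDED) || kdcOptions.get(OPT_ENC_TKT_IN_SKEY)) {
            String str = kdcOptions.get(OPT_RENEW) ? "Ticket cannot be generated, as it's a renew" : "";
            if (kdcOptions.get(OPT_VALIDATE)) {
                str = "Ticket cannot be generated, as it's a validate";
            }
            if (kdcOptions.get(OPT_PROXY)) {
                str = "Ticket cannot be generated, as it's a proxy";
            }
            if (kdcOptions.get(OPT_FORWARDED)) {
                str = "Ticket cannot be generated, as it's forwarded";
            }
            if (kdcOptions.get(OPT_ENC_TKT_IN_SKEY)) {
                str = "Ticket cannot be generated, as it's a user-to-user ";
            }
            if (LOG_KRB.isDebugEnabled()) {
                LOG_KRB.debug(str);
            }
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION, str);
        }

        encTicketPart.setKey(RandomKeyFactory.getRandomKey(authenticationContext.getEncryptionType()));
        encTicketPart.setCName(body.getCName());
        encTicketPart.setCRealm(body.getRealm());
        encTicketPart.setTransited(new TransitedEncoding());
        String realm = body.getRealm();

        KerberosTime now = new KerberosTime();
        encTicketPart.setAuthTime(now);
        boolean postdatedRequested = kdcOptions.get(OPT_POSTDATED);
        long clockSkew = config.getAllowableClockSkew();

        // Start time: "now" unless the client asked for a later start that is acceptable.
        KerberosTime startTime = body.getFrom();
        if (startTime == null || startTime.lessThan(now) || (startTime.isInClockSkew(clockSkew) && !postdatedRequested)) {
            startTime = now;
        }
        if (startTime.greaterThan(now) && !startTime.isInClockSkew(clockSkew) && !postdatedRequested) {
            String message = "Ticket cannot be generated, as it's in the future and the POSTDATED option is not set in the request";
            LOG_KRB.error(message);
            throw new KerberosException(ErrorType.KDC_ERR_CANNOT_POSTDATE, message);
        }
        if (postdatedRequested) {
            if (!config.isPostdatedAllowed()) {
                String message = "Ticket cannot be generated, cause issuing POSTDATED tickets is not allowed";
                LOG_KRB.error(message);
                throw new KerberosException(ErrorType.KDC_ERR_POLICY, message);
            }
            ticketFlags.setFlag(TicketFlag.POSTDATED);
            ticketFlags.setFlag(TicketFlag.INVALID);
        }
        encTicketPart.setStartTime(startTime);

        // End time: the earlier of the requested "till" (0 means no limit requested) and
        // start time plus the configured maximum ticket lifetime.
        long requestedTill = body.getTill().getTime() == 0 ? Long.MAX_VALUE : body.getTill().getTime();
        KerberosTime endTime = new KerberosTime(Math.min(requestedTill, startTime.getTime() + config.getMaximumTicketLifetime()));
        encTicketPart.setEndTime(endTime);
        if (endTime.lessThan(startTime)) {
            String message = "Ticket cannot be generated, as the endTime is below the startTime";
            LOG_KRB.error(message);
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID, message);
        }
        if (Math.abs(startTime.getTime() - endTime.getTime()) < config.getMinimumTicketLifetime()) {
            String message = "Ticket cannot be generated, as the Lifetime is too small";
            LOG_KRB.error(message);
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID, message);
        }

        // RENEWABLE-OK: the requested lifetime was cut short, so offer a renewable ticket
        // whose renew-till is the requested "till".
        KerberosTime renewTill = body.getRTime();
        if (kdcOptions.get(OPT_RENEWABLE_OK) && body.getTill().greaterThan(endTime)) {
            if (!config.isRenewableAllowed()) {
                String message = "Ticket cannot be generated, as the renew date is exceeded";
                LOG_KRB.error(message);
                throw new KerberosException(ErrorType.KDC_ERR_POLICY, message);
            }
            kdcOptions.set(OPT_RENEWABLE);
            renewTill = body.getTill();
        }
        if (kdcOptions.get(OPT_RENEWABLE)) {
            if (!config.isRenewableAllowed()) {
                String message = "Ticket cannot be generated, as Renewable is not allowed";
                LOG_KRB.error(message);
                throw new KerberosException(ErrorType.KDC_ERR_POLICY, message);
            }
            ticketFlags.setFlag(TicketFlag.RENEWABLE);
            if (renewTill == null || renewTill.isZero()) {
                renewTill = KerberosTime.INFINITY;
            }
            encTicketPart.setRenewTill(new KerberosTime(Math.min(renewTill.getTime(), startTime.getTime() + config.getMaximumRenewableLifetime())));
        }

        // Client addresses are copied from the request; a ticket without addresses is only
        // issued when the configuration allows it.
        if (body.getAddresses() != null && body.getAddresses().getAddresses() != null && body.getAddresses().getAddresses().length > 0) {
            encTicketPart.setClientAddresses(body.getAddresses());
        } else if (!config.isEmptyAddressesAllowed()) {
            String message = "Ticket cannot be generated, as the addresses are null, and it's not allowed";
            LOG_KRB.error(message);
            throw new KerberosException(ErrorType.KDC_ERR_POLICY, message);
        }

        Ticket ticket = new Ticket(sName, cipherTextHandler.seal(serverKey, encTicketPart, KeyUsage.AS_OR_TGS_REP_TICKET_WITH_SRVKEY));
        ticket.setRealm(realm);
        ticket.setEncTicketPart(encTicketPart);
        LOG_KRB.debug("Ticket will be issued for access to {}.", sName);
        authenticationContext.setTicket(ticket);
    }

    /**
     * Assembles the AS reply from the ticket in the context, seals its encrypted part with
     * the client key and stores the reply in the context.
     *
     * <p>The session key, flags, times and client addresses are copied from the ticket's
     * encrypted part; the nonce is copied from the request.
     */
    private static void buildReply(AuthenticationContext authenticationContext) throws KerberosException, InvalidTicketException {
        LOG_KRB.debug("--> Building reply");
        KdcReqBody body = authenticationContext.getRequest().getKdcReqBody();
        Ticket ticket = authenticationContext.getTicket();
        EncTicketPart ticketPart = ticket.getEncTicketPart();

        AsRep asRep = new AsRep();
        asRep.setCName(body.getCName());
        asRep.setCRealm(body.getRealm());
        asRep.setTicket(ticket);

        EncKdcRepPart encKdcRepPart = new EncKdcRepPart();
        encKdcRepPart.setKey(ticketPart.getKey());
        LastReq lastReq = new LastReq();
        lastReq.addEntry(new LastReqEntry(LastReqType.TIME_OF_INITIAL_REQ, new KerberosTime()));
        encKdcRepPart.setLastReq(lastReq);
        encKdcRepPart.setNonce(body.getNonce());
        encKdcRepPart.setFlags(ticketPart.getFlags());
        encKdcRepPart.setAuthTime(ticketPart.getAuthTime());
        encKdcRepPart.setStartTime(ticketPart.getStartTime());
        encKdcRepPart.setEndTime(ticketPart.getEndTime());
        if (ticketPart.getFlags().isRenewable()) {
            encKdcRepPart.setRenewTill(ticketPart.getRenewTill());
        }
        encKdcRepPart.setSName(ticket.getSName());
        encKdcRepPart.setSRealm(ticket.getRealm());
        encKdcRepPart.setClientAddresses(ticketPart.getClientAddresses());

        EncAsRepPart encAsRepPart = new EncAsRepPart();
        encAsRepPart.setEncKdcRepPart(encKdcRepPart);
        if (LOG_KRB.isDebugEnabled()) {
            monitorContext(authenticationContext);
            monitorReply(asRep, encKdcRepPart);
        }
        asRep.setEncPart(CIPHER_TEXT_HANDLER.seal(authenticationContext.getClientKey(), encAsRepPart, KeyUsage.AS_REP_ENC_PART_WITH_CKEY));
        asRep.setEncKdcRepPart(encKdcRepPart);
        authenticationContext.setReply(asRep);
    }

    /**
     * Writes the fields of the incoming AS request to the Kerberos log at debug level.
     * Failures while formatting are logged and never propagated.
     */
    private static void monitorRequest(KdcContext kdcContext) {
        KdcReq request = kdcContext.getRequest();
        if (!LOG_KRB.isDebugEnabled()) {
            return;
        }
        try {
            String hostAddress = kdcContext.getClientAddress().getHostAddress();
            KdcReqBody body = request.getKdcReqBody();
            StringBuilder sb = new StringBuilder();
            sb.append("Received Authentication Service (AS) request:");
            sb.append("\n\tmessageType:           ").append(request.getMessageType());
            sb.append("\n\tprotocolVersionNumber: ").append(request.getProtocolVersionNumber());
            sb.append("\n\tclientAddress:         ").append(hostAddress);
            sb.append("\n\tnonce:                 ").append(body.getNonce());
            sb.append("\n\tkdcOptions:            ").append(body.getKdcOptions());
            sb.append("\n\tclientPrincipal:       ").append(body.getCName());
            sb.append("\n\tserverPrincipal:       ").append(body.getSName());
            sb.append("\n\tencryptionType:        ").append(KerberosUtils.getEncryptionTypesString(body.getEType()));
            sb.append("\n\trealm:                 ").append(body.getRealm());
            sb.append("\n\tfrom time:             ").append(body.getFrom());
            sb.append("\n\ttill time:             ").append(body.getTill());
            sb.append("\n\trenew-till time:       ").append(body.getRTime());
            sb.append("\n\thostAddresses:         ").append(body.getAddresses());
            LOG_KRB.debug(sb.toString());
        } catch (Exception e) {
            // Diagnostics only: a formatting failure must not abort the exchange.
            LOG_KRB.error(I18n.err(I18n.ERR_153, new Object[0]), e);
        }
    }

    /**
     * Writes the configuration, client entry, server entry and key versions used for this
     * exchange to the Kerberos log at debug level. Key material itself is not logged, only
     * the key version numbers. Failures are logged and never propagated.
     */
    private static void monitorContext(AuthenticationContext authenticationContext) {
        try {
            long allowableClockSkew = authenticationContext.getConfig().getAllowableClockSkew();
            InetAddress clientAddress = authenticationContext.getClientAddress();
            StringBuilder sb = new StringBuilder();
            sb.append("Monitoring Authentication Service (AS) context:");
            sb.append("\n\tclockSkew              ").append(allowableClockSkew);
            sb.append("\n\tclientAddress          ").append(clientAddress);

            // Client section.
            KerberosPrincipal principal = authenticationContext.getClientEntry().getPrincipal();
            PrincipalStoreEntry clientEntry = authenticationContext.getClientEntry();
            sb.append("\n\tprincipal              ").append(principal);
            sb.append("\n\tcn                     ").append(clientEntry.getCommonName());
            sb.append("\n\trealm                  ").append(clientEntry.getRealmName());
            sb.append("\n\tprincipal              ").append(clientEntry.getPrincipal());
            sb.append("\n\tSAM type               ").append(clientEntry.getSamType());

            // Server section.
            PrincipalName sName = authenticationContext.getRequest().getKdcReqBody().getSName();
            PrincipalStoreEntry serverEntry = authenticationContext.getServerEntry();
            sb.append("\n\tprincipal              ").append(sName);
            sb.append("\n\tcn                     ").append(serverEntry.getCommonName());
            sb.append("\n\trealm                  ").append(serverEntry.getRealmName());
            sb.append("\n\tprincipal              ").append(serverEntry.getPrincipal());
            sb.append("\n\tSAM type               ").append(serverEntry.getSamType());

            EncryptionType encryptionType = authenticationContext.getEncryptionType();
            int clientKeyVersion = ((EncryptionKey) clientEntry.getKeyMap().get(encryptionType)).getKeyVersion();
            int serverKeyVersion = ((EncryptionKey) serverEntry.getKeyMap().get(encryptionType)).getKeyVersion();
            sb.append("\n\tRequest key type       ").append(encryptionType);
            sb.append("\n\tClient key version     ").append(clientKeyVersion);
            sb.append("\n\tServer key version     ").append(serverKeyVersion);
            LOG_KRB.debug(sb.toString());
        } catch (Exception e) {
            // Diagnostics only: for example a missing key map entry ends up here.
            LOG_KRB.error(I18n.err(I18n.ERR_154, new Object[0]), e);
        }
    }

    /**
     * Writes the fields of the outgoing AS reply to the Kerberos log at debug level.
     * Failures while formatting are logged and never propagated.
     */
    private static void monitorReply(AsRep asRep, EncKdcRepPart encKdcRepPart) {
        if (!LOG_KRB.isDebugEnabled()) {
            return;
        }
        try {
            StringBuilder sb = new StringBuilder();
            sb.append("Responding with Authentication Service (AS) reply:");
            sb.append("\n\tmessageType:           ").append(asRep.getMessageType());
            sb.append("\n\tprotocolVersionNumber: ").append(asRep.getProtocolVersionNumber());
            sb.append("\n\tnonce:                 ").append(encKdcRepPart.getNonce());
            sb.append("\n\tclientPrincipal:       ").append(asRep.getCName());
            sb.append("\n\tclient realm:          ").append(asRep.getCRealm());
            sb.append("\n\tserverPrincipal:       ").append(encKdcRepPart.getSName());
            sb.append("\n\tserver realm:          ").append(encKdcRepPart.getSRealm());
            sb.append("\n\tauth time:             ").append(encKdcRepPart.getAuthTime());
            sb.append("\n\tstart time:            ").append(encKdcRepPart.getStartTime());
            sb.append("\n\tend time:              ").append(encKdcRepPart.getEndTime());
            sb.append("\n\trenew-till time:       ").append(encKdcRepPart.getRenewTill());
            sb.append("\n\thostAddresses:         ").append(encKdcRepPart.getClientAddresses());
            LOG_KRB.debug(sb.toString());
        } catch (Exception e) {
            LOG_KRB.error(I18n.err(I18n.ERR_155, new Object[0]), e);
        }
    }

    /**
     * Encodes the METHOD-DATA sent back with a {@code KDC_ERR_PREAUTH_REQUIRED} error: a
     * {@code PA_ENC_TIMESTAMP} hint followed by the encryption types the KDC supports, as
     * {@code PA_ENCTYPE_INFO2} and, when {@code KerberosUtils.isNewEncryptionType} is false
     * for the selected type, also as {@code PA_ENCTYPE_INFO}.
     *
     * @param encryptionType encryption type selected for the exchange
     * @param set encryption types enabled in the KDC configuration
     * @return the encoded data, or {@code null} when encoding fails (the failure is logged)
     */
    private static byte[] preparePreAuthenticationError(EncryptionType encryptionType, Set<EncryptionType> set) {
        boolean legacyInfoNeeded = !KerberosUtils.isNewEncryptionType(encryptionType);
        ETypeInfo2 eTypeInfo2 = new ETypeInfo2();
        ETypeInfo eTypeInfo = new ETypeInfo();
        for (EncryptionType supported : set) {
            if (legacyInfoNeeded) {
                eTypeInfo.addETypeInfoEntry(new ETypeInfoEntry(supported, (byte[]) null));
            }
            eTypeInfo2.addETypeInfo2Entry(new ETypeInfo2Entry(supported));
        }
        MethodData methodData = new MethodData();
        methodData.addPaData(new PaData(PaDataType.PA_ENC_TIMESTAMP, (byte[]) null));
        try {
            // One try block for all three encodings, so every failure is logged; the
            // ETYPE-INFO failure used to return null silently.
            if (legacyInfoNeeded) {
                byte[] encodedInfo = eTypeInfo.encode(ByteBuffer.allocate(eTypeInfo.computeLength())).array();
                methodData.addPaData(new PaData(PaDataType.PA_ENCTYPE_INFO, encodedInfo));
            }
            byte[] encodedInfo2 = eTypeInfo2.encode(ByteBuffer.allocate(eTypeInfo2.computeLength())).array();
            methodData.addPaData(new PaData(PaDataType.PA_ENCTYPE_INFO2, encodedInfo2));
            return methodData.encode(ByteBuffer.allocate(methodData.computeLength())).array();
        } catch (EncoderException e) {
            LOG_KRB.warn("Failed to encode the etype information", e);
            return null;
        }
    }
}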
