package org.opends.server.tools;

import com.forgerock.opendj.cli.ClientException;
import com.forgerock.opendj.cli.ConsoleApplication;
import com.forgerock.opendj.cli.ReturnCode;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageDescriptor;
import org.forgerock.opendj.ldap.Base64;
import org.forgerock.opendj.ldap.ByteSequence;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.DecodeException;
import org.opends.messages.ToolMessages;
import org.opends.server.protocols.ldap.BindRequestProtocolOp;
import org.opends.server.protocols.ldap.BindResponseProtocolOp;
import org.opends.server.protocols.ldap.ExtendedRequestProtocolOp;
import org.opends.server.protocols.ldap.ExtendedResponseProtocolOp;
import org.opends.server.protocols.ldap.LDAPConstants;
import org.opends.server.protocols.ldap.LDAPMessage;
import org.opends.server.types.Control;
import org.opends.server.types.LDAPException;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/tools/LDAPAuthenticationHandler.class */
public class LDAPAuthenticationHandler implements PrivilegedExceptionAction<Object>, CallbackHandler {
    private final LDAPReader reader;
    private final LDAPWriter writer;
    private final AtomicInteger nextMessageID;
    private ByteSequence gssapiBindDN;
    private String gssapiAuthID;
    private String gssapiAuthzID;
    private char[] gssapiAuthPW;
    private String gssapiQoP;
    private final String hostName;
    private String saslMechanism;
    private MessageDigest md5Digest = null;
    private SecureRandom secureRandom = null;
    private byte[] iPad = null;
    private byte[] oPad = null;

    public LDAPAuthenticationHandler(LDAPReader lDAPReader, LDAPWriter lDAPWriter, String str, AtomicInteger atomicInteger) {
        this.reader = lDAPReader;
        this.writer = lDAPWriter;
        this.hostName = str;
        this.nextMessageID = atomicInteger;
    }

    public static String[] getSupportedSASLMechanisms() {
        return new String[]{ServerConstants.SASL_MECHANISM_ANONYMOUS, ServerConstants.SASL_MECHANISM_CRAM_MD5, ServerConstants.SASL_MECHANISM_DIGEST_MD5, ServerConstants.SASL_MECHANISM_EXTERNAL, ServerConstants.SASL_MECHANISM_GSSAPI, ServerConstants.SASL_MECHANISM_PLAIN};
    }

    public static Map<String, LocalizableMessage> getSASLProperties(String str) {
        String upperCase = StaticUtils.toUpperCase(str);
        boolean z = -1;
        switch (upperCase.hashCode()) {
            case -1796511348:
                if (upperCase.equals(ServerConstants.SASL_MECHANISM_CRAM_MD5)) {
                    z = true;
                    break;
                }
                break;
            case -1038134325:
                if (upperCase.equals(ServerConstants.SASL_MECHANISM_EXTERNAL)) {
                    z = 3;
                    break;
                }
                break;
            case -824267275:
                if (upperCase.equals(ServerConstants.SASL_MECHANISM_DIGEST_MD5)) {
                    z = 2;
                    break;
                }
                break;
            case 76210602:
                if (upperCase.equals(ServerConstants.SASL_MECHANISM_PLAIN)) {
                    z = 5;
                    break;
                }
                break;
            case 690783309:
                if (upperCase.equals(ServerConstants.SASL_MECHANISM_ANONYMOUS)) {
                    z = false;
                    break;
                }
                break;
            case 2111859635:
                if (upperCase.equals(ServerConstants.SASL_MECHANISM_GSSAPI)) {
                    z = 4;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return getSASLAnonymousProperties();
            case true:
                return getSASLCRAMMD5Properties();
            case true:
                return getSASLDigestMD5Properties();
            case true:
                return getSASLExternalProperties();
            case true:
                return getSASLGSSAPIProperties();
            case true:
                return getSASLPlainProperties();
            default:
                return null;
        }
    }

    public String doSimpleBind(int i, ByteSequence byteSequence, ByteSequence byteSequence2, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        if (byteSequence2 == null) {
            byteSequence2 = ByteString.empty();
        }
        if (byteSequence == null) {
            byteSequence = ByteString.empty();
        }
        sendSimpleBindRequest(i, byteSequence, byteSequence2, list);
        LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_BIND_RESPONSE);
        list2.addAll(readBindResponse.getControls());
        checkConnected(readBindResponse);
        return checkSuccessfulSimpleBind(readBindResponse);
    }

    private void sendSimpleBindRequest(int i, ByteSequence byteSequence, ByteSequence byteSequence2, List<Control> list) throws ClientException {
        try {
            this.writer.writeMessage(new LDAPMessage(this.nextMessageID.getAndIncrement(), new BindRequestProtocolOp(byteSequence.toByteString(), i, byteSequence2.toByteString()), list));
        } catch (IOException e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_SIMPLE_BIND.get(StaticUtils.getExceptionMessage(e)), e);
        } catch (Exception e2) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_ENCODING_ERROR, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_SIMPLE_BIND.get(StaticUtils.getExceptionMessage(e2)), e2);
        }
    }

    private BindResponseProtocolOp checkSuccessfulBind(LDAPMessage lDAPMessage, String str) throws LDAPException {
        BindResponseProtocolOp bindResponseProtocolOp = lDAPMessage.getBindResponseProtocolOp();
        int resultCode = bindResponseProtocolOp.getResultCode();
        if (resultCode == ReturnCode.SUCCESS.get()) {
            return bindResponseProtocolOp;
        }
        throw new LDAPException(resultCode, bindResponseProtocolOp.getErrorMessage(), ToolMessages.ERR_LDAPAUTH_SASL_BIND_FAILED.get(str), bindResponseProtocolOp.getMatchedDN(), null);
    }

    private String checkSuccessfulSimpleBind(LDAPMessage lDAPMessage) throws LDAPException {
        BindResponseProtocolOp bindResponseProtocolOp = lDAPMessage.getBindResponseProtocolOp();
        int resultCode = bindResponseProtocolOp.getResultCode();
        if (resultCode == ReturnCode.SUCCESS.get()) {
            return null;
        }
        throw new LDAPException(resultCode, bindResponseProtocolOp.getErrorMessage(), ToolMessages.ERR_LDAPAUTH_SIMPLE_BIND_FAILED.get(), bindResponseProtocolOp.getMatchedDN(), null);
    }

    public String doSASLBind(ByteSequence byteSequence, ByteSequence byteSequence2, String str, Map<String, List<String>> map, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        if (byteSequence == null) {
            byteSequence = ByteString.empty();
        }
        if (str == null || str.length() == 0) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_NO_SASL_MECHANISM.get());
        }
        this.saslMechanism = StaticUtils.toUpperCase(str);
        String str2 = this.saslMechanism;
        boolean z = -1;
        switch (str2.hashCode()) {
            case -1796511348:
                if (str2.equals(ServerConstants.SASL_MECHANISM_CRAM_MD5)) {
                    z = true;
                    break;
                }
                break;
            case -1038134325:
                if (str2.equals(ServerConstants.SASL_MECHANISM_EXTERNAL)) {
                    z = 3;
                    break;
                }
                break;
            case -824267275:
                if (str2.equals(ServerConstants.SASL_MECHANISM_DIGEST_MD5)) {
                    z = 2;
                    break;
                }
                break;
            case 76210602:
                if (str2.equals(ServerConstants.SASL_MECHANISM_PLAIN)) {
                    z = 5;
                    break;
                }
                break;
            case 690783309:
                if (str2.equals(ServerConstants.SASL_MECHANISM_ANONYMOUS)) {
                    z = false;
                    break;
                }
                break;
            case 2111859635:
                if (str2.equals(ServerConstants.SASL_MECHANISM_GSSAPI)) {
                    z = 4;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return doSASLAnonymous(byteSequence, map, list, list2);
            case true:
                return doSASLCRAMMD5(byteSequence, byteSequence2, map, list, list2);
            case true:
                return doSASLDigestMD5(byteSequence, byteSequence2, map, list, list2);
            case true:
                return doSASLExternal(byteSequence, map, list, list2);
            case true:
                return doSASLGSSAPI(byteSequence, byteSequence2, map, list, list2);
            case true:
                return doSASLPlain(byteSequence, byteSequence2, map, list, list2);
            default:
                throw new ClientException(ReturnCode.CLIENT_SIDE_AUTH_UNKNOWN, ToolMessages.ERR_LDAPAUTH_UNSUPPORTED_SASL_MECHANISM.get(str));
        }
    }

    private String doSASLAnonymous(ByteSequence byteSequence, Map<String, List<String>> map, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        String str = null;
        if (map != null) {
            for (Map.Entry<String, List<String>> entry : map.entrySet()) {
                String key = entry.getKey();
                List<String> value = entry.getValue();
                if (!key.equalsIgnoreCase("trace")) {
                    throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_INVALID_SASL_PROPERTY.get(key, ServerConstants.SASL_MECHANISM_ANONYMOUS));
                }
                str = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_TRACE_SINGLE_VALUED);
            }
        }
        sendBindRequest(ServerConstants.SASL_MECHANISM_ANONYMOUS, byteSequence, str != null ? ByteString.valueOfUtf8(str) : null, list);
        LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_BIND_RESPONSE);
        list2.addAll(readBindResponse.getControls());
        checkConnected(readBindResponse);
        checkSuccessfulBind(readBindResponse, ServerConstants.SASL_MECHANISM_ANONYMOUS);
        return null;
    }

    private static LinkedHashMap<String, LocalizableMessage> getSASLAnonymousProperties() {
        LinkedHashMap<String, LocalizableMessage> linkedHashMap = new LinkedHashMap<>(1);
        linkedHashMap.put("trace", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_TRACE.get());
        return linkedHashMap;
    }

    private String doSASLCRAMMD5(ByteSequence byteSequence, ByteSequence byteSequence2, Map<String, List<String>> map, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        String str = null;
        if (map == null || map.isEmpty()) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_NO_SASL_PROPERTIES.get(ServerConstants.SASL_MECHANISM_CRAM_MD5));
        }
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            String key = entry.getKey();
            List<String> value = entry.getValue();
            if (!StaticUtils.toLowerCase(key).equals("authid")) {
                throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_INVALID_SASL_PROPERTY.get(key, ServerConstants.SASL_MECHANISM_CRAM_MD5));
            }
            str = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_AUTHID_SINGLE_VALUED);
        }
        if (str == null || str.length() == 0) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_SASL_AUTHID_REQUIRED.get(ServerConstants.SASL_MECHANISM_CRAM_MD5));
        }
        if (byteSequence2 == null) {
            byteSequence2 = ByteString.empty();
        }
        sendInitialBindRequest(ServerConstants.SASL_MECHANISM_CRAM_MD5, byteSequence);
        LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_INITIAL_BIND_RESPONSE, ServerConstants.SASL_MECHANISM_CRAM_MD5);
        checkConnected(readBindResponse);
        BindResponseProtocolOp bindResponseProtocolOp = readBindResponse.getBindResponseProtocolOp();
        int resultCode = bindResponseProtocolOp.getResultCode();
        if (resultCode != ReturnCode.SASL_BIND_IN_PROGRESS.get()) {
            LocalizableMessage errorMessage = bindResponseProtocolOp.getErrorMessage();
            if (errorMessage == null) {
                errorMessage = LocalizableMessage.EMPTY;
            }
            throw new LDAPException(resultCode, errorMessage, ToolMessages.ERR_LDAPAUTH_UNEXPECTED_INITIAL_BIND_RESPONSE.get(ServerConstants.SASL_MECHANISM_CRAM_MD5, Integer.valueOf(resultCode), ReturnCode.get(resultCode), errorMessage), bindResponseProtocolOp.getMatchedDN(), null);
        }
        ByteString serverSASLCredentials = bindResponseProtocolOp.getServerSASLCredentials();
        if (serverSASLCredentials == null) {
            throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_NO_CRAMMD5_SERVER_CREDENTIALS.get());
        }
        sendSecondBindRequest(ServerConstants.SASL_MECHANISM_CRAM_MD5, byteSequence, str + ' ' + generateCRAMMD5Digest(byteSequence2, serverSASLCredentials), list);
        LDAPMessage readBindResponse2 = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_SECOND_BIND_RESPONSE, ServerConstants.SASL_MECHANISM_CRAM_MD5);
        list2.addAll(readBindResponse2.getControls());
        checkConnected(readBindResponse2);
        checkSuccessfulBind(readBindResponse2, ServerConstants.SASL_MECHANISM_CRAM_MD5);
        return null;
    }

    private void sendInitialBindRequest(String str, ByteSequence byteSequence) throws ClientException {
        try {
            this.writer.writeMessage(new LDAPMessage(this.nextMessageID.getAndIncrement(), new BindRequestProtocolOp(byteSequence.toByteString(), str, (ByteString) null)));
        } catch (IOException e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_INITIAL_SASL_BIND.get(str, StaticUtils.getExceptionMessage(e)), e);
        } catch (Exception e2) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_ENCODING_ERROR, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_INITIAL_SASL_BIND.get(str, StaticUtils.getExceptionMessage(e2)), e2);
        }
    }

    private LDAPMessage readBindResponse(LocalizableMessageDescriptor.Arg2<Object, Object> arg2, String str) throws ClientException {
        try {
            try {
                LDAPMessage readMessage = this.reader.readMessage();
                if (readMessage != null) {
                    return readMessage;
                }
                throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, ToolMessages.ERR_LDAPAUTH_CONNECTION_CLOSED_WITHOUT_BIND_RESPONSE.get());
            } catch (DecodeException | LDAPException e) {
                throw new ClientException(ReturnCode.CLIENT_SIDE_DECODING_ERROR, arg2.get(str, StaticUtils.getExceptionMessage(e)), e);
            }
        } catch (IOException e2) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, arg2.get(str, StaticUtils.getExceptionMessage(e2)), e2);
        } catch (Exception e3) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, arg2.get(str, StaticUtils.getExceptionMessage(e3)), e3);
        }
    }

    private String generateCRAMMD5Digest(ByteSequence byteSequence, ByteSequence byteSequence2) throws ClientException {
        if (this.md5Digest == null) {
            try {
                this.md5Digest = MessageDigest.getInstance("MD5");
            } catch (Exception e) {
                throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_CANNOT_INITIALIZE_MD5_DIGEST.get(StaticUtils.getExceptionMessage(e)), e);
            }
        }
        if (this.iPad == null) {
            this.iPad = new byte[64];
            this.oPad = new byte[64];
            Arrays.fill(this.iPad, (byte) 54);
            Arrays.fill(this.oPad, (byte) 92);
        }
        byte[] byteArray = byteSequence.toByteArray();
        byte[] byteArray2 = byteSequence2.toByteArray();
        if (byteSequence.length() > 64) {
            byteArray = this.md5Digest.digest(byteArray);
        }
        byte[] bArr = new byte[64 + byteArray2.length];
        System.arraycopy(this.iPad, 0, bArr, 0, 64);
        System.arraycopy(byteArray2, 0, bArr, 64, byteArray2.length);
        byte[] bArr2 = new byte[80];
        System.arraycopy(this.oPad, 0, bArr2, 0, 64);
        for (int i = 0; i < byteArray.length; i++) {
            int i2 = i;
            bArr[i2] = (byte) (bArr[i2] ^ byteArray[i]);
            int i3 = i;
            bArr2[i3] = (byte) (bArr2[i3] ^ byteArray[i]);
        }
        System.arraycopy(this.md5Digest.digest(bArr), 0, bArr2, 64, 16);
        byte[] digest = this.md5Digest.digest(bArr2);
        StringBuilder sb = new StringBuilder(2 * digest.length);
        for (byte b : digest) {
            sb.append(StaticUtils.byteToLowerHex(b));
        }
        return sb.toString();
    }

    private static LinkedHashMap<String, LocalizableMessage> getSASLCRAMMD5Properties() {
        LinkedHashMap<String, LocalizableMessage> linkedHashMap = new LinkedHashMap<>(1);
        linkedHashMap.put("authid", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_AUTHID.get());
        return linkedHashMap;
    }

    private String doSASLDigestMD5(ByteSequence byteSequence, ByteSequence byteSequence2, Map<String, List<String>> map, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        String str = null;
        String str2 = null;
        String str3 = "auth";
        String str4 = "ldap/" + this.hostName;
        String str5 = null;
        boolean z = false;
        if (map == null || map.isEmpty()) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_NO_SASL_PROPERTIES.get(ServerConstants.SASL_MECHANISM_DIGEST_MD5));
        }
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            String key = entry.getKey();
            List<String> value = entry.getValue();
            String lowerCase = StaticUtils.toLowerCase(key);
            if (lowerCase.equals("authid")) {
                str = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_AUTHID_SINGLE_VALUED);
            } else if (lowerCase.equals("realm")) {
                Iterator<String> it = value.iterator();
                if (it.hasNext()) {
                    str2 = it.next();
                    z = true;
                    if (it.hasNext()) {
                        throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_REALM_SINGLE_VALUED.get());
                    }
                } else {
                    continue;
                }
            } else if (lowerCase.equals("qop")) {
                Iterator<String> it2 = value.iterator();
                if (it2.hasNext()) {
                    str3 = StaticUtils.toLowerCase(it2.next());
                    if (it2.hasNext()) {
                        throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_QOP_SINGLE_VALUED.get());
                    }
                    if (!str3.equals("auth")) {
                        if (str3.equals("auth-int") || str3.equals("auth-conf")) {
                            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_DIGESTMD5_QOP_NOT_SUPPORTED.get(str3));
                        }
                        throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_DIGESTMD5_INVALID_QOP.get(str3));
                    }
                } else {
                    continue;
                }
            } else if (lowerCase.equals("digest-uri")) {
                str4 = StaticUtils.toLowerCase(getSingleValue(value, ToolMessages.ERR_LDAPAUTH_DIGEST_URI_SINGLE_VALUED));
            } else {
                if (!lowerCase.equals("authzid")) {
                    throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_INVALID_SASL_PROPERTY.get(key, ServerConstants.SASL_MECHANISM_DIGEST_MD5));
                }
                str5 = StaticUtils.toLowerCase(getSingleValue(value, ToolMessages.ERR_LDAPAUTH_AUTHZID_SINGLE_VALUED));
            }
        }
        if (str == null || str.length() == 0) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_SASL_AUTHID_REQUIRED.get(ServerConstants.SASL_MECHANISM_DIGEST_MD5));
        }
        if (byteSequence2 == null) {
            byteSequence2 = ByteString.empty();
        }
        sendInitialBindRequest(ServerConstants.SASL_MECHANISM_DIGEST_MD5, byteSequence);
        LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_INITIAL_BIND_RESPONSE, ServerConstants.SASL_MECHANISM_DIGEST_MD5);
        checkConnected(readBindResponse);
        BindResponseProtocolOp bindResponseProtocolOp = readBindResponse.getBindResponseProtocolOp();
        int resultCode = bindResponseProtocolOp.getResultCode();
        if (resultCode != ReturnCode.SASL_BIND_IN_PROGRESS.get()) {
            LocalizableMessage errorMessage = bindResponseProtocolOp.getErrorMessage();
            if (errorMessage == null) {
                errorMessage = LocalizableMessage.EMPTY;
            }
            throw new LDAPException(resultCode, errorMessage, ToolMessages.ERR_LDAPAUTH_UNEXPECTED_INITIAL_BIND_RESPONSE.get(ServerConstants.SASL_MECHANISM_DIGEST_MD5, Integer.valueOf(resultCode), ReturnCode.get(resultCode), errorMessage), bindResponseProtocolOp.getMatchedDN(), null);
        }
        ByteString serverSASLCredentials = bindResponseProtocolOp.getServerSASLCredentials();
        if (serverSASLCredentials == null) {
            throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_NO_DIGESTMD5_SERVER_CREDENTIALS.get());
        }
        String byteString = serverSASLCredentials.toString();
        String lowerCase2 = StaticUtils.toLowerCase(byteString);
        String str6 = null;
        boolean z2 = false;
        int i = 0;
        int length = byteString.length();
        while (i < length) {
            int indexOf = byteString.indexOf(61, i + 1);
            if (indexOf < 0) {
                throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_DIGESTMD5_INVALID_TOKEN_IN_CREDENTIALS.get(byteString, Integer.valueOf(i)));
            }
            String substring = lowerCase2.substring(i, indexOf);
            StringBuilder sb = new StringBuilder();
            i = readToken(byteString, indexOf + 1, length, sb);
            String sb2 = sb.toString();
            if (substring.equals("charset")) {
                if (!sb2.equalsIgnoreCase("utf-8")) {
                    throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_DIGESTMD5_INVALID_CHARSET.get(sb2));
                }
                z2 = true;
            } else if (substring.equals("realm")) {
                if (!z) {
                    if (str2 == null) {
                        str2 = sb2;
                    } else {
                        str2 = null;
                        z = true;
                    }
                }
            } else if (substring.equals("nonce")) {
                str6 = sb2;
            } else if (substring.equals("qop")) {
                StringTokenizer stringTokenizer = new StringTokenizer(sb2, ",");
                LinkedList linkedList = new LinkedList();
                while (stringTokenizer.hasMoreTokens()) {
                    linkedList.add(StaticUtils.toLowerCase(stringTokenizer.nextToken().trim()));
                }
                if (!linkedList.contains(str3)) {
                    throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_REQUESTED_QOP_NOT_SUPPORTED_BY_SERVER.get(str3, sb2));
                }
            } else {
                continue;
            }
        }
        if (str6 == null) {
            throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_DIGESTMD5_NO_NONCE.get());
        }
        String generateCNonce = generateCNonce();
        String str7 = z2 ? "UTF-8" : "ISO-8859-1";
        try {
            String generateDigestMD5Response = generateDigestMD5Response(str, str5, byteSequence2, str2, str6, generateCNonce, "00000001", str4, str3, str7);
            StringBuilder sb3 = new StringBuilder();
            sb3.append("username=\"").append(str).append("\"");
            if (str2 != null) {
                sb3.append(",realm=\"").append(str2).append("\"");
            }
            sb3.append(",nonce=\"").append(str6);
            sb3.append("\",cnonce=\"").append(generateCNonce);
            sb3.append("\",nc=").append("00000001");
            sb3.append(",qop=").append(str3);
            sb3.append(",digest-uri=\"").append(str4);
            sb3.append("\",response=").append(generateDigestMD5Response);
            if (z2) {
                sb3.append(",charset=utf-8");
            }
            if (str5 != null) {
                sb3.append(",authzid=\"").append(str5).append("\"");
            }
            sendSecondBindRequest(ServerConstants.SASL_MECHANISM_DIGEST_MD5, byteSequence, sb3.toString(), list);
            LDAPMessage readBindResponse2 = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_SECOND_BIND_RESPONSE, ServerConstants.SASL_MECHANISM_DIGEST_MD5);
            list2.addAll(readBindResponse2.getControls());
            checkConnected(readBindResponse2);
            ByteString serverSASLCredentials2 = checkSuccessfulBind(readBindResponse2, ServerConstants.SASL_MECHANISM_DIGEST_MD5).getServerSASLCredentials();
            if (serverSASLCredentials2 == null) {
                throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_DIGESTMD5_NO_RSPAUTH_CREDS.get());
            }
            String lowerCase3 = StaticUtils.toLowerCase(serverSASLCredentials2.toString());
            if (!lowerCase3.startsWith("rspauth=")) {
                throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_DIGESTMD5_NO_RSPAUTH_CREDS.get());
            }
            try {
                try {
                    if (Arrays.equals(StaticUtils.hexStringToByteArray(lowerCase3.substring(8)), generateDigestMD5RspAuth(str, str5, byteSequence2, str2, str6, generateCNonce, "00000001", str4, str3, str7))) {
                        return null;
                    }
                    throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_DIGESTMD5_RSPAUTH_MISMATCH.get());
                } catch (Exception e) {
                    throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_DIGESTMD5_COULD_NOT_CALCULATE_RSPAUTH.get(StaticUtils.getExceptionMessage(e)));
                }
            } catch (Exception e2) {
                throw new LDAPException(ReturnCode.PROTOCOL_ERROR.get(), ToolMessages.ERR_LDAPAUTH_DIGESTMD5_COULD_NOT_DECODE_RSPAUTH.get(StaticUtils.getExceptionMessage(e2)));
            }
        } catch (ClientException e3) {
            throw e3;
        } catch (Exception e4) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_DIGESTMD5_CANNOT_CREATE_RESPONSE_DIGEST.get(StaticUtils.getExceptionMessage(e4)), e4);
        }
    }

    private void sendSecondBindRequest(String str, ByteSequence byteSequence, String str2, List<Control> list) throws ClientException {
        try {
            this.writer.writeMessage(new LDAPMessage(this.nextMessageID.getAndIncrement(), new BindRequestProtocolOp(byteSequence.toByteString(), str, ByteString.valueOfUtf8(str2)), list));
        } catch (IOException e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_SECOND_SASL_BIND.get(str, StaticUtils.getExceptionMessage(e)), e);
        } catch (Exception e2) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_ENCODING_ERROR, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_SECOND_SASL_BIND.get(str, StaticUtils.getExceptionMessage(e2)), e2);
        }
    }

    private int readToken(String str, int i, int i2, StringBuilder sb) throws LDAPException {
        if (i >= i2) {
            return i;
        }
        boolean z = false;
        boolean z2 = false;
        int i3 = i + 1;
        char charAt = str.charAt(i);
        if (charAt == ',') {
            return i3;
        }
        if (charAt == '\"') {
            z2 = true;
        } else if (charAt == '\\') {
            z = true;
        } else {
            sb.append(charAt);
        }
        while (true) {
            if (i3 >= i2) {
                break;
            }
            int i4 = i3;
            i3++;
            char charAt2 = str.charAt(i4);
            if (z) {
                sb.append(charAt2);
                z = false;
            } else if (charAt2 == ',') {
                if (!z2) {
                    break;
                }
                sb.append(charAt2);
            } else if (charAt2 == '\"') {
                if (!z2) {
                    sb.append(charAt2);
                } else if (i3 < i2) {
                    i3++;
                    if (str.charAt(i3) != ',') {
                        throw new LDAPException(ReturnCode.INVALID_CREDENTIALS.get(), ToolMessages.ERR_LDAPAUTH_DIGESTMD5_INVALID_CLOSING_QUOTE_POS.get(Integer.valueOf(i3 - 2)));
                    }
                }
            } else if (charAt2 == '\\') {
                z = true;
            } else {
                sb.append(charAt2);
            }
        }
        return i3;
    }

    private String generateCNonce() {
        if (this.secureRandom == null) {
            this.secureRandom = new SecureRandom();
        }
        byte[] bArr = new byte[16];
        this.secureRandom.nextBytes(bArr);
        return Base64.encode(bArr);
    }

    private String generateDigestMD5Response(String str, String str2, ByteSequence byteSequence, String str3, String str4, String str5, String str6, String str7, String str8, String str9) throws ClientException, UnsupportedEncodingException {
        if (this.md5Digest == null) {
            try {
                this.md5Digest = MessageDigest.getInstance("MD5");
            } catch (Exception e) {
                throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_CANNOT_INITIALIZE_MD5_DIGEST.get(StaticUtils.getExceptionMessage(e)), e);
            }
        }
        byte[] bytes = (str + ':' + (str3 == null ? "" : str3) + ':').getBytes(str9);
        byte[] bArr = new byte[bytes.length + byteSequence.length()];
        System.arraycopy(bytes, 0, bArr, 0, bytes.length);
        byteSequence.copyTo(bArr, bytes.length);
        byte[] digest = this.md5Digest.digest(bArr);
        StringBuilder sb = new StringBuilder();
        sb.append(':');
        sb.append(str4);
        sb.append(':');
        sb.append(str5);
        if (str2 != null) {
            sb.append(':');
            sb.append(str2);
        }
        byte[] bytes2 = sb.toString().getBytes(str9);
        byte[] bArr2 = new byte[digest.length + bytes2.length];
        System.arraycopy(digest, 0, bArr2, 0, digest.length);
        System.arraycopy(bytes2, 0, bArr2, digest.length, bytes2.length);
        return getHexString(this.md5Digest.digest((getHexString(this.md5Digest.digest(bArr2)) + ':' + str4 + ':' + str6 + ':' + str5 + ':' + str8 + ':' + getHexString(this.md5Digest.digest(("AUTHENTICATE:" + str7).getBytes(str9)))).getBytes(str9)));
    }

    private byte[] generateDigestMD5RspAuth(String str, String str2, ByteSequence byteSequence, String str3, String str4, String str5, String str6, String str7, String str8, String str9) throws UnsupportedEncodingException {
        byte[] bytes = (str + ':' + str3 + ':').getBytes(str9);
        byte[] bArr = new byte[bytes.length + byteSequence.length()];
        System.arraycopy(bytes, 0, bArr, 0, bytes.length);
        byteSequence.copyTo(bArr, bytes.length);
        byte[] digest = this.md5Digest.digest(bArr);
        StringBuilder sb = new StringBuilder();
        sb.append(':');
        sb.append(str4);
        sb.append(':');
        sb.append(str5);
        if (str2 != null) {
            sb.append(':');
            sb.append(str2);
        }
        byte[] bytes2 = sb.toString().getBytes(str9);
        byte[] bArr2 = new byte[digest.length + bytes2.length];
        System.arraycopy(digest, 0, bArr2, 0, digest.length);
        System.arraycopy(bytes2, 0, bArr2, digest.length, bytes2.length);
        byte[] digest2 = this.md5Digest.digest(bArr2);
        String str10 = ":" + str7;
        if (str8.equals("auth-int") || str8.equals("auth-conf")) {
            str10 = str10 + ":00000000000000000000000000000000";
        }
        byte[] digest3 = this.md5Digest.digest(str10.getBytes(str9));
        return this.md5Digest.digest((getHexString(digest2) + ':' + str4 + ':' + str6 + ':' + str5 + ':' + str8 + ':' + getHexString(digest3)).getBytes(str9));
    }

    private String getHexString(byte[] bArr) {
        StringBuilder sb = new StringBuilder(2 * bArr.length);
        for (byte b : bArr) {
            sb.append(StaticUtils.byteToLowerHex(b));
        }
        return sb.toString();
    }

    private static LinkedHashMap<String, LocalizableMessage> getSASLDigestMD5Properties() {
        LinkedHashMap<String, LocalizableMessage> linkedHashMap = new LinkedHashMap<>(5);
        linkedHashMap.put("authid", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_AUTHID.get());
        linkedHashMap.put("realm", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_REALM.get());
        linkedHashMap.put("qop", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_QOP.get());
        linkedHashMap.put("digest-uri", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_DIGEST_URI.get());
        linkedHashMap.put("authzid", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_AUTHZID.get());
        return linkedHashMap;
    }

    public String doSASLExternal(ByteSequence byteSequence, Map<String, List<String>> map, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        if (map != null && !map.isEmpty()) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_NO_ALLOWED_SASL_PROPERTIES.get(ServerConstants.SASL_MECHANISM_EXTERNAL));
        }
        sendBindRequest(ServerConstants.SASL_MECHANISM_EXTERNAL, byteSequence, null, list);
        LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_BIND_RESPONSE);
        list2.addAll(readBindResponse.getControls());
        checkConnected(readBindResponse);
        BindResponseProtocolOp bindResponseProtocolOp = readBindResponse.getBindResponseProtocolOp();
        int resultCode = bindResponseProtocolOp.getResultCode();
        if (resultCode == ReturnCode.SUCCESS.get()) {
            return null;
        }
        throw new LDAPException(resultCode, bindResponseProtocolOp.getErrorMessage(), ToolMessages.ERR_LDAPAUTH_SASL_BIND_FAILED.get(ServerConstants.SASL_MECHANISM_EXTERNAL), bindResponseProtocolOp.getMatchedDN(), null);
    }

    private void sendBindRequest(String str, ByteSequence byteSequence, ByteString byteString, List<Control> list) throws ClientException {
        try {
            this.writer.writeMessage(new LDAPMessage(this.nextMessageID.getAndIncrement(), new BindRequestProtocolOp(byteSequence.toByteString(), str, byteString), list));
        } catch (IOException e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_SASL_BIND.get(str, StaticUtils.getExceptionMessage(e)), e);
        } catch (Exception e2) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_ENCODING_ERROR, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_SASL_BIND.get(str, StaticUtils.getExceptionMessage(e2)), e2);
        }
    }

    private LDAPMessage readBindResponse(LocalizableMessageDescriptor.Arg1<Object> arg1) throws ClientException {
        try {
            try {
                LDAPMessage readMessage = this.reader.readMessage();
                if (readMessage != null) {
                    return readMessage;
                }
                throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, ToolMessages.ERR_LDAPAUTH_CONNECTION_CLOSED_WITHOUT_BIND_RESPONSE.get());
            } catch (DecodeException | LDAPException e) {
                throw new ClientException(ReturnCode.CLIENT_SIDE_DECODING_ERROR, arg1.get(StaticUtils.getExceptionMessage(e)), e);
            }
        } catch (IOException e2) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, arg1.get(StaticUtils.getExceptionMessage(e2)), e2);
        } catch (Exception e3) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, arg1.get(StaticUtils.getExceptionMessage(e3)), e3);
        }
    }

    private static LinkedHashMap<String, LocalizableMessage> getSASLExternalProperties() {
        return new LinkedHashMap<>(0);
    }

    private String doSASLGSSAPI(ByteSequence byteSequence, ByteSequence byteSequence2, Map<String, List<String>> map, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        String str = null;
        String str2 = null;
        this.gssapiBindDN = byteSequence;
        this.gssapiAuthID = null;
        this.gssapiAuthzID = null;
        this.gssapiQoP = "auth";
        this.gssapiAuthPW = byteSequence2 != null ? byteSequence2.toString().toCharArray() : null;
        if (map == null || map.isEmpty()) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_NO_SASL_PROPERTIES.get(ServerConstants.SASL_MECHANISM_GSSAPI));
        }
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            String key = entry.getKey();
            String lowerCase = StaticUtils.toLowerCase(key);
            List<String> value = entry.getValue();
            if (lowerCase.equals("authid")) {
                this.gssapiAuthID = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_AUTHID_SINGLE_VALUED);
            } else if (lowerCase.equals("authzid")) {
                this.gssapiAuthzID = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_AUTHZID_SINGLE_VALUED);
            } else if (lowerCase.equals("kdc")) {
                str = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_KDC_SINGLE_VALUED);
            } else if (lowerCase.equals("qop")) {
                Iterator<String> it = value.iterator();
                if (it.hasNext()) {
                    this.gssapiQoP = StaticUtils.toLowerCase(it.next());
                    if (it.hasNext()) {
                        throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_QOP_SINGLE_VALUED.get());
                    }
                    if (!this.gssapiQoP.equals("auth")) {
                        if (this.gssapiQoP.equals("auth-int") || this.gssapiQoP.equals("auth-conf")) {
                            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_DIGESTMD5_QOP_NOT_SUPPORTED.get(this.gssapiQoP));
                        }
                        throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_INVALID_QOP.get(this.gssapiQoP));
                    }
                } else {
                    continue;
                }
            } else {
                if (!lowerCase.equals("realm")) {
                    throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_INVALID_SASL_PROPERTY.get(key, ServerConstants.SASL_MECHANISM_GSSAPI));
                }
                str2 = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_REALM_SINGLE_VALUED);
            }
        }
        if (this.gssapiAuthID == null || this.gssapiAuthID.length() == 0) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_SASL_AUTHID_REQUIRED.get(ServerConstants.SASL_MECHANISM_GSSAPI));
        }
        if (this.gssapiAuthzID == null) {
            this.gssapiAuthzID = this.gssapiAuthID;
        }
        if (str2 != null) {
            System.setProperty(ServerConstants.KRBV_PROPERTY_REALM, str2);
        }
        if (str != null) {
            System.setProperty(ServerConstants.KRBV_PROPERTY_KDC, str);
        }
        try {
            File createTempFile = File.createTempFile("login", "conf");
            String absolutePath = createTempFile.getAbsolutePath();
            createTempFile.deleteOnExit();
            BufferedWriter bufferedWriter = new BufferedWriter(new FileWriter(createTempFile, false));
            try {
                bufferedWriter.write(getClass().getName() + " {");
                bufferedWriter.newLine();
                bufferedWriter.write("  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=TRUE;");
                bufferedWriter.newLine();
                bufferedWriter.write("};");
                bufferedWriter.newLine();
                bufferedWriter.close();
                System.setProperty(ServerConstants.JAAS_PROPERTY_CONFIG_FILE, absolutePath);
                System.setProperty(ServerConstants.JAAS_PROPERTY_SUBJECT_CREDS_ONLY, ServerConstants.CONFIG_VALUE_TRUE);
                try {
                    LoginContext loginContext = new LoginContext(getClass().getName(), this);
                    loginContext.login();
                    try {
                        Subject.doAs(loginContext.getSubject(), this);
                        return null;
                    } catch (Exception e) {
                        if (e instanceof ClientException) {
                            throw e;
                        }
                        if (e instanceof LDAPException) {
                            throw ((LDAPException) e);
                        }
                        throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_REMOTE_AUTHENTICATION_FAILED.get(StaticUtils.getExceptionMessage(e)), e);
                    }
                } catch (Exception e2) {
                    throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_LOCAL_AUTHENTICATION_FAILED.get(StaticUtils.getExceptionMessage(e2)), e2);
                }
            } finally {
            }
        } catch (Exception e3) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_CANNOT_CREATE_JAAS_CONFIG.get(StaticUtils.getExceptionMessage(e3)), e3);
        }
    }

    private String getSingleValue(List<String> list, LocalizableMessageDescriptor.Arg0 arg0) throws ClientException {
        Iterator<String> it = list.iterator();
        if (!it.hasNext()) {
            return null;
        }
        String next = it.next();
        if (it.hasNext()) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, arg0.get());
        }
        return next;
    }

    private static LinkedHashMap<String, LocalizableMessage> getSASLGSSAPIProperties() {
        LinkedHashMap<String, LocalizableMessage> linkedHashMap = new LinkedHashMap<>(4);
        linkedHashMap.put("authid", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_AUTHID.get());
        linkedHashMap.put("authzid", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_AUTHZID.get());
        linkedHashMap.put("kdc", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_KDC.get());
        linkedHashMap.put("realm", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_REALM.get());
        return linkedHashMap;
    }

    public String doSASLPlain(ByteSequence byteSequence, ByteSequence byteSequence2, Map<String, List<String>> map, List<Control> list, List<Control> list2) throws ClientException, LDAPException {
        String str = null;
        String str2 = null;
        if (map == null || map.isEmpty()) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_NO_SASL_PROPERTIES.get(ServerConstants.SASL_MECHANISM_PLAIN));
        }
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            String key = entry.getKey();
            List<String> value = entry.getValue();
            String lowerCase = StaticUtils.toLowerCase(key);
            if (lowerCase.equals("authid")) {
                str = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_AUTHID_SINGLE_VALUED);
            } else {
                if (!lowerCase.equals("authzid")) {
                    throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_INVALID_SASL_PROPERTY.get(key, ServerConstants.SASL_MECHANISM_PLAIN));
                }
                str2 = getSingleValue(value, ToolMessages.ERR_LDAPAUTH_AUTHZID_SINGLE_VALUED);
            }
        }
        if (str == null || str.length() == 0) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_PARAM_ERROR, ToolMessages.ERR_LDAPAUTH_SASL_AUTHID_REQUIRED.get(ServerConstants.SASL_MECHANISM_PLAIN));
        }
        if (byteSequence2 == null) {
            byteSequence2 = ByteString.empty();
        }
        sendBindRequest(ServerConstants.SASL_MECHANISM_PLAIN, byteSequence, ByteString.valueOfUtf8((str2 != null ? str2 : "") + (char) 0 + str + (char) 0 + byteSequence2), list);
        LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_BIND_RESPONSE);
        list2.addAll(readBindResponse.getControls());
        checkConnected(readBindResponse);
        checkSuccessfulBind(readBindResponse, ServerConstants.SASL_MECHANISM_PLAIN);
        return null;
    }

    private static LinkedHashMap<String, LocalizableMessage> getSASLPlainProperties() {
        LinkedHashMap<String, LocalizableMessage> linkedHashMap = new LinkedHashMap<>(2);
        linkedHashMap.put("authid", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_AUTHID.get());
        linkedHashMap.put("authzid", ToolMessages.INFO_LDAPAUTH_PROPERTY_DESCRIPTION_AUTHZID.get());
        return linkedHashMap;
    }

    @Override // java.security.PrivilegedExceptionAction
    public Object run() throws ClientException, LDAPException {
        if (this.saslMechanism == null) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_NONSASL_RUN_INVOCATION.get(StaticUtils.getBacktrace()));
        }
        if (this.saslMechanism.equals(ServerConstants.SASL_MECHANISM_GSSAPI)) {
            doSASLGSSAPI2();
            return null;
        }
        throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_UNEXPECTED_RUN_INVOCATION.get(this.saslMechanism, StaticUtils.getBacktrace()));
    }

    private void doSASLGSSAPI2() throws ClientException, LDAPException {
        HashMap hashMap = new HashMap();
        hashMap.put("javax.security.sasl.qop", this.gssapiQoP);
        hashMap.put("javax.security.sasl.server.authentication", ServerConstants.CONFIG_VALUE_TRUE);
        try {
            SaslClient createSaslClient = Sasl.createSaslClient(new String[]{ServerConstants.SASL_MECHANISM_GSSAPI}, this.gssapiAuthzID, "ldap", this.hostName, hashMap, this);
            sendBindRequest(ServerConstants.SASL_MECHANISM_GSSAPI, this.gssapiBindDN, getSaslCredentialsForInitialBind(createSaslClient), null);
            LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_BIND_RESPONSE);
            checkConnected(readBindResponse);
            while (true) {
                BindResponseProtocolOp bindResponseProtocolOp = readBindResponse.getBindResponseProtocolOp();
                int resultCode = bindResponseProtocolOp.getResultCode();
                if (resultCode == ReturnCode.SUCCESS.get()) {
                    evaluateGSSAPIChallenge(createSaslClient, bindResponseProtocolOp);
                    return;
                } else {
                    if (resultCode != ReturnCode.SASL_BIND_IN_PROGRESS.get()) {
                        throw new LDAPException(resultCode, bindResponseProtocolOp.getErrorMessage(), ToolMessages.ERR_LDAPAUTH_GSSAPI_BIND_FAILED.get(), bindResponseProtocolOp.getMatchedDN(), null);
                    }
                    sendBindRequest(ServerConstants.SASL_MECHANISM_GSSAPI, this.gssapiBindDN, evaluateSaslChallenge(createSaslClient, bindResponseProtocolOp), null);
                    readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_BIND_RESPONSE);
                    checkConnected(readBindResponse);
                }
            }
        } catch (Exception e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_CANNOT_CREATE_SASL_CLIENT.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    private void evaluateGSSAPIChallenge(SaslClient saslClient, BindResponseProtocolOp bindResponseProtocolOp) throws ClientException {
        ByteString serverSASLCredentials = bindResponseProtocolOp.getServerSASLCredentials();
        if (serverSASLCredentials != null) {
            try {
                saslClient.evaluateChallenge(serverSASLCredentials.toByteArray());
            } catch (Exception e) {
                throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_CANNOT_VALIDATE_SERVER_CREDS.get(StaticUtils.getExceptionMessage(e)), e);
            }
        }
        if (saslClient.isComplete()) {
            return;
        }
        throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_UNEXPECTED_SUCCESS_RESPONSE.get());
    }

    private ByteString evaluateSaslChallenge(SaslClient saslClient, BindResponseProtocolOp bindResponseProtocolOp) throws ClientException {
        try {
            ByteString serverSASLCredentials = bindResponseProtocolOp.getServerSASLCredentials();
            return ByteString.wrap(saslClient.evaluateChallenge(serverSASLCredentials != null ? serverSASLCredentials.toByteArray() : new byte[0]));
        } catch (Exception e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_CANNOT_VALIDATE_SERVER_CREDS.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    private ByteString getSaslCredentialsForInitialBind(SaslClient saslClient) throws ClientException {
        if (!saslClient.hasInitialResponse()) {
            return null;
        }
        try {
            return ByteString.wrap(saslClient.evaluateChallenge(new byte[0]));
        } catch (Exception e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_GSSAPI_CANNOT_CREATE_INITIAL_CHALLENGE.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    private void checkConnected(LDAPMessage lDAPMessage) throws LDAPException, ClientException {
        switch (lDAPMessage.getProtocolOpType()) {
            case 97:
                return;
            case 120:
                ExtendedResponseProtocolOp extendedResponseProtocolOp = lDAPMessage.getExtendedResponseProtocolOp();
                if (LDAPConstants.OID_NOTICE_OF_DISCONNECTION.equals(extendedResponseProtocolOp.getOID())) {
                    throw new LDAPException(extendedResponseProtocolOp.getResultCode(), ToolMessages.ERR_LDAPAUTH_SERVER_DISCONNECT.get(Integer.valueOf(extendedResponseProtocolOp.getResultCode()), extendedResponseProtocolOp.getErrorMessage()));
                }
                throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_UNEXPECTED_EXTENDED_RESPONSE.get(extendedResponseProtocolOp));
            default:
                throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_UNEXPECTED_RESPONSE.get(lDAPMessage.getProtocolOp()));
        }
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        if (this.saslMechanism == null) {
            throw new UnsupportedCallbackException(callbackArr[0], ToolMessages.ERR_LDAPAUTH_NONSASL_CALLBACK_INVOCATION.get(StaticUtils.getBacktrace()).toString());
        }
        if (!this.saslMechanism.equals(ServerConstants.SASL_MECHANISM_GSSAPI)) {
            throw new UnsupportedCallbackException(callbackArr[0], ToolMessages.ERR_LDAPAUTH_UNEXPECTED_CALLBACK_INVOCATION.get(this.saslMechanism, StaticUtils.getBacktrace()).toString());
        }
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(this.gssapiAuthID);
            } else {
                if (!(callback instanceof PasswordCallback)) {
                    throw new UnsupportedCallbackException(callback, ToolMessages.ERR_LDAPAUTH_UNEXPECTED_GSSAPI_CALLBACK.get(callback).toString());
                }
                if (this.gssapiAuthPW == null) {
                    System.out.print(ToolMessages.INFO_LDAPAUTH_PASSWORD_PROMPT.get(this.gssapiAuthID));
                    try {
                        this.gssapiAuthPW = ConsoleApplication.readPassword();
                    } catch (ClientException e) {
                        throw new UnsupportedCallbackException(callback, e.getLocalizedMessage());
                    }
                }
                ((PasswordCallback) callback).setPassword(this.gssapiAuthPW);
            }
        }
    }

    public ByteString requestAuthorizationIdentity() throws ClientException, LDAPException {
        try {
            this.writer.writeMessage(new LDAPMessage(this.nextMessageID.getAndIncrement(), new ExtendedRequestProtocolOp(ServerConstants.OID_WHO_AM_I_REQUEST)));
            LDAPMessage readBindResponse = readBindResponse(ToolMessages.ERR_LDAPAUTH_CANNOT_READ_WHOAMI_RESPONSE);
            if (readBindResponse.getProtocolOpType() != 120) {
                throw new ClientException(ReturnCode.CLIENT_SIDE_LOCAL_ERROR, ToolMessages.ERR_LDAPAUTH_UNEXPECTED_RESPONSE.get(readBindResponse.getProtocolOp()));
            }
            ExtendedResponseProtocolOp extendedResponseProtocolOp = readBindResponse.getExtendedResponseProtocolOp();
            if (LDAPConstants.OID_NOTICE_OF_DISCONNECTION.equals(extendedResponseProtocolOp.getOID())) {
                throw new LDAPException(extendedResponseProtocolOp.getResultCode(), ToolMessages.ERR_LDAPAUTH_SERVER_DISCONNECT.get(Integer.valueOf(extendedResponseProtocolOp.getResultCode()), extendedResponseProtocolOp.getErrorMessage()));
            }
            int resultCode = extendedResponseProtocolOp.getResultCode();
            if (resultCode != ReturnCode.SUCCESS.get()) {
                throw new LDAPException(resultCode, extendedResponseProtocolOp.getErrorMessage(), ToolMessages.ERR_LDAPAUTH_WHOAMI_FAILED.get(), extendedResponseProtocolOp.getMatchedDN(), null);
            }
            ByteString value = extendedResponseProtocolOp.getValue();
            if (value == null || value.length() == 0 || "dn:".equalsIgnoreCase(value.toString())) {
                return null;
            }
            return value;
        } catch (IOException e) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_SERVER_DOWN, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_WHOAMI_REQUEST.get(StaticUtils.getExceptionMessage(e)), e);
        } catch (Exception e2) {
            throw new ClientException(ReturnCode.CLIENT_SIDE_ENCODING_ERROR, ToolMessages.ERR_LDAPAUTH_CANNOT_SEND_WHOAMI_REQUEST.get(StaticUtils.getExceptionMessage(e2)), e2);
        }
    }
}
