package org.apache.directory.server.kerberos;

import java.net.UnknownHostException;
import java.security.InvalidKeyException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.crypto.spec.DESKeySpec;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import org.apache.directory.api.util.Network;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.annotations.SaslMechanism;
import org.apache.directory.server.core.annotations.ContextEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreateIndex;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.integ.ServerIntegrationUtils;
import org.apache.directory.server.ldap.handlers.extended.StoredProcedureExtendedOperationHandler;
import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.ntlm.NtlmMechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.plain.PlainMechanismHandler;
import org.apache.directory.shared.kerberos.codec.KerberosDecoder;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;

@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")}, saslHost = "localhost", saslMechanisms = {@SaslMechanism(name = "PLAIN", implClass = PlainMechanismHandler.class), @SaslMechanism(name = "CRAM-MD5", implClass = CramMd5MechanismHandler.class), @SaslMechanism(name = "DIGEST-MD5", implClass = DigestMd5MechanismHandler.class), @SaslMechanism(name = "GSSAPI", implClass = GssapiMechanismHandler.class), @SaslMechanism(name = "NTLM", implClass = NtlmMechanismHandler.class), @SaslMechanism(name = "GSS-SPNEGO", implClass = NtlmMechanismHandler.class)}, extendedOpHandlers = {StoredProcedureExtendedOperationHandler.class})
@RunWith(FrameworkRunner.class)
@CreateDS(name = "KeyDerivationServiceIT-class", partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com", contextEntry = @ContextEntry(entryLdif = "dn: dc=example,dc=com\ndc: example\nobjectClass: top\nobjectClass: domain\n\n"), indexes = {@CreateIndex(attribute = "objectClass"), @CreateIndex(attribute = "dc"), @CreateIndex(attribute = "ou")})}, additionalInterceptors = {KeyDerivationInterceptor.class})
/* loaded from: input_file:org/apache/directory/server/kerberos/KeyDerivationServiceIT.class */
public class KeyDerivationServiceIT extends AbstractLdapTestUnit {
    private static final String RDN = "uid=hnelson,ou=users,dc=example,dc=com";

    private void checkKeyNumber(Attributes attributes) {
        Attribute attribute = attributes.get("krb5key");
        String property = System.getProperty("java.vm.vendor");
        if (property.equalsIgnoreCase("IBM Corporation")) {
            Assert.assertTrue("Number of keys", attribute.size() > 1);
            return;
        }
        if (property.equalsIgnoreCase("Sun Microsystems Inc.")) {
            Assert.assertTrue("Number of keys", attribute.size() > 3);
            return;
        }
        if (property.equalsIgnoreCase("BEA Systems, Inc.")) {
            Assert.assertTrue("Number of keys", attribute.size() > 3);
            return;
        }
        if (property.equalsIgnoreCase("Oracle Corporation")) {
            Assert.assertTrue("Number of keys", attribute.size() > 3);
            return;
        }
        if (property.equalsIgnoreCase("Apple Inc.")) {
            Assert.assertTrue("Number of keys", attribute.size() > 3);
            return;
        }
        if (property.equalsIgnoreCase("Apple Inc.")) {
            Assert.assertTrue("Number of keys", attribute.size() > 3);
        } else if (property.equalsIgnoreCase("\"Apple Computer, Inc.\"")) {
            Assert.assertTrue("Number of keys", attribute.size() > 3);
        } else {
            Assert.fail("Unkown JVM");
        }
    }

    @Before
    public void setUp() throws Exception {
        DirContext dirContext = (DirContext) ServerIntegrationUtils.getWiredContext(getLdapServer()).lookup("ou=schema");
        Attributes attributes = dirContext.getAttributes("cn=Krb5kdc");
        boolean z = false;
        if (attributes.get("m-disabled") != null) {
            z = ((String) attributes.get("m-disabled").get()).equalsIgnoreCase("TRUE");
        }
        if (z) {
            dirContext.modifyAttributes("cn=Krb5kdc", new ModificationItem[]{new ModificationItem(3, new BasicAttribute("m-disabled"))});
        }
        DirContext dirContext2 = (DirContext) ServerIntegrationUtils.getWiredContext(getLdapServer()).lookup("dc=example,dc=com");
        dirContext2.createSubcontext("ou=users", getOrgUnitAttributes("users")).createSubcontext("uid=hnelson", getPersonAttributes("Nelson", "Horatio Nelson", "hnelson", "secret", "hnelson@EXAMPLE.COM"));
        dirContext2.close();
    }

    @Test
    public void testAddDerivedKeys() throws NamingException, KerberosException, UnknownHostException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", Network.ldapLoopbackUrl(getLdapServer().getPort()));
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.security.principal", RDN);
        hashtable.put("java.naming.security.credentials", "secret");
        hashtable.put("java.naming.ldap.attributes.binary", "krb5key");
        InitialDirContext initialDirContext = new InitialDirContext(hashtable);
        Attributes attributes = initialDirContext.getAttributes(RDN, new String[]{"uid", "userPassword", "krb5Key", "krb5KeyVersionNumber"});
        String str = null;
        if (attributes.get("uid") != null) {
            str = (String) attributes.get("uid").get();
        }
        Assert.assertEquals(str, "hnelson");
        byte[] bArr = null;
        if (attributes.get("userPassword") != null) {
            bArr = (byte[]) attributes.get("userPassword").get();
        }
        checkKeyNumber(attributes);
        Assert.assertTrue(Arrays.equals(bArr, new byte[]{115, 101, 99, 114, 101, 116}));
        EncryptionKey encryptionKey = reconstituteKeyMap(attributes.get("krb5key")).get(EncryptionType.DES_CBC_MD5);
        Assert.assertTrue(Arrays.equals(encryptionKey.getKeyValue(), new byte[]{-12, -89, 19, 100, -118, 97, -50, 91}));
        Assert.assertEquals(EncryptionType.DES_CBC_MD5, encryptionKey.getKeyType());
        int i = -1;
        if (attributes.get("krb5KeyVersionNumber") != null) {
            i = Integer.valueOf((String) attributes.get("krb5KeyVersionNumber").get()).intValue();
        }
        Assert.assertEquals("Key version number", 0L, i);
        initialDirContext.close();
    }

    @Test
    public void testModifyDerivedKeys() throws NamingException, KerberosException, UnknownHostException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", Network.ldapLoopbackUrl(getLdapServer().getPort()));
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.security.principal", RDN);
        hashtable.put("java.naming.security.credentials", "secret");
        hashtable.put("java.naming.ldap.attributes.binary", "krb5key");
        InitialDirContext initialDirContext = new InitialDirContext(hashtable);
        BasicAttributes basicAttributes = new BasicAttributes(true);
        basicAttributes.put(new BasicAttribute("userPassword", "secretsecret"));
        basicAttributes.put(new BasicAttribute("krb5PrincipalName", "hnelson@EXAMPLE.COM"));
        ((DirContext) initialDirContext.lookup(RDN)).modifyAttributes("", 2, basicAttributes);
        Attributes attributes = ((DirContext) initialDirContext.lookup(RDN)).getAttributes("");
        byte[] bArr = null;
        if (attributes.get("userPassword") != null) {
            bArr = (byte[]) attributes.get("userPassword").get();
        }
        checkKeyNumber(attributes);
        Assert.assertTrue(Arrays.equals(bArr, new byte[]{115, 101, 99, 114, 101, 116, 115, 101, 99, 114, 101, 116}));
        EncryptionKey encryptionKey = reconstituteKeyMap(attributes.get("krb5key")).get(EncryptionType.DES_CBC_MD5);
        Assert.assertTrue(Arrays.equals(encryptionKey.getKeyValue(), new byte[]{22, 74, 109, -119, 93, 118, 14, 35}));
        Assert.assertEquals(EncryptionType.DES_CBC_MD5, encryptionKey.getKeyType());
        int i = -1;
        if (attributes.get("krb5KeyVersionNumber") != null) {
            i = Integer.valueOf((String) attributes.get("krb5KeyVersionNumber").get()).intValue();
        }
        Assert.assertEquals("Key version number", 1L, i);
        BasicAttributes basicAttributes2 = new BasicAttributes(true);
        basicAttributes2.put(new BasicAttribute("userPassword", "secretsecretsecret"));
        basicAttributes2.put(new BasicAttribute("krb5PrincipalName", "hnelson@EXAMPLE.COM"));
        ((DirContext) initialDirContext.lookup(RDN)).modifyAttributes("", 2, basicAttributes2);
        Attributes attributes2 = ((DirContext) initialDirContext.lookup(RDN)).getAttributes("");
        if (attributes2.get("userPassword") != null) {
            bArr = (byte[]) attributes2.get("userPassword").get();
        }
        Assert.assertEquals("password length", 18L, bArr.length);
        if (attributes2.get("krb5KeyVersionNumber") != null) {
            i = Integer.valueOf((String) attributes2.get("krb5KeyVersionNumber").get()).intValue();
        }
        Assert.assertEquals("Key version number", 2L, i);
        BasicAttributes basicAttributes3 = new BasicAttributes(true);
        basicAttributes3.put(new BasicAttribute("userPassword", "secretsecretsecretsecret"));
        basicAttributes3.put(new BasicAttribute("krb5PrincipalName", "hnelson@EXAMPLE.COM"));
        ((DirContext) initialDirContext.lookup(RDN)).modifyAttributes("", 2, basicAttributes3);
        Attributes attributes3 = ((DirContext) initialDirContext.lookup(RDN)).getAttributes("");
        if (attributes3.get("userPassword") != null) {
            bArr = (byte[]) attributes3.get("userPassword").get();
        }
        Assert.assertEquals("password length", 24L, bArr.length);
        if (attributes3.get("krb5KeyVersionNumber") != null) {
            i = Integer.valueOf((String) attributes3.get("krb5KeyVersionNumber").get()).intValue();
        }
        Assert.assertEquals("Key version number", 3L, i);
        initialDirContext.close();
    }

    @Test
    public void testModifyDerivedKeysWithoutPrincipalName() throws NamingException, KerberosException, UnknownHostException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", Network.ldapLoopbackUrl(getLdapServer().getPort()));
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.security.principal", RDN);
        hashtable.put("java.naming.security.credentials", "secret");
        hashtable.put("java.naming.ldap.attributes.binary", "krb5key");
        InitialDirContext initialDirContext = new InitialDirContext(hashtable);
        BasicAttributes basicAttributes = new BasicAttributes(true);
        basicAttributes.put(new BasicAttribute("userPassword", "secretsecret"));
        ((DirContext) initialDirContext.lookup(RDN)).modifyAttributes("", 2, basicAttributes);
        Attributes attributes = ((DirContext) initialDirContext.lookup(RDN)).getAttributes("");
        byte[] bArr = null;
        if (attributes.get("userPassword") != null) {
            bArr = (byte[]) attributes.get("userPassword").get();
        }
        checkKeyNumber(attributes);
        Assert.assertTrue(Arrays.equals(bArr, new byte[]{115, 101, 99, 114, 101, 116, 115, 101, 99, 114, 101, 116}));
        EncryptionKey encryptionKey = reconstituteKeyMap(attributes.get("krb5key")).get(EncryptionType.DES_CBC_MD5);
        Assert.assertTrue(Arrays.equals(encryptionKey.getKeyValue(), new byte[]{22, 74, 109, -119, 93, 118, 14, 35}));
        Assert.assertEquals(EncryptionType.DES_CBC_MD5, encryptionKey.getKeyType());
        int i = -1;
        if (attributes.get("krb5KeyVersionNumber") != null) {
            i = Integer.valueOf((String) attributes.get("krb5KeyVersionNumber").get()).intValue();
        }
        Assert.assertEquals("Key version number", 1L, i);
        BasicAttributes basicAttributes2 = new BasicAttributes(true);
        basicAttributes2.put(new BasicAttribute("userPassword", "secretsecretsecret"));
        ((DirContext) initialDirContext.lookup(RDN)).modifyAttributes("", 2, basicAttributes2);
        Attributes attributes2 = ((DirContext) initialDirContext.lookup(RDN)).getAttributes("");
        if (attributes2.get("userPassword") != null) {
            bArr = (byte[]) attributes2.get("userPassword").get();
        }
        Assert.assertEquals("password length", 18L, bArr.length);
        if (attributes2.get("krb5KeyVersionNumber") != null) {
            i = Integer.valueOf((String) attributes2.get("krb5KeyVersionNumber").get()).intValue();
        }
        Assert.assertEquals("Key version number", 2L, i);
        BasicAttributes basicAttributes3 = new BasicAttributes(true);
        basicAttributes3.put(new BasicAttribute("userPassword", "secretsecretsecretsecret"));
        ((DirContext) initialDirContext.lookup(RDN)).modifyAttributes("", 2, basicAttributes3);
        Attributes attributes3 = ((DirContext) initialDirContext.lookup(RDN)).getAttributes("");
        if (attributes3.get("userPassword") != null) {
            bArr = (byte[]) attributes3.get("userPassword").get();
        }
        Assert.assertEquals("password length", 24L, bArr.length);
        if (attributes3.get("krb5KeyVersionNumber") != null) {
            i = Integer.valueOf((String) attributes3.get("krb5KeyVersionNumber").get()).intValue();
        }
        Assert.assertEquals("Key version number", 3L, i);
        initialDirContext.close();
    }

    @Test
    public void testAddRandomKeys() throws NamingException, KerberosException, InvalidKeyException, UnknownHostException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.provider.url", Network.ldapLoopbackUrl(getLdapServer().getPort()) + "/ou=users,dc=example,dc=com");
        hashtable.put("java.naming.security.principal", "uid=admin,ou=system");
        hashtable.put("java.naming.security.credentials", "secret");
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.ldap.attributes.binary", "krb5key");
        InitialDirContext initialDirContext = new InitialDirContext(hashtable);
        initialDirContext.createSubcontext("uid=tquist", getPersonAttributes("Quist", "Thomas Quist", "tquist", "randomKey", "tquist@EXAMPLE.COM"));
        initialDirContext.createSubcontext("uid=jfryer", getPersonAttributes("Fryer", "John Fryer", "jfryer", "randomKey", "jfryer@EXAMPLE.COM"));
        String[] strArr = {"uid", "userPassword", "krb5Key"};
        Attributes attributes = initialDirContext.getAttributes("uid=tquist", strArr);
        Attributes attributes2 = initialDirContext.getAttributes("uid=jfryer", strArr);
        String str = null;
        byte[] bArr = null;
        if (attributes.get("uid") != null) {
            str = (String) attributes.get("uid").get();
        }
        Assert.assertEquals("tquist", str);
        if (attributes.get("userPassword") != null) {
            bArr = (byte[]) attributes.get("userPassword").get();
        }
        byte[] bArr2 = {114, 97, 110, 100, 111, 109, 75, 101, 121};
        Assert.assertTrue(Arrays.equals(bArr2, bArr));
        if (attributes2.get("uid") != null) {
            str = (String) attributes2.get("uid").get();
        }
        Assert.assertEquals("jfryer", str);
        if (attributes2.get("userPassword") != null) {
            bArr = (byte[]) attributes2.get("userPassword").get();
        }
        Assert.assertTrue(Arrays.equals(bArr2, bArr));
        byte[] bArr3 = {-12, -89, 19, 100, -118, 97, -50, 91};
        EncryptionKey encryptionKey = reconstituteKeyMap(attributes.get("krb5key")).get(EncryptionType.DES_CBC_MD5);
        byte[] keyValue = encryptionKey.getKeyValue();
        Assert.assertEquals(EncryptionType.DES_CBC_MD5, encryptionKey.getKeyType());
        EncryptionKey encryptionKey2 = reconstituteKeyMap(attributes2.get("krb5key")).get(EncryptionType.DES_CBC_MD5);
        byte[] keyValue2 = encryptionKey2.getKeyValue();
        Assert.assertEquals(EncryptionType.DES_CBC_MD5, encryptionKey2.getKeyType());
        Assert.assertEquals("Key length", 8L, keyValue.length);
        Assert.assertEquals("Key length", 8L, keyValue2.length);
        Assert.assertFalse(Arrays.equals(bArr3, keyValue));
        Assert.assertFalse(Arrays.equals(bArr3, keyValue2));
        Assert.assertFalse(Arrays.equals(keyValue2, keyValue));
        Assert.assertFalse(Arrays.equals(new byte[]{-3, Byte.MAX_VALUE, 107, -125, -92, 118, -63, -22}, keyValue));
        Assert.assertFalse(Arrays.equals(new byte[]{-92, 16, 59, 73, -50, 11, -75, 7}, keyValue2));
        Assert.assertTrue(DESKeySpec.isParityAdjusted(keyValue, 0));
        Assert.assertTrue(DESKeySpec.isParityAdjusted(keyValue2, 0));
        initialDirContext.close();
    }

    protected Attributes getPersonAttributes(String str, String str2, String str3, String str4, String str5) {
        BasicAttributes basicAttributes = new BasicAttributes(true);
        BasicAttribute basicAttribute = new BasicAttribute("objectClass");
        basicAttribute.add("top");
        basicAttribute.add("person");
        basicAttribute.add("inetOrgPerson");
        basicAttribute.add("krb5principal");
        basicAttribute.add("krb5kdcentry");
        basicAttributes.put(basicAttribute);
        basicAttributes.put("cn", str2);
        basicAttributes.put("sn", str);
        basicAttributes.put("uid", str3);
        basicAttributes.put("userPassword", str4);
        basicAttributes.put("krb5PrincipalName", str5);
        basicAttributes.put("krb5KeyVersionNumber", "0");
        return basicAttributes;
    }

    protected Attributes getOrgUnitAttributes(String str) {
        BasicAttributes basicAttributes = new BasicAttributes(true);
        BasicAttribute basicAttribute = new BasicAttribute("objectClass");
        basicAttribute.add("top");
        basicAttribute.add("organizationalUnit");
        basicAttributes.put(basicAttribute);
        basicAttributes.put("ou", str);
        return basicAttributes;
    }

    private Map<EncryptionType, EncryptionKey> reconstituteKeyMap(Attribute attribute) throws NamingException, KerberosException {
        HashMap hashMap = new HashMap();
        for (int i = 0; i < attribute.size(); i++) {
            EncryptionKey decodeEncryptionKey = KerberosDecoder.decodeEncryptionKey((byte[]) attribute.get(i));
            hashMap.put(decodeEncryptionKey.getKeyType(), decodeEncryptionKey);
        }
        return hashMap;
    }
}
