package org.apache.kerby.kerberos.kerb.server.preauth.builtin;

import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
import org.apache.kerby.kerberos.kerb.preauth.builtin.EncTsPreauthMeta;
import org.apache.kerby.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
import org.apache.kerby.kerberos.kerb.server.request.KdcRequest;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaEncTsEnc;

/* loaded from: input_file:WEB-INF/lib/kerb-server-2.0.3.jar:org/apache/kerby/kerberos/kerb/server/preauth/builtin/EncTsPreauth.class */
public class EncTsPreauth extends AbstractPreauthPlugin {
    public EncTsPreauth() {
        super(new EncTsPreauthMeta());
    }

    @Override // org.apache.kerby.kerberos.kerb.server.preauth.AbstractPreauthPlugin, org.apache.kerby.kerberos.kerb.server.preauth.KdcPreauth
    public boolean verify(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext, PaDataEntry paDataEntry) throws KrbException {
        EncryptedData encryptedData = (EncryptedData) KrbCodec.decode(paDataEntry.getPaDataValue(), EncryptedData.class);
        EncryptionKey clientKey = kdcRequest.getClientKey(encryptedData.getEType());
        if (clientKey == null) {
            throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
        }
        PaEncTsEnc paEncTsEnc = (PaEncTsEnc) EncryptionUtil.unseal(encryptedData, clientKey, KeyUsage.AS_REQ_PA_ENC_TS, PaEncTsEnc.class);
        if (paEncTsEnc.getAllTime().isInClockSkew(kdcRequest.getKdcContext().getConfig().getAllowableClockSkew() * 1000)) {
            return true;
        }
        throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED);
    }
}
