package org.apache.qpid.server.security.auth.sasl.scram;

import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.configuration.BrokerProperties;
import org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager;

/* loaded from: input_file:org/apache/qpid/server/security/auth/sasl/scram/ScramSaslServer.class */
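/**
 * Server side of a SCRAM SASL exchange (RFC 5802) without channel binding.
 *
 * <p>The exchange is a two-step state machine driven by {@link #evaluateResponse(byte[])}:
 * the client-first-message yields the server-first-message (combined nonce, salt and
 * iteration count), and the client-final-message is checked against the stored salted
 * password to yield the server-final-message (the server signature). Salt, iteration count
 * and salted password are supplied by the {@code AbstractScramAuthenticationManager}.
 *
 * <p>Instances are single-use and not thread-safe: every field written during the exchange
 * is per-authentication state. No security layer (wrap/unwrap) is offered.
 */
public class ScramSaslServer implements SaslServer {
    public final String _mechanism;
    public final String _hmacName;
    public final String _digestName;
    // SCRAM messages are ASCII on the wire; the client escapes "," and "=" in the username.
    private static final Charset ASCII = Charset.forName("ASCII");
    private final AbstractScramAuthenticationManager _authManager;
    private State _state = State.INITIAL;
    // Combined nonce: the client's r= value followed by the server-generated part.
    private String _nonce;
    // Username as sent in n= with the SCRAM escaping reversed (see decodeUsername).
    private String _username;
    // gs2-header bytes ("n,<authzid>,") that the client must echo base64-encoded in c=.
    private byte[] _gs2Header;
    private String _serverFirstMessage;
    private String _clientFirstMessageBare;

    /** Position in the two-round-trip SCRAM exchange. */
    enum State {
        INITIAL,
        SERVER_FIRST_MESSAGE_SENT,
        COMPLETE
    }

    /**
     * Creates a server for one SCRAM exchange.
     *
     * @param authManager source of salt, iteration count and salted password per user
     * @param mechanism   SASL mechanism name reported by {@link #getMechanismName()}
     * @param hmacName    JCA Mac algorithm name (e.g. an HMAC variant) used for the SCRAM keys
     * @param digestName  JCA MessageDigest algorithm name used to derive StoredKey from ClientKey
     */
    public ScramSaslServer(AbstractScramAuthenticationManager authManager,
                           String mechanism,
                           String hmacName,
                           String digestName) {
        _authManager = authManager;
        _mechanism = mechanism;
        _hmacName = hmacName;
        _digestName = digestName;
    }

    @Override
    public String getMechanismName() {
        return _mechanism;
    }

    /**
     * Advances the exchange by one step.
     *
     * @param response the client's message for the current state
     * @return the server's reply; an empty array once the exchange is complete and the client
     *         sends an empty token
     * @throws SaslException if the message cannot be parsed, the proof is wrong, or a
     *                       non-empty message arrives after completion
     */
    @Override
    public byte[] evaluateResponse(byte[] response) throws SaslException {
        switch (_state) {
            case INITIAL: {
                byte[] serverFirst = generateServerFirstMessage(response);
                _state = State.SERVER_FIRST_MESSAGE_SENT;
                return serverFirst;
            }
            case SERVER_FIRST_MESSAGE_SENT: {
                // On a failed proof the exception propagates and the state is left unchanged;
                // NOTE(review): the caller is expected to discard this server on failure rather
                // than retry with the same nonce -- confirm against the SASL layer's handling.
                byte[] serverFinal = generateServerFinalMessage(response);
                _state = State.COMPLETE;
                return serverFinal;
            }
            case COMPLETE:
                // Some clients send an empty token to finish the handshake; anything else is an error.
                if (response == null || response.length == 0) {
                    return new byte[0];
                }
                throw new SaslException("No response expected in state " + _state);
            default:
                throw new SaslException("No response expected in state " + _state);
        }
    }

    /**
     * Parses the client-first-message and builds the server-first-message
     * ({@code r=<nonce>,s=<salt>,i=<iterations>}).
     *
     * @throws SaslException if the gs2-header is not the "n" (no channel binding) form or the
     *                       message lacks the n= and r= attributes
     */
    private byte[] generateServerFirstMessage(byte[] response) throws SaslException {
        if (response == null || response.length == 0) {
            throw new SaslException("Cannot parse client first message");
        }
        String clientFirstMessage = new String(response, ASCII);
        // Only the "n" gs2-cbind-flag is supported; "y" and "p=" (channel binding) are rejected.
        if (!clientFirstMessage.startsWith("n,")) {
            throw new SaslException("Cannot parse gs2-header");
        }
        String[] parts = clientFirstMessage.split(",");
        if (parts.length < 4) {
            throw new SaslException("Cannot parse client first message");
        }
        // parts[1] is the (usually empty) authzid; the whole header is echoed by the client in c=.
        _gs2Header = ("n," + parts[1] + ",").getBytes(ASCII);
        _clientFirstMessageBare = clientFirstMessage.substring(_gs2Header.length);
        if (!parts[2].startsWith("n=")) {
            throw new SaslException("Cannot parse client first message");
        }
        _username = decodeUsername(parts[2].substring(2));
        if (!parts[3].startsWith("r=")) {
            throw new SaslException("Cannot parse client first message");
        }
        // Server nonce part; UUID.randomUUID() is backed by a SecureRandom.
        _nonce = parts[3].substring(2) + UUID.randomUUID().toString();
        // NOTE(review): javax.xml.bind is not part of the JDK from Java 11 on;
        // java.util.Base64 (Java 8+) is the stdlib replacement for these calls.
        _serverFirstMessage = "r=" + _nonce
                + ",s=" + DatatypeConverter.printBase64Binary(_authManager.getSalt(_username))
                + ",i=" + _authManager.getIterationCount();
        return _serverFirstMessage.getBytes(ASCII);
    }

    /**
     * Reverses the SCRAM username escaping: {@code =2C} becomes {@code ,} and {@code =3D}
     * becomes {@code =}. Every {@code =} must start one of these two sequences.
     *
     * @throws SaslException if an {@code =} is followed by anything other than {@code 2C} or {@code 3D}
     */
    private String decodeUsername(String encoded) throws SaslException {
        if (!encoded.contains("=")) {
            return encoded;
        }
        // Validate every escape first so a stray "=" is rejected rather than passed through.
        String rest = encoded;
        while (rest.contains("=")) {
            rest = rest.substring(rest.indexOf('=') + 1);
            if (!rest.startsWith("2C") && !rest.startsWith("3D")) {
                throw new SaslException("Invalid username");
            }
        }
        // Order matters: "=3D" is expanded last so an encoded "=2C" literal stays as "=2C".
        return encoded.replace("=2C", ",").replace("=3D", "=");
    }

    /**
     * Verifies the client-final-message ({@code c=...,r=...,p=...}) and builds the
     * server-final-message ({@code v=<server signature>}).
     *
     * @throws SaslException if the message is malformed, the channel-binding data or nonce does
     *                       not match what was sent, the proof is wrong, or the configured
     *                       digest/HMAC algorithm is unavailable
     */
    private byte[] generateServerFinalMessage(byte[] response) throws SaslException {
        if (response == null || response.length == 0) {
            throw new SaslException("Cannot parse client final message");
        }
        try {
            String clientFinalMessage = new String(response, ASCII);
            String[] parts = clientFinalMessage.split(",");
            // Need at least c=, r= and a trailing p=; fewer parts can never be a valid message.
            if (parts.length < 3) {
                throw new SaslException("Cannot parse client final message");
            }
            if (!parts[0].startsWith("c=")) {
                throw new SaslException("Cannot parse client final message");
            }
            byte[] channelBinding = DatatypeConverter.parseBase64Binary(parts[0].substring(2));
            if (!MessageDigest.isEqual(_gs2Header, channelBinding)) {
                throw new SaslException("Client final message channel bind data invalid");
            }
            if (!parts[1].startsWith("r=")) {
                throw new SaslException("Cannot parse client final message");
            }
            if (!parts[1].substring(2).equals(_nonce)) {
                throw new SaslException("Client final message has incorrect nonce value");
            }
            String proofAttribute = parts[parts.length - 1];
            if (!proofAttribute.startsWith("p=")) {
                throw new SaslException("Client final message does not have proof");
            }
            // client-final-message-without-proof: everything before the ",p=..." attribute.
            String clientFinalMessageWithoutProof = clientFinalMessage.substring(
                    0, clientFinalMessage.length() - (1 + proofAttribute.length()));
            byte[] clientProof = DatatypeConverter.parseBase64Binary(proofAttribute.substring(2));
            String authMessage = _clientFirstMessageBare + "," + _serverFirstMessage + ","
                    + clientFinalMessageWithoutProof;

            byte[] saltedPassword = _authManager.getSaltedPassword(_username);
            byte[] clientKey = computeHmac(saltedPassword, "Client Key");
            byte[] storedKey = MessageDigest.getInstance(_digestName).digest(clientKey);
            byte[] clientSignature = computeHmac(storedKey, authMessage);
            byte[] expectedProof = xor(clientKey, clientSignature);
            // Constant-time comparison so a wrong proof does not leak how many leading bytes matched.
            if (!MessageDigest.isEqual(expectedProof, clientProof)) {
                throw new SaslException("Authentication failed");
            }
            byte[] serverKey = computeHmac(saltedPassword, "Server Key");
            byte[] serverSignature = computeHmac(serverKey, authMessage);
            return ("v=" + DatatypeConverter.printBase64Binary(serverSignature)).getBytes(ASCII);
        } catch (NoSuchAlgorithmException e) {
            throw new SaslException(e.getMessage(), e);
        }
    }

    /** Returns {@code left XOR right} as a new array; both come from the same Mac and have equal length. */
    private static byte[] xor(byte[] left, byte[] right) {
        byte[] result = new byte[left.length];
        for (int i = 0; i < left.length; i++) {
            result[i] = (byte) (left[i] ^ right[i]);
        }
        return result;
    }

    @Override
    public boolean isComplete() {
        return _state == State.COMPLETE;
    }

    /**
     * Returns the authenticated username ({@code n=} attribute, unescaped), or {@code null}
     * before the client-first-message has been processed. The gs2 authzid is not consulted.
     */
    @Override
    public String getAuthorizationID() {
        return _username;
    }

    /** No security layer is negotiated, so unwrap is never valid. */
    @Override
    public byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException {
        throw new IllegalStateException("No security layer supported");
    }

    /** No security layer is negotiated, so wrap is never valid. */
    @Override
    public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException {
        throw new IllegalStateException("No security layer supported");
    }

    /** No properties are negotiated; always {@code null}. */
    @Override
    public Object getNegotiatedProperty(String propName) {
        return null;
    }

    /** Nothing to release: the exchange holds only plain fields reclaimed with the instance. */
    @Override
    public void dispose() throws SaslException {
    }

    /**
     * Computes HMAC(key, message) with the configured HMAC algorithm; {@code message} is
     * encoded as ASCII.
     */
    private byte[] computeHmac(byte[] key, String message) throws SaslException {
        Mac mac = createHmac(key);
        mac.update(message.getBytes(ASCII));
        return mac.doFinal();
    }

    /**
     * Creates and initialises a Mac for {@code _hmacName} keyed with {@code key}.
     *
     * @throws SaslException if the algorithm is unavailable or the key is rejected
     */
    private Mac createHmac(byte[] key) throws SaslException {
        try {
            Mac mac = Mac.getInstance(_hmacName);
            mac.init(new SecretKeySpec(key, _hmacName));
            return mac;
        } catch (InvalidKeyException e) {
            throw new SaslException(e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new SaslException(e.getMessage(), e);
        }
    }
}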
