package org.apache.qpid.server.security.auth.manager;

import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager;
import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.class */
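/**
 * Base class for authentication providers that keep SCRAM-style salted password verifiers.
 *
 * <p>Each user's stored credential is the string {@code base64(salt) + "," + base64(saltedPassword)},
 * as produced by {@link #createStoredPassword(String)}. Subclasses choose the SASL mechanism name and
 * the HMAC and digest algorithm names.
 *
 * <p>Two mechanisms are offered: the subclass's SCRAM mechanism and {@code PLAIN}. With {@code PLAIN}
 * the password is handed to {@link #authenticate(String, String)} as-is, so its confidentiality on
 * the wire depends entirely on the transport.
 * NOTE(review): nothing in this class restricts {@code PLAIN} to encrypted connections; confirm that
 * the port/transport configuration does.
 */
public abstract class AbstractScramAuthenticationManager<X extends AbstractScramAuthenticationManager<X>> extends ConfigModelPasswordManagingAuthenticationProvider<X> implements PasswordCredentialManagingAuthenticationProvider<X> {
    public static final String PLAIN = "PLAIN";

    /** Big-endian encoding of the block index 1 that is appended to the salt for the first HMAC. */
    private static final byte[] INT_1 = {0, 0, 0, 1};

    /** Length in bytes of freshly generated salts, both real and decoy. */
    private static final int SALT_LENGTH = 32;

    private final SecureRandom _random;

    // 4096 is the minimum iteration count named by RFC 5802. Stored verifiers are derived with this
    // value, so raising it requires re-deriving every stored credential.
    private int _iterationCount;

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractScramAuthenticationManager(Map<String, Object> map, Broker broker) {
        super(map, broker);
        this._random = new SecureRandom();
        this._iterationCount = 4096;
    }

    /**
     * Returns the SASL mechanisms offered by this provider.
     *
     * @return an unmodifiable list holding the subclass's SCRAM mechanism name followed by {@code PLAIN}
     */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public List<String> getMechanisms() {
        return Collections.unmodifiableList(Arrays.asList(getMechanismName(), PLAIN));
    }

    /** Returns the SASL name of the SCRAM mechanism implemented by the subclass. */
    protected abstract String getMechanismName();

    /**
     * Creates the SASL server for the requested mechanism.
     *
     * @param mechanism the mechanism name requested by the peer
     * @param str2 not used by this implementation
     * @param principal not used by this implementation
     * @return a {@link ScramSaslServer} for the SCRAM mechanism or a {@link PlainAdapterSaslServer} for {@code PLAIN}
     * @throws SaslException if {@code mechanism} is neither of the two supported names
     */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public SaslServer createSaslServer(String mechanism, String str2, Principal principal) throws SaslException {
        if (getMechanismName().equals(mechanism)) {
            return new ScramSaslServer(this, getMechanismName(), getHmacName(), getDigestName());
        }
        if (PLAIN.equals(mechanism)) {
            return new PlainAdapterSaslServer(this);
        }
        throw new SaslException("Unknown mechanism: " + mechanism);
    }

    /** Returns the digest algorithm name that is passed to {@link ScramSaslServer}. */
    protected abstract String getDigestName();

    /**
     * Checks a clear-text password against the stored salted verifier of the named user.
     *
     * <p>The verifier comparison uses {@link MessageDigest#isEqual(byte[], byte[])} so that the time
     * taken does not depend on how many leading bytes match. A stored credential that does not have
     * the {@code salt,saltedPassword} shape is reported as an error result instead of escaping as an
     * {@link ArrayIndexOutOfBoundsException}.
     *
     * @param username the name of the user to authenticate
     * @param password the clear-text password presented by the peer
     * @return a result carrying a {@link UsernamePrincipal} on success, otherwise a result with status
     *     {@code ERROR} (with the cause attached when the stored credential could not be processed)
     */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public AuthenticationResult authenticate(String username, String password) {
        ManagedUser user = getUser(username);
        if (user == null) {
            // NOTE(review): this path returns without running the key derivation, so it completes
            // faster than a failed attempt for an existing user. If user-name confidentiality
            // matters, equalise the work done on both paths.
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
        }

        String[] parts = user.getPassword().split(",");
        if (parts.length < 2) {
            // The message deliberately contains none of the stored credential.
            return new AuthenticationResult(
                    AuthenticationResult.AuthenticationStatus.ERROR,
                    new IllegalArgumentException("Stored credential is not in the expected salt,saltedPassword form"));
        }

        try {
            byte[] salt = DatatypeConverter.parseBase64Binary(parts[0]);
            byte[] expected = DatatypeConverter.parseBase64Binary(parts[1]);
            byte[] presented = createSaltedPassword(salt, password);
            if (MessageDigest.isEqual(expected, presented)) {
                return new AuthenticationResult(new UsernamePrincipal(username));
            }
        } catch (IllegalArgumentException e) {
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        }
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
    }

    /** Returns the iteration count used when deriving salted passwords. */
    public int getIterationCount() {
        return this._iterationCount;
    }

    /**
     * Returns the salt for the named user, or a random decoy salt when the user does not exist.
     *
     * @param username the name of the user whose salt is requested
     * @return the decoded stored salt, or {@value #SALT_LENGTH} random bytes for an unknown user
     */
    public byte[] getSalt(String username) {
        ManagedUser user = getUser(username);
        if (user != null) {
            return DatatypeConverter.parseBase64Binary(user.getPassword().split(",")[0]);
        }
        // NOTE(review): the decoy salt is regenerated on every call, whereas a stored salt is
        // stable across calls. Deriving the decoy from a server-side secret and the user name would
        // keep the answer for an unknown name consistent.
        byte[] decoy = new byte[SALT_LENGTH];
        this._random.nextBytes(decoy);
        return decoy;
    }

    /**
     * Returns the stored salted password (the second field of the stored credential) for a user.
     *
     * @param username the name of the user whose verifier is requested
     * @return the decoded salted password
     * @throws SaslException if the user does not exist or the stored credential has no second field;
     *     both cases use the same generic message
     */
    public byte[] getSaltedPassword(String username) throws SaslException {
        ManagedUser user = getUser(username);
        if (user == null) {
            throw new SaslException("Authentication Failed");
        }
        String[] parts = user.getPassword().split(",");
        if (parts.length < 2) {
            // A malformed record is reported like any other failure, not as an unchecked exception.
            throw new SaslException("Authentication Failed");
        }
        return DatatypeConverter.parseBase64Binary(parts[1]);
    }

    /**
     * Derives the salted password: U1 = HMAC(password, salt || INT(1)), Un = HMAC(password, Un-1),
     * result = U1 xor U2 xor ... xor Ui, with i = {@link #getIterationCount()}. This is the Hi()
     * construction of RFC 5802, i.e. PBKDF2 limited to one output block.
     *
     * <p>NOTE(review): {@code ASCII} is not declared in this class (presumably inherited). If it is
     * the US-ASCII charset, {@link String#getBytes(java.nio.charset.Charset)} replaces every
     * non-ASCII password character with the same substitute byte, so such passwords lose entropy.
     * {@link #validateUser(ManagedUser)} restricts user names only, not passwords.
     *
     * @param salt the salt bytes
     * @param password the clear-text password, used as the HMAC key
     * @return the derived salted password
     * @throws IllegalArgumentException if the HMAC cannot be created for the given key
     */
    private byte[] createSaltedPassword(byte[] salt, String password) {
        Mac hmac = createShaHmac(password.getBytes(ASCII));
        hmac.update(salt);
        hmac.update(INT_1);
        byte[] result = hmac.doFinal();

        // 'previous' starts as an alias of 'result'; it is fed to the HMAC before 'result' is XOR-ed
        // and is then replaced by a fresh array, so the first round still hashes the unmodified U1.
        byte[] previous = result;
        final int iterations = getIterationCount();
        for (int round = 1; round < iterations; round++) {
            hmac.update(previous);
            previous = hmac.doFinal();
            for (int i = 0; i < result.length; i++) {
                result[i] ^= previous[i];
            }
        }
        return result;
    }

    /**
     * Creates an initialised {@link Mac} for the subclass's HMAC algorithm.
     *
     * @param keyBytes the raw key material
     * @return a {@link Mac} initialised with {@code keyBytes}
     * @throws IllegalArgumentException if the algorithm is unavailable or the key is rejected
     */
    private Mac createShaHmac(byte[] keyBytes) {
        try {
            String algorithm = getHmacName();
            Mac mac = Mac.getInstance(algorithm);
            mac.init(new SecretKeySpec(keyBytes, algorithm));
            return mac;
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /** Returns the JCA name of the HMAC algorithm used for key derivation. */
    protected abstract String getHmacName();

    /**
     * Builds the stored credential for a new password using a fresh random salt.
     *
     * @param password the clear-text password
     * @return {@code base64(salt) + "," + base64(saltedPassword)}
     */
    @Override // org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider
    protected String createStoredPassword(String password) {
        byte[] salt = new byte[SALT_LENGTH];
        this._random.nextBytes(salt);
        String encodedSalt = DatatypeConverter.printBase64Binary(salt);
        String encodedVerifier = DatatypeConverter.printBase64Binary(createSaltedPassword(salt, password));
        return encodedSalt + "," + encodedVerifier;
    }

    /**
     * Rejects users whose name cannot be encoded with the {@code ASCII} charset.
     *
     * @param managedUser the user being validated
     * @throws IllegalArgumentException if the name contains characters outside that charset
     */
    @Override // org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider
    void validateUser(ManagedUser managedUser) {
        if (!ASCII.newEncoder().canEncode(managedUser.getName())) {
            throw new IllegalArgumentException("User names are restricted to characters in the ASCII charset");
        }
    }
}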
