package org.wildfly.security.sasl.digest;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.function.Supplier;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.digest.DigestQuote;
import org.wildfly.security.sasl.digest.AbstractDigestMechanism;
import org.wildfly.security.sasl.digest._private.DigestUtil;
import org.wildfly.security.sasl.util.SaslMechanismInformation;
import org.wildfly.security.util.ByteStringBuilder;
import org.wildfly.security.util.DefaultTransformationMapper;
import org.wildfly.security.util.TransformationSpec;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.2.1.Final.jar:org/wildfly/security/sasl/digest/DigestSaslClient.class */
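/**
 * Client side of the SASL DIGEST mechanism: consumes the server's digest challenge, answers it
 * with a digest response, and finally verifies the server's {@code rspauth} value.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Everything read from the challenge (realm, qop, maxbuf, nonce, cipher, charset) is
 *       server-controlled and arrives before the peer has been authenticated, so it is treated
 *       as untrusted input here.</li>
 *   <li>The quality of protection is negotiated from that unauthenticated challenge. The result
 *       is therefore only as strong as the weakest entry in {@code clientQops}; callers that
 *       require integrity or confidentiality should not offer plain {@code "auth"}.</li>
 *   <li>The nonce count is fixed at 1 (see {@link #getNonceCount()}), i.e. this client performs
 *       initial authentication only.</li>
 * </ul>
 */
final class DigestSaslClient extends AbstractDigestMechanism implements SaslClient {
    /** Negotiation state: waiting for the server's digest challenge. */
    private static final byte STEP_TWO = 2;
    /** Negotiation state: waiting for the server's {@code rspauth} message. */
    private static final byte STEP_FOUR = 4;
    // Realms offered by the server in the challenge (may be empty).
    private String[] realms;
    // QOP values this client is willing to use, in order of preference.
    private String[] clientQops;
    // Value of the "stale" directive from the last challenge; recorded but not read in this class.
    private boolean stale;
    // Value echoed in the "maxbuf" directive of the response.
    private int maxbuf;
    // Raw, comma-separated cipher list offered by the server.
    private String cipher_opts;
    private final boolean hasInitialResponse;
    // Cipher tokens the caller accepts; never null.
    private final String[] demandedCiphers;

    /**
     * Creates the client.
     *
     * <p>Note: the decompiler reports that this constructor was originally package-private.
     *
     * @param str forwarded to the superclass (presumably the mechanism name; confirm against
     *     {@code AbstractDigestMechanism})
     * @param str2 forwarded to the superclass (presumably the protocol; confirm)
     * @param str3 forwarded to the superclass (presumably the server name; confirm)
     * @param callbackHandler handler used to obtain user name, realm and password
     * @param str4 authorization id; also used as the initial user name in the response
     * @param z value returned by {@link #hasInitialResponse()}
     * @param charset charset forwarded to the superclass and used when parsing messages
     * @param strArr QOP values offered by the client in preference order, or {@code null} to use
     *     {@code DigestUtil.QOP_VALUES}
     * @param strArr2 acceptable cipher tokens, or {@code null} for none
     * @param supplier security providers, forwarded to the superclass
     * @throws SaslException if the superclass cannot be initialised
     */
    public DigestSaslClient(String str, String str2, String str3, CallbackHandler callbackHandler, String str4, boolean z, Charset charset, String[] strArr, String[] strArr2, Supplier<Provider[]> supplier) throws SaslException {
        super(str, str2, str3, callbackHandler, AbstractDigestMechanism.FORMAT.CLIENT, charset, strArr2, supplier);
        this.stale = false;
        this.maxbuf = AbstractDigestMechanism.DEFAULT_MAXBUF;
        this.hasInitialResponse = z;
        this.authorizationId = str4;
        this.clientQops = strArr == null ? DigestUtil.QOP_VALUES : strArr;
        this.demandedCiphers = strArr2 == null ? new String[0] : strArr2;
    }

    /**
     * Records the directives of the parsed server challenge in this mechanism's state.
     *
     * @param hashMap parsed challenge, directive name to raw value
     * @throws SaslException if no common QOP or cipher exists, or if {@code maxbuf} is not a number
     */
    private void noteChallengeData(HashMap<String, byte[]> hashMap) throws SaslException {
        LinkedList<String> offeredRealms = new LinkedList<>();
        for (String directive : hashMap.keySet()) {
            byte[] value = hashMap.get(directive);
            if (directive.startsWith("realm")) {
                // Prefix match: every key beginning with "realm" is collected as an offered realm.
                offeredRealms.add(new String(value, StandardCharsets.UTF_8));
            } else if (directive.equals(HttpConstants.QOP)) {
                this.qop = selectQop(new String(value, StandardCharsets.UTF_8).split(String.valueOf(',')), this.clientQops);
            } else if (directive.equals(HttpConstants.STALE)) {
                this.stale = Boolean.parseBoolean(new String(value, StandardCharsets.UTF_8));
            } else if (directive.equals("maxbuf")) {
                int offeredMaxbuf;
                try {
                    offeredMaxbuf = Integer.parseInt(new String(value, StandardCharsets.UTF_8));
                } catch (NumberFormatException e) {
                    // The value is server-controlled; report a malformed challenge as a SASL
                    // failure instead of letting an unchecked exception escape evaluateChallenge().
                    throw new SaslException("Invalid maxbuf directive in digest challenge", e);
                }
                // Non-positive values are ignored and the current maxbuf is kept.
                if (offeredMaxbuf > 0) {
                    this.maxbuf = offeredMaxbuf;
                }
            } else if (directive.equals(HttpConstants.NONCE)) {
                this.nonce = value;
            } else if (directive.equals("cipher")) {
                this.cipher_opts = new String(value, StandardCharsets.UTF_8);
                this.cipher = selectCipher(this.cipher_opts);
            }
        }
        // Any QOP other than plain "auth" needs a wrapper; confidentiality only for auth-conf.
        if (this.qop != null && !this.qop.equals("auth")) {
            setWrapper(new AbstractDigestMechanism.DigestWrapper(this.qop.equals(DigestUtil.QOP_AUTH_CONF)));
        }
        this.realms = offeredRealms.toArray(new String[0]);
    }

    /**
     * Picks the first client-preferred QOP that the server also offers.
     *
     * <p>The server list comes from an unauthenticated challenge, so the outcome is bounded by the
     * weakest value present in the client list.
     *
     * @param strArr QOP values offered by the server
     * @param strArr2 QOP values accepted by the client, in preference order
     * @return the selected QOP
     * @throws SaslException if the two lists have no value in common
     */
    private String selectQop(String[] strArr, String[] strArr2) throws SaslException {
        for (String clientQop : strArr2) {
            if (arrayContains(strArr, clientQop)) {
                return clientQop;
            }
        }
        throw ElytronMessages.saslDigest.mechNoCommonProtectionLayer().toSaslException();
    }

    /**
     * Picks a cipher that is both offered by the server and accepted by the caller. Server
     * ciphers are walked in the order returned by {@code getTransformationSpecByStrength}.
     *
     * @param str comma-separated cipher tokens offered by the server
     * @return the token of the selected cipher
     * @throws SaslException if the server offered no ciphers or none is acceptable
     */
    private String selectCipher(String str) throws SaslException {
        if (str == null) {
            throw ElytronMessages.saslDigest.mechNoCiphersOfferedByServer().toSaslException();
        }
        TransformationSpec[] offered = new DefaultTransformationMapper().getTransformationSpecByStrength(SaslMechanismInformation.Names.DIGEST_MD5, str.split(String.valueOf(',')));
        for (TransformationSpec spec : offered) {
            for (String demanded : this.demandedCiphers) {
                if (demanded.equals(spec.getToken())) {
                    return spec.getToken();
                }
            }
        }
        throw ElytronMessages.saslDigest.mechNoCommonCipher().toSaslException();
    }

    /**
     * Builds the digest response for the challenge previously recorded by
     * {@link #noteChallengeData(HashMap)}.
     *
     * @param hashMap parsed challenge; only the {@code charset} directive is read here
     * @return the encoded digest response
     * @throws SaslException if the challenge carried no nonce or the callbacks fail
     */
    private byte[] createResponse(HashMap<String, byte[]> hashMap) throws SaslException {
        // Fail before the credential callbacks run: a challenge without a nonce cannot be
        // answered, so there is no reason to ask the user for a password first.
        if (this.nonce == null) {
            throw ElytronMessages.saslDigest.mechMissingDirective(HttpConstants.NONCE).toSaslException();
        }
        ByteStringBuilder response = new ByteStringBuilder();
        // Only the exact value "utf-8" selects UTF-8; anything else falls back to ISO-8859-1.
        byte[] charsetDirective = hashMap.get("charset");
        Charset charset = charsetDirective != null && "utf-8".equals(new String(charsetDirective, StandardCharsets.UTF_8)) ? StandardCharsets.UTF_8 : StandardCharsets.ISO_8859_1;
        if (StandardCharsets.UTF_8.equals(charset)) {
            response.append("charset=");
            response.append("utf-8");
            response.append(',');
        }
        this.username = this.authorizationId;
        if (this.realms != null && this.realms.length >= 1) {
            this.realm = this.realms[0];
        }
        byte[] credential = handleUserRealmPasswordCallbacks(this.realms, false, false);
        // User name and realm are quoted before being placed inside a quoted-string so that
        // embedded quote characters cannot break out of the directive value.
        response.append("username=\"");
        response.append(DigestQuote.quote(this.username).getBytes(charset));
        response.append("\"").append(',');
        if (this.realm != null) {
            response.append("realm=\"");
            response.append(DigestQuote.quote(this.realm).getBytes(charset));
            response.append("\"").append(',');
        }
        response.append("nonce=\"");
        response.append(this.nonce);
        response.append("\"").append(',');
        response.append("nc=");
        int nonceCount = getNonceCount();
        response.append(DigestUtil.convertToHexBytesWithLeftPadding(nonceCount, 8));
        response.append(',');
        response.append("cnonce=\"");
        // A fresh client nonce is generated for every response.
        this.cnonce = generateNonce();
        response.append(this.cnonce);
        response.append("\"").append(',');
        response.append("digest-uri=\"");
        response.append(this.digestURI);
        response.append("\"").append(',');
        response.append("maxbuf=");
        response.append(String.valueOf(this.maxbuf));
        response.append(',');
        // hA1 is kept in a field because checkResponseAuth() needs it to verify rspauth.
        this.hA1 = DigestUtil.H_A1(this.messageDigest, credential, this.nonce, this.cnonce, this.authorizationId, charset);
        byte[] digestResponse = DigestUtil.digestResponse(this.messageDigest, this.hA1, this.nonce, nonceCount, this.cnonce, this.authorizationId, this.qop, this.digestURI, true);
        response.append("response=");
        response.append(digestResponse);
        response.append(',');
        response.append("qop=");
        // When the challenge carried no qop directive the response states "auth".
        response.append(this.qop != null ? this.qop : "auth");
        if (this.cipher != null && this.cipher.length() != 0) {
            response.append(',');
            response.append("cipher=\"");
            response.append(this.cipher);
            response.append("\"");
        }
        if (this.authorizationId != null) {
            response.append(',');
            response.append("authzid=\"");
            response.append(DigestQuote.quote(this.authorizationId).getBytes(charset));
            response.append("\"");
        }
        createCiphersAndKeys();
        return response.toArray();
    }

    /**
     * Returns the nonce count used in the response and in the {@code rspauth} check.
     *
     * @return always 1
     */
    private int getNonceCount() {
        return 1;
    }

    /**
     * Verifies the server's {@code rspauth} value against the locally computed one. This is the
     * step that authenticates the server to the client.
     *
     * @param hashMap parsed server message
     * @throws SaslException if {@code rspauth} is missing or does not match
     */
    private void checkResponseAuth(HashMap<String, byte[]> hashMap) throws SaslException {
        byte[] expected = DigestUtil.digestResponse(this.messageDigest, this.hA1, this.nonce, getNonceCount(), this.cnonce, this.authorizationId, this.qop, this.digestURI, false);
        byte[] received = hashMap.get(HttpConstants.RSPAUTH);
        // A missing rspauth is rejected explicitly. The comparison is constant-time as defence in
        // depth, because the expected value is derived from the user's secret.
        if (received == null || !java.security.MessageDigest.isEqual(expected, received)) {
            throw ElytronMessages.saslDigest.mechServerAuthenticityCannotBeVerified().toSaslException();
        }
    }

    /** Puts the mechanism into its first state, in which it expects the server challenge. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(STEP_TWO);
    }

    /**
     * Returns the value supplied at construction time.
     *
     * @return whether this client is configured as having an initial response
     */
    @Override
    public boolean hasInitialResponse() {
        return this.hasInitialResponse;
    }

    /**
     * Evaluates one server message by delegating to the inherited {@code evaluateMessage}.
     *
     * @param bArr raw server message
     * @return the client response, or {@code null} once negotiation is complete
     * @throws SaslException if the message is invalid or authentication fails
     */
    @Override
    public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
        return evaluateMessage(bArr);
    }

    /**
     * Handles a server message according to the current negotiation state.
     *
     * @param i current negotiation state ({@link #STEP_TWO} or {@link #STEP_FOUR})
     * @param bArr raw server message
     * @return the digest response in {@code STEP_TWO}, {@code null} in {@code STEP_FOUR}
     * @throws SaslException if parsing, negotiation or server verification fails
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        try {
            HashMap<String, byte[]> parsed = org.wildfly.security.mechanism.digest.DigestUtil.parseResponse(bArr, this.charset, true, ElytronMessages.saslDigest);
            switch (i) {
                case STEP_TWO:
                    noteChallengeData(parsed);
                    setNegotiationState(STEP_FOUR);
                    return createResponse(parsed);
                case STEP_FOUR:
                    // Negotiation completes only after the server's rspauth has been verified.
                    checkResponseAuth(parsed);
                    negotiationComplete();
                    return null;
                default:
                    throw Assert.impossibleSwitchCase(i);
            }
        } catch (AuthenticationMechanismException e) {
            throw e.toSaslException();
        }
    }
}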
