package org.wildfly.security.sasl.digest;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Provider;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.function.Predicate;
import java.util.function.Supplier;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.digest.DigestQuote;
import org.wildfly.security.sasl.digest.AbstractDigestMechanism;
import org.wildfly.security.sasl.digest._private.DigestUtil;
import org.wildfly.security.util.ByteStringBuilder;

/* loaded from: input_file:org/wildfly/security/sasl/digest/DigestSaslServer.class */
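/**
 * Server side of the SASL {@code DIGEST-MD5} mechanism (RFC 2831).
 *
 * <p>Step one emits the server challenge ({@link #generateChallenge()}). Step three parses the
 * client's {@code digest-response}, checks every directive this server relies on, verifies the
 * proof in constant time and finally issues the {@code rspauth} message. The two client-controlled
 * values this class parses itself ({@code nc} and {@code digest-uri}) are validated so that
 * malformed input is rejected with a {@link SaslException} instead of escaping as an unchecked
 * exception.
 *
 * <p>Instances are stateful and not thread-safe; one instance serves one authentication exchange.
 */
final class DigestSaslServer extends AbstractDigestMechanism implements SaslServer {

    /** Negotiation state while the initial challenge is still to be sent. */
    private static final byte STEP_ONE = 1;
    /** Negotiation state while the client's digest-response is awaited. */
    private static final byte STEP_THREE = 3;
    /** RFC 2831 default for {@code maxbuf}; the directive is only sent when this server deviates from it. */
    private static final int RFC_DEFAULT_MAXBUF = 65536;
    /** {@code nc} value recorded when the directive is absent or unparseable; never equals the required 1. */
    private static final int INVALID_NONCE_COUNT = -1;

    /** Accepts the {@code serv-type} part of the client's {@code digest-uri} (tested lower-cased, Locale.ROOT). */
    private final Predicate<String> digestUriProtocolAccepted;
    /** Forwarded to {@code handleUserRealmPasswordCallbacks}; its meaning is defined by the superclass. */
    private final boolean defaultRealm;
    /** Realms offered in the challenge; the client's {@code realm} must be one of them. */
    private final String[] realms;
    /** Cipher list advertised when {@code auth-conf} is offered, or {@code null} for none. */
    private final String supportedCiphers;
    /** Largest buffer this server accepts; advertised via {@code maxbuf} when not the RFC default. */
    private final int receivingMaxBuffSize;
    /** QOP values offered to the client, or {@code null} to omit the directive. */
    private final String[] qops;
    /** Parsed {@code nc} directive of the client's response; {@link #INVALID_NONCE_COUNT} until known. */
    private int nonceCount;
    /** The client's {@code digest-uri} exactly as received. */
    private String receivedClientUri;
    /** Host part of the validated {@code digest-uri}; exposed as {@link Sasl#BOUND_SERVER_NAME}. */
    private String boundServerName;

    /**
     * Creates a server for one authentication exchange.
     *
     * @param realms the realms to offer in the challenge; the client must select one of them
     * @param defaultRealm passed through to the superclass user/realm/password callback handling
     * @param str first identity string forwarded unchanged to the {@link AbstractDigestMechanism} constructor
     * @param str2 second identity string forwarded unchanged to the superclass constructor
     * @param str3 third identity string forwarded unchanged to the superclass constructor
     * @param callbackHandler the handler used for credential and authorization callbacks
     * @param charset the charset this server negotiates (UTF-8 enables the {@code charset} directive)
     * @param qops the QOP values to offer, or {@code null} to omit the directive
     * @param ciphers the ciphers to offer for {@code auth-conf}
     * @param digestUriProtocolAccepted accepts the protocol part of the client's digest-uri
     * @param providers supplies the security providers used by the superclass
     * @throws SaslException if the superclass cannot be initialised
     */
    public DigestSaslServer(String[] realms, boolean defaultRealm, String str, String str2, String str3,
            CallbackHandler callbackHandler, Charset charset, String[] qops, String[] ciphers,
            Predicate<String> digestUriProtocolAccepted, Supplier<Provider[]> providers) throws SaslException {
        super(str, str2, str3, callbackHandler, AbstractDigestMechanism.FORMAT.SERVER, charset, ciphers, providers);
        this.realms = realms;
        this.defaultRealm = defaultRealm;
        this.supportedCiphers = getSupportedCiphers(ciphers);
        this.qops = qops;
        this.digestUriProtocolAccepted = digestUriProtocolAccepted;
        this.receivingMaxBuffSize = AbstractDigestMechanism.DEFAULT_MAXBUF;
        this.nonceCount = INVALID_NONCE_COUNT;
        this.boundServerName = null;
    }

    /**
     * Builds the step-one challenge: one {@code realm} directive per configured realm, a fresh nonce,
     * the offered QOPs, {@code maxbuf} (only when non-default), {@code charset} (only for UTF-8),
     * {@code cipher} (only when {@code auth-conf} is offered) and the fixed algorithm directive.
     *
     * @return the challenge bytes, realm directives encoded in the negotiated charset
     */
    private byte[] generateChallenge() {
        ByteStringBuilder challenge = new ByteStringBuilder();

        StringBuilder realmDirectives = new StringBuilder();
        for (String realm : this.realms) {
            realmDirectives.append("realm=\"").append(DigestQuote.quote(realm)).append("\"").append(',');
        }
        challenge.append(realmDirectives.toString().getBytes(getCharset()));

        // A nonce is issued exactly once per exchange; a second challenge would be a state bug.
        assert this.nonce == null;
        this.nonce = generateNonce();
        challenge.append("nonce=\"");
        challenge.append(DigestQuote.quote(this.nonce));
        challenge.append("\"").append(',');

        if (this.qops != null) {
            challenge.append("qop=\"");
            for (int i = 0; i < this.qops.length; i++) {
                if (i > 0) {
                    challenge.append(',');
                }
                challenge.append(DigestQuote.quote(this.qops[i]));
            }
            challenge.append("\"").append(',');
        }
        if (this.receivingMaxBuffSize != RFC_DEFAULT_MAXBUF) {
            challenge.append("maxbuf=");
            challenge.append(String.valueOf(this.receivingMaxBuffSize));
            challenge.append(',');
        }
        if (StandardCharsets.UTF_8.equals(getCharset())) {
            challenge.append("charset=");
            challenge.append("utf-8");
            challenge.append(',');
        }
        // Ciphers are only meaningful when confidentiality protection is actually on offer.
        if (this.supportedCiphers != null && this.qops != null && arrayContains(this.qops, DigestUtil.QOP_AUTH_CONF)) {
            challenge.append("cipher=\"");
            challenge.append(this.supportedCiphers);
            challenge.append("\"").append(',');
        }
        challenge.append("algorithm=md5-sess");
        return challenge.toArray();
    }

    /**
     * Records the response directives needed before validation runs: {@code nc}, {@code cipher}
     * and {@code authzid}.
     *
     * <p>{@code nc} is client input. A value that is not a decimal integer is mapped to
     * {@link #INVALID_NONCE_COUNT} so that {@link #validateDigestResponse(Map)} rejects it with the
     * nonce-count error instead of a {@link NumberFormatException} escaping the mechanism. RFC 2831
     * specifies {@code nc} as eight hex digits; only the value 1 is ever accepted, and for it the
     * decimal and hex readings coincide.
     *
     * @param response the parsed digest-response directives
     */
    private void noteDigestResponseData(Map<String, byte[]> response) {
        this.nonceCount = INVALID_NONCE_COUNT;
        byte[] nc = response.get(HttpConstants.NC);
        if (nc != null) {
            try {
                this.nonceCount = Integer.parseInt(new String(nc, StandardCharsets.UTF_8));
            } catch (NumberFormatException ignored) {
                // malformed nc: keep the sentinel so validation reports the nonce-count mismatch
            }
        }
        byte[] cipherDirective = response.get("cipher");
        this.cipher = cipherDirective != null ? new String(cipherDirective, StandardCharsets.UTF_8) : "";
        byte[] authzidDirective = response.get("authzid");
        this.authorizationId = authzidDirective != null ? new String(authzidDirective, StandardCharsets.UTF_8) : null;
    }

    /**
     * Returns the value of a directive the protocol requires at this point.
     *
     * @param response the parsed digest-response directives
     * @param name the directive name
     * @return the raw directive value
     * @throws SaslException if the directive is absent
     */
    private static byte[] requireDirective(Map<String, byte[]> response, String name) throws SaslException {
        byte[] value = response.get(name);
        if (value == null) {
            throw ElytronMessages.saslDigest.mechMissingDirective(name).toSaslException();
        }
        return value;
    }

    /**
     * Validates the {@code digest-uri} directive and returns the part after the first {@code "/"}.
     *
     * <p>The URI is split once, so everything after the protocol (host and any trailing
     * {@code serv-name}) is compared as one string against the server name. A URI without any
     * {@code "/"} is rejected here; indexing the split result unconditionally would otherwise
     * throw an {@link ArrayIndexOutOfBoundsException} on client input.
     *
     * @param digestUri the decoded digest-uri
     * @return the host part to bind this server to
     * @throws SaslException if the protocol is not accepted or the host does not match the bound server name
     */
    private String checkDigestUri(String digestUri) throws SaslException {
        String[] parts = digestUri.split("/", 2);
        if (parts.length < 2 || !this.digestUriProtocolAccepted.test(parts[0].toLowerCase(Locale.ROOT))) {
            throw ElytronMessages.saslDigest.mechMismatchedWrongDigestUri(digestUri).toSaslException();
        }
        String serverName = getServerName();
        if (serverName != null && !serverName.toLowerCase(Locale.ROOT).equals(parts[1].toLowerCase(Locale.ROOT))) {
            throw ElytronMessages.saslDigest.mechMismatchedWrongDigestUri(digestUri).toSaslException();
        }
        return parts[1];
    }

    /**
     * Validates the client's digest-response and, on success, authorizes the user and builds the
     * {@code rspauth} message.
     *
     * <p>Checks, in order: nonce count is exactly 1; the {@code charset} directive (only
     * {@code utf-8} is legal, and only when this server negotiated UTF-8); {@code username} present;
     * {@code realm} is one the server offered; {@code nonce} equals the one issued; {@code cnonce},
     * {@code nc} and {@code digest-uri} present and the URI acceptable; {@code qop} is a known value;
     * the response proof matches; and the authorize callback accepts the
     * (authentication id, authorization id) pair.
     *
     * @param response the parsed digest-response directives
     * @return the {@code rspauth} bytes to send to the client
     * @throws SaslException if any directive is missing, malformed or fails verification, or if
     *     authorization is denied or not supported by the callback handler
     */
    private byte[] validateDigestResponse(Map<String, byte[]> response) throws SaslException {
        if (this.nonceCount != 1) {
            throw ElytronMessages.saslDigest.mechNonceCountMustEqual(1, this.nonceCount).toSaslException();
        }

        // Directive values are ISO-8859-1 unless the client explicitly selected utf-8.
        Charset charset = StandardCharsets.ISO_8859_1;
        byte[] charsetDirective = response.get(HttpConstants.CHARSET);
        if (charsetDirective != null) {
            if (!"utf-8".equals(new String(charsetDirective, StandardCharsets.UTF_8))) {
                throw ElytronMessages.saslDigest.mechUnknownCharset().toSaslException();
            }
            if (!StandardCharsets.UTF_8.equals(getCharset())) {
                throw ElytronMessages.saslDigest.mechUnsupportedCharset("UTF-8").toSaslException();
            }
            charset = StandardCharsets.UTF_8;
        }

        this.username = new String(requireDirective(response, HttpConstants.USERNAME), charset);

        byte[] realmDirective = response.get(HttpConstants.REALM);
        this.realm = realmDirective != null ? new String(realmDirective, charset) : "";
        if (!arrayContains(this.realms, this.realm)) {
            throw ElytronMessages.saslDigest.mechDisallowedClientRealm(this.realm).toSaslException();
        }

        // The nonce is public (we sent it), so an ordinary comparison is sufficient here.
        if (!Arrays.equals(this.nonce, requireDirective(response, HttpConstants.NONCE))) {
            throw ElytronMessages.saslDigest.mechNoncesDoNotMatch().toSaslException();
        }
        this.cnonce = requireDirective(response, HttpConstants.CNONCE);
        requireDirective(response, HttpConstants.NC);

        this.receivedClientUri = new String(requireDirective(response, "digest-uri"), charset);
        this.boundServerName = checkDigestUri(this.receivedClientUri);

        this.qop = "auth";
        byte[] qopDirective = response.get(HttpConstants.QOP);
        if (qopDirective != null) {
            this.qop = new String(qopDirective, charset);
            if (!arrayContains(DigestUtil.QOP_VALUES, this.qop)) {
                throw ElytronMessages.saslDigest.mechUnexpectedQop(this.qop).toSaslException();
            }
            // auth-int / auth-conf need a wrapper; the flag selects confidentiality for auth-conf.
            if (!"auth".equals(this.qop)) {
                setWrapper(new AbstractDigestMechanism.DigestWrapper(this.qop.equals(DigestUtil.QOP_AUTH_CONF)));
            }
        }

        this.hA1 = DigestUtil.H_A1(this.messageDigest, handleUserRealmPasswordCallbacks(null, true, this.defaultRealm), this.nonce, this.cnonce, this.authorizationId, charset);
        byte[] expectedResponse = DigestUtil.digestResponse(this.messageDigest, this.hA1, this.nonce, this.nonceCount, this.cnonce, this.authorizationId, this.qop, this.receivedClientUri, true);
        byte[] clientResponse = requireDirective(response, HttpConstants.RESPONSE);
        // The proof is secret-derived; compare in constant time so mismatch position is not observable.
        if (!MessageDigest.isEqual(expectedResponse, clientResponse)) {
            throw ElytronMessages.saslDigest.mechAuthenticationRejectedInvalidProof().toSaslException();
        }
        createCiphersAndKeys();

        // An absent or empty authzid means the client acts as itself.
        String requestedAuthzId = (this.authorizationId == null || this.authorizationId.isEmpty()) ? this.username : this.authorizationId;
        AuthorizeCallback authorizeCallback = new AuthorizeCallback(this.username, requestedAuthzId);
        try {
            tryHandleCallbacks(authorizeCallback);
        } catch (UnsupportedCallbackException e) {
            throw ElytronMessages.saslDigest.mechAuthorizationUnsupported(e).toSaslException();
        }
        if (!authorizeCallback.isAuthorized()) {
            throw ElytronMessages.saslDigest.mechAuthorizationFailed(this.username, requestedAuthzId).toSaslException();
        }
        this.authorizationId = authorizeCallback.getAuthorizedID();
        return createResponseAuth();
    }

    /**
     * Builds the final {@code rspauth=} message. It uses the same inputs as the expected client
     * response but with the trailing flag {@code false} (the client proof was computed with
     * {@code true}), and falls back to {@code digestURI} if no client URI was recorded.
     *
     * @return the {@code rspauth} bytes
     */
    private byte[] createResponseAuth() {
        String uri = this.receivedClientUri != null ? this.receivedClientUri : this.digestURI;
        ByteStringBuilder rspauth = new ByteStringBuilder();
        rspauth.append("rspauth=");
        rspauth.append(DigestUtil.digestResponse(this.messageDigest, this.hA1, this.nonce, this.nonceCount, this.cnonce, this.authorizationId, this.qop, uri, false));
        return rspauth.toArray();
    }

    /**
     * Returns the authorization id confirmed by the authorize callback, or the value noted from
     * the client's {@code authzid} directive before validation completed.
     */
    @Override
    public String getAuthorizationID() {
        return this.authorizationId;
    }

    /**
     * Returns a negotiated property. In addition to the superclass properties, answers
     * {@link Sasl#BOUND_SERVER_NAME} with the host part of the validated digest-uri. Must only be
     * called once the exchange is complete ({@code assertComplete()}).
     *
     * @param propName the property name
     * @return the property value, or whatever the superclass returns for other names
     */
    @Override
    public Object getNegotiatedProperty(String propName) {
        assertComplete();
        if (Sasl.BOUND_SERVER_NAME.equals(propName)) {
            return this.boundServerName;
        }
        return super.getNegotiatedProperty(propName);
    }

    /** Starts the exchange in the state that awaits the (empty) initial client response. */
    @Override
    public void init() {
        setNegotiationState(STEP_ONE);
    }

    /**
     * Evaluates one client message and produces the next server message.
     *
     * @param response the client's message
     * @return the challenge or {@code rspauth} to send back
     * @throws SaslException if the message is rejected
     */
    @Override
    public byte[] evaluateResponse(byte[] response) throws SaslException {
        return evaluateMessage(response);
    }

    /**
     * State-machine step: {@link #STEP_ONE} expects an empty initial response and emits the
     * challenge; {@link #STEP_THREE} parses and validates the digest-response and completes the
     * negotiation on success.
     *
     * @param state the current negotiation state
     * @param message the client's message for this state
     * @return the server message for this step
     * @throws SaslException if the message is rejected or the response fails validation
     */
    @Override
    protected byte[] evaluateMessage(int state, byte[] message) throws SaslException {
        switch (state) {
            case STEP_ONE:
                // DIGEST-MD5 is server-first: the client must not send an initial response body.
                if (message != null && message.length != 0) {
                    throw ElytronMessages.saslDigest.mechInitialChallengeMustBeEmpty().toSaslException();
                }
                setNegotiationState(STEP_THREE);
                return generateChallenge();
            case STEP_THREE:
                if (message == null || message.length == 0) {
                    throw ElytronMessages.saslDigest.mechClientRefusesToInitiateAuthentication().toSaslException();
                }
                try {
                    Map<String, byte[]> response = org.wildfly.security.mechanism.digest.DigestUtil.parseResponse(message, this.charset, false, ElytronMessages.saslDigest);
                    noteDigestResponseData(response);
                    byte[] rspauth = validateDigestResponse(response);
                    negotiationComplete();
                    return rspauth;
                } catch (AuthenticationMechanismException e) {
                    throw e.toSaslException();
                }
            default:
                throw Assert.impossibleSwitchCase(state);
        }
    }
}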
