package org.wildfly.security.sasl.otp;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Locale;
import java.util.function.Supplier;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import org.wildfly.common.Assert;
import org.wildfly.common.bytes.ByteStringBuilder;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.CredentialUpdateCallback;
import org.wildfly.security.auth.callback.ExclusiveNameCallback;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.OneTimePassword;
import org.wildfly.security.password.spec.OneTimePasswordSpec;
import org.wildfly.security.sasl.util.AbstractSaslServer;

/* loaded from: input_file:org/wildfly/security/sasl/otp/OTPSaslServer.class */
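/**
 * Server side of the OTP SASL mechanism.
 *
 * <p>The exchange has two client messages. The first carries {@code authzid NUL username}; the server
 * answers with the challenge {@code <algorithm> <sequence number - 1> <seed> ext}. The second carries the
 * one-time password for that sequence number, either as {@code hex:}/{@code word:} or as
 * {@code init-hex:}/{@code init-word:} when the client also wants to re-initialize the credential with a
 * new algorithm, sequence number and seed. A presented OTP is accepted when its hash-and-fold reproduces
 * the hash stored for the user; the stored credential is then replaced.
 *
 * <p>Not thread-safe: one instance serves one authentication exchange.
 */
final class OTPSaslServer extends AbstractSaslServer {

    /** Negotiation state: the client's first message ({@code authzid NUL username}) is expected next. */
    private static final int ST_CHALLENGE = 1;
    /** Negotiation state: the client's OTP response to the challenge is expected next. */
    private static final int ST_PROCESS_RESPONSE = 2;

    /** Separator between the authorization id and the user name in the initial message. */
    private static final int NUL_DELIM = 0;
    /** Field separator inside an OTP response ({@code type:otp} or {@code type:otp:params:newotp}). */
    private static final int COLON_DELIM = ':';
    /** Separator between algorithm, sequence number and seed in a re-initialization response. */
    private static final int SPACE_DELIM = ' ';

    /** Security providers consulted when generating the updated credential. */
    private final Supplier<Provider[]> providers;

    // Parameters of the credential currently stored for the user, "previous" relative to the credential
    // written after a successful exchange.
    private String previousAlgorithm;
    private String previousSeed;
    private int previousSequenceNumber;
    private byte[] previousHash;
    // Kept across both messages: the same callback is handed back to the callback handler together with
    // the credential update.
    private ExclusiveNameCallback exclusiveNameCallback;
    private String userName;
    private String authorizationID;

    /*
     * Decompiler note: the original constructor was package-private; the class itself is package-private,
     * so the wider modifier has no effect outside this package.
     */
    public OTPSaslServer(String str, String str2, String str3, CallbackHandler callbackHandler, Supplier<Provider[]> supplier) {
        super(str, str2, str3, callbackHandler, ElytronMessages.saslOTP);
        this.providers = supplier;
    }

    /** Starts the exchange by waiting for the client's initial message. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(ST_CHALLENGE);
    }

    /**
     * Returns the negotiated authorization id.
     *
     * @return the authorization id (the user name when the client sent none)
     * @throws IllegalStateException if the exchange has not completed (type per {@code ElytronMessages})
     */
    public String getAuthorizationID() {
        if (!isComplete()) {
            throw ElytronMessages.saslOTP.mechAuthenticationNotComplete();
        }
        return authorizationID;
    }

    /**
     * Dispatches one client message according to the negotiation state.
     *
     * @param state   the current negotiation state
     * @param message the client message (may be {@code null} or empty once the exchange is complete)
     * @return the challenge to send after the initial message; {@code null} after the response
     * @throws SaslException if the message is malformed, the OTP does not verify, exclusive access to the
     *                       credential cannot be obtained, or authorization is refused
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(final int state, final byte[] message) throws SaslException {
        switch (state) {
            case 0: {
                // 0 is the superclass's "negotiation complete" state: the client must not send anything more.
                if (message == null || message.length == 0) {
                    return null;
                }
                throw ElytronMessages.saslOTP.mechMessageAfterComplete().toSaslException();
            }
            case ST_CHALLENGE:
                return processInitialMessage(message);
            case ST_PROCESS_RESPONSE:
                return processResponse(message);
            default:
                throw Assert.impossibleSwitchCase(state);
        }
    }

    /**
     * Handles {@code authzid NUL username}: records the names, obtains exclusive access to the user's
     * stored OTP credential and builds the challenge.
     *
     * @param message the raw initial message
     * @return the challenge {@code <algorithm> <sequence number - 1> <seed> ext} as UTF-8 bytes
     * @throws SaslException if the message is malformed or the credential cannot be obtained exclusively
     */
    private byte[] processInitialMessage(final byte[] message) throws SaslException {
        final CodePointIterator cpi = CodePointIterator.ofUtf8Bytes(message);
        final CodePointIterator di = cpi.delimitedBy(NUL_DELIM);
        authorizationID = di.hasNext() ? di.drainToString() : null;
        // The NUL separator is mandatory; without it there is no user name field to read.
        if (!cpi.hasNext()) {
            throw ElytronMessages.saslOTP.mechInvalidMessageReceived().toSaslException();
        }
        cpi.next(); // skip the NUL
        userName = di.drainToString();
        OTPUtil.validateUserName(userName);
        if (authorizationID == null || authorizationID.isEmpty()) {
            authorizationID = userName;
        }
        OTPUtil.validateAuthorizationId(authorizationID);

        // The credential is rewritten after a successful response, so the realm must grant exclusive
        // access to it for the duration of the exchange.
        exclusiveNameCallback = new ExclusiveNameCallback("Remote authentication name", userName, true, true);
        final CredentialCallback credentialCallback = new CredentialCallback(PasswordCredential.class);
        handleCallbacks(exclusiveNameCallback, credentialCallback);
        if (!exclusiveNameCallback.hasExclusiveAccess()) {
            throw ElytronMessages.saslOTP.mechUnableToObtainExclusiveAccess(userName).toSaslException();
        }
        final OneTimePassword storedPassword = credentialCallback.applyToCredential(PasswordCredential.class,
                credential -> credential.getPassword().castAs(OneTimePassword.class));
        if (storedPassword == null) {
            throw ElytronMessages.saslOTP.mechUnableToRetrievePassword(userName).toSaslException();
        }

        previousAlgorithm = storedPassword.getAlgorithm();
        OTPUtil.validateAlgorithm(previousAlgorithm);
        previousSeed = storedPassword.getSeed();
        OTPUtil.validateSeed(previousSeed);
        previousSequenceNumber = storedPassword.getSequenceNumber();
        OTPUtil.validateSequenceNumber(previousSequenceNumber);
        previousHash = storedPassword.getHash();

        // The client is asked for the OTP one step below the stored sequence number.
        final ByteStringBuilder challenge = new ByteStringBuilder();
        challenge.append(previousAlgorithm);
        challenge.append(' ');
        challenge.appendNumber(previousSequenceNumber - 1);
        challenge.append(' ');
        challenge.append(previousSeed);
        challenge.append(' ');
        challenge.append(OTP.EXT);
        setNegotiationState(ST_PROCESS_RESPONSE);
        return challenge.toArray();
    }

    /**
     * Handles the OTP response, verifies it against the stored hash, stores the updated credential and
     * checks authorization.
     *
     * @param message the raw response message
     * @return always {@code null}; the exchange is complete afterwards
     * @throws SaslException if the response type is unknown, the message is malformed, the OTP does not
     *                       verify, re-initialization fails or authorization is refused
     */
    private byte[] processResponse(final byte[] message) throws SaslException {
        final CodePointIterator cpi = CodePointIterator.ofUtf8Bytes(message);
        final CodePointIterator di = cpi.delimitedBy(COLON_DELIM);
        final String responseType = di.drainToString().toLowerCase(Locale.ENGLISH);
        OTPUtil.skipDelims(di, cpi, COLON_DELIM);

        final byte[] currentHash;
        final String newAlgorithm;
        final OneTimePasswordSpec newPasswordSpec;
        switch (responseType) {
            case OTP.HEX_RESPONSE:
            case OTP.WORD_RESPONSE: {
                currentHash = decodeOtp(responseType.equals(OTP.HEX_RESPONSE), di.drainToString(), previousAlgorithm);
                newAlgorithm = previousAlgorithm;
                newPasswordSpec = new OneTimePasswordSpec(currentHash, previousSeed, previousSequenceNumber - 1);
                break;
            }
            case OTP.INIT_HEX_RESPONSE:
            case OTP.INIT_WORD_RESPONSE: {
                final boolean hex = responseType.equals(OTP.INIT_HEX_RESPONSE);
                currentHash = decodeOtp(hex, di.drainToString(), previousAlgorithm);
                try {
                    // New parameters: "<algorithm without prefix> <sequence number> <seed>", then the new OTP.
                    OTPUtil.skipDelims(di, cpi, COLON_DELIM);
                    final CodePointIterator si = di.delimitedBy(SPACE_DELIM);
                    newAlgorithm = OTP.OTP_PREFIX + si.drainToString();
                    OTPUtil.validateAlgorithm(newAlgorithm);
                    OTPUtil.skipDelims(si, di, SPACE_DELIM);
                    final int newSequenceNumber = parseSequenceNumber(si.drainToString());
                    OTPUtil.validateSequenceNumber(newSequenceNumber);
                    OTPUtil.skipDelims(si, di, SPACE_DELIM);
                    final String newSeed = si.drainToString();
                    OTPUtil.validateSeed(newSeed);
                    OTPUtil.skipDelims(di, cpi, COLON_DELIM);
                    final byte[] newHash = decodeOtp(hex, di.drainToString(), newAlgorithm);
                    newPasswordSpec = new OneTimePasswordSpec(newHash, newSeed, newSequenceNumber);
                } catch (SaslException e) {
                    // Re-initialization failed: the current OTP is still consumed (sequence number
                    // decremented) if it verifies, so it cannot be presented again, before the failure is
                    // reported.
                    verifyAndUpdateCredential(currentHash, previousAlgorithm,
                            new OneTimePasswordSpec(currentHash, previousSeed, previousSequenceNumber - 1));
                    throw ElytronMessages.saslOTP.mechOTPReinitializationFailed(e).toSaslException();
                }
                break;
            }
            default:
                throw ElytronMessages.saslOTP.mechInvalidOTPResponseType().toSaslException();
        }
        // Trailing data after the last field is rejected rather than ignored.
        if (cpi.hasNext()) {
            throw ElytronMessages.saslOTP.mechInvalidMessageReceived().toSaslException();
        }
        verifyAndUpdateCredential(currentHash, newAlgorithm, newPasswordSpec);

        // Authorization is checked after the credential update, so a refused authorization still
        // consumes the OTP that was just verified.
        final AuthorizeCallback authorizeCallback = new AuthorizeCallback(userName, authorizationID);
        handleCallbacks(authorizeCallback);
        if (!authorizeCallback.isAuthorized()) {
            throw ElytronMessages.saslOTP.mechAuthorizationFailed(userName, authorizationID).toSaslException();
        }
        negotiationComplete();
        return null;
    }

    /**
     * Decodes an OTP given either as hex or as the six-word form.
     *
     * @param hex       {@code true} for hex, {@code false} for words
     * @param text      the encoded OTP
     * @param algorithm the OTP algorithm (needed for the word form)
     * @return the decoded OTP bytes
     */
    private static byte[] decodeOtp(final boolean hex, final String text, final String algorithm) throws SaslException {
        return hex ? OTPUtil.convertFromHex(text) : OTPUtil.convertFromWords(text, algorithm);
    }

    /**
     * Parses the new sequence number of a re-initialization response.
     *
     * <p>A non-numeric field is reported as a malformed message rather than letting
     * {@link NumberFormatException} escape: that keeps the failure on the re-initialization path, where
     * the current OTP is consumed before the error is returned.
     */
    private static int parseSequenceNumber(final String text) throws SaslException {
        try {
            return Integer.parseInt(text);
        } catch (NumberFormatException ignored) {
            // No cause-accepting overload is available for this message.
            throw ElytronMessages.saslOTP.mechInvalidMessageReceived().toSaslException();
        }
    }

    /**
     * Drops the secret material held for the exchange.
     *
     * <p>The hash array is not wiped in place: it is the array obtained from the realm's credential and
     * may still be referenced there — confirm before zeroing it.
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
        previousHash = null;
        previousSeed = null;
    }

    /**
     * Verifies the presented OTP against the stored hash and, on success, stores the new credential.
     *
     * @param currentHash     the OTP presented by the client
     * @param newAlgorithm    algorithm of the credential to store
     * @param newPasswordSpec the credential to store
     * @throws SaslException if the OTP does not verify or the credential cannot be updated
     */
    private void verifyAndUpdateCredential(final byte[] currentHash, final String newAlgorithm,
            final OneTimePasswordSpec newPasswordSpec) throws SaslException {
        // hashAndFold of the presented OTP must reproduce the stored hash. MessageDigest.isEqual compares
        // in constant time, so the check does not leak how many leading bytes matched.
        if (!MessageDigest.isEqual(previousHash, OTPUtil.hashAndFold(previousAlgorithm, currentHash))) {
            throw ElytronMessages.saslOTP.mechPasswordNotVerified().toSaslException();
        }
        updateCredential(newAlgorithm, newPasswordSpec);
    }

    /**
     * Generates the new OTP credential and hands it to the callback handler together with the exclusive
     * name callback obtained for the initial message.
     *
     * @param algorithm    password algorithm used to generate the credential
     * @param passwordSpec the new credential parameters
     * @throws SaslException if no factory exists for the algorithm or the spec is rejected
     */
    private void updateCredential(final String algorithm, final OneTimePasswordSpec passwordSpec) throws SaslException {
        try {
            final OneTimePassword newPassword = (OneTimePassword) PasswordFactory.getInstance(algorithm, providers)
                    .generatePassword(passwordSpec);
            handleCallbacks(exclusiveNameCallback, new CredentialUpdateCallback(new PasswordCredential(newPassword)));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            // The message method takes only the user name; the underlying cause is not propagated.
            throw ElytronMessages.saslOTP.mechUnableToUpdatePassword(userName).toSaslException();
        }
    }
}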
