package org.wildfly.security.sasl.digest;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Supplier;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.SaslException;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.password.TwoWayPassword;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.password.interfaces.DigestPassword;
import org.wildfly.security.sasl.digest._private.DigestUtil;
import org.wildfly.security.sasl.util.AbstractSaslParticipant;
import org.wildfly.security.sasl.util.SaslMechanismInformation;
import org.wildfly.security.sasl.util.SaslWrapper;
import org.wildfly.security.util.ByteIterator;
import org.wildfly.security.util.ByteStringBuilder;
import org.wildfly.security.util.DefaultTransformationMapper;
import org.wildfly.security.util.TransformationSpec;
import org.wildfly.security.util._private.Arrays2;

/* loaded from: input_file:org/wildfly/security/sasl/digest/AbstractDigestMechanism.class */
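/**
 * Common state and helpers shared by the DIGEST-* SASL client and server implementations:
 * derivation of the integrity (HMAC-MD5) and confidentiality (DES / 3DES / RC4) keys, the
 * wrap/unwrap framing used once the exchange has completed, and password retrieval through
 * the callback handler.
 * <p>
 * Wire framing produced by {@link #wrapIntegrityProtectedMessage} and
 * {@link #wrapConfidentialityProtectedMessage} (and expected by the unwrap counterparts):
 * <pre>
 *   integrity:       payload | MAC[0..9] | type(2 bytes, =1) | seq(4 bytes)
 *   confidentiality: ENC(payload | pad | MAC[0..9]) | type(2 bytes, =1) | seq(4 bytes)
 * </pre>
 * where {@code pad} is present only for block ciphers and holds 1..blockSize bytes each
 * equal to the padding length.
 * <p>
 * NOTE(review): DIGEST-MD5 and its cipher options (DES, 3DES, RC4) are legacy algorithms;
 * the confidentiality layer here exists for interoperability and should not be relied on
 * as a strong transport protection.
 */
abstract class AbstractDigestMechanism extends AbstractSaslParticipant {
    public static final int DEFAULT_MAXBUF = 65536;
    public static final char DELIMITER = ',';
    public static final String[] CIPHER_OPTS = {"des", "3des", "rc4", "rc4-40", "rc4-56"};

    private static final String CLIENT_MAGIC_INTEGRITY = "Digest session key to client-to-server signing key magic constant";
    private static final String SERVER_MAGIC_INTEGRITY = "Digest session key to server-to-client signing key magic constant";
    private static final String CLIENT_MAGIC_CONFIDENTIALITY = "Digest H(A1) to client-to-server sealing key magic constant";
    private static final String SERVER_MAGIC_CONFIDENTIALITY = "Digest H(A1) to server-to-client sealing key magic constant";

    /** Raw random bytes per nonce, before base64 encoding. */
    private static final int NONCE_SIZE = 36;
    /** Only the first 10 bytes of the HMAC are transmitted. */
    private static final int MAC_LENGTH = 10;
    /** The only message type value used by this framing. */
    private static final int MESSAGE_TYPE = 1;
    /** Message type (2 bytes) + sequence number (4 bytes). */
    private static final int TRAILER_LENGTH = 6;
    /** Truncated MAC followed by the type/sequence trailer. */
    private static final int INTEGRITY_TRAILER_LENGTH = MAC_LENGTH + TRAILER_LENGTH;

    private FORMAT format;
    protected String digestURI;
    protected Charset charset;
    /** MD5, used for key derivation regardless of the mechanism's own hash. */
    protected MessageDigest digest;
    /** Negotiated cipher token (one of {@link #CIPHER_OPTS}), or null/empty when no confidentiality. */
    protected String cipher;
    protected String qop;
    protected int wrapSeqNum;
    protected int unwrapSeqNum;
    protected byte[] nonce;
    protected byte[] cnonce;
    protected String authzid;
    /** H(A1) as computed during the exchange; the root of all session keys. */
    protected byte[] hA1;
    protected SecureRandom secureRandomGenerator;
    protected Mac hmacMD5;
    protected Cipher wrapCipher;
    protected Cipher unwrapCipher;
    protected byte[] wrapHmacKeyIntegrity;
    protected byte[] unwrapHmacKeyIntegrity;
    /** The mechanism's own digest (MD5 or a SHA variant), used for the user:realm:password hash. */
    protected final MessageDigest messageDigest;
    private final Supplier<Provider[]> providers;

    /**
     * {@link SaslWrapper} adapter that dispatches to the integrity-only or confidentiality
     * wrap/unwrap routines of the enclosing mechanism.
     */
    protected class DigestWrapper implements SaslWrapper {
        private final boolean confidential;

        public DigestWrapper(boolean confidential) {
            this.confidential = confidential;
        }

        @Override // org.wildfly.security.sasl.util.SaslWrapper
        public byte[] wrap(byte[] outgoing, int offset, int length) throws SaslException {
            if (confidential) {
                return AbstractDigestMechanism.this.wrapConfidentialityProtectedMessage(outgoing, offset, length);
            }
            return AbstractDigestMechanism.this.wrapIntegrityProtectedMessage(outgoing, offset, length);
        }

        @Override // org.wildfly.security.sasl.util.SaslWrapper
        public byte[] unwrap(byte[] incoming, int offset, int length) throws SaslException {
            if (confidential) {
                return AbstractDigestMechanism.this.unwrapConfidentialityProtectedMessage(incoming, offset, length);
            }
            return AbstractDigestMechanism.this.unwrapIntegrityProtectedMessage(incoming, offset, length);
        }
    }

    /** Which side of the exchange this participant plays; selects the key-derivation magic strings. */
    public enum FORMAT {
        CLIENT,
        SERVER
    }

    /**
     * @param mechanismName   SASL mechanism name; must map to a digest algorithm via {@link DigestUtil#messageDigestAlgorithm}
     * @param protocol        protocol name, used to build the digest-uri
     * @param serverName      server name, used to build the digest-uri
     * @param callbackHandler handler used to obtain names, realms and passwords
     * @param format          client or server role
     * @param charset         character set for the exchange; ISO-8859-1 when null
     * @param ciphers         cipher preference list (not consumed here; kept for subclasses/callers)
     * @param providers       security providers consulted when converting two-way passwords
     * @throws SaslException if HMAC-MD5, MD5 or the mechanism's digest is unavailable
     */
    public AbstractDigestMechanism(String mechanismName, String protocol, String serverName, CallbackHandler callbackHandler,
                                   FORMAT format, Charset charset, String[] ciphers, Supplier<Provider[]> providers) throws SaslException {
        super(mechanismName, protocol, serverName, callbackHandler);
        this.wrapCipher = null;
        this.unwrapCipher = null;
        this.secureRandomGenerator = new SecureRandom();
        this.hmacMD5 = getHmac();
        String messageDigestAlgorithm = DigestUtil.messageDigestAlgorithm(mechanismName);
        if (messageDigestAlgorithm == null) {
            throw ElytronMessages.log.mechMacAlgorithmNotSupported(getMechanismName(), null).toSaslException();
        }
        try {
            this.messageDigest = MessageDigest.getInstance(messageDigestAlgorithm);
            // Key derivation is always MD5-based, even for the DIGEST-SHA-* variants.
            this.digest = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw ElytronMessages.log.mechMacAlgorithmNotSupported(getMechanismName(), e).toSaslException();
        }
        this.format = format;
        this.digestURI = getProtocol() + "/" + getServerName();
        this.charset = charset != null ? charset : StandardCharsets.ISO_8859_1;
        this.providers = providers;
    }

    /**
     * Builds the comma-separated cipher list advertised in the challenge, ordered by strength.
     *
     * @param ciphers requested cipher tokens; {@link #CIPHER_OPTS} when null
     * @return the supported tokens joined by {@code ','}; empty when none are supported
     */
    public static String getSupportedCiphers(String[] ciphers) {
        String[] requested = ciphers == null ? CIPHER_OPTS : ciphers;
        DefaultTransformationMapper mapper = new DefaultTransformationMapper();
        StringBuilder joined = new StringBuilder();
        for (TransformationSpec spec : mapper.getTransformationSpecByStrength(SaslMechanismInformation.Names.DIGEST_MD5, requested)) {
            if (joined.length() > 0) {
                joined.append(DELIMITER);
            }
            joined.append(spec.getToken());
        }
        return joined.toString();
    }

    /**
     * Generates a fresh nonce: {@value #NONCE_SIZE} random bytes from {@link SecureRandom},
     * base64-encoded and returned as US-ASCII bytes.
     */
    public static byte[] generateNonce() {
        byte[] random = new byte[NONCE_SIZE];
        new SecureRandom().nextBytes(random);
        return ByteIterator.ofBytes(random).base64Encode().drainToString().getBytes(StandardCharsets.US_ASCII);
    }

    /**
     * @return whether {@code needle} equals (via {@link String#equals}) any element of {@code haystack}
     */
    public boolean arrayContains(String[] haystack, String needle) {
        for (String candidate : haystack) {
            if (needle.equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    public Charset getCharset() {
        return this.charset;
    }

    /**
     * Appends the truncated HMAC, message type and sequence number to {@code message}
     * and advances {@link #wrapSeqNum}.
     */
    public byte[] wrapIntegrityProtectedMessage(byte[] message, int offset, int length) throws SaslException {
        byte[] mac = DigestUtil.computeHMAC(this.wrapHmacKeyIntegrity, this.wrapSeqNum, this.hmacMD5, message, offset, length);
        byte[] framed = new byte[length + INTEGRITY_TRAILER_LENGTH];
        System.arraycopy(message, offset, framed, 0, length);
        System.arraycopy(mac, 0, framed, length, MAC_LENGTH);
        DigestUtil.integerByteOrdered(MESSAGE_TYPE, framed, length + MAC_LENGTH, 2);
        DigestUtil.integerByteOrdered(this.wrapSeqNum, framed, length + MAC_LENGTH + 2, 4);
        this.wrapSeqNum++;
        return framed;
    }

    /**
     * Verifies the trailer and MAC of an integrity-protected message and returns its payload.
     * A MAC mismatch yields {@code NO_BYTES} without advancing {@link #unwrapSeqNum}.
     *
     * @throws SaslException if the message is shorter than the 16-byte trailer, carries an
     *                       unexpected message type, or is out of sequence
     */
    public byte[] unwrapIntegrityProtectedMessage(byte[] message, int offset, int length) throws SaslException {
        // Without this check a truncated frame would surface as an array-index / negative-size
        // exception rather than a SaslException.
        if (length < INTEGRITY_TRAILER_LENGTH) {
            throw new SaslException(getMechanismName() + ": integrity-protected message too short (" + length + " bytes)");
        }
        int end = offset + length;
        int messageType = DigestUtil.decodeByteOrderedInteger(message, end - 6, 2);
        int sequenceNumber = DigestUtil.decodeByteOrderedInteger(message, end - 4, 4);
        if (messageType != MESSAGE_TYPE) {
            throw ElytronMessages.log.mechMessageTypeMustEqual(getMechanismName(), MESSAGE_TYPE, messageType).toSaslException();
        }
        if (sequenceNumber != this.unwrapSeqNum) {
            throw ElytronMessages.log.mechBadSequenceNumberWhileUnwrapping(getMechanismName(), this.unwrapSeqNum, sequenceNumber).toSaslException();
        }
        int payloadLength = length - INTEGRITY_TRAILER_LENGTH;
        byte[] payload = Arrays.copyOfRange(message, offset, offset + payloadLength);
        byte[] receivedMac = Arrays.copyOfRange(message, end - INTEGRITY_TRAILER_LENGTH, end - TRAILER_LENGTH);
        byte[] expectedMac = Arrays.copyOf(
                DigestUtil.computeHMAC(this.unwrapHmacKeyIntegrity, sequenceNumber, this.hmacMD5, payload, 0, payloadLength),
                MAC_LENGTH);
        // Constant-time comparison: a length/early-exit compare would leak how many MAC bytes matched.
        if (!MessageDigest.isEqual(expectedMac, receivedMac)) {
            return NO_BYTES;
        }
        this.unwrapSeqNum++;
        return payload;
    }

    /**
     * Encrypts {@code message | pad | MAC[0..9]} with {@link #wrapCipher}, appends the
     * type/sequence trailer and advances {@link #wrapSeqNum}. Padding is only added for block
     * ciphers and is 1..blockSize bytes, each holding the padding length.
     */
    public byte[] wrapConfidentialityProtectedMessage(byte[] message, int offset, int length) throws SaslException {
        byte[] mac = DigestUtil.computeHMAC(this.wrapHmacKeyIntegrity, this.wrapSeqNum, this.hmacMD5, message, offset, length);
        int blockSize = this.wrapCipher.getBlockSize();
        int padLength = blockSize > 0 ? blockSize - ((length + MAC_LENGTH) % blockSize) : 0;
        byte[] plaintext = new byte[length + padLength + MAC_LENGTH];
        System.arraycopy(message, offset, plaintext, 0, length);
        Arrays.fill(plaintext, length, length + padLength, (byte) padLength);
        System.arraycopy(mac, 0, plaintext, length + padLength, MAC_LENGTH);
        try {
            byte[] ciphertext = this.wrapCipher.update(plaintext);
            byte[] framed = new byte[ciphertext.length + TRAILER_LENGTH];
            System.arraycopy(ciphertext, 0, framed, 0, ciphertext.length);
            DigestUtil.integerByteOrdered(MESSAGE_TYPE, framed, ciphertext.length, 2);
            DigestUtil.integerByteOrdered(this.wrapSeqNum, framed, ciphertext.length + 2, 4);
            this.wrapSeqNum++;
            return framed;
        } catch (Exception e) {
            throw ElytronMessages.log.mechProblemDuringCrypt(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Decrypts a confidentiality-protected message, strips block-cipher padding, verifies the
     * MAC and returns the payload. Invalid padding and a MAC mismatch both yield {@code NO_BYTES}
     * without advancing {@link #unwrapSeqNum}; the two are deliberately not distinguished.
     *
     * @throws SaslException if the message is shorter than the 6-byte trailer, carries an
     *                       unexpected message type, is out of sequence, decryption fails, or
     *                       the decrypted data cannot even hold the MAC
     */
    public byte[] unwrapConfidentialityProtectedMessage(byte[] message, int offset, int length) throws SaslException {
        if (length < TRAILER_LENGTH) {
            throw new SaslException(getMechanismName() + ": confidentiality-protected message too short (" + length + " bytes)");
        }
        int end = offset + length;
        int messageType = DigestUtil.decodeByteOrderedInteger(message, end - 6, 2);
        int sequenceNumber = DigestUtil.decodeByteOrderedInteger(message, end - 4, 4);
        if (messageType != MESSAGE_TYPE) {
            throw ElytronMessages.log.mechMessageTypeMustEqual(getMechanismName(), MESSAGE_TYPE, messageType).toSaslException();
        }
        if (sequenceNumber != this.unwrapSeqNum) {
            throw ElytronMessages.log.mechBadSequenceNumberWhileUnwrapping(getMechanismName(), this.unwrapSeqNum, sequenceNumber).toSaslException();
        }
        byte[] decrypted;
        try {
            decrypted = this.unwrapCipher.update(message, offset, length - TRAILER_LENGTH);
        } catch (Exception e) {
            throw ElytronMessages.log.mechProblemDuringDecrypt(getMechanismName(), e).toSaslException();
        }
        // Cipher.update returns null when a block cipher has not yet received a full block.
        if (decrypted == null || decrypted.length < MAC_LENGTH) {
            throw new SaslException(getMechanismName() + ": decrypted message too short to hold the MAC");
        }
        int bodyLength = decrypted.length - MAC_LENGTH;
        byte[] receivedMac = Arrays.copyOfRange(decrypted, bodyLength, decrypted.length);
        int payloadLength = bodyLength;
        int blockSize = this.unwrapCipher.getBlockSize();
        if (blockSize > 0) {
            // The wrap side emits 1..blockSize pad bytes each equal to the pad length, so the
            // last byte before the MAC tells us exactly how much to strip. Scanning for a run of
            // equal bytes instead (the previous approach) eats payload bytes that happen to
            // equal the pad value, cannot represent a full-block pad, and runs off the front of
            // an all-padding (empty payload) message.
            if (bodyLength < 1) {
                return NO_BYTES;
            }
            int padLength = decrypted[bodyLength - 1] & 0xff;
            if (padLength < 1 || padLength > blockSize || padLength > bodyLength) {
                return NO_BYTES;
            }
            payloadLength = bodyLength - padLength;
        }
        byte[] payload = Arrays.copyOf(decrypted, payloadLength);
        byte[] expectedMac = Arrays.copyOf(
                DigestUtil.computeHMAC(this.unwrapHmacKeyIntegrity, sequenceNumber, this.hmacMD5, payload, 0, payloadLength),
                MAC_LENGTH);
        // Constant-time comparison; see unwrapIntegrityProtectedMessage.
        if (!MessageDigest.isEqual(expectedMac, receivedMac)) {
            return NO_BYTES;
        }
        this.unwrapSeqNum++;
        return payload;
    }

    /**
     * Derives both integrity keys and, when a cipher was negotiated, both confidentiality ciphers.
     * Requires {@link #hA1} and {@link #cipher} to be set.
     */
    public void createCiphersAndKeys() throws SaslException {
        this.wrapHmacKeyIntegrity = createIntegrityKey(true);
        this.unwrapHmacKeyIntegrity = createIntegrityKey(false);
        if (this.cipher == null || this.cipher.isEmpty()) {
            return;
        }
        this.wrapCipher = createCipher(true);
        this.unwrapCipher = createCipher(false);
    }

    /**
     * Integrity key = MD5(H(A1) | magic), where the magic string depends on role and direction:
     * a client's wrap key is the server's unwrap key and vice versa.
     *
     * @param forWrap true for the sending direction, false for receiving
     */
    protected byte[] createIntegrityKey(boolean forWrap) {
        boolean clientToServer = forWrap == (this.format == FORMAT.CLIENT);
        ByteStringBuilder material = new ByteStringBuilder(this.hA1);
        material.append(clientToServer ? CLIENT_MAGIC_INTEGRITY : SERVER_MAGIC_INTEGRITY);
        this.digest.reset();
        return this.digest.digest(material.toArray());
    }

    /**
     * Builds an initialised cipher for one direction. The key is MD5(prefix(H(A1)) | magic),
     * where the prefix length is shortened for the rc4-40/rc4-56 variants; DES and 3DES take
     * their IV from bytes 8..15 of that digest.
     *
     * @param forWrap true for an encrypting cipher, false for a decrypting one
     * @throws SaslException for an unknown cipher token or any JCE failure
     */
    protected Cipher createCipher(boolean forWrap) throws SaslException {
        boolean clientToServer = forWrap == (this.format == FORMAT.CLIENT);
        ByteStringBuilder material = new ByteStringBuilder();
        material.append(this.hA1, 0, gethA1PrefixLength(this.cipher));
        material.append(clientToServer ? CLIENT_MAGIC_CONFIDENTIALITY : SERVER_MAGIC_CONFIDENTIALITY);
        this.digest.reset();
        byte[] keyMaterial = this.digest.digest(material.toArray());
        try {
            Cipher jceCipher = Cipher.getInstance(
                    new DefaultTransformationMapper().getTransformationSpec(SaslMechanismInformation.Names.DIGEST_MD5, this.cipher).getTransformation());
            // Key algorithm is the transformation name up to the first '/', e.g. "DES" from "DES/CBC/NoPadding".
            String algorithm = jceCipher.getAlgorithm();
            int slash = algorithm.indexOf('/');
            String keyAlgorithm = slash > -1 ? algorithm.substring(0, slash) : algorithm;
            SecretKey key;
            byte[] iv = null;
            if (this.cipher.startsWith("rc")) {
                key = new SecretKeySpec(keyMaterial.clone(), keyAlgorithm);
            } else if (this.cipher.equals("des")) {
                key = DigestUtil.createDesSecretKey(Arrays.copyOf(keyMaterial, 7));
                iv = Arrays.copyOfRange(keyMaterial, 8, 16);
            } else if (this.cipher.equals("3des")) {
                key = DigestUtil.create3desSecretKey(Arrays.copyOf(keyMaterial, 14));
                iv = Arrays.copyOfRange(keyMaterial, 8, 16);
            } else {
                throw ElytronMessages.log.mechUnknownCipher(getMechanismName(), this.cipher).toSaslException();
            }
            int mode = forWrap ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE;
            if (iv != null) {
                jceCipher.init(mode, key, new IvParameterSpec(iv), this.secureRandomGenerator);
            } else {
                jceCipher.init(mode, key, this.secureRandomGenerator);
            }
            return jceCipher;
        } catch (Exception e) {
            throw ElytronMessages.log.mechProblemGettingRequiredCipher(getMechanismName(), e).toSaslException();
        } finally {
            // Every key constructor above copies its input, so the derived material can be scrubbed.
            Arrays.fill(keyMaterial, (byte) 0);
        }
    }

    /** Number of leading H(A1) bytes that feed the sealing key: 5 for rc4-40, 7 for rc4-56, all 16 otherwise. */
    private int gethA1PrefixLength(String cipherToken) {
        switch (cipherToken) {
            case "rc4-40":
                return 5;
            case "rc4-56":
                return 7;
            default:
                return 16;
        }
    }

    private Mac getHmac() throws SaslException {
        try {
            return Mac.getInstance(DigestUtil.HMAC_algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw ElytronMessages.log.mechMacAlgorithmNotSupported(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Asks the callback handler for an already-digested password credential matching this
     * mechanism's digest algorithm.
     *
     * @return the stored digest, or null when the handler does not support credential callbacks
     * @throws SaslException if the handler rejects the name callback or fails otherwise
     */
    public byte[] getPredigestedSaltedPassword(RealmCallback realmCallback, NameCallback nameCallback) throws SaslException {
        CredentialCallback credentialCallback = new CredentialCallback(PasswordCredential.class, passwordAlgorithm(getMechanismName()));
        try {
            tryHandleCallbacks(realmCallback, nameCallback, credentialCallback);
            return credentialCallback.applyToCredential(PasswordCredential.class,
                    credential -> credential.getPassword().castAndApply(DigestPassword.class, DigestPassword::getDigest));
        } catch (UnsupportedCallbackException e) {
            if (e.getCallback() == credentialCallback) {
                return null;
            }
            if (e.getCallback() == nameCallback) {
                throw ElytronMessages.log.mechCallbackHandlerDoesNotSupportUserName(getMechanismName(), e).toSaslException();
            }
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Obtains a clear (two-way) password from the callback handler and digests it together
     * with the user name and realm. The password characters are zeroed and the credential
     * destroyed before returning, on every path.
     *
     * @param useDefaults when true, the callbacks' default name/realm are used instead of the values set by the handler
     * @return the user:realm:password digest, or null when the handler does not support credential callbacks
     */
    public byte[] getSaltedPasswordFromTwoWay(RealmCallback realmCallback, NameCallback nameCallback, boolean useDefaults) throws SaslException {
        CredentialCallback credentialCallback = new CredentialCallback(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR);
        try {
            tryHandleCallbacks(realmCallback, nameCallback, credentialCallback);
            TwoWayPassword twoWayPassword = credentialCallback.applyToCredential(PasswordCredential.class,
                    credential -> credential.getPassword().castAs(TwoWayPassword.class));
            char[] passwordChars = null;
            try {
                passwordChars = org.wildfly.security.mechanism.digest.DigestUtil.getTwoWayPasswordChars(getMechanismName(), twoWayPassword, this.providers);
                try {
                    twoWayPassword.destroy();
                } catch (DestroyFailedException e) {
                    ElytronMessages.log.credentialDestroyingFailed(e);
                }
                String userName = useDefaults ? nameCallback.getDefaultName() : nameCallback.getName();
                String realm = useDefaults ? realmCallback.getDefaultText() : realmCallback.getText();
                return org.wildfly.security.mechanism.digest.DigestUtil.userRealmPasswordDigest(this.messageDigest, userName, realm, passwordChars);
            } catch (AuthenticationMechanismException e) {
                throw e.toSaslException();
            } finally {
                // Scrub even when digesting throws, not only on the success path.
                if (passwordChars != null) {
                    Arrays.fill(passwordChars, (char) 0);
                }
            }
        } catch (UnsupportedCallbackException e) {
            if (e.getCallback() == credentialCallback) {
                return null;
            }
            if (e.getCallback() == nameCallback) {
                throw ElytronMessages.log.mechCallbackHandlerDoesNotSupportUserName(getMechanismName(), e).toSaslException();
            }
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Obtains the password through a plain {@link PasswordCallback} and digests it with the
     * user name and realm. The callback's copy is cleared immediately and the working copy is
     * zeroed before returning, on every path.
     *
     * @param useDefaults when true, the callbacks' default name/realm are used instead of the values set by the handler
     * @return the user:realm:password digest, or null when the handler does not support password callbacks
     * @throws SaslException if no password was supplied, or no user name is available when defaults are not used
     */
    public byte[] getSaltedPasswordFromPasswordCallback(RealmCallback realmCallback, NameCallback nameCallback, boolean useDefaults) throws SaslException {
        PasswordCallback passwordCallback = new PasswordCallback("User password", false);
        try {
            tryHandleCallbacks(realmCallback, nameCallback, passwordCallback);
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null) {
                throw ElytronMessages.log.mechNoPasswordGiven(getMechanismName()).toSaslException();
            }
            try {
                if (!useDefaults && nameCallback.getName() == null) {
                    throw ElytronMessages.log.mechNotProvidedUserName(getMechanismName()).toSaslException();
                }
                String userName = useDefaults ? nameCallback.getDefaultName() : nameCallback.getName();
                String realm = useDefaults ? realmCallback.getDefaultText() : realmCallback.getText();
                return org.wildfly.security.mechanism.digest.DigestUtil.userRealmPasswordDigest(this.messageDigest, userName, realm, password);
            } finally {
                Arrays.fill(password, (char) 0);
            }
        } catch (UnsupportedCallbackException e) {
            if (e.getCallback() == passwordCallback) {
                return null;
            }
            if (e.getCallback() == nameCallback) {
                throw ElytronMessages.log.mechCallbackHandlerDoesNotSupportUserName(getMechanismName(), e).toSaslException();
            }
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Maps a DIGEST-* mechanism name to the {@link DigestPassword} algorithm used to store
     * pre-digested credentials for it.
     *
     * @throws IllegalStateException (via {@link Assert#impossibleSwitchCase}) for any other mechanism name
     */
    private String passwordAlgorithm(String mechanismName) {
        switch (mechanismName) {
            case SaslMechanismInformation.Names.DIGEST_SHA:
                return DigestPassword.ALGORITHM_DIGEST_SHA;
            case SaslMechanismInformation.Names.DIGEST_SHA_256:
                return DigestPassword.ALGORITHM_DIGEST_SHA_256;
            case SaslMechanismInformation.Names.DIGEST_SHA_384:
                return DigestPassword.ALGORITHM_DIGEST_SHA_384;
            case SaslMechanismInformation.Names.DIGEST_SHA_512:
                return DigestPassword.ALGORITHM_DIGEST_SHA_512;
            case SaslMechanismInformation.Names.DIGEST_MD5:
                return DigestPassword.ALGORITHM_DIGEST_MD5;
            default:
                throw Assert.impossibleSwitchCase(mechanismName);
        }
    }
}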
