package org.wildfly.security.sasl.entity;

import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslException;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.asn1.ASN1Exception;
import org.wildfly.security.asn1.DERDecoder;
import org.wildfly.security.asn1.DEREncoder;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.callback.TrustedAuthoritiesCallback;
import org.wildfly.security.credential.X509CertificateChainPrivateCredential;
import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;
import org.wildfly.security.sasl.util.AbstractSaslClient;
import org.wildfly.security.x500.GeneralName;
import org.wildfly.security.x500.TrustedAuthority;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.2.4.Final.jar:org/wildfly/security/sasl/entity/EntitySaslClient.class */
/**
 * Client side of the SASL "entity" (certificate-based) mechanism family.
 *
 * <p>The exchange has two client states: in state 1 the server's first token is
 * parsed and a signed client token is produced; in state 2 the server's
 * authentication token is verified when {@code mutual} is set, otherwise any
 * non-empty server data is rejected. The token layout handled here appears to
 * follow the RFC 3163 structures (TokenBA1 / TokenAB / TokenBA2) — confirm
 * against the server-side implementation.
 *
 * <p>Not intended for concurrent use: negotiation state, the random values and
 * the shared {@link Signature} instance all live in mutable fields.
 */
final class EntitySaslClient extends AbstractSaslClient {
    // Negotiation states. evaluateMessage() switches on the literal values 1 and 2
    // rather than on these constants; init() enters state 1.
    private static final int ST_CHALLENGE_RESPONSE = 1;
    private static final int ST_RESPONSE_SENT = 2;
    private final SecureRandom secureRandom;   // random source handed to EntityUtil.encodeRandomNumber for randomA
    private final Signature signature;         // used both to sign (state 1) and, when mutual, to verify (state 2)
    private final boolean mutual;              // whether a server authentication token is expected in state 2
    private final String serverName;           // the only server identity accepted as entityB; may be null or empty
    private byte[] randomA;                    // client random, generated in state 1
    private byte[] randomB;                    // server random, decoded from the first server token
    private X509Certificate[] clientCertChain; // chain obtained via CredentialCallback in state 1; cleared by dispose()

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a client for one negotiation.
     *
     * @param str forwarded to {@link AbstractSaslClient}; presumably the mechanism name — confirm
     * @param z whether mutual authentication is expected (kept as {@code mutual})
     * @param signature the signature engine used for signing and verifying
     * @param secureRandom the random source used to generate randomA
     * @param str2 forwarded to {@link AbstractSaslClient}; presumably the protocol — confirm
     * @param str3 the server name; forwarded to the superclass and also kept as {@code serverName}
     * @param callbackHandler forwarded to the superclass; presumably backs handleCallbacks()/tryHandleCallbacks() — confirm
     * @param str4 forwarded to {@link AbstractSaslClient}; presumably the authorization id returned by getAuthorizationId() — confirm
     */
    public EntitySaslClient(String str, boolean z, Signature signature, SecureRandom secureRandom, String str2, String str3, CallbackHandler callbackHandler, String str4) {
        // The literal false presumably disables a security layer (no wrapping) — confirm in AbstractSaslClient.
        super(str, str2, str3, callbackHandler, str4, false, ElytronMessages.saslEntity);
        this.signature = signature;
        this.secureRandom = secureRandom;
        this.mutual = z;
        this.serverName = str3;
    }

    /** Starts the exchange by entering state 1 (the value of ST_CHALLENGE_RESPONSE). */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(1);
    }

    /**
     * Advances the exchange by one server message.
     *
     * <p>State 1: decodes {@code SEQUENCE { randomB, [0] serverNames OPTIONAL, [1] trustedAuthorities OPTIONAL }},
     * checks the server names against {@code serverName}, obtains the client certificate chain and
     * private key from the callback handler, and returns a token containing randomA, the optional
     * server names, the certificate chain, the optional authorization id and a signature over
     * {@code SEQUENCE { randomA, randomB, [0] serverNames OPTIONAL, [1] authId OPTIONAL }}; then moves to state 2.
     *
     * <p>State 2: when {@code mutual}, decodes the server's token, has the callback handler verify the
     * server's certificate chain, verifies the server's signature with the leaf certificate, and
     * completes; when not mutual, rejects any non-empty input and completes.
     *
     * @param i the current negotiation state (1 or 2)
     * @param bArr the server's message bytes
     * @return the client token in state 1; {@code null} once negotiation completes in state 2
     * @throws SaslException on a malformed server message, a missing certificate chain or private key,
     *         an unsupported callback, a server or client identity mismatch, a signature failure, or
     *         when the server's certificate chain is not verified
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        switch (i) {
            case 1:
                // NOTE(review): bArr is passed to DERDecoder without a null check — confirm how DERDecoder treats null.
                DERDecoder dERDecoder = new DERDecoder(bArr);
                List<TrustedAuthority> list = null;
                ArrayList arrayList = null;
                try {
                    dERDecoder.startSequence();
                    this.randomB = dERDecoder.decodeOctetString();
                    // The configured serverName is the only server identity this client will accept.
                    if (this.serverName != null && !this.serverName.isEmpty()) {
                        arrayList = new ArrayList(1);
                        arrayList.add(new GeneralName.DNSName(this.serverName));
                    }
                    // Optional [0]: names the server asserts for itself. They are only checked when a
                    // serverName is configured; without one, any asserted names are accepted.
                    if (dERDecoder.isNextType(128, 0, true)) {
                        dERDecoder.decodeImplicit(0);
                        List<GeneralName> decodeGeneralNames = EntityUtil.decodeGeneralNames(dERDecoder);
                        if (arrayList != null && !EntityUtil.matchGeneralNames(decodeGeneralNames, arrayList)) {
                            throw ElytronMessages.saslEntity.mechServerIdentifierMismatch().toSaslException();
                        }
                    }
                    // Optional [1]: the server's trusted authorities, passed on to the callback handler below.
                    if (dERDecoder.isNextType(128, 1, true)) {
                        dERDecoder.decodeImplicit(1);
                        list = EntityUtil.decodeTrustedAuthorities(dERDecoder);
                    }
                    dERDecoder.endSequence();
                    DEREncoder dEREncoder = new DEREncoder();
                    try {
                        dEREncoder.startSequence();
                        // randomA is both written into the token and kept for the signed data (and for state 2).
                        this.randomA = EntityUtil.encodeRandomNumber(dEREncoder, this.secureRandom);
                        if (arrayList != null) {
                            dEREncoder.encodeImplicit(0);
                            EntityUtil.encodeGeneralNames(dEREncoder, arrayList);
                        }
                        dEREncoder.startExplicit(1);
                        TrustedAuthoritiesCallback trustedAuthoritiesCallback = new TrustedAuthoritiesCallback();
                        trustedAuthoritiesCallback.setTrustedAuthorities(list);
                        // The requested key type is derived from the configured signature algorithm,
                        // presumably so the handler returns a key usable with it — confirm in Entity.keyType.
                        CredentialCallback credentialCallback = new CredentialCallback(X509CertificateChainPrivateCredential.class, Entity.keyType(this.signature.getAlgorithm()));
                        try {
                            tryHandleCallbacks(trustedAuthoritiesCallback, credentialCallback);
                            X509CertificateChainPrivateCredential x509CertificateChainPrivateCredential = (X509CertificateChainPrivateCredential) credentialCallback.getCredential(X509CertificateChainPrivateCredential.class);
                            if (x509CertificateChainPrivateCredential == null) {
                                throw ElytronMessages.saslEntity.mechCallbackHandlerNotProvidedClientCertificate().toSaslException();
                            }
                            this.clientCertChain = x509CertificateChainPrivateCredential.getCertificateChain();
                            if (this.clientCertChain == null || this.clientCertChain.length <= 0) {
                                throw ElytronMessages.saslEntity.mechCallbackHandlerNotProvidedClientCertificate().toSaslException();
                            }
                            EntityUtil.encodeX509CertificateChain(dEREncoder, this.clientCertChain);
                            PrivateKey privateKey = x509CertificateChainPrivateCredential.getPrivateKey();
                            dEREncoder.endExplicit();
                            // Optional [2]: the authorization id is carried as a DirectoryName and is also
                            // covered by the signature below.
                            String authorizationId = getAuthorizationId();
                            ArrayList arrayList2 = null;
                            if (authorizationId != null) {
                                dEREncoder.encodeImplicit(2);
                                arrayList2 = new ArrayList(1);
                                arrayList2.add(new GeneralName.DirectoryName(authorizationId));
                                EntityUtil.encodeGeneralNames(dEREncoder, arrayList2);
                            }
                            // The missing-key check comes after the token has been partially built; the
                            // partial token is discarded with the exception.
                            if (privateKey == null) {
                                throw ElytronMessages.saslEntity.mechCallbackHandlerNotProvidedPrivateKey().toSaslException();
                            }
                            // Data to be signed (TBSDataAB in RFC 3163 naming, unconfirmed):
                            // SEQUENCE { randomA, randomB, [0] serverNames OPTIONAL, [1] authId OPTIONAL }.
                            DEREncoder dEREncoder2 = new DEREncoder();
                            dEREncoder2.startSequence();
                            dEREncoder2.encodeOctetString(this.randomA);
                            dEREncoder2.encodeOctetString(this.randomB);
                            if (arrayList != null) {
                                dEREncoder2.encodeImplicit(0);
                                EntityUtil.encodeGeneralNames(dEREncoder2, arrayList);
                            }
                            if (arrayList2 != null) {
                                dEREncoder2.encodeImplicit(1);
                                EntityUtil.encodeGeneralNames(dEREncoder2, arrayList2);
                            }
                            dEREncoder2.endSequence();
                            try {
                                this.signature.initSign(privateKey);
                                this.signature.update(dEREncoder2.getEncoded());
                                byte[] sign = this.signature.sign();
                                // Trailing SEQUENCE { algorithmIdentifier, signature BIT STRING }.
                                dEREncoder.startSequence();
                                EntityUtil.encodeAlgorithmIdentifier(dEREncoder, this.signature.getAlgorithm());
                                dEREncoder.encodeBitString(sign);
                                dEREncoder.endSequence();
                                dEREncoder.endSequence();
                                setNegotiationState(2);
                                return dEREncoder.getEncoded();
                            } catch (InvalidKeyException | SignatureException e) {
                                throw ElytronMessages.saslEntity.mechUnableToCreateSignature(e).toSaslException();
                            }
                        } catch (UnsupportedCallbackException e2) {
                            // A handler that cannot serve either callback is reported as "no client certificate".
                            throw ElytronMessages.saslEntity.mechCallbackHandlerNotProvidedClientCertificate().toSaslException();
                        }
                    } catch (ASN1Exception e3) {
                        // Encoding failures while building the client token.
                        throw ElytronMessages.saslEntity.mechUnableToCreateResponseToken(e3).toSaslException();
                    }
                } catch (ASN1Exception e4) {
                    // Decoding failures in the server's first token.
                    throw ElytronMessages.saslEntity.mechInvalidServerMessageWithCause(e4).toSaslException();
                }
            case 2:
                if (this.mutual) {
                    DERDecoder dERDecoder2 = new DERDecoder(bArr);
                    List<GeneralName> list2 = null;
                    try {
                        dERDecoder2.startSequence();
                        // The server's random (randomC in RFC 3163 naming, unconfirmed).
                        byte[] decodeOctetString = dERDecoder2.decodeOctetString();
                        // Optional [0]: the names the server claims for this client; they must match the
                        // certificate this client actually presented in state 1.
                        if (dERDecoder2.isNextType(128, 0, true)) {
                            dERDecoder2.decodeImplicit(0);
                            list2 = EntityUtil.decodeGeneralNames(dERDecoder2);
                            if (!EntityUtil.matchGeneralNames(list2, getClientCertificate())) {
                                throw ElytronMessages.saslEntity.mechClientIdentifierMismatch().toSaslException();
                            }
                        }
                        // Explicit [1]: the server's certificate data, wrapped as evidence for the handler to verify.
                        dERDecoder2.startExplicit(1);
                        X509PeerCertificateChainEvidence x509PeerCertificateChainEvidence = new X509PeerCertificateChainEvidence(EntityUtil.decodeCertificateData(dERDecoder2));
                        dERDecoder2.endExplicit();
                        X509Certificate firstCertificate = x509PeerCertificateChainEvidence.getFirstCertificate();
                        EvidenceVerifyCallback evidenceVerifyCallback = new EvidenceVerifyCallback(x509PeerCertificateChainEvidence);
                        // Trust in the server's chain is decided entirely by the callback handler; an
                        // unverified result fails closed. Unlike state 1 this uses handleCallbacks(), so an
                        // unsupported callback is presumably surfaced as-is — confirm in AbstractSaslParticipant.
                        handleCallbacks(evidenceVerifyCallback);
                        if (!evidenceVerifyCallback.isVerified()) {
                            throw ElytronMessages.saslEntity.mechServerAuthenticityCannotBeVerified().toSaslException();
                        }
                        // SEQUENCE { algorithmIdentifier, signature BIT STRING }: the server's declared
                        // algorithm identifier is skipped, so verification always uses this client's
                        // configured signature algorithm rather than one chosen by the server.
                        dERDecoder2.startSequence();
                        dERDecoder2.skipElement();
                        byte[] decodeBitString = dERDecoder2.decodeBitString();
                        dERDecoder2.endSequence();
                        // Data the server is expected to have signed: SEQUENCE { randomB, randomA, randomC, clientNames }.
                        DEREncoder dEREncoder3 = new DEREncoder();
                        dEREncoder3.startSequence();
                        dEREncoder3.encodeOctetString(this.randomB);
                        dEREncoder3.encodeOctetString(this.randomA);
                        dEREncoder3.encodeOctetString(decodeOctetString);
                        // NOTE(review): the client names are encoded here without an implicit tag, unlike the
                        // [0]/[1] tagging applied in the client's own signed data in state 1 — confirm this
                        // matches the form the server signs.
                        if (list2 != null) {
                            EntityUtil.encodeGeneralNames(dEREncoder3, list2);
                        }
                        dEREncoder3.endSequence();
                        try {
                            // Verified with the leaf of the chain the server sent; its trustworthiness was
                            // established by the EvidenceVerifyCallback above.
                            this.signature.initVerify(firstCertificate);
                            this.signature.update(dEREncoder3.getEncoded());
                            if (!this.signature.verify(decodeBitString)) {
                                // The only path that explicitly marks the negotiation as failed (-1) before throwing.
                                setNegotiationState(-1);
                                throw ElytronMessages.saslEntity.mechServerAuthenticityCannotBeVerified().toSaslException();
                            }
                            dERDecoder2.endSequence();
                        } catch (InvalidKeyException | SignatureException e5) {
                            throw ElytronMessages.saslEntity.mechUnableToVerifyServerSignature(e5).toSaslException();
                        }
                    } catch (ASN1Exception e6) {
                        throw ElytronMessages.saslEntity.mechInvalidServerMessageWithCause(e6).toSaslException();
                    }
                } else if (bArr != null && bArr.length != 0) {
                    // Without mutual authentication the server must not send any further data.
                    throw ElytronMessages.saslEntity.mechServerSentExtraMessage().toSaslException();
                }
                negotiationComplete();
                return null;
            default:
                throw Assert.impossibleSwitchCase(i);
        }
    }

    /**
     * Releases the client certificate chain.
     * NOTE(review): randomA and randomB are not cleared here and remain referenced until the instance is collected.
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
        this.clientCertChain = null;
    }

    /**
     * Returns the leaf (first) certificate of the chain presented in state 1.
     *
     * @return the first element of {@code clientCertChain}
     * @throws SaslException if no chain has been obtained; note that the message used is the
     *         "server certificate not provided" one, which reads oddly for a client-side lookup
     */
    private X509Certificate getClientCertificate() throws SaslException {
        if (this.clientCertChain == null || this.clientCertChain.length == 0) {
            throw ElytronMessages.saslEntity.mechCallbackHandlerNotProvidedServerCertificate().toSaslException();
        }
        return this.clientCertChain[0];
    }
}
