package org.opends.server.extensions;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.locks.Lock;
import org.opends.messages.ExtensionMessages;
import org.opends.messages.Message;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.CramMD5SASLMechanismHandlerCfg;
import org.opends.server.admin.std.server.SASLMechanismHandlerCfg;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.config.ConfigException;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.asn1.ASN1OctetString;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.ByteString;
import org.opends.server.types.ConfigChangeResult;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.LockManager;
import org.opends.server.types.ResultCode;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/CRAMMD5SASLMechanismHandler.class */
public class CRAMMD5SASLMechanismHandler extends SASLMechanismHandler<CramMD5SASLMechanismHandlerCfg> implements ConfigurationChangeListener<CramMD5SASLMechanismHandlerCfg> {
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    private byte[] iPad;
    private byte[] oPad;
    private CramMD5SASLMechanismHandlerCfg currentConfig;
    private IdentityMapper<?> identityMapper;
    private MessageDigest md5Digest;
    private Object digestLock;
    private SecureRandom randomGenerator;

    @Override // org.opends.server.api.SASLMechanismHandler
    public void initializeSASLMechanismHandler(CramMD5SASLMechanismHandlerCfg cramMD5SASLMechanismHandlerCfg) throws ConfigException, InitializationException {
        cramMD5SASLMechanismHandlerCfg.addCramMD5ChangeListener(this);
        this.currentConfig = cramMD5SASLMechanismHandlerCfg;
        this.digestLock = new Object();
        this.randomGenerator = new SecureRandom();
        try {
            this.md5Digest = MessageDigest.getInstance("MD5");
            this.iPad = new byte[64];
            this.oPad = new byte[64];
            Arrays.fill(this.iPad, (byte) 54);
            Arrays.fill(this.oPad, (byte) 92);
            this.identityMapper = DirectoryServer.getIdentityMapper(cramMD5SASLMechanismHandlerCfg.getIdentityMapperDN());
            DirectoryServer.registerSASLMechanismHandler(ServerConstants.SASL_MECHANISM_CRAM_MD5, this);
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            throw new InitializationException(ExtensionMessages.ERR_SASLCRAMMD5_CANNOT_GET_MESSAGE_DIGEST.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    @Override // org.opends.server.api.SASLMechanismHandler
    public void finalizeSASLMechanismHandler() {
        this.currentConfig.removeCramMD5ChangeListener(this);
        DirectoryServer.deregisterSASLMechanismHandler(ServerConstants.SASL_MECHANISM_CRAM_MD5);
    }

    @Override // org.opends.server.api.SASLMechanismHandler
    public void processSASLBind(BindOperation bindOperation) {
        Entry entry;
        ASN1OctetString sASLCredentials = bindOperation.getSASLCredentials();
        ClientConnection clientConnection = bindOperation.getClientConnection();
        if (sASLCredentials == null) {
            byte[] bArr = new byte[16];
            this.randomGenerator.nextBytes(bArr);
            StringBuilder sb = new StringBuilder(18);
            sb.append('<');
            for (byte b : bArr) {
                sb.append(StaticUtils.byteToLowerHex(b));
            }
            sb.append('>');
            ASN1OctetString aSN1OctetString = new ASN1OctetString(sb.toString());
            clientConnection.setSASLAuthStateInfo(aSN1OctetString);
            bindOperation.setServerSASLCredentials(aSN1OctetString);
            bindOperation.setResultCode(ResultCode.SASL_BIND_IN_PROGRESS);
            return;
        }
        Object sASLAuthStateInfo = clientConnection.getSASLAuthStateInfo();
        if (sASLAuthStateInfo == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_NO_STORED_CHALLENGE.get());
            return;
        }
        if (!(sASLAuthStateInfo instanceof ASN1OctetString)) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_INVALID_STORED_CHALLENGE.get());
            return;
        }
        ASN1OctetString aSN1OctetString2 = (ASN1OctetString) sASLAuthStateInfo;
        clientConnection.setSASLAuthStateInfo(null);
        String stringValue = sASLCredentials.stringValue();
        int lastIndexOf = stringValue.lastIndexOf(32);
        if (lastIndexOf < 0) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_NO_SPACE_IN_CREDENTIALS.get());
            return;
        }
        String substring = stringValue.substring(0, lastIndexOf);
        String substring2 = stringValue.substring(lastIndexOf + 1);
        if (substring2.length() != 32) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_INVALID_DIGEST_LENGTH.get(Integer.valueOf(substring2.length()), 32));
            return;
        }
        try {
            byte[] hexStringToByteArray = StaticUtils.hexStringToByteArray(substring2);
            String lowerCase = StaticUtils.toLowerCase(substring);
            if (lowerCase.startsWith("dn:")) {
                try {
                    DN decode = DN.decode(substring.substring(3));
                    if (decode.isNullDN()) {
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_USERNAME_IS_NULL_DN.get());
                        return;
                    }
                    DN actualRootBindDN = DirectoryServer.getActualRootBindDN(decode);
                    if (actualRootBindDN != null) {
                        decode = actualRootBindDN;
                    }
                    Lock lock = null;
                    for (int i = 0; i < 3; i++) {
                        lock = LockManager.lockRead(decode);
                        if (lock != null) {
                            break;
                        }
                    }
                    if (lock == null) {
                        bindOperation.setResultCode(DirectoryServer.getServerErrorResultCode());
                        bindOperation.setAuthFailureReason(ExtensionMessages.INFO_SASLCRAMMD5_CANNOT_LOCK_ENTRY.get(String.valueOf(decode)));
                        return;
                    }
                    try {
                        try {
                            entry = DirectoryServer.getEntry(decode);
                            LockManager.unlock(decode, lock);
                        } catch (DirectoryException e) {
                            if (DebugLogger.debugEnabled()) {
                                TRACER.debugCaught(DebugLogLevel.ERROR, e);
                            }
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_CANNOT_GET_ENTRY_BY_DN.get(String.valueOf(decode), e.getMessageObject()));
                            LockManager.unlock(decode, lock);
                            return;
                        }
                    } catch (Throwable th) {
                        LockManager.unlock(decode, lock);
                        throw th;
                    }
                } catch (DirectoryException e2) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, e2);
                    }
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_CANNOT_DECODE_USERNAME_AS_DN.get(substring, e2.getMessageObject()));
                    return;
                }
            } else {
                if (lowerCase.startsWith("u:")) {
                    substring = substring.substring(2);
                }
                try {
                    entry = this.identityMapper.getEntryForID(substring);
                } catch (DirectoryException e3) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, e3);
                    }
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_CANNOT_MAP_USERNAME.get(String.valueOf(substring), e3.getMessageObject()));
                    return;
                }
            }
            if (entry == null) {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_NO_MATCHING_ENTRIES.get(substring));
                return;
            }
            bindOperation.setSASLAuthUserEntry(entry);
            try {
                List<ByteString> clearPasswords = new PasswordPolicyState(entry, false).getClearPasswords();
                if (clearPasswords == null || clearPasswords.isEmpty()) {
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_NO_REVERSIBLE_PASSWORDS.get(String.valueOf(entry.getDN())));
                    return;
                }
                boolean z = false;
                Iterator<ByteString> it = clearPasswords.iterator();
                while (true) {
                    if (it.hasNext()) {
                        if (Arrays.equals(hexStringToByteArray, generateDigest(it.next(), aSN1OctetString2))) {
                            z = true;
                            break;
                        }
                    } else {
                        break;
                    }
                }
                if (z) {
                    bindOperation.setResultCode(ResultCode.SUCCESS);
                    bindOperation.setAuthenticationInfo(new AuthenticationInfo(entry, ServerConstants.SASL_MECHANISM_CRAM_MD5, DirectoryServer.isRootDN(entry.getDN())));
                } else {
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_INVALID_PASSWORD.get());
                }
            } catch (Exception e4) {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_CANNOT_GET_REVERSIBLE_PASSWORDS.get(String.valueOf(entry.getDN()), String.valueOf(e4)));
            }
        } catch (ParseException e5) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e5);
            }
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLCRAMMD5_INVALID_DIGEST_CONTENT.get(e5.getMessage()));
        }
    }

    private byte[] generateDigest(ByteString byteString, ByteString byteString2) {
        byte[] digest;
        byte[] value = byteString.value();
        byte[] value2 = byteString2.value();
        synchronized (this.digestLock) {
            if (value.length > 64) {
                value = this.md5Digest.digest(value);
            }
            byte[] bArr = new byte[64 + value2.length];
            System.arraycopy(this.iPad, 0, bArr, 0, 64);
            System.arraycopy(value2, 0, bArr, 64, value2.length);
            byte[] bArr2 = new byte[80];
            System.arraycopy(this.oPad, 0, bArr2, 0, 64);
            for (int i = 0; i < value.length; i++) {
                int i2 = i;
                bArr[i2] = (byte) (bArr[i2] ^ value[i]);
                int i3 = i;
                bArr2[i3] = (byte) (bArr2[i3] ^ value[i]);
            }
            System.arraycopy(this.md5Digest.digest(bArr), 0, bArr2, 64, 16);
            digest = this.md5Digest.digest(bArr2);
        }
        return digest;
    }

    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isPasswordBased(String str) {
        return true;
    }

    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isSecure(String str) {
        return true;
    }

    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isConfigurationAcceptable(SASLMechanismHandlerCfg sASLMechanismHandlerCfg, List<Message> list) {
        return isConfigurationChangeAcceptable2((CramMD5SASLMechanismHandlerCfg) sASLMechanismHandlerCfg, list);
    }

    /* renamed from: isConfigurationChangeAcceptable, reason: avoid collision after fix types in other method */
    public boolean isConfigurationChangeAcceptable2(CramMD5SASLMechanismHandlerCfg cramMD5SASLMechanismHandlerCfg, List<Message> list) {
        return true;
    }

    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public ConfigChangeResult applyConfigurationChange(CramMD5SASLMechanismHandlerCfg cramMD5SASLMechanismHandlerCfg) {
        ResultCode resultCode = ResultCode.SUCCESS;
        ArrayList arrayList = new ArrayList();
        this.identityMapper = DirectoryServer.getIdentityMapper(cramMD5SASLMechanismHandlerCfg.getIdentityMapperDN());
        this.currentConfig = cramMD5SASLMechanismHandlerCfg;
        return new ConfigChangeResult(resultCode, false, arrayList);
    }

    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public /* bridge */ /* synthetic */ boolean isConfigurationChangeAcceptable(CramMD5SASLMechanismHandlerCfg cramMD5SASLMechanismHandlerCfg, List list) {
        return isConfigurationChangeAcceptable2(cramMD5SASLMechanismHandlerCfg, (List<Message>) list);
    }
}
