package org.wildfly.security.sasl.otp;

import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.concurrent.ThreadLocalRandom;
import java.util.function.Supplier;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.SaslException;
import org.wildfly.common.Assert;
import org.wildfly.common.bytes.ByteStringBuilder;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.auth.callback.ExtendedChoiceCallback;
import org.wildfly.security.auth.callback.ParameterCallback;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.OneTimePassword;
import org.wildfly.security.password.spec.EncryptablePasswordSpec;
import org.wildfly.security.password.spec.OneTimePasswordAlgorithmSpec;
import org.wildfly.security.sasl.util.AbstractSaslClient;
import org.wildfly.security.sasl.util.StringPrep;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-1.10.4.Final.jar:org/wildfly/security/sasl/otp/OTPSaslClient.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-sasl-otp-1.10.4.Final.jar:org/wildfly/security/sasl/otp/OTPSaslClient.class */
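/**
 * Client side of the OTP SASL mechanism (RFC 2444, one-time passwords per RFC 2289).
 * <p>
 * The exchange has two client steps: an initial response carrying the authorization id and user
 * name, and a response to the server's {@code <algorithm> <sequence> <seed> ext[,...]} challenge
 * that carries either the OTP computed from a pass phrase or an OTP supplied directly through the
 * callback handler, optionally followed by {@code init-*} data that re-initializes the account.
 * <p>
 * Secret handling: pass phrases arrive as {@code char[]} and every array this class owns is zeroed
 * once used, but the SASLprep step produces an immutable {@link String} that cannot be wiped, so the
 * pass phrase still lives on the heap until collected. Not thread-safe; one instance per negotiation.
 * <p>
 * This listing was recovered by a decompiler; the string switches below were reconstructed from the
 * {@code hashCode()} dispatch it emitted.
 */
final class OTPSaslClient extends AbstractSaslClient {

    /** Negotiation state before the (empty) initial challenge has been consumed. */
    private static final int ST_NEW = 1;
    /** Negotiation state while waiting for the server's challenge line. */
    private static final int ST_CHALLENGE_RESPONSE = 2;

    /**
     * The six-word response type. The decompiled listing carried this value as a bare literal, so it
     * is kept as a private constant here rather than being resolved to an {@code OTP} field.
     */
    private static final String WORD_RESPONSE = "word";

    /** Length of the seed generated locally for an {@code init-*} response (the listing used the literal 10). */
    private static final int NEW_SEED_LENGTH = 10;

    /** Randomness for new seeds; may be {@code null}, in which case {@link #newSeed(String)} falls back. */
    private final SecureRandom secureRandom;
    /** Alternate six-word dictionary handed to {@link OTPUtil#formatOTP}; semantics are defined there. */
    private final String[] alternateDictionary;
    /** Provider supplier for {@link PasswordFactory#getInstance(String, Supplier)}. */
    private final Supplier<Provider[]> providers;

    /** Name callback built in {@link #ST_NEW}; passed again with every later callback round. */
    private NameCallback nameCallback;
    /** User name returned by {@link #nameCallback}; only used in failure messages after that. */
    private String userName;

    /**
     * Creates the client. The decompiler reported this constructor as package-private in the original
     * bytecode; it is left as decompiled because the class itself is package-private anyway.
     *
     * @param mechanismName the SASL mechanism name
     * @param secureRandom the random source for new seeds, or {@code null}
     * @param alternateDictionary the alternate six-word dictionary, or {@code null}
     * @param protocol the protocol name
     * @param serverName the server name
     * @param callbackHandler the handler used for all prompts
     * @param authorizationId the authorization id, or {@code null}
     * @param providers the supplier of security providers used to build the password factory
     */
    public OTPSaslClient(String mechanismName, SecureRandom secureRandom, String[] alternateDictionary, String protocol, String serverName, CallbackHandler callbackHandler, String authorizationId, Supplier<Provider[]> providers) {
        super(mechanismName, protocol, serverName, callbackHandler, authorizationId, true, ElytronMessages.saslOTP);
        this.secureRandom = secureRandom;
        this.alternateDictionary = alternateDictionary;
        this.providers = providers;
    }

    /** Resets the negotiation to its first state. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(ST_NEW);
    }

    /**
     * Dispatches on the negotiation state.
     *
     * @param state the current negotiation state
     * @param message the server message (empty or {@code null} for the first step)
     * @return the client response bytes
     * @throws SaslException on a malformed challenge, a rejected callback or an unusable password
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(final int state, final byte[] message) throws SaslException {
        switch (state) {
            case ST_NEW:
                return initialResponse(message);
            case ST_CHALLENGE_RESPONSE:
                return challengeResponse(message);
            default:
                throw Assert.impossibleSwitchCase(state);
        }
    }

    /** Nothing to release; the pass phrase copies are wiped as soon as they are consumed. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
    }

    /**
     * Builds the initial response {@code [authzid] NUL username}, both SASLprep-encoded with the
     * stored profile, after obtaining the user name through the callback handler.
     *
     * @param challenge the initial challenge, which must be empty
     * @return the initial response bytes
     * @throws SaslException if the challenge is non-empty or the ids fail validation
     */
    private byte[] initialResponse(final byte[] challenge) throws SaslException {
        if (challenge != null && challenge.length != 0) {
            throw ElytronMessages.saslOTP.mechInitialChallengeMustBeEmpty().toSaslException();
        }
        final String authorizationId = getAuthorizationId();
        OTPUtil.validateAuthorizationId(authorizationId);
        nameCallback = (authorizationId == null || authorizationId.isEmpty())
                ? new NameCallback("User name")
                : new NameCallback("User name", authorizationId);
        handleCallbacks(nameCallback);
        userName = nameCallback.getName();
        OTPUtil.validateUserName(userName);

        final ByteStringBuilder response = new ByteStringBuilder();
        if (authorizationId != null) {
            StringPrep.encode(authorizationId, response, StringPrep.PROFILE_SASL_STORED);
        }
        response.append((byte) 0);
        StringPrep.encode(userName, response, StringPrep.PROFILE_SASL_STORED);
        setNegotiationState(ST_CHALLENGE_RESPONSE);
        return response.toArray();
    }

    /**
     * Parses the server challenge, lets the callback handler pick the response and password format
     * types, obtains the OTP (computed from a pass phrase or supplied directly) and builds the
     * final response.
     *
     * @param challenge the UTF-8 challenge {@code <algorithm> <sequence> <seed> ext[,...]}
     * @return the response bytes
     * @throws SaslException on a malformed challenge or when no usable password is obtained
     */
    private byte[] challengeResponse(final byte[] challenge) throws SaslException {
        final CodePointIterator cpi = CodePointIterator.ofUtf8Bytes(challenge);
        final CodePointIterator field = cpi.delimitedBy(' ');

        final String algorithm = field.drainToString();
        OTPUtil.validateAlgorithm(algorithm);
        OTPUtil.skipDelims(field, cpi);
        final int sequenceNumber = parseSequenceNumber(field.drainToString());
        OTPUtil.validateSequenceNumber(sequenceNumber);
        OTPUtil.skipDelims(field, cpi);
        final String seed = field.drainToString();
        OTPUtil.validateSeed(seed);
        OTPUtil.skipDelims(field, cpi);
        // Only the literal "ext" prefix is checked; any extension list after it is accepted unparsed.
        if (!field.drainToString().startsWith("ext")) {
            throw ElytronMessages.saslOTP.mechInvalidMessageReceived().toSaslException();
        }
        // Trailing delimiters are tolerated, anything after them is not.
        if (cpi.hasNext()) {
            OTPUtil.skipDelims(field, cpi);
            if (cpi.hasNext()) {
                throw ElytronMessages.saslOTP.mechInvalidMessageReceived().toSaslException();
            }
        }

        // A sequence number below 10 defaults the prompt to an init-word response so the account is
        // re-initialized before the sequence runs out; otherwise a plain word response is proposed.
        final ExtendedChoiceCallback responseTypeCallback = new ExtendedChoiceCallback(OTP.RESPONSE_TYPE_PROMPT, OTPUtil.RESPONSE_TYPES,
                sequenceNumber < 10 ? OTPUtil.getResponseTypeChoiceIndex(OTP.INIT_WORD_RESPONSE) : OTPUtil.getResponseTypeChoiceIndex(WORD_RESPONSE),
                false, true);
        final ExtendedChoiceCallback formatTypeCallback = new ExtendedChoiceCallback(OTP.PASSWORD_FORMAT_TYPE_PROMPT, OTPUtil.PASSWORD_FORMAT_TYPES,
                OTPUtil.getPasswordFormatTypeChoiceIndex(OTP.PASS_PHRASE), false, true);
        handleCallbacks(nameCallback, responseTypeCallback, formatTypeCallback);
        final String responseType = selectedChoice(responseTypeCallback, OTPUtil.RESPONSE_TYPES);
        final String passwordFormatType = selectedChoice(formatTypeCallback, OTPUtil.PASSWORD_FORMAT_TYPES);
        final PasswordCallback passwordCallback = new PasswordCallback(OTP.PASSWORD_PROMPT, false);

        final String otp;
        switch (passwordFormatType) {
            case OTP.PASS_PHRASE: {
                handleCallbacks(nameCallback, passwordCallback);
                final String passPhrase = getPasswordFromPasswordChars(takePassword(passwordCallback));
                OTPUtil.validatePassPhrase(passPhrase);
                if (seed.equals(passPhrase)) {
                    throw ElytronMessages.saslOTP.mechOTPPassPhraseAndSeedMustNotMatch().toSaslException();
                }
                try {
                    otp = OTPUtil.formatOTP(generateOtpHash(algorithm, passPhrase, seed, sequenceNumber), responseType, alternateDictionary);
                } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                    // The cause is intentionally not attached, matching the decompiled behaviour.
                    throw ElytronMessages.saslOTP.mechUnableToRetrievePassword(userName).toSaslException();
                }
                break;
            }
            case OTP.DIRECT_OTP: {
                // Hand the challenge parameters to the handler so it can compute the OTP itself.
                final ParameterCallback parameterCallback = new ParameterCallback(OneTimePasswordAlgorithmSpec.class);
                parameterCallback.setParameterSpec(new OneTimePasswordAlgorithmSpec(algorithm, seed, sequenceNumber));
                handleCallbacks(nameCallback, parameterCallback, passwordCallback);
                otp = getOTP(passwordCallback);
                break;
            }
            default:
                throw ElytronMessages.saslOTP.mechInvalidOTPPasswordFormatType().toSaslException();
        }
        negotiationComplete();
        return createOTPResponse(algorithm, seed, otp, responseType);
    }

    /**
     * Converts the sequence field of the challenge to an int, mapping a non-numeric field to the
     * same protocol error the other challenge checks raise instead of leaking a
     * {@link NumberFormatException}.
     */
    private static int parseSequenceNumber(final String text) throws SaslException {
        try {
            return Integer.parseInt(text);
        } catch (NumberFormatException e) {
            throw ElytronMessages.saslOTP.mechInvalidMessageReceived().toSaslException();
        }
    }

    /**
     * Returns the choice the handler selected, or the callback's default when nothing (or an empty
     * selection) was set.
     */
    private static String selectedChoice(final ExtendedChoiceCallback callback, final String[] choices) {
        final int[] selected = callback.getSelectedIndexes();
        if (selected != null && selected.length > 0) {
            return choices[selected[0]];
        }
        return choices[callback.getDefaultChoice()];
    }

    /**
     * Builds {@code <responseType>:<otp>} and, for the {@code init-*} response types, appends
     * {@code :<init data>} describing the account's new parameters.
     *
     * @param algorithm the algorithm from the challenge
     * @param seed the seed from the challenge
     * @param otp the formatted current OTP
     * @param responseType the selected response type
     * @return the response bytes
     * @throws SaslException if the response type is unknown or the init data cannot be built
     */
    private byte[] createOTPResponse(final String algorithm, final String seed, final String otp, final String responseType) throws SaslException {
        final ByteStringBuilder response = new ByteStringBuilder();
        response.append(responseType);
        response.append(':');
        switch (responseType) {
            case OTP.HEX_RESPONSE:
            case WORD_RESPONSE:
                response.append(otp);
                break;
            case OTP.INIT_HEX_RESPONSE:
            case OTP.INIT_WORD_RESPONSE:
                response.append(otp);
                response.append(':');
                response.append(createNewPasswordResponse(algorithm, seed, responseType));
                break;
            default:
                throw ElytronMessages.saslOTP.mechInvalidOTPResponseType().toSaslException();
        }
        return response.toArray();
    }

    /**
     * Collects the parameters of the re-initialized account and builds the init data. With the
     * pass-phrase format the client picks a fresh seed, keeps the current algorithm and starts at
     * {@link OTP#DEFAULT_SEQUENCE_NUMBER}; with the direct format the handler supplies all three
     * together with the new OTP.
     *
     * @param currentAlgorithm the algorithm from the challenge
     * @param currentSeed the seed from the challenge; the new seed must differ from it
     * @param responseType the selected {@code init-*} response type, which fixes the OTP format
     * @return the init data {@code <digest> <sequence> <seed>:<otp>}
     * @throws SaslException when no password or parameters are obtained or the new values fail validation
     */
    private ByteStringBuilder createNewPasswordResponse(final String currentAlgorithm, final String currentSeed, final String responseType) throws SaslException {
        String newSeed = newSeed(currentSeed);
        final ExtendedChoiceCallback formatTypeCallback = new ExtendedChoiceCallback(OTP.NEW_PASSWORD_FORMAT_TYPE_PROMPT, OTPUtil.PASSWORD_FORMAT_TYPES,
                OTPUtil.getPasswordFormatTypeChoiceIndex(OTP.PASS_PHRASE), false, true);
        handleCallbacks(nameCallback, formatTypeCallback);
        final String newPasswordFormatType = selectedChoice(formatTypeCallback, OTPUtil.PASSWORD_FORMAT_TYPES);
        final PasswordCallback passwordCallback = new PasswordCallback(OTP.NEW_PASSWORD_PROMPT, false);

        final String newAlgorithm;
        final int newSequenceNumber;
        final String newOtp;
        switch (newPasswordFormatType) {
            case OTP.PASS_PHRASE: {
                handleCallbacks(nameCallback, passwordCallback);
                final String newPassPhrase = getPasswordFromPasswordChars(takePassword(passwordCallback));
                OTPUtil.validatePassPhrase(newPassPhrase);
                if (newSeed.equals(newPassPhrase)) {
                    throw ElytronMessages.saslOTP.mechOTPPassPhraseAndSeedMustNotMatch().toSaslException();
                }
                newAlgorithm = currentAlgorithm;
                // The decompiled listing had the literal 499 for the init data and
                // OTP.DEFAULT_SEQUENCE_NUMBER for the hash; both must agree, so the constant is used for both.
                newSequenceNumber = OTP.DEFAULT_SEQUENCE_NUMBER;
                try {
                    newOtp = OTPUtil.formatOTP(generateOtpHash(newAlgorithm, newPassPhrase, newSeed, newSequenceNumber), responseType, alternateDictionary);
                } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                    throw ElytronMessages.saslOTP.mechUnableToUpdatePassword(userName).toSaslException();
                }
                break;
            }
            case OTP.DIRECT_OTP: {
                final ParameterCallback parameterCallback = new ParameterCallback(OneTimePasswordAlgorithmSpec.class);
                handleCallbacks(nameCallback, parameterCallback, passwordCallback);
                newOtp = getOTP(passwordCallback);
                final OneTimePasswordAlgorithmSpec spec = (OneTimePasswordAlgorithmSpec) parameterCallback.getParameterSpec();
                if (spec == null) {
                    throw ElytronMessages.saslOTP.mechNoPasswordGiven().toSaslException();
                }
                // Handler-supplied parameters get the same validation as values from the wire.
                newAlgorithm = spec.getAlgorithm();
                OTPUtil.validateAlgorithm(newAlgorithm);
                newSequenceNumber = spec.getSequenceNumber();
                OTPUtil.validateSequenceNumber(newSequenceNumber);
                newSeed = spec.getSeed();
                OTPUtil.validateSeed(newSeed);
                break;
            }
            default:
                throw ElytronMessages.saslOTP.mechInvalidOTPPasswordFormatType().toSaslException();
        }
        return createInitResponse(newAlgorithm, newSeed, newSequenceNumber, newOtp);
    }

    /**
     * Generates a seed that differs from the current one. The seed is transmitted in the clear as part
     * of the init response, so it is not a secret; the configured {@link SecureRandom} is still
     * preferred and {@link ThreadLocalRandom} is only the fallback when none was supplied.
     */
    private String newSeed(final String currentSeed) {
        String seed;
        do {
            seed = OTPUtil.generateRandomAlphanumericString(NEW_SEED_LENGTH, secureRandom != null ? secureRandom : ThreadLocalRandom.current());
        } while (seed.equals(currentSeed));
        return seed;
    }

    /**
     * Formats the init data {@code <digest> <sequence> <seed>:<otp>}.
     *
     * @throws SaslException if the algorithm has no message-digest mapping
     */
    private ByteStringBuilder createInitResponse(final String algorithm, final String seed, final int sequenceNumber, final String otp) throws SaslException {
        final ByteStringBuilder init = new ByteStringBuilder();
        try {
            init.append(OTPUtil.messageDigestAlgorithm(algorithm));
        } catch (NoSuchAlgorithmException e) {
            throw ElytronMessages.saslOTP.mechInvalidOTPAlgorithm(algorithm).toSaslException();
        }
        init.append(' ');
        init.appendNumber(sequenceNumber);
        init.append(' ');
        init.append(seed);
        init.append(':');
        init.append(otp);
        return init;
    }

    /**
     * Takes the password out of the callback, clearing the callback's own copy, and fails if none
     * was provided.
     *
     * @return the caller-owned password characters; the caller is responsible for wiping them
     * @throws SaslException if the handler left the password unset
     */
    private static char[] takePassword(final PasswordCallback passwordCallback) throws SaslException {
        final char[] password = passwordCallback.getPassword();
        passwordCallback.clearPassword();
        if (password == null) {
            throw ElytronMessages.saslOTP.mechNoPasswordGiven().toSaslException();
        }
        return password;
    }

    /** Reads a directly supplied OTP from the callback and SASLprep-encodes it. */
    private String getOTP(final PasswordCallback passwordCallback) throws SaslException {
        return getPasswordFromPasswordChars(takePassword(passwordCallback));
    }

    /**
     * SASLprep-encodes (stored profile) the characters and wipes the array afterwards. The returned
     * {@link String} is immutable and cannot be wiped, which is why the array is zeroed as early as
     * possible.
     */
    private String getPasswordFromPasswordChars(final char[] passwordChars) {
        final ByteStringBuilder encoded = new ByteStringBuilder();
        try {
            StringPrep.encode(passwordChars, encoded, StringPrep.PROFILE_SASL_STORED);
        } finally {
            Arrays.fill(passwordChars, (char) 0);
        }
        return new String(encoded.toArray(), StandardCharsets.UTF_8);
    }

    /**
     * Computes the OTP hash for the given parameters through a {@link PasswordFactory} of the
     * requested algorithm. The temporary {@code char[]} copy of the pass phrase is zeroed once the
     * factory has produced the hash.
     */
    private byte[] generateOtpHash(final String algorithm, final String passPhrase, final String seed, final int sequenceNumber) throws NoSuchAlgorithmException, InvalidKeySpecException {
        final char[] passPhraseChars = passPhrase.toCharArray();
        try {
            final OneTimePassword password = (OneTimePassword) PasswordFactory.getInstance(algorithm, providers)
                    .generatePassword(new EncryptablePasswordSpec(passPhraseChars, new OneTimePasswordAlgorithmSpec(algorithm, seed, sequenceNumber)));
            return password.getHash();
        } finally {
            Arrays.fill(passPhraseChars, (char) 0);
        }
    }
}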
