package org.wildfly.security.sasl.scram;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ThreadLocalRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import org.jboss.marshalling.river.Protocol;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.FastUnsupportedCallbackException;
import org.wildfly.security.auth.callback.ParameterCallback;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.TwoWayPassword;
import org.wildfly.security.password.interfaces.ScramDigestPassword;
import org.wildfly.security.password.spec.HashedPasswordAlgorithmSpec;
import org.wildfly.security.sasl.WildFlySasl;
import org.wildfly.security.sasl.util.AbstractSaslServer;
import org.wildfly.security.sasl.util.StringPrep;
import org.wildfly.security.util.ByteIterator;
import org.wildfly.security.util.ByteStringBuilder;
import org.wildfly.security.util.CodePointIterator;

/* loaded from: input_file:org/wildfly/security/sasl/scram/ScramSaslServer.class */
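/**
 * Server side of a SCRAM SASL exchange (decompiled source, cleaned up).
 *
 * <p>The negotiation runs through three local states: {@link #S_NO_MESSAGE} (nothing received
 * yet), {@link #S_FIRST_MESSAGE} (waiting for the client-first message) and
 * {@link #S_FINAL_MESSAGE} (waiting for the client-final message carrying the proof). State
 * {@code 0} is entered after a successful exchange and state {@code -1} after any failure.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Server nonces and generated salts always come from a {@link SecureRandom}. If the
 *       caller supplies none, one is created here; the decompiled original fell back to
 *       {@code ThreadLocalRandom}, which is not a cryptographic generator.</li>
 *   <li>The client proof is checked with {@link MessageDigest#isEqual(byte[], byte[])} so the
 *       comparison time does not depend on where the first differing byte is.</li>
 *   <li>With TRACE logging enabled this class writes the salted password, client key, stored
 *       key and server key to the log in hex. These values are password-equivalent for SCRAM;
 *       TRACE must stay off for this category wherever logs are retained or shipped.</li>
 * </ul>
 */
final class ScramSaslServer extends AbstractSaslServer {
    private static final int S_NO_MESSAGE = 1;
    private static final int S_FIRST_MESSAGE = 2;
    private static final int S_FINAL_MESSAGE = 3;
    private final boolean plus;
    private final MessageDigest messageDigest;
    private final Mac mac;
    private final SecureRandom secureRandom;
    private final int minimumIterationCount;
    private final int maximumIterationCount;
    private final String bindingType;
    private final byte[] bindingData;
    private String userName;
    private String authorizationID;
    private byte[] clientFirstMessage;
    private byte[] serverFirstMessage;
    private byte[] saltedPassword;
    private byte[] salt;
    private HashedPasswordAlgorithmSpec algorithmSpec;
    private int iterationCount;
    private final boolean sendErrors = false;
    private int clientFirstMessageBareStart;
    private int cbindFlag;

    /**
     * Creates the server participant.
     *
     * <p>The first three strings and the callback handler are handed unchanged to the
     * {@code AbstractSaslServer} constructor. The decompiler reports that the original
     * constructor was package-private.
     *
     * @param str first superclass constructor argument
     * @param str2 second superclass constructor argument
     * @param str3 third superclass constructor argument
     * @param callbackHandler handler used for name, credential and authorization callbacks
     * @param z {@code true} when channel binding is required (stored as {@code plus})
     * @param map mechanism properties; supplies the minimum (default 4096) and maximum
     *        (default 32768) accepted iteration counts
     * @param messageDigest digest used to derive the stored key from the client key
     * @param mac MAC used for all keyed computations of the exchange
     * @param secureRandom source for nonces and salts; when {@code null} a new
     *        {@link SecureRandom} is created
     * @param str4 expected channel binding type (compared against the client's value)
     * @param bArr expected channel binding data (compared against the client's value)
     */
    public ScramSaslServer(String str, String str2, String str3, CallbackHandler callbackHandler, boolean z, Map<String, ?> map, MessageDigest messageDigest, Mac mac, SecureRandom secureRandom, String str4, byte[] bArr) {
        super(str, str2, str3, callbackHandler);
        this.messageDigest = messageDigest;
        this.mac = mac;
        this.minimumIterationCount = getIntProperty(map, WildFlySasl.SCRAM_MIN_ITERATION_COUNT, 4096);
        this.maximumIterationCount = getIntProperty(map, WildFlySasl.SCRAM_MAX_ITERATION_COUNT, 32768);
        // Nonces and salts must be unpredictable, so never fall back to a non-cryptographic PRNG.
        this.secureRandom = secureRandom != null ? secureRandom : new SecureRandom();
        this.plus = z;
        this.bindingType = str4;
        this.bindingData = bArr;
    }

    /** Puts the negotiation into its initial state (no message received yet). */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(S_NO_MESSAGE);
    }

    /**
     * Returns the authorization identity recorded so far.
     *
     * @return the identity taken from the client-first message, replaced after a valid proof by
     *         the user name (when the client sent none) or by its StringPrep-encoded form;
     *         {@code null} before that if the client sent none
     */
    public String getAuthorizationID() {
        return this.authorizationID;
    }

    /**
     * Handles one client message according to the current negotiation state.
     *
     * <p>Any exception leaving this method first moves the negotiation to state {@code -1}, so
     * a failed exchange cannot be resumed.
     *
     * @param i current negotiation state
     * @param bArr message received from the client, possibly {@code null} or empty
     * @return the next server message, or {@code null} once the exchange is already complete
     * @throws SaslException if the message is malformed, the proof is wrong, or a callback fails
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        final boolean trace = ElytronMessages.log.isTraceEnabled();
        try {
            try {
                switch (i) {
                    case -1:
                        // Already failed: never accept further messages.
                        throw ElytronMessages.log.saslAuthenticationFailed(getMechanismName());
                    case 0:
                        // Already complete: only an empty trailing message is tolerated.
                        if (bArr != null && bArr.length != 0) {
                            throw ElytronMessages.log.saslClientSentExtraMessage(getMechanismName());
                        }
                        return null;
                    case S_NO_MESSAGE:
                        if (bArr == null || bArr.length == 0) {
                            // Empty initial response: ask the client for its first message.
                            setNegotiationState(S_FIRST_MESSAGE);
                            return NO_BYTES;
                        }
                        // A non-empty initial response is the client-first message.
                        break;
                    case S_FIRST_MESSAGE:
                        break;
                    case S_FINAL_MESSAGE:
                        return processClientFinalMessage(bArr, trace);
                    default:
                        throw Assert.impossibleSwitchCase(i);
                }
                return processClientFirstMessage(bArr, trace);
            } catch (ArrayIndexOutOfBoundsException | InvalidKeyException e2) {
                // NOTE(review): only these two types are mapped to an invalid-message error, and
                // the cause is dropped. Confirm what ByteIterator.next() throws on truncated input.
                throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
            }
        } catch (Throwable th) {
            setNegotiationState(-1);
            throw th;
        }
    }

    /**
     * Parses the client-first message, obtains the salted password for the named user and
     * builds the server-first message ({@code r=<nonces>,s=<salt>,i=<iterations>}).
     */
    private byte[] processClientFirstMessage(byte[] bArr, boolean trace) throws SaslException, InvalidKeyException {
        if (bArr == null || bArr.length == 0) {
            throw ElytronMessages.log.saslClientRefusesToInitiateAuthentication(getMechanismName());
        }
        if (trace) {
            ElytronMessages.log.tracef("[S] Client first message: %s%n", ByteIterator.ofBytes(bArr).hexEncode().drainToString());
        }
        final ByteStringBuilder response = new ByteStringBuilder();
        final ByteIterator bi = ByteIterator.ofBytes(bArr);
        final ByteIterator di = bi.delimitedBy(',');
        final CodePointIterator cpi = di.asUtf8String();

        // GS2 header: channel binding flag ('p', 'y' or 'n').
        this.cbindFlag = bi.next();
        if (this.cbindFlag == 'p' && this.plus) {
            assert this.bindingType != null;
            assert this.bindingData != null;
            if (bi.next() != '=') {
                throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
            }
            if (!this.bindingType.equals(cpi.drainToString())) {
                throw ElytronMessages.log.saslChannelBindingTypeMismatch(getMechanismName());
            }
            bi.next();
        } else {
            // Reject 'p' on a non-binding mechanism and 'y'/'n' on a binding one, so the
            // client cannot pick a binding mode the server was not configured for.
            if ((this.cbindFlag != 'y' && this.cbindFlag != 'n') || this.plus) {
                throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
            }
            if (bi.next() != ',') {
                throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
            }
        }

        // Optional authorization identity: "a=<authzid>," or just ",".
        final int next = bi.next();
        if (next == 'a') {
            if (bi.next() != '=') {
                throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
            }
            this.authorizationID = cpi.drainToString();
            bi.next();
        } else if (next != ',') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }

        // Everything from here on is the "bare" part that later enters the MAC input.
        this.clientFirstMessageBareStart = bi.offset();
        if (bi.next() != 'n') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        if (bi.next() != '=') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        final ByteStringBuilder nameBuilder = new ByteStringBuilder();
        // The profile literal was inlined by the decompiler; presumably one of the
        // StringPrep.PROFILE_* constants, confirm against the original source.
        StringPrep.encode(cpi.drainToString(), nameBuilder, 268443647L);
        this.userName = new String(nameBuilder.toArray(), StandardCharsets.UTF_8);
        bi.next();
        if (bi.next() != 'r' || bi.next() != '=') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        final byte[] clientNonce = di.drain();
        if (trace) {
            ElytronMessages.log.tracef("[S] Client nonce: %s%n", ByteIterator.ofBytes(clientNonce).hexEncode().drainToString());
        }
        if (bi.hasNext()) {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        this.clientFirstMessage = bArr;

        // Try the credential sources in order: pre-digested SCRAM password, two-way
        // password, plain password callback. The first one that yields a value wins.
        final NameCallback nameCallback = new NameCallback("Remote authentication name", this.userName);
        this.saltedPassword = null;
        getPredigestedSaltedPassword(nameCallback);
        if (this.saltedPassword == null) {
            getSaltedPasswordFromTwoWay(nameCallback, response);
        }
        if (this.saltedPassword == null) {
            getSaltedPasswordFromPasswordCallback(nameCallback, response);
        }
        if (this.saltedPassword == null) {
            throw ElytronMessages.log.saslCallbackHandlerDoesNotSupportCredentialAcquisition(getMechanismName(), null);
        }
        if (trace) {
            ElytronMessages.log.tracef("[S] Salt: %s%n", ByteIterator.ofBytes(this.salt).hexEncode().drainToString());
        }
        if (trace) {
            // NOTE(review): the salted password is password-equivalent for SCRAM; this trace
            // line writes it to the log. Consider removing it or keeping TRACE disabled.
            ElytronMessages.log.tracef("[S] Salted password: %s%n", ByteIterator.ofBytes(this.saltedPassword).hexEncode().drainToString());
        }

        response.append('r').append('=');
        response.append(clientNonce);
        response.append(ScramUtil.generateNonce(28, getRandom()));
        response.append(',');
        response.append('s').append('=');
        response.appendLatin1(ByteIterator.ofBytes(this.salt).base64Encode());
        response.append(',');
        response.append('i').append('=');
        response.append(Integer.toString(this.iterationCount));
        setNegotiationState(S_FINAL_MESSAGE);
        final byte[] serverFirst = response.toArray();
        this.serverFirstMessage = serverFirst;
        return serverFirst;
    }

    /**
     * Parses the client-final message, verifies channel binding and the client proof, runs the
     * authorization callback and builds the server-final message ({@code v=<signature>}).
     */
    private byte[] processClientFinalMessage(byte[] bArr, boolean trace) throws SaslException, InvalidKeyException {
        final ByteIterator bi = ByteIterator.ofBytes(bArr);
        final ByteIterator di = bi.delimitedBy(',');
        if (bi.next() != 'c' || bi.next() != '=') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }

        // "c=" repeats the GS2 header (plus binding data); it must agree with what the
        // client announced in its first message.
        final ByteIterator bindingIterator = di.base64Decode();
        if (bindingIterator.next() != this.cbindFlag) {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        switch (this.cbindFlag) {
            case 'n':
            case 'y':
                if (this.plus) {
                    throw ElytronMessages.log.saslChannelBindingNotProvided(getMechanismName());
                }
                parseAuthorizationId(bindingIterator);
                if (bindingIterator.hasNext()) {
                    throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
                }
                break;
            case 'p':
                if (!this.plus) {
                    throw ElytronMessages.log.saslChannelBindingNotSupported(getMechanismName());
                }
                if (bindingIterator.next() != '=') {
                    throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
                }
                if (!this.bindingType.equals(bindingIterator.delimitedBy(',').asUtf8String().drainToString())) {
                    throw ElytronMessages.log.saslChannelBindingTypeMismatch(getMechanismName());
                }
                parseAuthorizationId(bindingIterator);
                if (!bindingIterator.contentEquals(ByteIterator.ofBytes(this.bindingData))) {
                    throw ElytronMessages.log.saslChannelBindingTypeMismatch(getMechanismName());
                }
                if (bindingIterator.hasNext()) {
                    throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
                }
                break;
        }

        bi.next();
        if (bi.next() != 'r' || bi.next() != '=') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        // The nonce value is skipped here, not compared with the one the server issued.
        // The exchange is still bound to that nonce because serverFirstMessage is part of
        // the MAC input below, so a proof computed for another nonce does not verify.
        while (di.hasNext()) {
            di.next();
        }
        // Everything before ",p=" is the client-final-message-without-proof.
        final int proofOffset = bi.offset();
        bi.next();
        if (bi.next() != 'p' || bi.next() != '=') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        final byte[] proofBase64 = di.drain();
        if (bi.hasNext()) {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }

        // NOTE(review): the trace lines below log the client key, stored key and server key.
        // All three are derived from the salted password and let a log reader impersonate
        // the client or the server; keep TRACE disabled for this category in production.

        // ClientKey = MAC(saltedPassword, client key constant)
        this.mac.reset();
        this.mac.init(new SecretKeySpec(this.saltedPassword, this.mac.getAlgorithm()));
        this.mac.update(Scram.CLIENT_KEY_BYTES);
        final byte[] clientKey = this.mac.doFinal();
        if (trace) {
            ElytronMessages.log.tracef("[S] Client key: %s%n", ByteIterator.ofBytes(clientKey).hexEncode().drainToString());
        }

        // StoredKey = H(ClientKey)
        this.messageDigest.reset();
        this.messageDigest.update(clientKey);
        final byte[] storedKey = this.messageDigest.digest();
        if (trace) {
            ElytronMessages.log.tracef("[S] Stored key: %s%n", ByteIterator.ofBytes(storedKey).hexEncode().drainToString());
        }

        // ClientSignature = MAC(StoredKey, client-first-bare "," server-first "," client-final-without-proof)
        this.mac.reset();
        this.mac.init(new SecretKeySpec(storedKey, this.mac.getAlgorithm()));
        this.mac.update(this.clientFirstMessage, this.clientFirstMessageBareStart, this.clientFirstMessage.length - this.clientFirstMessageBareStart);
        if (trace) {
            ElytronMessages.log.tracef("[S] Using client first message: %s%n", ByteIterator.ofBytes(Arrays.copyOfRange(this.clientFirstMessage, this.clientFirstMessageBareStart, this.clientFirstMessage.length)).hexEncode().drainToString());
        }
        this.mac.update((byte) ',');
        this.mac.update(this.serverFirstMessage);
        if (trace) {
            ElytronMessages.log.tracef("[S] Using server first message: %s%n", ByteIterator.ofBytes(this.serverFirstMessage).hexEncode().drainToString());
        }
        this.mac.update((byte) ',');
        this.mac.update(bArr, 0, proofOffset);
        if (trace) {
            ElytronMessages.log.tracef("[S] Using client final message without proof: %s%n", ByteIterator.ofBytes(Arrays.copyOfRange(bArr, 0, proofOffset)).hexEncode().drainToString());
        }
        final byte[] clientSignature = this.mac.doFinal();
        if (trace) {
            ElytronMessages.log.tracef("[S] Client signature: %s%n", ByteIterator.ofBytes(clientSignature).hexEncode().drainToString());
        }

        // ServerKey = MAC(saltedPassword, server key constant)
        this.mac.reset();
        this.mac.init(new SecretKeySpec(this.saltedPassword, this.mac.getAlgorithm()));
        this.mac.update(Scram.SERVER_KEY_BYTES);
        final byte[] serverKey = this.mac.doFinal();
        if (trace) {
            ElytronMessages.log.tracef("[S] Server key: %s%n", ByteIterator.ofBytes(serverKey).hexEncode().drainToString());
        }

        // ServerSignature = MAC(ServerKey, same message as for the client signature)
        this.mac.reset();
        this.mac.init(new SecretKeySpec(serverKey, this.mac.getAlgorithm()));
        this.mac.update(this.clientFirstMessage, this.clientFirstMessageBareStart, this.clientFirstMessage.length - this.clientFirstMessageBareStart);
        this.mac.update((byte) ',');
        this.mac.update(this.serverFirstMessage);
        this.mac.update((byte) ',');
        this.mac.update(bArr, 0, proofOffset);
        final byte[] serverSignature = this.mac.doFinal();
        if (trace) {
            ElytronMessages.log.tracef("[S] Server signature: %s%n", ByteIterator.ofBytes(serverSignature).hexEncode().drainToString());
        }

        if (trace) {
            ElytronMessages.log.tracef("[S] Client proof string: %s%n", CodePointIterator.ofUtf8Bytes(proofBase64).drainToString());
        }
        final byte[] clientProof = ByteIterator.ofBytes(proofBase64).base64Decode().drain();
        if (trace) {
            ElytronMessages.log.tracef("[S] Client proof: %s%n", ByteIterator.ofBytes(clientProof).hexEncode().drainToString());
        }

        // ClientProof = ClientKey XOR ClientSignature, so XOR-ing the signature with the
        // proof must give back the client key.
        final byte[] recoveredClientKey = (byte[]) clientSignature.clone();
        ScramUtil.xor(recoveredClientKey, clientProof);
        if (trace) {
            ElytronMessages.log.tracef("[S] Recovered client key: %s%n", ByteIterator.ofBytes(recoveredClientKey).hexEncode().drainToString());
        }
        // Constant-time comparison: the result must not reveal how many leading bytes of an
        // attacker-chosen proof were correct.
        if (!MessageDigest.isEqual(recoveredClientKey, clientKey)) {
            throw ElytronMessages.log.saslAuthenticationRejectedInvalidProof(getMechanismName());
        }

        // Authentication succeeded; now decide whether userName may act as authorizationID.
        if (this.authorizationID == null) {
            this.authorizationID = this.userName;
        } else {
            final ByteStringBuilder authzBuilder = new ByteStringBuilder();
            StringPrep.encode(this.authorizationID, authzBuilder, 268443647L);
            this.authorizationID = new String(authzBuilder.toArray(), StandardCharsets.UTF_8);
        }
        final AuthorizeCallback authorizeCallback = new AuthorizeCallback(this.userName, this.authorizationID);
        try {
            tryHandleCallbacks(authorizeCallback);
            if (!authorizeCallback.isAuthorized()) {
                throw ElytronMessages.log.saslAuthorizationFailed(getMechanismName(), this.userName, this.authorizationID);
            }
            final ByteStringBuilder response = new ByteStringBuilder();
            response.append('v').append('=');
            response.appendUtf8(ByteIterator.ofBytes(serverSignature).base64Encode());
            setNegotiationState(0);
            return response.toArray();
        } catch (UnsupportedCallbackException e) {
            throw ElytronMessages.log.saslAuthorizationUnsupported(getMechanismName(), e);
        }
    }

    /**
     * Checks the authorization identity repeated inside the decoded {@code c=} attribute of the
     * client-final message against the one received in the client-first message.
     *
     * @param byteIterator iterator positioned on the comma that precedes the identity part
     * @throws SaslException if the part is malformed or differs from the first message
     */
    private void parseAuthorizationId(ByteIterator byteIterator) throws SaslException {
        if (byteIterator.next() != ',') {
            throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
        switch (byteIterator.next()) {
            case ',':
                // No identity given now, so none may have been given before.
                if (this.authorizationID != null) {
                    throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
                }
                return;
            case 'a':
                if (byteIterator.next() != '=') {
                    throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
                }
                if (!byteIterator.delimitedBy(',').asUtf8String().drainToString().equals(this.authorizationID)) {
                    throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
                }
                if (byteIterator.next() != ',') {
                    throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
                }
                return;
            default:
                throw ElytronMessages.log.saslInvalidClientMessage(getMechanismName());
        }
    }

    /**
     * Asks the callback handler for a stored {@code ScramDigestPassword} and, if one is returned,
     * takes iteration count, salt and digest from it. Leaves {@code saltedPassword} untouched
     * when the handler has no such credential or does not support the credential callback.
     *
     * @throws SaslException if the stored iteration count is outside the configured bounds, the
     *         salt is missing, or the handler rejects the name callback
     */
    private void getPredigestedSaltedPassword(NameCallback nameCallback) throws SaslException {
        final CredentialCallback credentialCallback = new CredentialCallback(ScramDigestPassword.class);
        try {
            tryHandleCallbacks(nameCallback, credentialCallback);
            final Password password = (Password) credentialCallback.getCredential();
            if (password != null) {
                final ScramDigestPassword scramPassword = (ScramDigestPassword) password;
                this.iterationCount = scramPassword.getIterationCount();
                this.salt = scramPassword.getSalt();
                // Enforce the bounds on stored credentials too: a weak stored iteration count
                // would otherwise be advertised to every client.
                if (this.iterationCount < this.minimumIterationCount) {
                    throw ElytronMessages.log.saslIterationCountIsTooLow(getMechanismName(), this.iterationCount, this.minimumIterationCount);
                }
                if (this.iterationCount > this.maximumIterationCount) {
                    throw ElytronMessages.log.saslIterationCountIsTooHigh(getMechanismName(), this.iterationCount, this.maximumIterationCount);
                }
                if (this.salt == null) {
                    throw ElytronMessages.log.saslSaltMustBeSpecified(getMechanismName());
                }
                this.saltedPassword = scramPassword.getDigest();
            }
        } catch (UnsupportedCallbackException e) {
            final Callback callback = e.getCallback();
            if (callback == nameCallback) {
                throw ElytronMessages.log.saslCallbackHandlerDoesNotSupportUserName(getMechanismName(), e);
            }
            if (callback != credentialCallback) {
                throw ElytronMessages.log.saslCallbackHandlerFailedForUnknownReason(getMechanismName(), e);
            }
            // Credential callback unsupported: the caller tries the next credential source.
        }
    }

    /**
     * Asks the callback handler for a {@code TwoWayPassword} (and optionally the hashing
     * parameters) and derives the salted password from its clear-text characters.
     *
     * <p>NOTE(review): the code of this method is kept exactly as decompiled. The JADX warning
     * on it and the {@code FastUnsupportedCallbackException} thrown outside the try/catch
     * suggest the decompiler may have moved that throw; if the exception is a checked
     * {@code UnsupportedCallbackException} subtype this does not compile as written. Confirm
     * against the original source. A {@code null} credential is also passed on to
     * {@code ScramUtil.getTwoWayPasswordChars} unchecked.
     */
    private void getSaltedPasswordFromTwoWay(NameCallback nameCallback, ByteStringBuilder byteStringBuilder) throws SaslException {
        CredentialCallback credentialCallback = new CredentialCallback(TwoWayPassword.class);
        ParameterCallback parameterCallback = new ParameterCallback(HashedPasswordAlgorithmSpec.class);
        try {
            tryHandleCallbacks(nameCallback, parameterCallback, credentialCallback);
            this.algorithmSpec = (HashedPasswordAlgorithmSpec) parameterCallback.getParameterSpec();
        } catch (UnsupportedCallbackException e) {
            Callback callback = e.getCallback();
            if (callback == nameCallback) {
                throw ElytronMessages.log.saslCallbackHandlerDoesNotSupportUserName(getMechanismName(), e);
            }
            if (callback == credentialCallback) {
                return;
            }
            if (callback != parameterCallback) {
                throw ElytronMessages.log.saslCallbackHandlerDoesNotSupportCredentialAcquisition(getMechanismName(), e);
            }
            // No stored parameters: use a fresh random salt and the minimum iteration count.
            this.salt = ScramUtil.generateSalt(16, getRandom());
            this.algorithmSpec = new HashedPasswordAlgorithmSpec(this.minimumIterationCount, this.salt);
            try {
                tryHandleCallbacks(nameCallback, credentialCallback);
            } catch (UnsupportedCallbackException e2) {
                Callback callback2 = e2.getCallback();
                if (callback2 == nameCallback) {
                    throw ElytronMessages.log.saslCallbackHandlerDoesNotSupportUserName(getMechanismName(), e2);
                }
                if (callback2 != credentialCallback) {
                    throw ElytronMessages.log.saslCallbackHandlerFailedForUnknownReason(getMechanismName(), e2);
                }
                return;
            }
        }
        if (this.algorithmSpec == null) {
            throw new FastUnsupportedCallbackException(parameterCallback);
        }
        getSaltedPasswordFromPasswordChars(ScramUtil.getTwoWayPasswordChars(getMechanismName(), (TwoWayPassword) credentialCallback.getCredential()), byteStringBuilder);
    }

    /**
     * Last-resort credential source: asks for the clear-text password through a
     * {@link PasswordCallback} and derives the salted password with a fresh random salt and the
     * minimum iteration count.
     *
     * <p>If the handler supplies no password, {@code saltedPassword} stays {@code null} and the
     * caller reports the failure as a {@code SaslException}; the decompiled original ran into a
     * {@code NullPointerException} in that case.
     */
    private void getSaltedPasswordFromPasswordCallback(NameCallback nameCallback, ByteStringBuilder byteStringBuilder) throws SaslException {
        final PasswordCallback passwordCallback = new PasswordCallback("User password", false);
        try {
            tryHandleCallbacks(nameCallback, passwordCallback);
            // getPassword() returns a copy, so the callback's own buffer can be wiped at once.
            final char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null) {
                return;
            }
            this.salt = ScramUtil.generateSalt(16, getRandom());
            this.algorithmSpec = new HashedPasswordAlgorithmSpec(this.minimumIterationCount, this.salt);
            getSaltedPasswordFromPasswordChars(password, byteStringBuilder);
        } catch (UnsupportedCallbackException e) {
            final Callback callback = e.getCallback();
            if (callback == nameCallback) {
                throw ElytronMessages.log.saslCallbackHandlerDoesNotSupportUserName(getMechanismName(), e);
            }
            if (callback != passwordCallback) {
                throw ElytronMessages.log.saslCallbackHandlerFailedForUnknownReason(getMechanismName(), e);
            }
        }
    }

    /**
     * Normalizes the clear-text password with StringPrep and computes the salted password from
     * it using the salt and iteration count of {@code algorithmSpec}.
     *
     * <p>Both the caller's array and the normalized copy are zeroed on every exit path. The
     * intermediate {@code String} built during normalization cannot be wiped and stays on the
     * heap until it is garbage collected.
     *
     * @param cArr clear-text password; overwritten with zeros
     * @param byteStringBuilder scratch buffer; emptied again before this method returns normally
     * @throws SaslException if the iteration count is outside the configured bounds, the salt is
     *         missing, or the MAC cannot be keyed
     */
    private void getSaltedPasswordFromPasswordChars(char[] cArr, ByteStringBuilder byteStringBuilder) throws SaslException {
        try {
            StringPrep.encode(cArr, byteStringBuilder, StringPrep.PROFILE_SASL_STORED);
        } finally {
            Arrays.fill(cArr, (char) 0);
        }
        final char[] normalized = new String(byteStringBuilder.toArray(), StandardCharsets.UTF_8).toCharArray();
        try {
            byteStringBuilder.setLength(0);
            this.iterationCount = this.algorithmSpec.getIterationCount();
            this.salt = this.algorithmSpec.getSalt();
            if (this.iterationCount < this.minimumIterationCount) {
                throw ElytronMessages.log.saslIterationCountIsTooLow(getMechanismName(), this.iterationCount, this.minimumIterationCount);
            }
            if (this.iterationCount > this.maximumIterationCount) {
                throw ElytronMessages.log.saslIterationCountIsTooHigh(getMechanismName(), this.iterationCount, this.maximumIterationCount);
            }
            if (this.salt == null) {
                throw ElytronMessages.log.saslSaltMustBeSpecified(getMechanismName());
            }
            try {
                this.saltedPassword = ScramUtil.calculateHi(this.mac, normalized, this.salt, 0, this.salt.length, this.iterationCount);
            } catch (InvalidKeyException e) {
                throw ElytronMessages.log.saslInvalidMacInitializationKey(getMechanismName());
            }
        } finally {
            // Wipe the normalized password even when a check above or the MAC fails.
            Arrays.fill(normalized, (char) 0);
        }
    }

    /** Returns the cryptographic random source used for server nonces and generated salts. */
    private Random getRandom() {
        return this.secureRandom;
    }

    /**
     * Drops the per-exchange secrets held by this instance, marks the negotiation as failed and
     * resets the MAC and digest. The arrays are only dereferenced, not overwritten.
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
        this.clientFirstMessage = null;
        this.serverFirstMessage = null;
        this.saltedPassword = null;
        setNegotiationState(-1);
        this.mac.reset();
        this.messageDigest.reset();
    }
}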
