package org.wildfly.security.sasl.digest;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.jboss.logmanager.handlers.SyslogHandler;
import org.jboss.modules.xml.XmlPullParser;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.digest.DigestQuote;
import org.wildfly.security.sasl.digest.AbstractDigestMechanism;
import org.wildfly.security.sasl.digest._private.DigestUtil;
import org.wildfly.security.util.ByteStringBuilder;

/* loaded from: input_file:org/wildfly/security/sasl/digest/DigestSaslServer.class */
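/**
 * Server side of the SASL DIGEST mechanism family.
 * <p>
 * The exchange has two server steps: {@link #STEP_ONE} emits the challenge (realm, nonce, qop and
 * the optional maxbuf/charset/cipher directives) and {@link #STEP_THREE} parses and validates the
 * client's digest-response, returning the {@code rspauth} value on success.
 * <p>
 * Instances are single-use and not thread-safe: the nonce, nonce count, qop, cnonce and
 * authorization id are kept on the instance as the exchange progresses.
 */
class DigestSaslServer extends AbstractDigestMechanism implements SaslServer {

    private static final byte STEP_ONE = 1;
    private static final byte STEP_THREE = 3;

    /** Protocol default for maxbuf; when in effect the {@code maxbuf} directive is omitted from the challenge. */
    private static final int DEFAULT_MAXBUF = 65536;
    /** Sentinel for "no usable nc directive"; validateDigestResponse rejects it because it is not 1. */
    private static final int NO_NONCE_COUNT = -1;

    private final String[] realms;
    private final String supportedCiphers;
    private final String[] qops;
    // Nothing in this class changes it after construction, so the challenge never carries maxbuf today.
    private int receivingMaxBuffSize = DEFAULT_MAXBUF;
    private int nonceCount = NO_NONCE_COUNT;

    /**
     * Creates a server for one authentication exchange.
     *
     * @param realms realms this server accepts; each is advertised in the challenge and the client's
     *        realm directive must be one of them
     * @param mechanismName SASL mechanism name, forwarded to the base mechanism
     * @param protocol protocol name, forwarded to the base mechanism
     * @param serverName server name, forwarded to the base mechanism
     * @param callbackHandler handler used for credential acquisition and authorization
     * @param charset charset this server is configured for; only UTF-8 is advertised/accepted as {@code charset}
     * @param qops quality-of-protection values to offer, or {@code null} to offer none
     * @param ciphers ciphers to offer when {@code auth-conf} is among the offered qops
     * @throws SaslException if the base mechanism rejects the configuration
     */
    DigestSaslServer(String[] realms, String mechanismName, String protocol, String serverName,
            CallbackHandler callbackHandler, Charset charset, String[] qops, String[] ciphers) throws SaslException {
        super(mechanismName, protocol, serverName, callbackHandler, AbstractDigestMechanism.FORMAT.SERVER, charset, ciphers);
        this.realms = realms;
        this.supportedCiphers = getSupportedCiphers(ciphers);
        this.qops = qops;
    }

    /**
     * Builds the step-one challenge and records the freshly generated nonce on this instance.
     *
     * @return the challenge bytes, a comma separated list of directives ending in {@code algorithm=md5-sess}
     */
    private byte[] generateChallenge() {
        ByteStringBuilder challenge = new ByteStringBuilder();

        // One realm="..." directive per configured realm, encoded in the server charset.
        StringBuilder realmDirectives = new StringBuilder();
        for (String realm : this.realms) {
            realmDirectives.append("realm=\"").append(DigestQuote.quote(realm)).append("\"").append(',');
        }
        challenge.append(realmDirectives.toString().getBytes(getCharset()));

        // A challenge is produced exactly once per exchange; the nonce is later compared against
        // the client's echoed nonce.
        assert this.nonce == null;
        this.nonce = generateNonce();
        challenge.append("nonce=\"");
        challenge.append(DigestQuote.quote(this.nonce));
        challenge.append("\"").append(',');

        if (this.qops != null) {
            challenge.append("qop=\"");
            for (int i = 0; i < this.qops.length; i++) {
                if (i > 0) {
                    challenge.append(',');
                }
                challenge.append(DigestQuote.quote(this.qops[i]));
            }
            challenge.append("\"").append(',');
        }

        // The default is implied, so maxbuf is only sent when it differs.
        if (this.receivingMaxBuffSize != DEFAULT_MAXBUF) {
            challenge.append("maxbuf=");
            challenge.append(String.valueOf(this.receivingMaxBuffSize));
            challenge.append(',');
        }

        if (StandardCharsets.UTF_8.equals(getCharset())) {
            challenge.append("charset=");
            challenge.append("utf-8");
            challenge.append(',');
        }

        // Ciphers are only meaningful when auth-conf is one of the offered qops.
        if (this.supportedCiphers != null && this.qops != null && arrayContains(this.qops, DigestUtil.QOP_AUTH_CONF)) {
            challenge.append("cipher=\"");
            challenge.append(this.supportedCiphers);
            challenge.append("\"").append(',');
        }

        challenge.append("algorithm=md5-sess");
        return challenge.toArray();
    }

    /**
     * Records the {@code nc}, {@code cipher} and {@code authzid} directives of the parsed digest-response
     * on this instance. These three are decoded as UTF-8 regardless of the charset negotiated later in
     * {@link #validateDigestResponse(HashMap)}; username, realm and digest-uri use the negotiated charset.
     *
     * @param parsedResponse directive name to raw value, as produced by the response parser
     */
    private void noteDigestResponseData(HashMap<String, byte[]> parsedResponse) {
        byte[] nc = parsedResponse.get("nc");
        this.nonceCount = NO_NONCE_COUNT;
        if (nc != null) {
            try {
                this.nonceCount = Integer.parseInt(new String(nc, StandardCharsets.UTF_8));
            } catch (NumberFormatException ignored) {
                // nc is client-controlled; a malformed value must not escape as an unchecked
                // exception. Leaving the sentinel in place makes validateDigestResponse reject it
                // with the regular nonce-count SaslException.
                this.nonceCount = NO_NONCE_COUNT;
            }
        }

        byte[] cipher = parsedResponse.get("cipher");
        this.cipher = cipher != null ? new String(cipher, StandardCharsets.UTF_8) : "";

        byte[] authzid = parsedResponse.get("authzid");
        this.authzid = authzid != null ? new String(authzid, StandardCharsets.UTF_8) : null;
    }

    /**
     * Returns the raw value of a mandatory directive.
     *
     * @param parsedResponse directive name to raw value
     * @param name directive name
     * @return the directive value, never {@code null}
     * @throws SaslException if the directive is absent
     */
    private byte[] requireDirective(HashMap<String, byte[]> parsedResponse, String name) throws SaslException {
        byte[] value = parsedResponse.get(name);
        if (value == null) {
            throw ElytronMessages.log.mechMissingDirective(getMechanismName(), name).toSaslException();
        }
        return value;
    }

    /**
     * Validates the client's digest-response against the challenge issued by this server, then
     * authorizes the user and produces the {@code rspauth} directive.
     * <p>
     * Checks run in a fixed order (nonce count, charset, username, realm, nonce, cnonce, nc,
     * digest-uri, qop, credentials, response proof, authorization); the first failing check
     * determines the reported error.
     *
     * @param parsedResponse directive name to raw value, already recorded via
     *        {@link #noteDigestResponseData(HashMap)}
     * @return the {@code rspauth=...} bytes to send back to the client
     * @throws SaslException if any directive is missing or invalid, the proof does not match,
     *         credentials cannot be acquired, or authorization fails or is unsupported
     */
    private byte[] validateDigestResponse(HashMap<String, byte[]> parsedResponse) throws SaslException {
        // Only the first use of the nonce is accepted; the sentinel also covers a missing or
        // unparseable nc.
        if (this.nonceCount != 1) {
            throw ElytronMessages.log.mechNonceCountMustEqual(getMechanismName(), 1, this.nonceCount).toSaslException();
        }

        // Directive values are ISO-8859-1 unless the client sent charset=utf-8, which is only
        // acceptable when this server itself was configured for UTF-8.
        Charset charset = StandardCharsets.ISO_8859_1;
        byte[] charsetDirective = parsedResponse.get(HttpConstants.CHARSET);
        if (charsetDirective != null) {
            if (!"utf-8".equals(new String(charsetDirective, StandardCharsets.UTF_8))) {
                throw ElytronMessages.log.mechUnknownCharset(getMechanismName()).toSaslException();
            }
            if (!StandardCharsets.UTF_8.equals(getCharset())) {
                throw ElytronMessages.log.mechUnsupportedCharset(getMechanismName(), "UTF-8").toSaslException();
            }
            charset = StandardCharsets.UTF_8;
        }

        String username = new String(requireDirective(parsedResponse, HttpConstants.USERNAME), charset);

        // An absent realm is treated as the empty realm and still has to be one of ours.
        byte[] realmDirective = parsedResponse.get(HttpConstants.REALM);
        String realm = realmDirective != null ? new String(realmDirective, charset) : "";
        if (!arrayContains(this.realms, realm)) {
            throw ElytronMessages.log.mechDisallowedClientRealm(getMechanismName(), realm).toSaslException();
        }

        // The nonce must be the one issued in the challenge of this very exchange.
        byte[] clientNonce = requireDirective(parsedResponse, HttpConstants.NONCE);
        if (!Arrays.equals(this.nonce, clientNonce)) {
            throw ElytronMessages.log.mechNoncesDoNotMatch(getMechanismName()).toSaslException();
        }

        this.cnonce = requireDirective(parsedResponse, "cnonce");
        requireDirective(parsedResponse, "nc");

        String digestUri = new String(requireDirective(parsedResponse, "digest-uri"), charset);
        if (!digestUri.equalsIgnoreCase(this.digestURI)) {
            throw ElytronMessages.log.mechMismatchedWrongDigestUri(getMechanismName(), digestUri, this.digestURI).toSaslException();
        }

        // qop defaults to auth; auth-int and auth-conf install the message wrapper.
        this.qop = DigestUtil.QOP_AUTH;
        byte[] qopDirective = parsedResponse.get("qop");
        if (qopDirective != null) {
            this.qop = new String(qopDirective, charset);
            if (!arrayContains(DigestUtil.QOP_VALUES, this.qop)) {
                throw ElytronMessages.log.mechUnexpectedQop(getMechanismName(), this.qop).toSaslException();
            }
            if (!this.qop.equals(DigestUtil.QOP_AUTH)) {
                setWrapper(new AbstractDigestMechanism.DigestWrapper(this.qop.equals(DigestUtil.QOP_AUTH_CONF)));
            }
        }

        byte[] saltedPassword = acquireSaltedPassword(
                new RealmCallback("User realm", realm), new NameCallback("User name", username));

        this.hA1 = DigestUtil.H_A1(this.messageDigest, saltedPassword, this.nonce, this.cnonce, this.authzid, charset);
        byte[] expectedResponse = DigestUtil.digestResponse(this.messageDigest, this.hA1, this.nonce, this.nonceCount,
                this.cnonce, this.authzid, this.qop, this.digestURI, true);

        // The response is the client's proof of the password: compare in constant time so the
        // comparison does not reveal how many leading bytes matched.
        byte[] clientResponse = requireDirective(parsedResponse, HttpConstants.RESPONSE);
        if (!MessageDigest.isEqual(expectedResponse, clientResponse)) {
            throw ElytronMessages.log.mechAuthenticationRejectedInvalidProof(getMechanismName()).toSaslException();
        }

        createCiphersAndKeys();
        return authorize(username);
    }

    /**
     * Obtains the salted password for the user, trying the predigested, two-way and password
     * callback sources in that order.
     *
     * @param realmCallback realm the user authenticates in
     * @param nameCallback user name from the digest-response
     * @return the salted password bytes, never {@code null}
     * @throws SaslException if no source can supply a credential
     */
    private byte[] acquireSaltedPassword(RealmCallback realmCallback, NameCallback nameCallback) throws SaslException {
        byte[] saltedPassword = getPredigestedSaltedPassword(realmCallback, nameCallback);
        if (saltedPassword == null) {
            saltedPassword = getSaltedPasswordFromTwoWay(realmCallback, nameCallback, true);
        }
        if (saltedPassword == null) {
            saltedPassword = getSaltedPasswordFromPasswordCallback(realmCallback, nameCallback, true);
        }
        if (saltedPassword == null) {
            throw ElytronMessages.log.mechCallbackHandlerDoesNotSupportCredentialAcquisition(getMechanismName(), null).toSaslException();
        }
        return saltedPassword;
    }

    /**
     * Runs the authorization callback for the authenticated user and, on success, stores the
     * authorized id and builds the {@code rspauth} response.
     *
     * @param username the authenticated user name
     * @return the {@code rspauth=...} bytes
     * @throws SaslException if authorization is refused or the handler does not support it
     */
    private byte[] authorize(String username) throws SaslException {
        // Without an authzid the user asks to act as themselves.
        String requestedId = this.authzid == null ? username : this.authzid;
        AuthorizeCallback authorizeCallback = new AuthorizeCallback(username, requestedId);
        try {
            tryHandleCallbacks(authorizeCallback);
        } catch (UnsupportedCallbackException e) {
            throw ElytronMessages.log.mechAuthorizationUnsupported(getMechanismName(), e).toSaslException();
        }
        if (!authorizeCallback.isAuthorized()) {
            throw ElytronMessages.log.mechAuthorizationFailed(getMechanismName(), username, this.authzid).toSaslException();
        }
        this.authzid = authorizeCallback.getAuthorizedID();
        return createResponseAuth();
    }

    /**
     * Builds the {@code rspauth} directive proving to the client that the server knew the password.
     *
     * @return the {@code rspauth=...} bytes
     */
    private byte[] createResponseAuth() {
        ByteStringBuilder responseAuth = new ByteStringBuilder();
        responseAuth.append("rspauth=");
        responseAuth.append(DigestUtil.digestResponse(this.messageDigest, this.hA1, this.nonce, this.nonceCount,
                this.cnonce, this.authzid, this.qop, this.digestURI, false));
        return responseAuth.toArray();
    }

    /**
     * {@inheritDoc}
     *
     * @return the authorized id established in step three, or {@code null} before that
     */
    @Override
    public String getAuthorizationID() {
        return this.authzid;
    }

    /** Resets the negotiation to the first server step. */
    @Override
    public void init() {
        setNegotiationState(STEP_ONE);
    }

    /** {@inheritDoc} */
    @Override
    public byte[] evaluateResponse(byte[] response) throws SaslException {
        return evaluateMessage(response);
    }

    /**
     * Dispatches one round of the exchange.
     *
     * @param state current negotiation state, {@link #STEP_ONE} or {@link #STEP_THREE}
     * @param message client message for this round; must be empty in step one and non-empty in step three
     * @return the challenge (step one) or the {@code rspauth} response (step three)
     * @throws SaslException if the message is unexpected for the state or fails validation
     */
    @Override
    protected byte[] evaluateMessage(int state, byte[] message) throws SaslException {
        switch (state) {
            case STEP_ONE:
                // The server speaks first; client data before the challenge is a protocol error.
                if (message != null && message.length != 0) {
                    throw ElytronMessages.log.mechInitialChallengeMustBeEmpty(getMechanismName()).toSaslException();
                }
                setNegotiationState(STEP_THREE);
                return generateChallenge();
            case STEP_THREE:
                if (message == null || message.length == 0) {
                    throw ElytronMessages.log.mechClientRefusesToInitiateAuthentication(getMechanismName()).toSaslException();
                }
                try {
                    // Fully qualified on purpose: this package has its own DigestUtil.
                    HashMap<String, byte[]> parsedResponse = org.wildfly.security.mechanism.digest.DigestUtil.parseResponse(
                            message, this.charset, false, getMechanismName());
                    noteDigestResponseData(parsedResponse);
                    byte[] responseAuth = validateDigestResponse(parsedResponse);
                    negotiationComplete();
                    return responseAuth;
                } catch (AuthenticationMechanismException e) {
                    throw e.toSaslException();
                }
            default:
                throw Assert.impossibleSwitchCase(state);
        }
    }
}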
