package org.wildfly.security.sasl.entity;

import java.net.URL;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.asn1.ASN1;
import org.wildfly.security.asn1.ASN1Exception;
import org.wildfly.security.asn1.DERDecoder;
import org.wildfly.security.asn1.DEREncoder;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.TrustedAuthoritiesCallback;
import org.wildfly.security.auth.callback.VerifyPeerTrustedCallback;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.X509CertificateChainPrivateCredential;
import org.wildfly.security.credential.X509CertificateChainPublicCredential;
import org.wildfly.security.sasl.entity.GeneralName;
import org.wildfly.security.sasl.util.AbstractSaslServer;
import org.wildfly.security.util.ByteStringBuilder;
import org.wildfly.security.x500.X509CertificateCredentialDecoder;

/* loaded from: input_file:org/wildfly/security/sasl/entity/EntitySaslServer.class */
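/**
 * Server side of the entity (certificate-and-signature) SASL mechanism family.
 *
 * <p>The exchange visible in this class is: the server issues a challenge carrying a fresh random
 * value ({@link #randomB}) plus, optionally, its own name and the authorities it trusts; the client
 * answers with its certificate chain and a signature over both random values and the exchanged
 * names; the server has the chain verified through a callback, checks the signature with the
 * client's public key, runs authorization and, when mutual authentication was requested, returns
 * its own certificate chain and a signature binding both parties' random values to the client's
 * identity.
 *
 * <p>This is a decompiled class: the {@code ElytronMessages} exception factories and the
 * {@code EntityUtil} encoders/decoders are used exactly as the original referenced them. One
 * instance serves a single exchange; the {@link Signature} engine it holds is re-initialised in
 * verify and sign mode in turn (NOTE(review): no concurrent use is expected, but that is not
 * enforced here - confirm with the SASL factory that creates instances).
 */
final class EntitySaslServer extends AbstractSaslServer {
    // Negotiation states passed to setNegotiationState(). State 0 is treated by evaluateMessage()
    // as "nothing more expected from the client"; -1 is presumably the participant's failed state.
    private static final int ST_CHALLENGE = 1;
    private static final int ST_PROCESS_RESPONSE = 2;

    // Source of the server's random values (the challenge random and the mutual-response random).
    private final SecureRandom secureRandom;
    // Signature engine: initVerify() for the client's token, initSign() for the server's (mutual mode).
    private final Signature signature;
    // Whether the server must authenticate itself to the client as well.
    private final boolean mutual;
    // Server name advertised in the challenge as a DNSName; omitted when null or empty.
    private final String serverName;
    // Authorization identity established while processing the client's response; null before that.
    private String authorizationID;
    // Random value issued in the challenge. The client's signature must cover it, which is what
    // prevents replaying an earlier response; the server's own signature covers it as well.
    private byte[] randomB;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a server for one authentication exchange.
     *
     * @param mechanismName the SASL mechanism name
     * @param protocol the protocol name, handed to the superclass unchanged
     * @param serverName the server name; also advertised in the challenge when non-empty
     * @param callbackHandler the handler consulted for trusted authorities, peer trust, the
     *                        server credential and authorization decisions
     * @param props mechanism properties; not read by this class
     * @param mutual whether the server must also authenticate itself to the client
     * @param signature the signature engine used for verification (and signing, when mutual)
     * @param secureRandom the source of random values
     */
    public EntitySaslServer(String mechanismName, String protocol, String serverName, CallbackHandler callbackHandler, Map<String, ?> props, boolean mutual, Signature signature, SecureRandom secureRandom) {
        super(mechanismName, protocol, serverName, callbackHandler);
        this.signature = signature;
        this.secureRandom = secureRandom;
        this.mutual = mutual;
        this.serverName = serverName;
    }

    /** Starts the exchange: the next call to {@link #evaluateMessage} must produce the challenge. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(ST_CHALLENGE);
    }

    /**
     * Returns the negotiated authorization identity: the client's canonical subject DN, unless the
     * client supplied an explicit authorization name in its response.
     *
     * <p>Fails with the exception produced by {@code ElytronMessages.log.mechAuthenticationNotComplete}
     * while the exchange is not complete.
     *
     * @return the authorization ID
     */
    public String getAuthorizationID() {
        if (isComplete()) {
            return this.authorizationID;
        }
        throw ElytronMessages.log.mechAuthenticationNotComplete(getMechanismName());
    }

    /**
     * Drives the state machine for one incoming client message.
     *
     * @param state the current negotiation state
     * @param message the client's message; null or empty when the client sent nothing
     * @return the challenge or the mutual-authentication token to send, or null when nothing is to be sent
     * @throws SaslException on a malformed message, an untrusted chain, a bad signature, a server
     *                       name mismatch or an authorization failure
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int state, byte[] message) throws SaslException {
        switch (state) {
            case 0:
                // Presumably the participant's "complete" state: only an empty message is tolerated.
                if (message == null || message.length == 0) {
                    return null;
                }
                throw ElytronMessages.log.mechClientSentExtraMessage(getMechanismName()).toSaslException();
            case ST_CHALLENGE:
                // The server speaks first, so the client must not have sent any data yet.
                if (message != null && message.length != 0) {
                    throw ElytronMessages.log.mechInitialChallengeMustBeEmpty(getMechanismName()).toSaslException();
                }
                return createChallenge();
            case ST_PROCESS_RESPONSE:
                return processResponse(message);
            default:
                throw Assert.impossibleSwitchCase(state);
        }
    }

    /**
     * Builds the challenge {@code SEQUENCE { randomB, [0] serverName (optional), [1] trustedAuthorities (optional) }}.
     *
     * <p>Records {@link #randomB} so the client's signature can later be checked against it, and
     * advances the state to {@link #ST_PROCESS_RESPONSE}.
     *
     * @return the DER-encoded challenge
     * @throws SaslException if the challenge cannot be encoded or a callback fails
     */
    private byte[] createChallenge() throws SaslException {
        ByteStringBuilder out = new ByteStringBuilder();
        DEREncoder encoder = new DEREncoder(out);
        try {
            encoder.startSequence();
            // Fresh per-exchange random; the client has to sign it, which defeats replay of an old response.
            this.randomB = EntityUtil.encodeRandomNumber(encoder, this.secureRandom);
            if (this.serverName != null && !this.serverName.isEmpty()) {
                encoder.encodeImplicit(0);
                EntityUtil.encodeGeneralNames(encoder, new GeneralName.DNSName(this.serverName));
            }
            // Let the callback handler advertise the CAs it trusts so the client can pick a suitable chain.
            TrustedAuthoritiesCallback trustedAuthoritiesCallback = new TrustedAuthoritiesCallback();
            handleCallbacks(trustedAuthoritiesCallback);
            List<TrustedAuthority> trustedAuthorities = trustedAuthoritiesCallback.getTrustedAuthorities();
            if (trustedAuthorities != null && !trustedAuthorities.isEmpty()) {
                encoder.encodeImplicit(1);
                EntityUtil.encodeTrustedAuthorities(encoder, trustedAuthorities);
            }
            encoder.endSequence();
            setNegotiationState(ST_PROCESS_RESPONSE);
            return out.toArray();
        } catch (ASN1Exception e) {
            throw ElytronMessages.log.mechUnableToCreateResponseTokenWithCause(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Decodes and verifies the client's response, then either completes the exchange or, in
     * mutual mode, produces the server's own authentication token.
     *
     * <p>Checks run in this order and each one fails closed with a {@link SaslException}: the
     * certificate chain is handed to a {@link VerifyPeerTrustedCallback}; the signature over
     * {@code SEQUENCE { randomA, randomB, [0] serverNames?, [1] authzNames? }} is verified with
     * the client's public key; the server credential is obtained when the client named the server
     * or mutual authentication is on; the client-supplied server names are matched against the
     * server certificate; finally an {@link AuthorizeCallback} decides whether the client may act
     * as the requested authorization identity.
     *
     * @param message the client's DER-encoded response
     * @return null when the exchange is complete, otherwise the mutual-authentication token
     * @throws SaslException on any decoding, trust, signature, identity or authorization failure
     */
    private byte[] processResponse(byte[] message) throws SaslException {
        // NOTE(review): a null or empty response is not rejected before decoding; the decoder is relied
        // on to fail with ASN1Exception (a null message presumably fails earlier) - confirm upstream.
        DERDecoder decoder = new DERDecoder(message);
        X509Certificate[] serverCertChain = null;
        X509Certificate serverCert = null;
        PrivateKey serverPrivateKey = null;
        List<GeneralName> serverNames = null;
        List<GeneralName> authzNames = null;
        try {
            decoder.startSequence();
            // randomA: the client's random value.
            byte[] randomA = decoder.decodeOctetString();
            if (decoder.isNextType(ASN1.CONTEXT_SPECIFIC_MASK, 0, true)) {
                decoder.decodeImplicit(0);
                serverNames = EntityUtil.decodeGeneralNames(decoder);
            }
            decoder.startExplicit(1);
            X509Certificate[] clientCertChain = EntityUtil.decodeCertificateData(decoder);
            decoder.endExplicit();
            if (clientCertChain == null || clientCertChain.length == 0) {
                // Fail closed instead of letting clientCertChain[0] escape as an ArrayIndexOutOfBoundsException.
                throw ElytronMessages.log.mechAuthenticationFailed(getMechanismName()).toSaslException();
            }
            X509Certificate clientCert = clientCertChain[0];
            // Chain validation is delegated to the callback handler; an unverified chain ends the exchange
            // before anything signed by that chain is trusted.
            VerifyPeerTrustedCallback verifyPeerTrustedCallback = new VerifyPeerTrustedCallback(clientCertChain, clientCert.getPublicKey().getAlgorithm());
            handleCallbacks(verifyPeerTrustedCallback);
            if (!verifyPeerTrustedCallback.isVerified()) {
                throw ElytronMessages.log.mechAuthenticationFailed(getMechanismName()).toSaslException();
            }
            // Authentication identity: the canonical form of the client certificate's subject.
            String clientName = X509CertificateCredentialDecoder.getInstance().getPrincipalFromCredential((Credential) new X509CertificateChainPublicCredential(clientCert)).getName("CANONICAL");
            if (decoder.isNextType(ASN1.CONTEXT_SPECIFIC_MASK, 2, true)) {
                decoder.decodeImplicit(2);
                authzNames = EntityUtil.decodeGeneralNames(decoder);
                this.authorizationID = EntityUtil.getDistinguishedNameFromGeneralNames(authzNames);
            } else {
                this.authorizationID = clientName;
            }
            // Client token: SEQUENCE { algorithmIdentifier (skipped), BIT STRING signature }.
            decoder.startSequence();
            decoder.skipElement();
            byte[] clientSignature = decoder.decodeBitString();
            decoder.endSequence();
            // Re-encode exactly what the client was required to sign, including our randomB.
            ByteStringBuilder signedData = new ByteStringBuilder();
            DEREncoder signedEncoder = new DEREncoder(signedData);
            signedEncoder.startSequence();
            signedEncoder.encodeOctetString(randomA);
            signedEncoder.encodeOctetString(this.randomB);
            if (serverNames != null) {
                signedEncoder.encodeImplicit(0);
                EntityUtil.encodeGeneralNames(signedEncoder, serverNames);
            }
            if (authzNames != null) {
                signedEncoder.encodeImplicit(1);
                EntityUtil.encodeGeneralNames(signedEncoder, authzNames);
            }
            signedEncoder.endSequence();
            try {
                this.signature.initVerify(clientCert);
                this.signature.update(signedData.toArray());
                if (!this.signature.verify(clientSignature)) {
                    // -1 is presumably the participant's failed state.
                    setNegotiationState(-1);
                    throw ElytronMessages.log.mechAuthenticationFailed(getMechanismName()).toSaslException();
                }
                decoder.endSequence();
                // The server credential is needed to check the client-supplied server names and for mutual auth.
                if (serverNames != null || this.mutual) {
                    CredentialCallback credentialCallback = CredentialCallback.builder().addSupportedCredentialType(X509CertificateChainPrivateCredential.class, Entity.keyType(this.signature.getAlgorithm())).build();
                    try {
                        tryHandleCallbacks(credentialCallback);
                        X509CertificateChainPrivateCredential serverCredential = (X509CertificateChainPrivateCredential) credentialCallback.getCredential();
                        if (serverCredential == null) {
                            throw ElytronMessages.log.mechCallbackHandlerNotProvidedServerCertificate(getMechanismName()).toSaslException();
                        }
                        serverCertChain = serverCredential.getCertificateChain();
                        if (serverCertChain == null || serverCertChain.length <= 0) {
                            throw ElytronMessages.log.mechCallbackHandlerNotProvidedServerCertificate(getMechanismName()).toSaslException();
                        }
                        serverCert = serverCertChain[0];
                        serverPrivateKey = serverCredential.getPrivateKey();
                    } catch (UnsupportedCallbackException e) {
                        throw ElytronMessages.log.mechCallbackHandlerNotProvidedServerCertificate(getMechanismName()).toSaslException();
                    }
                }
                // The client named the server it believes it is talking to; that must match our certificate.
                if (serverNames != null && !EntityUtil.matchGeneralNames(serverNames, serverCert)) {
                    throw ElytronMessages.log.mechServerIdentifierMismatch(getMechanismName()).toSaslException();
                }
                // Authorization: may the authenticated clientName act as authorizationID?
                AuthorizeCallback authorizeCallback = new AuthorizeCallback(clientName, this.authorizationID);
                handleCallbacks(authorizeCallback);
                if (!authorizeCallback.isAuthorized()) {
                    throw ElytronMessages.log.mechAuthorizationFailed(getMechanismName(), clientName, this.authorizationID).toSaslException();
                }
                if (!this.mutual) {
                    negotiationComplete();
                    return null;
                }
                return createMutualResponse(randomA, clientName, clientCert, serverCertChain, serverPrivateKey);
            } catch (InvalidKeyException | SignatureException e) {
                throw ElytronMessages.log.mechUnableToVerifyClientSignature(getMechanismName(), e).toSaslException();
            }
        } catch (ASN1Exception e) {
            throw ElytronMessages.log.mechInvalidClientMessageWithCause(getMechanismName(), e).toSaslException();
        }
    }

    /**
     * Builds the server's mutual-authentication token
     * {@code SEQUENCE { randomC, [0] clientNames, [1] EXPLICIT serverCertChain, SEQUENCE { algorithmIdentifier, BIT STRING signature } }}
     * where the signature covers {@code SEQUENCE { randomB, randomA, randomC, clientNames }}, binding
     * both parties' random values to the client's identity. Completes the negotiation on success.
     *
     * @param randomA the client's random value taken from its response
     * @param clientName the client's canonical subject name
     * @param clientCert the client's end-entity certificate, read for its subject alternative names
     * @param serverCertChain the server's certificate chain from the credential callback
     * @param serverPrivateKey the server's signing key from the credential callback
     * @return the DER-encoded server token
     * @throws SaslException if the server credential is incomplete or the token cannot be built or signed
     */
    private byte[] createMutualResponse(byte[] randomA, String clientName, X509Certificate clientCert, X509Certificate[] serverCertChain, PrivateKey serverPrivateKey) throws SaslException {
        ByteStringBuilder out = new ByteStringBuilder();
        DEREncoder encoder = new DEREncoder(out);
        try {
            encoder.startSequence();
            // randomC: the server's second random value, signed below together with randomA and randomB.
            byte[] randomC = EntityUtil.encodeRandomNumber(encoder, this.secureRandom);
            Collection<List<?>> clientAltNames = null;
            try {
                clientAltNames = clientCert.getSubjectAlternativeNames();
            } catch (CertificateParsingException e) {
                // Unparseable SANs are tolerated as long as the subject DN can still name the client.
                if (clientName.isEmpty()) {
                    throw ElytronMessages.log.mechUnableToDetermineClientName(getMechanismName(), e).toSaslException();
                }
            }
            encoder.encodeImplicit(0);
            EntityUtil.encodeGeneralNames(encoder, clientName, clientAltNames);
            encoder.startExplicit(1);
            // The decompiled original also carried an always-null certificate URL alternative; only an
            // in-band certificate chain is supported, so a missing chain is an error.
            if (serverCertChain == null || serverCertChain.length == 0) {
                throw ElytronMessages.log.mechCallbackHandlerNotProvidedServerCertificate(getMechanismName()).toSaslException();
            }
            EntityUtil.encodeX509CertificateChain(encoder, serverCertChain);
            encoder.endExplicit();
            if (serverPrivateKey == null) {
                throw ElytronMessages.log.mechCallbackHandlerNotProvidedPrivateKey(getMechanismName()).toSaslException();
            }
            ByteStringBuilder signedData = new ByteStringBuilder();
            DEREncoder signedEncoder = new DEREncoder(signedData);
            signedEncoder.startSequence();
            signedEncoder.encodeOctetString(this.randomB);
            signedEncoder.encodeOctetString(randomA);
            signedEncoder.encodeOctetString(randomC);
            EntityUtil.encodeGeneralNames(signedEncoder, clientName, clientAltNames);
            signedEncoder.endSequence();
            try {
                this.signature.initSign(serverPrivateKey);
                this.signature.update(signedData.toArray());
                byte[] serverSignature = this.signature.sign();
                encoder.startSequence();
                EntityUtil.encodeAlgorithmIdentifier(encoder, this.signature.getAlgorithm());
                encoder.encodeBitString(serverSignature);
                encoder.endSequence();
                encoder.endSequence();
                negotiationComplete();
                return out.toArray();
            } catch (InvalidKeyException | SignatureException e) {
                throw ElytronMessages.log.mechUnableToCreateSignature(getMechanismName(), e).toSaslException();
            }
        } catch (ASN1Exception e) {
            throw ElytronMessages.log.mechUnableToCreateResponseTokenWithCause(getMechanismName(), e).toSaslException();
        }
    }
}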
