package org.apache.qpid.jms.sasl;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.sasl.SaslException;

/* loaded from: input_file:BOOT-INF/lib/qpid-jms-client-0.42.0.redhat-00002.jar:org/apache/qpid/jms/sasl/AbstractScramSHAMechanism.class */
abstract class AbstractScramSHAMechanism extends AbstractMechanism {
    private static final byte[] INT_1 = {0, 0, 0, 1};
    private static final String GS2_HEADER = "n,,";
    private final String clientNonce;
    private final String digestName;
    private final String hmacName;
    private String serverNonce;
    private byte[] salt;
    private int iterationCount;
    private String clientFirstMessageBare;
    private byte[] serverSignature;
    private State state = State.INITIAL;

    /* loaded from: input_file:BOOT-INF/lib/qpid-jms-client-0.42.0.redhat-00002.jar:org/apache/qpid/jms/sasl/AbstractScramSHAMechanism$State.class */
    private enum State {
        INITIAL,
        CLIENT_FIRST_SENT,
        CLIENT_PROOF_SENT,
        COMPLETE
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AbstractScramSHAMechanism(String str, String str2, String str3) {
        this.digestName = str;
        this.hmacName = str2;
        this.clientNonce = str3;
    }

    @Override // org.apache.qpid.jms.sasl.Mechanism
    public boolean isApplicable(String str, String str2, Principal principal) {
        return str != null && str.length() > 0 && str2 != null && str2.length() > 0;
    }

    @Override // org.apache.qpid.jms.sasl.Mechanism
    public byte[] getInitialResponse() throws SaslException {
        if (this.state != State.INITIAL) {
            throw new SaslException("Request for initial response not expected in state " + this.state);
        }
        this.clientFirstMessageBare = "n=" + escapeUsername(saslPrep(getUsername())) + ",r=" + this.clientNonce;
        this.state = State.CLIENT_FIRST_SENT;
        return (GS2_HEADER + this.clientFirstMessageBare).getBytes(StandardCharsets.US_ASCII);
    }

    @Override // org.apache.qpid.jms.sasl.Mechanism
    public byte[] getChallengeResponse(byte[] bArr) throws SaslException {
        byte[] bArr2;
        switch (this.state) {
            case CLIENT_FIRST_SENT:
                bArr2 = calculateClientProof(bArr);
                this.state = State.CLIENT_PROOF_SENT;
                break;
            case CLIENT_PROOF_SENT:
                evaluateOutcome(bArr);
                bArr2 = new byte[0];
                this.state = State.COMPLETE;
                break;
            default:
                throw new SaslException("No challenge expected in state " + this.state);
        }
        return bArr2;
    }

    @Override // org.apache.qpid.jms.sasl.AbstractMechanism, org.apache.qpid.jms.sasl.Mechanism
    public void verifyCompletion() throws SaslException {
        super.verifyCompletion();
        if (this.state != State.COMPLETE) {
            throw new SaslException(String.format("SASL exchange was not fully completed. Expected state %s but actual state %s", State.COMPLETE, this.state));
        }
    }

    private byte[] calculateClientProof(byte[] bArr) throws SaslException {
        try {
            String str = new String(bArr, StandardCharsets.US_ASCII);
            String[] split = str.split(",");
            if (split.length < 3) {
                throw new SaslException("Server challenge '" + str + "' cannot be parsed");
            }
            if (split[0].startsWith("m=")) {
                throw new SaslException("Server requires mandatory extension which is not supported: " + split[0]);
            }
            if (!split[0].startsWith("r=")) {
                throw new SaslException("Server challenge '" + str + "' cannot be parsed, cannot find nonce");
            }
            String substring = split[0].substring(2);
            if (!substring.startsWith(this.clientNonce)) {
                throw new SaslException("Server challenge did not use correct client nonce");
            }
            this.serverNonce = substring;
            if (!split[1].startsWith("s=")) {
                throw new SaslException("Server challenge '" + str + "' cannot be parsed, cannot find salt");
            }
            this.salt = Base64.getDecoder().decode(split[1].substring(2));
            if (!split[2].startsWith("i=")) {
                throw new SaslException("Server challenge '" + str + "' cannot be parsed, cannot find iteration count");
            }
            this.iterationCount = Integer.parseInt(split[2].substring(2));
            if (this.iterationCount <= 0) {
                throw new SaslException("Iteration count " + this.iterationCount + " is not a positive integer");
            }
            byte[] generateSaltedPassword = generateSaltedPassword(saslPrep(new String(getPassword())).getBytes(StandardCharsets.UTF_8));
            String str2 = "c=" + Base64.getEncoder().encodeToString(GS2_HEADER.getBytes(StandardCharsets.US_ASCII)) + ",r=" + this.serverNonce;
            String str3 = this.clientFirstMessageBare + "," + str + "," + str2;
            byte[] computeHmac = computeHmac(generateSaltedPassword, "Client Key");
            byte[] computeHmac2 = computeHmac(MessageDigest.getInstance(this.digestName).digest(computeHmac), str3);
            byte[] bArr2 = (byte[]) computeHmac.clone();
            for (int i = 0; i < bArr2.length; i++) {
                int i2 = i;
                bArr2[i2] = (byte) (bArr2[i2] ^ computeHmac2[i]);
            }
            this.serverSignature = computeHmac(computeHmac(generateSaltedPassword, "Server Key"), str3);
            return (str2 + ",p=" + Base64.getEncoder().encodeToString(bArr2)).getBytes();
        } catch (NoSuchAlgorithmException e) {
            throw new SaslException(e.getMessage(), e);
        }
    }

    private void evaluateOutcome(byte[] bArr) throws SaslException {
        String[] split = new String(bArr, StandardCharsets.US_ASCII).split(",");
        if (!split[0].startsWith("v=")) {
            throw new SaslException("Server final message did not contain verifier");
        }
        if (!Arrays.equals(this.serverSignature, Base64.getDecoder().decode(split[0].substring(2)))) {
            throw new SaslException("Server signature did not match");
        }
    }

    private byte[] computeHmac(byte[] bArr, String str) throws SaslException {
        Mac createHmac = createHmac(bArr);
        createHmac.update(str.getBytes(StandardCharsets.US_ASCII));
        return createHmac.doFinal();
    }

    private byte[] generateSaltedPassword(byte[] bArr) throws SaslException {
        Mac createHmac = createHmac(bArr);
        createHmac.update(this.salt);
        createHmac.update(INT_1);
        byte[] doFinal = createHmac.doFinal();
        byte[] bArr2 = null;
        for (int i = 1; i < this.iterationCount; i++) {
            createHmac.update(bArr2 != null ? bArr2 : doFinal);
            bArr2 = createHmac.doFinal();
            for (int i2 = 0; i2 < doFinal.length; i2++) {
                int i3 = i2;
                doFinal[i3] = (byte) (doFinal[i3] ^ bArr2[i2]);
            }
        }
        return doFinal;
    }

    private Mac createHmac(byte[] bArr) throws SaslException {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, this.hmacName);
            Mac mac = Mac.getInstance(this.hmacName);
            mac.init(secretKeySpec);
            return mac;
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new SaslException(e.getMessage(), e);
        }
    }

    private String saslPrep(String str) throws SaslException {
        if (StandardCharsets.US_ASCII.newEncoder().canEncode(str)) {
            return str;
        }
        throw new SaslException("Can only encode names and passwords which are restricted to ASCII characters");
    }

    private String escapeUsername(String str) {
        return str.replace("=", "=3D").replace(",", "=2C");
    }
}
