package org.apache.qpid.client.security.scram;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.qpid.util.Base64;
import org.apache.qpid.util.Strings;

/* loaded from: input_file:org/apache/qpid/client/security/scram/AbstractScramSaslClient.class */
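/**
 * Client side of a SCRAM (RFC 5802) SASL exchange, parameterised by the digest and
 * HMAC algorithm names supplied by the concrete subclass.
 *
 * <p>The exchange is a three-step state machine driven by {@link #evaluateChallenge(byte[])}:
 * client-first message, client proof, then verification of the server signature.
 *
 * <p>Security properties visible in this class:
 * <ul>
 *   <li>The GS2 header is fixed to {@code "n,,"}, i.e. no channel binding is requested.
 *       Protection against an active man-in-the-middle therefore has to come from the
 *       transport (for example TLS with certificate validation), not from SCRAM itself.</li>
 *   <li>{@link #saslPrep(String)} is not a full SASLprep implementation; it only accepts
 *       ASCII user names and passwords and rejects everything else.</li>
 *   <li>No security layer is negotiated; {@code wrap}/{@code unwrap} always throw.</li>
 * </ul>
 *
 * <p>Instances hold mutable per-exchange state and contain no synchronization.
 */
public abstract class AbstractScramSaslClient implements SaslClient {
    /** GS2 header of the client-first message: no channel binding, no authorization identity. */
    private static final String GS2_HEADER = "n,,";
    private final String _digestName;
    private final String _hmacName;
    private String _username;
    private final String _clientNonce;
    private String _serverNonce;
    private byte[] _salt;
    private int _iterationCount;
    private String _clientFirstMessageBare;
    /** Signature the server must present in its final message; computed with the client proof. */
    private byte[] _serverSignature;
    public final String _mechanism;
    private final CallbackHandler _callbackHandler;
    private State _state = State.INITIAL;
    /** Big-endian block index 1, appended to the salt for the first PBKDF2-style HMAC round. */
    private static final byte[] INT_1 = {0, 0, 0, 1};
    private static final Charset ASCII = Charset.forName("ASCII");

    /** Progress of the SCRAM exchange from the client's point of view. */
    enum State {
        INITIAL,
        CLIENT_FIRST_SENT,
        CLIENT_PROOF_SENT,
        COMPLETE
    }

    /**
     * @param callbackHandler source of the user name ({@link NameCallback}) and password
     *                        ({@link PasswordCallback})
     * @param mechanism       SASL mechanism name reported by {@link #getMechanismName()}
     * @param digestName      {@link MessageDigest} algorithm used to derive the stored key
     * @param hmacName        {@link Mac} algorithm used for every HMAC in the exchange
     * @param clientNonce     client nonce placed in the client-first message; the caller is
     *                        responsible for making it unpredictable and unique per exchange
     */
    public AbstractScramSaslClient(CallbackHandler callbackHandler, String mechanism, String digestName,
                                   String hmacName, String clientNonce) {
        this._callbackHandler = callbackHandler;
        this._mechanism = mechanism;
        this._digestName = digestName;
        this._hmacName = hmacName;
        this._clientNonce = clientNonce;
    }

    @Override
    public String getMechanismName() {
        return this._mechanism;
    }

    @Override
    public boolean hasInitialResponse() {
        return true;
    }

    /**
     * Advances the exchange by one step.
     *
     * @param challenge server message for the current step; ignored in the initial state
     * @return the next client message, or an empty array once the server signature is verified
     * @throws SaslException if the server message is malformed, the server signature does not
     *                       match, or the exchange is already complete
     */
    @Override
    public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
        final byte[] response;
        switch (this._state) {
            case INITIAL:
                response = initialResponse();
                this._state = State.CLIENT_FIRST_SENT;
                break;
            case CLIENT_FIRST_SENT:
                response = calculateClientProof(challenge);
                this._state = State.CLIENT_PROOF_SENT;
                break;
            case CLIENT_PROOF_SENT:
                // Mutual authentication: the state only becomes COMPLETE if this does not throw.
                evaluateOutcome(challenge);
                response = new byte[0];
                this._state = State.COMPLETE;
                break;
            default:
                throw new SaslException("No challenge expected in state " + this._state);
        }
        return response;
    }

    /**
     * Verifies the {@code v=} attribute of the server-final message against the expected
     * server signature.
     *
     * @throws SaslException if the verifier is missing, not valid Base64, or does not match
     */
    private void evaluateOutcome(byte[] challenge) throws SaslException {
        if (challenge == null) {
            throw new SaslException("Server final message did not contain verifier");
        }
        String[] parts = new String(challenge, ASCII).split(",");
        // split() yields an empty array for input made only of separators, so check the length
        // before indexing instead of leaking an ArrayIndexOutOfBoundsException to the caller.
        if (parts.length == 0 || !parts[0].startsWith("v=")) {
            throw new SaslException("Server final message did not contain verifier");
        }
        final byte[] presented;
        try {
            presented = Strings.decodeBase64(parts[0].substring(2));
        } catch (IllegalArgumentException e) {
            throw new SaslException("Server signature did not match", e);
        }
        // MessageDigest.isEqual is used rather than Arrays.equals so the comparison time does
        // not depend on how many leading bytes of the presented signature are correct.
        if (presented == null || !MessageDigest.isEqual(this._serverSignature, presented)) {
            throw new SaslException("Server signature did not match");
        }
    }

    /**
     * Parses the server-first message ({@code r=,s=,i=}), derives the salted password and
     * builds the client-final message carrying the client proof. Also precomputes the server
     * signature that {@link #evaluateOutcome(byte[])} later checks.
     *
     * @throws SaslException if the message cannot be parsed, the nonce does not extend the
     *                       client nonce, no password is available, or a crypto primitive fails
     */
    private byte[] calculateClientProof(byte[] challenge) throws SaslException {
        if (challenge == null) {
            throw new SaslException("Server challenge is missing");
        }
        try {
            String serverFirstMessage = new String(challenge, ASCII);
            String[] parts = serverFirstMessage.split(",");
            if (parts.length < 3) {
                throw new SaslException("Server challenge '" + serverFirstMessage + "' cannot be parsed");
            }
            if (parts[0].startsWith("m=")) {
                throw new SaslException("Server requires mandatory extension which is not supported: " + parts[0]);
            }
            if (!parts[0].startsWith("r=")) {
                throw new SaslException("Server challenge '" + serverFirstMessage + "' cannot be parsed, cannot find nonce");
            }
            String nonce = parts[0].substring(2);
            // The combined nonce must begin with the nonce this client sent; otherwise the
            // message does not belong to this exchange.
            if (!nonce.startsWith(this._clientNonce)) {
                throw new SaslException("Server challenge did not use correct client nonce");
            }
            this._serverNonce = nonce;
            if (!parts[1].startsWith("s=")) {
                throw new SaslException("Server challenge '" + serverFirstMessage + "' cannot be parsed, cannot find salt");
            }
            this._salt = Strings.decodeBase64(parts[1].substring(2));
            if (!parts[2].startsWith("i=")) {
                throw new SaslException("Server challenge '" + serverFirstMessage + "' cannot be parsed, cannot find iteration count");
            }
            // NumberFormatException is an IllegalArgumentException and is mapped below.
            this._iterationCount = Integer.parseInt(parts[2].substring(2));
            if (this._iterationCount <= 0) {
                throw new SaslException("Iteration count " + this._iterationCount + " is not a positive integer");
            }
            // NOTE(review): the iteration count is taken from the server as-is. There is no upper
            // bound (a hostile or misconfigured peer can make the key-derivation loop run for a
            // very long time) and no minimum (a very low count weakens the derived key).
            // Consider enforcing policy limits here.

            PasswordCallback passwordCallback = new PasswordCallback("Password", false);
            this._callbackHandler.handle(new Callback[] {passwordCallback});
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null) {
                throw new SaslException("No password was supplied by the callback handler");
            }

            byte[] passwordBytes = null;
            byte[] saltedPassword = null;
            try {
                // The intermediate String cannot be wiped; only the array copies are cleared below.
                passwordBytes = saslPrep(new String(password)).getBytes("UTF-8");
                saltedPassword = generateSaltedPassword(passwordBytes);

                String clientFinalWithoutProof =
                        "c=" + Base64.encode(GS2_HEADER.getBytes(ASCII)) + ",r=" + this._serverNonce;
                String authMessage =
                        this._clientFirstMessageBare + "," + serverFirstMessage + "," + clientFinalWithoutProof;

                byte[] clientKey = computeHmac(saltedPassword, "Client Key");
                byte[] storedKey = MessageDigest.getInstance(this._digestName).digest(clientKey);
                byte[] clientSignature = computeHmac(storedKey, authMessage);

                // ClientProof = ClientKey XOR ClientSignature
                byte[] clientProof = clientKey.clone();
                for (int i = 0; i < clientProof.length; i++) {
                    clientProof[i] ^= clientSignature[i];
                }

                this._serverSignature = computeHmac(computeHmac(saltedPassword, "Server Key"), authMessage);

                // Encode explicitly as ASCII: the platform default charset is not guaranteed to
                // be ASCII-compatible, which would corrupt the message on the wire.
                return (clientFinalWithoutProof + ",p=" + Base64.encode(clientProof)).getBytes(ASCII);
            } finally {
                Arrays.fill(password, '\0');
                if (passwordBytes != null) {
                    Arrays.fill(passwordBytes, (byte) 0);
                }
                if (saltedPassword != null) {
                    Arrays.fill(saltedPassword, (byte) 0);
                }
            }
        } catch (SaslException e) {
            // SaslException is an IOException; rethrow it untouched instead of re-wrapping it.
            throw e;
        } catch (IOException e) {
            throw new SaslException(e.getMessage(), e);
        } catch (IllegalArgumentException e) {
            throw new SaslException(e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new SaslException(e.getMessage(), e);
        } catch (UnsupportedCallbackException e) {
            throw new SaslException(e.getMessage(), e);
        }
    }

    /** Returns HMAC(key, message) with {@code message} encoded as ASCII. */
    private byte[] computeHmac(byte[] key, String message) throws SaslException {
        Mac mac = createHmac(key);
        mac.update(message.getBytes(ASCII));
        return mac.doFinal();
    }

    /**
     * Derives the salted password: U1 = HMAC(password, salt || INT(1)), Ui = HMAC(password, Ui-1),
     * result = U1 XOR U2 XOR ... XOR Un, with n taken from {@code _iterationCount}.
     */
    private byte[] generateSaltedPassword(byte[] passwordBytes) throws SaslException {
        Mac mac = createHmac(passwordBytes);
        mac.update(this._salt);
        mac.update(INT_1);
        byte[] result = mac.doFinal();
        byte[] previous = null;
        for (int round = 1; round < this._iterationCount; round++) {
            // In the first extra round `result` still equals U1, so it doubles as the input.
            mac.update(previous != null ? previous : result);
            previous = mac.doFinal();
            for (int i = 0; i < result.length; i++) {
                result[i] ^= previous[i];
            }
        }
        return result;
    }

    /** Creates a {@link Mac} for the configured HMAC algorithm, initialised with {@code key}. */
    private Mac createHmac(byte[] key) throws SaslException {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(key, this._hmacName);
            Mac mac = Mac.getInstance(this._hmacName);
            mac.init(secretKeySpec);
            return mac;
        } catch (InvalidKeyException e) {
            throw new SaslException(e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new SaslException(e.getMessage(), e);
        }
    }

    /**
     * Builds the client-first message {@code n,,n=<user>,r=<client nonce>} and remembers its
     * bare part for the later auth-message computation.
     */
    private byte[] initialResponse() throws SaslException {
        try {
            // Declared as NameCallback (not Callback) so that getName() is available.
            NameCallback nameCallback = new NameCallback("Username?");
            this._callbackHandler.handle(new Callback[] {nameCallback});
            this._username = nameCallback.getName();
            if (this._username == null) {
                throw new SaslException("No username was supplied by the callback handler");
            }
            StringBuilder bare = new StringBuilder("n=");
            bare.append(escapeUsername(saslPrep(this._username)));
            bare.append(",r=");
            bare.append(this._clientNonce);
            this._clientFirstMessageBare = bare.toString();
            return (GS2_HEADER + this._clientFirstMessageBare).getBytes(ASCII);
        } catch (SaslException e) {
            // SaslException is an IOException; rethrow it untouched instead of re-wrapping it.
            throw e;
        } catch (IOException e) {
            throw new SaslException(e.getMessage(), e);
        } catch (UnsupportedCallbackException e) {
            throw new SaslException(e.getMessage(), e);
        }
    }

    /**
     * Restricted stand-in for SASLprep: returns the input unchanged when it is pure ASCII and
     * rejects anything else. No normalisation or prohibited-character checks are performed.
     */
    private String saslPrep(String value) throws SaslException {
        if (ASCII.newEncoder().canEncode(value)) {
            return value;
        }
        throw new SaslException("Can only encode names and passwords which are restricted to ASCII characters");
    }

    /**
     * Escapes the two characters that are syntactically significant in SCRAM attributes.
     * '=' is replaced first so the '=' introduced by "=2C" is not escaped a second time.
     */
    private String escapeUsername(String username) {
        return username.replace("=", "=3D").replace(",", "=2C");
    }

    @Override
    public boolean isComplete() {
        return this._state == State.COMPLETE;
    }

    /** Always throws: this mechanism negotiates no security layer. */
    @Override
    public byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException {
        throw new IllegalStateException("No security layer supported");
    }

    /** Always throws: this mechanism negotiates no security layer. */
    @Override
    public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException {
        throw new IllegalStateException("No security layer supported");
    }

    /** No properties are negotiated; always returns {@code null}. */
    @Override
    public Object getNegotiatedProperty(String propName) {
        return null;
    }

    /** Intentionally empty: the class holds no external resources. */
    @Override
    public void dispose() throws SaslException {
    }
}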
