package org.wso2.carbon.identity.application.authenticator.totp.util;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base32;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticatorConstants;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/totp/util/TOTPAuthenticatorCredentials.class */
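/**
 * Generates TOTP shared secrets and verifies time-based one-time codes against them.
 *
 * <p>Secrets are produced from a {@link TOTPReseedingSecureRandom} whose algorithm and
 * provider can be overridden through the {@link #RNG_ALGORITHM} and
 * {@link #RNG_ALGORITHM_PROVIDER} system properties. Codes are computed with HMAC-SHA1 over
 * an 8-byte big-endian moving factor followed by dynamic truncation (the HOTP construction),
 * where the moving factor is the current time divided by the configured step size.
 *
 * <p>Nothing in this class records which time windows have already been accepted, so the
 * same code verifies repeatedly while it stays inside the configured window; single-use
 * semantics and attempt throttling are the caller's responsibility.
 *
 * <p>NOTE(review): thread-safety of the shared {@code secureRandom} field depends on
 * {@code TOTPReseedingSecureRandom}, which is not visible here — confirm before sharing one
 * instance across threads.
 */
public final class TOTPAuthenticatorCredentials {

    /** System property selecting the {@code SecureRandom} algorithm used to generate secrets. */
    public static final String RNG_ALGORITHM = "com.wso2.rng.algorithm";
    /** System property selecting the provider of the {@code SecureRandom} algorithm. */
    public static final String RNG_ALGORITHM_PROVIDER = "com.wso2.rng.algorithmProvider";
    private static final Logger LOGGER = Logger.getLogger(TOTPAuthenticatorCredentials.class.getName());
    /** Length of the generated shared secret in bits; {@code SECRET_BITS / 8} random bytes are kept. */
    private static final int SECRET_BITS = 80;
    /** Retained from the original layout; this class does not generate scratch codes. */
    private static final int SCRATCH_CODES = 5;
    /** Also serves as the byte length of the big-endian moving factor fed to the HMAC. */
    private static final int SCRATCH_CODE_LENGTH = 8;
    /** Number of HMAC output bytes selected by dynamic truncation. */
    private static final int BYTES_PER_SCRATCH_CODE = 4;
    /** Number of random bytes drawn per secret; only the first {@code SECRET_BITS / 8} are used. */
    private static final int RANDOM_BUFFER_BYTES = 30;
    private static final String DEFAULT_RANDOM_NUMBER_ALGORITHM = "SHA1PRNG";
    private static final String DEFAULT_RANDOM_NUMBER_ALGORITHM_PROVIDER = "SUN";
    private static final String HMAC_HASH_FUNCTION = "HmacSHA1";
    private final TOTPAuthenticatorConfig config;
    // Initialised before the constructor body runs; reads the system properties at that point.
    private final TOTPReseedingSecureRandom secureRandom =
            new TOTPReseedingSecureRandom(getRandomNumberAlgorithm(), getRandomNumberAlgorithmProvider());

    /**
     * Creates a credential helper bound to the given configuration.
     *
     * @param tOTPAuthenticatorConfig key representation, modulus, time step and window settings
     * @throws TOTPAuthenticatorException if the configuration is {@code null}
     */
    public TOTPAuthenticatorCredentials(TOTPAuthenticatorConfig tOTPAuthenticatorConfig) {
        if (tOTPAuthenticatorConfig == null) {
            throw new TOTPAuthenticatorException("Configuration cannot be null.");
        }
        this.config = tOTPAuthenticatorConfig;
    }

    /** @return the configured RNG algorithm name, or {@code SHA1PRNG} when the property is unset */
    private String getRandomNumberAlgorithm() {
        return System.getProperty(RNG_ALGORITHM, DEFAULT_RANDOM_NUMBER_ALGORITHM);
    }

    /** @return the configured RNG provider name, or {@code SUN} when the property is unset */
    private String getRandomNumberAlgorithmProvider() {
        return System.getProperty(RNG_ALGORITHM_PROVIDER, DEFAULT_RANDOM_NUMBER_ALGORITHM_PROVIDER);
    }

    /**
     * Computes the one-time code for a key and moving factor.
     *
     * @param key          raw (decoded) shared secret used as the HMAC key
     * @param movingFactor counter value, encoded as 8 big-endian bytes before hashing
     * @return the truncated HMAC reduced modulo {@code config.getKeyModulus()}
     * @throws TOTPAuthenticatorException if the MAC cannot be initialised or the algorithm is missing
     */
    private int calculateCode(byte[] key, long movingFactor) {
        byte[] counter = new byte[SCRATCH_CODE_LENGTH];
        long remaining = movingFactor;
        // Fill from the least significant byte backwards to obtain big-endian order.
        for (int idx = SCRATCH_CODE_LENGTH - 1; idx >= 0; idx--) {
            counter[idx] = (byte) remaining;
            remaining >>>= 8;
        }
        try {
            Mac mac = Mac.getInstance(HMAC_HASH_FUNCTION);
            mac.init(new SecretKeySpec(key, HMAC_HASH_FUNCTION));
            byte[] hash = mac.doFinal(counter);
            // Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
            int offset = hash[hash.length - 1] & 0xF;
            long truncated = 0;
            for (int k = 0; k < BYTES_PER_SCRATCH_CODE; k++) {
                truncated = (truncated << 8) | (hash[offset + k] & 0xFF);
            }
            // Clear the sign bit, then reduce to the configured number of digits.
            return (int) ((truncated & 0x7FFFFFFFL) % this.config.getKeyModulus());
        } catch (InvalidKeyException e) {
            throw new TOTPAuthenticatorException("Error while initializing the MAC algorithm.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new TOTPAuthenticatorException("Could not find algorithm to generate code", e);
        }
    }

    /**
     * @param timeMillis a point in time in milliseconds
     * @return the index of the time step containing {@code timeMillis}
     */
    private long getTimeWindowFromTime(long timeMillis) {
        return timeMillis / this.config.getTimeStepSizeInMillis();
    }

    /**
     * Checks a code against the time steps surrounding {@code timeMillis}.
     *
     * <p>{@code windowSize} steps are examined, centred on the current one (a size of 3
     * covers -1..+1, a size of 4 covers -1..+2). Because of integer division, sizes below 1
     * still check the current step.
     *
     * @param secret     encoded shared secret
     * @param code       code presented by the user
     * @param timeMillis reference time
     * @param windowSize number of time steps to accept
     * @return {@code true} if any examined step yields {@code code}
     */
    private boolean checkCode(String secret, long code, long timeMillis, int windowSize) {
        byte[] decodedKey = decodeSecret(secret);
        long currentWindow = getTimeWindowFromTime(timeMillis);
        for (int delta = -((windowSize - 1) / 2); delta <= windowSize / 2; delta++) {
            if (calculateCode(decodedKey, currentWindow + delta) == code) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decodes an encoded secret according to {@code config.getKeyRepresentation()}.
     *
     * @param secret Base32 or Base64 text
     * @return the raw key bytes
     * @throws TOTPAuthenticatorException for an unrecognised key representation
     */
    private byte[] decodeSecret(String secret) {
        switch (this.config.getKeyRepresentation()) {
            case BASE32:
                return new Base32().decode(secret);
            case BASE64:
                return new Base64().decode(secret);
            default:
                throw new TOTPAuthenticatorException("Unknown key representation type.");
        }
    }

    /**
     * Generates a fresh shared secret.
     *
     * @return the encoded secret together with its validation code (the code for moving factor 0)
     */
    public TOTPAuthenticatorKey createCredentials() {
        byte[] buffer = new byte[RANDOM_BUFFER_BYTES];
        this.secureRandom.nextBytes(buffer);
        byte[] secret = Arrays.copyOf(buffer, SECRET_BITS / 8);
        return new TOTPAuthenticatorKey(calculateSecretKey(secret), calculateValidationCode(secret));
    }

    /**
     * @param secret raw key bytes
     * @return the code for moving factor 0, usable to confirm the secret was transcribed correctly
     */
    private int calculateValidationCode(byte[] secret) {
        return calculateCode(secret, 0L);
    }

    /**
     * Encodes raw key bytes according to {@code config.getKeyRepresentation()}.
     *
     * @param secret raw key bytes
     * @return Base32 or Base64 text
     * @throws TOTPAuthenticatorException for an unrecognised key representation
     */
    private String calculateSecretKey(byte[] secret) {
        switch (this.config.getKeyRepresentation()) {
            case BASE32:
                return new Base32().encodeToString(secret);
            case BASE64:
                return new Base64().encodeToString(secret);
            default:
                throw new TOTPAuthenticatorException("Unknown key representation type.");
        }
    }

    /**
     * Verifies a code against a secret using the current time.
     *
     * @param secret           encoded shared secret
     * @param verificationCode code presented by the user
     * @return {@code true} if the code is valid within the configured window
     * @throws IllegalArgumentException if {@code secret} is {@code null}
     */
    public boolean authorize(String secret, int verificationCode) {
        return authorize(secret, verificationCode, System.currentTimeMillis());
    }

    /**
     * Verifies a code against a secret at a given time.
     *
     * <p>Codes outside {@code (0, keyModulus)} are rejected before any HMAC is computed; note
     * that this also rejects a legitimate code of exactly 0.
     *
     * @param secret           encoded shared secret
     * @param verificationCode code presented by the user
     * @param timeMillis       reference time
     * @return {@code true} if the code is valid within the configured window
     * @throws IllegalArgumentException if {@code secret} is {@code null}
     */
    private boolean authorize(String secret, int verificationCode, long timeMillis) {
        if (secret == null) {
            throw new IllegalArgumentException("Secret key cannot be null.");
        }
        if (verificationCode <= 0 || verificationCode >= this.config.getKeyModulus()) {
            return false;
        }
        return checkCode(secret, verificationCode, timeMillis, this.config.getWindowSize());
    }

    /**
     * Verifies a code for a user and, when the user still has a pending (unverified) secret,
     * promotes it to the active secret and marks TOTP as enabled.
     *
     * <p>If the pending-secret claim is blank, the code is checked against the already active
     * secret and nothing is stored. If neither claim is set, or the realm cannot be resolved,
     * the method returns {@code false} without throwing.
     *
     * @param verificationCode code presented by the user
     * @param username         fully qualified username, used to resolve realm and tenant
     * @return {@code true} if the code verified
     * @throws TOTPAuthenticatorException if the realm, user store or decryption fails
     */
    public boolean authorizeAndStoreSecret(int verificationCode, String username) {
        try {
            UserRealm userRealm = TOTPUtil.getUserRealm(username);
            String tenantDomain = MultitenantUtils.getTenantDomain(username);
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
            if (userRealm == null) {
                return false;
            }
            Map<String, String> userClaimValues = userRealm.getUserStoreManager().getUserClaimValues(
                    tenantAwareUsername,
                    new String[]{TOTPAuthenticatorConstants.VERIFY_SECRET_KEY_CLAIM_URL,
                            TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL},
                    (String) null);
            String pendingSecret = userClaimValues.get(TOTPAuthenticatorConstants.VERIFY_SECRET_KEY_CLAIM_URL);
            if (StringUtils.isBlank(pendingSecret)) {
                String activeSecret = userClaimValues.get(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL);
                if (StringUtils.isBlank(activeSecret)) {
                    return false;
                }
                return authorize(TOTPUtil.decrypt(activeSecret), verificationCode, System.currentTimeMillis());
            }
            String decryptedPendingSecret = TOTPUtil.decrypt(pendingSecret);
            if (!authorize(decryptedPendingSecret, verificationCode, System.currentTimeMillis())) {
                return false;
            }
            // The pending secret becomes the active one only after a successful code proves
            // the user's authenticator was provisioned with it.
            storeSecretKey(decryptedPendingSecret, tenantAwareUsername, tenantDomain, userRealm);
            return true;
        } catch (AuthenticationFailedException e) {
            // Decompiled form appended a literal null here; report the username that was looked up.
            throw new TOTPAuthenticatorException(
                    "Verification code validation cannot get the user realm for the user: " + username, e);
        } catch (UserStoreException e) {
            throw new TOTPAuthenticatorException(
                    "Verification code validation failed while trying to access user store manager for the user: "
                            + username, e);
        } catch (CryptoException e) {
            throw new TOTPAuthenticatorException(
                    "Verification code validation failed while decrypt the stored SecretKey ", e);
        }
    }

    /**
     * Persists the secret as the user's active TOTP secret and sets the TOTP-enabled claim.
     *
     * @param secret              decrypted secret; passed through {@code TOTPUtil.getProcessedClaimValue}
     *                            before storage
     * @param tenantAwareUsername username without the tenant suffix
     * @param tenantDomain        tenant of the user
     * @param userRealm           realm whose user store receives the claims
     * @throws TOTPAuthenticatorException if the user store rejects the update
     */
    private void storeSecretKey(String secret, String tenantAwareUsername, String tenantDomain, UserRealm userRealm) {
        Map<String, String> claims = new HashMap<String, String>();
        try {
            claims.put(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL,
                    TOTPUtil.getProcessedClaimValue(TOTPAuthenticatorConstants.SECRET_KEY_CLAIM_URL, secret, tenantDomain));
            claims.put(TOTPAuthenticatorConstants.TOTP_ENABLED_CLAIM_URI, "true");
            userRealm.getUserStoreManager().setUserClaimValues(tenantAwareUsername, claims, (String) null);
        } catch (UserStoreException e) {
            throw new TOTPAuthenticatorException(
                    "TOTPKeyGenerator failed while trying to access user store manager for the user: "
                            + tenantAwareUsername, e);
        }
    }
}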
