package com.couchbase.client.core.io.netty.kv.sasl;

import com.couchbase.client.core.deps.com.fasterxml.jackson.module.afterburner.asm.Opcodes;
import com.couchbase.client.core.error.InvalidArgumentException;
import com.couchbase.client.core.io.netty.kv.sasl.ScramSaslClientFactory;
import com.couchbase.client.core.util.Bytes;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.camel.util.URISupport;

/* loaded from: input_file:com/couchbase/client/core/io/netty/kv/sasl/ScramSaslClient.class */
class ScramSaslClient implements SaslClient {
    private static final byte[] CLIENT_KEY = "Client Key".getBytes(StandardCharsets.UTF_8);
    private static final byte[] SERVER_KEY = "Server Key".getBytes(StandardCharsets.UTF_8);
    private final String name;
    private final String hmacAlgorithm;
    private final CallbackHandler callbacks;
    private final MessageDigest digest;
    private String clientNonce;
    private byte[] salt;
    private byte[] saltedPassword;
    private int iterationCount;
    private String clientFirstMessage;
    private String clientFirstMessageBare;
    private String clientFinalMessageNoProof;
    private String serverFirstMessage;
    private String serverFinalMessage;
    private String nonce;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/couchbase/client/core/io/netty/kv/sasl/ScramSaslClient$EmptySecretKey.class */
    public static class EmptySecretKey implements SecretKey {
        private final String algorithm;

        public EmptySecretKey(String str) {
            this.algorithm = str;
        }

        @Override // java.security.Key
        public String getAlgorithm() {
            return this.algorithm;
        }

        @Override // java.security.Key
        public String getFormat() {
            return URISupport.RAW_TOKEN_PREFIX;
        }

        @Override // java.security.Key
        public byte[] getEncoded() {
            return Bytes.EMPTY_BYTE_ARRAY;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ScramSaslClient(ScramSaslClientFactory.Mode mode, CallbackHandler callbackHandler) throws NoSuchAlgorithmException {
        this.callbacks = callbackHandler;
        switch (mode) {
            case SCRAM_SHA512:
                this.digest = MessageDigest.getInstance("SHA-512");
                this.name = ScramSaslClientFactory.Mode.SCRAM_SHA512.mech();
                this.hmacAlgorithm = "HmacSHA512";
                break;
            case SCRAM_SHA256:
                this.digest = MessageDigest.getInstance("SHA-256");
                this.name = ScramSaslClientFactory.Mode.SCRAM_SHA256.mech();
                this.hmacAlgorithm = "HmacSHA256";
                break;
            case SCRAM_SHA1:
                this.digest = MessageDigest.getInstance("SHA-1");
                this.name = ScramSaslClientFactory.Mode.SCRAM_SHA1.mech();
                this.hmacAlgorithm = "HmacSHA1";
                break;
            default:
                throw new RuntimeException("Unsupported SHA version specified");
        }
        byte[] bArr = new byte[21];
        new SecureRandom().nextBytes(bArr);
        this.clientNonce = Base64.getEncoder().encodeToString(bArr);
    }

    public String getMechanismName() {
        return this.name;
    }

    public boolean hasInitialResponse() {
        return true;
    }

    public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
        if (this.clientFirstMessage == null) {
            if (bArr.length != 0) {
                throw new SaslException("Initial challenge should be without input data");
            }
            this.clientFirstMessage = "n,,n=" + getUserName() + ",r=" + this.clientNonce;
            this.clientFirstMessageBare = this.clientFirstMessage.substring(3);
            return this.clientFirstMessage.getBytes(StandardCharsets.UTF_8);
        }
        if (this.serverFirstMessage != null) {
            if (this.serverFinalMessage != null) {
                throw new SaslException("Can't evaluate challenge on a session which is complete");
            }
            this.serverFinalMessage = new String(bArr, StandardCharsets.UTF_8);
            HashMap hashMap = new HashMap();
            try {
                decodeAttributes(hashMap, this.serverFinalMessage);
                if (hashMap.containsKey("e")) {
                    throw new SaslException("Authentication failure: " + ((String) hashMap.get("e")));
                }
                if (!hashMap.containsKey("v")) {
                    throw new SaslException("Syntax error from the server");
                }
                if (Base64.getEncoder().encodeToString(getServerSignature()).equals(hashMap.get("v"))) {
                    return Bytes.EMPTY_BYTE_ARRAY;
                }
                throw new SaslException("Server signature is incorrect");
            } catch (Exception e) {
                throw new SaslException("Could not decode attributes from server message \"" + this.serverFinalMessage + "\"", e);
            }
        }
        this.serverFirstMessage = new String(bArr, StandardCharsets.UTF_8);
        HashMap hashMap2 = new HashMap();
        try {
            decodeAttributes(hashMap2, this.serverFirstMessage);
            for (Map.Entry entry : hashMap2.entrySet()) {
                switch (((String) entry.getKey()).charAt(0)) {
                    case Opcodes.LMUL /* 105 */:
                        this.iterationCount = Integer.parseInt((String) entry.getValue());
                        break;
                    case Opcodes.FREM /* 114 */:
                        this.nonce = (String) entry.getValue();
                        break;
                    case Opcodes.DREM /* 115 */:
                        this.salt = Base64.getDecoder().decode((String) entry.getValue());
                        break;
                    default:
                        throw InvalidArgumentException.fromMessage("Invalid key supplied in the serverFirstMessage");
                }
            }
            if (!hashMap2.containsKey("r") || !hashMap2.containsKey("s") || !hashMap2.containsKey("i")) {
                throw InvalidArgumentException.fromMessage("missing mandatory key in serverFirstMessage");
            }
            generateSaltedPassword();
            this.clientFinalMessageNoProof = "c=biws,r=" + this.nonce;
            return (this.clientFinalMessageNoProof + ",p=" + Base64.getEncoder().encodeToString(getClientProof())).getBytes(StandardCharsets.UTF_8);
        } catch (Exception e2) {
            throw new SaslException("Could not decode attributes from server message \"" + this.serverFirstMessage + "\"", e2);
        }
    }

    public boolean isComplete() {
        return this.serverFinalMessage != null;
    }

    public byte[] unwrap(byte[] bArr, int i, int i2) {
        return Bytes.EMPTY_BYTE_ARRAY;
    }

    public byte[] wrap(byte[] bArr, int i, int i2) {
        return Bytes.EMPTY_BYTE_ARRAY;
    }

    public Object getNegotiatedProperty(String str) {
        return null;
    }

    public void dispose() {
    }

    private String getUserName() throws SaslException {
        Callback nameCallback = new NameCallback("Username");
        try {
            this.callbacks.handle(new Callback[]{nameCallback});
            String name = nameCallback.getName();
            if (name == null || name.isEmpty()) {
                throw new SaslException("Missing username");
            }
            return name;
        } catch (IOException | UnsupportedCallbackException e) {
            throw new SaslException("Missing callback fetch username", e);
        }
    }

    private byte[] hmac(byte[] bArr, byte[] bArr2) {
        try {
            Mac mac = Mac.getInstance(this.hmacAlgorithm);
            mac.init(new SecretKeySpec(bArr, mac.getAlgorithm()));
            return mac.doFinal(bArr2);
        } catch (InvalidKeyException e) {
            if (bArr.length == 0) {
                throw new UnsupportedOperationException("This JVM does not support empty HMAC keys (empty passwords). Please set a bucket password or upgrade your JVM.");
            }
            throw new RuntimeException("Failed to generate HMAC hash for password", e);
        } catch (Throwable th) {
            throw new RuntimeException(th);
        }
    }

    private byte[] pbkdf2(String str, byte[] bArr, int i) {
        try {
            Mac mac = Mac.getInstance(this.hmacAlgorithm);
            mac.init((str == null || str.isEmpty()) ? new EmptySecretKey(this.hmacAlgorithm) : new SecretKeySpec(str.getBytes(StandardCharsets.UTF_8), this.hmacAlgorithm));
            mac.update(bArr);
            mac.update("������\u0001".getBytes(StandardCharsets.UTF_8));
            byte[] doFinal = mac.doFinal();
            mac.update(doFinal);
            byte[] doFinal2 = mac.doFinal();
            xor(doFinal, doFinal2);
            for (int i2 = 2; i2 < i; i2++) {
                mac.update(doFinal2);
                doFinal2 = mac.doFinal();
                xor(doFinal, doFinal2);
            }
            return doFinal;
        } catch (InvalidKeyException e) {
            if (str == null || str.isEmpty()) {
                throw new UnsupportedOperationException("This JVM does not support empty HMAC keys (empty passwords). Please set a bucket password or upgrade your JVM.");
            }
            throw new RuntimeException("Failed to generate HMAC hash for password", e);
        } catch (Throwable th) {
            throw new RuntimeException(th);
        }
    }

    private static void xor(byte[] bArr, byte[] bArr2) {
        for (int i = 0; i < bArr.length; i++) {
            bArr[i] = (byte) (bArr[i] ^ bArr2[i]);
        }
    }

    private void generateSaltedPassword() throws SaslException {
        PasswordCallback passwordCallback = new PasswordCallback("Password", false);
        try {
            this.callbacks.handle(new Callback[]{passwordCallback});
            char[] password = passwordCallback.getPassword();
            if (password == null) {
                throw new SaslException("Password can't be null");
            }
            this.saltedPassword = pbkdf2(new String(password), this.salt, this.iterationCount);
            passwordCallback.clearPassword();
        } catch (IOException | UnsupportedCallbackException e) {
            throw new SaslException("Missing callback fetch password", e);
        }
    }

    private byte[] getServerSignature() {
        return hmac(hmac(this.saltedPassword, SERVER_KEY), getAuthMessage().getBytes(StandardCharsets.UTF_8));
    }

    private byte[] getClientProof() {
        byte[] hmac = hmac(this.saltedPassword, CLIENT_KEY);
        xor(hmac, hmac(this.digest.digest(hmac), getAuthMessage().getBytes(StandardCharsets.UTF_8)));
        return hmac;
    }

    private static void decodeAttributes(HashMap<String, String> hashMap, String str) {
        for (String str2 : str.split(",")) {
            if (str2.indexOf(61) != 1) {
                throw InvalidArgumentException.fromMessage("the input string is not according to the spec");
            }
            String substring = str2.substring(0, 1);
            if (hashMap.containsKey(substring)) {
                throw InvalidArgumentException.fromMessage("The key " + substring + " is specified multiple times");
            }
            hashMap.put(substring, str2.substring(2));
        }
    }

    private String getAuthMessage() {
        if (this.clientFirstMessageBare == null) {
            throw new RuntimeException("can't call getAuthMessage without clientFirstMessageBare is set");
        }
        if (this.serverFirstMessage == null) {
            throw new RuntimeException("can't call getAuthMessage without serverFirstMessage is set");
        }
        if (this.clientFinalMessageNoProof == null) {
            throw new RuntimeException("can't call getAuthMessage without clientFinalMessageNoProof is set");
        }
        return this.clientFirstMessageBare + "," + this.serverFirstMessage + "," + this.clientFinalMessageNoProof;
    }
}
