package org.apache.activemq.artemis.protocol.amqp.sasl.scram;

import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import liquibase.sqlgenerator.core.MarkChangeSetRanGenerator;
import org.apache.activemq.artemis.protocol.amqp.sasl.scram.ScramClientFunctionality;
import org.apache.activemq.artemis.spi.core.security.scram.ScramException;
import org.apache.activemq.artemis.spi.core.security.scram.ScramUtils;
import org.apache.activemq.artemis.spi.core.security.scram.StringPrep;

/* loaded from: input_file:org/apache/activemq/artemis/protocol/amqp/sasl/scram/ScramClientFunctionalityImpl.class */
public class ScramClientFunctionalityImpl implements ScramClientFunctionality {
    private static final String GS2_HEADER = "n,,";
    private final String mDigestName;
    private final String mHmacName;
    private final String mClientNonce;
    private String mClientFirstMessageBare;
    private final boolean mIsSuccessful = false;
    private byte[] mSaltedPassword;
    private String mAuthMessage;
    private ScramClientFunctionality.State mState;
    private static final Pattern SERVER_FIRST_MESSAGE = Pattern.compile("r=([^,]*),s=([^,]*),i=(.*)$");
    private static final Pattern SERVER_FINAL_MESSAGE = Pattern.compile("v=([^,]*)$");
    private static final Charset ASCII = Charset.forName("ASCII");

    public ScramClientFunctionalityImpl(String str, String str2) {
        this(str, str2, UUID.randomUUID().toString());
    }

    public ScramClientFunctionalityImpl(String str, String str2, String str3) {
        this.mIsSuccessful = false;
        this.mState = ScramClientFunctionality.State.INITIAL;
        if (ScramUtils.isNullOrEmpty(str)) {
            throw new NullPointerException("digestName cannot be null or empty");
        }
        if (ScramUtils.isNullOrEmpty(str2)) {
            throw new NullPointerException("hmacName cannot be null or empty");
        }
        if (ScramUtils.isNullOrEmpty(str3)) {
            throw new NullPointerException("clientNonce cannot be null or empty");
        }
        this.mDigestName = str;
        this.mHmacName = str2;
        this.mClientNonce = str3;
    }

    @Override // org.apache.activemq.artemis.protocol.amqp.sasl.scram.ScramClientFunctionality
    public String prepareFirstMessage(String str) throws ScramException {
        if (this.mState != ScramClientFunctionality.State.INITIAL) {
            throw new IllegalStateException("You can call this method only once");
        }
        try {
            this.mClientFirstMessageBare = "n=" + StringPrep.prepAsQueryString(str) + ",r=" + this.mClientNonce;
            this.mState = ScramClientFunctionality.State.FIRST_PREPARED;
            return GS2_HEADER + this.mClientFirstMessageBare;
        } catch (StringPrep.StringPrepError e) {
            this.mState = ScramClientFunctionality.State.ENDED;
            throw new ScramException("Username contains prohibited character");
        }
    }

    @Override // org.apache.activemq.artemis.protocol.amqp.sasl.scram.ScramClientFunctionality
    public String prepareFinalMessage(String str, String str2) throws ScramException {
        if (this.mState != ScramClientFunctionality.State.FIRST_PREPARED) {
            throw new IllegalStateException("You can call this method once only after calling prepareFirstMessage()");
        }
        Matcher matcher = SERVER_FIRST_MESSAGE.matcher(str2);
        if (!matcher.matches()) {
            this.mState = ScramClientFunctionality.State.ENDED;
            return null;
        }
        String group = matcher.group(1);
        if (!group.startsWith(this.mClientNonce)) {
            this.mState = ScramClientFunctionality.State.ENDED;
            return null;
        }
        String group2 = matcher.group(2);
        int parseInt = Integer.parseInt(matcher.group(3));
        if (parseInt <= 0) {
            this.mState = ScramClientFunctionality.State.ENDED;
            return null;
        }
        try {
            this.mSaltedPassword = ScramUtils.generateSaltedPassword(str, Base64.getDecoder().decode(group2), parseInt, Mac.getInstance(this.mHmacName));
            String str3 = "c=" + Base64.getEncoder().encodeToString(GS2_HEADER.getBytes(ASCII)) + ",r=" + group;
            this.mAuthMessage = this.mClientFirstMessageBare + MarkChangeSetRanGenerator.COMMA + str2 + MarkChangeSetRanGenerator.COMMA + str3;
            byte[] computeHmac = ScramUtils.computeHmac(this.mSaltedPassword, this.mHmacName, "Client Key");
            byte[] computeHmac2 = ScramUtils.computeHmac(MessageDigest.getInstance(this.mDigestName).digest(computeHmac), this.mHmacName, this.mAuthMessage);
            byte[] bArr = (byte[]) computeHmac.clone();
            for (int i = 0; i < bArr.length; i++) {
                int i2 = i;
                bArr[i2] = (byte) (bArr[i2] ^ computeHmac2[i]);
            }
            this.mState = ScramClientFunctionality.State.FINAL_PREPARED;
            return str3 + ",p=" + Base64.getEncoder().encodeToString(bArr);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            this.mState = ScramClientFunctionality.State.ENDED;
            throw new ScramException(e);
        }
    }

    @Override // org.apache.activemq.artemis.protocol.amqp.sasl.scram.ScramClientFunctionality
    public void checkServerFinalMessage(String str) throws ScramException {
        if (this.mState != ScramClientFunctionality.State.FINAL_PREPARED) {
            throw new IllegalStateException("You can call this method only once after calling prepareFinalMessage()");
        }
        Matcher matcher = SERVER_FINAL_MESSAGE.matcher(str);
        if (!matcher.matches()) {
            this.mState = ScramClientFunctionality.State.ENDED;
            throw new ScramException("invalid message format");
        }
        byte[] decode = Base64.getDecoder().decode(matcher.group(1));
        this.mState = ScramClientFunctionality.State.ENDED;
        if (!Arrays.equals(decode, getExpectedServerSignature())) {
            throw new ScramException("Server signature missmatch");
        }
    }

    @Override // org.apache.activemq.artemis.protocol.amqp.sasl.scram.ScramClientFunctionality
    public boolean isSuccessful() {
        if (this.mState == ScramClientFunctionality.State.ENDED) {
            return false;
        }
        throw new IllegalStateException("You cannot call this method before authentication is ended. Use isEnded() to check that");
    }

    @Override // org.apache.activemq.artemis.protocol.amqp.sasl.scram.ScramClientFunctionality
    public boolean isEnded() {
        return this.mState == ScramClientFunctionality.State.ENDED;
    }

    @Override // org.apache.activemq.artemis.protocol.amqp.sasl.scram.ScramClientFunctionality
    public ScramClientFunctionality.State getState() {
        return this.mState;
    }

    private byte[] getExpectedServerSignature() throws ScramException {
        try {
            return ScramUtils.computeHmac(ScramUtils.computeHmac(this.mSaltedPassword, this.mHmacName, "Server Key"), this.mHmacName, this.mAuthMessage);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            this.mState = ScramClientFunctionality.State.ENDED;
            throw new ScramException(e);
        }
    }
}
