package org.apache.kafka.common.security.scram;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslClientFactory;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.IllegalSaslStateException;
import org.apache.kafka.common.security.scram.ScramMessages;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/kafka-clients-1.1.0.jar:org/apache/kafka/common/security/scram/ScramSaslClient.class */
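/**
 * Client side of a SASL/SCRAM authentication exchange.
 *
 * <p>The exchange is driven through {@link #evaluateChallenge(byte[])} as a small state machine:
 * <ol>
 *   <li>{@code SEND_CLIENT_FIRST_MESSAGE}: generate a nonce, obtain the user name and extensions
 *       from the callback handler, and emit the client-first message;</li>
 *   <li>{@code RECEIVE_SERVER_FIRST_MESSAGE}: validate the server nonce and iteration count,
 *       obtain the password, derive the salted password and emit the client-final message
 *       carrying the client proof;</li>
 *   <li>{@code RECEIVE_SERVER_FINAL_MESSAGE}: verify the server signature, which is what
 *       authenticates the server to the client.</li>
 * </ol>
 * Any {@link SaslException} raised along the way moves the client to {@code FAILED}.
 *
 * <p>No security layer is negotiated: {@link #wrap} and {@link #unwrap} copy bytes unchanged,
 * so confidentiality and integrity of the connection must come from the transport.
 *
 * <p>Instances hold mutable per-exchange state and contain no synchronization.
 */
public class ScramSaslClient implements SaslClient {
    private static final Logger log = LoggerFactory.getLogger(ScramSaslClient.class);
    private final ScramMechanism mechanism;
    private final CallbackHandler callbackHandler;
    private final ScramFormatter formatter;
    private String clientNonce;
    private State state;
    // Key material derived from the password; kept until the server signature has been checked.
    private byte[] saltedPassword;
    private ScramMessages.ClientFirstMessage clientFirstMessage;
    private ScramMessages.ServerFirstMessage serverFirstMessage;
    private ScramMessages.ClientFinalMessage clientFinalMessage;

    /* loaded from: input_file:BOOT-INF/lib/kafka-clients-1.1.0.jar:org/apache/kafka/common/security/scram/ScramSaslClient$ScramSaslClientFactory.class */
    /** Factory that creates a {@link ScramSaslClient} for the first supported mechanism requested. */
    public static class ScramSaslClientFactory implements SaslClientFactory {
        /**
         * Creates a client for the first entry of {@code strArr} that names a known SCRAM mechanism.
         *
         * @param strArr          candidate mechanism names, tried in order
         * @param str             authorization id (not used by this factory)
         * @param str2            protocol (not used by this factory)
         * @param str3            server name (not used by this factory)
         * @param map             SASL properties (not used by this factory)
         * @param callbackHandler supplies the user name, extensions and password during the exchange
         * @return a new client in its initial state
         * @throws SaslException if none of the mechanisms is supported, or the mechanism's hash
         *                       algorithm is unavailable
         */
        @Override
        public SaslClient createSaslClient(String[] strArr, String str, String str2, String str3, Map<String, ?> map, CallbackHandler callbackHandler) throws SaslException {
            ScramMechanism selected = null;
            for (String candidate : strArr) {
                selected = ScramMechanism.forMechanismName(candidate);
                if (selected != null) {
                    break;
                }
            }
            if (selected == null) {
                throw new SaslException(String.format("Requested mechanisms '%s' not supported. Supported mechanisms are '%s'.", Arrays.asList(strArr), ScramMechanism.mechanismNames()));
            }
            try {
                return new ScramSaslClient(selected, callbackHandler);
            } catch (NoSuchAlgorithmException e) {
                throw new SaslException("Hash algorithm not supported for mechanism " + selected, e);
            }
        }

        /**
         * Returns the names of all SCRAM mechanisms known to {@link ScramMechanism}.
         *
         * @param map SASL policy properties (ignored)
         */
        @Override
        public String[] getMechanismNames(Map<String, ?> map) {
            Collection<String> mechanismNames = ScramMechanism.mechanismNames();
            return mechanismNames.toArray(new String[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:BOOT-INF/lib/kafka-clients-1.1.0.jar:org/apache/kafka/common/security/scram/ScramSaslClient$State.class */
    /** Steps of the client-side exchange; {@code COMPLETE} and {@code FAILED} are terminal. */
    public enum State {
        SEND_CLIENT_FIRST_MESSAGE,
        RECEIVE_SERVER_FIRST_MESSAGE,
        RECEIVE_SERVER_FINAL_MESSAGE,
        COMPLETE,
        FAILED
    }

    /**
     * Creates a client in the {@code SEND_CLIENT_FIRST_MESSAGE} state.
     *
     * @param scramMechanism  the SCRAM mechanism to authenticate with
     * @param callbackHandler supplies the user name, extensions and password
     * @throws NoSuchAlgorithmException if the formatter cannot be created for the mechanism
     */
    public ScramSaslClient(ScramMechanism scramMechanism, CallbackHandler callbackHandler) throws NoSuchAlgorithmException {
        this.mechanism = scramMechanism;
        this.callbackHandler = callbackHandler;
        this.formatter = new ScramFormatter(scramMechanism);
        setState(State.SEND_CLIENT_FIRST_MESSAGE);
    }

    @Override
    public String getMechanismName() {
        return this.mechanism.mechanismName();
    }

    /** SCRAM is client-first, so the client always has an initial response. */
    @Override
    public boolean hasInitialResponse() {
        return true;
    }

    /**
     * Advances the exchange by one step.
     *
     * @param bArr the server's message for the current step; must be null or empty for the
     *             initial step
     * @return the next client message, or {@code null} once the server signature has been verified
     * @throws SaslException if the challenge is invalid for the current step, a callback fails,
     *                       the server requests fewer iterations than the mechanism's minimum, the
     *                       server reports an error, or the server signature does not verify; the
     *                       client is moved to {@code FAILED} before the exception propagates
     * @throws IllegalSaslStateException if called in {@code COMPLETE} or {@code FAILED}
     */
    @Override
    public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
        try {
            switch (this.state) {
                case SEND_CLIENT_FIRST_MESSAGE: {
                    if (bArr != null && bArr.length != 0) {
                        throw new SaslException("Expected empty challenge");
                    }
                    this.clientNonce = this.formatter.secureRandomString();
                    NameCallback nameCallback = new NameCallback("Name:");
                    ScramExtensionsCallback extensionsCallback = new ScramExtensionsCallback();
                    try {
                        this.callbackHandler.handle(new Callback[]{nameCallback, extensionsCallback});
                        this.clientFirstMessage = new ScramMessages.ClientFirstMessage(this.formatter.saslName(nameCallback.getName()), this.clientNonce, extensionsCallback.extensions());
                        setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
                        return this.clientFirstMessage.toBytes();
                    } catch (IOException | UnsupportedCallbackException e) {
                        throw new SaslException("User name could not be obtained", e);
                    }
                }
                case RECEIVE_SERVER_FIRST_MESSAGE: {
                    this.serverFirstMessage = new ScramMessages.ServerFirstMessage(bArr);
                    // The combined nonce must extend the one we sent; otherwise the reply is not
                    // bound to this exchange.
                    if (!this.serverFirstMessage.nonce().startsWith(this.clientNonce)) {
                        throw new SaslException("Invalid server nonce: does not start with client nonce");
                    }
                    // Refuse a downgrade to a cheap key derivation: the iteration count is chosen
                    // by the server and is checked before the password is even requested.
                    if (this.serverFirstMessage.iterations() < this.mechanism.minIterations()) {
                        throw new SaslException("Requested iterations " + this.serverFirstMessage.iterations() + " is less than the minimum " + this.mechanism.minIterations() + " for " + this.mechanism);
                    }
                    PasswordCallback passwordCallback = new PasswordCallback("Password:", false);
                    try {
                        this.callbackHandler.handle(new Callback[]{passwordCallback});
                        // getPassword() returns a copy, or null when the handler set no password.
                        char[] password = passwordCallback.getPassword();
                        if (password == null) {
                            throw new SaslException("Password could not be obtained");
                        }
                        try {
                            this.clientFinalMessage = handleServerFirstMessage(password);
                        } finally {
                            // Wipe both the local copy and the callback's internal copy.
                            Arrays.fill(password, '\0');
                            passwordCallback.clearPassword();
                        }
                        setState(State.RECEIVE_SERVER_FINAL_MESSAGE);
                        return this.clientFinalMessage.toBytes();
                    } catch (IOException | UnsupportedCallbackException e) {
                        throw new SaslException("Password could not be obtained", e);
                    }
                }
                case RECEIVE_SERVER_FINAL_MESSAGE: {
                    ScramMessages.ServerFinalMessage serverFinalMessage = new ScramMessages.ServerFinalMessage(bArr);
                    if (serverFinalMessage.error() != null) {
                        throw new SaslException("Sasl authentication using " + this.mechanism + " failed with error: " + serverFinalMessage.error());
                    }
                    handleServerFinalMessage(serverFinalMessage.serverSignature());
                    setState(State.COMPLETE);
                    return null;
                }
                default:
                    // Not a SaslException, so it bypasses the handler below and leaves the state as is.
                    throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + this.state);
            }
        } catch (SaslException e) {
            setState(State.FAILED);
            throw e;
        }
    }

    @Override
    public boolean isComplete() {
        return this.state == State.COMPLETE;
    }

    /**
     * Returns a copy of {@code i2} bytes of {@code bArr} starting at offset {@code i}; no
     * security layer is applied.
     *
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public byte[] unwrap(byte[] bArr, int i, int i2) throws SaslException {
        if (isComplete()) {
            return Arrays.copyOfRange(bArr, i, i + i2);
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    /**
     * Returns a copy of {@code i2} bytes of {@code bArr} starting at offset {@code i}; no
     * security layer is applied.
     *
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public byte[] wrap(byte[] bArr, int i, int i2) throws SaslException {
        if (isComplete()) {
            return Arrays.copyOfRange(bArr, i, i + i2);
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    /**
     * Always {@code null}: this client negotiates no properties.
     *
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public Object getNegotiatedProperty(String str) {
        if (isComplete()) {
            return null;
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    /**
     * No-op.
     *
     * <p>NOTE(review): {@code saltedPassword} stays referenced for the lifetime of this object;
     * zeroing it here would match the {@link SaslClient#dispose()} contract, provided the array
     * returned by the formatter is not shared. Confirm before changing.
     */
    @Override
    public void dispose() throws SaslException {
    }

    private void setState(State state) {
        log.debug("Setting SASL/{} client state to {}", this.mechanism, state);
        this.state = state;
    }

    /**
     * Derives the salted password from {@code cArr} and the server-first parameters, and builds
     * the client-final message with its proof.
     *
     * @param cArr the password characters; the caller remains responsible for wiping the array
     * @throws SaslException if the proof cannot be computed
     */
    private ScramMessages.ClientFinalMessage handleServerFirstMessage(char[] cArr) throws SaslException {
        try {
            // The formatter takes a String, so an immutable copy of the password necessarily
            // exists on the heap until it is garbage-collected.
            this.saltedPassword = this.formatter.hi(this.formatter.normalize(new String(cArr)), this.serverFirstMessage.salt(), this.serverFirstMessage.iterations());
            // "n,," is the GS2 header stating that the client does not use channel binding.
            ScramMessages.ClientFinalMessage finalMessage = new ScramMessages.ClientFinalMessage("n,,".getBytes(StandardCharsets.UTF_8), this.serverFirstMessage.nonce());
            finalMessage.proof(this.formatter.clientProof(this.saltedPassword, this.clientFirstMessage, this.serverFirstMessage, finalMessage));
            return finalMessage;
        } catch (InvalidKeyException e) {
            throw new SaslException("Client final message could not be created", e);
        }
    }

    /**
     * Verifies the signature sent in the server-final message against the one computed locally
     * from the salted password and the exchanged messages.
     *
     * @param bArr the server signature as received
     * @throws SaslException if the signature is missing, does not match, or cannot be computed
     */
    private void handleServerFinalMessage(byte[] bArr) throws SaslException {
        try {
            byte[] expectedSignature = this.formatter.serverSignature(this.formatter.serverKey(this.saltedPassword), this.clientFirstMessage, this.serverFirstMessage, this.clientFinalMessage);
            // Constant-time comparison: the expected value is derived from the password, so the
            // check should not reveal how many leading bytes of a supplied signature match.
            if (bArr == null || !MessageDigest.isEqual(bArr, expectedSignature)) {
                throw new SaslException("Invalid server signature in server final message");
            }
        } catch (InvalidKeyException e) {
            throw new SaslException("Sasl server signature verification failed", e);
        }
    }
}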
