package com.sun.identity.liberty.ws.authnsvc.mechanism;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.common.PeriodicCleanUpMap;
import com.sun.identity.common.SystemTimerPool;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdType;
import com.sun.identity.liberty.ws.authnsvc.AuthnSvcService;
import com.sun.identity.liberty.ws.authnsvc.AuthnSvcUtils;
import com.sun.identity.liberty.ws.authnsvc.protocol.SASLRequest;
import com.sun.identity.liberty.ws.authnsvc.protocol.SASLResponse;
import com.sun.identity.liberty.ws.soapbinding.Message;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.SMSEntry;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import org.forgerock.openam.utils.Time;

/* loaded from: input_file:com/sun/identity/liberty/ws/authnsvc/mechanism/CramMD5MechanismHandler.class */
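/**
 * Server side of the SASL CRAM-MD5 mechanism for the Liberty ID-WSF Authentication Service.
 *
 * <p>Flow, as implemented here:
 * <ol>
 *   <li>A request with no {@code refToMessageID} and no data opens the exchange: a fresh
 *       challenge is generated, remembered under the message ID of the response that carries
 *       it, and returned with status {@code continue}.</li>
 *   <li>The follow-up request carries {@code "<user> <hex-digest>"}. The stored challenge is
 *       looked up (and removed) by the request's correlation header, the expected value
 *       HMAC-MD5(password, challenge) is recomputed and compared in constant time, and on a
 *       match the user is logged in through the configured authentication module and the
 *       resource offering / credentials are attached to the {@code OK} response.</li>
 * </ol>
 *
 * <p>Security notes. CRAM-MD5 requires the user's password in clear on the server (the
 * {@code userPassword} attribute, optionally prefixed with {@code {CLEAR}}), so it only works
 * for reversibly stored passwords; MD5 is a legacy digest and this mechanism should be treated
 * as legacy. Challenges are single-use (consumed on lookup, whether or not the digest verifies)
 * and expire through {@link PeriodicCleanUpMap}, which bounds the memory an unauthenticated
 * client can tie up with unanswered first requests.
 */
public class CramMD5MechanismHandler implements MechanismHandler {
    private static final String ATTR_USER_PASSWORD = "userPassword";
    /** Stored-password prefix marking a clear-text value; stripped before use as the HMAC key. */
    private static final String CLEAR_PASSWORD_PREFIX = "{CLEAR}";
    /** Component name; kept for parity with the other mechanism handlers (unused in this class). */
    private static final String COMP_AUTHN_SVC = "authnsvc";
    /** SASL status values and the mechanism name exactly as they are sent on the wire. */
    private static final String STATUS_OK = "OK";
    private static final String STATUS_CONTINUE = "continue";
    private static final String STATUS_ABORT = "abort";
    private static final String MECHANISM_NAME = "CRAM-MD5";
    /** RFC 2104 HMAC parameters for an MD5 inner hash: 64-byte block, 0x36/0x5c pads. */
    private static final int BLOCK_LENGTH = 64;
    private static final byte IPAD_BYTE = 0x36;
    private static final byte OPAD_BYTE = 0x5c;
    static final String CHALLENGE_CLEANUP_INTERVAL_PROP = "com.sun.identity.liberty.ws.authnsvc.challengeCleanupInterval";
    /** Purge period for expired challenges, in milliseconds; overridable via the property above. */
    static int challenge_cleanup_interval = 60000;
    static final String STALE_TIME_LIMIT_PROP = "com.sun.identity.liberty.ws.soap.staleTimeLimit";
    /** Age after which an unanswered challenge is discarded, in milliseconds. */
    static int stale_time_limit = 300000;
    /** Outstanding challenges keyed by the message ID of the response that delivered them. */
    private static final Map challengeMap;
    private static final Debug debug = Debug.getInstance("libIDWSF");
    private static final String PROP_SERVER_HOST = "com.iplanet.am.server.host";
    private static final String serverHost = SystemPropertiesManager.get(PROP_SERVER_HOST, "localhost");
    /** Largest random component of a challenge (inclusive) and the width it is zero-padded to. */
    private static final int MAX_RANDOM_NUM = 9999;
    private static final int NUM_RANDOM_DIGITS = Integer.toString(MAX_RANDOM_NUM).length();
    private static final char[] HEX_CHARS = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
    private static final SecureRandom secureRandom = new SecureRandom();

    static {
        String cleanupStr = SystemPropertiesManager.get(CHALLENGE_CLEANUP_INTERVAL_PROP);
        if (cleanupStr != null) {
            try {
                challenge_cleanup_interval = Integer.parseInt(cleanupStr);
            } catch (NumberFormatException e) {
                if (debug.warningEnabled()) {
                    debug.warning("CramMD5MechanismHandler.static: Unable to get challenge cleanup interval. Default value will be used", e);
                }
            }
        }
        String staleStr = SystemPropertiesManager.get(STALE_TIME_LIMIT_PROP);
        if (staleStr != null) {
            try {
                stale_time_limit = Integer.parseInt(staleStr);
            } catch (NumberFormatException e) {
                if (debug.warningEnabled()) {
                    debug.warning("CramMD5MechanismHandler.static: Unable to get stale time limit. Default value will be used", e);
                }
            }
        }
        // The map is built only after both properties have been read, so the configured
        // values govern its cleanup and expiry; creating it first would silently keep the
        // defaults and apply the configuration only to the first scheduled run below.
        challengeMap = new PeriodicCleanUpMap(challenge_cleanup_interval, stale_time_limit);
        // First purge is aligned to a whole-second boundary.
        SystemTimerPool.getTimerPool().schedule(challengeMap, new Date(((Time.currentTimeMillis() + challenge_cleanup_interval) / 1000) * 1000));
    }

    /**
     * Handles one SASL request of a CRAM-MD5 exchange.
     *
     * @param saslReq       the incoming request; its data, when present, is the client's
     *                      {@code "<user> <hex-digest>"} response
     * @param message       the SOAP message carrying the request (used for correlation and for
     *                      attaching the resource offering on success)
     * @param respMessageID message ID of the response about to be sent; a newly issued challenge
     *                      is stored under this key so the follow-up request can refer to it
     * @return a response with status {@code continue} (challenge issued), {@code OK}
     *         (authenticated) or {@code abort}
     */
    public SASLResponse processSASLRequest(SASLRequest saslReq, Message message, String respMessageID) {
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.processSASLRequest: ");
        }
        String refToMessageID = saslReq.getRefToMessageID();
        // A request that refers to no earlier message is the first leg of an exchange.
        boolean firstRequest = refToMessageID == null || refToMessageID.isEmpty();
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.processSASLRequest: refToMessageID = " + refToMessageID);
        }
        byte[] data = saslReq.getData();
        SASLResponse saslResp;
        if (data != null) {
            // Second leg: verify the client's digest.
            saslResp = authenticate(new String(data, StandardCharsets.UTF_8), message);
            if (firstRequest) {
                // NOTE(review): preserved from the original. Advertising "PLAIN" from the CRAM-MD5
                // handler looks like a copy-paste from PlainMechanismHandler; confirm before changing.
                saslResp.setServerMechanism("PLAIN");
            }
        } else if (firstRequest) {
            // First leg: issue a challenge and remember it until the client answers or it expires.
            saslResp = new SASLResponse(STATUS_CONTINUE);
            saslResp.setServerMechanism(MECHANISM_NAME);
            byte[] challenge = generateChallenge();
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.processSASLRequest: add respMessageID: " + respMessageID);
            }
            challengeMap.put(respMessageID, challenge);
            saslResp.setData(challenge);
        } else {
            // Refers to an earlier message but carries no data: nothing to verify.
            saslResp = abort();
        }
        return saslResp;
    }

    /** @return a fresh {@code abort} response. */
    private static SASLResponse abort() {
        return new SASLResponse(STATUS_ABORT);
    }

    /**
     * Verifies the client's {@code "<user> <hex-digest>"} response against the stored challenge
     * and, on success, authenticates the user through the configured module.
     *
     * @param clientResponse decoded SASL data from the client
     * @param message        the SOAP message; its correlation header names the challenge
     * @return an {@code OK} response with resource offering and credentials attached, otherwise
     *         {@code abort}
     */
    private SASLResponse authenticate(String clientResponse, Message message) {
        int sep = clientResponse.indexOf(' ');
        if (sep == -1) {
            return abort();
        }
        String userName = clientResponse.substring(0, sep);
        String clientDigest = clientResponse.substring(sep + 1);

        String userPassword = getUserPassword(userName);
        if (userPassword == null) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.authenticate: can't get password");
            }
            return abort();
        }
        String refToMessageID = message.getCorrelationHeader().getRefToMessageID();
        if (refToMessageID == null || refToMessageID.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.authenticate: no refToMessageID");
            }
            return abort();
        }
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.authenticate: remove refToMessageID: " + refToMessageID);
        }
        // Single use: the challenge is consumed here regardless of whether the digest verifies,
        // so a wrong answer cannot be retried against the same challenge.
        byte[] challenge = (byte[]) challengeMap.remove(refToMessageID);
        if (challenge == null) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.authenticate: no challenge found");
            }
            return abort();
        }

        String expectedDigest;
        try {
            expectedDigest = generateHMACMD5(userPassword.getBytes(StandardCharsets.UTF_8), challenge);
        } catch (NoSuchAlgorithmException e) {
            debug.error("CramMD5MechanismHandler.authenticate:", e);
            return abort();
        }
        // Constant-time comparison: String.equals stops at the first differing character and
        // would leak how long a correct prefix the attacker has guessed. The expected value has
        // a fixed length, so the length check inside isEqual reveals nothing secret.
        boolean digestsMatch = MessageDigest.isEqual(
                clientDigest.getBytes(StandardCharsets.UTF_8),
                expectedDigest.getBytes(StandardCharsets.UTF_8));
        if (!digestsMatch) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.authenticate: digests not equal");
            }
            return abort();
        }
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.authenticate: digests equal");
        }

        String authModule = AuthnSvcService.getCramMD5MechanismAuthenticationModule();
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.authenticate: authModule = " + authModule);
        }
        AuthContext authContext;
        try {
            authContext = new AuthContext(SMSEntry.getRootSuffix());
            authContext.login(AuthContext.IndexType.MODULE_INSTANCE, authModule);
            if (authContext.hasMoreRequirements()) {
                Callback[] requirements = authContext.getRequirements();
                if (requirements != null) {
                    fillInCallbacks(requirements, userName, userPassword);
                    authContext.submitRequirements(requirements);
                }
            }
        } catch (AuthLoginException e) {
            debug.error("CramMD5MechanismHandler.authenticate: ", e);
            return abort();
        }
        AuthContext.Status status = authContext.getStatus();
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.authenticate: login status = " + status);
        }
        if (status != AuthContext.Status.SUCCESS) {
            return abort();
        }

        try {
            SSOToken token = authContext.getSSOToken();
            String principalName = token.getPrincipal().getName();
            // The session only served to validate the credentials; discard it right away.
            try {
                SSOTokenManager.getInstance().destroyToken(token);
            } catch (SSOException e) {
                if (AuthnSvcUtils.debug.warningEnabled()) {
                    AuthnSvcUtils.debug.warning("CramMD5MechanismHandler.authenticate:", e);
                }
            }
            SASLResponse okResp = new SASLResponse(STATUS_OK);
            return AuthnSvcUtils.setResourceOfferingAndCredentials(okResp, message, principalName)
                    ? okResp
                    : abort();
        } catch (Exception e) {
            debug.error("CramMD5MechanismHandler.authenticate: ", e);
            return abort();
        }
    }

    /**
     * Answers the authentication module's callbacks with the already-verified credentials.
     *
     * @param callbacks    requirements returned by the {@link AuthContext}
     * @param userName     value for any {@link NameCallback}
     * @param userPassword value for any {@link PasswordCallback}
     */
    private static void fillInCallbacks(Callback[] callbacks, String userName, String userPassword) {
        if (debug.messageEnabled()) {
            debug.message("CramMD5MechanismHandler.fillInCallbacks:");
        }
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(userName);
            } else if (callback instanceof PasswordCallback) {
                ((PasswordCallback) callback).setPassword(userPassword.toCharArray());
            }
        }
    }

    /**
     * Builds a challenge of the form {@code <NNNN.millis@host>}: a zero-padded random number,
     * the current time and the server host, UTF-8 encoded.
     *
     * @return the challenge bytes to send to the client and to key the HMAC with
     */
    private static byte[] generateChallenge() {
        StringBuilder sb = new StringBuilder();
        sb.append('<');
        // nextInt's bound is exclusive; +1 makes MAX_RANDOM_NUM itself reachable.
        String num = Integer.toString(secureRandom.nextInt(MAX_RANDOM_NUM + 1));
        for (int width = num.length(); width < NUM_RANDOM_DIGITS; width++) {
            sb.append('0');
        }
        sb.append(num).append('.');
        sb.append(Time.currentTimeMillis()).append('@');
        sb.append(serverHost).append('>');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Looks up the user's clear-text password in the identity repository.
     *
     * <p>{@code userName} is taken verbatim from the client's SASL response and passed to the
     * identity search as given; a lookup that yields zero or several identities, or a user with
     * zero or several password values, is rejected rather than guessed at.
     *
     * @param userName the name from the client's response
     * @return the password with any {@code {CLEAR}} prefix removed, or {@code null} when it
     *         cannot be determined unambiguously or the lookup fails
     */
    private static String getUserPassword(String userName) {
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
            AMIdentityRepository repo = new AMIdentityRepository(adminToken, SMSEntry.getRootSuffix());
            IdSearchControl control = new IdSearchControl();
            control.setTimeOut(0);
            control.setMaxResults(0);
            control.setAllReturnAttributes(false);
            Set results = repo.searchIdentities(IdType.USER, userName, control).getSearchResults();
            if (results == null || results.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("CramMD5MechanismHandler.getUserPassword: no user found");
                }
                return null;
            }
            if (results.size() > 1) {
                if (debug.messageEnabled()) {
                    debug.message("CramMD5MechanismHandler.getUserPassword: more than 1 user found");
                }
                return null;
            }
            Set passwords = ((AMIdentity) results.iterator().next()).getAttribute(ATTR_USER_PASSWORD);
            if (passwords == null || passwords.isEmpty()) {
                if (debug.messageEnabled()) {
                    debug.message("CramMD5MechanismHandler.getUserPassword: user has no password");
                }
                return null;
            }
            if (passwords.size() > 1) {
                if (debug.messageEnabled()) {
                    debug.message("CramMD5MechanismHandler.getUserPassword: user has more than 1 passwords");
                }
                return null;
            }
            String password = (String) passwords.iterator().next();
            // Only a clear-text value can serve as the HMAC key; a hashed value would simply
            // fail to verify.
            if (password.startsWith(CLEAR_PASSWORD_PREFIX)) {
                password = password.substring(CLEAR_PASSWORD_PREFIX.length());
            }
            return password;
        } catch (Exception e) {
            AuthnSvcUtils.debug.error("CramMD5MechanismHandler.getUserPassword: ", e);
            return null;
        }
    }

    /**
     * Computes HMAC-MD5 per RFC 2104: {@code MD5((key ^ opad) || MD5((key ^ ipad) || text))}.
     * Keys longer than the block length are first reduced with MD5; shorter keys are zero-padded
     * (which the pad constants below turn into plain ipad/opad bytes).
     *
     * @param key  the HMAC key (the user's password bytes)
     * @param text the message (the challenge bytes)
     * @return the 16-byte MAC as 32 lowercase hex characters
     * @throws NoSuchAlgorithmException if MD5 is unavailable in the runtime
     */
    private static String generateHMACMD5(byte[] key, byte[] text) throws NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        if (key.length > BLOCK_LENGTH) {
            key = md5.digest(key);
        }
        byte[] innerPad = new byte[BLOCK_LENGTH];
        byte[] outerPad = new byte[BLOCK_LENGTH];
        Arrays.fill(innerPad, IPAD_BYTE);
        Arrays.fill(outerPad, OPAD_BYTE);
        for (int i = 0; i < key.length; i++) {
            innerPad[i] ^= key[i];
            outerPad[i] ^= key[i];
        }
        md5.update(innerPad);
        md5.update(text);
        byte[] innerDigest = md5.digest();
        md5.update(outerPad);
        md5.update(innerDigest);
        return toHexString(md5.digest());
    }

    /**
     * Renders bytes as lowercase hexadecimal, two characters per byte.
     *
     * @param bytes the bytes to encode
     * @return the hex string, empty for an empty input
     */
    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX_CHARS[(b & 0xf0) >>> 4]);
            sb.append(HEX_CHARS[b & 0x0f]);
        }
        return sb.toString();
    }
}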
