package net.solarnetwork.node.setup.web.support;

import java.nio.charset.Charset;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.HmacAlgorithms;
import org.apache.commons.codec.digest.HmacUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

/* loaded from: input_file:WEB-INF/classes/net/solarnetwork/node/setup/web/support/LoginKeyHelper.class */
public class LoginKeyHelper {
    private final AtomicReference<Secret> SECRET = new AtomicReference<>();
    private static final int AES_IV_LENGTH = 16;
    private static final int SALT_LENGTH = 12;
    private static final int SECRET_DATA_LENGTH = 32;
    private static final long SECRET_EXPIRATION_MS = TimeUnit.MINUTES.toMillis(5);
    private static final HmacAlgorithms HMAC_ALG = HmacAlgorithms.HMAC_SHA_256;
    private static final SecureRandom RNG = new SecureRandom();
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final Logger log = LoggerFactory.getLogger(LoginKeyHelper.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/classes/net/solarnetwork/node/setup/web/support/LoginKeyHelper$Secret.class */
    public static final class Secret {
        private final Secret previousSecret;
        private final byte[] iv;
        private final byte[] data;
        private final long expireDate;

        private Secret(Secret secret) {
            this.previousSecret = secret;
            this.data = new byte[LoginKeyHelper.SECRET_DATA_LENGTH];
            LoginKeyHelper.RNG.nextBytes(this.data);
            this.iv = new byte[LoginKeyHelper.AES_IV_LENGTH];
            LoginKeyHelper.RNG.nextBytes(this.iv);
            this.expireDate = System.currentTimeMillis() + LoginKeyHelper.SECRET_EXPIRATION_MS;
        }
    }

    private Secret secret() {
        return this.SECRET.updateAndGet(secret -> {
            return (secret == null || secret.expireDate < System.currentTimeMillis()) ? new Secret(secret) : secret;
        });
    }

    public LoginKey generateKey(String str, String str2) {
        log.debug("Generating login key for [{}] using salt [{}]", str, str2);
        byte[] decodeBase64 = str2 != null ? Base64.decodeBase64(str2) : null;
        if (decodeBase64 == null || decodeBase64.length != SALT_LENGTH) {
            throw new IllegalArgumentException("Salt must be exactly 12 bytes.");
        }
        byte[] bytes = str.getBytes(UTF8);
        byte[] bArr = new byte[decodeBase64.length + bytes.length];
        System.arraycopy(decodeBase64, 0, bArr, 0, decodeBase64.length);
        System.arraycopy(bytes, 0, bArr, decodeBase64.length, bytes.length);
        Secret secret = secret();
        LoginKey loginKey = new LoginKey(Base64.encodeBase64String(secret.iv), Base64.encodeBase64String(new HmacUtils(HMAC_ALG, secret.data).hmac(bArr)));
        if (log.isDebugEnabled()) {
            log.debug("Generated login key for [{}] using salt [{}]: secret = [{}], key = [{}]", new Object[]{str, str2, Base64.encodeBase64String(secret.data), loginKey.getKey()});
        }
        return loginKey;
    }

    private Cipher createCipher(boolean z, byte[] bArr, byte[] bArr2) throws InvalidKeyException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchPaddingException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(z ? 1 : 2, new SecretKeySpec(bArr2, "AES"), new IvParameterSpec(bArr));
        return cipher;
    }

    public UsernamePasswordAuthenticationToken decrypt(String str, String str2) {
        byte[] decodeBase64 = Base64.decodeBase64(str);
        if (decodeBase64.length <= SALT_LENGTH) {
            throw new BadCredentialsException("Salted username not long enough.");
        }
        byte[] bArr = new byte[decodeBase64.length - SALT_LENGTH];
        System.arraycopy(decodeBase64, SALT_LENGTH, bArr, 0, bArr.length);
        String str3 = new String(bArr, UTF8);
        Secret secret = secret();
        try {
            return decrypt(secret, decodeBase64, str3, str2);
        } catch (BadCredentialsException e) {
            if (secret.previousSecret != null) {
                return decrypt(secret.previousSecret, decodeBase64, str3, str2);
            }
            throw e;
        }
    }

    private UsernamePasswordAuthenticationToken decrypt(Secret secret, byte[] bArr, String str, String str2) {
        byte[] hmac = new HmacUtils(HMAC_ALG, secret.data).hmac(bArr);
        if (log.isDebugEnabled()) {
            log.debug("Decrypting login password [{}] for username [{}] with key = [{}], secret = [{}]", new Object[]{str2, str, Base64.encodeBase64String(hmac), Base64.encodeBase64String(secret.data)});
        }
        try {
            UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(str, new String(createCipher(false, secret.iv, hmac).doFinal(Base64.decodeBase64(str2)), UTF8));
            if (log.isDebugEnabled()) {
                log.debug("Decrypted login password [{}] successfully for username [{}] with key = [{}], secret = [{}]", new Object[]{str2, str, Base64.encodeBase64String(hmac), Base64.encodeBase64String(secret.data)});
            }
            return usernamePasswordAuthenticationToken;
        } catch (Exception e) {
            log.info("Login password decryption error for {}: {}", str, e.toString());
            throw new BadCredentialsException("Invalid password.");
        }
    }
}
