package org.apache.kafka.common.security.scram;

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.kafka.common.errors.IllegalSaslStateException;
import org.apache.kafka.common.security.scram.ScramMessages;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-0.10.2.1.jar:org/apache/kafka/common/security/scram/ScramSaslServer.class */
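/**
 * Server side of a SASL/SCRAM authentication exchange for the mechanisms known to
 * {@link ScramMechanism}.
 *
 * <p>{@link #evaluateResponse(byte[])} drives the exchange through the steps of
 * {@link State}: the client-first message is answered with a server-first message,
 * the client-final message is verified and answered with a server-final message,
 * after which the server is {@link State#COMPLETE}. Any {@link SaslException} raised
 * while processing a message moves the server to {@link State#FAILED}; there is no
 * way back to an earlier state, so an instance serves exactly one exchange.
 *
 * <p>All per-exchange state lives in plain, unsynchronized fields.
 */
public class ScramSaslServer implements SaslServer {
    private static final Logger log = LoggerFactory.getLogger(ScramSaslServer.class);

    private final ScramMechanism mechanism;
    private final ScramFormatter formatter;
    private final CallbackHandler callbackHandler;
    // Current step of the exchange; only ever written through setState().
    private State state;
    // User name derived from the client-first message's SASL name.
    private String username;
    private ScramMessages.ClientFirstMessage clientFirstMessage;
    private ScramMessages.ServerFirstMessage serverFirstMessage;
    private String serverNonce;
    // Credential returned by the callback handler for `username`; holds key material.
    private ScramCredential scramCredential;

    /**
     * {@link SaslServerFactory} producing {@link ScramSaslServer} instances for the
     * mechanism names reported by {@link ScramMechanism#mechanismNames()}.
     */
    public static class ScramSaslServerFactory implements SaslServerFactory {

        /**
         * Creates a SCRAM server for the requested mechanism.
         *
         * @param mechanism       requested SASL mechanism name
         * @param protocol        not used
         * @param serverName      not used
         * @param props           SASL properties, passed through to the server
         * @param callbackHandler handler the server will use to look up credentials
         * @return a new server for {@code mechanism}
         * @throws SaslException if {@code mechanism} is not a SCRAM mechanism, or if the
         *                       mechanism's hash algorithm is not available in this JVM
         */
        @Override
        public SaslServer createSaslServer(String mechanism, String protocol, String serverName,
                                           Map<String, ?> props, CallbackHandler callbackHandler)
                throws SaslException {
            if (!ScramMechanism.isScram(mechanism)) {
                throw new SaslException(String.format(
                        "Requested mechanism '%s' is not supported. Supported mechanisms are '%s'.",
                        mechanism, ScramMechanism.mechanismNames()));
            }
            try {
                return new ScramSaslServer(ScramMechanism.forMechanismName(mechanism), props, callbackHandler);
            } catch (NoSuchAlgorithmException e) {
                throw new SaslException("Hash algorithm not supported for mechanism " + mechanism, e);
            }
        }

        /**
         * @param props not used
         * @return the SCRAM mechanism names this factory can serve
         */
        @Override
        public String[] getMechanismNames(Map<String, ?> props) {
            Collection<String> names = ScramMechanism.mechanismNames();
            return names.toArray(new String[names.size()]);
        }
    }

    /** Steps of the exchange as seen by the server. */
    public enum State {
        /** Waiting for the client-first message. */
        RECEIVE_CLIENT_FIRST_MESSAGE,
        /** Server-first message sent; waiting for the client-final message. */
        RECEIVE_CLIENT_FINAL_MESSAGE,
        /** Client proof verified and server-final message produced. */
        COMPLETE,
        /** A {@link SaslException} aborted the exchange; no further messages are accepted. */
        FAILED
    }

    /**
     * Creates a server in state {@link State#RECEIVE_CLIENT_FIRST_MESSAGE}.
     *
     * @param mechanism       SCRAM mechanism to serve
     * @param props           SASL properties; not read by this implementation
     * @param callbackHandler handler expected to answer a {@link NameCallback} and a
     *                        {@link ScramCredentialCallback} during the exchange
     * @throws NoSuchAlgorithmException if the {@link ScramFormatter} for the mechanism
     *                                  cannot be created
     */
    public ScramSaslServer(ScramMechanism mechanism, Map<String, ?> props, CallbackHandler callbackHandler)
            throws NoSuchAlgorithmException {
        this.mechanism = mechanism;
        this.formatter = new ScramFormatter(mechanism);
        this.callbackHandler = callbackHandler;
        setState(State.RECEIVE_CLIENT_FIRST_MESSAGE);
    }

    /**
     * Processes the next message from the client and returns the server's reply.
     *
     * @param response the client-first or client-final message, depending on the current state
     * @return the server-first or server-final message
     * @throws SaslException if the message cannot be parsed, the credential cannot be obtained
     *                       or is unusable, or the client proof does not verify; the server
     *                       is moved to {@link State#FAILED} before the exception propagates
     * @throws IllegalSaslStateException if the exchange is already complete or failed
     */
    @Override
    public byte[] evaluateResponse(byte[] response) throws SaslException {
        try {
            switch (state) {
                case RECEIVE_CLIENT_FIRST_MESSAGE:
                    return handleClientFirstMessage(response);
                case RECEIVE_CLIENT_FINAL_MESSAGE:
                    return handleClientFinalMessage(response);
                default:
                    // Not a SaslException, so it bypasses the handler below and the
                    // state is left unchanged: this is a caller error, not an auth failure.
                    throw new IllegalSaslStateException("Unexpected challenge in Sasl server state " + state);
            }
        } catch (SaslException e) {
            setState(State.FAILED);
            throw e;
        }
    }

    /**
     * Parses the client-first message, obtains the user's credential through the callback
     * handler, and builds the server-first message.
     *
     * @param response raw client-first message
     * @return the server-first message bytes
     * @throws SaslException if the message is invalid or a usable credential cannot be obtained
     */
    private byte[] handleClientFirstMessage(byte[] response) throws SaslException {
        clientFirstMessage = new ScramMessages.ClientFirstMessage(response);
        serverNonce = formatter.secureRandomString();
        try {
            username = formatter.username(clientFirstMessage.saslName());
            NameCallback nameCallback = new NameCallback("username", username);
            ScramCredentialCallback credentialCallback = new ScramCredentialCallback();
            callbackHandler.handle(new Callback[]{nameCallback, credentialCallback});
            scramCredential = credentialCallback.scramCredential();
            if (scramCredential == null) {
                throw new SaslException("Authentication failed: Invalid user credentials");
            }
            if (scramCredential.iterations() < mechanism.minIterations()) {
                throw new SaslException("Iterations " + scramCredential.iterations()
                        + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
            }
            serverFirstMessage = new ScramMessages.ServerFirstMessage(clientFirstMessage.nonce(), serverNonce,
                    scramCredential.salt(), scramCredential.iterations());
            setState(State.RECEIVE_CLIENT_FINAL_MESSAGE);
            return serverFirstMessage.toBytes();
        } catch (IOException | NumberFormatException | UnsupportedCallbackException e) {
            // NOTE: SaslException extends IOException, so the two SaslExceptions thrown
            // above are rewrapped here as well; their specific message survives only as the cause.
            throw new SaslException("Authentication failed: Credentials could not be obtained", e);
        }
    }

    /**
     * Parses the client-final message, verifies the client proof, and builds the
     * server-final message carrying the server signature.
     *
     * @param response raw client-final message
     * @return the server-final message bytes
     * @throws SaslException if the proof does not verify or the stored keys cannot be used
     */
    private byte[] handleClientFinalMessage(byte[] response) throws SaslException {
        try {
            ScramMessages.ClientFinalMessage clientFinalMessage = new ScramMessages.ClientFinalMessage(response);
            verifyClientProof(clientFinalMessage);
            byte[] serverSignature = formatter.serverSignature(scramCredential.serverKey(),
                    clientFirstMessage, serverFirstMessage, clientFinalMessage);
            // First argument is left null (presumably the server-error field); only the
            // signature is sent.
            ScramMessages.ServerFinalMessage serverFinalMessage =
                    new ScramMessages.ServerFinalMessage(null, serverSignature);
            setState(State.COMPLETE);
            return serverFinalMessage.toBytes();
        } catch (InvalidKeyException e) {
            throw new SaslException("Authentication failed: Invalid client final message", e);
        }
    }

    /**
     * @return the authorization id requested in the client-first message, or the
     *         authenticated user name if none (or an empty one) was requested
     * @throws IllegalStateException if the exchange is not complete
     */
    @Override
    public String getAuthorizationID() {
        ensureComplete();
        String authorizationId = clientFirstMessage.authorizationId();
        return (authorizationId == null || authorizationId.isEmpty()) ? username : authorizationId;
    }

    /** @return the SASL mechanism name this server implements */
    @Override
    public String getMechanismName() {
        return mechanism.mechanismName();
    }

    /**
     * @param propName ignored; no negotiated properties are exposed
     * @return always {@code null}
     * @throws IllegalStateException if the exchange is not complete
     */
    @Override
    public Object getNegotiatedProperty(String propName) {
        ensureComplete();
        return null;
    }

    /** @return {@code true} once the client proof has been verified */
    @Override
    public boolean isComplete() {
        return state == State.COMPLETE;
    }

    /**
     * Returns a copy of the requested range; no integrity or confidentiality layer is applied.
     *
     * @param incoming buffer received from the client
     * @param offset   start of the range within {@code incoming}
     * @param len      length of the range
     * @return a copy of {@code incoming[offset, offset + len)}
     * @throws IllegalStateException if the exchange is not complete
     */
    @Override
    public byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException {
        ensureComplete();
        return Arrays.copyOfRange(incoming, offset, offset + len);
    }

    /**
     * Returns a copy of the requested range; no integrity or confidentiality layer is applied.
     *
     * @param outgoing buffer to send to the client
     * @param offset   start of the range within {@code outgoing}
     * @param len      length of the range
     * @return a copy of {@code outgoing[offset, offset + len)}
     * @throws IllegalStateException if the exchange is not complete
     */
    @Override
    public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException {
        ensureComplete();
        return Arrays.copyOfRange(outgoing, offset, offset + len);
    }

    /**
     * No-op. Nothing is released here; in particular the key material held in
     * {@code scramCredential} is not cleared, and {@link #getAuthorizationID()} keeps
     * working after this call.
     */
    @Override
    public void dispose() throws SaslException {
    }

    /** Throws {@link IllegalStateException} unless the exchange has completed. */
    private void ensureComplete() {
        if (!isComplete()) {
            throw new IllegalStateException("Authentication exchange has not completed");
        }
    }

    /** Records the new step of the exchange, logging the transition at debug level. */
    private void setState(State state) {
        log.debug("Setting SASL/{} server state to {}", mechanism, state);
        this.state = state;
    }

    /**
     * Verifies the client proof against the stored key of the user's credential.
     *
     * <p>The comparison uses {@link MessageDigest#isEqual(byte[], byte[])} rather than
     * {@link Arrays#equals(byte[], byte[])} so that its running time does not depend on
     * the position of the first mismatching byte.
     *
     * @param clientFinalMessage parsed client-final message carrying the proof
     * @throws SaslException if the proof does not match, or the keys cannot be used
     */
    private void verifyClientProof(ScramMessages.ClientFinalMessage clientFinalMessage) throws SaslException {
        try {
            byte[] expectedStoredKey = scramCredential.storedKey();
            byte[] clientSignature = formatter.clientSignature(expectedStoredKey, clientFirstMessage,
                    serverFirstMessage, clientFinalMessage);
            byte[] storedKeyFromProof = formatter.storedKey(clientSignature, clientFinalMessage.proof());
            if (!MessageDigest.isEqual(storedKeyFromProof, expectedStoredKey)) {
                throw new SaslException("Invalid client credentials");
            }
        } catch (InvalidKeyException e) {
            throw new SaslException("Sasl client verification failed", e);
        }
    }
}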
