package com.mongodb.internal.connection;

import com.mongodb.AuthenticationMechanism;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.ServerApi;
import com.mongodb.connection.ClusterConnectionMode;
import com.mongodb.internal.authentication.NativeAuthenticationHelper;
import com.mongodb.internal.authentication.SaslPrep;
import com.mongodb.lang.Nullable;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.bson.BsonBoolean;
import org.bson.BsonDocument;
import org.bson.BsonString;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:META-INF/jars/mongodb-driver-core-4.7.2.jar:com/mongodb/internal/connection/ScramShaAuthenticator.class */
public class ScramShaAuthenticator extends SaslAuthenticator {
    private final RandomStringGenerator randomStringGenerator;
    private final AuthenticationHashGenerator authenticationHashGenerator;
    private SaslClient speculativeSaslClient;
    private BsonDocument speculativeAuthenticateResponse;
    private static final int MINIMUM_ITERATION_COUNT = 4096;
    private static final String GS2_HEADER = "n,,";
    private static final int RANDOM_LENGTH = 24;
    private static final byte[] INT_1 = {0, 0, 0, 1};
    private static final AuthenticationHashGenerator DEFAULT_AUTHENTICATION_HASH_GENERATOR = new AuthenticationHashGenerator() { // from class: com.mongodb.internal.connection.ScramShaAuthenticator.1
        @Override // com.mongodb.internal.connection.ScramShaAuthenticator.AuthenticationHashGenerator
        public String generate(MongoCredential mongoCredential) {
            char[] password = mongoCredential.getPassword();
            if (password == null) {
                throw new IllegalArgumentException("Password must not be null");
            }
            return new String(password);
        }
    };
    private static final AuthenticationHashGenerator LEGACY_AUTHENTICATION_HASH_GENERATOR = new AuthenticationHashGenerator() { // from class: com.mongodb.internal.connection.ScramShaAuthenticator.2
        @Override // com.mongodb.internal.connection.ScramShaAuthenticator.AuthenticationHashGenerator
        public String generate(MongoCredential mongoCredential) {
            String userName = mongoCredential.getUserName();
            char[] password = mongoCredential.getPassword();
            if (userName == null || password == null) {
                throw new IllegalArgumentException("Username and password must not be null");
            }
            return NativeAuthenticationHelper.createAuthenticationHash(userName, password);
        }
    };

    /* loaded from: input_file:META-INF/jars/mongodb-driver-core-4.7.2.jar:com/mongodb/internal/connection/ScramShaAuthenticator$AuthenticationHashGenerator.class */
    public interface AuthenticationHashGenerator {
        String generate(MongoCredential mongoCredential);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:META-INF/jars/mongodb-driver-core-4.7.2.jar:com/mongodb/internal/connection/ScramShaAuthenticator$CacheKey.class */
    public static class CacheKey {
        private final String hashedPasswordAndSalt;
        private final String salt;
        private final int iterationCount;

        CacheKey(String str, String str2, int i) {
            this.hashedPasswordAndSalt = str;
            this.salt = str2;
            this.iterationCount = i;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            CacheKey cacheKey = (CacheKey) obj;
            if (this.iterationCount == cacheKey.iterationCount && this.hashedPasswordAndSalt.equals(cacheKey.hashedPasswordAndSalt)) {
                return this.salt.equals(cacheKey.salt);
            }
            return false;
        }

        public int hashCode() {
            return (31 * ((31 * this.hashedPasswordAndSalt.hashCode()) + this.salt.hashCode())) + this.iterationCount;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:META-INF/jars/mongodb-driver-core-4.7.2.jar:com/mongodb/internal/connection/ScramShaAuthenticator$CacheValue.class */
    public static class CacheValue {
        private final byte[] clientKey;
        private final byte[] serverKey;

        CacheValue(byte[] bArr, byte[] bArr2) {
            this.clientKey = bArr;
            this.serverKey = bArr2;
        }
    }

    /* loaded from: input_file:META-INF/jars/mongodb-driver-core-4.7.2.jar:com/mongodb/internal/connection/ScramShaAuthenticator$DefaultRandomStringGenerator.class */
    private static class DefaultRandomStringGenerator implements RandomStringGenerator {
        private DefaultRandomStringGenerator() {
        }

        @Override // com.mongodb.internal.connection.ScramShaAuthenticator.RandomStringGenerator
        public String generate(int i) {
            int i2;
            SecureRandom secureRandom = new SecureRandom();
            int i3 = 126 - 33;
            char[] cArr = new char[i];
            for (int i4 = 0; i4 < i; i4++) {
                int nextInt = secureRandom.nextInt(i3);
                while (true) {
                    i2 = nextInt + 33;
                    if (i2 == 44) {
                        nextInt = secureRandom.nextInt(i3);
                    }
                }
                cArr[i4] = (char) i2;
            }
            return new String(cArr);
        }
    }

    /* loaded from: input_file:META-INF/jars/mongodb-driver-core-4.7.2.jar:com/mongodb/internal/connection/ScramShaAuthenticator$RandomStringGenerator.class */
    public interface RandomStringGenerator {
        String generate(int i);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:META-INF/jars/mongodb-driver-core-4.7.2.jar:com/mongodb/internal/connection/ScramShaAuthenticator$ScramShaSaslClient.class */
    public class ScramShaSaslClient implements SaslClient {
        private final MongoCredentialWithCache credential;
        private final RandomStringGenerator randomStringGenerator;
        private final AuthenticationHashGenerator authenticationHashGenerator;
        private final String hAlgorithm;
        private final String hmacAlgorithm;
        private String clientFirstMessageBare;
        private String clientNonce;
        private byte[] serverSignature;
        private int step = -1;

        ScramShaSaslClient(MongoCredentialWithCache mongoCredentialWithCache, RandomStringGenerator randomStringGenerator, AuthenticationHashGenerator authenticationHashGenerator) {
            this.credential = mongoCredentialWithCache;
            this.randomStringGenerator = randomStringGenerator;
            this.authenticationHashGenerator = authenticationHashGenerator;
            if (mongoCredentialWithCache.getAuthenticationMechanism().equals(AuthenticationMechanism.SCRAM_SHA_1)) {
                this.hAlgorithm = "SHA-1";
                this.hmacAlgorithm = "HmacSHA1";
            } else {
                this.hAlgorithm = "SHA-256";
                this.hmacAlgorithm = "HmacSHA256";
            }
        }

        public String getMechanismName() {
            return this.credential.getAuthenticationMechanism().getMechanismName();
        }

        public boolean hasInitialResponse() {
            return true;
        }

        public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
            this.step++;
            if (this.step == 0) {
                return computeClientFirstMessage();
            }
            if (this.step == 1) {
                return computeClientFinalMessage(bArr);
            }
            if (this.step == 2) {
                return validateServerSignature(bArr);
            }
            throw new SaslException(String.format("Too many steps involved in the %s negotiation.", getMechanismName()));
        }

        private byte[] validateServerSignature(byte[] bArr) throws SaslException {
            if (MessageDigest.isEqual(Base64.getDecoder().decode(parseServerResponse(new String(bArr, StandardCharsets.UTF_8)).get("v")), this.serverSignature)) {
                return new byte[0];
            }
            throw new SaslException("Server signature was invalid.");
        }

        public boolean isComplete() {
            return this.step == 2;
        }

        public byte[] unwrap(byte[] bArr, int i, int i2) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        public byte[] wrap(byte[] bArr, int i, int i2) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        public Object getNegotiatedProperty(String str) {
            throw new UnsupportedOperationException("Not implemented yet!");
        }

        public void dispose() {
        }

        private byte[] computeClientFirstMessage() {
            this.clientNonce = this.randomStringGenerator.generate(24);
            String str = "n=" + getUserName() + ",r=" + this.clientNonce;
            this.clientFirstMessageBare = str;
            return (ScramShaAuthenticator.GS2_HEADER + str).getBytes(StandardCharsets.UTF_8);
        }

        private byte[] computeClientFinalMessage(byte[] bArr) throws SaslException {
            String str = new String(bArr, StandardCharsets.UTF_8);
            HashMap<String, String> parseServerResponse = parseServerResponse(str);
            String str2 = parseServerResponse.get("r");
            if (!str2.startsWith(this.clientNonce)) {
                throw new SaslException("Server sent an invalid nonce.");
            }
            String str3 = parseServerResponse.get("s");
            int parseInt = Integer.parseInt(parseServerResponse.get("i"));
            if (parseInt < 4096) {
                throw new SaslException("Invalid iteration count.");
            }
            String str4 = "c=" + Base64.getEncoder().encodeToString(ScramShaAuthenticator.GS2_HEADER.getBytes(StandardCharsets.UTF_8)) + ",r=" + str2;
            return (str4 + ",p=" + getClientProof(getAuthenicationHash(), str3, parseInt, this.clientFirstMessageBare + "," + str + "," + str4)).getBytes(StandardCharsets.UTF_8);
        }

        String getClientProof(String str, String str2, int i, String str3) throws SaslException {
            CacheKey cacheKey = new CacheKey(new String(h((str + str2).getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8), str2, i);
            CacheValue cacheValue = (CacheValue) ScramShaAuthenticator.this.getMongoCredentialWithCache().getFromCache(cacheKey, CacheValue.class);
            if (cacheValue == null) {
                byte[] hi = hi(str.getBytes(StandardCharsets.UTF_8), Base64.getDecoder().decode(str2), i);
                byte[] hmac = hmac(hi, "Client Key");
                byte[] hmac2 = hmac(hi, "Server Key");
                cacheValue = new CacheValue(hmac, hmac2);
                ScramShaAuthenticator.this.getMongoCredentialWithCache().putInCache(cacheKey, new CacheValue(hmac, hmac2));
            }
            this.serverSignature = hmac(cacheValue.serverKey, str3);
            return Base64.getEncoder().encodeToString(xor(cacheValue.clientKey, hmac(h(cacheValue.clientKey), str3)));
        }

        private byte[] h(byte[] bArr) throws SaslException {
            try {
                return MessageDigest.getInstance(this.hAlgorithm).digest(bArr);
            } catch (NoSuchAlgorithmException e) {
                throw new SaslException(String.format("Algorithm for '%s' could not be found.", this.hAlgorithm), e);
            }
        }

        private byte[] hi(byte[] bArr, byte[] bArr2, int i) throws SaslException {
            try {
                SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, this.hmacAlgorithm);
                Mac mac = Mac.getInstance(this.hmacAlgorithm);
                mac.init(secretKeySpec);
                mac.update(bArr2);
                mac.update(ScramShaAuthenticator.INT_1);
                byte[] doFinal = mac.doFinal();
                byte[] bArr3 = null;
                for (int i2 = 1; i2 < i; i2++) {
                    mac.update(bArr3 != null ? bArr3 : doFinal);
                    bArr3 = mac.doFinal();
                    xorInPlace(doFinal, bArr3);
                }
                return doFinal;
            } catch (InvalidKeyException e) {
                throw new SaslException(String.format("Invalid key for %s", this.hmacAlgorithm), e);
            } catch (NoSuchAlgorithmException e2) {
                throw new SaslException(String.format("Algorithm for '%s' could not be found.", this.hmacAlgorithm), e2);
            }
        }

        private byte[] hmac(byte[] bArr, String str) throws SaslException {
            try {
                Mac mac = Mac.getInstance(this.hmacAlgorithm);
                mac.init(new SecretKeySpec(bArr, this.hmacAlgorithm));
                return mac.doFinal(str.getBytes(StandardCharsets.UTF_8));
            } catch (InvalidKeyException e) {
                throw new SaslException("Could not initialize mac.", e);
            } catch (NoSuchAlgorithmException e2) {
                throw new SaslException(String.format("Algorithm for '%s' could not be found.", this.hmacAlgorithm), e2);
            }
        }

        private HashMap<String, String> parseServerResponse(String str) {
            HashMap<String, String> hashMap = new HashMap<>();
            for (String str2 : str.split(",")) {
                String[] split = str2.split("=", 2);
                hashMap.put(split[0], split[1]);
            }
            return hashMap;
        }

        private String getUserName() {
            String userName = this.credential.getCredential().getUserName();
            if (userName == null) {
                throw new IllegalArgumentException("Username can not be null");
            }
            return userName.replace("=", "=3D").replace(",", "=2C");
        }

        private String getAuthenicationHash() {
            String generate = this.authenticationHashGenerator.generate(this.credential.getCredential());
            if (this.credential.getAuthenticationMechanism() == AuthenticationMechanism.SCRAM_SHA_256) {
                generate = SaslPrep.saslPrepStored(generate);
            }
            return generate;
        }

        private byte[] xorInPlace(byte[] bArr, byte[] bArr2) {
            for (int i = 0; i < bArr.length; i++) {
                int i2 = i;
                bArr[i2] = (byte) (bArr[i2] ^ bArr2[i]);
            }
            return bArr;
        }

        private byte[] xor(byte[] bArr, byte[] bArr2) {
            byte[] bArr3 = new byte[bArr.length];
            System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
            return xorInPlace(bArr3, bArr2);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ScramShaAuthenticator(MongoCredentialWithCache mongoCredentialWithCache, ClusterConnectionMode clusterConnectionMode, @Nullable ServerApi serverApi) {
        this(mongoCredentialWithCache, new DefaultRandomStringGenerator(), getAuthenicationHashGenerator(mongoCredentialWithCache.getAuthenticationMechanism()), clusterConnectionMode, serverApi);
    }

    ScramShaAuthenticator(MongoCredentialWithCache mongoCredentialWithCache, RandomStringGenerator randomStringGenerator, AuthenticationHashGenerator authenticationHashGenerator, ClusterConnectionMode clusterConnectionMode, @Nullable ServerApi serverApi) {
        super(mongoCredentialWithCache, clusterConnectionMode, serverApi);
        this.randomStringGenerator = randomStringGenerator;
        this.authenticationHashGenerator = authenticationHashGenerator;
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator
    public String getMechanismName() {
        AuthenticationMechanism authenticationMechanism = getMongoCredential().getAuthenticationMechanism();
        if (authenticationMechanism == null) {
            throw new IllegalArgumentException("Authentication mechanism cannot be null");
        }
        return authenticationMechanism.getMechanismName();
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator
    protected void appendSaslStartOptions(BsonDocument bsonDocument) {
        bsonDocument.append("options", new BsonDocument("skipEmptyExchange", new BsonBoolean(true)));
    }

    @Override // com.mongodb.internal.connection.SaslAuthenticator
    protected SaslClient createSaslClient(ServerAddress serverAddress) {
        return this.speculativeSaslClient != null ? this.speculativeSaslClient : new ScramShaSaslClient(getMongoCredentialWithCache(), this.randomStringGenerator, this.authenticationHashGenerator);
    }

    @Override // com.mongodb.internal.connection.SpeculativeAuthenticator
    public BsonDocument createSpeculativeAuthenticateCommand(InternalConnection internalConnection) {
        try {
            this.speculativeSaslClient = createSaslClient(internalConnection.getDescription().getServerAddress());
            BsonDocument append = createSaslStartCommandDocument(this.speculativeSaslClient.evaluateChallenge(new byte[0])).append("db", new BsonString(getMongoCredential().getSource()));
            appendSaslStartOptions(append);
            return append;
        } catch (Exception e) {
            throw wrapException(e);
        }
    }

    @Override // com.mongodb.internal.connection.SpeculativeAuthenticator
    public BsonDocument getSpeculativeAuthenticateResponse() {
        return this.speculativeAuthenticateResponse;
    }

    @Override // com.mongodb.internal.connection.SpeculativeAuthenticator
    public void setSpeculativeAuthenticateResponse(BsonDocument bsonDocument) {
        if (bsonDocument == null) {
            this.speculativeSaslClient = null;
        } else {
            this.speculativeAuthenticateResponse = bsonDocument;
        }
    }

    private static AuthenticationHashGenerator getAuthenicationHashGenerator(AuthenticationMechanism authenticationMechanism) {
        return authenticationMechanism == AuthenticationMechanism.SCRAM_SHA_1 ? LEGACY_AUTHENTICATION_HASH_GENERATOR : DEFAULT_AUTHENTICATION_HASH_GENERATOR;
    }
}
