package org.opends.server.extensions;

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.Base64;
import org.forgerock.opendj.ldap.ByteSequence;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.server.config.server.PKCS5S2PasswordStorageSchemeCfg;
import org.opends.messages.ExtensionMessages;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.core.DirectoryServer;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.InitializationException;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/PKCS5S2PasswordStorageScheme.class */
public class PKCS5S2PasswordStorageScheme extends PasswordStorageScheme<PKCS5S2PasswordStorageSchemeCfg> {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
    private static final String CLASS_NAME = "org.opends.server.extensions.PKCS5S2PasswordStorageScheme";
    private static final int NUM_SALT_BYTES = 16;
    private static final int SHA1_LENGTH = 32;
    private static final int iterations = 10000;
    private SecureRandom random;

    @Override // org.opends.server.api.PasswordStorageScheme
    public void initializePasswordStorageScheme(PKCS5S2PasswordStorageSchemeCfg pKCS5S2PasswordStorageSchemeCfg) throws InitializationException {
        try {
            this.random = SecureRandom.getInstance(ExtensionsConstants.SECURE_PRNG_SHA1);
            SecretKeyFactory.getInstance(ExtensionsConstants.MESSAGE_DIGEST_ALGORITHM_PBKDF2);
        } catch (NoSuchAlgorithmException e) {
            throw new InitializationException(null);
        }
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public String getStorageSchemeName() {
        return "PKCS5S2";
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public ByteString encodePassword(ByteSequence byteSequence) throws DirectoryException {
        byte[] bArr = new byte[16];
        return ByteString.valueOfUtf8(Base64.encode(concatenateSaltPlusHash(bArr, encodeWithRandomSalt(byteSequence, bArr, this.random))));
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public ByteString encodePasswordWithScheme(ByteSequence byteSequence) throws DirectoryException {
        return ByteString.valueOfUtf8("{PKCS5S2}" + encodePassword(byteSequence));
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public boolean passwordMatches(ByteSequence byteSequence, ByteSequence byteSequence2) {
        try {
            byte[] byteArray = Base64.decode(byteSequence2.toString()).toByteArray();
            if (byteArray.length != 48) {
                logger.error(ExtensionMessages.ERR_PWSCHEME_INVALID_BASE64_DECODED_STORED_PASSWORD.get(byteSequence2.toString()));
                return false;
            }
            byte[] bArr = new byte[32];
            byte[] bArr2 = new byte[16];
            System.arraycopy(byteArray, 0, bArr2, 0, 16);
            System.arraycopy(byteArray, 16, bArr, 0, 32);
            return encodeAndMatch(byteSequence, bArr2, bArr, iterations);
        } catch (Exception e) {
            logger.traceException(e);
            logger.error(ExtensionMessages.ERR_PWSCHEME_CANNOT_BASE64_DECODE_STORED_PASSWORD.get(byteSequence2.toString(), String.valueOf(e)));
            return false;
        }
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public boolean supportsAuthPasswordSyntax() {
        return true;
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public String getAuthPasswordSchemeName() {
        return "PKCS5S2";
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public ByteString encodeAuthPassword(ByteSequence byteSequence) throws DirectoryException {
        byte[] bArr = new byte[16];
        return ByteString.valueOfUtf8("PKCS5S2$10000:" + Base64.encode(bArr) + '$' + Base64.encode(encodeWithRandomSalt(byteSequence, bArr, this.random)));
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public boolean authPasswordMatches(ByteSequence byteSequence, String str, String str2) {
        try {
            int indexOf = str.indexOf(58);
            if (indexOf == -1) {
                throw new Exception();
            }
            return encodeAndMatch(byteSequence, Base64.decode(str.substring(indexOf + 1)).toByteArray(), Base64.decode(str2).toByteArray(), Integer.parseInt(str.substring(0, indexOf)));
        } catch (Exception e) {
            logger.traceException(e);
            return false;
        }
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public boolean isReversible() {
        return false;
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public ByteString getPlaintextValue(ByteSequence byteSequence) throws DirectoryException {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION, ExtensionMessages.ERR_PWSCHEME_NOT_REVERSIBLE.get("PKCS5S2"));
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public ByteString getAuthPasswordPlaintextValue(String str, String str2) throws DirectoryException {
        throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION, ExtensionMessages.ERR_PWSCHEME_NOT_REVERSIBLE.get("PKCS5S2"));
    }

    @Override // org.opends.server.api.PasswordStorageScheme
    public boolean isStorageSchemeSecure() {
        return true;
    }

    public static String encodeOffline(byte[] bArr) throws DirectoryException {
        byte[] bArr2 = new byte[16];
        return "{PKCS5S2}" + Base64.encode(concatenateSaltPlusHash(bArr2, encodeWithRandomSalt(ByteString.wrap(bArr), bArr2)));
    }

    private static byte[] encodeWithRandomSalt(ByteString byteString, byte[] bArr) throws DirectoryException {
        try {
            return encodeWithRandomSalt(byteString, bArr, SecureRandom.getInstance(ExtensionsConstants.SECURE_PRNG_SHA1));
        } catch (DirectoryException e) {
            throw e;
        } catch (Exception e2) {
            throw cannotEncodePassword(e2);
        }
    }

    private static byte[] encodeWithSalt(ByteSequence byteSequence, byte[] bArr, int i) throws DirectoryException {
        char[] charArray = byteSequence.toString().toCharArray();
        try {
            try {
                byte[] encoded = SecretKeyFactory.getInstance(ExtensionsConstants.MESSAGE_DIGEST_ALGORITHM_PBKDF2).generateSecret(new PBEKeySpec(charArray, bArr, i, 256)).getEncoded();
                Arrays.fill(charArray, '0');
                return encoded;
            } catch (Exception e) {
                throw cannotEncodePassword(e);
            }
        } catch (Throwable th) {
            Arrays.fill(charArray, '0');
            throw th;
        }
    }

    private boolean encodeAndMatch(ByteSequence byteSequence, byte[] bArr, byte[] bArr2, int i) {
        try {
            return Arrays.equals(bArr2, encodeWithSalt(byteSequence, bArr, i));
        } catch (Exception e) {
            return false;
        }
    }

    private static byte[] encodeWithRandomSalt(ByteSequence byteSequence, byte[] bArr, SecureRandom secureRandom) throws DirectoryException {
        secureRandom.nextBytes(bArr);
        return encodeWithSalt(byteSequence, bArr, iterations);
    }

    private static DirectoryException cannotEncodePassword(Exception exc) {
        logger.traceException(exc);
        return new DirectoryException(DirectoryServer.getCoreConfigManager().getServerErrorResultCode(), ExtensionMessages.ERR_PWSCHEME_CANNOT_ENCODE_PASSWORD.get(CLASS_NAME, StaticUtils.getExceptionMessage(exc)), exc);
    }

    private static byte[] concatenateSaltPlusHash(byte[] bArr, byte[] bArr2) {
        byte[] bArr3 = new byte[bArr2.length + 16];
        System.arraycopy(bArr, 0, bArr3, 0, 16);
        System.arraycopy(bArr2, 0, bArr3, 16, bArr2.length);
        return bArr3;
    }
}
