package io.undertow.security.impl;

import io.undertow.UndertowLogger;
import io.undertow.UndertowMessages;
import io.undertow.httpcore.HttpHeaderNames;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMechanismFactory;
import io.undertow.security.api.NonceManager;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.DigestAlgorithm;
import io.undertow.security.idm.DigestCredential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.form.FormParserFactory;
import io.undertow.util.AttachmentKey;
import io.undertow.util.HexConverter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.log4j.spi.LocationInfo;

/* loaded from: input_file:io/undertow/security/impl/DigestAuthenticationMechanism.class */
public class DigestAuthenticationMechanism implements AuthenticationMechanism {
    private static final String DEFAULT_NAME = "DIGEST";
    private static final String OPAQUE_VALUE = "00000000000000000000000000000000";
    private static final byte COLON = 58;
    private final String mechanismName;
    private final IdentityManager identityManager;
    private static final Set<DigestAuthorizationToken> MANDATORY_REQUEST_TOKENS;
    private final List<DigestAlgorithm> supportedAlgorithms;
    private final List<DigestQop> supportedQops;
    private final String qopString;
    private final String realmName;
    private final String domain;
    private final NonceManager nonceManager;
    public static final AuthenticationMechanismFactory FACTORY = new Factory();
    private static final String DIGEST_PREFIX = "Digest ";
    private static final int PREFIX_LENGTH = DIGEST_PREFIX.length();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/undertow/security/impl/DigestAuthenticationMechanism$DigestContext.class */
    public static class DigestContext {
        static final AttachmentKey<DigestContext> ATTACHMENT_KEY = AttachmentKey.create(DigestContext.class);
        private String method;
        private String nonce;
        private DigestQop qop;
        private byte[] ha1;
        private DigestAlgorithm algorithm;
        private MessageDigest digest;
        private boolean stale;
        Map<DigestAuthorizationToken, String> parsedHeader;

        private DigestContext() {
            this.stale = false;
        }

        String getMethod() {
            return this.method;
        }

        void setMethod(String str) {
            this.method = str;
        }

        boolean isStale() {
            return this.stale;
        }

        void markStale() {
            this.stale = true;
        }

        String getNonce() {
            return this.nonce;
        }

        void setNonce(String str) {
            this.nonce = str;
        }

        DigestQop getQop() {
            return this.qop;
        }

        void setQop(DigestQop digestQop) {
            this.qop = digestQop;
        }

        byte[] getHa1() {
            return this.ha1;
        }

        void setHa1(byte[] bArr) {
            this.ha1 = bArr;
        }

        DigestAlgorithm getAlgorithm() {
            return this.algorithm;
        }

        void setAlgorithm(DigestAlgorithm digestAlgorithm) throws NoSuchAlgorithmException {
            this.algorithm = digestAlgorithm;
            this.digest = digestAlgorithm.getMessageDigest();
        }

        MessageDigest getDigest() {
            return this.digest;
        }

        Map<DigestAuthorizationToken, String> getParsedHeader() {
            return this.parsedHeader;
        }

        void setParsedHeader(Map<DigestAuthorizationToken, String> map) {
            this.parsedHeader = map;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/undertow/security/impl/DigestAuthenticationMechanism$DigestCredentialImpl.class */
    public class DigestCredentialImpl implements DigestCredential {
        private final DigestContext context;

        private DigestCredentialImpl(DigestContext digestContext) {
            this.context = digestContext;
        }

        @Override // io.undertow.security.idm.DigestCredential
        public DigestAlgorithm getAlgorithm() {
            return this.context.getAlgorithm();
        }

        @Override // io.undertow.security.idm.DigestCredential
        public boolean verifyHA1(byte[] bArr) {
            this.context.setHa1(bArr);
            return DigestAuthenticationMechanism.this.validateRequest(this.context, bArr);
        }

        @Override // io.undertow.security.idm.DigestCredential
        public String getRealm() {
            return DigestAuthenticationMechanism.this.realmName;
        }

        @Override // io.undertow.security.idm.DigestCredential
        public byte[] getSessionData() {
            if (!this.context.getAlgorithm().isSession()) {
                throw UndertowMessages.MESSAGES.noSessionData();
            }
            byte[] bytes = this.context.getParsedHeader().get(DigestAuthorizationToken.NONCE).getBytes(StandardCharsets.UTF_8);
            byte[] bytes2 = this.context.getParsedHeader().get(DigestAuthorizationToken.CNONCE).getBytes(StandardCharsets.UTF_8);
            byte[] bArr = new byte[bytes.length + bytes2.length + 1];
            System.arraycopy(bytes, 0, bArr, 0, bytes.length);
            bArr[bytes.length] = 58;
            System.arraycopy(bytes2, 0, bArr, bytes.length + 1, bytes2.length);
            return bArr;
        }
    }

    /* loaded from: input_file:io/undertow/security/impl/DigestAuthenticationMechanism$Factory.class */
    public static final class Factory implements AuthenticationMechanismFactory {
        @Deprecated
        public Factory(IdentityManager identityManager) {
        }

        public Factory() {
        }

        @Override // io.undertow.security.api.AuthenticationMechanismFactory
        public AuthenticationMechanism create(String str, IdentityManager identityManager, FormParserFactory formParserFactory, Map<String, String> map) {
            return new DigestAuthenticationMechanism(map.get("realm"), map.get(AuthenticationMechanismFactory.CONTEXT_PATH), str, identityManager);
        }
    }

    public DigestAuthenticationMechanism(List<DigestAlgorithm> list, List<DigestQop> list2, String str, String str2, NonceManager nonceManager) {
        this(list, list2, str, str2, nonceManager, "DIGEST");
    }

    public DigestAuthenticationMechanism(List<DigestAlgorithm> list, List<DigestQop> list2, String str, String str2, NonceManager nonceManager, String str3) {
        this(list, list2, str, str2, nonceManager, str3, null);
    }

    public DigestAuthenticationMechanism(List<DigestAlgorithm> list, List<DigestQop> list2, String str, String str2, NonceManager nonceManager, String str3, IdentityManager identityManager) {
        this.supportedAlgorithms = list;
        this.supportedQops = list2;
        this.realmName = str;
        this.domain = str2;
        this.nonceManager = nonceManager;
        this.mechanismName = str3;
        this.identityManager = identityManager;
        if (list2.isEmpty()) {
            this.qopString = null;
            return;
        }
        StringBuilder sb = new StringBuilder();
        Iterator<DigestQop> it = list2.iterator();
        sb.append(it.next().getToken());
        while (it.hasNext()) {
            sb.append(",").append(it.next().getToken());
        }
        this.qopString = sb.toString();
    }

    public DigestAuthenticationMechanism(String str, String str2, String str3) {
        this(str, str2, str3, null);
    }

    public DigestAuthenticationMechanism(String str, String str2, String str3, IdentityManager identityManager) {
        this(Collections.singletonList(DigestAlgorithm.MD5), Collections.singletonList(DigestQop.AUTH), str, str2, new SimpleNonceManager(), "DIGEST", identityManager);
    }

    private IdentityManager getIdentityManager(SecurityContext securityContext) {
        return this.identityManager != null ? this.identityManager : securityContext.getIdentityManager();
    }

    @Override // io.undertow.security.api.AuthenticationMechanism
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        List<String> requestHeaders = httpServerExchange.getRequestHeaders("Authorization");
        if (requestHeaders != null) {
            Iterator<String> it = requestHeaders.iterator();
            if (it.hasNext()) {
                String next = it.next();
                if (next.startsWith(DIGEST_PREFIX)) {
                    String substring = next.substring(PREFIX_LENGTH);
                    try {
                        DigestContext digestContext = new DigestContext();
                        Map<DigestAuthorizationToken, String> parseHeader = DigestAuthorizationToken.parseHeader(substring);
                        digestContext.setMethod(httpServerExchange.getRequestMethod());
                        digestContext.setParsedHeader(parseHeader);
                        httpServerExchange.putAttachment(DigestContext.ATTACHMENT_KEY, digestContext);
                        UndertowLogger.SECURITY_LOGGER.debugf("Found digest header %s in %s", next, httpServerExchange);
                        return handleDigestHeader(httpServerExchange, securityContext);
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
        }
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    private AuthenticationMechanism.AuthenticationMechanismOutcome handleDigestHeader(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        DigestAlgorithm digestAlgorithm;
        DigestContext digestContext = (DigestContext) httpServerExchange.getAttachment(DigestContext.ATTACHMENT_KEY);
        Map<DigestAuthorizationToken, String> parsedHeader = digestContext.getParsedHeader();
        EnumSet copyOf = EnumSet.copyOf((Collection) MANDATORY_REQUEST_TOKENS);
        if (!this.supportedAlgorithms.contains(DigestAlgorithm.MD5)) {
            copyOf.add(DigestAuthorizationToken.ALGORITHM);
        }
        if (!this.supportedQops.isEmpty() && !this.supportedQops.contains(DigestQop.AUTH)) {
            copyOf.add(DigestAuthorizationToken.MESSAGE_QOP);
        }
        if (parsedHeader.containsKey(DigestAuthorizationToken.MESSAGE_QOP)) {
            DigestQop forName = DigestQop.forName(parsedHeader.get(DigestAuthorizationToken.MESSAGE_QOP));
            if (forName == null || !this.supportedQops.contains(forName)) {
                UndertowLogger.REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.MESSAGE_QOP.getName(), parsedHeader.get(DigestAuthorizationToken.MESSAGE_QOP));
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            digestContext.setQop(forName);
            copyOf.add(DigestAuthorizationToken.CNONCE);
            copyOf.add(DigestAuthorizationToken.NONCE_COUNT);
        }
        copyOf.removeAll(parsedHeader.keySet());
        if (copyOf.size() > 0) {
            Iterator it = copyOf.iterator();
            while (it.hasNext()) {
                UndertowLogger.REQUEST_LOGGER.missingAuthorizationToken(((DigestAuthorizationToken) it.next()).getName());
            }
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        if (!this.realmName.equals(parsedHeader.get(DigestAuthorizationToken.REALM))) {
            UndertowLogger.REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.REALM.getName(), parsedHeader.get(DigestAuthorizationToken.REALM));
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        if (!parsedHeader.containsKey(DigestAuthorizationToken.DIGEST_URI)) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        String str = parsedHeader.get(DigestAuthorizationToken.DIGEST_URI);
        String requestURI = httpServerExchange.getRequestURI();
        if (!httpServerExchange.getQueryString().isEmpty()) {
            requestURI = requestURI + LocationInfo.NA + httpServerExchange.getQueryString();
        }
        if (!str.equals(requestURI)) {
            String requestURL = httpServerExchange.getRequestURL();
            if (!httpServerExchange.getQueryString().isEmpty()) {
                requestURL = requestURL + LocationInfo.NA + httpServerExchange.getQueryString();
            }
            if (!str.equals(requestURL)) {
                httpServerExchange.setStatusCode(400);
                httpServerExchange.endExchange();
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
        }
        if (parsedHeader.containsKey(DigestAuthorizationToken.OPAQUE) && !OPAQUE_VALUE.equals(parsedHeader.get(DigestAuthorizationToken.OPAQUE))) {
            UndertowLogger.REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.OPAQUE.getName(), parsedHeader.get(DigestAuthorizationToken.OPAQUE));
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        if (parsedHeader.containsKey(DigestAuthorizationToken.ALGORITHM)) {
            digestAlgorithm = DigestAlgorithm.forName(parsedHeader.get(DigestAuthorizationToken.ALGORITHM));
            if (digestAlgorithm == null || !this.supportedAlgorithms.contains(digestAlgorithm)) {
                UndertowLogger.REQUEST_LOGGER.invalidTokenReceived(DigestAuthorizationToken.ALGORITHM.getName(), parsedHeader.get(DigestAuthorizationToken.ALGORITHM));
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
        } else {
            digestAlgorithm = DigestAlgorithm.MD5;
        }
        try {
            digestContext.setAlgorithm(digestAlgorithm);
            String str2 = parsedHeader.get(DigestAuthorizationToken.USERNAME);
            IdentityManager identityManager = getIdentityManager(securityContext);
            if (digestAlgorithm.isSession()) {
                throw new IllegalStateException("Not yet implemented.");
            }
            Account verify = identityManager.verify(str2, new DigestCredentialImpl(digestContext));
            if (verify == null) {
                securityContext.authenticationFailed(UndertowMessages.MESSAGES.authenticationFailed(str2), this.mechanismName);
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            if (!validateNonceUse(digestContext, parsedHeader, httpServerExchange)) {
                digestContext.markStale();
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            sendAuthenticationInfoHeader(httpServerExchange);
            securityContext.authenticationComplete(verify, this.mechanismName, false);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        } catch (NoSuchAlgorithmException e) {
            UndertowLogger.REQUEST_LOGGER.exceptionProcessingRequest(e);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean validateRequest(DigestContext digestContext, byte[] bArr) {
        DigestQop qop = digestContext.getQop();
        byte[] createHA2Auth = (qop == null || qop.equals(DigestQop.AUTH)) ? createHA2Auth(digestContext, digestContext.getParsedHeader()) : createHA2AuthInt();
        return MessageDigest.isEqual(qop == null ? createRFC2069RequestDigest(bArr, createHA2Auth, digestContext) : createRFC2617RequestDigest(bArr, createHA2Auth, digestContext), digestContext.getParsedHeader().get(DigestAuthorizationToken.RESPONSE).getBytes(StandardCharsets.UTF_8));
    }

    private boolean validateNonceUse(DigestContext digestContext, Map<DigestAuthorizationToken, String> map, HttpServerExchange httpServerExchange) {
        String str = map.get(DigestAuthorizationToken.NONCE);
        int i = -1;
        if (map.containsKey(DigestAuthorizationToken.NONCE_COUNT)) {
            i = Integer.parseInt(map.get(DigestAuthorizationToken.NONCE_COUNT), 16);
        }
        digestContext.setNonce(str);
        return this.nonceManager.validateNonce(str, i, httpServerExchange);
    }

    private byte[] createHA2Auth(DigestContext digestContext, Map<DigestAuthorizationToken, String> map) {
        byte[] bytes = digestContext.getMethod().getBytes(StandardCharsets.UTF_8);
        byte[] bytes2 = map.get(DigestAuthorizationToken.DIGEST_URI).getBytes(StandardCharsets.UTF_8);
        MessageDigest digest = digestContext.getDigest();
        try {
            digest.update(bytes);
            digest.update((byte) 58);
            digest.update(bytes2);
            byte[] convertToHexBytes = HexConverter.convertToHexBytes(digest.digest());
            digest.reset();
            return convertToHexBytes;
        } catch (Throwable th) {
            digest.reset();
            throw th;
        }
    }

    private byte[] createHA2AuthInt() {
        throw new IllegalStateException("Method not implemented.");
    }

    private byte[] createRFC2069RequestDigest(byte[] bArr, byte[] bArr2, DigestContext digestContext) {
        MessageDigest digest = digestContext.getDigest();
        byte[] bytes = digestContext.getParsedHeader().get(DigestAuthorizationToken.NONCE).getBytes(StandardCharsets.UTF_8);
        try {
            digest.update(bArr);
            digest.update((byte) 58);
            digest.update(bytes);
            digest.update((byte) 58);
            digest.update(bArr2);
            byte[] convertToHexBytes = HexConverter.convertToHexBytes(digest.digest());
            digest.reset();
            return convertToHexBytes;
        } catch (Throwable th) {
            digest.reset();
            throw th;
        }
    }

    private byte[] createRFC2617RequestDigest(byte[] bArr, byte[] bArr2, DigestContext digestContext) {
        MessageDigest digest = digestContext.getDigest();
        Map<DigestAuthorizationToken, String> parsedHeader = digestContext.getParsedHeader();
        byte[] bytes = parsedHeader.get(DigestAuthorizationToken.NONCE).getBytes(StandardCharsets.UTF_8);
        byte[] bytes2 = parsedHeader.get(DigestAuthorizationToken.NONCE_COUNT).getBytes(StandardCharsets.UTF_8);
        byte[] bytes3 = parsedHeader.get(DigestAuthorizationToken.CNONCE).getBytes(StandardCharsets.UTF_8);
        byte[] bytes4 = parsedHeader.get(DigestAuthorizationToken.MESSAGE_QOP).getBytes(StandardCharsets.UTF_8);
        try {
            digest.update(bArr);
            digest.update((byte) 58);
            digest.update(bytes);
            digest.update((byte) 58);
            digest.update(bytes2);
            digest.update((byte) 58);
            digest.update(bytes3);
            digest.update((byte) 58);
            digest.update(bytes4);
            digest.update((byte) 58);
            digest.update(bArr2);
            byte[] convertToHexBytes = HexConverter.convertToHexBytes(digest.digest());
            digest.reset();
            return convertToHexBytes;
        } catch (Throwable th) {
            digest.reset();
            throw th;
        }
    }

    @Override // io.undertow.security.api.AuthenticationMechanism
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        DigestContext digestContext = (DigestContext) httpServerExchange.getAttachment(DigestContext.ATTACHMENT_KEY);
        boolean isStale = digestContext == null ? false : digestContext.isStale();
        StringBuilder sb = new StringBuilder(DIGEST_PREFIX);
        sb.append("realm".toString()).append("=\"").append(this.realmName).append("\",");
        sb.append("domain".toString()).append("=\"").append(this.domain).append("\",");
        sb.append("nonce".toString()).append("=\"").append(this.nonceManager.nextNonce(null, httpServerExchange)).append("\",");
        sb.append(HttpHeaderNames.OPAQUE.toString()).append("=\"00000000000000000000000000000000\"");
        if (isStale) {
            sb.append(",stale=true");
        }
        if (this.supportedAlgorithms.size() > 0) {
            sb.append(",").append(HttpHeaderNames.ALGORITHM.toString()).append("=%s");
        }
        if (this.qopString != null) {
            sb.append(",").append("qop".toString()).append("=\"").append(this.qopString).append("\"");
        }
        String sb2 = sb.toString();
        if (this.supportedAlgorithms.isEmpty()) {
            httpServerExchange.addResponseHeader("WWW-Authenticate", sb2);
        } else {
            Iterator<DigestAlgorithm> it = this.supportedAlgorithms.iterator();
            while (it.hasNext()) {
                httpServerExchange.addResponseHeader("WWW-Authenticate", String.format(sb2, it.next().getToken()));
            }
        }
        return new AuthenticationMechanism.ChallengeResult(true, 401);
    }

    public void sendAuthenticationInfoHeader(HttpServerExchange httpServerExchange) {
        DigestContext digestContext = (DigestContext) httpServerExchange.getAttachment(DigestContext.ATTACHMENT_KEY);
        DigestQop qop = digestContext.getQop();
        String nonce = digestContext.getNonce();
        String nextNonce = this.nonceManager.nextNonce(nonce, httpServerExchange);
        if (qop != null || !nextNonce.equals(nonce)) {
            StringBuilder sb = new StringBuilder();
            sb.append(HttpHeaderNames.NEXT_NONCE).append("=\"").append(nextNonce).append("\"");
            if (qop != null) {
                Map<DigestAuthorizationToken, String> parsedHeader = digestContext.getParsedHeader();
                sb.append(",").append("qop".toString()).append("=\"").append(qop.getToken()).append("\"");
                sb.append(",").append(HttpHeaderNames.RESPONSE_AUTH.toString()).append("=\"").append(new String(createRFC2617RequestDigest(digestContext.getHa1(), qop == DigestQop.AUTH ? createHA2Auth(digestContext) : createHA2AuthInt(), digestContext), StandardCharsets.UTF_8)).append("\"");
                sb.append(",").append(HttpHeaderNames.CNONCE.toString()).append("=\"").append(parsedHeader.get(DigestAuthorizationToken.CNONCE)).append("\"");
                sb.append(",").append(HttpHeaderNames.NONCE_COUNT.toString()).append("=").append(parsedHeader.get(DigestAuthorizationToken.NONCE_COUNT));
            }
            httpServerExchange.addResponseHeader("Authentication-Info", sb.toString());
        }
        httpServerExchange.removeAttachment(DigestContext.ATTACHMENT_KEY);
    }

    private byte[] createHA2Auth(DigestContext digestContext) {
        byte[] bytes = digestContext.getParsedHeader().get(DigestAuthorizationToken.DIGEST_URI).getBytes(StandardCharsets.UTF_8);
        MessageDigest digest = digestContext.getDigest();
        try {
            digest.update((byte) 58);
            digest.update(bytes);
            byte[] convertToHexBytes = HexConverter.convertToHexBytes(digest.digest());
            digest.reset();
            return convertToHexBytes;
        } catch (Throwable th) {
            digest.reset();
            throw th;
        }
    }

    static {
        EnumSet noneOf = EnumSet.noneOf(DigestAuthorizationToken.class);
        noneOf.add(DigestAuthorizationToken.USERNAME);
        noneOf.add(DigestAuthorizationToken.REALM);
        noneOf.add(DigestAuthorizationToken.NONCE);
        noneOf.add(DigestAuthorizationToken.DIGEST_URI);
        noneOf.add(DigestAuthorizationToken.RESPONSE);
        MANDATORY_REQUEST_TOKENS = Collections.unmodifiableSet(noneOf);
    }
}
