package org.opends.server.extensions;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.DigestMD5SASLMechanismHandlerCfg;
import org.opends.server.api.Backend;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.config.ConfigException;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PasswordPolicyState;
import org.opends.server.loggers.ErrorLogger;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.messages.ExtensionsMessages;
import org.opends.server.messages.MessageHandler;
import org.opends.server.protocols.asn1.ASN1OctetString;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.tools.ToolConstants;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.ByteString;
import org.opends.server.types.ConfigChangeResult;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.DisconnectReason;
import org.opends.server.types.Entry;
import org.opends.server.types.ErrorLogCategory;
import org.opends.server.types.ErrorLogSeverity;
import org.opends.server.types.InitializationException;
import org.opends.server.types.LockManager;
import org.opends.server.types.Privilege;
import org.opends.server.types.ResultCode;
import org.opends.server.util.Base64;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/DigestMD5SASLMechanismHandler.class */
public class DigestMD5SASLMechanismHandler extends SASLMechanismHandler<DigestMD5SASLMechanismHandlerCfg> implements ConfigurationChangeListener<DigestMD5SASLMechanismHandlerCfg> {
    // Debug tracer used to record caught exceptions when debug logging is enabled.
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    // Configuration currently in effect; assigned in initializeSASLMechanismHandler.
    private DigestMD5SASLMechanismHandlerCfg currentConfig;
    // DN of the configuration entry, taken from the configuration's dn().
    private DN configEntryDN;
    // Mapper that resolves a "u:"-style or bare user ID to a directory entry.
    private IdentityMapper identityMapper;
    // MD5 digest instance obtained via MessageDigest.getInstance("MD5").
    // NOTE(review): MessageDigest instances are stateful and not thread-safe; presumably
    // every use outside this view is guarded by digestLock - confirm.
    private MessageDigest md5Digest;
    // Lock held by generateNonce while drawing random bytes.
    private ReentrantLock digestLock;
    // Cryptographically strong random source used for the server nonce.
    private SecureRandom randomGenerator;

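    /**
     * Initializes this DIGEST-MD5 handler from the supplied configuration and registers it
     * with the Directory Server under the DIGEST-MD5 mechanism name.
     *
     * <p>The handler registers itself as a change listener on the configuration, creates the
     * lock and random source used for nonce generation, obtains an MD5 digest instance and
     * resolves the configured identity mapper.
     *
     * @param digestMD5SASLMechanismHandlerCfg the configuration for this handler
     * @throws ConfigException if the configured identity mapper DN does not resolve to a
     *         registered identity mapper
     * @throws InitializationException if the MD5 message digest cannot be obtained
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void initializeSASLMechanismHandler(DigestMD5SASLMechanismHandlerCfg digestMD5SASLMechanismHandlerCfg) throws ConfigException, InitializationException {
        // NOTE(review): the listener is registered before validation; if initialization fails
        // below, nothing visible here removes it again - confirm the caller cleans up.
        digestMD5SASLMechanismHandlerCfg.addDigestMD5ChangeListener(this);
        this.currentConfig = digestMD5SASLMechanismHandlerCfg;
        this.configEntryDN = digestMD5SASLMechanismHandlerCfg.dn();
        this.digestLock = new ReentrantLock();
        this.randomGenerator = new SecureRandom();

        // Only the digest lookup belongs in this try: its catch reports
        // "cannot get message digest", which would be misleading for any other failure.
        try {
            this.md5Digest = MessageDigest.getInstance("MD5");
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            throw new InitializationException(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GET_MESSAGE_DIGEST, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GET_MESSAGE_DIGEST, StaticUtils.getExceptionMessage(e)), e);
        }

        // A missing identity mapper is a configuration problem and is reported as such,
        // rather than being rewrapped as a message-digest failure.
        DN identityMapperDN = digestMD5SASLMechanismHandlerCfg.getIdentityMapperDN();
        this.identityMapper = DirectoryServer.getIdentityMapper(identityMapperDN);
        if (this.identityMapper == null) {
            throw new ConfigException(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_SUCH_IDENTITY_MAPPER, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_SUCH_IDENTITY_MAPPER, String.valueOf(identityMapperDN), String.valueOf(this.configEntryDN)));
        }

        // Register last, once the handler is fully usable.
        DirectoryServer.registerSASLMechanismHandler(ServerConstants.SASL_MECHANISM_DIGEST_MD5, this);
    }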

    /**
     * Shuts this handler down: stops listening for configuration changes and removes the
     * DIGEST-MD5 mechanism registration from the Directory Server.
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void finalizeSASLMechanismHandler() {
        final DigestMD5SASLMechanismHandlerCfg activeConfig = this.currentConfig;
        // Detach from the configuration first, then withdraw the mechanism.
        activeConfig.removeDigestMD5ChangeListener(this);
        final String mechanismName = ServerConstants.SASL_MECHANISM_DIGEST_MD5;
        DirectoryServer.deregisterSASLMechanismHandler(mechanismName);
    }

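    /**
     * Processes one step of a DIGEST-MD5 SASL bind.
     *
     * <p>A bind request without SASL credentials starts the exchange: a challenge containing
     * the realm(s), a fresh nonce, {@code qop="auth"}, {@code charset=utf-8} and
     * {@code algorithm=md5-sess} is returned and the nonce is stored on the client connection.
     * A bind request with credentials is treated as the client response: it is parsed, checked
     * against the stored nonce and nonce count, the user (and optional authorization ID) is
     * resolved, and the response digest is verified against each clear-text password of the
     * user entry. On success the {@code rspauth} value and the authentication info are set on
     * the operation.
     *
     * <p>Every failure path sets {@code INVALID_CREDENTIALS} (or the server error result code
     * when the entry cannot be locked) together with an auth failure reason; a nonce or nonce
     * count mismatch disconnects the client instead.
     *
     * @param bindOperation the bind operation carrying the SASL credentials and receiving the
     *        result code, server credentials and authentication info
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void processSASLBind(BindOperation bindOperation) {
        Entry userEntry;
        // Work from local copies of the fields for the whole bind (presumably so a
        // configuration change cannot swap them mid-operation).
        DigestMD5SASLMechanismHandlerCfg config = this.currentConfig;
        IdentityMapper mapper = this.identityMapper;
        String realm = config.getRealm();
        ASN1OctetString clientCredentials = bindOperation.getSASLCredentials();
        ClientConnection clientConnection = bindOperation.getClientConnection();

        // ---- Stage 1: no credentials yet, so send the challenge. ----
        if (clientCredentials == null || clientCredentials.value().length == 0) {
            StringBuilder challenge = new StringBuilder();
            if (realm == null) {
                // No configured realm: advertise every public naming context as a realm.
                Map<DN, Backend> publicNamingContexts = DirectoryServer.getPublicNamingContexts();
                if (!publicNamingContexts.isEmpty()) {
                    Iterator<DN> it = publicNamingContexts.keySet().iterator();
                    challenge.append("realm=\"");
                    challenge.append(it.next().toNormalizedString());
                    challenge.append("\"");
                    while (it.hasNext()) {
                        challenge.append(",realm=\"");
                        challenge.append(it.next().toNormalizedString());
                        challenge.append("\"");
                    }
                }
            } else {
                challenge.append("realm=\"");
                challenge.append(realm);
                challenge.append("\"");
            }
            String serverNonce = generateNonce();
            if (challenge.length() > 0) {
                challenge.append(",");
            }
            challenge.append("nonce=\"");
            challenge.append(serverNonce);
            challenge.append("\"");
            challenge.append(",qop=\"auth\"");
            challenge.append(",charset=utf-8");
            challenge.append(",algorithm=md5-sess");
            ASN1OctetString challengeBytes = new ASN1OctetString(challenge.toString());
            if (challengeBytes.value().length < 2048) {
                // Remember the nonce with a zero nonce count; the response must echo the
                // nonce and use count 1.
                clientConnection.setSASLAuthStateInfo(new DigestMD5StateInfo(serverNonce, "00000000"));
                bindOperation.setResultCode(ResultCode.SASL_BIND_IN_PROGRESS);
                bindOperation.setServerSASLCredentials(challengeBytes);
                return;
            } else {
                // A challenge of 2048 bytes or more is rejected rather than sent.
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                String message = MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CHALLENGE_TOO_LONG, Integer.valueOf(challengeBytes.value().length));
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CHALLENGE_TOO_LONG, message);
                ErrorLogger.logError(ErrorLogCategory.EXTENSIONS, ErrorLogSeverity.SEVERE_WARNING, message, ExtensionsMessages.MSGID_SASLDIGESTMD5_CHALLENGE_TOO_LONG);
                return;
            }
        }

        // ---- Stage 2: credentials present, so a challenge must already be outstanding. ----
        Object storedState = clientConnection.getSASLAuthStateInfo();
        if (storedState == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_STORED_STATE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_STORED_STATE));
            return;
        }
        if (!(storedState instanceof DigestMD5StateInfo)) {
            // State left behind by some other mechanism must not be reinterpreted.
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_STORED_STATE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_STORED_STATE));
            return;
        }
        DigestMD5StateInfo stateInfo = (DigestMD5StateInfo) storedState;

        // Fields extracted from the client response.
        String userName = null;
        String responseRealm = null;
        String responseNonce = null;
        String cnonce = null;
        int nonceCount = -1;
        String nonceCountStr = null;
        String qop = "auth";
        String digestURI = null;
        byte[] responseDigest = null;
        String authzID = null;

        // Decode as ISO-8859-1 first; re-decode as UTF-8 if that failed or the client
        // declared charset=utf-8.
        byte[] credBytes = clientCredentials.value();
        String credString = null;
        String lowerCredString = null;
        try {
            credString = new String(credBytes, "ISO-8859-1");
            lowerCredString = StaticUtils.toLowerCase(credString);
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            ErrorLogger.logError(ErrorLogCategory.EXTENSIONS, ErrorLogSeverity.SEVERE_WARNING, ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_PARSE_ISO_CREDENTIALS, "ISO-8859-1", StaticUtils.getExceptionMessage(e));
        }
        // NOTE(review): this is a substring match over the whole response, so the text
        // "charset=utf-8" inside a quoted value also triggers the UTF-8 re-decode.
        if (credString == null || lowerCredString.indexOf("charset=utf-8") >= 0) {
            try {
                credString = new String(credBytes, "UTF-8");
                lowerCredString = StaticUtils.toLowerCase(credString);
            } catch (Exception e2) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e2);
                }
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_PARSE_UTF8_CREDENTIALS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_PARSE_UTF8_CREDENTIALS, StaticUtils.getExceptionMessage(e2)));
                return;
            }
        }

        // Walk the name=value pairs. Names come from the lower-cased copy, values from the
        // original string so their case is preserved.
        int pos = 0;
        int length = credString.length();
        while (pos < length) {
            int equalPos = credString.indexOf('=', pos + 1);
            if (equalPos < 0) {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_TOKEN_IN_CREDENTIALS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_TOKEN_IN_CREDENTIALS, Integer.valueOf(pos)));
                return;
            }
            String tokenName = lowerCredString.substring(pos, equalPos);
            try {
                StringBuilder valueBuffer = new StringBuilder();
                pos = readToken(credString, equalPos + 1, length, valueBuffer);
                String tokenValue = valueBuffer.toString();
                if (tokenName.equals("charset")) {
                    if (!tokenValue.equalsIgnoreCase("utf-8")) {
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_CHARSET, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_CHARSET, tokenValue));
                        return;
                    }
                } else if (tokenName.equals("username")) {
                    userName = tokenValue;
                } else if (tokenName.equals(ToolConstants.SASL_PROPERTY_REALM)) {
                    responseRealm = tokenValue;
                    // With a configured realm the client must echo exactly that realm.
                    if (realm != null && !responseRealm.equals(realm)) {
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_REALM, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_REALM, responseRealm));
                        return;
                    }
                } else if (tokenName.equals("nonce")) {
                    responseNonce = tokenValue;
                    // The nonce must be the one issued on this connection; a mismatch is
                    // treated as a security problem and the connection is dropped.
                    if (!responseNonce.equals(stateInfo.getNonce())) {
                        clientConnection.disconnect(DisconnectReason.SECURITY_PROBLEM, false, ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_NONCE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_NONCE));
                        return;
                    }
                } else if (tokenName.equals("cnonce")) {
                    cnonce = tokenValue;
                } else if (tokenName.equals("nc")) {
                    try {
                        nonceCountStr = tokenValue;
                        nonceCount = Integer.parseInt(nonceCountStr, 16);
                        try {
                            // The count must be exactly one more than the stored count,
                            // which rejects a replayed or skipped response.
                            if (nonceCount != Integer.parseInt(stateInfo.getNonceCount(), 16) + 1) {
                                clientConnection.disconnect(DisconnectReason.SECURITY_PROBLEM, false, ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_NONCE_COUNT, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_NONCE_COUNT));
                                return;
                            }
                        } catch (Exception e3) {
                            if (DebugLogger.debugEnabled()) {
                                TRACER.debugCaught(DebugLogLevel.ERROR, e3);
                            }
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_DECODE_STORED_NONCE_COUNT, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_DECODE_STORED_NONCE_COUNT, StaticUtils.getExceptionMessage(e3)));
                            return;
                        }
                    } catch (Exception e4) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e4);
                        }
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_DECODE_NONCE_COUNT, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_DECODE_NONCE_COUNT, tokenValue));
                        return;
                    }
                } else if (tokenName.equals(ToolConstants.SASL_PROPERTY_QOP)) {
                    qop = tokenValue;
                    // Only plain authentication is offered; integrity and confidentiality
                    // layers are rejected with their own failure reasons.
                    if (!qop.equals("auth")) {
                        if (qop.equals("auth-int")) {
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INTEGRITY_NOT_SUPPORTED, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INTEGRITY_NOT_SUPPORTED));
                            return;
                        } else if (qop.equals("auth-conf")) {
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CONFIDENTIALITY_NOT_SUPPORTED, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CONFIDENTIALITY_NOT_SUPPORTED));
                            return;
                        } else {
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_QOP, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_QOP, qop));
                            return;
                        }
                    }
                } else if (tokenName.equals(ToolConstants.SASL_PROPERTY_DIGEST_URI)) {
                    digestURI = tokenValue;
                } else if (tokenName.equals("response")) {
                    try {
                        responseDigest = StaticUtils.hexStringToByteArray(tokenValue);
                    } catch (ParseException e5) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e5);
                        }
                        // Set the result code explicitly, as every other rejection in this
                        // method does, so a malformed digest never leaves it unset.
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_PARSE_RESPONSE_DIGEST, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_PARSE_RESPONSE_DIGEST, StaticUtils.getExceptionMessage(e5)));
                        return;
                    }
                } else if (tokenName.equals(ToolConstants.SASL_PROPERTY_AUTHZID)) {
                    authzID = tokenValue;
                } else if (!tokenName.equals("maxbuf") && !tokenName.equals("cipher")) {
                    // "maxbuf" and "cipher" are accepted and ignored; anything else is an error.
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_RESPONSE_TOKEN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_RESPONSE_TOKEN, tokenName));
                    return;
                }
            } catch (DirectoryException e6) {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(e6.getMessageID(), e6.getErrorMessage());
                return;
            }
        }

        // ---- Required fields. ----
        if (userName == null || userName.length() == 0) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_USERNAME_IN_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_USERNAME_IN_RESPONSE));
            return;
        }
        if (responseNonce == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_NONCE_IN_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_NONCE_IN_RESPONSE));
            return;
        }
        if (cnonce == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_CNONCE_IN_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_CNONCE_IN_RESPONSE));
            return;
        }
        if (nonceCount < 0) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_NONCE_COUNT_IN_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_NONCE_COUNT_IN_RESPONSE));
            return;
        }
        if (digestURI == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_DIGEST_URI_IN_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_DIGEST_URI_IN_RESPONSE));
            return;
        }
        if (responseDigest == null) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_DIGEST_IN_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_DIGEST_IN_RESPONSE));
            return;
        }
        if (responseRealm == null) {
            responseRealm = "";
        }

        // ---- Resolve the authentication identity ("dn:...", "u:..." or a bare ID). ----
        String lowerUserName = StaticUtils.toLowerCase(userName);
        if (lowerUserName.startsWith("dn:")) {
            try {
                DN userDN = DN.decode(userName.substring(3));
                if (userDN.isNullDN()) {
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_USERNAME_IS_NULL_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_USERNAME_IS_NULL_DN));
                    return;
                }
                // Replace an alternate root bind DN by the actual root user DN.
                DN actualRootBindDN = DirectoryServer.getActualRootBindDN(userDN);
                if (actualRootBindDN != null) {
                    userDN = actualRootBindDN;
                }
                // Up to three attempts to obtain the read lock on the entry.
                Lock lock = null;
                for (int attempt = 0; attempt < 3; attempt++) {
                    lock = LockManager.lockRead(userDN);
                    if (lock != null) {
                        break;
                    }
                }
                if (lock == null) {
                    bindOperation.setResultCode(DirectoryServer.getServerErrorResultCode());
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_LOCK_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_LOCK_ENTRY, String.valueOf(userDN)));
                    return;
                }
                try {
                    userEntry = DirectoryServer.getEntry(userDN);
                } catch (DirectoryException e7) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, e7);
                    }
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GET_ENTRY_BY_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GET_ENTRY_BY_DN, String.valueOf(userDN), e7.getErrorMessage()));
                    return;
                } finally {
                    // Release the read lock exactly once on every path.
                    LockManager.unlock(userDN, lock);
                }
            } catch (DirectoryException e8) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e8);
                }
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_DECODE_USERNAME_AS_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_DECODE_USERNAME_AS_DN, userName, e8.getErrorMessage()));
                return;
            }
        } else {
            String userID = userName;
            if (lowerUserName.startsWith("u:")) {
                if (lowerUserName.equals("u:")) {
                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_ZERO_LENGTH_USERNAME, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_ZERO_LENGTH_USERNAME));
                    return;
                }
                userID = userName.substring(2);
            }
            try {
                userEntry = mapper.getEntryForID(userID);
            } catch (DirectoryException e9) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e9);
                }
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_MAP_USERNAME, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_MAP_USERNAME, String.valueOf(userName), e9.getErrorMessage()));
                return;
            }
        }
        if (userEntry == null) {
            // NOTE(review): the failure reason distinguishes "no such user" from "wrong
            // password"; confirm it is only logged and never returned to the client.
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_MATCHING_ENTRIES, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_MATCHING_ENTRIES, userName));
            return;
        }
        // Recorded before the password is verified; authentication info itself is only
        // installed on the success path at the end of this method.
        bindOperation.setSASLAuthUserEntry(userEntry);

        // ---- Resolve the optional authorization identity. ----
        // Acting as anyone other than the authenticated entry requires PROXIED_AUTH.
        Entry authZEntry = userEntry;
        if (authzID != null) {
            if (authzID.length() == 0) {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_EMPTY_AUTHZID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_EMPTY_AUTHZID));
                return;
            }
            if (!authzID.equals(userName)) {
                String lowerAuthzID = StaticUtils.toLowerCase(authzID);
                if (lowerAuthzID.startsWith("dn:")) {
                    try {
                        DN authzDN = DN.decode(authzID.substring(3));
                        DN actualAuthzDN = DirectoryServer.getActualRootBindDN(authzDN);
                        if (actualAuthzDN != null) {
                            authzDN = actualAuthzDN;
                        }
                        if (!authzDN.equals(userEntry.getDN())) {
                            if (!new InternalClientConnection(new AuthenticationInfo(userEntry, DirectoryServer.isRootDN(userEntry.getDN()))).hasPrivilege(Privilege.PROXIED_AUTH, bindOperation)) {
                                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_INSUFFICIENT_PRIVILEGES, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_INSUFFICIENT_PRIVILEGES, String.valueOf(userEntry.getDN())));
                                return;
                            }
                            if (authzDN.isNullDN()) {
                                // A null DN authorization ID leaves no authorization entry.
                                authZEntry = null;
                            } else {
                                try {
                                    authZEntry = DirectoryServer.getEntry(authzDN);
                                    if (authZEntry == null) {
                                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_NO_SUCH_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_NO_SUCH_ENTRY, String.valueOf(authzDN)));
                                        return;
                                    }
                                } catch (DirectoryException e10) {
                                    if (DebugLogger.debugEnabled()) {
                                        TRACER.debugCaught(DebugLogLevel.ERROR, e10);
                                    }
                                    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                                    bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_CANNOT_GET_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_CANNOT_GET_ENTRY, String.valueOf(authzDN), e10.getErrorMessage()));
                                    return;
                                }
                            }
                        }
                    } catch (DirectoryException e11) {
                        if (DebugLogger.debugEnabled()) {
                            TRACER.debugCaught(DebugLogLevel.ERROR, e11);
                        }
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_INVALID_DN, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_INVALID_DN, authzID, e11.getErrorMessage()));
                        return;
                    }
                } else {
                    String authzUserID = lowerAuthzID.startsWith("u:") ? authzID.substring(2) : authzID;
                    if (authzUserID.length() == 0) {
                        // A bare "u:" leaves no authorization entry.
                        authZEntry = null;
                    } else {
                        try {
                            authZEntry = mapper.getEntryForID(authzUserID);
                            if (authZEntry == null) {
                                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_NO_MAPPED_ENTRY, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_NO_MAPPED_ENTRY, authzID));
                                return;
                            }
                        } catch (DirectoryException e12) {
                            if (DebugLogger.debugEnabled()) {
                                TRACER.debugCaught(DebugLogLevel.ERROR, e12);
                            }
                            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_MAP_AUTHZID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_MAP_AUTHZID, authzID, e12.getErrorMessage()));
                            return;
                        }
                    }
                    if ((authZEntry == null || !authZEntry.getDN().equals(userEntry.getDN())) && !new InternalClientConnection(new AuthenticationInfo(userEntry, DirectoryServer.isRootDN(userEntry.getDN()))).hasPrivilege(Privilege.PROXIED_AUTH, bindOperation)) {
                        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                        bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_INSUFFICIENT_PRIVILEGES, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_AUTHZID_INSUFFICIENT_PRIVILEGES, String.valueOf(userEntry.getDN())));
                        return;
                    }
                }
            }
        }

        // ---- Verify the response digest. ----
        // The digest is recomputed from the clear-text password, so only entries with
        // reversibly stored passwords can authenticate with this mechanism.
        // NOTE(review): no account lockout/disabled/expiry check is visible in this method;
        // presumably the bind operation applies password policy afterwards - confirm.
        try {
            List<ByteString> clearPasswords = new PasswordPolicyState(userEntry, false, false).getClearPasswords();
            if (clearPasswords == null || clearPasswords.isEmpty()) {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_REVERSIBLE_PASSWORDS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_REVERSIBLE_PASSWORDS, String.valueOf(userEntry.getDN())));
                return;
            }
            boolean matchFound = false;
            byte[] matchedPassword = null;
            for (ByteString candidate : clearPasswords) {
                try {
                    // NOTE(review): the charset argument is always "ISO-8859-1", even when
                    // the client declared charset=utf-8; generateResponseDigest is outside
                    // this view - confirm that is intended.
                    byte[] expectedDigest = generateResponseDigest(userName, authzID, candidate.value(), responseRealm, responseNonce, cnonce, nonceCountStr, digestURI, qop, "ISO-8859-1");
                    // Constant-time comparison: the time taken must not reveal how many
                    // leading bytes of the client-supplied digest were correct.
                    if (MessageDigest.isEqual(responseDigest, expectedDigest)) {
                        matchFound = true;
                        matchedPassword = candidate.value();
                        break;
                    }
                } catch (Exception e13) {
                    // A failure for one stored password is logged and the next one is tried;
                    // if none matches the bind fails closed below.
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, e13);
                    }
                    ErrorLogger.logError(ErrorLogCategory.EXTENSIONS, ErrorLogSeverity.SEVERE_WARNING, ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GENERATE_RESPONSE_DIGEST, StaticUtils.getExceptionMessage(e13));
                }
            }
            if (!matchFound) {
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_CREDENTIALS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_CREDENTIALS));
                return;
            }
            try {
                // rspauth lets the client verify that the server also knows the password.
                ASN1OctetString responseAuth = new ASN1OctetString("rspauth=" + getHexString(generateResponseAuthDigest(userName, authzID, matchedPassword, responseRealm, responseNonce, cnonce, nonceCountStr, digestURI, qop, "ISO-8859-1")));
                // Advance the stored nonce count only after a successful verification.
                stateInfo.setNonceCount(nonceCountStr);
                bindOperation.setResultCode(ResultCode.SUCCESS);
                bindOperation.setServerSASLCredentials(responseAuth);
                bindOperation.setAuthenticationInfo(new AuthenticationInfo(userEntry, authZEntry, ServerConstants.SASL_MECHANISM_DIGEST_MD5, DirectoryServer.isRootDN(userEntry.getDN())));
            } catch (Exception e14) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e14);
                }
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GENERATE_RESPONSE_AUTH_DIGEST, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GENERATE_RESPONSE_AUTH_DIGEST, StaticUtils.getExceptionMessage(e14)));
            }
        } catch (Exception e15) {
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GET_REVERSIBLE_PASSWORDS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_CANNOT_GET_REVERSIBLE_PASSWORDS, String.valueOf(userEntry.getDN()), String.valueOf(e15)));
        }
    }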

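    /**
     * Generates a fresh nonce: 16 random bytes from {@code randomGenerator},
     * Base64-encoded.
     *
     * <p>The unpredictability of the nonce depends entirely on the generator.
     * NOTE(review): the file imports {@code java.security.SecureRandom}, so
     * {@code randomGenerator} is presumably one; confirm at the field declaration.
     *
     * @return the Base64 text of the 16 random bytes
     */
    private String generateNonce() {
        byte[] nonceBytes = new byte[16];
        this.digestLock.lock();
        try {
            this.randomGenerator.nextBytes(nonceBytes);
        } finally {
            // Release exactly once. The previous shape unlocked inside the try and
            // again in the catch-all handler, so a failure in the encoding step
            // would have attempted a second unlock of a lock no longer held.
            this.digestLock.unlock();
        }
        // Encoding does not touch shared state, so it runs outside the lock
        // (it already ran after the unlock on the success path).
        return Base64.encode(nonceBytes);
    }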

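    /**
     * Reads a single token from {@code str}, starting at {@code i} and never
     * reading at or beyond {@code i2}, and appends its unescaped text to {@code sb}.
     *
     * <p>A token ends at an unquoted comma, at the closing quote of a quoted
     * token, or at {@code i2}. A backslash makes the next character literal.
     * A quote inside an unquoted token is kept as an ordinary character.
     *
     * <p>NOTE(review): the text parsed here presumably comes from the client's
     * SASL credentials, i.e. untrusted input; confirm against the caller.
     *
     * @param str the text being parsed
     * @param i   index of the first character of the token
     * @param i2  exclusive upper bound for reading
     * @param sb  buffer that receives the token text
     * @return the index at which parsing should continue (past the delimiting comma, if any)
     * @throws DirectoryException if a closing quote is followed by a character other than a comma
     */
    private int readToken(String str, int i, int i2, StringBuilder sb) throws DirectoryException {
        if (i >= i2) {
            return i;
        }
        boolean escaped = false;
        boolean inQuotes = false;
        int pos = i + 1;
        char first = str.charAt(i);
        if (first == ',') {
            // Empty token: the caller continues after the comma.
            return pos;
        }
        if (first == '\"') {
            inQuotes = true;
        } else if (first == '\\') {
            escaped = true;
        } else {
            sb.append(first);
        }
        while (pos < i2) {
            char c = str.charAt(pos++);
            if (escaped) {
                sb.append(c);
                escaped = false;
            } else if (c == ',') {
                if (!inQuotes) {
                    break;
                }
                sb.append(c);
            } else if (c == '\"') {
                if (!inQuotes) {
                    sb.append(c);
                } else {
                    // Closing quote: the character immediately after it must be a
                    // comma (or the end of the range). Read that character BEFORE
                    // advancing; the previous code advanced first, so it skipped the
                    // character it meant to check and could index at i2, past the
                    // permitted range. "pos - 2" is then the quote's own index,
                    // which is what the error message reports.
                    if (pos < i2 && str.charAt(pos++) != ',') {
                        throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_CLOSING_QUOTE_POS, Integer.valueOf(pos - 2)), ExtensionsMessages.MSGID_SASLDIGESTMD5_INVALID_CLOSING_QUOTE_POS);
                    }
                    // The closing quote ends the token. Without this, the quoted
                    // state stayed set and the following tokens were folded into sb.
                    break;
                }
            } else if (c == '\\') {
                escaped = true;
            } else {
                sb.append(c);
            }
        }
        return pos;
    }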

    /**
     * Computes the DIGEST-MD5 response digest that the client's response is
     * compared against.
     *
     * <p>The computation has the shape of the RFC 2831 response value:
     * {@code MD5(HEX(MD5(A1)) ":" str4 ":" str6 ":" str5 ":" str8 ":" HEX(MD5(A2)))},
     * where {@code A1 = MD5(str ":" str3 ":" bArr) ":" str4 ":" str5 [":" str2]} and
     * {@code A2 = "AUTHENTICATE:" str7}. The parameter roles below are read off
     * that formula by position; confirm them against the caller.
     *
     * <p>NOTE(review): unlike {@code generateResponseAuthDigest}, A2 here gets no
     * extra suffix when {@code str8} is {@code auth-int} or {@code auth-conf};
     * verify that only plain {@code auth} is expected to reach this method.
     *
     * @param str  user name
     * @param str2 authorization ID, or {@code null} to leave it out of A1
     * @param bArr clear-text password bytes
     * @param str3 realm
     * @param str4 nonce
     * @param str5 client nonce
     * @param str6 nonce count
     * @param str7 digest URI
     * @param str8 quality of protection
     * @param str9 name of the charset used to turn the strings into bytes
     * @return the raw 16-byte MD5 digest
     * @throws UnsupportedEncodingException if {@code str9} names an unsupported charset
     */
    public byte[] generateResponseDigest(String str, String str2, byte[] bArr, String str3, String str4, String str5, String str6, String str7, String str8, String str9) throws UnsupportedEncodingException {
        // md5Digest is a shared, stateful instance, so every use is serialized.
        this.digestLock.lock();
        try {
            // Inner hash of A1: "user:realm:" followed by the raw password bytes.
            byte[] credPrefix = (str + ':' + str3 + ':').getBytes(str9);
            byte[] credInput = Arrays.copyOf(credPrefix, credPrefix.length + bArr.length);
            System.arraycopy(bArr, 0, credInput, credPrefix.length, bArr.length);
            byte[] credHash = this.md5Digest.digest(credInput);

            // Remainder of A1: ":nonce:cnonce", plus ":authzid" when one was supplied.
            StringBuilder a1Tail = new StringBuilder().append(':').append(str4).append(':').append(str5);
            if (str2 != null) {
                a1Tail.append(':').append(str2);
            }
            byte[] a1TailBytes = a1Tail.toString().getBytes(str9);
            byte[] a1 = Arrays.copyOf(credHash, credHash.length + a1TailBytes.length);
            System.arraycopy(a1TailBytes, 0, a1, credHash.length, a1TailBytes.length);

            String a1Hex = getHexString(this.md5Digest.digest(a1));
            String a2Hex = getHexString(this.md5Digest.digest(("AUTHENTICATE:" + str7).getBytes(str9)));
            String kdInput = a1Hex + ':' + str4 + ':' + str6 + ':' + str5 + ':' + str8 + ':' + a2Hex;
            return this.md5Digest.digest(kdInput.getBytes(str9));
        } finally {
            this.digestLock.unlock();
        }
    }

    /**
     * Computes the digest the server sends back as {@code rspauth} so that the
     * client can verify the server also knows the password.
     *
     * <p>Same construction as {@code generateResponseDigest}, except that A2 is
     * {@code ":" str7} (no {@code AUTHENTICATE} prefix), with 32 zero characters
     * appended after another colon when {@code str8} is {@code auth-int} or
     * {@code auth-conf}. Parameter roles are read off the RFC 2831 formula by
     * position; confirm them against the caller.
     *
     * @param str  user name
     * @param str2 authorization ID, or {@code null} to leave it out of A1
     * @param bArr clear-text password bytes
     * @param str3 realm
     * @param str4 nonce
     * @param str5 client nonce
     * @param str6 nonce count
     * @param str7 digest URI
     * @param str8 quality of protection; must not be {@code null}
     * @param str9 name of the charset used to turn the strings into bytes
     * @return the raw 16-byte MD5 digest
     * @throws UnsupportedEncodingException if {@code str9} names an unsupported charset
     */
    public byte[] generateResponseAuthDigest(String str, String str2, byte[] bArr, String str3, String str4, String str5, String str6, String str7, String str8, String str9) throws UnsupportedEncodingException {
        // md5Digest is a shared, stateful instance, so every use is serialized.
        this.digestLock.lock();
        try {
            // Inner hash of A1: "user:realm:" followed by the raw password bytes.
            byte[] credPrefix = (str + ':' + str3 + ':').getBytes(str9);
            byte[] credInput = Arrays.copyOf(credPrefix, credPrefix.length + bArr.length);
            System.arraycopy(bArr, 0, credInput, credPrefix.length, bArr.length);
            byte[] credHash = this.md5Digest.digest(credInput);

            // Remainder of A1: ":nonce:cnonce", plus ":authzid" when one was supplied.
            StringBuilder a1Tail = new StringBuilder().append(':').append(str4).append(':').append(str5);
            if (str2 != null) {
                a1Tail.append(':').append(str2);
            }
            byte[] a1TailBytes = a1Tail.toString().getBytes(str9);
            byte[] a1 = Arrays.copyOf(credHash, credHash.length + a1TailBytes.length);
            System.arraycopy(a1TailBytes, 0, a1, credHash.length, a1TailBytes.length);
            String a1Hex = getHexString(this.md5Digest.digest(a1));

            // A2 for the server-to-client direction.
            String a2 = ":" + str7;
            boolean protectedQop = str8.equals("auth-int") || str8.equals("auth-conf");
            if (protectedQop) {
                a2 = a2 + ":00000000000000000000000000000000";
            }
            String a2Hex = getHexString(this.md5Digest.digest(a2.getBytes(str9)));

            String kdInput = a1Hex + ':' + str4 + ':' + str6 + ':' + str5 + ':' + str8 + ':' + a2Hex;
            return this.md5Digest.digest(kdInput.getBytes(str9));
        } finally {
            this.digestLock.unlock();
        }
    }

    /**
     * Renders a byte array as text by concatenating
     * {@code StaticUtils.byteToLowerHex} of each byte, in order.
     *
     * @param bArr the bytes to render; must not be {@code null}
     * @return the concatenated per-byte representations
     */
    private String getHexString(byte[] bArr) {
        final int count = bArr.length;
        // Pre-size for two characters per byte.
        StringBuilder hex = new StringBuilder(2 * count);
        for (int idx = 0; idx < count; idx++) {
            hex.append(StaticUtils.byteToLowerHex(bArr[idx]));
        }
        return hex.toString();
    }

    /**
     * Reports whether the named mechanism is password based.
     *
     * <p>This handler answers {@code true} unconditionally; the mechanism name
     * is not examined.
     *
     * @param str the mechanism name (ignored)
     * @return always {@code true}
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isPasswordBased(String str) {
        return true;
    }

    /**
     * Reports whether the named mechanism is considered secure.
     *
     * <p>This handler answers {@code true} unconditionally; the mechanism name
     * is not examined.
     *
     * <p>NOTE(review): DIGEST-MD5 was moved to Historic status by RFC 6331.
     * Whether an unconditional {@code true} is still appropriate depends on
     * what callers do with this answer (for example, whether they skip a
     * transport-security requirement); confirm against those callers.
     *
     * @param str the mechanism name (ignored)
     * @return always {@code true}
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isSecure(String str) {
        return true;
    }

    /**
     * Checks whether a proposed configuration can be applied: the identity
     * mapper DN it names must resolve to a registered identity mapper.
     *
     * @param digestMD5SASLMechanismHandlerCfg the proposed configuration
     * @param list receives a message when the configuration is rejected
     * @return {@code true} if the identity mapper exists, {@code false} otherwise
     */
    /* renamed from: isConfigurationChangeAcceptable, reason: avoid collision after fix types in other method */
    public boolean isConfigurationChangeAcceptable2(DigestMD5SASLMechanismHandlerCfg digestMD5SASLMechanismHandlerCfg, List<String> list) {
        DN mapperDN = digestMD5SASLMechanismHandlerCfg.getIdentityMapperDN();
        if (DirectoryServer.getIdentityMapper(mapperDN) != null) {
            return true;
        }
        // Unknown mapper: explain the rejection to the caller.
        String reason = MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_SUCH_IDENTITY_MAPPER, String.valueOf(mapperDN), String.valueOf(this.configEntryDN));
        list.add(reason);
        return false;
    }

    /**
     * Applies a new configuration to this handler.
     *
     * <p>The identity mapper named by the configuration is looked up first. If
     * it does not exist, nothing is changed and the result carries
     * {@code CONSTRAINT_VIOLATION} with an explanatory message. Otherwise the
     * handler switches to the new mapper and configuration.
     *
     * @param digestMD5SASLMechanismHandlerCfg the configuration to apply
     * @return the outcome; the boolean passed to the result is always {@code false}
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public ConfigChangeResult applyConfigurationChange(DigestMD5SASLMechanismHandlerCfg digestMD5SASLMechanismHandlerCfg) {
        ArrayList<String> messages = new ArrayList<String>();
        DN mapperDN = digestMD5SASLMechanismHandlerCfg.getIdentityMapperDN();
        IdentityMapper mapper = DirectoryServer.getIdentityMapper(mapperDN);
        if (mapper == null) {
            // Reject without touching the current mapper or configuration.
            messages.add(MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLDIGESTMD5_NO_SUCH_IDENTITY_MAPPER, String.valueOf(mapperDN), String.valueOf(this.configEntryDN)));
            return new ConfigChangeResult(ResultCode.CONSTRAINT_VIOLATION, false, messages);
        }
        this.identityMapper = mapper;
        this.currentConfig = digestMD5SASLMechanismHandlerCfg;
        return new ConfigChangeResult(ResultCode.SUCCESS, false, messages);
    }

    /**
     * Bridge overload that accepts a raw {@code List} and forwards to
     * {@link #isConfigurationChangeAcceptable2}.
     *
     * <p>The cast to {@code List<String>} is unchecked; the list is only
     * appended to by the target method.
     *
     * @param digestMD5SASLMechanismHandlerCfg the proposed configuration
     * @param list receives a message when the configuration is rejected
     * @return whatever {@code isConfigurationChangeAcceptable2} returns
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public /* bridge */ /* synthetic */ boolean isConfigurationChangeAcceptable(DigestMD5SASLMechanismHandlerCfg digestMD5SASLMechanismHandlerCfg, List list) {
        return isConfigurationChangeAcceptable2(digestMD5SASLMechanismHandlerCfg, (List<String>) list);
    }
}
