package org.postgresql.core.v3;

import java.io.IOException;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import org.postgresql.core.PGStream;
import org.postgresql.shaded.com.ongres.scram.client.ScramClient;
import org.postgresql.shaded.com.ongres.scram.common.ClientFinalMessage;
import org.postgresql.shaded.com.ongres.scram.common.ClientFirstMessage;
import org.postgresql.shaded.com.ongres.scram.common.StringPreparation;
import org.postgresql.shaded.com.ongres.scram.common.exception.ScramException;
import org.postgresql.shaded.com.ongres.scram.common.util.TlsServerEndpoint;
import org.postgresql.util.GT;
import org.postgresql.util.PSQLException;
import org.postgresql.util.PSQLState;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/postgresql-42.7.6.jar:org/postgresql/core/v3/ScramAuthenticator.class */
public final class ScramAuthenticator {
    private static final Logger LOGGER;
    private final PGStream pgStream;
    private final ScramClient scramClient;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/postgresql-42.7.6.jar:org/postgresql/core/v3/ScramAuthenticator$BodySender.class */
    public interface BodySender {
        void sendBody(PGStream pGStream) throws IOException;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ScramAuthenticator(char[] cArr, PGStream pGStream, Properties properties) throws PSQLException {
        this.pgStream = pGStream;
        this.scramClient = initializeScramClient(cArr, pGStream, properties);
    }

    private static ScramClient initializeScramClient(char[] cArr, PGStream pGStream, Properties properties) throws PSQLException {
        try {
            ChannelBindingOption of = ChannelBindingOption.of(properties);
            LOGGER.log(Level.FINEST, "channelBinding( {0} )", of);
            ScramClient build = ScramClient.builder().advertisedMechanisms(advertisedMechanisms(pGStream, of)).username("*").password(cArr).channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, getChannelBindingData(pGStream, of)).stringPreparation(StringPreparation.POSTGRESQL_PREPARATION).build();
            LOGGER.log(Level.FINEST, () -> {
                return " Using SCRAM mechanism: " + build.getScramMechanism().getName();
            });
            return build;
        } catch (IOException | IllegalArgumentException e) {
            throw new PSQLException(GT.tr("Invalid SCRAM client initialization", e), PSQLState.CONNECTION_REJECTED);
        }
    }

    private static List<String> advertisedMechanisms(PGStream pGStream, ChannelBindingOption channelBindingOption) throws PSQLException, IOException {
        ArrayList arrayList = new ArrayList();
        do {
            arrayList.add(pGStream.receiveString());
        } while (pGStream.peekChar() != 0);
        int receiveChar = pGStream.receiveChar();
        if (!$assertionsDisabled && receiveChar != 0) {
            throw new AssertionError();
        }
        if (arrayList.isEmpty()) {
            throw new PSQLException(GT.tr("Received AuthenticationSASL message with 0 mechanisms!", new Object[0]), PSQLState.CONNECTION_REJECTED);
        }
        LOGGER.log(Level.FINEST, " <=BE AuthenticationSASL( {0} )", arrayList);
        if (channelBindingOption != ChannelBindingOption.REQUIRE || arrayList.stream().anyMatch(str -> {
            return str.endsWith("-PLUS");
        })) {
            return arrayList;
        }
        throw new PSQLException(GT.tr("Channel Binding is required, but server did not offer an authentication method that supports channel binding", new Object[0]), PSQLState.CONNECTION_REJECTED);
    }

    private static byte[] getChannelBindingData(PGStream pGStream, ChannelBindingOption channelBindingOption) throws PSQLException {
        if (channelBindingOption == ChannelBindingOption.DISABLE) {
            return new byte[0];
        }
        Socket socket = pGStream.getSocket();
        if (socket instanceof SSLSocket) {
            try {
                Certificate[] peerCertificates = ((SSLSocket) socket).getSession().getPeerCertificates();
                if (peerCertificates != null && peerCertificates.length > 0) {
                    Certificate certificate = peerCertificates[0];
                    if (certificate instanceof X509Certificate) {
                        return TlsServerEndpoint.getChannelBindingData((X509Certificate) certificate);
                    }
                }
            } catch (CertificateEncodingException | SSLPeerUnverifiedException e) {
                LOGGER.log(Level.FINEST, "Error extracting channel binding data", e);
                if (channelBindingOption == ChannelBindingOption.REQUIRE) {
                    throw new PSQLException(GT.tr("Channel Binding is required, but could not extract channel binding data from SSL session", new Object[0]), PSQLState.CONNECTION_REJECTED);
                }
            }
        } else if (channelBindingOption == ChannelBindingOption.REQUIRE) {
            throw new PSQLException(GT.tr("Channel Binding is required, but SSL is not in use", new Object[0]), PSQLState.CONNECTION_REJECTED);
        }
        return new byte[0];
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void handleAuthenticationSASL() throws IOException {
        ClientFirstMessage clientFirstMessage = this.scramClient.clientFirstMessage();
        LOGGER.log(Level.FINEST, " FE=> SASLInitialResponse( {0} )", clientFirstMessage);
        byte[] bytes = this.scramClient.getScramMechanism().getName().getBytes(StandardCharsets.UTF_8);
        byte[] bytes2 = clientFirstMessage.toString().getBytes(StandardCharsets.UTF_8);
        sendAuthenticationMessage(bytes.length + 1 + 4 + bytes2.length, pGStream -> {
            pGStream.send(bytes);
            pGStream.sendChar(0);
            pGStream.sendInteger4(bytes2.length);
            pGStream.send(bytes2);
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void handleAuthenticationSASLContinue(int i) throws IOException, PSQLException {
        String receiveString = this.pgStream.receiveString(i);
        LOGGER.log(Level.FINEST, " <=BE AuthenticationSASLContinue( {0} )", receiveString);
        try {
            this.scramClient.serverFirstMessage(receiveString);
            ClientFinalMessage clientFinalMessage = this.scramClient.clientFinalMessage();
            LOGGER.log(Level.FINEST, " FE=> SASLResponse( {0} )", clientFinalMessage);
            byte[] bytes = clientFinalMessage.toString().getBytes(StandardCharsets.UTF_8);
            sendAuthenticationMessage(bytes.length, pGStream -> {
                pGStream.send(bytes);
            });
        } catch (IllegalArgumentException | IllegalStateException | ScramException e) {
            throw new PSQLException(GT.tr("SCRAM authentication failed: {0}", e.getMessage()), PSQLState.CONNECTION_REJECTED, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void handleAuthenticationSASLFinal(int i) throws IOException, PSQLException {
        String receiveString = this.pgStream.receiveString(i);
        LOGGER.log(Level.FINEST, " <=BE AuthenticationSASLFinal( {0} )", receiveString);
        try {
            this.scramClient.serverFinalMessage(receiveString);
        } catch (IllegalArgumentException | IllegalStateException | ScramException e) {
            throw new PSQLException(GT.tr("SCRAM authentication failed: {0}", e.getMessage()), PSQLState.CONNECTION_REJECTED, e);
        }
    }

    private void sendAuthenticationMessage(int i, BodySender bodySender) throws IOException {
        this.pgStream.sendChar(112);
        this.pgStream.sendInteger4(4 + i);
        bodySender.sendBody(this.pgStream);
        this.pgStream.flush();
    }

    static {
        $assertionsDisabled = !ScramAuthenticator.class.desiredAssertionStatus();
        LOGGER = Logger.getLogger(ScramAuthenticator.class.getName());
    }
}
