package org.sonatype.nexus.security.internal;

import com.google.common.base.Preconditions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.HashingPasswordService;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Hash;
import org.bouncycastle.crypto.fips.FipsUnapprovedOperationError;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sonatype.nexus.crypto.CryptoHelper;
import org.sonatype.nexus.security.authc.AuthenticationFailureReason;
import org.sonatype.nexus.security.authc.NexusAuthenticationException;
import org.springframework.beans.factory.annotation.Value;

@Singleton
@Named("default")
/* loaded from: input_file:org/sonatype/nexus/security/internal/DefaultSecurityPasswordService.class */
public class DefaultSecurityPasswordService implements HashingPasswordService {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultSecurityPasswordService.class);
    private static final String SHIRO_PASSWORD_ALGORITHM = "shiro1";
    private static final String DEFAULT_HASH_ALGORITHM = "SHA-512";
    private static final int DEFAULT_HASH_ITERATIONS = 1024;
    private static final String FIPS_COMPLIANT_ALGORITHM = "$pbkdf2-sha256$";
    private static final String PBKDF2_SHA256 = "PBKDF2WithHmacSHA256";
    private static final int FIPS_ITERATIONS = 10000;
    private static final int SALT_LENGTH = 16;
    private static final int KEY_LENGTH = 256;
    private final DefaultPasswordService passwordService = new DefaultPasswordService();
    private final PasswordService legacyPasswordService;
    private final String nexusPasswordAlgorithm;
    private final CryptoHelper crypto;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/sonatype/nexus/security/internal/DefaultSecurityPasswordService$FipsHash.class */
    public static class FipsHash {
        String algorithm;
        int iterations;
        byte[] salt;
        byte[] hash;
        String fullHash;

        private FipsHash() {
        }

        void clear() {
            if (this.salt != null) {
                Arrays.fill(this.salt, (byte) 0);
            }
            if (this.hash != null) {
                Arrays.fill(this.hash, (byte) 0);
            }
        }
    }

    @Inject
    public DefaultSecurityPasswordService(@Named("legacy") PasswordService passwordService, @Value("${nexus.security.password.algorithm:shiro1}") @Named("${nexus.security.password.algorithm:-shiro1}") String str, CryptoHelper cryptoHelper) {
        this.legacyPasswordService = (PasswordService) Preconditions.checkNotNull(passwordService);
        this.nexusPasswordAlgorithm = (String) Preconditions.checkNotNull(str);
        DefaultHashService defaultHashService = new DefaultHashService();
        defaultHashService.setHashAlgorithmName("SHA-512");
        defaultHashService.setHashIterations(1024);
        defaultHashService.setGeneratePublicSalt(true);
        this.passwordService.setHashService(defaultHashService);
        this.crypto = (CryptoHelper) Preconditions.checkNotNull(cryptoHelper);
    }

    public String encryptPassword(Object obj) {
        if (this.nexusPasswordAlgorithm.equals(SHIRO_PASSWORD_ALGORITHM)) {
            return this.passwordService.encryptPassword(obj);
        }
        byte[] bArr = new byte[16];
        this.crypto.createSecureRandom().nextBytes(bArr);
        PBEKeySpec pBEKeySpec = new PBEKeySpec(convertToCharArray(obj), bArr, 10000, 256);
        try {
            try {
                byte[] encoded = SecretKeyFactory.getInstance(PBKDF2_SHA256).generateSecret(pBEKeySpec).getEncoded();
                pBEKeySpec.clearPassword();
                String format = String.format("%si=%d$%s$%s", FIPS_COMPLIANT_ALGORITHM, 10000, Base64.getEncoder().encodeToString(bArr), Base64.getEncoder().encodeToString(encoded));
                pBEKeySpec.clearPassword();
                return format;
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                log.error("Failed to encrypt password due to algorithm issue", e);
                throw new NexusAuthenticationException("Password is not strong enough", Set.of(AuthenticationFailureReason.UNKNOWN));
            } catch (FipsUnapprovedOperationError e2) {
                log.error("Failed to encrypt password", (Throwable) e2);
                throw new NexusAuthenticationException("Password is not strong enough", Set.of(AuthenticationFailureReason.INCORRECT_CREDENTIALS));
            }
        } catch (Throwable th) {
            pBEKeySpec.clearPassword();
            throw th;
        }
    }

    public boolean passwordsMatch(Object obj, String str) {
        if (str == null || obj == null) {
            return false;
        }
        if (!isFipsPassword(str)) {
            return this.passwordService.passwordsMatch(obj, str) || this.legacyPasswordService.passwordsMatch(obj, str);
        }
        try {
            FipsHash parseFipsHash = parseFipsHash(str);
            char[] convertToCharArray = convertToCharArray(obj);
            boolean verifyFipsHash = verifyFipsHash(convertToCharArray, parseFipsHash);
            Arrays.fill(convertToCharArray, (char) 0);
            parseFipsHash.clear();
            return verifyFipsHash;
        } catch (Exception e) {
            log.warn("FIPS password verification failed", (Throwable) e);
            return false;
        }
    }

    public Hash hashPassword(Object obj) {
        return this.passwordService.hashPassword(obj);
    }

    public boolean passwordsMatch(Object obj, Hash hash) {
        return this.passwordService.passwordsMatch(obj, hash);
    }

    private static char[] convertToCharArray(Object obj) {
        return obj == null ? new char[0] : obj instanceof char[] ? (char[]) ((char[]) obj).clone() : obj instanceof String ? ((String) obj).toCharArray() : obj.toString().toCharArray();
    }

    public static boolean isFipsPassword(String str) {
        return str != null && str.startsWith(FIPS_COMPLIANT_ALGORITHM);
    }

    private static FipsHash parseFipsHash(String str) throws IllegalArgumentException {
        String[] split = str.split("\\$");
        if (split.length < 5) {
            throw new IllegalArgumentException("Invalid FIPS hash format");
        }
        FipsHash fipsHash = new FipsHash();
        fipsHash.algorithm = split[1];
        try {
            fipsHash.iterations = Integer.parseInt(split[2].substring(2));
            fipsHash.salt = Base64.getDecoder().decode(split[3]);
            fipsHash.hash = Base64.getDecoder().decode(split[4]);
            fipsHash.fullHash = str;
            return fipsHash;
        } catch (Exception e) {
            throw new IllegalArgumentException("Failed to parse FIPS hash", e);
        }
    }

    private static boolean verifyFipsHash(char[] cArr, FipsHash fipsHash) {
        PBEKeySpec pBEKeySpec = new PBEKeySpec(cArr, fipsHash.salt, fipsHash.iterations, 256);
        try {
            try {
                boolean isEqual = MessageDigest.isEqual(SecretKeyFactory.getInstance(PBKDF2_SHA256).generateSecret(pBEKeySpec).getEncoded(), fipsHash.hash);
                pBEKeySpec.clearPassword();
                return isEqual;
            } catch (Exception e) {
                log.warn("FIPS verification failed", (Throwable) e);
                pBEKeySpec.clearPassword();
                return false;
            }
        } catch (Throwable th) {
            pBEKeySpec.clearPassword();
            throw th;
        }
    }
}
