package org.jivesoftware.openfire.sasl;

import java.nio.charset.StandardCharsets;
import javax.annotation.Nonnull;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.jivesoftware.openfire.net.SASLAuthentication;
import org.jivesoftware.openfire.session.LocalIncomingServerSession;
import org.jivesoftware.util.SystemProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/sasl/ExternalServerSaslServer.class */
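/**
 * SASL server side of the EXTERNAL mechanism for incoming server-to-server (s2s) connections.
 *
 * <p>The peer's identity is taken from the {@code from} attribute of its stream (the session's
 * default identity), never from the SASL response itself. A peer may additionally send an authzid;
 * if it does, that value must be equal to the stream identity. The exchange succeeds only when the
 * peer's certificates verify for the stream identity, and the authorization ID recorded on success
 * is that stream identity - not the raw peer-supplied authzid.
 *
 * <p>Two separate properties govern the authzid requirement: {@link #PROPERTY_SASL_EXTERNAL_SERVER_REQUIRE_AUTHZID}
 * decides whether a peer that sends no initial response is challenged for one, and
 * {@code SASLAuthentication.EXTERNAL_S2S_REQUIRE_AUTHZID} decides whether an empty authzid is rejected.
 *
 * <p>No integrity or privacy layer is negotiated; {@link #wrap} and {@link #unwrap} always throw.
 * Instances are not thread-safe and serve a single authentication exchange.
 */
public class ExternalServerSaslServer implements SaslServer {
    private static final Logger Log = LoggerFactory.getLogger(ExternalServerSaslServer.class);

    /**
     * When {@code true}, a peer that provides no initial response receives an empty challenge so that
     * it can supply an authzid, instead of being authenticated under its stream identity directly.
     */
    public static final SystemProperty<Boolean> PROPERTY_SASL_EXTERNAL_SERVER_REQUIRE_AUTHZID = SystemProperty.Builder.ofType(Boolean.class)
        .setKey("xmpp.auth.sasl.external.server.require-authzid")
        .setDefaultValue(false)
        .setDynamic(true)
        .build();

    /** The SASL mechanism name, as advertised to peers. */
    public static final String NAME = "EXTERNAL";

    // True once a response has been evaluated, whether or not that evaluation succeeded.
    private boolean complete = false;
    // Set only by a fully successful exchange; stays null after a failed one.
    private String authorizationID = null;
    // Cleared by dispose(); the instance cannot be used for authentication afterwards.
    private LocalIncomingServerSession session;

    /**
     * Creates a server for the EXTERNAL mechanism bound to one incoming s2s session.
     *
     * @param localIncomingServerSession the session whose stream identity and peer certificates are verified
     * @throws SaslException never thrown by this implementation; declared for interface compatibility
     */
    public ExternalServerSaslServer(LocalIncomingServerSession localIncomingServerSession) throws SaslException {
        this.session = localIncomingServerSession;
    }

    /**
     * @return the mechanism name, {@value #NAME}
     */
    @Override
    public String getMechanismName() {
        return NAME;
    }

    /**
     * Evaluates the peer's (possibly empty) response.
     *
     * <p>An empty response that is not flagged as explicitly-empty in the session data is treated as
     * "no initial response": depending on {@link #PROPERTY_SASL_EXTERNAL_SERVER_REQUIRE_AUTHZID}, the
     * peer is either challenged with an empty challenge or authenticated under its stream identity.
     * Any other response is decoded as a UTF-8 authzid and must be empty or equal to the stream identity.
     *
     * @param response the peer's SASL response; empty when no initial response was sent
     * @return an empty challenge when an authzid is being requested, or {@code null} when the exchange is complete
     * @throws SaslFailureException if the stream has no {@code from} value, the authzid is missing while required,
     *         the authzid differs from the stream identity, or certificate verification fails
     * @throws IllegalStateException if the exchange already completed, or this instance was disposed
     */
    @Override
    public byte[] evaluateResponse(@Nonnull final byte[] response) throws SaslException {
        if (isComplete()) {
            throw new IllegalStateException("Authentication exchange already completed.");
        }
        if (session == null) {
            throw new IllegalStateException("SaslServer has been disposed.");
        }

        // The identity under which the peer will be authenticated comes from the stream, not from the response.
        final String defaultIdentity = session.getDefaultIdentity();
        if (defaultIdentity == null || defaultIdentity.isEmpty()) {
            throw new SaslFailureException(Failure.NOT_AUTHORIZED, "Peer does not provide 'from' attribute value on stream.");
        }

        final String requestedId;
        // The session-data flag presumably distinguishes an explicitly empty response from the absence of an
        // initial response (only the latter may result in a challenge) - confirm against the caller that sets it.
        if (response.length == 0 && session.getSessionData(SASLAuthentication.SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY) == null) {
            if (PROPERTY_SASL_EXTERNAL_SERVER_REQUIRE_AUTHZID.getValue()) {
                // Ask the peer to supply an authzid before completing the exchange.
                return new byte[0];
            }
            requestedId = defaultIdentity;
        } else {
            requestedId = new String(response, StandardCharsets.UTF_8);
        }

        // Marked complete before the checks below: a failed attempt cannot be retried on this instance
        // (a second call throws above) and authorizationID stays null when any check fails.
        complete = true;
        Log.trace("Completing handshake with '{}' using authzid value: '{}'", defaultIdentity, requestedId);

        if (SASLAuthentication.EXTERNAL_S2S_REQUIRE_AUTHZID.getValue() && requestedId.isEmpty()) {
            throw new SaslFailureException(Failure.INVALID_AUTHZID, "Peer does not provide authzid, which is required by configuration.");
        }
        // A peer-supplied authzid is only ever compared against the stream identity; it never becomes the
        // authenticated identity on its own.
        if (!requestedId.isEmpty() && !requestedId.equals(defaultIdentity)) {
            throw new SaslFailureException(Failure.INVALID_AUTHZID, "Stream 'from' attribute value '" + defaultIdentity + "' does not equal SASL authzid '" + requestedId + "'");
        }
        // The peer's certificate chain must verify for the stream identity, which is what gets recorded below.
        if (!SASLAuthentication.verifyCertificates(session.getConnection().getPeerCertificates(), defaultIdentity, true)) {
            throw new SaslFailureException(Failure.NOT_AUTHORIZED, "Server-to-Server certificate verification failed.");
        }

        authorizationID = defaultIdentity;
        Log.trace("Successfully authenticated '{}'", authorizationID);
        return null;
    }

    /**
     * @return {@code true} once a response has been evaluated, regardless of the outcome of that evaluation
     */
    @Override
    public boolean isComplete() {
        return complete;
    }

    /**
     * @return the authenticated stream identity, or {@code null} if the exchange completed unsuccessfully
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public String getAuthorizationID() {
        if (!isComplete()) {
            throw new IllegalStateException("Authentication exchange not completed.");
        }
        return authorizationID;
    }

    /**
     * Always throws: EXTERNAL negotiates no integrity or privacy layer.
     *
     * @throws IllegalStateException always
     */
    @Override
    public byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException {
        throw unsupportedSecurityLayer();
    }

    /**
     * Always throws: EXTERNAL negotiates no integrity or privacy layer.
     *
     * @throws IllegalStateException always
     */
    @Override
    public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException {
        throw unsupportedSecurityLayer();
    }

    // Builds the exception thrown by wrap()/unwrap(); the message depends on whether the exchange completed.
    private IllegalStateException unsupportedSecurityLayer() {
        if (isComplete()) {
            return new IllegalStateException("SASL Mechanism '" + getMechanismName() + "' does not support integrity nor privacy.");
        }
        return new IllegalStateException("Authentication exchange not completed.");
    }

    /**
     * Returns the negotiated property for {@code propName}. Only {@link Sasl#QOP} is known, and it is always
     * {@code "auth"} (authentication only, no security layer).
     *
     * @param propName the property name; may be {@code null}
     * @return {@code "auth"} for {@link Sasl#QOP}, {@code null} for anything else
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public Object getNegotiatedProperty(String propName) {
        if (!isComplete()) {
            throw new IllegalStateException("Authentication exchange not completed.");
        }
        // Constant-first comparison so a null property name yields null rather than an NPE.
        if (Sasl.QOP.equals(propName)) {
            return "auth";
        }
        return null;
    }

    /**
     * Resets all state and drops the reference to the session. The instance must not be used afterwards.
     */
    @Override
    public void dispose() throws SaslException {
        complete = false;
        authorizationID = null;
        session = null;
    }
}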
