package org.ejbca.core.ejb.authentication.cli;

import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import org.cesecore.authentication.AuthenticationFailedException;
import org.cesecore.authentication.tokens.AuthenticationToken;
import org.cesecore.authentication.tokens.UsernamePrincipal;
import org.cesecore.authorization.user.AccessUserAspect;
import org.cesecore.authorization.user.matchvalues.AccessMatchValue;
import org.ejbca.core.ejb.authentication.cli.exception.UninitializedCliAuthenticationTokenException;
import org.ejbca.util.crypto.BCrypt;
import org.ejbca.util.crypto.CryptoTools;
import org.ejbca.util.crypto.SupportedPasswordHashAlgorithm;

/* loaded from: input_file:org/ejbca/core/ejb/authentication/cli/CliAuthenticationToken.class */
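/**
 * Authentication token for command-line users.
 *
 * <p>The token carries a username, a reference number and a one-time hash. The hash is derived
 * from the user's password hash concatenated with the reference number (see
 * {@link #generateSha1Hash}). {@link #matches} asks
 * {@code CliAuthenticationTokenReferenceRegistry} to verify the hash, then unregisters the
 * reference number so the same token cannot be accepted twice.
 *
 * <p>Despite its name, {@code sha1Hash} holds a BCrypt output when the algorithm is
 * {@code SHA1_BCRYPT}; only the {@code SHA1_OLD} path goes through
 * {@code CryptoTools.makeOldPasswordHash}.
 *
 * <p>{@link #equals} and {@link #hashCode} include the mutable {@code isVerified} flag, so the
 * hash code changes once {@link #matches} succeeds. Do not rely on a token staying findable in a
 * hash-based collection across verification.
 */
public class CliAuthenticationToken extends AuthenticationToken {
    /** Token type identifier compared against by {@link #matchTokenType}. */
    public static final String TOKEN_TYPE = "CliAuthenticationToken";
    private static final long serialVersionUID = -3942437717641924829L;
    // Key under which this token is verified and unregistered in the reference registry.
    private final long referenceNumber;
    private final String userName;
    private final SupportedPasswordHashAlgorithm hashAlgorithm;
    // Salt used to hash a cleartext password under SHA1_BCRYPT.
    private String passwordSalt;
    // Salt passed to BCrypt when deriving the one-time hash under SHA1_BCRYPT.
    private final String sha1Salt;
    // One-time hash; null until a shared secret has been supplied.
    private String sha1Hash;
    // Not serialized; set once matches() has verified the token successfully.
    private transient boolean isVerified;

    /**
     * Creates a token for the given user.
     *
     * @param usernamePrincipal principal whose name becomes the token's username
     * @param str the user's password hash, or {@code null} to create a token without a shared
     *     secret (hash and password salt are then left {@code null})
     * @param str2 salt stored as {@code sha1Salt} and used for the one-time hash
     * @param j reference number of this token
     * @param supportedPasswordHashAlgorithm algorithm that selects the hashing path
     */
    public CliAuthenticationToken(final UsernamePrincipal usernamePrincipal, String str, String str2, long j, SupportedPasswordHashAlgorithm supportedPasswordHashAlgorithm) {
        // The anonymous HashSet subclass is kept as is: it declares its own serialVersionUID, and
        // swapping it for another Set implementation would change the class written when the
        // token is serialized.
        super(new HashSet<Principal>() {
            private static final long serialVersionUID = 5868667272584423392L;

            {
                add(usernamePrincipal);
            }
        }, (Set) null);
        this.isVerified = false;
        this.referenceNumber = j;
        this.userName = usernamePrincipal.getName();
        this.hashAlgorithm = supportedPasswordHashAlgorithm;
        this.sha1Salt = str2;
        if (str == null) {
            // No shared secret yet: matches() will refuse to run until a hash is set.
            this.sha1Hash = null;
            this.passwordSalt = null;
            return;
        }
        this.sha1Hash = generateSha1Hash(str, j);
        // Switching on the enum (rather than comparing with ==) makes a null algorithm fail with a
        // NullPointerException instead of silently taking the SHA1_OLD branch.
        switch (supportedPasswordHashAlgorithm) {
            case SHA1_BCRYPT:
                this.passwordSalt = CryptoTools.extractSaltFromPasswordHash(str);
                break;
            case SHA1_OLD:
            default:
                this.passwordSalt = null;
                break;
        }
    }

    /**
     * Derives the one-time hash from a password hash and a reference number.
     *
     * @param passwordHash the already hashed password; must not be {@code null}
     * @param reference reference number appended to the password hash before hashing
     * @return the BCrypt hash (salted with {@code sha1Salt}) for {@code SHA1_BCRYPT}, otherwise
     *     the result of {@code CryptoTools.makeOldPasswordHash}
     */
    private String generateSha1Hash(String passwordHash, long reference) {
        // concat() keeps the NullPointerException for a null password hash; '+' would instead
        // hash the literal text "null".
        final String material = passwordHash.concat(Long.toString(reference));
        switch (this.hashAlgorithm) {
            case SHA1_BCRYPT:
                return BCrypt.hashpw(material, this.sha1Salt);
            case SHA1_OLD:
            default:
                // NOTE(review): makeOldPasswordHash is not visible here; its name suggests a
                // legacy scheme kept for compatibility - confirm before relying on its strength.
                return CryptoTools.makeOldPasswordHash(material);
        }
    }

    /**
     * Checks this token against an access rule and, on first success, consumes it.
     *
     * @param accessUserAspect the rule to match against
     * @return {@code true} if the token was already verified or verifies now; {@code false} if the
     *     rule's token type or match value does not fit this token
     * @throws AuthenticationFailedException if the registry rejects the one-time hash, or if the
     *     reference number could not be unregistered (token already used)
     */
    public boolean matches(AccessUserAspect accessUserAspect) throws AuthenticationFailedException {
        if (this.sha1Hash == null) {
            throw new UninitializedCliAuthenticationTokenException("CliAuthenticationToken was matched without shared secret being set.");
        }
        if (this.isVerified) {
            return true;
        }
        final boolean typeFits = matchTokenType(accessUserAspect.getTokenType());
        if (!typeFits || !this.userName.equals(accessUserAspect.getMatchValue())) {
            return false;
        }
        // A failed verification throws before unregisterToken is reached, so the reference number
        // is still registered at this point. NOTE(review): whether the registry expires entries or
        // limits repeated attempts is not visible from this class - confirm.
        if (!CliAuthenticationTokenReferenceRegistry.INSTANCE.verifySha1Hash(Long.valueOf(this.referenceNumber), this.sha1Hash)) {
            throw new AuthenticationFailedException("Incorrect one-time hash was passed with CLI token, most likely due to an incorrect password.");
        }
        // Unregistering is the replay guard: a second use of the same reference number fails here.
        if (!CliAuthenticationTokenReferenceRegistry.INSTANCE.unregisterToken(Long.valueOf(this.referenceNumber))) {
            throw new AuthenticationFailedException("The same CLI authentication token was apparently used twice. This is either an implementation error or a replay attack.");
        }
        this.isVerified = true;
        return true;
    }

    /** @return the reference number this token was created with */
    public long getReferenceNumber() {
        return this.referenceNumber;
    }

    /** @return the one-time hash, or {@code null} if no shared secret has been set */
    public String getSha1Hash() {
        return this.sha1Hash;
    }

    /**
     * Sets the one-time hash from an already hashed password.
     *
     * @param str the password hash; must not be {@code null}
     */
    public void setSha1HashFromHashedPassword(String str) {
        this.sha1Hash = generateSha1Hash(str, this.referenceNumber);
    }

    /**
     * Hashes a cleartext password with the token's algorithm and sets the one-time hash from it.
     * The cleartext is only passed to the hash function and is not stored in this object.
     *
     * @param str the cleartext password
     */
    public void setSha1HashFromCleartextPassword(String str) {
        final String passwordHash;
        switch (this.hashAlgorithm) {
            case SHA1_BCRYPT:
                // passwordSalt is null for tokens created without a password hash unless
                // setPasswordSalt() was called first.
                passwordHash = BCrypt.hashpw(str, this.passwordSalt);
                break;
            case SHA1_OLD:
            default:
                passwordHash = CryptoTools.makeOldPasswordHash(str);
                break;
        }
        setSha1HashFromHashedPassword(passwordHash);
    }

    /**
     * Sets the one-time hash directly, without deriving it.
     *
     * @param str the value to store, may be {@code null}
     */
    public void setSha1Hash(String str) {
        this.sha1Hash = str;
    }

    /**
     * Copies this token without its one-time hash. The method is {@code clone()} in the original
     * class; the decompiler renamed it because it was merged with the bridge method.
     *
     * @return a new, unverified token with the same username, salts, reference number and
     *     algorithm, and a {@code null} hash
     */
    public CliAuthenticationToken m7clone() {
        final CliAuthenticationToken copy = new CliAuthenticationToken(new UsernamePrincipal(this.userName), null, this.sha1Salt, this.referenceNumber, this.hashAlgorithm);
        copy.setPasswordSalt(this.passwordSalt);
        return copy;
    }

    /** Combines the verified flag, reference number, hash and username. */
    @Override
    public int hashCode() {
        final int prime = 1337;
        int result = 1;
        result = prime * result + (this.isVerified ? 1231 : 1237);
        result = prime * result + (int) (this.referenceNumber ^ (this.referenceNumber >>> 32));
        result = prime * result + (this.sha1Hash == null ? 0 : this.sha1Hash.hashCode());
        result = prime * result + (this.userName == null ? 0 : this.userName.hashCode());
        return result;
    }

    /**
     * Two tokens are equal when they have the same class, verified flag, reference number, hash
     * and username. This is object equality only; hash verification is done by the registry in
     * {@link #matches}.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final CliAuthenticationToken other = (CliAuthenticationToken) obj;
        if (this.isVerified != other.isVerified || this.referenceNumber != other.referenceNumber) {
            return false;
        }
        final boolean sameHash = this.sha1Hash == null ? other.sha1Hash == null : this.sha1Hash.equals(other.sha1Hash);
        if (!sameHash) {
            return false;
        }
        return this.userName == null ? other.userName == null : this.userName.equals(other.userName);
    }

    /** @return the algorithm that selects the hashing path */
    public SupportedPasswordHashAlgorithm getHashAlgorithm() {
        return this.hashAlgorithm;
    }

    /** @return the salt used to hash a cleartext password, may be {@code null} */
    public String getPasswordSalt() {
        return this.passwordSalt;
    }

    /** @param str the salt to use when hashing a cleartext password */
    public void setPasswordSalt(String str) {
        this.passwordSalt = str;
    }

    /**
     * Tells whether a token type string names this token type.
     *
     * @param str the token type to test, may be {@code null}
     * @return {@code true} only if {@code str} equals {@link #TOKEN_TYPE}
     */
    public boolean matchTokenType(String str) {
        // Constant first: a null token type is a non-match, not a NullPointerException in the
        // middle of an authorization check.
        return TOKEN_TYPE.equals(str);
    }

    /** @return {@code CliUserAccessMatchValue.USERNAME}, the only match value of this token */
    public AccessMatchValue getDefaultMatchValue() {
        return CliUserAccessMatchValue.USERNAME;
    }

    /**
     * Maps a stored numeric value to a match value.
     *
     * @param num the numeric value, may be {@code null}
     * @return {@code CliUserAccessMatchValue.USERNAME} if {@code num} is its numeric value,
     *     otherwise {@code null}
     */
    public AccessMatchValue getMatchValueFromDatabaseValue(Integer num) {
        // A null value is treated like any other unknown value instead of failing on unboxing.
        if (num == null || num.intValue() != CliUserAccessMatchValue.USERNAME.getNumericValue()) {
            return null;
        }
        return CliUserAccessMatchValue.USERNAME;
    }
}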
