package com.orientechnologies.orient.core.security;

import com.orientechnologies.common.collection.OLRUCache;
import com.orientechnologies.common.exception.OException;
import com.orientechnologies.common.log.OLogManager;
import com.orientechnologies.orient.core.config.OGlobalConfiguration;
import com.orientechnologies.orient.core.exception.OConfigurationException;
import com.orientechnologies.orient.core.exception.OSecurityException;
import com.orientechnologies.orient.core.metadata.security.OSecurity;
import com.orientechnologies.orient.core.serialization.serializer.stream.OStreamSerializerHelper;
import com.tinkerpop.blueprints.util.StringFactory;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.tools.ant.util.JavaEnvUtils;

/* loaded from: input_file:WEB-INF/lib/orientdb-core-2.2.13.jar:com/orientechnologies/orient/core/security/OSecurityManager.class */
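/**
 * Process-wide helper that hashes and verifies user passwords and hands out the
 * configured {@link OSecurityFactory}.
 *
 * <p>Three stored-password formats are recognised by {@link #checkPassword(String, String)}:
 * <ul>
 *   <li>{@code {SHA-256}<HEX>}: a single unsalted SHA-256 digest. This is a fast hash with no
 *       salt and no work factor; it is kept for verification of existing records and is not a
 *       suitable choice for new password storage.</li>
 *   <li>{@code {PBKDF2WithHmacSHA1}<hash>:<salt>:<iterations>}</li>
 *   <li>{@code {PBKDF2WithHmacSHA256}<hash>:<salt>:<iterations>}</li>
 * </ul>
 * A stored value without any of these prefixes is compared as if it were the clear-text password.
 *
 * <p>Thread-safety: {@link #digestSHA256(String)} is synchronized because it shares one
 * {@link MessageDigest}; the optional derived-key cache is a synchronized map.
 */
public class OSecurityManager {
    /** Digest used for the legacy unsalted format and for {@link #createSHA256(String)}. */
    public static final String HASH_ALGORITHM = "SHA-256";
    public static final String HASH_ALGORITHM_PREFIX = "{SHA-256}";
    public static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";
    public static final String PBKDF2_ALGORITHM_PREFIX = "{PBKDF2WithHmacSHA1}";
    public static final String PBKDF2_SHA256_ALGORITHM = "PBKDF2WithHmacSHA256";
    public static final String PBKDF2_SHA256_ALGORITHM_PREFIX = "{PBKDF2WithHmacSHA256}";
    /** Length in bytes of the random salt generated for new PBKDF2 hashes. */
    public static final int SALT_SIZE = 24;
    /** Length in bytes of the PBKDF2 output generated for new hashes. */
    public static final int HASH_SIZE = 24;
    // Upper-case digits: stored hashes are compared case-sensitively, so the casing is part of the format.
    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();
    private static final OSecurityManager instance = new OSecurityManager();
    private volatile OSecurityFactory securityFactory = new OSecuritySharedFactory();
    // Shared SHA-256 instance; only touched from the synchronized digestSHA256().
    private MessageDigest md;
    // Optional cache of PBKDF2 outputs; stays null unless a positive cache size is configured.
    private static Map<String, byte[]> SALT_CACHE;

    /**
     * Creates a manager with its own SHA-256 {@link MessageDigest}. If the digest cannot be
     * obtained the error is only logged, and {@code md} stays {@code null}.
     */
    public OSecurityManager() {
        try {
            this.md = MessageDigest.getInstance(HASH_ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            OLogManager.instance().error(this, "Cannot use OSecurityManager", e, new Object[0]);
        }
    }

    /**
     * Hashes {@code str} (UTF-8 encoded) with the named message digest and returns upper-case hex.
     * The result is a plain unsalted digest.
     *
     * @param str  text to hash
     * @param str2 digest algorithm name, or {@code null} for {@link #HASH_ALGORITHM}
     * @return upper-case hexadecimal digest
     * @throws NoSuchAlgorithmException     if the digest algorithm is unknown to the JVM
     * @throws UnsupportedEncodingException kept in the signature for existing callers; UTF-8 is
     *                                      always available, so it is not thrown here
     */
    public static String createHash(String str, String str2) throws NoSuchAlgorithmException, UnsupportedEncodingException {
        String digestName = str2 != null ? str2 : HASH_ALGORITHM;
        return byteArrayToHexStr(MessageDigest.getInstance(digestName).digest(str.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the shared instance. */
    public static OSecurityManager instance() {
        return instance;
    }

    /**
     * Verifies a clear-text password against a stored value, choosing the scheme from the
     * stored value's {@code {ALGORITHM}} prefix.
     *
     * @param str  clear-text password supplied by the user
     * @param str2 stored password value
     * @return {@code true} only when the password matches; {@code false} when either argument
     *         is {@code null}
     * @throws IllegalArgumentException if a PBKDF2 record is not {@code <hash>:<salt>:<iterations>}
     */
    public boolean checkPassword(String str, String str2) {
        if (str == null || str2 == null) {
            // Fail closed: a missing password or missing stored value can never authenticate.
            return false;
        }
        if (str2.startsWith(HASH_ALGORITHM_PREFIX)) {
            String storedHex = str2.substring(HASH_ALGORITHM_PREFIX.length());
            // MessageDigest.isEqual instead of String.equals, so the comparison time does not
            // depend on how many leading characters of the digest match.
            return MessageDigest.isEqual(
                    createSHA256(str).getBytes(StandardCharsets.UTF_8),
                    storedHex.getBytes(StandardCharsets.UTF_8));
        }
        if (str2.startsWith(PBKDF2_ALGORITHM_PREFIX)) {
            return checkPasswordWithSalt(str, str2.substring(PBKDF2_ALGORITHM_PREFIX.length()), PBKDF2_ALGORITHM);
        }
        if (str2.startsWith(PBKDF2_SHA256_ALGORITHM_PREFIX)) {
            return checkPasswordWithSalt(str, str2.substring(PBKDF2_SHA256_ALGORITHM_PREFIX.length()), PBKDF2_SHA256_ALGORITHM);
        }
        // No recognised prefix: the stored value is treated as the clear-text password. Both
        // sides are digested first so the comparison runs over equal-length arrays.
        // NOTE(review): records reaching this branch hold an unhashed password at rest and are
        // worth auditing for and re-hashing.
        return MessageDigest.isEqual(digestSHA256(str), digestSHA256(str2));
    }

    /**
     * Returns the upper-case hex SHA-256 of {@code str}, or {@code null} when {@code str} is null.
     */
    public String createSHA256(String str) {
        return byteArrayToHexStr(digestSHA256(str));
    }

    /**
     * Hashes a password with the named algorithm, optionally prefixed with {@code {ALGORITHM}}.
     *
     * <p>The algorithm name is matched case-insensitively but the emitted prefix always uses the
     * canonical constant. {@link #checkPassword(String, String)} matches prefixes
     * case-sensitively, so a prefix echoing the caller's casing (for example {@code {sha-256}})
     * would produce a value that can never be verified.
     *
     * @param str  clear-text password
     * @param str2 {@link #HASH_ALGORITHM}, {@link #PBKDF2_ALGORITHM} or
     *             {@link #PBKDF2_SHA256_ALGORITHM} (any casing)
     * @param z    whether to prepend the {@code {ALGORITHM}} prefix
     * @return the hash, prefixed when {@code z} is true
     * @throws IllegalArgumentException if an argument is null or the algorithm is not supported
     */
    public String createHash(String str, String str2, boolean z) {
        if (str == null) {
            throw new IllegalArgumentException("Input string is null");
        }
        if (str2 == null) {
            throw new IllegalArgumentException("Algorithm is null");
        }
        String canonical = canonicalAlgorithmName(str2);
        if (canonical == null) {
            throw new IllegalArgumentException("Algorithm '" + str2 + "' is not supported");
        }
        // May substitute PBKDF2WithHmacSHA1 on a runtime without PBKDF2WithHmacSHA256; the prefix
        // below names the algorithm actually used.
        String algorithm = validateAlgorithm(canonical);
        String hash;
        if (HASH_ALGORITHM.equals(algorithm)) {
            hash = createSHA256(str);
        } else {
            hash = createHashWithSalt(str, OGlobalConfiguration.SECURITY_USER_PASSWORD_SALT_ITERATIONS.getValueAsInteger(), algorithm);
        }
        StringBuilder sb = new StringBuilder(128);
        if (z) {
            sb.append('{').append(algorithm).append('}');
        }
        return sb.append(hash).toString();
    }

    /**
     * Computes the SHA-256 digest of {@code str} encoded as UTF-8.
     *
     * @return the 32-byte digest, or {@code null} when {@code str} is null
     */
    public synchronized byte[] digestSHA256(String str) {
        if (str == null) {
            return null;
        }
        // MessageDigest is stateful and not thread-safe, hence the synchronized method.
        return this.md.digest(str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Hashes a password with the configured default iteration count and default algorithm.
     *
     * @return {@code <hash>:<salt>:<iterations>} without an algorithm prefix
     */
    public String createHashWithSalt(String str) {
        return createHashWithSalt(str, OGlobalConfiguration.SECURITY_USER_PASSWORD_SALT_ITERATIONS.getValueAsInteger(), OGlobalConfiguration.SECURITY_USER_PASSWORD_DEFAULT_ALGORITHM.getValueAsString());
    }

    /**
     * Derives a PBKDF2 hash of {@code str} with a fresh random salt.
     *
     * <p>The returned string does not record which algorithm was used, and the algorithm may have
     * been substituted by {@code validateAlgorithm}; the caller must persist that information
     * separately (for example through {@link #createHash(String, String, boolean)}).
     *
     * @param str  clear-text password
     * @param i    PBKDF2 iteration count
     * @param str2 PBKDF2 algorithm name
     * @return {@code <hash>:<salt>:<iterations>} with hash and salt in upper-case hex
     */
    public String createHashWithSalt(String str, int i, String str2) {
        byte[] salt = new byte[SALT_SIZE];
        new SecureRandom().nextBytes(salt);
        byte[] derived = getPbkdf2(str, salt, i, HASH_SIZE, validateAlgorithm(str2));
        // StringFactory.COLON is the ':' separator of the <hash>:<salt>:<iterations> layout.
        return byteArrayToHexStr(derived) + StringFactory.COLON + byteArrayToHexStr(salt) + StringFactory.COLON + i;
    }

    /** Verifies {@code str} against {@code <hash>:<salt>:<iterations>} using the configured default algorithm. */
    public boolean checkPasswordWithSalt(String str, String str2) {
        return checkPasswordWithSalt(str, str2, OGlobalConfiguration.SECURITY_USER_PASSWORD_DEFAULT_ALGORITHM.getValueAsString());
    }

    /**
     * Verifies a password against a stored {@code <hash>:<salt>:<iterations>} record.
     *
     * @param str  clear-text password
     * @param str2 stored record without the algorithm prefix
     * @param str3 PBKDF2 algorithm name
     * @return {@code true} when the derived key equals the stored hash; {@code false} when it
     *         differs or the algorithm is not available on this runtime
     * @throws IllegalArgumentException if the record does not have exactly three parts or its
     *                                  numeric fields cannot be parsed
     */
    public boolean checkPasswordWithSalt(String str, String str2, String str3) {
        if (!isAlgorithmSupported(str3)) {
            OLogManager.instance().error(this, "The password hash algorithm is not supported: %s", str3);
            return false;
        }
        String[] parts = str2.split(StringFactory.COLON);
        if (parts.length != 3) {
            throw new IllegalArgumentException("Hash does not contain the requested parts: <hash>:<salt>:<iterations>");
        }
        byte[] storedHash = hexToByteArray(parts[0]);
        byte[] salt = hexToByteArray(parts[1]);
        // NOTE(review): the iteration count and the derived-key length both come from the stored
        // record and are not bounded here, so the cost and strength of this check are whatever
        // the record says. Consider enforcing a minimum and maximum if records can be written by
        // less-trusted parties.
        int iterations = Integer.parseInt(parts[2]);
        return MessageDigest.isEqual(storedHash, getPbkdf2(str, salt, iterations, storedHash.length, str3));
    }

    /**
     * Runs PBKDF2, consulting the optional derived-key cache first.
     *
     * @param password       clear-text password
     * @param salt           salt bytes
     * @param iterations     PBKDF2 iteration count
     * @param keyLengthBytes requested output length in bytes
     * @param algorithm      {@link SecretKeyFactory} algorithm name
     * @return the derived key (the cached array itself on a cache hit; callers must not modify it)
     * @throws OSecurityException wrapping any failure while deriving the key
     */
    private byte[] getPbkdf2(String password, byte[] salt, int iterations, int keyLengthBytes, String algorithm) {
        String cacheKey = null;
        if (SALT_CACHE != null) {
            // The key is only built when the cache is enabled. It includes the algorithm so that
            // a key derived with one PRF is never returned for a request that names another.
            // NOTE(review): the key embeds a single SHA-256 over password + salt and sits in the
            // heap next to the derived key, so a memory or heap-dump disclosure exposes material
            // that is much cheaper to test guesses against than the PBKDF2 output. Weigh that
            // against the login-latency benefit before enabling the cache.
            cacheKey = createSHA256(password + new String(salt))
                    + OStreamSerializerHelper.SEPARATOR + Arrays.toString(salt)
                    + OStreamSerializerHelper.SEPARATOR + iterations
                    + OStreamSerializerHelper.SEPARATOR + keyLengthBytes
                    + OStreamSerializerHelper.SEPARATOR + algorithm;
            byte[] cached = SALT_CACHE.get(cacheKey);
            if (cached != null) {
                return cached;
            }
        }
        try {
            // PBEKeySpec takes the key length in bits.
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyLengthBytes * 8);
            byte[] derived = SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
            if (SALT_CACHE != null) {
                SALT_CACHE.put(cacheKey, derived);
            }
            return derived;
        } catch (Exception e) {
            throw OException.wrapException(new OSecurityException("Cannot create a key with '" + algorithm + "' algorithm"), e);
        }
    }

    /**
     * Reports whether the algorithm can be used on this runtime. Only PBKDF2WithHmacSHA256 is
     * ever reported as unsupported, and only when the runtime's implementation version starts
     * with the Java 1.7 marker; every other name (including {@code null}) is passed through.
     */
    private static boolean isAlgorithmSupported(String algorithm) {
        // Case-insensitive so that a differently-cased name gets the same treatment.
        if (!PBKDF2_SHA256_ALGORITHM.equalsIgnoreCase(algorithm)) {
            return true;
        }
        Package runtimePackage = Runtime.class.getPackage();
        if (runtimePackage == null) {
            return true;
        }
        String version = runtimePackage.getImplementationVersion();
        return version == null || !version.startsWith(JavaEnvUtils.JAVA_1_7);
    }

    /**
     * Returns the algorithm to use, substituting {@link #PBKDF2_ALGORITHM} when the requested one
     * is not supported on this runtime.
     */
    private String validateAlgorithm(String requested) {
        if (isAlgorithmSupported(requested)) {
            return requested;
        }
        // NOTE(review): this is a downgrade to the SHA-1 based PRF and is only visible at debug
        // level; operators who need to notice it may want it logged more prominently.
        String fallback = PBKDF2_ALGORITHM;
        OLogManager.instance().debug(this, "The %s algorithm is not supported, downgrading to %s", requested, fallback);
        return fallback;
    }

    /** Maps a supported algorithm name in any casing to its canonical constant, or {@code null} if unknown. */
    private static String canonicalAlgorithmName(String algorithm) {
        if (HASH_ALGORITHM.equalsIgnoreCase(algorithm)) {
            return HASH_ALGORITHM;
        }
        if (PBKDF2_ALGORITHM.equalsIgnoreCase(algorithm)) {
            return PBKDF2_ALGORITHM;
        }
        if (PBKDF2_SHA256_ALGORITHM.equalsIgnoreCase(algorithm)) {
            return PBKDF2_SHA256_ALGORITHM;
        }
        return null;
    }

    /**
     * Encodes bytes as upper-case hexadecimal.
     *
     * @return two hex characters per byte, or {@code null} when {@code bArr} is null
     */
    public static String byteArrayToHexStr(byte[] bArr) {
        if (bArr == null) {
            return null;
        }
        char[] hex = new char[bArr.length * 2];
        int out = 0;
        for (byte value : bArr) {
            hex[out++] = HEX_DIGITS[(value & 0xF0) >> 4];
            hex[out++] = HEX_DIGITS[value & 0x0F];
        }
        return new String(hex);
    }

    /**
     * Decodes a hexadecimal string into bytes. A trailing unpaired character is ignored, and a
     * pair that is not valid hexadecimal raises {@link NumberFormatException}.
     */
    private static byte[] hexToByteArray(String hex) {
        byte[] decoded = new byte[hex.length() / 2];
        for (int i = 0; i < decoded.length; i++) {
            int start = 2 * i;
            decoded[i] = (byte) Integer.parseInt(hex.substring(start, start + 2), 16);
        }
        return decoded;
    }

    /**
     * Instantiates the credential interceptor class named in the client configuration.
     *
     * @return a new interceptor, or {@code null} when none is configured, the class does not
     *         implement {@link OCredentialInterceptor}, or loading/instantiation fails
     */
    public OCredentialInterceptor newCredentialInterceptor() {
        OCredentialInterceptor interceptor = null;
        try {
            String className = OGlobalConfiguration.CLIENT_CREDENTIAL_INTERCEPTOR.getValueAsString();
            if (className != null) {
                // NOTE(review): the class is loaded (and initialised) by name from configuration
                // before the type check below, so whoever can set this option chooses code that
                // runs in this process. Treat the option as privileged configuration.
                Class<?> cls = Class.forName(className);
                if (OCredentialInterceptor.class.isAssignableFrom(cls)) {
                    interceptor = (OCredentialInterceptor) cls.newInstance();
                }
            }
        } catch (Exception e) {
            // Best effort: a misconfigured interceptor is reported at debug level only and the
            // caller receives null.
            OLogManager.instance().debug(this, "newCredentialInterceptor() Exception creating CredentialInterceptor", e, new Object[0]);
        }
        return interceptor;
    }

    /** Returns the factory currently used by {@link #newSecurity()}. */
    public OSecurityFactory getSecurityFactory() {
        return this.securityFactory;
    }

    /**
     * Replaces the security factory; passing {@code null} restores a new
     * {@link OSecuritySharedFactory}.
     */
    public void setSecurityFactory(OSecurityFactory oSecurityFactory) {
        this.securityFactory = oSecurityFactory != null ? oSecurityFactory : new OSecuritySharedFactory();
    }

    /** Creates an {@link OSecurity} from the current factory, or returns {@code null} if there is none. */
    public OSecurity newSecurity() {
        // Read the volatile field once so the null check and the call see the same factory.
        OSecurityFactory factory = this.securityFactory;
        return factory != null ? factory.newSecurity() : null;
    }

    static {
        // The derived-key cache exists only when a positive size is configured.
        SALT_CACHE = null;
        int cacheSize = OGlobalConfiguration.SECURITY_USER_PASSWORD_SALT_CACHE_SIZE.getValueAsInteger();
        if (cacheSize > 0) {
            SALT_CACHE = Collections.synchronizedMap(new OLRUCache(cacheSize));
        }
    }
}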
