package org.postgresql.core.v3;

import java.io.IOException;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import org.postgresql.core.PGStream;
import org.postgresql.shaded.com.ongres.scram.client.ScramClient;
import org.postgresql.shaded.com.ongres.scram.common.ClientFinalMessage;
import org.postgresql.shaded.com.ongres.scram.common.ClientFirstMessage;
import org.postgresql.shaded.com.ongres.scram.common.StringPreparation;
import org.postgresql.shaded.com.ongres.scram.common.exception.ScramException;
import org.postgresql.shaded.com.ongres.scram.common.util.TlsServerEndpoint;
import org.postgresql.util.GT;
import org.postgresql.util.PSQLException;
import org.postgresql.util.PSQLState;
import org.slf4j.Marker;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
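/**
 * Client side of the SCRAM (SASL) authentication exchange with a PostgreSQL backend.
 *
 * <p>The constructor reads the mechanisms advertised in the AuthenticationSASL message and
 * builds the {@link ScramClient}; the {@code handleAuthenticationSASL*} methods then drive the
 * three steps of the exchange over the same {@link PGStream}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>At {@link Level#FINEST} the complete SCRAM messages (client-first, server-first,
 *       client-final, server-final) are written to the log. Together they are sufficient
 *       material for offline password guessing, so logs captured at that level must be handled
 *       as sensitive data.</li>
 *   <li>With {@code ChannelBindingOption.REQUIRE} this class fails closed: the connection is
 *       rejected when no {@code -PLUS} mechanism is offered or when no channel binding data can
 *       be derived from the TLS session.</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler; the {@code lambda$...} methods and
 * {@code $assertionsDisabled} are kept only so that the class keeps the members it had.
 */
public final class ScramAuthenticator {
    static final /* synthetic */ boolean $assertionsDisabled = false;
    private static final Logger LOGGER = Logger.getLogger(ScramAuthenticator.class.getName());
    private final PGStream pgStream;
    private final ScramClient scramClient;

    /** Writes the body of one frontend authentication message to the given stream. */
    public interface BodySender {
        void sendBody(PGStream pGStream) throws IOException;
    }

    /**
     * Reads the advertised mechanisms from {@code pGStream} and prepares the SCRAM client.
     *
     * @param cArr the password; it is handed to the SCRAM client as is and not cleared here
     * @param pGStream the connection stream, positioned at the mechanism list
     * @param properties connection properties, used to resolve the channel binding option
     * @throws PSQLException if the SCRAM client cannot be initialized or a channel binding
     *     requirement cannot be met
     */
    public ScramAuthenticator(char[] cArr, PGStream pGStream, Properties properties) throws PSQLException {
        this.pgStream = pGStream;
        this.scramClient = initializeScramClient(cArr, pGStream, properties);
    }

    /**
     * Reads the list of SASL mechanisms offered by the server.
     *
     * <p>The list is read until a zero byte is peeked, and that terminator is then consumed.
     * The terminator is checked <em>before</em> each read so that a message carrying no
     * mechanism at all reaches the "0 mechanisms" rejection instead of being read as one
     * empty mechanism name.
     *
     * @throws PSQLException if no mechanism was offered, or if channel binding is required and
     *     none of the offered mechanisms ends in {@code -PLUS}
     */
    private static List<String> advertisedMechanisms(PGStream pGStream, ChannelBindingOption channelBindingOption) throws PSQLException, IOException {
        List<String> mechanisms = new ArrayList<>();
        while (pGStream.peekChar() != 0) {
            mechanisms.add(pGStream.receiveString());
        }
        // Consume the zero byte that ends the list.
        pGStream.receiveChar();
        if (mechanisms.isEmpty()) {
            throw new PSQLException(GT.tr("Received AuthenticationSASL message with 0 mechanisms!"), PSQLState.CONNECTION_REJECTED);
        }
        LOGGER.log(Level.FINEST, " <=BE AuthenticationSASL( {0} )", mechanisms);
        if (channelBindingOption == ChannelBindingOption.REQUIRE
                && mechanisms.stream().noneMatch(name -> name.endsWith("-PLUS"))) {
            // The list comes from the peer; a required binding must never be silently dropped
            // because the offer omitted every channel-binding mechanism.
            throw new PSQLException(GT.tr("Channel Binding is required, but server did not offer an authentication method that supports channel binding"), PSQLState.CONNECTION_REJECTED);
        }
        return mechanisms;
    }

    /**
     * Derives the tls-server-end-point channel binding data from the peer certificate.
     *
     * <p>Returns an empty array when channel binding is disabled, or when it is optional and no
     * data could be obtained. When channel binding is required, every path that yields no data
     * is rejected: no TLS socket, no peer certificate, a first certificate that is not X.509,
     * an extraction error, or an empty result from {@link TlsServerEndpoint}.
     *
     * @throws PSQLException if channel binding is required and no binding data is available
     */
    private static byte[] getChannelBindingData(PGStream pGStream, ChannelBindingOption channelBindingOption) throws PSQLException {
        if (channelBindingOption == ChannelBindingOption.DISABLE) {
            return new byte[0];
        }
        boolean required = channelBindingOption == ChannelBindingOption.REQUIRE;
        Socket socket = pGStream.getSocket();
        if (!(socket instanceof SSLSocket)) {
            if (required) {
                throw new PSQLException(GT.tr("Channel Binding is required, but SSL is not in use"), PSQLState.CONNECTION_REJECTED);
            }
            return new byte[0];
        }
        byte[] bindingData = new byte[0];
        try {
            Certificate[] peerCertificates = ((SSLSocket) socket).getSession().getPeerCertificates();
            // Only the first certificate of the chain is used for the binding.
            if (peerCertificates != null && peerCertificates.length > 0
                    && peerCertificates[0] instanceof X509Certificate) {
                bindingData = TlsServerEndpoint.getChannelBindingData((X509Certificate) peerCertificates[0]);
            }
        } catch (CertificateEncodingException | SSLPeerUnverifiedException e) {
            LOGGER.log(Level.FINEST, "Error extracting channel binding data", e);
        }
        if (required && (bindingData == null || bindingData.length == 0)) {
            // Fail closed. Previously only the exception path was rejected, so a missing or
            // non-X.509 certificate let a "required" connection continue with no binding data.
            throw new PSQLException(GT.tr("Channel Binding is required, but could not extract channel binding data from SSL session"), PSQLState.CONNECTION_REJECTED);
        }
        return bindingData;
    }

    /**
     * Builds the SCRAM client from the advertised mechanisms, the password and the channel
     * binding data.
     *
     * <p>The mechanisms are read from the stream before the binding data is computed, which
     * keeps the order of stream reads unchanged.
     *
     * @throws PSQLException if reading the mechanisms fails, the builder rejects its input, or
     *     a channel binding requirement cannot be met
     */
    private static ScramClient initializeScramClient(char[] cArr, PGStream pGStream, Properties properties) throws PSQLException {
        try {
            ChannelBindingOption bindingOption = ChannelBindingOption.of(properties);
            LOGGER.log(Level.FINEST, "channelBinding( {0} )", bindingOption);
            List<String> mechanisms = advertisedMechanisms(pGStream, bindingOption);
            byte[] bindingData = getChannelBindingData(pGStream, bindingOption);
            // NOTE(review): which mechanism is finally selected is decided inside ScramClient
            // and is not visible here; confirm that REQUIRE always ends on a -PLUS mechanism.
            final ScramClient client = ScramClient.builder()
                    .advertisedMechanisms(mechanisms)
                    // "*" is a placeholder user name (the decompiler had substituted an
                    // unrelated constant holding the same value).
                    .username("*")
                    .password(cArr)
                    .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, bindingData)
                    .stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
                    .build();
            LOGGER.log(Level.FINEST, () -> lambda$initializeScramClient$0(client));
            return client;
        } catch (IOException | IllegalArgumentException e) {
            // Keep the cause: it was previously passed to GT.tr as an unused format argument
            // and therefore lost to anyone diagnosing the rejected connection.
            throw new PSQLException(GT.tr("Invalid SCRAM client initialization"), PSQLState.CONNECTION_REJECTED, e);
        }
    }

    /**
     * Writes the SASLInitialResponse body: mechanism name, a zero terminator, the 4-byte length
     * of the initial response, then the response itself.
     */
    public static /* synthetic */ void lambda$handleAuthenticationSASL$2(byte[] bArr, byte[] bArr2, PGStream pGStream) throws IOException {
        pGStream.send(bArr);
        pGStream.sendChar(0);
        pGStream.sendInteger4(bArr2.length);
        pGStream.send(bArr2);
    }

    /** Builds the log line naming the SCRAM mechanism the client selected. */
    public static /* synthetic */ String lambda$initializeScramClient$0(ScramClient scramClient) {
        return " Using SCRAM mechanism: " + scramClient.getScramMechanism().getName();
    }

    /**
     * Sends one frontend authentication message and flushes the stream.
     *
     * @param i length of the body in bytes; 4 is added for the length field itself
     * @param bodySender writes exactly {@code i} bytes of body
     */
    private void sendAuthenticationMessage(int i, BodySender bodySender) throws IOException {
        // 'p' (112) is the message type byte used for every message sent by this class.
        this.pgStream.sendChar('p');
        this.pgStream.sendInteger4(i + 4);
        bodySender.sendBody(this.pgStream);
        this.pgStream.flush();
    }

    /**
     * Sends the SASLInitialResponse carrying the selected mechanism and the client-first
     * message.
     */
    public void handleAuthenticationSASL() throws IOException {
        ClientFirstMessage clientFirstMessage = this.scramClient.clientFirstMessage();
        LOGGER.log(Level.FINEST, " FE=> SASLInitialResponse( {0} )", clientFirstMessage);
        final byte[] mechanismName = this.scramClient.getScramMechanism().getName().getBytes(StandardCharsets.UTF_8);
        final byte[] initialResponse = clientFirstMessage.toString().getBytes(StandardCharsets.UTF_8);
        // 5 = one zero terminator after the mechanism name + the 4-byte response length.
        sendAuthenticationMessage(mechanismName.length + 5 + initialResponse.length,
                out -> lambda$handleAuthenticationSASL$2(mechanismName, initialResponse, out));
    }

    /**
     * Processes the server-first message and answers with the client-final message.
     *
     * @param i number of bytes of the server-first message to read from the stream
     * @throws PSQLException if the SCRAM client rejects the server message
     */
    public void handleAuthenticationSASLContinue(int i) throws IOException, PSQLException {
        String serverFirst = this.pgStream.receiveString(i);
        LOGGER.log(Level.FINEST, " <=BE AuthenticationSASLContinue( {0} )", serverFirst);
        try {
            this.scramClient.serverFirstMessage(serverFirst);
            ClientFinalMessage clientFinalMessage = this.scramClient.clientFinalMessage();
            // The client-final message is logged in full at FINEST; see the class comment.
            LOGGER.log(Level.FINEST, " FE=> SASLResponse( {0} )", clientFinalMessage);
            final byte[] response = clientFinalMessage.toString().getBytes(StandardCharsets.UTF_8);
            sendAuthenticationMessage(response.length, out -> out.send(response));
        } catch (IllegalArgumentException | IllegalStateException | ScramException e) {
            throw new PSQLException(GT.tr("SCRAM authentication failed: {0}", e.getMessage()), PSQLState.CONNECTION_REJECTED, e);
        }
    }

    /**
     * Hands the server-final message to the SCRAM client; any rejection ends the connection
     * attempt.
     *
     * @param i number of bytes of the server-final message to read from the stream
     * @throws PSQLException if the SCRAM client rejects the server-final message
     */
    public void handleAuthenticationSASLFinal(int i) throws IOException, PSQLException {
        String serverFinal = this.pgStream.receiveString(i);
        LOGGER.log(Level.FINEST, " <=BE AuthenticationSASLFinal( {0} )", serverFinal);
        try {
            this.scramClient.serverFinalMessage(serverFinal);
        } catch (IllegalArgumentException | IllegalStateException | ScramException e) {
            throw new PSQLException(GT.tr("SCRAM authentication failed: {0}", e.getMessage()), PSQLState.CONNECTION_REJECTED, e);
        }
    }
}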
