package com.google.cloud.recaptcha.passwordcheck;

import com.google.cloud.recaptcha.passwordcheck.utils.BCScryptGenerator;
import com.google.cloud.recaptcha.passwordcheck.utils.CryptoHelper;
import com.google.cloud.recaptcha.passwordcheck.utils.ScryptGenerator;
import com.google.cloud.recaptcha.passwordcheck.utils.SensitiveString;
import com.google.common.hash.Hashing;
import com.google.privacy.encryption.commutative.EcCommutativeCipher;
import com.google.privacy.encryption.commutative.SupportedCurve;
import java.util.Collection;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutorService;
import java.util.function.Supplier;

/* loaded from: input_file:com/google/cloud/recaptcha/passwordcheck/PasswordCheckVerification.class */
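/**
 * Client-side state for one password leak check.
 *
 * <p>Each instance owns a freshly generated commutative EC cipher key on {@link #EC_CURVE}.
 * {@link #create} hashes the canonicalized username together with the password using
 * {@link #SCRYPT_GENERATOR}, encrypts that hash with the instance key, and derives a lookup
 * prefix from the canonicalized username. {@link #verify} later removes this instance's
 * encryption layer from a re-encrypted value and compares its SHA-256 digest against a list of
 * prefixes.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The getters hand out the internal {@code byte[]} fields without copying, so a caller
 *       that mutates a returned array also mutates this object's state.</li>
 *   <li>The cipher key exists only in this instance; a response can only be verified by the
 *       instance that produced the matching request.</li>
 *   <li>The raw (non-canonicalized) username is retained and passed on to the result object.</li>
 * </ul>
 */
public final class PasswordCheckVerification {
    /** Scrypt implementation used to hash the username/password pair. */
    static final ScryptGenerator SCRYPT_GENERATOR = new BCScryptGenerator();

    /** Curve on which the per-instance commutative cipher key is generated. */
    static final SupportedCurve EC_CURVE = SupportedCurve.SECP256R1;

    // Length passed to CryptoHelper.bucketizeUsername; presumably a bit count — TODO confirm
    // against CryptoHelper, which is not visible here.
    static final int USERNAME_HASH_PREFIX_LENGTH = 26;

    private final String username;

    // New key per instance; never leaves this object except through the package-private getter.
    private final EcCommutativeCipher cipher = EcCommutativeCipher.createWithNewKey(EC_CURVE);

    // Both arrays are assigned by the creator supplier before the instance is published through
    // the CompletableFuture returned by create().
    private byte[] encryptedUserCredentialsHash;
    private byte[] lookupHashPrefix;

    private PasswordCheckVerification(String username) {
        this.username = username;
    }

    /**
     * Returns the scrypt hash of the canonicalized username and password, encrypted with this
     * instance's cipher key.
     *
     * @return the internal array itself (not a copy); callers must not modify it
     */
    public byte[] getEncryptedUserCredentialsHash() {
        return this.encryptedUserCredentialsHash;
    }

    /**
     * Returns the same value as {@link #getEncryptedUserCredentialsHash()}.
     *
     * @return the internal array itself (not a copy); callers must not modify it
     * @deprecated use {@link #getEncryptedUserCredentialsHash()} instead
     */
    @Deprecated
    public byte[] getEncryptedLookupHash() {
        return this.encryptedUserCredentialsHash;
    }

    /**
     * Returns the lookup prefix derived from the canonicalized username.
     *
     * @return the internal array itself (not a copy); callers must not modify it
     */
    public byte[] getLookupHashPrefix() {
        return this.lookupHashPrefix;
    }

    /** Returns the per-instance cipher. Package-private: the key must not leave this package. */
    EcCommutativeCipher getCipher() {
        return this.cipher;
    }

    /**
     * Asynchronously builds a verification for the given credentials.
     *
     * <p>The scrypt hashing and the encryption run on {@code executorService}, not on the
     * calling thread.
     *
     * <p>Decompiler note: JADX reports that this method was package-private in the original
     * class file.
     *
     * @param str the username as supplied by the caller; it is canonicalized before hashing
     * @param sensitiveString the secret hashed together with the username (the password)
     * @param executorService executor that runs the hashing and encryption
     * @return a future completing with the populated verification
     */
    public static CompletableFuture<PasswordCheckVerification> create(String str, SensitiveString sensitiveString, ExecutorService executorService) {
        return CompletableFuture.supplyAsync(getCreatorSupplier(str, sensitiveString), executorService);
    }

    /**
     * Asynchronously checks a server response against this verification.
     *
     * <p>The re-encrypted value is decrypted with this instance's key, hashed with SHA-256, and
     * the digest is compared against every entry of the prefix list. The result reports a match
     * when at least one non-empty entry is a prefix of the digest.
     *
     * <p>Decompiler note: JADX reports that this method was package-private in the original
     * class file.
     *
     * @param bArr the re-encrypted lookup hash returned by the server
     * @param collection the encrypted leak-match prefixes returned by the server
     * @param executorService executor that runs the decryption and comparison
     * @return a future completing with the check result
     * @throws IllegalArgumentException synchronously, if {@code bArr} or {@code collection} is
     *     {@code null}
     */
    public CompletableFuture<PasswordCheckResult> verify(byte[] bArr, Collection<byte[]> collection, ExecutorService executorService) {
        if (bArr == null) {
            throw new IllegalArgumentException("reEncryptedLookupHash cannot be null");
        }
        if (collection == null) {
            throw new IllegalArgumentException("encryptedLeakMatchPrefixList cannot be null");
        }
        return CompletableFuture.supplyAsync(() -> {
            byte[] decrypted = this.cipher.decrypt(bArr);
            // The digest is the same for every candidate, so compute it once instead of once
            // per prefix.
            byte[] digest = Hashing.sha256().hashBytes(decrypted).asBytes();
            boolean anyPrefixMatches = collection.stream().anyMatch(prefix -> isPrefixMatch(digest, prefix));
            return new PasswordCheckResult(this, this.username, anyPrefixMatches);
        }, executorService);
    }

    /**
     * Builds the supplier that performs the expensive part of {@link #create}: canonicalize the
     * username, hash the credential pair, encrypt the hash, and derive the lookup prefix.
     */
    private static Supplier<PasswordCheckVerification> getCreatorSupplier(String username, SensitiveString password) {
        return () -> {
            PasswordCheckVerification verification = new PasswordCheckVerification(username);
            String canonicalUsername = CryptoHelper.canonicalizeUsername(username);
            byte[] credentialsHash = CryptoHelper.hashUsernamePasswordPair(canonicalUsername, password, SCRYPT_GENERATOR);
            verification.encryptedUserCredentialsHash = verification.cipher.encrypt(credentialsHash);
            verification.lookupHashPrefix = CryptoHelper.bucketizeUsername(canonicalUsername, USERNAME_HASH_PREFIX_LENGTH);
            return verification;
        };
    }

    /**
     * Reports whether {@code prefix} is a non-empty leading slice of {@code digest}.
     *
     * <p>The length guard is taken against the digest being indexed. The previous version
     * bounded the prefix by the length of the decrypted value while indexing the SHA-256 digest,
     * so a server-supplied prefix longer than the digest could raise
     * {@link ArrayIndexOutOfBoundsException} inside the async task whenever the decrypted value
     * was longer than the digest.
     *
     * <p>The comparison stops at the first differing byte; it is not constant-time.
     */
    private static boolean isPrefixMatch(byte[] digest, byte[] prefix) {
        if (prefix.length == 0 || prefix.length > digest.length) {
            return false;
        }
        for (int i = 0; i < prefix.length; i++) {
            if (digest[i] != prefix[i]) {
                return false;
            }
        }
        return true;
    }
}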
