package org.keycloak.credential.hash;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.util.Base64;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.credential.PasswordCredentialModel;

/* loaded from: input_file:org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.class */
public class Pbkdf2PasswordHashProvider implements PasswordHashProvider {
    private final String providerId;
    private final String pbkdf2Algorithm;
    private final int defaultIterations;
    private final int derivedKeySize;
    public static final int DEFAULT_DERIVED_KEY_SIZE = 512;

    public Pbkdf2PasswordHashProvider(String str, String str2, int i) {
        this(str, str2, i, 512);
    }

    public Pbkdf2PasswordHashProvider(String str, String str2, int i, int i2) {
        this.providerId = str;
        this.pbkdf2Algorithm = str2;
        this.defaultIterations = i;
        this.derivedKeySize = i2;
    }

    @Override // org.keycloak.credential.hash.PasswordHashProvider
    public boolean policyCheck(PasswordPolicy passwordPolicy, PasswordCredentialModel passwordCredentialModel) {
        int hashIterations = passwordPolicy.getHashIterations();
        if (hashIterations == -1) {
            hashIterations = this.defaultIterations;
        }
        return passwordCredentialModel.getPasswordCredentialData().getHashIterations() == hashIterations && this.providerId.equals(passwordCredentialModel.getPasswordCredentialData().getAlgorithm()) && this.derivedKeySize == keySize(passwordCredentialModel);
    }

    @Override // org.keycloak.credential.hash.PasswordHashProvider
    public PasswordCredentialModel encodedCredential(String str, int i) {
        if (i == -1) {
            i = this.defaultIterations;
        }
        byte[] salt = getSalt();
        return PasswordCredentialModel.createFromValues(this.providerId, salt, i, encodedCredential(str, i, salt, this.derivedKeySize));
    }

    @Override // org.keycloak.credential.hash.PasswordHashProvider
    public String encode(String str, int i) {
        if (i == -1) {
            i = this.defaultIterations;
        }
        return encodedCredential(str, i, getSalt(), this.derivedKeySize);
    }

    @Override // org.keycloak.credential.hash.PasswordHashProvider
    public boolean verify(String str, PasswordCredentialModel passwordCredentialModel) {
        return encodedCredential(str, passwordCredentialModel.getPasswordCredentialData().getHashIterations(), passwordCredentialModel.getPasswordSecretData().getSalt(), keySize(passwordCredentialModel)).equals(passwordCredentialModel.getPasswordSecretData().getValue());
    }

    private int keySize(PasswordCredentialModel passwordCredentialModel) {
        try {
            return Base64.decode(passwordCredentialModel.getPasswordSecretData().getValue()).length * 8;
        } catch (IOException e) {
            throw new RuntimeException("Credential could not be decoded", e);
        }
    }

    @Override // org.keycloak.provider.Provider
    public void close() {
    }

    private String encodedCredential(String str, int i, byte[] bArr, int i2) {
        try {
            return Base64.encodeBytes(getSecretKeyFactory().generateSecret(new PBEKeySpec(str.toCharArray(), bArr, i, i2)).getEncoded());
        } catch (InvalidKeySpecException e) {
            throw new RuntimeException("Credential could not be encoded", e);
        } catch (Exception e2) {
            throw new RuntimeException(e2);
        }
    }

    private byte[] getSalt() {
        byte[] bArr = new byte[16];
        new SecureRandom().nextBytes(bArr);
        return bArr;
    }

    private SecretKeyFactory getSecretKeyFactory() {
        try {
            return CryptoIntegration.getProvider().getSecretKeyFact(this.pbkdf2Algorithm);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new RuntimeException("PBKDF2 algorithm not found", e);
        }
    }
}
