package org.keycloak.crypto.hash;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Semaphore;
import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
import org.bouncycastle.crypto.params.Argon2Parameters;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.credential.hash.Salt;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.credential.PasswordCredentialModel;
import org.keycloak.models.credential.dto.PasswordCredentialData;
import org.keycloak.models.credential.dto.PasswordSecretData;
import org.keycloak.tracing.TracingProviderUtil;

/* loaded from: input_file:org/keycloak/crypto/hash/Argon2PasswordHashProvider.class */
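/**
 * Argon2 implementation of {@link PasswordHashProvider}.
 *
 * <p>New credentials are hashed with the version, type, hash length, memory, iteration and
 * parallelism settings given to the constructor. Those settings are stored next to the hash so
 * that {@link #verify} can recompute it with the parameters the credential was created with, and
 * {@link #policyCheck} can tell whether a stored credential still matches the current settings.
 *
 * <p>Every hash computation first takes a permit from the semaphore supplied by the caller, so the
 * semaphore's permit count bounds how many Argon2 computations run at the same time.
 */
public class Argon2PasswordHashProvider implements PasswordHashProvider {
    private static final Logger logger = Logger.getLogger(Argon2PasswordHashProvider.class);
    private final String version;
    private final String type;
    private final int hashLength;
    private final int memory;
    private final int iterations;
    private final int parallelism;
    private final Semaphore cpuCoreSemaphore;

    /**
     * Creates a provider with fixed Argon2 settings.
     *
     * @param str Argon2 version identifier, stored with each credential
     * @param str2 Argon2 type identifier, stored with each credential
     * @param i length of the generated hash in bytes
     * @param i2 memory cost, passed to the generator as kilobytes
     * @param i3 default number of iterations
     * @param i4 degree of parallelism
     * @param semaphore semaphore a permit is taken from for the duration of each hash computation
     */
    public Argon2PasswordHashProvider(String str, String str2, int i, int i2, int i3, int i4, Semaphore semaphore) {
        this.version = str;
        this.type = str2;
        this.hashLength = i;
        this.memory = i2;
        this.iterations = i3;
        this.parallelism = i4;
        this.cpuCoreSemaphore = semaphore;
    }

    /**
     * Reports whether a stored credential was hashed with exactly this provider's settings.
     *
     * <p>A missing numeric parameter counts as a mismatch; a stored numeric parameter that is not
     * a valid integer makes this method throw {@link NumberFormatException}.
     *
     * @param passwordPolicy not consulted by this implementation
     * @param passwordCredentialModel the stored credential to inspect
     * @return {@code true} only if iterations, type, version, hash length, memory and parallelism
     *     all equal the configured values
     */
    @Override
    public boolean policyCheck(PasswordPolicy passwordPolicy, PasswordCredentialModel passwordCredentialModel) {
        PasswordCredentialData credentialData = passwordCredentialModel.getPasswordCredentialData();
        return this.iterations == credentialData.getHashIterations()
                && checkCredData(Argon2PasswordHashProviderFactory.TYPE_KEY, this.type, credentialData)
                && checkCredData(Argon2PasswordHashProviderFactory.VERSION_KEY, this.version, credentialData)
                && checkCredData(Argon2PasswordHashProviderFactory.HASH_LENGTH_KEY, this.hashLength, credentialData)
                && checkCredData(Argon2PasswordHashProviderFactory.MEMORY_KEY, this.memory, credentialData)
                && checkCredData(Argon2PasswordHashProviderFactory.PARALLELISM_KEY, this.parallelism, credentialData);
    }

    /**
     * Hashes a raw password with a freshly generated salt and packages the result, together with
     * the Argon2 parameters used, as a credential model.
     *
     * @param str the raw password
     * @param i requested iteration count; {@code -1} selects the configured default, and a value
     *     above 100 is replaced by the configured default after logging a warning
     * @return the credential model carrying salt, iteration count, parameters and encoded hash
     */
    @Override
    public PasswordCredentialModel encodedCredential(String str, int i) {
        int effectiveIterations = i;
        if (i == -1) {
            effectiveIterations = this.iterations;
        } else if (i > 100) {
            logger.warn("Iterations for Argon should be less than 100, using default");
            effectiveIterations = this.iterations;
        }
        // NOTE(review): zero and negative values other than -1 are not rejected here and reach
        // the Argon2 parameter builder unchanged; confirm the callers or the library reject them.

        byte[] salt = Salt.generateSalt();
        String encodedHash = encode(str, salt, this.version, this.type, this.hashLength, this.parallelism, this.memory, effectiveIterations);

        // Persist every parameter that verify() needs to recompute the hash later.
        Map<String, List<String>> parameters = new HashMap<>();
        parameters.put(Argon2PasswordHashProviderFactory.VERSION_KEY, Collections.singletonList(this.version));
        parameters.put(Argon2PasswordHashProviderFactory.TYPE_KEY, Collections.singletonList(this.type));
        parameters.put(Argon2PasswordHashProviderFactory.HASH_LENGTH_KEY, Collections.singletonList(Integer.toString(this.hashLength)));
        parameters.put(Argon2PasswordHashProviderFactory.MEMORY_KEY, Collections.singletonList(Integer.toString(this.memory)));
        parameters.put(Argon2PasswordHashProviderFactory.PARALLELISM_KEY, Collections.singletonList(Integer.toString(this.parallelism)));
        return PasswordCredentialModel.createFromValues(Argon2PasswordHashProviderFactory.ID, salt, effectiveIterations, parameters, encodedHash);
    }

    /**
     * Checks a raw password against a stored credential by recomputing the hash with the salt and
     * Argon2 parameters stored in that credential.
     *
     * <p>The recomputed and stored encodings are compared with {@link MessageDigest#isEqual}
     * rather than {@link String#equals}, so the comparison time does not depend on the position
     * of the first differing character.
     *
     * <p>The stored hash length, parallelism, memory and iteration values are used as they are;
     * no upper bound is applied in this method. A missing or non-numeric stored value makes this
     * method throw {@link NumberFormatException}.
     *
     * @param str the raw password to check
     * @param passwordCredentialModel the stored credential
     * @return {@code true} if the recomputed hash equals the stored one; {@code false} otherwise,
     *     including when the credential holds no stored value
     */
    @Override
    public boolean verify(String str, PasswordCredentialModel passwordCredentialModel) {
        PasswordCredentialData credentialData = passwordCredentialModel.getPasswordCredentialData();
        MultivaluedHashMap<String, String> parameters = credentialData.getAdditionalParameters();
        PasswordSecretData secretData = passwordCredentialModel.getPasswordSecretData();

        String computed = encode(
                str,
                secretData.getSalt(),
                parameters.getFirst(Argon2PasswordHashProviderFactory.VERSION_KEY),
                parameters.getFirst(Argon2PasswordHashProviderFactory.TYPE_KEY),
                Integer.parseInt(parameters.getFirst(Argon2PasswordHashProviderFactory.HASH_LENGTH_KEY)),
                Integer.parseInt(parameters.getFirst(Argon2PasswordHashProviderFactory.PARALLELISM_KEY)),
                Integer.parseInt(parameters.getFirst(Argon2PasswordHashProviderFactory.MEMORY_KEY)),
                credentialData.getHashIterations());

        String stored = secretData.getValue();
        if (stored == null) {
            // Same outcome as the former computed.equals(null): never a match.
            return false;
        }
        return MessageDigest.isEqual(
                computed.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Computes the Base64-encoded Argon2 hash of a password inside a tracing span.
     *
     * <p>A semaphore permit is held for the duration of the computation. The permit is released
     * only when it was actually acquired: releasing after an interrupted {@code acquire()} would
     * add a permit that was never taken and so raise the concurrency limit.
     *
     * @param rawPassword the password to hash
     * @param salt the salt
     * @param version Argon2 version identifier
     * @param type Argon2 type identifier
     * @param hashLength number of hash bytes to generate
     * @param parallelism degree of parallelism
     * @param memory memory cost in kilobytes
     * @param iterations number of iterations
     * @return the Base64 encoding of the generated hash bytes
     * @throws RuntimeException wrapping {@link InterruptedException} if the thread is interrupted
     *     while waiting for a permit; the interrupt flag is restored first
     */
    private String encode(String rawPassword, byte[] salt, String version, String type, int hashLength, int parallelism, int memory, int iterations) {
        return (String) TracingProviderUtil.getTracingProvider().trace(Argon2PasswordHashProvider.class, "encode", span -> {
            try {
                this.cpuCoreSemaphore.acquire();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new RuntimeException(e);
            }
            try {
                // NOTE(review): getTypeValue/getVersionValue presumably map the stored strings to
                // the library's numeric constants; confirm which Argon2Parameters class declares them.
                org.bouncycastle.crypto.params.Argon2Parameters argon2Parameters = new Argon2Parameters.Builder(Argon2Parameters.getTypeValue(type))
                        .withVersion(Argon2Parameters.getVersionValue(version))
                        .withSalt(salt)
                        .withParallelism(parallelism)
                        .withMemoryAsKB(memory)
                        .withIterations(iterations)
                        .build();
                Argon2BytesGenerator generator = new Argon2BytesGenerator();
                generator.init(argon2Parameters);
                byte[] hash = new byte[hashLength];
                generator.generateBytes(rawPassword.toCharArray(), hash);
                return Base64.encodeBytes(hash);
            } finally {
                this.cpuCoreSemaphore.release();
            }
        });
    }

    /**
     * Compares an integer setting with the value stored under {@code key} in the credential.
     *
     * @return {@code true} if a value is stored and parses to {@code expected}; {@code false} if
     *     no value is stored
     * @throws NumberFormatException if the stored value is not a valid integer
     */
    private boolean checkCredData(String key, int expected, PasswordCredentialData credentialData) {
        String stored = credentialData.getAdditionalParameters().getFirst(key);
        return stored != null && expected == Integer.parseInt(stored);
    }

    /**
     * Compares a string setting with the value stored under {@code key} in the credential.
     *
     * @return {@code true} if the stored value equals {@code expected}; {@code false} if it
     *     differs or is absent
     */
    private boolean checkCredData(String key, String expected, PasswordCredentialData credentialData) {
        return expected.equals(credentialData.getAdditionalParameters().getFirst(key));
    }

    /** Does nothing: this provider holds no resources of its own to release. */
    @Override
    public void close() {
    }
}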
