package com.ibm.ws.security.oauth20.util;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

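/**
 * Helpers for turning an OAuth client secret held in client metatype JSON into a
 * salted, iterated hash via {@link PasswordUtil#encode_password}.
 *
 * <p>The hash parameters (salt, algorithm, iteration count, key length) live next to
 * the secret in the client's JSON under the {@code OAuth20Constants.SALT},
 * {@code HASH_ALGORITHM}, {@code HASH_ITERATIONS} and {@code HASH_LENGTH} keys.
 * {@link #processMetatypeForHashInfo} fills in any that are missing so that a later
 * {@link #hashSecret} call can reproduce the same hash.
 *
 * <p>Trace output names only the client id; the secret and the salt are never logged.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/oauth20/util/HashSecretUtils.class */
public class HashSecretUtils {
    private static final TraceComponent tc = Tr.register(HashSecretUtils.class, (String) null, (String) null);
    public static final String PBKDF2WithHmacSHA512 = "PBKDF2WithHmacSHA512";
    public static final String DEFAULT_HASH = PBKDF2WithHmacSHA512;
    public static final int DEFAULT_SALTSIZE = 32;
    // NOTE(review): 2048 is the pre-existing default and is kept for compatibility with
    // secrets already stored; raising it changes the hash of every client that relies on it.
    public static final int DEFAULT_ITERATIONS = 2048;
    public static final int DEFAULT_KEYSIZE = 32;
    private static final int generateSaltSize = DEFAULT_SALTSIZE;
    static final long serialVersionUID = 8690420941482694302L;

    /** Crypto-algorithm tag that {@code PasswordUtil} reports for an already-hashed value. */
    private static final String HASH_CRYPTO_ALGORITHM = "hash";
    /** Metatype property that holds the client secret. */
    private static final String CLIENT_SECRET_PROPERTY = "client_secret";
    /** Keys of the property map consumed by {@code PasswordUtil.encode_password}. */
    private static final String PROP_HASH_ALGORITHM = "hash.algorithm";
    private static final String PROP_HASH_SALT = "hash.salt";
    private static final String PROP_HASH_ITERATIONS = "hash.iteration";
    private static final String PROP_HASH_LENGTH = "hash.length";

    /** {@code SecureRandom} is thread-safe; one shared instance avoids re-seeding per salt. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Hashes {@code secret} using the hash parameters stored in {@code clientMetatype}.
     *
     * <p>A missing or JSON-null salt is passed through as {@code null} so that the
     * string overload rejects it with an {@link IllegalArgumentException} rather than a
     * {@code NullPointerException}; missing iteration/length values are passed as 0 and
     * therefore fall back to the defaults.
     *
     * @param secret           the secret to hash; {@code null} or empty is returned unchanged
     * @param clientId         client id, used only in trace and error messages
     * @param convertXorToHash when {@code true}, an XOR-encoded secret is decoded and hashed;
     *                         when {@code false} it is returned as is
     * @param clientMetatype   client metatype JSON carrying the hash parameters; must not be {@code null}
     * @return the hashed secret, or the input when it is empty, already hashed, or XOR with conversion disabled
     * @throws IllegalArgumentException if no salt is present in {@code clientMetatype}
     */
    @Sensitive
    public static String hashSecret(@Sensitive String secret, String clientId, boolean convertXorToHash,
            @Sensitive JsonObject clientMetatype) {
        return hashSecret(secret, clientId, convertXorToHash,
                stringProperty(clientMetatype, OAuth20Constants.SALT),
                stringProperty(clientMetatype, OAuth20Constants.HASH_ALGORITHM),
                intProperty(clientMetatype, OAuth20Constants.HASH_ITERATIONS),
                intProperty(clientMetatype, OAuth20Constants.HASH_LENGTH));
    }

    /**
     * Hashes {@code secret} with the given parameters, unless it is already hashed.
     *
     * <p>Behaviour by the crypto algorithm {@link PasswordUtil#getCryptoAlgorithm} reports:
     * <ul>
     *   <li>{@code OAuth20Constants.XOR}: decoded and hashed when {@code convertXorToHash},
     *       otherwise returned unchanged;</li>
     *   <li>{@code "hash"}: returned unchanged (already hashed);</li>
     *   <li>anything else (including {@code null}, i.e. plaintext): hashed.</li>
     * </ul>
     *
     * @param secret           the secret; {@code null} or empty is returned unchanged
     * @param clientId         client id, used only in trace and error messages
     * @param convertXorToHash whether an XOR-encoded secret should be converted to a hash
     * @param salt             salt to hash with; must be non-null and non-empty
     * @param hashAlgorithm    hash algorithm name; {@code null} or empty selects {@link #DEFAULT_HASH}
     * @param iterations       iteration count; {@code <= 0} selects {@link #DEFAULT_ITERATIONS}
     * @param keyLength        derived key length; {@code <= 0} selects {@link #DEFAULT_KEYSIZE}
     * @return the hashed secret or, for the pass-through cases above, {@code secret} itself
     * @throws IllegalArgumentException if {@code salt} is {@code null} or empty and the secret is non-empty
     */
    @Sensitive
    public static String hashSecret(@Sensitive String secret, String clientId, boolean convertXorToHash,
            @Sensitive String salt, @Sensitive String hashAlgorithm, int iterations, int keyLength) {
        if (secret == null || secret.isEmpty()) {
            return secret;
        }
        if (salt == null) {
            throw new IllegalArgumentException("A null salt was provided for clientId " + clientId + ". Cannot hash secret.");
        }
        // An empty salt would silently weaken the hash; treat it like a missing one.
        if (salt.isEmpty()) {
            throw new IllegalArgumentException("An empty salt was provided for clientId " + clientId + ". Cannot hash secret.");
        }

        String cryptoAlgorithm = PasswordUtil.getCryptoAlgorithm(secret);
        String plainSecret = secret;
        if (OAuth20Constants.XOR.equals(cryptoAlgorithm)) {
            if (!convertXorToHash) {
                if (debugEnabled()) {
                    Tr.debug(tc, "Client secret for " + clientId + " is stored as XOR, not converting to hash", new Object[0]);
                }
                return secret;
            }
            if (debugEnabled()) {
                Tr.debug(tc, "Client secret for " + clientId + " is stored as XOR, convert to hash", new Object[0]);
            }
            plainSecret = PasswordUtil.passwordDecode(secret);
        } else if (HASH_CRYPTO_ALGORITHM.equals(cryptoAlgorithm)) {
            if (debugEnabled()) {
                Tr.debug(tc, "Client secret for " + clientId + " is already hashed.", new Object[0]);
            }
            return secret;
        }

        Map<String, String> hashProps = new HashMap<>();
        hashProps.put(PROP_HASH_ALGORITHM, hashAlgorithm == null || hashAlgorithm.isEmpty() ? DEFAULT_HASH : hashAlgorithm);
        hashProps.put(PROP_HASH_SALT, salt);
        hashProps.put(PROP_HASH_ITERATIONS, String.valueOf(iterations <= 0 ? DEFAULT_ITERATIONS : iterations));
        hashProps.put(PROP_HASH_LENGTH, String.valueOf(keyLength <= 0 ? DEFAULT_KEYSIZE : keyLength));
        return PasswordUtil.encode_password(plainSecret, HASH_CRYPTO_ALGORITHM, hashProps);
    }

    /**
     * Replaces the {@code client_secret} property of {@code clientMetatype} with its hash,
     * using the hash parameters stored in the same object.
     *
     * <p>Does nothing when {@code clientMetatype} is {@code null} or carries no non-empty secret.
     *
     * @param clientMetatype   client metatype JSON; modified in place
     * @param clientId         client id, used only in trace and error messages
     * @param convertXorToHash whether an XOR-encoded secret should be converted to a hash
     * @throws IllegalArgumentException if a secret is present but no salt is
     */
    public static void hashClientMetaTypeSecret(@Sensitive JsonObject clientMetatype, String clientId, boolean convertXorToHash) {
        if (clientMetatype == null) {
            return;
        }
        String secret = stringProperty(clientMetatype, CLIENT_SECRET_PROPERTY);
        if (secret == null || secret.isEmpty()) {
            return;
        }
        clientMetatype.addProperty(CLIENT_SECRET_PROPERTY, hashSecret(secret, clientId, convertXorToHash, clientMetatype));
    }

    /**
     * Generates a fresh random salt of {@link #DEFAULT_SALTSIZE} bytes from {@code SecureRandom}.
     *
     * @return the salt, Base64-encoded via {@link Base64Coder#base64EncodeToString}
     */
    @Sensitive
    public static String generateSalt() {
        byte[] salt = new byte[generateSaltSize];
        RANDOM.nextBytes(salt);
        return Base64Coder.base64EncodeToString(salt);
    }

    /**
     * Fills in any hash parameter missing from {@code clientMetatype}: algorithm, salt,
     * iteration count and key length. An iteration count or key length that is absent or
     * {@code <= 0} is treated as missing. Each value actually written is the one later used
     * by {@link #hashSecret}, so the metatype is self-describing for re-hashing.
     *
     * @param clientMetatype client metatype JSON; modified in place and returned
     * @param clientId       client id, used only in trace messages
     * @param hashAlgorithm  algorithm to record when none is set; {@code null}/empty selects {@link #DEFAULT_HASH}
     * @param iterations     iteration count to record when none is set; {@code <= 0} selects {@link #DEFAULT_ITERATIONS}
     * @param keyLength      key length to record when none is set; {@code <= 0} selects {@link #DEFAULT_KEYSIZE}
     * @return {@code clientMetatype}
     */
    @Sensitive
    public static JsonObject processMetatypeForHashInfo(@Sensitive JsonObject clientMetatype, String clientId,
            String hashAlgorithm, int iterations, int keyLength) {
        if (stringProperty(clientMetatype, OAuth20Constants.HASH_ALGORITHM) == null) {
            String effectiveAlgorithm = hashAlgorithm == null || hashAlgorithm.isEmpty() ? DEFAULT_HASH : hashAlgorithm;
            clientMetatype.addProperty(OAuth20Constants.HASH_ALGORITHM, effectiveAlgorithm);
            if (debugEnabled()) {
                Tr.debug(tc, "Added default hash algorithm for " + clientId + ": " + effectiveAlgorithm, new Object[0]);
            }
        }
        if (stringProperty(clientMetatype, OAuth20Constants.SALT) == null) {
            clientMetatype.addProperty(OAuth20Constants.SALT, generateSalt());
            if (debugEnabled()) {
                Tr.debug(tc, "Salt added for " + clientId, new Object[0]);
            }
        }
        if (intProperty(clientMetatype, OAuth20Constants.HASH_ITERATIONS) <= 0) {
            int effectiveIterations = iterations <= 0 ? DEFAULT_ITERATIONS : iterations;
            clientMetatype.addProperty(OAuth20Constants.HASH_ITERATIONS, Integer.valueOf(effectiveIterations));
            if (debugEnabled()) {
                Tr.debug(tc, "Added default hash iterations for " + clientId + ": " + effectiveIterations, new Object[0]);
            }
        }
        if (intProperty(clientMetatype, OAuth20Constants.HASH_LENGTH) <= 0) {
            // The key-length parameter was previously ignored (a fixed 32 was written and the
            // trace reported the iteration count); honour it, falling back to the default.
            int effectiveLength = keyLength <= 0 ? DEFAULT_KEYSIZE : keyLength;
            clientMetatype.addProperty(OAuth20Constants.HASH_LENGTH, Integer.valueOf(effectiveLength));
            if (debugEnabled()) {
                Tr.debug(tc, "Added default hash key size for " + clientId + ": " + effectiveLength, new Object[0]);
            }
        }
        return clientMetatype;
    }

    /** Reads a string property; {@code null} when the key is absent or JSON null. */
    private static String stringProperty(JsonObject obj, String key) {
        JsonElement element = obj.get(key);
        return element == null || element.isJsonNull() ? null : element.getAsString();
    }

    /** Reads an int property; 0 when the key is absent or JSON null (0 means "use the default"). */
    private static int intProperty(JsonObject obj, String key) {
        JsonElement element = obj.get(key);
        return element == null || element.isJsonNull() ? 0 : element.getAsInt();
    }

    /** Guards trace calls so message strings are only built when debug tracing is on. */
    private static boolean debugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }
}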
