package org.apache.http.impl.auth;

import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.KeyManagementException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.Header;
import org.apache.http.HttpRequest;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.InvalidCredentialsException;
import org.apache.http.auth.MalformedChallengeException;
import org.apache.http.auth.NTCredentials;
import org.apache.http.impl.auth.ntlm.AuthenticateMessage;
import org.apache.http.impl.auth.ntlm.ChallengeMessage;
import org.apache.http.impl.auth.ntlm.NTLMEngineImpl;
import org.apache.http.impl.auth.ntlm.NTLMHandle;
import org.apache.http.impl.auth.ntlm.NegotiateMessage;
import org.apache.http.message.BufferedHeader;
import org.apache.http.protocol.HttpContext;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.CharArrayBuffer;
import org.apache.http.util.CharsetUtils;

/* loaded from: input_file:org/apache/http/impl/auth/CredSspScheme.class */
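/**
 * CredSSP authentication scheme carried in HTTP authentication headers.
 *
 * <p>The exchange is a state machine ({@link State}). Each {@code authenticate} call emits the
 * next base64 token and each {@code parseChallenge} call consumes the server's reply:
 * <ol>
 *   <li>a TLS handshake run through an {@link SSLEngine}, its records carried as header tokens;</li>
 *   <li>an NTLM negotiate / challenge / authenticate exchange inside {@code CredSspTsRequest}
 *       messages, wrapped by that TLS session;</li>
 *   <li>the {@code pubKeyAuth} exchange, which ties the TLS server key to the NTLM session;</li>
 *   <li>the user's credentials (domain, user name, password), sent last.</li>
 * </ol>
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The TLS layer accepts any server certificate (see {@link #createSSLEngine()}). The only
 *       check that ties the TLS peer to the authenticated server is
 *       {@link #verifyPubKeyAuthResponse()}, which runs before the credentials are sent.</li>
 *   <li>{@code develTrace} is hard-wired on, so protocol material is written to the log whenever
 *       TRACE/DEBUG logging is enabled for this class.</li>
 * </ul>
 *
 * <p>Instances keep per-exchange mutable state and do no synchronization of their own.
 */
public class CredSspScheme extends AuthSchemeBase {
    public static final String SCHEME_NAME = "CredSSP";

    /**
     * Source of the client nonce. {@code null} when the "SHA1PRNG" algorithm could not be
     * obtained; {@link #createClientNonce()} then fails the authentication.
     */
    private static final SecureRandom RND_GEN = createRandomGenerator();

    // NOTE(review): hard-wired to true. Every develTrace-guarded statement below dumps protocol
    // material (NTLM messages, client nonce, pubKeyAuth values, the peer public key, raw tokens)
    // to the log as soon as TRACE/DEBUG is enabled for this class. Confirm this is intended for
    // production builds; defaulting it to false would be the safer choice.
    private static boolean develTrace = true;

    private static final Charset UNICODE_LITTLE_UNMARKED = CharsetUtils.lookup("UnicodeLittleUnmarked");
    private static final byte[] CLIENT_SERVER_MAGIC_HASH = DerUtil.nullTerminatedAsciiString("CredSSP Client-To-Server Binding Hash");
    private static final byte[] SERVER_CLIENT_MAGIC_HASH = DerUtil.nullTerminatedAsciiString("CredSSP Server-To-Client Binding Hash");

    private final Log log = LogFactory.getLog(CredSspScheme.class);
    private State state = State.UNINITIATED;
    private SSLEngine sslEngine;
    private org.apache.http.impl.auth.ntlm.NTLMEngine ntlmEngine;
    private CredSspTsRequest lastReceivedTsRequest;
    private NTLMHandle ntlmOutgoingHandle;
    private NTLMHandle ntlmIncomingHandle;
    private byte[] peerPublicKey;
    private byte[] clientNonce;

    /** Steps of the exchange, in the order they are normally passed through. */
    public enum State {
        UNINITIATED,
        TLS_HANDSHAKE,
        TLS_HANDSHAKE_FINISHED,
        NEGO_TOKEN_SENT,
        NEGO_TOKEN_RECEIVED,
        PUB_KEY_AUTH_SENT,
        PUB_KEY_AUTH_RECEIVED,
        CREDENTIALS_SENT
    }

    /**
     * Obtains the "SHA1PRNG" generator used for nonces.
     *
     * @return the generator, or {@code null} if it cannot be obtained
     */
    private static SecureRandom createRandomGenerator() {
        try {
            return SecureRandom.getInstance("SHA1PRNG");
        } catch (Exception ignored) {
            // Deliberately not fatal at class-initialization time: the failure is reported by
            // createClientNonce() as an AuthenticationException when a nonce is actually needed.
            return null;
        }
    }

    @Override
    public String getSchemeName() {
        return SCHEME_NAME;
    }

    /** This scheme exposes no parameters; always returns {@code null}. */
    @Override
    public String getParameter(String str) {
        return null;
    }

    /** This scheme has no realm; always returns {@code null}. */
    @Override
    public String getRealm() {
        return null;
    }

    @Override
    public boolean isConnectionBased() {
        return true;
    }

    /** Returns the TLS engine of this exchange, creating it on first use. */
    private SSLEngine getSSLEngine() {
        if (this.sslEngine == null) {
            this.sslEngine = createSSLEngine();
        }
        return this.sslEngine;
    }

    /**
     * Builds a client-mode {@link SSLEngine} whose trust manager accepts every certificate.
     *
     * <p>No PKI validation and no host name check happen on this TLS layer. The server key seen
     * here is instead bound to the NTLM session by the pubKeyAuth exchange
     * ({@link #setPubKeyAuth} / {@link #verifyPubKeyAuthResponse()}); that verification must stay
     * in place and must run before any credentials are sent.
     *
     * @return a new engine in client mode
     * @throws RuntimeException if the SSL context cannot be created or initialized
     */
    private SSLEngine createSSLEngine() {
        final SSLContext sslContext;
        try {
            sslContext = SSLContexts.custom().build();
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new RuntimeException("Error creating SSL Context: " + e.getMessage(), e);
        }
        final X509TrustManager acceptAnyCertificate = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                // intentionally empty: see createSSLEngine() documentation
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                // intentionally empty: see createSSLEngine() documentation
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The interface contract requires a non-null (possibly empty) array.
                return new X509Certificate[0];
            }
        };
        try {
            sslContext.init(null, new TrustManager[] {acceptAnyCertificate}, null);
        } catch (KeyManagementException e) {
            throw new RuntimeException("SSL Context initialization error: " + e.getMessage(), e);
        }
        if (develTrace) {
            this.log.debug("Created SSL Context with provider " + sslContext.getProvider());
        }
        final SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(true);
        if (develTrace) {
            this.log.trace("Created SSL engine:\n    supported protocols: " + Arrays.toString(engine.getSupportedProtocols()) + "\n    enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()) + "\n    supported ciphers: " + Arrays.toString(engine.getSupportedCipherSuites()) + "\n    enabled ciphers: " + Arrays.toString(engine.getEnabledCipherSuites()));
        }
        return engine;
    }

    /** Encodes {@code str} with the "UnicodeLittleUnmarked" charset looked up at class load. */
    private byte[] encodeUnicode(String str) {
        return str.getBytes(UNICODE_LITTLE_UNMARKED);
    }

    /**
     * Consumes the server's token for the current state.
     *
     * <p>During the TLS handshake the token is fed to the engine; in the two "sent" states it is
     * unwrapped and decoded into {@code lastReceivedTsRequest}. Other states ignore the token.
     *
     * @throws MalformedChallengeException on an empty token after the first step, on a token
     *         that is not valid base64, or when the TLS engine rejects the data
     */
    @Override
    protected void parseChallenge(CharArrayBuffer charArrayBuffer, int i, int i2) throws MalformedChallengeException {
        final String token = charArrayBuffer.substringTrimmed(i, i2);
        if (develTrace) {
            this.log.trace("<< Received: " + token);
        }
        if (token.isEmpty() && this.state != State.UNINITIATED) {
            final String message = "Received unexpected empty input in state " + this.state;
            this.log.error(message);
            throw new MalformedChallengeException(message);
        }
        if (this.state == State.TLS_HANDSHAKE) {
            unwrapHandshake(token);
            if (develTrace) {
                this.log.trace("TLS handshake status: " + getSSLEngine().getHandshakeStatus());
            }
            if (getSSLEngine().getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
                this.log.trace("TLS handshake finished (" + getSSLEngine().getSession().getProtocol() + ")");
                if (develTrace) {
                    this.log.trace("SSL connection parameters:\n    protocol: " + getSSLEngine().getSession().getProtocol() + "\n    cipher: " + getSSLEngine().getSession().getCipherSuite());
                }
                this.state = State.TLS_HANDSHAKE_FINISHED;
            }
        }
        if (this.state == State.NEGO_TOKEN_SENT) {
            // Advance the state only once the reply decoded cleanly, so a rejected token can
            // never leave the scheme in a "received" state that points at a stale TsRequest.
            this.lastReceivedTsRequest = CredSspTsRequest.createDecoded(unwrap(token));
            this.state = State.NEGO_TOKEN_RECEIVED;
            if (develTrace) {
                this.log.trace("Received tsrequest(negotoken:CHALLENGE):\n" + this.lastReceivedTsRequest.debugDump());
            }
        }
        if (this.state == State.PUB_KEY_AUTH_SENT) {
            // Same ordering as above: decode first, then move on.
            this.lastReceivedTsRequest = CredSspTsRequest.createDecoded(unwrap(token));
            this.state = State.PUB_KEY_AUTH_RECEIVED;
            if (develTrace) {
                this.log.trace("Received tsrequest(pubKeyAuth):\n" + this.lastReceivedTsRequest.debugDump());
            }
        }
    }

    /** Context-less variant; delegates with a {@code null} context. */
    @Override
    @Deprecated
    public Header authenticate(Credentials credentials, HttpRequest httpRequest) throws AuthenticationException {
        return authenticate(credentials, httpRequest, null);
    }

    /**
     * Produces the next outgoing token for the current state and advances the state machine.
     *
     * @param credentials must be {@link NTCredentials}
     * @return the {@code Authorization} or {@code Proxy-Authorization} header carrying
     *         {@code "CredSSP <base64 token>"}
     * @throws InvalidCredentialsException if a {@link ClassCastException} is raised while
     *         processing, which is what happens for credentials of another type
     * @throws AuthenticationException if called in a state that has nothing to send, or if any
     *         step of the exchange fails
     */
    @Override
    public Header authenticate(Credentials credentials, HttpRequest httpRequest, HttpContext httpContext) throws AuthenticationException {
        String token;
        try {
            final NTCredentials ntCredentials = (NTCredentials) credentials;
            if (this.ntlmEngine == null) {
                this.ntlmEngine = new NTLMEngineImpl(ntCredentials, true);
            }
            switch (this.state) {
                case UNINITIATED:
                    beginTlsHandshake();
                    token = wrapHandshake();
                    this.state = State.TLS_HANDSHAKE;
                    break;
                case TLS_HANDSHAKE:
                    token = wrapHandshake();
                    break;
                case TLS_HANDSHAKE_FINISHED:
                    token = buildNegotiateToken();
                    this.state = State.NEGO_TOKEN_SENT;
                    break;
                case NEGO_TOKEN_RECEIVED:
                    token = buildAuthenticateToken();
                    this.state = State.PUB_KEY_AUTH_SENT;
                    break;
                case PUB_KEY_AUTH_RECEIVED:
                    token = buildCredentialsToken(ntCredentials);
                    this.state = State.CREDENTIALS_SENT;
                    break;
                default:
                    throw new AuthenticationException("Wrong state " + this.state);
            }
            if (develTrace) {
                this.log.trace(">> Seding: " + token);
            }
            final CharArrayBuffer header = new CharArrayBuffer(32);
            header.append(isProxy() ? AUTH.PROXY_AUTH_RESP : AUTH.WWW_AUTH_RESP);
            header.append(": CredSSP ");
            header.append(token);
            return new BufferedHeader(header);
        } catch (ClassCastException e) {
            // Keep the cause: the cast above is the expected source, but any ClassCastException
            // raised deeper in the exchange ends up here as well.
            throw new InvalidCredentialsException("Credentials cannot be used for CredSSP authentication: " + credentials.getClass().getName(), e);
        }
    }

    /** Builds the TLS-wrapped TsRequest that carries the NTLM NEGOTIATE message. */
    private String buildNegotiateToken() throws AuthenticationException {
        final ByteBuffer out = allocateOutBuffer();
        final NegotiateMessage negotiate = this.ntlmEngine.generateNegotiateMessage(Integer.valueOf(getNtlmFlags()));
        if (develTrace) {
            this.log.trace("Prepared NTLM NEGOTIATE message:\n" + negotiate.debugDump());
        }
        final byte[] encoded = negotiate.getBytes();
        if (develTrace) {
            this.log.trace("Prepared NTLM NEGOTIATE message (encoded):\n" + DebugUtil.dump(encoded));
        }
        CredSspTsRequest.createNegoToken(encoded).encode(out);
        out.flip();
        if (develTrace) {
            this.log.trace("Prepared CredSSP TsRequest (NTLM negotiate):\n" + DebugUtil.dump(out));
        }
        return wrap(out);
    }

    /**
     * Builds the TLS-wrapped TsRequest that carries the NTLM AUTHENTICATE message together with
     * the client's pubKeyAuth value. Also creates the NTLM handles and records the server's
     * public key for the later verification.
     */
    private String buildAuthenticateToken() throws AuthenticationException {
        final ByteBuffer out = allocateOutBuffer();
        final ChallengeMessage challenge = this.ntlmEngine.parseChallengeMessage(this.lastReceivedTsRequest.getNegoToken());
        if (develTrace) {
            this.log.trace("Received NTLM CHALLENGE message:\n" + challenge.debugDump());
        }
        final X509Certificate serverCertificate = getPeerServerCertificate();
        final AuthenticateMessage authenticate = this.ntlmEngine.generateAuthenticateMessage(serverCertificate);
        if (develTrace) {
            this.log.trace("Prepared NTLM AUTHENTICATE message:\n" + authenticate.debugDump());
        }
        final byte[] encoded = authenticate.getBytes();
        if (develTrace) {
            this.log.trace("Prepared NTLM AUTHENTICATE message (encoded):\n" + DebugUtil.dump(encoded));
        }
        this.ntlmOutgoingHandle = this.ntlmEngine.createClientHandle();
        this.ntlmIncomingHandle = this.ntlmEngine.createServerHandle();
        final CredSspTsRequest tsRequest = CredSspTsRequest.createNegoToken(this.lastReceivedTsRequest.getVersion(), encoded);
        this.peerPublicKey = getSubjectPublicKeyDer(serverCertificate.getPublicKey());
        setPubKeyAuth(tsRequest, this.lastReceivedTsRequest.getVersion());
        tsRequest.encode(out);
        out.flip();
        if (develTrace) {
            this.log.trace("Prepared CredSSP TsRequest (NTLM authenticate + pubKeyAuth):\n" + DebugUtil.dump(out));
        }
        return wrap(out);
    }

    /**
     * Verifies the server's pubKeyAuth response and only then builds the TLS-wrapped TsRequest
     * that carries the credentials.
     */
    private String buildCredentialsToken(NTCredentials ntCredentials) throws AuthenticationException {
        // Must stay first: nothing derived from the password may be sent to a peer whose key
        // binding has not been confirmed.
        verifyPubKeyAuthResponse();
        final CredSspTsRequest tsRequest = CredSspTsRequest.createAuthInfo(this.lastReceivedTsRequest.getVersion(), createAuthInfo(ntCredentials));
        final ByteBuffer out = allocateOutBuffer();
        tsRequest.encode(out);
        out.flip();
        if (develTrace) {
            this.log.trace("Prepared CredSSP TsRequest (authInfo):\n" + DebugUtil.dump(out));
        }
        return wrap(out);
    }

    /**
     * Fills in the client's pubKeyAuth for the given protocol version.
     *
     * <p>Versions up to 4 send the protected server public key itself. Later versions generate a
     * client nonce and send the protected SHA-256 binding hash instead.
     *
     * @param credSspTsRequest request to complete
     * @param i protocol version taken from the server's last TsRequest
     */
    private void setPubKeyAuth(CredSspTsRequest credSspTsRequest, int i) throws AuthenticationException {
        if (i <= 4) {
            final byte[] pubKeyAuth = createPubKeyAuth();
            if (develTrace) {
                this.log.trace("pubKeyAuth: " + DebugUtil.dump(pubKeyAuth));
            }
            credSspTsRequest.setPubKeyAuth(pubKeyAuth);
            return;
        }
        this.clientNonce = createClientNonce();
        final byte[] bindingHash = createPubKeyHash(CLIENT_SERVER_MAGIC_HASH, this.clientNonce);
        if (develTrace) {
            this.log.trace("clientNonce: " + DebugUtil.dump(this.clientNonce) + "\npubKeyAuth(hash): " + DebugUtil.dump(bindingHash));
        }
        credSspTsRequest.setClientNonce(this.clientNonce);
        credSspTsRequest.setPubKeyAuth(this.ntlmOutgoingHandle.signAndEcryptMessage(bindingHash));
    }

    /**
     * Generates a fresh 32-byte nonce.
     *
     * @throws AuthenticationException if no random generator is available
     */
    private byte[] createClientNonce() throws AuthenticationException {
        if (RND_GEN == null) {
            throw new AuthenticationException("Random generator not available");
        }
        final byte[] nonce = new byte[32];
        synchronized (RND_GEN) {
            RND_GEN.nextBytes(nonce);
        }
        return nonce;
    }

    /**
     * Computes SHA-256 over {@code magic || nonce || peerPublicKey}.
     *
     * @param bArr direction-specific magic string
     * @param bArr2 client nonce
     */
    private byte[] createPubKeyHash(byte[] bArr, byte[] bArr2) throws AuthenticationException {
        // The three inputs are passed as separate varargs elements; the decompiled form
        // "new byte[]{bArr, bArr2, ...}" was not valid Java.
        final byte[] hash = sha256(bArr, bArr2, this.peerPublicKey);
        if (develTrace) {
            // Dump the magic actually hashed, not always the client-to-server constant.
            this.log.trace("magic: " + DebugUtil.dump(bArr) + "\nclientNonce: " + DebugUtil.dump(bArr2) + "\npeerPublicKey: " + DebugUtil.dump(this.peerPublicKey) + "\nhash: " + DebugUtil.dump(hash));
        }
        return hash;
    }

    /** Returns the SHA-256 digest of the concatenation of {@code bArr}'s elements. */
    private byte[] sha256(byte[]... bArr) throws AuthenticationException {
        try {
            final MessageDigest digest = MessageDigest.getInstance("SHA-256");
            for (final byte[] part : bArr) {
                digest.update(part);
            }
            return digest.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new AuthenticationException("Error initializing SHA-256", e);
        }
    }

    /**
     * Flag bitmask handed to {@code generateNegotiateMessage}. The decompiler folded the original
     * flag constants into one literal; it is written in hex here so the individual bits can be
     * read (same value as the decimal -494366670).
     */
    private int getNtlmFlags() {
        return 0xE2889032;
    }

    /**
     * Picks the server's own certificate from the TLS session: the first X.509 certificate whose
     * basic constraints mark it as a non-CA certificate.
     *
     * @throws AuthenticationException if the peer presented no certificates or none of them is a
     *         non-CA X.509 certificate
     */
    private X509Certificate getPeerServerCertificate() throws AuthenticationException {
        final Certificate[] chain;
        try {
            chain = getSSLEngine().getSession().getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
        for (final Certificate certificate : chain) {
            if (certificate instanceof X509Certificate) {
                final X509Certificate x509 = (X509Certificate) certificate;
                if (x509.getBasicConstraints() == -1) {
                    return x509;
                }
                if (develTrace) {
                    this.log.trace("Skipping CA certificate " + x509.getSubjectDN());
                }
            }
        }
        // Previously this returned null and the caller failed later with a NullPointerException
        // that bypassed the AuthenticationException handling.
        throw new AuthenticationException("No end-entity X.509 certificate found in the server certificate chain");
    }

    /** Protects the server public key with the outgoing NTLM handle (protocol versions up to 4). */
    private byte[] createPubKeyAuth() throws AuthenticationException {
        return this.ntlmOutgoingHandle.signAndEcryptMessage(this.peerPublicKey);
    }

    /**
     * Checks the server's pubKeyAuth response against the public key seen on the TLS layer.
     *
     * <p>For versions above 4 the decrypted value must equal the server-to-client binding hash.
     * For older versions it must equal the public key with its first byte incremented by one.
     * Because the TLS layer accepts any certificate, this is the check that establishes that the
     * TLS peer also holds the NTLM session key.
     *
     * <p>NOTE(review): the version is read from the most recent TsRequest, while the client's own
     * pubKeyAuth was built from the version in the previous one. Consider remembering the version
     * used when sending and rejecting a response that announces a different one.
     *
     * @throws AuthenticationException if the response does not match
     */
    private void verifyPubKeyAuthResponse() throws AuthenticationException {
        final byte[] received = this.ntlmIncomingHandle.decryptAndVerifySignedMessage(this.lastReceivedTsRequest.getPubKeyAuth());
        if (this.lastReceivedTsRequest.getVersion() > 4) {
            if (this.clientNonce == null) {
                // No nonce exists when the client's own pubKeyAuth was sent in the legacy form.
                final String message = "pubKeyAuth response uses version>=5 but no client nonce was sent";
                this.log.error(message);
                throw new AuthenticationException(message);
            }
            final byte[] expected = createPubKeyHash(SERVER_CLIENT_MAGIC_HASH, this.clientNonce);
            if (develTrace) {
                this.log.trace("verification(version " + ((int) this.lastReceivedTsRequest.getVersion()) + ")\nexpected: " + DebugUtil.dump(expected) + "\nreceived: " + DebugUtil.dump(received));
            }
            if (received == null || !MessageDigest.isEqual(expected, received)) {
                this.log.error("Public key mismatch in pubKeyAuth response (version>=5)");
                throw new AuthenticationException("Public key mismatch in pubKeyAuth response (version>=5)");
            }
            this.log.trace("Received public key response is valid (version>=5)");
            return;
        }
        final byte[] publicKey = this.peerPublicKey;
        boolean valid = received != null && publicKey != null && publicKey.length > 0 && received.length == publicKey.length;
        if (valid) {
            final byte[] expected = publicKey.clone();
            // Byte arithmetic on purpose: the increment wraps within one byte. The previous
            // int comparison "key[0] + 1 != received[0]" could never match for key[0] == 0x7F.
            expected[0]++;
            valid = MessageDigest.isEqual(expected, received);
        }
        if (!valid) {
            this.log.error("Public key mismatch in pubKeyAuth response (version<=4)");
            throw new AuthenticationException("Public key mismatch in pubKeyAuth response (version<=4)");
        }
        this.log.trace("Received public key response is valid (version<=4)");
    }

    /**
     * DER-encodes domain, user name and password and protects the result with the outgoing NTLM
     * handle.
     *
     * <p>The byte layout is: SEQUENCE { [0] INTEGER 1, [1] OCTET STRING { SEQUENCE {
     * [0] OCTET STRING domain, [1] OCTET STRING user, [2] OCTET STRING password } } }, which
     * corresponds to the TSCredentials / TSPasswordCreds structures of the CredSSP specification.
     *
     * <p>The buffer holds the plaintext password until {@code signAndEcryptMessage} has processed
     * it; neither the buffer nor the intermediate password array is cleared afterwards.
     *
     * <p>NOTE(review): domain, user name and password are encoded without a null check; a
     * {@code null} value raises {@link NullPointerException} here. Confirm what
     * {@link NTCredentials} guarantees.
     */
    private byte[] createAuthInfo(NTCredentials nTCredentials) throws AuthenticationException {
        final byte[] domain = encodeUnicode(nTCredentials.getDomain());
        final byte[] domainLen = DerUtil.encodeLength(domain.length);
        final int domainOctets = 1 + domainLen.length + domain.length;
        final byte[] domainTagLen = DerUtil.encodeLength(domainOctets);

        final byte[] user = encodeUnicode(nTCredentials.getUserName());
        final byte[] userLen = DerUtil.encodeLength(user.length);
        final int userOctets = 1 + userLen.length + user.length;
        final byte[] userTagLen = DerUtil.encodeLength(userOctets);

        final byte[] password = encodeUnicode(nTCredentials.getPassword());
        final byte[] passwordLen = DerUtil.encodeLength(password.length);
        final int passwordOctets = 1 + passwordLen.length + password.length;
        final byte[] passwordTagLen = DerUtil.encodeLength(passwordOctets);

        // Sizes are computed inside-out because every enclosing length depends on the size of
        // the length encodings it contains.
        final int credsBodySize = 1 + domainTagLen.length + domainOctets
                + 1 + userTagLen.length + userOctets
                + 1 + passwordTagLen.length + passwordOctets;
        final byte[] credsSeqLen = DerUtil.encodeLength(credsBodySize);
        final int credsSeqSize = 1 + credsSeqLen.length + credsBodySize;
        final byte[] octetStringLen = DerUtil.encodeLength(credsSeqSize);
        final int octetStringSize = 1 + octetStringLen.length + credsSeqSize;
        final byte[] credentialsTagLen = DerUtil.encodeLength(octetStringSize);
        // 6 = the five bytes of "[0] INTEGER 1" plus the [1] tag byte.
        final int outerBodySize = 6 + credentialsTagLen.length + octetStringSize;
        final byte[] outerLen = DerUtil.encodeLength(outerBodySize);

        final ByteBuffer buf = ByteBuffer.allocate(1 + outerLen.length + outerBodySize);
        buf.put((byte) 0x30); // outer SEQUENCE
        buf.put(outerLen);
        buf.put((byte) 0xA0); // [0], length 3
        buf.put((byte) 0x03);
        buf.put((byte) 0x02); // INTEGER, length 1, value 1
        buf.put((byte) 0x01);
        buf.put((byte) 0x01);
        buf.put((byte) 0xA1); // [1]
        buf.put(credentialsTagLen);
        buf.put((byte) 0x04); // OCTET STRING wrapping the inner SEQUENCE
        buf.put(octetStringLen);
        buf.put((byte) 0x30); // inner SEQUENCE
        buf.put(credsSeqLen);
        putTaggedOctetString(buf, 0xA0, domainTagLen, domainLen, domain);
        putTaggedOctetString(buf, 0xA1, userTagLen, userLen, user);
        putTaggedOctetString(buf, 0xA2, passwordTagLen, passwordLen, password);
        try {
            return this.ntlmOutgoingHandle.signAndEcryptMessage(buf.array());
        } catch (org.apache.http.impl.auth.ntlm.NTLMEngineException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /** Writes {@code tag, tagLength, 0x04, valueLength, value} to {@code buf}. */
    private static void putTaggedOctetString(ByteBuffer buf, int tag, byte[] tagLength, byte[] valueLength, byte[] value) {
        buf.put((byte) tag);
        buf.put(tagLength);
        buf.put((byte) 0x04);
        buf.put(valueLength);
        buf.put(value);
    }

    /**
     * Extracts the content of the {@code subjectPublicKey} BIT STRING from the key's encoded
     * SubjectPublicKeyInfo, without the leading "unused bits" octet when that octet is zero.
     *
     * @throws AuthenticationException if the key has no encoding or the encoding does not have
     *         the expected structure
     */
    private byte[] getSubjectPublicKeyDer(PublicKey publicKey) throws AuthenticationException {
        try {
            final byte[] encoded = publicKey.getEncoded();
            if (encoded == null) {
                throw new AuthenticationException("Server public key does not support encoding");
            }
            if (develTrace) {
                this.log.trace("encodedPubKeyInfo: " + DebugUtil.dump(encoded));
            }
            final ByteBuffer spki = ByteBuffer.wrap(encoded);
            DerUtil.getByteAndAssert(spki, 0x30, "initial sequence");
            DerUtil.parseLength(spki);
            DerUtil.getByteAndAssert(spki, 0x30, "AlgorithmIdentifier sequence");
            // Read the length first, then skip: in the single expression
            // "position(position() + parseLength(..))" the old position is sampled before the
            // length bytes are consumed, so the skip lands short of the BIT STRING.
            final int algorithmIdLength = DerUtil.parseLength(spki);
            if (algorithmIdLength < 0 || algorithmIdLength > spki.remaining()) {
                throw new AuthenticationException("Invalid AlgorithmIdentifier length in server public key");
            }
            spki.position(spki.position() + algorithmIdLength);
            DerUtil.getByteAndAssert(spki, 0x03, "subjectPublicKey type");
            int keyLength = DerUtil.parseLength(spki);
            if (keyLength < 1 || keyLength > spki.remaining()) {
                throw new AuthenticationException("Invalid subjectPublicKey length in server public key");
            }
            if (spki.get() == 0) {
                keyLength--;
            } else {
                spki.position(spki.position() - 1);
            }
            final byte[] key = new byte[keyLength];
            spki.get(key);
            if (develTrace) {
                this.log.trace("subjectPublicKey DER: " + DebugUtil.dump(key));
            }
            return key;
        } catch (MalformedChallengeException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /** Starts the TLS handshake on the engine. */
    private void beginTlsHandshake() throws AuthenticationException {
        try {
            getSSLEngine().beginHandshake();
        } catch (SSLException e) {
            throw new AuthenticationException("SSL Engine error: " + e.getMessage(), e);
        }
    }

    /** Allocates a buffer of the session's application buffer size. */
    private ByteBuffer allocateOutBuffer() {
        return ByteBuffer.allocate(getSSLEngine().getSession().getApplicationBufferSize());
    }

    /**
     * Collects the handshake records the engine wants to send and returns them base64-encoded.
     * The result is an empty string when the engine has nothing to send.
     */
    private String wrapHandshake() throws AuthenticationException {
        final ByteBuffer noApplicationData = allocateOutBuffer();
        noApplicationData.flip(); // limit 0: handshake records only
        final SSLEngine engine = getSSLEngine();
        final ByteBuffer records = ByteBuffer.allocate(engine.getSession().getPacketBufferSize() * 2);
        while (engine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            wrap(noApplicationData, records);
        }
        records.flip();
        return encodeBase64(records);
    }

    /** Protects {@code byteBuffer} with one {@code wrap} call and base64-encodes the result. */
    private String wrap(ByteBuffer byteBuffer) throws AuthenticationException {
        final ByteBuffer records = ByteBuffer.allocate(getSSLEngine().getSession().getPacketBufferSize());
        wrap(byteBuffer, records);
        records.flip();
        return encodeBase64(records);
    }

    /**
     * Runs one {@code SSLEngine.wrap} call.
     *
     * @throws AuthenticationException if the engine throws or reports a status other than OK
     */
    private void wrap(ByteBuffer byteBuffer, ByteBuffer byteBuffer2) throws AuthenticationException {
        try {
            final SSLEngineResult result = getSSLEngine().wrap(byteBuffer, byteBuffer2);
            if (result.getStatus() != SSLEngineResult.Status.OK) {
                throw new AuthenticationException("SSL Engine error status: " + result.getStatus());
            }
        } catch (SSLException e) {
            throw new AuthenticationException("SSL Engine wrap error: " + e.getMessage(), e);
        }
    }

    /** Feeds a base64 handshake token to the engine for as long as it asks for input. */
    private void unwrapHandshake(String str) throws MalformedChallengeException {
        final SSLEngine engine = getSSLEngine();
        final SSLSession session = engine.getSession();
        final ByteBuffer records = decodeBase64(str);
        final ByteBuffer applicationData = ByteBuffer.allocate(session.getApplicationBufferSize());
        while (engine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
            unwrap(records, applicationData);
        }
    }

    /**
     * Decodes a base64 token and unwraps it with a single {@code unwrap} call.
     *
     * @return the decrypted payload, flipped for reading
     */
    private ByteBuffer unwrap(String str) throws MalformedChallengeException {
        final SSLSession session = getSSLEngine().getSession();
        final ByteBuffer records = decodeBase64(str);
        final ByteBuffer applicationData = ByteBuffer.allocate(session.getApplicationBufferSize());
        unwrap(records, applicationData);
        applicationData.flip();
        return applicationData;
    }

    /**
     * Runs one {@code SSLEngine.unwrap} call and then any delegated tasks the engine asks for.
     *
     * @throws MalformedChallengeException if the engine throws or reports a status other than OK
     */
    private void unwrap(ByteBuffer byteBuffer, ByteBuffer byteBuffer2) throws MalformedChallengeException {
        final SSLEngine engine = getSSLEngine();
        try {
            final SSLEngineResult result = engine.unwrap(byteBuffer, byteBuffer2);
            if (result.getStatus() != SSLEngineResult.Status.OK) {
                throw new MalformedChallengeException("SSL Engine error status: " + result.getStatus());
            }
            // Drain every pending task; running only one can leave the handshake stuck in
            // NEED_TASK, and getDelegatedTask() may return null.
            while (engine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                final Runnable task = engine.getDelegatedTask();
                if (task == null) {
                    break;
                }
                task.run();
            }
        } catch (SSLException e) {
            throw new MalformedChallengeException("SSL Engine unwrap error: " + e.getMessage(), e);
        }
    }

    /** Base64-encodes the readable bytes of {@code byteBuffer}. */
    private String encodeBase64(ByteBuffer byteBuffer) {
        // remaining() rather than limit(): identical for a freshly flipped buffer, and it cannot
        // underflow if the position is ever non-zero.
        final byte[] bytes = new byte[byteBuffer.remaining()];
        byteBuffer.get(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Decodes a base64 token received from the server.
     *
     * @throws MalformedChallengeException if the token is not valid base64
     */
    private ByteBuffer decodeBase64(String str) throws MalformedChallengeException {
        try {
            return ByteBuffer.wrap(Base64.getDecoder().decode(str));
        } catch (IllegalArgumentException e) {
            // The token comes straight from a response header; report bad input as a protocol
            // error instead of letting an unchecked exception escape.
            throw new MalformedChallengeException("Invalid base64 in CredSSP token: " + e.getMessage(), e);
        }
    }

    /** The exchange is complete once the credentials have been sent. */
    @Override
    public boolean isComplete() {
        return this.state == State.CREDENTIALS_SENT;
    }
}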
