package org.apache.hadoop.security.authentication.util;

import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;

/* loaded from: input_file:META-INF/bundled-dependencies/hadoop-auth-3.3.5.jar:org/apache/hadoop/security/authentication/util/Signer.class */
public class Signer {
    private static final String SIGNATURE = "&s=";
    private static final String SIGNING_ALGORITHM = "HmacSHA256";
    private SignerSecretProvider secretProvider;

    public Signer(SignerSecretProvider signerSecretProvider) {
        if (signerSecretProvider == null) {
            throw new IllegalArgumentException("secretProvider cannot be NULL");
        }
        this.secretProvider = signerSecretProvider;
    }

    public synchronized String sign(String str) {
        if (str == null || str.length() == 0) {
            throw new IllegalArgumentException("NULL or empty string to sign");
        }
        return str + SIGNATURE + computeSignature(this.secretProvider.getCurrentSecret(), str);
    }

    public String verifyAndExtract(String str) throws SignerException {
        int lastIndexOf = str.lastIndexOf(SIGNATURE);
        if (lastIndexOf == -1) {
            throw new SignerException("Invalid signed text: " + str);
        }
        String substring = str.substring(lastIndexOf + SIGNATURE.length());
        String substring2 = str.substring(0, lastIndexOf);
        checkSignatures(substring2, substring);
        return substring2;
    }

    protected String computeSignature(byte[] bArr, String str) {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, SIGNING_ALGORITHM);
            Mac mac = Mac.getInstance(SIGNING_ALGORITHM);
            mac.init(secretKeySpec);
            return new Base64(0).encodeToString(mac.doFinal(StringUtils.getBytesUtf8(str)));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException("It should not happen, " + e.getMessage(), e);
        }
    }

    protected void checkSignatures(String str, String str2) throws SignerException {
        byte[] bytesUtf8 = StringUtils.getBytesUtf8(str2);
        boolean z = false;
        byte[][] allSecrets = this.secretProvider.getAllSecrets();
        int i = 0;
        while (true) {
            if (i < allSecrets.length) {
                byte[] bArr = allSecrets[i];
                if (bArr != null && MessageDigest.isEqual(bytesUtf8, StringUtils.getBytesUtf8(computeSignature(bArr, str)))) {
                    z = true;
                    break;
                }
                i++;
            } else {
                break;
            }
        }
        if (!z) {
            throw new SignerException("Invalid signature");
        }
    }
}
