package org.forgerock.openam.authentication.modules.fr.oath;

import com.google.inject.Key;
import com.google.inject.TypeLiteral;
import com.google.inject.name.Names;
import com.iplanet.dpro.session.service.InternalSession;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.callbacks.ScriptTextOutputCallback;
import com.sun.identity.authentication.modules.hotp.HOTPAlgorithm;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.InvalidPasswordException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSException;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.codec.DecoderException;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.core.rest.devices.oath.OathDeviceSettings;
import org.forgerock.openam.core.rest.devices.services.AuthenticatorDeviceServiceFactory;
import org.forgerock.openam.core.rest.devices.services.oath.AuthenticatorOathService;
import org.forgerock.openam.utils.Alphabet;
import org.forgerock.openam.utils.CodeException;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.RecoveryCodeGenerator;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.openam.utils.qr.GenerationUtils;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/fr/oath/AuthenticatorOATH.class */
public class AuthenticatorOATH extends AMLoginModule {
    protected Debug debug;
    private static final int NUM_CODES = 10;
    private static final String AUTHLEVEL = "iplanet-am-auth-authenticatoroath-auth-level";
    private static final String PASSWORD_LENGTH = "iplanet-am-auth-fr-oath-password-length";
    private static final String WINDOW_SIZE = "iplanet-am-auth-fr-oath-hotp-window-size";
    private static final String TRUNCATION_OFFSET = "iplanet-am-auth-fr-oath-truncation-offset";
    private static final String CHECKSUM = "iplanet-am-auth-fr-oath-add-checksum";
    private static final String TOTP_TIME_STEP = "iplanet-am-auth-fr-oath-size-of-time-step";
    private static final String TOTP_STEPS_IN_WINDOW = "iplanet-am-auth-fr-oath-steps-in-window";
    private static final String ALGORITHM = "iplanet-am-auth-fr-oath-algorithm";
    private static final String MIN_SECRET_KEY_LENGTH = "iplanet-am-auth-fr-oath-min-secret-key-length";
    private static final String MAXIMUM_CLOCK_DRIFT = "openam-auth-fr-oath-maximum-clock-drift";
    private static final String ISSUER_NAME = "openam-auth-fr-oath-issuer-name";
    private static final int TOTAL_ATTEMPTS = 3;
    private static final String MODULE_NAME = "ForgeRock Authenticator (OATH)";
    private String issuerName;
    private boolean isOptional;
    private static final int HOTP = 0;
    private static final int TOTP = 1;
    private static final int ERROR = 2;
    protected String amAuthOATH;
    private static final int LOGIN_START = 1;
    private static final int LOGIN_OPTIONAL = 2;
    private static final int LOGIN_NO_DEVICE = 3;
    private static final int LOGIN_SAVED_DEVICE = 4;
    private static final int REGISTER_DEVICE = 5;
    private static final int RECOVERY_USED = 6;
    private static final int LOGIN_OPT_DEVICE = 7;
    private static final int REGISTER_DEVICE_OPTION_VALUE_INDEX = 0;
    private static final int OPT_DEVICE_SKIP_INDEX = 1;
    private static final int SKIP_OATH_INDEX = 1;
    private static final int SCRIPT_OUTPUT_CALLBACK_INDEX = 1;
    private AuthenticatorOathService realmOathService;
    private AMIdentity id;
    private String userId = null;
    private String userName = null;
    private int userConfiguredSkippable = 0;
    private int passLen = 0;
    private int minSecretKeyLength = 0;
    private int windowSize = 0;
    private String authLevel = null;
    private int truncationOffset = -1;
    private boolean checksum = false;
    private int totpTimeStep = 0;
    private int totpStepsInWindow = 0;
    private long time = 0;
    private int totpMaxClockDrift = 0;
    private int attempt = 0;
    private int algorithm = 0;
    private boolean outOfSync = false;
    private final OathMaker oathDevices = (OathMaker) InjectorHolder.getInstance(OathMaker.class);
    private final AuthenticatorDeviceServiceFactory<AuthenticatorOathService> oathServiceFactory = (AuthenticatorDeviceServiceFactory) InjectorHolder.getInstance(Key.get(new TypeLiteral<AuthenticatorDeviceServiceFactory<AuthenticatorOathService>>() { // from class: org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH.1
    }, Names.named("AuthenticatorOathServiceFactory")));
    private final RecoveryCodeGenerator recoveryCodeGenerator = (RecoveryCodeGenerator) InjectorHolder.getInstance(RecoveryCodeGenerator.class);
    private OathDeviceSettings newDevice = null;

    public AuthenticatorOATH() {
        this.debug = null;
        this.amAuthOATH = null;
        this.amAuthOATH = "amAuthAuthenticatorOATH";
        this.debug = Debug.getInstance(this.amAuthOATH);
    }

    public Principal getPrincipal() {
        if (this.userId != null) {
            return new OATHPrincipal(this.userId);
        }
        if (this.userName != null) {
            return new OATHPrincipal(this.userName);
        }
        return null;
    }

    public void init(Subject subject, Map map, Map map2) {
        if (this.debug.messageEnabled()) {
            this.debug.message("OATH::init");
        }
        this.userName = (String) map.get(getUserKey());
        try {
            checkForSessionAndGetUsernameAndUUID();
            try {
                this.id = IdUtils.getIdentity(this.userName, DNMapper.orgNameToRealmName(getRequestOrg()));
                this.realmOathService = this.oathServiceFactory.create(this.id.getRealm());
                this.authLevel = CollectionHelper.getMapAttr(map2, AUTHLEVEL);
                try {
                    this.passLen = CollectionHelper.getIntMapAttr(map2, PASSWORD_LENGTH, 0, this.debug);
                } catch (NumberFormatException e) {
                    this.passLen = 0;
                }
                try {
                    this.minSecretKeyLength = CollectionHelper.getIntMapAttr(map2, MIN_SECRET_KEY_LENGTH, 0, this.debug);
                } catch (NumberFormatException e2) {
                    this.minSecretKeyLength = 0;
                }
                this.windowSize = CollectionHelper.getIntMapAttr(map2, WINDOW_SIZE, 0, this.debug);
                this.truncationOffset = CollectionHelper.getIntMapAttr(map2, TRUNCATION_OFFSET, -1, this.debug);
                this.isOptional = !getLoginState("authenticatorOATH").is2faMandatory();
                this.totpTimeStep = CollectionHelper.getIntMapAttr(map2, TOTP_TIME_STEP, 1, this.debug);
                this.totpStepsInWindow = CollectionHelper.getIntMapAttr(map2, TOTP_STEPS_IN_WINDOW, 1, this.debug);
                this.checksum = CollectionHelper.getBooleanMapAttr(map2, CHECKSUM, false);
                this.totpMaxClockDrift = CollectionHelper.getIntMapAttr(map2, MAXIMUM_CLOCK_DRIFT, 0, this.debug);
                this.issuerName = CollectionHelper.getMapAttr(map2, ISSUER_NAME);
                String mapAttr = CollectionHelper.getMapAttr(map2, ALGORITHM);
                if ("HOTP".equalsIgnoreCase(mapAttr)) {
                    this.algorithm = 0;
                } else if ("TOTP".equalsIgnoreCase(mapAttr)) {
                    this.algorithm = 1;
                } else {
                    this.algorithm = 2;
                }
                if (this.authLevel != null) {
                    try {
                        setAuthLevel(Integer.parseInt(this.authLevel));
                    } catch (Exception e3) {
                        if (this.debug.errorEnabled()) {
                            this.debug.error("OATH :: init() : Unable to set auth level " + this.authLevel, e3);
                        }
                    }
                }
            } catch (SMSException | SSOException | AuthLoginException e4) {
                if (this.debug.errorEnabled()) {
                    this.debug.error("OATH :: init() : Unable to configure basic module properties " + this.authLevel, e4);
                }
            }
        } catch (AuthLoginException | SSOException e5) {
            if (this.debug.messageEnabled()) {
                this.debug.message("AuthenticatorOATH :: init() : Unable to get userName ", e5);
            }
        }
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:17:0x0081. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:26:0x00e1 A[Catch: SSOException | IdRepoException | IOException -> 0x0170, SSOException | IdRepoException | IOException -> 0x0170, SSOException | IdRepoException | IOException -> 0x0170, TryCatch #0 {SSOException | IdRepoException | IOException -> 0x0170, blocks: (B:2:0x0000, B:2:0x0000, B:2:0x0000, B:4:0x000a, B:4:0x000a, B:4:0x000a, B:5:0x0016, B:5:0x0016, B:5:0x0016, B:7:0x0017, B:7:0x0017, B:7:0x0017, B:9:0x002a, B:9:0x002a, B:9:0x002a, B:11:0x0047, B:11:0x0047, B:11:0x0047, B:14:0x0071, B:14:0x0071, B:14:0x0071, B:15:0x007f, B:15:0x007f, B:15:0x007f, B:17:0x0081, B:17:0x0081, B:17:0x0081, B:18:0x00ac, B:18:0x00ac, B:18:0x00ac, B:20:0x00b2, B:22:0x00c3, B:24:0x00d1, B:24:0x00d1, B:24:0x00d1, B:26:0x00e1, B:26:0x00e1, B:26:0x00e1, B:28:0x00f7, B:28:0x00f7, B:28:0x00f7, B:30:0x0108, B:30:0x0108, B:30:0x0108, B:32:0x0121, B:32:0x0121, B:32:0x0121, B:34:0x0129, B:34:0x0129, B:34:0x0129, B:36:0x0130, B:36:0x0130, B:36:0x0130, B:38:0x013b, B:38:0x013b, B:38:0x013b, B:40:0x0144, B:40:0x0144, B:40:0x0144, B:42:0x014b, B:42:0x014b, B:42:0x014b, B:45:0x0159, B:45:0x0159, B:45:0x0159, B:46:0x016f, B:46:0x016f, B:46:0x016f, B:49:0x0037, B:49:0x0037, B:49:0x0037, B:50:0x0045, B:50:0x0045, B:50:0x0045), top: B:1:0x0000 }] */
    /* JADX WARN: Removed duplicated region for block: B:30:0x0108 A[Catch: SSOException | IdRepoException | IOException -> 0x0170, SSOException | IdRepoException | IOException -> 0x0170, SSOException | IdRepoException | IOException -> 0x0170, TryCatch #0 {SSOException | IdRepoException | IOException -> 0x0170, blocks: (B:2:0x0000, B:2:0x0000, B:2:0x0000, B:4:0x000a, B:4:0x000a, B:4:0x000a, B:5:0x0016, B:5:0x0016, B:5:0x0016, B:7:0x0017, B:7:0x0017, B:7:0x0017, B:9:0x002a, B:9:0x002a, B:9:0x002a, B:11:0x0047, B:11:0x0047, B:11:0x0047, B:14:0x0071, B:14:0x0071, B:14:0x0071, B:15:0x007f, B:15:0x007f, B:15:0x007f, B:17:0x0081, B:17:0x0081, B:17:0x0081, B:18:0x00ac, B:18:0x00ac, B:18:0x00ac, B:20:0x00b2, B:22:0x00c3, B:24:0x00d1, B:24:0x00d1, B:24:0x00d1, B:26:0x00e1, B:26:0x00e1, B:26:0x00e1, B:28:0x00f7, B:28:0x00f7, B:28:0x00f7, B:30:0x0108, B:30:0x0108, B:30:0x0108, B:32:0x0121, B:32:0x0121, B:32:0x0121, B:34:0x0129, B:34:0x0129, B:34:0x0129, B:36:0x0130, B:36:0x0130, B:36:0x0130, B:38:0x013b, B:38:0x013b, B:38:0x013b, B:40:0x0144, B:40:0x0144, B:40:0x0144, B:42:0x014b, B:42:0x014b, B:42:0x014b, B:45:0x0159, B:45:0x0159, B:45:0x0159, B:46:0x016f, B:46:0x016f, B:46:0x016f, B:49:0x0037, B:49:0x0037, B:49:0x0037, B:50:0x0045, B:50:0x0045, B:50:0x0045), top: B:1:0x0000 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public int process(javax.security.auth.callback.Callback[] r10, int r11) throws com.sun.identity.authentication.spi.AuthLoginException {
        /*
            Method dump skipped, instructions count: 394
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH.process(javax.security.auth.callback.Callback[], int):int");
    }

    private void checkForSessionAndGetUsernameAndUUID() throws SSOException, AuthLoginException {
        if (StringUtils.isEmpty(this.userName)) {
            SSOTokenManager sSOTokenManager = SSOTokenManager.getInstance();
            InternalSession oldSession = getLoginState("OATH").getOldSession();
            if (oldSession == null) {
                throw new AuthLoginException("amAuth", "noInternalSession", (Object[]) null);
            }
            SSOToken createSSOToken = sSOTokenManager.createSSOToken(oldSession.getID().toString());
            this.userId = createSSOToken.getPrincipal().getName();
            this.userName = createSSOToken.getProperty("UserToken");
            if (this.debug.messageEnabled()) {
                this.debug.message("OATH.process() : Username from SSOToken : " + this.userName);
            }
            if (StringUtils.isEmpty(this.userName)) {
                throw new AuthLoginException("amAuth", "noUserName", (Object[]) null);
            }
        }
    }

    private int beginLogin(OathDeviceSettings oathDeviceSettings) throws AuthLoginException {
        if (this.isOptional && this.userConfiguredSkippable == 1) {
            return -1;
        }
        if (this.isOptional && this.userConfiguredSkippable == 0) {
            return 2;
        }
        if (this.isOptional && this.userConfiguredSkippable != 2) {
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        if (oathDeviceSettings == null) {
            return this.isOptional ? 2 : 3;
        }
        replaceHeader(LOGIN_SAVED_DEVICE, MODULE_NAME);
        return LOGIN_SAVED_DEVICE;
    }

    private int doLoginSavedDevice(Callback[] callbackArr, int i, OathDeviceSettings oathDeviceSettings) throws AuthLoginException, IOException, IdRepoException, SSOException {
        OathDeviceSettings oathDeviceSettings2 = oathDeviceSettings;
        if (null == oathDeviceSettings2 && null != this.newDevice) {
            oathDeviceSettings2 = this.newDevice;
        }
        String name = ((NameCallback) callbackArr[0]).getName();
        if (name.length() == 0) {
            this.debug.error("OATH.process() : invalid OTP code");
            int i2 = this.attempt + 1;
            this.attempt = i2;
            if (i2 >= 3) {
                setFailureID(this.userName);
                throw new InvalidPasswordException("amAuth", "invalidPasswd", (Object[]) null);
            }
            replaceHeader(i, "ForgeRock Authenticator (OATH)Attempt " + (this.attempt + 1) + " of 3");
            return i;
        }
        this.time = Time.currentTimeMillis() / 1000;
        if (isRecoveryCode(name, oathDeviceSettings2, this.id)) {
            return 6;
        }
        if (checkOTP(name, this.id, oathDeviceSettings2)) {
            if (this.isOptional) {
                this.realmOathService.setUserSkipOath(this.id, 2);
            }
            if (null != oathDeviceSettings) {
                return -1;
            }
            this.oathDevices.saveDeviceProfile(this.id.getName(), this.id.getRealm(), oathDeviceSettings2);
            return -1;
        }
        int i3 = this.attempt + 1;
        this.attempt = i3;
        if (i3 < 3) {
            replaceHeader(i, "ForgeRock Authenticator (OATH) Attempt " + (this.attempt + 1) + " of 3");
            return i;
        }
        setFailureID(this.userName);
        if (this.outOfSync) {
            throw new InvalidPasswordException(this.amAuthOATH, "outOfSync", (Object[]) null);
        }
        throw new InvalidPasswordException("amAuth", "invalidPasswd", (Object[]) null);
    }

    private OathDeviceSettings createBasicDevice() throws AuthLoginException {
        OathDeviceSettings createDeviceProfile = this.oathDevices.createDeviceProfile(this.minSecretKeyLength);
        createDeviceProfile.setChecksumDigit(this.checksum);
        try {
            createDeviceProfile.setRecoveryCodes(this.recoveryCodeGenerator.generateCodes(NUM_CODES, Alphabet.ALPHANUMERIC, false));
            return createDeviceProfile;
        } catch (CodeException e) {
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
    }

    private boolean isRecoveryCode(String str, OathDeviceSettings oathDeviceSettings, AMIdentity aMIdentity) throws IOException, AuthLoginException {
        if (oathDeviceSettings == null) {
            this.debug.error("OATH.checkOTP() : Invalid stored settings.");
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        ArrayList arrayList = new ArrayList(Arrays.asList(oathDeviceSettings.getRecoveryCodes()));
        if (!arrayList.contains(str)) {
            return false;
        }
        arrayList.remove(str);
        oathDeviceSettings.setRecoveryCodes((String[]) arrayList.toArray(new String[arrayList.size()]));
        this.oathDevices.saveDeviceProfile(aMIdentity.getName(), aMIdentity.getRealm(), oathDeviceSettings);
        return true;
    }

    private void detectNecessity(AMIdentity aMIdentity) throws AuthLoginException, IdRepoException, SSOException {
        Set attribute;
        if (this.isOptional && StringUtils.isBlank(this.realmOathService.getSkippableAttributeName())) {
            this.isOptional = false;
        }
        if (!this.isOptional || (attribute = aMIdentity.getAttribute(this.realmOathService.getSkippableAttributeName())) == null || attribute.isEmpty()) {
            return;
        }
        this.userConfiguredSkippable = Integer.valueOf((String) attribute.iterator().next()).intValue();
    }

    private void paintRegisterDeviceCallback(AMIdentity aMIdentity, OathDeviceSettings oathDeviceSettings) throws AuthLoginException {
        replaceCallback(REGISTER_DEVICE, 1, createQRCodeCallback(oathDeviceSettings, aMIdentity, 1));
    }

    private Callback createQRCodeCallback(OathDeviceSettings oathDeviceSettings, AMIdentity aMIdentity, int i) throws AuthLoginException {
        try {
            return new ScriptTextOutputCallback(GenerationUtils.getQRCodeGenerationJavascriptForAuthenticatorAppRegistration("callback_" + i, getAuthenticatorAppRegistrationUri(oathDeviceSettings, aMIdentity)));
        } catch (IOException e) {
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
    }

    private String getAuthenticatorAppRegistrationUri(OathDeviceSettings oathDeviceSettings, AMIdentity aMIdentity) throws AuthLoginException, IOException {
        if (oathDeviceSettings == null) {
            this.debug.error("OATH.checkOTP() : Invalid settings discovered.");
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        AuthenticatorAppRegistrationURIBuilder authenticatorAppRegistrationURIBuilder = new AuthenticatorAppRegistrationURIBuilder(aMIdentity, oathDeviceSettings.getSharedSecret(), this.passLen, this.issuerName);
        int i = this.algorithm;
        try {
            if (i == 0) {
                return authenticatorAppRegistrationURIBuilder.getAuthenticatorAppRegistrationUriForHOTP(oathDeviceSettings.getCounter());
            }
            if (i == 1) {
                return authenticatorAppRegistrationURIBuilder.getAuthenticatorAppRegistrationUriForTOTP(this.totpTimeStep);
            }
            this.debug.error("OATH .checkOTP() : No OTP algorithm selected");
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        } catch (DecoderException e) {
            this.debug.error("OATH .getCreateQRDomElementJS() : Could not decode secret key from hex to plain text", e);
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
    }

    public void destroyModuleState() {
        this.userId = null;
        this.userName = null;
    }

    public void nullifyUsedVars() {
        this.authLevel = null;
        this.amAuthOATH = null;
    }

    private boolean checkOTP(String str, AMIdentity aMIdentity, OathDeviceSettings oathDeviceSettings) throws AuthLoginException {
        if (oathDeviceSettings == null) {
            this.debug.error("OATH.checkOTP() : Invalid stored settings.");
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        String parseSecretKey = parseSecretKey(oathDeviceSettings.getSharedSecret());
        if (this.minSecretKeyLength <= 0) {
            this.debug.error("OATH.checkOTP() : Min Secret Key Length is not a valid value");
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        if (parseSecretKey == null || parseSecretKey.isEmpty()) {
            this.debug.error("OATH.checkOTP() : Secret key is not a valid value");
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        if (parseSecretKey.length() < this.minSecretKeyLength) {
            if (this.debug.errorEnabled()) {
                this.debug.error("OATH.checkOTP() : Secret key of length " + parseSecretKey.length() + " is less than the minimum secret key length");
            }
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        byte[] parseHexBinary = DatatypeConverter.parseHexBinary(parseSecretKey);
        if (this.passLen < 6) {
            this.debug.error("OATH.checkOTP() : Password length is smaller than 6");
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        }
        try {
            if (this.algorithm == 0) {
                int counter = oathDeviceSettings.getCounter();
                for (int i = 0; i <= this.windowSize; i++) {
                    if (isEqual(HOTPAlgorithm.generateOTP(parseHexBinary, counter + i, this.passLen, this.checksum, this.truncationOffset), str)) {
                        setCounterAttr(aMIdentity, counter + i + 1, oathDeviceSettings);
                        return true;
                    }
                }
            } else {
                if (this.algorithm != 1) {
                    this.debug.error("OATH.checkOTP() : No OTP algorithm selected");
                    throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
                }
                long lastLogin = oathDeviceSettings.getLastLogin() / this.totpTimeStep;
                if (lastLogin < 0) {
                    this.debug.error("OATH.checkOTP() : invalid login time value : ");
                    throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
                }
                if (this.totpTimeStep <= 0) {
                    this.debug.error("OATH.checkOTP() : invalid TOTP time step interval : ");
                    throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
                }
                if (this.totpStepsInWindow < 0) {
                    this.debug.error("OATH.checkOTP() : invalid TOTP steps in window value : ");
                    throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
                }
                long clockDriftSeconds = (this.time / this.totpTimeStep) + (oathDeviceSettings.getClockDriftSeconds() / this.totpTimeStep);
                if (lastLogin == clockDriftSeconds) {
                    this.debug.error("OATH.checkOTP(): Login failed attempting to use the same OTP in same Time Step: " + clockDriftSeconds);
                    return false;
                }
                boolean z = false;
                if (lastLogin >= clockDriftSeconds - this.totpStepsInWindow && lastLogin <= clockDriftSeconds + this.totpStepsInWindow) {
                    if (this.debug.messageEnabled()) {
                        this.debug.message("OATH.checkOTP() : Logging in in the same TOTP window");
                    }
                    z = true;
                }
                String num = Integer.toString(this.passLen);
                if (isEqual(TOTPAlgorithm.generateTOTP(parseSecretKey, Long.toHexString(clockDriftSeconds), num), str)) {
                    return setLoginTime(aMIdentity, clockDriftSeconds, oathDeviceSettings);
                }
                for (int i2 = 1; i2 <= this.totpStepsInWindow; i2++) {
                    long j = clockDriftSeconds + i2;
                    long j2 = clockDriftSeconds - i2;
                    if (isEqual(TOTPAlgorithm.generateTOTP(parseSecretKey, Long.toHexString(j), num), str)) {
                        return setLoginTime(aMIdentity, j, oathDeviceSettings);
                    }
                    String generateTOTP = TOTPAlgorithm.generateTOTP(parseSecretKey, Long.toHexString(j2), num);
                    if (isEqual(generateTOTP, str) && z) {
                        this.debug.error("OATH.checkOTP() : Logging in in the same window with a OTP that is older than the current times OTP");
                        return false;
                    }
                    if (isEqual(generateTOTP, str) && !z) {
                        return setLoginTime(aMIdentity, j2, oathDeviceSettings);
                    }
                }
            }
            return false;
        } catch (Exception e) {
            this.debug.error("OATH.checkOTP() : checkOTP process failed : ", e);
            throw new AuthLoginException(this.amAuthOATH, "authFailed", (Object[]) null);
        } catch (AuthLoginException e2) {
            throw e2;
        }
    }

    private OathDeviceSettings getOathDeviceSettings(String str, String str2) throws IOException, AuthLoginException {
        return (OathDeviceSettings) CollectionUtils.getFirstItem(this.oathDevices.getDeviceProfiles(str, str2), (Object) null);
    }

    private String parseSecretKey(String str) {
        String lowerCase = str.replaceAll("\\s+", "").toLowerCase();
        if (lowerCase.length() % 2 != 0) {
            lowerCase = "0" + lowerCase;
        }
        return lowerCase;
    }

    private void setCounterAttr(AMIdentity aMIdentity, int i, OathDeviceSettings oathDeviceSettings) throws AuthLoginException, IOException {
        oathDeviceSettings.setCounter(i);
        this.oathDevices.saveDeviceProfile(aMIdentity.getName(), aMIdentity.getRealm(), oathDeviceSettings);
    }

    private boolean setLoginTime(AMIdentity aMIdentity, long j, OathDeviceSettings oathDeviceSettings) throws AuthLoginException, IOException {
        long j2 = j - (this.time / this.totpTimeStep);
        if (Math.abs(j2) > this.totpMaxClockDrift) {
            this.outOfSync = true;
            return false;
        }
        oathDeviceSettings.setLastLogin(j * this.totpTimeStep, TimeUnit.SECONDS);
        oathDeviceSettings.setClockDriftSeconds(((int) j2) * this.totpTimeStep);
        this.oathDevices.saveDeviceProfile(aMIdentity.getName(), aMIdentity.getRealm(), oathDeviceSettings);
        return true;
    }

    private boolean isEqual(String str, String str2) {
        return MessageDigest.isEqual(str.getBytes(), str2.getBytes());
    }
}
