package net.shibboleth.utilities.java.support.security;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.AbstractInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.ConstraintViolationException;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.apache.commons.codec.BinaryDecoder;
import org.apache.commons.codec.BinaryEncoder;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/utilities/java/support/security/DataSealer.class */
public class DataSealer extends AbstractInitializableComponent {

    @NotEmpty
    @Nonnull
    public static final String MAGIC_STRING = "PXR5";
    private static final int PREFIX_LEN = 10;
    private static final int CHUNK_SIZE = 60000;
    private boolean lockedAtStartup;

    @NonnullAfterInit
    private DataSealerKeyStrategy keyStrategy;

    @NonnullAfterInit
    private SecureRandom random;

    @Nullable
    private String nodePrefix;

    @Nonnull
    private Logger log = LoggerFactory.getLogger(DataSealer.class);

    @Nonnull
    private BinaryEncoder encoder = new Base64(0, new byte[]{10});

    @Nonnull
    private BinaryDecoder decoder = (Base64) this.encoder;

    public void setLockedAtStartup(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.lockedAtStartup = z;
    }

    public void setKeyStrategy(@Nonnull DataSealerKeyStrategy dataSealerKeyStrategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.keyStrategy = (DataSealerKeyStrategy) Constraint.isNotNull(dataSealerKeyStrategy, "DataSealerKeyStrategy cannot be null");
    }

    public void setRandom(@Nonnull SecureRandom secureRandom) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.random = (SecureRandom) Constraint.isNotNull(secureRandom, "SecureRandom cannot be null");
    }

    public void setEncoder(@Nonnull BinaryEncoder binaryEncoder) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.encoder = (BinaryEncoder) Constraint.isNotNull(binaryEncoder, "Encoder cannot be null");
    }

    public void setDecoder(@Nonnull BinaryDecoder binaryDecoder) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.decoder = (BinaryDecoder) Constraint.isNotNull(binaryDecoder, "Decoder cannot be null");
    }

    public void setNodePrefix(@NotEmpty @Nullable String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.nodePrefix = StringSupport.trimOrNull(str);
        if (this.nodePrefix != null) {
            if (this.nodePrefix.length() > 10) {
                throw new ConstraintViolationException("DataSealer nodePrefix cannot be longer than " + Integer.toString(10) + " characters");
            }
            if (this.nodePrefix.length() < 10) {
                this.nodePrefix = this.nodePrefix.concat(new String("X").repeat(10 - this.nodePrefix.length()));
            }
        }
    }

    @Override // net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        try {
            try {
                Constraint.isNotNull(this.keyStrategy, "DataSealerKeyStrategy cannot be null");
                if (this.random == null) {
                    this.random = new SecureRandom();
                }
                if (!this.lockedAtStartup) {
                    testEncryption(this.keyStrategy.getDefaultKey().getSecond());
                }
                if (this.nodePrefix != null) {
                    this.log.info("DataSealer will attach prefix of {} + {} to wrapped values", MAGIC_STRING, this.nodePrefix);
                }
            } catch (ConstraintViolationException e) {
                throw new ComponentInitializationException(e);
            }
        } catch (KeyException e2) {
            this.log.error(e2.getMessage());
            throw new ComponentInitializationException("Exception loading the keystore", e2);
        } catch (DataSealerException e3) {
            this.log.error(e3.getMessage());
            throw new ComponentInitializationException("Exception testing the encryption settings used", e3);
        }
    }

    @Nonnull
    public String unwrap(@NotEmpty @Nonnull String str) throws DataSealerException {
        return unwrap(str, null);
    }

    @Nonnull
    public String unwrap(@NotEmpty @Nonnull String str, @Nullable StringBuffer stringBuffer) throws DataSealerException {
        byte[] decode;
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        int length = MAGIC_STRING.length();
        try {
            try {
                if (str.startsWith(MAGIC_STRING)) {
                    if (this.nodePrefix == null) {
                        this.log.warn("Data was prefixed but no node prefix is configured");
                    } else if (!str.regionMatches(length, this.nodePrefix, 0, 10)) {
                        this.log.warn("Data was prefixed with {} but configured prefix is {}", str.substring(length, length + 10), this.nodePrefix);
                    }
                    decode = this.decoder.decode(str.substring(length + 10).getBytes(StandardCharsets.UTF_8));
                } else {
                    decode = this.decoder.decode(str.getBytes(StandardCharsets.UTF_8));
                }
                DataInputStream dataInputStream = new DataInputStream(new ByteArrayInputStream(decode));
                try {
                    String readUTF = dataInputStream.readUTF();
                    this.log.trace("Data was encrypted by key named '{}'", readUTF);
                    if (stringBuffer != null) {
                        stringBuffer.append(readUTF);
                    }
                    SecretKey key = this.keyStrategy.getKey(readUTF);
                    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                    int blockSize = cipher.getBlockSize();
                    byte[] bArr = new byte[blockSize];
                    dataInputStream.readFully(bArr);
                    cipher.init(2, key, new GCMParameterSpec(128, bArr));
                    cipher.updateAAD(readUTF.getBytes());
                    byte[] bArr2 = new byte[decode.length - blockSize];
                    int read = dataInputStream.read(bArr2);
                    byte[] bArr3 = new byte[cipher.getOutputSize(read)];
                    cipher.doFinal(bArr3, cipher.update(bArr2, 0, read, bArr3, 0));
                    String extractAndCheckDecryptedData = extractAndCheckDecryptedData(bArr3);
                    dataInputStream.close();
                    return extractAndCheckDecryptedData;
                } catch (Throwable th) {
                    try {
                        dataInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (IOException | IllegalArgumentException | GeneralSecurityException | DecoderException e) {
                this.log.error("Exception unwrapping data: {}", e.getMessage());
                throw new DataSealerException("Exception unwrapping data", e);
            }
        } catch (KeyNotFoundException e2) {
            if (stringBuffer != null) {
                this.log.info("Data was wrapped with a key ({}) no longer available", stringBuffer.toString());
            } else {
                this.log.info("Data was wrapped with a key no longer available");
            }
            throw new DataExpiredException("Data wrapped with expired key");
        } catch (KeyException e3) {
            this.log.error(e3.getMessage());
            throw new DataSealerException("Exception loading key", e3);
        }
    }

    @Nonnull
    private String extractAndCheckDecryptedData(@NotEmpty @Nonnull byte[] bArr) throws DataSealerException {
        try {
            DataInputStream dataInputStream = new DataInputStream(new GZIPInputStream(new ByteArrayInputStream(bArr)));
            try {
                long readLong = dataInputStream.readLong();
                if (readLong > 0 && System.currentTimeMillis() > readLong) {
                    this.log.debug("Unwrapped data has expired");
                    throw new DataExpiredException("Unwrapped data has expired");
                }
                StringBuffer stringBuffer = new StringBuffer();
                int i = 0;
                while (true) {
                    try {
                        stringBuffer.append(dataInputStream.readUTF());
                        i++;
                        this.log.trace("Read chunk #{} from output stream", Integer.valueOf(i));
                    } catch (EOFException e) {
                        this.log.trace("Unwrapped data verified");
                        String stringBuffer2 = stringBuffer.toString();
                        dataInputStream.close();
                        return stringBuffer2;
                    }
                }
            } finally {
            }
        } catch (IOException e2) {
            this.log.error(e2.getMessage());
            throw new DataSealerException("Caught IOException unwrapping data", e2);
        }
    }

    @Nonnull
    public String wrap(@NotEmpty @Nonnull String str) throws DataSealerException {
        return wrap(str, null);
    }

    @Nonnull
    public String wrap(@NotEmpty @Nonnull String str, @Nullable Instant instant) throws DataSealerException {
        long epochMilli;
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        if (str == null || str.length() == 0) {
            throw new IllegalArgumentException("Data must be supplied for the wrapping operation");
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            byte[] bArr = new byte[cipher.getBlockSize()];
            this.random.nextBytes(bArr);
            GCMParameterSpec gCMParameterSpec = new GCMParameterSpec(128, bArr);
            Pair<String, SecretKey> defaultKey = this.keyStrategy.getDefaultKey();
            cipher.init(1, defaultKey.getSecond(), gCMParameterSpec);
            cipher.updateAAD(defaultKey.getFirst().getBytes());
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            try {
                GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
                try {
                    DataOutputStream dataOutputStream = new DataOutputStream(gZIPOutputStream);
                    if (instant != null) {
                        try {
                            epochMilli = instant.toEpochMilli();
                        } catch (Throwable th) {
                            throw th;
                        }
                    } else {
                        epochMilli = 0;
                    }
                    dataOutputStream.writeLong(epochMilli);
                    int i = 0;
                    int i2 = 0;
                    int length = str.length();
                    while (i2 < length) {
                        dataOutputStream.writeUTF(str.substring(i2, i2 + Math.min(length - i2, CHUNK_SIZE)));
                        i2 += Math.min(length - i2, CHUNK_SIZE);
                        i++;
                        this.log.trace("Wrote chunk #{} to output stream", Integer.valueOf(i));
                    }
                    dataOutputStream.flush();
                    gZIPOutputStream.flush();
                    gZIPOutputStream.finish();
                    byteArrayOutputStream.flush();
                    byte[] byteArray = byteArrayOutputStream.toByteArray();
                    byte[] bArr2 = new byte[cipher.getOutputSize(byteArray.length)];
                    int update = cipher.update(byteArray, 0, byteArray.length, bArr2, 0);
                    int doFinal = update + cipher.doFinal(bArr2, update);
                    ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
                    try {
                        dataOutputStream = new DataOutputStream(byteArrayOutputStream2);
                        try {
                            dataOutputStream.writeUTF(defaultKey.getFirst());
                            dataOutputStream.write(bArr);
                            dataOutputStream.write(bArr2, 0, doFinal);
                            dataOutputStream.flush();
                            byteArrayOutputStream2.flush();
                            if (this.nodePrefix != null) {
                                String str2 = MAGIC_STRING + this.nodePrefix + new String(this.encoder.encode(byteArrayOutputStream2.toByteArray()), StandardCharsets.UTF_8);
                                dataOutputStream.close();
                                byteArrayOutputStream2.close();
                                dataOutputStream.close();
                                gZIPOutputStream.close();
                                byteArrayOutputStream.close();
                                return str2;
                            }
                            String str3 = new String(this.encoder.encode(byteArrayOutputStream2.toByteArray()), StandardCharsets.UTF_8);
                            dataOutputStream.close();
                            byteArrayOutputStream2.close();
                            dataOutputStream.close();
                            gZIPOutputStream.close();
                            byteArrayOutputStream.close();
                            return str3;
                        } finally {
                            try {
                                dataOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                    } catch (Throwable th3) {
                        try {
                            byteArrayOutputStream2.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                        throw th3;
                    }
                } catch (Throwable th5) {
                    try {
                        gZIPOutputStream.close();
                    } catch (Throwable th6) {
                        th5.addSuppressed(th6);
                    }
                    throw th5;
                }
            } finally {
            }
        } catch (Exception e) {
            this.log.error("Exception wrapping data: {}", e.getMessage());
            throw new DataSealerException("Exception wrapping data", e);
        }
    }

    private void testEncryption(@Nullable SecretKey secretKey) throws DataSealerException {
        if (secretKey == null) {
            throw new DataSealerException("Secret key was null");
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            byte[] bArr = new byte[cipher.getBlockSize()];
            this.random.nextBytes(bArr);
            GCMParameterSpec gCMParameterSpec = new GCMParameterSpec(128, bArr);
            cipher.init(1, secretKey, gCMParameterSpec);
            cipher.updateAAD("aad".getBytes(StandardCharsets.UTF_8));
            byte[] bytes = "test".getBytes(StandardCharsets.UTF_8);
            byte[] bArr2 = new byte[cipher.getOutputSize(bytes.length)];
            cipher.doFinal(bArr2, cipher.update(bytes, 0, bytes.length, bArr2, 0));
            cipher.init(2, secretKey, gCMParameterSpec);
            cipher.updateAAD("aad".getBytes(StandardCharsets.UTF_8));
            byte[] bArr3 = new byte[cipher.getOutputSize(bArr2.length)];
            cipher.doFinal(bArr3, cipher.update(bArr2, 0, bArr2.length, bArr3, 0));
            String str = new String(bArr3, StandardCharsets.UTF_8);
            if (str == null || !"test".equals(str)) {
                this.log.error("Round trip encryption/decryption test unsuccessful. Decrypted text did not match");
                throw new DataSealerException("Round trip encryption/decryption test unsuccessful");
            }
        } catch (IllegalStateException | GeneralSecurityException e) {
            this.log.error("Round trip encryption/decryption test unsuccessful: {}", e.getMessage());
            throw new DataSealerException("Round trip encryption/decryption test unsuccessful", e);
        }
    }
}
