package net.shibboleth.utilities.java.support.security;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyException;
import java.security.SecureRandom;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.AbstractInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.ConstraintViolationException;
import org.apache.commons.codec.BinaryDecoder;
import org.apache.commons.codec.BinaryEncoder;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base64;
import org.apache.xalan.templates.Constants;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.util.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/java-support-7.3.0.jar:net/shibboleth/utilities/java/support/security/DataSealer.class */
public class DataSealer extends AbstractInitializableComponent {
    private static final int CHUNK_SIZE = 60000;

    @NonnullAfterInit
    private DataSealerKeyStrategy keyStrategy;

    @NonnullAfterInit
    private SecureRandom random;

    @Nonnull
    private Logger log = LoggerFactory.getLogger((Class<?>) DataSealer.class);

    @Nonnull
    private BinaryEncoder encoder = new Base64(0, new byte[]{10});

    @Nonnull
    private BinaryDecoder decoder = (Base64) this.encoder;

    public void setKeyStrategy(@Nonnull DataSealerKeyStrategy dataSealerKeyStrategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.keyStrategy = (DataSealerKeyStrategy) Constraint.isNotNull(dataSealerKeyStrategy, "DataSealerKeyStrategy cannot be null");
    }

    public void setRandom(@Nonnull SecureRandom secureRandom) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.random = (SecureRandom) Constraint.isNotNull(secureRandom, "SecureRandom cannot be null");
    }

    public void setEncoder(@Nonnull BinaryEncoder binaryEncoder) {
        this.encoder = (BinaryEncoder) Constraint.isNotNull(binaryEncoder, "Encoder cannot be null");
    }

    public void setDecoder(@Nonnull BinaryDecoder binaryDecoder) {
        this.decoder = (BinaryDecoder) Constraint.isNotNull(binaryDecoder, "Decoder cannot be null");
    }

    @Override // net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        try {
            try {
                Constraint.isNotNull(this.keyStrategy, "DataSealerKeyStrategy cannot be null");
                if (this.random == null) {
                    this.random = new SecureRandom();
                }
                testEncryption(this.keyStrategy.getDefaultKey().getSecond());
            } catch (ConstraintViolationException e) {
                throw new ComponentInitializationException(e);
            }
        } catch (KeyException e2) {
            this.log.error(e2.getMessage());
            throw new ComponentInitializationException("Exception loading the keystore", e2);
        } catch (DataSealerException e3) {
            this.log.error(e3.getMessage());
            throw new ComponentInitializationException("Exception testing the encryption settings used", e3);
        }
    }

    @Nonnull
    public String unwrap(@NotEmpty @Nonnull String str) throws DataSealerException {
        return unwrap(str, null);
    }

    @Nonnull
    public String unwrap(@NotEmpty @Nonnull String str, @Nullable StringBuffer stringBuffer) throws DataSealerException {
        try {
            byte[] decode = this.decoder.decode(str.getBytes(StandardCharsets.UTF_8));
            DataInputStream dataInputStream = new DataInputStream(new ByteArrayInputStream(decode));
            String readUTF = dataInputStream.readUTF();
            this.log.trace("Data was encrypted by key named '{}'", readUTF);
            if (stringBuffer != null) {
                stringBuffer.append(readUTF);
            }
            SecretKey key = this.keyStrategy.getKey(readUTF);
            GCMBlockCipher gCMBlockCipher = new GCMBlockCipher(new AESEngine());
            int blockSize = gCMBlockCipher.getUnderlyingCipher().getBlockSize();
            byte[] bArr = new byte[blockSize];
            dataInputStream.readFully(bArr);
            gCMBlockCipher.init(false, new AEADParameters(new KeyParameter(key.getEncoded()), 128, bArr, readUTF.getBytes()));
            byte[] bArr2 = new byte[decode.length - blockSize];
            int read = dataInputStream.read(bArr2);
            byte[] bArr3 = new byte[gCMBlockCipher.getOutputSize(read)];
            gCMBlockCipher.doFinal(bArr3, gCMBlockCipher.processBytes(bArr2, 0, read, bArr3, 0));
            return extractAndCheckDecryptedData(bArr3);
        } catch (IOException | IllegalStateException | DecoderException | InvalidCipherTextException e) {
            this.log.error("Exception unwrapping data", (Throwable) e);
            throw new DataSealerException("Exception unwrapping data", e);
        } catch (KeyNotFoundException e2) {
            if (stringBuffer != null) {
                this.log.info("Data was wrapped with a key ({}) no longer available", stringBuffer.toString());
            } else {
                this.log.info("Data was wrapped with a key no longer available");
            }
            throw new DataExpiredException("Data wrapped with expired key");
        } catch (KeyException e3) {
            this.log.error(e3.getMessage());
            throw new DataSealerException("Exception loading key", e3);
        }
    }

    @Nonnull
    private String extractAndCheckDecryptedData(@NotEmpty @Nonnull byte[] bArr) throws DataSealerException {
        try {
            DataInputStream dataInputStream = new DataInputStream(new GZIPInputStream(new ByteArrayInputStream(bArr)));
            if (System.currentTimeMillis() > dataInputStream.readLong()) {
                this.log.debug("Unwrapped data has expired");
                throw new DataExpiredException("Unwrapped data has expired");
            }
            StringBuffer stringBuffer = new StringBuffer();
            int i = 0;
            while (true) {
                try {
                    stringBuffer.append(dataInputStream.readUTF());
                    i++;
                    this.log.trace("Read chunk #{} from output stream", Integer.valueOf(i));
                } catch (EOFException e) {
                    this.log.trace("Unwrapped data verified");
                    return stringBuffer.toString();
                }
            }
        } catch (IOException e2) {
            this.log.error(e2.getMessage());
            throw new DataSealerException("Caught IOException unwrapping data", e2);
        }
    }

    @Nonnull
    public String wrap(@NotEmpty @Nonnull String str, long j) throws DataSealerException {
        if (str == null || str.length() == 0) {
            throw new IllegalArgumentException("Data must be supplied for the wrapping operation");
        }
        try {
            GCMBlockCipher gCMBlockCipher = new GCMBlockCipher(new AESEngine());
            byte[] bArr = new byte[gCMBlockCipher.getUnderlyingCipher().getBlockSize()];
            this.random.nextBytes(bArr);
            Pair<String, SecretKey> defaultKey = this.keyStrategy.getDefaultKey();
            gCMBlockCipher.init(true, new AEADParameters(new KeyParameter(defaultKey.getSecond().getEncoded()), 128, bArr, defaultKey.getFirst().getBytes()));
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
            DataOutputStream dataOutputStream = new DataOutputStream(gZIPOutputStream);
            dataOutputStream.writeLong(j);
            int i = 0;
            int i2 = 0;
            int length = str.length();
            while (i2 < length) {
                dataOutputStream.writeUTF(str.substring(i2, i2 + Math.min(length - i2, 60000)));
                i2 += Math.min(length - i2, 60000);
                i++;
                this.log.trace("Wrote chunk #{} to output stream", Integer.valueOf(i));
            }
            dataOutputStream.flush();
            gZIPOutputStream.flush();
            gZIPOutputStream.finish();
            byteArrayOutputStream.flush();
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            byte[] bArr2 = new byte[gCMBlockCipher.getOutputSize(byteArray.length)];
            int processBytes = gCMBlockCipher.processBytes(byteArray, 0, byteArray.length, bArr2, 0);
            int doFinal = processBytes + gCMBlockCipher.doFinal(bArr2, processBytes);
            ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
            DataOutputStream dataOutputStream2 = new DataOutputStream(byteArrayOutputStream2);
            dataOutputStream2.writeUTF(defaultKey.getFirst());
            dataOutputStream2.write(bArr);
            dataOutputStream2.write(bArr2, 0, doFinal);
            dataOutputStream2.flush();
            byteArrayOutputStream2.flush();
            return new String(this.encoder.encode(byteArrayOutputStream2.toByteArray()), StandardCharsets.UTF_8);
        } catch (Exception e) {
            this.log.error("Exception wrapping data", (Throwable) e);
            throw new DataSealerException("Exception wrapping data", e);
        }
    }

    private void testEncryption(@Nonnull SecretKey secretKey) throws DataSealerException {
        try {
            GCMBlockCipher gCMBlockCipher = new GCMBlockCipher(new AESEngine());
            byte[] bArr = new byte[gCMBlockCipher.getUnderlyingCipher().getBlockSize()];
            this.random.nextBytes(bArr);
            AEADParameters aEADParameters = new AEADParameters(new KeyParameter(secretKey.getEncoded()), 128, bArr, "aad".getBytes(StandardCharsets.UTF_8));
            gCMBlockCipher.init(true, aEADParameters);
            byte[] bytes = Constants.ATTRNAME_TEST.getBytes(StandardCharsets.UTF_8);
            byte[] bArr2 = new byte[gCMBlockCipher.getOutputSize(bytes.length)];
            gCMBlockCipher.doFinal(bArr2, gCMBlockCipher.processBytes(bytes, 0, bytes.length, bArr2, 0));
            gCMBlockCipher.init(false, aEADParameters);
            byte[] bArr3 = new byte[gCMBlockCipher.getOutputSize(bArr2.length)];
            gCMBlockCipher.doFinal(bArr3, gCMBlockCipher.processBytes(bArr2, 0, bArr2.length, bArr3, 0));
            String fromUTF8ByteArray = Strings.fromUTF8ByteArray(bArr3);
            if (fromUTF8ByteArray == null || !Constants.ATTRNAME_TEST.equals(fromUTF8ByteArray)) {
                this.log.error("Round trip encryption/decryption test unsuccessful. Decrypted text did not match");
                throw new DataSealerException("Round trip encryption/decryption test unsuccessful");
            }
        } catch (IllegalStateException | InvalidCipherTextException e) {
            this.log.error("Round trip encryption/decryption test unsuccessful", (Throwable) e);
            throw new DataSealerException("Round trip encryption/decryption test unsuccessful", e);
        }
    }
}
