package org.apache.cxf.rs.security.jose.jwe;

import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweException;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.digests.SHA384Digest;
import org.bouncycastle.crypto.digests.SHA512Digest;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.params.KeyParameter;
import org.codehaus.janino.Opcode;
import org.jose4j.jwx.HeaderParameterNames;

/* loaded from: input_file:BOOT-INF/lib/cxf-rt-rs-security-jose-3.2.4.jar:org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.class */
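/**
 * Key encryption provider for the password-based JWE key-management algorithms
 * {@code PBES2_HS256_A128KW}, {@code PBES2_HS384_A192KW} and {@code PBES2_HS512_A256KW}.
 *
 * <p>A key-encryption key is derived from the configured password with PBKDF2 (BouncyCastle's
 * {@link PKCS5S2ParametersGenerator}) over a salt input obtained from
 * {@code CryptoUtils.generateSecureRandomBytes}, and that derived key is used to AES-wrap the
 * content encryption key. The salt input and the iteration count are published in the JWE
 * headers so that the recipient can repeat the derivation.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The default iteration count is 4096 and the enforced floor is 1000. Current
 *       password-hashing guidance (for example OWASP's) puts PBKDF2 iteration counts in the
 *       hundreds of thousands, so callers protecting human-chosen passwords should pass an
 *       explicit, higher count.</li>
 *   <li>The password must be at least as long as the derived key (16, 24 or 32 bytes) and at
 *       most 128 bytes.</li>
 *   <li>The password bytes are held for the lifetime of this object and are never cleared.
 *       Unless the hashing option replaces it, the array handed to the {@code byte[]}
 *       constructors is stored as-is, without a defensive copy.</li>
 * </ul>
 */
public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider {
    protected static final Logger LOG = LogUtils.getL7dLogger(PbesHmacAesWrapKeyEncryptionAlgorithm.class);

    /** Iteration count used by the constructors that do not take one. */
    private static final int DEFAULT_PBES_COUNT = 4096;
    /** Smallest iteration count accepted by {@link #validatePbesCount(int)}. */
    private static final int MIN_PBES_COUNT = 1000;
    /** Largest accepted password length, in bytes. */
    private static final int MAX_PASSWORD_LENGTH = 128;

    /** JWA algorithm name to the bit size of the SHA-2 digest used inside PBKDF2. */
    private static final Map<String, Integer> PBES_HMAC_MAP = new HashMap<>();
    /** JWA algorithm name to the matching AES key-wrap algorithm name (not read in this class). */
    private static final Map<String, String> PBES_AES_MAP = new HashMap<>();
    /** JWA algorithm name to the derived key size in bytes. */
    private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP = new HashMap<>();

    static {
        PBES_HMAC_MAP.put(KeyAlgorithm.PBES2_HS256_A128KW.getJwaName(), 256);
        // Written as the literal 384: the decompiled listing showed a constant from an unrelated
        // compiler library here, while createDerivedKey compares this value against 384.
        PBES_HMAC_MAP.put(KeyAlgorithm.PBES2_HS384_A192KW.getJwaName(), 384);
        PBES_HMAC_MAP.put(KeyAlgorithm.PBES2_HS512_A256KW.getJwaName(), 512);

        PBES_AES_MAP.put(KeyAlgorithm.PBES2_HS256_A128KW.getJwaName(), KeyAlgorithm.A128KW.getJwaName());
        PBES_AES_MAP.put(KeyAlgorithm.PBES2_HS384_A192KW.getJwaName(), KeyAlgorithm.A192KW.getJwaName());
        PBES_AES_MAP.put(KeyAlgorithm.PBES2_HS512_A256KW.getJwaName(), KeyAlgorithm.A256KW.getJwaName());

        DERIVED_KEY_SIZE_MAP.put(KeyAlgorithm.PBES2_HS256_A128KW.getJwaName(), 16);
        DERIVED_KEY_SIZE_MAP.put(KeyAlgorithm.PBES2_HS384_A192KW.getJwaName(), 24);
        DERIVED_KEY_SIZE_MAP.put(KeyAlgorithm.PBES2_HS512_A256KW.getJwaName(), 32);
    }

    private final byte[] password;
    private final int pbesCount;
    private final KeyAlgorithm keyAlgoJwt;

    /**
     * Creates a provider from a password string with the default iteration count and no
     * password hashing.
     *
     * @param str the password; it is converted to UTF-8 bytes
     * @param keyAlgorithm one of the PBES2 key algorithms
     */
    public PbesHmacAesWrapKeyEncryptionAlgorithm(String str, KeyAlgorithm keyAlgorithm) {
        this(stringToBytes(str), keyAlgorithm);
    }

    /**
     * Creates a provider from a password string.
     *
     * @param str the password; it is converted to UTF-8 bytes
     * @param i the PBKDF2 iteration count, at least 1000
     * @param keyAlgorithm one of the PBES2 key algorithms
     * @param z whether a password longer than the derived key is replaced by its SHA-256 digest
     */
    public PbesHmacAesWrapKeyEncryptionAlgorithm(String str, int i, KeyAlgorithm keyAlgorithm, boolean z) {
        this(stringToBytes(str), i, keyAlgorithm, z);
    }

    /**
     * Creates a provider from password characters with the default iteration count and no
     * password hashing.
     *
     * @param cArr the password characters; the caller's array is not modified or cleared
     * @param keyAlgorithm one of the PBES2 key algorithms
     */
    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] cArr, KeyAlgorithm keyAlgorithm) {
        this(cArr, DEFAULT_PBES_COUNT, keyAlgorithm, false);
    }

    /**
     * Creates a provider from password characters.
     *
     * @param cArr the password characters; the caller's array is not modified or cleared
     * @param i the PBKDF2 iteration count, at least 1000
     * @param keyAlgorithm one of the PBES2 key algorithms
     * @param z whether a password longer than the derived key is replaced by its SHA-256 digest
     */
    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] cArr, int i, KeyAlgorithm keyAlgorithm, boolean z) {
        this(charsToBytes(cArr), i, keyAlgorithm, z);
    }

    /**
     * Creates a provider from password bytes with the default iteration count and no password
     * hashing.
     *
     * @param bArr the password bytes; stored without a defensive copy
     * @param keyAlgorithm one of the PBES2 key algorithms
     */
    public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] bArr, KeyAlgorithm keyAlgorithm) {
        this(bArr, DEFAULT_PBES_COUNT, keyAlgorithm, false);
    }

    /**
     * Creates a provider from password bytes. The algorithm is validated first, then the
     * password, then the iteration count.
     *
     * @param bArr the password bytes; stored without a defensive copy unless hashing replaces them
     * @param i the PBKDF2 iteration count, at least 1000
     * @param keyAlgorithm one of the PBES2 key algorithms
     * @param z whether a password longer than the derived key is replaced by its SHA-256 digest
     * @throws JweException if the algorithm, password length or iteration count is rejected
     */
    public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] bArr, int i, KeyAlgorithm keyAlgorithm, boolean z) {
        this.keyAlgoJwt = validateKeyAlgorithm(keyAlgorithm);
        this.password = validatePassword(bArr, keyAlgorithm.getJwaName(), z);
        this.pbesCount = validatePbesCount(i);
    }

    /**
     * Checks the password length against the algorithm's derived key size and optionally
     * replaces a longer password with its SHA-256 digest.
     *
     * <p>JADX INFO: access modifier changed from package-private by the decompiler.
     *
     * @param bArr the password bytes
     * @param str the JWA name of the PBES2 algorithm
     * @param z when true, a password strictly longer than the derived key size is hashed
     * @return {@code bArr} itself, or its SHA-256 digest when hashing applies
     * @throws JweException if the algorithm is unknown, the password is missing, shorter than
     *     the derived key size or longer than 128 bytes, or if hashing fails
     */
    public static byte[] validatePassword(byte[] bArr, String str, boolean z) {
        int minLength = lookupKeySize(str);
        if (bArr == null) {
            LOG.warning("Password is not set");
            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
        }
        if (bArr.length < minLength || bArr.length > MAX_PASSWORD_LENGTH) {
            // Note: this writes the length of the rejected secret to the log.
            LOG.warning("Invalid password length: " + bArr.length);
            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
        }
        if (bArr.length <= minLength || !z) {
            return bArr;
        }
        try {
            return MessageDigestUtils.createDigest(bArr, "SHA-256");
        } catch (Exception e) {
            LOG.warning("Password hash calculation error");
            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE, e);
        }
    }

    /**
     * Derives a key-encryption key from the password over a new salt input, records the salt
     * input and iteration count in the headers, and AES-wraps the content encryption key.
     *
     * @param jweHeaders the JWE headers; the PBES2 salt-input and iteration-count parameters are set on them
     * @param bArr the content encryption key to wrap
     * @return the wrapped content encryption key
     */
    @Override // org.apache.cxf.rs.security.jose.jwe.KeyEncryptionProvider
    public byte[] getEncryptedContentEncryptionKey(JweHeaders jweHeaders, byte[] bArr) {
        String jwaName = this.keyAlgoJwt.getJwaName();
        int keySize = getKeySize(jwaName);
        // The salt input is as long as the derived key (16, 24 or 32 bytes) and is new per call.
        byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize);
        byte[] derivedKey = createDerivedKey(jwaName, keySize, this.password, saltInput, this.pbesCount);
        jweHeaders.setHeader(HeaderParameterNames.PBES2_SALT_INPUT, Base64UrlUtility.encode(saltInput));
        jweHeaders.setIntegerHeader(HeaderParameterNames.PBES2_ITERATION_COUNT, Integer.valueOf(this.pbesCount));
        AesWrapKeyEncryptionAlgorithm aesWrap = new AesWrapKeyEncryptionAlgorithm(derivedKey, this.keyAlgoJwt) { // from class: org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm.1
            // NOTE(review): the algorithm check is deliberately a no-op here, presumably
            // because keyAlgoJwt is a PBES2 algorithm rather than a plain AES key-wrap one.
            // Confirm against AbstractWrapKeyEncryptionAlgorithm.
            @Override // org.apache.cxf.rs.security.jose.jwe.AbstractWrapKeyEncryptionAlgorithm
            protected void checkAlgorithms(JweHeaders jweHeaders2) {
            }

            @Override // org.apache.cxf.rs.security.jose.jwe.AbstractWrapKeyEncryptionAlgorithm
            protected String getKeyEncryptionAlgoJava(JweHeaders jweHeaders2) {
                return "AESWrap";
            }
        };
        return aesWrap.getEncryptedContentEncryptionKey(jweHeaders, bArr);
    }

    /**
     * Returns the derived key size in bytes for a PBES2 algorithm.
     *
     * <p>JADX INFO: access modifier changed from package-private by the decompiler.
     *
     * @param str the JWA name of the PBES2 algorithm
     * @return 16, 24 or 32
     * @throws JweException if the algorithm name is not one of the three PBES2 names
     */
    public static int getKeySize(String str) {
        return lookupKeySize(str);
    }

    /**
     * Runs PBKDF2 with the HMAC digest that belongs to the algorithm.
     *
     * <p>JADX INFO: access modifier changed from package-private by the decompiler.
     *
     * @param str the JWA name of the PBES2 algorithm
     * @param i the derived key size in bytes
     * @param bArr the password bytes
     * @param bArr2 the salt input; it is combined with the algorithm name before use
     * @param i2 the iteration count
     * @return the derived key
     * @throws JweException if the algorithm name is not one of the three PBES2 names
     */
    public static byte[] createDerivedKey(String str, int i, byte[] bArr, byte[] bArr2, int i2) {
        Integer hmacBits = PBES_HMAC_MAP.get(str);
        if (hmacBits == null) {
            // Fail with the library's own exception instead of a NullPointerException.
            LOG.warning("Invalid key encryption algorithm");
            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
        }
        byte[] salt = createSaltValue(str, bArr2);
        int bits = hmacBits.intValue();
        PKCS5S2ParametersGenerator generator;
        if (bits == 256) {
            generator = new PKCS5S2ParametersGenerator(new SHA256Digest());
        } else if (bits == 384) {
            generator = new PKCS5S2ParametersGenerator(new SHA384Digest());
        } else {
            generator = new PKCS5S2ParametersGenerator(new SHA512Digest());
        }
        generator.init(bArr, salt, i2);
        // generateDerivedParameters takes the key size in bits.
        return ((KeyParameter) generator.generateDerivedParameters(i * 8)).getKey();
    }

    /** Looks up the derived key size, rejecting names that are not in the PBES2 table. */
    private static int lookupKeySize(String jwaName) {
        Integer size = DERIVED_KEY_SIZE_MAP.get(jwaName);
        if (size == null) {
            LOG.warning("Invalid key encryption algorithm");
            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
        }
        return size.intValue();
    }

    /** Builds the PBKDF2 salt: UTF-8 algorithm name, one zero byte, then the salt input. */
    private static byte[] createSaltValue(String str, byte[] bArr) {
        byte[] algBytes = stringToBytes(str);
        // Java zero-fills new arrays, so the separator byte at algBytes.length is already 0.
        byte[] salt = new byte[algBytes.length + 1 + bArr.length];
        System.arraycopy(algBytes, 0, salt, 0, algBytes.length);
        System.arraycopy(bArr, 0, salt, algBytes.length + 1, bArr.length);
        return salt;
    }

    /**
     * Accepts only PBES2 key algorithms.
     *
     * @param keyAlgorithm the algorithm to check
     * @return {@code keyAlgorithm}
     * @throws JweException if {@code AlgorithmUtils.isPbesHsWrap} rejects its JWA name
     */
    static KeyAlgorithm validateKeyAlgorithm(KeyAlgorithm keyAlgorithm) {
        if (!AlgorithmUtils.isPbesHsWrap(keyAlgorithm.getJwaName())) {
            LOG.warning("Invalid key encryption algorithm");
            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
        }
        return keyAlgorithm;
    }

    /**
     * Enforces the minimum iteration count of 1000. No upper bound is applied.
     *
     * @param i the requested iteration count
     * @return {@code i}
     * @throws JweException if {@code i} is below 1000
     */
    static int validatePbesCount(int i) {
        if (i < MIN_PBES_COUNT) {
            LOG.warning("Iteration count is too low");
            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
        }
        return i;
    }

    /**
     * Converts a string to bytes through {@code StringUtils.toBytesUTF8}.
     *
     * <p>JADX INFO: access modifier changed from package-private by the decompiler.
     */
    public static byte[] stringToBytes(String str) {
        return StringUtils.toBytesUTF8(str);
    }

    /**
     * Encodes characters as UTF-8 bytes.
     *
     * <p>JADX INFO: access modifier changed from package-private by the decompiler.
     *
     * @param cArr the characters to encode
     * @return a new array holding exactly the encoded bytes
     */
    public static byte[] charsToBytes(char[] cArr) {
        // The intermediate buffer also holds the encoded secret and is not cleared here.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(cArr));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        return bytes;
    }

    /** Returns the PBES2 key algorithm this provider was created with. */
    @Override // org.apache.cxf.rs.security.jose.jwe.KeyEncryptionProvider
    public KeyAlgorithm getAlgorithm() {
        return this.keyAlgoJwt;
    }
}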
