package com.fortanix.sdkms.jce.provider.ciphers;

import com.fortanix.sdkms.jce.provider.ciphers.SdkmsCipher;
import com.fortanix.sdkms.jce.provider.config.Configuration;
import com.fortanix.sdkms.jce.provider.constants.ProviderConstants;
import com.fortanix.sdkms.jce.provider.keys.SdkmsCipherKey;
import com.fortanix.sdkms.jce.provider.paddings.IPadding;
import com.fortanix.sdkms.jce.provider.paddings.NoPadding;
import com.fortanix.sdkms.jce.provider.paddings.PKCS5Padding;
import com.fortanix.sdkms.jce.provider.service.SDKMSLogger;
import com.fortanix.sdkms.jce.provider.service.SdkmsKeyService;
import com.fortanix.sdkms.v1.model.CipherMode;
import com.fortanix.sdkms.v1.model.CryptMode;
import com.fortanix.sdkms.v1.model.DecryptFinalRequestEx;
import com.fortanix.sdkms.v1.model.DecryptInitRequestEx;
import com.fortanix.sdkms.v1.model.DecryptRequestEx;
import com.fortanix.sdkms.v1.model.DecryptUpdateRequestEx;
import com.fortanix.sdkms.v1.model.DecryptUpdateResponse;
import com.fortanix.sdkms.v1.model.EncryptFinalRequestEx;
import com.fortanix.sdkms.v1.model.EncryptInitRequestEx;
import com.fortanix.sdkms.v1.model.EncryptRequestEx;
import com.fortanix.sdkms.v1.model.EncryptUpdateRequestEx;
import com.fortanix.sdkms.v1.model.EncryptUpdateResponse;
import com.fortanix.sdkms.v1.model.ObjectType;
import com.fortanix.sdkms.v1.model.SobjectDescriptor;
import com.fortanix.sdkms.v1.model.UnwrapKeyRequestEx;
import com.fortanix.sdkms.v1.model.WrapKeyRequestEx;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidParameterSpecException;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/fortanix/sdkms/jce/provider/ciphers/CipherCore.class */
public class CipherCore {
    private static final SDKMSLogger LOGGER = new SDKMSLogger(LoggerFactory.getLogger(CipherCore.class));
    private static final List<String> supportedPadding = Arrays.asList(ProviderConstants.NOPADDING, ProviderConstants.PKCS5PADDING, ProviderConstants.OAEPPADDING);
    private static final List<Integer> supportedOperation = Arrays.asList(1, 2, 4, 3);
    private static final List<CryptMode> clientSideNoPaddSupport = Arrays.asList(CryptMode.CBCNOPAD, CryptMode.ECB);
    private CryptMode cryptMode;
    private String paddingRaw;
    private IPadding padding;
    private int blockSize;
    private byte[] ivBytes;
    private byte[] lastIvBytes;
    private SdkmsCipherKey lastKeyUsed;
    private Integer tagLength;
    private ObjectType alg;
    private SdkmsCipherKey sdkmsKey;
    private CipherType cipherType;
    private byte[] state;
    private ByteArrayOutputStream accumulatedAAD = new ByteArrayOutputStream();
    private ByteArrayOutputStream accumulatedBytes = new ByteArrayOutputStream();
    private boolean requireReInit = false;
    private boolean decrypting = false;
    private boolean isMultipartInitialized = false;
    private boolean isUpdateStarted = false;

    /* loaded from: input_file:com/fortanix/sdkms/jce/provider/ciphers/CipherCore$CipherType.class */
    public enum CipherType {
        ONLY_SINGLE_PART,
        SUPPORTS_MULTIPART
    }

    public CipherCore(ObjectType objectType, int i, CipherType cipherType) {
        this.blockSize = i;
        this.alg = objectType;
        this.cipherType = cipherType;
    }

    public void init(int i, Key key, AlgorithmParameterSpec algorithmParameterSpec) throws InvalidKeyException, InvalidAlgorithmParameterException {
        if (!supportedOperation.contains(Integer.valueOf(i))) {
            throw new InvalidAlgorithmParameterException(String.format("Unsupported Operation: %d. Supported Operation are %s", Integer.valueOf(i), supportedOperation.toString()));
        }
        if (!(key instanceof SdkmsCipherKey)) {
            throw new InvalidKeyException("The key provided is not a valid SDKMS Key which supports Cipher");
        }
        switchCryptMode();
        resetFields();
        this.sdkmsKey = (SdkmsCipherKey) key;
        this.decrypting = i == 2 || i == 4;
        if (algorithmParameterSpec == null) {
            return;
        }
        if (!(algorithmParameterSpec instanceof GCMParameterSpec) && !(algorithmParameterSpec instanceof IvParameterSpec)) {
            throw new InvalidAlgorithmParameterException("Unsupported parameters: " + algorithmParameterSpec);
        }
        if (!(algorithmParameterSpec instanceof GCMParameterSpec)) {
            this.ivBytes = ((IvParameterSpec) algorithmParameterSpec).getIV();
            if (this.ivBytes == null || this.ivBytes.length != this.blockSize) {
                throw new InvalidAlgorithmParameterException("Wrong IV length: must be " + this.blockSize + " bytes long");
            }
            this.requireReInit = false;
            return;
        }
        this.ivBytes = ((GCMParameterSpec) algorithmParameterSpec).getIV();
        this.tagLength = Integer.valueOf(((GCMParameterSpec) algorithmParameterSpec).getTLen());
        if (!SdkmsCipher.isValidTagLength(this.tagLength)) {
            throw new InvalidAlgorithmParameterException("Unsupported Tag Length value. It must be one of " + SdkmsCipher.supportedGcmTagLength());
        }
        this.requireReInit = Arrays.equals(this.ivBytes, this.lastIvBytes) && this.sdkmsKey.getKeyDescriptor().equals(this.lastKeyUsed.getKeyDescriptor()) && !this.decrypting;
        if (this.requireReInit) {
            throw new InvalidAlgorithmParameterException("Cannot reuse iv for GCM encryption");
        }
        this.lastIvBytes = this.ivBytes;
        this.lastKeyUsed = this.sdkmsKey;
    }

    public void init(int i, Key key) throws InvalidKeyException {
        try {
            init(i, key, (AlgorithmParameterSpec) null);
        } catch (InvalidAlgorithmParameterException e) {
            LOGGER.logAndRaiseProviderException(e.getMessage(), e);
        }
    }

    public void init(int i, Key key, AlgorithmParameters algorithmParameters) throws InvalidKeyException, InvalidAlgorithmParameterException {
        if (algorithmParameters == null) {
            init(i, key);
        } else {
            try {
                init(i, key, (this.cryptMode == CryptMode.GCM || this.cryptMode == CryptMode.CCM) ? algorithmParameters.getParameterSpec(GCMParameterSpec.class) : algorithmParameters.getParameterSpec(IvParameterSpec.class));
            } catch (InvalidParameterSpecException e) {
                throw new InvalidAlgorithmParameterException("Invalid Algorithm parameter type expected GCM or IV");
            }
        }
    }

    public void initMultiCore() {
        LOGGER.info(String.format("Initializing multi part cipher for Algorithm: %s and mode: %s", this.alg, this.cryptMode));
        this.isMultipartInitialized = true;
        if (this.decrypting) {
            DecryptInitRequestEx decryptInitRequestEx = new DecryptInitRequestEx();
            decryptInitRequestEx.iv(this.ivBytes).mode(CipherMode.fromValue(this.cryptMode.getValue())).alg(this.alg).key(this.sdkmsKey.getKeyDescriptor());
            if (SdkmsCipher.isGCM(this.cryptMode)) {
                decryptInitRequestEx.ad(this.accumulatedAAD.toByteArray());
            }
            setState(SdkmsCipher.decryptInit(decryptInitRequestEx).getState());
            return;
        }
        EncryptInitRequestEx encryptInitRequestEx = new EncryptInitRequestEx();
        encryptInitRequestEx.iv(this.ivBytes).mode(CipherMode.fromValue(this.cryptMode.getValue())).alg(this.alg).key(this.sdkmsKey.getKeyDescriptor());
        if (SdkmsCipher.isGCM(this.cryptMode)) {
            encryptInitRequestEx.ad(this.accumulatedAAD.toByteArray());
        }
        setState(SdkmsCipher.encryptInit(encryptInitRequestEx).getState());
    }

    public byte[] update(byte[] bArr, int i, int i2) {
        if (this.requireReInit) {
            throw new IllegalStateException("Must use either different key or iv for GCM encryption");
        }
        validateParameters();
        switch (this.cipherType) {
            case ONLY_SINGLE_PART:
                return doSinglePartUpdate(bArr, i, i2);
            case SUPPORTS_MULTIPART:
                return doMultiPartUpdate(bArr, i, i2);
            default:
                return new byte[0];
        }
    }

    public int update(byte[] bArr, int i, int i2, byte[] bArr2, int i3) throws ShortBufferException {
        byte[] update = update(bArr, i, i2);
        if (update == null || update.length == 0) {
            return 0;
        }
        if (update.length > bArr2.length - i3) {
            throw new ShortBufferException(String.format("output buffer is too small. Expected size:%d, Actual Size:%d", Integer.valueOf(update.length), Integer.valueOf(bArr2.length - i3)));
        }
        System.arraycopy(update, 0, bArr2, i3, update.length);
        return update.length;
    }

    private byte[] doSinglePartUpdate(byte[] bArr, int i, int i2) {
        this.accumulatedBytes.write(bArr, i, i2);
        return new byte[0];
    }

    private byte[] doMultiPartUpdate(byte[] bArr, int i, int i2) {
        if (!this.isMultipartInitialized) {
            initMultiCore();
        }
        this.isUpdateStarted = true;
        byte[] copyOfRange = Arrays.copyOfRange(bArr, i, i + i2);
        if (this.decrypting) {
            DecryptUpdateRequestEx decryptUpdateRequestEx = new DecryptUpdateRequestEx();
            decryptUpdateRequestEx.cipher(copyOfRange).state(this.state).key(this.sdkmsKey.getKeyDescriptor());
            DecryptUpdateResponse decryptUpdate = SdkmsCipher.decryptUpdate(decryptUpdateRequestEx);
            setState(decryptUpdate.getState());
            return decryptUpdate.getPlain();
        }
        EncryptUpdateRequestEx encryptUpdateRequestEx = new EncryptUpdateRequestEx();
        encryptUpdateRequestEx.plain(copyOfRange).state(this.state).key(this.sdkmsKey.getKeyDescriptor());
        EncryptUpdateResponse encryptUpdate = SdkmsCipher.encryptUpdate(encryptUpdateRequestEx);
        setState(encryptUpdate.getState());
        return encryptUpdate.getCipher();
    }

    public byte[] doFinal(byte[] bArr, int i, int i2) {
        prepareDoFinal();
        try {
            try {
                switch (this.cipherType) {
                    case ONLY_SINGLE_PART:
                        if (bArr != null && bArr.length > 0) {
                            update(bArr, i, i2);
                        }
                        byte[] doSinglePartFinal = doSinglePartFinal();
                        this.requireReInit = this.cryptMode == CryptMode.GCM;
                        resetFields();
                        return doSinglePartFinal;
                    case SUPPORTS_MULTIPART:
                        if (this.isUpdateStarted) {
                            byte[] doMultiPartFinal = doMultiPartFinal(bArr, i, i2);
                            this.requireReInit = this.cryptMode == CryptMode.GCM;
                            resetFields();
                            return doMultiPartFinal;
                        }
                        doSinglePartUpdate(bArr, i, i2);
                        byte[] doSinglePartFinal2 = doSinglePartFinal();
                        this.requireReInit = this.cryptMode == CryptMode.GCM;
                        resetFields();
                        return doSinglePartFinal2;
                    default:
                        this.requireReInit = this.cryptMode == CryptMode.GCM;
                        resetFields();
                        break;
                }
            } catch (Exception e) {
                LOGGER.logAndRaiseProviderException("Failed in Cipher.doFinal", e);
                this.requireReInit = this.cryptMode == CryptMode.GCM;
                resetFields();
            }
            return new byte[0];
        } catch (Throwable th) {
            this.requireReInit = this.cryptMode == CryptMode.GCM;
            resetFields();
            throw th;
        }
    }

    public int doFinal(byte[] bArr, int i, int i2, byte[] bArr2, int i3) throws ShortBufferException {
        byte[] doFinal = doFinal(bArr, i, i2);
        if (bArr2.length - (i3 + 1) < doFinal.length) {
            throw new ShortBufferException("output buffer is too short");
        }
        System.arraycopy(doFinal, 0, bArr2, i3, doFinal.length);
        return doFinal.length;
    }

    protected void prepareDoFinal() {
        if (this.requireReInit) {
            throw new IllegalStateException("Must use either different key or iv for GCM encryption");
        }
        validateParameters();
    }

    private byte[] doSinglePartFinal() {
        if (this.accumulatedBytes.size() == 0) {
            return new byte[0];
        }
        if (this.decrypting) {
            DecryptRequestEx decryptRequestEx = new DecryptRequestEx();
            decryptRequestEx.iv(this.ivBytes).mode(this.cryptMode).cipher(this.accumulatedBytes.toByteArray()).alg(this.alg).key(this.sdkmsKey.getKeyDescriptor());
            if (SdkmsCipher.isGCM(this.cryptMode)) {
                decryptRequestEx.ad(this.accumulatedAAD.toByteArray());
            }
            byte[] decrypt = Configuration.getInstance().isDSMAccelerator() ? DSMACipher.decrypt(this.tagLength, decryptRequestEx) : SdkmsCipher.decrypt(this.tagLength, decryptRequestEx);
            return !isPaddingRequired() ? decrypt : this.padding.unpad(decrypt);
        }
        if (isPaddingRequired()) {
            this.padding.pad(this.accumulatedBytes);
        }
        EncryptRequestEx encryptRequestEx = new EncryptRequestEx();
        encryptRequestEx.iv(this.ivBytes).tagLen(this.tagLength).mode(this.cryptMode).plain(this.accumulatedBytes.toByteArray()).alg(this.alg).key(this.sdkmsKey.getKeyDescriptor());
        if (SdkmsCipher.isGCM(this.cryptMode)) {
            encryptRequestEx.ad(this.accumulatedAAD.toByteArray());
        }
        return Configuration.getInstance().isDSMAccelerator() ? DSMACipher.encrypt(encryptRequestEx) : SdkmsCipher.encrypt(encryptRequestEx);
    }

    private byte[] doMultiPartFinal(byte[] bArr, int i, int i2) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        if (this.decrypting) {
            SdkmsCipher.CipherAndTag cipherAndTag = new SdkmsCipher.CipherAndTag(bArr, i, i2, null);
            if (SdkmsCipher.isGCM(this.cryptMode)) {
                if (bArr == null || bArr.length == 0) {
                    LOGGER.logAndRaiseProviderException("Input cannot be empty in final for GCM Mode, since tag is required", null);
                }
                cipherAndTag = SdkmsCipher.extractGCMTag(this.tagLength.intValue(), bArr, i, i2);
            }
            if (cipherAndTag.cipherLen != 0) {
                byteArrayOutputStream.write(update(cipherAndTag.cipher, cipherAndTag.cipherOffset, cipherAndTag.cipherLen));
            }
            DecryptFinalRequestEx decryptFinalRequestEx = new DecryptFinalRequestEx();
            decryptFinalRequestEx.state(this.state).tag(cipherAndTag.tag).key(this.sdkmsKey.getKeyDescriptor());
            byteArrayOutputStream.write(SdkmsCipher.decryptFinal(decryptFinalRequestEx));
        } else {
            if (bArr != null && bArr.length != 0) {
                byteArrayOutputStream.write(update(bArr, i, i2));
            }
            EncryptFinalRequestEx encryptFinalRequestEx = new EncryptFinalRequestEx();
            encryptFinalRequestEx.state(this.state).tagLen(this.tagLength).key(this.sdkmsKey.getKeyDescriptor());
            byteArrayOutputStream.write(SdkmsCipher.encryptFinal(encryptFinalRequestEx, this.cryptMode));
        }
        return byteArrayOutputStream.toByteArray();
    }

    public void setCryptMode(CryptMode cryptMode) {
        this.cryptMode = cryptMode;
    }

    public void setPadding(String str) {
        if (str == null) {
            return;
        }
        if (!supportedPadding.contains(str.toUpperCase())) {
            throw new ProviderException(String.format("Unsupported padding %s. Supported paddings are %s", str, supportedPadding.toString()));
        }
        this.paddingRaw = str;
        this.padding = new PKCS5Padding(this.blockSize);
        if (ProviderConstants.NOPADDING.equalsIgnoreCase(this.paddingRaw)) {
            this.padding = new NoPadding(this.blockSize);
        }
    }

    public int getOutputSize(int i) {
        return this.decrypting ? i + this.blockSize : i + (this.tagLength == null ? 0 : this.tagLength.intValue()) + this.blockSize;
    }

    public void updateAAD(byte[] bArr, int i, int i2) {
        this.accumulatedAAD.write(bArr, i, i2);
        if (this.isMultipartInitialized) {
            throw new IllegalStateException("The Cipher is already initialized. Cannot set the AAD now");
        }
        if (this.isUpdateStarted) {
            throw new IllegalStateException("The Cipher is already activated with update methods. Cannot set the AAD now");
        }
    }

    public byte[] wrap(Key key) throws InvalidKeyException {
        validateParameters();
        SobjectDescriptor sobjectDescriptor = new SobjectDescriptor();
        sobjectDescriptor.setKid(SdkmsKeyService.toKeyObject(key).getKid());
        WrapKeyRequestEx wrapKeyRequestEx = new WrapKeyRequestEx();
        wrapKeyRequestEx.iv(this.ivBytes).tagLen(this.tagLength).mode(this.cryptMode).subject(sobjectDescriptor).alg(this.alg).key(this.sdkmsKey.getKeyDescriptor());
        if (SdkmsCipher.isGCM(this.cryptMode)) {
            wrapKeyRequestEx.ad(this.accumulatedAAD.toByteArray());
        }
        return SdkmsCipher.wrapKey(wrapKeyRequestEx);
    }

    public Key unwrap(byte[] bArr, String str, int i) throws InvalidKeyException {
        validateParameters();
        UnwrapKeyRequestEx unwrapKeyRequestEx = new UnwrapKeyRequestEx();
        unwrapKeyRequestEx.iv(this.ivBytes).mode(this.cryptMode).wrappedKey(bArr).objType(SdkmsKeyService.toSDKMSAlgorithm(str)).name(UUID.randomUUID().toString()).alg(this.alg).key(this.sdkmsKey.getKeyDescriptor());
        if (SdkmsCipher.isGCM(this.cryptMode)) {
            unwrapKeyRequestEx.ad(this.accumulatedAAD.toByteArray());
        }
        return SdkmsKeyService.getKeyFromKeyObject(SdkmsCipher.unwrapKey(this.tagLength, unwrapKeyRequestEx), i == 1);
    }

    public byte[] getIv() {
        return this.ivBytes;
    }

    public String getPadding() {
        return this.paddingRaw;
    }

    public String getOperation() {
        return this.decrypting ? "Decryption" : "Encryption";
    }

    public CryptMode getCryptMode() {
        return this.cryptMode;
    }

    public int getBlockSize() {
        return this.blockSize;
    }

    public void setBlockSize(int i) {
        this.blockSize = i;
    }

    public SdkmsCipherKey getKey() {
        return this.sdkmsKey;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AlgorithmParameters getParameters(String str) {
        if (this.cryptMode == CryptMode.ECB) {
            return null;
        }
        byte[] bArr = this.ivBytes;
        if (bArr == null) {
            SecureRandom secureRandom = new SecureRandom();
            bArr = new byte[this.blockSize];
            if (SdkmsCipher.isGCM(this.cryptMode)) {
                bArr = new byte[ProviderConstants.GCM_IV_LEN];
            }
            secureRandom.nextBytes(bArr);
        }
        AlgorithmParameters algorithmParameters = null;
        AlgorithmParameterSpec ivParameterSpec = new IvParameterSpec(bArr);
        if (SdkmsCipher.isGCM(this.cryptMode)) {
            int intValue = this.tagLength == null ? 128 : this.tagLength.intValue();
            str = CryptMode.GCM.toString();
            ivParameterSpec = new GCMParameterSpec(intValue, bArr);
        }
        try {
            algorithmParameters = AlgorithmParameters.getInstance(str);
            algorithmParameters.init(ivParameterSpec);
        } catch (NoSuchAlgorithmException e) {
            LOGGER.logAndRaiseProviderException(String.format("Cannot find %s AlgorithmParameters implementation", str), e);
        } catch (InvalidParameterSpecException e2) {
            LOGGER.logAndRaiseProviderException(e2.getMessage(), e2);
        }
        return algorithmParameters;
    }

    protected void validateParameters() {
        if (ObjectType.RSA.equals(this.alg)) {
            return;
        }
        if (this.cryptMode == null) {
            throw new ProviderException("Cipher mode is null");
        }
        if (this.sdkmsKey == null) {
            throw new ProviderException("Sdkms key info is null");
        }
        if (this.cryptMode == CryptMode.ECB) {
            return;
        }
        if (SdkmsCipher.isGCM(this.cryptMode)) {
            if (this.ivBytes == null || this.accumulatedAAD.size() == 0) {
                throw new ProviderException("IV, AAD are mandatory parameters for crypt mode " + this.cryptMode);
            }
            if (!this.decrypting && this.tagLength == null) {
                throw new ProviderException("tag length is mandatory field " + this.cryptMode);
            }
        }
        if (this.ivBytes == null) {
            throw new ProviderException("IV is mandatory parameter for crypt mode " + this.cryptMode);
        }
    }

    protected void switchCryptMode() {
        if (ProviderConstants.PKCS5PADDING.equalsIgnoreCase(this.paddingRaw) || this.cryptMode != CryptMode.CBC) {
            return;
        }
        setCryptMode(CryptMode.CBCNOPAD);
    }

    protected boolean isPaddingRequired() {
        if (ObjectType.RSA.equals(this.alg)) {
            return false;
        }
        return clientSideNoPaddSupport.contains(this.cryptMode);
    }

    public void setState(byte[] bArr) {
        if (bArr == null) {
            throw new ProviderException("Multi part cipher state is null");
        }
        this.state = bArr;
    }

    protected void resetFields() {
        this.accumulatedAAD.reset();
        this.ivBytes = null;
        this.tagLength = null;
        this.requireReInit = false;
        this.sdkmsKey = null;
        this.state = null;
        this.isUpdateStarted = false;
        this.isMultipartInitialized = false;
        this.accumulatedBytes.reset();
    }
}
