package org.wso2.carbon.is.migration.util;

import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;
import org.apache.axiom.om.util.Base64;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.core.util.CryptoUtil;
import org.wso2.carbon.crypto.api.CipherMetaDataHolder;
import org.wso2.carbon.identity.core.migrate.MigrationClientException;
import org.wso2.carbon.is.migration.config.Config;
import org.wso2.carbon.is.migration.service.Migrator;

/* loaded from: input_file:org/wso2/carbon/is/migration/util/EncryptionUtil.class */
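/**
 * Static helpers used during migration to re-encrypt stored secrets: each helper decrypts a
 * Base64-encoded cipher text with a given algorithm and encrypts the result again through the
 * default crypto utility.
 *
 * <p>The configured algorithms are held in static fields that are set by
 * {@link #setCurrentEncryptionAlgorithm(Migrator)} and
 * {@link #setMigratedEncryptionAlgorithm(Migrator)}; those setters must run before
 * {@link #transformToSymmetric(String)} is used. The fields are not synchronized.
 *
 * <p>None of the methods log plain text or cipher text; keep it that way when adding diagnostics.
 */
public class EncryptionUtil {
    private static final Logger log = LoggerFactory.getLogger(EncryptionUtil.class);

    /** Shared message for a failed decryption; {@code %s} is the algorithm that was tried. */
    private static final String DECRYPTION_ERROR_FORMAT = "Error while decrypting using '%s'. The provided algorithm may be incorrect.Please check if your system have data encrypted with different algorithm.";

    private static final String KEYSTORE_CRYPTO_PROVIDER = "org.wso2.carbon.crypto.provider.KeyStoreBasedInternalCryptoProvider";

    // Algorithm the existing data is expected to be encrypted with.
    private static String oldEncryptionAlgorithmConfigured = null;
    // Algorithm the data should be encrypted with once the migration is done.
    private static String migratingEncryptionAlgorithmConfigured = null;
    // Transformation name -> internal crypto provider class name.
    static Map<String, String> algorithmAndProviderMap = new HashMap<>();

    static {
        algorithmAndProviderMap.put("RSA", KEYSTORE_CRYPTO_PROVIDER);
        algorithmAndProviderMap.put("RSA/ECB/OAEPwithSHA1andMGF1Padding", KEYSTORE_CRYPTO_PROVIDER);
        algorithmAndProviderMap.put("AES", Constant.SYMMETRIC_KEY_CRYPTO_PROVIDER);
        algorithmAndProviderMap.put("AES/GCM/NoPadding", Constant.SYMMETRIC_KEY_CRYPTO_PROVIDER);
    }

    /**
     * Re-encrypts a value that was encrypted with plain "RSA".
     *
     * @param str Base64-encoded cipher text
     * @return the newly encrypted, Base64-encoded value, or {@code null} when {@code str} is empty
     *         or is already in the self-contained format
     * @throws CryptoException if the format check, decryption or encryption fails
     */
    public static String getNewEncryptedValue(String str) throws CryptoException {
        if (StringUtils.isEmpty(str) || isNewlyEncrypted(str)) {
            return null;
        }
        CryptoUtil cryptoUtil = CryptoUtil.getDefaultCryptoUtil();
        byte[] plainText = cryptoUtil.base64DecodeAndDecrypt(str, "RSA");
        return cryptoUtil.encryptAndBase64Encode(plainText);
    }

    /**
     * Tells whether the default crypto utility recognises the value as self-contained cipher text.
     *
     * @param str Base64-encoded cipher text
     * @return {@code true} when the value is already in the self-contained format
     * @throws CryptoException if the check fails
     */
    public static boolean isNewlyEncrypted(String str) throws CryptoException {
        return CryptoUtil.getDefaultCryptoUtil().base64DecodeAndIsSelfContainedCipherText(str);
    }

    /**
     * Re-encrypts a secondary user store password that was encrypted with plain "RSA".
     *
     * @param str Base64-encoded cipher text
     * @return the newly encrypted, Base64-encoded value, or {@code null} when {@code str} is empty
     *         or is already in the self-contained format
     * @throws CryptoException if the format check, decryption or encryption fails
     */
    public static String getNewEncryptedUserstorePassword(String str) throws CryptoException {
        if (StringUtils.isEmpty(str) || isNewlyEncryptedUserstorePassword(str)) {
            return null;
        }
        SecondaryUserstoreCryptoUtil cryptoUtil = SecondaryUserstoreCryptoUtil.getInstance();
        return cryptoUtil.encryptAndBase64Encode(cryptoUtil.base64DecodeAndDecrypt(str, "RSA"));
    }

    /**
     * Tells whether the secondary user store crypto utility recognises the value as
     * self-contained cipher text.
     *
     * @param str Base64-encoded cipher text
     * @return {@code true} when the value is already in the self-contained format
     * @throws CryptoException if the check fails
     */
    public static boolean isNewlyEncryptedUserstorePassword(String str) throws CryptoException {
        return SecondaryUserstoreCryptoUtil.getInstance().base64DecodeAndIsSelfContainedCipherText(str);
    }

    /**
     * Decrypts the value with the configured current algorithm and encrypts it again through the
     * default crypto utility. When that decryption fails, the algorithm recorded in the cipher
     * text itself is tried instead.
     *
     * @param str Base64-encoded cipher text
     * @return the re-encrypted value, or {@code str} unchanged when it is empty or no migration
     *         is needed
     * @throws MigrationClientException if the retry fails as well
     */
    public static String transformToSymmetric(String str) throws MigrationClientException {
        try {
            if (StringUtils.isNotEmpty(str) && isMigrationNeeded(Base64.decode(str))) {
                CryptoUtil cryptoUtil = CryptoUtil.getDefaultCryptoUtil();
                byte[] plainText = cryptoUtil.base64DecodeAndDecrypt(str, oldEncryptionAlgorithmConfigured,
                        getInternalCryptoProviderFromAlgorithm(oldEncryptionAlgorithmConfigured));
                return cryptoUtil.encryptAndBase64Encode(plainText);
            }
        } catch (CryptoException e) {
            log.warn(String.format(DECRYPTION_ERROR_FORMAT, oldEncryptionAlgorithmConfigured));
            log.debug("Decryption with the configured algorithm failed", e);
            log.warn("Retrying decryption with self contained ciphe");
            // Return the re-encrypted value. Discarding it would hand the caller the old cipher
            // text, so the secret would stay under the old algorithm while the migration appears
            // to have succeeded.
            return retryDecryptionWithSuitableAlgorithm(str);
        }
        return str;
    }

    /**
     * Decrypts the value with the transformation recorded in its cipher metadata ("RSA" when no
     * metadata is found) and encrypts it again through the default crypto utility.
     *
     * @param str Base64-encoded cipher text
     * @return the re-encrypted, Base64-encoded value
     * @throws MigrationClientException if decryption or encryption fails
     */
    public static String retryDecryptionWithSuitableAlgorithm(String str) throws MigrationClientException {
        CryptoUtil cryptoUtil = CryptoUtil.getDefaultCryptoUtil();
        CipherMetaDataHolder metaData = cryptoUtil.cipherTextToCipherMetaDataHolder(Base64.decode(str));
        // NOTE(review): a holder without a transformation passes null on to the decrypt call.
        String transformation = metaData != null ? metaData.getTransformation() : "RSA";
        log.info(String.format("Retrying decryption with '%s'. ", transformation));
        try {
            byte[] plainText = cryptoUtil.base64DecodeAndDecrypt(str, transformation,
                    getInternalCryptoProviderFromAlgorithm(transformation));
            return cryptoUtil.encryptAndBase64Encode(plainText);
        } catch (CryptoException e) {
            throw new MigrationClientException(String.format(DECRYPTION_ERROR_FORMAT, transformation), e);
        }
    }

    /**
     * Looks up the internal crypto provider registered for a transformation.
     *
     * @param str transformation name, e.g. "AES/GCM/NoPadding"
     * @return the provider class name, or {@code null} when the transformation is not registered
     */
    private static String getInternalCryptoProviderFromAlgorithm(String str) {
        return algorithmAndProviderMap.get(str);
    }

    /**
     * Reads the algorithm the existing data is encrypted with: the migrator's
     * "currentEncryptionAlgorithm" parameter, or the global configuration when that is blank.
     *
     * @param migrator migrator whose configuration is consulted first
     */
    public static void setCurrentEncryptionAlgorithm(Migrator migrator) {
        String configured = migrator.getMigratorConfig().getParameterValue("currentEncryptionAlgorithm");
        oldEncryptionAlgorithmConfigured = StringUtils.isBlank(configured)
                ? Config.getInstance().getCurrentEncryptionAlgorithm()
                : configured;
    }

    /**
     * Reads the target algorithm: the migrator's "migratedEncryptionAlgorithm" parameter, or the
     * global configuration when that is blank. The resolved value is also stored for
     * {@link #isMigrationNeeded(byte[])}.
     *
     * @param migrator migrator whose configuration is consulted first
     * @return the resolved target algorithm
     */
    public static String setMigratedEncryptionAlgorithm(Migrator migrator) {
        String configured = migrator.getMigratorConfig().getParameterValue("migratedEncryptionAlgorithm");
        // Store the fallback too: isMigrationNeeded compares against this field, and leaving it
        // blank would make every cipher text look unmigrated (or fail on null).
        migratingEncryptionAlgorithmConfigured = StringUtils.isBlank(configured)
                ? Config.getInstance().getMigratedEncryptionAlgorithm()
                : configured;
        return migratingEncryptionAlgorithmConfigured;
    }

    /**
     * Decides whether a decoded cipher text still has to be migrated. Cipher text that does not
     * parse as cipher metadata JSON always needs migration; otherwise it needs migration when its
     * transformation differs from the configured target algorithm.
     *
     * @param bArr Base64-decoded cipher text
     * @return {@code true} when the value has to be re-encrypted
     */
    public static boolean isMigrationNeeded(byte[] bArr) {
        try {
            // NOTE(review): decodes with the platform default charset; confirm it matches the
            // charset used when the self-contained cipher text was written.
            CipherMetaDataHolder cipherMetaDataHolder =
                    new Gson().fromJson(new String(bArr, Charset.defaultCharset()), CipherMetaDataHolder.class);
            if (cipherMetaDataHolder == null) {
                return true;
            }
            log.debug("Cipher text is in self contained format. Retrieving the actual cipher from the self contained cipher text.");
            // An unset target algorithm can never match, so the value counts as unmigrated
            // instead of failing with a NullPointerException.
            return migratingEncryptionAlgorithmConfigured == null
                    || !migratingEncryptionAlgorithmConfigured.equals(cipherMetaDataHolder.getTransformation());
        } catch (JsonSyntaxException e) {
            log.debug("Deserialization failed since cipher string is not representing cipher with metadata");
            return true;
        }
    }
}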
