package org.wso2.carbon.core.encryption;

import com.hazelcast.config.replacer.AbstractPbeReplacer;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.crypto.api.CertificateInfo;
import org.wso2.carbon.crypto.api.CryptoContext;
import org.wso2.carbon.crypto.api.CryptoException;
import org.wso2.carbon.crypto.api.ExternalCryptoProvider;
import org.wso2.carbon.crypto.api.HybridEncryptionInput;
import org.wso2.carbon.crypto.api.HybridEncryptionOutput;
import org.wso2.carbon.crypto.api.PrivateKeyInfo;

/* loaded from: input_file:WEB-INF/lib/org.wso2.carbon.core-4.5.3.jar:org/wso2/carbon/core/encryption/KeyStoreBasedExternalCryptoProvider.class */
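/**
 * {@link ExternalCryptoProvider} backed by the Carbon {@link KeyStoreManager}.
 * <p>
 * Keys and certificates are resolved per tenant: the super tenant ({@link #SUPER_TENANT_ID}) uses the
 * primary key store, every other tenant uses a key store whose name is derived from its domain
 * ({@link #getTenantKeyStoreName(String)}). Hybrid encryption generates a fresh random symmetric key per
 * call, encrypts the payload with it and wraps the key with the caller-supplied asymmetric algorithm; when
 * associated data is present the symmetric transformation must be GCM, and the authentication tag is split
 * off the ciphertext so that it can be stored separately.
 * <p>
 * Algorithm and provider names are caller-supplied and handed to the JCA unmodified; this class does not
 * enforce an allow-list. NOTE(review): the debug log statements print {@code PrivateKeyInfo} and
 * {@code CryptoContext} via {@code toString()}; confirm that {@code PrivateKeyInfo#toString()} omits the key
 * password before enabling DEBUG logging for this class in production.
 */
public class KeyStoreBasedExternalCryptoProvider implements ExternalCryptoProvider {

    /** Tenant id reserved for the super tenant, whose keys live in the primary key store. */
    private static final int SUPER_TENANT_ID = -1234;

    /** Default AES key size in bits when the algorithm string carries no {@code _<bits>} suffix. */
    private static final String DEFAULT_AES_KEY_SIZE_BITS = "128";

    /**
     * Default DES-family key size in bits when no {@code _<bits>} suffix is given. This only fits single DES;
     * a {@code DESede} transformation needs an explicit suffix (e.g. {@code DESede_192}) or the JCE key-size
     * check rejects the key.
     */
    private static final String DEFAULT_DES_KEY_SIZE_BITS = "64";

    private static final Log log = LogFactory.getLog(KeyStoreBasedExternalCryptoProvider.class);

    /** Shared CSPRNG for symmetric key generation; {@link SecureRandom} may be shared between threads. */
    private static final SecureRandom random = new SecureRandom();

    /**
     * Signs {@code data} with the tenant's private key.
     *
     * @param data                    bytes to sign
     * @param algorithm               JCA signature algorithm name (e.g. {@code SHA256withRSA})
     * @param javaSecurityAPIProvider JCA provider name; blank selects the highest-priority installed provider
     * @param cryptoContext           tenant context that selects the key store
     * @param privateKeyInfo          alias (and, for the super tenant, password) of the signing key
     * @return the raw signature bytes
     * @throws CryptoException if the key cannot be resolved or the JCA operation fails; the cause is preserved
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public byte[] sign(byte[] data, String algorithm, String javaSecurityAPIProvider, CryptoContext cryptoContext,
                       PrivateKeyInfo privateKeyInfo) throws CryptoException {
        try {
            Signature signature = createSignature(algorithm, javaSecurityAPIProvider);
            PrivateKey privateKey = requirePrivateKey(cryptoContext, privateKeyInfo);
            signature.initSign(privateKey);
            signature.update(data);
            byte[] signatureBytes = signature.sign();
            if (log.isDebugEnabled()) {
                log.debug(String.format("Successfully signed data using the algorithm '%s' and the Java Security API provider '%s'; %s ; %s", algorithm, javaSecurityAPIProvider, cryptoContext, privateKeyInfo));
            }
            return signatureBytes;
        } catch (Exception e) {
            throw wrapError(String.format("An error occurred while signing using the algorithm : '%s' and the Java Security API provider : '%s'; %s ; %s", algorithm, javaSecurityAPIProvider, cryptoContext, privateKeyInfo), e);
        }
    }

    /**
     * Decrypts {@code cipherText} with the tenant's private key.
     * <p>
     * The transformation is caller-chosen. For RSA prefer an OAEP transformation over
     * {@code RSA/ECB/PKCS1Padding}: PKCS#1 v1.5 padding failures surfaced to a remote caller can act as a
     * decryption oracle (Bleichenbacher-style attacks).
     *
     * @param cipherText              data to decrypt
     * @param algorithm               JCA cipher transformation
     * @param javaSecurityAPIProvider JCA provider name; blank selects the default provider
     * @param cryptoContext           tenant context that selects the key store
     * @param privateKeyInfo          alias (and, for the super tenant, password) of the decryption key
     * @return the plaintext
     * @throws CryptoException if the key cannot be resolved or decryption fails; the cause is preserved
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public byte[] decrypt(byte[] cipherText, String algorithm, String javaSecurityAPIProvider,
                          CryptoContext cryptoContext, PrivateKeyInfo privateKeyInfo) throws CryptoException {
        try {
            Cipher cipher = createCipher(algorithm, javaSecurityAPIProvider);
            PrivateKey privateKey = requirePrivateKey(cryptoContext, privateKeyInfo);
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] plainText = cipher.doFinal(cipherText);
            if (log.isDebugEnabled()) {
                log.debug(String.format("Successfully decrypted data using the algorithm '%s' and the Java Security API provider '%s'; %s ; %s", algorithm, javaSecurityAPIProvider, cryptoContext, privateKeyInfo));
            }
            return plainText;
        } catch (Exception e) {
            throw wrapError(String.format("An error occurred while decrypting using the algorithm : '%s' and the Java Security API provider : '%s'; %s ; %s", algorithm, javaSecurityAPIProvider, cryptoContext, privateKeyInfo), e);
        }
    }

    /**
     * Encrypts {@code plainText} with the public key of the tenant's certificate.
     * <p>
     * {@link Cipher#init(int, Certificate)} rejects (with {@code InvalidKeyException}, wrapped here) an X.509
     * certificate whose critical KeyUsage extension does not permit encryption, so certificate usage is
     * enforced by the JCA rather than by this class.
     *
     * @param plainText               data to encrypt
     * @param algorithm               JCA cipher transformation
     * @param javaSecurityAPIProvider JCA provider name; blank selects the default provider
     * @param cryptoContext           tenant context that selects the key store
     * @param certificateInfo         certificate, or alias of the certificate, to encrypt with
     * @return the ciphertext
     * @throws CryptoException if the certificate cannot be resolved or encryption fails; the cause is preserved
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public byte[] encrypt(byte[] plainText, String algorithm, String javaSecurityAPIProvider,
                          CryptoContext cryptoContext, CertificateInfo certificateInfo) throws CryptoException {
        try {
            Cipher cipher = createCipher(algorithm, javaSecurityAPIProvider);
            Certificate certificate = requireCertificate(cryptoContext, certificateInfo);
            cipher.init(Cipher.ENCRYPT_MODE, certificate);
            byte[] cipherText = cipher.doFinal(plainText);
            if (log.isDebugEnabled()) {
                log.debug(String.format("Successfully encrypted data using the algorithm '%s' and the Java Security API provider '%s'; %s ; %s", algorithm, javaSecurityAPIProvider, cryptoContext, certificateInfo));
            }
            return cipherText;
        } catch (Exception e) {
            throw wrapError(String.format("An error occurred while encrypting using the algorithm '%s' and the Java Security API provider '%s'; %s ; %s", algorithm, javaSecurityAPIProvider, cryptoContext, certificateInfo), e);
        }
    }

    /**
     * Verifies {@code signature} over {@code data} against the tenant's certificate.
     * <p>
     * Only the signature itself is checked; certificate validity (expiry, revocation, chain) is not evaluated
     * here, trust comes from the certificate being present in the tenant key store.
     *
     * @param data                    signed bytes
     * @param signature               signature to verify
     * @param algorithm               JCA signature algorithm name
     * @param javaSecurityAPIProvider JCA provider name; blank selects the default provider
     * @param cryptoContext           tenant context that selects the key store
     * @param certificateInfo         certificate, or alias of the certificate, holding the public key
     * @return {@code true} if the signature is valid
     * @throws CryptoException if the certificate cannot be resolved or the JCA operation fails
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public boolean verifySignature(byte[] data, byte[] signature, String algorithm, String javaSecurityAPIProvider,
                                   CryptoContext cryptoContext, CertificateInfo certificateInfo)
            throws CryptoException {
        try {
            Signature verifier = createSignature(algorithm, javaSecurityAPIProvider);
            Certificate certificate = requireCertificate(cryptoContext, certificateInfo);
            verifier.initVerify(certificate);
            verifier.update(data);
            boolean valid = verifier.verify(signature);
            if (log.isDebugEnabled()) {
                log.debug(String.format("Successfully carried out the signature validation operation using the algorithm '%s' and the Java Security API provider '%s'; %s ; %s. Verification Result : '%s'", algorithm, javaSecurityAPIProvider, cryptoContext, certificateInfo, Boolean.valueOf(valid)));
            }
            return valid;
        } catch (Exception e) {
            throw wrapError(String.format("An error occurred while verifying the signature using the algorithm '%s' and the Java Security API provider '%s'; %s ; %s ", algorithm, javaSecurityAPIProvider, cryptoContext, certificateInfo), e);
        }
    }

    /**
     * Resolves a certificate for the tenant in {@code cryptoContext}.
     * <p>
     * A certificate carried inside {@code certificateInfo} is returned as-is; otherwise the alias is looked up
     * in the primary key store (super tenant) or the tenant key store. A missing alias yields {@code null},
     * as {@code KeyStore#getCertificate} does.
     *
     * @throws CryptoException if tenant information or {@code certificateInfo} is missing, or the key store
     *                         lookup fails
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public Certificate getCertificate(CryptoContext cryptoContext, CertificateInfo certificateInfo)
            throws CryptoException {
        failIfContextInformationIsMissing(cryptoContext);
        if (certificateInfo == null) {
            throw new CryptoException("Certificate information is missing.");
        }
        // An explicitly supplied certificate takes precedence over any key store lookup.
        Certificate supplied = certificateInfo.getCertificate();
        if (supplied != null) {
            return supplied;
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(cryptoContext.getTenantId());
        try {
            if (isSuperTenant(cryptoContext)) {
                if (log.isDebugEnabled()) {
                    log.debug("Looking for the certificate in the super tenant using " + certificateInfo);
                }
                return keyStoreManager.getPrimaryKeyStore().getCertificate(certificateInfo.getCertificateAlias());
            }
            if (log.isDebugEnabled()) {
                log.debug(String.format("Looking for the certificate in the tenant '%s' using %s", cryptoContext.getTenantDomain(), certificateInfo));
            }
            String tenantKeyStoreName = getTenantKeyStoreName(cryptoContext.getTenantDomain());
            return keyStoreManager.getKeyStore(tenantKeyStoreName).getCertificate(certificateInfo.getCertificateAlias());
        } catch (Exception e) {
            throw wrapError("An error occurred while retrieving the certificate from the key store.", e);
        }
    }

    /**
     * Resolves a private key for the tenant in {@code cryptoContext}.
     * <p>
     * For the super tenant the key is read from the primary key store with the password carried in
     * {@code privateKeyInfo}; for other tenants {@link KeyStoreManager#getPrivateKey} is used and the
     * password in {@code privateKeyInfo} is not consulted. An alias that resolves to a non-private-key entry
     * fails the cast and surfaces as a {@link CryptoException}.
     *
     * @throws CryptoException if tenant information or {@code privateKeyInfo} is missing, or the key cannot
     *                         be read from the key store
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public PrivateKey getPrivateKey(CryptoContext cryptoContext, PrivateKeyInfo privateKeyInfo)
            throws CryptoException {
        failIfContextInformationIsMissing(cryptoContext);
        if (privateKeyInfo == null) {
            throw new CryptoException("Private key information is missing.");
        }
        try {
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(cryptoContext.getTenantId());
            if (isSuperTenant(cryptoContext)) {
                if (log.isDebugEnabled()) {
                    log.debug("Looking for the private key in the super tenant using " + privateKeyInfo);
                }
                return (PrivateKey) keyStoreManager.getPrimaryKeyStore()
                        .getKey(privateKeyInfo.getKeyAlias(), privateKeyInfo.getKeyPassword().toCharArray());
            }
            if (log.isDebugEnabled()) {
                log.debug(String.format("Looking for the private key in the tenant '%s' using %s", cryptoContext.getTenantDomain(), privateKeyInfo));
            }
            String tenantKeyStoreName = getTenantKeyStoreName(cryptoContext.getTenantDomain());
            if (log.isDebugEnabled()) {
                log.debug(String.format("Derived Key Store name of the the tenant '%s' is %s", cryptoContext.getTenantDomain(), tenantKeyStoreName));
            }
            return (PrivateKey) keyStoreManager.getPrivateKey(tenantKeyStoreName, privateKeyInfo.getKeyAlias());
        } catch (Exception e) {
            throw wrapError("An error occurred while retrieving the private key from the key store.", e);
        }
    }

    /**
     * Hybrid-encrypts the input: a fresh random symmetric key encrypts the payload, and that key is then
     * encrypted with the asymmetric algorithm under the tenant certificate.
     * <p>
     * When {@code hybridEncryptionInput.getAuthData()} is non-null the symmetric transformation must be GCM:
     * the data is bound as AAD and the GCM tag (last {@code tLen/8} bytes of the JCE output) is split off
     * into a separate field of the result. The raw symmetric key bytes are zeroed before returning; the copy
     * held by the {@link SecretKeySpec} cannot be cleared through the JCA API.
     *
     * @param hybridEncryptionInput   plaintext plus optional associated data
     * @param symmetricAlgorithm      symmetric algorithm, optionally with key size and mode, e.g.
     *                                {@code AES_256/GCM/NoPadding}
     * @param asymmetricAlgorithm     transformation used to wrap the symmetric key
     * @param javaSecurityAPIProvider JCA provider name; blank selects the default provider
     * @param cryptoContext           tenant context that selects the key store
     * @param certificateInfo         certificate (or alias) used to wrap the symmetric key
     * @return ciphertext, wrapped key, associated data and tag (when AAD was used) and the parameters
     * @throws CryptoException for an unsupported or malformed symmetric algorithm, or if any step fails
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public HybridEncryptionOutput hybridEncrypt(HybridEncryptionInput hybridEncryptionInput, String symmetricAlgorithm,
                                                String asymmetricAlgorithm, String javaSecurityAPIProvider,
                                                CryptoContext cryptoContext, CertificateInfo certificateInfo)
            throws CryptoException {
        if (log.isDebugEnabled()) {
            log.debug(String.format("Hybrid encrypt initiated with '%s' symmetric algorithm, '%s' asymmetric algorithm using '%s' JCE provider related to '%s' crypto context.", symmetricAlgorithm, asymmetricAlgorithm, javaSecurityAPIProvider, cryptoContext));
        }
        if (hybridEncryptionInput == null) {
            throw new CryptoException("Hybrid encryption input is missing.");
        }
        String[] resolvedAlgorithm = resolveSymmetricAlgorithm(symmetricAlgorithm);
        String keyAlgorithm = resolvedAlgorithm[0];
        String transformation = resolvedAlgorithm[2];
        byte[] symmetricKey = generateSymmetricKey(keyAlgorithm, resolvedAlgorithm[1]);
        try {
            SecretKeySpec secretKey = new SecretKeySpec(symmetricKey, keyAlgorithm);
            AlgorithmParameterSpec parameters =
                    AlgorithmParameterResolver.resolveSymmetricAlgorithmParameters(transformation);
            byte[] cipherText = symmetricEncryptData(hybridEncryptionInput, javaSecurityAPIProvider, transformation,
                    secretKey, parameters);
            byte[] encryptedKey = encrypt(symmetricKey, asymmetricAlgorithm, javaSecurityAPIProvider, cryptoContext,
                    certificateInfo);
            if (log.isDebugEnabled()) {
                log.debug(String.format("Secret key value was successfully encrypted with %s asymmetric algorithm with public certificate : %s", asymmetricAlgorithm, certificateInfo));
            }
            byte[] authData = hybridEncryptionInput.getAuthData();
            if (authData == null) {
                return new HybridEncryptionOutput(cipherText, encryptedKey, parameters);
            }
            // The tag can only be split off when the parameters say how long it is; any other AEAD or
            // non-AEAD parameter type would silently mis-slice the ciphertext.
            if (!(parameters instanceof GCMParameterSpec)) {
                throw new CryptoException(String.format("Associated data was supplied but '%s' did not resolve to GCM parameters.", transformation));
            }
            int tagLength = ((GCMParameterSpec) parameters).getTLen() / 8;
            int cipherDataLength = cipherText.length - tagLength;
            return new HybridEncryptionOutput(subArray(cipherText, 0, cipherDataLength), encryptedKey, authData,
                    subArray(cipherText, cipherDataLength, tagLength), parameters);
        } catch (Exception e) {
            throw wrapError(String.format("An error occurred while hybrid encrypting data using the asymmetric algorithm '%s' and symmetric algorithm '%s' with the Java Security API provider '%s'; %s ; %s", asymmetricAlgorithm, transformation, javaSecurityAPIProvider, cryptoContext, certificateInfo), e);
        } finally {
            // Best-effort key hygiene: the raw key is no longer needed once it has been wrapped.
            Arrays.fill(symmetricKey, (byte) 0);
        }
    }

    /**
     * Reverses {@link #hybridEncrypt}: unwraps the symmetric key with the tenant private key and decrypts the
     * payload with it. The unwrapped key bytes are zeroed before returning.
     *
     * @param hybridEncryptionOutput  ciphertext, wrapped key, optional AAD/tag and parameters
     * @param symmetricAlgorithm      symmetric algorithm string in the same form given to {@code hybridEncrypt}
     * @param asymmetricAlgorithm     transformation used to unwrap the symmetric key
     * @param javaSecurityAPIProvider JCA provider name; blank selects the default provider
     * @param cryptoContext           tenant context that selects the key store
     * @param privateKeyInfo          alias (and, for the super tenant, password) of the unwrapping key
     * @return the plaintext
     * @throws CryptoException for an unsupported symmetric algorithm, or if unwrapping or decryption fails
     *                         (including GCM tag mismatch)
     */
    @Override // org.wso2.carbon.crypto.api.ExternalCryptoProvider
    public byte[] hybridDecrypt(HybridEncryptionOutput hybridEncryptionOutput, String symmetricAlgorithm,
                                String asymmetricAlgorithm, String javaSecurityAPIProvider,
                                CryptoContext cryptoContext, PrivateKeyInfo privateKeyInfo) throws CryptoException {
        if (log.isDebugEnabled()) {
            log.debug(String.format("Hybrid decrypt initiated with '%s' symmetric algorithm, '%s' asymmetric algorithm using '%s' JCE provider related to '%s' crypto context.", symmetricAlgorithm, asymmetricAlgorithm, javaSecurityAPIProvider, cryptoContext));
        }
        String[] resolvedAlgorithm = resolveSymmetricAlgorithm(symmetricAlgorithm);
        String transformation = resolvedAlgorithm[2];
        if (hybridEncryptionOutput == null) {
            throw new CryptoException("Hybrid encryption output is missing.");
        }
        byte[] symmetricKey = decrypt(hybridEncryptionOutput.getEncryptedSymmetricKey(), asymmetricAlgorithm,
                javaSecurityAPIProvider, cryptoContext, privateKeyInfo);
        if (log.isDebugEnabled()) {
            log.debug(String.format("Symmetric key value was successfully decrypted with %s asymmetric algorithm and '%s' private key", asymmetricAlgorithm, privateKeyInfo.getKeyAlias()));
        }
        try {
            SecretKeySpec secretKey = new SecretKeySpec(symmetricKey, resolvedAlgorithm[0]);
            byte[] plainData = symmetricDecryptData(hybridEncryptionOutput, javaSecurityAPIProvider, transformation,
                    secretKey);
            if (log.isDebugEnabled()) {
                log.debug(String.format("Successfully decrypted data with '%s' symmetric algorithm, '%s' asymmetric algorithm using '%s' JCE provider related to '%s' crypto context.", transformation, asymmetricAlgorithm, javaSecurityAPIProvider, cryptoContext));
            }
            return plainData;
        } catch (Exception e) {
            throw wrapError(String.format("An error occurred while hybrid decrypting using the symmetric algorithm : '%s' and asymmetric algorithm : '%s' with the Java Security API provider : '%s'; %s ; %s", transformation, asymmetricAlgorithm, javaSecurityAPIProvider, cryptoContext, privateKeyInfo), e);
        } finally {
            // Best-effort key hygiene: the unwrapped key is only needed to build the SecretKeySpec.
            Arrays.fill(symmetricKey, (byte) 0);
        }
    }

    /**
     * Rejects a context without usable tenant information. Tenant id {@code 0} is treated as unset; the
     * super tenant is identified by {@link #SUPER_TENANT_ID}, not {@code 0}.
     */
    private void failIfContextInformationIsMissing(CryptoContext cryptoContext) throws CryptoException {
        if (cryptoContext == null || cryptoContext.getTenantId() == 0
                || StringUtils.isBlank(cryptoContext.getTenantDomain())) {
            throw new CryptoException("Tenant information is missing in the crypto context.");
        }
    }

    /** Whether the context refers to the super tenant, whose keys live in the primary key store. */
    private static boolean isSuperTenant(CryptoContext cryptoContext) {
        return cryptoContext.getTenantId() == SUPER_TENANT_ID;
    }

    /**
     * Derives the tenant key store name from the tenant domain: dots become dashes and {@code .jks} is
     * appended (e.g. {@code foo.com} becomes {@code foo-com.jks}).
     * <p>
     * NOTE(review): the domain is not validated here; characters other than '.' pass through unchanged, so
     * this relies on the caller having validated the tenant domain before it reaches the crypto context.
     */
    private String getTenantKeyStoreName(String tenantDomain) {
        return tenantDomain.trim().replace(".", "-") + ".jks";
    }

    /**
     * Encrypts the plain data with the given symmetric key and parameters, binding the associated data as
     * AAD when present. For an AEAD mode the JCE appends the tag to the returned ciphertext.
     *
     * @throws Exception any JCA failure, including a non-AEAD transformation receiving associated data
     */
    protected byte[] symmetricEncryptData(HybridEncryptionInput hybridEncryptionInput, String javaSecurityAPIProvider,
                                          String transformation, SecretKeySpec secretKey,
                                          AlgorithmParameterSpec parameters) throws Exception {
        Cipher cipher = createCipher(transformation, javaSecurityAPIProvider);
        cipher.init(Cipher.ENCRYPT_MODE, secretKey, parameters);
        byte[] authData = hybridEncryptionInput.getAuthData();
        if (authData != null) {
            cipher.updateAAD(authData);
        }
        byte[] cipherText = cipher.doFinal(hybridEncryptionInput.getPlainData());
        if (log.isDebugEnabled()) {
            log.debug(String.format("Plain data was successfully encrypted with %s symmetric algorithm and %s secret key.", transformation, secretKey.getAlgorithm()));
        }
        return cipherText;
    }

    /**
     * Decrypts the cipher data with the given symmetric key. When both associated data and a tag are present
     * the AAD is bound and the tag is re-appended to the ciphertext, which is the layout the JCE GCM
     * implementation expects. If only one of the two is present the data is decrypted without AAD, which for
     * GCM fails the tag check and so fails closed.
     *
     * @throws Exception any JCA failure, including an authentication tag mismatch
     */
    private byte[] symmetricDecryptData(HybridEncryptionOutput hybridEncryptionOutput, String javaSecurityAPIProvider,
                                        String transformation, SecretKeySpec secretKey) throws Exception {
        Cipher cipher = createCipher(transformation, javaSecurityAPIProvider);
        AlgorithmParameterSpec parameters = hybridEncryptionOutput.getParameterSpec();
        if (parameters == null) {
            cipher.init(Cipher.DECRYPT_MODE, secretKey);
        } else {
            cipher.init(Cipher.DECRYPT_MODE, secretKey, parameters);
        }
        byte[] authData = hybridEncryptionOutput.getAuthData();
        byte[] authTag = hybridEncryptionOutput.getAuthTag();
        if (authData == null || authTag == null) {
            return cipher.doFinal(hybridEncryptionOutput.getCipherData());
        }
        cipher.updateAAD(authData);
        return cipher.doFinal(concatByteArrays(new byte[][]{hybridEncryptionOutput.getCipherData(), authTag}));
    }

    /**
     * Splits a symmetric algorithm string of the form {@code ALG[_bits][/mode/padding]} into
     * {@code {algorithm, keySizeBits, transformation}}, e.g. {@code AES_256/GCM/NoPadding} becomes
     * {@code {"AES", "256", "AES/GCM/NoPadding"}}. Only the AES and DES families are accepted; the default
     * key size is 128 bits for AES and 64 bits for DES.
     * <p>
     * Security notes: DES has a 56-bit effective key and should be considered legacy; a transformation with
     * no explicit mode leaves mode and padding to the provider defaults (ECB for the JDK providers), which is
     * not semantically secure. Both cases are logged at WARN.
     *
     * @throws CryptoException for a blank string or an unsupported algorithm family
     */
    private String[] resolveSymmetricAlgorithm(String symmetricAlgorithm) throws CryptoException {
        if (StringUtils.isBlank(symmetricAlgorithm)) {
            throw new CryptoException("Symmetric algorithm is not specified for hybrid encryption/decryption.");
        }
        String[] transformationParts = symmetricAlgorithm.split("/");
        String[] algorithmAndKeySize = transformationParts[0].split("_");
        String keyAlgorithm = algorithmAndKeySize[0];
        String keySizeBits;
        if (symmetricAlgorithm.contains("AES")) {
            keySizeBits = DEFAULT_AES_KEY_SIZE_BITS;
        } else if (symmetricAlgorithm.contains("DES")) {
            keySizeBits = DEFAULT_DES_KEY_SIZE_BITS;
            log.warn(String.format("'%s' uses the DES family, which is considered weak; prefer AES for hybrid encryption.", symmetricAlgorithm));
        } else {
            throw new CryptoException(String.format("'%s' symmetric algorithm is not supported for hybrid encryption/decryption.", symmetricAlgorithm));
        }
        if (algorithmAndKeySize.length > 1) {
            keySizeBits = algorithmAndKeySize[1];
        }
        if (transformationParts.length == 1) {
            log.warn(String.format("'%s' specifies no cipher mode; the JCE provider default mode and padding will be used.", symmetricAlgorithm));
        }
        transformationParts[0] = keyAlgorithm;
        return new String[]{keyAlgorithm, keySizeBits, String.join("/", transformationParts)};
    }

    /**
     * Generates a random symmetric key of {@code keySizeBits} bits from the shared {@link SecureRandom}.
     *
     * @throws CryptoException if the key size is not a positive multiple of 8 (previously this surfaced as an
     *                         unchecked {@code NumberFormatException} or a silently truncated key length)
     */
    private byte[] generateSymmetricKey(String keyAlgorithm, String keySizeBits) throws CryptoException {
        int keySizeInBits;
        try {
            keySizeInBits = Integer.parseInt(keySizeBits);
        } catch (NumberFormatException e) {
            throw new CryptoException(String.format("Invalid symmetric key size '%s' for the algorithm '%s'.", keySizeBits, keyAlgorithm), e);
        }
        if (keySizeInBits <= 0 || keySizeInBits % 8 != 0) {
            throw new CryptoException(String.format("Symmetric key size '%s' for the algorithm '%s' must be a positive multiple of 8 bits.", keySizeBits, keyAlgorithm));
        }
        byte[] key = new byte[keySizeInBits / 8];
        random.nextBytes(key);
        if (log.isDebugEnabled()) {
            log.debug(String.format("A secret key of %s type was successfully generated for hybrid encryption.", keyAlgorithm));
        }
        return key;
    }

    /** Looks up the private key and turns an absent key into a logged {@link CryptoException}. */
    private PrivateKey requirePrivateKey(CryptoContext cryptoContext, PrivateKeyInfo privateKeyInfo)
            throws CryptoException {
        PrivateKey privateKey = getPrivateKey(cryptoContext, privateKeyInfo);
        if (privateKey == null) {
            String errorMessage = String.format("Could not retrieve the private key using '%s' and '%s'. ", privateKeyInfo, cryptoContext);
            log.error(errorMessage);
            throw new CryptoException(errorMessage);
        }
        return privateKey;
    }

    /** Looks up the certificate and turns an absent certificate into a logged {@link CryptoException}. */
    private Certificate requireCertificate(CryptoContext cryptoContext, CertificateInfo certificateInfo)
            throws CryptoException {
        Certificate certificate = getCertificate(cryptoContext, certificateInfo);
        if (certificate == null) {
            String errorMessage = String.format("Could not retrieve the certificate using '%s' and '%s'. ", certificateInfo, cryptoContext);
            log.error(errorMessage);
            throw new CryptoException(errorMessage);
        }
        return certificate;
    }

    /** {@link Signature#getInstance} with or without an explicit provider, depending on whether one is given. */
    private static Signature createSignature(String algorithm, String javaSecurityAPIProvider)
            throws GeneralSecurityException {
        if (StringUtils.isBlank(javaSecurityAPIProvider)) {
            return Signature.getInstance(algorithm);
        }
        return Signature.getInstance(algorithm, javaSecurityAPIProvider);
    }

    /** {@link Cipher#getInstance} with or without an explicit provider, depending on whether one is given. */
    private static Cipher createCipher(String transformation, String javaSecurityAPIProvider)
            throws GeneralSecurityException {
        if (StringUtils.isBlank(javaSecurityAPIProvider)) {
            return Cipher.getInstance(transformation);
        }
        return Cipher.getInstance(transformation, javaSecurityAPIProvider);
    }

    /** Logs the failure at DEBUG (with stack trace) and builds the {@link CryptoException} to throw. */
    private static CryptoException wrapError(String message, Exception cause) {
        if (log.isDebugEnabled()) {
            log.debug(message, cause);
        }
        return new CryptoException(message, cause);
    }

    /**
     * Copies {@code length} bytes starting at {@code offset}. Uses {@code System.arraycopy} so that an
     * out-of-range slice throws instead of being zero-padded.
     */
    private static byte[] subArray(byte[] source, int offset, int length) {
        byte[] slice = new byte[length];
        System.arraycopy(source, offset, slice, 0, length);
        return slice;
    }

    /**
     * Concatenates the given arrays in order. The {@code throws} clause is kept for source compatibility with
     * subclasses and callers of the previous implementation.
     */
    protected static byte[] concatByteArrays(byte[][] parts) throws CryptoException {
        int totalLength = 0;
        for (byte[] part : parts) {
            totalLength += part.length;
        }
        byte[] joined = new byte[totalLength];
        int offset = 0;
        for (byte[] part : parts) {
            System.arraycopy(part, 0, joined, offset, part.length);
            offset += part.length;
        }
        return joined;
    }
}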
