package org.apache.pdfbox.pdmodel.encryption;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameterGenerator;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSString;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.EncryptedContentInfo;
import org.bouncycastle.asn1.cms.EnvelopedData;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.KeyTransRecipientInfo;
import org.bouncycastle.asn1.cms.OriginatorInfo;
import org.bouncycastle.asn1.cms.RecipientIdentifier;
import org.bouncycastle.asn1.cms.RecipientInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.KeyTransRecipientId;
import org.bouncycastle.cms.RecipientId;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;

/* loaded from: input_file:pdfbox-2.0.16.jar:org/apache/pdfbox/pdmodel/encryption/PublicKeySecurityHandler.class */
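/**
 * Security handler for the {@code Adobe.PubSec} filter: the document key is derived from a
 * 20-byte seed that is delivered to each recipient inside a CMS enveloped-data structure
 * encrypted for that recipient's X.509 certificate.
 *
 * <p>This listing was recovered by a decompiler. The array types and the recipient loop that
 * the decompiler could not reconstruct have been restored from the surrounding logic.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #prepareForDecryption} parses structures taken from the document being opened, so
 *       every entry is type-checked and malformed input is reported as an {@link IOException}
 *       instead of an unchecked cast or index failure.</li>
 *   <li>The enveloped seed is encrypted with RC2-CBC and, for the older dictionary versions, the
 *       key is derived with SHA-1. Both are legacy primitives; NOTE(review): presumably kept for
 *       compatibility with existing readers, confirm before changing either.</li>
 * </ul>
 */
public final class PublicKeySecurityHandler extends SecurityHandler {
    /** Filter name this handler writes into the encryption dictionary. */
    public static final String FILTER = "Adobe.PubSec";
    private static final String SUBFILTER4 = "adbe.pkcs7.s4";
    private static final String SUBFILTER5 = "adbe.pkcs7.s5";

    /** Number of seed bytes at the start of every enveloped payload. */
    private static final int SEED_LENGTH = 20;
    /** Number of permission bytes that follow the seed. */
    private static final int PERMISSION_LENGTH = 4;
    /** Total size of the decrypted payload: seed followed by permissions. */
    private static final int ENVELOPE_LENGTH = SEED_LENGTH + PERMISSION_LENGTH;

    // Null when the handler was created for decryption only; the encryption path dereferences it.
    private final PublicKeyProtectionPolicy policy;

    /** Creates a handler without a protection policy; such a handler can only decrypt. */
    public PublicKeySecurityHandler() {
        this.policy = null;
    }

    /**
     * Creates a handler that encrypts according to the given policy.
     *
     * @param publicKeyProtectionPolicy recipients and key length to use; must not be null
     */
    public PublicKeySecurityHandler(PublicKeyProtectionPolicy publicKeyProtectionPolicy) {
        this.policy = publicKeyProtectionPolicy;
        this.keyLength = this.policy.getEncryptionKeyLength();
    }

    /**
     * Recovers the document encryption key using the certificate and private key supplied in
     * the decryption material.
     *
     * @param pDEncryption encryption dictionary of the document being opened (untrusted input)
     * @param cOSArray not used by this handler
     * @param decryptionMaterial must be a {@link PublicKeyDecryptionMaterial}
     * @throws IOException if the material is of the wrong kind, the recipients array is missing
     *     or malformed, no recipient entry matches the certificate, the decrypted payload is not
     *     24 bytes long, or the declared key length does not fit the derived digest
     */
    @Override
    public void prepareForDecryption(PDEncryption pDEncryption, COSArray cOSArray, DecryptionMaterial decryptionMaterial) throws IOException {
        if (!(decryptionMaterial instanceof PublicKeyDecryptionMaterial)) {
            throw new IOException("Provided decryption material is not compatible with the document");
        }
        setDecryptMetadata(pDEncryption.isEncryptMetaData());
        if (pDEncryption.getLength() != 0) {
            // The key length comes from the document and is validated before it is used below.
            this.keyLength = pDEncryption.getLength();
        }
        PublicKeyDecryptionMaterial material = (PublicKeyDecryptionMaterial) decryptionMaterial;
        try {
            X509Certificate certificate = material.getCertificate();
            X509CertificateHolder certificateHolder =
                    certificate != null ? new X509CertificateHolder(certificate.getEncoded()) : null;

            COSArray recipients = findRecipients(pDEncryption);
            byte[][] recipientBlobs = new byte[recipients.size()][];
            int recipientBlobsLength = 0;
            boolean found = false;
            byte[] envelope = null;
            StringBuilder mismatches = new StringBuilder();

            for (int i = 0; i < recipients.size(); i++) {
                COSBase entry = recipients.getObject(i);
                if (!(entry instanceof COSString)) {
                    throw new IOException("Recipient entry " + i + " of the encryption dictionary is not a string");
                }
                byte[] blob = ((COSString) entry).getBytes();
                int position = 0;
                Iterator<RecipientInformation> it =
                        new CMSEnvelopedData(blob).getRecipientInfos().getRecipients().iterator();
                // The decompiled loop never terminated once the iterator was exhausted without
                // a match; iterate only while recipient infos remain.
                while (it.hasNext()) {
                    RecipientInformation recipient = it.next();
                    RecipientId rid = recipient.getRID();
                    if (!found && rid.match(certificateHolder)) {
                        found = true;
                        envelope = recipient.getContent(
                                new JceKeyTransEnvelopedRecipient((PrivateKey) material.getPrivateKey()));
                        break;
                    }
                    position++;
                    if (certificate != null) {
                        // Collect what was compared so a failed match can be diagnosed.
                        mismatches.append('\n');
                        mismatches.append(position);
                        mismatches.append(": ");
                        if (rid instanceof KeyTransRecipientId) {
                            appendCertInfo(mismatches, (KeyTransRecipientId) rid, certificate, certificateHolder);
                        }
                    }
                }
                // Every recipient blob feeds the key derivation, matched or not.
                recipientBlobs[i] = blob;
                recipientBlobsLength += blob.length;
            }

            if (!found || envelope == null) {
                throw new IOException("The certificate matches none of " + recipients.size() + " recipient entries" + mismatches.toString());
            }
            if (envelope.length != ENVELOPE_LENGTH) {
                throw new IOException("The enveloped data does not contain 24 bytes");
            }

            byte[] permissionBytes = new byte[PERMISSION_LENGTH];
            System.arraycopy(envelope, SEED_LENGTH, permissionBytes, 0, PERMISSION_LENGTH);
            AccessPermission accessPermission = new AccessPermission(permissionBytes);
            accessPermission.setReadOnly();
            setCurrentAccessPermission(accessPermission);

            // Digest input: the seed followed by every recipient blob in array order.
            byte[] digestInput = new byte[recipientBlobsLength + SEED_LENGTH];
            System.arraycopy(envelope, 0, digestInput, 0, SEED_LENGTH);
            int offset = SEED_LENGTH;
            for (byte[] blob : recipientBlobs) {
                System.arraycopy(blob, 0, digestInput, offset, blob.length);
                offset += blob.length;
            }

            byte[] digest;
            int version = pDEncryption.getVersion();
            if (version == 4 || version == 5) {
                digest = MessageDigests.getSHA256().digest(digestInput);
                PDCryptFilterDictionary cryptFilter = pDEncryption.getDefaultCryptFilterDictionary();
                if (cryptFilter != null) {
                    COSName method = cryptFilter.getCryptFilterMethod();
                    setAES(COSName.AESV2.equals(method) || COSName.AESV3.equals(method));
                }
            } else {
                digest = MessageDigests.getSHA1().digest(digestInput);
            }

            // A document can declare a key longer than the digest it is derived from; reject
            // that here rather than fail with an unchecked exception in the copy below.
            int keyBytes = this.keyLength / 8;
            if (keyBytes < 0 || keyBytes > digest.length) {
                throw new IOException("Key length " + this.keyLength + " is not supported for a " + (digest.length * 8) + "-bit digest");
            }
            this.encryptionKey = new byte[keyBytes];
            System.arraycopy(digest, 0, this.encryptionKey, 0, keyBytes);
        } catch (KeyStoreException e) {
            throw new IOException(e);
        } catch (CertificateEncodingException e) {
            throw new IOException(e);
        } catch (CMSException e) {
            throw new IOException(e);
        }
    }

    /**
     * Locates the recipients array, looking first in the encryption dictionary and then in the
     * default crypt filter dictionary.
     *
     * @throws IOException if neither location holds an array
     */
    private static COSArray findRecipients(PDEncryption encryption) throws IOException {
        COSBase item = encryption.getCOSObject().getItem(COSName.RECIPIENTS);
        if (item == null) {
            PDCryptFilterDictionary cryptFilter = encryption.getDefaultCryptFilterDictionary();
            if (cryptFilter == null) {
                throw new IOException("The encryption dictionary has no recipients array");
            }
            item = cryptFilter.getCOSObject().getItem(COSName.RECIPIENTS);
        }
        if (!(item instanceof COSArray)) {
            throw new IOException("The recipients entry of the encryption dictionary is missing or not an array");
        }
        return (COSArray) item;
    }

    /**
     * Appends the serial number and issuer of a recipient id next to those of the supplied
     * certificate. Nothing is appended when the recipient id carries no serial number.
     */
    private void appendCertInfo(StringBuilder sb, KeyTransRecipientId rid, X509Certificate certificate, X509CertificateHolder certificateHolder) {
        BigInteger ridSerial = rid.getSerialNumber();
        if (ridSerial == null) {
            return;
        }
        BigInteger certSerial = certificate.getSerialNumber();
        String certSerialText = certSerial != null ? certSerial.toString(16) : "unknown";
        sb.append("serial-#: rid ");
        sb.append(ridSerial.toString(16));
        sb.append(" vs. cert ");
        sb.append(certSerialText);
        sb.append(" issuer: rid '");
        sb.append(rid.getIssuer());
        sb.append("' vs. cert '");
        sb.append(certificateHolder == null ? "null" : certificateHolder.getIssuer());
        sb.append("' ");
    }

    /**
     * Generates a fresh seed, builds one enveloped-data blob per recipient of the policy, derives
     * the document key and installs the encryption dictionary on the document.
     *
     * <p>The handler must have been created with a protection policy; without one the recipient
     * computation dereferences a null policy.
     *
     * @param pDDocument document to prepare
     * @throws IOException if a cryptographic operation fails
     * @throws IllegalArgumentException if the key length is not 40, 128 or 256
     */
    @Override
    public void prepareDocumentForEncryption(PDDocument pDDocument) throws IOException {
        try {
            PDEncryption encryption = pDDocument.getEncryption();
            if (encryption == null) {
                encryption = new PDEncryption();
            }
            encryption.setFilter(FILTER);
            encryption.setLength(this.keyLength);
            int version = computeVersionNumber();
            encryption.setVersion(version);
            encryption.removeV45filters();

            // The seed is the first 20 bytes of a freshly generated 192-bit key, i.e. 20 bytes
            // drawn from SecureRandom.
            byte[] seed = new byte[SEED_LENGTH];
            KeyGenerator seedGenerator = KeyGenerator.getInstance("AES");
            seedGenerator.init(192, new SecureRandom());
            System.arraycopy(seedGenerator.generateKey().getEncoded(), 0, seed, 0, SEED_LENGTH);

            byte[][] recipientBlobs = computeRecipientsField(seed);
            int digestInputLength = seed.length;
            for (byte[] blob : recipientBlobs) {
                digestInputLength += blob.length;
            }
            // Digest input: the seed followed by every recipient blob in order.
            byte[] digestInput = new byte[digestInputLength];
            System.arraycopy(seed, 0, digestInput, 0, SEED_LENGTH);
            int offset = SEED_LENGTH;
            for (byte[] blob : recipientBlobs) {
                System.arraycopy(blob, 0, digestInput, offset, blob.length);
                offset += blob.length;
            }

            byte[] digest;
            if (version == 4 || version == 5) {
                encryption.setSubFilter(SUBFILTER5);
                digest = MessageDigests.getSHA256().digest(digestInput);
                prepareEncryptionDictAES(encryption, version == 5 ? COSName.AESV3 : COSName.AESV2, recipientBlobs);
            } else {
                encryption.setSubFilter(SUBFILTER4);
                digest = MessageDigests.getSHA1().digest(digestInput);
                encryption.setRecipients(recipientBlobs);
            }
            // computeVersionNumber() has already limited keyLength to 40, 128 or 256, so the
            // digest chosen above is always long enough.
            this.encryptionKey = new byte[this.keyLength / 8];
            System.arraycopy(digest, 0, this.encryptionKey, 0, this.keyLength / 8);
            pDDocument.setEncryptionDictionary(encryption);
            pDDocument.getDocument().setEncryptionDictionary(encryption.getCOSObject());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (GeneralSecurityException e) {
            throw new IOException(e);
        }
    }

    /**
     * Maps the configured key length to the encryption dictionary version.
     *
     * <p>Version 4 is never returned, so the AESV2 branch of
     * {@link #prepareDocumentForEncryption} is not reachable through this method.
     *
     * @throws IllegalArgumentException for any key length other than 40, 128 or 256
     */
    private int computeVersionNumber() {
        switch (this.keyLength) {
            case 40:
                return 1;
            case 128:
                return 2;
            case 256:
                return 5;
            default:
                throw new IllegalArgumentException("key length must be 40, 128 or 256");
        }
    }

    /**
     * Installs a default crypt filter that carries the recipient blobs and the given AES method,
     * and selects it for both streams and strings.
     */
    private void prepareEncryptionDictAES(PDEncryption encryption, COSName aesMethod, byte[][] recipientBlobs) {
        PDCryptFilterDictionary cryptFilter = new PDCryptFilterDictionary();
        cryptFilter.setCryptFilterMethod(aesMethod);
        cryptFilter.setLength(this.keyLength);
        COSArray recipients = new COSArray();
        for (byte[] blob : recipientBlobs) {
            recipients.add(new COSString(blob));
        }
        cryptFilter.getCOSObject().setItem(COSName.RECIPIENTS, recipients);
        recipients.setDirect(true);
        encryption.setDefaultCryptFilterDictionary(cryptFilter);
        encryption.setStreamFilterName(COSName.DEFAULT_CRYPT_FILTER);
        encryption.setStringFilterName(COSName.DEFAULT_CRYPT_FILTER);
        cryptFilter.getCOSObject().setDirect(true);
        setAES(true);
    }

    /**
     * Builds one DER-encoded enveloped-data blob per recipient of the policy. Each blob wraps the
     * seed followed by that recipient's four permission bytes, most significant byte first.
     *
     * @param seed the 20-byte seed shared by all recipients
     * @return the encoded blobs in policy iteration order
     */
    private byte[][] computeRecipientsField(byte[] seed) throws GeneralSecurityException, IOException {
        byte[][] blobs = new byte[this.policy.getNumberOfRecipients()][];
        Iterator<PublicKeyRecipient> recipients = this.policy.getRecipientsIterator();
        int index = 0;
        while (recipients.hasNext()) {
            PublicKeyRecipient recipient = recipients.next();
            X509Certificate certificate = recipient.getX509();
            int permission = recipient.getPermission().getPermissionBytesForPublicKey();

            byte[] payload = new byte[ENVELOPE_LENGTH];
            System.arraycopy(seed, 0, payload, 0, SEED_LENGTH);
            payload[20] = (byte) (permission >>> 24);
            payload[21] = (byte) (permission >>> 16);
            payload[22] = (byte) (permission >>> 8);
            payload[23] = (byte) permission;

            ASN1Primitive envelope = createDERForRecipient(payload, certificate);
            ByteArrayOutputStream encoded = new ByteArrayOutputStream();
            new DEROutputStream(encoded).writeObject(envelope);
            blobs[index] = encoded.toByteArray();
            index++;
        }
        return blobs;
    }

    /**
     * Wraps the payload in a CMS enveloped-data structure addressed to one certificate: the
     * payload is encrypted under a fresh 128-bit RC2-CBC key, and that key is encrypted for the
     * certificate's public key.
     *
     * <p>NOTE(review): RC2 is a legacy cipher. It protects the seed every recipient uses to
     * derive the document key, so confirm which content ciphers target readers accept before
     * relying on this for long-lived confidentiality.
     */
    private ASN1Primitive createDERForRecipient(byte[] payload, X509Certificate certificate) throws IOException, GeneralSecurityException {
        String algorithmId = PKCSObjectIdentifiers.RC2_CBC.getId();
        try {
            AlgorithmParameterGenerator parameterGenerator =
                    AlgorithmParameterGenerator.getInstance(algorithmId, SecurityProvider.getProvider());
            KeyGenerator keyGenerator = KeyGenerator.getInstance(algorithmId, SecurityProvider.getProvider());
            Cipher cipher = Cipher.getInstance(algorithmId, SecurityProvider.getProvider());
            AlgorithmParameters parameters = parameterGenerator.generateParameters();

            ASN1Primitive encodedParameters;
            ASN1InputStream parameterStream = new ASN1InputStream(parameters.getEncoded("ASN.1"));
            try {
                encodedParameters = parameterStream.readObject();
            } finally {
                // Close even when parsing fails.
                parameterStream.close();
            }

            keyGenerator.init(128);
            SecretKey contentKey = keyGenerator.generateKey();
            cipher.init(Cipher.ENCRYPT_MODE, contentKey, parameters);

            KeyTransRecipientInfo keyTransport = computeRecipientInfo(certificate, contentKey.getEncoded());
            DERSet recipientInfos = new DERSet(new RecipientInfo(keyTransport));
            AlgorithmIdentifier contentAlgorithm =
                    new AlgorithmIdentifier(new ASN1ObjectIdentifier(algorithmId), encodedParameters);
            EncryptedContentInfo encryptedContent = new EncryptedContentInfo(
                    PKCSObjectIdentifiers.data, contentAlgorithm, new DEROctetString(cipher.doFinal(payload)));
            EnvelopedData enveloped =
                    new EnvelopedData((OriginatorInfo) null, recipientInfos, encryptedContent, (ASN1Set) null);
            return new ContentInfo(PKCSObjectIdentifiers.envelopedData, enveloped).toASN1Primitive();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("Could not find a suitable javax.crypto provider for algorithm " + algorithmId + "; possible reason: using an unsigned .jar file", e);
        } catch (NoSuchPaddingException e) {
            throw new RuntimeException("Could not find a suitable javax.crypto provider", e);
        }
    }

    /**
     * Encrypts the content key for one certificate and returns the key-transport recipient info
     * that identifies the certificate by issuer and serial number.
     *
     * <p>The cipher is looked up by the object identifier of the certificate's public-key
     * algorithm. NOTE(review): the padding is whatever the provider maps that identifier to,
     * presumably PKCS#1 v1.5 for RSA keys; confirm against the configured provider.
     */
    private KeyTransRecipientInfo computeRecipientInfo(X509Certificate certificate, byte[] contentKey) throws IOException, CertificateEncodingException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        TBSCertificate tbsCertificate;
        ASN1InputStream certificateStream = new ASN1InputStream(certificate.getTBSCertificate());
        try {
            tbsCertificate = TBSCertificate.getInstance(certificateStream.readObject());
        } finally {
            // Close even when parsing fails.
            certificateStream.close();
        }
        AlgorithmIdentifier keyAlgorithm = tbsCertificate.getSubjectPublicKeyInfo().getAlgorithm();
        IssuerAndSerialNumber issuerAndSerial =
                new IssuerAndSerialNumber(tbsCertificate.getIssuer(), tbsCertificate.getSerialNumber().getValue());
        try {
            Cipher cipher = Cipher.getInstance(keyAlgorithm.getAlgorithm().getId(), SecurityProvider.getProvider());
            cipher.init(Cipher.ENCRYPT_MODE, certificate.getPublicKey());
            return new KeyTransRecipientInfo(
                    new RecipientIdentifier(issuerAndSerial), keyAlgorithm, new DEROctetString(cipher.doFinal(contentKey)));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Could not find a suitable javax.crypto provider", e);
        } catch (NoSuchPaddingException e) {
            throw new RuntimeException("Could not find a suitable javax.crypto provider", e);
        }
    }

    /** Returns whether this handler was created with a protection policy. */
    @Override
    public boolean hasProtectionPolicy() {
        return this.policy != null;
    }
}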
