package org.opends.server.types;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Random;
import java.util.SortedSet;
import java.util.UUID;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import org.opends.messages.CoreMessages;
import org.opends.messages.Message;
import org.opends.server.admin.std.server.CryptoManagerCfg;
import org.opends.server.api.Backend;
import org.opends.server.backends.TrustStoreBackend;
import org.opends.server.config.ConfigConstants;
import org.opends.server.config.ConfigException;
import org.opends.server.core.DirectoryServer;
import org.opends.server.extensions.ExtensionsConstants;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.util.SelectableCertificateKeyManager;
import org.opends.server.util.StaticUtils;
import org.opends.server.util.Validator;

@PublicAPI(stability = StabilityLevel.VOLATILE, mayInstantiate = false, mayExtend = false, mayInvoke = true)
/* loaded from: input_file:org/opends/server/types/CryptoManager.class */
public class CryptoManager {
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    private static final SecureRandom secureRandom = new SecureRandom();
    private static final Random pseudoRandom = new Random(secureRandom.nextLong());
    private final String sslCertNickname;
    private final boolean sslEncryption;
    private final SortedSet<String> sslProtocols;
    private final SortedSet<String> sslCipherSuites;
    private final HashMap<ByteArray, SecretKeyEntry> secretKeyEntryMap = new HashMap<>();
    private final String preferredDigestAlgorithm = ExtensionsConstants.MESSAGE_DIGEST_ALGORITHM_SHA_1;
    private final String preferredMACAlgorithm = "HmacSHA1";
    private final String preferredCipherTransformation = "AES/CBC/PKCS5Padding";
    private final int preferredCipherTransformationKeyLength = 128;

    /* loaded from: input_file:org/opends/server/types/CryptoManager$CryptoManagerException.class */
    public static class CryptoManagerException extends OpenDsException {
        static final long serialVersionUID = -5890763923778143774L;

        public CryptoManagerException(Message message) {
            super(message);
        }

        public CryptoManagerException(Message message, Exception exc) {
            super(message, exc);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/opends/server/types/CryptoManager$SecretKeyEntry.class */
    public static class SecretKeyEntry {
        private final byte[] fKeyID;
        private final String fTransformation;
        private final SecretKeySpec fKeySpec;
        private final int fKeyLengthBits;
        private int fIVLengthBits;
        private boolean fIsCompromised;
        static final /* synthetic */ boolean $assertionsDisabled;

        public static SecretKeyEntry generateKeyEntry(Map<ByteArray, SecretKeyEntry> map, String str, int i) throws CryptoManagerException {
            SecretKeyEntry keyEntry;
            if (null != map && null != (keyEntry = getKeyEntry(map, str, i))) {
                return keyEntry;
            }
            if (0 != i % 8) {
                throw new CryptoManagerException(Message.raw("keyLengthBits argument must be evenly divisible by %d.", 8));
            }
            int indexOf = str.indexOf(47);
            String substring = 0 < indexOf ? str.substring(0, indexOf) : str;
            try {
                KeyGenerator keyGenerator = KeyGenerator.getInstance(substring);
                keyGenerator.init(i, CryptoManager.secureRandom);
                byte[] encoded = keyGenerator.generateKey().getEncoded();
                byte[] uuidToBytes = CryptoManager.uuidToBytes(UUID.randomUUID());
                SecretKeyEntry secretKeyEntry = new SecretKeyEntry(uuidToBytes, str, substring, encoded, -1, false);
                byte[] iv = CryptoManager.getCipher(secretKeyEntry, 1, null).getIV();
                secretKeyEntry.setIVLengthBits(null == iv ? 0 : iv.length * 8);
                if (null != map) {
                    map.put(new ByteArray(uuidToBytes), secretKeyEntry);
                }
                return secretKeyEntry;
            } catch (NoSuchAlgorithmException e) {
                throw new CryptoManagerException(Message.raw("Unable to produce key generator from cipher transformation argument %s", str), e);
            }
        }

        public static SecretKeyEntry setKeyEntry(Map<ByteArray, SecretKeyEntry> map, byte[] bArr, String str, String str2, byte[] bArr2, int i, boolean z) throws CryptoManagerException {
            Validator.ensureNotNull(bArr, str, str2, bArr2);
            Validator.ensureTrue(16 == bArr.length);
            Validator.ensureTrue(0 <= i);
            SecretKeyEntry keyEntry = getKeyEntry(map, bArr);
            if (null != keyEntry) {
                return keyEntry;
            }
            SecretKeyEntry secretKeyEntry = new SecretKeyEntry(bArr, str, str2, bArr2, i, z);
            byte[] bArr3 = null;
            if (0 < i) {
                bArr3 = new byte[i * 8];
                CryptoManager.pseudoRandom.nextBytes(bArr3);
            }
            CryptoManager.getCipher(secretKeyEntry, 2, bArr3);
            map.put(new ByteArray(bArr), secretKeyEntry);
            return secretKeyEntry;
        }

        public static SecretKeyEntry getKeyEntry(Map<ByteArray, SecretKeyEntry> map, String str, int i) {
            Validator.ensureNotNull(map, str);
            Validator.ensureTrue(0 < i);
            SecretKeyEntry secretKeyEntry = null;
            Iterator<Map.Entry<ByteArray, SecretKeyEntry>> it = map.entrySet().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Map.Entry<ByteArray, SecretKeyEntry> next = it.next();
                SecretKeyEntry value = next.getValue();
                if (!value.fIsCompromised && value.getTransformation().equals(str) && value.fKeyLengthBits == i) {
                    if (!$assertionsDisabled && !Arrays.equals(next.getKey().array(), value.fKeyID)) {
                        throw new AssertionError();
                    }
                    secretKeyEntry = value;
                }
            }
            if (null != secretKeyEntry) {
                Validator.ensureTrue(0 <= secretKeyEntry.getIVLength(), "SecretKeyEntry initialization is not complete.");
            }
            return secretKeyEntry;
        }

        public static SecretKeyEntry getKeyEntry(Map<ByteArray, SecretKeyEntry> map, byte[] bArr) {
            return map.get(new ByteArray(bArr));
        }

        private SecretKeyEntry(byte[] bArr, String str, String str2, byte[] bArr2, int i, boolean z) throws CryptoManagerException {
            this.fIsCompromised = false;
            Validator.ensureNotNull(bArr, str, bArr2);
            Validator.ensureTrue(16 == bArr.length);
            this.fKeyID = new byte[bArr.length];
            System.arraycopy(bArr, 0, this.fKeyID, 0, bArr.length);
            this.fTransformation = new String(str);
            this.fKeySpec = new SecretKeySpec(bArr2, str2);
            this.fKeyLengthBits = bArr2.length * 8;
            this.fIVLengthBits = i;
            this.fIsCompromised = z;
        }

        public String getTransformation() {
            return this.fTransformation;
        }

        public byte[] getKeyID() {
            return this.fKeyID;
        }

        public SecretKeySpec getKeySpec() {
            return this.fKeySpec;
        }

        public int getIVLength() {
            return this.fIVLengthBits;
        }

        private void setIVLengthBits(int i) {
            Validator.ensureTrue(-1 == this.fIVLengthBits && 0 <= i);
            this.fIVLengthBits = i;
        }

        public void setIsCompromised() {
            this.fIsCompromised = true;
        }

        static {
            $assertionsDisabled = !CryptoManager.class.desiredAssertionStatus();
        }
    }

    public CryptoManager(CryptoManagerCfg cryptoManagerCfg) throws ConfigException, InitializationException {
        this.sslCertNickname = cryptoManagerCfg.getSSLCertNickname();
        this.sslEncryption = cryptoManagerCfg.isSSLEncryption();
        this.sslProtocols = cryptoManagerCfg.getSSLProtocols();
        this.sslCipherSuites = cryptoManagerCfg.getSSLCipherSuites();
        try {
            MessageDigest.getInstance(this.preferredDigestAlgorithm);
            try {
                byte[] bArr = new byte[16];
                secureRandom.nextBytes(bArr);
                Mac.getInstance(this.preferredMACAlgorithm).init(new SecretKeySpec(bArr, this.preferredMACAlgorithm));
                try {
                    SecretKeyEntry.generateKeyEntry(null, this.preferredCipherTransformation, this.preferredCipherTransformationKeyLength);
                } catch (Exception e) {
                    if (DebugLogger.debugEnabled()) {
                        TRACER.debugCaught(DebugLogLevel.ERROR, e);
                    }
                    throw new InitializationException(Message.raw("Can't get preferred cipher:  " + StaticUtils.getExceptionMessage(e).toString(), new Object[0]), e);
                }
            } catch (Exception e2) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e2);
                }
                throw new InitializationException(Message.raw("Can't get preferred MAC provider:  " + StaticUtils.getExceptionMessage(e2).toString(), new Object[0]), e2);
            }
        } catch (Exception e3) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e3);
            }
            throw new InitializationException(Message.raw("Can't get preferred digest:  " + StaticUtils.getExceptionMessage(e3).toString(), new Object[0]), e3);
        }
    }

    private static byte[] uuidToBytes(String str) throws CryptoManagerException {
        try {
            return uuidToBytes(UUID.fromString(str));
        } catch (Exception e) {
            throw new CryptoManagerException(Message.raw("Invalid string representation of a UUID.", new Object[0]), e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] uuidToBytes(UUID uuid) {
        byte[] bArr = new byte[16];
        long mostSignificantBits = uuid.getMostSignificantBits();
        long leastSignificantBits = uuid.getLeastSignificantBits();
        for (int i = 7; i >= 0; i--) {
            bArr[i] = (byte) mostSignificantBits;
            mostSignificantBits >>>= 8;
            bArr[8 + i] = (byte) leastSignificantBits;
            leastSignificantBits >>>= 8;
        }
        return bArr;
    }

    public String getPreferredMessageDigestAlgorithm() {
        return this.preferredDigestAlgorithm;
    }

    public MessageDigest getPreferredMessageDigest() throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(this.preferredDigestAlgorithm);
    }

    public MessageDigest getMessageDigest(String str) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(str);
    }

    public byte[] digest(byte[] bArr) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(this.preferredDigestAlgorithm).digest(bArr);
    }

    public byte[] digest(String str, byte[] bArr) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(str).digest(bArr);
    }

    public byte[] digest(InputStream inputStream) throws IOException, NoSuchAlgorithmException {
        MessageDigest messageDigest = MessageDigest.getInstance(this.preferredDigestAlgorithm);
        byte[] bArr = new byte[8192];
        while (true) {
            int read = inputStream.read(bArr);
            if (read < 0) {
                return messageDigest.digest();
            }
            messageDigest.update(bArr, 0, read);
        }
    }

    public byte[] digest(String str, InputStream inputStream) throws IOException, NoSuchAlgorithmException {
        MessageDigest messageDigest = MessageDigest.getInstance(str);
        byte[] bArr = new byte[8192];
        while (true) {
            int read = inputStream.read(bArr);
            if (read < 0) {
                return messageDigest.digest();
            }
            messageDigest.update(bArr, 0, read);
        }
    }

    public String getPreferredMACAlgorithm() {
        return this.preferredMACAlgorithm;
    }

    public Mac getPreferredMACProvider() throws NoSuchAlgorithmException, InvalidKeyException {
        return getMACProvider(getPreferredMACAlgorithm());
    }

    public Mac getMACProvider(String str) throws NoSuchAlgorithmException, InvalidKeyException {
        Mac mac = Mac.getInstance(str);
        byte[] bArr = new byte[16];
        secureRandom.nextBytes(bArr);
        mac.init(new SecretKeySpec(bArr, str));
        return mac;
    }

    public byte[] mac(byte[] bArr) throws NoSuchAlgorithmException {
        return Mac.getInstance(this.preferredMACAlgorithm).doFinal(bArr);
    }

    public byte[] mac(String str, byte[] bArr) throws NoSuchAlgorithmException {
        return Mac.getInstance(str).doFinal(bArr);
    }

    public byte[] mac(InputStream inputStream) throws IOException, NoSuchAlgorithmException {
        Mac mac = Mac.getInstance(this.preferredMACAlgorithm);
        byte[] bArr = new byte[8192];
        while (true) {
            int read = inputStream.read(bArr);
            if (read < 0) {
                return mac.doFinal();
            }
            mac.update(bArr, 0, read);
        }
    }

    public byte[] mac(String str, InputStream inputStream) throws IOException, NoSuchAlgorithmException {
        Mac mac = Mac.getInstance(str);
        byte[] bArr = new byte[8192];
        while (true) {
            int read = inputStream.read(bArr);
            if (read < 0) {
                return mac.doFinal();
            }
            mac.update(bArr, 0, read);
        }
    }

    public String getPreferredCipherTransformation() {
        return this.preferredCipherTransformation;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Cipher getCipher(SecretKeyEntry secretKeyEntry, int i, byte[] bArr) throws CryptoManagerException {
        byte[] bArr2;
        Validator.ensureTrue(1 == i || 2 == i);
        Validator.ensureTrue(1 != i || null == bArr);
        Validator.ensureTrue(-1 != secretKeyEntry.getIVLength() || 1 == i);
        Validator.ensureTrue(null == bArr || bArr.length * 8 == secretKeyEntry.getIVLength());
        try {
            Cipher cipher = Cipher.getInstance(secretKeyEntry.getTransformation());
            try {
                if (0 < secretKeyEntry.getIVLength()) {
                    if (1 == i && null == bArr) {
                        bArr2 = new byte[secretKeyEntry.getIVLength() / 8];
                        pseudoRandom.nextBytes(bArr2);
                    } else {
                        bArr2 = bArr;
                    }
                    cipher.init(i, secretKeyEntry.getKeySpec(), new IvParameterSpec(bArr2));
                } else {
                    cipher.init(i, secretKeyEntry.getKeySpec());
                }
                return cipher;
            } catch (GeneralSecurityException e) {
                throw new CryptoManagerException(Message.raw("Error initializing cipher.", new Object[0]), e);
            }
        } catch (GeneralSecurityException e2) {
            throw new CryptoManagerException(Message.raw("Invalid cipher transformation specified %s.", secretKeyEntry.getTransformation()), e2);
        }
    }

    public byte[] encrypt(byte[] bArr) throws GeneralSecurityException, CryptoManagerException {
        return encrypt(this.preferredCipherTransformation, this.preferredCipherTransformationKeyLength, bArr);
    }

    public byte[] encrypt(String str, int i, byte[] bArr) throws GeneralSecurityException, CryptoManagerException {
        Validator.ensureNotNull(str, bArr);
        SecretKeyEntry keyEntry = SecretKeyEntry.getKeyEntry(this.secretKeyEntryMap, str, i);
        if (null == keyEntry) {
            keyEntry = SecretKeyEntry.generateKeyEntry(this.secretKeyEntryMap, str, i);
        }
        Cipher cipher = getCipher(keyEntry, 1, null);
        byte[] keyID = keyEntry.getKeyID();
        byte[] iv = cipher.getIV();
        int length = keyID.length + (null == iv ? 0 : iv.length);
        int outputSize = cipher.getOutputSize(bArr.length);
        byte[] bArr2 = new byte[length + outputSize];
        System.arraycopy(keyID, 0, bArr2, 0, keyID.length);
        if (null != iv) {
            System.arraycopy(iv, 0, bArr2, keyID.length, iv.length);
        }
        System.arraycopy(cipher.doFinal(bArr), 0, bArr2, length, outputSize);
        return bArr2;
    }

    public CipherOutputStream getCipherOutputStream(OutputStream outputStream) throws CryptoManagerException {
        return getCipherOutputStream(this.preferredCipherTransformation, this.preferredCipherTransformationKeyLength, outputStream);
    }

    public CipherOutputStream getCipherOutputStream(String str, int i, OutputStream outputStream) throws CryptoManagerException {
        Validator.ensureNotNull(str, outputStream);
        SecretKeyEntry keyEntry = SecretKeyEntry.getKeyEntry(this.secretKeyEntryMap, str, i);
        if (null == keyEntry) {
            keyEntry = SecretKeyEntry.generateKeyEntry(this.secretKeyEntryMap, str, i);
        }
        Cipher cipher = getCipher(keyEntry, 1, null);
        try {
            outputStream.write(keyEntry.getKeyID());
            if (null != cipher.getIV()) {
                outputStream.write(cipher.getIV());
            }
            return new CipherOutputStream(outputStream, cipher);
        } catch (IOException e) {
            throw new CryptoManagerException(Message.raw("Exception when writing CryptoManager prologue.", new Object[0]), e);
        }
    }

    public byte[] decrypt(byte[] bArr) throws GeneralSecurityException, CryptoManagerException {
        byte[] bArr2 = new byte[16];
        try {
            System.arraycopy(bArr, 0, bArr2, 0, bArr2.length);
            SecretKeyEntry keyEntry = SecretKeyEntry.getKeyEntry(this.secretKeyEntryMap, bArr2);
            if (null == keyEntry) {
                throw new CryptoManagerException(Message.raw("Invalid key identifier in data prologue.", new Object[0]));
            }
            byte[] bArr3 = null;
            if (0 < keyEntry.getIVLength()) {
                bArr3 = new byte[keyEntry.getIVLength() / 8];
                try {
                    System.arraycopy(bArr, bArr2.length, bArr3, 0, bArr3.length);
                } catch (Exception e) {
                    throw new CryptoManagerException(Message.raw("Exception when reading initialization vector from data prologue.", new Object[0]), e);
                }
            }
            Cipher cipher = getCipher(keyEntry, 2, bArr3);
            int length = bArr2.length + (null == bArr3 ? 0 : bArr3.length);
            return cipher.doFinal(bArr, length, bArr.length - length);
        } catch (Exception e2) {
            throw new CryptoManagerException(Message.raw("Exception when reading key identifier from data prologue.", new Object[0]), e2);
        }
    }

    public CipherInputStream getCipherInputStream(InputStream inputStream) throws CryptoManagerException {
        byte[] bArr = null;
        try {
            byte[] bArr2 = new byte[16];
            if (bArr2.length != inputStream.read(bArr2)) {
                throw new CryptoManagerException(Message.raw("Stream underflow when reading key identifier from data prologue.", new Object[0]));
            }
            SecretKeyEntry keyEntry = SecretKeyEntry.getKeyEntry(this.secretKeyEntryMap, bArr2);
            if (null == keyEntry) {
                throw new CryptoManagerException(Message.raw("Invalid key identifier in data prologue.", new Object[0]));
            }
            if (0 < keyEntry.getIVLength()) {
                bArr = new byte[keyEntry.getIVLength() / 8];
                if (bArr.length != inputStream.read(bArr)) {
                    throw new CryptoManagerException(Message.raw("Stream underflow when reading initialization vector from data prologue.", new Object[0]));
                }
            }
            return new CipherInputStream(inputStream, getCipher(keyEntry, 2, bArr));
        } catch (IOException e) {
            throw new CryptoManagerException(Message.raw("IO exception when reading CryptoManager prologue.", new Object[0]), e);
        }
    }

    public int compress(byte[] bArr, byte[] bArr2) {
        Deflater deflater = new Deflater();
        try {
            deflater.setInput(bArr);
            deflater.finish();
            int deflate = deflater.deflate(bArr2);
            if (deflater.finished()) {
                return deflate;
            }
            deflater.end();
            return -1;
        } finally {
            deflater.end();
        }
    }

    public int uncompress(byte[] bArr, byte[] bArr2) throws DataFormatException {
        Inflater inflater = new Inflater();
        try {
            inflater.setInput(bArr);
            int inflate = inflater.inflate(bArr2);
            if (inflater.finished()) {
                return inflate;
            }
            int i = inflate;
            while (!inflater.finished()) {
                i += inflater.inflate(bArr2);
            }
            int i2 = -i;
            inflater.end();
            return i2;
        } finally {
            inflater.end();
        }
    }

    private TrustStoreBackend getTrustStoreBackend() throws ConfigException {
        Backend backend = DirectoryServer.getBackend(ConfigConstants.ID_ADS_TRUST_STORE_BACKEND);
        if (backend == null) {
            throw new ConfigException(CoreMessages.ERR_CRYPTOMGR_ADS_TRUST_STORE_BACKEND_NOT_ENABLED.get(ConfigConstants.ID_ADS_TRUST_STORE_BACKEND));
        }
        if (backend instanceof TrustStoreBackend) {
            return (TrustStoreBackend) backend;
        }
        throw new ConfigException(CoreMessages.ERR_CRYPTOMGR_ADS_TRUST_STORE_BACKEND_WRONG_CLASS.get(ConfigConstants.ID_ADS_TRUST_STORE_BACKEND));
    }

    public SSLContext getSslContext(String str) throws ConfigException {
        try {
            TrustStoreBackend trustStoreBackend = getTrustStoreBackend();
            KeyManager[] keyManagers = trustStoreBackend.getKeyManagers();
            TrustManager[] trustManagers = trustStoreBackend.getTrustManagers();
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            if (str == null) {
                sSLContext.init(keyManagers, trustManagers, null);
            } else {
                sSLContext.init(SelectableCertificateKeyManager.wrap(keyManagers, str), trustManagers, null);
            }
            return sSLContext;
        } catch (Exception e) {
            if (DebugLogger.debugEnabled()) {
                TRACER.debugCaught(DebugLogLevel.ERROR, e);
            }
            throw new ConfigException(CoreMessages.ERR_CRYPTOMGR_SSL_CONTEXT_CANNOT_INITIALIZE.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    public String getSslCertNickname() {
        return this.sslCertNickname;
    }

    public boolean isSslEncryption() {
        return this.sslEncryption;
    }

    public SortedSet<String> getSslProtocols() {
        return this.sslProtocols;
    }

    public SortedSet<String> getSslCipherSuites() {
        return this.sslCipherSuites;
    }
}
