package edu.internet2.middleware.shibboleth.common.util;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/common/util/DataSealer.class */
public class DataSealer {
    private static Logger log = LoggerFactory.getLogger(DataSealer.class.getName());
    private SecretKey cipherKey;
    private SecretKey macKey;
    private SecureRandom random;
    private String keystorePath;
    private String keystorePassword;
    private String cipherKeyAlias;
    private String cipherKeyPassword;
    private String macKeyAlias;
    private String macKeyPassword;
    private String keystoreType = "JCEKS";
    private String cipherAlgorithm = "AES/CBC/PKCS5Padding";
    private String macAlgorithm = "HmacSHA256";

    public void init() throws DataSealerException {
        try {
            if (this.cipherKey == null && (this.keystoreType == null || this.keystorePath == null || this.keystorePassword == null || this.cipherKeyAlias == null || this.cipherKeyPassword == null)) {
                throw new IllegalArgumentException("Missing a required configuration property.");
            }
            if (this.random == null) {
                this.random = new SecureRandom();
            }
            loadKeys();
            testEncryption();
        } catch (IOException e) {
            log.error(e.getMessage());
            throw new DataSealerException("Caught IOException loading the java keystore.", e);
        } catch (GeneralSecurityException e2) {
            log.error(e2.getMessage());
            throw new DataSealerException("Caught NoSuchAlgorithmException loading the java keystore.", e2);
        }
    }

    public SecretKey getCipherKey() {
        return this.cipherKey;
    }

    public SecretKey getMacKey() {
        return this.macKey;
    }

    public SecureRandom getRandom() {
        return this.random;
    }

    public String getKeystoreType() {
        return this.keystoreType;
    }

    public String getKeystorePath() {
        return this.keystorePath;
    }

    public String getKeystorePassword() {
        return this.keystorePassword;
    }

    public String getCipherKeyAlias() {
        return this.cipherKeyAlias;
    }

    public String getCipherKeyPassword() {
        return this.cipherKeyPassword;
    }

    public String getCipherAlgorithm() {
        return this.cipherAlgorithm;
    }

    public String getMacKeyAlias() {
        return this.macKeyAlias;
    }

    public String getMacKeyPassword() {
        return this.macKeyPassword;
    }

    public String getMacAlgorithm() {
        return this.macAlgorithm;
    }

    public void setCipherKey(SecretKey secretKey) {
        this.cipherKey = secretKey;
    }

    public void setMacKey(SecretKey secretKey) {
        this.macKey = secretKey;
    }

    public void setRandom(SecureRandom secureRandom) {
        this.random = secureRandom;
    }

    public void setKeystoreType(String str) {
        this.keystoreType = str;
    }

    public void setKeystorePath(String str) {
        this.keystorePath = str;
    }

    public void setKeystorePassword(String str) {
        this.keystorePassword = str;
    }

    public void setCipherKeyAlias(String str) {
        this.cipherKeyAlias = str;
    }

    public void setCipherKeyPassword(String str) {
        this.cipherKeyPassword = str;
    }

    public void setCipherAlgorithm(String str) {
        this.cipherAlgorithm = str;
    }

    public void setMacKeyAlias(String str) {
        this.macKeyAlias = str;
    }

    public void setMacKeyPassword(String str) {
        this.macKeyPassword = str;
    }

    public void setMacAlgorithm(String str) {
        this.macAlgorithm = str;
    }

    public String unwrap(String str) throws DataSealerException {
        try {
            byte[] decode = Base32.decode(str);
            Cipher cipher = Cipher.getInstance(this.cipherAlgorithm);
            int blockSize = cipher.getBlockSize();
            byte[] bArr = new byte[blockSize];
            Mac mac = Mac.getInstance(this.macAlgorithm);
            mac.init(this.macKey);
            int macLength = mac.getMacLength();
            if (decode.length < blockSize) {
                log.error("Wrapped data is malformed (not enough bytes).");
                throw new DataSealerException("Wrapped data is malformed (not enough bytes).");
            }
            System.arraycopy(decode, 0, bArr, 0, blockSize);
            cipher.init(2, this.cipherKey, new IvParameterSpec(bArr));
            byte[] bArr2 = new byte[decode.length - bArr.length];
            System.arraycopy(decode, blockSize, bArr2, 0, decode.length - bArr.length);
            DataInputStream dataInputStream = new DataInputStream(new GZIPInputStream(new ByteArrayInputStream(cipher.doFinal(bArr2))));
            byte[] bArr3 = new byte[macLength];
            if (dataInputStream.read(bArr3) != macLength) {
                log.error("Error parsing unwrapped data, unable to extract HMAC.");
                throw new DataSealerException("Error parsing unwrapped data, unable to extract HMAC.");
            }
            long readLong = dataInputStream.readLong();
            String readUTF = dataInputStream.readUTF();
            if (System.currentTimeMillis() > readLong) {
                log.info("Unwrapped data has expired.");
                throw new DataExpiredException("Unwrapped data has expired.");
            }
            if (Arrays.equals(bArr3, getMAC(mac, readUTF, readLong))) {
                log.debug("Unwrapped data verified.");
                return readUTF;
            }
            log.warn("Unwrapped data failed integrity check.");
            throw new DataSealerException("Unwrapped data failed integrity check.");
        } catch (IOException e) {
            log.error(e.getMessage());
            throw new DataSealerException("Caught IOException unwrapping data.", e);
        } catch (GeneralSecurityException e2) {
            log.error(e2.getMessage());
            throw new DataSealerException("Caught GeneralSecurityException unwrapping data.", e2);
        }
    }

    public String wrap(String str, long j) throws DataSealerException {
        if (str == null) {
            throw new IllegalArgumentException("Data must be supplied for the wrapping operation.");
        }
        try {
            Mac mac = Mac.getInstance(this.macAlgorithm);
            mac.init(this.macKey);
            Cipher cipher = Cipher.getInstance(this.cipherAlgorithm);
            byte[] bArr = new byte[cipher.getBlockSize()];
            this.random.nextBytes(bArr);
            cipher.init(1, this.cipherKey, new IvParameterSpec(bArr));
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
            DataOutputStream dataOutputStream = new DataOutputStream(gZIPOutputStream);
            dataOutputStream.write(getMAC(mac, str, j));
            dataOutputStream.writeLong(j);
            dataOutputStream.writeUTF(str);
            dataOutputStream.flush();
            gZIPOutputStream.flush();
            gZIPOutputStream.finish();
            byteArrayOutputStream.flush();
            byte[] doFinal = cipher.doFinal(byteArrayOutputStream.toByteArray());
            byte[] bArr2 = new byte[bArr.length + doFinal.length];
            System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
            System.arraycopy(doFinal, 0, bArr2, bArr.length, doFinal.length);
            return Base32.encode(bArr2);
        } catch (IOException e) {
            log.error(e.getMessage());
            throw new DataSealerException("Caught IOException wrapping data.", e);
        } catch (KeyException e2) {
            log.error(e2.getMessage());
            throw new DataSealerException("Caught KeyException wrapping data.", e2);
        } catch (GeneralSecurityException e3) {
            log.error(e3.getMessage());
            throw new DataSealerException("Caught GeneralSecurityException wrapping data.", e3);
        }
    }

    private void testEncryption() throws DataSealerException {
        try {
            Cipher cipher = Cipher.getInstance(this.cipherAlgorithm);
            byte[] bArr = new byte[cipher.getBlockSize()];
            this.random.nextBytes(bArr);
            IvParameterSpec ivParameterSpec = new IvParameterSpec(bArr);
            cipher.init(1, this.cipherKey, ivParameterSpec);
            byte[] doFinal = cipher.doFinal("test".getBytes());
            Cipher cipher2 = Cipher.getInstance(this.cipherAlgorithm);
            cipher2.init(2, this.cipherKey, ivParameterSpec);
            String str = new String(cipher2.doFinal(doFinal));
            if (str == null || !"test".equals(str)) {
                log.error("Round trip encryption/decryption test unsuccessful. Decrypted text did not match.");
                throw new DataSealerException("Round trip encryption/decryption test unsuccessful.");
            }
            try {
                Mac mac = Mac.getInstance(this.macAlgorithm);
                mac.init(this.macKey);
                mac.update("foo".getBytes());
                if (mac.doFinal() == null) {
                    log.error("Message Authentication test unsuccessful.");
                    throw new DataSealerException("Message Authentication test unsuccessful.");
                }
            } catch (GeneralSecurityException e) {
                log.error("Message Authentication test unsuccessful: " + e);
                throw new DataSealerException("Message Authentication test unsuccessful.", e);
            }
        } catch (GeneralSecurityException e2) {
            log.error("Round trip encryption/decryption test unsuccessful: " + e2);
            throw new DataSealerException("Round trip encryption/decryption test unsuccessful.", e2);
        }
    }

    private static byte[] getMAC(Mac mac, String str, long j) {
        mac.update(getLongBytes(j));
        mac.update(str.getBytes());
        return mac.doFinal();
    }

    private static byte[] getLongBytes(long j) {
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
            dataOutputStream.writeLong(j);
            dataOutputStream.flush();
            byteArrayOutputStream.flush();
            return byteArrayOutputStream.toByteArray();
        } catch (IOException e) {
            return null;
        }
    }

    private void loadKeys() throws GeneralSecurityException, IOException {
        if (this.cipherKey == null || this.macKey == null) {
            KeyStore keyStore = KeyStore.getInstance(this.keystoreType);
            FileInputStream fileInputStream = null;
            try {
                fileInputStream = new FileInputStream(this.keystorePath);
                keyStore.load(fileInputStream, this.keystorePassword.toCharArray());
                if (fileInputStream != null) {
                    fileInputStream.close();
                }
                if (this.cipherKey == null) {
                    Key key = keyStore.getKey(this.cipherKeyAlias, this.cipherKeyPassword.toCharArray());
                    if (!(key instanceof SecretKey)) {
                        log.error("Cipher key {} is not a symmetric key.", this.cipherKeyAlias);
                    }
                    this.cipherKey = (SecretKey) key;
                }
                if (this.macKey != null || this.macKeyAlias == null) {
                    if (this.macKey == null) {
                        this.macKey = this.cipherKey;
                    }
                } else {
                    Key key2 = keyStore.getKey(this.macKeyAlias, this.macKeyPassword.toCharArray());
                    if (!(key2 instanceof SecretKey)) {
                        log.error("MAC key {} is not a symmetric key.", this.macKeyAlias);
                    }
                    this.macKey = (SecretKey) key2;
                }
            } catch (Throwable th) {
                if (fileInputStream != null) {
                    fileInputStream.close();
                }
                throw th;
            }
        }
    }
}
