package org.picketlink.json.jose.crypto;

import java.io.IOException;
import java.nio.charset.Charset;
import java.security.SecureRandom;
import java.security.interfaces.RSAPrivateKey;
import javax.crypto.SecretKey;
import org.picketlink.json.JsonConstants;
import org.picketlink.json.jose.JWE;
import org.picketlink.json.util.JsonUtil;

/* loaded from: input_file:WEB-INF/lib/picketlink-json-2.7.0.Beta1-20140731.jar:org/picketlink/json/jose/crypto/JWEDecrypter.class */
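/**
 * Decrypts the parts of a JWE using an RSA private key.
 *
 * <p>The key-management algorithm and the content-encryption method are both read from the
 * supplied {@link JWE} object. Supported key algorithms are RSA1_5, RSA_OAEP and RSA_OAEP_256;
 * supported content-encryption methods are the AES-CBC+HMAC and AES-GCM families listed in the
 * "unsupported" error messages below.
 *
 * <p>NOTE(review): the algorithm is taken from {@code jwe}, which presumably reflects the header
 * sent with the token. A deployment that wants to refuse RSA1_5 (or any other algorithm) has to
 * enforce that allow-list before calling {@link #decrypt}; nothing in this class restricts the
 * choice beyond the three supported values.
 */
public class JWEDecrypter {
    private static final String UNSUPPORTED_ALGORITHM =
            "Unsupported JWE algorithm, must be RSA1_5, RSA_OAEP or RSA_OAEP_256";

    private static final String UNSUPPORTED_ENCRYPTION =
            "Unsupported encryption method, must be A128CBC_HS256, A192CBC_HS384, A256CBC_HS512, A128GCM, A192GCM or A256GCM";

    private final RSAPrivateKey privateKey;

    /**
     * Creates a decrypter bound to the given private key.
     *
     * @param rSAPrivateKey the RSA private key used to unwrap the content encryption key
     * @throws IllegalArgumentException if {@code rSAPrivateKey} is {@code null}
     */
    public JWEDecrypter(RSAPrivateKey rSAPrivateKey) {
        if (rSAPrivateKey == null) {
            throw new IllegalArgumentException("The private RSA key must not be null");
        }
        this.privateKey = rSAPrivateKey;
    }

    /**
     * Returns the private key this decrypter was constructed with.
     *
     * <p>The key object itself is handed out, so callers should avoid logging or serializing it.
     *
     * @return the RSA private key, never {@code null}
     */
    public RSAPrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /**
     * Unwraps the content encryption key, decrypts and authenticates the payload, then
     * decompresses the result.
     *
     * <p>All four string arguments are decoded with {@code JsonUtil.b64Decode} before use.
     *
     * <p>NOTE(review): {@code DeflateUtils.decompress} is applied to every decrypted payload; this
     * method does not consult any compression indicator on {@code jwe}, and no bound on the
     * decompressed size is visible here. Anyone holding the public key can produce a valid JWE,
     * so confirm that {@code DeflateUtils} limits its output size.
     *
     * @param jwe  source of the key algorithm, the content-encryption method, the CEK bit length
     *             and (via {@code toString()}) the bytes authenticated alongside the payload
     * @param str  the encoded encrypted key
     * @param str2 the encoded initialization vector (IV)
     * @param str3 the encoded value passed as the third argument to the content decryption,
     *             presumably the cipher text; it is not null-checked here
     * @param str4 the encoded authentication tag
     * @return the decompressed plain text
     * @throws RuntimeException if {@code jwe}, {@code str}, {@code str2} or {@code str4} is
     *         {@code null}, if the algorithm or encryption method is missing or unsupported, or
     *         if decompression fails (the {@link IOException} is attached as the cause)
     */
    public byte[] decrypt(JWE jwe, String str, String str2, String str3, String str4) {
        if (str == null) {
            throw new RuntimeException("The encrypted key must not be null");
        }
        if (str2 == null) {
            throw new RuntimeException("The initialization vector (IV) must not be null");
        }
        if (str4 == null) {
            throw new RuntimeException("The authentication tag must not be null");
        }
        if (jwe == null) {
            // Previously surfaced as a bare NullPointerException on the first dereference.
            throw new RuntimeException("The JWE must not be null");
        }

        SecretKey contentKey = decryptContentEncryptionKey(jwe, str);

        // NOTE(review): these bytes are passed to both ciphers as the fourth argument, presumably
        // the additional authenticated data. They are rebuilt from jwe.toString() rather than
        // taken from the token as received, so tag verification depends on that serialization
        // matching the sender's byte for byte - confirm against JWE.toString().
        byte[] authenticatedBytes = JsonUtil.b64Encode(jwe.toString()).getBytes(Charset.forName("UTF-8"));

        String encryptionAlgorithm = jwe.getEncryptionAlgorithm();
        if (encryptionAlgorithm == null) {
            throw new RuntimeException(UNSUPPORTED_ENCRYPTION);
        }

        byte[] plainText;
        if (encryptionAlgorithm.equals(JsonConstants.JWE.ENC_A128CBC_HS256)
                || encryptionAlgorithm.equals(JsonConstants.JWE.ENC_A192CBC_HS384)
                || encryptionAlgorithm.equals(JsonConstants.JWE.ENC_A256CBC_HS512)) {
            plainText = AESCBC.decryptAuthenticated(contentKey, JsonUtil.b64Decode(str2), JsonUtil.b64Decode(str3), authenticatedBytes, JsonUtil.b64Decode(str4));
        } else if (encryptionAlgorithm.equals(JsonConstants.JWE.ENC_A128GCM)
                || encryptionAlgorithm.equals(JsonConstants.JWE.ENC_A192GCM)
                || encryptionAlgorithm.equals(JsonConstants.JWE.ENC_A256GCM)) {
            plainText = AESGCM.decrypt(contentKey, JsonUtil.b64Decode(str2), JsonUtil.b64Decode(str3), authenticatedBytes, JsonUtil.b64Decode(str4));
        } else {
            throw new RuntimeException(UNSUPPORTED_ENCRYPTION);
        }

        try {
            return DeflateUtils.decompress(plainText);
        } catch (IOException e) {
            // Keep the cause so the underlying I/O failure is not lost to whoever handles this.
            throw new RuntimeException("Failed to decompress plainText", e);
        }
    }

    /** Recovers the content encryption key (CEK) from the encoded encrypted key. */
    private SecretKey decryptContentEncryptionKey(JWE jwe, String encodedEncryptedKey) {
        String algorithm = jwe.getAlgorithm();
        if (algorithm == null) {
            throw new RuntimeException(UNSUPPORTED_ALGORITHM);
        }

        if (algorithm.equals(JsonConstants.JWE.ALG_RSA1_5)) {
            int cekBitLength = Integer.parseInt(jwe.getCEKBitLength());
            // The substitute key is generated before the RSA operation and used whenever the
            // unwrap throws or yields null, so this step never reports a PKCS#1 v1.5 failure to
            // the caller. This is the random-CEK substitution recommended in RFC 7516,
            // section 11.5; the substitute is presumably rejected by the authenticated content
            // decryption that follows. Do not replace the catch with a rethrow or a log line that
            // distinguishes the failure cases.
            SecretKey substituteKey = AES.generateKey(cekBitLength, new SecureRandom());
            try {
                SecretKey unwrapped = RSA1_5.decryptCEK(this.privateKey, JsonUtil.b64Decode(encodedEncryptedKey), cekBitLength);
                return unwrapped != null ? unwrapped : substituteKey;
            } catch (Exception ignored) {
                // Deliberately swallowed: see the comment above.
                return substituteKey;
            }
        }
        if (algorithm.equals(JsonConstants.JWE.ALG_RSA_OAEP)) {
            return RSA_OAEP.decryptCEK(this.privateKey, JsonUtil.b64Decode(encodedEncryptedKey));
        }
        if (algorithm.equals(JsonConstants.JWE.ALG_RSA_OAEP_256)) {
            return RSA_OAEP_256.decryptCEK(this.privateKey, JsonUtil.b64Decode(encodedEncryptedKey));
        }
        throw new RuntimeException(UNSUPPORTED_ALGORITHM);
    }
}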
