package org.apache.cxf.rs.security.jose.jwe;

import java.security.MessageDigest;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
import org.apache.cxf.rs.security.jose.jwe.JweException;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-516-01.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-rs-security-jose-3.1.5.redhat-630516-01.jar:org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.class */
public class AesCbcHmacJweDecryption extends JweDecryption {
    private String supportedAlgo;

    /* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-516-01.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-rs-security-jose-3.1.5.redhat-630516-01.jar:org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption$AesCbcContentDecryptionAlgorithm.class */
    private static class AesCbcContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties implements ContentDecryptionProvider {
        AesCbcContentDecryptionAlgorithm(ContentAlgorithm contentAlgorithm) {
            super(contentAlgorithm);
        }

        @Override // org.apache.cxf.rs.security.jose.jwe.AbstractContentEncryptionCipherProperties, org.apache.cxf.rs.security.jose.jwe.ContentEncryptionCipherProperties
        public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] bArr) {
            return new IvParameterSpec(bArr);
        }

        @Override // org.apache.cxf.rs.security.jose.jwe.AbstractContentEncryptionCipherProperties, org.apache.cxf.rs.security.jose.jwe.ContentEncryptionCipherProperties
        public byte[] getAdditionalAuthenticationData(String str, byte[] bArr) {
            return null;
        }

        @Override // org.apache.cxf.rs.security.jose.jwe.ContentDecryptionProvider
        public byte[] getEncryptedSequence(JweHeaders jweHeaders, byte[] bArr, byte[] bArr2) {
            return bArr;
        }
    }

    public AesCbcHmacJweDecryption(KeyDecryptionProvider keyDecryptionProvider) {
        this(keyDecryptionProvider, null);
    }

    public AesCbcHmacJweDecryption(KeyDecryptionProvider keyDecryptionProvider, ContentAlgorithm contentAlgorithm) {
        super(keyDecryptionProvider, new AesCbcContentDecryptionAlgorithm(contentAlgorithm));
        this.supportedAlgo = contentAlgorithm == null ? null : contentAlgorithm.getJwaName();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.cxf.rs.security.jose.jwe.AbstractJweDecryption
    public JweDecryptionOutput doDecrypt(JweDecryptionInput jweDecryptionInput, byte[] bArr) {
        validateAuthenticationTag(jweDecryptionInput, bArr);
        return super.doDecrypt(jweDecryptionInput, bArr);
    }

    @Override // org.apache.cxf.rs.security.jose.jwe.AbstractJweDecryption
    protected byte[] getActualCek(byte[] bArr, String str) {
        validateCekAlgorithm(str);
        return AesCbcHmacJweEncryption.doGetActualCek(bArr, str);
    }

    protected void validateAuthenticationTag(JweDecryptionInput jweDecryptionInput, byte[] bArr) {
        byte[] authTag = jweDecryptionInput.getAuthTag();
        AesCbcHmacJweEncryption.MacState initializedMacState = AesCbcHmacJweEncryption.getInitializedMacState(bArr, jweDecryptionInput.getInitVector(), jweDecryptionInput.getAad(), jweDecryptionInput.getJweHeaders(), jweDecryptionInput.getDecodedJsonHeaders());
        initializedMacState.mac.update(jweDecryptionInput.getEncryptedContent());
        if (MessageDigest.isEqual(authTag, AesCbcHmacJweEncryption.signAndGetTag(initializedMacState))) {
            return;
        }
        LOG.warning("Invalid authentication tag");
        throw new JweException(JweException.Error.CONTENT_DECRYPTION_FAILURE);
    }

    private String validateCekAlgorithm(String str) {
        if (AlgorithmUtils.isAesCbcHmac(str) && (this.supportedAlgo == null || this.supportedAlgo.equals(str))) {
            return str;
        }
        LOG.warning("Invalid content encryption algorithm");
        throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
    }
}
