package com.microsoft.sqlserver.jdbc;

import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.KeyVaultClientImpl;
import com.microsoft.azure.keyvault.models.KeyBundle;
import com.microsoft.azure.keyvault.models.KeyOperationResult;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.MessageFormat;
import java.util.Locale;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.apache.http.impl.client.HttpClientBuilder;

/* loaded from: input_file:META-INF/bundled-dependencies/mssql-jdbc-6.2.1.jre7.jar:com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionAzureKeyVaultProvider.class */
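/**
 * Column encryption key store provider that wraps, unwraps, signs and verifies column
 * encryption keys (CEKs) with an RSA key held in Azure Key Vault.
 *
 * <p>Encrypted CEK layout produced by {@link #encryptColumnEncryptionKey} and parsed by
 * {@link #decryptColumnEncryptionKey} (all lengths are 16-bit little-endian):
 *
 * <pre>
 *   version (1 byte) | keyPathLength (2) | cipherTextLength (2) | keyPath | cipherText | signature
 * </pre>
 *
 * <p>The key path is the lower-cased master key path encoded as UTF-16LE. The signature is an
 * RS256 signature, made with the same Key Vault key, over the SHA-256 digest of every byte that
 * precedes it.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The master key path decides which host the Key Vault client talks to, so it is validated
 *       against the Key Vault domain before any remote call is made.</li>
 *   <li>On decryption the signature is verified before the cipher text is unwrapped; a blob whose
 *       signature does not verify is rejected.</li>
 * </ul>
 */
public class SQLServerColumnEncryptionAzureKeyVaultProvider extends SQLServerColumnEncryptionKeyStoreProvider {
    String name = "AZURE_KEY_VAULT";
    private final String azureKeyVaultDomainName = "vault.azure.net";
    private final String rsaEncryptionAlgorithmWithOAEPForAKV = "RSA-OAEP";
    private final byte[] firstVersion = {1};
    private KeyVaultClient keyVaultClient;
    private KeyVaultCredential credential;

    /**
     * Sets the name under which this provider is known.
     *
     * @param name the provider name
     */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public void setName(String name) {
        this.name = name;
    }

    /**
     * Returns the provider name ({@code "AZURE_KEY_VAULT"} unless changed through
     * {@link #setName}).
     *
     * @return the provider name
     */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public String getName() {
        return this.name;
    }

    /**
     * Creates a provider whose Key Vault client authenticates through the given callback.
     *
     * @param authenticationCallback callback wrapped in the {@code KeyVaultCredential} handed to
     *        the client; must not be null
     * @param executorService executor passed to the Key Vault client
     * @throws SQLServerException if {@code authenticationCallback} is null
     */
    public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback, ExecutorService executorService) throws SQLServerException {
        if (null == authenticationCallback) {
            throw new SQLServerException(new MessageFormat(SQLServerException.getErrString("R_NullValue")).format(new Object[]{"SQLServerKeyVaultAuthenticationCallback"}), null);
        }
        this.credential = new KeyVaultCredential(authenticationCallback);
        this.keyVaultClient = new KeyVaultClientImpl(HttpClientBuilder.create(), executorService, this.credential);
    }

    /**
     * Verifies and unwraps an encrypted column encryption key.
     *
     * <p>The blob is checked structurally (version byte, cipher text length and signature length
     * must match the Key Vault key size), then its signature is verified, and only then is the
     * cipher text unwrapped.
     *
     * @param masterKeyPath Key Vault key identifier; its host must belong to the Key Vault domain
     * @param encryptionAlgorithm key encryption algorithm; only RSA-OAEP (or RSA_OAEP) is accepted
     * @param encryptedColumnEncryptionKey blob in the layout described on the class
     * @return the plain column encryption key
     * @throws SQLServerException if an argument is invalid, the blob is malformed, the signature
     *         does not verify, or a Key Vault call fails
     */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public byte[] decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) throws SQLServerException {
        ValidateNonEmptyAKVPath(masterKeyPath);
        if (null == encryptedColumnEncryptionKey) {
            throw new SQLServerException(SQLServerException.getErrString("R_NullEncryptedColumnEncryptionKey"), null);
        }
        if (0 == encryptedColumnEncryptionKey.length) {
            throw new SQLServerException(SQLServerException.getErrString("R_EmptyEncryptedColumnEncryptionKey"), null);
        }
        String algorithm = validateEncryptionAlgorithm(encryptionAlgorithm);
        int keySizeInBytes = getAKVKeySize(masterKeyPath);
        if (encryptedColumnEncryptionKey[0] != this.firstVersion[0]) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_InvalidEcryptionAlgorithmVersion")).format(new Object[]{String.format("%02X ", Byte.valueOf(encryptedColumnEncryptionKey[0])), String.format("%02X ", Byte.valueOf(this.firstVersion[0]))}), (String) null, 0, false);
        }

        // Both length fields are written as unsigned 16-bit values, so read them as unsigned.
        // A sign-extended negative length taken from a malformed blob could otherwise pass the
        // size checks below and surface as an unchecked array-index error.
        int offset = this.firstVersion.length;
        int keyPathLength = convertTwoBytesToShort(encryptedColumnEncryptionKey, offset) & 0xFFFF;
        offset += 2;
        int cipherTextLength = convertTwoBytesToShort(encryptedColumnEncryptionKey, offset) & 0xFFFF;
        offset += 2 + keyPathLength;

        if (cipherTextLength != keySizeInBytes) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_AKVKeyLengthError")).format(new Object[]{Integer.valueOf(cipherTextLength), Integer.valueOf(keySizeInBytes), masterKeyPath}), (String) null, 0, false);
        }
        int signatureLength = (encryptedColumnEncryptionKey.length - offset) - cipherTextLength;
        if (signatureLength != keySizeInBytes) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_AKVSignatureLengthError")).format(new Object[]{Integer.valueOf(signatureLength), Integer.valueOf(keySizeInBytes), masterKeyPath}), (String) null, 0, false);
        }

        // The two checks above pin blob.length to offset + cipherTextLength + signatureLength,
        // so the copies below stay inside the blob.
        byte[] cipherText = new byte[cipherTextLength];
        System.arraycopy(encryptedColumnEncryptionKey, offset, cipherText, 0, cipherTextLength);
        byte[] signature = new byte[signatureLength];
        System.arraycopy(encryptedColumnEncryptionKey, offset + cipherTextLength, signature, 0, signatureLength);

        // The signature covers everything that precedes it in the blob.
        byte[] digest = computeSha256(encryptedColumnEncryptionKey, 0, encryptedColumnEncryptionKey.length - signatureLength);
        if (null == digest) {
            throw new SQLServerException(SQLServerException.getErrString("R_HashNull"), null);
        }
        // Verify first, unwrap second: unauthenticated cipher text is never sent for unwrapping.
        if (AzureKeyVaultVerifySignature(digest, signature, masterKeyPath)) {
            return AzureKeyVaultUnWrap(masterKeyPath, algorithm, cipherText);
        }
        throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CEKSignatureNotMatchCMK")).format(new Object[]{masterKeyPath}), (String) null, 0, false);
    }

    /**
     * Reads two bytes at {@code index} as a little-endian 16-bit value.
     *
     * @param input source array
     * @param index position of the low-order byte
     * @return the value as a signed {@code short}; mask with {@code 0xFFFF} for the unsigned value
     * @throws SQLServerException if fewer than two bytes are available at {@code index}
     */
    private short convertTwoBytesToShort(byte[] input, int index) throws SQLServerException {
        if (index + 1 >= input.length) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_ByteToShortConversion"), (String) null, 0, false);
        }
        ByteBuffer buffer = ByteBuffer.allocate(2);
        buffer.order(ByteOrder.LITTLE_ENDIAN);
        buffer.put(input[index]);
        buffer.put(input[index + 1]);
        return buffer.getShort(0);
    }

    /**
     * Wraps a column encryption key with the Key Vault key and signs the result.
     *
     * <p>The freshly produced signature is verified against Key Vault before the blob is
     * returned.
     *
     * @param masterKeyPath Key Vault key identifier; its host must belong to the Key Vault domain
     * @param encryptionAlgorithm key encryption algorithm; only RSA-OAEP (or RSA_OAEP) is accepted
     * @param columnEncryptionKey plain column encryption key; must be non-null and non-empty
     * @return the encrypted blob in the layout described on the class
     * @throws SQLServerException if an argument is invalid, a length does not match the Key Vault
     *         key size, the signature does not verify, or a Key Vault call fails
     */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public byte[] encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey) throws SQLServerException {
        ValidateNonEmptyAKVPath(masterKeyPath);
        if (null == columnEncryptionKey) {
            throw new SQLServerException(SQLServerException.getErrString("R_NullColumnEncryptionKey"), null);
        }
        if (0 == columnEncryptionKey.length) {
            throw new SQLServerException(SQLServerException.getErrString("R_EmptyCEK"), null);
        }
        String algorithm = validateEncryptionAlgorithm(encryptionAlgorithm);
        int keySizeInBytes = getAKVKeySize(masterKeyPath);

        byte[] version = {this.firstVersion[0]};
        // Lower-case with a fixed locale: the signed bytes must not depend on the JVM's default
        // locale (for example the Turkish dotless-i mapping of 'I').
        byte[] keyPathBytes = masterKeyPath.toLowerCase(Locale.ENGLISH).getBytes(StandardCharsets.UTF_16LE);
        // NOTE(review): a key path longer than 65535 bytes is silently truncated to its low
        // 16 bits here, as in the original code; confirm whether that needs an explicit error.
        byte[] keyPathLength = toLittleEndianShort(keyPathBytes.length);

        byte[] cipherText = AzureKeyVaultWrap(masterKeyPath, algorithm, columnEncryptionKey);
        byte[] cipherTextLength = toLittleEndianShort(cipherText.length);
        if (cipherText.length != keySizeInBytes) {
            throw new SQLServerException(SQLServerException.getErrString("R_CipherTextLengthNotMatchRSASize"), null);
        }

        // Everything except the signature; this is exactly the byte range that gets signed.
        byte[] unsignedBlob = ByteBuffer
                .allocate(version.length + keyPathLength.length + cipherTextLength.length + keyPathBytes.length + cipherText.length)
                .put(version)
                .put(keyPathLength)
                .put(cipherTextLength)
                .put(keyPathBytes)
                .put(cipherText)
                .array();

        byte[] digest = computeSha256(unsignedBlob, 0, unsignedBlob.length);
        byte[] signature = AzureKeyVaultSignHashedData(digest, masterKeyPath);
        if (signature.length != keySizeInBytes) {
            throw new SQLServerException(SQLServerException.getErrString("R_SignedHashLengthError"), null);
        }
        if (!AzureKeyVaultVerifySignature(digest, signature, masterKeyPath)) {
            throw new SQLServerException(SQLServerException.getErrString("R_InvalidSignatureComputed"), null);
        }

        byte[] signedBlob = new byte[unsignedBlob.length + signature.length];
        System.arraycopy(unsignedBlob, 0, signedBlob, 0, unsignedBlob.length);
        System.arraycopy(signature, 0, signedBlob, unsignedBlob.length, signature.length);
        return signedBlob;
    }

    /** Encodes the low 16 bits of {@code value} as two little-endian bytes. */
    private static byte[] toLittleEndianShort(int value) {
        return new byte[]{(byte) (value & 0xFF), (byte) ((value >> 8) & 0xFF)};
    }

    /**
     * Computes the SHA-256 digest of {@code length} bytes of {@code data} starting at
     * {@code offset}.
     *
     * @throws SQLServerException if the JVM has no SHA-256 implementation
     */
    private byte[] computeSha256(byte[] data, int offset, int length) throws SQLServerException {
        try {
            MessageDigest sha256 = MessageDigest.getInstance(MessageDigestAlgorithms.SHA_256);
            sha256.update(data, offset, length);
            return sha256.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new SQLServerException(SQLServerException.getErrString("R_NoSHA256Algorithm"), e);
        }
    }

    /**
     * Checks that the requested key encryption algorithm is RSA-OAEP and returns its canonical
     * name.
     *
     * <p>{@code RSA_OAEP} is accepted as an alias, and case and surrounding whitespace are
     * ignored. The canonical {@code "RSA-OAEP"} is returned rather than the caller's spelling so
     * that the value forwarded to Key Vault is always the same string.
     *
     * @param encryptionAlgorithm algorithm name supplied by the caller
     * @return {@code "RSA-OAEP"}
     * @throws SQLServerException if the name is null or names another algorithm
     */
    private String validateEncryptionAlgorithm(String encryptionAlgorithm) throws SQLServerException {
        if (null == encryptionAlgorithm) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_NullKeyEncryptionAlgorithm"), (String) null, 0, false);
        }
        String candidate = "RSA_OAEP".equalsIgnoreCase(encryptionAlgorithm)
                ? this.rsaEncryptionAlgorithmWithOAEPForAKV
                : encryptionAlgorithm;
        if (this.rsaEncryptionAlgorithmWithOAEPForAKV.equalsIgnoreCase(candidate.trim())) {
            return this.rsaEncryptionAlgorithmWithOAEPForAKV;
        }
        throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_InvalidKeyEncryptionAlgorithm")).format(new Object[]{candidate, "RSA-OAEP"}), (String) null, 0, false);
    }

    /**
     * Rejects a master key path that is blank, is not a valid URI, or does not point at a host
     * in the Key Vault domain.
     *
     * <p>This is the trust boundary for every remote call in this class: the path chooses the
     * server that the authenticated Key Vault client contacts, so a path naming any other host
     * must fail here.
     *
     * @param masterKeyPath Key Vault key identifier to validate
     * @throws SQLServerException if the path fails any of the checks above
     */
    private void ValidateNonEmptyAKVPath(String masterKeyPath) throws SQLServerException {
        if (null == masterKeyPath || masterKeyPath.trim().isEmpty()) {
            throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_AKVPathNull")).format(new Object[]{masterKeyPath}), (String) null, 0, false);
        }
        String host;
        try {
            host = new URI(masterKeyPath).getHost();
        } catch (URISyntaxException e) {
            throw new SQLServerException(new MessageFormat(SQLServerException.getErrString("R_AKVURLInvalid")).format(new Object[]{masterKeyPath}), (String) null, 0, e);
        }
        if (!isKeyVaultHost(host)) {
            throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_AKVMasterKeyPathInvalid")).format(new Object[]{masterKeyPath}), (String) null, 0, false);
        }
    }

    /**
     * Tells whether {@code host} is the Key Vault domain itself or a sub-domain of it.
     *
     * <p>A plain suffix test would also accept a host such as {@code examplevault.azure.net}
     * (constructed example), which is not inside the Key Vault domain, so the match is anchored
     * on a label boundary. {@code URI.getHost()} returns null for a URI without an authority
     * (for example a relative path); that is treated as "not a Key Vault host" instead of
     * failing with a NullPointerException.
     */
    private boolean isKeyVaultHost(String host) {
        if (null == host) {
            return false;
        }
        // Fixed locale so the comparison does not depend on the JVM's default locale.
        String normalizedHost = host.toLowerCase(Locale.ENGLISH);
        return normalizedHost.equals(this.azureKeyVaultDomainName)
                || normalizedHost.endsWith("." + this.azureKeyVaultDomainName);
    }

    /**
     * Restores the thread's interrupt flag when a blocking Key Vault call was interrupted, so
     * that callers further up the stack can still observe the interruption after it has been
     * translated into a SQLServerException.
     */
    private static void restoreInterruptFlag(Exception e) {
        if (e instanceof InterruptedException) {
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Wraps (encrypts) a column encryption key with the Key Vault key.
     *
     * @param masterKeyPath Key Vault key identifier
     * @param encryptionAlgorithm algorithm name passed to Key Vault
     * @param columnEncryptionKey plain key to wrap; must not be null
     * @return the wrapped key
     * @throws SQLServerException if the key is null or the Key Vault call fails
     */
    private byte[] AzureKeyVaultWrap(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey) throws SQLServerException {
        if (null == columnEncryptionKey) {
            throw new SQLServerException(SQLServerException.getErrString("R_CEKNull"), null);
        }
        try {
            return ((KeyOperationResult) this.keyVaultClient.wrapKeyAsync(masterKeyPath, encryptionAlgorithm, columnEncryptionKey).get()).getResult();
        } catch (InterruptedException | ExecutionException e) {
            restoreInterruptFlag(e);
            throw new SQLServerException(SQLServerException.getErrString("R_EncryptCEKError"), e);
        }
    }

    /**
     * Unwraps (decrypts) a wrapped column encryption key with the Key Vault key.
     *
     * @param masterKeyPath Key Vault key identifier
     * @param encryptionAlgorithm algorithm name passed to Key Vault
     * @param encryptedColumnEncryptionKey wrapped key; must be non-null and non-empty
     * @return the plain key
     * @throws SQLServerException if the wrapped key is null or empty, or the Key Vault call fails
     */
    private byte[] AzureKeyVaultUnWrap(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) throws SQLServerException {
        if (null == encryptedColumnEncryptionKey) {
            throw new SQLServerException(SQLServerException.getErrString("R_EncryptedCEKNull"), null);
        }
        if (0 == encryptedColumnEncryptionKey.length) {
            throw new SQLServerException(SQLServerException.getErrString("R_EmptyEncryptedCEK"), null);
        }
        try {
            return ((KeyOperationResult) this.keyVaultClient.unwrapKeyAsync(masterKeyPath, encryptionAlgorithm, encryptedColumnEncryptionKey).get()).getResult();
        } catch (InterruptedException | ExecutionException e) {
            restoreInterruptFlag(e);
            throw new SQLServerException(SQLServerException.getErrString("R_DecryptCEKError"), e);
        }
    }

    /**
     * Asks Key Vault for an RS256 signature over an already computed digest.
     *
     * @param dataToSign digest to sign; expected to be non-null and non-empty
     * @param masterKeyPath Key Vault key identifier
     * @return the signature bytes
     * @throws SQLServerException if the Key Vault call fails
     */
    private byte[] AzureKeyVaultSignHashedData(byte[] dataToSign, String masterKeyPath) throws SQLServerException {
        assert null != dataToSign && 0 != dataToSign.length;
        try {
            return ((KeyOperationResult) this.keyVaultClient.signAsync(masterKeyPath, "RS256", dataToSign).get()).getResult();
        } catch (InterruptedException | ExecutionException e) {
            restoreInterruptFlag(e);
            throw new SQLServerException(SQLServerException.getErrString("R_GenerateSignature"), e);
        }
    }

    /**
     * Asks Key Vault whether {@code signature} is a valid RS256 signature of {@code dataToVerify}.
     *
     * @param dataToVerify digest that was signed; expected to be non-null and non-empty
     * @param signature signature to check; expected to be non-null and non-empty
     * @param masterKeyPath Key Vault key identifier
     * @return true if Key Vault reports the signature as valid
     * @throws SQLServerException if the Key Vault call fails
     */
    private boolean AzureKeyVaultVerifySignature(byte[] dataToVerify, byte[] signature, String masterKeyPath) throws SQLServerException {
        assert null != dataToVerify && 0 != dataToVerify.length;
        assert null != signature && 0 != signature.length;
        try {
            return ((Boolean) this.keyVaultClient.verifyAsync(masterKeyPath, "RS256", dataToVerify, signature).get()).booleanValue();
        } catch (InterruptedException | ExecutionException e) {
            restoreInterruptFlag(e);
            throw new SQLServerException(SQLServerException.getErrString("R_VerifySignature"), e);
        }
    }

    /**
     * Fetches the key from Key Vault and returns the length of its modulus in bytes.
     *
     * @param masterKeyPath Key Vault key identifier
     * @return the byte length of the key's {@code n} value
     * @throws SQLServerException if the key type is neither RSA nor RSA-HSM, or the Key Vault
     *         call fails
     */
    private int getAKVKeySize(String masterKeyPath) throws SQLServerException {
        try {
            KeyBundle keyBundle = (KeyBundle) this.keyVaultClient.getKeyAsync(masterKeyPath).get();
            String keyType = keyBundle.getKey().getKty();
            if ("RSA".equalsIgnoreCase(keyType) || "RSA-HSM".equalsIgnoreCase(keyType)) {
                return keyBundle.getKey().getN().length;
            }
            throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_NonRSAKey")).format(new Object[]{keyType}), (String) null, 0, false);
        } catch (InterruptedException | ExecutionException e) {
            restoreInterruptFlag(e);
            throw new SQLServerException(SQLServerException.getErrString("R_GetAKVKeySize"), e);
        }
    }
}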
