package net.croz.nrich.security.csrf.core.service;

import java.beans.ConstructorProperties;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import lombok.Generated;
import net.croz.nrich.security.csrf.api.holder.CsrfTokenKeyHolder;
import net.croz.nrich.security.csrf.api.service.CsrfTokenManagerService;
import net.croz.nrich.security.csrf.core.constants.AesCsrfTokenConstants;
import net.croz.nrich.security.csrf.core.exception.CsrfTokenException;

/* loaded from: input_file:net/croz/nrich/security/csrf/core/service/AesCsrfTokenManagerService.class */
public class AesCsrfTokenManagerService implements CsrfTokenManagerService {
    private static final SecureRandom INITIALIZATION_VECTOR_RANDOM = new SecureRandom();
    private final Duration tokenExpirationInterval;
    private final Duration tokenFutureThreshold;
    private final Integer cryptoKeyLength;

    public void validateAndRefreshToken(CsrfTokenKeyHolder csrfTokenKeyHolder) {
        String token = csrfTokenKeyHolder.getToken();
        if (token == null) {
            throw new CsrfTokenException("Csrf token is not available!");
        }
        Key fetchCryptoKey = fetchCryptoKey(csrfTokenKeyHolder);
        validateToken(token, fetchCryptoKey);
        csrfTokenKeyHolder.storeToken(generateToken(fetchCryptoKey));
    }

    public String generateToken(CsrfTokenKeyHolder csrfTokenKeyHolder) {
        return generateToken(fetchCryptoKey(csrfTokenKeyHolder));
    }

    private Key fetchCryptoKey(CsrfTokenKeyHolder csrfTokenKeyHolder) {
        Key cryptoKey = csrfTokenKeyHolder.getCryptoKey();
        if (cryptoKey == null) {
            cryptoKey = generateCryptoKey();
            csrfTokenKeyHolder.storeCryptoKey(cryptoKey);
        }
        return cryptoKey;
    }

    private Key generateCryptoKey() {
        KeyGenerator keyGenerator = getKeyGenerator();
        keyGenerator.init(this.cryptoKeyLength.intValue());
        return keyGenerator.generateKey();
    }

    private void validateToken(String str, Key key) {
        byte[] decode = Base64.getUrlDecoder().decode(str);
        if (decode.length != 34) {
            throw new CsrfTokenException("Csrf token is not valid.");
        }
        Long valueOf = Long.valueOf(new BigInteger(decryptedCurrentTimeBytes(key, decode)).longValue());
        Long valueOf2 = Long.valueOf(Instant.now().toEpochMilli());
        if (valueOf2.longValue() < valueOf.longValue()) {
            if (valueOf.longValue() - valueOf2.longValue() > this.tokenFutureThreshold.toMillis()) {
                throw new CsrfTokenException("Csrf token is too far in the future.");
            }
        } else if (valueOf2.longValue() - valueOf.longValue() > this.tokenExpirationInterval.toMillis()) {
            throw new CsrfTokenException("Csrf token is too old.");
        }
    }

    private byte[] decryptedCurrentTimeBytes(Key key, byte[] bArr) {
        try {
            return initCipher(key, 2, new GCMParameterSpec(AesCsrfTokenConstants.AUTHENTICATION_TAG_LENGTH, bArr, 0, 12)).doFinal(bArr, 12, bArr.length - 12);
        } catch (Exception e) {
            throw new CsrfTokenException("Csrf token can't be decrypted.", e);
        }
    }

    private String generateToken(Key key) {
        return new String(Base64.getUrlEncoder().encode(encryptedCurrentTimeBytes(key, BigInteger.valueOf(Instant.now().toEpochMilli()).toByteArray())), StandardCharsets.ISO_8859_1);
    }

    private KeyGenerator getKeyGenerator() {
        return KeyGenerator.getInstance(AesCsrfTokenConstants.ENCRYPTION_ALGORITHM);
    }

    private byte[] encryptedCurrentTimeBytes(Key key, byte[] bArr) {
        Cipher initCipher = initCipher(key, 1, new GCMParameterSpec(AesCsrfTokenConstants.AUTHENTICATION_TAG_LENGTH, generateInitializationVector()));
        byte[] doFinal = initCipher.doFinal(bArr);
        byte[] iv = initCipher.getIV();
        return ByteBuffer.allocate(iv.length + doFinal.length).put(iv).put(doFinal).array();
    }

    private Cipher initCipher(Key key, Integer num, GCMParameterSpec gCMParameterSpec) {
        Cipher cipher = Cipher.getInstance(AesCsrfTokenConstants.CIPHER_TRANSFORMATION);
        cipher.init(num.intValue(), key, gCMParameterSpec);
        return cipher;
    }

    private byte[] generateInitializationVector() {
        byte[] bArr = new byte[12];
        INITIALIZATION_VECTOR_RANDOM.nextBytes(bArr);
        return bArr;
    }

    @Generated
    @ConstructorProperties({"tokenExpirationInterval", "tokenFutureThreshold", "cryptoKeyLength"})
    public AesCsrfTokenManagerService(Duration duration, Duration duration2, Integer num) {
        this.tokenExpirationInterval = duration;
        this.tokenFutureThreshold = duration2;
        this.cryptoKeyLength = num;
    }
}
