package net.wedjaa.ansible.vault.crypto.decoders.implementation;

import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import net.wedjaa.ansible.vault.crypto.data.Util;
import net.wedjaa.ansible.vault.crypto.data.VaultContent;
import net.wedjaa.ansible.vault.crypto.data.VaultInfo;
import net.wedjaa.ansible.vault.crypto.decoders.inter.CypherInterface;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/* loaded from: input_file:net/wedjaa/ansible/vault/crypto/decoders/implementation/CypherAES256.class */
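/**
 * AES-256 cypher for vault payloads: AES in CTR mode for confidentiality plus an
 * HMAC-SHA256 tag computed over the ciphertext for integrity.
 *
 * <p>Key material (encryption key, HMAC key and IV) is obtained from
 * {@code EncryptionKeychain}, which is defined elsewhere; this class only passes it
 * the salt, the password and the length/iteration constants declared below.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>On decryption the HMAC tag is verified <em>before</em> any ciphertext is
 *       decrypted, and the comparison is constant-time.</li>
 *   <li>Derived keys and decrypted plaintext are never written to the log, not even at
 *       debug level; only their lengths are reported.</li>
 *   <li>Failures are surfaced as {@link IOException} with the original cause attached.</li>
 * </ul>
 */
public class CypherAES256 implements CypherInterface {
    private static final Log logger = LogFactory.getLog(CypherAES256.class);
    public static final String CYPHER_ID = "AES256";
    public static final int AES_KEYLEN = 256;
    public static final String CHAR_ENCODING = "UTF-8";
    public static final String KEYGEN_ALGO = "HmacSHA256";
    public static final String CYPHER_KEY_ALGO = "AES";
    public static final String CYPHER_ALGO = "AES/CTR/NoPadding";
    private static final int SALT_LENGTH = 32;
    public static final int KEYLEN = 32;
    public static final int IVLEN = 16;
    public static final int ITERATIONS = 10000;

    /**
     * Checks whether the running JRE allows {@value #AES_KEYLEN}-bit AES keys.
     *
     * @return {@code true} when the maximum allowed key length for {@link #CYPHER_ALGO}
     *     is at least {@link #AES_KEYLEN}; {@code false} when it is smaller or the check
     *     itself failed (both cases are logged as warnings)
     */
    private boolean hasValidAESProvider() {
        try {
            int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength(CYPHER_ALGO);
            if (logger.isDebugEnabled()) {
                logger.debug(String.format("Available keylen: %d", maxAllowedKeyLength));
            }
            if (maxAllowedKeyLength >= AES_KEYLEN) {
                return true;
            }
            logger.warn(String.format(
                    "JRE doesn't support %d keylength for %s. Install unrestricted policy files",
                    AES_KEYLEN, CYPHER_KEY_ALGO));
        } catch (GeneralSecurityException | RuntimeException e) {
            logger.warn(String.format("Failed to check for proper cypher algorithms: %s", e.getMessage()), e);
        }
        return false;
    }

    /**
     * Computes the HMAC-SHA256 tag of a message.
     *
     * @param bArr the HMAC key
     * @param bArr2 the message to authenticate
     * @return the raw tag bytes
     * @throws IOException if the MAC cannot be initialised or computed; the underlying
     *     exception is attached as the cause
     */
    public byte[] calculateHMAC(byte[] bArr, byte[] bArr2) throws IOException {
        try {
            Mac mac = Mac.getInstance(KEYGEN_ALGO);
            mac.init(new SecretKeySpec(bArr, KEYGEN_ALGO));
            return mac.doFinal(bArr2);
        } catch (GeneralSecurityException | RuntimeException e) {
            throw new IOException("Error calculating HMAC: " + e.getMessage(), e);
        }
    }

    /**
     * Verifies an HMAC-SHA256 tag.
     *
     * @param bArr the expected tag (as stored alongside the ciphertext)
     * @param bArr2 the HMAC key
     * @param bArr3 the message the tag should cover
     * @return {@code true} when the recomputed tag equals {@code bArr}
     * @throws IOException if the tag cannot be recomputed
     */
    public boolean verifyHMAC(byte[] bArr, byte[] bArr2, byte[] bArr3) throws IOException {
        // MessageDigest.isEqual is constant-time; Arrays.equals returns at the first
        // mismatching byte, which leaks how much of a forged tag was correct.
        return MessageDigest.isEqual(bArr, calculateHMAC(bArr2, bArr3));
    }

    /**
     * Reads the padding length stored in the last byte of decrypted data.
     *
     * @param bArr decrypted, still padded data
     * @return the value of the last byte interpreted as unsigned (0-255), or 0 for an
     *     empty array
     */
    public int paddingLength(byte[] bArr) {
        if (bArr.length == 0) {
            if (logger.isDebugEnabled()) {
                logger.debug("Empty decoded text has no padding.");
            }
            return 0;
        }
        // Java bytes are signed: without the mask a final byte >= 0x80 would yield a
        // negative "length" and make unpad() grow the buffer instead of trimming it.
        int padLength = bArr[bArr.length - 1] & 0xFF;
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("Padding length: %s", padLength));
        }
        return padLength;
    }

    /**
     * Strips the trailing padding announced by the last byte of the data.
     *
     * @param bArr decrypted, still padded data
     * @return a copy of {@code bArr} without its trailing padding bytes
     * @throws IllegalArgumentException if the announced padding length exceeds the data
     *     length
     */
    public byte[] unpad(byte[] bArr) {
        int padLength = paddingLength(bArr);
        if (padLength > bArr.length) {
            throw new IllegalArgumentException(
                    "Invalid padding length " + padLength + " for " + bArr.length + " bytes of data");
        }
        return Arrays.copyOfRange(bArr, 0, bArr.length - padLength);
    }

    /**
     * Pads data up to the next multiple of the cipher block size, PKCS#7 style.
     *
     * <p>A full block of padding is appended when the input is already block aligned,
     * so the padding is always removable.
     *
     * @param bArr the plaintext to pad
     * @return a new array holding the plaintext followed by the padding
     * @throws IOException if the cipher (and therefore its block size) is unavailable
     */
    public byte[] pad(byte[] bArr) throws IOException {
        final int blockSize;
        try {
            blockSize = Cipher.getInstance(CYPHER_ALGO).getBlockSize();
        } catch (GeneralSecurityException e) {
            // The exception used to be constructed but never thrown, so a failure here
            // silently produced a null result.
            throw new IOException("Error calculating padding for " + CYPHER_ALGO + ": " + e.getMessage(), e);
        }
        if (blockSize <= 0) {
            throw new IOException("Error calculating padding for " + CYPHER_ALGO + ": no block size");
        }
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("Padding to block size: %d", blockSize));
        }
        // Always in 1..blockSize, so the aligned case already gets a whole block.
        int padLength = blockSize - (bArr.length % blockSize);
        byte[] padded = Arrays.copyOf(bArr, bArr.length + padLength);
        // PKCS#7 sets every padding byte to the padding length. Filling only the final
        // byte still round-trips through unpad(), but a strict PKCS#7 unpadder that
        // validates all padding bytes would reject the result.
        Arrays.fill(padded, bArr.length, padded.length, (byte) padLength);
        return padded;
    }

    /**
     * Decrypts AES/CTR ciphertext and removes the padding.
     *
     * <p>This method does not authenticate the ciphertext; callers must verify the HMAC
     * first, as {@link #decrypt(byte[], String)} does.
     *
     * @param bArr the ciphertext
     * @param bArr2 the AES key
     * @param bArr3 the IV / initial counter block
     * @return the unpadded plaintext
     * @throws IOException if the key, IV, decryption or padding is invalid
     */
    public byte[] decryptAES(byte[] bArr, byte[] bArr2, byte[] bArr3) throws IOException {
        try {
            Cipher cipher = Cipher.getInstance(CYPHER_ALGO);
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(bArr2, CYPHER_KEY_ALGO), new IvParameterSpec(bArr3));
            return unpad(cipher.doFinal(bArr));
        } catch (GeneralSecurityException | RuntimeException e) {
            throw new IOException("Failed to decrypt data: " + e.getMessage(), e);
        }
    }

    /**
     * Encrypts already padded data with AES/CTR.
     *
     * @param bArr the padded plaintext
     * @param bArr2 the AES key
     * @param bArr3 the IV / initial counter block
     * @return the ciphertext
     * @throws IOException if the key, IV or encryption is invalid
     */
    public byte[] encryptAES(byte[] bArr, byte[] bArr2, byte[] bArr3) throws IOException {
        try {
            Cipher cipher = Cipher.getInstance(CYPHER_ALGO);
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(bArr2, CYPHER_KEY_ALGO), new IvParameterSpec(bArr3));
            return cipher.doFinal(bArr);
        } catch (GeneralSecurityException | RuntimeException e) {
            throw new IOException("Failed to encrypt data: " + e.getMessage(), e);
        }
    }

    /**
     * Authenticates and decrypts an encoded vault payload.
     *
     * @param bArr the encoded vault content (salt, HMAC tag and ciphertext)
     * @param str the vault password
     * @return the decrypted plaintext
     * @throws IOException if no suitable AES provider is available, the HMAC tag does
     *     not match, or decryption fails
     */
    @Override
    public byte[] decrypt(byte[] bArr, String str) throws IOException {
        if (!hasValidAESProvider()) {
            throw new IOException("Missing valid AES256 provider - install unrestricted policy profiles.");
        }
        VaultContent vaultContent = new VaultContent(bArr);
        byte[] salt = vaultContent.getSalt();
        byte[] hmac = vaultContent.getHmac();
        byte[] data = vaultContent.getData();
        if (logger.isDebugEnabled()) {
            // Salt, tag and ciphertext are stored in the vault file itself, so logging
            // them discloses nothing the file does not.
            logger.debug(String.format("Salt: %d - %s", salt.length, Util.hexit(salt, 100)));
            logger.debug(String.format("HMAC: %d - %s", hmac.length, Util.hexit(hmac, 100)));
            logger.debug(String.format("Data: %d - %s", data.length, Util.hexit(data, 100)));
        }
        EncryptionKeychain encryptionKeychain =
                new EncryptionKeychain(salt, str, KEYLEN, IVLEN, ITERATIONS, KEYGEN_ALGO);
        encryptionKeychain.createKeys();
        byte[] encryptionKey = encryptionKeychain.getEncryptionKey();
        byte[] hmacKey = encryptionKeychain.getHmacKey();
        byte[] iv = encryptionKeychain.getIv();
        if (logger.isDebugEnabled()) {
            // Key bytes stay out of the log: anyone who can read a debug log could
            // otherwise decrypt or forge the vault.
            logger.debug(String.format("Key 1: %d bytes (value not logged)", encryptionKey.length));
            logger.debug(String.format("Key 2: %d bytes (value not logged)", hmacKey.length));
            logger.debug(String.format("IV: %d - %s", iv.length, Util.hexit(iv, 100)));
        }
        // Authenticate first: unauthenticated ciphertext must never reach the cipher.
        if (!verifyHMAC(hmac, hmacKey, data)) {
            throw new IOException("HMAC Digest doesn't match - possibly it's the wrong password.");
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Signature matches - decrypting");
        }
        byte[] decoded = decryptAES(data, encryptionKey, iv);
        if (logger.isDebugEnabled()) {
            // The plaintext is the secret the vault protects; report only its size.
            logger.debug(String.format("Decoded %d bytes", decoded.length));
        }
        return decoded;
    }

    /**
     * Decrypts a vault payload and writes the plaintext to a stream.
     *
     * @param outputStream destination for the plaintext
     * @param bArr the encoded vault content
     * @param str the vault password
     * @throws IOException if decryption or the write fails
     */
    @Override
    public void decrypt(OutputStream outputStream, byte[] bArr, String str) throws IOException {
        outputStream.write(decrypt(bArr, str));
    }

    /**
     * Encrypts data and writes the encoded vault content to a stream.
     *
     * @param outputStream destination for the encoded vault content
     * @param bArr the plaintext
     * @param str the vault password
     * @throws IOException if encryption or the write fails
     */
    @Override
    public void encrypt(OutputStream outputStream, byte[] bArr, String str) throws IOException {
        outputStream.write(encrypt(bArr, str));
    }

    /**
     * Returns the vault header line for this cypher.
     *
     * @return the result of {@code VaultInfo.vaultInfoForCypher} for {@link #CYPHER_ID}
     */
    @Override
    public String infoLine() {
        return VaultInfo.vaultInfoForCypher(CYPHER_ID);
    }

    /**
     * Encrypts data into encoded vault content (salt, HMAC tag and ciphertext).
     *
     * <p>The HMAC tag is computed over the ciphertext (encrypt-then-MAC).
     *
     * @param bArr the plaintext
     * @param str the vault password
     * @return the encoded vault content
     * @throws IOException if padding, encryption or the HMAC computation fails
     */
    @Override
    public byte[] encrypt(byte[] bArr, String str) throws IOException {
        // The int-salt constructor receives a salt length rather than salt bytes;
        // NOTE(review): presumably it generates a fresh random salt - confirm in
        // EncryptionKeychain.
        EncryptionKeychain encryptionKeychain =
                new EncryptionKeychain(SALT_LENGTH, str, KEYLEN, IVLEN, ITERATIONS, KEYGEN_ALGO);
        encryptionKeychain.createKeys();
        byte[] encryptionKey = encryptionKeychain.getEncryptionKey();
        byte[] hmacKey = encryptionKeychain.getHmacKey();
        byte[] iv = encryptionKeychain.getIv();
        if (logger.isDebugEnabled()) {
            // Key bytes stay out of the log: anyone who can read a debug log could
            // otherwise decrypt or forge the vault.
            logger.debug(String.format("Key 1: %d bytes (value not logged)", encryptionKey.length));
            logger.debug(String.format("Key 2: %d bytes (value not logged)", hmacKey.length));
            logger.debug(String.format("IV: %d - %s", iv.length, Util.hexit(iv, 100)));
            logger.debug(String.format("Original data length: %d", bArr.length));
        }
        byte[] padded = pad(bArr);
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("Padded data length: %d", padded.length));
        }
        byte[] cipherText = encryptAES(padded, encryptionKey, iv);
        return new VaultContent(encryptionKeychain.getSalt(), calculateHMAC(hmacKey, cipherText), cipherText)
                .toByteArray();
    }
}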
