package org.keycloak.jose.jwe.enc;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.crypto.JavaAlgorithm;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEKeyStorage;
import org.keycloak.jose.jwe.JWEUtils;

/* loaded from: input_file:org/keycloak/jose/jwe/enc/AesCbcHmacShaEncryptionProvider.class */
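/**
 * JWE content encryption that combines AES-CBC with a truncated HMAC-SHA2 tag
 * (the AES_CBC_HMAC_SHA2 construction of RFC 7518, section 5.2).
 *
 * <p>The content encryption key (CEK) is the concatenation {@code MAC_KEY || ENC_KEY}:
 * {@link #serializeCEK} writes the HMAC key first and the AES key second, and
 * {@link #deserializeCEK} splits it the same way. The tag is computed over the
 * protected header, the IV and the ciphertext, and it is verified before any
 * decryption is attempted.
 *
 * <p>Concrete variants only supply the key, tag and algorithm parameters.
 */
public abstract class AesCbcHmacShaEncryptionProvider implements JWEEncryptionProvider {

    /** Size in bytes of the IV generated for AES-CBC; equals the AES block size. */
    private static final int IV_LENGTH_BYTES = 16;

    /** AES-128-CBC with an HMAC-SHA-256 tag truncated to 16 bytes; 32-byte CEK. */
    public static class Aes128CbcHmacSha256Provider extends AesCbcHmacShaEncryptionProvider {
        @Override
        protected int getExpectedAesKeyLength() {
            return 16;
        }

        @Override
        protected String getHmacShaAlgorithm() {
            return JavaAlgorithm.HS256;
        }

        @Override
        protected int getAuthenticationTagLength() {
            return 16;
        }

        @Override
        public int getExpectedCEKLength() {
            return 32;
        }
    }

    /** AES-192-CBC with an HMAC-SHA-384 tag truncated to 24 bytes; 48-byte CEK. */
    public static class Aes192CbcHmacSha384Provider extends AesCbcHmacShaEncryptionProvider {
        @Override
        protected int getExpectedAesKeyLength() {
            return 24;
        }

        @Override
        protected String getHmacShaAlgorithm() {
            return JavaAlgorithm.HS384;
        }

        @Override
        protected int getAuthenticationTagLength() {
            return 24;
        }

        @Override
        public int getExpectedCEKLength() {
            return 48;
        }
    }

    /** AES-256-CBC with an HMAC-SHA-512 tag truncated to 32 bytes; 64-byte CEK. */
    public static class Aes256CbcHmacSha512Provider extends AesCbcHmacShaEncryptionProvider {
        @Override
        protected int getExpectedAesKeyLength() {
            return 32;
        }

        @Override
        protected String getHmacShaAlgorithm() {
            return JavaAlgorithm.HS512;
        }

        @Override
        protected int getAuthenticationTagLength() {
            return 32;
        }

        @Override
        public int getExpectedCEKLength() {
            return 64;
        }
    }

    /**
     * Encrypts the JWE content and stores the IV, ciphertext and authentication tag on the JWE.
     *
     * @param jwe JWE whose key storage already holds the AES and HMAC parts of the CEK
     * @throws IllegalArgumentException if either CEK part is missing from the key storage
     * @throws IllegalStateException if the AES key length does not match this variant
     * @throws GeneralSecurityException if the cipher or MAC cannot be initialised or run
     */
    @Override
    public void encodeJwe(JWE jwe) throws IOException, GeneralSecurityException {
        byte[] plainText = jwe.getContent();
        Key aesKey = requireCekKey(jwe.getKeyStorage(), JWEKeyStorage.KeyUse.ENCRYPTION, "AES CEK key not present");
        Key hmacKey = requireCekKey(jwe.getKeyStorage(), JWEKeyStorage.KeyUse.SIGNATURE, "HMAC CEK key not present");
        requireExpectedAesKeyLength(aesKey);

        // A new IV is drawn for every message.
        // NOTE(review): CBC needs an unpredictable IV; this relies on JWEUtils.generateSecret
        // being backed by a CSPRNG — confirm against that helper.
        byte[] iv = JWEUtils.generateSecret(IV_LENGTH_BYTES);
        byte[] cipherText = encryptBytes(plainText, iv, aesKey);

        // The encoded protected header is the additional authenticated data.
        byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
        byte[] tag = computeAuthenticationTag(aad, iv, cipherText, hmacKey);
        jwe.setEncryptedContentInfo(iv, cipherText, tag);
    }

    /**
     * Verifies the authentication tag and, only if it matches, decrypts the content into the JWE.
     *
     * @param jwe JWE carrying header, IV, ciphertext and tag, with both CEK parts in its key storage
     * @throws IllegalArgumentException if a CEK part is missing or the tag does not match
     * @throws IllegalStateException if the AES key length does not match this variant
     * @throws GeneralSecurityException if the cipher or MAC cannot be initialised or run
     */
    @Override
    public void verifyAndDecodeJwe(JWE jwe) throws IOException, GeneralSecurityException {
        Key aesKey = requireCekKey(jwe.getKeyStorage(), JWEKeyStorage.KeyUse.ENCRYPTION, "AES CEK key not present");
        Key hmacKey = requireCekKey(jwe.getKeyStorage(), JWEKeyStorage.KeyUse.SIGNATURE, "HMAC CEK key not present");
        requireExpectedAesKeyLength(aesKey);

        byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
        byte[] expectedTag =
                computeAuthenticationTag(aad, jwe.getInitializationVector(), jwe.getEncryptedContent(), hmacKey);

        // MessageDigest.isEqual avoids leaking the position of the first differing byte
        // through timing. The check must stay ahead of decryption so that CBC padding
        // errors are never produced for ciphertext that failed authentication.
        if (!MessageDigest.isEqual(jwe.getAuthenticationTag(), expectedTag)) {
            throw new IllegalArgumentException("Signature validations failed");
        }
        jwe.content(decryptBytes(jwe.getEncryptedContent(), jwe.getInitializationVector(), aesKey));
    }

    /** Returns the AES key size in bytes required by this variant. */
    protected abstract int getExpectedAesKeyLength();

    /** Returns the algorithm name passed to {@link Mac#getInstance(String)} for the tag. */
    protected abstract String getHmacShaAlgorithm();

    /** Returns the number of leading HMAC output bytes kept as the authentication tag. */
    protected abstract int getAuthenticationTagLength();

    /**
     * Looks up one part of the CEK without asking the storage to create it.
     *
     * @throws IllegalArgumentException with {@code missingMessage} if the key is absent
     */
    private static Key requireCekKey(JWEKeyStorage keyStorage, JWEKeyStorage.KeyUse keyUse, String missingMessage) {
        Key key = keyStorage.getCEKKey(keyUse, false);
        if (key == null) {
            throw new IllegalArgumentException(missingMessage);
        }
        return key;
    }

    /**
     * Rejects an AES key whose encoded length differs from {@link #getExpectedAesKeyLength()}.
     *
     * <p>NOTE(review): the HMAC key length is not checked here; keys placed in the storage
     * directly (not through {@link #deserializeCEK}) can therefore have any MAC key size.
     */
    private void requireExpectedAesKeyLength(Key aesKey) {
        int expectedLength = getExpectedAesKeyLength();
        int actualLength = aesKey.getEncoded().length;
        if (expectedLength != actualLength) {
            throw new IllegalStateException(
                    "Length of aes key should be " + expectedLength + ", but was " + actualLength);
        }
    }

    /** Encrypts {@code plainText} with the provider's AES-CBC cipher under {@code key} and {@code iv}. */
    private byte[] encryptBytes(byte[] plainText, byte[] iv, Key key) throws GeneralSecurityException {
        Cipher cipher = CryptoIntegration.getProvider().getAesCbcCipher();
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(plainText);
    }

    /** Decrypts {@code cipherText} with the provider's AES-CBC cipher under {@code key} and {@code iv}. */
    private byte[] decryptBytes(byte[] cipherText, byte[] iv, Key key) throws GeneralSecurityException {
        Cipher cipher = CryptoIntegration.getProvider().getAesCbcCipher();
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(cipherText);
    }

    /**
     * Computes the tag as the leading bytes of {@code HMAC(aad || iv || cipherText || AL)},
     * where AL is the AAD length in bits as a 64-bit big-endian integer.
     *
     * @throws NullPointerException if any of the byte arrays is {@code null}
     */
    private byte[] computeAuthenticationTag(byte[] aad, byte[] iv, byte[] cipherText, Key hmacKey)
            throws NoSuchAlgorithmException, InvalidKeyException {
        // Mac.update(byte[]) silently ignores null, which would drop a field from the
        // authenticated data; fail loudly instead.
        Objects.requireNonNull(aad, "aad");
        Objects.requireNonNull(iv, "iv");
        Objects.requireNonNull(cipherText, "cipherText");

        // Long arithmetic keeps the bit count correct where an int product would overflow.
        byte[] aadBitLength =
                ByteBuffer.allocate(Long.BYTES).order(ByteOrder.BIG_ENDIAN).putLong(aad.length * 8L).array();

        Mac mac = Mac.getInstance(getHmacShaAlgorithm());
        mac.init(hmacKey);
        // Feeding the parts one by one gives the same MAC as hashing their concatenation,
        // without allocating a combined buffer.
        mac.update(aad);
        mac.update(iv);
        mac.update(cipherText);
        mac.update(aadBitLength);
        return Arrays.copyOf(mac.doFinal(), getAuthenticationTagLength());
    }

    /**
     * Splits the raw CEK into its HMAC half (leading bytes) and AES half (trailing bytes)
     * and stores both keys in the key storage.
     *
     * @throws NullPointerException if the storage holds no CEK bytes
     * @throws IllegalStateException if the CEK is not exactly {@link #getExpectedCEKLength()} bytes
     */
    @Override
    public void deserializeCEK(JWEKeyStorage jWEKeyStorage) {
        byte[] cekBytes = Objects.requireNonNull(jWEKeyStorage.getCekBytes(), "CEK bytes not present");
        int expectedCekLength = getExpectedCEKLength();
        // Arrays.copyOf/copyOfRange zero-pad past the end of a short array, so without this
        // check a truncated CEK would yield key material that is partly or wholly zero, and
        // an oversized CEK would be silently truncated.
        if (cekBytes.length != expectedCekLength) {
            throw new IllegalStateException(
                    "Length of CEK should be " + expectedCekLength + ", but was " + cekBytes.length);
        }

        int macKeyLength = expectedCekLength / 2;
        byte[] macKeyBytes = Arrays.copyOf(cekBytes, macKeyLength);
        byte[] aesKeyBytes = Arrays.copyOfRange(cekBytes, macKeyLength, expectedCekLength);

        jWEKeyStorage.setCEKKey(new SecretKeySpec(aesKeyBytes, "AES"), JWEKeyStorage.KeyUse.ENCRYPTION);
        jWEKeyStorage.setCEKKey(new SecretKeySpec(macKeyBytes, "HMACSHA2"), JWEKeyStorage.KeyUse.SIGNATURE);
    }

    /**
     * Serialises the CEK as the encoded HMAC key followed by the encoded AES key.
     *
     * @return a new array holding {@code MAC_KEY || ENC_KEY}
     * @throws IllegalArgumentException if either CEK part is missing from the key storage
     */
    @Override
    public byte[] serializeCEK(JWEKeyStorage jWEKeyStorage) {
        Key aesKey = requireCekKey(jWEKeyStorage, JWEKeyStorage.KeyUse.ENCRYPTION, "AES CEK key not present");
        Key hmacKey = requireCekKey(jWEKeyStorage, JWEKeyStorage.KeyUse.SIGNATURE, "HMAC CEK key not present");

        byte[] macKeyBytes = hmacKey.getEncoded();
        byte[] aesKeyBytes = aesKey.getEncoded();
        byte[] cekBytes = Arrays.copyOf(macKeyBytes, macKeyBytes.length + aesKeyBytes.length);
        System.arraycopy(aesKeyBytes, 0, cekBytes, macKeyBytes.length, aesKeyBytes.length);
        return cekBytes;
    }
}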
