package org.keycloak.jose.jwe.enc;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEKeyStorage;
import org.keycloak.jose.jwe.JWEUtils;

/* loaded from: input_file:WEB-INF/lib/keycloak-core-13.0.1.jar:org/keycloak/jose/jwe/enc/AesGcmEncryptionProvider.class */
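/**
 * JWE content-encryption provider for AES in Galois/Counter Mode (the {@code A…GCM}
 * {@code enc} algorithms): 96-bit IV, 128-bit authentication tag.
 *
 * <p>The base64url-encoded JWE header is fed to the cipher as additional authenticated
 * data (AAD), so any modification of the header is caught when the tag is verified during
 * decryption. Subclasses only pin the AES key size through {@link #getExpectedAesKeyLength()}.
 *
 * <p>Thread-safety: the class keeps no mutable state; a fresh {@link Cipher} is created
 * for every call.
 */
public abstract class AesGcmEncryptionProvider implements JWEEncryptionProvider {
    /** Size in bytes of the GCM authentication tag appended to the ciphertext. */
    private static final int AUTH_TAG_SIZE_BYTE = 16;
    /** Size in bytes of the GCM initialization vector (96-bit nonce). */
    private static final int IV_SIZE_BYTE = 12;
    /** JCA transformation; GCM is an AEAD stream mode, so no padding applies. */
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    /** JCA provider name the cipher is requested from (Bouncy Castle). */
    private static final String PROVIDER = "BC";

    /**
     * Encrypts the content of {@code jwe} in place: draws a fresh IV, encrypts under the
     * CEK held in the JWE's key storage with the base64url header as AAD, and stores IV,
     * ciphertext and authentication tag on the {@code jwe}.
     *
     * @param jwe the JWE whose content is encrypted; its key storage must contain an AES CEK
     * @throws IllegalArgumentException if no CEK is present in the key storage
     * @throws IllegalStateException if the CEK length differs from {@link #getExpectedAesKeyLength()}
     * @throws Exception propagated from the cipher (declared by the interface)
     */
    @Override
    public void encodeJwe(JWE jwe) throws Exception {
        byte[] content = jwe.getContent();
        // A new IV per encryption is mandatory: reusing an IV under the same GCM key breaks
        // both confidentiality and integrity. JWEUtils.generateSecret is assumed to be
        // backed by a CSPRNG — TODO confirm against its implementation.
        byte[] iv = JWEUtils.generateSecret(IV_SIZE_BYTE);
        Key cekKey = requireCek(jwe.getKeyStorage());
        checkKeyLength(cekKey);
        byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
        byte[] cipherTextWithTag = encryptBytes(content, iv, cekKey, aad);
        jwe.setEncryptedContentInfo(iv, getEncryptedContent(cipherTextWithTag), getAuthenticationTag(cipherTextWithTag));
    }

    /**
     * Verifies the authentication tag of {@code jwe} and, on success, decrypts its content
     * in place. Verification covers the ciphertext and the base64url header (AAD).
     *
     * @param jwe the JWE to decrypt; must carry IV, encrypted content and authentication tag
     * @throws IllegalArgumentException if no CEK is present in the key storage
     * @throws IllegalStateException if the CEK length differs from {@link #getExpectedAesKeyLength()}
     * @throws Exception propagated from the cipher, in particular a
     *     {@code javax.crypto.AEADBadTagException} (a {@link GeneralSecurityException})
     *     when the tag does not verify; no plaintext is released in that case
     */
    @Override
    public void verifyAndDecodeJwe(JWE jwe) throws Exception {
        Key cekKey = requireCek(jwe.getKeyStorage());
        checkKeyLength(cekKey);
        byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
        byte[] cipherTextWithTag = getAeadDecryptedTargetContent(jwe);
        jwe.content(decryptBytes(cipherTextWithTag, jwe.getInitializationVector(), cekKey, aad));
    }

    /**
     * Reads the CEK from the key storage, failing loudly when it is absent.
     *
     * @throws IllegalArgumentException if the storage holds no CEK
     */
    private static Key requireCek(JWEKeyStorage keyStorage) {
        Key cekKey = keyStorage.getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, false);
        if (cekKey == null) {
            throw new IllegalArgumentException("AES CEK key not present");
        }
        return cekKey;
    }

    /**
     * Rejects a CEK whose encoded length is not the one the concrete algorithm expects, so a
     * mismatched key size cannot silently select a different AES variant.
     *
     * @throws IllegalStateException if the length differs from {@link #getExpectedAesKeyLength()}
     */
    private void checkKeyLength(Key cekKey) {
        int expectedAesKeyLength = getExpectedAesKeyLength();
        int actualAesKeyLength = cekKey.getEncoded().length;
        if (expectedAesKeyLength != actualAesKeyLength) {
            throw new IllegalStateException("Length of aes key should be " + expectedAesKeyLength + ", but was " + actualAesKeyLength);
        }
    }

    /**
     * AES-GCM encrypts {@code plainText}.
     *
     * @param plainText the bytes to encrypt
     * @param iv the {@value #IV_SIZE_BYTE}-byte IV; must be unique per key
     * @param key the AES CEK
     * @param aad additional authenticated data, bound into the tag but not encrypted
     * @return ciphertext with the {@value #AUTH_TAG_SIZE_BYTE}-byte tag appended
     * @throws GeneralSecurityException if the cipher cannot be obtained or initialised
     */
    private static byte[] encryptBytes(byte[] plainText, byte[] iv, Key key, byte[] aad) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION, PROVIDER);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(AUTH_TAG_SIZE_BYTE * Byte.SIZE, iv));
        cipher.updateAAD(aad);
        // doFinal(byte[]) returns an exactly-sized array, so no manual output buffer is needed.
        return cipher.doFinal(plainText);
    }

    /**
     * AES-GCM decrypts {@code cipherTextWithTag}, verifying the tag first.
     *
     * @param cipherTextWithTag ciphertext followed by the authentication tag
     * @param iv the IV used at encryption time
     * @param key the AES CEK
     * @param aad the same additional authenticated data that was used at encryption time
     * @return the plaintext
     * @throws GeneralSecurityException if the tag does not verify
     *     ({@code javax.crypto.AEADBadTagException}) or the cipher cannot be set up
     */
    private static byte[] decryptBytes(byte[] cipherTextWithTag, byte[] iv, Key key, byte[] aad) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION, PROVIDER);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(AUTH_TAG_SIZE_BYTE * Byte.SIZE, iv));
        cipher.updateAAD(aad);
        return cipher.doFinal(cipherTextWithTag);
    }

    /**
     * Returns the trailing {@value #AUTH_TAG_SIZE_BYTE} bytes of the cipher output, i.e. the
     * GCM authentication tag.
     *
     * @throws IllegalStateException if the output is shorter than one tag
     */
    private static byte[] getAuthenticationTag(byte[] cipherTextWithTag) {
        requireTagPresent(cipherTextWithTag);
        return Arrays.copyOfRange(cipherTextWithTag, cipherTextWithTag.length - AUTH_TAG_SIZE_BYTE, cipherTextWithTag.length);
    }

    /**
     * Returns the cipher output without its trailing {@value #AUTH_TAG_SIZE_BYTE}-byte tag,
     * i.e. the ciphertext alone.
     *
     * @throws IllegalStateException if the output is shorter than one tag
     */
    private static byte[] getEncryptedContent(byte[] cipherTextWithTag) {
        requireTagPresent(cipherTextWithTag);
        return Arrays.copyOf(cipherTextWithTag, cipherTextWithTag.length - AUTH_TAG_SIZE_BYTE);
    }

    /** Guards the split helpers against a cipher output too short to contain a tag. */
    private static void requireTagPresent(byte[] cipherTextWithTag) {
        if (cipherTextWithTag.length < AUTH_TAG_SIZE_BYTE) {
            throw new IllegalStateException("Cipher output shorter than the authentication tag: " + cipherTextWithTag.length + " bytes");
        }
    }

    /**
     * Re-joins the JWE's encrypted content and authentication tag into the
     * {@code ciphertext || tag} layout the JCA GCM cipher expects on decryption.
     */
    private static byte[] getAeadDecryptedTargetContent(JWE jwe) {
        byte[] encryptedContent = jwe.getEncryptedContent();
        byte[] authenticationTag = jwe.getAuthenticationTag();
        byte[] cipherTextWithTag = new byte[encryptedContent.length + authenticationTag.length];
        System.arraycopy(encryptedContent, 0, cipherTextWithTag, 0, encryptedContent.length);
        System.arraycopy(authenticationTag, 0, cipherTextWithTag, encryptedContent.length, authenticationTag.length);
        return cipherTextWithTag;
    }

    /**
     * Returns the raw encoded bytes of the CEK held in {@code keyStorage}.
     *
     * @throws IllegalArgumentException if no CEK is present
     */
    @Override
    public byte[] serializeCEK(JWEKeyStorage keyStorage) {
        return requireCek(keyStorage).getEncoded();
    }

    /**
     * Wraps the raw CEK bytes in {@code keyStorage} as an AES key and stores it back for the
     * encryption key use. {@link SecretKeySpec} rejects null or empty bytes with an
     * {@link IllegalArgumentException}; the length is validated later by the encode/decode paths.
     */
    @Override
    public void deserializeCEK(JWEKeyStorage keyStorage) {
        keyStorage.setCEKKey(new SecretKeySpec(keyStorage.getCekBytes(), "AES"), JWEKeyStorage.KeyUse.ENCRYPTION);
    }

    /**
     * Returns the AES key length in bytes the concrete algorithm requires (e.g. 16, 24 or 32);
     * used to reject a CEK of any other size.
     */
    protected abstract int getExpectedAesKeyLength();
}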
