package org.xipki.audit.services;

import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.StringTokenizer;
import java.util.concurrent.atomic.AtomicLong;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.audit.AuditEvent;
import org.xipki.audit.AuditLevel;
import org.xipki.audit.AuditService;
import org.xipki.audit.PciAuditEvent;
import org.xipki.ca.gateway.PasswordHash;
import org.xipki.password.PasswordResolver;
import org.xipki.password.PasswordResolverException;
import org.xipki.util.Base64;
import org.xipki.util.ConfPairs;
import org.xipki.util.StringUtil;

/* loaded from: input_file:WEB-INF/lib/audit-6.0.0.jar:org/xipki/audit/services/MacAuditService.class */
public abstract class MacAuditService implements AuditService {
    public static final String KEY_SHARD_ID = "shard-id";
    public static final String KEY_ALGO = "algo";
    public static final String KEY_PASSWORD = "password";
    public static final String KEY_KEYID = "keyid";
    public static final String KEY_OLD_PASSWORD = "old-password";
    public static final String KEY_OLD_KEYID = "old-keyid";
    public static final String KEY_ENC_INTERVAL = "enc-interval";
    private static final int ALGO_ID_HMAC_SHA256 = 1;
    private static final String VERSION_V1 = "v1";
    protected static final String DELIM = ";";
    private static final String INNER_DELIM = ":";
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) MacAuditService.class);
    private static final DateTimeFormatter DTF = DateTimeFormatter.ofPattern("yyyy.MM.dd-HH:mm:ss.SSS");
    protected int shardId;
    protected String previousTag;
    private String algo;
    private String tagPrefix;
    private byte[] tagPrefixBytes;
    private String keyId;
    private SecureRandom rnd;
    private SecretKey macKey;
    private SecretKey encKey;
    private Mac mac;
    private Cipher cipher;
    private int encInterval;
    private final ZoneId timeZone = ZoneId.systemDefault();
    protected AtomicLong id = new AtomicLong(0);

    /* JADX INFO: Access modifiers changed from: protected */
    public String formatDate(Instant instant) {
        return DTF.format(instant.atZone(this.timeZone));
    }

    private String buildMacPayload(Instant instant, long j, int i, String str, long j2, String str2, String str3) {
        return formatDate(instant) + DELIM + str + DELIM + i + DELIM + this.shardId + DELIM + j + DELIM + j2 + INNER_DELIM + (str2 == null ? "" : str2) + DELIM + str3;
    }

    protected abstract void storeLog(Instant instant, long j, int i, String str, long j2, String str2, String str3);

    protected abstract void storeIntegrity(String str);

    protected abstract void doClose() throws Exception;

    protected void doExtraInit(ConfPairs confPairs, PasswordResolver passwordResolver) throws PasswordResolverException {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void verify(long j, String str, String str2, ConfPairs confPairs) {
        SecretKey generateSecret;
        if (j == 0) {
            if (!StringUtil.isBlank(str2)) {
                throw new IllegalStateException("audit entry deleted unexpectedly");
            }
            return;
        }
        if (StringUtil.isBlank(str2)) {
            throw new IllegalStateException("integrityText deleted unexpectedly");
        }
        StringTokenizer stringTokenizer = new StringTokenizer(str2, DELIM);
        String nextToken = stringTokenizer.nextToken();
        if (!VERSION_V1.equalsIgnoreCase(nextToken)) {
            throw new IllegalStateException("unknown version " + nextToken);
        }
        String nextToken2 = stringTokenizer.nextToken();
        byte[] decodeFast = Base64.decodeFast(stringTokenizer.nextToken());
        byte[] decodeFast2 = Base64.decodeFast(stringTokenizer.nextToken());
        if (this.keyId.equals(nextToken2)) {
            generateSecret = this.encKey;
        } else {
            if (!nextToken2.equals(confPairs.value(KEY_OLD_KEYID))) {
                throw new IllegalStateException("found no key to decrypt the integrityText");
            }
            try {
                generateSecret = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(new PBEKeySpec(confPairs.value(KEY_OLD_PASSWORD).toCharArray(), "ENC".getBytes(StandardCharsets.UTF_8), PasswordHash.PBKDF2_ITERATIONS, 256));
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new IllegalStateException("error deriving key", e);
            }
        }
        try {
            this.cipher.init(2, generateSecret, new GCMParameterSpec(128, decodeFast));
            StringTokenizer stringTokenizer2 = new StringTokenizer(new String(this.cipher.doFinal(decodeFast2)), DELIM);
            String nextToken3 = stringTokenizer2.nextToken();
            if (!VERSION_V1.equalsIgnoreCase(nextToken3)) {
                throw new IllegalStateException("unknown version " + nextToken3);
            }
            int parseInt = Integer.parseInt(stringTokenizer2.nextToken());
            long parseLong = Long.parseLong(stringTokenizer2.nextToken());
            String nextToken4 = stringTokenizer2.nextToken();
            if (parseInt != this.shardId) {
                throw new IllegalStateException(String.format("shardId in integrityText (%d) != configured shardId (%d)", Integer.valueOf(parseInt), Integer.valueOf(this.shardId)));
            }
            if (parseLong == j) {
                if (!str.equals(nextToken4)) {
                    throw new IllegalStateException("tag in integrityText does not match the audit entry.");
                }
            } else {
                if (parseLong > j) {
                    throw new IllegalStateException(String.format("audit entries deleted unexpectedly, id in the latest entry is %d, but expected %d", Long.valueOf(j), Long.valueOf(parseLong)));
                }
                if (parseLong < j) {
                    LOG.warn("id in the last entry is{}, but in the integrityText is {}", Long.valueOf(j), Long.valueOf(parseLong));
                }
            }
        } catch (Exception e2) {
            throw new IllegalStateException("error while decrypting the integrityText");
        }
    }

    @Override // org.xipki.audit.AuditService
    public void init(String str) {
        try {
            init(str, null);
        } catch (PasswordResolverException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override // org.xipki.audit.AuditService
    public void init(String str, PasswordResolver passwordResolver) throws PasswordResolverException {
        int i;
        ConfPairs confPairs = new ConfPairs(str);
        String value = confPairs.value(KEY_SHARD_ID);
        this.shardId = StringUtil.isBlank(value) ? 0 : Integer.parseInt(value);
        String value2 = confPairs.value(KEY_ENC_INTERVAL);
        this.encInterval = value2 == null ? 1 : Integer.parseInt(value2);
        this.algo = confPairs.value(KEY_ALGO);
        if (this.algo == null) {
            this.algo = "HmacSHA256";
            i = 1;
        } else {
            if (!"HmacSHA256".equalsIgnoreCase(this.algo.replace("-", ""))) {
                throw new IllegalArgumentException("unsupported algorithm " + this.algo);
            }
            this.algo = "HmacSHA256";
            i = 1;
        }
        this.keyId = confPairs.value(KEY_KEYID);
        if (StringUtil.isBlank(this.keyId)) {
            throw new IllegalArgumentException("property keyid not defined");
        }
        this.tagPrefix = "v1:" + i + INNER_DELIM + this.keyId + INNER_DELIM;
        this.tagPrefixBytes = this.tagPrefix.getBytes(StandardCharsets.UTF_8);
        String value3 = confPairs.value(KEY_PASSWORD);
        if (StringUtil.isBlank(value3)) {
            throw new IllegalArgumentException("property password not defined");
        }
        try {
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            char[] charArray = value3.toCharArray();
            this.macKey = secretKeyFactory.generateSecret(new PBEKeySpec(charArray, "MAC".getBytes(StandardCharsets.UTF_8), PasswordHash.PBKDF2_ITERATIONS, 256));
            this.encKey = new SecretKeySpec(secretKeyFactory.generateSecret(new PBEKeySpec(charArray, "ENC".getBytes(StandardCharsets.UTF_8), PasswordHash.PBKDF2_ITERATIONS, 256)).getEncoded(), "AES");
            this.mac = Mac.getInstance(this.algo);
            this.mac.init(this.macKey);
            this.cipher = Cipher.getInstance("AES/GCM/NoPadding");
            this.rnd = new SecureRandom();
            doExtraInit(new ConfPairs(str), passwordResolver);
        } catch (Exception e) {
            throw new IllegalStateException("could not initialize Mac or Cipher", e);
        }
    }

    @Override // org.xipki.audit.AuditService
    public void logEvent(AuditEvent auditEvent) {
        log(1, auditEvent.getLevel(), auditEvent.toTextMessage());
    }

    @Override // org.xipki.audit.AuditService
    public void logEvent(PciAuditEvent pciAuditEvent) {
        log(2, pciAuditEvent.getLevel(), pciAuditEvent.toTextMessage());
    }

    private synchronized void log(int i, AuditLevel auditLevel, String str) {
        Instant now = Instant.now();
        long j = this.id.get();
        long incrementAndGet = this.id.incrementAndGet();
        String text = auditLevel.getText();
        String buildMacPayload = buildMacPayload(now, incrementAndGet, i, text, j, this.previousTag, str);
        this.mac.reset();
        this.mac.update(this.tagPrefixBytes);
        this.mac.update(buildMacPayload.getBytes(StandardCharsets.UTF_8));
        String str2 = this.tagPrefix + Base64.encodeToString(this.mac.doFinal());
        this.previousTag = str2;
        storeLog(now, incrementAndGet, i, text, j, str, str2);
        if (this.encInterval <= 1 || incrementAndGet % this.encInterval == 0) {
            storeIntegrity(buildIntegrityText());
        }
    }

    private String buildIntegrityText() {
        byte[] utf8Bytes = StringUtil.toUtf8Bytes("v1;" + this.shardId + DELIM + this.id.get() + DELIM + this.previousTag);
        byte[] bArr = new byte[12];
        this.rnd.nextBytes(bArr);
        try {
            this.cipher.init(1, this.encKey, new GCMParameterSpec(128, bArr));
            return "v1;" + this.keyId + DELIM + Base64.encodeToString(bArr) + DELIM + Base64.encodeToString(this.cipher.doFinal(utf8Bytes));
        } catch (Exception e) {
            throw new IllegalStateException("error encrypting thisId", e);
        }
    }

    @Override // java.lang.AutoCloseable
    public final void close() throws Exception {
        if (!((this.encInterval <= 1) | (this.id.get() % ((long) this.encInterval) == 0))) {
            storeIntegrity(buildIntegrityText());
        }
        doClose();
    }
}
