package org.forgerock.opendj.security;

import com.forgerock.opendj.security.KeystoreMessages;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.forgerock.opendj.io.ASN1;
import org.forgerock.opendj.io.ASN1Reader;
import org.forgerock.opendj.io.ASN1Writer;
import org.forgerock.opendj.ldap.ByteSequence;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ByteStringBuilder;
import org.forgerock.util.Factory;
import org.forgerock.util.Options;

/* loaded from: input_file:org/forgerock/opendj/security/KeyProtector.class */
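/**
 * Encodes key material for storage in the keystore and decodes it again.
 * <p>
 * Every encoded key is a DER SEQUENCE {@code { version INTEGER, body }} where {@code body} is one of:
 * <ul>
 * <li>{@code [0] OCTET STRING} — the raw encoded key, written only when no password at all is available;</li>
 * <li>{@code [1] SEQUENCE { salt OCTET STRING, wrapped OCTET STRING }} — the key, padded to a multiple of
 * 8 bytes, AES key-wrapped under a key derived with PBKDF2 from the global password concatenated with the
 * per-entry password;</li>
 * <li>{@code [2] OCTET STRING} — one of the two encodings above, further wrapped by the configured
 * {@link ExternalKeyWrappingStrategy} (e.g. an HSM/KMS).</li>
 * </ul>
 * Operational caveats a deployer should know:
 * <ul>
 * <li>The PBKDF2 PRF, derived key size and iteration count are NOT recorded in the encoding. The iteration
 * count is read from {@link KeyStoreParameters#PBKDF2_ITERATIONS} at decode time, so changing that option
 * (or the algorithm constants below) makes existing entries undecodable — they fail with a decrypt error.</li>
 * <li>If neither a global nor a per-entry password is configured and no external wrapping strategy is set,
 * the key material is stored in the clear.</li>
 * </ul>
 * Instances hold no per-call state beyond a {@link SecureRandom}, which the JDK documents as safe for
 * concurrent use; each call creates its own {@link Cipher}.
 */
final class KeyProtector {
    /** Format version written at the start of every encoding; only V1 exists. */
    private static final int ENCODING_VERSION_V1 = 1;
    /** Context-specific, constructed tag [0]: unencrypted key material. */
    private static final byte PLAIN_KEY = (byte) 0xA0;
    /** Context-specific, constructed tag [1]: key wrapped under a password-derived AES key. */
    private static final byte KEYSTORE_WRAPPED_KEY = (byte) 0xA1;
    /** Context-specific, constructed tag [2]: key wrapped by the external strategy. */
    private static final byte EXTERNALLY_WRAPPED_KEY = (byte) 0xA2;
    /** PBKDF2 PRF used to derive the key-encryption key. Part of the implicit on-disk format. */
    private static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";
    /** Size in bits of the derived AES key-encryption key. Part of the implicit on-disk format. */
    private static final int PBKDF2_KEY_SIZE = 128;
    /** RFC 3394 AES key wrap; its integrity check is what turns a wrong password into a decrypt failure. */
    private static final String CIPHER_ALGORITHM = "AESWrap";
    /** Placeholder algorithm name given to the padded blob handed to the wrap cipher. */
    private static final String DUMMY_KEY_ALGORITHM = "PADDED";
    /** AESWrap only accepts input whose length is a multiple of 8 bytes. */
    private static final int WRAP_BLOCK_SIZE = 8;

    private final SecureRandom prng = new SecureRandom();
    private final Options options;

    /**
     * Creates a protector reading its configuration from {@code options}.
     *
     * @param options keystore options; consulted on every call for the global password, PBKDF2 salt size and
     *                iteration count and the optional external wrapping strategy.
     */
    KeyProtector(final Options options) {
        this.options = options;
    }

    /**
     * Encodes {@code key} for storage.
     *
     * @param key      the key to protect; must support {@link Key#getEncoded()}.
     * @param password per-entry password, or {@code null} if none. It is appended to the global password (if
     *                 any) to form the PBKDF2 password. The caller retains ownership of the array.
     * @return the DER encoding described in the class documentation.
     * @throws LocalizedKeyStoreException if the JCE lacks the required algorithms.
     * @throws IllegalStateException      on an {@link IOException} from the in-memory writer, or if
     *                                    {@code key} has no encoding.
     */
    ByteString encodeKey(final Key key, final char[] password) throws LocalizedKeyStoreException {
        final char[] globalPassword = globalPassword();
        final char[] combinedPassword = concatenate(globalPassword, password);
        final ByteStringBuilder out = new ByteStringBuilder();
        try (ASN1Writer writer = ASN1.getWriter(out)) {
            writer.writeStartSequence();
            writer.writeInteger(ENCODING_VERSION_V1);
            final ExternalKeyWrappingStrategy strategy = externalStrategy();
            if (strategy == null) {
                encodePlainOrWrappedKey(key, combinedPassword, writer);
            } else {
                // Build the inner encoding in a separate buffer, close that writer so it is fully flushed,
                // then hand the bytes to the external strategy and emit the result on the OUTER writer.
                final ByteStringBuilder inner = new ByteStringBuilder();
                try (ASN1Writer innerWriter = ASN1.getWriter(inner)) {
                    encodePlainOrWrappedKey(key, combinedPassword, innerWriter);
                }
                writer.writeOctetString(EXTERNALLY_WRAPPED_KEY, strategy.wrapKey(inner.toByteString()));
            }
            writer.writeEndSequence();
        } catch (IOException e) {
            // The writer targets an in-memory buffer, so I/O failure indicates a programming error.
            throw new IllegalStateException(e);
        } finally {
            destroyCharArray(combinedPassword);
            destroyCharArray(globalPassword);
        }
        return out.toByteString();
    }

    /**
     * Writes either the plain key (no password available) or the password-wrapped key.
     *
     * @param key      key to encode.
     * @param password combined global + per-entry password, or {@code null} for none.
     * @param writer   destination writer.
     */
    private void encodePlainOrWrappedKey(final Key key, final char[] password, final ASN1Writer writer)
            throws IOException, LocalizedKeyStoreException {
        final byte[] encoded = key.getEncoded();
        if (encoded == null) {
            throw new IllegalStateException("key does not support encoding: " + key.getAlgorithm());
        }
        if (password == null) {
            // No password from either source: the key material is stored unencrypted.
            writer.writeOctetString(PLAIN_KEY, encoded);
            return;
        }
        final byte[] salt = new byte[saltSize()];
        prng.nextBytes(salt);
        writer.writeStartSequence(KEYSTORE_WRAPPED_KEY);
        writer.writeOctetString(salt);
        // AESWrap needs a multiple of 8 bytes; the padding is removed again in unpad().
        final byte[] padded = pad(encoded);
        try {
            final SecretKey kek = createAESSecretKey(password, salt, pbkdf2Iterations());
            final Cipher wrapper = getCipher(Cipher.WRAP_MODE, kek);
            writer.writeOctetString(wrapper.wrap(new SecretKeySpec(padded, DUMMY_KEY_ALGORITHM)));
        } catch (InvalidKeyException | IllegalBlockSizeException e) {
            // Cannot happen for a correctly padded input and a freshly derived AES key.
            throw new IllegalStateException(e);
        } finally {
            // SecretKeySpec copies its input, so the padded plaintext can be wiped here.
            Arrays.fill(padded, (byte) 0);
        }
        writer.writeEndSequence();
    }

    /**
     * Decodes a secret key previously produced by {@link #encodeKey}.
     *
     * @param encoded   the stored encoding.
     * @param algorithm JCE algorithm name to attach to the recovered key bytes.
     * @param password  per-entry password, or {@code null}.
     * @return a {@link SecretKeySpec} holding the recovered key bytes.
     * @throws LocalizedKeyStoreException if the encoding is malformed, uses an unsupported version, the password
     *                                    is missing or wrong, or the external strategy is required but absent.
     */
    Key decodeSecretKey(final ByteSequence encoded, final String algorithm, final char[] password)
            throws LocalizedKeyStoreException {
        return decodeKey(encoded, algorithm, password, false);
    }

    /**
     * Decodes a private key previously produced by {@link #encodeKey}; the recovered bytes are interpreted as
     * a PKCS#8 encoding for {@code algorithm}.
     *
     * @see #decodeSecretKey
     */
    Key decodePrivateKey(final ByteSequence encoded, final String algorithm, final char[] password)
            throws LocalizedKeyStoreException {
        return decodeKey(encoded, algorithm, password, true);
    }

    /** Parses the outer {@code SEQUENCE { version, body }} and dispatches on the version. */
    private Key decodeKey(final ByteSequence encoded, final String algorithm, final char[] password,
            final boolean isPrivateKey) throws LocalizedKeyStoreException {
        try (ASN1Reader reader = ASN1.getReader(encoded)) {
            reader.readStartSequence();
            // Compare the full value rather than a truncated int so that e.g. 2^32 + 1 is not taken for V1.
            final long version = reader.readInteger();
            if (version != ENCODING_VERSION_V1) {
                throw new LocalizedKeyStoreException(
                        KeystoreMessages.KEYSTORE_DECODE_UNSUPPORTED_VERSION.get(Long.valueOf(version)));
            }
            final Key key = decodeKeyV1(reader, algorithm, password, isPrivateKey);
            reader.readEndSequence();
            return key;
        } catch (IOException e) {
            throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_MALFORMED.get(), e);
        }
    }

    /** Decodes a V1 body, allowing an externally wrapped envelope at this level. */
    private Key decodeKeyV1(final ASN1Reader reader, final String algorithm, final char[] password,
            final boolean isPrivateKey) throws IOException, LocalizedKeyStoreException {
        return decodeKeyV1(reader, algorithm, password, isPrivateKey, true);
    }

    /**
     * Decodes a V1 body by its tag.
     *
     * @param allowExternalWrapping whether an {@code [2]} envelope is acceptable here. The encoder only ever
     *                              places a plain or keystore-wrapped key inside the external envelope, so a
     *                              nested envelope is treated as malformed (this also bounds the recursion).
     */
    private Key decodeKeyV1(final ASN1Reader reader, final String algorithm, final char[] password,
            final boolean isPrivateKey, final boolean allowExternalWrapping)
            throws IOException, LocalizedKeyStoreException {
        switch (reader.peekType()) {
        case PLAIN_KEY:
            return newKeyFromBytes(reader.readOctetString(PLAIN_KEY).toByteArray(), algorithm, isPrivateKey);
        case KEYSTORE_WRAPPED_KEY:
            return decodeKeyStoreWrappedKey(reader, algorithm, password, isPrivateKey);
        case EXTERNALLY_WRAPPED_KEY:
            if (!allowExternalWrapping) {
                throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_MALFORMED.get());
            }
            return decodeExternallyWrappedKey(reader, algorithm, password, isPrivateKey);
        default:
            throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_MALFORMED.get());
        }
    }

    /** Decodes a {@code [1] SEQUENCE { salt, wrapped }} body using the global + per-entry password. */
    private Key decodeKeyStoreWrappedKey(final ASN1Reader reader, final String algorithm, final char[] password,
            final boolean isPrivateKey) throws IOException, LocalizedKeyStoreException {
        final char[] globalPassword = globalPassword();
        final char[] combinedPassword = concatenate(globalPassword, password);
        try {
            if (combinedPassword == null) {
                throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_KEY_MISSING_PWD.get());
            }
            // Finish all structural parsing before any cryptography so that a crypto failure is never
            // masked by a reader error raised while trying to close the sequence.
            reader.readStartSequence(KEYSTORE_WRAPPED_KEY);
            final byte[] salt = reader.readOctetString().toByteArray();
            final byte[] wrapped = reader.readOctetString().toByteArray();
            reader.readEndSequence();
            try {
                final SecretKey kek = createAESSecretKey(combinedPassword, salt, pbkdf2Iterations());
                final Key padded = getCipher(Cipher.UNWRAP_MODE, kek)
                        .unwrap(wrapped, DUMMY_KEY_ALGORITHM, Cipher.SECRET_KEY);
                return unpad(padded, algorithm, isPrivateKey);
            } catch (InvalidKeyException e) {
                // AESWrap's integrity check failed: wrong password or tampered data.
                throw new LocalizedKeyStoreException(
                        KeystoreMessages.KEYSTORE_DECODE_KEYSTORE_DECRYPT_FAILURE.get(), e);
            } catch (NoSuchAlgorithmException e) {
                // DUMMY_KEY_ALGORITHM is only a label for a SecretKeySpec; the JCE does not look it up.
                throw new IllegalStateException(e);
            }
        } finally {
            destroyCharArray(combinedPassword);
            destroyCharArray(globalPassword);
        }
    }

    /** Decodes a {@code [2] OCTET STRING} body by unwrapping it with the external strategy and recursing. */
    private Key decodeExternallyWrappedKey(final ASN1Reader reader, final String algorithm, final char[] password,
            final boolean isPrivateKey) throws IOException, LocalizedKeyStoreException {
        final ExternalKeyWrappingStrategy strategy = externalStrategy();
        if (strategy == null) {
            throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_KEY_MISSING_KEYSTORE_EXT.get());
        }
        try (ASN1Reader innerReader = ASN1.getReader(
                strategy.unwrapKey(reader.readOctetString(EXTERNALLY_WRAPPED_KEY)))) {
            return decodeKeyV1(innerReader, algorithm, password, isPrivateKey, false);
        }
    }

    /** Obtains a fresh copy of the global password (may be {@code null}); the caller must destroy it. */
    @SuppressWarnings("unchecked")
    private char[] globalPassword() {
        final Factory<char[]> factory = (Factory<char[]>) options.get(KeyStoreParameters.GLOBAL_PASSWORD);
        return factory.newInstance();
    }

    /** The configured external wrapping strategy, or {@code null} if none. */
    private ExternalKeyWrappingStrategy externalStrategy() {
        return (ExternalKeyWrappingStrategy) options.get(KeyStoreParameters.EXTERNAL_KEY_WRAPPING_STRATEGY);
    }

    private int saltSize() {
        return ((Integer) options.get(KeyStoreParameters.PBKDF2_SALT_SIZE)).intValue();
    }

    private int pbkdf2Iterations() {
        return ((Integer) options.get(KeyStoreParameters.PBKDF2_ITERATIONS)).intValue();
    }

    /**
     * Concatenates two optional passwords into a fresh array the caller must destroy.
     *
     * @return {@code null} only when both inputs are {@code null}; otherwise a copy of the non-null one, or
     *         {@code first} followed by {@code second}.
     */
    private static char[] concatenate(final char[] first, final char[] second) {
        if (first == null && second == null) {
            return null;
        }
        if (first == null) {
            return second.clone();
        }
        if (second == null) {
            return first.clone();
        }
        final char[] combined = new char[first.length + second.length];
        System.arraycopy(first, 0, combined, 0, first.length);
        System.arraycopy(second, 0, combined, first.length, second.length);
        return combined;
    }

    /**
     * Returns an {@value #CIPHER_ALGORITHM} cipher initialised in {@code mode} with {@code kek}.
     *
     * @throws LocalizedKeyStoreException if the JCE does not provide the cipher.
     * @throws IllegalStateException      if the derived key is rejected, which cannot happen for a 128-bit AES key.
     */
    private static Cipher getCipher(final int mode, final SecretKey kek) throws LocalizedKeyStoreException {
        try {
            final Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
            cipher.init(mode, kek);
            return cipher;
        } catch (InvalidKeyException e) {
            throw new IllegalStateException("key is incompatible with the cipher", e);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_UNSUPPORTED_CIPHER.get(CIPHER_ALGORITHM), e);
        }
    }

    /**
     * Derives the AES key-encryption key from {@code password} and {@code salt} with PBKDF2.
     * <p>
     * Best-effort hygiene only: the {@link PBEKeySpec} and the returned key bytes are wiped, but the JCE's
     * own internal copies of the password and derived key cannot be reached from here.
     *
     * @throws LocalizedKeyStoreException if PBKDF2 is unavailable or rejects the parameters.
     */
    private static SecretKey createAESSecretKey(final char[] password, final byte[] salt, final int iterations)
            throws LocalizedKeyStoreException {
        final PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, PBKDF2_KEY_SIZE);
        try {
            final byte[] derived = SecretKeyFactory.getInstance(PBKDF2_ALGORITHM).generateSecret(spec).getEncoded();
            try {
                return new SecretKeySpec(derived, "AES"); // SecretKeySpec copies the array
            } finally {
                Arrays.fill(derived, (byte) 0);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_UNSUPPORTED_KF.get(PBKDF2_ALGORITHM), e);
        } catch (InvalidKeySpecException e) {
            throw new LocalizedKeyStoreException(
                    KeystoreMessages.KEYSTORE_UNSUPPORTED_KF_ARGS.get(PBKDF2_ALGORITHM, iterations, PBKDF2_KEY_SIZE), e);
        } finally {
            spec.clearPassword();
        }
    }

    /**
     * Pads {@code encoded} to a multiple of {@value #WRAP_BLOCK_SIZE} bytes by appending the bytes
     * {@code 1, 2, ..., n} where {@code n} (1..8) is the number of bytes added. Padding is always added,
     * so the last byte always gives the pad length. This is a private scheme, not PKCS#7.
     */
    private static byte[] pad(final byte[] encoded) {
        final int padLength = WRAP_BLOCK_SIZE - (encoded.length % WRAP_BLOCK_SIZE); // 1..8, never 0
        final byte[] padded = Arrays.copyOf(encoded, encoded.length + padLength);
        for (int i = 0; i < padLength; i++) {
            padded[encoded.length + i] = (byte) (i + 1);
        }
        return padded;
    }

    /**
     * Reverses {@link #pad} on the unwrapped key and builds the final {@link Key}.
     * <p>
     * The check is not constant-time; that is acceptable because it runs only after AESWrap's integrity
     * check has already accepted the data, so a padding failure is not an oracle for an attacker.
     *
     * @throws LocalizedKeyStoreException if the padding is inconsistent.
     */
    private static Key unpad(final Key paddedKey, final String algorithm, final boolean isPrivateKey)
            throws LocalizedKeyStoreException {
        final byte[] padded = paddedKey.getEncoded();
        try {
            final int length = padded.length;
            if (length < WRAP_BLOCK_SIZE) {
                throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_BAD_PADDING.get());
            }
            final int padLength = padded[length - 1];
            if (padLength < 1 || padLength > WRAP_BLOCK_SIZE) {
                throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_BAD_PADDING.get());
            }
            final int keyLength = length - padLength;
            for (int i = 0; i < padLength; i++) {
                if (padded[keyLength + i] != i + 1) {
                    throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_DECODE_BAD_PADDING.get());
                }
            }
            return newKeyFromBytes(Arrays.copyOf(padded, keyLength), algorithm, isPrivateKey);
        } finally {
            // getEncoded() on the unwrapped SecretKeySpec returns a copy, so wiping it is safe.
            Arrays.fill(padded, (byte) 0);
        }
    }

    /**
     * Turns recovered key bytes into a {@link Key}: a {@link SecretKeySpec} for secret keys, or a PKCS#8
     * private key via {@link KeyFactory} otherwise. {@code material} is wiped on return; both JCE
     * constructors copy their input, so this is safe.
     *
     * @throws LocalizedKeyStoreException if no {@link KeyFactory} exists for {@code algorithm} or the bytes
     *                                    are not a valid PKCS#8 encoding for it.
     */
    private static Key newKeyFromBytes(final byte[] material, final String algorithm, final boolean isPrivateKey)
            throws LocalizedKeyStoreException {
        try {
            if (!isPrivateKey) {
                return new SecretKeySpec(material, algorithm);
            }
            return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(material));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new LocalizedKeyStoreException(KeystoreMessages.KEYSTORE_UNSUPPORTED_KF.get(algorithm), e);
        } finally {
            Arrays.fill(material, (byte) 0);
        }
    }

    /** Overwrites a password array so its contents do not linger on the heap; tolerates {@code null}. */
    private static void destroyCharArray(final char[] password) {
        if (password != null) {
            Arrays.fill(password, ' ');
        }
    }
}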
