package org.apache.qpid.client.message;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.jms.JMSException;
import javax.security.auth.x500.X500Principal;
import org.apache.qpid.client.AMQSession;
import org.apache.qpid.transport.ConnectionSettings;
import org.icepdf.core.util.PdfOps;

/* loaded from: input_file:BOOT-INF/lib/qpid-client-6.1.2.jar:org/apache/qpid/client/message/MessageEncryptionHelper.class */
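/**
 * Session-scoped helper implementing the client side of message encryption as a
 * key-transport scheme:
 * <ul>
 *   <li>{@link #createSecretKey()} / {@link #getInitialisationVector()} draw a fresh
 *       256-bit AES content key and a 16-byte IV from {@link SecureRandom};</li>
 *   <li>{@link #encrypt} encrypts a payload with that key/IV using
 *       {@link #getMessageEncryptionCipherName()} (default AES/CBC/PKCS5Padding);</li>
 *   <li>{@link #getKeyTransportRecipientInfo} wraps the content key once per recipient
 *       under the recipient certificate's public key using
 *       {@link #getKeyEncryptionAlgorithm()} (default RSA-OAEP/SHA-256) and tags each
 *       wrapped key with the certificate's issuer DN and serial number;</li>
 *   <li>{@link #getEncryptionPrivateKey} locates, by issuer DN + serial, the private
 *       key a receiving client uses to unwrap its copy of the content key.</li>
 * </ul>
 * Recipient certificates are looked up in the connection's encryption trust store,
 * which may be supplied by the broker (see {@link #getSigningCertificateStore()}).
 *
 * <p>Security caveats a maintainer should know:
 * <ul>
 *   <li>The default content cipher (CBC + PKCS#5) gives confidentiality only. There is
 *       no MAC or AEAD tag in this scheme, so ciphertext tampering is not detected by
 *       the cryptography itself. The default is left unchanged here because receivers
 *       must support whatever is configured; moving to an AEAD mode is a coordinated
 *       wire-format change, not a local fix.</li>
 *   <li>Recipient certificates are matched purely by subject DN or SAN and filtered only
 *       by {@link X509Certificate#checkValidity()}. No chain building, revocation or
 *       key-usage check is performed, so everything in the trust store is implicitly an
 *       authorised recipient.</li>
 * </ul>
 *
 * <p>Thread-safety: the certificate cache and the random source are synchronised. The
 * algorithm-name setters are plain field writes and are expected to be called before
 * the helper is shared between threads.
 */
public class MessageEncryptionHelper {
    // Message property / header names used by the encryption feature. They are
    // defined here for the rest of the client; this class does not read them itself.
    public static final String ENCRYPTION_ALGORITHM_PROPERTY = "x-qpid-encryption-algorithm";
    public static final String KEY_INIT_VECTOR_PROPERTY = "x-qpid-key-init-vector";
    public static final String ENCRYPTED_KEYS_PROPERTY = "x-qpid-encrypted-keys";
    public static final String ENCRYPT_HEADER = "x-qpid-encrypt";
    public static final String ENCRYPT_RECIPIENTS_HEADER = "x-qpid-encrypt-recipients";
    public static final String UNENCRYPTED_PROPERTIES_HEADER = "x-qpid-unencrypted-properties";

    /** Content key size (AES-256); {@link #AES_KEY_SIZE_BYTES} is the same value in bytes. */
    static final int AES_KEY_SIZE_BITS = 256;
    public static final int AES_KEY_SIZE_BYTES = 32;
    public static final String AES_ALGORITHM = "AES";
    /** Default content cipher; confidentiality only, see class comment. */
    public static final String DEFAULT_MESSAGE_ENCRYPTION_CIPHER_NAME = "AES/CBC/PKCS5Padding";
    /** AES block size, which is also the CBC IV length. */
    public static final int AES_INITIALIZATION_VECTOR_LENGTH = 16;
    /** Default key-wrapping transformation: RSA-OAEP with SHA-256/MGF1 (not PKCS#1 v1.5). */
    public static final String DEFAULT_KEY_ENCRYPTION_ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Type tag emitted first in {@link KeyTransportRecipientInfo#asList()}. */
    private static final int KEY_TRANSPORT_RECIPIENT_INFO_TYPE = 1;
    /** SubjectAltName GeneralName tags (RFC 5280): rfc822Name and dNSName. */
    private static final int SAN_RFC822_NAME = 1;
    private static final int SAN_DNS_NAME = 2;
    private static final int CERTIFICATE_CACHE_MAX_ENTRIES = 128;
    private static final int CIPHER_READ_CHUNK_BYTES = 512;

    private final AMQSession<?, ?> _session;
    /**
     * Bounded LRU cache (access-ordered LinkedHashMap, synchronised) from recipient
     * name to the certificate selected for it. Entries are re-validated on every hit
     * so a certificate that has expired since it was cached is never handed out.
     */
    private final Map<String, X509Certificate> _signingCertificateCache =
            Collections.synchronizedMap(new LinkedHashMap<String, X509Certificate>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, X509Certificate> entry) {
                    return size() > CERTIFICATE_CACHE_MAX_ENTRIES;
                }
            });
    private String _keyEncryptionAlgorithm = DEFAULT_KEY_ENCRYPTION_ALGORITHM;
    private String _messageEncryptionCipherName = DEFAULT_MESSAGE_ENCRYPTION_CIPHER_NAME;
    /** Lazily created under {@code synchronized (this)} in {@link #getRandomBytes}. */
    private SecureRandom _random;

    /**
     * One recipient's copy of the wrapped content key, plus enough information
     * (issuer DN + serial number) for the recipient to find the matching private key.
     */
    public interface KeyTransportRecipientInfo {
        int getType();

        String getKeyEncryptionAlgorithm();

        String getCertIssuerPrincipal();

        String getCertSerialNumber();

        byte[] getEncryptedKey();

        /** Wire representation: [type, algorithm, issuer, serial, encryptedKey]. */
        List<Object> asList();
    }

    private static class KeyTransportRecipientInfoImpl implements KeyTransportRecipientInfo {
        private final String _keyEncryptionAlgorithm;
        private final String _issuePrincipal;
        private final String _serialNumber;
        private final byte[] _encryptedKey;

        KeyTransportRecipientInfoImpl(String keyEncryptionAlgorithm,
                                      String issuerPrincipal,
                                      String serialNumber,
                                      byte[] encryptedKey) {
            this._keyEncryptionAlgorithm = keyEncryptionAlgorithm;
            this._issuePrincipal = issuerPrincipal;
            this._serialNumber = serialNumber;
            this._encryptedKey = encryptedKey;
        }

        @Override
        public int getType() {
            return KEY_TRANSPORT_RECIPIENT_INFO_TYPE;
        }

        @Override
        public String getKeyEncryptionAlgorithm() {
            return this._keyEncryptionAlgorithm;
        }

        @Override
        public String getCertIssuerPrincipal() {
            return this._issuePrincipal;
        }

        @Override
        public String getCertSerialNumber() {
            return this._serialNumber;
        }

        /** Returns the internal array without copying; callers must not mutate it. */
        @Override
        public byte[] getEncryptedKey() {
            return this._encryptedKey;
        }

        @Override
        public List<Object> asList() {
            List<Object> fields = new ArrayList<>(5);
            fields.add(KEY_TRANSPORT_RECIPIENT_INFO_TYPE);
            fields.add(this._keyEncryptionAlgorithm);
            fields.add(this._issuePrincipal);
            fields.add(this._serialNumber);
            fields.add(this._encryptedKey);
            return fields;
        }
    }

    public MessageEncryptionHelper(AMQSession<?, ?> aMQSession) {
        this._session = aMQSession;
    }

    public String getKeyEncryptionAlgorithm() {
        return this._keyEncryptionAlgorithm;
    }

    /**
     * Sets the JCE transformation used to wrap the content key for each recipient.
     * Not validated here; an unknown name surfaces from {@code Cipher.getInstance}
     * in {@link #getKeyTransportRecipientInfo}.
     */
    public void setKeyEncryptionAlgorithm(String str) {
        this._keyEncryptionAlgorithm = str;
    }

    public String getMessageEncryptionCipherName() {
        return this._messageEncryptionCipherName;
    }

    /**
     * Sets the JCE transformation used for the payload. Not validated here; an
     * unknown name surfaces as {@link IllegalArgumentException} from {@link #encrypt}.
     * {@link #encrypt} always passes an {@link IvParameterSpec}, so the transformation
     * must be one that takes an IV.
     */
    public void setMessageEncryptionCipherName(String str) {
        this._messageEncryptionCipherName = str;
    }

    /**
     * Returns the trust store holding recipient certificates. The connection settings
     * may resolve this to a store supplied by the broker; a JMS failure while fetching
     * it is reported as a {@link CertificateException}.
     */
    public KeyStore getSigningCertificateStore() throws GeneralSecurityException, IOException {
        return this._session.getAMQConnection().getConnectionSettings().getEncryptionTrustStore(
                new ConnectionSettings.RemoteStoreFinder() {
                    @Override
                    public KeyStore getKeyStore(String name) throws GeneralSecurityException, IOException {
                        try {
                            return MessageEncryptionHelper.this._session.getAMQConnection().getBrokerSuppliedTrustStore(name);
                        } catch (JMSException e) {
                            // The decompiled listing spelled the closing quote via an unrelated
                            // icepdf constant (PdfOps.SINGLE_QUOTE_TOKEN == "'"); the literal is used here.
                            throw new CertificateException("Could not load remote certificate store: '" + name + "'", e);
                        }
                    }
                });
    }

    /**
     * Wraps {@code secretKeySpec} (the content key) once per recipient.
     *
     * @param list          recipient names (subject DN, e-mail or DNS name); each is trimmed
     *                      before lookup
     * @param secretKeySpec the content key to wrap
     * @return one {@link KeyTransportRecipientInfo} per recipient, in input order
     * @throws CertificateException if no currently valid certificate is found for a recipient
     * @throws GeneralSecurityException on key-store or cipher failures
     */
    public List<KeyTransportRecipientInfo> getKeyTransportRecipientInfo(List<String> list, SecretKeySpec secretKeySpec)
            throws GeneralSecurityException, IOException {
        List<KeyTransportRecipientInfo> infos = new ArrayList<>(list.size());
        String keyEncryptionAlgorithm = getKeyEncryptionAlgorithm();
        byte[] contentKey = secretKeySpec.getEncoded();
        for (String recipient : list) {
            X509Certificate certificate = getSigningCertificate(recipient.trim());
            if (certificate == null) {
                throw new CertificateException("Unable to find certificate for recipient '" + recipient + "'");
            }
            Cipher keyCipher = Cipher.getInstance(keyEncryptionAlgorithm);
            keyCipher.init(Cipher.ENCRYPT_MODE, certificate.getPublicKey());
            infos.add(new KeyTransportRecipientInfoImpl(
                    keyEncryptionAlgorithm,
                    certificate.getIssuerX500Principal().getName("CANONICAL"),
                    certificate.getSerialNumber().toString(),
                    keyCipher.doFinal(contentKey)));
        }
        return infos;
    }

    /**
     * Finds a currently valid certificate for {@code str} in the signing trust store.
     * A certificate matches if its subject DN equals {@code str} (when {@code str}
     * parses as a DN) or one of its rfc822Name / dNSName SANs equals {@code str}.
     * Among valid matches the one with the earliest notAfter is kept
     * (NOTE(review): this is what the shipped code does; confirm that preferring the
     * soonest-expiring certificate over the longest-lived one is intended).
     * Results are cached per name; a cached certificate is re-validated on each hit
     * and evicted once it is no longer valid.
     *
     * @return the selected certificate, or {@code null} if none is valid
     */
    public X509Certificate getSigningCertificate(String str) throws GeneralSecurityException, IOException {
        X509Certificate cached = this._signingCertificateCache.get(str);
        if (cached != null) {
            try {
                cached.checkValidity();
                return cached;
            } catch (CertificateExpiredException | CertificateNotYetValidException stale) {
                // Valid when cached, not any more: drop it and re-select from the store.
                this._signingCertificateCache.remove(str);
            }
        }

        X500Principal wantedSubject = parsePrincipalOrNull(str);
        KeyStore store = getSigningCertificateStore();
        List<X509Certificate> candidates = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            Certificate certificate = store.getCertificate(alias);
            if (!(certificate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) certificate;
            if (wantedSubject != null && wantedSubject.equals(x509.getSubjectX500Principal())) {
                candidates.add(x509);
            } else if (matchesSubjectAlternativeName(x509, str)) {
                candidates.add(x509);
            }
        }

        X509Certificate selected = null;
        for (X509Certificate candidate : candidates) {
            try {
                candidate.checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException invalid) {
                continue; // never encrypt to a certificate outside its validity period
            }
            if (selected == null || selected.getNotAfter().getTime() > candidate.getNotAfter().getTime()) {
                selected = candidate;
            }
        }
        if (selected != null) {
            this._signingCertificateCache.put(str, selected);
        }
        return selected;
    }

    /** Parses {@code name} as an X.500 DN, or returns {@code null} if it is not one. */
    private static X500Principal parsePrincipalOrNull(String name) {
        try {
            return new X500Principal(name);
        } catch (IllegalArgumentException notADn) {
            return null;
        }
    }

    /**
     * True if any rfc822Name or dNSName SubjectAltName of {@code certificate}, trimmed,
     * equals {@code name} exactly (case-sensitive). The decompiled original looped
     * {@code while (true)} with no exit when the SAN list was exhausted without a
     * match; this is the bounded form.
     */
    private static boolean matchesSubjectAlternativeName(X509Certificate certificate, String name)
            throws CertificateException {
        Collection<List<?>> sans = certificate.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            int type = ((Integer) san.get(0)).intValue();
            if ((type == SAN_RFC822_NAME || type == SAN_DNS_NAME)
                    && san.get(1).toString().trim().equals(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks up, in the connection's encryption key store, the private key whose
     * certificate has the given issuer and serial number.
     *
     * @return the private key, or {@code null} if there is no key store or no match
     */
    public PrivateKey getEncryptionPrivateKey(X500Principal x500Principal, BigInteger bigInteger)
            throws GeneralSecurityException, IOException {
        ConnectionSettings settings = this._session.getAMQConnection().getConnectionSettings();
        KeyStore keyStore = settings.getEncryptionKeyStore();
        if (keyStore == null) {
            return null;
        }
        String password = settings.getEncryptionKeyStorePassword();
        // Hoisted out of the loop; a null password is passed through rather than NPE-ing.
        KeyStore.PasswordProtection protection =
                new KeyStore.PasswordProtection(password == null ? null : password.toCharArray());
        for (String alias : Collections.list(keyStore.aliases())) {
            KeyStore.Entry entry;
            try {
                entry = keyStore.getEntry(alias, protection);
            } catch (UnsupportedOperationException notPasswordProtected) {
                // The JDK rejects password protection on trusted-certificate entries;
                // those carry no private key, so skip them.
                continue;
            }
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                continue;
            }
            KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) entry;
            if (!(keyEntry.getCertificate() instanceof X509Certificate)) {
                continue;
            }
            X509Certificate certificate = (X509Certificate) keyEntry.getCertificate();
            if (certificate.getIssuerX500Principal().equals(x500Principal)
                    && certificate.getSerialNumber().equals(bigInteger)) {
                return keyEntry.getPrivateKey();
            }
        }
        return null;
    }

    /** Returns a fresh random AES-256 content key. */
    public SecretKeySpec createSecretKey() {
        byte[] keyBytes = new byte[AES_KEY_SIZE_BYTES];
        getRandomBytes(keyBytes);
        return new SecretKeySpec(keyBytes, AES_ALGORITHM);
    }

    /** Fills {@code target} from a lazily created, instance-wide {@link SecureRandom}. */
    private void getRandomBytes(byte[] target) {
        synchronized (this) {
            if (this._random == null) {
                this._random = new SecureRandom();
            }
            this._random.nextBytes(target);
        }
    }

    /** Returns a fresh random 16-byte IV; one per encryption, never reused with the same key. */
    public byte[] getInitialisationVector() {
        byte[] iv = new byte[AES_INITIALIZATION_VECTOR_LENGTH];
        getRandomBytes(iv);
        return iv;
    }

    /**
     * Runs {@code data[offset, offset+length)} through an initialised {@code cipher}
     * via {@link CipherInputStream} and returns the complete output.
     * Only used for encryption in this class. NOTE(review): do not reuse it for
     * decryption without checking the JDK in use — older {@code CipherInputStream}
     * implementations swallow bad-padding / bad-tag failures and return truncated
     * output instead of throwing.
     */
    public byte[] readFromCipherStream(byte[] data, int offset, int length, Cipher cipher) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (CipherInputStream in = new CipherInputStream(new ByteArrayInputStream(data, offset, length), cipher)) {
            byte[] chunk = new byte[CIPHER_READ_CHUNK_BYTES];
            int read;
            while ((read = in.read(chunk, 0, chunk.length)) != -1) {
                out.write(chunk, 0, read);
            }
        }
        return out.toByteArray();
    }

    /**
     * Whole-array overload of {@link #readFromCipherStream(byte[], int, int, Cipher)}.
     * {@code aMQSession} is unused; it is kept for source compatibility.
     */
    public byte[] readFromCipherStream(byte[] data, Cipher cipher, AMQSession aMQSession) throws IOException {
        return readFromCipherStream(data, 0, data.length, cipher);
    }

    /**
     * Encrypts {@code plaintext} with {@code secretKeySpec} and {@code iv} using
     * {@link #getMessageEncryptionCipherName()}.
     *
     * @throws IllegalArgumentException wrapping any cipher/key/IV/IO failure; the
     *         message names the cipher and key algorithm/size but never key material
     */
    public byte[] encrypt(SecretKeySpec secretKeySpec, byte[] plaintext, byte[] iv) {
        try {
            Cipher cipher = Cipher.getInstance(getMessageEncryptionCipherName());
            cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, new IvParameterSpec(iv));
            return readFromCipherStream(plaintext, cipher, this._session);
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException
                 | NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new IllegalArgumentException("Unable to encrypt secret with secret key. Cipher: "
                    + getMessageEncryptionCipherName() + " . Key of type " + secretKeySpec.getAlgorithm()
                    + " size " + secretKeySpec.getEncoded().length, e);
        }
    }
}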
