package org.forgerock.openam.shared.security.crypto;

import com.iplanet.services.util.AMEncryption;
import com.iplanet.services.util.ConfigurableKey;
import com.sun.identity.shared.debug.Debug;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.interfaces.PBEKey;
import javax.crypto.spec.SecretKeySpec;
import org.forgerock.openam.sdk.org.forgerock.util.Reject;
import org.forgerock.openam.sdk.org.forgerock.util.annotations.VisibleForTesting;
import org.forgerock.openam.utils.CipherProvider;
import org.forgerock.openam.utils.Providers;

/* loaded from: input_file:org/forgerock/openam/shared/security/crypto/AESWrapEncryption.class */
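/**
 * {@link AMEncryption} implementation that protects data with the JCE AES key-wrap cipher,
 * using a key obtained from a {@link PBKDF2KeyDerivation}.
 *
 * <p>Encrypted message layout, as produced by {@link #formatEncryptedMessage}:
 * <pre>
 *   byte 0      format version (currently 2)
 *   byte 1      salt length N, read back as an unsigned byte (0..255)
 *   bytes 2..   N bytes of key-derivation salt
 *   remainder   output of Cipher.wrap() over the padded plaintext
 * </pre>
 *
 * <p>The version byte, salt length and salt are taken from the message itself on decryption,
 * so they are caller-controlled input and are bounds-checked before use.
 *
 * <p>{@link #encrypt} and {@link #decrypt} report every failure by logging and returning
 * {@code null}; callers must check for {@code null} and must not treat it as empty data.
 */
public class AESWrapEncryption implements AMEncryption, ConfigurableKey {
    /** Format version written as the first byte of every message and required on decryption. */
    private static final byte VERSION = 2;

    /** Plaintext is padded to a multiple of this many bytes before wrapping. */
    private static final int AESWRAP_BLOCK_SIZE = 8;

    /** Number of header bytes (version + salt length) that precede the salt. */
    private static final int HEADER_SIZE = 2;

    private static final Debug DEBUG = Debug.getInstance("amSDK");

    /** Cache size handed to the cipher provider; overridable via the "amCryptoCacheSize" system property. */
    private static final int CACHE_SIZE = Integer.getInteger("amCryptoCacheSize", 1024).intValue();

    /** JCE algorithm name: "AESWrapPad" when java.specification.version is 17 or higher, otherwise "AESWrap". */
    private static final String CIPHER_PROVIDER_ALGORITHM;
    private static final CipherProvider CIPHER_PROVIDER;

    /**
     * Key size requested from the key derivation; overridable via the
     * "org.forgerock.openam.encryption.key.size" system property (default 128).
     * NOTE(review): presumably expressed in bits; confirm against PBKDF2KeyDerivation.
     */
    private static final int KEY_SIZE;

    private final PBKDF2KeyDerivation keyDerivation;

    static {
        // CACHE_SIZE is initialised above, so it is already set when the provider is created here.
        CIPHER_PROVIDER_ALGORITHM = Double.parseDouble(System.getProperty("java.specification.version")) >= 17.0d
                ? "AESWrapPad"
                : "AESWrap";
        CIPHER_PROVIDER = Providers.cipherProvider(CIPHER_PROVIDER_ALGORITHM, null, CACHE_SIZE);
        KEY_SIZE = Integer.getInteger("org.forgerock.openam.encryption.key.size", 128).intValue();
    }

    /**
     * Creates an instance backed by the supplied key derivation (used by tests).
     *
     * @param pBKDF2KeyDerivation the key derivation that supplies wrapping keys
     */
    @VisibleForTesting
    AESWrapEncryption(PBKDF2KeyDerivation pBKDF2KeyDerivation) {
        this.keyDerivation = pBKDF2KeyDerivation;
    }

    /** Creates an instance backed by a new {@link PBKDF2KeyDerivation}. */
    public AESWrapEncryption() {
        this(new PBKDF2KeyDerivation());
    }

    /**
     * Passes the password on to the underlying key derivation.
     *
     * @param str the password from which wrapping keys are derived
     * @throws Exception if the key derivation rejects the password
     */
    @Override // com.iplanet.services.util.ConfigurableKey
    public void setPassword(String str) throws Exception {
        this.keyDerivation.setPassword(str);
    }

    /**
     * Pads and wraps the given data and returns it in the versioned message format.
     *
     * @param bArr the plaintext to protect
     * @return the formatted message, or {@code null} if the cipher operation failed
     */
    @Override // com.iplanet.services.util.AMEncryption
    public byte[] encrypt(byte[] bArr) {
        PBEKey derivedKey = this.keyDerivation.deriveSecretKey(KEY_SIZE);
        try {
            Cipher cipher = CIPHER_PROVIDER.getCipher();
            // NOTE(review): getEncoded() hands out raw key bytes that are not cleared here. Whether
            // the array is a private copy depends on the PBEKey implementation, so it is not zeroed.
            cipher.init(Cipher.WRAP_MODE, new SecretKeySpec(derivedKey.getEncoded(), "AES"));
            byte[] wrapped = cipher.wrap(new SecretKeySpec(pkcs5pad(bArr), "RAW"));
            return formatEncryptedMessage(derivedKey, wrapped);
        } catch (GeneralSecurityException e) {
            DEBUG.error("AESWrapEncryption: Failed to encrypt data", e);
            return null;
        }
    }

    /**
     * Parses a message produced by {@link #encrypt}, unwraps it and strips the padding.
     *
     * @param bArr the formatted message
     * @return the recovered plaintext, or {@code null} if the message is malformed, carries an
     *         unexpected version, or fails to unwrap or unpad
     */
    @Override // com.iplanet.services.util.AMEncryption
    public byte[] decrypt(byte[] bArr) {
        if (bArr == null || bArr.length < HEADER_SIZE || bArr[0] != VERSION) {
            DEBUG.error("AESWrapEncryption: malformed input");
            return null;
        }
        // The salt length is a single unsigned byte, so it can never be negative after masking.
        int saltLength = bArr[1] & 0xFF;
        if (saltLength > bArr.length - HEADER_SIZE) {
            DEBUG.error("AESWrapEncryption: invalid salt length {}", Integer.valueOf(saltLength));
            return null;
        }
        int payloadStart = HEADER_SIZE + saltLength;
        // The salt comes from the message, so the key derivation runs on caller-supplied input.
        byte[] salt = Arrays.copyOfRange(bArr, HEADER_SIZE, payloadStart);
        PBEKey derivedKey = this.keyDerivation.deriveSecretKey(KEY_SIZE, salt);
        byte[] wrapped = Arrays.copyOfRange(bArr, payloadStart, bArr.length);
        try {
            Cipher cipher = CIPHER_PROVIDER.getCipher();
            cipher.init(Cipher.UNWRAP_MODE, new SecretKeySpec(derivedKey.getEncoded(), "AES"));
            return pkcs5unpad(cipher.unwrap(wrapped, "RAW", Cipher.SECRET_KEY).getEncoded());
        } catch (GeneralSecurityException e) {
            DEBUG.error("AESWrapEncryption: Failed to decrypt data", e);
            return null;
        }
    }

    /**
     * Builds the message: version byte, salt length byte, salt, then the wrapped data.
     *
     * @param pBEKey the derived key whose salt is embedded in the message
     * @param bArr the wrapped data
     * @return the formatted message
     * @throws IllegalStateException if the salt is longer than 255 bytes and so cannot be
     *         described by the single length byte
     */
    @VisibleForTesting
    static byte[] formatEncryptedMessage(PBEKey pBEKey, byte[] bArr) {
        byte[] salt = pBEKey.getSalt();
        if (salt.length > 255) {
            throw new IllegalStateException("Salt too large to be encoded");
        }
        ByteBuffer message = ByteBuffer.allocate(HEADER_SIZE + salt.length + bArr.length).order(ByteOrder.BIG_ENDIAN);
        message.put(VERSION);
        // Values 128..255 are stored as negative bytes; decrypt() masks with 0xFF to read them back.
        message.put((byte) salt.length);
        message.put(salt);
        message.put(bArr);
        return message.array();
    }

    /**
     * Pads the data to a multiple of {@link #AESWRAP_BLOCK_SIZE} bytes. Between 1 and 8 bytes are
     * always appended, each holding the number of padding bytes.
     *
     * @param bArr the data to pad
     * @return a new array holding the data followed by the padding
     */
    static byte[] pkcs5pad(byte[] bArr) {
        int length = bArr.length;
        int padLength = AESWRAP_BLOCK_SIZE - (length % AESWRAP_BLOCK_SIZE);
        byte[] padded = Arrays.copyOf(bArr, length + padLength);
        Arrays.fill(padded, length, length + padLength, (byte) padLength);
        return padded;
    }

    /**
     * Verifies and removes the padding added by {@link #pkcs5pad}.
     *
     * @param bArr the padded data
     * @return a new array holding the data without its padding
     * @throws BadPaddingException if the input is empty, the padding length is outside 1..8 or
     *         longer than the input, or the padding bytes do not all equal the padding length
     */
    static byte[] pkcs5unpad(byte[] bArr) throws BadPaddingException {
        Reject.ifNull(bArr);
        int length = bArr.length;
        // An empty buffer has no padding byte to read. Reject it as bad padding so that decrypt()
        // returns null instead of letting an ArrayIndexOutOfBoundsException escape.
        if (length == 0) {
            throw new BadPaddingException("Invalid padding: empty input");
        }
        int padLength = bArr[length - 1];
        // padLength > length would give copyOfRange a negative start index below.
        if (padLength <= 0 || padLength > AESWRAP_BLOCK_SIZE || padLength > length) {
            throw new BadPaddingException("Invalid padding length: " + padLength);
        }
        byte[] expectedPadding = new byte[padLength];
        Arrays.fill(expectedPadding, (byte) padLength);
        // MessageDigest.isEqual compares the padding bytes in constant time.
        if (MessageDigest.isEqual(expectedPadding, Arrays.copyOfRange(bArr, length - padLength, length))) {
            return Arrays.copyOfRange(bArr, 0, length - padLength);
        }
        throw new BadPaddingException("Invalid padding");
    }
}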
