package org.opcfoundation.ua.transport.security;

import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
import org.bouncycastle.crypto.AsymmetricBlockCipher;
import org.bouncycastle.crypto.BufferedBlockCipher;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.DataLengthException;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.Signer;
import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.encodings.PKCS1Encoding;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.engines.RijndaelEngine;
import org.bouncycastle.crypto.macs.HMac;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.crypto.params.ParametersWithIV;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
import org.bouncycastle.crypto.signers.RSADigestSigner;
import org.bouncycastle.util.encoders.Base64;
import org.opcfoundation.ua.common.ServiceResultException;
import org.opcfoundation.ua.core.StatusCodes;
import org.opcfoundation.ua.transport.tcp.impl.SecurityToken;
import org.opcfoundation.ua.utils.CryptoUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opcfoundation/ua/transport/security/BcCryptoProvider.class */
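/**
 * {@link CryptoProvider} implementation backed by the Bouncy Castle lightweight API.
 *
 * <p>Covers Base64, HMAC (SHA-1 / SHA-256), AES-CBC symmetric encryption, RSA
 * encryption (PKCS#1 v1.5 and OAEP with SHA-1) and RSA signatures (SHA-1 / SHA-256).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #verifySymm} compares MACs in constant time and never logs the
 *       locally computed MAC; anyone who could read a valid MAC from the log could
 *       replay it for the same message.</li>
 *   <li>{@code Rsa15} selects PKCS#1 v1.5 encryption padding, which is susceptible
 *       to padding-oracle attacks whenever a remote peer can tell padding failures
 *       apart from other errors. NOTE(review): confirm callers map decrypt failures
 *       to a single, indistinguishable response.</li>
 *   <li>SHA-1 based algorithms ({@code HmacSha1}, {@code RsaSha1}) are kept only
 *       because the negotiated security policy may request them.</li>
 * </ul>
 */
public class BcCryptoProvider implements CryptoProvider {
    static Logger logger = LoggerFactory.getLogger(BcCryptoProvider.class);

    /**
     * Decodes a Base64 string.
     *
     * @param str Base64 text
     * @return the decoded bytes
     */
    @Override
    public byte[] base64Decode(String str) {
        return Base64.decode(str);
    }

    /**
     * Encodes bytes as a Base64 string.
     *
     * @param bArr bytes to encode
     * @return the Base64 text
     */
    @Override
    public String base64Encode(byte[] bArr) {
        try {
            return new String(Base64.encode(bArr), "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory on every JVM; this branch is not expected to run.
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates and keys a JCE {@link Mac} for the given algorithm.
     *
     * @param securityAlgorithm algorithm whose standard name selects the JCE MAC
     * @param bArr raw MAC key
     * @return an initialised {@link Mac}
     * @throws ServiceResultException {@code Bad_SecurityChecksFailed} when the key is
     *     rejected, {@code Bad_InternalError} for any other JCE failure
     */
    @Override
    public Mac createMac(SecurityAlgorithm securityAlgorithm, byte[] bArr) throws ServiceResultException {
        String jceName = securityAlgorithm.getStandardName();
        SecretKeySpec keySpec = new SecretKeySpec(bArr, jceName);
        try {
            Mac mac = Mac.getInstance(jceName);
            mac.init(keySpec);
            return mac;
        } catch (InvalidKeyException e) {
            throw new ServiceResultException(StatusCodes.Bad_SecurityChecksFailed, e);
        } catch (GeneralSecurityException e) {
            throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
        }
    }

    /**
     * Decrypts RSA ciphertext block by block into {@code bArr2}.
     *
     * @param privateKey RSA private key; must be an {@link RSAPrivateCrtKey}
     * @param securityAlgorithm {@code Rsa15} or {@code RsaOaep}
     * @param bArr ciphertext
     * @param bArr2 destination buffer
     * @param i offset in {@code bArr2} at which plaintext is written
     * @return number of plaintext bytes written
     * @throws ServiceResultException {@code Bad_SecurityPolicyRejected} for an
     *     unsupported algorithm, {@code Bad_InternalError} when decryption fails
     */
    @Override
    public int decryptAsymm(PrivateKey privateKey, SecurityAlgorithm securityAlgorithm, byte[] bArr, byte[] bArr2, int i) throws ServiceResultException {
        AsymmetricBlockCipher cipher = getAsymmetricCipher(securityAlgorithm, toBcPrivateKey(privateKey));
        try {
            logger.debug("Decrypt: inputBlockSize={}, outputBlockSize={}, dataToDecrypt.length={}", new Object[]{cipher.getInputBlockSize(), cipher.getOutputBlockSize(), bArr.length});
            return processBlocks(cipher, bArr, bArr2, i);
        } catch (CryptoException e) {
            // NOTE(review): the ciphertext is peer-supplied; make sure the caller does not
            // expose a padding failure to the peer as a distinguishable error.
            throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
        }
    }

    /**
     * Decrypts data with AES-CBC using the token's remote key and IV.
     *
     * <p>No padding is handled here, so the input must be a whole number of cipher blocks.
     *
     * @param securityToken supplies the remote encrypting key and initialization vector
     * @param bArr ciphertext buffer
     * @param i offset of the ciphertext in {@code bArr}
     * @param i2 ciphertext length
     * @param bArr2 destination buffer
     * @param i3 offset in {@code bArr2} at which plaintext is written
     * @return number of bytes written
     * @throws ServiceResultException {@code Bad_InternalError} when the cipher fails
     */
    @Override
    public int decryptSymm(SecurityToken securityToken, byte[] bArr, int i, int i2, byte[] bArr2, int i3) throws ServiceResultException {
        BufferedBlockCipher cipher = new BufferedBlockCipher(new CBCBlockCipher(new AESEngine()));
        cipher.init(false, new ParametersWithIV(new KeyParameter(securityToken.getRemoteEncryptingKey()), securityToken.getRemoteInitializationVector()));
        int written = cipher.processBytes(bArr, i, i2, bArr2, i3);
        try {
            return written + cipher.doFinal(bArr2, i3 + written);
        } catch (DataLengthException e) {
            logger.error("Input data is not an even number of encryption blocks.", e);
            throw new ServiceResultException(StatusCodes.Bad_InternalError, "Error in symmetric decrypt: Input data is not an even number of encryption blocks.");
        } catch (CryptoException e) {
            throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
        }
    }

    /**
     * Encrypts data with RSA block by block into {@code bArr2}.
     *
     * @param publicKey RSA public key; must be an {@link RSAPublicKey}
     * @param securityAlgorithm {@code Rsa15} or {@code RsaOaep}
     * @param bArr plaintext
     * @param bArr2 destination buffer
     * @param i offset in {@code bArr2} at which ciphertext is written
     * @throws ServiceResultException {@code Bad_SecurityPolicyRejected} for an
     *     unsupported algorithm, {@code Bad_InternalError} when encryption fails
     */
    @Override
    public void encryptAsymm(PublicKey publicKey, SecurityAlgorithm securityAlgorithm, byte[] bArr, byte[] bArr2, int i) throws ServiceResultException {
        try {
            AsymmetricBlockCipher cipher = getAsymmetricCipher(securityAlgorithm, toBcPublicKey(publicKey));
            logger.debug("Encrypt: inputBlockSize={}, outputBlockSize={}, dataToEncrypt.length={}", new Object[]{cipher.getInputBlockSize(), cipher.getOutputBlockSize(), bArr.length});
            processBlocks(cipher, bArr, bArr2, i);
        } catch (InvalidCipherTextException e) {
            throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
        }
    }

    /**
     * Encrypts data with CBC mode using the token's local key and IV.
     *
     * <p>No padding is added here, so the input must be a whole number of cipher blocks.
     *
     * @param securityToken supplies the local encrypting key and initialization vector
     * @param bArr plaintext buffer
     * @param i offset of the plaintext in {@code bArr}
     * @param i2 plaintext length
     * @param bArr2 destination buffer
     * @param i3 offset in {@code bArr2} at which ciphertext is written
     * @return number of bytes written
     * @throws ServiceResultException {@code Bad_InternalError} when the cipher fails
     */
    @Override
    public int encryptSymm(SecurityToken securityToken, byte[] bArr, int i, int i2, byte[] bArr2, int i3) throws ServiceResultException {
        // RijndaelEngine's default block size is 128 bits, i.e. the AES block size that
        // decryptSymm uses through AESEngine.
        BufferedBlockCipher cipher = new BufferedBlockCipher(new CBCBlockCipher(new RijndaelEngine()));
        cipher.init(true, new ParametersWithIV(new KeyParameter(securityToken.getLocalEncryptingKey()), securityToken.getLocalInitializationVector()));
        int written = cipher.processBytes(bArr, i, i2, bArr2, i3);
        try {
            return written + cipher.doFinal(bArr2, i3 + written);
        } catch (DataLengthException e) {
            logger.error("Input data is not an even number of encryption blocks.", e);
            throw new ServiceResultException(StatusCodes.Bad_InternalError, "Error in symmetric encrypt: Input data is not an even number of encryption blocks.");
        } catch (CryptoException e) {
            throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
        }
    }

    /**
     * Signs data with an RSA private key.
     *
     * @param privateKey RSA private key; must be an {@link RSAPrivateCrtKey}
     * @param securityAlgorithm {@code RsaSha1} or {@code RsaSha256}; {@code null} means
     *     "no signature" and yields {@code null}
     * @param bArr data to sign
     * @return the signature, or {@code null} when {@code securityAlgorithm} is {@code null}
     * @throws IllegalArgumentException if the key or the data is {@code null}
     * @throws ServiceResultException {@code Bad_SecurityPolicyRejected} for an
     *     unsupported algorithm, {@code Bad_InternalError} when signing fails
     */
    @Override
    public byte[] signAsymm(PrivateKey privateKey, SecurityAlgorithm securityAlgorithm, byte[] bArr) throws ServiceResultException {
        if (securityAlgorithm == null) {
            return null;
        }
        if (bArr == null || privateKey == null) {
            throw new IllegalArgumentException("null arg");
        }
        Signer signer = getAsymmetricSigner(true, securityAlgorithm, toBcPrivateKey(privateKey));
        signer.update(bArr, 0, bArr.length);
        try {
            return signer.generateSignature();
        } catch (CryptoException e) {
            throw new ServiceResultException(StatusCodes.Bad_InternalError, e);
        } catch (DataLengthException e) {
            logger.error("Invalid data length while generating the signature.", e);
            throw new ServiceResultException(StatusCodes.Bad_InternalError, "Error in asymmetric sign: invalid data length");
        }
    }

    /**
     * Computes the HMAC of the first {@code i} bytes of {@code bArr} with the token's
     * local signing key and writes it to the start of {@code bArr2}.
     *
     * @param securityToken supplies the security policy and local signing key
     * @param bArr buffer holding the data to sign
     * @param i number of bytes of {@code bArr} to sign, starting at offset 0
     * @param bArr2 destination for the MAC
     * @throws ServiceResultException {@code Bad_SecurityPolicyRejected} for an
     *     unsupported MAC algorithm
     */
    @Override
    public void signSymm(SecurityToken securityToken, byte[] bArr, int i, byte[] bArr2) throws ServiceResultException {
        HMac hmac = createMac(securityToken.getSecurityPolicy().getSymmetricSignatureAlgorithm(), new KeyParameter(securityToken.getLocalSigningKey()));
        hmac.update(bArr, 0, i);
        hmac.doFinal(bArr2, 0);
    }

    /**
     * Verifies an RSA signature.
     *
     * @param publicKey RSA public key; must be an {@link RSAPublicKey}
     * @param securityAlgorithm {@code RsaSha1} or {@code RsaSha256}
     * @param bArr signed data
     * @param bArr2 signature to check
     * @return {@code true} if the signature is valid, or if {@code securityAlgorithm}
     *     is {@code null}
     * @throws IllegalArgumentException if the key, data or signature is {@code null}
     * @throws ServiceResultException {@code Bad_SecurityPolicyRejected} for an
     *     unsupported algorithm
     */
    @Override
    public boolean verifyAsymm(PublicKey publicKey, SecurityAlgorithm securityAlgorithm, byte[] bArr, byte[] bArr2) throws ServiceResultException {
        if (securityAlgorithm == null) {
            // NOTE(review): a null algorithm reports success without checking anything.
            // Presumably this is the "no security" policy; callers must never reach
            // this path with a null algorithm on a secured channel - TODO confirm.
            return true;
        }
        if (publicKey == null || bArr == null || bArr2 == null) {
            throw new IllegalArgumentException("null arg");
        }
        Signer verifier = getAsymmetricSigner(false, securityAlgorithm, toBcPublicKey(publicKey));
        verifier.update(bArr, 0, bArr.length);
        return verifier.verifySignature(bArr2);
    }

    /**
     * Verifies the HMAC of {@code bArr} against {@code bArr2} using the token's remote
     * signing key.
     *
     * @param securityToken supplies the security policy and remote signing key
     * @param bArr data that was signed
     * @param bArr2 received MAC
     * @throws ServiceResultException {@code Bad_SecurityChecksFailed} when the MAC has
     *     the wrong length or does not match, {@code Bad_SecurityPolicyRejected} for an
     *     unsupported MAC algorithm
     */
    @Override
    public void verifySymm(SecurityToken securityToken, byte[] bArr, byte[] bArr2) throws ServiceResultException {
        HMac hmac = createMac(securityToken.getSecurityPolicy().getSymmetricSignatureAlgorithm(), new KeyParameter(securityToken.getRemoteSigningKey()));
        byte[] expected = new byte[hmac.getMacSize()];
        hmac.update(bArr, 0, bArr.length);
        hmac.doFinal(expected, 0);
        if (bArr2.length != expected.length) {
            // Only lengths are logged: the expected MAC must not reach the log.
            logger.warn("Signature lengths do not match: received {} bytes, expected {} bytes", bArr2.length, expected.length);
            throw new ServiceResultException(StatusCodes.Bad_SecurityChecksFailed, "Invalid signature: lengths do not match");
        }
        // Constant-time comparison: an early-exit byte loop reveals, through timing,
        // how many leading bytes of a forged MAC were correct.
        if (!MessageDigest.isEqual(expected, bArr2)) {
            logger.warn("Signatures do not match; received: \n{}", CryptoUtil.toHex(bArr2));
            throw new ServiceResultException(StatusCodes.Bad_SecurityChecksFailed, "Invalid signature: signatures do not match");
        }
    }

    /** Builds and keys a Bouncy Castle HMAC for {@code HmacSha1} or {@code HmacSha256}. */
    private HMac createMac(SecurityAlgorithm securityAlgorithm, KeyParameter keyParameter) throws ServiceResultException {
        HMac hmac;
        if (securityAlgorithm.equals(SecurityAlgorithm.HmacSha1)) {
            hmac = new HMac(new SHA1Digest());
        } else if (securityAlgorithm.equals(SecurityAlgorithm.HmacSha256)) {
            hmac = new HMac(new SHA256Digest());
        } else {
            throw new ServiceResultException(StatusCodes.Bad_SecurityPolicyRejected, "Unsupported symmetric signature algorithm: " + securityAlgorithm);
        }
        hmac.init(keyParameter);
        return hmac;
    }

    /**
     * Builds an RSA cipher with the padding chosen by the algorithm ({@code Rsa15} is
     * PKCS#1 v1.5, {@code RsaOaep} is OAEP with SHA-1) and initialises it.
     *
     * @param z {@code true} to encrypt, {@code false} to decrypt
     */
    private AsymmetricBlockCipher getAsymmetricCipher(boolean z, SecurityAlgorithm securityAlgorithm, CipherParameters cipherParameters) throws ServiceResultException {
        // Declared as the common interface: OAEPEncoding is not a PKCS1Encoding.
        AsymmetricBlockCipher cipher;
        if (securityAlgorithm.equals(SecurityAlgorithm.Rsa15)) {
            cipher = new PKCS1Encoding(new RSAEngine());
        } else if (securityAlgorithm.equals(SecurityAlgorithm.RsaOaep)) {
            cipher = new OAEPEncoding(new RSAEngine(), new SHA1Digest());
        } else {
            throw new ServiceResultException(StatusCodes.Bad_SecurityPolicyRejected, "Unsupported asymmetric encryption algorithm: " + securityAlgorithm);
        }
        cipher.init(z, cipherParameters);
        return cipher;
    }

    /** Builds a decrypting RSA cipher from a private key. */
    private AsymmetricBlockCipher getAsymmetricCipher(SecurityAlgorithm securityAlgorithm, RSAPrivateKey rSAPrivateKey) throws ServiceResultException {
        return getAsymmetricCipher(false, securityAlgorithm, toCrtParameters(rSAPrivateKey));
    }

    /** Builds an encrypting RSA cipher from a public key. */
    private AsymmetricBlockCipher getAsymmetricCipher(SecurityAlgorithm securityAlgorithm, org.bouncycastle.asn1.pkcs.RSAPublicKey rSAPublicKey) throws ServiceResultException {
        return getAsymmetricCipher(true, securityAlgorithm, toPublicParameters(rSAPublicKey));
    }

    /**
     * Builds an RSA signer with the digest chosen by the algorithm ({@code RsaSha1} or
     * {@code RsaSha256}) and initialises it.
     *
     * @param z {@code true} to sign, {@code false} to verify
     */
    private Signer getAsymmetricSigner(boolean z, SecurityAlgorithm securityAlgorithm, CipherParameters cipherParameters) throws ServiceResultException {
        RSADigestSigner signer;
        if (securityAlgorithm.equals(SecurityAlgorithm.RsaSha1)) {
            signer = new RSADigestSigner(new SHA1Digest());
        } else if (securityAlgorithm.equals(SecurityAlgorithm.RsaSha256)) {
            signer = new RSADigestSigner(new SHA256Digest());
        } else {
            throw new ServiceResultException(StatusCodes.Bad_SecurityPolicyRejected, "Unsupported asymmetric signature algorithm: " + securityAlgorithm);
        }
        signer.init(z, cipherParameters);
        return signer;
    }

    /** Builds an RSA signer keyed with a private key. */
    private Signer getAsymmetricSigner(boolean z, SecurityAlgorithm securityAlgorithm, RSAPrivateKey rSAPrivateKey) throws ServiceResultException {
        return getAsymmetricSigner(z, securityAlgorithm, toCrtParameters(rSAPrivateKey));
    }

    /** Builds an RSA signer keyed with a public key. */
    private Signer getAsymmetricSigner(boolean z, SecurityAlgorithm securityAlgorithm, org.bouncycastle.asn1.pkcs.RSAPublicKey rSAPublicKey) throws ServiceResultException {
        return getAsymmetricSigner(z, securityAlgorithm, toPublicParameters(rSAPublicKey));
    }

    /** Runs {@code input} through the cipher one input block at a time; returns bytes written. */
    private static int processBlocks(AsymmetricBlockCipher cipher, byte[] input, byte[] output, int outputOffset) throws InvalidCipherTextException {
        int blockSize = cipher.getInputBlockSize();
        int written = 0;
        for (int pos = 0; pos < input.length; pos += blockSize) {
            byte[] block = cipher.processBlock(input, pos, Math.min(input.length - pos, blockSize));
            System.arraycopy(block, 0, output, outputOffset + written, block.length);
            written += block.length;
        }
        return written;
    }

    /** Converts a JCA RSA CRT private key to the Bouncy Castle ASN.1 structure. */
    private static RSAPrivateKey toBcPrivateKey(PrivateKey privateKey) {
        RSAPrivateCrtKey crt = (RSAPrivateCrtKey) privateKey;
        return new RSAPrivateKey(crt.getModulus(), crt.getPublicExponent(), crt.getPrivateExponent(), crt.getPrimeP(), crt.getPrimeQ(), crt.getPrimeExponentP(), crt.getPrimeExponentQ(), crt.getCrtCoefficient());
    }

    /** Converts a JCA RSA public key to the Bouncy Castle ASN.1 structure. */
    private static org.bouncycastle.asn1.pkcs.RSAPublicKey toBcPublicKey(PublicKey publicKey) {
        RSAPublicKey rsa = (RSAPublicKey) publicKey;
        return new org.bouncycastle.asn1.pkcs.RSAPublicKey(rsa.getModulus(), rsa.getPublicExponent());
    }

    /** Converts an ASN.1 RSA private key to Bouncy Castle CRT key parameters. */
    private static CipherParameters toCrtParameters(RSAPrivateKey key) {
        return new RSAPrivateCrtKeyParameters(key.getModulus(), key.getPublicExponent(), key.getPrivateExponent(), key.getPrime1(), key.getPrime2(), key.getExponent1(), key.getExponent2(), key.getCoefficient());
    }

    /** Converts an ASN.1 RSA public key to Bouncy Castle public key parameters. */
    private static CipherParameters toPublicParameters(org.bouncycastle.asn1.pkcs.RSAPublicKey key) {
        return new RSAKeyParameters(false, key.getModulus(), key.getPublicExponent());
    }
}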
