package org.apache.pulsar.client.impl.crypto;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.io.IOException;
import java.io.StringReader;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.apache.pulsar.client.api.CryptoKeyReader;
import org.apache.pulsar.client.api.EncryptionKeyInfo;
import org.apache.pulsar.client.api.MessageCrypto;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.common.api.proto.EncryptionKeys;
import org.apache.pulsar.common.api.proto.KeyValue;
import org.apache.pulsar.common.api.proto.MessageMetadata;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.ECNamedCurveTable;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECParameterSpec;
import org.bouncycastle.jce.spec.ECPrivateKeySpec;
import org.bouncycastle.jce.spec.ECPublicKeySpec;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.jose4j.keys.AesKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/pulsar-client-messagecrypto-bc-2.8.3.1.0.5.jar:org/apache/pulsar/client/impl/crypto/MessageCryptoBc.class */
public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMetadata> {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) MessageCryptoBc.class);
    private static final String ECDSA = "ECDSA";
    private static final String RSA = "RSA";
    private static final String ECIES = "ECIES";
    private static final String RSA_TRANS = "RSA/NONE/OAEPWithSHA1AndMGF1Padding";
    private static final String AESGCM = "AES/GCM/NoPadding";
    private static KeyGenerator keyGenerator;
    private static final int tagLen = 128;
    private byte[] iv;
    private Cipher cipher;
    MessageDigest digest;
    private String logCtx;
    private SecretKey dataKey;
    static final SecureRandom secureRandom;
    private ConcurrentHashMap<String, EncryptionKeyInfo> encryptedDataKeyMap = new ConcurrentHashMap<>();
    private LoadingCache<ByteBuffer, SecretKey> dataKeyCache = CacheBuilder.newBuilder().expireAfterAccess(4, TimeUnit.HOURS).build(new CacheLoader<ByteBuffer, SecretKey>() { // from class: org.apache.pulsar.client.impl.crypto.MessageCryptoBc.1
        @Override // com.google.common.cache.CacheLoader
        public SecretKey load(ByteBuffer byteBuffer) {
            return null;
        }
    });

    public MessageCryptoBc(String str, boolean z) {
        this.iv = new byte[12];
        this.logCtx = str;
        try {
            this.cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        } catch (NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException e) {
            this.cipher = null;
            log.error("{} MessageCrypto initialization Failed {}", str, e.getMessage());
        }
        if (!z) {
            this.digest = MessageDigest.getInstance(MessageDigestAlgorithms.MD5);
            this.dataKey = null;
            return;
        }
        keyGenerator = KeyGenerator.getInstance(AesKey.ALGORITHM);
        int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength(AesKey.ALGORITHM);
        if (maxAllowedKeyLength <= 128) {
            log.warn("{} AES Cryptographic strength is limited to {} bits. Consider installing JCE Unlimited Strength Jurisdiction Policy Files.", str, Integer.valueOf(maxAllowedKeyLength));
            keyGenerator.init(maxAllowedKeyLength, secureRandom);
        } else {
            keyGenerator.init(256, secureRandom);
        }
        this.dataKey = keyGenerator.generateKey();
        this.iv = new byte[12];
    }

    private PublicKey loadPublicKey(byte[] bArr) throws Exception {
        try {
            PEMParser pEMParser = new PEMParser(new StringReader(new String(bArr)));
            try {
                Object readObject = pEMParser.readObject();
                JcaPEMKeyConverter jcaPEMKeyConverter = new JcaPEMKeyConverter();
                X9ECParameters x9ECParameters = null;
                if (readObject instanceof ASN1ObjectIdentifier) {
                    x9ECParameters = ECNamedCurveTable.getByOID((ASN1ObjectIdentifier) readObject);
                    if (x9ECParameters == null) {
                        throw new PEMException("Unable to find EC Parameter for the given curve oid: " + ((ASN1ObjectIdentifier) readObject).getId());
                    }
                    readObject = pEMParser.readObject();
                } else if (readObject instanceof X9ECParameters) {
                    x9ECParameters = (X9ECParameters) readObject;
                    readObject = pEMParser.readObject();
                }
                PublicKey publicKey = jcaPEMKeyConverter.getPublicKey(readObject instanceof X509CertificateHolder ? ((X509CertificateHolder) readObject).getSubjectPublicKeyInfo() : (SubjectPublicKeyInfo) readObject);
                if (x9ECParameters != null && ECDSA.equals(publicKey.getAlgorithm())) {
                    publicKey = KeyFactory.getInstance(ECDSA, "BC").generatePublic(new ECPublicKeySpec(((BCECPublicKey) publicKey).getQ(), new ECParameterSpec(x9ECParameters.getCurve(), x9ECParameters.getG(), x9ECParameters.getN(), x9ECParameters.getH(), x9ECParameters.getSeed())));
                }
                pEMParser.close();
                return publicKey;
            } finally {
            }
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            throw new Exception(e);
        }
    }

    private PrivateKey loadPrivateKey(byte[] bArr) throws Exception {
        PrivateKey privateKey = null;
        try {
            PEMParser pEMParser = new PEMParser(new StringReader(new String(bArr)));
            try {
                X9ECParameters x9ECParameters = null;
                Object readObject = pEMParser.readObject();
                if (readObject instanceof ASN1ObjectIdentifier) {
                    ASN1ObjectIdentifier aSN1ObjectIdentifier = (ASN1ObjectIdentifier) readObject;
                    x9ECParameters = ECNamedCurveTable.getByOID(aSN1ObjectIdentifier);
                    if (x9ECParameters == null) {
                        throw new PEMException("Unable to find EC Parameter for the given curve oid: " + aSN1ObjectIdentifier.getId());
                    }
                    readObject = pEMParser.readObject();
                } else if (readObject instanceof X9ECParameters) {
                    x9ECParameters = (X9ECParameters) readObject;
                    readObject = pEMParser.readObject();
                }
                if (readObject instanceof PEMKeyPair) {
                    privateKey = new JcaPEMKeyConverter().getPrivateKey(((PEMKeyPair) readObject).getPrivateKeyInfo());
                }
                if (x9ECParameters != null && ECDSA.equals(privateKey.getAlgorithm())) {
                    privateKey = KeyFactory.getInstance(ECDSA, "BC").generatePrivate(new ECPrivateKeySpec(((BCECPrivateKey) privateKey).getS(), new ECParameterSpec(x9ECParameters.getCurve(), x9ECParameters.getG(), x9ECParameters.getN(), x9ECParameters.getH(), x9ECParameters.getSeed())));
                }
                pEMParser.close();
                return privateKey;
            } finally {
            }
        } catch (IOException e) {
            throw new Exception(e);
        }
    }

    @Override // org.apache.pulsar.client.api.MessageCrypto
    public synchronized void addPublicKeyCipher(Set<String> set, CryptoKeyReader cryptoKeyReader) throws PulsarClientException.CryptoException {
        this.dataKey = keyGenerator.generateKey();
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            addPublicKeyCipher(it.next(), cryptoKeyReader);
        }
    }

    private void addPublicKeyCipher(String str, CryptoKeyReader cryptoKeyReader) throws PulsarClientException.CryptoException {
        Cipher cipher;
        if (str == null || cryptoKeyReader == null) {
            throw new PulsarClientException.CryptoException("Keyname or KeyReader is null");
        }
        EncryptionKeyInfo publicKey = cryptoKeyReader.getPublicKey(str, null);
        try {
            PublicKey loadPublicKey = loadPublicKey(publicKey.getKey());
            try {
                if ("RSA".equals(loadPublicKey.getAlgorithm())) {
                    cipher = Cipher.getInstance(RSA_TRANS, "BC");
                } else {
                    if (!ECDSA.equals(loadPublicKey.getAlgorithm())) {
                        String str2 = this.logCtx + "Unsupported key type " + loadPublicKey.getAlgorithm() + " for key " + str;
                        log.error(str2);
                        throw new PulsarClientException.CryptoException(str2);
                    }
                    cipher = Cipher.getInstance(ECIES, "BC");
                }
                cipher.init(1, loadPublicKey);
                this.encryptedDataKeyMap.put(str, new EncryptionKeyInfo(cipher.doFinal(this.dataKey.getEncoded()), publicKey.getMetadata()));
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                log.error("{} Failed to encrypt data key {}. {}", this.logCtx, str, e.getMessage());
                throw new PulsarClientException.CryptoException(e.getMessage());
            }
        } catch (Exception e2) {
            String str3 = this.logCtx + "Failed to load public key " + str + ". " + e2.getMessage();
            log.error(str3);
            throw new PulsarClientException.CryptoException(str3);
        }
    }

    @Override // org.apache.pulsar.client.api.MessageCrypto
    public boolean removeKeyCipher(String str) {
        if (str == null) {
            return false;
        }
        this.encryptedDataKeyMap.remove(str);
        return true;
    }

    @Override // org.apache.pulsar.client.api.MessageCrypto
    public synchronized void encrypt(Set<String> set, CryptoKeyReader cryptoKeyReader, Supplier<MessageMetadata> supplier, ByteBuffer byteBuffer, ByteBuffer byteBuffer2) throws PulsarClientException {
        MessageMetadata messageMetadata = supplier.get();
        if (set.isEmpty()) {
            byteBuffer2.put(byteBuffer);
            byteBuffer2.flip();
            return;
        }
        for (String str : set) {
            if (this.encryptedDataKeyMap.get(str) == null) {
                addPublicKeyCipher(str, cryptoKeyReader);
            }
            EncryptionKeyInfo encryptionKeyInfo = this.encryptedDataKeyMap.get(str);
            if (encryptionKeyInfo == null) {
                log.error("{} Failed to find encrypted Data key for key {}.", this.logCtx, str);
            } else if (encryptionKeyInfo.getMetadata() == null || encryptionKeyInfo.getMetadata().isEmpty()) {
                messageMetadata.addEncryptionKey().setKey(str).setValue(encryptionKeyInfo.getKey());
            } else {
                EncryptionKeys value = messageMetadata.addEncryptionKey().setKey(str).setValue(encryptionKeyInfo.getKey());
                encryptionKeyInfo.getMetadata().forEach((str2, str3) -> {
                    value.addMetadata().setKey(str2).setValue(str3);
                });
            }
        }
        secureRandom.nextBytes(this.iv);
        GCMParameterSpec gCMParameterSpec = new GCMParameterSpec(128, this.iv);
        messageMetadata.setEncryptionParam(this.iv);
        try {
            this.cipher.init(1, this.dataKey, gCMParameterSpec);
            if (byteBuffer2.remaining() < this.cipher.getOutputSize(byteBuffer.remaining())) {
                throw new IllegalArgumentException("Outbuffer has not enough space available");
            }
            int doFinal = this.cipher.doFinal(byteBuffer, byteBuffer2);
            byteBuffer2.flip();
            byteBuffer2.limit(doFinal);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException | ShortBufferException e) {
            log.error("{} Failed to encrypt message. {}", this.logCtx, e);
            throw new PulsarClientException.CryptoException(e.getMessage());
        }
    }

    private boolean decryptDataKey(String str, byte[] bArr, List<KeyValue> list, CryptoKeyReader cryptoKeyReader) {
        Cipher cipher;
        HashMap hashMap = new HashMap();
        list.forEach(keyValue -> {
            hashMap.put(keyValue.getKey(), keyValue.getValue());
        });
        try {
            PrivateKey loadPrivateKey = loadPrivateKey(cryptoKeyReader.getPrivateKey(str, hashMap).getKey());
            if (loadPrivateKey == null) {
                log.error("{} Failed to load private key {}.", this.logCtx, str);
                return false;
            }
            try {
                if ("RSA".equals(loadPrivateKey.getAlgorithm())) {
                    cipher = Cipher.getInstance(RSA_TRANS, "BC");
                } else {
                    if (!ECDSA.equals(loadPrivateKey.getAlgorithm())) {
                        log.error("Unsupported key type {} for key {}.", loadPrivateKey.getAlgorithm(), str);
                        return false;
                    }
                    cipher = Cipher.getInstance(ECIES, "BC");
                }
                cipher.init(2, loadPrivateKey);
                byte[] doFinal = cipher.doFinal(bArr);
                byte[] digest = this.digest.digest(bArr);
                this.dataKey = new SecretKeySpec(doFinal, AesKey.ALGORITHM);
                this.dataKeyCache.put(ByteBuffer.wrap(digest), this.dataKey);
                return true;
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                log.error("{} Failed to decrypt data key {} to decrypt messages {}", this.logCtx, str, e.getMessage());
                return false;
            }
        } catch (Exception e2) {
            log.error("{} Failed to decrypt data key {} to decrypt messages {}", this.logCtx, str, e2.getMessage());
            return false;
        }
    }

    private boolean decryptData(SecretKey secretKey, MessageMetadata messageMetadata, ByteBuffer byteBuffer, ByteBuffer byteBuffer2) {
        this.iv = messageMetadata.getEncryptionParam();
        try {
            this.cipher.init(2, secretKey, new GCMParameterSpec(128, this.iv));
            if (byteBuffer2.remaining() < this.cipher.getOutputSize(byteBuffer.remaining())) {
                throw new IllegalArgumentException("Target buffer size is too small");
            }
            int doFinal = this.cipher.doFinal(byteBuffer, byteBuffer2);
            byteBuffer2.flip();
            byteBuffer2.limit(doFinal);
            return true;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException | ShortBufferException e) {
            log.error("{} Failed to decrypt message {}", this.logCtx, e.getMessage());
            return false;
        }
    }

    @Override // org.apache.pulsar.client.api.MessageCrypto
    public int getMaxOutputSize(int i) {
        return i + Math.max(i, 512);
    }

    private boolean getKeyAndDecryptData(MessageMetadata messageMetadata, ByteBuffer byteBuffer, ByteBuffer byteBuffer2) {
        List<EncryptionKeys> encryptionKeysList = messageMetadata.getEncryptionKeysList();
        for (int i = 0; i < encryptionKeysList.size(); i++) {
            SecretKey ifPresent = this.dataKeyCache.getIfPresent(ByteBuffer.wrap(this.digest.digest(encryptionKeysList.get(i).getValue())));
            if (ifPresent == null) {
                log.debug("{} Failed to decrypt data or data key is not in cache. Will attempt to refresh", this.logCtx);
            } else if (decryptData(ifPresent, messageMetadata, byteBuffer, byteBuffer2)) {
                return true;
            }
        }
        return false;
    }

    @Override // org.apache.pulsar.client.api.MessageCrypto
    public boolean decrypt(Supplier<MessageMetadata> supplier, ByteBuffer byteBuffer, ByteBuffer byteBuffer2, CryptoKeyReader cryptoKeyReader) {
        MessageMetadata messageMetadata = supplier.get();
        if (this.dataKey != null && getKeyAndDecryptData(messageMetadata, byteBuffer, byteBuffer2)) {
            return true;
        }
        if (messageMetadata.getEncryptionKeysList().stream().filter(encryptionKeys -> {
            return decryptDataKey(encryptionKeys.getKey(), encryptionKeys.getValue(), encryptionKeys.getMetadatasList(), cryptoKeyReader);
        }).findFirst().orElse(null) == null || this.dataKey == null) {
            return false;
        }
        return getKeyAndDecryptData(messageMetadata, byteBuffer, byteBuffer2);
    }

    static {
        SecureRandom secureRandom2;
        try {
            secureRandom2 = SecureRandom.getInstance("NativePRNGNonBlocking");
        } catch (NoSuchAlgorithmException e) {
            secureRandom2 = new SecureRandom();
        }
        secureRandom = secureRandom2;
        secureRandom.nextBytes(new byte[12]);
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}
