package com.microsoft.azure.keyvault.messagesecurity;

import com.microsoft.azure.keyvault.cryptography.RsaKey;
import com.microsoft.azure.keyvault.cryptography.SymmetricKey;
import com.microsoft.azure.keyvault.webkey.JsonWebKey;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import okhttp3.MediaType;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import okhttp3.ResponseBody;
import okhttp3.internal.http.HttpHeaders;
import okio.Buffer;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.lang3.tuple.Triple;

/* loaded from: input_file:com/microsoft/azure/keyvault/messagesecurity/HttpMessageSecurity.class */
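/**
 * Signs and encrypts outgoing requests and verifies/decrypts incoming responses using the
 * JOSE (JWS over JWE) message-protection scheme expected by the Key Vault service.
 *
 * <p>Every request gets a bearer {@code Authorization} header. Full message protection is only
 * applied when the client signature key, the server signature key and the server encryption key
 * are all present ({@link #supportsProtection()}); otherwise messages pass through unchanged.
 *
 * <p>When {@code testMode} is on, the AES content key, the IV, the JWS timestamp and the wrapped
 * key placeholder are all fixed constants so that output is reproducible. That mode provides no
 * confidentiality and exists only for tests.
 *
 * <p>Instances are immutable after construction; the shared {@link SecureRandom} is thread-safe.
 */
public class HttpMessageSecurity {
    private static final String AUTHENTICATE = "Authorization";
    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
    private static final String JOSE_CONTENT_TYPE = "application/jose+json";
    private static final String SIGNING_ALGORITHM = "RS256";
    private static final String KEY_WRAP_ALGORITHM = "RSA-OAEP";
    private static final String CONTENT_ENCRYPTION_ALGORITHM = "A128CBC-HS256";

    /** Shared CSPRNG; seeding a fresh SecureRandom on every call is unnecessary (and slow on some hosts). */
    private static final SecureRandom RANDOM = new SecureRandom();

    private final boolean testMode;
    private final String clientSecurityToken;
    private final JsonWebKey clientSignatureKey;
    private final JsonWebKey clientEncryptionKey;
    private final JsonWebKey serverSignatureKey;
    private final JsonWebKey serverEncryptionKey;

    /**
     * Creates a protector with a freshly generated client encryption key and test mode off.
     *
     * @param clientSecurityToken      bearer token sent in the {@code Authorization} header
     * @param clientSignatureKeyString client signing key as a JWK JSON string; null/empty disables protection
     * @param serverEncryptionKeyString server encryption key as a JWK JSON string; null/empty disables protection
     * @param serverSignatureKeyString server signing key as a JWK JSON string; null/empty disables protection
     * @throws IOException if a key string cannot be parsed
     */
    public HttpMessageSecurity(String clientSecurityToken, String clientSignatureKeyString,
            String serverEncryptionKeyString, String serverSignatureKeyString) throws IOException {
        this(clientSecurityToken, null, clientSignatureKeyString, serverEncryptionKeyString,
                serverSignatureKeyString, false);
    }

    /**
     * Creates a protector, optionally with a caller-supplied client encryption key and test mode.
     *
     * @param clientSecurityToken       bearer token sent in the {@code Authorization} header
     * @param clientEncryptionKeyString client encryption key as a JWK JSON string; null/empty generates one
     * @param clientSignatureKeyString  client signing key as a JWK JSON string; null/empty disables protection
     * @param serverEncryptionKeyString server encryption key as a JWK JSON string; null/empty disables protection
     * @param serverSignatureKeyString  server signing key as a JWK JSON string; null/empty disables protection
     * @param testMode                  when true, uses fixed key/IV/timestamp values (tests only)
     * @throws IOException if a key string cannot be parsed
     */
    public HttpMessageSecurity(String clientSecurityToken, String clientEncryptionKeyString,
            String clientSignatureKeyString, String serverEncryptionKeyString,
            String serverSignatureKeyString, boolean testMode) throws IOException {
        this.testMode = testMode;
        this.clientSecurityToken = clientSecurityToken;
        this.clientSignatureKey = parseKeyOrNull(clientSignatureKeyString);
        this.serverEncryptionKey = parseKeyOrNull(serverEncryptionKeyString);
        this.serverSignatureKey = parseKeyOrNull(serverSignatureKeyString);
        // Only generate a key pair when none was supplied; generating one just to discard it is wasteful.
        JsonWebKey suppliedEncryptionKey = parseKeyOrNull(clientEncryptionKeyString);
        this.clientEncryptionKey = suppliedEncryptionKey != null
                ? suppliedEncryptionKey
                : MessageSecurityHelper.generateJsonWebKey();
    }

    /**
     * Adds the bearer token and, when protection is enabled and the request has a non-empty body,
     * replaces the body with a signed JWS whose payload is the JWE-encrypted original body.
     *
     * <p>The original body is presumed to be a JSON object: its final character is dropped and a
     * {@code "rek"} member carrying the client's public encryption key is appended, so the server
     * can encrypt its response to this client.
     *
     * @param request the outgoing request
     * @return the request to send; never null
     * @throws IOException if signing or encryption fails or the underlying operation is interrupted
     */
    public Request protectRequest(Request request) throws IOException {
        Request withBearer = request.newBuilder()
                .header(AUTHENTICATE, BEARER_TOKEN_PREFIX + this.clientSecurityToken)
                .build();
        // Body-less requests (e.g. GET) have nothing to protect; avoid the NPE on body().writeTo().
        if (!supportsProtection() || request.body() == null) {
            return withBearer;
        }
        try {
            Buffer buffer = new Buffer();
            request.body().writeTo(buffer);
            String currentBody = buffer.readUtf8();
            if (currentBody == null || currentBody.isEmpty()) {
                return withBearer;
            }
            String bodyWithRek = currentBody.substring(0, currentBody.length() - 1)
                    + ",\"rek\":{\"jwk\":"
                    + MessageSecurityHelper.getJwkWithPublicKeyOnly(this.clientEncryptionKey).toString()
                    + "}}";
            JWEObject encryptedPayload = protectPayload(bodyWithRek);

            JWSHeader jwsHeader = new JWSHeader(SIGNING_ALGORITHM, this.clientSignatureKey.kid(),
                    this.clientSecurityToken, getCurrentTimestamp(), "PoP", null);
            String protectedHeader = MessageSecurityHelper.stringToBase64Url(jwsHeader.serialize());
            String payload = MessageSecurityHelper.stringToBase64Url(encryptedPayload.serialize());

            // JWS signing input is "<protected>.<payload>"; RS256 signs the SHA-256 digest of it.
            RsaKey signingKey = new RsaKey(this.clientSignatureKey.kid(), this.clientSignatureKey.toRSA(true));
            byte[] signingInput = getSha256(utf8(protectedHeader + "." + payload));
            Pair<byte[], String> signature = signingKey.signAsync(signingInput, SIGNING_ALGORITHM).get();
            String jws = new JWSObject(jwsHeader, payload,
                    MessageSecurityHelper.bytesToBase64Url(signature.getKey())).serialize();

            return withBearer.newBuilder()
                    .method(request.method(), RequestBody.create(MediaType.parse(JOSE_CONTENT_TYPE), jws))
                    .build();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("Interrupted while protecting the request", e);
        } catch (NoSuchAlgorithmException | ExecutionException e) {
            throw new IOException("Unable to protect the request", e);
        }
    }

    /**
     * Verifies the JWS signature of a protected response and decrypts its JWE payload.
     * Responses without a body, or whose content type is not {@code application/jose+json},
     * are returned unchanged.
     *
     * @param response the response received from the service
     * @return the response with its body replaced by the decrypted plaintext; never null
     * @throws IOException if the header does not match the expected key id/algorithm, the signature
     *                     does not verify, decryption fails, or the operation is interrupted
     */
    public Response unprotectResponse(Response response) throws IOException {
        if (!supportsProtection() || !HttpHeaders.hasBody(response)) {
            return response;
        }
        String contentType = response.header("content-type");
        if (contentType == null || !contentType.toLowerCase(Locale.ROOT).contains(JOSE_CONTENT_TYPE)) {
            return response;
        }
        try {
            JWSObject jws = JWSObject.deserialize(response.body().string());
            JWSHeader jwsHeader = jws.jwsHeader();
            // Pin key id and algorithm before verifying: the header is untrusted until the signature checks out.
            if (jwsHeader.kid() == null
                    || !jwsHeader.kid().equals(this.serverSignatureKey.kid())
                    || !SIGNING_ALGORITHM.equals(jwsHeader.alg())) {
                throw new IOException("Invalid protected response");
            }
            RsaKey verificationKey = new RsaKey(this.serverSignatureKey.kid(), this.serverSignatureKey.toRSA(false));
            byte[] signedDigest = getSha256(utf8(jws.originalProtected() + "." + jws.payload()));
            Boolean valid = verificationKey.verifyAsync(signedDigest,
                    MessageSecurityHelper.base64UrltoByteArray(jws.signature()), SIGNING_ALGORITHM).get();
            if (!Boolean.TRUE.equals(valid)) {
                throw new IOException("Wrong signature.");
            }
            return response.newBuilder()
                    .body(ResponseBody.create(response.body().contentType(), unprotectPayload(jws.payload())))
                    .build();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("Interrupted while unprotecting the response", e);
        } catch (NoSuchAlgorithmException | ExecutionException e) {
            throw new IOException("Unable to unprotect the response", e);
        }
    }

    /** Seconds since the epoch, or a fixed {@code 0} in test mode so signed headers are reproducible. */
    private long getCurrentTimestamp() {
        return this.testMode ? 0L : System.currentTimeMillis() / 1000;
    }

    /** True only when all three keys needed for sign/encrypt/verify are configured. */
    private boolean supportsProtection() {
        return this.clientSignatureKey != null
                && this.serverSignatureKey != null
                && this.serverEncryptionKey != null;
    }

    /**
     * Encrypts a payload as a JWE: a fresh AES key wrapped with the server's RSA-OAEP key and
     * the payload encrypted with A128CBC-HS256, using the base64url-encoded protected header as
     * additional authenticated data.
     *
     * @param payload plaintext to encrypt (UTF-8)
     * @return the JWE object
     * @throws IOException if encryption fails or the operation is interrupted
     */
    private JWEObject protectPayload(String payload) throws IOException {
        try {
            JWEHeader jweHeader = new JWEHeader(KEY_WRAP_ALGORITHM, this.serverEncryptionKey.kid(),
                    CONTENT_ENCRYPTION_ALGORITHM);
            byte[] aesKey = generateAesKey();
            byte[] iv = generateAesIv();
            SymmetricKey contentKey = new SymmetricKey(UUID.randomUUID().toString(), aesKey);

            RsaKey wrappingKey = new RsaKey(this.serverEncryptionKey.kid(), this.serverEncryptionKey.toRSA(false));
            Triple<byte[], byte[], String> wrappedKey = wrappingKey
                    .encryptAsync(aesKey, (byte[]) null, (byte[]) null, KEY_WRAP_ALGORITHM).get();

            byte[] aad = utf8(MessageSecurityHelper.stringToBase64Url(jweHeader.serialize()));
            Triple<byte[], byte[], String> cipher = contentKey
                    .encryptAsync(utf8(payload), iv, aad, CONTENT_ENCRYPTION_ALGORITHM).get();

            // Test mode substitutes a fixed placeholder for the wrapped key so the JWE is reproducible.
            byte[] encryptedKey = this.testMode ? utf8("key") : wrappedKey.getLeft();
            return new JWEObject(jweHeader,
                    MessageSecurityHelper.bytesToBase64Url(encryptedKey),
                    MessageSecurityHelper.bytesToBase64Url(iv),
                    MessageSecurityHelper.bytesToBase64Url(cipher.getLeft()),
                    MessageSecurityHelper.bytesToBase64Url(cipher.getMiddle()));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("Interrupted while encrypting the payload", e);
        } catch (NoSuchAlgorithmException | ExecutionException e) {
            throw new IOException("Unable to encrypt the payload", e);
        }
    }

    /**
     * Decrypts a JWE payload addressed to this client's encryption key.
     *
     * @param payloadBase64Url base64url-encoded serialized JWE
     * @return the decrypted plaintext (UTF-8)
     * @throws IOException if the JWE header does not name this client's key id and the expected
     *                     algorithms, decryption fails, or the operation is interrupted
     */
    private String unprotectPayload(String payloadBase64Url) throws IOException {
        try {
            JWEObject jwe = JWEObject.deserialize(MessageSecurityHelper.base64UrltoString(payloadBase64Url));
            JWEHeader jweHeader = jwe.jweHeader();
            // Reject anything not explicitly addressed to our key with the expected algorithms.
            if (!this.clientEncryptionKey.kid().equals(jweHeader.kid())
                    || !KEY_WRAP_ALGORITHM.equals(jweHeader.alg())
                    || !CONTENT_ENCRYPTION_ALGORITHM.equals(jweHeader.enc())) {
                throw new IOException("Invalid protected response");
            }
            RsaKey unwrappingKey = new RsaKey(this.clientEncryptionKey.kid(), this.clientEncryptionKey.toRSA(true));
            byte[] aesKey = unwrappingKey.decryptAsync(
                    MessageSecurityHelper.base64UrltoByteArray(jwe.encryptedKey()),
                    (byte[]) null, (byte[]) null, (byte[]) null, KEY_WRAP_ALGORITHM).get();

            SymmetricKey contentKey = new SymmetricKey(UUID.randomUUID().toString(), aesKey);
            // The protected header (as received, base64url) is the AAD the sender authenticated.
            byte[] plaintext = contentKey.decryptAsync(
                    MessageSecurityHelper.base64UrltoByteArray(jwe.cipherText()),
                    MessageSecurityHelper.base64UrltoByteArray(jwe.iv()),
                    utf8(jwe.originalProtected()),
                    MessageSecurityHelper.base64UrltoByteArray(jwe.tag()),
                    CONTENT_ENCRYPTION_ALGORITHM).get();
            return new String(plaintext, StandardCharsets.UTF_8);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("Interrupted while decrypting the payload", e);
        } catch (NoSuchAlgorithmException | ExecutionException e) {
            throw new IOException("Unable to decrypt the payload", e);
        }
    }

    /** SHA-256 digest of {@code data}. */
    private static byte[] getSha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** 32-byte AES content key: random, or a fixed constant in test mode. */
    private byte[] generateAesKey() {
        return this.testMode ? utf8("TEST1234TEST1234TEST1234TEST1234") : randomBytes(32);
    }

    /** 16-byte IV: random, or a fixed constant in test mode. */
    private byte[] generateAesIv() {
        return this.testMode ? utf8("TEST1234TEST1234") : randomBytes(16);
    }

    private static byte[] randomBytes(int length) {
        byte[] out = new byte[length];
        RANDOM.nextBytes(out);
        return out;
    }

    /** UTF-8 bytes; JOSE mandates UTF-8, so never rely on the platform default charset. */
    private static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    /** Parses a JWK JSON string, treating null or empty input as "no key". */
    private static JsonWebKey parseKeyOrNull(String jwkJson) throws IOException {
        if (jwkJson == null || jwkJson.isEmpty()) {
            return null;
        }
        return MessageSecurityHelper.jsonWebKeyFromString(jwkJson);
    }
}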
