package net.solarnetwork.node.loxone.protocol.ws;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import net.solarnetwork.node.loxone.dao.jdbc.SettingsConfigAuthenticationTokenDao;
import net.solarnetwork.node.loxone.domain.AuthenticationKey;
import net.solarnetwork.node.loxone.domain.AuthenticationToken;
import net.solarnetwork.node.loxone.domain.ConfigApi;
import org.apache.commons.codec.binary.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/solarnetwork/node/loxone/protocol/ws/TokenSecurityHelper.class */
public class TokenSecurityHelper implements SecurityHelper {
    public static final int DEFAULT_SALT_LENGTH = 16;
    public static final long DEFAULT_SALT_MAX_AGE = 3600000;
    public static final int DEFAULT_SALT_MAX_USE_COUNT = 30;
    private static final Logger log = LoggerFactory.getLogger(TokenSecurityHelper.class);
    private static final int AES_IV_LENGTH_BYTES = 16;
    private static final String AES_CIPHER_NAME = "AES/CBC/PKCS5Padding";
    private final ConfigApi apiConfig;
    private SecretKey aesKey;
    private Cipher aesEncryptCipher;
    private Cipher aesDecryptCipher;
    private SecureRandom secureRandom;
    private String salt;
    private int saltUseCount;
    private long saltTimestamp;
    private boolean encryptionReady;
    private AuthenticationToken authToken;
    private int saltLength = 16;
    private long saltMaxAge = DEFAULT_SALT_MAX_AGE;
    private int saltMaxUse = 30;
    private final byte[] aesInitVector = new byte[16];

    public TokenSecurityHelper(ConfigApi configApi) {
        if (configApi == null) {
            throw new IllegalArgumentException("ConfigApi must not be null");
        }
        this.apiConfig = configApi;
        initialize();
    }

    private boolean initialize() {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
            keyGenerator.init(256);
            this.aesKey = keyGenerator.generateKey();
            this.secureRandom = new SecureRandom();
            this.secureRandom.nextBytes(this.aesInitVector);
            IvParameterSpec ivParameterSpec = new IvParameterSpec(this.aesInitVector);
            this.aesEncryptCipher = Cipher.getInstance(AES_CIPHER_NAME);
            this.aesEncryptCipher.init(1, this.aesKey, ivParameterSpec);
            this.aesDecryptCipher = Cipher.getInstance(AES_CIPHER_NAME);
            this.aesDecryptCipher.init(2, this.aesKey, ivParameterSpec);
            return true;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | InvalidParameterException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new RuntimeException(e.getClass().getSimpleName() + " initializing AES encryption: " + e.getMessage());
        }
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public String generateSessionKey() {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            cipher.init(1, this.apiConfig.getPublicKey());
            String encodeToString = Base64.getEncoder().encodeToString(cipher.doFinal((Hex.encodeHexString(this.aesKey.getEncoded()) + ":" + Hex.encodeHexString(this.aesInitVector)).getBytes()));
            log.debug("Generated Loxone [{}] session key [{}]", this.apiConfig.getWebsocketUri(), encodeToString);
            return encodeToString;
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new RuntimeException(e.getClass().getSimpleName() + " generating session key for [" + this.apiConfig.getWebsocketUri() + "]:" + e.getMessage());
        }
    }

    private synchronized boolean isSaltExpired() {
        return this.salt != null && (this.saltTimestamp + this.saltMaxAge < System.currentTimeMillis() || this.saltUseCount > this.saltMaxUse);
    }

    private String currSalt() {
        return this.salt;
    }

    private String generateSalt() {
        byte[] bArr = new byte[this.saltLength];
        this.secureRandom.nextBytes(bArr);
        String encodeHexString = Hex.encodeHexString(bArr);
        log.info("Generated salt for [{}]: {}", this.apiConfig.getWebsocketUri(), encodeHexString);
        return encodeHexString;
    }

    private synchronized String generateAndSaveSalt() {
        String generateSalt = generateSalt();
        this.saltTimestamp = System.currentTimeMillis();
        this.saltUseCount = 0;
        this.salt = generateSalt;
        return generateSalt;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public AuthenticationToken extractTokenValue(Map<String, Object> map) {
        if (map != null) {
            String obj = map.containsKey(SettingsConfigAuthenticationTokenDao.TOKEN_SETTING) ? map.get(SettingsConfigAuthenticationTokenDao.TOKEN_SETTING).toString() : null;
            String obj2 = map.containsKey(SettingsConfigAuthenticationTokenDao.KEY_SETTING) ? map.get(SettingsConfigAuthenticationTokenDao.KEY_SETTING).toString() : null;
            Number number = map.containsKey("validUntil") ? (Number) map.get("validUntil") : null;
            Number number2 = map.containsKey("tokenRights") ? (Number) map.get("tokenRights") : null;
            Boolean bool = map.containsKey("unsecurePass") ? (Boolean) map.get("unsecurePass") : null;
            if (obj != null && obj2 != null && number != null && number2 != null && bool != null) {
                this.authToken = new AuthenticationToken(obj, number.longValue(), number2.intValue(), bool.booleanValue(), obj2);
            }
        }
        return this.authToken;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public AuthenticationToken extractTokenRefreshValue(Map<String, Object> map) {
        AuthenticationToken authenticationToken = this.authToken;
        if (map != null && authenticationToken != null) {
            Number number = map.containsKey("validUntil") ? (Number) map.get("validUntil") : null;
            Boolean bool = map.containsKey("unsecurePass") ? (Boolean) map.get("unsecurePass") : null;
            if (number != null && bool != null) {
                this.authToken = authenticationToken.refreshedCopy(number.longValue(), bool.booleanValue());
            }
        }
        return this.authToken;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public AuthenticationToken getAuthenticationToken() {
        return this.authToken;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public void setAuthenticationToken(AuthenticationToken authenticationToken) {
        this.authToken = authenticationToken;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public boolean hasValidToken() {
        return (this.authToken == null || this.authToken.isExpired()) ? false : true;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public AuthenticationKey extractAuthenticationKey(Map<String, Object> map) {
        AuthenticationKey authenticationKey = null;
        if (map != null && map.containsKey(SettingsConfigAuthenticationTokenDao.KEY_SETTING) && map.containsKey("salt")) {
            authenticationKey = new AuthenticationKey(map.get(SettingsConfigAuthenticationTokenDao.KEY_SETTING).toString(), map.get("salt").toString());
        }
        return authenticationKey;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public void keyExchangeComplete() {
        this.encryptionReady = true;
    }

    private boolean isEncryptionReady() {
        return this.encryptionReady;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public synchronized String encryptCommand(CommandType commandType, String str) {
        String str2;
        if (!isEncryptionReady() || (commandType != null && !commandType.isEncryptionSupported())) {
            return str;
        }
        if (isSaltExpired()) {
            str2 = "nextSalt/" + currSalt() + "/" + generateAndSaveSalt() + "/" + str + "��";
        } else {
            String currSalt = currSalt();
            if (currSalt == null) {
                currSalt = generateAndSaveSalt();
            }
            str2 = "salt/" + currSalt + "/" + str + "��";
        }
        String str3 = null;
        try {
            try {
                str3 = URLEncoder.encode(Base64.getEncoder().encodeToString(this.aesEncryptCipher.doFinal(str2.getBytes("UTF-8"))), "UTF-8");
            } catch (BadPaddingException | IllegalBlockSizeException e) {
                log.warn("Loxone [{}] command [{}] encryption failed: {}", new Object[]{this.apiConfig.getWebsocketUri(), str2, e.getMessage()});
                return str;
            }
        } catch (UnsupportedEncodingException e2) {
        }
        if (log.isTraceEnabled()) {
            log.trace("Encrypted command [{}] as: {}", str2, str3);
        }
        this.saltUseCount++;
        return CommandType.EncryptedCommand.getControlValue() + "/" + str3;
    }

    @Override // net.solarnetwork.node.loxone.protocol.ws.SecurityHelper
    public String decryptCommand(String str) {
        if (CommandType.forControlValue(str) != CommandType.EncryptedCommand) {
            return str;
        }
        String substring = str.substring(CommandType.EncryptedCommand.getControlValue().length() + 1);
        try {
            substring = new String(this.aesDecryptCipher.doFinal(org.apache.commons.codec.binary.Base64.decodeBase64(substring)), "UTF-8").replaceAll("��+.*$", "").replaceFirst("^salt/[^/]*/", "").replaceFirst("^nextSalt/[^/]+/[^/]+/", "");
            return substring;
        } catch (UnsupportedEncodingException | BadPaddingException | IllegalBlockSizeException e) {
            log.warn("Loxone [{}] command [{}] decryption failed: {}", new Object[]{this.apiConfig.getWebsocketUri(), str, e.getMessage()});
            return substring;
        }
    }

    public int getSaltLength() {
        return this.saltLength;
    }

    public void setSaltLength(int i) {
        if (i < 2) {
            throw new IllegalArgumentException("Salt length must be at least 2");
        }
        if (i > 64) {
            throw new IllegalArgumentException("Salt length must be no more than 64");
        }
        this.saltLength = i;
    }

    public long getSaltMaxAge() {
        return this.saltMaxAge;
    }

    public void setSaltMaxAge(long j) {
        this.saltMaxAge = j;
    }

    public int getSaltMaxUse() {
        return this.saltMaxUse;
    }

    public void setSaltMaxUse(int i) {
        this.saltMaxUse = i;
    }
}
