package se.litsec.opensaml.xmlsec;

import com.google.common.base.Strings;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.Collection;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.encryption.EncryptionMethod;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLCipherInput;
import org.apache.xml.security.encryption.XMLEncryptionException;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.DecryptionParameters;
import org.opensaml.xmlsec.algorithm.AlgorithmSupport;
import org.opensaml.xmlsec.encryption.EncryptedKey;
import org.opensaml.xmlsec.encryption.support.Decrypter;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import sun.security.rsa.RSAPadding;

/* loaded from: input_file:se/litsec/opensaml/xmlsec/ExtendedDecrypter.class */
public class ExtendedDecrypter extends Decrypter {
    private final Logger log;
    private boolean testMode;
    private int keyLength;
    private KeyInfoCredentialResolver _kekResolver;

    public ExtendedDecrypter(DecryptionParameters decryptionParameters) {
        super(decryptionParameters);
        this.log = LoggerFactory.getLogger(ExtendedDecrypter.class);
        this.testMode = false;
        this.keyLength = -1;
        this._kekResolver = decryptionParameters.getKEKKeyInfoCredentialResolver();
    }

    public ExtendedDecrypter(KeyInfoCredentialResolver keyInfoCredentialResolver, KeyInfoCredentialResolver keyInfoCredentialResolver2, EncryptedKeyResolver encryptedKeyResolver) {
        super(keyInfoCredentialResolver, keyInfoCredentialResolver2, encryptedKeyResolver);
        this.log = LoggerFactory.getLogger(ExtendedDecrypter.class);
        this.testMode = false;
        this.keyLength = -1;
        this._kekResolver = keyInfoCredentialResolver2;
    }

    public ExtendedDecrypter(KeyInfoCredentialResolver keyInfoCredentialResolver, KeyInfoCredentialResolver keyInfoCredentialResolver2, EncryptedKeyResolver encryptedKeyResolver, Collection<String> collection, Collection<String> collection2) {
        super(keyInfoCredentialResolver, keyInfoCredentialResolver2, encryptedKeyResolver, collection, collection2);
        this.log = LoggerFactory.getLogger(ExtendedDecrypter.class);
        this.testMode = false;
        this.keyLength = -1;
        this._kekResolver = keyInfoCredentialResolver2;
    }

    public void init() {
        PublicKey publicKey;
        if (this._kekResolver != null) {
            try {
                Credential credential = (Credential) this._kekResolver.resolveSingle(new CriteriaSet());
                if (credential != null && (publicKey = credential.getPublicKey()) != null) {
                    this.keyLength = getKeyLength(publicKey);
                }
            } catch (ResolverException e) {
            }
            if (this.keyLength <= 0) {
                this.log.error("Failed to resolve any certificates for key decryption");
            }
        }
    }

    public Key decryptKey(EncryptedKey encryptedKey, String str, Key key) throws DecryptionException {
        if ((this.testMode || key == null || "sun.security.pkcs11.P11Key$P11PrivateKey".equals(key.getClass().getName())) && AlgorithmSupport.isRSAOAEP(encryptedKey.getEncryptionMethod().getAlgorithm())) {
            if (Strings.isNullOrEmpty(str)) {
                this.log.error("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
                throw new DecryptionException("Algorithm of encrypted key not supplied, key decryption cannot proceed.");
            }
            validateAlgorithms(encryptedKey);
            try {
                checkAndMarshall(encryptedKey);
                preProcessEncryptedKey(encryptedKey, str, key);
                try {
                    XMLCipher providerInstance = getJCAProviderName() != null ? XMLCipher.getProviderInstance(getJCAProviderName()) : XMLCipher.getInstance();
                    providerInstance.init(4, key);
                    try {
                        Element dom = encryptedKey.getDOM();
                        try {
                            Key customizedDecryptKey = customizedDecryptKey(providerInstance.loadEncryptedKey(dom.getOwnerDocument(), dom), str, key);
                            if (customizedDecryptKey == null) {
                                throw new DecryptionException("Key could not be decrypted");
                            }
                            return customizedDecryptKey;
                        } catch (XMLEncryptionException e) {
                            this.log.error("Error decrypting encrypted key", e);
                            throw new DecryptionException("Error decrypting encrypted key", e);
                        } catch (Exception e2) {
                            throw new DecryptionException("Probable runtime exception on decryption:" + e2.getMessage(), e2);
                        }
                    } catch (XMLEncryptionException e3) {
                        this.log.error("Error when loading library native encrypted key representation", e3);
                        throw new DecryptionException("Error when loading library native encrypted key representation", e3);
                    }
                } catch (XMLEncryptionException e4) {
                    this.log.error("Error initialzing cipher instance on key decryption", e4);
                    throw new DecryptionException("Error initialzing cipher instance on key decryption", e4);
                }
            } catch (DecryptionException e5) {
                this.log.error("Error marshalling EncryptedKey for decryption", e5);
                throw e5;
            }
        }
        return super.decryptKey(encryptedKey, str, key);
    }

    private Key customizedDecryptKey(org.apache.xml.security.encryption.EncryptedKey encryptedKey, String str, Key key) throws XMLEncryptionException {
        byte[] bytes = new XMLCipherInput(encryptedKey).getBytes();
        try {
            String jCAProviderName = getJCAProviderName();
            Cipher cipher = jCAProviderName != null ? Cipher.getInstance("RSA/ECB/NoPadding", jCAProviderName) : Cipher.getInstance("RSA/ECB/NoPadding");
            cipher.init(2, key);
            byte[] doFinal = cipher.doFinal(bytes);
            if (doFinal.length < this.keyLength / 8) {
                byte[] bArr = new byte[this.keyLength / 8];
                System.arraycopy(doFinal, 0, bArr, bArr.length - doFinal.length, doFinal.length);
                doFinal = bArr;
            }
            EncryptionMethod encryptionMethod = encryptedKey.getEncryptionMethod();
            return new SecretKeySpec(RSAPadding.getInstance(4, this.keyLength / 8, new SecureRandom(), constructOAEPParameters(encryptionMethod.getAlgorithm(), encryptionMethod.getDigestAlgorithm(), encryptionMethod.getMGFAlgorithm(), encryptionMethod.getOAEPparams())).unpad(doFinal), JCEMapper.getJCEKeyAlgorithmFromURI(str));
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new XMLEncryptionException(e);
        }
    }

    private OAEPParameterSpec constructOAEPParameters(String str, String str2, String str3, byte[] bArr) {
        String translateURItoJCEID = str2 != null ? JCEMapper.translateURItoJCEID(str2) : "SHA-1";
        PSource.PSpecified pSpecified = PSource.PSpecified.DEFAULT;
        if (bArr != null) {
            pSpecified = new PSource.PSpecified(bArr);
        }
        MGF1ParameterSpec mGF1ParameterSpec = new MGF1ParameterSpec("SHA-1");
        if ("http://www.w3.org/2009/xmlenc11#rsa-oaep".equals(str)) {
            if ("http://www.w3.org/2009/xmlenc11#mgf1sha256".equals(str3)) {
                mGF1ParameterSpec = new MGF1ParameterSpec("SHA-256");
            } else if ("http://www.w3.org/2009/xmlenc11#mgf1sha384".equals(str3)) {
                mGF1ParameterSpec = new MGF1ParameterSpec("SHA-384");
            } else if ("http://www.w3.org/2009/xmlenc11#mgf1sha512".equals(str3)) {
                mGF1ParameterSpec = new MGF1ParameterSpec("SHA-512");
            }
        }
        return new OAEPParameterSpec(translateURItoJCEID, "MGF1", mGF1ParameterSpec, pSpecified);
    }

    public void setTestMode(boolean z) {
        this.testMode = z;
    }

    private static int getKeyLength(PublicKey publicKey) {
        int i = -1;
        if (publicKey instanceof RSAPublicKey) {
            i = ((RSAPublicKey) publicKey).getModulus().bitLength();
        } else if (publicKey instanceof ECPublicKey) {
            ECParameterSpec params = ((ECPublicKey) publicKey).getParams();
            i = params != null ? params.getOrder().bitLength() : 0;
        } else if (publicKey instanceof DSAPublicKey) {
            DSAPublicKey dSAPublicKey = (DSAPublicKey) publicKey;
            i = dSAPublicKey.getParams() != null ? dSAPublicKey.getParams().getP().bitLength() : dSAPublicKey.getY().bitLength();
        }
        return i;
    }
}
