package com.cht.kms.client.jose;

import com.cht.kms.client.rest.KMSClient;
import com.cht.org.bouncycastle.util.encoders.Base64;
import com.cht.org.jose4j.base64url.Base64Url;
import com.cht.org.jose4j.jwa.AlgorithmFactoryFactory;
import com.cht.org.jose4j.jwe.ContentEncryptionAlgorithm;
import com.cht.org.jose4j.jwe.ContentEncryptionKeyDescriptor;
import com.cht.org.jose4j.jwe.ContentEncryptionKeys;
import com.cht.org.jose4j.jwe.ContentEncryptionParts;
import com.cht.org.jose4j.jwe.JsonWebEncryption;
import com.cht.org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import com.cht.org.jose4j.jwx.CompactSerializer;
import com.cht.org.jose4j.jwx.HeaderParameterNames;
import com.cht.org.jose4j.jwx.Headers;
import com.cht.org.jose4j.lang.ByteUtil;
import com.cht.org.jose4j.lang.InvalidAlgorithmException;
import com.cht.org.jose4j.lang.JoseException;
import com.cht.org.jose4j.lang.StringUtil;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/cht/kms/client/jose/PKCS11JWEObject.class */
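/**
 * JWE object whose key-management step (wrapping and unwrapping the content
 * encryption key, CEK) is delegated to a remote KMS through {@link KMSClient}
 * instead of being performed with a local key.
 *
 * <p>Content encryption itself is still performed locally by the jose4j
 * {@link ContentEncryptionAlgorithm} selected by the {@code enc} header.
 *
 * <p>Security notes for reviewers and callers:
 * <ul>
 *   <li>The CEK is generated in this process and sent base64-encoded to
 *       {@code rawencrypt}; on decryption the unwrapped CEK is returned by
 *       {@code rawdecrypt}. The CEK therefore exists in client memory and on
 *       the KMS client channel. NOTE(review): confirm that channel is
 *       authenticated and encrypted; it is not visible in this class.</li>
 *   <li>On decryption the PKCS#11 mechanism is selected from the token's own
 *       {@code alg} header. Nothing in this class applies caller-configured
 *       algorithm constraints to that value, so callers should pin the
 *       expected {@code alg} before trusting a token. NOTE(review): verify
 *       whether the shaded superclass enforces constraints elsewhere.</li>
 *   <li>{@code RSA1_5} maps to {@code CKM_RSA_PKCS} (PKCS#1 v1.5). Unwrap
 *       failures are reported with the underlying message and are
 *       distinguishable from content-authentication failures. RFC 7516
 *       section 11.5 requires that recipients not distinguish format, padding
 *       and length errors of encrypted keys; callers should return one uniform
 *       error to the sender and prefer a non-v1.5 algorithm where possible.</li>
 * </ul>
 */
public class PKCS11JWEObject extends JsonWebEncryption {
    /** JWE {@code alg} header value to PKCS#11 mechanism name passed to the KMS. */
    private static final Map<String, String> MECHANISMS_BY_JWE_ALG = new HashMap<>();

    static {
        MECHANISMS_BY_JWE_ALG.put(KeyManagementAlgorithmIdentifiers.RSA1_5, "CKM_RSA_PKCS");
        MECHANISMS_BY_JWE_ALG.put(KeyManagementAlgorithmIdentifiers.A128KW, "CKM_AES_KEY_WRAP");
        MECHANISMS_BY_JWE_ALG.put(KeyManagementAlgorithmIdentifiers.A192KW, "CKM_AES_KEY_WRAP");
        MECHANISMS_BY_JWE_ALG.put(KeyManagementAlgorithmIdentifiers.A256KW, "CKM_AES_KEY_WRAP");
    }

    /** KMS client used for wrap/unwrap; set by {@link #init}. */
    private KMSClient client;
    /** Operation mode passed to {@link #init}; stored but not read anywhere in this class. */
    private int opmode;
    /** Key reference forwarded as the first argument of rawencrypt/rawdecrypt. */
    private String key;
    private Base64Url base64url = new Base64Url();
    /** Local copy of the payload; the caller's array is stored by reference, not copied. */
    private byte[] plaintext;
    byte[] encryptedKey;
    byte[] ciphertext;

    /** Variant preconfigured with the {@code A128KW} algorithm header. */
    public static final class A128KW extends OidImpl {
        public A128KW() {
            super(KeyManagementAlgorithmIdentifiers.A128KW);
        }
    }

    /** Variant preconfigured with the {@code A192KW} algorithm header. */
    public static final class A192KW extends OidImpl {
        public A192KW() {
            super(KeyManagementAlgorithmIdentifiers.A192KW);
        }
    }

    /** Variant preconfigured with the {@code A256KW} algorithm header. */
    public static final class A256KW extends OidImpl {
        public A256KW() {
            super(KeyManagementAlgorithmIdentifiers.A256KW);
        }
    }

    /** Common base of the per-algorithm variants; only forwards the algorithm identifier. */
    static abstract class OidImpl extends PKCS11JWEObject {
        protected OidImpl(String str) {
            super(str);
        }
    }

    /**
     * Variant preconfigured with the {@code RSA1_5} algorithm header.
     * See the class-level note on PKCS#1 v1.5 error handling.
     */
    public static final class RSA1_5 extends OidImpl {
        public RSA1_5() {
            super(KeyManagementAlgorithmIdentifiers.RSA1_5);
        }
    }

    /**
     * Creates an instance with the given JWE {@code alg} header value.
     *
     * @param str key-management algorithm identifier to place in the header
     */
    protected PKCS11JWEObject(String str) {
        super.setAlgorithmHeaderValue(str);
    }

    /**
     * Creates an instance without an algorithm header.
     * The decompiler reports that this constructor was originally protected.
     */
    public PKCS11JWEObject() {
    }

    /**
     * Stores the KMS client and key reference used by later wrap/unwrap calls.
     * No argument is validated here; a missing client is reported when an
     * encrypt or decrypt operation is attempted.
     *
     * @param i         operation mode (stored only)
     * @param kMSClient client used to reach the KMS
     * @param str       key reference forwarded to the KMS
     */
    public void init(int i, KMSClient kMSClient, String str) throws IllegalArgumentException {
        this.opmode = i;
        this.client = kMSClient;
        this.key = str;
    }

    /** Sets the payload on the superclass and keeps a reference for local encryption. */
    @Override // com.cht.org.jose4j.jwe.JsonWebEncryption
    public void setPlaintext(byte[] bArr) {
        super.setPlaintext(bArr);
        this.plaintext = bArr;
    }

    /** Sets the payload from a string, encoded as UTF-8. */
    @Override // com.cht.org.jose4j.jwe.JsonWebEncryption
    public void setPlaintext(String str) {
        setPlaintext(StringUtil.getBytesUnchecked(str, StringUtil.UTF_8));
    }

    /**
     * Unwraps the CEK through the KMS, decrypts and authenticates the
     * ciphertext, decompresses it if a {@code zip} header is present, and
     * stores the result as the plaintext.
     *
     * @throws JoseException wrapping any failure, with the cause's message
     */
    private void decrypt() throws JoseException {
        try {
            ContentEncryptionAlgorithm contentAlg = getContentEncryptionAlgorithm();
            ContentEncryptionParts parts =
                    new ContentEncryptionParts(super.getIv(), this.ciphertext, getIntegrity());
            byte[] aad = getEncodedHeaderAsciiBytesForAdditionalAuthenticatedData();
            // NOTE(review): the unwrapped CEK length is not checked against the
            // descriptor here; confirm the content algorithm rejects wrong sizes.
            byte[] cek = manageForDecrypt(
                    getEncryptedKey(), contentAlg.getContentEncryptionKeyDescriptor(), getHeaders())
                    .getEncoded();
            byte[] decrypted = contentAlg.decrypt(parts, aad, cek, getHeaders(), getProviderCtx());
            setPlaintext(decompress(getHeaders(), decrypted));
        } catch (Exception e) {
            throw new JoseException(e.getMessage(), e);
        }
    }

    /**
     * Lets the superclass parse the compact serialization, then keeps a local
     * copy of the decoded ciphertext (the fourth part).
     * The decompiler reports that this method was originally protected.
     */
    @Override // com.cht.org.jose4j.jwe.JsonWebEncryption, com.cht.org.jose4j.jwx.JsonWebStructure
    public void setCompactSerializationParts(String[] strArr) throws JoseException {
        super.setCompactSerializationParts(strArr);
        this.ciphertext = this.base64url.base64UrlDecode(strArr[3]);
    }

    /** Returns the ASCII bytes of the encoded header, used as additional authenticated data. */
    byte[] getEncodedHeaderAsciiBytesForAdditionalAuthenticatedData() {
        return StringUtil.getBytesAscii(getEncodedHeader());
    }

    /**
     * Decompresses {@code bArr} with the algorithm named by the {@code zip}
     * header, or returns it unchanged when the header is absent.
     */
    byte[] decompress(Headers headers, byte[] bArr) throws JoseException {
        String zipAlg = headers.getStringHeaderValue(HeaderParameterNames.ZIP);
        if (zipAlg == null) {
            return bArr;
        }
        return AlgorithmFactoryFactory.getInstance()
                .getCompressionAlgorithmFactory()
                .getAlgorithm(zipAlg)
                .decompress(bArr);
    }

    /**
     * Returns the plaintext, decrypting on first access when none has been set.
     * The internal array is returned without copying.
     */
    @Override // com.cht.org.jose4j.jwe.JsonWebEncryption
    public byte[] getPlaintextBytes() throws JoseException {
        if (this.plaintext == null) {
            decrypt();
        }
        return this.plaintext;
    }

    /**
     * Compresses {@code bArr} with the algorithm named by the {@code zip}
     * header, or returns it unchanged when the header is absent.
     */
    byte[] compress(Headers headers, byte[] bArr) throws InvalidAlgorithmException {
        String zipAlg = headers.getStringHeaderValue(HeaderParameterNames.ZIP);
        if (zipAlg == null) {
            return bArr;
        }
        return AlgorithmFactoryFactory.getInstance()
                .getCompressionAlgorithmFactory()
                .getAlgorithm(zipAlg)
                .compress(bArr);
    }

    /** Returns the superclass's encrypted key when present, else the one produced locally. */
    @Override // com.cht.org.jose4j.jwe.JsonWebEncryption
    public byte[] getEncryptedKey() {
        byte[] fromSuper = super.getEncryptedKey();
        return fromSuper == null ? this.encryptedKey : fromSuper;
    }

    /**
     * Wraps a CEK through the KMS, encrypts the payload locally and returns
     * the five-part compact serialization.
     *
     * @throws JoseException wrapping any failure, including a missing payload
     */
    @Override // com.cht.org.jose4j.jwe.JsonWebEncryption, com.cht.org.jose4j.jwx.JsonWebStructure
    public String getCompactSerialization() throws JoseException {
        try {
            ContentEncryptionAlgorithm contentAlg = getContentEncryptionAlgorithm();
            byte[] payload = this.plaintext;
            // Fail before contacting the KMS: without a payload the wrap call would be wasted.
            if (payload == null) {
                throw new NullPointerException("The plaintext payload for the JWE has not been set.");
            }
            ContentEncryptionKeys keys = manageForEncrypt(
                    contentAlg.getContentEncryptionKeyDescriptor(),
                    getHeaders(),
                    super.getContentEncryptionKey());
            setContentEncryptionKey(keys.getContentEncryptionKey());
            this.encryptedKey = keys.getEncryptedKey();
            byte[] aad = getEncodedHeaderAsciiBytesForAdditionalAuthenticatedData();
            ContentEncryptionParts encrypted = contentAlg.encrypt(
                    compress(getHeaders(), payload),
                    aad,
                    keys.getContentEncryptionKey(),
                    getHeaders(),
                    getIv(),
                    getProviderCtx());
            setIv(encrypted.getIv());
            this.ciphertext = encrypted.getCiphertext();
            return CompactSerializer.serialize(
                    getEncodedHeader(),
                    this.base64url.base64UrlEncode(keys.getEncryptedKey()),
                    this.base64url.base64UrlEncode(encrypted.getIv()),
                    this.base64url.base64UrlEncode(encrypted.getCiphertext()),
                    this.base64url.base64UrlEncode(encrypted.getAuthenticationTag()));
        } catch (Exception e) {
            throw new JoseException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the PKCS#11 mechanism for the current {@code alg} header.
     * Rejecting unknown values here prevents a {@code null} mechanism from
     * being forwarded to the KMS.
     */
    private String resolveMechanism() throws InvalidAlgorithmException {
        String alg = super.getAlgorithmHeaderValue();
        String mechanism = MECHANISMS_BY_JWE_ALG.get(alg);
        if (mechanism == null) {
            throw new InvalidAlgorithmException(
                    "Unsupported JWE key management algorithm for KMS key wrapping: " + alg);
        }
        return mechanism;
    }

    /** Returns the KMS client, or fails clearly when {@link #init} has not supplied one. */
    private KMSClient requireClient() {
        if (this.client == null) {
            throw new IllegalStateException("init(...) must supply a KMS client before use.");
        }
        return this.client;
    }

    /**
     * Produces the CEK (the supplied one, or fresh random bytes of the length
     * the descriptor requires) and has the KMS wrap it.
     */
    private ContentEncryptionKeys manageForEncrypt(ContentEncryptionKeyDescriptor contentEncryptionKeyDescriptor, Headers headers, byte[] bArr) throws NoSuchAlgorithmException, InvalidAlgorithmException {
        String mechanism = resolveMechanism();
        KMSClient kms = requireClient();
        byte[] cek = bArr == null
                ? ByteUtil.randomBytes(contentEncryptionKeyDescriptor.getContentEncryptionKeyByteLength(), new SecureRandom())
                : bArr;
        String wrappedBase64 = (String) kms.rawencrypt(this.key, Base64.toBase64String(cek), mechanism, null).get("ciphertext");
        if (wrappedBase64 == null) {
            throw new IllegalStateException("KMS response did not contain a 'ciphertext' value.");
        }
        return new ContentEncryptionKeys(cek, Base64.decode(wrappedBase64));
    }

    /**
     * Has the KMS unwrap the encrypted key and returns it as a key for the
     * content encryption algorithm.
     */
    private Key manageForDecrypt(byte[] bArr, ContentEncryptionKeyDescriptor contentEncryptionKeyDescriptor, Headers headers) throws InvalidAlgorithmException {
        String mechanism = resolveMechanism();
        KMSClient kms = requireClient();
        String cekBase64 = (String) kms.rawdecrypt(this.key, Base64.toBase64String(bArr), mechanism, null).get("plaintext");
        if (cekBase64 == null) {
            throw new IllegalStateException("KMS response did not contain a 'plaintext' value.");
        }
        return new SecretKeySpec(Base64.decode(cekBase64), contentEncryptionKeyDescriptor.getContentEncryptionKeyAlgorithm());
    }

    /**
     * Creates an instance for the given JWE {@code alg} header value.
     * The value is not checked here; unsupported values are rejected when a
     * wrap or unwrap is attempted.
     */
    public static PKCS11JWEObject getInstance(String str) {
        return new PKCS11JWEObject(str);
    }
}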
