package com.nimbusds.openid.connect.sdk.id;

import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.ByteUtils;
import com.nimbusds.oauth2.sdk.id.Subject;
import java.util.AbstractMap;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import net.jcip.annotations.ThreadSafe;
import org.cryptomator.siv.SivMode;
import org.jose4j.keys.AesKey;

@ThreadSafe
/* loaded from: input_file:WEB-INF/lib/oauth2-oidc-sdk-9.9.1.jar:com/nimbusds/openid/connect/sdk/id/SIVAESBasedPairwiseSubjectCodec.class */
public class SIVAESBasedPairwiseSubjectCodec extends PairwiseSubjectCodec {
    private static final SivMode AES_SIV = new SivMode();
    private final byte[] aesCtrKey;
    private final byte[] macKey;
    private final int padSubjectToLength;

    public SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey) {
        this(secretKey, -1);
    }

    public SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey, int i) {
        super(null);
        if (secretKey == null) {
            throw new IllegalArgumentException("The SIV AES secret key must not be null");
        }
        byte[] encoded = secretKey.getEncoded();
        switch (encoded.length) {
            case 32:
                this.aesCtrKey = ByteUtils.subArray(encoded, 0, 16);
                this.macKey = ByteUtils.subArray(encoded, 16, 16);
                break;
            case 48:
                this.aesCtrKey = ByteUtils.subArray(encoded, 0, 24);
                this.macKey = ByteUtils.subArray(encoded, 24, 24);
                break;
            case 64:
                this.aesCtrKey = ByteUtils.subArray(encoded, 0, 32);
                this.macKey = ByteUtils.subArray(encoded, 32, 32);
                break;
            default:
                throw new IllegalArgumentException("The SIV AES secret key length must be 256, 384 or 512 bits");
        }
        this.padSubjectToLength = i;
    }

    /* JADX WARN: Type inference failed for: r2v1, types: [byte[], byte[][]] */
    public SecretKey getSecretKey() {
        return new SecretKeySpec(ByteUtils.concat(new byte[]{this.aesCtrKey, this.macKey}), AesKey.ALGORITHM);
    }

    public int getPadSubjectToLength() {
        return this.padSubjectToLength;
    }

    private static String escapeSeparator(String str) {
        return str.replace("|", "\\|");
    }

    /* JADX WARN: Type inference failed for: r4v1, types: [byte[], byte[][]] */
    @Override // com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
    public Subject encode(SectorID sectorID, Subject subject) {
        String escapeSeparator = escapeSeparator(sectorID.getValue());
        String escapeSeparator2 = escapeSeparator(subject.getValue());
        StringBuilder sb = new StringBuilder();
        if (this.padSubjectToLength > 0) {
            int length = this.padSubjectToLength - escapeSeparator2.length();
            if (length == 1) {
                sb = new StringBuilder("|");
            } else if (length > 1) {
                sb = new StringBuilder("|");
                int i = length;
                while (true) {
                    i--;
                    if (i <= 0) {
                        break;
                    }
                    sb.append("0");
                }
            }
        }
        return new Subject(Base64URL.encode(AES_SIV.encrypt(this.aesCtrKey, this.macKey, (escapeSeparator + '|' + escapeSeparator2 + ((Object) sb)).getBytes(CHARSET), (byte[][]) new byte[0])).toString());
    }

    /* JADX WARN: Type inference failed for: r4v1, types: [byte[], byte[][]] */
    @Override // com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
    public Map.Entry<SectorID, Subject> decode(Subject subject) throws InvalidPairwiseSubjectException {
        try {
            String[] split = new String(AES_SIV.decrypt(this.aesCtrKey, this.macKey, new Base64URL(subject.getValue()).decode(), (byte[][]) new byte[0]), CHARSET).split("(?<!\\\\)\\|");
            for (int i = 0; i < split.length; i++) {
                split[i] = split[i].replace("\\|", "|");
            }
            if (split.length > 3) {
                throw new InvalidPairwiseSubjectException("Invalid format: Unexpected number of tokens: " + split.length);
            }
            return new AbstractMap.SimpleImmutableEntry(new SectorID(split[0]), new Subject(split[1]));
        } catch (Exception e) {
            throw new InvalidPairwiseSubjectException("Decryption failed: " + e.getMessage(), e);
        }
    }
}
