package org.forgerock.json.jose.jwe.handlers.encryption;

import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.forgerock.json.jose.exceptions.JweDecryptionException;
import org.forgerock.json.jose.exceptions.JweEncryptionException;
import org.forgerock.json.jose.jwe.EncryptionMethod;
import org.forgerock.json.jose.jwe.JweEncryption;
import org.forgerock.json.jose.utils.Utils;

/* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.commons.json-web-token.jar:org/forgerock/json/jose/jwe/handlers/encryption/AESCBCHMACSHA2ContentEncryptionHandler.class */
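/**
 * Content encryption handler that combines AES in CBC mode with a truncated HMAC-SHA2 tag
 * (encrypt-then-MAC). The layout matches the AES_CBC_HMAC_SHA2 composite described in
 * RFC 7518 section 5.2: the first {@code getKeyOffset()} bytes of the combined key are the
 * MAC key, and the following {@code getKeyOffset()} bytes are the AES key.
 *
 * <p>Units as used by this class: {@link EncryptionMethod#getKeyOffset()} is treated as a byte
 * count (MAC key length and tag length), {@link EncryptionMethod#getKeySize()} as a bit count
 * for the whole combined key.
 */
final class AESCBCHMACSHA2ContentEncryptionHandler extends ContentEncryptionHandler {
    private static final Logger LOGGER = Logger.getLogger(AESCBCHMACSHA2ContentEncryptionHandler.class.getName());
    private static final String RAW_KEY_FORMAT = "RAW";
    private final EncryptionMethod method;

    /**
     * Creates a handler bound to one encryption method.
     *
     * <p>Decompiler note: this constructor was package-private in the compiled class.
     *
     * @param encryptionMethod supplies the transformation, the MAC algorithm and the key sizes
     */
    public AESCBCHMACSHA2ContentEncryptionHandler(EncryptionMethod encryptionMethod) {
        this.method = encryptionMethod;
    }

    /**
     * Encrypts the plaintext and computes the authentication tag over
     * {@code AAD || IV || ciphertext || AL}.
     *
     * @param key   combined MAC + encryption key; its encoded form is split by {@code getKeyOffset()}
     * @param bArr  initialisation vector for the CBC cipher
     * @param bArr2 plaintext
     * @param bArr3 additional authenticated data
     * @return the ciphertext together with the truncated authentication tag
     * @throws JweEncryptionException if the cipher or MAC cannot be initialised or run
     */
    @Override
    public JweEncryption encrypt(Key key, byte[] bArr, byte[] bArr2, byte[] bArr3) {
        final byte[] iv = bArr;
        final byte[] plaintext = bArr2;
        final byte[] aad = bArr3;
        SecretKey macKey = macKey(key, this.method);
        SecretKey encKey = encKey(key, this.method);
        try {
            Cipher cipher = Cipher.getInstance(this.method.getTransformation());
            cipher.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
            byte[] ciphertext = cipher.doFinal(plaintext);
            return new JweEncryption(ciphertext, computeTag(macKey, aad, iv, ciphertext));
        } catch (GeneralSecurityException e) {
            throw new JweEncryptionException(e);
        }
    }

    /**
     * Verifies the authentication tag and decrypts the ciphertext.
     *
     * <p>Every failure inside the try block (tag mismatch, bad padding, unsupported algorithm)
     * is reported as the same cause-less {@link JweDecryptionException}; the detail is logged
     * at FINE only, so callers cannot tell the failure modes apart.
     *
     * @param key           combined MAC + encryption key
     * @param bArr          initialisation vector
     * @param jweEncryption ciphertext and the authentication tag received with it
     * @param bArr2         additional authenticated data
     * @return the plaintext, only when the tag matched
     * @throws JweDecryptionException if the tag does not verify or decryption fails
     */
    @Override
    public byte[] decrypt(Key key, byte[] bArr, JweEncryption jweEncryption, byte[] bArr2) {
        final byte[] iv = bArr;
        final byte[] aad = bArr2;
        SecretKey macKey = macKey(key, this.method);
        SecretKey encKey = encKey(key, this.method);
        try {
            byte[] expectedTag = computeTag(macKey, aad, iv, jweEncryption.getCiphertext());
            // NOTE(review): by its name Utils.constantEquals is a constant-time comparison -
            // confirm against Utils; a short-circuiting compare here would leak tag bytes.
            boolean tagMatches = Utils.constantEquals(expectedTag, jweEncryption.getAuthenticationTag());
            // Decryption is attempted even when the tags differ and its result is discarded.
            // Keep this ordering: returning early on a mismatch would make a bad tag and a
            // bad padding distinguishable by timing.
            Cipher cipher = Cipher.getInstance(this.method.getTransformation());
            cipher.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
            byte[] plaintext = cipher.doFinal(jweEncryption.getCiphertext());
            if (!tagMatches) {
                throw new GeneralSecurityException("MAC verification failed");
            }
            return plaintext;
        } catch (GeneralSecurityException e) {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Decryption failed: " + e, e);
            }
            // Deliberately thrown without message or cause (see method Javadoc).
            throw new JweDecryptionException();
        }
    }

    /**
     * Generates a fresh combined key: an HMAC key of {@code getKeyOffset()} bytes followed by an
     * AES key filling the rest of {@code getKeySize()} bits.
     *
     * @return the concatenated key, labelled with the encryption algorithm name
     * @throws JweEncryptionException if either algorithm is unavailable
     * @throws IllegalStateException  if a generator returns key material that is not RAW-encoded
     */
    @Override
    Key generateEncryptionKey() {
        try {
            int macKeyBits = this.method.getKeyOffset() * 8;
            KeyGenerator macKeyGenerator = KeyGenerator.getInstance(this.method.getMacAlgorithm());
            macKeyGenerator.init(macKeyBits);
            SecretKey generatedMacKey = macKeyGenerator.generateKey();
            if (!RAW_KEY_FORMAT.equals(generatedMacKey.getFormat())) {
                throw new IllegalStateException("HMAC KeyGenerator returned non-RAW key material!");
            }
            int encKeyBits = this.method.getKeySize() - macKeyBits;
            KeyGenerator encKeyGenerator = KeyGenerator.getInstance(this.method.getEncryptionAlgorithm());
            encKeyGenerator.init(encKeyBits);
            SecretKey generatedEncKey = encKeyGenerator.generateKey();
            // Fix: the original re-checked the HMAC key's format here, so a non-RAW AES key
            // (for example from a hardware-backed provider) was never rejected.
            if (!RAW_KEY_FORMAT.equals(generatedEncKey.getFormat())) {
                throw new IllegalStateException("AES KeyGenerator returned non-RAW key material!");
            }
            byte[] combined = ByteBuffer.allocate(this.method.getKeySize() / 8)
                    .put(generatedMacKey.getEncoded())
                    .put(generatedEncKey.getEncoded())
                    .array();
            try {
                return new SecretKeySpec(combined, this.method.getEncryptionAlgorithm());
            } finally {
                // SecretKeySpec keeps its own copy, so the scratch buffer can be wiped.
                Arrays.fill(combined, (byte) 0);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new JweEncryptionException("Unsupported Encryption Algorithm, " + this.method.getEncryptionAlgorithm(), e);
        }
    }

    /**
     * Computes the HMAC over {@code aad || iv || ciphertext || AL}, where AL is the AAD length
     * in bits as a 64-bit big-endian integer, and truncates it to {@code getKeyOffset()} bytes.
     */
    private byte[] computeTag(SecretKey macKey, byte[] aad, byte[] iv, byte[] ciphertext)
            throws GeneralSecurityException {
        // Fix: widen to long before multiplying; the original int product overflowed for
        // AAD of 256 MiB or more and authenticated a wrong length field.
        long aadBits = (long) aad.length * 8L;
        byte[] aadLength = ByteBuffer.allocate(8).order(ByteOrder.BIG_ENDIAN).putLong(aadBits).array();
        Mac mac = Mac.getInstance(this.method.getMacAlgorithm());
        mac.init(macKey);
        mac.update(aad);
        mac.update(iv);
        mac.update(ciphertext);
        mac.update(aadLength);
        return Arrays.copyOf(mac.doFinal(), this.method.getKeyOffset());
    }

    /** Extracts the MAC key: the first {@code getKeyOffset()} bytes of the encoded combined key. */
    private static SecretKey macKey(Key key, EncryptionMethod encryptionMethod) {
        return new SecretKeySpec(key.getEncoded(), 0, encryptionMethod.getKeyOffset(), encryptionMethod.getMacAlgorithm());
    }

    /**
     * Extracts the encryption key: {@code getKeyOffset()} bytes starting at offset
     * {@code getKeyOffset()}, i.e. the cipher key is assumed to be as long as the MAC key.
     */
    private static SecretKey encKey(Key key, EncryptionMethod encryptionMethod) {
        return new SecretKeySpec(key.getEncoded(), encryptionMethod.getKeyOffset(), encryptionMethod.getKeyOffset(), encryptionMethod.getEncryptionAlgorithm());
    }
}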
