package net.netca.pki.encoding.json.jose;

import java.util.ArrayList;
import java.util.Arrays;
import net.netca.pki.PkiException;
import net.netca.pki.encoding.asn1.ASN1Object;
import net.netca.pki.encoding.asn1.ObjectIdentifier;
import net.netca.pki.encoding.asn1.ObjectIdentifierType;
import net.netca.pki.encoding.asn1.Unknown;
import net.netca.pki.encoding.asn1.pki.AlgorithmIdentifier;
import net.netca.pki.encoding.asn1.pki.ECCPublicKey;
import net.netca.pki.encoding.asn1.pki.Extension;
import net.netca.pki.encoding.asn1.pki.Extensions;
import net.netca.pki.encoding.asn1.pki.NamedBitStringExtension;
import net.netca.pki.encoding.asn1.pki.SubjectPublicKeyInfo;
import net.netca.pki.encoding.asn1.pki.X509Certificate;
import net.netca.pki.encoding.json.JSON;
import net.netca.pki.encoding.json.JSONNumber;
import net.netca.pki.encoding.json.JSONObject;
import net.netca.pki.encoding.json.JSONString;

/* loaded from: classes3.dex */
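/**
 * Collects the settings for one JWE recipient (key-management algorithm, recipient certificate or
 * symmetric key, PBES2/ECDH parameters, per-recipient header) and produces the recipient's encrypted
 * key through {@link #encryptKek}.
 *
 * <p>Review notes:
 * <ul>
 *   <li>Certificate checks here cover only the validity window, the public-key type and the
 *       keyUsage bits. No path validation or revocation check is visible in this class; callers
 *       must establish trust in the recipient certificate before calling {@link #setCert}.</li>
 *   <li>Key, salt and party-info arrays are stored by reference, not copied, so later changes by
 *       the caller are seen by this object.</li>
 *   <li>{@link #encryptKek} adds values to the single {@code unprotectedHeader} instance held by
 *       this object, so an instance is presumably meant for one encryption only.</li>
 * </ul>
 */
public class JWERecipienter {
    /** Serialization selector for which {@link #encryptKek} rejects caller-set unprotected headers. */
    private static final int SERIALIZATION_COMPACT = 1;
    /** Serialization selector for which the per-recipient header is filled in (presumably JSON serialization). */
    private static final int SERIALIZATION_WITH_RECIPIENT_HEADER = 2;
    /** keyUsage bit for keyEncipherment (RFC 5280); assumes isSet() indexes by bit position. */
    private static final int KEY_USAGE_KEY_ENCIPHERMENT = 2;
    /** keyUsage bit for keyAgreement (RFC 5280); assumes isSet() indexes by bit position. */
    private static final int KEY_USAGE_KEY_AGREEMENT = 4;
    /** Lower bounds enforced by {@link #setPBKDF2Params}. */
    private static final int MIN_PBES2_SALT_LENGTH = 8;
    private static final int MIN_PBES2_ITERATIONS = 1000;

    private String cekAlgoName;
    private ArrayList<X509Certificate> certsChain;
    private byte[] ecdhParams_partyUInfo;
    private byte[] ecdhParams_partyVInfo;
    private X509Certificate encCert;
    private byte[] enckey;
    private boolean hasSetPkcs5PBKDF2Params;
    private int pkcs5PBKDF2Params_iterCount;
    private byte[] pkcs5PBKDF2Params_salt;
    private final Header unprotectedHeader = new Header();
    private int certIdType = 0;
    private boolean hasSetUnprotectedHeader = false;

    /** Returns true when {@code value} equals one of {@code candidates}; a null value matches nothing. */
    private static boolean isAnyOf(String value, String... candidates) {
        for (String candidate : candidates) {
            if (candidate.equals(value)) {
                return true;
            }
        }
        return false;
    }

    /** RSA key-transport algorithms accepted for RSA certificates. */
    private static boolean isRsaAlgo(String algo) {
        return isAnyOf(algo, JWE.ENCRYPT_CEK_ALGO_RSA1_5, JWE.ENCRYPT_CEK_ALGO_RSA_OAEP, JWE.ENCRYPT_CEK_ALGO_RSA_OAEP_256);
    }

    /** SM2 public-key encryption, accepted for SM2 certificates. */
    private static boolean isSm2Algo(String algo) {
        return isAnyOf(algo, JWE.ENCRYPT_CEK_ALGO_SM2_ENCRYPT);
    }

    /** ECDH-ES, direct or combined with AES key wrap. */
    private static boolean isEcdhAlgo(String algo) {
        return isAnyOf(algo, JWE.ENCRYPT_CEK_ALGO_ECDH_ES, JWE.ENCRYPT_CEK_ALGO_ECDH_ES_AES_128_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_ECDH_ES_AES_192_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_ECDH_ES_AES_256_KEYWRAP);
    }

    /** AES key wrap and AES-GCM key wrap with a caller-supplied symmetric key. */
    private static boolean isAesKeyWrapAlgo(String algo) {
        return isAnyOf(algo, JWE.ENCRYPT_CEK_ALGO_AES_128_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_AES_192_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_AES_256_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_AES_128_GCM_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_AES_192_GCM_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_AES_256_GCM_KEYWRAP);
    }

    /** Password-based (PBES2) key wrap. */
    private static boolean isPbes2Algo(String algo) {
        return isAnyOf(algo, JWE.ENCRYPT_CEK_ALGO_PBES2_HMAC_SHA256_AES_128_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_PBES2_HMAC_SHA384_AES_192_KEYWRAP, JWE.ENCRYPT_CEK_ALGO_PBES2_HMAC_SHA512_AES_256_KEYWRAP);
    }

    /** Wraps the CEK with the symmetric key given to {@link #setKey} and returns it base64url-encoded. */
    private String aesKeyWrap(byte[] cek, IJWEKeyWrap keyWrap) throws PkiException {
        if (keyWrap == null) {
            throw new PkiException("no set IJWEKeyWrap implement!");
        }
        byte[] kek = this.enckey;
        if (kek == null) {
            throw new PkiException("no set enc key");
        }
        return Utils.getBase64URLEncode(keyWrap.keywrap(this.cekAlgoName, kek, cek));
    }

    /** Encrypts the CEK to the recipient certificate's public key and returns it base64url-encoded. */
    private String certEncrypt(byte[] cek, IJWEPublicKeyEncrypter encrypter) throws PkiException {
        if (encrypter == null) {
            throw new PkiException("no set publicKeyEncrypter implement!");
        }
        if (!isRsaAlgo(this.cekAlgoName) && !isSm2Algo(this.cekAlgoName)) {
            // The original handed null to the base64url encoder here; fail with the error the
            // caller reports for a missing encrypted key instead of relying on that helper.
            throw new PkiException("encryptKek fail, encryptedKey is null!");
        }
        return Utils.getBase64URLEncode(encrypter.encrypt(this.encCert.getSubjectPublicKeyInfo(), this.cekAlgoName, cek, 0, cek.length));
    }

    /**
     * Verifies that the certificate is inside its validity period, carries the key usage needed for
     * the algorithm family, and that the algorithm fits the certificate's key type.
     *
     * <p>An RSA certificate is accepted only with an RSA algorithm and an SM2 certificate only with
     * SM2 encryption; the earlier combined check let either key type pass with the other family's
     * algorithm name.
     */
    private void checkCertMatchEncAlgo(X509Certificate cert, String algo) throws PkiException {
        if (!cert.isInValidity()) {
            throw new PkiException("cert is not in validity");
        }
        boolean rsaCert = cert.isRSA();
        if (rsaCert || cert.isSM2()) {
            if (!isEncCert(cert)) {
                throw new PkiException("cert is not EncCert");
            }
            if (rsaCert) {
                if (isRsaAlgo(algo)) {
                    return;
                }
                throw new PkiException("RSA Cert no match algo" + algo);
            }
            if (isSm2Algo(algo)) {
                return;
            }
            throw new PkiException("SM2 Cert no match algo" + algo);
        }
        if (!isECCCert(cert)) {
            throw new PkiException("Cert no MatchEncAlgo " + algo);
        }
        if (!isKeyAgreementCert(cert)) {
            throw new PkiException("cert is not KeyAgreementCert");
        }
        if (isEcdhAlgo(algo)) {
            return;
        }
        throw new PkiException("ECDH_ES  KeyAgreementCert no match algo" + algo);
    }

    /** Rejects a header name that is already present in the unprotected header. */
    private void checkDupHeader(String str) throws PkiException {
        if (this.unprotectedHeader.haveHeaderParam(str)) {
            throw new PkiException("has Dup Header in unprotectedheader !");
        }
    }

    /** Prevents callers from setting the algorithm header themselves; it is derived from the configured algorithm. */
    private void checkPublicHeaderParam(String str) throws PkiException {
        if (str.equals(HeaderParameterNames.ALGORITHM)) {
            throw new PkiException("Cannt set PublicHeaderParam alg");
        }
    }

    /**
     * Direct encryption: the shared symmetric key becomes the CEK, so the caller's CEK buffer is
     * overwritten with it and the encrypted key is the empty string.
     */
    private String dirEncrypt(byte[] cek) throws PkiException {
        if (cek.length != this.enckey.length) {
            throw new PkiException("enckey length" + this.enckey.length + " no match!");
        }
        Arrays.fill(cek, (byte) 0);
        byte[] sharedKey = this.enckey;
        System.arraycopy(sharedKey, 0, cek, 0, sharedKey.length);
        return "";
    }

    /**
     * ECDH-ES key management: generates an ephemeral key pair on the recipient's curve, derives a
     * key from the agreement result, then either wraps the CEK with it or (direct mode) overwrites
     * the caller's CEK buffer with the derived key. The ephemeral public key and party info are
     * written to the unprotected header.
     */
    private String ecdhEncrypt(byte[] cek, IJWEKeyAgreement keyAgreement, IJWEKDF ijwekdf, IJWEKeyWrap keyWrap, String contentAlgo) throws PkiException {
        if (keyAgreement == null) {
            throw new PkiException("no set IJWEKeyAgreement implement!");
        }
        if (ijwekdf == null) {
            throw new PkiException("no set IJWEKDF implement!");
        }
        boolean directMode = this.cekAlgoName.equals(JWE.ENCRYPT_CEK_ALGO_ECDH_ES);
        if (!directMode && keyWrap == null) {
            // Same message as aesKeyWrap; previously this path ended in a NullPointerException.
            throw new PkiException("no set IJWEKeyWrap implement!");
        }
        SubjectPublicKeyInfo recipientKey = this.encCert.getSubjectPublicKeyInfo();
        SubjectPublicKeyInfo ephemeralKey = keyAgreement.generateTempEccKeyPair(getECCCurveOid(recipientKey));
        byte[] sharedSecret = keyAgreement.ecdhkeyAgreement(recipientKey);
        byte[] otherInfo = Utils.encodeOtherInfo(contentAlgo, this.cekAlgoName, this.ecdhParams_partyUInfo, this.ecdhParams_partyVInfo);
        int derivedKeyBytes = (Utils.getKekBit(this.cekAlgoName, contentAlgo) + 7) / 8;
        byte[] derivedKey = ijwekdf.eccKDF("SHA256", sharedSecret, otherInfo, derivedKeyBytes);
        byte[] wrappedKey;
        if (directMode) {
            if (cek.length != derivedKey.length) {
                // The message used to read this.enckey.length; enckey is only set by setKey and is
                // null for certificate recipients, so the real error was hidden behind an NPE.
                throw new PkiException("deriveKeyLen length" + derivedKey.length + " no match key length " + cek.length);
            }
            Arrays.fill(cek, (byte) 0);
            System.arraycopy(derivedKey, 0, cek, 0, derivedKey.length);
            wrappedKey = null;
        } else {
            wrappedKey = keyWrap.keywrap(this.cekAlgoName, derivedKey, cek);
        }
        setECHeaderParams(ephemeralKey);
        // NOTE(review): in direct mode null is passed to the encoder; encryptKek rejects a null
        // result, so confirm that Utils.getBase64URLEncode(null) returns an empty string.
        return Utils.getBase64URLEncode(wrappedKey);
    }

    /** Returns the named-curve OID string from the key's algorithm parameters, or throws if it cannot be read. */
    private String getECCCurveOid(SubjectPublicKeyInfo subjectPublicKeyInfo) throws PkiException {
        try {
            ASN1Object param = subjectPublicKeyInfo.getAlgorithm().getParam();
            if (param instanceof ObjectIdentifier) {
                return ((ObjectIdentifier) param).getString();
            }
            if (param instanceof Unknown) {
                return ((ObjectIdentifier) ((Unknown) param).to(ObjectIdentifierType.getInstance())).getString();
            }
        } catch (Exception unused) {
            // Any decoding problem is reported with the same message as an unsupported parameter type.
        }
        throw new PkiException("getECCCurveOid fail");
    }

    /** Maps the key's curve OID to the "crv" value written into the ephemeral public key header. */
    private String getECPulicKeyCrv(SubjectPublicKeyInfo subjectPublicKeyInfo) throws PkiException {
        String curveOid = getECCCurveOid(subjectPublicKeyInfo);
        if ("1.3.132.0.35".equals(curveOid)) { // secp521r1
            return "P-521";
        }
        if ("1.3.132.0.34".equals(curveOid)) { // secp384r1
            return "P-384";
        }
        if ("1.2.840.10045.3.1.7".equals(curveOid)) { // prime256v1
            return "P-256";
        }
        if (curveOid.equals(AlgorithmIdentifier.SM2Curve_OID)) {
            return "SM2";
        }
        throw new PkiException("no support PulicKeyCrv!");
    }

    /** Creates an empty recipient builder. */
    public static JWERecipienter getInstance() {
        return new JWERecipienter();
    }

    /** True when the certificate's public-key algorithm OID is the EC public key OID. */
    private boolean isECCCert(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectPublicKeyInfo().getAlgorithm().getOid().equals(AlgorithmIdentifier.ECPubKey_OID);
    }

    /**
     * Checks one keyUsage bit. A certificate without a keyUsage extension is accepted, as in the
     * original code. A certificate whose extensions cannot be read is rejected: the decompiled
     * source left that path undefined (the variable was unassigned after the catch), and refusing
     * the certificate is the conservative reading.
     */
    private boolean hasKeyUsageBit(X509Certificate cert, int bit) {
        try {
            Extensions extensions = cert.getExtensions();
            if (extensions == null) {
                return true;
            }
            Extension keyUsage = extensions.get(Extension.KEYUSAGE_OID);
            if (keyUsage == null) {
                return true;
            }
            return ((NamedBitStringExtension) keyUsage.getExtensionObject()).isSet(bit);
        } catch (PkiException unused) {
            return false;
        }
    }

    /** True when the certificate may be used for key encipherment (or has no keyUsage extension). */
    private boolean isEncCert(X509Certificate x509Certificate) {
        return hasKeyUsageBit(x509Certificate, KEY_USAGE_KEY_ENCIPHERMENT);
    }

    /** True when the certificate may be used for key agreement (or has no keyUsage extension). */
    private boolean isKeyAgreementCert(X509Certificate x509Certificate) {
        return hasKeyUsageBit(x509Certificate, KEY_USAGE_KEY_AGREEMENT);
    }

    /**
     * PBES2 key management: derives a key-encryption key from the configured password bytes with
     * PBKDF2, wraps the CEK with it, and records the salt input and iteration count in the
     * unprotected header so the recipient can repeat the derivation.
     */
    private String pkcs5PBES2KeyWrap(byte[] cek, IJWECipher iJWECipher, IJWEKDF ijwekdf, IJWEKeyWrap keyWrap) throws PkiException {
        if (iJWECipher == null) {
            throw new PkiException("no set IJWECipher implement!");
        }
        if (ijwekdf == null) {
            throw new PkiException("no set IJWEKDF implement!");
        }
        if (keyWrap == null) {
            throw new PkiException("no set IJWEKeyWrap implement!");
        }
        if (!this.hasSetPkcs5PBKDF2Params) {
            throw new PkiException("no set  PBKDF2Params!");
        }
        int derivedKeyLength = Utils.getPBES2KeyWrapDeriveKeyLength(this.cekAlgoName);
        String hashAlgo = Utils.getPBES2KeyWrapDeriveHashAlgo(this.cekAlgoName);
        byte[] salt = Utils.genPBES2Salt(this.cekAlgoName, this.pkcs5PBKDF2Params_salt);
        byte[] kek = ijwekdf.pkcs5PBKDF2(hashAlgo, this.enckey, salt, this.pkcs5PBKDF2Params_iterCount, derivedKeyLength);
        byte[] wrappedKey = keyWrap.keywrap(this.cekAlgoName, kek, cek);
        this.unprotectedHeader.addHeaderValue(HeaderParameterNames.PBES2_SALT_INPUT, Utils.getBase64URLEncode(this.pkcs5PBKDF2Params_salt));
        this.unprotectedHeader.addHeaderValue(HeaderParameterNames.PBES2_ITERATION_COUNT, new JSONNumber(this.pkcs5PBKDF2Params_iterCount));
        return Utils.getBase64URLEncode(wrappedKey);
    }

    /**
     * Writes the ephemeral EC public key (as a JWK-style object) and any party info into the
     * unprotected header.
     *
     * <p>NOTE(review): the coordinates are encoded exactly as toByteArray() returns them. If that
     * is a signed, minimal-length encoding, the values may carry a leading zero byte or be shorter
     * than the curve size, which JWK consumers can reject - confirm against ECCPublicKey.
     */
    private void setECHeaderParams(SubjectPublicKeyInfo subjectPublicKeyInfo) throws PkiException {
        ECCPublicKey publicKey = new ECCPublicKey(subjectPublicKeyInfo);
        byte[] x = publicKey.getX() == null ? null : publicKey.getX().toByteArray();
        if (x == null) {
            throw new PkiException("get ecc X fail!");
        }
        byte[] y = publicKey.getY() == null ? null : publicKey.getY().toByteArray();
        if (y == null) {
            throw new PkiException("get ecc Y fail!");
        }
        String encodedX = Utils.getBase64URLEncode(x);
        String encodedY = Utils.getBase64URLEncode(y);
        JSONObject ephemeralJwk = new JSONObject();
        ephemeralJwk.add("kty", new JSONString("EC"));
        ephemeralJwk.add("crv", new JSONString(getECPulicKeyCrv(subjectPublicKeyInfo)));
        ephemeralJwk.add("x", new JSONString(encodedX));
        ephemeralJwk.add("y", new JSONString(encodedY));
        this.unprotectedHeader.addHeaderValue(HeaderParameterNames.EPHEMERAL_PUBLIC_KEY, ephemeralJwk);
        byte[] partyU = this.ecdhParams_partyUInfo;
        if (partyU != null) {
            this.unprotectedHeader.addHeaderValue(HeaderParameterNames.AGREEMENT_PARTY_U_INFO, Utils.getBase64URLEncode(partyU));
        }
        byte[] partyV = this.ecdhParams_partyVInfo;
        if (partyV != null) {
            this.unprotectedHeader.addHeaderValue(HeaderParameterNames.AGREEMENT_PARTY_V_INFO, Utils.getBase64URLEncode(partyV));
        }
    }

    /** Adds the algorithm (when requested) and the certificate identification to the per-recipient header. */
    private void updateRecipientUnprotectedHeader(IHash iHash, boolean includeAlgorithm) throws PkiException {
        if (includeAlgorithm) {
            this.unprotectedHeader.addHeaderValue(HeaderParameterNames.ALGORITHM, this.cekAlgoName);
        }
        Utils.addCertInfo(this.unprotectedHeader, this.certIdType, this.encCert, iHash, this.certsChain);
    }

    /**
     * Sets the certificate chain passed on to the certificate header information.
     *
     * @param arrayList the chain; stored by reference, not copied
     * @return this recipient, for chaining
     */
    public JWERecipienter addCertChain(ArrayList<X509Certificate> arrayList) {
        this.certsChain = arrayList;
        return this;
    }

    /**
     * Adds a string-valued parameter to the per-recipient unprotected header.
     *
     * @param str header parameter name; the algorithm parameter and duplicates are rejected
     * @param str2 header parameter value
     * @return this recipient, for chaining
     * @throws PkiException if the name is the algorithm parameter or is already present
     */
    public JWERecipienter addUnProtectedHeader(String str, String str2) throws PkiException {
        checkPublicHeaderParam(str);
        checkDupHeader(str);
        this.unprotectedHeader.addHeaderValue(str, str2);
        this.hasSetUnprotectedHeader = true;
        return this;
    }

    /**
     * Adds a JSON-valued parameter to the per-recipient unprotected header.
     *
     * @param str header parameter name; the algorithm parameter and duplicates are rejected
     * @param json header parameter value
     * @return this recipient, for chaining
     * @throws PkiException if the name is the algorithm parameter or is already present
     */
    public JWERecipienter addUnProtectedHeader(String str, JSON json) throws PkiException {
        checkPublicHeaderParam(str);
        checkDupHeader(str);
        this.unprotectedHeader.addHeaderValue(str, json);
        this.hasSetUnprotectedHeader = true;
        return this;
    }

    /**
     * Produces this recipient's encrypted key for the given content-encryption key.
     *
     * @param i2 serialization selector; 1 is compact serialization (caller-set unprotected headers
     *     are refused), 2 fills in the per-recipient header
     * @param str content-encryption algorithm name; must be compatible with the configured
     *     key-management algorithm
     * @param bArr the content-encryption key; in direct and ECDH-ES direct mode this buffer is
     *     overwritten with the agreed key
     * @param iJWEPublicKeyEncrypter public-key encrypter, needed for RSA and SM2 algorithms
     * @param iJWECipher cipher implementation; only checked for presence in PBES2 mode
     * @param iRandomGenerator not used by this method
     * @param iJWEKeyWrap key-wrap implementation, needed for AES, PBES2 and ECDH-ES key-wrap modes
     * @param ijwekdf key-derivation implementation, needed for PBES2 and ECDH-ES modes
     * @param iJWEKeyAgreement key-agreement implementation, needed for ECDH-ES modes
     * @param iHash hash implementation handed to the certificate header helper
     * @param z whether the algorithm is written into the per-recipient header
     * @return the recipient info holding header, encrypted key, algorithm and certificate
     * @throws PkiException if no algorithm is configured, the algorithms do not match, a required
     *     implementation is missing, or the key operation fails
     */
    public JWERecipientInfo encryptKek(int i2, String str, byte[] bArr, IJWEPublicKeyEncrypter iJWEPublicKeyEncrypter, IJWECipher iJWECipher, IRandomGenerator iRandomGenerator, IJWEKeyWrap iJWEKeyWrap, IJWEKDF ijwekdf, IJWEKeyAgreement iJWEKeyAgreement, IHash iHash, boolean z) throws PkiException {
        if (i2 == SERIALIZATION_COMPACT && this.hasSetUnprotectedHeader) {
            throw new PkiException("COMPACT_SERIALIZATION JWE Cannt set UnprotectedHeader !");
        }
        String keyAlgo = this.cekAlgoName;
        if (keyAlgo == null) {
            // Neither setCert nor setKey was called; report it instead of failing with an NPE below.
            throw new PkiException("no set cek algo");
        }
        if (!Utils.isKEKAlgoMatchCEKAlgo(keyAlgo, str)) {
            throw new PkiException("contentEncryptedAlgo" + str + "no match cek algo!" + keyAlgo);
        }
        String encryptedKey;
        if (isRsaAlgo(keyAlgo) || isSm2Algo(keyAlgo)) {
            encryptedKey = certEncrypt(bArr, iJWEPublicKeyEncrypter);
        } else if (isAesKeyWrapAlgo(keyAlgo)) {
            encryptedKey = aesKeyWrap(bArr, iJWEKeyWrap);
        } else if (JWE.ENCRYPT_CEK_ALGO_DIR.equals(keyAlgo)) {
            encryptedKey = dirEncrypt(bArr);
        } else if (isPbes2Algo(keyAlgo)) {
            encryptedKey = pkcs5PBES2KeyWrap(bArr, iJWECipher, ijwekdf, iJWEKeyWrap);
        } else if (isEcdhAlgo(keyAlgo)) {
            encryptedKey = ecdhEncrypt(bArr, iJWEKeyAgreement, ijwekdf, iJWEKeyWrap, str);
        } else {
            throw new PkiException("no supprort encryptKek algo !");
        }
        if (encryptedKey == null) {
            throw new PkiException("encryptKek fail, encryptedKey is null!");
        }
        if (i2 == SERIALIZATION_WITH_RECIPIENT_HEADER) {
            updateRecipientUnprotectedHeader(iHash, z);
        }
        return new JWERecipientInfo(this.unprotectedHeader, encryptedKey, this.cekAlgoName, this.certIdType, this.encCert);
    }

    /** Returns the configured key-management algorithm name, or null if none was set. */
    public String getCekAlgo() {
        return this.cekAlgoName;
    }

    /** Returns the recipient certificate, or null if none was set. */
    public X509Certificate getCert() {
        return this.encCert;
    }

    /** Returns the certificate chain exactly as passed to {@link #addCertChain} (not a copy). */
    public ArrayList<X509Certificate> getCertChain() {
        return this.certsChain;
    }

    /** Returns the live per-recipient unprotected header object (not a copy). */
    public Header getUnProtectHeader() {
        return this.unprotectedHeader;
    }

    /**
     * Configures a certificate-based recipient.
     *
     * <p>The certificate must be within its validity period and match the algorithm's key type and
     * key usage. RSA1_5 is accepted; it is presumably RSAES-PKCS1-v1_5 key transport, which is
     * retained in JOSE for compatibility, and the OAEP variants are the better default where the
     * recipient supports them.
     *
     * @param i2 certificate identification type, 0 to 4
     * @param str key-management algorithm name (RSA, SM2 or ECDH-ES family)
     * @param x509Certificate recipient certificate
     * @return this recipient, for chaining
     * @throws PkiException if an argument is invalid or the certificate does not fit the algorithm
     */
    public JWERecipienter setCert(int i2, String str, X509Certificate x509Certificate) throws PkiException {
        if (i2 < 0 || i2 > 4) {
            throw new PkiException("bad certIdType");
        }
        if (x509Certificate == null) {
            throw new PkiException("cert is null");
        }
        if (!isRsaAlgo(str) && !isSm2Algo(str) && !isEcdhAlgo(str)) {
            throw new PkiException("bad algoName " + str);
        }
        checkCertMatchEncAlgo(x509Certificate, str);
        this.certIdType = i2;
        this.encCert = x509Certificate;
        this.cekAlgoName = str;
        return this;
    }

    /**
     * Sets the optional party info values used in the ECDH-ES key derivation and headers.
     *
     * @param bArr party U info, may be null; stored by reference
     * @param bArr2 party V info, may be null; stored by reference
     * @return this recipient, for chaining
     */
    public JWERecipienter setECDHParams(byte[] bArr, byte[] bArr2) {
        this.ecdhParams_partyUInfo = bArr;
        this.ecdhParams_partyVInfo = bArr2;
        return this;
    }

    /**
     * Configures a symmetric-key recipient (AES key wrap, AES-GCM key wrap, direct, or PBES2).
     *
     * @param bArr key or password bytes; stored by reference, so the caller must not clear or reuse
     *     the array before {@link #encryptKek} has run
     * @param str key-management algorithm name
     * @return this recipient, for chaining
     * @throws PkiException if the algorithm is not a symmetric one, the key is null, or its length
     *     does not fit the algorithm
     */
    public JWERecipienter setKey(byte[] bArr, String str) throws PkiException {
        if (!isAesKeyWrapAlgo(str) && !JWE.ENCRYPT_CEK_ALGO_DIR.equals(str) && !isPbes2Algo(str)) {
            throw new PkiException("bad algo " + str);
        }
        if (bArr == null) {
            throw new PkiException("key value is null");
        }
        if (!Utils.IsKEKAlgoMatchKeyLength(str, bArr.length)) {
            throw new PkiException("key length " + bArr.length + "no match algo " + str);
        }
        this.enckey = bArr;
        this.cekAlgoName = str;
        return this;
    }

    /**
     * Sets the PBKDF2 salt input and iteration count for PBES2 algorithms.
     *
     * <p>The limits enforced here (8 salt bytes, 1000 iterations) are the floor given in RFC 7518;
     * current password-hashing guidance calls for far higher iteration counts, so callers should
     * choose the count deliberately rather than pass the minimum.
     *
     * @param bArr salt input, at least 8 bytes; stored by reference
     * @param i2 iteration count, at least 1000
     * @return this recipient, for chaining
     * @throws PkiException if the salt is null or too short, or the iteration count is too low
     */
    public JWERecipienter setPBKDF2Params(byte[] bArr, int i2) throws PkiException {
        if (bArr == null) {
            throw new PkiException("salt param is null");
        }
        if (bArr.length < MIN_PBES2_SALT_LENGTH) {
            throw new PkiException("salt length less than 8");
        }
        if (i2 < MIN_PBES2_ITERATIONS) {
            throw new PkiException("iterCount count less than 1000");
        }
        this.pkcs5PBKDF2Params_salt = bArr;
        this.pkcs5PBKDF2Params_iterCount = i2;
        this.hasSetPkcs5PBKDF2Params = true;
        return this;
    }
}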
