package com.couchbase.client.encryption.internal;

import com.couchbase.client.core.annotation.Stability;
import com.couchbase.client.encryption.Decrypter;
import com.couchbase.client.encryption.EncryptionResult;
import com.couchbase.client.encryption.Keyring;
import com.couchbase.client.encryption.errors.CryptoKeyNotFoundException;
import com.couchbase.client.encryption.errors.InvalidCiphertextException;
import com.couchbase.client.encryption.errors.InvalidKeySizeException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;

@Stability.Internal
/* loaded from: input_file:com/couchbase/client/encryption/internal/LegacyAesDecrypter.class */
public class LegacyAesDecrypter implements Decrypter {
    private final String algorithmName;
    private final int encryptionKeySize;
    private final Keyring keyring;
    private final Function<String, String> encryptionKeyNameToSigningKeyName;

    private LegacyAesDecrypter(String str, int i, Keyring keyring, Function<String, String> function) {
        this.keyring = (Keyring) Objects.requireNonNull(keyring);
        this.encryptionKeyNameToSigningKeyName = (Function) Objects.requireNonNull(function);
        this.algorithmName = (String) Objects.requireNonNull(str);
        this.encryptionKeySize = i;
    }

    public static Decrypter aes128(Keyring keyring, Function<String, String> function) {
        return new LegacyAesDecrypter("AES-128-HMAC-SHA256", 16, keyring, function);
    }

    public static Decrypter aes256(Keyring keyring, Function<String, String> function) {
        return new LegacyAesDecrypter("AES-256-HMAC-SHA256", 32, keyring, function);
    }

    private int getKeySize() {
        return this.encryptionKeySize;
    }

    @Override // com.couchbase.client.encryption.Decrypter
    public String algorithm() {
        return this.algorithmName;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r2v4, types: [byte[], byte[][]] */
    @Override // com.couchbase.client.encryption.Decrypter
    public byte[] decrypt(EncryptionResult encryptionResult) throws Exception {
        String algorithm = encryptionResult.getAlgorithm();
        String string = encryptionResult.getString("kid");
        byte[] bytes = encryptionResult.getBytes("iv");
        byte[] bytes2 = encryptionResult.getBytes("ciphertext");
        if (!MessageDigest.isEqual(encryptionResult.getBytes("sig"), sign(getSigningKeyName(string), new byte[]{(string + algorithm + encryptionResult.getString("iv") + encryptionResult.getString("ciphertext")).getBytes(Charset.defaultCharset())}))) {
            throw new InvalidCiphertextException("Signature does not match.");
        }
        ZeroizableSecretKey aesKey = getAesKey(string);
        Throwable th = null;
        try {
            try {
                IvParameterSpec ivParameterSpec = new IvParameterSpec(bytes);
                Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
                cipher.init(2, aesKey, ivParameterSpec);
                byte[] doFinal = cipher.doFinal(bytes2);
                if (aesKey != null) {
                    if (0 != 0) {
                        try {
                            aesKey.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        aesKey.close();
                    }
                }
                return doFinal;
            } finally {
            }
        } catch (Throwable th3) {
            if (aesKey != null) {
                if (th != null) {
                    try {
                        aesKey.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    aesKey.close();
                }
            }
            throw th3;
        }
    }

    private ZeroizableSecretKey getKey(String str, String str2) {
        Zeroizer zeroizer = new Zeroizer();
        Throwable th = null;
        try {
            try {
                ZeroizableSecretKey zeroizableSecretKey = new ZeroizableSecretKey(zeroizer.add(this.keyring.getOrThrow(str).bytes()), str2);
                if (zeroizer != null) {
                    if (0 != 0) {
                        try {
                            zeroizer.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        zeroizer.close();
                    }
                }
                return zeroizableSecretKey;
            } finally {
            }
        } catch (Throwable th3) {
            if (zeroizer != null) {
                if (th != null) {
                    try {
                        zeroizer.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    zeroizer.close();
                }
            }
            throw th3;
        }
    }

    private ZeroizableSecretKey getAesKey(String str) {
        ZeroizableSecretKey key = getKey(str, "AES");
        int size = key.size();
        if (size == getKeySize()) {
            return key;
        }
        key.destroy();
        throw new InvalidKeySizeException(algorithm() + " requires key with " + getKeySize() + " bytes but key '" + str + "' has " + size + " bytes.");
    }

    private String getSigningKeyName(String str) {
        return (String) Optional.of(this.encryptionKeyNameToSigningKeyName.apply(str)).orElseThrow(() -> {
            return new CryptoKeyNotFoundException("No mapping to signature key name found for encryption key '" + str + "'");
        });
    }

    private byte[] sign(String str, byte[]... bArr) throws Exception {
        ZeroizableSecretKey key = getKey(str, "HMAC");
        Throwable th = null;
        try {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(key);
                for (byte[] bArr2 : bArr) {
                    mac.update(bArr2);
                }
                byte[] doFinal = mac.doFinal();
                if (key != null) {
                    if (0 != 0) {
                        try {
                            key.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        key.close();
                    }
                }
                return doFinal;
            } finally {
            }
        } catch (Throwable th3) {
            if (key != null) {
                if (th != null) {
                    try {
                        key.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    key.close();
                }
            }
            throw th3;
        }
    }
}
