package net.corda.node.services.persistence;

import java.nio.ByteBuffer;
import java.security.Key;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import javax.persistence.criteria.CriteriaQuery;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.Unit;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import net.corda.core.crypto.CryptoUtils;
import net.corda.core.crypto.SecureHash;
import net.corda.core.identity.Party;
import net.corda.core.internal.InternalUtils;
import net.corda.core.serialization.SingletonSerializeAsToken;
import net.corda.node.services.EncryptionService;
import net.corda.node.services.persistence.AesDbEncryptionService;
import net.corda.nodeapi.internal.crypto.AesEncryption;
import net.corda.nodeapi.internal.persistence.CordaPersistence;
import net.corda.nodeapi.internal.persistence.DatabaseTransaction;
import org.hibernate.Session;
import org.hibernate.annotations.Type;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: AesDbEncryptionService.kt */
@Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��V\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0012\n\u0002\b\u0005\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0005\u0018�� \u001f2\u00020\u00012\u00020\u0002:\u0002\u001f B\r\u0012\u0006\u0010\u0003\u001a\u00020\u0004¢\u0006\u0002\u0010\u0005J\u0018\u0010\f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\tH\u0002J\u0010\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u0014H\u0016J\u001a\u0010\u0015\u001a\u00020\u00142\u0006\u0010\u0016\u001a\u00020\u00142\b\u0010\u0017\u001a\u0004\u0018\u00010\u0014H\u0016J\u0012\u0010\u0018\u001a\u0004\u0018\u00010\u00142\u0006\u0010\u0013\u001a\u00020\u0014H\u0016J\u000e\u0010\u0019\u001a\u00020\u001a2\u0006\u0010\u000e\u001a\u00020\u000fJ\u0010\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u0013\u001a\u00020\u0014H\u0002J\u000e\u0010\u001d\u001a\u0004\u0018\u00010\u0014*\u00020\u001cH\u0002J\f\u0010\u001e\u001a\u00020\u0014*\u00020\tH\u0002R6\u0010\u0006\u001a*\u0012\u0010\u0012\u000e\u0012\u0004\u0012\u00020\t\u0012\u0004\u0012\u00020\n0\b0\u0007j\u0014\u0012\u0010\u0012\u000e\u0012\u0004\u0012\u00020\t\u0012\u0004\u0012\u00020\n0\b`\u000bX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082\u0004¢\u0006\u0002\n��¨\u0006!"}, d2 = {"Lnet/corda/node/services/persistence/AesDbEncryptionService;", "Lnet/corda/node/services/EncryptionService;", "Lnet/corda/core/serialization/SingletonSerializeAsToken;", "database", "Lnet/corda/nodeapi/internal/persistence/CordaPersistence;", "(Lnet/corda/nodeapi/internal/persistence/CordaPersistence;)V", "aesKeys", "Ljava/util/ArrayList;", "Lkotlin/Pair;", "Ljava/util/UUID;", "Ljavax/crypto/SecretKey;", 
"Lkotlin/collections/ArrayList;", "createKEK", "Ljava/security/Key;", "ourIdentity", "Lnet/corda/core/identity/Party;", "keyId", "decrypt", "Lnet/corda/node/services/EncryptionService$PlaintextAndAAD;", "ciphertext", "", "encrypt", "plaintext", "additionalData", "extractUnauthenticatedAdditionalData", "start", "", "wrap", "Ljava/nio/ByteBuffer;", "getAdditionaData", "toByteArray", "Companion", "EncryptionKeyRecord", "node"})
@SourceDebugExtension({"SMAP\nAesDbEncryptionService.kt\nKotlin\n*S Kotlin\n*F\n+ 1 AesDbEncryptionService.kt\nnet/corda/node/services/persistence/AesDbEncryptionService\n+ 2 fake.kt\nkotlin/jvm/internal/FakeKt\n*L\n1#1,159:1\n1#2:160\n*E\n"})
/* loaded from: input_file:net/corda/node/services/persistence/AesDbEncryptionService.class */
public final class AesDbEncryptionService extends SingletonSerializeAsToken implements EncryptionService {

    // Kotlin companion-object instance (compiler-generated holder; the nested Companion class has no members of its own).
    @NotNull
    public static final Companion Companion = new Companion(null);

    // Database handle; start() runs its transaction against this to load or create the key records.
    @NotNull
    private final CordaPersistence database;

    // In-memory (key id, unwrapped AES key) pairs. Appended to by start(), read by encrypt() and decrypt().
    // These are the raw data-encryption keys, so this list is the sensitive state of the service.
    @NotNull
    private final ArrayList<Pair<UUID, SecretKey>> aesKeys;
    // Presumably the number of keys start() generates on first run; the decompiled loop inlines the literal 10 — confirm against the Kotlin source.
    private static final int INITIAL_KEY_COUNT = 10;
    // Size in bytes of a serialised key id; toByteArray() allocates 16 bytes and extractUnauthenticatedAdditionalData() skips 16.
    private static final int UUID_BYTES = 16;
    // Leading version byte of every ciphertext; encrypt() writes 1 and wrap() rejects anything else.
    private static final int VERSION_TAG = 1;

    /* compiled from: AesDbEncryptionService.kt */
    @Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��\u0014\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010\b\n\u0002\b\u0003\b\u0086\u0003\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\u0005\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\u0006\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��¨\u0006\u0007"}, d2 = {"Lnet/corda/node/services/persistence/AesDbEncryptionService$Companion;", "", "()V", "INITIAL_KEY_COUNT", "", "UUID_BYTES", "VERSION_TAG", "node"})
    /* loaded from: input_file:net/corda/node/services/persistence/AesDbEncryptionService$Companion.class */
    /**
     * Compiler-generated holder for the Kotlin companion object. It declares no members here;
     * the companion's constants appear as private static fields on the outer class.
     */
    public static final class Companion {
        // Private so that only the synthetic constructor below can create the singleton.
        private Companion() {
        }

        // Synthetic bridge constructor emitted by the Kotlin compiler; the marker argument is unused.
        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /* compiled from: AesDbEncryptionService.kt */
    @Table(name = "node_aes_encryption_keys")
    @Entity
    @Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��\u0018\n\u0002\u0018\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0012\n\u0002\b\u0006\b\u0017\u0018��2\u00020\u0001B\u0015\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005¢\u0006\u0002\u0010\u0006R\u0016\u0010\u0002\u001a\u00020\u00038\u0016X\u0097\u0004¢\u0006\b\n��\u001a\u0004\b\u0007\u0010\bR\u0016\u0010\u0004\u001a\u00020\u00058\u0016X\u0097\u0004¢\u0006\b\n��\u001a\u0004\b\t\u0010\n¨\u0006\u000b"}, d2 = {"Lnet/corda/node/services/persistence/AesDbEncryptionService$EncryptionKeyRecord;", "", "keyId", "Ljava/util/UUID;", "keyMaterial", "", "(Ljava/util/UUID;[B)V", "getKeyId", "()Ljava/util/UUID;", "getKeyMaterial", "()[B", "node"})
    /* loaded from: input_file:net/corda/node/services/persistence/AesDbEncryptionService$EncryptionKeyRecord.class */
    /**
     * JPA entity for one row of {@code node_aes_encryption_keys}: a key id and the key bytes
     * persisted for it.
     *
     * <p>In this file the only writer is {@code start()}, which stores the output of
     * {@code Cipher.wrap(...)} (AESWrap) in {@code keyMaterial}, not the raw AES key. How much
     * protection that wrapping gives depends entirely on how the wrapping key is derived; see
     * {@code createKEK}.
     */
    public static class EncryptionKeyRecord {

        // Primary key; persisted in textual form per the "uuid-char" Hibernate type.
        @Type(type = "uuid-char")
        @NotNull
        @Id
        @Column(name = "key_id", nullable = false)
        private final UUID keyId;

        // Key bytes as stored in the database (wrapped key material when written by start()).
        @Column(name = "key_material", nullable = false)
        @NotNull
        private final byte[] keyMaterial;

        /**
         * Creates a record for the given key id and key bytes.
         *
         * @param keyId       identifier of the key; must not be null
         * @param keyMaterial bytes to persist; must not be null. The array is stored by
         *                    reference, not copied.
         */
        public EncryptionKeyRecord(@NotNull UUID keyId, @NotNull byte[] keyMaterial) {
            Intrinsics.checkNotNullParameter(keyId, "keyId");
            Intrinsics.checkNotNullParameter(keyMaterial, "keyMaterial");
            this.keyId = keyId;
            this.keyMaterial = keyMaterial;
        }

        /** Returns the key id of this record. */
        @NotNull
        public UUID getKeyId() {
            return this.keyId;
        }

        /**
         * Returns the stored key bytes. This is the internal array itself (no defensive copy),
         * so a caller that mutates it changes the entity's state.
         */
        @NotNull
        public byte[] getKeyMaterial() {
            return this.keyMaterial;
        }

        // No-argument constructor, presumably generated for the persistence provider — confirm.
        // NOTE(review): as decompiled it leaves the final fields unassigned, which is not valid Java source.
        public EncryptionKeyRecord() {
        }
    }

    /**
     * Creates the service with an empty key list. No keys are available until
     * {@link #start(Party)} has loaded or generated them.
     *
     * @param database persistence handle used by {@code start}; must not be null
     */
    public AesDbEncryptionService(@NotNull CordaPersistence database) {
        Intrinsics.checkNotNullParameter(database, "database");
        // The key list starts empty; start() is the only method in this class that adds to it.
        this.aesKeys = new ArrayList<>();
        this.database = database;
    }

    /**
     * Loads the node's AES keys from the database into {@code aesKeys}, or creates and persists
     * an initial set if the table is empty. All work runs inside one database transaction.
     *
     * <p>Existing rows are unwrapped with a key-encryption key (KEK) from
     * {@code createKEK(ourIdentity, keyId)}. When there are no rows, ten random keys are
     * generated, each is wrapped under its own KEK, and only the wrapped bytes are saved.
     *
     * <p>NOTE(review): every call appends to {@code aesKeys} without clearing it, so this looks
     * intended to be called exactly once per instance — confirm against the caller.
     *
     * @param ourIdentity identity whose name feeds the KEK derivation; must not be null
     */
    public final void start(@NotNull final Party ourIdentity) {
        Intrinsics.checkNotNullParameter(ourIdentity, "ourIdentity");
        // transaction$default is the Kotlin synthetic for a call that relies on a default argument;
        // the trailing "1, (Object) null" are the compiler's default mask and marker.
        CordaPersistence.transaction$default(this.database, false, new Function1<DatabaseTransaction, Unit>() { // from class: net.corda.node.services.persistence.AesDbEncryptionService$start$1
            /* JADX INFO: Access modifiers changed from: package-private */
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super(1);
            }

            /* renamed from: invoke, reason: avoid collision after fix types in other method */
            public final void invoke2(@NotNull DatabaseTransaction transaction) {
                Key createKEK;
                ArrayList arrayList;
                ArrayList arrayList2;
                Key createKEK2;
                Intrinsics.checkNotNullParameter(transaction, "$this$transaction");
                // Select every EncryptionKeyRecord row.
                CriteriaQuery createQuery = transaction.getSession().getCriteriaBuilder().createQuery(AesDbEncryptionService.EncryptionKeyRecord.class);
                createQuery.select(createQuery.from(AesDbEncryptionService.EncryptionKeyRecord.class));
                List<AesDbEncryptionService.EncryptionKeyRecord> resultList = transaction.getSession().createQuery(createQuery).getResultList();
                // One AES key-wrap cipher instance is re-initialised for each key below.
                Cipher cipher = Cipher.getInstance("AESWrap");
                if (!resultList.isEmpty()) {
                    // Keys already exist: unwrap each stored record into memory.
                    for (AesDbEncryptionService.EncryptionKeyRecord encryptionKeyRecord : resultList) {
                        createKEK = AesDbEncryptionService.this.createKEK(ourIdentity, encryptionKeyRecord.getKeyId());
                        // 4 == Cipher.UNWRAP_MODE
                        cipher.init(4, createKEK);
                        // 3 == Cipher.SECRET_KEY; unwrap() fails if the stored bytes do not verify under this KEK.
                        Key unwrap = cipher.unwrap(encryptionKeyRecord.getKeyMaterial(), "AES", 3);
                        Intrinsics.checkNotNull(unwrap, "null cannot be cast to non-null type javax.crypto.SecretKey");
                        SecretKey secretKey = (SecretKey) unwrap;
                        arrayList = AesDbEncryptionService.this.aesKeys;
                        arrayList.add(new Pair(encryptionKeyRecord.getKeyId(), secretKey));
                    }
                    return;
                }
                // Empty table: generate the initial key set and persist it in wrapped form.
                AesDbEncryptionService aesDbEncryptionService = AesDbEncryptionService.this;
                Party party = ourIdentity;
                for (int i = 0; i < 10; i++) {
                    UUID randomUUID = UUID.randomUUID();
                    SecretKey randomKey = AesEncryption.INSTANCE.randomKey();
                    // The raw key is kept only in memory; the database receives the wrapped bytes.
                    arrayList2 = aesDbEncryptionService.aesKeys;
                    arrayList2.add(new Pair(randomUUID, randomKey));
                    Intrinsics.checkNotNull(randomUUID);
                    createKEK2 = aesDbEncryptionService.createKEK(party, randomUUID);
                    // 3 == Cipher.WRAP_MODE
                    cipher.init(3, createKEK2);
                    byte[] wrap = cipher.wrap(randomKey);
                    Session session = transaction.getSession();
                    Intrinsics.checkNotNull(wrap);
                    session.save(new AesDbEncryptionService.EncryptionKeyRecord(randomUUID, wrap));
                }
            }

            // Bridge from the generic Function1.invoke to the typed body above.
            @Override // kotlin.jvm.functions.Function1
            public /* bridge */ /* synthetic */ Unit invoke(DatabaseTransaction databaseTransaction) {
                invoke2(databaseTransaction);
                return Unit.INSTANCE;
            }
        }, 1, (Object) null);
    }

    /**
     * Encrypts {@code plaintext} under one of the loaded keys, chosen at random, and frames the
     * result as:
     *
     * <pre>
     *   1 byte   version (always 1)
     *   16 bytes key id (written by putUUID)
     *   4 bytes  additional-data length (0 when none)
     *   n bytes  additional data, in the clear
     *   rest     output of AesEncryption.encrypt
     * </pre>
     *
     * <p>The additional data is passed to {@code AesEncryption.encrypt} and also stored
     * unencrypted in the frame, so it must not contain anything confidential. The version byte
     * and key id are not passed to {@code AesEncryption.encrypt}.
     *
     * <p>If no keys are loaded, the random index selection fails because the bound is zero.
     *
     * @param plaintext data to encrypt; must not be null
     * @param bArr      optional additional data, or null
     * @return the framed ciphertext
     */
    @Override
    @NotNull
    public byte[] encrypt(@NotNull byte[] plaintext, @Nullable byte[] bArr) {
        Intrinsics.checkNotNullParameter(plaintext, "plaintext");
        int keyIndex = CryptoUtils.newSecureRandom().nextInt(this.aesKeys.size());
        Pair<UUID, SecretKey> chosen = this.aesKeys.get(keyIndex);
        UUID keyId = chosen.component1();
        byte[] encrypted = AesEncryption.INSTANCE.encrypt(chosen.component2(), plaintext, bArr);

        int aadLength = bArr == null ? 0 : bArr.length;
        // 21 = 1 (version) + 16 (key id) + 4 (additional-data length)
        ByteBuffer frame = ByteBuffer.allocate(21 + aadLength + encrypted.length);
        frame.put((byte) 1);
        Intrinsics.checkNotNull(frame);
        AesDbEncryptionServiceKt.putUUID(frame, keyId);
        frame.putInt(aadLength);
        if (bArr != null) {
            frame.put(bArr);
        }
        frame.put(encrypted);

        byte[] framed = frame.array();
        Intrinsics.checkNotNullExpressionValue(framed, "array(...)");
        return framed;
    }

    /**
     * Decrypts a frame produced by {@code encrypt}: checks the version byte, reads the key id,
     * looks up the matching key, reads the additional data and hands the remaining bytes to
     * {@code AesEncryption.decrypt} together with that additional data.
     *
     * <p>The version, key id and additional-data length are all parsed before anything has been
     * authenticated, so this header must be treated as untrusted input up to the point where
     * {@code AesEncryption.decrypt} returns.
     *
     * @param ciphertext framed ciphertext; must not be null
     * @return the plaintext together with the additional data read from the frame (null if none)
     * @throws IllegalArgumentException if the version is unknown or no loaded key has the id
     *                                  named in the frame
     */
    @Override
    @NotNull
    public EncryptionService.PlaintextAndAAD decrypt(@NotNull byte[] ciphertext) {
        Intrinsics.checkNotNullParameter(ciphertext, "ciphertext");
        ByteBuffer frame = wrap(ciphertext);
        UUID keyId = AesDbEncryptionServiceKt.getUUID(frame);

        // First entry whose id matches wins; a match holding a null key is treated as "not found".
        SecretKey key = null;
        for (Pair<UUID, SecretKey> entry : this.aesKeys) {
            if (Intrinsics.areEqual(entry.getFirst(), keyId)) {
                key = entry.getSecond();
                break;
            }
        }
        if (key == null) {
            // Deliberately generic message: it does not echo the key id from the input.
            throw new IllegalArgumentException("Unable to decrypt");
        }

        byte[] aad = getAdditionaData(frame);
        return new EncryptionService.PlaintextAndAAD(
                AesEncryption.INSTANCE.decrypt(key, InternalUtils.copyBytes(frame), aad),
                aad);
    }

    /**
     * Reads the additional data out of a frame without decrypting it.
     *
     * <p>Nothing is verified here beyond the version byte: no key is looked up and no
     * authentication is performed, so the returned bytes are whatever the frame claims.
     * Callers should treat the result as untrusted until {@code decrypt} has succeeded on the
     * same ciphertext.
     *
     * @param ciphertext framed ciphertext; must not be null
     * @return the additional data, or null when the frame's length field is not positive
     * @throws IllegalArgumentException if the version is unknown or the frame is too short to
     *                                  hold a key id
     */
    @Override
    @Nullable
    public byte[] extractUnauthenticatedAdditionalData(@NotNull byte[] ciphertext) {
        Intrinsics.checkNotNullParameter(ciphertext, "ciphertext");
        ByteBuffer frame = wrap(ciphertext);
        // Skip the 16-byte key id that follows the version byte.
        int afterKeyId = frame.position() + 16;
        frame.position(afterKeyId);
        return getAdditionaData(frame);
    }

    /**
     * Wraps a framed ciphertext in a {@link ByteBuffer} and consumes its version byte.
     *
     * @param bArr framed ciphertext
     * @return a buffer positioned just after the version byte
     * @throws IllegalArgumentException if the version byte is not 1
     */
    private final ByteBuffer wrap(byte[] bArr) {
        ByteBuffer frame = ByteBuffer.wrap(bArr);
        // An empty array fails here with the buffer's own underflow exception.
        byte version = frame.get();
        if (version != 1) {
            throw new IllegalArgumentException("Unknown version " + version);
        }
        Intrinsics.checkNotNull(frame);
        return frame;
    }

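    /**
     * Reads the length-prefixed additional data at the buffer's current position.
     *
     * <p>The length field comes straight from the ciphertext and is read before anything has
     * been authenticated, so it is bounded against the bytes actually left in the buffer before
     * any array is allocated. Without that bound a frame of a few bytes could request an
     * allocation of up to 2 GiB. The failure mode for an over-long length is unchanged: a
     * {@link java.nio.BufferUnderflowException}, now raised before the allocation rather than
     * after it.
     *
     * @param byteBuffer buffer positioned at the 4-byte length field
     * @return the additional data, or null when the length field is zero or negative
     * @throws java.nio.BufferUnderflowException if fewer than four bytes remain, or the declared
     *                                           length exceeds the bytes remaining after the
     *                                           length field
     */
    private final byte[] getAdditionaData(ByteBuffer byteBuffer) {
        int length = byteBuffer.getInt();
        // A non-positive length is treated as "no additional data", as before.
        if (length <= 0) {
            return null;
        }
        // Reject an untrusted length before allocating for it.
        if (length > byteBuffer.remaining()) {
            throw new java.nio.BufferUnderflowException();
        }
        byte[] additionalData = new byte[length];
        byteBuffer.get(additionalData);
        return additionalData;
    }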

    /**
     * Serialises a UUID into a fresh 16-byte array using {@code putUUID}.
     *
     * @param uuid the id to serialise
     * @return the 16-byte backing array of the buffer that {@code putUUID} wrote to
     */
    private final byte[] toByteArray(UUID uuid) {
        ByteBuffer sixteenBytes = ByteBuffer.allocate(16);
        Intrinsics.checkNotNull(sixteenBytes);
        AesDbEncryptionServiceKt.putUUID(sixteenBytes, uuid);
        byte[] encoded = sixteenBytes.array();
        Intrinsics.checkNotNullExpressionValue(encoded, "array(...)");
        return encoded;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Derives the key-encryption key (KEK) used to wrap and unwrap one stored AES key.
     *
     * <p>The KEK is the first 16 bytes of a digest (algorithm named by
     * {@code SecureHash.SHA2_256}) over the encoded X.500 name of {@code party} followed by the
     * 16-byte key id.
     *
     * <p>NOTE(review): neither input looks secret. The key id is stored next to the wrapped key
     * in {@code node_aes_encryption_keys} and is written into every ciphertext by
     * {@code encrypt}; the party name is presumably the node's published legal name — confirm.
     * If so, anyone who can read the key table can recompute the KEK, and the wrapping should be
     * regarded as binding keys to an identity rather than as confidentiality protection for the
     * stored key material. Access control on the table, or a KEK rooted in a secret held outside
     * the database, would be needed for the latter. Changing the derivation also requires
     * migrating existing rows, since they are wrapped under this KEK.
     *
     * @param party identity whose name is mixed into the derivation
     * @param uuid  id of the key being wrapped or unwrapped
     * @return a 128-bit AES key specification
     */
    public final Key createKEK(Party party, UUID uuid) {
        MessageDigest digester = MessageDigest.getInstance(SecureHash.SHA2_256);
        byte[] encodedName = party.getName().getX500Principal().getEncoded();
        digester.update(encodedName);
        digester.update(toByteArray(uuid));
        byte[] digest = digester.digest();
        // Only the leading 16 bytes of the digest are used as key material.
        return new SecretKeySpec(digest, 0, 16, "AES");
    }
}
