package org.dcache.xrootd.plugins.alice;

import java.io.IOException;
import java.io.LineNumberReader;
import java.io.StringReader;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Stack;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:org/dcache/xrootd/plugins/alice/EncryptedAuthzToken.class */
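/**
 * Parses, decrypts and verifies an encrypted authorization token.
 *
 * <p>The token string carries two armoured sections:
 * <ul>
 *   <li>{@code SEALED CIPHER}: Base64 of an RSA (PKCS#1 v1.5) wrapped Blowfish key;</li>
 *   <li>{@code SEALED ENVELOPE}: Base64 of a 4-byte signature length, the
 *       signature itself, and the Blowfish/CBC encrypted envelope.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The token is attacker-controlled input. Every length read from it is
 *       bounds-checked and malformed input is reported as a
 *       {@link GeneralSecurityException}.</li>
 *   <li>The signature covers the plaintext, so it can only be checked after
 *       RSA unwrapping and CBC decryption. Callers should report every failure
 *       to the client identically so that parsing, padding and signature
 *       errors cannot be told apart.</li>
 *   <li>Blowfish with a fixed IV, RSA PKCS#1 v1.5 wrapping and SHA1withRSA are
 *       legacy choices, presumably dictated by the token format. Changing them
 *       requires a matching change on the issuing side.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe.
 */
public class EncryptedAuthzToken {
    private static final String CYPHER_START = "-----BEGIN SEALED CIPHER-----";
    private static final String CYPHER_END = "-----END SEALED CIPHER-----";
    private static final String ENVELOPE_START = "-----BEGIN SEALED ENVELOPE-----";
    private static final String ENVELOPE_END = "-----END SEALED ENVELOPE-----";

    // Fixed 8-byte CBC IV (the ASCII text "$KJh#(}q"). It is written as byte
    // constants so the value does not depend on the platform default charset.
    private static final byte[] BLOWFISH_IV = {'$', 'K', 'J', 'h', '#', '(', '}', 'q'};

    // Size in bytes of the signature-length prefix of the sealed envelope.
    private static final int LENGTH_PREFIX_SIZE = 4;

    private StringBuilder cipherEncryptedBase64;
    private StringBuilder envelopeEncryptedBase64;
    private byte[] symmetricKey;
    private byte[] signature;
    private byte[] envelope;
    private final RSAPrivateKey privKey;
    private final RSAPublicKey pubKey;

    // True only after decrypt() has checked the envelope signature successfully.
    private boolean verified;

    /**
     * Splits the token into its sealed cipher and sealed envelope sections.
     * No cryptographic operation happens until {@link #decrypt()} is called.
     *
     * @param str the armoured token text
     * @param rSAPrivateKey key used to unwrap the symmetric key
     * @param rSAPublicKey key used to verify the envelope signature
     * @throws GeneralSecurityException if the section markers are not well formed
     */
    public EncryptedAuthzToken(String str, RSAPrivateKey rSAPrivateKey, RSAPublicKey rSAPublicKey) throws GeneralSecurityException {
        this.privKey = rSAPrivateKey;
        this.pubKey = rSAPublicKey;
        splitToken(str);
    }

    /**
     * Unwraps the symmetric key, decrypts the envelope and verifies its signature.
     *
     * @return the envelope text, or {@code null} if the signature does not match
     * @throws GeneralSecurityException if the token is malformed or a
     *         cryptographic step fails
     */
    public String decrypt() throws GeneralSecurityException {
        this.verified = false;
        decryptSealedCipher();
        decryptSealedEnvelope();
        this.verified = verifyEnvelope();
        if (this.verified) {
            // NOTE(review): decodes with the platform default charset, as
            // before; confirm the envelope encoding with the token issuer.
            return new String(this.envelope);
        }
        return null;
    }

    /** Unwraps the Blowfish key from the sealed cipher section with the private key. */
    private void decryptSealedCipher() throws GeneralSecurityException {
        byte[] wrappedKey = Base64.decode(this.cipherEncryptedBase64.toString());
        // Defensive: Base64 is a project class whose failure mode is not visible here.
        if (wrappedKey == null || wrappedKey.length == 0) {
            throw new GeneralSecurityException("Illegal format: sealed cipher is empty or not valid Base64");
        }
        Cipher cipher = Cipher.getInstance("RSA/NONE/PKCS1Padding", "BC");
        cipher.init(Cipher.UNWRAP_MODE, this.privKey);
        this.symmetricKey = cipher.unwrap(wrappedKey, "Blowfish", Cipher.SECRET_KEY).getEncoded();
    }

    /**
     * Splits the sealed envelope into signature and ciphertext, then decrypts
     * the ciphertext with the unwrapped Blowfish key.
     */
    private void decryptSealedEnvelope() throws GeneralSecurityException {
        byte[] sealed = Base64.decode(this.envelopeEncryptedBase64.toString());
        if (sealed == null || sealed.length < LENGTH_PREFIX_SIZE) {
            throw new GeneralSecurityException("Illegal format: sealed envelope is too short");
        }

        // Big-endian 32-bit signature length. The previous code masked the
        // bytes without shifting them, so only the low byte was honoured and
        // a length of 256 (a 2048-bit RSA signature) decoded as 0.
        int signatureLength = ((sealed[0] & 0xFF) << 24)
                | ((sealed[1] & 0xFF) << 16)
                | ((sealed[2] & 0xFF) << 8)
                | (sealed[3] & 0xFF);

        // The length comes from the token, so it must be checked before it is
        // used as an array size or offset.
        if (signatureLength < 0 || signatureLength > sealed.length - LENGTH_PREFIX_SIZE) {
            throw new GeneralSecurityException("Illegal format: signature length exceeds sealed envelope");
        }
        int ciphertextOffset = LENGTH_PREFIX_SIZE + signatureLength;

        this.signature = new byte[signatureLength];
        System.arraycopy(sealed, LENGTH_PREFIX_SIZE, this.signature, 0, signatureLength);

        if (this.symmetricKey == null || this.symmetricKey.length < 2) {
            throw new GeneralSecurityException("Illegal format: symmetric key is too short");
        }
        // The last byte of the unwrapped key is not part of the Blowfish key
        // (presumably a trailing terminator added by the issuer; TODO confirm).
        SecretKeySpec secretKeySpec = new SecretKeySpec(this.symmetricKey, 0, this.symmetricKey.length - 1, "Blowfish");
        Cipher cipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding", "BC");
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(BLOWFISH_IV));
        this.envelope = cipher.doFinal(sealed, ciphertextOffset, sealed.length - ciphertextOffset);
    }

    /** Checks the SHA1withRSA signature over the decrypted envelope bytes. */
    private boolean verifyEnvelope() throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA1withRSA", "BC");
        verifier.initVerify(this.pubKey);
        verifier.update(this.envelope);
        return verifier.verify(this.signature);
    }

    /**
     * Collects the Base64 payload lines of the two armoured sections.
     * Lines outside any section are ignored.
     *
     * @throws GeneralSecurityException if an END marker has no matching BEGIN
     *         marker or an envelope section starts inside another section
     */
    private void splitToken(String str) throws GeneralSecurityException {
        this.cipherEncryptedBase64 = new StringBuilder();
        this.envelopeEncryptedBase64 = new StringBuilder();
        Stack<String> openSections = new Stack<String>();
        LineNumberReader reader = new LineNumberReader(new StringReader(str));
        try {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.equals(CYPHER_START)) {
                    openSections.push(CYPHER_START);
                } else if (line.equals(CYPHER_END)) {
                    // isEmpty() guard: an END marker with no BEGIN used to
                    // escape as an unchecked EmptyStackException.
                    if (openSections.isEmpty() || !openSections.peek().equals(CYPHER_START)) {
                        throw new GeneralSecurityException("Illegal format: Cannot parse encrypted cipher");
                    }
                    openSections.pop();
                } else if (line.equals(ENVELOPE_START)) {
                    if (!openSections.isEmpty()) {
                        throw new GeneralSecurityException("Illegal format: Cannot parse encrypted envelope");
                    }
                    openSections.push(ENVELOPE_START);
                } else if (line.equals(ENVELOPE_END)) {
                    if (openSections.isEmpty() || !openSections.peek().equals(ENVELOPE_START)) {
                        throw new GeneralSecurityException("Illegal format: Cannot parse encrypted envelope");
                    }
                    openSections.pop();
                } else if (!openSections.isEmpty()) {
                    if (openSections.peek().equals(CYPHER_START)) {
                        this.cipherEncryptedBase64.append(line);
                    } else if (openSections.peek().equals(ENVELOPE_START)) {
                        this.envelopeEncryptedBase64.append(line);
                    }
                }
            }
        } catch (IOException e) {
            throw new GeneralSecurityException("error reading from token string", e);
        }
        try {
            reader.close();
        } catch (IOException e) {
            throw new GeneralSecurityException("error closing stream where token string was parsed from", e);
        }
    }

    /**
     * Formats {@code i2} bytes of {@code bArr}, starting at index {@code i},
     * as upper-case hex prefixed with {@code str}. Returns an empty string for
     * a {@code null} array. It has no caller in this class; do not use it to
     * log key material.
     */
    private String arrayToHex(String str, byte[] bArr, int i, int i2) {
        if (bArr == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(str + ": ");
        for (int i3 = i; i3 < i + i2; i3++) {
            String hexString = Integer.toHexString(bArr[i3] & 255);
            if (hexString.length() == 1) {
                sb.append("0");
            }
            sb.append(hexString.toUpperCase());
        }
        sb.append(" (total:");
        sb.append(i2);
        sb.append(" bytes)");
        return sb.toString();
    }

    /**
     * Returns the parsed envelope of a token whose signature has been verified.
     *
     * <p>Fails closed: a caller that ignores a {@code null} result from
     * {@link #decrypt()} would otherwise receive unauthenticated content.
     *
     * @throws GeneralSecurityException if {@link #decrypt()} has not completed
     *         with a valid signature
     * @throws CorruptedEnvelopeException if the envelope text cannot be parsed
     */
    public Envelope getEnvelope() throws CorruptedEnvelopeException, GeneralSecurityException {
        if (!this.verified || this.envelope == null) {
            throw new GeneralSecurityException("envelope has not been decrypted and verified");
        }
        return new Envelope(new String(this.envelope));
    }

    static {
        // Registers the "BC" provider that the Cipher and Signature lookups above request.
        Security.addProvider(new BouncyCastleProvider());
    }
}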
