package com.microsoft.sqlserver.jdbc;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.xml.bind.DatatypeConverter;

/* loaded from: input_file:com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionJVMKeyStoreProvider.class */
public class SQLServerColumnEncryptionJVMKeyStoreProvider extends SQLServerColumnEncryptionKeyStoreProvider {
    static final String KEYSTORE_SUFFIX_FOR_WINDOWS = "\\lib\\security\\cacerts";
    static final String KEYSTORE_NAME = "MSSQL_JVM_KEYSTORE";
    String keyStorePath;
    char[] keyStorePwd;
    private static final String THUMBPRINT = "Thumbprint";
    private static final String ALIAS = "Alias";
    static final String KEYSTORE_SUFFIX_FOR_LINUX = null;
    private static final Logger jvmKeyStoreLogger = Logger.getLogger("com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionJVMKeyStoreProvider");
    Map<String, char[]> certificatePasswords = new HashMap();
    private final String rsaEncryptionAlgorithmWithOAEP = "RSA_OAEP";
    private byte[] version = {1};

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionJVMKeyStoreProvider$CertificateDetails.class */
    public class CertificateDetails {
        private X509Certificate certificate;
        private Key privateKey;

        public CertificateDetails(X509Certificate x509Certificate, Key key) {
            this.certificate = x509Certificate;
            this.privateKey = key;
        }
    }

    public SQLServerColumnEncryptionJVMKeyStoreProvider(String str, char[] cArr, Map<String, char[]> map) throws SQLServerException {
        this.keyStorePath = null;
        this.keyStorePwd = null;
        jvmKeyStoreLogger.entering(SQLServerColumnEncryptionJVMKeyStoreProvider.class.getName(), Thread.currentThread().getStackTrace()[1].getMethodName());
        if (null == str) {
            this.keyStorePath = System.getProperty("java.home").trim() + KEYSTORE_SUFFIX_FOR_WINDOWS;
        } else {
            this.keyStorePath = str;
            if (jvmKeyStoreLogger.isLoggable(Level.FINE)) {
                jvmKeyStoreLogger.fine("Path of key store provider is set.");
            }
        }
        if (null == cArr) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_KeyStorePwdNull"), (String) null, 0, false);
        }
        this.keyStorePwd = new char[cArr.length];
        System.arraycopy(cArr, 0, this.keyStorePwd, 0, cArr.length);
        if (jvmKeyStoreLogger.isLoggable(Level.FINE)) {
            jvmKeyStoreLogger.fine("Password for key store provider is set.");
        }
        if (null != map) {
            this.certificatePasswords.putAll(map);
        }
        jvmKeyStoreLogger.exiting(SQLServerColumnEncryptionJVMKeyStoreProvider.class.getName(), Thread.currentThread().getStackTrace()[1].getMethodName(), "Number of certificate-password pairs: " + this.certificatePasswords.size());
    }

    public synchronized void updateColumnMasterKeyCredentials(String str, char[] cArr) {
        this.certificatePasswords.put(str, cArr);
        SQLServerSymmetricKeyCache.getInstance().clear();
    }

    public synchronized void removeColumnMasterKeyCredentials(String str) {
        this.certificatePasswords.remove(str);
        SQLServerSymmetricKeyCache.getInstance().clear();
    }

    private synchronized char[] getCertificatePassword(String str) {
        return this.certificatePasswords.get(str);
    }

    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public byte[] decryptColumnEncryptionKey(String str, String str2, byte[] bArr) throws SQLServerException {
        jvmKeyStoreLogger.entering(SQLServerColumnEncryptionJVMKeyStoreProvider.class.getName(), Thread.currentThread().getStackTrace()[1].getMethodName(), "Decrypting Column Encryption Key.");
        validateMasterKeyDetails(str);
        if (null == bArr) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_NullEncryptedColumnEncryptionKey"), (String) null, 0, false);
        }
        if (0 == bArr.length) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_EmptyEncryptedColumnEncryptionKey"), (String) null, 0, false);
        }
        validateEncryptionAlgorithm(str2);
        byte[] bArr2 = new byte[bArr.length];
        CertificateDetails certificateDetails = getCertificateDetails(str);
        int length = this.version.length;
        short convertTwoBytesToShort = convertTwoBytesToShort(bArr, length);
        int i = length + 2;
        int convertTwoBytesToShort2 = convertTwoBytesToShort(bArr, i);
        int i2 = i + 2 + convertTwoBytesToShort;
        int length2 = (bArr.length - i2) - convertTwoBytesToShort2;
        byte[] bArr3 = new byte[convertTwoBytesToShort2];
        System.arraycopy(bArr, i2, bArr3, 0, convertTwoBytesToShort2);
        int i3 = i2 + convertTwoBytesToShort2;
        byte[] bArr4 = new byte[length2];
        System.arraycopy(bArr, i3, bArr4, 0, length2);
        byte[] bArr5 = new byte[bArr.length - bArr4.length];
        System.arraycopy(bArr, 0, bArr5, 0, bArr.length - bArr4.length);
        if (!verifyRSASignature(bArr5, bArr4, certificateDetails.certificate)) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_InvalidCertificateSignature")).format(new Object[]{str}), (String) null, 0, false);
        }
        byte[] decryptRSAOAEP = decryptRSAOAEP(bArr3, certificateDetails);
        jvmKeyStoreLogger.exiting(SQLServerColumnEncryptionJVMKeyStoreProvider.class.getName(), Thread.currentThread().getStackTrace()[1].getMethodName(), "Finished decrypting Column Encryption Key.");
        return decryptRSAOAEP;
    }

    private byte[] decryptRSAOAEP(byte[] bArr, CertificateDetails certificateDetails) throws SQLServerException {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
            cipher.init(2, certificateDetails.privateKey);
            cipher.update(bArr);
            return cipher.doFinal();
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CEKDecryptionFailed")).format(new Object[]{e.getMessage()}), (String) null, 0, false);
        }
    }

    private boolean verifyRSASignature(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws SQLServerException {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(x509Certificate.getPublicKey());
            signature.update(bArr);
            return signature.verify(bArr2);
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_SignatureVerificationFailed")).format(new Object[]{e.getMessage()}), (String) null, 0, false);
        }
    }

    private short convertTwoBytesToShort(byte[] bArr, int i) throws SQLServerException {
        if (i + 1 >= bArr.length) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_ByteToShortConversion"), (String) null, 0, false);
        }
        ByteBuffer allocate = ByteBuffer.allocate(2);
        allocate.order(ByteOrder.LITTLE_ENDIAN);
        allocate.put(bArr[i]);
        allocate.put(bArr[i + 1]);
        return allocate.getShort(0);
    }

    private String getThumbPrint(X509Certificate x509Certificate) throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
        messageDigest.update(x509Certificate.getEncoded());
        return DatatypeConverter.printHexBinary(messageDigest.digest());
    }

    private CertificateDetails getCertificateDetailsByThumbPrint(String str, String str2, KeyStore keyStore) throws SQLServerException {
        try {
            try {
                Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    String nextElement = aliases.nextElement();
                    X509Certificate x509Certificate = (X509Certificate) keyStore.getCertificate(nextElement);
                    if (str2.matches(getThumbPrint(x509Certificate))) {
                        Key key = keyStore.getKey(nextElement, getCertificatePassword(str));
                        if (null == key) {
                            throw new UnrecoverableKeyException();
                        }
                        return new CertificateDetails(x509Certificate, key);
                    }
                }
                throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CertificateNotFound")).format(new Object[]{str2, this.keyStorePath}), (String) null, 0, false);
            } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CertificateError")).format(new Object[]{str, e.getMessage()}), (String) null, 0, false);
            }
        } catch (UnrecoverableKeyException e2) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_UnrecoverableKeyAE")).format(new Object[]{str}), (String) null, 0, false);
        }
    }

    private CertificateDetails getCertificateDetails(String str) throws SQLServerException {
        CertificateDetails certificateDetailsByAlias;
        String[] split = str.split(":");
        try {
            if (split.length != 2) {
                throw new SQLServerException((Object) null, SQLServerException.getErrString("R_InvalidMasterKeyDetails"), (String) null, 0, false);
            }
            String trim = split[0].trim();
            String trim2 = split[1].trim();
            if (null == getCertificatePassword(str)) {
                throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CertificatePwdNotFound")).format(new Object[]{str}), (String) null, 0, false);
            }
            if (trim2.length() == 0 || trim.length() == 0) {
                throw new SQLServerException((Object) null, SQLServerException.getErrString("R_InvalidMasterKeyDetails"), (String) null, 0, false);
            }
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream fileInputStream = new FileInputStream(this.keyStorePath);
            keyStore.load(fileInputStream, this.keyStorePwd);
            if (THUMBPRINT.equalsIgnoreCase(trim)) {
                certificateDetailsByAlias = getCertificateDetailsByThumbPrint(str, trim2, keyStore);
            } else {
                if (!ALIAS.equalsIgnoreCase(trim)) {
                    throw new SQLServerException((Object) null, SQLServerException.getErrString("R_InvalidMasterKeyDetails"), (String) null, 0, false);
                }
                certificateDetailsByAlias = getCertificateDetailsByAlias(keyStore, str, trim2);
            }
            fileInputStream.close();
            return certificateDetailsByAlias;
        } catch (FileNotFoundException e) {
            throw new SQLServerException((Object) this, SQLServerException.getErrString("R_KeyStoreNotFound"), (String) null, 0, false);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e2) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CertificateError")).format(new Object[]{str, e2.getMessage()}), (String) null, 0, false);
        }
    }

    private CertificateDetails getCertificateDetailsByAlias(KeyStore keyStore, String str, String str2) throws SQLServerException {
        try {
            X509Certificate x509Certificate = (X509Certificate) keyStore.getCertificate(str2);
            Key key = keyStore.getKey(str2, getCertificatePassword(str));
            if (null == x509Certificate) {
                throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CertificateNotFoundForAlias")).format(new Object[]{str2, KEYSTORE_NAME}), (String) null, 0, false);
            }
            if (null == key) {
                throw new UnrecoverableKeyException();
            }
            return new CertificateDetails(x509Certificate, key);
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CertificateError")).format(new Object[]{str, e.getMessage()}), (String) null, 0, false);
        } catch (UnrecoverableKeyException e2) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_UnrecoverableKeyAE")).format(new Object[]{str}), (String) null, 0, false);
        }
    }

    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public byte[] encryptColumnEncryptionKey(String str, String str2, byte[] bArr) throws SQLServerException {
        jvmKeyStoreLogger.entering(SQLServerColumnEncryptionJVMKeyStoreProvider.class.getName(), Thread.currentThread().getStackTrace()[1].getMethodName(), "Encrypting Column Encryption Key.");
        validateMasterKeyDetails(str);
        if (null == bArr) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_NullColumnEncryptionKey"), (String) null, 0, false);
        }
        if (0 == bArr.length) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_EmptyColumnEncryptionKey"), (String) null, 0, false);
        }
        validateEncryptionAlgorithm(str2);
        CertificateDetails certificateDetails = getCertificateDetails(str);
        byte[] encryptRSAOAEP = encryptRSAOAEP(bArr, certificateDetails);
        byte[] littleEndianBytesFromShort = getLittleEndianBytesFromShort((short) encryptRSAOAEP.length);
        try {
            byte[] bytes = str.toLowerCase().getBytes("UTF-16LE");
            byte[] littleEndianBytesFromShort2 = getLittleEndianBytesFromShort((short) bytes.length);
            byte[] bArr2 = new byte[this.version.length + littleEndianBytesFromShort2.length + littleEndianBytesFromShort.length + bytes.length + encryptRSAOAEP.length];
            int length = this.version.length;
            System.arraycopy(this.version, 0, bArr2, 0, this.version.length);
            System.arraycopy(littleEndianBytesFromShort2, 0, bArr2, length, littleEndianBytesFromShort2.length);
            int length2 = length + littleEndianBytesFromShort2.length;
            System.arraycopy(littleEndianBytesFromShort, 0, bArr2, length2, littleEndianBytesFromShort.length);
            int length3 = length2 + littleEndianBytesFromShort.length;
            System.arraycopy(bytes, 0, bArr2, length3, bytes.length);
            System.arraycopy(encryptRSAOAEP, 0, bArr2, length3 + bytes.length, encryptRSAOAEP.length);
            byte[] rsaSignHashedData = rsaSignHashedData(bArr2, certificateDetails);
            byte[] bArr3 = new byte[this.version.length + littleEndianBytesFromShort.length + littleEndianBytesFromShort2.length + encryptRSAOAEP.length + bytes.length + rsaSignHashedData.length];
            System.arraycopy(this.version, 0, bArr3, 0, this.version.length);
            int length4 = 0 + this.version.length;
            System.arraycopy(littleEndianBytesFromShort2, 0, bArr3, length4, littleEndianBytesFromShort2.length);
            int length5 = length4 + littleEndianBytesFromShort2.length;
            System.arraycopy(littleEndianBytesFromShort, 0, bArr3, length5, littleEndianBytesFromShort.length);
            int length6 = length5 + littleEndianBytesFromShort.length;
            System.arraycopy(bytes, 0, bArr3, length6, bytes.length);
            int length7 = length6 + bytes.length;
            System.arraycopy(encryptRSAOAEP, 0, bArr3, length7, encryptRSAOAEP.length);
            System.arraycopy(rsaSignHashedData, 0, bArr3, length7 + encryptRSAOAEP.length, rsaSignHashedData.length);
            jvmKeyStoreLogger.exiting(SQLServerColumnEncryptionJVMKeyStoreProvider.class.getName(), Thread.currentThread().getStackTrace()[1].getMethodName(), "Finished encrypting Column Encryption Key.");
            return bArr3;
        } catch (UnsupportedEncodingException e) {
            throw new SQLServerException(new MessageFormat(SQLServerException.getErrString("R_unsupportedEncoding")).format(new Object[]{"UTF-16LE"}), (String) null, 0, (Throwable) null);
        }
    }

    private byte[] encryptRSAOAEP(byte[] bArr, CertificateDetails certificateDetails) throws SQLServerException {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
            cipher.init(1, certificateDetails.certificate.getPublicKey());
            cipher.update(bArr);
            return cipher.doFinal();
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_EncryptionFailed")).format(new Object[]{e.getMessage()}), (String) null, 0, false);
        }
    }

    private byte[] rsaSignHashedData(byte[] bArr, CertificateDetails certificateDetails) throws SQLServerException {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign((PrivateKey) certificateDetails.privateKey);
            signature.update(bArr);
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_EncryptionFailed")).format(new Object[]{e.getMessage()}), (String) null, 0, false);
        }
    }

    private void validateMasterKeyDetails(String str) throws SQLServerException {
        if (null == str || str.trim().length() == 0) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_InvalidMasterKeyDetails"), (String) null, 0, false);
        }
    }

    private void validateEncryptionAlgorithm(String str) throws SQLServerException {
        if (null == str) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_NullKeyEncryptionAlgorithm"), (String) null, 0, false);
        }
        if (!"RSA_OAEP".equalsIgnoreCase(str.trim())) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_InvalidKeyEncryptionAlgorithm")).format(new Object[]{str, "RSA_OAEP"}), (String) null, 0, false);
        }
    }

    private byte[] getLittleEndianBytesFromShort(short s) {
        ByteBuffer allocate = ByteBuffer.allocate(2);
        allocate.order(ByteOrder.LITTLE_ENDIAN);
        return allocate.putShort(s).array();
    }
}
