package com.tibco.bw.confidentiality.runtime;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;
import com.jayway.jsonpath.Configuration;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Option;
import com.jayway.jsonpath.Predicate;
import com.jayway.jsonpath.spi.json.JacksonJsonNodeJsonProvider;
import com.tibco.bw.confidentiality.ConfidentialityFunctions;
import com.tibco.bw.sharedresource.confidentiality.model.helper.ConfidentialityConstants;
import com.tibco.bw.sharedresource.confidentiality.runtime.Activator;
import com.tibco.bw.sharedresource.confidentiality.runtime.ConfidentialityConfigurationResource;
import java.io.FileInputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.rmi.dgc.VMID;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.XPathConstants;
import org.apache.xpath.jaxp.XPathFactoryImpl;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsDRBG;
import org.bouncycastle.crypto.util.BasicEntropySourceProvider;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.util.Strings;
import org.osgi.framework.ServiceReference;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/* loaded from: input_file:payload/TIB_bwpluginconfidentiality_6.1.0_common.zip:assemblies/assembly_tibco_com_tibco_bw_confidentiality_runtime_feature_6.1.0.001.zip:source/plugins/com.tibco.bw.confidentiality.runtime_6.1.0.001.jar:com/tibco/bw/confidentiality/runtime/ConfidentialityFunctionsImpl.class */
public class ConfidentialityFunctionsImpl extends ConfidentialityFunctions {
    public static final String BCFIPS_PROVIDER_NAME = "BCFIPS";
    public static final String IBMJCE_PROVIDER_NAME = "IBMJCE";
    public static final String ECB_MODE = "ECB";
    public static final String GCM_MODE = "GCM";
    public static final String DATA_KEY_ENCRYPTION_ALGO = "AES/CBC/PKCS5Padding";
    public static final int GCM_TAG_LENGTH = 128;

    private ConfidentialityConfigurationResource initialise(String str, String str2, String str3) throws Exception {
        ServiceTracker serviceTracker = null;
        ConfidentialityConfigurationResource confidentialityConfigurationResource = null;
        String format = String.format("(&(%s=%s)(%s=%s)(%s=%s))", "objectClass", ConfidentialityConfigurationResource.class.getCanonicalName(), ".deployment.name", str2, ".deployment.version", str3);
        String substring = str.equals(null) ? false : str.trim().endsWith(".confidentialityConfigurationResource") ? str.substring(str.lastIndexOf(".") + 1, str.length()) : str;
        if (substring != null) {
            try {
                try {
                    if (!substring.trim().isEmpty()) {
                        serviceTracker = new ServiceTracker(Activator.getContext(), Activator.getContext().createFilter(format), (ServiceTrackerCustomizer) null);
                        serviceTracker.open();
                        if (serviceTracker.getServiceReferences() != null) {
                            for (ServiceReference serviceReference : serviceTracker.getServiceReferences()) {
                                if (((String) serviceReference.getProperty(".name")).equals(substring)) {
                                    confidentialityConfigurationResource = (ConfidentialityConfigurationResource) serviceTracker.getService(serviceReference);
                                    if (confidentialityConfigurationResource != null && "BCFIPS".equalsIgnoreCase(confidentialityConfigurationResource.getProvider())) {
                                        initialiseBCFIPSProvider();
                                    }
                                }
                            }
                        }
                    }
                } catch (Exception e) {
                    throw new Exception("Please check shared resource name and other details", e);
                }
            } catch (Throwable th) {
                serviceTracker.close();
                throw th;
            }
        }
        serviceTracker.close();
        return confidentialityConfigurationResource;
    }

    private Key fetchMasterKey(ConfidentialityConfigurationResource confidentialityConfigurationResource) throws Exception {
        try {
            KeyStore keyStore = "BCFIPS".equalsIgnoreCase(confidentialityConfigurationResource.getProvider()) ? KeyStore.getInstance(confidentialityConfigurationResource.getKeyStoreType(), "BCFIPS") : "IBMJCE".equalsIgnoreCase(confidentialityConfigurationResource.getProvider()) ? KeyStore.getInstance(confidentialityConfigurationResource.getKeyStoreType(), "IBMJCE") : KeyStore.getInstance(confidentialityConfigurationResource.getKeyStoreType());
            keyStore.load(new FileInputStream(confidentialityConfigurationResource.getKeyStoreUrl()), confidentialityConfigurationResource.getKeyStorePassword().toCharArray());
            if (!keyStore.containsAlias(confidentialityConfigurationResource.getKeyAliasName())) {
                throw new RuntimeException("Alias for key not found");
            }
            Key publicKey = keyStore.isCertificateEntry(confidentialityConfigurationResource.getKeyAliasName()) ? keyStore.getCertificate(confidentialityConfigurationResource.getKeyAliasName()).getPublicKey() : keyStore.getKey(confidentialityConfigurationResource.getKeyAliasName(), confidentialityConfigurationResource.getKeyAliasPassword().toCharArray());
            if (publicKey == null) {
                throw new Exception("Key not found");
            }
            return publicKey;
        } catch (Exception e) {
            throw new Exception("Exception while fetching key: " + e.getMessage());
        }
    }

    private void initialiseBCFIPSProvider() {
        Security.addProvider(new BouncyCastleFipsProvider());
        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            return;
        }
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
    }

    private SecureRandom fetchDRBGForKeys(String str, String str2) {
        if (!"BCFIPS".equalsIgnoreCase(str2)) {
            return new SecureRandom();
        }
        SecureRandom secureRandom = new SecureRandom();
        byte[] uTF8ByteArray = Strings.toUTF8ByteArray(new VMID().toString());
        return FipsDRBG.SHA512_HMAC.fromEntropySource(new BasicEntropySourceProvider(secureRandom, true)).setSecurityStrength(256).setEntropyBitsRequired(256).setPersonalizationString(uTF8ByteArray).build(secureRandom.generateSeed(16), true);
    }

    public SecureRandom fetchDBRGForIV(String str) {
        if (!"BCFIPS".equalsIgnoreCase(str)) {
            return new SecureRandom();
        }
        SecureRandom secureRandom = new SecureRandom();
        return FipsDRBG.SHA512_HMAC.fromEntropySource(new BasicEntropySourceProvider(secureRandom, true)).setSecurityStrength(256).setEntropyBitsRequired(256).build(secureRandom.generateSeed(16), false);
    }

    public SecretKey generateAndfetchDataKey(String str, String str2, int i) throws Exception {
        KeyGenerator keyGenerator = "BCFIPS".equalsIgnoreCase(str2) ? KeyGenerator.getInstance(str, "BCFIPS") : "IBMJCE".equalsIgnoreCase(str2) ? KeyGenerator.getInstance(str, "IBMJCE") : KeyGenerator.getInstance(str);
        keyGenerator.init(i, fetchDRBGForKeys(str, str2));
        return keyGenerator.generateKey();
    }

    @Override // com.tibco.bw.confidentiality.ConfidentialityFunctions
    public String encrypt(String str, String str2, String str3, String str4) throws Exception {
        ConfidentialityConfigurationResource initialise = initialise(str2, str3, str4);
        if (initialise == null) {
            throw new Exception("Please check shared resource name and other details.");
        }
        validate(getEncryptionAlgo(initialise.getEncryptionType()));
        return !initialise.isDualEncruption() ? basicEncryption(str, initialise, str3, str4) : dualEncryption(str, initialise, str3, str4, initialise.getDatakeyLength());
    }

    public String basicEncryption(String str, ConfidentialityConfigurationResource confidentialityConfigurationResource, String str2, String str3) throws Exception {
        Key fetchMasterKey = fetchMasterKey(confidentialityConfigurationResource);
        if (fetchMasterKey.getAlgorithm() == null || fetchMasterKey.getAlgorithm().equalsIgnoreCase(getEncryptionAlgo(confidentialityConfigurationResource.getEncryptionType()))) {
            return encrypt(str, confidentialityConfigurationResource.getEncryptionType(), confidentialityConfigurationResource.getProvider(), fetchMasterKey);
        }
        throw new Exception("Key generated with invalid algorithm- " + fetchMasterKey.getAlgorithm() + " is choosen for the encryption algorithm: " + getEncryptionAlgo(confidentialityConfigurationResource.getEncryptionType()));
    }

    public String dualEncryption(String str, ConfidentialityConfigurationResource confidentialityConfigurationResource, String str2, String str3, int i) throws Exception {
        SecretKey generateAndfetchDataKey = generateAndfetchDataKey(getEncryptionAlgo(confidentialityConfigurationResource.getEncryptionType()), confidentialityConfigurationResource.getProvider(), i);
        String encrypt = encrypt(str, confidentialityConfigurationResource.getEncryptionType(), confidentialityConfigurationResource.getProvider(), generateAndfetchDataKey);
        Key fetchMasterKey = fetchMasterKey(confidentialityConfigurationResource);
        if (fetchMasterKey.getAlgorithm().equalsIgnoreCase(getEncryptionAlgo("AES/CBC/PKCS5Padding"))) {
            return encrypt(Base64.getEncoder().encodeToString(generateAndfetchDataKey.getEncoded()), "AES/CBC/PKCS5Padding", confidentialityConfigurationResource.getProvider(), fetchMasterKey).concat(encrypt);
        }
        throw new Exception("The master key should be an AES key with size: 128, 192 or 256");
    }

    public String encrypt(String str, String str2, String str3, Key key) throws Exception {
        byte[] doFinal;
        try {
            String encryptionMode = getEncryptionMode(str2);
            Cipher cipher = "BCFIPS".equalsIgnoreCase(str3) ? Cipher.getInstance(str2, "BCFIPS") : "IBMJCE".equalsIgnoreCase(str3) ? Cipher.getInstance(str2, "IBMJCE") : Cipher.getInstance(str2);
            if (encryptionMode == null || ECB_MODE.equalsIgnoreCase(encryptionMode)) {
                cipher.init(1, key);
                doFinal = cipher.doFinal(str.getBytes());
            } else if (GCM_MODE.equalsIgnoreCase(encryptionMode)) {
                GCMParameterSpec gCMParameterSpec = (GCMParameterSpec) fetchInitializationVector(str3, cipher, encryptionMode, 1, null);
                cipher.init(1, key, gCMParameterSpec);
                byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
                doFinal = new byte[gCMParameterSpec.getIV().length + cipher.getOutputSize(bytes.length)];
                for (int i = 0; i < gCMParameterSpec.getIV().length; i++) {
                    doFinal[i] = gCMParameterSpec.getIV()[i];
                }
                cipher.doFinal(bytes, 0, bytes.length, doFinal, gCMParameterSpec.getIV().length);
            } else {
                IvParameterSpec ivParameterSpec = (IvParameterSpec) fetchInitializationVector(str3, cipher, encryptionMode, 1, null);
                cipher.init(1, key, ivParameterSpec);
                byte[] bytes2 = str.getBytes();
                doFinal = new byte[ivParameterSpec.getIV().length + cipher.getOutputSize(bytes2.length)];
                for (int i2 = 0; i2 < ivParameterSpec.getIV().length; i2++) {
                    doFinal[i2] = ivParameterSpec.getIV()[i2];
                }
                cipher.doFinal(bytes2, 0, bytes2.length, doFinal, ivParameterSpec.getIV().length);
            }
            return Base64.getEncoder().encodeToString(doFinal);
        } catch (Exception e) {
            throw new Exception("Exception while encrypting: " + e.getMessage());
        }
    }

    private int getDataKeysize(String str, int i, Key key, String str2) throws Exception {
        int length = Base64.getEncoder().encodeToString(generateAndfetchDataKey(str, str2, i).getEncoded()).getBytes().length;
        Cipher cipher = "BCFIPS".equalsIgnoreCase(str2) ? Cipher.getInstance("AES/CBC/PKCS5Padding", "BCFIPS") : "IBMJCE".equalsIgnoreCase(str2) ? Cipher.getInstance("AES/CBC/PKCS5Padding", "IBMJCE") : Cipher.getInstance("AES/CBC/PKCS5Padding");
        IvParameterSpec ivParameterSpec = (IvParameterSpec) fetchInitializationVector(str2, cipher, getEncryptionMode("AES/CBC/PKCS5Padding"), 1, null);
        cipher.init(1, key, ivParameterSpec);
        return getBase64EncodedLength((ivParameterSpec.getIV().length + cipher.getOutputSize(length)) * 8);
    }

    private int getBase64EncodedLength(int i) {
        return (int) (4.0d * Math.ceil((i / 8) / 3.0d));
    }

    @Override // com.tibco.bw.confidentiality.ConfidentialityFunctions
    public String decrypt(String str, String str2, String str3, String str4) throws Exception {
        ConfidentialityConfigurationResource initialise = initialise(str2, str3, str4);
        if (initialise == null) {
            throw new Exception("Please check shared resource name and other details.");
        }
        validate(getEncryptionAlgo(initialise.getEncryptionType()));
        return !initialise.isDualEncruption() ? basicDecryption(str, initialise, str3, str4) : dualDecryption(str, initialise, str3, str4, initialise.getDatakeyLength());
    }

    public String basicDecryption(String str, ConfidentialityConfigurationResource confidentialityConfigurationResource, String str2, String str3) throws Exception {
        return decrypt(str, confidentialityConfigurationResource.getEncryptionType(), confidentialityConfigurationResource.getProvider(), fetchMasterKey(confidentialityConfigurationResource));
    }

    public String dualDecryption(String str, ConfidentialityConfigurationResource confidentialityConfigurationResource, String str2, String str3, int i) throws Exception {
        Key fetchMasterKey = fetchMasterKey(confidentialityConfigurationResource);
        byte[] bytes = str.getBytes();
        String encryptionAlgo = getEncryptionAlgo(confidentialityConfigurationResource.getEncryptionType());
        int dataKeysize = getDataKeysize(encryptionAlgo, i, fetchMasterKey, confidentialityConfigurationResource.getProvider());
        byte[] copyOfRange = Arrays.copyOfRange(bytes, 0, dataKeysize);
        byte[] copyOfRange2 = Arrays.copyOfRange(bytes, dataKeysize, bytes.length);
        return decrypt(new String(copyOfRange2), confidentialityConfigurationResource.getEncryptionType(), confidentialityConfigurationResource.getProvider(), new SecretKeySpec(Base64.getDecoder().decode(decrypt(new String(copyOfRange), "AES/CBC/PKCS5Padding", confidentialityConfigurationResource.getProvider(), fetchMasterKey)), encryptionAlgo));
    }

    public String decrypt(String str, String str2, String str3, Key key) throws Exception {
        byte[] doFinal;
        try {
            String encryptionMode = getEncryptionMode(str2);
            Cipher cipher = "BCFIPS".equalsIgnoreCase(str3) ? Cipher.getInstance(str2, str3) : "IBMJCE".equalsIgnoreCase(str3) ? Cipher.getInstance(str2, str3) : Cipher.getInstance(str2);
            byte[] decode = Base64.getDecoder().decode(str);
            if (encryptionMode == null || ECB_MODE.equalsIgnoreCase(encryptionMode)) {
                cipher.init(2, key);
                doFinal = cipher.doFinal(decode);
            } else if (GCM_MODE.equalsIgnoreCase(encryptionMode)) {
                cipher.init(2, key, (GCMParameterSpec) fetchInitializationVector(str3, cipher, encryptionMode, 2, decode));
                if (decode.length - cipher.getBlockSize() <= 0) {
                    throw new Exception("Verify correct encryption algorithm/padding/mode is used.");
                }
                doFinal = cipher.doFinal(decode, cipher.getBlockSize(), decode.length - cipher.getBlockSize());
            } else {
                cipher.init(2, key, (IvParameterSpec) fetchInitializationVector(str3, cipher, encryptionMode, 2, decode));
                if (decode.length - cipher.getBlockSize() <= 0) {
                    throw new Exception("Verify correct encryption algorithm/padding/mode is used.");
                }
                doFinal = cipher.doFinal(decode, cipher.getBlockSize(), decode.length - cipher.getBlockSize());
            }
            return new String(doFinal);
        } catch (Exception e) {
            throw new Exception("Exception while decrypting: " + e.getMessage());
        }
    }

    private String getEncryptionAlgo(String str) {
        String[] split = str.split("/");
        if (split.length >= 1) {
            return split[0];
        }
        return null;
    }

    private String getEncryptionMode(String str) {
        String[] split = str.split("/");
        if (split.length >= 2) {
            return split[1];
        }
        return null;
    }

    private Object fetchInitializationVector(String str, Cipher cipher, String str2, int i, byte[] bArr) {
        byte[] copyOfRange;
        if (1 == i) {
            copyOfRange = new byte[cipher.getBlockSize()];
            fetchDBRGForIV(str).nextBytes(copyOfRange);
        } else {
            copyOfRange = Arrays.copyOfRange(bArr, 0, cipher.getBlockSize());
        }
        return GCM_MODE.equalsIgnoreCase(str2) ? new GCMParameterSpec(128, copyOfRange) : new IvParameterSpec(copyOfRange);
    }

    @Override // com.tibco.bw.confidentiality.ConfidentialityFunctions
    public String maskString(String str, int i, int i2) {
        String str2;
        if (str == null || str.length() <= 0 || i < 0 || i2 < 0) {
            return str;
        }
        if (i > 0 || i2 > 0) {
            if (i != 0 && i2 != 0 && i + i2 > str.length()) {
                return str;
            }
            if (i != 0 && i2 == 0 && i > str.length()) {
                return str;
            }
            if (i == 0 && i2 > 0 && i2 > str.length()) {
                return str;
            }
            str2 = String.valueOf(i > 0 ? str.substring(0, i) : "") + str.substring(i, str.length() - i2).replaceAll(".", "*") + (i2 > 0 ? str.substring(str.length() - i2, str.length()) : "");
        } else {
            str2 = str.replaceAll(".", "*");
        }
        return str2;
    }

    @Override // com.tibco.bw.confidentiality.ConfidentialityFunctions
    public String maskDocumentField(String str, String str2, int i, int i2, String str3) throws Exception {
        String str4 = null;
        if ("XML".equalsIgnoreCase(str2)) {
            str4 = maskXMLDocumentFields(str, i, i2, str3);
        }
        if ("JSON".equalsIgnoreCase(str2)) {
            str4 = maskJSONDocumentFields(str, i, i2, str3);
        }
        return str4;
    }

    private String maskJSONDocumentFields(String str, int i, int i2, String str2) throws Exception {
        HashSet hashSet = new HashSet();
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.configure(JsonParser.Feature.ALLOW_SINGLE_QUOTES, true);
        try {
            JsonNode readTree = objectMapper.readTree(str);
            if (!str2.startsWith("$")) {
                throw new Exception("Invalid json path");
            }
            JsonPath compile = JsonPath.compile(str2, new Predicate[0]);
            if (readTree == null || compile == null) {
                return str;
            }
            Configuration build = Configuration.builder().jsonProvider(new JacksonJsonNodeJsonProvider()).options(Option.AS_PATH_LIST, Option.SUPPRESS_EXCEPTIONS).build();
            if (compile.isDefinite()) {
                hashSet.add(compile.getPath());
            } else {
                Iterator it = ((ArrayNode) compile.read(readTree, build)).iterator();
                while (it.hasNext()) {
                    hashSet.add(((JsonNode) it.next()).asText());
                }
            }
            return traverseAndMask(readTree.deepCopy(), hashSet, "$", i, i2).toString();
        } catch (Exception e) {
            throw new Exception("Exception while masking JSON document:- " + e.getMessage());
        }
    }

    private JsonNode traverseAndMask(JsonNode jsonNode, Set<String> set, String str, int i, int i2) {
        if ((jsonNode.isTextual() || jsonNode.isNumber()) && set.contains(str)) {
            return new TextNode(maskString(jsonNode.asText(), i, i2));
        }
        if (jsonNode.isObject()) {
            Iterator fields = jsonNode.fields();
            while (fields.hasNext()) {
                Map.Entry entry = (Map.Entry) fields.next();
                ((ObjectNode) jsonNode).replace((String) entry.getKey(), traverseAndMask((JsonNode) entry.getValue(), set, appendPath(str, (String) entry.getKey()), i, i2));
            }
        }
        if (jsonNode.isArray()) {
            for (int i3 = 0; i3 < jsonNode.size(); i3++) {
                ((ArrayNode) jsonNode).set(i3, traverseAndMask(jsonNode.get(i3), set, appendPath(str, i3), i, i2));
            }
        }
        return jsonNode;
    }

    private static String appendPath(String str, String str2) {
        return String.valueOf(str) + "['" + str2 + "']";
    }

    private static String appendPath(String str, int i) {
        return String.valueOf(str) + "[" + i + "]";
    }

    private String maskXMLDocumentFields(String str, int i, int i2, String str2) throws Exception {
        try {
            Document parse = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(new StringReader(str)));
            NodeList nodeList = (NodeList) new XPathFactoryImpl().newXPath().compile(str2).evaluate(parse, XPathConstants.NODESET);
            for (int i3 = 0; i3 < nodeList.getLength(); i3++) {
                Node item = nodeList.item(i3);
                item.setTextContent(maskString(item.getTextContent(), i, i2));
            }
            Transformer newTransformer = TransformerFactory.newInstance().newTransformer();
            if (!str.contains("?xml version")) {
                newTransformer.setOutputProperty("omit-xml-declaration", "yes");
            }
            newTransformer.setOutputProperty("indent", "no");
            StringWriter stringWriter = new StringWriter();
            newTransformer.transform(new DOMSource(parse), new StreamResult(stringWriter));
            return stringWriter.toString();
        } catch (Exception e) {
            throw new Exception("Exception while masking XML document:- " + e.getMessage());
        }
    }

    private void validate(String str) throws Exception {
        if (str == null || !(str.equalsIgnoreCase(ConfidentialityConstants.AES_ALGO) || str.equalsIgnoreCase(ConfidentialityConstants.DESEDE_ALGO) || str.equalsIgnoreCase(ConfidentialityConstants.RSA_ALGO))) {
            throw new Exception("Algorithm is not supported. Supported Algorithms: AES, DESede, RSA");
        }
    }
}
