package com.microsoft.identity.broker4j.broker.prtv2;

import com.microsoft.identity.broker4j.broker.crypto.IKeyEntry;
import com.microsoft.identity.broker4j.broker.platform.components.IBrokerPlatformComponents;
import com.microsoft.identity.broker4j.opentelemetry.AttributeName;
import com.microsoft.identity.broker4j.workplacejoin.WorkplaceJoinFailure;
import com.microsoft.identity.common.java.AuthenticationConstants;
import com.microsoft.identity.common.java.cache.CacheKeyValueDelegate;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.logging.Logger;
import com.microsoft.identity.common.java.opentelemetry.SpanExtension;
import com.microsoft.identity.common.java.platform.JweResponse;
import com.microsoft.identity.common.java.util.CopyUtil;
import cz.msebera.android.httpclient.extras.Base64;
import io.opentelemetry.api.trace.Span;
import java.io.UnsupportedEncodingException;
import java.security.SecureRandom;
import java.util.Objects;
import org.json.JSONException;
import org.slf4j.Marker;

/* loaded from: classes5.dex */
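/**
 * Helpers for handling the PRT v2 session key: pulling the wrapped session key out of a JWE,
 * deriving a per-message key from the session key (SP 800-108 style label + context), and
 * decrypting a JWE token response with that derived key.
 *
 * <p>All methods are static and stateless apart from a shared {@link SecureRandom}; the class
 * cannot be instantiated. Key material itself is never logged here, only decoded lengths.
 */
public final class SessionKeyUtil {
    public static final String DERIVED_KEY_ALGORITHM = "AES";
    public static final String DERIVED_KEY_DECRYPTION_ALGORITHM = "AES/CBC/PKCS7Padding";
    public static final String DERIVED_KEY_HMAC_SIGNING_ALGORITHM = "HmacSHA256";
    public static final String SESSION_KEY_UNWRAP_ALGORITHM = "RSA/NONE/OAEPWithSHA1AndMGF1Padding";
    public static final int SP800_108_CTX_SIZE = 24;
    public static final String SP800_108_LABEL = "AzureAD-SecureConversation";
    private static final String TAG = SessionKeyUtil.class.getSimpleName();

    /** JWE "enc" header values accepted by {@link #decryptTokenResponseWithSessionKey}. */
    private static final String ENC_A256GCM = "A256GCM";
    private static final String ENC_DIR = "dir";
    /** JWE "alg" header value required by {@link #extractRawSessionKey}. */
    private static final String ALG_RSA_OAEP = "RSA-OAEP";

    // Flag values passed to the bundled Android-style Base64 decoder: 0 selects the default
    // (standard alphabet), 8 selects the URL-safe alphabet. Kept as named constants so the
    // call sites read correctly without changing the values the decoder is given.
    private static final int BASE64_FLAG_DEFAULT = 0;
    private static final int BASE64_FLAG_URL_SAFE = 8;

    // SecureRandom is thread-safe; one instance is sufficient for all context generation.
    private static final SecureRandom RANDOM = new SecureRandom();

    private SessionKeyUtil() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }

    /**
     * Decodes {@code input} with the given Base64 flags, logging {@code failureMessage} (plus the
     * decoder's message) before rethrowing on malformed input.
     *
     * @param input          Base64 text to decode
     * @param flags          decoder flag value ({@link #BASE64_FLAG_DEFAULT} or {@link #BASE64_FLAG_URL_SAFE})
     * @param failureMessage context logged if decoding fails
     * @return the decoded bytes
     * @throws IllegalArgumentException if the decoder rejects the input
     */
    private static byte[] base64Decode(final String input, final int flags, final String failureMessage) {
        Objects.requireNonNull(input, "input is marked non-null but is null");
        Objects.requireNonNull(failureMessage, "failureMessage is marked non-null but is null");
        final String methodTag = TAG + ":base64Decode";
        try {
            return Base64.decode(input, flags);
        } catch (final IllegalArgumentException e) {
            // Only the caller-supplied context and the decoder's message are logged, never the input.
            Logger.error(methodTag, failureMessage + " " + e.getMessage(), null);
            throw e;
        }
    }

    /**
     * Returns whether the JWE "enc" header value is one this class is prepared to decrypt.
     * A {@code null} header is treated as unsupported rather than causing an NPE.
     */
    private static boolean isSupportedEncryptionAlgorithm(final String enc) {
        return ENC_A256GCM.equalsIgnoreCase(enc) || ENC_DIR.equalsIgnoreCase(enc);
    }

    /**
     * Decrypts a JWE token response using a key derived from the PRT session key.
     *
     * <p>Flow: parse the JWE, gate on the "enc" header, decode IV / ciphertext (base64url) and the
     * key-derivation context from the header (standard base64), derive a one-off key from
     * {@code sessionKey} and that context, decrypt, and delete the derived key again. The derived
     * key is deleted in a {@code finally} so a failed decrypt does not leave it behind in the key
     * manager. Note that the "enc" header is only a sanity gate here: the cipher that is actually
     * applied is whatever the derived-session-key accessor implements, so the header is never
     * allowed to select the algorithm.
     *
     * @param iBrokerPlatformComponents platform components (key manager and key-accessor factory)
     * @param str                       the JWE-serialized token response
     * @param iKeyEntry                 the PRT session key to derive from
     * @return the decrypted token response as UTF-8 text
     * @throws IllegalArgumentException if the "enc" header is unsupported or a field is not valid base64
     * @throws JSONException            if the JWE cannot be parsed
     * @throws ClientException          if key derivation, decryption or key deletion fails
     */
    public static String decryptTokenResponseWithSessionKey(final IBrokerPlatformComponents iBrokerPlatformComponents, final String str, final IKeyEntry iKeyEntry) throws UnsupportedEncodingException, JSONException, ClientException {
        Objects.requireNonNull(iBrokerPlatformComponents, "brokerComponents is marked non-null but is null");
        Objects.requireNonNull(str, "jweTokenResponse is marked non-null but is null");
        Objects.requireNonNull(iKeyEntry, "sessionKey is marked non-null but is null");
        final String methodTag = TAG + ":decryptTokenResponseWithSessionKey";
        final Span span = SpanExtension.current();

        final JweResponse jwe = JweResponse.parseJwe(str);
        final String enc = jwe.getJweHeader().getEncryptionAlgorithm();
        if (!isSupportedEncryptionAlgorithm(enc)) {
            Logger.error(methodTag, "Invalid encryption algorithm: " + enc, null);
            throw new IllegalArgumentException("Invalid encryption algorithm");
        }

        final byte[] iv = base64Decode(jwe.getIV(), BASE64_FLAG_URL_SAFE, "IV not base64 url-encoded.");
        final byte[] ciphertext = base64Decode(jwe.getPayload(), BASE64_FLAG_URL_SAFE, "Payload is not base64 url-encoded.");
        // The derivation context travels in the JWE header and is plain (non-URL-safe) base64.
        final byte[] ctx = base64Decode(jwe.getJweHeader().getContext(), BASE64_FLAG_DEFAULT, "CTX is not base64 encoded.");

        // Sizes only: these are safe to log and trace; the decoded bytes are not.
        Logger.verbose(methodTag, "Decrypting the token response for using PRT. IV size: " + iv.length + " mPayload size:" + ciphertext.length + " ctx size:" + ctx.length);
        span.setAttribute(AttributeName.iv_decoded_length.name(), (long) iv.length);
        span.setAttribute(AttributeName.payload_ciphertext_length.name(), (long) ciphertext.length);
        span.setAttribute(AttributeName.derived_key_ctx_length.name(), (long) ctx.length);

        final IKeyEntry derivedKey = deriveKey(iBrokerPlatformComponents, iKeyEntry, ctx);
        final byte[] plaintext;
        try {
            plaintext = iBrokerPlatformComponents.getBrokerKeyAccessorFactory().getDerivedSessionKeyAccessor(derivedKey).decrypt(ciphertext, iv);
        } finally {
            // Always remove the one-off derived key, whether or not decryption succeeded.
            iBrokerPlatformComponents.getKeyManager().deleteKey(derivedKey);
        }
        return new String(plaintext, AuthenticationConstants.CHARSET_UTF8);
    }

    /**
     * Derives an AES key from the session key using the fixed label ({@link #SP800_108_LABEL})
     * and the caller-supplied context bytes, via the platform key manager.
     *
     * @param iBrokerPlatformComponents platform components providing the key manager
     * @param iKeyEntry                 the session key to derive from
     * @param bArr                      derivation context bytes (passed through as-is)
     * @return the newly created derived key entry; the caller owns its lifetime
     * @throws ClientException if the key manager fails to derive the key
     */
    public static IKeyEntry deriveKey(final IBrokerPlatformComponents iBrokerPlatformComponents, final IKeyEntry iKeyEntry, final byte[] bArr) throws ClientException {
        Objects.requireNonNull(iBrokerPlatformComponents, "brokerComponents is marked non-null but is null");
        Objects.requireNonNull(iKeyEntry, "sessionKey is marked non-null but is null");
        Logger.info(TAG + ":deriveKey", "Deriving a key from Session Key.");
        return iBrokerPlatformComponents.getKeyManager().generateDerivedKey(iKeyEntry, getDerivedKeyLabel(), bArr, DERIVED_KEY_ALGORITHM);
    }

    /**
     * Extracts the (still RSA-OAEP-wrapped) session key bytes from a JWE.
     *
     * <p>The JWE "alg" header must be {@code RSA-OAEP}; anything else is rejected before the
     * encrypted-key field is touched. Unwrapping is not done here.
     *
     * @param str the JWE-serialized response carrying the wrapped session key
     * @return the decoded wrapped session key bytes
     * @throws ClientException          if the JWE is not valid JSON or the "alg" header is not RSA-OAEP
     * @throws IllegalArgumentException if the encrypted-key field is not valid base64url
     */
    public static byte[] extractRawSessionKey(final String str) throws ClientException {
        Objects.requireNonNull(str, "jwe is marked non-null but is null");
        final String methodTag = TAG + ":extractSessionKey";
        Logger.info(methodTag, "Extracting session key from JWE");
        try {
            final JweResponse jwe = JweResponse.parseJwe(str);
            final String alg = jwe.getJweHeader().getAlgorithm();
            if (!ALG_RSA_OAEP.equalsIgnoreCase(alg)) {
                final ClientException failure = new ClientException("Header algorithm is not RSA-OAEP. Current Alg:" + alg);
                Logger.error(methodTag, failure.getMessage() + " " + WorkplaceJoinFailure.INTERNAL, failure);
                throw failure;
            }
            return getEncryptedKeyFromJweResponse(jwe);
        } catch (final JSONException e) {
            Logger.error(methodTag, e.getMessage(), e);
            throw new ClientException(ClientException.JSON_CONSTRUCTION_FAILED, "Invalid JsonObject for sessionkey", e);
        }
    }

    /**
     * Generates a fresh random key-derivation context of {@link #SP800_108_CTX_SIZE} bytes
     * from a cryptographically secure RNG.
     *
     * @return a new random context (a copy, per {@code CopyUtil})
     */
    public static byte[] generateRandomKeyContext() {
        final byte[] ctx = new byte[SP800_108_CTX_SIZE];
        RANDOM.nextBytes(ctx);
        return CopyUtil.copyIfNotNull(ctx);
    }

    /**
     * Returns the fixed derivation label {@link #SP800_108_LABEL} as ASCII bytes.
     *
     * @return a fresh copy of the label bytes
     */
    public static byte[] getDerivedKeyLabel() {
        return CopyUtil.copyIfNotNull(SP800_108_LABEL.getBytes(AuthenticationConstants.CHARSET_ASCII));
    }

    /**
     * Converts the JWE's base64url encrypted-key field to standard base64 (alphabet swap plus
     * '=' padding) and decodes it.
     *
     * <p>The two constant references used for the '-' to '+' substitution are what the decompiled
     * source carries; they are assumed to hold those single characters (TODO confirm against the
     * referenced classes).
     *
     * @param jweResponse parsed JWE whose encrypted-key field is to be decoded
     * @return the decoded encrypted-key bytes
     * @throws IllegalArgumentException if the field length is not a valid base64url length (mod 4 == 1)
     *                                  or the decoder rejects it
     */
    private static byte[] getEncryptedKeyFromJweResponse(final JweResponse jweResponse) {
        Objects.requireNonNull(jweResponse, "jweResponse is marked non-null but is null");
        final String methodTag = TAG + ":getEncryptedKeyFromJweResponse";
        String normalized = jweResponse.getEncryptedKey()
                .replace(CacheKeyValueDelegate.CACHE_VALUE_SEPARATOR, Marker.ANY_NON_NULL_MARKER)
                .replace("_", "/");
        // Length only; the wrapped key itself is never logged.
        Logger.info(methodTag, "JWE encrypted key (Session Key) length: " + normalized.length());
        switch (normalized.length() % 4) {
            case 0:
                break;
            case 2:
                normalized += "==";
                break;
            case 3:
                normalized += "=";
                break;
            default:
                // A remainder of 1 can never be produced by valid base64url encoding.
                final IllegalArgumentException badLength = new IllegalArgumentException("Illegal base64url string!");
                Logger.error(methodTag, badLength.getMessage(), badLength);
                throw badLength;
        }
        return base64Decode(normalized, BASE64_FLAG_DEFAULT, "Jwe encrypted key not valid base64 encoded. Key length: " + normalized.length());
    }
}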
