package org.cryptomator.cryptofs;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.InvalidClaimException;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.net.URI;
import java.util.Arrays;
import java.util.Objects;
import java.util.UUID;
import org.cryptomator.cryptolib.api.Masterkey;
import org.cryptomator.cryptolib.api.MasterkeyLoader;
import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;

/* loaded from: input_file:org/cryptomator/cryptofs/VaultConfig.class */
public class VaultConfig {
    private static final String JSON_KEY_VAULTVERSION = "format";
    private static final String JSON_KEY_CIPHERCONFIG = "cipherCombo";
    private static final String JSON_KEY_SHORTENING_THRESHOLD = "shorteningThreshold";
    private final String id;
    private final int vaultVersion;
    private final VaultCipherCombo cipherCombo;
    private final int shorteningThreshold;

    /* loaded from: input_file:org/cryptomator/cryptofs/VaultConfig$UnverifiedVaultConfig.class */
    public static class UnverifiedVaultConfig {
        private final DecodedJWT unverifiedConfig;

        private UnverifiedVaultConfig(DecodedJWT decodedJWT) {
            this.unverifiedConfig = decodedJWT;
        }

        public URI getKeyId() {
            return URI.create(this.unverifiedConfig.getKeyId());
        }

        public int allegedVaultVersion() {
            return this.unverifiedConfig.getClaim(VaultConfig.JSON_KEY_VAULTVERSION).asInt().intValue();
        }

        public int allegedShorteningThreshold() {
            return this.unverifiedConfig.getClaim(VaultConfig.JSON_KEY_SHORTENING_THRESHOLD).asInt().intValue();
        }

        public VaultConfig verify(byte[] bArr, int i) throws VaultKeyInvalidException, VaultVersionMismatchException, VaultConfigLoadException {
            try {
                return new VaultConfig(JWT.require(Algorithm.HMAC256(bArr)).withClaim(VaultConfig.JSON_KEY_VAULTVERSION, Integer.valueOf(i)).build().verify(this.unverifiedConfig));
            } catch (InvalidClaimException e) {
                throw new VaultVersionMismatchException("Vault config not for version " + i);
            } catch (JWTVerificationException e2) {
                throw new VaultConfigLoadException("Failed to verify vault config: " + this.unverifiedConfig.getToken());
            } catch (SignatureVerificationException e3) {
                throw new VaultKeyInvalidException();
            }
        }
    }

    /* loaded from: input_file:org/cryptomator/cryptofs/VaultConfig$VaultConfigBuilder.class */
    public static class VaultConfigBuilder {
        private final String id = UUID.randomUUID().toString();
        private final int vaultVersion = 8;
        private VaultCipherCombo cipherCombo;
        private int shorteningThreshold;

        public VaultConfigBuilder cipherCombo(VaultCipherCombo vaultCipherCombo) {
            this.cipherCombo = vaultCipherCombo;
            return this;
        }

        public VaultConfigBuilder shorteningThreshold(int i) {
            this.shorteningThreshold = i;
            return this;
        }

        public VaultConfig build() {
            return new VaultConfig(this);
        }
    }

    private VaultConfig(DecodedJWT decodedJWT) {
        this.id = decodedJWT.getId();
        this.vaultVersion = decodedJWT.getClaim(JSON_KEY_VAULTVERSION).asInt().intValue();
        this.cipherCombo = VaultCipherCombo.valueOf(decodedJWT.getClaim("cipherCombo").asString());
        this.shorteningThreshold = decodedJWT.getClaim(JSON_KEY_SHORTENING_THRESHOLD).asInt().intValue();
    }

    private VaultConfig(VaultConfigBuilder vaultConfigBuilder) {
        this.id = vaultConfigBuilder.id;
        Objects.requireNonNull(vaultConfigBuilder);
        this.vaultVersion = 8;
        this.cipherCombo = vaultConfigBuilder.cipherCombo;
        this.shorteningThreshold = vaultConfigBuilder.shorteningThreshold;
    }

    public String getId() {
        return this.id;
    }

    public int getVaultVersion() {
        return this.vaultVersion;
    }

    public VaultCipherCombo getCipherCombo() {
        return this.cipherCombo;
    }

    public int getShorteningThreshold() {
        return this.shorteningThreshold;
    }

    public String toToken(String str, byte[] bArr) {
        return JWT.create().withKeyId(str).withJWTId(this.id).withClaim(JSON_KEY_VAULTVERSION, Integer.valueOf(this.vaultVersion)).withClaim("cipherCombo", this.cipherCombo.name()).withClaim(JSON_KEY_SHORTENING_THRESHOLD, Integer.valueOf(this.shorteningThreshold)).sign(Algorithm.HMAC256(bArr));
    }

    public static VaultConfig load(String str, MasterkeyLoader masterkeyLoader, int i) throws MasterkeyLoadingFailedException, VaultConfigLoadException {
        UnverifiedVaultConfig decode = decode(str);
        byte[] bArr = new byte[0];
        try {
            Masterkey loadKey = masterkeyLoader.loadKey(decode.getKeyId());
            try {
                bArr = loadKey.getEncoded();
                VaultConfig verify = decode.verify(bArr, i);
                if (loadKey != null) {
                    loadKey.close();
                }
                Arrays.fill(bArr, (byte) 0);
                return verify;
            } finally {
            }
        } catch (Throwable th) {
            Arrays.fill(bArr, (byte) 0);
            throw th;
        }
    }

    public static UnverifiedVaultConfig decode(String str) throws VaultConfigLoadException {
        try {
            return new UnverifiedVaultConfig(JWT.decode(str));
        } catch (JWTDecodeException e) {
            throw new VaultConfigLoadException("Failed to parse config: " + str);
        }
    }

    public static VaultConfigBuilder createNew() {
        return new VaultConfigBuilder();
    }
}
