package org.kafkacrypto;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.kafkacrypto.exceptions.KafkaCryptoExchangeException;
import org.kafkacrypto.exceptions.KafkaCryptoInternalError;
import org.kafkacrypto.msgs.ChainCert;
import org.kafkacrypto.msgs.PathlenPoison;
import org.kafkacrypto.msgs.SignedChain;
import org.kafkacrypto.msgs.TopicsPoison;
import org.kafkacrypto.msgs.UsagesPoison;
import org.kafkacrypto.msgs.msgpack;
import org.kafkacrypto.types.ByteHashMap;
import org.msgpack.value.Value;
import org.msgpack.value.Variable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/kafkacrypto/CryptoExchange.class */
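/**
 * Key-exchange side of kafkacrypto: validates peers' signed certificate chains against the
 * allow/deny lists, answers key-encrypt requests with topic keys sealed to the requester,
 * unseals such replies, and keeps this node's own signing-key (spk) chain up to date.
 *
 * <p>Thread-safety: the allow/deny lists are guarded by {@code __allowdenylist_lock}; the spk
 * chain, its head certificate and the direct-request flag by {@code __spk_lock}. Wherever both
 * are held ({@code encrypt_keys}, {@code __update_spk_chain}) {@code __allowdenylist_lock} is
 * acquired first, so the two locks cannot deadlock against each other.
 */
public class CryptoExchange {
    /** Certificate lifetime in seconds used when the constructor is given a non-positive max age. */
    private static final int DEFAULT_MAX_AGE = 86400;
    /** Lower bound on the size of the per-exchange nonces; smaller requests are raised to this. */
    private static final int MIN_RANDOM_BYTES = 32;
    /** Number of leading SHA-256 bytes used as the secretbox key. */
    private static final int SECRETBOX_KEY_BYTES = 32;
    /**
     * Seed of the temporary provisioning root of trust. It is used only while this node has no
     * signing chain of its own; the warning logged at that point tells the operator to provision a
     * proper chain and then remove this root from the allowlist.
     */
    private static final String TEMPORARY_ROOT_SEED_HEX =
        "4c194f7de97c67626cc43fbdaf93dffbc4735352b37370072697d44254e1bc6c";

    protected Logger _logger;
    /** Lifetime (seconds) given to every certificate this node issues. */
    private final int __maxage;
    /** Size of the random nonce placed in requests and replies. */
    private final int __randombytes;
    private final CryptoKey __cryptokey;
    /** This node's current signing chain; may be empty until one is provisioned. Guarded by __spk_lock. */
    private SignedChain __spk_chain;
    /** Head certificate of __spk_chain, or null while no chain has been accepted. Guarded by __spk_lock. */
    private ChainCert __spk;
    /** Whether __spk_chain also validates for the "key-encrypt-request" usage. Guarded by __spk_lock. */
    private boolean __spk_direct_request;
    private final Lock __spk_lock;
    private final List<ChainCert> __allowlist;
    private final List<ChainCert> __denylist;
    private final Lock __allowdenylist_lock;

    /**
     * Creates an exchange with the default certificate lifetime and nonce size.
     *
     * @see #CryptoExchange(SignedChain, CryptoKey, List, List, int, int)
     */
    public CryptoExchange(SignedChain signedChain, CryptoKey cryptoKey, List<ChainCert> list, List<ChainCert> list2) {
        this(signedChain, cryptoKey, list, list2, 0, MIN_RANDOM_BYTES);
    }

    /**
     * Creates an exchange with the default nonce size.
     *
     * @see #CryptoExchange(SignedChain, CryptoKey, List, List, int, int)
     */
    public CryptoExchange(SignedChain signedChain, CryptoKey cryptoKey, List<ChainCert> list, List<ChainCert> list2, int i) {
        this(signedChain, cryptoKey, list, list2, i, MIN_RANDOM_BYTES);
    }

    /**
     * Creates an exchange.
     *
     * @param signedChain this node's signing chain; ignored when null or empty (the node then starts
     *     with an empty chain and falls back to the temporary root of trust when it has to sign)
     * @param cryptoKey the node's key material (signing key and ephemeral keys)
     * @param list allowlist of root certificates; the list itself is used, not a copy, so later
     *     changes made through {@link #add_allowlist} are visible to the caller. Null means empty.
     * @param list2 denylist, handled like {@code list}
     * @param i certificate lifetime in seconds; values {@code <= 0} select the 24h default
     * @param i2 nonce size in bytes; values below 32 are raised to 32
     */
    public CryptoExchange(SignedChain signedChain, CryptoKey cryptoKey, List<ChainCert> list, List<ChainCert> list2, int i, int i2) {
        this._logger = LoggerFactory.getLogger("kafkacrypto-java.cryptoexchange");
        this.__maxage = (i > 0) ? i : DEFAULT_MAX_AGE;
        this.__randombytes = Math.max(i2, MIN_RANDOM_BYTES);
        this.__cryptokey = cryptoKey;
        this.__spk_chain = new SignedChain();
        this.__spk = null;
        this.__spk_direct_request = true;
        this.__spk_lock = new ReentrantLock();
        this.__allowdenylist_lock = new ReentrantLock();
        this.__allowlist = (list != null) ? list : new ArrayList<ChainCert>();
        this.__denylist = (list2 != null) ? list2 : new ArrayList<ChainCert>();
        // Must run last: it reads every field above.
        __update_spk_chain(signedChain);
    }

    /**
     * Builds the reply to a key-encrypt request: the topic keys in {@code list}/{@code list2} are
     * sealed to the requester's ephemeral key and returned inside a chain signed by this node.
     *
     * @param list key names; {@code list.get(i)} is paired with {@code list2.get(i)} and becomes a
     *     map key in {@link #decrypt_keys} on the receiving side
     * @param list2 key values; must have at least as many entries as {@code list}
     * @param str topic the request is for
     * @param bArr packed {@link SignedChain} of the requester (a "key-encrypt-request" chain)
     * @return the packed signed reply chain, or {@code null} when the request does not validate or
     *     the reply cannot be built (the cause is logged at info level)
     */
    public byte[] encrypt_keys(List<byte[]> list, List<byte[]> list2, String str, byte[] bArr) {
        this.__allowdenylist_lock.lock();
        try {
            ChainCert requester = new SignedChain().unpackb(bArr)
                .process_chain(str, "key-encrypt-request", this.__allowlist, this.__denylist);
            byte[] ourEpk = this.__cryptokey.get_epk(str, "encrypt_keys");
            // use_epk returns an array whose first element is the shared secret derived with the
            // requester's key; the exact meaning of any further entries is defined by CryptoKey.
            // That first slot is replaced by our ephemeral public key before the array is published
            // in pk_array, so the secret itself never leaves this method.
            byte[][] published = this.__cryptokey.use_epk(str, "encrypt_keys", new byte[][]{requester.pk}, true);
            byte[] sharedSecret = published[0];
            published[0] = ourEpk;
            byte[] requestNonce = requester.getExtra(0).asRawValue().asByteArray();
            byte[] replyNonce = jasodium.randombytes(this.__randombytes);
            // Symmetric key = first 32 bytes of SHA-256(topic || request nonce || reply nonce || secret).
            // The topic charset is pinned so that the derivation does not depend on the JVM default
            // (only matters for non-ASCII topic names); decrypt_keys uses the same construction.
            byte[] material = Utils.concatArrays(new byte[][]{
                str.getBytes(StandardCharsets.UTF_8), requestNonce, replyNonce, sharedSecret});
            byte[] symKey = Utils.splitArray(jasodium.crypto_hash_sha256(material), SECRETBOX_KEY_BYTES)[0];
            if (list2.size() < list.size()) {
                throw new KafkaCryptoInternalError("Key name/value lists differ in length!");
            }
            // Flattened [name0, value0, name1, value1, ...]; decrypt_keys re-pairs them.
            List<Object> keyValues = new ArrayList<>(2 * list.size());
            for (int idx = 0; idx < list.size(); idx++) {
                keyValues.add(list.get(idx));
                keyValues.add(list2.get(idx));
            }
            byte[] sealedKeys = jasodium.crypto_secretbox_auto(msgpack.packb(keyValues), symKey);

            ChainCert reply = new ChainCert();
            reply.max_age = Utils.currentTime() + this.__maxage;
            reply.poisons.add(new TopicsPoison(str));
            reply.poisons.add(new UsagesPoison("key-encrypt"));
            reply.pk = published[0];
            reply.pk_array = published;
            List<Value> nonces = new ArrayList<>(2);
            nonces.add(new Variable().setStringValue(requestNonce));
            nonces.add(new Variable().setStringValue(replyNonce));
            reply.extra.add(new Variable().setArrayValue(nonces));
            reply.extra.add(new Variable().setStringValue(sealedKeys));
            byte[] signedReply = this.__cryptokey.sign_spk(msgpack.packb(reply));

            this.__spk_lock.lock();
            try {
                SignedChain chain = new SignedChain(this.__spk_chain);
                if (chain.chain.isEmpty()) {
                    __append_temporary_root(chain, str, new UsagesPoison("key-encrypt"));
                }
                chain.append(signedReply);
                return msgpack.packb(chain);
            } catch (Throwable th) {
                this._logger.info("Could not build reply chain", th);
                return null;
            } finally {
                this.__spk_lock.unlock();
            }
        } catch (Throwable th) {
            // Throwable, as in the original: the contract is best-effort, null on any failure,
            // including the project's own error types.
            this._logger.info("Error replying to encrypt_keys message", th);
            return null;
        } finally {
            this.__allowdenylist_lock.unlock();
        }
    }

    /**
     * Unseals the topic keys from a key-encrypt reply built by {@link #encrypt_keys}.
     *
     * <p>Every shared secret CryptoKey derives from the reply's {@code pk_array} is tried in turn;
     * the first one that opens the secretbox wins. Individual failed attempts are logged at debug
     * level only, since trying the wrong candidate is expected.
     *
     * @param str topic the reply is for
     * @param bArr packed {@link SignedChain} carrying the reply (a "key-encrypt" chain)
     * @return map of key name to key value (a {@link ByteHashMap}, assumed to compare keys by
     *     content), or {@code null} if the reply does not validate or no candidate secret opens it
     */
    public Map<byte[], byte[]> decrypt_keys(String str, byte[] bArr) {
        this.__allowdenylist_lock.lock();
        try {
            ChainCert reply = new SignedChain().unpackb(bArr)
                .process_chain(str, "key-encrypt", this.__allowlist, this.__denylist);
            // extra[0] = [request nonce, reply nonce], extra[1] = sealed key list (see encrypt_keys).
            List<Value> nonces = reply.getExtra(0).asArrayValue().list();
            byte[] sealedKeys = reply.getExtra(1).asRawValue().asByteArray();
            byte[] requestNonce = nonces.get(0).asRawValue().asByteArray();
            byte[] replyNonce = nonces.get(1).asRawValue().asByteArray();
            for (byte[] candidateSecret : this.__cryptokey.use_epk(str, "decrypt_keys", reply.pk_array, false)) {
                try {
                    // Same derivation as encrypt_keys; the charset is pinned for the same reason.
                    byte[] material = Utils.concatArrays(new byte[][]{
                        str.getBytes(StandardCharsets.UTF_8), requestNonce, replyNonce, candidateSecret});
                    byte[] symKey = Utils.splitArray(jasodium.crypto_hash_sha256(material), SECRETBOX_KEY_BYTES)[0];
                    List<Value> flat = msgpack.unpackb(jasodium.crypto_secretbox_open_auto(sealedKeys, symKey));
                    if (flat.size() < 2 || flat.size() % 2 != 0) {
                        throw new KafkaCryptoInternalError("Invalid encryption key set!");
                    }
                    ByteHashMap keys = new ByteHashMap();
                    for (int idx = 0; idx < flat.size(); idx += 2) {
                        keys.put(flat.get(idx).asRawValue().asByteArray(), flat.get(idx + 1).asRawValue().asByteArray());
                    }
                    // Presumably tells CryptoKey the ephemeral key for this topic is now consumed
                    // (empty key list, flag set) -- confirm against CryptoKey.use_epk.
                    this.__cryptokey.use_epk(str, "decrypt_keys", new byte[0][], true);
                    return keys;
                } catch (Throwable th) {
                    this._logger.debug("Failure to decrypt keys", th);
                }
            }
            return null;
        } catch (Throwable th) {
            this._logger.info("Unable to interpret decrypt_keys message", th);
            return null;
        } finally {
            this.__allowdenylist_lock.unlock();
        }
    }

    /**
     * Builds a signed key-encrypt request for {@code str} carrying an ephemeral public key and a
     * fresh nonce, appended to this node's signing chain.
     *
     * @param str topic to request keys for
     * @param bArr ephemeral public key to publish; when null, CryptoKey's current one for the topic is used
     * @return the packed signed request chain
     * @throws IOException if packing or signing fails
     */
    public byte[] signed_epk(String str, byte[] bArr) throws IOException {
        byte[] epk = (bArr != null) ? bArr : this.__cryptokey.get_epk(str, "decrypt_keys");
        byte[] requestNonce = jasodium.randombytes(this.__randombytes);
        ChainCert request = new ChainCert();
        request.poisons.add(new TopicsPoison(str));
        request.poisons.add(new UsagesPoison("key-encrypt-request", "key-encrypt-subscribe"));
        request.max_age = Utils.currentTime() + this.__maxage;
        request.pk = epk;
        request.extra.add(new Variable().setStringValue(requestNonce));
        byte[] signedRequest = this.__cryptokey.sign_spk(msgpack.packb(request));
        this.__spk_lock.lock();
        try {
            SignedChain chain = new SignedChain(this.__spk_chain);
            if (chain.chain.isEmpty()) {
                this.__spk_direct_request = true;
                __append_temporary_root(chain, str,
                    new UsagesPoison("key-encrypt-request", "key-encrypt-subscribe"));
            }
            chain.append(signedRequest);
            return msgpack.packb(chain);
        } finally {
            this.__spk_lock.unlock();
        }
    }

    /**
     * Appends a certificate for this node's signing key, signed by the temporary root of trust, to
     * {@code chain}, and logs the provisioning chain the operator needs to replace it.
     *
     * <p>Caller must hold {@code __spk_lock}.
     *
     * @param chain chain to extend (normally a copy of the empty __spk_chain)
     * @param topic topic the certificate is restricted to
     * @param usages usage restriction placed on the certificate
     * @throws IOException if packing or signing fails
     */
    private void __append_temporary_root(SignedChain chain, String topic, UsagesPoison usages) throws IOException {
        ChainCert tempRoot = new ChainCert();
        tempRoot.max_age = Utils.currentTime() + this.__maxage;
        tempRoot.poisons.add(new TopicsPoison(topic));
        tempRoot.poisons.add(usages);
        tempRoot.poisons.add(new PathlenPoison(1));
        tempRoot.pk = this.__cryptokey.get_spk();
        // Index 1 of the seed keypair is the part passed to crypto_sign, i.e. the signing key.
        byte[] tempRootSigningKey = jasodium.crypto_sign_seed_keypair(Utils.hexToBytes(TEMPORARY_ROOT_SEED_HEX))[1];
        chain.append(jasodium.crypto_sign(msgpack.packb(tempRoot), tempRootSigningKey));

        // Provisioning chain for the operator: our signing key as its own root (max_age 0) followed
        // by the same certificate signed by us.
        ChainCert selfRoot = new ChainCert();
        selfRoot.max_age = 0.0d;
        selfRoot.pk = this.__cryptokey.get_spk();
        SignedChain provisioning = new SignedChain();
        provisioning.append(msgpack.packb(selfRoot));
        provisioning.append(this.__cryptokey.sign_spk(msgpack.packb(tempRoot)));
        this._logger.warn("Current signing chain is empty. Use {} to provision access and then remove temporary root of trust from allowedlist.", Utils.bytesToHex(msgpack.packb(provisioning)));
    }

    /**
     * Adds the certificate carried by a "key-allowlist" chain to the allowlist.
     *
     * @param signedChain chain whose head certificate carries, in extra[0], the packed certificate to allow
     * @return the added certificate, or {@code null} if the chain does not validate, the embedded
     *     certificate's key differs from the signer's, or it was already listed
     */
    public ChainCert add_allowlist(SignedChain signedChain) {
        return __add_listed_cert(signedChain, "key-allowlist", this.__allowlist, "allowlist");
    }

    /**
     * Adds the certificate carried by a "key-denylist" chain to the denylist.
     *
     * @param signedChain chain whose head certificate carries, in extra[0], the packed certificate to deny
     * @return the added certificate, or {@code null} if the chain does not validate, the embedded
     *     certificate's key differs from the signer's, or it was already listed
     */
    public ChainCert add_denylist(SignedChain signedChain) {
        return __add_listed_cert(signedChain, "key-denylist", this.__denylist, "denylist");
    }

    /**
     * Shared body of {@link #add_allowlist} and {@link #add_denylist}.
     *
     * @param signedChain chain to validate against the current allow/deny lists
     * @param usage usage the chain must validate for
     * @param target list the embedded certificate is added to
     * @param listName "allowlist" or "denylist"; used in messages only
     * @return the added certificate or {@code null}
     */
    private ChainCert __add_listed_cert(SignedChain signedChain, String usage, List<ChainCert> target, String listName) {
        this.__allowdenylist_lock.lock();
        try {
            ChainCert signer = signedChain.process_chain(null, usage, this.__allowlist, this.__denylist);
            ChainCert listed = new ChainCert().unpackb(signer.getExtra(0).asRawValue().asByteArray());
            // pk is a byte[]: compare contents, not references (byte[].equals is identity and
            // would reject every certificate).
            if (!Arrays.equals(signer.pk, listed.pk)) {
                throw new KafkaCryptoInternalError("Mismatch in keys for " + listName + ".");
            }
            if (target.contains(listed)) {
                return null;
            }
            target.add(listed);
            return listed;
        } catch (IOException | NullPointerException e) {
            this._logger.info("add_" + listName + " error", e);
            return null;
        } catch (KafkaCryptoInternalError e) {
            this._logger.warn("add_" + listName + " error", e);
            return null;
        } finally {
            this.__allowdenylist_lock.unlock();
        }
    }

    /**
     * @return whether the current signing chain is itself valid for "key-encrypt-request", i.e.
     *     this node may issue direct key requests with it
     */
    public boolean direct_request_spk_chain() {
        this.__spk_lock.lock();
        try {
            return this.__spk_direct_request;
        } finally {
            this.__spk_lock.unlock();
        }
    }

    /**
     * Replaces this node's signing chain.
     *
     * @param signedChain the new chain
     * @return the chain now in use, or {@code null} if {@code signedChain} was rejected
     */
    public SignedChain replace_spk_chain(SignedChain signedChain) {
        return __update_spk_chain(signedChain);
    }

    /**
     * Validates and installs a new signing chain. The chain is accepted only if it validates
     * against the allow/deny lists, its head certifies this node's signing public key, and it
     * expires later than the chain currently installed.
     *
     * @param signedChain candidate chain; null or empty is rejected silently
     * @return {@code signedChain} if installed, else {@code null} (rejections are logged at warn level)
     */
    private SignedChain __update_spk_chain(SignedChain signedChain) {
        if (signedChain == null || signedChain.chain.size() < 1) {
            return null;
        }
        this.__allowdenylist_lock.lock();
        try {
            ChainCert head = signedChain.process_chain(null, null, this.__allowlist, this.__denylist);
            if (head == null) {
                return null;
            }
            this.__spk_lock.lock();
            try {
                byte[] ourSpk = this.__cryptokey.get_spk();
                if (!Arrays.equals(ourSpk, head.pk)) {
                    // Public keys only; hex so both sides of the mismatch are readable in the log.
                    this._logger.warn("Key mismatch: {} vs {}", Utils.bytesToHex(ourSpk), Utils.bytesToHex(head.pk));
                    throw new KafkaCryptoExchangeException("New chain does not match current signing public key!");
                }
                if (this.__spk != null && head.max_age <= this.__spk.max_age) {
                    this._logger.warn("Non-superior chain: {} vs {}", this.__spk.max_age, head.max_age);
                    throw new KafkaCryptoExchangeException("New chain has sooner expiry time than current chain!");
                }
                this.__spk_chain = signedChain;
                this.__spk = head;
                // Pessimistic default; flipped to true only if the chain also validates for direct requests.
                this.__spk_direct_request = false;
                try {
                    signedChain.process_chain(null, "key-encrypt-request", this.__allowlist, this.__denylist);
                    this.__spk_direct_request = true;
                } catch (KafkaCryptoInternalError e) {
                    this.__spk_direct_request = false;
                }
                return signedChain;
            } finally {
                this.__spk_lock.unlock();
            }
        } catch (KafkaCryptoExchangeException e) {
            this._logger.warn("__update_spk_chain error", e);
            return null;
        } finally {
            this.__allowdenylist_lock.unlock();
        }
    }
}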
