package org.sentrysoftware.winrm.service.client.encryption;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Objects;
import java.util.function.Function;
import javax.crypto.Cipher;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.message.Message;
import org.sentrysoftware.winrm.service.client.auth.ntlm.NTCredentialsWithEncryption;
import org.sentrysoftware.winrm.service.client.auth.ntlm.NTLMEngineUtils;

/* loaded from: input_file:org/sentrysoftware/winrm/service/client/encryption/Decryptor.class */
public class Decryptor {
    private final NTCredentialsWithEncryption credentials;
    private byte[] rawBytes;
    private byte[] encryptedPayloadBytes;
    private int index;
    private int lastBlockStart;
    private int lastBlockEnd;
    private byte[] signatureBytes;
    private byte[] sealedBytes;
    private byte[] unsealedBytes;

    public Decryptor(NTCredentialsWithEncryption nTCredentialsWithEncryption) {
        this.credentials = nTCredentialsWithEncryption;
    }

    public void handle(Message message) {
        Object obj = message.get("Content-Type");
        if (!(obj != null && obj.toString().startsWith("multipart/encrypted"))) {
            if (this.credentials != null && this.credentials.isAuthenticated()) {
                throw new IllegalStateException("Unencrypted payload from server when authenticated and encryption is required");
            }
        } else {
            if (this.credentials == null) {
                throw new IllegalStateException("Encrypted payload from server when no credentials with encryption known");
            }
            if (!this.credentials.isAuthenticated()) {
                throw new IllegalStateException("Encrypted payload from server when not authenticated");
            }
            try {
                decrypt(message);
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        }
    }

    void decrypt(Message message) throws IOException {
        InputStream inputStream = (InputStream) message.getContent(InputStream.class);
        try {
            this.rawBytes = IOUtils.readBytesFromStream(inputStream);
            if (inputStream != null) {
                inputStream.close();
            }
            unwrap();
            int readLittleEndianUnsignedInt = (int) ByteArrayUtils.readLittleEndianUnsignedInt(this.encryptedPayloadBytes, 0);
            this.signatureBytes = Arrays.copyOfRange(this.encryptedPayloadBytes, 4, 4 + readLittleEndianUnsignedInt);
            this.sealedBytes = Arrays.copyOfRange(this.encryptedPayloadBytes, 4 + readLittleEndianUnsignedInt, this.encryptedPayloadBytes.length);
            unseal();
            verify();
            message.setContent(InputStream.class, new ByteArrayInputStream(this.unsealedBytes));
        } catch (Throwable th) {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void verify() throws IOException {
        long readLittleEndianUnsignedInt = ByteArrayUtils.readLittleEndianUnsignedInt(this.signatureBytes, 12);
        int i = this.credentials.hasNegotiateFlag(NTLMEngineUtils.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) ? 4 : 8;
        byte[] copyOfRange = Arrays.copyOfRange(this.signatureBytes, i, 12);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            byte[] bArr = this.unsealedBytes;
            NTCredentialsWithEncryption nTCredentialsWithEncryption = this.credentials;
            Function function = (v0) -> {
                return v0.getServerSigningKey();
            };
            Cipher statefulDecryptor = this.credentials.getStatefulDecryptor();
            Objects.requireNonNull(statefulDecryptor);
            NtlmEncryptionUtils.calculateSignature(bArr, readLittleEndianUnsignedInt, byteArrayOutputStream, nTCredentialsWithEncryption, function, statefulDecryptor::update);
            byte[] copyOfRange2 = Arrays.copyOfRange(byteArrayOutputStream.toByteArray(), i, 12);
            long readLittleEndianUnsignedInt2 = ByteArrayUtils.readLittleEndianUnsignedInt(byteArrayOutputStream.toByteArray(), 12);
            if (!Arrays.equals(copyOfRange, copyOfRange2)) {
                throw new IllegalStateException(String.format("Checksum mismatch\n%s--\n%s", ByteArrayUtils.formatHexDump(copyOfRange), ByteArrayUtils.formatHexDump(copyOfRange2)));
            }
            if (readLittleEndianUnsignedInt2 != readLittleEndianUnsignedInt) {
                throw new IllegalStateException(String.format("Sequence number mismatch: %d != %d", Long.valueOf(readLittleEndianUnsignedInt), Long.valueOf(readLittleEndianUnsignedInt2)));
            }
            byteArrayOutputStream.close();
            this.credentials.getSequenceNumberIncoming().incrementAndGet();
        } catch (Throwable th) {
            try {
                byteArrayOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    void unwrap() {
        this.index = 0;
        skipOver(NtlmEncryptionUtils.ENCRYPTED_BOUNDARY_CR);
        skipUntil("\n--Encrypted Boundary\r\n");
        skipUntil("\r\n");
        this.lastBlockStart = this.index;
        this.lastBlockEnd = this.rawBytes.length - NtlmEncryptionUtils.ENCRYPTED_BOUNDARY_END.length();
        this.index = this.lastBlockEnd;
        skipOver(NtlmEncryptionUtils.ENCRYPTED_BOUNDARY_END);
        this.encryptedPayloadBytes = Arrays.copyOfRange(this.rawBytes, this.lastBlockStart, this.lastBlockEnd);
    }

    void skipOver(String str) {
        skipOver(str.getBytes());
    }

    void skipOver(byte[] bArr) {
        int i = 0;
        while (i < bArr.length) {
            if (this.index >= this.rawBytes.length) {
                throw new IllegalStateException(String.format("Invalid format for response from server; terminated early (%d) when expecting '%s'\n%s", Integer.valueOf(i), new String(bArr), ByteArrayUtils.formatHexDump(this.rawBytes)));
            }
            int i2 = i;
            i++;
            byte b = bArr[i2];
            byte[] bArr2 = this.rawBytes;
            int i3 = this.index;
            this.index = i3 + 1;
            if (b != bArr2[i3]) {
                throw new IllegalStateException(String.format("Invalid format for response from server; mismatch at position %d (%d) when expecting '%s'\n%s", Integer.valueOf(this.index), Integer.valueOf(i), new String(bArr), ByteArrayUtils.formatHexDump(this.rawBytes)));
            }
        }
    }

    void skipUntil(String str) {
        byte[] bytes = str.getBytes();
        int i = this.index;
        loop0: while (true) {
            for (int i2 = 0; i2 < bytes.length && i + i2 < this.rawBytes.length; i2++) {
                if (i + i2 >= this.rawBytes.length) {
                    throw new IllegalStateException(String.format("Invalid format for response from server; terminated early (%d) when looking for '%s'\n%s", Integer.valueOf(i2), new String(bytes), ByteArrayUtils.formatHexDump(this.rawBytes)));
                }
                if (bytes[i2] != this.rawBytes[i + i2]) {
                    break;
                }
            }
            i++;
        }
        this.lastBlockStart = this.index;
        this.lastBlockEnd = i;
        this.index = i + bytes.length;
    }

    private void unseal() {
        this.unsealedBytes = this.credentials.getStatefulDecryptor().update(this.sealedBytes);
    }
}
