package org.eclipse.milo.opcua.stack.core.channel;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.CompositeByteBuf;
import io.netty.util.ReferenceCountUtil;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Iterator;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity;
import org.eclipse.milo.opcua.stack.core.channel.headers.AsymmetricSecurityHeader;
import org.eclipse.milo.opcua.stack.core.channel.headers.SymmetricSecurityHeader;
import org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm;
import org.eclipse.milo.opcua.stack.core.util.BufferUtil;
import org.eclipse.milo.opcua.stack.core.util.SignatureUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/*  JADX ERROR: NullPointerException in pass: ClassModifier
    java.lang.NullPointerException
    */
/*  JADX ERROR: NullPointerException in pass: ProcessKotlinInternals
    java.lang.NullPointerException
    */
/* loaded from: input_file:BOOT-INF/lib/stack-core-0.6.4.jar:org/eclipse/milo/opcua/stack/core/channel/ChunkDecoder.class */
public final class ChunkDecoder {
    private final AsymmetricDecoder asymmetricDecoder = new AsymmetricDecoder();
    private final SymmetricDecoder symmetricDecoder = new SymmetricDecoder();
    private volatile long lastSequenceNumber = -1;
    private final ChannelParameters parameters;
    private final EncodingLimits encodingLimits;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/stack-core-0.6.4.jar:org/eclipse/milo/opcua/stack/core/channel/ChunkDecoder$AbstractDecoder.class */
    public abstract class AbstractDecoder {
        protected final Logger logger;
        static final /* synthetic */ boolean $assertionsDisabled;

        private AbstractDecoder() {
            this.logger = LoggerFactory.getLogger(getClass());
        }

        /*  JADX ERROR: JadxRuntimeException in pass: InlineMethods
            jadx.core.utils.exceptions.JadxRuntimeException: Failed to process method for inline: org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.access$202(org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder, long):long
            	at jadx.core.dex.visitors.InlineMethods.processInvokeInsn(InlineMethods.java:74)
            	at jadx.core.dex.visitors.InlineMethods.visit(InlineMethods.java:49)
            Caused by: jadx.core.utils.exceptions.JadxRuntimeException: Class not yet loaded at codegen stage: org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder
            	at jadx.core.dex.nodes.ClassNode.reloadAtCodegenStage(ClassNode.java:883)
            	at jadx.core.dex.visitors.InlineMethods.processInvokeInsn(InlineMethods.java:66)
            	... 1 more
            */
        org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.DecodedMessage decode(org.eclipse.milo.opcua.stack.core.channel.SecureChannel r10, io.netty.buffer.CompositeByteBuf r11, java.util.List<io.netty.buffer.ByteBuf> r12) throws org.eclipse.milo.opcua.stack.core.channel.MessageAbortException, org.eclipse.milo.opcua.stack.core.UaException {
            /*
                Method dump skipped, instructions count: 567
                To view this dump add '--comments-level debug' option
            */
            throw new UnsupportedOperationException("Method not decompiled: org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder.decode(org.eclipse.milo.opcua.stack.core.channel.SecureChannel, io.netty.buffer.CompositeByteBuf, java.util.List):org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder$DecodedMessage");
        }

        private void decryptChunk(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException {
            int cipherTextBlockSize = getCipherTextBlockSize(secureChannel);
            int readableBytes = byteBuf.readableBytes() / cipherTextBlockSize;
            int i = cipherTextBlockSize * readableBytes;
            ByteBuf pooledBuffer = BufferUtil.pooledBuffer(i);
            ByteBuffer nioBuffer = pooledBuffer.writerIndex(i).nioBuffer();
            ByteBuffer nioBuffer2 = byteBuf.nioBuffer();
            try {
                try {
                    Cipher cipher = getCipher(secureChannel);
                    if (!$assertionsDisabled && byteBuf.readableBytes() % cipherTextBlockSize != 0) {
                        throw new AssertionError();
                    }
                    if (isAsymmetric()) {
                        for (int i2 = 0; i2 < readableBytes; i2++) {
                            nioBuffer2.limit(nioBuffer2.position() + cipherTextBlockSize);
                            cipher.doFinal(nioBuffer2, nioBuffer);
                        }
                    } else {
                        cipher.doFinal(nioBuffer2, nioBuffer);
                    }
                    nioBuffer.flip();
                    byteBuf.writerIndex(byteBuf.readerIndex());
                    byteBuf.writeBytes(nioBuffer);
                    pooledBuffer.release();
                } catch (GeneralSecurityException e) {
                    throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e);
                }
            } catch (Throwable th) {
                pooledBuffer.release();
                throw th;
            }
        }

        private int getPaddingSize(int i, int i2, ByteBuf byteBuf) {
            int readableBytes = (byteBuf.readableBytes() - i2) - 1;
            return i <= 256 ? byteBuf.getUnsignedByte(readableBytes) : byteBuf.getUnsignedShortLE(readableBytes - 1);
        }

        protected abstract void readSecurityHeader(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException;

        protected abstract Cipher getCipher(SecureChannel secureChannel) throws UaException;

        protected abstract int getCipherTextBlockSize(SecureChannel secureChannel);

        protected abstract int getSignatureSize(SecureChannel secureChannel);

        protected abstract void verifyChunk(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException;

        protected abstract boolean isAsymmetric();

        protected abstract boolean isEncryptionEnabled(SecureChannel secureChannel);

        protected abstract boolean isSigningEnabled(SecureChannel secureChannel);

        static {
            $assertionsDisabled = !ChunkDecoder.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/stack-core-0.6.4.jar:org/eclipse/milo/opcua/stack/core/channel/ChunkDecoder$AsymmetricDecoder.class */
    public final class AsymmetricDecoder extends AbstractDecoder {
        private AsymmetricDecoder() {
            super();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public void readSecurityHeader(SecureChannel secureChannel, ByteBuf byteBuf) {
            AsymmetricSecurityHeader.decode(byteBuf, ChunkDecoder.this.encodingLimits);
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public Cipher getCipher(SecureChannel secureChannel) throws UaException {
            try {
                Cipher cipher = Cipher.getInstance(secureChannel.getSecurityPolicy().getAsymmetricEncryptionAlgorithm().getTransformation());
                cipher.init(2, secureChannel.getKeyPair().getPrivate());
                return cipher;
            } catch (GeneralSecurityException e) {
                throw new UaException(StatusCodes.Bad_InternalError, e);
            }
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public int getCipherTextBlockSize(SecureChannel secureChannel) {
            return secureChannel.getLocalAsymmetricCipherTextBlockSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public int getSignatureSize(SecureChannel secureChannel) {
            return secureChannel.getRemoteAsymmetricSignatureSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public void verifyChunk(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException {
            String transformation = secureChannel.getSecurityPolicy().getAsymmetricSignatureAlgorithm().getTransformation();
            int remoteAsymmetricSignatureSize = secureChannel.getRemoteAsymmetricSignatureSize();
            ByteBuffer nioBuffer = byteBuf.nioBuffer(0, byteBuf.writerIndex());
            nioBuffer.position(0);
            nioBuffer.limit(byteBuf.writerIndex() - remoteAsymmetricSignatureSize);
            try {
                Signature signature = Signature.getInstance(transformation);
                signature.initVerify(secureChannel.getRemoteCertificate().getPublicKey());
                signature.update(nioBuffer);
                byte[] bArr = new byte[remoteAsymmetricSignatureSize];
                nioBuffer.limit(nioBuffer.position() + remoteAsymmetricSignatureSize);
                nioBuffer.get(bArr);
                if (signature.verify(bArr)) {
                } else {
                    throw new UaException(StatusCodes.Bad_SecurityChecksFailed, "could not verify signature");
                }
            } catch (InvalidKeyException e) {
                throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
            } catch (NoSuchAlgorithmException e2) {
                throw new UaException(StatusCodes.Bad_InternalError, e2);
            } catch (SignatureException e3) {
                throw new UaException(StatusCodes.Bad_ApplicationSignatureInvalid, e3);
            }
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        protected boolean isAsymmetric() {
            return true;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public boolean isEncryptionEnabled(SecureChannel secureChannel) {
            return secureChannel.isAsymmetricEncryptionEnabled();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public boolean isSigningEnabled(SecureChannel secureChannel) {
            return secureChannel.isAsymmetricEncryptionEnabled();
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/stack-core-0.6.4.jar:org/eclipse/milo/opcua/stack/core/channel/ChunkDecoder$DecodedMessage.class */
    public static class DecodedMessage {
        private final ByteBuf message;
        private final long requestId;

        private DecodedMessage(ByteBuf byteBuf, long j) {
            this.message = byteBuf;
            this.requestId = j;
        }

        public ByteBuf getMessage() {
            return this.message;
        }

        public long getRequestId() {
            return this.requestId;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/stack-core-0.6.4.jar:org/eclipse/milo/opcua/stack/core/channel/ChunkDecoder$SymmetricDecoder.class */
    public final class SymmetricDecoder extends AbstractDecoder {
        private volatile ChannelSecurity.SecurityKeys securityKeys;
        private volatile Cipher cipher;
        private volatile long cipherId;
        static final /* synthetic */ boolean $assertionsDisabled;

        private SymmetricDecoder() {
            super();
            this.cipher = null;
            this.cipherId = -1L;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public void readSecurityHeader(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException {
            long tokenId = SymmetricSecurityHeader.decode(byteBuf).getTokenId();
            ChannelSecurity channelSecurity = secureChannel.getChannelSecurity();
            if (channelSecurity == null) {
                if (tokenId != 0) {
                    throw new UaException(StatusCodes.Bad_SecureChannelTokenUnknown, "unknown secure channel token: " + tokenId);
                }
                return;
            }
            if (tokenId == channelSecurity.getCurrentToken().getTokenId().longValue()) {
                this.securityKeys = channelSecurity.getCurrentKeys();
            } else {
                long longValue = ((Long) channelSecurity.getPreviousToken().map(channelSecurityToken -> {
                    return Long.valueOf(channelSecurityToken.getTokenId().longValue());
                }).orElse(-1L)).longValue();
                this.logger.debug("Attempting to use SecurityKeys from previousTokenId={}", Long.valueOf(longValue));
                if (tokenId != longValue) {
                    this.logger.warn("receivedTokenId={} did not match previousTokenId={}", Long.valueOf(tokenId), Long.valueOf(longValue));
                    throw new UaException(StatusCodes.Bad_SecureChannelTokenUnknown, "unknown secure channel token: " + tokenId);
                }
                if (secureChannel.isSymmetricEncryptionEnabled() && channelSecurity.getPreviousKeys().isPresent()) {
                    this.securityKeys = channelSecurity.getPreviousKeys().get();
                }
            }
            if (this.cipherId == tokenId || !secureChannel.isSymmetricEncryptionEnabled()) {
                return;
            }
            this.cipher = initCipher(secureChannel);
            this.cipherId = tokenId;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public Cipher getCipher(SecureChannel secureChannel) {
            if ($assertionsDisabled || this.cipher != null) {
                return this.cipher;
            }
            throw new AssertionError();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public int getCipherTextBlockSize(SecureChannel secureChannel) {
            return secureChannel.getSymmetricBlockSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public int getSignatureSize(SecureChannel secureChannel) {
            return secureChannel.getSymmetricSignatureSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public void verifyChunk(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException {
            SecurityAlgorithm symmetricSignatureAlgorithm = secureChannel.getSecurityPolicy().getSymmetricSignatureAlgorithm();
            byte[] signatureKey = secureChannel.getDecryptionKeys(this.securityKeys).getSignatureKey();
            int symmetricSignatureSize = secureChannel.getSymmetricSignatureSize();
            ByteBuffer nioBuffer = byteBuf.nioBuffer(0, byteBuf.writerIndex());
            nioBuffer.position(0);
            nioBuffer.limit(byteBuf.writerIndex() - symmetricSignatureSize);
            byte[] hmac = SignatureUtil.hmac(symmetricSignatureAlgorithm, signatureKey, nioBuffer);
            byte[] bArr = new byte[symmetricSignatureSize];
            nioBuffer.limit(nioBuffer.position() + symmetricSignatureSize);
            nioBuffer.get(bArr);
            if (!MessageDigest.isEqual(hmac, bArr)) {
                throw new UaException(StatusCodes.Bad_SecurityChecksFailed, "could not verify signature");
            }
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        protected boolean isAsymmetric() {
            return false;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public boolean isEncryptionEnabled(SecureChannel secureChannel) {
            return secureChannel.isSymmetricEncryptionEnabled();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.AbstractDecoder
        public boolean isSigningEnabled(SecureChannel secureChannel) {
            return secureChannel.isSymmetricSigningEnabled();
        }

        private Cipher initCipher(SecureChannel secureChannel) throws UaException {
            try {
                String transformation = secureChannel.getSecurityPolicy().getSymmetricEncryptionAlgorithm().getTransformation();
                ChannelSecurity.SecretKeys decryptionKeys = secureChannel.getDecryptionKeys(this.securityKeys);
                SecretKeySpec secretKeySpec = new SecretKeySpec(decryptionKeys.getEncryptionKey(), "AES");
                IvParameterSpec ivParameterSpec = new IvParameterSpec(decryptionKeys.getInitializationVector());
                Cipher cipher = Cipher.getInstance(transformation);
                cipher.init(2, secretKeySpec, ivParameterSpec);
                return cipher;
            } catch (GeneralSecurityException e) {
                throw new UaException(StatusCodes.Bad_InternalError, e);
            }
        }

        static {
            $assertionsDisabled = !ChunkDecoder.class.desiredAssertionStatus();
        }
    }

    public ChunkDecoder(ChannelParameters channelParameters, EncodingLimits encodingLimits) {
        this.parameters = channelParameters;
        this.encodingLimits = encodingLimits;
    }

    public DecodedMessage decodeAsymmetric(SecureChannel secureChannel, List<ByteBuf> list) throws MessageAbortException, MessageDecodeException {
        return decode(this.asymmetricDecoder, secureChannel, list);
    }

    public DecodedMessage decodeSymmetric(SecureChannel secureChannel, List<ByteBuf> list) throws MessageAbortException, MessageDecodeException {
        try {
            validateSymmetricSecurityHeaders(secureChannel, list);
            return decode(this.symmetricDecoder, secureChannel, list);
        } catch (UaException e) {
            list.forEach((v0) -> {
                ReferenceCountUtil.safeRelease(v0);
            });
            throw new MessageDecodeException(e);
        }
    }

    private static DecodedMessage decode(AbstractDecoder abstractDecoder, SecureChannel secureChannel, List<ByteBuf> list) throws MessageAbortException, MessageDecodeException {
        CompositeByteBuf compositeBuffer = BufferUtil.compositeBuffer();
        try {
            return abstractDecoder.decode(secureChannel, compositeBuffer, list);
        } catch (UaException e) {
            ReferenceCountUtil.safeRelease(compositeBuffer);
            list.forEach((v0) -> {
                ReferenceCountUtil.safeRelease(v0);
            });
            throw new MessageDecodeException(e);
        } catch (MessageAbortException e2) {
            ReferenceCountUtil.safeRelease(compositeBuffer);
            list.forEach((v0) -> {
                ReferenceCountUtil.safeRelease(v0);
            });
            throw e2;
        }
    }

    private static void validateSymmetricSecurityHeaders(SecureChannel secureChannel, List<ByteBuf> list) throws UaException {
        ChannelSecurity channelSecurity = secureChannel.getChannelSecurity();
        long longValue = channelSecurity.getCurrentToken().getTokenId().longValue();
        long longValue2 = ((Long) channelSecurity.getPreviousToken().map(channelSecurityToken -> {
            return Long.valueOf(channelSecurityToken.getTokenId().longValue());
        }).orElse(-1L)).longValue();
        Iterator<ByteBuf> it = list.iterator();
        while (it.hasNext()) {
            long unsignedIntLE = it.next().getUnsignedIntLE(12);
            if (unsignedIntLE != longValue && unsignedIntLE != longValue2) {
                throw new UaException(StatusCodes.Bad_SecureChannelTokenUnknown, String.format("received unknown secure channel token: tokenId=%s currentTokenId=%s previousTokenId=%s", Long.valueOf(unsignedIntLE), Long.valueOf(longValue), Long.valueOf(longValue2)));
            }
        }
    }

    /*  JADX ERROR: Failed to decode insn: 0x0002: MOVE_MULTI, method: org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.access$202(org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder, long):long
        java.lang.ArrayIndexOutOfBoundsException: arraycopy: source index -1 out of bounds for object array[6]
        	at java.base/java.lang.System.arraycopy(Native Method)
        	at jadx.plugins.input.java.data.code.StackState.insert(StackState.java:49)
        	at jadx.plugins.input.java.data.code.CodeDecodeState.insert(CodeDecodeState.java:118)
        	at jadx.plugins.input.java.data.code.JavaInsnsRegister.dup2x1(JavaInsnsRegister.java:313)
        	at jadx.plugins.input.java.data.code.JavaInsnData.decode(JavaInsnData.java:46)
        	at jadx.core.dex.instructions.InsnDecoder.lambda$process$0(InsnDecoder.java:54)
        	at jadx.plugins.input.java.data.code.JavaCodeReader.visitInstructions(JavaCodeReader.java:81)
        	at jadx.core.dex.instructions.InsnDecoder.process(InsnDecoder.java:50)
        	at jadx.core.dex.nodes.MethodNode.load(MethodNode.java:156)
        	at jadx.core.dex.nodes.ClassNode.load(ClassNode.java:443)
        	at jadx.core.ProcessClass.process(ProcessClass.java:70)
        	at jadx.core.ProcessClass.generateCode(ProcessClass.java:118)
        	at jadx.core.dex.nodes.ClassNode.generateClassCode(ClassNode.java:400)
        	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:388)
        	at jadx.core.dex.nodes.ClassNode.getCode(ClassNode.java:338)
        */
    static /* synthetic */ long access$202(org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder r6, long r7) {
        /*
            r0 = r6
            r1 = r7
            // decode failed: arraycopy: source index -1 out of bounds for object array[6]
            r0.lastSequenceNumber = r1
            return r-1
        */
        throw new UnsupportedOperationException("Method not decompiled: org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder.access$202(org.eclipse.milo.opcua.stack.core.channel.ChunkDecoder, long):long");
    }

    static /* synthetic */ ChannelParameters access$300(ChunkDecoder chunkDecoder) {
        return chunkDecoder.parameters;
    }
}
