package com.ibm.ws.sip.container.protocol;

import com.ibm.sip.util.log.Log;
import com.ibm.sip.util.log.LogMgr;
import com.ibm.sip.util.seqlog.LogEvent;
import com.ibm.websphere.crypto.KeyException;
import com.ibm.websphere.crypto.KeySetHelper;
import com.ibm.ws.sip.container.SipContainer;
import com.ibm.ws.sip.container.properties.PropertiesStore;
import com.ibm.ws.sip.hamanagment.util.SipClusterUtil;
import com.ibm.ws.sip.parser.Separators;
import com.ibm.ws.sip.properties.CoreProperties;
import com.ibm.ws.sip.stack.util.SipStackUtil;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;

/* loaded from: input_file:com/ibm/ws/sip/container/protocol/FlowTokenSecurity.class */
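/**
 * Process-wide holder of the HMAC keys used to protect SIP flow tokens.
 *
 * <p>The keys come either from a named key set (the {@code CoreProperties.SIP_KEY_SET}
 * property, resolved through {@link KeySetHelper}) or, when no key set is configured and
 * the server is standalone, from a single key generated at start-up. A secret set is an
 * ordered list in which index 0 is the key used to sign new tokens; the remaining entries
 * are only used to verify tokens.
 *
 * <p>Thread-safety: the secret set is published through a {@code volatile} field and is
 * replaced as a whole, never mutated in place by this class. Each {@link Mac} is shared
 * between threads and is therefore only used inside {@code synchronized (mac)}.
 */
class FlowTokenSecurity {
    /** True when not running in WAS, or running in WAS but outside a cluster. */
    private final boolean m_standalone;
    /** Configured key set name, or null when the property is absent or blank. */
    private final String m_keySetName;
    /** Current secrets, newest first; null when flow token security could not be set up. */
    private volatile ArrayList<Secret> m_secretSet;
    private static final String HMACSHA1 = "HmacSHA1";
    /** Minimum interval, in milliseconds, between two checks of the key set for a new key. */
    private static final int KEY_CACHE_TIME = 10000;
    /** Time of the last key set check, used to rate-limit {@link #refreshKeySetIfNeeded()}. */
    private final AtomicLong m_lastKeyRefresh;
    // s_logger must stay declared before s_instance: the constructor logs through it.
    private static final LogMgr s_logger = Log.get(FlowTokenSecurity.class);
    private static final FlowTokenSecurity s_instance = new FlowTokenSecurity();
    /** Per-thread scratch buffer that receives the computed MAC in {@link #calculateMac}. */
    private static final ThreadLocal<byte[]> s_workByteArray = new ThreadLocal<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/ibm/ws/sip/container/protocol/FlowTokenSecurity$Secret.class */
    /**
     * One key together with a {@link Mac} already initialised with it.
     * The {@code m_mac} instance is shared, so callers must synchronise on it.
     */
    public static class Secret {
        Key m_key;
        Mac m_mac;
        /** Alias of the key inside its key set; null for the locally generated key. */
        String m_alias;

        Secret(Key key, Mac mac, String str) {
            this.m_key = key;
            this.m_mac = mac;
            this.m_alias = str;
        }

        /**
         * Describes the secret for trace output. Only the alias, key format, MAC algorithm
         * and MAC length are printed; the key bytes are never included.
         */
        @Override
        public String toString() {
            // LogEvent.NORMAL is defined outside this file; it is passed unchanged to the
            // StringBuilder constructor.
            StringBuilder sb = new StringBuilder(LogEvent.NORMAL);
            sb.append("alias [").append(this.m_alias);
            sb.append("] format [").append(this.m_key.getFormat());
            sb.append("] algorithm [").append(this.m_mac.getAlgorithm());
            sb.append("] size [").append(this.m_mac.getMacLength()).append(']');
            return sb.toString();
        }
    }

    /** Returns the singleton created when this class is initialised. */
    public static FlowTokenSecurity instance() {
        return s_instance;
    }

    /**
     * Reads the key set name from the container properties (a blank value counts as
     * "not configured"), builds the initial secret set and logs the outcome.
     */
    private FlowTokenSecurity() {
        this.m_standalone = !SipContainer.isRunningInWAS() || !SipClusterUtil.isServerInCluster();
        String keySetName = PropertiesStore.getInstance().getProperties().getString(CoreProperties.SIP_KEY_SET);
        if (keySetName != null && keySetName.trim().length() == 0) {
            keySetName = null;
        }
        ArrayList<Secret> secrets = initializeSecretSet(keySetName);
        this.m_keySetName = keySetName;
        this.m_secretSet = secrets;
        this.m_lastKeyRefresh = new AtomicLong(SipStackUtil.currentTimeMillis());
        logSecretKeyInitResult();
    }

    /**
     * Builds the initial secret set.
     *
     * @param str key set name, or null when none is configured
     * @return the secrets; null when the key set could not be read, when key or MAC
     *         creation failed, or when no key set is configured on a clustered server
     */
    private final ArrayList<Secret> initializeSecretSet(String str) {
        if (str != null) {
            return obtainSecretSet(str);
        }
        if (!this.m_standalone) {
            // A key generated locally would not be known to the other cluster members, so
            // no key is generated here; a warning is logged instead.
            if (s_logger.isWarnEnabled()) {
                s_logger.warn("warn.sip.outbound.no.key.set", null);
            }
            return null;
        }
        Key generated = generateKey();
        if (generated == null) {
            return null;
        }
        Mac mac = initializeMac(generated);
        if (mac == null) {
            return null;
        }
        ArrayList<Secret> secrets = new ArrayList<>(1);
        secrets.add(new Secret(generated, mac, null));
        return secrets;
    }

    /**
     * Loads every key of the named key set and wraps each one in a {@link Secret}.
     * The key reported as latest by the key set is placed at index 0. Entries whose value
     * is not a supported key type are skipped.
     *
     * @param str key set name
     * @return the secrets, or null when the latest key or the key set cannot be obtained,
     *         or when a MAC cannot be initialised for one of the keys
     */
    private ArrayList<Secret> obtainSecretSet(String str) {
        if (s_logger.isTraceDebugEnabled()) {
            s_logger.traceDebug(this, "obtainSecretSet", "key set [" + str + ']');
        }
        Key latestKey = obtainLatestKey(str);
        if (latestKey == null) {
            return null;
        }
        try {
            Map allKeysForKeySet = KeySetHelper.getInstance().getAllKeysForKeySet(str);
            if (allKeysForKeySet == null) {
                if (s_logger.isTraceFailureEnabled()) {
                    s_logger.traceFailure(this, "obtainSecretSet", "no such key set [" + str + ']');
                }
                return null;
            }
            int size = allKeysForKeySet.size();
            if (s_logger.isTraceDebugEnabled()) {
                s_logger.traceDebug(this, "obtainSecretSet", "there are [" + size + "] keys in [" + str + ']');
            }
            ArrayList<Secret> secrets = new ArrayList<>(size);
            for (Map.Entry entry : allKeysForKeySet.entrySet()) {
                String alias = (String) entry.getKey();
                Object value = entry.getValue();
                if (s_logger.isTraceDebugEnabled()) {
                    s_logger.traceDebug(this, "obtainSecretSet", "processing key [" + alias + ']');
                }
                Key key = castKey(value);
                if (key == null) {
                    if (s_logger.isTraceFailureEnabled()) {
                        s_logger.traceFailure(this, "obtainSecretSet", "invalid key [" + alias + ']');
                    }
                    continue;
                }
                Mac mac = initializeMac(key);
                if (mac == null) {
                    // One unusable key invalidates the whole set.
                    return null;
                }
                Secret secret = new Secret(key, mac, alias);
                if (key.equals(latestKey)) {
                    // The signing key always lives at index 0.
                    secrets.add(0, secret);
                } else {
                    secrets.add(secret);
                }
            }
            // NOTE(review): if the latest key is not among the entries, or every entry was
            // skipped, index 0 is not the latest key and the list may even be empty.
            if (s_logger.isTraceDebugEnabled()) {
                s_logger.traceDebug(this, "obtainSecretSet", "obtained secret set of [" + secrets.size() + "] keys");
            }
            return secrets;
        } catch (KeyException e) {
            if (s_logger.isTraceFailureEnabled()) {
                s_logger.traceFailure(this, "obtainSecretSet", "", e);
            }
            return null;
        }
    }

    /**
     * Asks the key set for its latest key.
     *
     * @param str key set name
     * @return the key, or null when the lookup fails or yields an unsupported object
     */
    private final Key obtainLatestKey(String str) {
        if (s_logger.isTraceDebugEnabled()) {
            s_logger.traceDebug(this, "obtainLatestKey", "key set [" + str + ']');
        }
        try {
            return castKey(KeySetHelper.getInstance().getLatestKeyForKeySet(str));
        } catch (KeyException e) {
            if (s_logger.isTraceFailureEnabled()) {
                s_logger.traceFailure(this, "obtainLatestKey", "", e);
            }
            return null;
        }
    }

    /**
     * Converts an object returned by the key set into a {@link Key}. For either kind of
     * key pair the private key is used.
     *
     * @param obj value returned by {@link KeySetHelper}; may be null
     * @return the key, or null when {@code obj} is null or of an unsupported type
     */
    private final Key castKey(Object obj) {
        if (obj == null) {
            if (s_logger.isTraceFailureEnabled()) {
                s_logger.traceFailure(this, "castKey", "no key");
            }
            return null;
        }
        if (obj instanceof Key) {
            return (Key) obj;
        }
        // NOTE(review): whether the provider's HmacSHA1 accepts a private key of a key pair
        // is not visible here; initializeMac() returns null if it does not.
        if (obj instanceof KeyPair) {
            return ((KeyPair) obj).getPrivate();
        }
        if (obj instanceof com.ibm.websphere.crypto.KeyPair) {
            return ((com.ibm.websphere.crypto.KeyPair) obj).getPrivateKey();
        }
        if (s_logger.isTraceFailureEnabled()) {
            s_logger.traceFailure(this, "castKey", "unsupported key type [" + obj.getClass().getName() + ']');
        }
        return null;
    }

    /**
     * Generates a fresh 160-bit HmacSHA1 key for standalone servers.
     *
     * @return the key, or null when the algorithm is not available
     */
    private final Key generateKey() {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(HMACSHA1);
            keyGenerator.init(160);
            return keyGenerator.generateKey();
        } catch (NoSuchAlgorithmException e) {
            if (s_logger.isErrorEnabled()) {
                s_logger.error("error.exception", (String) null, (Object[]) null, (Throwable) e);
            }
            return null;
        }
    }

    /**
     * Creates an HmacSHA1 {@link Mac} initialised with the given key.
     *
     * @param key the key to initialise the MAC with
     * @return the MAC, or null when the algorithm is missing or the key is rejected
     */
    private final Mac initializeMac(Key key) {
        try {
            Mac mac = Mac.getInstance(HMACSHA1);
            mac.init(key);
            return mac;
        } catch (GeneralSecurityException e) {
            if (s_logger.isErrorEnabled()) {
                s_logger.error("error.exception", (String) null, (Object[]) null, (Throwable) e);
            }
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the secret to sign new flow tokens with, refreshing the key set first when
     * the refresh interval has elapsed.
     *
     * @return the secret at index 0, or null when no secret is available
     */
    public Secret getLatestSecret() {
        refreshKeySetIfNeeded();
        ArrayList<Secret> secrets = this.m_secretSet;
        // An empty list is possible when every key of the key set was rejected.
        if (secrets == null || secrets.isEmpty()) {
            return null;
        }
        return secrets.get(0);
    }

    /**
     * Reloads the secret set when the key set reports a different latest key. The check is
     * made at most once per {@link #KEY_CACHE_TIME} milliseconds, and the compare-and-set
     * on the timestamp lets only one of several concurrent callers perform it.
     *
     * @return true when the secret set was reloaded
     */
    private boolean refreshKeySetIfNeeded() {
        ArrayList<Secret> current = this.m_secretSet;
        if (current == null || this.m_keySetName == null) {
            return false;
        }
        long now = SipStackUtil.currentTimeMillis();
        long last = this.m_lastKeyRefresh.get();
        if (now - last < KEY_CACHE_TIME || !this.m_lastKeyRefresh.compareAndSet(last, now)) {
            return false;
        }
        if (s_logger.isTraceDebugEnabled()) {
            s_logger.traceDebug(this, "refreshKeySetIfNeeded", "checking if refresh is needed");
        }
        Key latestKey = obtainLatestKey(this.m_keySetName);
        // An empty current set has no signing key to compare, so it always reloads.
        if (!current.isEmpty() && current.get(0).m_key.equals(latestKey)) {
            if (s_logger.isTraceDebugEnabled()) {
                s_logger.traceDebug(this, "refreshKeySetIfNeeded", "refresh not needed");
            }
            return false;
        }
        if (s_logger.isInfoEnabled()) {
            s_logger.info("info.sip.outbound.key.set.updated", null);
        }
        // NOTE(review): a failed lookup (latestKey == null) also reaches this point, and
        // obtainSecretSet() then returns null. Because a null set disables further
        // refreshes, one failed lookup leaves this instance without secrets until restart.
        // Confirm that this fail-closed behaviour is intended.
        this.m_secretSet = obtainSecretSet(this.m_keySetName);
        return true;
    }

    /** Logs the outcome of the initial secret set creation; called once by the constructor. */
    private final void logSecretKeyInitResult() {
        ArrayList<Secret> secrets = this.m_secretSet;
        if (secrets == null) {
            if (this.m_keySetName == null) {
                if (s_logger.isWarnEnabled()) {
                    s_logger.warn("warn.sip.outbound.no.key.set", null);
                }
            } else if (s_logger.isErrorEnabled()) {
                s_logger.error("error.sip.outbound.failure", (String) null, this.m_keySetName);
            }
            return;
        }
        if (s_logger.isInfoEnabled()) {
            s_logger.info("info.sip.outbound.initialized", null);
        }
        if (s_logger.isTraceDebugEnabled()) {
            StringBuilder sb = new StringBuilder(1024);
            int size = secrets.size();
            sb.append("Flow token security initialized with [" + size + "] key(s):\r\n");
            for (int idx = 0; idx < size; idx++) {
                sb.append(idx).append(": ").append(secrets.get(idx).toString()).append(Separators.NEWLINE);
            }
            s_logger.traceDebug(this, "logSecretKeyInitResult", sb.toString());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Verifies the MAC carried in a flow token against each secret in turn.
     *
     * <p>The MAC is recomputed over {@code bArr[i .. i + i2)} and compared with the
     * {@code i3} bytes stored at {@code bArr[i2 .. i2 + i3)}. Every one of the {@code i3}
     * bytes takes part in the comparison, and the comparison does not stop at the first
     * difference, so neither a partial match nor the time taken reveals how much of a
     * presented MAC was correct.
     *
     * @param arrayList secrets to try, in order; null is treated as "no secrets"
     * @param bArr buffer holding the MAC'd data followed by the received MAC
     * @param i offset of the MAC'd data
     * @param i2 length of the MAC'd data, also used as the index of the received MAC
     * @param i3 number of MAC bytes stored in the token
     * @return true when one secret reproduces the received MAC; false otherwise, including
     *         when {@code i3} is not positive or the MAC range lies outside {@code bArr}
     */
    public boolean authenticateMac(ArrayList<Secret> arrayList, byte[] bArr, int i, int i2, int i3) {
        // Fail closed: a missing secret set, a zero-length MAC or a MAC range that does not
        // fit in the buffer can never authenticate a token.
        if (arrayList == null || bArr == null || i3 <= 0 || i2 < 0 || i3 > bArr.length - i2) {
            return false;
        }
        // NOTE(review): the received MAC is read at index i2, which is the end of the
        // MAC'd region only when i == 0 - confirm against the callers.
        int size = arrayList.size();
        for (int idx = 0; idx < size; idx++) {
            Secret secret = arrayList.get(idx);
            if (s_logger.isTraceDebugEnabled()) {
                s_logger.traceDebug(this, "authenticateMac", "authenticating MAC by: " + secret);
            }
            byte[] expected = calculateMac(bArr, i, i2, secret.m_mac, i3);
            // Accumulate the differences instead of returning at the first mismatch, so
            // all i3 bytes are checked and the loop length does not depend on the data.
            int diff = 0;
            for (int k = 0; k < i3; k++) {
                diff |= bArr[i2 + k] ^ expected[k];
            }
            if (diff == 0) {
                if (s_logger.isTraceDebugEnabled()) {
                    s_logger.traceDebug(this, "authenticateMac", "match: " + secret);
                }
                return true;
            }
            if (s_logger.isTraceDebugEnabled()) {
                s_logger.traceDebug(this, "authenticateMac", "no match: " + secret);
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Computes the MAC of {@code bArr[i .. i + i2)} into the calling thread's scratch buffer.
     *
     * <p>The returned array is the thread-local work buffer: it is overwritten by the next
     * call on the same thread and may be longer than the MAC, so callers must read only
     * the bytes they asked for and must not keep a reference to it.
     *
     * @param bArr data buffer
     * @param i offset of the data to authenticate
     * @param i2 length of the data to authenticate
     * @param mac initialised MAC; shared between threads, hence the synchronisation
     * @param i3 number of MAC bytes the caller will read; positions between the MAC length
     *        and {@code i3} are zero-filled
     * @return the scratch buffer, at least {@code max(MAC length, i3)} bytes long
     * @throws RuntimeException wrapping a {@link ShortBufferException} if the buffer is too
     *         small for the MAC
     */
    public byte[] calculateMac(byte[] bArr, int i, int i2, Mac mac, int i3) {
        int macLength = mac.getMacLength();
        // Size the buffer for the zero padding as well, so that a requested length larger
        // than the MAC cannot write past the end of the array.
        int needed = Math.max(macLength, i3);
        byte[] work = s_workByteArray.get();
        if (work == null || work.length < needed) {
            work = new byte[needed];
            s_workByteArray.set(work);
        }
        synchronized (mac) {
            mac.update(bArr, i, i2);
            try {
                mac.doFinal(work, 0);
            } catch (ShortBufferException e) {
                if (s_logger.isTraceFailureEnabled()) {
                    s_logger.traceFailure(this, "calculateMac", "failed writing MAC of [" + macLength + "] to byte array of size [" + work.length + ']', e);
                }
                throw new RuntimeException(e);
            }
        }
        // Clear what an earlier, longer result may have left behind the MAC.
        for (int k = macLength; k < i3; k++) {
            work[k] = 0;
        }
        return work;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the current secret set without triggering a refresh.
     *
     * @return the live list, newest key first, or null when no secrets are available;
     *         callers are expected not to modify it
     */
    public ArrayList<Secret> getSecretSet() {
        return this.m_secretSet;
    }
}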
