package com.microsoft.sqlserver.jdbc;

import com.microsoft.azure.AzureResponseBuilder;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.KeyBundle;
import com.microsoft.azure.keyvault.webkey.JsonWebKeyEncryptionAlgorithm;
import com.microsoft.azure.keyvault.webkey.JsonWebKeySignatureAlgorithm;
import com.microsoft.azure.serializer.AzureJacksonAdapter;
import com.microsoft.rest.RestClient;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.concurrent.ExecutorService;
import java.util.logging.Logger;
import okhttp3.OkHttpClient;
import retrofit2.Retrofit;

/* loaded from: classes3.dex */
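/**
 * Column-encryption key store provider that delegates wrap, unwrap, sign and verify operations to
 * Azure Key Vault (AKV) through {@link KeyVaultClient}.
 *
 * <p>This listing is decompiler output: parameter names such as {@code str} and {@code bArr} are
 * synthetic and are kept so the visible signatures stay unchanged.
 *
 * <p>Security-relevant behaviour in this class:
 * <ul>
 *   <li>Every key path is checked against a list of trusted Key Vault host suffixes before any
 *       request that carries credentials is sent to it.</li>
 *   <li>The encrypted column encryption key (CEK) blob is
 *       {@code version(1) | keyPathLength(2, LE) | cipherTextLength(2, LE) | keyPath | cipherText | signature};
 *       the signature covers the SHA-256 digest of everything that precedes it and is verified
 *       before the ciphertext is unwrapped.</li>
 * </ul>
 */
public class SQLServerColumnEncryptionAzureKeyVaultProvider extends SQLServerColumnEncryptionKeyStoreProvider {
    // Decompiler artifact (compiler-generated assertion flag); retained unchanged.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    private static final String AKV_TRUSTED_ENDPOINTS_KEYWORD = "AKVTrustedEndpoints";
    private static final String MSSQL_JDBC_PROPERTIES = "mssql-jdbc.properties";
    private static final Logger akvLogger = Logger.getLogger("com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider");
    // Built once at class initialisation; must stay declared after akvLogger, which the loader uses.
    private static final List<String> akvTrustedEndpoints = getTrustedEndpoints();
    private final String baseUrl = "https://{vaultBaseUrl}";
    private KeyVaultCredential credentials;
    // Version byte written as the first byte of every encrypted CEK blob.
    private final byte[] firstVersion = {1};
    private KeyVaultClient keyVaultClient;
    String name = "AZURE_KEY_VAULT";
    private final String rsaEncryptionAlgorithmWithOAEPForAKV = "RSA-OAEP";

    /**
     * Creates a provider whose {@link KeyVaultCredential} is built with no arguments.
     *
     * @throws SQLServerException declared by the original signature
     */
    public SQLServerColumnEncryptionAzureKeyVaultProvider() throws SQLServerException {
        this.credentials = new KeyVaultCredential();
        this.keyVaultClient = new KeyVaultClient(this.credentials);
    }

    /**
     * Creates a provider that authenticates through the supplied callback.
     *
     * @param sQLServerKeyVaultAuthenticationCallback callback handed to {@link KeyVaultCredential}; must not be null
     * @throws SQLServerException if the callback is null
     */
    public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback sQLServerKeyVaultAuthenticationCallback) throws SQLServerException {
        if (sQLServerKeyVaultAuthenticationCallback == null) {
            throw new SQLServerException(new MessageFormat(SQLServerException.getErrString("R_NullValue")).format(new Object[]{"SQLServerKeyVaultAuthenticationCallback"}), null);
        }
        this.credentials = new KeyVaultCredential(sQLServerKeyVaultAuthenticationCallback);
        RestClient restClient = new RestClient.Builder(new OkHttpClient.Builder(), new Retrofit.Builder())
                .withBaseUrl(this.baseUrl)
                .withCredentials(this.credentials)
                .withSerializerAdapter(new AzureJacksonAdapter())
                .withResponseBuilderFactory(new AzureResponseBuilder.Factory())
                .build();
        this.keyVaultClient = new KeyVaultClient(restClient);
    }

    /**
     * Deprecated overload; the executor service argument is ignored.
     *
     * @param sQLServerKeyVaultAuthenticationCallback callback handed to {@link KeyVaultCredential}; must not be null
     * @param executorService unused
     * @throws SQLServerException if the callback is null
     */
    @Deprecated
    public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback sQLServerKeyVaultAuthenticationCallback, ExecutorService executorService) throws SQLServerException {
        this(sQLServerKeyVaultAuthenticationCallback);
    }

    /**
     * Creates a provider whose {@link KeyVaultCredential} is built from a single string.
     *
     * @param str value passed unchanged to {@code KeyVaultCredential(String)}
     * @throws SQLServerException declared by the original signature
     */
    public SQLServerColumnEncryptionAzureKeyVaultProvider(String str) throws SQLServerException {
        this.credentials = new KeyVaultCredential(str);
        this.keyVaultClient = new KeyVaultClient(this.credentials);
    }

    /**
     * Creates a provider whose {@link KeyVaultCredential} is built from two strings.
     *
     * @param str first value passed unchanged to {@code KeyVaultCredential(String, String)}
     * @param str2 second value passed unchanged to {@code KeyVaultCredential(String, String)}
     * @throws SQLServerException declared by the original signature
     */
    public SQLServerColumnEncryptionAzureKeyVaultProvider(String str, String str2) throws SQLServerException {
        this.credentials = new KeyVaultCredential(str, str2);
        this.keyVaultClient = new KeyVaultClient(this.credentials);
    }

    /** Asks Key Vault to sign an already-hashed value with RS256 using the key at {@code keyPath}. */
    private byte[] AzureKeyVaultSignHashedData(byte[] hash, String keyPath) throws SQLServerException {
        return this.keyVaultClient.sign(keyPath, JsonWebKeySignatureAlgorithm.RS256, hash).result();
    }

    /**
     * Asks Key Vault to unwrap {@code wrappedKey} with the key at {@code keyPath}.
     *
     * @throws SQLServerException if {@code wrappedKey} is null or empty
     */
    private byte[] AzureKeyVaultUnWrap(String keyPath, String algorithm, byte[] wrappedKey) throws SQLServerException {
        if (wrappedKey == null) {
            throw new SQLServerException(SQLServerException.getErrString("R_EncryptedCEKNull"), null);
        }
        if (wrappedKey.length == 0) {
            throw new SQLServerException(SQLServerException.getErrString("R_EmptyEncryptedCEK"), null);
        }
        return this.keyVaultClient.unwrapKey(keyPath, new JsonWebKeyEncryptionAlgorithm(algorithm), wrappedKey).result();
    }

    /** Asks Key Vault to verify an RS256 signature over an already-hashed value. */
    private boolean AzureKeyVaultVerifySignature(byte[] hash, byte[] signature, String keyPath) throws SQLServerException {
        return this.keyVaultClient.verify(keyPath, JsonWebKeySignatureAlgorithm.RS256, hash, signature).value().booleanValue();
    }

    /**
     * Asks Key Vault to wrap {@code plainKey} with the key at {@code keyPath}.
     *
     * @throws SQLServerException if {@code plainKey} is null
     */
    private byte[] AzureKeyVaultWrap(String keyPath, String algorithm, byte[] plainKey) throws SQLServerException {
        if (plainKey == null) {
            throw new SQLServerException(SQLServerException.getErrString("R_CEKNull"), null);
        }
        return this.keyVaultClient.wrapKey(keyPath, new JsonWebKeyEncryptionAlgorithm(algorithm), plainKey).result();
    }

    /**
     * Rejects a key path that is blank, is not a valid URI, or whose host is not covered by the
     * trusted endpoint list.
     *
     * <p>This is the gate that keeps credentialed Key Vault requests from being sent to a host
     * outside the trusted list, so it must run before any client call that uses the path.
     * NOTE(review): only the host is checked; the URI scheme is not. Confirm that the Key Vault
     * client refuses non-HTTPS key identifiers.
     *
     * @param keyPath key identifier URL
     * @throws SQLServerException if the path is blank, malformed or untrusted
     */
    private void ValidateNonEmptyAKVPath(String keyPath) throws SQLServerException {
        if (keyPath == null || keyPath.trim().isEmpty()) {
            throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_AKVPathNull")).format(new Object[]{keyPath}), (String) null, 0, false);
        }
        final String host;
        try {
            host = new URI(keyPath).getHost();
        } catch (URISyntaxException e) {
            throw new SQLServerException(new MessageFormat(SQLServerException.getErrString("R_AKVURLInvalid")).format(new Object[]{keyPath}), (String) null, 0, e);
        }
        if (host != null && isTrustedHost(host.toLowerCase(Locale.ENGLISH))) {
            return;
        }
        throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_AKVMasterKeyPathInvalid")).format(new Object[]{keyPath}), (String) null, 0, false);
    }

    /**
     * Tells whether a lower-cased host name is the trusted endpoint itself or a sub-domain of it.
     *
     * <p>A plain {@code endsWith} on the endpoint text would also accept a host whose final label
     * merely ends with the same characters, so an entry without a leading dot is matched only on
     * a DNS label boundary. Entries that already start with a dot are matched as plain suffixes.
     */
    private static boolean isTrustedHost(String lowerCaseHost) {
        for (String endpoint : akvTrustedEndpoints) {
            if (endpoint.startsWith(".")) {
                if (lowerCaseHost.endsWith(endpoint)) {
                    return true;
                }
            } else if (lowerCaseHost.equals(endpoint) || lowerCaseHost.endsWith("." + endpoint)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads two bytes starting at {@code offset} as a little-endian 16-bit value.
     *
     * @throws SQLServerException if fewer than two bytes are available at {@code offset}
     */
    private short convertTwoBytesToShort(byte[] bytes, int offset) throws SQLServerException {
        int next = offset + 1;
        if (offset < 0 || next >= bytes.length) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_ByteToShortConversion"), (String) null, 0, false);
        }
        return (short) ((bytes[offset] & 0xFF) | ((bytes[next] & 0xFF) << 8));
    }

    /**
     * Fetches the key at {@code keyPath} and returns the length in bytes of its RSA modulus.
     *
     * @throws SQLServerException if the key is not found or its type is neither RSA nor RSA-HSM
     */
    private int getAKVKeySize(String keyPath) throws SQLServerException {
        KeyBundle bundle = this.keyVaultClient.getKey(keyPath);
        if (bundle == null) {
            String[] segments = keyPath.split("/");
            throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_AKVKeyNotFound")).format(new Object[]{segments[segments.length - 1]}), (String) null, 0, false);
        }
        String keyType = bundle.key().kty().toString();
        if ("RSA".equalsIgnoreCase(keyType) || "RSA-HSM".equalsIgnoreCase(keyType)) {
            return bundle.key().n().length;
        }
        throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_NonRSAKey")).format(new Object[]{keyType}), (String) null, 0, false);
    }

    /**
     * Loads {@code mssql-jdbc.properties}, reconstructed from the instruction dump the decompiler
     * left in place of this body (the decompiled stub threw unconditionally, which would have
     * failed class initialisation).
     *
     * <p>The file name is relative, so it is resolved against the process working directory.
     * Whoever can place a file there can extend or replace the trusted endpoint list; deployments
     * should treat that directory as security-sensitive.
     *
     * @return the loaded properties, or {@code null} when the file cannot be opened or holds no entries
     */
    private static Properties getMssqlJdbcProperties() {
        Properties props = null;
        try (java.io.FileInputStream in = new java.io.FileInputStream(MSSQL_JDBC_PROPERTIES)) {
            props = new Properties();
            props.load(in);
        } catch (java.io.IOException e) {
            // Best effort, as in the original bytecode: a missing or unreadable file is only logged.
            if (akvLogger.isLoggable(java.util.logging.Level.FINER)) {
                akvLogger.finer("Unable to load the mssql-jdbc.properties file: " + e);
            }
        }
        return (props != null && !props.isEmpty()) ? props : null;
    }

    /**
     * Builds the trusted Key Vault host suffix list.
     *
     * <p>The {@code AKVTrustedEndpoints} property is a semicolon-separated list. When it starts
     * with {@code ;} its entries are added to the built-in defaults; otherwise they replace the
     * defaults. Entries are trimmed and lower-cased, because hosts are lower-cased before they
     * are compared.
     *
     * @return an unmodifiable list of lower-case host suffixes
     */
    private static List<String> getTrustedEndpoints() {
        Properties props = getMssqlJdbcProperties();
        List<String> endpoints = new ArrayList<>();
        boolean includeDefaults = true;
        String configured = props == null ? null : props.getProperty(AKV_TRUSTED_ENDPOINTS_KEYWORD);
        if (configured != null && !configured.trim().isEmpty()) {
            String value = configured.trim();
            if (value.charAt(0) == ';') {
                value = value.substring(1);
            } else {
                includeDefaults = false;
            }
            for (String entry : value.split(";")) {
                String trimmed = entry.trim();
                if (!trimmed.isEmpty()) {
                    endpoints.add(trimmed.toLowerCase(Locale.ENGLISH));
                }
            }
        }
        if (includeDefaults) {
            endpoints.add("vault.azure.net");
            endpoints.add("vault.azure.cn");
            endpoints.add("vault.usgovcloudapi.net");
            endpoints.add("vault.microsoftazure.de");
        }
        // The trust list is fixed after class initialisation; prevent accidental later mutation.
        return java.util.Collections.unmodifiableList(endpoints);
    }

    /**
     * Accepts only RSA-OAEP (also spelled {@code RSA_OAEP}), ignoring case and surrounding
     * whitespace, and returns the canonical {@code "RSA-OAEP"} name so the value sent to Key
     * Vault never carries the caller's casing or padding.
     *
     * @throws SQLServerException if the algorithm is null or not RSA-OAEP
     */
    private String validateEncryptionAlgorithm(String algorithm) throws SQLServerException {
        if (algorithm == null) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_NullKeyEncryptionAlgorithm"), (String) null, 0, false);
        }
        String candidate = algorithm.trim();
        if ("RSA_OAEP".equalsIgnoreCase(candidate) || this.rsaEncryptionAlgorithmWithOAEPForAKV.equalsIgnoreCase(candidate)) {
            return this.rsaEncryptionAlgorithmWithOAEPForAKV;
        }
        throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_InvalidKeyEncryptionAlgorithm")).format(new Object[]{algorithm, "RSA-OAEP"}), (String) null, 0, false);
    }

    /** Returns a SHA-256 digest instance, mapping its absence to the driver's exception type. */
    private static MessageDigest newSha256() throws SQLServerException {
        try {
            return MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new SQLServerException(SQLServerException.getErrString("R_NoSHA256Algorithm"), e);
        }
    }

    /**
     * Verifies and unwraps an encrypted column encryption key.
     *
     * <p>The blob is parsed as {@code version | keyPathLength | cipherTextLength | keyPath |
     * cipherText | signature}. Both length fields are read as unsigned 16-bit values, so a
     * malformed blob is rejected with the length errors below instead of producing a negative
     * offset and an unchecked array exception. The signature over the SHA-256 digest of
     * everything before it is verified with Key Vault before the ciphertext is unwrapped.
     *
     * @param str key path (key identifier URL); must resolve to a trusted endpoint
     * @param str2 key encryption algorithm name; only RSA-OAEP is accepted
     * @param bArr encrypted column encryption key blob
     * @return the unwrapped column encryption key
     * @throws SQLServerException if an argument is invalid, the blob is malformed, or the signature does not verify
     */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public byte[] decryptColumnEncryptionKey(String str, String str2, byte[] bArr) throws SQLServerException {
        ValidateNonEmptyAKVPath(str);
        if (bArr == null) {
            throw new SQLServerException(SQLServerException.getErrString("R_NullEncryptedColumnEncryptionKey"), null);
        }
        if (bArr.length == 0) {
            throw new SQLServerException(SQLServerException.getErrString("R_EmptyEncryptedColumnEncryptionKey"), null);
        }
        String algorithm = validateEncryptionAlgorithm(str2);
        int keySizeInBytes = getAKVKeySize(str);

        if (bArr[0] != this.firstVersion[0]) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_InvalidEcryptionAlgorithmVersion")).format(new Object[]{String.format("%02X ", Byte.valueOf(bArr[0])), String.format("%02X ", Byte.valueOf(this.firstVersion[0]))}), (String) null, 0, false);
        }

        int offset = this.firstVersion.length;
        // Mask to unsigned: the writer stores the low 16 bits of each length.
        int keyPathLength = convertTwoBytesToShort(bArr, offset) & 0xFFFF;
        offset += 2;
        int cipherTextLength = convertTwoBytesToShort(bArr, offset) & 0xFFFF;
        offset += 2;
        int cipherTextOffset = offset + keyPathLength;

        if (cipherTextLength != keySizeInBytes) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_AKVKeyLengthError")).format(new Object[]{Short.valueOf((short) cipherTextLength), Integer.valueOf(keySizeInBytes), str}), (String) null, 0, false);
        }
        int signatureLength = bArr.length - cipherTextOffset - cipherTextLength;
        if (signatureLength != keySizeInBytes) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_AKVSignatureLengthError")).format(new Object[]{Integer.valueOf(signatureLength), Integer.valueOf(keySizeInBytes), str}), (String) null, 0, false);
        }

        // Both checks passed, so header + key path + ciphertext + signature exactly fill bArr.
        byte[] cipherText = new byte[cipherTextLength];
        System.arraycopy(bArr, cipherTextOffset, cipherText, 0, cipherTextLength);
        byte[] signature = new byte[signatureLength];
        System.arraycopy(bArr, cipherTextOffset + cipherTextLength, signature, 0, signatureLength);

        MessageDigest sha256 = newSha256();
        sha256.update(bArr, 0, bArr.length - signatureLength);
        byte[] digest = sha256.digest();

        // Verify before unwrap: the ciphertext is only sent for unwrapping once the blob is authentic.
        if (!AzureKeyVaultVerifySignature(digest, signature, str)) {
            throw new SQLServerException((Object) this, new MessageFormat(SQLServerException.getErrString("R_CEKSignatureNotMatchCMK")).format(new Object[]{str}), (String) null, 0, false);
        }
        return AzureKeyVaultUnWrap(str, algorithm, cipherText);
    }

    /**
     * Wraps a column encryption key with the Key Vault key at {@code str} and returns the signed blob
     * {@code version | keyPathLength | cipherTextLength | keyPath | cipherText | signature}.
     *
     * <p>The key path is lower-cased with {@link Locale#ENGLISH} and encoded as UTF-16LE before it
     * is embedded. NOTE(review): both lengths are stored in 16 bits; a key path longer than 65535
     * encoded bytes would be truncated in the header and is not rejected here.
     *
     * @param str key path (key identifier URL); must resolve to a trusted endpoint
     * @param str2 key encryption algorithm name; only RSA-OAEP is accepted
     * @param bArr plaintext column encryption key
     * @return the encrypted, signed column encryption key blob
     * @throws SQLServerException if an argument is invalid or Key Vault returns data of unexpected length
     */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public byte[] encryptColumnEncryptionKey(String str, String str2, byte[] bArr) throws SQLServerException {
        ValidateNonEmptyAKVPath(str);
        if (bArr == null) {
            throw new SQLServerException(SQLServerException.getErrString("R_NullColumnEncryptionKey"), null);
        }
        if (bArr.length == 0) {
            throw new SQLServerException(SQLServerException.getErrString("R_EmptyCEK"), null);
        }
        String algorithm = validateEncryptionAlgorithm(str2);
        int keySizeInBytes = getAKVKeySize(str);

        byte[] keyPathBytes = str.toLowerCase(Locale.ENGLISH).getBytes(StandardCharsets.UTF_16LE);
        byte[] cipherText = AzureKeyVaultWrap(str, algorithm, bArr);
        if (cipherText.length != keySizeInBytes) {
            throw new SQLServerException(SQLServerException.getErrString("R_CipherTextLengthNotMatchRSASize"), null);
        }

        // Everything the signature covers: header, key path and ciphertext.
        byte[] signedPortion = ByteBuffer.allocate(5 + keyPathBytes.length + cipherText.length)
                .order(ByteOrder.LITTLE_ENDIAN)
                .put(this.firstVersion[0])
                .putShort((short) keyPathBytes.length)
                .putShort((short) cipherText.length)
                .put(keyPathBytes)
                .put(cipherText)
                .array();

        MessageDigest sha256 = newSha256();
        sha256.update(signedPortion);
        byte[] digest = sha256.digest();

        byte[] signature = AzureKeyVaultSignHashedData(digest, str);
        if (signature.length != keySizeInBytes) {
            throw new SQLServerException(SQLServerException.getErrString("R_SignedHashLengthError"), null);
        }
        // Round-trip check: never hand out a blob whose signature would fail on decryption.
        if (!AzureKeyVaultVerifySignature(digest, signature, str)) {
            throw new SQLServerException(SQLServerException.getErrString("R_InvalidSignatureComputed"), null);
        }

        return ByteBuffer.allocate(signedPortion.length + signature.length)
                .put(signedPortion)
                .put(signature)
                .array();
    }

    /** Returns the provider name. */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public String getName() {
        return this.name;
    }

    /** Replaces the provider name; the name is part of the data hashed by {@link #verifyColumnMasterKeyMetadata}. */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public void setName(String str) {
        this.name = str;
    }

    /**
     * Verifies the signature over column master key metadata.
     *
     * <p>The signed data is the SHA-256 digest of the lower-cased provider name, the lower-cased
     * key path and the literal {@code "true"}, each encoded as UTF-16LE. Lower-casing uses
     * {@link Locale#ENGLISH}, as the encrypt path does, so the digest does not depend on the
     * JVM's default locale.
     *
     * <p>The key path is checked against the trusted endpoint list before any Key Vault call, as
     * in the encrypt and decrypt paths, because the sign and verify requests below are sent to
     * the host named in the path.
     *
     * @param str key path (key identifier URL)
     * @param z whether enclave computations are allowed; when false the method returns false immediately
     * @param bArr signature to verify; a null or empty signature is reported as a failed verification
     * @return true only if Key Vault confirms the signature
     * @throws SQLServerException if the path is invalid or untrusted, or a Key Vault operation fails
     */
    @Override // com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
    public boolean verifyColumnMasterKeyMetadata(String str, boolean z, byte[] bArr) throws SQLServerException {
        if (!z) {
            return false;
        }
        KeyStoreProviderCommon.validateNonEmptyMasterKeyPath(str);
        ValidateNonEmptyAKVPath(str);
        if (bArr == null || bArr.length == 0) {
            // Fail closed without contacting the vault: nothing to verify.
            return false;
        }

        MessageDigest sha256 = newSha256();
        sha256.update(this.name.toLowerCase(Locale.ENGLISH).getBytes(StandardCharsets.UTF_16LE));
        sha256.update(str.toLowerCase(Locale.ENGLISH).getBytes(StandardCharsets.UTF_16LE));
        sha256.update("true".getBytes(StandardCharsets.UTF_16LE));
        byte[] digest = sha256.digest();

        // Kept from the original: the signing result is only checked for null, not compared.
        if (AzureKeyVaultSignHashedData(digest, str) == null) {
            throw new SQLServerException(SQLServerException.getErrString("R_SignedHashLengthError"), null);
        }
        return AzureKeyVaultVerifySignature(digest, bArr, str);
    }
}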
