package io.cloudsoft.winrm4j.client.encryption;

import io.cloudsoft.winrm4j.client.PayloadEncryptionMode;
import io.cloudsoft.winrm4j.client.ntlm.NTCredentialsWithEncryption;
import io.cloudsoft.winrm4j.client.ntlm.NtlmKeys;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.function.Function;
import java.util.zip.CRC32;
import javax.crypto.Cipher;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.message.Message;
import org.apache.http.auth.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/cloudsoft/winrm4j/client/encryption/NtlmEncryptionUtils.class */
public class NtlmEncryptionUtils {
    private static final Logger LOG = LoggerFactory.getLogger(NtlmEncryptionUtils.class);
    public static final String ENCRYPTED_BOUNDARY_PREFIX = "--Encrypted Boundary";
    public static final String ENCRYPTED_BOUNDARY_CR = "--Encrypted Boundary\r\n";
    public static final String ENCRYPTED_BOUNDARY_END = "--Encrypted Boundary--\r\n";
    protected final NTCredentialsWithEncryption credentials;
    protected final PayloadEncryptionMode payloadEncryptionMode;

    /* loaded from: input_file:io/cloudsoft/winrm4j/client/encryption/NtlmEncryptionUtils$Decryptor.class */
    public static class Decryptor {
        private final PayloadEncryptionMode payloadEncryptionMode;
        NTCredentialsWithEncryption credentials;
        private byte[] rawBytes;
        private byte[] encryptedPayloadBytes;
        int index;
        int lastBlockStart;
        int lastBlockEnd;
        private byte[] signatureBytes;
        private byte[] sealedBytes;
        private String newHeaders;
        private byte[] unsealedBytes;

        public Decryptor(NTCredentialsWithEncryption nTCredentialsWithEncryption, PayloadEncryptionMode payloadEncryptionMode) {
            this.credentials = nTCredentialsWithEncryption;
            this.payloadEncryptionMode = payloadEncryptionMode;
        }

        public void handle(Message message) {
            Object obj = message.get("Content-Type");
            if (!(obj == null ? false : obj.toString().startsWith("multipart/encrypted"))) {
                if (this.payloadEncryptionMode.isRequired() && this.credentials != null && this.credentials.isAuthenticated()) {
                    throw new IllegalStateException("Unencrypted payload from server when authenticated and encryption is required");
                }
                return;
            }
            if (this.credentials == null) {
                throw new IllegalStateException("Encrypted payload from server when no credentials with encryption known");
            }
            if (!this.credentials.isAuthenticated()) {
                throw new IllegalStateException("Encrypted payload from server when not authenticated");
            }
            try {
                decrypt(message);
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        }

        void decrypt(Message message) throws IOException {
            this.rawBytes = IOUtils.readBytesFromStream((InputStream) message.getContent(InputStream.class));
            if (NtlmEncryptionUtils.LOG.isTraceEnabled()) {
                NtlmEncryptionUtils.LOG.trace("Decrypting message, seq=" + this.credentials.getSequenceNumberIncoming() + " key=" + ByteArrayUtils.formatHexDump(this.credentials.getServerSigningKey()) + "; body:\n" + ByteArrayUtils.formatHexDump(this.rawBytes));
            }
            unwrap();
            int readLittleEndianUnsignedInt = (int) ByteArrayUtils.readLittleEndianUnsignedInt(this.encryptedPayloadBytes, 0);
            this.signatureBytes = Arrays.copyOfRange(this.encryptedPayloadBytes, 4, 4 + readLittleEndianUnsignedInt);
            this.sealedBytes = Arrays.copyOfRange(this.encryptedPayloadBytes, 4 + readLittleEndianUnsignedInt, this.encryptedPayloadBytes.length);
            unseal();
            verify();
            if (NtlmEncryptionUtils.LOG.isTraceEnabled()) {
                NtlmEncryptionUtils.LOG.trace("Decrypted message: {}", new String(this.unsealedBytes));
            }
            message.setContent(InputStream.class, new ByteArrayInputStream(this.unsealedBytes));
        }

        private void verify() throws IOException {
            long readLittleEndianUnsignedInt = ByteArrayUtils.readLittleEndianUnsignedInt(this.signatureBytes, 12);
            int i = this.credentials.hasNegotiateFlag(NtlmKeys.NegotiateFlags.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) ? 4 : 8;
            byte[] copyOfRange = Arrays.copyOfRange(this.signatureBytes, i, 12);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byte[] bArr = this.unsealedBytes;
            NTCredentialsWithEncryption nTCredentialsWithEncryption = this.credentials;
            Function function = (v0) -> {
                return v0.getServerSigningKey();
            };
            Cipher statefulDecryptor = this.credentials.getStatefulDecryptor();
            statefulDecryptor.getClass();
            NtlmEncryptionUtils.calculateSignature(bArr, readLittleEndianUnsignedInt, byteArrayOutputStream, nTCredentialsWithEncryption, function, statefulDecryptor::update);
            byte[] copyOfRange2 = Arrays.copyOfRange(byteArrayOutputStream.toByteArray(), i, 12);
            long readLittleEndianUnsignedInt2 = ByteArrayUtils.readLittleEndianUnsignedInt(byteArrayOutputStream.toByteArray(), 12);
            if (!Arrays.equals(copyOfRange, copyOfRange2)) {
                throw new IllegalStateException("Checksum mismatch\n" + ByteArrayUtils.formatHexDump(copyOfRange) + "--\n" + ByteArrayUtils.formatHexDump(copyOfRange2));
            }
            if (readLittleEndianUnsignedInt2 != readLittleEndianUnsignedInt) {
                throw new IllegalStateException("Sequence number mismatch: " + readLittleEndianUnsignedInt + " != " + readLittleEndianUnsignedInt2);
            }
            this.credentials.getSequenceNumberIncoming().incrementAndGet();
        }

        void unwrap() {
            this.index = 0;
            skipOver(NtlmEncryptionUtils.ENCRYPTED_BOUNDARY_CR);
            skipUntil("\n--Encrypted Boundary\r\n");
            this.newHeaders = new String(Arrays.copyOfRange(this.rawBytes, this.lastBlockStart, this.lastBlockEnd)).trim();
            skipUntil("\r\n");
            new String(Arrays.copyOfRange(this.rawBytes, this.lastBlockStart, this.lastBlockEnd)).trim();
            this.lastBlockStart = this.index;
            this.lastBlockEnd = this.rawBytes.length - NtlmEncryptionUtils.ENCRYPTED_BOUNDARY_END.length();
            this.index = this.lastBlockEnd;
            skipOver(NtlmEncryptionUtils.ENCRYPTED_BOUNDARY_END);
            this.encryptedPayloadBytes = Arrays.copyOfRange(this.rawBytes, this.lastBlockStart, this.lastBlockEnd);
        }

        void skipOver(String str) {
            skipOver(str.getBytes());
        }

        void skipOver(byte[] bArr) {
            int i = 0;
            while (i < bArr.length) {
                if (this.index >= this.rawBytes.length) {
                    throw new IllegalStateException("Invalid format for response from server; terminated early (" + i + ") when expecting '" + new String(bArr) + "'\n" + ByteArrayUtils.formatHexDump(this.rawBytes));
                }
                int i2 = i;
                i++;
                byte b = bArr[i2];
                byte[] bArr2 = this.rawBytes;
                int i3 = this.index;
                this.index = i3 + 1;
                if (b != bArr2[i3]) {
                    throw new IllegalStateException("Invalid format for response from server; mismatch at position " + this.index + " (" + i + ") when expecting '" + new String(bArr) + "'\n" + ByteArrayUtils.formatHexDump(this.rawBytes));
                }
            }
        }

        void skipUntil(String str) {
            skipUntil(str.getBytes());
        }

        void skipUntil(byte[] bArr) {
            int i = this.index;
            loop0: while (true) {
                for (int i2 = 0; i2 < bArr.length && i + i2 < this.rawBytes.length; i2++) {
                    if (i + i2 >= this.rawBytes.length) {
                        throw new IllegalStateException("Invalid format for response from server; terminated early (" + i2 + ") when looking for '" + new String(bArr) + "'\n" + ByteArrayUtils.formatHexDump(this.rawBytes));
                    }
                    if (bArr[i2] != this.rawBytes[i + i2]) {
                        break;
                    }
                }
                i++;
            }
            this.lastBlockStart = this.index;
            this.lastBlockEnd = i;
            this.index = i + bArr.length;
        }

        private void unseal() {
            this.unsealedBytes = this.credentials.getStatefulDecryptor().update(this.sealedBytes);
        }
    }

    public NtlmEncryptionUtils(NTCredentialsWithEncryption nTCredentialsWithEncryption, PayloadEncryptionMode payloadEncryptionMode) {
        this.credentials = nTCredentialsWithEncryption;
        this.payloadEncryptionMode = payloadEncryptionMode;
    }

    public static NtlmEncryptionUtils of(Credentials credentials, PayloadEncryptionMode payloadEncryptionMode) {
        if (credentials instanceof NTCredentialsWithEncryption) {
            return new NtlmEncryptionUtils((NTCredentialsWithEncryption) credentials, payloadEncryptionMode);
        }
        if (payloadEncryptionMode.isRequired()) {
            throw new IllegalStateException("NTCredentials required to use encryption; instead have " + credentials);
        }
        return null;
    }

    public static NtlmEncryptionUtils of(Message message, PayloadEncryptionMode payloadEncryptionMode) {
        return of((Credentials) message.getExchange().get(Credentials.class.getName()), payloadEncryptionMode);
    }

    public byte[] encryptAndSign(Message message, byte[] bArr) {
        try {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Encrypting message, seq=" + this.credentials.getSequenceNumberOutgoing() + " key=" + ByteArrayUtils.formatHexDump(this.credentials.getClientSigningKey()) + "; body:\n" + new String(bArr));
            }
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byteArrayOutputStream.write(ENCRYPTED_BOUNDARY_CR.getBytes());
            byteArrayOutputStream.write("\tContent-Type: application/HTTP-SPNEGO-session-encrypted\r\n".getBytes());
            byteArrayOutputStream.write(("\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=" + bArr.length + "\r\n").getBytes());
            byteArrayOutputStream.write(ENCRYPTED_BOUNDARY_CR.getBytes());
            byteArrayOutputStream.write("\tContent-Type: application/octet-stream\r\n".getBytes());
            writeNtlmEncrypted(bArr, byteArrayOutputStream);
            byteArrayOutputStream.write(ENCRYPTED_BOUNDARY_END.getBytes());
            message.put("Content-Type", "multipart/encrypted;protocol=\"application/HTTP-SPNEGO-session-encrypted\";boundary=\"Encrypted Boundary\"");
            message.put(Message.ENCODING, (Object) null);
            if (LOG.isTraceEnabled()) {
                LOG.trace("Encrypted message: " + ByteArrayUtils.formatHexDump(byteArrayOutputStream.toByteArray()));
            }
            return byteArrayOutputStream.toByteArray();
        } catch (Exception e) {
            throw new IllegalStateException("Cannot encrypt WinRM message", e);
        }
    }

    private byte[] seal(byte[] bArr) {
        return this.credentials.getStatefulEncryptor().update(bArr);
    }

    private void writeNtlmEncrypted(byte[] bArr, ByteArrayOutputStream byteArrayOutputStream) throws IOException {
        long incrementAndGet = this.credentials.getSequenceNumberOutgoing().incrementAndGet();
        ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
        ByteArrayOutputStream byteArrayOutputStream3 = new ByteArrayOutputStream();
        byteArrayOutputStream3.write(seal(bArr));
        calculateSignature(bArr, incrementAndGet, byteArrayOutputStream2, this.credentials, (v0) -> {
            return v0.getClientSigningKey();
        }, this::seal);
        byteArrayOutputStream.write(ByteArrayUtils.getLittleEndianUnsignedInt(byteArrayOutputStream2.size()));
        byteArrayOutputStream.write(byteArrayOutputStream2.toByteArray());
        byteArrayOutputStream.write(byteArrayOutputStream3.toByteArray());
    }

    public void decrypt(Message message) {
        new Decryptor(this.credentials, this.payloadEncryptionMode).handle(message);
    }

    /* JADX WARN: Type inference failed for: r1v16, types: [byte[], byte[][]] */
    static void calculateSignature(byte[] bArr, long j, ByteArrayOutputStream byteArrayOutputStream, NTCredentialsWithEncryption nTCredentialsWithEncryption, Function<NTCredentialsWithEncryption, byte[]> function, Function<byte[], byte[]> function2) throws IOException {
        if (nTCredentialsWithEncryption.hasNegotiateFlag(NtlmKeys.NegotiateFlags.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)) {
            byte[] copyOfRange = Arrays.copyOfRange(WinrmEncryptionUtils.hmacMd5(function.apply(nTCredentialsWithEncryption), ByteArrayUtils.concat(new byte[]{ByteArrayUtils.getLittleEndianUnsignedInt(j), bArr})), 0, 8);
            if (nTCredentialsWithEncryption.hasNegotiateFlag(NtlmKeys.NegotiateFlags.NTLMSSP_NEGOTIATE_KEY_EXCH)) {
                copyOfRange = function2.apply(copyOfRange);
            }
            byteArrayOutputStream.write(new byte[]{1, 0, 0, 0});
            byteArrayOutputStream.write(copyOfRange);
            byteArrayOutputStream.write(ByteArrayUtils.getLittleEndianUnsignedInt(j));
            return;
        }
        CRC32 crc32 = new CRC32();
        crc32.update(bArr);
        long value = crc32.getValue();
        byteArrayOutputStream.write(new byte[]{1, 0, 0, 0});
        byteArrayOutputStream.write(function2.apply(ByteArrayUtils.getLittleEndianUnsignedInt(0L)));
        byteArrayOutputStream.write(function2.apply(ByteArrayUtils.getLittleEndianUnsignedInt(value)));
        byteArrayOutputStream.write(function2.apply(ByteArrayUtils.getLittleEndianUnsignedInt(j)));
    }
}
