package org.eclipse.milo.opcua.stack.core.channel;

import io.netty.buffer.ByteBuf;
import io.netty.util.ReferenceCountUtil;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity;
import org.eclipse.milo.opcua.stack.core.channel.headers.AsymmetricSecurityHeader;
import org.eclipse.milo.opcua.stack.core.channel.headers.SecureMessageHeader;
import org.eclipse.milo.opcua.stack.core.channel.headers.SequenceHeader;
import org.eclipse.milo.opcua.stack.core.channel.headers.SymmetricSecurityHeader;
import org.eclipse.milo.opcua.stack.core.channel.messages.MessageType;
import org.eclipse.milo.opcua.stack.core.util.BufferUtil;
import org.eclipse.milo.opcua.stack.core.util.LongSequence;
import org.eclipse.milo.opcua.stack.core.util.SignatureUtil;

/* loaded from: input_file:org/eclipse/milo/opcua/stack/core/channel/ChunkEncoder.class */
public final class ChunkEncoder {
    private final AsymmetricEncoder asymmetricEncoder = new AsymmetricEncoder();
    private final SymmetricEncoder symmetricEncoder = new SymmetricEncoder();
    private final LongSequence sequenceNumber = new LongSequence(1, 4294966272L);
    private final ChannelParameters parameters;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/milo/opcua/stack/core/channel/ChunkEncoder$AbstractEncoder.class */
    public abstract class AbstractEncoder {
        static final /* synthetic */ boolean $assertionsDisabled;

        private AbstractEncoder() {
        }

        EncodedMessage encode(List<ByteBuf> list, SecureChannel secureChannel, long j, ByteBuf byteBuf, MessageType messageType) throws UaException {
            int i;
            boolean isEncryptionEnabled = isEncryptionEnabled(secureChannel);
            int securityHeaderSize = getSecurityHeaderSize(secureChannel);
            int cipherTextBlockSize = getCipherTextBlockSize(secureChannel);
            int plainTextBlockSize = getPlainTextBlockSize(secureChannel);
            int signatureSize = getSignatureSize(secureChannel);
            int localSendBufferSize = ChunkEncoder.this.parameters.getLocalSendBufferSize();
            int i2 = isEncryptionEnabled ? cipherTextBlockSize > 256 ? 2 : 1 : 0;
            int i3 = (((localSendBufferSize - 12) - securityHeaderSize) / cipherTextBlockSize) * plainTextBlockSize;
            int i4 = ((i3 - 8) - i2) - signatureSize;
            if (!$assertionsDisabled && i3 + securityHeaderSize + 12 > localSendBufferSize) {
                throw new AssertionError();
            }
            while (byteBuf.readableBytes() > 0) {
                int min = Math.min(byteBuf.readableBytes(), i4);
                if (isEncryptionEnabled) {
                    int i5 = (((8 + min) + i2) + signatureSize) % plainTextBlockSize;
                    i = i5 > 0 ? plainTextBlockSize - i5 : 0;
                } else {
                    i = 0;
                }
                int i6 = 8 + min + signatureSize + i + i2;
                if (!$assertionsDisabled && i6 % plainTextBlockSize != 0) {
                    throw new AssertionError();
                }
                int i7 = 12 + securityHeaderSize + ((i6 / plainTextBlockSize) * cipherTextBlockSize);
                if (!$assertionsDisabled && i7 > localSendBufferSize) {
                    throw new AssertionError();
                }
                ByteBuf pooledBuffer = BufferUtil.pooledBuffer(i7);
                list.add(pooledBuffer);
                int remoteMaxChunkCount = ChunkEncoder.this.parameters.getRemoteMaxChunkCount();
                if (remoteMaxChunkCount > 0 && list.size() > remoteMaxChunkCount) {
                    throw new UaException(StatusCodes.Bad_EncodingLimitsExceeded, "remote chunk count exceeded: " + remoteMaxChunkCount);
                }
                SecureMessageHeader.encode(new SecureMessageHeader(messageType, byteBuf.readableBytes() > min ? 'C' : 'F', i7, secureChannel.getChannelId()), pooledBuffer);
                encodeSecurityHeader(secureChannel, pooledBuffer);
                SequenceHeader.encode(new SequenceHeader(ChunkEncoder.this.sequenceNumber.getAndIncrement(), j), pooledBuffer);
                pooledBuffer.writeBytes(byteBuf, min);
                if (isEncryptionEnabled) {
                    writePadding(cipherTextBlockSize, i, pooledBuffer);
                }
                if (isSigningEnabled(secureChannel)) {
                    pooledBuffer.writeBytes(signChunk(secureChannel, pooledBuffer.nioBuffer(0, pooledBuffer.writerIndex())));
                }
                if (isEncryptionEnabled) {
                    pooledBuffer.readerIndex(12 + securityHeaderSize);
                    if (!$assertionsDisabled && pooledBuffer.readableBytes() % plainTextBlockSize != 0) {
                        throw new AssertionError();
                    }
                    try {
                        int readableBytes = pooledBuffer.readableBytes() / plainTextBlockSize;
                        ByteBuffer nioBuffer = pooledBuffer.nioBuffer(pooledBuffer.readerIndex(), readableBytes * cipherTextBlockSize);
                        ByteBuf copy = pooledBuffer.copy();
                        ByteBuffer nioBuffer2 = copy.nioBuffer();
                        Cipher cipher = getCipher(secureChannel);
                        if (isAsymmetric()) {
                            for (int i8 = 0; i8 < readableBytes; i8++) {
                                nioBuffer2.position(i8 * plainTextBlockSize);
                                nioBuffer2.limit((i8 + 1) * plainTextBlockSize);
                                int doFinal = cipher.doFinal(nioBuffer2, nioBuffer);
                                if (!$assertionsDisabled && doFinal != cipherTextBlockSize) {
                                    throw new AssertionError();
                                }
                            }
                        } else {
                            cipher.doFinal(nioBuffer2, nioBuffer);
                        }
                        copy.release();
                    } catch (GeneralSecurityException e) {
                        throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e);
                    }
                }
                pooledBuffer.readerIndex(0).writerIndex(i7);
            }
            return new EncodedMessage(list, j);
        }

        private void writePadding(int i, int i2, ByteBuf byteBuf) {
            byteBuf.writeByte(i2);
            for (int i3 = 0; i3 < i2; i3++) {
                byteBuf.writeByte(i2);
            }
            if (i > 256) {
                byteBuf.writeByte((i2 >> 8) & 255);
            }
        }

        protected abstract byte[] signChunk(SecureChannel secureChannel, ByteBuffer byteBuffer) throws UaException;

        protected abstract void encodeSecurityHeader(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException;

        protected abstract Cipher getCipher(SecureChannel secureChannel) throws UaException;

        protected abstract int getSecurityHeaderSize(SecureChannel secureChannel) throws UaException;

        protected abstract int getCipherTextBlockSize(SecureChannel secureChannel);

        protected abstract int getPlainTextBlockSize(SecureChannel secureChannel);

        protected abstract int getSignatureSize(SecureChannel secureChannel);

        protected abstract boolean isAsymmetric();

        protected abstract boolean isEncryptionEnabled(SecureChannel secureChannel);

        protected abstract boolean isSigningEnabled(SecureChannel secureChannel);

        static {
            $assertionsDisabled = !ChunkEncoder.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:org/eclipse/milo/opcua/stack/core/channel/ChunkEncoder$AsymmetricEncoder.class */
    private final class AsymmetricEncoder extends AbstractEncoder {
        static final /* synthetic */ boolean $assertionsDisabled;

        private AsymmetricEncoder() {
            super();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public byte[] signChunk(SecureChannel secureChannel, ByteBuffer byteBuffer) throws UaException {
            return SignatureUtil.sign(secureChannel.getSecurityPolicy().getAsymmetricSignatureAlgorithm(), secureChannel.getKeyPair().getPrivate(), byteBuffer);
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public Cipher getCipher(SecureChannel secureChannel) throws UaException {
            X509Certificate remoteCertificate = secureChannel.getRemoteCertificate();
            if (!$assertionsDisabled && remoteCertificate == null) {
                throw new AssertionError();
            }
            try {
                Cipher cipher = Cipher.getInstance(secureChannel.getSecurityPolicy().getAsymmetricEncryptionAlgorithm().getTransformation());
                cipher.init(1, remoteCertificate.getPublicKey());
                return cipher;
            } catch (GeneralSecurityException e) {
                throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e);
            }
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public void encodeSecurityHeader(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException {
            AsymmetricSecurityHeader.encode(new AsymmetricSecurityHeader(secureChannel.getSecurityPolicy().getUri(), secureChannel.getLocalCertificateChainBytes(), secureChannel.getRemoteCertificateThumbprint()), byteBuf);
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getSecurityHeaderSize(SecureChannel secureChannel) throws UaException {
            String uri = secureChannel.getSecurityPolicy().getUri();
            byte[] bytes = secureChannel.getLocalCertificateChainBytes().bytes();
            byte[] bytes2 = secureChannel.getRemoteCertificateThumbprint().bytes();
            return 12 + uri.length() + (bytes != null ? bytes.length : 0) + (bytes2 != null ? bytes2.length : 0);
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getCipherTextBlockSize(SecureChannel secureChannel) {
            return secureChannel.getRemoteAsymmetricCipherTextBlockSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getPlainTextBlockSize(SecureChannel secureChannel) {
            return secureChannel.getRemoteAsymmetricPlainTextBlockSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getSignatureSize(SecureChannel secureChannel) {
            return secureChannel.getLocalAsymmetricSignatureSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        protected boolean isAsymmetric() {
            return true;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public boolean isEncryptionEnabled(SecureChannel secureChannel) {
            return secureChannel.isAsymmetricEncryptionEnabled();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public boolean isSigningEnabled(SecureChannel secureChannel) {
            return secureChannel.isAsymmetricSigningEnabled();
        }

        static {
            $assertionsDisabled = !ChunkEncoder.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:org/eclipse/milo/opcua/stack/core/channel/ChunkEncoder$EncodedMessage.class */
    public static class EncodedMessage {
        private final List<ByteBuf> messageChunks;
        private final long requestId;

        public EncodedMessage(List<ByteBuf> list, long j) {
            this.messageChunks = list;
            this.requestId = j;
        }

        public List<ByteBuf> getMessageChunks() {
            return this.messageChunks;
        }

        public long getRequestId() {
            return this.requestId;
        }
    }

    /* loaded from: input_file:org/eclipse/milo/opcua/stack/core/channel/ChunkEncoder$SymmetricEncoder.class */
    private final class SymmetricEncoder extends AbstractEncoder {
        private volatile ChannelSecurity.SecurityKeys securityKeys;
        private volatile Cipher cipher;
        private volatile long cipherId;
        static final /* synthetic */ boolean $assertionsDisabled;

        private SymmetricEncoder() {
            super();
            this.cipher = null;
            this.cipherId = -1L;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public void encodeSecurityHeader(SecureChannel secureChannel, ByteBuf byteBuf) throws UaException {
            ChannelSecurity channelSecurity = secureChannel.getChannelSecurity();
            long longValue = channelSecurity != null ? channelSecurity.getCurrentToken().getTokenId().longValue() : 0L;
            SymmetricSecurityHeader.encode(new SymmetricSecurityHeader(longValue), byteBuf);
            this.securityKeys = channelSecurity != null ? channelSecurity.getCurrentKeys() : null;
            if (this.cipherId == longValue || !secureChannel.isSymmetricEncryptionEnabled()) {
                return;
            }
            this.cipher = initCipher(secureChannel);
            this.cipherId = longValue;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public byte[] signChunk(SecureChannel secureChannel, ByteBuffer byteBuffer) throws UaException {
            return SignatureUtil.hmac(secureChannel.getSecurityPolicy().getSymmetricSignatureAlgorithm(), secureChannel.getEncryptionKeys(this.securityKeys).getSignatureKey(), byteBuffer);
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public Cipher getCipher(SecureChannel secureChannel) {
            if ($assertionsDisabled || this.cipher != null) {
                return this.cipher;
            }
            throw new AssertionError();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getSecurityHeaderSize(SecureChannel secureChannel) {
            return 4;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getCipherTextBlockSize(SecureChannel secureChannel) {
            return secureChannel.getSymmetricBlockSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getPlainTextBlockSize(SecureChannel secureChannel) {
            return secureChannel.getSymmetricBlockSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public int getSignatureSize(SecureChannel secureChannel) {
            return secureChannel.getSymmetricSignatureSize();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        protected boolean isAsymmetric() {
            return false;
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public boolean isEncryptionEnabled(SecureChannel secureChannel) {
            return secureChannel.isSymmetricEncryptionEnabled();
        }

        @Override // org.eclipse.milo.opcua.stack.core.channel.ChunkEncoder.AbstractEncoder
        public boolean isSigningEnabled(SecureChannel secureChannel) {
            return secureChannel.isSymmetricSigningEnabled();
        }

        private Cipher initCipher(SecureChannel secureChannel) throws UaException {
            try {
                String transformation = secureChannel.getSecurityPolicy().getSymmetricEncryptionAlgorithm().getTransformation();
                ChannelSecurity.SecretKeys encryptionKeys = secureChannel.getEncryptionKeys(this.securityKeys);
                SecretKeySpec secretKeySpec = new SecretKeySpec(encryptionKeys.getEncryptionKey(), "AES");
                IvParameterSpec ivParameterSpec = new IvParameterSpec(encryptionKeys.getInitializationVector());
                Cipher cipher = Cipher.getInstance(transformation);
                cipher.init(1, secretKeySpec, ivParameterSpec);
                if ($assertionsDisabled || cipher.getBlockSize() == secureChannel.getSymmetricBlockSize()) {
                    return cipher;
                }
                throw new AssertionError();
            } catch (GeneralSecurityException e) {
                throw new UaException(StatusCodes.Bad_SecurityChecksFailed, e);
            }
        }

        static {
            $assertionsDisabled = !ChunkEncoder.class.desiredAssertionStatus();
        }
    }

    public ChunkEncoder(ChannelParameters channelParameters) {
        this.parameters = channelParameters;
    }

    public EncodedMessage encodeAsymmetric(SecureChannel secureChannel, long j, ByteBuf byteBuf, MessageType messageType) throws MessageEncodeException {
        return encode(this.asymmetricEncoder, secureChannel, j, byteBuf, messageType);
    }

    public EncodedMessage encodeSymmetric(SecureChannel secureChannel, long j, ByteBuf byteBuf, MessageType messageType) throws MessageEncodeException {
        return encode(this.symmetricEncoder, secureChannel, j, byteBuf, messageType);
    }

    private EncodedMessage encode(AbstractEncoder abstractEncoder, SecureChannel secureChannel, long j, ByteBuf byteBuf, MessageType messageType) throws MessageEncodeException {
        ArrayList arrayList = new ArrayList();
        try {
            return abstractEncoder.encode(arrayList, secureChannel, j, byteBuf, messageType);
        } catch (UaException e) {
            arrayList.forEach((v0) -> {
                ReferenceCountUtil.safeRelease(v0);
            });
            throw new MessageEncodeException(e);
        }
    }
}
