package com.microsoft.sqlserver.jdbc;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.text.MessageFormat;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ThreadLocalRandom;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.jni.Status;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/mssql-jdbc-11.2.0.jre11.jar:com/microsoft/sqlserver/jdbc/SQLServerSecurityUtility.class */
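/**
 * Package-internal helpers shared by the Always Encrypted code paths (HMAC computation, authentication-tag
 * comparison, column-encryption-key decryption, key-store-provider selection) and by Azure Managed Identity
 * token acquisition.
 *
 * <p>This listing is decompiler output (see the JADX markers on the file); the {@code assert} statements below
 * correspond to the synthetic {@code $assertionsDisabled} checks of the original, and
 * {@link #getMSIAuthToken(String, String, int)} still carries decompiler artefacts that are flagged inline.
 */
public class SQLServerSecurityUtility {
    private static final Logger connectionlogger =
            Logger.getLogger("com.microsoft.sqlserver.jdbc.internals.SQLServerConnection");
    // HTTP status codes on which getMSIAuthToken sleeps and retries instead of failing immediately
    // (the decompiled body uses the literal values rather than these names).
    static final int GONE = 410;
    static final int TOO_MANY_RESQUESTS = 429;
    static final int NOT_FOUND = 404;
    static final int INTERNAL_SERVER_ERROR = 500;
    static final int NETWORK_CONNECT_TIMEOUT_ERROR = 599;
    // Provider name that never takes the instance-level (connection/statement-registered) provider flow.
    static final String WINDOWS_KEY_STORE_NAME = "MSSQL_CERTIFICATE_STORE";
    // Managed Identity tokens keyed by "resource:<resource>|clientid:<clientId>"; filled by getMSIAuthToken.
    private static final SimpleTtlCache<String, SqlFedAuthToken> msiTokenCache = new SimpleTtlCache<>();

    SQLServerSecurityUtility() {
    }

    /**
     * Computes HMAC-SHA256 over {@code bArr} with key {@code bArr2} and returns its first {@code i} bytes.
     *
     * <p>Truncating the tag lowers its security margin; callers should request the full MAC length unless the
     * wire format they implement requires a shorter tag.
     *
     * @param bArr the data to authenticate
     * @param bArr2 the raw HMAC key
     * @param i number of leading MAC bytes to return, in {@code 0..macLength}
     * @return a new array holding the first {@code i} bytes of the MAC
     * @throws NoSuchAlgorithmException if HmacSHA256 is not available
     * @throws InvalidKeyException if the MAC rejects the key
     * @throws IllegalArgumentException if {@code i} is negative or longer than the MAC (the original surfaced
     *         this as an array-index / negative-array-size exception from the copy)
     */
    public static byte[] getHMACWithSHA256(byte[] bArr, byte[] bArr2, int i) throws NoSuchAlgorithmException, InvalidKeyException {
        if (i < 0) {
            throw new IllegalArgumentException("requested MAC length must not be negative: " + i);
        }
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(bArr2, "HmacSHA256"));
        byte[] fullMac = mac.doFinal(bArr);
        if (i > fullMac.length) {
            throw new IllegalArgumentException(
                    "requested MAC length " + i + " exceeds the HmacSHA256 output length " + fullMac.length);
        }
        byte[] truncated = new byte[i];
        System.arraycopy(fullMac, 0, truncated, 0, i);
        return truncated;
    }

    /**
     * Compares {@code bArr} against the region of {@code bArr2} starting at {@code i} in constant time.
     *
     * <p>Every byte of the compared region is visited regardless of where the first mismatch is, so the result
     * does not leak the mismatch position through timing (the original returned on the first differing byte).
     * Semantics are otherwise unchanged: the comparison covers {@code min(bArr.length, i2)} bytes, so a
     * {@code bArr} shorter than {@code i2} only has its prefix checked — callers that compare authentication
     * tags should pass {@code i2 == bArr.length}.
     *
     * @param bArr the expected bytes
     * @param bArr2 the buffer holding the candidate bytes
     * @param i offset of the candidate bytes in {@code bArr2}
     * @param i2 number of bytes to compare
     * @return {@code false} if either array is {@code null} or {@code bArr2} has fewer than {@code i2} bytes
     *         after {@code i}; otherwise whether the compared bytes are all equal
     */
    public static boolean compareBytes(byte[] bArr, byte[] bArr2, int i, int i2) {
        if (null == bArr || null == bArr2 || bArr2.length - i < i2) {
            return false;
        }
        int limit = Math.min(bArr.length, i2);
        int mismatch = 0;
        // Accumulate differences with OR instead of returning early.
        for (int k = 0; k < limit; k++) {
            mismatch |= bArr[k] ^ bArr2[i + k];
        }
        return 0 == mismatch;
    }

    /**
     * Resolves a column-encryption key-store provider by name, preferring providers registered on the statement
     * over those available on the connection.
     *
     * @param str provider name; must be non-empty
     * @param sQLServerConnection connection whose provider registry is the fallback
     * @param sQLServerStatement statement whose provider registry, if populated, wins; may be {@code null}
     * @return the resolved provider
     * @throws SQLServerException propagated from the connection or statement lookup
     */
    public static SQLServerColumnEncryptionKeyStoreProvider getColumnEncryptionKeyStoreProvider(String str, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        assert null != str && 0 != str.length() : "Provider name should not be null or empty";
        if (null != sQLServerStatement && sQLServerStatement.hasColumnEncryptionKeyStoreProvidersRegistered()) {
            return sQLServerStatement.getColumnEncryptionKeyStoreProvider(str);
        }
        return sQLServerConnection.getColumnEncryptionKeyStoreProviderOnConnection(str);
    }

    /**
     * Decides whether key-store lookups for {@code str} go through providers registered on this connection or
     * statement (instance level) rather than the system/global providers.
     *
     * @param str provider name; must not be {@code null}
     * @param sQLServerConnection the connection to inspect
     * @param sQLServerStatement the statement to inspect; may be {@code null}
     * @return {@code true} unless the name is {@link #WINDOWS_KEY_STORE_NAME} or neither the connection nor the
     *         statement has providers registered
     */
    static boolean shouldUseInstanceLevelProviderFlow(String str, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) {
        if (str.equalsIgnoreCase(WINDOWS_KEY_STORE_NAME)) {
            return false;
        }
        boolean statementHasProviders =
                null != sQLServerStatement && sQLServerStatement.hasColumnEncryptionKeyStoreProvidersRegistered();
        return sQLServerConnection.hasConnectionColumnEncryptionKeyStoreProvidersRegistered() || statementHasProviders;
    }

    /**
     * Returns {@code true} when a trusted-master-key-path allow-list applies to {@code serverName} and
     * {@code keyPath} is not on it (a missing or empty list counts as "not trusted").
     *
     * @param serverName the trusted server name the allow-list is keyed by
     * @param keyPath the column master key path to check
     */
    private static boolean isUntrustedMasterKeyPath(String serverName, String keyPath) {
        Boolean[] allowListApplies = new Boolean[1];
        List<String> trustedPaths =
                SQLServerConnection.getColumnEncryptionTrustedMasterKeyPaths(serverName, allowListApplies);
        // NOTE(review): the out-parameter presumably reports whether an allow-list is configured for this server —
        // confirm against SQLServerConnection.getColumnEncryptionTrustedMasterKeyPaths.
        return allowListApplies[0].booleanValue()
                && (null == trustedPaths || trustedPaths.isEmpty() || !trustedPaths.contains(keyPath));
    }

    /**
     * Decrypts the column encryption key described by {@code encryptionKeyInfo} with an instance-level provider.
     *
     * @param encryptionKeyInfo the encrypted CEK plus its key-store name, key path and algorithm
     * @param sQLServerConnection connection used for the trusted-server name and provider lookup
     * @param sQLServerStatement statement whose registered providers take precedence; may be {@code null}
     * @return the decrypted symmetric key
     * @throws SQLServerException with {@code R_UntrustedKeyPath} if the key path is outside the configured
     *         allow-list, the provider's own exception if decryption threw, or {@code R_CEKDecryptionFailed}
     *         if the provider returned {@code null} without throwing
     */
    static SQLServerSymmetricKey getKeyFromLocalProviders(EncryptionKeyInfo encryptionKeyInfo, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        String trustedServerNameAE = sQLServerConnection.getTrustedServerNameAE();
        assert null != trustedServerNameAE : "serverName should not be null in getKey.";
        if (connectionlogger.isLoggable(Level.FINE)) {
            connectionlogger.fine("Checking trusted master key path...");
        }
        if (isUntrustedMasterKeyPath(trustedServerNameAE, encryptionKeyInfo.keyPath)) {
            throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_UntrustedKeyPath")).format(new Object[]{encryptionKeyInfo.keyPath, trustedServerNameAE}), (String) null, 0, false);
        }
        SQLServerException providerFailure = null;
        byte[] plaintextKey = null;
        try {
            plaintextKey = getColumnEncryptionKeyStoreProvider(encryptionKeyInfo.keyStoreName, sQLServerConnection, sQLServerStatement)
                    .decryptColumnEncryptionKey(encryptionKeyInfo.keyPath, encryptionKeyInfo.algorithmName, encryptionKeyInfo.encryptedKey);
        } catch (SQLServerException e) {
            providerFailure = e;
        }
        if (null != plaintextKey) {
            return new SQLServerSymmetricKey(plaintextKey);
        }
        if (null != providerFailure) {
            throw providerFailure;
        }
        throw new SQLServerException((Object) null, SQLServerException.getErrString("R_CEKDecryptionFailed"), (String) null, 0, false);
    }

    /**
     * Encrypts {@code bArr} with the cipher described by {@code cryptoMetadata}, initialising the cipher (which
     * decrypts the column encryption key) on first use.
     *
     * @param bArr plaintext to encrypt
     * @param cryptoMetadata column metadata; its {@code cipherAlgorithm} is populated here if not yet initialised
     * @param sQLServerConnection connection used for key decryption
     * @param sQLServerStatement statement used for key decryption; may be {@code null}
     * @return the ciphertext
     * @throws SQLServerException with {@code R_NullCipherTextAE} if the cipher produced no output, or whatever
     *         key decryption raised
     */
    public static byte[] encryptWithKey(byte[] bArr, CryptoMetadata cryptoMetadata, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        String trustedServerNameAE = sQLServerConnection.getTrustedServerNameAE();
        assert null != trustedServerNameAE : "Server name should not be null in EncryptWithKey";
        if (!cryptoMetadata.isAlgorithmInitialized()) {
            decryptSymmetricKey(cryptoMetadata, sQLServerConnection, sQLServerStatement);
        }
        assert cryptoMetadata.isAlgorithmInitialized();
        byte[] cipherText = cryptoMetadata.cipherAlgorithm.encryptData(bArr);
        if (null == cipherText || 0 == cipherText.length) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_NullCipherTextAE"), (String) null, 0, false);
        }
        return cipherText;
    }

    /**
     * Maps a cipher algorithm id to the algorithm name the factory understands.
     *
     * @param b cipher algorithm id; only {@code 2} is supported
     * @param str algorithm name from the metadata — currently unused, kept for signature compatibility
     * @return {@code "AEAD_AES_256_CBC_HMAC_SHA256"}
     * @throws SQLServerException with {@code R_CustomCipherAlgorithmNotSupportedAE} for any other id
     */
    private static String ValidateAndGetEncryptionAlgorithmName(byte b, String str) throws SQLServerException {
        if (2 != b) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_CustomCipherAlgorithmNotSupportedAE"), (String) null, 0, false);
        }
        return "AEAD_AES_256_CBC_HMAC_SHA256";
    }

    /**
     * Decrypts the first usable column encryption key of {@code cryptoMetadata} and installs the matching cipher.
     *
     * <p>Each CEK value is tried in order: via the instance-level providers when
     * {@link #shouldUseInstanceLevelProviderFlow} says so, otherwise via {@link SQLServerSymmetricKeyCache}. The
     * first value that yields a key wins; if none does, the last provider exception is rethrown, or
     * {@code R_CEKDecryptionFailed} if no provider threw.
     *
     * @param cryptoMetadata metadata whose {@code cipherAlgorithm} and {@code encryptionKeyInfo} are set on success
     * @param sQLServerConnection connection used for provider lookup and the key cache
     * @param sQLServerStatement statement used for provider lookup; may be {@code null}
     * @throws SQLServerException if no CEK value could be decrypted or the algorithm id is unsupported
     */
    public static void decryptSymmetricKey(CryptoMetadata cryptoMetadata, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        assert null != cryptoMetadata : "md should not be null in DecryptSymmetricKey.";
        assert null != cryptoMetadata.cekTableEntry : "md.EncryptionInfo should not be null in DecryptSymmetricKey.";
        assert null != cryptoMetadata.cekTableEntry.columnEncryptionKeyValues : "md.EncryptionInfo.ColumnEncryptionKeyValues should not be null in DecryptSymmetricKey.";
        SQLServerSymmetricKey symmetricKey = null;
        EncryptionKeyInfo usedKeyInfo = null;
        SQLServerException lastFailure = null;
        SQLServerSymmetricKeyCache keyCache = SQLServerSymmetricKeyCache.getInstance();
        // Explicit iterator kept: the element container's type is not visible here, only that it has iterator().
        for (Iterator<EncryptionKeyInfo> it = cryptoMetadata.cekTableEntry.columnEncryptionKeyValues.iterator(); it.hasNext();) {
            EncryptionKeyInfo candidate = it.next();
            try {
                symmetricKey = shouldUseInstanceLevelProviderFlow(candidate.keyStoreName, sQLServerConnection, sQLServerStatement)
                        ? getKeyFromLocalProviders(candidate, sQLServerConnection, sQLServerStatement)
                        : keyCache.getKey(candidate, sQLServerConnection);
            } catch (SQLServerException e) {
                lastFailure = e;
            }
            if (null != symmetricKey) {
                usedKeyInfo = candidate;
                break;
            }
        }
        if (null == symmetricKey) {
            if (null == lastFailure) {
                throw new SQLServerException((Object) null, SQLServerException.getErrString("R_CEKDecryptionFailed"), (String) null, 0, false);
            }
            throw lastFailure;
        }
        // Clear the old cipher before resolving the new one so a failure below leaves the metadata uninitialised.
        cryptoMetadata.cipherAlgorithm = null;
        SQLServerEncryptionAlgorithm algorithm = SQLServerEncryptionAlgorithmFactoryList.getInstance().getAlgorithm(
                symmetricKey, cryptoMetadata.encryptionType,
                ValidateAndGetEncryptionAlgorithmName(cryptoMetadata.cipherAlgorithmId, cryptoMetadata.cipherAlgorithmName));
        assert null != algorithm : "Cipher algorithm cannot be null in DecryptSymmetricKey";
        cryptoMetadata.cipherAlgorithm = algorithm;
        cryptoMetadata.encryptionKeyInfo = usedKeyInfo;
    }

    /**
     * Decrypts {@code bArr} with the cipher described by {@code cryptoMetadata}, initialising the cipher on first
     * use.
     *
     * @param bArr ciphertext to decrypt
     * @param cryptoMetadata column metadata; its {@code cipherAlgorithm} is populated here if not yet initialised
     * @param sQLServerConnection connection used for key decryption
     * @param sQLServerStatement statement used for key decryption; may be {@code null}
     * @return the plaintext
     * @throws SQLServerException with {@code R_PlainTextNullAE} if the cipher returned {@code null}, or whatever
     *         key decryption raised
     */
    public static byte[] decryptWithKey(byte[] bArr, CryptoMetadata cryptoMetadata, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        String trustedServerNameAE = sQLServerConnection.getTrustedServerNameAE();
        assert null != trustedServerNameAE : "serverName should not be null in DecryptWithKey.";
        if (!cryptoMetadata.isAlgorithmInitialized()) {
            decryptSymmetricKey(cryptoMetadata, sQLServerConnection, sQLServerStatement);
        }
        assert cryptoMetadata.isAlgorithmInitialized() : "Decryption Algorithm is not initialized";
        byte[] plainText = cryptoMetadata.cipherAlgorithm.decryptData(bArr);
        if (null == plainText) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_PlainTextNullAE"), (String) null, 0, false);
        }
        return plainText;
    }

    /**
     * Verifies column master key metadata with the key-store provider named {@code str}, after checking the key
     * path against the trusted-master-key-path allow-list for {@code str3}.
     *
     * @param sQLServerConnection connection used for provider lookup
     * @param sQLServerStatement statement used for provider lookup; may be {@code null}
     * @param str key-store provider name
     * @param str2 column master key path
     * @param str3 trusted server name the allow-list is keyed by
     * @param z flag forwarded unchanged to the provider's {@code verifyColumnMasterKeyMetadata} — presumably the
     *        "allow enclave computations" bit; confirm against the provider interface
     * @param bArr bytes forwarded unchanged to the provider — presumably the metadata signature, given the
     *        {@code R_VerifySignature} error raised on failure
     * @throws SQLServerException with {@code R_UntrustedKeyPath} if the key path is outside the allow-list, or
     *         {@code R_VerifySignature} if the provider rejects the metadata
     */
    public static void verifyColumnMasterKeyMetadata(SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement, String str, String str2, String str3, boolean z, byte[] bArr) throws SQLServerException {
        if (isUntrustedMasterKeyPath(str3, str2)) {
            throw new SQLServerException(new MessageFormat(SQLServerException.getErrString("R_UntrustedKeyPath")).format(new Object[]{str2, str3}), null);
        }
        SQLServerColumnEncryptionKeyStoreProvider provider =
                shouldUseInstanceLevelProviderFlow(str, sQLServerConnection, sQLServerStatement)
                        ? getColumnEncryptionKeyStoreProvider(str, sQLServerConnection, sQLServerStatement)
                        : sQLServerConnection.getSystemOrGlobalColumnEncryptionKeyStoreProvider(str);
        if (!provider.verifyColumnMasterKeyMetadata(str2, z, bArr)) {
            throw new SQLServerException(SQLServerException.getErrString("R_VerifySignature"), null);
        }
    }

    /**
     * Obtains an Azure Managed Identity access token for {@code str} (the resource), optionally for the
     * user-assigned identity {@code str2}, caching it for up to {@code i} seconds.
     *
     * <p>The endpoint comes from {@code IDENTITY_ENDPOINT}/{@code IDENTITY_HEADER} (falling back to
     * {@code MSI_ENDPOINT}/{@code MSI_SECRET}); when neither is set the IMDS endpoint at 169.254.169.254 is used
     * with an exponential back-off retry list. The response body is parsed by substring search rather than a
     * JSON parser, so a response that lacks the expected keys is mis-parsed instead of rejected.
     *
     * <p>NOTE(review): the body below is decompiler output and is kept verbatim. {@code r0} stands for a local the
     * decompiler could not name (the parsed expiry seconds at the cache call, the chosen back-off value at the
     * sleep); {@code httpURLConnection} is never assigned, so the {@code getResponseCode()} call in the catch
     * block reads as a null dereference here although the original shares one connection variable; the
     * {@code 0 != 0} guards are constant-folded {@code if (connection != null)} cleanups; and
     * {@code Status.APR_OS_START_STATUS} is the decompiler's name for the literal 70000. Verify these against the
     * upstream source before changing behaviour.
     *
     * @param str the resource (audience) to request a token for
     * @param str2 client id of a user-assigned identity, or {@code null}/empty for the system-assigned one
     * @param i cache lifetime cap in seconds; {@code 0} or less disables caching
     * @return the token, from cache or freshly fetched
     * @throws SQLServerException if the token cannot be obtained after the retries
     */
    public static SqlFedAuthToken getMSIAuthToken(String str, String str2, int i) throws SQLServerException {
        String str3 = "resource:" + str + "|clientid:" + str2;
        SqlFedAuthToken sqlFedAuthToken = msiTokenCache.get(str3);
        if (sqlFedAuthToken != null) {
            if (connectionlogger.isLoggable(Level.FINER)) {
                // NOTE(review): confirm SqlFedAuthToken.toString() does not print the raw token value.
                connectionlogger.finer("Using cached Managed Identity auth token: " + sqlFedAuthToken.toString());
            }
            return sqlFedAuthToken;
        }
        ArrayList arrayList = new ArrayList();
        StringBuilder sb = new StringBuilder();
        int i2 = 1;
        int i3 = 1;
        // Endpoint and header are taken from the environment unvalidated; only the App Service/Functions flow
        // sends the header value, as X-IDENTITY-HEADER.
        String str4 = System.getenv("IDENTITY_ENDPOINT");
        if (null == str4 || str4.trim().isEmpty()) {
            str4 = System.getenv("MSI_ENDPOINT");
        }
        String str5 = System.getenv("IDENTITY_HEADER");
        if (null == str5 || str5.trim().isEmpty()) {
            str5 = System.getenv("MSI_SECRET");
        }
        boolean z = (null == str4 || str4.isEmpty() || null == str5 || str5.isEmpty()) ? false : true;
        if (z) {
            sb.append(str4).append("?api-version=2019-08-01&resource=").append(str);
        } else {
            sb.append("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01").append("&resource=").append(str);
            i3 = 20;
            // Back-off list indexed by attempt; values are passed to Thread.sleep, so they are milliseconds —
            // the first entries evaluate to 0 and 1, which looks small for ms; confirm units against upstream.
            for (int i4 = 0; i4 < 20; i4++) {
                arrayList.add(Integer.valueOf((500 * ((2 << i4) - 1)) / 1000));
            }
        }
        if (null != str2 && !str2.isEmpty()) {
            sb.append("&client_id=").append(str2);
        }
        while (true) {
            if (i2 > i3) {
                break;
            }
            HttpURLConnection httpURLConnection = null;
            try {
                HttpURLConnection httpURLConnection2 = (HttpURLConnection) new URL(sb.toString()).openConnection();
                httpURLConnection2.setRequestMethod("GET");
                if (z) {
                    httpURLConnection2.setRequestProperty("X-IDENTITY-HEADER", str5);
                    if (connectionlogger.isLoggable(Level.FINER)) {
                        connectionlogger.finer("Using Azure Function/App Service Managed Identity auth: " + sb);
                    }
                } else {
                    httpURLConnection2.setRequestProperty("Metadata", "true");
                    if (connectionlogger.isLoggable(Level.FINER)) {
                        connectionlogger.finer("Using Azure Managed Identity auth: " + sb);
                    }
                }
                httpURLConnection2.connect();
                InputStream inputStream = httpURLConnection2.getInputStream();
                try {
                    // Only the first line of the response is read; a missing key makes indexOf return -1 and the
                    // substring then starts at the key-length offset instead of failing.
                    StringBuilder sb2 = new StringBuilder(new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8), 100).readLine());
                    int indexOf = sb2.indexOf("\"access_token\":\"") + "\"access_token\":\"".length();
                    String substring = sb2.substring(indexOf, sb2.indexOf("\"", indexOf + 1));
                    Calendar build = new Calendar.Builder().setInstant(new Date()).build();
                    // App Service reports "expires_on", IMDS reports "expires_in"; both are added as seconds (field 13).
                    int indexOf2 = z ? sb2.indexOf("\"expires_on\":\"") + "\"expires_on\":\"".length() : sb2.indexOf("\"expires_in\":\"") + "\"expires_in\":\"".length();
                    build.add(13, Integer.parseInt(sb2.substring(indexOf2, sb2.indexOf("\"", indexOf2 + 1))));
                    SqlFedAuthToken sqlFedAuthToken2 = new SqlFedAuthToken(substring, build.getTime());
                    if (connectionlogger.isLoggable(Level.FINER)) {
                        connectionlogger.finer("Obtained new Managed Identity auth token: " + sqlFedAuthToken2.toString());
                    }
                    if (i > 0) {
                        // Cache for the shorter of the caller's cap and expiry minus 300 s; an expiry under 300 s
                        // yields a negative duration here — confirm SimpleTtlCache tolerates that.
                        msiTokenCache.put(str3, sqlFedAuthToken2, Duration.ofSeconds(Math.min(i, r0 - 300)));
                    }
                    if (inputStream != null) {
                        inputStream.close();
                    }
                    if (httpURLConnection2 != null) {
                        httpURLConnection2.disconnect();
                    }
                    return sqlFedAuthToken2;
                } catch (Throwable th) {
                    if (inputStream != null) {
                        try {
                            inputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e) {
                try {
                    i2++;
                    if (i2 > i3) {
                        if (0 != 0) {
                            httpURLConnection.disconnect();
                        }
                        if (i2 > i3) {
                            throw new SQLServerException(SQLServerException.getErrString(z ? "R_MSITokenFailureEndpoint" : "R_MSITokenFailureImds"), null);
                        }
                        return null;
                    }
                    try {
                        int responseCode = httpURLConnection.getResponseCode();
                        // Retry only on 410, 429, 404 and 5xx up to 599; anything else fails at once.
                        if (410 != responseCode && 429 != responseCode && 404 != responseCode && (500 > responseCode || 599 < responseCode)) {
                            if (null == str2 || str2.isEmpty()) {
                                throw new SQLServerException(SQLServerException.getErrString("R_MSITokenFailureImds"), null);
                            }
                            throw new SQLServerException(SQLServerException.getErrString("R_MSITokenFailureImdsClientId"), null);
                        }
                        try {
                            // A random earlier back-off entry is chosen; 410 enforces a 70000 ms floor.
                            Thread.sleep((responseCode != 410 || ((Integer) arrayList.get(ThreadLocalRandom.current().nextInt(i2 - 1))).intValue() >= 70000) ? r0 : Status.APR_OS_START_STATUS);
                            if (0 != 0) {
                                httpURLConnection.disconnect();
                            }
                        } catch (InterruptedException e2) {
                            Thread.currentThread().interrupt();
                            throw new RuntimeException(e2);
                        }
                    } catch (IOException e3) {
                        throw new SQLServerException(SQLServerException.getErrString("R_MSITokenFailureUnexpected"), null);
                    }
                } catch (Throwable th3) {
                    if (0 != 0) {
                        httpURLConnection.disconnect();
                    }
                    throw th3;
                }
            }
        }
    }
}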
