package com.microsoft.sqlserver.jdbc;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/microsoft/sqlserver/jdbc/SQLServerSecurityUtility.class */
public class SQLServerSecurityUtility {
    private static final Logger logger;
    static final int GONE = 410;
    static final int TOO_MANY_RESQUESTS = 429;
    static final int NOT_FOUND = 404;
    static final int INTERNAL_SERVER_ERROR = 500;
    static final int NETWORK_CONNECT_TIMEOUT_ERROR = 599;
    static final String WINDOWS_KEY_STORE_NAME = "MSSQL_CERTIFICATE_STORE";
    private static final String INTELLIJ_KEEPASS_PASS = "INTELLIJ_KEEPASS_PATH";
    private static final String ADDITIONALLY_ALLOWED_TENANTS = "ADDITIONALLY_ALLOWED_TENANTS";
    static final /* synthetic */ boolean $assertionsDisabled;

    private SQLServerSecurityUtility() {
        throw new UnsupportedOperationException(SQLServerException.getErrString("R_notSupported"));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] getHMACWithSHA256(byte[] bArr, byte[] bArr2, int i) throws NoSuchAlgorithmException, InvalidKeyException {
        byte[] bArr3 = new byte[i];
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(bArr2, "HmacSHA256"));
        System.arraycopy(mac.doFinal(bArr), 0, bArr3, 0, bArr3.length);
        return bArr3;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean compareBytes(byte[] bArr, byte[] bArr2, int i, int i2) {
        if (null == bArr || null == bArr2 || bArr2.length - i < i2) {
            return false;
        }
        for (int i3 = 0; i3 < bArr.length && i3 < i2; i3++) {
            if (bArr[i3] != bArr2[i + i3]) {
                return false;
            }
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SQLServerColumnEncryptionKeyStoreProvider getColumnEncryptionKeyStoreProvider(String str, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        if ($assertionsDisabled || !(str == null || str.length() == 0)) {
            return (sQLServerStatement == null || !sQLServerStatement.hasColumnEncryptionKeyStoreProvidersRegistered()) ? sQLServerConnection.getColumnEncryptionKeyStoreProviderOnConnection(str) : sQLServerStatement.getColumnEncryptionKeyStoreProvider(str);
        }
        throw new AssertionError("Provider name should not be null or empty");
    }

    static boolean shouldUseInstanceLevelProviderFlow(String str, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) {
        return !str.equalsIgnoreCase(WINDOWS_KEY_STORE_NAME) && (sQLServerConnection.hasConnectionColumnEncryptionKeyStoreProvidersRegistered() || (null != sQLServerStatement && sQLServerStatement.hasColumnEncryptionKeyStoreProvidersRegistered()));
    }

    static SQLServerSymmetricKey getKeyFromLocalProviders(EncryptionKeyInfo encryptionKeyInfo, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        String trustedServerNameAE = sQLServerConnection.getTrustedServerNameAE();
        if (!$assertionsDisabled && null == trustedServerNameAE) {
            throw new AssertionError("serverName should not be null in getKey.");
        }
        if (logger.isLoggable(Level.FINEST)) {
            logger.finest("Checking trusted master key path...");
        }
        Boolean[] boolArr = new Boolean[1];
        List<String> columnEncryptionTrustedMasterKeyPaths = SQLServerConnection.getColumnEncryptionTrustedMasterKeyPaths(trustedServerNameAE, boolArr);
        if (boolArr[0].booleanValue() && (null == columnEncryptionTrustedMasterKeyPaths || columnEncryptionTrustedMasterKeyPaths.isEmpty() || !columnEncryptionTrustedMasterKeyPaths.contains(encryptionKeyInfo.keyPath))) {
            throw new SQLServerException((Object) null, new MessageFormat(SQLServerException.getErrString("R_UntrustedKeyPath")).format(new Object[]{encryptionKeyInfo.keyPath, trustedServerNameAE}), (String) null, 0, false);
        }
        SQLServerException sQLServerException = null;
        byte[] bArr = null;
        try {
            bArr = getColumnEncryptionKeyStoreProvider(encryptionKeyInfo.keyStoreName, sQLServerConnection, sQLServerStatement).decryptColumnEncryptionKey(encryptionKeyInfo.keyPath, encryptionKeyInfo.algorithmName, encryptionKeyInfo.encryptedKey);
        } catch (SQLServerException e) {
            sQLServerException = e;
        }
        if (null != bArr) {
            return new SQLServerSymmetricKey(bArr);
        }
        if (null != sQLServerException) {
            throw sQLServerException;
        }
        throw new SQLServerException((Object) null, SQLServerException.getErrString("R_CEKDecryptionFailed"), (String) null, 0, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] encryptWithKey(byte[] bArr, CryptoMetadata cryptoMetadata, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        String trustedServerNameAE = sQLServerConnection.getTrustedServerNameAE();
        if (!$assertionsDisabled && trustedServerNameAE == null) {
            throw new AssertionError("Server name should not be null in EncryptWithKey");
        }
        if (!cryptoMetadata.isAlgorithmInitialized()) {
            decryptSymmetricKey(cryptoMetadata, sQLServerConnection, sQLServerStatement);
        }
        if (!$assertionsDisabled && !cryptoMetadata.isAlgorithmInitialized()) {
            throw new AssertionError();
        }
        byte[] encryptData = cryptoMetadata.cipherAlgorithm.encryptData(bArr);
        if (null == encryptData || 0 == encryptData.length) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_NullCipherTextAE"), (String) null, 0, false);
        }
        return encryptData;
    }

    private static String validateAndGetEncryptionAlgorithmName(byte b, String str) throws SQLServerException {
        if (2 != b) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_CustomCipherAlgorithmNotSupportedAE"), (String) null, 0, false);
        }
        return "AEAD_AES_256_CBC_HMAC_SHA256";
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void decryptSymmetricKey(CryptoMetadata cryptoMetadata, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        if (!$assertionsDisabled && null == cryptoMetadata) {
            throw new AssertionError("md should not be null in DecryptSymmetricKey.");
        }
        if (!$assertionsDisabled && null == cryptoMetadata.cekTableEntry) {
            throw new AssertionError("md.EncryptionInfo should not be null in DecryptSymmetricKey.");
        }
        if (!$assertionsDisabled && null == cryptoMetadata.cekTableEntry.columnEncryptionKeyValues) {
            throw new AssertionError("md.EncryptionInfo.ColumnEncryptionKeyValues should not be null in DecryptSymmetricKey.");
        }
        SQLServerSymmetricKey sQLServerSymmetricKey = null;
        EncryptionKeyInfo encryptionKeyInfo = null;
        SQLServerSymmetricKeyCache sQLServerSymmetricKeyCache = SQLServerSymmetricKeyCache.getInstance();
        Iterator<EncryptionKeyInfo> it = cryptoMetadata.cekTableEntry.columnEncryptionKeyValues.iterator();
        SQLServerException sQLServerException = null;
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            EncryptionKeyInfo next = it.next();
            try {
                sQLServerSymmetricKey = shouldUseInstanceLevelProviderFlow(next.keyStoreName, sQLServerConnection, sQLServerStatement) ? getKeyFromLocalProviders(next, sQLServerConnection, sQLServerStatement) : sQLServerSymmetricKeyCache.getKey(next, sQLServerConnection);
            } catch (SQLServerException e) {
                sQLServerException = e;
            }
            if (null != sQLServerSymmetricKey) {
                encryptionKeyInfo = next;
                break;
            }
        }
        if (null == sQLServerSymmetricKey) {
            if (null == sQLServerException) {
                throw new SQLServerException((Object) null, SQLServerException.getErrString("R_CEKDecryptionFailed"), (String) null, 0, false);
            }
            throw sQLServerException;
        }
        cryptoMetadata.cipherAlgorithm = null;
        SQLServerEncryptionAlgorithm algorithm = SQLServerEncryptionAlgorithmFactoryList.getInstance().getAlgorithm(sQLServerSymmetricKey, cryptoMetadata.encryptionType, validateAndGetEncryptionAlgorithmName(cryptoMetadata.cipherAlgorithmId, cryptoMetadata.cipherAlgorithmName));
        if (!$assertionsDisabled && null == algorithm) {
            throw new AssertionError("Cipher algorithm cannot be null in DecryptSymmetricKey");
        }
        cryptoMetadata.cipherAlgorithm = algorithm;
        cryptoMetadata.encryptionKeyInfo = encryptionKeyInfo;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] decryptWithKey(byte[] bArr, CryptoMetadata cryptoMetadata, SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement) throws SQLServerException {
        String trustedServerNameAE = sQLServerConnection.getTrustedServerNameAE();
        if (!$assertionsDisabled && null == trustedServerNameAE) {
            throw new AssertionError("serverName should not be null in DecryptWithKey.");
        }
        if (!cryptoMetadata.isAlgorithmInitialized()) {
            decryptSymmetricKey(cryptoMetadata, sQLServerConnection, sQLServerStatement);
        }
        if (!$assertionsDisabled && !cryptoMetadata.isAlgorithmInitialized()) {
            throw new AssertionError("Decryption Algorithm is not initialized");
        }
        byte[] decryptData = cryptoMetadata.cipherAlgorithm.decryptData(bArr);
        if (null == decryptData) {
            throw new SQLServerException((Object) null, SQLServerException.getErrString("R_PlainTextNullAE"), (String) null, 0, false);
        }
        return decryptData;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void verifyColumnMasterKeyMetadata(SQLServerConnection sQLServerConnection, SQLServerStatement sQLServerStatement, String str, String str2, String str3, boolean z, byte[] bArr) throws SQLServerException {
        Boolean[] boolArr = new Boolean[1];
        List<String> columnEncryptionTrustedMasterKeyPaths = SQLServerConnection.getColumnEncryptionTrustedMasterKeyPaths(str3, boolArr);
        if (boolArr[0].booleanValue() && (null == columnEncryptionTrustedMasterKeyPaths || columnEncryptionTrustedMasterKeyPaths.isEmpty() || !columnEncryptionTrustedMasterKeyPaths.contains(str2))) {
            throw new SQLServerException(new MessageFormat(SQLServerException.getErrString("R_UntrustedKeyPath")).format(new Object[]{str2, str3}), null);
        }
        if (!(shouldUseInstanceLevelProviderFlow(str, sQLServerConnection, sQLServerStatement) ? getColumnEncryptionKeyStoreProvider(str, sQLServerConnection, sQLServerStatement) : sQLServerConnection.getSystemOrGlobalColumnEncryptionKeyStoreProvider(str)).verifyColumnMasterKeyMetadata(str2, z, bArr)) {
            throw new SQLServerException(SQLServerException.getErrString("R_VerifySignatureFailed"), null);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SqlAuthenticationToken getManagedIdentityCredAuthToken(String str, String str2) throws SQLServerException {
        if (logger.isLoggable(Level.FINEST)) {
            logger.finest("Getting Managed Identity authentication token for: " + str2);
        }
        ManagedIdentityCredential build = (null == str2 || str2.isEmpty()) ? new ManagedIdentityCredentialBuilder().build() : new ManagedIdentityCredentialBuilder().clientId(str2).build();
        TokenRequestContext tokenRequestContext = new TokenRequestContext();
        tokenRequestContext.setScopes(Arrays.asList(str.endsWith("/.default") ? str : str + "/.default"));
        Optional blockOptional = build.getToken(tokenRequestContext).blockOptional();
        if (!blockOptional.isPresent()) {
            throw new SQLServerException(SQLServerException.getErrString("R_ManagedIdentityTokenAcquisitionFail"), null);
        }
        AccessToken accessToken = (AccessToken) blockOptional.get();
        SqlAuthenticationToken sqlAuthenticationToken = new SqlAuthenticationToken(accessToken.getToken(), accessToken.getExpiresAt().toEpochSecond());
        if (logger.isLoggable(Level.FINEST)) {
            logger.finest("Got fedAuth token, expiry: " + sqlAuthenticationToken.getExpiresOn().toString());
        }
        return sqlAuthenticationToken;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SqlAuthenticationToken getDefaultAzureCredAuthToken(String str, String str2) throws SQLServerException {
        String str3 = System.getenv(INTELLIJ_KEEPASS_PASS);
        String[] additonallyAllowedTenants = getAdditonallyAllowedTenants();
        DefaultAzureCredentialBuilder defaultAzureCredentialBuilder = new DefaultAzureCredentialBuilder();
        if (null != str2 && !str2.isEmpty()) {
            defaultAzureCredentialBuilder.managedIdentityClientId(str2);
        }
        if (null != str3 && !str3.isEmpty()) {
            defaultAzureCredentialBuilder.intelliJKeePassDatabasePath(str3);
        }
        if (null != additonallyAllowedTenants && additonallyAllowedTenants.length != 0) {
            defaultAzureCredentialBuilder.additionallyAllowedTenants(additonallyAllowedTenants);
        }
        DefaultAzureCredential build = defaultAzureCredentialBuilder.build();
        TokenRequestContext tokenRequestContext = new TokenRequestContext();
        tokenRequestContext.setScopes(Arrays.asList(str.endsWith("/.default") ? str : str + "/.default"));
        Optional blockOptional = build.getToken(tokenRequestContext).blockOptional();
        if (!blockOptional.isPresent()) {
            throw new SQLServerException(SQLServerException.getErrString("R_ManagedIdentityTokenAcquisitionFail"), null);
        }
        AccessToken accessToken = (AccessToken) blockOptional.get();
        return new SqlAuthenticationToken(accessToken.getToken(), accessToken.getExpiresAt().toEpochSecond());
    }

    private static String[] getAdditonallyAllowedTenants() {
        String str = System.getenv(ADDITIONALLY_ALLOWED_TENANTS);
        if (null == str || str.isEmpty()) {
            return null;
        }
        return System.getenv(ADDITIONALLY_ALLOWED_TENANTS).split(",");
    }

    static {
        $assertionsDisabled = !SQLServerSecurityUtility.class.desiredAssertionStatus();
        logger = Logger.getLogger("com.microsoft.sqlserver.jdbc.SQLServerSecurityUtility");
    }
}
