package com.aliyun.encdb.mysql.crypto;

import com.aliyun.encdb.common.cipher.Envelope;
import com.aliyun.encdb.common.common.Constants;
import com.aliyun.encdb.common.common.ServerInfo;
import com.aliyun.encdb.common.common.Utils;
import com.aliyun.encdb.common.crypto.CipherSuite;
import com.aliyun.encdb.common.crypto.HKDF;
import com.aliyun.encdb.common.crypto.HashAlgo;
import com.aliyun.encdb.common.crypto.Symmetric;
import com.aliyun.encdb.common.exception.EncdbCheckedException;
import com.aliyun.encdb.common.exception.EncdbRuntimeException;
import com.aliyun.encdb.common.json.JSONObject;
import com.aliyun.encdb.common.msgio.MsgKeyConstants;
import com.aliyun.encdb.common.msgio.MsgType;
import com.aliyun.encdb.mysql.cipher.CipherForMySQL;
import com.aliyun.encdb.mysql.jdbc.external.com.google.gson.JsonObject;
import com.aliyun.encdb.mysql.msgio.MySQLMsgIO;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidParameterException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import java.util.zip.DataFormatException;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/aliyun/encdb/mysql/crypto/Cryptor.class */
public class Cryptor {
    private static final Logger logger = LoggerFactory.getLogger(Cryptor.class);
    private byte[] cachedMek;
    private byte[] cachedNonce;
    private byte[] cachedDek;
    private final ServerInfo serverInfo;
    private final CipherSuite cipherSuite;
    private final String username;
    private final Connection dbConnection;
    private final MySQLMsgIO msgio;
    private final boolean isDuplicate;

    protected Cryptor(Cryptor cryptor) {
        this.cachedMek = null;
        this.cachedNonce = null;
        this.cachedDek = null;
        this.cachedMek = cryptor.cachedMek == null ? null : Arrays.copyOf(cryptor.cachedMek, cryptor.cachedMek.length);
        this.cachedNonce = cryptor.cachedNonce == null ? null : Arrays.copyOf(cryptor.cachedNonce, cryptor.cachedNonce.length);
        this.cachedDek = cryptor.cachedDek == null ? null : Arrays.copyOf(cryptor.cachedDek, cryptor.cachedDek.length);
        this.cipherSuite = cryptor.cipherSuite;
        this.username = cryptor.username;
        this.serverInfo = cryptor.serverInfo;
        this.msgio = null;
        this.dbConnection = null;
        this.isDuplicate = true;
    }

    public Cryptor getDuplicate() {
        return new Cryptor(this);
    }

    public Cryptor(Connection connection) {
        this.cachedMek = null;
        this.cachedNonce = null;
        this.cachedDek = null;
        this.serverInfo = ServerInfo.requestServerInfo(connection, Constants.KeyMgmtType.MySQL);
        this.cipherSuite = this.serverInfo.getCipherSuite();
        this.dbConnection = connection;
        this.msgio = new MySQLMsgIO(connection);
        this.username = getCurrentUsername();
        this.isDuplicate = false;
    }

    public byte[] decrypt(byte[] bArr) throws EncdbCheckedException {
        if (this.cachedMek == null) {
            throw new EncdbCheckedException("MEK not set");
        }
        CipherForMySQL buildCipher = CipherForMySQL.buildCipher(bArr);
        if (this.cachedDek == null || !buildCipher.checkNonce(this.cachedNonce)) {
            this.cachedNonce = buildCipher.getNonce();
            if (this.cipherSuite.getHashAlgo() == HashAlgo.SM3) {
                this.cachedDek = HKDF.deriveWithSM3(Symmetric.Params.SM4_128_KEY_SIZE.getVal(), this.cachedMek, this.cachedNonce, null);
            } else {
                if (this.cipherSuite.getHashAlgo() != HashAlgo.SHA256) {
                    throw new InvalidParameterException("Invalid Hash Alg");
                }
                this.cachedDek = HKDF.deriveWithSHA256(Symmetric.Params.AES_128_KEY_SIZE.getVal(), this.cachedMek, this.cachedNonce, null);
            }
        }
        try {
            return buildCipher.decrypt(this.cachedDek);
        } catch (Exception e) {
            logger.debug("decrypt failed", e);
            throw new EncdbCheckedException("decrypt failed");
        }
    }

    public int getType(byte[] bArr) throws EncdbCheckedException {
        return CipherForMySQL.buildCipher(bArr).getEncType();
    }

    public void setMek(String str, Constants.EncAlgo encAlgo) throws EncdbCheckedException {
        byte[] decode = Hex.decode(str);
        if (decode == null || decode.length != 16) {
            throw new EncdbRuntimeException("Invalid MEK [" + str + "]");
        }
        setMek(decode, encAlgo);
    }

    public void setMek(byte[] bArr, Constants.EncAlgo encAlgo) throws EncdbCheckedException {
        if (bArr == null || bArr.length != 16) {
            throw new EncdbRuntimeException("Invalid MEK [" + (bArr == null ? "null" : Hex.toHexString(bArr)) + "]");
        }
        this.cachedMek = bArr;
        if (this.isDuplicate) {
            return;
        }
        try {
            JSONObject envelopSealedMekObj = getEnvelopSealedMekObj(bArr, null, encAlgo);
            envelopSealedMekObj.put("username", this.username);
            this.msgio.send_recv(envelopSealedMekObj.toJSONString().getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            throw new EncdbCheckedException("failed to provision mek", e);
        }
    }

    public void updateMek(String str, String str2, Constants.EncAlgo encAlgo) throws EncdbCheckedException {
        byte[] decode = Hex.decode(str);
        byte[] decode2 = Hex.decode(str2);
        if (decode == null || decode.length != 16) {
            throw new EncdbRuntimeException("Invalid old MEK [" + str + "]");
        }
        if (decode2 == null || decode2.length != 16) {
            throw new EncdbRuntimeException("Invalid new MEK [" + str2 + "]");
        }
        updateMek(decode, decode2, encAlgo);
    }

    public void updateMek(byte[] bArr, byte[] bArr2, Constants.EncAlgo encAlgo) throws EncdbCheckedException {
        if (bArr == null || bArr.length != 16) {
            throw new EncdbRuntimeException("Invalid oldMek [" + (bArr == null ? "null" : Hex.toHexString(bArr)) + "]");
        }
        if (bArr2 == null || bArr2.length != 16) {
            throw new EncdbRuntimeException("Invalid newMek [" + (bArr2 == null ? "null" : Hex.toHexString(bArr2)) + "]");
        }
        this.cachedMek = bArr2;
        if (this.isDuplicate) {
            return;
        }
        try {
            JSONObject envelopSealedMekObj = getEnvelopSealedMekObj(bArr2, bArr, encAlgo);
            envelopSealedMekObj.put("username", this.username);
            this.msgio.send_recv(envelopSealedMekObj.toJSONString().getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            throw new EncdbCheckedException("failed to update mek", e);
        }
    }

    private String getEnvelopeString(byte[] bArr, byte[] bArr2) throws IOException, CryptoException, DataFormatException {
        JSONObject jSONObject = new JSONObject();
        if (bArr != null) {
            jSONObject.put(MsgKeyConstants.MEK, Utils.bytesTobase64(bArr));
        }
        if (bArr2 != null) {
            jSONObject.put(MsgKeyConstants.OLD_MEK, Utils.bytesTobase64(bArr2));
        }
        Envelope envelope = new Envelope(jSONObject.toJSONString().getBytes(StandardCharsets.UTF_8));
        envelope.setCiperSuite(this.cipherSuite);
        return Utils.bytesTobase64(envelope.seal(this.serverInfo.getPublicKey()).getBytes());
    }

    private JSONObject getEnvelopSealedMekObj(byte[] bArr, byte[] bArr2, Constants.EncAlgo encAlgo) throws CryptoException, DataFormatException, IOException {
        JSONObject jSONObject = new JSONObject();
        if (bArr2 != null) {
            jSONObject.put(MsgKeyConstants.REQUEST_TYPE, (Number) 49);
        } else {
            jSONObject.put(MsgKeyConstants.REQUEST_TYPE, (Number) 48);
        }
        if (encAlgo != null) {
            jSONObject.put(MsgKeyConstants.ALGORITHM, encAlgo);
        }
        jSONObject.put(MsgKeyConstants.ENVELOPE, getEnvelopeString(bArr, bArr2));
        jSONObject.put(MsgKeyConstants.PUBLIC_KEY_HASH, this.serverInfo.getPublicKeyHash());
        return jSONObject;
    }

    public void setEncRule(String str) throws EncdbCheckedException {
        if (str == null) {
            throw new EncdbRuntimeException("wrong configuration, enc rule not set");
        }
        if (this.isDuplicate) {
            return;
        }
        try {
            JsonObject jsonObject = new JsonObject();
            jsonObject.addProperty(MsgKeyConstants.REQUEST_TYPE, Integer.valueOf(MsgType.ENC_RULE_IMPORT));
            jsonObject.addProperty(MsgKeyConstants.ENC_RULE, Base64.getEncoder().encodeToString(str.getBytes(StandardCharsets.UTF_8)));
            jsonObject.addProperty("username", this.username);
            this.msgio.send_recv(jsonObject.toString().getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            throw new EncdbCheckedException("import enc rule failed", e);
        }
    }

    private String getCurrentUsername() {
        try {
            ResultSet executeQuery = this.dbConnection.createStatement().executeQuery("select current_user()");
            executeQuery.next();
            return executeQuery.getString(1).split("@")[0];
        } catch (SQLException e) {
            throw new EncdbRuntimeException("not able to get connection username", e);
        }
    }
}
