package com.prosysopc.ua.stack.transport.tcp.impl;

import com.prosysopc.ua.stack.common.RuntimeServiceResultException;
import com.prosysopc.ua.stack.common.ServiceResultException;
import com.prosysopc.ua.stack.core.MessageSecurityMode;
import com.prosysopc.ua.stack.core.StatusCodes;
import com.prosysopc.ua.stack.transport.security.SecurityAlgorithm;
import com.prosysopc.ua.stack.transport.security.SecurityConfiguration;
import com.prosysopc.ua.stack.transport.security.SecurityPolicy;
import com.prosysopc.ua.stack.utils.CryptoUtil;
import java.nio.ByteBuffer;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/prosys-opc-ua-java-sdk-client-4.6.0-1594.jar:com/prosysopc/ua/stack/transport/tcp/impl/ChunkAsymmDecryptVerifier.class */
/**
 * Decrypts and verifies one asymmetrically secured chunk held in a {@link ByteBuffer}.
 *
 * <p>{@link #run()} reads the security policy URI, the sender certificate and the receiver
 * certificate thumbprint from the chunk, decrypts the rest of the chunk in place, verifies the
 * asymmetric signature against the remote certificate from the {@link SecurityConfiguration},
 * checks the padding bytes, and finally narrows the buffer's position/limit so that signature
 * and padding are excluded.
 *
 * <p>The field and helper names ({@code kZ}, {@code la}, {@code lb}, {@code lc}, {@code a})
 * are obfuscated/decompiled identifiers; their roles are described on each member.
 *
 * <p>NOTE(review): the values exposed by the getters are parsed from the chunk before any
 * signature check and are never compared with the configured certificates in this class.
 * Whether a caller performs that comparison is not visible here - confirm.
 */
public class ChunkAsymmDecryptVerifier implements Runnable {
    static Logger logger = LoggerFactory.getLogger((Class<?>) ChunkAsymmDecryptVerifier.class);
    // The chunk being processed. It must be array-backed: run() calls array()/arrayOffset()
    // and the decrypted bytes are written straight into that backing array.
    ByteBuffer kZ;
    // Supplies the security policy, message security mode, local private key, local
    // certificate and remote certificate used by run().
    SecurityConfiguration la;
    // Security policy URI as read from the chunk (not the locally configured one).
    String securityPolicyUri;
    // Sender certificate bytes as read from the chunk (see getSenderCertificate()).
    byte[] lb;
    // Receiver certificate thumbprint as read from the chunk.
    byte[] lc;

    /**
     * Stores the chunk and the configuration; no parsing or validation happens here.
     *
     * @param byteBuffer chunk to decrypt and verify; modified in place by {@link #run()}
     * @param securityConfiguration source of the policy, mode, keys and certificates
     */
    public ChunkAsymmDecryptVerifier(ByteBuffer byteBuffer, SecurityConfiguration securityConfiguration) {
        this.kZ = byteBuffer;
        this.la = securityConfiguration;
    }

    /**
     * Returns the receiver certificate thumbprint read from the chunk by {@link #run()}.
     *
     * @return the internal array itself (no defensive copy); {@code null} before run() has
     *     reached the point where it is parsed
     */
    public byte[] getReceiverCertificateThumbprint() {
        return this.lc;
    }

    /**
     * Returns the security policy URI read from the chunk by {@link #run()}.
     *
     * @return the URI string from the chunk, or {@code null} if run() has not parsed it yet
     */
    public String getSecurityPolicyUri() {
        return this.securityPolicyUri;
    }

    /**
     * Returns the sender certificate bytes read from the chunk by {@link #run()}.
     *
     * @return the internal array itself (no defensive copy); {@code null} before run() has
     *     reached the point where it is parsed
     */
    public byte[] getSenderCertificate() {
        return this.lb;
    }

    /**
     * Parses the security header, decrypts the chunk in place, verifies signature and padding,
     * and leaves the buffer positioned on the data that follows the 8 bytes after the security
     * header, with the limit set before padding and signature.
     *
     * @throws RuntimeServiceResultException wrapping any {@link ServiceResultException}, which
     *     includes {@code Bad_SecurityChecksFailed} for a failed signature or padding check
     */
    @Override // java.lang.Runnable
    public void run() throws RuntimeServiceResultException {
        byte b;
        try {
            SecurityPolicy securityPolicy = this.la.getSecurityPolicy();
            MessageSecurityMode messageSecurityMode = this.la.getMessageSecurityMode();
            // Sign is handled exactly like SignAndEncrypt from here on, so a Sign-mode chunk is
            // also decrypted. Presumably this follows the OPC UA rule that asymmetrically
            // secured (OpenSecureChannel) messages are encrypted whenever security is enabled
            // - TODO confirm against the specification.
            if (messageSecurityMode == MessageSecurityMode.Sign) {
                messageSecurityMode = MessageSecurityMode.SignAndEncrypt;
            }
            // Skip the first 12 bytes; presumably the message header and secure channel id
            // - TODO confirm.
            this.kZ.position(12);
            this.securityPolicyUri = ChunkUtils.getString(this.kZ);
            logger.debug("SecurityPolicy in use: {}", this.securityPolicyUri);
            // Logs the configured mode, not the local variable remapped above.
            logger.debug("SecurityMode in use: {}", this.la.getMessageSecurityMode());
            if (logger.isTraceEnabled()) {
                // Dumps the backing array from index 0 (arrayOffset() is not applied); the
                // meaning of the 64 argument is not visible in this file.
                logger.trace("Chunk: {}", CryptoUtil.toHex(this.kZ.array(), 64));
            }
            this.lb = ChunkUtils.getByteString(this.kZ);
            this.lc = ChunkUtils.getByteString(this.kZ);
            // position  = first byte after the security header (start of the encrypted part).
            // position2 = position + 8; presumably skips the sequence header - TODO confirm.
            // limit     = number of bytes from position to the buffer limit; replaced below by
            //             the byte count returned from decryption.
            int position = this.kZ.position();
            int position2 = this.kZ.position() + 8;
            int limit = this.kZ.limit() - position;
            if (messageSecurityMode == MessageSecurityMode.SignAndEncrypt) {
                // Copy the ciphertext out, then decrypt it back into the same backing array at
                // the same location, overwriting the ciphertext.
                byte[] bArr = new byte[limit];
                this.kZ.position(position);
                this.kZ.get(bArr, 0, bArr.length);
                limit = a(bArr, this.la.getLocalPrivateKey(), this.kZ.array(), position + this.kZ.arrayOffset());
                if (logger.isTraceEnabled()) {
                    // NOTE(review): at this point the backing array holds decrypted message
                    // bytes, so enabling TRACE writes plaintext to the log. Keep TRACE off for
                    // this logger outside of controlled debugging.
                    logger.trace("Chunk decrypted: {}", CryptoUtil.toHex(this.kZ.array(), 64));
                }
            }
            // i = signature size in bytes (0 when no signature is checked).
            int i = 0;
            // After the remap above the local mode can no longer be Sign, so only the
            // SignAndEncrypt half of this condition can be true.
            if (MessageSecurityMode.Sign == messageSecurityMode || MessageSecurityMode.SignAndEncrypt == messageSecurityMode) {
                SecurityAlgorithm asymmetricSignatureAlgorithm = securityPolicy.getAsymmetricSignatureAlgorithm();
                logger.debug("signatureAlgorithm={}", asymmetricSignatureAlgorithm);
                // The size is derived from the configured remote certificate's public key, not
                // from the sender certificate carried in the chunk.
                i = CryptoUtil.getSignatureSize(asymmetricSignatureAlgorithm, this.la.getRemoteCertificate().getPublicKey());
                logger.debug("signatureSize={}", Integer.valueOf(i));
                // NOTE(review): nothing checks that i <= position + limit. A chunk shorter than
                // the expected signature makes this allocation fail with an unchecked
                // NegativeArraySizeException instead of a ServiceResultException, so it bypasses
                // the catch block below. Consider an explicit length check that reports
                // Bad_SecurityChecksFailed.
                // Signed data = everything from buffer index 0 up to the signature.
                byte[] bArr2 = new byte[(position + limit) - i];
                this.kZ.position(0);
                this.kZ.get(bArr2, 0, bArr2.length);
                // Signature = the last i bytes of the decrypted region.
                this.kZ.position((position + limit) - i);
                byte[] bArr3 = new byte[i];
                this.kZ.get(bArr3, 0, i);
                if (!a(bArr2, this.la.getRemoteCertificate(), bArr3)) {
                    logger.error("Signature verification fails.");
                    throw new ServiceResultException(StatusCodes.Bad_SecurityChecksFailed, "Signature could not be VERIFIED");
                }
            }
            // i2 = total number of padding bytes including the size byte(s); 0 if not encrypted.
            int i2 = 0;
            if (messageSecurityMode == MessageSecurityMode.SignAndEncrypt) {
                // i3 = index of the last byte before the signature.
                int i3 = ((position + limit) - i) - 1;
                // With a local key larger than 2048 bits the padding size is read as two
                // bytes: low byte at i3 - 1, high byte at i3.
                boolean z = this.la.getLocalCertificate2().getCertificate().getKeySize() > 2048;
                if (z) {
                    b = this.kZ.get(i3 - 1);
                    i2 = ((b & 255) | ((this.kZ.get(i3) & 255) << 8)) + 2;
                } else {
                    b = this.kZ.get(i3);
                    i2 = (b & 255) + 1;
                }
                logger.debug("paddingEnd={} paddingSize={}", Integer.valueOf(i3), Integer.valueOf(i2));
                // i4 = number of bytes compared, i5 = index of the first compared byte. In the
                // two-byte case the high size byte at i3 is excluded from the comparison.
                int i4 = z ? i2 - 1 : i2;
                int i5 = z ? i3 - i4 : (i3 - i4) + 1;
                // Every compared byte must equal the (low) padding size byte b.
                // NOTE(review): the padding size is not bounds-checked against the chunk length;
                // an out-of-range value makes the absolute get() throw an unchecked
                // IndexOutOfBoundsException rather than a ServiceResultException. This runs only
                // after the signature check above has passed.
                for (int i6 = 0; i6 < i4; i6++) {
                    byte b2 = this.kZ.get(i5 + i6);
                    if (b2 != b) {
                        logger.error(String.format("Padding does not match: %x <> %x", Integer.valueOf(b2), Integer.valueOf(b)));
                        throw new ServiceResultException(StatusCodes.Bad_SecurityChecksFailed, "Could not verify the padding in the message");
                    }
                }
            }
            // Expose only the body: start 8 bytes after the security header and stop before
            // padding and signature (new limit = position + limit - i2 - i).
            this.kZ.position(position2);
            this.kZ.limit((((this.kZ.position() + limit) - 8) - i2) - i);
        } catch (ServiceResultException e) {
            // Runnable.run() cannot declare checked exceptions, so rethrow unchecked.
            throw new RuntimeServiceResultException(e);
        }
    }

    /**
     * Decrypts {@code bArr} with the crypto provider, using the configured policy's asymmetric
     * encryption algorithm, passing {@code bArr2} and {@code i} as the output array and offset.
     *
     * <p>NOTE(review): with TRACE enabled this logs both the ciphertext and the output array
     * after decryption, i.e. plaintext reaches the log.
     *
     * @param bArr data to decrypt
     * @param privateKey local private key used for decryption
     * @param bArr2 array handed to the provider to receive the result
     * @param i offset into {@code bArr2} handed to the provider
     * @return the value returned by {@code decryptAsymm} (logged as "bytesDecrypted")
     * @throws ServiceResultException declared for failures of the provider call
     */
    private int a(byte[] bArr, PrivateKey privateKey, byte[] bArr2, int i) throws ServiceResultException {
        int decryptAsymm = CryptoUtil.getCryptoProvider().decryptAsymm(privateKey, this.la.getSecurityPolicy().getAsymmetricEncryptionAlgorithm(), bArr, bArr2, i);
        if (logger.isTraceEnabled()) {
            logger.trace("decrypt: dataToDecrypt={}", CryptoUtil.toHex(bArr, 64));
            logger.trace("decrypt: output={}", CryptoUtil.toHex(bArr2, 64));
            logger.trace("decrypt: bytesDecrypted={}", Integer.valueOf(decryptAsymm));
        }
        return decryptAsymm;
    }

    /**
     * Verifies {@code bArr2} as a signature over {@code bArr} with the certificate's public key
     * and the configured policy's asymmetric signature algorithm.
     *
     * @param bArr signed data
     * @param certificate certificate whose public key is used for verification
     * @param bArr2 signature bytes
     * @return the result of the provider's {@code verifyAsymm} call
     * @throws ServiceResultException declared for failures of the provider call
     */
    private boolean a(byte[] bArr, Certificate certificate, byte[] bArr2) throws ServiceResultException {
        logger.debug("verify: policy={}", this.la.getSecurityPolicy());
        if (logger.isTraceEnabled()) {
            logger.trace("verify: {}", certificate);
            logger.trace("verify: dataToVerify={}", CryptoUtil.toHex(bArr, 64));
            logger.trace("verify: signature={}", CryptoUtil.toHex(bArr2, 64));
        }
        return CryptoUtil.getCryptoProvider().verifyAsymm(certificate.getPublicKey(), this.la.getSecurityPolicy().getAsymmetricSignatureAlgorithm(), bArr, bArr2);
    }
}
