package org.jscep.message;

import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.spec.IvParameterSpec;
import kotlin.BrokerFlight;
import kotlin.IBrokerFlightsProvider;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.cms.EnvelopedData;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.RecipientOperator;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientId;
import org.bouncycastle.operator.InputDecryptor;

/* loaded from: classes3.dex */
public final class PkcsPkiEnvelopeDecoder {
    private static final BrokerFlight LOGGER = IBrokerFlightsProvider.MediaBrowserCompat$MediaItem$Flags(PkcsPkiEnvelopeDecoder.class);
    private final PrivateKey privKey;
    private final X509Certificate recipient;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes3.dex */
    public static class InternalKeyTransEnvelopedRecipient extends JceKeyTransEnvelopedRecipient {
        private static final String DES = "DES";
        private static final String RSA = "RSA/ECB/PKCS1Padding";
        private final PrivateKey wrappingKey;

        public InternalKeyTransEnvelopedRecipient(PrivateKey privateKey) {
            super(privateKey);
            this.wrappingKey = privateKey;
        }

        private AlgorithmParameterSpec getIV(AlgorithmIdentifier algorithmIdentifier) throws GeneralSecurityException {
            return new IvParameterSpec(ASN1OctetString.getInstance(algorithmIdentifier.getParameters()).getOctets());
        }

        private Key unwrapKey(PrivateKey privateKey, byte[] bArr) throws GeneralSecurityException {
            Cipher cipher = Cipher.getInstance(RSA);
            cipher.init(4, privateKey);
            try {
                return cipher.unwrap(bArr, DES, 3);
            } catch (InvalidKeyException e) {
                PkcsPkiEnvelopeDecoder.LOGGER.dispatchKeyShortcutEvent("Cannot unwrap symetric key.  Are you using a valid key pair?");
                throw e;
            }
        }

        @Override // org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient, org.bouncycastle.cms.KeyTransRecipient
        public RecipientOperator getRecipientOperator(AlgorithmIdentifier algorithmIdentifier, final AlgorithmIdentifier algorithmIdentifier2, byte[] bArr) throws CMSException {
            if (!"1.3.14.3.2.7".equals(algorithmIdentifier2.getAlgorithm().getId())) {
                return super.getRecipientOperator(algorithmIdentifier, algorithmIdentifier2, bArr);
            }
            try {
                Key unwrapKey = unwrapKey(this.wrappingKey, bArr);
                final Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
                cipher.init(2, unwrapKey, getIV(algorithmIdentifier2));
                return new RecipientOperator(new InputDecryptor() { // from class: org.jscep.message.PkcsPkiEnvelopeDecoder.InternalKeyTransEnvelopedRecipient.1
                    @Override // org.bouncycastle.operator.InputDecryptor
                    public AlgorithmIdentifier getAlgorithmIdentifier() {
                        return algorithmIdentifier2;
                    }

                    @Override // org.bouncycastle.operator.InputDecryptor
                    public InputStream getInputStream(InputStream inputStream) {
                        return new CipherInputStream(inputStream, cipher);
                    }
                });
            } catch (GeneralSecurityException e) {
                throw new CMSException("Could not create DES cipher", e);
            }
        }
    }

    public PkcsPkiEnvelopeDecoder(X509Certificate x509Certificate, PrivateKey privateKey) {
        this.recipient = x509Certificate;
        this.privKey = privateKey;
    }

    private JceKeyTransEnvelopedRecipient getKeyTransRecipient() {
        return new InternalKeyTransEnvelopedRecipient(this.privKey);
    }

    private void validate(CMSEnvelopedData cMSEnvelopedData) {
        EnvelopedData envelopedData = EnvelopedData.getInstance(cMSEnvelopedData.toASN1Structure().getContent());
        BrokerFlight brokerFlight = LOGGER;
        brokerFlight.getServiceComponent("pkcsPkiEnvelope version: {}", envelopedData.getVersion());
        brokerFlight.getServiceComponent("pkcsPkiEnvelope encryptedContentInfo contentType: {}", envelopedData.getEncryptedContentInfo().getContentType());
    }

    public byte[] decode(CMSEnvelopedData cMSEnvelopedData) throws MessageDecodingException {
        BrokerFlight brokerFlight = LOGGER;
        brokerFlight.shouldSkipDump("Decoding pkcsPkiEnvelope");
        validate(cMSEnvelopedData);
        brokerFlight.CertificateInfo$1("Decrypting pkcsPkiEnvelope using key belonging to [dn={}; serial={}]", this.recipient.getSubjectDN(), this.recipient.getSerialNumber());
        RecipientInformation recipientInformation = cMSEnvelopedData.getRecipientInfos().get(new JceKeyTransRecipientId(this.recipient));
        if (recipientInformation == null) {
            throw new MessageDecodingException("Missing expected key transfer recipient " + this.recipient.getSubjectDN());
        }
        brokerFlight.getServiceComponent("pkcsPkiEnvelope encryption algorithm: {}", recipientInformation.getKeyEncryptionAlgorithm().getAlgorithm());
        try {
            byte[] content = recipientInformation.getContent(getKeyTransRecipient());
            brokerFlight.shouldSkipDump("Finished decoding pkcsPkiEnvelope");
            return content;
        } catch (CMSException e) {
            throw new MessageDecodingException(e);
        }
    }
}
