package io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh.kdf;

import io.jenkins.cli.shaded.org.apache.sshd.common.NamedResource;
import io.jenkins.cli.shaded.org.apache.sshd.common.RuntimeSshException;
import io.jenkins.cli.shaded.org.apache.sshd.common.cipher.BuiltinCiphers;
import io.jenkins.cli.shaded.org.apache.sshd.common.cipher.CipherFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyEntryResolver;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKdfOptions;
import io.jenkins.cli.shaded.org.apache.sshd.common.session.SessionContext;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ExceptionUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.NumberUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.BufferUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.security.SecurityUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StreamCorruptedException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicInteger;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:WEB-INF/lib/cli-2.344-rc32268.58022cf2024f.jar:io/jenkins/cli/shaded/org/apache/sshd/common/config/keys/loader/openssh/kdf/BCryptKdfOptions.class */
public class BCryptKdfOptions implements OpenSSHKdfOptions {
    public static final String NAME = "bcrypt";
    public static final int DEFAULT_MAX_ROUNDS = 255;
    private static final AtomicInteger MAX_ROUNDS_HOLDER = new AtomicInteger(255);
    private byte[] salt;
    private int numRounds;

    /* loaded from: input_file:WEB-INF/lib/cli-2.344-rc32268.58022cf2024f.jar:io/jenkins/cli/shaded/org/apache/sshd/common/config/keys/loader/openssh/kdf/BCryptKdfOptions$BCryptBadRoundsException.class */
    public static class BCryptBadRoundsException extends RuntimeSshException {
        private static final long serialVersionUID = 1724985268892193553L;
        private final int rounds;

        public BCryptBadRoundsException(int i) {
            this(i, "Bad rounds value: " + i);
        }

        public BCryptBadRoundsException(int i, String str) {
            this(i, str, null);
        }

        public BCryptBadRoundsException(int i, String str, Throwable th) {
            super(str, th);
            this.rounds = i;
        }

        public int getRounds() {
            return this.rounds;
        }
    }

    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKdfOptions
    public void initialize(String str, byte[] bArr) throws IOException {
        if (!NAME.equalsIgnoreCase(str)) {
            throw new StreamCorruptedException("Mismatched KDF name: " + str);
        }
        if (NumberUtils.isEmpty(bArr)) {
            throw new StreamCorruptedException("Missing KDF options for " + str);
        }
        int length = bArr.length - 8;
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        Throwable th = null;
        try {
            try {
                initialize(byteArrayInputStream, length);
                if (byteArrayInputStream != null) {
                    if (0 != 0) {
                        try {
                            byteArrayInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        byteArrayInputStream.close();
                    }
                }
                int length2 = NumberUtils.length(getSalt());
                if (length2 != length) {
                    throw new StreamCorruptedException("Mismatched salt data length: expected=" + length + ", actual=" + length2);
                }
            } finally {
            }
        } catch (Throwable th3) {
            if (byteArrayInputStream != null) {
                if (th != null) {
                    try {
                        byteArrayInputStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    byteArrayInputStream.close();
                }
            }
            throw th3;
        }
    }

    protected void initialize(InputStream inputStream, int i) throws IOException {
        setSalt(KeyEntryResolver.readRLEBytes(inputStream, i));
        setNumRounds(KeyEntryResolver.decodeInt(inputStream));
    }

    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKeyDecryptor
    public boolean isEncrypted() {
        return true;
    }

    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKeyDecryptor
    public byte[] decodePrivateKeyBytes(SessionContext sessionContext, NamedResource namedResource, String str, byte[] bArr, String str2) throws IOException, GeneralSecurityException {
        if (NumberUtils.isEmpty(bArr)) {
            return bArr;
        }
        CipherFactory resolveFactory = BuiltinCiphers.resolveFactory(str);
        if (resolveFactory == null || !resolveFactory.isSupported()) {
            throw new NoSuchAlgorithmException("Unsupported cipher: " + str);
        }
        int cipherBlockSize = resolveFactory.getCipherBlockSize();
        if (bArr.length % cipherBlockSize != 0) {
            throw new StreamCorruptedException("Encrypted data size (" + bArr.length + ") is not aligned to  " + str + " block size (" + cipherBlockSize + ")");
        }
        byte[] bytes = str2.getBytes(StandardCharsets.UTF_8);
        int kdfSize = resolveFactory.getKdfSize();
        byte[] bArr2 = new byte[kdfSize + resolveFactory.getIVSize()];
        try {
            try {
                bcryptKdf(bytes, bArr2);
                byte[] copyOfRange = Arrays.copyOfRange(bArr2, 0, kdfSize);
                byte[] copyOfRange2 = Arrays.copyOfRange(bArr2, kdfSize, bArr2.length);
                try {
                    Cipher cipher = SecurityUtils.getCipher(resolveFactory.getTransformation());
                    cipher.init(2, new SecretKeySpec(copyOfRange, resolveFactory.getAlgorithm()), new IvParameterSpec(copyOfRange2));
                    byte[] doFinal = cipher.doFinal(bArr);
                    Arrays.fill(copyOfRange, (byte) 0);
                    Arrays.fill(copyOfRange2, (byte) 0);
                    Arrays.fill(bytes, (byte) 0);
                    Arrays.fill(bArr2, (byte) 0);
                    return doFinal;
                } catch (Throwable th) {
                    Arrays.fill(copyOfRange, (byte) 0);
                    Arrays.fill(copyOfRange2, (byte) 0);
                    throw th;
                }
            } catch (RuntimeException e) {
                Throwable peelException = ExceptionUtils.peelException(e);
                Throwable th2 = null;
                if ((peelException instanceof IOException) || (peelException instanceof GeneralSecurityException)) {
                    th2 = peelException;
                } else {
                    Throwable resolveExceptionCause = ExceptionUtils.resolveExceptionCause(e);
                    if ((resolveExceptionCause instanceof IOException) || (resolveExceptionCause instanceof GeneralSecurityException)) {
                        th2 = resolveExceptionCause;
                    }
                }
                if (th2 instanceof IOException) {
                    throw ((IOException) th2);
                }
                if (th2 instanceof GeneralSecurityException) {
                    throw ((GeneralSecurityException) th2);
                }
                throw e;
            }
        } catch (Throwable th3) {
            Arrays.fill(bytes, (byte) 0);
            Arrays.fill(bArr2, (byte) 0);
            throw th3;
        }
    }

    protected void bcryptKdf(byte[] bArr, byte[] bArr2) throws IOException, GeneralSecurityException {
        new BCrypt().pbkdf(bArr, getSalt(), getNumRounds(), bArr2);
    }

    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.NamedResource
    public final String getName() {
        return NAME;
    }

    public byte[] getSalt() {
        return NumberUtils.emptyIfNull(this.salt);
    }

    public void setSalt(byte[] bArr) {
        this.salt = NumberUtils.emptyIfNull(bArr);
    }

    public int getNumRounds() {
        return this.numRounds;
    }

    public void setNumRounds(int i) {
        int maxAllowedRounds = getMaxAllowedRounds();
        if (i <= 0 || i > maxAllowedRounds) {
            throw new BCryptBadRoundsException(i, "Bad rounds value (" + i + ") - max. allowed " + maxAllowedRounds);
        }
        this.numRounds = i;
    }

    public int hashCode() {
        return (31 * getNumRounds()) + Arrays.hashCode(getSalt());
    }

    public boolean equals(Object obj) {
        if (obj == null) {
            return false;
        }
        if (this == obj) {
            return true;
        }
        if (getClass() != obj.getClass()) {
            return false;
        }
        BCryptKdfOptions bCryptKdfOptions = (BCryptKdfOptions) obj;
        return getNumRounds() == bCryptKdfOptions.getNumRounds() && Arrays.equals(getSalt(), bCryptKdfOptions.getSalt());
    }

    public String toString() {
        return getName() + ": rounds=" + getNumRounds() + ", salt=" + BufferUtils.toHex(':', getSalt());
    }

    public static int getMaxAllowedRounds() {
        return MAX_ROUNDS_HOLDER.get();
    }

    public static void setMaxAllowedRounds(int i) {
        ValidateUtils.checkTrue(i > 0, "Invalid max. rounds value: %d", i);
        MAX_ROUNDS_HOLDER.set(i);
    }
}
