package com.mastercard.developer.encryption;

import com.google.gson.Gson;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.jayway.jsonpath.Configuration;
import com.jayway.jsonpath.DocumentContext;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Option;
import com.jayway.jsonpath.Predicate;
import com.jayway.jsonpath.spi.json.GsonJsonProvider;
import com.jayway.jsonpath.spi.mapper.GsonMappingProvider;
import com.mastercard.developer.encryption.FieldLevelEncryptionConfig;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:com/mastercard/developer/encryption/FieldLevelEncryption.class */
public class FieldLevelEncryption {
    private static final String SUN_JCE = "SunJCE";
    private static final String SYMMETRIC_KEY_TYPE = "AES";
    private static final String SYMMETRIC_CYPHER = "AES/CBC/PKCS5Padding";
    private static final String ASYMMETRIC_CYPHER = "RSA/ECB/OAEPWith{ALG}AndMGF1Padding";
    private static final Integer SYMMETRIC_KEY_SIZE = 128;
    private static final Pattern LAST_ELEMENT_IN_PATH = Pattern.compile(".*(\\['.*'\\])");
    private static final Configuration jsonPathConfig = new Configuration.ConfigurationBuilder().jsonProvider(new GsonJsonProvider()).mappingProvider(new GsonMappingProvider()).options(new Option[]{Option.SUPPRESS_EXCEPTIONS}).build();

    private FieldLevelEncryption() {
    }

    public static String encryptPayload(String str, FieldLevelEncryptionConfig fieldLevelEncryptionConfig) throws EncryptionException {
        try {
            DocumentContext parse = JsonPath.parse(str, jsonPathConfig);
            for (Map.Entry<String, String> entry : fieldLevelEncryptionConfig.encryptionPaths.entrySet()) {
                encryptPayloadPath(parse, entry.getKey(), entry.getValue(), fieldLevelEncryptionConfig);
            }
            return parse.json().toString();
        } catch (GeneralSecurityException e) {
            throw new EncryptionException("Payload encryption failed!", e);
        }
    }

    public static String decryptPayload(String str, FieldLevelEncryptionConfig fieldLevelEncryptionConfig) throws EncryptionException {
        try {
            DocumentContext parse = JsonPath.parse(str, jsonPathConfig);
            for (Map.Entry<String, String> entry : fieldLevelEncryptionConfig.decryptionPaths.entrySet()) {
                decryptPayloadPath(parse, entry.getKey(), entry.getValue(), fieldLevelEncryptionConfig);
            }
            return parse.json().toString();
        } catch (GeneralSecurityException | DecoderException e) {
            throw new EncryptionException("Payload decryption failed!", e);
        }
    }

    private static void encryptPayloadPath(DocumentContext documentContext, String str, String str2, FieldLevelEncryptionConfig fieldLevelEncryptionConfig) throws GeneralSecurityException {
        JsonElement readJsonElement = readJsonElement(documentContext, str, jsonPathConfig);
        if (readJsonElement == null) {
            return;
        }
        IvParameterSpec generateIv = generateIv();
        String encodeBytes = encodeBytes(generateIv.getIV(), fieldLevelEncryptionConfig.fieldValueEncoding);
        SecretKey generateSecretKey = generateSecretKey();
        String encodeBytes2 = encodeBytes(wrapSecretKey(fieldLevelEncryptionConfig, generateSecretKey), fieldLevelEncryptionConfig.fieldValueEncoding);
        byte[] bArr = null;
        try {
            bArr = sanitizeJson(readJsonElement.toString()).getBytes(StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
        }
        String encodeBytes3 = encodeBytes(encryptBytes(generateSecretKey, generateIv, bArr), fieldLevelEncryptionConfig.fieldValueEncoding);
        JsonObject readOrCreateOutObject = readOrCreateOutObject(documentContext, str2);
        readOrCreateOutObject.addProperty(fieldLevelEncryptionConfig.ivFieldName, encodeBytes);
        readOrCreateOutObject.addProperty(fieldLevelEncryptionConfig.encryptedKeyFieldName, encodeBytes2);
        readOrCreateOutObject.addProperty(fieldLevelEncryptionConfig.encryptedValueFieldName, encodeBytes3);
        addEncryptionCertificateFingerprint(readOrCreateOutObject, fieldLevelEncryptionConfig);
        addEncryptionKeyFingerprint(readOrCreateOutObject, fieldLevelEncryptionConfig);
        addOaepPaddingDigestAlgorithm(readOrCreateOutObject, fieldLevelEncryptionConfig);
        documentContext.delete(str, new Predicate[0]);
        documentContext.set(str2, readOrCreateOutObject, new Predicate[0]);
    }

    private static void decryptPayloadPath(DocumentContext documentContext, String str, String str2, FieldLevelEncryptionConfig fieldLevelEncryptionConfig) throws GeneralSecurityException, DecoderException {
        JsonObject readJsonObject = readJsonObject(documentContext, str, jsonPathConfig);
        if (readJsonObject == null) {
            return;
        }
        JsonElement remove = readJsonObject.remove(fieldLevelEncryptionConfig.encryptedValueFieldName);
        JsonElement remove2 = readJsonObject.remove(fieldLevelEncryptionConfig.encryptedKeyFieldName);
        JsonElement remove3 = readJsonObject.remove(fieldLevelEncryptionConfig.ivFieldName);
        JsonElement remove4 = fieldLevelEncryptionConfig.oaepPaddingDigestAlgorithmFieldName != null ? readJsonObject.remove(fieldLevelEncryptionConfig.oaepPaddingDigestAlgorithmFieldName) : null;
        if (fieldLevelEncryptionConfig.encryptionCertificateFingerprintFieldName != null) {
            readJsonObject.remove(fieldLevelEncryptionConfig.encryptionCertificateFingerprintFieldName);
        }
        if (fieldLevelEncryptionConfig.encryptionKeyFingerprintFieldName != null) {
            readJsonObject.remove(fieldLevelEncryptionConfig.encryptionKeyFingerprintFieldName);
        }
        documentContext.set(str, readJsonObject, new Predicate[0]);
        JsonObject jsonObject = (JsonElement) new Gson().fromJson(sanitizeJson(new String(decryptBytes(unwrapSecretKey(fieldLevelEncryptionConfig, decodeValue(remove2.getAsString(), fieldLevelEncryptionConfig.fieldValueEncoding), null != remove4 ? remove4.getAsString() : fieldLevelEncryptionConfig.oaepPaddingDigestAlgorithm), new IvParameterSpec(decodeValue(remove3.getAsString(), fieldLevelEncryptionConfig.fieldValueEncoding)), decodeValue(remove.getAsString(), fieldLevelEncryptionConfig.fieldValueEncoding)), StandardCharsets.UTF_8)), JsonElement.class);
        JsonObject readOrCreateOutObject = readOrCreateOutObject(documentContext, str2);
        if (jsonObject.isJsonObject()) {
            for (Map.Entry entry : jsonObject.entrySet()) {
                readOrCreateOutObject.remove((String) entry.getKey());
                readOrCreateOutObject.add((String) entry.getKey(), (JsonElement) entry.getValue());
            }
            documentContext.set(str2, readOrCreateOutObject, new Predicate[0]);
        } else {
            documentContext.set(str2, jsonObject, new Predicate[0]);
        }
        JsonObject readJsonObject2 = readJsonObject(documentContext, str, jsonPathConfig);
        if (readJsonObject2 == null || !readJsonObject2.keySet().isEmpty()) {
            return;
        }
        documentContext.delete(str, new Predicate[0]);
    }

    private static JsonObject readOrCreateOutObject(DocumentContext documentContext, String str) {
        JsonObject readJsonObject = readJsonObject(documentContext, str, jsonPathConfig);
        if (null != readJsonObject) {
            return readJsonObject;
        }
        String parentJsonPath = getParentJsonPath(str);
        if (readJsonObject(documentContext, parentJsonPath, jsonPathConfig) == null) {
            throw new IllegalArgumentException(String.format("Parent path not found in payload: '%s'!", parentJsonPath));
        }
        JsonObject jsonObject = new JsonObject();
        documentContext.put(parentJsonPath, getJsonElementKey(str), jsonObject, new Predicate[0]);
        return jsonObject;
    }

    private static JsonElement readJsonElement(DocumentContext documentContext, String str, Configuration configuration) {
        return (JsonElement) JsonPath.compile(str, new Predicate[0]).read((JsonObject) documentContext.json(), configuration);
    }

    private static JsonObject readJsonObject(DocumentContext documentContext, String str, Configuration configuration) {
        JsonObject readJsonElement = readJsonElement(documentContext, str, configuration);
        if (readJsonElement == null) {
            return null;
        }
        if (readJsonElement.isJsonObject()) {
            return readJsonElement;
        }
        throw new IllegalArgumentException(String.format("JSON object expected at path: '%s'!", str));
    }

    private static String getParentJsonPath(String str) {
        String path = JsonPath.compile(str, new Predicate[0]).getPath();
        Matcher matcher = LAST_ELEMENT_IN_PATH.matcher(path);
        if (matcher.find()) {
            return path.replace(matcher.group(1), "");
        }
        throw new IllegalStateException(String.format("Unable to find parent for '%s'", str));
    }

    private static String getJsonElementKey(String str) {
        Matcher matcher = LAST_ELEMENT_IN_PATH.matcher(JsonPath.compile(str, new Predicate[0]).getPath());
        if (matcher.find()) {
            return matcher.group(1).replace("['", "").replace("']", "");
        }
        throw new IllegalStateException(String.format("Unable to find object key for '%s'", str));
    }

    private static void addEncryptionCertificateFingerprint(JsonObject jsonObject, FieldLevelEncryptionConfig fieldLevelEncryptionConfig) throws GeneralSecurityException {
        if (isNullOrEmpty(fieldLevelEncryptionConfig.encryptionCertificateFingerprintFieldName)) {
            return;
        }
        String str = fieldLevelEncryptionConfig.encryptionCertificateFingerprint;
        if (!isNullOrEmpty(str)) {
            jsonObject.addProperty(fieldLevelEncryptionConfig.encryptionCertificateFingerprintFieldName, str);
        } else {
            jsonObject.addProperty(fieldLevelEncryptionConfig.encryptionCertificateFingerprintFieldName, encodeBytes(sha256digestBytes(fieldLevelEncryptionConfig.encryptionCertificate.getEncoded()), fieldLevelEncryptionConfig.fieldValueEncoding));
        }
    }

    private static void addEncryptionKeyFingerprint(JsonObject jsonObject, FieldLevelEncryptionConfig fieldLevelEncryptionConfig) throws GeneralSecurityException {
        if (isNullOrEmpty(fieldLevelEncryptionConfig.encryptionKeyFingerprintFieldName)) {
            return;
        }
        String str = fieldLevelEncryptionConfig.encryptionKeyFingerprint;
        if (!isNullOrEmpty(str)) {
            jsonObject.addProperty(fieldLevelEncryptionConfig.encryptionKeyFingerprintFieldName, str);
        } else {
            jsonObject.addProperty(fieldLevelEncryptionConfig.encryptionKeyFingerprintFieldName, encodeBytes(sha256digestBytes(fieldLevelEncryptionConfig.encryptionCertificate.getPublicKey().getEncoded()), fieldLevelEncryptionConfig.fieldValueEncoding));
        }
    }

    private static void addOaepPaddingDigestAlgorithm(JsonObject jsonObject, FieldLevelEncryptionConfig fieldLevelEncryptionConfig) {
        if (isNullOrEmpty(fieldLevelEncryptionConfig.oaepPaddingDigestAlgorithmFieldName)) {
            return;
        }
        jsonObject.addProperty(fieldLevelEncryptionConfig.oaepPaddingDigestAlgorithmFieldName, fieldLevelEncryptionConfig.oaepPaddingDigestAlgorithm.replace("-", ""));
    }

    private static IvParameterSpec generateIv() throws GeneralSecurityException {
        byte[] bArr = new byte[16];
        SecureRandom.getInstance("SHA1PRNG", "SUN").nextBytes(bArr);
        return new IvParameterSpec(bArr);
    }

    private static SecretKey generateSecretKey() throws GeneralSecurityException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(SYMMETRIC_KEY_TYPE, SUN_JCE);
        keyGenerator.init(SYMMETRIC_KEY_SIZE.intValue());
        return keyGenerator.generateKey();
    }

    private static byte[] wrapSecretKey(FieldLevelEncryptionConfig fieldLevelEncryptionConfig, Key key) throws GeneralSecurityException {
        PublicKey publicKey = fieldLevelEncryptionConfig.encryptionCertificate.getPublicKey();
        MGF1ParameterSpec mGF1ParameterSpec = new MGF1ParameterSpec(fieldLevelEncryptionConfig.oaepPaddingDigestAlgorithm);
        Cipher cipher = Cipher.getInstance(ASYMMETRIC_CYPHER.replace("{ALG}", mGF1ParameterSpec.getDigestAlgorithm()), SUN_JCE);
        cipher.init(3, publicKey, getOaepParameterSpec(mGF1ParameterSpec));
        return cipher.wrap(key);
    }

    private static Key unwrapSecretKey(FieldLevelEncryptionConfig fieldLevelEncryptionConfig, byte[] bArr, String str) throws GeneralSecurityException {
        if (!str.contains("-")) {
            str = str.replace("SHA", "SHA-");
        }
        MGF1ParameterSpec mGF1ParameterSpec = new MGF1ParameterSpec(str);
        PrivateKey privateKey = fieldLevelEncryptionConfig.decryptionKey;
        Cipher cipher = Cipher.getInstance(ASYMMETRIC_CYPHER.replace("{ALG}", mGF1ParameterSpec.getDigestAlgorithm()), SUN_JCE);
        cipher.init(4, privateKey, getOaepParameterSpec(mGF1ParameterSpec));
        return cipher.unwrap(bArr, SYMMETRIC_KEY_TYPE, 3);
    }

    private static OAEPParameterSpec getOaepParameterSpec(MGF1ParameterSpec mGF1ParameterSpec) {
        return new OAEPParameterSpec(mGF1ParameterSpec.getDigestAlgorithm(), "MGF1", mGF1ParameterSpec, PSource.PSpecified.DEFAULT);
    }

    private static byte[] encryptBytes(Key key, AlgorithmParameterSpec algorithmParameterSpec, byte[] bArr) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(SYMMETRIC_CYPHER, SUN_JCE);
        cipher.init(1, key, algorithmParameterSpec);
        return cipher.doFinal(bArr);
    }

    private static byte[] decryptBytes(Key key, AlgorithmParameterSpec algorithmParameterSpec, byte[] bArr) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(SYMMETRIC_CYPHER, SUN_JCE);
        cipher.init(2, key, algorithmParameterSpec);
        return cipher.doFinal(bArr);
    }

    private static byte[] sha256digestBytes(byte[] bArr) throws GeneralSecurityException {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        messageDigest.update(bArr);
        return messageDigest.digest();
    }

    private static String sanitizeJson(String str) {
        return str.replaceAll("\n", "").replaceAll("\r", "").replaceAll("\t", "").replaceAll(" ", "");
    }

    private static String encodeBytes(byte[] bArr, FieldLevelEncryptionConfig.FieldValueEncoding fieldValueEncoding) {
        return fieldValueEncoding == FieldLevelEncryptionConfig.FieldValueEncoding.HEX ? new String(Hex.encodeHex(bArr)) : Base64.encodeBase64String(bArr);
    }

    private static byte[] decodeValue(String str, FieldLevelEncryptionConfig.FieldValueEncoding fieldValueEncoding) throws DecoderException {
        return fieldValueEncoding == FieldLevelEncryptionConfig.FieldValueEncoding.HEX ? Hex.decodeHex(str.toCharArray()) : Base64.decodeBase64(str);
    }

    private static boolean isNullOrEmpty(String str) {
        return null == str || str.length() == 0;
    }
}
