package tuwien.auto.calimero.secure;

import java.io.ByteArrayOutputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.IntStream;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import tuwien.auto.calimero.GroupAddress;
import tuwien.auto.calimero.IndividualAddress;
import tuwien.auto.calimero.KNXFormatException;
import tuwien.auto.calimero.KNXIllegalArgumentException;
import tuwien.auto.calimero.xml.KNXMLException;
import tuwien.auto.calimero.xml.XmlInputFactory;
import tuwien.auto.calimero.xml.XmlReader;

/* loaded from: input_file:tuwien/auto/calimero/secure/Keyring.class */
public final class Keyring {
    private static final String keyringNamespace = "http://knx.org/xml/keyring/1";
    private final String keyringUri;
    private final char[] keyringPassword;
    private byte[] signature;
    private volatile Backbone backbone;
    private static final byte[] keyringSalt = utf8Bytes("1.keyring.ets.knx.org");
    private static final byte[] emptyPwd = new byte[0];
    private static final Logger logger = LoggerFactory.getLogger("calimero.keyring");
    private static final long DefaultMulticast = unsigned(new byte[]{-32, 0, 23, 12});
    private byte[] passwordHash = new byte[0];
    private byte[] createdHash = new byte[0];
    private volatile Map<IndividualAddress, List<Interface>> interfaces = Map.of();
    private volatile Map<GroupAddress, byte[]> groups = Map.of();
    private volatile Map<IndividualAddress, Device> devices = Map.of();

    /* loaded from: input_file:tuwien/auto/calimero/secure/Keyring$Backbone.class */
    public static final class Backbone {
        private final InetAddress mcGroup;
        private final byte[] groupKey;
        private final Duration latency;

        Backbone(InetAddress inetAddress, byte[] bArr, Duration duration) {
            this.mcGroup = inetAddress;
            this.groupKey = bArr;
            this.latency = duration;
        }

        public InetAddress multicastGroup() {
            return this.mcGroup;
        }

        public Optional<byte[]> groupKey() {
            return Keyring.optional(this.groupKey);
        }

        public Duration latencyTolerance() {
            return this.latency;
        }

        public int hashCode() {
            return Objects.hash(this.mcGroup, Integer.valueOf(Arrays.hashCode(this.groupKey)), this.latency);
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof Backbone)) {
                return false;
            }
            Backbone backbone = (Backbone) obj;
            return Objects.equals(this.mcGroup, backbone.mcGroup) && Objects.equals(this.latency, backbone.latency) && Arrays.equals(this.groupKey, backbone.groupKey);
        }

        public String toString() {
            return multicastGroup().getHostAddress() + " (latency tolerance " + this.latency.toMillis() + " ms)";
        }
    }

    /* loaded from: input_file:tuwien/auto/calimero/secure/Keyring$Device.class */
    public static final class Device {
        private final IndividualAddress addr;
        private final byte[] toolkey;
        private final byte[] pwd;
        private final byte[] auth;
        private final long sequence;

        Device(IndividualAddress individualAddress, byte[] bArr, byte[] bArr2, byte[] bArr3, long j) {
            this.addr = individualAddress;
            this.toolkey = bArr;
            this.pwd = bArr2;
            this.auth = bArr3;
            this.sequence = j;
        }

        public Optional<byte[]> toolKey() {
            return Keyring.optional(this.toolkey);
        }

        public Optional<byte[]> password() {
            return Keyring.optional(this.pwd);
        }

        public Optional<byte[]> authentication() {
            return Keyring.optional(this.auth);
        }

        public long sequenceNumber() {
            return this.sequence;
        }

        public String toString() {
            return "device " + this.addr + " (seq " + this.sequence + ")";
        }
    }

    /* loaded from: input_file:tuwien/auto/calimero/secure/Keyring$Interface.class */
    public static final class Interface {
        private final String type;
        private final IndividualAddress addr;
        private final int user;
        private final byte[] pwd;
        private final byte[] auth;
        private volatile Map<GroupAddress, Set<IndividualAddress>> groups = Map.of();

        /* loaded from: input_file:tuwien/auto/calimero/secure/Keyring$Interface$Type.class */
        public enum Type {
            Backbone,
            Tunneling,
            Usb;

            static Type from(String str) {
                boolean z = -1;
                switch (str.hashCode()) {
                    case -2108958645:
                        if (str.equals("Backbone")) {
                            z = false;
                            break;
                        }
                        break;
                    case -1664979366:
                        if (str.equals("Tunneling")) {
                            z = true;
                            break;
                        }
                        break;
                    case 84324:
                        if (str.equals("USB")) {
                            z = 2;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        return Backbone;
                    case true:
                        return Tunneling;
                    case true:
                        return Usb;
                    default:
                        throw new KNXIllegalArgumentException("unknown interface type " + str);
                }
            }
        }

        Interface(String str, IndividualAddress individualAddress, int i, byte[] bArr, byte[] bArr2) {
            this.type = str;
            this.addr = individualAddress;
            this.user = i;
            this.pwd = bArr;
            this.auth = bArr2;
        }

        public Type type() {
            return Type.from(this.type);
        }

        public IndividualAddress address() {
            return this.addr;
        }

        public int user() {
            return this.user;
        }

        public Optional<byte[]> password() {
            return Keyring.optional(this.pwd);
        }

        public Optional<byte[]> authentication() {
            return Keyring.optional(this.auth);
        }

        public Map<GroupAddress, Set<IndividualAddress>> groups() {
            return this.groups;
        }

        public String toString() {
            return this.type + " interface " + this.addr + ", user " + this.user + ", groups " + this.groups.keySet();
        }
    }

    private static Optional<byte[]> optional(byte[] bArr) {
        return Optional.ofNullable(bArr).map(obj -> {
            return (byte[]) ((byte[]) obj).clone();
        });
    }

    public static Keyring load(String str) {
        Keyring keyring = new Keyring(str, new char[0]);
        keyring.load();
        return keyring;
    }

    Keyring(String str, char[] cArr) {
        if (!str.endsWith(".knxkeys")) {
            throw new KNXIllegalArgumentException("'" + str + "' is not a keyring file");
        }
        this.keyringUri = str;
        this.keyringPassword = cArr;
    }

    void load() {
        try {
            try {
                XmlReader createXMLReader = XmlInputFactory.newInstance().createXMLReader(this.keyringUri);
                try {
                    createXMLReader.nextTag();
                    String namespaceURI = createXMLReader.getNamespaceURI();
                    if (!keyringNamespace.equals(namespaceURI)) {
                        throw new KNXMLException("keyring '" + this.keyringUri + "' with unsupported namespace '" + namespaceURI + "'");
                    }
                    if (!"Keyring".equals(createXMLReader.getLocalName())) {
                        throw new KNXMLException("keyring '" + this.keyringUri + "' requires 'Keyring' element");
                    }
                    String attributeValue = createXMLReader.getAttributeValue(null, "Project");
                    String attributeValue2 = createXMLReader.getAttributeValue(null, "CreatedBy");
                    String attributeValue3 = createXMLReader.getAttributeValue(null, "Created");
                    logger.debug("read keyring for project '{}', created by {} on {}", new Object[]{attributeValue, attributeValue2, attributeValue3});
                    this.passwordHash = hashKeyringPwd(this.keyringPassword);
                    this.createdHash = sha256(utf8Bytes(attributeValue3));
                    this.signature = decode(createXMLReader.getAttributeValue(null, "Signature"));
                    if (this.keyringPassword.length > 0 && !verifySignature(this.passwordHash)) {
                        throw new KnxSecureException("signature verification failed for keyring '" + this.keyringUri + "'");
                    }
                    Interface r16 = null;
                    boolean z = false;
                    boolean z2 = false;
                    HashMap hashMap = new HashMap();
                    HashMap hashMap2 = new HashMap();
                    HashMap hashMap3 = new HashMap();
                    createXMLReader.next();
                    while (createXMLReader.getEventType() != 8) {
                        int eventType = createXMLReader.getEventType();
                        if (createXMLReader.getEventType() == 1) {
                            String localName = createXMLReader.getLocalName();
                            createXMLReader.getLocation().getLineNumber();
                            if ("Backbone".equals(localName)) {
                                InetAddress byName = InetAddress.getByName(createXMLReader.getAttributeValue(null, "MulticastAddress"));
                                if (!validRoutingMulticast(byName)) {
                                    throw new KNXMLException("loading keyring '" + this.keyringUri + "': " + byName.getHostAddress() + " is not a valid KNX multicast address");
                                }
                                String attributeValue4 = createXMLReader.getAttributeValue(null, "Key");
                                this.backbone = new Backbone(byName, attributeValue4 != null ? decode(attributeValue4) : null, createXMLReader.getAttributeValue(null, "Latency") != null ? Duration.ofMillis(Integer.parseInt(r0)) : Duration.ZERO);
                            } else if ("Interface".equals(localName)) {
                                z2 = false;
                                String attributeValue5 = createXMLReader.getAttributeValue(null, "Type");
                                String attributeValue6 = createXMLReader.getAttributeValue(null, "Host");
                                IndividualAddress individualAddress = attributeValue6 != null ? new IndividualAddress(attributeValue6) : new IndividualAddress(0);
                                String attributeValue7 = createXMLReader.getAttributeValue(null, "IndividualAddress");
                                r16 = new Interface(attributeValue5, attributeValue7 != null ? new IndividualAddress(attributeValue7) : new IndividualAddress(0), ((Integer) readAttribute(createXMLReader, "UserID", Integer::parseInt, 0)).intValue(), (byte[]) readAttribute(createXMLReader, "Password", Keyring::decode, null), (byte[]) readAttribute(createXMLReader, "Authentication", Keyring::decode, null));
                                ((List) hashMap.computeIfAbsent(individualAddress, individualAddress2 -> {
                                    return new ArrayList();
                                })).add(r16);
                            } else if (r16 != null && "Group".equals(localName)) {
                                GroupAddress groupAddress = new GroupAddress(createXMLReader.getAttributeValue(null, "Address"));
                                String attributeValue8 = createXMLReader.getAttributeValue(null, "Senders");
                                ArrayList arrayList = new ArrayList();
                                if (attributeValue8 != null) {
                                    Matcher matcher = Pattern.compile("[^\\s]+").matcher(attributeValue8);
                                    while (matcher.find()) {
                                        arrayList.add(new IndividualAddress(matcher.group()));
                                    }
                                }
                                if (r16.groups.isEmpty()) {
                                    r16.groups = new HashMap();
                                }
                                r16.groups.put(groupAddress, Set.of(arrayList.toArray(new IndividualAddress[0])));
                            } else if ("Devices".equals(localName)) {
                                z = true;
                            } else if (z && "Device".equals(localName)) {
                                IndividualAddress individualAddress3 = new IndividualAddress(createXMLReader.getAttributeValue(null, "IndividualAddress"));
                                Device device = new Device(individualAddress3, (byte[]) readAttribute(createXMLReader, "ToolKey", Keyring::decode, null), (byte[]) readAttribute(createXMLReader, "ManagementPassword", Keyring::decode, null), (byte[]) readAttribute(createXMLReader, "Authentication", Keyring::decode, null), ((Long) readAttribute(createXMLReader, "SequenceNumber", Long::parseLong, 0L)).longValue());
                                hashMap3.put(individualAddress3, device);
                                logger.trace("add {}", device);
                            } else if ("GroupAddresses".equals(localName)) {
                                z2 = true;
                            } else if (z2 && "Group".equals(localName)) {
                                hashMap2.put(new GroupAddress(createXMLReader.getAttributeValue(null, "Address")), decode(createXMLReader.getAttributeValue(null, "Key")));
                            } else {
                                logger.warn("keyring '" + this.keyringUri + "': skip unknown element '{}'", localName);
                            }
                        } else if (eventType == 2 && "Interface".equals(createXMLReader.getLocalName()) && r16 != null) {
                            r16.groups = Map.copyOf(r16.groups);
                            logger.trace("add {}", r16);
                            r16 = null;
                        }
                        createXMLReader.next();
                    }
                    this.interfaces = Map.copyOf(hashMap);
                    this.groups = Map.copyOf(hashMap2);
                    this.devices = Map.copyOf(hashMap3);
                    if (createXMLReader != null) {
                        createXMLReader.close();
                    }
                } catch (Throwable th) {
                    if (createXMLReader != null) {
                        try {
                            createXMLReader.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (UnknownHostException | KNXFormatException e) {
                throw new KNXMLException("loading keyring '" + this.keyringUri + "'" + (0 != 0 ? " [line " + 0 + "]" : "") + " address element with " + e.getMessage());
            } catch (GeneralSecurityException e2) {
                throw new KnxSecureException("crypto error", e2);
            }
        } finally {
            Arrays.fill(this.passwordHash, (byte) 0);
        }
    }

    public boolean verifySignature(char[] cArr) {
        try {
            return verifySignature(hashKeyringPwd(cArr));
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public Optional<Backbone> backbone() {
        return Optional.ofNullable(this.backbone);
    }

    public Map<IndividualAddress, List<Interface>> interfaces() {
        return this.interfaces;
    }

    public Map<GroupAddress, byte[]> groups() {
        return this.groups;
    }

    public Map<IndividualAddress, Device> devices() {
        return this.devices;
    }

    private boolean verifySignature(byte[] bArr) throws GeneralSecurityException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        XmlReader createXMLReader = XmlInputFactory.newInstance().createXMLReader(this.keyringUri);
        while (createXMLReader.next() != 8) {
            try {
                if (createXMLReader.getEventType() == 1) {
                    appendElement(createXMLReader, byteArrayOutputStream);
                } else if (createXMLReader.getEventType() == 2) {
                    byteArrayOutputStream.write(2);
                }
            } catch (Throwable th) {
                if (createXMLReader != null) {
                    try {
                        createXMLReader.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        if (createXMLReader != null) {
            createXMLReader.close();
        }
        appendString(Base64.getEncoder().encode(bArr), byteArrayOutputStream);
        return Arrays.equals(sha256(byteArrayOutputStream.toByteArray()), this.signature);
    }

    public byte[] decryptKey(byte[] bArr, char[] cArr) {
        byte[] hashKeyringPwd = hashKeyringPwd(cArr);
        try {
            try {
                byte[] aes128Cbc = aes128Cbc(bArr, hashKeyringPwd, this.createdHash);
                Arrays.fill(hashKeyringPwd, (byte) 0);
                return aes128Cbc;
            } catch (RuntimeException | GeneralSecurityException e) {
                throw new KnxSecureException("decrypting key data", e);
            }
        } catch (Throwable th) {
            Arrays.fill(hashKeyringPwd, (byte) 0);
            throw th;
        }
    }

    public char[] decryptPassword(byte[] bArr, char[] cArr) {
        byte[] hashKeyringPwd = hashKeyringPwd(cArr);
        try {
            try {
                byte[] extractPassword = extractPassword(aes128Cbc(bArr, hashKeyringPwd, this.createdHash));
                char[] cArr2 = new char[extractPassword.length];
                for (int i = 0; i < extractPassword.length; i++) {
                    cArr2[i] = (char) (extractPassword[i] & 255);
                }
                Arrays.fill(extractPassword, (byte) 0);
                Arrays.fill(hashKeyringPwd, (byte) 0);
                return cArr2;
            } catch (RuntimeException | GeneralSecurityException e) {
                throw new KnxSecureException("decrypting password data", e);
            }
        } catch (Throwable th) {
            Arrays.fill(hashKeyringPwd, (byte) 0);
            throw th;
        }
    }

    private static boolean validRoutingMulticast(InetAddress inetAddress) {
        return inetAddress != null && inetAddress.isMulticastAddress() && unsigned(inetAddress.getAddress()) >= DefaultMulticast;
    }

    private static long unsigned(byte[] bArr) {
        long j = 0;
        for (byte b : bArr) {
            j = (j << 8) | (b & 255);
        }
        return j;
    }

    private static <R> R readAttribute(XmlReader xmlReader, String str, Function<String, R> function, R r) {
        String attributeValue = xmlReader.getAttributeValue(null, str);
        return attributeValue == null ? r : function.apply(attributeValue);
    }

    private static void appendElement(XmlReader xmlReader, ByteArrayOutputStream byteArrayOutputStream) {
        byteArrayOutputStream.write(1);
        appendString(utf8Bytes(xmlReader.getLocalName()), byteArrayOutputStream);
        IntStream range = IntStream.range(0, xmlReader.getAttributeCount());
        Objects.requireNonNull(xmlReader);
        range.mapToObj(xmlReader::getAttributeLocalName).filter(Predicate.not(Predicate.isEqual("xmlns").or(Predicate.isEqual("Signature")))).sorted().forEach(str -> {
            appendAttribute(str, xmlReader, byteArrayOutputStream);
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void appendAttribute(String str, XmlReader xmlReader, ByteArrayOutputStream byteArrayOutputStream) {
        appendString(utf8Bytes(str), byteArrayOutputStream);
        appendString(utf8Bytes(xmlReader.getAttributeValue(null, str)), byteArrayOutputStream);
    }

    private static void appendString(byte[] bArr, ByteArrayOutputStream byteArrayOutputStream) {
        byteArrayOutputStream.write(bArr.length);
        byteArrayOutputStream.write(bArr, 0, bArr.length);
    }

    private static byte[] decode(String str) {
        return Base64.getDecoder().decode(str);
    }

    private static byte[] extractPassword(byte[] bArr) {
        if (bArr.length == 0) {
            return emptyPwd;
        }
        return Arrays.copyOfRange(bArr, 8, bArr.length - (bArr[bArr.length - 1] & 255));
    }

    private static byte[] hashKeyringPwd(char[] cArr) {
        try {
            return pbkdf2WithHmacSha256(cArr, keyringSalt);
        } catch (GeneralSecurityException e) {
            throw new KnxSecureException("hashing keyring password", e);
        }
    }

    private static byte[] aes128Cbc(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        cipher.init(2, new SecretKeySpec(bArr2, "AES"), new IvParameterSpec(bArr3));
        return cipher.doFinal(bArr);
    }

    private static byte[] sha256(byte[] bArr) throws NoSuchAlgorithmException {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        messageDigest.update(bArr);
        return Arrays.copyOf(messageDigest.digest(), 16);
    }

    private static byte[] pbkdf2WithHmacSha256(char[] cArr, byte[] bArr) throws GeneralSecurityException {
        PBEKeySpec pBEKeySpec = new PBEKeySpec(cArr, bArr, 65536, 128);
        try {
            byte[] encoded = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(pBEKeySpec).getEncoded();
            pBEKeySpec.clearPassword();
            return encoded;
        } catch (Throwable th) {
            pBEKeySpec.clearPassword();
            throw th;
        }
    }

    private static byte[] utf8Bytes(String str) {
        return str.getBytes(StandardCharsets.UTF_8);
    }
}
