package io.cloudsoft.winrm4j.client.encryption;

import io.cloudsoft.winrm4j.client.PayloadEncryptionMode;
import io.cloudsoft.winrm4j.client.ntlm.NtlmKeys;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.function.Function;
import java.util.zip.CRC32;
import org.apache.cxf.interceptor.StaxOutInterceptor;
import org.apache.cxf.io.WriteOnCloseOutputStream;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.http.auth.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/cloudsoft/winrm4j/client/encryption/SignAndEncryptOutInterceptor.class */
public class SignAndEncryptOutInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Logger LOG = LoggerFactory.getLogger(SignAndEncryptOutInterceptor.class);
    public static final String APPLIED = SignAndEncryptOutInterceptor.class.getSimpleName() + ".APPLIED";
    public static final String ENCRYPTED_BOUNDARY_PREFIX = "--Encrypted Boundary";
    public static final String ENCRYPTED_BOUNDARY_CR = "--Encrypted Boundary\r\n";
    public static final String ENCRYPTED_BOUNDARY_END = "--Encrypted Boundary--\r\n";
    private final PayloadEncryptionMode payloadEncryptionMode;

    /* loaded from: input_file:io/cloudsoft/winrm4j/client/encryption/SignAndEncryptOutInterceptor$EncryptAndSignOutputStream.class */
    class EncryptAndSignOutputStream extends WriteOnCloseOutputStream {
        protected final Message message;
        private final OutputStream stream;
        CredentialsWithEncryption credentials;

        public EncryptAndSignOutputStream(Message message, OutputStream outputStream) {
            super(outputStream);
            this.message = message;
            this.stream = outputStream;
            Object obj = message.get(Credentials.class.getName());
            if (obj instanceof CredentialsWithEncryption) {
                this.credentials = (CredentialsWithEncryption) obj;
            }
        }

        public void resetOut(OutputStream outputStream, boolean z) throws IOException {
            if (SignAndEncryptOutInterceptor.this.payloadEncryptionMode.isPermitted() && this.credentials != null && this.credentials.isAuthenticated()) {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                super.resetOut(byteArrayOutputStream, z);
                outputStream.write(encryptAndSign(this.message, byteArrayOutputStream.toByteArray()));
                super.resetOut(outputStream, false);
                return;
            }
            if (SignAndEncryptOutInterceptor.this.payloadEncryptionMode.isRequired() && this.credentials == null) {
                throw new IllegalStateException("Encryption required but unavailable");
            }
            super.resetOut(outputStream, z);
        }

        protected byte[] encryptAndSign(Message message, byte[] bArr) {
            try {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                byteArrayOutputStream.write("--Encrypted Boundary\r\n".getBytes());
                byteArrayOutputStream.write("\tContent-Type: application/HTTP-SPNEGO-session-encrypted\r\n".getBytes());
                byteArrayOutputStream.write(("\tOriginalContent: type=application/soap+xml;charset=UTF-8;Length=" + bArr.length + "\r\n").getBytes());
                byteArrayOutputStream.write("--Encrypted Boundary\r\n".getBytes());
                byteArrayOutputStream.write("\tContent-Type: application/octet-stream\r\n".getBytes());
                writeNtlmEncrypted(bArr, byteArrayOutputStream);
                byteArrayOutputStream.write("--Encrypted Boundary--\r\n".getBytes());
                message.put("Content-Type", "multipart/encrypted;protocol=\"application/HTTP-SPNEGO-session-encrypted\";boundary=\"Encrypted Boundary\"");
                message.put(Message.ENCODING, (Object) null);
                return byteArrayOutputStream.toByteArray();
            } catch (Exception e) {
                throw new IllegalStateException("Cannot encrypt WinRM message", e);
            }
        }

        private byte[] seal(byte[] bArr) {
            return this.credentials.getStatefulEncryptor().update(bArr);
        }

        private void writeNtlmEncrypted(byte[] bArr, ByteArrayOutputStream byteArrayOutputStream) throws IOException {
            long incrementAndGet = this.credentials.getSequenceNumberOutgoing().incrementAndGet();
            ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
            ByteArrayOutputStream byteArrayOutputStream3 = new ByteArrayOutputStream();
            byteArrayOutputStream3.write(seal(bArr));
            SignAndEncryptOutInterceptor.calculateSignature(bArr, incrementAndGet, byteArrayOutputStream2, this.credentials, (v0) -> {
                return v0.getClientSigningKey();
            }, this::seal);
            byteArrayOutputStream.write(ByteArrayUtils.getLittleEndianUnsignedInt(byteArrayOutputStream2.size()));
            byteArrayOutputStream.write(byteArrayOutputStream2.toByteArray());
            byteArrayOutputStream.write(byteArrayOutputStream3.toByteArray());
        }
    }

    public SignAndEncryptOutInterceptor(PayloadEncryptionMode payloadEncryptionMode) {
        super("pre-stream");
        addBefore(StaxOutInterceptor.class.getName());
        this.payloadEncryptionMode = payloadEncryptionMode;
    }

    public void handleMessage(Message message) {
        OutputStream outputStream = (OutputStream) message.getContent(OutputStream.class);
        if (message.containsKey(APPLIED)) {
            return;
        }
        message.put(APPLIED, Boolean.TRUE);
        if (outputStream == null) {
            throw new IllegalStateException("Encryption only supported with output streams");
        }
        message.setContent(OutputStream.class, new EncryptAndSignOutputStream(message, outputStream));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Type inference failed for: r1v16, types: [byte[], byte[][]] */
    public static void calculateSignature(byte[] bArr, long j, ByteArrayOutputStream byteArrayOutputStream, CredentialsWithEncryption credentialsWithEncryption, Function<CredentialsWithEncryption, byte[]> function, Function<byte[], byte[]> function2) throws IOException {
        if (credentialsWithEncryption.hasNegotiateFlag(NtlmKeys.NegotiateFlags.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)) {
            byte[] copyOfRange = Arrays.copyOfRange(WinrmEncryptionUtils.hmacMd5(function.apply(credentialsWithEncryption), ByteArrayUtils.concat(new byte[]{ByteArrayUtils.getLittleEndianUnsignedInt(j), bArr})), 0, 8);
            if (credentialsWithEncryption.hasNegotiateFlag(NtlmKeys.NegotiateFlags.NTLMSSP_NEGOTIATE_KEY_EXCH)) {
                copyOfRange = function2.apply(copyOfRange);
            }
            byteArrayOutputStream.write(new byte[]{1, 0, 0, 0});
            byteArrayOutputStream.write(copyOfRange);
            byteArrayOutputStream.write(ByteArrayUtils.getLittleEndianUnsignedInt(j));
            return;
        }
        CRC32 crc32 = new CRC32();
        crc32.update(bArr);
        long value = crc32.getValue();
        byteArrayOutputStream.write(new byte[]{1, 0, 0, 0});
        byteArrayOutputStream.write(function2.apply(ByteArrayUtils.getLittleEndianUnsignedInt(0L)));
        byteArrayOutputStream.write(function2.apply(ByteArrayUtils.getLittleEndianUnsignedInt(value)));
        byteArrayOutputStream.write(function2.apply(ByteArrayUtils.getLittleEndianUnsignedInt(j)));
    }
}
