package com.orientechnologies.orient.core.encryption.impl;

import com.orientechnologies.common.exception.OException;
import com.orientechnologies.common.thread.NonDaemonThreadFactory;
import com.orientechnologies.orient.core.config.OGlobalConfiguration;
import com.orientechnologies.orient.core.encryption.OEncryption;
import com.orientechnologies.orient.core.exception.OInvalidStorageEncryptionKeyException;
import com.orientechnologies.orient.core.exception.OSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.crypto.AEADBadTagException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/orientechnologies/orient/core/encryption/impl/OAESGCMEncryption.class */
public class OAESGCMEncryption implements OEncryption {
    public static final String NAME = "aes/gcm";
    private static final String ALGORITHM_NAME = "AES";
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final ThreadLocal<Cipher> CIPHER = ThreadLocal.withInitial(OAESGCMEncryption::getCipherInstance);
    private static final int GCM_NONCE_SIZE_IN_BYTES = 12;
    private static final int GCM_TAG_SIZE_IN_BYTES = 16;
    private static final int MIN_CIPHERTEXT_SIZE = 28;
    private static final String NO_SUCH_CIPHER = "AES/GCM/NoPadding not supported.";
    private static final String MISSING_KEY_ERROR = "AESGCMEncryption encryption has been selected, but no key was found. Please configure it by passing the key as property at database create/open. The property key is: '%s'";
    private static final String INVALID_KEY_ERROR = "Failed to initialize AESGCMEncryption. Assure the key is a 128, 192 or 256 bits long BASE64 value";
    private static final String ENCRYPTION_NOT_INITIALIZED_ERROR = "OAESGCMEncryption not properly initialized";
    private static final String AUTHENTICATION_ERROR = "Authentication of encrypted data failed. The encrypted data may have been altered or the used key is incorrect";
    private static final String INVALID_CIPHERTEXT_SIZE_ERROR = "Invalid ciphertext size: minimum: %d, actual: %d";
    private static final String INVALID_RANGE_ERROR = "Invalid range: array size: %d, offset: %d, length: %d";
    private static final String BLOCKING_SECURE_RANDOM_ERROR = "SecureRandom blocked while retrieving randomness. This maybe caused by a misconfigured or absent random source on your operating system.";
    private boolean initialized;
    private SecretKey key;
    private SecureRandom csprng;

    @Override // com.orientechnologies.orient.core.encryption.OEncryption
    public String name() {
        return NAME;
    }

    @Override // com.orientechnologies.orient.core.encryption.OEncryption
    public OEncryption configure(String str) {
        this.initialized = false;
        this.key = createKey(str);
        this.csprng = createSecureRandom();
        getCipherInstance();
        this.initialized = true;
        return this;
    }

    @Override // com.orientechnologies.orient.core.encryption.OEncryption
    public byte[] encrypt(byte[] bArr) {
        return encrypt(bArr, 0, bArr.length);
    }

    @Override // com.orientechnologies.orient.core.encryption.OEncryption
    public byte[] decrypt(byte[] bArr) {
        return decrypt(bArr, 0, bArr.length);
    }

    @Override // com.orientechnologies.orient.core.encryption.OEncryption
    public byte[] encrypt(byte[] bArr, int i, int i2) {
        assertInitialized();
        assertRangeIsValid(bArr.length, i, i2);
        byte[] randomNonce = randomNonce();
        Cipher andInitializeCipher = getAndInitializeCipher(1, randomNonce);
        byte[] copyOf = Arrays.copyOf(randomNonce, 12 + andInitializeCipher.getOutputSize(i2));
        try {
            andInitializeCipher.doFinal(bArr, i, i2, copyOf, 12);
            return copyOf;
        } catch (BadPaddingException | IllegalBlockSizeException | ShortBufferException e) {
            throw new IllegalStateException("Unexpected exception during GCM decryption.", e);
        }
    }

    @Override // com.orientechnologies.orient.core.encryption.OEncryption
    public byte[] decrypt(byte[] bArr, int i, int i2) {
        assertInitialized();
        assertRangeIsValid(bArr.length, i, i2);
        assertCiphertextSizeIsValid(i2);
        try {
            return getAndInitializeCipher(2, readNonce(bArr)).doFinal(bArr, i + 12, i2 - 12);
        } catch (AEADBadTagException e) {
            throw OException.wrapException(new OSecurityException(AUTHENTICATION_ERROR), e);
        } catch (BadPaddingException | IllegalBlockSizeException e2) {
            throw new IllegalStateException("Unexpected exception during GCM decryption.", e2);
        }
    }

    private SecretKey createKey(String str) {
        if (str == null) {
            throw new OSecurityException(String.format(MISSING_KEY_ERROR, OGlobalConfiguration.STORAGE_ENCRYPTION_KEY.getKey()));
        }
        try {
            byte[] decode = Base64.getDecoder().decode(str.getBytes());
            validateKeySize(decode.length);
            return new SecretKeySpec(decode, ALGORITHM_NAME);
        } catch (IllegalArgumentException e) {
            throw OException.wrapException(new OInvalidStorageEncryptionKeyException(INVALID_KEY_ERROR), e);
        }
    }

    private SecureRandom createSecureRandom() {
        SecureRandom secureRandom = new SecureRandom();
        assertNonBlocking(secureRandom);
        return secureRandom;
    }

    private void validateKeySize(int i) {
        if (i != 16 && i != 24 && i != 32) {
            throw new OInvalidStorageEncryptionKeyException(INVALID_KEY_ERROR);
        }
    }

    private void assertInitialized() {
        if (!this.initialized) {
            throw new OSecurityException(ENCRYPTION_NOT_INITIALIZED_ERROR);
        }
    }

    private void assertRangeIsValid(int i, int i2, int i3) {
        if (i2 >= i || i2 + i3 > i) {
            throw new IllegalArgumentException(String.format(INVALID_RANGE_ERROR, Integer.valueOf(i), Integer.valueOf(i2), Integer.valueOf(i3)));
        }
    }

    private void assertCiphertextSizeIsValid(int i) {
        if (i < 28) {
            throw new OSecurityException(String.format(INVALID_CIPHERTEXT_SIZE_ERROR, 28, Integer.valueOf(i)));
        }
    }

    private byte[] randomNonce() {
        byte[] bArr = new byte[12];
        this.csprng.nextBytes(bArr);
        return bArr;
    }

    private byte[] readNonce(byte[] bArr) {
        return Arrays.copyOf(bArr, 12);
    }

    private Cipher getAndInitializeCipher(int i, byte[] bArr) {
        try {
            Cipher cipher = CIPHER.get();
            cipher.init(i, this.key, gcmParameterSpec(bArr));
            return cipher;
        } catch (InvalidAlgorithmParameterException e) {
            throw new IllegalArgumentException("Invalid or re-used nonce.", e);
        } catch (InvalidKeyException e2) {
            throw OException.wrapException(new OInvalidStorageEncryptionKeyException(e2.getMessage()), e2);
        }
    }

    private void assertNonBlocking(SecureRandom secureRandom) {
        ExecutorService newSingleThreadExecutor = Executors.newSingleThreadExecutor(new NonDaemonThreadFactory("OAESGCMEncryption thread"));
        try {
            try {
                try {
                    newSingleThreadExecutor.submit(() -> {
                        return Integer.valueOf(secureRandom.nextInt());
                    }).get(1L, TimeUnit.MINUTES);
                    newSingleThreadExecutor.shutdownNow();
                } catch (TimeoutException e) {
                    throw new OSecurityException(BLOCKING_SECURE_RANDOM_ERROR);
                }
            } catch (InterruptedException | ExecutionException e2) {
                throw new IllegalStateException(e2);
            }
        } catch (Throwable th) {
            newSingleThreadExecutor.shutdownNow();
            throw th;
        }
    }

    private GCMParameterSpec gcmParameterSpec(byte[] bArr) {
        return new GCMParameterSpec(128, bArr);
    }

    private static Cipher getCipherInstance() {
        try {
            return Cipher.getInstance(TRANSFORMATION);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw OException.wrapException(new OSecurityException(NO_SUCH_CIPHER), e);
        }
    }
}
