package keywhiz.service.crypto;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import io.dropwizard.jackson.Jackson;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.inject.Inject;
import keywhiz.auth.Subtles;
import keywhiz.hkdf.Hkdf;
import keywhiz.service.crypto.CryptoModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Encrypts and decrypts secret content with AES-GCM, using a separate key for each
 * derivation-info string.
 *
 * <p>What the code in this class establishes:
 * <ul>
 *   <li>Cipher: {@code AES/GCM/NoPadding} from the injected encryption provider, with a
 *       128-bit authentication tag.</li>
 *   <li>IV: 16 bytes drawn from the injected {@link SecureRandom} for every encryption and
 *       stored next to the ciphertext.</li>
 *   <li>Key: derived from the injected base key through {@code Hkdf.expand}, with the
 *       derivation info (UTF-8) as the HKDF info input. The requested length is the cipher's
 *       block size (16 bytes for AES).</li>
 *   <li>No additional authenticated data is passed to the cipher. The derivation info is
 *       tied to the ciphertext only through the derived key.</li>
 * </ul>
 *
 * <p>Plaintext crosses this API as Base64 text. Ciphertext is a JSON document, see
 * {@link Crypted}.
 *
 * <p>NOTE(review): NIST SP 800-38D recommends 96-bit IVs for GCM. This class generates
 * 16-byte IVs; confirm that is intentional. Decryption takes the IV from the envelope, so
 * the constant only governs newly written ciphertexts.
 *
 * <p>This listing is decompiler output. Where an access modifier looks wider than needed,
 * the decompiler widened it.
 */
public class ContentCryptographer {
    private static final String ENCRYPTION_ALGORITHM = "AES/GCM/NoPadding";
    private static final String KEY_ALGORITHM = "AES";
    private static final int TAG_BITS = 128;
    private static final int IV_BYTES = 16;

    private static final Logger logger = LoggerFactory.getLogger(ContentCryptographer.class);
    private static final ObjectMapper MAPPER = Jackson.newObjectMapper();

    // Base key material fed to HKDF; never used directly as a cipher key in this class.
    private final SecretKey key;
    private final Provider derivationProvider;
    private final Provider encryptionProvider;
    private final SecureRandom random;

    /**
     * Serialized envelope for one ciphertext: derivation info in clear, plus the
     * Base64-encoded ciphertext (with GCM tag, as returned by {@code Cipher.doFinal}) and IV.
     */
    public static abstract class Crypted {
        /** Builds an envelope from raw bytes, Base64-encoding the content and the IV. */
        static Crypted of(String derivationInfo, byte[] content, byte[] iv) {
            Base64.Encoder base64 = Base64.getEncoder();
            String encodedContent = base64.encodeToString(content);
            String encodedIv = base64.encodeToString(iv);
            return new AutoValue_ContentCryptographer_Crypted(derivationInfo, encodedContent, encodedIv);
        }

        /** Jackson entry point; the values are taken as they appear in the JSON (already Base64). */
        @JsonCreator
        static Crypted fromJson(
                @JsonProperty("derivationInfo") String derivationInfo,
                @JsonProperty("content") String content,
                @JsonProperty("iv") String iv) {
            return new AutoValue_ContentCryptographer_Crypted(derivationInfo, content, iv);
        }

        /** Derivation info the key was derived from; stored unencrypted. */
        @JsonProperty
        public abstract String derivationInfo();

        /** Base64 text of the ciphertext. */
        @JsonProperty
        public abstract String content();

        /** Base64 text of the IV. */
        @JsonProperty
        public abstract String iv();

        /** Decodes {@link #content()}; malformed Base64 raises {@link IllegalArgumentException}. */
        byte[] contentBytes() {
            String encoded = content();
            return Base64.getDecoder().decode(encoded);
        }

        /** Decodes {@link #iv()}; malformed Base64 raises {@link IllegalArgumentException}. */
        byte[] ivBytes() {
            String encoded = iv();
            return Base64.getDecoder().decode(encoded);
        }

        /** Renders only the derivation info; content and IV are replaced by a fixed marker. */
        @Override
        public String toString() {
            return MoreObjects.toStringHelper(this)
                    .add("derivationInfo", derivationInfo())
                    .add("content", "REDACTED")
                    .add("iv", "REDACTED")
                    .toString();
        }
    }

    /** Encrypts content under the key derived from one fixed derivation-info string. */
    public class Encrypter {
        private final String derivationInfo;

        private Encrypter(String derivationInfo) {
            this.derivationInfo = derivationInfo;
        }

        /**
         * Encrypts Base64-encoded plaintext and returns the JSON envelope.
         *
         * <p>After encrypting, the envelope is decrypted again and compared with the input.
         *
         * <p>NOTE(review): a round-trip mismatch is only logged at WARN level and the
         * envelope is still returned. A caller that must fail closed cannot rely on this
         * method to reject a bad ciphertext.
         *
         * @param str Base64 text of the plaintext
         * @return JSON serialization of the resulting {@link Crypted}
         * @throws IllegalArgumentException if {@code str} is not valid Base64
         * @throws RuntimeException wrapping a {@link JsonProcessingException} or a cipher failure
         */
        public String encrypt(String str) {
            final Base64.Decoder base64 = Base64.getDecoder();
            final byte[] plaintext = base64.decode(str);

            // Fresh random IV for every call.
            final byte[] iv = new byte[IV_BYTES];
            ContentCryptographer.this.random.nextBytes(iv);

            final byte[] ciphertext = gcm(Mode.ENCRYPT, derivationInfo, iv, plaintext);
            final Crypted envelope = Crypted.of(derivationInfo, ciphertext, iv);

            final String serialized;
            try {
                serialized = MAPPER.writeValueAsString(envelope);
            } catch (JsonProcessingException e) {
                throw new RuntimeException(e);
            }

            // Self-check. Subtles.secureCompare is presumably a constant-time comparison;
            // confirm in keywhiz.auth.Subtles. Only the derivation info is logged, never
            // the plaintext.
            final byte[] roundTripped = base64.decode(decrypt(serialized));
            if (!Subtles.secureCompare(roundTripped, plaintext)) {
                logger.warn("Decryption of (just encrypted) data does not match original! [name={}]", derivationInfo);
            }
            return serialized;
        }
    }

    /** Direction of a cipher operation, carrying the matching {@link Cipher} opmode constant. */
    public enum Mode {
        ENCRYPT(Cipher.ENCRYPT_MODE),
        DECRYPT(Cipher.DECRYPT_MODE);

        public final int cipherMode;

        Mode(int cipherMode) {
            this.cipherMode = cipherMode;
        }
    }

    /**
     * @param secretKey base key from which per-secret keys are derived
     * @param provider security provider handed to HKDF
     * @param provider2 security provider used for the AES-GCM cipher
     * @param secureRandom source of IV bytes
     */
    @Inject
    public ContentCryptographer(@CryptoModule.Derivation SecretKey secretKey, @CryptoModule.Derivation Provider provider, @CryptoModule.Encryption Provider provider2, SecureRandom secureRandom) {
        this.random = secureRandom;
        this.encryptionProvider = provider2;
        this.derivationProvider = provider;
        this.key = secretKey;
    }

    /**
     * Returns an {@link Encrypter} bound to the given derivation info.
     *
     * @param str derivation info; must not be empty
     * @throws IllegalArgumentException if {@code str} is empty
     */
    public Encrypter encryptionKeyDerivedFrom(String str) {
        boolean hasInfo = !str.isEmpty();
        Preconditions.checkArgument(hasInfo);
        return new Encrypter(str);
    }

    /**
     * Decrypts a JSON envelope produced by {@link Encrypter#encrypt(String)}.
     *
     * <p>The derivation info and IV come from the envelope itself. A GCM tag mismatch
     * ({@code AEADBadTagException}, a {@link BadPaddingException}) is wrapped by
     * {@link #gcm} in a {@link RuntimeException}. Callers should treat that as tampered or
     * corrupted data.
     *
     * @param str JSON serialization of a {@link Crypted}
     * @return Base64 text of the recovered plaintext
     * @throws IllegalArgumentException if the JSON cannot be deserialized
     */
    public String decrypt(String str) {
        final Crypted envelope;
        try {
            envelope = MAPPER.readValue(str, Crypted.class);
        } catch (IOException e) {
            throw new IllegalArgumentException("Cannot deserialize Crypted json", e);
        }
        byte[] plaintext = gcm(Mode.DECRYPT, envelope.derivationInfo(), envelope.ivBytes(), envelope.contentBytes());
        return Base64.getEncoder().encodeToString(plaintext);
    }

    /**
     * Derives the AES key for one derivation-info string via {@code Hkdf.expand}.
     * The third argument is presumably the output length in bytes; confirm against
     * keywhiz.hkdf.Hkdf.
     */
    private SecretKey deriveKey(int keyLength, String info) {
        byte[] derived = Hkdf.usingProvider(derivationProvider)
                .expand(key, info.getBytes(StandardCharsets.UTF_8), keyLength);
        return new SecretKeySpec(derived, KEY_ALGORITHM);
    }

    /**
     * Runs one AES-GCM operation under the key derived from {@code str}.
     *
     * @param mode encrypt or decrypt
     * @param str derivation info used to derive the key
     * @param bArr IV
     * @param bArr2 input bytes: plaintext when encrypting, ciphertext when decrypting
     * @return output of {@code Cipher.doFinal}
     * @throws RuntimeException wrapping any checked JCA exception, including a failed tag check
     */
    public byte[] gcm(Mode mode, String str, byte[] bArr, byte[] bArr2) {
        try {
            Cipher aesGcm = Cipher.getInstance(ENCRYPTION_ALGORITHM, encryptionProvider);
            int opMode = mode.cipherMode;
            // Key length follows the cipher's block size.
            SecretKey perSecretKey = deriveKey(aesGcm.getBlockSize(), str);
            GCMParameterSpec gcmParams = new GCMParameterSpec(TAG_BITS, bArr);
            aesGcm.init(opMode, perSecretKey, gcmParams);
            return aesGcm.doFinal(bArr2);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException e) {
            throw new RuntimeException(e);
        }
    }
}
