package io.confluent.kafka.secretregistry.crypto;

import io.confluent.kafka.secretregistry.client.rest.entities.Secret;
import io.confluent.kafka.secretregistry.storage.SecretValue;
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/secretregistry/crypto/SecretTransformer.class */
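/**
 * Converts between the plaintext {@link Secret} entity and the stored {@link SecretValue},
 * delegating encryption, decryption and HMAC computation to a {@link Cryptor}.
 *
 * <p>Plaintext handled here ends up in {@link String} instances (inside {@link Secret}), which
 * cannot be wiped from memory; callers should keep such objects short-lived and out of logs.
 */
public class SecretTransformer {
    private static final Logger logger = LoggerFactory.getLogger(SecretTransformer.class);
    private final Cryptor cryptor;

    /**
     * Builds a transformer whose {@link Cryptor} is created from the given key string, a
     * BouncyCastle FIPS provider instance and a fresh {@link SecureRandom}.
     *
     * @param str key material; its UTF-8 bytes are wrapped as an "AES" key
     * @return a new transformer
     * @throws NullPointerException if {@code str} is null
     * @throws IllegalArgumentException if {@code str} is empty
     */
    public static SecretTransformer getSecretTransformer(String str) {
        // The key is validated first, so a bad key fails before the JVM-wide provider list is touched.
        SecretKey secretKey = getSecretKey(str);
        return new SecretTransformer(new Cryptor(secretKey, getProvider(), new SecureRandom()));
    }

    /**
     * Creates a transformer around an existing {@link Cryptor}.
     *
     * @param cryptor the crypto delegate used by both {@code transform} overloads
     * @throws NullPointerException if {@code cryptor} is null
     */
    public SecretTransformer(Cryptor cryptor) {
        // Fail at construction rather than on the first encrypt/decrypt call.
        this.cryptor = Objects.requireNonNull(cryptor, "cryptor must not be null");
    }

    /**
     * Decrypts a stored value into its plaintext entity.
     *
     * @param secretValue the stored, encrypted value; may be null
     * @return a {@link Secret} with the same path, key and version and the decrypted payload
     *     decoded as UTF-8, or null if {@code secretValue} is null
     */
    public Secret transform(SecretValue secretValue) {
        if (secretValue == null) {
            return null;
        }
        // NOTE(review): decryption goes through the base cryptor, while encryption below uses
        // encryptionKeyDerivedFrom(path + "/" + key). Presumably the ciphertext carries what
        // Cryptor needs to select the derived key - confirm against Cryptor.
        // NOTE(review): the stored HMAC is not checked here; confirm that Cryptor.decrypt
        // authenticates the ciphertext or that integrity is verified elsewhere.
        return new Secret(
                secretValue.getPath(),
                secretValue.getKey(),
                secretValue.getVersion(),
                new String(this.cryptor.decrypt(secretValue.getEncrypted()), StandardCharsets.UTF_8));
    }

    /**
     * Encrypts a plaintext entity into its stored form.
     *
     * <p>The payload is encrypted with a key derived from {@code path + "/" + key}, an HMAC is
     * computed over the plaintext bytes, the sixth constructor argument is passed as null, and
     * the current wall-clock time in milliseconds is recorded.
     *
     * @param secret the plaintext entity; may be null
     * @return the corresponding {@link SecretValue}, or null if {@code secret} is null
     * @throws NullPointerException if {@code secret.getSecret()} is null
     */
    public SecretValue transform(Secret secret) {
        if (secret == null) {
            return null;
        }
        byte[] bytes = Objects.requireNonNull(secret.getSecret(), "secret payload must not be null")
                .getBytes(StandardCharsets.UTF_8);
        // NOTE(review): this context string is ambiguous if path or key may contain "/":
        // ("a/b", "c") and ("a", "b/c") both yield "a/b/c". Confirm the inputs are validated
        // upstream. Changing the format here may make existing stored values undecryptable.
        String derivationContext = secret.getPath() + "/" + secret.getKey();
        // NOTE(review): the HMAC covers the plaintext and is computed by the base cryptor. If it
        // is deterministic under one key, equal secrets stored at different paths would carry
        // equal HMACs - confirm that this is intended.
        return new SecretValue(
                secret.getPath(),
                secret.getKey(),
                secret.getVersion(),
                this.cryptor.encryptionKeyDerivedFrom(derivationContext).encrypt(bytes),
                this.cryptor.computeHmac(bytes),
                null,
                Long.valueOf(System.currentTimeMillis()));
    }

    /**
     * Returns a BouncyCastle FIPS provider, registering one with the JVM if none is registered
     * under that name yet.
     *
     * <p>A new provider instance is constructed on every call and is the one returned, even when
     * a provider with the same name was already registered. {@link Security#addProvider} changes
     * the JVM-wide provider list.
     */
    private static Provider getProvider() {
        BouncyCastleFipsProvider bouncyCastleFipsProvider = new BouncyCastleFipsProvider();
        if (Security.getProvider(bouncyCastleFipsProvider.getName()) == null) {
            logger.debug("Registering new crypto provider {}", bouncyCastleFipsProvider.getName());
            Security.addProvider(bouncyCastleFipsProvider);
        }
        return bouncyCastleFipsProvider;
    }

    /**
     * Wraps the UTF-8 bytes of the given string as an "AES" {@link SecretKey}.
     *
     * <p>NOTE(review): no key derivation or length check is visible here, so the key's length and
     * entropy are whatever the configured string provides. Confirm that Cryptor derives working
     * keys from it or that configuration enforces a strong value.
     *
     * @throws NullPointerException if {@code str} is null
     * @throws IllegalArgumentException if {@code str} is empty
     */
    private static SecretKey getSecretKey(String str) {
        Objects.requireNonNull(str, "secret key string must not be null");
        byte[] keyBytes = str.getBytes(StandardCharsets.UTF_8);
        if (keyBytes.length == 0) {
            // Same exception type SecretKeySpec would throw, but with a message naming the cause.
            throw new IllegalArgumentException("secret key string must not be empty");
        }
        try {
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            // SecretKeySpec copies the array, so the transient copy can be wiped. The source
            // String itself still holds the key and cannot be cleared.
            Arrays.fill(keyBytes, (byte) 0);
        }
    }
}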
