package org.apache.iceberg.encryption;

import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;

/* loaded from: input_file:org/apache/iceberg/encryption/Ciphers.class */
public class Ciphers {
    public static final int PLAIN_BLOCK_SIZE = 1048576;
    public static final int NONCE_LENGTH = 12;
    public static final int GCM_TAG_LENGTH = 16;
    public static final int CIPHER_BLOCK_SIZE = 1048604;
    private static final int GCM_TAG_LENGTH_BITS = 128;
    public static final String GCM_STREAM_MAGIC_STRING = "AGS1";
    static final byte[] GCM_STREAM_MAGIC_ARRAY = GCM_STREAM_MAGIC_STRING.getBytes(StandardCharsets.UTF_8);
    static final ByteBuffer GCM_STREAM_MAGIC = ByteBuffer.wrap(GCM_STREAM_MAGIC_ARRAY).asReadOnlyBuffer();
    static final int GCM_STREAM_HEADER_LENGTH = GCM_STREAM_MAGIC_ARRAY.length + 4;
    static final int MIN_STREAM_LENGTH = (GCM_STREAM_HEADER_LENGTH + 12) + 16;

    /* loaded from: input_file:org/apache/iceberg/encryption/Ciphers$AesGcmDecryptor.class */
    public static class AesGcmDecryptor {
        private final SecretKeySpec aesKey;
        private final Cipher cipher = Ciphers.access$100();

        public AesGcmDecryptor(byte[] bArr) {
            this.aesKey = Ciphers.newKey(bArr);
        }

        public byte[] decrypt(byte[] bArr, byte[] bArr2) {
            return decrypt(bArr, 0, bArr.length, bArr2);
        }

        public byte[] decrypt(byte[] bArr, int i, int i2, byte[] bArr2) {
            byte[] bArr3 = new byte[(i2 - 16) - 12];
            decrypt(bArr, i, i2, bArr3, 0, bArr2);
            return bArr3;
        }

        public int decrypt(byte[] bArr, int i, int i2, byte[] bArr2, int i3, byte[] bArr3) {
            Preconditions.checkState((i2 - 16) - 12 >= 0, "Cannot decrypt cipher text of length " + bArr.length + " because text must longer than GCM_TAG_LENGTH + NONCE_LENGTH bytes. Text may not be encrypted with AES GCM cipher");
            try {
                this.cipher.init(2, this.aesKey, new GCMParameterSpec(Ciphers.GCM_TAG_LENGTH_BITS, bArr, i, 12));
                if (null != bArr3) {
                    this.cipher.updateAAD(bArr3);
                }
                return this.cipher.doFinal(bArr, i + 12, i2 - 12, bArr2, i3);
            } catch (AEADBadTagException e) {
                throw new RuntimeException("GCM tag check failed. Possible reasons: wrong decryption key; or corrupt/tampered data. AES GCM doesn't differentiate between these two.", e);
            } catch (GeneralSecurityException e2) {
                throw new RuntimeException("Failed to decrypt", e2);
            }
        }
    }

    /* loaded from: input_file:org/apache/iceberg/encryption/Ciphers$AesGcmEncryptor.class */
    public static class AesGcmEncryptor {
        private final SecretKeySpec aesKey;
        private final Cipher cipher = Ciphers.access$100();
        private final SecureRandom randomGenerator = new SecureRandom();
        private final byte[] nonce = new byte[12];

        public AesGcmEncryptor(byte[] bArr) {
            this.aesKey = Ciphers.newKey(bArr);
        }

        public byte[] encrypt(byte[] bArr, byte[] bArr2) {
            return encrypt(bArr, 0, bArr.length, bArr2);
        }

        public byte[] encrypt(byte[] bArr, int i, int i2, byte[] bArr2) {
            byte[] bArr3 = new byte[12 + i2 + 16];
            encrypt(bArr, i, i2, bArr3, 0, bArr2);
            return bArr3;
        }

        public int encrypt(byte[] bArr, int i, int i2, byte[] bArr2, int i3, byte[] bArr3) {
            Preconditions.checkArgument(i2 >= 0, "Invalid plain text length: %s", i2);
            this.randomGenerator.nextBytes(this.nonce);
            try {
                this.cipher.init(1, this.aesKey, new GCMParameterSpec(Ciphers.GCM_TAG_LENGTH_BITS, this.nonce));
                if (null != bArr3) {
                    this.cipher.updateAAD(bArr3);
                }
                int doFinal = this.cipher.doFinal(bArr, i, i2, bArr2, i3 + 12);
                if (doFinal != i2 + 16) {
                    throw new RuntimeException("Failed to encrypt block: expected " + i2 + "16 encrypted bytes but produced bytes " + doFinal);
                }
                System.arraycopy(this.nonce, 0, bArr2, i3, 12);
                return doFinal + 12;
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Failed to encrypt", e);
            }
        }
    }

    private Ciphers() {
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static SecretKeySpec newKey(byte[] bArr) {
        Preconditions.checkArgument(bArr != null, "Invalid key: null");
        int length = bArr.length;
        Preconditions.checkArgument(length == 16 || length == 24 || length == 32, "Invalid key length: %s (must be 16, 24, or 32 bytes)", length);
        return new SecretKeySpec(bArr, "AES");
    }

    private static Cipher newCipher() {
        try {
            return Cipher.getInstance("AES/GCM/NoPadding");
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Failed to create GCM cipher", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] streamBlockAAD(byte[] bArr, int i) {
        byte[] array = ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN).putInt(i).array();
        if (null == bArr) {
            return array;
        }
        byte[] bArr2 = new byte[bArr.length + 4];
        System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
        System.arraycopy(array, 0, bArr2, bArr.length, 4);
        return bArr2;
    }

    static /* synthetic */ Cipher access$100() {
        return newCipher();
    }
}
