package org.apache.nifi.processors.cipher;

import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import org.apache.nifi.annotation.behavior.InputRequirement;
import org.apache.nifi.annotation.behavior.SideEffectFree;
import org.apache.nifi.annotation.behavior.SupportsBatching;
import org.apache.nifi.annotation.behavior.WritesAttribute;
import org.apache.nifi.annotation.behavior.WritesAttributes;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.cipher.compatibility.CompatibilityModeEncryptionScheme;
import org.apache.nifi.processors.cipher.compatibility.CompatibilityModeKeyDerivationStrategy;
import org.apache.nifi.processors.cipher.io.DecryptStreamCallback;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

@CapabilityDescription("Decrypt content using password-based encryption schemes with legacy algorithms supporting historical compatibility modes.")
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@SupportsBatching
@Tags({"cryptography", "decipher", "decrypt", "Jasypt", "OpenSSL", "PKCS5", "PBES1"})
@WritesAttributes({@WritesAttribute(attribute = "pbe.scheme", description = "Password-Based Encryption Scheme"), @WritesAttribute(attribute = "pbe.symmetric.cipher", description = "Password-Based Encryption Block Cipher"), @WritesAttribute(attribute = "pbe.digest.algorithm", description = "Password-Based Encryption Digest Algorithm")})
@SideEffectFree
/* loaded from: input_file:org/apache/nifi/processors/cipher/DecryptContentCompatibility.class */
public class DecryptContentCompatibility extends AbstractProcessor {
    static final PropertyDescriptor ENCRYPTION_SCHEME = new PropertyDescriptor.Builder().name("encryption-scheme").displayName("Encryption Scheme").description("Password-Based Encryption Scheme including PBES1 described in RFC 8018, and others defined according to PKCS12 and Bouncy Castle implementations").required(true).allowableValues(CompatibilityModeEncryptionScheme.class).build();
    static final PropertyDescriptor KEY_DERIVATION_STRATEGY = new PropertyDescriptor.Builder().name("key-derivation-strategy").displayName("Key Derivation Strategy").description("Strategy for reading salt from encoded contents and deriving the decryption key according to the number of function iterations").required(true).allowableValues(CompatibilityModeKeyDerivationStrategy.class).build();
    static final PropertyDescriptor PASSWORD = new PropertyDescriptor.Builder().name("password").displayName("Password").description("Password required for Password-Based Encryption Schemes").required(true).sensitive(true).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    static final Relationship SUCCESS = new Relationship.Builder().name("success").description("Decryption succeeded").build();
    static final Relationship FAILURE = new Relationship.Builder().name("failure").description("Decryption failed").build();
    private static final List<PropertyDescriptor> DESCRIPTORS = Collections.unmodifiableList(Arrays.asList(ENCRYPTION_SCHEME, KEY_DERIVATION_STRATEGY, PASSWORD));
    private static final Set<Relationship> RELATIONSHIPS = Collections.unmodifiableSet(new HashSet(Arrays.asList(SUCCESS, FAILURE)));
    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();

    /* loaded from: input_file:org/apache/nifi/processors/cipher/DecryptContentCompatibility$DecryptCallback.class */
    private static class DecryptCallback extends DecryptStreamCallback {
        private final String cipherAlgorithm;
        private final int cipherBlockSize;
        private final PBEKeySpec keySpec;
        private final CompatibilityModeKeyDerivationStrategy keyDerivationStrategy;
        private static final int BLOCK_SIZE_UNDEFINED = 0;
        private static final byte[] EMPTY_SALT = new byte[BLOCK_SIZE_UNDEFINED];

        private DecryptCallback(Cipher cipher, PBEKeySpec pBEKeySpec, CompatibilityModeKeyDerivationStrategy compatibilityModeKeyDerivationStrategy) {
            super(cipher, compatibilityModeKeyDerivationStrategy.getSaltBufferLength());
            this.cipherAlgorithm = cipher.getAlgorithm();
            this.cipherBlockSize = cipher.getBlockSize();
            this.keySpec = pBEKeySpec;
            this.keyDerivationStrategy = compatibilityModeKeyDerivationStrategy;
        }

        @Override // org.apache.nifi.processors.cipher.io.DecryptStreamCallback
        protected Key getKey(AlgorithmParameterSpec algorithmParameterSpec) {
            try {
                return getSecretKeyFactory().generateSecret(this.keySpec);
            } catch (InvalidKeySpecException e) {
                throw new CipherException(String.format("Generate Secret Key Algorithm [%s] invalid specification", this.cipherAlgorithm), e);
            }
        }

        @Override // org.apache.nifi.processors.cipher.io.DecryptStreamCallback
        protected AlgorithmParameterSpec readAlgorithmParameterSpec(ByteBuffer byteBuffer) {
            return new PBEParameterSpec(readSalt(byteBuffer), this.keyDerivationStrategy.getIterations());
        }

        private byte[] readSalt(ByteBuffer byteBuffer) {
            return CompatibilityModeKeyDerivationStrategy.OPENSSL_EVP_BYTES_TO_KEY == this.keyDerivationStrategy ? readSaltOpenSsl(byteBuffer) : readSaltStandard(byteBuffer);
        }

        private byte[] readSaltOpenSsl(ByteBuffer byteBuffer) {
            byte[] bArr;
            byte[] bArr2 = new byte[this.keyDerivationStrategy.getSaltHeader().length];
            byteBuffer.get(bArr2);
            if (MessageDigest.isEqual(this.keyDerivationStrategy.getSaltHeader(), bArr2)) {
                bArr = new byte[this.keyDerivationStrategy.getSaltStandardLength()];
                byteBuffer.get(bArr);
            } else {
                bArr = EMPTY_SALT;
                byteBuffer.rewind();
            }
            return bArr;
        }

        private byte[] readSaltStandard(ByteBuffer byteBuffer) {
            byte[] bArr = new byte[this.cipherBlockSize == 0 ? this.keyDerivationStrategy.getSaltStandardLength() : this.cipherBlockSize];
            byteBuffer.get(bArr);
            return bArr;
        }

        private SecretKeyFactory getSecretKeyFactory() {
            try {
                return SecretKeyFactory.getInstance(this.cipherAlgorithm, (Provider) DecryptContentCompatibility.BOUNCY_CASTLE_PROVIDER);
            } catch (NoSuchAlgorithmException e) {
                throw new CipherException(String.format("Secret Key Factory Algorithm [%s] not found", this.cipherAlgorithm), e);
            }
        }
    }

    public List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return DESCRIPTORS;
    }

    public Set<Relationship> getRelationships() {
        return RELATIONSHIPS;
    }

    public void onTrigger(ProcessContext processContext, ProcessSession processSession) {
        FlowFile flowFile = processSession.get();
        if (flowFile == null) {
            return;
        }
        String value = processContext.getProperty(ENCRYPTION_SCHEME).getValue();
        CompatibilityModeEncryptionScheme encryptionScheme = getEncryptionScheme(value);
        DecryptCallback decryptCallback = new DecryptCallback(getCipher(value), new PBEKeySpec(processContext.getProperty(PASSWORD).getValue().toCharArray()), CompatibilityModeKeyDerivationStrategy.valueOf(processContext.getProperty(KEY_DERIVATION_STRATEGY).getValue()));
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        linkedHashMap.put("pbe.scheme", encryptionScheme.getValue());
        linkedHashMap.put("pbe.symmetric.cipher", encryptionScheme.getSymmetricCipher().getValue());
        linkedHashMap.put("pbe.digest.algorithm", encryptionScheme.getDigestAlgorithm().getValue());
        try {
            flowFile = processSession.putAllAttributes(processSession.write(flowFile, decryptCallback), linkedHashMap);
            getLogger().debug("Decryption completed using [{}] {}", new Object[]{value, flowFile});
            processSession.transfer(flowFile, SUCCESS);
        } catch (RuntimeException e) {
            getLogger().error("Decryption failed using [{}] {}", new Object[]{value, flowFile, e});
            processSession.transfer(flowFile, FAILURE);
        }
    }

    private CompatibilityModeEncryptionScheme getEncryptionScheme(String str) {
        return (CompatibilityModeEncryptionScheme) Arrays.stream(CompatibilityModeEncryptionScheme.values()).filter(compatibilityModeEncryptionScheme -> {
            return compatibilityModeEncryptionScheme.getValue().equals(str);
        }).findFirst().orElseThrow(() -> {
            return new IllegalArgumentException(String.format("Encryption Scheme [%s] not found", str));
        });
    }

    private Cipher getCipher(String str) {
        try {
            return Cipher.getInstance(str, (Provider) BOUNCY_CASTLE_PROVIDER);
        } catch (GeneralSecurityException e) {
            throw new CipherException(String.format("Cipher [%s] not found", str), e);
        }
    }
}
