package org.apache.nifi.provenance;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.security.kms.CryptoUtils;
import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/provenance/AESProvenanceEventEncryptor.class */
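/**
 * Encrypts and decrypts serialized provenance event records with AES-GCM.
 *
 * <p>An encrypted record produced by {@link #encrypt(byte[], String, String)} is laid out as
 * {@code SENTINEL (1 byte) || Java-serialized EncryptionMetadata || ciphertext}. On decryption the
 * metadata is read back from the front of the record, and the ciphertext is taken as the trailing
 * {@code EncryptionMetadata.cipherByteLength} bytes.
 *
 * <p>Keys are resolved by key ID through the {@link KeyProvider} supplied to
 * {@link #initialize(KeyProvider)}; the instance is not usable for encryption or decryption
 * before that call.
 */
public class AESProvenanceEventEncryptor implements ProvenanceEventEncryptor {
    private static final Logger logger = LoggerFactory.getLogger(AESProvenanceEventEncryptor.class);

    // Smallest record (in bytes) that can possibly hold the sentinel plus serialized metadata
    private static final int MIN_METADATA_LENGTH = 22;
    // A 128-bit IV is part of the on-disk format; NIST SP 800-38D recommends 96-bit GCM nonces,
    // so changing this value would change the format of every record written so far
    private static final int IV_LENGTH = 16;
    // Not referenced in this class; kept for compatibility with code that may read it
    private static final byte[] EMPTY_IV = new byte[IV_LENGTH];
    private static final String VERSION = "v1";
    private static final List<String> SUPPORTED_VERSIONS = Arrays.asList(VERSION);
    private static final String ALGORITHM = "AES/GCM/NoPadding";
    // Not referenced in this class; kept for compatibility with code that may read it
    private static final int METADATA_DEFAULT_LENGTH = (((20 + ALGORITHM.length()) + IV_LENGTH) + VERSION.length()) * 2;
    // Single marker byte written at the front of every encrypted record
    private static final byte[] SENTINEL = {1};
    // SecureRandom is thread-safe; one instance avoids re-seeding on every encrypt() call
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    private KeyProvider keyProvider;
    private AESKeyedCipherProvider aesKeyedCipherProvider = new AESKeyedCipherProvider();

    /**
     * Stores the key provider and makes sure the BouncyCastle JCE provider is registered.
     *
     * @param keyProvider source of keys, looked up by key ID during encrypt/decrypt
     * @throws KeyManagementException declared by the interface; not thrown by this implementation
     */
    @Override // org.apache.nifi.provenance.ProvenanceEventEncryptor
    public void initialize(KeyProvider keyProvider) throws KeyManagementException {
        this.keyProvider = keyProvider;
        // Only null if setCipherProvider(null) was called; restore the default provider
        if (this.aesKeyedCipherProvider == null) {
            this.aesKeyedCipherProvider = new AESKeyedCipherProvider();
        }
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Replaces the cipher provider. Package-private; presumably used to inject a provider in tests.
     *
     * @param cipherProvider the provider to use for subsequent cipher initialization
     */
    void setCipherProvider(AESKeyedCipherProvider cipherProvider) {
        this.aesKeyedCipherProvider = cipherProvider;
    }

    /**
     * Encrypts a serialized provenance record under the key identified by {@code keyId}.
     *
     * @param plainRecord the serialized record to encrypt
     * @param recordId identifier used only in log messages
     * @param keyId ID of the key to encrypt with; must be known to the key provider
     * @return {@code SENTINEL || serialized EncryptionMetadata || ciphertext}
     * @throws EncryptionException if an argument is missing, the key is unavailable, or the
     *     cipher, serialization or key lookup fails
     */
    @Override // org.apache.nifi.provenance.ProvenanceEventEncryptor
    public byte[] encrypt(byte[] plainRecord, String recordId, String keyId) throws EncryptionException {
        if (plainRecord == null || CryptoUtils.isEmpty(keyId)) {
            throw new EncryptionException("The provenance record and key ID cannot be missing");
        }
        if (this.keyProvider == null || !this.keyProvider.keyExists(keyId)) {
            throw new EncryptionException("The requested key ID is not available");
        }
        // A fresh random IV per record: reusing a GCM nonce under the same key destroys both
        // confidentiality and the integrity guarantee of the authentication tag
        final byte[] ivBytes = new byte[IV_LENGTH];
        SECURE_RANDOM.nextBytes(ivBytes);
        try {
            logger.debug("Encrypting provenance record {} with key ID {}", recordId, keyId);
            final Cipher cipher = initCipher(EncryptionMethod.AES_GCM, Cipher.ENCRYPT_MODE, this.keyProvider.getKey(keyId), ivBytes);
            // Record the IV the cipher actually uses rather than the one we generated
            final byte[] iv = cipher.getIV();
            final byte[] cipherBytes = cipher.doFinal(plainRecord);
            final byte[] metadataBytes = serializeEncryptionMetadata(
                    new EncryptionMetadata(keyId, ALGORITHM, iv, VERSION, cipherBytes.length));
            logger.debug("Encrypted provenance event record {} with key ID {}", recordId, keyId);
            return CryptoUtils.concatByteArrays(new byte[][] {SENTINEL, metadataBytes, cipherBytes});
        } catch (IOException | KeyManagementException | BadPaddingException | IllegalBlockSizeException | EncryptionException e) {
            final String message = "Encountered an exception encrypting provenance record " + recordId;
            logger.error(message, e);
            throw new EncryptionException(message, e);
        }
    }

    /**
     * Java-serializes the metadata object so it can be prepended to the ciphertext.
     *
     * @param metadata the metadata to serialize
     * @return the serialized bytes
     * @throws IOException if serialization fails
     */
    private byte[] serializeEncryptionMetadata(EncryptionMetadata metadata) throws IOException {
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(metadata);
        }
        return buffer.toByteArray();
    }

    /**
     * Obtains an initialized cipher from the keyed cipher provider.
     *
     * @param encryptionMethod the algorithm to use
     * @param mode {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @param key the secret key
     * @param ivBytes the IV to initialize with
     * @return the initialized cipher
     * @throws EncryptionException if any argument is null or the provider fails to build the cipher
     */
    private Cipher initCipher(EncryptionMethod encryptionMethod, int mode, SecretKey key, byte[] ivBytes) throws EncryptionException {
        try {
            if (encryptionMethod == null || key == null || ivBytes == null) {
                throw new IllegalArgumentException("Missing critical information");
            }
            return this.aesKeyedCipherProvider.getCipher(encryptionMethod, key, ivBytes, mode == Cipher.ENCRYPT_MODE);
        } catch (Exception e) {
            // Broad catch retained: the provider's checked exception types are not visible here
            logger.error("Encountered an exception initializing the cipher", e);
            throw new EncryptionException(e);
        }
    }

    /**
     * Decrypts a record produced by {@link #encrypt(byte[], String, String)}.
     *
     * @param encryptedRecord {@code SENTINEL || serialized EncryptionMetadata || ciphertext}
     * @param recordId identifier used only in log messages
     * @return the plaintext record
     * @throws EncryptionException if the record is missing or malformed, its version is not
     *     supported, the key is unavailable, or decryption (including GCM tag verification,
     *     surfaced as {@link BadPaddingException}) fails
     */
    @Override // org.apache.nifi.provenance.ProvenanceEventEncryptor
    public byte[] decrypt(byte[] encryptedRecord, String recordId) throws EncryptionException {
        if (encryptedRecord == null) {
            throw new EncryptionException("The encrypted provenance record cannot be missing");
        }
        final EncryptionMetadata metadata;
        try {
            metadata = extractEncryptionMetadata(encryptedRecord);
        } catch (IOException | ClassNotFoundException e) {
            logger.error("Encountered an error reading the encryption metadata: ", e);
            throw new EncryptionException("Encountered an error reading the encryption metadata: ", e);
        }
        if (!SUPPORTED_VERSIONS.contains(metadata.version)) {
            throw new EncryptionException("The event was encrypted with version " + metadata.version
                    + " which is not in the list of supported versions " + StringUtils.join(SUPPORTED_VERSIONS, ","));
        }
        // Check for an empty key ID before asking the provider about it
        if (CryptoUtils.isEmpty(metadata.keyId) || this.keyProvider == null || !this.keyProvider.keyExists(metadata.keyId)) {
            throw new EncryptionException("The requested key ID " + metadata.keyId + " is not available");
        }
        try {
            logger.debug("Decrypting provenance record {} with key ID {}", recordId, metadata.keyId);
            final Cipher cipher = initCipher(EncryptionMethod.forAlgorithm(metadata.algorithm), Cipher.DECRYPT_MODE,
                    this.keyProvider.getKey(metadata.keyId), metadata.ivBytes);
            final byte[] plainRecord = cipher.doFinal(extractCipherBytes(encryptedRecord, metadata));
            logger.debug("Decrypted provenance event record {} with key ID {}", recordId, metadata.keyId);
            return plainRecord;
        } catch (KeyManagementException | BadPaddingException | IllegalBlockSizeException | EncryptionException e) {
            final String message = "Encountered an exception decrypting provenance record " + recordId;
            logger.error(message, e);
            throw new EncryptionException(message, e);
        }
    }

    /**
     * Returns the first key ID the provider reports as available.
     *
     * @return the first available key ID
     * @throws KeyManagementException if no provider is set or it reports no key IDs
     */
    @Override // org.apache.nifi.provenance.ProvenanceEventEncryptor
    public String getNextKeyId() throws KeyManagementException {
        if (this.keyProvider != null) {
            final List<?> availableKeyIds = this.keyProvider.getAvailableKeyIds();
            if (availableKeyIds != null && !availableKeyIds.isEmpty()) {
                return (String) availableKeyIds.get(0);
            }
        }
        throw new KeyManagementException("No available key IDs");
    }

    /**
     * Reads the serialized {@link EncryptionMetadata} that follows the leading sentinel byte.
     *
     * <p>SECURITY NOTE: this is Java native deserialization of bytes read back from the
     * provenance repository. The record is expected to have been written by
     * {@link #encrypt(byte[], String, String)}, but no deserialization filter restricts the
     * classes that may be instantiated; on Java 9+ an {@code ObjectInputFilter} limiting the
     * stream to the metadata type would be the appropriate hardening.
     *
     * @param encryptedRecord the full encrypted record
     * @return the deserialized metadata
     * @throws EncryptionException if the record is too short or does not deserialize to metadata
     * @throws IOException if the stream is malformed
     * @throws ClassNotFoundException if the stream references an unknown class
     */
    private EncryptionMetadata extractEncryptionMetadata(byte[] encryptedRecord) throws EncryptionException, IOException, ClassNotFoundException {
        if (encryptedRecord == null || encryptedRecord.length < MIN_METADATA_LENGTH) {
            throw new EncryptionException("The encrypted record is too short to contain the metadata");
        }
        final ByteArrayInputStream input = new ByteArrayInputStream(encryptedRecord);
        // Skip the sentinel byte; its value is not validated (records have always been accepted this way)
        input.read();
        try (ObjectInputStream objectInput = new ObjectInputStream(input)) {
            final Object deserialized = objectInput.readObject();
            // Reject anything else up front rather than failing with an unchecked ClassCastException
            if (!(deserialized instanceof EncryptionMetadata)) {
                throw new EncryptionException("The encrypted record does not contain valid encryption metadata");
            }
            return (EncryptionMetadata) deserialized;
        }
    }

    /**
     * Returns the trailing {@code cipherByteLength} bytes of the record, which hold the ciphertext.
     *
     * @param encryptedRecord the full encrypted record
     * @param metadata metadata declaring the ciphertext length
     * @return the ciphertext
     * @throws EncryptionException if the declared length is negative or exceeds the record length,
     *     which would otherwise surface as an unchecked exception from {@link Arrays#copyOfRange}
     */
    private byte[] extractCipherBytes(byte[] encryptedRecord, EncryptionMetadata metadata) throws EncryptionException {
        final int cipherByteLength = metadata.cipherByteLength;
        if (cipherByteLength < 0 || cipherByteLength > encryptedRecord.length) {
            throw new EncryptionException("The encryption metadata declares an invalid cipher text length " + cipherByteLength);
        }
        return Arrays.copyOfRange(encryptedRecord, encryptedRecord.length - cipherByteLength, encryptedRecord.length);
    }

    /** Describes the encryptor and its key provider; safe to call before initialization. */
    @Override
    public String toString() {
        return "AES Provenance Event Encryptor with Key Provider: " + String.valueOf(this.keyProvider);
    }
}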
