package org.apache.nifi.encrypt;

import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.security.kms.CryptoUtils;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.KeyDerivationFunction;
import org.apache.nifi.security.util.crypto.Argon2SecureHasher;
import org.apache.nifi.security.util.crypto.CipherProvider;
import org.apache.nifi.security.util.crypto.CipherProviderFactory;
import org.apache.nifi.security.util.crypto.CipherUtility;
import org.apache.nifi.security.util.crypto.KeyedCipherProvider;
import org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider;
import org.apache.nifi.security.util.crypto.PBECipherProvider;
import org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider;
import org.apache.nifi.util.NiFiProperties;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/encrypt/StringEncryptor.class */
public class StringEncryptor {
    public static final int CUSTOM_ALGORITHM_SALT_LENGTH = 53;
    private static final int IV_LENGTH = 16;
    private final String algorithm;
    private final String provider;
    private final PBEKeySpec password;
    private SecretKeySpec key;
    private static final String HEX_ENCODING = "HEX";
    private static final String B64_ENCODING = "BASE64";
    private String encoding;
    private CipherProvider cipherProvider;
    public static final String NF_SENSITIVE_PROPS_KEY = "nifi.sensitive.props.key";
    public static final String NF_SENSITIVE_PROPS_ALGORITHM = "nifi.sensitive.props.algorithm";
    public static final String NF_SENSITIVE_PROPS_PROVIDER = "nifi.sensitive.props.provider";
    private static final String DEFAULT_SENSITIVE_PROPS_KEY = "nififtw!";
    private static final Logger logger = LoggerFactory.getLogger(StringEncryptor.class);
    private static final List<String> SUPPORTED_ALGORITHMS = new ArrayList();
    private static final List<String> SUPPORTED_PROVIDERS = new ArrayList();
    private static final String ARGON2_AES_GCM_128_ALGORITHM = "NIFI_ARGON2_AES_GCM_128";
    private static final String ARGON2_AES_GCM_256_ALGORITHM = "NIFI_ARGON2_AES_GCM_256";
    private static final List<String> CUSTOM_ALGORITHMS = Arrays.asList(ARGON2_AES_GCM_128_ALGORITHM, ARGON2_AES_GCM_256_ALGORITHM);

    public StringEncryptor(String str, String str2, String str3) {
        this.encoding = HEX_ENCODING;
        this.algorithm = str;
        this.provider = str2;
        this.key = null;
        this.password = new PBEKeySpec(str3 == null ? DEFAULT_SENSITIVE_PROPS_KEY.toCharArray() : str3.toCharArray());
        initialize();
    }

    public StringEncryptor(String str, String str2, byte[] bArr) {
        this.encoding = HEX_ENCODING;
        this.algorithm = str;
        this.provider = str2;
        this.key = new SecretKeySpec(bArr, extractKeyTypeFromAlgorithm(str));
        this.password = null;
        initialize();
    }

    protected StringEncryptor() {
        this.encoding = HEX_ENCODING;
        this.algorithm = null;
        this.provider = null;
        this.key = null;
        this.password = null;
    }

    private String extractKeyTypeFromAlgorithm(String str) throws EncryptionException {
        if (StringUtils.isBlank(str)) {
            throw new EncryptionException("The algorithm cannot be null or empty");
        }
        String parseCipherFromAlgorithm = CipherUtility.parseCipherFromAlgorithm(str);
        if (parseCipherFromAlgorithm.equals(str)) {
            throw new EncryptionException("No supported algorithm detected");
        }
        return parseCipherFromAlgorithm;
    }

    @Deprecated
    public static StringEncryptor createEncryptor(NiFiProperties niFiProperties) throws EncryptionException {
        String property = niFiProperties.getProperty(NF_SENSITIVE_PROPS_ALGORITHM);
        String property2 = niFiProperties.getProperty(NF_SENSITIVE_PROPS_PROVIDER);
        String property3 = niFiProperties.getProperty(NF_SENSITIVE_PROPS_KEY);
        if (StringUtils.isBlank(property3)) {
            printBlankKeyWarning();
            property3 = DEFAULT_SENSITIVE_PROPS_KEY;
        }
        return createEncryptor(property, property2, property3);
    }

    public static StringEncryptor createEncryptor(String str, String str2, String str3) {
        if (StringUtils.isBlank(str)) {
            throw new EncryptionException("nifi.sensitive.props.algorithm must be set");
        }
        if (StringUtils.isBlank(str2)) {
            throw new EncryptionException("nifi.sensitive.props.provider must be set");
        }
        if (StringUtils.isBlank(str3)) {
            printBlankKeyWarning();
            str3 = DEFAULT_SENSITIVE_PROPS_KEY;
        }
        return new StringEncryptor(str, str2, str3);
    }

    private static void printBlankKeyWarning() {
        logger.error(StringUtils.repeat("*", 80));
        logger.error(centerString("A blank sensitive properties key was provided"));
        logger.error(centerString("Specify a unique key in nifi.properties"));
        logger.error(centerString("for nifi.sensitive.props.key"));
        logger.error(centerString(""));
        logger.error(centerString("The Encrypt Config Tool in NiFi Toolkit can be used to"));
        logger.error(centerString("migrate the flow to the new key"));
        logger.error(StringUtils.repeat("*", 80));
    }

    private static String centerString(String str) {
        return "*" + StringUtils.center(str, 78, " ") + "*";
    }

    protected void initialize() {
        if (isInitialized()) {
            logger.debug("Attempted to initialize an already-initialized StringEncryptor");
            return;
        }
        if (!paramsAreValid()) {
            throw new EncryptionException("Cannot initialize the StringEncryptor because some configuration values are invalid");
        }
        if (isCustomAlgorithm(this.algorithm)) {
            this.key = new SecretKeySpec(new Argon2SecureHasher().hashRaw(new String(this.password.getPassword()).getBytes(StandardCharsets.UTF_8)), "AES");
            this.cipherProvider = CipherProviderFactory.getCipherProvider(KeyDerivationFunction.NONE);
        } else if (CipherUtility.isPBECipher(this.algorithm)) {
            this.cipherProvider = CipherProviderFactory.getCipherProvider(KeyDerivationFunction.NIFI_LEGACY);
        } else {
            this.cipherProvider = CipherProviderFactory.getCipherProvider(KeyDerivationFunction.NONE);
        }
    }

    public static boolean isCustomAlgorithm(String str) {
        return CUSTOM_ALGORITHMS.contains(str.toUpperCase());
    }

    private boolean paramsAreValid() {
        boolean z = algorithmIsValid(this.algorithm) && providerIsValid(this.provider);
        boolean z2 = false;
        if (isCustomAlgorithm(this.algorithm)) {
            z2 = customSecretIsValid(this.password, this.key, this.algorithm);
            if (!z2) {
                throw new EncryptionException("The nifi.sensitive.props.key password provided is invalid for algorithm " + this.algorithm + "; must be >= 12 characters");
            }
        } else if (CipherUtility.isPBECipher(this.algorithm)) {
            z2 = passwordIsValid(this.password);
        } else if (CipherUtility.isKeyedCipher(this.algorithm)) {
            z2 = keyIsValid(this.key, this.algorithm);
        }
        return z && z2;
    }

    private boolean customSecretIsValid(PBEKeySpec pBEKeySpec, SecretKeySpec secretKeySpec, String str) {
        String str2 = new String(pBEKeySpec.getPassword());
        return StringUtils.isNotBlank(str2) && str2.trim().length() >= 12;
    }

    private boolean keyIsValid(SecretKeySpec secretKeySpec, String str) {
        return secretKeySpec != null && CipherUtility.getValidKeyLengthsForAlgorithm(str).contains(Integer.valueOf(secretKeySpec.getEncoded().length * 8));
    }

    private boolean passwordIsValid(PBEKeySpec pBEKeySpec) {
        try {
            return pBEKeySpec.getPassword().length > 0;
        } catch (IllegalStateException | NullPointerException e) {
            return false;
        }
    }

    public void setEncoding(String str) {
        if (HEX_ENCODING.equalsIgnoreCase(str)) {
            this.encoding = HEX_ENCODING;
        } else {
            if (!B64_ENCODING.equalsIgnoreCase(str)) {
                throw new IllegalArgumentException("The encoding base must be 'HEX' or 'BASE64'");
            }
            this.encoding = B64_ENCODING;
        }
    }

    public String encrypt(String str) throws EncryptionException {
        try {
            if (isInitialized()) {
                return encode(CipherUtility.isPBECipher(this.algorithm) ? encryptPBE(str) : encryptKeyed(str));
            }
            throw new EncryptionException("The encryptor is not initialized");
        } catch (Exception e) {
            throw new EncryptionException(e);
        }
    }

    /* JADX WARN: Type inference failed for: r0v23, types: [byte[], byte[][]] */
    private byte[] encryptPBE(String str) {
        Cipher cipher;
        NiFiLegacyCipherProvider niFiLegacyCipherProvider = (PBECipherProvider) this.cipherProvider;
        EncryptionMethod encryptionMethodForAlgorithm = getEncryptionMethodForAlgorithm(this.algorithm);
        byte[] generateSalt = niFiLegacyCipherProvider instanceof NiFiLegacyCipherProvider ? niFiLegacyCipherProvider.generateSalt(encryptionMethodForAlgorithm) : niFiLegacyCipherProvider.generateSalt();
        int parseKeyLengthFromAlgorithm = CipherUtility.parseKeyLengthFromAlgorithm(this.algorithm);
        try {
            byte[] bArr = new byte[0];
            if (this.cipherProvider instanceof RandomIVPBECipherProvider) {
                bArr = new byte[IV_LENGTH];
                new SecureRandom().nextBytes(bArr);
                cipher = ((RandomIVPBECipherProvider) niFiLegacyCipherProvider).getCipher(encryptionMethodForAlgorithm, new String(this.password.getPassword()), generateSalt, bArr, parseKeyLengthFromAlgorithm, true);
            } else {
                cipher = niFiLegacyCipherProvider.getCipher(encryptionMethodForAlgorithm, new String(this.password.getPassword()), generateSalt, parseKeyLengthFromAlgorithm, true);
            }
            return CryptoUtils.concatByteArrays((byte[][]) new byte[]{generateSalt, bArr, cipher.doFinal(str.getBytes(StandardCharsets.UTF_8))});
        } catch (Exception e) {
            throw new EncryptionException("Could not encrypt sensitive value", e);
        }
    }

    private EncryptionMethod getEncryptionMethodForAlgorithm(String str) {
        return isCustomAlgorithm(str) ? EncryptionMethod.AES_GCM : EncryptionMethod.forAlgorithm(str);
    }

    /* JADX WARN: Type inference failed for: r0v13, types: [byte[], byte[][]] */
    private byte[] encryptKeyed(String str) {
        KeyedCipherProvider keyedCipherProvider = this.cipherProvider;
        try {
            SecureRandom secureRandom = new SecureRandom();
            byte[] bArr = new byte[IV_LENGTH];
            secureRandom.nextBytes(bArr);
            return CryptoUtils.concatByteArrays((byte[][]) new byte[]{bArr, keyedCipherProvider.getCipher(getEncryptionMethodForAlgorithm(this.algorithm), this.key, bArr, true).doFinal(str.getBytes(StandardCharsets.UTF_8))});
        } catch (Exception e) {
            throw new EncryptionException("Could not encrypt sensitive value", e);
        }
    }

    private String encode(byte[] bArr) {
        return this.encoding.equalsIgnoreCase(HEX_ENCODING) ? Hex.encodeHexString(bArr) : Base64.toBase64String(bArr);
    }

    public String decrypt(String str) throws EncryptionException {
        try {
            if (!isInitialized()) {
                throw new EncryptionException("The encryptor is not initialized");
            }
            byte[] decode = decode(str);
            return new String(CipherUtility.isPBECipher(this.algorithm) ? decryptPBE(decode) : decryptKeyed(decode), StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new EncryptionException(e);
        }
    }

    private byte[] decryptPBE(byte[] bArr) {
        RandomIVPBECipherProvider randomIVPBECipherProvider = (PBECipherProvider) this.cipherProvider;
        EncryptionMethod encryptionMethodForAlgorithm = getEncryptionMethodForAlgorithm(this.algorithm);
        int determineSaltLength = determineSaltLength(this.algorithm);
        byte[] bArr2 = new byte[determineSaltLength];
        System.arraycopy(bArr, 0, bArr2, 0, determineSaltLength);
        byte[] bArr3 = new byte[0];
        int i = determineSaltLength;
        if (randomIVPBECipherProvider instanceof RandomIVPBECipherProvider) {
            bArr3 = new byte[IV_LENGTH];
            System.arraycopy(bArr, determineSaltLength, bArr3, 0, bArr3.length);
            i = determineSaltLength + bArr3.length;
        }
        byte[] copyOfRange = Arrays.copyOfRange(bArr, i, bArr.length);
        int parseKeyLengthFromAlgorithm = CipherUtility.parseKeyLengthFromAlgorithm(this.algorithm);
        try {
            return (randomIVPBECipherProvider instanceof RandomIVPBECipherProvider ? randomIVPBECipherProvider.getCipher(encryptionMethodForAlgorithm, new String(this.password.getPassword()), bArr2, bArr3, parseKeyLengthFromAlgorithm, false) : randomIVPBECipherProvider.getCipher(encryptionMethodForAlgorithm, new String(this.password.getPassword()), bArr2, parseKeyLengthFromAlgorithm, false)).doFinal(copyOfRange);
        } catch (Exception e) {
            throw new EncryptionException("Could not decrypt sensitive value", e);
        }
    }

    private static int determineSaltLength(String str) {
        if (isCustomAlgorithm(str)) {
            return 53;
        }
        return CipherUtility.getSaltLengthForAlgorithm(str);
    }

    private byte[] decryptKeyed(byte[] bArr) {
        KeyedCipherProvider keyedCipherProvider = this.cipherProvider;
        try {
            byte[] bArr2 = new byte[IV_LENGTH];
            System.arraycopy(bArr, 0, bArr2, 0, IV_LENGTH);
            return keyedCipherProvider.getCipher(getEncryptionMethodForAlgorithm(this.algorithm), this.key, bArr2, false).doFinal(Arrays.copyOfRange(bArr, IV_LENGTH, bArr.length));
        } catch (Exception e) {
            throw new EncryptionException("Could not decrypt sensitive value", e);
        }
    }

    private byte[] decode(String str) throws DecoderException {
        return this.encoding.equalsIgnoreCase(HEX_ENCODING) ? Hex.decodeHex(str.toCharArray()) : Base64.decode(str);
    }

    public boolean isInitialized() {
        return this.cipherProvider != null;
    }

    protected static boolean algorithmIsValid(String str) {
        return SUPPORTED_ALGORITHMS.contains(str);
    }

    protected static boolean providerIsValid(String str) {
        return SUPPORTED_PROVIDERS.contains(str);
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        StringEncryptor stringEncryptor = (StringEncryptor) obj;
        return Objects.equals(this.algorithm, stringEncryptor.algorithm) && Objects.equals(this.provider, stringEncryptor.provider) && Objects.equals(this.encoding, stringEncryptor.encoding) && secretsAreEqual(stringEncryptor.password, stringEncryptor.key);
    }

    private boolean secretsAreEqual(PBEKeySpec pBEKeySpec, SecretKeySpec secretKeySpec) {
        return isPBEKeySpecEqual(this.password, pBEKeySpec) && Objects.equals(this.key, secretKeySpec);
    }

    private static boolean isPBEKeySpecEqual(PBEKeySpec pBEKeySpec, PBEKeySpec pBEKeySpec2) {
        if (pBEKeySpec == null) {
            return pBEKeySpec2 == null;
        }
        if (pBEKeySpec2 == null) {
            return false;
        }
        boolean z = pBEKeySpec.getIterationCount() == pBEKeySpec2.getIterationCount() && pBEKeySpec.getKeyLength() == pBEKeySpec2.getKeyLength() && Arrays.equals(pBEKeySpec.getSalt(), pBEKeySpec2.getSalt());
        try {
            boolean constantTimeEquals = CryptoUtils.constantTimeEquals(pBEKeySpec.getPassword(), pBEKeySpec2.getPassword());
            if (logger.isDebugEnabled()) {
                logger.debug("The PBEKeySpec objects have equal non-null elements ({}) and equal passwords ({})", new Object[]{String.valueOf(z), String.valueOf(constantTimeEquals)});
            }
            return z && constantTimeEquals;
        } catch (IllegalStateException e) {
            logger.warn("Encountered an error trying to compare password equality (one or more passwords have been cleared)");
            return false;
        }
    }

    public int hashCode() {
        return Objects.hash(this.algorithm, this.provider, this.encoding, this.password, this.key);
    }

    public String toString() {
        return "StringEncryptor using " + this.algorithm + " from " + this.provider + " with " + this.encoding + " encoding and cipher provider " + this.cipherProvider.getClass().getName();
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
        SUPPORTED_ALGORITHMS.addAll(CUSTOM_ALGORITHMS);
        for (EncryptionMethod encryptionMethod : EncryptionMethod.values()) {
            SUPPORTED_ALGORITHMS.add(encryptionMethod.getAlgorithm());
        }
        logger.debug("Supported encryption algorithms: " + StringUtils.join(SUPPORTED_ALGORITHMS, "\n"));
        for (Provider provider : Security.getProviders()) {
            SUPPORTED_PROVIDERS.add(provider.getName());
        }
        logger.debug("Supported providers: " + StringUtils.join(SUPPORTED_PROVIDERS, "\n"));
    }
}
