package org.apache.nifi.encrypt;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Objects;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.nifi.security.util.crypto.SecureHasher;
import org.apache.nifi.security.util.crypto.SecureHasherFactory;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/encrypt/StandardSensitiveValueEncoder.class */
public class StandardSensitiveValueEncoder implements SensitiveValueEncoder {
    private SecretKeySpec secretKeySpec;
    private static Base64.Encoder base64Encoder;
    private static final String HMAC_SHA256 = "HmacSHA256";
    private static final Logger logger = LoggerFactory.getLogger(StandardSensitiveValueEncoder.class);
    private static final Charset PROPERTY_CHARSET = StandardCharsets.UTF_8;

    public StandardSensitiveValueEncoder(NiFiProperties niFiProperties) {
        this(niFiProperties.getProperty("nifi.sensitive.props.key"), SecureHasherFactory.getSecureHasher(niFiProperties.getProperty("nifi.sensitive.props.algorithm")));
    }

    private StandardSensitiveValueEncoder(String str, SecureHasher secureHasher) {
        Objects.requireNonNull(str, "Sensitive Properties Key is required");
        Objects.requireNonNull(secureHasher, "SecureHasher is required");
        this.secretKeySpec = new SecretKeySpec(secureHasher.hashRaw(str.getBytes(PROPERTY_CHARSET)), HMAC_SHA256);
        base64Encoder = Base64.getEncoder();
    }

    @Override // org.apache.nifi.encrypt.SensitiveValueEncoder
    public String getEncoded(String str) {
        try {
            Mac mac = Mac.getInstance(HMAC_SHA256);
            mac.init(this.secretKeySpec);
            return "[MASKED] (" + base64Encoder.encodeToString(mac.doFinal(str.getBytes(PROPERTY_CHARSET))) + ")";
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            logger.error("Encountered an error making the sensitive value loggable: {}", e.getLocalizedMessage());
            return "[Unable to mask value]";
        }
    }
}
