package org.apache.nifi.security.repository;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.Security;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.security.kms.EncryptionException;
import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.11.0.jar:org/apache/nifi/security/repository/AbstractAESEncryptor.class */
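/**
 * Base class for AES-backed {@link RepositoryObjectEncryptor} implementations.
 *
 * <p>It holds the {@link KeyProvider} and {@link AESKeyedCipherProvider} shared by subclasses,
 * registers the BouncyCastle JCE provider during {@link #initialize(KeyProvider)}, and offers a
 * static helper that extracts and version-checks the encryption metadata of a ciphertext source.
 *
 * <p>Thread-safety: {@code keyProvider} and {@code aesKeyedCipherProvider} are plain mutable
 * fields with no synchronization in this class.
 */
public abstract class AbstractAESEncryptor implements RepositoryObjectEncryptor {
    /** IV length in bytes; equal to the AES block size. */
    protected static final int IV_LENGTH = 16;

    /** Source of key material; assigned by {@link #initialize(KeyProvider)} and not validated here. */
    protected KeyProvider keyProvider;

    /** Cipher factory; created eagerly and re-created by {@code initialize} if it was set to null. */
    protected AESKeyedCipherProvider aesKeyedCipherProvider = new AESKeyedCipherProvider();

    private static final Logger logger = LoggerFactory.getLogger(AbstractAESEncryptor.class);

    // Two-byte markers; not referenced in this class.
    // NOTE(review): presumably they delimit the serialized metadata -- confirm against the writer.
    private static final byte[] EM_START_SENTINEL = {0, 0};
    private static final byte[] EM_END_SENTINEL = {-1, -1};

    // Made final: a mutable static transformation string could be reassigned at runtime.
    // Not referenced in this class. CTR mode gives confidentiality only, with no integrity tag.
    // NOTE(review): if tampering with repository files is in scope for the threat model, confirm
    // that integrity of the stored records is enforced somewhere else.
    private static final String ALGORITHM = "AES/CTR/NoPadding";

    // All-zero array of IV_LENGTH bytes. The reference is final but the contents are not, and the
    // array is visible to every subclass, so it must be treated as read-only.
    // NOTE(review): presumably a placeholder and never an IV used for encryption -- with a counter
    // mode, repeating an IV under the same key repeats the keystream. Confirm no encrypt path
    // hands this array to the cipher.
    protected static final byte[] EMPTY_IV = new byte[IV_LENGTH];

    /**
     * Stores the key provider and makes sure the collaborators this class relies on exist.
     *
     * <p>The BouncyCastle provider is added through {@link Security#addProvider}, which changes
     * the JVM-wide provider list and is therefore visible outside this class.
     *
     * @param keyProvider the provider to use for key lookup; stored as-is, no null check is made
     * @throws KeyManagementException declared by the signature; this body has no explicit throw
     */
    @Override
    public void initialize(KeyProvider keyProvider) throws KeyManagementException {
        this.keyProvider = keyProvider;

        // The field has an initializer, so this only matters after setCipherProvider(null).
        if (this.aesKeyedCipherProvider == null) {
            this.aesKeyedCipherProvider = new AESKeyedCipherProvider();
        }

        // Register only once; the lookup by name avoids adding a second instance.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Replaces the cipher provider. Package-private.
     *
     * @param aESKeyedCipherProvider the provider to install; null is accepted and is replaced by
     *     a fresh instance on the next {@link #initialize(KeyProvider)} call
     */
    void setCipherProvider(AESKeyedCipherProvider aESKeyedCipherProvider) {
        this.aesKeyedCipherProvider = aESKeyedCipherProvider;
    }

    /**
     * Extracts the encryption metadata from a ciphertext source and checks that its version is
     * one of the supported versions.
     *
     * <p>The metadata is parsed before any key is involved, so whatever it contains is input that
     * has not been authenticated by this method.
     *
     * @param obj the ciphertext source; must be an {@link InputStream} or a {@code byte[]}
     * @param str the ID of the record, used only in log and exception messages
     * @param str2 a description of the record kind, used only in log and exception messages
     * @param list the supported metadata versions
     * @return the extracted metadata, whose version is contained in {@code list}
     * @throws EncryptionException if {@code obj} or {@code list} is null, if {@code obj} is of an
     *     unsupported type, if the metadata cannot be read, or if its version is not supported
     */
    public static RepositoryObjectEncryptionMetadata prepareObjectForDecryption(Object obj, String str, String str2, List<String> list) throws EncryptionException {
        if (obj == null) {
            throw new EncryptionException("The encrypted " + str2 + " cannot be missing");
        }
        // Fail before any bytes are consumed from a stream, and with the checked exception the
        // callers already handle, instead of a NullPointerException at the version check below.
        if (list == null) {
            throw new EncryptionException("The list of supported versions for the " + str2 + " with ID " + str + " cannot be missing");
        }

        try {
            final RepositoryObjectEncryptionMetadata metadata;
            if (obj instanceof InputStream) {
                logger.debug("Detected encrypted input stream for {} with ID {}", str2, str);
                metadata = RepositoryEncryptorUtils.extractEncryptionMetadata((InputStream) obj);
            } else if (obj instanceof byte[]) {
                logger.debug("Detected byte[] for {} with ID {}", str2, str);
                metadata = RepositoryEncryptorUtils.extractEncryptionMetadata((byte[]) obj);
            } else {
                String unsupportedSource = "The " + str2 + " with ID " + str + " was detected as " + obj.getClass().getSimpleName() + "; this is not a supported source of ciphertext";
                logger.error(unsupportedSource);
                throw new EncryptionException(unsupportedSource);
            }

            // Reject metadata written by a version this caller does not declare support for.
            if (!list.contains(metadata.version)) {
                throw new EncryptionException("The " + str2 + " with ID " + str + " was encrypted with version " + metadata.version + " which is not in the list of supported versions " + StringUtils.join(list, ","));
            }
            return metadata;
        } catch (IOException | ClassNotFoundException e) {
            // NOTE(review): ClassNotFoundException in this catch suggests the helper uses
            // Java-native deserialization on the metadata bytes. If so, those bytes come straight
            // from the repository and are not authenticated here; confirm the helper restricts
            // the classes it will deserialize (for example with an ObjectInputFilter).
            logger.error("Encountered an error reading the encryption metadata: ", e);
            throw new EncryptionException("Encountered an error reading the encryption metadata: ", e);
        }
    }
}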
