package org.apache.nifi.security.util.crypto;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.security.util.EncryptionMethod;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.11.3.jar:org/apache/nifi/security/util/crypto/BcryptCipherProvider.class */
public class BcryptCipherProvider extends RandomIVPBECipherProvider {
    private final int workFactor;
    private static final int DEFAULT_WORK_FACTOR = 12;
    private static final int DEFAULT_SALT_LENGTH = 16;
    private static final Logger logger = LoggerFactory.getLogger(BcryptCipherProvider.class);
    private static final Pattern BCRYPT_SALT_FORMAT = Pattern.compile("^\\$\\d\\w\\$\\d{2}\\$[\\w\\/\\.]{22}");

    public BcryptCipherProvider() {
        this(12);
    }

    public BcryptCipherProvider(int i) {
        this.workFactor = i;
        if (i < 12) {
            logger.warn("The provided work factor {} is below the recommended minimum {}", Integer.valueOf(i), 12);
        }
    }

    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, byte[] bArr2, int i, boolean z) throws Exception {
        try {
            return getInitializedCipher(encryptionMethod, str, bArr, bArr2, i, z);
        } catch (IllegalArgumentException e) {
            throw e;
        } catch (Exception e2) {
            throw new ProcessException("Error initializing the cipher", e2);
        }
    }

    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    Logger getLogger() {
        return logger;
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, int i, boolean z) throws Exception {
        return getCipher(encryptionMethod, str, bArr, new byte[0], i, z);
    }

    protected Cipher getInitializedCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, byte[] bArr2, int i, boolean z) throws Exception {
        if (encryptionMethod == null) {
            throw new IllegalArgumentException("The encryption method must be specified");
        }
        if (!encryptionMethod.isCompatibleWithStrongKDFs()) {
            throw new IllegalArgumentException(encryptionMethod.name() + " is not compatible with Bcrypt");
        }
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Encryption with an empty password is not supported");
        }
        String algorithm = encryptionMethod.getAlgorithm();
        String provider = encryptionMethod.getProvider();
        String parseCipherFromAlgorithm = CipherUtility.parseCipherFromAlgorithm(algorithm);
        if (!CipherUtility.isValidKeyLength(i, parseCipherFromAlgorithm)) {
            throw new IllegalArgumentException(String.valueOf(i) + " is not a valid key length for " + parseCipherFromAlgorithm);
        }
        return new AESKeyedCipherProvider().getCipher(encryptionMethod, new SecretKeySpec(Arrays.copyOf(MessageDigest.getInstance("SHA-512", provider).digest(BCrypt.hashpw(str, formatSaltForBcrypt(bArr)).getBytes(StandardCharsets.UTF_8)), i / 8), algorithm), bArr2, z);
    }

    private String formatSaltForBcrypt(byte[] bArr) {
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("The salt cannot be empty. To generate a salt, use BcryptCipherProvider#generateSalt()");
        }
        String str = new String(bArr, StandardCharsets.UTF_8);
        if (BCRYPT_SALT_FORMAT.matcher(str).find()) {
            return str;
        }
        throw new IllegalArgumentException("The salt must be of the format $2a$10$gUVbkVzp79H8YaCOsCVZNu. To generate a salt, use BcryptCipherProvider#generateSalt()");
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public byte[] generateSalt() {
        return BCrypt.gensalt(this.workFactor).getBytes(StandardCharsets.UTF_8);
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public int getDefaultSaltLength() {
        return 16;
    }

    protected int getWorkFactor() {
        return this.workFactor;
    }
}
