package org.apache.nifi.security.util.crypto;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.crypto.scrypt.Scrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.11.3.jar:org/apache/nifi/security/util/crypto/ScryptCipherProvider.class */
public class ScryptCipherProvider extends RandomIVPBECipherProvider {
    private final int n;
    private final int r;
    private final int p;
    private static final int DEFAULT_R = 8;
    private static final int DEFAULT_P = 1;
    private static final Logger logger = LoggerFactory.getLogger(ScryptCipherProvider.class);
    private static final int DEFAULT_N = Double.valueOf(Math.pow(2.0d, 14.0d)).intValue();
    private static final Pattern SCRYPT_SALT_FORMAT = Pattern.compile("^\\$s0\\$[a-f0-9]{5,16}\\$[\\w\\/\\.]{12,44}");
    private static final Pattern MCRYPT_SALT_FORMAT = Pattern.compile("^\\$\\d+\\$\\d+\\$\\d+\\$[a-f0-9]{16,64}");

    public ScryptCipherProvider() {
        this(DEFAULT_N, 8, 1);
    }

    public ScryptCipherProvider(int i, int i2, int i3) {
        this.n = i;
        this.r = i2;
        this.p = i3;
        if (i < DEFAULT_N) {
            logger.warn("The provided iteration count {} is below the recommended minimum {}", Integer.valueOf(i), Integer.valueOf(DEFAULT_N));
        }
        if (i2 < 8) {
            logger.warn("The provided block size {} is below the recommended minimum {}", Integer.valueOf(i2), 8);
        }
        if (i3 < 1) {
            logger.warn("The provided parallelization factor {} is below the recommended minimum {}", Integer.valueOf(i3), 1);
        }
        if (isPValid(i2, i3)) {
            return;
        }
        logger.warn("Based on the provided block size {}, the provided parallelization factor {} is out of bounds", Integer.valueOf(i2), Integer.valueOf(i3));
        throw new IllegalArgumentException("Invalid p value exceeds p boundary");
    }

    public static boolean isPValid(int i, int i2) {
        if (isRValid(i)) {
            return ((double) i2) <= (Math.pow(2.0d, 32.0d) - 1.0d) * (32.0d / ((double) (i * 128))) && i2 > 0;
        }
        logger.warn("The provided block size {} must be greater than 0", Integer.valueOf(i));
        throw new IllegalArgumentException("Invalid r value; must be greater than 0");
    }

    public static boolean isRValid(int i) {
        return i > 0;
    }

    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, byte[] bArr2, int i, boolean z) throws Exception {
        try {
            return getInitializedCipher(encryptionMethod, str, bArr, bArr2, i, z);
        } catch (IllegalArgumentException e) {
            throw e;
        } catch (Exception e2) {
            throw new ProcessException("Error initializing the cipher", e2);
        }
    }

    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    Logger getLogger() {
        return logger;
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, int i, boolean z) throws Exception {
        return getCipher(encryptionMethod, str, bArr, new byte[0], i, z);
    }

    protected Cipher getInitializedCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, byte[] bArr2, int i, boolean z) throws Exception {
        if (encryptionMethod == null) {
            throw new IllegalArgumentException("The encryption method must be specified");
        }
        if (!encryptionMethod.isCompatibleWithStrongKDFs()) {
            throw new IllegalArgumentException(encryptionMethod.name() + " is not compatible with Scrypt");
        }
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Encryption with an empty password is not supported");
        }
        String algorithm = encryptionMethod.getAlgorithm();
        String parseCipherFromAlgorithm = CipherUtility.parseCipherFromAlgorithm(algorithm);
        if (!CipherUtility.isValidKeyLength(i, parseCipherFromAlgorithm)) {
            throw new IllegalArgumentException(String.valueOf(i) + " is not a valid key length for " + parseCipherFromAlgorithm);
        }
        String formatSaltForScrypt = formatSaltForScrypt(bArr);
        ArrayList arrayList = new ArrayList(3);
        byte[] bArr3 = new byte[Scrypt.getDefaultSaltLength()];
        parseSalt(formatSaltForScrypt, bArr3, arrayList);
        String[] split = Scrypt.scrypt(str, bArr3, arrayList.get(0).intValue(), arrayList.get(1).intValue(), arrayList.get(2).intValue(), i).split("\\$");
        if (split.length < 4) {
            throw new ProcessException("There was an error generating a scrypt hash -- the resulting hash was not properly formatted");
        }
        return new AESKeyedCipherProvider().getCipher(encryptionMethod, new SecretKeySpec(Base64.decodeBase64(split[4]), algorithm), bArr2, z);
    }

    private void parseSalt(String str, byte[] bArr, List<Integer> list) {
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Cannot parse empty salt");
        }
        String[] split = str.split("\\$");
        if (split.length < 4) {
            throw new IllegalArgumentException("Could not parse salt");
        }
        byte[] decodeBase64 = Base64.decodeBase64(split[3]);
        if (bArr.length < decodeBase64.length) {
            byte[] bArr2 = new byte[decodeBase64.length];
            System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
            bArr = bArr2;
        }
        System.arraycopy(decodeBase64, 0, bArr, 0, decodeBase64.length);
        if (list == null) {
            list = new ArrayList(3);
        }
        list.addAll(Scrypt.parseParameters(split[2]));
    }

    private String formatSaltForScrypt(byte[] bArr) {
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("The salt cannot be empty. To generate a salt, use ScryptCipherProvider#generateSalt()");
        }
        String str = new String(bArr, StandardCharsets.UTF_8);
        if (SCRYPT_SALT_FORMAT.matcher(str).find()) {
            return str;
        }
        if (str.startsWith("$")) {
            logger.warn("Salt starts with $ but is not valid scrypt salt");
            if (MCRYPT_SALT_FORMAT.matcher(str).find()) {
                logger.warn("The salt appears to be of the modified mcrypt format. Use ScryptCipherProvider#translateSalt(mcryptSalt) to form a valid salt");
                return translateSalt(str);
            }
            logger.info("Salt is not modified mcrypt format");
        }
        logger.info("Treating as raw salt bytes");
        int length = bArr.length;
        if (length < 8 || length > 32) {
            throw new IllegalArgumentException("The raw salt must be between 8 and 32 bytes");
        }
        return Scrypt.formatSalt(bArr, this.n, this.r, this.p);
    }

    public String translateSalt(String str) {
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Cannot translate empty salt");
        }
        if (!MCRYPT_SALT_FORMAT.matcher(str).matches()) {
            throw new IllegalArgumentException("Salt is not valid mcrypt format of $n$r$p$saltHex");
        }
        String[] split = str.split("\\$");
        try {
            return Scrypt.formatSalt(Hex.decodeHex(split[4].toCharArray()), Integer.valueOf(split[1]).intValue(), Integer.valueOf(split[2]).intValue(), Integer.valueOf(split[3]).intValue());
        } catch (DecoderException e) {
            logger.warn("Mcrypt salt was not properly hex-encoded");
            throw new IllegalArgumentException("Mcrypt salt was not properly hex-encoded");
        }
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public byte[] generateSalt() {
        byte[] bArr = new byte[Scrypt.getDefaultSaltLength()];
        new SecureRandom().nextBytes(bArr);
        return Scrypt.formatSalt(bArr, this.n, this.r, this.p).getBytes(StandardCharsets.UTF_8);
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public int getDefaultSaltLength() {
        return Scrypt.getDefaultSaltLength();
    }

    protected int getN() {
        return this.n;
    }

    protected int getR() {
        return this.r;
    }

    protected int getP() {
        return this.p;
    }
}
