package org.apache.nifi.security.util.crypto;

import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.security.util.EncryptionMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.11.3.jar:org/apache/nifi/security/util/crypto/AESKeyedCipherProvider.class */
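/**
 * Cipher provider for keyed (raw-key, non-password-based) AES encryption methods.
 *
 * <p>Validates the encryption method, the key length and the IV before returning an
 * initialized {@link Cipher}. When encrypting without a usable IV, a random IV is
 * generated; the caller must then read it back with {@code cipher.getIV()} and store it
 * with the ciphertext, otherwise the data cannot be decrypted later.
 *
 * <p>Security note: this class does not track IVs across calls. A caller that supplies
 * the same IV with the same key more than once is not detected here; depending on the
 * cipher mode selected by the {@link EncryptionMethod}, IV reuse can weaken or break
 * confidentiality, so callers should prefer letting this provider generate the IV.
 */
public class AESKeyedCipherProvider extends KeyedCipherProvider {
    /** IV size in bytes produced by {@link #generateIV()} (the AES block size). */
    private static final int IV_LENGTH = 16;
    private static final Logger logger = LoggerFactory.getLogger(AESKeyedCipherProvider.class);
    /** Accepted key sizes in bits. */
    private static final List<Integer> VALID_KEY_LENGTHS = Arrays.asList(128, 192, 256);

    /**
     * Returns a cipher initialized with the given key and IV.
     *
     * @param encryptionMethod the keyed encryption method to use
     * @param secretKey        the raw key
     * @param bArr             the IV; {@code null}, wrong-length or all-zero values are
     *                         treated as "no IV" (see {@link #getInitializedCipher})
     * @param z                {@code true} to encrypt, {@code false} to decrypt
     * @return the initialized cipher
     * @throws IllegalArgumentException if an argument fails validation (rethrown unchanged)
     * @throws ProcessException         wrapping any other failure during initialization
     */
    @Override // org.apache.nifi.security.util.crypto.KeyedCipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, SecretKey secretKey, byte[] bArr, boolean z) throws Exception {
        try {
            return getInitializedCipher(encryptionMethod, secretKey, bArr, z);
        } catch (IllegalArgumentException e) {
            // Validation errors carry a caller-actionable message; do not wrap them.
            throw e;
        } catch (Exception e2) {
            throw new ProcessException("Error initializing the cipher", e2);
        }
    }

    /**
     * Returns a cipher initialized with the given key and no caller-supplied IV.
     * Delegates with an empty IV, so encryption gets a freshly generated IV and
     * decryption is rejected with an {@link IllegalArgumentException}.
     *
     * @param encryptionMethod the keyed encryption method to use
     * @param secretKey        the raw key
     * @param z                {@code true} to encrypt, {@code false} to decrypt
     * @return the initialized cipher
     */
    @Override // org.apache.nifi.security.util.crypto.KeyedCipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, SecretKey secretKey, boolean z) throws Exception {
        return getCipher(encryptionMethod, secretKey, new byte[0], z);
    }

    /**
     * Validates the arguments and builds the initialized cipher.
     *
     * <p>An IV is considered unusable when it is {@code null}, when its length differs
     * from the cipher block size, or when it consists only of zero bytes. For encryption
     * an unusable IV is replaced by {@link #generateIV()}; for decryption it is an error.
     *
     * @param encryptionMethod the keyed encryption method to use
     * @param secretKey        the raw key; its encoded length must be 128, 192 or 256 bits
     * @param bArr             the IV, may be {@code null}
     * @param z                {@code true} to encrypt, {@code false} to decrypt
     * @return the initialized cipher
     * @throws IllegalArgumentException if the method is missing or not a keyed cipher, the
     *                                  key is missing or of invalid length, or decryption
     *                                  is requested without a usable IV
     */
    protected Cipher getInitializedCipher(EncryptionMethod encryptionMethod, SecretKey secretKey, byte[] bArr, boolean z) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, UnsupportedEncodingException {
        if (encryptionMethod == null) {
            throw new IllegalArgumentException("The encryption method must be specified");
        }
        if (!encryptionMethod.isKeyedCipher()) {
            throw new IllegalArgumentException(encryptionMethod.name() + " requires a PBECipherProvider");
        }
        String algorithm = encryptionMethod.getAlgorithm();
        String provider = encryptionMethod.getProvider();
        if (secretKey == null) {
            throw new IllegalArgumentException("The key must be specified");
        }
        if (!isValidKeyLength(secretKey)) {
            throw new IllegalArgumentException("The key must be of length [" + StringUtils.join(VALID_KEY_LENGTHS, ", ") + "]");
        }

        Cipher cipher = Cipher.getInstance(algorithm, provider);
        final String operation = z ? "encrypt" : "decrypt";
        final int blockSize = cipher.getBlockSize();

        // A null IV is handled exactly like the empty IV the three-argument overload
        // passes, instead of failing with a NullPointerException further down.
        byte[] iv = bArr == null ? new byte[0] : bArr;

        boolean ivUnusable = false;
        if (iv.length != blockSize) {
            logger.warn("An IV was provided of length {} bytes for {}ion but should be {} bytes", iv.length, operation, blockSize);
            ivUnusable = true;
        }
        // An all-zero IV of the right length is rejected as well: it is the value an
        // uninitialized buffer would hold, so it is never accepted as a real IV.
        if (Arrays.equals(iv, new byte[blockSize])) {
            logger.warn("An empty IV was provided of length {} for {}ion", iv.length, operation);
            ivUnusable = true;
        }

        if (ivUnusable) {
            if (!z) {
                // Decryption needs the IV that was used to encrypt; nothing can be substituted.
                throw new IllegalArgumentException("Cannot decrypt without a valid IV");
            }
            logger.warn("Generating new IV. The value can be obtained in the calling code by invoking 'cipher.getIV()';");
            iv = generateIV();
        }

        cipher.init(z ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, secretKey, new IvParameterSpec(iv));
        return cipher;
    }

    /**
     * Checks that the encoded key is 128, 192 or 256 bits long.
     *
     * <p>NOTE(review): {@link SecretKey#getEncoded()} may return {@code null} for keys that
     * do not support encoding; that case is not handled here and surfaces as a
     * {@link NullPointerException}, which {@link #getCipher} wraps in a ProcessException.
     */
    private boolean isValidKeyLength(SecretKey secretKey) {
        int keyBits = secretKey.getEncoded().length * 8;
        return VALID_KEY_LENGTHS.contains(keyBits);
    }

    /**
     * Generates a random IV of {@link #IV_LENGTH} bytes using {@link SecureRandom}.
     *
     * @return a new 16-byte IV
     */
    @Override // org.apache.nifi.security.util.crypto.KeyedCipherProvider
    public byte[] generateIV() {
        byte[] iv = new byte[IV_LENGTH];
        new SecureRandom().nextBytes(iv);
        return iv;
    }
}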
