package org.apache.nifi.security.repository.block.aes;

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import org.apache.nifi.security.kms.CryptoUtils;
import org.apache.nifi.security.kms.EncryptionException;
import org.apache.nifi.security.repository.AbstractAESEncryptor;
import org.apache.nifi.security.repository.RepositoryEncryptorUtils;
import org.apache.nifi.security.repository.RepositoryObjectEncryptionMetadata;
import org.apache.nifi.security.repository.block.BlockEncryptionMetadata;
import org.apache.nifi.security.repository.block.RepositoryObjectBlockEncryptor;
import org.apache.nifi.security.util.EncryptionMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.12.1.jar:org/apache/nifi/security/repository/block/aes/RepositoryObjectAESGCMEncryptor.class */
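/**
 * Block encryptor that protects a whole repository object with AES in GCM mode.
 *
 * <p>An encrypted record is the serialized {@link BlockEncryptionMetadata} (key ID, algorithm,
 * IV, version, cipher length) followed directly by the cipher output. Keys are looked up by ID
 * through the inherited {@code keyProvider}; ciphers are built through the inherited
 * {@code aesKeyedCipherProvider}.
 *
 * <p>NOTE(review): nothing in this class binds the metadata header to the GCM tag (no AAD is
 * supplied here), so the header fields should be treated as unauthenticated input on the
 * decrypt path. Confirm whether {@code RepositoryEncryptorUtils.initCipher} adds AAD.
 */
public class RepositoryObjectAESGCMEncryptor extends AbstractAESEncryptor implements RepositoryObjectBlockEncryptor {
    // Not referenced anywhere in this class.
    private static final int MIN_METADATA_LENGTH = 22;
    private static final Logger logger = LoggerFactory.getLogger(RepositoryObjectAESGCMEncryptor.class);
    private static final String VERSION = "v1";
    private static final List<String> SUPPORTED_VERSIONS = Arrays.asList(VERSION);
    private static final String ALGORITHM = "AES/GCM/NoPadding";
    // Not referenced anywhere in this class.
    private static final int METADATA_DEFAULT_LENGTH = (((20 + ALGORITHM.length()) + 16) + VERSION.length()) * 2;
    // Not referenced anywhere in this class.
    private static final byte[] SENTINEL = {1};
    /** Number of random bytes generated as the IV for every encryption. */
    private static final int IV_LENGTH_BYTES = 16;

    /**
     * Encrypts a repository object and prefixes it with the metadata needed to decrypt it.
     *
     * @param bArr the plaintext repository object; must not be {@code null}
     * @param str  identifier of the repository object, used in log and error messages
     * @param str2 ID of the key to encrypt with; must not be empty and must exist in the key provider
     * @return the serialized encryption metadata followed by the cipher output
     * @throws EncryptionException if an argument is missing, the key is unavailable, or the
     *                             cipher or metadata serialization fails
     */
    @Override // org.apache.nifi.security.repository.block.RepositoryObjectBlockEncryptor
    public byte[] encrypt(byte[] bArr, String str, String str2) throws EncryptionException {
        final String objectId = str;
        final String keyId = str2;
        if (bArr == null || CryptoUtils.isEmpty(keyId)) {
            throw new EncryptionException("The repository object and key ID cannot be missing");
        }
        if (this.keyProvider == null || !this.keyProvider.keyExists(keyId)) {
            throw new EncryptionException("The requested key ID is not available");
        }
        // A fresh random IV per call: GCM loses both confidentiality and integrity if an IV is
        // ever reused under the same key.
        byte[] ivBytes = new byte[IV_LENGTH_BYTES];
        new SecureRandom().nextBytes(ivBytes);
        try {
            logger.debug("Encrypting repository object {} with key ID {}", objectId, keyId);
            Cipher cipher = RepositoryEncryptorUtils.initCipher(this.aesKeyedCipherProvider, EncryptionMethod.AES_GCM, Cipher.ENCRYPT_MODE, this.keyProvider.getKey(keyId), ivBytes);
            // Record the IV the cipher reports rather than the requested one, so the stored
            // metadata always matches what was actually used.
            byte[] effectiveIv = cipher.getIV();
            byte[] cipherBytes = cipher.doFinal(bArr);
            byte[] serializedMetadata = RepositoryEncryptorUtils.serializeEncryptionMetadata(new BlockEncryptionMetadata(keyId, ALGORITHM, effectiveIv, VERSION, cipherBytes.length));
            logger.debug("Generated encryption metadata ({} bytes) for repository object {}", serializedMetadata.length, objectId);
            logger.debug("Encrypted repository object {} with key ID {}", objectId, keyId);
            // The arrays to join must be passed as byte[][]; a byte[] initializer holding
            // byte[] elements does not compile.
            return CryptoUtils.concatByteArrays(new byte[][] {serializedMetadata, cipherBytes});
        } catch (IOException | KeyManagementException | BadPaddingException | IllegalBlockSizeException | EncryptionException e) {
            String message = "Encountered an exception encrypting repository object " + objectId;
            logger.error(message, e);
            throw new EncryptionException(message, e);
        }
    }

    /**
     * Decrypts a record previously produced by {@link #encrypt(byte[], String, String)}.
     *
     * @param bArr the encrypted record (metadata header followed by cipher output)
     * @param str  identifier of the repository object, used in log and error messages
     * @return the recovered plaintext
     * @throws EncryptionException if the metadata cannot be used, the key named in it is
     *                             unavailable, the recorded cipher length is out of range, or
     *                             decryption fails
     */
    @Override // org.apache.nifi.security.repository.block.RepositoryObjectBlockEncryptor
    public byte[] decrypt(byte[] bArr, String str) throws EncryptionException {
        final String objectId = str;
        RepositoryObjectEncryptionMetadata metadata = prepareObjectForDecryption(bArr, objectId, "repository object", SUPPORTED_VERSIONS);
        // Reject an empty key ID before asking the provider about it.
        if (this.keyProvider == null || CryptoUtils.isEmpty(metadata.keyId) || !this.keyProvider.keyExists(metadata.keyId)) {
            throw new EncryptionException("The requested key ID " + metadata.keyId + " is not available");
        }
        try {
            logger.debug("Decrypting repository object {} with key ID {}", objectId, metadata.keyId);
            // NOTE(review): the cipher algorithm is chosen from the stored metadata, which this
            // class does not authenticate. Consider requiring EncryptionMethod.AES_GCM here, and
            // confirm how forAlgorithm behaves for an unrecognised algorithm string.
            Cipher cipher = RepositoryEncryptorUtils.initCipher(this.aesKeyedCipherProvider, EncryptionMethod.forAlgorithm(metadata.algorithm), Cipher.DECRYPT_MODE, this.keyProvider.getKey(metadata.keyId), metadata.ivBytes);
            // A failed GCM tag check surfaces as AEADBadTagException, a BadPaddingException
            // subclass, and is therefore reported through the catch block below.
            byte[] plainBytes = cipher.doFinal(extractCipherBytes(bArr, metadata));
            logger.debug("Decrypted repository object {} with key ID {}", objectId, metadata.keyId);
            return plainBytes;
        } catch (KeyManagementException | BadPaddingException | IllegalBlockSizeException | EncryptionException e) {
            String message = "Encountered an exception decrypting repository object " + objectId;
            logger.error(message, e);
            throw new EncryptionException(message, e);
        }
    }

    /**
     * Returns the key ID to use for the next encryption: the first ID the key provider lists.
     *
     * @return the first available key ID
     * @throws KeyManagementException if there is no key provider or it lists no key IDs
     */
    @Override // org.apache.nifi.security.repository.block.RepositoryObjectBlockEncryptor
    public String getNextKeyId() throws KeyManagementException {
        if (this.keyProvider != null) {
            List<String> availableKeyIds = this.keyProvider.getAvailableKeyIds();
            if (availableKeyIds != null && !availableKeyIds.isEmpty()) {
                return availableKeyIds.get(0);
            }
        }
        throw new KeyManagementException("No available key IDs");
    }

    /**
     * Returns the trailing {@code cipherByteLength} bytes of the record, i.e. the cipher output.
     *
     * @param bArr the full encrypted record
     * @param repositoryObjectEncryptionMetadata metadata parsed from the record header
     * @return a copy of the cipher bytes
     * @throws EncryptionException if the recorded cipher length is negative or exceeds the record
     */
    private byte[] extractCipherBytes(byte[] bArr, RepositoryObjectEncryptionMetadata repositoryObjectEncryptionMetadata) throws EncryptionException {
        int cipherLength = repositoryObjectEncryptionMetadata.cipherByteLength;
        // The length comes from the stored header; without this check a corrupted or tampered
        // value escapes as an unchecked exception from Arrays.copyOfRange.
        if (cipherLength < 0 || cipherLength > bArr.length) {
            throw new EncryptionException("The cipher byte length " + cipherLength + " recorded in the encryption metadata is not valid for a record of " + bArr.length + " bytes");
        }
        return Arrays.copyOfRange(bArr, bArr.length - cipherLength, bArr.length);
    }

    /**
     * Describes this encryptor and its key provider.
     *
     * @return a human-readable description; safe to call when no key provider is set
     */
    @Override
    public String toString() {
        // Plain concatenation renders a missing key provider as "null" instead of throwing.
        return "Repository Object Block Encryptor using AES/GCM with Key Provider: " + this.keyProvider;
    }
}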
