package org.apache.nifi.security.util.crypto;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.security.util.EncryptionMethod;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.MD5Digest;
import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.digests.SHA384Digest;
import org.bouncycastle.crypto.digests.SHA512Digest;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.params.KeyParameter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.5.0.jar:org/apache/nifi/security/util/crypto/PBKDF2CipherProvider.class */
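/**
 * Password-based cipher provider that derives the key with PBKDF2.
 *
 * <p>The key is derived from the password and salt by Bouncy Castle's
 * {@link PKCS5S2ParametersGenerator}, using the digest and iteration count chosen at
 * construction time. The derived key is then handed to {@link AESKeyedCipherProvider},
 * which builds the {@link Cipher}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An iteration count below {@value #DEFAULT_ITERATION_COUNT} is accepted; it only
 *       produces a warning in the log.</li>
 *   <li>A PRF name that is not recognised does not fail: the provider logs a warning and
 *       falls back to SHA-512. Data written under a different PRF will then not decrypt,
 *       so that warning is worth alerting on.</li>
 *   <li>MD5 and SHA-1 are accepted as PRFs. Both are legacy digests with shorter outputs
 *       than the SHA-2 family; selecting one is logged as a warning.</li>
 *   <li>Salts shorter than {@value #DEFAULT_SALT_LENGTH} bytes and empty passwords are
 *       rejected.</li>
 * </ul>
 */
public class PBKDF2CipherProvider extends RandomIVPBECipherProvider {
    private static final Logger logger = LoggerFactory.getLogger(PBKDF2CipherProvider.class);
    private static final int DEFAULT_SALT_LENGTH = 16;
    private final int iterationCount;
    private final Digest prf;
    private static final String DEFAULT_PRF = "SHA-512";
    private static final int DEFAULT_ITERATION_COUNT = 160000;

    /**
     * Creates a provider with the default PRF ({@value #DEFAULT_PRF}) and the default
     * iteration count ({@value #DEFAULT_ITERATION_COUNT}).
     */
    public PBKDF2CipherProvider() {
        this(DEFAULT_PRF, DEFAULT_ITERATION_COUNT);
    }

    /**
     * Creates a provider with an explicit PRF and iteration count.
     *
     * @param prf            name of the digest to use as the PBKDF2 PRF; case and
     *                       non-word characters are ignored, so {@code "SHA-512"} and
     *                       {@code "sha512"} are equivalent
     * @param iterationCount number of PBKDF2 iterations; values below
     *                       {@value #DEFAULT_ITERATION_COUNT} are accepted but logged
     * @throws IllegalArgumentException if {@code prf} is null or empty
     */
    public PBKDF2CipherProvider(String prf, int iterationCount) {
        this.iterationCount = iterationCount;
        if (iterationCount < DEFAULT_ITERATION_COUNT) {
            // Deliberately a warning rather than a rejection: the low count is still used.
            logger.warn("The provided iteration count {} is below the recommended minimum {}", iterationCount, DEFAULT_ITERATION_COUNT);
        }
        this.prf = resolvePRF(prf);
    }

    /**
     * Returns a cipher keyed from the password, salt and the supplied IV.
     *
     * @param encryptionMethod the encryption method; must be compatible with strong KDFs
     * @param password         the password to derive the key from; must not be empty
     * @param salt             the salt; at least {@value #DEFAULT_SALT_LENGTH} bytes
     * @param iv               passed through to {@link AESKeyedCipherProvider} as the IV
     * @param keyLength        the requested key length, validated against the cipher
     * @param encryptMode      passed through to {@link AESKeyedCipherProvider}
     *                         (presumably {@code true} for encryption; confirm against that class)
     * @return the initialized cipher
     * @throws IllegalArgumentException if any argument fails validation
     * @throws ProcessException         if any other failure occurs during initialization
     */
    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String password, byte[] salt, byte[] iv, int keyLength, boolean encryptMode) throws Exception {
        try {
            return getInitializedCipher(encryptionMethod, password, salt, iv, keyLength, encryptMode);
        } catch (IllegalArgumentException e) {
            // Validation failures reach the caller unchanged.
            throw e;
        } catch (Exception e) {
            throw new ProcessException("Error initializing the cipher", e);
        }
    }

    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    Logger getLogger() {
        return logger;
    }

    /**
     * Returns a cipher keyed from the password and salt, supplying an empty IV.
     *
     * <p>The empty array is forwarded as the IV; how it is handled is decided by
     * {@link AESKeyedCipherProvider} (presumably a random IV is generated there for
     * encryption; confirm against that class).
     *
     * @param encryptionMethod the encryption method
     * @param password         the password to derive the key from
     * @param salt             the salt
     * @param keyLength        the requested key length
     * @param encryptMode      passed through unchanged
     * @return the initialized cipher
     */
    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String password, byte[] salt, int keyLength, boolean encryptMode) throws Exception {
        return getCipher(encryptionMethod, password, salt, new byte[0], keyLength, encryptMode);
    }

    /**
     * Validates the arguments, derives the key with PBKDF2 and builds the cipher.
     *
     * @param encryptionMethod the encryption method; must not be null and must report
     *                         compatibility with strong KDFs
     * @param password         the password; must not be null or empty
     * @param salt             the salt; must be at least {@value #DEFAULT_SALT_LENGTH} bytes
     * @param iv               forwarded to {@link AESKeyedCipherProvider}
     * @param keyLength        the key length, checked with {@link CipherUtility#isValidKeyLength}
     *                         and passed to the generator as the derived key size
     * @param encryptMode      forwarded to {@link AESKeyedCipherProvider}
     * @return the initialized cipher
     * @throws IllegalArgumentException if validation fails
     */
    protected Cipher getInitializedCipher(EncryptionMethod encryptionMethod, String password, byte[] salt, byte[] iv, int keyLength, boolean encryptMode) throws Exception {
        if (encryptionMethod == null) {
            throw new IllegalArgumentException("The encryption method must be specified");
        }
        if (!encryptionMethod.isCompatibleWithStrongKDFs()) {
            throw new IllegalArgumentException(encryptionMethod.name() + " is not compatible with PBKDF2");
        }
        String algorithm = encryptionMethod.getAlgorithm();
        String cipherName = CipherUtility.parseCipherFromAlgorithm(algorithm);
        if (!CipherUtility.isValidKeyLength(keyLength, cipherName)) {
            throw new IllegalArgumentException(String.valueOf(keyLength) + " is not a valid key length for " + cipherName);
        }
        if (StringUtils.isEmpty(password)) {
            throw new IllegalArgumentException("Encryption with an empty password is not supported");
        }
        if (salt == null || salt.length < DEFAULT_SALT_LENGTH) {
            throw new IllegalArgumentException("The salt must be at least 16 bytes. To generate a salt, use PBKDF2CipherProvider#generateSalt()");
        }

        // The password arrives as an immutable String, so it cannot be wiped here; the
        // UTF-8 encoding is fixed so the derived key does not depend on the platform charset.
        PKCS5S2ParametersGenerator generator = new PKCS5S2ParametersGenerator(this.prf);
        generator.init(password.getBytes(StandardCharsets.UTF_8), salt, getIterationCount());
        byte[] derivedKey = ((KeyParameter) generator.generateDerivedParameters(keyLength)).getKey();

        return new AESKeyedCipherProvider().getCipher(encryptionMethod, new SecretKeySpec(derivedKey, algorithm), iv, encryptMode);
    }

    /**
     * Generates a fresh random salt of {@value #DEFAULT_SALT_LENGTH} bytes from a
     * {@link SecureRandom}.
     *
     * @return the new salt
     */
    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public byte[] generateSalt() {
        byte[] salt = new byte[DEFAULT_SALT_LENGTH];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /**
     * @return the default (and minimum accepted) salt length in bytes
     */
    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public int getDefaultSaltLength() {
        return DEFAULT_SALT_LENGTH;
    }

    /**
     * @return the PBKDF2 iteration count this provider was constructed with
     */
    protected int getIterationCount() {
        return this.iterationCount;
    }

    /**
     * @return the algorithm name reported by the configured digest
     */
    protected String getPRFName() {
        // The constructor always assigns a digest or throws, so the fallback text is a guard only.
        return this.prf != null ? this.prf.getAlgorithmName() : "No PRF enabled";
    }

    /**
     * Maps a PRF name to a Bouncy Castle digest.
     *
     * <p>The name is lower-cased and stripped of non-word characters before matching.
     * Unrecognised names fall back to SHA-512 with a warning instead of failing.
     *
     * @param prfName the requested PRF name
     * @return the matching digest, or a SHA-512 digest if the name is not recognised
     * @throws IllegalArgumentException if {@code prfName} is null or empty
     */
    private Digest resolvePRF(String prfName) {
        if (StringUtils.isEmpty(prfName)) {
            throw new IllegalArgumentException("Cannot resolve empty PRF");
        }
        // Locale.ROOT keeps the normalisation independent of the JVM's default locale.
        String normalized = prfName.toLowerCase(Locale.ROOT).replaceAll("[\\W]+", "");
        logger.debug("Resolved PRF {} to {}", prfName, normalized);
        switch (normalized) {
            case "md5":
                logger.warn("PRF {} is a legacy digest; prefer SHA-256 or stronger for new data", prfName);
                return new MD5Digest();
            case "sha1":
                logger.warn("PRF {} is a legacy digest; prefer SHA-256 or stronger for new data", prfName);
                return new SHA1Digest();
            case "sha384":
                return new SHA384Digest();
            case "sha256":
                return new SHA256Digest();
            case "sha512":
                return new SHA512Digest();
            default:
                logger.warn("Could not resolve PRF {}. Using default PRF {} instead", prfName, DEFAULT_PRF);
                return new SHA512Digest();
        }
    }
}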
