package org.apache.nifi.repository.encryption.configuration.kms;

import java.io.IOException;
import java.util.Objects;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType;
import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.security.kms.KeyProviderFactory;
import org.apache.nifi.security.kms.configuration.FileBasedKeyProviderConfiguration;
import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration;
import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration;
import org.apache.nifi.security.kms.configuration.StaticKeyProviderConfiguration;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.NiFiBootstrapUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;

/* loaded from: input_file:org/apache/nifi/repository/encryption/configuration/kms/StandardRepositoryKeyProviderFactory.class */
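/**
 * Standard {@link RepositoryKeyProviderFactory} that resolves the configured Key Provider for an
 * encrypted repository and builds the matching {@link KeyProvider} from NiFi application properties.
 *
 * <p>Three provider types are handled: keys read directly from application properties
 * ({@code NIFI_PROPERTIES}), keys read from a separate file and unwrapped with the root key taken
 * from the bootstrap file ({@code FILE_PROPERTIES}), and keys held in a password-protected
 * Key Store ({@code KEYSTORE}).
 *
 * <p>Configuration failures are reported as {@link EncryptedConfigurationException}. Messages name
 * the property or provider involved and never include key material or passwords.
 */
public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProviderFactory {
    private static final String ROOT_KEY_ALGORITHM = "AES";

    private static final String KEY_PROVIDER_PROPERTY = "nifi.repository.encryption.key.provider";

    private static final String KEYSTORE_LOCATION_PROPERTY = "nifi.repository.encryption.key.provider.keystore.location";

    private static final String KEYSTORE_PASSWORD_PROPERTY = "nifi.repository.encryption.key.provider.keystore.password";

    /**
     * Get Key Provider for the specified Encrypted Repository Type using the supplied properties.
     *
     * @param encryptedRepositoryType Encrypted Repository Type, required
     * @param niFiProperties NiFi application properties, required
     * @return Key Provider built from the resolved configuration
     * @throws NullPointerException when either argument is null
     * @throws EncryptedConfigurationException when the Key Provider is missing, unknown or cannot be loaded
     */
    @Override
    public KeyProvider getKeyProvider(EncryptedRepositoryType encryptedRepositoryType, NiFiProperties niFiProperties) {
        Objects.requireNonNull(encryptedRepositoryType, "Encrypted Repository Type required");
        Objects.requireNonNull(niFiProperties, "NiFi Properties required");
        final EncryptedRepositoryProperty repositoryProperty = EncryptedRepositoryProperty.fromEncryptedRepositoryType(encryptedRepositoryType);
        final EncryptionKeyProvider encryptionKeyProvider = getEncryptionKeyProvider(repositoryProperty, niFiProperties);
        final KeyProviderConfiguration<?> configuration = getKeyProviderConfiguration(repositoryProperty, encryptionKeyProvider, niFiProperties);
        return KeyProviderFactory.getKeyProvider(configuration);
    }

    /**
     * Resolve the Key Provider type. The shared provider property takes precedence; when it is blank,
     * the repository-specific implementation class property is consulted instead.
     */
    private EncryptionKeyProvider getEncryptionKeyProvider(EncryptedRepositoryProperty encryptedRepositoryProperty, NiFiProperties niFiProperties) {
        final String sharedProvider = niFiProperties.getProperty(KEY_PROVIDER_PROPERTY);
        // Name actually used for the lookup, kept so that a failure reports the configured value
        // instead of the blank shared property.
        final String configuredProvider;
        EncryptionKeyProvider encryptionKeyProvider;

        if (StringUtils.isBlank(sharedProvider)) {
            final String classProperty = encryptedRepositoryProperty.getImplementationClass();
            final String implementationClass = niFiProperties.getProperty(classProperty);
            if (StringUtils.isBlank(implementationClass)) {
                throw new EncryptedConfigurationException(String.format("Key Provider Property [%s] not configured", classProperty));
            }
            configuredProvider = implementationClass;
            encryptionKeyProvider = EncryptionKeyProvider.fromImplementationClass(implementationClass);
        } else {
            configuredProvider = sharedProvider;
            try {
                encryptionKeyProvider = EncryptionKeyProvider.valueOf(sharedProvider);
            } catch (IllegalArgumentException e) {
                // Keep the cause so the rejected value can be traced from the stack trace.
                throw new EncryptedConfigurationException(
                        String.format("Key Provider [%s] not supported for Repository Type [%s] ", sharedProvider, encryptedRepositoryProperty.getEncryptedRepositoryType()), e);
            }
        }

        if (encryptionKeyProvider == null) {
            throw new EncryptedConfigurationException(
                    String.format("Key Provider [%s] not found for Repository Type [%s] ", configuredProvider, encryptedRepositoryProperty.getEncryptedRepositoryType()));
        }
        return encryptionKeyProvider;
    }

    /**
     * Build the provider-specific configuration for the resolved Key Provider type.
     *
     * @throws UnsupportedOperationException when the provider type is not one of the three handled here
     * @throws EncryptedConfigurationException when Key Store settings are missing or the Key Store cannot be loaded
     */
    private KeyProviderConfiguration<?> getKeyProviderConfiguration(EncryptedRepositoryProperty encryptedRepositoryProperty, EncryptionKeyProvider encryptionKeyProvider, NiFiProperties niFiProperties) {
        if (EncryptionKeyProvider.NIFI_PROPERTIES == encryptionKeyProvider) {
            return new StaticKeyProviderConfiguration(niFiProperties.getRepositoryEncryptionKeys(encryptedRepositoryProperty.getPropertyType()));
        }
        if (EncryptionKeyProvider.FILE_PROPERTIES == encryptionKeyProvider) {
            final String keyFileLocation = niFiProperties.getProperty(encryptedRepositoryProperty.getLocation());
            return new FileBasedKeyProviderConfiguration(keyFileLocation, getRootKey());
        }
        if (EncryptionKeyProvider.KEYSTORE != encryptionKeyProvider) {
            throw new UnsupportedOperationException(String.format("Key Provider [%s] not supported", encryptionKeyProvider));
        }

        final String providerPassword = getProviderPassword(encryptedRepositoryProperty, niFiProperties);
        if (StringUtils.isBlank(providerPassword)) {
            throw new EncryptedConfigurationException("Key Provider Password not configured");
        }
        final String providerLocation = getProviderLocation(encryptedRepositoryProperty, niFiProperties);
        if (StringUtils.isBlank(providerLocation)) {
            // Fail with a configuration error, matching the password check, instead of letting a
            // missing path surface later from Key Store type detection or loading.
            throw new EncryptedConfigurationException("Key Provider Location not configured");
        }

        // The same array is passed to the Key Store loader and to the configuration object, so it is
        // not cleared here. NOTE(review): presumably the configuration retains it for key access - confirm.
        final char[] keyStorePassword = providerPassword.toCharArray();
        try {
            final String keyStoreType = KeyStoreUtils.getKeystoreTypeFromExtension(providerLocation).getType();
            return new KeyStoreKeyProviderConfiguration(KeyStoreUtils.loadSecretKeyStore(providerLocation, keyStorePassword, keyStoreType), keyStorePassword);
        } catch (TlsException e) {
            throw new EncryptedConfigurationException("Key Store Provider loading failed", e);
        }
    }

    /** Key Store location: repository-specific property first, shared Key Store location as fallback. */
    private String getProviderLocation(EncryptedRepositoryProperty encryptedRepositoryProperty, NiFiProperties niFiProperties) {
        final String sharedLocation = niFiProperties.getProperty(KEYSTORE_LOCATION_PROPERTY);
        return niFiProperties.getProperty(encryptedRepositoryProperty.getLocation(), sharedLocation);
    }

    /** Key Store password: repository-specific property first, shared Key Store password as fallback. */
    private String getProviderPassword(EncryptedRepositoryProperty encryptedRepositoryProperty, NiFiProperties niFiProperties) {
        final String sharedPassword = niFiProperties.getProperty(KEYSTORE_PASSWORD_PROPERTY);
        return niFiProperties.getProperty(encryptedRepositoryProperty.getPassword(), sharedPassword);
    }

    /**
     * Read the hexadecimal root key from the bootstrap file and wrap it as an AES key.
     *
     * @throws EncryptedConfigurationException when the bootstrap file cannot be read, the value is not
     *         valid hexadecimal, or no key bytes are present
     */
    private static SecretKey getRootKey() {
        byte[] rootKeyBytes;
        try {
            rootKeyBytes = Hex.decodeHex(NiFiBootstrapUtils.extractKeyFromBootstrapFile());
        } catch (IOException | DecoderException e) {
            throw new EncryptedConfigurationException("Read Root Key from Bootstrap Failed", e);
        }
        if (rootKeyBytes.length == 0) {
            // SecretKeySpec rejects an empty key with IllegalArgumentException; report it as a
            // configuration problem so callers see one exception type for a missing root key.
            throw new EncryptedConfigurationException("Root Key not found in Bootstrap");
        }
        return new SecretKeySpec(rootKeyBytes, ROOT_KEY_ALGORITHM);
    }
}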
