package org.apache.nifi.repository.encryption.configuration.kms;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import org.apache.nifi.repository.encryption.configuration.EncryptedRepositoryType;
import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.security.kms.KeyProviderFactory;
import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration;
import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration;
import org.apache.nifi.security.util.KeystoreType;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:org/apache/nifi/repository/encryption/configuration/kms/StandardRepositoryKeyProviderFactory.class */
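/**
 * Builds the {@link KeyProvider} used for encrypted repositories from the
 * {@code nifi.repository.encryption.key.provider*} application properties.
 *
 * <p>Only the {@code KEYSTORE} provider is handled here. The KeyStore type is chosen from the
 * file extension of the configured location, and only types that can hold secret keys
 * (BCFKS and PKCS12) are accepted by {@link #getSecretKeyStore(KeystoreType)}.
 */
public class StandardRepositoryKeyProviderFactory implements RepositoryKeyProviderFactory {
    private static final String KEY_PROVIDER_PROPERTY = "nifi.repository.encryption.key.provider";

    private static final String KEYSTORE_PASSWORD_PROPERTY = "nifi.repository.encryption.key.provider.keystore.password";

    private static final String KEYSTORE_LOCATION_PROPERTY = "nifi.repository.encryption.key.provider.keystore.location";

    // Extensions are lower-case and are compared case-sensitively against the configured path.
    // JKS is recognised by extension so that it is rejected explicitly by getSecretKeyStore()
    // instead of being silently opened as the PKCS12 default.
    private static final Map<KeystoreType, String> KEY_STORE_EXTENSIONS = Map.of(KeystoreType.BCFKS, ".bcfks", KeystoreType.JKS, ".jks", KeystoreType.PKCS12, ".p12");

    /**
     * Returns the Key Provider configured for the given repository type.
     *
     * @param encryptedRepositoryType repository type, used in error messages; must not be null
     * @param niFiProperties application properties holding the key provider settings; must not be null
     * @return Key Provider created by {@link KeyProviderFactory}
     * @throws NullPointerException if either argument is null
     * @throws EncryptedConfigurationException if the provider, password or KeyStore location is
     *         missing or invalid, or the KeyStore cannot be loaded
     * @throws UnsupportedOperationException if the configured provider is not {@code KEYSTORE}
     */
    @Override
    public KeyProvider getKeyProvider(EncryptedRepositoryType encryptedRepositoryType, NiFiProperties niFiProperties) {
        Objects.requireNonNull(encryptedRepositoryType, "Encrypted Repository Type required");
        Objects.requireNonNull(niFiProperties, "NiFi Properties required");
        EncryptionKeyProvider encryptionKeyProvider = getEncryptionKeyProvider(encryptedRepositoryType, niFiProperties);
        KeyProviderConfiguration<?> configuration = getKeyProviderConfiguration(encryptionKeyProvider, niFiProperties);
        return KeyProviderFactory.getKeyProvider(configuration);
    }

    /**
     * Resolves the configured provider name to an {@link EncryptionKeyProvider} constant.
     * The name must match an enum constant exactly; {@code valueOf} is case-sensitive.
     */
    private EncryptionKeyProvider getEncryptionKeyProvider(EncryptedRepositoryType encryptedRepositoryType, NiFiProperties niFiProperties) {
        String providerName = niFiProperties.getProperty(KEY_PROVIDER_PROPERTY);
        if (StringUtils.isBlank(providerName)) {
            throw new EncryptedConfigurationException(String.format("Key Provider [%s] not configured for Repository Type [%s] ", providerName, encryptedRepositoryType));
        }
        try {
            return EncryptionKeyProvider.valueOf(providerName);
        } catch (IllegalArgumentException e) {
            // Keep the cause so the original failure is visible in the stack trace.
            throw new EncryptedConfigurationException(String.format("Key Provider [%s] not supported for Repository Type [%s] ", providerName, encryptedRepositoryType), e);
        }
    }

    /**
     * Reads the KeyStore password and location, loads the KeyStore and wraps it in a
     * {@link KeyStoreKeyProviderConfiguration}.
     */
    private KeyProviderConfiguration<?> getKeyProviderConfiguration(EncryptionKeyProvider encryptionKeyProvider, NiFiProperties niFiProperties) {
        if (EncryptionKeyProvider.KEYSTORE != encryptionKeyProvider) {
            throw new UnsupportedOperationException(String.format("Key Provider [%s] not supported", encryptionKeyProvider));
        }
        String password = niFiProperties.getProperty(KEYSTORE_PASSWORD_PROPERTY);
        if (StringUtils.isBlank(password)) {
            throw new EncryptedConfigurationException("Key Provider Password not configured");
        }
        String location = niFiProperties.getProperty(KEYSTORE_LOCATION_PROPERTY);
        if (StringUtils.isBlank(location)) {
            // Without this check a missing location surfaces as a NullPointerException
            // while the file extension is being inspected.
            throw new EncryptedConfigurationException("Key Provider KeyStore Location not configured");
        }
        // The same array is handed to the returned configuration, so it is not cleared here.
        // The password also stays reachable as the String read from the properties, which
        // makes the permissions on the properties file and the KeyStore file the real control.
        char[] passwordChars = password.toCharArray();
        try {
            KeyStore keyStore = loadSecretKeyStore(location, passwordChars, getKeystoreTypeFromExtension(location));
            return new KeyStoreKeyProviderConfiguration(keyStore, passwordChars);
        } catch (GeneralSecurityException e) {
            throw new EncryptedConfigurationException("Key Store Provider loading failed", e);
        }
    }

    /**
     * Picks the KeyStore type from the file extension of the path, defaulting to PKCS12
     * when no known extension matches.
     */
    private KeystoreType getKeystoreTypeFromExtension(String str) {
        for (Map.Entry<KeystoreType, String> entry : KEY_STORE_EXTENSIONS.entrySet()) {
            if (str.endsWith(entry.getValue())) {
                return entry.getKey();
            }
        }
        return KeystoreType.PKCS12;
    }

    /**
     * Opens the file at the given path and loads it into a KeyStore of the requested type.
     *
     * @throws GeneralSecurityException if the type cannot hold secret keys, the file cannot be
     *         read, or {@link KeyStore#load} rejects the content; {@code KeyStore.load} reports
     *         an incorrect password as an {@link IOException}, which is wrapped here
     */
    private KeyStore loadSecretKeyStore(String str, char[] cArr, KeystoreType keystoreType) throws GeneralSecurityException {
        KeyStore secretKeyStore = getSecretKeyStore(keystoreType);
        // try-with-resources closes the stream on the failure path as well, so a bad
        // password or corrupt file does not leak a file descriptor.
        try (FileInputStream fileInputStream = new FileInputStream(str)) {
            secretKeyStore.load(fileInputStream, cArr);
            return secretKeyStore;
        } catch (IOException e) {
            throw new GeneralSecurityException("KeyStore loading failed [%s]".formatted(str), e);
        }
    }

    /**
     * Returns an empty KeyStore instance for a type that supports secret keys.
     *
     * @param keystoreType BCFKS (served by the Bouncy Castle provider) or PKCS12; must not be null
     * @return unloaded KeyStore of the requested type
     * @throws KeyStoreException if the type is neither BCFKS nor PKCS12, or no provider
     *         supplies the requested type
     * @throws NullPointerException if {@code keystoreType} is null
     */
    public static KeyStore getSecretKeyStore(KeystoreType keystoreType) throws KeyStoreException {
        Objects.requireNonNull(keystoreType, "Keystore Type required");
        if (KeystoreType.BCFKS == keystoreType) {
            return KeyStore.getInstance(keystoreType.getType(), (Provider) new BouncyCastleProvider());
        }
        if (KeystoreType.PKCS12 == keystoreType) {
            return KeyStore.getInstance(keystoreType.getType());
        }
        throw new KeyStoreException(String.format("Keystore Type [%s] does not support Secret Keys", keystoreType.getType()));
    }
}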
