package org.apache.nifi.registry.properties;

import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.security.crypto.CryptoKeyProvider;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.DecoderException;
import org.bouncycastle.util.encoders.EncoderException;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/registry/properties/AESSensitivePropertyProvider.class */
public class AESSensitivePropertyProvider implements SensitivePropertyProvider {
    private static final String IMPLEMENTATION_NAME = "AES Sensitive Property Provider";
    private static final String IMPLEMENTATION_KEY = "aes/gcm/";
    private static final String ALGORITHM = "AES/GCM/NoPadding";
    private static final String PROVIDER = "BC";
    private static final int IV_LENGTH = 12;
    private Cipher cipher;
    private final SecretKey key;
    private static final Logger logger = LoggerFactory.getLogger(AESSensitivePropertyProvider.class);
    private static final String DELIMITER = "||";
    private static final int MIN_CIPHER_TEXT_LENGTH = (16 + DELIMITER.length()) + 1;

    public AESSensitivePropertyProvider(String str) throws NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException {
        byte[] validateKey = validateKey(str);
        try {
            Security.addProvider(new BouncyCastleProvider());
            this.cipher = Cipher.getInstance(ALGORITHM, PROVIDER);
            this.key = new SecretKeySpec(validateKey, "AES");
        } catch (NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException e) {
            logger.error("Encountered an error initializing the {}: {}", IMPLEMENTATION_NAME, e.getMessage());
            throw new SensitivePropertyProtectionException("Error initializing the protection cipher", e);
        }
    }

    private byte[] validateKey(String str) {
        if (str == null || StringUtils.isBlank(str)) {
            throw new SensitivePropertyProtectionException("The key cannot be empty");
        }
        String formatHexKey = formatHexKey(str);
        if (!isHexKeyValid(formatHexKey)) {
            throw new SensitivePropertyProtectionException("The key must be a valid hexadecimal key");
        }
        byte[] decode = Hex.decode(formatHexKey);
        List<Integer> validKeyLengths = getValidKeyLengths();
        if (validKeyLengths.contains(Integer.valueOf(decode.length * 8))) {
            return decode;
        }
        throw new SensitivePropertyProtectionException("The key (" + (decode.length * 8) + " bits) must be a valid length: " + StringUtils.join((List) validKeyLengths.stream().map(num -> {
            return Integer.toString(num.intValue());
        }).collect(Collectors.toList()), ", "));
    }

    public AESSensitivePropertyProvider(byte[] bArr) throws NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException {
        this(bArr == null ? CryptoKeyProvider.EMPTY_KEY : Hex.toHexString(bArr));
    }

    private static String formatHexKey(String str) {
        return (str == null || StringUtils.isBlank(str)) ? CryptoKeyProvider.EMPTY_KEY : str.replaceAll("[^0-9a-fA-F]", CryptoKeyProvider.EMPTY_KEY).toLowerCase();
    }

    private static boolean isHexKeyValid(String str) {
        return str != null && !StringUtils.isBlank(str) && getValidKeyLengths().contains(Integer.valueOf(str.length() * 4)) && str.matches("^[0-9a-fA-F]*$");
    }

    private static List<Integer> getValidKeyLengths() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(128);
        try {
            if (Cipher.getMaxAllowedKeyLength("AES") > 128) {
                arrayList.add(192);
                arrayList.add(256);
            } else {
                logger.warn("JCE Unlimited Strength Cryptography Jurisdiction policies are not available, so the max key length is 128 bits");
            }
        } catch (NoSuchAlgorithmException e) {
            logger.warn("Encountered an error determining the max key length", e);
        }
        return arrayList;
    }

    @Override // org.apache.nifi.registry.properties.SensitivePropertyProvider
    public String getName() {
        return IMPLEMENTATION_NAME;
    }

    @Override // org.apache.nifi.registry.properties.SensitivePropertyProvider
    public String getIdentifierKey() {
        return IMPLEMENTATION_KEY + getKeySize(Hex.toHexString(this.key.getEncoded()));
    }

    private int getKeySize(String str) {
        if (StringUtils.isBlank(str)) {
            return 0;
        }
        return formatHexKey(str).length() * 4;
    }

    @Override // org.apache.nifi.registry.properties.SensitivePropertyProvider
    public String protect(String str) throws SensitivePropertyProtectionException {
        if (str == null || str.trim().length() == 0) {
            throw new IllegalArgumentException("Cannot encrypt an empty value");
        }
        byte[] generateIV = generateIV();
        if (generateIV.length < IV_LENGTH) {
            throw new IllegalArgumentException("The IV (" + generateIV.length + " bytes) must be at least " + IV_LENGTH + " bytes");
        }
        try {
            this.cipher.init(1, this.key, new IvParameterSpec(generateIV));
            byte[] doFinal = this.cipher.doFinal(str.getBytes(StandardCharsets.UTF_8));
            logger.info(getName() + " encrypted a sensitive value successfully");
            return base64Encode(generateIV) + DELIMITER + base64Encode(doFinal);
        } catch (BadPaddingException | IllegalBlockSizeException | EncoderException | InvalidAlgorithmParameterException | InvalidKeyException e) {
            logger.error("Error encrypting a protected value", e);
            throw new SensitivePropertyProtectionException("Error encrypting a protected value", e);
        }
    }

    private String base64Encode(byte[] bArr) {
        return Base64.toBase64String(bArr).replaceAll("=", CryptoKeyProvider.EMPTY_KEY);
    }

    private byte[] generateIV() {
        byte[] bArr = new byte[IV_LENGTH];
        new SecureRandom().nextBytes(bArr);
        return bArr;
    }

    @Override // org.apache.nifi.registry.properties.SensitivePropertyProvider
    public String unprotect(String str) throws SensitivePropertyProtectionException {
        if (str == null || str.trim().length() < MIN_CIPHER_TEXT_LENGTH) {
            throw new IllegalArgumentException("Cannot decrypt a cipher text shorter than " + MIN_CIPHER_TEXT_LENGTH + " chars");
        }
        if (!str.contains(DELIMITER)) {
            throw new IllegalArgumentException("The cipher text does not contain the delimiter || -- it should be of the form Base64(IV) || Base64(cipherText)");
        }
        String trim = str.trim();
        byte[] decode = Base64.decode(trim.substring(0, trim.indexOf(DELIMITER)));
        if (decode.length < IV_LENGTH) {
            throw new IllegalArgumentException("The IV (" + decode.length + " bytes) must be at least " + IV_LENGTH + " bytes");
        }
        String substring = trim.substring(trim.indexOf(DELIMITER) + 2);
        if (substring.length() % 4 != 0) {
            substring = StringUtils.rightPad(substring, (substring.length() + 4) - (substring.length() % 4), '=');
        }
        try {
            byte[] decode2 = Base64.decode(substring);
            this.cipher.init(2, this.key, new IvParameterSpec(decode));
            byte[] doFinal = this.cipher.doFinal(decode2);
            logger.debug(getName() + " decrypted a sensitive value successfully");
            return new String(doFinal, StandardCharsets.UTF_8);
        } catch (BadPaddingException | IllegalBlockSizeException | DecoderException | InvalidAlgorithmParameterException | InvalidKeyException e) {
            logger.error("Error decrypting a protected value", e);
            throw new SensitivePropertyProtectionException("Error decrypting a protected value", e);
        }
    }

    public static int getIvLength() {
        return IV_LENGTH;
    }

    public static int getMinCipherTextLength() {
        return MIN_CIPHER_TEXT_LENGTH;
    }

    public static String getDelimiter() {
        return DELIMITER;
    }
}
