package org.springframework.content.encryption;

import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.data.util.Pair;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.VaultTransitOperations;

/* loaded from: input_file:org/springframework/content/encryption/EnvelopeEncryptionService.class */
public class EnvelopeEncryptionService {
    private static KeyGenerator KEY_GENERATOR;
    private static String transformation = "AES/CTR/NoPadding";
    private static final String AES = "AES";
    private final VaultOperations vaultOperations;
    private final SecureRandom secureRandom = new SecureRandom();

    /* loaded from: input_file:org/springframework/content/encryption/EnvelopeEncryptionService$OffsetSkipInputStream.class */
    public class OffsetSkipInputStream extends FilterInputStream {
        private static final int MAX_SKIP_BUFFER_SIZE = 2048;
        private final int offset;

        protected OffsetSkipInputStream(InputStream inputStream, int i) {
            super(inputStream);
            this.offset = i;
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public long skip(long j) throws IOException {
            int read;
            long j2 = this.offset;
            if (j <= 0) {
                return 0L;
            }
            int min = (int) Math.min(2048L, j2);
            byte[] bArr = new byte[min];
            while (j2 > 0 && (read = this.in.read(bArr, 0, (int) Math.min(min, j2))) >= 0) {
                j2 -= read;
            }
            return j - j2;
        }
    }

    /* loaded from: input_file:org/springframework/content/encryption/EnvelopeEncryptionService$ZeroOffsetSkipInputStream.class */
    public class ZeroOffsetSkipInputStream extends FilterInputStream {
        private static final int MAX_SKIP_BUFFER_SIZE = 2048;

        protected ZeroOffsetSkipInputStream(InputStream inputStream) {
            super(inputStream);
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public long skip(long j) throws IOException {
            int read;
            long j2 = j;
            if (j <= 0) {
                return 0L;
            }
            int min = (int) Math.min(2048L, j2);
            byte[] bArr = new byte[min];
            while (j2 > 0 && (read = this.in.read(bArr, 0, (int) Math.min(min, j2))) >= 0) {
                j2 -= read;
            }
            return j - j2;
        }
    }

    public EnvelopeEncryptionService(VaultOperations vaultOperations) {
        this.vaultOperations = vaultOperations;
    }

    private CipherInputStream encryptMessage(InputStream inputStream, SecretKey secretKey, byte[] bArr) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException {
        Cipher cipher = Cipher.getInstance(transformation);
        SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getEncoded(), AES);
        byte[] bArr2 = new byte[16];
        System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
        cipher.init(1, secretKeySpec, new IvParameterSpec(bArr2));
        return new CipherInputStream(inputStream, cipher);
    }

    public Pair<CipherInputStream, byte[]> encrypt(InputStream inputStream, String str) {
        try {
            SecretKey generateDataKey = generateDataKey();
            byte[] bArr = new byte[12];
            this.secureRandom.nextBytes(bArr);
            VaultTransitOperations opsForTransit = this.vaultOperations.opsForTransit();
            String encodeToString = Base64.getEncoder().encodeToString(generateDataKey.getEncoded());
            opsForTransit.createKey(str);
            String encrypt = opsForTransit.encrypt(str, encodeToString);
            byte[] bArr2 = new byte[117];
            System.arraycopy(encrypt.getBytes("UTF-8"), 0, bArr2, 0, 105);
            System.arraycopy(bArr, 0, bArr2, 105, 12);
            return Pair.of(encryptMessage(inputStream, generateDataKey, bArr), bArr2);
        } catch (Exception e) {
            throw new RuntimeException("unable to encrypt", e);
        }
    }

    private SecretKey generateDataKey() {
        return KEY_GENERATOR.generateKey();
    }

    private InputStream decryptInputStream(SecretKeySpec secretKeySpec, byte[] bArr, int i, InputStream inputStream) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, IOException, InvalidAlgorithmParameterException {
        IvParameterSpec ivParameterSpec;
        Cipher cipher = Cipher.getInstance(transformation);
        byte[] bArr2 = new byte[16];
        System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
        byte[] byteArray = new BigInteger(1, bArr2).add(BigInteger.valueOf((i - (i % 16)) / 16)).toByteArray();
        if (byteArray.length >= 16) {
            ivParameterSpec = new IvParameterSpec(byteArray, byteArray.length - 16, 16);
        } else {
            byte[] bArr3 = new byte[16];
            System.arraycopy(byteArray, 0, bArr3, 16 - byteArray.length, byteArray.length);
            ivParameterSpec = new IvParameterSpec(bArr3);
        }
        cipher.init(1, secretKeySpec, ivParameterSpec);
        FilterInputStream cipherInputStream = new CipherInputStream(inputStream, cipher);
        FilterInputStream filterInputStream = cipherInputStream;
        if (i == 0) {
            filterInputStream = new ZeroOffsetSkipInputStream(cipherInputStream);
        } else if (i > 0) {
            filterInputStream = new OffsetSkipInputStream(cipherInputStream, i % 16);
        }
        return filterInputStream;
    }

    private SecretKeySpec decryptKey(byte[] bArr, String str) {
        return new SecretKeySpec(Base64.getDecoder().decode(this.vaultOperations.opsForTransit().decrypt(str, new String(bArr))), AES);
    }

    public InputStream decrypt(byte[] bArr, InputStream inputStream, int i, String str) {
        byte[] bArr2 = new byte[105];
        System.arraycopy(bArr, 0, bArr2, 0, 105);
        byte[] bArr3 = new byte[12];
        System.arraycopy(bArr, 105, bArr3, 0, 12);
        try {
            return decryptInputStream(decryptKey(bArr2, str), bArr3, i, inputStream);
        } catch (Exception e) {
            throw new RuntimeException("unable to decrypt", e);
        }
    }

    public void rotate(String str) {
        this.vaultOperations.opsForTransit().rotate(str);
    }

    static {
        try {
            KEY_GENERATOR = KeyGenerator.getInstance(AES);
            KEY_GENERATOR.init(256, new SecureRandom());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }
}
