package org.apache.james.blob.objectstorage.crypto;

import com.google.crypto.tink.subtle.AesGcmHkdfStreaming;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/* loaded from: input_file:org/apache/james/blob/objectstorage/crypto/PBKDF2StreamingAeadFactory.class */
public class PBKDF2StreamingAeadFactory {
    private static final int PBKDF2_ITERATIONS = 65536;
    private static final int KEY_SIZE = 256;
    private static final String SECRET_KEY_FACTORY_ALGORITHM = "PBKDF2WithHmacSHA1";
    private static final String HKDF_ALGO = "HmacSha256";
    private static final int KEY_SIZE_IN_BYTES = 32;
    private static final int SEGMENT_SIZE = 4096;
    private static final int OFFSET = 0;
    public static final byte[] EMPTY_ASSOCIATED_DATA = new byte[OFFSET];

    public static AesGcmHkdfStreaming newAesGcmHkdfStreaming(CryptoConfig cryptoConfig) {
        try {
            return new AesGcmHkdfStreaming(deriveKey(cryptoConfig).getEncoded(), HKDF_ALGO, KEY_SIZE_IN_BYTES, SEGMENT_SIZE, OFFSET);
        } catch (GeneralSecurityException e) {
            throw new CryptoException("Incorrect crypto setup", e);
        }
    }

    private static SecretKey deriveKey(CryptoConfig cryptoConfig) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_ALGORITHM).generateSecret(new PBEKeySpec(cryptoConfig.password(), cryptoConfig.salt(), PBKDF2_ITERATIONS, KEY_SIZE));
    }
}
