package org.apache.james.blob.objectstorage;

import com.google.common.io.ByteSource;
import com.google.common.io.FileBackedOutputStream;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.subtle.AesGcmJce;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Optional;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.james.blob.objectstorage.crypto.CryptoConfig;
import org.jclouds.io.Payloads;

/* loaded from: input_file:org/apache/james/blob/objectstorage/AESPayloadCodec.class */
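/**
 * {@link PayloadCodec} that encrypts blobs with AES-GCM (Tink's {@link AesGcmJce}) before they are
 * handed to the object store, and decrypts them on the way back.
 *
 * <p>The 256-bit AES key is derived once, at construction time, from the password and salt held by
 * the {@link CryptoConfig} using PBKDF2WithHmacSHA256 with 65536 iterations. Every blob written by
 * this instance is therefore protected by the same key.
 *
 * <p>Security-relevant properties a reviewer should keep in mind:
 * <ul>
 *   <li>The associated data is always empty, so a ciphertext is not bound to the blob id or bucket
 *       it is stored under. The GCM tag detects modification of a blob, but not one valid
 *       ciphertext being substituted for another in the store.</li>
 *   <li>Both directions buffer the whole payload in memory ({@code IOUtils.toByteArray}); payload
 *       size should be bounded upstream.</li>
 *   <li>NOTE(review): AesGcmJce is expected to prepend a fresh random IV on every encrypt call;
 *       confirm against the Tink version in use, and consider the random-nonce message limit
 *       for a single long-lived key.</li>
 *   <li>NOTE(review): the iteration count is a fixed constant; confirm it still matches current
 *       guidance for PBKDF2-HMAC-SHA256 before relying on a low-entropy password.</li>
 * </ul>
 */
public class AESPayloadCodec implements PayloadCodec {
    private static final int PBKDF2_ITERATIONS = 65536;
    private static final int KEY_SIZE = 256;
    private static final String SECRET_KEY_FACTORY_ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final byte[] EMPTY_ASSOCIATED_DATA = new byte[0];
    // In-memory threshold handed to FileBackedOutputStream; larger ciphertexts spill to a temp file.
    private static final BigInteger MAX_BYTES = FileUtils.ONE_MB_BI;

    private final Aead aead;

    /**
     * Derives the AES key from {@code cryptoConfig} and prepares the AEAD primitive.
     *
     * @param cryptoConfig source of the password and salt used for key derivation
     * @throws RuntimeException if Tink registration or key derivation fails
     */
    public AESPayloadCodec(CryptoConfig cryptoConfig) {
        try {
            AeadConfig.register();
            this.aead = new AesGcmJce(deriveKey(cryptoConfig).getEncoded());
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Error while starting AESPayloadCodec", e);
        }
    }

    /**
     * Runs PBKDF2WithHmacSHA256 over the configured password and salt to produce a 256-bit key.
     *
     * @param cryptoConfig source of the password and salt
     * @return the derived secret key
     * @throws NoSuchAlgorithmException if the JCE provider lacks PBKDF2WithHmacSHA256
     * @throws InvalidKeySpecException if the key specification is rejected by the factory
     */
    private static SecretKey deriveKey(CryptoConfig cryptoConfig) throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec keySpec = new PBEKeySpec(cryptoConfig.password(), cryptoConfig.salt(), PBKDF2_ITERATIONS, KEY_SIZE);
        try {
            return SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_ALGORITHM).generateSecret(keySpec);
        } finally {
            // PBEKeySpec keeps its own copy of the password; wipe it once the key exists so the
            // copy does not linger on the heap.
            keySpec.clearPassword();
        }
    }

    /**
     * Encrypts an in-memory blob.
     *
     * @param bArr plaintext bytes
     * @return payload wrapping the ciphertext and its length
     */
    @Override
    public Payload write(byte[] bArr) {
        return write(new ByteArrayInputStream(bArr));
    }

    /**
     * Reads {@code inputStream} to its end, encrypts the bytes and wraps the ciphertext in a payload.
     * The stream is not closed here; it remains the caller's responsibility.
     *
     * @param inputStream plaintext source, fully buffered in memory before encryption
     * @return payload wrapping the ciphertext and its length
     * @throws RuntimeException if reading, encrypting or buffering the ciphertext fails
     */
    @Override
    public Payload write(InputStream inputStream) {
        try {
            // Encrypt before allocating the output buffer so a crypto failure leaves nothing open.
            byte[] ciphertext = this.aead.encrypt(IOUtils.toByteArray(inputStream), EMPTY_ASSOCIATED_DATA);
            // try-with-resources closes the buffer on the failure path as well as on success.
            // Only ciphertext is ever written to it, so a spill to disk holds no plaintext.
            // NOTE(review): the temp file created past the threshold is not reset here; confirm
            // what removes it once the returned payload has been consumed.
            try (FileBackedOutputStream encryptedBuffer = new FileBackedOutputStream(MAX_BYTES.intValue())) {
                encryptedBuffer.write(ciphertext);
                ByteSource encryptedSource = encryptedBuffer.asByteSource();
                return new Payload(Payloads.newByteSourcePayload(encryptedSource), Optional.of(encryptedSource.size()));
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException("Unable to build payload for object storage, failed to encrypt", e);
        }
    }

    /**
     * Reads the whole stored payload, verifies its GCM tag and returns the plaintext.
     *
     * @param payload encrypted payload fetched from the object store
     * @return stream over the decrypted bytes
     * @throws IOException if the payload cannot be read, or if decryption fails. A failure here is
     *     reported as "Incorrect crypto setup", but the same exception is raised for a blob that
     *     was modified or truncated in storage, so it should be treated as a possible integrity
     *     event and not only as a configuration error.
     */
    @Override
    public InputStream read(Payload payload) throws IOException {
        // Close the stream opened on the stored payload once its bytes have been copied out.
        try (InputStream encryptedStream = payload.getPayload().openStream()) {
            byte[] ciphertext = IOUtils.toByteArray(encryptedStream);
            return new ByteArrayInputStream(this.aead.decrypt(ciphertext, EMPTY_ASSOCIATED_DATA));
        } catch (GeneralSecurityException e) {
            throw new IOException("Incorrect crypto setup", e);
        }
    }
}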
