package org.apache.nifi.security.repository;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.KeyManagementException;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import org.apache.nifi.security.kms.CryptoUtils;
import org.apache.nifi.security.kms.EncryptionException;
import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.security.kms.KeyProviderFactory;
import org.apache.nifi.security.repository.config.RepositoryEncryptionConfiguration;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider;
import org.apache.nifi.stream.io.NonCloseableInputStream;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.12.0.jar:org/apache/nifi/security/repository/RepositoryEncryptorUtils.class */
public class RepositoryEncryptorUtils {
    private static final int CONTENT_HEADER_SIZE = 2;
    private static final int IV_LENGTH = 16;
    private static final int MIN_METADATA_LENGTH = 22;
    private static final String EWAPR_CLASS_NAME = "org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository";
    private static final Logger logger = LoggerFactory.getLogger(RepositoryEncryptorUtils.class);
    private static final byte[] EMPTY_IV = new byte[16];
    private static final String VERSION = "v1";
    private static final List<String> SUPPORTED_VERSIONS = Arrays.asList(VERSION);
    private static final int METADATA_DEFAULT_LENGTH = (53 + VERSION.length()) * 2;

    public static byte[] serializeEncryptionMetadata(RepositoryObjectEncryptionMetadata repositoryObjectEncryptionMetadata) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(repositoryObjectEncryptionMetadata);
        objectOutputStream.close();
        return byteArrayOutputStream.toByteArray();
    }

    public static Cipher initCipher(AESKeyedCipherProvider aESKeyedCipherProvider, EncryptionMethod encryptionMethod, int i, SecretKey secretKey, byte[] bArr) throws EncryptionException {
        try {
            if (encryptionMethod == null || secretKey == null || bArr == null) {
                throw new IllegalArgumentException("Missing critical information");
            }
            return aESKeyedCipherProvider.getCipher(encryptionMethod, secretKey, bArr, i == 1);
        } catch (Exception e) {
            logger.error("Encountered an exception initializing the cipher", e);
            throw new EncryptionException(e);
        }
    }

    public static RepositoryObjectEncryptionMetadata extractEncryptionMetadata(byte[] bArr) throws EncryptionException, IOException, ClassNotFoundException {
        if (bArr == null || bArr.length < 22) {
            throw new EncryptionException("The encrypted record is too short to contain the metadata");
        }
        ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(bArr));
        Throwable th = null;
        try {
            try {
                RepositoryObjectEncryptionMetadata repositoryObjectEncryptionMetadata = (RepositoryObjectEncryptionMetadata) objectInputStream.readObject();
                if (objectInputStream != null) {
                    if (0 != 0) {
                        try {
                            objectInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        objectInputStream.close();
                    }
                }
                return repositoryObjectEncryptionMetadata;
            } finally {
            }
        } catch (Throwable th3) {
            if (objectInputStream != null) {
                if (th != null) {
                    try {
                        objectInputStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    objectInputStream.close();
                }
            }
            throw th3;
        }
    }

    public static RepositoryObjectEncryptionMetadata extractEncryptionMetadata(InputStream inputStream) throws EncryptionException, IOException, ClassNotFoundException {
        if (inputStream == null) {
            throw new EncryptionException("The encrypted record is too short to contain the metadata");
        }
        inputStream.read(new byte[2]);
        ObjectInputStream objectInputStream = new ObjectInputStream(new NonCloseableInputStream(inputStream));
        Throwable th = null;
        try {
            RepositoryObjectEncryptionMetadata repositoryObjectEncryptionMetadata = (RepositoryObjectEncryptionMetadata) objectInputStream.readObject();
            if (objectInputStream != null) {
                if (0 != 0) {
                    try {
                        objectInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    objectInputStream.close();
                }
            }
            return repositoryObjectEncryptionMetadata;
        } catch (Throwable th3) {
            if (objectInputStream != null) {
                if (0 != 0) {
                    try {
                        objectInputStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    objectInputStream.close();
                }
            }
            throw th3;
        }
    }

    public static byte[] extractCipherBytes(byte[] bArr, RepositoryObjectEncryptionMetadata repositoryObjectEncryptionMetadata) {
        return Arrays.copyOfRange(bArr, repositoryObjectEncryptionMetadata.cipherByteLength > 0 ? bArr.length - repositoryObjectEncryptionMetadata.cipherByteLength : repositoryObjectEncryptionMetadata.length() + 2, bArr.length);
    }

    public static boolean isRepositoryEncryptionConfigured(NiFiProperties niFiProperties, RepositoryType repositoryType) {
        switch (repositoryType) {
            case CONTENT:
                return isContentRepositoryEncryptionConfigured(niFiProperties);
            case PROVENANCE:
                return isProvenanceRepositoryEncryptionConfigured(niFiProperties);
            case FLOWFILE:
                return isFlowFileRepositoryEncryptionConfigured(niFiProperties);
            default:
                logger.warn("Repository encryption configuration validation attempted for {}, an invalid repository type", repositoryType);
                return false;
        }
    }

    static boolean isProvenanceRepositoryEncryptionConfigured(NiFiProperties niFiProperties) {
        if (EWAPR_CLASS_NAME.equals(niFiProperties.getProperty("nifi.provenance.repository.implementation"))) {
            return CryptoUtils.isValidKeyProvider(niFiProperties.getProperty("nifi.provenance.repository.encryption.key.provider.implementation"), niFiProperties.getProperty("nifi.provenance.repository.encryption.key.provider.location"), niFiProperties.getProvenanceRepoEncryptionKeyId(), niFiProperties.getProvenanceRepoEncryptionKeys());
        }
        return false;
    }

    static boolean isContentRepositoryEncryptionConfigured(NiFiProperties niFiProperties) {
        if (CryptoUtils.ENCRYPTED_FSR_CLASS_NAME.equals(niFiProperties.getProperty("nifi.content.repository.implementation"))) {
            return CryptoUtils.isValidKeyProvider(niFiProperties.getProperty("nifi.content.repository.encryption.key.provider.implementation"), niFiProperties.getProperty("nifi.content.repository.encryption.key.provider.location"), niFiProperties.getContentRepositoryEncryptionKeyId(), niFiProperties.getContentRepositoryEncryptionKeys());
        }
        return false;
    }

    static boolean isFlowFileRepositoryEncryptionConfigured(NiFiProperties niFiProperties) {
        if (CryptoUtils.EWAFFR_CLASS_NAME.equals(niFiProperties.getProperty("nifi.flowfile.repository.implementation"))) {
            return CryptoUtils.isValidKeyProvider(niFiProperties.getProperty("nifi.flowfile.repository.encryption.key.provider.implementation"), niFiProperties.getProperty("nifi.flowfile.repository.encryption.key.provider.location"), niFiProperties.getFlowFileRepoEncryptionKeyId(), niFiProperties.getFlowFileRepoEncryptionKeys());
        }
        return false;
    }

    private static KeyProvider buildKeyProvider(NiFiProperties niFiProperties, RepositoryType repositoryType) throws KeyManagementException {
        return buildKeyProvider(niFiProperties, null, repositoryType);
    }

    public static KeyProvider buildKeyProvider(NiFiProperties niFiProperties, SecretKey secretKey, RepositoryType repositoryType) throws KeyManagementException {
        return buildKeyProviderFromConfig(secretKey, RepositoryEncryptionConfiguration.fromNiFiProperties(niFiProperties, repositoryType));
    }

    public static KeyProvider buildKeyProviderFromConfig(SecretKey secretKey, RepositoryEncryptionConfiguration repositoryEncryptionConfiguration) throws KeyManagementException {
        if (repositoryEncryptionConfiguration.getKeyProviderImplementation() != null) {
            return KeyProviderFactory.buildKeyProvider(repositoryEncryptionConfiguration, secretKey);
        }
        throw new KeyManagementException("Cannot create key provider because the NiFi properties are missing the following property: " + determineKeyProviderImplementationClassName(repositoryEncryptionConfiguration.getRepositoryType()));
    }

    static String determineKeyProviderImplementationClassName(RepositoryType repositoryType) {
        if (repositoryType == null) {
            logger.warn("Could not determine key provider implementation class name for null repository");
            return "no_such_key_provider_defined";
        }
        switch (repositoryType) {
            case CONTENT:
                return "nifi.content.repository.encryption.key.provider.implementation";
            case PROVENANCE:
                return "nifi.provenance.repository.encryption.key.provider.implementation";
            case FLOWFILE:
                return "nifi.flowfile.repository.encryption.key.provider.implementation";
            default:
                logger.warn("Could not determine key provider implementation class name for " + repositoryType.getName());
                return "no_such_key_provider_defined";
        }
    }

    public static KeyProvider validateAndBuildRepositoryKeyProvider(NiFiProperties niFiProperties, RepositoryType repositoryType) throws IOException {
        if (!isRepositoryEncryptionConfigured(niFiProperties, repositoryType)) {
            throw new IOException("The provided configuration does not support an encrypted " + repositoryType.getName());
        }
        try {
            return KeyProviderFactory.requiresRootKey(niFiProperties.getProperty(determineKeyProviderImplementationClassName(repositoryType))) ? buildKeyProvider(niFiProperties, CryptoUtils.getRootKey(), repositoryType) : buildKeyProvider(niFiProperties, repositoryType);
        } catch (KeyManagementException e) {
            logger.error("Encountered an error building the key provider", e);
            throw new IOException("Encountered an error building the key provider", e);
        }
    }

    public static KeyProvider validateAndBuildRepositoryKeyProvider(RepositoryEncryptionConfiguration repositoryEncryptionConfiguration) throws IOException {
        try {
            return buildKeyProviderFromConfig(KeyProviderFactory.requiresRootKey(repositoryEncryptionConfiguration.getKeyProviderImplementation()) ? CryptoUtils.getRootKey() : null, repositoryEncryptionConfiguration);
        } catch (KeyManagementException e) {
            logger.error("Encountered an error building the key provider", e);
            throw new IOException("Encountered an error building the key provider", e);
        }
    }
}
