package org.apache.nifi.security.repository.stream.aes;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import org.apache.nifi.security.kms.CryptoUtils;
import org.apache.nifi.security.kms.EncryptionException;
import org.apache.nifi.security.repository.AbstractAESEncryptor;
import org.apache.nifi.security.repository.RepositoryEncryptorUtils;
import org.apache.nifi.security.repository.RepositoryObjectEncryptionMetadata;
import org.apache.nifi.security.repository.StreamingEncryptionMetadata;
import org.apache.nifi.security.repository.stream.RepositoryObjectStreamEncryptor;
import org.apache.nifi.security.util.EncryptionMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.13.0.jar:org/apache/nifi/security/repository/stream/aes/RepositoryObjectAESCTREncryptor.class */
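/**
 * Streaming repository encryptor that wraps caller-supplied streams in AES/CTR/NoPadding.
 *
 * <p>On encryption, a cleartext header (a two-byte sentinel followed by the serialized
 * {@link StreamingEncryptionMetadata}: key ID, algorithm, IV and version) is written directly to the
 * underlying stream, and a {@link CipherOutputStream} is returned for the payload. On decryption the
 * metadata is obtained via {@code prepareObjectForDecryption} and a {@link CipherInputStream} is
 * returned.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>CTR mode provides confidentiality only. There is no authentication tag, so modified
 *       ciphertext decrypts without error; integrity must come from another layer.</li>
 *   <li>The header is neither encrypted nor authenticated by this class. {@link #decrypt} uses the
 *       algorithm, IV and key ID found in the metadata, so those values are only as trustworthy as
 *       the storage the stream was read from.</li>
 * </ul>
 */
public class RepositoryObjectAESCTREncryptor extends AbstractAESEncryptor implements RepositoryObjectStreamEncryptor {
    private static final Logger logger = LoggerFactory.getLogger(RepositoryObjectAESCTREncryptor.class);

    /** Marker written immediately before the serialized encryption metadata. */
    private static final byte[] EM_START_SENTINEL = {0, 0};

    /** Cipher transformation used for every object written by this encryptor. */
    private static final String ALGORITHM = "AES/CTR/NoPadding";

    /** Length in bytes of the random IV generated for each encrypted object. */
    private static final int IV_LENGTH = 16;

    private static final String VERSION = "v1";
    private static final List<String> SUPPORTED_VERSIONS = Arrays.asList(VERSION);

    /**
     * Writes the cleartext metadata header to {@code outputStream} and returns a stream that
     * encrypts everything subsequently written to it.
     *
     * @param outputStream the destination stream; must not be {@code null}
     * @param str          the repository object ID; in this method it is used only in log and error messages
     * @param str2         the ID of the key to encrypt with; must be non-empty and known to the key provider
     * @return a {@link CipherOutputStream} wrapping {@code outputStream}
     * @throws EncryptionException if an argument is missing, the key is unavailable, or the cipher
     *                             or header could not be set up
     */
    @Override
    public OutputStream encrypt(OutputStream outputStream, String str, String str2) throws EncryptionException {
        if (outputStream == null || CryptoUtils.isEmpty(str2)) {
            throw new EncryptionException("The streaming repository object and key ID cannot be missing");
        }
        if (this.keyProvider == null || !this.keyProvider.keyExists(str2)) {
            throw new EncryptionException("The requested key ID is not available");
        }

        // A fresh random IV per object: CTR keystream reuse under the same key would expose plaintext.
        final byte[] ivBytes = new byte[IV_LENGTH];
        new SecureRandom().nextBytes(ivBytes);

        try {
            logger.debug("Encrypting streaming repository object {} with key ID {}", str, str2);
            final Cipher cipher = RepositoryEncryptorUtils.initCipher(
                    this.aesKeyedCipherProvider,
                    EncryptionMethod.forAlgorithm(ALGORITHM),
                    Cipher.ENCRYPT_MODE,
                    this.keyProvider.getKey(str2),
                    ivBytes);

            // Record the IV the cipher reports rather than the requested one, so the header always
            // matches what was actually used.
            final byte[] effectiveIv = cipher.getIV();
            final CipherOutputStream encryptingStream = new CipherOutputStream(outputStream, cipher);

            final byte[] serializedMetadata = RepositoryEncryptorUtils.serializeEncryptionMetadata(
                    new StreamingEncryptionMetadata(str2, ALGORITHM, effectiveIv, VERSION));

            // The header goes to the raw stream, not the cipher stream: it is stored in the clear.
            outputStream.write(EM_START_SENTINEL);
            outputStream.write(serializedMetadata);
            outputStream.flush();

            // Only the header has been written at this point; payload encryption happens as the
            // caller writes to the returned stream.
            logger.debug("Encrypted streaming repository object {} with key ID {}", str, str2);
            return encryptingStream;
        } catch (IOException | KeyManagementException | EncryptionException e) {
            final String message = "Encountered an exception encrypting streaming repository object " + str;
            logger.error(message, e);
            throw new EncryptionException(message, e);
        }
    }

    /**
     * Returns a stream that decrypts the payload of {@code inputStream} using the key ID, algorithm
     * and IV from the object's encryption metadata.
     *
     * @param inputStream the stream holding the encrypted repository object
     * @param str         the repository object ID, passed to {@code prepareObjectForDecryption} and used in messages
     * @return a {@link CipherInputStream} wrapping {@code inputStream}
     * @throws EncryptionException if the key named by the metadata is missing or unavailable, or the
     *                             cipher could not be initialised
     */
    @Override
    public InputStream decrypt(InputStream inputStream, String str) throws EncryptionException {
        final RepositoryObjectEncryptionMetadata metadata =
                prepareObjectForDecryption(inputStream, str, "streaming repository object", SUPPORTED_VERSIONS);

        // Reject an empty key ID before handing it to the key provider.
        if (this.keyProvider == null || CryptoUtils.isEmpty(metadata.keyId) || !this.keyProvider.keyExists(metadata.keyId)) {
            throw new EncryptionException("The requested key ID " + metadata.keyId + " is not available");
        }

        try {
            logger.debug("Decrypting streaming repository object with ID {} with key ID {}", str, metadata.keyId);

            // NOTE(review): the transformation comes from the stored metadata, not from ALGORITHM.
            // If only objects written by this class are expected here, consider rejecting any other
            // value - confirm against other writers of this format first.
            final Cipher cipher = RepositoryEncryptorUtils.initCipher(
                    this.aesKeyedCipherProvider,
                    EncryptionMethod.forAlgorithm(metadata.algorithm),
                    Cipher.DECRYPT_MODE,
                    this.keyProvider.getKey(metadata.keyId),
                    metadata.ivBytes);
            final CipherInputStream decryptingStream = new CipherInputStream(inputStream, cipher);

            // Nothing has been decrypted yet; bytes are decrypted as the caller reads. CTR performs no
            // integrity check, so reads succeed even if the ciphertext was altered.
            logger.debug("Decrypted streaming repository object with ID {} with key ID {}", str, metadata.keyId);
            return decryptingStream;
        } catch (KeyManagementException | EncryptionException e) {
            final String message = "Encountered an exception decrypting streaming repository object with ID " + str;
            logger.error(message, e);
            throw new EncryptionException(message, e);
        }
    }

    /**
     * Not implemented by this encryptor.
     *
     * @return always {@code null}; callers must supply the key ID to {@link #encrypt} themselves
     * @throws KeyManagementException never thrown by this implementation
     */
    @Override
    public String getNextKeyId() throws KeyManagementException {
        return null;
    }
}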
