package org.apache.nifi.security.util.crypto;

import com.bazaarvoice.jolt.modifier.TemplatrSpecBuilder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.security.util.EncryptionMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.13.0.jar:org/apache/nifi/security/util/crypto/Argon2CipherProvider.class */
public class Argon2CipherProvider extends RandomIVPBECipherProvider {
    private static final int DEFAULT_PARALLELISM = 8;
    private static final int DEFAULT_MEMORY = 65536;
    private static final int DEFAULT_ITERATIONS = 5;
    private static final int DEFAULT_SALT_LENGTH = 16;
    private final Integer memory;
    private final int parallelism;
    private final Integer iterations;
    private static final Logger logger = LoggerFactory.getLogger(Argon2CipherProvider.class);
    private static final Pattern ARGON2_SALT_FORMAT = Pattern.compile("^\\$argon2id\\$v=19\\$m=\\d+,t=\\d+,p=\\d+\\$[\\w\\+\\/]{22}(?=\\$?)$");

    public Argon2CipherProvider() {
        this(65536, 8, 5);
    }

    public Argon2CipherProvider(Integer num, int i, Integer num2) {
        this.memory = num;
        this.parallelism = i;
        this.iterations = num2;
        if (num.intValue() < 65536) {
            logger.warn("The provided memory size {} KiB is below the recommended minimum {} KiB", num, 65536);
        }
        if (i < 8) {
            logger.warn("The provided parallelization factor {} is below the recommended minimum {}", Integer.valueOf(i), 8);
        }
        if (num2.intValue() < 5) {
            logger.warn("The provided iterations count {} is below the recommended minimum {}", num2, 5);
        }
    }

    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, byte[] bArr2, int i, boolean z) throws Exception {
        try {
            return getInitializedCipher(encryptionMethod, str, bArr, bArr2, i, z);
        } catch (IllegalArgumentException e) {
            throw e;
        } catch (Exception e2) {
            throw new ProcessException("Error initializing the cipher", e2);
        }
    }

    @Override // org.apache.nifi.security.util.crypto.RandomIVPBECipherProvider
    Logger getLogger() {
        return logger;
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public Cipher getCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, int i, boolean z) throws Exception {
        return getCipher(encryptionMethod, str, bArr, new byte[0], i, z);
    }

    protected Cipher getInitializedCipher(EncryptionMethod encryptionMethod, String str, byte[] bArr, byte[] bArr2, int i, boolean z) throws Exception {
        int memory;
        int iterations;
        int parallelism;
        if (encryptionMethod == null) {
            throw new IllegalArgumentException("The encryption method must be specified");
        }
        if (!encryptionMethod.isCompatibleWithStrongKDFs()) {
            throw new IllegalArgumentException(encryptionMethod.name() + " is not compatible with Argon2");
        }
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Encryption with an empty password is not supported");
        }
        String algorithm = encryptionMethod.getAlgorithm();
        String parseCipherFromAlgorithm = CipherUtility.parseCipherFromAlgorithm(algorithm);
        if (!CipherUtility.isValidKeyLength(i, parseCipherFromAlgorithm)) {
            throw new IllegalArgumentException(i + " is not a valid key length for " + parseCipherFromAlgorithm);
        }
        String str2 = new String(bArr, StandardCharsets.UTF_8);
        byte[] bArr3 = new byte[getDefaultSaltLength()];
        if (isArgon2FormattedSalt(str2)) {
            ArrayList arrayList = new ArrayList(3);
            parseSalt(str2, bArr3, arrayList);
            memory = arrayList.get(0).intValue();
            iterations = arrayList.get(1).intValue();
            parallelism = arrayList.get(2).intValue();
        } else {
            bArr3 = bArr;
            memory = getMemory();
            iterations = getIterations();
            parallelism = getParallelism();
        }
        try {
            return new AESKeyedCipherProvider().getCipher(encryptionMethod, new SecretKeySpec(new Argon2SecureHasher(Integer.valueOf(i / 8), Integer.valueOf(memory), parallelism, Integer.valueOf(iterations)).hashRaw(str.getBytes(StandardCharsets.UTF_8), bArr3), algorithm), bArr2, z);
        } catch (IllegalArgumentException e) {
            if (e.getMessage().contains("The salt length")) {
                throw new IllegalArgumentException("The raw salt must be greater than or equal to 8 bytes", e);
            }
            logger.error("Encountered an error generating the Argon2 hash", e);
            throw e;
        }
    }

    public static byte[] extractRawSaltFromArgon2Salt(String str) {
        String[] split = str.split("\\$");
        if (split.length < 4) {
            throw new IllegalArgumentException("Could not parse salt");
        }
        return Base64.decodeBase64(split[split.length - 1]);
    }

    public static boolean isArgon2FormattedSalt(String str) {
        if (str == null || str.length() == 0) {
            throw new IllegalArgumentException("The salt cannot be empty. To generate a salt, use Argon2CipherProvider#generateSalt()");
        }
        return ARGON2_SALT_FORMAT.matcher(str).find();
    }

    private void parseSalt(String str, byte[] bArr, List<Integer> list) {
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Cannot parse empty salt");
        }
        byte[] extractRawSaltFromArgon2Salt = extractRawSaltFromArgon2Salt(str);
        if (bArr.length < extractRawSaltFromArgon2Salt.length) {
            byte[] bArr2 = new byte[extractRawSaltFromArgon2Salt.length];
            System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
            bArr = bArr2;
        }
        System.arraycopy(extractRawSaltFromArgon2Salt, 0, bArr, 0, bArr.length);
        if (list == null) {
            list = new ArrayList(3);
        }
        Map map = (Map) Arrays.stream(str.split("\\$")[3].split(",")).collect(Collectors.toMap(str2 -> {
            return str2.split(TemplatrSpecBuilder.FUNCTION)[0];
        }, str3 -> {
            return str3.split(TemplatrSpecBuilder.FUNCTION)[1];
        }));
        list.add(Integer.valueOf(Integer.parseInt((String) map.get("m"))));
        list.add(Integer.valueOf(Integer.parseInt((String) map.get("t"))));
        list.add(Integer.valueOf(Integer.parseInt((String) map.get("p"))));
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public byte[] generateSalt() {
        byte[] bArr = new byte[16];
        new SecureRandom().nextBytes(bArr);
        return formSalt(bArr, getMemory(), getIterations(), getParallelism()).getBytes(StandardCharsets.UTF_8);
    }

    public static String formSalt(byte[] bArr, int i, int i2, int i3) {
        StringBuilder sb = new StringBuilder("$argon2id$");
        sb.append("v=19").append("$");
        sb.append("m=").append(i).append(",");
        sb.append("t=").append(i2).append(",");
        sb.append("p=").append(i3).append("$");
        sb.append(CipherUtility.encodeBase64NoPadding(bArr));
        return sb.toString();
    }

    @Override // org.apache.nifi.security.util.crypto.PBECipherProvider
    public int getDefaultSaltLength() {
        return 16;
    }

    protected int getMemory() {
        return this.memory.intValue();
    }

    protected int getParallelism() {
        return this.parallelism;
    }

    protected int getIterations() {
        return this.iterations.intValue();
    }
}
