package org.apache.nifi.properties;

import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:org/apache/nifi/properties/AesGcmSensitivePropertyProvider.class */
class AesGcmSensitivePropertyProvider implements SensitivePropertyProvider {
    private static final String ALGORITHM = "AES/GCM/NoPadding";
    private static final String SECRET_KEY_ALGORITHM = "AES";
    private static final int IV_LENGTH = 12;
    private static final String IDENTIFIER_KEY_FORMAT = "aes/gcm/%d";
    private static final int BITS_PER_BYTE = 8;
    private final SecureRandom secureRandom;
    private final Cipher cipher;
    private final SecretKey key;
    private final String identifierKey;
    private static final String DELIMITER = "||";
    private static final int MIN_CIPHER_TEXT_LENGTH = (16 + DELIMITER.length()) + 1;
    private static final int TAG_LENGTH = 128;
    private static final List<Integer> VALID_KEY_LENGTHS = Arrays.asList(Integer.valueOf(TAG_LENGTH), 192, 256);
    private static final Base64.Encoder BASE_64_ENCODER = Base64.getEncoder();
    private static final Base64.Decoder BASE_64_DECODER = Base64.getDecoder();

    public AesGcmSensitivePropertyProvider(String str) {
        byte[] validateKey = validateKey(str);
        this.secureRandom = new SecureRandom();
        try {
            this.cipher = Cipher.getInstance(ALGORITHM);
            this.key = new SecretKeySpec(validateKey, SECRET_KEY_ALGORITHM);
            this.identifierKey = String.format(IDENTIFIER_KEY_FORMAT, Integer.valueOf(validateKey.length * BITS_PER_BYTE));
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new SensitivePropertyProtectionException(String.format("Cipher [%s] initialization failed", ALGORITHM), e);
        }
    }

    public boolean isSupported() {
        return true;
    }

    public String getIdentifierKey() {
        return this.identifierKey;
    }

    public String protect(String str, ProtectedPropertyContext protectedPropertyContext) throws SensitivePropertyProtectionException {
        Objects.requireNonNull(str, "Value required");
        byte[] generateIV = generateIV();
        try {
            this.cipher.init(1, this.key, new GCMParameterSpec(TAG_LENGTH, generateIV));
            return BASE_64_ENCODER.encodeToString(generateIV) + DELIMITER + BASE_64_ENCODER.encodeToString(this.cipher.doFinal(str.getBytes(StandardCharsets.UTF_8)));
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException e) {
            throw new SensitivePropertyProtectionException("AES-GCM encryption failed", e);
        }
    }

    public String unprotect(String str, ProtectedPropertyContext protectedPropertyContext) throws SensitivePropertyProtectionException {
        if (str == null || str.trim().length() < MIN_CIPHER_TEXT_LENGTH) {
            throw new IllegalArgumentException("Cannot decrypt a cipher text shorter than " + MIN_CIPHER_TEXT_LENGTH + " chars");
        }
        if (!str.contains(DELIMITER)) {
            throw new IllegalArgumentException("The cipher text does not contain the delimiter || -- it should be of the form Base64(IV) || Base64(cipherText)");
        }
        String trim = str.trim();
        byte[] decode = BASE_64_DECODER.decode(trim.substring(0, trim.indexOf(DELIMITER)));
        if (decode.length < IV_LENGTH) {
            throw new IllegalArgumentException(String.format("The IV (%s bytes) must be at least %s bytes", Integer.valueOf(decode.length), Integer.valueOf(IV_LENGTH)));
        }
        try {
            byte[] decode2 = BASE_64_DECODER.decode(trim.substring(trim.indexOf(DELIMITER) + 2));
            this.cipher.init(2, this.key, new GCMParameterSpec(TAG_LENGTH, decode));
            return new String(this.cipher.doFinal(decode2), StandardCharsets.UTF_8);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException e) {
            throw new SensitivePropertyProtectionException("AES-GCM decryption failed", e);
        }
    }

    public void cleanUp() {
    }

    private byte[] generateIV() {
        byte[] bArr = new byte[IV_LENGTH];
        this.secureRandom.nextBytes(bArr);
        return bArr;
    }

    private byte[] validateKey(String str) {
        if (str == null || str.isEmpty()) {
            throw new SensitivePropertyProtectionException("AES Key not provided");
        }
        String formatHexKey = formatHexKey(str);
        if (!isHexKeyValid(formatHexKey)) {
            throw new SensitivePropertyProtectionException("AES Key not hexadecimal");
        }
        try {
            byte[] decodeHex = Hex.decodeHex(formatHexKey);
            int length = decodeHex.length * BITS_PER_BYTE;
            if (VALID_KEY_LENGTHS.contains(Integer.valueOf(length))) {
                return decodeHex;
            }
            throw new SensitivePropertyProtectionException(String.format("AES Key length not valid [%d]", Integer.valueOf(length)));
        } catch (DecoderException e) {
            throw new SensitivePropertyProtectionException("AES Key Hexadecimal decoding failed", e);
        }
    }

    private static String formatHexKey(String str) {
        return (str == null || str.isEmpty()) ? "" : str.replaceAll("[^0-9a-fA-F]", "").toLowerCase();
    }

    private static boolean isHexKeyValid(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        return str.matches("^[0-9a-fA-F]*$");
    }
}
