package org.forgerock.openam.shared.security.crypto;

import com.iplanet.services.util.ConfigurableKey;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.interfaces.PBEKey;
import javax.crypto.spec.PBEKeySpec;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.util.Reject;
import org.forgerock.util.annotations.VisibleForTesting;

/* loaded from: input_file:org/forgerock/openam/shared/security/crypto/PBKDF2KeyDerivation.class */
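/**
 * Derives symmetric keys from a configured password using PBKDF2 ({@code PBKDF2WithHmac<digest>}).
 *
 * <p>The digest and iteration count are read from the system properties
 * {@code org.forgerock.openam.encryption.key.digest} and
 * {@code org.forgerock.openam.encryption.key.iterations}.
 *
 * <p>SECURITY NOTE(review): the fallback values (HMAC-SHA1 with 10,000 iterations) are low by
 * current password-based key derivation guidance. They are left unchanged here because a
 * different digest or iteration count produces different keys, so data protected under the
 * old parameters would need migrating first. Deployments should set both properties
 * explicitly.
 *
 * <p>The password field is {@code volatile} and every method reads it once into a local, but
 * the class does no locking: a derivation running concurrently with {@link #setPassword} or
 * {@link #clear()} can still observe a partly wiped array. Callers that share an instance
 * across threads should serialise password changes against derivations.
 */
public class PBKDF2KeyDerivation implements ConfigurableKey {
    /** Length of generated salts, and the minimum accepted length of caller-supplied salts. */
    private static final int SALT_BYTES = 16;
    /** Lowest iteration count the constructor accepts; also the default. */
    private static final int MIN_ITERATIONS = 10000;
    /** Digest used when the digest property is not set. */
    private static final String DEFAULT_DIGEST = "SHA1";
    private static final String DIGEST_ALGORITHM_PROPERTY = "org.forgerock.openam.encryption.key.digest";
    private static final String ITERATIONS_PROPERTY = "org.forgerock.openam.encryption.key.iterations";
    private final int iterations;
    private final SecretKeyFactory secretKeyFactory;
    private final SecureRandom secureRandom;
    // Held as char[] so it can be overwritten when replaced or cleared.
    private volatile char[] password;

    /**
     * Creates a derivation for an explicit digest and iteration count.
     *
     * @param str the digest name appended to {@code "PBKDF2WithHmac"} to form the JCA algorithm
     * @param i the PBKDF2 iteration count; values below 10,000 are rejected
     * @throws IllegalStateException if no provider offers the resulting algorithm
     */
    @VisibleForTesting
    PBKDF2KeyDerivation(String str, int i) {
        this.secureRandom = new SecureRandom();
        Reject.rejectStateIfTrue(i < MIN_ITERATIONS, "Should use at least 10,000 iterations");
        this.iterations = i;
        try {
            this.secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmac" + str);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Invalid message digest: " + str, e);
        }
    }

    /**
     * Creates a derivation configured from system properties, falling back to SHA1 and
     * 10,000 iterations when they are unset (see the class-level security note).
     */
    public PBKDF2KeyDerivation() {
        this(SystemPropertiesManager.get(DIGEST_ALGORITHM_PROPERTY, DEFAULT_DIGEST),
                SystemPropertiesManager.getAsInt(ITERATIONS_PROPERTY, MIN_ITERATIONS));
    }

    /**
     * Replaces the password that keys are derived from and overwrites the previous one.
     *
     * <p>The password arrives as a {@code String} because the interface requires it; that
     * instance cannot be wiped by this class and remains on the heap until collected.
     *
     * @param str the new password; blank values are rejected
     */
    @Override
    public void setPassword(String str) throws Exception {
        Reject.ifTrue(StringUtils.isBlank(str));
        final char[] previous = this.password;
        // Publish the new password before wiping the old array, so a thread that reads the
        // field from now on never picks up an array that is about to be overwritten.
        this.password = str.toCharArray();
        if (previous != null) {
            Arrays.fill(previous, ' ');
        }
    }

    /**
     * Derives a key using a freshly generated random 16-byte salt.
     *
     * <p>The salt is not returned separately; it has to be read back from the returned key
     * ({@link PBEKey#getSalt()}) and stored if the same key must be derived again.
     *
     * @param i the key length in bits
     * @return the derived key
     */
    public PBEKey deriveSecretKey(int i) {
        final byte[] salt = new byte[SALT_BYTES];
        this.secureRandom.nextBytes(salt);
        return deriveSecretKey(i, salt);
    }

    /**
     * Derives a key from the configured password and the supplied salt.
     *
     * <p>The returned {@link PBEKey} also exposes the password through
     * {@link PBEKey#getPassword()}, so it should be handled as carefully as the password.
     *
     * @param i the key length in bits
     * @param bArr the salt; must be non-null and at least 16 bytes long
     * @return the derived key
     * @throws IllegalArgumentException if the key factory rejects the key specification
     */
    public PBEKey deriveSecretKey(int i, byte[] bArr) {
        Reject.ifNull(bArr);
        Reject.ifTrue(bArr.length < SALT_BYTES, "Salt should be at least 16 bytes");
        // Read the volatile field exactly once. PBEKeySpec silently substitutes an empty
        // password for null, so a clear() landing between a null check on the field and a
        // second read of it would yield a key derived from the empty password.
        final char[] secret = this.password;
        Reject.rejectStateIfTrue(secret == null, "No password configured");
        final PBEKeySpec spec = new PBEKeySpec(secret, bArr, this.iterations, i);
        try {
            return (PBEKey) this.secretKeyFactory.generateSecret(spec);
        } catch (InvalidKeySpecException e) {
            throw new IllegalArgumentException("Invalid key size", e);
        } finally {
            // PBEKeySpec keeps its own copy of the password; wipe it once the key exists.
            spec.clearPassword();
        }
    }

    /**
     * Overwrites and discards the configured password. Calling this when no password is set
     * (including a second call) is a no-op rather than a {@link NullPointerException}.
     */
    public void clear() {
        final char[] previous = this.password;
        this.password = null;
        if (previous != null) {
            Arrays.fill(previous, ' ');
        }
    }
}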
