package org.apache.nifi.repository.encryption;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import org.apache.nifi.repository.encryption.configuration.EncryptionMetadataHeader;
import org.apache.nifi.repository.encryption.configuration.EncryptionProtocol;
import org.apache.nifi.repository.encryption.configuration.RepositoryEncryptionMethod;
import org.apache.nifi.repository.encryption.metadata.RecordMetadata;
import org.apache.nifi.repository.encryption.metadata.RecordMetadataSerializer;
import org.apache.nifi.repository.encryption.metadata.serialization.RecordMetadataObjectInputStream;
import org.apache.nifi.repository.encryption.metadata.serialization.StandardRecordMetadataSerializer;
import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.stream.io.NonCloseableInputStream;

/* loaded from: input_file:org/apache/nifi/repository/encryption/AesSecretKeyRepositoryEncryptor.class */
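/**
 * Base class for repository encryptors that protect records with an AES secret key obtained from a
 * {@link KeyProvider}.
 *
 * <p>Each encryption call uses a fresh random initialization vector. Record metadata is written as the
 * configured metadata header followed by the serialized record metadata, and is read back in the same order.
 *
 * <p>This listing is decompiler output, so parameter names on public and protected methods are the
 * decompiler's; their meaning is given in each method's documentation.
 *
 * @param <I> record type accepted by {@code encrypt}
 * @param <O> second type parameter of {@link RepositoryEncryptor}; not used by the members visible here
 */
public abstract class AesSecretKeyRepositoryEncryptor<I, O> implements RepositoryEncryptor<I, O> {
    private static final int INITIALIZATION_VECTOR_LENGTH = 16;
    /** GCM authentication tag length in bits. */
    private static final int TAG_LENGTH = 128;
    private static final int END_OF_STREAM = -1;
    /** Length value passed when the caller supplies no explicit length. */
    private static final int STREAM_LENGTH = -1;
    private static final RecordMetadataSerializer RECORD_METADATA_SERIALIZER = new StandardRecordMetadataSerializer(EncryptionProtocol.VERSION_1);
    private final SecureRandom secureRandom = new SecureRandom();
    private final KeyProvider keyProvider;
    private final EncryptionMetadataHeader encryptionMetadataHeader;
    private final RepositoryEncryptionMethod repositoryEncryptionMethod;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an encryptor bound to one encryption method, key provider and metadata header.
     *
     * @param repositoryEncryptionMethod method that selects the cipher algorithm; required
     * @param keyProvider source of secret keys, looked up by Key ID; required
     * @param encryptionMetadataHeader header written before, and skipped ahead of, the record metadata; required
     * @throws NullPointerException if any argument is null
     */
    public AesSecretKeyRepositoryEncryptor(RepositoryEncryptionMethod repositoryEncryptionMethod, KeyProvider keyProvider, EncryptionMetadataHeader encryptionMetadataHeader) {
        this.repositoryEncryptionMethod = Objects.requireNonNull(repositoryEncryptionMethod, "Encryption Method required");
        this.keyProvider = Objects.requireNonNull(keyProvider, "Key Provider required");
        this.encryptionMetadataHeader = Objects.requireNonNull(encryptionMetadataHeader, "Encryption Metadata Header required");
    }

    /**
     * Encrypts a record with the key identified by the given Key ID, using a newly generated
     * initialization vector.
     *
     * @param i record to encrypt; required
     * @param str Record ID; required
     * @param str2 Key ID; required
     * @return result of the subclass {@code encrypt} implementation
     * @throws NullPointerException if any argument is null
     * @throws RepositoryEncryptionException if the key is missing or the cipher cannot be configured
     */
    @Override // org.apache.nifi.repository.encryption.RepositoryEncryptor
    public I encrypt(I i, String str, String str2) {
        Objects.requireNonNull(i, "Record required");
        Objects.requireNonNull(str, "Record ID required");
        Objects.requireNonNull(str2, "Key ID required");
        return encrypt(i, str, str2, getEncryptionCipher(str2));
    }

    /**
     * Encrypts a record with an already initialized cipher.
     *
     * @param i record to encrypt
     * @param str Record ID
     * @param str2 Key ID
     * @param cipher cipher initialized for encryption with the key for {@code str2}
     * @return encrypted record
     */
    protected abstract I encrypt(I i, String str, String str2, Cipher cipher);

    /**
     * Builds a cipher in encryption mode with a freshly generated random initialization vector.
     *
     * @param str Key ID
     * @return initialized cipher
     */
    protected Cipher getEncryptionCipher(String str) {
        return getCipher(Cipher.ENCRYPT_MODE, str, getInitializationVector());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a cipher in decryption mode.
     *
     * @param str Key ID
     * @param bArr initialization vector that was used for encryption
     * @return initialized cipher
     */
    public Cipher getDecryptionCipher(String str, byte[] bArr) {
        return getCipher(Cipher.DECRYPT_MODE, str, bArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Serializes the metadata header followed by the record metadata.
     *
     * @param str first serializer argument; presumably the Key ID (confirm against RecordMetadataSerializer)
     * @param bArr second serializer argument; presumably the initialization vector (confirm)
     * @param i length value handed to the serializer
     * @return header bytes followed by serialized metadata
     */
    public byte[] getMetadata(String str, byte[] bArr, int i) {
        return writeMetadata(str, bArr, i);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Serializes the metadata header followed by the record metadata, passing {@code -1} as the length.
     *
     * @param str first serializer argument; presumably the Key ID (confirm against RecordMetadataSerializer)
     * @param bArr second serializer argument; presumably the initialization vector (confirm)
     * @return header bytes followed by serialized metadata
     */
    public byte[] getMetadata(String str, byte[] bArr) {
        return writeMetadata(str, bArr, STREAM_LENGTH);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Skips the metadata header and reads the record metadata that follows it.
     *
     * <p>The header bytes are consumed but not compared with the expected header. The metadata is parsed
     * before any ciphertext has been authenticated, so it has to be treated as untrusted input.
     *
     * @param inputStream stream positioned at the start of the metadata header; left open on return
     * @return record metadata read from the stream
     * @throws RepositoryEncryptionException if the stream ends inside the header or reading fails
     */
    public RecordMetadata readMetadata(InputStream inputStream) {
        final int length = this.encryptionMetadataHeader.getLength();
        try {
            // A single read() may return fewer bytes than requested; loop so that the metadata
            // reader below always starts exactly at the end of the header.
            final byte[] header = new byte[length];
            int offset = 0;
            while (offset < length) {
                final int bytesRead = inputStream.read(header, offset, length - offset);
                if (END_OF_STREAM == bytesRead) {
                    throw new RepositoryEncryptionException("End of InputStream while reading metadata header");
                }
                offset += bytesRead;
            }
        } catch (IOException e) {
            throw new RepositoryEncryptionException(String.format("Read Metadata Header bytes [%d] failed", length), e);
        }

        // NOTE(review): RecordMetadataObjectInputStream is presumably a class-restricted object stream;
        // confirm that it rejects unexpected classes, since this data is not yet authenticated.
        // The NonCloseableInputStream wrapper is there so that closing the reader leaves inputStream usable.
        try (RecordMetadataObjectInputStream metadataStream = new RecordMetadataObjectInputStream(new NonCloseableInputStream(inputStream))) {
            return metadataStream.getRecordMetadata();
        } catch (IOException e) {
            throw new RepositoryEncryptionException("Read Encryption Metadata Failed", e);
        }
    }

    /**
     * Writes the metadata header and then the serialized record metadata into one byte array.
     * Arguments are passed to the serializer unchanged, together with the configured encryption method.
     */
    private byte[] writeMetadata(String str, byte[] bArr, int i) {
        final ByteArrayOutputStream metadataBytes = new ByteArrayOutputStream();
        try {
            metadataBytes.write(this.encryptionMetadataHeader.getHeader());
            metadataBytes.write(RECORD_METADATA_SERIALIZER.writeMetadata(str, bArr, i, this.repositoryEncryptionMethod));
            return metadataBytes.toByteArray();
        } catch (IOException e) {
            throw new RepositoryEncryptionException("Write Encryption Metadata Failed", e);
        }
    }

    /**
     * Generates a random initialization vector of {@code INITIALIZATION_VECTOR_LENGTH} bytes.
     *
     * <p>The same 16-byte length is used for every method, including AES_GCM. GCM treats 96-bit nonces as
     * its standard case, and NIST SP 800-38D limits a key to 2^32 encryptions when IVs are random or not
     * 96 bits long, so key rotation should keep the per-key record count below that bound. The length is
     * left unchanged here because readers of existing data may depend on it.
     */
    private byte[] getInitializationVector() {
        final byte[] initializationVector = new byte[INITIALIZATION_VECTOR_LENGTH];
        this.secureRandom.nextBytes(initializationVector);
        return initializationVector;
    }

    /**
     * Creates and initializes a cipher for the configured algorithm.
     *
     * @param mode {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @param keyId Key ID resolved through the key provider
     * @param initializationVector initialization vector for the cipher parameters
     * @return initialized cipher
     * @throws RepositoryEncryptionException if the key is unavailable or the cipher rejects its configuration
     */
    private Cipher getCipher(int mode, String keyId, byte[] initializationVector) {
        final SecretKey secretKey = getSecretKey(keyId);
        final String algorithm = this.repositoryEncryptionMethod.getAlgorithm();
        try {
            final Cipher cipher = Cipher.getInstance(algorithm);
            cipher.init(mode, secretKey, getAlgorithmParametersSpec(initializationVector), this.secureRandom);
            return cipher;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            // The message carries the Key ID only, never key material.
            throw new RepositoryEncryptionException(String.format("Cipher [%s] Mode [%d] Key ID [%s] configuration failed", algorithm, mode, keyId), e);
        }
    }

    /**
     * Selects cipher parameters for the configured method: GCM parameters with a 128-bit tag for AES_GCM,
     * a plain IV specification otherwise.
     *
     * <p>NOTE(review): methods other than AES_GCM get no authentication tag from these parameters; whether
     * they provide integrity depends on the algorithm string, which is not visible in this class.
     */
    private AlgorithmParameterSpec getAlgorithmParametersSpec(byte[] initializationVector) {
        if (RepositoryEncryptionMethod.AES_GCM == this.repositoryEncryptionMethod) {
            return new GCMParameterSpec(TAG_LENGTH, initializationVector);
        }
        return new IvParameterSpec(initializationVector);
    }

    /**
     * Looks up the secret key for a Key ID.
     *
     * @param keyId Key ID to resolve
     * @return secret key from the key provider
     * @throws RepositoryEncryptionException if the key does not exist or retrieval fails
     */
    private SecretKey getSecretKey(String keyId) {
        if (!this.keyProvider.keyExists(keyId)) {
            throw new RepositoryEncryptionException(String.format("Key ID [%s] not found", keyId));
        }
        try {
            return this.keyProvider.getKey(keyId);
        } catch (KeyManagementException e) {
            throw new RepositoryEncryptionException(String.format("Key ID [%s] retrieval failed", keyId), e);
        }
    }
}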
