package org.apache.nifi.security.repository;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.KeyManagementException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import org.apache.nifi.security.kms.CryptoUtils;
import org.apache.nifi.security.kms.EncryptionException;
import org.apache.nifi.security.kms.FileBasedKeyProvider;
import org.apache.nifi.security.kms.KeyProvider;
import org.apache.nifi.security.kms.KeyProviderFactory;
import org.apache.nifi.security.kms.KeyStoreKeyProvider;
import org.apache.nifi.security.kms.StaticKeyProvider;
import org.apache.nifi.security.kms.configuration.FileBasedKeyProviderConfiguration;
import org.apache.nifi.security.kms.configuration.KeyProviderConfiguration;
import org.apache.nifi.security.kms.configuration.KeyStoreKeyProviderConfiguration;
import org.apache.nifi.security.kms.configuration.StaticKeyProviderConfiguration;
import org.apache.nifi.security.repository.config.RepositoryEncryptionConfiguration;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.security.util.crypto.AESKeyedCipherProvider;
import org.apache.nifi.stream.io.NonCloseableInputStream;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/security/repository/RepositoryEncryptorUtils.class */
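/**
 * Static helpers shared by the encrypted content, provenance and FlowFile repositories:
 * serialising and reading back the per-record {@link RepositoryObjectEncryptionMetadata},
 * initialising the record {@link Cipher}, checking whether repository encryption is configured in
 * {@link NiFiProperties}, and building the {@link KeyProvider} that supplies the record keys.
 *
 * <p>All members are static and the class holds no mutable state. The decompiler-generated
 * ordinal switch map that used to accompany this class has been replaced by plain enum switches.
 */
public class RepositoryEncryptorUtils {
    private static final Logger logger = LoggerFactory.getLogger(RepositoryEncryptorUtils.class);
    /** Number of leading bytes in an encrypted record that precede the serialised metadata. */
    private static final int CONTENT_HEADER_SIZE = 2;
    /** IV length in bytes; kept for reference, not referenced by any method in this class. */
    private static final int IV_LENGTH = 16;
    /** Smallest byte array that could hold serialised metadata; shorter input is rejected up front. */
    private static final int MIN_METADATA_LENGTH = 22;
    private static final String EWAPR_CLASS_NAME = "org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository";
    /** Property name returned when no key provider property applies to the repository type. */
    private static final String NO_KEY_PROVIDER_DEFINED = "no_such_key_provider_defined";

    /**
     * Serialises the metadata with Java object serialisation.
     *
     * @param metadata the metadata object to serialise
     * @return the serialised bytes
     * @throws IOException if the object cannot be written
     */
    public static byte[] serializeEncryptionMetadata(RepositoryObjectEncryptionMetadata metadata) throws IOException {
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        // try-with-resources closes (and flushes) the object stream even when writeObject throws
        try (ObjectOutputStream objectStream = new ObjectOutputStream(buffer)) {
            objectStream.writeObject(metadata);
        }
        return buffer.toByteArray();
    }

    /**
     * Obtains an initialised cipher from the provider.
     *
     * @param cipherProvider   provider that builds the keyed cipher
     * @param encryptionMethod algorithm/mode selection; must not be null
     * @param mode             {@link Cipher#ENCRYPT_MODE} for encryption; any other value means decryption
     * @param key              the secret key; must not be null
     * @param ivBytes          the initialisation vector; must not be null
     * @return the initialised cipher
     * @throws EncryptionException if any argument is missing or the provider fails; the cause is preserved
     */
    public static Cipher initCipher(AESKeyedCipherProvider cipherProvider, EncryptionMethod encryptionMethod, int mode, SecretKey key, byte[] ivBytes) throws EncryptionException {
        try {
            if (encryptionMethod == null || key == null || ivBytes == null) {
                throw new IllegalArgumentException("Missing critical information");
            }
            // the provider takes a boolean: true = encrypt, false = decrypt
            return cipherProvider.getCipher(encryptionMethod, key, ivBytes, mode == Cipher.ENCRYPT_MODE);
        } catch (Exception e) {
            // the IllegalArgumentException thrown above is deliberately wrapped as well, so callers
            // only ever see EncryptionException from this method
            logger.error("Encountered an exception initializing the cipher", e);
            throw new EncryptionException(e);
        }
    }

    /**
     * Reads the serialised metadata from the start of a complete encrypted record held in memory.
     *
     * @param encryptedRecord the whole record; must be at least {@value #MIN_METADATA_LENGTH} bytes
     * @return the deserialised metadata
     * @throws EncryptionException    if the record is null or too short
     * @throws IOException            if the object stream cannot be read
     * @throws ClassNotFoundException if the serialised class is not on the classpath
     */
    public static RepositoryObjectEncryptionMetadata extractEncryptionMetadata(byte[] encryptedRecord) throws EncryptionException, IOException, ClassNotFoundException {
        if (encryptedRecord == null || encryptedRecord.length < MIN_METADATA_LENGTH) {
            throw new EncryptionException("The encrypted record is too short to contain the metadata");
        }
        // NOTE(security): Java native deserialisation of bytes read back from the repository on disk.
        // Nothing here restricts which classes may be instantiated; if the repository files can be
        // modified outside this process, an ObjectInputFilter limiting the permitted classes would
        // bound that exposure (Java 9+ API, not applied here to keep the current compatibility level).
        try (ObjectInputStream objectStream = new ObjectInputStream(new ByteArrayInputStream(encryptedRecord))) {
            return (RepositoryObjectEncryptionMetadata) objectStream.readObject();
        }
    }

    /**
     * Reads the serialised metadata from a record stream, leaving the stream positioned after the
     * metadata so the caller can continue reading the remainder of the record.
     *
     * @param encryptedRecord stream positioned at the start of the record (header first)
     * @return the deserialised metadata
     * @throws EncryptionException    if the stream is null
     * @throws IOException            if the header or object stream cannot be read
     * @throws ClassNotFoundException if the serialised class is not on the classpath
     */
    public static RepositoryObjectEncryptionMetadata extractEncryptionMetadata(InputStream encryptedRecord) throws EncryptionException, IOException, ClassNotFoundException {
        if (encryptedRecord == null) {
            throw new EncryptionException("The encrypted record is too short to contain the metadata");
        }
        skipContentHeader(encryptedRecord);
        // NOTE(security): same unfiltered native deserialisation as the byte[] overload; see there.
        // NonCloseableInputStream prevents the object stream from closing the caller's stream.
        try (ObjectInputStream objectStream = new ObjectInputStream(new NonCloseableInputStream(encryptedRecord))) {
            return (RepositoryObjectEncryptionMetadata) objectStream.readObject();
        }
    }

    /**
     * Consumes the {@value #CONTENT_HEADER_SIZE}-byte record header. A single {@code read} may return
     * fewer bytes than requested, so this loops until the header is consumed or the stream ends; at
     * end of stream it returns and lets the subsequent object-stream construction report the problem.
     *
     * @param in the record stream
     * @throws IOException if reading fails
     */
    private static void skipContentHeader(InputStream in) throws IOException {
        final byte[] header = new byte[CONTENT_HEADER_SIZE];
        int consumed = 0;
        while (consumed < CONTENT_HEADER_SIZE) {
            final int read = in.read(header, consumed, CONTENT_HEADER_SIZE - consumed);
            if (read < 0) {
                break;
            }
            consumed += read;
        }
    }

    /**
     * Returns the ciphertext portion of a complete encrypted record.
     *
     * <p>When the metadata carries a positive {@code cipherByteLength}, the last that many bytes are
     * returned; otherwise everything after the header and the serialised metadata is returned.
     *
     * @param encryptedRecord the whole record
     * @param metadata        the metadata previously read from the record
     * @return a copy of the ciphertext bytes
     */
    public static byte[] extractCipherBytes(byte[] encryptedRecord, RepositoryObjectEncryptionMetadata metadata) {
        final int cipherStart;
        if (metadata.cipherByteLength > 0) {
            cipherStart = encryptedRecord.length - metadata.cipherByteLength;
        } else {
            cipherStart = metadata.length() + CONTENT_HEADER_SIZE;
        }
        return Arrays.copyOfRange(encryptedRecord, cipherStart, encryptedRecord.length);
    }

    /**
     * Checks whether the given repository type is configured with an encrypted implementation and a
     * valid key provider.
     *
     * @param niFiProperties the NiFi properties
     * @param repositoryType the repository to check; must not be null
     * @return true if encryption is configured and the key provider settings validate
     */
    public static boolean isRepositoryEncryptionConfigured(NiFiProperties niFiProperties, RepositoryType repositoryType) {
        switch (repositoryType) {
            case CONTENT:
                return isContentRepositoryEncryptionConfigured(niFiProperties);
            case PROVENANCE:
                return isProvenanceRepositoryEncryptionConfigured(niFiProperties);
            case FLOWFILE:
                return isFlowFileRepositoryEncryptionConfigured(niFiProperties);
            default:
                // only reachable if a new RepositoryType constant is added without updating this switch
                logger.warn("Repository encryption configuration validation attempted for {}, an invalid repository type", repositoryType);
                return false;
        }
    }

    /**
     * True if the provenance repository implementation is the encrypted one and its key provider
     * properties validate.
     */
    static boolean isProvenanceRepositoryEncryptionConfigured(NiFiProperties niFiProperties) {
        if (!EWAPR_CLASS_NAME.equals(niFiProperties.getProperty("nifi.provenance.repository.implementation"))) {
            return false;
        }
        return CryptoUtils.isValidKeyProvider(
                niFiProperties.getProperty("nifi.provenance.repository.encryption.key.provider.implementation"),
                niFiProperties.getProperty("nifi.provenance.repository.encryption.key.provider.location"),
                niFiProperties.getProvenanceRepoEncryptionKeyId(),
                niFiProperties.getProvenanceRepoEncryptionKeys());
    }

    /**
     * True if the content repository implementation is the encrypted one and its key provider
     * properties validate.
     */
    static boolean isContentRepositoryEncryptionConfigured(NiFiProperties niFiProperties) {
        if (!CryptoUtils.ENCRYPTED_FSR_CLASS_NAME.equals(niFiProperties.getProperty("nifi.content.repository.implementation"))) {
            return false;
        }
        return CryptoUtils.isValidKeyProvider(
                niFiProperties.getProperty("nifi.content.repository.encryption.key.provider.implementation"),
                niFiProperties.getProperty("nifi.content.repository.encryption.key.provider.location"),
                niFiProperties.getContentRepositoryEncryptionKeyId(),
                niFiProperties.getContentRepositoryEncryptionKeys());
    }

    /**
     * True if the FlowFile repository implementation is the encrypted one and its key provider
     * properties validate.
     */
    static boolean isFlowFileRepositoryEncryptionConfigured(NiFiProperties niFiProperties) {
        if (!CryptoUtils.EWAFFR_CLASS_NAME.equals(niFiProperties.getProperty("nifi.flowfile.repository.implementation"))) {
            return false;
        }
        return CryptoUtils.isValidKeyProvider(
                niFiProperties.getProperty("nifi.flowfile.repository.encryption.key.provider.implementation"),
                niFiProperties.getProperty("nifi.flowfile.repository.encryption.key.provider.location"),
                niFiProperties.getFlowFileRepoEncryptionKeyId(),
                niFiProperties.getFlowFileRepoEncryptionKeys());
    }

    /**
     * Maps a repository type to the property name holding its key provider implementation.
     *
     * @param repositoryType the repository type; may be null
     * @return the property name, or {@value #NO_KEY_PROVIDER_DEFINED} for null or unknown types
     */
    static String determineKeyProviderImplementationClassName(RepositoryType repositoryType) {
        if (repositoryType == null) {
            logger.warn("Could not determine key provider implementation class name for null repository");
            return NO_KEY_PROVIDER_DEFINED;
        }
        switch (repositoryType) {
            case CONTENT:
                return "nifi.content.repository.encryption.key.provider.implementation";
            case PROVENANCE:
                return "nifi.provenance.repository.encryption.key.provider.implementation";
            case FLOWFILE:
                return "nifi.flowfile.repository.encryption.key.provider.implementation";
            default:
                logger.warn("Could not determine key provider implementation class name for " + repositoryType.getName());
                return NO_KEY_PROVIDER_DEFINED;
        }
    }

    /**
     * Validates that encryption is configured for the repository type and builds its key provider.
     *
     * @param niFiProperties the NiFi properties
     * @param repositoryType the repository type
     * @return a key provider that contains the configured key identifier
     * @throws IOException if encryption is not configured or the provider cannot be built
     */
    public static KeyProvider validateAndBuildRepositoryKeyProvider(NiFiProperties niFiProperties, RepositoryType repositoryType) throws IOException {
        if (!isRepositoryEncryptionConfigured(niFiProperties, repositoryType)) {
            throw new IOException("The provided configuration does not support an encrypted " + repositoryType.getName());
        }
        return validateAndBuildRepositoryKeyProvider(RepositoryEncryptionConfiguration.fromNiFiProperties(niFiProperties, repositoryType));
    }

    /**
     * Builds the key provider described by an already-resolved configuration.
     *
     * @param configuration the repository encryption configuration
     * @return a key provider that contains the configured key identifier
     * @throws IOException wrapping any {@link KeyManagementException} raised while building the provider
     */
    public static KeyProvider validateAndBuildRepositoryKeyProvider(RepositoryEncryptionConfiguration configuration) throws IOException {
        try {
            return getKeyProvider(configuration);
        } catch (KeyManagementException e) {
            logger.error("Encountered an error building the key provider", e);
            throw new IOException("Encountered an error building the key provider", e);
        }
    }

    /**
     * Builds the key provider and verifies the configured key identifier is present in it.
     *
     * @throws KeyManagementException if the provider cannot be built or the key id is unknown to it
     */
    private static KeyProvider getKeyProvider(RepositoryEncryptionConfiguration configuration) throws KeyManagementException {
        final KeyProvider keyProvider = KeyProviderFactory.getKeyProvider(getKeyProviderConfiguration(configuration));
        final String keyId = configuration.getEncryptionKeyId();
        if (!keyProvider.keyExists(keyId)) {
            throw new KeyManagementException(String.format("Key Identifier [%s] not found in Key Provider", keyId));
        }
        return keyProvider;
    }

    /**
     * Translates the repository configuration into the provider-specific configuration object,
     * selected by the simple class name suffix of the configured implementation.
     *
     * @throws KeyManagementException        if a required setting is missing or the key store cannot be loaded
     * @throws UnsupportedOperationException if the implementation is none of the known providers
     */
    private static KeyProviderConfiguration<?> getKeyProviderConfiguration(RepositoryEncryptionConfiguration configuration) throws KeyManagementException {
        final String implementation = configuration.getKeyProviderImplementation();
        if (implementation == null) {
            // report a configuration error instead of a NullPointerException from endsWith()
            throw new KeyManagementException("Key Provider Implementation not configured");
        }
        if (implementation.endsWith(StaticKeyProvider.class.getSimpleName())) {
            return new StaticKeyProviderConfiguration(configuration.getEncryptionKeys());
        }
        if (implementation.endsWith(FileBasedKeyProvider.class.getSimpleName())) {
            return new FileBasedKeyProviderConfiguration(configuration.getKeyProviderLocation(), CryptoUtils.getRootKey());
        }
        if (!implementation.endsWith(KeyStoreKeyProvider.class.getSimpleName())) {
            throw new UnsupportedOperationException(String.format("Key Provider Implementation [%s] not supported", implementation));
        }
        if (StringUtils.isBlank(configuration.getKeyProviderPassword())) {
            throw new KeyManagementException("Key Provider Password not configured");
        }
        final String location = configuration.getKeyProviderLocation();
        // the password array is handed to the configuration object, so it cannot be cleared here
        final char[] password = configuration.getKeyProviderPassword().toCharArray();
        try {
            return new KeyStoreKeyProviderConfiguration(KeyStoreUtils.loadSecretKeyStore(location, password, configuration.getKeyStoreType()), password);
        } catch (TlsException e) {
            throw new KeyManagementException("Key Store Provider loading failed", e);
        }
    }
}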
