package org.apache.nifi.security.util.crypto;

import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.io.StreamCallback;
import org.apache.nifi.processors.standard.EncryptContent;
import org.apache.nifi.security.util.EncryptionMethod;
import org.apache.nifi.security.util.KeyDerivationFunction;
import org.apache.nifi.stream.io.ByteCountingInputStream;
import org.apache.nifi.stream.io.ByteCountingOutputStream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/security/util/crypto/PasswordBasedEncryptor.class */
public class PasswordBasedEncryptor extends AbstractEncryptor {
    private static final Logger logger = LoggerFactory.getLogger(PasswordBasedEncryptor.class);
    private EncryptionMethod encryptionMethod;
    private PBEKeySpec password;
    private KeyDerivationFunction kdf;
    private static final int DEFAULT_MAX_ALLOWED_KEY_LENGTH = 128;
    private static final int MINIMUM_SAFE_PASSWORD_LENGTH = 10;

    /* loaded from: input_file:org/apache/nifi/security/util/crypto/PasswordBasedEncryptor$DecryptCallback.class */
    private class DecryptCallback implements StreamCallback {
        private static final boolean DECRYPT = false;
        private static final int RETRY_LIMIT_LENGTH = 10485760;

        public DecryptCallback() {
        }

        public void process(InputStream inputStream, OutputStream outputStream) throws IOException {
            Cipher cipher;
            NiFiLegacyCipherProvider niFiLegacyCipherProvider = (PBECipherProvider) CipherProviderFactory.getCipherProvider(PasswordBasedEncryptor.this.kdf);
            ByteCountingInputStream wrapStreamForCounting = CipherUtility.wrapStreamForCounting(inputStream);
            ByteCountingOutputStream wrapStreamForCounting2 = CipherUtility.wrapStreamForCounting(outputStream);
            try {
                byte[] readSalt = niFiLegacyCipherProvider instanceof NiFiLegacyCipherProvider ? niFiLegacyCipherProvider.readSalt(PasswordBasedEncryptor.this.encryptionMethod, wrapStreamForCounting) : niFiLegacyCipherProvider.readSalt(wrapStreamForCounting);
                int parseKeyLengthFromAlgorithm = CipherUtility.parseKeyLengthFromAlgorithm(PasswordBasedEncryptor.this.encryptionMethod.getAlgorithm());
                try {
                    String str = new String(PasswordBasedEncryptor.this.password.getPassword());
                    byte[] bArr = new byte[0];
                    if (niFiLegacyCipherProvider instanceof RandomIVPBECipherProvider) {
                        RandomIVPBECipherProvider randomIVPBECipherProvider = (RandomIVPBECipherProvider) niFiLegacyCipherProvider;
                        bArr = randomIVPBECipherProvider.readIV(wrapStreamForCounting);
                        cipher = randomIVPBECipherProvider.getCipher(PasswordBasedEncryptor.this.encryptionMethod, str, readSalt, bArr, parseKeyLengthFromAlgorithm, false);
                    } else {
                        cipher = niFiLegacyCipherProvider.getCipher(PasswordBasedEncryptor.this.encryptionMethod, str, readSalt, parseKeyLengthFromAlgorithm, false);
                    }
                    if (PasswordBasedEncryptor.this.kdf == KeyDerivationFunction.BCRYPT) {
                        boolean z = niFiLegacyCipherProvider instanceof BcryptCipherProvider;
                        PasswordBasedEncryptor.logger.debug("Cipher provider instance of BcryptCipherProvider: {}", Boolean.valueOf(z));
                        if (!z) {
                            throw new ProcessException("The KDF is Bcrypt but the cipher provider is not a Bcrypt cipher provider; " + niFiLegacyCipherProvider.getClass().getSimpleName());
                        }
                        handleBcryptDecryption((BcryptCipherProvider) niFiLegacyCipherProvider, wrapStreamForCounting, wrapStreamForCounting2, readSalt, parseKeyLengthFromAlgorithm, cipher, bArr, str);
                    } else {
                        CipherUtility.processStreams(cipher, wrapStreamForCounting, wrapStreamForCounting2);
                    }
                    PasswordBasedEncryptor.this.flowfileAttributes.putAll(PasswordBasedEncryptor.writeAttributes(PasswordBasedEncryptor.this.encryptionMethod, PasswordBasedEncryptor.this.kdf, cipher.getIV(), readSalt, wrapStreamForCounting, wrapStreamForCounting2, false));
                } catch (Exception e) {
                    throw new ProcessException(e);
                }
            } catch (EOFException e2) {
                throw new ProcessException("Cannot decrypt because file size is smaller than salt size", e2);
            }
        }

        protected void handleBcryptDecryption(BcryptCipherProvider bcryptCipherProvider, ByteCountingInputStream byteCountingInputStream, ByteCountingOutputStream byteCountingOutputStream, byte[] bArr, int i, Cipher cipher, byte[] bArr2, String str) throws IOException, ProcessException {
            byteCountingInputStream.mark(RETRY_LIMIT_LENGTH);
            try {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                CipherUtility.processStreams(cipher, byteCountingInputStream, byteArrayOutputStream);
                byteCountingOutputStream.write(byteArrayOutputStream.toByteArray());
            } catch (ProcessException e) {
                if (!shouldAttemptLegacyDecrypt(e, byteCountingInputStream.getBytesConsumed())) {
                    throw e;
                }
                PasswordBasedEncryptor.logger.warn("Error decrypting content using Bcrypt-derived key; attempting legacy key derivation for backward compatibility");
                byteCountingInputStream.reset();
                CipherUtility.processStreams(bcryptCipherProvider.getLegacyDecryptCipher(PasswordBasedEncryptor.this.encryptionMethod, str, bArr, bArr2, i), byteCountingInputStream, byteCountingOutputStream);
            }
        }

        protected boolean shouldAttemptLegacyDecrypt(ProcessException processException, long j) {
            boolean z = processException.getCause() instanceof BadPaddingException;
            boolean z2 = j < 10485760;
            if (PasswordBasedEncryptor.logger.isDebugEnabled()) {
                PasswordBasedEncryptor.logger.debug("Exception cause instance of BadPaddingException: {}", Boolean.valueOf(z));
                PasswordBasedEncryptor.logger.debug("Bytes consumed ({} B) < retry limit ({} B): {}", new Object[]{Long.valueOf(j), Integer.valueOf(RETRY_LIMIT_LENGTH), Boolean.valueOf(z2)});
            }
            return z && z2;
        }
    }

    /* loaded from: input_file:org/apache/nifi/security/util/crypto/PasswordBasedEncryptor$EncryptCallback.class */
    private class EncryptCallback implements StreamCallback {
        private static final boolean ENCRYPT = true;

        public EncryptCallback() {
        }

        public void process(InputStream inputStream, OutputStream outputStream) throws IOException {
            PBKDF2CipherProvider pBKDF2CipherProvider = (PBECipherProvider) CipherProviderFactory.getCipherProvider(PasswordBasedEncryptor.this.kdf);
            if (PasswordBasedEncryptor.this.kdf == KeyDerivationFunction.PBKDF2) {
                PasswordBasedEncryptor.this.flowfileAttributes.put("encryptcontent.pbkdf2_iterations", String.valueOf(pBKDF2CipherProvider.getIterationCount()));
            }
            byte[] generateSalt = pBKDF2CipherProvider instanceof NiFiLegacyCipherProvider ? ((NiFiLegacyCipherProvider) pBKDF2CipherProvider).generateSalt(PasswordBasedEncryptor.this.encryptionMethod) : pBKDF2CipherProvider.generateSalt();
            ByteCountingInputStream wrapStreamForCounting = CipherUtility.wrapStreamForCounting(inputStream);
            ByteCountingOutputStream wrapStreamForCounting2 = CipherUtility.wrapStreamForCounting(outputStream);
            pBKDF2CipherProvider.writeSalt(generateSalt, wrapStreamForCounting2);
            try {
                Cipher cipher = pBKDF2CipherProvider.getCipher(PasswordBasedEncryptor.this.encryptionMethod, new String(PasswordBasedEncryptor.this.password.getPassword()), generateSalt, CipherUtility.parseKeyLengthFromAlgorithm(PasswordBasedEncryptor.this.encryptionMethod.getAlgorithm()), true);
                if (pBKDF2CipherProvider instanceof RandomIVPBECipherProvider) {
                    ((RandomIVPBECipherProvider) pBKDF2CipherProvider).writeIV(cipher.getIV(), wrapStreamForCounting2);
                }
                CipherUtility.processStreams(cipher, wrapStreamForCounting, wrapStreamForCounting2);
                PasswordBasedEncryptor.this.flowfileAttributes.putAll(PasswordBasedEncryptor.writeAttributes(PasswordBasedEncryptor.this.encryptionMethod, PasswordBasedEncryptor.this.kdf, cipher.getIV(), generateSalt, wrapStreamForCounting, wrapStreamForCounting2, true));
            } catch (Exception e) {
                throw new ProcessException(e);
            }
        }
    }

    public PasswordBasedEncryptor(EncryptionMethod encryptionMethod, char[] cArr, KeyDerivationFunction keyDerivationFunction) {
        try {
            if (encryptionMethod == null) {
                throw new IllegalArgumentException("Cannot initialize password-based encryptor with null encryption method");
            }
            this.encryptionMethod = encryptionMethod;
            if (keyDerivationFunction == null || keyDerivationFunction.equals(KeyDerivationFunction.NONE)) {
                throw new IllegalArgumentException("Cannot initialize password-based encryptor with null KDF");
            }
            this.kdf = keyDerivationFunction;
            if (cArr == null || cArr.length == 0) {
                throw new IllegalArgumentException("Cannot initialize password-based encryptor with empty password");
            }
            this.password = new PBEKeySpec(cArr);
        } catch (Exception e) {
            throw new ProcessException(e);
        }
    }

    public static int getMaxAllowedKeyLength(String str) {
        if (StringUtils.isEmpty(str)) {
            return DEFAULT_MAX_ALLOWED_KEY_LENGTH;
        }
        try {
            return Cipher.getMaxAllowedKeyLength(CipherUtility.parseCipherFromAlgorithm(str));
        } catch (NoSuchAlgorithmException e) {
            return DEFAULT_MAX_ALLOWED_KEY_LENGTH;
        }
    }

    public static int getMinimumSafePasswordLength() {
        return 10;
    }

    static Map<String, String> writeAttributes(EncryptionMethod encryptionMethod, KeyDerivationFunction keyDerivationFunction, byte[] bArr, byte[] bArr2, ByteCountingInputStream byteCountingInputStream, ByteCountingOutputStream byteCountingOutputStream, boolean z) {
        Map<String, String> writeAttributes = AbstractEncryptor.writeAttributes(encryptionMethod, keyDerivationFunction, bArr, byteCountingInputStream, byteCountingOutputStream, z);
        if (keyDerivationFunction.hasFormattedSalt()) {
            String str = new String(bArr2, StandardCharsets.UTF_8);
            writeAttributes.put(EncryptContent.KDF_SALT_ATTR, str);
            writeAttributes.put(EncryptContent.KDF_SALT_LEN_ATTR, String.valueOf(str.length()));
        }
        byte[] extractRawSalt = CipherUtility.extractRawSalt(bArr2, keyDerivationFunction);
        writeAttributes.put(EncryptContent.SALT_ATTR, Hex.encodeHexString(extractRawSalt));
        writeAttributes.put(EncryptContent.SALT_LEN_ATTR, String.valueOf(extractRawSalt.length));
        return writeAttributes;
    }

    @Override // org.apache.nifi.processors.standard.EncryptContent.Encryptor
    public StreamCallback getEncryptionCallback() throws ProcessException {
        return new EncryptCallback();
    }

    @Override // org.apache.nifi.processors.standard.EncryptContent.Encryptor
    public StreamCallback getDecryptionCallback() throws ProcessException {
        return new DecryptCallback();
    }
}
