package io.helidon.security.tools.config;

import io.helidon.common.OptionalHelper;
import io.helidon.common.configurable.Resource;
import io.helidon.common.pki.KeyConfig;
import io.helidon.config.Config;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.Key;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:io/helidon/security/tools/config/CryptUtil.class */
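/**
 * Static helpers for encrypting and decrypting configuration values, either with an RSA key or
 * with AES keyed from a master password, and for locating that key material.
 *
 * <p>AES wire format produced by {@link #encryptAes(char[], String)} and consumed by
 * {@link #decryptAes(char[], String)}: {@code base64(salt[16] || AES-CBC(seed[16] || utf8(secret)))}.
 *
 * <p>Security properties a reviewer should be aware of (all visible in this class):
 * <ul>
 *   <li>The AES key is derived with PBKDF2-HMAC-SHA1, {@value #HASH_ITERATIONS} iterations,
 *       {@value #KEY_LENGTH}-bit output.</li>
 *   <li>The 16 byte salt is also used as the CBC initialization vector.</li>
 *   <li>AES/CBC/PKCS5Padding carries no authentication tag, so a modified ciphertext is only
 *       detected if the padding happens to be invalid.</li>
 *   <li>The RSA transformation is requested as plain {@code "RSA"}, which leaves mode and padding
 *       to the provider default.</li>
 * </ul>
 * Changing any of these alters the format of already encrypted values, so they are documented
 * here rather than changed.
 */
public final class CryptUtil {
    private static final Logger LOGGER = Logger.getLogger(CryptUtil.class.getName());
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    /** Length in bytes of the PBKDF2 salt, which is stored as the prefix of the encrypted value. */
    private static final int SALT_LENGTH = 16;
    /** Length in bytes of the random block prepended to the plain text before encryption. */
    private static final int SEED_LENGTH = 16;
    /** PBKDF2 iteration count. */
    private static final int HASH_ITERATIONS = 10000;
    /** Derived AES key length in bits. */
    private static final int KEY_LENGTH = 128;

    private CryptUtil() {
        throw new IllegalStateException("Utility class");
    }

    /**
     * Decrypts a base64 encoded value with the provided RSA key.
     *
     * @param key key to decrypt with, must not be {@code null}
     * @param str base64 encoded encrypted bytes, must not be {@code null}
     * @return the decrypted bytes interpreted as UTF-8
     * @throws SecureConfigException if decoding or decryption fails; the underlying failure is
     *         attached as the cause
     */
    public static String decryptRsa(Key key, String str) throws SecureConfigException {
        Objects.requireNonNull(key, "Key must be provided for decryption");
        Objects.requireNonNull(str, "Encrypted bytes must be provided for decryption (base64 encoded)");
        try {
            // NOTE(review): "RSA" leaves mode and padding to the provider default. Pinning an explicit
            // transformation (e.g. an OAEP one) would be more robust, but it must match whatever the
            // existing encrypted values were produced with - confirm before changing.
            Cipher rsa = Cipher.getInstance("RSA");
            rsa.init(Cipher.DECRYPT_MODE, key);
            byte[] encrypted = Base64.getDecoder().decode(str);
            return new String(rsa.doFinal(encrypted), StandardCharsets.UTF_8);
        } catch (SecureConfigException e) {
            throw e;
        } catch (Exception e) {
            // Keep the cause: without it a wrong key, a bad padding and malformed base64 are
            // indistinguishable when diagnosing a failed start-up.
            // NOTE(review): the message says the clear text value is returned, but this method throws;
            // it also copies the input value into the exception text, which may end up in logs.
            throw new SecureConfigException("Failed to decrypt value using RSA. Returning clear text value as is: " + str, e);
        }
    }

    /**
     * Encrypts a secret with the provided RSA key.
     *
     * @param key key to encrypt with, must not be {@code null}
     * @param str secret to encrypt, must not be {@code null}; encoded as UTF-8 before encryption
     * @return base64 encoded encrypted bytes
     * @throws SecureConfigException if encryption fails
     */
    public static String encryptRsa(Key key, String str) throws SecureConfigException {
        Objects.requireNonNull(key, "Key must be provided for encryption");
        Objects.requireNonNull(str, "Secret message must be provided to be encrypted");
        try {
            // NOTE(review): see decryptRsa - the padding scheme is whatever the provider defaults to.
            Cipher rsa = Cipher.getInstance("RSA");
            rsa.init(Cipher.ENCRYPT_MODE, key);
            byte[] encrypted = rsa.doFinal(str.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(encrypted);
        } catch (Exception e) {
            throw new SecureConfigException("Failed to encrypt using RSA key", e);
        }
    }

    /**
     * Encrypts a secret with AES, using a key derived from the master password.
     *
     * @param cArr master password, must not be {@code null}
     * @param str secret to encrypt, must not be {@code null}; encoded as UTF-8 before encryption
     * @return {@code base64(salt || AES-CBC(seed || secret))}
     * @throws SecureConfigException if the cipher cannot be prepared or encryption fails
     */
    public static String encryptAes(char[] cArr, String str) throws SecureConfigException {
        Objects.requireNonNull(cArr, "Password must be provided for encryption");
        Objects.requireNonNull(str, "Secret message must be provided to be encrypted");

        // nextBytes() is the API intended for salts and nonces. generateSeed() is meant for seeding
        // other generators and may block while the platform gathers entropy.
        byte[] salt = new byte[SALT_LENGTH];
        SECURE_RANDOM.nextBytes(salt);
        Cipher aes = cipher(cArr, salt, Cipher.ENCRYPT_MODE);

        // A random block in front of the secret makes the first cipher text block differ even when
        // the same secret is encrypted repeatedly.
        byte[] seed = new byte[SEED_LENGTH];
        SECURE_RANDOM.nextBytes(seed);
        byte[] secret = str.getBytes(StandardCharsets.UTF_8);
        byte[] plain = new byte[seed.length + secret.length];
        System.arraycopy(seed, 0, plain, 0, seed.length);
        System.arraycopy(secret, 0, plain, seed.length, secret.length);

        try {
            byte[] encrypted = aes.doFinal(plain);
            byte[] result = new byte[salt.length + encrypted.length];
            System.arraycopy(salt, 0, result, 0, salt.length);
            // The cipher text starts right after the salt. The previous code used the seed length as
            // the offset, which only worked because both lengths are 16.
            System.arraycopy(encrypted, 0, result, salt.length, encrypted.length);
            return Base64.getEncoder().encodeToString(result);
        } catch (Exception e) {
            throw new SecureConfigException("Failed to encrypt", e);
        }
    }

    /**
     * Prepares an AES/CBC/PKCS5Padding cipher keyed from the password.
     *
     * @param cArr master password
     * @param bArr salt for the key derivation; the same bytes are used as the initialization vector
     * @param i cipher mode, {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @return the initialized cipher
     * @throws SecureConfigException if key derivation or cipher initialization fails
     */
    private static Cipher cipher(char[] cArr, byte[] bArr, int i) throws SecureConfigException {
        try {
            PBEKeySpec keySpec = new PBEKeySpec(cArr, bArr, HASH_ITERATIONS, KEY_LENGTH);
            byte[] derivedKey;
            try {
                // NOTE(review): PBKDF2-HMAC-SHA1 with 10000 iterations is a modest work factor for an
                // offline guessing attack on the master password. Raising it changes the derived key
                // and therefore breaks decryption of existing values unless the format is versioned.
                derivedKey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(keySpec).getEncoded();
            } finally {
                // PBEKeySpec keeps its own copy of the password; wipe it once the key is derived.
                keySpec.clearPassword();
            }
            SecretKeySpec secretKeySpec = new SecretKeySpec(derivedKey, "AES");
            Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // NOTE(review): the salt doubles as the IV, and CBC provides no integrity protection.
            // An authenticated mode would detect tampering, but it is a format change.
            aes.init(i, secretKeySpec, new IvParameterSpec(bArr));
            return aes;
        } catch (Exception e) {
            throw new SecureConfigException("Failed to prepare a cipher instance", e);
        }
    }

    /**
     * Decrypts a value produced by {@link #encryptAes(char[], String)}.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param cArr master password, must not be {@code null}
     * @param str base64 encoded {@code salt || cipher text}, must not be {@code null}
     * @return the decrypted secret interpreted as UTF-8
     * @throws SecureConfigException if the value is malformed, too short, or cannot be decrypted
     */
    public static String decryptAes(char[] cArr, String str) throws SecureConfigException {
        Objects.requireNonNull(cArr, "Password must be provided for decryption");
        Objects.requireNonNull(str, "Encrypted bytes must be provided for decryption (base64 encoded)");
        try {
            byte[] decoded = Base64.getDecoder().decode(str);
            // Reject truncated input explicitly instead of relying on a negative array size.
            if (decoded.length < SALT_LENGTH) {
                throw new IllegalArgumentException("Encrypted value is shorter than the " + SALT_LENGTH + " byte salt");
            }
            byte[] salt = new byte[SALT_LENGTH];
            byte[] encrypted = new byte[decoded.length - SALT_LENGTH];
            System.arraycopy(decoded, 0, salt, 0, SALT_LENGTH);
            System.arraycopy(decoded, SALT_LENGTH, encrypted, 0, encrypted.length);

            byte[] plain = cipher(cArr, salt, Cipher.DECRYPT_MODE).doFinal(encrypted);
            if (plain.length < SEED_LENGTH) {
                throw new IllegalArgumentException("Decrypted value is shorter than the " + SEED_LENGTH + " byte seed");
            }
            // Drop the random seed block that encryptAes put in front of the secret.
            byte[] secret = new byte[plain.length - SEED_LENGTH];
            System.arraycopy(plain, SEED_LENGTH, secret, 0, secret.length);
            return new String(secret, StandardCharsets.UTF_8);
        } catch (Exception e) {
            // Only Exception is translated: an Error (e.g. OutOfMemoryError) is not a decryption
            // failure and must not be reported to callers as "value could not be decrypted".
            // NOTE(review): the message says the clear text value is returned, but this method throws;
            // it also copies the input value into the exception text, which may end up in logs.
            throw new SecureConfigException("Failed to decrypt value using AES. Returning clear text value as is: " + str, e);
        }
    }

    /**
     * Resolves the master password, preferring the environment variable over configuration.
     *
     * <p>When {@code z} is {@code true} a password found in configuration is ignored with a
     * warning, because it would be stored in clear text next to the values it protects.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param z whether encryption is required
     * @param config configuration to read the password from when the environment variable is unset
     * @return the master password, or empty if none is available
     */
    public static Optional<char[]> resolveMasterPassword(boolean z, Config config) {
        Optional<char[]> password = OptionalHelper.from(getEnv(ConfigProperties.MASTER_PASSWORD_ENV_VARIABLE))
                .or(() -> {
                    Optional<String> configured = config.get(ConfigProperties.MASTER_PASSWORD_CONFIG_KEY).value();
                    if (configured.isPresent() && z) {
                        // NOTE(review): the message mentions a system property, but the code visible in
                        // this class only consults the environment variable.
                        LOGGER.warning("Master password is configured as clear text in configuration when encryption is required. This value will be ignored. System property or environment variable expected!!!");
                        return Optional.empty();
                    }
                    return configured;
                })
                .asOptional()
                // The source String stays on the heap; the char[] only lets callers wipe their copy.
                .map(String::toCharArray);
        if (!password.isPresent()) {
            LOGGER.fine("Securing properties using master password is not available, as master password is not configured");
        }
        return password;
    }

    /**
     * Resolves the private key from configuration, with environment variables overriding the
     * configured PEM and keystore settings.
     *
     * <p>The key pass phrase environment variable is applied to both the PEM builder and the
     * keystore builder.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param config configuration holding the PEM or keystore settings
     * @return the private key, or empty if none is configured
     */
    public static Optional<PrivateKey> resolvePrivateKey(Config config) {
        KeyConfig.PemBuilder pemBuilder = KeyConfig.pemBuilder().from(config);
        KeyConfig.KeystoreBuilder keystoreBuilder = KeyConfig.keystoreBuilder().from(config);

        // PEM overrides
        getEnv(ConfigProperties.PRIVATE_KEY_PEM_PATH_ENV_VARIABLE)
                .map(location -> Paths.get(location))
                .ifPresent(path -> pemBuilder.key(Resource.from(path)));
        getEnv(ConfigProperties.PRIVATE_KEY_PASS_ENV_VARIABLE)
                .map(String::toCharArray)
                .ifPresent(pemBuilder::keyPassphrase);

        // Keystore overrides
        getEnv(ConfigProperties.PRIVATE_KEYSTORE_PATH_ENV_VARIABLE)
                .map(location -> Paths.get(location))
                .ifPresent(path -> keystoreBuilder.keystore(Resource.from(path)));
        getEnv(ConfigProperties.PRIVATE_KEYSTORE_TYPE_ENV_VARIABLE)
                .ifPresent(keystoreBuilder::keystoreType);
        getEnv(ConfigProperties.PRIVATE_KEYSTORE_PASS_ENV_VARIABLE)
                .map(String::toCharArray)
                .ifPresent(keystoreBuilder::keystorePassphrase);
        getEnv(ConfigProperties.PRIVATE_KEY_PASS_ENV_VARIABLE)
                .map(String::toCharArray)
                .ifPresent(keystoreBuilder::keyPassphrase);
        getEnv(ConfigProperties.PRIVATE_KEY_ALIAS_ENV_VARIABLE)
                .ifPresent(keystoreBuilder::keyAlias);

        Optional<PrivateKey> privateKey = KeyConfig.fullBuilder()
                .updateWith(pemBuilder)
                .updateWith(keystoreBuilder)
                .build()
                .getPrivateKey();
        if (!privateKey.isPresent()) {
            LOGGER.fine("Securing properties using asymmetric cipher is not available, as private key is not configured");
        }
        return privateKey;
    }

    /**
     * Reads an environment variable.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param str name of the environment variable
     * @return the value, or empty if the variable is not set
     */
    public static Optional<String> getEnv(String str) {
        return Optional.ofNullable(System.getenv(str));
    }
}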
