package io.hops.hopsworks.common.security;

import io.hops.hopsworks.common.featurestore.FeaturestoreConstants;
import io.hops.hopsworks.common.security.SymmetricEncryptionDescriptor;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.annotation.PostConstruct;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.ejb.Stateless;
import org.apache.commons.lang3.tuple.Pair;

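/**
 * Password-based authenticated encryption helper.
 *
 * <p>A key is derived from the caller's password and a salt with PBKDF2 (HMAC-SHA512) and used
 * for AES in GCM mode. The serialized layout handled by
 * {@link #mergePayloadWithCryptoPrimitives(byte[], byte[], byte[])} and
 * {@link #splitPayloadFromCryptoPrimitives(byte[])} is
 * {@code salt (SALT_LENGTH) || IV (IV_LENGTH) || ciphertext+tag}.
 *
 * <p>This listing is decompiler output; numeric literals the decompiler inlined or mis-resolved
 * have been mapped back to the constants declared in this class.
 */
@Stateless
/* loaded from: input_file:io/hops/hopsworks/common/security/SymmetricEncryptionService.class */
public class SymmetricEncryptionService {
    // The SUN provider only registers this algorithm on Unix-like platforms; init() fails where
    // it is unavailable.
    private static final String RNG_IMPL = "NativePRNGNonBlocking";
    /** Salt length in bytes. */
    public static final int SALT_LENGTH = 64;
    // NOTE(review): 10000 PBKDF2 iterations is low by current password-hashing guidance. The count
    // is not stored with the ciphertext, so raising it needs a migration plan for existing data.
    private static final int KEY_DERIVATION_ITERATIONS = 10000;
    /** Derived AES key length in bits. */
    private static final int KEY_SIZE = 128;
    private static final String KEY_DERIVATION_ALGORITHM = "PBKDF2WithHmacSHA512";
    private static final String ENCRYPTION_ALGORITHM = "AES";
    // NOTE(review): GCM does not use block padding and some providers reject a padding other than
    // NoPadding for it. Confirm this transformation resolves on every target JRE.
    private static final String AES_MODE = "AES/GCM/PKCS5Padding";
    /** GCM authentication tag length in bits. */
    private static final int GCM_AUTHENTICATION_TAG_SIZE = 128;
    /** GCM IV (nonce) length in bytes. */
    public static final int IV_LENGTH = 12;
    SecureRandom rand;

    /**
     * Obtains the random generator used for salts and IVs.
     *
     * @throws RuntimeException if the {@code NativePRNGNonBlocking} algorithm is not available
     */
    @PostConstruct
    public void init() {
        try {
            this.rand = SecureRandom.getInstance(RNG_IMPL);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Encrypts the descriptor's input with a key derived from its password.
     *
     * <p>A random salt and/or IV is generated when the descriptor does not carry one. A
     * caller-supplied IV must never be repeated for the same password and salt: GCM loses both
     * confidentiality and integrity when a (key, IV) pair is reused.
     *
     * <p>The password held by the descriptor and by the key spec is wiped before this method
     * returns, on success and on failure.
     *
     * @param symmetricEncryptionDescriptor carries password, input and optionally salt and IV
     * @return a new descriptor holding the ciphertext (with tag), the salt and the IV
     * @throws IllegalArgumentException if the descriptor has no password
     * @throws GeneralSecurityException if key derivation or encryption fails
     */
    public SymmetricEncryptionDescriptor encrypt(SymmetricEncryptionDescriptor symmetricEncryptionDescriptor) throws GeneralSecurityException {
        // PBEKeySpec accepts a null password and treats it as empty, which would silently
        // produce ciphertext protected by no secret at all. Reject it like decrypt() does.
        if (symmetricEncryptionDescriptor.getPassword() == null) {
            throw new IllegalArgumentException("Password is empty");
        }
        byte[] salt = symmetricEncryptionDescriptor.getSalt();
        if (salt == null) {
            salt = new byte[SALT_LENGTH];
            generateRandom(salt);
        }
        byte[] iv = symmetricEncryptionDescriptor.getIv();
        if (iv == null) {
            iv = new byte[IV_LENGTH];
            generateRandom(iv);
        }
        KeySpec keySpec = null;
        try {
            Pair<KeySpec, SecretKey> keyMaterial = buildSecretKey(symmetricEncryptionDescriptor.getPassword(), salt);
            keySpec = keyMaterial.getLeft();
            Cipher cipher = getCipher();
            cipher.init(Cipher.ENCRYPT_MODE, keyMaterial.getRight(), getGCMSpec(iv));
            byte[] ciphertext = cipher.doFinal(symmetricEncryptionDescriptor.getInput());
            return new SymmetricEncryptionDescriptor.Builder().setOutput(ciphertext).setSalt(salt).setIV(iv).build();
        } finally {
            // Wipe password material even when derivation or encryption throws.
            clearPasswords(keySpec, symmetricEncryptionDescriptor);
        }
    }

    /**
     * Decrypts and authenticates the descriptor's input.
     *
     * <p>The password held by the descriptor and by the key spec is wiped before this method
     * returns, on success and on failure (including a failed tag check).
     *
     * @param symmetricEncryptionDescriptor carries password, salt, IV and the ciphertext with tag
     * @return a new descriptor holding the plaintext
     * @throws IllegalArgumentException if salt, IV or password is missing
     * @throws GeneralSecurityException if key derivation fails or the ciphertext does not
     *     authenticate
     */
    public SymmetricEncryptionDescriptor decrypt(SymmetricEncryptionDescriptor symmetricEncryptionDescriptor) throws GeneralSecurityException {
        if (symmetricEncryptionDescriptor.getSalt() == null || symmetricEncryptionDescriptor.getIv() == null || symmetricEncryptionDescriptor.getPassword() == null) {
            throw new IllegalArgumentException("Cryptographic primitives are empty");
        }
        KeySpec keySpec = null;
        try {
            Pair<KeySpec, SecretKey> keyMaterial = buildSecretKey(symmetricEncryptionDescriptor.getPassword(), symmetricEncryptionDescriptor.getSalt());
            keySpec = keyMaterial.getLeft();
            Cipher cipher = getCipher();
            cipher.init(Cipher.DECRYPT_MODE, keyMaterial.getRight(), getGCMSpec(symmetricEncryptionDescriptor.getIv()));
            byte[] plaintext = cipher.doFinal(symmetricEncryptionDescriptor.getInput());
            return new SymmetricEncryptionDescriptor.Builder().setOutput(plaintext).build();
        } finally {
            // A wrong password or tampered ciphertext makes doFinal throw; the password must
            // not stay in memory on that path either.
            clearPasswords(keySpec, symmetricEncryptionDescriptor);
        }
    }

    /**
     * Concatenates three byte arrays in argument order.
     *
     * <p>To round-trip through {@link #splitPayloadFromCryptoPrimitives(byte[])} the arguments
     * must be the salt ({@code SALT_LENGTH} bytes), the IV ({@code IV_LENGTH} bytes) and the
     * ciphertext, in that order.
     *
     * @param bArr first segment
     * @param bArr2 second segment
     * @param bArr3 third segment
     * @return a new array holding the three segments back to back
     */
    public byte[] mergePayloadWithCryptoPrimitives(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        byte[] merged = new byte[bArr.length + bArr2.length + bArr3.length];
        System.arraycopy(bArr, 0, merged, 0, bArr.length);
        System.arraycopy(bArr2, 0, merged, bArr.length, bArr2.length);
        System.arraycopy(bArr3, 0, merged, bArr.length + bArr2.length, bArr3.length);
        return merged;
    }

    /**
     * Splits a merged payload into salt, IV and ciphertext.
     *
     * <p>The split is purely positional and assumes a {@code SALT_LENGTH}-byte salt followed by an
     * {@code IV_LENGTH}-byte IV. Nothing is authenticated here; integrity is only established
     * when the result is passed to {@link #decrypt(SymmetricEncryptionDescriptor)}.
     *
     * @param bArr merged payload, at least {@code SALT_LENGTH + IV_LENGTH} bytes long
     * @return {@code {salt, iv, ciphertext}}
     * @throws IllegalArgumentException if the payload is too short to contain salt and IV
     */
    public byte[][] splitPayloadFromCryptoPrimitives(byte[] bArr) {
        // Stored payloads may be truncated or attacker-controlled: fail with a clear error
        // instead of a NegativeArraySizeException from the size computation below.
        if (bArr.length < SALT_LENGTH + IV_LENGTH) {
            throw new IllegalArgumentException("Payload is too short to contain salt and IV");
        }
        byte[] salt = new byte[SALT_LENGTH];
        byte[] iv = new byte[IV_LENGTH];
        byte[] payload = new byte[bArr.length - SALT_LENGTH - IV_LENGTH];
        System.arraycopy(bArr, 0, salt, 0, salt.length);
        System.arraycopy(bArr, salt.length, iv, 0, iv.length);
        System.arraycopy(bArr, salt.length + iv.length, payload, 0, payload.length);
        // The decompiler emitted "new byte[]{...}" here, which does not compile.
        return new byte[][]{salt, iv, payload};
    }

    /** Wipes the password copy held by the key spec (if any) and the one in the descriptor. */
    private void clearPasswords(KeySpec keySpec, SymmetricEncryptionDescriptor symmetricEncryptionDescriptor) {
        if (keySpec instanceof PBEKeySpec) {
            ((PBEKeySpec) keySpec).clearPassword();
        }
        symmetricEncryptionDescriptor.clearPassword();
    }

    /**
     * Derives the AES key from a password and salt with PBKDF2.
     *
     * @param password password characters; the returned spec keeps its own copy until cleared
     * @param salt PBKDF2 salt
     * @return the key spec (so the caller can clear its password) and the derived AES key
     */
    private Pair<KeySpec, SecretKey> buildSecretKey(char[] password, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(KEY_DERIVATION_ALGORITHM);
        // The decompiler resolved the literal 128 to an unrelated feature-store constant;
        // the key length belongs to this class's own KEY_SIZE.
        PBEKeySpec pbeKeySpec = new PBEKeySpec(password, salt, KEY_DERIVATION_ITERATIONS, KEY_SIZE);
        boolean derived = false;
        try {
            byte[] rawKey = secretKeyFactory.generateSecret(pbeKeySpec).getEncoded();
            SecretKey aesKey;
            try {
                aesKey = new SecretKeySpec(rawKey, ENCRYPTION_ALGORITHM);
            } finally {
                // SecretKeySpec keeps its own copy, so the temporary can be zeroed.
                java.util.Arrays.fill(rawKey, (byte) 0);
            }
            derived = true;
            return Pair.of(pbeKeySpec, aesKey);
        } finally {
            if (!derived) {
                // The caller never receives the spec on failure, so wipe it here.
                pbeKeySpec.clearPassword();
            }
        }
    }

    /** Returns a fresh cipher instance for the configured AES/GCM transformation. */
    private Cipher getCipher() throws NoSuchAlgorithmException, NoSuchPaddingException {
        return Cipher.getInstance(AES_MODE);
    }

    /** Builds the GCM parameters for the given IV with a 128-bit authentication tag. */
    private GCMParameterSpec getGCMSpec(byte[] iv) {
        // Same decompiler mis-resolution as in buildSecretKey: use the local tag-size constant.
        return new GCMParameterSpec(GCM_AUTHENTICATION_TAG_SIZE, iv);
    }

    /** Fills the array with bytes from the generator obtained in {@link #init()}. */
    private void generateRandom(byte[] target) {
        this.rand.nextBytes(target);
    }
}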
