package io.helidon.config.encryption;

import io.helidon.common.Base64Value;
import io.helidon.common.LazyValue;
import io.helidon.common.configurable.Resource;
import io.helidon.common.crypto.AsymmetricCipher;
import io.helidon.common.crypto.PasswordKeyDerivation;
import io.helidon.common.crypto.SymmetricCipher;
import io.helidon.common.pki.Keys;
import io.helidon.config.ConfigValue;
import io.helidon.config.mp.MpConfig;
import java.lang.System;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Objects;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.eclipse.microprofile.config.Config;

/* loaded from: input_file:io/helidon/config/encryption/EncryptionUtil.class */
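/**
 * Cryptographic helpers used by the Helidon config encryption filter.
 *
 * <p>Two schemes are supported:
 * <ul>
 *   <li>RSA (OAEP, SHA-256, MGF1) for values encrypted with a public key and decrypted with the
 *       matching private key, see {@link #encryptRsa} / {@link #decryptRsa};</li>
 *   <li>AES-256/GCM with a key derived from a master password via PBKDF2-HMAC-SHA256, see
 *       {@link #encryptAes} / {@link #decryptAes}.</li>
 * </ul>
 *
 * <p>The AES payload is {@code base64(salt || nonce || ciphertext)} where the salt is
 * {@value #SALT_LENGTH} bytes and the nonce {@value #NONCE_LENGTH} bytes. The PBKDF2 iteration
 * count and key length are <em>not</em> stored in the payload, so changing {@link #HASH_ITERATIONS}
 * or {@link #KEY_LENGTH} silently breaks decryption of values that were encrypted earlier.
 *
 * <p>Thread-safety: all methods are stateless apart from the shared {@link SecureRandom}, which is
 * itself safe for concurrent use.
 *
 * <p>This source was recovered by a decompiler; several members marked package-private in the
 * upstream source are {@code public} here (see the notes on the individual methods).
 */
public final class EncryptionUtil {
    private static final System.Logger LOGGER = System.getLogger(EncryptionUtil.class.getName());
    // Constructed on first use (LazyValue), presumably so that class initialisation is not tied to
    // SecureRandom setup; shared by all AES encryptions.
    private static final LazyValue<SecureRandom> SECURE_RANDOM = LazyValue.create(SecureRandom::new);

    /** Bytes of PBKDF2 salt generated per encryption and stored at the start of the AES payload. */
    private static final int SALT_LENGTH = 16;
    /** Bytes of GCM nonce generated per encryption and stored after the salt. */
    private static final int NONCE_LENGTH = 12;
    /** Declared in the upstream class but not referenced by any method here. */
    private static final int SEED_LENGTH = 16;
    /**
     * PBKDF2 iteration count, shared by the current and the legacy derivation. Not stored in the
     * payload, so it cannot be raised without a versioned payload format.
     */
    private static final int HASH_ITERATIONS = 10000;
    /** AES key bits for the legacy CBC scheme ({@link #cipherLegacy}). */
    private static final int KEY_LENGTH_LEGACY = 128;
    /** AES key bits for the current GCM scheme. */
    private static final int KEY_LENGTH = 256;

    /** JCA transformation used for RSA; OAEP with SHA-256 and MGF1. */
    private static final String RSA_TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    /** JCA transformation used for AES; authenticated encryption. */
    private static final String AES_TRANSFORMATION = "AES/GCM/NoPadding";
    /** Password-based key derivation algorithm for the current AES scheme. */
    private static final String KEY_DERIVATION = "PBKDF2WithHmacSHA256";
    /**
     * Largest plaintext accepted by {@link #encryptRsa}. 190 = 256 - 2 * 32 - 2, i.e. the OAEP
     * limit for a 2048-bit modulus with SHA-256; the utility pins this value rather than deriving
     * it from the actual key size.
     */
    private static final int MAX_RSA_PLAINTEXT_BYTES = 190;

    private static final String CLEAR_TEXT_MASTER_PASSWORD_WARNING =
            "Master password is configured as clear text in configuration when encryption is required. This value will be ignored. System property or environment variable expected!!!";
    private static final String MASTER_PASSWORD_MISSING_DEBUG =
            "Securing properties using master password is not available, as master password is not configured";

    private EncryptionUtil() {
        throw new IllegalStateException("Utility class");
    }

    /**
     * Decrypts a base64-encoded RSA/OAEP ciphertext produced by {@link #encryptRsa}.
     *
     * @param privateKey private key matching the public key used for encryption
     * @param str        base64-encoded ciphertext
     * @return the decrypted plaintext as a UTF-8 string
     * @throws NullPointerException      if either argument is {@code null}
     * @throws ConfigEncryptionException if decoding or decryption fails; the message carries the
     *                                   ciphertext (not a secret) and the cause carries the detail.
     *                                   The "returning clear text value as is" wording presumably
     *                                   describes the caller's fallback — this method itself returns
     *                                   nothing on failure
     */
    public static String decryptRsa(PrivateKey privateKey, String str) throws ConfigEncryptionException {
        Objects.requireNonNull(privateKey, "Key must be provided for decryption");
        Objects.requireNonNull(str, "Encrypted bytes must be provided for decryption (base64 encoded)");
        try {
            Base64Value cipherText = Base64Value.createFromEncoded(str);
            return AsymmetricCipher.decrypt(RSA_TRANSFORMATION, (String) null, privateKey, cipherText)
                    .toDecodedString();
        } catch (ConfigEncryptionException e) {
            // Already the right type; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            throw new ConfigEncryptionException("Failed to decrypt value using RSA. Returning clear text value as is: " + str, e);
        }
    }

    /**
     * Encrypts a UTF-8 string with RSA/OAEP and returns the ciphertext base64-encoded.
     *
     * @param publicKey public key to encrypt with
     * @param str       plaintext; at most {@value #MAX_RSA_PLAINTEXT_BYTES} UTF-8 bytes
     * @return base64-encoded ciphertext
     * @throws NullPointerException      if either argument is {@code null}
     * @throws ConfigEncryptionException if the plaintext is too long or encryption fails
     */
    public static String encryptRsa(PublicKey publicKey, String str) throws ConfigEncryptionException {
        Objects.requireNonNull(publicKey, "Key must be provided for encryption");
        Objects.requireNonNull(str, "Secret message must be provided to be encrypted");
        // The limit is on encoded bytes, not characters: multi-byte UTF-8 text hits it sooner.
        if (str.getBytes(StandardCharsets.UTF_8).length > MAX_RSA_PLAINTEXT_BYTES) {
            throw new ConfigEncryptionException("Secret value is too large. Maximum of 190 bytes is allowed.");
        }
        try {
            return AsymmetricCipher.encrypt(RSA_TRANSFORMATION, (String) null, publicKey, Base64Value.create(str))
                    .toBase64();
        } catch (Exception e) {
            throw new ConfigEncryptionException("Failed to encrypt using RSA key", e);
        }
    }

    /**
     * Encrypts a UTF-8 string with a password-derived AES-256/GCM key.
     *
     * @param cArr master password
     * @param str  plaintext
     * @return base64-encoded {@code salt || nonce || ciphertext}
     * @throws NullPointerException      if either argument is {@code null}
     * @throws ConfigEncryptionException if key derivation or encryption fails
     * @see #encryptAesBytes(char[], byte[])
     */
    public static String encryptAes(char[] cArr, String str) throws ConfigEncryptionException {
        Objects.requireNonNull(str, "Secret message must be provided to be encrypted");
        return encryptAesBytes(cArr, str.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Encrypts raw bytes with a password-derived AES-256/GCM key.
     *
     * <p>A fresh random salt and nonce are drawn for every call, so each call also derives a fresh
     * key; the nonce is therefore never reused under a key. The caller owns {@code cArr} and is
     * responsible for clearing it.
     *
     * @param cArr master password
     * @param bArr plaintext bytes
     * @return base64-encoded {@code salt || nonce || ciphertext}
     * @throws NullPointerException      if either argument is {@code null}
     * @throws ConfigEncryptionException if key derivation or encryption fails
     * @deprecated kept for callers of the 2.2.0-era API; {@link #encryptAes} still delegates here
     */
    @Deprecated(since = "2.2.0")
    public static String encryptAesBytes(char[] cArr, byte[] bArr) throws ConfigEncryptionException {
        Objects.requireNonNull(cArr, "Password must be provided for encryption");
        Objects.requireNonNull(bArr, "Secret message must be provided to be encrypted");
        // nextBytes() rather than generateSeed(): generateSeed() is meant for seeding other PRNGs
        // and may block on entropy-starved hosts; nextBytes() is the documented way to draw random
        // salts and nonces from an initialised SecureRandom.
        SecureRandom random = SECURE_RANDOM.get();
        byte[] salt = new byte[SALT_LENGTH];
        byte[] nonce = new byte[NONCE_LENGTH];
        random.nextBytes(salt);
        random.nextBytes(nonce);

        byte[] cipherText = SymmetricCipher.encrypt(
                AES_TRANSFORMATION,
                PasswordKeyDerivation.deriveKey(KEY_DERIVATION, (String) null, cArr, salt, HASH_ITERATIONS, KEY_LENGTH),
                nonce,
                Base64Value.create(bArr)).toBytes();

        // Payload layout must match decryptAesBytes: salt first, then nonce, then ciphertext.
        byte[] packed = ByteBuffer.allocate(SALT_LENGTH + NONCE_LENGTH + cipherText.length)
                .put(salt)
                .put(nonce)
                .put(cipherText)
                .array();
        return Base64.getEncoder().encodeToString(packed);
    }

    /**
     * Decrypts a value produced by {@link #encryptAes} back to a UTF-8 string.
     *
     * @param cArr master password
     * @param str  base64-encoded {@code salt || nonce || ciphertext}
     * @return decrypted plaintext
     * @throws NullPointerException      if either argument is {@code null}
     * @throws ConfigEncryptionException if the payload is malformed or authentication fails
     */
    public static String decryptAes(char[] cArr, String str) throws ConfigEncryptionException {
        return new String(decryptAesBytes(cArr, str), StandardCharsets.UTF_8);
    }

    /**
     * Decrypts a value produced by {@link #encryptAesBytes} back to raw bytes.
     *
     * @param cArr master password
     * @param str  base64-encoded {@code salt || nonce || ciphertext}
     * @return decrypted plaintext bytes
     * @throws NullPointerException      if either argument is {@code null}
     * @throws ConfigEncryptionException if the payload is not valid base64, is too short to hold a
     *                                   salt and nonce, or the GCM tag does not verify. The message
     *                                   carries the ciphertext (not a secret) and the cause the detail
     * @deprecated kept for callers of the 2.2.0-era API; {@link #decryptAes} still delegates here
     */
    @Deprecated(since = "2.2.0")
    public static byte[] decryptAesBytes(char[] cArr, String str) {
        Objects.requireNonNull(cArr, "Password must be provided for decryption");
        Objects.requireNonNull(str, "Encrypted bytes must be provided for decryption (base64 encoded)");
        try {
            byte[] packed = Base64.getDecoder().decode(str);
            int headerLength = SALT_LENGTH + NONCE_LENGTH;
            // Without this check a short payload produced a NegativeArraySizeException; fail with a
            // cause that says what is wrong instead. The wrapping below keeps the public message.
            if (packed.length < headerLength) {
                throw new IllegalArgumentException("Encrypted value is too short: expected at least "
                        + headerLength + " bytes of salt and nonce, got " + packed.length);
            }
            byte[] salt = Arrays.copyOfRange(packed, 0, SALT_LENGTH);
            byte[] nonce = Arrays.copyOfRange(packed, SALT_LENGTH, headerLength);
            byte[] cipherText = Arrays.copyOfRange(packed, headerLength, packed.length);
            return SymmetricCipher.decrypt(
                    AES_TRANSFORMATION,
                    PasswordKeyDerivation.deriveKey(KEY_DERIVATION, (String) null, cArr, salt, HASH_ITERATIONS, KEY_LENGTH),
                    nonce,
                    Base64Value.create(cipherText)).toBytes();
        } catch (Exception e) {
            // Exception, not Throwable: JVM Errors (OutOfMemoryError, NoClassDefFoundError, ...)
            // should propagate rather than be reported as a bad ciphertext.
            throw new ConfigEncryptionException("Failed to decrypt value using AES. Returning clear text value as is: " + str, e);
        }
    }

    /**
     * Resolves the master password from the environment, falling back to MicroProfile config.
     *
     * <p>When {@code requireEncryption} is {@code true}, a password found only in configuration is
     * ignored with a warning: a clear-text master password next to the values it protects defeats
     * the purpose, so it must then come from the environment.
     *
     * <p>Package-private in the upstream source (access widened by the decompiler).
     *
     * @param requireEncryption whether encryption is mandatory for this configuration
     * @param config            MicroProfile config to consult after the environment
     * @return the password, or empty if none is acceptable
     */
    public static Optional<char[]> resolveMasterPassword(boolean requireEncryption, Config config) {
        Optional<char[]> password = getEnv(ConfigProperties.MASTER_PASSWORD_ENV_VARIABLE)
                .or(() -> {
                    Optional<String> fromConfig =
                            config.getOptionalValue(ConfigProperties.MASTER_PASSWORD_CONFIG_KEY, String.class);
                    if (fromConfig.isPresent() && requireEncryption) {
                        LOGGER.log(System.Logger.Level.WARNING, CLEAR_TEXT_MASTER_PASSWORD_WARNING);
                        return Optional.empty();
                    }
                    return fromConfig;
                })
                .map(String::toCharArray);
        logIfMasterPasswordMissing(password);
        return password;
    }

    /**
     * Resolves the master password from the environment, falling back to Helidon config.
     *
     * <p>Same rules as {@link #resolveMasterPassword(boolean, Config)}: a clear-text password in
     * configuration is ignored with a warning when encryption is required.
     *
     * <p>Package-private in the upstream source (access widened by the decompiler).
     *
     * @param requireEncryption whether encryption is mandatory for this configuration
     * @param config            Helidon config to consult after the environment
     * @return the password, or empty if none is acceptable
     */
    public static Optional<char[]> resolveMasterPassword(boolean requireEncryption, io.helidon.config.Config config) {
        Optional<char[]> password = getEnv(ConfigProperties.MASTER_PASSWORD_ENV_VARIABLE)
                .or(() -> {
                    ConfigValue<String> fromConfig = config.get(ConfigProperties.MASTER_PASSWORD_CONFIG_KEY).asString();
                    if (fromConfig.isPresent() && requireEncryption) {
                        LOGGER.log(System.Logger.Level.WARNING, CLEAR_TEXT_MASTER_PASSWORD_WARNING);
                        return Optional.empty();
                    }
                    return fromConfig.asOptional();
                })
                .map(String::toCharArray);
        logIfMasterPasswordMissing(password);
        return password;
    }

    /** Emits the shared debug line when no master password could be resolved. */
    private static void logIfMasterPasswordMissing(Optional<char[]> password) {
        if (password.isEmpty()) {
            LOGGER.log(System.Logger.Level.DEBUG, MASTER_PASSWORD_MISSING_DEBUG);
        }
    }

    /**
     * Resolves the RSA private key from MicroProfile config (node {@code security.config.rsa}).
     *
     * <p>Package-private in the upstream source (access widened by the decompiler).
     *
     * @param config MicroProfile config
     * @return the private key, or empty if none is configured
     */
    public static Optional<PrivateKey> resolvePrivateKey(Config config) {
        return resolvePrivateKey(MpConfig.toHelidonConfig(config).get("security.config.rsa"));
    }

    /**
     * Resolves the RSA private key from Helidon config, with environment-variable overrides.
     *
     * <p>The builder is first populated from {@code config}; PEM and keystore settings found in the
     * environment are then applied on top (presumably taking precedence — confirm against
     * {@link Keys.Builder}). A keystore is only configured when its path is present in the
     * environment.
     *
     * <p>Package-private in the upstream source (access widened by the decompiler).
     *
     * @param config Helidon config node describing the key material
     * @return the private key, or empty if none is configured
     */
    public static Optional<PrivateKey> resolvePrivateKey(io.helidon.config.Config config) {
        Keys.Builder builder = Keys.builder();
        builder.config(config);
        builder.pem(pem -> {
            pathFromEnv(ConfigProperties.PRIVATE_KEY_PEM_PATH_ENV_VARIABLE)
                    .ifPresent(path -> pem.key(Resource.create(path)));
            charsFromEnv(ConfigProperties.PRIVATE_KEY_PASS_ENV_VARIABLE).ifPresent(pem::keyPassphrase);
        });
        pathFromEnv(ConfigProperties.PRIVATE_KEYSTORE_PATH_ENV_VARIABLE).ifPresent(path -> builder.keystore(keystore -> {
            keystore.keystore(Resource.create(path));
            getEnv(ConfigProperties.PRIVATE_KEYSTORE_TYPE_ENV_VARIABLE).ifPresent(keystore::type);
            charsFromEnv(ConfigProperties.PRIVATE_KEYSTORE_PASS_ENV_VARIABLE).ifPresent(keystore::passphrase);
            charsFromEnv(ConfigProperties.PRIVATE_KEY_PASS_ENV_VARIABLE).ifPresent(keystore::keyPassphrase);
            getEnv(ConfigProperties.PRIVATE_KEY_ALIAS_ENV_VARIABLE).ifPresent(keystore::keyAlias);
        }));
        Optional<PrivateKey> privateKey = builder.build().privateKey();
        if (privateKey.isEmpty()) {
            LOGGER.log(System.Logger.Level.DEBUG, "Securing properties using asymmetric cipher is not available, as private key is not configured");
        }
        return privateKey;
    }

    /**
     * Reads an environment variable.
     *
     * <p>Only the process environment is consulted ({@link System#getenv(String)}); any system
     * property lookup suggested by the warning texts above would have to happen elsewhere.
     *
     * <p>Package-private in the upstream source (access widened by the decompiler).
     *
     * @param str variable name
     * @return its value, or empty if unset
     */
    public static Optional<String> getEnv(String str) {
        return Optional.ofNullable(System.getenv(str));
    }

    /** Reads an environment variable as a filesystem path. */
    private static Optional<Path> pathFromEnv(String variable) {
        return getEnv(variable).map(value -> Paths.get(value));
    }

    /** Reads an environment variable as a passphrase; the returned array is a fresh copy. */
    private static Optional<char[]> charsFromEnv(String variable) {
        return getEnv(variable).map(String::toCharArray);
    }

    /**
     * Builds a cipher for the legacy AES-128/CBC scheme.
     *
     * <p>Not referenced by any method in this class. The same {@code saltAndIv} bytes serve both as
     * the PBKDF2 salt and as the CBC IV, and the derivation uses HMAC-SHA1 with a 128-bit key —
     * which is why this path is retained only for old payloads rather than used for new ones.
     *
     * @param password  master password; the temporary {@link PBEKeySpec} copy is cleared before return
     * @param saltAndIv 16 bytes used as both salt and IV
     * @param mode      {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @return an initialised cipher
     * @throws ConfigEncryptionException if key derivation or cipher initialisation fails
     */
    private static Cipher cipherLegacy(char[] password, byte[] saltAndIv, int mode) throws ConfigEncryptionException {
        PBEKeySpec keySpec = null;
        try {
            keySpec = new PBEKeySpec(password, saltAndIv, HASH_ITERATIONS, KEY_LENGTH_LEGACY);
            byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(keySpec).getEncoded();
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(mode, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(saltAndIv));
            return cipher;
        } catch (Exception e) {
            throw new ConfigEncryptionException("Failed to prepare a cipher instance", e);
        } finally {
            // PBEKeySpec keeps its own copy of the password; drop it as soon as the key is derived.
            if (keySpec != null) {
                keySpec.clearPassword();
            }
        }
    }
}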
