package io.confluent.kafka.secretregistry.crypto;

import com.amazonaws.services.s3.internal.Constants;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Objects;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.jose4j.mac.MacUtil;

/* loaded from: input_file:io/confluent/kafka/secretregistry/crypto/Hkdf.class */
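/**
 * HMAC-based extract-and-expand key derivation (HKDF, RFC 5869).
 *
 * <p>Typical use is {@link #extract(SecretKey, byte[])} to turn input keying material into a
 * pseudorandom key, followed by {@link #expand(SecretKey, byte[], int)} to derive output bytes
 * from it. Instances hold only the hash choice and an optional JCA {@link Provider}; a fresh
 * {@link Mac} is created per call.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The arrays returned by {@code expand} and the encoded form of the key returned by
 *       {@code extract} are secret key material. This class cannot clear them; the caller
 *       should overwrite them once they are no longer needed.</li>
 *   <li>{@code expand} is deterministic: the same key, {@code info} and length always give the
 *       same output. Use a distinct {@code info} value per purpose to keep derived keys
 *       independent.</li>
 * </ul>
 */
public class Hkdf {
    private static final Hash DEFAULT_HASH = Hash.SHA256;
    private final Hash hash;
    private final Provider provider;

    /**
     * HMAC algorithms supported by {@link Hkdf}, with their output length in bytes.
     *
     * <p>The algorithm names are the standard JCA {@code Mac} names, written as literals so that
     * this key-derivation primitive does not depend on constants owned by unrelated libraries.
     */
    public enum Hash {
        SHA256("HmacSHA256", 32),
        // NOTE(review): kept for compatibility; SHA256 is the default and the better choice
        // for new derivations.
        SHA1("HmacSHA1", 20);

        /** JCA {@code Mac} algorithm name passed to {@link Mac#getInstance}. */
        final String algorithm;
        /** MAC output length in bytes (HashLen in RFC 5869). */
        final int byteLength;

        Hash(String str, int i) {
            if (i <= 0) {
                throw new IllegalArgumentException("byteLength must be positive");
            }
            this.algorithm = str;
            this.byteLength = i;
        }
    }

    private Hkdf(Hash hash, Provider provider) {
        this.hash = hash;
        this.provider = provider;
    }

    /**
     * Creates an instance using HMAC-SHA256 and the default JCA provider lookup.
     *
     * @return a new {@code Hkdf}
     */
    public static Hkdf usingDefaults() {
        return new Hkdf(DEFAULT_HASH, null);
    }

    /**
     * Creates an instance using the given hash and the default JCA provider lookup.
     *
     * @param hash the HMAC algorithm to use; must not be null
     * @return a new {@code Hkdf}
     * @throws NullPointerException if {@code hash} is null
     */
    public static Hkdf usingHash(Hash hash) {
        return new Hkdf(Objects.requireNonNull(hash, "hash must not be null"), null);
    }

    /**
     * Creates an instance using HMAC-SHA256 obtained from a specific JCA provider.
     *
     * @param provider the provider to request the {@code Mac} from; must not be null
     * @return a new {@code Hkdf}
     * @throws NullPointerException if {@code provider} is null
     */
    public static Hkdf usingProvider(Provider provider) {
        return new Hkdf(DEFAULT_HASH, Objects.requireNonNull(provider, "provider must not be null"));
    }

    /**
     * HKDF-Extract: computes {@code HMAC(salt, ikm)} and returns it as a key.
     *
     * @param secretKey the salt, used as the HMAC key; when null, a string of HashLen zero bytes
     *     is used instead (the RFC 5869 default). A random salt such as {@link #randomSalt()}
     *     is preferable where the protocol can carry one.
     * @param bArr the input keying material (IKM); must not be null
     * @return the pseudorandom key, tagged with this instance's HMAC algorithm name
     * @throws NullPointerException if {@code bArr} is null
     * @throws IllegalArgumentException if the salt key is rejected by the {@code Mac}
     */
    public SecretKey extract(SecretKey secretKey, byte[] bArr) {
        Objects.requireNonNull(bArr, "ikm must not be null");
        final SecretKey salt = secretKey != null
                ? secretKey
                : new SecretKeySpec(new byte[this.hash.byteLength], this.hash.algorithm);
        final byte[] prk = initMac(salt).doFinal(bArr);
        try {
            // SecretKeySpec copies the bytes it is given.
            return new SecretKeySpec(prk, this.hash.algorithm);
        } finally {
            // Do not leave a second copy of the pseudorandom key on the heap.
            java.util.Arrays.fill(prk, (byte) 0);
        }
    }

    /**
     * HKDF-Expand: derives {@code i} bytes of output keying material from a pseudorandom key.
     *
     * <p>Computes {@code T(n) = HMAC(key, T(n-1) || info || n)} for {@code n = 1..N} with
     * {@code T(0)} empty, and returns the first {@code i} bytes of {@code T(1) || ... || T(N)}.
     *
     * @param secretKey the pseudorandom key, normally the result of
     *     {@link #extract(SecretKey, byte[])}; must not be null
     * @param bArr optional context / application-specific {@code info}; null is treated as empty
     * @param i the number of output bytes, between 1 and {@code 255 * HashLen} inclusive
     * @return a new array of exactly {@code i} bytes; the caller owns it and should clear it
     *     after use
     * @throws NullPointerException if {@code secretKey} is null
     * @throws IllegalArgumentException if {@code i} is out of range or the key is rejected by
     *     the {@code Mac}
     */
    public byte[] expand(SecretKey secretKey, byte[] bArr, int i) {
        Objects.requireNonNull(secretKey, "key must not be null");
        if (i < 1) {
            throw new IllegalArgumentException("outputLength must be positive");
        }
        final int hashLen = this.hash.byteLength;
        // The block counter is a single octet, which caps the output at 255 blocks.
        if (i > 255 * hashLen) {
            throw new IllegalArgumentException("outputLength must be less than or equal to 255*HashLen");
        }
        final byte[] info = bArr == null ? new byte[0] : bArr;
        final int blockCount = (i + hashLen - 1) / hashLen;
        final byte[] okm = new byte[i];
        final Mac mac = initMac(secretKey);

        byte[] previous = new byte[0];
        int written = 0;
        for (int counter = 1; counter <= blockCount; counter++) {
            // Feed the three parts straight into the MAC instead of concatenating them into a
            // temporary buffer; doFinal() also resets the Mac for the next round.
            mac.update(previous);
            mac.update(info);
            mac.update((byte) counter);
            final byte[] block = mac.doFinal();

            final int take = Math.min(block.length, i - written);
            System.arraycopy(block, 0, okm, written, take);
            written += take;

            // The previous block is no longer needed; wipe it before dropping the reference.
            java.util.Arrays.fill(previous, (byte) 0);
            previous = block;
        }
        // The last block may hold bytes beyond the requested length; wipe it as well.
        java.util.Arrays.fill(previous, (byte) 0);
        return okm;
    }

    /**
     * Generates a random salt of HashLen bytes from a {@link SecureRandom}.
     *
     * @return the salt wrapped as a key tagged with this instance's HMAC algorithm name
     */
    public SecretKey randomSalt() {
        final byte[] salt = new byte[this.hash.byteLength];
        new SecureRandom().nextBytes(salt);
        return new SecretKeySpec(salt, this.hash.algorithm);
    }

    /**
     * Creates a {@link Mac} for the configured algorithm (from the configured provider when one
     * was given) and initialises it with {@code secretKey}.
     *
     * @throws IllegalArgumentException if the key is not valid for the MAC
     * @throws IllegalStateException if the algorithm is not available
     */
    private Mac initMac(SecretKey secretKey) {
        try {
            final Mac mac = this.provider == null
                    ? Mac.getInstance(this.hash.algorithm)
                    : Mac.getInstance(this.hash.algorithm, this.provider);
            mac.init(secretKey);
            return mac;
        } catch (InvalidKeyException e) {
            throw new IllegalArgumentException(e);
        } catch (NoSuchAlgorithmException e) {
            // IllegalStateException is a RuntimeException, so existing catch blocks still match.
            throw new IllegalStateException("MAC algorithm not available: " + this.hash.algorithm, e);
        }
    }
}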
