package io.confluent.kafka.secretregistry.crypto;

import com.google.common.io.BaseEncoding;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/secretregistry/crypto/Cryptor.class */
/**
 * Encrypts and decrypts payloads with AES-GCM and computes HMAC-SHA256 digests. Every working
 * key is expanded from one master {@link SecretKey} through {@code Hkdf}, keyed by an info string.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The AES data key is a function of the master key and the caller-supplied derivation
 *       info only, so every payload encrypted under the same derivation info shares one key
 *       and relies on the random nonce for GCM uniqueness.</li>
 *   <li>No additional authenticated data is passed to the cipher. The derivation info is bound
 *       to a ciphertext only indirectly, through the derived key.</li>
 *   <li>NOTE(review): the HMAC key and the data keys share a single HKDF info namespace
 *       ({@code "hmackey"} versus the caller's derivation info). Confirm callers can never
 *       supply a derivation info equal to the HMAC label; if {@code Hkdf.expand} follows
 *       RFC 5869, that would make the data key overlap with the HMAC key.</li>
 * </ul>
 */
public class Cryptor {
    private static final Logger logger = LoggerFactory.getLogger(Cryptor.class);
    private static final String ENCRYPTION_ALGORITHM = "AES/GCM/NoPadding";
    private static final String KEY_ALGORITHM = "AES";
    /** GCM authentication tag length, in bits. */
    private static final int TAG_BITS = 128;
    /** GCM nonce (IV) length, in bytes. */
    private static final int NONCE_BYTES = 12;
    private static final String HMAC_ALGORITHM = "HmacSHA256";
    /** HKDF info string reserved for the HMAC key. */
    private static final String HMAC_KEY_INFO = "hmackey";
    private static final int HMAC_KEY_BYTES = 32;

    private final SecretKey key;
    private final Provider provider;
    private final SecureRandom random;

    /**
     * Creates a cryptor around a master key.
     *
     * @param secretKey master key from which all working keys are expanded
     * @param provider JCA provider used for HKDF and for the AES-GCM cipher
     * @param secureRandom source of the per-message GCM nonces
     */
    public Cryptor(SecretKey secretKey, Provider provider, SecureRandom secureRandom) {
        this.key = secretKey;
        this.provider = provider;
        this.random = secureRandom;
    }

    /** Direction of a GCM operation, carrying the matching {@link Cipher} opmode constant. */
    public enum Mode {
        ENCRYPT(Cipher.ENCRYPT_MODE),
        DECRYPT(Cipher.DECRYPT_MODE);

        final int cipherMode;

        Mode(int opmode) {
            this.cipherMode = opmode;
        }
    }

    /** Encrypts payloads under the key derived from one fixed derivation info string. */
    public class Encrypter {
        private final String derivationInfo;

        private Encrypter(String info) {
            this.derivationInfo = info;
        }

        /**
         * Encrypts {@code bArr} under a freshly drawn random nonce.
         *
         * <p>GCM loses both confidentiality and integrity if a nonce repeats under the same
         * key. With random 96-bit nonces uniqueness is only probabilistic, so the number of
         * encryptions per derivation info should stay bounded.
         *
         * @param bArr plaintext bytes
         * @return the derivation info, the ciphertext returned by the cipher, and the nonce
         * @throws RuntimeException if the underlying cipher operation fails
         */
        public Encrypted encrypt(byte[] bArr) {
            final byte[] nonce = new byte[NONCE_BYTES];
            Cryptor.this.random.nextBytes(nonce);
            final byte[] ciphertext =
                    Cryptor.this.gcm(Mode.ENCRYPT, this.derivationInfo, nonce, bArr);
            return Encrypted.of(this.derivationInfo, ciphertext, nonce);
        }
    }

    /**
     * Returns an {@link Encrypter} bound to the given derivation info.
     *
     * @param str HKDF info string that selects the data key
     */
    public Encrypter encryptionKeyDerivedFrom(String str) {
        return new Encrypter(str);
    }

    /**
     * Decrypts and authenticates a previously encrypted value.
     *
     * <p>The derivation info, nonce and ciphertext are all read from {@code encrypted}. A wrong
     * key, a wrong derivation info, or a modified nonce or ciphertext fails GCM tag verification
     * and surfaces as a {@link RuntimeException}; no plaintext is returned in that case.
     * NOTE(review): the nonce length is not checked here against the 12 bytes used on
     * encryption; confirm whether stored values are validated before they reach this method.
     *
     * @param encrypted value carrying derivation info, nonce and ciphertext
     * @return the decrypted bytes
     * @throws RuntimeException wrapping the cipher failure, including authentication failure
     */
    public byte[] decrypt(Encrypted encrypted) {
        final String info = encrypted.derivationInfo();
        final byte[] nonce = encrypted.ivBytes();
        final byte[] ciphertext = encrypted.contentBytes();
        return gcm(Mode.DECRYPT, info, nonce, ciphertext);
    }

    /**
     * Computes HMAC-SHA256 over {@code bArr} with a 32-byte key expanded from the master key.
     *
     * <p>Unlike the cipher, the {@link Mac} instance is looked up without {@code this.provider},
     * so the JVM's default provider order decides which implementation is used.
     *
     * @param bArr bytes to authenticate
     * @return the MAC as upper-case hexadecimal, or {@code null} when the MAC cannot be set up;
     *     callers must handle {@code null} as a failure and, when verifying a received value,
     *     should compare in constant time (for example {@code MessageDigest.isEqual})
     */
    public String computeHmac(byte[] bArr) {
        // Key expansion happens outside the try block: its failures propagate to the caller.
        final SecretKey macKey = deriveKey(HMAC_KEY_BYTES, HMAC_KEY_INFO);
        try {
            final Mac mac = Mac.getInstance(HMAC_ALGORITHM);
            mac.init(macKey);
            final byte[] tag = mac.doFinal(bArr);
            return BaseEncoding.base16().encode(tag);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            logger.warn("Error computing HMAC: ", e);
            return null;
        }
    }

    /**
     * Expands the master key into a working key of {@code lengthBytes} bytes for {@code info}.
     * The result is always labelled {@code "AES"}, including when it is used as an HMAC key.
     */
    private SecretKey deriveKey(int lengthBytes, String info) {
        final byte[] keyBytes = Hkdf.usingProvider(this.provider)
                .expand(this.key, info.getBytes(StandardCharsets.UTF_8), lengthBytes);
        return new SecretKeySpec(keyBytes, KEY_ALGORITHM);
    }

    /**
     * Runs one AES-GCM operation with a 128-bit tag under the key derived from {@code str}.
     *
     * <p>The derived key length is taken from {@code cipher.getBlockSize()}, which is 16 bytes
     * for AES, so the data key is AES-128 whatever the length of the master key. The decompiler
     * reports that this method was {@code private} in the original class file.
     *
     * @param mode encrypt or decrypt
     * @param str HKDF info string selecting the data key
     * @param bArr GCM nonce
     * @param bArr2 plaintext when encrypting, ciphertext when decrypting
     * @return the cipher output
     * @throws RuntimeException wrapping any checked cipher failure; on decryption this includes
     *     tag mismatch, which the JCA reports as a {@link BadPaddingException} subclass
     */
    public byte[] gcm(Mode mode, String str, byte[] bArr, byte[] bArr2) {
        try {
            final Cipher cipher = Cipher.getInstance(ENCRYPTION_ALGORITHM, this.provider);
            final int opmode = mode.cipherMode;
            final SecretKey dataKey = deriveKey(cipher.getBlockSize(), str);
            final GCMParameterSpec gcmSpec = new GCMParameterSpec(TAG_BITS, bArr);
            cipher.init(opmode, dataKey, gcmSpec);
            return cipher.doFinal(bArr2);
        } catch (InvalidAlgorithmParameterException
                | InvalidKeyException
                | NoSuchAlgorithmException
                | BadPaddingException
                | IllegalBlockSizeException
                | NoSuchPaddingException e) {
            throw new RuntimeException(e);
        }
    }
}
