package io.confluent.kafka.security.config.provider;

import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.kafka.common.config.ConfigException;
import org.jose4j.jwe.SimpleAeadCipher;
import org.jose4j.keys.AesKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/security/config/provider/DecryptionEngine.class */
public class DecryptionEngine {
    public static final int GCM_TAG_LENGTH = 128;
    private final Logger log = LoggerFactory.getLogger(getClass());
    private byte[] dataEncryptionKey;
    private String masterKey;
    private int dataKeyLength;
    public static final Pattern CIPHER_PATTERN = Pattern.compile("ENC\\[(.*?),data:(.*?),iv:(.*?),type:(.*?)(.*?)\\]");

    public DecryptionEngine(String str, String str2, String str3) throws Exception {
        try {
            this.masterKey = loadMasterKey(str);
            this.dataEncryptionKey = loadDataKey(str2);
            this.dataKeyLength = Integer.parseInt(str3);
        } catch (Exception e) {
            this.log.error("Failed to initialize the decryption engine", (Throwable) e);
            throw new ConfigException("Failed to initialize the decryption engine", e);
        }
    }

    private byte[] base64Decode(String str) throws Exception {
        return Base64.getDecoder().decode(str.getBytes());
    }

    private Key convertByteArrKeyToAESKey(byte[] bArr) {
        return new SecretKeySpec(bArr, AesKey.ALGORITHM);
    }

    protected String loadMasterKey(String str) {
        String str2 = System.getenv(str);
        if (str2 != null) {
            return str2;
        }
        this.log.error("Failed to load master key from environment variable.");
        throw new ConfigException("Failed to load master key from environment variable.");
    }

    private byte[] loadDataKey(String str) throws Exception {
        try {
            return base64Decode(decryptWithMasterKey(str));
        } catch (Exception e) {
            this.log.error("Failed to unwrap the data key", (Throwable) e);
            throw new ConfigException("Failed to unwrap the data key", e);
        }
    }

    private AlgorithmParameterSpec getAlgorithmSpec(String str, byte[] bArr) throws Exception {
        AlgorithmParameterSpec gCMParameterSpec;
        boolean z = -1;
        switch (str.hashCode()) {
            case -1593046894:
                if (str.equals("AES/CBC/PKCS5Padding")) {
                    z = false;
                    break;
                }
                break;
            case -1183691157:
                if (str.equals("AES/OFB/PKCS5Padding")) {
                    z = 2;
                    break;
                }
                break;
            case 403528690:
                if (str.equals(SimpleAeadCipher.GCM_TRANSFORMATION_NAME)) {
                    z = 3;
                    break;
                }
                break;
            case 647751671:
                if (str.equals("AES/CFB/PKCS5Padding")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
            case true:
                gCMParameterSpec = new IvParameterSpec(bArr);
                break;
            case true:
                gCMParameterSpec = new GCMParameterSpec(128, bArr);
                break;
            default:
                throw new NoSuchAlgorithmException("Algorithm not supported !!!");
        }
        return gCMParameterSpec;
    }

    public String decryptWithMasterKey(String str) throws Exception {
        return decrypt(str, base64Decode(this.masterKey));
    }

    public String decryptWithDEK(String str) throws Exception {
        return decrypt(str, this.dataEncryptionKey);
    }

    private String decrypt(String str, byte[] bArr) throws Exception {
        Matcher matcher = CIPHER_PATTERN.matcher(str);
        if (!matcher.matches()) {
            throw new ConfigException("Invalid cipher.");
        }
        String group = matcher.group(1);
        String group2 = matcher.group(2);
        String group3 = matcher.group(3);
        Cipher cipher = Cipher.getInstance(group);
        cipher.init(2, convertByteArrKeyToAESKey(bArr), getAlgorithmSpec(group, base64Decode(group3)));
        return new String(cipher.doFinal(base64Decode(group2)));
    }
}
