package com.atlassian.secrets.service.aes;

import com.atlassian.secrets.api.SealedSecret;
import com.atlassian.secrets.api.SecretService;
import com.atlassian.secrets.api.SecretServiceException;
import com.atlassian.secrets.service.EncryptionBasedSecret;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/secrets/service/aes/AESSecretService.class */
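/**
 * {@link SecretService} backed by AES/GCM with a raw key read from a file.
 *
 * <p>{@link #seal} encrypts the UTF-8 bytes of the value under a fresh random 96-bit IV and
 * returns an {@link EncryptionBasedSecret} carrying the ciphertext (with GCM tag), the IV, the
 * algorithm name and a SHA-256 fingerprint of the key. {@link #unseal} checks the fingerprint
 * and algorithm before decrypting, so a secret sealed under another key is rejected with a
 * clear message rather than a bad-tag error.
 *
 * <p>Security notes:
 * <ul>
 *   <li>GCM with random 96-bit IVs is only safe while the number of encryptions under one key
 *       stays well below 2^32 (NIST SP 800-38D); rotate the key before that volume is
 *       plausible. An IV must never repeat under the same key.</li>
 *   <li>The fingerprint embedded in every sealed secret is a plain SHA-256 of the raw key
 *       bytes. That is acceptable only because keys are high-entropy random bytes (see
 *       {@link #generateDefaultKey}); never point this class at a low-entropy key file.</li>
 *   <li>{@link Cipher} objects are stateful and not thread-safe, so one is created per
 *       operation; an instance of this class may therefore be shared between threads.</li>
 *   <li>The key file is the root of trust: {@link #generateDefaultKey} creates it with
 *       owner-only permissions where the file system supports POSIX permissions.</li>
 * </ul>
 */
public class AESSecretService implements SecretService {
    public static final String AES_ALGORITHM = "AES";
    public static final String ALGORITHM_SPECIFICATION = "AES/GCM/NoPadding";
    /** GCM IV length in bytes; 96 bits is the size GCM is specified for and needs no GHASH pre-processing. */
    public static final int IV_LENGTH = 12;
    /** Key size in bits used by {@link #generateDefaultKey}. */
    public static final int MAX_AES_KEY_SIZE = 256;
    /** GCM authentication tag length in bits. */
    public static final int TAG_LENGTH = 128;
    private static final Logger log = LoggerFactory.getLogger(AESSecretService.class);
    /** Shared RNG for IVs; {@link SecureRandom} is thread-safe, so one instance suffices. */
    private static final SecureRandom RANDOM = new SecureRandom();
    /** Permissions requested for a freshly generated key file (owner read/write only). */
    private static final String KEY_FILE_PERMISSIONS = "rw-------";

    private final SecretKey key;
    /** SHA-256 of the raw key bytes; stored in each sealed secret to identify the sealing key. */
    private final byte[] keyHash;
    private final GeneratedIv generatedIv;

    /**
     * Source of IVs for {@link #seal}. Package-private so tests can pin the IV; production code
     * must use {@link AESSecretService#generateIV()} — a fixed or repeated IV under GCM
     * destroys both confidentiality and integrity of every secret sealed with that key.
     */
    @FunctionalInterface
    interface GeneratedIv {
        byte[] get();
    }

    /**
     * Creates a service whose key is read from the file named by {@code aESConfig.getKey()},
     * using random IVs.
     *
     * @throws SecretServiceException if the key file cannot be read, has an invalid AES key
     *         length, or the configured provider does not support {@value #ALGORITHM_SPECIFICATION}
     */
    public AESSecretService(AESConfig aESConfig) throws SecretServiceException {
        this(aESConfig, AESSecretService::generateIV);
    }

    /**
     * As {@link #AESSecretService(AESConfig)} but with an injectable IV source (for tests).
     *
     * @throws SecretServiceException see the one-argument constructor
     */
    public AESSecretService(AESConfig aESConfig, GeneratedIv generatedIv) throws SecretServiceException {
        this.generatedIv = Objects.requireNonNull(generatedIv, "generatedIv");
        byte[] rawKey;
        try {
            rawKey = Files.readAllBytes(Paths.get(aESConfig.getKey()));
        } catch (IOException e) {
            throw new SecretServiceException(e);
        }
        // SecretKeySpec accepts any length; reject bad keys here with a clear message instead of
        // surfacing an InvalidKeyException on the first seal/unseal.
        if (rawKey.length != 16 && rawKey.length != 24 && rawKey.length != 32) {
            Arrays.fill(rawKey, (byte) 0);
            throw new SecretServiceException(
                    "AES key file must contain exactly 16, 24 or 32 raw key bytes but contains " + rawKey.length);
        }
        try {
            this.key = new SecretKeySpec(rawKey, AES_ALGORITHM);
            this.keyHash = calculateSha256(rawKey);
            // Probe the provider once so a missing algorithm/padding fails at construction.
            newCipher();
        } catch (GeneralSecurityException e) {
            throw new SecretServiceException(e);
        } finally {
            // SecretKeySpec copied the bytes; do not leave a second copy of the key in the heap.
            Arrays.fill(rawKey, (byte) 0);
        }
    }

    /**
     * Generates a random 256-bit AES key and writes it as raw bytes to a new, uniquely named
     * file under {@code path}, creating the directory if needed.
     *
     * <p>The file is created with owner-only permissions on POSIX file systems before the key
     * bytes are written, so the key is never readable under the process umask. On file systems
     * without POSIX permissions (e.g. Windows) a warning is logged and the platform default ACL
     * applies — review it.
     *
     * @param path directory that will hold the key file
     * @return absolute path of the created key file
     * @throws SecretServiceException if the key cannot be generated or the file cannot be written
     */
    public static String generateDefaultKey(Path path) {
        try {
            byte[] keyBytes = generateSecretKey().getEncoded();
            try {
                Files.createDirectories(path);
                Path keyFile = path.resolve("AES-" + UUID.randomUUID());
                createOwnerOnlyFile(keyFile);
                Files.write(keyFile, keyBytes);
                return keyFile.toAbsolutePath().toString();
            } finally {
                Arrays.fill(keyBytes, (byte) 0);
            }
        } catch (SecretServiceException e) {
            // Already the right type (from generateSecretKey); don't double-wrap.
            throw e;
        } catch (Exception e) {
            log.error("Problem when trying to write the default AES encryption key file.");
            throw new SecretServiceException("Problem when trying to write the default AES encryption key file.", e);
        }
    }

    /**
     * Creates {@code keyFile} empty, requesting {@value #KEY_FILE_PERMISSIONS} atomically at
     * creation time. Falls back to a plain create (with a warning) where POSIX permissions are
     * unsupported. Fails with {@link java.nio.file.FileAlreadyExistsException} rather than
     * silently overwriting an existing file.
     */
    private static void createOwnerOnlyFile(Path keyFile) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString(KEY_FILE_PERMISSIONS);
        try {
            Files.createFile(keyFile, PosixFilePermissions.asFileAttribute(ownerOnly));
        } catch (UnsupportedOperationException e) {
            log.warn("File system does not support POSIX permissions; AES key file {} was created with default "
                    + "permissions - restrict its ACL manually.", keyFile);
            Files.createFile(keyFile);
        }
    }

    /**
     * Encrypts {@code str2} under the configured key with a fresh IV.
     *
     * @param str  identifier stored with the secret (it is logged; the value is not)
     * @param str2 plaintext value, encoded as UTF-8
     * @return the sealed secret carrying ciphertext, IV, algorithm and key fingerprint
     * @throws SecretServiceException if encryption fails
     */
    @Override
    public SealedSecret seal(String str, String str2) throws SecretServiceException {
        Objects.requireNonNull(str2, "secret value must not be null");
        try {
            byte[] iv = this.generatedIv.get();
            Cipher cipher = newCipher();
            cipher.init(Cipher.ENCRYPT_MODE, this.key, new GCMParameterSpec(TAG_LENGTH, iv));
            byte[] ciphertext = cipher.doFinal(str2.getBytes(StandardCharsets.UTF_8));
            log.info("Sealing secret with identifier: {}", str);
            return new EncryptionBasedSecret(str, ALGORITHM_SPECIFICATION, ciphertext, iv, this.keyHash);
        } catch (GeneralSecurityException e) {
            throw new SecretServiceException("Error when sealing the secret", e);
        }
    }

    /**
     * Decrypts a secret previously produced by {@link #seal} with the same key.
     *
     * @param sealedSecret must be an {@link EncryptionBasedSecret}
     * @return the plaintext, decoded as UTF-8 (the encoding {@link #seal} used)
     * @throws SecretServiceException if the secret is of the wrong type, was sealed under a
     *         different key or algorithm, is missing its IV or ciphertext, or fails
     *         authentication/decryption
     */
    @Override
    public String unseal(SealedSecret sealedSecret) throws SecretServiceException {
        if (!(sealedSecret instanceof EncryptionBasedSecret)) {
            throw new SecretServiceException("Expecting encrypted secret but secret identifier was passed in");
        }
        EncryptionBasedSecret secret = (EncryptionBasedSecret) sealedSecret;
        // Constant-time compare: the fingerprint is not itself secret, but there is no reason
        // to leak how many leading bytes of another key's hash match ours.
        if (!MessageDigest.isEqual(secret.getKeyHash(), this.keyHash)) {
            throw new SecretServiceException("This secret cannot be decrypted with the configured encryption key");
        }
        if (!ALGORITHM_SPECIFICATION.equals(secret.getAlgorithm())) {
            throw new SecretServiceException(String.format("This secret cannot be decrypted with the %s algorithm", ALGORITHM_SPECIFICATION));
        }
        byte[] iv = secret.getIv();
        byte[] ciphertext = secret.getEncryptedData();
        // GCMParameterSpec/doFinal throw unchecked exceptions on null/empty input; turn those
        // into the checked, descriptive failure callers already handle.
        if (iv == null || iv.length == 0 || ciphertext == null) {
            throw new SecretServiceException("Sealed secret is missing its IV or encrypted data");
        }
        try {
            Cipher cipher = newCipher();
            cipher.init(Cipher.DECRYPT_MODE, this.key, new GCMParameterSpec(TAG_LENGTH, iv));
            log.info("Unsealing secret.");
            // Tag verification happens inside doFinal; a tampered IV, ciphertext or tag raises
            // AEADBadTagException (a GeneralSecurityException) and is wrapped below.
            byte[] plaintext = cipher.doFinal(ciphertext);
            return new String(plaintext, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new SecretServiceException("Error when unsealing the secret", e);
        }
    }

    /** New {@link Cipher} from the configured provider; never shared because Cipher is not thread-safe. */
    private static Cipher newCipher() throws GeneralSecurityException {
        return Cipher.getInstance(ALGORITHM_SPECIFICATION, SecurityProvider.get());
    }

    /** Generates a random {@value #MAX_AES_KEY_SIZE}-bit AES key using the configured provider. */
    private static SecretKey generateSecretKey() {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(AES_ALGORITHM, SecurityProvider.get());
            keyGenerator.init(MAX_AES_KEY_SIZE);
            // Return the SecretKey as-is: casting to SecretKeySpec depends on provider internals.
            return keyGenerator.generateKey();
        } catch (GeneralSecurityException e) {
            throw new SecretServiceException("Error when generating the AES key", e);
        }
    }

    /** Returns a fresh random {@value #IV_LENGTH}-byte GCM IV. */
    public static byte[] generateIV() {
        byte[] iv = new byte[IV_LENGTH];
        RANDOM.nextBytes(iv);
        return iv;
    }

    /** SHA-256 of {@code bArr}, used as the key fingerprint stored with each sealed secret. */
    private static byte[] calculateSha256(byte[] bArr) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(bArr);
    }
}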
