package hudson.util;

import hudson.Util;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import jenkins.model.Jenkins;
import jenkins.security.CryptoConfidentialKey;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.406-rc33703.f91ed2ca_a_f69.jar:hudson/util/HistoricalSecrets.class */
public class HistoricalSecrets {
    static final String MAGIC = "::::MAGIC::::";

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Secret decrypt(String str, CryptoConfidentialKey cryptoConfidentialKey) throws IOException, GeneralSecurityException {
        try {
            byte[] decode = Base64.getDecoder().decode(str.getBytes(StandardCharsets.UTF_8));
            Secret tryDecrypt = tryDecrypt(cryptoConfidentialKey.decrypt(), decode);
            if (tryDecrypt != null) {
                return tryDecrypt;
            }
            Cipher cipher = Secret.getCipher("AES");
            cipher.init(2, getLegacyKey());
            return tryDecrypt(cipher, decode);
        } catch (IllegalArgumentException e) {
            throw new IOException("Could not decode secret", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Secret tryDecrypt(Cipher cipher, byte[] bArr) {
        try {
            String str = new String(cipher.doFinal(bArr), StandardCharsets.UTF_8);
            if (str.endsWith(MAGIC)) {
                return new Secret(str.substring(0, str.length() - MAGIC.length()));
            }
            return null;
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Deprecated
    public static SecretKey getLegacyKey() throws GeneralSecurityException {
        if (Secret.SECRET != null) {
            return Util.toAes128Key(Secret.SECRET);
        }
        Jenkins instanceOrNull = Jenkins.getInstanceOrNull();
        return instanceOrNull != null ? instanceOrNull.getSecretKeyAsAES128() : Util.toAes128Key("mock");
    }
}
