package com.symphony.bdk.workflow.engine.secret;

import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.function.Function;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.scheduling.annotation.Scheduled;

/* loaded from: input_file:com/symphony/bdk/workflow/engine/secret/SecretCryptVault.class */
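/**
 * Versioned AES-GCM vault used to encrypt and decrypt secret values.
 *
 * <p>Each key is registered under a version number in the range 0-255. The output of
 * {@link #encrypt(int, byte[])} is laid out as:
 *
 * <pre>
 *   [ 1 byte: version - 128 ][ 12 bytes: random nonce ][ ciphertext followed by the 128-bit GCM tag ]
 * </pre>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>A fresh 96-bit nonce is drawn from {@link SecureRandom} for every encryption. GCM loses
 *       both confidentiality and integrity if a nonce repeats under the same key; with random
 *       nonces NIST SP 800-38D bounds a key to 2^32 encryptions, so long-lived keys should be
 *       rotated by registering a new version.</li>
 *   <li>The version byte is not passed to the cipher as associated data. It only selects the key;
 *       a modified version byte selects a different (or no) key, and the GCM tag check is then
 *       performed under that key.</li>
 *   <li>The cipher transformation is always {@code AES/GCM/NoPadding}; {@link CryptVersion#cipher}
 *       is stored but not consulted by this class.</li>
 * </ul>
 *
 * <p>Registration methods are not synchronized; NOTE(review): presumably the vault is configured
 * once at start-up before concurrent use - confirm against the wiring code.
 */
public class SecretCryptVault {
    private static final String DEFAULT_CIPHER = "AES/GCM/NoPadding";
    private static final String DEFAULT_ALGORITHM = "AES";
    // Recorded on each CryptVersion; encrypt/decrypt below do not use a salt, only the nonce.
    private static final int DEFAULT_SALT_LENGTH = 8;
    // Nonce (IV) length in bytes.
    private static final int ALGORITHM_NONCE_SIZE = 12;
    // GCM authentication tag length in bits.
    private static final int ALGORITHM_TAG_SIZE = 128;
    // Number of leading bytes that carry the key version.
    private static final int VERSION_HEADER_SIZE = 1;
    private static final int MAX_VERSION = 255;
    private static final int AES_256_KEY_BYTES = 32;

    // volatile: the reference is replaced by the scheduled re-seed method, which may run on a
    // different thread than callers of encrypt().
    private volatile SecureRandom secureRandom = new SecureRandom();
    private final CryptVersion[] cryptVersions = new CryptVersion[MAX_VERSION + 1];
    // -1 means "no key registered yet"; cryptVersion(int) turns that into IllegalStateException.
    private int defaultVersion = -1;

    // Rounds up to the next multiple of 16 that is strictly greater than the input.
    // NOTE(review): encrypt() below actually emits 1 + 12 + input length + 16 bytes, which this
    // function does not describe - confirm what consumers of CryptVersion.encryptedLength expect.
    private static final Function<Integer, Integer> AESLengthCalculator = num -> (num | 15) + 1;

    /** Immutable description of one key version: salt length, cipher name, key and a length function. */
    public static class CryptVersion {
        public final int saltLength;
        public final String cipher;
        public final Key key;
        public final Function<Integer, Integer> encryptedLength;

        /**
         * @param i        salt length in bytes
         * @param str      cipher transformation name
         * @param key      key material for this version
         * @param function maps a plaintext length to an encrypted length
         */
        public CryptVersion(int i, String str, Key key, Function<Integer, Integer> function) {
            this.saltLength = i;
            this.cipher = str;
            this.key = key;
            this.encryptedLength = function;
        }
    }

    /**
     * Registers a 256-bit AES key under the given version.
     *
     * @param i    key version, 0-255
     * @param bArr raw key bytes; must be exactly 32 bytes long
     * @return this vault, for chaining
     * @throws IllegalArgumentException if the key is null or not 32 bytes, or the version is
     *                                  out of range or already registered
     */
    public SecretCryptVault with256BitAesGcmNoPaddingAnd64BitSaltKey(int i, byte[] bArr) {
        if (bArr == null || bArr.length != AES_256_KEY_BYTES) {
            throw new IllegalArgumentException("invalid AES key size; should be 256 bits!");
        }
        Key aesKey = new SecretKeySpec(bArr, DEFAULT_ALGORITHM);
        return withKey(i, new CryptVersion(DEFAULT_SALT_LENGTH, DEFAULT_CIPHER, aesKey, AESLengthCalculator));
    }

    /**
     * Registers a key version. The highest version registered so far becomes the default used by
     * {@link #encrypt(byte[])}. An existing version cannot be overwritten.
     *
     * @param i            key version, 0-255
     * @param cryptVersion key description to store; must not be null
     * @return this vault, for chaining
     * @throws IllegalArgumentException if the version is out of range or already defined, or
     *                                  {@code cryptVersion} is null
     */
    public SecretCryptVault withKey(int i, CryptVersion cryptVersion) {
        if (i < 0 || i > MAX_VERSION) {
            throw new IllegalArgumentException("version must be a byte");
        }
        // A null entry would raise defaultVersion to a slot that later reads as "undefined".
        if (cryptVersion == null) {
            throw new IllegalArgumentException("crypt version must not be null");
        }
        if (this.cryptVersions[i] != null) {
            throw new IllegalArgumentException("version " + i + " is already defined");
        }
        this.cryptVersions[i] = cryptVersion;
        if (i > this.defaultVersion) {
            this.defaultVersion = i;
        }
        return this;
    }

    /**
     * Encrypts with the current default key version.
     *
     * @param bArr plaintext bytes
     * @return version byte, nonce, then ciphertext and tag
     * @throws IllegalStateException if no key has been registered
     */
    public byte[] encrypt(byte[] bArr) {
        return encrypt(this.defaultVersion, bArr);
    }

    /**
     * Encrypts with the key registered under the given version, using a fresh random nonce.
     *
     * @param i    key version, 0-255
     * @param bArr plaintext bytes
     * @return version byte, nonce, then ciphertext and tag
     * @throws IllegalArgumentException if the version is out of range or undefined
     * @throws IllegalStateException    if the version is negative (no key registered)
     * @throws CryptOperationException  if the JCE provider rejects the operation
     */
    public byte[] encrypt(int i, byte[] bArr) {
        CryptVersion cryptVersion = cryptVersion(i);
        byte versionByte = toSignedByte(i);
        try {
            // Never reuse a nonce with the same key: draw a new one for every call.
            byte[] nonce = new byte[ALGORITHM_NONCE_SIZE];
            this.secureRandom.nextBytes(nonce);
            Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER);
            cipher.init(Cipher.ENCRYPT_MODE, cryptVersion.key, new GCMParameterSpec(ALGORITHM_TAG_SIZE, nonce));
            byte[] sealed = cipher.doFinal(bArr);
            byte[] output = new byte[VERSION_HEADER_SIZE + nonce.length + sealed.length];
            output[0] = versionByte;
            System.arraycopy(nonce, 0, output, VERSION_HEADER_SIZE, nonce.length);
            System.arraycopy(sealed, 0, output, VERSION_HEADER_SIZE + nonce.length, sealed.length);
            return output;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new CryptOperationException("JCE exception caught while encrypting with version " + i, e);
        }
    }

    /**
     * Decrypts a payload produced by {@link #encrypt(int, byte[])}. The key is selected from the
     * leading version byte and the GCM tag is verified before any plaintext is returned.
     *
     * @param bArr version byte, nonce, then ciphertext and tag
     * @return the plaintext bytes
     * @throws IllegalArgumentException if the payload is null or too short to hold the version
     *                                  byte and nonce, or the version is undefined
     * @throws CryptOperationException  if the JCE provider rejects the operation, including a
     *                                  failed authentication tag check
     */
    public byte[] decrypt(byte[] bArr) {
        int headerLength = VERSION_HEADER_SIZE + ALGORITHM_NONCE_SIZE;
        // Reject truncated input up front; otherwise the array arithmetic below fails with an
        // exception that the catch clause does not cover.
        if (bArr == null || bArr.length < headerLength) {
            throw new IllegalArgumentException(
                "encrypted payload is too short: expected at least " + headerLength + " bytes");
        }
        int version = fromSignedByte(bArr[0]);
        CryptVersion cryptVersion = cryptVersion(version);
        try {
            Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER);
            // Read the nonce and the ciphertext in place instead of copying them out first.
            GCMParameterSpec gcmSpec =
                new GCMParameterSpec(ALGORITHM_TAG_SIZE, bArr, VERSION_HEADER_SIZE, ALGORITHM_NONCE_SIZE);
            cipher.init(Cipher.DECRYPT_MODE, cryptVersion.key, gcmSpec);
            return cipher.doFinal(bArr, headerLength, bArr.length - headerLength);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new CryptOperationException("JCE exception caught while decrypting with version " + version, e);
        }
    }

    /**
     * Looks up the key description for a version.
     *
     * @throws IllegalStateException    if {@code i} is negative, which is the state of
     *                                  {@code defaultVersion} before any key is registered
     * @throws IllegalArgumentException if {@code i} is above 255 or no key is registered for it
     */
    private CryptVersion cryptVersion(int i) {
        if (i < 0) {
            throw new IllegalStateException("encryption keys are not initialized");
        }
        if (i > MAX_VERSION) {
            throw new IllegalArgumentException("version must be a byte (0-255)");
        }
        CryptVersion registered = this.cryptVersions[i];
        if (registered == null) {
            throw new IllegalArgumentException("version " + i + " undefined");
        }
        return registered;
    }

    /**
     * Selects which registered version {@link #encrypt(byte[])} uses.
     *
     * @param i key version, 0-255; must already be registered
     * @return this vault, for chaining
     * @throws IllegalArgumentException if the version is out of range or undefined
     */
    public SecretCryptVault withDefaultKeyVersion(int i) {
        if (i < 0 || i > MAX_VERSION) {
            throw new IllegalArgumentException("version must be a byte");
        }
        if (this.cryptVersions[i] == null) {
            throw new IllegalArgumentException("version " + i + " is undefined");
        }
        this.defaultVersion = i;
        return this;
    }

    /**
     * Replaces the {@link SecureRandom} instance so that a newly seeded generator is used for
     * subsequent nonces. Annotated to run every 3,600,000 ms (one hour).
     * NOTE(review): the schedule only fires if this object is managed by a scheduler that honours
     * the annotation - confirm in the application configuration.
     */
    @Scheduled(initialDelay = 3600000, fixedDelay = 3600000)
    public void reInitSecureRandomHourly() {
        this.secureRandom = new SecureRandom();
    }

    /**
     * Maps a version in 0-255 onto the signed byte range by subtracting 128.
     *
     * @param i version number; values outside 0-255 wrap around in the narrowing cast
     * @return the byte stored at the start of an encrypted payload
     */
    public static byte toSignedByte(int i) {
        return (byte) (i - 128);
    }

    /**
     * Inverse of {@link #toSignedByte(int)}: maps a stored byte back to a version in 0-255.
     *
     * @param b leading byte of an encrypted payload
     * @return the version number
     */
    public static int fromSignedByte(byte b) {
        return b - Byte.MIN_VALUE;
    }
}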
