package io.digdag.core.database;

import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import io.digdag.core.crypto.SecretCrypto;
import io.digdag.core.crypto.SecretCryptoException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:io/digdag/core/database/AESGCMSecretCrypto.class */
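/**
 * {@link SecretCrypto} implementation that protects secrets with AES-128 in GCM mode.
 *
 * <p>Serialized form (Base64 of the following, integers big-endian as written by
 * {@link ByteBuffer}):
 * <pre>
 *   "aesgcm" (UTF-8) | int version | int term | 12-byte nonce | GCM ciphertext + 16-byte tag
 * </pre>
 * The GCM plaintext is {@code int length | UTF-8 bytes | zero padding}, padded up to a multiple
 * of 16 bytes, so the ciphertext size reveals the secret's length only to 16-byte granularity.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>Every encryption draws a fresh random 96-bit nonce under one fixed key. NIST SP 800-38D
 *       bounds random-IV GCM at 2^32 invocations per key; this class keeps no counter and has no
 *       rotation path (the term field is always 1), so the limit must be enforced operationally.
 *   <li>The name/version/term header is compared against constants but is not supplied to the
 *       cipher as additional authenticated data, so the tag does not cover it. Binding it would
 *       change the tag for existing records and therefore needs a new format version.
 *   <li>Versions 1 and 2 are parsed identically here; only version 2 is written.
 * </ul>
 */
public class AESGCMSecretCrypto implements SecretCrypto {
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    private static final String NAME = "aesgcm";
    private static final byte[] NAME_BYTES = NAME.getBytes(StandardCharsets.UTF_8);

    private static final int AES_KEY_SIZE = 128;       // bits
    private static final int GCM_NONCE_LENGTH = 12;    // bytes
    private static final int GCM_TAG_LENGTH = 16;      // bytes
    private static final int TERM = 1;
    private static final int VERSION_1 = 1;
    private static final int VERSION_2 = 2;
    private static final int RECORD_SIZE_ALIGNMENT = 16;
    private static final int MAX_PLAINTEXT_LENGTH = 16384;
    private static final int LENGTH_SIZE = 4;
    private static final int NAME_SIZE = NAME_BYTES.length;
    private static final int TERM_SIZE = 4;
    private static final int VERSION_SIZE = 4;
    private static final int WRAPPING_SIZE = NAME_SIZE + VERSION_SIZE + TERM_SIZE + GCM_NONCE_LENGTH;

    private final SecretKey sharedSecret;

    /**
     * Creates an engine from a Base64-encoded 128-bit AES key.
     *
     * @param str Base64 text of the raw key bytes
     * @throws IllegalArgumentException if the text is not valid Base64 or does not decode to
     *     exactly 16 bytes
     */
    public AESGCMSecretCrypto(String str) {
        byte[] keyBytes = Base64.getDecoder().decode(str);
        // The message deliberately carries no key material.
        Preconditions.checkArgument(
                keyBytes.length * 8 == AES_KEY_SIZE, "Shared secret must be 128 bits");
        this.sharedSecret = new SecretKeySpec(keyBytes, "AES");
    }

    /**
     * Encrypts a secret and returns the Base64 record described on the class.
     *
     * @param str the secret text; at most {@code MAX_PLAINTEXT_LENGTH} bytes once UTF-8 encoded
     * @return Base64 text of header, nonce, ciphertext and tag
     * @throws IllegalArgumentException if the text is too long
     */
    @Override
    public String encryptSecret(String str) {
        // Cheap early exit: UTF-8 never uses fewer bytes than the string has chars.
        if (str.length() > MAX_PLAINTEXT_LENGTH) {
            throw new IllegalArgumentException("Too long text");
        }
        byte[] plainBytes = str.getBytes(StandardCharsets.UTF_8);
        if (plainBytes.length > MAX_PLAINTEXT_LENGTH) {
            throw new IllegalArgumentException("Too long text");
        }

        // Length-prefixed record, zero padded up to the next multiple of the alignment.
        int recordSize = RECORD_SIZE_ALIGNMENT
                * ((LENGTH_SIZE + plainBytes.length + RECORD_SIZE_ALIGNMENT - 1) / RECORD_SIZE_ALIGNMENT);
        byte[] record = new byte[recordSize];
        ByteBuffer recordBuffer = ByteBuffer.wrap(record);
        recordBuffer.putInt(plainBytes.length);
        recordBuffer.put(plainBytes);

        // A nonce must never repeat under the same key; it is drawn fresh for every call.
        byte[] nonce = generateNonce();
        Cipher cipher = cipher(Cipher.ENCRYPT_MODE, this.sharedSecret, nonce);
        try {
            byte[] cipherBytes = cipher.doFinal(record);
            byte[] wrapped = new byte[WRAPPING_SIZE + cipherBytes.length];
            ByteBuffer out = ByteBuffer.wrap(wrapped);
            out.put(NAME_BYTES);
            out.putInt(VERSION_2);
            out.putInt(TERM);
            out.put(nonce);
            out.put(cipherBytes);
            assert out.remaining() == 0;
            return Base64.getEncoder().encodeToString(wrapped);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Decrypts a record produced by {@link #encryptSecret(String)}.
     *
     * @param str Base64 text of header, nonce, ciphertext and tag
     * @return the secret text
     * @throws IllegalArgumentException if the record is malformed (bad Base64, size, engine name,
     *     version, term or embedded length)
     * @throws SecretCryptoException if GCM tag verification fails, i.e. the ciphertext was
     *     modified or a different key was used
     */
    @Override
    public String decryptSecret(String str) {
        byte[] raw = Base64.getDecoder().decode(str);
        Preconditions.checkArgument(raw.length >= WRAPPING_SIZE + GCM_TAG_LENGTH, "Bad size");
        ByteBuffer in = ByteBuffer.wrap(raw);

        byte[] name = new byte[NAME_SIZE];
        in.get(name);
        if (!Arrays.equals(NAME_BYTES, name)) {
            throw new IllegalArgumentException("Crypto engine mismatch");
        }
        int version = in.getInt();
        if (version != VERSION_1 && version != VERSION_2) {
            throw new IllegalArgumentException("Bad version");
        }
        if (in.getInt() != TERM) {
            throw new IllegalArgumentException("Bad term");
        }
        byte[] nonce = new byte[GCM_NONCE_LENGTH];
        in.get(nonce);

        try {
            // doFinal verifies the tag before any plaintext is returned.
            byte[] recordBytes = cipher(Cipher.DECRYPT_MODE, this.sharedSecret, nonce)
                    .doFinal(raw, in.position(), in.remaining());
            // A record holding only a tag decrypts to zero bytes; report that as a bad length
            // instead of letting getInt() raise BufferUnderflowException.
            if (recordBytes.length < LENGTH_SIZE) {
                throw new IllegalArgumentException("Bad length");
            }
            ByteBuffer record = ByteBuffer.wrap(recordBytes);
            int length = record.getInt();
            // NOTE(review): the original bounds check admitted -1, which decoded to an empty
            // string through Buffer.limit clamping. Nothing in this class writes -1; the case is
            // kept explicit for compatibility until it is confirmed that no stored record relies
            // on it, after which it should be rejected like any other negative length.
            if (length == -1) {
                return "";
            }
            if (length < 0 || length > MAX_PLAINTEXT_LENGTH || length > record.remaining()) {
                throw new IllegalArgumentException("Bad length");
            }
            record.limit(record.position() + length);
            return StandardCharsets.UTF_8.decode(record).toString();
        } catch (AEADBadTagException e) {
            // Must precede BadPaddingException, its superclass.
            throw new SecretCryptoException(e);
        } catch (BadPaddingException | IllegalBlockSizeException e2) {
            throw Throwables.propagate(e2);
        }
    }

    /** Returns the engine name, {@code "aesgcm"}, which is also the record prefix. */
    @Override
    public String getName() {
        return NAME;
    }

    /**
     * Builds an initialized AES/GCM cipher.
     *
     * @param i {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @param secretKey the AES key
     * @param bArr the 12-byte nonce
     */
    private Cipher cipher(int i, SecretKey secretKey, byte[] bArr) {
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            // GCMParameterSpec takes the tag length in bits. It was previously passed as
            // AES_KEY_SIZE, which is only numerically equal to the 128-bit tag.
            cipher.init(i, secretKey, new GCMParameterSpec(GCM_TAG_LENGTH * 8, bArr));
            return cipher;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException
                | NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw Throwables.propagate(e);
        }
    }

    /** Returns {@code GCM_NONCE_LENGTH} fresh bytes from the shared {@link SecureRandom}. */
    private byte[] generateNonce() {
        byte[] nonce = new byte[GCM_NONCE_LENGTH];
        SECURE_RANDOM.nextBytes(nonce);
        return nonce;
    }
}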
