package de.saly.kafka.crypto;

import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:de/saly/kafka/crypto/SerdeCryptoBase.class */
public abstract class SerdeCryptoBase {
    public static final String CRYPTO_RSA_PRIVATEKEY_FILEPATH = "crypto.rsa.privatekey.filepath";
    public static final String CRYPTO_RSA_PUBLICKEY_FILEPATH = "crypto.rsa.publickey.filepath";
    public static final String CRYPTO_HASH_METHOD = "crypto.hash_method";
    public static final String CRYPTO_IGNORE_DECRYPT_FAILURES = "crypto.ignore_decrypt_failures";
    public static final String CRYPTO_AES_KEY_LEN = "crypto.aes.key_len";
    protected static final String DEFAULT_TRANSFORMATION = "AES/CBC/PKCS5Padding";
    private static final String AES = "AES";
    private static final String RSA = "RSA";
    private static final String RSA_TRANFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final int RSA_MULTIPLICATOR = 128;
    private int opMode;
    private String hashMethod = "SHA-256";
    private int aesKeyLen = RSA_MULTIPLICATOR;
    private boolean ignoreDecryptFailures = false;
    private ProducerCryptoBundle producerCryptoBundle = null;
    private ConsumerCryptoBundle consumerCryptoBundle = null;
    static final byte[] MAGIC_BYTES = {-33, -69};
    private static final Map<String, byte[]> aesKeyCache = new HashMap();
    private static final int MAGIC_BYTES_LENGTH = MAGIC_BYTES.length;
    private static final int HEADER_LENGTH = MAGIC_BYTES_LENGTH + 3;

    /* loaded from: input_file:de/saly/kafka/crypto/SerdeCryptoBase$ConsumerCryptoBundle.class */
    private class ConsumerCryptoBundle {
        private Cipher rsaDecrypt;
        final Cipher aesDecrypt;

        private ConsumerCryptoBundle(PrivateKey privateKey) throws Exception {
            this.aesDecrypt = Cipher.getInstance(SerdeCryptoBase.DEFAULT_TRANSFORMATION);
            this.rsaDecrypt = Cipher.getInstance(SerdeCryptoBase.RSA_TRANFORMATION);
            this.rsaDecrypt.init(2, privateKey);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public byte[] aesDecrypt(byte[] bArr) throws KafkaException {
            try {
                if (bArr[0] != SerdeCryptoBase.MAGIC_BYTES[0] || bArr[1] != SerdeCryptoBase.MAGIC_BYTES[1]) {
                    return bArr;
                }
                byte b = bArr[2];
                byte b2 = bArr[3];
                byte b3 = bArr[4];
                int i = SerdeCryptoBase.HEADER_LENGTH + b + (b2 * SerdeCryptoBase.RSA_MULTIPLICATOR) + b3;
                String printHexBinary = DatatypeConverter.printHexBinary(Arrays.copyOfRange(bArr, SerdeCryptoBase.HEADER_LENGTH, SerdeCryptoBase.HEADER_LENGTH + b));
                byte[] copyOfRange = Arrays.copyOfRange(bArr, SerdeCryptoBase.HEADER_LENGTH + b + (b2 * SerdeCryptoBase.RSA_MULTIPLICATOR), SerdeCryptoBase.HEADER_LENGTH + b + (b2 * SerdeCryptoBase.RSA_MULTIPLICATOR) + b3);
                byte[] bArr2 = (byte[]) SerdeCryptoBase.aesKeyCache.get(printHexBinary);
                if (bArr2 != null) {
                    this.aesDecrypt.init(2, SerdeCryptoBase.createAESSecretKey(bArr2), new IvParameterSpec(copyOfRange));
                    return SerdeCryptoBase.crypt(this.aesDecrypt, bArr, i, bArr.length - i);
                }
                byte[] crypt = SerdeCryptoBase.crypt(this.rsaDecrypt, Arrays.copyOfRange(bArr, SerdeCryptoBase.HEADER_LENGTH + b, SerdeCryptoBase.HEADER_LENGTH + b + (b2 * SerdeCryptoBase.RSA_MULTIPLICATOR)));
                this.aesDecrypt.init(2, SerdeCryptoBase.createAESSecretKey(crypt), new IvParameterSpec(copyOfRange));
                SerdeCryptoBase.aesKeyCache.put(printHexBinary, crypt);
                return SerdeCryptoBase.crypt(this.aesDecrypt, bArr, i, bArr.length - i);
            } catch (Exception e) {
                if (SerdeCryptoBase.this.ignoreDecryptFailures) {
                    return bArr;
                }
                throw new KafkaException("Decrypt failed", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:de/saly/kafka/crypto/SerdeCryptoBase$ProducerCryptoBundle.class */
    public class ProducerCryptoBundle {
        private ThreadLocal<ThreadAwareKeyInfo> keyInfo;
        private final PublicKey publicKey;

        private ProducerCryptoBundle(PublicKey publicKey) throws Exception {
            this.keyInfo = new ThreadLocal<ThreadAwareKeyInfo>() { // from class: de.saly.kafka.crypto.SerdeCryptoBase.ProducerCryptoBundle.1
                /* JADX INFO: Access modifiers changed from: protected */
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.lang.ThreadLocal
                public ThreadAwareKeyInfo initialValue() {
                    try {
                        return new ThreadAwareKeyInfo(ProducerCryptoBundle.this.publicKey);
                    } catch (Exception e) {
                        throw new KafkaException(e);
                    }
                }
            };
            this.publicKey = publicKey;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void newKey() throws Exception {
            this.keyInfo.remove();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public byte[] aesEncrypt(byte[] bArr) throws KafkaException {
            ThreadAwareKeyInfo threadAwareKeyInfo = this.keyInfo.get();
            try {
                byte[] bArr2 = new byte[16];
                threadAwareKeyInfo.random.nextBytes(bArr2);
                threadAwareKeyInfo.aesCipher.init(1, threadAwareKeyInfo.aesKey, new IvParameterSpec(bArr2));
                return SerdeCryptoBase.concatenate(SerdeCryptoBase.MAGIC_BYTES, new byte[]{(byte) threadAwareKeyInfo.aesHash.length, (byte) (threadAwareKeyInfo.rsaEncyptedAesKey.length / SerdeCryptoBase.RSA_MULTIPLICATOR), (byte) bArr2.length}, threadAwareKeyInfo.aesHash, threadAwareKeyInfo.rsaEncyptedAesKey, bArr2, SerdeCryptoBase.crypt(threadAwareKeyInfo.aesCipher, bArr));
            } catch (Exception e) {
                throw new KafkaException(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:de/saly/kafka/crypto/SerdeCryptoBase$ThreadAwareKeyInfo.class */
    public class ThreadAwareKeyInfo {
        private final SecretKey aesKey;
        private final byte[] aesHash;
        private final byte[] rsaEncyptedAesKey;
        private final Cipher rsaCipher;
        private final Cipher aesCipher;
        private final SecureRandom random = new SecureRandom();

        protected ThreadAwareKeyInfo(PublicKey publicKey) throws Exception {
            byte[] bArr = new byte[SerdeCryptoBase.this.aesKeyLen / 8];
            this.random.nextBytes(bArr);
            this.aesCipher = Cipher.getInstance(SerdeCryptoBase.DEFAULT_TRANSFORMATION);
            this.aesKey = SerdeCryptoBase.createAESSecretKey(bArr);
            this.aesHash = SerdeCryptoBase.this.hash(bArr);
            this.rsaCipher = Cipher.getInstance(SerdeCryptoBase.RSA_TRANFORMATION);
            this.rsaCipher.init(1, publicKey);
            this.rsaEncyptedAesKey = SerdeCryptoBase.crypt(this.rsaCipher, bArr);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void init(int i, Map<String, ?> map, boolean z) throws KafkaException {
        this.opMode = i;
        String str = (String) map.get(CRYPTO_HASH_METHOD);
        if (str != null && str.length() != 0) {
            this.hashMethod = str;
        }
        String str2 = (String) map.get(CRYPTO_IGNORE_DECRYPT_FAILURES);
        if (str2 != null && str2.length() != 0) {
            this.ignoreDecryptFailures = Boolean.parseBoolean(str2);
        }
        String str3 = (String) map.get(CRYPTO_AES_KEY_LEN);
        if (str3 != null && str3.length() != 0) {
            this.aesKeyLen = Integer.parseInt(str3);
            if (this.aesKeyLen < RSA_MULTIPLICATOR || this.aesKeyLen % 8 != 0) {
                throw new KafkaException("Invalid aes key size, should be 128, 192 or 256");
            }
        }
        try {
            if (i == 2) {
                this.consumerCryptoBundle = new ConsumerCryptoBundle(createRSAPrivateKey(readBytesFromFile((String) map.get(CRYPTO_RSA_PRIVATEKEY_FILEPATH))));
            } else {
                this.producerCryptoBundle = new ProducerCryptoBundle(createRSAPublicKey(readBytesFromFile((String) map.get(CRYPTO_RSA_PUBLICKEY_FILEPATH))));
            }
        } catch (Exception e) {
            throw new KafkaException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public byte[] crypt(byte[] bArr) throws KafkaException {
        return (bArr == null || bArr.length == 0) ? bArr : this.opMode == 2 ? this.consumerCryptoBundle.aesDecrypt(bArr) : this.producerCryptoBundle.aesEncrypt(bArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void newKey() {
        try {
            this.producerCryptoBundle.newKey();
        } catch (Exception e) {
            throw new KafkaException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public <T> T newInstance(Map<String, ?> map, String str, Class<T> cls) throws KafkaException {
        Object obj = map.get(str);
        if (obj == null) {
            throw new KafkaException("No value for '" + str + "' found");
        }
        if (obj instanceof String) {
            try {
                return (T) Utils.newInstance(Class.forName((String) obj));
            } catch (Exception e) {
                throw new KafkaException(e);
            }
        }
        if (obj instanceof Class) {
            return (T) Utils.newInstance((Class) obj);
        }
        throw new KafkaException("Unexpected type '" + obj.getClass() + "' for '" + str + "'");
    }

    private static PrivateKey createRSAPrivateKey(byte[] bArr) throws NoSuchAlgorithmException, InvalidKeySpecException {
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("Key bytes must not be null or empty");
        }
        return KeyFactory.getInstance(RSA).generatePrivate(new PKCS8EncodedKeySpec(bArr));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static SecretKey createAESSecretKey(byte[] bArr) {
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("Key bytes must not be null or empty");
        }
        return new SecretKeySpec(bArr, AES);
    }

    private static PublicKey createRSAPublicKey(byte[] bArr) throws NoSuchAlgorithmException, InvalidKeySpecException {
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("Key bytes must not be null or empty");
        }
        return KeyFactory.getInstance(RSA).generatePublic(new X509EncodedKeySpec(bArr));
    }

    private static byte[] readBytesFromFile(String str) throws IOException {
        if (str == null) {
            throw new IllegalArgumentException("Filename must not be null");
        }
        File file = new File(str);
        DataInputStream dataInputStream = new DataInputStream(new FileInputStream(file));
        byte[] bArr = new byte[(int) file.length()];
        dataInputStream.readFully(bArr);
        dataInputStream.close();
        return bArr;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public byte[] hash(byte[] bArr) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(this.hashMethod);
            messageDigest.update(bArr);
            return messageDigest.digest();
        } catch (Exception e) {
            throw new KafkaException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] crypt(Cipher cipher, byte[] bArr) throws IllegalBlockSizeException, BadPaddingException {
        return cipher.doFinal(bArr);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] crypt(Cipher cipher, byte[] bArr, int i, int i2) throws IllegalBlockSizeException, BadPaddingException {
        return cipher.doFinal(bArr, i, i2);
    }

    public static byte[] concatenate(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4, byte[] bArr5, byte[] bArr6) {
        if (bArr == null || bArr2 == null || bArr3 == null || bArr4 == null || bArr5 == null || bArr6 == null) {
            throw new IllegalArgumentException("arrays must not be null");
        }
        byte[] bArr7 = new byte[bArr.length + bArr2.length + bArr3.length + bArr4.length + bArr5.length + bArr6.length];
        System.arraycopy(bArr, 0, bArr7, 0, bArr.length);
        System.arraycopy(bArr2, 0, bArr7, bArr.length, bArr2.length);
        System.arraycopy(bArr3, 0, bArr7, bArr.length + bArr2.length, bArr3.length);
        System.arraycopy(bArr4, 0, bArr7, bArr.length + bArr2.length + bArr3.length, bArr4.length);
        System.arraycopy(bArr5, 0, bArr7, bArr.length + bArr2.length + bArr3.length + bArr4.length, bArr5.length);
        System.arraycopy(bArr6, 0, bArr7, bArr.length + bArr2.length + bArr3.length + bArr4.length + bArr5.length, bArr6.length);
        return bArr7;
    }
}
