package com.apple.foundationdb.record.provider.common;

import com.apple.foundationdb.annotation.API;
import com.apple.foundationdb.record.RecordCoreArgumentException;
import com.apple.foundationdb.record.provider.common.RecordSerializer;
import com.apple.foundationdb.record.provider.common.TransformedRecordSerializer;
import com.google.protobuf.Message;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.SecureRandom;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;

@API(API.Status.UNSTABLE)
/* loaded from: input_file:com/apple/foundationdb/record/provider/common/TransformedRecordSerializerJCE.class */
public class TransformedRecordSerializerJCE<M extends Message> extends TransformedRecordSerializer<M> {
    protected static final String DEFAULT_CIPHER = "AES/CBC/PKCS5Padding";
    protected static final int IV_SIZE = 16;

    @Nullable
    protected final String cipherName;

    @Nullable
    protected final Key encryptionKey;

    @Nullable
    protected final SecureRandom secureRandom;

    /* loaded from: input_file:com/apple/foundationdb/record/provider/common/TransformedRecordSerializerJCE$Builder.class */
    public static class Builder<M extends Message> extends TransformedRecordSerializer.Builder<M> {

        @Nullable
        protected String cipherName;

        @Nullable
        protected Key encryptionKey;

        @Nullable
        protected SecureRandom secureRandom;

        protected Builder(@Nonnull RecordSerializer<M> recordSerializer) {
            super(recordSerializer);
        }

        @Override // com.apple.foundationdb.record.provider.common.TransformedRecordSerializer.Builder
        public Builder<M> setCompressWhenSerializing(boolean z) {
            super.setCompressWhenSerializing(z);
            return this;
        }

        @Override // com.apple.foundationdb.record.provider.common.TransformedRecordSerializer.Builder
        public Builder<M> setCompressionLevel(int i) {
            super.setCompressionLevel(i);
            return this;
        }

        @Override // com.apple.foundationdb.record.provider.common.TransformedRecordSerializer.Builder
        public Builder<M> setEncryptWhenSerializing(boolean z) {
            super.setEncryptWhenSerializing(z);
            return this;
        }

        public Builder<M> setEncryptionKey(@Nonnull Key key) {
            this.encryptionKey = key;
            return this;
        }

        public Builder<M> setCipherName(@Nonnull String str) {
            this.cipherName = str;
            return this;
        }

        public Builder<M> clearEncryption() {
            this.cipherName = null;
            this.encryptionKey = null;
            return this;
        }

        public Builder<M> setSecureRandom(@Nonnull SecureRandom secureRandom) {
            this.secureRandom = secureRandom;
            return this;
        }

        public Builder<M> clearSecureRandom() {
            this.secureRandom = null;
            return this;
        }

        @Override // com.apple.foundationdb.record.provider.common.TransformedRecordSerializer.Builder
        public TransformedRecordSerializerJCE<M> build() {
            if (this.encryptWhenSerializing && this.encryptionKey == null) {
                throw new RecordCoreArgumentException("cannot encrypt when serializing if encryption key is not set", new Object[0]);
            }
            if (this.encryptionKey != null) {
                if (this.cipherName == null) {
                    this.cipherName = TransformedRecordSerializerJCE.DEFAULT_CIPHER;
                }
                if (this.secureRandom == null) {
                    this.secureRandom = new SecureRandom();
                }
            }
            return new TransformedRecordSerializerJCE<>(this.inner, this.compressWhenSerializing, this.compressionLevel, this.encryptWhenSerializing, this.cipherName, this.encryptionKey, this.secureRandom);
        }
    }

    protected TransformedRecordSerializerJCE(@Nonnull RecordSerializer<M> recordSerializer, boolean z, int i, boolean z2, @Nullable String str, @Nullable Key key, @Nullable SecureRandom secureRandom) {
        super(recordSerializer, z, i, z2);
        this.cipherName = str;
        this.encryptionKey = key;
        this.secureRandom = secureRandom;
    }

    @Override // com.apple.foundationdb.record.provider.common.TransformedRecordSerializer
    protected void encrypt(@Nonnull TransformedRecordSerializer.TransformState transformState, @Nullable StoreTimer storeTimer) throws GeneralSecurityException {
        if (this.cipherName == null || this.encryptionKey == null || this.secureRandom == null) {
            throw new RecordSerializationException("attempted to encrypt without setting cipher name and key", new Object[0]);
        }
        long nanoTime = System.nanoTime();
        byte[] bArr = new byte[IV_SIZE];
        this.secureRandom.nextBytes(bArr);
        IvParameterSpec ivParameterSpec = new IvParameterSpec(bArr);
        Cipher cipher = Cipher.getInstance(this.cipherName);
        cipher.init(1, this.encryptionKey, ivParameterSpec);
        byte[] doFinal = cipher.doFinal(transformState.getDataArray());
        byte[] bArr2 = new byte[IV_SIZE + doFinal.length];
        System.arraycopy(ivParameterSpec.getIV(), 0, bArr2, 0, IV_SIZE);
        System.arraycopy(doFinal, 0, bArr2, IV_SIZE, doFinal.length);
        transformState.encrypted = true;
        transformState.setDataArray(bArr2);
        if (storeTimer != null) {
            storeTimer.recordSinceNanoTime(RecordSerializer.Events.ENCRYPT_SERIALIZED_RECORD, nanoTime);
        }
    }

    @Override // com.apple.foundationdb.record.provider.common.TransformedRecordSerializer
    protected void decrypt(@Nonnull TransformedRecordSerializer.TransformState transformState, @Nullable StoreTimer storeTimer) throws GeneralSecurityException {
        if (this.cipherName == null || this.encryptionKey == null || this.secureRandom == null) {
            throw new RecordSerializationException("missing encryption key or provider during decryption", new Object[0]);
        }
        long nanoTime = System.nanoTime();
        byte[] bArr = new byte[IV_SIZE];
        System.arraycopy(transformState.data, transformState.offset, bArr, 0, IV_SIZE);
        IvParameterSpec ivParameterSpec = new IvParameterSpec(bArr);
        byte[] bArr2 = new byte[transformState.length - IV_SIZE];
        System.arraycopy(transformState.data, transformState.offset + IV_SIZE, bArr2, 0, bArr2.length);
        Cipher cipher = Cipher.getInstance(this.cipherName);
        cipher.init(2, this.encryptionKey, ivParameterSpec);
        transformState.setDataArray(cipher.doFinal(bArr2));
        if (storeTimer != null) {
            storeTimer.recordSinceNanoTime(RecordSerializer.Events.DECRYPT_SERIALIZED_RECORD, nanoTime);
        }
    }

    public static Builder<Message> newDefaultBuilder() {
        return newBuilder((RecordSerializer) DynamicMessageRecordSerializer.instance());
    }

    public static <M extends Message> Builder<M> newBuilder(@Nonnull RecordSerializer<M> recordSerializer) {
        return new Builder<>(recordSerializer);
    }
}
