package org.apache.nifi.processors.cipher;

import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.nifi.annotation.behavior.InputRequirement;
import org.apache.nifi.annotation.behavior.SideEffectFree;
import org.apache.nifi.annotation.behavior.SupportsBatching;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.DeprecationNotice;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.cipher.algorithm.CipherAlgorithmMode;
import org.apache.nifi.processors.cipher.algorithm.CipherAlgorithmPadding;
import org.apache.nifi.processors.cipher.algorithm.SymmetricCipher;
import org.apache.nifi.processors.cipher.encoded.EncodedDelimiter;
import org.apache.nifi.processors.cipher.encoded.KeySpecificationFormat;
import org.apache.nifi.processors.cipher.io.DecryptStreamCallback;
import org.apache.nifi.security.crypto.key.DerivedKeyParameterSpec;
import org.apache.nifi.security.crypto.key.DerivedKeySpec;
import org.apache.nifi.security.crypto.key.StandardDerivedKeySpec;
import org.apache.nifi.security.crypto.key.detection.DetectedDerivedKeyParameterSpecReader;
import org.apache.nifi.security.crypto.key.detection.DetectedDerivedKeyProvider;
import org.apache.nifi.security.crypto.key.io.ByteBufferSearch;
import org.bouncycastle.util.encoders.Hex;

@CapabilityDescription("Decrypt content encrypted with AES and encoded according conventions added in NiFi 0.5.0 for the EncryptContent Processor. The Processor reads the first 256 bytes to determine the presence of a cryptographic salt based on finding the 'NiFiSALT' delimiter. The salt is not present for content encrypted with a raw hexadecimal key. The Processor determines the presence of the initialization vector based on finding the 'NiFiIV' delimiter.The salt format indicates the Key Derivation Function that the Processor uses to generate a secret key based on a configured password. The Processor derives keys with a size of 128 bits according to the conventions implemented in NiFi 0.5.0.")
@InputRequirement(InputRequirement.Requirement.INPUT_REQUIRED)
@SupportsBatching
@Tags({"cryptography", "decipher", "decrypt", "AES", "Argon2", "bcrypt", "scrypt", "PBKDF2"})
@SideEffectFree
@DeprecationNotice(reason = "This component is deprecated and will be removed in NiFi 2.x.")
/* loaded from: input_file:org/apache/nifi/processors/cipher/DecryptContent.class */
public class DecryptContent extends AbstractProcessor {
    static final PropertyDescriptor CIPHER_ALGORITHM_MODE = new PropertyDescriptor.Builder().name("cipher-algorithm-mode").displayName("Cipher Algorithm Mode").description("Block cipher mode of operation for decryption using the Advanced Encryption Standard").required(true).allowableValues(CipherAlgorithmMode.class).defaultValue(CipherAlgorithmMode.GCM.getValue()).build();
    static final PropertyDescriptor CIPHER_ALGORITHM_PADDING = new PropertyDescriptor.Builder().name("cipher-algorithm-padding").displayName("Cipher Algorithm Padding").description("Padding specification used in cipher operation for decryption using the Advanced Encryption Standard").required(true).allowableValues(CipherAlgorithmPadding.class).defaultValue(CipherAlgorithmPadding.NO_PADDING.getValue()).build();
    static final PropertyDescriptor KEY_SPECIFICATION_FORMAT = new PropertyDescriptor.Builder().name("key-specification-format").displayName("Key Specification Format").description("Format describing the configured Key Specification").required(true).allowableValues(KeySpecificationFormat.class).defaultValue(KeySpecificationFormat.PASSWORD.getValue()).build();
    static final PropertyDescriptor KEY_SPECIFICATION = new PropertyDescriptor.Builder().name("key-specification").displayName("Key Specification").description("Specification providing the raw secret key or a password from which to derive a secret key").required(true).sensitive(true).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    static final Relationship SUCCESS = new Relationship.Builder().name("success").description("Decryption succeeded").build();
    static final Relationship FAILURE = new Relationship.Builder().name("failure").description("Decryption failed").build();
    private static final List<PropertyDescriptor> DESCRIPTORS = Collections.unmodifiableList(Arrays.asList(CIPHER_ALGORITHM_MODE, CIPHER_ALGORITHM_PADDING, KEY_SPECIFICATION_FORMAT, KEY_SPECIFICATION));
    private static final Set<Relationship> RELATIONSHIPS = Collections.unmodifiableSet(new HashSet(Arrays.asList(SUCCESS, FAILURE)));
    private static final SymmetricCipher SYMMETRIC_CIPHER = SymmetricCipher.AES;
    private static final String TRANSFORMATION_FORMAT = "%s/%s/%s";

    /* loaded from: input_file:org/apache/nifi/processors/cipher/DecryptContent$DecryptCallback.class */
    private static class DecryptCallback extends DecryptStreamCallback {
        private static final int PARAMETERS_BUFFER_LENGTH = 256;
        private static final int DERIVED_KEY_LENGTH_BYTES = 16;
        private static final int END_OF_FILE = -1;
        private static final byte[] EMPTY_BYTES = new byte[0];
        private static final DetectedDerivedKeyParameterSpecReader parameterSpecReader = new DetectedDerivedKeyParameterSpecReader();
        private static final DetectedDerivedKeyProvider derivedKeyProvider = new DetectedDerivedKeyProvider();
        private final CipherAlgorithmMode cipherAlgorithmMode;
        private final KeySpec keySpec;

        private DecryptCallback(Cipher cipher, CipherAlgorithmMode cipherAlgorithmMode, KeySpec keySpec) {
            super(cipher, PARAMETERS_BUFFER_LENGTH);
            this.cipherAlgorithmMode = cipherAlgorithmMode;
            this.keySpec = keySpec;
        }

        @Override // org.apache.nifi.processors.cipher.io.DecryptStreamCallback
        protected AlgorithmParameterSpec readAlgorithmParameterSpec(ByteBuffer byteBuffer) {
            byte[] readDelimitedBytes = readDelimitedBytes(byteBuffer, EncodedDelimiter.SALT);
            byte[] readDelimitedBytes2 = readDelimitedBytes(byteBuffer, EncodedDelimiter.IV);
            return CipherAlgorithmMode.GCM == this.cipherAlgorithmMode ? new GCMSerializedParameterSpec(readDelimitedBytes2, readDelimitedBytes) : new IvSerializedParameterSpec(readDelimitedBytes2, readDelimitedBytes);
        }

        @Override // org.apache.nifi.processors.cipher.io.DecryptStreamCallback
        protected Key getKey(AlgorithmParameterSpec algorithmParameterSpec) {
            Key derivedKey;
            if (this.keySpec instanceof SecretKeySpec) {
                derivedKey = (SecretKeySpec) this.keySpec;
            } else {
                if (!(algorithmParameterSpec instanceof SerializedParameterSpec)) {
                    throw new IllegalArgumentException(String.format("Key Derivation Function Parameters not provided [%s]", algorithmParameterSpec.getClass()));
                }
                derivedKey = getDerivedKey(((SerializedParameterSpec) algorithmParameterSpec).getParameters());
            }
            return derivedKey;
        }

        private Key getDerivedKey(byte[] bArr) {
            return derivedKeyProvider.getDerivedKey(getDerivedKeySpec(parameterSpecReader.read(bArr)));
        }

        private DerivedKeySpec<DerivedKeyParameterSpec> getDerivedKeySpec(DerivedKeyParameterSpec derivedKeyParameterSpec) {
            return new StandardDerivedKeySpec(((PBEKeySpec) this.keySpec).getPassword(), DERIVED_KEY_LENGTH_BYTES, DecryptContent.SYMMETRIC_CIPHER.getValue(), derivedKeyParameterSpec);
        }

        private byte[] readDelimitedBytes(ByteBuffer byteBuffer, EncodedDelimiter encodedDelimiter) {
            byte[] bArr;
            byte[] delimiter = encodedDelimiter.getDelimiter();
            int indexOf = ByteBufferSearch.indexOf(byteBuffer, delimiter);
            if (indexOf == END_OF_FILE) {
                bArr = EMPTY_BYTES;
            } else {
                bArr = new byte[indexOf - byteBuffer.position()];
                byteBuffer.get(bArr);
                byteBuffer.position(indexOf + delimiter.length);
            }
            return bArr;
        }
    }

    /* loaded from: input_file:org/apache/nifi/processors/cipher/DecryptContent$GCMSerializedParameterSpec.class */
    private static class GCMSerializedParameterSpec extends GCMParameterSpec implements SerializedParameterSpec {
        private static final int GCM_TAG_LENGTH_BITS = 128;
        private final byte[] parameters;

        private GCMSerializedParameterSpec(byte[] bArr, byte[] bArr2) {
            super(GCM_TAG_LENGTH_BITS, bArr);
            this.parameters = bArr2;
        }

        @Override // org.apache.nifi.processors.cipher.DecryptContent.SerializedParameterSpec
        public byte[] getParameters() {
            return this.parameters;
        }
    }

    /* loaded from: input_file:org/apache/nifi/processors/cipher/DecryptContent$IvSerializedParameterSpec.class */
    private static class IvSerializedParameterSpec extends IvParameterSpec implements SerializedParameterSpec {
        private final byte[] parameters;

        private IvSerializedParameterSpec(byte[] bArr, byte[] bArr2) {
            super(bArr);
            this.parameters = bArr2;
        }

        @Override // org.apache.nifi.processors.cipher.DecryptContent.SerializedParameterSpec
        public byte[] getParameters() {
            return this.parameters;
        }
    }

    /* loaded from: input_file:org/apache/nifi/processors/cipher/DecryptContent$SerializedParameterSpec.class */
    private interface SerializedParameterSpec {
        byte[] getParameters();
    }

    public List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return DESCRIPTORS;
    }

    public Set<Relationship> getRelationships() {
        return RELATIONSHIPS;
    }

    public void onTrigger(ProcessContext processContext, ProcessSession processSession) {
        FlowFile flowFile = processSession.get();
        if (flowFile == null) {
            return;
        }
        KeySpecificationFormat valueOf = KeySpecificationFormat.valueOf(processContext.getProperty(KEY_SPECIFICATION_FORMAT).getValue());
        String cipherTransformation = getCipherTransformation(processContext);
        try {
            flowFile = processSession.write(flowFile, new DecryptCallback(getCipher(cipherTransformation), CipherAlgorithmMode.valueOf(processContext.getProperty(CIPHER_ALGORITHM_MODE).getValue()), getKeySpec(processContext, valueOf)));
            getLogger().debug("Decryption completed using [{}] {}", new Object[]{cipherTransformation, flowFile});
            processSession.transfer(flowFile, SUCCESS);
        } catch (RuntimeException e) {
            getLogger().error("Decryption failed using [{}] {}", new Object[]{cipherTransformation, flowFile, e});
            processSession.transfer(flowFile, FAILURE);
        }
    }

    private String getCipherTransformation(ProcessContext processContext) {
        return String.format(TRANSFORMATION_FORMAT, SYMMETRIC_CIPHER.getValue(), processContext.getProperty(CIPHER_ALGORITHM_MODE).getValue(), processContext.getProperty(CIPHER_ALGORITHM_PADDING).getValue());
    }

    private Cipher getCipher(String str) {
        try {
            return Cipher.getInstance(str);
        } catch (GeneralSecurityException e) {
            throw new CipherException(String.format("Cipher [%s] not found", str), e);
        }
    }

    private KeySpec getKeySpec(ProcessContext processContext, KeySpecificationFormat keySpecificationFormat) {
        String value = processContext.getProperty(KEY_SPECIFICATION).getValue();
        return KeySpecificationFormat.RAW == keySpecificationFormat ? new SecretKeySpec(Hex.decode(value), SYMMETRIC_CIPHER.getValue()) : new PBEKeySpec(value.toCharArray());
    }
}
