package org.apache.kafka.security;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.security.authorizer.AclEntry;
import org.apache.kafka.server.util.Csv;

/* loaded from: input_file:org/apache/kafka/security/EncryptingPasswordEncoder.class */
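/**
 * {@link PasswordEncoder} that encrypts passwords with a key derived from a configured secret.
 *
 * <p>For every {@link #encode} call a fresh random salt is generated, a key is derived from the
 * secret through a {@link SecretKeyFactory} fed with a {@link PBEKeySpec}, and the password is
 * encrypted with the configured cipher transformation. The result is a comma-joined list of
 * key/value pairs carrying everything {@link #decode} needs except the secret itself: key factory
 * algorithm, cipher algorithm, key length, salt, iteration count, ciphertext, plaintext length and
 * the cipher parameters.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The plaintext length is stored unencrypted in the encoded string, so anyone who can read
 *       the encoded value learns the password length.</li>
 *   <li>The length comparison in {@link #decode} is a sanity check, not an integrity check. Whether
 *       tampering with the ciphertext is detected depends on the configured cipher transformation;
 *       only transformations starting with {@code AES/GCM/} get a dedicated parameter encoder.</li>
 *   <li>{@link #decode} takes the key factory algorithm, key length and iteration count from the
 *       encoded string, so the encoded string must come from storage the caller trusts.</li>
 * </ul>
 */
public class EncryptingPasswordEncoder implements PasswordEncoder {
    /** Size in bytes of the random salt generated for every {@link #encode} call. */
    private static final int SALT_LENGTH_BYTES = 256;

    /** Key factory algorithm used when none is configured. */
    private static final String DEFAULT_KEY_FACTORY_ALGORITHM = "PBKDF2WithHmacSHA512";

    /** Used only if {@link #DEFAULT_KEY_FACTORY_ALGORITHM} is not available from any provider. */
    private static final String FALLBACK_KEY_FACTORY_ALGORITHM = "PBKDF2WithHmacSHA1";

    private final SecureRandom secureRandom = new SecureRandom();
    private final Password secret;
    private final String keyFactoryAlgorithm;
    private final String cipherAlgorithm;
    private final int keyLength;
    private final int iterations;
    private final CipherParamsEncoder cipherParamsEncoder;

    /**
     * Creates an encoder.
     *
     * @param password the secret from which encryption keys are derived
     * @param str key factory algorithm name, or {@code null} to use the built-in default
     * @param str2 cipher transformation (for example a name starting with {@code AES/GCM/});
     *     must not be {@code null}
     * @param i length of the derived key, passed to {@link PBEKeySpec} as the key length
     * @param i2 iteration count passed to {@link PBEKeySpec}
     */
    public EncryptingPasswordEncoder(Password password, String str, String str2, int i, int i2) {
        this.secret = password;
        this.keyFactoryAlgorithm = str;
        this.cipherAlgorithm = str2;
        this.keyLength = i;
        this.iterations = i2;
        this.cipherParamsEncoder = cipherParamsInstance(str2);
    }

    /**
     * Encrypts {@code password} and returns it together with the parameters needed to decrypt it.
     *
     * @param password the password to protect
     * @return comma-joined key/value pairs describing the key derivation, the cipher parameters
     *     and the Base64-encoded ciphertext
     * @throws GeneralSecurityException if the key factory or cipher is unavailable or fails
     */
    @Override
    public String encode(Password password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LENGTH_BYTES];
        this.secureRandom.nextBytes(salt);

        Cipher cipher = Cipher.getInstance(this.cipherAlgorithm);
        SecretKeyFactory keyFactory = secretKeyFactory(this.keyFactoryAlgorithm);
        // No parameter spec is supplied here; the parameters the cipher ends up with are read back
        // through cipher.getParameters() below and stored alongside the ciphertext.
        cipher.init(Cipher.ENCRYPT_MODE,
                secretKeySpec(keyFactory, this.cipherAlgorithm, this.keyLength, salt, this.iterations));
        byte[] encrypted = cipher.doFinal(password.value().getBytes(StandardCharsets.UTF_8));

        Map<String, String> params = new HashMap<>();
        // Record the algorithm the factory actually resolved to, which may be the default or the
        // fallback rather than the configured (possibly null) name.
        params.put(PasswordEncoder.KEY_FACTORY_ALGORITHM, keyFactory.getAlgorithm());
        params.put(PasswordEncoder.CIPHER_ALGORITHM, this.cipherAlgorithm);
        params.put(PasswordEncoder.KEY_LENGTH, String.valueOf(this.keyLength));
        params.put(PasswordEncoder.SALT, PasswordEncoder.base64Encode(salt));
        params.put(PasswordEncoder.ITERATIONS, String.valueOf(this.iterations));
        params.put(PasswordEncoder.ENCRYPTED_PASSWORD, PasswordEncoder.base64Encode(encrypted));
        // Stored in the clear: the encoded value discloses the password length (in UTF-16 units).
        params.put(PasswordEncoder.PASSWORD_LENGTH, String.valueOf(password.value().length()));
        params.putAll(this.cipherParamsEncoder.toMap(cipher.getParameters()));

        // AclEntry.RESOURCE_SEPARATOR is used here as the delimiter between key and value.
        return params.entrySet().stream()
                .map(entry -> entry.getKey() + AclEntry.RESOURCE_SEPARATOR + entry.getValue())
                .collect(Collectors.joining(","));
    }

    /**
     * Decrypts a value produced by {@link #encode}.
     *
     * <p>The key derivation settings and the cipher transformation are taken from the encoded
     * string, not from this instance's configuration; only the secret comes from this instance.
     *
     * @param str the encoded password
     * @return the decrypted password
     * @throws GeneralSecurityException if the key factory or cipher is unavailable or cannot be
     *     initialised from the stored parameters
     * @throws ConfigException if decryption fails or the decrypted length does not match the
     *     stored length
     */
    @Override
    public Password decode(String str) throws GeneralSecurityException {
        Map<String, String> params = Csv.parseCsvMap(str);
        String storedKeyFactoryAlgorithm = params.get(PasswordEncoder.KEY_FACTORY_ALGORITHM);
        String storedCipherAlgorithm = params.get(PasswordEncoder.CIPHER_ALGORITHM);
        // NOTE(review): key length and iteration count are accepted as stored, with no lower or
        // upper bound. If the encoded string can come from storage that is not fully trusted,
        // consider bounding them before deriving the key.
        int storedKeyLength = Integer.parseInt(params.get(PasswordEncoder.KEY_LENGTH));
        byte[] salt = PasswordEncoder.base64Decode(params.get(PasswordEncoder.SALT));
        int storedIterations = Integer.parseInt(params.get(PasswordEncoder.ITERATIONS));
        byte[] encrypted = PasswordEncoder.base64Decode(params.get(PasswordEncoder.ENCRYPTED_PASSWORD));
        int expectedLength = Integer.parseInt(params.get(PasswordEncoder.PASSWORD_LENGTH));

        Cipher cipher = Cipher.getInstance(storedCipherAlgorithm);
        SecretKeySpec key = secretKeySpec(secretKeyFactory(storedKeyFactoryAlgorithm),
                storedCipherAlgorithm, storedKeyLength, salt, storedIterations);
        // Pick the parameter decoder from the transformation recorded in the encoded value. The
        // instance-level encoder matches the *configured* transformation, which differs from the
        // stored one when a value was encoded under an earlier configuration.
        cipher.init(Cipher.DECRYPT_MODE, key,
                cipherParamsInstance(storedCipherAlgorithm).toParameterSpec(params));

        String decoded;
        try {
            decoded = new String(cipher.doFinal(encrypted), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | RuntimeException e) {
            throw new ConfigException("Password could not be decoded", e);
        }
        // Checked outside the try block so this specific message reaches the caller instead of
        // being wrapped by the generic handler above. This is a plausibility check only; it does
        // not authenticate the ciphertext.
        if (decoded.length() != expectedLength) {
            throw new ConfigException("Password could not be decoded, sanity check of length failed");
        }
        return new Password(decoded);
    }

    /**
     * Resolves the key factory for {@code algorithm}.
     *
     * @param algorithm key factory algorithm name, or {@code null} to use the default
     * @return the requested factory; for {@code null}, the PBKDF2WithHmacSHA512 factory, or the
     *     PBKDF2WithHmacSHA1 factory if the former is not available
     * @throws NoSuchAlgorithmException if no provider supports the requested (or fallback) algorithm
     */
    private SecretKeyFactory secretKeyFactory(String algorithm) throws NoSuchAlgorithmException {
        if (algorithm != null) {
            return SecretKeyFactory.getInstance(algorithm);
        }
        try {
            return SecretKeyFactory.getInstance(DEFAULT_KEY_FACTORY_ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            // Silent downgrade to an HMAC-SHA1 based derivation. The algorithm actually used is
            // written into the encoded value by encode(), so it can be audited there.
            return SecretKeyFactory.getInstance(FALLBACK_KEY_FACTORY_ALGORITHM);
        }
    }

    /**
     * Derives the encryption key from the configured secret.
     *
     * @param keyFactory factory that performs the derivation
     * @param transformation cipher transformation; the part before the first {@code '/'} is used
     *     as the key algorithm name
     * @param derivedKeyLength key length handed to {@link PBEKeySpec}
     * @param salt salt for the derivation
     * @param iterationCount iteration count for the derivation
     * @return the derived key, tagged with the cipher's base algorithm name
     * @throws InvalidKeySpecException if the factory rejects the key specification
     */
    private SecretKeySpec secretKeySpec(SecretKeyFactory keyFactory, String transformation, int derivedKeyLength,
            byte[] salt, int iterationCount) throws InvalidKeySpecException {
        char[] secretChars = this.secret.value().toCharArray();
        try {
            PBEKeySpec pbeKeySpec = new PBEKeySpec(secretChars, salt, iterationCount, derivedKeyLength);
            try {
                byte[] derivedKey = keyFactory.generateSecret(pbeKeySpec).getEncoded();
                int slash = transformation.indexOf('/');
                String keyAlgorithm = slash > 0 ? transformation.substring(0, slash) : transformation;
                return new SecretKeySpec(derivedKey, keyAlgorithm);
            } finally {
                // PBEKeySpec keeps its own copy of the password; wipe it once the key is derived.
                pbeKeySpec.clearPassword();
            }
        } finally {
            // Wipe the temporary copy made above. This only limits the number of extra copies:
            // the secret itself is still held as a String by the Password object.
            java.util.Arrays.fill(secretChars, '\0');
        }
    }

    /**
     * Chooses the encoder for cipher parameters based on the transformation name.
     *
     * @param transformation cipher transformation; must not be {@code null}
     * @return a {@link GcmParamsEncoder} for names starting with {@code AES/GCM/}, otherwise an
     *     {@link IvParamsEncoder}
     */
    private CipherParamsEncoder cipherParamsInstance(String transformation) {
        return transformation.startsWith("AES/GCM/") ? new GcmParamsEncoder() : new IvParamsEncoder();
    }
}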
