package org.apache.nifi.security.util.crypto;

import java.util.Locale;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.shaded.crypto.Digest;
import org.bouncycastle.shaded.crypto.digests.MD5Digest;
import org.bouncycastle.shaded.crypto.digests.SHA1Digest;
import org.bouncycastle.shaded.crypto.digests.SHA256Digest;
import org.bouncycastle.shaded.crypto.digests.SHA384Digest;
import org.bouncycastle.shaded.crypto.digests.SHA512Digest;
import org.bouncycastle.shaded.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.shaded.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/security/util/crypto/PBKDF2SecureHasher.class */
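/**
 * PBKDF2 implementation of {@link AbstractSecureHasher}, backed by Bouncy Castle's
 * {@link PKCS5S2ParametersGenerator}.
 *
 * <p>Points a reviewer should keep in mind when this class is used for password storage or
 * key derivation:
 * <ul>
 *   <li>The hard floor for the iteration count is {@code 1}; anything below
 *       {@value #DEFAULT_ITERATION_COUNT} only produces a warning in the log.</li>
 *   <li>MD5 and SHA-1 are still accepted as PRFs (with a warning), and an unrecognised PRF name
 *       falls back to SHA-512 instead of failing, so a misconfigured PRF is visible only in
 *       the log output.</li>
 *   <li>The convenience constructors pass a salt length of {@code 0}. What that means is
 *       decided by {@code AbstractSecureHasher.initializeSalt}, which is not part of this
 *       file — confirm whether it selects a fixed salt before using them for stored
 *       credentials.</li>
 * </ul>
 */
public class PBKDF2SecureHasher extends AbstractSecureHasher {
    private static final Logger logger = LoggerFactory.getLogger(PBKDF2SecureHasher.class);

    private static final String DEFAULT_PRF = "SHA-512";
    private static final int DEFAULT_SALT_LENGTH = 16;
    // Recommended counts rise over time and differ per PRF; review against current
    // password-storage guidance rather than treating this value as permanent.
    private static final int DEFAULT_ITERATION_COUNT = 160000;
    private static final int DEFAULT_DK_LENGTH = 32;
    private static final int MIN_ITERATION_COUNT = 1;
    private static final int MIN_DK_LENGTH = 1;
    private static final int MIN_SALT_LENGTH = 8;

    // RFC 8018 limits the derived key to (2^32 - 1) blocks of hLen bytes.
    private static final long MAX_PRF_BLOCKS = (1L << 32) - 1;
    // hash() converts the byte length to bits in an int, so the byte length must stay below
    // Integer.MAX_VALUE / 8 or the multiplication wraps (2^29 bytes would become 0 bits).
    private static final int MAX_DK_LENGTH_BYTES = Integer.MAX_VALUE / Byte.SIZE;

    private final Digest prf;
    private final Integer iterationCount;
    private final int dkLength;

    /**
     * Creates a hasher with SHA-512, {@value #DEFAULT_ITERATION_COUNT} iterations, a salt
     * length argument of {@code 0} and a {@value #DEFAULT_DK_LENGTH}-byte output.
     */
    public PBKDF2SecureHasher() {
        this(DEFAULT_PRF, DEFAULT_ITERATION_COUNT, 0, DEFAULT_DK_LENGTH);
    }

    /**
     * Creates a hasher with the default PRF and iteration count, a salt length argument of
     * {@code 0}, and the given output length.
     *
     * @param dkLength derived key length in bytes
     */
    public PBKDF2SecureHasher(int dkLength) {
        this(DEFAULT_PRF, DEFAULT_ITERATION_COUNT, 0, dkLength);
    }

    /**
     * Creates a hasher with the default PRF, a salt length argument of {@code 0}, and the
     * given iteration count and output length.
     *
     * @param iterationCount number of PBKDF2 iterations
     * @param dkLength derived key length in bytes
     */
    public PBKDF2SecureHasher(int iterationCount, int dkLength) {
        this(DEFAULT_PRF, iterationCount, 0, dkLength);
    }

    /**
     * Creates a fully parameterised hasher.
     *
     * @param prf name of the digest used as PRF; see {@link #resolvePRF(String)} for accepted values
     * @param iterationCount number of PBKDF2 iterations, at least {@value #MIN_ITERATION_COUNT}
     * @param saltLength salt length in bytes, handed to the parent class for validation
     * @param dkLength derived key length in bytes
     * @throws IllegalArgumentException if the PRF name is empty or the iteration count or
     *         derived key length is out of range
     */
    public PBKDF2SecureHasher(String prf, Integer iterationCount, int saltLength, int dkLength) {
        validateParameters(prf, iterationCount, saltLength, dkLength);
        // The PRF is resolved a second time here, so any deprecation or fallback warning from
        // resolvePRF appears twice per constructed instance.
        this.prf = resolvePRF(prf);
        this.iterationCount = iterationCount;
        this.saltLength = saltLength;
        this.dkLength = dkLength;
    }

    /**
     * Checks the constructor arguments and lets the parent class set up the salt.
     *
     * @throws IllegalArgumentException if the iteration count or derived key length is rejected
     */
    private void validateParameters(String prf, Integer iterationCount, int saltLength, int dkLength) {
        logger.debug("Validating PBKDF2 secure hasher with prf {}, iteration count {}, salt length {} bytes, output length {} bytes",
                prf, iterationCount, saltLength, dkLength);

        if (!isIterationCountValid(iterationCount)) {
            logger.error("The provided iteration count {} is below the minimum {}.", iterationCount, MIN_ITERATION_COUNT);
            throw new IllegalArgumentException("Invalid iterationCount is not within iteration count boundary.");
        }

        // Salt handling lives in AbstractSecureHasher (not visible in this file).
        initializeSalt(Integer.valueOf(saltLength));

        Digest resolvedPrf = resolvePRF(prf);
        int hLen = resolvedPrf.getDigestSize();
        logger.debug("The PRF is {}, with a digest size (hLen) of {} bytes", resolvedPrf.getAlgorithmName(), hLen);

        if (!isDKLengthValid(hLen, dkLength)) {
            logger.error("The provided dkLength {} bytes is outside the output boundary {} to {}.",
                    dkLength, MIN_DK_LENGTH, getMaxDKLength(hLen));
            throw new IllegalArgumentException("Invalid dkLength is not within derived key length boundary.");
        }
    }

    /** Returns the algorithm label {@code "PBKDF2"}. */
    @Override
    String getAlgorithmName() {
        return "PBKDF2";
    }

    /** Always {@code true}: this hasher reports that it accepts empty input. */
    @Override
    boolean acceptsEmptyInput() {
        return true;
    }

    /**
     * Reports whether the iteration count is at least {@value #MIN_ITERATION_COUNT}.
     *
     * <p>A count below {@value #DEFAULT_ITERATION_COUNT} is still valid; it is only logged at
     * WARN level, so weak work factors are not rejected by this check.
     *
     * @param iterationCount the iteration count to check
     * @return {@code true} if the count is at least the hard minimum
     */
    public static boolean isIterationCountValid(Integer iterationCount) {
        if (iterationCount < DEFAULT_ITERATION_COUNT) {
            logger.warn("The provided iteration count {} is below the recommended minimum {}.", iterationCount, DEFAULT_ITERATION_COUNT);
        }
        return iterationCount >= MIN_ITERATION_COUNT;
    }

    /** Returns the default salt length, {@value #DEFAULT_SALT_LENGTH} bytes. */
    @Override
    int getDefaultSaltLength() {
        return DEFAULT_SALT_LENGTH;
    }

    /** Returns the minimum salt length, {@value #MIN_SALT_LENGTH} bytes. */
    @Override
    int getMinSaltLength() {
        return MIN_SALT_LENGTH;
    }

    /** Returns {@link Integer#MAX_VALUE}; no tighter upper bound is set here. */
    @Override
    int getMaxSaltLength() {
        return Integer.MAX_VALUE;
    }

    /**
     * Reports whether a derived key length is usable with a PRF of the given digest size.
     *
     * @param hLen digest size of the PRF in bytes
     * @param dkLength requested derived key length in bytes
     * @return {@code true} if {@code dkLength} lies between {@value #MIN_DK_LENGTH} and the
     *         maximum computed for {@code hLen}
     */
    public static boolean isDKLengthValid(int hLen, Integer dkLength) {
        int maxDKLength = getMaxDKLength(hLen);
        logger.debug("The max dkLength is {} bytes for hLen {} bytes.", maxDKLength, hLen);
        return dkLength >= MIN_DK_LENGTH && dkLength <= maxDKLength;
    }

    /**
     * Computes the largest accepted derived key length in bytes: {@code (2^32 - 1) * hLen},
     * capped so that the later bytes-to-bits conversion in {@link #hash(byte[], byte[])}
     * cannot overflow an {@code int}.
     */
    private static int getMaxDKLength(int hLen) {
        return (int) Math.min(MAX_PRF_BLOCKS * hLen, MAX_DK_LENGTH_BYTES);
    }

    /** Hashes the input with the salt supplied by the parent class's {@code getSalt()}. */
    @Override
    byte[] hash(byte[] input) {
        return hash(input, getSalt());
    }

    /**
     * Derives {@code dkLength} bytes from the input and salt using the configured PRF and
     * iteration count.
     *
     * @param input the bytes to hash; never written to the log
     * @param rawSalt the salt bytes; written to the DEBUG log in hex
     * @return the derived key bytes
     * @throws IllegalArgumentException if the parent class rejects the salt length
     */
    @Override
    byte[] hash(byte[] input, byte[] rawSalt) {
        logger.debug("Creating PBKDF2 hash with salt [{}] ({} bytes)", Hex.toHexString(rawSalt), rawSalt.length);

        if (!isSaltLengthValid(Integer.valueOf(rawSalt.length))) {
            throw new IllegalArgumentException("The salt length (" + rawSalt.length + " bytes) is invalid");
        }

        long startNanos = System.nanoTime();
        PKCS5S2ParametersGenerator generator = new PKCS5S2ParametersGenerator(this.prf);
        generator.init(input, rawSalt, this.iterationCount);
        // The generator is given the key size in bits; dkLength is bounded by
        // MAX_DK_LENGTH_BYTES at construction, so this multiplication cannot wrap.
        byte[] derivedKey = generator.generateDerivedParameters(this.dkLength * Byte.SIZE).getKey();
        long elapsedMillis = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startNanos);
        logger.debug("Generated PBKDF2 hash in {} ms", elapsedMillis);

        return derivedKey;
    }

    /**
     * Maps a PRF name to a digest instance.
     *
     * <p>The name is lower-cased and stripped of non-word characters before matching, so
     * {@code "SHA-512"} and {@code "sha512"} are equivalent. MD5 and SHA-1 are returned with a
     * warning. Any other unrecognised name yields SHA-512 with a warning instead of an error.
     *
     * @param prf the PRF name as supplied by the caller
     * @return a new digest instance
     * @throws IllegalArgumentException if {@code prf} is null or empty
     */
    private Digest resolvePRF(String prf) {
        if (StringUtils.isEmpty(prf)) {
            throw new IllegalArgumentException("Cannot resolve empty PRF");
        }

        // Locale.ROOT keeps the normalisation of algorithm names independent of the JVM's
        // default locale.
        String normalizedPrf = prf.toLowerCase(Locale.ROOT).replaceAll("[\\W]+", "");
        logger.debug("Resolved PRF {} to {}", prf, normalizedPrf);

        switch (normalizedPrf) {
            case "md5":
                logger.warn("MD5 is a deprecated cryptographic hash function and should not be used");
                return new MD5Digest();
            case "sha1":
                logger.warn("SHA-1 is a deprecated cryptographic hash function and should not be used");
                return new SHA1Digest();
            case "sha256":
                return new SHA256Digest();
            case "sha384":
                return new SHA384Digest();
            case "sha512":
                return new SHA512Digest();
            default:
                logger.warn("Could not resolve PRF {}. Using default PRF {} instead", prf, DEFAULT_PRF);
                return new SHA512Digest();
        }
    }
}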
