package org.apache.kafka.metadata;

import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.kafka.common.Uuid;
import org.jose4j.jwe.SimpleAeadCipher;

/* loaded from: input_file:org/apache/kafka/metadata/AesGcm128MetadataEncryptor.class */
public class AesGcm128MetadataEncryptor implements MetadataEncryptor {
    private static final int NUM_INIT_VECTOR_BYTES = 12;
    private static final int NUM_AUTH_TAG_BITS = 128;
    static final int KEY_LENGTH = 16;
    private final Uuid id;
    private final SecureRandom random;
    private final Cipher cipher;
    private final SecretKeySpec secretKeySpec;

    public AesGcm128MetadataEncryptor() throws GeneralSecurityException {
        this.id = Uuid.randomUuid();
        this.random = new SecureRandom();
        this.cipher = createCipher();
        byte[] bArr = new byte[16];
        this.random.nextBytes(bArr);
        this.secretKeySpec = createSecretKeySpec(bArr);
    }

    public AesGcm128MetadataEncryptor(Uuid uuid, byte[] bArr) throws GeneralSecurityException {
        if (uuid.equals(Uuid.ZERO_UUID)) {
            throw new RuntimeException("Invalid zero id.");
        }
        this.id = uuid;
        this.random = new SecureRandom();
        this.cipher = createCipher();
        if (bArr.length != 16) {
            throw new RuntimeException("Invalid key length " + bArr.length + ". " + getClass().getSimpleName() + " requires a length of 16");
        }
        this.secretKeySpec = createSecretKeySpec(bArr);
    }

    private static Cipher createCipher() throws GeneralSecurityException {
        return Cipher.getInstance(SimpleAeadCipher.GCM_TRANSFORMATION_NAME);
    }

    private static SecretKeySpec createSecretKeySpec(byte[] bArr) {
        return new SecretKeySpec(bArr, "AES");
    }

    @Override // org.apache.kafka.metadata.MetadataEncryptor
    public Uuid id() {
        return this.id;
    }

    @Override // org.apache.kafka.metadata.MetadataEncryptor
    public byte[] decrypt(byte[] bArr) {
        try {
            byte[] bArr2 = new byte[12];
            System.arraycopy(bArr, 0, bArr2, 0, bArr2.length);
            this.cipher.init(2, this.secretKeySpec, new GCMParameterSpec(128, bArr2));
            byte[] bArr3 = new byte[bArr.length - bArr2.length];
            System.arraycopy(bArr, bArr2.length, bArr3, 0, bArr.length - bArr2.length);
            return this.cipher.doFinal(bArr3);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("decryption failed", e);
        }
    }

    @Override // org.apache.kafka.metadata.MetadataEncryptor
    public byte[] encrypt(byte[] bArr) {
        try {
            byte[] bArr2 = new byte[12];
            this.random.nextBytes(bArr2);
            this.cipher.init(1, this.secretKeySpec, new GCMParameterSpec(128, bArr2));
            byte[] doFinal = this.cipher.doFinal(bArr);
            byte[] bArr3 = new byte[bArr2.length + doFinal.length];
            System.arraycopy(bArr2, 0, bArr3, 0, bArr2.length);
            System.arraycopy(doFinal, 0, bArr3, bArr2.length, doFinal.length);
            return bArr3;
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("encryption failed", e);
        }
    }

    @Override // org.apache.kafka.metadata.MetadataEncryptor
    public byte[] secret() {
        return this.secretKeySpec.getEncoded();
    }
}
