package org.elasticsearch.repositories.encrypted;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.elasticsearch.common.settings.SecureString;

/* loaded from: input_file:org/elasticsearch/repositories/encrypted/AESKeyUtils.class */
public final class AESKeyUtils {
    public static final int KEY_LENGTH_IN_BYTES = 32;
    public static final int WRAPPED_KEY_LENGTH_IN_BYTES = 40;
    private static final int KDF_ITER = 61616;
    private static final String KDF_ALGO = "PBKDF2WithHmacSHA512";
    private static final byte[] KEY_ID_PLAINTEXT;
    static final /* synthetic */ boolean $assertionsDisabled;

    public static byte[] wrap(SecretKey secretKey, SecretKey secretKey2) throws GeneralSecurityException {
        if (!$assertionsDisabled && !"AES".equals(secretKey.getAlgorithm())) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && !"AES".equals(secretKey2.getAlgorithm())) {
            throw new AssertionError();
        }
        Cipher cipher = Cipher.getInstance("AESWrap");
        cipher.init(3, secretKey);
        return cipher.wrap(secretKey2);
    }

    public static SecretKey unwrap(SecretKey secretKey, byte[] bArr) throws GeneralSecurityException {
        if (!$assertionsDisabled && !"AES".equals(secretKey.getAlgorithm())) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && bArr.length != 40) {
            throw new AssertionError();
        }
        Cipher cipher = Cipher.getInstance("AESWrap");
        cipher.init(4, secretKey);
        return new SecretKeySpec(cipher.unwrap(bArr, "AES", 3).getEncoded(), "AES");
    }

    public static String computeId(SecretKey secretKey) throws GeneralSecurityException {
        return new String(Base64.getUrlEncoder().withoutPadding().encode(wrap(secretKey, new SecretKeySpec(KEY_ID_PLAINTEXT, "AES"))), StandardCharsets.UTF_8);
    }

    public static SecretKey generatePasswordBasedKey(SecureString secureString, String str) throws GeneralSecurityException {
        return generatePasswordBasedKey(secureString, str.getBytes(StandardCharsets.UTF_8));
    }

    public static SecretKey generatePasswordBasedKey(SecureString secureString, byte[] bArr) throws GeneralSecurityException {
        return new SecretKeySpec(SecretKeyFactory.getInstance(KDF_ALGO).generateSecret(new PBEKeySpec(secureString.getChars(), bArr, KDF_ITER, 256)).getEncoded(), "AES");
    }

    static {
        $assertionsDisabled = !AESKeyUtils.class.desiredAssertionStatus();
        KEY_ID_PLAINTEXT = "wrapping known text forms key id".getBytes(StandardCharsets.UTF_8);
    }
}
