package io.trino.plugin.password.file;

import at.favre.lib.crypto.bcrypt.BCrypt;
import at.favre.lib.crypto.bcrypt.IllegalBCryptFormatException;
import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.io.BaseEncoding;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.List;
import java.util.Objects;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/* loaded from: input_file:io/trino/plugin/password/file/EncryptionUtil.class */
public final class EncryptionUtil {
    private static final int BCRYPT_MIN_COST = 8;
    private static final int PBKDF2_MIN_ITERATIONS = 1000;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/plugin/password/file/EncryptionUtil$PBKDF2Password.class */
    public static class PBKDF2Password {
        private final int iterations;
        private final byte[] salt;
        private final byte[] hash;

        private PBKDF2Password(int i, byte[] bArr, byte[] bArr2) {
            this.iterations = i;
            this.salt = (byte[]) Objects.requireNonNull(bArr, "salt is null");
            this.hash = (byte[]) Objects.requireNonNull(bArr2, "hash is null");
        }

        public int iterations() {
            return this.iterations;
        }

        public byte[] salt() {
            return this.salt;
        }

        public byte[] hash() {
            return this.hash;
        }

        public static PBKDF2Password fromString(String str) {
            try {
                List splitToList = Splitter.on(":").splitToList(str);
                Preconditions.checkArgument(splitToList.size() == 3, "wrong part count");
                return new PBKDF2Password(Integer.parseInt((String) splitToList.get(0)), BaseEncoding.base16().lowerCase().decode((CharSequence) splitToList.get(1)), BaseEncoding.base16().lowerCase().decode((CharSequence) splitToList.get(2)));
            } catch (IllegalArgumentException e) {
                throw new HashedPasswordException("Invalid PBKDF2 password");
            }
        }
    }

    private EncryptionUtil() {
    }

    public static int getBCryptCost(String str) {
        try {
            return BCrypt.Version.VERSION_2A.parser.parse(str.getBytes(StandardCharsets.UTF_8)).cost;
        } catch (IllegalBCryptFormatException e) {
            throw new HashedPasswordException("Invalid BCrypt password", e);
        }
    }

    public static int getPBKDF2Iterations(String str) {
        return PBKDF2Password.fromString(str).iterations();
    }

    public static boolean doesBCryptPasswordMatch(String str, String str2) {
        return BCrypt.verifyer().verify(str.toCharArray(), str2).verified;
    }

    public static boolean doesPBKDF2PasswordMatch(String str, String str2) {
        PBKDF2Password fromString = PBKDF2Password.fromString(str2);
        try {
            byte[] encoded = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(str.toCharArray(), fromString.salt(), fromString.iterations(), fromString.hash().length * BCRYPT_MIN_COST)).getEncoded();
            if (fromString.hash().length != encoded.length) {
                throw new HashedPasswordException("PBKDF2 password input is malformed");
            }
            return MessageDigest.isEqual(fromString.hash(), encoded);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new HashedPasswordException("Invalid PBKDF2 password", e);
        }
    }

    public static HashingAlgorithm getHashingAlgorithm(String str) {
        if (str.startsWith("$2y")) {
            if (getBCryptCost(str) < BCRYPT_MIN_COST) {
                throw new HashedPasswordException("Minimum cost of BCrypt password must be 8");
            }
            return HashingAlgorithm.BCRYPT;
        }
        if (!str.contains(":")) {
            throw new HashedPasswordException("Password hashing algorithm cannot be determined");
        }
        if (getPBKDF2Iterations(str) < PBKDF2_MIN_ITERATIONS) {
            throw new HashedPasswordException("Minimum iterations of PBKDF2 password must be 1000");
        }
        return HashingAlgorithm.PBKDF2;
    }
}
