package org.apache.ignite.spi.encryption.keystore;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.net.URL;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.concurrent.ThreadLocalRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.ignite.IgniteException;
import org.apache.ignite.IgniteLogger;
import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.internal.util.typedef.internal.U;
import org.apache.ignite.resources.LoggerResource;
import org.apache.ignite.spi.IgniteSpiAdapter;
import org.apache.ignite.spi.IgniteSpiException;
import org.apache.ignite.spi.encryption.EncryptionSpi;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.PropertyAccessor;

/* loaded from: input_file:org/apache/ignite/spi/encryption/keystore/KeystoreEncryptionSpi.class */
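/**
 * {@link EncryptionSpi} implementation that takes its master key from a Java {@link KeyStore} and
 * encrypts data with AES in CBC mode.
 *
 * <p>Output layout produced by the encrypt methods: a random IV of one cipher block, followed by the
 * ciphertext. The decrypt methods expect the same layout.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>CBC is used without a MAC, so the cipher itself gives confidentiality only; modified
 *       ciphertext is not detected at this layer. Any integrity guarantee has to come from the
 *       caller.</li>
 *   <li>The same password ({@link #setKeyStorePassword(char[])}) is used both to open the key store
 *       and to unlock the master key entry.</li>
 *   <li>Setter preconditions are expressed with {@code assert} and are therefore only enforced when
 *       the JVM runs with assertions enabled; {@code loadMasterKey} re-validates path and password
 *       unconditionally.</li>
 * </ul>
 */
public class KeystoreEncryptionSpi extends IgniteSpiAdapter implements EncryptionSpi {
    /** Default key store alias of the master key. */
    public static final String DEFAULT_MASTER_KEY_NAME = "ignite.master.key";

    /** Algorithm name used for key generation and key specs. */
    public static final String CIPHER_ALGO = "AES";

    /** Default size, in bits, of generated keys. */
    public static final int DEFAULT_KEY_SIZE = 256;

    /** Transformation used when the input is not guaranteed to be block aligned. */
    private static final String AES_WITH_PADDING = "AES/CBC/PKCS5Padding";

    /** Transformation used when the caller supplies block-aligned input. */
    private static final String AES_WITHOUT_PADDING = "AES/CBC/NoPadding";

    /** Algorithm used to compute key digests. */
    private static final String DIGEST_ALGO = "SHA-512";

    /** AES block size in bytes. */
    private static final int BLOCK_SZ = 16;

    /** Per-thread cipher instances; {@link Cipher} objects are stateful and not shareable. */
    private static final ThreadLocal<Cipher> aesWithPadding = ThreadLocal.withInitial(() -> {
        try {
            return Cipher.getInstance(AES_WITH_PADDING);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new IgniteException(e);
        }
    });

    /** Per-thread cipher instances for the unpadded transformation. */
    private static final ThreadLocal<Cipher> aesWithoutPadding = ThreadLocal.withInitial(() -> {
        try {
            return Cipher.getInstance(AES_WITHOUT_PADDING);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new IgniteException(e);
        }
    });

    /**
     * Per-thread cryptographically strong generator used for IVs. Kept thread-local, like the
     * ciphers above, so IV generation does not serialise encrypting threads on one instance.
     */
    private static final ThreadLocal<SecureRandom> ivRandom = ThreadLocal.withInitial(SecureRandom::new);

    /** Path to the key store: a file system path or, failing that, a classpath resource name. */
    private String keyStorePath;

    /**
     * Key store password. Held by reference: the array passed to the setter and the array returned
     * by the getter are this same object.
     */
    private char[] keyStorePwd;

    /** Currently active master key; replaced when the master key name changes after start. */
    private volatile KeystoreEncryptionKey masterKey;

    /** Injected logger; may be {@code null} when the SPI is used outside a node. */
    @LoggerResource
    protected IgniteLogger log;

    /** Size, in bits, of keys produced by {@link #create()}. */
    private int keySize = DEFAULT_KEY_SIZE;

    /** Alias of the active master key inside the key store. */
    private volatile String masterKeyName = DEFAULT_MASTER_KEY_NAME;

    /**
     * Loads the master key named by {@link #getMasterKeyName()} from the key store.
     *
     * @param igniteInstanceName Ignite instance name; not used by this implementation.
     * @throws IgniteSpiException If the key store or the master key cannot be loaded.
     */
    @Override
    public void spiStart(@Nullable String igniteInstanceName) throws IgniteSpiException {
        this.masterKey = loadMasterKey(this.masterKeyName);
    }

    /**
     * Stops the SPI. Only verifies that the SPI was started; no key material is cleared here.
     *
     * @throws IgniteSpiException Declared by the SPI contract.
     */
    @Override
    public void spiStop() throws IgniteSpiException {
        ensureStarted();
    }

    /** @return SHA-512 digest of the encoded current master key. */
    @Override
    public byte[] masterKeyDigest() {
        return masterKeyDigest(null);
    }

    /**
     * @param masterKeyName Master key alias; empty or {@code null} selects the current master key.
     * @return SHA-512 digest of the encoded key.
     */
    @Override
    public byte[] masterKeyDigest(String masterKeyName) {
        ensureStarted();
        return makeDigest(loadKeyOrCurrent(masterKeyName).key().getEncoded());
    }

    /**
     * Generates a new AES key of {@link #getKeySize()} bits together with its digest.
     *
     * @return Newly generated key.
     * @throws IgniteException If the AES key generator is not available.
     */
    @Override
    public KeystoreEncryptionKey create() throws IgniteException {
        ensureStarted();
        try {
            KeyGenerator gen = KeyGenerator.getInstance(CIPHER_ALGO);
            // An unsupported size set through setKeySize() is rejected here by the provider.
            gen.init(this.keySize);
            SecretKey key = gen.generateKey();
            return new KeystoreEncryptionKey(key, makeDigest(key.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new IgniteException(e);
        }
    }

    /**
     * Encrypts {@code data} with PKCS5 padding and writes IV plus ciphertext to {@code res}.
     *
     * @param data Plaintext source buffer.
     * @param key Encryption key; must be a {@link KeystoreEncryptionKey}.
     * @param res Destination buffer; see {@link #encryptedSize(int)} for the required capacity.
     */
    @Override
    public void encrypt(ByteBuffer data, Serializable key, ByteBuffer res) {
        doEncryption(data, aesWithPadding.get(), key, res);
    }

    /**
     * Encrypts {@code data} without padding and writes IV plus ciphertext to {@code res}.
     *
     * @param data Plaintext source buffer; the unpadded transformation requires block-aligned input.
     * @param key Encryption key; must be a {@link KeystoreEncryptionKey}.
     * @param res Destination buffer; see {@link #encryptedSizeNoPadding(int)}.
     */
    @Override
    public void encryptNoPadding(ByteBuffer data, Serializable key, ByteBuffer res) {
        doEncryption(data, aesWithoutPadding.get(), key, res);
    }

    /**
     * Decrypts data produced by {@link #encrypt(ByteBuffer, Serializable, ByteBuffer)}.
     *
     * @param data IV (first cipher block) followed by the ciphertext.
     * @param key Decryption key; must be a {@link KeystoreEncryptionKey}.
     * @return Decrypted bytes.
     * @throws IgniteSpiException If the input is too short to hold an IV or decryption fails.
     */
    @Override
    public byte[] decrypt(byte[] data, Serializable key) {
        assert key instanceof KeystoreEncryptionKey;

        ensureStarted();
        try {
            SecretKeySpec keySpec = new SecretKeySpec(((KeystoreEncryptionKey) key).key().getEncoded(), CIPHER_ALGO);
            Cipher cipher = aesWithPadding.get();
            int blockSize = cipher.getBlockSize();

            // Reject truncated input up front instead of failing inside IvParameterSpec with an
            // unrelated runtime exception.
            if (data == null || data.length < blockSize) {
                throw new IgniteSpiException("Encrypted data is too short to contain an initialization vector");
            }

            cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(data, 0, blockSize));
            return cipher.doFinal(data, blockSize, data.length - blockSize);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException e) {
            // NOTE(review): padding failures surface to the caller as IgniteSpiException. Because
            // CBC is unauthenticated, callers should not report this condition to untrusted peers
            // in a way that distinguishes it from other failures.
            throw new IgniteSpiException(e);
        }
    }

    /**
     * Decrypts data produced by {@link #encryptNoPadding(ByteBuffer, Serializable, ByteBuffer)}.
     *
     * @param data Source buffer positioned at the IV, followed by the ciphertext.
     * @param key Decryption key; must be a {@link KeystoreEncryptionKey}.
     * @param res Destination buffer for the plaintext.
     * @throws IgniteSpiException If decryption fails or {@code res} is too small.
     */
    @Override
    public void decryptNoPadding(ByteBuffer data, Serializable key, ByteBuffer res) {
        assert key instanceof KeystoreEncryptionKey;

        ensureStarted();
        try {
            SecretKeySpec keySpec = new SecretKeySpec(((KeystoreEncryptionKey) key).key().getEncoded(), CIPHER_ALGO);
            Cipher cipher = aesWithoutPadding.get();
            byte[] iv = new byte[cipher.getBlockSize()];
            // Consumes the IV, leaving the buffer positioned at the first ciphertext block.
            data.get(iv);
            cipher.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));
            cipher.doFinal(data, res);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException | ShortBufferException e) {
            throw new IgniteSpiException(e);
        }
    }

    /**
     * Shared encryption routine: writes a fresh IV to {@code res}, then the ciphertext.
     *
     * @param data Plaintext source buffer.
     * @param cipher Cipher instance to use (padded or unpadded).
     * @param key Encryption key; must be a {@link KeystoreEncryptionKey}.
     * @param res Destination buffer.
     */
    private void doEncryption(ByteBuffer data, Cipher cipher, Serializable key, ByteBuffer res) {
        assert key instanceof KeystoreEncryptionKey;

        ensureStarted();
        try {
            SecretKeySpec keySpec = new SecretKeySpec(((KeystoreEncryptionKey) key).key().getEncoded(), CIPHER_ALGO);
            byte[] iv = initVector(cipher);
            res.put(iv);
            cipher.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(iv));
            cipher.doFinal(data, res);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException | ShortBufferException e) {
            throw new IgniteSpiException(e);
        }
    }

    /**
     * @param key Key to wrap; must be a {@link KeystoreEncryptionKey}.
     * @return The serialized key encrypted with the current master key.
     */
    @Override
    public byte[] encryptKey(Serializable key) {
        return encryptKey(key, null);
    }

    /**
     * Serializes {@code key} and encrypts it with the selected master key.
     *
     * @param key Key to wrap; must be a {@link KeystoreEncryptionKey}.
     * @param masterKeyName Master key alias; empty or {@code null} selects the current master key.
     * @return IV followed by the encrypted serialized key.
     */
    @Override
    public byte[] encryptKey(Serializable key, String masterKeyName) {
        assert key instanceof KeystoreEncryptionKey;

        byte[] serialized = U.toBytes(key);
        byte[] res = new byte[encryptedSize(serialized.length)];
        encrypt(ByteBuffer.wrap(serialized), loadKeyOrCurrent(masterKeyName), ByteBuffer.wrap(res));
        return res;
    }

    /**
     * @param data Encrypted key produced by {@link #encryptKey(Serializable)}.
     * @return Decrypted key.
     */
    @Override
    public KeystoreEncryptionKey decryptKey(byte[] data) {
        return decryptKey(data, (String) null);
    }

    /**
     * Decrypts a wrapped key and checks it against the digest stored with it.
     *
     * @param data Encrypted key produced by {@link #encryptKey(Serializable, String)}.
     * @param masterKeyName Master key alias; empty or {@code null} selects the current master key.
     * @return Decrypted key.
     * @throws IgniteException If the stored digest does not match the decrypted key.
     */
    @Override
    public KeystoreEncryptionKey decryptKey(byte[] data, String masterKeyName) {
        // NOTE(review): the decrypted bytes are turned back into an object before the digest is
        // checked, and the ciphertext carries no MAC. U.fromBytes presumably performs Java
        // deserialization (confirm); if so, the source of `data` must be trusted or the
        // deserialization filtered.
        KeystoreEncryptionKey key = (KeystoreEncryptionKey) U.fromBytes(decrypt(data, loadKeyOrCurrent(masterKeyName)));

        // The digest travels inside the same encrypted payload as the key, so this detects a wrong
        // master key or corruption; it is not a substitute for an authentication tag.
        if (Arrays.equals(key.digest, makeDigest(key.key().getEncoded()))) {
            return key;
        }
        throw new IgniteException("Key is broken!");
    }

    /**
     * @param dataSize Plaintext size in bytes.
     * @return Output size for padded encryption, IV included.
     */
    @Override
    public int encryptedSize(int dataSize) {
        return encryptedSize(dataSize, AES_WITH_PADDING);
    }

    /**
     * @param dataSize Plaintext size in bytes.
     * @return Output size for unpadded encryption, IV included.
     */
    @Override
    public int encryptedSizeNoPadding(int dataSize) {
        return encryptedSize(dataSize, AES_WITHOUT_PADDING);
    }

    /** @return Cipher block size in bytes. */
    @Override
    public int blockSize() {
        return BLOCK_SZ;
    }

    /** @return Alias of the active master key. */
    @Override
    public String getMasterKeyName() {
        return this.masterKeyName;
    }

    /**
     * Sets the master key alias. When the SPI is already started the key is reloaded immediately.
     *
     * @param masterKeyName Alias of the master key in the key store.
     */
    @Override
    public void setMasterKeyName(String masterKeyName) {
        this.masterKeyName = masterKeyName;
        if (started()) {
            this.masterKey = loadMasterKey(masterKeyName);
        }
    }

    /**
     * Computes the output size for the given transformation.
     *
     * @param dataSize Plaintext size in bytes.
     * @param algo One of the two transformation names used by this class.
     * @return Number of whole blocks in {@code dataSize} plus the extra blocks, in bytes.
     * @throws IllegalStateException If {@code algo} is not a known transformation.
     */
    private int encryptedSize(int dataSize, String algo) {
        int extraBlocks;
        switch (algo) {
            case AES_WITH_PADDING:
                // One block for the IV and one for the padding.
                extraBlocks = 2;
                break;
            case AES_WITHOUT_PADDING:
                // One block for the IV only.
                extraBlocks = 1;
                break;
            default:
                throw new IllegalStateException("Unknown algorithm: " + algo);
        }
        return ((dataSize / BLOCK_SZ) + extraBlocks) * BLOCK_SZ;
    }

    /**
     * @param data Bytes to hash.
     * @return SHA-512 digest of {@code data}.
     */
    private byte[] makeDigest(byte[] data) {
        try {
            return MessageDigest.getInstance(DIGEST_ALGO).digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IgniteException(e);
        }
    }

    /**
     * Creates a fresh IV of one cipher block.
     *
     * <p>CBC needs an IV that cannot be predicted by anyone able to influence the plaintext, so the
     * bytes come from {@link SecureRandom}. {@code ThreadLocalRandom} is documented as not
     * cryptographically secure and must not be used here.
     *
     * @param cipher Cipher whose block size determines the IV length.
     * @return Random IV.
     */
    private byte[] initVector(Cipher cipher) {
        byte[] iv = new byte[cipher.getBlockSize()];
        ivRandom.get().nextBytes(iv);
        return iv;
    }

    /** @throws IgniteException If the SPI has not been started. */
    private void ensureStarted() throws IgniteException {
        if (!started()) {
            throw new IgniteException("EncryptionSpi is not started!");
        }
    }

    /** @return Configured key store path. */
    public String getKeyStorePath() {
        return this.keyStorePath;
    }

    /**
     * @param keyStorePath Key store location; must be non-empty and set before the SPI starts
     *     (both checked by assertion only).
     */
    public void setKeyStorePath(String keyStorePath) {
        assert !F.isEmpty(keyStorePath) : "KeyStore path shouldn't be empty";
        assert !started() : "Spi already started";

        this.keyStorePath = keyStorePath;
    }

    /**
     * @return The internal password array itself, not a copy; callers that modify or zero it change
     *     the password this SPI will use.
     */
    public char[] getKeyStorePwd() {
        return this.keyStorePwd;
    }

    /**
     * @param keyStorePwd Key store password; must be non-empty and set before the SPI starts (both
     *     checked by assertion only). The array is stored by reference.
     */
    public void setKeyStorePassword(char[] keyStorePwd) {
        assert keyStorePwd != null && keyStorePwd.length > 0;
        assert !started() : "Spi already started";

        this.keyStorePwd = keyStorePwd;
    }

    /** @return Size, in bits, of keys produced by {@link #create()}. */
    public int getKeySize() {
        return this.keySize;
    }

    /**
     * @param keySize Key size in bits; not validated here, an unsupported value fails later in
     *     {@link #create()}.
     */
    public void setKeySize(int keySize) {
        assert !started() : "Spi already started";

        this.keySize = keySize;
    }

    /**
     * Opens the key store, trying the file system first and the classpath second.
     *
     * @return Stream over the key store, or {@code null} if neither location exists.
     * @throws IOException If the stream cannot be opened.
     */
    private InputStream keyStoreFile() throws IOException {
        File file = new File(this.keyStorePath);
        if (file.exists()) {
            return new FileInputStream(file);
        }
        URL resource = KeystoreEncryptionSpi.class.getClassLoader().getResource(this.keyStorePath);
        if (resource != null) {
            return resource.openStream();
        }
        return null;
    }

    /**
     * @param masterKeyName Master key alias; empty or equal to the current alias selects the cached
     *     master key.
     * @return The cached master key, or a key freshly loaded from the key store.
     */
    private KeystoreEncryptionKey loadKeyOrCurrent(String masterKeyName) {
        return (F.isEmpty(masterKeyName) || masterKeyName.equals(this.masterKeyName))
            ? this.masterKey
            : loadMasterKey(masterKeyName);
    }

    /**
     * Reads the key store and extracts the key stored under {@code masterKeyName}.
     *
     * @param masterKeyName Alias of the key to load.
     * @return Master key wrapper with no digest attached.
     * @throws IgniteSpiException If the configuration is incomplete, the key store cannot be read,
     *     or the alias is missing.
     */
    private KeystoreEncryptionKey loadMasterKey(String masterKeyName) {
        assertParameter(!F.isEmpty(this.keyStorePath), "KeyStorePath shouldn't be empty");
        assertParameter(this.keyStorePwd != null && this.keyStorePwd.length > 0, "KeyStorePassword shouldn't be empty");

        // try-with-resources tolerates a null resource, so the existence check can stay inside.
        try (InputStream keyStoreFile = keyStoreFile()) {
            assertParameter(keyStoreFile != null, this.keyStorePath + " doesn't exists!");

            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(keyStoreFile, this.keyStorePwd);

            if (this.log != null && this.log.isInfoEnabled()) {
                this.log.info("Successfully load keyStore [path=" + this.keyStorePath + "]");
            }

            // The key entry is unlocked with the key store password.
            Key key = keyStore.getKey(masterKeyName, this.keyStorePwd);
            assertParameter(key != null, "No such master key found [masterKeyName=" + masterKeyName + ']');

            return new KeystoreEncryptionKey(key, null);
        } catch (IOException | GeneralSecurityException e) {
            throw new IgniteSpiException(e);
        }
    }
}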
