package com.hazelcast.internal.hotrestart.impl.encryption;

import com.hazelcast.hotrestart.HotRestartException;
import com.hazelcast.internal.hotrestart.impl.di.Inject;
import com.hazelcast.internal.hotrestart.impl.di.Name;
import com.hazelcast.internal.nio.IOUtil;
import com.hazelcast.internal.util.Preconditions;
import com.hazelcast.logging.ILogger;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;

/* loaded from: input_file:WEB-INF/lib/hazelcast-jet-enterprise-4.3.jar:com/hazelcast/internal/hotrestart/impl/encryption/EncryptionManager.class */
public class EncryptionManager {
    public static final String KEY_FILE_NAME = "key.bin";
    private static final int KEY_HASH_SIZE = 32;
    private final File homeDir;
    private final int keySize;
    private final HotRestartCipherBuilder cipherBuilder;
    private final ILogger logger;
    private byte[] storeKey;
    private volatile byte[] masterKey;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Inject
    public EncryptionManager(ILogger iLogger, @Nonnull @Name("homeDir") File file, @Nonnull HotRestartStoreEncryptionConfig hotRestartStoreEncryptionConfig) {
        Preconditions.checkNotNull(file, "homeDir cannot be null!");
        Preconditions.checkNotNull(hotRestartStoreEncryptionConfig, "encryptionConfig cannot be null!");
        this.logger = iLogger;
        HotRestartCipherBuilder cipherBuilder = hotRestartStoreEncryptionConfig.cipherBuilder();
        this.homeDir = file;
        this.cipherBuilder = cipherBuilder;
        this.keySize = hotRestartStoreEncryptionConfig.keySize();
        initialize(hotRestartStoreEncryptionConfig.initialKeysSupplier());
    }

    public boolean isEncryptionEnabled() {
        return this.cipherBuilder != null;
    }

    private void initialize(InitialKeysSupplier initialKeysSupplier) {
        if (isEncryptionEnabled()) {
            List<byte[]> list = initialKeysSupplier == null ? null : initialKeysSupplier.get();
            if (list == null || list.isEmpty()) {
                throw new HotRestartException("No master encryption key available");
            }
            this.masterKey = list.get(0);
            checkKey(this.masterKey);
            byte[] readKeyFile = readKeyFile(list, this.masterKey);
            this.storeKey = readKeyFile;
            if (readKeyFile == null) {
                try {
                    this.storeKey = this.cipherBuilder.generateKey(this.keySize);
                    writeKeyFile(this.storeKey);
                    this.logger.info("Written key file: " + getKeyFile());
                } catch (Throwable th) {
                    throw new HotRestartException("Unable to generate encryption key", th);
                }
            }
        }
    }

    private byte[] readKeyFile(List<byte[]> list, byte[] bArr) {
        File keyFile = getKeyFile();
        if (!keyFile.exists()) {
            return null;
        }
        BufferedInputStream bufferedInputStream = null;
        byte[] bArr2 = null;
        boolean z = false;
        try {
            try {
                bufferedInputStream = new BufferedInputStream(new FileInputStream(keyFile));
                byte[] readKeyHashBytes = readKeyHashBytes(bufferedInputStream);
                Iterator<byte[]> it = list.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    byte[] next = it.next();
                    if (Arrays.equals(readKeyHashBytes, computeKeyHash(next))) {
                        bArr2 = readEncryptionKey(bufferedInputStream, next);
                        z = !Arrays.equals(next, bArr);
                    }
                }
                if (bArr2 == null) {
                    throw new HotRestartException("Cannot find master encryption key for key hash: " + keyHashToString(readKeyHashBytes));
                }
                IOUtil.closeResource(bufferedInputStream);
                if (z) {
                    writeKeyFile(bArr2);
                    this.logger.info("Re-encrypted key file: " + keyFile);
                }
                return bArr2;
            } catch (IOException e) {
                throw new HotRestartException(e);
            }
        } catch (Throwable th) {
            IOUtil.closeResource(bufferedInputStream);
            throw th;
        }
    }

    private byte[] readEncryptionKey(InputStream inputStream, byte[] bArr) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            IOUtil.drainTo(new CipherInputStream(inputStream, createCipher(false, bArr)), byteArrayOutputStream);
            if (this.keySize <= 0 || byteArrayOutputStream.size() * 8 == this.keySize) {
                return byteArrayOutputStream.toByteArray();
            }
            throw new HotRestartException("Encryption key has length: " + (byteArrayOutputStream.size() * 8) + ", expected: " + this.keySize);
        } catch (Exception e) {
            throw new HotRestartException("Failed to decrypt proxy encryption key", e);
        }
    }

    @SuppressFBWarnings(value = {"OS_OPEN_STREAM"}, justification = "The DataOutputStream not closed intentionally (so that the wrapped stream does not get closed)")
    private void writeKeyFile(byte[] bArr) {
        synchronized (this) {
            File file = new File(this.homeDir, "key.bin.tmp");
            BufferedOutputStream bufferedOutputStream = null;
            try {
                try {
                    bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(file));
                    byte[] bArr2 = this.masterKey;
                    String encodeToString = Base64.getEncoder().encodeToString(computeKeyHash(bArr2));
                    DataOutputStream dataOutputStream = new DataOutputStream(bufferedOutputStream);
                    dataOutputStream.writeUTF(encodeToString);
                    dataOutputStream.flush();
                    CipherOutputStream cipherOutputStream = new CipherOutputStream(bufferedOutputStream, createCipher(true, bArr2));
                    cipherOutputStream.write(bArr);
                    cipherOutputStream.close();
                    IOUtil.closeResource(bufferedOutputStream);
                    IOUtil.rename(file, getKeyFile());
                } catch (Exception e) {
                    throw new HotRestartException(e);
                }
            } catch (Throwable th) {
                IOUtil.closeResource(bufferedOutputStream);
                throw th;
            }
        }
    }

    public void backup(File file) {
        if (isEncryptionEnabled()) {
            synchronized (this) {
                IOUtil.copy(getKeyFile(), file);
            }
        }
    }

    File getKeyFile() {
        return new File(this.homeDir, KEY_FILE_NAME);
    }

    public void rotateMasterKey(byte[] bArr) {
        if (isEncryptionEnabled()) {
            this.masterKey = Arrays.copyOf(bArr, bArr.length);
            writeKeyFile(this.storeKey);
            this.logger.info("Re-encrypted key file: " + getKeyFile());
        }
    }

    private void checkKey(byte[] bArr) {
        createCipher(true, bArr);
        createCipher(false, bArr);
    }

    private static String keyHashToString(byte[] bArr) {
        return String.format("%x", new BigInteger(1, bArr));
    }

    public Cipher newWriteCipher() {
        if (isEncryptionEnabled()) {
            return createCipher(true, this.storeKey);
        }
        return null;
    }

    private Cipher newReadCipher() {
        return createCipher(false, this.storeKey);
    }

    Cipher createCipher(boolean z, byte[] bArr) {
        if ($assertionsDisabled || this.cipherBuilder != null) {
            return this.cipherBuilder.create(z, bArr);
        }
        throw new AssertionError();
    }

    public static byte[] computeKeyHash(byte[] bArr) {
        byte[] bArr2 = new byte[32];
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(bArr);
            messageDigest.digest(bArr2, 0, bArr2.length);
            return bArr2;
        } catch (GeneralSecurityException e) {
            throw new HotRestartException(e);
        }
    }

    public InputStream wrap(InputStream inputStream) {
        return !isEncryptionEnabled() ? inputStream : new HotRestartCipherInputStream(inputStream, newReadCipher());
    }

    private static byte[] readKeyHashBytes(InputStream inputStream) {
        try {
            return Base64.getDecoder().decode(new DataInputStream(inputStream).readUTF());
        } catch (Exception e) {
            throw new HotRestartException(e);
        }
    }

    public boolean isEffectivelyEmpty(File file) {
        if (file.length() == 0) {
            return true;
        }
        if (!isEncryptionEnabled()) {
            return false;
        }
        try {
            InputStream wrap = wrap(new FileInputStream(file));
            Throwable th = null;
            try {
                try {
                    boolean z = wrap.read() == -1;
                    if (wrap != null) {
                        if (0 != 0) {
                            try {
                                wrap.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            wrap.close();
                        }
                    }
                    return z;
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            return false;
        }
    }

    static {
        $assertionsDisabled = !EncryptionManager.class.desiredAssertionStatus();
    }
}
