package com.hazelcast.internal.hotrestart.impl.encryption;

import com.hazelcast.hotrestart.HotRestartException;
import com.hazelcast.internal.hotrestart.impl.di.Inject;
import com.hazelcast.internal.hotrestart.impl.di.Name;
import com.hazelcast.internal.hotrestart.impl.gc.chunk.Chunk;
import com.hazelcast.internal.nio.IOUtil;
import com.hazelcast.internal.util.Preconditions;
import com.hazelcast.logging.ILogger;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Duration;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;

/* loaded from: input_file:com/hazelcast/internal/hotrestart/impl/encryption/EncryptionManager.class */
public class EncryptionManager {
    public static final String KEY_FILE_NAME = "key.bin";
    public static final String IV_FILE_NAME = "iv.bin";
    private static final int KEY_HASH_SIZE = 32;
    private static final int FILE_RENAME_TIMEOUT_SECONDS = 15;
    private final File homeDir;
    private final int keySize;
    private final HotRestartCipherBuilder cipherBuilder;
    private final ILogger logger;
    private byte[] storeKey;
    private volatile byte[] masterKey;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Inject
    public EncryptionManager(ILogger iLogger, @Nonnull @Name("homeDir") File file, @Nonnull HotRestartStoreEncryptionConfig hotRestartStoreEncryptionConfig) {
        Preconditions.checkNotNull(file, "homeDir cannot be null!");
        Preconditions.checkNotNull(hotRestartStoreEncryptionConfig, "encryptionConfig cannot be null!");
        this.logger = iLogger;
        HotRestartCipherBuilder cipherBuilder = hotRestartStoreEncryptionConfig.cipherBuilder();
        this.homeDir = file;
        this.cipherBuilder = cipherBuilder;
        this.keySize = hotRestartStoreEncryptionConfig.keySize();
        initialize(hotRestartStoreEncryptionConfig.initialKeysSupplier());
    }

    public boolean isEncryptionEnabled() {
        return this.cipherBuilder != null;
    }

    private void initialize(InitialKeysSupplier initialKeysSupplier) {
        if (isEncryptionEnabled()) {
            List<byte[]> list = initialKeysSupplier == null ? null : initialKeysSupplier.get();
            if (list == null || list.isEmpty()) {
                throw new HotRestartException("No master encryption key available");
            }
            this.masterKey = list.get(0);
            checkKey(this.masterKey);
            byte[] readKeyFile = readKeyFile(list, this.masterKey);
            this.storeKey = readKeyFile;
            if (readKeyFile == null) {
                try {
                    this.storeKey = this.cipherBuilder.generateKey(this.keySize);
                    this.logger.fine("New key will be stored.");
                    writeKeyFile(this.storeKey);
                    this.logger.info("Written key file: " + getKeyFile());
                } catch (Throwable th) {
                    throw new HotRestartException("Unable to generate encryption key", th);
                }
            }
        }
    }

    private byte[] readKeyFile(List<byte[]> list, byte[] bArr) {
        File keyFile = getKeyFile();
        if (!keyFile.exists()) {
            return null;
        }
        BufferedInputStream bufferedInputStream = null;
        byte[] bArr2 = null;
        boolean z = false;
        try {
            try {
                bufferedInputStream = new BufferedInputStream(new FileInputStream(keyFile));
                byte[] readKeyHashBytes = readKeyHashBytes(bufferedInputStream);
                Iterator<byte[]> it = list.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    byte[] next = it.next();
                    if (Arrays.equals(readKeyHashBytes, computeKeyHash(next))) {
                        bArr2 = readEncryptionKey(bufferedInputStream, next);
                        z = !Arrays.equals(next, bArr);
                    }
                }
                if (bArr2 == null) {
                    throw new HotRestartException("Cannot find master encryption key for key hash: " + keyHashToString(readKeyHashBytes));
                }
                IOUtil.closeResource(bufferedInputStream);
                if (z) {
                    this.logger.fine("Master key rotation is detected during EncryptionManager initialization.");
                    writeKeyFile(bArr2);
                    this.logger.info("Re-encrypted key file: " + keyFile);
                }
                return bArr2;
            } catch (IOException e) {
                throw new HotRestartException(e);
            }
        } catch (Throwable th) {
            IOUtil.closeResource(bufferedInputStream);
            throw th;
        }
    }

    private byte[] readEncryptionKey(InputStream inputStream, byte[] bArr) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            IOUtil.drainTo(new CipherInputStream(inputStream, createCipher(false, bArr, getIvFile())), byteArrayOutputStream);
            if (this.keySize <= 0 || byteArrayOutputStream.size() * 8 == this.keySize) {
                return byteArrayOutputStream.toByteArray();
            }
            throw new HotRestartException("Encryption key has length: " + (byteArrayOutputStream.size() * 8) + ", expected: " + this.keySize);
        } catch (Exception e) {
            throw new HotRestartException("Failed to decrypt proxy encryption key", e);
        }
    }

    /* JADX WARN: Failed to calculate best type for var: r11v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Failed to calculate best type for var: r12v0 ??
    java.lang.NullPointerException
     */
    /* JADX WARN: Multi-variable type inference failed. Error: java.lang.NullPointerException: Cannot invoke "jadx.core.dex.instructions.args.RegisterArg.getSVar()" because the return value of "jadx.core.dex.nodes.InsnNode.getResult()" is null
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.collectRelatedVars(AbstractTypeConstraint.java:31)
    	at jadx.core.dex.visitors.typeinference.AbstractTypeConstraint.<init>(AbstractTypeConstraint.java:19)
    	at jadx.core.dex.visitors.typeinference.TypeSearch$1.<init>(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeMoveConstraint(TypeSearch.java:376)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.makeConstraint(TypeSearch.java:361)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.collectConstraints(TypeSearch.java:341)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.typeinference.TypeSearch.run(TypeSearch.java:60)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.runMultiVariableSearch(FixTypesVisitor.java:116)
    	at jadx.core.dex.visitors.typeinference.FixTypesVisitor.visit(FixTypesVisitor.java:91)
     */
    /* JADX WARN: Not initialized variable reg: 11, insn: 0x011c: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r11 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) A[TRY_LEAVE], block:B:32:0x011c */
    /* JADX WARN: Not initialized variable reg: 12, insn: 0x0121: MOVE (r0 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]) = (r12 I:??[int, float, boolean, short, byte, char, OBJECT, ARRAY]), block:B:33:0x011e */
    /* JADX WARN: Type inference failed for: r11v0, types: [java.io.Closeable] */
    /* JADX WARN: Type inference failed for: r12v0, types: [java.io.Closeable] */
    @SuppressFBWarnings(value = {"OS_OPEN_STREAM"}, justification = "The DataOutputStream not closed intentionally (so that the wrapped stream does not get closed)")
    private void writeKeyFile(byte[] bArr) {
        ?? r11;
        ?? r12;
        if (this.logger.isFineEnabled()) {
            this.logger.fine("Initiated writing the key file. Data bytes sum: " + sum(bArr));
        }
        synchronized (this) {
            try {
                File file = new File(this.homeDir, "key.bin.tmp");
                File file2 = new File(this.homeDir, "iv.bin.tmp");
                try {
                    BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(file));
                    BufferedOutputStream bufferedOutputStream2 = new BufferedOutputStream(new FileOutputStream(file2));
                    byte[] bArr2 = this.masterKey;
                    String encodeToString = Base64.getEncoder().encodeToString(computeKeyHash(bArr2));
                    DataOutputStream dataOutputStream = new DataOutputStream(bufferedOutputStream);
                    DataOutputStream dataOutputStream2 = new DataOutputStream(bufferedOutputStream2);
                    if (!$assertionsDisabled && this.cipherBuilder == null) {
                        throw new AssertionError();
                    }
                    byte[] generateIV = this.cipherBuilder.generateIV();
                    dataOutputStream2.write(generateIV);
                    dataOutputStream2.flush();
                    dataOutputStream.writeUTF(encodeToString);
                    dataOutputStream.flush();
                    CipherOutputStream cipherOutputStream = new CipherOutputStream(bufferedOutputStream, this.cipherBuilder.create(true, bArr2, generateIV));
                    cipherOutputStream.write(bArr);
                    cipherOutputStream.close();
                    IOUtil.closeResource(bufferedOutputStream);
                    IOUtil.closeResource(bufferedOutputStream2);
                    IOUtil.moveWithTimeout(file.toPath(), getKeyFile().toPath(), Duration.ofSeconds(15L));
                    IOUtil.moveWithTimeout(file2.toPath(), getIvFile().toPath(), Duration.ofSeconds(15L));
                } catch (Exception e) {
                    throw new HotRestartException(e);
                }
            } catch (Throwable th) {
                IOUtil.closeResource(r11);
                IOUtil.closeResource(r12);
                throw th;
            }
        }
        this.logger.fine("Writing the key file finished.");
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v10, types: [int] */
    private static int sum(byte[] bArr) {
        byte b = 0;
        for (byte b2 : bArr) {
            b += b2;
        }
        return b;
    }

    public void backup(File file) {
        if (isEncryptionEnabled()) {
            synchronized (this) {
                IOUtil.copy(getKeyFile(), file);
                IOUtil.copy(getIvFile(), file);
                backupIVs(file, "value");
                backupIVs(file, Chunk.TOMB_BASEDIR);
            }
        }
    }

    private void backupIVs(File file, String str) {
        String[] list = new File(this.homeDir.getPath(), str).list();
        if (!$assertionsDisabled && !new File(file, str).mkdir()) {
            throw new AssertionError();
        }
        for (String str2 : list) {
            File file2 = new File(this.homeDir, str + "/" + str2 + "/" + IV_FILE_NAME);
            if (file2.exists()) {
                File file3 = new File(file, str + "/" + str2);
                if (!$assertionsDisabled && !file3.mkdir()) {
                    throw new AssertionError();
                }
                IOUtil.copy(file2, file3);
            }
        }
    }

    File getKeyFile() {
        return new File(this.homeDir, KEY_FILE_NAME);
    }

    File getIvFile() {
        return new File(this.homeDir, IV_FILE_NAME);
    }

    public void rotateMasterKey(byte[] bArr) {
        if (isEncryptionEnabled()) {
            this.logger.fine("Master key is being rotated.");
            this.masterKey = Arrays.copyOf(bArr, bArr.length);
            writeKeyFile(this.storeKey);
            this.logger.info("Re-encrypted key file: " + getKeyFile());
        }
    }

    private void checkKey(byte[] bArr) {
        createCipher(true, bArr, getIvFile());
        createCipher(false, bArr, getIvFile());
    }

    private static String keyHashToString(byte[] bArr) {
        return String.format("%x", new BigInteger(1, bArr));
    }

    public Cipher newWriteCipher(String str) {
        if (isEncryptionEnabled()) {
            return createCipher(true, this.storeKey, new File(str, IV_FILE_NAME));
        }
        return null;
    }

    private Cipher newReadCipher(String str) {
        return createCipher(false, this.storeKey, new File(str, IV_FILE_NAME));
    }

    Cipher createCipher(boolean z, byte[] bArr, File file) {
        if (!$assertionsDisabled && this.cipherBuilder == null) {
            throw new AssertionError();
        }
        Cipher create = this.cipherBuilder.create(z, bArr, file);
        this.logger.fine("Cipher is created with randomIVEnabled = " + this.cipherBuilder.getRandomIVEnabled());
        return create;
    }

    public static byte[] computeKeyHash(byte[] bArr) {
        byte[] bArr2 = new byte[32];
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(bArr);
            messageDigest.digest(bArr2, 0, bArr2.length);
            return bArr2;
        } catch (GeneralSecurityException e) {
            throw new HotRestartException(e);
        }
    }

    public InputStream wrap(InputStream inputStream, String str) {
        return !isEncryptionEnabled() ? inputStream : new HotRestartCipherInputStream(inputStream, newReadCipher(str));
    }

    private static byte[] readKeyHashBytes(InputStream inputStream) {
        try {
            return Base64.getDecoder().decode(new DataInputStream(inputStream).readUTF());
        } catch (Exception e) {
            throw new HotRestartException(e);
        }
    }

    public boolean isEffectivelyEmpty(File file) {
        if (file.length() == 0) {
            return true;
        }
        if (!isEncryptionEnabled()) {
            return false;
        }
        try {
            InputStream wrap = wrap(new FileInputStream(file), file.getParent());
            Throwable th = null;
            try {
                try {
                    boolean z = wrap.read() == -1;
                    if (wrap != null) {
                        if (0 != 0) {
                            try {
                                wrap.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            wrap.close();
                        }
                    }
                    return z;
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            return false;
        }
    }

    static {
        $assertionsDisabled = !EncryptionManager.class.desiredAssertionStatus();
    }
}
