package org.apache.hadoop.crypto.key;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.UserProvider;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.Timeout;

/* loaded from: input_file:WEB-INF/lib/hadoop-common-3.4.0-tests.jar:org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.class */
public class TestKeyProviderCryptoExtension {
    private static final String CIPHER = "AES";
    private static final String ENCRYPTION_KEY_NAME = "fooKey";
    private static Configuration conf;
    private static KeyProvider kp;
    private static KeyProviderCryptoExtension kpExt;
    private static KeyProvider.Options options;
    private static KeyProvider.KeyVersion encryptionKey;

    @Rule
    public Timeout testTimeout = new Timeout(YarnConfiguration.DEFAULT_CLIENT_NM_CONNECT_MAX_WAIT_MS, TimeUnit.MILLISECONDS);

    /* loaded from: input_file:WEB-INF/lib/hadoop-common-3.4.0-tests.jar:org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension$DummyCachingCryptoExtensionKeyProvider.class */
    public class DummyCachingCryptoExtensionKeyProvider extends CachingKeyProvider implements KeyProviderCryptoExtension.CryptoExtension {
        private KeyProvider kp;
        private KeyProvider.KeyVersion kv;
        private KeyProviderCryptoExtension.EncryptedKeyVersion ekv;

        public DummyCachingCryptoExtensionKeyProvider(KeyProvider keyProvider, long j, long j2) {
            super(keyProvider, j, j2);
            Configuration unused = TestKeyProviderCryptoExtension.conf = new Configuration();
            try {
                this.kp = new UserProvider.Factory().createProvider(new URI("user:///"), TestKeyProviderCryptoExtension.conf);
                this.kv = new KeyProvider.KeyVersion(TestKeyProviderCryptoExtension.ENCRYPTION_KEY_NAME, "dummyCachingFakeKey@1", new byte[16]);
                this.ekv = new KeyProviderCryptoExtension.EncryptedKeyVersion(TestKeyProviderCryptoExtension.ENCRYPTION_KEY_NAME, "dummyCachingFakeKey@1", new byte[16], this.kv);
            } catch (IOException e) {
                Assert.fail(e.getMessage());
            } catch (URISyntaxException e2) {
                Assert.fail(e2.getMessage());
            }
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public void warmUpEncryptedKeys(String... strArr) throws IOException {
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public void drain(String str) {
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String str) throws IOException, GeneralSecurityException {
            return this.ekv;
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
            return this.kv;
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
            return encryptedKeyVersion;
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> list) throws IOException, GeneralSecurityException {
        }
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-common-3.4.0-tests.jar:org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension$DummyCryptoExtensionKeyProvider.class */
    public class DummyCryptoExtensionKeyProvider extends KeyProvider implements KeyProviderCryptoExtension.CryptoExtension {
        private KeyProvider kp;
        private KeyProvider.KeyVersion kv;
        private KeyProviderCryptoExtension.EncryptedKeyVersion ekv;

        public DummyCryptoExtensionKeyProvider(Configuration configuration) {
            super(configuration);
            try {
                this.kp = new UserProvider.Factory().createProvider(new URI("user:///"), new Configuration());
                this.kv = new KeyProvider.KeyVersion(TestKeyProviderCryptoExtension.ENCRYPTION_KEY_NAME, "dummyFakeKey@1", new byte[16]);
                this.ekv = new KeyProviderCryptoExtension.EncryptedKeyVersion(TestKeyProviderCryptoExtension.ENCRYPTION_KEY_NAME, "dummyFakeKey@1", new byte[16], this.kv);
            } catch (IOException e) {
                Assert.fail(e.getMessage());
            } catch (URISyntaxException e2) {
                Assert.fail(e2.getMessage());
            }
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public void warmUpEncryptedKeys(String... strArr) throws IOException {
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public void drain(String str) {
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String str) throws IOException, GeneralSecurityException {
            return this.ekv;
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
            return encryptedKeyVersion;
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> list) throws IOException, GeneralSecurityException {
        }

        @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
        public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
            return this.kv;
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
            return this.kp.getKeyVersion(str);
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public List<String> getKeys() throws IOException {
            return this.kp.getKeys();
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
            return this.kp.getKeyVersions(str);
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public KeyProvider.Metadata getMetadata(String str) throws IOException {
            return this.kp.getMetadata(str);
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
            return this.kp.createKey(str, bArr, options);
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public void deleteKey(String str) throws IOException {
            this.kp.deleteKey(str);
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
            return this.kp.rollNewVersion(str, bArr);
        }

        @Override // org.apache.hadoop.crypto.key.KeyProvider
        public void flush() throws IOException {
            this.kp.flush();
        }
    }

    @BeforeClass
    public static void setup() throws Exception {
        conf = new Configuration();
        kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
        kpExt = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
        options = new KeyProvider.Options(conf);
        options.setCipher("AES");
        options.setBitLength(128);
        encryptionKey = kp.createKey(ENCRYPTION_KEY_NAME, SecureRandom.getSeed(16), options);
    }

    @Test
    public void testGenerateEncryptedKey() throws Exception {
        KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey = kpExt.generateEncryptedKey(encryptionKey.getName());
        Assert.assertEquals("Version name of EEK should be EEK", KeyProviderCryptoExtension.EEK, generateEncryptedKey.getEncryptedKeyVersion().getVersionName());
        Assert.assertEquals("Name of EEK should be encryption key name", ENCRYPTION_KEY_NAME, generateEncryptedKey.getEncryptionKeyName());
        Assert.assertNotNull("Expected encrypted key material", generateEncryptedKey.getEncryptedKeyVersion().getMaterial());
        Assert.assertEquals("Length of encryption key material and EEK material should be the same", encryptionKey.getMaterial().length, generateEncryptedKey.getEncryptedKeyVersion().getMaterial().length);
        KeyProvider.KeyVersion decryptEncryptedKey = kpExt.decryptEncryptedKey(generateEncryptedKey);
        Assert.assertEquals(KeyProviderCryptoExtension.EK, decryptEncryptedKey.getVersionName());
        Assert.assertEquals(encryptionKey.getMaterial().length, decryptEncryptedKey.getMaterial().length);
        Assert.assertArrayEquals(decryptEncryptedKey.getMaterial(), kpExt.decryptEncryptedKey(generateEncryptedKey).getMaterial());
        KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey2 = kpExt.generateEncryptedKey(encryptionKey.getName());
        if (Arrays.equals(decryptEncryptedKey.getMaterial(), kpExt.decryptEncryptedKey(generateEncryptedKey2).getMaterial())) {
            Assert.fail("Generated EEKs should have different material!");
        }
        if (Arrays.equals(generateEncryptedKey.getEncryptedKeyIv(), generateEncryptedKey2.getEncryptedKeyIv())) {
            Assert.fail("Generated EEKs should have different IVs!");
        }
    }

    @Test
    public void testEncryptDecrypt() throws Exception {
        KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey = kpExt.generateEncryptedKey(encryptionKey.getName());
        byte[] encryptedKeyIv = generateEncryptedKey.getEncryptedKeyIv();
        byte[] material = generateEncryptedKey.getEncryptedKeyVersion().getMaterial();
        Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
        cipher.init(2, new SecretKeySpec(encryptionKey.getMaterial(), "AES"), new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion.deriveIV(encryptedKeyIv)));
        Assert.assertArrayEquals("Wrong key material from decryptEncryptedKey", cipher.doFinal(material), kpExt.decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(generateEncryptedKey.getEncryptionKeyName(), generateEncryptedKey.getEncryptionKeyVersionName(), generateEncryptedKey.getEncryptedKeyIv(), generateEncryptedKey.getEncryptedKeyVersion().getMaterial())).getMaterial());
    }

    @Test
    public void testReencryptEncryptedKey() throws Exception {
        KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey = kpExt.generateEncryptedKey(encryptionKey.getName());
        Assert.assertEquals(KeyProviderCryptoExtension.EK, kpExt.decryptEncryptedKey(generateEncryptedKey).getVersionName());
        Assert.assertEquals(encryptionKey.getMaterial().length, r0.getMaterial().length);
        kpExt.rollNewVersion(generateEncryptedKey.getEncryptionKeyName());
        KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey = kpExt.reencryptEncryptedKey(generateEncryptedKey);
        Assert.assertEquals("Version name of EEK should be EEK", KeyProviderCryptoExtension.EEK, reencryptEncryptedKey.getEncryptedKeyVersion().getVersionName());
        Assert.assertEquals("Name of EEK should be encryption key name", ENCRYPTION_KEY_NAME, reencryptEncryptedKey.getEncryptionKeyName());
        Assert.assertNotNull("Expected encrypted key material", reencryptEncryptedKey.getEncryptedKeyVersion().getMaterial());
        Assert.assertEquals("Length of encryption key material and EEK material should be the same", encryptionKey.getMaterial().length, reencryptEncryptedKey.getEncryptedKeyVersion().getMaterial().length);
        if (Arrays.equals(reencryptEncryptedKey.getEncryptedKeyVersion().getMaterial(), generateEncryptedKey.getEncryptedKeyVersion().getMaterial())) {
            Assert.fail("Re-encrypted EEK should have different material");
        }
        Assert.assertEquals(KeyProviderCryptoExtension.EK, kpExt.decryptEncryptedKey(reencryptEncryptedKey).getVersionName());
        Assert.assertEquals(encryptionKey.getMaterial().length, r0.getMaterial().length);
        KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey2 = kpExt.reencryptEncryptedKey(generateEncryptedKey);
        Assert.assertEquals("Version name of EEK should be EEK", KeyProviderCryptoExtension.EEK, reencryptEncryptedKey2.getEncryptedKeyVersion().getVersionName());
        Assert.assertEquals("Name of EEK should be encryption key name", ENCRYPTION_KEY_NAME, reencryptEncryptedKey2.getEncryptionKeyName());
        Assert.assertNotNull("Expected encrypted key material", reencryptEncryptedKey2.getEncryptedKeyVersion().getMaterial());
        Assert.assertEquals("Length of encryption key material and EEK material should be the same", encryptionKey.getMaterial().length, reencryptEncryptedKey2.getEncryptedKeyVersion().getMaterial().length);
        if (Arrays.equals(reencryptEncryptedKey2.getEncryptedKeyVersion().getMaterial(), generateEncryptedKey.getEncryptedKeyVersion().getMaterial())) {
            Assert.fail("Re-encrypted EEK should have different material");
        }
        Assert.assertArrayEquals(reencryptEncryptedKey.getEncryptedKeyVersion().getMaterial(), reencryptEncryptedKey2.getEncryptedKeyVersion().getMaterial());
        KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey3 = kpExt.reencryptEncryptedKey(reencryptEncryptedKey);
        Assert.assertEquals("Version name of EEK should be EEK", KeyProviderCryptoExtension.EEK, reencryptEncryptedKey3.getEncryptedKeyVersion().getVersionName());
        Assert.assertEquals("Name of EEK should be encryption key name", ENCRYPTION_KEY_NAME, reencryptEncryptedKey3.getEncryptionKeyName());
        Assert.assertNotNull("Expected encrypted key material", reencryptEncryptedKey3.getEncryptedKeyVersion().getMaterial());
        Assert.assertEquals("Length of encryption key material and EEK material should be the same", encryptionKey.getMaterial().length, reencryptEncryptedKey3.getEncryptedKeyVersion().getMaterial().length);
        if (Arrays.equals(reencryptEncryptedKey3.getEncryptedKeyVersion().getMaterial(), generateEncryptedKey.getEncryptedKeyVersion().getMaterial())) {
            Assert.fail("Re-encrypted EEK should have different material");
        }
        Assert.assertArrayEquals(reencryptEncryptedKey.getEncryptedKeyVersion().getMaterial(), reencryptEncryptedKey3.getEncryptedKeyVersion().getMaterial());
    }

    @Test
    public void testReencryptEncryptedKeys() throws Exception {
        ArrayList<KeyProviderCryptoExtension.EncryptedKeyVersion> arrayList = new ArrayList(4);
        arrayList.add(kpExt.generateEncryptedKey(encryptionKey.getName()));
        arrayList.add(kpExt.generateEncryptedKey(encryptionKey.getName()));
        kpExt.rollNewVersion(((KeyProviderCryptoExtension.EncryptedKeyVersion) arrayList.get(0)).getEncryptionKeyName());
        arrayList.add(kpExt.generateEncryptedKey(encryptionKey.getName()));
        kpExt.rollNewVersion(((KeyProviderCryptoExtension.EncryptedKeyVersion) arrayList.get(0)).getEncryptionKeyName());
        arrayList.add(kpExt.generateEncryptedKey(encryptionKey.getName()));
        ArrayList arrayList2 = new ArrayList(arrayList.size());
        for (KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion : arrayList) {
            arrayList2.add(new KeyProviderCryptoExtension.EncryptedKeyVersion(encryptedKeyVersion.getEncryptionKeyName(), encryptedKeyVersion.getEncryptionKeyVersionName(), encryptedKeyVersion.getEncryptedKeyIv(), encryptedKeyVersion.getEncryptedKeyVersion()));
        }
        kpExt.reencryptEncryptedKeys(arrayList);
        for (int i = 0; i < arrayList.size(); i++) {
            KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion2 = (KeyProviderCryptoExtension.EncryptedKeyVersion) arrayList.get(i);
            KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion3 = (KeyProviderCryptoExtension.EncryptedKeyVersion) arrayList2.get(i);
            Assert.assertEquals("Version name should be EEK", KeyProviderCryptoExtension.EEK, encryptedKeyVersion2.getEncryptedKeyVersion().getVersionName());
            Assert.assertEquals("Encryption key name should be fooKey", ENCRYPTION_KEY_NAME, encryptedKeyVersion2.getEncryptionKeyName());
            Assert.assertNotNull("Expected encrypted key material", encryptedKeyVersion2.getEncryptedKeyVersion().getMaterial());
            Assert.assertEquals("Length of encryption key material and EEK material should be the same", encryptionKey.getMaterial().length, encryptedKeyVersion2.getEncryptedKeyVersion().getMaterial().length);
            Assert.assertFalse("Encrypted key material should not equal encryption key material", Arrays.equals(encryptedKeyVersion2.getEncryptedKeyVersion().getMaterial(), encryptionKey.getMaterial()));
            if (i < 3) {
                Assert.assertFalse("Re-encrypted EEK should have different material", Arrays.equals(encryptedKeyVersion2.getEncryptedKeyVersion().getMaterial(), encryptedKeyVersion3.getEncryptedKeyVersion().getMaterial()));
            } else {
                Assert.assertTrue("Re-encrypted EEK should have same material", Arrays.equals(encryptedKeyVersion2.getEncryptedKeyVersion().getMaterial(), encryptedKeyVersion3.getEncryptedKeyVersion().getMaterial()));
            }
            KeyProvider.KeyVersion decryptEncryptedKey = kpExt.decryptEncryptedKey(encryptedKeyVersion2);
            Assert.assertEquals(KeyProviderCryptoExtension.EK, decryptEncryptedKey.getVersionName());
            Assert.assertArrayEquals(decryptEncryptedKey.getMaterial(), kpExt.decryptEncryptedKey(encryptedKeyVersion2).getMaterial());
            Assert.assertTrue("Returned EEK and original EEK should both decrypt to the same kv.", Arrays.equals(kpExt.decryptEncryptedKey(encryptedKeyVersion3).getMaterial(), decryptEncryptedKey.getMaterial()));
        }
    }

    @Test
    public void testNonDefaultCryptoExtensionSelectionWithCachingKeyProvider() throws Exception {
        Configuration configuration = new Configuration();
        Assert.assertEquals("dummyFakeKey@1", getEncryptedKeyVersion(configuration, new CachingKeyProvider(new DummyCryptoExtensionKeyProvider(configuration), 30000L, 30000L)).getEncryptionKeyVersionName());
    }

    @Test
    public void testDefaultCryptoExtensionSelectionWithCachingKeyProvider() throws Exception {
        Configuration configuration = new Configuration();
        Assert.assertEquals("fooKey@0", getEncryptedKeyVersion(configuration, new CachingKeyProvider(new UserProvider.Factory().createProvider(new URI("user:///"), configuration), 30000L, 30000L)).getEncryptionKeyVersionName());
    }

    @Test
    public void testNonDefaultCryptoExtensionSelectionOnKeyProviderExtension() throws Exception {
        Configuration configuration = new Configuration();
        Assert.assertEquals("dummyCachingFakeKey@1", getEncryptedKeyVersion(configuration, new DummyCachingCryptoExtensionKeyProvider(new UserProvider.Factory().createProvider(new URI("user:///"), configuration), 30000L, 30000L)).getEncryptionKeyVersionName());
    }

    private KeyProviderCryptoExtension.EncryptedKeyVersion getEncryptedKeyVersion(Configuration configuration, KeyProvider keyProvider) throws IOException, GeneralSecurityException {
        KeyProvider.Options options2 = new KeyProvider.Options(configuration);
        options2.setCipher("AES");
        options2.setBitLength(128);
        return KeyProviderCryptoExtension.createKeyProviderCryptoExtension(keyProvider).generateEncryptedKey(keyProvider.createKey(ENCRYPTION_KEY_NAME, SecureRandom.getSeed(16), options2).getName());
    }
}
