package org.opensearch.common.settings;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.lucene.backward_codecs.store.EndiannessReverserUtil;
import org.apache.lucene.codecs.CodecUtil;
import org.apache.lucene.index.IndexFormatTooNewException;
import org.apache.lucene.index.IndexFormatTooOldException;
import org.apache.lucene.store.ChecksumIndexInput;
import org.apache.lucene.store.IOContext;
import org.apache.lucene.store.IndexOutput;
import org.apache.lucene.store.NIOFSDirectory;
import org.opensearch.cli.UserException;
import org.opensearch.common.Randomness;
import org.opensearch.common.SetOnce;
import org.opensearch.common.hash.MessageDigests;
import org.opensearch.common.settings.Setting;
import org.opensearch.core.common.settings.SecureString;
import org.opensearch.transport.RemoteClusterAware;

/* loaded from: input_file:org/opensearch/common/settings/KeyStoreWrapper.class */
public class KeyStoreWrapper implements SecureSettings {
    private static final Pattern ALLOWED_SETTING_NAME;
    public static final Setting<SecureString> SEED_SETTING;
    private static final char[] SEED_CHARS;
    private static final String KEYSTORE_FILENAME = "opensearch.keystore";
    static final int FORMAT_VERSION = 4;
    private static final int MIN_FORMAT_VERSION = 1;
    private static final String KDF_ALGO = "PBKDF2WithHmacSHA512";
    private static final int KDF_ITERS = 10000;
    private static final int CIPHER_KEY_BITS = 128;
    private static final int GCM_TAG_BITS = 128;
    private static final String CIPHER_ALGO = "AES";
    private static final String CIPHER_MODE = "GCM";
    private static final String CIPHER_PADDING = "NoPadding";
    private final int formatVersion;
    private final boolean hasPassword;
    private final byte[] dataBytes;
    private final SetOnce<Map<String, Entry>> entries = new SetOnce<>();
    private volatile boolean closed;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/opensearch/common/settings/KeyStoreWrapper$Entry.class */
    public static class Entry {
        final byte[] bytes;
        final byte[] sha256Digest;

        Entry(byte[] bArr) {
            this.bytes = bArr;
            this.sha256Digest = MessageDigests.sha256().digest(bArr);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/opensearch/common/settings/KeyStoreWrapper$EntryType.class */
    public enum EntryType {
        STRING,
        FILE
    }

    private KeyStoreWrapper(int i, boolean z, byte[] bArr) {
        this.formatVersion = i;
        this.hasPassword = z;
        this.dataBytes = bArr;
    }

    public int getFormatVersion() {
        return this.formatVersion;
    }

    public static Path keystorePath(Path path) {
        return keystorePath(path, KEYSTORE_FILENAME);
    }

    private static Path keystorePath(Path path, String str) {
        return path.resolve(str);
    }

    public static KeyStoreWrapper create() {
        KeyStoreWrapper keyStoreWrapper = new KeyStoreWrapper(4, false, null);
        keyStoreWrapper.entries.set(new HashMap());
        addBootstrapSeed(keyStoreWrapper);
        return keyStoreWrapper;
    }

    public static void addBootstrapSeed(KeyStoreWrapper keyStoreWrapper) {
        if (!$assertionsDisabled && keyStoreWrapper.getSettingNames().contains(SEED_SETTING.getKey())) {
            throw new AssertionError();
        }
        SecureRandom createSecure = Randomness.createSecure();
        char[] cArr = new char[20];
        for (int i = 0; i < 20; i++) {
            cArr[i] = SEED_CHARS[createSecure.nextInt(SEED_CHARS.length)];
        }
        keyStoreWrapper.setString(SEED_SETTING.getKey(), cArr);
        Arrays.fill(cArr, (char) 0);
    }

    public static KeyStoreWrapper load(Path path) throws IOException {
        return load(path, KEYSTORE_FILENAME);
    }

    public static KeyStoreWrapper load(Path path, String str) throws IOException {
        byte[] bArr;
        Path keystorePath = keystorePath(path, str);
        if (!Files.exists(keystorePath, new LinkOption[0])) {
            return null;
        }
        ChecksumIndexInput openChecksumInput = EndiannessReverserUtil.openChecksumInput(new NIOFSDirectory(path), str, IOContext.READONCE);
        try {
            try {
                try {
                    int checkHeader = CodecUtil.checkHeader(openChecksumInput, str, 1, 4);
                    byte readByte = openChecksumInput.readByte();
                    boolean z = readByte == 1;
                    if (!z && readByte != 0) {
                        throw new IllegalStateException("hasPassword boolean is corrupt: " + String.format(Locale.ROOT, "%02x", Byte.valueOf(readByte)));
                    }
                    if (checkHeader <= 2) {
                        if (!openChecksumInput.readString().equals("PKCS12")) {
                            throw new IllegalStateException("Corrupted legacy keystore string encryption algorithm");
                        }
                        if (!openChecksumInput.readString().equals("PBE")) {
                            throw new IllegalStateException("Corrupted legacy keystore string encryption algorithm");
                        }
                        if (checkHeader == 2 && !openChecksumInput.readString().equals("PBE")) {
                            throw new IllegalStateException("Corrupted legacy keystore file encryption algorithm");
                        }
                    }
                    if (checkHeader == 2) {
                        Map readMapOfStrings = openChecksumInput.readMapOfStrings();
                        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                        DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
                        try {
                            dataOutputStream.writeInt(readMapOfStrings.size());
                            for (Map.Entry entry : readMapOfStrings.entrySet()) {
                                dataOutputStream.writeUTF((String) entry.getKey());
                                dataOutputStream.writeUTF((String) entry.getValue());
                            }
                            int readInt = openChecksumInput.readInt();
                            byte[] bArr2 = new byte[readInt];
                            openChecksumInput.readBytes(bArr2, 0, readInt);
                            dataOutputStream.write(bArr2);
                            dataOutputStream.close();
                            bArr = byteArrayOutputStream.toByteArray();
                        } finally {
                        }
                    } else {
                        int readInt2 = openChecksumInput.readInt();
                        bArr = new byte[readInt2];
                        openChecksumInput.readBytes(bArr, 0, readInt2);
                    }
                    CodecUtil.checkFooter(openChecksumInput);
                    KeyStoreWrapper keyStoreWrapper = new KeyStoreWrapper(checkHeader, z, bArr);
                    if (openChecksumInput != null) {
                        openChecksumInput.close();
                    }
                    return keyStoreWrapper;
                } catch (IndexFormatTooOldException e) {
                    throw new IllegalStateException("The OpenSearch keystore [" + String.valueOf(keystorePath) + "] format is too old. You should delete and recreate it in order to upgrade.", e);
                }
            } catch (IndexFormatTooNewException e2) {
                throw new IllegalStateException("The OpenSearch keystore [" + String.valueOf(keystorePath) + "] format is too new. Are you trying to downgrade? You should delete and recreate it in order to downgrade.", e2);
            }
        } catch (Throwable th) {
            if (openChecksumInput != null) {
                try {
                    openChecksumInput.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public static void upgrade(KeyStoreWrapper keyStoreWrapper, Path path, char[] cArr) throws Exception {
        if (keyStoreWrapper.getFormatVersion() == 4 && keyStoreWrapper.getSettingNames().contains(SEED_SETTING.getKey())) {
            return;
        }
        if (!keyStoreWrapper.getSettingNames().contains(SEED_SETTING.getKey())) {
            addBootstrapSeed(keyStoreWrapper);
        }
        keyStoreWrapper.save(path, cArr);
    }

    @Override // org.opensearch.common.settings.SecureSettings
    public boolean isLoaded() {
        return this.entries.get() != null;
    }

    public boolean hasPassword() {
        return this.hasPassword;
    }

    private Cipher createCipher(int i, char[] cArr, byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        SecretKeySpec secretKeySpec = new SecretKeySpec(SecretKeyFactory.getInstance(KDF_ALGO).generateSecret(new PBEKeySpec(cArr, bArr, 10000, 128)).getEncoded(), CIPHER_ALGO);
        GCMParameterSpec gCMParameterSpec = new GCMParameterSpec(128, bArr2);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(i, secretKeySpec, gCMParameterSpec);
        cipher.updateAAD(bArr);
        return cipher;
    }

    public void decrypt(char[] cArr) throws GeneralSecurityException, IOException {
        if (this.entries.get() != null) {
            throw new IllegalStateException("Keystore has already been decrypted");
        }
        if (this.formatVersion <= 2) {
            decryptLegacyEntries();
            if (cArr.length != 0) {
                throw new IllegalArgumentException("Keystore format does not accept non-empty passwords");
            }
            return;
        }
        try {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(this.dataBytes);
            try {
                DataInputStream dataInputStream = new DataInputStream(byteArrayInputStream);
                try {
                    byte[] bArr = new byte[dataInputStream.readInt()];
                    dataInputStream.readFully(bArr);
                    byte[] bArr2 = new byte[dataInputStream.readInt()];
                    dataInputStream.readFully(bArr2);
                    byte[] bArr3 = new byte[dataInputStream.readInt()];
                    dataInputStream.readFully(bArr3);
                    if (dataInputStream.read() != -1) {
                        throw new SecurityException("Keystore has been corrupted or tampered with");
                    }
                    dataInputStream.close();
                    byteArrayInputStream.close();
                    Cipher createCipher = createCipher(2, cArr, bArr, bArr2);
                    try {
                        byteArrayInputStream = new ByteArrayInputStream(bArr3);
                        try {
                            CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, createCipher);
                            try {
                                dataInputStream = new DataInputStream(cipherInputStream);
                                try {
                                    this.entries.set(new HashMap());
                                    int readInt = dataInputStream.readInt();
                                    while (true) {
                                        int i = readInt;
                                        readInt--;
                                        if (i <= 0) {
                                            break;
                                        }
                                        String readUTF = dataInputStream.readUTF();
                                        if (this.formatVersion == 3) {
                                            dataInputStream.readUTF();
                                        }
                                        byte[] bArr4 = new byte[dataInputStream.readInt()];
                                        dataInputStream.readFully(bArr4);
                                        ((Map) this.entries.get()).put(readUTF, new Entry(bArr4));
                                    }
                                    if (dataInputStream.read() != -1) {
                                        throw new SecurityException("Keystore has been corrupted or tampered with");
                                    }
                                    dataInputStream.close();
                                    cipherInputStream.close();
                                    byteArrayInputStream.close();
                                } finally {
                                }
                            } catch (Throwable th) {
                                try {
                                    cipherInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                                throw th;
                            }
                        } finally {
                            try {
                                byteArrayInputStream.close();
                            } catch (Throwable th3) {
                                th.addSuppressed(th3);
                            }
                        }
                    } catch (IOException e) {
                        if (!(e.getCause() instanceof AEADBadTagException)) {
                            throw new SecurityException("Keystore has been corrupted or tampered with", e);
                        }
                        throw new SecurityException("Provided keystore password was incorrect", e);
                    }
                } finally {
                }
            } finally {
            }
        } catch (EOFException e2) {
            throw new SecurityException("Keystore has been corrupted or tampered with", e2);
        }
    }

    private byte[] encrypt(char[] cArr, byte[] bArr, byte[] bArr2) throws GeneralSecurityException, IOException {
        if (!$assertionsDisabled && !isLoaded()) {
            throw new AssertionError();
        }
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        CipherOutputStream cipherOutputStream = new CipherOutputStream(byteArrayOutputStream, createCipher(1, cArr, bArr, bArr2));
        try {
            DataOutputStream dataOutputStream = new DataOutputStream(cipherOutputStream);
            try {
                dataOutputStream.writeInt(((Map) this.entries.get()).size());
                for (Map.Entry entry : ((Map) this.entries.get()).entrySet()) {
                    dataOutputStream.writeUTF((String) entry.getKey());
                    byte[] bArr3 = ((Entry) entry.getValue()).bytes;
                    dataOutputStream.writeInt(bArr3.length);
                    dataOutputStream.write(bArr3);
                }
                dataOutputStream.close();
                cipherOutputStream.close();
                return byteArrayOutputStream.toByteArray();
            } finally {
            }
        } catch (Throwable th) {
            try {
                cipherOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private void decryptLegacyEntries() throws GeneralSecurityException, IOException {
        byte[] decode;
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        HashMap hashMap = new HashMap();
        DataInputStream dataInputStream = new DataInputStream(new ByteArrayInputStream(this.dataBytes));
        try {
            if (this.formatVersion == 2) {
                int readInt = dataInputStream.readInt();
                for (int i = 0; i < readInt; i++) {
                    hashMap.put(dataInputStream.readUTF(), EntryType.valueOf(dataInputStream.readUTF()));
                }
            }
            keyStore.load(dataInputStream, RemoteClusterAware.LOCAL_CLUSTER_GROUP_KEY.toCharArray());
            dataInputStream.close();
            Enumeration<String> aliases = keyStore.aliases();
            if (this.formatVersion == 1) {
                while (aliases.hasMoreElements()) {
                    hashMap.put(aliases.nextElement(), EntryType.STRING);
                }
            } else {
                HashSet hashSet = new HashSet(hashMap.keySet());
                while (aliases.hasMoreElements()) {
                    if (!hashSet.remove(aliases.nextElement())) {
                        throw new SecurityException("Keystore has been corrupted or tampered with");
                    }
                }
                if (!hashSet.isEmpty()) {
                    throw new SecurityException("Keystore has been corrupted or tampered with");
                }
            }
            this.entries.set(new HashMap());
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBE");
            KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(RemoteClusterAware.LOCAL_CLUSTER_GROUP_KEY.toCharArray());
            for (Map.Entry entry : hashMap.entrySet()) {
                String str = (String) entry.getKey();
                EntryType entryType = (EntryType) entry.getValue();
                PBEKeySpec pBEKeySpec = (PBEKeySpec) secretKeyFactory.getKeySpec(((KeyStore.SecretKeyEntry) keyStore.getEntry(str, passwordProtection)).getSecretKey(), PBEKeySpec.class);
                char[] password = pBEKeySpec.getPassword();
                pBEKeySpec.clearPassword();
                if (entryType == EntryType.STRING) {
                    ByteBuffer encode = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
                    decode = Arrays.copyOfRange(encode.array(), encode.position(), encode.limit());
                    Arrays.fill(encode.array(), (byte) 0);
                } else {
                    if (!$assertionsDisabled && entryType != EntryType.FILE) {
                        throw new AssertionError();
                    }
                    byte[] bArr = new byte[password.length];
                    for (int i2 = 0; i2 < bArr.length; i2++) {
                        bArr[i2] = (byte) password[i2];
                    }
                    decode = Base64.getDecoder().decode(bArr);
                    Arrays.fill(bArr, (byte) 0);
                }
                Arrays.fill(password, (char) 0);
                ((Map) this.entries.get()).put(str, new Entry(decode));
            }
        } catch (Throwable th) {
            try {
                dataInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    public synchronized void save(Path path, char[] cArr) throws Exception {
        ensureOpen();
        try {
            IndexOutput createOutput = EndiannessReverserUtil.createOutput(new NIOFSDirectory(path), "opensearch.keystore.tmp", IOContext.DEFAULT);
            try {
                CodecUtil.writeHeader(createOutput, KEYSTORE_FILENAME, 4);
                createOutput.writeByte(cArr.length == 0 ? (byte) 0 : (byte) 1);
                SecureRandom createSecure = Randomness.createSecure();
                byte[] bArr = new byte[64];
                createSecure.nextBytes(bArr);
                byte[] bArr2 = new byte[12];
                createSecure.nextBytes(bArr2);
                byte[] encrypt = encrypt(cArr, bArr, bArr2);
                createOutput.writeInt(4 + bArr.length + 4 + bArr2.length + 4 + encrypt.length);
                createOutput.writeInt(bArr.length);
                createOutput.writeBytes(bArr, bArr.length);
                createOutput.writeInt(bArr2.length);
                createOutput.writeBytes(bArr2, bArr2.length);
                createOutput.writeInt(encrypt.length);
                createOutput.writeBytes(encrypt, encrypt.length);
                CodecUtil.writeFooter(createOutput);
                if (createOutput != null) {
                    createOutput.close();
                }
                Path keystorePath = keystorePath(path);
                Files.move(path.resolve("opensearch.keystore.tmp"), keystorePath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
                PosixFileAttributeView posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(keystorePath, PosixFileAttributeView.class, new LinkOption[0]);
                if (posixFileAttributeView != null) {
                    posixFileAttributeView.setPermissions(PosixFilePermissions.fromString("rw-rw----"));
                }
            } finally {
            }
        } catch (AccessDeniedException e) {
            throw new UserException(78, String.format(Locale.ROOT, "unable to create temporary keystore at [%s], write permissions required for [%s] or run [opensearch-keystore upgrade]", path.resolve("opensearch.keystore.tmp"), path), e);
        }
    }

    @Override // org.opensearch.common.settings.SecureSettings
    public Set<String> getSettingNames() {
        if ($assertionsDisabled || this.entries.get() != null) {
            return ((Map) this.entries.get()).keySet();
        }
        throw new AssertionError("Keystore is not loaded");
    }

    @Override // org.opensearch.common.settings.SecureSettings
    public synchronized SecureString getString(String str) {
        ensureOpen();
        CharBuffer decode = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(((Entry) ((Map) this.entries.get()).get(str)).bytes));
        return new SecureString(Arrays.copyOfRange(decode.array(), decode.position(), decode.limit()));
    }

    @Override // org.opensearch.common.settings.SecureSettings
    public synchronized InputStream getFile(String str) {
        ensureOpen();
        return new ByteArrayInputStream(((Entry) ((Map) this.entries.get()).get(str)).bytes);
    }

    @Override // org.opensearch.common.settings.SecureSettings
    public byte[] getSHA256Digest(String str) {
        if ($assertionsDisabled || this.entries.get() != null) {
            return ((Entry) ((Map) this.entries.get()).get(str)).sha256Digest;
        }
        throw new AssertionError("Keystore is not loaded");
    }

    public static void validateSettingName(String str) {
        if (!ALLOWED_SETTING_NAME.matcher(str).matches()) {
            throw new IllegalArgumentException("Setting name [" + str + "] does not match the allowed setting name pattern [" + ALLOWED_SETTING_NAME.pattern() + "]");
        }
    }

    synchronized void setString(String str, char[] cArr) {
        ensureOpen();
        validateSettingName(str);
        ByteBuffer encode = StandardCharsets.UTF_8.encode(CharBuffer.wrap(cArr));
        Entry entry = (Entry) ((Map) this.entries.get()).put(str, new Entry(Arrays.copyOfRange(encode.array(), encode.position(), encode.limit())));
        if (entry != null) {
            Arrays.fill(entry.bytes, (byte) 0);
        }
    }

    synchronized void setFile(String str, byte[] bArr) {
        ensureOpen();
        validateSettingName(str);
        Entry entry = (Entry) ((Map) this.entries.get()).put(str, new Entry(Arrays.copyOf(bArr, bArr.length)));
        if (entry != null) {
            Arrays.fill(entry.bytes, (byte) 0);
        }
    }

    void remove(String str) {
        ensureOpen();
        Entry entry = (Entry) ((Map) this.entries.get()).remove(str);
        if (entry != null) {
            Arrays.fill(entry.bytes, (byte) 0);
        }
    }

    private void ensureOpen() {
        if (this.closed) {
            throw new IllegalStateException("Keystore is closed");
        }
        if (!$assertionsDisabled && !isLoaded()) {
            throw new AssertionError("Keystore is not loaded");
        }
    }

    @Override // org.opensearch.common.settings.SecureSettings, java.io.Closeable, java.lang.AutoCloseable
    public synchronized void close() {
        this.closed = true;
        if (null == this.entries.get() || ((Map) this.entries.get()).isEmpty()) {
            return;
        }
        Iterator it = ((Map) this.entries.get()).values().iterator();
        while (it.hasNext()) {
            Arrays.fill(((Entry) it.next()).bytes, (byte) 0);
        }
    }

    static {
        $assertionsDisabled = !KeyStoreWrapper.class.desiredAssertionStatus();
        ALLOWED_SETTING_NAME = Pattern.compile("[A-Za-z0-9_\\-.]+");
        SEED_SETTING = SecureSetting.secureString("keystore.seed", null, new Setting.Property[0]);
        SEED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789~!@#$%^&*-_=+?".toCharArray();
    }
}
