package org.elasticsearch.common.settings;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.DestroyFailedException;
import org.apache.lucene.codecs.CodecUtil;
import org.apache.lucene.store.BufferedChecksumIndexInput;
import org.apache.lucene.store.IOContext;
import org.apache.lucene.store.IndexInput;
import org.apache.lucene.store.IndexOutput;
import org.apache.lucene.store.SimpleFSDirectory;
import org.apache.lucene.util.SetOnce;

/* loaded from: input_file:BOOT-INF/lib/elasticsearch-5.6.12.jar:org/elasticsearch/common/settings/KeyStoreWrapper.class */
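/**
 * Password-protected store for secure settings, persisted as {@code elasticsearch.keystore}.
 *
 * <p>On disk the file is a Lucene codec container: header, a has-password flag, the
 * {@link KeyStore} type, the key-factory algorithm names, a map of setting name to
 * {@link KeyType} (format version 2 and later), the serialized keystore bytes, and a
 * checksum footer.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The codec footer is a checksum, not a keyed MAC, so it catches corruption rather than
 *       deliberate modification. The setting-name map sits outside the encrypted keystore,
 *       which is why {@link #decrypt(char[])} cross-checks it against the keystore aliases.</li>
 *   <li>A keystore created with an empty password ({@link #hasPassword()} is {@code false})
 *       can be opened by anyone who can read the file; its confidentiality rests on the file
 *       permissions applied by {@link #save(Path)}.</li>
 *   <li>This class is decompiled output. Members noted as "package-private in the compiled
 *       class" were widened to {@code public} by the decompiler.</li>
 * </ul>
 */
public class KeyStoreWrapper implements SecureSettings {
    private static final String KEYSTORE_FILENAME = "elasticsearch.keystore";
    private static final int FORMAT_VERSION = 2;
    private static final int MIN_FORMAT_VERSION = 1;
    private static final String NEW_KEYSTORE_TYPE = "PKCS12";
    private static final String NEW_KEYSTORE_STRING_KEY_ALGO = "PBE";
    private static final String NEW_KEYSTORE_FILE_KEY_ALGO = "PBE";
    // CharsetEncoder instances are not thread-safe, so setString must not run concurrently.
    private static final CharsetEncoder ASCII_ENCODER = StandardCharsets.US_ASCII.newEncoder();

    private final int formatVersion;
    private final boolean hasPassword;
    private final String type;
    private final SecretKeyFactory stringFactory;
    private final SecretKeyFactory fileFactory;
    private final Map<String, KeyType> settingTypes;
    // Serialized keystore as read from disk; wiped by decrypt(). Null for a wrapper from create().
    private final byte[] keystoreBytes;
    private final SetOnce<KeyStore> keystore = new SetOnce<>();
    private final SetOnce<KeyStore.PasswordProtection> keystorePassword = new SetOnce<>();

    /** Kind of value stored under a setting name. Private in the compiled class. */
    public enum KeyType {
        STRING,
        FILE
    }

    /**
     * Builds a wrapper from already-parsed header fields.
     *
     * @throws RuntimeException wrapping {@link NoSuchAlgorithmException} if either key-factory
     *     algorithm is not available from the installed security providers
     */
    private KeyStoreWrapper(int formatVersion, boolean hasPassword, String type, String stringKeyAlgo,
                            String fileKeyAlgo, Map<String, KeyType> settingTypes, byte[] keystoreBytes) {
        this.formatVersion = formatVersion;
        this.hasPassword = hasPassword;
        this.type = type;
        this.settingTypes = settingTypes;
        this.keystoreBytes = keystoreBytes;
        try {
            this.stringFactory = SecretKeyFactory.getInstance(stringKeyAlgo);
            this.fileFactory = SecretKeyFactory.getInstance(fileKeyAlgo);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns the keystore file location inside {@code configDir}. Package-private in the compiled class. */
    public static Path keystorePath(Path configDir) {
        return configDir.resolve(KEYSTORE_FILENAME);
    }

    /**
     * Creates a new, empty, already-usable keystore protected by {@code password}.
     * Package-private in the compiled class.
     *
     * <p>The password is copied by {@link KeyStore.PasswordProtection}; the caller's array is
     * not wiped here and remains the caller's responsibility.
     *
     * @param password keystore password; an empty array means "no password"
     */
    public static KeyStoreWrapper create(char[] password) throws Exception {
        KeyStoreWrapper wrapper = new KeyStoreWrapper(FORMAT_VERSION, password.length != 0, NEW_KEYSTORE_TYPE,
            NEW_KEYSTORE_STRING_KEY_ALGO, NEW_KEYSTORE_FILE_KEY_ALGO, new HashMap<>(), null);
        KeyStore store = KeyStore.getInstance(NEW_KEYSTORE_TYPE);
        store.load(null, null);
        wrapper.keystore.set(store);
        wrapper.keystorePassword.set(new KeyStore.PasswordProtection(password));
        return wrapper;
    }

    /**
     * Reads the keystore file from {@code configDir} without decrypting it.
     *
     * @return the wrapper, or {@code null} if no keystore file exists
     * @throws IOException if the file cannot be read or fails the header/footer checks
     * @throws IllegalStateException if the has-password flag or the keystore length is not a
     *     valid value
     */
    public static KeyStoreWrapper load(Path configDir) throws IOException {
        if (!Files.exists(keystorePath(configDir))) {
            return null;
        }
        SimpleFSDirectory directory = new SimpleFSDirectory(configDir);
        try (IndexInput rawInput = directory.openInput(KEYSTORE_FILENAME, IOContext.READONCE)) {
            BufferedChecksumIndexInput input = new BufferedChecksumIndexInput(rawInput);
            int version = CodecUtil.checkHeader(input, KEYSTORE_FILENAME, MIN_FORMAT_VERSION, FORMAT_VERSION);
            byte passwordFlag = input.readByte();
            boolean passwordProtected = passwordFlag == 1;
            if (!passwordProtected && passwordFlag != 0) {
                throw new IllegalStateException("hasPassword boolean is corrupt: "
                    + String.format(Locale.ROOT, "%02x", passwordFlag));
            }
            String keystoreType = input.readString();
            String stringKeyAlgo = input.readString();
            // Format version 1 stored neither a file-key algorithm nor the setting-type map.
            String fileKeyAlgo = version >= 2 ? input.readString() : NEW_KEYSTORE_FILE_KEY_ALGO;
            Map<String, KeyType> types;
            if (version >= 2) {
                types = input.readMapOfStrings().entrySet().stream()
                    .collect(Collectors.toMap(Map.Entry::getKey, e -> KeyType.valueOf(e.getValue())));
            } else {
                types = new HashMap<>();
            }
            // The length is read before the footer checksum is verified, so reject an impossible
            // value explicitly instead of failing inside the array allocation.
            int length = input.readInt();
            if (length < 0) {
                throw new IllegalStateException("keystore length is corrupt: " + length);
            }
            byte[] bytes = new byte[length];
            input.readBytes(bytes, 0, bytes.length);
            CodecUtil.checkFooter(input);
            return new KeyStoreWrapper(version, passwordProtected, keystoreType, stringKeyAlgo, fileKeyAlgo, types, bytes);
        }
    }

    /** Returns {@code true} once a {@link KeyStore} instance has been attached (by create or decrypt). */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public boolean isLoaded() {
        return this.keystore.get() != null;
    }

    /** Returns whether the keystore was written with a non-empty password. */
    public boolean hasPassword() {
        return this.hasPassword;
    }

    /**
     * Decrypts the keystore bytes read by {@link #load(Path)} and validates the setting names.
     *
     * <p>On success the caller's {@code password} array is zeroed. On failure it is left
     * untouched, so the caller should wipe it. Either way the in-memory keystore bytes are wiped
     * and the {@link KeyStore} slot is already taken, so a failed call cannot be retried on this
     * instance (and {@link #isLoaded()} reports {@code true}); load a fresh wrapper instead.
     *
     * @throws IllegalStateException if a keystore is already attached
     * @throws SecurityException if the keystore aliases do not match the stored setting names
     * @throws GeneralSecurityException if the keystore type is unavailable or loading fails
     * @throws IOException if the keystore data cannot be read, e.g. because of a wrong password
     */
    public void decrypt(char[] password) throws GeneralSecurityException, IOException {
        if (this.keystore.get() != null) {
            throw new IllegalStateException("Keystore has already been decrypted");
        }
        this.keystore.set(KeyStore.getInstance(this.type));
        try (InputStream in = new ByteArrayInputStream(this.keystoreBytes)) {
            this.keystore.get().load(in, password);
        } finally {
            Arrays.fill(this.keystoreBytes, (byte) 0);
        }

        // PasswordProtection keeps its own copy, so the caller's array can be wiped now.
        this.keystorePassword.set(new KeyStore.PasswordProtection(password));
        Arrays.fill(password, '\0');

        Enumeration<String> aliases = this.keystore.get().aliases();
        if (this.formatVersion == 1) {
            // Version 1 had no type map: every entry is a string setting.
            while (aliases.hasMoreElements()) {
                this.settingTypes.put(aliases.nextElement(), KeyType.STRING);
            }
            return;
        }
        // The type map lives outside the encrypted keystore, so it must name exactly the
        // aliases found inside it; any extra or missing name is treated as tampering.
        Set<String> expected = new HashSet<>(this.settingTypes.keySet());
        while (aliases.hasMoreElements()) {
            if (!expected.remove(aliases.nextElement())) {
                throw new SecurityException("Keystore has been corrupted or tampered with");
            }
        }
        if (!expected.isEmpty()) {
            throw new SecurityException("Keystore has been corrupted or tampered with");
        }
    }

    /**
     * Writes the keystore to {@code configDir}, replacing any existing file atomically.
     * Package-private in the compiled class.
     *
     * <p>The data is written to a temporary file that is restricted to owner and group before
     * any keystore bytes are written, then moved over the real file. If anything fails after
     * the temporary file was created, it is deleted again.
     */
    public void save(Path configDir) throws Exception {
        // getPassword() returns PasswordProtection's internal array, not a copy: never zero it here.
        char[] password = this.keystorePassword.get().getPassword();
        String tmpFileName = KEYSTORE_FILENAME + ".tmp";
        Path tmpPath = configDir.resolve(tmpFileName);
        SimpleFSDirectory directory = new SimpleFSDirectory(configDir);
        // Created outside the try so that cleanup only ever removes a file this call created.
        IndexOutput created = directory.createOutput(tmpFileName, IOContext.DEFAULT);
        try {
            try (IndexOutput output = created) {
                restrictPermissions(tmpPath);
                CodecUtil.writeHeader(output, KEYSTORE_FILENAME, FORMAT_VERSION);
                output.writeByte(password.length == 0 ? (byte) 0 : (byte) 1);
                output.writeString(NEW_KEYSTORE_TYPE);
                output.writeString(NEW_KEYSTORE_STRING_KEY_ALGO);
                output.writeString(NEW_KEYSTORE_FILE_KEY_ALGO);
                Map<String, String> typeNames = this.settingTypes.entrySet().stream()
                    .collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().name()));
                output.writeMapOfStrings(typeNames);

                // The header above always advertises the current type and algorithms, so the
                // in-memory keystore must actually use them.
                assert this.type.equals(NEW_KEYSTORE_TYPE) : "keystore type changed";
                assert this.stringFactory.getAlgorithm().equals(NEW_KEYSTORE_STRING_KEY_ALGO) : "string pbe algo changed";
                assert this.fileFactory.getAlgorithm().equals(NEW_KEYSTORE_FILE_KEY_ALGO) : "file pbe algo changed";

                ByteArrayOutputStream keystoreBytesStream = new ByteArrayOutputStream();
                this.keystore.get().store(keystoreBytesStream, password);
                byte[] serialized = keystoreBytesStream.toByteArray();
                output.writeInt(serialized.length);
                output.writeBytes(serialized, serialized.length);
                CodecUtil.writeFooter(output);
            }
            Path keystoreFile = keystorePath(configDir);
            Files.move(tmpPath, keystoreFile, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
            restrictPermissions(keystoreFile);
        } catch (Throwable failure) {
            try {
                Files.deleteIfExists(tmpPath);
            } catch (IOException cleanupFailure) {
                failure.addSuppressed(cleanupFailure);
            }
            throw failure;
        }
    }

    /** Sets {@code rw-rw----} on {@code file} where the filesystem supports POSIX permissions. */
    private static void restrictPermissions(Path file) throws IOException {
        PosixFileAttributeView attrs = Files.getFileAttributeView(file, PosixFileAttributeView.class);
        if (attrs != null) {
            attrs.setPermissions(PosixFilePermissions.fromString("rw-rw----"));
        }
    }

    /** Returns the live key set of the setting-type map; callers should treat it as read-only. */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public Set<String> getSettingNames() {
        return this.settingTypes.keySet();
    }

    /**
     * Returns the string value stored under {@code setting}.
     *
     * @throws IllegalStateException if the setting is not recorded as a string or the entry is
     *     not a secret-key entry
     */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public SecureString getString(String setting) throws GeneralSecurityException {
        KeyStore.Entry entry = this.keystore.get().getEntry(setting, this.keystorePassword.get());
        if (this.settingTypes.get(setting) != KeyType.STRING || !(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("Secret setting " + setting + " is not a string");
        }
        KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) entry;
        PBEKeySpec keySpec = (PBEKeySpec) this.stringFactory.getKeySpec(secretKeyEntry.getSecretKey(), PBEKeySpec.class);
        // getPassword() returns a copy, which is handed to the SecureString; the spec's own
        // copy is cleared straight away.
        SecureString value = new SecureString(keySpec.getPassword());
        keySpec.clearPassword();
        return value;
    }

    /**
     * Returns a stream over the file contents stored under {@code setting}. Closing the stream
     * wipes the backing buffer, so callers should always close it.
     *
     * @throws IllegalStateException if the setting is not recorded as a file or the entry is
     *     not a secret-key entry
     */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public InputStream getFile(String setting) throws GeneralSecurityException {
        KeyStore.Entry entry = this.keystore.get().getEntry(setting, this.keystorePassword.get());
        if (this.settingTypes.get(setting) != KeyType.FILE || !(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("Secret setting " + setting + " is not a file");
        }
        KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) entry;
        PBEKeySpec keySpec = (PBEKeySpec) this.fileFactory.getKeySpec(secretKeyEntry.getSecretKey(), PBEKeySpec.class);
        // File contents are stored as base64 text, one char per encoded byte (see setFile).
        char[] encodedChars = keySpec.getPassword();
        final byte[] encodedBytes = new byte[encodedChars.length];
        for (int i = 0; i < encodedBytes.length; i++) {
            encodedBytes[i] = (byte) encodedChars[i];
        }
        // getPassword() returned a copy; wipe it as well as the spec's own array.
        Arrays.fill(encodedChars, '\0');
        keySpec.clearPassword();
        InputStream wipingStream = new ByteArrayInputStream(encodedBytes) {
            @Override
            public void close() throws IOException {
                super.close();
                Arrays.fill(encodedBytes, (byte) 0);
            }
        };
        return Base64.getDecoder().wrap(wipingStream);
    }

    /**
     * Stores an ASCII string value under {@code setting}. Package-private in the compiled class.
     * The caller's {@code value} array is not wiped here.
     *
     * @throws IllegalArgumentException if {@code value} contains non-ASCII characters
     */
    public void setString(String setting, char[] value) throws GeneralSecurityException {
        if (!ASCII_ENCODER.canEncode(CharBuffer.wrap(value))) {
            throw new IllegalArgumentException("Value must be ascii");
        }
        PBEKeySpec keySpec = new PBEKeySpec(value);
        try {
            KeyStore.Entry entry = new KeyStore.SecretKeyEntry(this.stringFactory.generateSecret(keySpec));
            this.keystore.get().setEntry(setting, entry, this.keystorePassword.get());
        } finally {
            // The spec holds its own copy of the value; do not leave it for the garbage collector.
            keySpec.clearPassword();
        }
        this.settingTypes.put(setting, KeyType.STRING);
    }

    /**
     * Stores file contents under {@code setting}, base64-encoded so they fit the ASCII-only
     * PBE key representation. Package-private in the compiled class. The caller's
     * {@code bytes} array is not wiped here.
     */
    public void setFile(String setting, byte[] bytes) throws GeneralSecurityException {
        byte[] encoded = Base64.getEncoder().encode(bytes);
        char[] chars = new char[encoded.length];
        for (int i = 0; i < chars.length; i++) {
            chars[i] = (char) encoded[i];
        }
        PBEKeySpec keySpec = new PBEKeySpec(chars);
        try {
            // Uses fileFactory so that writing mirrors getFile, which reads with fileFactory.
            // save() asserts that both factories use the same algorithm.
            KeyStore.Entry entry = new KeyStore.SecretKeyEntry(this.fileFactory.generateSecret(keySpec));
            this.keystore.get().setEntry(setting, entry, this.keystorePassword.get());
        } finally {
            // Wipe every intermediate copy of the (encoded) secret made by this method.
            keySpec.clearPassword();
            Arrays.fill(chars, '\0');
            Arrays.fill(encoded, (byte) 0);
        }
        this.settingTypes.put(setting, KeyType.FILE);
    }

    /** Deletes {@code setting} from the keystore and the type map. Package-private in the compiled class. */
    public void remove(String setting) throws KeyStoreException {
        this.keystore.get().deleteEntry(setting);
        this.settingTypes.remove(setting);
    }

    /**
     * Destroys the in-memory keystore password, if one was set.
     *
     * @throws IOException wrapping {@link DestroyFailedException} if the password cannot be destroyed
     */
    @Override // org.elasticsearch.common.settings.SecureSettings, java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        try {
            if (this.keystorePassword.get() != null) {
                this.keystorePassword.get().destroy();
            }
        } catch (DestroyFailedException e) {
            throw new IOException(e);
        }
    }
}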
