package org.elasticsearch.common.settings;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import oracle.net.nt.CustomSSLSocketFactory;
import org.apache.lucene.codecs.CodecUtil;
import org.apache.lucene.store.BufferedChecksumIndexInput;
import org.apache.lucene.store.IOContext;
import org.apache.lucene.store.IndexInput;
import org.apache.lucene.store.IndexOutput;
import org.apache.lucene.store.SimpleFSDirectory;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.Randomness;
import org.elasticsearch.common.settings.Setting;

/* loaded from: input_file:BOOT-INF/lib/elasticsearch-6.4.3.jar:org/elasticsearch/common/settings/KeyStoreWrapper.class */
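/**
 * In-memory view of the {@code elasticsearch.keystore} file that holds secure settings.
 *
 * <p>Format version 3 (the only version {@link #save} writes) stores the entries encrypted with
 * AES/GCM/NoPadding under a 128-bit key derived from the keystore password with
 * PBKDF2WithHmacSHA512; the salt is also bound to the ciphertext as GCM associated data.
 * Format versions 1 and 2 are read-only legacy layouts wrapping a key store that is opened with
 * an empty password (see {@link #decryptLegacyEntries()}).
 *
 * <p>Secret material is kept in {@code byte[]}/{@code char[]} buffers that are zeroed when an
 * entry is replaced, removed, or the wrapper is closed.
 *
 * <p>NOTE(review): this listing is decompiler output. {@link #decrypt(char[])} was not
 * recovered, and the {@code $assertionsDisabled} / {@code $closeResource} members are the
 * compiler's lowering of {@code assert} and try-with-resources rather than hand-written code.
 */
public class KeyStoreWrapper implements SecureSettings {
    /** Pattern every setting name must match; assigned in the static initializer. */
    private static final Pattern ALLOWED_SETTING_NAME;
    /** The {@code keystore.seed} secure setting populated by {@link #addBootstrapSeed}. */
    public static final Setting<SecureString> SEED_SETTING;
    /** Alphabet the bootstrap seed characters are drawn from. */
    private static final char[] SEED_CHARS;
    private static final String KEYSTORE_FILENAME = "elasticsearch.keystore";
    /** Format version written by {@link #save}. */
    private static final int FORMAT_VERSION = 3;
    /** Oldest format version {@link #load} accepts. */
    private static final int MIN_FORMAT_VERSION = 1;
    private static final String KDF_ALGO = "PBKDF2WithHmacSHA512";
    // NOTE(review): 10000 PBKDF2 iterations is low by current password-hashing guidance. The
    // count is not written to the file by save(), so raising it would have to be tied to a new
    // format version to keep existing keystores readable.
    private static final int KDF_ITERS = 10000;
    private static final int CIPHER_KEY_BITS = 128;
    private static final int GCM_TAG_BITS = 128;
    private static final String CIPHER_ALGO = "AES";
    private static final String CIPHER_MODE = "GCM";
    private static final String CIPHER_PADDING = "NoPadding";
    /** Format version read from the file header, or {@link #FORMAT_VERSION} for a new keystore. */
    private final int formatVersion;
    /** Value of the password flag byte stored (unencrypted) after the file header. */
    private final boolean hasPassword;
    /** Raw, still-encrypted payload read by {@link #load}; {@code null} for a new keystore. */
    private final byte[] dataBytes;
    /** Decrypted entries by setting name; unset until the keystore is created or decrypted. */
    private final SetOnce<Map<String, Entry>> entries = new SetOnce<>();
    private volatile boolean closed;
    // Decompiler rendering of the flag javac generates for `assert` statements.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/elasticsearch-6.4.3.jar:org/elasticsearch/common/settings/KeyStoreWrapper$Entry.class */
    /** A single decrypted secret together with its kind. */
    public static class Entry {
        final EntryType type;
        // Plaintext secret. The array is stored by reference (no defensive copy) so that the
        // owner can zero it in place when the entry is discarded.
        final byte[] bytes;

        Entry(EntryType entryType, byte[] bArr) {
            this.type = entryType;
            this.bytes = bArr;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/elasticsearch-6.4.3.jar:org/elasticsearch/common/settings/KeyStoreWrapper$EntryType.class */
    /** Kind of value held by an {@link Entry}. */
    public enum EntryType {
        STRING,
        FILE
    }

    private KeyStoreWrapper(int i, boolean z, byte[] bArr) {
        this.formatVersion = i;
        this.hasPassword = z;
        this.dataBytes = bArr;
    }

    /** Returns the format version this wrapper was created or loaded with. */
    public int getFormatVersion() {
        return this.formatVersion;
    }

    /**
     * Returns the keystore file location inside the given directory.
     *
     * @param path directory that contains (or will contain) the keystore
     */
    public static Path keystorePath(Path path) {
        return path.resolve(KEYSTORE_FILENAME);
    }

    /**
     * Creates an empty, already-loaded keystore in the current format without a password flag
     * and seeds it with a fresh bootstrap seed.
     */
    public static KeyStoreWrapper create() {
        KeyStoreWrapper keyStoreWrapper = new KeyStoreWrapper(FORMAT_VERSION, false, null);
        keyStoreWrapper.entries.set(new HashMap<>());
        addBootstrapSeed(keyStoreWrapper);
        return keyStoreWrapper;
    }

    /**
     * Stores a new random 20-character value under {@link #SEED_SETTING}.
     *
     * <p>The characters come from a {@link SecureRandom}; the temporary buffer is zeroed once
     * the value has been handed to the keystore, including when storing it fails.
     *
     * @param keyStoreWrapper a loaded keystore that does not yet contain the seed setting
     */
    public static void addBootstrapSeed(KeyStoreWrapper keyStoreWrapper) {
        if (!$assertionsDisabled && keyStoreWrapper.getSettingNames().contains(SEED_SETTING.getKey())) {
            throw new AssertionError();
        }
        SecureRandom random = Randomness.createSecure();
        char[] seed = new char[20];
        try {
            for (int i = 0; i < seed.length; i++) {
                seed[i] = SEED_CHARS[random.nextInt(SEED_CHARS.length)];
            }
            keyStoreWrapper.setString(SEED_SETTING.getKey(), seed);
        } finally {
            // setString keeps its own encoded copy, so this buffer must not outlive the call.
            Arrays.fill(seed, (char) 0);
        }
    }

    /**
     * Reads the keystore file from the given directory without decrypting it.
     *
     * <p>The header, the password flag and the legacy algorithm names are validated, the
     * encrypted payload is buffered, and the checksum footer is verified. The returned wrapper
     * is not loaded: {@link #decrypt(char[])} has to be called before entries can be read.
     *
     * @param path directory that contains the keystore file
     * @return the wrapper, or {@code null} if no keystore file exists
     * @throws IOException if the file cannot be read or fails header/footer validation
     * @throws IllegalStateException if a field of the file holds an unexpected value
     */
    public static KeyStoreWrapper load(Path path) throws IOException {
        if (!Files.exists(keystorePath(path))) {
            return null;
        }
        try (IndexInput openInput = new SimpleFSDirectory(path).openInput(KEYSTORE_FILENAME, IOContext.READONCE)) {
            BufferedChecksumIndexInput input = new BufferedChecksumIndexInput(openInput);
            int version = CodecUtil.checkHeader(input, KEYSTORE_FILENAME, MIN_FORMAT_VERSION, FORMAT_VERSION);
            byte passwordFlag = input.readByte();
            boolean passwordProtected = passwordFlag == 1;
            if (!passwordProtected && passwordFlag != 0) {
                throw new IllegalStateException("hasPassword boolean is corrupt: " + String.format(Locale.ROOT, "%02x", Byte.valueOf(passwordFlag)));
            }
            if (version <= 2) {
                // NOTE(review): the reference to an Oracle JDBC class looks like a decompiler
                // constant-matching artifact; the expected value is presumably the key store
                // type string "PKCS12" - confirm against the original source.
                if (!input.readString().equals(CustomSSLSocketFactory.PKCS12_WALLET_TYPE)) {
                    throw new IllegalStateException("Corrupted legacy keystore string encryption algorithm");
                }
                if (!input.readString().equals("PBE")) {
                    throw new IllegalStateException("Corrupted legacy keystore string encryption algorithm");
                }
                if (version == 2 && !input.readString().equals("PBE")) {
                    throw new IllegalStateException("Corrupted legacy keystore file encryption algorithm");
                }
            }
            byte[] data;
            if (version == 2) {
                // Version 2 keeps the name -> type map outside the key store. Re-serialize it in
                // front of the key store bytes so decryptLegacyEntries() can read both from one
                // buffer.
                Map<String, String> settingTypes = input.readMapOfStrings();
                ByteArrayOutputStream buffer = new ByteArrayOutputStream();
                try (DataOutputStream output = new DataOutputStream(buffer)) {
                    output.writeInt(settingTypes.size());
                    for (Map.Entry<String, String> settingType : settingTypes.entrySet()) {
                        output.writeUTF(settingType.getKey());
                        output.writeUTF(settingType.getValue());
                    }
                    output.write(readLengthPrefixedBytes(input, openInput.length()));
                }
                data = buffer.toByteArray();
            } else {
                data = readLengthPrefixedBytes(input, openInput.length());
            }
            CodecUtil.checkFooter(input);
            return new KeyStoreWrapper(version, passwordProtected, data);
        }
    }

    /**
     * Reads an {@code int} length followed by that many bytes.
     *
     * <p>The length comes from the file and is consumed before the checksum footer has been
     * verified, so it is bounds-checked against the file size instead of being trusted as an
     * allocation size.
     */
    private static byte[] readLengthPrefixedBytes(BufferedChecksumIndexInput input, long fileLength) throws IOException {
        int length = input.readInt();
        if (length < 0 || length > fileLength) {
            throw new IllegalStateException("keystore data length is corrupt: " + length);
        }
        byte[] bytes = new byte[length];
        input.readBytes(bytes, 0, length);
        return bytes;
    }

    /**
     * Adds the bootstrap seed to a keystore that lacks it and writes the keystore back.
     *
     * @param keyStoreWrapper loaded keystore to upgrade
     * @param path            directory the keystore is saved to
     * @param cArr            keystore password used for re-encryption
     * @throws Exception if saving fails
     */
    public static void upgrade(KeyStoreWrapper keyStoreWrapper, Path path, char[] cArr) throws Exception {
        if (keyStoreWrapper.getSettingNames().contains(SEED_SETTING.getKey())) {
            return;
        }
        addBootstrapSeed(keyStoreWrapper);
        keyStoreWrapper.save(path, cArr);
    }

    /** Returns whether the decrypted entries are available. */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public boolean isLoaded() {
        return this.entries.get() != null;
    }

    /**
     * Returns the password flag read from the file. {@link #save} writes this flag as 0 when the
     * supplied password is empty; in that case the key is derived from an empty password and the
     * salt stored in the file, so confidentiality rests on file permissions alone.
     */
    public boolean hasPassword() {
        return this.hasPassword;
    }

    /**
     * Builds an initialized AES/GCM cipher keyed from the password.
     *
     * @param i     cipher operation mode, e.g. {@link Cipher#ENCRYPT_MODE}
     * @param cArr  keystore password fed to the key derivation function
     * @param bArr  salt for the key derivation; also supplied as GCM associated data
     * @param bArr2 GCM initialization vector
     * @throws GeneralSecurityException if an algorithm is unavailable or initialization fails
     */
    private Cipher createCipher(int i, char[] cArr, byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        PBEKeySpec keySpec = new PBEKeySpec(cArr, bArr, KDF_ITERS, CIPHER_KEY_BITS);
        byte[] derivedKey = SecretKeyFactory.getInstance(KDF_ALGO).generateSecret(keySpec).getEncoded();
        SecretKeySpec secretKeySpec = new SecretKeySpec(derivedKey, CIPHER_ALGO);
        GCMParameterSpec gcmSpec = new GCMParameterSpec(GCM_TAG_BITS, bArr2);
        Cipher cipher = Cipher.getInstance(CIPHER_ALGO + "/" + CIPHER_MODE + "/" + CIPHER_PADDING);
        cipher.init(i, secretKeySpec, gcmSpec);
        // Authenticating the salt means a swapped or modified salt fails the tag check.
        cipher.updateAAD(bArr);
        return cipher;
    }

    /*
        JADX could not decompile this method (type inference failures; 514 instructions skipped).
        Re-run the decompiler with '--show-bad-code' or '--comments-level debug' to inspect it.
        NOTE(review): as listed here the method always throws, so a wrapper returned by load()
        can never become loaded from this source alone. It presumably decrypts dataBytes into
        entries - confirm against the original source before relying on this file.
    */
    public void decrypt(char[] r8) throws java.security.GeneralSecurityException, java.io.IOException {
        throw new UnsupportedOperationException("Method not decompiled: org.elasticsearch.common.settings.KeyStoreWrapper.decrypt(char[]):void");
    }

    /**
     * Serializes all entries and encrypts them with AES/GCM.
     *
     * <p>Plaintext layout: entry count, then for each entry its name, its type name, the value
     * length and the value bytes.
     *
     * @param cArr  keystore password
     * @param bArr  key-derivation salt
     * @param bArr2 GCM initialization vector
     * @return the ciphertext including the GCM tag
     */
    private byte[] encrypt(char[] cArr, byte[] bArr, byte[] bArr2) throws GeneralSecurityException, IOException {
        if (!$assertionsDisabled && !isLoaded()) {
            throw new AssertionError();
        }
        ByteArrayOutputStream ciphertext = new ByteArrayOutputStream();
        Cipher cipher = createCipher(Cipher.ENCRYPT_MODE, cArr, bArr, bArr2);
        try (CipherOutputStream cipherStream = new CipherOutputStream(ciphertext, cipher);
             DataOutputStream output = new DataOutputStream(cipherStream)) {
            Map<String, Entry> loaded = this.entries.get();
            output.writeInt(loaded.size());
            for (Map.Entry<String, Entry> mapEntry : loaded.entrySet()) {
                output.writeUTF(mapEntry.getKey());
                Entry value = mapEntry.getValue();
                output.writeUTF(value.type.name());
                output.writeInt(value.bytes.length);
                output.write(value.bytes);
            }
        }
        // Read the buffer only after the streams are closed: closing the cipher stream is what
        // finalizes the cipher and appends the authentication tag.
        return ciphertext.toByteArray();
    }

    /**
     * Populates {@link #entries} from a format version 1 or 2 payload.
     *
     * <p>The payload is a key store opened with an empty password, so these legacy formats give
     * no password protection. For version 2 the set of aliases in the key store must equal the
     * set of names in the separately stored type map; any difference is treated as tampering.
     *
     * @throws SecurityException if the aliases and the type map disagree
     */
    private void decryptLegacyEntries() throws GeneralSecurityException, IOException {
        // NOTE(review): Oracle JDBC constant is presumably a decompiler stand-in for "PKCS12".
        KeyStore keyStore = KeyStore.getInstance(CustomSSLSocketFactory.PKCS12_WALLET_TYPE);
        Map<String, EntryType> settingTypes = new HashMap<>();
        try (DataInputStream input = new DataInputStream(new ByteArrayInputStream(this.dataBytes))) {
            if (this.formatVersion == 2) {
                int count = input.readInt();
                for (int i = 0; i < count; i++) {
                    String name = input.readUTF();
                    settingTypes.put(name, EntryType.valueOf(input.readUTF()));
                }
            }
            keyStore.load(input, "".toCharArray());
        }
        Enumeration<String> aliases = keyStore.aliases();
        if (this.formatVersion == 1) {
            // Version 1 has no type map: every alias is a string setting.
            while (aliases.hasMoreElements()) {
                settingTypes.put(aliases.nextElement(), EntryType.STRING);
            }
        } else {
            Set<String> unmatched = new HashSet<>(settingTypes.keySet());
            while (aliases.hasMoreElements()) {
                if (!unmatched.remove(aliases.nextElement())) {
                    throw new SecurityException("Keystore has been corrupted or tampered with");
                }
            }
            if (!unmatched.isEmpty()) {
                throw new SecurityException("Keystore has been corrupted or tampered with");
            }
        }
        this.entries.set(new HashMap<>());
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBE");
        KeyStore.PasswordProtection noPassword = new KeyStore.PasswordProtection("".toCharArray());
        for (Map.Entry<String, EntryType> setting : settingTypes.entrySet()) {
            String name = setting.getKey();
            EntryType entryType = setting.getValue();
            KeyStore.SecretKeyEntry secretEntry = (KeyStore.SecretKeyEntry) keyStore.getEntry(name, noPassword);
            PBEKeySpec keySpec = (PBEKeySpec) keyFactory.getKeySpec(secretEntry.getSecretKey(), PBEKeySpec.class);
            char[] chars = keySpec.getPassword();
            keySpec.clearPassword();
            byte[] value;
            if (entryType == EntryType.STRING) {
                ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
                value = Arrays.copyOfRange(encoded.array(), encoded.position(), encoded.limit());
                Arrays.fill(encoded.array(), (byte) 0);
            } else {
                if (!$assertionsDisabled && entryType != EntryType.FILE) {
                    throw new AssertionError();
                }
                // File entries are stored as Base64 text, one char per byte.
                byte[] base64 = new byte[chars.length];
                for (int i = 0; i < base64.length; i++) {
                    base64[i] = (byte) chars[i];
                }
                value = Base64.getDecoder().decode(base64);
                Arrays.fill(base64, (byte) 0);
            }
            Arrays.fill(chars, (char) 0);
            this.entries.get().put(name, new Entry(entryType, value));
        }
    }

    /**
     * Encrypts the entries and atomically replaces the keystore file in the given directory.
     *
     * <p>The data is written to {@code elasticsearch.keystore.tmp} with a fresh 64-byte salt and
     * 12-byte IV, moved over the real file, and the result is restricted to {@code rw-rw----}
     * where POSIX permissions are supported.
     *
     * <p>NOTE(review): permissions are tightened only after the move, so the temporary file and,
     * briefly, the final file carry whatever permissions the process creates files with.
     * NOTE(review): the try/catch nesting below is the decompiler's reconstruction; which
     * statements the {@link AccessDeniedException} handler really covers should be confirmed
     * against the original source.
     *
     * @param path directory the keystore is written to
     * @param cArr keystore password; an empty array records the keystore as having no password
     * @throws UserException if the temporary file cannot be created for lack of access
     * @throws Exception     on any other I/O or cryptographic failure
     */
    public synchronized void save(Path path, char[] cArr) throws Exception {
        ensureOpen();
        try {
            IndexOutput createOutput = new SimpleFSDirectory(path).createOutput("elasticsearch.keystore.tmp", IOContext.DEFAULT);
            Throwable th = null;
            try {
                try {
                    CodecUtil.writeHeader(createOutput, KEYSTORE_FILENAME, FORMAT_VERSION);
                    // Password flag: stored in the clear and outside the authenticated data.
                    createOutput.writeByte(cArr.length == 0 ? (byte) 0 : (byte) 1);
                    SecureRandom random = Randomness.createSecure();
                    // New salt and IV on every save, so a (key, IV) pair is never reused.
                    byte[] salt = new byte[64];
                    random.nextBytes(salt);
                    byte[] iv = new byte[12];
                    random.nextBytes(iv);
                    byte[] encrypted = encrypt(cArr, salt, iv);
                    // Total payload length: three length prefixes plus the three fields.
                    createOutput.writeInt(4 + salt.length + 4 + iv.length + 4 + encrypted.length);
                    createOutput.writeInt(salt.length);
                    createOutput.writeBytes(salt, salt.length);
                    createOutput.writeInt(iv.length);
                    createOutput.writeBytes(iv, iv.length);
                    createOutput.writeInt(encrypted.length);
                    createOutput.writeBytes(encrypted, encrypted.length);
                    CodecUtil.writeFooter(createOutput);
                    if (createOutput != null) {
                        $closeResource(null, createOutput);
                    }
                    Path keystorePath = keystorePath(path);
                    Files.move(path.resolve("elasticsearch.keystore.tmp"), keystorePath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
                    PosixFileAttributeView posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(keystorePath, PosixFileAttributeView.class, new LinkOption[0]);
                    if (posixFileAttributeView != null) {
                        posixFileAttributeView.setPermissions(PosixFilePermissions.fromString("rw-rw----"));
                    }
                } catch (Throwable th2) {
                    th = th2;
                    throw th2;
                }
            } catch (Throwable th3) {
                if (createOutput != null) {
                    $closeResource(th, createOutput);
                }
                throw th3;
            }
        } catch (AccessDeniedException e) {
            throw new UserException(78, String.format(Locale.ROOT, "unable to create temporary keystore at [%s], please check filesystem permissions", path.resolve("elasticsearch.keystore.tmp")), e);
        }
    }

    /**
     * Returns the names of all stored settings. The result is the key-set view of the internal
     * map, not a copy.
     */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public Set<String> getSettingNames() {
        if ($assertionsDisabled || this.entries.get() != null) {
            return this.entries.get().keySet();
        }
        throw new AssertionError("Keystore is not loaded");
    }

    /**
     * Returns the value of a string setting as a new {@link SecureString}.
     *
     * @param str setting name
     * @throws IllegalArgumentException if the setting is absent or is not a string
     * @throws IllegalStateException    if the keystore is closed
     */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public synchronized SecureString getString(String str) {
        ensureOpen();
        Entry entry = this.entries.get().get(str);
        if (entry == null || entry.type != EntryType.STRING) {
            throw new IllegalArgumentException("Secret setting " + str + " is not a string");
        }
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(entry.bytes));
        // The decoder's backing array can be longer than the decoded text (multi-byte UTF-8
        // input), so hand out only the decoded range; returning the whole array would append
        // NUL characters to the secret.
        char[] chars = Arrays.copyOfRange(decoded.array(), decoded.position(), decoded.limit());
        Arrays.fill(decoded.array(), (char) 0);
        return new SecureString(chars);
    }

    /**
     * Returns the contents of a file setting.
     *
     * <p>The stream reads directly from the entry's internal array (no copy is made), so its
     * contents turn to zeros once the entry is replaced, removed, or the keystore is closed.
     *
     * @param str setting name
     * @throws IllegalArgumentException if the setting is absent or is not a file
     * @throws IllegalStateException    if the keystore is closed
     */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public synchronized InputStream getFile(String str) {
        ensureOpen();
        Entry entry = this.entries.get().get(str);
        if (entry == null || entry.type != EntryType.FILE) {
            throw new IllegalArgumentException("Secret setting " + str + " is not a file");
        }
        return new ByteArrayInputStream(entry.bytes);
    }

    /**
     * Rejects setting names that do not fully match the allowed-name pattern.
     *
     * @param str candidate setting name
     * @throws IllegalArgumentException if the name does not match
     */
    public static void validateSettingName(String str) {
        if (!ALLOWED_SETTING_NAME.matcher(str).matches()) {
            throw new IllegalArgumentException("Setting name [" + str + "] does not match the allowed setting name pattern [" + ALLOWED_SETTING_NAME.pattern() + "]");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Stores a string setting as UTF-8 bytes, zeroing any value it replaces.
     *
     * <p>The caller keeps ownership of {@code cArr} and is responsible for clearing it.
     *
     * @param str  setting name; must satisfy {@link #validateSettingName(String)}
     * @param cArr setting value
     */
    public synchronized void setString(String str, char[] cArr) {
        ensureOpen();
        validateSettingName(str);
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(cArr));
        byte[] value = Arrays.copyOfRange(encoded.array(), encoded.position(), encoded.limit());
        // Wipe the encoder's scratch buffer, as decryptLegacyEntries() does, so the only
        // remaining copy of the secret is the one owned by the entry.
        Arrays.fill(encoded.array(), (byte) 0);
        Entry previous = this.entries.get().put(str, new Entry(EntryType.STRING, value));
        if (previous != null) {
            Arrays.fill(previous.bytes, (byte) 0);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Stores a copy of the given bytes as a file setting, zeroing any value it replaces.
     *
     * @param str  setting name; must satisfy {@link #validateSettingName(String)}
     * @param bArr file contents; copied, the caller's array is left untouched
     */
    public synchronized void setFile(String str, byte[] bArr) {
        ensureOpen();
        validateSettingName(str);
        Entry previous = this.entries.get().put(str, new Entry(EntryType.FILE, Arrays.copyOf(bArr, bArr.length)));
        if (previous != null) {
            Arrays.fill(previous.bytes, (byte) 0);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Removes a setting and zeroes its value. Unknown names are ignored.
     *
     * <p>Synchronized like the other mutators: the entry map is a plain {@link HashMap} that
     * {@link #setString}, {@link #setFile} and {@link #close()} all touch under the same lock.
     *
     * @param str setting name
     */
    public synchronized void remove(String str) {
        ensureOpen();
        Entry removed = this.entries.get().remove(str);
        if (removed != null) {
            Arrays.fill(removed.bytes, (byte) 0);
        }
    }

    /** Throws if the keystore has been closed; with assertions enabled also if it is not loaded. */
    private void ensureOpen() {
        if (this.closed) {
            throw new IllegalStateException("Keystore is closed");
        }
        if (!$assertionsDisabled && !isLoaded()) {
            throw new AssertionError("Keystore is not loaded");
        }
    }

    /**
     * Marks the keystore closed and zeroes every stored value in place. The entries stay in the
     * map, but accessors guarded by {@link #ensureOpen()} reject further use.
     */
    @Override // org.elasticsearch.common.settings.SecureSettings, java.io.Closeable, java.lang.AutoCloseable
    public synchronized void close() {
        this.closed = true;
        Map<String, Entry> loaded = this.entries.get();
        if (loaded == null || loaded.isEmpty()) {
            return;
        }
        for (Entry entry : loaded.values()) {
            Arrays.fill(entry.bytes, (byte) 0);
        }
    }

    // Compiler-generated helper behind try-with-resources: closes the resource and, when a
    // primary exception is in flight, records a close failure as suppressed instead of
    // replacing it.
    private static /* synthetic */ void $closeResource(Throwable th, AutoCloseable autoCloseable) {
        if (th == null) {
            autoCloseable.close();
            return;
        }
        try {
            autoCloseable.close();
        } catch (Throwable th2) {
            th.addSuppressed(th2);
        }
    }

    static {
        $assertionsDisabled = !KeyStoreWrapper.class.desiredAssertionStatus();
        ALLOWED_SETTING_NAME = Pattern.compile("[a-z0-9_\\-.]+");
        SEED_SETTING = SecureSetting.secureString("keystore.seed", null, new Setting.Property[0]);
        SEED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789~!@#$%^&*-_=+?".toCharArray();
    }
}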
