package org.elasticsearch.common.settings;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.DestroyFailedException;
import org.apache.lucene.codecs.CodecUtil;
import org.apache.lucene.store.BufferedChecksumIndexInput;
import org.apache.lucene.store.IOContext;
import org.apache.lucene.store.IndexInput;
import org.apache.lucene.store.IndexOutput;
import org.apache.lucene.store.SimpleFSDirectory;
import org.apache.lucene.util.SetOnce;

/* loaded from: input_file:org/elasticsearch/common/settings/KeyStoreWrapper.class */
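/**
 * Wraps a password-protected {@link KeyStore} holding secure settings and handles
 * reading it from, and writing it to, {@code elasticsearch.keystore} in a config directory.
 *
 * <p>On disk the file is a Lucene codec header, a one-byte "has password" flag, the keystore
 * type, the secret-key algorithm name, the length-prefixed keystore bytes and a codec footer.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #create(char[])} accepts an empty password. In that case the stored secrets are
 *       only as confidential as the file's permissions, so the owner-only mode applied in
 *       {@link #save(Path)} is the effective protection.</li>
 *   <li>The codec footer is a checksum: it detects corruption, not deliberate tampering.</li>
 *   <li>Instances are not synchronized; NOTE(review): callers appear to be expected to use
 *       one instance from a single thread - confirm before sharing.</li>
 * </ul>
 */
public class KeyStoreWrapper implements SecureSettings {
    private static final String KEYSTORE_FILENAME = "elasticsearch.keystore";
    /** Scratch file written by {@link #save(Path)} and then atomically renamed over the real one. */
    private static final String KEYSTORE_TMP_FILENAME = KEYSTORE_FILENAME + ".tmp";
    private static final int FORMAT_VERSION = 1;
    private static final String NEW_KEYSTORE_TYPE = "PKCS12";
    private static final String NEW_KEYSTORE_SECRET_KEY_ALGO = "PBE";
    private static final CharsetEncoder ASCII_ENCODER = StandardCharsets.US_ASCII.newEncoder();
    private final boolean hasPassword;
    private final String type;
    private final SecretKeyFactory secretFactory;
    /** Serialized keystore as read from disk; wiped by {@link #decrypt(char[])}. Null for new keystores. */
    private final byte[] keystoreBytes;
    private final SetOnce<KeyStore> keystore = new SetOnce<>();
    private final SetOnce<KeyStore.PasswordProtection> keystorePassword = new SetOnce<>();
    private final Set<String> settingNames = new HashSet<>();

    /**
     * @param hasPassword     whether the keystore is protected by a non-empty password
     * @param type            keystore type passed to {@link KeyStore#getInstance(String)}
     * @param secretKeyAlgo   algorithm passed to {@link SecretKeyFactory#getInstance(String)}
     * @param keystoreBytes   serialized keystore, or null when creating a new one
     * @throws RuntimeException wrapping {@link NoSuchAlgorithmException} if the algorithm is unavailable
     */
    private KeyStoreWrapper(boolean hasPassword, String type, String secretKeyAlgo, byte[] keystoreBytes) {
        this.hasPassword = hasPassword;
        this.type = type;
        this.keystoreBytes = keystoreBytes;
        try {
            this.secretFactory = SecretKeyFactory.getInstance(secretKeyAlgo);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the location of the keystore file inside the given config directory.
     * The decompiler reports this method was package-private before its access was widened.
     */
    public static Path keystorePath(Path path) {
        return path.resolve(KEYSTORE_FILENAME);
    }

    /**
     * Creates a new, empty, already-loaded keystore protected by the given password.
     * The decompiler reports this method was package-private before its access was widened.
     *
     * @param cArr the keystore password; an empty array means "no password"
     */
    public static KeyStoreWrapper create(char[] cArr) throws Exception {
        KeyStoreWrapper wrapper = new KeyStoreWrapper(cArr.length != 0, NEW_KEYSTORE_TYPE, NEW_KEYSTORE_SECRET_KEY_ALGO, null);
        KeyStore emptyStore = KeyStore.getInstance(NEW_KEYSTORE_TYPE);
        // load(null, null) initializes an empty keystore instead of reading one.
        emptyStore.load(null, null);
        wrapper.keystore.set(emptyStore);
        wrapper.keystorePassword.set(new KeyStore.PasswordProtection(cArr));
        return wrapper;
    }

    /**
     * Reads the keystore file from the given config directory without decrypting it.
     *
     * @param path the config directory
     * @return the still-encrypted wrapper, or {@code null} if no keystore file exists
     * @throws IOException           if the file cannot be read or fails the header/footer checks
     * @throws IllegalStateException if the password flag or the keystore length is not plausible
     */
    public static KeyStoreWrapper load(Path path) throws IOException {
        if (!Files.exists(keystorePath(path))) {
            return null;
        }
        try (IndexInput raw = new SimpleFSDirectory(path).openInput(KEYSTORE_FILENAME, IOContext.READONCE)) {
            BufferedChecksumIndexInput input = new BufferedChecksumIndexInput(raw);
            CodecUtil.checkHeader(input, KEYSTORE_FILENAME, FORMAT_VERSION, FORMAT_VERSION);
            byte passwordFlag = input.readByte();
            boolean passwordProtected = passwordFlag == 1;
            if (!passwordProtected && passwordFlag != 0) {
                throw new IllegalStateException("hasPassword boolean is corrupt: " + String.format(Locale.ROOT, "%02x", passwordFlag));
            }
            String keystoreType = input.readString();
            String secretKeyAlgo = input.readString();
            // The length comes straight from the file and is used before the footer checksum
            // has been verified, so bound it by what the file can actually hold rather than
            // allocating whatever a corrupt or hostile file asks for.
            int keystoreLength = input.readInt();
            long remaining = raw.length() - input.getFilePointer();
            if (keystoreLength < 0 || keystoreLength > remaining) {
                throw new IllegalStateException("keystore length is corrupt: " + keystoreLength);
            }
            byte[] data = new byte[keystoreLength];
            input.readBytes(data, 0, data.length);
            // Checksum only: catches truncation and bit rot, not an attacker who can rewrite the file.
            CodecUtil.checkFooter(input);
            return new KeyStoreWrapper(passwordProtected, keystoreType, secretKeyAlgo, data);
        }
    }

    /** Returns true once a keystore has been created or successfully decrypted. */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public boolean isLoaded() {
        return this.keystore.get() != null;
    }

    /** Returns whether the keystore was recorded as protected by a non-empty password. */
    public boolean hasPassword() {
        return this.hasPassword;
    }

    /**
     * Decrypts the keystore bytes read by {@link #load(Path)} and records the setting names.
     *
     * <p>The in-memory copy of the encrypted keystore and the caller's password array are wiped
     * whether or not decryption succeeds, so a failed attempt cannot be retried on this instance.
     * The keystore is only published after it has loaded successfully, so {@link #isLoaded()}
     * stays false after a wrong password instead of exposing an uninitialized keystore.
     *
     * @param cArr the keystore password; zeroed before this method returns
     * @throws IllegalStateException    if the keystore has already been decrypted
     * @throws GeneralSecurityException if the keystore cannot be opened with the password
     * @throws IOException              if the keystore bytes cannot be parsed
     */
    public void decrypt(char[] cArr) throws GeneralSecurityException, IOException {
        if (this.keystore.get() != null) {
            throw new IllegalStateException("Keystore has already been decrypted");
        }
        KeyStore loaded = KeyStore.getInstance(this.type);
        try (ByteArrayInputStream in = new ByteArrayInputStream(this.keystoreBytes)) {
            loaded.load(in, cArr);
            this.keystore.set(loaded);
            // PasswordProtection keeps its own copy, so the caller's array can be wiped below.
            this.keystorePassword.set(new KeyStore.PasswordProtection(cArr));
        } finally {
            Arrays.fill(this.keystoreBytes, (byte) 0);
            if (cArr != null) {
                Arrays.fill(cArr, (char) 0);
            }
        }
        Enumeration<String> aliases = loaded.aliases();
        while (aliases.hasMoreElements()) {
            this.settingNames.add(aliases.nextElement());
        }
    }

    /**
     * Writes the keystore to a temporary file in the config directory and atomically renames it
     * over {@code elasticsearch.keystore}.
     * The decompiler reports this method was package-private before its access was widened.
     *
     * <p>Owner-only permissions are applied to the temporary file before any keystore data is
     * written, and again to the final file. This narrows, but cannot fully close, the window in
     * which the file exists with umask-derived permissions, because the file is created by
     * Lucene before the mode can be set.
     *
     * @param path the config directory
     */
    public void save(Path path) throws Exception {
        char[] password = this.keystorePassword.get().getPassword();
        Path tmpPath = path.resolve(KEYSTORE_TMP_FILENAME);
        try (IndexOutput output = new SimpleFSDirectory(path).createOutput(KEYSTORE_TMP_FILENAME, IOContext.DEFAULT)) {
            restrictToOwner(tmpPath);
            CodecUtil.writeHeader(output, KEYSTORE_FILENAME, FORMAT_VERSION);
            output.writeByte(password.length == 0 ? (byte) 0 : (byte) 1);
            output.writeString(this.type);
            output.writeString(this.secretFactory.getAlgorithm());
            ByteArrayOutputStream serialized = new ByteArrayOutputStream();
            this.keystore.get().store(serialized, password);
            byte[] data = serialized.toByteArray();
            output.writeInt(data.length);
            output.writeBytes(data, data.length);
            CodecUtil.writeFooter(output);
        }
        Path keystorePath = keystorePath(path);
        Files.move(tmpPath, keystorePath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        // Do not rely on the rename preserving the mode or on the process umask.
        restrictToOwner(keystorePath);
    }

    /** Sets {@code rw-------} on the file where the filesystem supports POSIX permissions. */
    private static void restrictToOwner(Path file) throws IOException {
        PosixFileAttributeView attrs = Files.getFileAttributeView(file, PosixFileAttributeView.class);
        if (attrs != null) {
            attrs.setPermissions(PosixFilePermissions.fromString("rw-------"));
        }
    }

    /**
     * Returns the names of the settings held in the keystore.
     * This is the live internal set, not a copy; callers should treat it as read-only.
     */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public Set<String> getSettingNames() {
        return this.settingNames;
    }

    /**
     * Returns the secret stored under the given setting name.
     *
     * @param str the setting name
     * @throws IllegalStateException    if the entry is not a secret-key entry
     * @throws GeneralSecurityException if the entry cannot be recovered from the keystore
     */
    @Override // org.elasticsearch.common.settings.SecureSettings
    public SecureString getString(String str) throws GeneralSecurityException {
        KeyStore.Entry entry = this.keystore.get().getEntry(str, this.keystorePassword.get());
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("Secret setting " + str + " is not a string");
        }
        KeyStore.SecretKeyEntry secretEntry = (KeyStore.SecretKeyEntry) entry;
        PBEKeySpec keySpec = (PBEKeySpec) this.secretFactory.getKeySpec(secretEntry.getSecretKey(), PBEKeySpec.class);
        SecureString value = new SecureString(keySpec.getPassword());
        // getPassword() handed out a copy; wipe the spec's own copy so only the SecureString remains.
        keySpec.clearPassword();
        return value;
    }

    /**
     * Stores an ASCII-only secret under the given setting name.
     * The decompiler reports this method was package-private before its access was widened.
     *
     * @param str  the setting name
     * @param cArr the secret value; not modified by this method
     * @throws IllegalArgumentException if the value contains non-ASCII characters
     */
    public void setString(String str, char[] cArr) throws GeneralSecurityException {
        if (!ASCII_ENCODER.canEncode(CharBuffer.wrap(cArr))) {
            throw new IllegalArgumentException("Value must be ascii");
        }
        KeyStore.SecretKeyEntry secretEntry = new KeyStore.SecretKeyEntry(this.secretFactory.generateSecret(new PBEKeySpec(cArr)));
        this.keystore.get().setEntry(str, secretEntry, this.keystorePassword.get());
        this.settingNames.add(str);
    }

    /**
     * Deletes the given setting from the keystore.
     * The decompiler reports this method was package-private before its access was widened.
     */
    public void remove(String str) throws KeyStoreException {
        this.keystore.get().deleteEntry(str);
        this.settingNames.remove(str);
    }

    /**
     * Destroys the retained keystore password, if one was set.
     *
     * @throws IOException wrapping {@link DestroyFailedException} if the password cannot be destroyed
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        KeyStore.PasswordProtection protection = this.keystorePassword.get();
        if (protection == null) {
            return;
        }
        try {
            protection.destroy();
        } catch (DestroyFailedException e) {
            throw new IOException(e);
        }
    }
}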
