package org.apache.hadoop.ozone.client.rpc;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import org.apache.hadoop.crypto.CipherSuite;
import org.apache.hadoop.crypto.CryptoCodec;
import org.apache.hadoop.crypto.CryptoProtocolVersion;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.fs.FileEncryptionInfo;
import org.apache.hadoop.hdds.StringUtils;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.utils.LegacyHadoopConfigurationSource;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.KMSUtil;

/* loaded from: input_file:org/apache/hadoop/ozone/client/rpc/OzoneKMSUtil.class */
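/**
 * Static helpers for client-side handling of encrypted Ozone keys: resolving the
 * KMS key-provider URI, creating the {@link KeyProvider}, decrypting the
 * encrypted data encryption key (EDEK) and selecting the {@link CryptoCodec}.
 *
 * <p>The class holds no mutable state; all members are static.
 */
public final class OzoneKMSUtil {
    /** Prefix of the credentials alias under which a resolved KMS URI is cached. */
    private static final String O3_KMS_PREFIX = "ozone-kms-";

    /** Configuration key consulted when no KMS URI is cached or supplied by the caller. */
    private static final String KEY_PROVIDER_URI_KEY_NAME = "hadoop.security.key.provider.path";

    private OzoneKMSUtil() {
    }

    /**
     * Decrypts the encrypted data encryption key described by {@code fileEncryptionInfo}.
     *
     * <p>The returned {@link KeyProvider.KeyVersion} is the result of the provider's
     * {@code decryptEncryptedKey} call, i.e. decrypted key material. Callers should
     * treat it as a secret: do not log it or include it in exception messages.
     *
     * @param fileEncryptionInfo source of the key name, encryption-zone key version,
     *                           IV and encrypted key bytes
     * @param keyProvider        provider used for decryption; must not be {@code null}
     * @return the decrypted key version
     * @throws IOException if {@code keyProvider} is {@code null}, or if decryption fails
     *                     with a {@link GeneralSecurityException} (kept as the cause)
     */
    public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo fileEncryptionInfo, KeyProvider keyProvider) throws IOException {
        if (keyProvider == null) {
            throw new IOException("No KeyProvider is configured, cannot access an encrypted file");
        }
        KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKey =
                KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(
                        fileEncryptionInfo.getKeyName(),
                        fileEncryptionInfo.getEzKeyVersionName(),
                        fileEncryptionInfo.getIV(),
                        fileEncryptionInfo.getEncryptedDataEncryptionKey());
        KeyProviderCryptoExtension cryptoProvider =
                KeyProviderCryptoExtension.createKeyProviderCryptoExtension(keyProvider);
        try {
            return cryptoProvider.decryptEncryptedKey(encryptedKey);
        } catch (GeneralSecurityException e) {
            // Preserve the cause so the underlying crypto failure stays diagnosable.
            throw new IOException(e);
        }
    }

    /**
     * Builds the credentials alias used to cache the KMS URI for a namespace.
     *
     * @param uri namespace URI; only its scheme and authority are used
     * @return {@code "ozone-kms-" + scheme + "://" + authority} as a {@link Text}
     */
    public static Text getKeyProviderMapKey(URI uri) {
        return new Text(O3_KMS_PREFIX + uri.getScheme() + "://" + uri.getAuthority());
    }

    /**
     * Decodes a whole byte array as UTF-8.
     *
     * @param bArr bytes to decode; must not be {@code null}
     * @return the decoded string
     */
    public static String bytes2String(byte[] bArr) {
        return bytes2String(bArr, 0, bArr.length);
    }

    /**
     * Decodes {@code i2} bytes of {@code bArr}, starting at offset {@code i}, as UTF-8.
     * Malformed input is replaced by the decoder's replacement character, not rejected.
     */
    private static String bytes2String(byte[] bArr, int i, int i2) {
        // The Charset overload cannot throw UnsupportedEncodingException, so the
        // previously unreachable catch branch is gone.
        return new String(bArr, i, i2, StandardCharsets.UTF_8);
    }

    /**
     * Resolves the KMS key-provider URI for a namespace.
     *
     * <p>Resolution order:
     * <ol>
     *   <li>the value cached in the user's credentials under
     *       {@link #getKeyProviderMapKey(URI)}, when {@code uri} is non-null;</li>
     *   <li>{@code str}, when it is non-null and non-empty;</li>
     *   <li>the {@code hadoop.security.key.provider.path} configuration value, only
     *       when {@code str} is {@code null}.</li>
     * </ol>
     * An empty {@code str} with no cached value yields {@code null}.
     *
     * <p>NOTE(review): the resolved URI decides where EDEK decryption requests are
     * sent, and nothing in this method restricts its scheme or host. If {@code str}
     * originates from a remote service, confirm upstream that it is a trusted KMS
     * endpoint. A cached credentials entry also takes precedence over both
     * {@code str} and the local configuration.
     *
     * @param userGroupInformation user whose credentials are read and updated
     * @param uri                  namespace URI used to derive the cache alias; may be {@code null}
     * @param str                  key-provider URI supplied by the caller; may be {@code null} or empty
     * @param configurationSource  configuration consulted as the last resort
     * @return the resolved URI, or {@code null} when none is available
     * @throws IOException              declared by the configuration lookup
     * @throws IllegalArgumentException if the cached or supplied value is not a valid URI
     */
    public static URI getKeyProviderUri(UserGroupInformation userGroupInformation, URI uri, String str, ConfigurationSource configurationSource) throws IOException {
        Credentials credentials = userGroupInformation.getCredentials();
        Text cacheAlias = null;
        URI providerUri = null;

        if (uri != null) {
            cacheAlias = getKeyProviderMapKey(uri);
            byte[] cached = credentials.getSecretKey(cacheAlias);
            if (cached != null) {
                providerUri = URI.create(bytes2String(cached));
            }
        }

        if (providerUri == null) {
            if (str == null) {
                providerUri = KMSUtil.getKeyProviderUri(
                        LegacyHadoopConfigurationSource.asHadoopConfiguration(configurationSource),
                        KEY_PROVIDER_URI_KEY_NAME);
            } else if (!str.isEmpty()) {
                providerUri = URI.create(str);
            }
        }

        if (providerUri != null && cacheAlias != null) {
            // NOTE(review): this writes to the Credentials object returned by
            // getCredentials(); whether that is a live view or a copy of the user's
            // credentials is not visible here. Confirm the cache entry persists.
            credentials.addSecretKey(cacheAlias, StringUtils.string2Bytes(providerUri.toString()));
        }
        return providerUri;
    }

    /**
     * Creates a {@link KeyProvider} for the given KMS URI.
     *
     * @param configurationSource configuration passed to the provider factory
     * @param uri                 KMS provider URI; must not be {@code null}
     * @return the provider created by {@code KMSUtil.createKeyProviderFromUri}
     * @throws IOException if {@code uri} is {@code null} or provider creation fails
     */
    public static KeyProvider getKeyProvider(ConfigurationSource configurationSource, URI uri) throws IOException {
        if (uri == null) {
            throw new IOException("KMS serverProviderUri is not configured.");
        }
        return KMSUtil.createKeyProviderFromUri(
                LegacyHadoopConfigurationSource.asHadoopConfiguration(configurationSource), uri);
    }

    /**
     * Returns the crypto protocol version of {@code fileEncryptionInfo} after
     * verifying that this client supports it.
     *
     * @param fileEncryptionInfo encryption metadata of the key being accessed
     * @return the supported protocol version
     * @throws IOException if the version is not supported by this client
     */
    public static CryptoProtocolVersion getCryptoProtocolVersion(FileEncryptionInfo fileEncryptionInfo) throws IOException {
        return requireSupportedProtocolVersion(fileEncryptionInfo);
    }

    /**
     * Verifies that this client supports the crypto protocol version of
     * {@code fileEncryptionInfo}.
     *
     * @param fileEncryptionInfo encryption metadata of the key being accessed
     * @throws IOException if the version is not supported by this client
     */
    public static void checkCryptoProtocolVersion(FileEncryptionInfo fileEncryptionInfo) throws IOException {
        requireSupportedProtocolVersion(fileEncryptionInfo);
    }

    /**
     * Single implementation of the protocol-version check shared by the two public
     * entry points, so the rule and its error message cannot drift apart.
     */
    private static CryptoProtocolVersion requireSupportedProtocolVersion(FileEncryptionInfo fileEncryptionInfo) throws IOException {
        CryptoProtocolVersion version = fileEncryptionInfo.getCryptoProtocolVersion();
        if (!CryptoProtocolVersion.supports(version)) {
            throw new IOException("Client does not support specified CryptoProtocolVersion " + version.getDescription() + " version number" + version.getVersion());
        }
        return version;
    }

    /**
     * Instantiates the {@link CryptoCodec} for the cipher suite recorded in
     * {@code fileEncryptionInfo}.
     *
     * @param configurationSource configuration used to look up the codec implementation
     * @param fileEncryptionInfo  encryption metadata naming the cipher suite
     * @return the codec for the cipher suite; never {@code null}
     * @throws IOException if the cipher suite is {@link CipherSuite#UNKNOWN}
     * @throws OMException with {@code UNKNOWN_CIPHER_SUITE} if no codec is configured
     *                     for the cipher suite
     */
    public static CryptoCodec getCryptoCodec(ConfigurationSource configurationSource, FileEncryptionInfo fileEncryptionInfo) throws IOException {
        CipherSuite cipherSuite = fileEncryptionInfo.getCipherSuite();
        if (cipherSuite.equals(CipherSuite.UNKNOWN)) {
            // The message names "NameNode" although this is the Ozone client; the text
            // is kept verbatim because logs or callers may match on it.
            throw new IOException("NameNode specified unknown CipherSuite with ID " + cipherSuite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
        }
        CryptoCodec cryptoCodec = CryptoCodec.getInstance(
                LegacyHadoopConfigurationSource.asHadoopConfiguration(configurationSource), cipherSuite);
        if (cryptoCodec == null) {
            // Fail closed: never hand back a null codec for data marked as encrypted.
            throw new OMException("No configuration found for the cipher suite " + cipherSuite.getConfigSuffix() + " prefixed with hadoop.security.crypto.codec.classes. Please see the example configuration hadoop.security.crypto.codec.classes.EXAMPLE CIPHER SUITE at core-default.xml for details.", OMException.ResultCodes.UNKNOWN_CIPHER_SUITE);
        }
        return cryptoCodec;
    }
}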
