package com.cloudera.keytrustee;

import clouderakp.avro.DepositGroupProtocol;
import com.cloudera.keytrustee.ClouderaKeyStore;
import com.cloudera.keytrustee.ClouderaKeyStoreProvider;
import com.cloudera.keytrustee.dao.DaoManager;
import com.cloudera.keytrustee.dao.DaoUtil;
import com.cloudera.keytrustee.entity.DeleteStatusChange;
import com.cloudera.keytrustee.entity.Deposit;
import com.cloudera.keytrustee.entity.DepositGroupAttribute;
import com.cloudera.keytrustee.entity.KeyOption;
import com.cloudera.keytrustee.entity.KeyOptionAttribute;
import com.cloudera.keytrustee.entity.MetaBlob;
import com.cloudera.keytrustee.hsm.HsmHelper;
import com.cloudera.keytrustee.sync.MessageServer;
import com.cloudera.keytrustee.sync.PeerHelper;
import com.cloudera.keytrustee.util.ClouderaSecretKey;
import com.cloudera.keytrustee.util.Environment;
import com.cloudera.keytrustee.util.HSMKeyProviderConfiguration;
import com.cloudera.keytrustee.util.HsmKPConstants;
import com.cloudera.keytrustee.util.SelfTrustingSSLChannelPipelineFactory;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.File;
import java.io.FilenameFilter;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.jdo.JDODataStoreException;
import javax.jdo.JDOHelper;
import javax.jdo.PersistenceManagerFactory;
import org.apache.avro.ipc.NettyServer;
import org.apache.avro.ipc.Server;
import org.apache.avro.ipc.specific.SpecificResponder;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.CryptoCodec;
import org.apache.hadoop.crypto.Decryptor;
import org.apache.hadoop.crypto.Encryptor;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderFactory;
import org.apache.hadoop.crypto.key.kms.server.KMSConfiguration;
import org.apache.hadoop.security.ProviderUtils;
import org.jboss.netty.channel.socket.nio.NioServerSocketChannelFactory;
import org.jboss.netty.handler.execution.ExecutionHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:com/cloudera/keytrustee/HSMKeyProvider.class */
public class HSMKeyProvider extends KeyProvider implements KeyProviderCryptoExtension.CryptoExtension, ClouderaKeyStore.KeyStoreAttributeStorageHelper, MessageServer.DepositConsumerProducer, PeerHelper.DepositGroupRuntimeStateListener {
    private static final String KEY_METADATA = "ClouderaKeyMetadata";
    private boolean useHSM;
    public static final String SCHEME_NAME = "cloudera.hsmkp";
    public static final String META_SCHEME_NAME = "ckshsm";
    public static final String BIT_LENGTH_ATTRIBUTE = "_cloudera.hsmkp_bit_length";
    public static final String CIPHER_ATTRIBUTE = "_cloudera.hsmkpcipher";
    public static final String DESCRIPTION_ATTRIBUTE = "_cloudera.hsmkpdescription";
    public static final String VERSIONS_ATTRIBUTE = "_cloudera.hsmkpversions";
    public static final String CREATED_ATTRIBUTE = "_cloudera.hsmkpcreated";
    public static final String HSM_KEY_NAME_KEY = "hsm.key.name";
    public static final String CONFIG_PREFIX = "hadoop.kms.";
    public static final String KEY_PROVIDER_REENCRYPTION_SOURCE_URI = "hadoop.kms.key.provider.reencryption.source.uri";
    public static final String REENCRYPTION_CRYPTO_ENABLE = "hadoop.kms.reencryption.crypto.enable";
    public static final String KEYSTORE_PASSWORD_FILE_KEY = "hadoop.security.keystore.java-keystore-provider.password-file";
    public static final String KEYSTORE_PASSWORD_ENV_VAR = "HADOOP_KEYSTORE_PASSWORD";
    public static final String LEGACY_KEY_VERSION_NAME = "legacy_id";
    private KeyProvider srcProvider;
    private final URI uri;
    private final ClouderaKeyStore metaKeyStore;
    private Properties dbConnectionProperties;
    private PersistenceManagerFactory pmf;
    private DepositGroupManager depositGroupManager;
    private char[] masterKey;
    private char[] password;
    private String hsmPassword;
    private String hsmUsername;
    private boolean changed;
    private Lock readLock;
    private Lock writeLock;
    private HsmHelper helper;
    private PeerHelper peerHelper;
    private Server messagingServer;
    private URI[] uris;
    private boolean initiateMigration;
    private Map<String, Deposit> queuedRemoteDeposits;
    private Map<String, Long> queuedRemoteDeletes;
    private boolean syncAllPending;
    private Long nextSeqNum;
    private final Map<String, KeyProvider.Metadata> cache;
    private static Logger LOG = LoggerFactory.getLogger(HSMKeyProvider.class);
    public static final char[] KEYSTORE_PASSWORD_DEFAULT = "none".toCharArray();

    /* loaded from: input_file:com/cloudera/keytrustee/HSMKeyProvider$Factory.class */
    public static class Factory extends KeyProviderFactory {
        public KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
            if (!HSMKeyProvider.SCHEME_NAME.equals(uri.getScheme())) {
                return null;
            }
            HSMKeyProvider.LOG.debug("Starting Key Provider with name {} ", uri);
            HSMKeyProvider.LOG.info("Current version of the Key Provider is {} ", HsmKPConstants.getVersion());
            return new HSMKeyProvider(uri, configuration);
        }
    }

    /* loaded from: input_file:com/cloudera/keytrustee/HSMKeyProvider$HSMProviderEncryptedKeyVersion.class */
    public static class HSMProviderEncryptedKeyVersion extends KeyProviderCryptoExtension.EncryptedKeyVersion {
        protected HSMProviderEncryptedKeyVersion(String str, String str2, byte[] bArr, KeyProvider.KeyVersion keyVersion) {
            super(str, str2, bArr, keyVersion);
        }

        protected static byte[] deriveIV(byte[] bArr) {
            return KeyProviderCryptoExtension.EncryptedKeyVersion.deriveIV(bArr);
        }
    }

    /* loaded from: input_file:com/cloudera/keytrustee/HSMKeyProvider$HSMProviderKeyVersion.class */
    public static class HSMProviderKeyVersion extends KeyProvider.KeyVersion {
        public HSMProviderKeyVersion(String str, String str2, byte[] bArr) {
            super(str, str2, bArr);
        }
    }

    /* loaded from: input_file:com/cloudera/keytrustee/HSMKeyProvider$HSMProviderMetadata.class */
    public static class HSMProviderMetadata extends KeyProvider.Metadata {
        public HSMProviderMetadata(String str, int i, String str2, Map<String, String> map, Date date, int i2) {
            super(str, i, str2, map, date, i2);
        }

        protected HSMProviderMetadata(byte[] bArr) throws IOException {
            super(bArr);
        }

        protected byte[] serialize() throws IOException {
            return super.serialize();
        }
    }

    /* loaded from: input_file:com/cloudera/keytrustee/HSMKeyProvider$KeyMetadata.class */
    public static class KeyMetadata implements Key, Serializable {
        private HSMProviderMetadata metadata;
        private static final long serialVersionUID = -7278785649500394508L;

        private KeyMetadata(HSMProviderMetadata hSMProviderMetadata) {
            this.metadata = hSMProviderMetadata;
        }

        @Override // java.security.Key
        public String getAlgorithm() {
            return this.metadata.getCipher();
        }

        @Override // java.security.Key
        public String getFormat() {
            return HSMKeyProvider.KEY_METADATA;
        }

        @Override // java.security.Key
        public byte[] getEncoded() {
            return new byte[0];
        }

        private void writeObject(ObjectOutputStream objectOutputStream) throws IOException {
            byte[] serialize = this.metadata.serialize();
            objectOutputStream.writeInt(serialize.length);
            objectOutputStream.write(serialize);
        }

        private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
            byte[] bArr = new byte[objectInputStream.readInt()];
            objectInputStream.readFully(bArr);
            this.metadata = new HSMProviderMetadata(bArr);
        }
    }

    /* loaded from: input_file:com/cloudera/keytrustee/HSMKeyProvider$SecretKeyVersion.class */
    public static class SecretKeyVersion extends KeyProvider.KeyVersion {
        private final SecretKey secretKey;

        protected SecretKeyVersion(String str, String str2, byte[] bArr, SecretKey secretKey) {
            super(str, str2, bArr);
            this.secretKey = secretKey;
        }

        public SecretKey getSecretKey() {
            return this.secretKey;
        }

        public String toString() {
            return super.toString();
        }
    }

    public static void setProperties(Properties properties, HSMKeyProviderConfiguration hSMKeyProviderConfiguration) {
        properties.put("javax.jdo.option.ConnectionURL", hSMKeyProviderConfiguration.getConnectionURL());
        properties.put("javax.jdo.option.ConnectionDriverName", hSMKeyProviderConfiguration.getConnectionDriverName());
        properties.put("javax.jdo.option.ConnectionUserName", hSMKeyProviderConfiguration.getDBUser());
        properties.put("javax.jdo.option.ConnectionPassword", hSMKeyProviderConfiguration.getDBPassword());
        properties.put("javax.jdo.option.Mapping", hSMKeyProviderConfiguration.getMapping());
    }

    @VisibleForTesting
    HSMKeyProvider(HSMKeyProvider hSMKeyProvider) {
        super(new Configuration());
        this.useHSM = true;
        this.dbConnectionProperties = new Properties();
        this.depositGroupManager = null;
        this.changed = false;
        this.queuedRemoteDeposits = Collections.synchronizedMap(new HashMap());
        this.queuedRemoteDeletes = Collections.synchronizedMap(new HashMap());
        this.syncAllPending = false;
        this.cache = new HashMap();
        this.uri = hSMKeyProvider.uri;
        this.metaKeyStore = hSMKeyProvider.metaKeyStore;
        this.password = hSMKeyProvider.password;
        this.changed = hSMKeyProvider.changed;
        this.readLock = hSMKeyProvider.readLock;
        this.writeLock = hSMKeyProvider.writeLock;
    }

    @VisibleForTesting
    public void setUseHSM(boolean z) {
        this.useHSM = z;
    }

    @VisibleForTesting
    public boolean getUseHSM() {
        return this.useHSM;
    }

    @VisibleForTesting
    public PeerHelper getPeerHelper() {
        return this.peerHelper;
    }

    public HSMKeyProvider(URI uri, Configuration configuration) throws IOException {
        this(null, uri, configuration);
    }

    public HSMKeyProvider(Environment environment, URI uri, Configuration configuration) throws IOException {
        super(configuration);
        this.useHSM = true;
        this.dbConnectionProperties = new Properties();
        this.depositGroupManager = null;
        this.changed = false;
        this.queuedRemoteDeposits = Collections.synchronizedMap(new HashMap());
        this.queuedRemoteDeletes = Collections.synchronizedMap(new HashMap());
        this.syncAllPending = false;
        this.cache = new HashMap();
        this.uri = uri;
        HSMKeyProviderConfiguration hSMKeyProviderConfiguration = new HSMKeyProviderConfiguration(environment, uri, configuration);
        String validate = hSMKeyProviderConfiguration.getTlsConfiguration().validate();
        if (!validate.isEmpty()) {
            throw new IOException("TLS Configuration is specified but invalid: " + validate);
        }
        boolean isNoHSM = hSMKeyProviderConfiguration.isNoHSM();
        this.initiateMigration = hSMKeyProviderConfiguration.isInitiateMigration();
        this.useHSM = !isNoHSM;
        this.hsmPassword = hSMKeyProviderConfiguration.getHSMPassword();
        this.password = hSMKeyProviderConfiguration.getPassword().toCharArray();
        if (this.password == null) {
            throw new IOException("Key store password is null.");
        }
        if (this.useHSM && this.hsmPassword == null) {
            throw new IOException("HSM password is null.");
        }
        this.uris = hSMKeyProviderConfiguration.getSpecifiedProviderURIs();
        ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock(true);
        this.readLock = reentrantReadWriteLock.readLock();
        this.writeLock = reentrantReadWriteLock.writeLock();
        try {
            System.setProperty("protect", hSMKeyProviderConfiguration.getThalesProtectProperty());
            setProperties(this.dbConnectionProperties, hSMKeyProviderConfiguration);
            this.pmf = JDOHelper.getPersistenceManagerFactory(this.dbConnectionProperties, "ckms");
            try {
                LOG.info("HSM Key Provider running on process [{}].", Integer.valueOf(Integer.parseInt(new File("/proc/self").getCanonicalFile().getName())));
            } catch (NumberFormatException e) {
                LOG.warn("Could not retrieve process ID.");
            }
            LOG.info("Connection to database [{}] using [{}] driver.", this.pmf.getConnectionURL(), this.pmf.getConnectionDriverName());
            DaoManager daoManager = new DaoManager();
            daoManager.setPersistenceManagerFactory(this.pmf);
            this.depositGroupManager = new DepositGroupManager(hSMKeyProviderConfiguration.getDepositGroupConfiguration(), daoManager, hSMKeyProviderConfiguration.getTlsConfiguration().getLocalDataDir());
            this.metaKeyStore = new ClouderaKeyStore(daoManager);
            this.metaKeyStore.setStorageHelper(this);
            ClouderaMasterKey clouderaMasterKey = new ClouderaMasterKey(daoManager);
            clouderaMasterKey.generateKey(new String(this.password));
            try {
                String masterKey = clouderaMasterKey.getMasterKey(new String(this.password));
                if (masterKey == null) {
                    LOG.error("The Master Key is null because: Incorrect KeyStore Password");
                    throw new IOException("The Master Key is null because: Incorrect KeyStore Password");
                }
                this.masterKey = masterKey.toCharArray();
                this.metaKeyStore.engineLoad(null, this.masterKey);
                this.peerHelper = new PeerHelper(daoManager, this, this, hSMKeyProviderConfiguration.getTlsConfiguration(), this.readLock, this.writeLock);
                if (!this.peerHelper.selfRegister(hSMKeyProviderConfiguration.getMessagePort())) {
                    LOG.warn("Self registration failed. Can not continue.");
                    throw new IOException("Self registration failed. This is fatal.");
                }
                this.helper = null;
                if (this.useHSM) {
                    this.helper = HsmHelper.getHsmHelper(hSMKeyProviderConfiguration);
                    this.helper.setDepositGroupManager(this.depositGroupManager);
                    this.helper.loadKeyStore();
                }
                NioServerSocketChannelFactory nioServerSocketChannelFactory = new NioServerSocketChannelFactory(Executors.newCachedThreadPool(), Executors.newCachedThreadPool());
                hSMKeyProviderConfiguration.getTlsConfiguration().initSecureRandom(this.helper);
                this.messagingServer = new NettyServer(new SpecificResponder(DepositGroupProtocol.class, new MessageServer(hSMKeyProviderConfiguration.getDepositGroupConfiguration().getGroupName(), hSMKeyProviderConfiguration.getDepositGroupConfiguration().getPassword(), daoManager, this, this)), new InetSocketAddress(hSMKeyProviderConfiguration.getMessagePort()), nioServerSocketChannelFactory, new SelfTrustingSSLChannelPipelineFactory(hSMKeyProviderConfiguration.getTlsConfiguration()), (ExecutionHandler) null);
                if (this.peerHelper.confirmServers(hSMKeyProviderConfiguration.getDepositGroupConfiguration().getGroupName(), hSMKeyProviderConfiguration.getDepositGroupConfiguration().getPassword()) && this.useHSM) {
                    this.helper.refreshDepositGroupRuntimeState();
                    this.helper.loadKeyStore();
                }
                this.peerHelper.bootStrap();
                if (this.initiateMigration || configuration.getBoolean(REENCRYPTION_CRYPTO_ENABLE, false)) {
                    File file = new File(hSMKeyProviderConfiguration.getKTKMSDataDir());
                    File file2 = new File(System.getProperty("kms.config.dir"));
                    LOG.info("Copying KT KMS config [{}] to KMS Config Dir [{}].", file, file2);
                    FileUtils.copyFileToDirectory(file, file2, true);
                    loadSourceProvider(configuration);
                    if (this.initiateMigration) {
                        initiateMigration();
                    }
                }
            } catch (Throwable th) {
                LOG.error("Unable to decrypt master key.", th);
                throw new IOException("Could not retrieve master key: " + th.getMessage());
            }
        } catch (NoSuchAlgorithmException | CertificateException e2) {
            LOG.error("Could not load [{}] keystore: [{}]", this.helper != null ? "HSM" : "meta", e2);
            throw new IOException("Can't load keystore due to " + e2.getCause().getClass().getSimpleName() + ".", e2);
        }
    }

    private void initiateMigration() throws IOException {
        LOG.info("Migration attempt on provider: [{}]", this.srcProvider);
        migrateKeys(this.srcProvider);
    }

    private void loadSourceProvider(Configuration configuration) {
        if (configuration.getBoolean(REENCRYPTION_CRYPTO_ENABLE, false)) {
            try {
                URI[] specifiedProviderURIs = getSpecifiedProviderURIs();
                Preconditions.checkNotNull(specifiedProviderURIs, "Migration URI array is null.");
                if (specifiedProviderURIs.length < 2) {
                    throw new IOException("Migration URI array must contain at least two entries (HSMKP and one or more others).");
                }
                for (int i = 0; i < specifiedProviderURIs.length; i++) {
                    URI uri = specifiedProviderURIs[i];
                    LOG.info("Migration attempt on URI: [{}]", uri);
                    if (i != 0) {
                        Configuration kMSConf = KMSConfiguration.getKMSConf();
                        if (HSMKeyProviderConfiguration.DB_USER_DEFAULT.equals(uri.getScheme())) {
                            String[] list = new File(ProviderUtils.unnestUri(uri).toUri().toURL().getPath()).list(new FilenameFilter() { // from class: com.cloudera.keytrustee.HSMKeyProvider.1
                                @Override // java.io.FilenameFilter
                                public boolean accept(File file, String str) {
                                    return str.equalsIgnoreCase("keytrustee.conf") || str.equalsIgnoreCase("pubring.gpg") || str.equalsIgnoreCase("secring.gpg");
                                }
                            });
                            if (null == list || list.length < 3) {
                                throw new IOException("Key Trustee Conf Dir for HSM KMS migration,  re-encryption and fallback is empty. Unexpected in migration and/or re-encryption modes. Halting HSM KMS.");
                            }
                            LOG.info("Found expected Key Trustee Conf Dir state.");
                        }
                        this.srcProvider = KeyProviderFactory.get(uri, kMSConf);
                    } else if (!SCHEME_NAME.equals(uri.getScheme())) {
                        throw new IOException("First element in Migration URI array must be a cloudera.hsmkp:// URI.");
                    }
                }
            } catch (IOException e) {
                LOG.error("Could not load source provider [{}].", this.uris, e);
            }
        }
    }

    /* renamed from: getKeyVersion, reason: merged with bridge method [inline-methods] */
    public SecretKeyVersion m54getKeyVersion(String str) throws IOException {
        return getKeyVersion(str, true, true);
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public SecretKeyVersion getKeyVersion(String str, boolean z, boolean z2) throws IOException {
        String keyName = this.metaKeyStore.getKeyName(str);
        if (z) {
            LOG.debug("Version {} maps to key {}", str, keyName);
        } else {
            LOG.trace("Version {} maps to key {}", str, keyName);
        }
        if (null == keyName) {
            if (!z2 || null == this.srcProvider) {
                return null;
            }
            LOG.info("Found no key version [{}] in this provider but will attempt to fallback to legacy provider.", str);
            KeyProvider.KeyVersion keyVersion = this.srcProvider.getKeyVersion(str);
            if (null == keyVersion) {
                LOG.info("Found no key version [{}] in legacy provider.", str);
                return null;
            }
            String name = keyVersion.getName();
            LOG.info("Found legacy key version [{}] for key name [{}].", keyVersion, name);
            keyName = name;
        }
        return getKeyVersion(keyName, str, z, z2);
    }

    public SecretKeyVersion getKeyVersion(String str, String str2, boolean z, boolean z2) throws IOException {
        SecretKey secretKey;
        this.readLock.lock();
        try {
            KeyProvider.Metadata versionedMetadata = getVersionedMetadata(str, str2);
            if (z2 && versionedMetadata == null && this.srcProvider != null) {
                LOG.debug("Attempting fallback on versioned metadata fetch for key [{}] and versionname [{}]", str, str2);
                versionedMetadata = getVersionedMetadata(str, str2, true);
                if (null != versionedMetadata) {
                    SecretKeyVersion secretKeyVersion = new SecretKeyVersion(str, str2, null, null);
                    this.readLock.unlock();
                    return secretKeyVersion;
                }
            }
            String str3 = null;
            if (this.useHSM && null != versionedMetadata) {
                str3 = (String) versionedMetadata.getAttributes().get(HSM_KEY_NAME_KEY);
            }
            if (z) {
                LOG.debug("Current HSM key name is {} for {}.", str3, str2);
            } else {
                LOG.trace("Current HSM key name is {} for {}.", str3, str2);
            }
            try {
                try {
                    try {
                        try {
                            if (this.useHSM) {
                                if ((this.metaKeyStore.engineContainsAlias(str) && null == str3) || !this.helper.getKeyStore().containsAlias(str3)) {
                                    LOG.debug("Key is present in themetaKeyStore and not in keyStore. The reason for the same is that the key originated on the peer.");
                                    reloadKeys();
                                }
                                if (null == str3 || !this.helper.getKeyStore().containsAlias(str3)) {
                                    LOG.debug("Key is not present in the keystore.");
                                    this.readLock.unlock();
                                    return null;
                                }
                                secretKey = (SecretKey) this.helper.getKeyStore().getKey(str3, this.hsmPassword.toCharArray());
                            } else {
                                if (!this.metaKeyStore.engineContainsAlias(str)) {
                                    this.metaKeyStore.engineLoad(null, this.masterKey);
                                    if (!this.metaKeyStore.engineContainsAlias(str)) {
                                        LOG.debug("Metadata KeyStore doesnt contain the Alias");
                                        this.readLock.unlock();
                                        return null;
                                    }
                                }
                                secretKey = (SecretKey) this.metaKeyStore.engineGetKey(str2, this.masterKey);
                            }
                            byte[] bArr = null;
                            if (!this.useHSM && null != secretKey) {
                                bArr = secretKey.getEncoded();
                            }
                            SecretKeyVersion secretKeyVersion2 = new SecretKeyVersion(str, str2, bArr, secretKey);
                            this.readLock.unlock();
                            return secretKeyVersion2;
                        } catch (KeyStoreException e) {
                            throw new IOException("Can't get hsm key " + str3 + " for key " + str2 + " from " + getConnectionURLString(), e);
                        }
                    } catch (NoSuchAlgorithmException e2) {
                        throw new IOException("Can't get algorithm for key " + ((Object) null) + " from " + getConnectionURLString(), e2);
                    }
                } catch (CertificateException e3) {
                    throw new IOException("Certificate exception storing key", e3);
                }
            } catch (UnrecoverableKeyException e4) {
                throw new IOException("Can't recover key " + ((Object) null) + " from " + getConnectionURLString(), e4);
            }
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    public List<String> getKeys() throws IOException {
        this.readLock.lock();
        try {
            HashSet hashSet = new HashSet();
            reloadKeys();
            Enumeration<String> engineAliases = this.metaKeyStore.engineAliases();
            while (engineAliases.hasMoreElements()) {
                hashSet.add(engineAliases.nextElement());
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Get keys returned with {} keys.", Integer.valueOf(hashSet.size()));
            }
            ArrayList arrayList = new ArrayList(hashSet);
            this.readLock.unlock();
            return arrayList;
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        this.readLock.lock();
        try {
            ArrayList arrayList = new ArrayList();
            KeyProvider.Metadata metadata = getMetadata(str);
            if (metadata != null) {
                Iterator<String> it = this.metaKeyStore.getVersions(str).iterator();
                while (it.hasNext()) {
                    arrayList.add(m54getKeyVersion(it.next()));
                }
            }
            if (null != this.srcProvider) {
                Map attributes = metadata.getAttributes();
                for (String str2 : attributes.keySet()) {
                    if (str2.startsWith(LEGACY_KEY_VERSION_NAME)) {
                        LOG.info("Adding legacy version name [{}] to list.", str2);
                        arrayList.add(m54getKeyVersion((String) attributes.get(str2)));
                    }
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Key with name {} and size of the keyVersion list is {}.", str, Integer.valueOf(arrayList.size()));
            }
            return arrayList;
        } finally {
            this.readLock.unlock();
        }
    }

    /* renamed from: getCurrentKey, reason: merged with bridge method [inline-methods] */
    public SecretKeyVersion m53getCurrentKey(String str) throws IOException {
        return getCurrentKey(str, true);
    }

    public SecretKeyVersion getCurrentKey(String str, boolean z) throws IOException {
        KeyProvider.Metadata metadata = getMetadata(str);
        String latestVersion = this.metaKeyStore.getLatestVersion(str);
        if (metadata == null) {
            return null;
        }
        return getKeyVersion(latestVersion, z, true);
    }

    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        this.readLock.lock();
        try {
            if (this.cache.containsKey(str)) {
                LOG.debug("Key metadata found in cache.");
                KeyProvider.Metadata metadata = this.cache.get(str);
                this.readLock.unlock();
                return metadata;
            }
            try {
                try {
                    try {
                        if (!this.metaKeyStore.engineContainsAlias(str)) {
                            this.metaKeyStore.engineLoad(null, this.masterKey);
                            if (!this.metaKeyStore.engineContainsAlias(str)) {
                                if (LOG.isDebugEnabled()) {
                                    LOG.debug("Metadata KeyStore doesnt contain the Alias");
                                }
                                return null;
                            }
                        }
                        ClouderaKeyStore.MetadataKeyEntry engineGetMetadata = this.metaKeyStore.engineGetMetadata(str, this.masterKey);
                        if (engineGetMetadata != null) {
                            ClouderaKeyStoreProvider.ClouderaKeyMetadata clouderaKeyMetadata = new ClouderaKeyStoreProvider.ClouderaKeyMetadata(engineGetMetadata);
                            this.cache.put(str, clouderaKeyMetadata);
                            this.readLock.unlock();
                            return clouderaKeyMetadata;
                        }
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("KeyMetadata is null.");
                        }
                        this.readLock.unlock();
                        return null;
                    } catch (ClassCastException e) {
                        throw new IOException("Can't cast key for " + str + " in keystore " + getConnectionURLString() + " to a KeyMetadata. Key may have been added using  keytool or some other non-Hadoop method.", e);
                    }
                } catch (NoSuchAlgorithmException e2) {
                    throw new IOException("Can't get algorithm for " + str + " from keystore " + getConnectionURLString(), e2);
                }
            } catch (CertificateException e3) {
                throw new IOException("Certificate problem " + getConnectionURLString(), e3);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    KeyProvider.Metadata getVersionedMetadata(String str, String str2) throws IOException {
        return getVersionedMetadata(str, str2, false);
    }

    KeyProvider.Metadata getVersionedMetadata(String str, String str2, boolean z) throws IOException {
        LOG.debug("Entered getVersionedMetadata [{}] fallback mode.", z ? "in" : "not in");
        this.readLock.lock();
        try {
            try {
                try {
                    if (!this.metaKeyStore.engineContainsAlias(str)) {
                        this.metaKeyStore.engineLoad(null, this.masterKey);
                        if (!this.metaKeyStore.engineContainsAlias(str)) {
                            LOG.trace("Found no alias named [{}].", str);
                            this.readLock.unlock();
                            return null;
                        }
                    }
                    ClouderaKeyStore.MetadataKeyEntry engineGetMetadata = this.metaKeyStore.engineGetMetadata(str, str2, this.masterKey, z);
                    if (engineGetMetadata != null) {
                        ClouderaKeyStoreProvider.ClouderaKeyMetadata clouderaKeyMetadata = new ClouderaKeyStoreProvider.ClouderaKeyMetadata(engineGetMetadata);
                        this.readLock.unlock();
                        return clouderaKeyMetadata;
                    }
                    LOG.trace("Found no key metadata for key [{}] with version [{}].", str, str2);
                    this.readLock.unlock();
                    return null;
                } catch (ClassCastException e) {
                    throw new IOException("Can't cast key for " + str2 + " in keystore " + getConnectionURLString() + " to a KeyMetadata. Key may have been added using  keytool or some other non-Hadoop method.", e);
                }
            } catch (NoSuchAlgorithmException e2) {
                throw new IOException("Can't get algorithm for " + str2 + " from keystore " + getConnectionURLString(), e2);
            } catch (CertificateException e3) {
                throw new IOException("Certificate problem " + getConnectionURLString(), e3);
            }
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v31, types: [java.util.Map] */
    public KeyProvider.KeyVersion createKey(String str, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException {
        HashMap hashMap;
        SecretKey secretKey;
        String genUuid = DaoUtil.genUuid();
        String generateHsmKeyName = generateHsmKeyName(str, genUuid);
        if (options.getAttributes().isEmpty()) {
            hashMap = new HashMap();
            LOG.debug("options.getAttribute is empty. Creating a new Hashmap.");
        } else {
            hashMap = options.getAttributes();
        }
        hashMap.put(HSM_KEY_NAME_KEY, generateHsmKeyName);
        options.setAttributes(hashMap);
        try {
            if (this.useHSM) {
                LOG.debug("Generating secret key on HSM.");
                secretKey = this.helper.generateSecretKey(generateHsmKeyName, options.getBitLength(), options.getCipher());
            } else {
                LOG.debug("Generating secret key locally.");
                byte[] generateKey = super.generateKey(options.getBitLength(), options.getCipher());
                LOG.trace("Generated key with cipher {} and length {}. Encoded size is {}.", new Object[]{options.getCipher(), Integer.valueOf(options.getBitLength()), Integer.valueOf(generateKey.length)});
                ClouderaSecretKey clouderaSecretKey = new ClouderaSecretKey(options.getCipher(), "RAW", generateKey);
                LOG.trace("Secret Key has format [{}] and encoded length [{}].", clouderaSecretKey.getFormat(), Integer.valueOf(clouderaSecretKey.getEncoded().length));
                secretKey = clouderaSecretKey;
            }
            LOG.debug("Creating key with name [{}] and the hsmKeyName is [{}].", str, generateHsmKeyName);
            logCacheInformation();
            return createKey(str, genUuid, secretKey, options);
        } catch (InvalidAlgorithmParameterException e) {
            throw new NoSuchAlgorithmException(e);
        }
    }

    private void logCacheInformation() {
        Configuration conf = getConf();
        LOG.info("hadoop.security.kms.encrypted.key.cache.size : {}", conf.get("hadoop.security.kms.encrypted.key.cache.size"));
        LOG.info("hadoop.security.kms.encrypted.key.cache.low.watermark : {}", conf.get("hadoop.security.kms.encrypted.key.cache.low.watermark"));
        LOG.info("hadoop.security.kms.client.encrypted.key.cache.size : {}", conf.get("hadoop.security.kms.client.encrypted.key.cache.size"));
        LOG.info("hadoop.security.kms.client.encrypted.key.cache.low-watermark : {}", conf.get("hadoop.security.kms.client.encrypted.key.cache.low-watermark"));
    }

    private String generateHsmKeyName(String str, String str2) {
        return str.substring(0, Math.min(28, str.length())) + "-" + str2;
    }

    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        try {
            this.writeLock.lock();
            setSyncAllPending(true);
            if (this.useHSM) {
                throw new IOException("Method unsupported on HSMKeyProvider.");
            }
            reloadKeys();
            if (this.metaKeyStore.engineContainsAlias(str) || this.cache.containsKey(str)) {
                throw new IOException("Key " + str + " already exists");
            }
            if (this.metaKeyStore.engineContainsDeletedAlias(str)) {
                throw new IOException("Key " + str + " already exists. Key has been deleted but not purged.");
            }
            HSMProviderMetadata hSMProviderMetadata = new HSMProviderMetadata(options.getCipher(), options.getBitLength(), options.getDescription(), options.getAttributes(), new Date(), 1);
            if (options.getBitLength() != 8 * bArr.length) {
                throw new IOException("Wrong key length. Required " + options.getBitLength() + ", but got " + (8 * bArr.length));
            }
            this.cache.put(str, hSMProviderMetadata);
            KeyProvider.KeyVersion innerSetKeyVersion = innerSetKeyVersion(str, DaoUtil.genUuid(), new SecretKeySpec(bArr, options.getCipher()), hSMProviderMetadata.getCipher(), hSMProviderMetadata.getBitLength(), hSMProviderMetadata.getDescription(), hSMProviderMetadata.getAttributes());
            setSyncAllPending(false);
            this.writeLock.unlock();
            return innerSetKeyVersion;
        } catch (Throwable th) {
            setSyncAllPending(false);
            this.writeLock.unlock();
            throw th;
        }
    }

    public KeyProvider.KeyVersion createKey(String str, String str2, SecretKey secretKey, KeyProvider.Options options) throws IOException {
        this.writeLock.lock();
        setSyncAllPending(true);
        reloadKeys();
        try {
            if (this.metaKeyStore.engineContainsAlias(str) || this.cache.containsKey(str)) {
                throw new IOException("Key " + str + " already exists in " + this);
            }
            if (this.metaKeyStore.engineContainsDeletedAlias(str)) {
                throw new IOException("Key " + str + " already exists. Key has been deleted but not purged.");
            }
            HSMProviderMetadata hSMProviderMetadata = new HSMProviderMetadata(options.getCipher(), options.getBitLength(), options.getDescription(), options.getAttributes(), new Date(), 1);
            this.cache.put(str, hSMProviderMetadata);
            KeyProvider.KeyVersion innerSetKeyVersion = innerSetKeyVersion(str, str2, secretKey, hSMProviderMetadata.getCipher(), hSMProviderMetadata.getBitLength(), hSMProviderMetadata.getDescription(), hSMProviderMetadata.getAttributes());
            setSyncAllPending(false);
            this.writeLock.unlock();
            return innerSetKeyVersion;
        } catch (Throwable th) {
            setSyncAllPending(false);
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public String consumeDeposit(Deposit deposit) throws IOException {
        KeyProvider.KeyVersion createKey;
        if (this.writeLock.tryLock()) {
            try {
                createKey = createKey(deposit);
                flush();
            } finally {
                this.writeLock.unlock();
            }
        } else {
            LOG.info("Deposit received from remote peer while local write in progress. Queueing remote deposit [{}]. Later error will be reported if deposit consumption fails.", deposit.getUuid());
            createKey = queueDeposit(deposit);
        }
        return createKey.getVersionName();
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public Deposit findActiveDepositByVersion(String str) {
        return this.metaKeyStore.findActiveDepositByVersion(str);
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public Long getMaxDepositSeqNum() {
        return Long.valueOf(this.metaKeyStore.getMaxDepositSeqNum());
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public List<Deposit> findDepositSeqNumGreaterThan(Long l) {
        return this.metaKeyStore.findDepositSeqNumGreaterThan(l);
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public List<KeyProvider.KeyVersion> getKeyVersionsWithSeqNumGreaterThan(Long l) {
        ArrayList arrayList = new ArrayList();
        List<Deposit> findDepositSeqNumGreaterThan = findDepositSeqNumGreaterThan(l);
        LOG.debug("Found {} deposits with seqNum greater than {}.", Integer.valueOf(findDepositSeqNumGreaterThan.size()), l);
        Iterator<Deposit> it = findDepositSeqNumGreaterThan.iterator();
        while (it.hasNext()) {
            try {
                m54getKeyVersion(it.next().getUuid());
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        return arrayList;
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public List<DeleteStatusChange> getDeletedDepositUUIDsGreaterThanSeqNum(Long l) {
        return this.metaKeyStore.getStatusChangeGreaterThan(l);
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public long handleDeleteDeposit(List<DeleteStatusChange> list) throws IOException {
        try {
            if (!this.writeLock.tryLock(60L, TimeUnit.SECONDS)) {
                throw new IOException("Failure to acquire writelock for delete processing. This usually means a large number of new keys are being synchronized. Try re-starting this node.");
            }
            try {
                long handleDeleteDeposit = this.metaKeyStore.handleDeleteDeposit(list);
                this.writeLock.unlock();
                return handleDeleteDeposit;
            } catch (Throwable th) {
                this.writeLock.unlock();
                throw th;
            }
        } catch (InterruptedException e) {
            throw new IOException("Interrupted while waiting to acquire writelock for delete processing. This usually means a large number of new keys are being synchronized. Try re-starting this node.");
        }
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public Long getMaxStatusChangeSeqNum() {
        return Long.valueOf(this.metaKeyStore.getMaxStatusChangeSeqNum());
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public List getUUIDs() {
        return this.metaKeyStore.getAllUUIDs();
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public List<DeleteStatusChange> findDeleteStatusChangeGreaterThanSeqNum(Long l) {
        return this.metaKeyStore.findDeleteStatusChangeSeqNumGreaterThan(l);
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public String getDepositUUID(String str) {
        return this.metaKeyStore.getDepositUUID(str);
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public void readUnlock() {
        this.readLock.unlock();
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public void readLock() {
        this.readLock.lock();
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public List<String> deleteDeposit(String str, long j) throws IOException {
        List<String> versions;
        if (this.writeLock.tryLock()) {
            versions = this.metaKeyStore.getVersions(str);
            try {
                if (null != versions) {
                    deleteKey(str, false, j);
                } else {
                    versions = this.metaKeyStore.getAllVersions(str);
                }
                this.writeLock.unlock();
            } catch (Throwable th) {
                this.writeLock.unlock();
                throw th;
            }
        } else {
            LOG.info("DeleteStatusChange received from remote peer while local write in progress. Queueing remote delete [{}]. Later error will be reported if status change consumption fails.", str);
            versions = this.metaKeyStore.getVersions(str);
            queueDelete(str, Long.valueOf(j));
        }
        return versions;
    }

    private KeyProvider.KeyVersion queueDeposit(Deposit deposit) {
        HSMProviderKeyVersion hSMProviderKeyVersion;
        synchronized (this.queuedRemoteDeposits) {
            String name = deposit.getName();
            String uuid = deposit.getUuid();
            this.queuedRemoteDeposits.put(uuid, deposit);
            hSMProviderKeyVersion = new HSMProviderKeyVersion(name, uuid, null);
        }
        return hSMProviderKeyVersion;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v42, types: [javax.crypto.SecretKey] */
    KeyProvider.KeyVersion createKey(Deposit deposit) throws IOException {
        String name = deposit.getName();
        String uuid = deposit.getUuid();
        SecretKeySpec secretKeySpec = null;
        String str = null;
        deposit.setSequenceNumber(this.metaKeyStore.getNextDepositSeqNum());
        if (this.useHSM) {
            str = getHSMKeyNameFromReceivedEntity(deposit);
            LOG.info("Received entity for HSM key name [" + str + "].");
        }
        KeyOption keyOption = deposit.getKeyOption();
        try {
            if (null != getKeyVersion(uuid, true, false)) {
                LOG.info("Attempting to consume deposit {} that is already synced", name);
            } else {
                Map<String, String> keyOptionAttributesMap = getKeyOptionAttributesMap(keyOption);
                keyOptionAttributesMap.put(ClouderaKeyStore.ORIGINAL_DEPOSIT_CREATION_TIMESTAMP, String.valueOf(deposit.getOriginalCreationTime().getTime()));
                this.cache.put(name, new HSMProviderMetadata(keyOption.getCipher(), keyOption.getBitLength(), keyOption.getDescription(), keyOptionAttributesMap, new Date(), 1));
                MetaBlob metaBlob = deposit.getMetaBlob();
                if (this.useHSM) {
                    if (null != metaBlob) {
                        this.helper.loadKeyStore();
                        this.helper.saveKeyFile(metaBlob);
                        this.helper.addToBlobFilenameSuffixMap(str, metaBlob.getName());
                        this.helper.storeKeyStore();
                        this.helper.loadKeyStore();
                    }
                    if (null == str || !this.helper.getKeyStore().containsAlias(str)) {
                        LOG.error("Key is not present in the keystore. Sync/save was insufficient. Will try writing it now");
                    }
                    secretKeySpec = (SecretKey) this.helper.getKeyStore().getKey(str, this.hsmPassword.toCharArray());
                    this.metaKeyStore.addKeyEntry(name, null, this.masterKey, deposit.getKeyOption().getCipher(), deposit.getKeyOption().getBitLength(), deposit.getDescription(), uuid, keyOptionAttributesMap);
                    this.metaKeyStore.engineStore((OutputStream) null, this.masterKey);
                    reloadKeys();
                } else {
                    secretKeySpec = new SecretKeySpec(deposit.getContent().getBytes(), keyOption.getCipher());
                    this.metaKeyStore.addKeyEntry(name, secretKeySpec, this.masterKey, deposit.getKeyOption().getCipher(), deposit.getKeyOption().getBitLength(), deposit.getKeyOption().getDescription(), uuid, keyOptionAttributesMap);
                }
                this.changed = true;
            }
            byte[] bArr = null;
            if (!this.useHSM && null != secretKeySpec) {
                bArr = secretKeySpec.getEncoded();
            }
            return new HSMProviderKeyVersion(name, uuid, bArr);
        } catch (KeyStoreException e) {
            throw new IOException("Error loading HSM keystore or adding entry to metadata store.", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new IOException("No algorithm available on HSM to support key [" + str + "].", e2);
        } catch (UnrecoverableKeyException e3) {
            throw new IOException("Could not recover HSM key [" + str + "] from HSM keystore.", e3);
        } catch (CertificateException e4) {
            throw new IOException("Certificate Exception on ", e4);
        }
    }

    private Map<String, String> getKeyOptionAttributesMap(KeyOption keyOption) {
        HashMap hashMap = new HashMap(keyOption.getAttributes().size());
        for (KeyOptionAttribute keyOptionAttribute : keyOption.getAttributes()) {
            hashMap.put(keyOptionAttribute.getKey(), keyOptionAttribute.getValue());
        }
        return hashMap;
    }

    private String getHSMKeyNameFromReceivedEntity(Deposit deposit) {
        String str = null;
        for (KeyOptionAttribute keyOptionAttribute : deposit.getKeyOption().getAttributes()) {
            if (keyOptionAttribute.getKey().equals(HSM_KEY_NAME_KEY)) {
                str = keyOptionAttribute.getValue();
            }
        }
        return str;
    }

    KeyProvider.KeyVersion innerSetKeyVersion(String str, String str2, SecretKey secretKey, String str3, int i, String str4, Map<String, String> map) throws IOException {
        try {
            String str5 = map.get(HSM_KEY_NAME_KEY);
            if (this.useHSM) {
                this.helper.setKeyEntry(str5, secretKey, this.hsmPassword.toCharArray(), null);
                this.metaKeyStore.addKeyEntry(str, null, this.masterKey, str3, i, str4, str2, map);
            } else {
                this.metaKeyStore.addKeyEntry(str, secretKey, this.masterKey, str3, i, str4, str2, map);
            }
            this.changed = true;
            byte[] bArr = null;
            if (!this.useHSM && null != secretKey) {
                bArr = secretKey.getEncoded();
            }
            if (this.useHSM) {
                try {
                    this.helper.storeKeyStore();
                } catch (NoSuchAlgorithmException e) {
                    e.printStackTrace();
                    throw new IOException(e.getMessage());
                } catch (CertificateException e2) {
                    e2.printStackTrace();
                }
            }
            if (!syncInnerSetKeyVersion(str, str2)) {
                this.metaKeyStore.clearEntries();
                reloadKeys();
                throw new IOException(String.format("Unable to sync key version [%s, %s] with peer.", str, str2));
            }
            flush();
            consumeQueuedRemoteDeposits();
            consumeQueuedRemoteDeletes();
            this.peerHelper.syncAllToPeers();
            return new HSMProviderKeyVersion(str, str2, bArr);
        } catch (KeyStoreException e3) {
            throw new IOException("Can't store key " + str + " in " + this, e3);
        }
    }

    private void consumeQueuedRemoteDeposits() throws IOException {
        synchronized (this.queuedRemoteDeposits) {
            Iterator<Map.Entry<String, Deposit>> it = this.queuedRemoteDeposits.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry<String, Deposit> next = it.next();
                String key = next.getKey();
                Deposit value = next.getValue();
                LOG.debug("Attempting to store queued remote deposit [{}].", key);
                if (getDepositUUID(value.getUuid()) == null) {
                    createKey(value);
                }
                LOG.debug("Stored queued remote deposit [{}].", key);
                it.remove();
            }
        }
    }

    private boolean syncInnerSetKeyVersion(String str, String str2) throws IOException {
        boolean z = false;
        try {
            z = this.peerHelper.updateDeposit(str2, this.metaKeyStore.createKmsDeposit(str, this.masterKey));
        } catch (JDODataStoreException e) {
            LOG.error("Local store unavailable. Is metastore service running?", e);
        } catch (NoSuchAlgorithmException e2) {
            LOG.error(String.format("Sync key version failed for [%s, %s].", str, str2), e2);
        }
        return z;
    }

    private void queueDelete(String str, Long l) {
        synchronized (this.queuedRemoteDeletes) {
            this.queuedRemoteDeletes.put(str, l);
        }
    }

    public void deleteKey(String str) throws IOException {
        try {
            this.writeLock.lock();
            deleteKey(str, true, new Date().getTime());
            consumeQueuedRemoteDeletes();
        } finally {
            this.writeLock.unlock();
        }
    }

    private void consumeQueuedRemoteDeletes() throws IOException {
        synchronized (this.queuedRemoteDeletes) {
            for (Map.Entry<String, Long> entry : this.queuedRemoteDeletes.entrySet()) {
                String key = entry.getKey();
                Long value = entry.getValue();
                LOG.debug("Attempting to store queued remote delete [{}].", key);
                if (null != getMetadata(key)) {
                    deleteKey(key, false, value.longValue());
                }
                LOG.debug("Stored queued remote delete [{}].", key);
            }
        }
    }

    public void deleteKey(String str, boolean z, long j) throws IOException {
        reloadKeys();
        if (getMetadata(str) == null) {
            throw new IOException("Key " + str + " does not exist in " + this);
        }
        List<String> versions = this.metaKeyStore.getVersions(str);
        try {
            if (this.metaKeyStore.engineContainsAlias(str)) {
                this.metaKeyStore.engineDeleteEntry(str, j);
            }
            if (z && !this.peerHelper.deleteDeposit(str, versions, j)) {
                LOG.warn("Unable to complete delete on all nodes. Sync responded with a failure. Minimum persistence not reached.");
                throw new IOException("Unable to complete delete on all nodes. Sync responded with a failure. Minimum persistence not reached.");
            }
            this.cache.remove(str);
            this.changed = true;
        } catch (KeyStoreException e) {
            throw new IOException("Problem removing " + str + " from " + this, e);
        }
    }

    public KeyProvider.KeyVersion rollNewVersion(String str) throws NoSuchAlgorithmException, IOException {
        SecretKey clouderaSecretKey;
        KeyProvider.Metadata metadata = getMetadata(str);
        if (metadata == null) {
            throw new IOException("Can't find Metadata for key " + str);
        }
        String genUuid = DaoUtil.genUuid();
        String generateHsmKeyName = generateHsmKeyName(str, genUuid);
        LOG.debug("Rolling the key with name {} for hsmKeyName {}", str, generateHsmKeyName);
        try {
            if (this.useHSM) {
                clouderaSecretKey = this.helper.generateSecretKey(generateHsmKeyName, metadata.getBitLength(), metadata.getCipher());
            } else {
                clouderaSecretKey = new ClouderaSecretKey(metadata.getCipher(), null, super.generateKey(metadata.getBitLength(), metadata.getCipher()));
            }
            logCacheInformation();
            return rollNewVersion(str, genUuid, generateHsmKeyName, clouderaSecretKey);
        } catch (InvalidAlgorithmParameterException e) {
            throw new NoSuchAlgorithmException(e);
        }
    }

    public void close() throws IOException {
        super.close();
        LOG.warn("HSM Key Provider is being closed. Closing metastore connection.");
        this.pmf.close();
        this.messagingServer.close();
    }

    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        if (this.useHSM) {
            throw new IOException("Unimplemented.");
        }
        try {
            setSyncAllPending(true);
            reloadKeys();
            KeyProvider.Metadata metadata = getMetadata(str);
            if (metadata == null) {
                throw new IOException("Key " + str + " not found");
            }
            if (metadata.getBitLength() != 8 * bArr.length) {
                throw new IOException("Wrong key length. Required " + metadata.getBitLength() + ", but got " + (8 * bArr.length));
            }
            KeyProvider.KeyVersion innerSetKeyVersion = innerSetKeyVersion(str, DaoUtil.genUuid(), new SecretKeySpec(bArr, metadata.getCipher()), metadata.getCipher(), metadata.getBitLength(), metadata.getDescription(), metadata.getAttributes());
            setSyncAllPending(false);
            return innerSetKeyVersion;
        } catch (Throwable th) {
            setSyncAllPending(false);
            throw th;
        }
    }

    public KeyProvider.KeyVersion rollNewVersion(String str, String str2, String str3, SecretKey secretKey) throws IOException {
        this.writeLock.lock();
        setSyncAllPending(true);
        try {
            reloadKeys();
            KeyProvider.Metadata metadata = getMetadata(str);
            if (metadata == null) {
                throw new IOException("Key " + str + " not found");
            }
            LOG.debug("Rolling the key with name {} and version {}.", str, str2);
            Map attributes = metadata.getAttributes();
            if (this.useHSM && null != str3) {
                attributes.put(HSM_KEY_NAME_KEY, str3);
            }
            KeyProvider.KeyVersion innerSetKeyVersion = innerSetKeyVersion(str, str2, secretKey, metadata.getCipher(), metadata.getBitLength(), metadata.getDescription(), metadata.getAttributes());
            setSyncAllPending(false);
            this.writeLock.unlock();
            return innerSetKeyVersion;
        } catch (Throwable th) {
            setSyncAllPending(false);
            this.writeLock.unlock();
            throw th;
        }
    }

    public void flush() throws IOException {
        this.writeLock.lock();
        try {
            try {
                if (this.changed) {
                    try {
                        if (this.useHSM) {
                            this.helper.storeKeyStore();
                        }
                        this.metaKeyStore.engineStore((OutputStream) null, this.masterKey);
                        this.nextSeqNum = null;
                        reloadKeys();
                        this.changed = false;
                        this.writeLock.unlock();
                    } catch (NoSuchAlgorithmException e) {
                        throw new IOException("No such algorithm storing key", e);
                    } catch (CertificateException e2) {
                        throw new IOException("Certificate exception storing key", e2);
                    }
                }
            } catch (IOException e3) {
                reloadKeys();
                throw e3;
            }
        } finally {
            this.writeLock.unlock();
        }
    }

    @Override // com.cloudera.keytrustee.sync.PeerHelper.DepositGroupRuntimeStateListener
    public void updateDepositGroupAttributes(List<DepositGroupAttribute> list) throws IOException {
        if (this.useHSM) {
            this.helper.updateDepositGroupAttributes(list);
        }
    }

    @Override // com.cloudera.keytrustee.sync.PeerHelper.DepositGroupRuntimeStateListener
    public void updateDepositGroupMetaBlob(MetaBlob metaBlob) throws IOException {
        if (this.useHSM) {
            this.helper.updateDepositGroupMetaBlob(metaBlob);
        }
    }

    @Override // com.cloudera.keytrustee.ClouderaKeyStore.KeyStoreAttributeStorageHelper
    public void updateDeltaEntryAttributesBeforeStore(Map<String, String> map) throws IOException {
        if (this.useHSM) {
            this.helper.updateAttributesAfterHsmStore(map);
        }
    }

    @Override // com.cloudera.keytrustee.ClouderaKeyStore.KeyStoreAttributeStorageHelper
    public MetaBlob getMetaBlobForHsmKeyName(String str) throws IOException {
        MetaBlob metaBlob = null;
        if (this.useHSM) {
            metaBlob = this.helper.getMetaBlobForHsmKeyName(str);
        }
        return metaBlob;
    }

    protected byte[] generateKey(int i, String str) throws NoSuchAlgorithmException {
        if (this.useHSM) {
            throw new NoSuchAlgorithmException("HSMKeyProvider.generateKey unimplemented. Use HSMKeyProvider.generateSecretKey.");
        }
        return super.generateKey(i, str);
    }

    private String getAlgorithm(String str) {
        int indexOf = str.indexOf(47);
        if (indexOf != -1) {
            return str.substring(0, indexOf);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Using cipher {}.", str);
        }
        return str;
    }

    private void loadKeys(char[] cArr) throws NoSuchAlgorithmException, CertificateException, IOException {
        this.metaKeyStore.engineLoad(null, cArr);
    }

    private void reloadKeys() throws IOException {
        try {
            this.cache.clear();
            loadKeys(this.masterKey);
            if (this.useHSM) {
                this.helper.loadKeyStore();
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("Can't load Keys");
        } catch (CertificateException e2) {
            throw new IOException("Can't load Keys");
        }
    }

    private String getConnectionURLString() {
        return (String) this.dbConnectionProperties.get("javax.jdo.option.ConnectionURL");
    }

    public String toString() {
        return this.uri.toString();
    }

    public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String str) throws IOException, GeneralSecurityException {
        byte[] bArr;
        byte[] bArr2;
        SecretKeyVersion currentKey = getCurrentKey(str, false);
        Preconditions.checkNotNull(currentKey, "No KeyVersion exists for key '%s' ", new Object[]{str});
        LOG.trace("Generating Encrypted Key for key name [{}] and versionName [{}]", str, currentKey.getVersionName());
        Cipher cipher = null;
        Encryptor encryptor = null;
        if (this.useHSM) {
            cipher = this.helper.getCipherInstance("AES/CTR/NoPadding");
            bArr = new byte[16];
            bArr2 = new byte[cipher.getBlockSize()];
            this.helper.getNextSecureRandomBytes(bArr);
            this.helper.getNextSecureRandomBytes(bArr2);
        } else {
            CryptoCodec cryptoCodec = CryptoCodec.getInstance(getConf());
            bArr = new byte[currentKey.getSecretKey().getEncoded().length];
            cryptoCodec.generateSecureRandom(bArr);
            bArr2 = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
            cryptoCodec.generateSecureRandom(bArr2);
            byte[] deriveIV = HSMProviderEncryptedKeyVersion.deriveIV(bArr2);
            encryptor = cryptoCodec.createEncryptor();
            LOG.trace("Key length is [{}]. IV length is [{}].", Integer.valueOf(currentKey.getSecretKey().getEncoded().length), Integer.valueOf(bArr2.length));
            encryptor.init(currentKey.getSecretKey().getEncoded(), deriveIV);
        }
        return generateEncryptedKey(encryptor, cipher, currentKey, bArr, bArr2);
    }

    public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        String encryptionKeyVersionName = encryptedKeyVersion.getEncryptionKeyVersionName();
        SecretKeyVersion m54getKeyVersion = m54getKeyVersion(encryptionKeyVersionName);
        if ((m54getKeyVersion == null || (m54getKeyVersion.getMaterial() == null && this.metaKeyStore.getKeyName(encryptionKeyVersionName) == null)) && null != this.srcProvider) {
            LOG.info("No key version [{}] found. Falling back to configured reencryption source [{}].", encryptedKeyVersion, this.srcProvider.getConf().get("hadoop.kms.key.provider.uri"));
            return KeyProviderCryptoExtension.createKeyProviderCryptoExtension(this.srcProvider).decryptEncryptedKey(encryptedKeyVersion);
        }
        LOG.debug("Decrypting Encrypted Key for {}", encryptionKeyVersionName);
        Preconditions.checkNotNull(m54getKeyVersion, "KeyVersion name '%s' does not exist", new Object[]{encryptionKeyVersionName});
        Preconditions.checkArgument(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName().equals("EEK"), "encryptedKey version name must be '%s', is '%s'", new Object[]{"EEK", encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()});
        byte[] deriveIV = HSMProviderEncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv());
        if (!this.useHSM || 0 != 0) {
            Decryptor createDecryptor = CryptoCodec.getInstance(getConf()).createDecryptor();
            createDecryptor.init(m54getKeyVersion.getSecretKey().getEncoded(), deriveIV);
            KeyProvider.KeyVersion encryptedKeyVersion2 = encryptedKeyVersion.getEncryptedKeyVersion();
            int length = encryptedKeyVersion2.getMaterial().length;
            ByteBuffer allocateDirect = ByteBuffer.allocateDirect(length);
            ByteBuffer allocateDirect2 = ByteBuffer.allocateDirect(length);
            allocateDirect.put(encryptedKeyVersion2.getMaterial());
            allocateDirect.flip();
            createDecryptor.decrypt(allocateDirect, allocateDirect2);
            allocateDirect2.flip();
            byte[] bArr = new byte[length];
            allocateDirect2.get(bArr);
            return new HSMProviderKeyVersion(m54getKeyVersion.getName(), "EK", bArr);
        }
        Cipher cipherInstance = this.helper.getCipherInstance("AES/CTR/NoPadding");
        cipherInstance.init(2, m54getKeyVersion.getSecretKey(), new IvParameterSpec(deriveIV));
        KeyProvider.KeyVersion encryptedKeyVersion3 = encryptedKeyVersion.getEncryptedKeyVersion();
        int length2 = encryptedKeyVersion3.getMaterial().length;
        ByteBuffer allocateDirect3 = ByteBuffer.allocateDirect(length2);
        ByteBuffer allocateDirect4 = ByteBuffer.allocateDirect(length2);
        allocateDirect3.put(encryptedKeyVersion3.getMaterial());
        allocateDirect3.flip();
        byte[] bArr2 = new byte[length2];
        allocateDirect3.get(bArr2);
        byte[] doFinal = cipherInstance.doFinal(bArr2);
        byte[] bArr3 = new byte[length2];
        allocateDirect4.put(doFinal);
        allocateDirect4.flip();
        allocateDirect4.get(bArr3);
        return new HSMProviderKeyVersion(m54getKeyVersion.getName(), "EK", bArr3);
    }

    public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        String encryptionKeyName = encryptedKeyVersion.getEncryptionKeyName();
        SecretKeyVersion m53getCurrentKey = m53getCurrentKey(encryptionKeyName);
        Preconditions.checkNotNull(m53getCurrentKey, "KeyVersion name '%s' does not exist", new Object[]{encryptionKeyName});
        Preconditions.checkArgument(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName().equals("EEK"), "encryptedKey version name must be '%s', is '%s'", new Object[]{"EEK", encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()});
        if (encryptedKeyVersion.getEncryptedKeyVersion().equals(m53getCurrentKey)) {
            return encryptedKeyVersion;
        }
        KeyProvider.KeyVersion decryptEncryptedKey = decryptEncryptedKey(encryptedKeyVersion);
        CryptoCodec cryptoCodec = CryptoCodec.getInstance(getConf());
        try {
            Cipher cipher = null;
            if (this.useHSM) {
                cipher = this.helper.getCipherInstance("AES/CTR/NoPadding");
            }
            KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey = generateEncryptedKey(cryptoCodec.createEncryptor(), cipher, m53getCurrentKey, decryptEncryptedKey.getMaterial(), encryptedKeyVersion.getEncryptedKeyIv());
            cryptoCodec.close();
            return generateEncryptedKey;
        } catch (Throwable th) {
            cryptoCodec.close();
            throw th;
        }
    }

    public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> list) throws IOException, GeneralSecurityException {
        Preconditions.checkNotNull(list, "Input list is null");
        CryptoCodec cryptoCodec = CryptoCodec.getInstance(getConf());
        Throwable th = null;
        try {
            try {
                Encryptor createEncryptor = cryptoCodec.createEncryptor();
                ListIterator<KeyProviderCryptoExtension.EncryptedKeyVersion> listIterator = list.listIterator();
                while (listIterator.hasNext()) {
                    KeyProviderCryptoExtension.EncryptedKeyVersion next = listIterator.next();
                    Preconditions.checkNotNull(next, "EncryptedKeyVersion is null");
                    String encryptionKeyName = next.getEncryptionKeyName();
                    Preconditions.checkNotNull(encryptionKeyName, "Key name is null");
                    SecretKeyVersion m53getCurrentKey = m53getCurrentKey(encryptionKeyName);
                    Preconditions.checkNotNull(m53getCurrentKey, "KeyVersion name '%s' does not exist", new Object[]{encryptionKeyName});
                    Preconditions.checkArgument(next.getEncryptedKeyVersion().getVersionName().equals("EEK"), "encryptedKey version name must be '%s', is '%s'", new Object[]{"EEK", next.getEncryptedKeyVersion().getVersionName()});
                    if (!next.getEncryptedKeyVersion().equals(m53getCurrentKey)) {
                        Cipher cipher = null;
                        if (this.useHSM) {
                            cipher = this.helper.getCipherInstance("AES/CTR/NoPadding");
                        }
                        listIterator.set(generateEncryptedKey(createEncryptor, cipher, m53getCurrentKey, decryptEncryptedKey(next).getMaterial(), next.getEncryptedKeyIv()));
                    }
                }
                if (cryptoCodec != null) {
                    if (0 == 0) {
                        cryptoCodec.close();
                        return;
                    }
                    try {
                        cryptoCodec.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (cryptoCodec != null) {
                if (th != null) {
                    try {
                        cryptoCodec.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    cryptoCodec.close();
                }
            }
            throw th4;
        }
    }

    private KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(Encryptor encryptor, Cipher cipher, SecretKeyVersion secretKeyVersion, byte[] bArr, byte[] bArr2) throws IOException, GeneralSecurityException {
        int length = bArr.length;
        ByteBuffer allocateDirect = ByteBuffer.allocateDirect(length);
        ByteBuffer allocateDirect2 = ByteBuffer.allocateDirect(length);
        allocateDirect.put(bArr);
        allocateDirect.flip();
        byte[] bArr3 = new byte[length];
        allocateDirect.get(bArr3);
        byte[] deriveIV = HSMProviderEncryptedKeyVersion.deriveIV(bArr2);
        if (!this.useHSM) {
            encryptor.init(secretKeyVersion.getSecretKey().getEncoded(), deriveIV);
            encryptor.encrypt(allocateDirect, allocateDirect2);
            byte[] bArr4 = new byte[length];
            allocateDirect2.get(bArr4);
            return new HSMProviderEncryptedKeyVersion(secretKeyVersion.getName(), secretKeyVersion.getVersionName(), bArr2, new HSMProviderKeyVersion(secretKeyVersion.getName(), "EEK", bArr4));
        }
        LOG.trace("Generating encrypted key using encryption key [{}] with secret [{}].", secretKeyVersion, secretKeyVersion.getSecretKey());
        cipher.init(1, secretKeyVersion.getSecretKey(), new IvParameterSpec(deriveIV));
        allocateDirect2.put(cipher.doFinal(bArr3));
        allocateDirect2.flip();
        byte[] bArr5 = new byte[length];
        allocateDirect2.get(bArr5);
        return new HSMProviderEncryptedKeyVersion(secretKeyVersion.getName(), secretKeyVersion.getVersionName(), bArr2, new HSMProviderKeyVersion(secretKeyVersion.getName(), "EEK", bArr5));
    }

    public void warmUpEncryptedKeys(String... strArr) throws IOException {
    }

    public void drain(String str) {
    }

    @Override // com.cloudera.keytrustee.sync.MessageServer.DepositConsumerProducer
    public boolean isSyncAllPending() {
        return this.syncAllPending;
    }

    private void setSyncAllPending(boolean z) {
        this.syncAllPending = z;
    }

    public void migrateKeys(KeyProvider keyProvider) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Entering migrateKeys method.");
        }
        List<String> keys = keyProvider.getKeys();
        LOG.info("Attempting to migrate [{}] keys.", Integer.valueOf(keys.size()));
        int i = 0;
        int i2 = 0;
        ArrayList arrayList = new ArrayList();
        for (String str : keys) {
            i++;
            LOG.info("Attempting to migrate key [{}] of [{}].", Integer.valueOf(i), Integer.valueOf(keys.size()));
            List<KeyProvider.KeyVersion> keyVersions = keyProvider.getKeyVersions(str);
            KeyProvider.Metadata metadata = keyProvider.getMetadata(str);
            try {
                try {
                    this.writeLock.lock();
                    if (null == m53getCurrentKey(str)) {
                        LOG.info("Migrating key [{}].", str);
                        KeyProvider.Options keyOptions = getKeyOptions(metadata);
                        Map attributes = keyOptions.getAttributes();
                        HashMap hashMap = new HashMap(null != attributes ? 4 + attributes.size() : 4);
                        hashMap.put(BIT_LENGTH_ATTRIBUTE, String.valueOf(metadata.getBitLength()));
                        hashMap.put(CIPHER_ATTRIBUTE, metadata.getCipher());
                        if (null != metadata.getDescription()) {
                            hashMap.put(DESCRIPTION_ATTRIBUTE, metadata.getDescription());
                        }
                        if (null != attributes) {
                            hashMap.putAll(attributes);
                        }
                        for (KeyProvider.KeyVersion keyVersion : keyVersions) {
                            LOG.info("Saving legacy key version name [{}] in key attributes.", keyVersion.getVersionName());
                            hashMap.put(LEGACY_KEY_VERSION_NAME + i2, keyVersion.getVersionName());
                            i2++;
                        }
                        keyOptions.setAttributes(hashMap);
                        createKey(str, keyOptions);
                    } else {
                        LOG.warn("Key [{}] already exists. Skipping migration.", str);
                    }
                    this.writeLock.unlock();
                } catch (NoSuchAlgorithmException e) {
                    String format = String.format("Error during migration of key [{}]", str);
                    LOG.error(format, e);
                    arrayList.add(format + System.getProperty("line.separator") + e.getMessage());
                    this.writeLock.unlock();
                }
            } catch (Throwable th) {
                this.writeLock.unlock();
                throw th;
            }
        }
        if (arrayList.size() > 0 && LOG.isErrorEnabled()) {
            LOG.error("Summary of migration failures ( " + arrayList.size() + " ).");
            LOG.error("----------------------------------------");
            Iterator it = arrayList.iterator();
            while (it.hasNext()) {
                LOG.error((String) it.next());
                LOG.error(System.getProperty("line.separator"));
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Exiting migrateKeys method.");
        }
    }

    private KeyProvider.Options getKeyOptions(KeyProvider.Metadata metadata) {
        KeyProvider.Options options = new KeyProvider.Options(getConf());
        Map attributes = metadata.getAttributes();
        if (null != attributes) {
            HashMap hashMap = new HashMap(attributes.size());
            for (String str : attributes.keySet()) {
                hashMap.put(str, (String) attributes.get(str));
            }
            options.setAttributes(hashMap);
        }
        if (null != metadata.getDescription()) {
            options.setDescription(metadata.getDescription());
        }
        return options;
    }

    public URI[] getSpecifiedProviderURIs() {
        return this.uris;
    }
}
