package org.elasticsearch.xpack.core.watcher.crypto;

import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.function.Function;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.io.Streams;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.watcher.WatcherField;

/* loaded from: input_file:ingrid-ibus-7.1.0-RC1/lib/x-pack-core-7.17.15.jar:org/elasticsearch/xpack/core/watcher/crypto/CryptoService.class */
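/**
 * Encrypts and decrypts sensitive Watcher values with a key derived from the system key
 * stored in the keystore.
 *
 * <p>Wire format of an encrypted value: {@link #ENCRYPTED_TEXT_PREFIX} followed by
 * {@code Base64(IV || ciphertext)}. A fresh random IV is drawn for every call to
 * {@link #encrypt(char[])}.
 *
 * <p>Security properties a reviewer should keep in mind:
 * <ul>
 *   <li>The default transformation is {@code AES/CTR/NoPadding} and no MAC or AEAD tag is
 *       computed anywhere in this class, so the format gives confidentiality only. A modified
 *       ciphertext decrypts without error to modified plaintext; integrity has to come from
 *       wherever the encrypted value is stored.</li>
 *   <li>{@link #KEY_ALGO} only labels the {@link SecretKeySpec} that wraps the raw system key;
 *       no HMAC is calculated here. The working key is the leading bytes of SHA-256 over the
 *       system key.</li>
 *   <li>{@link #decrypt(char[])} returns input that lacks the prefix unchanged, so a successful
 *       return does not prove that the value was ever encrypted.</li>
 *   <li>NOTE(review): the IV length is taken from the configured key length
 *       ({@code keyLength / 8}). The two only coincide for the 128-bit default; for AES the IV
 *       is normally tied to the 16-byte block size, so a 192- or 256-bit key length would
 *       presumably be rejected in {@code Cipher.init} and surface as "error creating cipher".
 *       Confirm, and consider deriving the IV length from the cipher instead.</li>
 * </ul>
 */
public class CryptoService {
    public static final String KEY_ALGO = "HmacSHA512";
    public static final int KEY_SIZE = 1024;
    public static final String ENCRYPTED_TEXT_PREFIX = "::es_encrypted::";
    private static final String DEFAULT_ENCRYPTION_ALGORITHM = "AES/CTR/NoPadding";
    private static final String DEFAULT_KEY_ALGORITH = "AES";
    private static final int DEFAULT_KEY_LENGTH = 128;

    /** Size of the system key file in bytes (KEY_SIZE is expressed in bits). */
    private static final int SYSTEM_KEY_BYTES = KEY_SIZE / 8;

    private static final Setting<String> ENCRYPTION_ALGO_SETTING = new Setting<>(
        SecurityField.setting("encryption.algorithm"),
        (Function<Settings, String>) settings -> DEFAULT_ENCRYPTION_ALGORITHM,
        value -> value,
        Setting.Property.NodeScope
    );
    private static final Setting<Integer> ENCRYPTION_KEY_LENGTH_SETTING = Setting.intSetting(
        SecurityField.setting("encryption_key.length"),
        DEFAULT_KEY_LENGTH,
        Setting.Property.NodeScope
    );
    private static final Setting<String> ENCRYPTION_KEY_ALGO_SETTING = new Setting<>(
        SecurityField.setting("encryption_key.algorithm"),
        DEFAULT_KEY_ALGORITH,
        value -> value,
        Setting.Property.NodeScope
    );
    private static final Logger logger = LogManager.getLogger((Class<?>) CryptoService.class);

    private final SecureRandom secureRandom = new SecureRandom();
    private final String encryptionAlgorithm;
    private final int ivLength;
    private final SecretKey encryptionKey;

    /**
     * Reads the cipher configuration from {@code settings} and derives the encryption key from
     * the system key held in the keystore.
     *
     * @param settings node settings carrying the cipher options and the keystore entry
     * @throws IOException if reading or closing the system key stream fails
     * @throws IllegalArgumentException if the key length is not a multiple of 8, or the system
     *     key does not have the expected size
     * @throws ElasticsearchException if the system key is not present in the keystore or the
     *     digest used for key derivation is unavailable
     */
    public CryptoService(Settings settings) throws IOException {
        this.encryptionAlgorithm = ENCRYPTION_ALGO_SETTING.get(settings);
        final int keyLength = ENCRYPTION_KEY_LENGTH_SETTING.get(settings);
        // See the class-level NOTE(review): IV size follows the key size, not the block size.
        this.ivLength = keyLength / 8;
        final String keyAlgorithm = ENCRYPTION_KEY_ALGO_SETTING.get(settings);
        if (keyLength % 8 != 0) {
            throw new IllegalArgumentException("invalid key length [" + keyLength + "]. value must be a multiple of 8");
        }
        // try-with-resources tolerates a null resource, so the explicit null check stays inside.
        try (InputStream in = WatcherField.ENCRYPTION_KEY_SETTING.get(settings)) {
            if (in == null) {
                throw new ElasticsearchException("setting [" + WatcherField.ENCRYPTION_KEY_SETTING.getKey() + "] must be set in keystore");
            }
            try {
                this.encryptionKey = encryptionKey(readSystemKey(in), keyLength, keyAlgorithm);
            } catch (NoSuchAlgorithmException e) {
                throw new ElasticsearchException("failed to start crypto service. could not load encryption key", e);
            }
        }
        assert this.encryptionKey != null : "the encryption key should never be null";
    }

    /**
     * Reads exactly {@link #SYSTEM_KEY_BYTES} bytes of system key material from the stream.
     *
     * <p>NOTE(review): only a short read is rejected. Assuming {@code Streams.readFully} stops at
     * the buffer size, a longer key file is accepted and its tail ignored; confirm.
     */
    private static SecretKey readSystemKey(InputStream in) throws IOException {
        final byte[] keyBytes = new byte[SYSTEM_KEY_BYTES];
        try {
            if (Streams.readFully(in, keyBytes) != SYSTEM_KEY_BYTES) {
                throw new IllegalArgumentException("key size did not match expected value; was the key generated with elasticsearch-syskeygen?");
            }
            return new SecretKeySpec(keyBytes, KEY_ALGO);
        } finally {
            // SecretKeySpec keeps its own copy; do not leave a second copy of the key on the heap.
            Arrays.fill(keyBytes, (byte) 0);
        }
    }

    /**
     * Encrypts {@code cArr} and returns the prefixed, Base64-encoded result.
     *
     * @param cArr plaintext characters; the array itself is not modified
     * @return {@link #ENCRYPTED_TEXT_PREFIX} followed by {@code Base64(IV || ciphertext)}
     * @throws ElasticsearchException if the cipher cannot be created or the encryption fails
     */
    public char[] encrypt(char[] cArr) {
        final byte[] plaintext = CharArrays.toUtf8Bytes(cArr);
        try {
            final String encoded = Base64.getEncoder().encodeToString(encryptInternal(plaintext, this.encryptionKey));
            return ENCRYPTED_TEXT_PREFIX.concat(encoded).toCharArray();
        } finally {
            // The byte[] cannot alias the caller's char[], so wiping the temporary UTF-8 copy
            // of the secret leaves the input untouched.
            Arrays.fill(plaintext, (byte) 0);
        }
    }

    /**
     * Decrypts a value produced by {@link #encrypt(char[])}.
     *
     * <p>Input without {@link #ENCRYPTED_TEXT_PREFIX} is returned as is (same array instance).
     * Because the format carries no authentication tag, tampered ciphertext is not detected
     * here; only malformed Base64 or a payload shorter than the IV is rejected.
     *
     * @param cArr possibly encrypted characters
     * @return the decrypted characters, or {@code cArr} itself when it is not prefixed
     * @throws ElasticsearchException if the payload cannot be decoded or the cipher cannot be created
     * @throws IllegalStateException if the cipher reports a padding or block size error
     */
    public char[] decrypt(char[] cArr) {
        if (!isEncrypted(cArr)) {
            return cArr;
        }
        final int prefixLength = ENCRYPTED_TEXT_PREFIX.length();
        byte[] plaintext = null;
        try {
            final byte[] payload = Base64.getDecoder().decode(new String(cArr, prefixLength, cArr.length - prefixLength));
            plaintext = decryptInternal(payload, this.encryptionKey);
            return CharArrays.utf8BytesToChars(plaintext);
        } catch (IllegalArgumentException e) {
            throw new ElasticsearchException("unable to decode encrypted data", e);
        } finally {
            // The recovered secret is handed back as char[]; clear the intermediate byte copy.
            if (plaintext != null) {
                Arrays.fill(plaintext, (byte) 0);
            }
        }
    }

    /** Returns whether {@code cArr} starts with {@link #ENCRYPTED_TEXT_PREFIX}. */
    protected boolean isEncrypted(char[] cArr) {
        return CharArrays.charsBeginsWith(ENCRYPTED_TEXT_PREFIX, cArr);
    }

    /**
     * Encrypts {@code bArr} under a fresh random IV and returns {@code IV || ciphertext}.
     */
    private byte[] encryptInternal(byte[] bArr, SecretKey secretKey) {
        final byte[] iv = new byte[this.ivLength];
        this.secureRandom.nextBytes(iv);
        try {
            final byte[] ciphertext = cipher(Cipher.ENCRYPT_MODE, this.encryptionAlgorithm, secretKey, iv).doFinal(bArr);
            // Prepend the IV so decryptInternal can recover it from the payload.
            final byte[] output = Arrays.copyOf(iv, iv.length + ciphertext.length);
            System.arraycopy(ciphertext, 0, output, iv.length, ciphertext.length);
            return output;
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new ElasticsearchException("error encrypting data", e);
        }
    }

    /**
     * Splits {@code bArr} into {@code IV || ciphertext} and decrypts the ciphertext.
     *
     * @throws IllegalArgumentException if the payload is shorter than the IV
     * @throws IllegalStateException if the cipher reports a padding or block size error
     */
    private byte[] decryptInternal(byte[] bArr, SecretKey secretKey) {
        if (bArr.length < this.ivLength) {
            logger.error("received data for decryption with size [{}] that is less than IV length [{}]", bArr.length, this.ivLength);
            throw new IllegalArgumentException("invalid data to decrypt");
        }
        final byte[] iv = Arrays.copyOfRange(bArr, 0, this.ivLength);
        final byte[] ciphertext = Arrays.copyOfRange(bArr, this.ivLength, bArr.length);
        try {
            return cipher(Cipher.DECRYPT_MODE, this.encryptionAlgorithm, secretKey, iv).doFinal(ciphertext);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new IllegalStateException("error decrypting data", e);
        }
    }

    /**
     * Creates and initialises a cipher for the given mode, transformation, key and IV.
     *
     * @throws ElasticsearchException wrapping any failure from {@code getInstance} or {@code init}
     */
    private static Cipher cipher(int i, String str, SecretKey secretKey, byte[] bArr) {
        try {
            final Cipher instance = Cipher.getInstance(str);
            instance.init(i, secretKey, new IvParameterSpec(bArr));
            return instance;
        } catch (Exception e) {
            throw new ElasticsearchException("error creating cipher", e);
        }
    }

    /**
     * Derives the working encryption key: SHA-256 over the system key, truncated to
     * {@code i} bits and labelled with algorithm {@code str}.
     *
     * @throws IllegalArgumentException if the system key or the digest is shorter than {@code i} bits
     * @throws NoSuchAlgorithmException if SHA-256 is not available
     */
    private static SecretKey encryptionKey(SecretKey secretKey, int i, String str) throws NoSuchAlgorithmException {
        // For the SecretKeySpec built by readSystemKey this is a fresh copy of the key bytes.
        final byte[] material = secretKey.getEncoded();
        byte[] digest = null;
        byte[] truncated = null;
        try {
            if (material.length * 8 < i) {
                throw new IllegalArgumentException("at least " + i + " bits should be provided as key data");
            }
            digest = MessageDigest.getInstance(MessageDigestAlgorithms.SHA_256).digest(material);
            assert digest.length == 32;
            if (digest.length * 8 < i) {
                throw new IllegalArgumentException("requested key length is too large");
            }
            truncated = Arrays.copyOfRange(digest, 0, i / 8);
            return new SecretKeySpec(truncated, str);
        } finally {
            // Every array here holds key material or something the key is directly derived
            // from; the returned SecretKeySpec has its own copy.
            Arrays.fill(material, (byte) 0);
            if (digest != null) {
                Arrays.fill(digest, (byte) 0);
            }
            if (truncated != null) {
                Arrays.fill(truncated, (byte) 0);
            }
        }
    }

    /** Registers the cipher-related settings of this service in {@code list}. */
    public static void addSettings(List<Setting<?>> list) {
        list.add(ENCRYPTION_KEY_LENGTH_SETTING);
        list.add(ENCRYPTION_KEY_ALGO_SETTING);
        list.add(ENCRYPTION_ALGO_SETTING);
    }
}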
