package org.apache.parquet.crypto.keytools;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.concurrent.ConcurrentMap;
import org.apache.hadoop.conf.Configuration;
import org.apache.parquet.crypto.ParquetCryptoRuntimeException;
import org.apache.parquet.crypto.keytools.KeyToolkit;
import org.apache.parquet.hadoop.BadConfigurationException;
import org.apache.parquet.hadoop.util.ConfigurationUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/parquet/crypto/keytools/HuaweiFileKeyWrapper.class */
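/**
 * Wraps Parquet encryption keys and produces the key metadata stored with a file.
 *
 * <p>Two modes are supported, selected by {@code parquet.encryption.double.wrapping}:
 * <ul>
 *   <li><b>Double wrapping</b> (default): a random key-encryption key (KEK) is generated per
 *       master key id, wrapped once by the KMS, and then used locally to encrypt each key.</li>
 *   <li><b>Single wrapping</b>: every key is wrapped directly by a {@link KmsClient#wrapKey}
 *       call.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The KMS client implementation is chosen by a configuration property and instantiated
 *       reflectively, so whoever controls that property controls the code that handles key
 *       bytes. Treat the Hadoop configuration as part of the trusted computing base.</li>
 *   <li>Plaintext KEK bytes live in a cache obtained from
 *       {@code KeyToolkit.KEK_WRITE_CACHE_PER_TOKEN}, keyed by access token, for up to
 *       {@code parquet.encryption.cache.lifetime.seconds}.</li>
 *   <li>The access token, KMS instance id and KMS instance URL all fall back to the literal
 *       {@code "DEFAULT"} when unset.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the original source may differ in naming and layout.
 */
public class HuaweiFileKeyWrapper {
    private static final Logger LOG = LoggerFactory.getLogger(HuaweiFileKeyWrapper.class);

    /** Accepted KEK sizes in bits. Must stay sorted ascending: it is probed with binarySearch. */
    private static final int[] ACCEPTABLE_KEK_LENGTHS = {128, 192, 256};

    /** Length in bytes of the random identifier generated alongside each KEK. */
    public static final int KEK_ID_LENGTH = 16;

    // KEK cache keyed by master key id; null when double wrapping is disabled.
    private final ConcurrentMap<String, KeyToolkit.KeyEncryptionKey> keyPerMasterKeyID;
    // Cache lifetime in milliseconds (configured in seconds, multiplied by 1000).
    private final long cacheEntryLifetime;
    private final KmsClient kmsClient;
    private final String kmsInstanceID;
    private final String kmsInstanceURL;
    // When null, key material is returned inside the key metadata instead of being stored here.
    private final FileKeyMaterialStore keyMaterialStore;
    private final Configuration hadoopConfiguration;
    private final SecureRandom random;
    private final boolean doubleWrapping;
    // KEK length in bytes; 0 when double wrapping is disabled.
    private final int kekLength;
    // Suffix for generated column key ids. Not synchronized.
    // NOTE(review): as a short this wraps to a negative value after 32767 increments, which
    // would yield ids such as "columnKey-32768"; consider widening if that many keys can occur.
    private short keyCounter;
    private final String accessToken;

    /**
     * Creates a wrapper, reading its settings from the Hadoop configuration.
     *
     * @param configuration Hadoop configuration holding the {@code parquet.encryption.*} settings
     * @param fileKeyMaterialStore external key material store, or {@code null} to embed key
     *     material in the returned key metadata
     * @param kmsClientAndDetails an existing KMS client with its instance id and URL, or
     *     {@code null} to create a client from the configuration
     * @throws ParquetCryptoRuntimeException if double wrapping is enabled and the configured KEK
     *     length is not 128, 192 or 256 bits, or if the KMS client cannot be created
     */
    public HuaweiFileKeyWrapper(Configuration configuration, FileKeyMaterialStore fileKeyMaterialStore, KeyToolkit.KmsClientAndDetails kmsClientAndDetails) {
        this.hadoopConfiguration = configuration;
        this.keyMaterialStore = fileKeyMaterialStore;
        this.random = new SecureRandom();
        this.keyCounter = (short) 0;
        this.cacheEntryLifetime = 1000 * this.hadoopConfiguration.getLong("parquet.encryption.cache.lifetime.seconds", 600L);
        this.doubleWrapping = this.hadoopConfiguration.getBoolean("parquet.encryption.double.wrapping", true);
        this.accessToken = this.hadoopConfiguration.getTrimmed("parquet.encryption.key.access.token", "DEFAULT");

        // Evict KMS clients tied to expired tokens before a client is created or reused.
        KeyToolkit.KMS_CLIENT_CACHE_PER_TOKEN.checkCacheForExpiredTokens(this.cacheEntryLifetime);
        if (kmsClientAndDetails == null) {
            this.kmsInstanceID = this.hadoopConfiguration.getTrimmed("parquet.encryption.kms.instance.id", "DEFAULT");
            this.kmsInstanceURL = this.hadoopConfiguration.getTrimmed("parquet.encryption.kms.instance.url", "DEFAULT");
            this.kmsClient = createAndInitKmsClient(configuration, this.kmsInstanceID, this.kmsInstanceURL, this.accessToken);
        } else {
            this.kmsInstanceID = kmsClientAndDetails.getKmsInstanceID();
            this.kmsInstanceURL = kmsClientAndDetails.getKmsInstanceURL();
            this.kmsClient = kmsClientAndDetails.getKmsClient();
        }

        if (this.doubleWrapping) {
            KeyToolkit.KEK_WRITE_CACHE_PER_TOKEN.checkCacheForExpiredTokens(this.cacheEntryLifetime);
            this.keyPerMasterKeyID = KeyToolkit.KEK_WRITE_CACHE_PER_TOKEN.getOrCreateInternalCache(this.accessToken, this.cacheEntryLifetime);
            int kekLengthBits = configuration.getInt("parquet.encryption.kek.length.bits", 128);
            // Reject anything outside the allow-list rather than rounding to a nearby size.
            if (Arrays.binarySearch(ACCEPTABLE_KEK_LENGTHS, kekLengthBits) < 0) {
                throw new ParquetCryptoRuntimeException("Wrong key encryption key (KEK) length : " + kekLengthBits);
            }
            this.kekLength = kekLengthBits / 8;
        } else {
            this.keyPerMasterKeyID = null;
            this.kekLength = 0;
        }

        if (LOG.isDebugEnabled()) {
            // The token is passed through KeyToolkit.formatTokenForLog and labelled a "snippet".
            // NOTE(review): confirm that helper never emits the full token.
            LOG.debug("Creating file key wrapper. KmsClient: {}; KmsInstanceId: {}; KmsInstanceURL: {}; doubleWrapping: {}; keyMaterialStore: {}; token snippet: {}", this.kmsClient, this.kmsInstanceID, this.kmsInstanceURL, this.doubleWrapping, fileKeyMaterialStore, KeyToolkit.formatTokenForLog(this.accessToken));
        }
    }

    /**
     * Creates a wrapper whose KMS client is built from the configuration.
     *
     * <p>Decompiler note: this constructor was package-private in the original class.
     *
     * @param configuration Hadoop configuration holding the {@code parquet.encryption.*} settings
     * @param fileKeyMaterialStore external key material store, or {@code null}
     */
    public HuaweiFileKeyWrapper(Configuration configuration, FileKeyMaterialStore fileKeyMaterialStore) {
        this(configuration, fileKeyMaterialStore, null);
    }

    /**
     * Wraps a key and returns its serialized key metadata, generating the key material id.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param keyBytes the key to wrap
     * @param masterKeyId id of the master key used for wrapping
     * @param isFooterKey {@code true} for the footer key, {@code false} for a column key
     * @return UTF-8 bytes of the serialized key metadata
     */
    public byte[] getEncryptionKeyMetadata(byte[] keyBytes, String masterKeyId, boolean isFooterKey) {
        return getEncryptionKeyMetadata(keyBytes, masterKeyId, isFooterKey, null);
    }

    /**
     * Wraps a key and returns its serialized key metadata.
     *
     * <p>Without a key material store the serialized key material itself is returned. With a
     * store, the material is added to the store and the returned metadata only references it.
     *
     * @param keyBytes the key to wrap
     * @param masterKeyId id of the master key used for wrapping
     * @param isFooterKey {@code true} for the footer key, {@code false} for a column key
     * @param keyMaterialId id under which the material is stored, or {@code null} to generate
     *     {@code "footerKey"} or {@code "columnKey<n>"}; ignored when there is no store
     * @return UTF-8 bytes of the serialized key metadata
     * @throws ParquetCryptoRuntimeException if no KMS client is available
     */
    byte[] getEncryptionKeyMetadata(byte[] keyBytes, String masterKeyId, boolean isFooterKey, String keyMaterialId) {
        if (this.kmsClient == null) {
            throw new ParquetCryptoRuntimeException("No KMS client available. See previous errors.");
        }

        final String wrappedKey;
        String encodedKekId = null;
        String encodedWrappedKek = null;
        if (this.doubleWrapping) {
            // One KEK per master key id: only the first use of an id reaches the KMS.
            KeyToolkit.KeyEncryptionKey kek = this.keyPerMasterKeyID.computeIfAbsent(masterKeyId, this::createKeyEncryptionKey);
            wrappedKey = KeyToolkit.encryptKeyLocally(keyBytes, kek.getBytes(), kek.getID());
            encodedKekId = kek.getEncodedID();
            encodedWrappedKek = kek.getEncodedWrappedKEK();
        } else {
            wrappedKey = this.kmsClient.wrapKey(keyBytes, masterKeyId);
        }

        final boolean storedInternally = this.keyMaterialStore == null;
        String serializedMaterial = KeyMaterial.createSerialized(isFooterKey, this.kmsInstanceID, this.kmsInstanceURL, masterKeyId, this.doubleWrapping, encodedKekId, encodedWrappedKek, wrappedKey, storedInternally);
        if (storedInternally) {
            return serializedMaterial.getBytes(StandardCharsets.UTF_8);
        }

        String materialId = keyMaterialId;
        if (materialId == null) {
            if (isFooterKey) {
                materialId = "footerKey";
            } else {
                materialId = "columnKey" + ((int) this.keyCounter);
                this.keyCounter = (short) (this.keyCounter + 1);
            }
        }
        this.keyMaterialStore.addKeyMaterial(materialId, serializedMaterial);
        return KeyMetadata.createSerializedForExternalMaterial(materialId).getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Generates a random KEK and KEK id and has the KMS wrap the KEK with the given master key.
     *
     * @param masterKeyId id of the master key that wraps the new KEK
     * @return the KEK bytes, its id and its KMS-wrapped form
     */
    private KeyToolkit.KeyEncryptionKey createKeyEncryptionKey(String masterKeyId) {
        byte[] kekBytes = new byte[this.kekLength];
        this.random.nextBytes(kekBytes);
        byte[] kekId = new byte[KEK_ID_LENGTH];
        this.random.nextBytes(kekId);
        return new KeyToolkit.KeyEncryptionKey(kekBytes, kekId, this.kmsClient.wrapKey(kekBytes, masterKeyId));
    }

    /**
     * Instantiates and initializes the KMS client class named in the configuration.
     *
     * <p>The class is resolved from configuration and created through its no-argument
     * constructor, so the configuration decides which code receives the access token.
     * NOTE(review): {@code KmsClient.class} is passed to {@code getClassFromConfig}, presumably
     * so that only {@link KmsClient} implementations are accepted; confirm in that helper.
     *
     * @param configuration Hadoop configuration naming the client class
     * @param kmsInstanceId KMS instance id handed to the client
     * @param kmsInstanceUrl KMS instance URL handed to the client
     * @param token access token handed to the client
     * @return the initialized client
     * @throws ParquetCryptoRuntimeException if no class is configured or it cannot be instantiated
     */
    private static KmsClient createAndInitKmsClient(Configuration configuration, String kmsInstanceId, String kmsInstanceUrl, String token) {
        // Declared outside the try block so the failure message can name the class.
        Class<?> kmsClientClass = null;
        try {
            kmsClientClass = ConfigurationUtil.getClassFromConfig(configuration, KmsHelper.ENCRYPTION_KMS_CLIENT_CLASS, KmsClient.class);
            if (kmsClientClass == null) {
                throw new ParquetCryptoRuntimeException("Unspecified parquet.encryption.kms.client.class");
            }
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance():
            // a constructor failure is reported as InvocationTargetException and wrapped below.
            KmsClient client = (KmsClient) kmsClientClass.getDeclaredConstructor().newInstance();
            client.initialize(configuration, kmsInstanceId, kmsInstanceUrl, token);
            return client;
        } catch (ReflectiveOperationException | BadConfigurationException e) {
            throw new ParquetCryptoRuntimeException("Could not instantiate KmsClient class: " + kmsClientClass, e);
        }
    }
}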
