package org.apache.hadoop.hdfs;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.CipherSuite;
import org.apache.hadoop.crypto.CryptoCodec;
import org.apache.hadoop.crypto.CryptoInputStream;
import org.apache.hadoop.crypto.CryptoProtocolVersion;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderTokenIssuer;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.FileEncryptionInfo;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.KMSUtil;

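/**
 * Static client-side helpers that connect HDFS file encryption metadata
 * ({@link FileEncryptionInfo}) to a {@link KeyProvider}: resolving which key
 * provider URI to use, validating the crypto protocol version and cipher
 * suite, decrypting the encrypted data encryption key, and wrapping a raw
 * stream in a {@link CryptoInputStream}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The key provider URI is taken, in order, from the caller's
 *       credentials, from the string passed to
 *       {@link #getKeyProviderUri}, and only then from local configuration.
 *       None of these values is validated here beyond URI syntax.</li>
 *   <li>{@link #decryptEncryptedDataEncryptionKey} returns decrypted key
 *       material; it must not be logged or persisted by callers.</li>
 * </ul>
 *
 * <p>The class is not instantiable.
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-client-3.3.4.111-eep-910.jar:org/apache/hadoop/hdfs/HdfsKMSUtil.class */
public final class HdfsKMSUtil {
    /** Prefix of the credentials secret-key alias under which a resolved key provider URI is stored. */
    private static final String DFS_KMS_PREFIX = "dfs-kms-";

    /**
     * Configuration key that names the key provider path. Declared {@code final}
     * so the key that selects the key provider cannot be reassigned at runtime.
     */
    private static final String KEY_PROVIDER_URI_KEY_NAME = "hadoop.security.key.provider.path";

    private HdfsKMSUtil() {
    }

    /**
     * Creates a key provider from the URI configured under
     * {@code hadoop.security.key.provider.path}.
     *
     * @param configuration configuration to read the key provider path from
     * @return whatever {@link KMSUtil#createKeyProvider} returns for that configuration
     * @throws IOException if the delegate fails
     */
    public static KeyProvider createKeyProvider(Configuration configuration) throws IOException {
        return KMSUtil.createKeyProvider(configuration, KEY_PROVIDER_URI_KEY_NAME);
    }

    /**
     * Returns the crypto protocol version recorded for a file, after checking
     * that this client supports it.
     *
     * @param fileEncryptionInfo encryption metadata of the file
     * @return the file's crypto protocol version
     * @throws IOException if {@link CryptoProtocolVersion#supports} rejects the version
     */
    public static CryptoProtocolVersion getCryptoProtocolVersion(FileEncryptionInfo fileEncryptionInfo) throws IOException {
        CryptoProtocolVersion version = fileEncryptionInfo.getCryptoProtocolVersion();
        if (!CryptoProtocolVersion.supports(version)) {
            // A space now separates "version number" from the number itself.
            throw new IOException("Client does not support specified CryptoProtocolVersion "
                    + version.getDescription() + " version number " + version.getVersion());
        }
        return version;
    }

    /**
     * Resolves the {@link CryptoCodec} for the cipher suite recorded in the
     * file's encryption metadata.
     *
     * @param configuration configuration used to look up the codec implementation
     * @param fileEncryptionInfo encryption metadata of the file
     * @return a codec for the file's cipher suite, never {@code null}
     * @throws IOException if the cipher suite is {@link CipherSuite#UNKNOWN}
     * @throws UnknownCipherSuiteException if no codec is configured for the cipher suite
     */
    public static CryptoCodec getCryptoCodec(Configuration configuration, FileEncryptionInfo fileEncryptionInfo) throws IOException {
        CipherSuite suite = fileEncryptionInfo.getCipherSuite();
        if (suite.equals(CipherSuite.UNKNOWN)) {
            throw new IOException("NameNode specified unknown CipherSuite with ID " + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
        }
        CryptoCodec codec = CryptoCodec.getInstance(configuration, suite);
        if (codec != null) {
            return codec;
        }
        // Fail closed: without a configured codec the stream cannot be decrypted.
        throw new UnknownCipherSuiteException("No configuration found for the cipher suite " + suite.getConfigSuffix() + " prefixed with " + CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX + ". Please see the example configuration hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE at core-default.xml for details.");
    }

    /**
     * Resolves the key provider URI to use for the file system identified by
     * {@code uri}.
     *
     * <p>Resolution order:
     * <ol>
     *   <li>a secret key in the user's credentials stored under
     *       {@link #getKeyProviderMapKey}; if present it is returned as is;</li>
     *   <li>{@code str}, when it is non-null and non-empty and
     *       {@code DFS_CLIENT_IGNORE_NAMENODE_DEFAULT_KMS_URI} is not set to
     *       {@code true};</li>
     *   <li>the value read by {@link KMSUtil#getKeyProviderUri} from
     *       {@code configuration}.</li>
     * </ol>
     * A URI found in step 2 or 3 is written back into the credentials object
     * under the same alias.
     *
     * <p>Security note: a URI from the credentials or from {@code str} takes
     * precedence over the local configuration and is only parsed, not checked
     * against any allow-list, in this method. Clients that must not follow a
     * remotely supplied key provider location can set the ignore flag above,
     * which removes step 2.
     *
     * @param userGroupInformation user whose credentials are consulted and updated
     * @param uri file system URI; only its scheme and authority are used
     * @param str candidate key provider URI; presumably the NameNode-advertised
     *            default, judging by the name of the flag that suppresses it
     *            (confirm against callers); may be {@code null} or empty
     * @param configuration client configuration
     * @return the resolved URI, or {@code null} if none of the sources supplies one
     * @throws IOException declared by {@link KMSUtil#getKeyProviderUri}
     * @throws IllegalArgumentException (unchecked, from {@link URI#create}) if the
     *         stored or supplied string is not a syntactically valid URI
     */
    public static URI getKeyProviderUri(UserGroupInformation userGroupInformation, URI uri, String str, Configuration configuration) throws IOException {
        Credentials credentials = userGroupInformation.getCredentials();
        Text credentialsAlias = getKeyProviderMapKey(uri);

        byte[] storedUriBytes = credentials.getSecretKey(credentialsAlias);
        if (storedUriBytes != null) {
            // An entry already in the credentials wins over every other source.
            return URI.create(DFSUtilClient.bytes2String(storedUriBytes));
        }

        URI resolved = null;
        if (str != null && !configuration.getBoolean(CommonConfigurationKeys.DFS_CLIENT_IGNORE_NAMENODE_DEFAULT_KMS_URI, false) && !str.isEmpty()) {
            resolved = URI.create(str);
        }
        if (resolved == null) {
            // Last resort: the locally configured key provider path.
            resolved = KMSUtil.getKeyProviderUri(configuration, KEY_PROVIDER_URI_KEY_NAME);
        }
        if (resolved != null) {
            // NOTE(review): whether this write is seen by later calls depends on
            // whether getCredentials() returns a live view or a copy - confirm.
            credentials.addSecretKey(credentialsAlias, DFSUtilClient.string2Bytes(resolved.toString()));
        }
        return resolved;
    }

    /**
     * Creates a key provider for the URI reported by the given token issuer.
     *
     * @param keyProviderTokenIssuer source of the key provider URI
     * @param configuration configuration passed to the provider factory
     * @return the key provider, or {@code null} when the issuer reports no URI;
     *         {@link #decryptEncryptedDataEncryptionKey} rejects a {@code null}
     *         provider with an {@link IOException}
     * @throws IOException if the issuer or the provider factory fails
     */
    public static KeyProvider getKeyProvider(KeyProviderTokenIssuer keyProviderTokenIssuer, Configuration configuration) throws IOException {
        URI providerUri = keyProviderTokenIssuer.getKeyProviderUri();
        if (providerUri == null) {
            return null;
        }
        return KMSUtil.createKeyProviderFromUri(configuration, providerUri);
    }

    /**
     * Builds the credentials alias under which the key provider URI for a file
     * system is stored: {@code dfs-kms-<scheme>://<authority>}.
     *
     * <p>Only scheme and authority take part in the alias; path, query and
     * fragment are ignored. A URI lacking a scheme or authority produces the
     * literal text {@code null} in that position.
     *
     * @param uri file system URI; must not be {@code null}
     * @return the alias as a {@link Text}
     */
    public static Text getKeyProviderMapKey(URI uri) {
        String alias = DFS_KMS_PREFIX + uri.getScheme() + "://" + uri.getAuthority();
        return new Text(alias);
    }

    /**
     * Wraps a raw input stream in a decrypting {@link CryptoInputStream}.
     *
     * <p>The protocol version is validated first, then the codec is resolved,
     * and only then is the key provider asked to decrypt the data encryption key.
     *
     * @param inputStream stream of encrypted bytes
     * @param keyProvider provider used to decrypt the encrypted data encryption key
     * @param fileEncryptionInfo encryption metadata of the file
     * @param configuration client configuration
     * @return a stream that decrypts {@code inputStream}
     * @throws IOException if the protocol version or cipher suite is unsupported,
     *         no key provider is given, or key decryption fails
     */
    public static CryptoInputStream createWrappedInputStream(InputStream inputStream, KeyProvider keyProvider, FileEncryptionInfo fileEncryptionInfo, Configuration configuration) throws IOException {
        // Called for its check only; the returned version is not needed here.
        getCryptoProtocolVersion(fileEncryptionInfo);
        CryptoCodec codec = getCryptoCodec(configuration, fileEncryptionInfo);
        KeyProvider.KeyVersion dataEncryptionKey = decryptEncryptedDataEncryptionKey(fileEncryptionInfo, keyProvider);
        return new CryptoInputStream(inputStream, codec, dataEncryptionKey.getMaterial(), fileEncryptionInfo.getIV());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Asks the key provider to decrypt the file's encrypted data encryption key.
     *
     * <p>The decompiler reports that this method was package-private in the
     * original class; it stays {@code public} here so the listing's interface is
     * unchanged.
     *
     * @param fileEncryptionInfo supplies key name, encryption-zone key version
     *        name, IV and the encrypted data encryption key
     * @param keyProvider provider that performs the decryption
     * @return the decrypted key version; it carries plaintext key material and
     *         should be kept out of logs and error messages
     * @throws IOException if {@code keyProvider} is {@code null}, or wrapping any
     *         {@link GeneralSecurityException} raised during decryption
     */
    public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo fileEncryptionInfo, KeyProvider keyProvider) throws IOException {
        if (keyProvider == null) {
            throw new IOException("No KeyProvider is configured, cannot access an encrypted file");
        }
        try {
            KeyProviderCryptoExtension cryptoProvider = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(keyProvider);
            KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKey = KeyProviderCryptoExtension.EncryptedKeyVersion.createForDecryption(
                    fileEncryptionInfo.getKeyName(),
                    fileEncryptionInfo.getEzKeyVersionName(),
                    fileEncryptionInfo.getIV(),
                    fileEncryptionInfo.getEncryptedDataEncryptionKey());
            return cryptoProvider.decryptEncryptedKey(encryptedKey);
        } catch (GeneralSecurityException e) {
            // Keep the cause so the underlying crypto failure stays diagnosable.
            throw new IOException(e);
        }
    }
}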
