package org.jgroups.protocols;

import groovy.inspect.Inspector;
import java.io.DataInput;
import java.io.DataOutput;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Iterator;
import java.util.function.Supplier;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
import org.jgroups.Address;
import org.jgroups.Event;
import org.jgroups.Header;
import org.jgroups.Message;
import org.jgroups.annotations.MBean;
import org.jgroups.annotations.Property;
import org.jgroups.util.MessageBatch;
import org.jgroups.util.Tuple;
import org.jgroups.util.Util;

@MBean(description = "Key exchange protocol to fetch a shared secret group key from the key server.That shared (symmetric) key is subsequently used to encrypt communication between cluster members")
/* loaded from: input_file:WEB-INF/lib/jgroups-4.0.9.Final.jar:org/jgroups/protocols/DH_KEY_EXCHANGE.class */
public class DH_KEY_EXCHANGE extends KeyExchange {

    @Property(description = "The type of secret key to be sent up the stack (converted from DH). Should be the same as ASYM_ENCRYPT.sym_algorithm if ASYM_ENCRYPT is used")
    protected String secret_key_algorithm = "AES";

    @Property(description = "The length of the secret key (in bits) to be sent up the stack. AES requires 128 bits. Should be the same as ASYM_ENCRYPT.sym_keylength if ASYM_ENCRYPT is used.")
    protected int secret_key_length = 128;

    @Property(description = "Max time (in ms) that a FETCH_SECRET_KEY down event will be ignored (if an existing request is in progress) until a new request for the secret key is sent to the keyserver")
    protected long timeout = HdfsServerConstants.NAMENODE_LEASE_RECHECK_INTERVAL;
    protected KeyAgreement key_agreement;
    protected PublicKey dh_key;
    protected long last_key_request;
    protected static final KeyPairGenerator key_pair_gen;
    protected static final KeyFactory dh_key_factory;

    /* loaded from: input_file:WEB-INF/lib/jgroups-4.0.9.Final.jar:org/jgroups/protocols/DH_KEY_EXCHANGE$DhHeader.class */
    public static class DhHeader extends Header {
        protected Type type;
        protected byte[] dh_key;
        protected byte[] encrypted_secret_key;
        protected byte[] secret_key_version;

        public static DhHeader createSecretKeyRequest(byte[] bArr) {
            DhHeader dhHeader = new DhHeader();
            dhHeader.type = Type.SECRET_KEY_REQ;
            dhHeader.dh_key = bArr;
            return dhHeader;
        }

        public static DhHeader createSecretKeyResponse(byte[] bArr, byte[] bArr2, byte[] bArr3) {
            DhHeader dhHeader = new DhHeader();
            dhHeader.type = Type.SECRET_KEY_RSP;
            dhHeader.dh_key = bArr;
            dhHeader.encrypted_secret_key = bArr2;
            dhHeader.secret_key_version = bArr3;
            return dhHeader;
        }

        @Override // org.jgroups.Constructable
        public Supplier<? extends Header> create() {
            return DhHeader::new;
        }

        @Override // org.jgroups.Header
        public short getMagicId() {
            return (short) 92;
        }

        public byte[] dhKey() {
            return this.dh_key;
        }

        public byte[] encryptedSecret() {
            return this.encrypted_secret_key;
        }

        public byte[] version() {
            return this.secret_key_version;
        }

        @Override // org.jgroups.util.SizeStreamable
        public int serializedSize() {
            switch (this.type) {
                case SECRET_KEY_REQ:
                    return 5 + (this.dh_key != null ? this.dh_key.length : 0);
                case SECRET_KEY_RSP:
                    return 13 + (this.dh_key != null ? this.dh_key.length : 0) + (this.encrypted_secret_key != null ? this.encrypted_secret_key.length : 0) + (this.secret_key_version != null ? this.secret_key_version.length : 0);
                default:
                    return 0;
            }
        }

        @Override // org.jgroups.util.Streamable
        public void writeTo(DataOutput dataOutput) throws Exception {
            dataOutput.writeByte(this.type.ordinal());
            switch (this.type) {
                case SECRET_KEY_REQ:
                    dataOutput.writeInt(this.dh_key != null ? this.dh_key.length : 0);
                    if (this.dh_key != null) {
                        dataOutput.write(this.dh_key);
                        return;
                    }
                    return;
                case SECRET_KEY_RSP:
                    int length = this.dh_key != null ? this.dh_key.length : 0;
                    dataOutput.writeInt(length);
                    if (length > 0) {
                        dataOutput.write(this.dh_key);
                    }
                    dataOutput.writeInt(this.encrypted_secret_key != null ? this.encrypted_secret_key.length : 0);
                    if (this.encrypted_secret_key != null) {
                        dataOutput.write(this.encrypted_secret_key);
                    }
                    dataOutput.writeInt(this.secret_key_version != null ? this.secret_key_version.length : 0);
                    if (this.secret_key_version != null) {
                        dataOutput.write(this.secret_key_version);
                        return;
                    }
                    return;
                default:
                    return;
            }
        }

        @Override // org.jgroups.util.Streamable
        public void readFrom(DataInput dataInput) throws Exception {
            this.type = Type.values()[dataInput.readByte()];
            int readInt = dataInput.readInt();
            if (readInt > 0) {
                this.dh_key = new byte[readInt];
                dataInput.readFully(this.dh_key);
            }
            switch (this.type) {
                case SECRET_KEY_REQ:
                default:
                    return;
                case SECRET_KEY_RSP:
                    int readInt2 = dataInput.readInt();
                    if (readInt2 > 0) {
                        this.encrypted_secret_key = new byte[readInt2];
                        dataInput.readFully(this.encrypted_secret_key);
                    }
                    int readInt3 = dataInput.readInt();
                    if (readInt3 > 0) {
                        this.secret_key_version = new byte[readInt3];
                        dataInput.readFully(this.secret_key_version);
                        return;
                    }
                    return;
            }
        }

        @Override // org.jgroups.Header
        public String toString() {
            if (this.type == null) {
                return Inspector.NOT_APPLICABLE;
            }
            switch (this.type) {
                case SECRET_KEY_REQ:
                    return String.format("%s dh-key %d bytes", this.type, Integer.valueOf(this.dh_key.length));
                case SECRET_KEY_RSP:
                    return String.format("%s dh-key %d bytes, encrypted secret %d bytes, version: %s", this.type, Integer.valueOf(this.dh_key.length), Integer.valueOf(this.encrypted_secret_key.length), Util.byteArrayToHexString(this.secret_key_version));
                default:
                    return Inspector.NOT_APPLICABLE;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:WEB-INF/lib/jgroups-4.0.9.Final.jar:org/jgroups/protocols/DH_KEY_EXCHANGE$Type.class */
    public enum Type {
        SECRET_KEY_REQ,
        SECRET_KEY_RSP
    }

    @Override // org.jgroups.stack.Protocol
    public void init() throws Exception {
        super.init();
        if (this.secret_key_length % 8 != 0) {
            throw new IllegalStateException(String.format("secret_key_length (%d) must be a multiple of 8", Integer.valueOf(this.secret_key_length)));
        }
        ASYM_ENCRYPT asym_encrypt = (ASYM_ENCRYPT) findProtocolAbove(ASYM_ENCRYPT.class);
        if (asym_encrypt != null) {
            String symAlgorithm = asym_encrypt.symAlgorithm();
            int symKeylength = asym_encrypt.symKeylength();
            if (Util.match(symAlgorithm, this.secret_key_algorithm)) {
                this.log.warn("overriding %s=%s to %s from %s", "secret_key_algorithm", this.secret_key_algorithm, symAlgorithm, ASYM_ENCRYPT.class.getSimpleName());
                this.secret_key_algorithm = symAlgorithm;
            }
            if (symKeylength != this.secret_key_length) {
                this.log.warn("overriding %s=%d to %d from %s", "secret_key_length", Integer.valueOf(this.secret_key_length), Integer.valueOf(symKeylength), ASYM_ENCRYPT.class.getSimpleName());
                this.secret_key_length = symKeylength;
            }
        }
        this.key_agreement = KeyAgreement.getInstance("DH");
    }

    @Override // org.jgroups.protocols.KeyExchange
    public void fetchSecretKeyFrom(Address address) throws NoSuchAlgorithmException, InvalidKeyException {
        byte[] bArr = null;
        synchronized (this) {
            if (this.dh_key != null) {
                long currentTimeMillis = System.currentTimeMillis();
                if (currentTimeMillis - this.last_key_request >= this.timeout) {
                    this.last_key_request = currentTimeMillis;
                    bArr = this.dh_key.getEncoded();
                }
            } else {
                KeyPair generateKeyPair = key_pair_gen.generateKeyPair();
                PrivateKey privateKey = generateKeyPair.getPrivate();
                this.dh_key = generateKeyPair.getPublic();
                bArr = this.dh_key.getEncoded();
                this.key_agreement.init(privateKey);
                this.log.debug("%s: sending public key %s.. to %s", this.local_addr, print16(this.dh_key), address);
            }
        }
        if (bArr != null) {
            this.down_prot.down(new Message(address).putHeader(this.id, DhHeader.createSecretKeyRequest(bArr)));
        }
    }

    @Override // org.jgroups.stack.Protocol, org.jgroups.UpHandler
    public Object up(Message message) {
        DhHeader dhHeader = (DhHeader) message.getHeader(this.id);
        if (dhHeader == null) {
            return this.up_prot.up(message);
        }
        handle(dhHeader, message.src());
        return null;
    }

    @Override // org.jgroups.stack.Protocol, org.jgroups.UpHandler
    public void up(MessageBatch messageBatch) {
        Iterator<Message> it = messageBatch.iterator();
        while (it.hasNext()) {
            Message next = it.next();
            DhHeader dhHeader = (DhHeader) next.getHeader(this.id);
            if (dhHeader != null) {
                messageBatch.remove(next);
                handle(dhHeader, next.src());
            }
        }
        if (messageBatch.isEmpty()) {
            return;
        }
        this.up_prot.up(messageBatch);
    }

    protected void handle(DhHeader dhHeader, Address address) {
        try {
            PublicKey generatePublic = dh_key_factory.generatePublic(new X509EncodedKeySpec(dhHeader.dh_key));
            switch (dhHeader.type) {
                case SECRET_KEY_REQ:
                    handleSecretKeyRequest(generatePublic, address);
                    break;
                case SECRET_KEY_RSP:
                    handleSecretKeyResponse(generatePublic, dhHeader.encrypted_secret_key, dhHeader.secret_key_version, address);
                    break;
                default:
                    this.log.warn("unknown header type %d", dhHeader.type);
                    break;
            }
        } catch (Throwable th) {
            this.log.error(String.format("failed handling request %s", dhHeader), th);
        }
    }

    protected void handleSecretKeyRequest(PublicKey publicKey, Address address) throws Exception {
        byte[] bArr;
        byte[] doFinal;
        KeyPair generateKeyPair = key_pair_gen.generateKeyPair();
        PrivateKey privateKey = generateKeyPair.getPrivate();
        PublicKey publicKey2 = generateKeyPair.getPublic();
        this.log.debug("%s: received public key %s.. from %s", this.local_addr, print16(publicKey), address);
        synchronized (this) {
            this.key_agreement.init(privateKey);
            this.key_agreement.doPhase(publicKey, true);
            SecretKey hash = hash(this.key_agreement.generateSecret());
            Cipher cipher = Cipher.getInstance(this.secret_key_algorithm);
            cipher.init(1, hash);
            Tuple tuple = (Tuple) this.up_prot.up(new Event(111));
            SecretKey secretKey = (SecretKey) tuple.getVal1();
            bArr = (byte[]) tuple.getVal2();
            doFinal = cipher.doFinal(secretKey.getEncoded());
        }
        this.log.debug("%s: sending public key rsp %s.. to %s", this.local_addr, print16(publicKey2), address);
        this.down_prot.down(new Message(address).putHeader(this.id, DhHeader.createSecretKeyResponse(publicKey2.getEncoded(), doFinal, bArr)));
    }

    protected void handleSecretKeyResponse(PublicKey publicKey, byte[] bArr, byte[] bArr2, Address address) throws Exception {
        Tuple tuple;
        this.log.debug("%s: received public key rsp %s.. from %s", this.local_addr, print16(publicKey), address);
        synchronized (this) {
            this.key_agreement.doPhase(publicKey, true);
            SecretKey hash = hash(this.key_agreement.generateSecret());
            Cipher cipher = Cipher.getInstance(this.secret_key_algorithm);
            cipher.init(2, hash);
            tuple = new Tuple(new SecretKeySpec(cipher.doFinal(bArr), this.secret_key_algorithm), bArr2);
            this.dh_key = null;
        }
        this.log.debug("%s: sending up secret key (version: %s)", this.local_addr, Util.byteArrayToHexString(bArr2));
        this.up_prot.up(new Event(112, tuple));
    }

    protected SecretKey hash(byte[] bArr) throws Exception {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        messageDigest.update(bArr);
        return new SecretKeySpec(messageDigest.digest(), 0, this.secret_key_length / 8, this.secret_key_algorithm);
    }

    protected static String print16(PublicKey publicKey) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(publicKey.getEncoded());
            return Util.byteArrayToHexString(messageDigest.digest(), 0, 16);
        } catch (NoSuchAlgorithmException e) {
            return e.toString();
        }
    }

    static {
        try {
            key_pair_gen = KeyPairGenerator.getInstance("DH");
            dh_key_factory = KeyFactory.getInstance("DH");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }
}
