package org.nuxeo.ecm.core.storage.binary;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.core.api.NuxeoException;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/core/storage/binary/AESBinaryManager.class */
public class AESBinaryManager extends LocalBinaryManager {
    protected static final int FILE_VERSION_1 = 1;
    protected static final int USE_KEYSTORE = 1;
    protected static final int USE_PBKDF2 = 2;
    protected static final String AES = "AES";
    protected static final String AES_CBC_PKCS5_PADDING = "AES/CBC/PKCS5Padding";
    protected static final String PBKDF2_WITH_HMAC_SHA1 = "PBKDF2WithHmacSHA1";
    protected static final int PBKDF2_ITERATIONS = 10000;
    protected static final int PBKDF2_KEY_LENGTH = 256;
    protected static final String PARAM_PASSWORD = "password";
    protected static final String PARAM_KEY_STORE_TYPE = "keyStoreType";
    protected static final String PARAM_KEY_STORE_FILE = "keyStoreFile";
    protected static final String PARAM_KEY_STORE_PASSWORD = "keyStorePassword";
    protected static final String PARAM_KEY_ALIAS = "keyAlias";
    protected static final String PARAM_KEY_PASSWORD = "keyPassword";
    private static final int MAX_SALT_LEN = 1024;
    private static final int MAX_IV_LEN = 1024;
    protected String digestAlgorithm;
    protected boolean usePBKDF2;
    protected String password;
    protected String keyStoreType;
    protected String keyStoreFile;
    protected String keyStorePassword;
    protected String keyAlias;
    protected String keyPassword;
    private static final Log log = LogFactory.getLog(AESBinaryManager.class);
    protected static final byte[] FILE_MAGIC = {78, 85, 88, 69, 79, 67, 82, 89, 80, 84};
    protected static final Random RANDOM = new SecureRandom();

    /* loaded from: input_file:org/nuxeo/ecm/core/storage/binary/AESBinaryManager$CipherAndDigestOutputStream.class */
    public static class CipherAndDigestOutputStream extends FilterOutputStream {
        protected Cipher cipher;
        protected OutputStream out;
        protected MessageDigest messageDigest;
        protected byte[] digest;

        public CipherAndDigestOutputStream(OutputStream outputStream, Cipher cipher, MessageDigest messageDigest) {
            super(outputStream);
            this.out = outputStream;
            this.cipher = cipher;
            this.messageDigest = messageDigest;
        }

        public byte[] getDigest() {
            return this.digest;
        }

        @Override // java.io.FilterOutputStream, java.io.OutputStream
        public void write(int i) throws IOException {
            write(new byte[]{(byte) i}, 0, 1);
        }

        @Override // java.io.FilterOutputStream, java.io.OutputStream
        public void write(byte[] bArr, int i, int i2) throws IOException {
            this.messageDigest.update(bArr, i, i2);
            byte[] update = this.cipher.update(bArr, i, i2);
            if (update != null) {
                this.out.write(update);
            }
        }

        @Override // java.io.FilterOutputStream, java.io.OutputStream, java.io.Flushable
        public void flush() throws IOException {
            this.out.flush();
        }

        @Override // java.io.FilterOutputStream, java.io.OutputStream, java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this.digest = this.messageDigest.digest();
            try {
                this.out.write(this.cipher.doFinal());
                try {
                    flush();
                    this.out.close();
                } catch (Throwable th) {
                    this.out.close();
                    throw th;
                }
            } catch (GeneralSecurityException e) {
                throw new NuxeoException(e);
            }
        }
    }

    public AESBinaryManager() {
        setUnlimitedJCEPolicy();
    }

    protected static void setUnlimitedJCEPolicy() {
        try {
            Field declaredField = Class.forName("javax.crypto.JceSecurity").getDeclaredField("isRestricted");
            declaredField.setAccessible(true);
            if (Boolean.TRUE.equals(declaredField.get(null))) {
                log.info("Setting JCE Unlimited Strength");
                declaredField.set(null, Boolean.FALSE);
            }
        } catch (IllegalArgumentException | ReflectiveOperationException | SecurityException e) {
            log.debug("Cannot check/set JCE Unlimited Strength", e);
        }
    }

    @Override // org.nuxeo.ecm.core.storage.binary.LocalBinaryManager, org.nuxeo.ecm.core.storage.binary.AbstractBinaryManager, org.nuxeo.ecm.core.storage.binary.BinaryManager
    public void initialize(BinaryManagerDescriptor binaryManagerDescriptor) throws IOException {
        super.initialize(binaryManagerDescriptor);
        this.digestAlgorithm = getDigestAlgorithm();
        String str = binaryManagerDescriptor.key;
        if (StringUtils.isBlank(str)) {
            throw new NuxeoException("Missing key for " + getClass().getSimpleName());
        }
        initializeOptions(str);
    }

    /* JADX WARN: Removed duplicated region for block: B:28:0x011c  */
    /* JADX WARN: Removed duplicated region for block: B:31:0x0125  */
    /* JADX WARN: Removed duplicated region for block: B:33:0x012e  */
    /* JADX WARN: Removed duplicated region for block: B:35:0x0137  */
    /* JADX WARN: Removed duplicated region for block: B:37:0x0140  */
    /* JADX WARN: Removed duplicated region for block: B:39:0x0149  */
    /* JADX WARN: Removed duplicated region for block: B:41:0x0152 A[SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    protected void initializeOptions(java.lang.String r6) {
        /*
            Method dump skipped, instructions count: 554
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.nuxeo.ecm.core.storage.binary.AESBinaryManager.initializeOptions(java.lang.String):void");
    }

    protected char[] getPassword() {
        return this.password.toCharArray();
    }

    protected void clearPassword(char[] cArr) {
        if (cArr != null) {
            Arrays.fill(cArr, (char) 0);
        }
    }

    protected Key generateSecretKey(byte[] bArr) throws GeneralSecurityException {
        char[] password = getPassword();
        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(PBKDF2_WITH_HMAC_SHA1);
        PBEKeySpec pBEKeySpec = new PBEKeySpec(password, bArr, PBKDF2_ITERATIONS, PBKDF2_KEY_LENGTH);
        clearPassword(password);
        SecretKey generateSecret = secretKeyFactory.generateSecret(pBEKeySpec);
        pBEKeySpec.clearPassword();
        return new SecretKeySpec(generateSecret.getEncoded(), AES);
    }

    protected Key getSecretKey() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(this.keyStoreType);
        char[] charArray = this.keyStorePassword == null ? null : this.keyStorePassword.toCharArray();
        if (this.keyStoreFile != null) {
            BufferedInputStream bufferedInputStream = new BufferedInputStream(new FileInputStream(this.keyStoreFile));
            Throwable th = null;
            try {
                try {
                    keyStore.load(bufferedInputStream, charArray);
                    if (bufferedInputStream != null) {
                        if (0 != 0) {
                            try {
                                bufferedInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            bufferedInputStream.close();
                        }
                    }
                } finally {
                }
            } catch (Throwable th3) {
                if (bufferedInputStream != null) {
                    if (th != null) {
                        try {
                            bufferedInputStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        bufferedInputStream.close();
                    }
                }
                throw th3;
            }
        } else {
            keyStore.load(null, charArray);
        }
        clearPassword(charArray);
        char[] charArray2 = this.keyPassword == null ? null : this.keyPassword.toCharArray();
        Key key = keyStore.getKey(this.keyAlias, charArray2);
        clearPassword(charArray2);
        return key;
    }

    @Override // org.nuxeo.ecm.core.storage.binary.LocalBinaryManager, org.nuxeo.ecm.core.storage.binary.AbstractBinaryManager, org.nuxeo.ecm.core.storage.binary.BinaryManager
    public Binary getBinary(InputStream inputStream) throws IOException {
        File createTempFile = File.createTempFile("bin_", ".tmp", this.tmpDir);
        Framework.trackFile(createTempFile, createTempFile);
        BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(createTempFile));
        IOUtils.copy(inputStream, bufferedOutputStream);
        inputStream.close();
        bufferedOutputStream.close();
        return new Binary(createTempFile, storeAndDigest(new BufferedInputStream(new FileInputStream(createTempFile))), this.repositoryName);
    }

    @Override // org.nuxeo.ecm.core.storage.binary.LocalBinaryManager, org.nuxeo.ecm.core.storage.binary.AbstractBinaryManager, org.nuxeo.ecm.core.storage.binary.BinaryManager
    public Binary getBinary(String str) {
        File fileForDigest = getFileForDigest(str, false);
        if (fileForDigest == null) {
            log.warn("Invalid digest format: " + str);
            return null;
        }
        if (!fileForDigest.exists()) {
            return null;
        }
        try {
            File createTempFile = File.createTempFile("bin_", ".tmp", this.tmpDir);
            BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(createTempFile));
            BufferedInputStream bufferedInputStream = new BufferedInputStream(new FileInputStream(fileForDigest));
            try {
                decrypt(bufferedInputStream, bufferedOutputStream);
                bufferedInputStream.close();
                bufferedOutputStream.close();
                return new Binary(createTempFile, str, this.repositoryName);
            } catch (Throwable th) {
                bufferedInputStream.close();
                bufferedOutputStream.close();
                throw th;
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // org.nuxeo.ecm.core.storage.binary.LocalBinaryManager
    protected String storeAndDigest(InputStream inputStream) throws IOException {
        File createTempFile = File.createTempFile("create_", ".tmp", this.tmpDir);
        BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(createTempFile));
        try {
            try {
                String storeAndDigest = storeAndDigest(inputStream, bufferedOutputStream);
                inputStream.close();
                bufferedOutputStream.close();
                atomicMove(createTempFile, getFileForDigest(storeAndDigest, true));
                createTempFile.delete();
                return storeAndDigest;
            } catch (Throwable th) {
                inputStream.close();
                bufferedOutputStream.close();
                throw th;
            }
        } catch (Throwable th2) {
            createTempFile.delete();
            throw th2;
        }
    }

    @Override // org.nuxeo.ecm.core.storage.binary.AbstractBinaryManager
    public String storeAndDigest(InputStream inputStream, OutputStream outputStream) throws IOException {
        Key secretKey;
        outputStream.write(FILE_MAGIC);
        DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
        dataOutputStream.writeByte(1);
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(this.digestAlgorithm);
            if (this.usePBKDF2) {
                dataOutputStream.writeByte(2);
                byte[] bArr = new byte[16];
                RANDOM.nextBytes(bArr);
                secretKey = generateSecretKey(bArr);
                dataOutputStream.writeInt(bArr.length);
                dataOutputStream.write(bArr);
            } else {
                dataOutputStream.writeByte(1);
                secretKey = getSecretKey();
            }
            Cipher cipher = Cipher.getInstance(AES_CBC_PKCS5_PADDING);
            cipher.init(1, secretKey);
            byte[] iv = cipher.getIV();
            dataOutputStream.writeInt(iv.length);
            dataOutputStream.write(iv);
            CipherAndDigestOutputStream cipherAndDigestOutputStream = new CipherAndDigestOutputStream(outputStream, cipher, messageDigest);
            IOUtils.copy(inputStream, cipherAndDigestOutputStream);
            cipherAndDigestOutputStream.close();
            return toHexString(cipherAndDigestOutputStream.getDigest());
        } catch (GeneralSecurityException e) {
            throw new NuxeoException(e);
        }
    }

    protected void decrypt(InputStream inputStream, OutputStream outputStream) throws IOException {
        Key secretKey;
        CipherInputStream cipherInputStream;
        Throwable th;
        byte[] bArr = new byte[FILE_MAGIC.length];
        IOUtils.read(inputStream, bArr);
        if (!Arrays.equals(bArr, FILE_MAGIC)) {
            throw new IOException("Invalid file (bad magic)");
        }
        DataInputStream dataInputStream = new DataInputStream(inputStream);
        if (dataInputStream.readByte() != 1) {
            throw new IOException("Invalid file (bad version)");
        }
        byte readByte = dataInputStream.readByte();
        if (readByte == 2) {
            if (!this.usePBKDF2) {
                throw new NuxeoException("File requires PBKDF2 password");
            }
        } else {
            if (readByte != 1) {
                throw new IOException("Invalid file (bad use)");
            }
            if (this.usePBKDF2) {
                throw new NuxeoException("File requires keystore");
            }
        }
        try {
            if (this.usePBKDF2) {
                int readInt = dataInputStream.readInt();
                if (readInt <= 0 || readInt > 1024) {
                    throw new NuxeoException("Invalid salt length: " + readInt);
                }
                byte[] bArr2 = new byte[readInt];
                dataInputStream.read(bArr2, 0, readInt);
                secretKey = generateSecretKey(bArr2);
            } else {
                secretKey = getSecretKey();
            }
            int readInt2 = dataInputStream.readInt();
            if (readInt2 <= 0 || readInt2 > 1024) {
                throw new NuxeoException("Invalid IV length: " + readInt2);
            }
            byte[] bArr3 = new byte[readInt2];
            dataInputStream.read(bArr3, 0, readInt2);
            Cipher cipher = Cipher.getInstance(AES_CBC_PKCS5_PADDING);
            cipher.init(2, secretKey, new IvParameterSpec(bArr3));
            try {
                cipherInputStream = new CipherInputStream(inputStream, cipher);
                th = null;
            } catch (IOException e) {
                Throwable cause = e.getCause();
                if (cause != null && (cause instanceof BadPaddingException)) {
                    throw new NuxeoException(cause.getMessage(), e);
                }
            }
            try {
                try {
                    IOUtils.copy(cipherInputStream, outputStream);
                    if (cipherInputStream != null) {
                        if (0 != 0) {
                            try {
                                cipherInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            cipherInputStream.close();
                        }
                    }
                } finally {
                }
            } catch (Throwable th3) {
                if (cipherInputStream != null) {
                    if (th != null) {
                        try {
                            cipherInputStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        cipherInputStream.close();
                    }
                }
                throw th3;
            }
        } catch (GeneralSecurityException e2) {
            throw new NuxeoException(e2);
        }
    }
}
