package com.joyent.manta.client.crypto;

import com.joyent.manta.client.MantaObjectInputStream;
import com.joyent.manta.exception.MantaClientEncryptionCiphertextAuthenticationException;
import com.joyent.manta.exception.MantaClientEncryptionException;
import com.joyent.manta.exception.MantaIOException;
import com.joyent.manta.http.MantaHttpHeaders;
import com.joyent.manta.util.NotThreadSafe;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.util.Arrays;
import java.util.Base64;
import java.util.function.Supplier;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.input.BoundedInputStream;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.Validate;
import org.apache.commons.lang3.exception.ExceptionContext;
import org.bouncycastle.crypto.macs.HMac;
import org.bouncycastle.crypto.params.KeyParameter;
import org.bouncycastle.jcajce.io.CipherInputStream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@NotThreadSafe
/* loaded from: input_file:com/joyent/manta/client/crypto/MantaEncryptedObjectInputStream.class */
public class MantaEncryptedObjectInputStream extends MantaObjectInputStream {
    private static final long serialVersionUID = 8536248985759134599L;
    private static final int EOF = -1;
    private static final Logger LOGGER = LoggerFactory.getLogger(MantaEncryptedObjectInputStream.class);
    private static final int DEFAULT_BUFFER_SIZE = 512;
    private final SupportedCipherDetails cipherDetails;
    private final SecretKey secretKey;
    private final Cipher cipher;
    private final HMac hmac;
    private final InputStream cipherInputStream;
    private long plaintextBytesRead;
    private volatile boolean closed;
    private final Object closeLock;
    private final boolean authenticateCiphertext;
    private final Long startPosition;
    private final Long plaintextRangeLength;
    private final Long contentLength;
    private final boolean unboundedEnd;
    private long initialBytesToSkip;

    public MantaEncryptedObjectInputStream(MantaObjectInputStream mantaObjectInputStream, SupportedCipherDetails supportedCipherDetails, SecretKey secretKey, boolean z) {
        this(mantaObjectInputStream, supportedCipherDetails, secretKey, z, null, null, true);
    }

    public MantaEncryptedObjectInputStream(MantaObjectInputStream mantaObjectInputStream, SupportedCipherDetails supportedCipherDetails, SecretKey secretKey, boolean z, Long l, Long l2, boolean z2) {
        super(mantaObjectInputStream);
        this.plaintextBytesRead = 0L;
        this.closed = false;
        this.closeLock = new Object();
        this.authenticateCiphertext = z;
        this.startPosition = l;
        this.plaintextRangeLength = l2;
        this.cipherDetails = supportedCipherDetails;
        this.contentLength = super.getContentLength();
        this.unboundedEnd = z2;
        if ((l != null || l2 != null) && !supportedCipherDetails.supportsRandomAccess()) {
            ExceptionContext mantaClientEncryptionException = new MantaClientEncryptionException("Cipher and cipher mode specified doesn't support random access");
            annotateException(mantaClientEncryptionException);
            throw mantaClientEncryptionException;
        }
        this.cipher = supportedCipherDetails.getCipher();
        this.secretKey = secretKey;
        this.hmac = findHmac();
        this.initialBytesToSkip = initializeCipher();
        this.cipherInputStream = createCryptoStream();
        initializeHmac();
    }

    private void initializeHmac() {
        if (this.hmac == null) {
            return;
        }
        this.hmac.init(new KeyParameter(this.secretKey.getEncoded()));
        byte[] iv = this.cipher.getIV();
        this.hmac.update(iv, 0, iv.length);
    }

    private long initializeCipher() {
        String headerAsString = getHeaderAsString(MantaHttpHeaders.ENCRYPTION_IV);
        if (headerAsString == null || headerAsString.isEmpty()) {
            ExceptionContext mantaClientEncryptionException = new MantaClientEncryptionException("Initialization Vector (IV) was not set for the object. Unable to decrypt.");
            annotateException(mantaClientEncryptionException);
            throw mantaClientEncryptionException;
        }
        byte[] decode = Base64.getDecoder().decode(headerAsString);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("IV: {}", Hex.encodeHexString(decode));
        }
        try {
            this.cipher.init(2, this.secretKey, this.cipherDetails.getEncryptionParameterSpec(decode));
            if (this.startPosition == null || this.startPosition.longValue() <= 0) {
                return 0L;
            }
            return this.cipherDetails.updateCipherToPosition(this.cipher, this.startPosition.longValue());
        } catch (InvalidAlgorithmParameterException | InvalidKeyException e) {
            ExceptionContext mantaClientEncryptionException2 = new MantaClientEncryptionException("Error initializing cipher", e);
            annotateException(mantaClientEncryptionException2);
            throw mantaClientEncryptionException2;
        }
    }

    private InputStream createCryptoStream() {
        InputStream inputStream;
        boolean z = this.plaintextRangeLength != null && this.plaintextRangeLength.longValue() > 0;
        if (this.cipherDetails.isAEADCipher()) {
            inputStream = super.getBackingStream();
        } else {
            InputStream boundedInputStream = new BoundedInputStream(super.getBackingStream(), (!z || this.unboundedEnd) ? this.contentLength.longValue() - (this.hmac == null ? this.cipherDetails.getAuthenticationTagOrHmacLengthInBytes() : this.hmac.getMacSize()) : this.contentLength.longValue());
            boundedInputStream.setPropagateClose(false);
            inputStream = boundedInputStream;
        }
        CipherInputStream cipherInputStream = new CipherInputStream(inputStream, this.cipher);
        return !z ? cipherInputStream : new BoundedInputStream(cipherInputStream, this.plaintextRangeLength.longValue() + this.initialBytesToSkip);
    }

    private HMac findHmac() {
        if (this.cipherDetails.isAEADCipher() || !this.authenticateCiphertext) {
            return null;
        }
        String headerAsString = getHeaderAsString(MantaHttpHeaders.ENCRYPTION_HMAC_TYPE);
        if (headerAsString == null) {
            ExceptionContext mantaClientEncryptionException = new MantaClientEncryptionException(String.format("HMAC header metadata [%s] was missing from object", MantaHttpHeaders.ENCRYPTION_HMAC_TYPE));
            annotateException(mantaClientEncryptionException);
            throw mantaClientEncryptionException;
        }
        if (headerAsString.isEmpty()) {
            ExceptionContext mantaClientEncryptionException2 = new MantaClientEncryptionException(String.format("HMAC header metadata [%s] was empty on object", MantaHttpHeaders.ENCRYPTION_HMAC_TYPE));
            annotateException(mantaClientEncryptionException2);
            throw mantaClientEncryptionException2;
        }
        Supplier<HMac> supplier = SupportedHmacsLookupMap.INSTANCE.get(headerAsString);
        if (supplier != null) {
            return supplier.get();
        }
        ExceptionContext mantaClientEncryptionException3 = new MantaClientEncryptionException(String.format("HMAC stored in header metadata [%s] is unsupported", headerAsString));
        annotateException(mantaClientEncryptionException3);
        throw mantaClientEncryptionException3;
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream
    public InputStream getBackingStream() {
        return this.cipherInputStream;
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream
    public boolean markSupported() {
        return false;
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream
    public void mark(int i) {
        throw new UnsupportedOperationException("mark is not a supported operation on " + getClass());
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream
    public void reset() throws IOException {
        throw new UnsupportedOperationException("reset is not a supported operation on " + getClass());
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream
    public int read() throws IOException {
        if (this.closed) {
            MantaIOException mantaIOException = new MantaIOException("Can't read a closed stream");
            annotateException(mantaIOException);
            throw mantaIOException;
        }
        skipInitialBytes();
        try {
            int read = this.cipherInputStream.read();
            if (this.hmac != null && read > EOF && this.authenticateCiphertext) {
                this.hmac.update((byte) read);
            }
            if (read > EOF) {
                this.plaintextBytesRead++;
            }
            return read;
        } catch (IOException e) {
            Throwable cause = e.getCause();
            if (cause == null || !cause.getClass().equals(AEADBadTagException.class)) {
                MantaIOException mantaIOException2 = new MantaIOException("Error reading from cipher stream", e);
                annotateException(mantaIOException2);
                throw mantaIOException2;
            }
            ExceptionContext mantaClientEncryptionCiphertextAuthenticationException = new MantaClientEncryptionCiphertextAuthenticationException(cause);
            annotateException(mantaClientEncryptionCiphertextAuthenticationException);
            throw mantaClientEncryptionCiphertextAuthenticationException;
        }
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream
    public int read(byte[] bArr) throws IOException {
        return read(bArr, true);
    }

    private int read(byte[] bArr, boolean z) throws IOException {
        if (this.closed && z) {
            MantaIOException mantaIOException = new MantaIOException("Can't read a closed stream");
            mantaIOException.setContextValue("path", getPath());
            throw mantaIOException;
        }
        skipInitialBytes();
        try {
            int read = this.cipherInputStream.read(bArr);
            if (this.hmac != null && read > EOF && this.authenticateCiphertext) {
                this.hmac.update(bArr, 0, read);
            }
            if (read > EOF) {
                this.plaintextBytesRead += read;
            }
            return read;
        } catch (IOException e) {
            Throwable cause = e.getCause();
            if (cause == null || !cause.getClass().equals(AEADBadTagException.class)) {
                MantaIOException mantaIOException2 = new MantaIOException("Error reading from cipher stream", e);
                annotateException(mantaIOException2);
                throw mantaIOException2;
            }
            ExceptionContext mantaClientEncryptionCiphertextAuthenticationException = new MantaClientEncryptionCiphertextAuthenticationException(cause);
            annotateException(mantaClientEncryptionCiphertextAuthenticationException);
            throw mantaClientEncryptionCiphertextAuthenticationException;
        }
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream
    public int read(byte[] bArr, int i, int i2) throws IOException {
        if (this.closed) {
            MantaIOException mantaIOException = new MantaIOException("Can't read a closed stream");
            mantaIOException.setContextValue("path", getPath());
            throw mantaIOException;
        }
        skipInitialBytes();
        try {
            int read = this.cipherInputStream.read(bArr, i, i2);
            if (this.hmac != null && read > EOF && this.authenticateCiphertext) {
                this.hmac.update(bArr, i, read);
            }
            if (read > EOF) {
                this.plaintextBytesRead += read;
            }
            return read;
        } catch (IOException e) {
            Throwable cause = e.getCause();
            if (cause == null || !cause.getClass().equals(AEADBadTagException.class)) {
                MantaIOException mantaIOException2 = new MantaIOException("Error reading from cipher stream", e);
                annotateException(mantaIOException2);
                throw mantaIOException2;
            }
            ExceptionContext mantaClientEncryptionCiphertextAuthenticationException = new MantaClientEncryptionCiphertextAuthenticationException(cause);
            annotateException(mantaClientEncryptionCiphertextAuthenticationException);
            throw mantaClientEncryptionCiphertextAuthenticationException;
        }
    }

    @Override // java.io.InputStream
    public long skip(long j) throws IOException {
        if (this.closed) {
            MantaIOException mantaIOException = new MantaIOException("Can't skip a closed stream");
            mantaIOException.setContextValue("path", getPath());
            throw mantaIOException;
        }
        skipInitialBytes();
        if (j <= 0) {
            return 0L;
        }
        if (this.authenticateCiphertext && !this.cipherDetails.isAEADCipher()) {
            int calculateBufferSize = calculateBufferSize();
            byte[] bArr = new byte[j < ((long) calculateBufferSize) ? (int) j : calculateBufferSize];
            long j2 = 0;
            int i = 0;
            while (i > EOF && j2 <= j) {
                i = read(bArr);
                if (i > EOF) {
                    j2 += i;
                }
            }
            return j2;
        }
        long j3 = 0;
        long j4 = 0;
        while (true) {
            long j5 = j4;
            if (j5 >= j) {
                return j3;
            }
            try {
                if (this.cipherInputStream.read() > EOF) {
                    j3++;
                }
                j4 = j5 + 1;
            } catch (IOException e) {
                MantaIOException mantaIOException2 = new MantaIOException("Error reading from cipher stream", e);
                annotateException(mantaIOException2);
                throw mantaIOException2;
            }
        }
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream
    public int available() throws IOException {
        if (!this.closed) {
            skipInitialBytes();
            return this.cipherInputStream.available();
        }
        MantaIOException mantaIOException = new MantaIOException("Can't calculate available on a closed stream");
        mantaIOException.setContextValue("path", getPath());
        throw mantaIOException;
    }

    private void skipInitialBytes() throws IOException {
        while (this.initialBytesToSkip > 0) {
            if (this.cipherInputStream.read() <= EOF) {
                this.initialBytesToSkip = 0L;
                return;
            }
            this.initialBytesToSkip--;
        }
    }

    private void readRemainingBytes() throws IOException {
        if (this.cipherInputStream.available() <= 0) {
            return;
        }
        do {
        } while (read(new byte[calculateBufferSize()], false) > EOF);
    }

    private int calculateBufferSize() {
        long longValue = ((Long) ObjectUtils.firstNonNull(new Long[]{getContentLength(), -1L})).longValue();
        if (longValue >= 0) {
            longValue -= this.cipherDetails.getAuthenticationTagOrHmacLengthInBytes();
        }
        return (longValue > 512 || longValue < 0) ? DEFAULT_BUFFER_SIZE : (int) longValue;
    }

    private byte[] readHmacFromEndOfStream() throws MantaIOException {
        InputStream backingStream = super.getBackingStream();
        int macSize = this.hmac.getMacSize();
        byte[] bArr = new byte[macSize];
        int i = 0;
        while (true) {
            int i2 = i;
            if (i2 >= macSize) {
                return bArr;
            }
            try {
                int read = backingStream.read(bArr, i2, macSize - i2);
                if (i2 < macSize && read == EOF) {
                    ExceptionContext mantaIOException = new MantaIOException("No HMAC was stored at the end of the stream");
                    annotateException(mantaIOException);
                    throw mantaIOException;
                }
                i = i2 + read;
            } catch (IOException e) {
                MantaIOException mantaIOException2 = new MantaIOException("Unable to read HMAC from the end of stream");
                annotateException(mantaIOException2);
                mantaIOException2.setContextValue("backingStreamClass", backingStream.getClass());
                mantaIOException2.setContextValue("hmacBytesReadTotal", Integer.valueOf(i2));
                mantaIOException2.setContextValue("hmacBytesExpected", Integer.valueOf(macSize));
                throw mantaIOException2;
            }
        }
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, java.io.InputStream, java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        synchronized (this.closeLock) {
            if (this.closed) {
                return;
            }
            this.closed = true;
            readRemainingBytes();
            try {
                IOUtils.closeQuietly(this.cipherInputStream);
            } catch (Exception e) {
                LOGGER.warn("Error closing CipherInputStream", e);
            }
            if (this.hmac == null || !this.authenticateCiphertext) {
                return;
            }
            byte[] bArr = new byte[this.hmac.getMacSize()];
            this.hmac.doFinal(bArr, 0);
            byte[] readHmacFromEndOfStream = readHmacFromEndOfStream();
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Calculated HMAC is: {}", Hex.encodeHexString(bArr));
            }
            if (super.getBackingStream().read() >= 0) {
                MantaIOException mantaIOException = new MantaIOException("More bytes were available than the expected HMAC length");
                annotateException(mantaIOException);
                throw mantaIOException;
            }
            super.close();
            if (Arrays.equals(readHmacFromEndOfStream, bArr)) {
                return;
            }
            ExceptionContext mantaClientEncryptionCiphertextAuthenticationException = new MantaClientEncryptionCiphertextAuthenticationException();
            annotateException(mantaClientEncryptionCiphertextAuthenticationException);
            mantaClientEncryptionCiphertextAuthenticationException.setContextValue("expected", Hex.encodeHexString(readHmacFromEndOfStream));
            mantaClientEncryptionCiphertextAuthenticationException.setContextValue("checksum", Hex.encodeHexString(bArr));
            throw mantaClientEncryptionCiphertextAuthenticationException;
        }
    }

    private void annotateException(ExceptionContext exceptionContext) {
        exceptionContext.setContextValue("path", getPath());
        exceptionContext.setContextValue("etag", getEtag());
        exceptionContext.setContextValue("lastModified", getLastModifiedTime());
        exceptionContext.setContextValue("ciphertextContentLength", super.getContentLength());
        exceptionContext.setContextValue("plaintextContentLength", getContentLength());
        exceptionContext.setContextValue("plaintextBytesRead", Long.valueOf(this.plaintextBytesRead));
        exceptionContext.setContextValue("cipherId", getHeaderAsString(MantaHttpHeaders.ENCRYPTION_CIPHER));
        exceptionContext.setContextValue("cipherDetails", this.cipherDetails);
        exceptionContext.setContextValue("cipherInputStream", this.cipherInputStream);
        exceptionContext.setContextValue("authenticationEnabled", Boolean.valueOf(this.authenticateCiphertext));
        exceptionContext.setContextValue("threadName", Thread.currentThread().getName());
        exceptionContext.setContextValue("requestId", getRequestId());
        if (this.cipher != null && this.cipher.getIV() != null) {
            exceptionContext.setContextValue("iv", Hex.encodeHexString(this.cipher.getIV()));
        }
        if (this.hmac != null) {
            exceptionContext.setContextValue("hmacAlgorithm", this.hmac.getAlgorithmName());
        } else {
            exceptionContext.setContextValue("hmacAlgorithm", "null");
        }
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, com.joyent.manta.client.MantaObject
    public String getContentType() {
        return getMetadata().getOrDefault("e-content-length", super.getContentType());
    }

    @Override // com.joyent.manta.client.MantaObjectInputStream, com.joyent.manta.client.MantaObject
    public Long getContentLength() {
        String headerAsString = getHeaderAsString(MantaHttpHeaders.ENCRYPTION_PLAINTEXT_CONTENT_LENGTH);
        if (headerAsString != null) {
            return Long.valueOf(Long.parseLong(headerAsString));
        }
        if (this.closed) {
            return Long.valueOf(this.plaintextBytesRead);
        }
        if (LOGGER.isInfoEnabled() && this.cipherDetails.plaintextSizeCalculationIsAnEstimate()) {
            LOGGER.info("Plaintext size reported may be inaccurate for object: {}", getPath());
        }
        Long contentLength = super.getContentLength();
        Validate.notNull(contentLength, "Content-length header wasn't set by server", new Object[0]);
        return Long.valueOf(this.cipherDetails.plaintextSize(contentLength.longValue()));
    }
}
