package org.apache.hadoop.hbase.security;

import java.security.Key;
import java.security.KeyException;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.io.crypto.KeyProviderForTesting;
import org.apache.hadoop.hbase.testclassification.ClientTests;
import org.apache.hadoop.hbase.testclassification.SmallTests;
import org.apache.hadoop.hbase.util.Bytes;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;

@Category({ClientTests.class, SmallTests.class})
/* loaded from: input_file:org/apache/hadoop/hbase/security/TestEncryptionUtil.class */
public class TestEncryptionUtil {
    private static final String INVALID_HASH_ALG = "this-hash-algorithm-not-exists hopefully... :)";
    private static final String DEFAULT_HASH_ALGORITHM = "use-default";

    @ClassRule
    public static final HBaseClassTestRule CLASS_RULE = HBaseClassTestRule.forClass(TestEncryptionUtil.class);

    @Test
    public void testKeyWrappingUsingHashAlgDefault() throws Exception {
        testKeyWrapping(DEFAULT_HASH_ALGORITHM);
    }

    @Test
    public void testKeyWrappingUsingHashAlgMD5() throws Exception {
        testKeyWrapping("MD5");
    }

    @Test
    public void testKeyWrappingUsingHashAlgSHA256() throws Exception {
        testKeyWrapping("SHA-256");
    }

    @Test
    public void testKeyWrappingUsingHashAlgSHA384() throws Exception {
        testKeyWrapping("SHA-384");
    }

    @Test(expected = RuntimeException.class)
    public void testKeyWrappingWithInvalidHashAlg() throws Exception {
        testKeyWrapping(INVALID_HASH_ALG);
    }

    @Test
    public void testWALKeyWrappingUsingHashAlgDefault() throws Exception {
        testWALKeyWrapping(DEFAULT_HASH_ALGORITHM);
    }

    @Test
    public void testWALKeyWrappingUsingHashAlgMD5() throws Exception {
        testWALKeyWrapping("MD5");
    }

    @Test
    public void testWALKeyWrappingUsingHashAlgSHA256() throws Exception {
        testWALKeyWrapping("SHA-256");
    }

    @Test
    public void testWALKeyWrappingUsingHashAlgSHA384() throws Exception {
        testWALKeyWrapping("SHA-384");
    }

    @Test(expected = RuntimeException.class)
    public void testWALKeyWrappingWithInvalidHashAlg() throws Exception {
        testWALKeyWrapping(INVALID_HASH_ALG);
    }

    @Test(expected = KeyException.class)
    public void testWALKeyWrappingWithIncorrectKey() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set("hbase.crypto.keyprovider", KeyProviderForTesting.class.getName());
        byte[] bArr = new byte[16];
        Bytes.secureRandom(bArr);
        byte[] wrapKey = EncryptionUtil.wrapKey(configuration, "hbase", new SecretKeySpec(bArr, configuration.get("hbase.crypto.wal.algorithm", "AES")));
        Assert.assertNotNull(wrapKey);
        EncryptionUtil.unwrapWALKey(configuration, "other", wrapKey);
    }

    @Test(expected = KeyException.class)
    public void testHashAlgorithmMismatchWhenFailExpected() throws Exception {
        Configuration configuration = new Configuration();
        configuration.setBoolean("hbase.crypto.key.hash.algorithm.failOnMismatch", true);
        testKeyWrappingWithMismatchingAlgorithms(configuration);
    }

    @Test
    public void testHashAlgorithmMismatchWhenFailNotExpected() throws Exception {
        Configuration configuration = new Configuration();
        configuration.setBoolean("hbase.crypto.key.hash.algorithm.failOnMismatch", false);
        testKeyWrappingWithMismatchingAlgorithms(configuration);
    }

    @Test
    public void testHashAlgorithmMismatchShouldNotFailWithDefaultConfig() throws Exception {
        testKeyWrappingWithMismatchingAlgorithms(new Configuration());
    }

    private void testKeyWrapping(String str) throws Exception {
        Configuration configuration = new Configuration();
        configuration.set("hbase.crypto.keyprovider", KeyProviderForTesting.class.getName());
        if (!str.equals(DEFAULT_HASH_ALGORITHM)) {
            configuration.set("hbase.crypto.key.hash.algorithm", str);
        }
        byte[] bArr = new byte[16];
        Bytes.secureRandom(bArr);
        byte[] wrapKey = EncryptionUtil.wrapKey(configuration, "hbase", new SecretKeySpec(bArr, configuration.get("hbase.crypto.key.algorithm", "AES")));
        Assert.assertNotNull(wrapKey);
        Key unwrapKey = EncryptionUtil.unwrapKey(configuration, "hbase", wrapKey);
        Assert.assertNotNull(unwrapKey);
        Assert.assertTrue(unwrapKey instanceof SecretKeySpec);
        Assert.assertTrue("Unwrapped key bytes do not match original", Bytes.equals(bArr, unwrapKey.getEncoded()));
        try {
            EncryptionUtil.unwrapKey(configuration, "other", wrapKey);
            Assert.fail("Unwrap with incorrect key did not throw KeyException");
        } catch (KeyException e) {
        }
    }

    private void testWALKeyWrapping(String str) throws Exception {
        Configuration configuration = new Configuration();
        configuration.set("hbase.crypto.keyprovider", KeyProviderForTesting.class.getName());
        if (!str.equals(DEFAULT_HASH_ALGORITHM)) {
            configuration.set("hbase.crypto.key.hash.algorithm", str);
        }
        byte[] bArr = new byte[16];
        Bytes.secureRandom(bArr);
        byte[] wrapKey = EncryptionUtil.wrapKey(configuration, "hbase", new SecretKeySpec(bArr, configuration.get("hbase.crypto.wal.algorithm", "AES")));
        Assert.assertNotNull(wrapKey);
        Key unwrapWALKey = EncryptionUtil.unwrapWALKey(configuration, "hbase", wrapKey);
        Assert.assertNotNull(unwrapWALKey);
        Assert.assertTrue(unwrapWALKey instanceof SecretKeySpec);
        Assert.assertTrue("Unwrapped key bytes do not match original", Bytes.equals(bArr, unwrapWALKey.getEncoded()));
    }

    private void testKeyWrappingWithMismatchingAlgorithms(Configuration configuration) throws Exception {
        configuration.set("hbase.crypto.keyprovider", KeyProviderForTesting.class.getName());
        configuration.set("hbase.crypto.key.hash.algorithm", "MD5");
        byte[] bArr = new byte[16];
        Bytes.secureRandom(bArr);
        byte[] wrapKey = EncryptionUtil.wrapKey(configuration, "hbase", new SecretKeySpec(bArr, configuration.get("hbase.crypto.key.algorithm", "AES")));
        Assert.assertNotNull(wrapKey);
        configuration.set("hbase.crypto.key.hash.algorithm", "SHA-384");
        Key unwrapKey = EncryptionUtil.unwrapKey(configuration, "hbase", wrapKey);
        Assert.assertNotNull(unwrapKey);
        Assert.assertTrue("Unwrapped key bytes do not match original", Bytes.equals(bArr, unwrapKey.getEncoded()));
    }
}
