package com.amazonaws.encryptionsdk;

import com.amazonaws.encryptionsdk.MasterKeyRequest;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.exception.CannotUnwrapDataKeyException;
import com.amazonaws.encryptionsdk.internal.Constants;
import com.amazonaws.encryptionsdk.internal.TrailingSignatureAlgorithm;
import com.amazonaws.encryptionsdk.internal.Utils;
import com.amazonaws.encryptionsdk.model.DecryptionMaterials;
import com.amazonaws.encryptionsdk.model.DecryptionMaterialsRequest;
import com.amazonaws.encryptionsdk.model.EncryptionMaterials;
import com.amazonaws.encryptionsdk.model.EncryptionMaterialsRequest;
import com.amazonaws.encryptionsdk.model.KeyBlob;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/amazonaws/encryptionsdk/DefaultCryptoMaterialsManager.class */
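/**
 * Materials manager that obtains data keys from a single {@link MasterKeyProvider}.
 *
 * <p>On encrypt it picks an algorithm suite, generates a fresh trailing-signature key pair when
 * the suite signs, and has the provider's master keys generate and wrap the data key. On decrypt
 * it asks the provider to unwrap one of the encrypted data keys and recovers the signature
 * verification key from the encryption context.
 *
 * <p>The encryption-context entry {@code Constants.EC_PUBLIC_KEY_FIELD} is reserved for the
 * serialized verification key; callers must not set it themselves.
 */
public class DefaultCryptoMaterialsManager implements CryptoMaterialsManager {
    /** Suite used when no suite is requested and the policy is {@code ForbidEncryptAllowDecrypt}. */
    private static final CryptoAlgorithm DEFAULT_CRYPTO_ALGORITHM = CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384;

    /** Suite used when no suite is requested under any other commitment policy (including null). */
    private static final CryptoAlgorithm DEFAULT_COMMITTING_CRYPTO_ALGORITHM = CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384;

    private final MasterKeyProvider<?> mkp;

    /**
     * Creates a manager backed by the given provider.
     *
     * @param masterKeyProvider source of master keys for both directions; checked with
     *     {@code Utils.assertNonNull}
     */
    public DefaultCryptoMaterialsManager(MasterKeyProvider<?> masterKeyProvider) {
        Utils.assertNonNull(masterKeyProvider, "mkp");
        this.mkp = masterKeyProvider;
    }

    /**
     * Builds the materials for one encryption operation.
     *
     * @param encryptionMaterialsRequest the caller's context, optional algorithm suite,
     *     commitment policy and plaintext (or its size, with -1 meaning streaming)
     * @return materials carrying the suite, the cleartext data key, one encrypted data key per
     *     master key, the final encryption context, and the signing key (null for unsigned suites)
     * @throws IllegalArgumentException if the context already contains the reserved public-key
     *     field, or if the provider returns no master keys
     * @throws AwsCryptoException if the trailing-signature key pair cannot be generated
     */
    @Override // com.amazonaws.encryptionsdk.CryptoMaterialsManager
    @SuppressWarnings({"rawtypes", "unchecked"}) // MasterKey is self-bounded; the wildcard provider forces raw use below
    public EncryptionMaterials getMaterialsForEncrypt(EncryptionMaterialsRequest encryptionMaterialsRequest) {
        Map<String, String> context = encryptionMaterialsRequest.getContext();
        // Reject the reserved field for every suite, not only signed ones: decryptMaterials
        // refuses a context holding this field under an unsigned suite, so accepting it here
        // would yield a message this manager can never decrypt. Checking first also avoids
        // generating a key pair that is about to be thrown away.
        if (context.containsKey(Constants.EC_PUBLIC_KEY_FIELD)) {
            throw new IllegalArgumentException("EncryptionContext contains reserved field aws-crypto-public-key");
        }

        CryptoAlgorithm requestedAlgorithm = encryptionMaterialsRequest.getRequestedAlgorithm();
        CommitmentPolicy commitmentPolicy = encryptionMaterialsRequest.getCommitmentPolicy();
        if (requestedAlgorithm == null) {
            // Only ForbidEncryptAllowDecrypt selects the non-committing default; every other
            // policy value, including null, gets the key-committing suite.
            requestedAlgorithm = commitmentPolicy == CommitmentPolicy.ForbidEncryptAllowDecrypt
                    ? DEFAULT_CRYPTO_ALGORITHM
                    : DEFAULT_COMMITTING_CRYPTO_ALGORITHM;
        }
        // NOTE(review): an explicitly requested suite is not compared with the commitment policy
        // in this method - confirm the caller enforces that pairing.

        KeyPair keyPair = null;
        if (requestedAlgorithm.getTrailingSignatureLength() > 0) {
            try {
                keyPair = generateTrailingSigKeyPair(requestedAlgorithm);
                // Copy before writing so the caller's map is never modified.
                context = new HashMap<>(context);
                context.put(Constants.EC_PUBLIC_KEY_FIELD, serializeTrailingKeyForEc(requestedAlgorithm, keyPair));
            } catch (GeneralSecurityException e) {
                throw new AwsCryptoException(e);
            }
        }

        MasterKeyRequest.Builder newBuilder = MasterKeyRequest.newBuilder();
        newBuilder.setEncryptionContext(context);
        newBuilder.setStreaming(encryptionMaterialsRequest.getPlaintextSize() == -1);
        if (encryptionMaterialsRequest.getPlaintext() != null) {
            newBuilder.setPlaintext(encryptionMaterialsRequest.getPlaintext());
        } else {
            newBuilder.setSize(encryptionMaterialsRequest.getPlaintextSize());
        }

        List<MasterKey> masterKeysForEncryption = ((MasterKeyProvider) Utils.assertNonNull(this.mkp, "provider")).getMasterKeysForEncryption(newBuilder.build());
        if (masterKeysForEncryption.isEmpty()) {
            throw new IllegalArgumentException("No master keys provided");
        }

        // The first master key generates the data key; each remaining key wraps that same key.
        DataKey<?> generateDataKey = masterKeysForEncryption.get(0).generateDataKey(requestedAlgorithm, context);
        List<KeyBlob> keyBlobs = new ArrayList<>(masterKeysForEncryption.size());
        keyBlobs.add(new KeyBlob(generateDataKey));
        for (int i = 1; i < masterKeysForEncryption.size(); i++) {
            keyBlobs.add(new KeyBlob(masterKeysForEncryption.get(i).encryptDataKey(requestedAlgorithm, context, generateDataKey)));
        }

        return EncryptionMaterials.newBuilder()
                .setAlgorithm(requestedAlgorithm)
                .setCleartextDataKey(generateDataKey.getKey())
                .setEncryptedDataKeys(keyBlobs)
                .setEncryptionContext(context)
                .setTrailingSignatureKey(keyPair == null ? null : keyPair.getPrivate())
                .setMasterKeys(masterKeysForEncryption)
                .build();
    }

    /**
     * Recovers the materials needed to decrypt a message.
     *
     * <p>The verification key is taken from the encryption context carried in the request; this
     * method does not itself authenticate that context.
     *
     * @param decryptionMaterialsRequest the suite, encrypted data keys and encryption context
     * @return the unwrapped data key and, for signed suites, the signature verification key
     * @throws CannotUnwrapDataKeyException if the provider returns no data key
     * @throws AwsCryptoException if a signed suite lacks the public-key field, if that field
     *     cannot be deserialized, or if an unsigned suite's context contains it
     */
    @Override // com.amazonaws.encryptionsdk.CryptoMaterialsManager
    public DecryptionMaterials decryptMaterials(DecryptionMaterialsRequest decryptionMaterialsRequest) {
        DataKey<?> decryptDataKey = this.mkp.decryptDataKey(decryptionMaterialsRequest.getAlgorithm(), decryptionMaterialsRequest.getEncryptedDataKeys(), decryptionMaterialsRequest.getEncryptionContext());
        if (decryptDataKey == null) {
            throw new CannotUnwrapDataKeyException("Could not decrypt any data keys");
        }
        PublicKey publicKey = null;
        if (decryptionMaterialsRequest.getAlgorithm().getTrailingSignatureLength() > 0) {
            try {
                String str = decryptionMaterialsRequest.getEncryptionContext().get(Constants.EC_PUBLIC_KEY_FIELD);
                if (str == null) {
                    // A signed suite without a verification key must fail rather than skip verification.
                    throw new AwsCryptoException("Missing trailing signature public key");
                }
                publicKey = deserializeTrailingKeyFromEc(decryptionMaterialsRequest.getAlgorithm(), str);
            } catch (IllegalStateException e) {
                throw new AwsCryptoException(e);
            }
        } else if (decryptionMaterialsRequest.getEncryptionContext().containsKey(Constants.EC_PUBLIC_KEY_FIELD)) {
            // A verification key alongside an unsigned suite is inconsistent; refuse the message.
            throw new AwsCryptoException("Trailing signature public key found for non-signed algorithm");
        }
        return DecryptionMaterials.newBuilder()
                .setDataKey(decryptDataKey)
                .setTrailingSignatureKey(publicKey)
                .build();
    }

    /** Parses the encryption-context string form of the verification key for the given suite. */
    private PublicKey deserializeTrailingKeyFromEc(CryptoAlgorithm cryptoAlgorithm, String str) {
        return TrailingSignatureAlgorithm.forCryptoAlgorithm(cryptoAlgorithm).deserializePublicKey(str);
    }

    /** Serializes the public half of the key pair for storage in the encryption context. */
    private static String serializeTrailingKeyForEc(CryptoAlgorithm cryptoAlgorithm, KeyPair keyPair) {
        return TrailingSignatureAlgorithm.forCryptoAlgorithm(cryptoAlgorithm).serializePublicKey(keyPair.getPublic());
    }

    /** Generates a new signing key pair with the signature algorithm bound to the given suite. */
    private static KeyPair generateTrailingSigKeyPair(CryptoAlgorithm cryptoAlgorithm) throws GeneralSecurityException {
        return TrailingSignatureAlgorithm.forCryptoAlgorithm(cryptoAlgorithm).generateKey();
    }
}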
