package com.amazonaws.encryptionsdk.kmssdkv2;

import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.DataKey;
import com.amazonaws.encryptionsdk.EncryptedDataKey;
import com.amazonaws.encryptionsdk.MasterKey;
import com.amazonaws.encryptionsdk.MasterKeyProvider;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.internal.AwsKmsCmkArnInfo;
import com.amazonaws.encryptionsdk.internal.VersionInfo;
import com.amazonaws.encryptionsdk.kms.KmsMethods;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.core.ApiName;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptResponse;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;

/* loaded from: input_file:com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKey.class */
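/**
 * Master key bound to one AWS KMS key identifier, talking to KMS through an AWS SDK v2
 * {@link KmsClient}.
 *
 * <p>Data keys are generated, wrapped and unwrapped by KMS calls. Before a {@link DataKey} is
 * returned, this class checks what KMS sent back: the plaintext length must equal the algorithm's
 * data-key length, and the returned key id must parse as a key ARN (generate/encrypt) or equal the
 * configured identifier exactly (decrypt).
 *
 * <p>The grant-token list is a plain {@link ArrayList} with no synchronization visible in this
 * class; NOTE(review): callers sharing one instance across threads should confirm how the list is
 * mutated.
 */
public final class AwsKmsMrkAwareMasterKey extends MasterKey<AwsKmsMrkAwareMasterKey> implements KmsMethods {
    /** Name/version tag built from {@link VersionInfo}; attached to every KMS request sent here. */
    static final ApiName API_NAME = ApiName.builder().name(VersionInfo.apiName()).version(VersionInfo.versionNumber()).build();

    /** Request-override hook that adds {@link #API_NAME} to an outgoing request. */
    private static final Consumer<AwsRequestOverrideConfiguration.Builder> API_NAME_INTERCEPTOR =
            builder -> builder.addApiName(API_NAME);

    private final KmsClient kmsClient_;
    // Live, mutable list: getGrantTokens() hands out this very instance.
    private final List<String> grantTokens_ = new ArrayList<>();
    private final String awsKmsIdentifier_;
    private final MasterKeyProvider<AwsKmsMrkAwareMasterKey> sourceProvider_;

    /**
     * Creates a master key for the given KMS identifier.
     *
     * <p>Decompiler note: the compiled class is reported to declare this factory package-private;
     * treat it as internal to the provider package.
     *
     * @param kmsClient client used for all KMS calls; must not be {@code null}
     * @param str AWS KMS key identifier, validated by {@link AwsKmsCmkArnInfo#validAwsKmsIdentifier}
     * @param masterKeyProvider provider that supplies the provider id; must not be {@code null}
     * @return a new master key
     * @throws IllegalArgumentException if the client or the provider is {@code null}
     */
    public static AwsKmsMrkAwareMasterKey getInstance(KmsClient kmsClient, String str, MasterKeyProvider<AwsKmsMrkAwareMasterKey> masterKeyProvider) {
        return new AwsKmsMrkAwareMasterKey(str, kmsClient, masterKeyProvider);
    }

    /** Validates the identifier first, then rejects a missing client or provider. */
    private AwsKmsMrkAwareMasterKey(String str, KmsClient kmsClient, MasterKeyProvider<AwsKmsMrkAwareMasterKey> masterKeyProvider) {
        AwsKmsCmkArnInfo.validAwsKmsIdentifier(str);
        if (kmsClient == null) {
            throw new IllegalArgumentException("AwsKmsMrkAwareMasterKey must be configured with an AWS KMS client.");
        }
        if (masterKeyProvider == null) {
            throw new IllegalArgumentException("AwsKmsMrkAwareMasterKey must be configured with a source provider.");
        }
        this.kmsClient_ = kmsClient;
        this.awsKmsIdentifier_ = str;
        this.sourceProvider_ = masterKeyProvider;
    }

    /** Returns the default provider id of the provider this key was created from. */
    @Override // com.amazonaws.encryptionsdk.MasterKey
    public String getProviderId() {
        return this.sourceProvider_.getDefaultProviderId();
    }

    /** Returns the configured AWS KMS key identifier, exactly as supplied at construction. */
    @Override // com.amazonaws.encryptionsdk.MasterKey
    public String getKeyId() {
        return this.awsKmsIdentifier_;
    }

    /**
     * Replaces the grant tokens sent with every KMS request.
     *
     * @param list new tokens; must not be {@code null}
     * @throws NullPointerException if {@code list} is {@code null} (the current tokens are kept)
     */
    @Override // com.amazonaws.encryptionsdk.kms.KmsMethods
    public void setGrantTokens(List<String> list) {
        // Copy before clearing: getGrantTokens() exposes the internal list, so a caller may pass
        // that same instance back in, and clearing first would silently drop every token. The copy
        // also makes a null argument fail before any state is touched.
        final List<String> snapshot = new ArrayList<>(list);
        this.grantTokens_.clear();
        this.grantTokens_.addAll(snapshot);
    }

    /**
     * Returns the grant tokens used for KMS requests.
     *
     * <p>This is the internal list itself, not a copy: changes made through the returned reference
     * alter the tokens sent on later KMS calls.
     */
    @Override // com.amazonaws.encryptionsdk.kms.KmsMethods
    public List<String> getGrantTokens() {
        return this.grantTokens_;
    }

    /** Appends one grant token to those sent with KMS requests. */
    @Override // com.amazonaws.encryptionsdk.kms.KmsMethods
    public void addGrantToken(String str) {
        this.grantTokens_.add(str);
    }

    /**
     * Asks KMS for a fresh data key under the configured key identifier.
     *
     * <p>Unlike {@link #encryptDataKey}, an {@link AwsServiceException} from the KMS call is not
     * wrapped here and reaches the caller as thrown.
     *
     * @param cryptoAlgorithm supplies the data-key length and the key algorithm name
     * @param map encryption context sent to KMS with the request
     * @return plaintext key, KMS ciphertext blob, and the returned key id (UTF-8) as provider info
     * @throws IllegalStateException if the plaintext length differs from the algorithm's data-key
     *     length, or the returned key id does not parse as a key ARN
     */
    @Override // com.amazonaws.encryptionsdk.MasterKey
    public DataKey<AwsKmsMrkAwareMasterKey> generateDataKey(CryptoAlgorithm cryptoAlgorithm, Map<String, String> map) {
        final GenerateDataKeyResponse response = this.kmsClient_.generateDataKey(
                (GenerateDataKeyRequest) GenerateDataKeyRequest.builder()
                        .overrideConfiguration(API_NAME_INTERCEPTOR)
                        .keyId(this.awsKmsIdentifier_)
                        .numberOfBytes(Integer.valueOf(cryptoAlgorithm.getDataKeyLength()))
                        .encryptionContext(map)
                        .grantTokens(this.grantTokens_)
                        .build());
        final ByteBuffer plaintextBuffer = response.plaintext().asByteBuffer();
        if (plaintextBuffer.limit() != cryptoAlgorithm.getDataKeyLength()) {
            throw new IllegalStateException("Received an unexpected number of bytes from KMS");
        }
        final byte[] plaintext = new byte[cryptoAlgorithm.getDataKeyLength()];
        try {
            plaintextBuffer.get(plaintext);
            final String keyId = response.keyId();
            if (AwsKmsCmkArnInfo.parseInfoFromKeyArn(keyId) == null) {
                throw new IllegalStateException("Received an empty or invalid keyId from KMS");
            }
            final ByteBuffer ciphertextBuffer = response.ciphertextBlob().asByteBuffer();
            final byte[] ciphertext = new byte[ciphertextBuffer.remaining()];
            ciphertextBuffer.get(ciphertext);
            return new DataKey<>(new SecretKeySpec(plaintext, cryptoAlgorithm.getDataKeyAlgo()), ciphertext, keyId.getBytes(StandardCharsets.UTF_8), this);
        } finally {
            // SecretKeySpec keeps its own copy of the key bytes, so this scratch array can be
            // cleared on every exit path. The SDK response object and the SecretKeySpec still hold
            // the plaintext; this only removes the extra copy made here.
            Arrays.fill(plaintext, (byte) 0);
        }
    }

    /**
     * Wraps an existing data key under the configured KMS key.
     *
     * @param cryptoAlgorithm not read by this method
     * @param map encryption context sent to KMS with the request
     * @param dataKey key to wrap; its format must be {@code "RAW"}
     * @return the same secret key with the new ciphertext blob and the returned key id (UTF-8)
     * @throws IllegalArgumentException if the key format is not {@code "RAW"}
     * @throws IllegalStateException if the returned key id does not parse as a key ARN
     * @throws AwsCryptoException wrapping any {@link AwsServiceException} from the KMS call
     */
    @Override // com.amazonaws.encryptionsdk.MasterKey
    public DataKey<AwsKmsMrkAwareMasterKey> encryptDataKey(CryptoAlgorithm cryptoAlgorithm, Map<String, String> map, DataKey<?> dataKey) {
        final SecretKey key = dataKey.getKey();
        if (!key.getFormat().equals("RAW")) {
            throw new IllegalArgumentException("Only RAW encoded keys are supported");
        }
        try {
            // key.getEncoded() is deliberately not wiped afterwards: the Key contract does not
            // promise a defensive copy, so clearing it could destroy the caller's key.
            final EncryptResponse response = this.kmsClient_.encrypt(
                    (EncryptRequest) EncryptRequest.builder()
                            .overrideConfiguration(API_NAME_INTERCEPTOR)
                            .keyId(this.awsKmsIdentifier_)
                            .plaintext(SdkBytes.fromByteArray(key.getEncoded()))
                            .encryptionContext(map)
                            .grantTokens(this.grantTokens_)
                            .build());
            final ByteBuffer ciphertextBuffer = response.ciphertextBlob().asByteBuffer();
            final byte[] ciphertext = new byte[ciphertextBuffer.remaining()];
            ciphertextBuffer.get(ciphertext);
            final String keyId = response.keyId();
            if (AwsKmsCmkArnInfo.parseInfoFromKeyArn(keyId) == null) {
                throw new IllegalStateException("Received an empty or invalid keyId from KMS");
            }
            return new DataKey<>(dataKey.getKey(), ciphertext, keyId.getBytes(StandardCharsets.UTF_8), this);
        } catch (AwsServiceException e) {
            throw new AwsCryptoException(e);
        }
    }

    /**
     * Decrypts the first encrypted data key that matches this master key and that KMS accepts.
     *
     * <p>Candidates are first screened by {@link #filterEncryptedDataKeys}, which throws for any
     * entry whose provider info is not a KMS key ARN. Only {@link AwsServiceException}s from the
     * KMS call are collected and reported if nothing decrypts; an {@link IllegalStateException}
     * from response validation ends the attempt immediately rather than moving to the next
     * candidate.
     *
     * @param cryptoAlgorithm supplies the expected data-key length and the key algorithm name
     * @param collection encrypted data keys taken from the message
     * @param map encryption context sent to KMS with each decrypt request
     * @return the first successfully decrypted data key
     * @throws AwsCryptoException if no candidate could be decrypted
     */
    @Override // com.amazonaws.encryptionsdk.MasterKeyProvider
    public DataKey<AwsKmsMrkAwareMasterKey> decryptDataKey(CryptoAlgorithm cryptoAlgorithm, Collection<? extends EncryptedDataKey> collection, Map<String, String> map) throws AwsCryptoException {
        final List<Exception> failures = new ArrayList<>();
        final String providerId = getProviderId();
        return collection.stream()
                .filter(candidate -> filterEncryptedDataKeys(providerId, this.awsKmsIdentifier_, candidate))
                .map(candidate -> {
                    try {
                        return decryptSingleEncryptedDataKey(this, this.kmsClient_, this.awsKmsIdentifier_, this.grantTokens_, cryptoAlgorithm, candidate, map);
                    } catch (AwsServiceException e) {
                        // Remember the service error and fall through to the next candidate.
                        failures.add(e);
                        return null;
                    }
                })
                .filter(Objects::nonNull)
                .findFirst()
                .orElseThrow(() -> buildCannotDecryptDksException(failures));
    }

    /**
     * Sends one encrypted data key to KMS Decrypt and validates the answer.
     *
     * <p>The request names the configured key identifier, and the key id in the response must equal
     * that identifier exactly; any other key id is rejected. NOTE(review): exact string equality
     * presumably means the configured identifier has to be in the same form KMS returns - confirm
     * against the provider that calls this.
     *
     * @param awsKmsMrkAwareMasterKey master key recorded on the returned {@link DataKey}
     * @param kmsClient client used for the decrypt call
     * @param str configured KMS key identifier
     * @param list grant tokens sent with the request
     * @param cryptoAlgorithm supplies the expected data-key length and the key algorithm name
     * @param encryptedDataKey ciphertext and provider info from the message
     * @param map encryption context sent to KMS with the request
     * @return the decrypted data key, carrying the original ciphertext and provider info
     * @throws IllegalStateException if the response has no key id, a different key id, or a
     *     plaintext whose length differs from the algorithm's data-key length
     */
    static DataKey<AwsKmsMrkAwareMasterKey> decryptSingleEncryptedDataKey(AwsKmsMrkAwareMasterKey awsKmsMrkAwareMasterKey, KmsClient kmsClient, String str, List<String> list, CryptoAlgorithm cryptoAlgorithm, EncryptedDataKey encryptedDataKey, Map<String, String> map) {
        final DecryptResponse response = kmsClient.decrypt(
                (DecryptRequest) DecryptRequest.builder()
                        .overrideConfiguration(API_NAME_INTERCEPTOR)
                        .ciphertextBlob(SdkBytes.fromByteArray(encryptedDataKey.getEncryptedDataKey()))
                        .encryptionContext(map)
                        .grantTokens(list)
                        .keyId(str)
                        .build());
        final String keyId = response.keyId();
        if (keyId == null) {
            throw new IllegalStateException("Received an empty keyId from KMS");
        }
        if (!str.equals(keyId)) {
            throw new IllegalStateException("Received an invalid response from KMS Decrypt call: Unexpected keyId.");
        }
        final ByteBuffer plaintextBuffer = response.plaintext().asByteBuffer();
        if (plaintextBuffer.limit() != cryptoAlgorithm.getDataKeyLength()) {
            throw new IllegalStateException("Received an unexpected number of bytes from KMS");
        }
        final byte[] plaintext = new byte[cryptoAlgorithm.getDataKeyLength()];
        try {
            plaintextBuffer.get(plaintext);
            return new DataKey<>(new SecretKeySpec(plaintext, cryptoAlgorithm.getDataKeyAlgo()), encryptedDataKey.getEncryptedDataKey(), encryptedDataKey.getProviderInformation(), awsKmsMrkAwareMasterKey);
        } finally {
            // SecretKeySpec holds its own copy; clear the scratch copy of the plaintext key.
            Arrays.fill(plaintext, (byte) 0);
        }
    }

    /**
     * Decides whether an encrypted data key belongs to this master key.
     *
     * <p>The provider info is decoded as UTF-8 and must parse as a KMS ARN whose resource type is
     * {@code "key"}; this check runs before the provider id is compared, so an entry with any other
     * provider info raises instead of being skipped.
     *
     * @param str provider id this master key answers to
     * @param str2 configured KMS key identifier
     * @param encryptedDataKey candidate from the message
     * @return {@code true} when the provider id matches and
     *     {@link AwsKmsCmkArnInfo#awsKmsArnMatchForDecrypt} accepts the identifier pair
     * @throws IllegalStateException if the provider info is not a KMS key ARN
     */
    static boolean filterEncryptedDataKeys(String str, String str2, EncryptedDataKey encryptedDataKey) {
        final String providerInfo = new String(encryptedDataKey.getProviderInformation(), StandardCharsets.UTF_8);
        final AwsKmsCmkArnInfo arnInfo = AwsKmsCmkArnInfo.parseInfoFromKeyArn(providerInfo);
        if (arnInfo == null || !"key".equals(arnInfo.getResourceType())) {
            throw new IllegalStateException("Invalid provider info in message.");
        }
        return encryptedDataKey.getProviderId().equals(str) && AwsKmsCmkArnInfo.awsKmsArnMatchForDecrypt(str2, providerInfo);
    }
}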
