package com.schibsted.security.strongbox.sdk.internal.encryption;

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CommitmentPolicy;
import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import com.amazonaws.services.kms.AWSKMSClient;
import com.schibsted.security.strongbox.sdk.exceptions.UnlimitedEncryptionNotSetException;
import com.schibsted.security.strongbox.sdk.internal.ClientConfigurationHelper;
import com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource;
import com.schibsted.security.strongbox.sdk.types.ClientConfiguration;
import com.schibsted.security.strongbox.sdk.types.EncryptionStrength;
import com.schibsted.security.strongbox.sdk.types.SecretsGroupIdentifier;
import java.util.Map;
import java.util.Optional;

/* loaded from: input_file:com/schibsted/security/strongbox/sdk/internal/encryption/KMSEncryptor.class */
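public class KMSEncryptor implements Encryptor, ManagedResource {
    /**
     * Message the AWS Encryption SDK surfaces when the JCE jurisdiction policy caps the AES key size.
     * Matched verbatim in {@link #isInvalidKeyException(AwsCryptoException)} so it can be reported as
     * a configuration problem rather than a generic crypto failure.
     */
    private static final String ILLEGAL_KEY_SIZE_MESSAGE = "java.security.InvalidKeyException: Illegal key size";

    private final AwsCrypto crypto;
    private final KMSManager kmsManager;
    private final AWSCredentialsProvider awsCredentials;
    private final SecretsGroupIdentifier groupIdentifier;
    private final ClientConfiguration clientConfiguration;
    // Lazily built on first use and then cached; neither cache is guarded by a lock,
    // so concurrent first calls may build the provider twice (harmless but wasteful).
    private Optional<KmsMasterKeyProvider> prov = Optional.empty();
    private Optional<String> keyArn = Optional.empty();

    /**
     * Creates an encryptor that wraps the given {@link AwsCrypto} instance and binds it to one KMS key.
     *
     * <p>The algorithm suite is selected from {@code encryptionStrength}; both suites are the signed
     * (ECDSA) variants, so every ciphertext carries a signature that is checked on decrypt.
     *
     * @param kMSManager              manages the KMS key this encryptor uses; its ARN is resolved lazily
     * @param aWSCredentialsProvider  credentials for the KMS client built in {@link #getProvider()}
     * @param clientConfiguration     HTTP/proxy settings applied to the KMS client
     * @param secretsGroupIdentifier  identifies the secrets group; its region selects the KMS endpoint
     * @param awsCrypto               the Encryption SDK client whose algorithm is set here
     * @param encryptionStrength      {@code AES_128} or {@code AES_256}
     * @throws IllegalArgumentException if {@code encryptionStrength} is neither supported value
     */
    public KMSEncryptor(KMSManager kMSManager, AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration, SecretsGroupIdentifier secretsGroupIdentifier, AwsCrypto awsCrypto, EncryptionStrength encryptionStrength) {
        this.awsCredentials = aWSCredentialsProvider;
        this.clientConfiguration = clientConfiguration;
        this.groupIdentifier = secretsGroupIdentifier;
        this.kmsManager = kMSManager;
        if (encryptionStrength.equals(EncryptionStrength.AES_128)) {
            awsCrypto.setEncryptionAlgorithm(CryptoAlgorithm.ALG_AES_128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256);
        } else if (encryptionStrength.equals(EncryptionStrength.AES_256)) {
            awsCrypto.setEncryptionAlgorithm(CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384);
        } else {
            throw new IllegalArgumentException(String.format("Unrecognized encryption strength %s", encryptionStrength.toString()));
        }
        this.crypto = awsCrypto;
    }

    /**
     * Builds an encryptor with a fresh {@link KMSManager} and a default-configured {@link AwsCrypto}.
     *
     * <p>The client uses {@code ForbidEncryptAllowDecrypt}: ciphertexts are produced without key
     * commitment, while both committed and uncommitted ciphertexts can be decrypted. This is the
     * migration policy; {@code RequireEncryptRequireDecrypt} is the stricter end state once no
     * uncommitted ciphertexts remain (TODO confirm against the deployed data before changing).
     * At most one encrypted data key is accepted per message, which bounds the KMS calls an
     * attacker-supplied ciphertext can trigger during decrypt.
     *
     * @param aWSCredentialsProvider credentials for KMS
     * @param clientConfiguration    HTTP/proxy settings for the KMS client
     * @param secretsGroupIdentifier identifies the secrets group and its region
     * @param encryptionStrength     {@code AES_128} or {@code AES_256}
     * @return a configured encryptor
     */
    public static KMSEncryptor fromCredentials(AWSCredentialsProvider aWSCredentialsProvider, ClientConfiguration clientConfiguration, SecretsGroupIdentifier secretsGroupIdentifier, EncryptionStrength encryptionStrength) {
        AwsCrypto awsCrypto = AwsCrypto.builder()
                .withCommitmentPolicy(CommitmentPolicy.ForbidEncryptAllowDecrypt)
                .withMaxEncryptedDataKeys(1)
                .build();
        KMSManager manager = KMSManager.fromCredentials(aWSCredentialsProvider, clientConfiguration, secretsGroupIdentifier);
        return new KMSEncryptor(manager, aWSCredentialsProvider, clientConfiguration, secretsGroupIdentifier, awsCrypto, encryptionStrength);
    }

    /**
     * Encrypts a string under this encryptor's KMS key, binding {@code encryptionContext} to the ciphertext.
     *
     * @param str               plaintext
     * @param encryptionContext additional authenticated data; must be supplied again on decrypt
     * @return the Encryption SDK's base64-encoded message
     * @throws UnlimitedEncryptionNotSetException if the JCE policy rejects the chosen key size
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.encryption.Encryptor
    public String encrypt(String str, EncryptionContext encryptionContext) {
        try {
            return this.crypto.encryptString(getProvider(), str, encryptionContext.toMap()).getResult();
        } catch (AwsCryptoException e) {
            // Same translation as the byte[] overloads so callers see one exception type for this condition.
            if (isInvalidKeyException(e)) {
                throw new UnlimitedEncryptionNotSetException();
            }
            throw e;
        }
    }

    /**
     * Decrypts a string and checks that it was produced under this encryptor's key and context.
     *
     * @param str               ciphertext as returned by {@link #encrypt(String, EncryptionContext)}
     * @param encryptionContext the context the caller expects to have been bound at encrypt time
     * @return the plaintext
     * @throws IllegalStateException              if the key ARN or encryption context does not match
     * @throws UnlimitedEncryptionNotSetException if the JCE policy rejects the chosen key size
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.encryption.Encryptor
    public String decrypt(String str, EncryptionContext encryptionContext) {
        try {
            CryptoResult<String, KmsMasterKey> decrypted = this.crypto.decryptString(getProvider(), str);
            verify(decrypted, encryptionContext);
            return decrypted.getResult();
        } catch (AwsCryptoException e) {
            if (isInvalidKeyException(e)) {
                throw new UnlimitedEncryptionNotSetException();
            }
            throw e;
        }
    }

    /**
     * Tells whether {@code awsCryptoException} is the "Illegal key size" failure caused by a
     * restricted JCE policy. Null-safe: an exception without a message is simply not a match.
     *
     * @param awsCryptoException the exception raised by the Encryption SDK
     * @return {@code true} if the message matches {@link #ILLEGAL_KEY_SIZE_MESSAGE} exactly
     */
    boolean isInvalidKeyException(AwsCryptoException awsCryptoException) {
        return ILLEGAL_KEY_SIZE_MESSAGE.equals(awsCryptoException.getMessage());
    }

    /**
     * Encrypts raw bytes under this encryptor's KMS key, binding {@code encryptionContext} to the ciphertext.
     *
     * @param bArr              plaintext bytes
     * @param encryptionContext additional authenticated data; must be supplied again on decrypt
     * @return the Encryption SDK message bytes
     * @throws UnlimitedEncryptionNotSetException if the JCE policy rejects the chosen key size
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.encryption.Encryptor
    public byte[] encrypt(byte[] bArr, EncryptionContext encryptionContext) {
        try {
            return this.crypto.encryptData(getProvider(), bArr, encryptionContext.toMap()).getResult();
        } catch (AwsCryptoException e) {
            if (isInvalidKeyException(e)) {
                throw new UnlimitedEncryptionNotSetException();
            }
            throw e;
        }
    }

    /**
     * Decrypts raw bytes and checks that they were produced under this encryptor's key and context.
     *
     * @param bArr              ciphertext as returned by {@link #encrypt(byte[], EncryptionContext)}
     * @param encryptionContext the context the caller expects to have been bound at encrypt time
     * @return the plaintext bytes
     * @throws IllegalStateException              if the key ARN or encryption context does not match
     * @throws UnlimitedEncryptionNotSetException if the JCE policy rejects the chosen key size
     */
    @Override // com.schibsted.security.strongbox.sdk.internal.encryption.Encryptor
    public byte[] decrypt(byte[] bArr, EncryptionContext encryptionContext) {
        try {
            CryptoResult<byte[], KmsMasterKey> decrypted = this.crypto.decryptData(getProvider(), bArr);
            verify(decrypted, encryptionContext);
            return decrypted.getResult();
        } catch (AwsCryptoException e) {
            if (isInvalidKeyException(e)) {
                throw new UnlimitedEncryptionNotSetException();
            }
            throw e;
        }
    }

    /**
     * Post-decrypt check that the message was wrapped by this encryptor's key and carries the
     * expected encryption context.
     *
     * <p>The provider built by {@link #getProvider()} is already strict to one ARN, so the key check
     * here is defence in depth. The context check requires every expected entry to be present with an
     * identical value; it deliberately does not reject extra entries, because the Encryption SDK adds
     * its own entries (e.g. the signature public key) for signed suites.
     *
     * @param cryptoResult      result of a decrypt call
     * @param encryptionContext the context the caller expects
     * @throws IllegalStateException if no master key id is reported, the first id is not this
     *                               encryptor's ARN, or an expected context entry is missing or differs
     */
    private void verify(CryptoResult<?, KmsMasterKey> cryptoResult, EncryptionContext encryptionContext) {
        // An empty id list used to surface as IndexOutOfBoundsException; report it as the same integrity failure.
        if (cryptoResult.getMasterKeyIds().isEmpty() || !getKeyArn().equals(cryptoResult.getMasterKeyIds().get(0))) {
            throw new IllegalStateException("Wrong key id!");
        }
        Map<String, String> actual = cryptoResult.getEncryptionContext();
        for (Map.Entry<String, String> expected : encryptionContext.toMap().entrySet()) {
            String actualValue = actual.get(expected.getKey());
            // A missing entry is a mismatch, not a null-pointer failure.
            if (actualValue == null || !actualValue.equals(expected.getValue())) {
                throw new IllegalStateException("Wrong Encryption Context!");
            }
        }
    }

    /**
     * Returns {@code num} random bytes obtained from KMS via the manager.
     *
     * @param num number of bytes requested
     * @return the random bytes
     */
    public byte[] generateRandom(Integer num) {
        return this.kmsManager.generateRandom(num);
    }

    /** Creates the backing KMS key; delegates to {@link KMSManager#create()}. */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public String create() {
        return this.kmsManager.create();
    }

    /**
     * Creates the backing KMS key with an extra flag whose meaning is defined by
     * {@link KMSManager#create(boolean)} (not visible here).
     *
     * @param z passed through to the manager
     * @return whatever the manager returns for {@code create}
     */
    public String create(boolean z) {
        return this.kmsManager.create(z);
    }

    /** Deletes (schedules deletion of) the backing KMS key; delegates to the manager. */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public void delete() {
        this.kmsManager.delete();
    }

    /** IAM policy granting administrative access to the key, if the manager provides one. */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public Optional<String> awsAdminPolicy() {
        return this.kmsManager.awsAdminPolicy();
    }

    /** IAM policy granting read-only (decrypt) access to the key, if the manager provides one. */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public Optional<String> awsReadOnlyPolicy() {
        return this.kmsManager.awsReadOnlyPolicy();
    }

    /** ARN of the backing KMS key as resolved by the manager (uncached; see {@link #getKeyArn()}). */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public String getArn() {
        return this.kmsManager.getArn();
    }

    /** Whether the backing KMS key exists; delegates to the manager. */
    @Override // com.schibsted.security.strongbox.sdk.internal.interfaces.ManagedResource
    public boolean exists() {
        return this.kmsManager.exists();
    }

    /**
     * Existence check with an extra flag whose meaning is defined by
     * {@link KMSManager#exists(boolean)} (not visible here).
     *
     * @param z passed through to the manager
     * @return the manager's answer
     */
    public boolean exists(boolean z) {
        return this.kmsManager.exists(z);
    }

    /** Number of days a key stays in pending-deletion before KMS removes it; delegates to the manager. */
    public int pendingDeletionWindowInDays() {
        return this.kmsManager.pendingDeletionWindowInDays();
    }

    /**
     * Returns the master key provider, building it on first use.
     *
     * <p>The provider is built in strict mode with exactly this encryptor's key ARN, so decrypt will
     * not call KMS for any other key named in a ciphertext. The KMS client is pinned to the group's
     * region and uses the configured credentials and client settings.
     *
     * @return the cached provider
     */
    protected KmsMasterKeyProvider getProvider() {
        if (!this.prov.isPresent()) {
            String region = this.groupIdentifier.region.getName();
            AWSKMSClient.builder().getClass(); // no-op guard removed below; kept for readability of the chain
            this.prov = Optional.of(KmsMasterKeyProvider.builder()
                    .withClientBuilder(AWSKMSClient.builder()
                            .withCredentials(this.awsCredentials)
                            .withRegion(region)
                            .withClientConfiguration(ClientConfigurationHelper.transformAndVerifyOrThrow(this.clientConfiguration)))
                    .withDefaultRegion(region)
                    .buildStrict(new String[]{getKeyArn()}));
        }
        return this.prov.get();
    }

    /**
     * Returns this encryptor's key ARN, resolving it through the manager on first use and caching it.
     *
     * @return the key ARN
     */
    protected String getKeyArn() {
        if (!this.keyArn.isPresent()) {
            this.keyArn = Optional.of(this.kmsManager.getArn());
        }
        return this.keyArn.get();
    }
}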
