package com.google.crypto.tink.integration.awskms;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.util.BinaryUtils;
import com.google.crypto.tink.Aead;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;

/* loaded from: input_file:com/google/crypto/tink/integration/awskms/AwsKmsAead.class */
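/**
 * {@link Aead} implementation that delegates every encrypt and decrypt call to AWS KMS.
 *
 * <p>Associated data, when non-empty, is hex-encoded and sent to KMS as the single
 * encryption-context entry {@code "associatedData"}. Null or empty associated data sends no
 * encryption context at all, so the two cases are indistinguishable to KMS.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The decrypt request does not name a key; KMS chooses one from the ciphertext blob. The
 *       only binding to {@code keyArn} is the exact string comparison done on the response, so
 *       {@code keyArn} must be in the same form KMS reports back (presumably the full key ARN,
 *       not an alias; confirm against the caller).</li>
 *   <li>NOTE(review): newer AWS SDK releases let {@code DecryptRequest} carry the key id, which
 *       would make KMS itself refuse a foreign key; confirm the SDK version before adopting.</li>
 *   <li>Only {@link AmazonServiceException} is translated to {@link GeneralSecurityException};
 *       any other runtime exception raised by the client propagates unchanged.</li>
 * </ul>
 */
public final class AwsKmsAead implements Aead {
    private final AWSKMS kmsClient;
    private final String keyArn;

    /**
     * Creates an AEAD bound to one KMS key.
     *
     * @param awskms client used for all KMS calls; not validated here
     * @param str identifier of the KMS key, compared verbatim with the key id in decrypt responses
     * @throws GeneralSecurityException declared for interface compatibility; never thrown here
     */
    public AwsKmsAead(AWSKMS awskms, String str) throws GeneralSecurityException {
        this.kmsClient = awskms;
        this.keyArn = str;
    }

    /**
     * Encrypts {@code plaintext} under the configured KMS key.
     *
     * @param plaintext bytes to encrypt
     * @param associatedData data to bind to the ciphertext; null or empty means none
     * @return a fresh array holding the ciphertext blob returned by KMS
     * @throws GeneralSecurityException if KMS reports a service error
     */
    @Override
    public byte[] encrypt(byte[] plaintext, byte[] associatedData) throws GeneralSecurityException {
        try {
            EncryptRequest request =
                    new EncryptRequest().withKeyId(this.keyArn).withPlaintext(ByteBuffer.wrap(plaintext));
            if (associatedData != null && associatedData.length != 0) {
                request = request.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
            }
            return copyRemaining(this.kmsClient.encrypt(request).getCiphertextBlob());
        } catch (AmazonServiceException e) {
            throw new GeneralSecurityException("encryption failed", e);
        }
    }

    /**
     * Decrypts {@code ciphertext} through KMS and returns the plaintext only if KMS reports that
     * the configured key was used.
     *
     * @param ciphertext ciphertext blob previously produced by KMS
     * @param associatedData the associated data supplied at encryption time; null or empty means
     *     none
     * @return a fresh array holding the plaintext
     * @throws GeneralSecurityException if KMS reports a service error, or if the key id in the
     *     response is absent or differs from the configured key
     */
    @Override
    public byte[] decrypt(byte[] ciphertext, byte[] associatedData) throws GeneralSecurityException {
        try {
            DecryptRequest request = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(ciphertext));
            if (associatedData != null && associatedData.length != 0) {
                request = request.addEncryptionContextEntry("associatedData", BinaryUtils.toHex(associatedData));
            }
            DecryptResult result = this.kmsClient.decrypt(request);
            // Fail closed: a response without a key id, or with a different one, is rejected
            // before any plaintext leaves this method. The null-safe form turns a missing key id
            // into a GeneralSecurityException instead of a NullPointerException.
            if (this.keyArn == null || !this.keyArn.equals(result.getKeyId())) {
                throw new GeneralSecurityException("decryption failed: wrong key id");
            }
            return copyRemaining(result.getPlaintext());
        } catch (AmazonServiceException e) {
            throw new GeneralSecurityException("decryption failed", e);
        }
    }

    /**
     * Copies the readable bytes of {@code buffer} (position to limit) into a new array.
     *
     * <p>{@link ByteBuffer#array()} would hand back the whole backing array regardless of
     * position, limit and array offset, and throws for read-only or direct buffers. Reading
     * through a duplicate avoids both and leaves the caller's buffer position untouched.
     */
    private static byte[] copyRemaining(ByteBuffer buffer) {
        ByteBuffer view = buffer.duplicate();
        byte[] out = new byte[view.remaining()];
        view.get(out);
        return out;
    }
}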
