package com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers;

import com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.AsymmetricRawMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.DecryptionMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.EncryptionMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.SymmetricRawMaterials;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableEntryException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;

/* loaded from: input_file:com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/KeyStoreMaterialsProvider.class */
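/**
 * Supplies encryption and decryption materials built from two entries of a {@link KeyStore}:
 * one stored under the encryption alias and one stored under the signing alias.
 *
 * <p>The entries are read when the provider is constructed and again on every
 * {@link #refresh()}. The most recently loaded pair is cached in an {@link AtomicReference},
 * so each call to the getters works on one consistent snapshot.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #getDecryptionMaterials(EncryptionContext)} returns {@code null} (it does not
 *       throw) when the record's material description does not cover this provider's
 *       description. Callers must check for {@code null}.</li>
 *   <li>If {@link #refresh()} throws, the previously loaded materials remain cached and are
 *       still handed out. Code that relies on {@code refresh()} to stop using a key removed
 *       from the keystore must treat that exception as fatal for this provider instance.</li>
 * </ul>
 */
public class KeyStoreMaterialsProvider implements EncryptionMaterialsProvider {
    // Immutable copy of the caller-supplied material description (see constructor).
    private final Map<String, String> description;
    private final String encryptionAlias;
    private final String signingAlias;
    // May be null; passed straight to KeyStore.getEntry for the matching alias.
    private final KeyStore.ProtectionParameter encryptionProtection;
    private final KeyStore.ProtectionParameter signingProtection;
    private final KeyStore keyStore;
    // Snapshot of the entries most recently loaded from the keystore.
    private final AtomicReference<CurrentMaterials> currMaterials;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/KeyStoreMaterialsProvider$CurrentMaterials.class */
    /**
     * One snapshot of the two keystore entries, plus the symmetric materials derived from
     * them when the encryption entry is a {@link KeyStore.SecretKeyEntry}.
     */
    public class CurrentMaterials {
        public final KeyStore.Entry encryptionEntry;
        public final KeyStore.Entry signingEntry;
        // Null unless encryptionEntry is a SecretKeyEntry; asymmetric materials are built per call.
        public final SymmetricRawMaterials symRawMaterials;

        /**
         * @param entry entry loaded for the encryption alias
         * @param entry2 entry loaded for the signing alias
         * @throws IllegalArgumentException if {@code entry} is a secret key and {@code entry2}
         *     is neither a secret key nor an entry accepted by
         *     {@link KeyStoreMaterialsProvider#entry2Pair(KeyStore.Entry)}
         */
        public CurrentMaterials(KeyStore.Entry entry, KeyStore.Entry entry2) {
            this.encryptionEntry = entry;
            this.signingEntry = entry2;
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                // Asymmetric (or missing) encryption entry: nothing to precompute.
                this.symRawMaterials = null;
            } else if (entry2 instanceof KeyStore.SecretKeyEntry) {
                // Secret key for encryption and secret key for signing.
                this.symRawMaterials = new SymmetricRawMaterials(
                        ((KeyStore.SecretKeyEntry) entry).getSecretKey(),
                        ((KeyStore.SecretKeyEntry) entry2).getSecretKey(),
                        KeyStoreMaterialsProvider.this.description);
            } else {
                // Secret key for encryption, key pair for signing.
                this.symRawMaterials = new SymmetricRawMaterials(
                        ((KeyStore.SecretKeyEntry) entry).getSecretKey(),
                        KeyStoreMaterialsProvider.entry2Pair(entry2),
                        KeyStoreMaterialsProvider.this.description);
            }
        }
    }

    /**
     * Creates a provider that passes {@code null} for both protection parameters.
     *
     * @param keyStore keystore holding both entries
     * @param str alias of the encryption entry
     * @param str2 alias of the signing entry
     * @param map material description; copied, so later changes by the caller are not seen
     * @throws IllegalArgumentException if either alias is absent from the keystore
     */
    public KeyStoreMaterialsProvider(KeyStore keyStore, String str, String str2, Map<String, String> map) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        this(keyStore, str, str2, null, null, map);
    }

    /**
     * Creates a provider, checks that both aliases exist, and loads the entries once.
     *
     * @param keyStore keystore holding both entries
     * @param str alias of the encryption entry
     * @param str2 alias of the signing entry
     * @param protectionParameter protection parameter used to read the encryption entry
     * @param protectionParameter2 protection parameter used to read the signing entry
     * @param map material description; copied, so later changes by the caller are not seen
     * @throws IllegalArgumentException if either alias is absent from the keystore
     */
    public KeyStoreMaterialsProvider(KeyStore keyStore, String str, String str2, KeyStore.ProtectionParameter protectionParameter, KeyStore.ProtectionParameter protectionParameter2, Map<String, String> map) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        this.currMaterials = new AtomicReference<>();
        this.keyStore = keyStore;
        this.encryptionAlias = str;
        this.signingAlias = str2;
        this.encryptionProtection = protectionParameter;
        this.signingProtection = protectionParameter2;
        // Typed defensive copy (the raw HashMap produced an unchecked conversion).
        this.description = Collections.unmodifiableMap(new HashMap<>(map));
        validateKeys();
        loadKeys();
    }

    /**
     * Returns decryption materials for a record, or {@code null} when the record was not
     * written with this provider's description.
     *
     * @param encryptionContext context whose material description is matched against this
     *     provider's description
     * @return the cached symmetric materials, freshly built asymmetric materials carrying the
     *     context's material description, or {@code null} if that description does not
     *     contain every entry of this provider's description
     * @throws DynamoDBMappingException if building asymmetric materials fails
     */
    @Override // com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider
    public DecryptionMaterials getDecryptionMaterials(EncryptionContext encryptionContext) {
        CurrentMaterials currentMaterials = this.currMaterials.get();
        // Subset check: every (key, value) of our description must be present in the record's.
        if (!encryptionContext.getMaterialDescription().entrySet().containsAll(this.description.entrySet())) {
            return null;
        }
        if (currentMaterials.encryptionEntry instanceof KeyStore.SecretKeyEntry) {
            return currentMaterials.symRawMaterials;
        }
        try {
            return makeAsymMaterials(currentMaterials, encryptionContext.getMaterialDescription());
        } catch (GeneralSecurityException e) {
            throw new DynamoDBMappingException("Unable to decrypt envelope key", e);
        }
    }

    /**
     * Returns encryption materials built from the currently cached entries.
     *
     * @param encryptionContext not read by this implementation
     * @return the cached symmetric materials, or freshly built asymmetric materials carrying
     *     this provider's description
     * @throws DynamoDBMappingException if building asymmetric materials fails
     */
    @Override // com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider
    public EncryptionMaterials getEncryptionMaterials(EncryptionContext encryptionContext) {
        CurrentMaterials currentMaterials = this.currMaterials.get();
        if (currentMaterials.encryptionEntry instanceof KeyStore.SecretKeyEntry) {
            return currentMaterials.symRawMaterials;
        }
        try {
            return makeAsymMaterials(currentMaterials, this.description);
        } catch (GeneralSecurityException e) {
            throw new DynamoDBMappingException("Unable to encrypt envelope key", e);
        }
    }

    /**
     * Builds asymmetric materials from the encryption key pair and either a signing secret
     * key or a signing key pair, depending on the type of the signing entry.
     */
    private AsymmetricRawMaterials makeAsymMaterials(CurrentMaterials currentMaterials, Map<String, String> map) throws GeneralSecurityException {
        KeyPair encryptionPair = entry2Pair(currentMaterials.encryptionEntry);
        if (currentMaterials.signingEntry instanceof KeyStore.SecretKeyEntry) {
            return new AsymmetricRawMaterials(encryptionPair, ((KeyStore.SecretKeyEntry) currentMaterials.signingEntry).getSecretKey(), map);
        }
        return new AsymmetricRawMaterials(encryptionPair, entry2Pair(currentMaterials.signingEntry), map);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Converts a keystore entry into a {@link KeyPair}.
     *
     * <p>A {@link KeyStore.PrivateKeyEntry} yields its private key plus the public key of its
     * certificate (the public half is {@code null} if the entry has no certificate). A
     * {@link KeyStore.TrustedCertificateEntry} yields a pair whose private half is
     * {@code null}.
     *
     * @param entry keystore entry to convert
     * @return key pair in which either half may be {@code null}, as described above
     * @throws IllegalArgumentException if {@code entry} is {@code null} or of another type
     */
    public static KeyPair entry2Pair(KeyStore.Entry entry) {
        if (entry == null) {
            // KeyStore.getEntry returns null for an alias without an entry; report that
            // explicitly instead of the "unsupported type" message below.
            throw new IllegalArgumentException("Keystore entry is null; no entry was found for the requested alias.");
        }
        PublicKey publicKey = null;
        PrivateKey privateKey = null;
        if (entry instanceof KeyStore.PrivateKeyEntry) {
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
            if (privateKeyEntry.getCertificate() != null) {
                publicKey = privateKeyEntry.getCertificate().getPublicKey();
            }
            privateKey = privateKeyEntry.getPrivateKey();
        } else {
            if (!(entry instanceof KeyStore.TrustedCertificateEntry)) {
                throw new IllegalArgumentException("Only entry types PrivateKeyEntry and TrustedCertificateEntry are supported.");
            }
            publicKey = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate().getPublicKey();
        }
        return new KeyPair(publicKey, privateKey);
    }

    /**
     * Reloads both entries from the keystore and replaces the cached snapshot.
     *
     * <p>The aliases are not re-validated here. If loading throws, the snapshot is not
     * replaced, so the previously loaded keys stay in use.
     *
     * @throws DynamoDBMappingException if the keystore reports a security error while loading
     */
    @Override // com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider
    public void refresh() {
        try {
            loadKeys();
        } catch (GeneralSecurityException e) {
            throw new DynamoDBMappingException("Unable to load keys from keystore", e);
        }
    }

    /**
     * Verifies that both configured aliases exist in the keystore.
     *
     * @throws IllegalArgumentException naming the first alias that is missing
     */
    private void validateKeys() throws KeyStoreException {
        if (!this.keyStore.containsAlias(this.encryptionAlias)) {
            throw new IllegalArgumentException("Keystore does not contain alias: " + this.encryptionAlias);
        }
        if (!this.keyStore.containsAlias(this.signingAlias)) {
            throw new IllegalArgumentException("Keystore does not contain alias: " + this.signingAlias);
        }
    }

    /**
     * Reads both entries and publishes them as the new snapshot. The snapshot is replaced
     * only after both reads and the {@link CurrentMaterials} construction have succeeded.
     */
    private void loadKeys() throws NoSuchAlgorithmException, UnrecoverableEntryException, KeyStoreException {
        KeyStore.Entry encryptionEntry = this.keyStore.getEntry(this.encryptionAlias, this.encryptionProtection);
        KeyStore.Entry signingEntry = this.keyStore.getEntry(this.signingAlias, this.signingProtection);
        this.currMaterials.set(new CurrentMaterials(encryptionEntry, signingEntry));
    }
}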
