package com.amazonaws.services.dynamodbv2.datamodeling.encryption;

import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.DecryptionMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.EncryptionMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider;
import com.amazonaws.services.dynamodbv2.datamodeling.internal.AttributeValueMarshaller;
import com.amazonaws.services.dynamodbv2.datamodeling.internal.ByteBufferInputStream;
import com.amazonaws.services.dynamodbv2.datamodeling.internal.Utils;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/* loaded from: input_file:com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.class */
public class DynamoDBEncryptor {
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String DEFAULT_METADATA_FIELD = "*amzn-ddb-map-desc*";
    private static final String DEFAULT_SIGNATURE_FIELD = "*amzn-ddb-map-sig*";
    private static final String DEFAULT_DESCRIPTION_BASE = "amzn-ddb-map-";
    private static final String SYMMETRIC_ENCRYPTION_MODE = "/CBC/PKCS5Padding";
    private static final int CURRENT_VERSION = 0;
    private String signatureFieldName = DEFAULT_SIGNATURE_FIELD;
    private String materialDescriptionFieldName = DEFAULT_METADATA_FIELD;
    private EncryptionMaterialsProvider encryptionMaterialsProvider;
    private final String descriptionBase;
    private final String symmetricEncryptionModeHeader;
    private final String signingAlgorithmHeader;
    public static final String DEFAULT_SIGNING_ALGORITHM_HEADER = "amzn-ddb-map-signingAlg";
    private Function<EncryptionContext, EncryptionContext> encryptionContextOverrideOperator;
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final ConcurrentHashMap<String, Integer> BLOCK_SIZE_CACHE = new ConcurrentHashMap<>();
    private static final Function<String, Integer> BLOCK_SIZE_CALCULATOR = str -> {
        try {
            return Integer.valueOf(Cipher.getInstance(str).getBlockSize());
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("Algorithm does not exist", e);
        }
    };

    protected DynamoDBEncryptor(EncryptionMaterialsProvider encryptionMaterialsProvider, String str) {
        this.encryptionMaterialsProvider = encryptionMaterialsProvider;
        this.descriptionBase = str;
        this.symmetricEncryptionModeHeader = this.descriptionBase + "sym-mode";
        this.signingAlgorithmHeader = this.descriptionBase + "signingAlg";
    }

    public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider encryptionMaterialsProvider, String str) {
        return new DynamoDBEncryptor(encryptionMaterialsProvider, str);
    }

    public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider encryptionMaterialsProvider) {
        return getInstance(encryptionMaterialsProvider, DEFAULT_DESCRIPTION_BASE);
    }

    public Map<String, AttributeValue> decryptAllFieldsExcept(Map<String, AttributeValue> map, EncryptionContext encryptionContext, String... strArr) throws GeneralSecurityException {
        return decryptAllFieldsExcept(map, encryptionContext, Arrays.asList(strArr));
    }

    public Map<String, AttributeValue> decryptAllFieldsExcept(Map<String, AttributeValue> map, EncryptionContext encryptionContext, Collection<String> collection) throws GeneralSecurityException {
        return decryptRecord(map, allDecryptionFlagsExcept(map, collection), encryptionContext);
    }

    public Map<String, Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String, AttributeValue> map, String... strArr) {
        return allDecryptionFlagsExcept(map, Arrays.asList(strArr));
    }

    public Map<String, Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String, AttributeValue> map, Collection<String> collection) {
        HashMap hashMap = new HashMap();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            hashMap.put(it.next(), EnumSet.of(EncryptionFlags.SIGN));
        }
        for (String str : map.keySet()) {
            if (!hashMap.containsKey(str) && !str.equals(getMaterialDescriptionFieldName()) && !str.equals(getSignatureFieldName())) {
                hashMap.put(str, EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN));
            }
        }
        return hashMap;
    }

    public Map<String, AttributeValue> encryptAllFieldsExcept(Map<String, AttributeValue> map, EncryptionContext encryptionContext, String... strArr) throws GeneralSecurityException {
        return encryptAllFieldsExcept(map, encryptionContext, Arrays.asList(strArr));
    }

    public Map<String, AttributeValue> encryptAllFieldsExcept(Map<String, AttributeValue> map, EncryptionContext encryptionContext, Collection<String> collection) throws GeneralSecurityException {
        return encryptRecord(map, allEncryptionFlagsExcept(map, collection), encryptionContext);
    }

    public Map<String, Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String, AttributeValue> map, String... strArr) {
        return allEncryptionFlagsExcept(map, Arrays.asList(strArr));
    }

    public Map<String, Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String, AttributeValue> map, Collection<String> collection) {
        HashMap hashMap = new HashMap();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            hashMap.put(it.next(), EnumSet.of(EncryptionFlags.SIGN));
        }
        for (String str : map.keySet()) {
            if (!hashMap.containsKey(str)) {
                hashMap.put(str, EnumSet.of(EncryptionFlags.ENCRYPT, EncryptionFlags.SIGN));
            }
        }
        return hashMap;
    }

    public Map<String, AttributeValue> decryptRecord(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, EncryptionContext encryptionContext) throws GeneralSecurityException {
        if (map2.isEmpty()) {
            return map;
        }
        HashMap hashMap = new HashMap(map);
        Map<String, String> emptyMap = Collections.emptyMap();
        DynamoDBSigner dynamoDBSigner = DynamoDBSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, Utils.getRng());
        if (hashMap.containsKey(this.materialDescriptionFieldName)) {
            emptyMap = unmarshallDescription(hashMap.get(this.materialDescriptionFieldName));
        }
        EncryptionContext build = new EncryptionContext.Builder(encryptionContext).withMaterialDescription(emptyMap).withAttributeValues(hashMap).build();
        Function<EncryptionContext, EncryptionContext> encryptionContextOverrideOperator = getEncryptionContextOverrideOperator();
        if (encryptionContextOverrideOperator != null) {
            build = encryptionContextOverrideOperator.apply(build);
        }
        DecryptionMaterials decryptionMaterials = this.encryptionMaterialsProvider.getDecryptionMaterials(build);
        SecretKey decryptionKey = decryptionMaterials.getDecryptionKey();
        if (emptyMap.containsKey(this.signingAlgorithmHeader)) {
            dynamoDBSigner = DynamoDBSigner.getInstance(emptyMap.get(this.signingAlgorithmHeader), Utils.getRng());
        }
        ByteBuffer allocate = (!hashMap.containsKey(this.signatureFieldName) || hashMap.get(this.signatureFieldName).getB() == null) ? ByteBuffer.allocate(CURRENT_VERSION) : hashMap.get(this.signatureFieldName).getB().asReadOnlyBuffer();
        hashMap.remove(this.signatureFieldName);
        dynamoDBSigner.verifySignature(hashMap, map2, ("TABLE>" + build.getTableName() + "<TABLE").getBytes(UTF8), decryptionMaterials.getVerificationKey(), allocate);
        hashMap.remove(this.materialDescriptionFieldName);
        actualDecryption(hashMap, map2, decryptionKey, emptyMap);
        return hashMap;
    }

    public Map<String, AttributeValue> encryptRecord(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, EncryptionContext encryptionContext) throws GeneralSecurityException {
        if (map2.isEmpty()) {
            return map;
        }
        HashMap hashMap = new HashMap(map);
        EncryptionContext build = new EncryptionContext.Builder(encryptionContext).withAttributeValues(hashMap).build();
        Function<EncryptionContext, EncryptionContext> encryptionContextOverrideOperator = getEncryptionContextOverrideOperator();
        if (encryptionContextOverrideOperator != null) {
            build = encryptionContextOverrideOperator.apply(build);
        }
        EncryptionMaterials encryptionMaterials = this.encryptionMaterialsProvider.getEncryptionMaterials(build);
        HashMap hashMap2 = new HashMap(encryptionMaterials.getMaterialDescription());
        actualEncryption(hashMap, map2, hashMap2, encryptionMaterials.getEncryptionKey());
        String str = hashMap2.get(this.signingAlgorithmHeader);
        DynamoDBSigner dynamoDBSigner = str != null ? DynamoDBSigner.getInstance(str, Utils.getRng()) : DynamoDBSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, Utils.getRng());
        if (encryptionMaterials.getSigningKey() instanceof PrivateKey) {
            hashMap2.put(this.signingAlgorithmHeader, dynamoDBSigner.getSigningAlgorithm());
        }
        if (!hashMap2.isEmpty()) {
            hashMap.put(this.materialDescriptionFieldName, marshallDescription(hashMap2));
        }
        byte[] calculateSignature = dynamoDBSigner.calculateSignature(hashMap, map2, ("TABLE>" + build.getTableName() + "<TABLE").getBytes(UTF8), encryptionMaterials.getSigningKey());
        AttributeValue attributeValue = new AttributeValue();
        attributeValue.setB(ByteBuffer.wrap(calculateSignature));
        hashMap.put(this.signatureFieldName, attributeValue);
        return hashMap;
    }

    private void actualDecryption(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, SecretKey secretKey, Map<String, String> map3) throws GeneralSecurityException {
        ByteBuffer allocate;
        String str = secretKey != null ? secretKey.getAlgorithm() + map3.get(this.symmetricEncryptionModeHeader) : null;
        Cipher cipher = CURRENT_VERSION;
        int i = -1;
        for (Map.Entry<String, AttributeValue> entry : map.entrySet()) {
            Set<EncryptionFlags> set = map2.get(entry.getKey());
            if (set != null && set.contains(EncryptionFlags.ENCRYPT)) {
                if (!set.contains(EncryptionFlags.SIGN)) {
                    throw new IllegalArgumentException("All encrypted fields must be signed. Bad field: " + entry.getKey());
                }
                ByteBuffer asReadOnlyBuffer = entry.getValue().getB().asReadOnlyBuffer();
                asReadOnlyBuffer.rewind();
                if (secretKey instanceof DelegatedKey) {
                    allocate = ByteBuffer.wrap(((DelegatedKey) secretKey).decrypt(toByteArray(asReadOnlyBuffer), null, str));
                } else {
                    if (cipher == null) {
                        i = getBlockSize(str);
                        cipher = Cipher.getInstance(str);
                    }
                    byte[] bArr = new byte[i];
                    asReadOnlyBuffer.get(bArr);
                    cipher.init(2, secretKey, new IvParameterSpec(bArr), Utils.getRng());
                    allocate = ByteBuffer.allocate(cipher.getOutputSize(asReadOnlyBuffer.remaining()));
                    cipher.doFinal(asReadOnlyBuffer, allocate);
                    allocate.rewind();
                }
                entry.setValue(AttributeValueMarshaller.unmarshall(allocate));
            }
        }
    }

    protected static int getBlockSize(String str) {
        return BLOCK_SIZE_CACHE.computeIfAbsent(str, BLOCK_SIZE_CALCULATOR).intValue();
    }

    private void actualEncryption(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, Map<String, String> map3, SecretKey secretKey) throws GeneralSecurityException {
        ByteBuffer allocate;
        String str = CURRENT_VERSION;
        if (secretKey != null) {
            map3.put(this.symmetricEncryptionModeHeader, SYMMETRIC_ENCRYPTION_MODE);
            str = secretKey.getAlgorithm() + SYMMETRIC_ENCRYPTION_MODE;
        }
        Cipher cipher = CURRENT_VERSION;
        int i = -1;
        for (Map.Entry<String, AttributeValue> entry : map.entrySet()) {
            Set<EncryptionFlags> set = map2.get(entry.getKey());
            if (set != null && set.contains(EncryptionFlags.ENCRYPT)) {
                if (!set.contains(EncryptionFlags.SIGN)) {
                    throw new IllegalArgumentException("All encrypted fields must be signed. Bad field: " + entry.getKey());
                }
                ByteBuffer marshall = AttributeValueMarshaller.marshall(entry.getValue());
                marshall.rewind();
                if (secretKey instanceof DelegatedKey) {
                    allocate = ByteBuffer.wrap(((DelegatedKey) secretKey).encrypt(toByteArray(marshall), null, str));
                } else {
                    if (cipher == null) {
                        i = getBlockSize(str);
                        cipher = Cipher.getInstance(str);
                    }
                    cipher.init(1, secretKey, Utils.getRng());
                    allocate = ByteBuffer.allocate(i + cipher.getOutputSize(marshall.remaining()));
                    allocate.position(i);
                    cipher.doFinal(marshall, allocate);
                    allocate.flip();
                    byte[] iv = cipher.getIV();
                    if (iv.length != i) {
                        throw new IllegalStateException(String.format("Generated IV length (%d) not equal to block size (%d)", Integer.valueOf(iv.length), Integer.valueOf(i)));
                    }
                    allocate.put(iv);
                    allocate.rewind();
                }
                entry.setValue(new AttributeValue().withB(allocate));
            }
        }
    }

    public String getSignatureFieldName() {
        return this.signatureFieldName;
    }

    public void setSignatureFieldName(String str) {
        this.signatureFieldName = str;
    }

    public String getMaterialDescriptionFieldName() {
        return this.materialDescriptionFieldName;
    }

    public void setMaterialDescriptionFieldName(String str) {
        this.materialDescriptionFieldName = str;
    }

    protected static AttributeValue marshallDescription(Map<String, String> map) {
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
            dataOutputStream.writeInt(CURRENT_VERSION);
            for (Map.Entry<String, String> entry : map.entrySet()) {
                byte[] bytes = entry.getKey().getBytes(UTF8);
                dataOutputStream.writeInt(bytes.length);
                dataOutputStream.write(bytes);
                byte[] bytes2 = entry.getValue().getBytes(UTF8);
                dataOutputStream.writeInt(bytes2.length);
                dataOutputStream.write(bytes2);
            }
            dataOutputStream.close();
            AttributeValue attributeValue = new AttributeValue();
            attributeValue.setB(ByteBuffer.wrap(byteArrayOutputStream.toByteArray()));
            return attributeValue;
        } catch (IOException e) {
            throw new RuntimeException("Unexpected exception", e);
        }
    }

    public String getSigningAlgorithmHeader() {
        return this.signingAlgorithmHeader;
    }

    protected static Map<String, String> unmarshallDescription(AttributeValue attributeValue) {
        attributeValue.getB().mark();
        try {
            try {
                DataInputStream dataInputStream = new DataInputStream(new ByteBufferInputStream(attributeValue.getB()));
                try {
                    HashMap hashMap = new HashMap();
                    if (dataInputStream.readInt() != 0) {
                        throw new IllegalArgumentException("Unsupported description version");
                    }
                    while (dataInputStream.available() > 0) {
                        try {
                            int readInt = dataInputStream.readInt();
                            byte[] bArr = new byte[readInt];
                            if (dataInputStream.read(bArr) != readInt) {
                                throw new IllegalArgumentException("Malformed description");
                            }
                            String str = new String(bArr, UTF8);
                            int readInt2 = dataInputStream.readInt();
                            byte[] bArr2 = new byte[readInt2];
                            if (dataInputStream.read(bArr2) != readInt2) {
                                throw new IllegalArgumentException("Malformed description");
                            }
                            hashMap.put(str, new String(bArr2, UTF8));
                        } catch (EOFException e) {
                            throw new IllegalArgumentException("Malformed description", e);
                        }
                    }
                    dataInputStream.close();
                    attributeValue.getB().reset();
                    return hashMap;
                } catch (Throwable th) {
                    try {
                        dataInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (Throwable th3) {
                attributeValue.getB().reset();
                throw th3;
            }
        } catch (IOException e2) {
            throw new RuntimeException("Unexpected exception", e2);
        }
    }

    public final void setEncryptionContextOverrideOperator(Function<EncryptionContext, EncryptionContext> function) {
        this.encryptionContextOverrideOperator = function;
    }

    public final Function<EncryptionContext, EncryptionContext> getEncryptionContextOverrideOperator() {
        return this.encryptionContextOverrideOperator;
    }

    private static byte[] toByteArray(ByteBuffer byteBuffer) {
        ByteBuffer duplicate = byteBuffer.duplicate();
        if (duplicate.hasArray() && duplicate.arrayOffset() == 0) {
            byte[] array = duplicate.array();
            if (duplicate.remaining() == array.length) {
                return array;
            }
        }
        byte[] bArr = new byte[duplicate.remaining()];
        duplicate.get(bArr);
        return bArr;
    }
}
