package com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers;

import com.amazonaws.AmazonWebServiceRequest;
import com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMappingException;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.DecryptionMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.EncryptionMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.SymmetricRawMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.WrappedRawMaterials;
import com.amazonaws.services.dynamodbv2.datamodeling.internal.Base64;
import com.amazonaws.services.dynamodbv2.datamodeling.internal.Hkdf;
import com.amazonaws.services.dynamodbv2.datamodeling.internal.Utils;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;
import com.amazonaws.util.StringUtils;
import java.nio.ByteBuffer;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/DirectKmsMaterialProvider.class */
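/**
 * Encryption materials provider that obtains a data key from AWS KMS and derives the item's
 * encryption key and signing key from it with HKDF.
 *
 * <p>On encryption, {@link #getEncryptionMaterials} requests a new data key from KMS and stores
 * the KMS-wrapped copy (Base64) in the material description. On decryption,
 * {@link #getDecryptionMaterials} sends that wrapped key back to KMS and re-derives the same two
 * keys.
 *
 * <p>Both KMS calls carry an encryption context built from the algorithm descriptors, the table
 * name and the item's hash/range key values. KMS only unwraps a data key when the context
 * supplied on decrypt matches the one used on wrap, so a wrapped key copied to another item or
 * table, or paired with altered algorithm descriptors, is expected to fail at the KMS call.
 */
public class DirectKmsMaterialProvider implements EncryptionMaterialsProvider {
    static final String USER_AGENT_PREFIX = "DynamodbEncryptionSdkJava/";
    private static final String USER_AGENT = USER_AGENT_PREFIX + Utils.loadVersion();
    private static final String COVERED_ATTR_CTX_KEY = "aws-kms-ec-attr";
    private static final String SIGNING_KEY_ALGORITHM = "amzn-ddb-sig-alg";
    private static final String TABLE_NAME_EC_KEY = "*aws-kms-table*";
    private static final String DEFAULT_ENC_ALG = "AES/256";
    private static final String DEFAULT_SIG_ALG = "HmacSHA256/256";
    private static final String KEY_COVERAGE = "*keys*";
    private static final String KDF_ALG = "HmacSHA256";
    private static final String KDF_SIG_INFO = "Signing";
    private static final String KDF_ENC_INFO = "Encryption";

    // KMS encryption-context keys for the algorithm descriptors. The encrypt and decrypt paths
    // must use exactly the same names, otherwise KMS refuses to unwrap the data key.
    private static final String EC_CONTENT_KEY_ALG = "*amzn-ddb-env-alg*";
    private static final String EC_SIGNING_KEY_ALG = "*amzn-ddb-sig-alg*";

    // Key length assumed when an "ALG/BITS" descriptor carries no "/BITS" part.
    private static final int DEFAULT_KEY_LENGTH_BITS = 256;
    // Size of the data key requested from KMS; it is only used as HKDF input keying material.
    private static final int DATA_KEY_LENGTH_BYTES = 32;

    private final AWSKMS kms;
    private final String encryptionKeyId;
    private final Map<String, String> description;
    private final String dataKeyAlg;
    private final int dataKeyLength;
    private final String dataKeyDesc;
    private final String sigKeyAlg;
    private final int sigKeyLength;
    private final String sigKeyDesc;

    /**
     * Creates a provider without an encryption key id. With the default
     * {@link #selectEncryptionKeyId}, such an instance can decrypt but
     * {@link #getEncryptionMaterials} fails with "Encryption key id is empty.".
     *
     * @param awskms KMS client used for all calls
     */
    public DirectKmsMaterialProvider(AWSKMS awskms) {
        this(awskms, null);
    }

    /**
     * Creates a provider with an explicit material description.
     *
     * @param awskms KMS client used for all calls
     * @param str id of the KMS key used to generate data keys; may be {@code null}
     * @param map material description copied defensively; may be {@code null}. The entries under
     *     {@code WrappedRawMaterials.CONTENT_KEY_ALGORITHM} and {@code "amzn-ddb-sig-alg"}
     *     override the default {@code "AES/256"} and {@code "HmacSHA256/256"} descriptors
     * @throws NumberFormatException if a descriptor's length part is not an integer
     */
    public DirectKmsMaterialProvider(AWSKMS awskms, String str, Map<String, String> map) {
        this.kms = awskms;
        this.encryptionKeyId = str;
        // Copy so later changes to the caller's map cannot alter the descriptors in use.
        this.description = map != null
                ? Collections.unmodifiableMap(new HashMap<String, String>(map))
                : Collections.<String, String>emptyMap();

        this.dataKeyDesc = this.description.containsKey(WrappedRawMaterials.CONTENT_KEY_ALGORITHM)
                ? this.description.get(WrappedRawMaterials.CONTENT_KEY_ALGORITHM)
                : DEFAULT_ENC_ALG;
        String[] dataKeyParts = this.dataKeyDesc.split("/", 2);
        this.dataKeyAlg = dataKeyParts[0];
        this.dataKeyLength = keyLengthBits(dataKeyParts);

        this.sigKeyDesc = this.description.containsKey(SIGNING_KEY_ALGORITHM)
                ? this.description.get(SIGNING_KEY_ALGORITHM)
                : DEFAULT_SIG_ALG;
        String[] sigKeyParts = this.sigKeyDesc.split("/", 2);
        this.sigKeyAlg = sigKeyParts[0];
        this.sigKeyLength = keyLengthBits(sigKeyParts);
    }

    /**
     * Creates a provider with an empty material description (default algorithm descriptors).
     *
     * @param awskms KMS client used for all calls
     * @param str id of the KMS key used to generate data keys; may be {@code null}
     */
    public DirectKmsMaterialProvider(AWSKMS awskms, String str) {
        this(awskms, str, Collections.<String, String>emptyMap());
    }

    /**
     * Unwraps the item's data key through KMS and derives the decryption and verification keys.
     *
     * <p>The algorithm descriptors and the wrapped key are read from the item's material
     * description. The descriptors are also placed in the KMS encryption context, so the KMS
     * call is made before they are parsed.
     *
     * @param encryptionContext context of the item being decrypted
     * @return materials holding the derived encryption key, signing key and material description
     * @throws DynamoDBMappingException if the material description lacks the content key
     *     algorithm, signing key algorithm or envelope key, or if the HKDF algorithm is
     *     unavailable
     * @throws NumberFormatException if a descriptor's length part is not an integer
     */
    @Override
    public DecryptionMaterials getDecryptionMaterials(EncryptionContext encryptionContext) {
        Map<String, String> materialDescription = encryptionContext.getMaterialDescription();
        String contentKeyDesc = materialDescription.get(WrappedRawMaterials.CONTENT_KEY_ALGORITHM);
        String signingKeyDesc = materialDescription.get(SIGNING_KEY_ALGORITHM);
        String envelopeKey = materialDescription.get(WrappedRawMaterials.ENVELOPE_KEY);
        // Fail with a clear error before contacting KMS instead of a NullPointerException later.
        if (contentKeyDesc == null || signingKeyDesc == null || envelopeKey == null) {
            throw new DynamoDBMappingException(
                    "Material description is missing the content key algorithm, signing key algorithm, or envelope key.");
        }

        Map<String, String> kmsContext = new HashMap<>();
        kmsContext.put(EC_CONTENT_KEY_ALG, contentKeyDesc);
        kmsContext.put(EC_SIGNING_KEY_ALG, signingKeyDesc);
        populateKmsEcFromEc(encryptionContext, kmsContext);

        // No key id is set on the request: KMS resolves the key from the ciphertext blob, and
        // the key actually used is only checked afterwards by validateEncryptionKeyId.
        DecryptRequest decryptRequest = appendUserAgent(new DecryptRequest());
        decryptRequest.setCiphertextBlob(ByteBuffer.wrap(Base64.decode(envelopeKey)));
        decryptRequest.setEncryptionContext(kmsContext);
        DecryptResult decrypted = decrypt(decryptRequest, encryptionContext);
        validateEncryptionKeyId(decrypted.getKeyId(), encryptionContext);

        String[] contentKeyParts = contentKeyDesc.split("/", 2);
        String[] signingKeyParts = signingKeyDesc.split("/", 2);
        return deriveMaterials(
                decrypted.getPlaintext(),
                contentKeyParts[0],
                keyLengthBits(contentKeyParts),
                signingKeyParts[0],
                keyLengthBits(signingKeyParts),
                materialDescription);
    }

    /**
     * Requests a new data key from KMS and derives the encryption and signing keys from it.
     *
     * <p>The returned material description contains this provider's description plus the
     * algorithm descriptors, the wrapping algorithm marker {@code "kms"} and the Base64-encoded
     * wrapped data key.
     *
     * @param encryptionContext context of the item being encrypted
     * @return materials holding the derived encryption key, signing key and material description
     * @throws DynamoDBMappingException if no encryption key id is available or the HKDF
     *     algorithm is unavailable
     */
    @Override
    public EncryptionMaterials getEncryptionMaterials(EncryptionContext encryptionContext) {
        Map<String, String> kmsContext = new HashMap<>();
        kmsContext.put(EC_CONTENT_KEY_ALG, this.dataKeyDesc);
        kmsContext.put(EC_SIGNING_KEY_ALG, this.sigKeyDesc);
        populateKmsEcFromEc(encryptionContext, kmsContext);

        String keyId = selectEncryptionKeyId(encryptionContext);
        if (StringUtils.isNullOrEmpty(keyId)) {
            throw new DynamoDBMappingException("Encryption key id is empty.");
        }

        GenerateDataKeyRequest request = appendUserAgent(new GenerateDataKeyRequest());
        request.setKeyId(keyId);
        request.setNumberOfBytes(DATA_KEY_LENGTH_BYTES);
        request.setEncryptionContext(kmsContext);
        GenerateDataKeyResult dataKey = generateDataKey(request, encryptionContext);

        Map<String, String> materialDescription = new HashMap<>(this.description);
        materialDescription.put(COVERED_ATTR_CTX_KEY, KEY_COVERAGE);
        materialDescription.put(WrappedRawMaterials.KEY_WRAPPING_ALGORITHM, "kms");
        materialDescription.put(WrappedRawMaterials.CONTENT_KEY_ALGORITHM, this.dataKeyDesc);
        materialDescription.put(SIGNING_KEY_ALGORITHM, this.sigKeyDesc);
        materialDescription.put(
                WrappedRawMaterials.ENVELOPE_KEY,
                Base64.encodeToString(toArray(dataKey.getCiphertextBlob())));

        return deriveMaterials(
                dataKey.getPlaintext(),
                this.dataKeyAlg,
                this.dataKeyLength,
                this.sigKeyAlg,
                this.sigKeyLength,
                materialDescription);
    }

    /**
     * Returns the key id given at construction time.
     *
     * @return the configured KMS key id, possibly {@code null}
     */
    protected String getEncryptionKeyId() {
        return this.encryptionKeyId;
    }

    /**
     * Chooses the KMS key id used to generate the data key for an item. The default returns
     * {@link #getEncryptionKeyId()} and ignores the context; subclasses may select per item.
     *
     * @param encryptionContext context of the item being encrypted
     * @return the KMS key id to use; a null or empty value makes encryption fail
     * @throws DynamoDBMappingException declared for overriding implementations
     */
    protected String selectEncryptionKeyId(EncryptionContext encryptionContext) throws DynamoDBMappingException {
        return getEncryptionKeyId();
    }

    /**
     * Hook for checking which KMS key unwrapped the data key during decryption.
     *
     * <p>The default implementation accepts every key id. Because the decrypt request carries no
     * key id either, an unmodified provider accepts data keys wrapped under any KMS key the
     * client's credentials may use. Override this method and throw to restrict decryption to
     * expected keys.
     *
     * @param str key id reported by KMS in the decrypt result
     * @param encryptionContext context of the item being decrypted
     * @throws DynamoDBMappingException if an overriding implementation rejects the key
     */
    protected void validateEncryptionKeyId(String str, EncryptionContext encryptionContext) throws DynamoDBMappingException {
    }

    /**
     * Sends the decrypt request to KMS. Overridable, e.g. to adjust the request per item.
     *
     * @param decryptRequest request carrying the wrapped data key and encryption context
     * @param encryptionContext context of the item being decrypted (unused by default)
     * @return the KMS decrypt result
     */
    protected DecryptResult decrypt(DecryptRequest decryptRequest, EncryptionContext encryptionContext) {
        return this.kms.decrypt(decryptRequest);
    }

    /**
     * Sends the generate-data-key request to KMS. Overridable, e.g. to adjust the request.
     *
     * @param generateDataKeyRequest request carrying key id, key size and encryption context
     * @param encryptionContext context of the item being encrypted (unused by default)
     * @return the KMS result holding the plaintext and wrapped data key
     */
    protected GenerateDataKeyResult generateDataKey(GenerateDataKeyRequest generateDataKeyRequest, EncryptionContext encryptionContext) {
        return this.kms.generateDataKey(generateDataKeyRequest);
    }

    /**
     * Adds the item's hash key value, range key value and table name to the KMS encryption
     * context, each only when the corresponding name is present in {@code encryptionContext}.
     *
     * <p>Number and String values are added as-is; Binary values are Base64-encoded. KMS treats
     * the encryption context as non-secret request metadata, so key attribute values placed
     * here should not themselves be confidential.
     *
     * @param encryptionContext context of the item being processed
     * @param map KMS encryption context to add entries to
     * @throws UnsupportedOperationException if a key attribute is not a String, Number or Binary
     * @throws DynamoDBMappingException if a named key attribute has no value in the context
     */
    protected void populateKmsEcFromEc(EncryptionContext encryptionContext, Map<String, String> map) {
        putKeyAttribute(encryptionContext, encryptionContext.getHashKeyName(), "HashKey", map);
        putKeyAttribute(encryptionContext, encryptionContext.getRangeKeyName(), "RangeKey", map);
        String tableName = encryptionContext.getTableName();
        if (tableName != null) {
            map.put(TABLE_NAME_EC_KEY, tableName);
        }
    }

    /** Adds one primary-key attribute to the KMS encryption context; no-op for a null name. */
    private static void putKeyAttribute(
            EncryptionContext encryptionContext, String keyName, String kind, Map<String, String> target) {
        if (keyName == null) {
            return;
        }
        AttributeValue value = encryptionContext.getAttributeValues().get(keyName);
        if (value == null) {
            // Without the value the context could not be reproduced on decrypt; fail explicitly.
            throw new DynamoDBMappingException(
                    "DirectKmsMaterialProvider requires a value for " + kind + " attribute " + keyName);
        }
        if (value.getN() != null) {
            target.put(keyName, value.getN());
        } else if (value.getS() != null) {
            target.put(keyName, value.getS());
        } else if (value.getB() != null) {
            target.put(keyName, Base64.encodeToString(toArray(value.getB())));
        } else {
            throw new UnsupportedOperationException(
                    "DirectKmsMaterialProvider only supports String, Number, and Binary " + kind + "s");
        }
    }

    /** Returns the bit length from a split "ALG/BITS" descriptor, or 256 when none is given. */
    private static int keyLengthBits(String[] descriptorParts) {
        return descriptorParts.length == 2 ? Integer.parseInt(descriptorParts[1]) : DEFAULT_KEY_LENGTH_BITS;
    }

    /**
     * Derives the encryption and signing keys from the plaintext data key with HKDF, using a
     * distinct info string for each so the two keys are independent.
     */
    private static SymmetricRawMaterials deriveMaterials(
            ByteBuffer plaintextDataKey,
            String encAlg,
            int encBits,
            String sigAlg,
            int sigBits,
            Map<String, String> materialDescription) {
        byte[] keyMaterial = toArray(plaintextDataKey);
        try {
            Hkdf hkdf = Hkdf.getInstance(KDF_ALG);
            hkdf.init(keyMaterial);
            SecretKeySpec encryptionKey = new SecretKeySpec(hkdf.deriveKey(KDF_ENC_INFO, encBits / 8), encAlg);
            SecretKeySpec signingKey = new SecretKeySpec(hkdf.deriveKey(KDF_SIG_INFO, sigBits / 8), sigAlg);
            return new SymmetricRawMaterials(encryptionKey, signingKey, materialDescription);
        } catch (NoSuchAlgorithmException e) {
            throw new DynamoDBMappingException(e);
        } finally {
            // Best effort: clear our copy of the plaintext data key once both keys are derived.
            // The buffer inside the KMS result object is not touched here.
            Arrays.fill(keyMaterial, (byte) 0);
        }
    }

    /** Copies the remaining bytes of a buffer without moving the caller's buffer position. */
    private static byte[] toArray(ByteBuffer byteBuffer) {
        ByteBuffer asReadOnlyBuffer = byteBuffer.asReadOnlyBuffer();
        byte[] bArr = new byte[asReadOnlyBuffer.remaining()];
        asReadOnlyBuffer.get(bArr);
        return bArr;
    }

    /** Tags a KMS request with this library's user agent string and returns the same request. */
    private static <X extends AmazonWebServiceRequest> X appendUserAgent(X x) {
        x.getRequestClientOptions().appendUserAgent(USER_AGENT);
        return x;
    }

    /** No-op: this provider keeps no cached materials. */
    @Override
    public void refresh() {
    }
}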
