package com.amazonaws.encryptionsdk.jce;

import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.DataKey;
import com.amazonaws.encryptionsdk.EncryptedDataKey;
import com.amazonaws.encryptionsdk.MasterKey;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.exception.UnsupportedProviderException;
import com.amazonaws.encryptionsdk.internal.EncryptionContextSerializer;
import com.amazonaws.encryptionsdk.internal.VersionInfo;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/amazonaws/encryptionsdk/jce/JceMasterKey.class */
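/**
 * Master key that wraps and unwraps data keys with a JCE {@link Cipher}.
 *
 * <p>Two variants are available through the {@code getInstance} factories: a symmetric
 * AES-GCM wrapper, which authenticates the encryption context as AAD, and an RSA wrapper,
 * which does not bind the encryption context to the wrapped key.
 *
 * <p>The provider information stored with each encrypted data key is the UTF-8 key id
 * followed by variant-specific cipher parameters. On decryption this data comes from the
 * ciphertext being processed and must be treated as untrusted input.
 */
public abstract class JceMasterKey extends MasterKey<JceMasterKey> {
    private static final Logger LOGGER = Logger.getLogger(JceMasterKey.class.getName());
    private static final byte[] EMPTY_ARRAY = new byte[0];
    private final SecureRandom rnd = new SecureRandom();
    private final Key wrappingKey_;
    private final Key unwrappingKey_;
    private final String providerName_;
    private final String keyId_;
    private final byte[] keyIdBytes_;

    /** AES-GCM key wrapping with a fresh random nonce per wrapped key. */
    private static class AesGcm extends JceMasterKey {
        private static final int NONCE_LENGTH = 12;
        private static final int TAG_LENGTH = 128;
        private static final String TRANSFORMATION = "AES/GCM/NoPadding";
        // Serialized parameters: tag length (int), nonce length (int), nonce bytes.
        private static final int SPEC_LENGTH = 4 + 4 + NONCE_LENGTH;
        private final SecureRandom rnd;

        public AesGcm(SecretKey key, String providerName, String keyId) {
            super(key, key, providerName, keyId);
            this.rnd = new SecureRandom();
        }

        /**
         * Serializes the GCM parameters as big-endian tag length, nonce length and nonce.
         *
         * @param spec parameters used for the wrapping operation
         * @return the encoded parameters appended to the key id in the provider information
         */
        private static byte[] specToBytes(GCMParameterSpec spec) {
            byte[] iv = spec.getIV();
            ByteArrayOutputStream buffer = new ByteArrayOutputStream(SPEC_LENGTH);
            try (DataOutputStream out = new DataOutputStream(buffer)) {
                out.writeInt(spec.getTLen());
                out.writeInt(iv.length);
                out.write(iv);
            } catch (IOException e) {
                // Writing to an in-memory buffer cannot fail.
                throw new AssertionError("Impossible exception", e);
            }
            return buffer.toByteArray();
        }

        /**
         * Parses GCM parameters from provider information taken from an encrypted data key.
         *
         * <p>The input is untrusted, so only the exact shape written by {@link #specToBytes}
         * is accepted. Without these checks a crafted length field could request an
         * arbitrarily large (or negative) array allocation, a truncated field would surface
         * as an {@link AssertionError} that bypasses the caller's exception handling, and a
         * shortened tag length would weaken GCM authentication of the wrapped key.
         *
         * @param data provider information (key id followed by the serialized parameters)
         * @param offset index of the first parameter byte
         * @return the parsed parameters
         * @throws GeneralSecurityException if the parameters are malformed or do not match
         *     the fixed tag and nonce lengths used by this class
         */
        private static GCMParameterSpec bytesToSpec(byte[] data, int offset) throws GeneralSecurityException {
            if (offset < 0 || data.length - offset != SPEC_LENGTH) {
                throw new GeneralSecurityException("Algorithm specification was an invalid data size");
            }
            try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(data, offset, SPEC_LENGTH))) {
                int tagLength = in.readInt();
                int nonceLength = in.readInt();
                if (tagLength != TAG_LENGTH) {
                    throw new GeneralSecurityException("Algorithm specification has an unexpected tag length");
                }
                if (nonceLength != NONCE_LENGTH) {
                    throw new GeneralSecurityException("Algorithm specification has an unexpected nonce length");
                }
                byte[] nonce = new byte[NONCE_LENGTH];
                in.readFully(nonce);
                return new GCMParameterSpec(tagLength, nonce);
            } catch (IOException e) {
                throw new GeneralSecurityException("Algorithm specification could not be read", e);
            }
        }

        @Override // com.amazonaws.encryptionsdk.jce.JceMasterKey
        protected WrappingData buildWrappingCipher(Key key, Map<String, String> encryptionContext) throws GeneralSecurityException {
            byte[] nonce = new byte[NONCE_LENGTH];
            this.rnd.nextBytes(nonce);
            GCMParameterSpec spec = new GCMParameterSpec(TAG_LENGTH, nonce);
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, key, spec);
            // The serialized encryption context is authenticated as AAD.
            cipher.updateAAD(EncryptionContextSerializer.serialize(encryptionContext));
            return new WrappingData(cipher, specToBytes(spec));
        }

        @Override // com.amazonaws.encryptionsdk.jce.JceMasterKey
        protected Cipher buildUnwrappingCipher(Key key, byte[] extraInfo, int offset, Map<String, String> encryptionContext) throws GeneralSecurityException {
            GCMParameterSpec spec = bytesToSpec(extraInfo, offset);
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, key, spec);
            cipher.updateAAD(EncryptionContextSerializer.serialize(encryptionContext));
            return cipher;
        }
    }

    /**
     * RSA key wrapping.
     *
     * <p>The encryption context is not used by this variant, so it is not bound to the
     * wrapped key. Transformations outside the supported pattern are passed to the JCE
     * provider unchanged after a logged warning; PKCS1Padding is accepted, but the OAEP
     * transformations are the more robust choice against padding-oracle style attacks.
     */
    private static class Rsa extends JceMasterKey {
        private static final Pattern SUPPORTED_TRANSFORMATIONS = Pattern.compile(
                "RSA/ECB/(?:PKCS1Padding|OAEPWith(SHA-(?:1|224|256|384|512))AndMGF1Padding)",
                Pattern.CASE_INSENSITIVE);
        private final AlgorithmParameterSpec parameterSpec_;
        private final String transformation_;

        private Rsa(PublicKey wrappingKey, PrivateKey unwrappingKey, String providerName, String keyId, String transformation) {
            super(wrappingKey, unwrappingKey, providerName, keyId);
            Matcher matcher = SUPPORTED_TRANSFORMATIONS.matcher(transformation);
            String digest = null;
            if (matcher.matches()) {
                // Group 1 is only set for the OAEP alternatives.
                digest = matcher.group(1);
            } else {
                JceMasterKey.LOGGER.warning(transformation + " is not officially supported by the JceMasterKey");
            }
            if (digest == null) {
                // PKCS1Padding or an unrecognised transformation: use it as given.
                this.transformation_ = transformation;
                this.parameterSpec_ = null;
                return;
            }
            String digestName = digest.toUpperCase();
            MGF1ParameterSpec mgf1Spec;
            switch (digestName) {
                case "SHA-1":
                    mgf1Spec = MGF1ParameterSpec.SHA1;
                    break;
                case "SHA-224":
                    JceMasterKey.LOGGER.warning(transformation + " is not officially supported by the JceMasterKey");
                    mgf1Spec = MGF1ParameterSpec.SHA224;
                    break;
                case "SHA-256":
                    mgf1Spec = MGF1ParameterSpec.SHA256;
                    break;
                case "SHA-384":
                    mgf1Spec = MGF1ParameterSpec.SHA384;
                    break;
                case "SHA-512":
                    mgf1Spec = MGF1ParameterSpec.SHA512;
                    break;
                default:
                    throw new IllegalArgumentException("Unsupported algorithm: " + transformation);
            }
            // Spell out the digest and MGF1 digest explicitly rather than relying on the
            // provider's defaults for the named transformation.
            this.transformation_ = "RSA/ECB/OAEPPadding";
            this.parameterSpec_ = new OAEPParameterSpec(digestName, "MGF1", mgf1Spec, PSource.PSpecified.DEFAULT);
        }

        @Override // com.amazonaws.encryptionsdk.jce.JceMasterKey
        protected WrappingData buildWrappingCipher(Key key, Map<String, String> encryptionContext) throws GeneralSecurityException {
            Cipher cipher = Cipher.getInstance(this.transformation_);
            cipher.init(Cipher.ENCRYPT_MODE, key, this.parameterSpec_);
            return new WrappingData(cipher, JceMasterKey.EMPTY_ARRAY);
        }

        @Override // com.amazonaws.encryptionsdk.jce.JceMasterKey
        protected Cipher buildUnwrappingCipher(Key key, byte[] extraInfo, int offset, Map<String, String> encryptionContext) throws GeneralSecurityException {
            // RSA stores no parameters, so nothing may follow the key id.
            if (extraInfo.length != offset) {
                throw new IllegalArgumentException("Extra info must be empty for RSA keys");
            }
            Cipher cipher = Cipher.getInstance(this.transformation_);
            cipher.init(Cipher.DECRYPT_MODE, key, this.parameterSpec_);
            return cipher;
        }
    }

    /**
     * An initialised wrapping cipher together with the parameter bytes that are stored
     * after the key id in the provider information.
     *
     * <p>NOTE(review): the decompiler reported that it widened this class's access from
     * private; it is kept public here to match the listing.
     */
    public static class WrappingData {
        public final Cipher cipher;
        public final byte[] extraInfo;

        public WrappingData(Cipher cipher, byte[] extraInfo) {
            this.cipher = cipher;
            this.extraInfo = extraInfo != null ? extraInfo : JceMasterKey.EMPTY_ARRAY;
        }
    }

    /**
     * Creates a master key that wraps data keys with a symmetric key.
     *
     * @param key the wrapping and unwrapping key
     * @param provider provider id reported by {@link #getProviderId()}
     * @param keyId key id reported by {@link #getKeyId()}
     * @param wrappingAlgorithm cipher transformation; only AES/GCM/NoPadding is accepted
     * @return the master key
     * @throws IllegalArgumentException if the transformation is not AES/GCM/NoPadding
     */
    public static JceMasterKey getInstance(SecretKey key, String provider, String keyId, String wrappingAlgorithm) {
        // equalsIgnoreCase avoids the default-locale case mapping of toUpperCase(), which
        // turns 'i' into a dotted capital under Turkish locales and would reject the name.
        if (wrappingAlgorithm.equalsIgnoreCase("AES/GCM/NoPadding")) {
            return new AesGcm(key, provider, keyId);
        }
        throw new IllegalArgumentException("Right now only AES/GCM/NoPadding is supported");
    }

    /**
     * Creates a master key that wraps data keys with an asymmetric key pair.
     *
     * @param wrappingKey public key used to wrap data keys
     * @param unwrappingKey private key used to unwrap data keys
     * @param provider provider id reported by {@link #getProviderId()}
     * @param keyId key id reported by {@link #getKeyId()}
     * @param wrappingAlgorithm cipher transformation; must start with RSA/ECB/
     * @return the master key
     * @throws UnsupportedOperationException if the transformation is not an RSA one
     */
    public static JceMasterKey getInstance(PublicKey wrappingKey, PrivateKey unwrappingKey, String provider, String keyId, String wrappingAlgorithm) {
        String prefix = "RSA/ECB/";
        if (wrappingAlgorithm.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return new Rsa(wrappingKey, unwrappingKey, provider, keyId, wrappingAlgorithm);
        }
        throw new UnsupportedOperationException("Currently only RSA asymmetric algorithms are supported");
    }

    protected JceMasterKey(Key wrappingKey, Key unwrappingKey, String providerName, String keyId) {
        this.wrappingKey_ = wrappingKey;
        this.unwrappingKey_ = unwrappingKey;
        this.providerName_ = providerName;
        this.keyId_ = keyId;
        this.keyIdBytes_ = this.keyId_.getBytes(StandardCharsets.UTF_8);
    }

    @Override // com.amazonaws.encryptionsdk.MasterKey
    public String getProviderId() {
        return this.providerName_;
    }

    @Override // com.amazonaws.encryptionsdk.MasterKey
    public String getKeyId() {
        return this.keyId_;
    }

    /**
     * Generates a random data key for the algorithm and wraps it with this master key.
     */
    @Override // com.amazonaws.encryptionsdk.MasterKey
    public DataKey<JceMasterKey> generateDataKey(CryptoAlgorithm algorithm, Map<String, String> encryptionContext) {
        byte[] rawKey = new byte[algorithm.getDataKeyLength()];
        this.rnd.nextBytes(rawKey);
        try {
            // SecretKeySpec copies the bytes, so the local buffer can be wiped afterwards.
            return encryptRawKey(new SecretKeySpec(rawKey, algorithm.getDataKeyAlgo()), rawKey, encryptionContext);
        } finally {
            Arrays.fill(rawKey, (byte) 0);
        }
    }

    /**
     * Re-wraps an existing data key with this master key.
     *
     * @throws IllegalArgumentException if the key is not in RAW format or its algorithm
     *     does not match the data key algorithm of {@code algorithm}
     */
    @Override // com.amazonaws.encryptionsdk.MasterKey
    public DataKey<JceMasterKey> encryptDataKey(CryptoAlgorithm algorithm, Map<String, String> encryptionContext, DataKey<?> dataKey) {
        SecretKey key = dataKey.getKey();
        // getFormat() may return null for keys that do not expose their encoding.
        if (!"RAW".equals(key.getFormat())) {
            throw new IllegalArgumentException("Can only re-encrypt data keys which are in RAW format, not " + key.getFormat());
        }
        if (!key.getAlgorithm().equalsIgnoreCase(algorithm.getDataKeyAlgo())) {
            throw new IllegalArgumentException("Incorrect key algorithm. Expected " + algorithm.getDataKeyAlgo() + " but got " + key.getAlgorithm());
        }
        byte[] encoded = key.getEncoded();
        try {
            return encryptRawKey(key, encoded, encryptionContext);
        } finally {
            // Wipe the exported copy of the key material even if wrapping fails.
            Arrays.fill(encoded, (byte) 0);
        }
    }

    /**
     * Wraps raw key bytes and builds the resulting data key.
     *
     * <p>Callers wipe {@code rawKey} after this method returns, so implementations must
     * not keep a reference to it.
     *
     * @param key the plaintext data key object returned inside the result
     * @param rawKey the key bytes to wrap
     * @param encryptionContext encryption context handed to the wrapping cipher
     * @return data key whose provider information is the key id followed by the cipher's
     *     extra info
     * @throws AwsCryptoException if the wrapping cipher fails
     */
    protected DataKey<JceMasterKey> encryptRawKey(SecretKey key, byte[] rawKey, Map<String, String> encryptionContext) {
        try {
            WrappingData wrapping = buildWrappingCipher(this.wrappingKey_, encryptionContext);
            byte[] wrappedKey = wrapping.cipher.doFinal(rawKey);
            byte[] providerInfo = new byte[this.keyIdBytes_.length + wrapping.extraInfo.length];
            System.arraycopy(this.keyIdBytes_, 0, providerInfo, 0, this.keyIdBytes_.length);
            System.arraycopy(wrapping.extraInfo, 0, providerInfo, this.keyIdBytes_.length, wrapping.extraInfo.length);
            return new DataKey<>(key, wrappedKey, providerInfo, this);
        } catch (GeneralSecurityException e) {
            throw new AwsCryptoException(e);
        }
    }

    /**
     * Tries each encrypted data key that names this provider and key id and returns the
     * first one that unwraps successfully. Failures are collected and reported together
     * if no candidate can be decrypted.
     */
    @Override // com.amazonaws.encryptionsdk.MasterKeyProvider
    public DataKey<JceMasterKey> decryptDataKey(CryptoAlgorithm algorithm, Collection<? extends EncryptedDataKey> encryptedDataKeys, Map<String, String> encryptionContext) throws UnsupportedProviderException, AwsCryptoException {
        ArrayList<Exception> failures = new ArrayList<>();
        for (EncryptedDataKey candidate : encryptedDataKeys) {
            try {
                boolean ours = candidate.getProviderId().equals(getProviderId())
                        && arrayPrefixEquals(candidate.getProviderInformation(), this.keyIdBytes_, this.keyIdBytes_.length);
                if (ours) {
                    DataKey<JceMasterKey> result = actualDecrypt(algorithm, candidate, encryptionContext);
                    if (result != null) {
                        return result;
                    }
                }
            } catch (Exception e) {
                // One malformed or foreign candidate must not stop the others being tried.
                failures.add(e);
            }
        }
        throw buildCannotDecryptDksException(failures);
    }

    /**
     * Unwraps one encrypted data key.
     *
     * @return the data key, or {@code null} if the unwrapped key does not have the length
     *     required by {@code algorithm}
     * @throws GeneralSecurityException if the cipher parameters are invalid or unwrapping
     *     fails
     */
    protected DataKey<JceMasterKey> actualDecrypt(CryptoAlgorithm algorithm, EncryptedDataKey encryptedDataKey, Map<String, String> encryptionContext) throws GeneralSecurityException {
        Cipher cipher = buildUnwrappingCipher(this.unwrappingKey_, encryptedDataKey.getProviderInformation(), this.keyIdBytes_.length, encryptionContext);
        byte[] rawKey = cipher.doFinal(encryptedDataKey.getEncryptedDataKey());
        try {
            if (rawKey.length != algorithm.getDataKeyLength()) {
                return null;
            }
            return new DataKey<>(new SecretKeySpec(rawKey, algorithm.getDataKeyAlgo()), encryptedDataKey.getEncryptedDataKey(), encryptedDataKey.getProviderInformation(), this);
        } finally {
            // SecretKeySpec holds its own copy; wipe the unwrapped buffer.
            Arrays.fill(rawKey, (byte) 0);
        }
    }

    /**
     * Returns whether the first {@code length} bytes of both arrays are equal.
     *
     * <p>The comparison stops at the first difference. In this class it is applied to
     * key id bytes, which are not secret.
     *
     * @return {@code false} if either array is {@code null} or shorter than {@code length}
     */
    protected static boolean arrayPrefixEquals(byte[] a, byte[] b, int length) {
        if (a == null || b == null || a.length < length || b.length < length) {
            return false;
        }
        for (int idx = 0; idx < length; idx++) {
            if (a[idx] != b[idx]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Creates a cipher initialised for wrapping, plus any parameters to store with the
     * wrapped key.
     */
    protected abstract WrappingData buildWrappingCipher(Key key, Map<String, String> map) throws GeneralSecurityException;

    /**
     * Creates a cipher initialised for unwrapping.
     *
     * @param key the unwrapping key
     * @param bArr provider information of the encrypted data key
     * @param i offset in {@code bArr} at which the stored cipher parameters begin
     * @param map encryption context
     */
    protected abstract Cipher buildUnwrappingCipher(Key key, byte[] bArr, int i, Map<String, String> map) throws GeneralSecurityException;
}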
