package software.amazon.encryption.s3.materials;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.core.ApiName;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DataKeySpec;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.S3Request;
import software.amazon.encryption.s3.S3EncryptionClient;
import software.amazon.encryption.s3.S3EncryptionClientException;
import software.amazon.encryption.s3.internal.ApiNameVersion;
import software.amazon.encryption.s3.materials.S3Keyring;

/* loaded from: input_file:software/amazon/encryption/s3/materials/KmsKeyring.class */
/**
 * Keyring that generates, wraps and unwraps S3 object data keys through AWS KMS.
 *
 * <p>Two strategies are registered in {@link #decryptDataKeyStrategies}, keyed by their
 * {@code keyProviderInfo()} string:
 * <ul>
 *   <li>{@code "kms"}: decrypt-only, reports {@code isLegacy() == true}, and performs no
 *       comparison against a caller-supplied encryption context;</li>
 *   <li>{@code "kms+context"}: used for data-key generation, encryption and decryption, and
 *       rejects a decrypt when the caller-supplied encryption context differs from the stored
 *       one.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing looks like decompiler (JADX) output. Names such as
 * {@code build2} and {@code mo10s3Request}, the raw collection types and the explicit casts
 * appear to be decompilation artifacts rather than the authors' source; verify against the
 * published source before relying on exact signatures.
 */
public class KmsKeyring extends S3Keyring {
    // Added to the override configuration of every KMS request built in this class.
    private static final ApiName API_NAME = ApiNameVersion.apiNameWithVersion();
    // Encryption-context key that is stripped from the stored context before the
    // kms+context decrypt path compares it with the caller-supplied context.
    private static final String KEY_ID_CONTEXT_KEY = "kms_cmk_id";
    private final KmsClient _kmsClient;
    // Passed as keyId on every Decrypt, GenerateDataKey and Encrypt request below.
    private final String _wrappingKeyId;
    // Decrypt-only strategy registered under "kms".
    private final DecryptDataKeyStrategy _kmsStrategy;
    // Strategy registered under "kms+context"; also returned for generate and encrypt.
    private final DataKeyStrategy _kmsContextStrategy;
    // keyProviderInfo() string -> strategy used to unwrap a data key stored with that string.
    private final Map<String, DecryptDataKeyStrategy> decryptDataKeyStrategies;

    /**
     * Builder for {@link KmsKeyring}. Both settings are optional at this level: a missing
     * client is replaced in {@code build2()}, a missing wrapping key id is not checked.
     */
    /* loaded from: input_file:software/amazon/encryption/s3/materials/KmsKeyring$Builder.class */
    public static class Builder extends S3Keyring.Builder<KmsKeyring, Builder> {
        private KmsClient _kmsClient;
        private String _wrappingKeyId;

        private Builder() {
        }

        /**
         * Returns this builder, typed as the concrete subclass.
         *
         * @return this builder
         */
        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // software.amazon.encryption.s3.materials.S3Keyring.Builder
        public Builder builder() {
            return this;
        }

        /**
         * Sets the KMS client used for all KMS calls. The reference is stored as given (no
         * copy), which is what the suppressed EI_EXPOSE_REP2 finding is about.
         *
         * @param kmsClient client to use; when left null, {@code build2()} creates one
         * @return this builder
         */
        @SuppressFBWarnings(value = {"EI_EXPOSE_REP2"}, justification = "Pass mutability into wrapping client")
        public Builder kmsClient(KmsClient kmsClient) {
            this._kmsClient = kmsClient;
            return this;
        }

        /**
         * Sets the identifier of the KMS key that wraps data keys.
         *
         * <p>NOTE(review): the value is stored without a null or empty check and is later passed
         * straight to {@code keyId(...)} on every KMS request. For symmetric KMS keys a Decrypt
         * request without a key id lets KMS pick the key from the ciphertext metadata, so an
         * unset value would drop the binding to the intended key. Confirm whether any caller
         * relies on leaving it unset before adding validation here.
         *
         * @param str KMS key identifier
         * @return this builder
         */
        public Builder wrappingKeyId(String str) {
            this._wrappingKeyId = str;
            return this;
        }

        /**
         * Builds the keyring. When no client was supplied, one is created with
         * {@code KmsClient.create()}, i.e. with the SDK's default configuration.
         *
         * @return a new {@link KmsKeyring}
         */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // software.amazon.encryption.s3.materials.S3Keyring.Builder
        /* renamed from: build */
        public KmsKeyring build2() {
            if (this._kmsClient == null) {
                this._kmsClient = KmsClient.create();
            }
            return new KmsKeyring(this);
        }
    }

    /**
     * Creates the keyring from a builder and registers both decrypt strategies.
     *
     * <p>The anonymous strategies are created before {@code _kmsClient} and
     * {@code _wrappingKeyId} are assigned; they read both fields through
     * {@code KmsKeyring.this} only when one of their methods is called.
     *
     * @param builder source of the KMS client and wrapping key id
     */
    public KmsKeyring(Builder builder) {
        super(builder);
        this._kmsStrategy = new DecryptDataKeyStrategy() { // from class: software.amazon.encryption.s3.materials.KmsKeyring.1
            private static final String KEY_PROVIDER_INFO = "kms";

            // Marks this strategy as legacy; how callers gate legacy strategies is decided
            // outside this class.
            @Override // software.amazon.encryption.s3.materials.DecryptDataKeyStrategy
            public boolean isLegacy() {
                return true;
            }

            @Override // software.amazon.encryption.s3.materials.DecryptDataKeyStrategy
            public String keyProviderInfo() {
                return KEY_PROVIDER_INFO;
            }

            /**
             * Unwraps a data key with KMS Decrypt.
             *
             * <p>The encryption context sent to KMS is the one carried by the materials. Unlike
             * the kms+context strategy, this path does not compare it with a context supplied
             * by the caller on the request.
             *
             * @param decryptionMaterials supplies the encryption context for the request
             * @param bArr the wrapped (encrypted) data key
             * @return the plaintext data key bytes returned by KMS
             */
            @Override // software.amazon.encryption.s3.materials.DecryptDataKeyStrategy
            public byte[] decryptDataKey(DecryptionMaterials decryptionMaterials, byte[] bArr) {
                return KmsKeyring.this._kmsClient.decrypt((DecryptRequest) DecryptRequest.builder().keyId(KmsKeyring.this._wrappingKeyId).encryptionContext(decryptionMaterials.encryptionContext()).ciphertextBlob(SdkBytes.fromByteArray(bArr)).overrideConfiguration(builder2 -> {
                    builder2.addApiName(KmsKeyring.API_NAME);
                }).build()).plaintext().asByteArray();
            }
        };
        this._kmsContextStrategy = new DataKeyStrategy() { // from class: software.amazon.encryption.s3.materials.KmsKeyring.2
            private static final String KEY_PROVIDER_INFO = "kms+context";
            // Reserved context key: set by modifyMaterials, rejected when supplied by the
            // caller, and stripped before the context comparison in decryptDataKey.
            private static final String ENCRYPTION_CONTEXT_ALGORITHM_KEY = "aws:x-amz-cek-alg";

            @Override // software.amazon.encryption.s3.materials.DecryptDataKeyStrategy
            public boolean isLegacy() {
                return false;
            }

            @Override // software.amazon.encryption.s3.materials.GenerateDataKeyStrategy, software.amazon.encryption.s3.materials.EncryptDataKeyStrategy, software.amazon.encryption.s3.materials.DecryptDataKeyStrategy
            public String keyProviderInfo() {
                return KEY_PROVIDER_INFO;
            }

            /**
             * Builds the encryption context used for the write path.
             *
             * <p>Starts from the materials' context, merges in the ENCRYPTION_CONTEXT execution
             * attribute of the request override configuration when present, refuses a
             * caller-supplied {@code aws:x-amz-cek-alg} entry, then stores the algorithm
             * suite's cipher name under that key.
             *
             * <p>NOTE(review): nothing in this class compares the stored cipher name with the
             * algorithm actually used when the content is decrypted; that check, if any, lives
             * elsewhere.
             *
             * @param encryptionMaterials materials whose context is extended
             * @return a copy of the materials carrying the merged context
             * @throws S3EncryptionClientException if the merged context already contains the
             *     reserved key
             */
            @Override // software.amazon.encryption.s3.materials.EncryptDataKeyStrategy
            public EncryptionMaterials modifyMaterials(EncryptionMaterials encryptionMaterials) {
                S3Request mo10s3Request = encryptionMaterials.mo10s3Request();
                HashMap hashMap = new HashMap(encryptionMaterials.encryptionContext());
                if (mo10s3Request.overrideConfiguration().isPresent()) {
                    Optional optionalAttribute = ((AwsRequestOverrideConfiguration) mo10s3Request.overrideConfiguration().get()).executionAttributes().getOptionalAttribute(S3EncryptionClient.ENCRYPTION_CONTEXT);
                    // Null check on the method-reference receiver; presumably compiler-generated
                    // and surfaced by the decompiler.
                    Objects.requireNonNull(hashMap);
                    optionalAttribute.ifPresent(hashMap::putAll);
                }
                // Checked after the merge, so the reserved key is refused from either source.
                if (hashMap.containsKey(ENCRYPTION_CONTEXT_ALGORITHM_KEY)) {
                    throw new S3EncryptionClientException("aws:x-amz-cek-alg is a reserved key for the S3 encryption client");
                }
                hashMap.put(ENCRYPTION_CONTEXT_ALGORITHM_KEY, encryptionMaterials.algorithmSuite().cipherName());
                return encryptionMaterials.toBuilder().encryptionContext(hashMap).build();
            }

            /**
             * Requests a new data key from KMS GenerateDataKey and records both forms of it.
             *
             * <p>Only AES data keys of 128 or 256 bits are accepted. The wrapped key is
             * appended to a copy of the materials' encrypted-data-key list, and the plaintext
             * key is set on the returned materials.
             *
             * <p>NOTE(review): the plaintext key is copied into a fresh {@code byte[]} and is
             * not cleared here; its lifetime is up to whoever holds the returned materials.
             *
             * @param encryptionMaterials supplies the algorithm suite and encryption context
             * @return a copy of the materials with the new wrapped and plaintext data key
             * @throws S3EncryptionClientException if the data key algorithm is not AES or the
             *     key length is neither 128 nor 256 bits
             */
            @Override // software.amazon.encryption.s3.materials.GenerateDataKeyStrategy
            public EncryptionMaterials generateDataKey(EncryptionMaterials encryptionMaterials) {
                DataKeySpec dataKeySpec;
                if (!encryptionMaterials.algorithmSuite().dataKeyAlgorithm().equals("AES")) {
                    throw new S3EncryptionClientException(String.format("The data key algorithm %s is not supported by AWS KMS", encryptionMaterials.algorithmSuite().dataKeyAlgorithm()));
                }
                switch (encryptionMaterials.algorithmSuite().dataKeyLengthBits()) {
                    case 128:
                        dataKeySpec = DataKeySpec.AES_128;
                        break;
                    case 256:
                        dataKeySpec = DataKeySpec.AES_256;
                        break;
                    default:
                        throw new S3EncryptionClientException(String.format("The data key length %d is not supported by AWS KMS", Integer.valueOf(encryptionMaterials.algorithmSuite().dataKeyLengthBits())));
                }
                GenerateDataKeyResponse generateDataKey = KmsKeyring.this._kmsClient.generateDataKey((GenerateDataKeyRequest) GenerateDataKeyRequest.builder().keyId(KmsKeyring.this._wrappingKeyId).keySpec(dataKeySpec).encryptionContext(encryptionMaterials.encryptionContext()).overrideConfiguration(builder2 -> {
                    builder2.addApiName(KmsKeyring.API_NAME);
                }).build());
                // The provider-info string stored here ("kms+context") is the same string
                // this strategy is registered under in decryptDataKeyStrategies.
                EncryptedDataKey build = EncryptedDataKey.builder().keyProviderId(S3Keyring.KEY_PROVIDER_ID).keyProviderInfo(keyProviderInfo().getBytes(StandardCharsets.UTF_8)).encryptedDataKey((byte[]) Objects.requireNonNull(generateDataKey.ciphertextBlob().asByteArray())).build();
                ArrayList arrayList = new ArrayList(encryptionMaterials.encryptedDataKeys());
                arrayList.add(build);
                return encryptionMaterials.toBuilder().encryptedDataKeys(arrayList).plaintextDataKey(generateDataKey.plaintext().asByteArray()).build();
            }

            /**
             * Wraps the materials' existing plaintext data key with KMS Encrypt.
             *
             * @param secureRandom not used by this implementation
             * @param encryptionMaterials supplies the plaintext data key and encryption context
             * @return the ciphertext blob returned by KMS
             */
            @Override // software.amazon.encryption.s3.materials.EncryptDataKeyStrategy
            public byte[] encryptDataKey(SecureRandom secureRandom, EncryptionMaterials encryptionMaterials) {
                return KmsKeyring.this._kmsClient.encrypt((EncryptRequest) EncryptRequest.builder().keyId(KmsKeyring.this._wrappingKeyId).encryptionContext(new HashMap(encryptionMaterials.encryptionContext())).plaintext(SdkBytes.fromByteArray(encryptionMaterials.plaintextDataKey())).overrideConfiguration(builder2 -> {
                    builder2.addApiName(KmsKeyring.API_NAME);
                }).build()).ciphertextBlob().asByteArray();
            }

            /**
             * Unwraps a data key with KMS Decrypt after checking the encryption context.
             *
             * <p>The expected context is the ENCRYPTION_CONTEXT execution attribute of the
             * request override configuration, or an empty map when the request carries none.
             * It must equal the materials' context with {@code kms_cmk_id} and
             * {@code aws:x-amz-cek-alg} removed. A request without a caller-supplied context
             * is therefore rejected for any object whose stored context has other entries.
             *
             * @param decryptionMaterials supplies the request and the stored encryption context
             * @param bArr the wrapped (encrypted) data key
             * @return the plaintext data key bytes returned by KMS
             * @throws S3EncryptionClientException if the two contexts differ
             */
            @Override // software.amazon.encryption.s3.materials.DecryptDataKeyStrategy
            public byte[] decryptDataKey(DecryptionMaterials decryptionMaterials, byte[] bArr) {
                HashMap hashMap = new HashMap();
                GetObjectRequest mo10s3Request = decryptionMaterials.mo10s3Request();
                if (mo10s3Request.overrideConfiguration().isPresent()) {
                    Optional optionalAttribute = ((AwsRequestOverrideConfiguration) mo10s3Request.overrideConfiguration().get()).executionAttributes().getOptionalAttribute(S3EncryptionClient.ENCRYPTION_CONTEXT);
                    if (optionalAttribute.isPresent()) {
                        hashMap = new HashMap((Map) optionalAttribute.get());
                    }
                }
                // Compare on a copy so the materials' own context is left untouched.
                HashMap hashMap2 = new HashMap(decryptionMaterials.encryptionContext());
                hashMap2.remove(KmsKeyring.KEY_ID_CONTEXT_KEY);
                hashMap2.remove(ENCRYPTION_CONTEXT_ALGORITHM_KEY);
                if (!hashMap2.equals(hashMap)) {
                    throw new S3EncryptionClientException("Provided encryption context does not match information retrieved from S3");
                }
                // The request sends the full stored context, reserved keys included.
                return KmsKeyring.this._kmsClient.decrypt((DecryptRequest) DecryptRequest.builder().keyId(KmsKeyring.this._wrappingKeyId).encryptionContext(decryptionMaterials.encryptionContext()).ciphertextBlob(SdkBytes.fromByteArray(bArr)).overrideConfiguration(builder2 -> {
                    builder2.addApiName(KmsKeyring.API_NAME);
                }).build()).plaintext().asByteArray();
            }
        };
        this.decryptDataKeyStrategies = new HashMap();
        this._kmsClient = builder._kmsClient;
        this._wrappingKeyId = builder._wrappingKeyId;
        // Register each strategy under the provider-info string it reports.
        this.decryptDataKeyStrategies.put(this._kmsStrategy.keyProviderInfo(), this._kmsStrategy);
        this.decryptDataKeyStrategies.put(this._kmsContextStrategy.keyProviderInfo(), this._kmsContextStrategy);
    }

    /**
     * Creates a new, empty builder.
     *
     * @return a new {@link Builder}
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Returns the strategy used to generate data keys; always the kms+context strategy.
     *
     * @return the kms+context strategy
     */
    @Override // software.amazon.encryption.s3.materials.S3Keyring
    protected GenerateDataKeyStrategy generateDataKeyStrategy() {
        return this._kmsContextStrategy;
    }

    /**
     * Returns the strategy used to wrap data keys; always the kms+context strategy, so the
     * legacy "kms" strategy is never used for writing.
     *
     * @return the kms+context strategy
     */
    @Override // software.amazon.encryption.s3.materials.S3Keyring
    protected EncryptDataKeyStrategy encryptDataKeyStrategy() {
        return this._kmsContextStrategy;
    }

    /**
     * Returns the decrypt strategies keyed by provider-info string.
     *
     * <p>NOTE(review): this is the internal mutable map, returned without a copy or an
     * unmodifiable wrapper; subclasses and same-package code can change the registrations.
     *
     * @return the map of decrypt strategies
     */
    @Override // software.amazon.encryption.s3.materials.S3Keyring
    protected Map<String, DecryptDataKeyStrategy> decryptDataKeyStrategies() {
        return this.decryptDataKeyStrategies;
    }
}
