package io.kroxylicious.filter.encryption.dek;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import io.kroxylicious.kms.service.DestroyableRawSecretKey;
import java.nio.BufferOverflowException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;
import javax.annotation.concurrent.NotThreadSafe;
import javax.annotation.concurrent.ThreadSafe;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;

@ThreadSafe
/* loaded from: input_file:io/kroxylicious/filter/encryption/dek/Dek.class */
public final class Dek<E> {
    private final E edek;
    private final AtomicReference<DestroyableRawSecretKey> atomicKey;
    private final AtomicLong remainingEncryptions;
    final AtomicCryptorUsageCounter outstandingCryptors;
    private final CipherManager cipherManager;

    @NotThreadSafe
    /* loaded from: input_file:io/kroxylicious/filter/encryption/dek/Dek$Decryptor.class */
    public final class Decryptor implements AutoCloseable {
        private final Cipher cipher;
        private SecretKey key;
        private final CipherManager cipherManager;

        private Decryptor(CipherManager cipherManager, SecretKey secretKey) {
            this.cipher = cipherManager.newCipher();
            this.cipherManager = cipherManager;
            this.key = secretKey;
        }

        public void decrypt(@NonNull ByteBuffer byteBuffer, @Nullable ByteBuffer byteBuffer2, @NonNull ByteBuffer byteBuffer3, @NonNull ByteBuffer byteBuffer4) {
            try {
                this.cipher.init(2, this.key, this.cipherManager.readParameters(byteBuffer3));
                if (byteBuffer2 != null) {
                    this.cipher.updateAAD(byteBuffer2);
                }
                this.cipher.doFinal(byteBuffer, byteBuffer4);
            } catch (GeneralSecurityException e) {
                throw new DekException(e);
            }
        }

        @Override // java.lang.AutoCloseable
        public void close() {
            if (this.key != null) {
                this.key = null;
                Dek.this.maybeDestroyKey(Dek.this.outstandingCryptors.releaseDecryptorUsage());
            }
        }
    }

    @NotThreadSafe
    /* loaded from: input_file:io/kroxylicious/filter/encryption/dek/Dek$Encryptor.class */
    public final class Encryptor implements AutoCloseable {
        private final Cipher cipher;
        private SecretKey key;
        private final Supplier<AlgorithmParameterSpec> paramSupplier;
        private final CipherManager cipherManager;
        private int numEncryptions;
        private boolean haveParameters = false;

        private Encryptor(CipherManager cipherManager, SecretKey secretKey, int i) {
            if (i <= 0) {
                throw new IllegalArgumentException();
            }
            this.cipherManager = (CipherManager) Objects.requireNonNull(cipherManager);
            this.key = (SecretKey) Objects.requireNonNull(secretKey);
            this.numEncryptions = i;
            this.cipher = cipherManager.newCipher();
            this.paramSupplier = cipherManager.paramSupplier();
        }

        @NonNull
        public E edek() {
            return (E) Dek.this.edek();
        }

        public ByteBuffer generateParameters(@NonNull EncryptAllocator encryptAllocator) {
            if (this.numEncryptions <= 0) {
                throw new DekUsageException("The Encryptor has no more operations allowed");
            }
            this.numEncryptions--;
            try {
                AlgorithmParameterSpec algorithmParameterSpec = this.paramSupplier.get();
                this.cipher.init(1, this.key, algorithmParameterSpec);
                ByteBuffer buffer = encryptAllocator.buffer(this.cipherManager.size(algorithmParameterSpec));
                this.cipherManager.writeParameters(buffer, algorithmParameterSpec);
                buffer.flip();
                this.haveParameters = true;
                return buffer;
            } catch (BufferOverflowException e) {
                throw new BufferTooSmallException();
            } catch (GeneralSecurityException e2) {
                throw new DekException(e2);
            }
        }

        public ByteBuffer encrypt(@NonNull ByteBuffer byteBuffer, @Nullable ByteBuffer byteBuffer2, @NonNull EncryptAllocator encryptAllocator) {
            if (!this.haveParameters) {
                throw new IllegalStateException("Expecting a prior call to generateParameters()");
            }
            this.haveParameters = false;
            if (byteBuffer2 != null) {
                try {
                    this.cipher.updateAAD(byteBuffer2);
                    byteBuffer2.rewind();
                } catch (ShortBufferException e) {
                    throw new BufferTooSmallException();
                } catch (GeneralSecurityException e2) {
                    throw new DekException(e2);
                }
            }
            ByteBuffer buffer = encryptAllocator.buffer(this.cipher.getOutputSize(byteBuffer.remaining()));
            int position = byteBuffer.position();
            this.cipher.doFinal(byteBuffer, buffer);
            byteBuffer.position(position);
            buffer.flip();
            if (this.numEncryptions == 0) {
                close();
            }
            return buffer;
        }

        @Override // java.lang.AutoCloseable
        public void close() {
            if (this.key != null) {
                this.key = null;
                Dek.this.maybeDestroyKey(Dek.this.outstandingCryptors.releaseEncryptorUsage());
            }
        }

        @NonNull
        public CipherManager cipherManager() {
            return this.cipherManager;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Dek(@NonNull E e, @NonNull DestroyableRawSecretKey destroyableRawSecretKey, @NonNull CipherManager cipherManager, long j) {
        Objects.requireNonNull(e);
        if (((DestroyableRawSecretKey) Objects.requireNonNull(destroyableRawSecretKey)).isDestroyed()) {
            throw new IllegalArgumentException();
        }
        Objects.requireNonNull(cipherManager);
        if (j < 0) {
            throw new IllegalArgumentException();
        }
        this.edek = e;
        this.atomicKey = new AtomicReference<>(destroyableRawSecretKey);
        this.cipherManager = cipherManager;
        this.remainingEncryptions = new AtomicLong(j);
        this.outstandingCryptors = new AtomicCryptorUsageCounter();
        if (j == 0) {
            this.outstandingCryptors.destroyForEncrypt();
        }
    }

    @NonNull
    public Dek<E>.Encryptor encryptor(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException();
        }
        if (this.remainingEncryptions.addAndGet(-i) < 0) {
            throw new ExhaustedDekException("This DEK does not have " + i + " encryptions available");
        }
        if (this.outstandingCryptors.acquireEncryptorUsage()) {
            return new Encryptor(this.cipherManager, this.atomicKey.get(), i);
        }
        throw new DestroyedDekException();
    }

    public Dek<E>.Decryptor decryptor() {
        if (this.outstandingCryptors.acquireDecryptorUsage()) {
            return new Decryptor(this.cipherManager, this.atomicKey.get());
        }
        throw new DestroyedDekException();
    }

    public void destroyForEncrypt() {
        maybeDestroyKey(this.outstandingCryptors.destroyForEncrypt());
    }

    public void destroy() {
        maybeDestroyKey(this.outstandingCryptors.destroyForBoth());
    }

    public void destroyForDecrypt() {
        maybeDestroyKey(this.outstandingCryptors.destroyForDecrypt());
    }

    private void maybeDestroyKey(boolean z) {
        DestroyableRawSecretKey andSet;
        if (!z || (andSet = this.atomicKey.getAndSet(null)) == null) {
            return;
        }
        andSet.destroy();
    }

    public boolean isDestroyed() {
        SecretKey secretKey = this.atomicKey.get();
        return secretKey == null || secretKey.isDestroyed();
    }

    public E edek() {
        return this.edek;
    }
}
