package com.amazonaws.services.s3.internal.crypto.v2;

import com.amazonaws.SdkClientException;
import com.amazonaws.services.s3.Headers;
import com.amazonaws.services.s3.KeyWrapException;
import com.amazonaws.services.s3.internal.crypto.CipherLite;
import com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme;
import com.amazonaws.services.s3.internal.crypto.keywrap.InternalKeyWrapAlgorithm;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapAlgorithmResolver;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapperContext;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapperFactory;
import com.amazonaws.services.s3.model.CryptoConfigurationV2;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsAccessor;
import com.amazonaws.services.s3.model.ExtraMaterialsDescription;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.util.Base64;
import com.amazonaws.util.json.Jackson;
import java.security.Key;
import java.security.Provider;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/amazonaws/services/s3/internal/crypto/v2/ContentCryptoMaterial.class */
final class ContentCryptoMaterial {
    private final InternalKeyWrapAlgorithm keyWrappingAlgorithm;
    private final CipherLite cipherLite;
    private final Map<String, String> kekMaterialsDescription;
    private final byte[] encryptedCEK;

    ContentCryptoMaterial(Map<String, String> map, byte[] bArr, InternalKeyWrapAlgorithm internalKeyWrapAlgorithm, CipherLite cipherLite) {
        this.cipherLite = cipherLite;
        this.keyWrappingAlgorithm = internalKeyWrapAlgorithm;
        this.encryptedCEK = (byte[]) bArr.clone();
        this.kekMaterialsDescription = map;
    }

    InternalKeyWrapAlgorithm getKeyWrappingAlgorithm() {
        return this.keyWrappingAlgorithm;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ContentCryptoScheme getContentCryptoScheme() {
        return this.cipherLite.getContentCryptoScheme();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ObjectMetadata toObjectMetadata(ObjectMetadata objectMetadata) {
        objectMetadata.addUserMetadata(Headers.CRYPTO_KEY_V2, Base64.encodeAsString(getEncryptedCEK()));
        objectMetadata.addUserMetadata(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        objectMetadata.addUserMetadata(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        ContentCryptoScheme contentCryptoScheme = getContentCryptoScheme();
        objectMetadata.addUserMetadata(Headers.CRYPTO_CEK_ALGORITHM, contentCryptoScheme.getCipherAlgorithm());
        int tagLengthInBits = contentCryptoScheme.getTagLengthInBits();
        if (tagLengthInBits > 0) {
            objectMetadata.addUserMetadata(Headers.CRYPTO_TAG_LENGTH, String.valueOf(tagLengthInBits));
        }
        InternalKeyWrapAlgorithm keyWrappingAlgorithm = getKeyWrappingAlgorithm();
        if (keyWrappingAlgorithm != null) {
            objectMetadata.addUserMetadata(Headers.CRYPTO_KEYWRAP_ALGORITHM, keyWrappingAlgorithm.algorithmName());
        }
        return objectMetadata;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String toJsonString() {
        HashMap hashMap = new HashMap();
        hashMap.put(Headers.CRYPTO_KEY_V2, Base64.encodeAsString(getEncryptedCEK()));
        hashMap.put(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        hashMap.put(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        ContentCryptoScheme contentCryptoScheme = getContentCryptoScheme();
        hashMap.put(Headers.CRYPTO_CEK_ALGORITHM, contentCryptoScheme.getCipherAlgorithm());
        int tagLengthInBits = contentCryptoScheme.getTagLengthInBits();
        if (tagLengthInBits > 0) {
            hashMap.put(Headers.CRYPTO_TAG_LENGTH, String.valueOf(tagLengthInBits));
        }
        InternalKeyWrapAlgorithm keyWrappingAlgorithm = getKeyWrappingAlgorithm();
        if (keyWrappingAlgorithm != null) {
            hashMap.put(Headers.CRYPTO_KEYWRAP_ALGORITHM, keyWrappingAlgorithm.algorithmName());
        }
        return Jackson.toJsonString(hashMap);
    }

    private String kekMaterialDescAsJson() {
        Map<String, String> kEKMaterialsDescription = getKEKMaterialsDescription();
        if (kEKMaterialsDescription == null) {
            kEKMaterialsDescription = Collections.emptyMap();
        }
        return Jackson.toJsonString(kEKMaterialsDescription);
    }

    private static Map<String, String> matdescFromJson(String str) {
        Map<String, String> stringMapFromJsonString = Jackson.stringMapFromJsonString(str);
        if (stringMapFromJsonString == null) {
            return null;
        }
        return Collections.unmodifiableMap(stringMapFromJsonString);
    }

    private static SecretKey decryptCEK(KeyWrapperContext keyWrapperContext) {
        Key decryptionKeyFrom = getDecryptionKeyFrom(keyWrapperContext.materials());
        return new SecretKeySpec(KeyWrapperFactory.defaultInstance().createKeyWrapper(keyWrapperContext).unwrapCek(keyWrapperContext.cekSecured(), decryptionKeyFrom), decryptionKeyFrom.getAlgorithm());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial fromObjectMetadata(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, ExtraMaterialsDescription extraMaterialsDescription, boolean z) {
        int parseInt;
        byte[] decode = Base64.decode(map.get(Headers.CRYPTO_KEY_V2));
        if (decode == null) {
            throw new SdkClientException("Content encrypting key not found.");
        }
        byte[] decode2 = Base64.decode(map.get(Headers.CRYPTO_IV));
        if (decode2 == null) {
            throw new SdkClientException("IV not found.");
        }
        String str = map.get(Headers.MATERIALS_DESCRIPTION);
        String str2 = map.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
        Map<String, String> matdescFromJson = matdescFromJson(str);
        InternalKeyWrapAlgorithm fromAlgorithmName = InternalKeyWrapAlgorithm.fromAlgorithmName(str2);
        validateKeyWrapAlgorithmForDecrypt(fromAlgorithmName, z, cryptoConfigurationV2.getCryptoMode());
        Map<String, String> mergeInto = extraMaterialsDescription == null ? matdescFromJson : extraMaterialsDescription.mergeInto(matdescFromJson);
        EncryptionMaterials encryptionMaterials = encryptionMaterialsAccessor.getEncryptionMaterials(mergeInto);
        validateMaterialsForDecrypt(encryptionMaterials);
        ContentCryptoScheme fromCEKAlgo = ContentCryptoScheme.fromCEKAlgo();
        int tagLengthInBits = fromCEKAlgo.getTagLengthInBits();
        if (tagLengthInBits <= 0 || tagLengthInBits == (parseInt = Integer.parseInt(map.get(Headers.CRYPTO_TAG_LENGTH)))) {
            return new ContentCryptoMaterial(mergeInto, decode, fromAlgorithmName, fromCEKAlgo.createCipherLite(decryptCEK(KeyWrapperContext.builder().cekSecured(decode).internalKeyWrapAlgorithm(fromAlgorithmName).materials(encryptionMaterials).cryptoProvider(cryptoConfigurationV2.getCryptoProvider()).secureRandom(cryptoConfigurationV2.getSecureRandom()).contentCryptoScheme(fromCEKAlgo).build()), decode2, 2, cryptoConfigurationV2.getCryptoProvider(), cryptoConfigurationV2.getAlwaysUseCryptoProvider()));
        }
        throw new SdkClientException("Unsupported tag length: " + parseInt + ", expected: " + tagLengthInBits);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial fromInstructionFile(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, ExtraMaterialsDescription extraMaterialsDescription, boolean z) {
        int parseInt;
        byte[] decode = Base64.decode(map.get(Headers.CRYPTO_KEY_V2));
        if (decode == null) {
            throw new SdkClientException("Content encrypting key not found.");
        }
        byte[] decode2 = Base64.decode(map.get(Headers.CRYPTO_IV));
        if (decode2 == null) {
            throw new SdkClientException("Necessary encryption info iv not found in the instruction file " + map);
        }
        InternalKeyWrapAlgorithm fromAlgorithmName = InternalKeyWrapAlgorithm.fromAlgorithmName(map.get(Headers.CRYPTO_KEYWRAP_ALGORITHM));
        validateKeyWrapAlgorithmForDecrypt(fromAlgorithmName, z, cryptoConfigurationV2.getCryptoMode());
        Map<String, String> matdescFromJson = matdescFromJson(map.get(Headers.MATERIALS_DESCRIPTION));
        Map<String, String> mergeInto = extraMaterialsDescription == null ? matdescFromJson : extraMaterialsDescription.mergeInto(matdescFromJson);
        EncryptionMaterials encryptionMaterials = encryptionMaterialsAccessor.getEncryptionMaterials(mergeInto);
        validateMaterialsForDecrypt(encryptionMaterials);
        ContentCryptoScheme fromCEKAlgo = ContentCryptoScheme.fromCEKAlgo();
        int tagLengthInBits = fromCEKAlgo.getTagLengthInBits();
        if (tagLengthInBits <= 0 || tagLengthInBits == (parseInt = Integer.parseInt(map.get(Headers.CRYPTO_TAG_LENGTH)))) {
            return new ContentCryptoMaterial(mergeInto, decode, fromAlgorithmName, fromCEKAlgo.createCipherLite(decryptCEK(KeyWrapperContext.builder().cekSecured(decode).internalKeyWrapAlgorithm(fromAlgorithmName).materials(encryptionMaterials).cryptoProvider(cryptoConfigurationV2.getCryptoProvider()).secureRandom(cryptoConfigurationV2.getSecureRandom()).contentCryptoScheme(fromCEKAlgo).build()), decode2, 2, cryptoConfigurationV2.getCryptoProvider(), cryptoConfigurationV2.getAlwaysUseCryptoProvider()));
        }
        throw new SdkClientException("Unsupported tag length: " + parseInt + ", expected: " + tagLengthInBits);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CipherLite getCipherLite() {
        return this.cipherLite;
    }

    Map<String, String> getKEKMaterialsDescription() {
        return this.kekMaterialsDescription;
    }

    byte[] getEncryptedCEK() {
        return (byte[]) this.encryptedCEK.clone();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial create(SecretKey secretKey, byte[] bArr, EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, CryptoConfigurationV2 cryptoConfigurationV2) {
        return wrap(secretKey, bArr, contentCryptoScheme, cryptoConfigurationV2.getCryptoProvider(), cryptoConfigurationV2.getAlwaysUseCryptoProvider(), encryptCEK(secretKey, createEncryptionKeyWrapperContext(encryptionMaterials, contentCryptoScheme, cryptoConfigurationV2)));
    }

    private static KeyWrapperContext createEncryptionKeyWrapperContext(EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, CryptoConfigurationV2 cryptoConfigurationV2) {
        return KeyWrapperContext.builder().cryptoProvider(cryptoConfigurationV2.getCryptoProvider()).secureRandom(cryptoConfigurationV2.getSecureRandom()).materials(encryptionMaterials).internalKeyWrapAlgorithm(InternalKeyWrapAlgorithm.fromExternal(KeyWrapAlgorithmResolver.getDefaultKeyWrapAlgorithm(encryptionMaterials))).contentCryptoScheme(contentCryptoScheme).build();
    }

    static ContentCryptoMaterial wrap(SecretKey secretKey, byte[] bArr, ContentCryptoScheme contentCryptoScheme, Provider provider, boolean z, SecuredCEK securedCEK) {
        return new ContentCryptoMaterial(securedCEK.getMaterialDescription(), securedCEK.getEncrypted(), securedCEK.getKeyWrapAlgorithm(), contentCryptoScheme.createCipherLite(secretKey, bArr, 1, provider, z));
    }

    private static SecuredCEK encryptCEK(SecretKey secretKey, KeyWrapperContext keyWrapperContext) {
        EncryptionMaterials materials = keyWrapperContext.materials();
        validateKeyWrapAlgorithmForEncrypt(materials, keyWrapperContext.internalKeyWrapAlgorithm());
        Key encryptionKeyFrom = getEncryptionKeyFrom(materials);
        return new SecuredCEK(KeyWrapperFactory.defaultInstance().createKeyWrapper(keyWrapperContext).wrapCek(secretKey.getEncoded(), encryptionKeyFrom), keyWrapperContext.internalKeyWrapAlgorithm(), materials.getMaterialsDescription());
    }

    private static Key getEncryptionKeyFrom(EncryptionMaterials encryptionMaterials) {
        return encryptionMaterials.getKeyPair() != null ? encryptionMaterials.getKeyPair().getPublic() : encryptionMaterials.getSymmetricKey();
    }

    private static Key getDecryptionKeyFrom(EncryptionMaterials encryptionMaterials) {
        return encryptionMaterials.getKeyPair() != null ? encryptionMaterials.getKeyPair().getPrivate() : encryptionMaterials.getSymmetricKey();
    }

    private static void validateKeyWrapAlgorithmForEncrypt(EncryptionMaterials encryptionMaterials, InternalKeyWrapAlgorithm internalKeyWrapAlgorithm) {
        if (encryptionMaterials.getKeyPair() != null && !internalKeyWrapAlgorithm.isAsymmetric()) {
            throw new IllegalStateException(String.format("Encryption materials with asymmetric keys are not consistent with selected key wrap algorithm %s.", internalKeyWrapAlgorithm));
        }
        if (encryptionMaterials.getSymmetricKey() != null && !internalKeyWrapAlgorithm.isSymmetric()) {
            throw new IllegalStateException(String.format("Encryption materials with a symmetric key are not consistent with selected key wrap algorithm %s.", internalKeyWrapAlgorithm));
        }
    }

    private static void validateKeyWrapAlgorithmForDecrypt(InternalKeyWrapAlgorithm internalKeyWrapAlgorithm, boolean z, CryptoMode cryptoMode) {
        if (CryptoMode.StrictAuthenticatedEncryption.equals(cryptoMode)) {
            if (internalKeyWrapAlgorithm == null) {
                throw new KeyWrapException("No key wrap algorithm detected. Use crypto mode " + CryptoMode.AuthenticatedEncryption + " to decrypt object.");
            }
        } else if (z && internalKeyWrapAlgorithm == null) {
            throw new KeyWrapException("Key wrap expected, but no key wrap algorithm was found.");
        }
    }

    private static void validateMaterialsForDecrypt(EncryptionMaterials encryptionMaterials) {
        if (encryptionMaterials == null) {
            throw new SdkClientException("Unable to retrieve the client encryption materials");
        }
    }
}
