package com.amazonaws.services.s3.internal.crypto;

import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonWebServiceRequest;
import com.amazonaws.services.kms.AWSKMSClient;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.s3.Headers;
import com.amazonaws.services.s3.KeyWrapException;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.ExtraMaterialsDescription;
import com.amazonaws.services.s3.model.KMSEncryptionMaterials;
import com.amazonaws.services.s3.model.MaterialsDescriptionProvider;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.util.Base64;
import com.amazonaws.util.BinaryUtils;
import com.amazonaws.util.json.JsonUtils;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import qd.C2928c;

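/**
 * Envelope material for one client-side-encrypted S3 object: the wrapped content-encrypting key
 * (CEK), the name of the key-wrap algorithm, the materials description of the key-encrypting key
 * (KEK), and the content cipher.
 *
 * <p>Member names such as {@code f16497a} or {@code a(...)} were assigned by the decompiler; the
 * roles documented here are read off how each member is used in this class.
 *
 * <p>Security note: {@link #c} and {@link #d} read every envelope field from an instruction file
 * or from object user metadata. Those values select the key-wrap transformation, the content
 * scheme and the KMS encryption context. NOTE(review): they are presumably stored next to the
 * ciphertext, so treat them as untrusted input; nothing in this class authenticates them.
 */
@Deprecated
/* loaded from: classes.dex */
final class ContentCryptoMaterial {

    /** Key-wrap algorithm name, or {@code null}; {@link #h(CryptoMode)} emits it as {@code Headers.CRYPTO_KEYWRAP_ALGORITHM}. */
    public final String f16497a;

    /** Content cipher; {@code b()} yields the IV that {@link #h(CryptoMode)} emits, {@code f16494b} the content scheme. */
    public final CipherLite f16498b;

    /** Materials description of the KEK; may be {@code null} ({@link #e()} then serializes an empty map). */
    public final Map<String, String> f16499c;

    /** Wrapped (still encrypted) CEK; a private copy taken in the constructor. */
    public final byte[] f16500d;

    /**
     * @param map        KEK materials description, stored as given (not copied); may be {@code null}
     * @param bArr       wrapped CEK; cloned so later changes by the caller are not seen here
     * @param str        key-wrap algorithm name, or {@code null}
     * @param cipherLite content cipher
     */
    public ContentCryptoMaterial(Map<String, String> map, byte[] bArr, String str, CipherLite cipherLite) {
        this.f16498b = cipherLite;
        this.f16497a = str;
        this.f16500d = bArr.clone();
        this.f16499c = map;
    }

    /**
     * Recovers the plaintext CEK from its wrapped form.
     *
     * <p>Three paths, chosen by {@code str}: a KMS {@code Decrypt} call when
     * {@code KMSSecuredCEK.isKMSKeyWrapped(str)} holds; a JCE unwrap with transformation
     * {@code str} when it is non-null; otherwise a plain decrypt whose transformation is the
     * KEK's own algorithm name.
     *
     * @param bArr                wrapped CEK bytes
     * @param str                 key-wrap algorithm name, or {@code null}
     * @param encryptionMaterials source of the KEK, or of the KMS encryption context
     * @param provider            JCE provider, or {@code null} for the default lookup
     * @param contentCryptoScheme content scheme
     * @param aWSKMSClient        KMS client; used only on the KMS path
     * @return the CEK
     * @throws AmazonClientException if the materials or the KEK are missing, or the unwrap fails
     */
    public static SecretKey a(byte[] bArr, String str, EncryptionMaterials encryptionMaterials, Provider provider, ContentCryptoScheme contentCryptoScheme, AWSKMSClient aWSKMSClient) {
        // f(...) passes whatever the materials provider returned, which may be null; report
        // that as a client exception rather than a bare NullPointerException.
        if (encryptionMaterials == null) {
            throw new AmazonClientException("Unable to retrieve the client encryption materials");
        }
        if (KMSSecuredCEK.isKMSKeyWrapped(str)) {
            // The materials description is sent as the KMS encryption context.
            DecryptRequest request = new DecryptRequest()
                    .withEncryptionContext(encryptionMaterials.getMaterialsDescription())
                    .withCiphertextBlob(ByteBuffer.wrap(bArr));
            byte[] plaintextCek = BinaryUtils.copyAllBytesFrom(aWSKMSClient.decrypt(request).getPlaintext());
            // Result unused in this decompiled form; the call is kept so any side effect survives.
            // NOTE(review): looks like the remains of a key-algorithm lookup that was folded into
            // the "AES" literal below; confirm against the bytecode.
            contentCryptoScheme.h();
            return new SecretKeySpec(plaintextCek, "AES");
        }
        // A key pair takes precedence over a symmetric key; unwrapping needs the private half.
        Key kek = encryptionMaterials.getKeyPair() != null
                ? encryptionMaterials.getKeyPair().getPrivate()
                : encryptionMaterials.getSymmetricKey();
        if (kek == null) {
            throw new AmazonClientException("Key encrypting key not available");
        }
        try {
            if (str != null) {
                // When called from c(...)/d(...), str is the stored key-wrap header value and
                // reaches Cipher.getInstance unchanged.
                // NOTE(review): consider checking it against the transformations this client
                // itself writes before use.
                Cipher unwrapper = provider == null ? Cipher.getInstance(str) : Cipher.getInstance(str, provider);
                unwrapper.init(Cipher.UNWRAP_MODE, kek);
                return (SecretKey) unwrapper.unwrap(bArr, str, Cipher.SECRET_KEY);
            }
            // No key-wrap algorithm recorded: decrypt with the KEK's bare algorithm name, which
            // leaves mode and padding to the provider's defaults. c(...)/d(...) reject such
            // envelopes when their z7 flag is set.
            String kekAlgorithm = kek.getAlgorithm();
            Cipher decryptor = provider != null ? Cipher.getInstance(kekAlgorithm, provider) : Cipher.getInstance(kekAlgorithm);
            decryptor.init(Cipher.DECRYPT_MODE, kek);
            return new SecretKeySpec(decryptor.doFinal(bArr), "AES");
        } catch (Exception e10) {
            throw new AmazonClientException("Unable to decrypt symmetric key from object metadata", e10);
        }
    }

    /**
     * Wraps {@code secretKey} under the KEK described by {@code encryptionMaterials} and returns
     * the envelope material built from it.
     *
     * <p>With KMS-enabled materials the CEK is sent to KMS {@code Encrypt}; the encryption
     * context is the materials description, overlaid with the request's own description when the
     * request implements {@link MaterialsDescriptionProvider}. Otherwise the CEK is wrapped
     * locally with the algorithm chosen by the key-wrap scheme, or encrypted with the KEK's bare
     * algorithm name when that scheme returns {@code null}.
     *
     * <p>NOTE(review): the decompiler reported a type-inference problem for this method; verify
     * it against the bytecode before relying on details.
     *
     * @param secretKey               plaintext CEK
     * @param bArr                    passed on to {@link #wrap} unchanged; the callers in this
     *                                class supply the content cipher's IV
     * @param encryptionMaterials     materials holding the KEK or the KMS key id
     * @param contentCryptoScheme     content scheme
     * @param s3CryptoScheme          supplies the key-wrap scheme
     * @param provider                JCE provider, or {@code null} for the default lookup
     * @param aWSKMSClient            KMS client; used only for KMS-enabled materials
     * @param amazonWebServiceRequest originating request
     * @return envelope material holding the newly wrapped CEK
     * @throws AmazonClientException if local wrapping fails
     */
    public static ContentCryptoMaterial b(SecretKey secretKey, byte[] bArr, EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, S3CryptoScheme s3CryptoScheme, Provider provider, AWSKMSClient aWSKMSClient, AmazonWebServiceRequest amazonWebServiceRequest) {
        S3KeyWrapScheme keyWrapScheme = s3CryptoScheme.f16521a;
        SecureRandom secureRandom = S3CryptoScheme.f16520c;
        SecuredCEK securedCek;
        if (encryptionMaterials.isKMSEnabled()) {
            Map<String, String> encryptionContext = encryptionMaterials.getMaterialsDescription();
            if (amazonWebServiceRequest instanceof MaterialsDescriptionProvider) {
                Map<String, String> requestDescription = ((MaterialsDescriptionProvider) amazonWebServiceRequest).getMaterialsDescription();
                if (requestDescription != null) {
                    // Entries supplied with the request override the materials' own entries.
                    TreeMap<String, String> merged = new TreeMap<String, String>(encryptionContext);
                    merged.putAll(requestDescription);
                    encryptionContext = merged;
                }
            }
            EncryptRequest encryptRequest = new EncryptRequest()
                    .withEncryptionContext(encryptionContext)
                    .withKeyId(encryptionMaterials.getCustomerMasterKeyId())
                    .withPlaintext(ByteBuffer.wrap(secretKey.getEncoded()));
            encryptRequest.withGeneralProgressListener(amazonWebServiceRequest.getGeneralProgressListener())
                    .withRequestMetricCollector(amazonWebServiceRequest.getRequestMetricCollector());
            securedCek = new KMSSecuredCEK(BinaryUtils.copyAllBytesFrom(aWSKMSClient.encrypt(encryptRequest).getCiphertextBlob()), encryptionContext);
        } else {
            Map<String, String> description = encryptionMaterials.getMaterialsDescription();
            // Wrapping uses the public half of a key pair, or else the symmetric key.
            Key kek = encryptionMaterials.getKeyPair() != null
                    ? encryptionMaterials.getKeyPair().getPublic()
                    : encryptionMaterials.getSymmetricKey();
            String keyWrapAlgorithm = keyWrapScheme.a(kek, provider);
            try {
                if (keyWrapAlgorithm != null) {
                    Cipher wrapper = provider == null ? Cipher.getInstance(keyWrapAlgorithm) : Cipher.getInstance(keyWrapAlgorithm, provider);
                    wrapper.init(Cipher.WRAP_MODE, kek, secureRandom);
                    securedCek = new SecuredCEK(wrapper.wrap(secretKey), keyWrapAlgorithm, description);
                } else {
                    // No key-wrap algorithm: plain encryption under the KEK's bare algorithm
                    // name, so mode and padding are the provider's defaults.
                    byte[] encodedCek = secretKey.getEncoded();
                    String kekAlgorithm = kek.getAlgorithm();
                    Cipher encryptor = provider != null ? Cipher.getInstance(kekAlgorithm, provider) : Cipher.getInstance(kekAlgorithm);
                    encryptor.init(Cipher.ENCRYPT_MODE, kek);
                    securedCek = new SecuredCEK(encryptor.doFinal(encodedCek), null, description);
                }
            } catch (Exception e10) {
                throw new AmazonClientException("Unable to encrypt symmetric key", e10);
            }
        }
        return wrap(secretKey, bArr, contentCryptoScheme, provider, securedCek);
    }

    /**
     * Builds the material from an instruction-file map (header name to value).
     *
     * @param map                         instruction-file entries; values are read as strings
     * @param encryptionMaterialsProvider looks up the KEK for non-KMS envelopes; may be {@code null}
     * @param provider                    JCE provider, or {@code null} for the default lookup
     * @param jArr                        when non-null, {@code jArr[0]} is used to adjust the IV
     *                                    (presumably the start of a requested byte range)
     * @param extraMaterialsDescription   merged into the stored description for non-KMS envelopes; may be {@code null}
     * @param z7                          when {@code true}, an envelope without a key-wrap algorithm is rejected
     * @param aWSKMSClient                KMS client; used only for KMS-wrapped keys
     * @return the reconstructed material
     * @throws AmazonClientException if required entries are missing or malformed
     * @throws KeyWrapException      if {@code z7} is set and no key-wrap algorithm is recorded
     */
    public static ContentCryptoMaterial c(Map map, EncryptionMaterialsProvider encryptionMaterialsProvider, Provider provider, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z7, AWSKMSClient aWSKMSClient) {
        @SuppressWarnings("unchecked") // the callee reads values as String, as the casts here used to
        Map<String, String> envelope = map;
        return fromEnvelope(envelope, true, encryptionMaterialsProvider, provider, jArr, extraMaterialsDescription, z7, aWSKMSClient);
    }

    /**
     * Builds the material from the user metadata of {@code objectMetadata}; otherwise identical to
     * {@link #c}.
     *
     * @param objectMetadata              object metadata whose user metadata carries the envelope
     * @param encryptionMaterialsProvider looks up the KEK for non-KMS envelopes; may be {@code null}
     * @param provider                    JCE provider, or {@code null} for the default lookup
     * @param jArr                        when non-null, {@code jArr[0]} is used to adjust the IV
     * @param extraMaterialsDescription   merged into the stored description for non-KMS envelopes; may be {@code null}
     * @param z7                          when {@code true}, an envelope without a key-wrap algorithm is rejected
     * @param aWSKMSClient                KMS client; used only for KMS-wrapped keys
     * @return the reconstructed material
     * @throws AmazonClientException if required entries are missing or malformed
     * @throws KeyWrapException      if {@code z7} is set and no key-wrap algorithm is recorded
     */
    public static ContentCryptoMaterial d(ObjectMetadata objectMetadata, EncryptionMaterialsProvider encryptionMaterialsProvider, Provider provider, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z7, AWSKMSClient aWSKMSClient) {
        return fromEnvelope(objectMetadata.getUserMetadata(), false, encryptionMaterialsProvider, provider, jArr, extraMaterialsDescription, z7, aWSKMSClient);
    }

    /**
     * Shared envelope parser behind {@link #c} and {@link #d}; {@code fromInstructionFile} only
     * selects which of the two original error texts is used.
     */
    private static ContentCryptoMaterial fromEnvelope(Map<String, String> envelope, boolean fromInstructionFile, EncryptionMaterialsProvider encryptionMaterialsProvider, Provider provider, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z7, AWSKMSClient aWSKMSClient) {
        // Prefer the v2 key header and fall back to the older one.
        String encodedCek = envelope.get(Headers.CRYPTO_KEY_V2);
        if (encodedCek == null) {
            encodedCek = envelope.get(Headers.CRYPTO_KEY);
        }
        if (encodedCek == null) {
            throw new AmazonClientException("Content encrypting key not found.");
        }
        byte[] wrappedCek = Base64.decode(encodedCek);
        byte[] iv = Base64.decode(envelope.get(Headers.CRYPTO_IV));
        if (wrappedCek == null || iv == null) {
            // The instruction-file text embeds the whole map, wrapped key and IV included.
            throw new AmazonClientException(fromInstructionFile
                    ? "Necessary encryption info not found in the instruction file " + envelope
                    : "Content encrypting key or IV not found.");
        }
        String keyWrapAlgorithm = envelope.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
        boolean kmsWrapped = KMSSecuredCEK.isKMSKeyWrapped(keyWrapAlgorithm);
        Map<String, String> parsedDescription = JsonUtils.jsonToMap(envelope.get(Headers.MATERIALS_DESCRIPTION));
        Map<String, String> storedDescription = parsedDescription == null ? null : Collections.unmodifiableMap(parsedDescription);
        // Caller-supplied extra description entries are only merged for non-KMS envelopes.
        Map<String, String> effectiveDescription = (kmsWrapped || extraMaterialsDescription == null)
                ? storedDescription
                : extraMaterialsDescription.mergeInto(storedDescription);

        EncryptionMaterials kekMaterials;
        if (kmsWrapped) {
            // A KMS envelope with no description used to fail with a NullPointerException here.
            if (storedDescription == null) {
                throw new AmazonClientException("Materials description not found for the KMS-wrapped content encrypting key.");
            }
            // Key id and encryption context both come from the stored description.
            KMSEncryptionMaterials kmsMaterials = new KMSEncryptionMaterials(storedDescription.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
            kmsMaterials.addDescriptions(storedDescription);
            kekMaterials = kmsMaterials;
        } else {
            kekMaterials = encryptionMaterialsProvider != null ? encryptionMaterialsProvider.getEncryptionMaterials(effectiveDescription) : null;
            if (kekMaterials == null) {
                throw new AmazonClientException(fromInstructionFile
                        ? "Unable to retrieve the encryption materials that originally encrypted object corresponding to instruction file " + envelope
                        : "Unable to retrieve the client encryption materials");
            }
        }

        boolean ranged = jArr != null;
        ContentCryptoScheme scheme = ContentCryptoScheme.d(envelope.get(Headers.CRYPTO_CEK_ALGORITHM), ranged);
        if (ranged) {
            iv = scheme.a(iv, jArr[0]);
        } else {
            int expectedTagLength = scheme.k();
            if (expectedTagLength > 0) {
                int storedTagLength = parseTagLength(envelope.get(Headers.CRYPTO_TAG_LENGTH));
                if (storedTagLength != expectedTagLength) {
                    // C2928c.e is an obfuscated helper; presumably it concatenates its arguments.
                    throw new AmazonClientException(C2928c.e("Unsupported tag length: ", storedTagLength, ", expected: ", expectedTagLength));
                }
            }
        }
        // Refuse envelopes that record no key-wrap algorithm when the caller demands one; this
        // runs before any key is unwrapped.
        if (z7 && keyWrapAlgorithm == null) {
            throw new KeyWrapException("Missing key-wrap for the content-encrypting-key");
        }
        SecretKey cek = a(wrappedCek, keyWrapAlgorithm, kekMaterials, provider, scheme, aWSKMSClient);
        // Second argument is 2 here and 1 in wrap(...); presumably the decrypt and encrypt cipher modes.
        return new ContentCryptoMaterial(effectiveDescription, wrappedCek, keyWrapAlgorithm, scheme.c(cek, 2, provider, iv));
    }

    /**
     * Parses the stored tag length, reporting a missing or non-numeric value as an
     * {@link AmazonClientException} instead of letting {@link NumberFormatException} escape.
     */
    private static int parseTagLength(String raw) {
        try {
            return Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            throw new AmazonClientException("Invalid tag length: " + raw, e);
        }
    }

    /**
     * Assembles the material for an already wrapped CEK, creating the content cipher from the
     * plaintext key and {@code bArr}.
     *
     * @param secretKey           plaintext CEK
     * @param bArr                handed to the content scheme when it creates the cipher; the
     *                            callers in this class pass the IV
     * @param contentCryptoScheme content scheme that creates the cipher
     * @param provider            JCE provider, or {@code null}
     * @param securedCEK          wrapped CEK with its key-wrap algorithm and materials description
     * @return the assembled material
     */
    public static ContentCryptoMaterial wrap(SecretKey secretKey, byte[] bArr, ContentCryptoScheme contentCryptoScheme, Provider provider, SecuredCEK securedCEK) {
        return new ContentCryptoMaterial(securedCEK.f16529c, securedCEK.f16527a, securedCEK.f16528b, contentCryptoScheme.c(secretKey, 1, provider, bArr));
    }

    /**
     * Serializes the KEK materials description with {@code JsonUtils.mapToString}; a
     * {@code null} description is serialized as an empty map.
     */
    public final String e() {
        Map<String, String> description = this.f16499c;
        if (description == null) {
            description = Collections.emptyMap();
        }
        return JsonUtils.mapToString(description);
    }

    /**
     * Re-wraps the CEK under {@code encryptionMaterials}, leaving the content cipher's scheme and
     * IV as they are.
     *
     * @param encryptionMaterials         the new KEK
     * @param encryptionMaterialsProvider resolves the current KEK for non-KMS envelopes
     * @param s3CryptoScheme              supplies the key-wrap scheme
     * @param provider                    JCE provider, or {@code null}
     * @param aWSKMSClient                KMS client
     * @param amazonWebServiceRequest     originating request
     * @return material holding the CEK wrapped under the new KEK
     * @throws SecurityException     if the new materials description equals the current one
     *                               (non-KMS only), or the re-wrapped CEK equals the current one
     * @throws AmazonClientException if the current KEK cannot be resolved or used
     */
    public final ContentCryptoMaterial f(EncryptionMaterials encryptionMaterials, EncryptionMaterialsProvider encryptionMaterialsProvider, S3CryptoScheme s3CryptoScheme, Provider provider, AWSKMSClient aWSKMSClient, AmazonWebServiceRequest amazonWebServiceRequest) {
        if (!i() && encryptionMaterials.getMaterialsDescription().equals(this.f16499c)) {
            throw new SecurityException("Material description of the new KEK must differ from the current one");
        }
        EncryptionMaterials currentKek = currentKekMaterials(encryptionMaterialsProvider);
        return rewrap(currentKek, encryptionMaterials, s3CryptoScheme, provider, aWSKMSClient, amazonWebServiceRequest);
    }

    /**
     * Re-wraps the CEK under the KEK that {@code encryptionMaterialsProvider} returns for the
     * description {@code map}.
     *
     * @param map                         materials description of the new KEK
     * @param encryptionMaterialsProvider resolves the new KEK and, for non-KMS envelopes, the current one
     * @param s3CryptoScheme              supplies the key-wrap scheme
     * @param provider                    JCE provider, or {@code null}
     * @param aWSKMSClient                KMS client
     * @param amazonWebServiceRequest     originating request
     * @return material holding the CEK wrapped under the new KEK
     * @throws SecurityException     if {@code map} equals the current description (non-KMS only),
     *                               or the re-wrapped CEK equals the current one
     * @throws AmazonClientException if no materials exist for {@code map}
     */
    public final ContentCryptoMaterial g(Map map, EncryptionMaterialsProvider encryptionMaterialsProvider, S3CryptoScheme s3CryptoScheme, Provider provider, AWSKMSClient aWSKMSClient, AmazonWebServiceRequest amazonWebServiceRequest) {
        if (!i() && map.equals(this.f16499c)) {
            throw new SecurityException("Material description of the new KEK must differ from the current one");
        }
        EncryptionMaterials currentKek = currentKekMaterials(encryptionMaterialsProvider);
        EncryptionMaterials newKek = encryptionMaterialsProvider.getEncryptionMaterials(map);
        if (newKek == null) {
            throw new AmazonClientException("No material available with the description " + map + " from the encryption material provider");
        }
        return rewrap(currentKek, newKek, s3CryptoScheme, provider, aWSKMSClient, amazonWebServiceRequest);
    }

    /**
     * Resolves the materials for the KEK that currently wraps the CEK: KMS materials built from
     * the stored key id for KMS envelopes, otherwise whatever the provider returns for the stored
     * description (possibly {@code null}, which {@link #a} rejects).
     */
    private EncryptionMaterials currentKekMaterials(EncryptionMaterialsProvider encryptionMaterialsProvider) {
        if (i()) {
            // The description may be null (see e()); fail with a client exception, not an NPE.
            if (this.f16499c == null) {
                throw new AmazonClientException("Materials description not found for the KMS-wrapped content encrypting key.");
            }
            return new KMSEncryptionMaterials(this.f16499c.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
        }
        return encryptionMaterialsProvider.getEncryptionMaterials(this.f16499c);
    }

    /**
     * Unwraps the CEK with {@code currentKek}, wraps it again under {@code newKek}, and rejects
     * the result if the wrapped bytes did not change.
     */
    private ContentCryptoMaterial rewrap(EncryptionMaterials currentKek, EncryptionMaterials newKek, S3CryptoScheme s3CryptoScheme, Provider provider, AWSKMSClient aWSKMSClient, AmazonWebServiceRequest amazonWebServiceRequest) {
        ContentCryptoScheme scheme = this.f16498b.f16494b;
        SecretKey cek = a(this.f16500d, this.f16497a, currentKek, provider, scheme, aWSKMSClient);
        ContentCryptoMaterial rewrapped = b(cek, this.f16498b.b(), newKek, this.f16498b.f16494b, s3CryptoScheme, provider, aWSKMSClient, amazonWebServiceRequest);
        // Identical wrapped bytes mean the CEK ended up under the same KEK again.
        if (Arrays.equals(rewrapped.f16500d, this.f16500d)) {
            throw new SecurityException("The new KEK must differ from the original");
        }
        return rewrapped;
    }

    /**
     * Serializes the envelope as a JSON string of header names and values.
     *
     * <p>For {@code CryptoMode.EncryptionOnly} with a non-KMS key only the older key header, the
     * IV and the materials description are written. In every other case the v2 key header is
     * used and the CEK algorithm, the tag length (when positive) and the key-wrap algorithm
     * (when present) are added.
     *
     * @param cryptoMode crypto mode that selects the envelope layout
     * @return the serialized envelope
     */
    public final String h(CryptoMode cryptoMode) {
        boolean legacyLayout = cryptoMode == CryptoMode.EncryptionOnly && !i();
        Map<String, String> envelope = new HashMap<String, String>();
        envelope.put(legacyLayout ? Headers.CRYPTO_KEY : Headers.CRYPTO_KEY_V2, Base64.encodeAsString(this.f16500d.clone()));
        envelope.put(Headers.CRYPTO_IV, Base64.encodeAsString(this.f16498b.b()));
        envelope.put(Headers.MATERIALS_DESCRIPTION, e());
        if (!legacyLayout) {
            ContentCryptoScheme scheme = this.f16498b.f16494b;
            envelope.put(Headers.CRYPTO_CEK_ALGORITHM, scheme.f());
            int tagLength = scheme.k();
            if (tagLength > 0) {
                envelope.put(Headers.CRYPTO_TAG_LENGTH, String.valueOf(tagLength));
            }
            if (this.f16497a != null) {
                envelope.put(Headers.CRYPTO_KEYWRAP_ALGORITHM, this.f16497a);
            }
        }
        return JsonUtils.mapToString(envelope);
    }

    /** Returns whether the recorded key-wrap algorithm marks the CEK as wrapped by KMS. */
    public final boolean i() {
        return KMSSecuredCEK.isKMSKeyWrapped(this.f16497a);
    }
}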
