package com.amazonaws.services.s3.internal.crypto;

import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonWebServiceRequest;
import com.amazonaws.services.kms.AWSKMSClient;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.s3.Headers;
import com.amazonaws.services.s3.KeyWrapException;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsAccessor;
import com.amazonaws.services.s3.model.ExtraMaterialsDescription;
import com.amazonaws.services.s3.model.KMSEncryptionMaterials;
import com.amazonaws.services.s3.model.MaterialsDescriptionProvider;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.util.Base64;
import com.amazonaws.util.BinaryUtils;
import com.amazonaws.util.json.JsonUtils;
import defpackage.oj;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

@Deprecated
/* loaded from: classes.dex */
public final class ContentCryptoMaterial {

    /* renamed from: a, reason: collision with root package name */
    public final String f2308a;
    public final CipherLite b;
    public final Map<String, String> c;
    public final byte[] d;

    public ContentCryptoMaterial(Map<String, String> map, byte[] bArr, String str, CipherLite cipherLite) {
        this.b = cipherLite;
        this.f2308a = str;
        this.d = (byte[]) bArr.clone();
        this.c = map;
    }

    public static SecretKey a(byte[] bArr, String str, EncryptionMaterials encryptionMaterials, Provider provider, ContentCryptoScheme contentCryptoScheme, AWSKMSClient aWSKMSClient) {
        Key symmetricKey;
        if (KMSSecuredCEK.a(str)) {
            return new SecretKeySpec(BinaryUtils.copyAllBytesFrom(aWSKMSClient.decrypt(new DecryptRequest().withEncryptionContext(encryptionMaterials.getMaterialsDescription()).withCiphertextBlob(ByteBuffer.wrap(bArr))).getPlaintext()), contentCryptoScheme.h());
        }
        if (encryptionMaterials.getKeyPair() != null) {
            symmetricKey = encryptionMaterials.getKeyPair().getPrivate();
            if (symmetricKey == null) {
                throw new AmazonClientException("Key encrypting key not available");
            }
        } else {
            symmetricKey = encryptionMaterials.getSymmetricKey();
            if (symmetricKey == null) {
                throw new AmazonClientException("Key encrypting key not available");
            }
        }
        try {
            if (str != null) {
                Cipher cipher = provider == null ? Cipher.getInstance(str) : Cipher.getInstance(str, provider);
                cipher.init(4, symmetricKey);
                return (SecretKey) cipher.unwrap(bArr, str, 3);
            }
            Cipher cipher2 = provider != null ? Cipher.getInstance(symmetricKey.getAlgorithm(), provider) : Cipher.getInstance(symmetricKey.getAlgorithm());
            cipher2.init(2, symmetricKey);
            return new SecretKeySpec(cipher2.doFinal(bArr), JceEncryptionConstants.SYMMETRIC_KEY_ALGORITHM);
        } catch (Exception e) {
            throw new AmazonClientException("Unable to decrypt symmetric key from object metadata", e);
        }
    }

    public static ContentCryptoMaterial b(SecretKey secretKey, byte[] bArr, EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, S3CryptoScheme s3CryptoScheme, Provider provider, AWSKMSClient aWSKMSClient, AmazonWebServiceRequest amazonWebServiceRequest) {
        SecuredCEK securedCEK;
        SecuredCEK securedCEK2;
        S3KeyWrapScheme s3KeyWrapScheme = s3CryptoScheme.b;
        SecureRandom secureRandom = S3CryptoScheme.f2314a;
        if (encryptionMaterials.isKMSEnabled()) {
            Map<String, String> g = g(encryptionMaterials, amazonWebServiceRequest);
            EncryptRequest withPlaintext = new EncryptRequest().withEncryptionContext(g).withKeyId(encryptionMaterials.getCustomerMasterKeyId()).withPlaintext(ByteBuffer.wrap(secretKey.getEncoded()));
            withPlaintext.withGeneralProgressListener(amazonWebServiceRequest.getGeneralProgressListener()).withRequestMetricCollector(amazonWebServiceRequest.getRequestMetricCollector());
            securedCEK2 = new KMSSecuredCEK(BinaryUtils.copyAllBytesFrom(aWSKMSClient.encrypt(withPlaintext).getCiphertextBlob()), g);
        } else {
            Map<String, String> materialsDescription = encryptionMaterials.getMaterialsDescription();
            Key key = encryptionMaterials.getKeyPair() != null ? encryptionMaterials.getKeyPair().getPublic() : encryptionMaterials.getSymmetricKey();
            String a2 = s3KeyWrapScheme.a(key, provider);
            try {
                if (a2 != null) {
                    Cipher cipher = provider == null ? Cipher.getInstance(a2) : Cipher.getInstance(a2, provider);
                    cipher.init(3, key, secureRandom);
                    securedCEK = new SecuredCEK(cipher.wrap(secretKey), a2, materialsDescription);
                } else {
                    byte[] encoded = secretKey.getEncoded();
                    String algorithm = key.getAlgorithm();
                    Cipher cipher2 = provider != null ? Cipher.getInstance(algorithm, provider) : Cipher.getInstance(algorithm);
                    cipher2.init(1, key);
                    securedCEK = new SecuredCEK(cipher2.doFinal(encoded), null, materialsDescription);
                }
                securedCEK2 = securedCEK;
            } catch (Exception e) {
                throw new AmazonClientException("Unable to encrypt symmetric key", e);
            }
        }
        return new ContentCryptoMaterial(securedCEK2.c, securedCEK2.f2317a, securedCEK2.b, contentCryptoScheme.c(secretKey, bArr, 1, provider));
    }

    public static ContentCryptoMaterial c(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z, AWSKMSClient aWSKMSClient) {
        EncryptionMaterials encryptionMaterials;
        int parseInt;
        String str = map.get(Headers.CRYPTO_KEY_V2);
        if (str == null && (str = map.get(Headers.CRYPTO_KEY)) == null) {
            throw new AmazonClientException("Content encrypting key not found.");
        }
        byte[] decode = Base64.decode(str);
        byte[] decode2 = Base64.decode(map.get(Headers.CRYPTO_IV));
        if (decode == null || decode2 == null) {
            throw new AmazonClientException("Necessary encryption info not found in the instruction file " + map);
        }
        String str2 = map.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
        boolean a2 = KMSSecuredCEK.a(str2);
        Map<String, String> jsonToMap = JsonUtils.jsonToMap(map.get(Headers.MATERIALS_DESCRIPTION));
        Map<String, String> unmodifiableMap = jsonToMap == null ? null : Collections.unmodifiableMap(jsonToMap);
        Map<String, String> mergeInto = (extraMaterialsDescription == null || a2) ? unmodifiableMap : extraMaterialsDescription.mergeInto(unmodifiableMap);
        if (a2) {
            KMSEncryptionMaterials kMSEncryptionMaterials = new KMSEncryptionMaterials(unmodifiableMap.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
            kMSEncryptionMaterials.addDescriptions(unmodifiableMap);
            encryptionMaterials = kMSEncryptionMaterials;
        } else {
            EncryptionMaterials encryptionMaterials2 = encryptionMaterialsAccessor != null ? encryptionMaterialsAccessor.getEncryptionMaterials(mergeInto) : null;
            if (encryptionMaterials2 == null) {
                throw new AmazonClientException("Unable to retrieve the encryption materials that originally encrypted object corresponding to instruction file " + map);
            }
            encryptionMaterials = encryptionMaterials2;
        }
        String str3 = map.get(Headers.CRYPTO_CEK_ALGORITHM);
        boolean z2 = jArr != null;
        ContentCryptoScheme d = ContentCryptoScheme.d(str3, z2);
        if (z2) {
            decode2 = d.a(decode2, jArr[0]);
        } else {
            int k = d.k();
            if (k > 0 && k != (parseInt = Integer.parseInt(map.get(Headers.CRYPTO_TAG_LENGTH)))) {
                throw new AmazonClientException(oj.t("Unsupported tag length: ", parseInt, ", expected: ", k));
            }
        }
        byte[] bArr = decode2;
        if (z && str2 == null) {
            throw new KeyWrapException("Missing key-wrap for the content-encrypting-key");
        }
        return new ContentCryptoMaterial(mergeInto, decode, str2, d.c(a(decode, str2, encryptionMaterials, provider, d, aWSKMSClient), bArr, 2, provider));
    }

    public static ContentCryptoMaterial d(ObjectMetadata objectMetadata, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z, AWSKMSClient aWSKMSClient) {
        EncryptionMaterials encryptionMaterials;
        int parseInt;
        Map<String, String> userMetadata = objectMetadata.getUserMetadata();
        String str = userMetadata.get(Headers.CRYPTO_KEY_V2);
        if (str == null && (str = userMetadata.get(Headers.CRYPTO_KEY)) == null) {
            throw new AmazonClientException("Content encrypting key not found.");
        }
        byte[] decode = Base64.decode(str);
        byte[] decode2 = Base64.decode(userMetadata.get(Headers.CRYPTO_IV));
        if (decode == null || decode2 == null) {
            throw new AmazonClientException("Content encrypting key or IV not found.");
        }
        String str2 = userMetadata.get(Headers.MATERIALS_DESCRIPTION);
        String str3 = userMetadata.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
        boolean a2 = KMSSecuredCEK.a(str3);
        Map<String, String> jsonToMap = JsonUtils.jsonToMap(str2);
        Map<String, String> unmodifiableMap = jsonToMap == null ? null : Collections.unmodifiableMap(jsonToMap);
        Map<String, String> mergeInto = (a2 || extraMaterialsDescription == null) ? unmodifiableMap : extraMaterialsDescription.mergeInto(unmodifiableMap);
        if (a2) {
            KMSEncryptionMaterials kMSEncryptionMaterials = new KMSEncryptionMaterials(unmodifiableMap.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
            kMSEncryptionMaterials.addDescriptions(unmodifiableMap);
            encryptionMaterials = kMSEncryptionMaterials;
        } else {
            EncryptionMaterials encryptionMaterials2 = encryptionMaterialsAccessor != null ? encryptionMaterialsAccessor.getEncryptionMaterials(mergeInto) : null;
            if (encryptionMaterials2 == null) {
                throw new AmazonClientException("Unable to retrieve the client encryption materials");
            }
            encryptionMaterials = encryptionMaterials2;
        }
        String str4 = userMetadata.get(Headers.CRYPTO_CEK_ALGORITHM);
        boolean z2 = jArr != null;
        ContentCryptoScheme d = ContentCryptoScheme.d(str4, z2);
        if (z2) {
            decode2 = d.a(decode2, jArr[0]);
        } else {
            int k = d.k();
            if (k > 0 && k != (parseInt = Integer.parseInt(userMetadata.get(Headers.CRYPTO_TAG_LENGTH)))) {
                throw new AmazonClientException(oj.t("Unsupported tag length: ", parseInt, ", expected: ", k));
            }
        }
        byte[] bArr = decode2;
        if (z && str3 == null) {
            throw new KeyWrapException("Missing key-wrap for the content-encrypting-key");
        }
        return new ContentCryptoMaterial(mergeInto, decode, str3, d.c(a(decode, str3, encryptionMaterials, provider, d, aWSKMSClient), bArr, 2, provider));
    }

    /* JADX WARN: Multi-variable type inference failed */
    public static Map<String, String> g(EncryptionMaterials encryptionMaterials, AmazonWebServiceRequest amazonWebServiceRequest) {
        Map<String, String> materialsDescription;
        Map<String, String> materialsDescription2 = encryptionMaterials.getMaterialsDescription();
        if (!(amazonWebServiceRequest instanceof MaterialsDescriptionProvider) || (materialsDescription = ((MaterialsDescriptionProvider) amazonWebServiceRequest).getMaterialsDescription()) == null) {
            return materialsDescription2;
        }
        TreeMap treeMap = new TreeMap(materialsDescription2);
        treeMap.putAll(materialsDescription);
        return treeMap;
    }

    public byte[] e() {
        return (byte[]) this.d.clone();
    }

    public final String f() {
        Map<String, String> map = this.c;
        if (map == null) {
            map = Collections.emptyMap();
        }
        return JsonUtils.mapToString(map);
    }

    public ContentCryptoMaterial h(EncryptionMaterials encryptionMaterials, EncryptionMaterialsAccessor encryptionMaterialsAccessor, S3CryptoScheme s3CryptoScheme, Provider provider, AWSKMSClient aWSKMSClient, AmazonWebServiceRequest amazonWebServiceRequest) {
        if (!k() && encryptionMaterials.getMaterialsDescription().equals(this.c)) {
            throw new SecurityException("Material description of the new KEK must differ from the current one");
        }
        ContentCryptoMaterial b = b(a(this.d, this.f2308a, k() ? new KMSEncryptionMaterials(this.c.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID)) : encryptionMaterialsAccessor.getEncryptionMaterials(this.c), provider, this.b.c, aWSKMSClient), this.b.b(), encryptionMaterials, this.b.c, s3CryptoScheme, provider, aWSKMSClient, amazonWebServiceRequest);
        if (Arrays.equals(b.d, this.d)) {
            throw new SecurityException("The new KEK must differ from the original");
        }
        return b;
    }

    public ContentCryptoMaterial i(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, S3CryptoScheme s3CryptoScheme, Provider provider, AWSKMSClient aWSKMSClient, AmazonWebServiceRequest amazonWebServiceRequest) {
        if (!k() && map.equals(this.c)) {
            throw new SecurityException("Material description of the new KEK must differ from the current one");
        }
        EncryptionMaterials kMSEncryptionMaterials = k() ? new KMSEncryptionMaterials(this.c.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID)) : encryptionMaterialsAccessor.getEncryptionMaterials(this.c);
        EncryptionMaterials encryptionMaterials = encryptionMaterialsAccessor.getEncryptionMaterials(map);
        if (encryptionMaterials != null) {
            ContentCryptoMaterial b = b(a(this.d, this.f2308a, kMSEncryptionMaterials, provider, this.b.c, aWSKMSClient), this.b.b(), encryptionMaterials, this.b.c, s3CryptoScheme, provider, aWSKMSClient, amazonWebServiceRequest);
            if (Arrays.equals(b.d, this.d)) {
                throw new SecurityException("The new KEK must differ from the original");
            }
            return b;
        }
        throw new AmazonClientException("No material available with the description " + map + " from the encryption material provider");
    }

    public String j(CryptoMode cryptoMode) {
        if (cryptoMode == CryptoMode.EncryptionOnly && !k()) {
            HashMap hashMap = new HashMap();
            hashMap.put(Headers.CRYPTO_KEY, Base64.encodeAsString(e()));
            hashMap.put(Headers.CRYPTO_IV, Base64.encodeAsString(this.b.b()));
            hashMap.put(Headers.MATERIALS_DESCRIPTION, f());
            return JsonUtils.mapToString(hashMap);
        }
        HashMap hashMap2 = new HashMap();
        hashMap2.put(Headers.CRYPTO_KEY_V2, Base64.encodeAsString(e()));
        hashMap2.put(Headers.CRYPTO_IV, Base64.encodeAsString(this.b.b()));
        hashMap2.put(Headers.MATERIALS_DESCRIPTION, f());
        ContentCryptoScheme contentCryptoScheme = this.b.c;
        hashMap2.put(Headers.CRYPTO_CEK_ALGORITHM, contentCryptoScheme.f());
        int k = contentCryptoScheme.k();
        if (k > 0) {
            hashMap2.put(Headers.CRYPTO_TAG_LENGTH, String.valueOf(k));
        }
        String str = this.f2308a;
        if (str != null) {
            hashMap2.put(Headers.CRYPTO_KEYWRAP_ALGORITHM, str);
        }
        return JsonUtils.mapToString(hashMap2);
    }

    public final boolean k() {
        return KMSSecuredCEK.a(this.f2308a);
    }
}
