package com.amazonaws.services.s3.internal.crypto.v2;

import com.amazonaws.AmazonWebServiceRequest;
import com.amazonaws.SDKGlobalConfiguration;
import com.amazonaws.SdkClientException;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.s3.Headers;
import com.amazonaws.services.s3.KeyWrapException;
import com.amazonaws.services.s3.internal.crypto.CipherLite;
import com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme;
import com.amazonaws.services.s3.internal.crypto.CryptoUtils;
import com.amazonaws.services.s3.internal.crypto.JceEncryptionConstants;
import com.amazonaws.services.s3.internal.crypto.keywrap.InternalKeyWrapAlgorithm;
import com.amazonaws.services.s3.internal.crypto.keywrap.KMSKeyWrapperContext;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapAlgorithmResolver;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapperContext;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapperFactory;
import com.amazonaws.services.s3.model.CryptoConfigurationV2;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.CryptoRangeGetMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsAccessor;
import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.ExtraMaterialsDescription;
import com.amazonaws.services.s3.model.KMSEncryptionMaterials;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutInstructionFileRequest;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.util.Base64;
import com.amazonaws.util.BinaryUtils;
import com.amazonaws.util.StringUtils;
import com.amazonaws.util.Throwables;
import com.amazonaws.util.json.Jackson;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Provider;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:WEB-INF/lib/aws-java-sdk-s3-1.12.246.jar:com/amazonaws/services/s3/internal/crypto/v2/ContentCryptoMaterial.class */
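/**
 * Per-object cryptographic material for the v2 S3 encryption client: the wrapped content
 * encrypting key (CEK), the key wrap algorithm protecting it, the description of the key
 * encrypting key (KEK) material, and the {@link CipherLite} built from the unwrapped CEK and IV.
 *
 * <p>The {@code fromObjectMetadata} and {@code fromInstructionFile} factories parse a string map
 * taken from the stored object (user metadata or an instruction file). Those values are written
 * next to the ciphertext, so the checks in {@link #validateKeyWrapAlgorithmForDecrypt},
 * {@link #validateMaterialsForDecrypt} and {@link #validateKMSParameters} are what keep a
 * tampered header from selecting a weaker unwrap path.
 *
 * <p>This listing is decompiler output; several members are marked {@code public} only because
 * the decompiler widened them. The class itself is package-private.
 */
final class ContentCryptoMaterial {
    private final InternalKeyWrapAlgorithm keyWrappingAlgorithm;
    private final CipherLite cipherLite;
    private final Map<String, String> kekMaterialsDescription;
    private final byte[] encryptedCEK;

    /**
     * @param map description of the KEK material; stored by reference, not copied
     * @param bArr wrapped CEK; a defensive copy is kept
     * @param internalKeyWrapAlgorithm key wrap algorithm, or null when none was recorded
     * @param cipherLite cipher already initialised with the plaintext CEK and IV
     */
    ContentCryptoMaterial(Map<String, String> map, byte[] bArr, InternalKeyWrapAlgorithm internalKeyWrapAlgorithm, CipherLite cipherLite) {
        this.cipherLite = cipherLite;
        this.keyWrappingAlgorithm = internalKeyWrapAlgorithm;
        this.encryptedCEK = bArr.clone();
        this.kekMaterialsDescription = map;
    }

    /** Returns the key wrap algorithm, or null when none was recorded for the object. */
    InternalKeyWrapAlgorithm getKeyWrappingAlgorithm() {
        return this.keyWrappingAlgorithm;
    }

    /** Returns the content crypto scheme of the underlying cipher. Package-private in the original. */
    public ContentCryptoScheme getContentCryptoScheme() {
        return this.cipherLite.getContentCryptoScheme();
    }

    /**
     * Writes the wrapped CEK, IV, materials description, CEK algorithm and (when present) tag
     * length and key wrap algorithm into the given metadata as user metadata entries.
     * Package-private in the original.
     *
     * @param objectMetadata metadata to add the entries to
     * @return the same {@code objectMetadata} instance
     */
    public ObjectMetadata toObjectMetadata(ObjectMetadata objectMetadata) {
        objectMetadata.addUserMetadata(Headers.CRYPTO_KEY_V2, Base64.encodeAsString(getEncryptedCEK()));
        objectMetadata.addUserMetadata(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        objectMetadata.addUserMetadata(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        ContentCryptoScheme scheme = getContentCryptoScheme();
        objectMetadata.addUserMetadata(Headers.CRYPTO_CEK_ALGORITHM, scheme.getCipherAlgorithm());
        int tagLengthInBits = scheme.getTagLengthInBits();
        if (tagLengthInBits > 0) {
            objectMetadata.addUserMetadata(Headers.CRYPTO_TAG_LENGTH, String.valueOf(tagLengthInBits));
        }
        InternalKeyWrapAlgorithm wrapAlgorithm = getKeyWrappingAlgorithm();
        if (wrapAlgorithm != null) {
            objectMetadata.addUserMetadata(Headers.CRYPTO_KEYWRAP_ALGORITHM, wrapAlgorithm.algorithmName());
        }
        return objectMetadata;
    }

    /**
     * Serialises the same fields as {@link #toObjectMetadata} into a JSON object string.
     * Package-private in the original.
     */
    public String toJsonString() {
        // Typed map instead of the raw HashMap the decompiler produced.
        Map<String, String> fields = new HashMap<String, String>();
        fields.put(Headers.CRYPTO_KEY_V2, Base64.encodeAsString(getEncryptedCEK()));
        fields.put(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        fields.put(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        ContentCryptoScheme scheme = getContentCryptoScheme();
        fields.put(Headers.CRYPTO_CEK_ALGORITHM, scheme.getCipherAlgorithm());
        int tagLengthInBits = scheme.getTagLengthInBits();
        if (tagLengthInBits > 0) {
            fields.put(Headers.CRYPTO_TAG_LENGTH, String.valueOf(tagLengthInBits));
        }
        InternalKeyWrapAlgorithm wrapAlgorithm = getKeyWrappingAlgorithm();
        if (wrapAlgorithm != null) {
            fields.put(Headers.CRYPTO_KEYWRAP_ALGORITHM, wrapAlgorithm.algorithmName());
        }
        return Jackson.toJsonString(fields);
    }

    /** Returns the KEK materials description as JSON, using an empty map when it is null. */
    private String kekMaterialDescAsJson() {
        Map<String, String> description = getKEKMaterialsDescription();
        if (description == null) {
            description = Collections.emptyMap();
        }
        return Jackson.toJsonString(description);
    }

    /** Parses a materials description from JSON; returns null or an unmodifiable view. */
    private static Map<String, String> matdescFromJson(String str) {
        Map<String, String> parsed = Jackson.stringMapFromJsonString(str);
        if (parsed == null) {
            return null;
        }
        return Collections.unmodifiableMap(parsed);
    }

    /**
     * Unwraps the CEK described by the context.
     *
     * <p>Contexts with no key wrap algorithm, or with a v1 algorithm, go to
     * {@link #decryptV1CEK}. For KMS algorithms {@link #validateKMSParameters} runs first.
     *
     * @param keyWrapperContext wrapped CEK plus the materials and algorithm needed to unwrap it
     * @return the plaintext CEK
     */
    private static SecretKey decryptCEK(KeyWrapperContext keyWrapperContext) {
        if (isV1DecryptContext(keyWrapperContext)) {
            return decryptV1CEK(keyWrapperContext);
        }
        boolean kms = keyWrapperContext.internalKeyWrapAlgorithm().isKMS();
        if (kms) {
            validateKMSParameters(keyWrapperContext);
        }
        Key kek = getDecryptionKeyFrom(keyWrapperContext.materials());
        byte[] plaintextCek = KeyWrapperFactory.defaultInstance()
                .createKeyWrapper(keyWrapperContext)
                .unwrapCek(keyWrapperContext.cekSecured(), kek);
        // kek is null for KMS-enabled materials, so the key algorithm name then comes from the
        // content scheme rather than from the KEK.
        String cekAlgorithm = keyWrapperContext.internalKeyWrapAlgorithm().isKMS()
                ? keyWrapperContext.contentCryptoScheme().getKeyGeneratorAlgorithm()
                : kek.getAlgorithm();
        return new SecretKeySpec(plaintextCek, cekAlgorithm);
    }

    /** Returns true when the context has no key wrap algorithm or names a v1 algorithm. */
    private static boolean isV1DecryptContext(KeyWrapperContext keyWrapperContext) {
        InternalKeyWrapAlgorithm algorithm = keyWrapperContext.internalKeyWrapAlgorithm();
        return algorithm == null || algorithm.isV1Algorithm();
    }

    /**
     * Checks that the KMS materials description is present and that its CEK-algorithm entry
     * equals the normalised cipher algorithm of the content scheme.
     *
     * <p>The content scheme is chosen from a header stored with the object, so this comparison
     * is what detects a CEK-algorithm header that disagrees with the description.
     *
     * @throws IllegalStateException if the KMS context, the description or the entry is missing,
     *     or the two algorithm values differ
     */
    private static void validateKMSParameters(KeyWrapperContext keyWrapperContext) {
        KMSKeyWrapperContext kmsContext = keyWrapperContext.kmsKeyWrapperContext();
        if (kmsContext == null) {
            throw new IllegalStateException("Missing KMS parameters");
        }
        Map<String, String> kmsDescription = kmsContext.kmsMaterialsDescription();
        if (kmsDescription == null) {
            throw new IllegalStateException("Key materials from KMS must contain description entries");
        }
        String describedAlgorithm = kmsDescription.get(Headers.AWS_CRYPTO_CEK_ALGORITHM);
        if (describedAlgorithm == null) {
            throw new IllegalStateException("Could not find required description in key material: aws:x-amz-cek-alg");
        }
        String schemeAlgorithm = CryptoUtils.normalizeContentAlgorithmForValidation(keyWrapperContext.contentCryptoScheme().getCipherAlgorithm());
        if (!describedAlgorithm.equals(schemeAlgorithm)) {
            throw new IllegalStateException("Algorithm values from materials and metadata/instruction file don't match:" + describedAlgorithm + ", " + schemeAlgorithm);
        }
    }

    /**
     * Unwraps a CEK using the v1 conventions: KMS when the algorithm is a KMS one, a JCE unwrap
     * when an algorithm name is present, and a plain JCE decrypt when there is none.
     *
     * @throws SdkClientException if no KEK is available or the JCE operation fails
     */
    private static SecretKey decryptV1CEK(KeyWrapperContext keyWrapperContext) {
        InternalKeyWrapAlgorithm algorithm = keyWrapperContext.internalKeyWrapAlgorithm();
        if (algorithm != null && algorithm.isKMS()) {
            return decryptV1CEKByKMS(keyWrapperContext);
        }
        String algorithmName = algorithm != null ? algorithm.algorithmName() : null;
        EncryptionMaterials materials = keyWrapperContext.materials();
        // Declared as Key: the decompiler typed this PrivateKey, which cannot hold the symmetric
        // key returned by the second branch.
        Key kek = materials.getKeyPair() != null ? materials.getKeyPair().getPrivate() : materials.getSymmetricKey();
        if (kek == null) {
            throw new SdkClientException("Key encrypting key not available");
        }
        Provider cryptoProvider = keyWrapperContext.cryptoProvider();
        try {
            if (algorithmName != null) {
                Cipher unwrapper = cryptoProvider == null ? Cipher.getInstance(algorithmName) : Cipher.getInstance(algorithmName, cryptoProvider);
                unwrapper.init(Cipher.UNWRAP_MODE, kek);
                return (SecretKey) unwrapper.unwrap(keyWrapperContext.cekSecured(), algorithmName, Cipher.SECRET_KEY);
            }
            // No key wrap algorithm recorded: the transformation is only the KEK's algorithm
            // name, so mode and padding are whatever the JCE provider defaults to. This path is
            // reachable only when validateKeyWrapAlgorithmForDecrypt accepted a null algorithm.
            Cipher decryptor = cryptoProvider == null ? Cipher.getInstance(kek.getAlgorithm()) : Cipher.getInstance(kek.getAlgorithm(), cryptoProvider);
            decryptor.init(Cipher.DECRYPT_MODE, kek);
            return new SecretKeySpec(decryptor.doFinal(keyWrapperContext.cekSecured()), JceEncryptionConstants.SYMMETRIC_KEY_ALGORITHM);
        } catch (Exception e) {
            throw Throwables.failure(e, "Unable to decrypt symmetric key from object metadata");
        }
    }

    /**
     * Unwraps a v1 KMS-protected CEK with a KMS Decrypt call.
     *
     * <p>The key id and the encryption context both come from the caller's materials, not from
     * values stored with the object.
     *
     * @throws IllegalStateException if the KMS context is missing
     * @throws IllegalArgumentException if the materials carry no customer master key id
     */
    private static SecretKey decryptV1CEKByKMS(KeyWrapperContext keyWrapperContext) {
        KMSKeyWrapperContext kmsContext = keyWrapperContext.kmsKeyWrapperContext();
        if (kmsContext == null) {
            throw new IllegalStateException("Missing KMS parameters");
        }
        String customerMasterKeyId = keyWrapperContext.materials().getCustomerMasterKeyId();
        if (null == customerMasterKeyId || customerMasterKeyId.isEmpty()) {
            throw new IllegalArgumentException("The CMK must be specified to decrypt KMS protected objects");
        }
        DecryptRequest request = new DecryptRequest()
                .withEncryptionContext(keyWrapperContext.materials().getMaterialsDescription())
                .withCiphertextBlob(ByteBuffer.wrap(keyWrapperContext.cekSecured()))
                .withKeyId(customerMasterKeyId);
        byte[] plaintextCek = BinaryUtils.copyAllBytesFrom(kmsContext.kms().decrypt(request).getPlaintext());
        return new SecretKeySpec(plaintextCek, keyWrapperContext.contentCryptoScheme().getKeyGeneratorAlgorithm());
    }

    /**
     * Builds the material from object metadata for a full-object get, with no extra materials
     * description. Package-private in the original.
     *
     * @param z whether a key wrap algorithm is expected to be present
     */
    public static ContentCryptoMaterial fromObjectMetadata(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, boolean z, AWSKMS awskms) {
        return fromObjectMetadata0(map, encryptionMaterialsAccessor, cryptoConfigurationV2, null, ExtraMaterialsDescription.NONE, z, awskms);
    }

    /**
     * Builds the material from object metadata. Package-private in the original.
     *
     * @param jArr range of a range get, or null for a full-object get; only element 0 is read
     * @param extraMaterialsDescription extra description merged in for non-KMS algorithms; may be null
     * @param z whether a key wrap algorithm is expected to be present
     */
    public static ContentCryptoMaterial fromObjectMetadata(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z, AWSKMS awskms) {
        return fromObjectMetadata0(map, encryptionMaterialsAccessor, cryptoConfigurationV2, jArr, extraMaterialsDescription, z, awskms);
    }

    /**
     * Parses the metadata map, validates the key wrap algorithm and materials against the
     * configured crypto mode, unwraps the CEK and returns the decrypt-side material.
     *
     * @throws SdkClientException if the wrapped key or IV is missing, no materials are found, or
     *     the stored tag length differs from the scheme's
     */
    private static ContentCryptoMaterial fromObjectMetadata0(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z, AWSKMS awskms) {
        byte[] cekSecured = Base64.decode(findWrappedCek(map));
        byte[] iv = Base64.decode(map.get(Headers.CRYPTO_IV));
        if (cekSecured == null || iv == null) {
            throw new SdkClientException("Content encrypting key or IV not found.");
        }
        String matdescJson = map.get(Headers.MATERIALS_DESCRIPTION);
        String wrapAlgorithmName = map.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
        Map<String, String> storedMatdesc = matdescFromJson(matdescJson);
        InternalKeyWrapAlgorithm wrapAlgorithm = InternalKeyWrapAlgorithm.fromAlgorithmName(wrapAlgorithmName);
        validateKeyWrapAlgorithmForDecrypt(wrapAlgorithm, z, cryptoConfigurationV2.getCryptoMode());
        boolean kms = wrapAlgorithm != null && wrapAlgorithm.isKMS();
        Map<String, String> matdesc = (kms || extraMaterialsDescription == null) ? storedMatdesc : extraMaterialsDescription.mergeInto(storedMatdesc);
        EncryptionMaterials materials = lookupMaterialsForDecrypt(encryptionMaterialsAccessor, matdesc, kms);
        validateMaterialsForDecrypt(materials, matdesc, cryptoConfigurationV2.getCryptoMode(), wrapAlgorithm);
        ContentCryptoScheme scheme = ContentCryptoScheme.fromCEKAlgo(map.get(Headers.CRYPTO_CEK_ALGORITHM), jArr != null);
        byte[] effectiveIv = prepareIvForDecrypt(map, iv, scheme, jArr, cryptoConfigurationV2);
        CipherLite decryptCipher = newDecryptCipherLite(cekSecured, effectiveIv, wrapAlgorithm, materials, matdesc, scheme, cryptoConfigurationV2, awskms);
        return new ContentCryptoMaterial(matdesc, cekSecured, wrapAlgorithm, decryptCipher);
    }

    /**
     * Builds the material from a parsed instruction file for a full-object get, with no extra
     * materials description. Package-private in the original.
     *
     * @param z whether a key wrap algorithm is expected to be present
     */
    public static ContentCryptoMaterial fromInstructionFile(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, boolean z, AWSKMS awskms) {
        return fromInstructionFile0(map, encryptionMaterialsAccessor, cryptoConfigurationV2, null, ExtraMaterialsDescription.NONE, z, awskms);
    }

    /**
     * Builds the material from a parsed instruction file. Package-private in the original.
     *
     * @param jArr range of a range get, or null for a full-object get; only element 0 is read
     * @param extraMaterialsDescription extra description merged in for non-KMS algorithms; may be null
     * @param z whether a key wrap algorithm is expected to be present
     */
    public static ContentCryptoMaterial fromInstructionFile(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z, AWSKMS awskms) {
        return fromInstructionFile0(map, encryptionMaterialsAccessor, cryptoConfigurationV2, jArr, extraMaterialsDescription, z, awskms);
    }

    /**
     * Instruction-file counterpart of {@link #fromObjectMetadata0}. The steps are the same; the
     * materials description is parsed after the key wrap algorithm has been validated, and the
     * missing key/IV message includes the whole instruction map.
     *
     * @throws SdkClientException if the wrapped key or IV is missing, no materials are found, or
     *     the stored tag length differs from the scheme's
     */
    private static ContentCryptoMaterial fromInstructionFile0(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z, AWSKMS awskms) {
        byte[] cekSecured = Base64.decode(findWrappedCek(map));
        byte[] iv = Base64.decode(map.get(Headers.CRYPTO_IV));
        if (cekSecured == null || iv == null) {
            // The message echoes every instruction-file entry, so it ends up wherever the
            // exception is logged.
            throw new SdkClientException("Necessary encryption info not found in the instruction file " + map);
        }
        InternalKeyWrapAlgorithm wrapAlgorithm = InternalKeyWrapAlgorithm.fromAlgorithmName(map.get(Headers.CRYPTO_KEYWRAP_ALGORITHM));
        validateKeyWrapAlgorithmForDecrypt(wrapAlgorithm, z, cryptoConfigurationV2.getCryptoMode());
        boolean kms = wrapAlgorithm != null && wrapAlgorithm.isKMS();
        Map<String, String> storedMatdesc = matdescFromJson(map.get(Headers.MATERIALS_DESCRIPTION));
        Map<String, String> matdesc = (extraMaterialsDescription == null || kms) ? storedMatdesc : extraMaterialsDescription.mergeInto(storedMatdesc);
        EncryptionMaterials materials = lookupMaterialsForDecrypt(encryptionMaterialsAccessor, matdesc, kms);
        validateMaterialsForDecrypt(materials, matdesc, cryptoConfigurationV2.getCryptoMode(), wrapAlgorithm);
        ContentCryptoScheme scheme = ContentCryptoScheme.fromCEKAlgo(map.get(Headers.CRYPTO_CEK_ALGORITHM), jArr != null);
        byte[] effectiveIv = prepareIvForDecrypt(map, iv, scheme, jArr, cryptoConfigurationV2);
        CipherLite decryptCipher = newDecryptCipherLite(cekSecured, effectiveIv, wrapAlgorithm, materials, matdesc, scheme, cryptoConfigurationV2, awskms);
        return new ContentCryptoMaterial(matdesc, cekSecured, wrapAlgorithm, decryptCipher);
    }

    /** Returns the Base64 text of the wrapped CEK, preferring the v2 key header over the older one. */
    private static String findWrappedCek(Map<String, String> map) {
        String encoded = map.get(Headers.CRYPTO_KEY_V2);
        if (encoded == null) {
            encoded = map.get(Headers.CRYPTO_KEY);
        }
        if (encoded == null) {
            throw new SdkClientException("Content encrypting key not found.");
        }
        return encoded;
    }

    /**
     * Picks the decrypt materials: for KMS the provider's default materials (null when the
     * accessor is not a provider), otherwise the materials matching the description.
     */
    private static EncryptionMaterials lookupMaterialsForDecrypt(EncryptionMaterialsAccessor accessor, Map<String, String> matdesc, boolean kms) {
        if (!kms) {
            return accessor.getEncryptionMaterials(matdesc);
        }
        return accessor instanceof EncryptionMaterialsProvider ? ((EncryptionMaterialsProvider) accessor).getEncryptionMaterials() : null;
    }

    /**
     * Returns the IV to decrypt with: adjusted to the range start for a range get (after the
     * range-get policy check), otherwise the stored IV once the stored tag length has been
     * compared with the scheme's.
     */
    private static byte[] prepareIvForDecrypt(Map<String, String> map, byte[] iv, ContentCryptoScheme scheme, long[] range, CryptoConfigurationV2 config) {
        if (range != null) {
            // The tag-length comparison below is not performed on this path.
            assertCryptoSchemeAllowedForRangeGet(scheme, config.getCryptoMode(), config.getRangeGetMode());
            return scheme.adjustIV(iv, range[0]);
        }
        int expectedTagBits = scheme.getTagLengthInBits();
        if (expectedTagBits > 0) {
            // A missing or non-numeric tag-length header fails here with NumberFormatException
            // rather than SdkClientException; either way decryption does not proceed.
            int storedTagBits = Integer.parseInt(map.get(Headers.CRYPTO_TAG_LENGTH));
            if (expectedTagBits != storedTagBits) {
                throw new SdkClientException("Unsupported tag length: " + storedTagBits + ", expected: " + expectedTagBits);
            }
        }
        return iv;
    }

    /** Unwraps the CEK and returns a cipher initialised for decryption with it and the given IV. */
    private static CipherLite newDecryptCipherLite(byte[] cekSecured, byte[] iv, InternalKeyWrapAlgorithm wrapAlgorithm, EncryptionMaterials materials, Map<String, String> matdesc, ContentCryptoScheme scheme, CryptoConfigurationV2 config, AWSKMS awskms) {
        KeyWrapperContext context = KeyWrapperContext.builder()
                .cekSecured(cekSecured)
                .internalKeyWrapAlgorithm(wrapAlgorithm)
                .materials(materials)
                .cryptoProvider(config.getCryptoProvider())
                .secureRandom(config.getSecureRandom())
                .contentCryptoScheme(scheme)
                .kmsKeyWrapperContext(KMSKeyWrapperContext.builder().kms(awskms).kmsMaterialsDescription(matdesc).build())
                .build();
        SecretKey cek = decryptCEK(context);
        return scheme.createCipherLite(cek, iv, Cipher.DECRYPT_MODE, config.getCryptoProvider(), config.getAlwaysUseCryptoProvider());
    }

    /**
     * Reads the instruction file body of the given object as a string.
     *
     * @throws SdkClientException (via {@code Throwables.failure}) if reading fails
     */
    static String parseInstructionFile(S3Object s3Object) {
        try {
            return convertStreamToString(s3Object.getObjectContent());
        } catch (Exception e) {
            throw Throwables.failure(e, "Error parsing JSON instruction file");
        }
    }

    /**
     * Reads the stream as UTF-8 text, concatenating lines without their terminators, and closes
     * the stream. There is no upper bound on how much is read.
     */
    private static String convertStreamToString(InputStream inputStream) throws IOException {
        if (inputStream == null) {
            // NOTE(review): the decompiler appears to have substituted this constant for a
            // string literal; the intended result for a missing stream looks like an empty
            // string. Confirm the constant's value.
            return SDKGlobalConfiguration.DEFAULT_AWS_CSM_CLIENT_ID;
        }
        StringBuilder text = new StringBuilder();
        try {
            BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, StringUtils.UTF8));
            String line;
            while ((line = reader.readLine()) != null) {
                text.append(line);
            }
            return text.toString();
        } finally {
            inputStream.close();
        }
    }

    /** Returns the cipher built from the CEK and IV. Package-private in the original. */
    public CipherLite getCipherLite() {
        return this.cipherLite;
    }

    /** Returns the KEK materials description as stored (no copy); may be null. */
    Map<String, String> getKEKMaterialsDescription() {
        return this.kekMaterialsDescription;
    }

    /** Returns a copy of the wrapped CEK. */
    byte[] getEncryptedCEK() {
        return this.encryptedCEK.clone();
    }

    /**
     * Re-wraps this material's CEK under new encryption materials, keeping the IV and content
     * scheme. Package-private in the original.
     *
     * @param str name of the key wrap algorithm used to unwrap the current CEK
     * @throws SecurityException if the new materials description equals the current one, or the
     *     re-wrapped CEK bytes equal the current wrapped CEK
     * @throws SdkClientException if the current CEK is KMS-wrapped or no new materials are found
     */
    public ContentCryptoMaterial recreate(EncryptionMaterialsAccessor encryptionMaterialsAccessor, CryptoConfigurationV2 cryptoConfigurationV2, String str, AWSKMS awskms, PutInstructionFileRequest putInstructionFileRequest) {
        EncryptionMaterials newMaterials = getNewEncryptionMaterials(putInstructionFileRequest, encryptionMaterialsAccessor);
        boolean currentlyKms = InternalKeyWrapAlgorithm.KMS.equals(this.keyWrappingAlgorithm);
        if (!currentlyKms && newMaterials.getMaterialsDescription().equals(this.kekMaterialsDescription)) {
            throw new SecurityException("Material description of the new KEK must differ from the current one");
        }
        if (currentlyKms) {
            throw new SdkClientException("Recreating KMS encrypted CEK is not supported.");
        }
        EncryptionMaterials currentMaterials = encryptionMaterialsAccessor.getEncryptionMaterials(this.kekMaterialsDescription);
        // NOTE(review): the algorithm validated here is this.keyWrappingAlgorithm, while the
        // unwrap below uses the algorithm named by str. Confirm callers always pass the same one.
        validateKeyWrapAlgorithmForDecrypt(this.keyWrappingAlgorithm, cryptoConfigurationV2.getCryptoMode());
        KeyWrapperContext unwrapContext = KeyWrapperContext.builder()
                .cekSecured(this.encryptedCEK)
                .internalKeyWrapAlgorithm(InternalKeyWrapAlgorithm.fromAlgorithmName(str))
                .materials(currentMaterials)
                .cryptoProvider(cryptoConfigurationV2.getCryptoProvider())
                .secureRandom(cryptoConfigurationV2.getSecureRandom())
                .contentCryptoScheme(getContentCryptoScheme())
                .kmsKeyWrapperContext(KMSKeyWrapperContext.builder().kms(awskms).build())
                .build();
        SecretKey cek = decryptCEK(unwrapContext);
        ContentCryptoMaterial recreated = create(cek, this.cipherLite.getIV(), newMaterials, getContentCryptoScheme(), cryptoConfigurationV2, awskms, putInstructionFileRequest);
        if (Arrays.equals(recreated.encryptedCEK, this.encryptedCEK)) {
            throw new SecurityException("The new KEK must differ from the original");
        }
        return recreated;
    }

    /**
     * Returns the materials carried by the request, falling back to the accessor lookup by the
     * request's materials description.
     *
     * @throws SdkClientException if neither source yields materials
     */
    private EncryptionMaterials getNewEncryptionMaterials(PutInstructionFileRequest putInstructionFileRequest, EncryptionMaterialsAccessor encryptionMaterialsAccessor) {
        EncryptionMaterials materials = putInstructionFileRequest.getEncryptionMaterials();
        if (materials == null) {
            materials = encryptionMaterialsAccessor.getEncryptionMaterials(putInstructionFileRequest.getMaterialsDescription());
        }
        if (materials == null) {
            throw new SdkClientException("No material available with the description " + putInstructionFileRequest.getMaterialsDescription() + " from the encryption material provider");
        }
        return materials;
    }

    /**
     * Wraps the given CEK under the given materials and returns encrypt-side material.
     * Package-private in the original.
     *
     * @param secretKey plaintext CEK
     * @param bArr IV for the content cipher
     */
    public static ContentCryptoMaterial create(SecretKey secretKey, byte[] bArr, EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, CryptoConfigurationV2 cryptoConfigurationV2, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        KeyWrapperContext wrapContext = createEncryptionKeyWrapperContext(encryptionMaterials, contentCryptoScheme, cryptoConfigurationV2, awskms, amazonWebServiceRequest);
        SecuredCEK securedCek = encryptCEK(secretKey, wrapContext);
        return wrap(secretKey, bArr, contentCryptoScheme, cryptoConfigurationV2.getCryptoProvider(), cryptoConfigurationV2.getAlwaysUseCryptoProvider(), securedCek);
    }

    /**
     * Builds the key wrapper context for encryption. For KMS-enabled materials the context also
     * carries a KMS materials description that includes the content cipher algorithm.
     */
    private static KeyWrapperContext createEncryptionKeyWrapperContext(EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, CryptoConfigurationV2 cryptoConfigurationV2, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        InternalKeyWrapAlgorithm wrapAlgorithm = InternalKeyWrapAlgorithm.fromExternal(KeyWrapAlgorithmResolver.getDefaultKeyWrapAlgorithm(encryptionMaterials));
        if (!encryptionMaterials.isKMSEnabled()) {
            return KeyWrapperContext.builder()
                    .cryptoProvider(cryptoConfigurationV2.getCryptoProvider())
                    .secureRandom(cryptoConfigurationV2.getSecureRandom())
                    .materials(encryptionMaterials)
                    .internalKeyWrapAlgorithm(wrapAlgorithm)
                    .contentCryptoScheme(contentCryptoScheme)
                    .build();
        }
        return KeyWrapperContext.builder()
                .cryptoProvider(cryptoConfigurationV2.getCryptoProvider())
                .secureRandom(cryptoConfigurationV2.getSecureRandom())
                .materials(encryptionMaterials)
                .internalKeyWrapAlgorithm(wrapAlgorithm)
                .kmsKeyWrapperContext(KMSKeyWrapperContext.builder()
                        .kms(awskms)
                        .kmsMaterialsDescription(KMSMaterialsHandler.createKMSContextMaterialsDescription(KMSMaterialsHandler.mergeMaterialsDescription((KMSEncryptionMaterials) encryptionMaterials, amazonWebServiceRequest), contentCryptoScheme.getCipherAlgorithm()))
                        .originalRequest(amazonWebServiceRequest)
                        .build())
                .contentCryptoScheme(contentCryptoScheme)
                .build();
    }

    /**
     * Combines an already wrapped CEK with a cipher initialised for encryption.
     * Package-private in the original.
     *
     * @param secretKey plaintext CEK
     * @param bArr IV for the content cipher
     * @param z whether the given provider must always be used
     */
    public static ContentCryptoMaterial wrap(SecretKey secretKey, byte[] bArr, ContentCryptoScheme contentCryptoScheme, Provider provider, boolean z, SecuredCEK securedCEK) {
        CipherLite encryptCipher = contentCryptoScheme.createCipherLite(secretKey, bArr, Cipher.ENCRYPT_MODE, provider, z);
        return new ContentCryptoMaterial(securedCEK.getMaterialDescription(), securedCEK.getEncrypted(), securedCEK.getKeyWrapAlgorithm(), encryptCipher);
    }

    /**
     * Wraps the CEK with the context's key wrapper after checking that the materials and the
     * key wrap algorithm are consistent.
     */
    private static SecuredCEK encryptCEK(SecretKey secretKey, KeyWrapperContext keyWrapperContext) {
        EncryptionMaterials materials = keyWrapperContext.materials();
        validateKeyWrapAlgorithmForEncrypt(materials, keyWrapperContext.internalKeyWrapAlgorithm());
        byte[] wrapped = KeyWrapperFactory.defaultInstance()
                .createKeyWrapper(keyWrapperContext)
                .wrapCek(secretKey.getEncoded(), getEncryptionKeyFrom(materials));
        Map<String, String> description = materials.isKMSEnabled()
                ? keyWrapperContext.kmsKeyWrapperContext().kmsMaterialsDescription()
                : materials.getMaterialsDescription();
        return new SecuredCEK(wrapped, keyWrapperContext.internalKeyWrapAlgorithm(), description);
    }

    /** Returns the public key or symmetric key to wrap with; null for KMS-enabled materials. */
    private static Key getEncryptionKeyFrom(EncryptionMaterials encryptionMaterials) {
        if (encryptionMaterials.isKMSEnabled()) {
            return null;
        }
        return encryptionMaterials.getKeyPair() != null ? encryptionMaterials.getKeyPair().getPublic() : encryptionMaterials.getSymmetricKey();
    }

    /** Returns the private key or symmetric key to unwrap with; null for KMS-enabled materials. */
    private static Key getDecryptionKeyFrom(EncryptionMaterials encryptionMaterials) {
        if (encryptionMaterials.isKMSEnabled()) {
            return null;
        }
        return encryptionMaterials.getKeyPair() != null ? encryptionMaterials.getKeyPair().getPrivate() : encryptionMaterials.getSymmetricKey();
    }

    /**
     * Rejects a key wrap algorithm whose kind (KMS, asymmetric, symmetric) does not match the
     * kind of key held by the materials.
     *
     * @throws IllegalStateException on a mismatch
     */
    private static void validateKeyWrapAlgorithmForEncrypt(EncryptionMaterials encryptionMaterials, InternalKeyWrapAlgorithm internalKeyWrapAlgorithm) {
        if (encryptionMaterials.isKMSEnabled()) {
            validateKMSKeyWrapAlgorithmForEncrypt(encryptionMaterials, internalKeyWrapAlgorithm);
            return;
        }
        if (encryptionMaterials.getKeyPair() != null && !internalKeyWrapAlgorithm.isAsymmetric()) {
            throw new IllegalStateException(String.format("Encryption materials with asymmetric keys are not consistent with selected key wrap algorithm %s.", internalKeyWrapAlgorithm));
        }
        if (encryptionMaterials.getSymmetricKey() != null && !internalKeyWrapAlgorithm.isSymmetric()) {
            throw new IllegalStateException(String.format("Encryption materials with a symmetric key are not consistent with selected key wrap algorithm %s.", internalKeyWrapAlgorithm));
        }
    }

    /** Requires the KMS key wrap algorithm for KMS-enabled materials. */
    private static void validateKMSKeyWrapAlgorithmForEncrypt(EncryptionMaterials encryptionMaterials, InternalKeyWrapAlgorithm internalKeyWrapAlgorithm) {
        if (!InternalKeyWrapAlgorithm.KMS.equals(internalKeyWrapAlgorithm)) {
            throw new IllegalStateException(String.format("KMS enabled encryption materials are not consistent with selected key wrap algorithm %s.", internalKeyWrapAlgorithm));
        }
    }

    /** Same as the three-argument overload with "key wrap expected" set to false. */
    private static void validateKeyWrapAlgorithmForDecrypt(InternalKeyWrapAlgorithm internalKeyWrapAlgorithm, CryptoMode cryptoMode) {
        validateKeyWrapAlgorithmForDecrypt(internalKeyWrapAlgorithm, false, cryptoMode);
    }

    /**
     * Decides whether the stored key wrap algorithm may be used for decryption.
     *
     * <p>In {@code StrictAuthenticatedEncryption} a missing algorithm or a v1 algorithm is
     * rejected. In any other mode only a missing algorithm is rejected, and only when
     * {@code z} is true; otherwise a missing or v1 algorithm is accepted and the CEK is
     * unwrapped through the v1 path.
     *
     * @param z whether a key wrap algorithm is expected to be present
     * @throws KeyWrapException if the algorithm is not acceptable in the given mode
     */
    private static void validateKeyWrapAlgorithmForDecrypt(InternalKeyWrapAlgorithm internalKeyWrapAlgorithm, boolean z, CryptoMode cryptoMode) {
        if (CryptoMode.StrictAuthenticatedEncryption.equals(cryptoMode)) {
            if (internalKeyWrapAlgorithm == null) {
                throw new KeyWrapException("No key wrap algorithm detected. Use crypto mode " + CryptoMode.AuthenticatedEncryption + " to decrypt object.");
            }
            if (internalKeyWrapAlgorithm.isV1Algorithm()) {
                throw new KeyWrapException("Detected key wrap algorithm used with previous version of client. Use crypto mode " + CryptoMode.AuthenticatedEncryption + " to decrypt object.");
            }
            return;
        }
        if (z && internalKeyWrapAlgorithm == null) {
            throw new KeyWrapException("Key wrap expected, but no key wrap algorithm was found.");
        }
    }

    /**
     * Checks the materials chosen for decryption.
     *
     * <p>Materials must be non-null. For KMS algorithms the materials description must also
     * match the description read from the object: a v2 algorithm needs a valid v2 description,
     * and a v1 algorithm needs a valid v1 description and {@code AuthenticatedEncryption} mode.
     *
     * @param map materials description read from the object
     * @throws SdkClientException if the materials are null
     * @throws IllegalStateException if the descriptions do not match or the mode forbids v1 KMS
     */
    private static void validateMaterialsForDecrypt(EncryptionMaterials encryptionMaterials, Map<String, String> map, CryptoMode cryptoMode, InternalKeyWrapAlgorithm internalKeyWrapAlgorithm) {
        if (encryptionMaterials == null) {
            throw new SdkClientException("Unable to retrieve the client encryption materials");
        }
        if (internalKeyWrapAlgorithm == null || !internalKeyWrapAlgorithm.isKMS()) {
            return;
        }
        if (internalKeyWrapAlgorithm.isV1Algorithm() || !KMSMaterialsHandler.isValidV2Description(encryptionMaterials.getMaterialsDescription(), map)) {
            boolean validV1Description = KMSMaterialsHandler.isValidV1Description(encryptionMaterials.getMaterialsDescription(), map);
            if (!internalKeyWrapAlgorithm.isV1Algorithm() || !validV1Description) {
                throw new IllegalStateException("Provided encryption materials do not match information retrieved from the encrypted object");
            }
            if (!CryptoMode.AuthenticatedEncryption.equals(cryptoMode)) {
                throw new IllegalStateException("A previous version of the client may have been used to encrypt key via KMS. Use crypto mode " + CryptoMode.AuthenticatedEncryption + " to decrypt object.");
            }
        }
    }

    /**
     * Rejects a range get unless the configured range-get mode permits the content cipher
     * algorithm under the given crypto mode.
     *
     * @throws SecurityException if range gets are disabled or not permitted for this algorithm
     */
    private static void assertCryptoSchemeAllowedForRangeGet(ContentCryptoScheme contentCryptoScheme, CryptoMode cryptoMode, CryptoRangeGetMode cryptoRangeGetMode) {
        if (cryptoRangeGetMode.permitsCipherAlgorithm(cryptoMode, contentCryptoScheme.getCipherAlgorithm())) {
            return;
        }
        if (CryptoRangeGetMode.DISABLED.equals(cryptoRangeGetMode)) {
            throw new SecurityException("Unable to perform range get request: Range get support has been disabled. See https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html");
        }
        throw new SecurityException("Range get support is not enabled for this content encryption type. Use " + CryptoMode.AuthenticatedEncryption + " instead. See https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html");
    }
}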
