package com.amazonaws.services.s3.internal.crypto.v1;

import com.amazonaws.AmazonWebServiceRequest;
import com.amazonaws.SDKGlobalConfiguration;
import com.amazonaws.SdkClientException;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.s3.Headers;
import com.amazonaws.services.s3.KeyWrapException;
import com.amazonaws.services.s3.internal.crypto.CipherLite;
import com.amazonaws.services.s3.internal.crypto.ContentCryptoScheme;
import com.amazonaws.services.s3.internal.crypto.CryptoUtils;
import com.amazonaws.services.s3.internal.crypto.JceEncryptionConstants;
import com.amazonaws.services.s3.internal.crypto.keywrap.InternalKeyWrapAlgorithm;
import com.amazonaws.services.s3.internal.crypto.keywrap.KMSKeyWrapperContext;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapperContext;
import com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapperFactory;
import com.amazonaws.services.s3.model.CryptoConfiguration;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsAccessor;
import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.ExtraMaterialsDescription;
import com.amazonaws.services.s3.model.KMSEncryptionMaterials;
import com.amazonaws.services.s3.model.MaterialsDescriptionProvider;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.util.Base64;
import com.amazonaws.util.BinaryUtils;
import com.amazonaws.util.StringUtils;
import com.amazonaws.util.Throwables;
import com.amazonaws.util.json.Jackson;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:WEB-INF/lib/aws-java-sdk-s3-1.12.80.jar:com/amazonaws/services/s3/internal/crypto/v1/ContentCryptoMaterial.class */
final class ContentCryptoMaterial {
    private final String keyWrappingAlgorithm;
    private final CipherLite cipherLite;
    private final Map<String, String> kekMaterialsDescription;
    private final byte[] encryptedCEK;

    ContentCryptoMaterial(Map<String, String> map, byte[] bArr, String str, CipherLite cipherLite) {
        this.cipherLite = cipherLite;
        this.keyWrappingAlgorithm = str;
        this.encryptedCEK = (byte[]) bArr.clone();
        this.kekMaterialsDescription = map;
    }

    String getKeyWrappingAlgorithm() {
        return this.keyWrappingAlgorithm;
    }

    private boolean usesKMSKey() {
        return KMSSecuredCEK.isKMSKeyWrapped(this.keyWrappingAlgorithm);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ContentCryptoScheme getContentCryptoScheme() {
        return this.cipherLite.getContentCryptoScheme();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ObjectMetadata toObjectMetadata(ObjectMetadata objectMetadata, CryptoMode cryptoMode) {
        return (cryptoMode != CryptoMode.EncryptionOnly || usesKMSKey()) ? toObjectMetadata(objectMetadata) : toObjectMetadataEO(objectMetadata);
    }

    private ObjectMetadata toObjectMetadata(ObjectMetadata objectMetadata) {
        objectMetadata.addUserMetadata(Headers.CRYPTO_KEY_V2, Base64.encodeAsString(getEncryptedCEK()));
        objectMetadata.addUserMetadata(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        objectMetadata.addUserMetadata(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        ContentCryptoScheme contentCryptoScheme = getContentCryptoScheme();
        objectMetadata.addUserMetadata(Headers.CRYPTO_CEK_ALGORITHM, contentCryptoScheme.getCipherAlgorithm());
        int tagLengthInBits = contentCryptoScheme.getTagLengthInBits();
        if (tagLengthInBits > 0) {
            objectMetadata.addUserMetadata(Headers.CRYPTO_TAG_LENGTH, String.valueOf(tagLengthInBits));
        }
        String keyWrappingAlgorithm = getKeyWrappingAlgorithm();
        if (keyWrappingAlgorithm != null) {
            objectMetadata.addUserMetadata(Headers.CRYPTO_KEYWRAP_ALGORITHM, keyWrappingAlgorithm);
        }
        return objectMetadata;
    }

    private ObjectMetadata toObjectMetadataEO(ObjectMetadata objectMetadata) {
        objectMetadata.addUserMetadata(Headers.CRYPTO_KEY, Base64.encodeAsString(getEncryptedCEK()));
        objectMetadata.addUserMetadata(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        objectMetadata.addUserMetadata(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        return objectMetadata;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String toJsonString(CryptoMode cryptoMode) {
        return (cryptoMode != CryptoMode.EncryptionOnly || usesKMSKey()) ? toJsonString() : toJsonStringEO();
    }

    private String toJsonString() {
        HashMap hashMap = new HashMap();
        hashMap.put(Headers.CRYPTO_KEY_V2, Base64.encodeAsString(getEncryptedCEK()));
        hashMap.put(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        hashMap.put(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        ContentCryptoScheme contentCryptoScheme = getContentCryptoScheme();
        hashMap.put(Headers.CRYPTO_CEK_ALGORITHM, contentCryptoScheme.getCipherAlgorithm());
        int tagLengthInBits = contentCryptoScheme.getTagLengthInBits();
        if (tagLengthInBits > 0) {
            hashMap.put(Headers.CRYPTO_TAG_LENGTH, String.valueOf(tagLengthInBits));
        }
        String keyWrappingAlgorithm = getKeyWrappingAlgorithm();
        if (keyWrappingAlgorithm != null) {
            hashMap.put(Headers.CRYPTO_KEYWRAP_ALGORITHM, keyWrappingAlgorithm);
        }
        return Jackson.toJsonString(hashMap);
    }

    private String toJsonStringEO() {
        HashMap hashMap = new HashMap();
        hashMap.put(Headers.CRYPTO_KEY, Base64.encodeAsString(getEncryptedCEK()));
        hashMap.put(Headers.CRYPTO_IV, Base64.encodeAsString(this.cipherLite.getIV()));
        hashMap.put(Headers.MATERIALS_DESCRIPTION, kekMaterialDescAsJson());
        return Jackson.toJsonString(hashMap);
    }

    private String kekMaterialDescAsJson() {
        Map<String, String> kEKMaterialsDescription = getKEKMaterialsDescription();
        if (kEKMaterialsDescription == null) {
            kEKMaterialsDescription = Collections.emptyMap();
        }
        return Jackson.toJsonString(kEKMaterialsDescription);
    }

    private static Map<String, String> matdescFromJson(String str) {
        Map<String, String> stringMapFromJsonString = Jackson.stringMapFromJsonString(str);
        if (stringMapFromJsonString == null) {
            return null;
        }
        return Collections.unmodifiableMap(stringMapFromJsonString);
    }

    private static SecretKey cek(byte[] bArr, String str, EncryptionMaterials encryptionMaterials, Provider provider, ContentCryptoScheme contentCryptoScheme, AWSKMS awskms) {
        PrivateKey symmetricKey;
        InternalKeyWrapAlgorithm fromAlgorithmName = InternalKeyWrapAlgorithm.fromAlgorithmName(str);
        if (fromAlgorithmName != null && !fromAlgorithmName.isV1Algorithm()) {
            KMSKeyWrapperContext kMSKeyWrapperContext = null;
            if (fromAlgorithmName.isKMS()) {
                kMSKeyWrapperContext = KMSKeyWrapperContext.builder().kms(awskms).kmsMaterialsDescription(KMSMaterialsHandler.createKMSContextMaterialsDescription(encryptionMaterials.getMaterialsDescription(), contentCryptoScheme.getCipherAlgorithm())).build();
            }
            return cekV2(KeyWrapperContext.builder().cryptoProvider(provider).internalKeyWrapAlgorithm(fromAlgorithmName).materials(encryptionMaterials).cekSecured(bArr).contentCryptoScheme(contentCryptoScheme).kmsKeyWrapperContext(kMSKeyWrapperContext).build());
        }
        if (KMSSecuredCEK.isKMSKeyWrapped(str)) {
            return cekByKMS(bArr, str, encryptionMaterials, contentCryptoScheme, awskms);
        }
        if (encryptionMaterials.getKeyPair() != null) {
            symmetricKey = encryptionMaterials.getKeyPair().getPrivate();
            if (symmetricKey == null) {
                throw new SdkClientException("Key encrypting key not available");
            }
        } else {
            symmetricKey = encryptionMaterials.getSymmetricKey();
            if (symmetricKey == null) {
                throw new SdkClientException("Key encrypting key not available");
            }
        }
        try {
            if (str != null) {
                Cipher cipher = provider == null ? Cipher.getInstance(str) : Cipher.getInstance(str, provider);
                cipher.init(4, symmetricKey);
                return (SecretKey) cipher.unwrap(bArr, str, 3);
            }
            Cipher cipher2 = provider != null ? Cipher.getInstance(symmetricKey.getAlgorithm(), provider) : Cipher.getInstance(symmetricKey.getAlgorithm());
            cipher2.init(2, symmetricKey);
            return new SecretKeySpec(cipher2.doFinal(bArr), JceEncryptionConstants.SYMMETRIC_KEY_ALGORITHM);
        } catch (Exception e) {
            throw Throwables.failure(e, "Unable to decrypt symmetric key from object metadata");
        }
    }

    private static SecretKey cekV2(KeyWrapperContext keyWrapperContext) {
        if (keyWrapperContext.internalKeyWrapAlgorithm().isKMS()) {
            validateKMSParameters(keyWrapperContext);
        }
        Key decryptionKeyFrom = getDecryptionKeyFrom(keyWrapperContext.materials());
        return new SecretKeySpec(KeyWrapperFactory.defaultInstance().createKeyWrapper(keyWrapperContext).unwrapCek(keyWrapperContext.cekSecured(), decryptionKeyFrom), keyWrapperContext.internalKeyWrapAlgorithm().isKMS() ? keyWrapperContext.contentCryptoScheme().getKeyGeneratorAlgorithm() : decryptionKeyFrom.getAlgorithm());
    }

    private static void validateKMSParameters(KeyWrapperContext keyWrapperContext) {
        KMSKeyWrapperContext kmsKeyWrapperContext = keyWrapperContext.kmsKeyWrapperContext();
        if (kmsKeyWrapperContext == null) {
            throw new IllegalStateException("Missing KMS parameters");
        }
        Map<String, String> kmsMaterialsDescription = kmsKeyWrapperContext.kmsMaterialsDescription();
        if (kmsMaterialsDescription == null) {
            throw new IllegalStateException("Key materials from KMS must contain description entries");
        }
        String str = kmsMaterialsDescription.get(Headers.AWS_CRYPTO_CEK_ALGORITHM);
        if (str == null) {
            throw new IllegalStateException("Could not find required description in key material: aws:x-amz-cek-alg");
        }
        String normalizeContentAlgorithmForValidation = CryptoUtils.normalizeContentAlgorithmForValidation(keyWrapperContext.contentCryptoScheme().getCipherAlgorithm());
        if (!str.equals(normalizeContentAlgorithmForValidation)) {
            throw new IllegalStateException("Algorithm values from materials and metadata/instruction file don't match:" + str + ", " + normalizeContentAlgorithmForValidation);
        }
    }

    private static Key getDecryptionKeyFrom(EncryptionMaterials encryptionMaterials) {
        if (encryptionMaterials.isKMSEnabled()) {
            return null;
        }
        return encryptionMaterials.getKeyPair() != null ? encryptionMaterials.getKeyPair().getPrivate() : encryptionMaterials.getSymmetricKey();
    }

    private static SecretKey cekByKMS(byte[] bArr, String str, EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, AWSKMS awskms) {
        return new SecretKeySpec(BinaryUtils.copyAllBytesFrom(awskms.decrypt(new DecryptRequest().withEncryptionContext(encryptionMaterials.getMaterialsDescription()).withCiphertextBlob(ByteBuffer.wrap(bArr))).getPlaintext()), contentCryptoScheme.getKeyGeneratorAlgorithm());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial fromObjectMetadata(ObjectMetadata objectMetadata, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, boolean z, boolean z2, AWSKMS awskms) {
        return fromObjectMetadata0(objectMetadata, encryptionMaterialsAccessor, provider, z, null, ExtraMaterialsDescription.NONE, z2, awskms);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial fromObjectMetadata(ObjectMetadata objectMetadata, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, boolean z, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z2, AWSKMS awskms) {
        return fromObjectMetadata0(objectMetadata, encryptionMaterialsAccessor, provider, z, jArr, extraMaterialsDescription, z2, awskms);
    }

    private static ContentCryptoMaterial fromObjectMetadata0(ObjectMetadata objectMetadata, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, boolean z, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z2, AWSKMS awskms) {
        int parseInt;
        Map<String, String> userMetadata = objectMetadata.getUserMetadata();
        String str = userMetadata.get(Headers.CRYPTO_KEY_V2);
        if (str == null) {
            str = userMetadata.get(Headers.CRYPTO_KEY);
            if (str == null) {
                throw new SdkClientException("Content encrypting key not found.");
            }
        }
        byte[] decode = Base64.decode(str);
        byte[] decode2 = Base64.decode(userMetadata.get(Headers.CRYPTO_IV));
        if (decode == null || decode2 == null) {
            throw new SdkClientException("Content encrypting key or IV not found.");
        }
        String str2 = userMetadata.get(Headers.MATERIALS_DESCRIPTION);
        String str3 = userMetadata.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
        Map<String, String> matdescFromJson = matdescFromJson(str2);
        boolean isKMSV1KeyWrapped = KMSSecuredCEK.isKMSV1KeyWrapped(str3);
        boolean isKMSV2KeyWrapped = KMSSecuredCEK.isKMSV2KeyWrapped(str3);
        Map<String, String> mergeInto = (isKMSV1KeyWrapped || isKMSV2KeyWrapped || extraMaterialsDescription == null) ? matdescFromJson : extraMaterialsDescription.mergeInto(matdescFromJson);
        EncryptionMaterials encryptionMaterials = null;
        if (isKMSV1KeyWrapped) {
            if (0 == 0) {
                encryptionMaterials = new KMSEncryptionMaterials(matdescFromJson.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
                encryptionMaterials.addDescriptions(matdescFromJson);
            }
        } else if (isKMSV2KeyWrapped) {
            encryptionMaterials = encryptionMaterialsAccessor instanceof EncryptionMaterialsProvider ? ((EncryptionMaterialsProvider) encryptionMaterialsAccessor).getEncryptionMaterials() : null;
            if (!(encryptionMaterials instanceof KMSEncryptionMaterials)) {
                throw new SdkClientException("Retrieved materials not of expected type KMSEncryptionMaterials");
            }
        } else {
            encryptionMaterials = encryptionMaterialsAccessor.getEncryptionMaterials(mergeInto);
        }
        if (encryptionMaterials == null) {
            throw new SdkClientException("Unable to retrieve the client encryption materials");
        }
        String str4 = userMetadata.get(Headers.CRYPTO_CEK_ALGORITHM);
        boolean z3 = jArr != null;
        ContentCryptoScheme fromCEKAlgo = ContentCryptoScheme.fromCEKAlgo(str4, z3);
        if (z3) {
            decode2 = fromCEKAlgo.adjustIV(decode2, jArr[0]);
        } else {
            int tagLengthInBits = fromCEKAlgo.getTagLengthInBits();
            if (tagLengthInBits > 0 && tagLengthInBits != (parseInt = Integer.parseInt(userMetadata.get(Headers.CRYPTO_TAG_LENGTH)))) {
                throw new SdkClientException("Unsupported tag length: " + parseInt + ", expected: " + tagLengthInBits);
            }
        }
        if (z2 && str3 == null) {
            throw newKeyWrapException();
        }
        return new ContentCryptoMaterial(mergeInto, decode, str3, fromCEKAlgo.createCipherLite(cek(decode, str3, encryptionMaterials, provider, fromCEKAlgo, awskms), decode2, 2, provider, z));
    }

    private static KeyWrapException newKeyWrapException() {
        return new KeyWrapException("Missing key-wrap for the content-encrypting-key");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial fromInstructionFile(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, boolean z, boolean z2, AWSKMS awskms) {
        return fromInstructionFile0(map, encryptionMaterialsAccessor, provider, z, null, ExtraMaterialsDescription.NONE, z2, awskms);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial fromInstructionFile(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, boolean z, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z2, AWSKMS awskms) {
        return fromInstructionFile0(map, encryptionMaterialsAccessor, provider, z, jArr, extraMaterialsDescription, z2, awskms);
    }

    private static ContentCryptoMaterial fromInstructionFile0(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, Provider provider, boolean z, long[] jArr, ExtraMaterialsDescription extraMaterialsDescription, boolean z2, AWSKMS awskms) {
        int parseInt;
        String str = map.get(Headers.CRYPTO_KEY_V2);
        if (str == null) {
            str = map.get(Headers.CRYPTO_KEY);
            if (str == null) {
                throw new SdkClientException("Content encrypting key not found.");
            }
        }
        byte[] decode = Base64.decode(str);
        byte[] decode2 = Base64.decode(map.get(Headers.CRYPTO_IV));
        if (decode == null || decode2 == null) {
            throw new SdkClientException("Necessary encryption info not found in the instruction file " + map);
        }
        String str2 = map.get(Headers.MATERIALS_DESCRIPTION);
        String str3 = map.get(Headers.CRYPTO_KEYWRAP_ALGORITHM);
        Map<String, String> matdescFromJson = matdescFromJson(str2);
        boolean isKMSV1KeyWrapped = KMSSecuredCEK.isKMSV1KeyWrapped(str3);
        boolean isKMSV2KeyWrapped = KMSSecuredCEK.isKMSV2KeyWrapped(str3);
        Map<String, String> mergeInto = (isKMSV1KeyWrapped || isKMSV2KeyWrapped || extraMaterialsDescription == null) ? matdescFromJson : extraMaterialsDescription.mergeInto(matdescFromJson);
        EncryptionMaterials encryptionMaterials = null;
        if (isKMSV1KeyWrapped) {
            if (0 == 0) {
                encryptionMaterials = new KMSEncryptionMaterials(matdescFromJson.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID));
                encryptionMaterials.addDescriptions(matdescFromJson);
            }
        } else if (isKMSV2KeyWrapped) {
            encryptionMaterials = encryptionMaterialsAccessor instanceof EncryptionMaterialsProvider ? ((EncryptionMaterialsProvider) encryptionMaterialsAccessor).getEncryptionMaterials() : null;
            if (!(encryptionMaterials instanceof KMSEncryptionMaterials)) {
                throw new SdkClientException("Retrieved materials not of expected type KMSEncryptionMaterials");
            }
        } else {
            encryptionMaterials = encryptionMaterialsAccessor.getEncryptionMaterials(mergeInto);
        }
        if (encryptionMaterials == null) {
            throw new SdkClientException("Unable to retrieve the encryption materials that originally encrypted object corresponding to instruction file " + map);
        }
        String str4 = map.get(Headers.CRYPTO_CEK_ALGORITHM);
        boolean z3 = jArr != null;
        ContentCryptoScheme fromCEKAlgo = ContentCryptoScheme.fromCEKAlgo(str4, z3);
        if (z3) {
            decode2 = fromCEKAlgo.adjustIV(decode2, jArr[0]);
        } else {
            int tagLengthInBits = fromCEKAlgo.getTagLengthInBits();
            if (tagLengthInBits > 0 && tagLengthInBits != (parseInt = Integer.parseInt(map.get(Headers.CRYPTO_TAG_LENGTH)))) {
                throw new SdkClientException("Unsupported tag length: " + parseInt + ", expected: " + tagLengthInBits);
            }
        }
        if (z2 && str3 == null) {
            throw newKeyWrapException();
        }
        return new ContentCryptoMaterial(mergeInto, decode, str3, fromCEKAlgo.createCipherLite(cek(decode, str3, encryptionMaterials, provider, fromCEKAlgo, awskms), decode2, 2, provider, z));
    }

    static String parseInstructionFile(S3Object s3Object) {
        try {
            return convertStreamToString(s3Object.getObjectContent());
        } catch (Exception e) {
            throw Throwables.failure(e, "Error parsing JSON instruction file");
        }
    }

    private static String convertStreamToString(InputStream inputStream) throws IOException {
        if (inputStream == null) {
            return SDKGlobalConfiguration.DEFAULT_AWS_CSM_CLIENT_ID;
        }
        StringBuilder sb = new StringBuilder();
        try {
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream, StringUtils.UTF8));
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    return sb.toString();
                }
                sb.append(readLine);
            }
        } finally {
            inputStream.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CipherLite getCipherLite() {
        return this.cipherLite;
    }

    Map<String, String> getKEKMaterialsDescription() {
        return this.kekMaterialsDescription;
    }

    byte[] getEncryptedCEK() {
        return (byte[]) this.encryptedCEK.clone();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ContentCryptoMaterial recreate(Map<String, String> map, EncryptionMaterialsAccessor encryptionMaterialsAccessor, S3CryptoScheme s3CryptoScheme, CryptoConfiguration cryptoConfiguration, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        if (!usesKMSKey() && map.equals(this.kekMaterialsDescription)) {
            throw new SecurityException("Material description of the new KEK must differ from the current one");
        }
        EncryptionMaterials kMSEncryptionMaterials = usesKMSKey() ? new KMSEncryptionMaterials(this.kekMaterialsDescription.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID)) : encryptionMaterialsAccessor.getEncryptionMaterials(this.kekMaterialsDescription);
        EncryptionMaterials encryptionMaterials = encryptionMaterialsAccessor.getEncryptionMaterials(map);
        if (encryptionMaterials == null) {
            throw new SdkClientException("No material available with the description " + map + " from the encryption material provider");
        }
        ContentCryptoMaterial create = create(cek(this.encryptedCEK, this.keyWrappingAlgorithm, kMSEncryptionMaterials, cryptoConfiguration.getCryptoProvider(), getContentCryptoScheme(), awskms), this.cipherLite.getIV(), encryptionMaterials, getContentCryptoScheme(), s3CryptoScheme, cryptoConfiguration, awskms, amazonWebServiceRequest);
        if (Arrays.equals(create.encryptedCEK, this.encryptedCEK)) {
            throw new SecurityException("The new KEK must differ from the original");
        }
        return create;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ContentCryptoMaterial recreate(EncryptionMaterials encryptionMaterials, EncryptionMaterialsAccessor encryptionMaterialsAccessor, S3CryptoScheme s3CryptoScheme, CryptoConfiguration cryptoConfiguration, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        if (!usesKMSKey() && encryptionMaterials.getMaterialsDescription().equals(this.kekMaterialsDescription)) {
            throw new SecurityException("Material description of the new KEK must differ from the current one");
        }
        ContentCryptoMaterial create = create(cek(this.encryptedCEK, this.keyWrappingAlgorithm, usesKMSKey() ? new KMSEncryptionMaterials(this.kekMaterialsDescription.get(KMSEncryptionMaterials.CUSTOMER_MASTER_KEY_ID)) : encryptionMaterialsAccessor.getEncryptionMaterials(this.kekMaterialsDescription), cryptoConfiguration.getCryptoProvider(), getContentCryptoScheme(), awskms), this.cipherLite.getIV(), encryptionMaterials, getContentCryptoScheme(), s3CryptoScheme, cryptoConfiguration, awskms, amazonWebServiceRequest);
        if (Arrays.equals(create.encryptedCEK, this.encryptedCEK)) {
            throw new SecurityException("The new KEK must differ from the original");
        }
        return create;
    }

    static ContentCryptoMaterial create(SecretKey secretKey, byte[] bArr, EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, S3CryptoScheme s3CryptoScheme, CryptoConfiguration cryptoConfiguration, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        return doCreate(secretKey, bArr, encryptionMaterials, contentCryptoScheme, s3CryptoScheme, cryptoConfiguration, awskms, amazonWebServiceRequest);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ContentCryptoMaterial create(SecretKey secretKey, byte[] bArr, EncryptionMaterials encryptionMaterials, S3CryptoScheme s3CryptoScheme, CryptoConfiguration cryptoConfiguration, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        return doCreate(secretKey, bArr, encryptionMaterials, s3CryptoScheme.getContentCryptoScheme(), s3CryptoScheme, cryptoConfiguration, awskms, amazonWebServiceRequest);
    }

    private static ContentCryptoMaterial doCreate(SecretKey secretKey, byte[] bArr, EncryptionMaterials encryptionMaterials, ContentCryptoScheme contentCryptoScheme, S3CryptoScheme s3CryptoScheme, CryptoConfiguration cryptoConfiguration, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        return wrap(secretKey, bArr, contentCryptoScheme, cryptoConfiguration.getCryptoProvider(), cryptoConfiguration.getAlwaysUseCryptoProvider(), secureCEK(secretKey, encryptionMaterials, s3CryptoScheme.getKeyWrapScheme(), cryptoConfiguration, awskms, amazonWebServiceRequest));
    }

    public static ContentCryptoMaterial wrap(SecretKey secretKey, byte[] bArr, ContentCryptoScheme contentCryptoScheme, Provider provider, boolean z, SecuredCEK securedCEK) {
        return new ContentCryptoMaterial(securedCEK.getMaterialDescription(), securedCEK.getEncrypted(), securedCEK.getKeyWrapAlgorithm(), contentCryptoScheme.createCipherLite(secretKey, bArr, 1, provider, z));
    }

    private static SecuredCEK secureCEK(SecretKey secretKey, EncryptionMaterials encryptionMaterials, S3KeyWrapScheme s3KeyWrapScheme, CryptoConfiguration cryptoConfiguration, AWSKMS awskms, AmazonWebServiceRequest amazonWebServiceRequest) {
        if (encryptionMaterials.isKMSEnabled()) {
            Map<String, String> mergeMaterialDescriptions = mergeMaterialDescriptions(encryptionMaterials, amazonWebServiceRequest);
            EncryptRequest withPlaintext = new EncryptRequest().withEncryptionContext(mergeMaterialDescriptions).withKeyId(encryptionMaterials.getCustomerMasterKeyId()).withPlaintext(ByteBuffer.wrap(secretKey.getEncoded()));
            withPlaintext.withGeneralProgressListener(amazonWebServiceRequest.getGeneralProgressListener()).withRequestMetricCollector(amazonWebServiceRequest.getRequestMetricCollector());
            return new KMSSecuredCEK(BinaryUtils.copyAllBytesFrom(awskms.encrypt(withPlaintext).getCiphertextBlob()), mergeMaterialDescriptions);
        }
        Map<String, String> materialsDescription = encryptionMaterials.getMaterialsDescription();
        Key key = encryptionMaterials.getKeyPair() != null ? encryptionMaterials.getKeyPair().getPublic() : encryptionMaterials.getSymmetricKey();
        String keyWrapAlgorithm = s3KeyWrapScheme.getKeyWrapAlgorithm(key);
        Provider cryptoProvider = cryptoConfiguration.getCryptoProvider();
        SecureRandom secureRandom = cryptoConfiguration.getSecureRandom();
        try {
            if (keyWrapAlgorithm != null) {
                Cipher cipher = cryptoProvider == null ? Cipher.getInstance(keyWrapAlgorithm) : Cipher.getInstance(keyWrapAlgorithm, cryptoProvider);
                cipher.init(3, key, secureRandom);
                return new SecuredCEK(cipher.wrap(secretKey), keyWrapAlgorithm, materialsDescription);
            }
            byte[] encoded = secretKey.getEncoded();
            String algorithm = key.getAlgorithm();
            Cipher cipher2 = cryptoProvider != null ? Cipher.getInstance(algorithm, cryptoProvider) : Cipher.getInstance(algorithm);
            cipher2.init(1, key);
            return new SecuredCEK(cipher2.doFinal(encoded), null, materialsDescription);
        } catch (Exception e) {
            throw Throwables.failure(e, "Unable to encrypt symmetric key");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Multi-variable type inference failed */
    public static Map<String, String> mergeMaterialDescriptions(EncryptionMaterials encryptionMaterials, AmazonWebServiceRequest amazonWebServiceRequest) {
        Map<String, String> materialsDescription;
        Map<String, String> materialsDescription2 = encryptionMaterials.getMaterialsDescription();
        if ((amazonWebServiceRequest instanceof MaterialsDescriptionProvider) && (materialsDescription = ((MaterialsDescriptionProvider) amazonWebServiceRequest).getMaterialsDescription()) != null) {
            materialsDescription2 = new TreeMap(materialsDescription2);
            materialsDescription2.putAll(materialsDescription);
        }
        return materialsDescription2;
    }
}
