package com.amazonaws.services.s3.internal.crypto.keywrap;

import com.amazonaws.services.s3.internal.crypto.JceEncryptionConstants;
import com.amazonaws.util.Throwables;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:WEB-INF/lib/aws-java-sdk-s3-1.12.88.jar:com/amazonaws/services/s3/internal/crypto/keywrap/RsaOaepKeyWrapper.class */
public final class RsaOaepKeyWrapper implements KeyWrapper {
    private static final String CIPHER_ALGORITHM = "RSA/ECB/OAEPPadding";
    private static final Map<InternalKeyWrapAlgorithm, String> DIGEST_SCHEME_MAP;
    private static final Map<InternalKeyWrapAlgorithm, Mgf1Scheme> MGF1_SCHEME_MAP;
    private final CipherProvider cipherProvider;
    private final String digestScheme;
    private final Mgf1Scheme mgf1Scheme;
    private final InternalKeyWrapAlgorithm cryptoKeyWrapAlgorithm;
    private final String cekAlgorithm;
    private final byte[] encodedCekAlgorithm;

    /* loaded from: input_file:WEB-INF/lib/aws-java-sdk-s3-1.12.88.jar:com/amazonaws/services/s3/internal/crypto/keywrap/RsaOaepKeyWrapper$Builder.class */
    public static final class Builder {
        private CipherProvider cipherProvider;
        private InternalKeyWrapAlgorithm cryptoKeyWrapAlgorithm;
        private String cekAlgorithm;

        private Builder() {
        }

        public Builder cipherProvider(CipherProvider cipherProvider) {
            this.cipherProvider = cipherProvider;
            return this;
        }

        public Builder cryptoKeyWrapAlgorithm(InternalKeyWrapAlgorithm internalKeyWrapAlgorithm) {
            this.cryptoKeyWrapAlgorithm = internalKeyWrapAlgorithm;
            return this;
        }

        public Builder cekAlgorithm(String str) {
            this.cekAlgorithm = str;
            return this;
        }

        public RsaOaepKeyWrapper build() {
            return new RsaOaepKeyWrapper(this);
        }
    }

    private RsaOaepKeyWrapper(Builder builder) {
        this.cipherProvider = (CipherProvider) validateNotNull(builder.cipherProvider, "cipherProvider");
        this.cryptoKeyWrapAlgorithm = (InternalKeyWrapAlgorithm) validateNotNull(builder.cryptoKeyWrapAlgorithm, "cryptoKeyAlgorithm");
        this.cekAlgorithm = (String) validateNotNull(builder.cekAlgorithm, "cekAlgorithm");
        this.encodedCekAlgorithm = builder.cekAlgorithm.getBytes(StandardCharsets.UTF_8);
        this.digestScheme = DIGEST_SCHEME_MAP.get(this.cryptoKeyWrapAlgorithm);
        this.mgf1Scheme = MGF1_SCHEME_MAP.get(this.cryptoKeyWrapAlgorithm);
        if (this.mgf1Scheme == null) {
            throw new IllegalArgumentException("No valid MGF1 scheme could be found for cryptoKeyAlgorithm '" + this.cryptoKeyWrapAlgorithm.algorithmName() + "'");
        }
    }

    public static Builder builder() {
        return new Builder();
    }

    public static String cipherAlgorithm() {
        return CIPHER_ALGORITHM;
    }

    @Override // com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapper
    public byte[] unwrapCek(byte[] bArr, Key key) {
        Cipher createCipher = this.cipherProvider.createCipher();
        try {
            createCipher.init(4, key, new OAEPParameterSpec(this.digestScheme, "MGF1", this.mgf1Scheme.getMgf1ParameterSpec(), PSource.PSpecified.DEFAULT));
            return splitConcatenatedKey(createCipher.unwrap(bArr, JceEncryptionConstants.SYMMETRIC_KEY_ALGORITHM, 3).getEncoded());
        } catch (Exception e) {
            throw Throwables.failure(e, "An exception was thrown when attempting to decrypt the Content Encryption Key");
        }
    }

    @Override // com.amazonaws.services.s3.internal.crypto.keywrap.KeyWrapper
    public byte[] wrapCek(byte[] bArr, Key key) {
        Cipher createCipher = this.cipherProvider.createCipher();
        try {
            createCipher.init(3, key, new OAEPParameterSpec(this.digestScheme, "MGF1", this.mgf1Scheme.getMgf1ParameterSpec(), PSource.PSpecified.DEFAULT));
            return createCipher.wrap(new SecretKeySpec(createCompositeCek(bArr), JceEncryptionConstants.SYMMETRIC_KEY_ALGORITHM));
        } catch (Exception e) {
            throw Throwables.failure(e, "An exception was thrown when attempting to encrypt the Content Encryption Key");
        }
    }

    public CipherProvider cipherProvider() {
        return this.cipherProvider;
    }

    public Mgf1Scheme mgf1Scheme() {
        return this.mgf1Scheme;
    }

    public String cekAlgorithm() {
        return this.cekAlgorithm;
    }

    private <T> T validateNotNull(T t, String str) {
        if (t == null) {
            throw new NullPointerException("Error initializing RsaOaepKeyWrapper: '" + str + "' cannot be null");
        }
        return t;
    }

    private byte[] createCompositeCek(byte[] bArr) {
        byte[] bArr2 = new byte[1 + bArr.length + this.encodedCekAlgorithm.length];
        bArr2[0] = (byte) bArr.length;
        System.arraycopy(bArr, 0, bArr2, 1, bArr.length);
        System.arraycopy(this.encodedCekAlgorithm, 0, bArr2, 1 + bArr.length, this.encodedCekAlgorithm.length);
        return bArr2;
    }

    private byte[] splitConcatenatedKey(byte[] bArr) {
        int i = bArr[0];
        int length = (bArr.length - i) - 1;
        if (!isValidKeyLength(i)) {
            throw new SecurityException("invalid key length in composite CEK");
        }
        if (length <= 0) {
            throw new SecurityException("invalid algorithm length in composite CEK");
        }
        byte[] bArr2 = new byte[i];
        byte[] bArr3 = new byte[length];
        System.arraycopy(bArr, 1, bArr2, 0, i);
        System.arraycopy(bArr, 1 + i, bArr3, 0, length);
        if (Arrays.equals(bArr3, this.encodedCekAlgorithm)) {
            return bArr2;
        }
        throw new SecurityException("The content encryption algorithm used at encryption time does not match the algorithm stored for decryption time. The object may be altered or corrupted.");
    }

    private static boolean isValidKeyLength(int i) {
        return i == 16 || i == 24 || i == 32;
    }

    static {
        HashMap hashMap = new HashMap();
        hashMap.put(InternalKeyWrapAlgorithm.RSA_OAEP_SHA1, "SHA-1");
        DIGEST_SCHEME_MAP = Collections.unmodifiableMap(hashMap);
        HashMap hashMap2 = new HashMap();
        hashMap2.put(InternalKeyWrapAlgorithm.RSA_OAEP_SHA1, Mgf1Scheme.MGF1_SHA1);
        MGF1_SCHEME_MAP = Collections.unmodifiableMap(hashMap2);
    }
}
