package kafka.tier.store.encryption;

import com.google.crypto.tink.proto.AesGcmKey;
import com.google.crypto.tink.proto.KeyData;
import com.google.crypto.tink.proto.KeyStatusType;
import com.google.crypto.tink.proto.Keyset;
import com.google.crypto.tink.proto.OutputPrefixType;
import com.google.protobuf.InvalidProtocolBufferException;
import java.util.List;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:kafka/tier/store/encryption/Util.class */
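public class Util {
    /**
     * Tink type URL for AES-GCM keys. The URL identifies the key type only; it says nothing
     * about the key size, so the key length is validated separately.
     */
    private static final String AES256_KEY_URL = "type.googleapis.com/google.crypto.tink.AesGcmKey";

    /** Length in bytes of an AES-256 key (256 bits). */
    private static final int AES256_KEY_SIZE_BYTES = 32;

    Util() {
    }

    /**
     * Extracts the raw AES-256-GCM key bytes from a Tink keyset.
     *
     * <p>The keyset must contain exactly one key, and that key must be {@code ENABLED}, use the
     * {@code RAW} output prefix, carry the AES-GCM type URL, and hold exactly 32 bytes of key
     * material. Any other shape is rejected rather than silently accepted.
     *
     * <p>Security note: the returned array is unprotected secret key material. Callers should
     * never log it or include it in exception messages, and should overwrite it once it is no
     * longer needed. The messages thrown here deliberately contain only metadata (counts, type
     * URLs, lengths), never key bytes.
     *
     * @param keyset the Tink keyset to read the key from
     * @return a new byte array holding the 32-byte raw key
     * @throws IncompatibleKeysetException if the keyset does not meet the requirements above or
     *     the serialized key cannot be parsed
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] extractRawAes256GCMKey(Keyset keyset) {
        List<Keyset.Key> keyList = keyset.getKeyList();
        if (keyList.size() != 1) {
            throw new IncompatibleKeysetException("extracting raw key from keyset requires exactly one key, found " + keyList.size());
        }
        Keyset.Key key = keyList.get(0);
        // A disabled or destroyed key must not be exported for use.
        if (key.getStatus() != KeyStatusType.ENABLED) {
            throw new IncompatibleKeysetException("Key is not enabled");
        }
        if (key.getOutputPrefixType() != OutputPrefixType.RAW) {
            throw new IncompatibleKeysetException("GcsKeysetWriter only supports keys with the RAW prefix");
        }
        KeyData keyData = key.getKeyData();
        if (!keyData.getTypeUrl().equals(AES256_KEY_URL)) {
            throw new IncompatibleKeysetException(String.format("Expected key type '%s', found '%s'", AES256_KEY_URL, keyData.getTypeUrl()));
        }
        byte[] rawKey;
        try {
            rawKey = AesGcmKey.parseFrom(keyData.getValue()).getKeyValue().toByteArray();
        } catch (InvalidProtocolBufferException e) {
            throw new IncompatibleKeysetException("Malformed key representation", e);
        }
        // The type URL matches AES-GCM keys of any size; enforce the 256-bit length the method
        // name promises so that a shorter (weaker) or malformed key is rejected here.
        if (rawKey.length != AES256_KEY_SIZE_BYTES) {
            throw new IncompatibleKeysetException(String.format("Expected a %d-byte AES-256 key, found %d bytes", AES256_KEY_SIZE_BYTES, rawKey.length));
        }
        return rawKey;
    }
}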
