package software.amazon.encryption.s3.materials;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.core.ApiName;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.encryption.s3.S3EncryptionClient;
import software.amazon.encryption.s3.S3EncryptionClientException;
import software.amazon.encryption.s3.internal.ApiNameVersion;
import software.amazon.encryption.s3.materials.S3Keyring;

/* loaded from: input_file:software/amazon/encryption/s3/materials/KmsDiscoveryKeyring.class */
/**
 * Decrypt-only keyring that unwraps S3 object data keys through AWS KMS.
 *
 * <p>The {@code DecryptRequest} built by this class carries the wrapped key and the encryption
 * context but never a key id, so this class does not pin decryption to a particular KMS key.
 * Which keys can be used is therefore limited only by what the configured {@link KmsClient}'s
 * credentials are permitted to decrypt with; scope that permission accordingly.
 *
 * <p>Two strategies are registered, keyed by their key-provider-info string: {@code "kms"}
 * (reports itself as legacy) and {@code "kms+context"}. Generating or encrypting data keys is
 * not supported and throws {@link S3EncryptionClientException}.
 */
public class KmsDiscoveryKeyring extends S3Keyring {
    // API name attached to every KMS request issued by this keyring.
    private static final ApiName API_NAME = ApiNameVersion.apiNameWithVersion();
    // Entry stripped from the stored context before it is compared with the caller's context.
    private static final String KEY_ID_CONTEXT_KEY = "kms_cmk_id";
    private final KmsClient _kmsClient;
    private final Map<String, DecryptDataKeyStrategy> decryptDataKeyStrategies;
    private final DecryptDataKeyStrategy _kmsDiscoveryStrategy;
    private final DecryptDataKeyStrategy _kmsContextDiscoveryStrategy;

    /** Builder for {@link KmsDiscoveryKeyring}; obtain one via {@link KmsDiscoveryKeyring#builder()}. */
    public static class Builder extends S3Keyring.Builder<KmsDiscoveryKeyring, Builder> {
        private KmsClient _kmsClient;

        private Builder() {
        }

        /**
         * Returns this builder (self-type hook of {@code S3Keyring.Builder}).
         *
         * <p>Decompiler notes: access was changed from protected, and the name collides with
         * another {@code builder()} that JADX could not rename.
         */
        @Override
        public Builder builder() {
            return this;
        }

        /**
         * Sets the KMS client used for Decrypt calls. The reference is stored as given, not copied.
         *
         * @param kmsClient client to use; when left {@code null}, {@link #build2()} creates one
         * @return this builder
         */
        @SuppressFBWarnings(value = {"EI_EXPOSE_REP2"}, justification = "Pass mutability into wrapping client")
        public Builder kmsClient(KmsClient kmsClient) {
            this._kmsClient = kmsClient;
            return this;
        }

        /**
         * Builds the keyring, falling back to {@code KmsClient.create()} when no client was set.
         *
         * <p>Decompiler note: renamed from {@code build}; JADX could not resolve a name collision.
         *
         * @return a new keyring backed by this builder's KMS client
         */
        @Override
        public KmsDiscoveryKeyring build2() {
            if (this._kmsClient == null) {
                this._kmsClient = KmsClient.create();
            }
            return new KmsDiscoveryKeyring(this);
        }
    }

    /**
     * Creates the keyring and registers both decrypt strategies under their key-provider-info.
     *
     * <p>The builder's KMS client is taken as-is; the default client is only filled in by
     * {@link Builder#build2()}, not here.
     *
     * @param builder source of the KMS client and of the base-class configuration
     */
    public KmsDiscoveryKeyring(Builder builder) {
        super(builder);
        this._kmsClient = builder._kmsClient;
        this.decryptDataKeyStrategies = new HashMap<>();

        // "kms": forwards the stored encryption context to KMS without comparing it to anything
        // the caller supplied.
        this._kmsDiscoveryStrategy = new DecryptDataKeyStrategy() {
            private static final String KEY_PROVIDER_INFO = "kms";

            @Override
            public boolean isLegacy() {
                return true;
            }

            @Override
            public String keyProviderInfo() {
                return KEY_PROVIDER_INFO;
            }

            @Override
            public byte[] decryptDataKey(DecryptionMaterials decryptionMaterials, byte[] encryptedDataKey) {
                return KmsDiscoveryKeyring.this.kmsDecryptDataKey(decryptionMaterials, encryptedDataKey);
            }
        };

        // "kms+context": the stored context, minus the key-id and algorithm entries, must equal
        // the context the caller attached to the GetObject request before KMS is called.
        this._kmsContextDiscoveryStrategy = new DecryptDataKeyStrategy() {
            private static final String KEY_PROVIDER_INFO = "kms+context";
            private static final String ENCRYPTION_CONTEXT_ALGORITHM_KEY = "aws:x-amz-cek-alg";

            @Override
            public boolean isLegacy() {
                return false;
            }

            @Override
            public String keyProviderInfo() {
                return KEY_PROVIDER_INFO;
            }

            @Override
            public byte[] decryptDataKey(DecryptionMaterials decryptionMaterials, byte[] encryptedDataKey) {
                Map<Object, Object> suppliedContext =
                        callerSuppliedContext(decryptionMaterials.mo48s3Request());

                // Work on a copy so the materials' own context still reaches KMS in full.
                Map<Object, Object> storedContext = new HashMap<>(decryptionMaterials.encryptionContext());
                storedContext.remove(KmsDiscoveryKeyring.KEY_ID_CONTEXT_KEY);
                storedContext.remove(ENCRYPTION_CONTEXT_ALGORITHM_KEY);

                boolean contextsMatch = storedContext.equals(suppliedContext);
                if (!contextsMatch) {
                    throw new S3EncryptionClientException("Provided encryption context does not match information retrieved from S3");
                }
                return KmsDiscoveryKeyring.this.kmsDecryptDataKey(decryptionMaterials, encryptedDataKey);
            }
        };

        this.decryptDataKeyStrategies.put(this._kmsDiscoveryStrategy.keyProviderInfo(), this._kmsDiscoveryStrategy);
        this.decryptDataKeyStrategies.put(this._kmsContextDiscoveryStrategy.keyProviderInfo(), this._kmsContextDiscoveryStrategy);
    }

    /**
     * Copies the encryption context attached to a GetObject request through the
     * {@code S3EncryptionClient.ENCRYPTION_CONTEXT} execution attribute.
     *
     * @param request the S3 request being served
     * @return a fresh map with the caller's context, or an empty map when the request has no
     *     override configuration or the attribute is absent
     */
    private static Map<Object, Object> callerSuppliedContext(GetObjectRequest request) {
        Map<Object, Object> context = new HashMap<>();
        if (request.overrideConfiguration().isPresent()) {
            Optional<?> attribute = ((AwsRequestOverrideConfiguration) request.overrideConfiguration().get())
                    .executionAttributes()
                    .getOptionalAttribute(S3EncryptionClient.ENCRYPTION_CONTEXT);
            if (attribute.isPresent()) {
                context = new HashMap<>((Map<?, ?>) attribute.get());
            }
        }
        return context;
    }

    /**
     * Sends the wrapped data key to KMS Decrypt together with the materials' encryption context.
     * No key id is set on the request.
     *
     * @param decryptionMaterials supplies the encryption context sent to KMS
     * @param encryptedDataKey the wrapped data key bytes
     * @return the plaintext data key bytes returned by KMS
     */
    private byte[] kmsDecryptDataKey(DecryptionMaterials decryptionMaterials, byte[] encryptedDataKey) {
        DecryptRequest decryptRequest = (DecryptRequest) DecryptRequest.builder()
                .encryptionContext(decryptionMaterials.encryptionContext())
                .ciphertextBlob(SdkBytes.fromByteArray(encryptedDataKey))
                .overrideConfiguration(config -> config.addApiName(KmsDiscoveryKeyring.API_NAME))
                .build();
        return this._kmsClient.decrypt(decryptRequest).plaintext().asByteArray();
    }

    /** Returns a new, empty {@link Builder}. */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Always throws: this keyring cannot generate data keys.
     *
     * @throws S3EncryptionClientException on every call
     */
    @Override
    protected GenerateDataKeyStrategy generateDataKeyStrategy() {
        throw new S3EncryptionClientException("KmsDiscoveryKeyring does not support GenerateDataKey");
    }

    /**
     * Always throws: this keyring cannot encrypt data keys.
     *
     * @throws S3EncryptionClientException on every call
     */
    @Override
    protected EncryptDataKeyStrategy encryptDataKeyStrategy() {
        throw new S3EncryptionClientException("KmsDiscoveryKeyring does not support EncryptDataKey");
    }

    /**
     * Returns the registered decrypt strategies keyed by key-provider-info.
     *
     * <p>NOTE(review): this is the internal mutable map, not a copy or an unmodifiable view.
     */
    @Override
    protected Map<String, DecryptDataKeyStrategy> decryptDataKeyStrategies() {
        return this.decryptDataKeyStrategies;
    }
}
