package com.amazonaws.encryptionsdk.internal;

import com.amazonaws.encryptionsdk.CMMHandler;
import com.amazonaws.encryptionsdk.CommitmentPolicy;
import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.CryptoMaterialsManager;
import com.amazonaws.encryptionsdk.DataKey;
import com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager;
import com.amazonaws.encryptionsdk.MasterKey;
import com.amazonaws.encryptionsdk.MasterKeyProvider;
import com.amazonaws.encryptionsdk.ParsedCiphertext;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.exception.BadCiphertextException;
import com.amazonaws.encryptionsdk.model.CiphertextFooters;
import com.amazonaws.encryptionsdk.model.CiphertextHeaders;
import com.amazonaws.encryptionsdk.model.CiphertextType;
import com.amazonaws.encryptionsdk.model.ContentType;
import com.amazonaws.encryptionsdk.model.DecryptionMaterialsHandler;
import com.amazonaws.encryptionsdk.model.DecryptionMaterialsRequest;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import software.amazon.cryptography.materialproviders.ICryptographicMaterialsManager;

/* loaded from: input_file:com/amazonaws/encryptionsdk/internal/DecryptionHandler.class */
/**
 * Streaming handler that parses an encrypted message, obtains decryption materials from a
 * cryptographic materials manager, decrypts the body and, for signed algorithm suites, verifies
 * the trailing signature.
 *
 * <p>Work is split into three phases that {@link #processBytes} drives in order: header parsing
 * and validation ({@link #readHeaderFields}), body decryption (delegated to a
 * {@code FrameDecryptionHandler} or {@code BlockDecryptionHandler}), and footer/signature
 * verification.
 *
 * <p>Security note: for algorithm suites with a trailing signature, {@link #processBytes} writes
 * decrypted body bytes to the caller's output buffer before the signature has been checked. The
 * message is only known to be fully verified once {@link #isComplete()} returns {@code true};
 * {@link #doFinal} throws if that point was never reached.
 *
 * <p>No synchronization is visible in this class; instances hold mutable parsing state.
 */
public class DecryptionHandler<K extends MasterKey<K>> implements MessageCryptoHandler {
    // Wrapper around the materials manager used to request decryption materials.
    private final CMMHandler cmmHandler_;
    // Decides which algorithm suites may be decrypted with respect to key commitment.
    private final CommitmentPolicy commitmentPolicy_;
    // Upper bound on encrypted data keys in a header; values <= 0 disable the check in readHeaderFields.
    private final int maxEncryptedDataKeys_;
    // Decides whether signed/unsigned algorithm suites may be decrypted.
    private final SignaturePolicy signaturePolicy_;
    private final CiphertextHeaders ciphertextHeaders_;
    private final CiphertextFooters ciphertextFooters_;
    // Set to true at the end of readHeaderFields, i.e. after all header checks have passed.
    private boolean ciphertextHeadersParsed_;
    // Body decryptor; null until readHeaderFields has run successfully.
    private CryptoHandler contentCryptoHandler_;
    private DataKey<K> dataKey_;
    private SecretKey decryptionKey_;
    private CryptoAlgorithm cryptoAlgo_;
    // Signature verifier fed with header and body bytes; null for suites without a trailing signature.
    private Signature trailingSig_;
    // Encryption context returned with the decryption materials; null until the header is processed.
    private Map<String, String> encryptionContext_;
    // Caller-supplied context forwarded to the materials manager in the decryption request.
    private Map<String, String> reproducedEncryptionContext_;
    // Input bytes carried over between processBytes calls while a header or footer is incomplete.
    private byte[] unparsedBytes_;
    // True only after the whole message, including any trailing signature, has been accepted.
    private boolean complete_;
    // Maximum total ciphertext bytes accepted; -1 means no bound has been set.
    private long ciphertextSizeBound_;
    // Running count of ciphertext bytes handed to this handler.
    private long ciphertextBytesSupplied_;

    /**
     * Creates a handler that will parse the header from the byte stream.
     *
     * @param cMMHandler materials manager wrapper; must not be null
     * @param commitmentPolicy commitment policy; must not be null
     * @param signaturePolicy signature policy; must not be null
     * @param i maximum number of encrypted data keys (stored in {@code maxEncryptedDataKeys_})
     */
    private DecryptionHandler(CMMHandler cMMHandler, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) {
        this.encryptionContext_ = null;
        this.reproducedEncryptionContext_ = Collections.emptyMap();
        this.unparsedBytes_ = new byte[0];
        this.complete_ = false;
        this.ciphertextSizeBound_ = -1L;
        this.ciphertextBytesSupplied_ = 0L;
        Utils.assertNonNull(cMMHandler, "cmmHandler");
        Utils.assertNonNull(commitmentPolicy, "commitmentPolicy");
        Utils.assertNonNull(signaturePolicy, "signaturePolicy");
        this.cmmHandler_ = cMMHandler;
        this.commitmentPolicy_ = commitmentPolicy;
        this.maxEncryptedDataKeys_ = i;
        this.signaturePolicy_ = signaturePolicy;
        this.ciphertextHeaders_ = new CiphertextHeaders();
        this.ciphertextFooters_ = new CiphertextFooters();
    }

    /**
     * Same as the four-argument constructor, additionally recording a reproduced encryption
     * context.
     *
     * @param map reproduced encryption context; stored as given
     */
    private DecryptionHandler(CMMHandler cMMHandler, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i, Map<String, String> map) {
        this.encryptionContext_ = null;
        this.reproducedEncryptionContext_ = Collections.emptyMap();
        this.unparsedBytes_ = new byte[0];
        this.complete_ = false;
        this.ciphertextSizeBound_ = -1L;
        this.ciphertextBytesSupplied_ = 0L;
        Utils.assertNonNull(cMMHandler, "cmmHandler");
        Utils.assertNonNull(commitmentPolicy, "commitmentPolicy");
        Utils.assertNonNull(signaturePolicy, "signaturePolicy");
        this.cmmHandler_ = cMMHandler;
        this.commitmentPolicy_ = commitmentPolicy;
        this.maxEncryptedDataKeys_ = i;
        this.signaturePolicy_ = signaturePolicy;
        // NOTE(review): map is not null-checked, so a null argument replaces the empty-map default
        // set above; confirm the decryption request builder tolerates null.
        this.reproducedEncryptionContext_ = map;
        this.ciphertextHeaders_ = new CiphertextHeaders();
        this.ciphertextFooters_ = new CiphertextFooters();
    }

    /**
     * Creates a handler from headers that were parsed before construction. The header checks and
     * the materials request in {@link #readHeaderFields} run immediately, so policy violations
     * and header-integrity failures surface from this constructor.
     *
     * @param ciphertextHeaders already-parsed headers
     * @param map reproduced encryption context; stored as given
     * @throws AwsCryptoException if header validation or materials retrieval fails
     */
    private DecryptionHandler(CMMHandler cMMHandler, CiphertextHeaders ciphertextHeaders, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i, Map<String, String> map) throws AwsCryptoException {
        this.encryptionContext_ = null;
        this.reproducedEncryptionContext_ = Collections.emptyMap();
        this.unparsedBytes_ = new byte[0];
        this.complete_ = false;
        this.ciphertextSizeBound_ = -1L;
        this.ciphertextBytesSupplied_ = 0L;
        Utils.assertNonNull(cMMHandler, "materialsManager");
        Utils.assertNonNull(commitmentPolicy, "commitmentPolicy");
        Utils.assertNonNull(signaturePolicy, "signaturePolicy");
        this.cmmHandler_ = cMMHandler;
        this.ciphertextHeaders_ = ciphertextHeaders;
        this.commitmentPolicy_ = commitmentPolicy;
        this.signaturePolicy_ = signaturePolicy;
        this.maxEncryptedDataKeys_ = i;
        this.ciphertextFooters_ = new CiphertextFooters();
        // The header bytes count toward the ciphertext size bound even though they were consumed
        // before this handler existed.
        // NOTE(review): ciphertextHeaders is not null-checked; a null value fails on toByteArray().
        if (ciphertextHeaders instanceof ParsedCiphertext) {
            this.ciphertextBytesSupplied_ = ((ParsedCiphertext) ciphertextHeaders).getOffset();
        } else {
            this.ciphertextBytesSupplied_ = ciphertextHeaders.toByteArray().length;
        }
        this.reproducedEncryptionContext_ = map;
        readHeaderFields(ciphertextHeaders);
        // Must follow readHeaderFields: the signature verifier is created there.
        updateTrailingSignature(ciphertextHeaders);
    }

    /**
     * Creates a handler backed by a {@code DefaultCryptoMaterialsManager} wrapping the given
     * master key provider.
     *
     * @param masterKeyProvider provider of master keys; must not be null
     * @param i maximum number of encrypted data keys
     */
    public static <K extends MasterKey<K>> DecryptionHandler<K> create(MasterKeyProvider<K> masterKeyProvider, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        Utils.assertNonNull(masterKeyProvider, "customerMasterKeyProvider");
        return (DecryptionHandler<K>) create(new DefaultCryptoMaterialsManager(masterKeyProvider), commitmentPolicy, signaturePolicy, i);
    }

    /**
     * Deprecated variant taking pre-parsed {@code CiphertextHeaders} and a master key provider.
     */
    @Deprecated
    public static <K extends MasterKey<K>> DecryptionHandler<K> create(MasterKeyProvider<K> masterKeyProvider, CiphertextHeaders ciphertextHeaders, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        Utils.assertNonNull(masterKeyProvider, "customerMasterKeyProvider");
        return (DecryptionHandler<K>) create(new DefaultCryptoMaterialsManager(masterKeyProvider), ciphertextHeaders, commitmentPolicy, signaturePolicy, i);
    }

    /**
     * Creates a handler for an already-parsed ciphertext, backed by a
     * {@code DefaultCryptoMaterialsManager} wrapping the given master key provider.
     */
    public static <K extends MasterKey<K>> DecryptionHandler<K> create(MasterKeyProvider<K> masterKeyProvider, ParsedCiphertext parsedCiphertext, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        Utils.assertNonNull(masterKeyProvider, "customerMasterKeyProvider");
        return (DecryptionHandler<K>) create((CryptoMaterialsManager) new DefaultCryptoMaterialsManager(masterKeyProvider), parsedCiphertext, commitmentPolicy, signaturePolicy, i);
    }

    /** Creates a streaming handler for the given {@code CryptoMaterialsManager}. */
    public static DecryptionHandler<?> create(CryptoMaterialsManager cryptoMaterialsManager, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        return new DecryptionHandler<>(new CMMHandler(cryptoMaterialsManager), commitmentPolicy, signaturePolicy, i);
    }

    /** Creates a streaming handler for the given {@code ICryptographicMaterialsManager}. */
    public static DecryptionHandler<?> create(ICryptographicMaterialsManager iCryptographicMaterialsManager, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        return new DecryptionHandler<>(new CMMHandler(iCryptographicMaterialsManager), commitmentPolicy, signaturePolicy, i);
    }

    /**
     * Creates a streaming handler for the given {@code ICryptographicMaterialsManager} with a
     * reproduced encryption context.
     *
     * @param map reproduced encryption context forwarded in the decryption materials request
     */
    public static DecryptionHandler<?> create(ICryptographicMaterialsManager iCryptographicMaterialsManager, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i, Map<String, String> map) throws AwsCryptoException {
        return new DecryptionHandler<>(new CMMHandler(iCryptographicMaterialsManager), commitmentPolicy, signaturePolicy, i, map);
    }

    /**
     * Deprecated variant taking pre-parsed {@code CiphertextHeaders}; uses an empty reproduced
     * encryption context.
     */
    @Deprecated
    public static DecryptionHandler<?> create(CryptoMaterialsManager cryptoMaterialsManager, CiphertextHeaders ciphertextHeaders, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        return new DecryptionHandler<>(new CMMHandler(cryptoMaterialsManager), ciphertextHeaders, commitmentPolicy, signaturePolicy, i, Collections.emptyMap());
    }

    /**
     * Creates a handler for an already-parsed ciphertext and a {@code CryptoMaterialsManager};
     * uses an empty reproduced encryption context.
     */
    public static DecryptionHandler<?> create(CryptoMaterialsManager cryptoMaterialsManager, ParsedCiphertext parsedCiphertext, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        return new DecryptionHandler<>(new CMMHandler(cryptoMaterialsManager), parsedCiphertext, commitmentPolicy, signaturePolicy, i, Collections.emptyMap());
    }

    /**
     * Creates a handler for an already-parsed ciphertext and an
     * {@code ICryptographicMaterialsManager}; uses an empty reproduced encryption context.
     */
    public static DecryptionHandler<?> create(ICryptographicMaterialsManager iCryptographicMaterialsManager, ParsedCiphertext parsedCiphertext, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i) throws AwsCryptoException {
        return new DecryptionHandler<>(new CMMHandler(iCryptographicMaterialsManager), parsedCiphertext, commitmentPolicy, signaturePolicy, i, Collections.emptyMap());
    }

    /**
     * Creates a handler for an already-parsed ciphertext and an
     * {@code ICryptographicMaterialsManager} with a reproduced encryption context.
     *
     * @param map reproduced encryption context forwarded in the decryption materials request
     */
    public static DecryptionHandler<?> create(ICryptographicMaterialsManager iCryptographicMaterialsManager, ParsedCiphertext parsedCiphertext, CommitmentPolicy commitmentPolicy, SignaturePolicy signaturePolicy, int i, Map<String, String> map) throws AwsCryptoException {
        return new DecryptionHandler<>(new CMMHandler(iCryptographicMaterialsManager), parsedCiphertext, commitmentPolicy, signaturePolicy, i, map);
    }

    /**
     * Consumes a chunk of ciphertext: finishes header parsing if needed, decrypts body bytes into
     * the output buffer, and parses and verifies the footer once the body is complete.
     *
     * <p>For signed algorithm suites the plaintext written by this method is not yet covered by a
     * verified signature; callers should not treat it as authentic until {@link #isComplete()}
     * returns {@code true}.
     *
     * @param bArr input buffer holding ciphertext
     * @param i offset into {@code bArr}
     * @param i2 number of input bytes to consume
     * @param bArr2 output buffer for plaintext
     * @param i3 offset into {@code bArr2}
     * @return summary of bytes written and bytes consumed (argument order inferred from the
     *     getters used on the delegate's summary below)
     * @throws BadCiphertextException if the trailing signature does not verify
     * @throws AwsCryptoException if the offset or length is negative, or the buffered input would
     *     exceed {@code Integer.MAX_VALUE} bytes
     * @throws IllegalStateException if the configured ciphertext size bound would be exceeded
     */
    @Override // com.amazonaws.encryptionsdk.internal.CryptoHandler
    public ProcessingSummary processBytes(byte[] bArr, int i, int i2, byte[] bArr2, int i3) throws BadCiphertextException, AwsCryptoException {
        if (i2 < 0 || i < 0) {
            throw new AwsCryptoException(String.format("Invalid values for input offset: %d and length: %d", Integer.valueOf(i), Integer.valueOf(i2)));
        }
        if (bArr.length == 0 || i2 == 0) {
            return ProcessingSummary.ZERO;
        }
        // Leftover bytes from the previous call plus the new input must fit in one Java array.
        long length = this.unparsedBytes_.length + i2;
        if (length > 2147483647L) {
            throw new AwsCryptoException("Size of the total bytes to parse and decrypt exceeded allowed maximum:2147483647");
        }
        checkSizeBound(i2);
        // NOTE(review): i + i2 is not checked against bArr.length here; an out-of-range request
        // fails in System.arraycopy below, after this counter has already been advanced.
        this.ciphertextBytesSupplied_ += i2;
        byte[] bArr3 = new byte[(int) length];
        int length2 = this.unparsedBytes_.length;
        System.arraycopy(this.unparsedBytes_, 0, bArr3, 0, this.unparsedBytes_.length);
        System.arraycopy(bArr, i, bArr3, this.unparsedBytes_.length, i2);
        // i4 tracks the read position inside the combined buffer bArr3.
        int i4 = 0;
        if (!this.ciphertextHeadersParsed_) {
            i4 = 0 + this.ciphertextHeaders_.deserialize(bArr3, 0, this.maxEncryptedDataKeys_);
            if (!this.ciphertextHeaders_.isComplete().booleanValue()) {
                // Header still incomplete: keep the remaining bytes for the next call and report
                // all of this call's input as consumed with nothing written.
                this.unparsedBytes_ = Arrays.copyOfRange(bArr3, i4, bArr3.length);
                return new ProcessingSummary(0, i2);
            }
            // Policy checks, materials retrieval and the header integrity check all happen here,
            // before any body byte is decrypted.
            readHeaderFields(this.ciphertextHeaders_);
            updateTrailingSignature(this.ciphertextHeaders_);
            this.unparsedBytes_ = new byte[0];
        }
        // i5 counts plaintext bytes written to bArr2 during this call.
        int i5 = 0;
        if (!this.contentCryptoHandler_.isComplete()) {
            if (bArr3.length - i4 > 0) {
                ProcessingSummary processBytes = this.contentCryptoHandler_.processBytes(bArr3, i4, bArr3.length - i4, bArr2, i3);
                // Feed exactly the bytes the body handler consumed into the signature verifier.
                updateTrailingSignature(bArr3, i4, processBytes.getBytesProcessed());
                i5 = processBytes.getBytesWritten();
                i4 += processBytes.getBytesProcessed();
            }
            if (this.contentCryptoHandler_.isComplete()) {
                i5 += this.contentCryptoHandler_.doFinal(bArr2, i3 + i5);
            }
        }
        if (this.contentCryptoHandler_.isComplete()) {
            if (this.cryptoAlgo_.getTrailingSignatureLength() > 0) {
                i4 += this.ciphertextFooters_.deserialize(bArr3, i4);
                if (!this.ciphertextFooters_.isComplete()) {
                    // Footer split across calls: buffer the remainder and wait for more input.
                    this.unparsedBytes_ = Arrays.copyOfRange(bArr3, i4, bArr3.length);
                    return new ProcessingSummary(i5, i2);
                }
                this.unparsedBytes_ = new byte[0];
                try {
                    // complete_ is set only when verification succeeds; both a false result and a
                    // SignatureException are reported as a bad trailing signature.
                    if (!this.trailingSig_.verify(this.ciphertextFooters_.getMAuth())) {
                        throw new BadCiphertextException("Bad trailing signature");
                    }
                    this.complete_ = true;
                } catch (SignatureException e) {
                    throw new BadCiphertextException("Bad trailing signature", e);
                }
            } else {
                // Unsigned suite: the message is complete as soon as the body handler is.
                this.complete_ = true;
            }
        }
        // Bytes carried over from the previous call were already reported as consumed then.
        return new ProcessingSummary(i5, i4 - length2);
    }

    /**
     * Finishes decryption and rejects messages that were not processed to completion.
     *
     * @param bArr output buffer
     * @param i offset into {@code bArr}
     * @return the value returned by the body handler's {@code doFinal}, or 0 if no ciphertext was
     *     ever supplied
     * @throws BadCiphertextException if the header was never fully parsed or the message did not
     *     reach the complete state (for signed suites, that includes signature verification)
     */
    @Override // com.amazonaws.encryptionsdk.internal.CryptoHandler
    public int doFinal(byte[] bArr, int i) throws BadCiphertextException {
        if (this.ciphertextBytesSupplied_ == 0) {
            return 0;
        }
        if (this.contentCryptoHandler_ == null) {
            throw new BadCiphertextException("Unable to process entire ciphertext.");
        }
        int doFinal = this.contentCryptoHandler_.doFinal(bArr, i);
        if (this.complete_) {
            return doFinal;
        }
        throw new BadCiphertextException("Unable to process entire ciphertext.");
    }

    /**
     * Estimates the output size for {@code i} input bytes. Delegates to the body handler once it
     * exists; before that, returns {@code i} itself, or 0 when {@code i} is not positive.
     */
    @Override // com.amazonaws.encryptionsdk.internal.CryptoHandler
    public int estimateOutputSize(int i) {
        if (this.contentCryptoHandler_ != null) {
            return this.contentCryptoHandler_.estimateOutputSize(i);
        }
        if (i > 0) {
            return i;
        }
        return 0;
    }

    /**
     * Estimates the partial output size for {@code i} input bytes. Delegates to the body handler
     * once it exists; before that, returns {@code i} itself, or 0 when {@code i} is not positive.
     */
    @Override // com.amazonaws.encryptionsdk.internal.CryptoHandler
    public int estimatePartialOutputSize(int i) {
        if (this.contentCryptoHandler_ != null) {
            return this.contentCryptoHandler_.estimatePartialOutputSize(i);
        }
        if (i > 0) {
            return i;
        }
        return 0;
    }

    /**
     * Estimates the size of the final output. Delegates to the body handler once it exists;
     * returns 0 before that.
     */
    @Override // com.amazonaws.encryptionsdk.internal.CryptoHandler
    public int estimateFinalOutputSize() {
        if (this.contentCryptoHandler_ != null) {
            return this.contentCryptoHandler_.estimateFinalOutputSize();
        }
        return 0;
    }

    /**
     * Returns the encryption context obtained with the decryption materials, or {@code null} if
     * the header has not been processed yet.
     */
    @Override // com.amazonaws.encryptionsdk.internal.MessageCryptoHandler
    public Map<String, String> getEncryptionContext() {
        return this.encryptionContext_;
    }

    /**
     * Throws if accepting {@code j} more bytes would exceed the configured ciphertext size bound.
     * Does nothing while no bound is set (-1).
     *
     * @throws IllegalStateException if the bound would be exceeded
     */
    private void checkSizeBound(long j) {
        if (this.ciphertextSizeBound_ != -1 && this.ciphertextBytesSupplied_ + j > this.ciphertextSizeBound_) {
            throw new IllegalStateException("Ciphertext size exceeds size bound");
        }
    }

    /**
     * Sets the maximum total ciphertext length. The bound can only be tightened: a larger value
     * than the current bound is ignored. Bytes already supplied are re-checked against the
     * resulting bound.
     *
     * @param j maximum input length in bytes; must not be negative
     * @throws IllegalStateException if more bytes than the resulting bound were already supplied
     */
    @Override // com.amazonaws.encryptionsdk.internal.MessageCryptoHandler
    public void setMaxInputLength(long j) {
        if (j < 0) {
            throw Utils.cannotBeNegative("Max input length");
        }
        if (this.ciphertextSizeBound_ == -1 || this.ciphertextSizeBound_ > j) {
            this.ciphertextSizeBound_ = j;
        }
        checkSizeBound(0L);
    }

    /** Returns the current ciphertext size bound, or -1 if none has been set. */
    long getMaxInputLength() {
        return this.ciphertextSizeBound_;
    }

    /**
     * Checks the header tag using the derived decryption key.
     *
     * @param ciphertextHeaders headers whose tag and nonce are checked
     * @param bArr serialized encryption-context bytes appended to the header's authenticated
     *     fields before the check
     * @throws BadCiphertextException if the cipher operation rejects the header
     */
    private void verifyHeaderIntegrity(CiphertextHeaders ciphertextHeaders, byte[] bArr) throws BadCiphertextException {
        // NOTE(review): the literal 2 is presumably javax.crypto.Cipher.DECRYPT_MODE inlined by the
        // decompiler; confirm against CipherHandler.
        CipherHandler cipherHandler = new CipherHandler(this.decryptionKey_, 2, this.cryptoAlgo_);
        try {
            byte[] headerTag = ciphertextHeaders.getHeaderTag();
            // The result is discarded: only success or failure of the operation matters here.
            cipherHandler.cipherData(ciphertextHeaders.getHeaderNonce(), org.bouncycastle.util.Arrays.concatenate(ciphertextHeaders.serializeAuthenticatedFields(), bArr), headerTag, 0, headerTag.length);
        } catch (BadCiphertextException e) {
            throw new BadCiphertextException("Header integrity check failed.", e);
        }
    }

    /**
     * Validates the parsed header against the configured policies, requests decryption materials,
     * derives the decryption key, prepares signature verification, checks header integrity and
     * creates the body handler.
     *
     * <p>Order matters: the type, commitment-policy, data-key-count and signature-policy checks run
     * before the materials manager is asked for keys, and the header integrity check runs before
     * the body handler is created and before {@code ciphertextHeadersParsed_} is set.
     *
     * @param ciphertextHeaders fully parsed headers
     * @throws BadCiphertextException if the message type is wrong or the header integrity check
     *     fails
     * @throws AwsCryptoException on policy conflicts, too many encrypted data keys, an unexpected
     *     trailing signature key, or key/signature setup failures
     */
    private void readHeaderFields(CiphertextHeaders ciphertextHeaders) {
        this.cryptoAlgo_ = ciphertextHeaders.getCryptoAlgoId();
        if (ciphertextHeaders.getType() != CiphertextType.CUSTOMER_AUTHENTICATED_ENCRYPTED_DATA) {
            throw new BadCiphertextException("Invalid type in ciphertext.");
        }
        byte[] messageId = ciphertextHeaders.getMessageId();
        // NOTE(review): messageId is a byte[], so concatenating it into the messages below prints
        // the array's default toString() rather than the ID bytes.
        if (!this.commitmentPolicy_.algorithmAllowedForDecrypt(this.cryptoAlgo_)) {
            throw new AwsCryptoException("Configuration conflict. Cannot decrypt message with ID " + messageId + " due to CommitmentPolicy " + this.commitmentPolicy_ + " requiring only committed messages. Algorithm ID was " + this.cryptoAlgo_ + ". See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/troubleshooting-migration.html");
        }
        // A limit <= 0 disables this check. For headers handed in already parsed, this is the only
        // place in this class where the limit is applied.
        if (this.maxEncryptedDataKeys_ > 0 && this.ciphertextHeaders_.getEncryptedKeyBlobCount() > this.maxEncryptedDataKeys_) {
            throw new AwsCryptoException("Ciphertext encrypted data keys exceed maxEncryptedDataKeys");
        }
        if (!this.signaturePolicy_.algorithmAllowedForDecrypt(this.cryptoAlgo_)) {
            throw new AwsCryptoException("Configuration conflict. Cannot decrypt message with ID " + messageId + " because AwsCrypto.createUnsignedMessageDecryptingStream()  accepts only unsigned messages. Algorithm ID was " + this.cryptoAlgo_ + ".");
        }
        DecryptionMaterialsHandler decryptMaterials = this.cmmHandler_.decryptMaterials(DecryptionMaterialsRequest.newBuilder().setAlgorithm(this.cryptoAlgo_).setEncryptionContext(ciphertextHeaders.getEncryptionContextMap()).setReproducedEncryptionContext(this.reproducedEncryptionContext_).setEncryptedDataKeys(ciphertextHeaders.getEncryptedKeyBlobs()).build(), this.commitmentPolicy_);
        // The context exposed to callers is the one returned with the materials, not the raw
        // header map.
        this.encryptionContext_ = decryptMaterials.getEncryptionContext();
        List<String> requiredEncryptionContextKeys = decryptMaterials.getRequiredEncryptionContextKeys();
        // Serialize only the entries whose keys are listed as required; these bytes are included
        // in the header integrity check below.
        byte[] serialize = EncryptionContextSerializer.serialize((Map) this.encryptionContext_.entrySet().stream().filter(entry -> {
            return requiredEncryptionContextKeys.contains(entry.getKey());
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        })));
        this.dataKey_ = (DataKey<K>) decryptMaterials.getDataKey();
        PublicKey trailingSignatureKey = decryptMaterials.getTrailingSignatureKey();
        try {
            this.decryptionKey_ = this.cryptoAlgo_.getEncryptionKeyFromDataKey(this.dataKey_.getKey(), ciphertextHeaders);
            if (this.cryptoAlgo_.getTrailingSignatureLength() > 0) {
                // Signed suite: a verification key is mandatory.
                Utils.assertNonNull(trailingSignatureKey, "trailing public key");
                try {
                    this.trailingSig_ = Signature.getInstance(TrailingSignatureAlgorithm.forCryptoAlgorithm(this.cryptoAlgo_).getHashAndSignAlgorithm());
                    this.trailingSig_.initVerify(trailingSignatureKey);
                } catch (GeneralSecurityException e) {
                    throw new AwsCryptoException(e);
                }
            } else {
                // Unsigned suite: a signature key in the materials is treated as an error rather
                // than silently ignored.
                if (trailingSignatureKey != null) {
                    throw new AwsCryptoException("Unexpected trailing signature key in context");
                }
                this.trailingSig_ = null;
            }
            ContentType contentType = ciphertextHeaders.getContentType();
            short nonceLength = ciphertextHeaders.getNonceLength();
            int frameLength = ciphertextHeaders.getFrameLength();
            // Authenticate the header before building the body handler from its fields.
            verifyHeaderIntegrity(ciphertextHeaders, serialize);
            // NOTE(review): there is no default branch; for any other ContentType value the body
            // handler stays null while ciphertextHeadersParsed_ is still set to true below.
            switch (contentType) {
                case FRAME:
                    this.contentCryptoHandler_ = new FrameDecryptionHandler(this.decryptionKey_, (byte) nonceLength, this.cryptoAlgo_, messageId, frameLength);
                    break;
                case SINGLEBLOCK:
                    this.contentCryptoHandler_ = new BlockDecryptionHandler(this.decryptionKey_, (byte) nonceLength, this.cryptoAlgo_, messageId);
                    break;
            }
            this.ciphertextHeadersParsed_ = true;
        } catch (InvalidKeyException e2) {
            throw new AwsCryptoException(e2);
        }
    }

    /**
     * Feeds the serialized header into the signature verifier. No-op for suites without a
     * trailing signature.
     */
    private void updateTrailingSignature(CiphertextHeaders ciphertextHeaders) {
        if (this.trailingSig_ != null) {
            byte[] byteArray = ciphertextHeaders.toByteArray();
            updateTrailingSignature(byteArray, 0, byteArray.length);
        }
    }

    /**
     * Feeds {@code i2} bytes of {@code bArr} starting at offset {@code i} into the signature
     * verifier. No-op for suites without a trailing signature.
     *
     * @throws AwsCryptoException wrapping any {@code SignatureException} from the verifier
     */
    private void updateTrailingSignature(byte[] bArr, int i, int i2) {
        if (this.trailingSig_ != null) {
            try {
                this.trailingSig_.update(bArr, i, i2);
            } catch (SignatureException e) {
                throw new AwsCryptoException(e);
            }
        }
    }

    /** Returns the header object this handler parses into or was constructed with. */
    @Override // com.amazonaws.encryptionsdk.internal.MessageCryptoHandler
    public CiphertextHeaders getHeaders() {
        return this.ciphertextHeaders_;
    }

    /**
     * Returns a single-element list holding the master key of the data key used for decryption.
     * The data key is only assigned in {@code readHeaderFields}, so calling this before the
     * header has been processed fails with a {@code NullPointerException}.
     */
    @Override // com.amazonaws.encryptionsdk.internal.MessageCryptoHandler
    public List<K> getMasterKeys() {
        return Collections.singletonList(this.dataKey_.getMasterKey());
    }

    /**
     * Returns {@code true} once the whole message has been processed and, for signed suites, the
     * trailing signature has verified.
     */
    @Override // com.amazonaws.encryptionsdk.internal.CryptoHandler
    public boolean isComplete() {
        return this.complete_;
    }
}
