package software.amazon.encryption.s3.materials;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.LogFactory;
import software.amazon.encryption.s3.S3EncryptionClient;
import software.amazon.encryption.s3.S3EncryptionClientException;

/* loaded from: input_file:software/amazon/encryption/s3/materials/S3Keyring.class */
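/**
 * Base keyring that wraps a data key on encrypt and unwraps it on decrypt, delegating the
 * key operations themselves to strategies supplied by concrete subclasses.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Decryption accepts exactly one encrypted data key, and only when its provider ID equals
 *       {@link #KEY_PROVIDER_ID}.</li>
 *   <li>The unwrap strategy is looked up in the subclass's {@link #decryptDataKeyStrategies()}
 *       map, which acts as an allow-list; unknown wrapping algorithms are rejected.</li>
 *   <li>Strategies that report {@code isLegacy()} are refused unless the keyring was built with
 *       {@code enableLegacyWrappingAlgorithms(true)}. The flag is off by default and is only
 *       consulted on the decrypt path.</li>
 * </ul>
 *
 * <p>This listing is decompiler output (JADX); identifiers such as {@code build2} and
 * {@code mo40s3Request} are decompiler renames and are kept as found.
 */
public abstract class S3Keyring implements Keyring {
    /** Provider ID written into every encrypted data key produced here and required by {@link #onDecrypt}. */
    public static final String KEY_PROVIDER_ID = "S3Keyring";
    protected final DataKeyGenerator _dataKeyGenerator;
    private final boolean _enableLegacyWrappingAlgorithms;
    private final SecureRandom _secureRandom;

    /**
     * Self-typed builder shared by all keyring implementations.
     *
     * @param <KeyringT> concrete keyring type produced by {@link #build2()}
     * @param <BuilderT> concrete builder type, returned by each setter for chaining
     */
    /* loaded from: input_file:software/amazon/encryption/s3/materials/S3Keyring$Builder.class */
    public static abstract class Builder<KeyringT extends S3Keyring, BuilderT extends Builder<KeyringT, BuilderT>> {
        // No default: stays null unless secureRandom(...) is called.
        // NOTE(review): that null is later handed to EncryptDataKeyStrategy.encryptDataKey;
        // confirm every strategy tolerates it or that concrete builders always set a value.
        private SecureRandom _secureRandom;
        // Legacy unwrapping is opt-in.
        private boolean _enableLegacyWrappingAlgorithms = false;
        private DataKeyGenerator _dataKeyGenerator = new DefaultDataKeyGenerator();

        /** Returns {@code this} typed as the concrete builder so setters can be chained. */
        protected abstract BuilderT builder();

        /**
         * Allows or forbids decryption with wrapping algorithms whose strategy reports
         * {@code isLegacy()}.
         *
         * @param z {@code true} to permit legacy unwrapping; the default is {@code false}
         * @return this builder
         */
        public BuilderT enableLegacyWrappingAlgorithms(boolean z) {
            this._enableLegacyWrappingAlgorithms = z;
            return builder();
        }

        /**
         * Sets the randomness source passed to the key-wrapping strategy.
         *
         * <p>The instance is stored by reference, not copied, which is what the SpotBugs
         * suppression acknowledges; the caller keeps a handle on the same object.
         *
         * @param secureRandom non-null randomness source
         * @return this builder
         * @throws S3EncryptionClientException if {@code secureRandom} is null
         */
        @SuppressFBWarnings({"EI_EXPOSE_REP"})
        public BuilderT secureRandom(SecureRandom secureRandom) {
            if (secureRandom == null) {
                throw new S3EncryptionClientException("SecureRandom provided to S3Keyring cannot be null");
            }
            this._secureRandom = secureRandom;
            return builder();
        }

        /**
         * Replaces the default data key generator.
         *
         * @param dataKeyGenerator non-null generator used by {@link S3Keyring#defaultGenerateDataKey}
         * @return this builder
         * @throws S3EncryptionClientException if {@code dataKeyGenerator} is null
         */
        public BuilderT dataKeyGenerator(DataKeyGenerator dataKeyGenerator) {
            if (dataKeyGenerator == null) {
                throw new S3EncryptionClientException("DataKeyGenerator cannot be null!");
            }
            this._dataKeyGenerator = dataKeyGenerator;
            return builder();
        }

        /**
         * Builds the concrete keyring.
         *
         * <p>The decompiler renamed this method from {@code build}; the generated name is kept
         * so the rest of the decompiled tree still resolves it.
         */
        /* renamed from: build */
        public abstract KeyringT build2();
    }

    /**
     * Copies the builder's settings into this keyring.
     *
     * <p>The fields are read through the parameterized builder type rather than a raw cast, so
     * the compiler keeps checking the assignments.
     *
     * @param builder builder holding the legacy flag, randomness source and data key generator
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public S3Keyring(Builder<?, ?> builder) {
        this._enableLegacyWrappingAlgorithms = builder._enableLegacyWrappingAlgorithms;
        this._secureRandom = builder._secureRandom;
        this._dataKeyGenerator = builder._dataKeyGenerator;
    }

    /**
     * Generates a fresh data key with the configured {@link DataKeyGenerator} for the materials'
     * algorithm suite and crypto provider.
     *
     * <p>The encoded key bytes are placed in the returned materials; nothing in this method
     * clears them afterwards.
     *
     * @param encryptionMaterials materials that supply the algorithm suite and crypto provider
     * @return a copy of the materials carrying the new plaintext data key
     */
    public EncryptionMaterials defaultGenerateDataKey(EncryptionMaterials encryptionMaterials) {
        byte[] plaintextKey = this._dataKeyGenerator
                .generateDataKey(encryptionMaterials.algorithmSuite(), encryptionMaterials.cryptoProvider())
                .getEncoded();
        return encryptionMaterials.toBuilder().plaintextDataKey(plaintextKey).build();
    }

    /**
     * Ensures the materials carry a plaintext data key and one wrapped copy of it.
     *
     * <p>The encrypt strategy first adjusts the materials. A data key is generated only when
     * none is present, and wrapping is skipped when the materials already hold at least one
     * encrypted data key.
     *
     * @param encryptionMaterials materials for the object being encrypted
     * @return materials containing the plaintext data key and its encrypted form
     * @throws S3EncryptionClientException if building or wrapping the encrypted data key fails;
     *     the original exception is kept as the cause
     */
    @Override // software.amazon.encryption.s3.materials.Keyring
    public EncryptionMaterials onEncrypt(EncryptionMaterials encryptionMaterials) {
        EncryptDataKeyStrategy wrapStrategy = encryptDataKeyStrategy();
        EncryptionMaterials materials = wrapStrategy.modifyMaterials(encryptionMaterials);
        if (materials.plaintextDataKey() == null) {
            materials = generateDataKeyStrategy().generateDataKey(materials);
        }
        // Already wrapped (by the strategy calls above or by the caller): nothing left to do.
        if (!materials.encryptedDataKeys().isEmpty()) {
            return materials;
        }
        try {
            EncryptedDataKey wrappedKey = EncryptedDataKey.builder()
                    .keyProviderId(KEY_PROVIDER_ID)
                    .keyProviderInfo(wrapStrategy.keyProviderInfo().getBytes(StandardCharsets.UTF_8))
                    .encryptedDataKey(wrapStrategy.encryptDataKey(this._secureRandom, materials))
                    .build();
            // Copy before appending so the list held by the incoming materials is not mutated.
            List<EncryptedDataKey> wrappedKeys = new ArrayList<>(materials.encryptedDataKeys());
            wrappedKeys.add(wrappedKey);
            return materials.toBuilder().encryptedDataKeys(wrappedKeys).build();
        } catch (Exception e) {
            throw new S3EncryptionClientException("Unable to " + wrapStrategy.keyProviderInfo() + " wrap", e);
        }
    }

    /** Strategy used by {@link #onEncrypt} to create a data key when the materials have none. */
    protected abstract GenerateDataKeyStrategy generateDataKeyStrategy();

    /** Strategy used by {@link #onEncrypt} to adjust the materials and wrap the data key. */
    protected abstract EncryptDataKeyStrategy encryptDataKeyStrategy();

    /**
     * Unwraps the single encrypted data key and returns materials holding the plaintext key.
     *
     * <p>The checks run in this order: the materials must not already hold a plaintext key,
     * exactly one encrypted data key must be supplied, its provider ID must equal
     * {@link #KEY_PROVIDER_ID}, its provider info must name a strategy in
     * {@link #decryptDataKeyStrategies()}, and a legacy strategy requires the legacy flag.
     *
     * @param decryptionMaterials materials for the object being decrypted
     * @param list encrypted data keys read for the object; must contain exactly one entry
     * @return a copy of the materials carrying the unwrapped plaintext data key
     * @throws S3EncryptionClientException if any check fails or the strategy throws a
     *     {@link GeneralSecurityException}; other runtime exceptions propagate unchanged
     */
    @Override // software.amazon.encryption.s3.materials.Keyring
    public DecryptionMaterials onDecrypt(DecryptionMaterials decryptionMaterials, List<EncryptedDataKey> list) {
        if (decryptionMaterials.plaintextDataKey() != null) {
            throw new S3EncryptionClientException("Decryption materials already contains a plaintext data key.");
        }
        if (list.size() != 1) {
            throw new S3EncryptionClientException("Only one encrypted data key is supported, found: " + list.size());
        }
        EncryptedDataKey encryptedDataKey = list.get(0);
        String keyProviderId = encryptedDataKey.keyProviderId();
        if (!KEY_PROVIDER_ID.equals(keyProviderId)) {
            throw new S3EncryptionClientException("Unknown key provider: " + keyProviderId);
        }
        // NOTE(review): the provider ID and provider info presumably come from the stored
        // object's metadata and are concatenated into exception messages as-is; treat those
        // messages as untrusted text when they are written to logs.
        String wrappingAlgorithm = new String(encryptedDataKey.keyProviderInfo(), StandardCharsets.UTF_8);
        // Only algorithms the subclass registered can be selected by the object's metadata.
        DecryptDataKeyStrategy unwrapStrategy = decryptDataKeyStrategies().get(wrappingAlgorithm);
        if (unwrapStrategy == null) {
            throw new S3EncryptionClientException("The keyring does not support the object's key wrapping algorithm: " + wrappingAlgorithm);
        }
        // Legacy algorithms are refused unless the keyring was explicitly configured to allow them.
        if (unwrapStrategy.isLegacy() && !this._enableLegacyWrappingAlgorithms) {
            throw new S3EncryptionClientException("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: " + wrappingAlgorithm);
        }
        try {
            byte[] plaintextKey = unwrapStrategy.decryptDataKey(decryptionMaterials, encryptedDataKey.encryptedDatakey());
            return decryptionMaterials.toBuilder().plaintextDataKey(plaintextKey).build();
        } catch (GeneralSecurityException e) {
            throw new S3EncryptionClientException("Unable to " + wrappingAlgorithm + " unwrap", e);
        }
    }

    /** Unwrap strategies keyed by the provider-info string stored with the encrypted data key. */
    protected abstract Map<String, DecryptDataKeyStrategy> decryptDataKeyStrategies();

    /**
     * Logs a warning when the request's override configuration carries the
     * {@code S3EncryptionClient.ENCRYPTION_CONTEXT} execution attribute.
     *
     * <p>The message names the concrete keyring class and states that the encryption context
     * gives no security benefit there. The request is not rejected or modified.
     *
     * @param encryptionMaterials materials whose S3 request is inspected
     */
    public void warnIfEncryptionContextIsPresent(EncryptionMaterials encryptionMaterials) {
        encryptionMaterials.mo40s3Request()
                .overrideConfiguration()
                .flatMap(overrideConfig -> overrideConfig.executionAttributes().getOptionalAttribute(S3EncryptionClient.ENCRYPTION_CONTEXT))
                .ifPresent(ignoredContext -> LogFactory.getLog(getClass()).warn("Usage of Encryption Context provides no security benefit in " + getClass().getSimpleName()));
    }
}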
