package software.amazon.encryption.s3.internal;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.concurrent.CompletableFuture;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import software.amazon.awssdk.core.async.AsyncResponseTransformer;
import software.amazon.awssdk.core.async.SdkPublisher;
import software.amazon.awssdk.services.s3.S3AsyncClient;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;
import software.amazon.encryption.s3.S3EncryptionClientException;
import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
import software.amazon.encryption.s3.legacy.internal.AesCtrUtils;
import software.amazon.encryption.s3.legacy.internal.RangedGetUtils;
import software.amazon.encryption.s3.materials.CryptographicMaterialsManager;
import software.amazon.encryption.s3.materials.DecryptMaterialsRequest;
import software.amazon.encryption.s3.materials.DecryptionMaterials;

/* loaded from: input_file:software/amazon/encryption/s3/internal/GetEncryptedObjectPipeline.class */
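/**
 * Fetches an object through an {@link S3AsyncClient} and wraps the caller's response transformer
 * in a {@link DecryptingResponseTransformer} so the body is decrypted on the way through.
 *
 * <p>Two flags decide how much unauthenticated processing this pipeline permits:
 * <ul>
 *   <li>{@code _enableLegacyUnauthenticatedModes} must be {@code true} for a request carrying a
 *       range to be accepted ({@link #getObject}) and for an algorithm suite reporting
 *       {@code isLegacy()} to be accepted ({@link #prepareMaterialsFromRequest}).</li>
 *   <li>{@code _enableDelayedAuthentication} routes every suite through {@code CipherPublisher};
 *       when it is {@code false}, the suites that are neither CBC nor CTR go through
 *       {@code BufferedCipherPublisher} with {@code _bufferSize}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: comments left by the tool state that some access
 * modifiers were widened from {@code private}.
 */
public class GetEncryptedObjectPipeline {
    private final S3AsyncClient _s3AsyncClient;
    private final CryptographicMaterialsManager _cryptoMaterialsManager;
    private final boolean _enableLegacyUnauthenticatedModes;
    private final boolean _enableDelayedAuthentication;
    private final long _bufferSize;

    /**
     * Fluent builder for {@link GetEncryptedObjectPipeline}.
     *
     * <p>Nothing is validated here. Unset booleans stay {@code false}, so both legacy
     * unauthenticated modes and delayed authentication are off unless explicitly enabled. An
     * unset buffer size stays {@code 0} and unset references stay {@code null}.
     */
    public static class Builder {
        private S3AsyncClient _s3AsyncClient;
        private CryptographicMaterialsManager _cryptoMaterialsManager;
        private boolean _enableLegacyUnauthenticatedModes;
        private boolean _enableDelayedAuthentication;
        private long _bufferSize;

        private Builder() {
        }

        /**
         * Sets the client used for the GetObject call. The reference is stored as given, not
         * copied.
         */
        @SuppressFBWarnings(value = {"EI_EXPOSE_REP2"}, justification = "Pass mutability into wrapping client")
        public Builder s3AsyncClient(S3AsyncClient s3AsyncClient) {
            this._s3AsyncClient = s3AsyncClient;
            return this;
        }

        /** Sets the manager that turns the encrypted data key into decryption materials. */
        public Builder cryptoMaterialsManager(CryptographicMaterialsManager cryptographicMaterialsManager) {
            this._cryptoMaterialsManager = cryptographicMaterialsManager;
            return this;
        }

        /**
         * Allows ranged gets and legacy algorithm suites when {@code true}.
         * Enabling it accepts content whose integrity is not verified during decryption.
         */
        public Builder enableLegacyUnauthenticatedModes(boolean enabled) {
            this._enableLegacyUnauthenticatedModes = enabled;
            return this;
        }

        /** Sets the size handed to {@code BufferedCipherPublisher} on the buffered path. */
        public Builder bufferSize(long bufferSize) {
            this._bufferSize = bufferSize;
            return this;
        }

        /** Selects the streaming {@code CipherPublisher} for every suite when {@code true}. */
        public Builder enableDelayedAuthentication(boolean enabled) {
            this._enableDelayedAuthentication = enabled;
            return this;
        }

        /** Creates the pipeline from the values set so far; performs no null or range checks. */
        public GetEncryptedObjectPipeline build() {
            return new GetEncryptedObjectPipeline(this);
        }
    }

    /**
     * Wraps the caller's transformer: captures the response, derives decryption materials from
     * it, and replaces the ciphertext publisher with a decrypting one.
     *
     * <p>Declared {@code private} in the class file according to the decompiler's note; the
     * {@code public} modifier here is an artifact of decompilation.
     *
     * @param <T> result type produced by the wrapped transformer
     */
    public class DecryptingResponseTransformer<T> implements AsyncResponseTransformer<GetObjectResponse, T> {
        final AsyncResponseTransformer<GetObjectResponse, T> wrappedAsyncResponseTransformer;
        // The caller's request, carrying the range the caller asked for (not the crypto range).
        final GetObjectRequest getObjectRequest;
        ContentMetadata contentMetadata;
        GetObjectResponse getObjectResponse;
        DecryptionMaterials materials;
        ContentMetadataDecodingStrategy contentMetadataStrategy;
        CompletableFuture<T> resultFuture;

        DecryptingResponseTransformer(AsyncResponseTransformer<GetObjectResponse, T> asyncResponseTransformer, GetObjectRequest getObjectRequest) {
            this.contentMetadataStrategy = new ContentMetadataDecodingStrategy(GetEncryptedObjectPipeline.this._s3AsyncClient);
            this.wrappedAsyncResponseTransformer = asyncResponseTransformer;
            this.getObjectRequest = getObjectRequest;
        }

        /** Delegates to the wrapped transformer and keeps a reference to its future. */
        public CompletableFuture<T> prepare() {
            this.resultFuture = this.wrappedAsyncResponseTransformer.prepare();
            return this.resultFuture;
        }

        /**
         * Decodes the content metadata and resolves decryption materials, then forwards the
         * response.
         *
         * <p>Because decoding and material preparation run first, a failure there (for example a
         * refused legacy suite) is thrown before the wrapped transformer sees the response.
         */
        public void onResponse(GetObjectResponse getObjectResponse) {
            this.getObjectResponse = getObjectResponse;
            this.contentMetadata = this.contentMetadataStrategy.decode(this.getObjectRequest, getObjectResponse);
            this.materials = GetEncryptedObjectPipeline.this.prepareMaterialsFromRequest(this.getObjectRequest, getObjectResponse, this.contentMetadata);
            this.wrappedAsyncResponseTransformer.onResponse(getObjectResponse);
        }

        /** Passes the failure straight through to the wrapped transformer. */
        public void exceptionOccurred(Throwable throwable) {
            this.wrappedAsyncResponseTransformer.exceptionOccurred(throwable);
        }

        /**
         * Hands the wrapped transformer a publisher that decrypts {@code ciphertextPublisher}.
         *
         * @throws S3EncryptionClientException if the suite is not one of the three handled below,
         *     or if creating or initialising the cipher fails
         */
        public void onStream(SdkPublisher<ByteBuffer> ciphertextPublisher) {
            long[] desiredRange = RangedGetUtils.getRange(this.materials.mo40s3Request().range());
            long[] cryptoRange = RangedGetUtils.getCryptoRange(this.materials.mo40s3Request().range());
            AlgorithmSuite algorithmSuite = this.materials.algorithmSuite();
            SecretKey dataKey = this.materials.dataKey();
            int tagLengthBits = algorithmSuite.cipherTagLengthBits();
            byte[] iv = this.contentMetadata.contentIv();
            if (algorithmSuite == AlgorithmSuite.ALG_AES_256_CTR_IV16_TAG16_NO_KDF) {
                // CTR only: the IV is adjusted using the first element of the crypto range
                // (presumably the starting byte offset; confirm in AesCtrUtils).
                iv = AesCtrUtils.adjustIV(iv, cryptoRange[0]);
            }
            try {
                // This instance is never handed to either publisher below, which receive the
                // materials and the IV instead. Here it only rejects an unknown suite or a
                // key/IV pair the provider refuses, before any data flows.
                Cipher cipher = CryptoFactory.createCipher(algorithmSuite.cipherName(), this.materials.cryptoProvider());
                switch (algorithmSuite) {
                    case ALG_AES_256_GCM_IV12_TAG16_NO_KDF:
                        cipher.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(tagLengthBits, iv));
                        break;
                    case ALG_AES_256_CTR_IV16_TAG16_NO_KDF:
                    case ALG_AES_256_CBC_IV16_NO_KDF:
                        // Initialised with a bare IV: no tag is supplied to the cipher here, so
                        // it does not verify integrity for these suites.
                        cipher.init(Cipher.DECRYPT_MODE, dataKey, new IvParameterSpec(iv));
                        break;
                    default:
                        throw new S3EncryptionClientException("Unknown algorithm: " + algorithmSuite.cipherName());
                }
                boolean streamDirectly = algorithmSuite == AlgorithmSuite.ALG_AES_256_CBC_IV16_NO_KDF
                        || algorithmSuite == AlgorithmSuite.ALG_AES_256_CTR_IV16_TAG16_NO_KDF
                        || GetEncryptedObjectPipeline.this._enableDelayedAuthentication;
                if (streamDirectly) {
                    // NOTE(review): with delayed authentication a GCM object takes this path, so
                    // plaintext presumably reaches the caller before the tag is checked. Callers
                    // should not act on the data until the future completes. Confirm in
                    // CipherPublisher.
                    this.wrappedAsyncResponseTransformer.onStream(new CipherPublisher(ciphertextPublisher, this.getObjectResponse.contentLength(), desiredRange, this.contentMetadata.contentRange(), algorithmSuite.cipherTagLengthBits(), this.materials, iv));
                } else {
                    // NOTE(review): the builder leaves _bufferSize at 0 unless set; how
                    // BufferedCipherPublisher treats that value is not visible here.
                    this.wrappedAsyncResponseTransformer.onStream(new BufferedCipherPublisher(ciphertextPublisher, this.getObjectResponse.contentLength(), this.materials, iv, GetEncryptedObjectPipeline.this._bufferSize));
                }
            } catch (GeneralSecurityException e) {
                throw new S3EncryptionClientException("Unable to " + algorithmSuite.cipherName() + " content decrypt.", e);
            }
        }
    }

    /** Returns a new, empty {@link Builder}. */
    public static Builder builder() {
        return new Builder();
    }

    private GetEncryptedObjectPipeline(Builder builder) {
        this._s3AsyncClient = builder._s3AsyncClient;
        this._cryptoMaterialsManager = builder._cryptoMaterialsManager;
        this._enableLegacyUnauthenticatedModes = builder._enableLegacyUnauthenticatedModes;
        this._enableDelayedAuthentication = builder._enableDelayedAuthentication;
        this._bufferSize = builder._bufferSize;
    }

    /**
     * Issues the GetObject call with the range rewritten by
     * {@code RangedGetUtils.getCryptoRangeAsString} and decrypts the response.
     *
     * <p>The rewritten request goes to S3; the caller's original request, with the range the
     * caller asked for, is what the decrypting transformer keeps.
     *
     * @param getObjectRequest the caller's request
     * @param asyncResponseTransformer transformer that receives the decrypted content
     * @return the future returned by the S3 client
     * @throws S3EncryptionClientException synchronously, not through the future, when the request
     *     has a range and legacy unauthenticated modes are disabled
     */
    public <T> CompletableFuture<T> getObject(GetObjectRequest getObjectRequest, AsyncResponseTransformer<GetObjectResponse, T> asyncResponseTransformer) {
        GetObjectRequest cryptoRangeRequest = (GetObjectRequest) getObjectRequest.toBuilder().overrideConfiguration(ApiNameVersion.API_NAME_INTERCEPTOR).range(RangedGetUtils.getCryptoRangeAsString(getObjectRequest.range())).build();
        if (this._enableLegacyUnauthenticatedModes || getObjectRequest.range() == null) {
            // Diamond instead of the raw type, so T is checked against the caller's transformer.
            return this._s3AsyncClient.getObject(cryptoRangeRequest, new DecryptingResponseTransformer<>(asyncResponseTransformer, getObjectRequest));
        }
        throw new S3EncryptionClientException("Enable legacy unauthenticated modes to use Ranged Get.");
    }

    /**
     * Resolves decryption materials for the object described by {@code contentMetadata}.
     *
     * <p>The algorithm suite, encrypted data key and encryption context all come from metadata
     * decoded from the S3 response, so they should be treated as untrusted input. The legacy
     * check below keeps that metadata from selecting a legacy suite unless legacy modes were
     * explicitly enabled.
     *
     * <p>Declared {@code private} in the class file according to the decompiler's note.
     *
     * @throws S3EncryptionClientException if the suite is legacy and legacy modes are disabled
     */
    public DecryptionMaterials prepareMaterialsFromRequest(GetObjectRequest getObjectRequest, GetObjectResponse getObjectResponse, ContentMetadata contentMetadata) {
        AlgorithmSuite algorithmSuite = contentMetadata.algorithmSuite();
        if (!this._enableLegacyUnauthenticatedModes && algorithmSuite.isLegacy()) {
            throw new S3EncryptionClientException("Enable legacy unauthenticated modes to use legacy content decryption: " + algorithmSuite.cipherName());
        }
        // contentLength() is unboxed below and would throw NullPointerException if absent.
        DecryptMaterialsRequest decryptMaterialsRequest = DecryptMaterialsRequest.builder()
                .s3Request(getObjectRequest)
                .algorithmSuite(algorithmSuite)
                .encryptedDataKeys(Collections.singletonList(contentMetadata.encryptedDataKey()))
                .encryptionContext(contentMetadata.encryptedDataKeyContext())
                .ciphertextLength(getObjectResponse.contentLength().longValue())
                .build();
        return this._cryptoMaterialsManager.decryptMaterials(decryptMaterialsRequest);
    }
}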
