package com.amazonaws.cloudhsm.jce.provider;

import com.amazonaws.cloudhsm.jce.jni.CloudHsmCipher;
import com.amazonaws.cloudhsm.jce.jni.Session;
import com.amazonaws.cloudhsm.jce.jni.UnwrapKeyBuilder;
import com.amazonaws.cloudhsm.jce.jni.exception.AesGcmInvalidParametersException;
import com.amazonaws.cloudhsm.jce.jni.exception.InvalidIvException;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyType;
import com.amazonaws.cloudhsm.jce.provider.attributes.ObjectClassType;
import com.amazonaws.cloudhsm.jce.provider.spec.GCMUnwrapKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.text.MessageFormat;
import java.util.HashSet;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.GCMParameterSpec;

/* loaded from: input_file:BOOT-INF/lib/cloudhsm-jce-0.0.1-SNAPSHOT.jar:com/amazonaws/cloudhsm/jce/provider/AesGcmCipher.class */
public class AesGcmCipher extends CloudHsmCipherBase {
    static final HashSet<String> supportedModes = (HashSet) Stream.of(Mode.GCM.toString()).collect(Collectors.toCollection(HashSet::new));
    static final HashSet<String> supportedPaddings = (HashSet) Stream.of(Padding.NO_PADDING.toString()).collect(Collectors.toCollection(HashSet::new));
    static final HashSet<Integer> supportedOpModes = (HashSet) Stream.of((Object[]) new Integer[]{1, 2, 3, 4}).collect(Collectors.toCollection(HashSet::new));
    private static final int DEFAULT_TAG_LENGTH_IN_BITS = 128;
    static final String ALGORITHM_STRING = "AES GCM No Padding";
    ByteArrayOutputStream aadBuffer;
    long tagLengthBits;
    boolean isFinalized;
    boolean isUpdateAlreadyCalled;

    public AesGcmCipher(CloudHsmProvider cloudHsmProvider) throws IllegalStateException {
        super(Mode.GCM, Padding.NO_PADDING, cloudHsmProvider);
        this.aadBuffer = new ByteArrayOutputStream();
        this.isFinalized = false;
        this.isUpdateAlreadyCalled = false;
    }

    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase
    synchronized HashSet<String> getSupportedModes() {
        return (HashSet) supportedModes.clone();
    }

    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase
    synchronized HashSet<String> getSupportedPaddings() {
        return (HashSet) supportedPaddings.clone();
    }

    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase
    synchronized HashSet<Integer> getSupportedOpModes() {
        return (HashSet) supportedOpModes.clone();
    }

    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase
    Optional<CloudHsmCipher> initCipherInstance() throws AesGcmInvalidParametersException {
        byte[] aadBufferAndResetBuffer = getAadBufferAndResetBuffer();
        CloudHsmKey cloudHsmKey = getCloudHsmKey();
        switch (this.opMode) {
            case 1:
                return getEncryptInstance(cloudHsmKey, aadBufferAndResetBuffer);
            case 2:
                return getDecryptInstance(cloudHsmKey, aadBufferAndResetBuffer);
            case 3:
                return getWrapInstance(aadBufferAndResetBuffer);
            case 4:
                return getUnwrapInstance();
            default:
                throw new UnsupportedOperationException(MessageFormat.format(ErrorMessages.CIPHER_OPERATION_MODE_NOT_SUPPORTED.getMessage(), Integer.valueOf(this.opMode)));
        }
    }

    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase
    protected void initAlgorithmParamSpecOrCreateDefault(Optional<AlgorithmParameterSpec> optional) throws InvalidAlgorithmParameterException {
        AlgorithmParameterSpec orElseThrow = this.opMode == 2 || this.opMode == 4 ? optional.orElseThrow(() -> {
            return new InvalidAlgorithmParameterException(ErrorMessages.CIPHER_GCM_PARAMETER_SPEC_PROVIDED_IS_NULL.getMessage());
        }) : optional.orElse(getDefaultAesGcmAlgorithmParameters());
        if ((orElseThrow instanceof GCMUnwrapKeySpec) && this.opMode == 4) {
            setKeyAttributes(((GCMUnwrapKeySpec) orElseThrow).getKeySpec());
            setIv(((GCMUnwrapKeySpec) orElseThrow).getGcmSpec().getIV());
            this.tagLengthBits = ((GCMUnwrapKeySpec) orElseThrow).getGcmSpec().getTLen();
        } else {
            if (!(orElseThrow instanceof GCMParameterSpec)) {
                throw new InvalidAlgorithmParameterException(MessageFormat.format(ErrorMessages.CIPHER_UNSUPPORTED_PARAM_SPEC.getMessage(), ALGORITHM_STRING));
            }
            setIv(((GCMParameterSpec) orElseThrow).getIV());
            this.tagLengthBits = ((GCMParameterSpec) orElseThrow).getTLen();
        }
    }

    private synchronized void validateNotFinalized() {
        if (this.isFinalized) {
            if (this.opMode == 1 || this.opMode == 3) {
                throw new IllegalStateException(ErrorMessages.CIPHER_OPERATION_ALREADY_FINALIZED.getMessage());
            }
        }
    }

    private synchronized void setUpdateAlreadyCalled(boolean z) {
        this.isUpdateAlreadyCalled = z;
    }

    private synchronized void validateUpdateNotAlreadyCalled() {
        if (this.isUpdateAlreadyCalled) {
            throw new IllegalStateException(ErrorMessages.UPDATE_OPERATION_ALREADY_CALLED.getMessage());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase, javax.crypto.CipherSpi
    public synchronized void engineInit(int i, Key key, SecureRandom secureRandom) throws InvalidKeyException {
        this.isFinalized = false;
        setUpdateAlreadyCalled(false);
        super.engineInit(i, key, secureRandom);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase, javax.crypto.CipherSpi
    public synchronized void engineInit(int i, Key key, AlgorithmParameterSpec algorithmParameterSpec, SecureRandom secureRandom) throws InvalidKeyException, InvalidAlgorithmParameterException {
        this.isFinalized = false;
        setUpdateAlreadyCalled(false);
        super.engineInit(i, key, algorithmParameterSpec, secureRandom);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase, javax.crypto.CipherSpi
    public synchronized byte[] engineUpdate(byte[] bArr, int i, int i2) {
        validateNotFinalized();
        setUpdateAlreadyCalled(true);
        return super.engineUpdate(bArr, i, i2);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase, javax.crypto.CipherSpi
    public synchronized int engineUpdate(byte[] bArr, int i, int i2, byte[] bArr2, int i3) throws ShortBufferException {
        validateNotFinalized();
        setUpdateAlreadyCalled(true);
        return super.engineUpdate(bArr, i, i2, bArr2, i3);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase, javax.crypto.CipherSpi
    public synchronized byte[] engineWrap(Key key) throws IllegalBlockSizeException, InvalidKeyException {
        validateNotFinalized();
        byte[] engineWrap = super.engineWrap(key);
        this.isFinalized = true;
        return engineWrap;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase, javax.crypto.CipherSpi
    public synchronized byte[] engineDoFinal(byte[] bArr, int i, int i2) throws IllegalBlockSizeException, BadPaddingException {
        validateNotFinalized();
        try {
            byte[] engineDoFinal = super.engineDoFinal(bArr, i, i2);
            this.isFinalized = true;
            setUpdateAlreadyCalled(false);
            return engineDoFinal;
        } catch (Throwable th) {
            setUpdateAlreadyCalled(false);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase, javax.crypto.CipherSpi
    public synchronized int engineDoFinal(byte[] bArr, int i, int i2, byte[] bArr2, int i3) throws ShortBufferException, IllegalBlockSizeException, BadPaddingException {
        validateNotFinalized();
        try {
            int engineDoFinal = super.engineDoFinal(bArr, i, i2, bArr2, i3);
            this.isFinalized = true;
            setUpdateAlreadyCalled(false);
            return engineDoFinal;
        } catch (Throwable th) {
            setUpdateAlreadyCalled(false);
            throw th;
        }
    }

    @Override // javax.crypto.CipherSpi
    protected synchronized void engineUpdateAAD(byte[] bArr, int i, int i2) {
        validateNotFinalized();
        validateUpdateNotAlreadyCalled();
        Validations.validateInputBufferForRead(bArr, i, i2);
        this.aadBuffer.write(bArr, i, i2);
    }

    @Override // javax.crypto.CipherSpi
    protected synchronized void engineUpdateAAD(ByteBuffer byteBuffer) {
        throw new UnsupportedOperationException(ErrorMessages.CIPHER_OPERATION_UPDATEAAD_WITH_BYTE_BUFFER_NOT_SUPPORTED.getMessage());
    }

    private GCMParameterSpec getDefaultAesGcmAlgorithmParameters() {
        return new GCMParameterSpec(128, new byte[12]);
    }

    private byte[] getAadBufferAndResetBuffer() {
        ByteArrayOutputStream byteArrayOutputStream = this.aadBuffer;
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        byteArrayOutputStream.reset();
        return byteArray;
    }

    private Optional<CloudHsmCipher> getEncryptInstance(CloudHsmKey cloudHsmKey, byte[] bArr) throws AesGcmInvalidParametersException {
        Optional.empty();
        try {
            Optional<CloudHsmCipher> of = Optional.of(getSession().encryptAesGcm(cloudHsmKey.getCoreKey(), (byte[]) require(getIv()), bArr, Long.valueOf(this.tagLengthBits)));
            setIv(null);
            return of;
        } catch (AesGcmInvalidParametersException e) {
            throw e;
        } catch (Exception e2) {
            throw ErrorHandling.asCloudhsmException(e2);
        }
    }

    private Optional<CloudHsmCipher> getDecryptInstance(CloudHsmKey cloudHsmKey, byte[] bArr) throws AesGcmInvalidParametersException {
        Optional.empty();
        try {
            return Optional.of(getSession().decryptAesGcm(cloudHsmKey.getCoreKey(), (byte[]) require(getIv()), bArr, Long.valueOf(this.tagLengthBits)));
        } catch (AesGcmInvalidParametersException e) {
            throw e;
        } catch (Exception e2) {
            throw ErrorHandling.asCloudhsmException(e2);
        }
    }

    private Optional<CloudHsmCipher> getWrapInstance(byte[] bArr) throws AesGcmInvalidParametersException {
        Optional.empty();
        try {
            return Optional.of(getSession().aesGcmWrap(bArr, Long.valueOf(this.tagLengthBits)));
        } catch (AesGcmInvalidParametersException e) {
            throw e;
        } catch (Exception e2) {
            throw ErrorHandling.asCloudhsmException(e2);
        }
    }

    private Optional<CloudHsmCipher> getUnwrapInstance() throws AesGcmInvalidParametersException {
        Optional.empty();
        try {
            return Optional.of(getSession().aesGcmUnwrapInit((byte[]) require(getIv())));
        } catch (AesGcmInvalidParametersException e) {
            throw e;
        } catch (Exception e2) {
            throw ErrorHandling.asCloudhsmException(e2);
        }
    }

    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase
    protected UnwrapKeyBuilder getUnwrapKeyBuilder(KeyType keyType, ObjectClassType objectClassType) throws Exception {
        return getSession().aesGcmUnwrapBuilder(keyType, objectClassType, (byte[]) require(getIv()), getAadBufferAndResetBuffer(), Long.valueOf(this.tagLengthBits));
    }

    @Override // com.amazonaws.cloudhsm.jce.provider.CloudHsmCipherBase
    protected void validateKey(CloudHsmKey cloudHsmKey) throws InvalidAlgorithmParameterException {
        Session session = getProvider().getSession();
        CloudHsmCipher cloudHsmCipher = null;
        switch (this.opMode) {
            case 1:
                try {
                    session.validateEncryptAesGcm(cloudHsmKey.getCoreKey(), (byte[]) require(getIv()), Long.valueOf(this.tagLengthBits));
                    break;
                } catch (AesGcmInvalidParametersException | InvalidIvException e) {
                    throw e;
                } catch (Exception e2) {
                    throw ErrorHandling.asCloudhsmException(e2);
                }
            case 2:
                try {
                    session.validateDecryptAesGcm(cloudHsmKey.getCoreKey(), (byte[]) require(getIv()), Long.valueOf(this.tagLengthBits));
                    break;
                } catch (AesGcmInvalidParametersException | InvalidIvException e3) {
                    throw e3;
                } catch (Exception e4) {
                    throw ErrorHandling.asCloudhsmException(e4);
                }
            case 3:
                try {
                    cloudHsmCipher = session.aesGcmWrap(new byte[0], Long.valueOf(this.tagLengthBits));
                    break;
                } catch (AesGcmInvalidParametersException e5) {
                    throw e5;
                } catch (Exception e6) {
                    throw ErrorHandling.asCloudhsmException(e6);
                }
            case 4:
                try {
                    cloudHsmCipher = session.aesGcmUnwrapInit(new byte[0]);
                    break;
                } catch (Exception e7) {
                    throw ErrorHandling.asCloudhsmException(e7);
                }
            default:
                throw new UnsupportedOperationException(MessageFormat.format(ErrorMessages.CIPHER_OPERATION_MODE_NOT_SUPPORTED.getMessage(), Integer.valueOf(this.opMode)));
        }
        if (cloudHsmCipher != null) {
            cloudHsmCipher.delete();
        }
    }
}
