package com.amazonaws.c3r;

import com.amazonaws.c3r.config.ClientSettings;
import com.amazonaws.c3r.data.ClientDataInfo;
import com.amazonaws.c3r.data.ClientDataType;
import com.amazonaws.c3r.encryption.EncryptionContext;
import com.amazonaws.c3r.encryption.Encryptor;
import com.amazonaws.c3r.exception.C3rIllegalArgumentException;
import com.amazonaws.c3r.exception.C3rRuntimeException;
import com.amazonaws.c3r.internal.AdditionalAuthenticatedData;
import com.amazonaws.c3r.internal.InitializationVector;
import com.amazonaws.c3r.internal.Nonce;
import com.amazonaws.c3r.internal.PadUtil;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/* loaded from: input_file:com/amazonaws/c3r/SealedTransformer.class */
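/**
 * Transformer that encrypts ("seals") string column values and reverses the operation.
 *
 * <p>Marshalled layout, as assembled by {@link #marshal} and {@link #buildBase64EncodedMessage}:
 * {@code "01:enc:" || Base64(nonce[32] || iv[12] || ciphertext)}. The plaintext handed to the
 * {@link Encryptor} is {@code dataInfoTag[1] || paddedValue}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The additional authenticated data is the constant descriptor prefix only; no per-row or
 *       per-column value is passed as AAD by this class.</li>
 *   <li>On encryption the IV is derived from the column label and the nonce; on decryption the IV
 *       is read back from the message and the column label is the fixed placeholder
 *       {@code "UNMARSHAL"}. NOTE(review): whether a sealed value is bound to its column therefore
 *       depends on how {@code Encryptor} uses the context, which is not visible here.</li>
 *   <li>Everything passed to {@link #unmarshal} is untrusted until {@code Encryptor.decrypt}
 *       has returned successfully.</li>
 * </ul>
 */
public class SealedTransformer extends Transformer {
    /** Format version marker that starts every marshalled value. */
    static final byte[] FORMAT_VERSION = "01:".getBytes(StandardCharsets.UTF_8);

    /** Descriptor that follows the version and marks the value as encrypted. */
    static final byte[] ENCRYPTION_DESCRIPTOR = "enc:".getBytes(StandardCharsets.UTF_8);

    /** Version and descriptor concatenated, as text. */
    public static final String DESCRIPTOR_PREFIX_STRING = new String(FORMAT_VERSION, StandardCharsets.UTF_8) + new String(ENCRYPTION_DESCRIPTOR, StandardCharsets.UTF_8);

    /** Version and descriptor concatenated, as bytes; written in clear in front of the Base64 body. */
    static final byte[] DESCRIPTOR_PREFIX = DESCRIPTOR_PREFIX_STRING.getBytes(StandardCharsets.UTF_8);

    /** AAD used for every encrypt and decrypt call: the constant descriptor prefix. */
    private static final AdditionalAuthenticatedData AAD = new AdditionalAuthenticatedData(DESCRIPTOR_PREFIX);

    /** Size of the data-info tag that precedes the padded value inside the plaintext. */
    private static final int DATA_INFO_TAG_BYTE_LENGTH = 1;

    /** Number of nonce bytes read from the front of a decoded message. */
    private static final int NONCE_BYTE_LENGTH = 32;

    /**
     * Number of IV bytes read after the nonce.
     * NOTE(review): 12 bytes is the customary AES-GCM IV size; the cipher is not visible in this class.
     */
    private static final int IV_BYTE_LENGTH = 12;

    private final Encryptor encryptor;
    private final ClientSettings clientSettings;

    /**
     * Creates a transformer backed by the given encryptor and settings.
     *
     * @param encryptor      performs the actual encryption and decryption
     * @param clientSettings consulted for the preserve-nulls setting during {@link #marshal}
     */
    public SealedTransformer(Encryptor encryptor, ClientSettings clientSettings) {
        this.encryptor = encryptor;
        this.clientSettings = clientSettings;
    }

    /**
     * Encrypts one cell value and returns it in the marshalled layout described on the class.
     *
     * @param bArr              cleartext bytes of the value, or {@code null} for a null cell
     * @param encryptionContext column label, nonce and data type for this value
     * @return the marshalled ciphertext, or {@code null} when the value is null and nulls are preserved
     * @throws C3rIllegalArgumentException if the context is missing, has no data type, or is not a string column
     */
    @Override
    public byte[] marshal(byte[] bArr, EncryptionContext encryptionContext) {
        if (encryptionContext == null) {
            throw new C3rIllegalArgumentException("An EncryptionContext must be provided when encrypting.");
        }
        final ClientDataType dataType = encryptionContext.getClientDataType();
        if (dataType == null) {
            throw new C3rIllegalArgumentException("EncryptionContext missing ClientDataType when encrypting data for column `" + encryptionContext.getColumnLabel() + "`.");
        }
        if (dataType != ClientDataType.STRING) {
            throw new C3rIllegalArgumentException("Only string columns can be encrypted, but encountered non-string column `" + encryptionContext.getColumnLabel() + "`.");
        }
        final boolean valueIsNull = bArr == null;
        if (valueIsNull && this.clientSettings.isPreserveNulls()) {
            // Preserved nulls are emitted in clear: a reader of the output can tell the cell was null.
            return null;
        }
        // When nulls are not preserved, null-ness travels inside the encrypted data-info tag instead.
        final ClientDataInfo dataInfo = ClientDataInfo.builder().type(encryptionContext.getClientDataType()).isNull(valueIsNull).build();
        final byte[] padded = PadUtil.padMessage(bArr, encryptionContext);
        // The IV is derived from (column label, nonce) rather than drawn at random.
        // NOTE(review): IV uniqueness presumably relies on the caller supplying a fresh nonce
        // per row and distinct column labels — confirm at the call site.
        final InitializationVector iv = InitializationVector.deriveIv(encryptionContext.getColumnLabel(), encryptionContext.getNonce());
        final byte[] plaintext = ByteBuffer.allocate(DATA_INFO_TAG_BYTE_LENGTH + padded.length)
                .put(dataInfo.encode())
                .put(padded)
                .array();
        final byte[] ciphertext = this.encryptor.encrypt(plaintext, iv, AAD, encryptionContext);
        final byte[] encodedBody = buildBase64EncodedMessage(ciphertext, encryptionContext.getNonce(), iv);
        final byte[] marshalled = ByteBuffer.allocate(DESCRIPTOR_PREFIX.length + encodedBody.length)
                .put(DESCRIPTOR_PREFIX)
                .put(encodedBody)
                .array();
        validateMarshalledByteLength(marshalled);
        return marshalled;
    }

    /**
     * Decrypts a value produced by {@link #marshal}.
     *
     * <p>Failures are reported with the message of the step that failed. Previously a single
     * catch-all labelled every failure after the header checks, including a decryption failure
     * or an unexpected data type, as a Base64 decoding error, which hides the real cause from
     * whoever triages a rejected ciphertext.
     *
     * @param bArr marshalled ciphertext, or {@code null}
     * @return the cleartext bytes, or {@code null} if the input was null or the sealed value was null
     * @throws C3rRuntimeException if the headers, Base64 body, nonce, IV, decryption or data-info tag are invalid
     */
    @Override
    public byte[] unmarshal(byte[] bArr) {
        if (bArr == null) {
            return null;
        }
        final ByteBuffer marshalled = ByteBuffer.wrap(bArr);
        verifyFormatVersion(marshalled);
        verifyEncryptionDescriptor(marshalled);
        final byte[] encodedBody = new byte[marshalled.remaining()];
        marshalled.get(encodedBody);

        final ByteBuffer message;
        try {
            message = ByteBuffer.wrap(Base64.getDecoder().decode(encodedBody));
        } catch (IllegalArgumentException e) {
            throw new C3rRuntimeException("Ciphertext could not be decoded from Base64.", e);
        }

        try {
            final Nonce nonce = extractNonce(message);
            final InitializationVector iv = extractIv(message);
            final byte[] ciphertext = extractCiphertext(message);
            // The column label is a fixed placeholder and the IV comes from the message itself.
            // NOTE(review): confirm that Encryptor does not need the original column label here.
            final EncryptionContext context = EncryptionContext.builder().nonce(nonce).columnLabel("UNMARSHAL").build();
            final byte[] plaintext = this.encryptor.decrypt(ciphertext, iv, AAD, context);
            if (plaintext == null || plaintext.length < DATA_INFO_TAG_BYTE_LENGTH) {
                // Guard the tag read below instead of relying on an index error being caught.
                throw new C3rRuntimeException("Decrypted data missing data info tag, unable to decode.");
            }
            final ClientDataInfo dataInfo = ClientDataInfo.decode(plaintext[0]);
            if (dataInfo.getType() != ClientDataType.STRING) {
                throw new C3rIllegalArgumentException("Expected encrypted data to be of type string, but found unsupported data type: " + dataInfo.getType());
            }
            if (dataInfo.isNull()) {
                return null;
            }
            return PadUtil.removePadding(Arrays.copyOfRange(plaintext, DATA_INFO_TAG_BYTE_LENGTH, plaintext.length));
        } catch (C3rRuntimeException e) {
            // Already carries an accurate message; do not relabel it.
            throw e;
        } catch (Exception e) {
            // Anything else is still surfaced as C3rRuntimeException, as before.
            throw new C3rRuntimeException("Ciphertext could not be decrypted.", e);
        }
    }

    /**
     * Returns a copy of the format version marker.
     *
     * @return a fresh array so callers cannot modify the shared constant
     */
    @Override
    public byte[] getVersion() {
        return FORMAT_VERSION.clone();
    }

    /**
     * Returns a copy of the encryption descriptor.
     *
     * @return a fresh array so callers cannot modify the shared constant
     */
    @Override
    byte[] getEncryptionDescriptor() {
        return ENCRYPTION_DESCRIPTOR.clone();
    }

    /**
     * Concatenates nonce, IV and ciphertext, in that order, and Base64-encodes the result.
     *
     * @param bArr                 ciphertext bytes
     * @param nonce                nonce stored at the front of the message
     * @param initializationVector IV stored after the nonce
     * @return Base64 encoding of {@code nonce || iv || ciphertext}
     */
    byte[] buildBase64EncodedMessage(byte[] bArr, Nonce nonce, InitializationVector initializationVector) {
        final byte[] nonceBytes = nonce.getBytes();
        final byte[] ivBytes = initializationVector.getBytes();
        final ByteBuffer message = ByteBuffer.allocate(nonceBytes.length + ivBytes.length + bArr.length);
        message.put(nonceBytes).put(ivBytes).put(bArr);
        return Base64.getEncoder().encode(message.array());
    }

    /**
     * Consumes the version marker from the buffer and checks it against {@link #FORMAT_VERSION}.
     *
     * @param byteBuffer buffer positioned at the start of the marshalled value
     * @throws C3rRuntimeException if the marker is absent or different
     */
    void verifyFormatVersion(ByteBuffer byteBuffer) {
        if (byteBuffer.remaining() < FORMAT_VERSION.length) {
            throw new C3rRuntimeException("Ciphertext missing version header, unable to decrypt.");
        }
        final byte[] observed = new byte[FORMAT_VERSION.length];
        byteBuffer.get(observed);
        if (!Arrays.equals(FORMAT_VERSION, observed)) {
            throw new C3rRuntimeException("Ciphertext version mismatch. Expected `" + Arrays.toString(FORMAT_VERSION) + "` but was `" + Arrays.toString(observed) + "`.");
        }
    }

    /**
     * Consumes the encryption descriptor from the buffer and checks it against
     * {@link #ENCRYPTION_DESCRIPTOR}.
     *
     * @param byteBuffer buffer positioned just after the version marker
     * @throws C3rRuntimeException if the descriptor is absent or different
     */
    void verifyEncryptionDescriptor(ByteBuffer byteBuffer) {
        if (byteBuffer.remaining() < ENCRYPTION_DESCRIPTOR.length) {
            throw new C3rRuntimeException("Ciphertext missing description header, unable to decrypt.");
        }
        final byte[] observed = new byte[ENCRYPTION_DESCRIPTOR.length];
        byteBuffer.get(observed);
        if (!Arrays.equals(ENCRYPTION_DESCRIPTOR, observed)) {
            // NOTE(review): the observed bytes come from unauthenticated input and are placed in
            // the message as text; escape or hex-encode them wherever this message is logged.
            throw new C3rRuntimeException("Ciphertext descriptor mismatch. Expected `" + new String(ENCRYPTION_DESCRIPTOR, StandardCharsets.UTF_8) + "` but was `" + new String(observed, StandardCharsets.UTF_8) + "`.");
        }
    }

    /**
     * Reads the nonce from the front of the decoded message.
     *
     * @param byteBuffer decoded message positioned at the nonce
     * @return the nonce built from the next {@value #NONCE_BYTE_LENGTH} bytes
     * @throws C3rRuntimeException if fewer bytes remain than a nonce needs
     */
    Nonce extractNonce(ByteBuffer byteBuffer) {
        if (byteBuffer.remaining() < NONCE_BYTE_LENGTH) {
            throw new C3rRuntimeException("Ciphertext missing nonce, unable to decrypt.");
        }
        final byte[] nonceBytes = new byte[NONCE_BYTE_LENGTH];
        byteBuffer.get(nonceBytes);
        return new Nonce(nonceBytes);
    }

    /**
     * Reads the IV that follows the nonce in the decoded message.
     *
     * @param byteBuffer decoded message positioned at the IV
     * @return the IV built from the next {@value #IV_BYTE_LENGTH} bytes
     * @throws C3rRuntimeException if fewer bytes remain than an IV needs
     */
    InitializationVector extractIv(ByteBuffer byteBuffer) {
        if (byteBuffer.remaining() < IV_BYTE_LENGTH) {
            throw new C3rRuntimeException("Ciphertext missing IV, unable to decrypt.");
        }
        final byte[] ivBytes = new byte[IV_BYTE_LENGTH];
        byteBuffer.get(ivBytes);
        return new InitializationVector(ivBytes);
    }

    /**
     * Reads every remaining byte of the decoded message as the ciphertext.
     *
     * @param byteBuffer decoded message positioned just after the IV
     * @return the remaining bytes; empty if none remain
     */
    byte[] extractCiphertext(ByteBuffer byteBuffer) {
        final byte[] ciphertext = new byte[byteBuffer.remaining()];
        byteBuffer.get(ciphertext);
        return ciphertext;
    }
}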
