package com.distelli.persistence.impl.ddb;

import com.amazonaws.services.dynamodbv2.document.Item;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.distelli.crypto.KeyProvider;
import com.distelli.persistence.impl.InvalidEncryptionFormat;
import com.distelli.persistence.impl.MacInputStream;
import com.distelli.persistence.impl.MacOutputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/distelli/persistence/impl/ddb/DDBEncryption.class */
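/**
 * Per-attribute encryption for DynamoDB items.
 *
 * <p>Wire format of an encrypted value, as produced by {@link #encrypt(AttributeValue)}:
 * <pre>
 *   byte 0        format version (currently 1)
 *   bytes 1..16   AES-CBC initialisation vector
 *   bytes 17..n   AES/CBC/PKCS5Padding ciphertext of the packed AttributeValue
 *   last 32 bytes HmacSHA256 tag over everything that precedes it
 * </pre>
 *
 * <p>NOTE(review): the same {@link Key} object is handed to both the HMAC and the AES cipher.
 * Using separate (or derived) keys for encryption and authentication is the usual
 * recommendation; confirm what {@link KeyProvider} returns before relying on this.
 */
class DDBEncryption {
    private static final Logger LOG = LoggerFactory.getLogger(DDBEncryption.class);

    /** Format version stored in the first byte of every encrypted value. */
    private static final int VERSION = 1;
    /** Offset of the IV inside the encrypted value (directly after the version byte). */
    private static final int IV_OFFSET = 1;
    /** Length of the AES-CBC IV in bytes. */
    private static final int IV_LEN = 16;
    /** Version byte plus IV. */
    private static final int HEADER_LEN = 17;
    /** Length of the HmacSHA256 tag appended to every encrypted value. */
    private static final int TRAILER_LEN = 32;
    /** Smallest acceptable encrypted value: 17 + 16 + 32 (header, one cipher block, trailer). */
    private static final int MIN_LEN = 65;
    /** Key id requested from the KeyProvider everywhere in this class; meaning is defined by the provider. */
    private static final long KEY_ID = 1L;

    private final Set<String> _noEncrypt;
    private final KeyProvider _keyProvider;
    private final AttributeValuePacker _packer = new AttributeValuePacker();

    /**
     * @param keyProvider source of the encryption key; may be null, in which case
     *                    {@link #requiresEncryption(String)} is always false
     * @param set         attribute names that are stored in the clear; must not be null.
     *                    The set is wrapped, not copied, so later changes made by the
     *                    caller remain visible to this instance.
     */
    public DDBEncryption(KeyProvider keyProvider, Set<String> set) {
        this._keyProvider = keyProvider;
        this._noEncrypt = Collections.unmodifiableSet(set);
    }

    /** @return read-only view of the attribute names exempt from encryption */
    public Set<String> getNoEncrypt() {
        return this._noEncrypt;
    }

    /** @return the key provider passed to the constructor (possibly null) */
    public KeyProvider getKeyProvider() {
        return this._keyProvider;
    }

    /**
     * Reports whether the attribute name is outside the no-encrypt set. Unlike
     * {@link #requiresEncryption(String)} this does not check that a key is available.
     */
    public boolean isEncrypted(String str) {
        return !this._noEncrypt.contains(str);
    }

    /**
     * Reports whether a value stored under this attribute name will actually be encrypted:
     * a key provider is configured, it returns a key, and the name is not exempt.
     */
    public boolean requiresEncryption(String str) {
        return hasKey() && !this._noEncrypt.contains(str);
    }

    /**
     * Encrypts a single simple value. The caller is expected to have a usable key
     * (see {@link #requiresEncryption(String)}); without one this fails with a runtime exception.
     */
    public byte[] encrypt(Object obj) {
        return encrypt(DDBUtils.toAttributeValue(obj));
    }

    /**
     * Authenticates and decrypts a single value.
     *
     * @param bArr encrypted value in the format described on this class
     * @param cls  only used to fix the generic return type; no runtime type check is done
     * @throws InvalidEncryptionFormat if the value is too short, has an unknown version,
     *                                 or fails MAC verification
     */
    @SuppressWarnings("unchecked") // the cast is unchecked by design; cls is not consulted
    public <T> T decrypt(byte[] bArr, Class<T> cls) {
        return (T) DDBUtils.toSimpleValue(decrypt(bArr));
    }

    /**
     * Returns a copy of the item in which every attribute that requires encryption is
     * replaced by its encrypted byte array. Null in, null out.
     */
    public Item encrypt(Item item) {
        if (null == item) {
            return null;
        }
        Item result = new Item();
        for (Map.Entry<String, Object> entry : item.asMap().entrySet()) {
            String name = entry.getKey();
            Object value = entry.getValue();
            result.with(name, requiresEncryption(name) ? encrypt(value) : value);
        }
        return result;
    }

    /**
     * Returns a copy of the item in which every byte[] attribute that decrypts and
     * authenticates successfully is replaced by its plaintext value. Null in, null out.
     *
     * <p>NOTE(review): this is fail-open. A byte[] that does not verify is passed through
     * unchanged, so a caller cannot tell a tampered ciphertext from a plaintext binary
     * attribute; the only signal is the warning logged for names that require encryption.
     * Callers that need integrity for a specific attribute should use
     * {@link #decrypt(byte[], Class)} directly and handle the exception.
     */
    public Item decrypt(Item item) {
        if (null == item) {
            return null;
        }
        boolean canDecrypt = hasKey();
        Item result = new Item();
        for (Map.Entry<String, Object> entry : item.asMap().entrySet()) {
            String name = entry.getKey();
            Object value = entry.getValue();
            if (canDecrypt && (value instanceof byte[])) {
                try {
                    value = decrypt((byte[]) value, Object.class);
                } catch (Throwable th) {
                    // Deliberate best effort: binary attributes that were never encrypted
                    // end up here too, so only names that should be encrypted are logged.
                    if (requiresEncryption(name)) {
                        LOG.warn("Failed to decrypt '{}'", name, th);
                    }
                }
            }
            result.with(name, value);
        }
        return result;
    }

    /** True when a key provider is configured and it returns a key for {@link #KEY_ID}. */
    private boolean hasKey() {
        return null != this._keyProvider && this._keyProvider.getKey(KEY_ID) != null;
    }

    /**
     * Verifies the HMAC trailer and only then decrypts and unpacks the value.
     *
     * <p>The tag is checked before any byte reaches the cipher or the unpacker, so padding
     * and parse errors cannot be triggered by unauthenticated input and cannot be told
     * apart from a MAC failure by a caller.
     */
    private AttributeValue decrypt(byte[] bArr) {
        if (bArr.length < MIN_LEN) {
            throw new InvalidEncryptionFormat("Expected encrypted byte array to be at least " + MIN_LEN + " bytes, got " + bArr.length);
        }
        if (bArr[0] != VERSION) {
            throw new InvalidEncryptionFormat("Unsupported encryption format " + ((int) bArr[0]) + ", only supported version=" + VERSION);
        }
        Key key = this._keyProvider.getKey(KEY_ID);
        int macOffset = bArr.length - TRAILER_LEN;

        // encrypt() finalises the Mac that its MacOutputStream was fed with version, IV and
        // ciphertext, so the tag is taken to cover every byte before the trailer.
        // NOTE(review): assumes MacOutputStream passes each written byte to the Mac unchanged.
        Mac mac = createSha256(key);
        mac.update(bArr, 0, macOffset);
        if (!isEqual(mac.doFinal(), Arrays.copyOfRange(bArr, macOffset, bArr.length))) {
            throw new InvalidEncryptionFormat("MAC does not match");
        }

        Cipher cipher = createAesCipher(Cipher.DECRYPT_MODE, key, new IvParameterSpec(bArr, IV_OFFSET, IV_LEN));
        ByteArrayInputStream cipherText = new ByteArrayInputStream(bArr, HEADER_LEN, macOffset - HEADER_LEN);
        try (CipherInputStream plain = new CipherInputStream(cipherText, cipher)) {
            return this._packer.readValue(plain);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Packs, encrypts and authenticates one value.
     *
     * @return version byte, IV, ciphertext and HMAC tag, in that order
     */
    private byte[] encrypt(AttributeValue attributeValue) {
        Key key = this._keyProvider.getKey(KEY_ID);
        Mac mac = createSha256(key);
        // No IV is supplied; the one chosen during init is read back with getIV() below.
        Cipher cipher = createAesCipher(Cipher.ENCRYPT_MODE, key, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        MacOutputStream macOut = new MacOutputStream(out, mac);
        CipherOutputStream cipherOut = new CipherOutputStream(macOut, cipher);
        try {
            // Header goes through the MAC stream only, so it is authenticated but not encrypted.
            macOut.write(VERSION);
            macOut.write(cipher.getIV());
            this._packer.writeValue(cipherOut, attributeValue);
            cipherOut.flush();
            // The cipher stream is never closed; the final padded block is emitted by hand.
            macOut.write(cipher.doFinal());
            macOut.flush();
            // The tag bypasses the MAC stream and is appended to the raw output.
            out.write(mac.doFinal());
            return out.toByteArray();
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /** Creates an HmacSHA256 instance initialised with the key; any failure becomes a RuntimeException. */
    private static Mac createSha256(Key key) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            return mac;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates an AES/CBC/PKCS5Padding cipher.
     *
     * @param i                      cipher mode, e.g. {@link Cipher#ENCRYPT_MODE}
     * @param algorithmParameterSpec IV for decryption, or null to let init choose one
     */
    private static Cipher createAesCipher(int i, Key key, AlgorithmParameterSpec algorithmParameterSpec) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(i, key, algorithmParameterSpec);
            return cipher;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Compares two byte arrays without returning early on the first differing byte, so
     * the time taken does not reveal how much of a MAC tag matched.
     * {@code java.security.MessageDigest.isEqual} is the standard-library equivalent.
     */
    private static boolean isEqual(byte[] bArr, byte[] bArr2) {
        if (bArr.length != bArr2.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < bArr.length; i++) {
            diff |= bArr[i] ^ bArr2[i];
        }
        return diff == 0;
    }
}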
