package com.amazonaws.encryptionsdk.caching;

import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.CryptoMaterialsManager;
import com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager;
import com.amazonaws.encryptionsdk.MasterKeyProvider;
import com.amazonaws.encryptionsdk.caching.CryptoMaterialsCache;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.internal.EncryptionContextSerializer;
import com.amazonaws.encryptionsdk.internal.Utils;
import com.amazonaws.encryptionsdk.model.DecryptionMaterials;
import com.amazonaws.encryptionsdk.model.DecryptionMaterialsRequest;
import com.amazonaws.encryptionsdk.model.EncryptionMaterials;
import com.amazonaws.encryptionsdk.model.EncryptionMaterialsRequest;
import com.amazonaws.encryptionsdk.model.KeyBlob;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Objects;
import java.util.UUID;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:com/amazonaws/encryptionsdk/caching/CachingCryptoMaterialsManager.class */
public class CachingCryptoMaterialsManager implements CryptoMaterialsManager {
    private static final String CACHE_ID_HASH_ALGORITHM = "SHA-512";
    private static final long MAX_MESSAGE_USE_LIMIT = 4294967296L;
    private static final long MAX_BYTE_USE_LIMIT = Long.MAX_VALUE;
    private final CryptoMaterialsManager backingCMM;
    private final CryptoMaterialsCache cache;
    private final byte[] partitionIdHash;
    private final String partitionId;
    private final long maxAgeMs;
    private final long messageUseLimit;
    private final long byteUseLimit;
    private final CryptoMaterialsCache.CacheHint hint;

    /* loaded from: input_file:com/amazonaws/encryptionsdk/caching/CachingCryptoMaterialsManager$Builder.class */
    public static class Builder {
        private CryptoMaterialsManager backingCMM;
        private CryptoMaterialsCache cache;
        private String partitionId;
        private long maxAge;
        private long messageUseLimit;
        private long byteUseLimit;

        private Builder() {
            this.partitionId = null;
            this.maxAge = 0L;
            this.messageUseLimit = CachingCryptoMaterialsManager.MAX_MESSAGE_USE_LIMIT;
            this.byteUseLimit = CachingCryptoMaterialsManager.MAX_BYTE_USE_LIMIT;
        }

        public Builder withBackingMaterialsManager(CryptoMaterialsManager cryptoMaterialsManager) {
            this.backingCMM = cryptoMaterialsManager;
            return this;
        }

        public Builder withMasterKeyProvider(MasterKeyProvider masterKeyProvider) {
            return withBackingMaterialsManager(new DefaultCryptoMaterialsManager(masterKeyProvider));
        }

        public Builder withCache(CryptoMaterialsCache cryptoMaterialsCache) {
            this.cache = cryptoMaterialsCache;
            return this;
        }

        public Builder withPartitionId(String str) {
            this.partitionId = str;
            return this;
        }

        public Builder withMaxAge(long j, TimeUnit timeUnit) {
            if (j <= 0) {
                throw new IllegalArgumentException("Max age must be positive");
            }
            this.maxAge = timeUnit.toMillis(j);
            return this;
        }

        public Builder withMessageUseLimit(long j) {
            if (j <= 0) {
                throw new IllegalArgumentException("Message use limit must be positive");
            }
            if (j > CachingCryptoMaterialsManager.MAX_MESSAGE_USE_LIMIT) {
                throw new IllegalArgumentException("Message use limit exceeds limit of 4294967296");
            }
            this.messageUseLimit = j;
            return this;
        }

        public Builder withByteUseLimit(long j) {
            if (j < 0) {
                throw new IllegalArgumentException("Byte use limit must be non-negative");
            }
            if (j > CachingCryptoMaterialsManager.MAX_BYTE_USE_LIMIT) {
                throw new IllegalArgumentException("Byte use limit exceeds maximum of 9223372036854775807");
            }
            this.byteUseLimit = j;
            return this;
        }

        public CachingCryptoMaterialsManager build() {
            if (this.backingCMM == null) {
                throw new IllegalArgumentException("Backing CMM must be set");
            }
            if (this.cache == null) {
                throw new IllegalArgumentException("Cache must be set");
            }
            if (this.maxAge <= 0) {
                throw new IllegalArgumentException("Max age must be set");
            }
            return new CachingCryptoMaterialsManager(this);
        }
    }

    public static Builder newBuilder() {
        return new Builder();
    }

    private CachingCryptoMaterialsManager(Builder builder) {
        this.hint = new CryptoMaterialsCache.CacheHint() { // from class: com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager.1
            @Override // com.amazonaws.encryptionsdk.caching.CryptoMaterialsCache.CacheHint
            public long getMaxAgeMillis() {
                return CachingCryptoMaterialsManager.this.maxAgeMs;
            }
        };
        this.backingCMM = builder.backingCMM;
        this.cache = builder.cache;
        this.partitionId = builder.partitionId != null ? builder.partitionId : UUID.randomUUID().toString();
        this.maxAgeMs = builder.maxAge;
        this.messageUseLimit = builder.messageUseLimit;
        this.byteUseLimit = builder.byteUseLimit;
        try {
            this.partitionIdHash = MessageDigest.getInstance(CACHE_ID_HASH_ALGORITHM).digest(this.partitionId.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new AwsCryptoException(e);
        }
    }

    @Override // com.amazonaws.encryptionsdk.CryptoMaterialsManager
    public EncryptionMaterials getMaterialsForEncrypt(EncryptionMaterialsRequest encryptionMaterialsRequest) {
        if (encryptionMaterialsRequest.getPlaintextSize() == -1) {
            return this.backingCMM.getMaterialsForEncrypt(encryptionMaterialsRequest);
        }
        byte[] cacheIdentifier = getCacheIdentifier(encryptionMaterialsRequest.toBuilder().setPlaintext(null).setPlaintextSize(-1L).build());
        CryptoMaterialsCache.UsageStats initialIncrementForRequest = initialIncrementForRequest(encryptionMaterialsRequest);
        if (initialIncrementForRequest.getBytesEncrypted() >= this.byteUseLimit) {
            return this.backingCMM.getMaterialsForEncrypt(encryptionMaterialsRequest);
        }
        CryptoMaterialsCache.EncryptCacheEntry entryForEncrypt = this.cache.getEntryForEncrypt(cacheIdentifier, initialIncrementForRequest);
        if (entryForEncrypt != null && !isEntryExpired(entryForEncrypt.getEntryCreationTime()) && !hasExceededLimits(entryForEncrypt.getUsageStats())) {
            return entryForEncrypt.getResult();
        }
        if (entryForEncrypt != null) {
            entryForEncrypt.invalidate();
        }
        EncryptionMaterials materialsForEncrypt = this.backingCMM.getMaterialsForEncrypt(encryptionMaterialsRequest);
        if (materialsForEncrypt.getAlgorithm().isSafeToCache()) {
            this.cache.putEntryForEncrypt(cacheIdentifier, materialsForEncrypt, this.hint, initialIncrementForRequest(encryptionMaterialsRequest));
        }
        return materialsForEncrypt;
    }

    private boolean hasExceededLimits(CryptoMaterialsCache.UsageStats usageStats) {
        return usageStats.getBytesEncrypted() > this.byteUseLimit || usageStats.getMessagesEncrypted() > this.messageUseLimit;
    }

    private boolean isEntryExpired(long j) {
        return System.currentTimeMillis() - j > this.maxAgeMs;
    }

    private CryptoMaterialsCache.UsageStats initialIncrementForRequest(EncryptionMaterialsRequest encryptionMaterialsRequest) {
        return new CryptoMaterialsCache.UsageStats(encryptionMaterialsRequest.getPlaintextSize(), 1L);
    }

    @Override // com.amazonaws.encryptionsdk.CryptoMaterialsManager
    public DecryptionMaterials decryptMaterials(DecryptionMaterialsRequest decryptionMaterialsRequest) {
        byte[] cacheIdentifier = getCacheIdentifier(decryptionMaterialsRequest);
        CryptoMaterialsCache.DecryptCacheEntry entryForDecrypt = this.cache.getEntryForDecrypt(cacheIdentifier);
        if (entryForDecrypt != null && !isEntryExpired(entryForDecrypt.getEntryCreationTime())) {
            return entryForDecrypt.getResult();
        }
        DecryptionMaterials decryptMaterials = this.backingCMM.decryptMaterials(decryptionMaterialsRequest);
        this.cache.putEntryForDecrypt(cacheIdentifier, decryptMaterials, this.hint);
        return decryptMaterials;
    }

    private byte[] getCacheIdentifier(EncryptionMaterialsRequest encryptionMaterialsRequest) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(CACHE_ID_HASH_ALGORITHM);
            messageDigest.update(this.partitionIdHash);
            CryptoAlgorithm requestedAlgorithm = encryptionMaterialsRequest.getRequestedAlgorithm();
            messageDigest.update((byte) (requestedAlgorithm != null ? 1 : 0));
            if (requestedAlgorithm != null) {
                updateDigestWithAlgorithm(messageDigest, requestedAlgorithm);
            }
            messageDigest.update(MessageDigest.getInstance(CACHE_ID_HASH_ALGORITHM).digest(EncryptionContextSerializer.serialize(encryptionMaterialsRequest.getContext())));
            return messageDigest.digest();
        } catch (GeneralSecurityException e) {
            throw new AwsCryptoException(e);
        }
    }

    private byte[] getCacheIdentifier(DecryptionMaterialsRequest decryptionMaterialsRequest) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(CACHE_ID_HASH_ALGORITHM);
            byte[] digest = messageDigest.digest(EncryptionContextSerializer.serialize(decryptionMaterialsRequest.getEncryptionContext()));
            ArrayList arrayList = new ArrayList(decryptionMaterialsRequest.getEncryptedDataKeys().size());
            Iterator<KeyBlob> it = decryptionMaterialsRequest.getEncryptedDataKeys().iterator();
            while (it.hasNext()) {
                arrayList.add(messageDigest.digest(it.next().toByteArray()));
            }
            arrayList.sort(new Utils.ComparingByteArrays());
            messageDigest.update(this.partitionIdHash);
            updateDigestWithAlgorithm(messageDigest, decryptionMaterialsRequest.getAlgorithm());
            Objects.requireNonNull(messageDigest);
            arrayList.forEach(messageDigest::update);
            messageDigest.update(new byte[messageDigest.getDigestLength()]);
            messageDigest.update(digest);
            return messageDigest.digest();
        } catch (GeneralSecurityException e) {
            throw new AwsCryptoException(e);
        }
    }

    private void updateDigestWithAlgorithm(MessageDigest messageDigest, CryptoAlgorithm cryptoAlgorithm) {
        short value = cryptoAlgorithm.getValue();
        messageDigest.update(new byte[]{(byte) (value >> 8), (byte) value});
    }
}
