package com.aliyun.oss.crypto;

import com.aliyun.oss.ClientException;
import com.aliyun.oss.common.auth.Credentials;
import com.aliyun.oss.common.auth.CredentialsProvider;
import com.aliyun.oss.common.utils.BinaryUtil;
import com.aliyun.oss.internal.RequestParameters;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.http.FormatType;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.kms.model.v20160120.DecryptRequest;
import com.aliyuncs.kms.model.v20160120.DecryptResponse;
import com.aliyuncs.kms.model.v20160120.EncryptRequest;
import com.aliyuncs.kms.model.v20160120.EncryptResponse;
import com.aliyuncs.profile.DefaultProfile;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:BOOT-INF/lib/aliyun-sdk-oss-3.17.1.jar:com/aliyun/oss/crypto/KmsEncryptionMaterials.class */
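/**
 * {@link EncryptionMaterials} implementation that wraps and unwraps the content encryption key
 * (CEK) and IV through the Alibaba Cloud KMS Encrypt/Decrypt APIs.
 *
 * <p>Encryption always uses the region, CMK and credentials provider configured on this instance.
 * Decryption selects a (region, credentials provider) pair by comparing the object's materials
 * description with the descriptions registered through {@link #setKmsCredentialsProvider} and
 * {@link #addKmsDescMaterial}; when nothing matches it falls back to the most recently registered
 * pair.
 *
 * <p>NOTE(review): only the three-argument {@code addKmsDescMaterial} is synchronized; the other
 * accesses to the registry are not. Confirm whether instances are shared between threads while
 * still being configured.
 */
public class KmsEncryptionMaterials implements EncryptionMaterials {
    /** Key-wrap algorithm identifier written to, and required from, the crypto material. */
    private static final String KEY_WRAP_ALGORITHM = "KMS/ALICLOUD";
    private String region;
    private String cmk;
    CredentialsProvider credentialsProvider;
    /** Materials description attached to everything this instance encrypts. */
    private final Map<String, String> desc;
    /** Registered KMS client settings keyed by suite, in registration order. */
    private final LinkedHashMap<KmsClientSuite, Map<String, String>> kmsDescMaterials = new LinkedHashMap<>();

    /**
     * Region and credentials provider used to build a KMS client for decryption.
     *
     * <p>The class defines no {@code equals}/{@code hashCode}, so every instance is a distinct key
     * in {@code kmsDescMaterials}. The decompiler reported that it widened the access modifier
     * from private.
     */
    public final class KmsClientSuite {
        private String region;
        private CredentialsProvider credentialsProvider;

        KmsClientSuite(String str, CredentialsProvider credentialsProvider) {
            this.region = str;
            this.credentialsProvider = credentialsProvider;
        }
    }

    /**
     * Creates materials with an empty materials description.
     *
     * @param str the KMS region
     * @param str2 the customer master key (CMK) id used for encryption
     * @throws IllegalArgumentException if either argument is null
     */
    public KmsEncryptionMaterials(String str, String str2) {
        assertParameterNotNull(str, "kms region");
        assertParameterNotNull(str2, "kms cmk");
        this.region = str;
        this.cmk = str2;
        this.desc = new HashMap<>();
    }

    /**
     * Creates materials with the given materials description.
     *
     * @param str the KMS region
     * @param str2 the customer master key (CMK) id used for encryption
     * @param map the materials description; copied, and treated as empty when null
     * @throws IllegalArgumentException if the region or the CMK is null
     */
    public KmsEncryptionMaterials(String str, String str2, Map<String, String> map) {
        assertParameterNotNull(str, "kms region");
        // Fix: the original checked the region a second time here, so a null CMK went
        // undetected until the first KMS encrypt request.
        assertParameterNotNull(str2, "kms cmk");
        this.region = str;
        this.cmk = str2;
        this.desc = map == null ? new HashMap<>() : new HashMap<>(map);
    }

    /**
     * Sets the credentials provider used for KMS requests and registers it, together with this
     * instance's region and materials description, as a decryption candidate.
     *
     * @param credentialsProvider source of the access key id, secret and security token
     */
    public void setKmsCredentialsProvider(CredentialsProvider credentialsProvider) {
        this.credentialsProvider = credentialsProvider;
        this.kmsDescMaterials.put(new KmsClientSuite(this.region, credentialsProvider), this.desc);
    }

    /**
     * Builds a KMS client for the region from the provider's current credentials.
     *
     * @throws IllegalArgumentException if no credentials provider is available; both callers run
     *     inside a try block that rewraps this as {@link ClientException}
     */
    private DefaultAcsClient createKmsClient(String kmsRegion, CredentialsProvider provider) {
        // Fail with a named parameter instead of a bare NullPointerException when
        // setKmsCredentialsProvider was never called.
        assertParameterNotNull(provider, "kms credentialsProvider");
        Credentials credentials = provider.getCredentials();
        return new DefaultAcsClient(DefaultProfile.getProfile(kmsRegion, credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSecurityToken()));
    }

    /**
     * Sends one KMS Encrypt request over HTTPS.
     *
     * @param keyId the CMK id to encrypt under
     * @param base64Plaintext the plaintext passed to KMS (callers pass Base64 text)
     * @throws ClientException if the KMS call fails
     */
    private EncryptResponse encryptPlainText(String keyId, String base64Plaintext) throws ClientException {
        DefaultAcsClient kmsClient = createKmsClient(this.region, this.credentialsProvider);
        EncryptRequest encryptRequest = new EncryptRequest();
        encryptRequest.setSysProtocol(ProtocolType.HTTPS);
        encryptRequest.setAcceptFormat(FormatType.JSON);
        encryptRequest.setSysMethod(MethodType.POST);
        encryptRequest.setKeyId(keyId);
        encryptRequest.setPlaintext(base64Plaintext);
        try {
            return (EncryptResponse) kmsClient.getAcsResponse(encryptRequest);
        } catch (Exception e) {
            throw new ClientException("the kms client encrypt data failed." + e.getMessage(), e);
        }
    }

    /**
     * Sends one KMS Decrypt request over HTTPS using the suite's region and credentials.
     *
     * <p>No key id is set on the request; only the ciphertext blob is sent.
     *
     * @throws ClientException if the KMS call fails
     */
    private DecryptResponse decryptCipherBlob(KmsClientSuite kmsClientSuite, String cipherBlob) throws ClientException {
        DefaultAcsClient kmsClient = createKmsClient(kmsClientSuite.region, kmsClientSuite.credentialsProvider);
        DecryptRequest decryptRequest = new DecryptRequest();
        decryptRequest.setSysProtocol(ProtocolType.HTTPS);
        decryptRequest.setAcceptFormat(FormatType.JSON);
        decryptRequest.setSysMethod(MethodType.POST);
        decryptRequest.setCiphertextBlob(cipherBlob);
        try {
            return (DecryptResponse) kmsClient.getAcsResponse(decryptRequest);
        } catch (Exception e) {
            throw new ClientException("The kms client decrypt data faild." + e.getMessage(), e);
        }
    }

    /**
     * Registers a decryption candidate for the region using this instance's current credentials
     * provider.
     *
     * @param str the KMS region
     * @param map the materials description to match; treated as empty when null
     * @throws IllegalArgumentException if the region is null or no credentials provider is set
     */
    public void addKmsDescMaterial(String str, Map<String, String> map) {
        addKmsDescMaterial(str, this.credentialsProvider, map);
    }

    /**
     * Registers a decryption candidate for the region and credentials provider.
     *
     * @param str the KMS region
     * @param credentialsProvider credentials used when this candidate is selected
     * @param map the materials description to match; copied, and treated as empty when null
     * @throws IllegalArgumentException if the region or the credentials provider is null
     */
    public synchronized void addKmsDescMaterial(String str, CredentialsProvider credentialsProvider, Map<String, String> map) {
        assertParameterNotNull(str, "region");
        assertParameterNotNull(credentialsProvider, "credentialsProvider");
        KmsClientSuite kmsClientSuite = new KmsClientSuite(str, credentialsProvider);
        this.kmsDescMaterials.put(kmsClientSuite, map != null ? new HashMap<>(map) : new HashMap<>());
    }

    /**
     * Returns the first registered suite whose description equals the given one, or null when the
     * description is null or nothing matches.
     */
    private KmsClientSuite findKmsClientSuiteByDescription(Map<String, String> description) {
        if (description == null) {
            return null;
        }
        for (Map.Entry<KmsClientSuite, Map<String, String>> entry : this.kmsDescMaterials.entrySet()) {
            if (description.equals(entry.getValue())) {
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Returns the most recently inserted entry of the map, or null when it is empty.
     *
     * <p>Replaces the original reflective read of a private {@code LinkedHashMap} field. That
     * read needs {@code setAccessible(true)} on a JDK-internal field, which recent JDKs refuse
     * unless {@code java.base/java.util} is opened to the caller. The map is built with the
     * default insertion order, so the last entry in iteration order is the same element.
     */
    private <K, V> Map.Entry<K, V> lastEntry(LinkedHashMap<K, V> linkedHashMap) {
        Map.Entry<K, V> last = null;
        for (Map.Entry<K, V> entry : linkedHashMap.entrySet()) {
            last = entry;
        }
        return last;
    }

    /**
     * Encrypts the IV and the CEK of the material with KMS and stores the wrapped values, the
     * key-wrap algorithm and this instance's materials description on the material.
     *
     * @param contentCryptoMaterialRW material holding the plaintext IV and CEK
     * @throws ClientException if a required value is missing or a KMS request fails
     */
    @Override // com.aliyun.oss.crypto.EncryptionMaterials
    public void encryptCEK(ContentCryptoMaterialRW contentCryptoMaterialRW) {
        try {
            assertParameterNotNull(contentCryptoMaterialRW, "contentMaterialRW");
            assertParameterNotNull(contentCryptoMaterialRW.getIV(), "contentMaterialRW#getIV");
            assertParameterNotNull(contentCryptoMaterialRW.getCEK(), "contentMaterialRW#getCEK");
            // Two separate KMS Encrypt calls: first the IV, then the raw CEK bytes.
            String ivBase64 = BinaryUtil.toBase64String(contentCryptoMaterialRW.getIV());
            byte[] encryptedIv = BinaryUtil.fromBase64String(encryptPlainText(this.cmk, ivBase64).getCiphertextBlob());
            String cekBase64 = BinaryUtil.toBase64String(contentCryptoMaterialRW.getCEK().getEncoded());
            byte[] encryptedCek = BinaryUtil.fromBase64String(encryptPlainText(this.cmk, cekBase64).getCiphertextBlob());
            contentCryptoMaterialRW.setEncryptedCEK(encryptedCek);
            contentCryptoMaterialRW.setEncryptedIV(encryptedIv);
            contentCryptoMaterialRW.setKeyWrapAlgorithm(KEY_WRAP_ALGORITHM);
            // NOTE(review): passes the internal mutable map by reference; confirm the setter copies it.
            contentCryptoMaterialRW.setMaterialsDescription(this.desc);
        } catch (Exception e) {
            throw new ClientException("Kms encrypt CEK IV error. Please check your cmk, region, accessKeyId and accessSecretId." + e.getMessage(), e);
        }
    }

    /**
     * Decrypts the wrapped IV and CEK of the material with KMS and stores the plaintext values on
     * the material.
     *
     * @param contentCryptoMaterialRW material holding the wrapped CEK, wrapped IV, key-wrap
     *     algorithm and materials description
     * @throws IllegalArgumentException if the material or one of its required values is null
     * @throws ClientException if the key-wrap algorithm is not {@code KMS/ALICLOUD} (compared
     *     case-insensitively), if no suite is registered, or if a KMS request fails
     */
    @Override // com.aliyun.oss.crypto.EncryptionMaterials
    public void decryptCEK(ContentCryptoMaterialRW contentCryptoMaterialRW) {
        assertParameterNotNull(contentCryptoMaterialRW, "ContentCryptoMaterialRW");
        assertParameterNotNull(contentCryptoMaterialRW.getEncryptedCEK(), "ContentCryptoMaterialRW#getEncryptedCEK");
        assertParameterNotNull(contentCryptoMaterialRW.getEncryptedIV(), "ContentCryptoMaterialRW#getEncryptedIV");
        assertParameterNotNull(contentCryptoMaterialRW.getKeyWrapAlgorithm(), "ContentCryptoMaterialRW#getKeyWrapAlgorithm");
        // Locale.ROOT keeps the comparison independent of the default locale: under a Turkish
        // locale the uppercase constant lowercases with a dotless i and a lowercase identifier
        // no longer matches it.
        String wrapAlgorithm = contentCryptoMaterialRW.getKeyWrapAlgorithm().toLowerCase(Locale.ROOT);
        if (!wrapAlgorithm.equals(KEY_WRAP_ALGORITHM.toLowerCase(Locale.ROOT))) {
            throw new ClientException("Unrecognize your object key wrap algorithm: " + contentCryptoMaterialRW.getKeyWrapAlgorithm());
        }
        try {
            KmsClientSuite suite = findKmsClientSuiteByDescription(contentCryptoMaterialRW.getMaterialsDescription());
            if (suite == null) {
                // No description matched: fall back to the most recently registered suite
                // instead of failing, so an unknown description still triggers a KMS Decrypt call.
                Map.Entry<KmsClientSuite, Map<String, String>> tail = lastEntry(this.kmsDescMaterials);
                if (tail == null) {
                    throw new IllegalStateException("no kms credentials provider has been registered");
                }
                suite = tail.getKey();
            }
            String encryptedIvBase64 = BinaryUtil.toBase64String(contentCryptoMaterialRW.getEncryptedIV());
            byte[] iv = BinaryUtil.fromBase64String(decryptCipherBlob(suite, encryptedIvBase64).getPlaintext());
            String encryptedCekBase64 = BinaryUtil.toBase64String(contentCryptoMaterialRW.getEncryptedCEK());
            byte[] cek = BinaryUtil.fromBase64String(decryptCipherBlob(suite, encryptedCekBase64).getPlaintext());
            // The key spec carries an empty algorithm name, as in the original code.
            contentCryptoMaterialRW.setCEK(new SecretKeySpec(cek, ""));
            contentCryptoMaterialRW.setIV(iv);
        } catch (Exception e) {
            throw new ClientException("Unable to decrypt content secured key and iv. Please check your kms region and materails description." + e.getMessage(), e);
        }
    }

    /**
     * Throws {@link IllegalArgumentException} carrying the given name when the value is null.
     */
    private void assertParameterNotNull(Object obj, String str) {
        if (obj == null) {
            throw new IllegalArgumentException(str);
        }
    }
}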
