package com.google.scp.shared.crypto.tink.aws;

import com.google.crypto.tink.integration.awskmsv2.AwsKmsV2Aead;
import com.google.crypto.tink.integration.awskmsv2.AwsKmsV2Client;
import com.google.crypto.tink.subtle.Validators;
import com.google.scp.shared.aws.credsprovider.AwsSessionCredentialsProvider;
import com.google.scp.shared.crypto.tink.CloudAeadSelector;
import com.google.scp.shared.crypto.tink.kmstoolenclave.KmsToolEnclaveAead;
import java.net.URI;
import java.util.Objects;
import java.util.Optional;
import software.amazon.awssdk.arns.Arn;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.KmsClientBuilder;

/* loaded from: input_file:com/google/scp/shared/crypto/tink/aws/AwsTinkUtil.class */
public final class AwsTinkUtil {
    private AwsTinkUtil() {
    }

    public static CloudAeadSelector getKmsAeadSelector(AwsCredentialsProvider awsCredentialsProvider, SdkHttpClient sdkHttpClient, Optional<URI> optional) {
        return str -> {
            Arn parseKmsUri = parseKmsUri(str);
            return new AwsKmsV2Aead(((KmsClientBuilder) ((KmsClientBuilder) ((KmsClientBuilder) ((KmsClientBuilder) KmsClient.builder().credentialsProvider(awsCredentialsProvider)).region(getRegion(parseKmsUri))).httpClient(sdkHttpClient)).applyMutation(kmsClientBuilder -> {
                Objects.requireNonNull(kmsClientBuilder);
                optional.ifPresent(kmsClientBuilder::endpointOverride);
            })).mo12755build(), parseKmsUri.toString());
        };
    }

    public static CloudAeadSelector getEnclaveAeadSelector(AwsSessionCredentialsProvider awsSessionCredentialsProvider) {
        return str -> {
            return new KmsToolEnclaveAead(awsSessionCredentialsProvider, getRegion(parseKmsUri(str)));
        };
    }

    public static Arn parseKmsUri(String str) {
        return Arn.fromString(Validators.validateKmsKeyUriAndRemovePrefix(AwsKmsV2Client.PREFIX, str));
    }

    private static Region getRegion(Arn arn) {
        if (arn.region().isEmpty()) {
            throw new IllegalArgumentException(String.format("Provided ARN (%s) doesn't contain a region.", arn.toString()));
        }
        return Region.of(arn.region().get());
    }
}
