package com.google.scp.operator.cpio.cryptoclient;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ConcurrentHashMultiset;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.google.crypto.tink.HybridDecrypt;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.KeysetHandle;
import com.google.inject.BindingAnnotation;
import com.google.inject.Inject;
import com.google.protobuf.ByteString;
import com.google.scp.coordinator.protos.keymanagement.shared.api.v1.EncryptionKeyProto;
import com.google.scp.coordinator.protos.keymanagement.shared.api.v1.KeyDataProto;
import com.google.scp.operator.cpio.cryptoclient.Annotations;
import com.google.scp.operator.cpio.cryptoclient.DecryptionKeyService;
import com.google.scp.operator.cpio.cryptoclient.EncryptionKeyFetchingService;
import com.google.scp.operator.cpio.cryptoclient.model.ErrorReason;
import com.google.scp.shared.api.exception.ServiceException;
import com.google.scp.shared.crypto.tink.CloudAeadSelector;
import com.google.scp.shared.util.KeySplitUtil;
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:com/google/scp/operator/cpio/cryptoclient/MultiPartyDecryptionKeyServiceImpl.class */
public final class MultiPartyDecryptionKeyServiceImpl implements DecryptionKeyService {
    private static final int MAX_CACHE_SIZE = 100;
    private static final int EXCEPTION_CACHE_THRESHOLD = 3;
    private final long decrypterCacheEntryTtlSec;
    private final long exceptionCacheEntryTtlSec;
    private final CloudAeadSelector coordinatorAAeadService;
    private final CloudAeadSelector coordinatorBAeadService;
    private final EncryptionKeyFetchingService coordinatorAEncryptionKeyFetchingService;
    private final EncryptionKeyFetchingService coordinatorBEncryptionKeyFetchingService;
    private final LoadingCache<String, HybridDecrypt> decrypterCache;
    private final Cache<String, DecryptionKeyService.KeyFetchException> exceptionCache;
    private final ConcurrentHashMultiset<String> exceptionCounts = ConcurrentHashMultiset.create();
    private static final ImmutableSet<ErrorReason> EXCEPTIONS_FOR_CACHING = ImmutableSet.of(ErrorReason.INTERNAL, ErrorReason.KEY_NOT_FOUND, ErrorReason.KEY_DECRYPTION_ERROR);
    private static final int CONCURRENCY_LEVEL = Runtime.getRuntime().availableProcessors();

    @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD})
    @BindingAnnotation
    @Retention(RetentionPolicy.RUNTIME)
    /* loaded from: input_file:com/google/scp/operator/cpio/cryptoclient/MultiPartyDecryptionKeyServiceImpl$CoordinatorAEncryptionKeyFetchingService.class */
    public @interface CoordinatorAEncryptionKeyFetchingService {
    }

    @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD})
    @BindingAnnotation
    @Retention(RetentionPolicy.RUNTIME)
    /* loaded from: input_file:com/google/scp/operator/cpio/cryptoclient/MultiPartyDecryptionKeyServiceImpl$CoordinatorBEncryptionKeyFetchingService.class */
    public @interface CoordinatorBEncryptionKeyFetchingService {
    }

    @Inject
    public MultiPartyDecryptionKeyServiceImpl(@CoordinatorAEncryptionKeyFetchingService EncryptionKeyFetchingService encryptionKeyFetchingService, @CoordinatorBEncryptionKeyFetchingService EncryptionKeyFetchingService encryptionKeyFetchingService2, @Annotations.CoordinatorAAead CloudAeadSelector cloudAeadSelector, @Annotations.CoordinatorBAead CloudAeadSelector cloudAeadSelector2, @Annotations.DecrypterCacheEntryTtlSec long j, @Annotations.ExceptionCacheEntryTtlSec long j2) {
        this.coordinatorAEncryptionKeyFetchingService = encryptionKeyFetchingService;
        this.coordinatorBEncryptionKeyFetchingService = encryptionKeyFetchingService2;
        this.coordinatorAAeadService = cloudAeadSelector;
        this.coordinatorBAeadService = cloudAeadSelector2;
        this.decrypterCacheEntryTtlSec = j;
        this.exceptionCacheEntryTtlSec = j2;
        this.decrypterCache = CacheBuilder.newBuilder().maximumSize(100L).expireAfterWrite(this.decrypterCacheEntryTtlSec, TimeUnit.SECONDS).concurrencyLevel(CONCURRENCY_LEVEL).build(new CacheLoader<String, HybridDecrypt>() { // from class: com.google.scp.operator.cpio.cryptoclient.MultiPartyDecryptionKeyServiceImpl.1
            @Override // com.google.common.cache.CacheLoader
            public HybridDecrypt load(String str) throws DecryptionKeyService.KeyFetchException {
                return MultiPartyDecryptionKeyServiceImpl.this.createDecrypter(str);
            }
        });
        this.exceptionCache = CacheBuilder.newBuilder().expireAfterWrite(this.exceptionCacheEntryTtlSec, TimeUnit.SECONDS).concurrencyLevel(CONCURRENCY_LEVEL).build();
    }

    @Override // com.google.scp.operator.cpio.cryptoclient.DecryptionKeyService
    public HybridDecrypt getDecrypter(String str) throws DecryptionKeyService.KeyFetchException {
        try {
            HybridDecrypt ifPresent = this.decrypterCache.getIfPresent(str);
            if (ifPresent != null) {
                return ifPresent;
            }
            DecryptionKeyService.KeyFetchException ifPresent2 = this.exceptionCache.getIfPresent(str);
            if (ifPresent2 != null) {
                throw ifPresent2;
            }
            return this.decrypterCache.get(str);
        } catch (UncheckedExecutionException | ExecutionException e) {
            ErrorReason errorReason = ErrorReason.UNKNOWN_ERROR;
            if (e.getCause() instanceof DecryptionKeyService.KeyFetchException) {
                errorReason = ((DecryptionKeyService.KeyFetchException) e.getCause()).getReason();
            }
            DecryptionKeyService.KeyFetchException keyFetchException = new DecryptionKeyService.KeyFetchException("Failed to get key with id: " + str, errorReason, e);
            this.exceptionCounts.add(str);
            if (this.exceptionCounts.count(str) >= 3 && EXCEPTIONS_FOR_CACHING.contains(errorReason)) {
                this.exceptionCache.put(str, keyFetchException);
            }
            throw keyFetchException;
        }
    }

    @Override // com.google.scp.operator.cpio.cryptoclient.DecryptionKeyService
    public void clearExceptionCache() {
        this.exceptionCache.invalidateAll();
        this.exceptionCounts.clear();
    }

    private HybridDecrypt createDecrypter(String str) throws DecryptionKeyService.KeyFetchException {
        try {
            EncryptionKeyProto.EncryptionKey fetchEncryptionKey = this.coordinatorAEncryptionKeyFetchingService.fetchEncryptionKey(str);
            switch (fetchEncryptionKey.getEncryptionKeyType()) {
                case UNSPECIFIED:
                    throw new DecryptionKeyService.KeyFetchException("Encryption key type is unsupported", ErrorReason.UNSUPPORTED_ENCRYPTION_KEY_TYPE_ERROR);
                case MULTI_PARTY_HYBRID_EVEN_KEYSPLIT:
                    return createDecrypterSplitKey(fetchEncryptionKey, this.coordinatorBEncryptionKeyFetchingService.fetchEncryptionKey(str));
                default:
                    throw new DecryptionKeyService.KeyFetchException("Unsupported encryption key type.", ErrorReason.UNKNOWN_ERROR);
            }
        } catch (EncryptionKeyFetchingService.EncryptionKeyFetchingServiceException e) {
            throw generateKeyFetchException(e);
        } catch (IOException e2) {
            throw new DecryptionKeyService.KeyFetchException("Failed to fetch key ID: " + str, ErrorReason.UNKNOWN_ERROR, e2);
        } catch (GeneralSecurityException e3) {
            throw new DecryptionKeyService.KeyFetchException(e3, ErrorReason.KEY_DECRYPTION_ERROR);
        }
    }

    private HybridDecrypt createDecrypterSingleKey(EncryptionKeyProto.EncryptionKey encryptionKey) throws GeneralSecurityException, IOException {
        KeyDataProto.KeyData ownerKeyData = getOwnerKeyData(encryptionKey);
        return (HybridDecrypt) KeysetHandle.read(JsonKeysetReader.withString(ownerKeyData.getKeyMaterial()), this.coordinatorAAeadService.getAead(ownerKeyData.getKeyEncryptionKeyUri())).getPrimitive(HybridDecrypt.class);
    }

    private HybridDecrypt createDecrypterSplitKey(EncryptionKeyProto.EncryptionKey encryptionKey, EncryptionKeyProto.EncryptionKey encryptionKey2) throws GeneralSecurityException, IOException {
        KeyDataProto.KeyData ownerKeyData = getOwnerKeyData(encryptionKey);
        byte[] decrypt = this.coordinatorAAeadService.getAead(ownerKeyData.getKeyEncryptionKeyUri()).decrypt(Base64.getDecoder().decode(ownerKeyData.getKeyMaterial()), new byte[0]);
        KeyDataProto.KeyData ownerKeyData2 = getOwnerKeyData(encryptionKey2);
        return (HybridDecrypt) KeySplitUtil.reconstructXorKeysetHandle(ImmutableList.of(ByteString.copyFrom(decrypt), ByteString.copyFrom(this.coordinatorBAeadService.getAead(ownerKeyData2.getKeyEncryptionKeyUri()).decrypt(Base64.getDecoder().decode(ownerKeyData2.getKeyMaterial()), new byte[0])))).getPrimitive(HybridDecrypt.class);
    }

    private KeyDataProto.KeyData getOwnerKeyData(EncryptionKeyProto.EncryptionKey encryptionKey) {
        return encryptionKey.getKeyDataList().stream().filter(keyData -> {
            return !keyData.getKeyMaterial().isEmpty();
        }).findFirst().get();
    }

    private static DecryptionKeyService.KeyFetchException generateKeyFetchException(EncryptionKeyFetchingService.EncryptionKeyFetchingServiceException encryptionKeyFetchingServiceException) {
        if (!(encryptionKeyFetchingServiceException.getCause() instanceof ServiceException)) {
            return new DecryptionKeyService.KeyFetchException(encryptionKeyFetchingServiceException, ErrorReason.UNKNOWN_ERROR);
        }
        switch (((ServiceException) encryptionKeyFetchingServiceException.getCause()).getErrorCode()) {
            case NOT_FOUND:
                return new DecryptionKeyService.KeyFetchException(encryptionKeyFetchingServiceException, ErrorReason.KEY_NOT_FOUND);
            case PERMISSION_DENIED:
            case UNAUTHENTICATED:
                return new DecryptionKeyService.KeyFetchException(encryptionKeyFetchingServiceException, ErrorReason.PERMISSION_DENIED);
            case INTERNAL:
                return new DecryptionKeyService.KeyFetchException(encryptionKeyFetchingServiceException, ErrorReason.INTERNAL);
            case UNAVAILABLE:
            case DEADLINE_EXCEEDED:
                return new DecryptionKeyService.KeyFetchException(encryptionKeyFetchingServiceException, ErrorReason.KEY_SERVICE_UNAVAILABLE);
            default:
                return new DecryptionKeyService.KeyFetchException(encryptionKeyFetchingServiceException, ErrorReason.UNKNOWN_ERROR);
        }
    }
}
