package com.google.scp.shared.crypto.tink.kmstoolenclave;

import com.google.common.collect.ImmutableList;
import com.google.common.primitives.Bytes;
import com.google.crypto.tink.Aead;
import com.google.scp.shared.aws.credsprovider.AwsSessionCredentialsProvider;
import java.io.IOException;
import java.lang.ProcessBuilder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.regions.Region;

/* loaded from: input_file:com/google/scp/shared/crypto/tink/kmstoolenclave/KmsToolEnclaveAead.class */
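/**
 * Decrypt-only {@link Aead} that delegates to the {@code kmstool_enclave_cli} binary.
 *
 * <p>Every {@link #decrypt} call resolves fresh session credentials, spawns the CLI as a child
 * process and parses the Base64 plaintext the CLI prints on standard output. Encryption and
 * associated data are not supported.
 */
public final class KmsToolEnclaveAead implements Aead {
    /** Absolute path of the CLI binary executed for each decrypt call. */
    private static final String CLI_PATH = "/kmstool_enclave_cli";

    /** Label the CLI may print in front of the Base64 plaintext; stripped when present. */
    private static final byte[] PLAINTEXT_PREFIX = "PLAINTEXT: ".getBytes(StandardCharsets.US_ASCII);

    private final Region region;
    private final AwsSessionCredentialsProvider credentialsProvider;

    /**
     * @param awsSessionCredentialsProvider source of the session credentials handed to the CLI
     * @param region region passed to the CLI via {@code --region}
     */
    public KmsToolEnclaveAead(AwsSessionCredentialsProvider awsSessionCredentialsProvider, Region region) {
        this.region = region;
        this.credentialsProvider = awsSessionCredentialsProvider;
    }

    /**
     * Always fails: the CLI only offers decryption.
     *
     * @throws UnsupportedOperationException on every call
     */
    @Override // com.google.crypto.tink.Aead
    public byte[] encrypt(byte[] bArr, byte[] bArr2) {
        throw new UnsupportedOperationException("kmstool_enclave_cli does not support encryption");
    }

    /**
     * Decrypts a ciphertext by invoking the CLI's {@code decrypt} subcommand.
     *
     * @param bArr the raw ciphertext; it is Base64-encoded before being passed to the CLI
     * @param bArr2 associated data; must be {@code null} or empty
     * @return the decoded plaintext bytes
     * @throws IllegalArgumentException if associated data is supplied
     * @throws GeneralSecurityException if the CLI cannot be run, exits non-zero, prints output
     *     that is not valid Base64, or the calling thread is interrupted while waiting
     */
    @Override // com.google.crypto.tink.Aead
    public byte[] decrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        if (bArr2 != null && bArr2.length != 0) {
            throw new IllegalArgumentException("kmstool_enclave_cli does not support associatedData: https://github.com/aws/aws-nitro-enclaves-sdk-c/issues/35");
        }
        AwsSessionCredentials credentials = this.credentialsProvider.resolveCredentials();
        // NOTE(security): the session credentials travel as command-line arguments, so they are
        // readable by anything that can inspect this child's argument list while it runs.
        // Never log this command line.
        // NOTE(review): confirm whether the CLI version in use can receive credentials another way.
        ProcessBuilder processBuilder = new ProcessBuilder(List.of(
                CLI_PATH,
                "decrypt",
                "--region", this.region.toString(),
                "--aws-access-key-id", credentials.accessKeyId(),
                "--aws-secret-access-key", credentials.secretAccessKey(),
                "--aws-session-token", credentials.sessionToken(),
                "--ciphertext", Base64.getEncoder().encodeToString(bArr)));
        processBuilder.redirectError(ProcessBuilder.Redirect.INHERIT);
        Process process = null;
        try {
            process = processBuilder.start();
            // Drain stdout BEFORE waiting for exit: waiting first can deadlock once the child
            // fills the pipe buffer and blocks on write.
            byte[] output = process.getInputStream().readAllBytes();
            if (process.waitFor() != 0) {
                throw new GeneralSecurityException("Non-zero exit code from kmstool cli");
            }
            int from = startsWithPrefix(output) ? PLAINTEXT_PREFIX.length : 0;
            int to = output.length;
            // Drop a single trailing line feed, if any, so the Base64 decoder accepts the payload.
            if (to > from && output[to - 1] == '\n') {
                to--;
            }
            return Base64.getDecoder().decode(Arrays.copyOfRange(output, from, to));
        } catch (IOException e) {
            throw new GeneralSecurityException("Failed to start process", e);
        } catch (IllegalArgumentException e2) {
            throw new GeneralSecurityException("Failed to handle process output", e2);
        } catch (InterruptedException e3) {
            // Do not leave a child holding credentials on its command line running unattended,
            // and restore the interrupt flag so callers further up can observe the interruption.
            if (process != null) {
                process.destroyForcibly();
            }
            Thread.currentThread().interrupt();
            throw new GeneralSecurityException("Process interrupted", e3);
        }
    }

    /** Returns whether {@code output} begins with {@link #PLAINTEXT_PREFIX}. */
    private static boolean startsWithPrefix(byte[] output) {
        int n = PLAINTEXT_PREFIX.length;
        return output.length >= n && Arrays.equals(output, 0, n, PLAINTEXT_PREFIX, 0, n);
    }
}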
