package com.google.crypto.tink.integration.awskmsv2;

import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableMap;
import com.google.crypto.tink.Aead;
import java.security.GeneralSecurityException;
import java.util.List;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.utils.BinaryUtils;

/* loaded from: input_file:com/google/crypto/tink/integration/awskmsv2/AwsKmsV2Aead.class */
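/**
 * {@link Aead} implementation that delegates encryption and decryption to AWS KMS through a
 * {@link KmsClient}, always addressing the key identified by {@code keyArn}.
 *
 * <p>Non-empty associated data is hex-encoded and sent as the KMS encryption context under the
 * single entry {@code "associatedData"}. {@code null} and zero-length associated data are treated
 * the same way: no encryption context is attached.
 *
 * <p>NOTE(review): AWS documents the encryption context as non-secret request metadata that is
 * recorded in plaintext in service logs such as CloudTrail (confirm against the current AWS
 * documentation). Callers should therefore not put confidential values in the associated data.
 *
 * <p>Exceptions thrown by the {@link KmsClient} are not caught in this class and propagate to the
 * caller unchanged.
 */
public final class AwsKmsV2Aead implements Aead {
    /** Encryption-context entry name under which the hex-encoded associated data is sent. */
    private static final String ASSOCIATED_DATA_CONTEXT_KEY = "associatedData";

    private final KmsClient kmsClient;
    private final String keyArn;

    /**
     * Creates an AEAD bound to a single KMS key.
     *
     * @param kmsClient client used for every encrypt and decrypt call
     * @param keyArn identifier passed as {@code keyId} on every request; when it has key-ARN
     *     format (see {@link #isKeyArnFormat}) it is also compared with the key id that KMS
     *     reports on decryption
     */
    public AwsKmsV2Aead(KmsClient kmsClient, String keyArn) {
        this.kmsClient = kmsClient;
        this.keyArn = keyArn;
    }

    /**
     * Encrypts {@code plaintext} with the configured KMS key.
     *
     * @param plaintext data to encrypt
     * @param associatedData data bound to the ciphertext through the encryption context; may be
     *     {@code null} or empty, in which case no context is sent
     * @return the ciphertext blob returned by KMS
     */
    @Override
    public byte[] encrypt(byte[] plaintext, byte[] associatedData) {
        EncryptRequest.Builder request =
                EncryptRequest.builder().keyId(this.keyArn).plaintext(SdkBytes.fromByteArray(plaintext));
        if (hasAssociatedData(associatedData)) {
            request = request.encryptionContext(
                    ImmutableMap.of(ASSOCIATED_DATA_CONTEXT_KEY, BinaryUtils.toHex(associatedData)));
        }
        // build() is the SDK builder method; the decompiled listing showed it under a
        // decompiler-generated alias that does not exist in the AWS SDK.
        return this.kmsClient.encrypt(request.build()).ciphertextBlob().asByteArray();
    }

    /**
     * Decrypts {@code ciphertext} with the configured KMS key and, when the configured identifier
     * is a key ARN, verifies that KMS used exactly that key.
     *
     * <p>When {@code keyArn} is not in key-ARN format the key-id comparison is skipped, so the
     * only key binding is the {@code keyId} sent in the request.
     *
     * @param ciphertext ciphertext blob previously produced by KMS
     * @param associatedData the associated data supplied at encryption time; may be {@code null}
     *     or empty, in which case no encryption context is sent
     * @return the decrypted plaintext
     * @throws GeneralSecurityException if the key id reported by KMS is missing or differs from
     *     the configured key ARN
     */
    @Override
    public byte[] decrypt(byte[] ciphertext, byte[] associatedData) throws GeneralSecurityException {
        DecryptRequest.Builder request =
                DecryptRequest.builder().keyId(this.keyArn).ciphertextBlob(SdkBytes.fromByteArray(ciphertext));
        if (hasAssociatedData(associatedData)) {
            request = request.encryptionContext(
                    ImmutableMap.of(ASSOCIATED_DATA_CONTEXT_KEY, BinaryUtils.toHex(associatedData)));
        }
        DecryptResponse response = this.kmsClient.decrypt(request.build());
        // Compare from the configured side so that a response without a key id is rejected with
        // GeneralSecurityException instead of surfacing as a NullPointerException.
        if (isKeyArnFormat(this.keyArn) && !this.keyArn.equals(response.keyId())) {
            throw new GeneralSecurityException("Decryption failed: wrong key id");
        }
        return response.plaintext().asByteArray();
    }

    /** Returns whether associated data is present, i.e. neither {@code null} nor zero-length. */
    private static boolean hasAssociatedData(byte[] associatedData) {
        return associatedData != null && associatedData.length != 0;
    }

    /**
     * Returns whether {@code arn} consists of exactly six colon-separated fields whose last field
     * starts with {@code "key/"}. Identifiers of any other shape are not compared with the key id
     * in the decrypt response.
     */
    private static boolean isKeyArnFormat(String arn) {
        List<String> fields = Splitter.on(':').splitToList(arn);
        return fields.size() == 6 && fields.get(5).startsWith("key/");
    }
}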
