package com.amazonaws.c3r;

import com.amazonaws.c3r.config.ClientSettings;
import com.amazonaws.c3r.encryption.EncryptionContext;
import com.amazonaws.c3r.encryption.keys.KeyUtil;
import com.amazonaws.c3r.encryption.keys.SaltedHkdf;
import com.amazonaws.c3r.exception.C3rIllegalArgumentException;
import com.amazonaws.c3r.exception.C3rRuntimeException;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/amazonaws/c3r/FingerprintTransformer.class */
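/**
 * Transformer that replaces a cleartext value with a keyed fingerprint: a MAC of the value,
 * Base64-encoded and prefixed with {@link #DESCRIPTOR_PREFIX_STRING}.
 *
 * <p>Security properties a reviewer should keep in mind:
 * <ul>
 *   <li>The output is deterministic. Equal cleartexts MACed under the same derived key yield
 *       equal fingerprints, so equality and value frequency are visible to anyone holding the
 *       output.</li>
 *   <li>When {@code ClientSettings.isAllowJoinsOnColumnsWithDifferentNames()} is true, every
 *       column uses the key derived from {@link #HKDF_INFO_BYTES}, so equal values also match
 *       across columns. Otherwise the column label is mixed into the HKDF info and each column
 *       gets its own key.</li>
 *   <li>The transform is one-way: {@link #unmarshal(byte[])} never recovers cleartext.</li>
 *   <li>No synchronization is performed. The single {@link Mac} instance is re-keyed on every
 *       {@link #marshal(byte[], EncryptionContext)} call and the one-time warning flag is a
 *       plain field, so an instance must not be shared between threads without external
 *       locking.</li>
 * </ul>
 */
public class FingerprintTransformer extends Transformer {

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    private static final Logger log = LoggerFactory.getLogger(FingerprintTransformer.class);

    /** HKDF info used when a single key is shared by all fingerprint columns. */
    static final byte[] HKDF_INFO_BYTES = KeyUtil.HKDF_INFO.getBytes(StandardCharsets.UTF_8);

    /** Marker identifying the value as a MAC-based fingerprint. */
    private static final byte[] ENCRYPTION_DESCRIPTOR = "hmac:".getBytes(StandardCharsets.UTF_8);

    /** Format version tag placed in front of the descriptor. */
    private static final byte[] FORMAT_VERSION = "02:".getBytes(StandardCharsets.UTF_8);

    /** Version tag followed by the descriptor; every marshalled fingerprint starts with this. */
    public static final String DESCRIPTOR_PREFIX_STRING = new String(FORMAT_VERSION, StandardCharsets.UTF_8) + new String(ENCRYPTION_DESCRIPTOR, StandardCharsets.UTF_8);

    /** UTF-8 bytes of {@link #DESCRIPTOR_PREFIX_STRING}. */
    static final byte[] DESCRIPTOR_PREFIX = DESCRIPTOR_PREFIX_STRING.getBytes(StandardCharsets.UTF_8);

    /** Length in bytes of the MAC key requested from the HKDF. */
    private static final int HMAC_KEY_SIZE = 32;

    private final SaltedHkdf hkdf;
    private final ClientSettings clientSettings;
    private final boolean failOnUnmarshal;
    // Stateful and re-initialised per marshal call; see the class-level note on threading.
    private final Mac mac;
    private boolean unmarshalWarningRaised = false;

    /**
     * Creates a transformer bound to one key and one set of client settings.
     *
     * @param secretKey      key material handed to {@link SaltedHkdf}
     * @param bArr           second argument handed to {@link SaltedHkdf}
     *                       (presumably the salt; confirm against SaltedHkdf)
     * @param clientSettings settings consulted on every {@code marshal} call
     * @param z              when true, {@link #unmarshal(byte[])} throws instead of passing
     *                       fingerprint data through
     * @throws C3rRuntimeException if the algorithm named by {@code KeyUtil.HMAC_ALG} (or one
     *                             needed by {@code SaltedHkdf}) is not available
     */
    public FingerprintTransformer(SecretKey secretKey, byte[] bArr, ClientSettings clientSettings, boolean z) {
        this.clientSettings = clientSettings;
        this.failOnUnmarshal = z;
        try {
            this.hkdf = new SaltedHkdf(secretKey, bArr);
            this.mac = Mac.getInstance(KeyUtil.HMAC_ALG);
        } catch (NoSuchAlgorithmException e) {
            throw new C3rRuntimeException("Could not initialize FingerprintTransformer.", e);
        }
    }

    /**
     * Computes the fingerprint of a cleartext value.
     *
     * @param bArr              cleartext bytes; {@code null} is returned as {@code null} when
     *                          {@code ClientSettings.isPreserveNulls()} is true
     * @param encryptionContext column label and client data type of the value; required
     * @return {@link #DESCRIPTOR_PREFIX} followed by the Base64-encoded MAC, or {@code null}
     *         for a preserved null
     * @throws C3rIllegalArgumentException if the context is missing, has no client data type,
     *                                     or the type is not usable in a fingerprint column
     * @throws C3rRuntimeException         if the MAC rejects the derived key
     */
    @Override
    public byte[] marshal(byte[] bArr, EncryptionContext encryptionContext) {
        if (encryptionContext == null) {
            throw new C3rIllegalArgumentException("An EncryptionContext must be provided when marshaling.");
        }
        if (encryptionContext.getClientDataType() == null) {
            throw new C3rIllegalArgumentException("EncryptionContext missing ClientDataType when encrypting data for column `" + encryptionContext.getColumnLabel() + "`.");
        }
        if (!encryptionContext.getClientDataType().supportsFingerprintColumns()) {
            throw new C3rIllegalArgumentException(encryptionContext.getClientDataType() + " is not a type supported by fingerprint columns.");
        }
        // Only the representative type of an equivalence class is accepted here.
        if (!encryptionContext.getClientDataType().isEquivalenceClassRepresentativeType()) {
            throw new C3rIllegalArgumentException(encryptionContext.getClientDataType() + " is not the parent type of its equivalence class. Expected parent type is " + encryptionContext.getClientDataType().getRepresentativeType() + ".");
        }
        if (bArr == null && this.clientSettings.isPreserveNulls()) {
            return null;
        }
        // NOTE(review): a null value with preserveNulls disabled reaches Mac.doFinal(null) below.
        // The JDK Mac treats a null input as "no data", so unless the caller substitutes a value
        // first, null and empty input would share a fingerprint; confirm against the caller.

        // Key separation: one shared key for cross-column joins, otherwise a key bound to the
        // column label through the HKDF info string.
        final byte[] hkdfInfo = this.clientSettings.isAllowJoinsOnColumnsWithDifferentNames()
                ? HKDF_INFO_BYTES
                : ("c3r-hmac-sha256-col-" + encryptionContext.getColumnLabel()).getBytes(StandardCharsets.UTF_8);
        final byte[] derivedKey = this.hkdf.deriveKey(hkdfInfo, HMAC_KEY_SIZE);
        final SecretKeySpec secretKeySpec = new SecretKeySpec(derivedKey, this.mac.getAlgorithm());
        // SecretKeySpec copies the bytes, so the local buffer can be wiped straight away. The
        // copy held by secretKeySpec is not wiped here and lives until it is garbage collected.
        Arrays.fill(derivedKey, (byte) 0);
        try {
            this.mac.init(secretKeySpec);
            final byte[] encodedMac = Base64.getEncoder().encode(this.mac.doFinal(bArr));
            final byte[] fingerprint = ByteBuffer.allocate(DESCRIPTOR_PREFIX.length + encodedMac.length)
                    .put(DESCRIPTOR_PREFIX)
                    .put(encodedMac)
                    .array();
            // Length check is defined outside this class (presumably on Transformer).
            validateMarshalledByteLength(fingerprint);
            return fingerprint;
        } catch (InvalidKeyException e) {
            throw new C3rRuntimeException("Initialization of hmac failed for target column `" + encryptionContext.getColumnLabel() + "`.", e);
        }
    }

    /**
     * Passes fingerprint data through unchanged, because a fingerprint cannot be reversed.
     *
     * <p>A warning is logged the first time this is called on an instance.
     *
     * @param bArr marshalled fingerprint bytes
     * @return {@code bArr} itself, not a copy
     * @throws C3rRuntimeException if this instance was built with fail-on-unmarshal enabled
     */
    @Override
    public byte[] unmarshal(byte[] bArr) {
        if (this.failOnUnmarshal) {
            throw new C3rRuntimeException("Data encrypted for a fingerprint column was found but is forbidden with current settings.");
        }
        if (!this.unmarshalWarningRaised) {
            this.unmarshalWarningRaised = true;
            log.warn("Data encrypted for a fingerprint column was found. Encrypted fingerprint column data cannot be decrypted and will appear as-is in the output.");
        }
        return bArr;
    }

    /**
     * Returns the format version tag.
     *
     * @return a fresh copy, so callers cannot alter the shared constant
     */
    @Override
    public byte[] getVersion() {
        return FORMAT_VERSION.clone();
    }

    /**
     * Returns the descriptor that marks a value as a MAC-based fingerprint.
     *
     * @return a fresh copy, so callers cannot alter the shared constant
     */
    @Override
    byte[] getEncryptionDescriptor() {
        return ENCRYPTION_DESCRIPTOR.clone();
    }
}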
