package com.google.cloud.broker.encryption.backends;

import com.google.api.client.googleapis.util.Utils;
import com.google.api.services.cloudkms.v1.CloudKMS;
import com.google.api.services.cloudkms.v1.model.DecryptRequest;
import com.google.api.services.cloudkms.v1.model.EncryptRequest;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.broker.encryption.backends.keyset.KeysetUtils;
import com.google.cloud.broker.settings.AppSettings;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.proto.KeyTemplate;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Objects;

/* loaded from: input_file:com/google/cloud/broker/encryption/backends/CloudKMSBackend.class */
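public class CloudKMSBackend extends AbstractEncryptionBackend {
    /** Special value of the KEK-URI setting that selects an in-memory, non-persisted DEK. */
    private static final String MEMORY = "memory";
    /** OAuth scope requested for the Cloud KMS client. */
    private static final String KMS_API = "https://www.googleapis.com/auth/cloudkms";
    private static final String KEK_URI_SETTING = "encryption.cloud-kms.kek-uri";
    private static final String DEK_URI_SETTING = "encryption.cloud-kms.dek-uri";
    private static final String APPLICATION_NAME = "gcp-token-broker";
    /** Tink template used for every DEK this backend generates; assigned once in the static initializer. */
    private static final KeyTemplate KEY_TEMPLATE;
    /** Data-encryption primitive: either an in-memory AES-256-GCM keyset or a keyset unwrapped via Cloud KMS. */
    private final Aead aead;

    static {
        try {
            // Tink refuses to build Aead primitives until the Aead key managers are registered.
            AeadConfig.register();
            KEY_TEMPLATE = AeadKeyTemplates.AES256_GCM;
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Failed to register Tink Aead", e);
        }
    }

    /**
     * Adapts a Cloud KMS crypto key to Tink's {@link Aead} interface so it can act as the
     * key-encryption key (KEK) that wraps and unwraps the stored DEK keyset.
     *
     * <p>Every call is a remote KMS request; the plaintext handed to {@link #encrypt} (the DEK
     * keyset material) leaves the process and is encrypted server-side under {@code kekUri}.
     * Transport failures are surfaced as {@link GeneralSecurityException} to match the Tink contract.
     */
    public static final class GcpKmsAead implements Aead {
        private final CloudKMS kmsClient;
        private final String kekUri;

        /**
         * @param cloudKMS authenticated KMS client
         * @param str      full resource name of the KMS crypto key used as KEK
         * @throws GeneralSecurityException never thrown here; kept for caller compatibility
         */
        GcpKmsAead(CloudKMS cloudKMS, String str) throws GeneralSecurityException {
            this.kmsClient = cloudKMS;
            this.kekUri = str;
        }

        /**
         * Encrypts {@code bArr} under the KEK, binding {@code bArr2} as additional authenticated data.
         *
         * @throws GeneralSecurityException if the KMS request fails
         */
        @Override // com.google.crypto.tink.Aead
        public byte[] encrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
            EncryptRequest request = new EncryptRequest()
                    .encodePlaintext(bArr)
                    .encodeAdditionalAuthenticatedData(bArr2);
            try {
                return this.kmsClient.projects().locations().keyRings().cryptoKeys()
                        .encrypt(this.kekUri, request)
                        .execute()
                        .decodeCiphertext();
            } catch (IOException e) {
                throw new GeneralSecurityException("encryption failed", e);
            }
        }

        /**
         * Decrypts {@code bArr} under the KEK; {@code bArr2} must equal the AAD used at encryption time.
         *
         * @throws GeneralSecurityException if the KMS request fails (including AAD mismatch reported by KMS)
         */
        @Override // com.google.crypto.tink.Aead
        public byte[] decrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
            DecryptRequest request = new DecryptRequest()
                    .encodeCiphertext(bArr)
                    .encodeAdditionalAuthenticatedData(bArr2);
            try {
                return this.kmsClient.projects().locations().keyRings().cryptoKeys()
                        .decrypt(this.kekUri, request)
                        .execute()
                        .decodePlaintext();
            } catch (IOException e) {
                throw new GeneralSecurityException("decryption failed", e);
            }
        }
    }

    /**
     * Builds the backend from {@code encryption.cloud-kms.kek-uri} and {@code encryption.cloud-kms.dek-uri}.
     *
     * <p>If the KEK URI is {@code "memory"} (case-insensitive) a fresh random AES-256-GCM keyset is
     * generated in-process and never written anywhere, so data encrypted in that mode is not
     * expected to be recoverable by another instance or after a restart. Otherwise the DEK keyset
     * at the DEK URI is read and unwrapped with the KMS key named by the KEK URI.
     *
     * @throws NullPointerException if a required setting is absent (the message names the setting)
     * @throws RuntimeException     if Tink or KMS initialization fails
     */
    public CloudKMSBackend() {
        AppSettings settings = AppSettings.getInstance();
        // Both settings are read up front, as before; the DEK URI is only required outside memory mode.
        String kekUri = settings.getString(KEK_URI_SETTING);
        String dekUri = settings.getString(DEK_URI_SETTING);
        Objects.requireNonNull(kekUri, KEK_URI_SETTING);
        if (MEMORY.equalsIgnoreCase(kekUri)) {
            try {
                this.aead = KeysetHandle.generateNew(KEY_TEMPLATE).getPrimitive(Aead.class);
            } catch (GeneralSecurityException e) {
                throw new RuntimeException(e);
            }
        } else {
            Objects.requireNonNull(dekUri, DEK_URI_SETTING);
            try {
                this.aead = readKeyset(dekUri, kekUri, getKMSClient()).getPrimitive(Aead.class);
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Failed to initialize encryption backend", e);
            }
        }
    }

    /**
     * Decrypts a ciphertext produced by {@link #encrypt(byte[])} with the DEK.
     *
     * @param bArr ciphertext
     * @return plaintext
     * @throws RuntimeException wrapping the {@link GeneralSecurityException} on authentication failure
     */
    public byte[] decrypt(byte[] bArr) {
        try {
            // No associated data is bound to ciphertexts produced by this backend.
            return this.aead.decrypt(bArr, null);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Encrypts {@code bArr} with the DEK.
     *
     * @param bArr plaintext
     * @return ciphertext
     * @throws RuntimeException wrapping the {@link GeneralSecurityException} on failure
     */
    public byte[] encrypt(byte[] bArr) {
        try {
            // No associated data is bound to ciphertexts produced by this backend.
            return this.aead.encrypt(bArr, null);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates a Cloud KMS client authenticated with Application Default Credentials and scoped
     * to the KMS API only.
     *
     * @throws RuntimeException if credentials cannot be loaded
     */
    private static CloudKMS getKMSClient() {
        try {
            GoogleCredentials credentials = GoogleCredentials.getApplicationDefault()
                    .createScoped(new String[]{KMS_API});
            return new CloudKMS.Builder(
                    Utils.getDefaultTransport(),
                    Utils.getDefaultJsonFactory(),
                    new HttpCredentialsAdapter(credentials))
                    .setApplicationName(APPLICATION_NAME)
                    .build();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Reads the DEK keyset stored at {@code str} and unwraps it with the KMS key {@code str2}.
     *
     * @param str      location of the stored (KMS-wrapped) keyset
     * @param str2     KMS crypto key resource name used as KEK
     * @param cloudKMS KMS client
     * @throws RuntimeException if the keyset cannot be read or unwrapped
     */
    private static KeysetHandle readKeyset(String str, String str2, CloudKMS cloudKMS) {
        try {
            return KeysetHandle.read(KeysetUtils.getKeysetManager(str), new GcpKmsAead(cloudKMS, str2));
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException("Failed to read Keyset `" + str + "` with KMS key `" + str2 + "`", e);
        }
    }

    /**
     * Generates a new AES-256-GCM DEK keyset, wraps it with the KMS key {@code str2} and writes it to {@code str}.
     *
     * @param str  destination of the wrapped keyset
     * @param str2 KMS crypto key resource name used as KEK
     * @return the newly generated keyset handle
     */
    public static KeysetHandle generateAndWriteKeyset(String str, String str2) {
        return generateAndWriteKeyset(KEY_TEMPLATE, str, str2, getKMSClient());
    }

    /**
     * Generates a keyset from {@code keyTemplate}, wraps it via KMS and persists it.
     *
     * @throws RuntimeException if generation, wrapping or writing fails
     */
    private static KeysetHandle generateAndWriteKeyset(KeyTemplate keyTemplate, String str, String str2, CloudKMS cloudKMS) {
        try {
            GcpKmsAead kek = new GcpKmsAead(cloudKMS, str2);
            KeysetHandle handle = KeysetHandle.generateNew(keyTemplate);
            // Tink encrypts the keyset material with the KEK before it reaches the writer.
            handle.write(KeysetUtils.getKeysetManager(str), kek);
            return handle;
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException("Failed to write Keyset `" + str + "` with KMS key `" + str2 + "`", e);
        }
    }
}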
