package io.confluent.kafka.schemaregistry.encryption.local;

import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.PrimitiveSet;
import com.google.crypto.tink.Registry;
import com.google.crypto.tink.proto.AesGcmKey;
import com.google.crypto.tink.proto.KeyStatusType;
import com.google.crypto.tink.proto.Keyset;
import com.google.crypto.tink.proto.OutputPrefixType;
import com.google.crypto.tink.subtle.Hkdf;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.protobuf.ByteString;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import javax.annotation.Nullable;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/local/LocalKmsClient.class */
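/**
 * {@link KmsClient} whose key material comes from secret strings held in local
 * configuration instead of a remote KMS.
 *
 * <p>Every secret is turned into a 16-byte AES-GCM key with HKDF over HMAC-SHA256, using
 * no salt and no info. One secret is the primary (used for encryption); any additional
 * "old" secrets are registered as non-primary keys in the same primitive set, presumably
 * so data written under them stays readable.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The derivation is deterministic and fast, and no salt is mixed in. The strength of
 *       the resulting key is therefore exactly the entropy of the configured secret; it
 *       should be a long random value, not a human-chosen passphrase.</li>
 *   <li>The Tink key id is the first four bytes of MD5(secret). MD5 serves only as an
 *       identifier here, not as a security control. With the TINK output prefix the key id
 *       accompanies each ciphertext, so treat it as public.</li>
 *   <li>The derivation parameters and the key-id scheme are part of the on-disk format:
 *       changing either would make previously written ciphertexts undecryptable.</li>
 * </ul>
 */
public final class LocalKmsClient implements KmsClient {
    public static final String PREFIX = "local-kms://";
    private static final String AES_GCM_KEY = "type.googleapis.com/google.crypto.tink.AesGcmKey";
    private static final String HKDF_MAC = "HmacSha256";
    /** Length of the derived AES key in bytes (16 bytes = AES-128). */
    private static final int DERIVED_KEY_BYTES = 16;

    // Null only for an instance created through the no-arg constructor, which nothing in
    // this class calls; register() always binds the client to a URI.
    @Nullable
    private String keyUri;
    private Aead aead;

    private LocalKmsClient() {
    }

    /**
     * Builds a client bound to {@code uri} whose primary key is derived from {@code secret}.
     *
     * @param uri key URI; must start with {@link #PREFIX} (compared case-insensitively)
     * @param secret secret the primary key is derived from; must be non-empty
     * @param oldSecrets secrets registered as additional, non-primary keys; each must be
     *     non-empty
     * @throws IllegalArgumentException if the URI has the wrong prefix or a secret is empty
     * @throws NullPointerException if a secret is null
     * @throws GeneralSecurityException if key derivation or primitive creation fails
     */
    private LocalKmsClient(String uri, String secret, List<String> oldSecrets)
            throws GeneralSecurityException {
        if (!uri.toLowerCase(Locale.US).startsWith(PREFIX)) {
            throw new IllegalArgumentException("key URI must start with " + PREFIX);
        }
        // An empty secret has no entropy: the key derived from it could be recomputed by
        // anyone, so fail closed instead of silently encrypting under it.
        requireUsableSecret(secret, "secret");
        this.keyUri = uri;
        PrimitiveSet.Builder<Aead> builder = PrimitiveSet.newBuilder(Aead.class);
        builder.addPrimaryPrimitive(getPrimitive(secret), getKey(secret));
        for (String oldSecret : oldSecrets) {
            // Old secrets are accepted for decryption, so an empty one would make the
            // client accept ciphertexts produced under a publicly computable key.
            requireUsableSecret(oldSecret, "old secret");
            builder.addPrimitive(getPrimitive(oldSecret), getKey(oldSecret));
        }
        this.aead = Registry.wrap(builder.build());
    }

    /**
     * Rejects secrets that cannot yield a meaningful key. Messages never include the
     * secret value itself.
     */
    private static String requireUsableSecret(String secret, String label) {
        if (secret == null) {
            throw new NullPointerException(label + " must not be null");
        }
        if (secret.isEmpty()) {
            throw new IllegalArgumentException(label + " must not be empty");
        }
        return secret;
    }

    /**
     * Derives an AES-GCM key from {@code secret} and returns the matching {@link Aead}.
     *
     * <p>HKDF is called with a null salt and null info, so equal secrets always give equal
     * keys. HKDF is not a password-stretching function; a guessable secret gives a
     * guessable key.
     */
    private Aead getPrimitive(String secret) throws GeneralSecurityException {
        byte[] derivedKey = Hkdf.computeHkdf(
                HKDF_MAC,
                secret.getBytes(StandardCharsets.UTF_8),
                (byte[]) null,
                (byte[]) null,
                DERIVED_KEY_BYTES);
        AesGcmKey aesGcmKey = AesGcmKey.newBuilder()
                .setVersion(0)
                .setKeyValue(ByteString.copyFrom(derivedKey))
                .build();
        return Registry.getPrimitive(AES_GCM_KEY, aesGcmKey.toByteString(), Aead.class);
    }

    /** Builds the enabled, TINK-prefixed keyset entry that describes {@code secret}'s key. */
    private Keyset.Key getKey(String secret) throws GeneralSecurityException {
        return Keyset.Key.newBuilder()
                .setKeyId(getId(secret))
                .setStatus(KeyStatusType.ENABLED)
                .setOutputPrefixType(OutputPrefixType.TINK)
                .build();
    }

    /**
     * Computes the key id for {@code secret}: the first four bytes of its MD5 digest, read
     * as a big-endian int.
     *
     * <p>MD5 is used purely to get a stable identifier. The value must stay as it is for
     * existing ciphertexts to keep resolving to their key.
     *
     * @throws GeneralSecurityException if the runtime does not provide MD5
     */
    private int getId(String secret) throws GeneralSecurityException {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(secret.getBytes(StandardCharsets.UTF_8));
            return ByteBuffer.wrap(md5.digest()).getInt();
        } catch (NoSuchAlgorithmException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Reports whether this client handles {@code uri}.
     *
     * <p>A bound client matches only its exact URI. An unbound client matches any URI that
     * starts with {@link #PREFIX}, compared case-insensitively.
     */
    @Override
    public boolean doesSupport(String uri) {
        if (this.keyUri != null) {
            return this.keyUri.equals(uri);
        }
        return uri != null && uri.toLowerCase(Locale.US).startsWith(PREFIX);
    }

    /** No-op: key material is supplied at registration time, so the argument is ignored. */
    @Override
    @CanIgnoreReturnValue
    public KmsClient withCredentials(String credentialPath) throws GeneralSecurityException {
        return this;
    }

    /** No-op: key material is supplied at registration time. */
    @Override
    @CanIgnoreReturnValue
    public KmsClient withDefaultCredentials() throws GeneralSecurityException {
        return this;
    }

    /**
     * Returns the AEAD built from the configured secrets.
     *
     * @throws GeneralSecurityException if this client is bound to a different URI than
     *     {@code uri}
     */
    @Override
    public Aead getAead(String uri) throws GeneralSecurityException {
        if (this.keyUri != null && !this.keyUri.equals(uri)) {
            // Only the two URIs go into the message; no key material is exposed.
            throw new GeneralSecurityException(String.format(
                    "this client is bound to %s, cannot load keys bound to %s", this.keyUri, uri));
        }
        return this.aead;
    }

    /**
     * Creates a client and adds it to Tink's {@link KmsClients} registry.
     *
     * @param keyUri URI to bind the client to; when absent the client is bound to
     *     {@link #PREFIX} itself
     * @param secret secret the primary key is derived from; must be non-empty
     * @param oldSecrets secrets for additional, non-primary keys; each must be non-empty
     * @return the registered client
     * @throws IllegalArgumentException if the URI has the wrong prefix or a secret is empty
     * @throws GeneralSecurityException if key derivation or primitive creation fails
     */
    public static KmsClient register(Optional<String> keyUri, String secret, List<String> oldSecrets)
            throws GeneralSecurityException {
        LocalKmsClient client = new LocalKmsClient(keyUri.orElse(PREFIX), secret, oldSecrets);
        KmsClients.add(client);
        return client;
    }
}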
