package io.confluent.kafka.schemaregistry.encryption.aws;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.kms.AbstractAWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import com.amazonaws.services.kms.model.EncryptRequest;
import com.amazonaws.services.kms.model.EncryptResult;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/aws/FakeAwsKms.class */
public class FakeAwsKms extends AbstractAWSKMS {
    private final Map<String, Aead> aeads = new HashMap();

    private static byte[] serializeContext(Map<String, String> map) {
        return new TreeMap(map).toString().getBytes(StandardCharsets.UTF_8);
    }

    public FakeAwsKms(List<String> list) throws GeneralSecurityException {
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            this.aeads.put(it.next(), (Aead) KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM")).getPrimitive(Aead.class));
        }
    }

    public EncryptResult encrypt(EncryptRequest encryptRequest) {
        if (!this.aeads.containsKey(encryptRequest.getKeyId())) {
            throw new AmazonServiceException("Unknown key ID : " + encryptRequest.getKeyId() + " is not in " + this.aeads.keySet());
        }
        try {
            return new EncryptResult().withKeyId(encryptRequest.getKeyId()).withCiphertextBlob(ByteBuffer.wrap(this.aeads.get(encryptRequest.getKeyId()).encrypt(encryptRequest.getPlaintext().array(), serializeContext(encryptRequest.getEncryptionContext()))));
        } catch (GeneralSecurityException e) {
            throw new AmazonServiceException(e.getMessage());
        }
    }

    public DecryptResult decrypt(DecryptRequest decryptRequest) {
        for (Map.Entry<String, Aead> entry : this.aeads.entrySet()) {
            try {
                return new DecryptResult().withKeyId(entry.getKey()).withPlaintext(ByteBuffer.wrap(entry.getValue().decrypt(decryptRequest.getCiphertextBlob().array(), serializeContext(decryptRequest.getEncryptionContext()))));
            } catch (GeneralSecurityException e) {
            }
        }
        throw new AmazonServiceException("unable to decrypt");
    }
}
