package io.confluent.kafka.schemaregistry.encryption.tink;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.DeterministicAead;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.Registry;
import com.google.crypto.tink.TinkProtoParametersFormat;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.daead.DeterministicAeadConfig;
import com.google.crypto.tink.proto.KeyTemplate;
import com.google.protobuf.ByteString;
import com.google.protobuf.ExtensionRegistryLite;
import com.google.protobuf.InvalidProtocolBufferException;
import java.nio.BufferUnderflowException;
import java.security.GeneralSecurityException;
import java.util.concurrent.ExecutionException;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/tink/Cryptor.class */
public class Cryptor {
    private final DekFormat dekFormat;
    private final KeyTemplate dekTemplate;
    private final LoadingCache<ByteString, DeterministicAead> deterministicAeads;
    private final LoadingCache<ByteString, Aead> aeads;
    private static final int DEFAULT_CACHE_SIZE = 100;

    public Cryptor(DekFormat dekFormat) throws GeneralSecurityException {
        KeyTemplate build;
        try {
            build = KeyTemplate.parseFrom(TinkProtoParametersFormat.serialize(dekFormat.getParameters()), ExtensionRegistryLite.getEmptyRegistry());
        } catch (GeneralSecurityException e) {
            com.google.crypto.tink.KeyTemplate keyTemplate = KeyTemplates.get(dekFormat.name());
            build = KeyTemplate.newBuilder().setTypeUrl(keyTemplate.getTypeUrl()).setValue(ByteString.copyFrom(keyTemplate.getValue())).build();
        } catch (InvalidProtocolBufferException e2) {
            throw new GeneralSecurityException((Throwable) e2);
        }
        this.dekFormat = dekFormat;
        this.dekTemplate = build;
        this.deterministicAeads = CacheBuilder.newBuilder().maximumSize(100L).build(new CacheLoader<ByteString, DeterministicAead>() { // from class: io.confluent.kafka.schemaregistry.encryption.tink.Cryptor.1
            public DeterministicAead load(ByteString byteString) throws GeneralSecurityException {
                return (DeterministicAead) Registry.getPrimitive(Cryptor.this.dekTemplate.getTypeUrl(), byteString, DeterministicAead.class);
            }
        });
        this.aeads = CacheBuilder.newBuilder().maximumSize(100L).build(new CacheLoader<ByteString, Aead>() { // from class: io.confluent.kafka.schemaregistry.encryption.tink.Cryptor.2
            public Aead load(ByteString byteString) throws GeneralSecurityException {
                return (Aead) Registry.getPrimitive(Cryptor.this.dekTemplate.getTypeUrl(), byteString, Aead.class);
            }
        });
    }

    public DekFormat getDekFormat() {
        return this.dekFormat;
    }

    public byte[] generateKey() throws GeneralSecurityException {
        return Registry.newKeyData(this.dekTemplate).getValue().toByteArray();
    }

    public byte[] encrypt(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        return this.dekFormat.isDeterministic() ? getDeterministicAead(bArr).encryptDeterministically(bArr2, bArr3) : getAead(bArr).encrypt(bArr2, bArr3);
    }

    public byte[] decrypt(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        try {
            return this.dekFormat.isDeterministic() ? getDeterministicAead(bArr).decryptDeterministically(bArr2, bArr3) : getAead(bArr).decrypt(bArr2, bArr3);
        } catch (IndexOutOfBoundsException | NegativeArraySizeException | BufferUnderflowException e) {
            throw new GeneralSecurityException("invalid ciphertext", e);
        }
    }

    private DeterministicAead getDeterministicAead(byte[] bArr) throws GeneralSecurityException {
        try {
            return (DeterministicAead) this.deterministicAeads.get(ByteString.copyFrom(bArr));
        } catch (ExecutionException e) {
            if (e.getCause() instanceof GeneralSecurityException) {
                throw ((GeneralSecurityException) e.getCause());
            }
            throw new RuntimeException(e.getCause());
        }
    }

    private Aead getAead(byte[] bArr) throws GeneralSecurityException {
        try {
            return (Aead) this.aeads.get(ByteString.copyFrom(bArr));
        } catch (ExecutionException e) {
            if (e.getCause() instanceof GeneralSecurityException) {
                throw ((GeneralSecurityException) e.getCause());
            }
            throw new RuntimeException(e.getCause());
        }
    }

    static {
        try {
            AeadConfig.register();
            DeterministicAeadConfig.register();
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException(e);
        }
    }
}
