package com.nimbusds.jose.aws.kms.crypto;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import com.amazonaws.services.kms.model.DependencyTimeoutException;
import com.amazonaws.services.kms.model.DisabledException;
import com.amazonaws.services.kms.model.InvalidGrantTokenException;
import com.amazonaws.services.kms.model.InvalidKeyUsageException;
import com.amazonaws.services.kms.model.KMSInternalException;
import com.amazonaws.services.kms.model.KMSInvalidStateException;
import com.amazonaws.services.kms.model.KeyUnavailableException;
import com.amazonaws.services.kms.model.NotFoundException;
import com.nimbusds.jose.CriticalHeaderParamsAware;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.aws.kms.crypto.impl.KmsSymmetricCryptoProvider;
import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException;
import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
import com.nimbusds.jose.util.Base64URL;
import java.nio.ByteBuffer;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.annotation.concurrent.ThreadSafe;
import javax.crypto.spec.SecretKeySpec;
import lombok.NonNull;

@ThreadSafe
/* loaded from: input_file:com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypter.class */
public class KmsSymmetricDecrypter extends KmsSymmetricCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
    private final CriticalHeaderParamsDeferral critPolicy;

    public KmsSymmetricDecrypter(@NonNull AWSKMS awskms, @NonNull String str, @NonNull Map<String, String> map) {
        super(awskms, str, map);
        this.critPolicy = new CriticalHeaderParamsDeferral();
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "keyId is marked non-null but is null");
        Objects.requireNonNull(map, "encryptionContext is marked non-null but is null");
    }

    public KmsSymmetricDecrypter(@NonNull AWSKMS awskms, @NonNull String str) {
        super(awskms, str);
        this.critPolicy = new CriticalHeaderParamsDeferral();
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "keyId is marked non-null but is null");
    }

    public KmsSymmetricDecrypter(@NonNull AWSKMS awskms, @NonNull String str, @NonNull Set<String> set) {
        this(awskms, str);
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "keyId is marked non-null but is null");
        Objects.requireNonNull(set, "defCritHeaders is marked non-null but is null");
        this.critPolicy.setDeferredCriticalHeaderParams(set);
    }

    public KmsSymmetricDecrypter(@NonNull AWSKMS awskms, @NonNull String str, @NonNull Map<String, String> map, @NonNull Set<String> set) {
        this(awskms, str, map);
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "keyId is marked non-null but is null");
        Objects.requireNonNull(map, "encryptionContext is marked non-null but is null");
        Objects.requireNonNull(set, "defCritHeaders is marked non-null but is null");
        this.critPolicy.setDeferredCriticalHeaderParams(set);
    }

    public Set<String> getProcessedCriticalHeaderParams() {
        return this.critPolicy.getProcessedCriticalHeaderParams();
    }

    public Set<String> getDeferredCriticalHeaderParams() {
        return this.critPolicy.getDeferredCriticalHeaderParams();
    }

    public byte[] decrypt(@NonNull JWEHeader jWEHeader, @NonNull Base64URL base64URL, @NonNull Base64URL base64URL2, @NonNull Base64URL base64URL3, @NonNull Base64URL base64URL4) throws JOSEException {
        Objects.requireNonNull(jWEHeader, "header is marked non-null but is null");
        Objects.requireNonNull(base64URL, "encryptedKey is marked non-null but is null");
        Objects.requireNonNull(base64URL2, "iv is marked non-null but is null");
        Objects.requireNonNull(base64URL3, "cipherText is marked non-null but is null");
        Objects.requireNonNull(base64URL4, "authTag is marked non-null but is null");
        validateJWEHeader(jWEHeader);
        this.critPolicy.ensureHeaderPasses(jWEHeader);
        return ContentCryptoProvider.decrypt(jWEHeader, base64URL, base64URL2, base64URL3, base64URL4, new SecretKeySpec(decryptCek(getKeyId(), getEncryptionContext(), base64URL).getPlaintext().array(), jWEHeader.getAlgorithm().toString()), getJCAContext());
    }

    private DecryptResult decryptCek(String str, Map<String, String> map, Base64URL base64URL) throws JOSEException {
        try {
            return getKms().decrypt(new DecryptRequest().withEncryptionContext(map).withKeyId(str).withCiphertextBlob(ByteBuffer.wrap(base64URL.decode())));
        } catch (DependencyTimeoutException | InvalidGrantTokenException | KMSInternalException e) {
            throw new TemporaryJOSEException("A temporary error was thrown from KMS.", e);
        } catch (NotFoundException | DisabledException | InvalidKeyUsageException | KeyUnavailableException | KMSInvalidStateException e2) {
            throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid key.", e2);
        }
    }
}
