package com.nimbusds.jose.aws.kms.crypto;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DependencyTimeoutException;
import com.amazonaws.services.kms.model.DisabledException;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;
import com.amazonaws.services.kms.model.InvalidGrantTokenException;
import com.amazonaws.services.kms.model.InvalidKeyUsageException;
import com.amazonaws.services.kms.model.KMSInternalException;
import com.amazonaws.services.kms.model.KMSInvalidStateException;
import com.amazonaws.services.kms.model.KeyUnavailableException;
import com.amazonaws.services.kms.model.NotFoundException;
import com.google.common.collect.ImmutableMap;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWECryptoParts;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.aws.kms.crypto.impl.KmsSymmetricCryptoProvider;
import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException;
import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
import com.nimbusds.jose.util.Base64URL;
import java.util.Map;
import java.util.Objects;
import javax.annotation.concurrent.ThreadSafe;
import javax.crypto.spec.SecretKeySpec;
import lombok.NonNull;

@ThreadSafe
/* loaded from: input_file:com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypter.class */
public class KmsSymmetricEncrypter extends KmsSymmetricCryptoProvider implements JWEEncrypter {
    public KmsSymmetricEncrypter(@NonNull AWSKMS awskms, @NonNull String str) {
        super(awskms, str);
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "keyId is marked non-null but is null");
    }

    public KmsSymmetricEncrypter(@NonNull AWSKMS awskms, @NonNull String str, @NonNull Map<String, String> map) {
        super(awskms, str, map);
        Objects.requireNonNull(awskms, "kms is marked non-null but is null");
        Objects.requireNonNull(str, "keyId is marked non-null but is null");
        Objects.requireNonNull(map, "encryptionContext is marked non-null but is null");
    }

    public JWECryptoParts encrypt(@NonNull JWEHeader jWEHeader, @NonNull byte[] bArr) throws JOSEException {
        Objects.requireNonNull(jWEHeader, "header is marked non-null but is null");
        Objects.requireNonNull(bArr, "clearText is marked non-null but is null");
        validateJWEHeader(jWEHeader);
        GenerateDataKeyResult generateDataKey = generateDataKey(getKeyId(), jWEHeader.getEncryptionMethod());
        return ContentCryptoProvider.encrypt(Objects.nonNull(getEncryptionContext()) ? new JWEHeader.Builder(jWEHeader).customParams(ImmutableMap.of(KmsSymmetricCryptoProvider.ENCRYPTION_CONTEXT_HEADER, getEncryptionContext())).build() : jWEHeader, bArr, new SecretKeySpec(generateDataKey.getPlaintext().array(), jWEHeader.getAlgorithm().toString()), Base64URL.encode(generateDataKey.getCiphertextBlob().array()), getJCAContext());
    }

    private GenerateDataKeyResult generateDataKey(String str, EncryptionMethod encryptionMethod) throws JOSEException {
        try {
            return getKms().generateDataKey(new GenerateDataKeyRequest().withKeyId(str).withKeySpec(ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get(encryptionMethod)).withEncryptionContext(getEncryptionContext()));
        } catch (NotFoundException | DisabledException | InvalidKeyUsageException | KeyUnavailableException | KMSInvalidStateException e) {
            throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid key.", e);
        } catch (DependencyTimeoutException | InvalidGrantTokenException | KMSInternalException e2) {
            throw new TemporaryJOSEException("A temporary error was thrown from KMS.", e2);
        }
    }
}
