package com.amazonaws.services.dynamodbv2.datamodeling.encryption;

import com.amazonaws.services.dynamodbv2.datamodeling.internal.AttributeValueMarshaller;
import com.amazonaws.services.dynamodbv2.datamodeling.internal.Utils;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBSigner.class */
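/**
 * Computes and verifies the integrity signature over a DynamoDB item's attributes.
 *
 * <p>Three kinds of integrity key are handled: a {@link DelegatedKey} (signing and
 * verification are delegated to the key object), a {@link SecretKey} (MAC using the
 * key's own algorithm) and an asymmetric key pair ({@link Signature} using the
 * algorithm this instance was created for).
 *
 * <p>Instances are cached per signing-algorithm name; see
 * {@link #getInstance(String, SecureRandom)} for what that implies for the supplied
 * random source.
 */
class DynamoDBSigner {
    /** One signer per signing-algorithm name. The key is the algorithm name only. */
    private static final ConcurrentHashMap<String, DynamoDBSigner> cache = new ConcurrentHashMap<>();
    protected static final Charset UTF8 = Charset.forName("UTF-8");
    /** Random source handed to {@link Signature#initSign(PrivateKey, SecureRandom)}. */
    private final SecureRandom rnd;
    /** Per-instance random key used only to blind the two MACs compared in {@link #safeEquals}. */
    private final SecretKey hmacComparisonKey;
    private final String signingAlgorithm;

    /**
     * Returns the shared signer for a signing algorithm, creating it on first use.
     *
     * <p>The cache is keyed by {@code str} alone. {@code secureRandom} is therefore only
     * used when this call creates the instance; a later call with a different
     * {@code SecureRandom} gets the signer built around the first one.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @param str          asymmetric signing algorithm name passed to {@link Signature#getInstance(String)}
     * @param secureRandom random source, or {@code null} to use {@code Utils.getRng()}
     * @return the cached signer for {@code str}
     */
    public static DynamoDBSigner getInstance(String str, SecureRandom secureRandom) {
        DynamoDBSigner cached = cache.get(str);
        if (cached != null) {
            return cached;
        }
        DynamoDBSigner created = new DynamoDBSigner(str, secureRandom);
        // If another thread registered a signer first, hand out that one so every caller
        // shares the same instance instead of keeping a private, uncached copy.
        DynamoDBSigner winner = cache.putIfAbsent(str, created);
        return winner != null ? winner : created;
    }

    private DynamoDBSigner(String str, SecureRandom secureRandom) {
        secureRandom = secureRandom == null ? Utils.getRng() : secureRandom;
        this.rnd = secureRandom;
        this.signingAlgorithm = str;
        // 31 bytes, one short of the 32-byte SHA-256 output.
        // NOTE(review): the length looks deliberate rather than a typo; confirm against
        // the upstream source before "rounding it up".
        byte[] comparisonKeyBytes = new byte[31];
        secureRandom.nextBytes(comparisonKeyBytes);
        this.hmacComparisonKey = new SecretKeySpec(comparisonKeyBytes, "HmacSHA256");
    }

    /**
     * Verifies {@code byteBuffer} as the signature over the signed attributes of {@code map}.
     *
     * <p>{@code DelegatedKey} is tested before {@code SecretKey} because a key can be both
     * (the {@code SecretKey} overload of {@code calculateSignature} checks for that case).
     * For a plain {@code SecretKey} the expected MAC is recomputed and compared through
     * {@link #safeEquals}; for a {@code PublicKey} the JCA {@link Signature} verifies it.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @param map        item attributes
     * @param map2       per-attribute flags; only attributes flagged {@code SIGN} are covered
     * @param bArr       optional extra bytes bound into the signature, may be {@code null}
     * @param key        integrity key
     * @param byteBuffer signature to check
     * @throws SignatureException       if the signature does not match
     * @throws IllegalArgumentException if {@code key} is none of the supported key types
     * @throws GeneralSecurityException on other JCA failures
     */
    public void verifySignature(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, byte[] bArr, Key key, ByteBuffer byteBuffer) throws GeneralSecurityException {
        if (key instanceof DelegatedKey) {
            DelegatedKey delegatedKey = (DelegatedKey) key;
            if (!delegatedKey.verify(calculateStringToSign(map, map2, bArr), toByteArray(byteBuffer), delegatedKey.getAlgorithm())) {
                throw new SignatureException("Bad signature");
            }
        } else if (key instanceof SecretKey) {
            if (!safeEquals(byteBuffer, calculateSignature(map, map2, bArr, (SecretKey) key))) {
                throw new SignatureException("Bad signature");
            }
        } else {
            if (!(key instanceof PublicKey)) {
                throw new IllegalArgumentException("No integrity key provided");
            }
            byte[] stringToSign = calculateStringToSign(map, map2, bArr);
            Signature verifier = Signature.getInstance(getSigningAlgorithm());
            verifier.initVerify((PublicKey) key);
            verifier.update(stringToSign);
            if (!verifier.verify(toByteArray(byteBuffer))) {
                throw new SignatureException("Bad signature");
            }
        }
    }

    /**
     * Builds the canonical byte string that is signed or MACed.
     *
     * <p>Layout: {@code SHA-256(bArr)} (digest of the empty input when {@code bArr} is
     * {@code null}), then for every attribute name of {@code map} in sorted order whose
     * flags contain {@code SIGN}: {@code SHA-256(name)}, {@code SHA-256("ENCRYPTED")} or
     * {@code SHA-256("PLAINTEXT")}, and {@code SHA-256(marshalled value)}. Every field is
     * a SHA-256 digest, so all fields have the same fixed width.
     *
     * <p>Attributes without a {@code SIGN} flag, and names that appear only in
     * {@code map2}, contribute nothing and so are not protected by the signature.
     *
     * @param map  item attributes
     * @param map2 per-attribute flags
     * @param bArr optional extra bytes bound into the signature, may be {@code null}
     * @return the bytes to sign
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable
     */
    static byte[] calculateStringToSign(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, byte[] bArr) throws NoSuchAlgorithmException {
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            // Sorted names make the result independent of the map's iteration order.
            ArrayList<String> attributeNames = new ArrayList<>(map.keySet());
            Collections.sort(attributeNames);
            // MessageDigest.digest(...) resets the instance, so it can be reused per field.
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            if (bArr != null) {
                out.write(sha256.digest(bArr));
            } else {
                out.write(sha256.digest());
            }
            for (String name : attributeNames) {
                Set<EncryptionFlags> flags = map2.get(name);
                if (flags == null || !flags.contains(EncryptionFlags.SIGN)) {
                    continue;
                }
                AttributeValue attributeValue = map.get(name);
                out.write(sha256.digest(name.getBytes(UTF8)));
                // The encrypted/plaintext marker is part of the signed data, so it cannot
                // be flipped without invalidating the signature.
                String marker = flags.contains(EncryptionFlags.ENCRYPT) ? "ENCRYPTED" : "PLAINTEXT";
                out.write(sha256.digest(marker.getBytes(UTF8)));
                out.write(sha256.digest(AttributeValueMarshaller.marshall(attributeValue)));
            }
            return out.toByteArray();
        } catch (IOException e) {
            throw new RuntimeException("Unexpected exception", e);
        }
    }

    /**
     * Computes the signature with whichever mechanism matches the key type.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @throws IllegalArgumentException if {@code key} is not a {@code DelegatedKey},
     *                                  {@code SecretKey} or {@code PrivateKey}
     * @throws GeneralSecurityException on JCA failures
     */
    public byte[] calculateSignature(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, byte[] bArr, Key key) throws GeneralSecurityException {
        if (key instanceof DelegatedKey) {
            return calculateSignature(map, map2, bArr, (DelegatedKey) key);
        }
        if (key instanceof SecretKey) {
            return calculateSignature(map, map2, bArr, (SecretKey) key);
        }
        if (key instanceof PrivateKey) {
            return calculateSignature(map, map2, bArr, (PrivateKey) key);
        }
        throw new IllegalArgumentException("No integrity key provided");
    }

    /** Delegates signing to the key itself, using the key's own algorithm name. */
    byte[] calculateSignature(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, byte[] bArr, DelegatedKey delegatedKey) throws GeneralSecurityException {
        return delegatedKey.sign(calculateStringToSign(map, map2, bArr), delegatedKey.getAlgorithm());
    }

    /**
     * Computes a MAC over the string to sign. The MAC algorithm is taken from
     * {@code secretKey.getAlgorithm()}, not from this signer's signing algorithm.
     */
    byte[] calculateSignature(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, byte[] bArr, SecretKey secretKey) throws GeneralSecurityException {
        // A caller that reached this overload by static type may still hold a delegated key.
        if (secretKey instanceof DelegatedKey) {
            return calculateSignature(map, map2, bArr, (DelegatedKey) secretKey);
        }
        byte[] stringToSign = calculateStringToSign(map, map2, bArr);
        Mac mac = Mac.getInstance(secretKey.getAlgorithm());
        mac.init(secretKey);
        mac.update(stringToSign);
        return mac.doFinal();
    }

    /** Signs the string to sign with this signer's algorithm and random source. */
    byte[] calculateSignature(Map<String, AttributeValue> map, Map<String, Set<EncryptionFlags>> map2, byte[] bArr, PrivateKey privateKey) throws GeneralSecurityException {
        byte[] stringToSign = calculateStringToSign(map, map2, bArr);
        Signature signer = Signature.getInstance(this.signingAlgorithm);
        signer.initSign(privateKey, this.rnd);
        signer.update(stringToSign);
        return signer.sign();
    }

    /**
     * Returns the asymmetric signing algorithm name this signer was created for.
     *
     * <p>Decompiler note: the original access level was package-private.
     */
    public String getSigningAlgorithm() {
        return this.signingAlgorithm;
    }

    /**
     * Compares a received MAC with the expected one without comparing the raw values.
     *
     * <p>Both inputs are first MACed under the per-instance random
     * {@code hmacComparisonKey}, and the two results are compared with
     * {@link MessageDigest#isEqual(byte[], byte[])}. The bytes that reach the comparison
     * are therefore not the attacker-supplied signature itself.
     *
     * <p>Side effect: {@code byteBuffer} is rewound and then consumed from position 0 to
     * its limit; unlike {@link #toByteArray} it is not rewound again afterwards.
     */
    private boolean safeEquals(ByteBuffer byteBuffer, byte[] bArr) {
        try {
            byteBuffer.rewind();
            Mac mac = Mac.getInstance(this.hmacComparisonKey.getAlgorithm());
            mac.init(this.hmacComparisonKey);
            mac.update(byteBuffer);
            byte[] blindedReceived = mac.doFinal();
            mac.reset();
            mac.update(bArr);
            return MessageDigest.isEqual(blindedReceived, mac.doFinal());
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Unexpected exception", e);
        }
    }

    /**
     * Extracts the signature bytes from a buffer and leaves the buffer rewound.
     *
     * <p>For an array-backed buffer the result is the window {@code [0, limit)} of the
     * buffer, the same range {@link #safeEquals} reads after its rewind. The backing
     * array is returned directly only when it is exactly that window; for a slice or a
     * buffer wrapped over part of a larger array the window is copied, so bytes of the
     * backing array that lie outside the buffer are never treated as signature data.
     *
     * <p>NOTE(review): for a buffer without an accessible array the bytes are read from
     * the current position, not from 0 (unchanged from the original); confirm that
     * callers always pass such buffers positioned at 0.
     */
    private static byte[] toByteArray(ByteBuffer byteBuffer) {
        if (byteBuffer.hasArray()) {
            byte[] backing = byteBuffer.array();
            int offset = byteBuffer.arrayOffset();
            int length = byteBuffer.limit();
            byteBuffer.rewind();
            if (offset == 0 && length == backing.length) {
                return backing;
            }
            byte[] window = new byte[length];
            System.arraycopy(backing, offset, window, 0, length);
            return window;
        }
        byte[] copy = new byte[byteBuffer.remaining()];
        byteBuffer.get(copy);
        byteBuffer.rewind();
        return copy;
    }
}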
