package com.amazonaws.athena.connector.lambda.security;

import com.amazonaws.athena.connector.lambda.data.Block;
import com.amazonaws.athena.connector.lambda.data.BlockAllocator;
import com.amazonaws.athena.connector.lambda.data.RecordBatchSerDe;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.arrow.vector.types.pojo.Schema;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:com/amazonaws/athena/connector/lambda/security/AesGcmBlockCrypto.class */
public class AesGcmBlockCrypto implements BlockCrypto {
    protected static final int GCM_TAG_LENGTH_BITS = 128;
    protected static final int NONCE_BYTES = 12;
    protected static final int KEY_BYTES = 16;
    protected static final String KEYSPEC = "AES";
    protected static final String ALGO = "AES/GCM/NoPadding";
    protected static final String ALGO_BC = "BC";
    private final RecordBatchSerDe serDe;
    private final BlockAllocator allocator;

    public AesGcmBlockCrypto(BlockAllocator blockAllocator) {
        this.serDe = new RecordBatchSerDe(blockAllocator);
        this.allocator = blockAllocator;
    }

    @Override // com.amazonaws.athena.connector.lambda.security.BlockCrypto
    public byte[] encrypt(EncryptionKey encryptionKey, Block block) {
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            this.serDe.serialize(block.getRecordBatch(), byteArrayOutputStream);
            return makeCipher(1, encryptionKey).doFinal(byteArrayOutputStream.toByteArray());
        } catch (IOException | BadPaddingException | IllegalBlockSizeException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // com.amazonaws.athena.connector.lambda.security.BlockCrypto
    public Block decrypt(EncryptionKey encryptionKey, byte[] bArr, Schema schema) {
        try {
            byte[] doFinal = makeCipher(2, encryptionKey).doFinal(bArr);
            Block createBlock = this.allocator.createBlock(schema);
            createBlock.loadRecordBatch(this.serDe.deserialize(doFinal));
            return createBlock;
        } catch (IOException | BadPaddingException | IllegalBlockSizeException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // com.amazonaws.athena.connector.lambda.security.BlockCrypto
    public byte[] decrypt(EncryptionKey encryptionKey, byte[] bArr) {
        try {
            return makeCipher(2, encryptionKey).doFinal(bArr);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new RuntimeException(e);
        }
    }

    private Cipher makeCipher(int i, EncryptionKey encryptionKey) {
        if (encryptionKey.getNonce().length != NONCE_BYTES) {
            throw new RuntimeException("Expected 12 nonce bytes but found " + encryptionKey.getNonce().length);
        }
        if (encryptionKey.getKey().length != KEY_BYTES) {
            throw new RuntimeException("Expected 16 key bytes but found " + encryptionKey.getKey().length);
        }
        GCMParameterSpec gCMParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH_BITS, encryptionKey.getNonce());
        SecretKeySpec secretKeySpec = new SecretKeySpec(encryptionKey.getKey(), KEYSPEC);
        try {
            Cipher cipher = Cipher.getInstance(ALGO, ALGO_BC);
            cipher.init(i, secretKeySpec, gCMParameterSpec);
            return cipher;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException e) {
            throw new RuntimeException(e);
        }
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
    }
}
