package ro.ghionoiu.kmsjwt.key;

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import java.nio.ByteBuffer;
import java.util.Set;

/* loaded from: input_file:ro/ghionoiu/kmsjwt/key/KMSDecrypt.class */
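/**
 * {@link KeyDecrypt} implementation that asks AWS KMS to decrypt a ciphertext blob and
 * accepts the result only if KMS reports one of the expected key ARNs.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The request carries no key id, so KMS picks the key from the ciphertext itself and the
 *       allow-list is checked only after KMS has already decrypted. The allow-list is therefore
 *       a second line of defence; the caller's IAM/key policy should restrict
 *       {@code kms:Decrypt} to the expected keys as well.</li>
 *   <li>The set of ARNs is held by reference, not copied. Callers should not mutate it after
 *       construction, otherwise the allow-list changes underneath this object.</li>
 * </ul>
 */
public class KMSDecrypt implements KeyDecrypt {
    private final AWSKMS kmsClient;
    private final Set<String> supportedKeyARNs;

    /**
     * @param awskms KMS client used for the decrypt call
     * @param set    ARNs of the KMS keys whose ciphertexts are accepted (stored by reference)
     */
    public KMSDecrypt(AWSKMS awskms, Set<String> set) {
        this.kmsClient = awskms;
        this.supportedKeyARNs = set;
    }

    /**
     * Decrypts {@code bArr} through KMS and returns the plaintext bytes.
     *
     * @param bArr ciphertext blob as produced by KMS
     * @return a freshly allocated array holding exactly the plaintext bytes; it contains key
     *         material, so callers should keep its lifetime short
     * @throws KeyOperationException if the KMS call fails for any reason, or if the key that
     *         KMS used is not in the allow-list
     */
    @Override
    public byte[] decrypt(byte[] bArr) throws KeyOperationException {
        try {
            DecryptRequest request = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(bArr));
            DecryptResult result = this.kmsClient.decrypt(request);

            // Reject plaintext produced by any key outside the allow-list before touching it.
            if (!this.supportedKeyARNs.contains(result.getKeyId())) {
                // The wording says "signed" although this is a decrypt path; the message is kept
                // as-is because callers may match on it.
                throw new KeyOperationException("Ciphertext signed by unexpected key");
            }

            // ByteBuffer.array() exposes the whole backing array (ignoring offset, position and
            // limit) and throws for read-only or direct buffers. Copy only the readable bytes,
            // through a read-only view so the result's own buffer position is left untouched.
            ByteBuffer plaintext = result.getPlaintext();
            byte[] plaintextBytes = new byte[plaintext.remaining()];
            plaintext.asReadOnlyBuffer().get(plaintextBytes);
            return plaintextBytes;
        } catch (KeyOperationException e) {
            // Already the right type: rethrow instead of wrapping it inside a copy of itself.
            throw e;
        } catch (Exception e) {
            // Broad on purpose: SDK/runtime failures (including null input) surface as the one
            // checked type the KeyDecrypt contract declares, with the cause preserved.
            throw new KeyOperationException(e.getMessage(), e);
        }
    }
}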
