package software.amazon.encryption.s3.internal;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import software.amazon.awssdk.utils.IoUtils;
import software.amazon.encryption.s3.S3EncryptionClientException;
import software.amazon.encryption.s3.algorithms.AlgorithmSuite;
import software.amazon.encryption.s3.materials.DecryptionMaterials;

/* loaded from: input_file:software/amazon/encryption/s3/internal/BufferedAesGcmContentStrategy.class */
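/**
 * Content decryption strategy that buffers the entire ciphertext in memory and decrypts it with a
 * single {@code Cipher.doFinal} call.
 *
 * <p>The cipher is initialised with a {@link GCMParameterSpec}, and in GCM mode the JCE
 * {@code doFinal} call returns plaintext only after the authentication tag has verified. A failed
 * tag check surfaces as a {@link GeneralSecurityException}. The stream returned to the caller
 * therefore never contains unauthenticated plaintext.
 *
 * <p>Because the ciphertext is held in memory in full, objects whose reported ciphertext length
 * exceeds {@value #BUFFERED_MAX_CONTENT_LENGTH_MiB} MiB are rejected before any bytes are read.
 */
public class BufferedAesGcmContentStrategy implements ContentDecryptionStrategy {
    /** Largest ciphertext, in MiB, that this strategy will buffer. */
    private static final long BUFFERED_MAX_CONTENT_LENGTH_MiB = 64;
    /** The same limit in bytes (64 * 1024 * 1024 = 67108864). */
    private static final long BUFFERED_MAX_CONTENT_LENGTH_BYTES = BUFFERED_MAX_CONTENT_LENGTH_MiB * 1024 * 1024;

    /** Builder for {@link BufferedAesGcmContentStrategy}; it currently carries no options. */
    public static class Builder {
        private Builder() {
        }

        /**
         * Creates the strategy.
         *
         * @return a new {@link BufferedAesGcmContentStrategy}
         */
        public BufferedAesGcmContentStrategy build() {
            return new BufferedAesGcmContentStrategy(this);
        }
    }

    private BufferedAesGcmContentStrategy(Builder builder) {
    }

    /**
     * Returns a new builder.
     *
     * @return a fresh {@link Builder}
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Reads all of {@code inputStream}, decrypts it in one shot and returns the plaintext as an
     * in-memory stream.
     *
     * @param contentMetadata supplies the algorithm suite and the content IV
     * @param decryptionMaterials supplies the plaintext data key, the reported ciphertext length
     *     and the crypto provider
     * @param inputStream the ciphertext; it is read to the end but not closed here
     * @return a stream over the decrypted content
     * @throws S3EncryptionClientException if the reported ciphertext length is above the buffering
     *     limit, if reading the stream fails, or if cipher setup or decryption (including the
     *     authentication tag check) fails
     */
    @Override
    public InputStream decryptContent(ContentMetadata contentMetadata, DecryptionMaterials decryptionMaterials, InputStream inputStream) {
        if (decryptionMaterials.ciphertextLength() > BUFFERED_MAX_CONTENT_LENGTH_BYTES) {
            throw new S3EncryptionClientException(String.format(
                    "The object you are attempting to decrypt exceeds the maximum content length allowed in default mode. "
                            + "Please enable Delayed Authentication mode to decrypt objects larger than %d MiB",
                    BUFFERED_MAX_CONTENT_LENGTH_MiB));
        }
        try {
            // NOTE(review): the size limit above is applied to the length reported by
            // decryptionMaterials, while this call reads until end of stream. If the reported
            // length can differ from what the stream delivers, memory use is not capped here.
            // Confirm the caller guarantees they match, or bound this read.
            byte[] ciphertext = IoUtils.toByteArray(inputStream);
            AlgorithmSuite algorithmSuite = contentMetadata.algorithmSuite();
            SecretKeySpec contentKey = new SecretKeySpec(decryptionMaterials.plaintextDataKey(), algorithmSuite.dataKeyAlgorithm());
            GCMParameterSpec gcmSpec = new GCMParameterSpec(algorithmSuite.cipherTagLengthBits(), contentMetadata.contentIv());
            try {
                Cipher cipher = CryptoFactory.createCipher(algorithmSuite.cipherName(), decryptionMaterials.cryptoProvider());
                cipher.init(Cipher.DECRYPT_MODE, contentKey, gcmSpec);
                // doFinal either returns the complete, tag-verified plaintext or throws.
                return new ByteArrayInputStream(cipher.doFinal(ciphertext));
            } catch (GeneralSecurityException e) {
                throw new S3EncryptionClientException("Unable to " + algorithmSuite.cipherName() + " content decrypt.", e);
            }
        } catch (IOException e) {
            throw new S3EncryptionClientException("Unexpected exception while buffering ciphertext input stream!", e);
        }
    }
}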
