package com.google.cloud.spring.kms;

import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.DecryptRequest;
import com.google.cloud.kms.v1.DecryptResponse;
import com.google.cloud.kms.v1.EncryptRequest;
import com.google.cloud.kms.v1.EncryptResponse;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.spring.core.GcpProjectIdProvider;
import com.google.common.hash.Hashing;
import com.google.protobuf.ByteString;
import com.google.protobuf.Int64Value;
import java.nio.charset.StandardCharsets;

/* loaded from: input_file:com/google/cloud/spring/kms/KmsTemplate.class */
public class KmsTemplate implements KmsOperations {
    private final KeyManagementServiceClient client;
    private final GcpProjectIdProvider projectIdProvider;

    public KmsTemplate(KeyManagementServiceClient keyManagementServiceClient, GcpProjectIdProvider gcpProjectIdProvider) {
        this.client = keyManagementServiceClient;
        this.projectIdProvider = gcpProjectIdProvider;
    }

    @Override // com.google.cloud.spring.kms.KmsOperations
    public byte[] encryptText(String str, String str2) {
        return encryptBytes(str, str2.getBytes(StandardCharsets.UTF_8));
    }

    @Override // com.google.cloud.spring.kms.KmsOperations
    public byte[] encryptBytes(String str, byte[] bArr) {
        EncryptResponse encrypt = this.client.encrypt(EncryptRequest.newBuilder().setName(KmsPropertyUtils.getCryptoKeyName(str, this.projectIdProvider).toString()).setPlaintext(ByteString.copyFrom(bArr)).setPlaintextCrc32C(Int64Value.newBuilder().setValue(longCrc32c(bArr)).build()).build());
        assertCrcMatch(encrypt);
        return encrypt.getCiphertext().toByteArray();
    }

    @Override // com.google.cloud.spring.kms.KmsOperations
    public String decryptText(String str, byte[] bArr) {
        return new String(decryptBytes(str, bArr), StandardCharsets.UTF_8);
    }

    @Override // com.google.cloud.spring.kms.KmsOperations
    public byte[] decryptBytes(String str, byte[] bArr) {
        CryptoKeyName cryptoKeyName = KmsPropertyUtils.getCryptoKeyName(str, this.projectIdProvider);
        ByteString copyFrom = ByteString.copyFrom(bArr);
        DecryptResponse decrypt = this.client.decrypt(DecryptRequest.newBuilder().setName(cryptoKeyName.toString()).setCiphertext(copyFrom).setCiphertextCrc32C(Int64Value.newBuilder().setValue(longCrc32c(copyFrom)).build()).build());
        assertCrcMatch(decrypt);
        return decrypt.getPlaintext().toByteArray();
    }

    private long longCrc32c(ByteString byteString) {
        return longCrc32c(byteString.toByteArray());
    }

    private long longCrc32c(byte[] bArr) {
        return Hashing.crc32c().hashBytes(bArr).padToLong();
    }

    private void assertCrcMatch(EncryptResponse encryptResponse) {
        if (encryptResponse.getCiphertextCrc32C().getValue() != longCrc32c(encryptResponse.getCiphertext())) {
            throw new KmsException("Encryption: response from server corrupted");
        }
    }

    private void assertCrcMatch(DecryptResponse decryptResponse) {
        if (decryptResponse.getPlaintextCrc32C().getValue() != longCrc32c(decryptResponse.getPlaintext())) {
            throw new KmsException("Decryption : response from server corrupted");
        }
    }
}
