package com.microsoft.identity.broker4j.broker.prt;

import com.microsoft.identity.broker4j.broker.crypto.IKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.keyfactories.IBrokerKeyFactory;
import com.microsoft.identity.broker4j.opentelemetry.AttributeName;
import com.microsoft.identity.common.java.AuthenticationConstants;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.jwt.IJweResponseDecryptor;
import com.microsoft.identity.common.java.logging.Logger;
import com.microsoft.identity.common.java.opentelemetry.SpanExtension;
import com.microsoft.identity.common.java.platform.JweResponse;
import cz.msebera.android.httpclient.extras.Base64;
import io.opentelemetry.api.trace.Span;
import java.nio.ByteBuffer;
import lombok.NonNull;

/* loaded from: classes3.dex */
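/**
 * {@link IJweResponseDecryptor} that decrypts a compact JWE whose content is protected with
 * AES-GCM, using a key derived from the session key and the {@code ctx} value carried in the
 * JWE header.
 *
 * <p>Only JWEs declaring {@code enc=A256GCM} and {@code alg=dir} are accepted; anything else is
 * rejected before any key material is touched.
 */
public class SessionKeyBasedDecryptorAesGcm implements IJweResponseDecryptor {
    private static final String TAG = "SessionKeyBasedDecryptorAesGcm";

    /** The only content encryption algorithm ("enc") this decryptor accepts. */
    private static final String CONTENT_ENCRYPTION_ALGORITHM = "A256GCM";

    /** The only key management algorithm ("alg") this decryptor accepts. */
    private static final String KEY_MANAGEMENT_ALGORITHM = "dir";

    /** Cipher transformation requested from the key factory for the derived key. */
    private static final String CIPHER_TRANSFORMATION = "AES/GCM/NoPadding";

    /**
     * RFC 7518 section 5.3 fixes the AES-GCM authentication tag of a JWE at 128 bits. The tag
     * length is otherwise taken from the incoming message, so a shorter tag would let the sender
     * choose a weaker integrity check.
     */
    private static final int GCM_TAG_LENGTH_BYTES = 16;

    // Factory used to derive the per-message key, obtain its accessor and delete it afterwards.
    @NonNull
    final IBrokerKeyFactory mBrokerKeyFactory;

    // Long-lived session key that the per-message key is derived from.
    @NonNull
    final IKeyEntry mSessionKey;

    /**
     * Creates a decryptor bound to one session key.
     *
     * @param iBrokerKeyFactory factory used for key derivation, decryption and key cleanup
     * @param iKeyEntry session key from which the per-message key is derived
     * @throws NullPointerException if either argument is {@code null}
     */
    public SessionKeyBasedDecryptorAesGcm(@NonNull IBrokerKeyFactory iBrokerKeyFactory, @NonNull IKeyEntry iKeyEntry) {
        if (iBrokerKeyFactory == null) {
            throw new NullPointerException("mBrokerKeyFactory is marked non-null but is null");
        }
        if (iKeyEntry == null) {
            throw new NullPointerException("mSessionKey is marked non-null but is null");
        }
        this.mBrokerKeyFactory = iBrokerKeyFactory;
        this.mSessionKey = iKeyEntry;
    }

    /**
     * Decrypts the given JWE and returns its plaintext as a string.
     *
     * <p>The header is validated first, the lengths of the decoded parts are recorded on the
     * current span, and the derived key is deleted from the key manager whether or not
     * decryption succeeds.
     *
     * @param str the serialized JWE
     * @return the decrypted payload decoded with {@link AuthenticationConstants#CHARSET_UTF8}
     * @throws NullPointerException if {@code str} is {@code null}
     * @throws IllegalArgumentException if the header does not declare {@code A256GCM} / {@code dir},
     *     or the authentication tag is missing or is not 16 bytes long
     * @throws ClientException propagated from parsing, key derivation, decryption or key deletion
     */
    @Override // com.microsoft.identity.common.java.jwt.IJweResponseDecryptor
    public String decryptJwe(@NonNull String str) throws ClientException {
        if (str == null) {
            throw new NullPointerException("jwe is marked non-null but is null");
        }
        final String methodTag = TAG + ":decryptJwe";
        final Span span = SpanExtension.current();
        final JweResponse jwe = JweResponse.parseJwe(str);

        // Constant-first comparison: a header without "enc"/"alg" is rejected with the same
        // IllegalArgumentException as a wrong value instead of failing with a bare NPE.
        final String encryptionAlgorithm = jwe.getJweHeader().getEncryptionAlgorithm();
        if (!CONTENT_ENCRYPTION_ALGORITHM.equalsIgnoreCase(encryptionAlgorithm)) {
            Logger.error(methodTag, "Invalid content encryption algorithm: " + encryptionAlgorithm, null);
            throw new IllegalArgumentException("Invalid content encryption algorithm");
        }
        final String keyManagementAlgorithm = jwe.getJweHeader().getAlgorithm();
        if (!KEY_MANAGEMENT_ALGORITHM.equalsIgnoreCase(keyManagementAlgorithm)) {
            Logger.error(methodTag, "Invalid key management algorithm: " + keyManagementAlgorithm, null);
            throw new IllegalArgumentException("Invalid key management algorithm");
        }

        final byte[] iv = jwe.getIv();
        final byte[] ciphertext = jwe.getPayload();
        final byte[] authenticationTag = jwe.getAuthenticationTag();
        if (authenticationTag == null) {
            Logger.error(methodTag, "Authentication tag is missing", null);
            throw new IllegalArgumentException("Authentication Tag is missing.");
        }
        final byte[] aad = jwe.getAAD();
        final byte[] derivationContext = Base64.decode(jwe.getJweHeader().getContext(), 0);

        // Only lengths are recorded as telemetry; no key, IV or payload bytes are exported.
        span.setAttribute(AttributeName.iv_decoded_length.name(), iv.length);
        span.setAttribute(AttributeName.payload_ciphertext_length.name(), ciphertext.length);
        span.setAttribute(AttributeName.derived_key_ctx_length.name(), derivationContext.length);
        span.setAttribute(AttributeName.authentication_tag_length.name(), authenticationTag.length);

        // The tag length below is forwarded to the cipher, so it must not be sender-controlled.
        // Checked after the span attributes so that a rejected length is still visible in telemetry.
        if (authenticationTag.length != GCM_TAG_LENGTH_BYTES) {
            Logger.error(methodTag, "Invalid authentication tag length: " + authenticationTag.length, null);
            throw new IllegalArgumentException("Invalid authentication tag length");
        }

        final IKeyEntry derivedKey = SessionKeyUtil.deriveKey(this.mBrokerKeyFactory, this.mSessionKey, derivationContext);
        try {
            // The accessor is handed ciphertext and tag as one buffer: ciphertext || tag.
            final byte[] ciphertextWithTag = ByteBuffer.allocate(ciphertext.length + authenticationTag.length)
                    .put(ciphertext)
                    .put(authenticationTag)
                    .array();
            final byte[] plaintext = this.mBrokerKeyFactory
                    .getDerivedSessionKeyAccessor(derivedKey, CIPHER_TRANSFORMATION)
                    .decryptWithGcm(ciphertextWithTag, iv, authenticationTag.length, aad);
            return new String(plaintext, AuthenticationConstants.CHARSET_UTF8);
        } finally {
            // Delete the derived key on the failure path too (for example a tag mismatch), so a
            // rejected message cannot leave per-message key material behind in the key manager.
            this.mBrokerKeyFactory.getKeyManager().deleteKey(derivedKey);
        }
    }
}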
