package com.google.security.cryptauth.lib.securegcm;

import com.google.protobuf.InvalidProtocolBufferException;
import com.google.security.cryptauth.lib.securegcm.DeviceToDeviceMessagesProto;
import com.google.security.cryptauth.lib.securegcm.SecureGcmProto;
import com.google.security.cryptauth.lib.securegcm.TransportCryptoOps;
import com.google.security.cryptauth.lib.securemessage.CryptoOps;
import com.google.security.cryptauth.lib.securemessage.PublicKeyProtoUtil;
import com.google.security.cryptauth.lib.securemessage.SecureMessageBuilder;
import com.google.security.cryptauth.lib.securemessage.SecureMessageParser;
import com.google.security.cryptauth.lib.securemessage.SecureMessageProto;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKey;

/* loaded from: classes2.dex */
class D2DCryptoOps {
    public static final byte[] SALT = {-126, -86, 85, -96, -45, -105, -8, -125, 70, -54, 28, -18, -115, 57, 9, -71, 95, 19, -6, 125, -21, 29, 74, -77, -125, 118, -72, 37, 109, -88, 85, 16};

    private D2DCryptoOps() {
    }

    public static DeviceToDeviceMessagesProto.DeviceToDeviceMessage decryptResponderHelloMessage(SecretKey secretKey, byte[] bArr) {
        try {
            TransportCryptoOps.Payload verifydecryptPayload = verifydecryptPayload(bArr, secretKey);
            if (TransportCryptoOps.PayloadType.DEVICE_TO_DEVICE_RESPONDER_HELLO_PAYLOAD.equals(verifydecryptPayload.getPayloadType())) {
                return DeviceToDeviceMessagesProto.DeviceToDeviceMessage.parseFrom(verifydecryptPayload.getMessage());
            }
            throw new SignatureException("wrong message type in responder hello");
        } catch (InvalidProtocolBufferException e10) {
            throw new SignatureException(e10);
        } catch (InvalidKeyException e11) {
            throw new SignatureException(e11);
        } catch (NoSuchAlgorithmException e12) {
            throw new SignatureException(e12);
        }
    }

    public static SecretKey deriveNewKeyForPurpose(SecretKey secretKey, String str) {
        return KeyEncoding.parseMasterKey(CryptoOps.hkdf(secretKey, SALT, str.getBytes()));
    }

    public static SecretKey deriveSharedKeyFromGenericPublicKey(PrivateKey privateKey, SecureMessageProto.GenericPublicKey genericPublicKey) {
        try {
            return EnrollmentCryptoOps.doKeyAgreement(privateKey, PublicKeyProtoUtil.parsePublicKey(genericPublicKey));
        } catch (InvalidKeyException e10) {
            throw new SignatureException(e10);
        } catch (InvalidKeySpecException e11) {
            throw new SignatureException(e11);
        }
    }

    public static DeviceToDeviceMessagesProto.ResponderHello parseAndValidateResponderHello(byte[] bArr) {
        bArr.getClass();
        SecureMessageProto.Header unverifiedHeader = SecureMessageParser.getUnverifiedHeader(SecureMessageProto.SecureMessage.parseFrom(bArr));
        if (!unverifiedHeader.hasDecryptionKeyId()) {
            throw new InvalidProtocolBufferException("Missing decryption key id");
        }
        DeviceToDeviceMessagesProto.ResponderHello parseFrom = DeviceToDeviceMessagesProto.ResponderHello.parseFrom(unverifiedHeader.getDecryptionKeyId().toByteArray());
        if (parseFrom.hasPublicDhKey()) {
            return parseFrom;
        }
        throw new InvalidProtocolBufferException("Missing public key in responder hello");
    }

    public static byte[] signcryptMessageAndResponderHello(TransportCryptoOps.Payload payload, SecretKey secretKey, PublicKey publicKey, int i10) {
        DeviceToDeviceMessagesProto.ResponderHello.Builder newBuilder = DeviceToDeviceMessagesProto.ResponderHello.newBuilder();
        newBuilder.setPublicDhKey(PublicKeyProtoUtil.encodePublicKey(publicKey));
        newBuilder.setProtocolVersion(i10);
        return signcryptPayload(payload, secretKey, newBuilder.build().toByteArray());
    }

    public static byte[] signcryptPayload(TransportCryptoOps.Payload payload, SecretKey secretKey) {
        return signcryptPayload(payload, secretKey, null);
    }

    public static byte[] signcryptPayload(TransportCryptoOps.Payload payload, SecretKey secretKey, byte[] bArr) {
        if (payload == null || secretKey == null) {
            throw null;
        }
        SecureMessageBuilder publicMetadata = new SecureMessageBuilder().setPublicMetadata(SecureGcmProto.GcmMetadata.newBuilder().setType(payload.getPayloadType().getType()).setVersion(1).build().toByteArray());
        if (bArr != null) {
            publicMetadata.setDecryptionKeyId(bArr);
        }
        return publicMetadata.buildSignCryptedMessage(secretKey, CryptoOps.SigType.HMAC_SHA256, secretKey, CryptoOps.EncType.AES_256_CBC, payload.getMessage()).toByteArray();
    }

    public static TransportCryptoOps.Payload verifydecryptPayload(byte[] bArr, SecretKey secretKey) {
        if (bArr == null || secretKey == null) {
            throw null;
        }
        try {
            SecureMessageProto.HeaderAndBody parseSignCryptedMessage = SecureMessageParser.parseSignCryptedMessage(SecureMessageProto.SecureMessage.parseFrom(bArr), secretKey, CryptoOps.SigType.HMAC_SHA256, secretKey, CryptoOps.EncType.AES_256_CBC);
            if (!parseSignCryptedMessage.getHeader().hasPublicMetadata()) {
                throw new SignatureException("missing metadata");
            }
            SecureGcmProto.GcmMetadata parseFrom = SecureGcmProto.GcmMetadata.parseFrom(parseSignCryptedMessage.getHeader().getPublicMetadata());
            if (parseFrom.getVersion() <= 1) {
                return new TransportCryptoOps.Payload(TransportCryptoOps.PayloadType.valueOf(parseFrom.getType()), parseSignCryptedMessage.getBody().toByteArray());
            }
            throw new SignatureException("Unsupported protocol version");
        } catch (InvalidProtocolBufferException e10) {
            throw new SignatureException(e10);
        } catch (IllegalArgumentException e11) {
            throw new SignatureException(e11);
        }
    }
}
