package com.google.crypto.tink.apps.webpush;

import com.google.crypto.tink.HybridEncrypt;
import com.google.crypto.tink.subtle.EllipticCurves;
import com.google.crypto.tink.subtle.EngineFactory;
import com.google.crypto.tink.subtle.Random;
import com.oblador.keychain.cipherStorage.CipherStorageKeystoreAesCbc;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECPoint;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: classes3.dex */
public final class WebPushHybridEncrypt implements HybridEncrypt {
    private final byte[] authSecret;
    private final int paddingSize;
    private final byte[] recipientPublicKey;
    private final ECPoint recipientPublicPoint;
    private final int recordSize;

    /* loaded from: classes3.dex */
    public static final class Builder {
        private byte[] recipientPublicKey = null;
        private ECPoint recipientPublicPoint = null;
        private byte[] authSecret = null;
        private int recordSize = 4096;
        private int paddingSize = 0;

        public WebPushHybridEncrypt build() throws GeneralSecurityException {
            return new WebPushHybridEncrypt(this);
        }

        public Builder withAuthSecret(byte[] bArr) {
            this.authSecret = (byte[]) bArr.clone();
            return this;
        }

        public Builder withPaddingSize(int i) {
            if (i < 0 || i > 3993) {
                throw new IllegalArgumentException(String.format("invalid padding size (%s); must be a number between [%s, %s]", Integer.valueOf(i), 0, 3993));
            }
            this.paddingSize = i;
            return this;
        }

        public Builder withRecipientPublicKey(ECPublicKey eCPublicKey) throws GeneralSecurityException {
            this.recipientPublicPoint = eCPublicKey.getW();
            this.recipientPublicKey = EllipticCurves.pointEncode(WebPushConstants.NIST_P256_CURVE_TYPE, WebPushConstants.UNCOMPRESSED_POINT_FORMAT, eCPublicKey.getW());
            return this;
        }

        public Builder withRecipientPublicKey(byte[] bArr) throws GeneralSecurityException {
            this.recipientPublicKey = (byte[]) bArr.clone();
            this.recipientPublicPoint = EllipticCurves.pointDecode(WebPushConstants.NIST_P256_CURVE_TYPE, WebPushConstants.UNCOMPRESSED_POINT_FORMAT, this.recipientPublicKey);
            return this;
        }

        public Builder withRecordSize(int i) {
            if (i < 103 || i > 4096) {
                throw new IllegalArgumentException(String.format("invalid record size (%s); must be a number between [%s, %s]", Integer.valueOf(i), 103, 4096));
            }
            this.recordSize = i;
            return this;
        }
    }

    private WebPushHybridEncrypt(Builder builder) throws GeneralSecurityException {
        if (builder.recipientPublicKey == null || builder.recipientPublicPoint == null) {
            throw new IllegalArgumentException("must set recipient's public key with Builder.withRecipientPublicKey");
        }
        this.recipientPublicKey = builder.recipientPublicKey;
        this.recipientPublicPoint = builder.recipientPublicPoint;
        if (builder.authSecret == null) {
            throw new IllegalArgumentException("must set auth secret with Builder.withAuthSecret");
        }
        if (builder.authSecret.length != 16) {
            throw new IllegalArgumentException("auth secret must have 16 bytes");
        }
        this.authSecret = builder.authSecret;
        this.recordSize = builder.recordSize;
        this.paddingSize = builder.paddingSize;
    }

    private byte[] encrypt(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        Cipher engineFactory = EngineFactory.CIPHER.getInstance("AES/GCM/NoPadding");
        engineFactory.init(1, new SecretKeySpec(bArr, CipherStorageKeystoreAesCbc.ALGORITHM_AES), new GCMParameterSpec(128, bArr2));
        byte[] bArr4 = new byte[bArr3.length + 1 + this.paddingSize];
        bArr4[bArr3.length] = 2;
        System.arraycopy(bArr3, 0, bArr4, 0, bArr3.length);
        return engineFactory.doFinal(bArr4);
    }

    @Override // com.google.crypto.tink.HybridEncrypt
    public byte[] encrypt(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        if (bArr2 != null) {
            throw new GeneralSecurityException("contextInfo must be null because it is unused");
        }
        if (bArr.length > (this.recordSize - this.paddingSize) - 103) {
            throw new GeneralSecurityException(String.format("plaintext too long; with record size = %d and padding size = %d, plaintext cannot be longer than %d", Integer.valueOf(this.recordSize), Integer.valueOf(this.paddingSize), Integer.valueOf((this.recordSize - this.paddingSize) - 103)));
        }
        KeyPair generateKeyPair = EllipticCurves.generateKeyPair(WebPushConstants.NIST_P256_CURVE_TYPE);
        ECPrivateKey eCPrivateKey = (ECPrivateKey) generateKeyPair.getPrivate();
        ECPublicKey eCPublicKey = (ECPublicKey) generateKeyPair.getPublic();
        byte[] computeSharedSecret = EllipticCurves.computeSharedSecret(eCPrivateKey, this.recipientPublicPoint);
        byte[] pointEncode = EllipticCurves.pointEncode(WebPushConstants.NIST_P256_CURVE_TYPE, WebPushConstants.UNCOMPRESSED_POINT_FORMAT, eCPublicKey.getW());
        byte[] computeIkm = WebPushUtil.computeIkm(computeSharedSecret, this.authSecret, this.recipientPublicKey, pointEncode);
        byte[] randBytes = Random.randBytes(16);
        return ByteBuffer.allocate(bArr.length + 103 + this.paddingSize).put(randBytes).putInt(this.recordSize).put((byte) 65).put(pointEncode).put(encrypt(WebPushUtil.computeCek(computeIkm, randBytes), WebPushUtil.computeNonce(computeIkm, randBytes), bArr)).array();
    }
}
