package com.netflix.msl.keyx;

import com.netflix.android.org.json.JSONObject;
import com.netflix.msl.MslCryptoException;
import com.netflix.msl.MslError;
import com.netflix.msl.MslInternalException;
import com.netflix.msl.MslKeyExchangeException;
import com.netflix.msl.MslMasterTokenException;
import com.netflix.msl.crypto.CryptoCache;
import com.netflix.msl.crypto.ICryptoContext;
import com.netflix.msl.crypto.SessionCryptoContext;
import com.netflix.msl.entityauth.EntityAuthenticationData;
import com.netflix.msl.keyx.KeyExchangeFactory;
import com.netflix.msl.tokens.MasterToken;
import com.netflix.msl.util.AuthenticationUtils;
import com.netflix.msl.util.Base64;
import com.netflix.msl.util.MslContext;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.xbill.DNS.Flags;

/* loaded from: classes.dex */
public abstract class AbstractAuthenticatedDiffieHellmanExchange extends KeyExchangeFactory {
    private static final String HMAC_SHA256_ALGO = "HmacSHA256";
    private static final String HMAC_SHA384_ALGO = "HmacSHA384";
    private static final String SHA384_ALGO = "SHA-384";
    private final AuthenticationUtils authutils;
    private final DiffieHellmanParameters params;
    private final DerivationKeyRepository repository;

    /* loaded from: classes.dex */
    public enum Mechanism {
        PSK,
        MGK,
        WRAP
    }

    /* loaded from: classes.dex */
    public class SessionKeys {
        public final SecretKey derivationKey;
        public final SecretKey encryptionKey;
        public final SecretKey hmacKey;

        public SessionKeys(SecretKey secretKey, SecretKey secretKey2, SecretKey secretKey3) {
            this.encryptionKey = secretKey;
            this.hmacKey = secretKey2;
            this.derivationKey = secretKey3;
        }
    }

    public AbstractAuthenticatedDiffieHellmanExchange(DerivationKeyRepository derivationKeyRepository, DiffieHellmanParameters diffieHellmanParameters, AuthenticationUtils authenticationUtils) {
        super(NetflixKeyExchangeScheme.AUTHENTICATED_DH);
        this.repository = derivationKeyRepository;
        this.params = diffieHellmanParameters;
        this.authutils = authenticationUtils;
    }

    private static byte[] computeMac(Key key, byte[] bArr, String str) {
        try {
            Mac mac = CryptoCache.getMac(str);
            mac.init(key);
            return mac.doFinal(bArr);
        } catch (InvalidKeyException e) {
            throw new MslCryptoException(MslError.INVALID_HMAC_KEY, e);
        } catch (NoSuchAlgorithmException e2) {
            throw new MslInternalException(str + " algorithm not found.", e2);
        }
    }

    public static byte[] concat(byte[] bArr, byte[] bArr2) {
        byte[] copyOf = Arrays.copyOf(bArr, bArr.length + bArr2.length);
        System.arraycopy(bArr2, 0, copyOf, bArr.length, bArr2.length);
        return copyOf;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] correctNullBytes(byte[] bArr) {
        int i = 0;
        for (int i2 = 0; i2 < bArr.length && bArr[i2] == 0; i2++) {
            i++;
        }
        if (i == 1) {
            return bArr;
        }
        int length = bArr.length - i;
        byte[] bArr2 = new byte[length + 1];
        bArr2[0] = 0;
        System.arraycopy(bArr, i, bArr2, 1, length);
        return bArr2;
    }

    protected static SessionKeys deriveSessionKeys(PublicKey publicKey, PrivateKey privateKey, DHParameterSpec dHParameterSpec, byte[] bArr) {
        try {
            KeyAgreement keyAgreement = CryptoCache.getKeyAgreement("DiffieHellman");
            keyAgreement.init(privateKey, dHParameterSpec);
            keyAgreement.doPhase(publicKey, true);
            byte[] computeMac = computeMac(new SecretKeySpec(bArr, HMAC_SHA384_ALGO), correctNullBytes(keyAgreement.generateSecret()), HMAC_SHA384_ALGO);
            byte[] bArr2 = new byte[16];
            System.arraycopy(computeMac, 0, bArr2, 0, bArr2.length);
            byte[] bArr3 = new byte[32];
            System.arraycopy(computeMac, bArr2.length, bArr3, 0, bArr3.length);
            byte[] bArr4 = new byte[16];
            System.arraycopy(computeMac(new SecretKeySpec(computeMac(new SecretKeySpec(new byte[]{2, 118, 23, -104, 79, 98, 39, 83, -102, 99, Flags.CD, -119, 124, 1, 125, 105}, "HmacSHA256"), concat(bArr2, bArr3), "HmacSHA256"), "HmacSHA256"), new byte[]{Byte.MIN_VALUE, -97, -126, -89, -83, -33, 84, -115, 62, -87, -35, 6, Byte.MAX_VALUE, -7, -69, -111}, "HmacSHA256"), 0, bArr4, 0, bArr4.length);
            return new SessionKeys(new SecretKeySpec(bArr2, "AES"), new SecretKeySpec(bArr3, "HmacSHA256"), new SecretKeySpec(bArr4, "AES"));
        } catch (InvalidAlgorithmParameterException e) {
            throw new MslInternalException("Diffie-Hellman algorithm parameters rejected by Diffie-Hellman key agreement.", e);
        } catch (InvalidKeyException e2) {
            throw new MslInternalException("Diffie-Hellman private key or generated public key rejected by Diffie-Hellman key agreement.", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new MslInternalException("DiffieHellman algorithm not found.", e3);
        }
    }

    private KeyPair generatePrivatePublicKeyPair(DHParameterSpec dHParameterSpec) {
        try {
            KeyPairGenerator keyPairGenerator = CryptoCache.getKeyPairGenerator("DH");
            keyPairGenerator.initialize(dHParameterSpec);
            return keyPairGenerator.generateKeyPair();
        } catch (InvalidAlgorithmParameterException e) {
            throw new MslInternalException("Diffie-Hellman algorithm parameters rejected by Diffie-Hellman key agreement.", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new MslInternalException("DiffieHellman algorithm not found.", e2);
        }
    }

    private PublicKey reconstituteRequestPublicKey(AuthenticatedDiffieHellmanRequestData authenticatedDiffieHellmanRequestData, DHParameterSpec dHParameterSpec) {
        try {
            return CryptoCache.getKeyFactory("DiffieHellman").generatePublic(new DHPublicKeySpec(authenticatedDiffieHellmanRequestData.getPublicKey(), dHParameterSpec.getP(), dHParameterSpec.getG()));
        } catch (NoSuchAlgorithmException e) {
            throw new MslInternalException("DiffieHellman algorithm not found.", e);
        } catch (InvalidKeySpecException e2) {
            throw new MslInternalException("Diffie-Hellman public key specification rejected by Diffie-Hellman key factory.", e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.netflix.msl.keyx.KeyExchangeFactory
    public KeyRequestData createRequestData(MslContext mslContext, JSONObject jSONObject) {
        return new AuthenticatedDiffieHellmanRequestData(jSONObject);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.netflix.msl.keyx.KeyExchangeFactory
    public KeyResponseData createResponseData(MslContext mslContext, MasterToken masterToken, JSONObject jSONObject) {
        return new AuthenticatedDiffieHellmanResponseData(masterToken, jSONObject);
    }

    @Override // com.netflix.msl.keyx.KeyExchangeFactory
    public KeyExchangeFactory.KeyExchangeData generateResponse(MslContext mslContext, KeyRequestData keyRequestData, EntityAuthenticationData entityAuthenticationData) {
        if (!(keyRequestData instanceof AuthenticatedDiffieHellmanRequestData)) {
            throw new MslInternalException("Key request data " + keyRequestData.getClass().getName() + " was not created by this factory.");
        }
        AuthenticatedDiffieHellmanRequestData authenticatedDiffieHellmanRequestData = (AuthenticatedDiffieHellmanRequestData) keyRequestData;
        String identity = entityAuthenticationData.getIdentity();
        if (!this.authutils.isSchemePermitted(identity, getScheme())) {
            throw new MslKeyExchangeException(MslError.KEYX_INCORRECT_DATA, "Authentication Scheme for Device Type Not Supported " + identity + ":" + getScheme());
        }
        Mechanism mechanism = authenticatedDiffieHellmanRequestData.getMechanism();
        byte[] wrapdata = authenticatedDiffieHellmanRequestData.getWrapdata();
        DHParameterSpec parameterSpec = this.params.getParameterSpec(authenticatedDiffieHellmanRequestData.getParametersId());
        PublicKey reconstituteRequestPublicKey = reconstituteRequestPublicKey(authenticatedDiffieHellmanRequestData, parameterSpec);
        KeyPair generatePrivatePublicKeyPair = generatePrivatePublicKeyPair(parameterSpec);
        DHPublicKey dHPublicKey = (DHPublicKey) generatePrivatePublicKeyPair.getPublic();
        SessionKeys deriveSessionKeys = deriveSessionKeys(reconstituteRequestPublicKey, (DHPrivateKey) generatePrivatePublicKeyPair.getPrivate(), parameterSpec, getHashWrapKeyData(mslContext, mechanism, wrapdata, identity));
        byte[] wrap = mslContext.getMslCryptoContext().wrap(deriveSessionKeys.derivationKey.getEncoded());
        MasterToken createMasterToken = mslContext.getTokenFactory().createMasterToken(mslContext, entityAuthenticationData, deriveSessionKeys.encryptionKey, deriveSessionKeys.hmacKey, null);
        return new KeyExchangeFactory.KeyExchangeData(new AuthenticatedDiffieHellmanResponseData(createMasterToken, wrap, authenticatedDiffieHellmanRequestData.getParametersId(), dHPublicKey.getY()), new SessionCryptoContext(mslContext, createMasterToken));
    }

    @Override // com.netflix.msl.keyx.KeyExchangeFactory
    public KeyExchangeFactory.KeyExchangeData generateResponse(MslContext mslContext, KeyRequestData keyRequestData, MasterToken masterToken) {
        if (!(keyRequestData instanceof AuthenticatedDiffieHellmanRequestData)) {
            throw new MslInternalException("Key request data " + keyRequestData.getClass().getName() + " was not created by this factory.");
        }
        AuthenticatedDiffieHellmanRequestData authenticatedDiffieHellmanRequestData = (AuthenticatedDiffieHellmanRequestData) keyRequestData;
        if (!masterToken.isVerified()) {
            throw new MslMasterTokenException(MslError.MASTERTOKEN_UNTRUSTED, masterToken);
        }
        String identity = masterToken.getIdentity();
        if (!this.authutils.isSchemePermitted(identity, getScheme())) {
            throw new MslKeyExchangeException(MslError.KEYX_INCORRECT_DATA, "Authentication Scheme for Device Type Not Supported " + identity + ":" + getScheme());
        }
        Mechanism mechanism = authenticatedDiffieHellmanRequestData.getMechanism();
        byte[] wrapdata = authenticatedDiffieHellmanRequestData.getWrapdata();
        DHParameterSpec parameterSpec = this.params.getParameterSpec(authenticatedDiffieHellmanRequestData.getParametersId());
        PublicKey reconstituteRequestPublicKey = reconstituteRequestPublicKey(authenticatedDiffieHellmanRequestData, parameterSpec);
        KeyPair generatePrivatePublicKeyPair = generatePrivatePublicKeyPair(parameterSpec);
        DHPublicKey dHPublicKey = (DHPublicKey) generatePrivatePublicKeyPair.getPublic();
        SessionKeys deriveSessionKeys = deriveSessionKeys(reconstituteRequestPublicKey, (DHPrivateKey) generatePrivatePublicKeyPair.getPrivate(), parameterSpec, getHashWrapKeyData(mslContext, mechanism, wrapdata, identity));
        byte[] wrap = mslContext.getMslCryptoContext().wrap(deriveSessionKeys.derivationKey.getEncoded());
        MasterToken renewMasterToken = mslContext.getTokenFactory().renewMasterToken(mslContext, masterToken, deriveSessionKeys.encryptionKey, deriveSessionKeys.hmacKey, null);
        return new KeyExchangeFactory.KeyExchangeData(new AuthenticatedDiffieHellmanResponseData(renewMasterToken, wrap, authenticatedDiffieHellmanRequestData.getParametersId(), dHPublicKey.getY()), new SessionCryptoContext(mslContext, renewMasterToken));
    }

    @Override // com.netflix.msl.keyx.KeyExchangeFactory
    public ICryptoContext getCryptoContext(MslContext mslContext, KeyRequestData keyRequestData, KeyResponseData keyResponseData, MasterToken masterToken) {
        byte[] hashWrapKeyData;
        if (!(keyRequestData instanceof AuthenticatedDiffieHellmanRequestData)) {
            throw new MslInternalException("Key request data " + keyRequestData.getClass().getName() + " was not created by this factory.");
        }
        AuthenticatedDiffieHellmanRequestData authenticatedDiffieHellmanRequestData = (AuthenticatedDiffieHellmanRequestData) keyRequestData;
        if (!(keyResponseData instanceof AuthenticatedDiffieHellmanResponseData)) {
            throw new MslInternalException("Key response data " + keyResponseData.getClass().getName() + " was not created by this factory.");
        }
        AuthenticatedDiffieHellmanResponseData authenticatedDiffieHellmanResponseData = (AuthenticatedDiffieHellmanResponseData) keyResponseData;
        String parametersId = authenticatedDiffieHellmanRequestData.getParametersId();
        String parametersId2 = authenticatedDiffieHellmanResponseData.getParametersId();
        if (!parametersId.equals(parametersId2)) {
            throw new MslKeyExchangeException(MslError.KEYX_RESPONSE_REQUEST_MISMATCH, "request " + parametersId + "; response " + parametersId2).setMasterToken(masterToken);
        }
        DHPrivateKey privateKey = authenticatedDiffieHellmanRequestData.getPrivateKey();
        if (privateKey == null) {
            throw new MslKeyExchangeException(MslError.KEYX_PRIVATE_KEY_MISSING, "request Diffie-Hellman private key").setMasterToken(masterToken);
        }
        DHParameterSpec params = privateKey.getParams();
        try {
            PublicKey generatePublic = CryptoCache.getKeyFactory("DiffieHellman").generatePublic(new DHPublicKeySpec(authenticatedDiffieHellmanResponseData.getPublicKey(), params.getP(), params.getG()));
            Mechanism mechanism = authenticatedDiffieHellmanRequestData.getMechanism();
            byte[] wrapdata = authenticatedDiffieHellmanRequestData.getWrapdata();
            String identity = mslContext.getEntityAuthenticationData(null).getIdentity();
            switch (mechanism) {
                case WRAP:
                    SecretKey derivationKey = this.repository.getDerivationKey(wrapdata);
                    if (derivationKey == null) {
                        throw new MslKeyExchangeException(MslError.KEYX_DERIVATION_KEY_MISSING, Base64.encode(wrapdata));
                    }
                    try {
                        hashWrapKeyData = CryptoCache.getMessageDigest(SHA384_ALGO).digest(derivationKey.getEncoded());
                        break;
                    } catch (NoSuchAlgorithmException e) {
                        throw new MslInternalException("SHA-384 algorithm not found.", e);
                    }
                case PSK:
                    hashWrapKeyData = getHashWrapKeyData(mslContext, mechanism, null, identity);
                    break;
                case MGK:
                    hashWrapKeyData = getHashWrapKeyData(mslContext, mechanism, null, identity);
                    break;
                default:
                    throw new MslInternalException("Key request data mechanism " + mechanism + " is not supported but it should be.");
            }
            SessionKeys deriveSessionKeys = deriveSessionKeys(generatePublic, privateKey, params, hashWrapKeyData);
            this.repository.addDerivationKey(authenticatedDiffieHellmanResponseData.getWrapdata(), deriveSessionKeys.derivationKey);
            if (wrapdata != null) {
                this.repository.removeDerivationKey(wrapdata);
            }
            return new SessionCryptoContext(mslContext, authenticatedDiffieHellmanResponseData.getMasterToken(), identity, deriveSessionKeys.encryptionKey, deriveSessionKeys.hmacKey);
        } catch (NoSuchAlgorithmException e2) {
            throw new MslInternalException("DiffieHellman algorithm not found.", e2);
        } catch (InvalidKeySpecException e3) {
            throw new MslKeyExchangeException(MslError.KEYX_INVALID_PUBLIC_KEY, "Diffie-Hellman public key specification rejected by Diffie-Hellman key factory.", e3);
        }
    }

    protected abstract byte[] getHashWrapKeyData(MslContext mslContext, Mechanism mechanism, byte[] bArr, String str);
}
