package org.openjsse.sun.security.ssl;

import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.text.MessageFormat;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import org.openjsse.sun.security.ssl.AlpnExtension;
import org.openjsse.sun.security.ssl.DHKeyExchange;
import org.openjsse.sun.security.ssl.SSLHandshake;
import org.openjsse.sun.security.ssl.SupportedGroupsExtension;
import org.openjsse.sun.security.ssl.X509Authentication;
import org.openjsse.sun.security.util.HexDumpEncoder;
import sun.security.util.KeyUtil;

/* loaded from: classes.dex */
final class DHServerKeyExchange {
    public static final SSLConsumer dhHandshakeConsumer;
    public static final HandshakeProducer dhHandshakeProducer;

    /* loaded from: classes.dex */
    public static final class DHServerKeyExchangeConsumer implements SSLConsumer {
        private DHServerKeyExchangeConsumer() {
        }

        @Override // org.openjsse.sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) {
            ClientHandshakeContext clientHandshakeContext = (ClientHandshakeContext) connectionContext;
            DHServerKeyExchangeMessage dHServerKeyExchangeMessage = new DHServerKeyExchangeMessage(clientHandshakeContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming DH ServerKeyExchange handshake message", dHServerKeyExchangeMessage);
            }
            try {
                DHPublicKey dHPublicKey = (DHPublicKey) JsseJce.getKeyFactory("DiffieHellman").generatePublic(new DHPublicKeySpec(new BigInteger(1, dHServerKeyExchangeMessage.f3702y), new BigInteger(1, dHServerKeyExchangeMessage.f3701p), new BigInteger(1, dHServerKeyExchangeMessage.g)));
                if (!clientHandshakeContext.algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), dHPublicKey)) {
                    throw clientHandshakeContext.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "DH ServerKeyExchange does not comply to algorithm constraints");
                }
                clientHandshakeContext.handshakeCredentials.add(new DHKeyExchange.DHECredentials(dHPublicKey, SupportedGroupsExtension.NamedGroup.valueOf(dHPublicKey.getParams())));
            } catch (GeneralSecurityException e5) {
                throw clientHandshakeContext.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "Could not generate DHPublicKey", e5);
            }
        }
    }

    /* loaded from: classes.dex */
    public static final class DHServerKeyExchangeMessage extends SSLHandshake.HandshakeMessage {
        private final byte[] g;

        /* renamed from: p, reason: collision with root package name */
        private final byte[] f3701p;
        private final byte[] paramsSignature;
        private final SignatureScheme signatureScheme;
        private final boolean useExplicitSigAlgorithm;

        /* renamed from: y, reason: collision with root package name */
        private final byte[] f3702y;

        public DHServerKeyExchangeMessage(HandshakeContext handshakeContext) {
            super(handshakeContext);
            Signature signature;
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) handshakeContext;
            X509Authentication.X509Possession x509Possession = null;
            DHKeyExchange.DHEPossession dHEPossession = null;
            for (SSLPossession sSLPossession : serverHandshakeContext.handshakePossessions) {
                if (sSLPossession instanceof DHKeyExchange.DHEPossession) {
                    dHEPossession = (DHKeyExchange.DHEPossession) sSLPossession;
                    if (x509Possession != null) {
                        break;
                    }
                } else if (sSLPossession instanceof X509Authentication.X509Possession) {
                    x509Possession = (X509Authentication.X509Possession) sSLPossession;
                    if (dHEPossession != null) {
                        break;
                    }
                } else {
                    continue;
                }
            }
            if (dHEPossession == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No DHE credentials negotiated for server key exchange");
            }
            DHPublicKey dHPublicKey = dHEPossession.publicKey;
            DHParameterSpec params = dHPublicKey.getParams();
            this.f3701p = Utilities.toByteArray(params.getP());
            this.g = Utilities.toByteArray(params.getG());
            this.f3702y = Utilities.toByteArray(dHPublicKey.getY());
            if (x509Possession == null) {
                this.paramsSignature = null;
                this.signatureScheme = null;
                this.useExplicitSigAlgorithm = false;
                return;
            }
            boolean useTLS12PlusSpec = serverHandshakeContext.negotiatedProtocol.useTLS12PlusSpec();
            this.useExplicitSigAlgorithm = useTLS12PlusSpec;
            if (useTLS12PlusSpec) {
                Map.Entry<SignatureScheme, Signature> signerOfPreferableAlgorithm = SignatureScheme.getSignerOfPreferableAlgorithm(serverHandshakeContext.peerRequestedSignatureSchemes, x509Possession, serverHandshakeContext.negotiatedProtocol);
                if (signerOfPreferableAlgorithm == null) {
                    TransportContext transportContext = serverHandshakeContext.conContext;
                    Alert alert = Alert.INTERNAL_ERROR;
                    StringBuilder y5 = androidx.activity.b.y("No supported signature algorithm for ");
                    y5.append(x509Possession.popPrivateKey.getAlgorithm());
                    y5.append("  key");
                    throw transportContext.fatal(alert, y5.toString());
                }
                this.signatureScheme = signerOfPreferableAlgorithm.getKey();
                signature = signerOfPreferableAlgorithm.getValue();
            } else {
                this.signatureScheme = null;
                try {
                    signature = getSignature(x509Possession.popPrivateKey.getAlgorithm(), x509Possession.popPrivateKey);
                } catch (InvalidKeyException | NoSuchAlgorithmException e5) {
                    TransportContext transportContext2 = serverHandshakeContext.conContext;
                    Alert alert2 = Alert.INTERNAL_ERROR;
                    StringBuilder y6 = androidx.activity.b.y("Unsupported signature algorithm: ");
                    y6.append(x509Possession.popPrivateKey.getAlgorithm());
                    throw transportContext2.fatal(alert2, y6.toString(), e5);
                }
            }
            try {
                updateSignature(signature, serverHandshakeContext.clientHelloRandom.randomBytes, serverHandshakeContext.serverHelloRandom.randomBytes);
                this.paramsSignature = signature.sign();
            } catch (SignatureException e6) {
                TransportContext transportContext3 = serverHandshakeContext.conContext;
                Alert alert3 = Alert.INTERNAL_ERROR;
                StringBuilder y7 = androidx.activity.b.y("Failed to sign dhe parameters: ");
                y7.append(x509Possession.popPrivateKey.getAlgorithm());
                throw transportContext3.fatal(alert3, y7.toString(), e6);
            }
        }

        public DHServerKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) {
            super(handshakeContext);
            X509Authentication.X509Credentials x509Credentials;
            Signature verifier;
            ClientHandshakeContext clientHandshakeContext = (ClientHandshakeContext) handshakeContext;
            byte[] a6 = d.a(byteBuffer);
            this.f3701p = a6;
            this.g = d.a(byteBuffer);
            byte[] a7 = d.a(byteBuffer);
            this.f3702y = a7;
            try {
                KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, a7), new BigInteger(1, a6), new BigInteger(1, a6)));
                Iterator<SSLCredentials> it = clientHandshakeContext.handshakeCredentials.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        x509Credentials = null;
                        break;
                    }
                    SSLCredentials next = it.next();
                    if (next instanceof X509Authentication.X509Credentials) {
                        x509Credentials = (X509Authentication.X509Credentials) next;
                        break;
                    }
                }
                if (x509Credentials == null) {
                    if (byteBuffer.hasRemaining()) {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid DH ServerKeyExchange: unknown extra data");
                    }
                    this.signatureScheme = null;
                    this.paramsSignature = null;
                    this.useExplicitSigAlgorithm = false;
                    return;
                }
                boolean useTLS12PlusSpec = clientHandshakeContext.negotiatedProtocol.useTLS12PlusSpec();
                this.useExplicitSigAlgorithm = useTLS12PlusSpec;
                if (useTLS12PlusSpec) {
                    int d5 = d.d(byteBuffer);
                    SignatureScheme valueOf = SignatureScheme.valueOf(d5);
                    this.signatureScheme = valueOf;
                    if (valueOf == null) {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, androidx.activity.b.n("Invalid signature algorithm (", d5, ") used in DH ServerKeyExchange handshake message"));
                    }
                    if (!clientHandshakeContext.localSupportedSignAlgs.contains(valueOf)) {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, androidx.activity.b.v(androidx.activity.b.y("Unsupported signature algorithm ("), valueOf.name, ") used in DH ServerKeyExchange handshake message"));
                    }
                } else {
                    this.signatureScheme = null;
                }
                byte[] a8 = d.a(byteBuffer);
                this.paramsSignature = a8;
                if (useTLS12PlusSpec) {
                    try {
                        verifier = this.signatureScheme.getVerifier(x509Credentials.popPublicKey);
                    } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException e5) {
                        TransportContext transportContext = clientHandshakeContext.conContext;
                        Alert alert = Alert.INTERNAL_ERROR;
                        StringBuilder y5 = androidx.activity.b.y("Unsupported signature algorithm: ");
                        y5.append(this.signatureScheme.name);
                        throw transportContext.fatal(alert, y5.toString(), e5);
                    }
                } else {
                    try {
                        verifier = getSignature(x509Credentials.popPublicKey.getAlgorithm(), x509Credentials.popPublicKey);
                    } catch (InvalidKeyException | NoSuchAlgorithmException e6) {
                        TransportContext transportContext2 = clientHandshakeContext.conContext;
                        Alert alert2 = Alert.INTERNAL_ERROR;
                        StringBuilder y6 = androidx.activity.b.y("Unsupported signature algorithm: ");
                        y6.append(x509Credentials.popPublicKey.getAlgorithm());
                        throw transportContext2.fatal(alert2, y6.toString(), e6);
                    }
                }
                try {
                    updateSignature(verifier, clientHandshakeContext.clientHelloRandom.randomBytes, clientHandshakeContext.serverHelloRandom.randomBytes);
                    if (verifier.verify(a8)) {
                    } else {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid signature on DH ServerKeyExchange message");
                    }
                } catch (SignatureException e7) {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Cannot verify DH ServerKeyExchange signature", e7);
                }
            } catch (InvalidKeyException e8) {
                throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid DH ServerKeyExchange: invalid parameters", e8);
            }
        }

        private static Signature getSignature(String str, Key key) {
            Signature signature;
            Objects.requireNonNull(str);
            if (str.equals(JsseJce.SIGNATURE_DSA)) {
                signature = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
            } else {
                if (!str.equals("RSA")) {
                    throw new NoSuchAlgorithmException(androidx.activity.b.s("neither an RSA or a DSA key : ", str));
                }
                signature = RSASignature.getInstance();
            }
            if (signature != null) {
                if (key instanceof PublicKey) {
                    signature.initVerify((PublicKey) key);
                } else {
                    signature.initSign((PrivateKey) key);
                }
            }
            return signature;
        }

        private void updateSignature(Signature signature, byte[] bArr, byte[] bArr2) {
            signature.update(bArr);
            signature.update(bArr2);
            signature.update((byte) (this.f3701p.length >> 8));
            signature.update((byte) (this.f3701p.length & AlpnExtension.CHAlpnProducer.MAX_AP_LENGTH));
            signature.update(this.f3701p);
            signature.update((byte) (this.g.length >> 8));
            signature.update((byte) (this.g.length & AlpnExtension.CHAlpnProducer.MAX_AP_LENGTH));
            signature.update(this.g);
            signature.update((byte) (this.f3702y.length >> 8));
            signature.update((byte) (this.f3702y.length & AlpnExtension.CHAlpnProducer.MAX_AP_LENGTH));
            signature.update(this.f3702y);
        }

        @Override // org.openjsse.sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.SERVER_KEY_EXCHANGE;
        }

        @Override // org.openjsse.sun.security.ssl.SSLHandshake.HandshakeMessage
        public int messageLength() {
            int i5;
            byte[] bArr = this.paramsSignature;
            if (bArr != null) {
                i5 = bArr.length + 2;
                if (this.useExplicitSigAlgorithm) {
                    i5 += SignatureScheme.sizeInRecord();
                }
            } else {
                i5 = 0;
            }
            return this.f3701p.length + 6 + this.g.length + this.f3702y.length + i5;
        }

        @Override // org.openjsse.sun.security.ssl.SSLHandshake.HandshakeMessage
        public void send(HandshakeOutStream handshakeOutStream) {
            handshakeOutStream.putBytes16(this.f3701p);
            handshakeOutStream.putBytes16(this.g);
            handshakeOutStream.putBytes16(this.f3702y);
            if (this.paramsSignature != null) {
                if (this.useExplicitSigAlgorithm) {
                    handshakeOutStream.putInt16(this.signatureScheme.id);
                }
                handshakeOutStream.putBytes16(this.paramsSignature);
            }
        }

        public String toString() {
            if (this.paramsSignature == null) {
                MessageFormat messageFormat = new MessageFormat("\"DH ServerKeyExchange\": '{'\n  \"parameters\": '{'\n    \"dh_p\": '{'\n{0}\n    '}',\n    \"dh_g\": '{'\n{1}\n    '}',\n    \"dh_Ys\": '{'\n{2}\n    '}',\n  '}'\n'}'", Locale.ENGLISH);
                HexDumpEncoder hexDumpEncoder = new HexDumpEncoder();
                return messageFormat.format(new Object[]{Utilities.indent(hexDumpEncoder.encodeBuffer(this.f3701p), "      "), Utilities.indent(hexDumpEncoder.encodeBuffer(this.g), "      "), Utilities.indent(hexDumpEncoder.encodeBuffer(this.f3702y), "      ")});
            }
            if (this.useExplicitSigAlgorithm) {
                MessageFormat messageFormat2 = new MessageFormat("\"DH ServerKeyExchange\": '{'\n  \"parameters\": '{'\n    \"dh_p\": '{'\n{0}\n    '}',\n    \"dh_g\": '{'\n{1}\n    '}',\n    \"dh_Ys\": '{'\n{2}\n    '}',\n  '}',\n  \"digital signature\":  '{'\n    \"signature algorithm\": \"{3}\"\n    \"signature\": '{'\n{4}\n    '}',\n  '}'\n'}'", Locale.ENGLISH);
                HexDumpEncoder hexDumpEncoder2 = new HexDumpEncoder();
                return messageFormat2.format(new Object[]{Utilities.indent(hexDumpEncoder2.encodeBuffer(this.f3701p), "      "), Utilities.indent(hexDumpEncoder2.encodeBuffer(this.g), "      "), Utilities.indent(hexDumpEncoder2.encodeBuffer(this.f3702y), "      "), this.signatureScheme.name, Utilities.indent(hexDumpEncoder2.encodeBuffer(this.paramsSignature), "      ")});
            }
            MessageFormat messageFormat3 = new MessageFormat("\"DH ServerKeyExchange\": '{'\n  \"parameters\": '{'\n    \"dh_p\": '{'\n{0}\n    '}',\n    \"dh_g\": '{'\n{1}\n    '}',\n    \"dh_Ys\": '{'\n{2}\n    '}',\n  '}',\n  \"signature\": '{'\n{3}\n  '}'\n'}'", Locale.ENGLISH);
            HexDumpEncoder hexDumpEncoder3 = new HexDumpEncoder();
            return messageFormat3.format(new Object[]{Utilities.indent(hexDumpEncoder3.encodeBuffer(this.f3701p), "      "), Utilities.indent(hexDumpEncoder3.encodeBuffer(this.g), "      "), Utilities.indent(hexDumpEncoder3.encodeBuffer(this.f3702y), "      "), Utilities.indent(hexDumpEncoder3.encodeBuffer(this.paramsSignature), "    ")});
        }
    }

    /* loaded from: classes.dex */
    public static final class DHServerKeyExchangeProducer implements HandshakeProducer {
        private DHServerKeyExchangeProducer() {
        }

        @Override // org.openjsse.sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) {
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) connectionContext;
            DHServerKeyExchangeMessage dHServerKeyExchangeMessage = new DHServerKeyExchangeMessage(serverHandshakeContext);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced DH ServerKeyExchange handshake message", dHServerKeyExchangeMessage);
            }
            dHServerKeyExchangeMessage.write(serverHandshakeContext.handshakeOutput);
            serverHandshakeContext.handshakeOutput.flush();
            return null;
        }
    }

    static {
        dhHandshakeConsumer = new DHServerKeyExchangeConsumer();
        dhHandshakeProducer = new DHServerKeyExchangeProducer();
    }
}
