package org.openjsse.sun.security.ssl;

import androidx.recyclerview.widget.RecyclerView;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.util.Iterator;
import java.util.List;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLHandshakeException;
import org.openjsse.sun.security.ssl.CipherSuite;
import org.openjsse.sun.security.ssl.SupportedGroupsExtension;
import org.openjsse.sun.security.ssl.X509Authentication;
import sun.security.action.GetPropertyAction;
import sun.security.util.KeyUtil;

/* loaded from: classes.dex */
final class DHKeyExchange {
    /** Key-agreement generator for ephemeral DH; assigned a {@code DHEKAGenerator} in the class static initializer. */
    public static final SSLKeyAgreementGenerator kaGenerator;
    /**
     * Possession generator created with {@code exportable == true}; its fallback path
     * in {@code createPossession} starts from a 512-bit key size.
     */
    public static final SSLPossessionGenerator poExportableGenerator;
    /** Possession generator created with {@code exportable == false}. */
    public static final SSLPossessionGenerator poGenerator;

    /* loaded from: classes.dex */
    /**
     * A DH public key paired with the named group it belongs to.
     *
     * <p>{@code DHEKAGenerator.createKeyDerivation} passes {@link #popPublicKey} on as the
     * peer public key of the key agreement.
     */
    public static final class DHECredentials implements SSLCredentials {
        public final SupportedGroupsExtension.NamedGroup namedGroup;
        public final DHPublicKey popPublicKey;

        /**
         * @param dHPublicKey the DH public key to hold
         * @param namedGroup  the group the key belongs to
         */
        public DHECredentials(DHPublicKey dHPublicKey, SupportedGroupsExtension.NamedGroup namedGroup) {
            this.popPublicKey = dHPublicKey;
            this.namedGroup = namedGroup;
        }

        /**
         * Decodes an encoded DH public value for the given FFDHE named group.
         *
         * @param namedGroup the negotiated group; must be of type {@code NAMED_GROUP_FFDHE}
         * @param bArr       the public value as an unsigned big-endian integer
         * @return the decoded credentials, or {@code null} when {@code bArr} is null or
         *         empty, or the group has no parameter spec
         * @throws RuntimeException if {@code namedGroup} is not an FFDHE group
         */
        public static DHECredentials valueOf(SupportedGroupsExtension.NamedGroup namedGroup, byte[] bArr) {
            if (namedGroup.type != SupportedGroupsExtension.NamedGroupType.NAMED_GROUP_FFDHE) {
                throw new RuntimeException("Credentials decoding:  Not FFDHE named group");
            }
            if (bArr == null || bArr.length == 0) {
                return null;
            }
            DHParameterSpec groupParams = (DHParameterSpec) namedGroup.getParameterSpec();
            if (groupParams == null) {
                return null;
            }
            // Signum 1 forces a non-negative interpretation of the encoded bytes.
            BigInteger publicValue = new BigInteger(1, bArr);
            // NOTE(review): no range check on the public value (1 < y < p - 1) is visible in
            // this method; confirm that the caller or the JCE provider validates it before
            // the key is used in a key agreement.
            DHPublicKeySpec keySpec = new DHPublicKeySpec(publicValue, groupParams.getP(), groupParams.getG());
            DHPublicKey decodedKey = (DHPublicKey) JsseJce.getKeyFactory("DiffieHellman").generatePublic(keySpec);
            return new DHECredentials(decodedKey, namedGroup);
        }
    }

    /* loaded from: classes.dex */
    /**
     * Builds the key derivation for an ephemeral DH exchange by pairing a local
     * {@code DHEPossession} with compatible {@code DHECredentials} from the handshake context.
     */
    public static final class DHEKAGenerator implements SSLKeyAgreementGenerator {
        private static DHEKAGenerator instance = new DHEKAGenerator();

        /**
         * Derives handshake secrets from a local DH private key and a peer DH public key,
         * using the TLS 1.2-style or TLS 1.3-style path depending on the negotiated protocol.
         */
        public static final class DHEKAKeyDerivation implements SSLKeyDerivation {
            private final HandshakeContext context;
            private final PrivateKey localPrivateKey;
            private final PublicKey peerPublicKey;

            /**
             * @param handshakeContext the handshake this derivation belongs to
             * @param privateKey       the local DH private key
             * @param publicKey        the peer DH public key
             */
            public DHEKAKeyDerivation(HandshakeContext handshakeContext, PrivateKey privateKey, PublicKey publicKey) {
                this.context = handshakeContext;
                this.localPrivateKey = privateKey;
                this.peerPublicKey = publicKey;
            }

            /** Runs the single-phase DH agreement and returns the resulting "TlsPremasterSecret" key. */
            private SecretKey agreeOnSharedSecret() throws GeneralSecurityException {
                KeyAgreement agreement = JsseJce.getKeyAgreement("DiffieHellman");
                agreement.init(this.localPrivateKey);
                agreement.doPhase(this.peerPublicKey, true);
                return agreement.generateSecret("TlsPremasterSecret");
            }

            /**
             * Pre-TLS 1.3 path: derives the "MasterSecret" from the DH shared secret.
             * The {@code str} argument is not used on this path.
             */
            private SecretKey t12DeriveKey(String str, AlgorithmParameterSpec algorithmParameterSpec) {
                try {
                    SecretKey preMasterSecret = agreeOnSharedSecret();
                    SSLMasterKeyDerivation masterDerivation = SSLMasterKeyDerivation.valueOf(this.context.negotiatedProtocol);
                    if (masterDerivation == null) {
                        throw new SSLHandshakeException("No expected master key derivation for protocol: " + this.context.negotiatedProtocol.name);
                    }
                    return masterDerivation.createKeyDerivation(this.context, preMasterSecret).deriveKey("MasterSecret", algorithmParameterSpec);
                } catch (GeneralSecurityException cause) {
                    throw ((SSLHandshakeException) new SSLHandshakeException("Could not generate secret").initCause(cause));
                }
            }

            /**
             * TLS 1.3 path: HKDF-extracts a key named {@code str} from the DH shared secret,
             * salted with the "TlsSaltSecret" derived from the current handshake key derivation.
             */
            private SecretKey t13DeriveKey(String str, AlgorithmParameterSpec algorithmParameterSpec) {
                try {
                    SecretKey sharedSecret = agreeOnSharedSecret();
                    CipherSuite.HashAlg hashAlg = this.context.negotiatedCipherSuite.hashAlg;
                    SSLKeyDerivation saltSource = this.context.handshakeKeyDerivation;
                    HKDF hkdf = new HKDF(hashAlg.name);
                    if (saltSource == null) {
                        // No handshake key derivation yet: build an early secret from an
                        // all-zero buffer of hash length, used both as salt and as key material.
                        byte[] zeros = new byte[hashAlg.hashLength];
                        SecretKeySpec zeroKey = new SecretKeySpec(zeros, "TlsPreSharedSecret");
                        SecretKey earlySecret = hkdf.extract(zeros, zeroKey, "TlsEarlySecret");
                        saltSource = new SSLSecretDerivation(this.context, earlySecret);
                    }
                    SecretKey salt = saltSource.deriveKey("TlsSaltSecret", null);
                    return hkdf.extract(salt, sharedSecret, str);
                } catch (GeneralSecurityException cause) {
                    throw ((SSLHandshakeException) new SSLHandshakeException("Could not generate secret").initCause(cause));
                }
            }

            /**
             * Dispatches to the TLS 1.3 derivation when the negotiated protocol uses the
             * TLS 1.3+ spec, and to the earlier derivation otherwise.
             */
            @Override
            public SecretKey deriveKey(String str, AlgorithmParameterSpec algorithmParameterSpec) {
                if (this.context.negotiatedProtocol.useTLS13PlusSpec()) {
                    return t13DeriveKey(str, algorithmParameterSpec);
                }
                return t12DeriveKey(str, algorithmParameterSpec);
            }
        }

        private DHEKAGenerator() {
        }

        /**
         * Returns the first DHE credentials in the context that are compatible with the
         * given possession, or {@code null} when none are.
         *
         * <p>When both sides carry a named group the groups must be equal; otherwise the
         * raw DH parameters (p and g) of the two public keys must be equal.
         */
        private static DHECredentials findCompatibleCredentials(DHEPossession possession, HandshakeContext handshakeContext) {
            for (SSLCredentials credentials : handshakeContext.handshakeCredentials) {
                if (!(credentials instanceof DHECredentials)) {
                    continue;
                }
                DHECredentials candidate = (DHECredentials) credentials;
                SupportedGroupsExtension.NamedGroup localGroup = possession.namedGroup;
                SupportedGroupsExtension.NamedGroup peerGroup = candidate.namedGroup;
                if (localGroup != null && peerGroup != null) {
                    if (localGroup.equals(peerGroup)) {
                        return candidate;
                    }
                } else {
                    DHParameterSpec localParams = possession.publicKey.getParams();
                    DHParameterSpec peerParams = candidate.popPublicKey.getParams();
                    boolean sameModulus = localParams.getP().equals(peerParams.getP());
                    if (sameModulus && localParams.getG().equals(peerParams.getG())) {
                        return candidate;
                    }
                }
            }
            return null;
        }

        /**
         * Selects the first local DHE possession that has compatible peer credentials and
         * wraps the pair in a {@code DHEKAKeyDerivation}.
         *
         * <p>When no compatible pair exists, the exception returned by
         * {@code conContext.fatal(Alert.HANDSHAKE_FAILURE, ...)} is thrown.
         */
        @Override
        public SSLKeyDerivation createKeyDerivation(HandshakeContext handshakeContext) {
            DHEPossession chosenPossession = null;
            DHECredentials chosenCredentials = null;
            for (SSLPossession possession : handshakeContext.handshakePossessions) {
                if (!(possession instanceof DHEPossession)) {
                    continue;
                }
                DHEPossession candidate = (DHEPossession) possession;
                chosenCredentials = findCompatibleCredentials(candidate, handshakeContext);
                if (chosenCredentials != null) {
                    chosenPossession = candidate;
                    break;
                }
            }
            if (chosenPossession == null || chosenCredentials == null) {
                throw handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "No sufficient DHE key agreement parameters negotiated");
            }
            return new DHEKAKeyDerivation(handshakeContext, chosenPossession.privateKey, chosenCredentials.popPublicKey);
        }
    }

    /* loaded from: classes.dex */
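    /**
     * A locally generated ephemeral DH key pair, together with the named group it
     * belongs to (when one is known).
     */
    public static final class DHEPossession implements SSLPossession {
        public final SupportedGroupsExtension.NamedGroup namedGroup;
        public final PrivateKey privateKey;
        public final DHPublicKey publicKey;

        /**
         * Generates a key pair for the given key size, using the predefined parameters for
         * that size when {@code PredefinedDHParameterSpecs.definedParams} has an entry.
         *
         * @param i5           the DH key size in bits
         * @param secureRandom the randomness source for key generation
         * @throws RuntimeException if key generation fails
         */
        public DHEPossession(int i5, SecureRandom secureRandom) {
            DHParameterSpec predefinedParams = PredefinedDHParameterSpecs.definedParams.get(Integer.valueOf(i5));
            try {
                KeyPairGenerator generator = JsseJce.getKeyPairGenerator("DiffieHellman");
                if (predefinedParams != null) {
                    generator.initialize(predefinedParams, secureRandom);
                } else {
                    generator.initialize(i5, secureRandom);
                }
                KeyPair keyPair = generateDHKeyPair(generator);
                if (keyPair == null) {
                    throw new RuntimeException("Could not generate DH keypair of " + i5 + " bits");
                }
                DHPublicKey generatedPublic = (DHPublicKey) keyPair.getPublic();
                this.privateKey = keyPair.getPrivate();
                this.publicKey = generatedPublic;
                this.namedGroup = SupportedGroupsExtension.NamedGroup.valueOf(generatedPublic.getParams());
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Could not generate DH keypair", e);
            }
        }

        /**
         * Generates a key pair over the same DH parameters as the given credentials.
         *
         * @param dHECredentials credentials whose public-key parameters and named group are reused
         * @param secureRandom   the randomness source for key generation
         * @throws RuntimeException if key generation fails
         */
        public DHEPossession(DHECredentials dHECredentials, SecureRandom secureRandom) {
            try {
                KeyPairGenerator generator = JsseJce.getKeyPairGenerator("DiffieHellman");
                generator.initialize(dHECredentials.popPublicKey.getParams(), secureRandom);
                KeyPair keyPair = generateDHKeyPair(generator);
                if (keyPair == null) {
                    throw new RuntimeException("Could not generate DH keypair");
                }
                this.privateKey = keyPair.getPrivate();
                this.publicKey = (DHPublicKey) keyPair.getPublic();
                this.namedGroup = dHECredentials.namedGroup;
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Could not generate DH keypair", e);
            }
        }

        /**
         * Generates a key pair over the parameters of the given named group.
         *
         * @param namedGroup   the group supplying the DH parameter spec
         * @param secureRandom the randomness source for key generation
         * @throws RuntimeException if key generation fails
         */
        public DHEPossession(SupportedGroupsExtension.NamedGroup namedGroup, SecureRandom secureRandom) {
            try {
                KeyPairGenerator generator = JsseJce.getKeyPairGenerator("DiffieHellman");
                generator.initialize((DHParameterSpec) namedGroup.getParameterSpec(), secureRandom);
                KeyPair keyPair = generateDHKeyPair(generator);
                if (keyPair == null) {
                    throw new RuntimeException("Could not generate DH keypair");
                }
                this.privateKey = keyPair.getPrivate();
                this.publicKey = (DHPublicKey) keyPair.getPublic();
                this.namedGroup = namedGroup;
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Could not generate DH keypair", e);
            }
        }

        /**
         * Generates a DH key pair and, for providers that {@code KeyUtil.isOracleJCEProvider}
         * does not recognise, validates the public key before returning it.
         *
         * <p>A pair whose public key fails validation is discarded and generation is retried
         * once; a second failure is rethrown. An unvalidated pair is never handed back.
         *
         * @param keyPairGenerator an initialised DH key pair generator
         * @return the generated pair, or {@code null} if the attempt budget is exhausted
         * @throws GeneralSecurityException if validation fails on the retry
         */
        private KeyPair generateDHKeyPair(KeyPairGenerator keyPairGenerator) throws GeneralSecurityException {
            // NOTE(review): validation is skipped for Oracle JCE providers, presumably because
            // they validate generated keys themselves — confirm.
            boolean validateLocally = !KeyUtil.isOracleJCEProvider(keyPairGenerator.getProvider().getName());
            boolean alreadyRetried = false;
            for (int attempt = 0; attempt <= 2; attempt++) {
                KeyPair candidate = keyPairGenerator.generateKeyPair();
                if (validateLocally) {
                    try {
                        KeyUtil.validate(getDHPublicKeySpec(candidate.getPublic()));
                    } catch (InvalidKeyException e) {
                        if (alreadyRetried) {
                            throw e;
                        }
                        alreadyRetried = true;
                        // Drop the rejected pair and generate a fresh one instead of
                        // falling through to the return below.
                        continue;
                    }
                }
                return candidate;
            }
            return null;
        }

        /**
         * Converts a public key to a {@code DHPublicKeySpec}, directly for {@code DHPublicKey}
         * instances and through the "DiffieHellman" key factory otherwise.
         *
         * @throws RuntimeException if the key factory cannot produce the spec
         */
        private static DHPublicKeySpec getDHPublicKeySpec(PublicKey publicKey) {
            if (publicKey instanceof DHPublicKey) {
                DHPublicKey dhKey = (DHPublicKey) publicKey;
                DHParameterSpec params = dhKey.getParams();
                return new DHPublicKeySpec(dhKey.getY(), params.getP(), params.getG());
            }
            try {
                return (DHPublicKeySpec) JsseJce.getKeyFactory("DiffieHellman").getKeySpec(publicKey, DHPublicKeySpec.class);
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new RuntimeException("Unable to get DHPublicKeySpec", e);
            }
        }

        /**
         * Encodes the public value Y, left-padded with zero bytes to the byte length of
         * the key size when the raw encoding is shorter.
         */
        @Override
        public byte[] encode() {
            byte[] rawY = Utilities.toByteArray(this.publicKey.getY());
            // Key size in bits rounded up to whole bytes.
            int encodedLength = (KeyUtil.getKeySize(this.publicKey) + 7) >>> 3;
            if (encodedLength <= 0 || rawY.length >= encodedLength) {
                return rawY;
            }
            byte[] padded = new byte[encodedLength];
            System.arraycopy(rawY, 0, padded, encodedLength - rawY.length, rawY.length);
            return padded;
        }
    }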

    /* loaded from: classes.dex */
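    /**
     * Creates ephemeral DH possessions, choosing the group or key size from the client's
     * requested named groups and the {@code jdk.tls.ephemeralDHKeySize} system property.
     *
     * <p>Key sizes used on the fallback path: 512 bits for exportable suites, 768 bits in
     * "legacy" mode, 1024 bits by default. All three are below current recommendations
     * for finite-field DH; deployments that reach the fallback path should set
     * {@code jdk.tls.ephemeralDHKeySize} to "matched" or to a size of at least 2048.
     */
    public static final class DHEPossessionGenerator implements SSLPossessionGenerator {
        private static final int customizedDHKeySize;
        private static final boolean useLegacyEphemeralDHKeys;
        private static final boolean useSmartEphemeralDHKeys;
        private final boolean exportable;

        // Reads jdk.tls.ephemeralDHKeySize once. The four cases are mutually exclusive:
        //   unset or empty -> defaults (no legacy, no smart, no custom size)
        //   "matched"      -> size follows the authentication key ("smart" mode)
        //   "legacy"       -> legacy sizes
        //   anything else  -> a custom size: multiple of 64 within [1024, 8192]
        static {
            String configured = GetPropertyAction.privilegedGetProperty("jdk.tls.ephemeralDHKeySize");
            if (configured == null || configured.length() == 0) {
                useLegacyEphemeralDHKeys = false;
                useSmartEphemeralDHKeys = false;
                customizedDHKeySize = -1;
            } else if ("matched".equals(configured)) {
                useLegacyEphemeralDHKeys = false;
                useSmartEphemeralDHKeys = true;
                customizedDHKeySize = -1;
            } else if ("legacy".equals(configured)) {
                useLegacyEphemeralDHKeys = true;
                useSmartEphemeralDHKeys = false;
                customizedDHKeySize = -1;
            } else {
                useLegacyEphemeralDHKeys = false;
                useSmartEphemeralDHKeys = false;
                int requestedSize;
                try {
                    // NOTE(review): c.a is an obfuscated helper defined outside this file; it
                    // appears to parse the property as an integer (NumberFormatException is
                    // handled here) — confirm.
                    requestedSize = c.a(configured);
                } catch (NumberFormatException unused) {
                    throw new IllegalArgumentException("Invalid system property jdk.tls.ephemeralDHKeySize");
                }
                if (requestedSize < 1024 || requestedSize > 8192 || (requestedSize & 63) != 0) {
                    throw new IllegalArgumentException("Unsupported customized DH key size: " + requestedSize + ". The key size must be multiple of 64, and range from 1024 to 8192 (inclusive)");
                }
                customizedDHKeySize = requestedSize;
            }
        }

        /** @param z5 whether this generator serves exportable cipher suites */
        private DHEPossessionGenerator(boolean z5) {
            this.exportable = z5;
        }

        /**
         * Creates a DHE possession for the handshake.
         *
         * <p>Unless legacy mode is on, a preferred FFDHE named group from the client's
         * requested groups is used when one is available. Otherwise a key size is chosen:
         * 512 for exportable generators, 768 in legacy mode, 1024 or 2048 in "matched" mode
         * depending on whether the X.509 private key is larger than 1024 bits, else the
         * customized size when set, else 1024.
         */
        @Override
        public SSLPossession createPossession(HandshakeContext handshakeContext) {
            if (!useLegacyEphemeralDHKeys) {
                List<SupportedGroupsExtension.NamedGroup> requested = handshakeContext.clientRequestedNamedGroups;
                if (requested != null && !requested.isEmpty()) {
                    SupportedGroupsExtension.NamedGroup preferredGroup = SupportedGroupsExtension.SupportedGroups.getPreferredGroup(handshakeContext.negotiatedProtocol, handshakeContext.algorithmConstraints, SupportedGroupsExtension.NamedGroupType.NAMED_GROUP_FFDHE, handshakeContext.clientRequestedNamedGroups);
                    if (preferredGroup != null) {
                        return new DHEPossession(preferredGroup, handshakeContext.sslContext.getSecureRandom());
                    }
                }
            }
            // Export-grade (512-bit) and legacy (768-bit) sizes are kept for compatibility
            // only; they offer far less than the strength expected of a modern key exchange.
            int keySize = this.exportable ? 512 : 1024;
            if (!this.exportable) {
                if (useLegacyEphemeralDHKeys) {
                    keySize = 768;
                } else if (useSmartEphemeralDHKeys) {
                    SSLPossession authn = ((ServerHandshakeContext) handshakeContext).interimAuthn;
                    PrivateKey authKey = null;
                    if (authn instanceof X509Authentication.X509Possession) {
                        authKey = ((X509Authentication.X509Possession) authn).popPrivateKey;
                    }
                    if (authKey != null) {
                        // Plain literal instead of RecyclerView.a0.FLAG_MOVED: the value is
                        // the same 2048, without tying TLS code to an Android UI class.
                        keySize = KeyUtil.getKeySize(authKey) > 1024 ? 2048 : 1024;
                    }
                } else if (customizedDHKeySize > 0) {
                    keySize = customizedDHKeySize;
                }
            }
            return new DHEPossession(keySize, handshakeContext.sslContext.getSecureRandom());
        }
    }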

    // Creates the shared generator singletons. The two possession generators differ only
    // in the exportable flag passed to the constructor.
    static {
        poGenerator = new DHEPossessionGenerator(false);
        poExportableGenerator = new DHEPossessionGenerator(true);
        // A fresh instance is created here; DHEKAGenerator.instance is not referenced.
        kaGenerator = new DHEKAGenerator();
    }
}
