package org.openjsse.sun.security.ssl;

import androidx.fragment.app.E0;
import g.k;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.text.MessageFormat;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import org.openjsse.sun.security.ssl.ECDHKeyExchange;
import org.openjsse.sun.security.ssl.SSLHandshake;
import org.openjsse.sun.security.ssl.SupportedGroupsExtension;
import org.openjsse.sun.security.ssl.X509Authentication;
import org.openjsse.sun.security.util.HexDumpEncoder;
import v6.e;

/* loaded from: classes2.dex */
final class ECDHServerKeyExchange {
    static final SSLConsumer ecdheHandshakeConsumer;
    static final HandshakeProducer ecdheHandshakeProducer;

    /* loaded from: classes2.dex */
    public static final class ECDHServerKeyExchangeConsumer implements SSLConsumer {
        private ECDHServerKeyExchangeConsumer() {
        }

        @Override // org.openjsse.sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) {
            ClientHandshakeContext clientHandshakeContext = (ClientHandshakeContext) connectionContext;
            ECDHServerKeyExchangeMessage eCDHServerKeyExchangeMessage = new ECDHServerKeyExchangeMessage(clientHandshakeContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming ECDH ServerKeyExchange handshake message", eCDHServerKeyExchangeMessage);
            }
            AlgorithmConstraints algorithmConstraints = clientHandshakeContext.algorithmConstraints;
            if (algorithmConstraints != null && !algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), eCDHServerKeyExchangeMessage.publicKey)) {
                throw clientHandshakeContext.conContext.fatal(Alert.INSUFFICIENT_SECURITY, "ECDH ServerKeyExchange does not comply to algorithm constraints");
            }
            clientHandshakeContext.handshakeCredentials.add(new ECDHKeyExchange.ECDHECredentials(eCDHServerKeyExchangeMessage.publicKey, eCDHServerKeyExchangeMessage.namedGroup));
        }
    }

    /* loaded from: classes2.dex */
    public static final class ECDHServerKeyExchangeMessage extends SSLHandshake.HandshakeMessage {
        private static final byte CURVE_NAMED_CURVE = 3;
        private final SupportedGroupsExtension.NamedGroup namedGroup;
        private final byte[] paramsSignature;
        private final ECPublicKey publicKey;
        private final byte[] publicPoint;
        private final SignatureScheme signatureScheme;
        private final boolean useExplicitSigAlgorithm;

        public ECDHServerKeyExchangeMessage(HandshakeContext handshakeContext) {
            super(handshakeContext);
            Signature signature;
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) handshakeContext;
            X509Authentication.X509Possession x509Possession = null;
            ECDHKeyExchange.ECDHEPossession eCDHEPossession = null;
            for (SSLPossession sSLPossession : serverHandshakeContext.handshakePossessions) {
                if (sSLPossession instanceof ECDHKeyExchange.ECDHEPossession) {
                    eCDHEPossession = (ECDHKeyExchange.ECDHEPossession) sSLPossession;
                    if (x509Possession != null) {
                        break;
                    }
                } else if (sSLPossession instanceof X509Authentication.X509Possession) {
                    x509Possession = (X509Authentication.X509Possession) sSLPossession;
                    if (eCDHEPossession != null) {
                        break;
                    }
                } else {
                    continue;
                }
            }
            if (eCDHEPossession == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No ECDHE credentials negotiated for server key exchange");
            }
            ECPublicKey eCPublicKey = eCDHEPossession.publicKey;
            this.publicKey = eCPublicKey;
            ECParameterSpec params = eCPublicKey.getParams();
            byte[] encodePoint = JsseJce.encodePoint(eCPublicKey.getW(), params.getCurve());
            this.publicPoint = encodePoint;
            SupportedGroupsExtension.NamedGroup valueOf = SupportedGroupsExtension.NamedGroup.valueOf(params);
            this.namedGroup = valueOf;
            if (valueOf == null || valueOf.oid == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unnamed EC parameter spec: " + params);
            }
            if (x509Possession == null) {
                this.paramsSignature = null;
                this.signatureScheme = null;
                this.useExplicitSigAlgorithm = false;
                return;
            }
            boolean useTLS12PlusSpec = serverHandshakeContext.negotiatedProtocol.useTLS12PlusSpec();
            this.useExplicitSigAlgorithm = useTLS12PlusSpec;
            if (useTLS12PlusSpec) {
                Map.Entry<SignatureScheme, Signature> signerOfPreferableAlgorithm = SignatureScheme.getSignerOfPreferableAlgorithm(serverHandshakeContext.peerRequestedSignatureSchemes, x509Possession, serverHandshakeContext.negotiatedProtocol);
                if (signerOfPreferableAlgorithm == null) {
                    throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "No supported signature algorithm for " + x509Possession.popPrivateKey.getAlgorithm() + "  key");
                }
                this.signatureScheme = signerOfPreferableAlgorithm.getKey();
                signature = signerOfPreferableAlgorithm.getValue();
            } else {
                this.signatureScheme = null;
                try {
                    signature = getSignature(x509Possession.popPrivateKey.getAlgorithm(), x509Possession.popPrivateKey);
                } catch (InvalidKeyException | NoSuchAlgorithmException e9) {
                    throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + x509Possession.popPrivateKey.getAlgorithm(), e9);
                }
            }
            try {
                updateSignature(signature, serverHandshakeContext.clientHelloRandom.randomBytes, serverHandshakeContext.serverHelloRandom.randomBytes, valueOf.id, encodePoint);
                this.paramsSignature = signature.sign();
            } catch (SignatureException e10) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Failed to sign ecdhe parameters: " + x509Possession.popPrivateKey.getAlgorithm(), e10);
            }
        }

        public ECDHServerKeyExchangeMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) {
            super(handshakeContext);
            X509Authentication.X509Credentials x509Credentials;
            Signature verifier;
            ClientHandshakeContext clientHandshakeContext = (ClientHandshakeContext) handshakeContext;
            byte int8 = (byte) Record.getInt8(byteBuffer);
            if (int8 != 3) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, k.h("Unsupported ECCurveType: ", int8));
            }
            int int16 = Record.getInt16(byteBuffer);
            SupportedGroupsExtension.NamedGroup valueOf = SupportedGroupsExtension.NamedGroup.valueOf(int16);
            this.namedGroup = valueOf;
            if (valueOf == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, k.h("Unknown named group ID: ", int16));
            }
            if (!SupportedGroupsExtension.SupportedGroups.isSupported(valueOf)) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unsupported named group: " + valueOf);
            }
            String str = valueOf.oid;
            if (str == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Unknown named EC curve: " + valueOf);
            }
            ECParameterSpec eCParameterSpec = JsseJce.getECParameterSpec(str);
            if (eCParameterSpec == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "No supported EC parameter: " + valueOf);
            }
            byte[] bytes8 = Record.getBytes8(byteBuffer);
            this.publicPoint = bytes8;
            if (bytes8.length == 0) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Insufficient ECPoint data: " + valueOf);
            }
            try {
                this.publicKey = (ECPublicKey) JsseJce.getKeyFactory("EC").generatePublic(new ECPublicKeySpec(JsseJce.decodePoint(bytes8, eCParameterSpec.getCurve()), eCParameterSpec));
                Iterator<SSLCredentials> it = clientHandshakeContext.handshakeCredentials.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        x509Credentials = null;
                        break;
                    }
                    SSLCredentials next = it.next();
                    if (next instanceof X509Authentication.X509Credentials) {
                        x509Credentials = (X509Authentication.X509Credentials) next;
                        break;
                    }
                }
                if (x509Credentials == null) {
                    if (byteBuffer.hasRemaining()) {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid DH ServerKeyExchange: unknown extra data");
                    }
                    this.signatureScheme = null;
                    this.paramsSignature = null;
                    this.useExplicitSigAlgorithm = false;
                    return;
                }
                boolean useTLS12PlusSpec = clientHandshakeContext.negotiatedProtocol.useTLS12PlusSpec();
                this.useExplicitSigAlgorithm = useTLS12PlusSpec;
                if (useTLS12PlusSpec) {
                    int int162 = Record.getInt16(byteBuffer);
                    SignatureScheme valueOf2 = SignatureScheme.valueOf(int162);
                    this.signatureScheme = valueOf2;
                    if (valueOf2 == null) {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, E0.h("Invalid signature algorithm (", int162, ") used in ECDH ServerKeyExchange handshake message"));
                    }
                    if (!clientHandshakeContext.localSupportedSignAlgs.contains(valueOf2)) {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, e.i(new StringBuilder("Unsupported signature algorithm ("), valueOf2.name, ") used in ECDH ServerKeyExchange handshake message"));
                    }
                } else {
                    this.signatureScheme = null;
                }
                byte[] bytes16 = Record.getBytes16(byteBuffer);
                this.paramsSignature = bytes16;
                if (useTLS12PlusSpec) {
                    try {
                        verifier = this.signatureScheme.getVerifier(x509Credentials.popPublicKey);
                    } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException e9) {
                        throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + this.signatureScheme.name, e9);
                    }
                } else {
                    try {
                        verifier = getSignature(x509Credentials.popPublicKey.getAlgorithm(), x509Credentials.popPublicKey);
                    } catch (InvalidKeyException | NoSuchAlgorithmException e10) {
                        throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Unsupported signature algorithm: " + x509Credentials.popPublicKey.getAlgorithm(), e10);
                    }
                }
                try {
                    updateSignature(verifier, clientHandshakeContext.clientHelloRandom.randomBytes, clientHandshakeContext.serverHelloRandom.randomBytes, this.namedGroup.id, this.publicPoint);
                    if (verifier.verify(bytes16)) {
                    } else {
                        throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Invalid ECDH ServerKeyExchange signature");
                    }
                } catch (SignatureException e11) {
                    throw clientHandshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Cannot verify ECDH ServerKeyExchange signature", e11);
                }
            } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e12) {
                throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Invalid ECPoint: " + this.namedGroup, e12);
            }
        }

        private static Signature getSignature(String str, Key key) {
            Signature signature;
            str.getClass();
            if (str.equals("EC")) {
                signature = JsseJce.getSignature("SHA1withECDSA");
            } else {
                if (!str.equals("RSA")) {
                    throw new NoSuchAlgorithmException("neither an RSA or a EC key : ".concat(str));
                }
                signature = RSASignature.getInstance();
            }
            if (signature != null) {
                if (key instanceof PublicKey) {
                    signature.initVerify((PublicKey) key);
                } else {
                    signature.initSign((PrivateKey) key);
                }
            }
            return signature;
        }

        private static void updateSignature(Signature signature, byte[] bArr, byte[] bArr2, int i8, byte[] bArr3) {
            signature.update(bArr);
            signature.update(bArr2);
            signature.update(CURVE_NAMED_CURVE);
            signature.update((byte) ((i8 >> 8) & 255));
            signature.update((byte) (i8 & 255));
            signature.update((byte) bArr3.length);
            signature.update(bArr3);
        }

        @Override // org.openjsse.sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.SERVER_KEY_EXCHANGE;
        }

        @Override // org.openjsse.sun.security.ssl.SSLHandshake.HandshakeMessage
        public int messageLength() {
            int i8;
            byte[] bArr = this.paramsSignature;
            if (bArr != null) {
                i8 = bArr.length + 2;
                if (this.useExplicitSigAlgorithm) {
                    i8 += SignatureScheme.sizeInRecord();
                }
            } else {
                i8 = 0;
            }
            return this.publicPoint.length + 4 + i8;
        }

        @Override // org.openjsse.sun.security.ssl.SSLHandshake.HandshakeMessage
        public void send(HandshakeOutStream handshakeOutStream) {
            handshakeOutStream.putInt8(3);
            handshakeOutStream.putInt16(this.namedGroup.id);
            handshakeOutStream.putBytes8(this.publicPoint);
            if (this.paramsSignature != null) {
                if (this.useExplicitSigAlgorithm) {
                    handshakeOutStream.putInt16(this.signatureScheme.id);
                }
                handshakeOutStream.putBytes16(this.paramsSignature);
            }
        }

        public String toString() {
            if (this.useExplicitSigAlgorithm) {
                MessageFormat messageFormat = new MessageFormat("\"ECDH ServerKeyExchange\": '{'\n  \"parameters\": '{'\n    \"named group\": \"{0}\"\n    \"ecdh public\": '{'\n{1}\n    '}',\n  '}',\n  \"digital signature\":  '{'\n    \"signature algorithm\": \"{2}\"\n    \"signature\": '{'\n{3}\n    '}',\n  '}'\n'}'", Locale.ENGLISH);
                HexDumpEncoder hexDumpEncoder = new HexDumpEncoder();
                return messageFormat.format(new Object[]{this.namedGroup.name, Utilities.indent(hexDumpEncoder.encodeBuffer(this.publicPoint), "      "), this.signatureScheme.name, Utilities.indent(hexDumpEncoder.encodeBuffer(this.paramsSignature), "      ")});
            }
            if (this.paramsSignature != null) {
                MessageFormat messageFormat2 = new MessageFormat("\"ECDH ServerKeyExchange\": '{'\n  \"parameters\":  '{'\n    \"named group\": \"{0}\"\n    \"ecdh public\": '{'\n{1}\n    '}',\n  '}',\n  \"signature\": '{'\n{2}\n  '}'\n'}'", Locale.ENGLISH);
                HexDumpEncoder hexDumpEncoder2 = new HexDumpEncoder();
                return messageFormat2.format(new Object[]{this.namedGroup.name, Utilities.indent(hexDumpEncoder2.encodeBuffer(this.publicPoint), "      "), Utilities.indent(hexDumpEncoder2.encodeBuffer(this.paramsSignature), "    ")});
            }
            return new MessageFormat("\"ECDH ServerKeyExchange\": '{'\n  \"parameters\":  '{'\n    \"named group\": \"{0}\"\n    \"ecdh public\": '{'\n{1}\n    '}',\n  '}'\n'}'", Locale.ENGLISH).format(new Object[]{this.namedGroup.name, Utilities.indent(new HexDumpEncoder().encodeBuffer(this.publicPoint), "      ")});
        }
    }

    /* loaded from: classes2.dex */
    public static final class ECDHServerKeyExchangeProducer implements HandshakeProducer {
        private ECDHServerKeyExchangeProducer() {
        }

        @Override // org.openjsse.sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) {
            ServerHandshakeContext serverHandshakeContext = (ServerHandshakeContext) connectionContext;
            ECDHServerKeyExchangeMessage eCDHServerKeyExchangeMessage = new ECDHServerKeyExchangeMessage(serverHandshakeContext);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced ECDH ServerKeyExchange handshake message", eCDHServerKeyExchangeMessage);
            }
            eCDHServerKeyExchangeMessage.write(serverHandshakeContext.handshakeOutput);
            serverHandshakeContext.handshakeOutput.flush();
            return null;
        }
    }

    static {
        ecdheHandshakeConsumer = new ECDHServerKeyExchangeConsumer();
        ecdheHandshakeProducer = new ECDHServerKeyExchangeProducer();
    }
}
