package O4;

import S4.k;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.SshException;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.digest.Digest;
import org.apache.sshd.common.kex.AbstractDH;
import org.apache.sshd.common.kex.DHFactory;
import org.apache.sshd.common.kex.KexProposalOption;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.session.Session;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.ValidateUtils;
import org.apache.sshd.common.util.buffer.Buffer;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import org.apache.sshd.common.util.net.SshdSocketAddress;
import p5.AbstractC1502d;

/* loaded from: classes.dex */
/**
 * Client side of a Diffie-Hellman SSH key exchange: {@link #q0} sends SSH_MSG_KEXDH_INIT
 * (packet type 30) and {@link #t1} processes SSH_MSG_KEXDH_REPLY (packet type 31), verifying
 * the server's signature over the exchange hash.
 *
 * <p>This is JADX decompiler output with obfuscated identifiers; the packet names are taken
 * from the log and error strings in the code. NOTE(review): the structure looks like the DH
 * client key exchange of Apache MINA SSHD. Confirm against upstream before relying on the
 * hedged member-name guesses in the comments below.
 *
 * <p>Security-relevant points for a reviewer:
 * <ul>
 *   <li>{@link #R6} checks a host certificate against the key carried inside that same
 *       certificate. Nothing in this class compares that key with a trusted CA list, so the
 *       trust decision has to be made by whatever consumes the key passed to
 *       {@code da(...)} in {@link #t1}. That code is not visible here.</li>
 *   <li>{@link #t1} can downgrade a certificate that failed validation to its plain embedded
 *       key instead of aborting, depending on a session setting.</li>
 * </ul>
 */
public class b extends O4.a {

    /* renamed from: T, reason: collision with root package name */
    /** Factory that names this key exchange and creates its DH instance; null is rejected in the constructor. */
    protected final DHFactory f3750T;

    /* renamed from: U, reason: collision with root package name */
    /** DH state of the current exchange; assigned in {@link #q0} and read in {@link #t1}. */
    protected AbstractDH f3751U;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    /**
     * {@link KeyExchangeFactory} that wraps a {@link DHFactory} and produces {@link b}
     * instances for a session. Returned by {@link b#Q6(DHFactory)}.
     */
    public static class a implements KeyExchangeFactory {

        /* renamed from: F, reason: collision with root package name */
        /** Wrapped DH factory; supplies the name and is handed to every created key exchange. */
        final /* synthetic */ DHFactory f3752F;

        /**
         * Stores the factory as given. There is no null check here, so a null factory only
         * surfaces later, in {@link #getName()} or in the {@link b} constructor.
         */
        a(DHFactory dHFactory) {
            this.f3752F = dHFactory;
        }

        /** @return the name reported by the wrapped DH factory */
        @Override // org.apache.sshd.common.NamedResource
        public String getName() {
            return this.f3752F.getName();
        }

        /**
         * Creates a new key exchange bound to the given session.
         *
         * @param session session the key exchange will run on
         * @return a new {@link b} using the wrapped DH factory
         */
        @Override // org.apache.sshd.common.kex.KeyExchangeFactory
        public KeyExchange p3(Session session) {
            return new b(this.f3752F, session);
        }

        /** @return a diagnostic string of the form {@code NamedFactory<KeyExchange>[name]} */
        public String toString() {
            return NamedFactory.class.getSimpleName() + "<" + KeyExchange.class.getSimpleName() + ">[" + getName() + "]";
        }
    }

    /**
     * @param dHFactory factory for the DH implementation; must not be null
     * @param session   session passed to the superclass constructor
     * @throws NullPointerException if {@code dHFactory} is null
     */
    protected b(DHFactory dHFactory, Session session) {
        super(session);
        Objects.requireNonNull(dHFactory, "No factory");
        this.f3750T = dHFactory;
    }

    /**
     * Wraps a DH factory into a {@link KeyExchangeFactory}.
     *
     * @param dHFactory DH factory to wrap (not null-checked at this point)
     * @return a factory creating {@link b} key exchanges
     */
    public static KeyExchangeFactory Q6(DHFactory dHFactory) {
        return new a(dHFactory);
    }

    /**
     * Creates the DH instance for one exchange by calling the factory with an empty
     * argument array.
     *
     * @return a new {@link AbstractDH}
     */
    protected AbstractDH P6() {
        return this.f3750T.e2(new Object[0]);
    }

    /**
     * Validates a host certificate presented by the server during key exchange. Returns
     * normally when every check passes and throws {@link SshException} on the first failure.
     *
     * <p>Checks, in order: signature algorithm, certificate signature, certificate type,
     * validity window, principal matches the connect host, and no critical options.
     *
     * <p>Limitation: the signature is verified with the key obtained from the certificate
     * itself ({@code B()}), so success shows only that the certificate is internally
     * consistent. This method does not decide whether that signing key is trusted.
     *
     * <p>NOTE(review): the first constructor argument {@code 3} of {@link SshException} is
     * presumably the SSH disconnect reason code for "key exchange failed" (RFC 4253 §11.1).
     * Confirm against the SshException source.
     *
     * <p>NOTE(review): key ID, signature algorithm and principals in the exception and log
     * text are taken from the peer-supplied certificate; treat them as untrusted when the
     * messages reach logs or a UI.
     *
     * @param session            session used to look up signature factories and passed to the verifier
     * @param openSshCertificate certificate to validate
     * @throws SshException if any check fails (declared only in this comment; the decompiler dropped throws clauses)
     */
    protected void R6(Session session, OpenSshCertificate openSshCertificate) {
        // B6 is the key the certificate signature is verified with below; presumably the CA public key.
        PublicKey B6 = openSshCertificate.B();
        // x7 is only used in the debug message; presumably the key type of B6.
        String x7 = KeyUtils.x(B6);
        // e7 is reported as "key ID" in every message.
        String e7 = openSshCertificate.e();
        // a02 is reported as the certificate's signature algorithm.
        String a02 = openSshCertificate.a0();
        // Only algorithms that KeyUtils.o(...) maps to "ssh-rsa" are accepted; presumably
        // GenericUtils.o is an "is empty" test and KeyUtils.o a canonical-type lookup (TODO confirm).
        // Consequence: certificates signed with a non-RSA algorithm are rejected here.
        if (GenericUtils.o(a02) || !"ssh-rsa".equals(KeyUtils.o(a02))) {
            throw new SshException(3, "Found invalid signature alg " + a02 + " for key ID=" + e7);
        }
        if (this.f20148F.j()) {
            this.f20148F.f("verifyCertificate({})[id={}] Allowing to use variant {} instead of {}", session, e7, a02, x7);
        }
        // Look up a verifier for a02 among the session's signature factories; a missing one is an error.
        Signature signature = (Signature) ValidateUtils.g(k.a(session.w1(), a02), "No KeyExchange CA verifier located for algorithm=%s of key ID=%s", a02, e7);
        // Initialise with the certificate-supplied key, feed the data from t(), then check the
        // certificate's signature. presumably t() is the signed portion of the certificate.
        signature.Y4(session, B6);
        signature.i3(session, openSshCertificate.t());
        if (!signature.N0(session, openSshCertificate.getSignature())) {
            throw new SshException(3, "KeyExchange CA signature verification failed for key type=" + a02 + " of key ID=" + e7);
        }
        // Type 2 is the only accepted certificate type; the message calls it "host key (2)".
        if (openSshCertificate.getType() != 2) {
            throw new SshException(3, "KeyExchange signature verification failed, not a host key (2) " + openSshCertificate.getType() + " for key ID=" + e7);
        }
        // Validity window in whole seconds of the local clock: m() <= now < O().
        // The same "CA expired" message is used for a certificate that is not yet valid.
        // NOTE(review): the comparison is signed. If O() can return a raw unsigned 64-bit
        // "no expiry" value it would read as negative and the certificate would be rejected;
        // confirm how m()/O() decode the fields.
        long seconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        if (openSshCertificate.m() > seconds || seconds >= openSshCertificate.O()) {
            throw new SshException(3, "KeyExchange signature verification failed, CA expired " + openSshCertificate.V() + " - " + openSshCertificate.v() + " for key ID=" + e7);
        }
        // Determine the host this client connected to. The address comes from O6(), not from
        // the session parameter; the visible caller passes O6() as session.
        SocketAddress O42 = O6().O4();
        if (O42 instanceof SshdSocketAddress) {
            O42 = ((SshdSocketAddress) O42).H();
        }
        if (!(O42 instanceof InetSocketAddress)) {
            throw new SshException(3, "KeyExchange signature verification failed, could not determine connect host for key ID=" + e7);
        }
        // getHostString() yields the host name or address literal without a reverse lookup.
        String hostString = ((InetSocketAddress) O42).getHostString();
        // The principal list must be non-empty and contain the connect host as an exact
        // Collection.contains match: no wildcard handling or case folding is visible here.
        Collection U6 = openSshCertificate.U();
        if (GenericUtils.q(U6) || !U6.contains(hostString)) {
            throw new SshException(3, "KeyExchange signature verification failed, invalid principal " + hostString + " for key ID=" + e7 + " - allowed=" + U6);
        }
        // Any critical option at all is treated as unrecognized, so the certificate is refused.
        if (GenericUtils.q(openSshCertificate.M())) {
            return;
        }
        throw new SshException(3, "KeyExchange signature verification failed, unrecognized critical options " + openSshCertificate.M() + " for key ID=" + e7);
    }

    /** @return the name reported by the DH factory */
    @Override // org.apache.sshd.common.NamedResource
    public final String getName() {
        return this.f3750T.getName();
    }

    /**
     * Starts the exchange: delegates to the superclass, creates a fresh DH instance and its
     * digest, then sends SSH_MSG_KEXDH_INIT (packet type 30) carrying the encoded DH value.
     *
     * <p>The four byte arrays are passed through to {@code super.q0} unchanged; presumably
     * they are the version strings and KEXINIT payloads that {@link #t1} later hashes
     * (TODO confirm against the superclass).
     */
    @Override // org.apache.sshd.common.kex.dh.AbstractDHKeyExchange, org.apache.sshd.common.kex.KeyExchange
    public void q0(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4) {
        super.q0(bArr, bArr2, bArr3, bArr4);
        // New DH state per exchange; its digest becomes the exchange-hash digest used in t1.
        AbstractDH P6 = P6();
        this.f3751U = P6;
        Digest e7 = P6.e();
        this.f19694L = e7;
        // presumably initialises the digest (TODO confirm).
        e7.m0();
        // J6(...) converts the DH value from d() into the bytes placed in the packet;
        // presumably d() is this side's public value.
        byte[] J6 = J6(this.f3751U.d());
        Session session = getSession();
        if (this.f20148F.j()) {
            this.f20148F.h("init({})[{}] Send SSH_MSG_KEXDH_INIT", this, session);
        }
        // Packet type 30 with room for the value plus 32 bytes of headroom.
        Buffer k32 = session.k3((byte) 30, J6.length + 32);
        k32.b0(J6);
        session.h(k32);
    }

    /**
     * Handles the server's SSH_MSG_KEXDH_REPLY (packet type 31): reads the host key blob,
     * the server's DH value and the signature; derives the shared secret; computes the
     * exchange hash; and verifies the server's signature over it.
     *
     * <p>Certificate handling: if the host key blob parses as an {@link OpenSshCertificate},
     * {@link #R6} is run on it. When that throws {@link SshException} and the setting read
     * from {@code AbstractC1502d.f20809q} is false, the failure is only logged and the
     * certificate's embedded plain key is reported instead, so a certificate with a bad
     * signature, outside its validity window, or issued for another principal degrades to
     * plain host-key handling rather than ending the connection. Deployments that need
     * fail-closed behaviour should enable that setting (presumably an "abort on invalid
     * certificate" property; confirm its name upstream). Exceptions of any other type
     * thrown by {@code R6} propagate regardless of the setting.
     *
     * <p>The key handed to {@code da(...)} at the end is the only output on which a later
     * trust decision can be based; this method performs none itself.
     *
     * @param i7     packet type received; must be 31
     * @param buffer packet payload positioned at the host key blob
     * @return {@code true} once the server signature has been verified
     * @throws SshException on an unexpected packet type, a missing negotiated server key
     *                      algorithm, a rejected certificate (when the abort setting is on)
     *                      or a failed signature (declared only in this comment; the
     *                      decompiler dropped throws clauses)
     */
    @Override // org.apache.sshd.common.kex.KeyExchange
    public boolean t1(int i7, Buffer buffer) {
        // publicKey is what gets reported via da(...); G6 ends up as the key used to verify the signature.
        PublicKey publicKey;
        Q4.a O6 = O6();
        if (this.f20148F.j()) {
            this.f20148F.f("next({})[{}] process command={}", this, O6, org.apache.sshd.common.kex.k.b(i7));
        }
        if (i7 != 31) {
            throw new SshException(3, "Protocol error: expected packet SSH_MSG_KEXDH_REPLY, got " + org.apache.sshd.common.kex.k.b(i7));
        }
        // Read order matters: host key blob, server DH value, signature. All three are peer-controlled.
        byte[] t7 = buffer.t();
        byte[] K6 = K6(buffer);
        byte[] t8 = buffer.t();
        // Feed the server's value into the DH state and take the result; presumably the shared secret.
        this.f3751U.i(K6);
        this.f19695M = this.f3751U.f();
        PublicKey G6 = new ByteArrayBuffer(t7).G();
        if (G6 instanceof OpenSshCertificate) {
            OpenSshCertificate openSshCertificate = (OpenSshCertificate) G6;
            // p7 is the key embedded in the certificate; it replaces G6 for signature verification below.
            PublicKey p7 = openSshCertificate.p();
            try {
                R6(O6, openSshCertificate);
                // Certificate accepted: report the certificate itself.
                publicKey = G6;
            } catch (SshException e7) {
                // Fail closed only when the session setting says so.
                if (((Boolean) AbstractC1502d.f20809q.U2(O6)).booleanValue()) {
                    throw e7;
                }
                // Fail open: drop the certificate and report only its embedded key.
                // The logged ID comes from the peer-supplied certificate.
                publicKey = openSshCertificate.p();
                this.f20148F.J("Ignoring invalid certificate {}", openSshCertificate.e(), e7);
            }
            G6 = p7;
        } else {
            publicKey = G6;
        }
        // Negotiated server host key algorithm selects the verifier.
        // NOTE(review): nothing visible here compares the presented key's type with L52;
        // presumably a mismatch fails inside Y4/N0. Confirm.
        String L52 = O6.L5(KexProposalOption.SERVERKEYS);
        if (GenericUtils.o(L52)) {
            throw new SshException("Unsupported server key type: " + G6.getAlgorithm() + "[" + G6.getFormat() + "]");
        }
        // Exchange hash input: four superclass fields, the raw host key blob as received,
        // then D6(), the server's DH value and the derived secret. The blob t7 is hashed as
        // received, so a certificate is covered by the hash even when it is ignored above.
        ByteArrayBuffer byteArrayBuffer = new ByteArrayBuffer();
        byteArrayBuffer.W(this.f19691I);
        byteArrayBuffer.W(this.f19690H);
        byteArrayBuffer.W(this.f19693K);
        byteArrayBuffer.W(this.f19692J);
        byteArrayBuffer.W(t7);
        byteArrayBuffer.b0(D6());
        byteArrayBuffer.b0(K6);
        byteArrayBuffer.b0(this.f19695M);
        this.f19694L.c(byteArrayBuffer.g(), 0, byteArrayBuffer.a());
        this.f19696N = this.f19694L.i();
        // Verify the server's signature over the exchange hash with the (possibly certificate-embedded) key.
        Signature signature = (Signature) ValidateUtils.f(k.a(O6.w1(), L52), "No verifier located for algorithm=%s", L52);
        signature.Y4(O6, G6);
        signature.i3(O6, this.f19696N);
        if (signature.N0(O6, t8)) {
            // Report the server key (certificate or plain key) to the session; see the method comment on trust.
            O6.da(publicKey);
            return true;
        }
        throw new SshException(3, "KeyExchange signature verification failed for key type=" + L52);
    }
}
