package tech.lp2p.tls;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.NamedParameterSpec;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes3.dex */
public abstract class TlsEngine implements MessageProcessor, TrafficSecrets {
    private final X509TrustManager customTrustManager;
    PrivateKey privateKey;
    PublicKey publicKey;
    X509Certificate remoteCertificate;
    X509Certificate[] remoteCertificateChain;
    TlsState state;

    /* loaded from: classes3.dex */
    enum Status {
        Initial,
        ClientHelloSent,
        ServerHelloReceived,
        EncryptedExtensionsReceived,
        CertificateRequestReceived,
        CertificateReceived,
        CertificateVerifyReceived,
        Finished,
        ClientHelloReceived,
        ServerHelloSent,
        EncryptedExtensionsSent,
        CertificateRequestSent,
        CertificateSent,
        CertificateVerifySent,
        FinishedSent,
        FinishedReceived
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public TlsEngine(X509TrustManager x509TrustManager) {
        this.customTrustManager = x509TrustManager;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] computeSignature(byte[] bArr, PrivateKey privateKey, SignatureScheme signatureScheme, boolean z) throws ErrorAlert {
        try {
            try {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                try {
                    byteArrayOutputStream.write(" ".repeat(64).getBytes(StandardCharsets.US_ASCII));
                    byteArrayOutputStream.write(("TLS 1.3, " + (z ? "client" : "server") + " CertificateVerify").getBytes(StandardCharsets.US_ASCII));
                    byteArrayOutputStream.write(0);
                    byteArrayOutputStream.write(bArr);
                    Signature signatureAlgorithm = getSignatureAlgorithm(signatureScheme);
                    signatureAlgorithm.initSign(privateKey);
                    signatureAlgorithm.update(byteArrayOutputStream.toByteArray());
                    byte[] sign = signatureAlgorithm.sign();
                    byteArrayOutputStream.close();
                    return sign;
                } catch (Throwable th) {
                    try {
                        byteArrayOutputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (IOException | SignatureException e) {
                throw new RuntimeException(e);
            }
        } catch (InvalidKeyException unused) {
            throw new InternalErrorAlert("invalid private key");
        }
    }

    private static Signature getSignatureAlgorithm(SignatureScheme signatureScheme) throws HandshakeFailureAlert {
        if (signatureScheme == SignatureScheme.rsa_pss_rsae_sha256) {
            try {
                return Signature.getInstance("SHA256withRSA/PSS");
            } catch (NoSuchAlgorithmException unused) {
                throw new RuntimeException("Missing RSASSA-PSS support");
            }
        }
        if (signatureScheme == SignatureScheme.rsa_pss_rsae_sha384) {
            try {
                return Signature.getInstance("SHA384withRSA/PSS");
            } catch (NoSuchAlgorithmException unused2) {
                throw new RuntimeException("Missing RSASSA-PSS support");
            }
        }
        if (signatureScheme == SignatureScheme.rsa_pss_rsae_sha512) {
            try {
                return Signature.getInstance("SHA512withRSA/PSS");
            } catch (NoSuchAlgorithmException unused3) {
                throw new RuntimeException("Missing RSASSA-PSS support");
            }
        }
        if (signatureScheme != SignatureScheme.ecdsa_secp256r1_sha256) {
            throw new HandshakeFailureAlert("Signature algorithm not supported " + signatureScheme);
        }
        try {
            return Signature.getInstance("SHA256withECDSA");
        } catch (NoSuchAlgorithmException unused4) {
            throw new RuntimeException("Missing SHA256withECDSA support");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean verifySignature(byte[] bArr, SignatureScheme signatureScheme, Certificate certificate, byte[] bArr2, boolean z) throws HandshakeFailureAlert, DecryptErrorAlert {
        String str = "TLS 1.3, " + (z ? "client" : "server") + " CertificateVerify";
        ByteBuffer allocate = ByteBuffer.allocate(str.getBytes(StandardCharsets.ISO_8859_1).length + 65 + bArr2.length);
        for (int i = 0; i < 64; i++) {
            allocate.put((byte) 32);
        }
        allocate.put(str.getBytes(StandardCharsets.ISO_8859_1));
        allocate.put((byte) 0);
        allocate.put(bArr2);
        try {
            Signature signatureAlgorithm = getSignatureAlgorithm(signatureScheme);
            signatureAlgorithm.initVerify(certificate);
            signatureAlgorithm.update(allocate.array());
            return signatureAlgorithm.verify(bArr);
        } catch (InvalidKeyException | SignatureException e) {
            throw new DecryptErrorAlert(e.getMessage());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void checkCertificateValidity(X509Certificate[] x509CertificateArr, boolean z) throws BadCertificateAlert {
        try {
            X509TrustManager x509TrustManager = this.customTrustManager;
            if (x509TrustManager != null) {
                if (z) {
                    x509TrustManager.checkServerTrusted(x509CertificateArr, "RSA");
                    return;
                } else {
                    x509TrustManager.checkClientTrusted(x509CertificateArr, "RSA");
                    return;
                }
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            trustManagerFactory.init((KeyStore) null);
            X509TrustManager x509TrustManager2 = (X509TrustManager) trustManagerFactory.getTrustManagers()[0];
            if (z) {
                x509TrustManager2.checkServerTrusted(x509CertificateArr, "UNKNOWN");
            } else {
                x509TrustManager2.checkClientTrusted(x509CertificateArr, "UNKNOWN");
            }
        } catch (Throwable th) {
            String message = th.getMessage();
            if (message == null || message.isBlank()) {
                message = "certificate validation failed";
            }
            throw new BadCertificateAlert(message);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] computeFinishedVerifyData(byte[] bArr, byte[] bArr2) throws BadRecordMacAlert {
        short hashLength = TlsState.getHashLength();
        byte[] hkdfExpandLabel = this.state.hkdfExpandLabel(bArr2, "finished", "", hashLength);
        String str = "HmacSHA" + (hashLength * 8);
        SecretKeySpec secretKeySpec = new SecretKeySpec(hkdfExpandLabel, str);
        try {
            Mac mac = Mac.getInstance(str);
            mac.init(secretKeySpec);
            mac.update(bArr);
            return mac.doFinal();
        } catch (InvalidKeyException e) {
            throw new RuntimeException(e);
        } catch (NoSuchAlgorithmException unused) {
            throw new RuntimeException("Missing " + str + " support");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void generateKeys(NamedGroup namedGroup) {
        KeyPairGenerator keyPairGenerator;
        try {
            if (namedGroup != NamedGroup.secp256r1 && namedGroup != NamedGroup.secp384r1 && namedGroup != NamedGroup.secp521r1) {
                if (namedGroup != NamedGroup.x25519 && namedGroup != NamedGroup.x448) {
                    throw new RuntimeException("unsupported group " + namedGroup);
                }
                keyPairGenerator = KeyPairGenerator.getInstance("XDH");
                keyPairGenerator.initialize(new NamedParameterSpec(namedGroup.toString().toUpperCase()));
                KeyPair genKeyPair = keyPairGenerator.genKeyPair();
                this.privateKey = genKeyPair.getPrivate();
                this.publicKey = genKeyPair.getPublic();
            }
            keyPairGenerator = KeyPairGenerator.getInstance("EC");
            keyPairGenerator.initialize(new ECGenParameterSpec(namedGroup.toString()));
            KeyPair genKeyPair2 = keyPairGenerator.genKeyPair();
            this.privateKey = genKeyPair2.getPrivate();
            this.publicKey = genKeyPair2.getPublic();
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException(e);
        } catch (NoSuchAlgorithmException unused) {
            throw new RuntimeException("missing key pair generator algorithm EC");
        }
    }

    @Override // tech.lp2p.tls.TrafficSecrets
    public byte[] getClientApplicationTrafficSecret() {
        TlsState tlsState = this.state;
        if (tlsState != null) {
            return tlsState.getClientApplicationTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    @Override // tech.lp2p.tls.TrafficSecrets
    public byte[] getClientHandshakeTrafficSecret() {
        TlsState tlsState = this.state;
        if (tlsState != null) {
            return tlsState.getClientHandshakeTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    public X509Certificate getRemoteCertificate() {
        return this.remoteCertificate;
    }

    @Override // tech.lp2p.tls.TrafficSecrets
    public byte[] getServerApplicationTrafficSecret() {
        TlsState tlsState = this.state;
        if (tlsState != null) {
            return tlsState.getServerApplicationTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    @Override // tech.lp2p.tls.TrafficSecrets
    public byte[] getServerHandshakeTrafficSecret() {
        TlsState tlsState = this.state;
        if (tlsState != null) {
            return tlsState.getServerHandshakeTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }
}
