package sun.security.pkcs11;

import com.ibm.security.pkcs5.PKCS5;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.KeyAgreement;
import javax.crypto.KeyAgreementSpi;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.interfaces.DHPrivateKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import javax.crypto.spec.SecretKeySpec;
import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
import sun.security.pkcs11.wrapper.CK_MECHANISM;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import sun.security.util.KeyUtil;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:jre/Home/jre/lib/ext/sunpkcs11.jar:sun/security/pkcs11/P11KeyAgreement.class */
public final class P11KeyAgreement extends KeyAgreementSpi {
    private final Token token;
    private final String algorithm;
    private final long mechanism;
    private P11Key privateKey;
    private BigInteger publicValue;
    private int secretLen;
    private KeyAgreement multiPartyAgreement;

    /* JADX INFO: Access modifiers changed from: package-private */
    public P11KeyAgreement(Token token, String str, long j) {
        this.token = token;
        this.algorithm = str;
        this.mechanism = j;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // javax.crypto.KeyAgreementSpi
    public void engineInit(Key key, SecureRandom secureRandom) throws InvalidKeyException {
        if (!(key instanceof PrivateKey)) {
            throw new InvalidKeyException("Key must be instance of PrivateKey");
        }
        this.privateKey = P11KeyFactory.convertKey(this.token, key, this.algorithm);
        this.publicValue = null;
        this.multiPartyAgreement = null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // javax.crypto.KeyAgreementSpi
    public void engineInit(Key key, AlgorithmParameterSpec algorithmParameterSpec, SecureRandom secureRandom) throws InvalidKeyException, InvalidAlgorithmParameterException {
        if (algorithmParameterSpec != null) {
            throw new InvalidAlgorithmParameterException("Parameters not supported");
        }
        engineInit(key, secureRandom);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // javax.crypto.KeyAgreementSpi
    public Key engineDoPhase(Key key, boolean z) throws InvalidKeyException, IllegalStateException {
        BigInteger y;
        BigInteger p;
        BigInteger g;
        if (this.privateKey == null) {
            throw new IllegalStateException("Not initialized");
        }
        if (this.publicValue != null) {
            throw new IllegalStateException("Phase already executed");
        }
        if (this.multiPartyAgreement != null || !z) {
            if (this.multiPartyAgreement == null) {
                try {
                    this.multiPartyAgreement = KeyAgreement.getInstance("DH", P11Util.getSunJceProvider());
                    this.multiPartyAgreement.init(this.privateKey);
                } catch (NoSuchAlgorithmException e) {
                    throw new InvalidKeyException("Could not initialize multi party agreement", e);
                }
            }
            return this.multiPartyAgreement.doPhase(key, z);
        }
        if (!(key instanceof PublicKey) || !key.getAlgorithm().equals(this.algorithm)) {
            throw new InvalidKeyException("Key must be a PublicKey with algorithm DH");
        }
        if (key instanceof DHPublicKey) {
            DHPublicKey dHPublicKey = (DHPublicKey) key;
            KeyUtil.validate(dHPublicKey);
            y = dHPublicKey.getY();
            DHParameterSpec params = dHPublicKey.getParams();
            p = params.getP();
            g = params.getG();
        } else {
            try {
                DHPublicKeySpec dHPublicKeySpec = (DHPublicKeySpec) new P11DHKeyFactory(this.token, "DH").engineGetKeySpec(key, DHPublicKeySpec.class);
                KeyUtil.validate(dHPublicKeySpec);
                y = dHPublicKeySpec.getY();
                p = dHPublicKeySpec.getP();
                g = dHPublicKeySpec.getG();
            } catch (InvalidKeySpecException e2) {
                throw new InvalidKeyException("Could not obtain key values", e2);
            }
        }
        if (this.privateKey instanceof DHPrivateKey) {
            DHParameterSpec params2 = ((DHPrivateKey) this.privateKey).getParams();
            if (!p.equals(params2.getP()) || !g.equals(params2.getG())) {
                throw new InvalidKeyException("PublicKey DH parameters must match PrivateKey DH parameters");
            }
        }
        this.publicValue = y;
        this.secretLen = (p.bitLength() + 7) >> 3;
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // javax.crypto.KeyAgreementSpi
    public byte[] engineGenerateSecret() throws IllegalStateException {
        if (this.multiPartyAgreement != null) {
            byte[] generateSecret = this.multiPartyAgreement.generateSecret();
            this.multiPartyAgreement = null;
            return generateSecret;
        }
        if (this.privateKey == null || this.publicValue == null) {
            throw new IllegalStateException("Not initialized correctly");
        }
        try {
            try {
                Session opSession = this.token.getOpSession();
                long C_DeriveKey = this.token.p11.C_DeriveKey(opSession.id(), new CK_MECHANISM(this.mechanism, this.publicValue), this.privateKey.keyID, this.token.getAttributes("generate", 4L, 16L, new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(0L, 4L), new CK_ATTRIBUTE(256L, 16L)}));
                CK_ATTRIBUTE[] ck_attributeArr = {new CK_ATTRIBUTE(17L)};
                this.token.p11.C_GetAttributeValue(opSession.id(), C_DeriveKey, ck_attributeArr);
                byte[] byteArray = ck_attributeArr[0].getByteArray();
                this.token.p11.C_DestroyObject(opSession.id(), C_DeriveKey);
                if (byteArray.length == this.secretLen) {
                    this.publicValue = null;
                    this.token.releaseSession(opSession);
                    return byteArray;
                }
                if (byteArray.length > this.secretLen) {
                    throw new ProviderException("generated secret is out-of-range");
                }
                byte[] bArr = new byte[this.secretLen];
                System.arraycopy(byteArray, 0, bArr, this.secretLen - byteArray.length, byteArray.length);
                this.publicValue = null;
                this.token.releaseSession(opSession);
                return bArr;
            } catch (PKCS11Exception e) {
                throw new ProviderException("Could not derive key", e);
            }
        } catch (Throwable th) {
            this.publicValue = null;
            this.token.releaseSession(null);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // javax.crypto.KeyAgreementSpi
    public int engineGenerateSecret(byte[] bArr, int i) throws IllegalStateException, ShortBufferException {
        if (this.multiPartyAgreement != null) {
            int generateSecret = this.multiPartyAgreement.generateSecret(bArr, i);
            this.multiPartyAgreement = null;
            return generateSecret;
        }
        if (i + this.secretLen > bArr.length) {
            throw new ShortBufferException("Need " + this.secretLen + " bytes, only " + (bArr.length - i) + " available");
        }
        byte[] engineGenerateSecret = engineGenerateSecret();
        System.arraycopy(engineGenerateSecret, 0, bArr, i, engineGenerateSecret.length);
        return engineGenerateSecret.length;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // javax.crypto.KeyAgreementSpi
    public SecretKey engineGenerateSecret(String str) throws IllegalStateException, NoSuchAlgorithmException, InvalidKeyException {
        int length;
        if (this.multiPartyAgreement != null) {
            SecretKey generateSecret = this.multiPartyAgreement.generateSecret(str);
            this.multiPartyAgreement = null;
            return generateSecret;
        }
        if (str == null) {
            throw new NoSuchAlgorithmException("Algorithm must not be null");
        }
        if (str.equals("TlsPremasterSecret")) {
            return nativeGenerateSecret(str);
        }
        byte[] engineGenerateSecret = engineGenerateSecret();
        if (str.equalsIgnoreCase(PKCS5.CIPHER_ALGORITHM_DES)) {
            length = 8;
        } else if (str.equalsIgnoreCase(PKCS5.CIPHER_ALGORITHM_DESEDE)) {
            length = 24;
        } else if (str.equalsIgnoreCase("Blowfish")) {
            length = Math.min(56, engineGenerateSecret.length);
        } else {
            if (!str.equalsIgnoreCase("TlsPremasterSecret")) {
                throw new NoSuchAlgorithmException("Unknown algorithm " + str);
            }
            length = engineGenerateSecret.length;
        }
        if (engineGenerateSecret.length < length) {
            throw new InvalidKeyException("Secret too short");
        }
        if (str.equalsIgnoreCase(PKCS5.CIPHER_ALGORITHM_DES) || str.equalsIgnoreCase(PKCS5.CIPHER_ALGORITHM_DESEDE)) {
            for (int i = 0; i < length; i += 8) {
                P11SecretKeyFactory.fixDESParity(engineGenerateSecret, i);
            }
        }
        return new SecretKeySpec(engineGenerateSecret, 0, length, str);
    }

    private SecretKey nativeGenerateSecret(String str) throws IllegalStateException, NoSuchAlgorithmException, InvalidKeyException {
        byte[] encoded;
        byte[] trimZeroes;
        if (this.privateKey == null || this.publicValue == null) {
            throw new IllegalStateException("Not initialized correctly");
        }
        Session session = null;
        try {
            try {
                session = this.token.getObjSession();
                CK_ATTRIBUTE[] attributes = this.token.getAttributes("generate", 4L, 16L, new CK_ATTRIBUTE[]{new CK_ATTRIBUTE(0L, 4L), new CK_ATTRIBUTE(256L, 16L)});
                long C_DeriveKey = this.token.p11.C_DeriveKey(session.id(), new CK_MECHANISM(this.mechanism, this.publicValue), this.privateKey.keyID, attributes);
                CK_ATTRIBUTE[] ck_attributeArr = {new CK_ATTRIBUTE(353L)};
                this.token.p11.C_GetAttributeValue(session.id(), C_DeriveKey, ck_attributeArr);
                SecretKey secretKey = P11Key.secretKey(session, C_DeriveKey, str, ((int) ck_attributeArr[0].getLong()) << 3, attributes);
                if ("RAW".equals(secretKey.getFormat()) && encoded != (trimZeroes = KeyUtil.trimZeroes((encoded = secretKey.getEncoded())))) {
                    secretKey = new SecretKeySpec(trimZeroes, str);
                }
                SecretKey secretKey2 = secretKey;
                this.publicValue = null;
                this.token.releaseSession(session);
                return secretKey2;
            } catch (PKCS11Exception e) {
                throw new InvalidKeyException("Could not derive key", e);
            }
        } catch (Throwable th) {
            this.publicValue = null;
            this.token.releaseSession(session);
            throw th;
        }
    }
}
