package net.luminis.tls.handshake;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.NamedParameterSpec;
import java.security.spec.PSSParameterSpec;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import net.luminis.tls.TlsConstants;
import net.luminis.tls.TlsState;
import net.luminis.tls.TrafficSecrets;
import net.luminis.tls.alert.ErrorAlert;
import net.luminis.tls.alert.HandshakeFailureAlert;
import net.luminis.tls.alert.InternalErrorAlert;
import net.luminis.tls.env.AlgorithmMapping;
import net.luminis.tls.env.PlatformMapping;
import net.luminis.tls.extension.Extension;
import net.luminis.tls.extension.UnknownExtension;
import org.apache.commons.cli.HelpFormatter;

/* loaded from: input_file:net/luminis/tls/handshake/TlsEngine.class */
public abstract class TlsEngine implements MessageProcessor, TrafficSecrets {
    protected PublicKey publicKey;
    protected PrivateKey privateKey;
    protected TlsState state;
    protected AlgorithmMapping algorithmMapping = PlatformMapping.algorithmMapping();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: net.luminis.tls.handshake.TlsEngine$1, reason: invalid class name */
    /* loaded from: input_file:net/luminis/tls/handshake/TlsEngine$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$net$luminis$tls$TlsConstants$CipherSuite = new int[TlsConstants.CipherSuite.values().length];

        static {
            try {
                $SwitchMap$net$luminis$tls$TlsConstants$CipherSuite[TlsConstants.CipherSuite.TLS_AES_128_GCM_SHA256.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$net$luminis$tls$TlsConstants$CipherSuite[TlsConstants.CipherSuite.TLS_AES_256_GCM_SHA384.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$net$luminis$tls$TlsConstants$CipherSuite[TlsConstants.CipherSuite.TLS_CHACHA20_POLY1305_SHA256.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$net$luminis$tls$TlsConstants$CipherSuite[TlsConstants.CipherSuite.TLS_AES_128_CCM_SHA256.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$net$luminis$tls$TlsConstants$CipherSuite[TlsConstants.CipherSuite.TLS_AES_128_CCM_8_SHA256.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    public abstract TlsConstants.CipherSuite getSelectedCipher();

    public static int hashLength(TlsConstants.CipherSuite cipherSuite) {
        switch (AnonymousClass1.$SwitchMap$net$luminis$tls$TlsConstants$CipherSuite[cipherSuite.ordinal()]) {
            case HelpFormatter.DEFAULT_LEFT_PAD /* 1 */:
                return 32;
            case 2:
                return 48;
            case 3:
                return 32;
            case 4:
                return 32;
            case 5:
                return 32;
            default:
                throw new RuntimeException();
        }
    }

    public static int keyLength(TlsConstants.CipherSuite cipherSuite) {
        switch (AnonymousClass1.$SwitchMap$net$luminis$tls$TlsConstants$CipherSuite[cipherSuite.ordinal()]) {
            case HelpFormatter.DEFAULT_LEFT_PAD /* 1 */:
                return 16;
            case 2:
                return 32;
            case 3:
                return 32;
            case 4:
                return 16;
            case 5:
                return 16;
            default:
                throw new RuntimeException();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void generateKeys(TlsConstants.NamedGroup namedGroup) {
        KeyPairGenerator keyPairGenerator;
        try {
            if (namedGroup == TlsConstants.NamedGroup.secp256r1 || namedGroup == TlsConstants.NamedGroup.secp384r1 || namedGroup == TlsConstants.NamedGroup.secp521r1) {
                keyPairGenerator = KeyPairGenerator.getInstance("EC");
                keyPairGenerator.initialize(new ECGenParameterSpec(namedGroup.toString()));
            } else {
                if (namedGroup != TlsConstants.NamedGroup.x25519 && namedGroup != TlsConstants.NamedGroup.x448) {
                    throw new RuntimeException("unsupported group " + namedGroup);
                }
                keyPairGenerator = KeyPairGenerator.getInstance("XDH");
                keyPairGenerator.initialize(new NamedParameterSpec(namedGroup.toString().toUpperCase()));
            }
            KeyPair genKeyPair = keyPairGenerator.genKeyPair();
            this.privateKey = genKeyPair.getPrivate();
            this.publicKey = genKeyPair.getPublic();
        } catch (InvalidAlgorithmParameterException e) {
            throw new RuntimeException();
        } catch (NoSuchAlgorithmException e2) {
            throw new RuntimeException("missing key pair generator algorithm EC");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public byte[] computeSignature(byte[] bArr, PrivateKey privateKey, TlsConstants.SignatureScheme signatureScheme, boolean z) throws ErrorAlert {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            byteArrayOutputStream.write(" ".repeat(64).getBytes(StandardCharsets.US_ASCII));
            byteArrayOutputStream.write(("TLS 1.3, " + (z ? "client" : "server") + " CertificateVerify").getBytes(StandardCharsets.US_ASCII));
            byteArrayOutputStream.write(0);
            byteArrayOutputStream.write(bArr);
            try {
                Signature signatureAlgorithm = getSignatureAlgorithm(signatureScheme);
                signatureAlgorithm.initSign(privateKey);
                signatureAlgorithm.update(byteArrayOutputStream.toByteArray());
                return signatureAlgorithm.sign();
            } catch (InvalidKeyException e) {
                throw new InternalErrorAlert("invalid private key");
            } catch (SignatureException e2) {
                throw new RuntimeException();
            }
        } catch (IOException e3) {
            throw new RuntimeException();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public byte[] computeFinishedVerifyData(byte[] bArr, byte[] bArr2) {
        short hashLength = this.state.getHashLength();
        byte[] hkdfExpandLabel = this.state.hkdfExpandLabel(bArr2, "finished", "", hashLength);
        String str = "HmacSHA" + (hashLength * 8);
        SecretKeySpec secretKeySpec = new SecretKeySpec(hkdfExpandLabel, str);
        try {
            Mac mac = Mac.getInstance(str);
            mac.init(secretKeySpec);
            mac.update(bArr);
            return mac.doFinal();
        } catch (InvalidKeyException e) {
            throw new RuntimeException();
        } catch (NoSuchAlgorithmException e2) {
            throw new RuntimeException("Missing " + str + " support");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Signature getSignatureAlgorithm(TlsConstants.SignatureScheme signatureScheme) throws HandshakeFailureAlert {
        Signature signature;
        if (signatureScheme.equals(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256)) {
            try {
                signature = Signature.getInstance(this.algorithmMapping.get("RSASSA-PSS"));
                signature.setParameter(new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), 32, 1));
            } catch (InvalidAlgorithmParameterException e) {
                throw new RuntimeException(e);
            } catch (NoSuchAlgorithmException e2) {
                throw new RuntimeException("Missing RSASSA-PSS support");
            }
        } else if (signatureScheme.equals(TlsConstants.SignatureScheme.rsa_pss_rsae_sha384)) {
            try {
                signature = Signature.getInstance(this.algorithmMapping.get("RSASSA-PSS"));
                signature.setParameter(new PSSParameterSpec("SHA-384", "MGF1", new MGF1ParameterSpec("SHA-384"), 48, 1));
            } catch (InvalidAlgorithmParameterException e3) {
                throw new RuntimeException(e3);
            } catch (NoSuchAlgorithmException e4) {
                throw new RuntimeException("Missing RSASSA-PSS support");
            }
        } else if (signatureScheme.equals(TlsConstants.SignatureScheme.rsa_pss_rsae_sha512)) {
            try {
                signature = Signature.getInstance(this.algorithmMapping.get("RSASSA-PSS"));
                signature.setParameter(new PSSParameterSpec("SHA-512", "MGF1", new MGF1ParameterSpec("SHA-512"), 64, 1));
            } catch (InvalidAlgorithmParameterException e5) {
                throw new RuntimeException(e5);
            } catch (NoSuchAlgorithmException e6) {
                throw new RuntimeException("Missing RSASSA-PSS support");
            }
        } else {
            if (!signatureScheme.equals(TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256)) {
                throw new HandshakeFailureAlert("Signature algorithm not supported " + signatureScheme);
            }
            try {
                signature = Signature.getInstance("SHA256withECDSA");
            } catch (NoSuchAlgorithmException e7) {
                throw new RuntimeException("Missing SHA256withECDSA support");
            }
        }
        return signature;
    }

    @Override // net.luminis.tls.TrafficSecrets
    public byte[] getClientEarlyTrafficSecret() {
        if (this.state != null) {
            return this.state.getClientEarlyTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    @Override // net.luminis.tls.TrafficSecrets
    public byte[] getClientHandshakeTrafficSecret() {
        if (this.state != null) {
            return this.state.getClientHandshakeTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    @Override // net.luminis.tls.TrafficSecrets
    public byte[] getServerHandshakeTrafficSecret() {
        if (this.state != null) {
            return this.state.getServerHandshakeTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    @Override // net.luminis.tls.TrafficSecrets
    public byte[] getClientApplicationTrafficSecret() {
        if (this.state != null) {
            return this.state.getClientApplicationTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    @Override // net.luminis.tls.TrafficSecrets
    public byte[] getServerApplicationTrafficSecret() {
        if (this.state != null) {
            return this.state.getServerApplicationTrafficSecret();
        }
        throw new IllegalStateException("Traffic secret not yet available");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean recognizedExtension(Extension extension) {
        return !(extension instanceof UnknownExtension);
    }
}
