package net.jradius.tls;

import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.Signer;
import org.bouncycastle.crypto.agreement.srp.SRP6Client;
import org.bouncycastle.crypto.agreement.srp.SRP6Util;
import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.crypto.io.SignerInputStream;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.DSAPublicKeyParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.util.PublicKeyFactory;
import org.bouncycastle.util.BigIntegers;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:net/jradius/tls/TlsSRPKeyExchange.class */
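/**
 * Client side of the TLS-SRP key exchange (SRP, SRP_DSS and the variant selected by
 * key-exchange id 12, which uses an RSA signer).
 *
 * <p>For the signed variants the server certificate supplies the key that authenticates the
 * ServerKeyExchange parameters; for plain SRP no certificate is expected.
 *
 * <p>Every failure path calls {@code handler.failWithError(...)} and then throws, so the
 * handshake can never continue past a failed check even if {@code failWithError} were to
 * return normally (its implementation is not visible in this file; it is expected to throw).
 */
public class TlsSRPKeyExchange implements TlsKeyExchange {
    // TLS alert level / description codes (RFC 5246, section 7.2). The decompiled source used
    // the bare numbers; the values are unchanged.
    private static final short AL_FATAL = 2;
    private static final short AP_UNEXPECTED_MESSAGE = 10;
    private static final short AP_BAD_CERTIFICATE = 42;
    private static final short AP_UNSUPPORTED_CERTIFICATE = 43;
    private static final short AP_CERTIFICATE_UNKNOWN = 46;
    private static final short AP_ILLEGAL_PARAMETER = 47;
    private static final short AP_INTERNAL_ERROR = 80;
    private static final short AP_USER_CANCELED = 90;

    private final TlsProtocolHandler handler;
    private final CertificateVerifyer verifyer;
    private final short keyExchange;
    // null for plain SRP (no server signature), otherwise the verifier factory for the suite.
    private final TlsSigner tlsSigner;
    // Set only after the server certificate has passed every check in processServerCertificate.
    private AsymmetricKeyParameter serverPublicKey = null;
    // NOTE(review): nothing in this class assigns the SRP identity or password, so
    // generateClientKeyExchange() cannot succeed until a way of supplying them is added.
    private byte[] SRP_identity = null;
    private byte[] SRP_password = null;
    // SRP salt received in ServerKeyExchange.
    private byte[] s = null;
    // Server public value B, stored only after SRP6Util.validatePublicValue accepted it.
    private BigInteger B = null;
    private final SRP6Client srpClient = new SRP6Client();

    /**
     * Creates the key exchange for one handshake.
     *
     * @param tlsProtocolHandler handler used to raise alerts and to obtain randomness
     * @param certificateVerifyer callback that decides whether the server chain is acceptable
     * @param s key-exchange id: {@code KE_SRP}, {@code KE_SRP_DSS} or 12
     * @throws IllegalArgumentException if {@code s} is not one of the supported ids
     */
    public TlsSRPKeyExchange(TlsProtocolHandler tlsProtocolHandler, CertificateVerifyer certificateVerifyer, short s) {
        switch (s) {
            case TlsKeyExchange.KE_SRP /* 10 */:
                this.tlsSigner = null;
                break;
            case TlsKeyExchange.KE_SRP_DSS /* 11 */:
                this.tlsSigner = new TlsDSSSigner();
                break;
            case 12: // presumably the SRP_RSA id; the named constant is not visible here
                this.tlsSigner = new TlsRSASigner();
                break;
            default:
                throw new IllegalArgumentException("unsupported key exchange algorithm");
        }
        this.handler = tlsProtocolHandler;
        this.verifyer = certificateVerifyer;
        this.keyExchange = s;
    }

    /**
     * Called when the server sent no Certificate message. That is only acceptable for plain
     * SRP; the signed variants need the certificate to authenticate ServerKeyExchange.
     */
    @Override // net.jradius.tls.TlsKeyExchange
    public void skipServerCertificate() throws IOException {
        if (this.tlsSigner != null) {
            throw fatal(AP_UNEXPECTED_MESSAGE, "server certificate missing for signed SRP key exchange");
        }
    }

    /**
     * Validates the server certificate for the signed SRP variants and records its public key.
     *
     * <p>The key is published to {@code serverPublicKey} only after the key type, the key usage
     * and the caller-supplied chain verifier have all accepted the certificate.
     *
     * @param certificate the chain sent by the server; the first entry is the server's own
     * @throws IOException if any check fails (a fatal alert is raised first)
     */
    @Override // net.jradius.tls.TlsKeyExchange
    public void processServerCertificate(Certificate certificate) throws IOException {
        if (this.tlsSigner == null) {
            throw fatal(AP_UNEXPECTED_MESSAGE, "unexpected server certificate for plain SRP");
        }
        // An empty chain would otherwise surface as an unchecked ArrayIndexOutOfBoundsException
        // instead of a TLS alert.
        if (certificate.certs == null || certificate.certs.length == 0) {
            throw fatal(AP_BAD_CERTIFICATE, "server sent an empty certificate chain");
        }
        X509CertificateStructure serverCert = certificate.certs[0];

        AsymmetricKeyParameter key;
        try {
            key = PublicKeyFactory.createKey(serverCert.getSubjectPublicKeyInfo());
        } catch (RuntimeException e) {
            throw fatal(AP_UNSUPPORTED_CERTIFICATE, "cannot decode server public key");
        }
        if (key.isPrivate()) {
            throw fatal(AP_INTERNAL_ERROR, "server certificate yielded a private key");
        }

        switch (this.keyExchange) {
            case TlsKeyExchange.KE_SRP_DSS /* 11 */:
                if (!(key instanceof DSAPublicKeyParameters)) {
                    throw fatal(AP_CERTIFICATE_UNKNOWN, "expected a DSA server key");
                }
                // The DSS key signs ServerKeyExchange just like the RSA key does, so a
                // KeyUsage extension that forbids digitalSignature is rejected here as well.
                validateKeyUsage(serverCert, KeyUsage.digitalSignature);
                break;
            case 12:
                if (!(key instanceof RSAKeyParameters)) {
                    throw fatal(AP_CERTIFICATE_UNKNOWN, "expected an RSA server key");
                }
                validateKeyUsage(serverCert, KeyUsage.digitalSignature);
                break;
            default:
                throw fatal(AP_UNSUPPORTED_CERTIFICATE, "key exchange does not use a certificate");
        }

        // NOTE(review): user_canceled (90) is kept from the original as the alert for a chain
        // the verifier rejects; confirm that this is the intended description.
        if (!this.verifyer.isValid(certificate.getCerts())) {
            throw fatal(AP_USER_CANCELED, "server certificate chain rejected");
        }
        this.serverPublicKey = key;
    }

    /** ServerKeyExchange is mandatory for SRP, so its absence is always fatal. */
    @Override // net.jradius.tls.TlsKeyExchange
    public void skipServerKeyExchange() throws IOException {
        throw fatal(AP_UNEXPECTED_MESSAGE, "server key exchange missing");
    }

    /**
     * Reads the SRP parameters (N, g, salt, B) from ServerKeyExchange, verifies the server's
     * signature over them for the signed variants, and initialises the SRP client.
     *
     * @param inputStream the ServerKeyExchange body
     * @param securityParameters source of the client and server randoms covered by the signature
     * @throws IOException on a read error or if any check fails (a fatal alert is raised first)
     */
    @Override // net.jradius.tls.TlsKeyExchange
    public void processServerKeyExchange(InputStream inputStream, SecurityParameters securityParameters) throws IOException {
        InputStream paramsIn = inputStream;
        Signer verifier = null;
        if (this.tlsSigner != null) {
            // Without a validated certificate there is no key to check the signature against.
            if (this.serverPublicKey == null) {
                throw fatal(AP_UNEXPECTED_MESSAGE, "server key exchange before a valid certificate");
            }
            verifier = initSigner(this.tlsSigner, securityParameters);
            // Everything read through this wrapper is also fed into the signature verifier.
            paramsIn = new SignerInputStream(inputStream, verifier);
        }

        byte[] nBytes = TlsUtils.readOpaque16(paramsIn);
        byte[] gBytes = TlsUtils.readOpaque16(paramsIn);
        byte[] salt = TlsUtils.readOpaque8(paramsIn);
        byte[] bBytes = TlsUtils.readOpaque16(paramsIn);

        if (verifier != null) {
            // The signature itself is read from the raw stream so it is not hashed into itself.
            byte[] signature = TlsUtils.readOpaque16(inputStream);
            if (!verifier.verifySignature(signature)) {
                throw fatal(AP_BAD_CERTIFICATE, "server key exchange signature invalid");
            }
        }

        // NOTE(review): N and g are accepted exactly as the server sent them. RFC 5054 advises
        // clients to accept only group parameters from a trusted source (for example its
        // Appendix A groups); no such check exists here, and for plain SRP the parameters are
        // not signed either. Consider verifying (N, g) against a list of known groups.
        BigInteger n = new BigInteger(1, nBytes);
        BigInteger g = new BigInteger(1, gBytes);

        BigInteger serverPublicValue;
        try {
            serverPublicValue = SRP6Util.validatePublicValue(n, new BigInteger(1, bBytes));
        } catch (CryptoException e) {
            throw fatal(AP_ILLEGAL_PARAMETER, "invalid SRP server public value");
        }

        this.s = salt;
        this.B = serverPublicValue;
        this.srpClient.init(n, g, new SHA1Digest(), this.handler.getRandom());
    }

    /**
     * Produces the client's SRP public value for ClientKeyExchange.
     *
     * @return the public value as an unsigned big-endian byte array
     * @throws IOException if the salt, identity or password is not available
     */
    @Override // net.jradius.tls.TlsKeyExchange
    public byte[] generateClientKeyExchange() throws IOException {
        // Fail with an alert instead of a NullPointerException from inside the SRP code.
        if (this.s == null || this.SRP_identity == null || this.SRP_password == null) {
            throw fatal(AP_INTERNAL_ERROR, "SRP salt, identity or password not available");
        }
        return BigIntegers.asUnsignedByteArray(this.srpClient.generateClientCredentials(this.s, this.SRP_identity, this.SRP_password));
    }

    /**
     * Derives the premaster secret from the validated server public value.
     *
     * @return the secret as an unsigned big-endian byte array, never {@code null}
     * @throws IOException if no server value was accepted or the SRP calculation fails
     */
    @Override // net.jradius.tls.TlsKeyExchange
    public byte[] generatePremasterSecret() throws IOException {
        if (this.B == null) {
            throw fatal(AP_INTERNAL_ERROR, "SRP server public value not available");
        }
        try {
            return BigIntegers.asUnsignedByteArray(this.srpClient.calculateSecret(this.B));
        } catch (CryptoException e) {
            // The original returned null after the alert; a null secret must never reach the
            // caller, so the failure is reported as an exception instead.
            throw fatal(AP_ILLEGAL_PARAMETER, "SRP premaster secret calculation failed");
        }
    }

    /**
     * Rejects the certificate if it carries a KeyUsage extension that lacks the requested
     * bits. A certificate without the extension (or without any extensions) is accepted.
     *
     * @param x509CertificateStructure certificate to inspect
     * @param i required KeyUsage bits, tested against the first byte of the bit string
     */
    private void validateKeyUsage(X509CertificateStructure x509CertificateStructure, int i) throws IOException {
        X509Extensions extensions = x509CertificateStructure.getTBSCertificate().getExtensions();
        if (extensions == null) {
            return;
        }
        X509Extension extension = extensions.getExtension(X509Extensions.KeyUsage);
        if (extension == null) {
            return;
        }
        byte[] usageBits = KeyUsage.getInstance(extension).getBytes();
        // An empty bit string grants nothing; treat it as "no bits set" rather than indexing it.
        int firstByte = usageBits.length > 0 ? usageBits[0] & 255 : 0;
        if ((firstByte & i) != i) {
            throw fatal(AP_CERTIFICATE_UNKNOWN, "server certificate key usage does not permit signing");
        }
    }

    /**
     * Builds a signature verifier for the server key and primes it with the client and server
     * randoms, which precede the SRP parameters in the signed data.
     */
    private Signer initSigner(TlsSigner tlsSigner, SecurityParameters securityParameters) {
        Signer verifier = tlsSigner.createVerifyer(this.serverPublicKey);
        verifier.update(securityParameters.clientRandom, 0, securityParameters.clientRandom.length);
        verifier.update(securityParameters.serverRandom, 0, securityParameters.serverRandom.length);
        return verifier;
    }

    /**
     * Raises a fatal alert through the handler and returns the exception to throw afterwards.
     * If {@code failWithError} throws (as expected), that exception propagates unchanged and
     * the returned one is never used.
     */
    private IOException fatal(short alertDescription, String message) throws IOException {
        this.handler.failWithError(AL_FATAL, alertDescription);
        return new IOException(message);
    }
}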
