package org.spongycastle.tls;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Vector;
import org.spongycastle.tls.crypto.TlsAgreement;
import org.spongycastle.tls.crypto.TlsCertificate;
import org.spongycastle.tls.crypto.TlsDHConfig;
import org.spongycastle.tls.crypto.TlsSecret;

/* loaded from: classes.dex */
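/**
 * TLS Diffie-Hellman key exchange, covering the five key-exchange identifiers
 * accepted by {@link #checkKeyExchange(int)}.
 *
 * <p>This listing is decompiler output: the numeric literals were inlined from
 * constants that are not visible here. The names given to them below follow the
 * TLS registries (RFC 5246) and the library's usual {@code KeyExchangeAlgorithm},
 * {@code AlertDescription}, {@code ClientCertificateType} and {@code ConnectionEnd}
 * numbering; confirm against those classes before relying on the names.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>For the anonymous variant (value 11) this class rejects certificates and
 *       credentials on both sides, so the exchange carries no peer authentication
 *       and does not detect an active man-in-the-middle. Whether that variant is
 *       ever negotiated is decided by the caller's cipher-suite configuration.</li>
 *   <li>{@link #processServerKeyExchange(InputStream)} reads the group and the
 *       peer's public value but checks no signature over them. For the DHE values
 *       (3, 5) a subclass presumably adds that check; confirm.</li>
 *   <li>Acceptance of server-chosen group parameters is delegated to
 *       {@link #dhConfigVerifier}; validation of the peer's public value is
 *       delegated to {@link TlsAgreement#receivePeerValue}. Neither is visible
 *       here.</li>
 * </ul>
 */
public class TlsDHKeyExchange extends AbstractTlsKeyExchange {
    // Key-exchange identifiers (assumed to mirror KeyExchangeAlgorithm; confirm).
    private static final int KX_DHE_DSS = 3;
    private static final int KX_DHE_RSA = 5;
    private static final int KX_DH_DSS = 7;
    private static final int KX_DH_RSA = 9;
    private static final int KX_DH_ANON = 11;

    // TLS alert descriptions (RFC 5246 section 7.2).
    private static final short ALERT_UNEXPECTED_MESSAGE = 10;
    private static final short ALERT_HANDSHAKE_FAILURE = 40;
    private static final short ALERT_BAD_CERTIFICATE = 42;
    private static final short ALERT_ILLEGAL_PARAMETER = 47;
    private static final short ALERT_INTERNAL_ERROR = 80;

    // Client certificate types allowed in a CertificateRequest (RFC 5246 section 7.4.4).
    private static final short CERT_TYPE_RSA_FIXED_DH = 3;
    private static final short CERT_TYPE_DSS_FIXED_DH = 4;

    // Role of the peer whose certificate is validated (assumed to mirror ConnectionEnd; confirm).
    private static final int ROLE_SERVER = 0;
    private static final int ROLE_CLIENT = 1;

    // Ephemeral/anonymous agreement state; null until a ServerKeyExchange has been
    // generated or processed.
    protected TlsAgreement agreement;
    // Local static-DH credentials, set by processClientCredentials/processServerCredentials.
    protected TlsCredentialedAgreement agreementCredentials;
    // DH group: supplied by the constructor or received from the server.
    protected TlsDHConfig dhConfig;
    // Verifier handed to TlsDHUtils.receiveDHConfig for server-supplied groups.
    // It is null when the (int, Vector, TlsDHConfig) constructor was used.
    protected TlsDHConfigVerifier dhConfigVerifier;
    // Peer certificate returned by validatePeerCertificate, when one was processed.
    protected TlsCertificate dhPeerCertificate;

    /**
     * Creates a key exchange that will verify a received DH group with the given verifier.
     *
     * @param i2 key-exchange identifier; must be one accepted by {@code checkKeyExchange}
     * @param vector passed unchanged to the superclass constructor
     * @param tlsDHConfigVerifier verifier for the DH group received in ServerKeyExchange
     * @throws IllegalArgumentException if {@code i2} is not a supported identifier
     */
    public TlsDHKeyExchange(int i2, Vector vector, TlsDHConfigVerifier tlsDHConfigVerifier) {
        this(i2, vector, tlsDHConfigVerifier, null);
    }

    private TlsDHKeyExchange(int keyExchange, Vector vector, TlsDHConfigVerifier verifier, TlsDHConfig config) {
        super(checkKeyExchange(keyExchange), vector);
        this.dhConfigVerifier = verifier;
        this.dhConfig = config;
    }

    /**
     * Creates a key exchange with a locally chosen DH group and no verifier.
     *
     * @param i2 key-exchange identifier; must be one accepted by {@code checkKeyExchange}
     * @param vector passed unchanged to the superclass constructor
     * @param tlsDHConfig DH group written by {@link #generateServerKeyExchange()}
     * @throws IllegalArgumentException if {@code i2} is not a supported identifier
     */
    public TlsDHKeyExchange(int i2, Vector vector, TlsDHConfig tlsDHConfig) {
        this(i2, vector, null, tlsDHConfig);
    }

    /**
     * Returns {@code keyExchange} unchanged when it is one of the five supported values.
     *
     * @throws IllegalArgumentException for any other value
     */
    private static int checkKeyExchange(int keyExchange) {
        switch (keyExchange) {
            case KX_DHE_DSS:
            case KX_DHE_RSA:
            case KX_DH_DSS:
            case KX_DH_RSA:
            case KX_DH_ANON:
                return keyExchange;
            default:
                throw new IllegalArgumentException("unsupported key exchange algorithm");
        }
    }

    /**
     * Writes the client's ephemeral public value, unless local agreement credentials
     * are set, in which case nothing is written.
     */
    @Override // org.spongycastle.tls.TlsKeyExchange
    public void generateClientKeyExchange(OutputStream outputStream) {
        if (this.agreementCredentials == null) {
            generateEphemeral(outputStream);
        }
    }

    /**
     * Generates an ephemeral public value and writes it as a 16-bit length-prefixed field.
     *
     * <p>The decompiler reports that this method was originally {@code protected}.
     *
     * @throws TlsFatalAlert internal_error if no agreement has been set up yet; this
     *         mirrors the guard in {@link #generatePreMasterSecret()} instead of failing
     *         with a NullPointerException
     */
    public void generateEphemeral(OutputStream outputStream) {
        TlsAgreement dh = this.agreement;
        if (dh == null) {
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        TlsUtils.writeOpaque16(dh.generateEphemeral(), outputStream);
    }

    /**
     * Derives the pre-master secret: from the local credentials and the peer certificate
     * when credentials are set, otherwise from the ephemeral agreement.
     *
     * @throws TlsFatalAlert internal_error if neither source is available
     */
    @Override // org.spongycastle.tls.TlsKeyExchange
    public TlsSecret generatePreMasterSecret() {
        TlsCredentialedAgreement credentials = this.agreementCredentials;
        if (credentials != null) {
            return credentials.generateAgreement(this.dhPeerCertificate);
        }
        TlsAgreement dh = this.agreement;
        if (dh == null) {
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        return dh.calculateSecret();
    }

    /**
     * Builds the ServerKeyExchange body: the DH group followed by the server's ephemeral
     * public value. No signature is appended here.
     *
     * @return the encoded message, or {@code null} when this key exchange sends none
     */
    @Override // org.spongycastle.tls.AbstractTlsKeyExchange, org.spongycastle.tls.TlsKeyExchange
    public byte[] generateServerKeyExchange() {
        if (!requiresServerKeyExchange()) {
            return null;
        }
        ByteArrayOutputStream message = new ByteArrayOutputStream();
        TlsDHUtils.writeDHConfig(this.dhConfig, message);
        this.agreement = this.context.getCrypto().createDHDomain(this.dhConfig).createDH();
        generateEphemeral(message);
        return message.toByteArray();
    }

    /**
     * Records the client's certificate when local agreement credentials are in use.
     *
     * @throws TlsFatalAlert unexpected_message for the anonymous key exchange
     */
    @Override // org.spongycastle.tls.AbstractTlsKeyExchange, org.spongycastle.tls.TlsKeyExchange
    public void processClientCertificate(Certificate certificate) {
        if (this.keyExchange == KX_DH_ANON) {
            throw new TlsFatalAlert(ALERT_UNEXPECTED_MESSAGE);
        }
        if (this.agreementCredentials != null) {
            this.dhPeerCertificate = validatePeerCertificate(ROLE_CLIENT, certificate);
        }
    }

    /**
     * Stores the client's agreement credentials.
     *
     * @throws TlsFatalAlert internal_error for the anonymous key exchange, or when the
     *         credentials are not a {@link TlsCredentialedAgreement}
     */
    @Override // org.spongycastle.tls.TlsKeyExchange
    public void processClientCredentials(TlsCredentials tlsCredentials) {
        if (this.keyExchange == KX_DH_ANON || !(tlsCredentials instanceof TlsCredentialedAgreement)) {
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        this.agreementCredentials = (TlsCredentialedAgreement) tlsCredentials;
    }

    /**
     * Reads the client's public value from ClientKeyExchange, unless a peer certificate
     * was already recorded, in which case the message body is not read.
     */
    @Override // org.spongycastle.tls.AbstractTlsKeyExchange, org.spongycastle.tls.TlsKeyExchange
    public void processClientKeyExchange(InputStream inputStream) {
        if (this.dhPeerCertificate == null) {
            processEphemeral(TlsUtils.readOpaque16(inputStream));
        }
    }

    /**
     * Hands the peer's public value to the agreement. Any range or subgroup validation
     * of that value happens inside {@code receivePeerValue}, which is not visible here.
     *
     * <p>The decompiler reports that this method was originally {@code protected}.
     *
     * @throws TlsFatalAlert internal_error if no agreement has been set up yet, so that
     *         a peer-supplied message in that state ends the handshake with an alert
     *         instead of a NullPointerException
     */
    public void processEphemeral(byte[] bArr) {
        TlsAgreement dh = this.agreement;
        if (dh == null) {
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        dh.receivePeerValue(bArr);
    }

    /**
     * Checks the server certificate's signature algorithm and records the certificate
     * for use in the server role.
     *
     * @throws TlsFatalAlert unexpected_message for the anonymous key exchange
     */
    @Override // org.spongycastle.tls.AbstractTlsKeyExchange, org.spongycastle.tls.TlsKeyExchange
    public void processServerCertificate(Certificate certificate) {
        if (this.keyExchange == KX_DH_ANON) {
            throw new TlsFatalAlert(ALERT_UNEXPECTED_MESSAGE);
        }
        checkServerCertSigAlg(certificate);
        this.dhPeerCertificate = validatePeerCertificate(ROLE_SERVER, certificate);
    }

    /**
     * Stores the server's agreement credentials.
     *
     * @throws TlsFatalAlert internal_error for the anonymous key exchange, or when the
     *         credentials are not a {@link TlsCredentialedAgreement}
     */
    @Override // org.spongycastle.tls.AbstractTlsKeyExchange, org.spongycastle.tls.TlsKeyExchange
    public void processServerCredentials(TlsCredentials tlsCredentials) {
        if (this.keyExchange == KX_DH_ANON || !(tlsCredentials instanceof TlsCredentialedAgreement)) {
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        this.agreementCredentials = (TlsCredentialedAgreement) tlsCredentials;
    }

    /**
     * Parses ServerKeyExchange: the DH group, then the server's public value.
     *
     * <p>NOTE(review): the group is accepted or rejected by {@code dhConfigVerifier}
     * inside {@code TlsDHUtils.receiveDHConfig}. This method does not check that the
     * verifier is non-null, and it verifies no signature over the received parameters.
     * Confirm both against the helper and against any subclass.
     *
     * @throws TlsFatalAlert unexpected_message when this key exchange expects no
     *         ServerKeyExchange
     */
    @Override // org.spongycastle.tls.AbstractTlsKeyExchange, org.spongycastle.tls.TlsKeyExchange
    public void processServerKeyExchange(InputStream inputStream) {
        if (!requiresServerKeyExchange()) {
            throw new TlsFatalAlert(ALERT_UNEXPECTED_MESSAGE);
        }
        this.dhConfig = TlsDHUtils.receiveDHConfig(this.dhConfigVerifier, inputStream);
        // The public value is read before the agreement is created, as in the original.
        byte[] peerValue = TlsUtils.readOpaque16(inputStream);
        this.agreement = this.context.getCrypto().createDHDomain(this.dhConfig).createDH();
        processEphemeral(peerValue);
    }

    /**
     * Reports whether a ServerKeyExchange message is part of this key exchange:
     * true for values 3, 5 and 11, false for 7 and 9.
     */
    @Override // org.spongycastle.tls.AbstractTlsKeyExchange, org.spongycastle.tls.TlsKeyExchange
    public boolean requiresServerKeyExchange() {
        switch (this.keyExchange) {
            case KX_DHE_DSS:
            case KX_DHE_RSA:
            case KX_DH_ANON:
                return true;
            default:
                return false;
        }
    }

    /**
     * Allows the server to present no credentials, for the anonymous key exchange only.
     *
     * @throws TlsFatalAlert internal_error for every other key exchange
     */
    @Override // org.spongycastle.tls.TlsKeyExchange
    public void skipServerCredentials() {
        if (this.keyExchange != KX_DH_ANON) {
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
    }

    /**
     * Accepts a CertificateRequest only if every requested certificate type is a
     * fixed-DH type (3 or 4).
     *
     * @throws TlsFatalAlert handshake_failure for the anonymous key exchange;
     *         illegal_parameter if any other certificate type is listed
     */
    @Override // org.spongycastle.tls.TlsKeyExchange
    public void validateCertificateRequest(CertificateRequest certificateRequest) {
        if (this.keyExchange == KX_DH_ANON) {
            throw new TlsFatalAlert(ALERT_HANDSHAKE_FAILURE);
        }
        for (short certificateType : certificateRequest.getCertificateTypes()) {
            boolean fixedDh = certificateType == CERT_TYPE_RSA_FIXED_DH
                    || certificateType == CERT_TYPE_DSS_FIXED_DH;
            if (!fixedDh) {
                throw new TlsFatalAlert(ALERT_ILLEGAL_PARAMETER);
            }
        }
    }

    /**
     * Binds the first certificate of the chain to the given role for this key exchange.
     * Only the first certificate is used here; no chain or trust validation is visible
     * in this method.
     *
     * @param i2 role value passed to {@code useInRole} (0 or 1 at the call sites here)
     * @param certificate the peer's certificate chain
     * @return the result of {@code useInRole} on the first certificate
     * @throws TlsFatalAlert bad_certificate if the chain is empty
     */
    protected TlsCertificate validatePeerCertificate(int i2, Certificate certificate) {
        if (certificate.isEmpty()) {
            throw new TlsFatalAlert(ALERT_BAD_CERTIFICATE);
        }
        return certificate.getCertificateAt(0).useInRole(i2, this.keyExchange);
    }
}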
