package com.google.security.cryptauth.lib.securegcm;

import com.google.protobuf.InvalidProtocolBufferException;
import com.google.security.cryptauth.lib.securegcm.SecureGcmProto;
import com.google.security.cryptauth.lib.securegcm.TransportCryptoOps;
import com.google.security.cryptauth.lib.securemessage.CryptoOps;
import com.google.security.cryptauth.lib.securemessage.PublicKeyProtoUtil;
import com.google.security.cryptauth.lib.securemessage.SecureMessageBuilder;
import com.google.security.cryptauth.lib.securemessage.SecureMessageParser;
import com.google.security.cryptauth.lib.securemessage.SecureMessageProto;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;

/* loaded from: classes2.dex */
public class EnrollmentCryptoOps {
    private static final String KA_ALG = "ECDH";
    private static final String LEGACY_KA_ALG = "DH";
    private static final CryptoOps.SigType OUTER_SIG_TYPE = CryptoOps.SigType.HMAC_SHA256;
    private static final CryptoOps.EncType OUTER_ENC_TYPE = CryptoOps.EncType.AES_256_CBC;
    private static final CryptoOps.SigType INNER_SIG_TYPE = CryptoOps.SigType.ECDSA_P256_SHA256;
    private static final CryptoOps.SigType LEGACY_INNER_SIG_TYPE = CryptoOps.SigType.RSA2048_SHA256;

    private EnrollmentCryptoOps() {
    }

    public static SecureGcmProto.GcmDeviceInfo decryptEnrollmentMessage(byte[] bArr, SecretKey secretKey, boolean z10) {
        if (bArr == null || secretKey == null) {
            throw null;
        }
        try {
            SecureMessageProto.HeaderAndBody parseSignCryptedMessage = SecureMessageParser.parseSignCryptedMessage(SecureMessageProto.SecureMessage.parseFrom(bArr), secretKey, OUTER_SIG_TYPE, secretKey, OUTER_ENC_TYPE);
            SecureGcmProto.GcmMetadata parseFrom = SecureGcmProto.GcmMetadata.parseFrom(parseSignCryptedMessage.getHeader().getPublicMetadata());
            SecureMessageProto.SecureMessage parseFrom2 = SecureMessageProto.SecureMessage.parseFrom(parseSignCryptedMessage.getBody());
            byte[] byteArray = SecureMessageParser.getUnverifiedHeader(parseFrom2).getVerificationKeyId().toByteArray();
            SecureMessageProto.HeaderAndBody parseSignedCleartextMessage = SecureMessageParser.parseSignedCleartextMessage(parseFrom2, KeyEncoding.parseUserPublicKey(byteArray), z10 ? LEGACY_INNER_SIG_TYPE : INNER_SIG_TYPE);
            SecureGcmProto.GcmDeviceInfo parseFrom3 = SecureGcmProto.GcmDeviceInfo.parseFrom(parseSignedCleartextMessage.getBody());
            if (parseFrom.getType() == TransportCryptoOps.PayloadType.ENROLLMENT.getType() && parseFrom.getVersion() <= 1 && parseSignCryptedMessage.getHeader().getVerificationKeyId().isEmpty() && parseSignedCleartextMessage.getHeader().getPublicMetadata().isEmpty() && Arrays.equals(byteArray, parseFrom3.getUserPublicKey().toByteArray()) && Arrays.equals(getMasterKeyHash(secretKey), parseFrom3.getDeviceMasterKeyHash().toByteArray())) {
                return parseFrom3;
            }
            throw new SignatureException();
        } catch (InvalidProtocolBufferException e10) {
            throw new SignatureException(e10);
        } catch (InvalidKeySpecException e11) {
            throw new SignatureException(e11);
        }
    }

    public static SecretKey doKeyAgreement(PrivateKey privateKey, PublicKey publicKey) {
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance(KeyEncoding.isLegacyPrivateKey(privateKey) ? LEGACY_KA_ALG : KA_ALG);
            keyAgreement.init(privateKey);
            keyAgreement.doPhase(publicKey, true);
            return KeyEncoding.parseMasterKey(sha256(keyAgreement.generateSecret()));
        } catch (NoSuchAlgorithmException e10) {
            throw new RuntimeException(e10);
        }
    }

    public static byte[] encryptEnrollmentMessage(SecureGcmProto.GcmDeviceInfo gcmDeviceInfo, SecretKey secretKey, PrivateKey privateKey) {
        if (gcmDeviceInfo == null || secretKey == null || privateKey == null) {
            throw null;
        }
        if (Arrays.equals(gcmDeviceInfo.getDeviceMasterKeyHash().toByteArray(), getMasterKeyHash(secretKey))) {
            return new SecureMessageBuilder().setVerificationKeyId(new byte[0]).setPublicMetadata(SecureGcmProto.GcmMetadata.newBuilder().setType(TransportCryptoOps.PayloadType.ENROLLMENT.getType()).setVersion(1).build().toByteArray()).buildSignCryptedMessage(secretKey, OUTER_SIG_TYPE, secretKey, OUTER_ENC_TYPE, new SecureMessageBuilder().setVerificationKeyId(gcmDeviceInfo.getUserPublicKey().toByteArray()).buildSignedCleartextMessage(privateKey, KeyEncoding.isLegacyPrivateKey(privateKey) ? LEGACY_INNER_SIG_TYPE : INNER_SIG_TYPE, gcmDeviceInfo.toByteArray()).toByteArray()).toByteArray();
        }
        throw new IllegalArgumentException("DeviceMasterKeyHash not set correctly");
    }

    public static KeyPair generateEnrollmentKeyAgreementKeyPair(boolean z10) {
        return z10 ? PublicKeyProtoUtil.generateDh2048KeyPair() : PublicKeyProtoUtil.generateEcP256KeyPair();
    }

    public static byte[] getMasterKeyHash(SecretKey secretKey) {
        return sha256(secretKey.getEncoded());
    }

    public static byte[] sha256(byte[] bArr) {
        try {
            return MessageDigest.getInstance(MessageDigestAlgorithms.SHA_256).digest(bArr);
        } catch (NoSuchAlgorithmException e10) {
            throw new RuntimeException(e10);
        }
    }
}
